1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (c) 2014, The Linux Foundation. All rights reserved.
4  * Debug helper to dump the current kernel pagetables of the system
5  * so that we can see what the various memory ranges are set to.
6  *
7  * Derived from x86 and arm implementation:
8  * (C) Copyright 2008 Intel Corporation
9  *
10  * Author: Arjan van de Ven <arjan@linux.intel.com>
11  */
12 #include <linux/debugfs.h>
13 #include <linux/errno.h>
14 #include <linux/fs.h>
15 #include <linux/io.h>
16 #include <linux/init.h>
17 #include <linux/mm.h>
18 #include <linux/ptdump.h>
19 #include <linux/sched.h>
20 #include <linux/seq_file.h>
21 
22 #include <asm/fixmap.h>
23 #include <asm/kasan.h>
24 #include <asm/memory.h>
25 #include <asm/pgtable-hwdef.h>
26 #include <asm/ptdump.h>
27 
28 
29 #define pt_dump_seq_printf(m, fmt, args...)	\
30 ({						\
31 	if (m)					\
32 		seq_printf(m, fmt, ##args);	\
33 })
34 
35 #define pt_dump_seq_puts(m, fmt)	\
36 ({					\
37 	if (m)				\
38 		seq_printf(m, fmt);	\
39 })
40 
41 static const struct ptdump_prot_bits pte_bits[] = {
42 	{
43 		.mask	= PTE_VALID,
44 		.val	= PTE_VALID,
45 		.set	= " ",
46 		.clear	= "F",
47 	}, {
48 		.mask	= PTE_USER,
49 		.val	= PTE_USER,
50 		.set	= "USR",
51 		.clear	= "   ",
52 	}, {
53 		.mask	= PTE_RDONLY,
54 		.val	= PTE_RDONLY,
55 		.set	= "ro",
56 		.clear	= "RW",
57 	}, {
58 		.mask	= PTE_PXN,
59 		.val	= PTE_PXN,
60 		.set	= "NX",
61 		.clear	= "x ",
62 	}, {
63 		.mask	= PTE_SHARED,
64 		.val	= PTE_SHARED,
65 		.set	= "SHD",
66 		.clear	= "   ",
67 	}, {
68 		.mask	= PTE_AF,
69 		.val	= PTE_AF,
70 		.set	= "AF",
71 		.clear	= "  ",
72 	}, {
73 		.mask	= PTE_NG,
74 		.val	= PTE_NG,
75 		.set	= "NG",
76 		.clear	= "  ",
77 	}, {
78 		.mask	= PTE_CONT,
79 		.val	= PTE_CONT,
80 		.set	= "CON",
81 		.clear	= "   ",
82 	}, {
83 		.mask	= PTE_TABLE_BIT,
84 		.val	= PTE_TABLE_BIT,
85 		.set	= "   ",
86 		.clear	= "BLK",
87 	}, {
88 		.mask	= PTE_UXN,
89 		.val	= PTE_UXN,
90 		.set	= "UXN",
91 		.clear	= "   ",
92 	}, {
93 		.mask	= PTE_GP,
94 		.val	= PTE_GP,
95 		.set	= "GP",
96 		.clear	= "  ",
97 	}, {
98 		.mask	= PTE_ATTRINDX_MASK,
99 		.val	= PTE_ATTRINDX(MT_DEVICE_nGnRnE),
100 		.set	= "DEVICE/nGnRnE",
101 	}, {
102 		.mask	= PTE_ATTRINDX_MASK,
103 		.val	= PTE_ATTRINDX(MT_DEVICE_nGnRE),
104 		.set	= "DEVICE/nGnRE",
105 	}, {
106 		.mask	= PTE_ATTRINDX_MASK,
107 		.val	= PTE_ATTRINDX(MT_NORMAL_NC),
108 		.set	= "MEM/NORMAL-NC",
109 	}, {
110 		.mask	= PTE_ATTRINDX_MASK,
111 		.val	= PTE_ATTRINDX(MT_NORMAL),
112 		.set	= "MEM/NORMAL",
113 	}, {
114 		.mask	= PTE_ATTRINDX_MASK,
115 		.val	= PTE_ATTRINDX(MT_NORMAL_TAGGED),
116 		.set	= "MEM/NORMAL-TAGGED",
117 	}
118 };
119 
120 static struct ptdump_pg_level kernel_pg_levels[] __ro_after_init = {
121 	{ /* pgd */
122 		.name	= "PGD",
123 		.bits	= pte_bits,
124 		.num	= ARRAY_SIZE(pte_bits),
125 	}, { /* p4d */
126 		.name	= "P4D",
127 		.bits	= pte_bits,
128 		.num	= ARRAY_SIZE(pte_bits),
129 	}, { /* pud */
130 		.name	= "PUD",
131 		.bits	= pte_bits,
132 		.num	= ARRAY_SIZE(pte_bits),
133 	}, { /* pmd */
134 		.name	= "PMD",
135 		.bits	= pte_bits,
136 		.num	= ARRAY_SIZE(pte_bits),
137 	}, { /* pte */
138 		.name	= "PTE",
139 		.bits	= pte_bits,
140 		.num	= ARRAY_SIZE(pte_bits),
141 	},
142 };
143 
dump_prot(struct ptdump_pg_state * st,const struct ptdump_prot_bits * bits,size_t num)144 static void dump_prot(struct ptdump_pg_state *st, const struct ptdump_prot_bits *bits,
145 			size_t num)
146 {
147 	unsigned i;
148 
149 	for (i = 0; i < num; i++, bits++) {
150 		const char *s;
151 
152 		if ((st->current_prot & bits->mask) == bits->val)
153 			s = bits->set;
154 		else
155 			s = bits->clear;
156 
157 		if (s)
158 			pt_dump_seq_printf(st->seq, " %s", s);
159 	}
160 }
161 
note_prot_uxn(struct ptdump_pg_state * st,unsigned long addr)162 static void note_prot_uxn(struct ptdump_pg_state *st, unsigned long addr)
163 {
164 	if (!st->check_wx)
165 		return;
166 
167 	if ((st->current_prot & PTE_UXN) == PTE_UXN)
168 		return;
169 
170 	WARN_ONCE(1, "arm64/mm: Found non-UXN mapping at address %p/%pS\n",
171 		  (void *)st->start_address, (void *)st->start_address);
172 
173 	st->uxn_pages += (addr - st->start_address) / PAGE_SIZE;
174 }
175 
note_prot_wx(struct ptdump_pg_state * st,unsigned long addr)176 static void note_prot_wx(struct ptdump_pg_state *st, unsigned long addr)
177 {
178 	if (!st->check_wx)
179 		return;
180 	if ((st->current_prot & PTE_RDONLY) == PTE_RDONLY)
181 		return;
182 	if ((st->current_prot & PTE_PXN) == PTE_PXN)
183 		return;
184 
185 	WARN_ONCE(1, "arm64/mm: Found insecure W+X mapping at address %p/%pS\n",
186 		  (void *)st->start_address, (void *)st->start_address);
187 
188 	st->wx_pages += (addr - st->start_address) / PAGE_SIZE;
189 }
190 
note_page(struct ptdump_state * pt_st,unsigned long addr,int level,u64 val)191 void note_page(struct ptdump_state *pt_st, unsigned long addr, int level,
192 	       u64 val)
193 {
194 	struct ptdump_pg_state *st = container_of(pt_st, struct ptdump_pg_state, ptdump);
195 	struct ptdump_pg_level *pg_level = st->pg_level;
196 	static const char units[] = "KMGTPE";
197 	u64 prot = 0;
198 
199 	/* check if the current level has been folded dynamically */
200 	if (st->mm && ((level == 1 && mm_p4d_folded(st->mm)) ||
201 	    (level == 2 && mm_pud_folded(st->mm))))
202 		level = 0;
203 
204 	if (level >= 0)
205 		prot = val & pg_level[level].mask;
206 
207 	if (st->level == -1) {
208 		st->level = level;
209 		st->current_prot = prot;
210 		st->start_address = addr;
211 		pt_dump_seq_printf(st->seq, "---[ %s ]---\n", st->marker->name);
212 	} else if (prot != st->current_prot || level != st->level ||
213 		   addr >= st->marker[1].start_address) {
214 		const char *unit = units;
215 		unsigned long delta;
216 
217 		if (st->current_prot) {
218 			note_prot_uxn(st, addr);
219 			note_prot_wx(st, addr);
220 		}
221 
222 		pt_dump_seq_printf(st->seq, "0x%016lx-0x%016lx   ",
223 				   st->start_address, addr);
224 
225 		delta = (addr - st->start_address) >> 10;
226 		while (!(delta & 1023) && unit[1]) {
227 			delta >>= 10;
228 			unit++;
229 		}
230 		pt_dump_seq_printf(st->seq, "%9lu%c %s", delta, *unit,
231 				   pg_level[st->level].name);
232 		if (st->current_prot && pg_level[st->level].bits)
233 			dump_prot(st, pg_level[st->level].bits,
234 				  pg_level[st->level].num);
235 		pt_dump_seq_puts(st->seq, "\n");
236 
237 		if (addr >= st->marker[1].start_address) {
238 			st->marker++;
239 			pt_dump_seq_printf(st->seq, "---[ %s ]---\n", st->marker->name);
240 		}
241 
242 		st->start_address = addr;
243 		st->current_prot = prot;
244 		st->level = level;
245 	}
246 
247 	if (addr >= st->marker[1].start_address) {
248 		st->marker++;
249 		pt_dump_seq_printf(st->seq, "---[ %s ]---\n", st->marker->name);
250 	}
251 
252 }
253 
ptdump_walk(struct seq_file * s,struct ptdump_info * info)254 void ptdump_walk(struct seq_file *s, struct ptdump_info *info)
255 {
256 	unsigned long end = ~0UL;
257 	struct ptdump_pg_state st;
258 
259 	if (info->base_addr < TASK_SIZE_64)
260 		end = TASK_SIZE_64;
261 
262 	st = (struct ptdump_pg_state){
263 		.seq = s,
264 		.marker = info->markers,
265 		.mm = info->mm,
266 		.pg_level = &kernel_pg_levels[0],
267 		.level = -1,
268 		.ptdump = {
269 			.note_page = note_page,
270 			.range = (struct ptdump_range[]){
271 				{info->base_addr, end},
272 				{0, 0}
273 			}
274 		}
275 	};
276 
277 	ptdump_walk_pgd(&st.ptdump, info->mm, NULL);
278 }
279 
ptdump_initialize(void)280 static void __init ptdump_initialize(void)
281 {
282 	unsigned i, j;
283 
284 	for (i = 0; i < ARRAY_SIZE(kernel_pg_levels); i++)
285 		if (kernel_pg_levels[i].bits)
286 			for (j = 0; j < kernel_pg_levels[i].num; j++)
287 				kernel_pg_levels[i].mask |= kernel_pg_levels[i].bits[j].mask;
288 }
289 
290 static struct ptdump_info kernel_ptdump_info __ro_after_init = {
291 	.mm		= &init_mm,
292 };
293 
ptdump_check_wx(void)294 bool ptdump_check_wx(void)
295 {
296 	struct ptdump_pg_state st = {
297 		.seq = NULL,
298 		.marker = (struct addr_marker[]) {
299 			{ 0, NULL},
300 			{ -1, NULL},
301 		},
302 		.pg_level = &kernel_pg_levels[0],
303 		.level = -1,
304 		.check_wx = true,
305 		.ptdump = {
306 			.note_page = note_page,
307 			.range = (struct ptdump_range[]) {
308 				{_PAGE_OFFSET(vabits_actual), ~0UL},
309 				{0, 0}
310 			}
311 		}
312 	};
313 
314 	ptdump_walk_pgd(&st.ptdump, &init_mm, NULL);
315 
316 	if (st.wx_pages || st.uxn_pages) {
317 		pr_warn("Checked W+X mappings: FAILED, %lu W+X pages found, %lu non-UXN pages found\n",
318 			st.wx_pages, st.uxn_pages);
319 
320 		return false;
321 	} else {
322 		pr_info("Checked W+X mappings: passed, no W+X pages found\n");
323 
324 		return true;
325 	}
326 }
327 
ptdump_init(void)328 static int __init ptdump_init(void)
329 {
330 	u64 page_offset = _PAGE_OFFSET(vabits_actual);
331 	u64 vmemmap_start = (u64)virt_to_page((void *)page_offset);
332 	struct addr_marker m[] = {
333 		{ PAGE_OFFSET,		"Linear Mapping start" },
334 		{ PAGE_END,		"Linear Mapping end" },
335 #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)
336 		{ KASAN_SHADOW_START,   "Kasan shadow start" },
337 		{ KASAN_SHADOW_END,     "Kasan shadow end" },
338 #endif
339 		{ MODULES_VADDR,	"Modules start" },
340 		{ MODULES_END,		"Modules end" },
341 		{ VMALLOC_START,	"vmalloc() area" },
342 		{ VMALLOC_END,		"vmalloc() end" },
343 		{ vmemmap_start,	"vmemmap start" },
344 		{ VMEMMAP_END,		"vmemmap end" },
345 		{ PCI_IO_START,		"PCI I/O start" },
346 		{ PCI_IO_END,		"PCI I/O end" },
347 		{ FIXADDR_TOT_START,    "Fixmap start" },
348 		{ FIXADDR_TOP,	        "Fixmap end" },
349 		{ -1,			NULL },
350 	};
351 	static struct addr_marker address_markers[ARRAY_SIZE(m)] __ro_after_init;
352 
353 	kernel_ptdump_info.markers = memcpy(address_markers, m, sizeof(m));
354 	kernel_ptdump_info.base_addr = page_offset;
355 
356 	ptdump_initialize();
357 	ptdump_debugfs_register(&kernel_ptdump_info, "kernel_page_tables");
358 	return 0;
359 }
360 device_initcall(ptdump_init);
361