// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2014, The Linux Foundation. All rights reserved.
 * Debug helper to dump the current kernel pagetables of the system
 * so that we can see what the various memory ranges are set to.
 *
 * Derived from x86 and arm implementation:
 * (C) Copyright 2008 Intel Corporation
 *
 * Author: Arjan van de Ven <arjan@linux.intel.com>
 */
#include <linux/debugfs.h>
#include <linux/errno.h>
#include <linux/fs.h>
#include <linux/io.h>
#include <linux/init.h>
#include <linux/mm.h>
#include <linux/ptdump.h>
#include <linux/sched.h>
#include <linux/seq_file.h>

#include <asm/fixmap.h>
#include <asm/kasan.h>
#include <asm/memory.h>
#include <asm/pgtable-hwdef.h>
#include <asm/ptdump.h>

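/*
 * Wrappers around seq_printf() that stay silent when no seq_file is
 * attached, so the same walk can be reused for the output-less W+X
 * check where st->seq is NULL.
 */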
#define pt_dump_seq_printf(m, fmt, args...)		\
({							\
	if (m)						\
		seq_printf(m, fmt, ##args);		\
})

#define pt_dump_seq_puts(m, fmt)			\
({							\
	if (m)						\
		seq_printf(m, fmt);			\
})

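/*
 * Decode table for the descriptor bits of interest: each entry prints
 * its "set" string when the masked bits equal "val", and the "clear"
 * string (if any) otherwise.
 */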
static const struct ptdump_prot_bits pte_bits[] = {
	{
		.mask = PTE_VALID,
		.val = PTE_VALID,
		.set = " ",
		.clear = "F",
	}, {
		.mask = PTE_USER,
		.val = PTE_USER,
		.set = "USR",
		.clear = " ",
	}, {
		.mask = PTE_RDONLY,
		.val = PTE_RDONLY,
		.set = "ro",
		.clear = "RW",
	}, {
		.mask = PTE_PXN,
		.val = PTE_PXN,
		.set = "NX",
		.clear = "x ",
	}, {
		.mask = PTE_SHARED,
		.val = PTE_SHARED,
		.set = "SHD",
		.clear = " ",
	}, {
		.mask = PTE_AF,
		.val = PTE_AF,
		.set = "AF",
		.clear = " ",
	}, {
		.mask = PTE_NG,
		.val = PTE_NG,
		.set = "NG",
		.clear = " ",
	}, {
		.mask = PTE_CONT,
		.val = PTE_CONT,
		.set = "CON",
		.clear = " ",
	}, {
		.mask = PTE_TABLE_BIT,
		.val = PTE_TABLE_BIT,
		.set = " ",
		.clear = "BLK",
	}, {
		.mask = PTE_UXN,
		.val = PTE_UXN,
		.set = "UXN",
		.clear = " ",
	}, {
		.mask = PTE_GP,
		.val = PTE_GP,
		.set = "GP",
		.clear = " ",
	}, {
		.mask = PTE_ATTRINDX_MASK,
		.val = PTE_ATTRINDX(MT_DEVICE_nGnRnE),
		.set = "DEVICE/nGnRnE",
	}, {
		.mask = PTE_ATTRINDX_MASK,
		.val = PTE_ATTRINDX(MT_DEVICE_nGnRE),
		.set = "DEVICE/nGnRE",
	}, {
		.mask = PTE_ATTRINDX_MASK,
		.val = PTE_ATTRINDX(MT_NORMAL_NC),
		.set = "MEM/NORMAL-NC",
	}, {
		.mask = PTE_ATTRINDX_MASK,
		.val = PTE_ATTRINDX(MT_NORMAL),
		.set = "MEM/NORMAL",
	}, {
		.mask = PTE_ATTRINDX_MASK,
		.val = PTE_ATTRINDX(MT_NORMAL_TAGGED),
		.set = "MEM/NORMAL-TAGGED",
	}
};

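/* Every kernel page-table level is decoded with the same bit table. */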
static struct ptdump_pg_level kernel_pg_levels[] __ro_after_init = {
	{ /* pgd */
		.name = "PGD",
		.bits = pte_bits,
		.num = ARRAY_SIZE(pte_bits),
	}, { /* p4d */
		.name = "P4D",
		.bits = pte_bits,
		.num = ARRAY_SIZE(pte_bits),
	}, { /* pud */
		.name = "PUD",
		.bits = pte_bits,
		.num = ARRAY_SIZE(pte_bits),
	}, { /* pmd */
		.name = "PMD",
		.bits = pte_bits,
		.num = ARRAY_SIZE(pte_bits),
	}, { /* pte */
		.name = "PTE",
		.bits = pte_bits,
		.num = ARRAY_SIZE(pte_bits),
	},
};

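/* Emit the attribute strings matching the current protection value. */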
static void dump_prot(struct ptdump_pg_state *st, const struct ptdump_prot_bits *bits,
		      size_t num)
{
	unsigned i;

	for (i = 0; i < num; i++, bits++) {
		const char *s;

		if ((st->current_prot & bits->mask) == bits->val)
			s = bits->set;
		else
			s = bits->clear;

		if (s)
			pt_dump_seq_printf(st->seq, " %s", s);
	}
}

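/*
 * When running the W+X check, warn about and count kernel mappings
 * that do not have the UXN bit set.
 */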
static void note_prot_uxn(struct ptdump_pg_state *st, unsigned long addr)
{
	if (!st->check_wx)
		return;

	if ((st->current_prot & PTE_UXN) == PTE_UXN)
		return;

	WARN_ONCE(1, "arm64/mm: Found non-UXN mapping at address %p/%pS\n",
		  (void *)st->start_address, (void *)st->start_address);

	st->uxn_pages += (addr - st->start_address) / PAGE_SIZE;
}

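/*
 * When running the W+X check, warn about and count mappings that are
 * both writable (not PTE_RDONLY) and executable (not PTE_PXN).
 */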
static void note_prot_wx(struct ptdump_pg_state *st, unsigned long addr)
{
	if (!st->check_wx)
		return;
	if ((st->current_prot & PTE_RDONLY) == PTE_RDONLY)
		return;
	if ((st->current_prot & PTE_PXN) == PTE_PXN)
		return;

	WARN_ONCE(1, "arm64/mm: Found insecure W+X mapping at address %p/%pS\n",
		  (void *)st->start_address, (void *)st->start_address);

	st->wx_pages += (addr - st->start_address) / PAGE_SIZE;
}

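/*
 * Callback invoked by the generic page-table walker. Successive entries
 * at the same level with identical protection bits are coalesced and
 * reported as a single address range, annotated with the region markers
 * it falls under.
 */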
void note_page(struct ptdump_state *pt_st, unsigned long addr, int level,
	       u64 val)
{
	struct ptdump_pg_state *st = container_of(pt_st, struct ptdump_pg_state, ptdump);
	struct ptdump_pg_level *pg_level = st->pg_level;
	static const char units[] = "KMGTPE";
	u64 prot = 0;

	/* check if the current level has been folded dynamically */
	if (st->mm && ((level == 1 && mm_p4d_folded(st->mm)) ||
		       (level == 2 && mm_pud_folded(st->mm))))
		level = 0;

	if (level >= 0)
		prot = val & pg_level[level].mask;

	if (st->level == -1) {
		st->level = level;
		st->current_prot = prot;
		st->start_address = addr;
		pt_dump_seq_printf(st->seq, "---[ %s ]---\n", st->marker->name);
	} else if (prot != st->current_prot || level != st->level ||
		   addr >= st->marker[1].start_address) {
		const char *unit = units;
		unsigned long delta;

		if (st->current_prot) {
			note_prot_uxn(st, addr);
			note_prot_wx(st, addr);
		}

		pt_dump_seq_printf(st->seq, "0x%016lx-0x%016lx   ",
				   st->start_address, addr);

		delta = (addr - st->start_address) >> 10;
		while (!(delta & 1023) && unit[1]) {
			delta >>= 10;
			unit++;
		}
		pt_dump_seq_printf(st->seq, "%9lu%c %s", delta, *unit,
				   pg_level[st->level].name);
		if (st->current_prot && pg_level[st->level].bits)
			dump_prot(st, pg_level[st->level].bits,
				  pg_level[st->level].num);
		pt_dump_seq_puts(st->seq, "\n");

		if (addr >= st->marker[1].start_address) {
			st->marker++;
			pt_dump_seq_printf(st->seq, "---[ %s ]---\n", st->marker->name);
		}

		st->start_address = addr;
		st->current_prot = prot;
		st->level = level;
	}

	if (addr >= st->marker[1].start_address) {
		st->marker++;
		pt_dump_seq_printf(st->seq, "---[ %s ]---\n", st->marker->name);
	}
}

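/* Dump the page tables of info->mm into the seq_file @s. */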
void ptdump_walk(struct seq_file *s, struct ptdump_info *info)
{
	unsigned long end = ~0UL;
	struct ptdump_pg_state st;

	if (info->base_addr < TASK_SIZE_64)
		end = TASK_SIZE_64;

	st = (struct ptdump_pg_state){
		.seq = s,
		.marker = info->markers,
		.mm = info->mm,
		.pg_level = &kernel_pg_levels[0],
		.level = -1,
		.ptdump = {
			.note_page = note_page,
			.range = (struct ptdump_range[]){
				{info->base_addr, end},
				{0, 0}
			}
		}
	};

	ptdump_walk_pgd(&st.ptdump, info->mm, NULL);
}

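/*
 * Precompute, for each level, the union of all descriptor bit masks so
 * that note_page() only compares the bits it knows how to decode.
 */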
static void __init ptdump_initialize(void)
{
	unsigned i, j;

	for (i = 0; i < ARRAY_SIZE(kernel_pg_levels); i++)
		if (kernel_pg_levels[i].bits)
			for (j = 0; j < kernel_pg_levels[i].num; j++)
				kernel_pg_levels[i].mask |= kernel_pg_levels[i].bits[j].mask;
}

static struct ptdump_info kernel_ptdump_info __ro_after_init = {
	.mm = &init_mm,
};

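/*
 * Walk the kernel page tables with check_wx set and no seq_file
 * attached, and report whether any W+X or non-UXN pages were found.
 */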
bool ptdump_check_wx(void)
{
	struct ptdump_pg_state st = {
		.seq = NULL,
		.marker = (struct addr_marker[]) {
			{ 0, NULL},
			{ -1, NULL},
		},
		.pg_level = &kernel_pg_levels[0],
		.level = -1,
		.check_wx = true,
		.ptdump = {
			.note_page = note_page,
			.range = (struct ptdump_range[]) {
				{_PAGE_OFFSET(vabits_actual), ~0UL},
				{0, 0}
			}
		}
	};

	ptdump_walk_pgd(&st.ptdump, &init_mm, NULL);

	if (st.wx_pages || st.uxn_pages) {
		pr_warn("Checked W+X mappings: FAILED, %lu W+X pages found, %lu non-UXN pages found\n",
			st.wx_pages, st.uxn_pages);

		return false;
	} else {
		pr_info("Checked W+X mappings: passed, no W+X pages found\n");

		return true;
	}
}

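/*
 * Set up the address markers describing the kernel VA layout and
 * register the "kernel_page_tables" debugfs file that triggers a dump.
 */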
static int __init ptdump_init(void)
{
	u64 page_offset = _PAGE_OFFSET(vabits_actual);
	u64 vmemmap_start = (u64)virt_to_page((void *)page_offset);
	struct addr_marker m[] = {
		{ PAGE_OFFSET, "Linear Mapping start" },
		{ PAGE_END, "Linear Mapping end" },
#if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)
		{ KASAN_SHADOW_START, "Kasan shadow start" },
		{ KASAN_SHADOW_END, "Kasan shadow end" },
#endif
		{ MODULES_VADDR, "Modules start" },
		{ MODULES_END, "Modules end" },
		{ VMALLOC_START, "vmalloc() area" },
		{ VMALLOC_END, "vmalloc() end" },
		{ vmemmap_start, "vmemmap start" },
		{ VMEMMAP_END, "vmemmap end" },
		{ PCI_IO_START, "PCI I/O start" },
		{ PCI_IO_END, "PCI I/O end" },
		{ FIXADDR_TOT_START, "Fixmap start" },
		{ FIXADDR_TOP, "Fixmap end" },
		{ -1, NULL },
	};
	static struct addr_marker address_markers[ARRAY_SIZE(m)] __ro_after_init;

	kernel_ptdump_info.markers = memcpy(address_markers, m, sizeof(m));
	kernel_ptdump_info.base_addr = page_offset;

	ptdump_initialize();
	ptdump_debugfs_register(&kernel_ptdump_info, "kernel_page_tables");
	return 0;
}
device_initcall(ptdump_init);