2 * Copyright (C) 2001 Andrea Arcangeli <andrea@suse.de> SuSE
3 * Copyright 2003 Andi Kleen, SuSE Labs.
5 * [ NOTE: this mechanism is now deprecated in favor of the vDSO. ]
7 * Thanks to hpa@transmeta.com for some useful hint.
8 * Special thanks to Ingo Molnar for his early experience with
9 * a different vsyscall implementation for Linux/IA32 and for the name.
11 * vsyscall 1 is located at -10Mbyte, vsyscall 2 is located
12 * at virtual address -10Mbyte+1024bytes etc... There are at max 4
13 * vsyscalls. One vsyscall can reserve more than 1 slot to avoid
14 * jumping out of line if necessary. We cannot add more with this
15 * mechanism because older kernels won't return -ENOSYS.
17 * Note: the concept clashes with user mode linux. UML users should
21 #include <linux/time.h>
22 #include <linux/init.h>
23 #include <linux/kernel.h>
24 #include <linux/timer.h>
25 #include <linux/seqlock.h>
26 #include <linux/jiffies.h>
27 #include <linux/sysctl.h>
28 #include <linux/clocksource.h>
29 #include <linux/getcpu.h>
30 #include <linux/cpu.h>
31 #include <linux/smp.h>
32 #include <linux/notifier.h>
33 #include <linux/syscalls.h>
34 #include <linux/ratelimit.h>
36 #include <asm/vsyscall.h>
37 #include <asm/pgtable.h>
38 #include <asm/compat.h>
40 #include <asm/unistd.h>
41 #include <asm/fixmap.h>
42 #include <asm/errno.h>
44 #include <asm/segment.h>
46 #include <asm/topology.h>
47 #include <asm/vgtod.h>
48 #include <asm/traps.h>
50 #define CREATE_TRACE_POINTS
51 #include "vsyscall_trace.h"
53 DEFINE_VVAR(int, vgetcpu_mode);
54 DEFINE_VVAR(struct vsyscall_gtod_data, vsyscall_gtod_data) =
56 .lock = __SEQLOCK_UNLOCKED(__vsyscall_gtod_data.lock),
59 void update_vsyscall_tz(void)
63 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
64 /* sys_tz has changed */
65 vsyscall_gtod_data.sys_tz = sys_tz;
66 write_sequnlock_irqrestore(&vsyscall_gtod_data.lock, flags);
69 void update_vsyscall(struct timespec *wall_time, struct timespec *wtm,
70 struct clocksource *clock, u32 mult)
74 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
76 /* copy vsyscall data */
77 vsyscall_gtod_data.clock.vclock_mode = clock->archdata.vclock_mode;
78 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
79 vsyscall_gtod_data.clock.mask = clock->mask;
80 vsyscall_gtod_data.clock.mult = mult;
81 vsyscall_gtod_data.clock.shift = clock->shift;
82 vsyscall_gtod_data.wall_time_sec = wall_time->tv_sec;
83 vsyscall_gtod_data.wall_time_nsec = wall_time->tv_nsec;
84 vsyscall_gtod_data.wall_to_monotonic = *wtm;
85 vsyscall_gtod_data.wall_time_coarse = __current_kernel_time();
87 write_sequnlock_irqrestore(&vsyscall_gtod_data.lock, flags);
90 static void warn_bad_vsyscall(const char *level, struct pt_regs *regs,
93 static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL, DEFAULT_RATELIMIT_BURST);
94 struct task_struct *tsk;
96 if (!show_unhandled_signals || !__ratelimit(&rs))
101 printk("%s%s[%d] %s ip:%lx cs:%lx sp:%lx ax:%lx si:%lx di:%lx\n",
102 level, tsk->comm, task_pid_nr(tsk),
103 message, regs->ip - 2, regs->cs,
104 regs->sp, regs->ax, regs->si, regs->di);
107 static int addr_to_vsyscall_nr(unsigned long addr)
111 if ((addr & ~0xC00UL) != VSYSCALL_START)
114 nr = (addr & 0xC00UL) >> 10;
121 void dotraplinkage do_emulate_vsyscall(struct pt_regs *regs, long error_code)
123 struct task_struct *tsk;
124 unsigned long caller;
130 if (!user_64bit_mode(regs)) {
132 * If we trapped from kernel mode, we might as well OOPS now
133 * instead of returning to some random address and OOPSing
136 BUG_ON(!user_mode(regs));
138 /* Compat mode and non-compat 32-bit CS should both segfault. */
139 warn_bad_vsyscall(KERN_WARNING, regs,
140 "illegal int 0xcc from 32-bit mode");
145 * x86-ism here: regs->ip points to the instruction after the int 0xcc,
146 * and int 0xcc is two bytes long.
148 vsyscall_nr = addr_to_vsyscall_nr(regs->ip - 2);
150 trace_emulate_vsyscall(vsyscall_nr);
152 if (vsyscall_nr < 0) {
153 warn_bad_vsyscall(KERN_WARNING, regs,
154 "illegal int 0xcc (exploit attempt?)");
158 if (get_user(caller, (unsigned long __user *)regs->sp) != 0) {
159 warn_bad_vsyscall(KERN_WARNING, regs, "int 0xcc with bad stack (exploit attempt?)");
164 if (seccomp_mode(&tsk->seccomp))
167 switch (vsyscall_nr) {
169 ret = sys_gettimeofday(
170 (struct timeval __user *)regs->di,
171 (struct timezone __user *)regs->si);
175 ret = sys_time((time_t __user *)regs->di);
179 ret = sys_getcpu((unsigned __user *)regs->di,
180 (unsigned __user *)regs->si,
185 if (ret == -EFAULT) {
187 * Bad news -- userspace fed a bad pointer to a vsyscall.
189 * With a real vsyscall, that would have caused SIGSEGV.
190 * To make writing reliable exploits using the emulated
191 * vsyscalls harder, generate SIGSEGV here as well.
193 warn_bad_vsyscall(KERN_INFO, regs,
194 "vsyscall fault (exploit attempt?)");
200 /* Emulate a ret instruction. */
208 regs->ip -= 2; /* The faulting instruction should be the int 0xcc. */
209 force_sig(SIGSEGV, current);
214 * Assume __initcall executes before all user space. Hopefully kmod
215 * doesn't violate that. We'll find out if it does.
217 static void __cpuinit vsyscall_set_cpu(int cpu)
220 unsigned long node = 0;
222 node = cpu_to_node(cpu);
224 if (cpu_has(&cpu_data(cpu), X86_FEATURE_RDTSCP))
225 write_rdtscp_aux((node << 12) | cpu);
228 * Store cpu number in limit so that it can be loaded quickly
229 * in user space in vgetcpu. (12 bits for the CPU and 8 bits for the node)
231 d = 0x0f40000000000ULL;
233 d |= (node & 0xf) << 12;
234 d |= (node >> 4) << 48;
236 write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_PER_CPU, &d, DESCTYPE_S);
239 static void __cpuinit cpu_vsyscall_init(void *arg)
241 /* preemption should be already off */
242 vsyscall_set_cpu(raw_smp_processor_id());
246 cpu_vsyscall_notifier(struct notifier_block *n, unsigned long action, void *arg)
248 long cpu = (long)arg;
250 if (action == CPU_ONLINE || action == CPU_ONLINE_FROZEN)
251 smp_call_function_single(cpu, cpu_vsyscall_init, NULL, 1);
256 void __init map_vsyscall(void)
258 extern char __vsyscall_0;
259 unsigned long physaddr_page0 = __pa_symbol(&__vsyscall_0);
260 extern char __vvar_page;
261 unsigned long physaddr_vvar_page = __pa_symbol(&__vvar_page);
263 /* Note that VSYSCALL_MAPPED_PAGES must agree with the code below. */
264 __set_fixmap(VSYSCALL_FIRST_PAGE, physaddr_page0, PAGE_KERNEL_VSYSCALL);
265 __set_fixmap(VVAR_PAGE, physaddr_vvar_page, PAGE_KERNEL_VVAR);
266 BUILD_BUG_ON((unsigned long)__fix_to_virt(VVAR_PAGE) != (unsigned long)VVAR_ADDRESS);
269 static int __init vsyscall_init(void)
271 BUG_ON(VSYSCALL_ADDR(0) != __fix_to_virt(VSYSCALL_FIRST_PAGE));
273 on_each_cpu(cpu_vsyscall_init, NULL, 1);
274 /* notifier priority > KVM */
275 hotcpu_notifier(cpu_vsyscall_notifier, 30);
279 __initcall(vsyscall_init);