Diffstat (limited to 'usr/src')
-rw-r--r--usr/src/cmd/mdb/Makefile.module36
-rw-r--r--usr/src/cmd/mdb/i86pc/modules/unix/amd64/Makefile1
-rw-r--r--usr/src/cmd/mdb/i86pc/modules/unix/ia32/Makefile1
-rw-r--r--usr/src/cmd/mdb/i86pc/modules/unix/unix.c58
-rw-r--r--usr/src/cmd/mdb/i86pc/modules/unix/unix_sup.h36
-rw-r--r--usr/src/cmd/mdb/i86pc/modules/unix/unix_sup.s64
-rw-r--r--usr/src/cmd/mdb/i86xpv/modules/unix/amd64/Makefile1
-rw-r--r--usr/src/cmd/mdb/i86xpv/modules/unix/ia32/Makefile1
-rw-r--r--usr/src/uts/i86pc/os/cpuid.c6
-rw-r--r--usr/src/uts/i86pc/os/mlsetup.c6
-rw-r--r--usr/src/uts/i86pc/os/trap.c13
-rw-r--r--usr/src/uts/intel/ia32/sys/trap.h2
-rw-r--r--usr/src/uts/intel/sys/controlregs.h4
-rw-r--r--usr/src/uts/intel/sys/x86_archext.h6
14 files changed, 225 insertions, 10 deletions
diff --git a/usr/src/cmd/mdb/Makefile.module b/usr/src/cmd/mdb/Makefile.module
index a1b66e05fb..f741cd8278 100644
--- a/usr/src/cmd/mdb/Makefile.module
+++ b/usr/src/cmd/mdb/Makefile.module
@@ -23,6 +23,7 @@
# Use is subject to license terms.
#
# Copyright (c) 2013 by Delphix. All rights reserved.
+# Copyright 2015, Joyent, Inc.
#
.KEEP_STATE:
@@ -31,9 +32,10 @@
include $(SRC)/cmd/mdb/Makefile.tools
$(KMOD_SOURCES_DIFFERENT)KMODSRCS = $(MODSRCS)
+$(KMOD_SOURCES_DIFFERENT)KMODASMSRCS = $(MODASMSRCS)
-MODOBJS = $(MODSRCS:%.c=dmod/%.o)
-KMODOBJS = $(KMODSRCS:%.c=kmod/%.o)
+MODOBJS = $(MODSRCS:%.c=dmod/%.o) $(MODASMSRCS:%.s=dmod/%.o)
+KMODOBJS = $(KMODSRCS:%.c=kmod/%.o) $(KMODASMSRCS:%.s=kmod/%.o)
MODNAME = $(MODULE:%.so=%)
KMODULE = $(MODNAME)
@@ -102,6 +104,8 @@ CFLAGS64 += $(CCVERBOSE)
CPPFLAGS += $($(MDBTGT)_TGTFLAGS) -I../../../common
LDFLAGS += $(ZTEXT)
LDFLAGS64 += $(ZTEXT)
+ASFLAGS += -P
+AS_CPPFLAGS += -D_ASM
# Module type-specific compiler flags
$(MODOBJS) := CFLAGS += $(C_BIGPICFLAGS) $(XREGSFLAG)
@@ -209,33 +213,61 @@ dmod/%.o kmod/%.o: %.c
$(COMPILE.c) -o $@ $<
$(CTFCONVERT_O)
+dmod/%.o kmod%.o: %.s
+ $(COMPILE.s) -o $@ $<
+ $(CTFCONVERT_O)
+
dmod/%.o kmod/%.o: ../%.c
$(COMPILE.c) -o $@ $<
$(CTFCONVERT_O)
+dmod/%.o kmod%.o: ../%.s
+ $(COMPILE.s) -o $@ $<
+ $(CTFCONVERT_O)
+
dmod/%.o kmod/%.o: ../../../common/modules/$(MODNAME)/%.c
$(COMPILE.c) -o $@ $<
$(CTFCONVERT_O)
+dmod/%.o kmod%.o: ../../../common/modules/$(MODNAME)/%.s
+ $(COMPILE.s) -o $@ $<
+ $(CTFCONVERT_O)
+
dmod/%.o kmod/%.o: $$(MODSRCS_DIR)/%.c
$(COMPILE.c) -o $@ $<
$(CTFCONVERT_O)
+dmod/%.o kmod%.o: $$(MODSRCS_DIR)/%.s
+ $(COMPILE.s) -o $@ $<
+ $(CTFCONVERT_O)
+
#
# Lint
#
dmod/%.ln kmod/%.ln: %.c
$(LINT.c) -dirout=$(@D) -c $<
+dmod/%.ln kmod/%.ln: %.s
+ $(LINT.s) -dirout=$(@D) -c $<
+
dmod/%.ln kmod/%.ln: ../%.c
$(LINT.c) -dirout=$(@D) -c $<
+dmod/%.ln kmod/%.ln: ../%.s
+ $(LINT.s) -dirout=$(@D) -c $<
+
dmod/%.ln kmod/%.ln: ../../../common/modules/$(MODNAME)/%.c
$(LINT.c) -dirout=$(@D) -c $<
+dmod/%.ln kmod/%.ln: ../../../common/modules/$(MODNAME)/%.s
+ $(LINT.s) -dirout=$(@D) -c $<
+
dmod/%.ln kmod/%.ln: $$(MODSRCS_DIR)/%.c
$(LINT.c) -dirout=$(@D) -c $<
+dmod/%.ln kmod/%.ln: $$(MODSRCS_DIR)/%.s
+ $(LINT.s) -dirout=$(@D) -c $<
+
#
# Installation targets
#
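Review bot: The four new assembly object rules name their second target `kmod%.o` instead of `kmod/%.o`, so they presumably never match the `kmod/%.o` objects that `KMODOBJS` now lists through `$(KMODASMSRCS:%.s=kmod/%.o)`. This affects the rules for `%.s`, `../%.s`, `../../../common/modules/$(MODNAME)/%.s` and `$$(MODSRCS_DIR)/%.s`. The neighbouring `.c` rules and the new `.ln` rules all spell the directory with a slash, so this looks like a typo. Each target line should read `dmod/%.o kmod/%.o: %.s`, with the matching prerequisite in the other three. The kmdb build is the one that matters here, because `crregs_dcmd` is only compiled under `_KMDB`.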
diff --git a/usr/src/cmd/mdb/i86pc/modules/unix/amd64/Makefile b/usr/src/cmd/mdb/i86pc/modules/unix/amd64/Makefile
index 8d36fb01e5..26afa1c288 100644
--- a/usr/src/cmd/mdb/i86pc/modules/unix/amd64/Makefile
+++ b/usr/src/cmd/mdb/i86pc/modules/unix/amd64/Makefile
@@ -27,6 +27,7 @@ MODULE = unix.so
MDBTGT = kvm
MODSRCS = unix.c i86mmu.c
+MODASMSRCS = unix_sup.s
include ../../../../../Makefile.cmd
include ../../../../../Makefile.cmd.64
diff --git a/usr/src/cmd/mdb/i86pc/modules/unix/ia32/Makefile b/usr/src/cmd/mdb/i86pc/modules/unix/ia32/Makefile
index ad756f82e9..2c76a010bd 100644
--- a/usr/src/cmd/mdb/i86pc/modules/unix/ia32/Makefile
+++ b/usr/src/cmd/mdb/i86pc/modules/unix/ia32/Makefile
@@ -27,6 +27,7 @@ MODULE = unix.so
MDBTGT = kvm
MODSRCS = unix.c i86mmu.c
+MODASMSRCS = unix_sup.s
include ../../../../../Makefile.cmd
include ../../../../intel/Makefile.ia32
diff --git a/usr/src/cmd/mdb/i86pc/modules/unix/unix.c b/usr/src/cmd/mdb/i86pc/modules/unix/unix.c
index 55e35e10a5..3a90ce431b 100644
--- a/usr/src/cmd/mdb/i86pc/modules/unix/unix.c
+++ b/usr/src/cmd/mdb/i86pc/modules/unix/unix.c
@@ -20,10 +20,7 @@
*/
/*
* Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
- */
-
-/*
- * Copyright (c) 2012 Joyent, Inc. All rights reserved.
+ * Copyright 2015 Joyent, Inc.
*/
#include <mdb/mdb_modapi.h>
@@ -39,9 +36,11 @@
#include <sys/mutex.h>
#include <sys/mutex_impl.h>
#include "i86mmu.h"
+#include "unix_sup.h"
#include <sys/apix.h>
#include <sys/x86_archext.h>
#include <sys/bitmap.h>
+#include <sys/controlregs.h>
#define TT_HDLR_WIDTH 17
@@ -882,6 +881,54 @@ x86_featureset_cmd(uintptr_t addr, uint_t flags, int argc,
return (DCMD_OK);
}
+#ifdef _KMDB
+/* ARGSUSED */
+static int
+crregs_dcmd(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv)
+{
+ ulong_t cr0, cr4;
+ static const mdb_bitmask_t cr0_flag_bits[] = {
+ { "PE", CR0_PE, CR0_PE },
+ { "MP", CR0_MP, CR0_MP },
+ { "EM", CR0_EM, CR0_EM },
+ { "TS", CR0_TS, CR0_TS },
+ { "ET", CR0_ET, CR0_ET },
+ { "NE", CR0_NE, CR0_NE },
+ { "WP", CR0_WP, CR0_WP },
+ { "AM", CR0_AM, CR0_AM },
+ { "NW", CR0_NW, CR0_NW },
+ { "CD", CR0_CD, CR0_CD },
+ { "PG", CR0_PG, CR0_PG },
+ { NULL, 0, 0 }
+ };
+
+ static const mdb_bitmask_t cr4_flag_bits[] = {
+ { "VME", CR4_VME, CR4_VME },
+ { "PVI", CR4_PVI, CR4_PVI },
+ { "TSD", CR4_TSD, CR4_TSD },
+ { "DE", CR4_DE, CR4_DE },
+ { "PSE", CR4_PSE, CR4_PSE },
+ { "PAE", CR4_PAE, CR4_PAE },
+ { "MCE", CR4_MCE, CR4_MCE },
+ { "PGE", CR4_PGE, CR4_PGE },
+ { "PCE", CR4_PCE, CR4_PCE },
+ { "OSFXSR", CR4_OSFXSR, CR4_OSFXSR },
+ { "OSXMMEXCPT", CR4_OSXMMEXCPT, CR4_OSXMMEXCPT },
+ { "VMXE", CR4_VMXE, CR4_VMXE },
+ { "SMXE", CR4_SMXE, CR4_SMXE },
+ { "OSXSAVE", CR4_OSXSAVE, CR4_OSXSAVE },
+ { "SMEP", CR4_SMEP, CR4_SMEP },
+ { NULL, 0, 0 }
+ };
+
+ cr0 = kmdb_unix_getcr0();
+ cr4 = kmdb_unix_getcr4();
+ mdb_printf("%%cr0 = 0x%08x <%b>\n", cr0, cr0, cr0_flag_bits);
+ mdb_printf("%%cr4 = 0x%08x <%b>\n", cr4, cr4, cr4_flag_bits);
+ return (DCMD_OK);
+}
+#endif
+
static const mdb_dcmd_t dcmds[] = {
{ "gate_desc", ":", "dump a gate descriptor", gate_desc },
{ "idt", ":[-v]", "dump an IDT", idt },
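Review bot: In `crregs_dcmd` both `mdb_printf` calls pass `ulong_t` values to a `%08x` conversion, which does not match the argument width on amd64, where `kmdb_unix_getcr0()` and `kmdb_unix_getcr4()` return the full 64-bit register. I would write `mdb_printf("%%cr0 = 0x%08lx <%b>\n", cr0, cr0, cr0_flag_bits);` and the same for `%cr4`, and confirm which argument width `%b` expects. This dcmd is how an operator verifies that `CR4_SMEP` is really set on a live system, so the printed value should not depend on how a mismatched vararg happens to be passed. The function is marked `/* ARGSUSED */` and silently accepts an address or arguments; returning `DCMD_USAGE` when `(flags & DCMD_ADDRSPEC) || argc != 0` would make misuse visible.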
@@ -906,6 +953,9 @@ static const mdb_dcmd_t dcmds[] = {
"scale an unscaled high-res time", scalehrtime_cmd },
{ "x86_featureset", NULL, "dump the x86_featureset vector",
x86_featureset_cmd },
+#ifdef _KMDB
+ { "crregs", NULL, "dump control registers", crregs_dcmd },
+#endif
{ NULL }
};
diff --git a/usr/src/cmd/mdb/i86pc/modules/unix/unix_sup.h b/usr/src/cmd/mdb/i86pc/modules/unix/unix_sup.h
new file mode 100644
index 0000000000..b272baaf59
--- /dev/null
+++ b/usr/src/cmd/mdb/i86pc/modules/unix/unix_sup.h
@@ -0,0 +1,36 @@
+/*
+ * This file and its contents are supplied under the terms of the
+ * Common Development and Distribution License ("CDDL"), version 1.0.
+ * You may only use this file in accordance with the terms of version
+ * 1.0 of the CDDL.
+ *
+ * A full copy of the text of the CDDL should have accompanied this
+ * source. A copy of the CDDL is also available via the Internet at
+ * http://www.illumos.org/license/CDDL.
+ */
+
+/*
+ * Copyright 2015 Joyent, Inc.
+ */
+
+#ifndef _UNIX_SUP_H
+#define _UNIX_SUP_H
+
+/*
+ * Support routines for unix.
+ */
+
+#include <sys/types.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+extern ulong_t kmdb_unix_getcr0(void);
+extern ulong_t kmdb_unix_getcr4(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _UNIX_SUP_H */
diff --git a/usr/src/cmd/mdb/i86pc/modules/unix/unix_sup.s b/usr/src/cmd/mdb/i86pc/modules/unix/unix_sup.s
new file mode 100644
index 0000000000..f7d4e168c0
--- /dev/null
+++ b/usr/src/cmd/mdb/i86pc/modules/unix/unix_sup.s
@@ -0,0 +1,64 @@
+/*
+ * This file and its contents are supplied under the terms of the
+ * Common Development and Distribution License ("CDDL"), version 1.0.
+ * You may only use this file in accordance with the terms of version
+ * 1.0 of the CDDL.
+ *
+ * A full copy of the text of the CDDL should have accompanied this
+ * source. A copy of the CDDL is also available via the Internet at
+ * http://www.illumos.org/license/CDDL.
+ */
+
+/*
+ * Copyright 2015 Joyent, Inc.
+ */
+
+#if !defined(__lint)
+ .file "unix_sup.s"
+#endif /* __lint */
+
+/*
+ * Support routines for the unix kmdb module
+ */
+
+#include <sys/asm_linkage.h>
+
+#if defined(__lint)
+
+#include <sys/types.h>
+
+ulong_t
+kmdb_unix_getcr0(void)
+{ return (0); }
+
+ulong_t
+kmdb_unix_getcr4(void)
+{ return (0); }
+
+#else /* __lint */
+
+#if defined(__amd64)
+ ENTRY(kmdb_unix_getcr0)
+ movq %cr0, %rax
+ ret
+ SET_SIZE(kmdb_unix_getcr0)
+
+ ENTRY(kmdb_unix_getcr4)
+ movq %cr4, %rax
+ ret
+ SET_SIZE(kmdb_unix_getcr4)
+
+#elif defined (__i386)
+ ENTRY(kmdb_unix_getcr0)
+ movl %cr0, %eax
+ ret
+ SET_SIZE(kmdb_unix_getcr0)
+
+ ENTRY(kmdb_unix_getcr4)
+ movl %cr4, %eax
+ ret
+ SET_SIZE(kmdb_unix_getcr4)
+
+#endif /* __i386 */
+
+#endif /* __lint */
diff --git a/usr/src/cmd/mdb/i86xpv/modules/unix/amd64/Makefile b/usr/src/cmd/mdb/i86xpv/modules/unix/amd64/Makefile
index dd8ea3d585..95922ff772 100644
--- a/usr/src/cmd/mdb/i86xpv/modules/unix/amd64/Makefile
+++ b/usr/src/cmd/mdb/i86xpv/modules/unix/amd64/Makefile
@@ -27,6 +27,7 @@ MODULE = unix.so
MDBTGT = kvm
MODSRCS = unix.c i86mmu.c
+MODASMSRCS = unix_sup.s
include ../../../../../Makefile.cmd
include ../../../../../Makefile.cmd.64
diff --git a/usr/src/cmd/mdb/i86xpv/modules/unix/ia32/Makefile b/usr/src/cmd/mdb/i86xpv/modules/unix/ia32/Makefile
index fd0ad9ee04..975ae705dc 100644
--- a/usr/src/cmd/mdb/i86xpv/modules/unix/ia32/Makefile
+++ b/usr/src/cmd/mdb/i86xpv/modules/unix/ia32/Makefile
@@ -27,6 +27,7 @@ MODULE = unix.so
MDBTGT = kvm
MODSRCS = unix.c i86mmu.c
+MODASMSRCS = unix_sup.s
include ../../../../../Makefile.cmd
include ../../../../intel/Makefile.ia32
diff --git a/usr/src/uts/i86pc/os/cpuid.c b/usr/src/uts/i86pc/os/cpuid.c
index 9f57a078d7..586ec0656b 100644
--- a/usr/src/uts/i86pc/os/cpuid.c
+++ b/usr/src/uts/i86pc/os/cpuid.c
@@ -169,7 +169,8 @@ static char *x86_feature_names[NUM_X86_FEATURES] = {
"avx2",
"bmi1",
"bmi2",
- "fma"
+ "fma",
+ "smep"
};
boolean_t
@@ -1245,6 +1246,9 @@ cpuid_pass1(cpu_t *cpu, uchar_t *featureset)
ecp->cp_ebx &= ~CPUID_INTC_EBX_7_0_BMI2;
ecp->cp_ebx &= ~CPUID_INTC_EBX_7_0_AVX2;
}
+
+ if (ecp->cp_ebx & CPUID_INTC_EBX_7_0_SMEP)
+ add_x86_feature(featureset, X86FSET_SMEP);
}
/*
diff --git a/usr/src/uts/i86pc/os/mlsetup.c b/usr/src/uts/i86pc/os/mlsetup.c
index 105c5c3363..0fd3ec3dfb 100644
--- a/usr/src/uts/i86pc/os/mlsetup.c
+++ b/usr/src/uts/i86pc/os/mlsetup.c
@@ -267,8 +267,14 @@ mlsetup(struct regs *rp)
if (is_x86_feature(x86_featureset, X86FSET_TSCP))
(void) wrmsr(MSR_AMD_TSCAUX, 0);
+ /*
+ * Let's get the other %cr4 stuff while we're here.
+ */
if (is_x86_feature(x86_featureset, X86FSET_DE))
setcr4(getcr4() | CR4_DE);
+
+ if (is_x86_feature(x86_featureset, X86FSET_SMEP))
+ setcr4(getcr4() | CR4_SMEP);
#endif /* __xpv */
/*
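Review bot: `CR4` is a per-CPU register, and the added `setcr4(getcr4() | CR4_SMEP)` runs only on the CPU executing `mlsetup()`. Nothing in this hunk shows how the bit reaches the other processors or survives a suspend/resume cycle, so that path should be confirmed, since one CPU without SMEP undoes the protection. The new comment `Let's get the other %cr4 stuff while we're here.` does not say what is being enabled or why; something like `/* Enable SMEP so a kernel-mode instruction fetch from a user page faults. */` above the second `if` would help. The block closes at `#endif /* __xpv */`, so it is presumably not compiled for the xpv kernel, while the `cpuid.c` hunk adds `X86FSET_SMEP` whenever the CPUID bit is present. `x86_featureset` therefore reports capability, not enablement, and that is worth stating in the comment. `mlsetup()` begins and continues outside this hunk.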
diff --git a/usr/src/uts/i86pc/os/trap.c b/usr/src/uts/i86pc/os/trap.c
index 8c2a7bd5bd..4184b116f5 100644
--- a/usr/src/uts/i86pc/os/trap.c
+++ b/usr/src/uts/i86pc/os/trap.c
@@ -625,6 +625,19 @@ trap(struct regs *rp, caddr_t addr, processorid_t cpuid)
}
/*
+ * If we have an Instruction fault in kernel mode, then that
+ * means we've tried to execute a user page (SMEP) or both of
+ * PAE and NXE are enabled. In either case, given that it's a
+ * kernel fault, we should panic immediately and not try to make
+ * any more forward progress. This indicates a bug in the
+ * kernel, which if execution continued, could be exploited to
+ * wreak havoc on the system.
+ */
+ if (errcode & PF_ERR_EXEC) {
+ (void) die(type, rp, addr, cpuid);
+ }
+
+ /*
* See if we can handle as pagefault. Save lofault and onfault
* across this. Here we assume that an address less than
* KERNELBASE is a user fault. We can do this as copy.s
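Review bot: The new comment reads as though "both of PAE and NXE are enabled" were a second cause of the fault, when that is only the condition under which the processor reports the bit for a no-execute page. I would reword it to say that the fetch hit either a user page (SMEP) or a page marked no-execute, and that both are fatal in kernel mode. The result of `die()` is discarded, and if it can ever return, control falls through into the lofault/onfault pagefault handling below, which is the recovery path this check is meant to bypass. A short `/* die() does not return */` remark, or an explicit statement of what happens if it does, would settle that for the reader. The enclosing `case` starts outside the hunk, so it cannot be confirmed from here that `errcode` is only ever a page-fault error code at this point.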
diff --git a/usr/src/uts/intel/ia32/sys/trap.h b/usr/src/uts/intel/ia32/sys/trap.h
index 3d4536c4f8..55add52cad 100644
--- a/usr/src/uts/intel/ia32/sys/trap.h
+++ b/usr/src/uts/intel/ia32/sys/trap.h
@@ -86,6 +86,8 @@ extern "C" {
#define PF_ERR_USER 0x04 /* processor was in user mode */
/* (else supervisor) */
#define PF_ERR_EXEC 0x10 /* attempt to execute a No eXec page (AMD) */
+ /* or kernel tried to execute a user page */
+ /* (Intel SMEP) */
/*
* Definitions for fast system call subfunctions
diff --git a/usr/src/uts/intel/sys/controlregs.h b/usr/src/uts/intel/sys/controlregs.h
index d84bba7d3a..98615937b2 100644
--- a/usr/src/uts/intel/sys/controlregs.h
+++ b/usr/src/uts/intel/sys/controlregs.h
@@ -20,6 +20,7 @@
*/
/*
* Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright 2015, Joyent, Inc.
*/
#ifndef _SYS_CONTROLREGS_H
@@ -108,9 +109,10 @@ extern "C" {
#define CR4_VMXE 0x2000
#define CR4_SMXE 0x4000
#define CR4_OSXSAVE 0x40000 /* OS xsave/xrestore support */
+#define CR4_SMEP 0x100000 /* NX for user pages in kernel */
#define FMT_CR4 \
- "\20\23osxsav\17smxe\16vmxe\13xmme\12fxsr\11pce\10pge" \
+ "\20\25smep\23osxsav\17smxe\16vmxe\13xmme\12fxsr\11pce\10pge" \
"\7mce\6pae\5pse\4de\3tsd\2pvi\1vme"
/*
diff --git a/usr/src/uts/intel/sys/x86_archext.h b/usr/src/uts/intel/sys/x86_archext.h
index 29909b6910..11b74e8e53 100644
--- a/usr/src/uts/intel/sys/x86_archext.h
+++ b/usr/src/uts/intel/sys/x86_archext.h
@@ -214,13 +214,14 @@ extern "C" {
/*
* Intel also uses cpuid leaf 7 to have additional instructions and features.
- * Like some other leaves, but unlink the current ones we care about, it
+ * Like some other leaves, but unlike the current ones we care about, it
* requires us to specify both a leaf in %eax and a sub-leaf in %ecx. To deal
* with the potential use of additional sub-leaves in the future, we now
* specifically label the EBX features with their leaf and sub-leaf.
*/
#define CPUID_INTC_EBX_7_0_BMI1 0x00000008 /* BMI1 instrs */
#define CPUID_INTC_EBX_7_0_AVX2 0x00000020 /* AVX2 supported */
+#define CPUID_INTC_EBX_7_0_SMEP 0x00000080 /* SMEP in CR4 */
#define CPUID_INTC_EBX_7_0_BMI2 0x00000100 /* BMI2 Instrs */
#define P5_MCHADDR 0x0
@@ -396,6 +397,7 @@ extern "C" {
#define X86FSET_BMI1 42
#define X86FSET_BMI2 43
#define X86FSET_FMA 44
+#define X86FSET_SMEP 45
/*
* flags to patch tsc_read routine.
@@ -656,7 +658,7 @@ extern "C" {
#if defined(_KERNEL) || defined(_KMEMUSER)
-#define NUM_X86_FEATURES 45
+#define NUM_X86_FEATURES 46
extern uchar_t x86_featureset[];
extern void free_x86_featureset(void *featureset);