Date: Mon, 25 Jul 2022 23:05:50 +0000
From: bugzilla-noreply@freebsd.org
To: riscv@FreeBSD.org
Subject: [Bug 265439] copyin() repeatedly traps on some illegal user addresses on RISC-V
Message-ID: <bug-265439-40250@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=265439

            Bug ID: 265439
           Summary: copyin() repeatedly traps on some illegal user addresses on RISC-V
           Product: Base System
           Version: CURRENT
          Hardware: riscv
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: riscv
          Assignee: riscv@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

FreeBSD-CURRENT on qemu 6.2.0's riscv64 emulation can disagree with the
"hardware" about whether upper bits of SV39 virtual addresses are
significant. copyin() will get a page fault from the hardware if a
user-supplied address has a few bits higher than the 39th set, but the
pmap.c pmap_xx_index() macros ignore those high bits, so pmap_fault() may
treat it as a valid user address. So the trap may return to copyin(), which
will fault again on the same address...

Here's a program that does that for me.

#include <unistd.h>

int main(void)
{
	char buf[512];

	/* Set bits above bit 38 so the SV39 address is non-canonical. */
	write(1, (void *)(0x500000000000ULL | (unsigned long)buf), 1);
	return 0;
}

Here's a typical ddb backtrace:

pmap_fault() at pmap_fault+0xc0
page_fault_handler() at page_fault_handler+0x11c
do_trap_supervisor() at do_trap_supervisor+0x76
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x500080e1f230
copyin() at copyin+0x68
uiomove() at uiomove+0xe
log_console() at log_console+0x60
ttyconsdev_write() at ttyconsdev_write+0x1a
devfs_write_f() at devfs_write_f+0xa6
fo_write() at fo_write+0xa
dofilewrite() at dofilewrite+0x66
kern_writev() at kern_writev+0x40
sys_write() at sys_write+0x54
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xea
cpu_exception_handler_user() at cpu_exception_handler_user+0x72

-- 
You are receiving this mail because:
You are the assignee for the bug.
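The following is an added illustration, not code from the report or from FreeBSD's pmap.c: it shows how masking index extraction makes the report's non-canonical address select the same page-table slots as the real stack address (low bits taken from the tval in the backtrace), and the canonical-plus-range check a fault handler needs so that such an address is reported as a fault instead of retried. The shift constants, the 9-bit index mask and VM_MAXUSER_ADDRESS = 2^38 are assumed SV39 values, not taken from the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed SV39 layout constants (FreeBSD-style names, not from the page). */
#define SV39_VA_BITS        39
#define VM_MAXUSER_ADDRESS  (1ULL << (SV39_VA_BITS - 1))   /* 0x4000000000 */
#define L2_SHIFT            30
#define L1_SHIFT            21
#define L0_SHIFT            12
#define Ln_ADDR_MASK        0x1ffULL   /* 9 index bits per level */

/* Mask-only index extraction: bits above bit 38 are silently discarded,
 * so a bogus address and a real one can select the same table slots. */
static inline uint64_t l2_index(uint64_t va) { return (va >> L2_SHIFT) & Ln_ADDR_MASK; }
static inline uint64_t l1_index(uint64_t va) { return (va >> L1_SHIFT) & Ln_ADDR_MASK; }
static inline uint64_t l0_index(uint64_t va) { return (va >> L0_SHIFT) & Ln_ADDR_MASK; }

/* True when two different addresses walk to the same L2/L1/L0 slots. */
bool indices_alias(uint64_t va, uint64_t alias)
{
	return va != alias && l2_index(va) == l2_index(alias) &&
	    l1_index(va) == l1_index(alias) && l0_index(va) == l0_index(alias);
}

/* What the MMU enforces: bits 63..38 must all equal bit 38. */
bool sv39_canonical(uint64_t va)
{
	uint64_t high = va >> (SV39_VA_BITS - 1);   /* bits 63..38 */
	return high == 0 || high == (UINT64_MAX >> (SV39_VA_BITS - 1));
}

/* Check to apply before consulting the user pmap: a non-canonical address
 * can never resolve, so the fault must be delivered, not retried. */
bool user_va_is_resolvable(uint64_t va)
{
	return sv39_canonical(va) && va < VM_MAXUSER_ADDRESS;
}

int main(void)
{
	uint64_t buf = 0x80e1f230ULL;            /* low bits of the trace's tval */
	uint64_t bad = 0x500000000000ULL | buf;  /* the report's construction */

	printf("alias=%d resolvable(buf)=%d resolvable(bad)=%d\n",
	    indices_alias(buf, bad), user_va_is_resolvable(buf),
	    user_va_is_resolvable(bad));
	return 0;
}
```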