git: 2f1cdb1e4883 - stable/13 - riscv: Avoid passing invalid addresses to pmap_fault()

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Thu, 04 Aug 2022 13:57:35 UTC
The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=2f1cdb1e4883a962ff305f7422495122516983df

commit 2f1cdb1e4883a962ff305f7422495122516983df
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2022-07-28 13:38:52 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-08-04 13:57:15 +0000

    riscv: Avoid passing invalid addresses to pmap_fault()
    
    After the addition of SV48 support, VIRT_IS_VALID() did not exclude
    addresses that are in the SV39 address space hole but not in the SV48
    address space hole.  This can result in mishandling of accesses to that
    range when in SV39 mode.
    
    Fix the problem by modifying VIRT_IS_VALID() to use the runtime address
    space bounds.  Then, if the address is invalid, and pcb_onfault is set,
    give vm_fault_trap() a chance to veto the access instead of panicking.
    
    PR:             265439
    Reviewed by:    jhb
    Reported and tested by: Robert Morris <rtm@lcs.mit.edu>
    Fixes:          31218f3209ac ("riscv: Add support for enabling SV48 mode")
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit 828ea49debe34fddf63cb648b9e57871a34158b6)
---
 sys/riscv/include/pmap.h    | 5 +++++
 sys/riscv/include/vmparam.h | 4 ----
 sys/riscv/riscv/pmap.c      | 2 ++
 sys/riscv/riscv/trap.c      | 7 ++-----
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/sys/riscv/include/pmap.h b/sys/riscv/include/pmap.h
index 8ba46f0d61ae..8834c91362ad 100644
--- a/sys/riscv/include/pmap.h
+++ b/sys/riscv/include/pmap.h
@@ -144,6 +144,11 @@ enum pmap_mode {
 
 extern enum pmap_mode pmap_mode;
 
+/* Check if an address resides in a mappable region. */
+#define	VIRT_IS_VALID(va)						\
+	((va) < (pmap_mode == PMAP_MODE_SV39 ? VM_MAX_USER_ADDRESS_SV39 : \
+	    VM_MAX_USER_ADDRESS_SV48) || (va) >= VM_MIN_KERNEL_ADDRESS)
+
 struct thread;
 
 #define	pmap_vm_page_alloc_check(m)
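Review bot: `VIRT_IS_VALID()` expands `va` twice and reads the global `pmap_mode` on every use, and the one-line comment above it mentions neither. An argument with side effects would be evaluated twice, and the answer is only meaningful once `pmap_mode` holds its final value; where during boot that happens is not visible in this hunk. A small `static __inline bool` helper would remove the double-evaluation hazard, or the comment could at least read `/* Check if an address resides in a mappable region for the current pmap_mode; evaluates va twice. */`.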
diff --git a/sys/riscv/include/vmparam.h b/sys/riscv/include/vmparam.h
index f11f02dcb3e6..6e1c9e11a3cc 100644
--- a/sys/riscv/include/vmparam.h
+++ b/sys/riscv/include/vmparam.h
@@ -202,10 +202,6 @@
 #define	VM_MINUSER_ADDRESS	(VM_MIN_USER_ADDRESS)
 #define	VM_MAXUSER_ADDRESS	(VM_MAX_USER_ADDRESS)
 
-/* Check if an address resides in a mappable region. */
-#define	VIRT_IS_VALID(va)						\
-    (((va) < VM_MAX_USER_ADDRESS) || ((va) >= VM_MIN_KERNEL_ADDRESS))
-
 #define	KERNBASE		(VM_MIN_KERNEL_ADDRESS)
 #define	SHAREDPAGE_SV39		(VM_MAX_USER_ADDRESS_SV39 - PAGE_SIZE)
 #define	SHAREDPAGE_SV48		(VM_MAX_USER_ADDRESS_SV48 - PAGE_SIZE)
diff --git a/sys/riscv/riscv/pmap.c b/sys/riscv/riscv/pmap.c
index ee8b332bcb8c..686d4278902a 100644
--- a/sys/riscv/riscv/pmap.c
+++ b/sys/riscv/riscv/pmap.c
@@ -2606,6 +2606,8 @@ pmap_fault(pmap_t pmap, vm_offset_t va, vm_prot_t ftype)
 	pt_entry_t bits, *pte, oldpte;
 	int rv;
 
+	KASSERT(VIRT_IS_VALID(va), ("pmap_fault: invalid va %#lx", va));
+
 	rv = 0;
 	PMAP_LOCK(pmap);
 	l2 = pmap_l2(pmap, va);
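Review bot: The new `KASSERT` in `pmap_fault()` enforces the valid-address precondition only in kernels built with INVARIANTS; in other builds it compiles away and `va` goes straight to `pmap_l2()`. The trap.c change in this commit guards its call with `VIRT_IS_VALID(va)`, but other callers, if any, are not visible here. The contract deserves a comment at the function, e.g. `/* Callers must ensure VIRT_IS_VALID(va); this is only asserted under INVARIANTS. */`. The body of pmap_fault() starts and ends outside this hunk.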
diff --git a/sys/riscv/riscv/trap.c b/sys/riscv/riscv/trap.c
index d378bfe1383d..9a889661b965 100644
--- a/sys/riscv/riscv/trap.c
+++ b/sys/riscv/riscv/trap.c
@@ -212,10 +212,7 @@ page_fault_handler(struct trapframe *frame, int usermode)
 		 */
 		intr_enable();
 
-		if (!VIRT_IS_VALID(stval))
-			goto fatal;
-
-		if (stval >= VM_MAX_USER_ADDRESS) {
+		if (stval >= VM_MIN_KERNEL_ADDRESS) {
 			map = kernel_map;
 		} else {
 			if (pcb->pcb_onfault == 0)
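Review bot: With the early `goto fatal` removed, nothing at this branch says where an address in the hole between user and kernel space now goes: it fails `stval >= VM_MIN_KERNEL_ADDRESS` and so takes the `else` path. That matches the commit description (let vm_fault_trap() veto the access when pcb_onfault is set), but it is easy to undo by accident. A comment such as `/* Invalid addresses also land here; pmap_fault() is skipped for them below so vm_fault_trap() can fail the access. */` would record the intent. The same reasoning sits behind the `VIRT_IS_VALID(va) &&` guard in the following hunk, which is the only check keeping such addresses out of pmap_fault() in non-INVARIANTS kernels. page_fault_handler() starts and ends outside this hunk.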
@@ -234,7 +231,7 @@ page_fault_handler(struct trapframe *frame, int usermode)
 		ftype = VM_PROT_READ;
 	}
 
-	if (pmap_fault(map->pmap, va, ftype))
+	if (VIRT_IS_VALID(va) && pmap_fault(map->pmap, va, ftype))
 		goto done;
 
 	error = vm_fault_trap(map, va, ftype, VM_FAULT_NORMAL, &sig, &ucode);