[Bug 265439] copyin() repeatedly traps on some illegal user addresses on RISC-V
Date: Mon, 25 Jul 2022 23:05:50 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=265439
Bug ID: 265439
Summary: copyin() repeatedly traps on some illegal user addresses on RISC-V
Product: Base System
Version: CURRENT
Hardware: riscv
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: riscv
Assignee: riscv@FreeBSD.org
Reporter: rtm@lcs.mit.edu
FreeBSD-CURRENT on qemu 6.2.0's riscv64 emulation can disagree with
the "hardware" about whether upper bits of SV39 virtual addresses
are significant. copyin() will get a page fault from the hardware if a
user-supplied address has a few bits higher than the 39th set, but the
pmap.c pmap_xx_index() macros ignore those high bits, so pmap_fault()
may treat it as a valid user address. So the trap may return to
copyin(), which will fault again on the same address...
Here's a program that does that for me.
#include <unistd.h>

int
main(void)
{
        char buf[512];
        /* Set bits above the SV39 39-bit range in an otherwise valid stack address. */
        write(1, 0x500000000000ULL | (unsigned long) buf, 1);
        return 0;
}
Here's a typical ddb backtrace:
pmap_fault() at pmap_fault+0xc0
page_fault_handler() at page_fault_handler+0x11c
do_trap_supervisor() at do_trap_supervisor+0x76
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x500080e1f230
copyin() at copyin+0x68
uiomove() at uiomove+0xe
log_console() at log_console+0x60
ttyconsdev_write() at ttyconsdev_write+0x1a
devfs_write_f() at devfs_write_f+0xa6
fo_write() at fo_write+0xa
dofilewrite() at dofilewrite+0x66
kern_writev() at kern_writev+0x40
sys_write() at sys_write+0x54
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xea
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
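The mismatch the report describes, as an added example (not FreeBSD's pmap.c; the shifts, masks and function names are assumptions modelled on the RISC-V SV39 layout): a mask-based index computation silently drops bits 39..63, so the faulting tval and its 39-bit truncation select the same top-level entry, while a canonical-address check on the faulting address tells the handler the access can never succeed and must not be retried.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constants follow the RISC-V SV39 layout (4 KiB pages, three 9-bit index
 * levels); they are assumptions for this example, not FreeBSD's macros. */
#define SV39_VA_BITS    39
#define SV39_L1_SHIFT   30          /* top-level index uses VA bits 38..30 */
#define SV39_LN_MASK    0x1ffULL    /* 9-bit index within one table */

/* Top-level table index. Like a plain (va >> shift) & mask macro, it never
 * looks at bits above 38, so 0x500000000000 | va and va pick the same entry. */
uint64_t sv39_l1_index(uint64_t va)
{
    return (va >> SV39_L1_SHIFT) & SV39_LN_MASK;
}

/* SV39 requires bits 63..38 to be all zero or all one; anything else makes
 * the MMU fault regardless of what the page tables contain. */
bool sv39_is_canonical(uint64_t va)
{
    uint64_t high = va >> (SV39_VA_BITS - 1);             /* bits 63..38 */
    return high == 0 || high == (1ULL << (64 - (SV39_VA_BITS - 1))) - 1;
}

/* A user address is a canonical address with bit 38 clear. */
bool sv39_is_user_va(uint64_t va)
{
    return sv39_is_canonical(va) && ((va >> (SV39_VA_BITS - 1)) & 1) == 0;
}

/* Handler decision for a faulting user address (the trap's tval): true means
 * it is worth resolving through the page tables, false means the fault must
 * be reported to the process instead of returning to the faulting copyin(). */
bool user_fault_is_resolvable(uint64_t tval)
{
    return sv39_is_user_va(tval);
}

int main(void)
{
    uint64_t bad = 0x500080e1f230ULL;                     /* tval from the backtrace */
    uint64_t good = bad & ((1ULL << SV39_VA_BITS) - 1);   /* same address, high bits cleared */
    printf("l1 index: bad=%llu good=%llu canonical(bad)=%d resolvable(bad)=%d\n",
           (unsigned long long)sv39_l1_index(bad), (unsigned long long)sv39_l1_index(good),
           sv39_is_canonical(bad), user_fault_is_resolvable(bad));
    return 0;
}
```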