From: bugzilla-noreply@freebsd.org
To: riscv@FreeBSD.org
Subject: [Bug 265439] copyin() repeatedly traps on some illegal user addresses on RISC-V
Date: Mon, 25 Jul 2022 23:05:50 +0000
List-Id: FreeBSD on the RISC-V instruction set architecture
List-Archive: https://lists.freebsd.org/archives/freebsd-riscv

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=265439

            Bug ID: 265439
           Summary: copyin() repeatedly traps on some illegal user
                    addresses on RISC-V
           Product: Base System
           Version: CURRENT
          Hardware: riscv
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: riscv
          Assignee: riscv@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

FreeBSD-CURRENT on qemu 6.2.0's riscv64 emulation can disagree with the
"hardware" about whether upper bits of SV39 virtual addresses are
significant. copyin() will get a page fault from the hardware if a
user-supplied address has a few bits higher than the 39th set, but the
pmap.c pmap_xx_index() macros ignore those high bits, so pmap_fault()
may treat it as a valid user address. So the trap may return to
copyin(), which will fault again on the same address...

Here's a program that does that for me.

#include <unistd.h>

int
main()
{
  char buf[512];
  /* set bits above bit 38 of an otherwise valid user address */
  write(1, (const void *)(0x500000000000ULL | (unsigned long) buf), 1);
}

Here's a typical ddb backtrace:

pmap_fault() at pmap_fault+0xc0
page_fault_handler() at page_fault_handler+0x11c
do_trap_supervisor() at do_trap_supervisor+0x76
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x500080e1f230
copyin() at copyin+0x68
uiomove() at uiomove+0xe
log_console() at log_console+0x60
ttyconsdev_write() at ttyconsdev_write+0x1a
devfs_write_f() at devfs_write_f+0xa6
fo_write() at fo_write+0xa
dofilewrite() at dofilewrite+0x66
kern_writev() at kern_writev+0x40
sys_write() at sys_write+0x54
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xea
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
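
The mismatch described in the report, as an added example that is not part of the original bug report and is not FreeBSD's pmap code: a shift-and-mask page-table index discards bits 63..39, so the faulting address from the backtrace walks to the same entries as its low 39 bits, while the Sv39 canonical-address rule that the MMU enforces rejects it. The helper names are hypothetical; the field layout (12-bit offset, three 9-bit VPN fields) is taken from the RISC-V privileged specification.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Sv39 layout: 12-bit page offset plus three 9-bit VPN fields.
 * Names are hypothetical, not FreeBSD's. */
#define SV39_VA_BITS  39
#define SV39_VPN_MASK 0x1ffULL

/* Index into the page table at `level` (2 = root, 0 = leaf). Like any
 * shift-and-mask index, this silently discards bits 63..39. */
static unsigned sv39_vpn(uint64_t va, int level)
{
    return (unsigned)((va >> (12 + 9 * level)) & SV39_VPN_MASK);
}

/* Sv39 requires bits 63..39 to equal bit 38; otherwise the MMU raises
 * a page fault regardless of what the page tables contain. */
static bool sv39_is_canonical(uint64_t va)
{
    uint64_t upper = va >> (SV39_VA_BITS - 1);      /* bits 63..38 */
    return upper == 0 || upper == (UINT64_MAX >> (SV39_VA_BITS - 1));
}

/* True when a software table walk reaches the same PTE for both. */
static bool sv39_same_walk(uint64_t a, uint64_t b)
{
    for (int level = 2; level >= 0; level--)
        if (sv39_vpn(a, level) != sv39_vpn(b, level))
            return false;
    return true;
}

int main(void)
{
    uint64_t bad = 0x500080e1f230ULL;       /* tval from the backtrace */
    uint64_t low = bad & ((1ULL << SV39_VA_BITS) - 1);  /* derived here */

    printf("bad=%#llx canonical=%d\n",
        (unsigned long long)bad, sv39_is_canonical(bad));
    printf("low=%#llx canonical=%d\n",
        (unsigned long long)low, sv39_is_canonical(low));
    printf("same software walk: %d\n", sv39_same_walk(bad, low));
    return 0;
}
```

A fault handler that consults only the index result sees a mapped page and resumes the access; checking the canonical form of the faulting address first tells the two cases apart.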