Page MenuHomeFreeBSD

riscv: fix VM_MAXUSER_ADDRESS checks in asm routines
ClosedPublic

Authored by mhorne on Jul 17 2021, 7:50 PM.
Tags
None
Referenced Files
F105568686: D31209.id96293.diff
Tue, Dec 17, 6:36 PM
F105561798: D31209.diff
Tue, Dec 17, 4:47 PM
Unknown Object (File)
Sat, Dec 14, 6:14 PM
Unknown Object (File)
Sat, Dec 14, 6:11 PM
Unknown Object (File)
Thu, Dec 12, 6:29 PM
Unknown Object (File)
Thu, Dec 5, 10:56 PM
Unknown Object (File)
Mon, Nov 18, 5:47 PM
Unknown Object (File)
Mon, Nov 18, 3:32 PM
Subscribers

Details

Summary

There are two issues with the checks against VM_MAXUSER_ADDRESS. First,
the comparison should consider the values as unsigned, otherwise
addresses with the high bit set will fail to branch. Second, the value
of VM_MAXUSER_ADDRESS is, by convention, one larger than the maximum
mappable user address and invalid itself. Thus, use the bgeu instruction
for these comparisons.

PR: 257193
Reported by: Robert Morris <rtm@lcs.mit.edu>

Test Plan

With this change, the test cases in PR 257193 will terminate as expected.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

This bug is also repeated in support.S for all the fu/su/casu functions

This bug is also repeated in support.S for all the fu/su/casu functions

Indeed, thanks for catching this. I will include those in this review.

Is it straightforward to add at least a copyin() test for this case, in tests/sys/kern_copyin.c?

With this change, the test cases in PR 253706 will terminate as expected.

Wrong PR number, in case you were planning to include this sentence in the commit log.

Apply the change to routines in support.S as well.

Add a test case to kern_copyin.c. It seems the hang cannot be triggered with a call to write(2), so use fcntl(2) as is done in the PR.

mhorne retitled this revision from riscv: fix bounds checking in copyinout.S routines to riscv: fix VM_MAXUSER_ADDRESS checks in asm routines.Oct 5 2021, 6:10 PM

Add a test case to kern_copyin.c.

Thanks.

It seems the hang cannot be triggered with a call to write(2), so use fcntl(2) as is done in the PR.

Any idea why?

This revision is now accepted and ready to land.Oct 6 2021, 1:15 PM

Add a test case to kern_copyin.c.

Thanks.

It seems the hang cannot be triggered with a call to write(2), so use fcntl(2) as is done in the PR.

Any idea why?

I looked for a bit but could not pinpoint it by code inspection. The path through the write(2) syscall to where copyin() is invoked is much more involved.

I suppose we eventually make it to ffs_write(), where one of vn_io_fault_uiomove() or vn_io_fault_pgmove() is called for the relevant uio. I _think_ the latter would cause the behaviour we are seeing, but I am not sure. I would expect the former to trigger the copyin() bug.