From 828ea49debe34fddf63cb648b9e57871a34158b6 Mon Sep 17 00:00:00 2001
From: Mark Johnston <markj@FreeBSD.org>
Date: Thu, 28 Jul 2022 09:38:52 -0400
Subject: [PATCH] riscv: Avoid passing invalid addresses to pmap_fault()

After the addition of SV48 support, VIRT_IS_VALID() did not exclude
addresses that are in the SV39 address space hole but not in the SV48
address space hole.  This can result in mishandling of accesses to that
range when in SV39 mode.

Fix the problem by modifying VIRT_IS_VALID() to use the runtime address
space bounds.  Then, if the address is invalid, and pcb_onfault is set,
give vm_fault_trap() a chance to veto the access instead of panicking.

PR:		265439
Reviewed by:	jhb
Reported and tested by:	Robert Morris <rtm@lcs.mit.edu>
Fixes:		31218f3209ac ("riscv: Add support for enabling SV48 mode")
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D35952
---
 sys/riscv/include/pmap.h    | 5 +++++
 sys/riscv/include/vmparam.h | 4 ----
 sys/riscv/riscv/pmap.c      | 2 ++
 sys/riscv/riscv/trap.c      | 7 ++-----
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/sys/riscv/include/pmap.h b/sys/riscv/include/pmap.h
index 8ba46f0d61a..8834c91362a 100644
--- a/sys/riscv/include/pmap.h
+++ b/sys/riscv/include/pmap.h
@@ -144,6 +144,11 @@ enum pmap_mode {
 
 extern enum pmap_mode pmap_mode;
 
+/* Check if an address resides in a mappable region. */
+#define	VIRT_IS_VALID(va)						\
+	((va) < (pmap_mode == PMAP_MODE_SV39 ? VM_MAX_USER_ADDRESS_SV39 : \
+	    VM_MAX_USER_ADDRESS_SV48) || (va) >= VM_MIN_KERNEL_ADDRESS)
+
 struct thread;
 
 #define	pmap_vm_page_alloc_check(m)
diff --git a/sys/riscv/include/vmparam.h b/sys/riscv/include/vmparam.h
index f11f02dcb3e..6e1c9e11a3c 100644
--- a/sys/riscv/include/vmparam.h
+++ b/sys/riscv/include/vmparam.h
@@ -202,10 +202,6 @@
 #define	VM_MINUSER_ADDRESS	(VM_MIN_USER_ADDRESS)
 #define	VM_MAXUSER_ADDRESS	(VM_MAX_USER_ADDRESS)
 
-/* Check if an address resides in a mappable region. */
-#define	VIRT_IS_VALID(va)						\
-    (((va) < VM_MAX_USER_ADDRESS) || ((va) >= VM_MIN_KERNEL_ADDRESS))
-
 #define	KERNBASE		(VM_MIN_KERNEL_ADDRESS)
 #define	SHAREDPAGE_SV39		(VM_MAX_USER_ADDRESS_SV39 - PAGE_SIZE)
 #define	SHAREDPAGE_SV48		(VM_MAX_USER_ADDRESS_SV48 - PAGE_SIZE)
diff --git a/sys/riscv/riscv/pmap.c b/sys/riscv/riscv/pmap.c
index 076e26230eb..9799b2b7bd9 100644
--- a/sys/riscv/riscv/pmap.c
+++ b/sys/riscv/riscv/pmap.c
@@ -2606,6 +2606,8 @@ pmap_fault(pmap_t pmap, vm_offset_t va, vm_prot_t ftype)
 	pt_entry_t bits, *pte, oldpte;
 	int rv;
 
+	KASSERT(VIRT_IS_VALID(va), ("pmap_fault: invalid va %#lx", va));
+
 	rv = 0;
 	PMAP_LOCK(pmap);
 	l2 = pmap_l2(pmap, va);
diff --git a/sys/riscv/riscv/trap.c b/sys/riscv/riscv/trap.c
index 0744f5a25fb..8b709b2de12 100644
--- a/sys/riscv/riscv/trap.c
+++ b/sys/riscv/riscv/trap.c
@@ -213,10 +213,7 @@ page_fault_handler(struct trapframe *frame, int usermode)
 		 */
 		intr_enable();
 
-		if (!VIRT_IS_VALID(stval))
-			goto fatal;
-
-		if (stval >= VM_MAX_USER_ADDRESS) {
+		if (stval >= VM_MIN_KERNEL_ADDRESS) {
 			map = kernel_map;
 		} else {
 			if (pcb->pcb_onfault == 0)
@@ -235,7 +232,7 @@ page_fault_handler(struct trapframe *frame, int usermode)
 		ftype = VM_PROT_READ;
 	}
 
-	if (pmap_fault(map->pmap, va, ftype))
+	if (VIRT_IS_VALID(va) && pmap_fault(map->pmap, va, ftype))
 		goto done;
 
 	error = vm_fault_trap(map, va, ftype, VM_FAULT_NORMAL, &sig, &ucode);