Bug 266103 - ioctl(/dev/mem, MEM_EXTRACT_PADDR, <0x80000000>) on /dev/mem on riscv64 panics
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: riscv
Version: CURRENT
Hardware: riscv Any
Importance: --- Affects Some People
Assignee: Mark Johnston
URL: https://reviews.freebsd.org/D36395
Reported: 2022-08-29 18:22 UTC by Robert Morris
Modified: 2022-10-13 00:54 UTC

Description Robert Morris 2022-08-29 18:22:23 UTC
On qemu riscv64, the program below causes "panic: pmap_l2_to_l3: PA
out of range, PA: 0x0" on an INVARIANTS kernel, and a kernel page
fault without INVARIANTS. The immediate problem seems to be that the
l2 PTE that pmap_extract() finds is all zeroes, but pmap_l2_to_l3()
assumes it contains a valid physical address.

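#include <sys/ioctl.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <sys/memrange.h>

int
main(void) {
  /* Needs read/write access to /dev/mem. */
  int fd = open("/dev/mem", O_RDWR);
  struct mem_extract m;

  if (fd < 0)
    return 1;
  memset(&m, 0, sizeof(m));
  m.me_vaddr = 0x80000000;  /* virtual address to translate */
  ioctl(fd, MEM_EXTRACT_PADDR, &m);
  close(fd);
  return 0;
}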

# uname -a
FreeBSD  14.0-CURRENT FreeBSD 14.0-CURRENT #40 main-n250928-b8170f38ccc7-dirty: Mon Aug 29 13:09:55 EDT 2022     rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
# cc x.c
# ./a.out
panic: Fatal page fault at 0xffffffc000618a18: 0xffffffcf80000000
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x76
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0xffffffcf80000000
pmap_extract() at pmap_extract+0x64
memioctl() at memioctl+0x78
devfs_ioctl() at devfs_ioctl+0xbe
VOP_IOCTL_APV() at VOP_IOCTL_APV+0x30
VOP_IOCTL() at VOP_IOCTL+0x36
vn_ioctl() at vn_ioctl+0xba
devfs_ioctl_f() at devfs_ioctl_f+0x20
fo_ioctl() at fo_ioctl+0xa
kern_ioctl() at kern_ioctl+0x242
sys_ioctl() at sys_ioctl+0x120
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xea
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
Comment 1 commit-hook freebsd_committer 2022-09-29 17:25:18 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=ec21f85ab5f03a803884cc7bafa88621c613f4ca

commit ec21f85ab5f03a803884cc7bafa88621c613f4ca
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2022-09-29 17:07:26 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-09-29 17:11:26 +0000

    riscv: Handle invalid L2 entries in pmap_extract()

    While here, eliminate a single-use local variable.

    PR:             266103
    Reviewed by:    mhorne
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D36395

 sys/riscv/riscv/pmap.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
Comment 2 commit-hook freebsd_committer 2022-10-13 00:51:45 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=4539de92bce9afef8a041a0c6b6a1a078a49fe71

commit 4539de92bce9afef8a041a0c6b6a1a078a49fe71
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2022-09-29 17:07:26 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-10-13 00:44:03 +0000

    riscv: Handle invalid L2 entries in pmap_extract()

    While here, eliminate a single-use local variable.

    PR:             266103
    Reviewed by:    mhorne

    (cherry picked from commit ec21f85ab5f03a803884cc7bafa88621c613f4ca)

 sys/riscv/riscv/pmap.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
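
A simplified user-space model of the failure described in the report (an all-zero L2 entry followed as if it held a valid physical address) and of the validity check the commit title refers to. It is an added illustration, not FreeBSD's pmap.c or the committed patch; the toy `dram` array, `DRAM_BASE`, `pa_to_table()`, `extract()` and its `check_l2` switch are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define PTE_V     0x1ULL          /* valid */
#define PTE_RWX   0xeULL          /* any of R/W/X set means leaf */
#define PAGE      4096ULL
#define DRAM_BASE 0x80000000ULL   /* assumption: toy RAM starts here */
enum { WALK_OK, WALK_UNMAPPED, WALK_FAULT };
static uint64_t dram[4][512];     /* constructed "physical memory", 4 pages */

/* Stand-in for a direct-map lookup: NULL where a kernel would fault. */
static uint64_t *pa_to_table(uint64_t pa) {
    if (pa < DRAM_BASE || pa >= DRAM_BASE + 4 * PAGE) return NULL;
    return dram[(pa - DRAM_BASE) / PAGE];
}
static uint64_t pte_pa(uint64_t pte) { return (pte >> 10) << 12; }
static uint64_t mk_pte(uint64_t pa, uint64_t fl) { return ((pa >> 12) << 10) | fl; }

/* L1[2] -> L2; L2[0] stays all zeroes (the reported case); L2[1] -> L3 -> page 3. */
static void build_tables(void) {
    dram[0][2] = mk_pte(DRAM_BASE + 1 * PAGE, PTE_V);
    dram[1][1] = mk_pte(DRAM_BASE + 2 * PAGE, PTE_V);
    dram[2][0] = mk_pte(DRAM_BASE + 3 * PAGE, PTE_V | 0x2);
}

/* check_l2 = 0 trusts the L2 entry; check_l2 = 1 validates it before descending. */
static int extract(uint64_t va, int check_l2, uint64_t *pa) {
    uint64_t *tbl, e = dram[0][(va >> 30) & 0x1ff];
    if (!(e & PTE_V)) return WALK_UNMAPPED;
    if ((tbl = pa_to_table(pte_pa(e))) == NULL) return WALK_FAULT;
    e = tbl[(va >> 21) & 0x1ff];
    if (check_l2 && !(e & PTE_V)) return WALK_UNMAPPED;
    if ((e & PTE_V) && (e & PTE_RWX)) {            /* 2 MiB leaf */
        *pa = pte_pa(e) | (va & 0x1fffff);
        return WALK_OK;
    }
    if ((tbl = pa_to_table(pte_pa(e))) == NULL) return WALK_FAULT; /* PA 0x0 ends here */
    e = tbl[(va >> 12) & 0x1ff];
    if (!(e & PTE_V)) return WALK_UNMAPPED;
    *pa = pte_pa(e) | (va & 0xfff);
    return WALK_OK;
}

int main(void) {
    uint64_t pa = 0;
    build_tables();
    printf("L2 entry trusted:   %d\n", extract(0x80000000ULL, 0, &pa));
    printf("L2 entry validated: %d\n", extract(0x80000000ULL, 1, &pa));
    return 0;
}
```

In this model, trusting the zero entry yields `WALK_FAULT` (the analogue of the panic), while validating it yields `WALK_UNMAPPED`, which a caller can report as "no translation".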