From: Clément Léger
To: Paul Walmsley, Palmer Dabbelt, linux-riscv@lists.infradead.org (open list:RISC-V ARCHITECTURE), linux-kernel@vger.kernel.org (open list)
Cc: Clément Léger, Samuel Holland
Subject: [PATCH] riscv: misaligned: disable pagefault before accessing user memory
Date: Fri, 3 Jan 2025 17:02:12 +0100
Message-ID: <20250103160214.657508-1-cleger@rivosinc.com>

Calling copy_{from/to}_user() in interrupt context might actually sleep and
display a BUG message:

[ 10.377019] BUG: sleeping function called from invalid context at include/linux/uaccess.h:162
[ 10.379868] in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 88, name: ssh-keygen
[ 10.380009] preempt_count: 0, expected: 0
[ 10.380324] CPU: 0 UID: 0 PID: 88 Comm: ssh-keygen Not tainted 6.13.0-rc5-00013-g3435cd5f1331-dirty #19
[ 10.380639] Hardware name: riscv-virtio,qemu (DT)
[ 10.380798] Call Trace:
[ 10.381108] [] dump_backtrace+0x1c/0x24
[ 10.381690] [] show_stack+0x28/0x34
[ 10.381812] [] dump_stack_lvl+0x4a/0x68
[ 10.381958] [] dump_stack+0x14/0x1c
[ 10.382047] [] __might_resched+0xfa/0x104
[ 10.382172] [] __might_sleep+0x42/0x66
[ 10.382267] [] __might_fault+0x1c/0x24
[ 10.382363] [] _copy_from_user+0x28/0xc2
[ 10.382459] [] handle_misaligned_load+0x1ca/0x2fc
[ 10.382565] [] do_trap_load_misaligned+0x24/0xee
[ 10.382714] [] handle_exception+0x146/0x152

In order to safely handle user memory access from this context, disable
page fault while copying user memory. Although this might lead to copy
failure in some cases (offlined page), this is the best we can try to be
safe.

Fixes: b686ecdeacf6 ("riscv: misaligned: Restrict user access to kernel memory")
Signed-off-by: Clément Léger
--- arch/riscv/kernel/traps_misaligned.c | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/arch/riscv/kernel/traps_misaligned.c b/arch/riscv/kernel/traps= _misaligned.c index 7cc108aed74e..75a08ed20070 100644 --- a/arch/riscv/kernel/traps_misaligned.c +++ b/arch/riscv/kernel/traps_misaligned.c @@ -355,7 +355,7 @@ static int handle_scalar_misaligned_load(struct pt_regs= *regs) { union reg_data val; unsigned long epc =3D regs->epc; - unsigned long insn; + unsigned long insn, copy_len; unsigned long addr =3D regs->badaddr; int fp =3D 0, shift =3D 0, len =3D 0; =20 @@ -441,7 +441,16 @@ static int handle_scalar_misaligned_load(struct pt_reg= s *regs) =20 val.data_u64 =3D 0; if (user_mode(regs)) { - if (copy_from_user(&val, (u8 __user *)addr, len)) + /* + * We can not sleep in exception context. Disable pagefault to + * avoid a potential sleep while accessing user memory. Side + * effect is that if it would have sleep, then the copy will + * fail. + */ + pagefault_disable(); + copy_len =3D copy_from_user(&val, (u8 __user *)addr, len); + pagefault_enable(); + if (copy_len) return -1; } else { memcpy(&val, (u8 *)addr, len); @@ -463,7 +472,7 @@ static int handle_scalar_misaligned_store(struct pt_reg= s *regs) { union reg_data val; unsigned long epc =3D regs->epc; - unsigned long insn; + unsigned long insn, copy_len; unsigned long addr =3D regs->badaddr; int len =3D 0, fp =3D 0; =20
@@ -539,7 +548,16 @@ static int handle_scalar_misaligned_store(struct pt_re= gs *regs) return -EOPNOTSUPP; =20 if (user_mode(regs)) { - if (copy_to_user((u8 __user *)addr, &val, len)) + /* + * We can not sleep in exception context. Disable pagefault to + * avoid a potential sleep while accessing user memory. Side + * effect is that if it would have sleep, then the copy will + * fail. + */ + pagefault_disable(); + copy_len =3D copy_to_user((u8 __user *)addr, &val, len); + pagefault_enable(); + if (copy_len) return -1; } else { memcpy((u8 *)addr, &val, len); --=20 2.45.2
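
Review bot: in the user_mode(regs) branch of handle_scalar_misaligned_load() (hunk at -441), the new local copy_len holds the return value of copy_from_user(), which is the number of bytes that were NOT copied, so the name reads backwards next to "if (copy_len) return -1;". Rename it to something like "uncopied" or "ret" in both the declaration hunk and here. The open-coded pagefault_disable() / copy / pagefault_enable() sequence is also what the kernel's copy_from_user_nofault() helper wraps; using the helper would remove the extra local and make it impossible to leave the pair unbalanced if an early return is added between the two calls later.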
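
Review bot: in handle_scalar_misaligned_store() (hunk at -539), a copy_to_user() that fails only because the target page is not resident now takes the same "return -1" path as a genuinely invalid address, which the commit message acknowledges ("offlined page"). What the caller does with -1 is not visible in this patch; if it ends in a signal to the task, a legitimate misaligned store to a paged-out page becomes fatal where the old code would have attempted the fault. Please state the resulting user-visible behaviour in the comment or the commit message, or consider a path that can retry with page faults allowed. The comment block is duplicated verbatim from the load handler and contains "if it would have sleep" (should be "slept"); a small shared helper, or copy_to_user_nofault(), would keep the two sites in sync.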