From: Clément Léger
To: Paul Walmsley, Palmer Dabbelt, linux-riscv@lists.infradead.org (open list:RISC-V ARCHITECTURE), linux-kernel@vger.kernel.org (open list)
Cc: Clément Léger, Samuel Holland, Alexandre Ghiti
Subject: [PATCH v2] riscv: misaligned: disable pagefault before accessing user memory
Date: Mon, 6 Jan 2025 18:09:08 +0100
Message-ID: <20250106170911.1403467-1-cleger@rivosinc.com>
X-Mailer: git-send-email 2.47.1
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Calling copy_{from/to}_user() in interrupt context might actually sleep
and display a BUG message:

[ 10.377019] BUG: sleeping function called from invalid context at include/linux/uaccess.h:162
[ 10.379868] in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 88, name: ssh-keygen
[ 10.380009] preempt_count: 0, expected: 0
[ 10.380324] CPU: 0 UID: 0 PID: 88 Comm: ssh-keygen Not tainted 6.13.0-rc5-00013-g3435cd5f1331-dirty #19
[ 10.380639] Hardware name: riscv-virtio,qemu (DT)
[ 10.380798] Call Trace:
[ 10.381108] [] dump_backtrace+0x1c/0x24
[ 10.381690] [] show_stack+0x28/0x34
[ 10.381812] [] dump_stack_lvl+0x4a/0x68
[ 10.381958] [] dump_stack+0x14/0x1c
[ 10.382047] [] __might_resched+0xfa/0x104
[ 10.382172] [] __might_sleep+0x42/0x66
[ 10.382267] [] __might_fault+0x1c/0x24
[ 10.382363] [] _copy_from_user+0x28/0xc2
[ 10.382459] [] handle_misaligned_load+0x1ca/0x2fc
[ 10.382565] [] do_trap_load_misaligned+0x24/0xee
[ 10.382714] [] handle_exception+0x146/0x152

In order to safely handle user memory access from this context, disable
page faults while copying user memory. Although this might lead to copy
failure in some cases (offlined page), this is the best we can try to be
safe.
While at it, replace __get_user() with get_user() to actually check the
memory before accessing it, and disable page faults.

Fixes: b686ecdeacf6 ("riscv: misaligned: Restrict user access to kernel memory")
Signed-off-by: Clément Léger
---
V2:
 - Add pagefault disable/enable around get_user()

 arch/riscv/kernel/traps_misaligned.c | 30 +++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)

diff --git a/arch/riscv/kernel/traps_misaligned.c b/arch/riscv/kernel/traps= _misaligned.c index 7cc108aed74e..d9a6e44ae745 100644 --- a/arch/riscv/kernel/traps_misaligned.c +++ b/arch/riscv/kernel/traps_misaligned.c @@ -268,7 +268,9 @@ static unsigned long get_f32_rs(unsigned long insn, u8 = fp_reg_offset, int __ret; \ \ if (user_mode(regs)) { \ - __ret =3D __get_user(insn, (type __user *) insn_addr); \ + pagefault_disable(); \ + __ret =3D get_user(insn, (type __user *) insn_addr); \ + pagefault_enable(); \ } else { \ insn =3D *(type *)insn_addr; \ __ret =3D 0; \ @@ -355,7 +357,7 @@ static int handle_scalar_misaligned_load(struct pt_regs= *regs) { union reg_data val; unsigned long epc =3D regs->epc; - unsigned long insn; + unsigned long insn, copy_len; unsigned long addr =3D regs->badaddr; int fp =3D 0, shift =3D 0, len =3D 0; =20 @@ -441,7 +443,16 @@ static int handle_scalar_misaligned_load(struct pt_reg= s *regs) =20 val.data_u64 =3D 0; if (user_mode(regs)) { - if (copy_from_user(&val, (u8 __user *)addr, len)) + /* + * We can not sleep in exception context. Disable pagefault to + * avoid a potential sleep while accessing user memory. Side + * effect is that if it would have sleep, then the copy will + * fail. + */ + pagefault_disable(); + copy_len =3D copy_from_user(&val, (u8 __user *)addr, len); + pagefault_enable(); + if (copy_len) return -1; } else { memcpy(&val, (u8 *)addr, len); 
@@ -463,7 +474,7 @@ static int handle_scalar_misaligned_store(struct pt_reg= s *regs) { union reg_data val; unsigned long epc =3D regs->epc; - unsigned long insn; + unsigned long insn, copy_len; unsigned long addr =3D regs->badaddr; int len =3D 0, fp =3D 0; =20 @@ -539,7 +550,16 @@ static int handle_scalar_misaligned_store(struct pt_re= gs *regs) return -EOPNOTSUPP; =20 if (user_mode(regs)) { - if (copy_to_user((u8 __user *)addr, &val, len)) + /* + * We can not sleep in exception context. Disable pagefault to + * avoid a potential sleep while accessing user memory. Side + * effect is that if it would have sleep, then the copy will + * fail. + */ + pagefault_disable(); + copy_len =3D copy_to_user((u8 __user *)addr, &val, len); + pagefault_enable(); + if (copy_len) return -1; } else { memcpy((u8 *)addr, &val, len); --=20 2.47.1
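Review bot: the instruction-fetch hunk (@@ -268,7 +268,9, the `if (user_mode(regs))` branch of the insn macro) adds the `pagefault_disable()` / `pagefault_enable()` pair with no comment, while the two copy hunks below explain why the pair is needed; add the same one-line note here so a later reader does not remove the pair as redundant. This hunk is also the one that makes the `Fixes:` tag ("Restrict user access to kernel memory") hold, since `get_user()` performs the `access_ok()` range check that `__get_user()` skips, so it is worth saying that in the comment rather than only in the "While at it" sentence of the changelog.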
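Review bot: in the declaration hunk for handle_scalar_misaligned_load (@@ -355,7 +357,7, `+ unsigned long insn, copy_len;`), the name `copy_len` reads as the number of bytes copied, but `copy_from_user()` returns the number of bytes that could not be copied and the code later tests `if (copy_len) return -1;` on exactly that. Rename it to something like `not_copied` (or `ret`) so the failure test reads correctly; the identical declaration in the handle_scalar_misaligned_store hunk (@@ -463,7 +474,7) needs the same rename.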
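Review bot: in the load hunk (@@ -441,7 +443,16), the comment's "if it would have sleep, then the copy will fail" should read "if it would have slept, the copy fails", and it should state the consequence of that failure: with page faults disabled, a user page that is valid but not resident (swapped out or not yet populated) can no longer be faulted in, so the emulation returns -1 for an access that would otherwise have succeeded. What the caller does with `-1` is not visible in this hunk; say whether the task gets a signal or the trap is retried, since that is the behavioural change the changelog's "offlined page" remark is pointing at.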
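Review bot: the store hunk (@@ -539,7 +550,16) duplicates the five-line comment and the `pagefault_disable(); copy_len = copy_to_user(...); pagefault_enable(); if (copy_len) return -1;` sequence from the load hunk almost verbatim. Factor the pattern into a small static helper pair (for example `misaligned_copy_from_user()` / `misaligned_copy_to_user()` that take the address and length, wrap the copy in the disable/enable pair and return the not-copied count) so the explanation and the atomic-context rule live in one place; the "would have sleep" grammar then only needs fixing once.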