Skip to content

Commit 93091f5

Browse files
ChinYikMingChinYikMing
committed
Handle signals properly
Page faults trigger a trap, which is handled by do_page_fault(). This function calls lock_mm_and_find_vma() to locate and validate the virtual memory area (VMA), returning the VMA if valid, or NULL otherwise. Typically, attempts to read or write to a NULL VMA result in a NULL return. If the VMA is invalid, bad_area_nosemaphore() is invoked, which checks whether the fault originated in kernel or user space. For user-space faults, a SIGSEGV signal is sent to the user process via do_trap(), which determines if the signal should be ignored or blocked, and if not, adds it to the task's pending signal list. Kernel-space faults cause the kernel to crash via die_kernel_fault(). Before returning to user space (via the resume_userspace label), pending work (indicated by the _TIF_WORK_MASK mask) is processed by do_work_pending(). Signals are handled by do_signal(), which in turn calls handle_signal(). handle_signal() creates a signal handler frame that will be jumped to upon returning to user space. This frame creation process might modifies the Control and Status Register (CSR) SEPC. If there are a signal pending, the SEPC CSR overwritten the original trap/fault PC. This caused an assertion failure in get_ppn_and_offset() when running the vi program, reported in [1]. To address this, a variable last_csr_sepc was introduced to store the original SEPC CSR value before entering the trap path. After returning to user space, last_csr_sepc is compared with the current SEPC CSR value. If they differ, the fault ld/st instruction returns early and jumps to the signal handler frame. This commit prevents emulator crashes when the guest OS accesses invalid memory. Consequently, reads or writes to a NULL value now correctly result in a segmentation fault. In addition, two user-space programs: mem_null_read and mem_null_write are bundled into the rootfs for verification. Original behaviour 1. $ make system ENABLE_SYSTEM=1 -j$(nproc) 2. $ mem_null_read # Emulator crashes 3. $ mem_null_write # Emulator crashes 4. $ vi # Emulator crashes Patch Reproduce / Testing procedure: 1. $ make system ENABLE_SYSTEM=1 -j$(nproc) 2. $ mem_null_read # NULL read causes SIGSEGV without crashing 3. $ mem_null_write # NULL write causes SIGSEGV without crashing 4. $ vi # w/o filename causes SIGSEGV without crashing [1] #508
1 parent f7fd15b commit 93091f5

File tree

3 files changed

+51
-8
lines changed

3 files changed

+51
-8
lines changed

src/emulate.c

Lines changed: 8 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -46,6 +46,7 @@ static bool need_clear_block_map = false;
4646
static uint32_t reloc_enable_mmu_jalr_addr;
4747
static bool reloc_enable_mmu = false;
4848
bool need_retranslate = false;
49+
bool need_handle_signal = false;
4950
#endif
5051

5152
static void rv_trap_default_handler(riscv_t *rv)
@@ -379,8 +380,12 @@ static uint32_t peripheral_update_ctr = 64;
379380
{ \
380381
IIF(RV32_HAS(SYSTEM))(ctr++;, ) cycle++; \
381382
code; \
382-
nextop: \
383-
PC += __rv_insn_##inst##_len; \
383+
IIF(RV32_HAS(SYSTEM)) \
384+
( \
385+
if (need_handle_signal) { \
386+
need_handle_signal = false; \
387+
return true; \
388+
}, ) nextop : PC += __rv_insn_##inst##_len; \
384389
IIF(RV32_HAS(SYSTEM)) \
385390
(IIF(RV32_HAS(JIT))( \
386391
, if (unlikely(need_clear_block_map)) { \
@@ -1179,6 +1184,7 @@ static void _trap_handler(riscv_t *rv)
11791184
mode = rv->csr_stvec & 0x3;
11801185
cause = rv->csr_scause;
11811186
rv->csr_sepc = rv->PC;
1187+
rv->last_csr_sepc = rv->csr_sepc;
11821188
} else { /* machine */
11831189
const uint32_t mstatus_mie =
11841190
(rv->csr_mstatus & MSTATUS_MIE) >> MSTATUS_MIE_SHIFT;

src/riscv_private.h

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -201,6 +201,12 @@ struct riscv_internal {
201201
#if RV32_HAS(SYSTEM)
202202
/* The flag is used to indicate the current emulation is in a trap */
203203
bool is_trapped;
204+
205+
/*
206+
* The flag that stores the SEPC CSR at the trap point for corectly
207+
* executing signal handler.
208+
*/
209+
uint32_t last_csr_sepc;
204210
#endif
205211
};
206212

src/system.c

Lines changed: 37 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -269,6 +269,7 @@ MMU_FAULT_CHECK_IMPL(write, pagefault_store)
269269
* - mmu_write_s
270270
* - mmu_write_b
271271
*/
272+
extern bool need_handle_signal;
272273
extern bool need_retranslate;
273274
static uint32_t mmu_ifetch(riscv_t *rv, const uint32_t addr)
274275
{
@@ -297,8 +298,13 @@ static uint32_t mmu_read_w(riscv_t *rv, const uint32_t addr)
297298
uint32_t level;
298299
pte_t *pte = mmu_walk(rv, addr, &level);
299300
bool ok = MMU_FAULT_CHECK(read, rv, pte, addr, PTE_R);
300-
if (unlikely(!ok))
301+
if (unlikely(!ok)) {
302+
if (rv->csr_sepc != rv->last_csr_sepc) { /* jump to signal handler */
303+
need_handle_signal = true;
304+
return 0;
305+
}
301306
pte = mmu_walk(rv, addr, &level);
307+
}
302308

303309
{
304310
get_ppn_and_offset();
@@ -323,8 +329,13 @@ static uint16_t mmu_read_s(riscv_t *rv, const uint32_t addr)
323329
uint32_t level;
324330
pte_t *pte = mmu_walk(rv, addr, &level);
325331
bool ok = MMU_FAULT_CHECK(read, rv, pte, addr, PTE_R);
326-
if (unlikely(!ok))
332+
if (unlikely(!ok)) {
333+
if (rv->csr_sepc != rv->last_csr_sepc) { /* jump to signal handler */
334+
need_handle_signal = true;
335+
return 0;
336+
}
327337
pte = mmu_walk(rv, addr, &level);
338+
}
328339

329340
get_ppn_and_offset();
330341
return memory_read_s(ppn | offset);
@@ -338,8 +349,13 @@ static uint8_t mmu_read_b(riscv_t *rv, const uint32_t addr)
338349
uint32_t level;
339350
pte_t *pte = mmu_walk(rv, addr, &level);
340351
bool ok = MMU_FAULT_CHECK(read, rv, pte, addr, PTE_R);
341-
if (unlikely(!ok))
352+
if (unlikely(!ok)) {
353+
if (rv->csr_sepc != rv->last_csr_sepc) { /* jump to signal handler */
354+
need_handle_signal = true;
355+
return 0;
356+
}
342357
pte = mmu_walk(rv, addr, &level);
358+
}
343359

344360
{
345361
get_ppn_and_offset();
@@ -364,8 +380,13 @@ static void mmu_write_w(riscv_t *rv, const uint32_t addr, const uint32_t val)
364380
uint32_t level;
365381
pte_t *pte = mmu_walk(rv, addr, &level);
366382
bool ok = MMU_FAULT_CHECK(write, rv, pte, addr, PTE_W);
367-
if (unlikely(!ok))
383+
if (unlikely(!ok)) {
384+
if (rv->csr_sepc != rv->last_csr_sepc) { /* jump to signal handler */
385+
need_handle_signal = true;
386+
return;
387+
}
368388
pte = mmu_walk(rv, addr, &level);
389+
}
369390

370391
{
371392
get_ppn_and_offset();
@@ -390,8 +411,13 @@ static void mmu_write_s(riscv_t *rv, const uint32_t addr, const uint16_t val)
390411
uint32_t level;
391412
pte_t *pte = mmu_walk(rv, addr, &level);
392413
bool ok = MMU_FAULT_CHECK(write, rv, pte, addr, PTE_W);
393-
if (unlikely(!ok))
414+
if (unlikely(!ok)) {
415+
if (rv->csr_sepc != rv->last_csr_sepc) { /* jump to signal handler */
416+
need_handle_signal = true;
417+
return;
418+
}
394419
pte = mmu_walk(rv, addr, &level);
420+
}
395421

396422
get_ppn_and_offset();
397423
memory_write_s(ppn | offset, (uint8_t *) &val);
@@ -405,8 +431,13 @@ static void mmu_write_b(riscv_t *rv, const uint32_t addr, const uint8_t val)
405431
uint32_t level;
406432
pte_t *pte = mmu_walk(rv, addr, &level);
407433
bool ok = MMU_FAULT_CHECK(write, rv, pte, addr, PTE_W);
408-
if (unlikely(!ok))
434+
if (unlikely(!ok)) {
435+
if (rv->csr_sepc != rv->last_csr_sepc) { /* jump to signal handler */
436+
need_handle_signal = true;
437+
return;
438+
}
409439
pte = mmu_walk(rv, addr, &level);
440+
}
410441

411442
{
412443
get_ppn_and_offset();

0 commit comments

Comments
 (0)