Commit aa8ef1fa authored by 乔哲, committed by Yongqiang Liu

riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()

stable inclusion
from stable-v5.10.224
commit 59be4a167782d68e21068a761b90b01fadc09146
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKPTW
CVE: CVE-2024-42267

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=59be4a167782d68e21068a761b90b01fadc09146



--------------------------------

[ Upstream commit 0c710050c47d45eb77b28c271cddefc5c785cb40 ]

Handle VM_FAULT_SIGSEGV in the page fault path so that we correctly
kill the process and we don't BUG() the kernel.

Fixes: 07037db5 ("RISC-V: Paging and MMU")
Signed-off-by: Zhe Qiao <qiaozhe@iscas.ac.cn>
Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
Link: https://lore.kernel.org/r/20240731084547.85380-1-qiaozhe@iscas.ac.cn
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
parent b17777fc
+9 −8
@@ -39,26 +39,27 @@ static inline void no_context(struct pt_regs *regs, unsigned long addr)

static inline void mm_fault_error(struct pt_regs *regs, unsigned long addr, vm_fault_t fault)
{
	if (!user_mode(regs)) {
		no_context(regs, addr);
		return;
	}

	if (fault & VM_FAULT_OOM) {
		/*
		 * We ran out of memory, call the OOM killer, and return the userspace
		 * (which will retry the fault, or kill us if we got oom-killed).
		 */
		if (!user_mode(regs)) {
			no_context(regs, addr);
			return;
		}
		pagefault_out_of_memory();
		return;
	} else if (fault & VM_FAULT_SIGBUS) {
		/* Kernel mode? Handle exceptions or die */
		if (!user_mode(regs)) {
			no_context(regs, addr);
			return;
		}
		do_trap(regs, SIGBUS, BUS_ADRERR, addr);
		return;
	} else if (fault & VM_FAULT_SIGSEGV) {
		do_trap(regs, SIGSEGV, SEGV_MAPERR, addr);
		return;
	}

	BUG();
}
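
Review bot: The trailing BUG() at the end of mm_fault_error() is still the fallthrough for every fault bit other than VM_FAULT_OOM, VM_FAULT_SIGBUS and VM_FAULT_SIGSEGV, so a user-mode fault that returns any other error bit would still bring the kernel down, which is the same failure the commit message describes for SIGSEGV. Either handle the remaining error bits explicitly, or add a comment above BUG() stating why no other bit can reach this point from user mode. Separately, with the `if (!user_mode(regs))` check now at the top of the function, the comment `/* Kernel mode? Handle exceptions or die */` inside the VM_FAULT_SIGBUS branch no longer describes the code beneath it; move it up to the hoisted check or drop it.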