On Thu, 2022-11-03 at 03:50 -0400, guoren@kernel.org wrote:
[...]
> --- a/arch/riscv/kernel/sys_riscv.c
> +++ b/arch/riscv/kernel/sys_riscv.c
[...]
> +asmlinkage void do_sys_ecall_u(struct pt_regs *regs)
> +{
> + syscall_t syscall;
> + ulong nr = regs->a7;
> +
> + regs->epc += 4;
> + regs->orig_a0 = regs->a0;
> + regs->a0 = -ENOSYS;
> +
> + nr = syscall_enter_from_user_mode(regs, nr);
> +#ifdef CONFIG_COMPAT
> + if ((regs->status & SR_UXL) == SR_UXL_32)
> + syscall = compat_sys_call_table[nr];
> + else
> +#endif
> + syscall = sys_call_table[nr];
> +
> + if (nr < NR_syscalls)

This bounds check needs to be done before indexing the system call
table, not after.

Ben.

> + regs->a0 = syscall(regs->orig_a0, regs->a1, regs->a2,
> + regs->a3, regs->a4, regs->a5, regs->a6);
> + syscall_exit_to_user_mode(regs);
> +}
[...]

-- 
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.
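Review bot: the table lookups `syscall = compat_sys_call_table[nr];` and `syscall = sys_call_table[nr];` in do_sys_ecall_u() happen before the `if (nr < NR_syscalls)` test, so an out-of-range number supplied by user space in a7 is used as an array index and reads a function pointer from memory past the end of the table; the check only prevents the call, not the read. The value returned by syscall_enter_from_user_mode() can also differ from the original a7 (a tracer or seccomp filter may change or skip the syscall), and since `nr` is `ulong` a skip value such as -1 becomes a very large index, which makes the unguarded lookup worse rather than a corner case. Move both table lookups inside the bounds check so that the index is validated first, for example `if (nr < NR_syscalls) { syscall = sys_call_table[nr]; regs->a0 = syscall(regs->orig_a0, ...); }` with the compat selection inside the same block; `regs->a0` is already preset to `-ENOSYS`, so the out-of-range path needs no further handling. If compat_sys_call_table does not have exactly NR_syscalls entries, the compat path needs its own bound rather than sharing this one.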