Terminate tasks on unrecoverable PMP access faults

HeatCrab · HeatCrab · commit be9265904804 · 2025-11-21T20:14:24.000+08:00
When PMP access fault recovery fails, the system previously panicked
regardless of context. This change allows graceful degradation by
terminating only the faulting task when the fault occurs in task
context.

The trap handler now checks if a current task exists after PMP fault
recovery fails. If so, it terminates that task using the deferred
cleanup mechanism. If no task context exists, the system still panics
as before, since the fault must have occurred in kernel code.

This prevents a single misbehaving task from crashing the entire system
while still catching genuine kernel bugs.
diff --git a/arch/riscv/hal.c b/arch/riscv/hal.c
@@ -304,8 +304,14 @@ void do_trap(uint32_t cause, uint32_t epc, uint32_t mtval)
             reason = exc_msg[code];
 
         /* Attempt to recover PMP access faults */
-        if ((code == 5 || code == 7) && pmp_handle_access_fault(mtval, code == 7) == 0)
-            return;
+        if (code == 5 || code == 7) {
+            if (pmp_handle_access_fault(mtval, code == 7) == 0)
+                return;
+
+            /* Recovery failed - terminate task if in task context */
+            if (kcb && kcb->task_current && kcb->task_current->data)
+                task_terminate_current();
+        }
 
         /* All other exceptions are fatal */
         printf("[EXCEPTION] code=%u (%s), epc=%08x, cause=%08x\n", code, reason,
