All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Linus Walleij" <linusw@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v4] ARM: breakpoint: CFI breakpoints only on demand
Date: Fri, 03 Jul 2026 12:48:21 +0000	[thread overview]
Message-ID: <20260703124822.130081F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260703-arm32-cfi-bug-v4-1-c26acb640a8f@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The CFI breakpoint handler incorrectly assumes the BKPT instruction is always 4 bytes long, which corrupts the instruction pointer in Thumb-2 mode.
--

commit 8a3d2d7e6aa4575ee54af7475a100d8d6db4f18a
Author: Linus Walleij <linusw@kernel.org>

ARM: breakpoint: CFI breakpoints only on demand
    
This removes the stub hw_breakpoint_cfi_handler() from ARM, making
it not steal breakpoint type 0x03 unless CFI is actively used in
the kernel. It falls through to return unhandled fault for userspace
breakpoints.

Closes: https://lore.kernel.org/lkml/kJqktbpLphg_Pk5I5SPptgTLjl3E3eq5mN5UzCslyFj7Q1Irp-wDid4mj5eQVd2iZtRGXgeZd8goq195EkXdjyt864YMc8mVb2B9NGH91NQ=@protonmail.com/

> diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
> index cd4b34c96e35e..38feb30dfb5f8 100644
> --- a/arch/arm/kernel/hw_breakpoint.c
> +++ b/arch/arm/kernel/hw_breakpoint.c
> @@ -929,10 +929,6 @@ static void hw_breakpoint_cfi_handler(struct pt_regs *regs)
>  		break;
>  	}
>  }

[Severity: High]
This is a pre-existing issue, but I noticed a potential problem in
hw_breakpoint_cfi_handler() right above this diff.

When a CFI failure triggers a warning (such as when CONFIG_CFI_PERMISSIVE is
enabled), the handler attempts to skip the breaking instruction:

arch/arm/kernel/hw_breakpoint.c:hw_breakpoint_cfi_handler() {
    ...
	case BUG_TRAP_TYPE_WARN:
		/* Skip the breaking instruction */
		instruction_pointer(regs) += 4;
		break;
    ...
}

Does this incorrectly assume the BKPT instruction is always 4 bytes long?

In Thumb-2 mode, BKPT is a 16-bit (2-byte) instruction. If the instruction
pointer is advanced by 4 bytes, wouldn't it skip the intended instruction
and an additional 2 bytes of the following instruction, potentially corrupting
the execution stream and leading to an Oops?

[ ... ]

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260703-arm32-cfi-bug-v4-1-c26acb640a8f@kernel.org?part=1

  reply	other threads:[~2026-07-03 12:48 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-03 12:25 [PATCH v4] ARM: breakpoint: CFI breakpoints only on demand Linus Walleij
2026-07-03 12:48 ` sashiko-bot [this message]
2026-07-08 10:07 ` slipher
2026-07-08 18:53 ` Nathan Chancellor
2026-07-15 16:21 ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260703124822.130081F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=linusw@kernel.org \
    --cc=linux-perf-users@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.