* [PATCH v3] ARM: imx: Fix suspend/resume crash with Clang CFI
@ 2026-07-18 11:13 Yo'av Moshe
2026-07-18 11:29 ` sashiko-bot
0 siblings, 1 reply; 2+ messages in thread
From: Yo'av Moshe @ 2026-07-18 11:13 UTC (permalink / raw)
To: Frank Li, Sascha Hauer, Russell King
Cc: Pengutronix Kernel Team, Fabio Estevam, Nathan Chancellor,
Nick Desaulniers, Bill Wendling, Justin Stitt, imx,
linux-arm-kernel, llvm, stable, linux-kernel, Yo'av Moshe
Relocated suspend code in OCRAM lacks compiler-generated CFI type
signatures. When CONFIG_CFI=y is active, the indirect call to
imx6_suspend_in_ocram_fn triggers a strict CFI violation panic.
To resolve this safely without reducing CFI protection scope:
1. Create a minimal wrapper function imx6_suspend_in_ocram annotated
with __nocfi to handle the unverified indirect call.
2. Remove the __nocfi annotation from the main imx6q_suspend_finish
function to preserve full CFI coverage for other indirect calls
in that scope (such as cpu_do_idle() and flush_cache_all()).
3. Mark global variables ccm_base, suspend_ocram_base, and the
imx6_suspend_in_ocram_fn pointer as __ro_after_init to prevent
them from being used as target vectors for CFI bypass exploits.
Cc: stable@vger.kernel.org
Signed-off-by: Yo'av Moshe <linux@yoavmoshe.com>
---
Tested on a Kobo Clara HD (i.MX6SLL SoC) running postmarketOS edge.
Before this patch, suspending the device caused an immediate silent
hang requiring a hard-reboot. With this patch applied, suspend and
resume work successfully.
Differences from v2:
- Restrained __nocfi scope by adding a dedicated, minimal 1-line
wrapper function (imx6_suspend_in_ocram) for the OCRAM call,
avoiding disabling CFI checks for cpu_do_idle() and flush_cache_all().
- Marked global pointers ccm_base and suspend_ocram_base as
__ro_after_init to fully neutralize Write-What-Where exploit bypasses.
arch/arm/mach-imx/pm-imx6.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/arch/arm/mach-imx/pm-imx6.c b/arch/arm/mach-imx/pm-imx6.c
index a671ca498..3d5b960c5 100644
--- a/arch/arm/mach-imx/pm-imx6.c
+++ b/arch/arm/mach-imx/pm-imx6.c
@@ -61,9 +61,9 @@
#define MX6Q_SUSPEND_OCRAM_SIZE 0x1000
#define MX6_MAX_MMDC_IO_NUM 33
-static void __iomem *ccm_base;
-static void __iomem *suspend_ocram_base;
-static void (*imx6_suspend_in_ocram_fn)(void __iomem *ocram_vbase);
+static void __iomem *ccm_base __ro_after_init;
+static void __iomem *suspend_ocram_base __ro_after_init;
+static void (*imx6_suspend_in_ocram_fn)(void __iomem *ocram_vbase) __ro_after_init;
/*
* suspend ocram space layout:
@@ -360,6 +360,11 @@ int imx6_set_lpm(enum mxc_cpu_pwr_mode mode)
return 0;
}
+static void __nocfi imx6_suspend_in_ocram(void __iomem *ocram_vbase)
+{
+ imx6_suspend_in_ocram_fn(ocram_vbase);
+}
+
static int imx6q_suspend_finish(unsigned long val)
{
if (!imx6_suspend_in_ocram_fn) {
@@ -374,7 +379,7 @@ static int imx6q_suspend_finish(unsigned long val)
if (!((struct imx6_cpu_pm_info *)
suspend_ocram_base)->l2_base.vbase)
flush_cache_all();
- imx6_suspend_in_ocram_fn(suspend_ocram_base);
+ imx6_suspend_in_ocram(suspend_ocram_base);
}
return 0;
--
2.55.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH v3] ARM: imx: Fix suspend/resume crash with Clang CFI
2026-07-18 11:13 [PATCH v3] ARM: imx: Fix suspend/resume crash with Clang CFI Yo'av Moshe
@ 2026-07-18 11:29 ` sashiko-bot
0 siblings, 0 replies; 2+ messages in thread
From: sashiko-bot @ 2026-07-18 11:29 UTC (permalink / raw)
To: Yo'av Moshe; +Cc: Frank.Li, imx
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Critical] W^X Violation / Exploit Mitigation Bypass via Writable OCRAM Alias
--
--- Patch [1]: [PATCH v3] ARM: imx: Fix suspend/resume crash with Clang CFI ---
commit b6dc32274a7f40075998a9c67f552a3982169e81
Author: Yo'av Moshe <linux@yoavmoshe.com>
ARM: imx: Fix suspend/resume crash with Clang CFI
This commit fixes a suspend/resume crash caused by CFI violations on indirect
calls to relocated OCRAM code. It introduces a minimal __nocfi wrapper for
the OCRAM call and marks relevant pointers as __ro_after_init to mitigate
potential exploit risks.
> diff --git a/arch/arm/mach-imx/pm-imx6.c b/arch/arm/mach-imx/pm-imx6.c
> index a671ca498f887..3d5b960c583bd 100644
> --- a/arch/arm/mach-imx/pm-imx6.c
> +++ b/arch/arm/mach-imx/pm-imx6.c
> @@ -61,9 +61,9 @@
> #define MX6Q_SUSPEND_OCRAM_SIZE 0x1000
> #define MX6_MAX_MMDC_IO_NUM 33
>
> -static void __iomem *ccm_base;
> -static void __iomem *suspend_ocram_base;
> -static void (*imx6_suspend_in_ocram_fn)(void __iomem *ocram_vbase);
> +static void __iomem *ccm_base __ro_after_init;
> +static void __iomem *suspend_ocram_base __ro_after_init;
> +static void (*imx6_suspend_in_ocram_fn)(void __iomem *ocram_vbase) __ro_after_init;
[ ... ]
> @@ -360,6 +360,11 @@ int imx6_set_lpm(enum mxc_cpu_pwr_mode mode)
> return 0;
> }
>
> +static void __nocfi imx6_suspend_in_ocram(void __iomem *ocram_vbase)
> +{
> + imx6_suspend_in_ocram_fn(ocram_vbase);
> +}
[Severity: Critical]
This is a pre-existing issue, but does adding __ro_after_init fully protect
this memory from write-what-where attacks?
Looking at imx6q_suspend_init(), physical OCRAM memory is mapped with both a
persistent writable alias (ocram_base) and an executable alias
(suspend_ocram_base):
arch/arm/mach-imx/pm-imx6.c:imx6q_suspend_init() {
ocram_base = gen_pool_alloc(ocram_pool, MX6Q_SUSPEND_OCRAM_SIZE);
...
ocram_pbase = gen_pool_virt_to_phys(ocram_pool, ocram_base);
suspend_ocram_base = __arm_ioremap_exec(ocram_pbase,
MX6Q_SUSPEND_OCRAM_SIZE, false);
...
__arm_iomem_set_ro(suspend_ocram_base, MX6Q_SUSPEND_OCRAM_SIZE);
}
Even though suspend_ocram_base is marked read-only and its pointer is now
__ro_after_init, the initial writable alias (ocram_base) appears to remain
fully active without being unmapped.
Since this patch introduces a __nocfi wrapper to execute this memory, could an
attacker still bypass CFI by writing shellcode directly into the active
writable ocram_base alias?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260718111340.159896-1-linux@yoavmoshe.com?part=1
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-07-18 11:29 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-18 11:13 [PATCH v3] ARM: imx: Fix suspend/resume crash with Clang CFI Yo'av Moshe
2026-07-18 11:29 ` sashiko-bot
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.