From: sashiko-bot@kernel.org
To: "Yo'av Moshe" <linux@yoavmoshe.com>
Cc: Frank.Li@kernel.org, imx@lists.linux.dev
Subject: Re: [PATCH v2] ARM: imx: Fix suspend/resume crash with Clang CFI
Date: Sat, 18 Jul 2026 09:33:28 +0000 [thread overview]
Message-ID: <20260718093329.12DB11F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260718091917.81738-1-linux@yoavmoshe.com>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
New issues:
- [High] Applying `__nocfi` to `imx6q_suspend_finish` unintentionally disables KCFI checks for other indirect branches.
- [High] The CFI bypass mitigation is incomplete: `suspend_ocram_base` remains writable, enabling a Write-What-Where (Data-Oriented Programming) exploit.
Pre-existing issues:
- [High] The kCFI panic with `fncpy` relocated code affects multiple platforms, but is only fixed for i.MX6.
- [High] The `ccm_base` global variable is written only during initialization but lacks `__ro_after_init` protection, exposing it to manipulation for Read-Modify-Write (RMW) gadgets.
--
--- Patch [1]: [PATCH v2] ARM: imx: Fix suspend/resume crash with Clang CFI ---
commit 66327a9e81a0b45dd7493d089dd60f3a912e1240
Author: Yo'av Moshe <linux@yoavmoshe.com>
ARM: imx: Fix suspend/resume crash with Clang CFI
Relocated suspend code in OCRAM lacks compiler-generated CFI type
signatures. This patch annotates imx6q_suspend_finish with __nocfi to
bypass CFI checking for the indirect call, and marks the function pointer
as __ro_after_init.
> diff --git a/arch/arm/mach-imx/pm-imx6.c b/arch/arm/mach-imx/pm-imx6.c
> index a671ca498f887..b425a47019896 100644
> --- a/arch/arm/mach-imx/pm-imx6.c
> +++ b/arch/arm/mach-imx/pm-imx6.c
> @@ -63,7 +63,7 @@
>
> static void __iomem *ccm_base;
[Severity: High]
This is a pre-existing issue, but does ccm_base also need __ro_after_init
protection?
Since ccm_base is assigned once in imx6_pm_common_init() and then
repeatedly dereferenced in power management functions like imx6_set_lpm(),
could an attacker overwrite it to misdirect read/write operations?
For example, readl_relaxed(ccm_base + CLPCR) could be redirected to
arbitrary kernel addresses. Adding __ro_after_init here might prevent
trivial data-oriented programming exploitation of power management paths.
> static void __iomem *suspend_ocram_base;
[Severity: High]
Since suspend_ocram_base is passed as the first argument to the __nocfi
function imx6_suspend_in_ocram_fn, does leaving it mutable in the .bss
section defeat the intent of the __ro_after_init protection?
The target assembly routine imx6_suspend trusts this pointer (passed in
r0), using it to derive target addresses for memory writes:
arch/arm/mach-imx/suspend-imx6.S:imx6_suspend()
ldr r11, [r0, #PM_INFO_MX6Q_SRC_V_OFFSET]
/* store physical resume addr and pm_info address. */
str r9, [r11, #MX6Q_SRC_GPR1]
Could an attacker with arbitrary memory write capabilities overwrite
suspend_ocram_base to point to a crafted payload, yielding a
write-what-where primitive during suspend that completely bypasses CFI?
> -static void (*imx6_suspend_in_ocram_fn)(void __iomem *ocram_vbase);
> +static void (*imx6_suspend_in_ocram_fn)(void __iomem *ocram_vbase) __ro_after_init;
>
> /*
> * suspend ocram space layout:
[ ... ]
> @@ -360,7 +360,7 @@ int imx6_set_lpm(enum mxc_cpu_pwr_mode mode)
> return 0;
> }
>
> -static int imx6q_suspend_finish(unsigned long val)
> +static int __nocfi imx6q_suspend_finish(unsigned long val)
[Severity: High]
By applying __nocfi to the entire imx6q_suspend_finish() function, are we
unintentionally disabling CFI checks for other indirect branches?
Within this function, cpu_do_idle() and flush_cache_all() expand to
indirect calls (cpu_vtable[smp_processor_id()]->_do_idle() and
cpu_cache.flush_kern_all()).
Could an attacker with arbitrary memory write capabilities overwrite these
architecture-level function pointers and bypass kCFI entirely when a
suspend is triggered?
Would it be safer to restrict the __nocfi annotation to a minimal inline
or noinline wrapper function that only executes the single unverified
indirect call to imx6_suspend_in_ocram_fn?
> {
> if (!imx6_suspend_in_ocram_fn) {
> cpu_do_idle();
> } else {
> /*
> * call low level suspend function in ocram,
> * as we need to float DDR IO.
> */
> local_flush_tlb_all();
> /* check if need to flush internal L2 cache */
> if (!((struct imx6_cpu_pm_info *)
> suspend_ocram_base)->l2_base.vbase)
> flush_cache_all();
> imx6_suspend_in_ocram_fn(suspend_ocram_base);
[Severity: High]
This is a pre-existing issue, but does fixing this kCFI panic only for
i.MX6 leave other 32-bit ARM platforms broken?
The kCFI panic with fncpy() relocated code appears to affect multiple
platforms since fncpy() copies only the instruction body and omits the
compiler-generated SYM_TYPED_FUNC_START header.
For example, mx5_suspend_enter() in arch/arm/mach-imx/pm-imx5.c invokes
imx5_suspend_in_ocram_fn(suspend_ocram_base), and at91_suspend_finish()
in arch/arm/mach-at91/pm.c invokes at91_suspend_sram_fn(&soc_pm.data).
Since neither seem to have a __nocfi bypass, would they suffer
deterministic kernel panics on suspend when CONFIG_CFI_CLANG is active?
> }
>
> return 0;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260718091917.81738-1-linux@yoavmoshe.com?part=1
prev parent reply other threads:[~2026-07-18 9:33 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-18 9:19 [PATCH v2] ARM: imx: Fix suspend/resume crash with Clang CFI Yo'av Moshe
2026-07-18 9:33 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260718093329.12DB11F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=imx@lists.linux.dev \
--cc=linux@yoavmoshe.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox