From: Mark Rutland <mark.rutland@arm.com>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: Ryan Roberts <ryan.roberts@arm.com>, Kees Cook <kees@kernel.org>,
Ard Biesheuvel <ardb+git@google.com>,
Will Deacon <will@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Jeremy Linton <jeremy.linton@arm.com>,
Catalin Marinas <Catalin.Marinas@arm.com>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
linux-hardening@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH v1 2/2] randomize_kstack: Unify random source across arches
Date: Tue, 2 Dec 2025 09:35:40 +0000 [thread overview]
Message-ID: <aS6ylpLIyDZOvBDB@J2N7QTR9R3> (raw)
In-Reply-To: <CAMj1kXHX1W2Kz5NJehtzDhOCKWEd6y1sp8+ViOMHGsq9e8=7Pw@mail.gmail.com>
On Tue, Dec 02, 2025 at 10:15:22AM +0100, Ard Biesheuvel wrote:
> On Mon, 1 Dec 2025 at 19:20, Ryan Roberts <ryan.roberts@arm.com> wrote:
> > On 28/11/2025 11:01, Ard Biesheuvel wrote:
> > > On Thu, 27 Nov 2025 at 12:00, Ryan Roberts <ryan.roberts@arm.com> wrote:
> > >> diff --git a/include/linux/randomize_kstack.h b/include/linux/randomize_kstack.h
> > >> index 089b1432f7e6..83c7e6710f6d 100644
> > >> --- a/include/linux/randomize_kstack.h
> > >> +++ b/include/linux/randomize_kstack.h
> > >> @@ -6,6 +6,7 @@
> > >> #include <linux/kernel.h>
> > >> #include <linux/jump_label.h>
> > >> #include <linux/percpu-defs.h>
> > >> +#include <linux/prandom.h>
> > >>
> > >> DECLARE_STATIC_KEY_MAYBE(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT,
> > >> randomize_kstack_offset);
> > >> @@ -45,9 +46,13 @@ DECLARE_STATIC_KEY_MAYBE(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT,
> > >> #define KSTACK_OFFSET_MAX(x) ((x) & 0b1111111100)
> > >> #endif
> > >>
> > >> +static __always_inline u32 get_update_kstack_offset(void)
> > >> +{
> > >> + return prandom_u32_state(¤t->kstack_rnd_state);
> >
> > I've got bot warnings because this is being called from noinstr code. I guess
> > the best option is to just move add_random_kstack_offset() to after
> > instrumentation is enabled for the affected arches.
>
> Just put instrumentation_begin()/instrumentation_end() around the call
> to prandom_u32_state() - that seems to be the common approach for
> punching holes into the 'noinstr' validation.
That silences the warning, but isn't necessarily safe, so please DO NOT
do that blindly. The instrumentation_{begin,end}() annotations are only
supposed to be used when we know by construction that instrumentation is
safe.
Generally, if you can move this to after instrumentation is already
enabled, that should be safe, and so that'd be the better approach.
Ryan, can you share those warnings (e.g. link to those reports)?
IIUC only x86 has noinstr validation, and from a quick scan, I expect
you see warnings from:
* do_syscall_64()
* do_int80_syscall_32()
* __do_fast_syscall_32()
For all of these, it is not safe to call instrumentable code before the
calls to {syscall_,}enter_from_user_mode{,_prepare}(). You'll need to
move the stack rnadomization after the existing instrumentation_begin()
calls.
We'll need to go check the other architectures similarly.
Mark.
next prev parent reply other threads:[~2025-12-02 9:35 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-27 10:59 [RFC PATCH v1 0/2] Fix bugs and performance of kstack offset randomisation Ryan Roberts
2025-11-27 10:59 ` [RFC PATCH v1 1/2] randomize_kstack: Maintain kstack_offset per task Ryan Roberts
2025-11-27 10:59 ` [RFC PATCH v1 2/2] randomize_kstack: Unify random source across arches Ryan Roberts
2025-11-28 11:01 ` Ard Biesheuvel
2025-12-01 18:20 ` Ryan Roberts
2025-12-02 9:15 ` Ard Biesheuvel
2025-12-02 9:34 ` Ryan Roberts
2025-12-02 9:35 ` Mark Rutland [this message]
2025-12-02 9:39 ` Ryan Roberts
2025-12-02 9:53 ` Mark Rutland
2025-12-02 11:04 ` Ryan Roberts
2025-12-02 9:47 ` Ard Biesheuvel
2025-12-02 10:02 ` Mark Rutland
2025-12-02 16:59 ` [RFC PATCH v1 0/2] Fix bugs and performance of kstack offset randomisation Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aS6ylpLIyDZOvBDB@J2N7QTR9R3 \
--to=mark.rutland@arm.com \
--cc=Catalin.Marinas@arm.com \
--cc=Jason@zx2c4.com \
--cc=ardb+git@google.com \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=jeremy.linton@arm.com \
--cc=kees@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ryan.roberts@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox