Linux-ARM-Kernel Archive on lore.kernel.org
* [PATCH v2] RFC: ARM: breakpoint: CFI breakpoints only on demand
@ 2026-07-01  7:11 Linus Walleij
  2026-07-01 10:40 ` Linus Walleij
  2026-07-03  8:59 ` Mark Rutland
  0 siblings, 2 replies; 4+ messages in thread
From: Linus Walleij @ 2026-07-01  7:11 UTC (permalink / raw)
  To: Russell King, Nathan Chancellor, Sami Tolvanen, Kees Cook,
	Russell King (Oracle)
  Cc: linux-arm-kernel, linux-kernel, stable, slipher, Linus Walleij

This removes the stub hw_breakpoint_cfi_handler() from ARM, making
it not steal breakpoint type 0x03 (ARM_ENTRY_CFI_BREAKPOINT) unless
CFI is actively used in the kernel.

When not instrumenting with CFI, we fall through to return 1 from
hw_breakpoint_pending() "unhandled fault" so userspace can make use
of this breakpoint.

This of course does not work if userspace wants to use CFI and custom
breakpoints at the same time, and CONFIG_CFI does exist as something
users might want to select for their kernel. If this is not
acceptable we need to think about other ways for CFI to interfere, such
as not using BKPT at all (rather something like BUG()) and back out
the offending patch until the compiler behaviour has changed.

Fixes: c3f89986fde7 ("ARM: 9391/2: hw_breakpoint: Handle CFI breakpoints")
Reported-by: slipher <slipher@protonmail.com>
Closes: https://lore.kernel.org/lkml/kJqktbpLphg_Pk5I5SPptgTLjl3E3eq5mN5UzCslyFj7Q1Irp-wDid4mj5eQVd2iZtRGXgeZd8goq195EkXdjyt864YMc8mVb2B9NGH91NQ=@protonmail.com/
Signed-off-by: Linus Walleij <linusw@kernel.org>
---
Trying to solve the CFI bug. Let's see if this first
approach is acceptable for the reporter.
---
Changes in v2:
- Resending as non-RFC so it can be applied as a band-aid.
- Link to v1: https://patch.msgid.link/20260626-arm32-cfi-bug-v1-1-a467b5050c0b@kernel.org
---
 arch/arm/kernel/hw_breakpoint.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
index cd4b34c96e35..007023db6a5d 100644
--- a/arch/arm/kernel/hw_breakpoint.c
+++ b/arch/arm/kernel/hw_breakpoint.c
@@ -929,10 +929,6 @@ static void hw_breakpoint_cfi_handler(struct pt_regs *regs)
 		break;
 	}
 }
-#else
-static void hw_breakpoint_cfi_handler(struct pt_regs *regs)
-{
-}
 #endif
 
 /*
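Review bot: removing the `#else` stub leaves hw_breakpoint_cfi_handler() undefined for CONFIG_CFI=n builds, so this hunk only compiles together with the `#ifdef CONFIG_CFI` guard the second hunk adds around the call site in hw_breakpoint_pending(); the two must stay in one patch, and a one-line comment on the remaining `#endif` saying the handler is CFI-only would make that dependency visible to the next reader.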
@@ -964,9 +960,11 @@ static int hw_breakpoint_pending(unsigned long addr, unsigned int fsr,
 	case ARM_ENTRY_SYNC_WATCHPOINT:
 		watchpoint_handler(addr, fsr, regs);
 		break;
+#ifdef CONFIG_CFI
 	case ARM_ENTRY_CFI_BREAKPOINT:
 		hw_breakpoint_cfi_handler(regs);
 		break;
+#endif
 	default:
 		ret = 1; /* Unhandled fault. */
 	}
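Review bot: the `#ifdef CONFIG_CFI` only gives the breakpoint back to userspace when CFI is compiled out; with CONFIG_CFI=y a type 0x03 BKPT executed in user mode still reaches hw_breakpoint_cfi_handler(), which is meant for kernel-mode BKPT and, as noted later in the thread, can end in die(). Making the case depend on where the exception was taken, e.g. `if (user_mode(regs)) { ret = 1; break; }` before the handler call, lets user-mode BKPT fall to the unhandled-fault path regardless of CONFIG_CFI, which is what the commit message says userspace needs.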

---
base-commit: 8cd9520d35a6c38db6567e97dd93b1f11f185dc6
change-id: 20260626-arm32-cfi-bug-10fb960749c4

Best regards,
--  
Linus Walleij <linusw@kernel.org>


* Re: [PATCH v2] RFC: ARM: breakpoint: CFI breakpoints only on demand
  2026-07-01  7:11 [PATCH v2] RFC: ARM: breakpoint: CFI breakpoints only on demand Linus Walleij
@ 2026-07-01 10:40 ` Linus Walleij
  2026-07-03  8:59 ` Mark Rutland
  1 sibling, 0 replies; 4+ messages in thread
From: Linus Walleij @ 2026-07-01 10:40 UTC (permalink / raw)
  To: Russell King, Nathan Chancellor, Sami Tolvanen, Kees Cook,
	Russell King (Oracle)
  Cc: linux-arm-kernel, linux-kernel, stable, slipher

On Wed, Jul 1, 2026 at 9:11 AM Linus Walleij <linusw@kernel.org> wrote:

> This removes the stub hw_breakpoint_cfi_handler() from ARM, making
> it not steal breakpoint type 0x03 (ARM_ENTRY_CFI_BREAKPOINT) unless
> CFI is actively used in the kernel.

Was meaning to send a non-RFC of this band-aid patch, but missed to
strip off "RFC", mea culpa.

Yours,
Linus Walleij


* Re: [PATCH v2] RFC: ARM: breakpoint: CFI breakpoints only on demand
  2026-07-01  7:11 [PATCH v2] RFC: ARM: breakpoint: CFI breakpoints only on demand Linus Walleij
  2026-07-01 10:40 ` Linus Walleij
@ 2026-07-03  8:59 ` Mark Rutland
  2026-07-03 11:47   ` Linus Walleij
  1 sibling, 1 reply; 4+ messages in thread
From: Mark Rutland @ 2026-07-03  8:59 UTC (permalink / raw)
  To: Linus Walleij
  Cc: Russell King, Nathan Chancellor, Sami Tolvanen, Kees Cook,
	Russell King (Oracle), linux-arm-kernel, linux-kernel, stable,
	slipher

On Wed, Jul 01, 2026 at 09:11:54AM +0200, Linus Walleij wrote:
> This removes the stub hw_breakpoint_cfi_handler() from ARM, making
> it not steal breakpoint type 0x03 (ARM_ENTRY_CFI_BREAKPOINT) unless
> CFI is actively used in the kernel.
> 
> When not instrumenting with CFI, we fall through to return 1 from
> hw_breakpoint_pending() "unhandled fault" so userspace can make use
> of this breakpoint.
> 
> This of course does not work if userspace wants to use CFI and custom
> breakpoints at the same time, and CONFIG_CFI does exist as something
> users might want to select for their kernel.

I don't follow this part. CONFIG_CFI is for the kernel; it has nothing
to do with what userspace wants to do.

AFAICT, when the kernel is built with CONFIG_CFI, if userspace uses BKPT
at all, for any reason, it can cause the kernel to die().

> If this is not acceptable we need to think about other ways for
> CFI to interfere, such as not using BKPT at all (rather something like
> BUG()) and back out the offending patch until the compiler behaviour
> has changed.

See comments below.

> Fixes: c3f89986fde7 ("ARM: 9391/2: hw_breakpoint: Handle CFI breakpoints")
> Reported-by: slipher <slipher@protonmail.com>
> Closes: https://lore.kernel.org/lkml/kJqktbpLphg_Pk5I5SPptgTLjl3E3eq5mN5UzCslyFj7Q1Irp-wDid4mj5eQVd2iZtRGXgeZd8goq195EkXdjyt864YMc8mVb2B9NGH91NQ=@protonmail.com/
> Signed-off-by: Linus Walleij <linusw@kernel.org>
> ---
> Trying to solve the CFI bug. Let's see if this first
> approach is acceptable for the reporter.
> ---
> Changes in v2:
> - Resending as non-RFC so it can be applied as a band-aid.
> - Link to v1: https://patch.msgid.link/20260626-arm32-cfi-bug-v1-1-a467b5050c0b@kernel.org
> ---
>  arch/arm/kernel/hw_breakpoint.c | 6 ++----
>  1 file changed, 2 insertions(+), 4 deletions(-)
> 
> diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
> index cd4b34c96e35..007023db6a5d 100644
> --- a/arch/arm/kernel/hw_breakpoint.c
> +++ b/arch/arm/kernel/hw_breakpoint.c
> @@ -929,10 +929,6 @@ static void hw_breakpoint_cfi_handler(struct pt_regs *regs)
>  		break;
>  	}
>  }
> -#else
> -static void hw_breakpoint_cfi_handler(struct pt_regs *regs)
> -{
> -}
>  #endif
>  
>  /*
> @@ -964,9 +960,11 @@ static int hw_breakpoint_pending(unsigned long addr, unsigned int fsr,
>  	case ARM_ENTRY_SYNC_WATCHPOINT:
>  		watchpoint_handler(addr, fsr, regs);
>  		break;
> +#ifdef CONFIG_CFI
>  	case ARM_ENTRY_CFI_BREAKPOINT:
>  		hw_breakpoint_cfi_handler(regs);
>  		break;
> +#endif

AFAICT, hw_breakpoint_cfi_handler() is only intended to handle
BKPT instructions executed in kernel mode, and even when the kernel is
built with CFI support, it doesn't make sense to call that for BKPT
instructions executed in user mode.

On arm64, we have separate paths for BRK exceptions from user mode
(do_el0_brk64()) and kernel mode (do_el1_brk64()).

Surely you can check kernel_mode(regs) or user_mode(regs) to distinguish
the two cases, and only call hw_breakpoint_cfi_handler() when the
exception was taken from kernel mode?

Mark.

>  	default:
>  		ret = 1; /* Unhandled fault. */
>  	}
> 
> ---
> base-commit: 8cd9520d35a6c38db6567e97dd93b1f11f185dc6
> change-id: 20260626-arm32-cfi-bug-10fb960749c4
> 
> Best regards,
> --  
> Linus Walleij <linusw@kernel.org>
> 
> 

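A constructed C model of the dispatch discussed in the reply above, added here and not code from the kernel or from anyone in the thread: it contrasts the v2 patch's unconditional CFI case with one that checks the CPSR mode bits the way user_mode(regs) does on ARM, so a user-mode BKPT of type 0x03 is left for the generic fault path instead of the kernel CFI handler. The struct, enum, stand-in handler and function names are assumptions; ARM_ENTRY_CFI_BREAKPOINT (0x03) comes from the patch and the mode encodings are ARM's.

```c
/* Constructed model (not kernel code) of the ARM hw_breakpoint_pending()
 * dispatch discussed in the thread; USR_MODE, SVC_MODE and MODE_MASK are
 * the ARM CPSR M[4:0] encodings, 0x03 is the type from the patch. */
#include <stdbool.h>

#define USR_MODE  0x10
#define SVC_MODE  0x13
#define MODE_MASK 0x1f
#define ARM_ENTRY_CFI_BREAKPOINT 0x03

struct model_regs { unsigned long cpsr; };   /* stands in for pt_regs */

enum outcome {
	OUTCOME_UNHANDLED,    /* ret = 1: left to the generic fault path */
	OUTCOME_CFI_HANDLED   /* CFI handler consumed the BKPT (kernel-only) */
};

/* Same test user_mode(regs) makes on ARM: compare the CPSR mode field. */
static bool model_user_mode(const struct model_regs *regs)
{
	return (regs->cpsr & MODE_MASK) == USR_MODE;
}

/* Stand-in for hw_breakpoint_cfi_handler(): it assumes a kernel BKPT. */
static enum outcome model_cfi_handler(void)
{
	return OUTCOME_CFI_HANDLED;
}

/* As in the v2 patch with CONFIG_CFI=y: every type 0x03 BKPT, whether
 * executed in user or kernel mode, is handed to the CFI handler. */
static enum outcome dispatch_v2(unsigned int type, const struct model_regs *regs)
{
	(void)regs;
	if (type == ARM_ENTRY_CFI_BREAKPOINT)
		return model_cfi_handler();
	return OUTCOME_UNHANDLED;
}

/* With the mode check suggested in the reply: a user-mode BKPT is left
 * unhandled so userspace keeps its own breakpoint. */
static enum outcome dispatch_mode_checked(unsigned int type,
					  const struct model_regs *regs)
{
	if (type == ARM_ENTRY_CFI_BREAKPOINT && !model_user_mode(regs))
		return model_cfi_handler();
	return OUTCOME_UNHANDLED;
}
```

Flag bits above the mode field (e.g. a CPSR of 0x600000d3) do not affect the check, which is why the mask is applied before the comparison.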

* Re: [PATCH v2] RFC: ARM: breakpoint: CFI breakpoints only on demand
  2026-07-03  8:59 ` Mark Rutland
@ 2026-07-03 11:47   ` Linus Walleij
  0 siblings, 0 replies; 4+ messages in thread
From: Linus Walleij @ 2026-07-03 11:47 UTC (permalink / raw)
  To: Mark Rutland
  Cc: Russell King, Nathan Chancellor, Sami Tolvanen, Kees Cook,
	Russell King (Oracle), linux-arm-kernel, linux-kernel, stable,
	slipher

On Fri, Jul 3, 2026 at 10:59 AM Mark Rutland <mark.rutland@arm.com> wrote:

> AFAICT, hw_breakpoint_cfi_handler() is only intended to handle
> BKPT instructions executed in kernel mode, and even when the kernel is
> built with CFI support, it doesn't make sense to call that for BKPT
> instructions executed in user mode.
>
> On arm64, we have separate paths for BRK exceptions from user mode
> (do_el0_brk64()) and kernel mode (do_el1_brk64()).
>
> Surely you can check kernel_mode(regs) or user_mode(regs) to distinguish
> the two cases, and only call hw_breakpoint_cfi_handler() when the
> exception was taken from kernel mode?

You're right of course... I'll add a check like that and see if this
solves the problem for the reporter.

Yours,
Linus Walleij

