[PATCH v2 0/3] arm64: Assorted GCS fixes

[PATCH v2 0/3] arm64: Assorted GCS fixes

[Catalin Marinas]

A couple of GCS fixes and a corresponding kselftest. The first fix
solves a kernel panic when LPA2 is present. The second ensures that the
shadow stack is not accessible after mprotect(PROT_NONE). The test is
fairly close to gcs_write_fault.c but performs a normal read from the
shadow stack before and after mprotect(PROT_NOTE).

v1 here:

https://lore.kernel.org/all/20260220140532.285011-1-catalin.marinas@arm.com/

Changes since v1:

- I dropped the VM_NOHUGEPAGE patch from this series. I'll submit a
  separate one that also changes riscv and x86 for consistency.

- Added a gcs_page_prot variable to store the protection for the gcs
  page, somewhat closer to what we do with protection_map[]. There are
  other ways to implement this, e.g. using PTE_MAYBE_SHARED or starting
  from protection_map[] and replacing the PIE bits with those from
  _PAGE_GCS_RO.

- The PROT_NONE patch was updated to drop the NUMA migration reference
  (this path is not exercised in that case), mention mprotect() instead.
  In addition, it checks VM_ACCESS_FLAGS instead of VM_READ|VM_WRITE.

- Added kselftest for the GCS PROT_NONE case.

Thanks.

Catalin Marinas (3):
  arm64: gcs: Do not set PTE_SHARED on GCS mappings if FEAT_LPA2 is
    enabled
  arm64: gcs: Honour mprotect(PROT_NONE) on shadow stack mappings
  kselftest: arm64: Check access to GCS after mprotect(PROT_NONE)

 arch/arm64/include/asm/pgtable-prot.h         |  3 -
 arch/arm64/mm/mmap.c                          | 12 ++-
 .../signal/testcases/gcs_prot_none_fault.c    | 76 +++++++++++++++++++
 3 files changed, 86 insertions(+), 5 deletions(-)
 create mode 100644 tools/testing/selftests/arm64/signal/testcases/gcs_prot_none_fault.c

[PATCH v2 1/3] arm64: gcs: Do not set PTE_SHARED on GCS mappings if FEAT_LPA2 is enabled

[Catalin Marinas]

When FEAT_LPA2 is enabled, bits 8-9 of the PTE replace the
shareability attribute with bits 50-51 of the output address. The
_PAGE_GCS{,_RO} definitions include the PTE_SHARED bits as 0b11 (this
matches the other _PAGE_* definitions) but using this macro directly
leads to the following panic when enabling GCS on a system/model with
LPA2:

  Unable to handle kernel paging request at virtual address fffff1ffc32d8008
  Mem abort info:
    ESR = 0x0000000096000004
    EC = 0x25: DABT (current EL), IL = 32 bits
    SET = 0, FnV = 0
    EA = 0, S1PTW = 0
    FSC = 0x04: level 0 translation fault
  Data abort info:
    ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
    CM = 0, WnR = 0, TnD = 0, TagAccess = 0
    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
  swapper pgtable: 4k pages, 52-bit VAs, pgdp=0000000060f4d000
  [fffff1ffc32d8008] pgd=100000006184b003, p4d=0000000000000000
  Internal error: Oops: 0000000096000004 [#1]  SMP
  CPU: 0 UID: 0 PID: 513 Comm: gcs_write_fault Tainted: G   M                7.0.0-rc1 #1 PREEMPT
  Tainted: [M]=MACHINE_CHECK
  Hardware name: QEMU QEMU Virtual Machine, BIOS 2025.02-8+deb13u1 11/08/2025
  pstate: 03402005 (nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
  pc : zap_huge_pmd+0x168/0x468
  lr : zap_huge_pmd+0x2c/0x468
  sp : ffff800080beb660
  x29: ffff800080beb660 x28: fff00000c2058180 x27: ffff800080beb898
  x26: fff00000c2058180 x25: ffff800080beb820 x24: 00c800010b600f41
  x23: ffffc1ffc30af1a8 x22: fff00000c2058180 x21: 0000ffff8dc00000
  x20: fff00000c2bc6370 x19: ffff800080beb898 x18: ffff800080bebb60
  x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000007
  x14: 000000000000000a x13: 0000aaaacbbbffff x12: 0000000000000000
  x11: 0000ffff8ddfffff x10: 00000000000001fe x9 : 0000ffff8ddfffff
  x8 : 0000ffff8de00000 x7 : 0000ffff8da00000 x6 : fff00000c2bc6370
  x5 : 0000ffff8da00000 x4 : 000000010b600000 x3 : ffffc1ffc0000000
  x2 : fff00000c2058180 x1 : fffff1ffc32d8000 x0 : 000000c00010b600
  Call trace:
   zap_huge_pmd+0x168/0x468 (P)
   unmap_page_range+0xd70/0x1560
   unmap_single_vma+0x48/0x80
   unmap_vmas+0x90/0x180
   unmap_region+0x88/0xe4
   vms_complete_munmap_vmas+0xf8/0x1e0
   do_vmi_align_munmap+0x158/0x180
   do_vmi_munmap+0xac/0x160
   __vm_munmap+0xb0/0x138
   vm_munmap+0x14/0x20
   gcs_free+0x70/0x80
   mm_release+0x1c/0xc8
   exit_mm_release+0x28/0x38
   do_exit+0x190/0x8ec
   do_group_exit+0x34/0x90
   get_signal+0x794/0x858
   arch_do_signal_or_restart+0x11c/0x3e0
   exit_to_user_mode_loop+0x10c/0x17c
   el0_da+0x8c/0x9c
   el0t_64_sync_handler+0xd0/0xf0
   el0t_64_sync+0x198/0x19c
  Code: aa1603e2 d34cfc00 cb813001 8b011861 (f9400420)

Similarly to how the kernel handles protection_map[], use a
gcs_page_prot variable to store the protection bits and clear PTE_SHARED
if LPA2 is enabled.

Also remove the unused PAGE_GCS{,_RO} macros.

Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Fixes: 6497b66ba694 ("arm64/mm: Map pages for guarded control stack")
Reported-by: Emanuele Rocca <emanuele.rocca@arm.com>
Cc: <stable@vger.kernel.org>
Cc: Mark Brown <broonie@kernel.org>
Cc: Will Deacon <will@kernel.org>
---
 arch/arm64/include/asm/pgtable-prot.h | 3 ---
 arch/arm64/mm/mmap.c                  | 8 ++++++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/arch/arm64/include/asm/pgtable-prot.h b/arch/arm64/include/asm/pgtable-prot.h
index d27e8872fe3c..2b32639160de 100644
--- a/arch/arm64/include/asm/pgtable-prot.h
+++ b/arch/arm64/include/asm/pgtable-prot.h
@@ -164,9 +164,6 @@ static inline bool __pure lpa2_is_enabled(void)
 #define _PAGE_GCS	(_PAGE_DEFAULT | PTE_NG | PTE_UXN | PTE_WRITE | PTE_USER)
 #define _PAGE_GCS_RO	(_PAGE_DEFAULT | PTE_NG | PTE_UXN | PTE_USER)
 
-#define PAGE_GCS	__pgprot(_PAGE_GCS)
-#define PAGE_GCS_RO	__pgprot(_PAGE_GCS_RO)
-
 #define PIE_E0	( \
 	PIRx_ELx_PERM_PREP(pte_pi_index(_PAGE_GCS),           PIE_GCS)  | \
 	PIRx_ELx_PERM_PREP(pte_pi_index(_PAGE_GCS_RO),        PIE_R)   | \
diff --git a/arch/arm64/mm/mmap.c b/arch/arm64/mm/mmap.c
index 08ee177432c2..75f343009b4b 100644
--- a/arch/arm64/mm/mmap.c
+++ b/arch/arm64/mm/mmap.c
@@ -34,6 +34,8 @@ static pgprot_t protection_map[16] __ro_after_init = {
 	[VM_SHARED | VM_EXEC | VM_WRITE | VM_READ]	= PAGE_SHARED_EXEC
 };
 
+static ptdesc_t gcs_page_prot __ro_after_init = _PAGE_GCS_RO;
+
 /*
  * You really shouldn't be using read() or write() on /dev/mem.  This might go
  * away in the future.
@@ -73,9 +75,11 @@ static int __init adjust_protection_map(void)
 		protection_map[VM_EXEC | VM_SHARED] = PAGE_EXECONLY;
 	}
 
-	if (lpa2_is_enabled())
+	if (lpa2_is_enabled()) {
 		for (int i = 0; i < ARRAY_SIZE(protection_map); i++)
 			pgprot_val(protection_map[i]) &= ~PTE_SHARED;
+		gcs_page_prot &= ~PTE_SHARED;
+	}
 
 	return 0;
 }
@@ -87,7 +91,7 @@ pgprot_t vm_get_page_prot(vm_flags_t vm_flags)
 
 	/* Short circuit GCS to avoid bloating the table. */
 	if (system_supports_gcs() && (vm_flags & VM_SHADOW_STACK)) {
-		prot = _PAGE_GCS_RO;
+		prot = gcs_page_prot;
 	} else {
 		prot = pgprot_val(protection_map[vm_flags &
 				   (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]);

Re: [PATCH v2 1/3] arm64: gcs: Do not set PTE_SHARED on GCS mappings if FEAT_LPA2 is enabled

[David Hildenbrand (Arm)]

On 2/23/26 18:45, Catalin Marinas wrote:
> When FEAT_LPA2 is enabled, bits 8-9 of the PTE replace the
> shareability attribute with bits 50-51 of the output address. The
> _PAGE_GCS{,_RO} definitions include the PTE_SHARED bits as 0b11 (this
> matches the other _PAGE_* definitions) but using this macro directly
> leads to the following panic when enabling GCS on a system/model with
> LPA2:
> 
>   Unable to handle kernel paging request at virtual address fffff1ffc32d8008
>   Mem abort info:
>     ESR = 0x0000000096000004
>     EC = 0x25: DABT (current EL), IL = 32 bits
>     SET = 0, FnV = 0
>     EA = 0, S1PTW = 0
>     FSC = 0x04: level 0 translation fault
>   Data abort info:
>     ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
>     CM = 0, WnR = 0, TnD = 0, TagAccess = 0
>     GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
>   swapper pgtable: 4k pages, 52-bit VAs, pgdp=0000000060f4d000
>   [fffff1ffc32d8008] pgd=100000006184b003, p4d=0000000000000000
>   Internal error: Oops: 0000000096000004 [#1]  SMP
>   CPU: 0 UID: 0 PID: 513 Comm: gcs_write_fault Tainted: G   M                7.0.0-rc1 #1 PREEMPT
>   Tainted: [M]=MACHINE_CHECK
>   Hardware name: QEMU QEMU Virtual Machine, BIOS 2025.02-8+deb13u1 11/08/2025
>   pstate: 03402005 (nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
>   pc : zap_huge_pmd+0x168/0x468
>   lr : zap_huge_pmd+0x2c/0x468
>   sp : ffff800080beb660
>   x29: ffff800080beb660 x28: fff00000c2058180 x27: ffff800080beb898
>   x26: fff00000c2058180 x25: ffff800080beb820 x24: 00c800010b600f41
>   x23: ffffc1ffc30af1a8 x22: fff00000c2058180 x21: 0000ffff8dc00000
>   x20: fff00000c2bc6370 x19: ffff800080beb898 x18: ffff800080bebb60
>   x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000007
>   x14: 000000000000000a x13: 0000aaaacbbbffff x12: 0000000000000000
>   x11: 0000ffff8ddfffff x10: 00000000000001fe x9 : 0000ffff8ddfffff
>   x8 : 0000ffff8de00000 x7 : 0000ffff8da00000 x6 : fff00000c2bc6370
>   x5 : 0000ffff8da00000 x4 : 000000010b600000 x3 : ffffc1ffc0000000
>   x2 : fff00000c2058180 x1 : fffff1ffc32d8000 x0 : 000000c00010b600
>   Call trace:
>    zap_huge_pmd+0x168/0x468 (P)
>    unmap_page_range+0xd70/0x1560
>    unmap_single_vma+0x48/0x80
>    unmap_vmas+0x90/0x180
>    unmap_region+0x88/0xe4
>    vms_complete_munmap_vmas+0xf8/0x1e0
>    do_vmi_align_munmap+0x158/0x180
>    do_vmi_munmap+0xac/0x160
>    __vm_munmap+0xb0/0x138
>    vm_munmap+0x14/0x20
>    gcs_free+0x70/0x80
>    mm_release+0x1c/0xc8
>    exit_mm_release+0x28/0x38
>    do_exit+0x190/0x8ec
>    do_group_exit+0x34/0x90
>    get_signal+0x794/0x858
>    arch_do_signal_or_restart+0x11c/0x3e0
>    exit_to_user_mode_loop+0x10c/0x17c
>    el0_da+0x8c/0x9c
>    el0t_64_sync_handler+0xd0/0xf0
>    el0t_64_sync+0x198/0x19c
>   Code: aa1603e2 d34cfc00 cb813001 8b011861 (f9400420)
> 
> Similarly to how the kernel handles protection_map[], use a
> gcs_page_prot variable to store the protection bits and clear PTE_SHARED
> if LPA2 is enabled.
> 
> Also remove the unused PAGE_GCS{,_RO} macros.
> 
> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
> Fixes: 6497b66ba694 ("arm64/mm: Map pages for guarded control stack")
> Reported-by: Emanuele Rocca <emanuele.rocca@arm.com>
> Cc: <stable@vger.kernel.org>
> Cc: Mark Brown <broonie@kernel.org>
> Cc: Will Deacon <will@kernel.org>
> ---

Reviewed-by: David Hildenbrand (Arm) <david@kernel.org>

-- 
Cheers,

David

[PATCH v2 2/3] arm64: gcs: Honour mprotect(PROT_NONE) on shadow stack mappings

[Catalin Marinas]

vm_get_page_prot() short-circuits the protection_map[] lookup for a
VM_SHADOW_STACK mapping since it uses a different PIE index from the
typical read/write/exec permissions. However, the side effect is that it
also ignores mprotect(PROT_NONE) by creating an accessible PTE.

Special-case the !(vm_flags & VM_ACCESS_FLAGS) flags to use the
protection_map[VM_NONE] permissions instead. No GCS attributes are
required for an inaccessible PTE.

Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Fixes: 6497b66ba694 ("arm64/mm: Map pages for guarded control stack")
Cc: <stable@vger.kernel.org>
Cc: Mark Brown <broonie@kernel.org>
Cc: Will Deacon <will@kernel.org>
Cc: David Hildenbrand <david@kernel.org>
---
 arch/arm64/mm/mmap.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/mm/mmap.c b/arch/arm64/mm/mmap.c
index 75f343009b4b..92b2f5097a96 100644
--- a/arch/arm64/mm/mmap.c
+++ b/arch/arm64/mm/mmap.c
@@ -91,7 +91,11 @@ pgprot_t vm_get_page_prot(vm_flags_t vm_flags)
 
 	/* Short circuit GCS to avoid bloating the table. */
 	if (system_supports_gcs() && (vm_flags & VM_SHADOW_STACK)) {
-		prot = gcs_page_prot;
+		/* Honour mprotect(PROT_NONE) on shadow stack mappings */
+		if (vm_flags & VM_ACCESS_FLAGS)
+			prot = gcs_page_prot;
+		else
+			prot = pgprot_val(protection_map[VM_NONE]);
 	} else {
 		prot = pgprot_val(protection_map[vm_flags &
 				   (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]);

Re: [PATCH v2 2/3] arm64: gcs: Honour mprotect(PROT_NONE) on shadow stack mappings

[David Hildenbrand (Arm)]

On 2/23/26 18:45, Catalin Marinas wrote:
> vm_get_page_prot() short-circuits the protection_map[] lookup for a
> VM_SHADOW_STACK mapping since it uses a different PIE index from the
> typical read/write/exec permissions. However, the side effect is that it
> also ignores mprotect(PROT_NONE) by creating an accessible PTE.
> 
> Special-case the !(vm_flags & VM_ACCESS_FLAGS) flags to use the
> protection_map[VM_NONE] permissions instead. No GCS attributes are
> required for an inaccessible PTE.
> 
> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
> Fixes: 6497b66ba694 ("arm64/mm: Map pages for guarded control stack")
> Cc: <stable@vger.kernel.org>
> Cc: Mark Brown <broonie@kernel.org>
> Cc: Will Deacon <will@kernel.org>
> Cc: David Hildenbrand <david@kernel.org>
> ---

Reviewed-by: David Hildenbrand (Arm) <david@kernel.org>

-- 
Cheers,

David

[PATCH v2 3/3] kselftest: arm64: Check access to GCS after mprotect(PROT_NONE)

[Catalin Marinas]

A GCS mapping should not be accessible after mprotect(PROT_NONE). Add a
kselftest for this scenario.

Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Shuah Khan <skhan@linuxfoundation.org>
Cc: Mark Brown <broonie@kernel.org>
Cc: Will Deacon <will@kernel.org>
Cc: David Hildenbrand <david@kernel.org>
---
 .../signal/testcases/gcs_prot_none_fault.c    | 76 +++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 tools/testing/selftests/arm64/signal/testcases/gcs_prot_none_fault.c

diff --git a/tools/testing/selftests/arm64/signal/testcases/gcs_prot_none_fault.c b/tools/testing/selftests/arm64/signal/testcases/gcs_prot_none_fault.c
new file mode 100644
index 000000000000..2259f454a202
--- /dev/null
+++ b/tools/testing/selftests/arm64/signal/testcases/gcs_prot_none_fault.c
@@ -0,0 +1,76 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2026 ARM Limited
+ */
+
+#include <errno.h>
+#include <signal.h>
+#include <unistd.h>
+
+#include <sys/mman.h>
+#include <sys/prctl.h>
+
+#include "test_signals_utils.h"
+#include "testcases.h"
+
+static uint64_t *gcs_page;
+static bool post_mprotect;
+
+#ifndef __NR_map_shadow_stack
+#define __NR_map_shadow_stack 453
+#endif
+
+static bool alloc_gcs(struct tdescr *td)
+{
+	long page_size = sysconf(_SC_PAGE_SIZE);
+
+	gcs_page = (void *)syscall(__NR_map_shadow_stack, 0,
+				   page_size, 0);
+	if (gcs_page == MAP_FAILED) {
+		fprintf(stderr, "Failed to map %ld byte GCS: %d\n",
+			page_size, errno);
+		return false;
+	}
+
+	return true;
+}
+
+static int gcs_prot_none_fault_trigger(struct tdescr *td)
+{
+	/* Verify that the page is readable (ie, not completely unmapped) */
+	fprintf(stderr, "Read value 0x%lx\n", gcs_page[0]);
+
+	if (mprotect(gcs_page, sysconf(_SC_PAGE_SIZE), PROT_NONE) != 0) {
+		fprintf(stderr, "mprotect(PROT_NONE) failed: %d\n", errno);
+		return 0;
+	}
+	post_mprotect = true;
+
+	/* This should trigger a fault if PROT_NONE is honoured for the GCS page */
+	fprintf(stderr, "Read value after mprotect(PROT_NONE) 0x%lx\n", gcs_page[0]);
+	return 0;
+}
+
+static int gcs_prot_none_fault_signal(struct tdescr *td, siginfo_t *si,
+				      ucontext_t *uc)
+{
+	ASSERT_GOOD_CONTEXT(uc);
+
+	/* A fault before mprotect(PROT_NONE) is unexpected. */
+	if (!post_mprotect)
+		return 0;
+
+	return 1;
+}
+
+struct tdescr tde = {
+	.name = "GCS PROT_NONE fault",
+	.descr = "Read from GCS after mprotect(PROT_NONE) segfaults",
+	.feats_required = FEAT_GCS,
+	.timeout = 3,
+	.sig_ok = SIGSEGV,
+	.sanity_disabled = true,
+	.init = alloc_gcs,
+	.trigger = gcs_prot_none_fault_trigger,
+	.run = gcs_prot_none_fault_signal,
+};

Re: [PATCH v2 3/3] kselftest: arm64: Check access to GCS after mprotect(PROT_NONE)

[Mark Brown]

[-- Attachment #1: Type: text/plain, Size: 216 bytes --]

On Mon, Feb 23, 2026 at 05:45:32PM +0000, Catalin Marinas wrote:
> A GCS mapping should not be accessible after mprotect(PROT_NONE). Add a
> kselftest for this scenario.

Reviewed-by: Mark Brown <broonie@kernel.org>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [PATCH v2 0/3] arm64: Assorted GCS fixes

[Will Deacon]

On Mon, 23 Feb 2026 17:45:29 +0000, Catalin Marinas wrote:
> A couple of GCS fixes and a corresponding kselftest. The first fix
> solves a kernel panic when LPA2 is present. The second ensures that the
> shadow stack is not accessible after mprotect(PROT_NONE). The test is
> fairly close to gcs_write_fault.c but performs a normal read from the
> shadow stack before and after mprotect(PROT_NOTE).
> 
> v1 here:
> 
> [...]

Applied to arm64 (for-next/fixes), thanks!

[1/3] arm64: gcs: Do not set PTE_SHARED on GCS mappings if FEAT_LPA2 is enabled
      https://git.kernel.org/arm64/c/8a85b3131225
[2/3] arm64: gcs: Honour mprotect(PROT_NONE) on shadow stack mappings
      https://git.kernel.org/arm64/c/47a8aad135ac
[3/3] kselftest: arm64: Check access to GCS after mprotect(PROT_NONE)
      https://git.kernel.org/arm64/c/9d1a7c4a457e

Cheers,
-- 
Will

https://fixes.arm64.dev
https://next.arm64.dev
https://will.arm64.dev