References: <20250604-v5_user_cfi_series-v17-0-4565c2cf869f@rivosinc.com> <20250604-v5_user_cfi_series-v17-15-4565c2cf869f@rivosinc.com>
From: Zong Li
Date: Fri, 20 Jun 2025 10:16:12 +0800
Subject: Re: [PATCH v17 15/27] riscv/traps: Introduce software check exception and uprobe handling
To: Deepak Gupta
Cc: Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, H. Peter Anvin, Andrew Morton, Liam R. Howlett, Vlastimil Babka, Lorenzo Stoakes, Paul Walmsley, Palmer Dabbelt, Albert Ou, Conor Dooley, Rob Herring, Krzysztof Kozlowski, Arnd Bergmann, Christian Brauner, Peter Zijlstra, Oleg Nesterov, Eric Biederman, Kees Cook, Jonathan Corbet, Shuah Khan, Jann Horn, Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Alice Ryhl, Trevor Gross, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-riscv@lists.infradead.org, devicetree@vger.kernel.org, linux-arch@vger.kernel.org, linux-doc@vger.kernel.org, linux-kselftest@vger.kernel.org, alistair.francis@wdc.com, richard.henderson@linaro.org, jim.shu@sifive.com, andybnac@gmail.com, kito.cheng@sifive.com, charlie@rivosinc.com, atishp@rivosinc.com, evan@rivosinc.com, cleger@rivosinc.com, alexghiti@rivosinc.com, samitolvanen@google.com, broonie@kernel.org, rick.p.edgecombe@intel.com, rust-for-linux@vger.kernel.org
On Mon, Jun 16, 2025 at 3:31 PM Zong Li wrote:
>
> On Thu, Jun 5, 2025 at 1:17 AM Deepak Gupta wrote:
> >
> > zicfiss / zicfilp introduces a new exception to priv isa `software check
> > exception` with cause code = 18. This patch implements software check
> > exception.
> >
> > Additionally it implements a cfi violation handler which checks for code
> > in xtval. If xtval=2, it means that sw check exception happened because of
> > an indirect branch not landing on 4 byte aligned PC or not landing on
> > `lpad` instruction or label value embedded in `lpad` not matching label
> > value setup in `x7`. If xtval=3, it means that sw check exception happened
> > because of mismatch between link register (x1 or x5) and top of shadow
> > stack (on execution of `sspopchk`).
> >
> > In case of cfi violation, SIGSEGV is raised with code=SEGV_CPERR.
> > SEGV_CPERR was introduced by x86 shadow stack patches.
> >
> > To keep uprobes working, handle the uprobe event first before reporting
> > the CFI violation in software-check exception handler. Because when the
> > landing pad is activated, if the uprobe point is set at the lpad
> > instruction at the beginning of a function, the system triggers a software
> > -check exception instead of an ebreak exception due to the exception
> > priority, then uprobe can't work successfully.
> >
> > Co-developed-by: Zong Li
> > Reviewed-by: Zong Li
> > Signed-off-by: Zong Li
> > Signed-off-by: Deepak Gupta
> > ---
> >  arch/riscv/include/asm/asm-prototypes.h |  1 +
> >  arch/riscv/include/asm/entry-common.h   |  2 ++
> >  arch/riscv/kernel/entry.S               |  3 ++
> >  arch/riscv/kernel/traps.c               | 51 +++++++++++++++++++++++++++++++++
> >  4 files changed, 57 insertions(+)
> >
> > diff --git a/arch/riscv/include/asm/asm-prototypes.h b/arch/riscv/include/asm/asm-prototypes.h
> > index cd627ec289f1..5a27cefd7805 100644
> > --- a/arch/riscv/include/asm/asm-prototypes.h
> > +++ b/arch/riscv/include/asm/asm-prototypes.h
> > @@ -51,6 +51,7 @@ DECLARE_DO_ERROR_INFO(do_trap_ecall_u);
> >  DECLARE_DO_ERROR_INFO(do_trap_ecall_s);
> >  DECLARE_DO_ERROR_INFO(do_trap_ecall_m);
> >  DECLARE_DO_ERROR_INFO(do_trap_break);
> > +DECLARE_DO_ERROR_INFO(do_trap_software_check);
> >
> >  asmlinkage void handle_bad_stack(struct pt_regs *regs);
> >  asmlinkage void do_page_fault(struct pt_regs *regs);
> > diff --git a/arch/riscv/include/asm/entry-common.h b/arch/riscv/include/asm/entry-common.h
> > index b28ccc6cdeea..34ed149af5d1 100644
> > --- a/arch/riscv/include/asm/entry-common.h
> > +++ b/arch/riscv/include/asm/entry-common.h
> > @@ -40,4 +40,6 @@ static inline int handle_misaligned_store(struct pt_regs *regs)
> >  }
> >  #endif
> >
> > +bool handle_user_cfi_violation(struct pt_regs *regs);
> > +
> >  #endif /* _ASM_RISCV_ENTRY_COMMON_H */
> > diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S
> > index 978115567bca..8d25837a9384 100644
> > --- a/arch/riscv/kernel/entry.S
> > +++ b/arch/riscv/kernel/entry.S
> > @@ -474,6 +474,9 @@ SYM_DATA_START_LOCAL(excp_vect_table)
> >  	RISCV_PTR do_page_fault   /* load page fault */
> >  	RISCV_PTR do_trap_unknown
> >  	RISCV_PTR do_page_fault   /* store page fault */
> > +	RISCV_PTR do_trap_unknown /* cause=16 */
> > +	RISCV_PTR do_trap_unknown /* cause=17 */
> > +	RISCV_PTR do_trap_software_check /* cause=18 is sw check exception */
> >  SYM_DATA_END_LABEL(excp_vect_table, SYM_L_LOCAL, excp_vect_table_end)
> >
> >  #ifndef CONFIG_MMU
> > diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
> > index 8ff8e8b36524..64388370e1ad 100644
> > --- a/arch/riscv/kernel/traps.c
> > +++ b/arch/riscv/kernel/traps.c
> > @@ -354,6 +354,57 @@ void do_trap_ecall_u(struct pt_regs *regs)
> >
> >  }
> >
> > +#define CFI_TVAL_FCFI_CODE 2
> > +#define CFI_TVAL_BCFI_CODE 3
> > +/* handle cfi violations */
> > +bool handle_user_cfi_violation(struct pt_regs *regs)
> > +{
> > +	unsigned long tval = csr_read(CSR_TVAL);
> > +	bool is_fcfi = (tval == CFI_TVAL_FCFI_CODE && cpu_supports_indirect_br_lp_instr());
> > +	bool is_bcfi = (tval == CFI_TVAL_BCFI_CODE && cpu_supports_shadow_stack());
> > +
> > +	/*
> > +	 * Handle uprobe event first. The probe point can be a valid target
> > +	 * of indirect jumps or calls, in this case, forward cfi violation
> > +	 * will be triggered instead of breakpoint exception.
> > +	 */
> > +	if (is_fcfi && probe_breakpoint_handler(regs))
> > +		return true;
>
> Hi Deepak,
> Sorry for missing something earlier. I think we would like to clear
> sstatus.SPELP in the uprobe handling case. For example:
>
> diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
> index c2ea999c1167..e8492bb57e09 100644
> --- a/arch/riscv/kernel/traps.c
> +++ b/arch/riscv/kernel/traps.c
> @@ -349,8 +349,10 @@ bool handle_user_cfi_violation(struct pt_regs *regs)
>  	bool is_fcfi = (tval == CFI_TVAL_FCFI_CODE && cpu_supports_indirect_br_lp_instr());
>  	bool is_bcfi = (tval == CFI_TVAL_BCFI_CODE && cpu_supports_shadow_stack());
>
> -	if (is_fcfi && probe_breakpoint_handler(regs))
> +	if (is_fcfi && probe_breakpoint_handler(regs)) {
> +		regs->status = regs->status & ~SR_ELP;
>  		return true;
> +	}
>
>  	if (is_fcfi || is_bcfi) {
>  		do_trap_error(regs, SIGSEGV, SEGV_CPERR, regs->epc,
>
>
> When a user mode CFI violation occurs, the ELP state should be 1, and
> the system traps into supervisor mode. During this trap, sstatus.SPELP
> is set to 1, and the ELP state is reset to 0. If we don’t clear
> sstatus.SPELP, the ELP state will become 1 again after executing the
> sret instruction. As a result, the system might trigger another
> forward CFI violation upon executing the next instruction in the user
> program, unless it happens to be a lpad instruction.
>
> The previous patch was tested on QEMU, but QEMU does not set the
> sstatus.SPELP bit to 1 when a forward CFI violation occurs. Therefore,
> I suspect that QEMU might also require some fixes.

Hi Deepak,

The issue with QEMU was that the sw-check exception bit in medeleg
couldn't be set. This has been fixed in the latest QEMU mainline. I
have re-tested the latest QEMU version, and it works.

>
> Thanks
>
> > +
> > +	if (is_fcfi || is_bcfi) {
> > +		do_trap_error(regs, SIGSEGV, SEGV_CPERR, regs->epc,
> > +			      "Oops - control flow violation");
> > +		return true;
> > +	}
> > +
> > +	return false;
> > +}
> > +
> > +/*
> > + * software check exception is defined with risc-v cfi spec. Software check
> > + * exception is raised when:-
> > + * a) An indirect branch doesn't land on 4 byte aligned PC or `lpad`
> > + *    instruction or `label` value programmed in `lpad` instr doesn't
> > + *    match with value setup in `x7`. reported code in `xtval` is 2.
> > + * b) `sspopchk` instruction finds a mismatch between top of shadow stack (ssp)
> > + *    and x1/x5. reported code in `xtval` is 3.
> > + */
> > +asmlinkage __visible __trap_section void do_trap_software_check(struct pt_regs *regs)
> > +{
> > +	if (user_mode(regs)) {
> > +		irqentry_enter_from_user_mode(regs);
> > +
> > +		/* not a cfi violation, then merge into flow of unknown trap handler */
> > +		if (!handle_user_cfi_violation(regs))
> > +			do_trap_unknown(regs);
> > +
> > +		irqentry_exit_to_user_mode(regs);
> > +	} else {
> > +		/* sw check exception coming from kernel is a bug in kernel */
> > +		die(regs, "Kernel BUG");
> > +	}
> > +}
> > +
> >  #ifdef CONFIG_MMU
> >  asmlinkage __visible noinstr void do_page_fault(struct pt_regs *regs)
> >  {
> >
> > --
> > 2.43.0
> >
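Review bot: in the traps.c hunk that adds do_trap_software_check(), the kernel-mode branch calls die(regs, "Kernel BUG") directly, whereas the user-mode branch brackets its work with irqentry_enter_from_user_mode()/irqentry_exit_to_user_mode(); it is worth checking against the neighbouring handlers in traps.c whether a software check raised in kernel mode should likewise be wrapped in the irqentry_nmi_enter()/irqentry_nmi_exit() pair before die() runs. A more specific message, for instance "Kernel BUG: software check exception", would also make the resulting oops attributable to this path rather than to any other die() call in the file.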
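Review bot: in the proposed handle_user_cfi_violation() hunk, the line "regs->status = regs->status & ~SR_ELP;" is the idiomatic "regs->status &= ~SR_ELP;", and it needs a one-line comment in the code: the reason for clearing SPELP on the uprobe path (sret restores ELP from sstatus.SPELP, so leaving it set re-raises a forward CFI violation on the next non-lpad user instruction) is only explained in the mail body, and a reader of traps.c alone will not see why the uprobe branch touches sstatus at all.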
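The following C program is an added illustration of the ELP/SPELP behaviour discussed in the exchange above; it is not code from the patch, from the kernel, or from either author. It models a toy hart with just four instructions, applies the landing-pad rule quoted in the thread (with ELP set, anything but lpad raises a software check exception with xtval=2; a trap copies ELP into sstatus.SPELP and clears ELP; sret restores ELP from SPELP), and steps through the uprobe-over-lpad case with and without the SPELP clear. The instruction set, the hart structure, and the assumption that execution resumes at the instruction after a serviced probe are simplifications made for this example; SEGV_CPERR is defined locally with the value from the uapi siginfo.h in case the host headers lack it.

```c
#include <stdbool.h>
#include <stdio.h>

#define CAUSE_BREAKPOINT    3   /* ebreak */
#define CAUSE_SW_CHECK     18   /* software check exception */
#define CFI_TVAL_FCFI_CODE  2   /* xtval code for a landing pad violation */
#ifndef SEGV_CPERR
#define SEGV_CPERR         10   /* control protection fault, value from uapi siginfo.h */
#endif

/* Toy instruction set: just enough to exercise the landing-pad rule. */
enum op { OP_JALR, OP_LPAD, OP_EBREAK, OP_ADD, OP_END };

struct hart {
	bool elp;            /* ELP: a landing pad is expected at the next instruction */
	bool spelp;          /* sstatus.SPELP: ELP saved when trapping into S-mode */
	size_t pc;           /* index into the program array */
	unsigned long tval;
	int segv_code;       /* si_code the kernel model delivered with SIGSEGV, 0 if none */
	int sw_checks;       /* software check exceptions raised so far */
};

/* Hardware side: execute program[pc]; return the trap cause, or 0 if none. */
static int user_step(struct hart *h, const enum op *program)
{
	enum op op = program[h->pc];

	/* Zicfilp: with ELP set, anything but lpad raises a software check
	 * exception (tval=2) before the instruction executes, so a uprobe
	 * ebreak placed over an lpad reports cause 18, not cause 3. */
	if (h->elp && op != OP_LPAD) {
		h->tval = CFI_TVAL_FCFI_CODE;
		h->sw_checks++;
		return CAUSE_SW_CHECK;
	}
	switch (op) {
	case OP_JALR:   h->elp = true;  h->pc++; break; /* indirect call: lpad expected next */
	case OP_LPAD:   h->elp = false; h->pc++; break; /* landing pad satisfies ELP */
	case OP_EBREAK: return CAUSE_BREAKPOINT;
	default:        h->pc++; break;
	}
	return 0;
}

/* Trap into S-mode: SPELP <- ELP, ELP <- 0.  sret: ELP <- SPELP. */
static void trap_enter(struct hart *h)  { h->spelp = h->elp; h->elp = false; }
static void trap_return(struct hart *h) { h->elp = h->spelp; h->spelp = false; }

/* Kernel side, modelled on handle_user_cfi_violation() from the patch.
 * clear_spelp selects whether the uprobe path also clears sstatus.SPELP,
 * i.e. the regs->status &= ~SR_ELP proposed in the reply. */
static void handle_sw_check(struct hart *h, const enum op *program, bool clear_spelp)
{
	bool is_fcfi = (h->tval == CFI_TVAL_FCFI_CODE);
	bool is_probe = (program[h->pc] == OP_EBREAK); /* probe_breakpoint_handler() stand-in */

	if (is_fcfi && is_probe) {
		h->pc++; /* model assumption: resume after the probed lpad once serviced */
		if (clear_spelp)
			h->spelp = false;
		return;
	}
	if (is_fcfi)
		h->segv_code = SEGV_CPERR; /* genuine forward cfi violation */
}

/* Run a program until OP_END or until SIGSEGV would be delivered. */
static struct hart run(const enum op *program, bool clear_spelp)
{
	struct hart h = {0};

	while (program[h.pc] != OP_END && h.segv_code == 0) {
		int cause = user_step(&h, program);
		if (cause == 0)
			continue;
		trap_enter(&h);
		if (cause == CAUSE_SW_CHECK)
			handle_sw_check(&h, program, clear_spelp);
		else
			h.pc++; /* ordinary breakpoint: step past the probe */
		trap_return(&h);
	}
	return h;
}

/* Constructed sample programs: an indirect call followed by its target. */
static const enum op prog_ok[]     = { OP_JALR, OP_LPAD,   OP_ADD, OP_END };
static const enum op prog_probed[] = { OP_JALR, OP_EBREAK, OP_ADD, OP_END }; /* uprobe over lpad */
static const enum op prog_bad[]    = { OP_JALR, OP_ADD,    OP_END };         /* no landing pad */

int sw_checks_for(const enum op *program, bool clear_spelp) { return run(program, clear_spelp).sw_checks; }
int segv_code_for(const enum op *program, bool clear_spelp) { return run(program, clear_spelp).segv_code; }

int main(void)
{
	printf("probed lpad, SPELP kept:    %d sw checks, si_code %d\n",
	       sw_checks_for(prog_probed, false), segv_code_for(prog_probed, false));
	printf("probed lpad, SPELP cleared: %d sw checks, si_code %d\n",
	       sw_checks_for(prog_probed, true), segv_code_for(prog_probed, true));
	return 0;
}
```

With the clear omitted, the probed program takes two software check exceptions and the second one is reported as a SIGSEGV with si_code SEGV_CPERR at the add instruction, which is the spurious violation the reply describes; with the clear applied it takes exactly one, the probe is serviced, and the program runs to completion. A program with no landing pad at all still gets SEGV_CPERR either way, so the clear does not weaken the check itself.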