Linux Perf Users
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Linus Walleij" <linusw@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v4] ARM: breakpoint: CFI breakpoints only on demand
Date: Fri, 03 Jul 2026 12:48:21 +0000	[thread overview]
Message-ID: <20260703124822.130081F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260703-arm32-cfi-bug-v4-1-c26acb640a8f@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The CFI breakpoint handler incorrectly assumes the BKPT instruction is always 4 bytes long, which corrupts the instruction pointer in Thumb-2 mode.
--

commit 8a3d2d7e6aa4575ee54af7475a100d8d6db4f18a
Author: Linus Walleij <linusw@kernel.org>

ARM: breakpoint: CFI breakpoints only on demand
    
This removes the stub hw_breakpoint_cfi_handler() from ARM, making
it not steal breakpoint type 0x03 unless CFI is actively used in
the kernel. It falls through to return unhandled fault for userspace
breakpoints.

Closes: https://lore.kernel.org/lkml/kJqktbpLphg_Pk5I5SPptgTLjl3E3eq5mN5UzCslyFj7Q1Irp-wDid4mj5eQVd2iZtRGXgeZd8goq195EkXdjyt864YMc8mVb2B9NGH91NQ=@protonmail.com/

> diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
> index cd4b34c96e35e..38feb30dfb5f8 100644
> --- a/arch/arm/kernel/hw_breakpoint.c
> +++ b/arch/arm/kernel/hw_breakpoint.c
> @@ -929,10 +929,6 @@ static void hw_breakpoint_cfi_handler(struct pt_regs *regs)
>  		break;
>  	}
>  }

[Severity: High]
This is a pre-existing issue, but I noticed a potential problem in
hw_breakpoint_cfi_handler() right above this diff.

When a CFI failure triggers a warning (such as when CONFIG_CFI_PERMISSIVE is
enabled), the handler attempts to skip the breaking instruction:

arch/arm/kernel/hw_breakpoint.c:hw_breakpoint_cfi_handler() {
    ...
	case BUG_TRAP_TYPE_WARN:
		/* Skip the breaking instruction */
		instruction_pointer(regs) += 4;
		break;
    ...
}

Does this incorrectly assume the BKPT instruction is always 4 bytes long?

In Thumb-2 mode, BKPT is a 16-bit (2-byte) instruction. If the instruction
pointer is advanced by 4 bytes, wouldn't it skip the intended instruction
and an additional 2 bytes of the following instruction, potentially corrupting
the execution stream and leading to an Oops?

[ ... ]

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260703-arm32-cfi-bug-v4-1-c26acb640a8f@kernel.org?part=1

      reply	other threads:[~2026-07-03 12:48 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-03 12:25 [PATCH v4] ARM: breakpoint: CFI breakpoints only on demand Linus Walleij
2026-07-03 12:48 ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260703124822.130081F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=linusw@kernel.org \
    --cc=linux-perf-users@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox