From: Lukas Gerlach <lukas.gerlach@cispa.de>
To: <linux-riscv@lists.infradead.org>
Cc: <palmer@dabbelt.com>, <pjw@kernel.org>, <aou@eecs.berkeley.edu>,
<alex@ghiti.fr>, <linux-kernel@vger.kernel.org>,
<daniel.weber@cispa.de>, <michael.schwarz@cispa.de>,
<marton.bognar@kuleuven.be>, <jo.vanbulck@kuleuven.be>,
Lukas Gerlach <lukas.gerlach@cispa.de>
Subject: [PATCH 0/2] riscv: Add Spectre v1 mitigations
Date: Thu, 18 Dec 2025 20:13:30 +0100 [thread overview]
Message-ID: <20251218191332.35849-1-lukas.gerlach@cispa.de> (raw)
This series adds Spectre v1 to RISC-V in line with x86 and arm64.
Modern RISC-V CPUs with deep pipelines (e.g., XuanTie C910, SiFive P550)
are susceptible to Spectre v1 attacks where an attacker can speculatively
bypass bounds checks and leak kernel memory via cache side channels.
The first patch adds pointer masking to uaccess routines. Similar to
arm64's uaccess_mask_ptr(), this clears the top bit of user pointers
before access, ensuring that even under speculation, a user-controlled
pointer cannot reach kernel memory.
The second patch sanitizes the syscall number using array_index_nospec()
before indexing into the syscall table, preventing out-of-bounds
speculative reads similar to what x86 does.
Lukas Gerlach (2):
riscv: Use pointer masking to limit uaccess speculation
riscv: Sanitize syscall table indexing under speculation
arch/riscv/include/asm/uaccess.h | 41 +++++++++++++++++++++++++-------
arch/riscv/kernel/traps.c | 4 +++-
2 files changed, 35 insertions(+), 10 deletions(-)
--
2.51.0
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next reply other threads:[~2025-12-18 19:14 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-18 19:13 Lukas Gerlach [this message]
2025-12-18 19:13 ` [PATCH 1/2] riscv: Use pointer masking to limit uaccess speculation Lukas Gerlach
2025-12-20 0:44 ` Deepak Gupta
2025-12-27 12:57 ` Lukas Gerlach
2025-12-28 0:41 ` Deepak Gupta
2025-12-27 21:28 ` David Laight
2025-12-28 1:59 ` Deepak Gupta
2025-12-28 22:34 ` David Laight
2025-12-29 12:32 ` David Laight
2025-12-31 3:47 ` Vivian Wang
2025-12-31 10:35 ` David Laight
2025-12-18 19:13 ` [PATCH 2/2] riscv: Sanitize syscall table indexing under speculation Lukas Gerlach
2025-12-31 3:01 ` Paul Walmsley
2025-12-31 3:31 ` [PATCH 0/2] riscv: Add Spectre v1 mitigations patchwork-bot+linux-riscv
2026-01-05 23:17 ` Paul Walmsley
2026-01-06 10:30 ` [PATCH 1/2] riscv: Use pointer masking to limit uaccess speculation Lukas Gerlach
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251218191332.35849-1-lukas.gerlach@cispa.de \
--to=lukas.gerlach@cispa.de \
--cc=alex@ghiti.fr \
--cc=aou@eecs.berkeley.edu \
--cc=daniel.weber@cispa.de \
--cc=jo.vanbulck@kuleuven.be \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=marton.bognar@kuleuven.be \
--cc=michael.schwarz@cispa.de \
--cc=palmer@dabbelt.com \
--cc=pjw@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox