From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-io1-f42.google.com (mail-io1-f42.google.com [209.85.166.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6229EBA36 for ; Fri, 20 Jun 2025 02:16:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.166.42 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750385788; cv=none; b=SjuP8ikKxZ8ZX+0w41jYidvCL/REI0vVCGm6c4rfdud77PbTQ35c+ALRvPmy+gaEMvCttDDv6RE3eGLZdFKkPWS4CGFayYIw2dLkGkeMkROpB9SdKTrytSXB6agPP3gBwJPhjFE0UfLkQ5qQCzSLhUjzveDeg8r8yPL77XXqe/s= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750385788; c=relaxed/simple; bh=g5OW8tuvyxUA+t6pLcKEEoc1EraU6/LLk2G3G1r0G+8=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=l3LuBuo5cwT1Tc9NQ3bl3MFUsWiCxtinrerXIgTc4VGbDuB+CO72mfQwMmMBsiMn+KYneWz25GQpzOL3jiF+Bn3YNYjDKnLA9DnhWStBhSxuv1KDpszUFaXdx/iZnb05KEbLYNycyVFI31irkNqta6evzKUmhEjJxxOtkJKR/ZE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=sifive.com; spf=pass smtp.mailfrom=sifive.com; dkim=pass (2048-bit key) header.d=sifive.com header.i=@sifive.com header.b=XplCFzea; arc=none smtp.client-ip=209.85.166.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=sifive.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=sifive.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=sifive.com header.i=@sifive.com header.b="XplCFzea" Received: by mail-io1-f42.google.com with SMTP id ca18e2360f4ac-86a464849c2so45823439f.1 for ; Thu, 19 Jun 2025 19:16:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sifive.com; s=google; t=1750385784; x=1750990584; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=x6VzlhRVh//x5/bp+2ihBVL31M01Rg7PAdE9X0/n0so=; b=XplCFzeaT0UI3xYRmaARyqEdD97XMne1e3DHmUxq4ajv1NXr3mZN6+HpBn8+p4y2vC ZIffVKiUiG6KqmOdRuglV8AMpVVmK4nQTkuQSjZlY1bJ3tlTIJtJsnRVEpwYPO8bF9ZX giodreBA5Y6kd9L+peqjqAaxHRKKBPHIrTMEqj5/1zVehCA4H5ioBfnGCDoUjl1btvGI JJSJ5VgF+p49cEhlNOYrOoebp+TLtvBmv8rMIAvDfPLEKH8iJ4gBUk+BkE/JCwXSq42/ t/oyEI5d6twFBpd+vHXXEusMArMv3k+DWtDse9duVqJ/nAclXbHwBvjmkeTMQd910xpN opeQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1750385784; x=1750990584; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=x6VzlhRVh//x5/bp+2ihBVL31M01Rg7PAdE9X0/n0so=; b=BAOsGimAl82RpVe8NuO76dhtTQgsN5ewbT4BPs+HTOYs+xUdTHvIYf+Wr4K6H0+Y+4 QSaCu5kB9VBmxSvmJzVQYCiVVaD2j4NVfXaiJYYRIuG/n+Gw4ek4dorzXt6Msnv8IYyt fWCB0m/Nin7inIw5Duu9oY0GD6eY4Q7szzSsrP5xxBKXMJJ0pYbumlFpKGDgV/AV/Osj 0R+HMuivLSkHrQoGZS3puhOLPOEWwXmj8yLr7HcaGoP7a5xVYxoDWbMnSj47im3+LSVO NyBoQk06mZqiW/E25t3IayRktZ4vka9W2g4v5nPAa6flcBaunPNqHVIibSCrWtd3zJa0 MIaQ== X-Forwarded-Encrypted: i=1; AJvYcCX84d72PZdiFeBjvxUTCHfL5x3TH+ndfqXsKvkRtH2ojkploPSVIgLkYXuGocLUSc4879sXYlksQBhRZfBBxw==@vger.kernel.org X-Gm-Message-State: AOJu0YzUih4hZ0rE/A6FE/LAoqg7EOdZJBYuiBVUjxQTu2lAw9SlUgVN y5WrV+PoIJH2cVo34OSNyncazusqsuwufA2ExrY2y531Ix3FafAYBgsZGLond/M4dSaj/bkJVaA lgsX7ZY9uSVh9kCxmqcuNsppTBzLCZaRvyrUiWzSnhg== X-Gm-Gg: ASbGncuXUPyCTVFpQaCZsdKk6SgTOIukg2ynodmYeoFxv1NHoHemFxykKIrDbWlRicg YZ/5QKIiUwpBH5Ly2L+Ubs08unMzBEvTDUL6u3e6klTFAViqERWfnoOJ+OGAb0YJJa6Q3WHrCLO GEcnylOBG5ejGy71SNl1wCOk66sUyNrT61yg4hTr0PGTfAlQ== X-Google-Smtp-Source: AGHT+IFMb9mI6JMrDwTDWGg+EBY6yLgAqHEKa1UTY7olo+luMJ+3DWC5EwQujeTUmlUkh6NOSS/MWljD6rFkZYVc5ek= X-Received: by 2002:a05:6602:8303:b0:867:15a5:d16 with SMTP id ca18e2360f4ac-8762e7372bemr28998539f.8.1750385784285; Thu, 19 Jun 2025 19:16:24 -0700 (PDT) Precedence: bulk X-Mailing-List: rust-for-linux@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20250604-v5_user_cfi_series-v17-0-4565c2cf869f@rivosinc.com> <20250604-v5_user_cfi_series-v17-15-4565c2cf869f@rivosinc.com> In-Reply-To: From: Zong Li Date: Fri, 20 Jun 2025 10:16:12 +0800 X-Gm-Features: AX0GCFudFSxSRELkYOW_7RRTcSiKTWMBH5CUlpZzl260C95QwRIsmCDm3_hQ72g Message-ID: Subject: Re: [PATCH v17 15/27] riscv/traps: Introduce software check exception and uprobe handling To: Deepak Gupta Cc: Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Andrew Morton , "Liam R. Howlett" , Vlastimil Babka , Lorenzo Stoakes , Paul Walmsley , Palmer Dabbelt , Albert Ou , Conor Dooley , Rob Herring , Krzysztof Kozlowski , Arnd Bergmann , Christian Brauner , Peter Zijlstra , Oleg Nesterov , Eric Biederman , Kees Cook , Jonathan Corbet , Shuah Khan , Jann Horn , Conor Dooley , Miguel Ojeda , Alex Gaynor , Boqun Feng , Gary Guo , =?UTF-8?Q?Bj=C3=B6rn_Roy_Baron?= , Benno Lossin , Andreas Hindborg , Alice Ryhl , Trevor Gross , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-riscv@lists.infradead.org, devicetree@vger.kernel.org, linux-arch@vger.kernel.org, linux-doc@vger.kernel.org, linux-kselftest@vger.kernel.org, alistair.francis@wdc.com, richard.henderson@linaro.org, jim.shu@sifive.com, andybnac@gmail.com, kito.cheng@sifive.com, charlie@rivosinc.com, atishp@rivosinc.com, evan@rivosinc.com, cleger@rivosinc.com, alexghiti@rivosinc.com, samitolvanen@google.com, broonie@kernel.org, rick.p.edgecombe@intel.com, rust-for-linux@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Mon, Jun 16, 2025 at 3:31=E2=80=AFPM Zong Li wrote: > > On Thu, Jun 5, 2025 at 1:17=E2=80=AFAM Deepak Gupta = wrote: > > > > zicfiss / zicfilp introduces a new exception to priv isa `software chec= k > > exception` with cause code =3D 18. This patch implements software check > > exception. > > > > Additionally it implements a cfi violation handler which checks for cod= e > > in xtval. If xtval=3D2, it means that sw check exception happened becau= se of > > an indirect branch not landing on 4 byte aligned PC or not landing on > > `lpad` instruction or label value embedded in `lpad` not matching label > > value setup in `x7`. If xtval=3D3, it means that sw check exception hap= pened > > because of mismatch between link register (x1 or x5) and top of shadow > > stack (on execution of `sspopchk`). > > > > In case of cfi violation, SIGSEGV is raised with code=3DSEGV_CPERR. > > SEGV_CPERR was introduced by x86 shadow stack patches. > > > > To keep uprobes working, handle the uprobe event first before reporting > > the CFI violation in software-check exception handler. Because when the > > landing pad is activated, if the uprobe point is set at the lpad > > instruction at the beginning of a function, the system triggers a softw= are > > -check exception instead of an ebreak exception due to the exception > > priority, then uprobe can't work successfully. > > > > Co-developed-by: Zong Li > > Reviewed-by: Zong Li > > Signed-off-by: Zong Li > > Signed-off-by: Deepak Gupta > > --- > > arch/riscv/include/asm/asm-prototypes.h | 1 + > > arch/riscv/include/asm/entry-common.h | 2 ++ > > arch/riscv/kernel/entry.S | 3 ++ > > arch/riscv/kernel/traps.c | 51 +++++++++++++++++++++++++= ++++++++ > > 4 files changed, 57 insertions(+) > > > > diff --git a/arch/riscv/include/asm/asm-prototypes.h b/arch/riscv/inclu= de/asm/asm-prototypes.h > > index cd627ec289f1..5a27cefd7805 100644 > > --- a/arch/riscv/include/asm/asm-prototypes.h > > +++ b/arch/riscv/include/asm/asm-prototypes.h > > @@ -51,6 +51,7 @@ DECLARE_DO_ERROR_INFO(do_trap_ecall_u); > > DECLARE_DO_ERROR_INFO(do_trap_ecall_s); > > DECLARE_DO_ERROR_INFO(do_trap_ecall_m); > > DECLARE_DO_ERROR_INFO(do_trap_break); > > +DECLARE_DO_ERROR_INFO(do_trap_software_check); > > > > asmlinkage void handle_bad_stack(struct pt_regs *regs); > > asmlinkage void do_page_fault(struct pt_regs *regs); > > diff --git a/arch/riscv/include/asm/entry-common.h b/arch/riscv/include= /asm/entry-common.h > > index b28ccc6cdeea..34ed149af5d1 100644 > > --- a/arch/riscv/include/asm/entry-common.h > > +++ b/arch/riscv/include/asm/entry-common.h > > @@ -40,4 +40,6 @@ static inline int handle_misaligned_store(struct pt_r= egs *regs) > > } > > #endif > > > > +bool handle_user_cfi_violation(struct pt_regs *regs); > > + > > #endif /* _ASM_RISCV_ENTRY_COMMON_H */ > > diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S > > index 978115567bca..8d25837a9384 100644 > > --- a/arch/riscv/kernel/entry.S > > +++ b/arch/riscv/kernel/entry.S > > @@ -474,6 +474,9 @@ SYM_DATA_START_LOCAL(excp_vect_table) > > RISCV_PTR do_page_fault /* load page fault */ > > RISCV_PTR do_trap_unknown > > RISCV_PTR do_page_fault /* store page fault */ > > + RISCV_PTR do_trap_unknown /* cause=3D16 */ > > + RISCV_PTR do_trap_unknown /* cause=3D17 */ > > + RISCV_PTR do_trap_software_check /* cause=3D18 is sw check exce= ption */ > > SYM_DATA_END_LABEL(excp_vect_table, SYM_L_LOCAL, excp_vect_table_end) > > > > #ifndef CONFIG_MMU > > diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c > > index 8ff8e8b36524..64388370e1ad 100644 > > --- a/arch/riscv/kernel/traps.c > > +++ b/arch/riscv/kernel/traps.c > > @@ -354,6 +354,57 @@ void do_trap_ecall_u(struct pt_regs *regs) > > > > } > > > > +#define CFI_TVAL_FCFI_CODE 2 > > +#define CFI_TVAL_BCFI_CODE 3 > > +/* handle cfi violations */ > > +bool handle_user_cfi_violation(struct pt_regs *regs) > > +{ > > + unsigned long tval =3D csr_read(CSR_TVAL); > > + bool is_fcfi =3D (tval =3D=3D CFI_TVAL_FCFI_CODE && cpu_support= s_indirect_br_lp_instr()); > > + bool is_bcfi =3D (tval =3D=3D CFI_TVAL_BCFI_CODE && cpu_support= s_shadow_stack()); > > + > > + /* > > + * Handle uprobe event first. The probe point can be a valid ta= rget > > + * of indirect jumps or calls, in this case, forward cfi violat= ion > > + * will be triggered instead of breakpoint exception. > > + */ > > + if (is_fcfi && probe_breakpoint_handler(regs)) > > + return true; > > Hi Deepak, > Sorry for missing something earlier. I think we would like to clear > sstatus.SPELP in the uprobe handling case. For example: > > diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c > index c2ea999c1167..e8492bb57e09 100644 > --- a/arch/riscv/kernel/traps.c > +++ b/arch/riscv/kernel/traps.c > @@ -349,8 +349,10 @@ bool handle_user_cfi_violation(struct pt_regs *regs) > bool is_fcfi =3D (tval =3D=3D CFI_TVAL_FCFI_CODE && > cpu_supports_indirect_br_lp_instr()); > bool is_bcfi =3D (tval =3D=3D CFI_TVAL_BCFI_CODE && > cpu_supports_shadow_stack()); > > - if (is_fcfi && probe_breakpoint_handler(regs)) > + if (is_fcfi && probe_breakpoint_handler(regs)) { > + regs->status =3D regs->status & ~SR_ELP; > return true; > + } > > if (is_fcfi || is_bcfi) { > do_trap_error(regs, SIGSEGV, SEGV_CPERR, regs->epc, > > > When a user mode CFI violation occurs, the ELP state should be 1, and > the system traps into supervisor mode. During this trap, sstatus.SPELP > is set to 1, and the ELP state is reset to 0. If we don=E2=80=99t clear > sstatus.SPELP, the ELP state will become 1 again after executing the > sret instruction. As a result, the system might trigger another > forward CFI violation upon executing the next instruction in the user > program, unless it happens to be a lpad instruction. > > The previous patch was tested on QEMU, but QEMU does not set the > sstatus.SPELP bit to 1 when a forward CFI violation occurs. Therefore, > I suspect that QEMU might also require some fixes. Hi Deepak, The issue with QEMU was that the sw-check exception bit in medeleg couldn't be set. This has been fixed in the latest QEMU mainline. I have re-tested the latest QEMU version, and it works. > > Thanks > > > + > > + if (is_fcfi || is_bcfi) { > > + do_trap_error(regs, SIGSEGV, SEGV_CPERR, regs->epc, > > + "Oops - control flow violation"); > > + return true; > > + } > > + > > + return false; > > +} > > + > > +/* > > + * software check exception is defined with risc-v cfi spec. Software = check > > + * exception is raised when:- > > + * a) An indirect branch doesn't land on 4 byte aligned PC or `lpad` > > + * instruction or `label` value programmed in `lpad` instr doesn't > > + * match with value setup in `x7`. reported code in `xtval` is 2. > > + * b) `sspopchk` instruction finds a mismatch between top of shadow st= ack (ssp) > > + * and x1/x5. reported code in `xtval` is 3. > > + */ > > +asmlinkage __visible __trap_section void do_trap_software_check(struct= pt_regs *regs) > > +{ > > + if (user_mode(regs)) { > > + irqentry_enter_from_user_mode(regs); > > + > > + /* not a cfi violation, then merge into flow of unknown= trap handler */ > > + if (!handle_user_cfi_violation(regs)) > > + do_trap_unknown(regs); > > + > > + irqentry_exit_to_user_mode(regs); > > + } else { > > + /* sw check exception coming from kernel is a bug in ke= rnel */ > > + die(regs, "Kernel BUG"); > > + } > > +} > > + > > #ifdef CONFIG_MMU > > asmlinkage __visible noinstr void do_page_fault(struct pt_regs *regs) > > { > > > > -- > > 2.43.0 > >