From: Deepak Gupta
Date: Fri, 20 Jun 2025 10:33:05 -0700
Subject: Re: [PATCH v17 15/27] riscv/traps: Introduce software check exception and uprobe handling
To: Zong Li
Cc: Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Andrew Morton, "Liam R. Howlett", Vlastimil Babka, Lorenzo Stoakes, Paul Walmsley, Palmer Dabbelt, Albert Ou, Conor Dooley, Rob Herring, Krzysztof Kozlowski, Arnd Bergmann, Christian Brauner, Peter Zijlstra, Oleg Nesterov, Eric Biederman, Kees Cook, Jonathan Corbet, Shuah Khan, Jann Horn, Conor Dooley, Miguel Ojeda, Alex Gaynor, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Alice Ryhl, Trevor Gross, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-riscv@lists.infradead.org, devicetree@vger.kernel.org, linux-arch@vger.kernel.org, linux-doc@vger.kernel.org, linux-kselftest@vger.kernel.org, alistair.francis@wdc.com, richard.henderson@linaro.org, jim.shu@sifive.com, andybnac@gmail.com, kito.cheng@sifive.com, charlie@rivosinc.com, atishp@rivosinc.com, evan@rivosinc.com, cleger@rivosinc.com, alexghiti@rivosinc.com, samitolvanen@google.com, broonie@kernel.org, rick.p.edgecombe@intel.com, rust-for-linux@vger.kernel.org
References: <20250604-v5_user_cfi_series-v17-0-4565c2cf869f@rivosinc.com> <20250604-v5_user_cfi_series-v17-15-4565c2cf869f@rivosinc.com>
On Thu, Jun 19, 2025 at 7:16 PM Zong Li wrote:
>
> On Mon, Jun 16, 2025 at 3:31 PM Zong Li wrote:
> >
> > On Thu, Jun 5, 2025 at 1:17 AM Deepak Gupta wrote:
> > >
> > > zicfiss / zicfilp introduces a new exception to priv isa `software check
> > > exception` with cause code = 18. This patch implements software check
> > > exception.
> > >
> > > Additionally it implements a cfi violation handler which checks for code
> > > in xtval. If xtval=2, it means that sw check exception happened because of
> > > an indirect branch not landing on 4 byte aligned PC or not landing on
> > > `lpad` instruction or label value embedded in `lpad` not matching label
> > > value setup in `x7`. If xtval=3, it means that sw check exception happened
> > > because of mismatch between link register (x1 or x5) and top of shadow
> > > stack (on execution of `sspopchk`).
> > >
> > > In case of cfi violation, SIGSEGV is raised with code=SEGV_CPERR.
> > > SEGV_CPERR was introduced by x86 shadow stack patches.
> > >
> > > To keep uprobes working, handle the uprobe event first before reporting
> > > the CFI violation in software-check exception handler. Because when the
> > > landing pad is activated, if the uprobe point is set at the lpad
> > > instruction at the beginning of a function, the system triggers a software
> > > -check exception instead of an ebreak exception due to the exception
> > > priority, then uprobe can't work successfully.
> > >
> > > Co-developed-by: Zong Li
> > > Reviewed-by: Zong Li
> > > Signed-off-by: Zong Li
> > > Signed-off-by: Deepak Gupta
> > > ---
> > >  arch/riscv/include/asm/asm-prototypes.h |  1 +
> > >  arch/riscv/include/asm/entry-common.h   |  2 ++
> > >  arch/riscv/kernel/entry.S               |  3 ++
> > >  arch/riscv/kernel/traps.c               | 51 +++++++++++++++++++++++++++++++++
> > >  4 files changed, 57 insertions(+)
> > >
> > > diff --git a/arch/riscv/include/asm/asm-prototypes.h b/arch/riscv/include/asm/asm-prototypes.h
> > > index cd627ec289f1..5a27cefd7805 100644
> > > --- a/arch/riscv/include/asm/asm-prototypes.h
> > > +++ b/arch/riscv/include/asm/asm-prototypes.h
> > > @@ -51,6 +51,7 @@ DECLARE_DO_ERROR_INFO(do_trap_ecall_u);
> > >  DECLARE_DO_ERROR_INFO(do_trap_ecall_s);
> > >  DECLARE_DO_ERROR_INFO(do_trap_ecall_m);
> > >  DECLARE_DO_ERROR_INFO(do_trap_break);
> > > +DECLARE_DO_ERROR_INFO(do_trap_software_check);
> > >
> > >  asmlinkage void handle_bad_stack(struct pt_regs *regs);
> > >  asmlinkage void do_page_fault(struct pt_regs *regs);
> > > diff --git a/arch/riscv/include/asm/entry-common.h b/arch/riscv/include/asm/entry-common.h
> > > index b28ccc6cdeea..34ed149af5d1 100644
> > > --- a/arch/riscv/include/asm/entry-common.h
> > > +++ b/arch/riscv/include/asm/entry-common.h
> > > @@ -40,4 +40,6 @@ static inline int handle_misaligned_store(struct pt_regs *regs)
> > >  }
> > >  #endif
> > >
> > > +bool handle_user_cfi_violation(struct pt_regs *regs);
> > > +
> > >  #endif /* _ASM_RISCV_ENTRY_COMMON_H */
> > > diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S
> > > index 978115567bca..8d25837a9384 100644
> > > --- a/arch/riscv/kernel/entry.S
> > > +++ b/arch/riscv/kernel/entry.S
> > > @@ -474,6 +474,9 @@ SYM_DATA_START_LOCAL(excp_vect_table)
> > >  	RISCV_PTR do_page_fault   /* load page fault */
> > >  	RISCV_PTR do_trap_unknown
> > >  	RISCV_PTR do_page_fault   /* store page fault */
> > > +	RISCV_PTR do_trap_unknown /* cause=16 */
> > > +	RISCV_PTR do_trap_unknown /* cause=17 */
> > > +	RISCV_PTR do_trap_software_check /* cause=18 is sw check exception */
> > >  SYM_DATA_END_LABEL(excp_vect_table, SYM_L_LOCAL, excp_vect_table_end)
> > >
> > >  #ifndef CONFIG_MMU
> > > diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
> > > index 8ff8e8b36524..64388370e1ad 100644
> > > --- a/arch/riscv/kernel/traps.c
> > > +++ b/arch/riscv/kernel/traps.c
> > > @@ -354,6 +354,57 @@ void do_trap_ecall_u(struct pt_regs *regs)
> > >
> > >  }
> > >
> > > +#define CFI_TVAL_FCFI_CODE	2
> > > +#define CFI_TVAL_BCFI_CODE	3
> > > +/* handle cfi violations */
> > > +bool handle_user_cfi_violation(struct pt_regs *regs)
> > > +{
> > > +	unsigned long tval = csr_read(CSR_TVAL);
> > > +	bool is_fcfi = (tval == CFI_TVAL_FCFI_CODE && cpu_supports_indirect_br_lp_instr());
> > > +	bool is_bcfi = (tval == CFI_TVAL_BCFI_CODE && cpu_supports_shadow_stack());
> > > +
> > > +	/*
> > > +	 * Handle uprobe event first. The probe point can be a valid target
> > > +	 * of indirect jumps or calls, in this case, forward cfi violation
> > > +	 * will be triggered instead of breakpoint exception.
> > > +	 */
> > > +	if (is_fcfi && probe_breakpoint_handler(regs))
> > > +		return true;
> >
> > Hi Deepak,
> > Sorry for missing something earlier. I think we would like to clear
> > sstatus.SPELP in the uprobe handling case. For example:
> >
> > diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
> > index c2ea999c1167..e8492bb57e09 100644
> > --- a/arch/riscv/kernel/traps.c
> > +++ b/arch/riscv/kernel/traps.c
> > @@ -349,8 +349,10 @@ bool handle_user_cfi_violation(struct pt_regs *regs)
> >         bool is_fcfi = (tval == CFI_TVAL_FCFI_CODE &&
> >         cpu_supports_indirect_br_lp_instr());
> >         bool is_bcfi = (tval == CFI_TVAL_BCFI_CODE &&
> >         cpu_supports_shadow_stack());
> >
> > -       if (is_fcfi && probe_breakpoint_handler(regs))
> > +       if (is_fcfi && probe_breakpoint_handler(regs)) {
> > +               regs->status = regs->status & ~SR_ELP;
> >                 return true;
> > +       }

Makes sense. I'll pick it up in the next version. Thanks.

> >
> >         if (is_fcfi || is_bcfi) {
> >                 do_trap_error(regs, SIGSEGV, SEGV_CPERR, regs->epc,
> >
> >
> > When a user mode CFI violation occurs, the ELP state should be 1, and
> > the system traps into supervisor mode. During this trap, sstatus.SPELP
> > is set to 1, and the ELP state is reset to 0. If we don't clear
> > sstatus.SPELP, the ELP state will become 1 again after executing the
> > sret instruction. As a result, the system might trigger another
> > forward CFI violation upon executing the next instruction in the user
> > program, unless it happens to be a lpad instruction.
> >
> > The previous patch was tested on QEMU, but QEMU does not set the
> > sstatus.SPELP bit to 1 when a forward CFI violation occurs. Therefore,
> > I suspect that QEMU might also require some fixes.
>
> Hi Deepak,
> The issue with QEMU was that the sw-check exception bit in medeleg
> couldn't be set. This has been fixed in the latest QEMU mainline. I
> have re-tested the latest QEMU version, and it works.

Thanks for the fix.

> >
> > Thanks
> >
> > > +
> > > +	if (is_fcfi || is_bcfi) {
> > > +		do_trap_error(regs, SIGSEGV, SEGV_CPERR, regs->epc,
> > > +			      "Oops - control flow violation");
> > > +		return true;
> > > +	}
> > > +
> > > +	return false;
> > > +}
> > > +
> > > +/*
> > > + * software check exception is defined with risc-v cfi spec. Software check
> > > + * exception is raised when:-
> > > + * a) An indirect branch doesn't land on 4 byte aligned PC or `lpad`
> > > + *    instruction or `label` value programmed in `lpad` instr doesn't
> > > + *    match with value setup in `x7`. reported code in `xtval` is 2.
> > > + * b) `sspopchk` instruction finds a mismatch between top of shadow stack (ssp)
> > > + *    and x1/x5. reported code in `xtval` is 3.
> > > + */
> > > +asmlinkage __visible __trap_section void do_trap_software_check(struct pt_regs *regs)
> > > +{
> > > +	if (user_mode(regs)) {
> > > +		irqentry_enter_from_user_mode(regs);
> > > +
> > > +		/* not a cfi violation, then merge into flow of unknown trap handler */
> > > +		if (!handle_user_cfi_violation(regs))
> > > +			do_trap_unknown(regs);
> > > +
> > > +		irqentry_exit_to_user_mode(regs);
> > > +	} else {
> > > +		/* sw check exception coming from kernel is a bug in kernel */
> > > +		die(regs, "Kernel BUG");
> > > +	}
> > > +}
> > > +
> > >  #ifdef CONFIG_MMU
> > >  asmlinkage __visible noinstr void do_page_fault(struct pt_regs *regs)
> > >  {
> > >
> > > --
> > > 2.43.0
> > >
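Review bot: in the entry.S hunk, the two filler entries `RISCV_PTR do_trap_unknown /* cause=16 */` and `/* cause=17 */` exist only to keep `do_trap_software_check` at table index 18; the comments should say those cause codes are reserved in the privileged spec, otherwise a later reader may take them for forgotten handlers. Since the table now ends at index 18 via `excp_vect_table_end`, it is also worth re-checking that the dispatch path bound-checks scause against that end label before indexing, so causes above 18 still reach `do_trap_unknown` rather than running off the table.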
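Review bot: in the traps.c hunk, the early `return true;` after `if (is_fcfi && probe_breakpoint_handler(regs))` leaves the SPELP bit set in the saved `regs->status`, so after `sret` the hart is back in the "landing pad expected" state and the next user instruction faults again with xtval=2 unless it happens to be `lpad`; clear the bit before returning, as agreed later in this thread (`regs->status &= ~SR_ELP;`). The value is also read with `csr_read(CSR_TVAL)`; the trap entry path has already saved stval into `regs->badaddr`, so using that field would match the other `do_trap_*` handlers and not depend on the CSR being untouched between entry and this read. The comment block above `do_trap_software_check` could additionally note that a tval other than 2 or 3, or a code for an extension the CPU does not support, falls through to `do_trap_unknown`, which is what the `!handle_user_cfi_violation(regs)` branch does.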
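Review bot: in the suggested hunk inside the reply, `regs->status = regs->status & ~SR_ELP;` is clearer as `regs->status &= ~SR_ELP;`. The hunk's context lines have also been re-wrapped by the mail client (`bool is_fcfi = (tval == CFI_TVAL_FCFI_CODE &&` is split from `cpu_supports_indirect_br_lp_instr());`), so it will not apply with `git am` as quoted; folding the one-line fix into the next revision, as the author agreed to, is the simplest way to carry it.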