Message-ID: <20251029024151.6005-1-xieyuanbin1@huawei.com>
Date: Wed, 29 Oct 2025 10:41:51 +0800
From: Xie Yuanbin <xieyuanbin1@...wei.com>
To: <bigeasy@...utronix.de>
CC: <akpm@...ux-foundation.org>, <arnd@...db.de>, <brauner@...nel.org>,
<kuninori.morimoto.gx@...esas.com>, <liaohua4@...wei.com>,
<lilinjie8@...wei.com>, <linux-arm-kernel@...ts.infradead.org>,
<linux-kernel@...r.kernel.org>, <linux@...linux.org.uk>,
<lorenzo.stoakes@...cle.com>, <marc.zyngier@....com>, <pfalcato@...e.de>,
<punitagrawal@...il.com>, <rjw@...ysocki.net>, <rmk+kernel@...linux.org.uk>,
<rppt@...nel.org>, <tony@...mide.com>, <vbabka@...e.cz>, <will@...nel.org>,
<xieyuanbin1@...wei.com>
Subject: Re: [PATCH v2 RESEND 1/2] ARM: spectre-v2: Fix potential missing mitigations
On Tue, 28 Oct 2025 17:20:05 +0100, Sebastian Andrzej Siewior wrote:
> If I apply both patches (of yours) then it sends a
> signal with disabled interrupts which breaks my PREEMPT_RT case.
I am not familiar with PREEMPT_RT yet and do not know that signals cannot
be sent with disabled interrupts and PREEMPT_RT=y.
I apologize for this.
On Tue, 28 Oct 2025 19:20:52 +0100, Sebastian Andrzej Siewior wrote:
> !LPAE does do_bad_area() -> __do_user_fault() and does not trigger the
> warning in harden_branch_predictor() because the interrupts are off.
> On PREEMPT_RT this leads to an error due to accessing spinlock_t from
> force_sig_fault() with disabled interrupts.
This seems to be a more serious bug, and may require another patch to
fix it. Not only is !LPAE affected, but LPAE=y is also affected:
do_translation_fault() -> do_bad_area() -> __do_user_fault()
This code path seems very easy to trigger.
> I guess the requirement is to invoke harden_branch_predictor() on the
> same CPU that triggered the page_fault, right? Couldn't we then move
> harden_branch_predictor() a little bit earlier, invoke it in the >=
> TASK_SIZE case and then enable interrupts if they were enabled?
>
> That would make me happy ;)
This seems to only fix the warning in harden_branch_predictor, but cannot
fix the issue of sending signals with disabled interrupts mentioned above.
What about adding:
diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
index 09dde89a88ed..b9c9c80db109 100644
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -182,6 +182,12 @@ __do_user_fault(unsigned long addr, unsigned int fsr, unsigned int sig,
int code, struct pt_regs *regs)
{
struct task_struct *tsk = current;
+ const bool save_irqs_disabled = irqs_disabled();
+
+ if (save_irqs_disabled) {
+ preempt_disable();
+ local_irq_enable();
+ }
if (addr > TASK_SIZE)
harden_branch_predictor();
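Review bot: enabling interrupts from inside __do_user_fault() based only on irqs_disabled() hides the caller's state: the function does not know why the fault entry path (for example the do_bad_area() path discussed above) left interrupts off, and re-enabling them here with `preempt_disable(); local_irq_enable();` decides that for every caller. A comment stating why it is safe to run the rest of the handler with interrupts on is needed at minimum; the alternative raised in the thread, calling harden_branch_predictor() in the addr > TASK_SIZE case before the caller enables interrupts, keeps the decision where the context is known. Note also that the new block sits before the existing `if (addr > TASK_SIZE)` check, so interrupts are re-enabled even when no mitigation is needed.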
@@ -207,6 +213,11 @@ __do_user_fault(unsigned long addr, unsigned int fsr, unsigned int sig,
tsk->thread.error_code = fsr;
tsk->thread.trap_no = 14;
force_sig_fault(sig, code, (void __user *)addr);
+
+ if (save_irqs_disabled) {
+ local_irq_disable();
+ preempt_enable_no_resched();
+ }
}
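Review bot: this hunk does not remove the PREEMPT_RT problem quoted earlier, it moves it: force_sig_fault() is now reached with interrupts enabled but preemption disabled (from the preempt_disable() paired with this block), and on PREEMPT_RT spinlock_t is a sleeping lock that cannot be taken in preempt-disabled context either. The restore sequence also needs a comment explaining why `preempt_enable_no_resched()` is used instead of preempt_enable() after `local_irq_disable()`, and the pairing should be checked against every return path between the two hunks, since any early return would leave the fault handler with interrupts enabled and preemption disabled.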
and the modification of patch 1 is still retained.
Xie Yuanbin