[PATCH 5.10.y 0/5] Backport call_on_irq_stack to fix scs overwritten in irq_stack_entry

Ard Biesheuvel ardb at kernel.org
Sun Feb 18 02:06:50 PST 2024


On Sun, 18 Feb 2024 at 03:33, Xiang Yang <xiangyang3 at huawei.com> wrote:
>
> The shadow call stack for irq, now stored in the current task's thread info,
> may be restored incorrectly, so backport call_on_irq_stack from mainline to
> fix it.
>
> Ard Biesheuvel (1):
>   arm64: Stash shadow stack pointer in the task struct on interrupt
>
> Mark Rutland (3):
>   arm64: entry: move arm64_preempt_schedule_irq to entry-common.c
>   arm64: entry: add a call_on_irq_stack helper
>   arm64: entry: convert IRQ+FIQ handlers to C
>
> Xiang Yang (1):
>   Revert "arm64: Stash shadow stack pointer in the task struct on
>     interrupt"
>

Backporting this was a mistake. Not only was the backport flawed, the
original issue (stashing the shadow call stack pointer onto the normal
stack) was not even present, at least not to the same extent.

Stashing the shadow call stack pointer in register X24 works around
the original issue, except for the case where a hardirq is taken while
softirqs are being processed. In this case, X24 will be preserved on
the stack by the hardirq handling logic, and restored after.
Theoretically, that creates a window where the shadow call stack
pointer could be corrupted deliberately, but it seems unlikely to me
that this is exploitable in practice.

So in the light of this, I think doing only the revert here should be
sufficient, and there is no need for the other backports in this
series.
