[PATCH 0/2] riscv: Add Spectre v1 mitigations
Lukas Gerlach
lukas.gerlach at cispa.de
Thu Dec 18 11:13:30 PST 2025
This series adds Spectre v1 to RISC-V in line with x86 and arm64.
Modern RISC-V CPUs with deep pipelines (e.g., XuanTie C910, SiFive P550)
are susceptible to Spectre v1 attacks where an attacker can speculatively
bypass bounds checks and leak kernel memory via cache side channels.
The first patch adds pointer masking to uaccess routines. Similar to
arm64's uaccess_mask_ptr(), this clears the top bit of user pointers
before access, ensuring that even under speculation, a user-controlled
pointer cannot reach kernel memory.
The second patch sanitizes the syscall number using array_index_nospec()
before indexing into the syscall table, preventing out-of-bounds
speculative reads similar to what x86 does.
Lukas Gerlach (2):
riscv: Use pointer masking to limit uaccess speculation
riscv: Sanitize syscall table indexing under speculation
arch/riscv/include/asm/uaccess.h | 41 +++++++++++++++++++++++++-------
arch/riscv/kernel/traps.c | 4 +++-
2 files changed, 35 insertions(+), 10 deletions(-)
--
2.51.0
More information about the linux-riscv
mailing list