Re: [PATCH] LoongArch: add spectre boundry for syscall dispatch table

loongarch.lists.linux.dev archive mirror
 help / color / mirror / Atom feed

From: Xi Ruoyao <xry111@xry111.site>
To: Huacai Chen <chenhuacai@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Bibo Mao <maobibo@loongson.cn>,
	loongarch@lists.linux.dev, arnd@arndb.de,
		jiaxun.yang@flygoat.com, linux-kernel@vger.kernel.org,
	WANG Xuerui	 <kernel@xen0n.name>, stable <stable@kernel.org>
Subject: Re: [PATCH] LoongArch: add spectre boundry for syscall dispatch table
Date: Wed, 08 Apr 2026 16:27:35 +0800	[thread overview]
Message-ID: <4df596e36d48496327b10695e4fe5102cc5ac695.camel@xry111.site> (raw)
In-Reply-To: <CAAhV-H4Q1kaTMhJt8CsN2FS1vfkWLpOxuj8hqYaTr1UgLC5LLg@mail.gmail.com>

On Wed, 2026-04-08 at 16:20 +0800, Huacai Chen wrote:
> Hi, all,
> 
> On Wed, Apr 8, 2026 at 1:26 PM Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> > 
> > On Wed, Apr 08, 2026 at 09:17:07AM +0800, Bibo Mao wrote:
> > > 
> > > 
> > > On 2026/4/2 下午10:36, Greg Kroah-Hartman wrote:
> > > > On Wed, Mar 25, 2026 at 09:53:09AM +0100, Greg Kroah-Hartman wrote:
> > > > > On Wed, Mar 25, 2026 at 11:26:29AM +0800, Xi Ruoyao wrote:
> > > > > > On Tue, 2026-03-24 at 17:30 +0100, Greg Kroah-Hartman wrote:
> > > > > > > The LoongArch syscall number is directly controlled by userspace, but
> > > > > > > does not have a array_index_nospec() boundry to prevent access past
> > > > > > > the
> > > > > > > syscall function pointer tables.
> > > > > > > 
> > > > > > > Cc: Huacai Chen <chenhuacai@kernel.org>
> > > > > > > Cc: WANG Xuerui <kernel@xen0n.name>
> > > > > > > Assisted-by: gkh_clanker_2000
> > > > > > > Cc: stable <stable@kernel.org>
> > > > > > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > > > > > > ---
> > > > > > > My scripts caught this as I think LoongArch is vulnerable to the
> > > > > > 
> > > > > > There's no evidence.  The kernel currently report all LoongArch
> > > > > > processors invulnerable to spectre V1 via cpuinfo.
> > > > > 
> > > > > Where is that?  In the sysfs files, or in the actual silicon testing?
> > > > > 
> > > > > > So NAK unless there's a reproducer of spectre V1 on LoongArch.  If so
> > > > > > we'd also need to adjust the cpuinfo output.
> > > > > 
> > > > > I really thought this cpu was vulnerable to this, but if the companies
> > > > > say it isn't, then great, but reports like this:
> > > > >   https://cc-sw.com/chinese-loongarch-architecture-evaluation-part-3-of-3/
> > > > > say that the silicon is vulnerable.  So, which is it?
> > > > 
> > > > Any thoughts about this?
> > > co-ask though it is hard to decide :(
> > 
> > Can't you all run the reproducers on your platform to determine this?
> > There should be some basic ones around somewhere, this is a very old bug
> > :)
> I have consulted with the chip designers. They confirmed that existing
> LoongArch processors are vulnerable to Spectre-V1. But this conclusion
> is just for the PoC (as [1] said,  Spectre-V1 is not easily mitigated
> in hardware), it is very difficult to create a real attack program.
> This is not even a LoongArch-specific problem.
> 
> As an additional point, LoongArch's boundary-checking memory access
> instructions, which provide immunity against Spectre-V1, are not
> convenient enough to automatically apply to all critical code
> sections.
> 
> Anyway, user pointer sanitization is the proper mitigation of
> Spectre-V1, and that is exactly what this patch does. So, I will take
> this patch and update other corresponding parts of the kernel.
> 
> [1] https://cc-sw.com/chinese-loongarch-architecture-evaluation-part-3-of-3/

Then IMO we should update cpuinfo report as well (well, maybe also for
other architectures, if there are literally no hardware immune to the
issue).

-- 
Xi Ruoyao <xry111@xry111.site>

     prev parent reply	other threads:[~2026-04-08  8:27 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-24 16:30 [PATCH] LoongArch: add spectre boundry for syscall dispatch table Greg Kroah-Hartman
2026-03-25  3:26 ` Xi Ruoyao
2026-03-25  8:53   ` Greg Kroah-Hartman
2026-04-02 14:36     ` Greg Kroah-Hartman
2026-04-08  1:17       ` Bibo Mao
2026-04-08  5:26         ` Greg Kroah-Hartman
2026-04-08  8:20           ` Huacai Chen
2026-04-08  8:27             ` Xi Ruoyao [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4df596e36d48496327b10695e4fe5102cc5ac695.camel@xry111.site \
    --to=xry111@xry111.site \
    --cc=arnd@arndb.de \
    --cc=chenhuacai@kernel.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=jiaxun.yang@flygoat.com \
    --cc=kernel@xen0n.name \
    --cc=linux-kernel@vger.kernel.org \
    --cc=loongarch@lists.linux.dev \
    --cc=maobibo@loongson.cn \
    --cc=stable@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).