The arm64 probe simulation doesn't currently have logic in place
to deal with GCS and this results in core dumps if probes are inserted
at control flow locations. Fix-up bl, blr and ret to manipulate the
shadow stack as needed.
While we manipulate and validate the shadow stack correctly, the
hardware provides additional security by only allowing GCS operations
against pages which are marked to support GCS. For writing there is
gcssttr() which enforces this, but there isn't an equivalent for
reading. This means that uprobe users should be aware that probing on
control flow instructions which require reading the shadow stack (ex:
ret) offers lower security guarantees than what is achieved without
the uprobe active.
Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
---
arch/arm64/kernel/probes/simulate-insn.c | 35 ++++++++++++++++++++----
1 file changed, 29 insertions(+), 6 deletions(-)
diff --git a/arch/arm64/kernel/probes/simulate-insn.c b/arch/arm64/kernel/probes/simulate-insn.c
index 09a0b36122d0..c75dce7bbe13 100644
--- a/arch/arm64/kernel/probes/simulate-insn.c
+++ b/arch/arm64/kernel/probes/simulate-insn.c
@@ -13,6 +13,7 @@
#include <asm/traps.h>
#include "simulate-insn.h"
+#include "asm/gcs.h"
#define bbl_displacement(insn) \
sign_extend32(((insn) & 0x3ffffff) << 2, 27)
@@ -49,6 +50,20 @@ static inline u32 get_w_reg(struct pt_regs *regs, int reg)
return lower_32_bits(pt_regs_read_reg(regs, reg));
}
+static inline void update_lr(struct pt_regs *regs, long addr)
+{
+ int err = 0;
+
+ if (user_mode(regs) && task_gcs_el0_enabled(current)) {
+ push_user_gcs(addr + 4, &err);
+ if (err) {
+ force_sig(SIGSEGV);
+ return;
+ }
+ }
+ procedure_link_pointer_set(regs, addr + 4);
+}
+
static bool __kprobes check_cbz(u32 opcode, struct pt_regs *regs)
{
int xn = opcode & 0x1f;
@@ -107,9 +122,8 @@ simulate_b_bl(u32 opcode, long addr, struct pt_regs *regs)
{
int disp = bbl_displacement(opcode);
- /* Link register is x30 */
if (opcode & (1 << 31))
- set_x_reg(regs, 30, addr + 4);
+ update_lr(regs, addr);
instruction_pointer_set(regs, addr + disp);
}
@@ -133,17 +147,26 @@ simulate_br_blr(u32 opcode, long addr, struct pt_regs *regs)
/* update pc first in case we're doing a "blr lr" */
instruction_pointer_set(regs, get_x_reg(regs, xn));
- /* Link register is x30 */
if (((opcode >> 21) & 0x3) == 1)
- set_x_reg(regs, 30, addr + 4);
+ update_lr(regs, addr);
}
void __kprobes
simulate_ret(u32 opcode, long addr, struct pt_regs *regs)
{
- int xn = (opcode >> 5) & 0x1f;
+ u64 ret_addr;
+ int err = 0;
+ unsigned long lr = procedure_link_pointer(regs);
- instruction_pointer_set(regs, get_x_reg(regs, xn));
+ if (user_mode(regs) && task_gcs_el0_enabled(current)) {
+ ret_addr = pop_user_gcs(&err);
+ if (err || ret_addr != lr) {
+ force_sig(SIGSEGV);
+ return;
+ }
+ }
+
+ instruction_pointer_set(regs, lr);
}
void __kprobes
--
2.49.0Hi Jeremy,
kernel test robot noticed the following build errors:
[auto build test ERROR on arm64/for-next/core]
[also build test ERROR on perf-tools-next/perf-tools-next tip/perf/core perf-tools/perf-tools linus/master v6.15-rc5 next-20250508]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Jeremy-Linton/arm64-gcs-task_gcs_el0_enable-should-use-passed-task/20250505-122838
base: https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-next/core
patch link: https://lore.kernel.org/r/20250504233203.616587-5-jeremy.linton%40arm.com
patch subject: [PATCH v3 4/7] arm64: probes: Add GCS support to bl/blr/ret
config: arm64-randconfig-001-20250509 (https://download.01.org/0day-ci/archive/20250509/202505091926.PBPRfjKb-lkp@intel.com/config)
compiler: aarch64-linux-gcc (GCC) 7.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250509/202505091926.PBPRfjKb-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202505091926.PBPRfjKb-lkp@intel.com/
All errors (new ones prefixed by >>):
arch/arm64/kernel/probes/simulate-insn.c: In function 'update_lr':
>> arch/arm64/kernel/probes/simulate-insn.c:58:3: error: implicit declaration of function 'push_user_gcs'; did you mean 'task_user_tls'? [-Werror=implicit-function-declaration]
push_user_gcs(addr + 4, &err);
^~~~~~~~~~~~~
task_user_tls
arch/arm64/kernel/probes/simulate-insn.c: In function 'simulate_ret':
>> arch/arm64/kernel/probes/simulate-insn.c:162:14: error: implicit declaration of function 'pop_user_gcs'; did you mean 'pin_user_pages'? [-Werror=implicit-function-declaration]
ret_addr = pop_user_gcs(&err);
^~~~~~~~~~~~
pin_user_pages
cc1: some warnings being treated as errors
vim +58 arch/arm64/kernel/probes/simulate-insn.c
52
53 static inline void update_lr(struct pt_regs *regs, long addr)
54 {
55 int err = 0;
56
57 if (user_mode(regs) && task_gcs_el0_enabled(current)) {
> 58 push_user_gcs(addr + 4, &err);
59 if (err) {
60 force_sig(SIGSEGV);
61 return;
62 }
63 }
64 procedure_link_pointer_set(regs, addr + 4);
65 }
66
67 static bool __kprobes check_cbz(u32 opcode, struct pt_regs *regs)
68 {
69 int xn = opcode & 0x1f;
70
71 return (opcode & (1 << 31)) ?
72 (get_x_reg(regs, xn) == 0) : (get_w_reg(regs, xn) == 0);
73 }
74
75 static bool __kprobes check_cbnz(u32 opcode, struct pt_regs *regs)
76 {
77 int xn = opcode & 0x1f;
78
79 return (opcode & (1 << 31)) ?
80 (get_x_reg(regs, xn) != 0) : (get_w_reg(regs, xn) != 0);
81 }
82
83 static bool __kprobes check_tbz(u32 opcode, struct pt_regs *regs)
84 {
85 int xn = opcode & 0x1f;
86 int bit_pos = ((opcode & (1 << 31)) >> 26) | ((opcode >> 19) & 0x1f);
87
88 return ((get_x_reg(regs, xn) >> bit_pos) & 0x1) == 0;
89 }
90
91 static bool __kprobes check_tbnz(u32 opcode, struct pt_regs *regs)
92 {
93 int xn = opcode & 0x1f;
94 int bit_pos = ((opcode & (1 << 31)) >> 26) | ((opcode >> 19) & 0x1f);
95
96 return ((get_x_reg(regs, xn) >> bit_pos) & 0x1) != 0;
97 }
98
99 /*
100 * instruction simulation functions
101 */
102 void __kprobes
103 simulate_adr_adrp(u32 opcode, long addr, struct pt_regs *regs)
104 {
105 long imm, xn, val;
106
107 xn = opcode & 0x1f;
108 imm = ((opcode >> 3) & 0x1ffffc) | ((opcode >> 29) & 0x3);
109 imm = sign_extend64(imm, 20);
110 if (opcode & 0x80000000)
111 val = (imm<<12) + (addr & 0xfffffffffffff000);
112 else
113 val = imm + addr;
114
115 set_x_reg(regs, xn, val);
116
117 instruction_pointer_set(regs, instruction_pointer(regs) + 4);
118 }
119
120 void __kprobes
121 simulate_b_bl(u32 opcode, long addr, struct pt_regs *regs)
122 {
123 int disp = bbl_displacement(opcode);
124
125 if (opcode & (1 << 31))
126 update_lr(regs, addr);
127
128 instruction_pointer_set(regs, addr + disp);
129 }
130
131 void __kprobes
132 simulate_b_cond(u32 opcode, long addr, struct pt_regs *regs)
133 {
134 int disp = 4;
135
136 if (aarch32_opcode_cond_checks[opcode & 0xf](regs->pstate & 0xffffffff))
137 disp = bcond_displacement(opcode);
138
139 instruction_pointer_set(regs, addr + disp);
140 }
141
142 void __kprobes
143 simulate_br_blr(u32 opcode, long addr, struct pt_regs *regs)
144 {
145 int xn = (opcode >> 5) & 0x1f;
146
147 /* update pc first in case we're doing a "blr lr" */
148 instruction_pointer_set(regs, get_x_reg(regs, xn));
149
150 if (((opcode >> 21) & 0x3) == 1)
151 update_lr(regs, addr);
152 }
153
154 void __kprobes
155 simulate_ret(u32 opcode, long addr, struct pt_regs *regs)
156 {
157 u64 ret_addr;
158 int err = 0;
159 unsigned long lr = procedure_link_pointer(regs);
160
161 if (user_mode(regs) && task_gcs_el0_enabled(current)) {
> 162 ret_addr = pop_user_gcs(&err);
163 if (err || ret_addr != lr) {
164 force_sig(SIGSEGV);
165 return;
166 }
167 }
168
169 instruction_pointer_set(regs, lr);
170 }
171
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
© 2016 - 2026 Red Hat, Inc.