On Tue, Jul 15, 2025 at 7:06 PM Zong Li <zong.li@xxxxxxxxxx> wrote: > > On Wed, Jul 16, 2025 at 5:34 AM Deepak Gupta <debug@xxxxxxxxxxxx> wrote: > > > > Hi Zong, > > > > > > On Thu, Jun 19, 2025 at 7:16 PM Zong Li <zong.li@xxxxxxxxxx> wrote: > > > > > > On Mon, Jun 16, 2025 at 3:31 PM Zong Li <zong.li@xxxxxxxxxx> wrote: > > > > > > > > On Thu, Jun 5, 2025 at 1:17 AM Deepak Gupta <debug@xxxxxxxxxxxx> wrote: > > > > > > > > > > zicfiss / zicfilp introduces a new exception to priv isa `software check > > > > > exception` with cause code = 18. This patch implements software check > > > > > exception. > > > > > > > ..... > > > > > > When a user mode CFI violation occurs, the ELP state should be 1, and > > > > the system traps into supervisor mode. During this trap, sstatus.SPELP > > > > is set to 1, and the ELP state is reset to 0. If we don’t clear > > > > sstatus.SPELP, the ELP state will become 1 again after executing the > > > > sret instruction. As a result, the system might trigger another > > > > forward CFI violation upon executing the next instruction in the user > > > > program, unless it happens to be a lpad instruction. > > > > > > > > The previous patch was tested on QEMU, but QEMU does not set the > > > > sstatus.SPELP bit to 1 when a forward CFI violation occurs. Therefore, > > > > I suspect that QEMU might also require some fixes. > > > > > > Hi Deepak, > > > The issue with QEMU was that the sw-check exception bit in medeleg > > > couldn't be set. This has been fixed in the latest QEMU mainline. I > > > have re-tested the latest QEMU version, and it works. > > > > What was this issue, can you point me to the patch in mainline? > > Hi Deepak > The issue was that my QEMU setup somehow missed the change of > `target/riscv/csr.c` in your following patch: > https://github.com/qemu/qemu/commit/6031102401ae8a69a87b20fbec2aae666625d96a > After I upgraded to the latest QEMU source, I found the kernel issue > if we didn't clear sstatus.SPELP in the handler > Thanks Aah ok, got it. > > > > > > > > > > > > > > Thanks > > > > > > > > > + > > > > > + if (is_fcfi || is_bcfi) { > > > > > + do_trap_error(regs, SIGSEGV, SEGV_CPERR, regs->epc, > > > > > + "Oops - control flow violation"); > > > > > + return true; > > > > > + } > > > > > + > > > > > + return false; > > > > > +} > > > > > + > > > > > +/* > > > > > + * software check exception is defined with risc-v cfi spec. Software check > > > > > + * exception is raised when:- > > > > > + * a) An indirect branch doesn't land on 4 byte aligned PC or `lpad` > > > > > + * instruction or `label` value programmed in `lpad` instr doesn't > > > > > + * match with value setup in `x7`. reported code in `xtval` is 2. > > > > > + * b) `sspopchk` instruction finds a mismatch between top of shadow stack (ssp) > > > > > + * and x1/x5. reported code in `xtval` is 3. > > > > > + */ > > > > > +asmlinkage __visible __trap_section void do_trap_software_check(struct pt_regs *regs) > > > > > +{ > > > > > + if (user_mode(regs)) { > > > > > + irqentry_enter_from_user_mode(regs); > > > > > + > > > > > + /* not a cfi violation, then merge into flow of unknown trap handler */ > > > > > + if (!handle_user_cfi_violation(regs)) > > > > > + do_trap_unknown(regs); > > > > > + > > > > > + irqentry_exit_to_user_mode(regs); > > > > > + } else { > > > > > + /* sw check exception coming from kernel is a bug in kernel */ > > > > > + die(regs, "Kernel BUG"); > > > > > + } > > > > > +} > > > > > + > > > > > #ifdef CONFIG_MMU > > > > > asmlinkage __visible noinstr void do_page_fault(struct pt_regs *regs) > > > > > { > > > > > > > > > > -- > > > > > 2.43.0 > > > > >
