On Sun, 18 Feb 2024 at 03:33, Xiang Yang <xiangyang3@xxxxxxxxxx> wrote:
>
> The shadow call stack for irq now stored in current task's thread info
> may be restored incorrectly, so backport call_on_irq_stack from mainline to
> fix it.
>
> Ard Biesheuvel (1):
>   arm64: Stash shadow stack pointer in the task struct on interrupt
>
> Mark Rutland (3):
>   arm64: entry: move arm64_preempt_schedule_irq to entry-common.c
>   arm64: entry: add a call_on_irq_stack helper
>   arm64: entry: convert IRQ+FIQ handlers to C
>
> Xiang Yang (1):
>   Revert "arm64: Stash shadow stack pointer in the task struct on
>     interrupt"
>

Backporting this was a mistake. Not only was the backport flawed, the original issue (stashing the shadow call stack pointer onto the normal stack) was not even present, at least not to the same extent.

Stashing the shadow call stack pointer in register X24 works around the original issue, except for the case where a hardirq is taken while softirqs are being processed. In this case, X24 will be preserved on the stack by the hardirq handling logic, and restored after. Theoretically, that creates a window where the shadow call stack pointer could be corrupted deliberately, but it seems unlikely to me that this is exploitable in practice.

So in the light of this, I think doing only the revert here should be sufficient, and there is no need for the other backports in this series.