Re: [PATCH] LoongArch: add spectre boundry for syscall dispatch table

From: Huacai Chen

Date: Wed Apr 08 2026 - 04:25:39 EST

Hi, all,

On Wed, Apr 8, 2026 at 1:26 PM Greg Kroah-Hartman
<gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Wed, Apr 08, 2026 at 09:17:07AM +0800, Bibo Mao wrote:
> >
> >
> > On 2026/4/2 下午10:36, Greg Kroah-Hartman wrote:
> > > On Wed, Mar 25, 2026 at 09:53:09AM +0100, Greg Kroah-Hartman wrote:
> > > > On Wed, Mar 25, 2026 at 11:26:29AM +0800, Xi Ruoyao wrote:
> > > > > On Tue, 2026-03-24 at 17:30 +0100, Greg Kroah-Hartman wrote:
> > > > > > The LoongArch syscall number is directly controlled by userspace, but
> > > > > > does not have a array_index_nospec() boundry to prevent access past
> > > > > > the
> > > > > > syscall function pointer tables.
> > > > > >
> > > > > > Cc: Huacai Chen <chenhuacai@xxxxxxxxxx>
> > > > > > Cc: WANG Xuerui <kernel@xxxxxxxxxx>
> > > > > > Assisted-by: gkh_clanker_2000
> > > > > > Cc: stable <stable@xxxxxxxxxx>
> > > > > > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> > > > > > ---
> > > > > > My scripts caught this as I think LoongArch is vulnerable to the
> > > > >
> > > > > There's no evidence. The kernel currently report all LoongArch
> > > > > processors invulnerable to spectre V1 via cpuinfo.
> > > >
> > > > Where is that? In the sysfs files, or in the actual silicon testing?
> > > >
> > > > > So NAK unless there's a reproducer of spectre V1 on LoongArch. If so
> > > > > we'd also need to adjust the cpuinfo output.
> > > >
> > > > I really thought this cpu was vulnerable to this, but if the companies
> > > > say it isn't, then great, but reports like this:
> > > > https://cc-sw.com/chinese-loongarch-architecture-evaluation-part-3-of-3/
> > > > say that the silicon is vulnerable. So, which is it?
> > >
> > > Any thoughts about this?
> > co-ask though it is hard to decide :(
>
> Can't you all run the reproducers on your platform to determine this?
> There should be some basic ones around somewhere, this is a very old bug
> :)
I have consulted with the chip designers. They confirmed that existing
LoongArch processors are vulnerable to Spectre-V1. But this conclusion
is just for the PoC (as [1] said, Spectre-V1 is not easily mitigated
in hardware), it is very difficult to create a real attack program.
This is not even a LoongArch-specific problem.

As an additional point, LoongArch's boundary-checking memory access
instructions, which provide immunity against Spectre-V1, are not
convenient enough to automatically apply to all critical code
sections.

Anyway, user pointer sanitization is the proper mitigation of
Spectre-V1, and that is exactly what this patch does. So, I will take
this patch and update other corresponding parts of the kernel.

[1] https://cc-sw.com/chinese-loongarch-architecture-evaluation-part-3-of-3/

Huacai

>
> thanks,
>
> greg k-h