Re: [PATCH] LoongArch: add spectre boundry for syscall dispatch table

From: Xi Ruoyao

Date: Wed Apr 08 2026 - 04:27:55 EST

On Wed, 2026-04-08 at 16:20 +0800, Huacai Chen wrote:
> Hi, all,
>
> On Wed, Apr 8, 2026 at 1:26 PM Greg Kroah-Hartman
> <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> >
> > On Wed, Apr 08, 2026 at 09:17:07AM +0800, Bibo Mao wrote:
> > >
> > >
> > > On 2026/4/2 下午10:36, Greg Kroah-Hartman wrote:
> > > > On Wed, Mar 25, 2026 at 09:53:09AM +0100, Greg Kroah-Hartman wrote:
> > > > > On Wed, Mar 25, 2026 at 11:26:29AM +0800, Xi Ruoyao wrote:
> > > > > > On Tue, 2026-03-24 at 17:30 +0100, Greg Kroah-Hartman wrote:
> > > > > > > The LoongArch syscall number is directly controlled by userspace, but
> > > > > > > does not have a array_index_nospec() boundry to prevent access past
> > > > > > > the
> > > > > > > syscall function pointer tables.
> > > > > > >
> > > > > > > Cc: Huacai Chen <chenhuacai@xxxxxxxxxx>
> > > > > > > Cc: WANG Xuerui <kernel@xxxxxxxxxx>
> > > > > > > Assisted-by: gkh_clanker_2000
> > > > > > > Cc: stable <stable@xxxxxxxxxx>
> > > > > > > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> > > > > > > ---
> > > > > > > My scripts caught this as I think LoongArch is vulnerable to the
> > > > > >
> > > > > > There's no evidence.  The kernel currently report all LoongArch
> > > > > > processors invulnerable to spectre V1 via cpuinfo.
> > > > >
> > > > > Where is that?  In the sysfs files, or in the actual silicon testing?
> > > > >
> > > > > > So NAK unless there's a reproducer of spectre V1 on LoongArch.  If so
> > > > > > we'd also need to adjust the cpuinfo output.
> > > > >
> > > > > I really thought this cpu was vulnerable to this, but if the companies
> > > > > say it isn't, then great, but reports like this:
> > > > >   https://cc-sw.com/chinese-loongarch-architecture-evaluation-part-3-of-3/
> > > > > say that the silicon is vulnerable.  So, which is it?
> > > >
> > > > Any thoughts about this?
> > > co-ask though it is hard to decide :(
> >
> > Can't you all run the reproducers on your platform to determine this?
> > There should be some basic ones around somewhere, this is a very old bug
> > :)
> I have consulted with the chip designers. They confirmed that existing
> LoongArch processors are vulnerable to Spectre-V1. But this conclusion
> is just for the PoC (as [1] said,  Spectre-V1 is not easily mitigated
> in hardware), it is very difficult to create a real attack program.
> This is not even a LoongArch-specific problem.
>
> As an additional point, LoongArch's boundary-checking memory access
> instructions, which provide immunity against Spectre-V1, are not
> convenient enough to automatically apply to all critical code
> sections.
>
> Anyway, user pointer sanitization is the proper mitigation of
> Spectre-V1, and that is exactly what this patch does. So, I will take
> this patch and update other corresponding parts of the kernel.
>
> [1] https://cc-sw.com/chinese-loongarch-architecture-evaluation-part-3-of-3/

Then IMO we should update cpuinfo report as well (well, maybe also for
other architectures, if there are literally no hardware immune to the
issue).

--
Xi Ruoyao <xry111@xxxxxxxxxxx>