Re: [PATCH v2] arm64/hw_breakpoint: reject unaligned watchpoints that would truncate BAS

Next message: Bradley Morgan: "[PATCH 2/2] cpu: hotplug: bound hotplug states sysfs output"
Previous message: Al Viro: "Re: [PATCH] net: add sock_open() for unified socket creation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Will Deacon

Date: Fri Jun 19 2026 - 12:36:29 EST

On Tue, 09 Jun 2026 06:15:53 -0700, Breno Leitao wrote:
> hw_breakpoint_arch_parse() positions the BAS bit pattern in
> hw->ctrl.len with
>
> offset = hw->address & alignment_mask; /* 0..7 */
> hw->ctrl.len <<= offset;
>
> ctrl.len is an 8-bit bitfield (struct arch_hw_breakpoint_ctrl::len is
> u32 :8), so the shift silently drops any bits past bit 7. For
> non-compat AArch64 watchpoints the offset is unbounded relative to
> ctrl.len: a perf_event_open(PERF_TYPE_BREAKPOINT) caller asking for
> HW_BREAKPOINT_W with bp_addr=page+1 and bp_len=HW_BREAKPOINT_LEN_8
> ends up with 0xff << 1 = 0x1fe, stored as 0xfe. The kernel programs
> WCR.BAS=0xfe and the hardware watches bytes [1..7] instead of the
> requested [1..8] -- the eighth byte is silently dropped. The
> syscall still returns success, leaving userspace to discover the
> gap by empirical probing.
>
> [...]

Applied to arm64 (for-next/core), thanks!

[1/1] arm64/hw_breakpoint: reject unaligned watchpoints that would truncate BAS
https://git.kernel.org/arm64/c/4cc70f75853b

Cheers,
--
Will

https://fixes.arm64.dev
https://next.arm64.dev
https://will.arm64.dev