morello: uaccess: Disable asm_goto_output #28
Open
heshamelmatary wants to merge 1 commit into
The use of asm_goto_output in __get_mem_asm allows the compiler to optimise the success path by branching directly out of inline assembly to a C label on error. However, this breaks execution state guarantees on Morello.

When a memory fault triggers on a user-space load, the hardware exception handler uses the exception table to rewrite the Program Counter. If the entry targets the C label directly, execution resumes there immediately—completely bypassing the trailing __ASM_UACCESS_AFTER macro inside the block.

On Morello, __ASM_UACCESS_BEFORE and __ASM_UACCESS_AFTER manage critical architectural transitions, such as switching between A64 and C64 (Capability) execution modes via PSTATE.C64. Bypassing the cleanup path leaves the processor stuck in C64 mode, corrupting subsequent A64 instruction streams and causing immediate kernel panics.

Fix this by gating asm_goto_output out when Morello is enabled. Fall back to a traditional linear asm volatile block that uses an explicit, sequential landing pad placed right before __ASM_UACCESS_AFTER. This guarantees that execution state cleanup runs on both success and fault paths before checking the error code in standard C.

Signed-off-by: Hesham Almatary <hesham.almatary@cl.cam.ac.uk>
I also experimented with the following alternative solution that does still use asm_goto_output that seems to pass the same number of tests with this PR and doesn't trigger panics:
It is a bit hacky but it does force this block to use __ASM_UACCESS_AFTER.
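The control-flow difference the PR describes can be demonstrated without Morello hardware. The following is an added example, not code from the Morello kernel tree or from this PR: the exception-table PC rewrite is modelled with sigsetjmp/siglongjmp from a SIGSEGV handler, PSTATE.C64 is modelled as a global flag toggled by two helpers standing in for __ASM_UACCESS_BEFORE/__ASM_UACCESS_AFTER, and the faulting user pointer is a constructed pointer to the unmapped zero page. The function names (get_user_asm_goto, get_user_linear, c64_left_set_after_fault) are this example's own. What it shows is the state left behind after a faulting load under each shape of the block: the asm_goto_output shape resumes at the C error label and skips cleanup, the linear landing-pad shape runs cleanup on both paths.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static int pstate_c64;        /* models PSTATE.C64: 1 = C64 (capability) mode */
static sigjmp_buf fixup;      /* models the exception-table fixup target */

static void uaccess_before(void) { pstate_c64 = 1; } /* stands in for __ASM_UACCESS_BEFORE */
static void uaccess_after(void)  { pstate_c64 = 0; } /* stands in for __ASM_UACCESS_AFTER  */

/* Models the fault handler looking up the extable and rewriting the PC. */
static void fault_handler(int sig)
{
    (void)sig;
    siglongjmp(fixup, 1);
}

static void install_fault_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);   /* some platforms report the bad load as SIGBUS */
}

/*
 * asm_goto_output shape: the fixup entry targets the C label outside the
 * block, so on a fault execution resumes past uaccess_after() and the
 * mode switch is never undone.
 */
int get_user_asm_goto(int *val, const int *uaddr)
{
    uaccess_before();
    if (sigsetjmp(fixup, 1) != 0)
        goto efault;                        /* PC rewritten to the C label */
    *val = *(const volatile int *)uaddr;    /* the user load that may fault */
    uaccess_after();
    return 0;
efault:
    return -EFAULT;                         /* pstate_c64 is still 1 here */
}

/*
 * Linear shape from the PR: the fixup entry targets a landing pad placed
 * immediately before uaccess_after(), so cleanup runs on the success path
 * and on the fault path, and the error code is checked afterwards in C.
 */
int get_user_linear(int *val, const int *uaddr)
{
    int err = 0;
    uaccess_before();
    if (sigsetjmp(fixup, 1) == 0)
        *val = *(const volatile int *)uaddr;
    else
        err = -EFAULT;                      /* landing pad: fall through */
    uaccess_after();
    return err;
}

/* Drives one faulting load and returns the modelled PSTATE.C64 left behind. */
int c64_left_set_after_fault(int (*get_user)(int *, const int *))
{
    static volatile uintptr_t bad_addr = 0; /* constructed: unmapped zero page */
    int val = 0;
    install_fault_handler();
    pstate_c64 = 0;
    (void)get_user(&val, (const int *)bad_addr);
    return pstate_c64;
}

int main(void)
{
    printf("asm goto shape, C64 after fault: %d\n",
           c64_left_set_after_fault(get_user_asm_goto));
    printf("linear shape,   C64 after fault: %d\n",
           c64_left_set_after_fault(get_user_linear));
    return 0;
}
```

The success path is identical in both shapes; the only difference is where the fixup target lands relative to the cleanup, which is exactly what the PR's linear block pins down by placing the landing pad before __ASM_UACCESS_AFTER.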