Disallow unprivileged critical sections with MPU wrappers v2#1427
Open
archigup wants to merge 1 commit into
When using MPU wrappers version 2 (configUSE_MPU_WRAPPERS_V1 == 0), portRAISE_PRIVILEGE() is a no-op because the portSVC_RAISE_PRIVILEGE handler is compiled only for MPU wrappers version 1. As a result, an unprivileged task that calls taskENTER_CRITICAL() does not actually raise its privilege, so the subsequent BASEPRI write is ignored by the hardware and the critical section silently fails to mask interrupts. This produces latent, hard-to-debug faults. configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is therefore not supported with MPU wrappers version 2.

In the ARMv7-M MPU ports:
- When the option is left undefined under v2, default it to 0 instead of 1 so the dangerous default configuration is safe.
- When the option is explicitly set to 1 under v2, raise a compile-time #error so the unsupported configuration is rejected loudly rather than failing silently at run time.

Behaviour for MPU wrappers version 1 is unchanged.
AniruddhaKanhere approved these changes on Jun 12, 2026.
Description
When using MPU wrappers version 2 (configUSE_MPU_WRAPPERS_V1 == 0), unprivileged tasks cannot safely enter critical sections, but the current ARMv7-M MPU ports allow it and fail silently.

vPortEnterCritical()/vPortExitCritical() handle an unprivileged caller by raising privilege via portRAISE_PRIVILEGE() before writing BASEPRI. portRAISE_PRIVILEGE() issues svc portSVC_RAISE_PRIVILEGE, but the portSVC_RAISE_PRIVILEGE case in the SVC handler is compiled only for MPU wrappers v1 (#if ( configUSE_MPU_WRAPPERS_V1 == 1 )). Under v2 the SVC falls through to the no-op default case, privilege is never raised, and the subsequent BASEPRI write from unprivileged mode is ignored by the hardware. The critical section appears to succeed but never masks interrupts, producing latent, hard-to-debug faults.

This is made worse by the defaults: configUSE_MPU_WRAPPERS_V1 defaults to 0 (v2) and configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS defaults to 1, so the dangerous combination is the out-of-the-box configuration.

Changes
In the four ARMv7-M MPU ports (GCC/ARM_CM3_MPU, GCC/ARM_CM4_MPU, IAR/ARM_CM4F_MPU, RVDS/ARM_CM4_MPU):
- When configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is left undefined under v2, it now defaults to 0 (instead of 1), so the default configuration is safe.
- When it is explicitly set to 1 under v2, a compile-time #error rejects the unsupported configuration loudly rather than letting it fail silently at run time.
- Under v1, behaviour is unchanged (it still defaults to 1 with the existing security #warning, and explicit 0/1 are both honoured).

ARMv8-M ports are unaffected: they do not expose configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS and their critical-section primitives are PRIVILEGED_FUNCTIONs that never attempt the privilege raise.

Fixes #1378
Test Steps

Verified the preprocessor logic across all relevant config permutations:

configUSE_MPU_WRAPPERS_V1   configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS   Result
0 (v2)                      undefined                                    0, no error
0 (v2)                      1                                            #error
0 (v2)                      0                                            0, no error
1                           undefined                                    1 + existing #warning
1                           1                                            1, no error

Checklist:
Related Issue
#1378
By submitting this pull request, I confirm that my contribution is made under the terms of the MIT license.
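A minimal C model of the failure the PR describes and of the guard it adds, written for this page as an added example; it is not FreeRTOS code. The SVC number, the toy core type, and the function names are assumptions made for the model, and only the configuration macro names mirror the ports.

```c
/* Added model of the ARMv7-M behaviour described in the PR; not FreeRTOS code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The compile-time guard the PR adds to the ARMv7-M MPU ports. */
#ifndef configUSE_MPU_WRAPPERS_V1
    #define configUSE_MPU_WRAPPERS_V1 0                     /* v2 is the default */
#endif
#ifndef configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS
    #if ( configUSE_MPU_WRAPPERS_V1 == 1 )
        #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS 1  /* v1: unchanged */
    #else
        #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS 0  /* v2: was 1 */
    #endif
#endif
#if ( configUSE_MPU_WRAPPERS_V1 == 0 ) && ( configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS == 1 )
    #error "configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not supported with MPU wrappers v2"
#endif

/* Toy core: an MSR BASEPRI from unprivileged mode is silently ignored. */
#define SVC_RAISE_PRIVILEGE 2   /* SVC number assumed for the model */
typedef struct { bool privileged; uint8_t basepri; } core_t;

static void msr_basepri(core_t *c, uint8_t v) { if (c->privileged) c->basepri = v; }

/* SVC dispatch as in the port: the RAISE_PRIVILEGE case is compiled only for v1;
 * under v2 every unknown number hits the no-op default case. */
static void svc_handler(core_t *c, int svc_number, bool wrappers_v1) {
    if (wrappers_v1 && svc_number == SVC_RAISE_PRIVILEGE) c->privileged = true;
}

/* vPortEnterCritical() as seen by an unprivileged caller: raise privilege, then
 * write BASEPRI. Returns true only if interrupts were really masked. */
bool enter_critical_from_unprivileged(bool wrappers_v1, uint8_t max_syscall_prio) {
    core_t c = { .privileged = false, .basepri = 0 };
    svc_handler(&c, SVC_RAISE_PRIVILEGE, wrappers_v1);   /* portRAISE_PRIVILEGE() */
    msr_basepri(&c, max_syscall_prio);                   /* the BASEPRI write */
    return c.basepri == max_syscall_prio;
}

/* The value the guard above resolved at compile time (0 with the defaults). */
int effective_allow_setting(void) { return configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS; }
int main(void) {
    printf("v1 masks interrupts: %d, v2 masks interrupts: %d, allow=%d\n",
           enter_critical_from_unprivileged(true, 0x50),
           enter_critical_from_unprivileged(false, 0x50), effective_allow_setting());
    return 0;
}
```

With the defaults the guard resolves the option to 0 and compiles cleanly; compiling with -DconfigALLOW_UNPRIVILEGED_CRITICAL_SECTIONS=1 while leaving v2 selected hits the #error, which is the loud failure the PR wants instead of the silent one the v2 model path shows.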