From: Richard Patel <ripatel@wii.dev>
To: x86@kernel.org
Cc: Rick Edgecombe <rick.p.edgecombe@intel.com>,
	Yu-cheng Yu <yu-cheng.yu@intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@kernel.org>, Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>, "H. Peter Anvin" <hpa@zytor.com>,
	Andy Lutomirski <luto@kernel.org>, Kees Cook <kees@kernel.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Shuah Khan <shuah@kernel.org>,
	linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 4/7] x86: ban 32-bit sigreturn when user IBT enabled
Date: Sun, 17 May 2026 13:30:21 -0500
Message-ID: <20260517183024.16292-5-ripatel@wii.dev>
In-Reply-To: <20260517183024.16292-1-ripatel@wii.dev>

IBT enforces that indirect branch targets land on an endbr
instruction. The CPU enforces this by setting the 'WAIT_FOR_ENDBR'
bit after executing an indirect branch/jump.

The only relevant edge case with user IBT is signal handling:
When entering/leaving a signal handler, the WAIT_FOR_ENDBR bit must
be backed up/restored.

IBT is not implemented for 32-bit and cannot be enabled using a
32-bit syscall. However, a 64-bit thread could far jump into 32-bit.
Therefore, 32-bit sigreturn must be banned until IBT supports that
environment.

Signed-off-by: Richard Patel <ripatel@wii.dev>
Based-on-patch-by: Yu-cheng Yu <yu-cheng.yu@intel.com>
Link: https://lwn.net/ml/linux-kernel/20210830182221.3535-5-yu-cheng.yu@intel.com/
---
 arch/x86/kernel/signal_32.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/x86/kernel/signal_32.c b/arch/x86/kernel/signal_32.c
index e55cf19e68fe..7cb76d794366 100644
--- a/arch/x86/kernel/signal_32.c
+++ b/arch/x86/kernel/signal_32.c
@@ -143,6 +143,11 @@ static bool ia32_restore_sigcontext(struct pt_regs *regs,
 	regs->ds = fixup_rpl(sc.ds);
 #endif
 
+#ifdef CONFIG_X86_USER_IBT
+	if (current->thread.ibt)
+		return false;
+#endif
+
 	return fpu__restore_sig(compat_ptr(sc.fpstate), 1);
 }
 
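Review bot: the IBT check in ia32_restore_sigcontext() sits after the register restore (it follows `regs->ds = fixup_rpl(sc.ds);`), so by the time it returns false, pt_regs has already been overwritten from the user-supplied frame. Consider moving the `if (current->thread.ibt) return false;` test to the top of the function, before anything is loaded from the sigcontext, so a banned 32-bit sigreturn is rejected without touching register state. The `#ifdef CONFIG_X86_USER_IBT` block also carries no comment; one line above the check giving the reason from the commit message (IBT is not implemented for 32-bit, but a 64-bit thread with IBT enabled can far jump into 32-bit code) would keep the rationale next to the code.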
-- 
2.47.3

