From: Sean Christopherson <seanjc@google.com>
To: David Kaplan <david.kaplan@amd.com>
Cc: Thomas Gleixner <tglx@kernel.org>, Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	 Dave Hansen <dave.hansen@linux.intel.com>,
	x86@kernel.org,  "H. Peter Anvin" <hpa@zytor.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] x86/fpu: Disable shstk if no CET_USER state
Date: Fri, 3 Apr 2026 12:36:18 -0700	[thread overview]
Message-ID: <adAWsl016zKoyBgY@google.com> (raw)
In-Reply-To: <20260403154915.2285621-1-david.kaplan@amd.com>

On Fri, Apr 03, 2026, David Kaplan wrote:
> Some hypervisors (including QEMU 10.1.5) may report CET_SS support in
> CPUID Fn7 but fail to report that CET_USER state is supported in
> supervisor xstate.  Linux relies on XSAVES/XRSTORS to swap CET state
> during context switch and assumes it is supported when CET_SS is
> present.
> 
> As a result, if a user process is run with shadow stacks enabled and
> then is switched away from, the system may crash because the new process
> may be incorrectly run with shadow stacks enabled.
> 
> Detect this broken configuration and disable user shadow stacks unless
> CET_USER is supported in xstate.

It's not actually broken though, is it?  Just "odd".  AFAICT, neither the SDM
nor the APM _requires_ CET_{U,S} to be supported in XSS if shadow stacks are
supported.

> Signed-off-by: David Kaplan <david.kaplan@amd.com>
> ---
>  arch/x86/kernel/fpu/xstate.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
> index 76153dfb58c9..188323442b4d 100644
> --- a/arch/x86/kernel/fpu/xstate.c
> +++ b/arch/x86/kernel/fpu/xstate.c
> @@ -855,6 +855,17 @@ void __init fpu__init_system_xstate(unsigned int legacy_size)
>  		goto out_disable;
>  	}
>  
> +	if (boot_cpu_has(X86_FEATURE_USER_SHSTK) &&
> +	    !(fpu_kernel_cfg.max_features & XFEATURE_MASK_CET_USER)) {
> +		/*
> +		 * The kernel relies on XSAVES/XRSTORS to context switch shadow
> +		 * stack state.  If this isn't present, disable user shadow
> +		 * stacks.
> +		 */
> +		pr_err("x86/fpu: CET_USER not supported in xstate when CET is supported.  Disabling shadow stacks.\n");
> +		setup_clear_cpu_cap(X86_FEATURE_USER_SHSTK);

Doesn't this apply to IBT as well?  This code is also misplaced, as it needs to
live after at least this code:

	if (!cpu_feature_enabled(X86_FEATURE_XSAVES))
		fpu_kernel_cfg.max_features &= XFEATURE_MASK_USER_SUPPORTED;
	else
		fpu_kernel_cfg.max_features &= XFEATURE_MASK_USER_SUPPORTED |
					XFEATURE_MASK_SUPERVISOR_SUPPORTED;

and should probably play nice with the "out_disable" path too.

All in all, setup_cet() seems like a much better fit, but unfortunately that
runs before fpu__init_system() :-(

> +	}
> +
>  	fpu_kernel_cfg.independent_features = fpu_kernel_cfg.max_features &
>  					      XFEATURE_MASK_INDEPENDENT;
>  
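Review bot: the wording of the new `pr_err()` line does not match the condition above it: the check tests only `X86_FEATURE_USER_SHSTK`, yet the message says CET_USER is missing "when CET is supported", and the comment's "If this isn't present" leaves "this" unnamed. Suggest the message and comment name the exact feature being checked and the exact action taken, e.g. "x86/fpu: CET_USER xstate not enumerated; disabling user shadow stacks" and "If the CET_USER xstate component isn't present, disable user shadow stacks", so a log line from a guest on a hypervisor like the one in the commit message can be tied back to this check without reading the source.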
> 
> base-commit: d998c62f267213aeb815cf654908608eb7c00db2
> -- 
> 2.53.0
> 
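
The ordering point raised in the reply, as an added model that is not kernel code and not part of the patch: `mask_supported` mirrors the quoted masking of `fpu_kernel_cfg.max_features`, `shstk_check` mirrors the patch's condition, and the two `init_*` functions run them in each order. All feature bit values, struct names and function names are constructed for the model, not the real `XFEATURE_MASK_*` definitions.

```c
/* Added example, not kernel code: models the check-placement point from the reply.
 * Feature bits below are constructed for the model, not the real XFEATURE_MASK_* values. */
#include <stdbool.h>
#include <stdint.h>
#define XF_USER_SUPPORTED   0x0007ULL  /* FP, SSE, AVX (constructed) */
#define XF_CET_USER         0x0800ULL  /* supervisor component (constructed) */
#define XF_SUPERVISOR_SUPP  XF_CET_USER

struct cpu_model {
    bool has_xsaves;        /* XSAVES/XRSTORS usable */
    bool cpuid_user_shstk;  /* CET_SS enumerated in CPUID leaf 7 */
    uint64_t raw_xfeatures; /* all components CPUID says can be saved */
};
struct fpu_result { uint64_t max_features; bool user_shstk; };

/* Masking step quoted in the reply: drop supervisor state without XSAVES. */
static uint64_t mask_supported(const struct cpu_model *c, uint64_t f)
{
    if (!c->has_xsaves)
        return f & XF_USER_SUPPORTED;
    return f & (XF_USER_SUPPORTED | XF_SUPERVISOR_SUPP);
}

/* The patch's check: user shstk stays on only if CET_USER state is there. */
static bool shstk_check(bool shstk, uint64_t max_features)
{
    return shstk && (max_features & XF_CET_USER);
}

/* Check before masking, as in the posted hunk. */
struct fpu_result init_check_first(const struct cpu_model *c)
{
    struct fpu_result r = { c->raw_xfeatures, c->cpuid_user_shstk };
    r.user_shstk = shstk_check(r.user_shstk, r.max_features);
    r.max_features = mask_supported(c, r.max_features);
    return r;
}

/* Check after masking, as the reply asks for. */
struct fpu_result init_mask_first(const struct cpu_model *c)
{
    struct fpu_result r = { c->raw_xfeatures, c->cpuid_user_shstk };
    r.max_features = mask_supported(c, r.max_features);
    r.user_shstk = shstk_check(r.user_shstk, r.max_features);
    return r;
}

/* Safe iff shstk is never left on without CET_USER state to switch. */
bool consistent(struct fpu_result r) { return !r.user_shstk || (r.max_features & XF_CET_USER); }
```

With XSAVES absent but CET_USER enumerated, the check-first order leaves shadow stacks enabled after the masking removed the state needed to switch them, which is the unsafe combination; the mask-first order disables them.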
