Re: [PATCH v2 4/5] x86/vsyscall: Disable LASS if vsyscall mode is set to EMULATE
From: H. Peter Anvin
Date: Thu Mar 05 2026 - 17:47:47 EST
On 2026-03-05 13:40, Sohil Mehta wrote:
> The EMULATE mode of vsyscall maps the vsyscall page with a high kernel
> address directly into user address space. Reading the vsyscall page in
> EMULATE mode would cause LASS to trigger a #GP.
>
> Fixing the LASS violation in EMULATE mode would require complex
> instruction decoding because the resulting #GP does include the
> necessary error information, and the vsyscall address is not
> readily available in the RIP.
>
> The EMULATE mode has been deprecated since 2022 and can only be enabled
> using the command line parameter vsyscall=emulate. See commit
> bf00745e7791 ("x86/vsyscall: Remove CONFIG_LEGACY_VSYSCALL_EMULATE") for
> details. At this point, no one is expected to be using this insecure
> mode. The rare usages that need it obviously do not care about security.
>
> Disable LASS when EMULATE mode is requested to avoid breaking legacy
> user software. Also, update the vsyscall documentation to reflect this.
> LASS will only be supported if vsyscall mode is set to XONLY (default)
> or NONE.
>
> Signed-off-by: Sohil Mehta <sohil.mehta@xxxxxxxxx>
> Reviewed-by: Rick Edgecombe <rick.p.edgecombe@xxxxxxxxx>
> Reviewed-by: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
> ---
> Eventually, the plan is to get rid of the EMULATE mode altogether. Linus
> and AndyL seem to be okay with such a change. However, those changes are
> beyond the scope of this series.
>
> v2:
> - Picked up Dave's review tag
> - Removed unnecessary CR4 clearing during vsyscall_setup().
> CR4.LASS is enabled much later via a late_initcall().
> ---
> Documentation/admin-guide/kernel-parameters.txt | 4 +++-
> arch/x86/entry/vsyscall/vsyscall_64.c | 5 +++++
> 2 files changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index cb850e5290c2..64df2c52b2e5 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -8376,7 +8376,9 @@ Kernel parameters
>
> emulate Vsyscalls turn into traps and are emulated
> reasonably safely. The vsyscall page is
> - readable.
> + readable. This disables the Linear
> + Address Space Separation (LASS) security
> + feature and makes the system less secure.
>
> xonly [default] Vsyscalls turn into traps and are
> emulated reasonably safely. The vsyscall
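Review bot: The sentence added to the "emulate" entry does not say that the LASS disable is system-wide and that it only applies on CPUs where LASS would otherwise be enabled. The code hunk gates it on cpu_feature_enabled(X86_FEATURE_LASS), so a reader on older hardware may wonder what changed. Suggest wording along the lines of "On CPUs that support Linear Address Space Separation (LASS), this disables LASS for the whole system". The commit message states that LASS is only supported with xonly or none; noting that in those entries as well would help an admin comparing the three modes.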
> diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c
> index b34c8763d5e9..215ae07dd3c7 100644
> --- a/arch/x86/entry/vsyscall/vsyscall_64.c
> +++ b/arch/x86/entry/vsyscall/vsyscall_64.c
> @@ -62,6 +62,11 @@ static int __init vsyscall_setup(char *str)
> else
> return -EINVAL;
>
> + if (cpu_feature_enabled(X86_FEATURE_LASS) && vsyscall_mode == EMULATE) {
> + setup_clear_cpu_cap(X86_FEATURE_LASS);
> + pr_warn_once("x86/cpu: Disabling LASS due to vsyscall=emulate\n");
> + }
> +
> return 0;
> }
>
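Review bot: The new block in vsyscall_setup() has no comment explaining why clearing the feature bit with setup_clear_cpu_cap() is sufficient at this point. The only explanation is in the v2 changelog below the "---" (CR4.LASS is enabled much later via a late_initcall()), and that text will not survive into the tree. Suggest a short comment above the "if" recording that ordering assumption, so a later change to when LASS is enabled does not silently leave CR4.LASS set with vsyscall=emulate. Also, the pr_warn_once() string hard-codes an "x86/cpu:" prefix even though the message is emitted from arch/x86/entry/vsyscall/vsyscall_64.c; worth confirming that prefix is the intended one for this file.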
Reviewed-by: H. Peter Anvin (Intel) <hpa@xxxxxxxxx>