Re: [PATCH v2 3/5] x86/vsyscall: Restore vsyscall=xonly mode under LASS

[H. Peter Anvin]

On 2026-03-05 13:40, Sohil Mehta wrote:
> Background
> ==========
> The vsyscall page is located in the high/kernel part of the address
> space. Prior to LASS, a vsyscall page access from userspace would always
> generate a #PF. The kernel emulates the accesses in the #PF handler and
> returns the appropriate values to userspace.
> 
> Vsyscall emulation has two modes of operation, specified by the
> vsyscall={xonly, emulate} kernel command line option. The vsyscall page
> behaves as execute-only in XONLY mode or read-execute in EMULATE mode.
> XONLY mode is the default and the only one expected to be commonly used.
> The EMULATE mode has been deprecated since 2022 and is considered
> insecure.
> 
> With LASS, a vsyscall page access triggers a #GP instead of a #PF.
> Currently, LASS is only enabled when all vsyscall modes are disabled.
> 
> LASS with XONLY mode
> ====================
> Now add support for LASS specifically with XONLY vsyscall emulation. For
> XONLY mode, all that is needed is the faulting RIP, which is trivially
> available regardless of the type of fault. Reuse the #PF emulation code
> during the #GP when the fault address points to the vsyscall page.
> 
> As multiple fault handlers will now be using the emulation code, add a
> sanity check to ensure that the fault truly happened in 64-bit user
> mode.
> 
> LASS with EMULATE mode
> ======================
> Supporting vsyscall=emulate with LASS is much harder because the #GP
> doesn't provide enough error information (such as PFEC and CR2 as in
> case of a #PF). So, complex instruction decoding would be required to
> emulate this mode in the #GP handler.
> 
> This isn't worth the effort as remaining users of EMULATE mode can be
> reasonably assumed to be niche users, who are already trading off
> security for compatibility. LASS and vsyscall=emulate will be kept
> mutually exclusive for simplicity.
> 
> Signed-off-by: Sohil Mehta <sohil.mehta@xxxxxxxxx>
> ---
> v2:
>  - Rewrote the commit message
> ---
>  arch/x86/entry/vsyscall/vsyscall_64.c | 22 +++++++++++++++++-----
>  arch/x86/include/asm/vsyscall.h       |  6 ++++++
>  arch/x86/kernel/traps.c               |  4 ++++
>  3 files changed, 27 insertions(+), 5 deletions(-)
> 
> diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c
> index 5c6559c37c5b..b34c8763d5e9 100644
> --- a/arch/x86/entry/vsyscall/vsyscall_64.c
> +++ b/arch/x86/entry/vsyscall/vsyscall_64.c
> @@ -23,7 +23,7 @@
>   * soon be no new userspace code that will ever use a vsyscall.
>   *
>   * The code in this file emulates vsyscalls when notified of a page
> - * fault to a vsyscall address.
> + * fault or a general protection fault to a vsyscall address.
>   */
>  
>  #include <linux/kernel.h>
> @@ -118,10 +118,9 @@ static bool __emulate_vsyscall(struct pt_regs *regs, unsigned long address)
>  	long ret;
>  	unsigned long orig_dx;
>  
> -	/*
> -	 * No point in checking CS -- the only way to get here is a user mode
> -	 * trap to a high address, which means that we're in 64-bit user code.
> -	 */
> +	/* Confirm that the fault happened in 64-bit user mode */
> +	if (!user_64bit_mode(regs))
> +		return false;
>  
>  	if (vsyscall_mode == NONE) {
>  		warn_bad_vsyscall(KERN_INFO, regs,
> @@ -282,6 +281,19 @@ bool emulate_vsyscall_pf(unsigned long error_code, struct pt_regs *regs,
>  	return __emulate_vsyscall(regs, address);
>  }
>  
> +bool emulate_vsyscall_gp(struct pt_regs *regs)
> +{
> +	/* Without LASS, vsyscall accesses are expected to generate a #PF */
> +	if (!cpu_feature_enabled(X86_FEATURE_LASS))
> +		return false;
> +
> +	/* Emulate only if the RIP points to the vsyscall address */
> +	if (!is_vsyscall_vaddr(regs->ip))
> +		return false;
> +
> +	return __emulate_vsyscall(regs, regs->ip);
> +}
> +
>  /*
>   * A pseudo VMA to allow ptrace access for the vsyscall page.  This only
>   * covers the 64bit vsyscall page now. 32bit has a real VMA now and does
> diff --git a/arch/x86/include/asm/vsyscall.h b/arch/x86/include/asm/vsyscall.h
> index f34902364972..538053b1656a 100644
> --- a/arch/x86/include/asm/vsyscall.h
> +++ b/arch/x86/include/asm/vsyscall.h
> @@ -15,6 +15,7 @@ extern void set_vsyscall_pgtable_user_bits(pgd_t *root);
>   * Returns true if handled.
>   */
>  bool emulate_vsyscall_pf(unsigned long error_code, struct pt_regs *regs, unsigned long address);
> +bool emulate_vsyscall_gp(struct pt_regs *regs);
>  #else
>  static inline void map_vsyscall(void) {}
>  static inline bool emulate_vsyscall_pf(unsigned long error_code,
> @@ -22,6 +23,11 @@ static inline bool emulate_vsyscall_pf(unsigned long error_code,
>  {
>  	return false;
>  }
> +
> +static inline bool emulate_vsyscall_gp(struct pt_regs *regs)
> +{
> +	return false;
> +}
>  #endif
>  
>  /*
> diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
> index 614a281bd419..0ca3912ecb7f 100644
> --- a/arch/x86/kernel/traps.c
> +++ b/arch/x86/kernel/traps.c
> @@ -70,6 +70,7 @@
>  #include <asm/tdx.h>
>  #include <asm/cfi.h>
>  #include <asm/msr.h>
> +#include <asm/vsyscall.h>
>  
>  #ifdef CONFIG_X86_64
>  #include <asm/x86_init.h>
> @@ -938,6 +939,9 @@ DEFINE_IDTENTRY_ERRORCODE(exc_general_protection)
>  		if (fixup_umip_exception(regs))
>  			goto exit;
>  
> +		if (emulate_vsyscall_gp(regs))
> +			goto exit;
> +
>  		gp_user_force_sig_segv(regs, X86_TRAP_GP, error_code, desc);
>  		goto exit;
>  	}

Reviewed-by: H. Peter Anvin (Intel) <hpa@xxxxxxxxx>