[PATCH] x86/fpu: Disable shstk if no CET_USER state

Next message: Lizhi Hou: "Re: [PATCH V2] accel/amdxdna: Adjust size for copy_to_user()"
Previous message: guibing: "Re: [BUG] riscv: Kernel panic in free_initmem when driver triggers modprobe"
Next in thread: Sean Christopherson: "Re: [PATCH] x86/fpu: Disable shstk if no CET_USER state"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Kaplan

Date: Fri Apr 03 2026 - 11:52:54 EST

Some hypervisors (including QEMU 10.1.5) may report CET_SS support in
CPUID Fn7 but fail to report that CET_USER state is supported in
supervisor xstate. Linux relies on XSAVES/XRSTORS to swap CET state
during context switch and assumes it is supported when CET_SS is
present.

As a result, if a user process is run with shadow stacks enabled and
then is switched away from, the system may crash because the new process
may be incorrectly run with shadow stacks enabled.

Detect this broken configuration and disable user shadow stacks unless
CET_USER is supported in xstate.

Signed-off-by: David Kaplan <david.kaplan@xxxxxxx>
---
arch/x86/kernel/fpu/xstate.c | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
index 76153dfb58c9..188323442b4d 100644
--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
@@ -855,6 +855,17 @@ void __init fpu__init_system_xstate(unsigned int legacy_size)
goto out_disable;
}

+ if (boot_cpu_has(X86_FEATURE_USER_SHSTK) &&
+ !(fpu_kernel_cfg.max_features & XFEATURE_MASK_CET_USER)) {
+ /*
+ * The kernel relies on XSAVES/XRSTORS to context switch shadow
+ * stack state. If this isn't present, disable user shadow
+ * stacks.
+ */
+ pr_err("x86/fpu: CET_USER not supported in xstate when CET is supported. Disabling shadow stacks.\n");
+ setup_clear_cpu_cap(X86_FEATURE_USER_SHSTK);
+ }
+
fpu_kernel_cfg.independent_features = fpu_kernel_cfg.max_features &
XFEATURE_MASK_INDEPENDENT;

base-commit: d998c62f267213aeb815cf654908608eb7c00db2
--
2.53.0