Re: [PATCH v2 00/13] Dynamic Kernel Stacks

From: H. Peter Anvin

Date: Thu Jun 25 2026 - 17:55:21 EST

On June 25, 2026 4:56:00 AM PDT, Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote:
>> However, I'd still like to work with you to understand what feasible
>> path forward you see, hoping you can proactively steer us away from
>> some of the bigger headaches.
>>
>> I think we are fine being forward-looking, and only supporting this
>> for FRED (which is on our doorstep). That said, understanding the
>> issues you foresee with the IST approach
>
>For IST, read
>https://docs.google.com/document/d/1hWejnyDkjRRAW-JEsRjA5c9CKLOPc6VKJQsuvODlQEI/edit?usp=sharing
>
>This was written prior to the first public drafts of FRED and SEE specs,
>and FRED evolved quite a lot from the first draft to where we are today.
>
>> would still be valuable, as
>> it might save us internal trouble should we choose to carry it
>> temporarily to bridge the gap with FRED.
>
>A lot has been said about the invasiveness and tradeoffs.  I don't wish
>to dwell on or rehash that.
>
>There is one critical point which has not been made as far as I can tell:
>
>In x86, if delivering an interrupt (NMI or INTR) causes an exception
>(any exception, not just pagefault), the original interrupt is lost.
>
>If you are aware of this, then in principle you can look at the LAPIC
>state to figure out when an INTR was missed.  However there is no
>ability at all to figure out when an NMI was missed.  Worse, it is both
>vendor and IDT-vs-FRED specific as to whether NMIs are blocked following
>a missed NMI, and that too is state you cannot recover.
>
>If you wish to make dynamic stacks works, then you *must* find a
>non-fault based approach on x86.
>
>~Andrew

Yes, this is why I said interrupts would absolutely need to be on a separate stack.

As one of the FRED architects: there was a lot of desire to fix every single little bit of the systems architecture with the first release of FRED, but in that case it would simply never have gotten released, so a key criterion became if some specific improvement would tie fundamentally to FRED or if it can be done separately (possibly specifically in FRED mode.)

At the time, there was absolutely no interest in paging kernel stacks from any OS, and I think you will find when you dig into it that it might very well mean having to promote most, if not all, exceptions onto an SL1 stack in the end.