List-Id: Xen developer discussion
Date: Wed, 8 Apr 2026 14:22:31 +0200
Subject: [PATCH v2 1/3] x86: record SSP at non-guest entry points
From: Jan Beulich
To: "xen-devel@lists.xenproject.org"
Cc: Andrew Cooper, Roger Pau Monné, Teddy Astie

We will want to use that value for call trace generation, and likely also to eliminate the somewhat fragile shadow stack searching done in fixup_exception_return(). For those purposes, guest-only entry points do not need to record that value.

To keep the saving code simple, record our own SSP that corresponds to an exception frame, pointing to the top of the shadow stack counterpart of what the CPU has saved on the regular stack. Consuming code can then work its way from there.

Signed-off-by: Jan Beulich
---
For PUSH_AND_CLEAR_GPRS and POP_GPRS, putting the new field right next to the error code isn't entirely nice; putting it ahead of %r15 would entail other changes, though. An option may be to not make SSP handling part of the macros in the first place. Thoughts?

For POP_GPRS, does it really matter that it doesn't alter EFLAGS? Neither of the two current uses relies on it, and without that requirement we could use ADD in place of LEA. (Of course there are also POP-based ways of getting rid of the SSP slot.)
---
v2: Add comment ahead of SAVE_ALL. Add comma between its parameters. Re-base.

--- a/xen/arch/x86/hvm/svm/entry.S +++ b/xen/arch/x86/hvm/svm/entry.S @@ -103,7 +103,7 @@ __UNLIKELY_END(nsvm_hap) =20 vmrun =20 - SAVE_ALL + SAVE_ALL ssp=3D0 =20 GET_CURRENT(bx) =20 --- a/xen/arch/x86/hvm/vmx/entry.S +++ b/xen/arch/x86/hvm/vmx/entry.S @@ -22,7 +22,7 @@ #include =20 FUNC(vmx_asm_vmexit_handler) - SAVE_ALL + SAVE_ALL ssp=3D0 =20 mov %cr2,%rax GET_CURRENT(bx) @@ -171,7 +171,7 @@ UNLIKELY_END(realmode) =20 .Lvmx_vmentry_fail: sti - SAVE_ALL + SAVE_ALL ssp=3D0 =20 /* * SPEC_CTRL_ENTRY notes --- a/xen/arch/x86/include/asm/asm_defns.h +++ b/xen/arch/x86/include/asm/asm_defns.h 
@@ -219,7 +219,11 @@ static always_inline void stac(void) #endif =20 #ifdef __ASSEMBLER__ -.macro SAVE_ALL compat=3D0 +/* + * Use sites may override ssp to 0. It should never be overridden to 1. + * NB: compat=3D1 implies ssp=3D0. + */ +.macro SAVE_ALL compat=3D0, ssp=3DIS_ENABLED(CONFIG_XEN_SHSTK) addq $-(UREGS_error_code-UREGS_r15), %rsp cld movq %rdi,UREGS_rdi(%rsp) @@ -233,6 +237,9 @@ static always_inline void stac(void) movq %rax,UREGS_rax(%rsp) xor %eax, %eax .if !\compat +.if \ssp + rdsspq %rcx +.endif movq %r8,UREGS_r8(%rsp) movq %r9,UREGS_r9(%rsp) movq %r10,UREGS_r10(%rsp) @@ -262,6 +269,9 @@ static always_inline void stac(void) xor %r13d, %r13d xor %r14d, %r14d xor %r15d, %r15d +#ifdef CONFIG_XEN_SHSTK + mov %rcx, UREGS_entry_ssp(%rsp) +#endif .endm =20 #define LOAD_ONE_REG(reg, compat) \ @@ -313,9 +323,14 @@ static always_inline void stac(void) .endm =20 /* - * Push and clear GPRs + * Push and clear GPRs. + * + * Use sites may override ssp to 0. It should never be overridden to 1. */ -.macro PUSH_AND_CLEAR_GPRS +.macro PUSH_AND_CLEAR_GPRS ssp=3DIS_ENABLED(CONFIG_XEN_SHSTK) +#ifdef CONFIG_XEN_SHSTK + push $0 +#endif push %rdi xor %edi, %edi push %rsi @@ -326,6 +341,9 @@ static always_inline void stac(void) xor %ecx, %ecx push %rax xor %eax, %eax + .if \ssp + rdsspq %rcx + .endif push %r8 xor %r8d, %r8d push %r9 @@ -352,6 +370,9 @@ static always_inline void stac(void) xor %r14d, %r14d push %r15 xor %r15d, %r15d + .if \ssp + mov %rcx, UREGS_entry_ssp(%rsp) + .endif .endm =20 /* @@ -373,6 +394,9 @@ static always_inline void stac(void) pop %rdx pop %rsi pop %rdi +#ifdef CONFIG_XEN_SHSTK + lea 8(%rsp), %rsp +#endif .endm =20 #ifdef CONFIG_PV32 --- a/xen/arch/x86/include/asm/cpu-user-regs.h +++ b/xen/arch/x86/include/asm/cpu-user-regs.h 
@@ -27,6 +27,15 @@ struct cpu_user_regs union { uint64_t rsi; uint32_t esi; uint16_t si; uint8_t sil;= }; union { uint64_t rdi; uint32_t edi; uint16_t di; uint8_t dil;= }; =20 +#ifdef CONFIG_XEN_SHSTK + /* + * This points _at_ the corresponding shadow stack frame; it is _not_ = the + * outer context's SSP. That, if the outer context has CET-SS enabled, + * is stored in the top slot of the pointed to shadow stack frame. + */ + uint64_t entry_ssp; +#endif + /* * During IDT delivery for exceptions with an error code, hardware pus= hes * to this point. Entry_vector is filled in by software. --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -53,6 +53,9 @@ void __dummy__(void) OFFSET(UREGS_eflags, struct cpu_user_regs, rflags); OFFSET(UREGS_rsp, struct cpu_user_regs, rsp); OFFSET(UREGS_ss, struct cpu_user_regs, ss); +#ifdef CONFIG_XEN_SHSTK + OFFSET(UREGS_entry_ssp, struct cpu_user_regs, entry_ssp); +#endif DEFINE(UREGS_kernel_sizeof, sizeof(struct cpu_user_regs)); BLANK(); =20 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -275,7 +275,7 @@ FUNC(lstar_enter) pushq $0 BUILD_BUG_ON(TRAP_syscall & 0xff) movb $TRAP_syscall >> 8, EFRAME_entry_vector + 1(%rsp) - SAVE_ALL + SAVE_ALL ssp=3D0 =20 GET_STACK_END(14) =20 @@ -315,7 +315,7 @@ FUNC(cstar_enter) pushq $0 BUILD_BUG_ON(TRAP_syscall & 0xff) movb $TRAP_syscall >> 8, EFRAME_entry_vector + 1(%rsp) - SAVE_ALL + SAVE_ALL ssp=3D0 =20 GET_STACK_END(14) =20 @@ -359,7 +359,7 @@ LABEL(sysenter_eflags_saved, 0) pushq $0 BUILD_BUG_ON(TRAP_syscall & 0xff) movb $TRAP_syscall >> 8, EFRAME_entry_vector + 1(%rsp) - SAVE_ALL + SAVE_ALL ssp=3D0 =20 GET_STACK_END(14) =20 @@ -415,7 +415,7 @@ FUNC(entry_int80) ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP pushq $0 movb $0x80, EFRAME_entry_vector(%rsp) - SAVE_ALL + SAVE_ALL ssp=3D0 =20 GET_STACK_END(14) =20 --- a/xen/arch/x86/x86_64/entry-fred.S +++ b/xen/arch/x86/x86_64/entry-fred.S 
@@ -10,7 +10,7 @@ /* The Ring3 entry point is required to be 4k aligned. */ =20 FUNC(entry_FRED_R3, 4096) - PUSH_AND_CLEAR_GPRS + PUSH_AND_CLEAR_GPRS ssp=3D0 =20 mov %rsp, %rdi call entry_from_pv 
@@ -38,7 +38,7 @@ LABEL(eretu, 0) END(eretu_exit_to_guest) =20 FUNC(eretu_error_dom_crash) - PUSH_AND_CLEAR_GPRS + PUSH_AND_CLEAR_GPRS ssp=3D0 sti call asm_domain_crash_synchronous /* Does not return */ END(eretu_error_dom_crash)
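
Review bot: In SAVE_ALL (xen/arch/x86/include/asm/asm_defns.h) the read `rdsspq %rcx` is guarded by `.if \ssp`, but the store `mov %rcx, UREGS_entry_ssp(%rsp)` at the end of the macro is guarded only by `#ifdef CONFIG_XEN_SHSTK`. For `ssp=0` use sites the slot therefore receives whatever %rcx holds at that point, and the hunks do not show that %rcx has been zeroed by then. Either put the store under the same `.if \ssp` and zero the slot explicitly otherwise, or add a comment saying the store relies on %rcx already being clear. PUSH_AND_CLEAR_GPRS uses the other pattern (`push $0` plus a store under `.if \ssp`), so this would also make the two macros consistent.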
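
Review bot: After the final `mov %rcx, UREGS_entry_ssp(%rsp)` in PUSH_AND_CLEAR_GPRS, %rcx still holds the value read by `rdsspq`, although the macro cleared it earlier with `xor %ecx, %ecx` and is documented as "Push and clear GPRs"; the end of SAVE_ALL has the same pattern. Add an `xor %ecx, %ecx` after the store, or document why a live SSP in %rcx on exit from the macro is acceptable, so that the macro's clearing contract stays explicit.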
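
Review bot: The new comment on entry_ssp in struct cpu_user_regs (xen/arch/x86/include/asm/cpu-user-regs.h) does not say what the field holds for frames built with `ssp=0`, which this patch selects at the guest-only entry points in entry.S, entry-fred.S and the SVM/VMX exit paths, where no `rdsspq` is executed. State in the comment what value such frames carry and that consumers must not follow the pointer for them.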

Message-ID: <79c90706-0530-4b72-9b43-f003dfe87291@suse.com>
Date: Wed, 8 Apr 2026 14:23:11 +0200
Subject: [PATCH v2 2/3] x86/traps: use entry_ssp in fixup_exception_return()
From: Jan Beulich
To: "xen-devel@lists.xenproject.org"
Cc: Andrew Cooper, Roger Pau Monné, Teddy Astie

With the value recorded on entry there's no need anymore to go hunt for the respective exception frame on the shadow stack. By deriving "ptr" from that field (without any offset), it then ends up pointing one slot lower than before. Therefore all array indexes need incrementing, nicely doing away with all the negative ones.

Signed-off-by: Jan Beulich
---
Indentation of the prior inner (but not innermost) if()'s body is deliberately left untouched, to aid review. It'll be adjusted in a separate follow-on patch.
---
v2: IS_ENABLED() -> #ifdef. Re-base.

--- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c @@ -690,19 +690,6 @@ unsigned long get_stack_trace_bottom(uns } } =20 -static unsigned long get_shstk_bottom(unsigned long sp) -{ - /* SAF-11-safe */ - switch ( get_stack_page(sp) ) - { -#ifdef CONFIG_XEN_SHSTK - case 0: return ROUNDUP(sp, IST_SHSTK_SIZE) - sizeof(unsigned long); - case 5: return ROUNDUP(sp, PAGE_SIZE) - sizeof(unsigned long); -#endif - default: return sp - sizeof(unsigned long); - } -} - unsigned long get_stack_dump_bottom(unsigned long sp) { switch ( get_stack_page(sp) ) 
@@ -1187,26 +1174,28 @@ void asmlinkage noreturn do_unhandled_tr static void fixup_exception_return(struct cpu_user_regs *regs, unsigned long fixup, unsigned long stub= _ra) { - if ( IS_ENABLED(CONFIG_XEN_SHSTK) ) +#ifdef CONFIG_XEN_SHSTK { - unsigned long ssp, *ptr, *base; + unsigned long ssp =3D rdssp(); =20 - if ( (ssp =3D rdssp()) =3D=3D SSP_NO_SHSTK ) - goto shstk_done; + if ( ssp !=3D SSP_NO_SHSTK ) + { + unsigned long *ptr =3D _p(regs->entry_ssp); + unsigned long primary_shstk =3D + (ssp & ~(STACK_SIZE - 1)) + + (PRIMARY_SHSTK_SLOT + 1) * PAGE_SIZE - 8; =20 - ptr =3D _p(ssp); - base =3D _p(get_shstk_bottom(ssp)); + BUG_ON((regs->entry_ssp ^ primary_shstk) >> PAGE_SHIFT); =20 - for ( ; ptr < base; ++ptr ) - { /* - * Search for %rip. The shstk currently looks like this: + * The shstk currently looks like this: * * tok [Supervisor token, =3D=3D &tok | BUSY, only with FRE= D inactive] * ... [Pointed to by SSP for most exceptions, empty in IST= cases] * %cs [=3D=3D regs->cs] * %rip [=3D=3D regs->rip] - * SSP [Likely points to 3 slots higher, above %cs] + * SSP [Pointed to by entry_ssp; Likely points to 3 slots + * higher, above %cs] * ... [call tree to this function, likely 2/3 slots] * * and we want to overwrite %rip with fixup. There are two @@ -1219,13 +1208,10 @@ static void fixup_exception_return(struc * * Check for both regs->rip and regs->cs matching. */ - if ( ptr[0] =3D=3D regs->rip && ptr[1] =3D=3D regs->cs ) - { - unsigned long primary_shstk =3D - (ssp & ~(STACK_SIZE - 1)) + - (PRIMARY_SHSTK_SLOT + 1) * PAGE_SIZE - 8; + BUG_ON(ptr[1] !=3D regs->rip || ptr[2] !=3D regs->cs); =20 - wrss(fixup, ptr); + { + wrss(fixup, &ptr[1]); =20 if ( !stub_ra ) goto shstk_done; @@ -1242,7 +1228,7 @@ static void fixup_exception_return(struc * - if we're on an IST stack, we need to increment the * original SSP. */ - BUG_ON((ptr[-1] ^ primary_shstk) >> PAGE_SHIFT); + BUG_ON((ptr[0] ^ primary_shstk) >> PAGE_SHIFT); =20 if ( (ssp ^ primary_shstk) >> PAGE_SHIFT ) { 
@@ -1251,39 +1237,30 @@ static void fixup_exception_return(struc * addresses actually match. Then increment the inter= rupted * context's SSP. */ - BUG_ON(stub_ra !=3D *(unsigned long*)ptr[-1]); - wrss(ptr[-1] + 8, &ptr[-1]); + BUG_ON(stub_ra !=3D *(unsigned long*)ptr[0]); + wrss(ptr[0] + 8, &ptr[0]); goto shstk_done; } =20 /* Make sure the two return addresses actually match. */ - BUG_ON(stub_ra !=3D ptr[2]); + BUG_ON(stub_ra !=3D ptr[3]); =20 /* Move exception frame, updating SSP there. */ - wrss(ptr[1], &ptr[2]); /* %cs */ - wrss(ptr[0], &ptr[1]); /* %rip */ - wrss(ptr[-1] + 8, &ptr[0]); /* SSP */ + wrss(ptr[2], &ptr[3]); /* %cs */ + wrss(ptr[1], &ptr[2]); /* %rip */ + wrss(ptr[0] + 8, &ptr[1]); /* SSP */ =20 /* Move all newer entries. */ - while ( --ptr !=3D _p(ssp) ) - wrss(ptr[-1], &ptr[0]); + while ( ptr-- !=3D _p(ssp) ) + wrss(ptr[0], &ptr[1]); =20 /* Finally account for our own stack having shifted up. */ asm volatile ( "incsspd %0" :: "r" (2) ); - - goto shstk_done; } } - - /* - * We failed to locate and fix up the shadow IRET frame. This cou= ld - * be due to shadow stack corruption, or bad logic above. We cann= ot - * continue executing the interrupted context. - */ - BUG(); - } shstk_done: +#endif /* CONFIG_XEN_SHSTK */ =20 /* Fixup the regular stack. 
*/ regs->rip =3D fixup;
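
Review bot: The new `BUG_ON((regs->entry_ssp ^ primary_shstk) >> PAGE_SHIFT)` at the top of the block in fixup_exception_return() requires the recorded frame to lie in the primary shadow stack page, yet the code further down still tests `(ssp ^ primary_shstk) >> PAGE_SHIFT` to handle running on an IST shadow stack. In that case the frame entry_ssp points at would presumably sit on the same IST shadow stack as ssp, so this check would fire before the IST branch is reached. Please confirm which stacks entry_ssp can point into here; if IST frames are possible, compare against the page of ssp instead, and if they are not, the IST branch and its comment can go.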
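
Review bot: The rewritten loop `while ( ptr-- != _p(ssp) )` terminates only if entry_ssp is at or above ssp. Previously ptr was reached by walking up from ssp, so that held by construction; now it comes from regs->entry_ssp, and the checks on it are the page comparison and the %rip/%cs match, neither of which bounds it against ssp. Add a `BUG_ON(regs->entry_ssp < ssp)` next to the existing BUG_ON so a bad value fails cleanly instead of issuing wrss writes further down the shadow stack.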

Message-ID: <4bcc73db-38da-446e-b277-cf94c49002a1@suse.com>
Date: Wed, 8 Apr 2026 14:23:45 +0200
Subject: [PATCH v2 3/3] x86: prefer shadow stack for producing call traces
From: Jan Beulich
To: "xen-devel@lists.xenproject.org"
Cc: Andrew Cooper, Roger Pau Monné, Teddy Astie

Shadow stacks contain little more than return addresses, and they in particular allow precise call traces also without FRAME_POINTER.

Signed-off-by: Jan Beulich
---
While the 'E' for exception frames is probably okay, I'm not overly happy with the 'C' (for CET). I would have preferred 'S' (for shadow), but we use that character already.

As an alternative to suppressing output for the top level exception frame, adding the new code ahead of the 'R' output line (and then also ahead of the stack top read) could be considered.

Perhaps having a printk() for the PV entry case is meaningless, for
- no frame being pushed when entered from CPL=3 (64-bit PV),
- no entry possible from CPL<3 (32-bit PV disabled when CET is active)?
In which case the comment probably should just be "Bogus." and the code merely be "break;".

Quite likely a number of other uses of is_active_kernel_text() also want amending with in_stub().
---
v2: IS_ENABLED() -> #ifdef. Re-base.

--- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c @@ -48,6 +48,7 @@ #include #include #include +#include #include #include #include @@ -705,6 +706,13 @@ unsigned long get_stack_dump_bottom(unsi } } =20 +#ifdef CONFIG_XEN_SHSTK +static bool in_stub(unsigned long addr) +{ + return !((this_cpu(stubs.addr) ^ addr) >> STUB_BUF_SHIFT); +} +#endif + #if !defined(CONFIG_FRAME_POINTER) =20 /*
@@ -797,6 +805,52 @@ static void show_trace(const struct cpu_ !is_active_kernel_text(tos) ) printk(" [<%p>] R %pS\n", _p(regs->rip), _p(regs->rip)); =20 +#ifdef CONFIG_XEN_SHSTK + if ( rdssp() !=3D SSP_NO_SHSTK ) + { + const unsigned long *ptr =3D _p(regs->entry_ssp); + unsigned int n; + + for ( n =3D 0; (unsigned long)ptr & (PAGE_SIZE - sizeof(*ptr)); ++= n ) + { + unsigned long val =3D *ptr; + + if ( is_active_kernel_text(val) || in_stub(val) ) + { + /* Normal return address entry. */ + printk(" [<%p>] C %pS\n", _p(val), _p(val)); + ++ptr; + } + else if ( !((val ^ *ptr) >> (PAGE_SHIFT + STACK_ORDER)) ) + { + if ( val & (sizeof(val) - 1) ) + { + /* Most likely a supervisor token. */ + break; + } + + /* + * Ought to be a hypervisor interruption frame. But don't + * (re)log the current frame's %rip. + */ + if ( n || ptr[1] !=3D regs->rip ) + printk(" [<%p>] E %pS\n", _p(ptr[1]), _p(ptr[1])); + ptr =3D _p(val); + } + else + { + /* Ought to be a PV guest hypercall/interruption frame. */ + printk(" %04lx:[<%p>] E\n", ptr[2], _p(ptr[1])); + ptr =3D 0; + } + } + + /* Fall back to legacy stack trace if nothing was logged at all. */ + if ( n ) + return; + } +#endif /* CONFIG_XEN_SHSTK */ + if ( fault ) { printk(" [Fault on access]\n");
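Review bot: in_stub() in the @@ -705,6 +706,13 @@ hunk wants a short comment saying what the XOR-and-shift test accepts: any addr in the same 2^STUB_BUF_SHIFT-aligned block as this_cpu(stubs.addr), which means only the current CPU's stub buffer. If stubs.addr can still be zero for this CPU when a trace is produced, the test would match low addresses, so that case deserves a word too. Should the other is_active_kernel_text() users mentioned in the remarks be switched over as well, the CONFIG_XEN_SHSTK guard around the helper would have to go.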
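Review bot: in the show_trace() hunk (@@ -797,6 +805,52 @@) the test !((val ^ *ptr) >> (PAGE_SHIFT + STACK_ORDER)) is always true, because val was loaded from *ptr just above and the XOR is therefore zero, so the final else branch for PV guest frames can never be reached. Comparing val against the slot's own address, (unsigned long)ptr, looks like what was meant, so that only values pointing into the same stack are followed by ptr = _p(val). Separately, n counts loop iterations rather than lines printed: a first iteration that suppresses the 'E' line for the current frame's %rip, followed by the supervisor token break, returns with nothing logged, contrary to the "Fall back to legacy stack trace" comment. A flag set at each printk() would match that comment.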