arch/x86/kernel/fpu/xstate.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
Some hypervisors (including QEMU 10.1.5) may report CET_SS support in
CPUID Fn7 but fail to report that CET_USER state is supported in
supervisor xstate. Linux relies on XSAVES/XRSTORS to swap CET state
during context switch and assumes it is supported when CET_SS is
present.
As a result, if a user process is run with shadow stacks enabled and
then is switched away from, the system may crash because the new process
may be incorrectly run with shadow stacks enabled.
Detect this broken configuration and disable user shadow stacks unless
CET_USER is supported in xstate.
Signed-off-by: David Kaplan <david.kaplan@amd.com>
---
arch/x86/kernel/fpu/xstate.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
index 76153dfb58c9..188323442b4d 100644
--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
@@ -855,6 +855,17 @@ void __init fpu__init_system_xstate(unsigned int legacy_size)
goto out_disable;
}
+ if (boot_cpu_has(X86_FEATURE_USER_SHSTK) &&
+ !(fpu_kernel_cfg.max_features & XFEATURE_MASK_CET_USER)) {
+ /*
+ * The kernel relies on XSAVES/XRSTORS to context switch shadow
+ * stack state. If this isn't present, disable user shadow
+ * stacks.
+ */
+ pr_err("x86/fpu: CET_USER not supported in xstate when CET is supported. Disabling shadow stacks.\n");
+ setup_clear_cpu_cap(X86_FEATURE_USER_SHSTK);
+ }
+
fpu_kernel_cfg.independent_features = fpu_kernel_cfg.max_features &
XFEATURE_MASK_INDEPENDENT;
base-commit: d998c62f267213aeb815cf654908608eb7c00db2
--
2.53.0On Fri, Apr 03, 2026, David Kaplan wrote:
> Some hypervisors (including QEMU 10.1.5) may report CET_SS support in
> CPUID Fn7 but fail to report that CET_USER state is supported in
> supervisor xstate. Linux relies on XSAVES/XRSTORS to swap CET state
> during context switch and assumes it is supported when CET_SS is
> present.
>
> As a result, if a user process is run with shadow stacks enabled and
> then is switched away from, the system may crash because the new process
> may be incorrectly run with shadow stacks enabled.
>
> Detect this broken configuration and disable user shadow stacks unless
> CET_USER is supported in xstate.
It's not actually broken though, is it? Just "odd". AFAICT, neither the SDM
nor the APM _requires_ CET_{U,S} to be supported in XSS if shadow stacks are
suppported.
> Signed-off-by: David Kaplan <david.kaplan@amd.com>
> ---
> arch/x86/kernel/fpu/xstate.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
> index 76153dfb58c9..188323442b4d 100644
> --- a/arch/x86/kernel/fpu/xstate.c
> +++ b/arch/x86/kernel/fpu/xstate.c
> @@ -855,6 +855,17 @@ void __init fpu__init_system_xstate(unsigned int legacy_size)
> goto out_disable;
> }
>
> + if (boot_cpu_has(X86_FEATURE_USER_SHSTK) &&
> + !(fpu_kernel_cfg.max_features & XFEATURE_MASK_CET_USER)) {
> + /*
> + * The kernel relies on XSAVES/XRSTORS to context switch shadow
> + * stack state. If this isn't present, disable user shadow
> + * stacks.
> + */
> + pr_err("x86/fpu: CET_USER not supported in xstate when CET is supported. Disabling shadow stacks.\n");
> + setup_clear_cpu_cap(X86_FEATURE_USER_SHSTK);
Doesn't this apply to IBT as well? This code is also misplaced, as it needs to
live after at least this code:
if (!cpu_feature_enabled(X86_FEATURE_XSAVES))
fpu_kernel_cfg.max_features &= XFEATURE_MASK_USER_SUPPORTED;
else
fpu_kernel_cfg.max_features &= XFEATURE_MASK_USER_SUPPORTED |
XFEATURE_MASK_SUPERVISOR_SUPPORTED;
and should probably play nice with the "out_disable" path too.
All in all, setup_cet() seems like a much better fit, but unfortunately that
runs before fpu__init_system() :-(
> + }
> +
> fpu_kernel_cfg.independent_features = fpu_kernel_cfg.max_features &
> XFEATURE_MASK_INDEPENDENT;
>
>
> base-commit: d998c62f267213aeb815cf654908608eb7c00db2
> --
> 2.53.0
>
© 2016 - 2026 Red Hat, Inc.