[PATCH v2] x86/fpu: Disable shstk if no CET_USER state

From: David Kaplan

Date: Wed Apr 08 2026 - 10:35:51 EST


Some hypervisors (including QEMU 10.1.5) may report CET_SS support in
CPUID Fn7 but fail to report that CET_USER state is supported in
supervisor xstate. Linux relies on XSAVES/XRSTORS to swap CET state
during context switch and assumes it is supported when CET_SS is
present.

As a result, if a user process is run with shadow stacks enabled and
then is switched away from, the system may crash because the new process
may be incorrectly run with shadow stacks enabled.

Detect this broken configuration and disable user shadow stacks unless
CET_USER is supported in xstate.

v2:
- Moved check to later location after fpu_kernel_cfg.max_features is
finalized.

Signed-off-by: David Kaplan <david.kaplan@xxxxxxx>
---
arch/x86/kernel/fpu/xstate.c | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
index 76153dfb58c9..fb0412224005 100644
--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
@@ -878,6 +878,17 @@ void __init fpu__init_system_xstate(unsigned int legacy_size)
fpu_kernel_cfg.max_features &= XFEATURE_MASK_USER_SUPPORTED |
XFEATURE_MASK_SUPERVISOR_SUPPORTED;

+ if (boot_cpu_has(X86_FEATURE_USER_SHSTK) &&
+ !(fpu_kernel_cfg.max_features & XFEATURE_MASK_CET_USER)) {
+ /*
+ * The kernel relies on XSAVES/XRSTORS to context switch shadow
+ * stack state. If this isn't present, disable user shadow
+ * stacks.
+ */
+ pr_err("x86/fpu: CET_USER not supported in xstate when CET is supported. Disabling shadow stacks.\n");
+ setup_clear_cpu_cap(X86_FEATURE_USER_SHSTK);
+ }
+
fpu_user_cfg.max_features = fpu_kernel_cfg.max_features;
fpu_user_cfg.max_features &= XFEATURE_MASK_USER_SUPPORTED;
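Review bot: The comment and the pr_err() text in the added block do not name the condition that is actually tested. The comment says "If this isn't present" without saying what "this" is, and the message says "when CET is supported", while the code tests X86_FEATURE_USER_SHSTK against XFEATURE_MASK_CET_USER in fpu_kernel_cfg.max_features. Suggest wording both in those terms, for example "CET_SS enumerated without CET_USER xstate support, disabling user shadow stacks", so that someone reading the log on an affected guest can tell a hardening feature was switched off because of inconsistent enumeration. Since the test runs after max_features has been masked with XFEATURE_MASK_USER_SUPPORTED | XFEATURE_MASK_SUPERVISOR_SUPPORTED, the comment should also say whether a CET_USER bit cleared by that mask is meant to take this path and log the same error.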


base-commit: 6c927e5ca9d238f8ae40b453a8382eb9cf4ee855
--
2.53.0