[PATCH 4/7] x86: ban 32-bit sigreturn when user IBT enabled
From: Richard Patel
Date: Sun May 17 2026 - 14:36:53 EST
IBT enforces that indirect branch targets land on an endbr
instruction. The CPU enforces this by setting the 'WAIT_FOR_ENDBR'
bit after executing an indirect branch/jump.
The only relevant edge case with user IBT is signal handling:
When entering/leaving a signal handler, the WAIT_FOR_ENDBR bit must
be backed up/restored.
IBT is not implemented for 32-bit and cannot be enabled using a
32-bit syscall. However, a 64-bit thread could far jump into 32-bit.
Therefore, 32-bit sigreturn must be banned until IBT supports that
environment.
Signed-off-by: Richard Patel <ripatel@xxxxxxx>
Based-on-patch-by: Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx>
Link: https://lwn.net/ml/linux-kernel/20210830182221.3535-5-yu-cheng.yu@xxxxxxxxx/
---
arch/x86/kernel/signal_32.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/arch/x86/kernel/signal_32.c b/arch/x86/kernel/signal_32.c
index e55cf19e68fe..7cb76d794366 100644
--- a/arch/x86/kernel/signal_32.c
+++ b/arch/x86/kernel/signal_32.c
@@ -143,6 +143,11 @@ static bool ia32_restore_sigcontext(struct pt_regs *regs,
regs->ds = fixup_rpl(sc.ds);
#endif
+#ifdef CONFIG_X86_USER_IBT
+ if (current->thread.ibt)
+ return false;
+#endif
+
return fpu__restore_sig(compat_ptr(sc.fpstate), 1);
}
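Review bot: the new check sits after `regs->ds = fixup_rpl(sc.ds);` (and the earlier segment/register restores above the hunk), so by the time `ia32_restore_sigcontext()` refuses the frame it has already written user-supplied values from `sc` into `regs`. Moving the `current->thread.ibt` test to the very top of the function, before anything is copied out of the sigcontext, would reject the frame without touching register state and make the intent obvious at a glance. A one-line comment above the `#ifdef CONFIG_X86_USER_IBT` block stating why the frame is refused (IBT is not implemented for 32-bit, so WAIT_FOR_ENDBR cannot be restored from a 32-bit sigreturn) would also help, since the rationale currently lives only in the commit message.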
--
2.47.3