There are two distinct CPU features related to the use of XSAVES and LBR: whether LBR is itself supported and whether XSAVES supports LBR. The LBR subsystem correctly checks both in intel_pmu_arch_lbr_init(), but the XSTATE subsystem does not.
The LBR bit is only removed from xfeatures_mask_independent when LBR is not supported by the CPU, but there is no validation of XSTATE support. If XSAVES does not support LBR the write to IA32_XSS causes a #GP fault, leaving the state of IA32_XSS unchanged, i.e. zero. The fault is handled with a warning and the boot continues.
Consequently the next XRSTORS which tries to restore supervisor state fails with #GP because the RFBM has zero for all supervisor features, which does not match the XCOMP_BV field.
As XFEATURE_MASK_FPSTATE includes supervisor features, setting up the FPU causes a #GP, which ends up in fpu_reset_from_exception_fixup(). That fails due to the same problem, resulting in recursive #GPs until the kernel runs out of stack space and double faults.
Prevent this by storing the supported independent features in fpu_kernel_cfg during XSTATE initialization and use that cached value for retrieving the independent feature bits to be written into IA32_XSS.
[ tglx: Massaged change log ]
Fixes: f0dccc9da4c0 ("x86/fpu/xstate: Support dynamic supervisor feature for LBR")
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
[ Mitchell Levy: Backport to 5.15, since struct fpu_config is not introduced until 578971f4e228 and feature masks are not included in said struct until 1c253ff2287f ]
Signed-off-by: Mitchell Levy <levymitchell0@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/20240812-xsave-lbr-fix-v3-1-95bac1bf62f4@gmail.c...
---
 arch/x86/include/asm/fpu/xstate.h | 5 +++--
 arch/x86/kernel/fpu/xstate.c      | 7 +++++++
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/arch/x86/include/asm/fpu/xstate.h b/arch/x86/include/asm/fpu/xstate.h index d91df71f60fb..3bc08b5313b0 100644 --- a/arch/x86/include/asm/fpu/xstate.h +++ b/arch/x86/include/asm/fpu/xstate.h @@ -85,6 +85,7 @@ #endif
extern u64 xfeatures_mask_all; +extern u64 xfeatures_mask_indep;
static inline u64 xfeatures_mask_supervisor(void) { @@ -124,9 +125,9 @@ static inline u64 xfeatures_mask_fpstate(void) static inline u64 xfeatures_mask_independent(void) { if (!boot_cpu_has(X86_FEATURE_ARCH_LBR)) - return XFEATURE_MASK_INDEPENDENT & ~XFEATURE_MASK_LBR; + return xfeatures_mask_indep & ~XFEATURE_MASK_LBR;
- return XFEATURE_MASK_INDEPENDENT; + return xfeatures_mask_indep; }
extern u64 xstate_fx_sw_bytes[USER_XSTATE_FX_SW_WORDS]; diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c index 81891f0fff6f..3772577462a0 100644 --- a/arch/x86/kernel/fpu/xstate.c +++ b/arch/x86/kernel/fpu/xstate.c @@ -60,6 +60,11 @@ static short xsave_cpuid_features[] __initdata = { * XSAVE buffer, both supervisor and user xstates. */ u64 xfeatures_mask_all __ro_after_init; +/* + * This represents the "independent" xfeatures that are supported by XSAVES, but not managed as part + * of the FPU core, such as LBR. + */ +u64 xfeatures_mask_indep __ro_after_init; EXPORT_SYMBOL_GPL(xfeatures_mask_all);
static unsigned int xstate_offsets[XFEATURE_MAX] __ro_after_init = @@ -768,6 +773,8 @@ void __init fpu__init_system_xstate(void) goto out_disable; }
+ xfeatures_mask_indep = xfeatures_mask_all & XFEATURE_MASK_INDEPENDENT; + /* * Clear XSAVE features that are disabled in the normal CPUID. */
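Review bot: in the xfeatures_mask_independent() hunk of xstate.h (@@ -124,9 +125,9 @@), the boot_cpu_has(X86_FEATURE_ARCH_LBR) test is kept alongside the new xfeatures_mask_indep mask without a comment saying why both are needed; a one-line comment stating that the CPU may advertise arch LBR while XSAVES does not support the LBR component (the case the change log describes, where the old code wrote an unsupported bit into IA32_XSS) would stop a later reader from treating the boot_cpu_has() check as redundant and removing it.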
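Review bot: the new definition in the xstate.c @@ -60,6 +60,11 @@ hunk is inserted between `u64 xfeatures_mask_all __ro_after_init;` and its `EXPORT_SYMBOL_GPL(xfeatures_mask_all);`, which separates the export from the variable it exports, and the added comment line "This represents the "independent" xfeatures that are supported by XSAVES, but not managed as part" runs well past 80 columns. Suggest moving the `xfeatures_mask_indep` definition and its comment below the EXPORT_SYMBOL_GPL line and wrapping the comment to the usual width.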
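Review bot: in the fpu__init_system_xstate() hunk (@@ -768,6 +773,8 @@), `xfeatures_mask_indep = xfeatures_mask_all & XFEATURE_MASK_INDEPENDENT;` is computed immediately before the block commented "Clear XSAVE features that are disabled in the normal CPUID", so the cached mask is deliberately not affected by that clearing. If that ordering is intended (because none of the independent features are subject to the xsave_cpuid_features[] check), a short comment saying so would help; otherwise the assignment should move after that loop so the cached value cannot hold a bit that the later clearing removes from xfeatures_mask_all.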