On Sun, 2022-02-06 at 13:42 +0000, David Laight wrote:
> > I don't think this is as difficult to avoid because userspace ssp has
> > its own register that should not be accessed at that point, but I have
> > not given this aspect enough analysis. Thanks for bringing it up.
>
> So the user ssp isn't saved (or restored) by the trap entry/exit.
> So it needs to be saved by the context switch code?
> Much like the user segment registers?
> So you are likely to get the same problems if restoring it can fault
> in kernel (e.g. for a non-canonical address).

PL3_SSP is lazily saved and restored by the FPU supervisor xsave code,
which has its buffer in kernel memory. For the most part it is userspace
instructions that use this register, and they can only modify it in
limited ways.

It does look like IRET can cause a #CP if the PL3 SSP is not aligned,
but only after RIP and CPL are set back to userspace. I'm not confident
enough interpreting the specs to assert the specific behavior and will
follow up internally to clarify.