Intel Shadow Stack For Linux Hits Last-Minute Snag With Issue Raised By Torvalds
Shadow Stack support is part of Control-flow Enforcement Technology (CET) and has been found in Intel CPUs since Tiger Lake. The Intel Shadow Stack functionality is intended to provide return address protection to defend against return-oriented programming (ROP) attacks. Getting Shadow Stack support into the mainline Linux kernel has been a long time coming, and now it runs the risk of being pushed back from Linux 6.4.
Linus Torvalds only got around to reviewing the code closely this weekend and has already found a bug that would affect non-x86_64 kernels. He explained in a mailing list post:
"So I'm going through the original pull request now - I was really hoping to have been able to do that earlier, but there kept being all these small pending other issues.
And I'm about a quarter in, haven't even gotten to the meat yet, and I've already found a bug.
End result: all those architectures that do *not* want the vma argument don't need to do any extra work, and they just implement the old version, and the only thing that happened was that it was renamed.
Because I really don't want to pull this series as-is, when I found what looks like a "this broke an architecture that DOES NOT EVEN CARE" bug in the series.
And yes, my bad for not getting to this earlier to notice this.
Or alternatively - your bad for not going through this with a fine comb like I started doing."
There have been further comments on the mailing list since about the technical nature of this bug, but long story short, Linus isn't pulling these patches as-is. It remains to be seen whether there will be a last-minute updated patch series or whether Torvalds will entertain pulling these patches late, past 6.4-rc1, but it's increasingly likely that the Intel Shadow Stack support will be delayed to v6.5+ given this last-minute bug and the fact that Torvalds isn't even through reviewing the patches in full.