On Wed, 2024-10-02 at 22:01 +0100, Mark Brown wrote:

BTW it's probably also worth noting that at least on arm64 (perhaps x86
is different here?) the shadow stack of a thread that exited won't have
a token placed on it so it won't be possible to use it with clone3() at
all unless another token is written.  To get a shadow stack you could
use with clone3() you'd either need to allocate a new one, pivot away
from one that's currently in use or enable shadow stack writes and place
a token.

Hmm, yea. I didn't have a specific idea in mind. But yea, you would have to
switch to something in order to leave a token.

If you enabled WRSS (or similar) you might be able to reuse shadow stacks in
some kind of useful way, but in that case you would probably WRSS the token to
the end of the shadow stack and the start+size would fit better.