All of lore.kernel.org
 help / color / mirror / Atom feed
From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org
Cc: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
	Sasha Levin <sashal@kernel.org>
Subject: Re: [PATCH 5.15 v3 10/16] x86/its: Add support for ITS-safe return thunk
Date: Sat, 17 May 2025 09:08:43 -0400	[thread overview]
Message-ID: <20250516215643-6e77207da7b569a8@stable.kernel.org> (raw)
In-Reply-To: <20250516-its-5-15-v3-10-16fcdaaea544@linux.intel.com>

[ Sasha's backport helper bot ]

Hi,

✅ All tests passed successfully. No issues detected.
No action required from the submitter.

The upstream commit SHA1 provided is correct: a75bf27fe41abe658c53276a0c486c4bf9adecfc

Status in newer kernel trees:
6.14.y | Present (different SHA1: f9a449a04ad6)
6.12.y | Present (different SHA1: 22d1efbb1e99)
6.6.y | Present (different SHA1: 2bacac79dd22)
6.1.y | Present (different SHA1: e1d254d4a267)

Note: The patch differs from the upstream commit:
---
1:  a75bf27fe41ab ! 1:  335c313faf43f x86/its: Add support for ITS-safe return thunk
    @@ Metadata
      ## Commit message ##
         x86/its: Add support for ITS-safe return thunk
     
    +    commit a75bf27fe41abe658c53276a0c486c4bf9adecfc upstream.
    +
         RETs in the lower half of cacheline may be affected by ITS bug,
         specifically when the RSB-underflows. Use ITS-safe return thunk for such
         RETs.
    @@ Commit message
     
         - RET in retpoline sequence does not need to be patched, because the
           sequence itself fills an RSB before RET.
    -    - RET in Call Depth Tracking (CDT) thunks __x86_indirect_{call|jump}_thunk
    -      and call_depth_return_thunk are not patched because CDT by design
    -      prevents RSB-underflow.
         - RETs in .init section are not reachable after init.
         - RETs that are explicitly marked safe with ANNOTATE_UNRET_SAFE.
     
    @@ Commit message
         Reviewed-by: Alexandre Chartre <alexandre.chartre@oracle.com>
     
      ## arch/x86/include/asm/alternative.h ##
    -@@ arch/x86/include/asm/alternative.h: static __always_inline int x86_call_depth_emit_accounting(u8 **pprog,
    - }
    - #endif
    +@@ arch/x86/include/asm/alternative.h: extern void apply_returns(s32 *start, s32 *end);
    + 
    + struct module;
      
    -+#if defined(CONFIG_MITIGATION_RETHUNK) && defined(CONFIG_OBJTOOL)
    ++#ifdef CONFIG_RETHUNK
     +extern bool cpu_wants_rethunk(void);
     +extern bool cpu_wants_rethunk_at(void *addr);
     +#else
    @@ arch/x86/include/asm/alternative.h: static __always_inline int x86_call_depth_em
      					void *locks, void *locks_end,
     
      ## arch/x86/include/asm/nospec-branch.h ##
    -@@ arch/x86/include/asm/nospec-branch.h: static inline void srso_return_thunk(void) {}
    - static inline void srso_alias_return_thunk(void) {}
    +@@ arch/x86/include/asm/nospec-branch.h: extern void __x86_return_thunk(void);
    + static inline void __x86_return_thunk(void) {}
      #endif
      
     +#ifdef CONFIG_MITIGATION_ITS
    @@ arch/x86/include/asm/nospec-branch.h: static inline void srso_return_thunk(void)
      ## arch/x86/kernel/alternative.c ##
     @@ arch/x86/kernel/alternative.c: void __init_or_module noinline apply_retpolines(s32 *start, s32 *end)
      
    - #ifdef CONFIG_MITIGATION_RETHUNK
    + #ifdef CONFIG_RETHUNK
      
     +bool cpu_wants_rethunk(void)
     +{
    @@ arch/x86/kernel/alternative.c: static int patch_return(void *addr, struct insn *
      		i = JMP32_INSN_SIZE;
      		__text_gen_insn(bytes, JMP32_INSN_OPCODE, addr, x86_return_thunk, i);
      	} else {
    -@@ arch/x86/kernel/alternative.c: void __init_or_module noinline apply_returns(s32 *start, s32 *end)
    - {
    - 	s32 *s;
    - 
    --	if (cpu_feature_enabled(X86_FEATURE_RETHUNK))
    -+	if (cpu_wants_rethunk())
    - 		static_call_force_reinit();
    - 
    - 	for (s = start; s < end; s++) {
     
      ## arch/x86/kernel/ftrace.c ##
     @@ arch/x86/kernel/ftrace.c: create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
    @@ arch/x86/kernel/static_call.c: static void __ref __static_call_transform(void *i
      			code = text_gen_insn(JMP32_INSN_OPCODE, insn, x86_return_thunk);
      		else
      			code = &retinsn;
    -@@ arch/x86/kernel/static_call.c: static void __ref __static_call_transform(void *insn, enum insn_type type,
    - 	case JCC:
    - 		if (!func) {
    - 			func = __static_call_return;
    --			if (cpu_feature_enabled(X86_FEATURE_RETHUNK))
    -+			if (cpu_wants_rethunk())
    - 				func = x86_return_thunk;
    - 		}
    - 
     
      ## arch/x86/kernel/vmlinux.lds.S ##
    -@@ arch/x86/kernel/vmlinux.lds.S: PROVIDE(__ref_stack_chk_guard = __stack_chk_guard);
    +@@ arch/x86/kernel/vmlinux.lds.S: INIT_PER_CPU(irq_stack_backing_store);
      . = ASSERT(__x86_indirect_its_thunk_array == __x86_indirect_its_thunk_rax, "Gap in ITS thunk array");
      #endif
      
    @@ arch/x86/kernel/vmlinux.lds.S: PROVIDE(__ref_stack_chk_guard = __stack_chk_guard
     +
      #endif /* CONFIG_X86_64 */
      
    - /*
    + #ifdef CONFIG_KEXEC_CORE
     
      ## arch/x86/lib/retpoline.S ##
     @@ arch/x86/lib/retpoline.S: SYM_CODE_START(__x86_indirect_its_thunk_array)
    @@ arch/x86/lib/retpoline.S: SYM_CODE_START(__x86_indirect_its_thunk_array)
     +
     +#endif /* CONFIG_MITIGATION_ITS */
      
    - /*
    -  * This function name is magical and is used by -mfunction-return=thunk-extern
    + SYM_CODE_START(__x86_return_thunk)
    + 	UNWIND_HINT_FUNC
     
      ## arch/x86/net/bpf_jit_comp.c ##
     @@ arch/x86/net/bpf_jit_comp.c: static void emit_return(u8 **pprog, u8 *ip)
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y        |  Success    |  Success   |

  reply	other threads:[~2025-05-17 13:08 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-16 23:59 [PATCH 5.15 v3 00/16] ITS mitigation Pawan Gupta
2025-05-16 23:59 ` [PATCH 5.15 v3 01/16] x86,nospec: Simplify {JMP,CALL}_NOSPEC Pawan Gupta
2025-05-17 13:08   ` Sasha Levin
2025-05-16 23:59 ` [PATCH 5.15 v3 02/16] x86/speculation: Simplify and make CALL_NOSPEC consistent Pawan Gupta
2025-05-17 13:08   ` Sasha Levin
2025-05-17  0:00 ` [PATCH 5.15 v3 03/16] x86/speculation: Add a conditional CS prefix to CALL_NOSPEC Pawan Gupta
2025-05-17 13:08   ` Sasha Levin
2025-05-17  0:00 ` [PATCH 5.15 v3 04/16] x86/speculation: Remove the extra #ifdef around CALL_NOSPEC Pawan Gupta
2025-05-17 13:08   ` Sasha Levin
2025-05-17  0:00 ` [PATCH 5.15 v3 05/16] Documentation: x86/bugs/its: Add ITS documentation Pawan Gupta
2025-05-17 13:08   ` Sasha Levin
2025-05-17  0:01 ` [PATCH 5.15 v3 06/16] x86/its: Enumerate Indirect Target Selection (ITS) bug Pawan Gupta
2025-05-17 13:08   ` Sasha Levin
2025-05-17  0:01 ` [PATCH 5.15 v3 07/16] x86/its: Add support for ITS-safe indirect thunk Pawan Gupta
2025-05-17 13:08   ` Sasha Levin
2025-05-17  0:01 ` [PATCH 5.15 v3 08/16] x86/alternative: Optimize returns patching Pawan Gupta
2025-05-17 13:08   ` Sasha Levin
2025-05-17  0:01 ` [PATCH 5.15 v3 09/16] x86/alternatives: Remove faulty optimization Pawan Gupta
2025-05-17 13:08   ` Sasha Levin
2025-05-17  0:02 ` [PATCH 5.15 v3 10/16] x86/its: Add support for ITS-safe return thunk Pawan Gupta
2025-05-17 13:08   ` Sasha Levin [this message]
2025-05-17  0:02 ` [PATCH 5.15 v3 11/16] x86/its: Enable Indirect Target Selection mitigation Pawan Gupta
2025-05-17 13:08   ` Sasha Levin
2025-05-17  0:02 ` [PATCH 5.15 v3 12/16] x86/its: Add "vmexit" option to skip mitigation on some CPUs Pawan Gupta
2025-05-17 13:08   ` Sasha Levin
2025-05-17  0:02 ` [PATCH 5.15 v3 13/16] x86/its: Align RETs in BHB clear sequence to avoid thunking Pawan Gupta
2025-05-17 13:08   ` Sasha Levin
2025-05-17  0:03 ` [PATCH 5.15 v3 14/16] x86/its: Use dynamic thunks for indirect branches Pawan Gupta
2025-05-17 13:08   ` Sasha Levin
2025-05-17  0:03 ` [PATCH 5.15 v3 15/16] x86/its: Fix build errors when CONFIG_MODULES=n Pawan Gupta
2025-05-17 13:08   ` Sasha Levin
2025-05-17  0:03 ` [PATCH 5.15 v3 16/16] x86/its: FineIBT-paranoid vs ITS Pawan Gupta
2025-05-17 13:08   ` Sasha Levin
2025-06-07  9:34 ` [PATCH 5.15 v3 00/16] ITS mitigation Salvatore Bonaccorso
2025-06-09 13:31   ` Pawan Gupta

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250516215643-6e77207da7b569a8@stable.kernel.org \
    --to=sashal@kernel.org \
    --cc=pawan.kumar.gupta@linux.intel.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.