From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org
Cc: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
Sasha Levin <sashal@kernel.org>
Subject: Re: [PATCH 5.15 v3 11/16] x86/its: Enable Indirect Target Selection mitigation
Date: Sat, 17 May 2025 09:08:41 -0400 [thread overview]
Message-ID: <20250516220042-03410cef69eea03c@stable.kernel.org> (raw)
In-Reply-To: <20250516-its-5-15-v3-11-16fcdaaea544@linux.intel.com>
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected.
No action required from the submitter.
The upstream commit SHA1 provided is correct: f4818881c47fd91fcb6d62373c57c7844e3de1c0
Status in newer kernel trees:
6.14.y | Present (different SHA1: 35311149d329)
6.12.y | Present (different SHA1: 6968bef67f0f)
6.6.y | Present (different SHA1: be8e627b89f4)
6.1.y | Present (different SHA1: fb02629ab89d)
Note: The patch differs from the upstream commit:
---
1: f4818881c47fd ! 1: 1a74f28934512 x86/its: Enable Indirect Target Selection mitigation
@@ Metadata
## Commit message ##
x86/its: Enable Indirect Target Selection mitigation
+ commit f4818881c47fd91fcb6d62373c57c7844e3de1c0 upstream.
+
Indirect Target Selection (ITS) is a bug in some pre-ADL Intel CPUs with
eIBRS. It affects prediction of indirect branch and RETs in the
lower half of cacheline. Due to ITS such branches may get wrongly predicted
@@ Documentation/admin-guide/kernel-parameters.txt
Format: <full_path>
Run specified binary instead of /sbin/init as init
@@
+ improves system performance, but it may also
expose users to several CPU vulnerabilities.
- Equivalent to: if nokaslr then kpti=0 [ARM64]
- gather_data_sampling=off [X86]
+ Equivalent to: gather_data_sampling=off [X86]
+ indirect_target_selection=off [X86]
+ kpti=0 [ARM64]
kvm.nx_huge_pages=off [X86]
l1tf=off [X86]
- mds=off [X86]
## arch/x86/kernel/cpu/bugs.c ##
@@ arch/x86/kernel/cpu/bugs.c: static void __init srbds_select_mitigation(void);
static void __init l1d_flush_select_mitigation(void);
- static void __init srso_select_mitigation(void);
static void __init gds_select_mitigation(void);
+ static void __init srso_select_mitigation(void);
+static void __init its_select_mitigation(void);
/* The base value of the SPEC_CTRL MSR without task-specific bits set */
u64 x86_spec_ctrl_base;
@@ arch/x86/kernel/cpu/bugs.c: static DEFINE_MUTEX(spec_ctrl_mutex);
- void (*x86_return_thunk)(void) __ro_after_init = __x86_return_thunk;
+ void (*x86_return_thunk)(void) __ro_after_init = &__x86_return_thunk;
+static void __init set_return_thunk(void *thunk)
+{
@@ arch/x86/kernel/cpu/bugs.c: void __init cpu_select_mitigations(void)
/*
@@ arch/x86/kernel/cpu/bugs.c: static void __init retbleed_select_mitigation(void)
- setup_force_cpu_cap(X86_FEATURE_RETHUNK);
setup_force_cpu_cap(X86_FEATURE_UNRET);
-- x86_return_thunk = retbleed_return_thunk;
-+ set_return_thunk(retbleed_return_thunk);
+ if (IS_ENABLED(CONFIG_RETHUNK))
+- x86_return_thunk = retbleed_return_thunk;
++ set_return_thunk(retbleed_return_thunk);
if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD &&
boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)
-@@ arch/x86/kernel/cpu/bugs.c: static void __init retbleed_select_mitigation(void)
- setup_force_cpu_cap(X86_FEATURE_RETHUNK);
- setup_force_cpu_cap(X86_FEATURE_CALL_DEPTH);
-
-- x86_return_thunk = call_depth_return_thunk;
-+ set_return_thunk(call_depth_return_thunk);
- break;
-
- default:
@@ arch/x86/kernel/cpu/bugs.c: static void __init retbleed_select_mitigation(void)
pr_info("%s\n", retbleed_strings[retbleed_mitigation]);
}
@@ arch/x86/kernel/cpu/bugs.c: static void __init retbleed_select_mitigation(void)
+enum its_mitigation {
+ ITS_MITIGATION_OFF,
+ ITS_MITIGATION_ALIGNED_THUNKS,
-+ ITS_MITIGATION_RETPOLINE_STUFF,
+};
+
+static const char * const its_strings[] = {
+ [ITS_MITIGATION_OFF] = "Vulnerable",
+ [ITS_MITIGATION_ALIGNED_THUNKS] = "Mitigation: Aligned branch/return thunks",
-+ [ITS_MITIGATION_RETPOLINE_STUFF] = "Mitigation: Retpolines, Stuffing RSB",
+};
+
+static enum its_mitigation its_mitigation __ro_after_init = ITS_MITIGATION_ALIGNED_THUNKS;
@@ arch/x86/kernel/cpu/bugs.c: static void __init retbleed_select_mitigation(void)
+ return;
+ }
+
-+ /* Retpoline+CDT mitigates ITS, bail out */
-+ if (boot_cpu_has(X86_FEATURE_RETPOLINE) &&
-+ boot_cpu_has(X86_FEATURE_CALL_DEPTH)) {
-+ its_mitigation = ITS_MITIGATION_RETPOLINE_STUFF;
-+ goto out;
-+ }
-+
+ /* Exit early to avoid irrelevant warnings */
+ if (cmd == ITS_CMD_OFF) {
+ its_mitigation = ITS_MITIGATION_OFF;
@@ arch/x86/kernel/cpu/bugs.c: static void __init retbleed_select_mitigation(void)
+ its_mitigation = ITS_MITIGATION_OFF;
+ goto out;
+ }
-+ if (!IS_ENABLED(CONFIG_MITIGATION_RETPOLINE) ||
-+ !IS_ENABLED(CONFIG_MITIGATION_RETHUNK)) {
++ if (!IS_ENABLED(CONFIG_RETPOLINE) || !IS_ENABLED(CONFIG_RETHUNK)) {
+ pr_err("WARNING: ITS mitigation depends on retpoline and rethunk support\n");
+ its_mitigation = ITS_MITIGATION_OFF;
+ goto out;
@@ arch/x86/kernel/cpu/bugs.c: static void __init srso_select_mitigation(void)
- x86_return_thunk = srso_return_thunk;
+ set_return_thunk(srso_return_thunk);
}
- if (has_microcode)
- srso_mitigation = SRSO_MITIGATION_SAFE_RET;
+ srso_mitigation = SRSO_MITIGATION_SAFE_RET;
+ } else {
@@ arch/x86/kernel/cpu/bugs.c: static ssize_t rfds_show_state(char *buf)
return sysfs_emit(buf, "%s\n", rfds_strings[rfds_mitigation]);
}
@@ arch/x86/kernel/cpu/bugs.c: ssize_t cpu_show_reg_file_data_sampling(struct devic
+ return cpu_show_common(dev, attr, buf, X86_BUG_ITS);
+}
#endif
-
- void __warn_thunk(void)
## drivers/base/cpu.c ##
-@@ drivers/base/cpu.c: CPU_SHOW_VULN_FALLBACK(spec_rstack_overflow);
- CPU_SHOW_VULN_FALLBACK(gds);
- CPU_SHOW_VULN_FALLBACK(reg_file_data_sampling);
- CPU_SHOW_VULN_FALLBACK(ghostwrite);
-+CPU_SHOW_VULN_FALLBACK(indirect_target_selection);
+@@ drivers/base/cpu.c: ssize_t __weak cpu_show_reg_file_data_sampling(struct device *dev,
+ return sysfs_emit(buf, "Not affected\n");
+ }
++ssize_t __weak cpu_show_indirect_target_selection(struct device *dev,
++ struct device_attribute *attr, char *buf)
++{
++ return sysfs_emit(buf, "Not affected\n");
++}
++
static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
-@@ drivers/base/cpu.c: static DEVICE_ATTR(spec_rstack_overflow, 0444, cpu_show_spec_rstack_overflow, NU
+ static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
+@@ drivers/base/cpu.c: static DEVICE_ATTR(retbleed, 0444, cpu_show_retbleed, NULL);
static DEVICE_ATTR(gather_data_sampling, 0444, cpu_show_gds, NULL);
+ static DEVICE_ATTR(spec_rstack_overflow, 0444, cpu_show_spec_rstack_overflow, NULL);
static DEVICE_ATTR(reg_file_data_sampling, 0444, cpu_show_reg_file_data_sampling, NULL);
- static DEVICE_ATTR(ghostwrite, 0444, cpu_show_ghostwrite, NULL);
+static DEVICE_ATTR(indirect_target_selection, 0444, cpu_show_indirect_target_selection, NULL);
static struct attribute *cpu_root_vulnerabilities_attrs[] = {
&dev_attr_meltdown.attr,
@@ drivers/base/cpu.c: static struct attribute *cpu_root_vulnerabilities_attrs[] = {
&dev_attr_gather_data_sampling.attr,
+ &dev_attr_spec_rstack_overflow.attr,
&dev_attr_reg_file_data_sampling.attr,
- &dev_attr_ghostwrite.attr,
+ &dev_attr_indirect_target_selection.attr,
NULL
};
@@ drivers/base/cpu.c: static struct attribute *cpu_root_vulnerabilities_attrs[] =
## include/linux/cpu.h ##
@@ include/linux/cpu.h: extern ssize_t cpu_show_gds(struct device *dev,
+ struct device_attribute *attr, char *buf);
extern ssize_t cpu_show_reg_file_data_sampling(struct device *dev,
struct device_attribute *attr, char *buf);
- extern ssize_t cpu_show_ghostwrite(struct device *dev, struct device_attribute *attr, char *buf);
+extern ssize_t cpu_show_indirect_target_selection(struct device *dev,
+ struct device_attribute *attr, char *buf);
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Success | Success |
next prev parent reply other threads:[~2025-05-17 13:08 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-16 23:59 [PATCH 5.15 v3 00/16] ITS mitigation Pawan Gupta
2025-05-16 23:59 ` [PATCH 5.15 v3 01/16] x86,nospec: Simplify {JMP,CALL}_NOSPEC Pawan Gupta
2025-05-17 13:08 ` Sasha Levin
2025-05-16 23:59 ` [PATCH 5.15 v3 02/16] x86/speculation: Simplify and make CALL_NOSPEC consistent Pawan Gupta
2025-05-17 13:08 ` Sasha Levin
2025-05-17 0:00 ` [PATCH 5.15 v3 03/16] x86/speculation: Add a conditional CS prefix to CALL_NOSPEC Pawan Gupta
2025-05-17 13:08 ` Sasha Levin
2025-05-17 0:00 ` [PATCH 5.15 v3 04/16] x86/speculation: Remove the extra #ifdef around CALL_NOSPEC Pawan Gupta
2025-05-17 13:08 ` Sasha Levin
2025-05-17 0:00 ` [PATCH 5.15 v3 05/16] Documentation: x86/bugs/its: Add ITS documentation Pawan Gupta
2025-05-17 13:08 ` Sasha Levin
2025-05-17 0:01 ` [PATCH 5.15 v3 06/16] x86/its: Enumerate Indirect Target Selection (ITS) bug Pawan Gupta
2025-05-17 13:08 ` Sasha Levin
2025-05-17 0:01 ` [PATCH 5.15 v3 07/16] x86/its: Add support for ITS-safe indirect thunk Pawan Gupta
2025-05-17 13:08 ` Sasha Levin
2025-05-17 0:01 ` [PATCH 5.15 v3 08/16] x86/alternative: Optimize returns patching Pawan Gupta
2025-05-17 13:08 ` Sasha Levin
2025-05-17 0:01 ` [PATCH 5.15 v3 09/16] x86/alternatives: Remove faulty optimization Pawan Gupta
2025-05-17 13:08 ` Sasha Levin
2025-05-17 0:02 ` [PATCH 5.15 v3 10/16] x86/its: Add support for ITS-safe return thunk Pawan Gupta
2025-05-17 13:08 ` Sasha Levin
2025-05-17 0:02 ` [PATCH 5.15 v3 11/16] x86/its: Enable Indirect Target Selection mitigation Pawan Gupta
2025-05-17 13:08 ` Sasha Levin [this message]
2025-05-17 0:02 ` [PATCH 5.15 v3 12/16] x86/its: Add "vmexit" option to skip mitigation on some CPUs Pawan Gupta
2025-05-17 13:08 ` Sasha Levin
2025-05-17 0:02 ` [PATCH 5.15 v3 13/16] x86/its: Align RETs in BHB clear sequence to avoid thunking Pawan Gupta
2025-05-17 13:08 ` Sasha Levin
2025-05-17 0:03 ` [PATCH 5.15 v3 14/16] x86/its: Use dynamic thunks for indirect branches Pawan Gupta
2025-05-17 13:08 ` Sasha Levin
2025-05-17 0:03 ` [PATCH 5.15 v3 15/16] x86/its: Fix build errors when CONFIG_MODULES=n Pawan Gupta
2025-05-17 13:08 ` Sasha Levin
2025-05-17 0:03 ` [PATCH 5.15 v3 16/16] x86/its: FineIBT-paranoid vs ITS Pawan Gupta
2025-05-17 13:08 ` Sasha Levin
2025-06-07 9:34 ` [PATCH 5.15 v3 00/16] ITS mitigation Salvatore Bonaccorso
2025-06-09 13:31 ` Pawan Gupta
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250516220042-03410cef69eea03c@stable.kernel.org \
--to=sashal@kernel.org \
--cc=pawan.kumar.gupta@linux.intel.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.