From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, pawan.kumar.gupta@linux.intel.com
Cc: Sasha Levin <sashal@kernel.org>
Subject: Re: [PATCH 5.15 v3 14/16] x86/its: Use dynamic thunks for indirect branches
Date: Sat, 17 May 2025 09:08:15 -0400	[thread overview]
Message-ID: <20250516221241-2873375becab2c5e@stable.kernel.org> (raw)
In-Reply-To: <20250516-its-5-15-v3-14-16fcdaaea544@linux.intel.com>

[ Sasha's backport helper bot ]

Hi,

Summary of potential issues:
ℹ️ This is part 14/16 of a series
⚠️ Found follow-up fixes in mainline

The upstream commit SHA1 provided is correct: 872df34d7c51a79523820ea6a14860398c639b87

WARNING: Author mismatch between patch and upstream commit:
Backport author: Pawan Gupta<pawan.kumar.gupta@linux.intel.com>
Commit author: Peter Zijlstra<peterz@infradead.org>

Status in newer kernel trees:
6.14.y | Present (different SHA1: 37526e8a94dd)
6.12.y | Present (different SHA1: 5f6966e6a709)
6.6.y | Present (different SHA1: cb4b8d845fc5)
6.1.y | Present (different SHA1: 383a65981c30)

Found fixes commits:
9f35e33144ae x86/its: Fix build errors when CONFIG_MODULES=n

Note: The patch differs from the upstream commit:
---
1:  872df34d7c51a ! 1:  98921616793d1 x86/its: Use dynamic thunks for indirect branches
    @@ Metadata
      ## Commit message ##
         x86/its: Use dynamic thunks for indirect branches
     
    +    commit 872df34d7c51a79523820ea6a14860398c639b87 upstream.
    +
         ITS mitigation moves the unsafe indirect branches to a safe thunk. This
         could degrade the prediction accuracy as the source address of indirect
         branches becomes same for different execution paths.
    @@ Commit message
         they are both more flexible (got to extend them later) and live in 2M TLBs,
         just like kernel code, avoiding undue TLB pressure.
     
    +      [ pawan: CONFIG_EXECMEM and CONFIG_EXECMEM_ROX are not supported on
    +               backport kernel, made changes to use module_alloc() and
    +               set_memory_*() for dynamic thunks. ]
    +
         Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
         Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
         Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
         Reviewed-by: Alexandre Chartre <alexandre.chartre@oracle.com>
     
    - ## arch/x86/Kconfig ##
    -@@ arch/x86/Kconfig: config MITIGATION_ITS
    - 	bool "Enable Indirect Target Selection mitigation"
    - 	depends on CPU_SUP_INTEL && X86_64
    - 	depends on MITIGATION_RETPOLINE && MITIGATION_RETHUNK
    -+	select EXECMEM
    - 	default y
    - 	help
    - 	  Enable Indirect Target Selection (ITS) mitigation. ITS is a bug in
    -
      ## arch/x86/include/asm/alternative.h ##
    -@@ arch/x86/include/asm/alternative.h: static __always_inline int x86_call_depth_emit_accounting(u8 **pprog,
    - }
    - #endif
    +@@ arch/x86/include/asm/alternative.h: extern void apply_returns(s32 *start, s32 *end);
    + 
    + struct module;
      
     +#ifdef CONFIG_MITIGATION_ITS
     +extern void its_init_mod(struct module *mod);
    @@ arch/x86/include/asm/alternative.h: static __always_inline int x86_call_depth_em
     +static inline void its_free_mod(struct module *mod) { }
     +#endif
     +
    - #if defined(CONFIG_MITIGATION_RETHUNK) && defined(CONFIG_OBJTOOL)
    + #ifdef CONFIG_RETHUNK
      extern bool cpu_wants_rethunk(void);
      extern bool cpu_wants_rethunk_at(void *addr);
     
    @@ arch/x86/kernel/alternative.c
      #include <linux/mmu_context.h>
      #include <linux/bsearch.h>
      #include <linux/sync_core.h>
    -+#include <linux/execmem.h>
    ++#include <linux/moduleloader.h>
      #include <asm/text-patching.h>
      #include <asm/alternative.h>
      #include <asm/sections.h>
     @@
    + #include <asm/fixmap.h>
    + #include <asm/paravirt.h>
      #include <asm/asm-prototypes.h>
    - #include <asm/cfi.h>
    - #include <asm/ibt.h>
     +#include <asm/set_memory.h>
      
      int __read_mostly alternatives_patched;
      
    -@@ arch/x86/kernel/alternative.c: const unsigned char * const x86_nops[ASM_NOP_MAX+1] =
    - #endif
    - };
    +@@ arch/x86/kernel/alternative.c: static int emit_indirect(int op, int reg, u8 *bytes)
    + 
    + #ifdef CONFIG_MITIGATION_ITS
      
    -+#ifdef CONFIG_MITIGATION_ITS
    -+
     +static struct module *its_mod;
     +static void *its_page;
     +static unsigned int its_offset;
    @@ arch/x86/kernel/alternative.c: const unsigned char * const x86_nops[ASM_NOP_MAX+
     +
     +void its_fini_mod(struct module *mod)
     +{
    ++	int i;
    ++
     +	if (!cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS))
     +		return;
     +
    @@ arch/x86/kernel/alternative.c: const unsigned char * const x86_nops[ASM_NOP_MAX+
     +	its_page = NULL;
     +	mutex_unlock(&text_mutex);
     +
    -+	for (int i = 0; i < mod->its_num_pages; i++) {
    ++	for (i = 0; i < mod->its_num_pages; i++) {
     +		void *page = mod->its_page_array[i];
    -+		execmem_restore_rox(page, PAGE_SIZE);
    ++		set_memory_ro((unsigned long)page, 1);
    ++		set_memory_x((unsigned long)page, 1);
     +	}
     +}
     +
     +void its_free_mod(struct module *mod)
     +{
    ++	int i;
    ++
     +	if (!cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS))
     +		return;
     +
    -+	for (int i = 0; i < mod->its_num_pages; i++) {
    ++	for (i = 0; i < mod->its_num_pages; i++) {
     +		void *page = mod->its_page_array[i];
    -+		execmem_free(page);
    ++		module_memfree(page);
     +	}
     +	kfree(mod->its_page_array);
     +}
     +
     +static void *its_alloc(void)
     +{
    -+	void *page __free(execmem) = execmem_alloc(EXECMEM_MODULE_TEXT, PAGE_SIZE);
    ++	void *page = module_alloc(PAGE_SIZE);
     +
     +	if (!page)
     +		return NULL;
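Review bot: The return values of `set_memory_ro()` and `set_memory_x()` in the its_fini_mod() loop are discarded, so a failed `set_memory_ro()` leaves the thunk page writable and the next line still marks it executable. The same pair is repeated unchecked in its_allocate_thunk() in a later hunk, together with an unchecked `set_memory_rw()`. At minimum the failure should be surfaced, e.g. `if (WARN_ON_ONCE(set_memory_ro((unsigned long)page, 1))) continue;`, so that a page is never made executable while it is still writable; whether skipping the page is acceptable for a module's thunks is for the author to decide. its_fini_mod() starts in the previous hunk and its_alloc() continues in the next one.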
    @@ arch/x86/kernel/alternative.c: const unsigned char * const x86_nops[ASM_NOP_MAX+
     +		void *tmp = krealloc(its_mod->its_page_array,
     +				     (its_mod->its_num_pages+1) * sizeof(void *),
     +				     GFP_KERNEL);
    -+		if (!tmp)
    ++		if (!tmp) {
    ++			module_memfree(page);
     +			return NULL;
    ++		}
     +
     +		its_mod->its_page_array = tmp;
     +		its_mod->its_page_array[its_mod->its_num_pages++] = page;
    -+
    -+		execmem_make_temp_rw(page, PAGE_SIZE);
     +	}
     +
    -+	return no_free_ptr(page);
    ++	return page;
     +}
     +
     +static void *its_allocate_thunk(int reg)
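Review bot: Pages handed out by its_alloc() end up read-only and executable (its_fini_mod(), its_allocate_thunk()), and its_free_mod() in the previous hunk passes them to `module_memfree()` without restoring their permissions. Nothing visible in this range-diff sets the vmalloc flush/reset flag on them, so unless module_alloc() does that on this tree, the underlying pages may go back to the allocator with non-default direct-map permissions. Consider adding `set_vm_flush_reset_perms(page);` right after the `if (!page)` check in its_alloc(). The `module_memfree(page)` added on the krealloc() failure path looks fine, since that page has not had its permissions changed yet.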
    @@ arch/x86/kernel/alternative.c: const unsigned char * const x86_nops[ASM_NOP_MAX+
     +	thunk = its_page + its_offset;
     +	its_offset += size;
     +
    -+	return its_init_thunk(thunk, reg);
    -+}
    ++	set_memory_rw((unsigned long)its_page, 1);
    ++	thunk = its_init_thunk(thunk, reg);
    ++	set_memory_ro((unsigned long)its_page, 1);
    ++	set_memory_x((unsigned long)its_page, 1);
     +
    -+#endif
    ++	return thunk;
    ++}
     +
    - /*
    -  * Nomenclature for variable names to simplify and clarify this code and ease
    -  * any potential staring at it:
    -@@ arch/x86/kernel/alternative.c: static int emit_call_track_retpoline(void *addr, struct insn *insn, int reg, u8
    - #ifdef CONFIG_MITIGATION_ITS
    + static int __emit_trampoline(void *addr, struct insn *insn, u8 *bytes,
    + 			     void *call_dest, void *jmp_dest)
    + {
    +@@ arch/x86/kernel/alternative.c: static int __emit_trampoline(void *addr, struct insn *insn, u8 *bytes,
    + 
      static int emit_its_trampoline(void *addr, struct insn *insn, int reg, u8 *bytes)
      {
     -	return __emit_trampoline(addr, insn, bytes,
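Review bot: its_allocate_thunk() needs a comment on the permission toggle: thunks are carved out of a shared `its_page`, so from the second allocation on the page has already been through `set_memory_x()` when `set_memory_rw()` runs, and it appears to be writable and executable while its_init_thunk() writes. Something like `/* its_page may already hold live thunks; it is writable only for this write, serialised by text_mutex */` would record the intent, assuming callers do hold text_mutex as its_fini_mod() does around `its_page = NULL`. The function starts in the previous hunk.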
    @@ arch/x86/kernel/alternative.c: static int emit_call_track_retpoline(void *addr,
     
      ## arch/x86/kernel/module.c ##
     @@ arch/x86/kernel/module.c: int module_finalize(const Elf_Ehdr *hdr,
    - 			ibt_endbr = s;
    + 		void *pseg = (void *)para->sh_addr;
    + 		apply_paravirt(pseg, pseg + para->sh_size);
      	}
    - 
    ++
     +	its_init_mod(me);
     +
    - 	if (retpolines || cfi) {
    - 		void *rseg = NULL, *cseg = NULL;
    - 		unsigned int rsize = 0, csize = 0;
    -@@ arch/x86/kernel/module.c: int module_finalize(const Elf_Ehdr *hdr,
    + 	if (retpolines) {
      		void *rseg = (void *)retpolines->sh_addr;
      		apply_retpolines(rseg, rseg + retpolines->sh_size);
      	}
    @@ arch/x86/kernel/module.c: int module_finalize(const Elf_Ehdr *hdr,
     +	its_free_mod(mod);
      }
     
    - ## include/linux/execmem.h ##
    -@@
    - 
    - #include <linux/types.h>
    - #include <linux/moduleloader.h>
    -+#include <linux/cleanup.h>
    - 
    - #if (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)) && \
    - 		!defined(CONFIG_KASAN_VMALLOC)
    -@@ include/linux/execmem.h: void *execmem_alloc(enum execmem_type type, size_t size);
    -  */
    - void execmem_free(void *ptr);
    - 
    -+DEFINE_FREE(execmem, void *, if (_T) execmem_free(_T));
    -+
    - #ifdef CONFIG_MMU
    - /**
    -  * execmem_vmap - create virtual mapping for EXECMEM_MODULE_DATA memory
    -
      ## include/linux/module.h ##
     @@ include/linux/module.h: struct module {
      	atomic_t refcnt;
---

NOTE: These results are for this patch alone. Full series testing will be
performed when all parts are received.

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y        |  Success    |  Success   |
