* [PATCH v3 1/7] x86/retbleed: Avoid AUTO after the select step
2025-05-23 1:20 [PATCH v3 0/7] eIBRS fixes Pawan Gupta
@ 2025-05-23 1:20 ` Pawan Gupta
2025-05-24 9:29 ` Borislav Petkov
2025-05-23 1:20 ` [PATCH v3 2/7] x86/retbleed: Simplify the =stuff checks Pawan Gupta
` (5 subsequent siblings)
6 siblings, 1 reply; 13+ messages in thread
From: Pawan Gupta @ 2025-05-23 1:20 UTC (permalink / raw)
To: x86
Cc: David Kaplan, linux-kernel, H. Peter Anvin, Josh Poimboeuf,
Borislav Petkov
Retbleed select function leaves the mitigation to AUTO in some cases.
Moreover, the update function can also set the mitigation to AUTO. This is
inconsistent with other mitigations and requires explicit handling of AUTO
at the end of update step.
Make sure a mitigation gets selected in the select step, and do not change
it to AUTO in the update step. When no mitigation can be selected leave it
to NONE, which is what AUTO was getting changed to in the end.
Suggested-by: Borislav Petkov <bp@alien8.de>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
arch/x86/kernel/cpu/bugs.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 7f94e6a5497d9a2d312a76095e48d6b364565777..53649df2c4d66c6bd3aa34dec69af9df253bccfc 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1247,6 +1247,14 @@ static void __init retbleed_select_mitigation(void)
retbleed_mitigation = RETBLEED_MITIGATION_IBPB;
else
retbleed_mitigation = RETBLEED_MITIGATION_NONE;
+ } else if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) {
+ /* Final mitigation depends on spectre-v2 selection */
+ if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED))
+ retbleed_mitigation = RETBLEED_MITIGATION_EIBRS;
+ else if (boot_cpu_has(X86_FEATURE_IBRS))
+ retbleed_mitigation = RETBLEED_MITIGATION_IBRS;
+ else
+ retbleed_mitigation = RETBLEED_MITIGATION_NONE;
}
}
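Review bot: The comment on the new Intel branch says the final mitigation depends on the spectre-v2 selection, but the branch itself picks RETBLEED_MITIGATION_EIBRS or RETBLEED_MITIGATION_IBRS purely from boot_cpu_has() feature bits. Reword the comment to say this is a provisional choice that the update step may revise once spectre_v2_enabled is known, so a reader does not take the value as final when the select step returns.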
@@ -1255,9 +1263,6 @@ static void __init retbleed_update_mitigation(void)
if (!boot_cpu_has_bug(X86_BUG_RETBLEED) || cpu_mitigations_off())
return;
- if (retbleed_mitigation == RETBLEED_MITIGATION_NONE)
- goto out;
-
/*
* retbleed=stuff is only allowed on Intel. If stuffing can't be used
* then a different mitigation will be selected below.
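Review bot: Removing the early "goto out" for RETBLEED_MITIGATION_NONE means a NONE chosen in the select step now falls through to the =stuff handling that follows, whose condition also tests its_mitigation == ITS_MITIGATION_RETPOLINE_STUFF. The changelog only talks about AUTO; if letting its=stuff act on a NONE selection is intended, say so in the commit message, otherwise keep a guard for that case.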
@@ -1268,7 +1273,7 @@ static void __init retbleed_update_mitigation(void)
its_mitigation == ITS_MITIGATION_RETPOLINE_STUFF) {
if (spectre_v2_enabled != SPECTRE_V2_RETPOLINE) {
pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
- retbleed_mitigation = RETBLEED_MITIGATION_AUTO;
+ retbleed_mitigation = RETBLEED_MITIGATION_NONE;
} else {
if (retbleed_mitigation != RETBLEED_MITIGATION_STUFF)
pr_info("Retbleed mitigation updated to stuffing\n");
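Review bot: With the fallback on the added line now RETBLEED_MITIGATION_NONE, the comment kept just above this block ("If stuffing can't be used then a different mitigation will be selected below") needs checking: AUTO signalled "pick something later", NONE does not. Confirm the code below still replaces NONE when retpoline is missing, or update that comment to match.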
@@ -1294,15 +1299,11 @@ static void __init retbleed_update_mitigation(void)
if (retbleed_mitigation != RETBLEED_MITIGATION_STUFF)
pr_err(RETBLEED_INTEL_MSG);
}
- /* If nothing has set the mitigation yet, default to NONE. */
- if (retbleed_mitigation == RETBLEED_MITIGATION_AUTO)
- retbleed_mitigation = RETBLEED_MITIGATION_NONE;
}
-out:
+
pr_info("%s\n", retbleed_strings[retbleed_mitigation]);
}
-
static void __init retbleed_apply_mitigation(void)
{
bool mitigate_smt = false;
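Review bot: The last part of this hunk deletes the blank line between the closing brace of retbleed_update_mitigation() and "static void __init retbleed_apply_mitigation(void)", which is unrelated whitespace churn and leaves the two functions back to back. Keep the separator line; the blank line added in place of the "out:" label is fine.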
--
2.34.1
* Re: [PATCH v3 1/7] x86/retbleed: Avoid AUTO after the select step
2025-05-23 1:20 ` [PATCH v3 1/7] x86/retbleed: Avoid AUTO after the select step Pawan Gupta
@ 2025-05-24 9:29 ` Borislav Petkov
0 siblings, 0 replies; 13+ messages in thread
From: Borislav Petkov @ 2025-05-24 9:29 UTC (permalink / raw)
To: Pawan Gupta
Cc: x86, David Kaplan, linux-kernel, H. Peter Anvin, Josh Poimboeuf
On Thu, May 22, 2025 at 06:20:31PM -0700, Pawan Gupta wrote:
> Retbleed select function leaves the mitigation to AUTO in some cases.
> Moreover, the update function can also set the mitigation to AUTO. This is
> inconsistent with other mitigations and requires explicit handling of AUTO
> at the end of update step.
>
> Make sure a mitigation gets selected in the select step, and do not change
> it to AUTO in the update step. When no mitigation can be selected leave it
> to NONE, which is what AUTO was getting changed to in the end.
>
> Suggested-by: Borislav Petkov <bp@alien8.de>
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
> ---
> arch/x86/kernel/cpu/bugs.c | 19 ++++++++++---------
> 1 file changed, 10 insertions(+), 9 deletions(-)
Yap, much better.
Thx.
Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
* [PATCH v3 2/7] x86/retbleed: Simplify the =stuff checks
2025-05-23 1:20 [PATCH v3 0/7] eIBRS fixes Pawan Gupta
2025-05-23 1:20 ` [PATCH v3 1/7] x86/retbleed: Avoid AUTO after the select step Pawan Gupta
@ 2025-05-23 1:20 ` Pawan Gupta
2025-05-24 11:16 ` Borislav Petkov
2025-05-23 1:21 ` [PATCH v3 3/7] x86/bugs: Exit early if return thunk is already set Pawan Gupta
` (4 subsequent siblings)
6 siblings, 1 reply; 13+ messages in thread
From: Pawan Gupta @ 2025-05-23 1:20 UTC (permalink / raw)
To: x86
Cc: David Kaplan, linux-kernel, H. Peter Anvin, Josh Poimboeuf,
Nikolay Borisov
Simplify the nested checks, remove redundant print and comment.
Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
arch/x86/kernel/cpu/bugs.c | 24 ++++++++----------------
1 file changed, 8 insertions(+), 16 deletions(-)
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 53649df2c4d66c6bd3aa34dec69af9df253bccfc..94d0de3e61aec32b3b67c8d21f89a8c67b93dff3 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1263,24 +1263,16 @@ static void __init retbleed_update_mitigation(void)
if (!boot_cpu_has_bug(X86_BUG_RETBLEED) || cpu_mitigations_off())
return;
- /*
- * retbleed=stuff is only allowed on Intel. If stuffing can't be used
- * then a different mitigation will be selected below.
- *
- * its=stuff will also attempt to enable stuffing.
- */
- if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF ||
- its_mitigation == ITS_MITIGATION_RETPOLINE_STUFF) {
- if (spectre_v2_enabled != SPECTRE_V2_RETPOLINE) {
- pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
- retbleed_mitigation = RETBLEED_MITIGATION_NONE;
- } else {
- if (retbleed_mitigation != RETBLEED_MITIGATION_STUFF)
- pr_info("Retbleed mitigation updated to stuffing\n");
+ /* ITS can also enable stuffing */
+ if (its_mitigation == ITS_MITIGATION_RETPOLINE_STUFF)
+ retbleed_mitigation = RETBLEED_MITIGATION_STUFF;
- retbleed_mitigation = RETBLEED_MITIGATION_STUFF;
- }
+ if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF &&
+ spectre_v2_enabled != SPECTRE_V2_RETPOLINE) {
+ pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
+ retbleed_mitigation = RETBLEED_MITIGATION_NONE;
}
+
/*
* Let IBRS trump all on Intel without affecting the effects of the
* retbleed= cmdline option except for call depth based stuffing
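Review bot: In the new first "if", its=stuff overwrites whatever retbleed_mitigation the select step chose before the retpoline dependency is checked, so when spectre_v2_enabled != SPECTRE_V2_RETPOLINE the second "if" resets it to RETBLEED_MITIGATION_NONE and the earlier selection is lost. Consider promoting to STUFF only when the dependency holds, and note that the pr_err() text names retbleed=stuff even when the request came from its=stuff.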
--
2.34.1
* Re: [PATCH v3 2/7] x86/retbleed: Simplify the =stuff checks
2025-05-23 1:20 ` [PATCH v3 2/7] x86/retbleed: Simplify the =stuff checks Pawan Gupta
@ 2025-05-24 11:16 ` Borislav Petkov
0 siblings, 0 replies; 13+ messages in thread
From: Borislav Petkov @ 2025-05-24 11:16 UTC (permalink / raw)
To: Pawan Gupta
Cc: x86, David Kaplan, linux-kernel, H. Peter Anvin, Josh Poimboeuf,
Nikolay Borisov
On Thu, May 22, 2025 at 06:20:47PM -0700, Pawan Gupta wrote:
> Simplify the nested checks, remove redundant print and comment.
>
> Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
> ---
> arch/x86/kernel/cpu/bugs.c | 24 ++++++++----------------
> 1 file changed, 8 insertions(+), 16 deletions(-)
>
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 53649df2c4d66c6bd3aa34dec69af9df253bccfc..94d0de3e61aec32b3b67c8d21f89a8c67b93dff3 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -1263,24 +1263,16 @@ static void __init retbleed_update_mitigation(void)
> if (!boot_cpu_has_bug(X86_BUG_RETBLEED) || cpu_mitigations_off())
> return;
>
> - /*
> - * retbleed=stuff is only allowed on Intel. If stuffing can't be used
> - * then a different mitigation will be selected below.
> - *
> - * its=stuff will also attempt to enable stuffing.
> - */
> - if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF ||
> - its_mitigation == ITS_MITIGATION_RETPOLINE_STUFF) {
> - if (spectre_v2_enabled != SPECTRE_V2_RETPOLINE) {
> - pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
> - retbleed_mitigation = RETBLEED_MITIGATION_NONE;
> - } else {
> - if (retbleed_mitigation != RETBLEED_MITIGATION_STUFF)
> - pr_info("Retbleed mitigation updated to stuffing\n");
> + /* ITS can also enable stuffing */
> + if (its_mitigation == ITS_MITIGATION_RETPOLINE_STUFF)
> + retbleed_mitigation = RETBLEED_MITIGATION_STUFF;
>
> - retbleed_mitigation = RETBLEED_MITIGATION_STUFF;
> - }
> + if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF &&
> + spectre_v2_enabled != SPECTRE_V2_RETPOLINE) {
> + pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
> + retbleed_mitigation = RETBLEED_MITIGATION_NONE;
> }
> +
> /*
> * Let IBRS trump all on Intel without affecting the effects of the
> * retbleed= cmdline option except for call depth based stuffing
>
> --
Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
* [PATCH v3 3/7] x86/bugs: Exit early if return thunk is already set
2025-05-23 1:20 [PATCH v3 0/7] eIBRS fixes Pawan Gupta
2025-05-23 1:20 ` [PATCH v3 1/7] x86/retbleed: Avoid AUTO after the select step Pawan Gupta
2025-05-23 1:20 ` [PATCH v3 2/7] x86/retbleed: Simplify the =stuff checks Pawan Gupta
@ 2025-05-23 1:21 ` Pawan Gupta
2025-05-23 10:28 ` Nikolay Borisov
2025-05-24 11:27 ` Borislav Petkov
2025-05-23 1:21 ` [PATCH v3 4/7] x86/its: Use switch/case to apply mitigation Pawan Gupta
` (3 subsequent siblings)
6 siblings, 2 replies; 13+ messages in thread
From: Pawan Gupta @ 2025-05-23 1:21 UTC (permalink / raw)
To: x86; +Cc: David Kaplan, linux-kernel, H. Peter Anvin, Josh Poimboeuf
When the exact same return thunk is already set, avoid the warning and exit
early. This is to prepare for ITS to also set CDT return thunk independent
of retbleed.
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
arch/x86/kernel/cpu/bugs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 94d0de3e61aec32b3b67c8d21f89a8c67b93dff3..354593065025fd7c5727e955d76523777b3da9ee 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -113,6 +113,9 @@ void (*x86_return_thunk)(void) __ro_after_init = __x86_return_thunk;
static void __init set_return_thunk(void *thunk)
{
+ if (thunk == x86_return_thunk)
+ return;
+
if (x86_return_thunk != __x86_return_thunk)
pr_warn("x86/bugs: return thunk changed\n");
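Review bot: The new early return in set_return_thunk() has no comment saying why a repeated call with the same thunk is expected; the reason (ITS and retbleed both setting the CDT return thunk) lives only in the changelog. Add a one-line comment above "if (thunk == x86_return_thunk)" so the silent return is not mistaken for dead code.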
--
2.34.1
* Re: [PATCH v3 3/7] x86/bugs: Exit early if return thunk is already set
2025-05-23 1:21 ` [PATCH v3 3/7] x86/bugs: Exit early if return thunk is already set Pawan Gupta
@ 2025-05-23 10:28 ` Nikolay Borisov
2025-05-24 11:27 ` Borislav Petkov
1 sibling, 0 replies; 13+ messages in thread
From: Nikolay Borisov @ 2025-05-23 10:28 UTC (permalink / raw)
To: Pawan Gupta, x86
Cc: David Kaplan, linux-kernel, H. Peter Anvin, Josh Poimboeuf
On 5/23/25 04:21, Pawan Gupta wrote:
> When the exact same return thunk is already set, avoid the warning and exit
> early. This is to prepare for ITS to also set CDT return thunk independent
> of retbleed.
Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
>
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
> ---
> arch/x86/kernel/cpu/bugs.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 94d0de3e61aec32b3b67c8d21f89a8c67b93dff3..354593065025fd7c5727e955d76523777b3da9ee 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -113,6 +113,9 @@ void (*x86_return_thunk)(void) __ro_after_init = __x86_return_thunk;
>
> static void __init set_return_thunk(void *thunk)
> {
> + if (thunk == x86_return_thunk)
> + return;
> +
> if (x86_return_thunk != __x86_return_thunk)
> pr_warn("x86/bugs: return thunk changed\n");
>
>
* Re: [PATCH v3 3/7] x86/bugs: Exit early if return thunk is already set
2025-05-23 1:21 ` [PATCH v3 3/7] x86/bugs: Exit early if return thunk is already set Pawan Gupta
2025-05-23 10:28 ` Nikolay Borisov
@ 2025-05-24 11:27 ` Borislav Petkov
2025-05-28 21:55 ` Pawan Gupta
1 sibling, 1 reply; 13+ messages in thread
From: Borislav Petkov @ 2025-05-24 11:27 UTC (permalink / raw)
To: Pawan Gupta
Cc: x86, David Kaplan, linux-kernel, H. Peter Anvin, Josh Poimboeuf
On Thu, May 22, 2025 at 06:21:02PM -0700, Pawan Gupta wrote:
> When the exact same return thunk is already set, avoid the warning and exit
> early. This is to prepare for ITS to also set CDT return thunk independent
> of retbleed.
>
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
> ---
> arch/x86/kernel/cpu/bugs.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 94d0de3e61aec32b3b67c8d21f89a8c67b93dff3..354593065025fd7c5727e955d76523777b3da9ee 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -113,6 +113,9 @@ void (*x86_return_thunk)(void) __ro_after_init = __x86_return_thunk;
>
> static void __init set_return_thunk(void *thunk)
> {
> + if (thunk == x86_return_thunk)
> + return;
> +
> if (x86_return_thunk != __x86_return_thunk)
> pr_warn("x86/bugs: return thunk changed\n");
Ok, let's drop those silly conditionals here and simply issue the name. We'll
see later whether this needs to be louder...
---
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 94d0de3e61ae..20696abd1bef 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -113,10 +113,9 @@ void (*x86_return_thunk)(void) __ro_after_init = __x86_return_thunk;
static void __init set_return_thunk(void *thunk)
{
- if (x86_return_thunk != __x86_return_thunk)
- pr_warn("x86/bugs: return thunk changed\n");
-
x86_return_thunk = thunk;
+
+ pr_info("active return thunk: %ps\n", thunk);
}
/* Update SPEC_CTRL MSR and its cached copy unconditionally */
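Review bot: The added pr_info() drops the "x86/bugs:" prefix that the removed pr_warn() string carried, so "active return thunk: %ps" is only attributable in dmesg if a pr_fmt is in effect at this point in the file. It also prints on every call, so a thunk overwritten by a second mitigation shows up as two info lines rather than a warning; check that this is enough for someone auditing which return thunk ended up active.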
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
* Re: [PATCH v3 3/7] x86/bugs: Exit early if return thunk is already set
2025-05-24 11:27 ` Borislav Petkov
@ 2025-05-28 21:55 ` Pawan Gupta
0 siblings, 0 replies; 13+ messages in thread
From: Pawan Gupta @ 2025-05-28 21:55 UTC (permalink / raw)
To: Borislav Petkov
Cc: x86, David Kaplan, linux-kernel, H. Peter Anvin, Josh Poimboeuf
On Sat, May 24, 2025 at 01:27:29PM +0200, Borislav Petkov wrote:
> On Thu, May 22, 2025 at 06:21:02PM -0700, Pawan Gupta wrote:
> > When the exact same return thunk is already set, avoid the warning and exit
> > early. This is to prepare for ITS to also set CDT return thunk independent
> > of retbleed.
> >
> > Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
> > ---
> > arch/x86/kernel/cpu/bugs.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> > index 94d0de3e61aec32b3b67c8d21f89a8c67b93dff3..354593065025fd7c5727e955d76523777b3da9ee 100644
> > --- a/arch/x86/kernel/cpu/bugs.c
> > +++ b/arch/x86/kernel/cpu/bugs.c
> > @@ -113,6 +113,9 @@ void (*x86_return_thunk)(void) __ro_after_init = __x86_return_thunk;
> >
> > static void __init set_return_thunk(void *thunk)
> > {
> > + if (thunk == x86_return_thunk)
> > + return;
> > +
> > if (x86_return_thunk != __x86_return_thunk)
> > pr_warn("x86/bugs: return thunk changed\n");
>
> Ok, let's drop those silly conditionals here and simply issue the name. We'll
> see later whether this needs to be louder...
Ok, will do.
* [PATCH v3 4/7] x86/its: Use switch/case to apply mitigation
2025-05-23 1:20 [PATCH v3 0/7] eIBRS fixes Pawan Gupta
` (2 preceding siblings ...)
2025-05-23 1:21 ` [PATCH v3 3/7] x86/bugs: Exit early if return thunk is already set Pawan Gupta
@ 2025-05-23 1:21 ` Pawan Gupta
2025-05-23 1:21 ` [PATCH v3 5/7] x86/retbleed: Introduce cdt_possible() Pawan Gupta
` (2 subsequent siblings)
6 siblings, 0 replies; 13+ messages in thread
From: Pawan Gupta @ 2025-05-23 1:21 UTC (permalink / raw)
To: x86
Cc: David Kaplan, linux-kernel, H. Peter Anvin, Josh Poimboeuf,
Nikolay Borisov
Prepare to apply stuffing mitigation in its_apply_mitigation(). This is
currently only done via retbleed mitigation. Also using switch/case makes
it evident that mitigation mode like VMEXIT_ONLY doesn't need any special
handling.
Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
arch/x86/kernel/cpu/bugs.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 354593065025fd7c5727e955d76523777b3da9ee..aa51fa8d6e8c8f7b2f5020fdb2e44a274badc0e7 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1472,15 +1472,21 @@ static void __init its_update_mitigation(void)
static void __init its_apply_mitigation(void)
{
+ switch (its_mitigation) {
+ case ITS_MITIGATION_OFF:
+ case ITS_MITIGATION_AUTO:
+ case ITS_MITIGATION_VMEXIT_ONLY:
/* its=stuff forces retbleed stuffing and is enabled there. */
- if (its_mitigation != ITS_MITIGATION_ALIGNED_THUNKS)
- return;
-
- if (!boot_cpu_has(X86_FEATURE_RETPOLINE))
- setup_force_cpu_cap(X86_FEATURE_INDIRECT_THUNK_ITS);
+ case ITS_MITIGATION_RETPOLINE_STUFF:
+ break;
+ case ITS_MITIGATION_ALIGNED_THUNKS:
+ if (!boot_cpu_has(X86_FEATURE_RETPOLINE))
+ setup_force_cpu_cap(X86_FEATURE_INDIRECT_THUNK_ITS);
- setup_force_cpu_cap(X86_FEATURE_RETHUNK);
- set_return_thunk(its_return_thunk);
+ setup_force_cpu_cap(X86_FEATURE_RETHUNK);
+ set_return_thunk(its_return_thunk);
+ break;
+ }
}
#undef pr_fmt
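Review bot: "case ITS_MITIGATION_AUTO:" is grouped with the no-op cases, so an AUTO value reaching the apply step is silently accepted. If the select and update steps are meant to have resolved AUTO by now, say so in a comment or warn here, so an unresolved mode cannot pass as a deliberate "no mitigation".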
--
2.34.1
* [PATCH v3 5/7] x86/retbleed: Introduce cdt_possible()
2025-05-23 1:20 [PATCH v3 0/7] eIBRS fixes Pawan Gupta
` (3 preceding siblings ...)
2025-05-23 1:21 ` [PATCH v3 4/7] x86/its: Use switch/case to apply mitigation Pawan Gupta
@ 2025-05-23 1:21 ` Pawan Gupta
2025-05-23 1:21 ` [PATCH v3 6/7] x86/its: Remove =stuff dependency on retbleed Pawan Gupta
2025-05-23 1:22 ` [PATCH v3 7/7] x86/its: Allow stuffing in eIBRS+retpoline mode also Pawan Gupta
6 siblings, 0 replies; 13+ messages in thread
From: Pawan Gupta @ 2025-05-23 1:21 UTC (permalink / raw)
To: x86; +Cc: David Kaplan, linux-kernel, H. Peter Anvin, Josh Poimboeuf
In preparation to allow ITS to also enable stuffing a.k.a. Call Depth
Tracking (CDT) independently of retbleed, introduce a helper cdt_possible().
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
arch/x86/kernel/cpu/bugs.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index aa51fa8d6e8c8f7b2f5020fdb2e44a274badc0e7..7cf2b6e42b70b665842de5a3a96e10a356d343c9 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1123,6 +1123,19 @@ early_param("nospectre_v1", nospectre_v1_cmdline);
enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = SPECTRE_V2_NONE;
+/* Depends on spectre_v2 mitigation selected already */
+static inline bool cdt_possible(enum spectre_v2_mitigation mode)
+{
+ if (!IS_ENABLED(CONFIG_MITIGATION_CALL_DEPTH_TRACKING) ||
+ !IS_ENABLED(CONFIG_MITIGATION_RETPOLINE))
+ return false;
+
+ if (mode == SPECTRE_V2_RETPOLINE)
+ return true;
+
+ return false;
+}
+
#undef pr_fmt
#define pr_fmt(fmt) "RETBleed: " fmt
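Review bot: The tail of cdt_possible() ("if (mode == SPECTRE_V2_RETPOLINE) return true; return false;") can be a single "return mode == SPECTRE_V2_RETPOLINE;", and "inline" is not needed on a static helper in a .c file. The comment would also read better stating what the helper answers (whether call depth tracking can be used with the given spectre_v2 mode) rather than only its ordering requirement.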
@@ -1271,7 +1284,7 @@ static void __init retbleed_update_mitigation(void)
retbleed_mitigation = RETBLEED_MITIGATION_STUFF;
if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF &&
- spectre_v2_enabled != SPECTRE_V2_RETPOLINE) {
+ !cdt_possible(spectre_v2_enabled)) {
pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
retbleed_mitigation = RETBLEED_MITIGATION_NONE;
}
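Review bot: After switching the condition to !cdt_possible(), the pr_err() below it can fire because CONFIG_MITIGATION_CALL_DEPTH_TRACKING or CONFIG_MITIGATION_RETPOLINE is disabled, yet the message still blames spectre_v2=retpoline. Adjust the text so a user who did boot with spectre_v2=retpoline is not sent looking at the command line for a kernel configuration limit.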
--
2.34.1
* [PATCH v3 6/7] x86/its: Remove =stuff dependency on retbleed
2025-05-23 1:20 [PATCH v3 0/7] eIBRS fixes Pawan Gupta
` (4 preceding siblings ...)
2025-05-23 1:21 ` [PATCH v3 5/7] x86/retbleed: Introduce cdt_possible() Pawan Gupta
@ 2025-05-23 1:21 ` Pawan Gupta
2025-05-23 1:22 ` [PATCH v3 7/7] x86/its: Allow stuffing in eIBRS+retpoline mode also Pawan Gupta
6 siblings, 0 replies; 13+ messages in thread
From: Pawan Gupta @ 2025-05-23 1:21 UTC (permalink / raw)
To: x86; +Cc: David Kaplan, linux-kernel, H. Peter Anvin, Josh Poimboeuf
Allow ITS to enable stuffing independent of retbleed. The dependency is
only on retpoline. It is a valid case for retbleed to be mitigated by eIBRS
while ITS deploys stuffing at the same time.
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
arch/x86/kernel/cpu/bugs.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 7cf2b6e42b70b665842de5a3a96e10a356d343c9..3d56e258876234b802b6682050c46917a6cf7401 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1471,13 +1471,8 @@ static void __init its_update_mitigation(void)
break;
}
- /*
- * retbleed_update_mitigation() will try to do stuffing if its=stuff.
- * If it can't, such as if spectre_v2!=retpoline, then fall back to
- * aligned thunks.
- */
if (its_mitigation == ITS_MITIGATION_RETPOLINE_STUFF &&
- retbleed_mitigation != RETBLEED_MITIGATION_STUFF)
+ !cdt_possible(spectre_v2_enabled))
its_mitigation = ITS_MITIGATION_ALIGNED_THUNKS;
pr_info("%s\n", its_strings[its_mitigation]);
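Review bot: The fallback from ITS_MITIGATION_RETPOLINE_STUFF to ITS_MITIGATION_ALIGNED_THUNKS loses its explanatory comment entirely, although only the retbleed part of the old comment is stale. Keep one line saying that its=stuff falls back to aligned thunks when call depth tracking is not possible.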
@@ -1489,8 +1484,6 @@ static void __init its_apply_mitigation(void)
case ITS_MITIGATION_OFF:
case ITS_MITIGATION_AUTO:
case ITS_MITIGATION_VMEXIT_ONLY:
- /* its=stuff forces retbleed stuffing and is enabled there. */
- case ITS_MITIGATION_RETPOLINE_STUFF:
break;
case ITS_MITIGATION_ALIGNED_THUNKS:
if (!boot_cpu_has(X86_FEATURE_RETPOLINE))
@@ -1499,6 +1492,11 @@ static void __init its_apply_mitigation(void)
setup_force_cpu_cap(X86_FEATURE_RETHUNK);
set_return_thunk(its_return_thunk);
break;
+ case ITS_MITIGATION_RETPOLINE_STUFF:
+ setup_force_cpu_cap(X86_FEATURE_RETHUNK);
+ setup_force_cpu_cap(X86_FEATURE_CALL_DEPTH);
+ set_return_thunk(call_depth_return_thunk);
+ break;
}
}
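Review bot: The new ITS_MITIGATION_RETPOLINE_STUFF case references call_depth_return_thunk and X86_FEATURE_CALL_DEPTH unconditionally, while cdt_possible() treats CONFIG_MITIGATION_CALL_DEPTH_TRACKING as optional. Please confirm this builds with that option disabled, and consider a short comment noting that retbleed may set the same thunk, which is the case the early return added to set_return_thunk() in patch 3/7 prepares for.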
--
2.34.1
* [PATCH v3 7/7] x86/its: Allow stuffing in eIBRS+retpoline mode also
2025-05-23 1:20 [PATCH v3 0/7] eIBRS fixes Pawan Gupta
` (5 preceding siblings ...)
2025-05-23 1:21 ` [PATCH v3 6/7] x86/its: Remove =stuff dependency on retbleed Pawan Gupta
@ 2025-05-23 1:22 ` Pawan Gupta
6 siblings, 0 replies; 13+ messages in thread
From: Pawan Gupta @ 2025-05-23 1:22 UTC (permalink / raw)
To: x86; +Cc: David Kaplan, linux-kernel, H. Peter Anvin, Josh Poimboeuf
After a recent restructuring of ITS mitigation, RSB stuffing can no
longer be enabled in eIBRS+Retpoline mode. Before ITS, retbleed
mitigation only allowed stuffing when eIBRS was not enabled. This was
perfectly fine since eIBRS mitigates retbleed.
However, RSB stuffing mitigation for ITS is still needed with eIBRS. The
restructuring solely relies on retbleed to deploy stuffing, and does not
allow it when eIBRS is enabled. This behavior is different from what was
before the restructuring. Fix it by allowing stuffing in eIBRS+retpoline
mode also.
Fixes: 8c57ca583ebf ("x86/bugs: Restructure ITS mitigation")
Closes: https://lore.kernel.org/lkml/20250519235101.2vm6sc5txyoykb2r@desk/
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
arch/x86/kernel/cpu/bugs.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 3d56e258876234b802b6682050c46917a6cf7401..66c64dc2d14f5584b892286f060598595fd67ce0 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1130,7 +1130,8 @@ static inline bool cdt_possible(enum spectre_v2_mitigation mode)
!IS_ENABLED(CONFIG_MITIGATION_RETPOLINE))
return false;
- if (mode == SPECTRE_V2_RETPOLINE)
+ if (mode == SPECTRE_V2_RETPOLINE ||
+ mode == SPECTRE_V2_EIBRS_RETPOLINE)
return true;
return false;
@@ -1285,7 +1286,7 @@ static void __init retbleed_update_mitigation(void)
if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF &&
!cdt_possible(spectre_v2_enabled)) {
- pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
+ pr_err("WARNING: retbleed=stuff depends on retpoline\n");
retbleed_mitigation = RETBLEED_MITIGATION_NONE;
}
@@ -1458,6 +1459,7 @@ static void __init its_update_mitigation(void)
its_mitigation = ITS_MITIGATION_OFF;
break;
case SPECTRE_V2_RETPOLINE:
+ case SPECTRE_V2_EIBRS_RETPOLINE:
/* Retpoline+CDT mitigates ITS */
if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF)
its_mitigation = ITS_MITIGATION_RETPOLINE_STUFF;
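Review bot: In the case body now shared with SPECTRE_V2_EIBRS_RETPOLINE, ITS stuffing is still selected only "if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF)", while the changelog of patch 6/7 calls retbleed being mitigated by eIBRS while ITS deploys stuffing a valid case. Spell out in the changelog or a comment how stuffing is reached in eIBRS+retpoline mode when retbleed is not STUFF, or key this check on cdt_possible() as patch 6/7 did for the fallback.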
--
2.34.1