From: sashiko-bot@kernel.org
To: "Pawan Gupta" <pawan.kumar.gupta@linux.intel.com>
Cc: kvm@vger.kernel.org, bpf@vger.kernel.org
Subject: Re: [PATCH v12 09/12] x86/vmscape: Use static_call() for predictor flush
Date: Tue, 23 Jun 2026 17:47:14 +0000 [thread overview]
Message-ID: <20260623174715.48B501F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260622-vmscape-bhb-v12-9-76cbda0ae3e5@linux.intel.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [Medium] The patch introduces unconditional memory reads on the highly sensitive kernel-to-user exit and KVM VM-enter fast paths, penalizing all systems where the VMSCAPE mitigation is disabled.
- [Low] The removal of `X86_FEATURE_IBPB_EXIT_TO_USER` from the kernel CPU features header was not mirrored to the corresponding tools header, causing code drift.
- [Low] Usage of `static_call_cond()` without including `<linux/static_call.h>` makes the header non-self-contained.
--
commit 6813e9ba3f5da52dd0859a742860cd03837d50a7
Author: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
x86/vmscape: Use static_call() for predictor flush
This patch replaces the flag-based mitigation selector for VMSCAPE with a
static_call() to the mitigating function. This avoids adding more feature
flags and multiple checks, freeing the X86_FEATURE_IBPB_EXIT_TO_USER flag.
> diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
> index 1d506e5d6f46a..09f956b72637c 100644
> --- a/arch/x86/include/asm/cpufeatures.h
> +++ b/arch/x86/include/asm/cpufeatures.h
> @@ -504,7 +504,7 @@
> #define X86_FEATURE_TSA_SQ_NO (21*32+11) /* AMD CPU not vulnerable to TSA-SQ */
> #define X86_FEATURE_TSA_L1_NO (21*32+12) /* AMD CPU not vulnerable to TSA-L1 */
> #define X86_FEATURE_CLEAR_CPU_BUF_VM (21*32+13) /* Clear CPU buffers using VERW before VMRUN */
> -#define X86_FEATURE_IBPB_EXIT_TO_USER (21*32+14) /* Use IBPB on exit-to-userspace, see VMSCAPE bug */
> +/* Free */
[Severity: Low]
Does this removal also need to be synced to the tools copy in
tools/arch/x86/include/asm/cpufeatures.h? Leaving them out of sync typically
triggers a 'Kernel ABI header differs' build warning when compiling tools
like perf.
[ ... ]
> diff --git a/arch/x86/include/asm/entry-common.h b/arch/x86/include/asm/entry-common.h
> index 3be6d4c356ed2..d5b390c76f000 100644
> --- a/arch/x86/include/asm/entry-common.h
> +++ b/arch/x86/include/asm/entry-common.h
> @@ -4,6 +4,7 @@
>
> #include <linux/randomize_kstack.h>
> #include <linux/user-return-notifier.h>
> +#include <linux/static_call_types.h>
[Severity: Low]
Should this include <linux/static_call.h> instead? The static_call_cond()
macro is used below but isn't defined in static_call_types.h, which could
cause build failures if relying on implicit dependencies from downstream C
files.
>
> #include <asm/nospec-branch.h>
> #include <asm/io_bitmap.h>
> @@ -82,10 +83,8 @@ static inline void arch_exit_to_user_mode_prepare(struct pt_regs *regs,
> current_thread_info()->status &= ~(TS_COMPAT | TS_I386_REGS_POKED);
> #endif
>
> - /* Avoid unnecessary reads of 'x86_predictor_flush_exit_to_user' */
> - if (cpu_feature_enabled(X86_FEATURE_IBPB_EXIT_TO_USER) &&
> - this_cpu_read(x86_predictor_flush_exit_to_user)) {
> - write_ibpb();
> + if (unlikely(this_cpu_read(x86_predictor_flush_exit_to_user))) {
[Severity: Medium]
Will this unconditional per-CPU memory read add overhead on the kernel to
user exit fast path for unaffected CPUs? The previous cpu_feature_enabled()
check used alternative patching to compile out to zero instructions when the
mitigation was disabled.
> + static_call_cond(vmscape_predictor_flush)();
> this_cpu_write(x86_predictor_flush_exit_to_user, false);
> }
> }
[ ... ]
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 721ff7667dc0b..fcd61c47653fa 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -11556,7 +11556,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
> * set for the CPU that actually ran the guest, and not the CPU that it
> * may migrate to.
> */
> - if (cpu_feature_enabled(X86_FEATURE_IBPB_EXIT_TO_USER))
> + if (static_call_query(vmscape_predictor_flush))
[Severity: Medium]
Does replacing cpu_feature_enabled() with static_call_query() penalize the
KVM VM-enter fast path for unaffected hosts by introducing an unconditional
global memory read?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260622-vmscape-bhb-v12-0-76cbda0ae3e5@linux.intel.com?part=9
next prev parent reply other threads:[~2026-06-23 17:47 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-23 17:32 [PATCH v12 00/12] VMSCAPE optimization for BHI variant Pawan Gupta
2026-06-23 17:32 ` [PATCH v12 01/12] x86/bhi: x86/vmscape: Move LFENCE out of clear_bhb_loop() Pawan Gupta
2026-06-23 17:33 ` [PATCH v12 02/12] x86/bhi: Make clear_bhb_loop() effective on newer CPUs Pawan Gupta
2026-06-23 18:13 ` bot+bpf-ci
2026-06-23 17:33 ` [PATCH v12 03/12] x86/bhi: Rename clear_bhb_loop() to clear_bhb_loop_nofence() Pawan Gupta
2026-06-23 17:33 ` [PATCH v12 04/12] x86/vmscape: Rename x86_ibpb_exit_to_user to x86_predictor_flush_exit_to_user Pawan Gupta
2026-06-23 17:33 ` [PATCH v12 05/12] x86/vmscape: Move mitigation selection to a switch() Pawan Gupta
2026-06-23 17:43 ` sashiko-bot
2026-06-23 17:34 ` [PATCH v12 06/12] x86/vmscape: Use write_ibpb() instead of indirect_branch_prediction_barrier() Pawan Gupta
2026-06-23 17:34 ` [PATCH v12 07/12] static_call: Define EXPORT_STATIC_CALL_FOR_MODULES() Pawan Gupta
2026-06-23 17:34 ` [PATCH v12 08/12] KVM: Define EXPORT_STATIC_CALL_FOR_KVM() Pawan Gupta
2026-06-23 18:13 ` bot+bpf-ci
2026-06-23 17:34 ` [PATCH v12 09/12] x86/vmscape: Use static_call() for predictor flush Pawan Gupta
2026-06-23 17:47 ` sashiko-bot [this message]
2026-06-23 17:35 ` [PATCH v12 10/12] x86/vmscape: Deploy BHB clearing mitigation Pawan Gupta
2026-06-23 17:49 ` sashiko-bot
2026-06-23 17:35 ` [PATCH v12 11/12] x86/vmscape: Resolve conflict between attack-vectors and vmscape=force Pawan Gupta
2026-06-23 18:13 ` bot+bpf-ci
2026-06-23 17:35 ` [PATCH v12 12/12] x86/vmscape: Add cmdline vmscape=on to override attack vector controls Pawan Gupta
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260623174715.48B501F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=kvm@vger.kernel.org \
--cc=pawan.kumar.gupta@linux.intel.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.