[PATCH v2 0/7] eIBRS fixes

[PATCH v2 0/7] eIBRS fixes

[Pawan Gupta]

v2:
- Split the ITS stuffing patch into smaller patches. (Borislav)
- Zap spectre_v2_in_retpoline_mode() helper. (Borislav)

v1: https://lore.kernel.org/r/20250520-eibrs-fix-v1-2-91bacd35ed09@linux.intel.com

tip/x86/core that has the restructured bugs.c including the recent ITS
mitigation has some disparities compared to upstream:

1. Spectre-v2 mitigation default is IBRS on eIBRS supported systems.
2. RSB stuffing mitigation for ITS is not allowed with eIBRS.

These couple of patches fixes the above issues.

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
Pawan Gupta (7):
      x86/retbleed: Check for AUTO in all cases
      x86/retbleed: Simplify the =stuff checks
      x86/bugs: Exit early if return thunk is already set
      x86/its: Use switch/case to apply mitigation
      x86/retbleed: Introduce cdt_possible()
      x86/its: Remove =stuff dependency on retbleed
      x86/its: Allow stuffing in eIBRS+retpoline mode also

 arch/x86/kernel/cpu/bugs.c | 82 +++++++++++++++++++++++++++-------------------
 1 file changed, 48 insertions(+), 34 deletions(-)
---
base-commit: 6a7c3c2606105a41dde81002c0037420bc1ddf00
change-id: 20250520-eibrs-fix-6c452b697dbf

-- 
Thanks,
Pawan

[PATCH v2 1/7] x86/retbleed: Check for AUTO in all cases

[Pawan Gupta]

When none of mitigation option is selected, AUTO gets converted to NONE.
This is currently only being done for Intel. The check is useful in
general, make it common.

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
 arch/x86/kernel/cpu/bugs.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 7f94e6a5497d9a2d312a76095e48d6b364565777..19ff705b3128eacad5659990ed345d7a19bcb0f4 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1294,15 +1294,15 @@ static void __init retbleed_update_mitigation(void)
 			if (retbleed_mitigation != RETBLEED_MITIGATION_STUFF)
 				pr_err(RETBLEED_INTEL_MSG);
 		}
-		/* If nothing has set the mitigation yet, default to NONE. */
-		if (retbleed_mitigation == RETBLEED_MITIGATION_AUTO)
-			retbleed_mitigation = RETBLEED_MITIGATION_NONE;
 	}
+
+	/* If nothing has set the mitigation yet, default to NONE. */
+	if (retbleed_mitigation == RETBLEED_MITIGATION_AUTO)
+		retbleed_mitigation = RETBLEED_MITIGATION_NONE;
 out:
 	pr_info("%s\n", retbleed_strings[retbleed_mitigation]);
 }
 
-
 static void __init retbleed_apply_mitigation(void)
 {
 	bool mitigate_smt = false;

-- 
2.34.1

[PATCH v2 2/7] x86/retbleed: Simplify the =stuff checks

[Pawan Gupta]

Simplify the nested checks, remove redundant print and comment.

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
 arch/x86/kernel/cpu/bugs.c | 24 ++++++++----------------
 1 file changed, 8 insertions(+), 16 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 19ff705b3128eacad5659990ed345d7a19bcb0f4..20d7d14b08298d4f610f2ebc7f13a490ee3d957a 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1258,24 +1258,16 @@ static void __init retbleed_update_mitigation(void)
 	if (retbleed_mitigation == RETBLEED_MITIGATION_NONE)
 		goto out;
 
-	/*
-	 * retbleed=stuff is only allowed on Intel.  If stuffing can't be used
-	 * then a different mitigation will be selected below.
-	 *
-	 * its=stuff will also attempt to enable stuffing.
-	 */
-	if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF ||
-	    its_mitigation == ITS_MITIGATION_RETPOLINE_STUFF) {
-		if (spectre_v2_enabled != SPECTRE_V2_RETPOLINE) {
-			pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
-			retbleed_mitigation = RETBLEED_MITIGATION_AUTO;
-		} else {
-			if (retbleed_mitigation != RETBLEED_MITIGATION_STUFF)
-				pr_info("Retbleed mitigation updated to stuffing\n");
+	 /* ITS can also enable stuffing */
+	if (its_mitigation == ITS_MITIGATION_RETPOLINE_STUFF)
+		retbleed_mitigation = RETBLEED_MITIGATION_STUFF;
 
-			retbleed_mitigation = RETBLEED_MITIGATION_STUFF;
-		}
+	if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF &&
+	    spectre_v2_enabled != SPECTRE_V2_RETPOLINE) {
+		pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
+		retbleed_mitigation = RETBLEED_MITIGATION_AUTO;
 	}
+
 	/*
 	 * Let IBRS trump all on Intel without affecting the effects of the
 	 * retbleed= cmdline option except for call depth based stuffing

-- 
2.34.1

[PATCH v2 3/7] x86/bugs: Exit early if return thunk is already set

[Pawan Gupta]

ITS and retbleed can both set CDT return thunk. If the exact same return
thunk is already set, avoid the warning and exit early.

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
 arch/x86/kernel/cpu/bugs.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 20d7d14b08298d4f610f2ebc7f13a490ee3d957a..a088302b320cf68344e28be7710b5a3582bba9ea 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -113,6 +113,9 @@ void (*x86_return_thunk)(void) __ro_after_init = __x86_return_thunk;
 
 static void __init set_return_thunk(void *thunk)
 {
+	if (thunk == x86_return_thunk)
+		return;
+
 	if (x86_return_thunk != __x86_return_thunk)
 		pr_warn("x86/bugs: return thunk changed\n");
 

-- 
2.34.1

[PATCH v2 4/7] x86/its: Use switch/case to apply mitigation

[Pawan Gupta]

Prepare to apply stuffing mitigation in its_apply_mitigation(). This is
currently only done via retbleed mitigation. Also using switch/case makes
it evident that mitigation mode like VMEXIT_ONLY doesn't need any special
handling.

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
 arch/x86/kernel/cpu/bugs.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index a088302b320cf68344e28be7710b5a3582bba9ea..fbfc08f5f9f652beb677a1b5310e4322600082ac 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1471,15 +1471,21 @@ static void __init its_update_mitigation(void)
 
 static void __init its_apply_mitigation(void)
 {
+	switch (its_mitigation) {
+	case ITS_MITIGATION_OFF:
+	case ITS_MITIGATION_AUTO:
+	case ITS_MITIGATION_VMEXIT_ONLY:
 	/* its=stuff forces retbleed stuffing and is enabled there. */
-	if (its_mitigation != ITS_MITIGATION_ALIGNED_THUNKS)
-		return;
-
-	if (!boot_cpu_has(X86_FEATURE_RETPOLINE))
-		setup_force_cpu_cap(X86_FEATURE_INDIRECT_THUNK_ITS);
+	case ITS_MITIGATION_RETPOLINE_STUFF:
+		break;
+	case ITS_MITIGATION_ALIGNED_THUNKS:
+		if (!boot_cpu_has(X86_FEATURE_RETPOLINE))
+			setup_force_cpu_cap(X86_FEATURE_INDIRECT_THUNK_ITS);
 
-	setup_force_cpu_cap(X86_FEATURE_RETHUNK);
-	set_return_thunk(its_return_thunk);
+		setup_force_cpu_cap(X86_FEATURE_RETHUNK);
+		set_return_thunk(its_return_thunk);
+		break;
+	}
 }
 
 #undef pr_fmt

-- 
2.34.1

[PATCH v2 5/7] x86/retbleed: Introduce cdt_possible()

[Pawan Gupta]

In preparation to allow ITS to also enable stuffing a.k.a. Call Depth
Tracking(CDT) independently of retbleed, introduce a helper cdt_possible().

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
 arch/x86/kernel/cpu/bugs.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index fbfc08f5f9f652beb677a1b5310e4322600082ac..59a1f59bf6e2ceda624b6567c5b09ebc524cb9a2 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1123,6 +1123,19 @@ early_param("nospectre_v1", nospectre_v1_cmdline);
 
 enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = SPECTRE_V2_NONE;
 
+/* Depends on spectre_v2 mitigation selected already */
+static inline bool cdt_possible(enum spectre_v2_mitigation mode)
+{
+	if (!IS_ENABLED(CONFIG_MITIGATION_CALL_DEPTH_TRACKING) ||
+	    !IS_ENABLED(CONFIG_MITIGATION_RETPOLINE))
+		return false;
+
+	if (mode == SPECTRE_V2_RETPOLINE)
+		return true;
+
+	return false;
+}
+
 #undef pr_fmt
 #define pr_fmt(fmt)     "RETBleed: " fmt
 
@@ -1266,7 +1279,7 @@ static void __init retbleed_update_mitigation(void)
 		retbleed_mitigation = RETBLEED_MITIGATION_STUFF;
 
 	if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF &&
-	    spectre_v2_enabled != SPECTRE_V2_RETPOLINE) {
+	    !cdt_possible(spectre_v2_enabled)) {
 		pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
 		retbleed_mitigation = RETBLEED_MITIGATION_AUTO;
 	}

-- 
2.34.1

[PATCH v2 6/7] x86/its: Remove =stuff dependency on retbleed

[Pawan Gupta]

Allow ITS to enable stuffing independent of retbleed. The dependency is
only on retpoline. It is a valid case for retbleed to be mitigated by eIBRS
while ITS deploys stuffing at the same time.

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
 arch/x86/kernel/cpu/bugs.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 59a1f59bf6e2ceda624b6567c5b09ebc524cb9a2..043da9eaf99c5e1f92ae6c56cb7f779bbceae0e0 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1470,13 +1470,8 @@ static void __init its_update_mitigation(void)
 		break;
 	}
 
-	/*
-	 * retbleed_update_mitigation() will try to do stuffing if its=stuff.
-	 * If it can't, such as if spectre_v2!=retpoline, then fall back to
-	 * aligned thunks.
-	 */
 	if (its_mitigation == ITS_MITIGATION_RETPOLINE_STUFF &&
-	    retbleed_mitigation != RETBLEED_MITIGATION_STUFF)
+	    !cdt_possible(spectre_v2_enabled))
 		its_mitigation = ITS_MITIGATION_ALIGNED_THUNKS;
 
 	pr_info("%s\n", its_strings[its_mitigation]);
@@ -1488,8 +1483,6 @@ static void __init its_apply_mitigation(void)
 	case ITS_MITIGATION_OFF:
 	case ITS_MITIGATION_AUTO:
 	case ITS_MITIGATION_VMEXIT_ONLY:
-	/* its=stuff forces retbleed stuffing and is enabled there. */
-	case ITS_MITIGATION_RETPOLINE_STUFF:
 		break;
 	case ITS_MITIGATION_ALIGNED_THUNKS:
 		if (!boot_cpu_has(X86_FEATURE_RETPOLINE))
@@ -1498,6 +1491,11 @@ static void __init its_apply_mitigation(void)
 		setup_force_cpu_cap(X86_FEATURE_RETHUNK);
 		set_return_thunk(its_return_thunk);
 		break;
+	case ITS_MITIGATION_RETPOLINE_STUFF:
+		setup_force_cpu_cap(X86_FEATURE_RETHUNK);
+		setup_force_cpu_cap(X86_FEATURE_CALL_DEPTH);
+		set_return_thunk(call_depth_return_thunk);
+		break;
 	}
 }
 

-- 
2.34.1

[PATCH v2 7/7] x86/its: Allow stuffing in eIBRS+retpoline mode also

[Pawan Gupta]

After a recent restructuring of ITS mitigation, RSB stuffing can no
longer be enabled in eIBRS+Retpoline mode. Before ITS, retbleed
mitigation only allowed stuffing when eIBRS was not enabled. This was
perfectly fine since eIBRS mitigates retbleed.

However, RSB stuffing mitigation for ITS is still needed with eIBRS. The
restructuring solely relies on retbleed to deploy stuffing, and does not
allow it when eIBRS is enabled. This behavior is different from what was
before the restructuring. Fix it by allowing stuffing in eIBRS+retpoline
mode also.

Fixes: 8c57ca583ebf ("x86/bugs: Restructure ITS mitigation")
Closes: https://lore.kernel.org/lkml/20250519235101.2vm6sc5txyoykb2r@desk/
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
 arch/x86/kernel/cpu/bugs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 043da9eaf99c5e1f92ae6c56cb7f779bbceae0e0..ad04da8711b24f2d070e84275a77a4e561fe4d2a 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1130,7 +1130,8 @@ static inline bool cdt_possible(enum spectre_v2_mitigation mode)
 	    !IS_ENABLED(CONFIG_MITIGATION_RETPOLINE))
 		return false;
 
-	if (mode == SPECTRE_V2_RETPOLINE)
+	if (mode == SPECTRE_V2_RETPOLINE ||
+	    mode == SPECTRE_V2_EIBRS_RETPOLINE)
 		return true;
 
 	return false;
@@ -1280,7 +1281,7 @@ static void __init retbleed_update_mitigation(void)
 
 	if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF &&
 	    !cdt_possible(spectre_v2_enabled)) {
-		pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
+		pr_err("WARNING: retbleed=stuff depends on retpoline\n");
 		retbleed_mitigation = RETBLEED_MITIGATION_AUTO;
 	}
 
@@ -1457,6 +1458,7 @@ static void __init its_update_mitigation(void)
 		its_mitigation = ITS_MITIGATION_OFF;
 		break;
 	case SPECTRE_V2_RETPOLINE:
+	case SPECTRE_V2_EIBRS_RETPOLINE:
 		/* Retpoline+CDT mitigates ITS */
 		if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF)
 			its_mitigation = ITS_MITIGATION_RETPOLINE_STUFF;

-- 
2.34.1

Re: [PATCH v2 1/7] x86/retbleed: Check for AUTO in all cases

[Nikolay Borisov]

On 5/22/25 05:44, Pawan Gupta wrote:
> When none of mitigation option is selected, AUTO gets converted to NONE.
> This is currently only being done for Intel. The check is useful in
> general, make it common.
> 
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>

Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>

Re: [PATCH v2 2/7] x86/retbleed: Simplify the =stuff checks

[Nikolay Borisov]

On 5/22/25 05:44, Pawan Gupta wrote:
> Simplify the nested checks, remove redundant print and comment.
> 
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>

Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>

Re: [PATCH v2 3/7] x86/bugs: Exit early if return thunk is already set

[Nikolay Borisov]

On 5/22/25 05:44, Pawan Gupta wrote:
> ITS and retbleed can both set CDT return thunk. If the exact same return
> thunk is already set, avoid the warning and exit early.

According to the code there is only a single call which sets the CDT 
thunkand its in retbleed_apply_mitigation() if RETBLEED_MITIGATION_STUFF 
is being used.

ITS OTOH only sets 'its_return_thunk'.

While the patch itself is not wrong, the description doesn't reflect the 
current code?

> 
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>

Re: [PATCH v2 3/7] x86/bugs: Exit early if return thunk is already set

[Nikolay Borisov]

On 5/22/25 13:22, Nikolay Borisov wrote:
> 
> 
> On 5/22/25 05:44, Pawan Gupta wrote:
>> ITS and retbleed can both set CDT return thunk. If the exact same return
>> thunk is already set, avoid the warning and exit early.
> 
> According to the code there is only a single call which sets the CDT 
> thunkand its in retbleed_apply_mitigation() if RETBLEED_MITIGATION_STUFF 
> is being used.
> 
> ITS OTOH only sets 'its_return_thunk'.
> 
> While the patch itself is not wrong, the description doesn't reflect the 
> current code?

So this is in preparation to allowing ITS to select the CDT, but this 
must be mentioned explicitly or simply squash this change into 'x86/its: 
Remove =stuff dependency on retbleed'

> 
>>
>> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
> 
> 
> 

Re: [PATCH v2 4/7] x86/its: Use switch/case to apply mitigation

[Nikolay Borisov]

On 5/22/25 05:45, Pawan Gupta wrote:
> Prepare to apply stuffing mitigation in its_apply_mitigation(). This is
> currently only done via retbleed mitigation. Also using switch/case makes
> it evident that mitigation mode like VMEXIT_ONLY doesn't need any special
> handling.
> 
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>

Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>

Re: [PATCH v2 1/7] x86/retbleed: Check for AUTO in all cases

[Borislav Petkov]

On Wed, May 21, 2025 at 07:44:22PM -0700, Pawan Gupta wrote:
> When none of mitigation option is selected, AUTO gets converted to NONE.
> This is currently only being done for Intel. The check is useful in
> general, make it common.
> 
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
> ---
>  arch/x86/kernel/cpu/bugs.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 7f94e6a5497d9a2d312a76095e48d6b364565777..19ff705b3128eacad5659990ed345d7a19bcb0f4 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -1294,15 +1294,15 @@ static void __init retbleed_update_mitigation(void)
>  			if (retbleed_mitigation != RETBLEED_MITIGATION_STUFF)
>  				pr_err(RETBLEED_INTEL_MSG);
>  		}
> -		/* If nothing has set the mitigation yet, default to NONE. */
> -		if (retbleed_mitigation == RETBLEED_MITIGATION_AUTO)
> -			retbleed_mitigation = RETBLEED_MITIGATION_NONE;
>  	}
> +
> +	/* If nothing has set the mitigation yet, default to NONE. */
> +	if (retbleed_mitigation == RETBLEED_MITIGATION_AUTO)
> +		retbleed_mitigation = RETBLEED_MITIGATION_NONE;
>  out:
>  	pr_info("%s\n", retbleed_strings[retbleed_mitigation]);
>  }

So, the way I see it is, AUTO means user didn't select anything so we will
select the default thing.
 
And we do that in the select function.

But then in the update function we bring back AUTO from the dead again,
forcing us to having to deal with it, well, again.

So can we simply set to RETBLEED_MITIGATION_NONE in the retbleed + its = stuff
option when SPECTRE_V2_RETPOLINE not selected?

This'll get rid of the AUTO crap.

For that, the select function should probably select something else from AUTO
on Intel too.

My point is, let's deal with AUTO in the select functions only and then forget
it from then on...

Right?

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH v2 2/7] x86/retbleed: Simplify the =stuff checks

[Borislav Petkov]

On Wed, May 21, 2025 at 07:44:37PM -0700, Pawan Gupta wrote:
> +	if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF &&
> +	    spectre_v2_enabled != SPECTRE_V2_RETPOLINE) {
> +		pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
> +		retbleed_mitigation = RETBLEED_MITIGATION_AUTO;

What would be the next-best thing fallback for this, short of disabling the
mitigation?

UNRET, IBPB?

I would prefer if we look at STUFFing only when SPECTRE_V2_RETPOLINE - i.e.,
is it even possible.

If not, we fallback to another mitigation which is probably more expensive but
it is better than NONE...

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH v2 1/7] x86/retbleed: Check for AUTO in all cases

[Pawan Gupta]

On Thu, May 22, 2025 at 01:27:30PM +0200, Borislav Petkov wrote:
> On Wed, May 21, 2025 at 07:44:22PM -0700, Pawan Gupta wrote:
> > When none of mitigation option is selected, AUTO gets converted to NONE.
> > This is currently only being done for Intel. The check is useful in
> > general, make it common.
> > 
> > Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
> > ---
> >  arch/x86/kernel/cpu/bugs.c | 8 ++++----
> >  1 file changed, 4 insertions(+), 4 deletions(-)
> > 
> > diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> > index 7f94e6a5497d9a2d312a76095e48d6b364565777..19ff705b3128eacad5659990ed345d7a19bcb0f4 100644
> > --- a/arch/x86/kernel/cpu/bugs.c
> > +++ b/arch/x86/kernel/cpu/bugs.c
> > @@ -1294,15 +1294,15 @@ static void __init retbleed_update_mitigation(void)
> >  			if (retbleed_mitigation != RETBLEED_MITIGATION_STUFF)
> >  				pr_err(RETBLEED_INTEL_MSG);
> >  		}
> > -		/* If nothing has set the mitigation yet, default to NONE. */
> > -		if (retbleed_mitigation == RETBLEED_MITIGATION_AUTO)
> > -			retbleed_mitigation = RETBLEED_MITIGATION_NONE;
> >  	}
> > +
> > +	/* If nothing has set the mitigation yet, default to NONE. */
> > +	if (retbleed_mitigation == RETBLEED_MITIGATION_AUTO)
> > +		retbleed_mitigation = RETBLEED_MITIGATION_NONE;
> >  out:
> >  	pr_info("%s\n", retbleed_strings[retbleed_mitigation]);
> >  }
> 
> So, the way I see it is, AUTO means user didn't select anything so we will
> select the default thing.
>  
> And we do that in the select function.
> 
> But then in the update function we bring back AUTO from the dead again,
> forcing us to having to deal with it, well, again.
> 
> So can we simply set to RETBLEED_MITIGATION_NONE in the retbleed + its = stuff
> option when SPECTRE_V2_RETPOLINE not selected?

That can be done.

> This'll get rid of the AUTO crap.

Yup.

> For that, the select function should probably select something else from AUTO
> on Intel too.
> 
> My point is, let's deal with AUTO in the select functions only and then forget
> it from then on...
> 
> Right?

Yes, makes sense to me.

This is how it is looking:

---
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index ad04da8711b2..156fee146228 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1264,6 +1264,13 @@ static void __init retbleed_select_mitigation(void)
 			retbleed_mitigation = RETBLEED_MITIGATION_IBPB;
 		else
 			retbleed_mitigation = RETBLEED_MITIGATION_NONE;
+	} else if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) {
+		if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED))
+			retbleed_mitigation = RETBLEED_MITIGATION_EIBRS;
+		else if (boot_cpu_has(X86_FEATURE_IBRS))
+			retbleed_mitigation = RETBLEED_MITIGATION_IBRS;
+		else
+			retbleed_mitigation = RETBLEED_MITIGATION_NONE;
 	}
 }
 
@@ -1272,9 +1279,6 @@ static void __init retbleed_update_mitigation(void)
 	if (!boot_cpu_has_bug(X86_BUG_RETBLEED) || cpu_mitigations_off())
 		return;
 
-	if (retbleed_mitigation == RETBLEED_MITIGATION_NONE)
-		goto out;
-
 	 /* ITS can also enable stuffing */
 	if (its_mitigation == ITS_MITIGATION_RETPOLINE_STUFF)
 		retbleed_mitigation = RETBLEED_MITIGATION_STUFF;
@@ -1282,7 +1286,7 @@ static void __init retbleed_update_mitigation(void)
 	if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF &&
 	    !cdt_possible(spectre_v2_enabled)) {
 		pr_err("WARNING: retbleed=stuff depends on retpoline\n");
-		retbleed_mitigation = RETBLEED_MITIGATION_AUTO;
+		retbleed_mitigation = RETBLEED_MITIGATION_NONE;
 	}
 
 	/*
@@ -1305,10 +1309,6 @@ static void __init retbleed_update_mitigation(void)
 		}
 	}
 
-	/* If nothing has set the mitigation yet, default to NONE. */
-	if (retbleed_mitigation == RETBLEED_MITIGATION_AUTO)
-		retbleed_mitigation = RETBLEED_MITIGATION_NONE;
-out:
 	pr_info("%s\n", retbleed_strings[retbleed_mitigation]);
 }
 

Re: [PATCH v2 2/7] x86/retbleed: Simplify the =stuff checks

[Pawan Gupta]

On Thu, May 22, 2025 at 01:42:58PM +0200, Borislav Petkov wrote:
> On Wed, May 21, 2025 at 07:44:37PM -0700, Pawan Gupta wrote:
> > +	if (retbleed_mitigation == RETBLEED_MITIGATION_STUFF &&
> > +	    spectre_v2_enabled != SPECTRE_V2_RETPOLINE) {
> > +		pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
> > +		retbleed_mitigation = RETBLEED_MITIGATION_AUTO;
> 
> What would be the next-best thing fallback for this, short of disabling the
> mitigation?
> 
> UNRET, IBPB?

Next best is IBRS/eIBRS, which also depends on spectre-v2 mitigation. So
NONE is fine here because the next code block will take care of selecting
the right mitigation.

> I would prefer if we look at STUFFing only when SPECTRE_V2_RETPOLINE - i.e.,
> is it even possible.

retbleed_update_mitigation() is the earliest we know that stuffing is
possible (when spectre-v2 has selected the mitigation).

> If not, we fallback to another mitigation which is probably more expensive but
> it is better than NONE...

Covered above.

Re: [PATCH v2 3/7] x86/bugs: Exit early if return thunk is already set

[Pawan Gupta]

On Thu, May 22, 2025 at 01:26:16PM +0300, Nikolay Borisov wrote:
> 
> 
> On 5/22/25 13:22, Nikolay Borisov wrote:
> > 
> > 
> > On 5/22/25 05:44, Pawan Gupta wrote:
> > > ITS and retbleed can both set CDT return thunk. If the exact same return
> > > thunk is already set, avoid the warning and exit early.
> > 
> > According to the code there is only a single call which sets the CDT
> > thunkand its in retbleed_apply_mitigation() if RETBLEED_MITIGATION_STUFF
> > is being used.
> > 
> > ITS OTOH only sets 'its_return_thunk'.
> > 
> > While the patch itself is not wrong, the description doesn't reflect the
> > current code?
> 
> So this is in preparation to allowing ITS to select the CDT, but this must
> be mentioned explicitly or simply squash this change into 'x86/its: Remove
> =stuff dependency on retbleed'

Right, will update the commit message.

Re: [PATCH v2 4/7] x86/its: Use switch/case to apply mitigation

[Pawan Gupta]

On Thu, May 22, 2025 at 02:15:36PM +0300, Nikolay Borisov wrote:
> 
> 
> On 5/22/25 05:45, Pawan Gupta wrote:
> > Prepare to apply stuffing mitigation in its_apply_mitigation(). This is
> > currently only done via retbleed mitigation. Also using switch/case makes
> > it evident that mitigation mode like VMEXIT_ONLY doesn't need any special
> > handling.
> > 
> > Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
> 
> Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>

Thanks.