* [PATCH] x86/its: Move ITS indirect branch thunks to .text..__x86.indirect_thunk
@ 2025-06-06 16:55 Josh Poimboeuf
2025-06-06 17:39 ` Pawan Gupta
2025-08-22 13:53 ` [tip: x86/bugs] " tip-bot2 for Josh Poimboeuf
0 siblings, 2 replies; 3+ messages in thread
From: Josh Poimboeuf @ 2025-06-06 16:55 UTC (permalink / raw)
To: x86
Cc: linux-kernel, Pawan Gupta, Peter Zijlstra, Ingo Molnar,
Alexandre Chartre, Dave Hansen
The ITS mitigation includes both indirect branch thunks and return
thunks. Both are currently placed in .text..__x86.return_thunk, which
is appropriate for the latter but not the former.
For consistency with other mitigations, move the indirect branch thunks
to .text..__x86.indirect_thunk.
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
---
arch/x86/lib/retpoline.S | 75 +++++++++++++++++++++-------------------
1 file changed, 40 insertions(+), 35 deletions(-)
diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S
index d78d769a02bd..f513d33b6d37 100644
--- a/arch/x86/lib/retpoline.S
+++ b/arch/x86/lib/retpoline.S
@@ -15,7 +15,6 @@
.section .text..__x86.indirect_thunk
-
.macro POLINE reg
ANNOTATE_INTRA_FUNCTION_CALL
call .Ldo_rop_\@
@@ -73,6 +72,7 @@ SYM_CODE_END(__x86_indirect_thunk_array)
#undef GEN
#ifdef CONFIG_MITIGATION_CALL_DEPTH_TRACKING
+
.macro CALL_THUNK reg
.align RETPOLINE_THUNK_SIZE
@@ -126,7 +126,45 @@ SYM_CODE_END(__x86_indirect_jump_thunk_array)
#define GEN(reg) __EXPORT_THUNK(__x86_indirect_jump_thunk_ ## reg)
#include <asm/GEN-for-each-reg.h>
#undef GEN
-#endif
+
+#endif /* CONFIG_MITIGATION_CALL_DEPTH_TRACKING */
+
+#ifdef CONFIG_MITIGATION_ITS
+
+.macro ITS_THUNK reg
+
+/*
+ * If CFI paranoid is used then the ITS thunk starts with opcodes (0xea; jne 1b)
+ * that complete the fineibt_paranoid caller sequence.
+ */
+1: .byte 0xea
+SYM_INNER_LABEL(__x86_indirect_paranoid_thunk_\reg, SYM_L_GLOBAL)
+ UNWIND_HINT_UNDEFINED
+ ANNOTATE_NOENDBR
+ jne 1b
+SYM_INNER_LABEL(__x86_indirect_its_thunk_\reg, SYM_L_GLOBAL)
+ UNWIND_HINT_UNDEFINED
+ ANNOTATE_NOENDBR
+ ANNOTATE_RETPOLINE_SAFE
+ jmp *%\reg
+ int3
+ .align 32, 0xcc /* fill to the end of the line */
+ .skip 32 - (__x86_indirect_its_thunk_\reg - 1b), 0xcc /* skip to the next upper half */
+.endm
+
+/* ITS mitigation requires thunks be aligned to upper half of cacheline */
+.align 64, 0xcc
+.skip 29, 0xcc
+
+#define GEN(reg) ITS_THUNK reg
+#include <asm/GEN-for-each-reg.h>
+#undef GEN
+
+ .align 64, 0xcc
+SYM_FUNC_ALIAS(__x86_indirect_its_thunk_array, __x86_indirect_its_thunk_rax)
+SYM_CODE_END(__x86_indirect_its_thunk_array)
+
+#endif /* CONFIG_MITIGATION_ITS */
#ifdef CONFIG_MITIGATION_RETHUNK
@@ -370,39 +408,6 @@ SYM_FUNC_END(call_depth_return_thunk)
#ifdef CONFIG_MITIGATION_ITS
-.macro ITS_THUNK reg
-
-/*
- * If CFI paranoid is used then the ITS thunk starts with opcodes (0xea; jne 1b)
- * that complete the fineibt_paranoid caller sequence.
- */
-1: .byte 0xea
-SYM_INNER_LABEL(__x86_indirect_paranoid_thunk_\reg, SYM_L_GLOBAL)
- UNWIND_HINT_UNDEFINED
- ANNOTATE_NOENDBR
- jne 1b
-SYM_INNER_LABEL(__x86_indirect_its_thunk_\reg, SYM_L_GLOBAL)
- UNWIND_HINT_UNDEFINED
- ANNOTATE_NOENDBR
- ANNOTATE_RETPOLINE_SAFE
- jmp *%\reg
- int3
- .align 32, 0xcc /* fill to the end of the line */
- .skip 32 - (__x86_indirect_its_thunk_\reg - 1b), 0xcc /* skip to the next upper half */
-.endm
-
-/* ITS mitigation requires thunks be aligned to upper half of cacheline */
-.align 64, 0xcc
-.skip 29, 0xcc
-
-#define GEN(reg) ITS_THUNK reg
-#include <asm/GEN-for-each-reg.h>
-#undef GEN
-
- .align 64, 0xcc
-SYM_FUNC_ALIAS(__x86_indirect_its_thunk_array, __x86_indirect_its_thunk_rax)
-SYM_CODE_END(__x86_indirect_its_thunk_array)
-
.align 64, 0xcc
.skip 32, 0xcc
SYM_CODE_START(its_return_thunk)
--
2.49.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] x86/its: Move ITS indirect branch thunks to .text..__x86.indirect_thunk
2025-06-06 16:55 [PATCH] x86/its: Move ITS indirect branch thunks to .text..__x86.indirect_thunk Josh Poimboeuf
@ 2025-06-06 17:39 ` Pawan Gupta
2025-08-22 13:53 ` [tip: x86/bugs] " tip-bot2 for Josh Poimboeuf
1 sibling, 0 replies; 3+ messages in thread
From: Pawan Gupta @ 2025-06-06 17:39 UTC (permalink / raw)
To: Josh Poimboeuf
Cc: x86, linux-kernel, Peter Zijlstra, Ingo Molnar, Alexandre Chartre,
Dave Hansen
On Fri, Jun 06, 2025 at 09:55:02AM -0700, Josh Poimboeuf wrote:
> The ITS mitigation includes both indirect branch thunks and return
> thunks. Both are currently placed in .text..__x86.return_thunk, which
> is appropriate for the latter but not the former.
>
> For consistency with other mitigations, move the indirect branch thunks
> to .text..__x86.indirect_thunk.
>
> Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Reviewed-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
^ permalink raw reply [flat|nested] 3+ messages in thread
* [tip: x86/bugs] x86/its: Move ITS indirect branch thunks to .text..__x86.indirect_thunk
2025-06-06 16:55 [PATCH] x86/its: Move ITS indirect branch thunks to .text..__x86.indirect_thunk Josh Poimboeuf
2025-06-06 17:39 ` Pawan Gupta
@ 2025-08-22 13:53 ` tip-bot2 for Josh Poimboeuf
1 sibling, 0 replies; 3+ messages in thread
From: tip-bot2 for Josh Poimboeuf @ 2025-08-22 13:53 UTC (permalink / raw)
To: linux-tip-commits
Cc: Josh Poimboeuf, Borislav Petkov (AMD), Pawan Gupta, x86,
linux-kernel
The following commit has been merged into the x86/bugs branch of tip:
Commit-ID: 6bca6b9d414c8127350341f193caa11944ce6fa9
Gitweb: https://git.kernel.org/tip/6bca6b9d414c8127350341f193caa11944ce6fa9
Author: Josh Poimboeuf <jpoimboe@kernel.org>
AuthorDate: Fri, 06 Jun 2025 09:55:02 -07:00
Committer: Borislav Petkov (AMD) <bp@alien8.de>
CommitterDate: Fri, 22 Aug 2025 15:35:57 +02:00
x86/its: Move ITS indirect branch thunks to .text..__x86.indirect_thunk
The ITS mitigation includes both indirect branch thunks and return
thunks. Both are currently placed in .text..__x86.return_thunk, which is
appropriate for the latter but not the former.
For consistency with other mitigations, move the indirect branch thunks to
.text..__x86.indirect_thunk.
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Link: https://lore.kernel.org/67a17ed2fc8d12111e76504c8364b1597657c29a.1749228881.git.jpoimboe@kernel.org
---
arch/x86/lib/retpoline.S | 75 ++++++++++++++++++++-------------------
1 file changed, 40 insertions(+), 35 deletions(-)
diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S
index d78d769..f513d33 100644
--- a/arch/x86/lib/retpoline.S
+++ b/arch/x86/lib/retpoline.S
@@ -15,7 +15,6 @@
.section .text..__x86.indirect_thunk
-
.macro POLINE reg
ANNOTATE_INTRA_FUNCTION_CALL
call .Ldo_rop_\@
@@ -73,6 +72,7 @@ SYM_CODE_END(__x86_indirect_thunk_array)
#undef GEN
#ifdef CONFIG_MITIGATION_CALL_DEPTH_TRACKING
+
.macro CALL_THUNK reg
.align RETPOLINE_THUNK_SIZE
@@ -126,7 +126,45 @@ SYM_CODE_END(__x86_indirect_jump_thunk_array)
#define GEN(reg) __EXPORT_THUNK(__x86_indirect_jump_thunk_ ## reg)
#include <asm/GEN-for-each-reg.h>
#undef GEN
-#endif
+
+#endif /* CONFIG_MITIGATION_CALL_DEPTH_TRACKING */
+
+#ifdef CONFIG_MITIGATION_ITS
+
+.macro ITS_THUNK reg
+
+/*
+ * If CFI paranoid is used then the ITS thunk starts with opcodes (0xea; jne 1b)
+ * that complete the fineibt_paranoid caller sequence.
+ */
+1: .byte 0xea
+SYM_INNER_LABEL(__x86_indirect_paranoid_thunk_\reg, SYM_L_GLOBAL)
+ UNWIND_HINT_UNDEFINED
+ ANNOTATE_NOENDBR
+ jne 1b
+SYM_INNER_LABEL(__x86_indirect_its_thunk_\reg, SYM_L_GLOBAL)
+ UNWIND_HINT_UNDEFINED
+ ANNOTATE_NOENDBR
+ ANNOTATE_RETPOLINE_SAFE
+ jmp *%\reg
+ int3
+ .align 32, 0xcc /* fill to the end of the line */
+ .skip 32 - (__x86_indirect_its_thunk_\reg - 1b), 0xcc /* skip to the next upper half */
+.endm
+
+/* ITS mitigation requires thunks be aligned to upper half of cacheline */
+.align 64, 0xcc
+.skip 29, 0xcc
+
+#define GEN(reg) ITS_THUNK reg
+#include <asm/GEN-for-each-reg.h>
+#undef GEN
+
+ .align 64, 0xcc
+SYM_FUNC_ALIAS(__x86_indirect_its_thunk_array, __x86_indirect_its_thunk_rax)
+SYM_CODE_END(__x86_indirect_its_thunk_array)
+
+#endif /* CONFIG_MITIGATION_ITS */
#ifdef CONFIG_MITIGATION_RETHUNK
@@ -370,39 +408,6 @@ SYM_FUNC_END(call_depth_return_thunk)
#ifdef CONFIG_MITIGATION_ITS
-.macro ITS_THUNK reg
-
-/*
- * If CFI paranoid is used then the ITS thunk starts with opcodes (0xea; jne 1b)
- * that complete the fineibt_paranoid caller sequence.
- */
-1: .byte 0xea
-SYM_INNER_LABEL(__x86_indirect_paranoid_thunk_\reg, SYM_L_GLOBAL)
- UNWIND_HINT_UNDEFINED
- ANNOTATE_NOENDBR
- jne 1b
-SYM_INNER_LABEL(__x86_indirect_its_thunk_\reg, SYM_L_GLOBAL)
- UNWIND_HINT_UNDEFINED
- ANNOTATE_NOENDBR
- ANNOTATE_RETPOLINE_SAFE
- jmp *%\reg
- int3
- .align 32, 0xcc /* fill to the end of the line */
- .skip 32 - (__x86_indirect_its_thunk_\reg - 1b), 0xcc /* skip to the next upper half */
-.endm
-
-/* ITS mitigation requires thunks be aligned to upper half of cacheline */
-.align 64, 0xcc
-.skip 29, 0xcc
-
-#define GEN(reg) ITS_THUNK reg
-#include <asm/GEN-for-each-reg.h>
-#undef GEN
-
- .align 64, 0xcc
-SYM_FUNC_ALIAS(__x86_indirect_its_thunk_array, __x86_indirect_its_thunk_rax)
-SYM_CODE_END(__x86_indirect_its_thunk_array)
-
.align 64, 0xcc
.skip 32, 0xcc
SYM_CODE_START(its_return_thunk)
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-08-22 13:53 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-06-06 16:55 [PATCH] x86/its: Move ITS indirect branch thunks to .text..__x86.indirect_thunk Josh Poimboeuf
2025-06-06 17:39 ` Pawan Gupta
2025-08-22 13:53 ` [tip: x86/bugs] " tip-bot2 for Josh Poimboeuf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).