From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Andrew Cooper <andrew.cooper3@citrix.com>,
Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Alexandre Chartre <alexandre.chartre@oracle.com>
Subject: [PATCH 6.1 90/92] x86/its: Align RETs in BHB clear sequence to avoid thunking
Date: Mon, 12 May 2025 19:46:05 +0200
Message-ID: <20250512172026.792645108@linuxfoundation.org>
In-Reply-To: <20250512172023.126467649@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
commit f0cd7091cc5a032c8870b4285305d9172569d126 upstream.
The software mitigation for BHI is to execute the BHB clear sequence at syscall
entry, and possibly after a cBPF program. The ITS mitigation thunks RETs in the
lower half of the cacheline. This causes the RETs in the BHB clear sequence
to be thunked as well, adding unnecessary branches to the BHB clear
sequence.
Since the sequence is in the hot path, align the RET instructions in the
sequence to avoid thunking.
This is how the disassembly of clear_bhb_loop() looks after this change:
0x44 <+4>: mov $0x5,%ecx
0x49 <+9>: call 0xffffffff81001d9b <clear_bhb_loop+91>
0x4e <+14>: jmp 0xffffffff81001de5 <clear_bhb_loop+165>
0x53 <+19>: int3
...
0x9b <+91>: call 0xffffffff81001dce <clear_bhb_loop+142>
0xa0 <+96>: ret
0xa1 <+97>: int3
...
0xce <+142>: mov $0x5,%eax
0xd3 <+147>: jmp 0xffffffff81001dd6 <clear_bhb_loop+150>
0xd5 <+149>: nop
0xd6 <+150>: sub $0x1,%eax
0xd9 <+153>: jne 0xffffffff81001dd3 <clear_bhb_loop+147>
0xdb <+155>: sub $0x1,%ecx
0xde <+158>: jne 0xffffffff81001d9b <clear_bhb_loop+91>
0xe0 <+160>: ret
0xe1 <+161>: int3
0xe2 <+162>: int3
0xe3 <+163>: int3
0xe4 <+164>: int3
0xe5 <+165>: lfence
0xe8 <+168>: pop %rbp
0xe9 <+169>: ret
Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Alexandre Chartre <alexandre.chartre@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
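An added check, not part of the patch or of the kernel tree, that applies the rule the commit message states (a RET in the lower half of a 64-byte cacheline is routed through its_return_thunk) to the listing quoted above and reproduces the `.skip` arithmetic the hunks rely on; the input is that listing with the "..." gaps and int3 padding removed.

```python
import re

CACHELINE = 64           # clear_bhb_loop uses ".align 64, 0xcc"
HALF = CACHELINE // 2    # a RET at offset < 32 is in the "lower half"

# Constructed input: the RET-bearing part of the clear_bhb_loop() listing
# from the commit message, with the "..." gaps and int3 padding dropped.
DISASM = """\
0x9b <+91>: call 0xffffffff81001dce <clear_bhb_loop+142>
0xa0 <+96>: ret
0xce <+142>: mov $0x5,%eax
0xd3 <+147>: jmp 0xffffffff81001dd6 <clear_bhb_loop+150>
0xd5 <+149>: nop
0xd6 <+150>: sub $0x1,%eax
0xd9 <+153>: jne 0xffffffff81001dd3 <clear_bhb_loop+147>
0xdb <+155>: sub $0x1,%ecx
0xde <+158>: jne 0xffffffff81001d9b <clear_bhb_loop+91>
0xe0 <+160>: ret
0xe8 <+168>: pop %rbp
0xe9 <+169>: ret
"""

LINE_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+<\+(\d+)>:\s+(\S+)")


def ret_positions(listing):
    """(function offset, cacheline offset, thunked) for every RET.
    ITS rewrites a RET whose address % 64 < 32 to go via its_return_thunk;
    the low address byte in the listing suffices since 256 % 64 == 0."""
    hits = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "ret":
            off = int(m.group(1), 16) % CACHELINE
            hits.append((int(m.group(2)), off, off < HALF))
    return hits


def skip_padding(body_bytes):
    """Padding '.skip 32 - (.LretN - Nf), 0xcc' emits after a 64-byte
    alignment so the RET lands at offset 32 exactly. Rejects bodies that
    would push the RET past the half-line, as a negative .skip would fail."""
    if not 0 < body_bytes <= HALF:
        raise ValueError("code before the RET must fit in 32 bytes")
    return HALF - body_bytes


if __name__ == "__main__":
    for func_off, off, thunked in ret_positions(DISASM):
        print(f"RET at +{func_off}: offset {off} -> "
              f"{'its_return_thunk' if thunked else 'direct'}")
    # 1: is a 5-byte call -> pad 27; the 7 instructions from 2: to .Lret2
    # (5+2+1+3+2+3+2) total 18 bytes -> ".skip 32 - 18" pads 14.
    print(skip_padding(5), skip_padding(18))
```

Running it shows all three RETs of the patched function at offsets 32, 32 and 41, none of which the ITS mitigation would thunk.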
---
arch/x86/entry/entry_64.S | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -1559,7 +1559,9 @@ SYM_CODE_END(rewind_stack_and_make_dead)
* ORC to unwind properly.
*
* The alignment is for performance and not for safety, and may be safely
- * refactored in the future if needed.
+ * refactored in the future if needed. The .skips are for safety, to ensure
+ * that all RETs are in the second half of a cacheline to mitigate Indirect
+ * Target Selection, rather than taking the slowpath via its_return_thunk.
*/
SYM_FUNC_START(clear_bhb_loop)
push %rbp
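Review bot: the new comment text in this hunk contradicts the sentence it extends: the line above still says the alignment is "for performance and not for safety", and the commit message describes a thunked RET as merely adding unnecessary branches, yet the .skips are now described as "for safety". A RET in the lower half is still mitigated via its_return_thunk, only slower, so consider wording it as "The .skips keep all RETs in the second half of a cacheline so that the ITS mitigation does not route them through its_return_thunk" and dropping "for safety".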
@@ -1569,10 +1571,22 @@ SYM_FUNC_START(clear_bhb_loop)
call 1f
jmp 5f
.align 64, 0xcc
+ /*
+ * Shift instructions so that the RET is in the upper half of the
+ * cacheline and don't take the slowpath to its_return_thunk.
+ */
+ .skip 32 - (.Lret1 - 1f), 0xcc
ANNOTATE_INTRA_FUNCTION_CALL
1: call 2f
- RET
+.Lret1: RET
.align 64, 0xcc
+ /*
+ * As above shift instructions for RET at .Lret2 as well.
+ *
+ * This should be ideally be: .skip 32 - (.Lret2 - 2f), 0xcc
+ * but some Clang versions (e.g. 18) don't like this.
+ */
+ .skip 32 - 18, 0xcc
2: movl $5, %eax
3: jmp 4f
nop
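Review bot: the hard-coded `.skip 32 - 18, 0xcc` before label 2: goes stale silently if any instruction between 2: and .Lret2 changes encoding; unlike the symbolic `.skip 32 - (.Lret1 - 1f)` form used for .Lret1, nothing fails at assembly time, the RET simply drifts into the lower half and is thunked again. Suggest spelling out the byte budget in the comment so the constant is auditable (from the listing in the commit message: movl 5, jmp 2, nop 1, sub 3, jnz 2, sub 3, jnz 2 = 18), or adding an assembler-time check placed after .Lret2, where both labels are backward references and the Clang complaint about the forward-reference form should not apply. Also a typo in the comment: "This should be ideally be" should read "This should ideally be".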
@@ -1580,7 +1594,7 @@ SYM_FUNC_START(clear_bhb_loop)
jnz 3b
sub $1, %ecx
jnz 1b
- RET
+.Lret2: RET
5: lfence
pop %rbp
RET
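Review bot: only two of the three RETs in clear_bhb_loop are pinned by this change; the trailing `RET` after `pop %rbp` at the end of this hunk gets neither a label nor a .skip. In the listing in the commit message it lands at +169 (0xe9, offset 41 within its cacheline) only because of what precedes it, so a later edit can move it into the lower half unnoticed. Either add a matching label and .skip for it or state in the comment that this once-per-call RET is deliberately left to the thunk.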