From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, pawan.kumar.gupta@linux.intel.com
Cc: Sasha Levin <sashal@kernel.org>
Subject: Re: [PATCH 5.10 v2 14/16] x86/its: Use dynamic thunks for indirect branches
Date: Thu, 19 Jun 2025 05:03:16 -0400 [thread overview]
Message-ID: <20250618191253-b7cbd0fce517a243@stable.kernel.org> (raw)
In-Reply-To: <20250617-its-5-10-v2-14-3e925a1512a1@linux.intel.com>
[ Sasha's backport helper bot ]
Hi,
Summary of potential issues:
ℹ️ This is part 14/16 of a series
⚠️ Found follow-up fixes in mainline
The upstream commit SHA1 provided is correct: 872df34d7c51a79523820ea6a14860398c639b87
WARNING: Author mismatch between patch and upstream commit:
Backport author: Pawan Gupta<pawan.kumar.gupta@linux.intel.com>
Commit author: Peter Zijlstra<peterz@infradead.org>
Status in newer kernel trees:
6.15.y | Present (exact SHA1)
6.12.y | Present (different SHA1: 88a817e60dbb)
6.6.y | Present (different SHA1: 3b2234cd50a9)
6.1.y | Present (different SHA1: 959cadf09dba)
5.15.y | Present (different SHA1: 1b231a497756)
Found fixes commits:
a82b26451de1 x86/its: explicitly manage permissions for ITS pages
0b0cae7119a0 x86/its: move its_pages array to struct mod_arch_specific
9f35e33144ae x86/its: Fix build errors when CONFIG_MODULES=n
Note: The patch differs from the upstream commit:
---
1: 872df34d7c51a ! 1: cddeb7cb88fa8 x86/its: Use dynamic thunks for indirect branches
@@ Metadata
## Commit message ##
x86/its: Use dynamic thunks for indirect branches
+ commit 872df34d7c51a79523820ea6a14860398c639b87 upstream.
+
ITS mitigation moves the unsafe indirect branches to a safe thunk. This
could degrade the prediction accuracy as the source address of indirect
branches becomes same for different execution paths.
@@ Commit message
they are both more flexible (got to extend them later) and live in 2M TLBs,
just like kernel code, avoiding undue TLB pressure.
+ [ pawan: CONFIG_EXECMEM and CONFIG_EXECMEM_ROX are not supported on
+ backport kernel, made changes to use module_alloc() and
+ set_memory_*() for dynamic thunks. ]
+
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
- Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Alexandre Chartre <alexandre.chartre@oracle.com>
-
- ## arch/x86/Kconfig ##
-@@ arch/x86/Kconfig: config MITIGATION_ITS
- bool "Enable Indirect Target Selection mitigation"
- depends on CPU_SUP_INTEL && X86_64
- depends on MITIGATION_RETPOLINE && MITIGATION_RETHUNK
-+ select EXECMEM
- default y
- help
- Enable Indirect Target Selection (ITS) mitigation. ITS is a bug in
+ Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
## arch/x86/include/asm/alternative.h ##
-@@ arch/x86/include/asm/alternative.h: static __always_inline int x86_call_depth_emit_accounting(u8 **pprog,
- }
- #endif
+@@ arch/x86/include/asm/alternative.h: extern void apply_returns(s32 *start, s32 *end);
+
+ struct module;
+#ifdef CONFIG_MITIGATION_ITS
+extern void its_init_mod(struct module *mod);
@@ arch/x86/include/asm/alternative.h: static __always_inline int x86_call_depth_em
+static inline void its_free_mod(struct module *mod) { }
+#endif
+
- #if defined(CONFIG_MITIGATION_RETHUNK) && defined(CONFIG_OBJTOOL)
+ #if defined(CONFIG_RETHUNK) && defined(CONFIG_STACK_VALIDATION)
extern bool cpu_wants_rethunk(void);
extern bool cpu_wants_rethunk_at(void *addr);
@@ arch/x86/kernel/alternative.c
#include <linux/mmu_context.h>
#include <linux/bsearch.h>
#include <linux/sync_core.h>
-+#include <linux/execmem.h>
++#include <linux/moduleloader.h>
#include <asm/text-patching.h>
#include <asm/alternative.h>
#include <asm/sections.h>
@@
+ #include <asm/io.h>
+ #include <asm/fixmap.h>
#include <asm/asm-prototypes.h>
- #include <asm/cfi.h>
- #include <asm/ibt.h>
+#include <asm/set_memory.h>
int __read_mostly alternatives_patched;
-@@ arch/x86/kernel/alternative.c: const unsigned char * const x86_nops[ASM_NOP_MAX+1] =
- #endif
- };
+@@ arch/x86/kernel/alternative.c: static int emit_indirect(int op, int reg, u8 *bytes)
+
+ #ifdef CONFIG_MITIGATION_ITS
-+#ifdef CONFIG_MITIGATION_ITS
-+
+static struct module *its_mod;
+static void *its_page;
+static unsigned int its_offset;
@@ arch/x86/kernel/alternative.c: const unsigned char * const x86_nops[ASM_NOP_MAX+
+
+void its_fini_mod(struct module *mod)
+{
++ int i;
++
+ if (!cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS))
+ return;
+
@@ arch/x86/kernel/alternative.c: const unsigned char * const x86_nops[ASM_NOP_MAX+
+ its_page = NULL;
+ mutex_unlock(&text_mutex);
+
-+ for (int i = 0; i < mod->its_num_pages; i++) {
++ for (i = 0; i < mod->its_num_pages; i++) {
+ void *page = mod->its_page_array[i];
-+ execmem_restore_rox(page, PAGE_SIZE);
++ set_memory_ro((unsigned long)page, 1);
++ set_memory_x((unsigned long)page, 1);
+ }
+}
+
+void its_free_mod(struct module *mod)
+{
++ int i;
++
+ if (!cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS))
+ return;
+
-+ for (int i = 0; i < mod->its_num_pages; i++) {
++ for (i = 0; i < mod->its_num_pages; i++) {
+ void *page = mod->its_page_array[i];
-+ execmem_free(page);
++ module_memfree(page);
+ }
+ kfree(mod->its_page_array);
+}
+
+static void *its_alloc(void)
+{
-+ void *page __free(execmem) = execmem_alloc(EXECMEM_MODULE_TEXT, PAGE_SIZE);
++ void *page = module_alloc(PAGE_SIZE);
+
+ if (!page)
+ return NULL;
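Review bot: The loop at the end of its_fini_mod calls `set_memory_ro((unsigned long)page, 1);` and `set_memory_x((unsigned long)page, 1);` without checking either result, so a failed attribute change would leave a thunk page writable or non-executable with nothing logged. Both helpers return an int, and wrapping each call, for example `WARN_ON_ONCE(set_memory_ro((unsigned long)page, 1));`, would at least surface the failure. The same unchecked pair appears after `its_init_thunk()` in the its_allocate_thunk hunk further down. its_fini_mod begins outside this hunk, so any earlier handling there is not visible.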
@@ arch/x86/kernel/alternative.c: const unsigned char * const x86_nops[ASM_NOP_MAX+
+ void *tmp = krealloc(its_mod->its_page_array,
+ (its_mod->its_num_pages+1) * sizeof(void *),
+ GFP_KERNEL);
-+ if (!tmp)
++ if (!tmp) {
++ module_memfree(page);
+ return NULL;
++ }
+
+ its_mod->its_page_array = tmp;
+ its_mod->its_page_array[its_mod->its_num_pages++] = page;
-+
-+ execmem_make_temp_rw(page, PAGE_SIZE);
+ }
+
-+ return no_free_ptr(page);
++ return page;
+}
+
+static void *its_allocate_thunk(int reg)
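Review bot: With `__free(execmem)` and `no_free_ptr(page)` replaced by a plain `void *page = module_alloc(PAGE_SIZE);`, its_alloc no longer has automatic cleanup, and the only release is the `module_memfree(page);` added to the krealloc failure branch. A short comment at the allocation would keep later backports from adding an early return that leaks the page, for example `/* No scope-based cleanup on this kernel: every error path below must module_memfree(page). */`. Part of the function body lies between the two hunks and is not shown, so any other exit paths there should be checked against the same rule.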
@@ arch/x86/kernel/alternative.c: const unsigned char * const x86_nops[ASM_NOP_MAX+
+ thunk = its_page + its_offset;
+ its_offset += size;
+
-+ return its_init_thunk(thunk, reg);
-+}
++ set_memory_rw((unsigned long)its_page, 1);
++ thunk = its_init_thunk(thunk, reg);
++ set_memory_ro((unsigned long)its_page, 1);
++ set_memory_x((unsigned long)its_page, 1);
+
-+#endif
++ return thunk;
++}
+
- /*
- * Nomenclature for variable names to simplify and clarify this code and ease
- * any potential staring at it:
-@@ arch/x86/kernel/alternative.c: static int emit_call_track_retpoline(void *addr, struct insn *insn, int reg, u8
- #ifdef CONFIG_MITIGATION_ITS
+ static int __emit_trampoline(void *addr, struct insn *insn, u8 *bytes,
+ void *call_dest, void *jmp_dest)
+ {
+@@ arch/x86/kernel/alternative.c: static int __emit_trampoline(void *addr, struct insn *insn, u8 *bytes,
+
static int emit_its_trampoline(void *addr, struct insn *insn, int reg, u8 *bytes)
{
- return __emit_trampoline(addr, insn, bytes,
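Review bot: `set_memory_rw((unsigned long)its_page, 1);` in its_allocate_thunk is applied to a page that earlier thunks have already made executable, because `thunk = its_page + its_offset; its_offset += size;` packs several thunks into one page and each call ends with `set_memory_x()`. From the second thunk onward the page therefore appears to be writable and executable at the same time while `its_init_thunk()` runs, which weakens W^X for module text. The permission handling deserves a comment stating that window, and the follow-up listed in this report, a82b26451de1 ("x86/its: explicitly manage permissions for ITS pages"), looks like the change to evaluate for this backport. The three set_memory_*() results are also ignored here. The start of its_allocate_thunk is outside this hunk, and the initial protection of a fresh module_alloc() page is not visible.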
@@ arch/x86/kernel/alternative.c: static int emit_call_track_retpoline(void *addr,
## arch/x86/kernel/module.c ##
@@ arch/x86/kernel/module.c: int module_finalize(const Elf_Ehdr *hdr,
- ibt_endbr = s;
+ returns = s;
}
+ its_init_mod(me);
+
- if (retpolines || cfi) {
- void *rseg = NULL, *cseg = NULL;
- unsigned int rsize = 0, csize = 0;
-@@ arch/x86/kernel/module.c: int module_finalize(const Elf_Ehdr *hdr,
+ if (retpolines) {
void *rseg = (void *)retpolines->sh_addr;
apply_retpolines(rseg, rseg + retpolines->sh_size);
}
@@ arch/x86/kernel/module.c: int module_finalize(const Elf_Ehdr *hdr,
+ its_free_mod(mod);
}
- ## include/linux/execmem.h ##
-@@
-
- #include <linux/types.h>
- #include <linux/moduleloader.h>
-+#include <linux/cleanup.h>
-
- #if (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)) && \
- !defined(CONFIG_KASAN_VMALLOC)
-@@ include/linux/execmem.h: void *execmem_alloc(enum execmem_type type, size_t size);
- */
- void execmem_free(void *ptr);
-
-+DEFINE_FREE(execmem, void *, if (_T) execmem_free(_T));
-+
- #ifdef CONFIG_MMU
- /**
- * execmem_vmap - create virtual mapping for EXECMEM_MODULE_DATA memory
-
## include/linux/module.h ##
@@ include/linux/module.h: struct module {
atomic_t refcnt;
---
NOTE: These results are for this patch alone. Full series testing will be
performed when all parts are received.
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.15.y | Success | Success |
2025-06-18 0:44 [PATCH 5.10 v2 00/16] ITS mitigation for 5.10 Pawan Gupta
2025-06-18 0:44 ` [PATCH 5.10 v2 01/16] Documentation: x86/bugs/its: Add ITS documentation Pawan Gupta
2025-06-19 9:03 ` Sasha Levin
2025-06-18 0:44 ` [PATCH 5.10 v2 02/16] x86/bhi: Define SPEC_CTRL_BHI_DIS_S Pawan Gupta
2025-06-19 9:04 ` Sasha Levin
2025-06-18 0:44 ` [PATCH 5.10 v2 03/16] x86/its: Enumerate Indirect Target Selection (ITS) bug Pawan Gupta
2025-06-19 9:04 ` Sasha Levin
2025-06-18 0:45 ` [PATCH 5.10 v2 04/16] x86/alternatives: Introduce int3_emulate_jcc() Pawan Gupta
2025-06-19 9:04 ` Sasha Levin
2025-06-18 0:45 ` [PATCH 5.10 v2 05/16] x86/alternatives: Teach text_poke_bp() to patch Jcc.d32 instructions Pawan Gupta
2025-06-19 9:03 ` Sasha Levin
2025-06-18 0:45 ` [PATCH 5.10 v2 06/16] x86/its: Add support for ITS-safe indirect thunk Pawan Gupta
2025-06-19 9:03 ` Sasha Levin
2025-06-18 0:45 ` [PATCH 5.10 v2 07/16] x86/alternative: Optimize returns patching Pawan Gupta
2025-06-19 9:04 ` Sasha Levin
2025-06-23 19:10 ` Pawan Gupta
2025-06-18 0:46 ` [PATCH 5.10 v2 08/16] x86/alternatives: Remove faulty optimization Pawan Gupta
2025-06-19 9:03 ` Sasha Levin
2025-06-18 0:46 ` [PATCH 5.10 v2 09/16] x86/its: Add support for ITS-safe return thunk Pawan Gupta
2025-06-19 9:02 ` Sasha Levin
2025-06-18 0:46 ` [PATCH 5.10 v2 10/16] x86/its: Fix undefined reference to cpu_wants_rethunk_at() Pawan Gupta
2025-06-19 9:03 ` Sasha Levin
2025-06-23 19:17 ` Pawan Gupta
2025-06-18 0:46 ` [PATCH 5.10 v2 11/16] x86/its: Enable Indirect Target Selection mitigation Pawan Gupta
2025-06-19 9:04 ` Sasha Levin
2025-06-18 0:47 ` [PATCH 5.10 v2 12/16] x86/its: Add "vmexit" option to skip mitigation on some CPUs Pawan Gupta
2025-06-19 9:02 ` Sasha Levin
2025-06-18 0:47 ` [PATCH 5.10 v2 13/16] x86/modules: Set VM_FLUSH_RESET_PERMS in module_alloc() Pawan Gupta
2025-06-19 9:02 ` Sasha Levin
2025-06-18 0:47 ` [PATCH 5.10 v2 14/16] x86/its: Use dynamic thunks for indirect branches Pawan Gupta
2025-06-19 9:03 ` Sasha Levin [this message]
2025-06-23 19:33 ` Pawan Gupta
2025-06-18 0:47 ` [PATCH 5.10 v2 15/16] x86/its: Fix build errors when CONFIG_MODULES=n Pawan Gupta
2025-06-19 9:02 ` Sasha Levin
2025-06-18 0:48 ` [PATCH 5.10 v2 16/16] x86/its: FineIBT-paranoid vs ITS Pawan Gupta
2025-06-19 9:02 ` Sasha Levin
2025-07-12 13:50 ` [PATCH 5.10 v2 00/16] ITS mitigation for 5.10 Greg Kroah-Hartman