--- /dev/null
+From e52c1dc7455d32c8a55f9949d300e5e87d011fa6 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 23 Apr 2025 09:57:31 +0200
+Subject: x86/its: FineIBT-paranoid vs ITS
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit e52c1dc7455d32c8a55f9949d300e5e87d011fa6 upstream.
+
+FineIBT-paranoid was using the retpoline bytes for the paranoid check,
+disabling retpolines, because all parts that have IBT also have eIBRS
+and thus don't need no stinking retpolines.
+
+Except... ITS needs the retpolines for indirect calls must not be in
+the first half of a cacheline :-/
+
+So what was the paranoid call sequence:
+
+ <fineibt_paranoid_start>:
+ 0: 41 ba 78 56 34 12 mov $0x12345678, %r10d
+ 6: 45 3b 53 f7 cmp -0x9(%r11), %r10d
+ a: 4d 8d 5b <f0> lea -0x10(%r11), %r11
+ e: 75 fd jne d <fineibt_paranoid_start+0xd>
+ 10: 41 ff d3 call *%r11
+ 13: 90 nop
+
+Now becomes:
+
+ <fineibt_paranoid_start>:
+ 0: 41 ba 78 56 34 12 mov $0x12345678, %r10d
+ 6: 45 3b 53 f7 cmp -0x9(%r11), %r10d
+ a: 4d 8d 5b f0 lea -0x10(%r11), %r11
+ e: 2e e8 XX XX XX XX cs call __x86_indirect_paranoid_thunk_r11
+
+ Where the paranoid_thunk looks like:
+
+ 1d: <ea> (bad)
+ __x86_indirect_paranoid_thunk_r11:
+ 1e: 75 fd jne 1d
+ __x86_indirect_its_thunk_r11:
+ 20: 41 ff eb jmp *%r11
+ 23: cc int3
+
+[ dhansen: remove initialization to false ]
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Alexandre Chartre <alexandre.chartre@oracle.com>
+[ Just a portion of the original commit, in order to fix a build issue
+ in stable kernels due to backports ]
+Reported-by: Holger Hoffstätte <holger@applied-asynchrony.com>
+Link: https://lore.kernel.org/r/20250514113952.GB16434@noisy.programming.kicks-ass.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/alternative.h | 8 ++++++++
+ arch/x86/kernel/alternative.c | 8 ++++++++
+ arch/x86/net/bpf_jit_comp.c | 2 +-
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/alternative.h
++++ b/arch/x86/include/asm/alternative.h
+@@ -5,6 +5,7 @@
+ #include <linux/types.h>
+ #include <linux/stringify.h>
+ #include <asm/asm.h>
++#include <asm/bug.h>
+
+ #define ALTINSTR_FLAG_INV (1 << 15)
+ #define ALT_NOT(feat) ((feat) | ALTINSTR_FLAG_INV)
+@@ -85,10 +86,17 @@ struct module;
+ extern void its_init_mod(struct module *mod);
+ extern void its_fini_mod(struct module *mod);
+ extern void its_free_mod(struct module *mod);
++extern u8 *its_static_thunk(int reg);
+ #else /* CONFIG_MITIGATION_ITS */
+ static inline void its_init_mod(struct module *mod) { }
+ static inline void its_fini_mod(struct module *mod) { }
+ static inline void its_free_mod(struct module *mod) { }
++static inline u8 *its_static_thunk(int reg)
++{
++ WARN_ONCE(1, "ITS not compiled in");
++
++ return NULL;
++}
+ #endif
+
+ #if defined(CONFIG_RETHUNK) && defined(CONFIG_OBJTOOL)
+--- a/arch/x86/kernel/alternative.c
++++ b/arch/x86/kernel/alternative.c
+@@ -593,6 +593,14 @@ static bool cpu_wants_indirect_its_thunk
+ /* Lower-half of the cacheline? */
+ return !(addr & 0x20);
+ }
++
++u8 *its_static_thunk(int reg)
++{
++ u8 *thunk = __x86_indirect_its_thunk_array[reg];
++
++ return thunk;
++}
++
+ #endif
+
+ /*
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -467,7 +467,7 @@ static void emit_indirect_jump(u8 **ppro
+ if (IS_ENABLED(CONFIG_MITIGATION_ITS) &&
+ cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS)) {
+ OPTIMIZER_HIDE_VAR(reg);
+- emit_jump(&prog, &__x86_indirect_its_thunk_array[reg], ip);
++ emit_jump(&prog, its_static_thunk(reg), ip);
+ } else if (cpu_feature_enabled(X86_FEATURE_RETPOLINE_LFENCE)) {
+ EMIT_LFENCE();
+ EMIT2(0xFF, 0xE0 + reg);
projects / thirdparty / kernel / stable-queue.git / commitdiff
