From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 14 May 2025 12:12:46 +0000 (+0200)
Subject: 6.6-stable patches
X-Git-Tag: v5.15.183~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=307e85d940293196f9dd5b3b6fbcbc473242d4e8;p=thirdparty%2Fkernel%2Fstable-queue.git

6.6-stable patches

added patches:
	x86-its-fineibt-paranoid-vs-its.patch
---

diff --git a/queue-6.6/series b/queue-6.6/series
index 0b2ffbe53a..f92b51efbf 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -110,3 +110,4 @@ x86-its-align-rets-in-bhb-clear-sequence-to-avoid-thunking.patch
 x86-ibt-keep-ibt-disabled-during-alternative-patching.patch
 x86-its-use-dynamic-thunks-for-indirect-branches.patch
 x86-its-fix-build-errors-when-config_modules-n.patch
+x86-its-fineibt-paranoid-vs-its.patch
diff --git a/queue-6.6/x86-its-fineibt-paranoid-vs-its.patch b/queue-6.6/x86-its-fineibt-paranoid-vs-its.patch
new file mode 100644
index 0000000000..c21b6787b9
--- /dev/null
+++ b/queue-6.6/x86-its-fineibt-paranoid-vs-its.patch
@@ -0,0 +1,116 @@
+From e52c1dc7455d32c8a55f9949d300e5e87d011fa6 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 23 Apr 2025 09:57:31 +0200
+Subject: x86/its: FineIBT-paranoid vs ITS
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit e52c1dc7455d32c8a55f9949d300e5e87d011fa6 upstream.
+
+FineIBT-paranoid was using the retpoline bytes for the paranoid check,
+disabling retpolines, because all parts that have IBT also have eIBRS
+and thus don't need no stinking retpolines.
+
+Except... ITS needs the retpolines for indirect calls must not be in
+the first half of a cacheline :-/
+
+So what was the paranoid call sequence:
+
+  <fineibt_paranoid_start>:
+   0:   41 ba 78 56 34 12       mov    $0x12345678, %r10d
+   6:   45 3b 53 f7             cmp    -0x9(%r11), %r10d
+   a:   4d 8d 5b <f0>           lea    -0x10(%r11), %r11
+   e:   75 fd                   jne    d <fineibt_paranoid_start+0xd>
+  10:   41 ff d3                call   *%r11
+  13:   90                      nop
+
+Now becomes:
+
+  <fineibt_paranoid_start>:
+   0:   41 ba 78 56 34 12       mov    $0x12345678, %r10d
+   6:   45 3b 53 f7             cmp    -0x9(%r11), %r10d
+   a:   4d 8d 5b f0             lea    -0x10(%r11), %r11
+   e:   2e e8 XX XX XX XX	cs call __x86_indirect_paranoid_thunk_r11
+
+  Where the paranoid_thunk looks like:
+
+   1d:  <ea>                    (bad)
+   __x86_indirect_paranoid_thunk_r11:
+   1e:  75 fd                   jne 1d
+   __x86_indirect_its_thunk_r11:
+   20:  41 ff eb                jmp *%r11
+   23:  cc                      int3
+
+[ dhansen: remove initialization to false ]
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Alexandre Chartre <alexandre.chartre@oracle.com>
+[ Just a portion of the original commit, in order to fix a build issue
+  in stable kernels due to backports ]
+Reported-by: Holger Hoffstätte <holger@applied-asynchrony.com>
+Link: https://lore.kernel.org/r/20250514113952.GB16434@noisy.programming.kicks-ass.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/alternative.h |    8 ++++++++
+ arch/x86/kernel/alternative.c      |    7 +++++++
+ arch/x86/net/bpf_jit_comp.c        |    2 +-
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/alternative.h
++++ b/arch/x86/include/asm/alternative.h
+@@ -5,6 +5,7 @@
+ #include <linux/types.h>
+ #include <linux/stringify.h>
+ #include <asm/asm.h>
++#include <asm/bug.h>
+ 
+ #define ALT_FLAGS_SHIFT		16
+ 
+@@ -134,10 +135,17 @@ static __always_inline int x86_call_dept
+ extern void its_init_mod(struct module *mod);
+ extern void its_fini_mod(struct module *mod);
+ extern void its_free_mod(struct module *mod);
++extern u8 *its_static_thunk(int reg);
+ #else /* CONFIG_MITIGATION_ITS */
+ static inline void its_init_mod(struct module *mod) { }
+ static inline void its_fini_mod(struct module *mod) { }
+ static inline void its_free_mod(struct module *mod) { }
++static inline u8 *its_static_thunk(int reg)
++{
++	WARN_ONCE(1, "ITS not compiled in");
++
++	return NULL;
++}
+ #endif
+ 
+ #if defined(CONFIG_RETHUNK) && defined(CONFIG_OBJTOOL)
+--- a/arch/x86/kernel/alternative.c
++++ b/arch/x86/kernel/alternative.c
+@@ -250,6 +250,13 @@ static void *its_allocate_thunk(int reg)
+ 	return thunk;
+ }
+ 
++u8 *its_static_thunk(int reg)
++{
++	u8 *thunk = __x86_indirect_its_thunk_array[reg];
++
++	return thunk;
++}
++
+ #endif
+ 
+ /*
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -475,7 +475,7 @@ static void emit_indirect_jump(u8 **ppro
+ 	if (IS_ENABLED(CONFIG_MITIGATION_ITS) &&
+ 	    cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS)) {
+ 		OPTIMIZER_HIDE_VAR(reg);
+-		emit_jump(&prog, &__x86_indirect_its_thunk_array[reg], ip);
++		emit_jump(&prog, its_static_thunk(reg), ip);
+ 	} else if (cpu_feature_enabled(X86_FEATURE_RETPOLINE_LFENCE)) {
+ 		EMIT_LFENCE();
+ 		EMIT2(0xFF, 0xE0 + reg);