git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
drop queue-6.12/x86-ftrace-relocate-rip-relative-percpu-refs-in-dynamic-trampolines...
author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 4 Jun 2026 11:03:53 +0000 (13:03 +0200)
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 4 Jun 2026 11:03:53 +0000 (13:03 +0200)
queue-6.12/series
queue-6.12/x86-ftrace-relocate-rip-relative-percpu-refs-in-dynamic-trampolines.patch [deleted file]

index 5b2ec61602ec66461006ddb8dcb753b415e6ce49..c8e22c851e761e5f47b8d289c7406b08fd9972d7 100644 (file)
@@ -180,7 +180,6 @@ usb-cdns3-plat-fix-leaked-usb2_phy-initialization-on-usb3_phy-acquisition-failur
 usb-cdns3-plat-fix-unbalanced-pm_runtime_forbid-call-permanently-leaks-the-runtime-pm-usage-counter-across-bind-unbind-cycles.patch
 usb-dwc2-fix-use-after-free-in-debug-code.patch
 input-elan_i2c-validate-firmware-size-before-use.patch
-x86-ftrace-relocate-rip-relative-percpu-refs-in-dynamic-trampolines.patch
 wireguard-send-append-trailer-after-expanding-head.patch
 bpf-sockmap-fix-tail-fragment-offset-in-bpf_msg_push_data.patch
 macsec-fix-replay-protection-at-xpn-lower-pn-wrap.patch
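Review bot: The removal of x86-ftrace-relocate-rip-relative-percpu-refs-in-dynamic-trampolines.patch from queue-6.12/series comes with no stated reason; the commit subject only says "drop". The dropped patch carries a Fixes: tag and Cc: stable for a page fault and kernel panic on the first call into a traced function, so please record in the commit message why it is not going into 6.12 (build failure, missing dependency, fix not applicable) and whether a 6.12-specific backport will follow, so the crash is not silently left unfixed in this branch.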
diff --git a/queue-6.12/x86-ftrace-relocate-rip-relative-percpu-refs-in-dynamic-trampolines.patch b/queue-6.12/x86-ftrace-relocate-rip-relative-percpu-refs-in-dynamic-trampolines.patch
deleted file mode 100644 (file)
index c417927..0000000
+++ /dev/null
@@ -1,102 +0,0 @@
-From a17dc12bfed8868e6a86f3b45c16065a70641acb Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Alexis=20Lothor=C3=A9=20=28eBPF=20Foundation=29?=
- <alexis.lothore@bootlin.com>
-Date: Wed, 27 May 2026 21:12:31 +0200
-Subject: x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Alexis LothorĂ© (eBPF Foundation) <alexis.lothore@bootlin.com>
-
-commit a17dc12bfed8868e6a86f3b45c16065a70641acb upstream.
-
-With CONFIG_CALL_DEPTH_TRACKING enabled on an x86 retbleed-affected platform
-(eg: Skylake), with retbleed=stuff, registering a dynamic ftrace trampoline
-crashes on the first call into the traced function:
-
-  BUG: unable to handle page fault for address: ffff88817ae18880
-  #PF: supervisor write access in kernel mode
-  #PF: error_code(0x0002) - not-present page
-  PGD 4b53067 P4D 4b53067 PUD 0
-  Oops: Oops: 0002 [#1] SMP PTI
-  CPU: 3 UID: 0 PID: 187 Comm: usleep Not tainted 7.0.10 #243 PREEMPT(full)
-  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014
-  Code: 24 78 00 00 00 00 48 89 ea 48 89 54 24 20 48 8b b4 24 b8 00 00 00 48 8b bc 24 b0 00 00 00 48 89 bc 24 80 00 00 00 48 83 ef 05 <65> 48 c1 3d 1f a8 b6 02 05 48 8b 15 f6 00 00 00 4c 89 3c 24 4c 89
-  Call Trace:
-   <TASK>
-   ? find_held_lock
-   ? exc_page_fault
-   ? lock_release
-   ? __x64_sys_clock_nanosleep
-   ? lockdep_hardirqs_on_prepare
-   ? trace_hardirqs_on
-   __x64_sys_clock_nanosleep
-   do_syscall_64
-   ? exc_page_fault
-   ? call_depth_return_thunk
-   entry_SYSCALL_64_after_hwframe
-  ...
-  Kernel panic - not syncing: Fatal exception
-
-This small reproducer allows to easily trigger the crash:
-
-  # echo 'p __x64_sys_clock_nanosleep' > /sys/kernel/tracing/kprobe_events
-  # echo 1 > /sys/kernel/tracing/events/kprobes/p___x64_sys_clock_nanosleep_0/enable
-  # usleep 1
-
-Monitoring the crash under GDB points to the exact instruction in charge of
-incrementing the call depth:
-
-  sarq $5, %gs:__x86_call_depth(%rip)
-
-This instruction matches the one inserted by the ftrace_regs_caller from
-ftrace_64.S. This emitted code was likely working fine until the introduction
-of
-
-  59bec00ace28 ("x86/percpu: Introduce %rip-relative addressing to PER_CPU_VAR()"):
-
-it has made the call depth accounting addressing relative to $rip, instead of
-being based on an absolute address.
-
-As this code exact location depends on where the trampoline lives in memory,
-the corresponding displacement needs to be adjusted at runtime to actually
-correctly find the per-cpu __x86_call_depth value, otherwise the targeted
-address is wrong, leading to the page fault seen above.
-
-Fix the %rip-relative displacement of the copied CALL_DEPTH_ACCOUNT
-instruction (from ftrace_regs_caller) by calling text_poke_apply_relocation(),
-as it is done for example by the x86 BPF JIT compiler through
-x86_call_depth_emit_accounting(). This corrects both CALL_DEPTH_ACCOUNT slots,
-in ftrace_caller and ftrace_regs_caller.
-
-  [ bp: Massage. ]
-
-Fixes: 59bec00ace28 ("x86/percpu: Introduce %rip-relative addressing to PER_CPU_VAR()")
-Signed-off-by: Alexis LothorĂ© (eBPF Foundation) <alexis.lothore@bootlin.com>
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Acked-by: Steven Rostedt <rostedt@goodmis.org>
-Cc: <stable@kernel.org>
-Link: https://patch.msgid.link/20260527-fix_call_depth_in_trampoline-v1-1-1c1abc8ae310@bootlin.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/ftrace.c |    7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/arch/x86/kernel/ftrace.c
-+++ b/arch/x86/kernel/ftrace.c
-@@ -371,6 +371,13 @@ create_trampoline(struct ftrace_ops *ops
-       }
-       /*
-+       * Generated trampoline may contain rIP-relative addressing which
-+       * displacement needs to be fixed.
-+       */
-+      text_poke_apply_relocation(trampoline, trampoline, size,
-+                                 (void *)start_offset, size);
-+
-+      /*
-        * The address of the ftrace_ops that is used for this trampoline
-        * is stored at the end of the trampoline. This will be used to
-        * load the third parameter for the callback. Basically, that
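Review bot: The only code change in the deleted patch, the text_poke_apply_relocation(trampoline, trampoline, size, (void *)start_offset, size) call in create_trampoline(), depends on that helper being available under this name and argument list in the target tree. If that is what kept the patch out of 6.12, a re-queued version should name the prerequisite commit or adapt the call, rather than leaving the fix dropped. Minor style point for any respin: in the added comment, "which displacement needs to be fixed" would read better as "whose displacement needs to be fixed".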