From 0aa8643f9f6c3fc8d9e496c5d9eb18e54c311ca3 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 4 Jun 2026 13:03:53 +0200 Subject: [PATCH] drop queue-6.12/x86-ftrace-relocate-rip-relative-percpu-refs-in-dynamic-trampolines.patch --- queue-6.12/series | 1 - ...e-percpu-refs-in-dynamic-trampolines.patch | 102 ------------------ 2 files changed, 103 deletions(-) delete mode 100644 queue-6.12/x86-ftrace-relocate-rip-relative-percpu-refs-in-dynamic-trampolines.patch diff --git a/queue-6.12/series b/queue-6.12/series index 5b2ec61602..c8e22c851e 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -180,7 +180,6 @@ usb-cdns3-plat-fix-leaked-usb2_phy-initialization-on-usb3_phy-acquisition-failur usb-cdns3-plat-fix-unbalanced-pm_runtime_forbid-call-permanently-leaks-the-runtime-pm-usage-counter-across-bind-unbind-cycles.patch usb-dwc2-fix-use-after-free-in-debug-code.patch input-elan_i2c-validate-firmware-size-before-use.patch -x86-ftrace-relocate-rip-relative-percpu-refs-in-dynamic-trampolines.patch wireguard-send-append-trailer-after-expanding-head.patch bpf-sockmap-fix-tail-fragment-offset-in-bpf_msg_push_data.patch macsec-fix-replay-protection-at-xpn-lower-pn-wrap.patch diff --git a/queue-6.12/x86-ftrace-relocate-rip-relative-percpu-refs-in-dynamic-trampolines.patch b/queue-6.12/x86-ftrace-relocate-rip-relative-percpu-refs-in-dynamic-trampolines.patch deleted file mode 100644 index c417927482..0000000000 --- a/queue-6.12/x86-ftrace-relocate-rip-relative-percpu-refs-in-dynamic-trampolines.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -From a17dc12bfed8868e6a86f3b45c16065a70641acb Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Alexis=20Lothor=C3=A9=20=28eBPF=20Foundation=29?= - -Date: Wed, 27 May 2026 21:12:31 +0200 -Subject: x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Alexis Lothoré (eBPF Foundation) - -commit a17dc12bfed8868e6a86f3b45c16065a70641acb upstream. - -With CONFIG_CALL_DEPTH_TRACKING enabled on an x86 retbleed-affected platform -(eg: Skylake), with retbleed=stuff, registering a dynamic ftrace trampoline -crashes on the first call into the traced function: - - BUG: unable to handle page fault for address: ffff88817ae18880 - #PF: supervisor write access in kernel mode - #PF: error_code(0x0002) - not-present page - PGD 4b53067 P4D 4b53067 PUD 0 - Oops: Oops: 0002 [#1] SMP PTI - CPU: 3 UID: 0 PID: 187 Comm: usleep Not tainted 7.0.10 #243 PREEMPT(full) - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014 - Code: 24 78 00 00 00 00 48 89 ea 48 89 54 24 20 48 8b b4 24 b8 00 00 00 48 8b bc 24 b0 00 00 00 48 89 bc 24 80 00 00 00 48 83 ef 05 <65> 48 c1 3d 1f a8 b6 02 05 48 8b 15 f6 00 00 00 4c 89 3c 24 4c 89 - Call Trace: - - ? find_held_lock - ? exc_page_fault - ? lock_release - ? __x64_sys_clock_nanosleep - ? lockdep_hardirqs_on_prepare - ? trace_hardirqs_on - __x64_sys_clock_nanosleep - do_syscall_64 - ? exc_page_fault - ? call_depth_return_thunk - entry_SYSCALL_64_after_hwframe - ... 
- Kernel panic - not syncing: Fatal exception - -This small reproducer allows to easily trigger the crash: - - # echo 'p __x64_sys_clock_nanosleep' > /sys/kernel/tracing/kprobe_events - # echo 1 > /sys/kernel/tracing/events/kprobes/p___x64_sys_clock_nanosleep_0/enable - # usleep 1 - -Monitoring the crash under GDB points to the exact instruction in charge of -incrementing the call depth: - - sarq $5, %gs:__x86_call_depth(%rip) - -This instruction matches the one inserted by the ftrace_regs_caller from -ftrace_64.S. This emitted code was likely working fine until the introduction -of - - 59bec00ace28 ("x86/percpu: Introduce %rip-relative addressing to PER_CPU_VAR()"): - -it has made the call depth accounting addressing relative to $rip, instead of -being based on an absolute address. - -As this code exact location depends on where the trampoline lives in memory, -the corresponding displacement needs to be adjusted at runtime to actually -correctly find the per-cpu __x86_call_depth value, otherwise the targeted -address is wrong, leading to the page fault seen above. - -Fix the %rip-relative displacement of the copied CALL_DEPTH_ACCOUNT -instruction (from ftrace_regs_caller) by calling text_poke_apply_relocation(), -as it is done for example by the x86 BPF JIT compiler through -x86_call_depth_emit_accounting(). This corrects both CALL_DEPTH_ACCOUNT slots, -in ftrace_caller and ftrace_regs_caller. - - [ bp: Massage. 
] - -Fixes: 59bec00ace28 ("x86/percpu: Introduce %rip-relative addressing to PER_CPU_VAR()") -Signed-off-by: Alexis Lothoré (eBPF Foundation) -Signed-off-by: Borislav Petkov (AMD) -Acked-by: Peter Zijlstra (Intel) -Acked-by: Steven Rostedt -Cc: -Link: https://patch.msgid.link/20260527-fix_call_depth_in_trampoline-v1-1-1c1abc8ae310@bootlin.com -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/ftrace.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/arch/x86/kernel/ftrace.c -+++ b/arch/x86/kernel/ftrace.c -@@ -371,6 +371,13 @@ create_trampoline(struct ftrace_ops *ops - } - - /* -+ * Generated trampoline may contain rIP-relative addressing which -+ * displacement needs to be fixed. -+ */ -+ text_poke_apply_relocation(trampoline, trampoline, size, -+ (void *)start_offset, size); -+ -+ /* - * The address of the ftrace_ops that is used for this trampoline - * is stored at the end of the trampoline. This will be used to - * load the third parameter for the callback. Basically, that -- 2.47.3
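Review bot: The commit message for this drop has only a subject line and no body, so the queue-6.12/series hunk removes x86-ftrace-relocate-rip-relative-percpu-refs-in-dynamic-trampolines.patch without recording why. Add a sentence giving the reason (for example a build failure, a missing prerequisite, or the Fixes: target not being in this tree) so that someone auditing 6.12 later can tell whether the fix was rejected or only deferred.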
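Review bot: Deleting the queued patch file removes a change whose own changelog carries a Fixes: 59bec00ace28 tag and a three-command kprobe reproducer ending in a kernel panic under CONFIG_CALL_DEPTH_TRACKING with retbleed=stuff, so 6.12 stays exposed to that crash if 59bec00ace28 is present there. State in the drop commit whether 6.12 contains 59bec00ace28 and whether a reworked backport of the text_poke_apply_relocation() call in create_trampoline() is expected. The reproducer writes to /sys/kernel/tracing, so the crash is reachable by anyone already allowed to register kprobes, which is worth noting for whoever triages the gap.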