[PATCH 0/3] Ensure default return thunk isn't used at runtime

David Kaplan posted 3 patches 2 years, 2 months ago
arch/x86/entry/vdso/Makefile  |  3 ++-
arch/x86/kernel/vmlinux.lds.S |  3 +++
arch/x86/lib/retpoline.S      | 10 +++++++---
3 files changed, 12 insertions(+), 4 deletions(-)
Posted by David Kaplan 2 years, 2 months ago
Several CPU side-channel mitigations require the use of a special return thunk.
The necessary return thunk is installed at runtime via apply_returns(), after
which point the default return thunk (__x86_return_thunk) should never be used.

Patch 3 enforces this by modifying __x86_return_thunk to be a ud2 after
alternatives are applied.

Patch 1 reverts a recent commit which resulted in retpoline sequences not being
annotated as containing returns, which was leaving them using the default return
thunk.

Patch 2 fixes an issue where functions in vdso32-setup were using the default
return thunk because objtool was not being run on them in some cases.

David Kaplan (3):
  Revert "x86/retpoline: Remove .text..__x86.return_thunk section"
  x86/vdso: Run objtool on vdso32-setup
  x86/retpoline: Ensure default return thunk isn't used at runtime

 arch/x86/entry/vdso/Makefile  |  3 ++-
 arch/x86/kernel/vmlinux.lds.S |  3 +++
 arch/x86/lib/retpoline.S      | 10 +++++++---
 3 files changed, 12 insertions(+), 4 deletions(-)

-- 
2.25.1
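The failure mode behind patches 1 and 2 is that a return site objtool never recorded stays on the default thunk forever: apply_returns() only rewrites the sites listed in .return_sites, so a `jmp __x86_return_thunk` that is not in that list is still there after boot, and with patch 3 it lands on a ud2. The following is an added example, not part of this series or of the kernel tree: a small static cross-check that takes `objdump -d` style disassembly and the set of addresses resolved from .return_sites, and reports the functions whose return-thunk jumps would never be patched. The disassembly text, the function names, the addresses and the return-site set are all constructed sample data.

```python
import re
from typing import Dict, List, Set

# objdump -d instruction line, e.g.
# "ffffffff81001005:  e9 f6 ef 2f 00    jmp  ffffffff81300000 <__x86_return_thunk>"
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s+)+\s*(\w+)\s*(.*)$")
# objdump -d symbol header line, e.g. "ffffffff81001000 <vdso32_setup>:"
FUNC_RE = re.compile(r"^([0-9a-f]+)\s+<([^>]+)>:\s*$")

DEFAULT_THUNK = "__x86_return_thunk"


def find_thunk_jumps(disasm: str) -> Dict[str, List[int]]:
    """Map each function to the addresses of its 'jmp __x86_return_thunk' sites."""
    sites: Dict[str, List[int]] = {}
    current = None
    for line in disasm.splitlines():
        m = FUNC_RE.match(line)
        if m:
            current = m.group(2)
            continue
        m = INSN_RE.match(line)
        if not m or current is None:
            continue
        addr, mnemonic, operand = m.groups()
        if mnemonic == "jmp" and f"<{DEFAULT_THUNK}>" in operand:
            sites.setdefault(current, []).append(int(addr, 16))
    return sites


def unpatched_returns(disasm: str, return_sites: Set[int]) -> Dict[str, List[int]]:
    """Return-thunk jumps that apply_returns() would leave untouched because
    objtool did not record them in .return_sites (assumed to be the resolved
    absolute addresses of the entries in that section)."""
    result: Dict[str, List[int]] = {}
    for func, addrs in find_thunk_jumps(disasm).items():
        missing = [a for a in addrs if a not in return_sites]
        if missing:
            result[func] = missing
    return result


# Constructed sample: two functions whose rets were rewritten to jump to the
# default thunk, plus the thunk itself. Addresses and names are made up.
SAMPLE_DISASM = """\
ffffffff81001000 <vdso32_setup>:
ffffffff81001000:  55                      push   %rbp
ffffffff81001001:  48 89 e5                mov    %rsp,%rbp
ffffffff81001004:  5d                      pop    %rbp
ffffffff81001005:  e9 f6 ef 2f 00          jmp    ffffffff81300000 <__x86_return_thunk>

ffffffff81001010 <do_something>:
ffffffff81001010:  31 c0                   xor    %eax,%eax
ffffffff81001012:  e9 e9 ef 2f 00          jmp    ffffffff81300000 <__x86_return_thunk>
ffffffff81001017:  90                      nop

ffffffff81300000 <__x86_return_thunk>:
ffffffff81300000:  c3                      ret
"""

# Constructed .return_sites contents: objtool saw do_something but, as in the
# vdso32-setup case described in the cover letter, never ran over vdso32_setup.
RETURN_SITES = {0xFFFFFFFF81001012}


if __name__ == "__main__":
    for func, addrs in unpatched_returns(SAMPLE_DISASM, RETURN_SITES).items():
        for a in addrs:
            print(f"{func}: return site {a:#x} not in .return_sites, stays on {DEFAULT_THUNK}")
```

Run against a real build you would feed it `objdump -d vmlinux` (or the vdso32 objects) and the addresses decoded from the .return_sites section; any function it reports is one that patch 3's ud2 would turn into a crash at its first return, which is exactly the class of omission patches 1 and 2 fix at build time.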
Re: [PATCH 0/3] Ensure default return thunk isn't used at runtime
Posted by Peter Zijlstra 2 years, 2 months ago
On Tue, Oct 10, 2023 at 12:10:17PM -0500, David Kaplan wrote:

> David Kaplan (3):
>   Revert "x86/retpoline: Remove .text..__x86.return_thunk section"
>   x86/vdso: Run objtool on vdso32-setup
>   x86/retpoline: Ensure default return thunk isn't used at runtime
> 
>  arch/x86/entry/vdso/Makefile  |  3 ++-
>  arch/x86/kernel/vmlinux.lds.S |  3 +++
>  arch/x86/lib/retpoline.S      | 10 +++++++---
>  3 files changed, 12 insertions(+), 4 deletions(-)

Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>

That said, I'm afraid we might have broken rethunk for i386 somewhere
along the SRSO series.

I suspect the easiest fix is to make CONFIG_RETHUNK hard depend on
x86_64 or something.