From nobody Sat Feb 7 15:59:14 2026 Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A0FAF230999 for ; Wed, 21 May 2025 05:35:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.13 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747805723; cv=none; b=oLbhf/UFXLP8cNgsFAwhNyTwuPd9i8c7c3I97GMgtOx4oNgGJU5HhmacYxloNfbzKJaHzjBcYT8Bsz9BAY/EzkCY18ICtke/pe74upgLxu9B8nKQb0fvLrRCngXSc8enrJ+++vL44e69NYavhVVSKKb/n7cbrDeHZa0ldZ6ZF+Y= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747805723; c=relaxed/simple; bh=7kvh+o0MNB7yZjX/RtCettiz+uzIiUoQvfIhCX0no4I=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=Dm6q6idWOPBgNW0jAMyzrxsitJF/SZNVq3zGywx7GtHYPrkp9Yb9tAtF1kWy7t0R+fhxRuLWZZ+FrLP5OcWyNv1tuhUlZ3ym3ttul/FaOWfKgZDZHnAkZI8RxFdBX1rOkd8y9/uZnDHpQIdiatKRLGmtJ7Chejy9GZo/f/rbY7Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com; spf=none smtp.mailfrom=linux.intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=gOzE/6lK; arc=none smtp.client-ip=192.198.163.13 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="gOzE/6lK" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1747805722; x=1779341722; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=7kvh+o0MNB7yZjX/RtCettiz+uzIiUoQvfIhCX0no4I=; b=gOzE/6lKffalZj3pQX3LTb+8irdCZHy6BaKNEIJfdl7XkmqhRH9/z9ZN OHKbP4PoVGxXUPleXSlYzmLQmhPkNkvic7KPJLgHJVISmN9QdSkhgj/+M W21B9CXIpRspbjzQV8faJ9Iy3KCm02vOAna9n2FFPojIa5i6kQmRVgo8Q pBpeBG+1bq98kjmtF95CL12C9X5Xw8ihtmRTLPo2DvdAZ2ltwY5sgCWVt 8e8LXBxVDhVWTJnnZzv9rXWBH07bl1ycDYW+nL9DUa9BNy/tg9bS2Kl6V O8E+JWpuA+KDkA+iZvSL0YCysvpcDvUYWMZqqyNCUWLtGjF276613zVsV Q==; X-CSE-ConnectionGUID: INVRm3c/Q1+6LoasN0J4QQ== X-CSE-MsgGUID: wZIWK9kkTiGJOCNbTqc5Vg== X-IronPort-AV: E=McAfee;i="6700,10204,11439"; a="52393094" X-IronPort-AV: E=Sophos;i="6.15,303,1739865600"; d="scan'208";a="52393094" Received: from fmviesa005.fm.intel.com ([10.60.135.145]) by fmvoesa107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 20 May 2025 22:35:21 -0700 X-CSE-ConnectionGUID: 6EWY6pwuTyOX7hgC7UF8Iw== X-CSE-MsgGUID: hWHmW2RtRtW/LQ3qPql0ww== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.15,303,1739865600"; d="scan'208";a="144792648" Received: from nsridha1-mobl.amr.corp.intel.com (HELO desk) ([10.125.146.22]) by fmviesa005-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 20 May 2025 22:35:20 -0700 Date: Tue, 20 May 2025 22:35:20 -0700 From: Pawan Gupta To: x86@kernel.org Cc: David Kaplan , linux-kernel@vger.kernel.org, "H. Peter Anvin" , Josh Poimboeuf Subject: [PATCH 1/2] x86/spectre_v2: Fix mitigation default on Intel Message-ID: <20250520-eibrs-fix-v1-1-91bacd35ed09@linux.intel.com> X-Mailer: b4 0.14.2 References: <20250520-eibrs-fix-v1-0-91bacd35ed09@linux.intel.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20250520-eibrs-fix-v1-0-91bacd35ed09@linux.intel.com> Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" commit 480e803dacf8 ("x86/bugs: Restructure spectre_v2 mitigation") inadvertently changed the spectre-v2 mitigation default from eIBRS to IBRS on Intel. While splitting the spectre_v2 mitigation in select/update/apply functions, eIBRS and IBRS selection logic was separated in select and update. This caused IBRS selection to not consider that eIBRS mitigation is already selected, fix it. Fixes: commit 480e803dacf8 ("x86/bugs: Restructure spectre_v2 mitigation") Signed-off-by: Pawan Gupta --- arch/x86/kernel/cpu/bugs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 3d5796d25f786837df59f9ce6358bc875cabe731..7f94e6a5497d9a2d312a76095e4= 8d6b364565777 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -2105,7 +2105,8 @@ static void __init spectre_v2_select_mitigation(void) =20 static void __init spectre_v2_update_mitigation(void) { - if (spectre_v2_cmd =3D=3D SPECTRE_V2_CMD_AUTO) { + if (spectre_v2_cmd =3D=3D SPECTRE_V2_CMD_AUTO && + !spectre_v2_in_eibrs_mode(spectre_v2_enabled)) { if (IS_ENABLED(CONFIG_MITIGATION_IBRS_ENTRY) && boot_cpu_has_bug(X86_BUG_RETBLEED) && retbleed_mitigation !=3D RETBLEED_MITIGATION_NONE && --=20 2.34.1 From nobody Sat Feb 7 15:59:14 2026 Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6AE5F148827 for ; Wed, 21 May 2025 05:35:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.11 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747805739; cv=none; b=dBTP88iboAVKtmpG8wkw0x0h8g8MdW6i31ncD5hQQCbtXWvahErQi66rEEe+q+ruZotDDdbUXKbDdPqEQ7CnPvDZo1H+jeZsevEGvg+Jsgx/jCdxD56CxMyZpR2NuTiPjDWyZ/CU/Wq0hJmLPsnTMIAv5acbOMJxURtmubih63Y= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747805739; c=relaxed/simple; bh=XTJDhOjFIz3A0lRC57SD4GC75m19HWeyJ4ZBYHxBULE=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=kI3e96nOswipGbWYo38NQgHLf+uIyao1HPL5/rtKM4YcOsMKNMP4t7AFO7M/pghnSRLl5XL+sei8/opEy6d9IWAbLbiIyGrpGmrGa6nqVzjn0YBZqJA3NXw90jW/yKCgFdOiZobee5D2mzP/E3yVDTAY8M45GiwM7K0j64j+cwE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com; spf=none smtp.mailfrom=linux.intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=OQ030row; arc=none smtp.client-ip=192.198.163.11 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="OQ030row" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1747805737; x=1779341737; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=XTJDhOjFIz3A0lRC57SD4GC75m19HWeyJ4ZBYHxBULE=; b=OQ030rowiELDKVayq0YHILiG/Z14z+2GQSsMwga2FCnK6TLxujHb4VB6 iO/tvnYzMlXB9zU1cTX7TARd2niMly4Og+efHVK+DfltCk1JRa6KfIK1a 3FELRmFVFasGpCWBijNv0RnaTurGM1RKbqwUFpEd4WDVJ4yWxIwk8GBKl V/CvRb3qAhpQDZvEojMDCZIm4OUw7wYLyDbmJ7SfJuWkCRoxx1/k/mMNp GV6/aMaoG352PUYJDs9LAbESIsYDvYDN3XsvZvVl+XQcxUzZthgZjW9ZG nDWoW6yFFlvmV5bxYcprvGY9CH5hNiYhNjxd1b7/UqNZhFYhwJOtbQjnE g==; X-CSE-ConnectionGUID: tvKmEejyQP2qK9e1aDj7CQ== X-CSE-MsgGUID: CAiM4nifQ9WXBa9kIluCQQ== X-IronPort-AV: E=McAfee;i="6700,10204,11439"; a="60406279" X-IronPort-AV: E=Sophos;i="6.15,303,1739865600"; d="scan'208";a="60406279" Received: from fmviesa008.fm.intel.com ([10.60.135.148]) by fmvoesa105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 20 May 2025 22:35:36 -0700 X-CSE-ConnectionGUID: bFm+i5WdTnC121GZwoCjYQ== X-CSE-MsgGUID: ec6wl4k7Q7efR0uPS9kqHA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.15,303,1739865600"; d="scan'208";a="140326697" Received: from nsridha1-mobl.amr.corp.intel.com (HELO desk) ([10.125.146.22]) by fmviesa008-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 20 May 2025 22:35:36 -0700 Date: Tue, 20 May 2025 22:35:36 -0700 From: Pawan Gupta To: x86@kernel.org Cc: David Kaplan , linux-kernel@vger.kernel.org, "H. Peter Anvin" , Josh Poimboeuf Subject: [PATCH 2/2] x86/its: Allow "=stuff" mitigation when eIBRS is enabled Message-ID: <20250520-eibrs-fix-v1-2-91bacd35ed09@linux.intel.com> X-Mailer: b4 0.14.2 References: <20250520-eibrs-fix-v1-0-91bacd35ed09@linux.intel.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20250520-eibrs-fix-v1-0-91bacd35ed09@linux.intel.com> Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" After a recent restructuring of ITS mitigation, RSB stuffing can no longer be enabled in eIBRS+Retpoline mode. Before ITS, retbleed mitigation only allowed stuffing when eIBRS was not enabled. This was perfectly fine since eIBRS mitigates retbleed. However, RSB stuffing mitigation for ITS is still required with eIBRS. The restructuring solely relies on retbleed to deploy stuffing, and does not allow it when eIBRS is enabled. This behavior is different from what was before the restructuring. Allow RSB stuffing mitigation when eIBRS+retpoline is enabled. Also allow retbleed and ITS mitigation to independently enable stuffing. The dependency is only with respect to retpoline. It is a valid case for retbleed to be mitigated by eIBRS while ITS deploys stuffing at the same time. Fixes: 8c57ca583ebf ("x86/bugs: Restructure ITS mitigation") Closes: https://lore.kernel.org/lkml/20250519235101.2vm6sc5txyoykb2r@desk/ Signed-off-by: Pawan Gupta --- arch/x86/kernel/cpu/bugs.c | 101 ++++++++++++++++++++++++++++++-----------= ---- 1 file changed, 67 insertions(+), 34 deletions(-) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 7f94e6a5497d9a2d312a76095e48d6b364565777..642d234943fe8fc657c7331ceb3= a605201444166 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -113,6 +113,9 @@ void (*x86_return_thunk)(void) __ro_after_init =3D __x8= 6_return_thunk; =20 static void __init set_return_thunk(void *thunk) { + if (thunk =3D=3D x86_return_thunk) + return; + if (x86_return_thunk !=3D __x86_return_thunk) pr_warn("x86/bugs: return thunk changed\n"); =20 @@ -1120,6 +1123,39 @@ early_param("nospectre_v1", nospectre_v1_cmdline); =20 enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =3D SPECTRE_= V2_NONE; =20 +static inline bool spectre_v2_in_retpoline_mode(enum spectre_v2_mitigation= mode) +{ + switch (mode) { + case SPECTRE_V2_NONE: + case SPECTRE_V2_IBRS: + case SPECTRE_V2_EIBRS: + case SPECTRE_V2_LFENCE: + case SPECTRE_V2_EIBRS_LFENCE: + return false; + + case SPECTRE_V2_RETPOLINE: + case SPECTRE_V2_EIBRS_RETPOLINE: + return true; + } + + pr_warn("Unknown spectre_v2 mitigation mode %d\n", mode); + + return false; +} + +/* Depends on spectre_v2 mitigation selected already */ +static inline bool cdt_possible(enum spectre_v2_mitigation mode) +{ + if (!IS_ENABLED(CONFIG_MITIGATION_CALL_DEPTH_TRACKING) || + !IS_ENABLED(CONFIG_MITIGATION_RETPOLINE)) + return false; + + if (!spectre_v2_in_retpoline_mode(mode)) + return false; + + return true; +} + #undef pr_fmt #define pr_fmt(fmt) "RETBleed: " fmt =20 @@ -1258,24 +1294,16 @@ static void __init retbleed_update_mitigation(void) if (retbleed_mitigation =3D=3D RETBLEED_MITIGATION_NONE) goto out; =20 - /* - * retbleed=3Dstuff is only allowed on Intel. If stuffing can't be used - * then a different mitigation will be selected below. - * - * its=3Dstuff will also attempt to enable stuffing. - */ - if (retbleed_mitigation =3D=3D RETBLEED_MITIGATION_STUFF || - its_mitigation =3D=3D ITS_MITIGATION_RETPOLINE_STUFF) { - if (spectre_v2_enabled !=3D SPECTRE_V2_RETPOLINE) { - pr_err("WARNING: retbleed=3Dstuff depends on spectre_v2=3Dretpoline\n"); - retbleed_mitigation =3D RETBLEED_MITIGATION_AUTO; - } else { - if (retbleed_mitigation !=3D RETBLEED_MITIGATION_STUFF) - pr_info("Retbleed mitigation updated to stuffing\n"); + /* ITS can also enable stuffing */ + if (its_mitigation =3D=3D ITS_MITIGATION_RETPOLINE_STUFF) + retbleed_mitigation =3D RETBLEED_MITIGATION_STUFF; =20 - retbleed_mitigation =3D RETBLEED_MITIGATION_STUFF; - } + if (retbleed_mitigation =3D=3D RETBLEED_MITIGATION_STUFF && + !cdt_possible(spectre_v2_enabled)) { + pr_err("WARNING: retbleed=3Dstuff depends on retpoline\n"); + retbleed_mitigation =3D RETBLEED_MITIGATION_AUTO; } + /* * Let IBRS trump all on Intel without affecting the effects of the * retbleed=3D cmdline option except for call depth based stuffing @@ -1294,15 +1322,15 @@ static void __init retbleed_update_mitigation(void) if (retbleed_mitigation !=3D RETBLEED_MITIGATION_STUFF) pr_err(RETBLEED_INTEL_MSG); } - /* If nothing has set the mitigation yet, default to NONE. */ - if (retbleed_mitigation =3D=3D RETBLEED_MITIGATION_AUTO) - retbleed_mitigation =3D RETBLEED_MITIGATION_NONE; } + + /* If nothing has set the mitigation yet, default to NONE. */ + if (retbleed_mitigation =3D=3D RETBLEED_MITIGATION_AUTO) + retbleed_mitigation =3D RETBLEED_MITIGATION_NONE; out: pr_info("%s\n", retbleed_strings[retbleed_mitigation]); } =20 - static void __init retbleed_apply_mitigation(void) { bool mitigate_smt =3D false; @@ -1449,6 +1477,7 @@ static void __init its_update_mitigation(void) its_mitigation =3D ITS_MITIGATION_OFF; break; case SPECTRE_V2_RETPOLINE: + case SPECTRE_V2_EIBRS_RETPOLINE: /* Retpoline+CDT mitigates ITS */ if (retbleed_mitigation =3D=3D RETBLEED_MITIGATION_STUFF) its_mitigation =3D ITS_MITIGATION_RETPOLINE_STUFF; @@ -1462,13 +1491,8 @@ static void __init its_update_mitigation(void) break; } =20 - /* - * retbleed_update_mitigation() will try to do stuffing if its=3Dstuff. - * If it can't, such as if spectre_v2!=3Dretpoline, then fall back to - * aligned thunks. - */ if (its_mitigation =3D=3D ITS_MITIGATION_RETPOLINE_STUFF && - retbleed_mitigation !=3D RETBLEED_MITIGATION_STUFF) + !cdt_possible(spectre_v2_enabled)) its_mitigation =3D ITS_MITIGATION_ALIGNED_THUNKS; =20 pr_info("%s\n", its_strings[its_mitigation]); @@ -1476,15 +1500,24 @@ static void __init its_update_mitigation(void) =20 static void __init its_apply_mitigation(void) { - /* its=3Dstuff forces retbleed stuffing and is enabled there. */ - if (its_mitigation !=3D ITS_MITIGATION_ALIGNED_THUNKS) - return; - - if (!boot_cpu_has(X86_FEATURE_RETPOLINE)) - setup_force_cpu_cap(X86_FEATURE_INDIRECT_THUNK_ITS); + switch (its_mitigation) { + case ITS_MITIGATION_OFF: + case ITS_MITIGATION_AUTO: + case ITS_MITIGATION_VMEXIT_ONLY: + break; + case ITS_MITIGATION_ALIGNED_THUNKS: + if (!boot_cpu_has(X86_FEATURE_RETPOLINE)) + setup_force_cpu_cap(X86_FEATURE_INDIRECT_THUNK_ITS); =20 - setup_force_cpu_cap(X86_FEATURE_RETHUNK); - set_return_thunk(its_return_thunk); + setup_force_cpu_cap(X86_FEATURE_RETHUNK); + set_return_thunk(its_return_thunk); + break; + case ITS_MITIGATION_RETPOLINE_STUFF: + setup_force_cpu_cap(X86_FEATURE_RETHUNK); + setup_force_cpu_cap(X86_FEATURE_CALL_DEPTH); + set_return_thunk(call_depth_return_thunk); + break; + } } =20 #undef pr_fmt --=20 2.34.1