Add function to reset SSB mitigations back to their boot-time defaults.

Signed-off-by: David Kaplan <david.kaplan@amd.com>
---
 arch/x86/kernel/cpu/bugs.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 4ca46f58e384..cc7b1b67d22d 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -380,6 +380,16 @@ static void x86_amd_ssb_disable(void)
 		wrmsrq(MSR_AMD64_LS_CFG, msrval);
 }
 
+static void x86_amd_ssb_enable(void)
+{
+	u64 msrval = x86_amd_ls_cfg_base;
+
+	if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
+		wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, 0);
+	else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
+		wrmsrl(MSR_AMD64_LS_CFG, msrval);
+}
+
 #undef pr_fmt
 #define pr_fmt(fmt)	"MDS: " fmt
 
@@ -2672,6 +2682,17 @@ static void __init ssb_apply_mitigation(void)
 	}
 }
 
+#ifdef CONFIG_DYNAMIC_MITIGATIONS
+static void ssb_reset_mitigation(void)
+{
+	setup_clear_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
+	x86_spec_ctrl_base &= ~SPEC_CTRL_SSBD;
+	nossb = false;
+	ssb_mode = IS_ENABLED(CONFIG_MITIGATION_SSB) ?
+		SPEC_STORE_BYPASS_AUTO : SPEC_STORE_BYPASS_NONE;
+}
+#endif
+
 #undef pr_fmt
 #define pr_fmt(fmt)     "Speculation prctl: " fmt
 
@@ -2916,6 +2937,8 @@ void x86_spec_ctrl_setup_ap(void)
 
 	if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
 		x86_amd_ssb_disable();
+	else
+		x86_amd_ssb_enable();
 }
 
 bool itlb_multihit_kvm_mitigation;
@@ -3857,5 +3880,6 @@ void arch_cpu_reset_mitigations(void)
 	spectre_v2_reset_mitigation();
 	retbleed_reset_mitigation();
 	spectre_v2_user_reset_mitigation();
+	ssb_reset_mitigation();
 }
 #endif
-- 
2.34.1

On Mon, Oct 13, 2025 at 09:33:56AM -0500, David Kaplan wrote:
> @@ -2916,6 +2937,8 @@ void x86_spec_ctrl_setup_ap(void)
>  
>  	if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
>  		x86_amd_ssb_disable();
> +	else
> +		x86_amd_ssb_enable();

I'm assuming we need this for the case when we do alternatives-patch and then
some CPUs are coming online later so they have to get SSBD properly set
there...

In any case, lemme suggest a simplification (I hope I've gotten the booleans
right):

---

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 6b25192560f0..e78e010b4752 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -221,24 +221,20 @@ x86_virt_spec_ctrl(u64 guest_virt_spec_ctrl, bool setguest)
 }
 EXPORT_SYMBOL_FOR_KVM(x86_virt_spec_ctrl);
 
-static void x86_amd_ssb_disable(void)
+static void x86_amd_ssb_toggle(bool disable)
 {
-	u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask;
+	u64 msrval  = x86_amd_ls_cfg_base;
+	u64 msrvirt = 0;
 
-	if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
-		wrmsrq(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD);
-	else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
-		wrmsrq(MSR_AMD64_LS_CFG, msrval);
-}
-
-static void x86_amd_ssb_enable(void)
-{
-	u64 msrval = x86_amd_ls_cfg_base;
+	if (disable) {
+		msrval  |= x86_amd_ls_cfg_ssbd_mask;
+		msrvirt  = SPEC_CTRL_SSBD;
+	}
 
 	if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
-		wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, 0);
+		wrmsrq(MSR_AMD64_VIRT_SPEC_CTRL, msrvirt);
 	else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
-		wrmsrl(MSR_AMD64_LS_CFG, msrval);
+		wrmsrq(MSR_AMD64_LS_CFG, msrval);
 }
 
 #undef pr_fmt
@@ -2524,7 +2520,7 @@ static void __init ssb_apply_mitigation(void)
 		 */
 		if (!static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) &&
 		    !static_cpu_has(X86_FEATURE_AMD_SSBD)) {
-			x86_amd_ssb_disable();
+			x86_amd_ssb_toggle(true);
 		} else {
 			x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
 			update_spec_ctrl(x86_spec_ctrl_base);
@@ -2785,10 +2781,7 @@ void x86_spec_ctrl_setup_ap(void)
 	if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
 		update_spec_ctrl(x86_spec_ctrl_base);
 
-	if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
-		x86_amd_ssb_disable();
-	else
-		x86_amd_ssb_enable();
+	x86_amd_ssb_toggle(ssb_mode == SPEC_STORE_BYPASS_DISABLE);
 }
 
 bool itlb_multihit_kvm_mitigation;

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

On 10/13/25 17:33, David Kaplan wrote:
> Add function to reset SSB mitigations back to their boot-time defaults.
> 
> Signed-off-by: David Kaplan <david.kaplan@amd.com>
> ---
>   arch/x86/kernel/cpu/bugs.c | 24 ++++++++++++++++++++++++
>   1 file changed, 24 insertions(+)
> 
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 4ca46f58e384..cc7b1b67d22d 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -380,6 +380,16 @@ static void x86_amd_ssb_disable(void)
>   		wrmsrq(MSR_AMD64_LS_CFG, msrval);
>   }
>   
> +static void x86_amd_ssb_enable(void)
> +{
> +	u64 msrval = x86_amd_ls_cfg_base;
> +
> +	if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
> +		wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, 0);
> +	else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
> +		wrmsrl(MSR_AMD64_LS_CFG, msrval);

nit: No need for the local msrval variable, just pass x86_amd_ls_cfg_base.

> +}
> +
>   #undef pr_fmt
>   #define pr_fmt(fmt)	"MDS: " fmt
>   
> @@ -2672,6 +2682,17 @@ static void __init ssb_apply_mitigation(void)
>   	}
>   }
>   
> +#ifdef CONFIG_DYNAMIC_MITIGATIONS
> +static void ssb_reset_mitigation(void)
> +{
> +	setup_clear_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
> +	x86_spec_ctrl_base &= ~SPEC_CTRL_SSBD;
> +	nossb = false;
> +	ssb_mode = IS_ENABLED(CONFIG_MITIGATION_SSB) ?
> +		SPEC_STORE_BYPASS_AUTO : SPEC_STORE_BYPASS_NONE;
> +}
> +#endif
> +
>   #undef pr_fmt
>   #define pr_fmt(fmt)     "Speculation prctl: " fmt
>   
> @@ -2916,6 +2937,8 @@ void x86_spec_ctrl_setup_ap(void)
>   
>   	if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
>   		x86_amd_ssb_disable();
> +	else
> +		x86_amd_ssb_enable();

Does it mean SSB hasn't been working correctly up until now since 
_enable function has been missing?

<snip>