[SRU][N][PATCH 0/3] ITS mitigation is not enabled on affected CPUs
Manuel Diewald
manuel.diewald at canonical.com
Wed Mar 18 10:23:49 UTC 2026
BugLink: https://bugs.launchpad.net/bugs/2144730
SRU Justification:
[Impact]
Noble upstream stable patchset 2025-10-29 (LP: #210277) included the
following patch from upstream stable branch linux-6.12.y:
* 68d59e9ba3842 ("x86/its: Enable Indirect Target Selection mitigation")
The patch disables ITS mitigation if CONFIG_MITIGATION_RETPOLINE or
CONFIG_MITIGATION_RETHUNK are not available:
+ if (!IS_ENABLED(CONFIG_MITIGATION_RETPOLINE) ||
+ !IS_ENABLED(CONFIG_MITIGATION_RETHUNK)) {
+ pr_err("WARNING: ITS mitigation depends on retpoline and rethunk support\n");
+ its_mitigation = ITS_MITIGATION_OFF;
+ goto out;
+ }
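Review bot: the guard `if (!IS_ENABLED(CONFIG_MITIGATION_RETPOLINE) || !IS_ENABLED(CONFIG_MITIGATION_RETHUNK))` cannot tell a deliberately disabled option apart from a symbol that does not exist in the tree at all: IS_ENABLED() on an unknown name expands to 0 instead of failing the build, so on a tree that still spells the options CONFIG_RETPOLINE/CONFIG_RETHUNK it silently falls to ITS_MITIGATION_OFF with only the pr_err() as a trace. When backporting this check, verify that both symbol names exist in the target tree's Kconfig (or backport the renames alongside it), since the pr_err text points at missing retpoline/rethunk support rather than at a naming mismatch.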
However, while linux-6.12.y contains the following two commits, Noble
does not:
* aefb2f2e619b6 ("x86/bugs: Rename CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE")
* 0911b8c52c4d6 ("x86/bugs: Rename CONFIG_RETHUNK => CONFIG_MITIGATION_RETHUNK")
This discrepancy will cause the runtime check from above to always fail
in Noble, since the config options have not been renamed and therefore
are undefined, even though we have both CONFIG_RETPOLINE and
CONFIG_RETHUNK enabled through annotations. Consequently, ITS mitigation
will not be enabled when it should be.
On affected CPUs this will cause the kernel to warn about missing ITS
mitigation:
[ 0.966659] ITS: WARNING: ITS mitigation depends on retpoline and rethunk support
[ 0.966851] ITS: Vulnerable
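The failure mode described above comes entirely from how IS_ENABLED() behaves on a symbol that is not defined. The following stand-alone C program, added here as an illustration and not part of the submitted patches or the kernel, reimplements the kernel's IS_ENABLED()/__is_defined() preprocessor trick, simulates a Noble-style autoconf.h (only the old CONFIG_RETPOLINE/CONFIG_RETHUNK names defined), and runs the ITS check against both the old and the renamed symbols. The enum, the its_select_mitigation_*() functions and the "generated autoconf" defines are constructed for this example.

```c
#include <stdio.h>

/*
 * Re-implementation of the kernel's IS_ENABLED() machinery
 * (include/linux/kconfig.h): a CONFIG_ symbol that autoconf.h defines
 * as 1 yields 1, anything not defined at all yields 0. There is no
 * compile error for an unknown name, which is the root of the bug.
 */
#define __ARG_PLACEHOLDER_1 0,
#define __take_second_arg(__ignored, val, ...) val
#define ____is_defined(arg1_or_junk) __take_second_arg(arg1_or_junk 1, 0)
#define ___is_defined(val) ____is_defined(__ARG_PLACEHOLDER_##val)
#define __is_defined(x) ___is_defined(x)
#define IS_BUILTIN(option) __is_defined(option)
#define IS_MODULE(option) __is_defined(option##_MODULE)
#define IS_ENABLED(option) (IS_BUILTIN(option) || IS_MODULE(option))

/* Constructed stand-in for the ITS mitigation states in bugs.c. */
enum its_mitigation {
	ITS_MITIGATION_OFF,
	ITS_MITIGATION_ALIGNED_THUNKS,
};

/*
 * Constructed stand-in for Noble's generated autoconf.h: the options are
 * enabled, but under the pre-rename names.
 */
#define CONFIG_RETPOLINE 1
#define CONFIG_RETHUNK 1

/* The old names really are enabled in this simulated tree. */
static int old_names_enabled(void)
{
	return IS_ENABLED(CONFIG_RETPOLINE) && IS_ENABLED(CONFIG_RETHUNK);
}

/*
 * The backported check, evaluated against the unrenamed tree: the new
 * symbols are undefined, so IS_ENABLED() is 0 and the mitigation is
 * switched off even though retpoline/rethunk are built in.
 */
static enum its_mitigation its_select_mitigation_unrenamed_tree(void)
{
	if (!IS_ENABLED(CONFIG_MITIGATION_RETPOLINE) ||
	    !IS_ENABLED(CONFIG_MITIGATION_RETHUNK)) {
		fprintf(stderr, "ITS: WARNING: ITS mitigation depends on retpoline and rethunk support\n");
		return ITS_MITIGATION_OFF;
	}
	return ITS_MITIGATION_ALIGNED_THUNKS;
}

/*
 * Simulated effect of the two rename commits: autoconf.h now emits the
 * CONFIG_MITIGATION_* spellings. Everything below this point sees them.
 */
#define CONFIG_MITIGATION_RETPOLINE 1
#define CONFIG_MITIGATION_RETHUNK 1

/* Same check against the renamed tree: the mitigation is selected. */
static enum its_mitigation its_select_mitigation_renamed_tree(void)
{
	if (!IS_ENABLED(CONFIG_MITIGATION_RETPOLINE) ||
	    !IS_ENABLED(CONFIG_MITIGATION_RETHUNK))
		return ITS_MITIGATION_OFF;
	return ITS_MITIGATION_ALIGNED_THUNKS;
}

static const char *its_name(enum its_mitigation m)
{
	return m == ITS_MITIGATION_OFF ? "Vulnerable"
				       : "Mitigation: Aligned branch/return thunks";
}

int main(void)
{
	printf("old names enabled:  %d\n", old_names_enabled());
	printf("before rename: ITS: %s\n", its_name(its_select_mitigation_unrenamed_tree()));
	printf("after rename:  ITS: %s\n", its_name(its_select_mitigation_renamed_tree()));
	return 0;
}
```

The same symptom can be provoked in a real tree by any new code that tests a renamed Kconfig symbol before the rename has been backported, which is why the cover letter's "Where problems could occur" section calls out the naming scheme rather than ITS specifically.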
[Fix]
Backport the patches that rename CONFIG_RETPOLINE and CONFIG_RETHUNK to
Noble:
* aefb2f2e619b6 ("x86/bugs: Rename CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE")
* 0911b8c52c4d6 ("x86/bugs: Rename CONFIG_RETHUNK => CONFIG_MITIGATION_RETHUNK")
[Test Plan]
Boot on an affected CPU and check that ITS mitigation is enabled as
expected:
[ 3.642521] active return thunk: its_return_thunk
[ 3.643523] ITS: Mitigation: Aligned branch/return thunks
[Where problems could occur]
Any present or future patch that relies on the old naming scheme for the
two options will behave as if the features are unavailable, which could
cause critical mitigations to be either less effective or disabled
completely.
Breno Leitao (2):
x86/bugs: Rename CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE
x86/bugs: Rename CONFIG_RETHUNK => CONFIG_MITIGATION_RETHUNK
Manuel Diewald (1):
UBUNTU: [Config] rename config options RETHUNK and RETPOLINE
Documentation/admin-guide/hw-vuln/spectre.rst | 8 ++++----
Documentation/admin-guide/kernel-parameters.txt | 4 ++--
arch/x86/Kconfig | 16 ++++++++--------
arch/x86/Makefile | 6 +++---
arch/x86/configs/i386_defconfig | 2 +-
arch/x86/entry/vdso/Makefile | 4 ++--
arch/x86/include/asm/alternative.h | 2 +-
arch/x86/include/asm/disabled-features.h | 4 ++--
arch/x86/include/asm/linkage.h | 12 ++++++------
arch/x86/include/asm/nospec-branch.h | 12 ++++++------
arch/x86/include/asm/static_call.h | 2 +-
arch/x86/kernel/alternative.c | 10 +++++-----
arch/x86/kernel/cpu/bugs.c | 6 +++---
arch/x86/kernel/ftrace.c | 2 +-
arch/x86/kernel/kprobes/opt.c | 2 +-
arch/x86/kernel/static_call.c | 2 +-
arch/x86/kernel/vmlinux.lds.S | 4 ++--
arch/x86/kvm/mmu/mmu.c | 2 +-
arch/x86/kvm/mmu/mmu_internal.h | 2 +-
arch/x86/kvm/svm/svm.c | 2 +-
arch/x86/kvm/svm/vmenter.S | 4 ++--
arch/x86/kvm/vmx/vmx.c | 2 +-
arch/x86/lib/Makefile | 2 +-
arch/x86/lib/retpoline.S | 4 ++--
arch/x86/net/bpf_jit_comp.c | 2 +-
arch/x86/net/bpf_jit_comp32.c | 2 +-
arch/x86/purgatory/Makefile | 2 +-
debian.master/config/annotations | 4 ++--
include/linux/compiler-gcc.h | 2 +-
include/linux/indirect_call_wrapper.h | 2 +-
include/linux/module.h | 2 +-
include/net/netfilter/nf_tables_core.h | 2 +-
include/net/tc_wrapper.h | 2 +-
kernel/trace/ring_buffer.c | 2 +-
net/netfilter/Makefile | 2 +-
net/netfilter/nf_tables_core.c | 6 +++---
net/netfilter/nft_ct.c | 4 ++--
net/sched/sch_api.c | 2 +-
scripts/Makefile.lib | 4 ++--
scripts/generate_rust_target.rs | 2 +-
scripts/mod/modpost.c | 2 +-
tools/arch/x86/include/asm/disabled-features.h | 4 ++--
tools/objtool/arch/x86/special.c | 2 +-
tools/objtool/check.c | 4 ++--
44 files changed, 85 insertions(+), 85 deletions(-)
--
2.34.1