ACK/Cmnt: [SRU][N][PATCH 0/3] ITS mitigation is not enabled on affected CPUs
Stefan Bader
stefan.bader at canonical.com
Wed Mar 18 14:34:14 UTC 2026
On 18/03/2026 11:23, Manuel Diewald wrote:
> BugLink: https://bugs.launchpad.net/bugs/2144730
>
> SRU Justification:
>
> [Impact]
>
> Noble upstream stable patchset 2025-10-29 (LP :#210277) included the
> following patch from upstream stable branch linux-6.12.y:
>
> * 68d59e9ba3842 ("x86/its: Enable Indirect Target Selection mitigation")
>
> The patch disables ITS mitigation if CONFIG_MITIGATION_RETPOLINE or
> CONFIG_MITIGATION_RETHUNK are not available:
>
> + if (!IS_ENABLED(CONFIG_MITIGATION_RETPOLINE) ||
> + !IS_ENABLED(CONFIG_MITIGATION_RETHUNK)) {
> + pr_err("WARNING: ITS mitigation depends on retpoline and rethunk support\n");
> + its_mitigation = ITS_MITIGATION_OFF;
> + goto out;
> + }
>
> However, while linux-6.12.y contains the following two commits, Noble
> does not:
>
> * aefb2f2e619b6 ("x86/bugs: Rename CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE")
> * 0911b8c52c4d6 ("x86/bugs: Rename CONFIG_RETHUNK => CONFIG_MITIGATION_RETHUNK")
>
> This discrepancy will cause the runtime check from above to always fail
> in Noble, since the config options have not been renamed and therefore
> are undefined, even though we have both CONFIG_RETPOLINE and
> CONFIG_RETHUNK enabled through annotations. Consequently, ITS mitigation
> will not be enabled when it should be.
>
> On affected CPUs this will cause the kernel to warn about missing ITS
> mitigation:
>
> [ 0.966659] ITS: WARNING: ITS mitigation depends on retpoline and rethunk support
> [ 0.966851] ITS: Vulnerable
>
> [Fix]
>
> Backport the patches that rename CONFIG_RETPOLINE and CONFIG_RETHUNK to
> Noble:
>
> * aefb2f2e619b6 ("x86/bugs: Rename CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE")
> * 0911b8c52c4d6 ("x86/bugs: Rename CONFIG_RETHUNK => CONFIG_MITIGATION_RETHUNK")
>
> [Test Plan]
>
> Boot on an affected CPU and check that ITS mitigation is enabled as
> expected:
>
> [ 3.642521] active return thunk: its_return_thunk
> [ 3.643523] ITS: Mitigation: Aligned branch/return thunks
>
> [Where problems could occur]
>
> Any present or future patch that relies on the old naming scheme for the
> two options will behave as if the features are unavailable which could
> cause critical mitigations to be either less effective or disabled
> completely.
>
> Breno Leitao (2):
> x86/bugs: Rename CONFIG_RETPOLINE =>
> CONFIG_MITIGATION_RETPOLINE
> x86/bugs: Rename CONFIG_RETHUNK =>
> CONFIG_MITIGATION_RETHUNK
>
> Manuel Diewald (1):
> UBUNTU: [Config] rename config options RETHUNK and RETPOLINE
>
> Documentation/admin-guide/hw-vuln/spectre.rst | 8 ++++----
> Documentation/admin-guide/kernel-parameters.txt | 4 ++--
> arch/x86/Kconfig | 16 ++++++++--------
> arch/x86/Makefile | 6 +++---
> arch/x86/configs/i386_defconfig | 2 +-
> arch/x86/entry/vdso/Makefile | 4 ++--
> arch/x86/include/asm/alternative.h | 2 +-
> arch/x86/include/asm/disabled-features.h | 4 ++--
> arch/x86/include/asm/linkage.h | 12 ++++++------
> arch/x86/include/asm/nospec-branch.h | 12 ++++++------
> arch/x86/include/asm/static_call.h | 2 +-
> arch/x86/kernel/alternative.c | 10 +++++-----
> arch/x86/kernel/cpu/bugs.c | 6 +++---
> arch/x86/kernel/ftrace.c | 2 +-
> arch/x86/kernel/kprobes/opt.c | 2 +-
> arch/x86/kernel/static_call.c | 2 +-
> arch/x86/kernel/vmlinux.lds.S | 4 ++--
> arch/x86/kvm/mmu/mmu.c | 2 +-
> arch/x86/kvm/mmu/mmu_internal.h | 2 +-
> arch/x86/kvm/svm/svm.c | 2 +-
> arch/x86/kvm/svm/vmenter.S | 4 ++--
> arch/x86/kvm/vmx/vmx.c | 2 +-
> arch/x86/lib/Makefile | 2 +-
> arch/x86/lib/retpoline.S | 4 ++--
> arch/x86/net/bpf_jit_comp.c | 2 +-
> arch/x86/net/bpf_jit_comp32.c | 2 +-
> arch/x86/purgatory/Makefile | 2 +-
> debian.master/config/annotations | 4 ++--
> include/linux/compiler-gcc.h | 2 +-
> include/linux/indirect_call_wrapper.h | 2 +-
> include/linux/module.h | 2 +-
> include/net/netfilter/nf_tables_core.h | 2 +-
> include/net/tc_wrapper.h | 2 +-
> kernel/trace/ring_buffer.c | 2 +-
> net/netfilter/Makefile | 2 +-
> net/netfilter/nf_tables_core.c | 6 +++---
> net/netfilter/nft_ct.c | 4 ++--
> net/sched/sch_api.c | 2 +-
> scripts/Makefile.lib | 4 ++--
> scripts/generate_rust_target.rs | 2 +-
> scripts/mod/modpost.c | 2 +-
> tools/arch/x86/include/asm/disabled-features.h | 4 ++--
> tools/objtool/arch/x86/special.c | 2 +-
> tools/objtool/check.c | 4 ++--
> 44 files changed, 85 insertions(+), 85 deletions(-)
>
I hope I did not miss anything but to me it looks like the complete set
of changes.
Acked-by: Stefan Bader <stefan.bader at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 52669 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260318/2478d398/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260318/2478d398/attachment-0001.sig>
More information about the kernel-team
mailing list