Hi Pawan,
On Fri, May 16, 2025 at 04:59:28PM -0700, Pawan Gupta wrote:
v3:
- Added patches:
  x86/its: Fix build errors when CONFIG_MODULES=n
  x86/its: FineIBT-paranoid vs ITS
v2:
- Added missing patch to 6.1 backport.
This is a backport of mitigation for Indirect Target Selection (ITS).
ITS is a bug in some Intel CPUs that affects indirect branches including RETs in the first half of a cacheline. Mitigation is to relocate the affected branches to an ITS-safe thunk.
Below additional upstream commits are required to cover some of the special cases like indirects in asm and returns in static calls:
cfceff8526a4 ("x86/speculation: Simplify and make CALL_NOSPEC consistent")
052040e34c08 ("x86/speculation: Add a conditional CS prefix to CALL_NOSPEC")
c8c81458863a ("x86/speculation: Remove the extra #ifdef around CALL_NOSPEC")
d2408e043e72 ("x86/alternative: Optimize returns patching")
4ba89dd6ddec ("x86/alternatives: Remove faulty optimization")
[1] https://github.com/torvalds/linux/commit/6f5bf947bab06f37ff931c359fd5770c4d9...
AFAICS there are no backports yet for stable series older than 5.15 either, in particular 5.10.y (which is still used in Debian bullseye). Are you also planning to make backports for the 5.10.y stable series?
Regards, Salvatore