| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251013143444.3999-34-david.kaplan@amd.com>
Date: Mon, 13 Oct 2025 09:34:21 -0500
From: David Kaplan <david.kaplan@....com>
To: Thomas Gleixner <tglx@...utronix.de>, Borislav Petkov <bp@...en8.de>,
Peter Zijlstra <peterz@...radead.org>, Josh Poimboeuf <jpoimboe@...nel.org>,
Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>, Ingo Molnar
<mingo@...hat.com>, Dave Hansen <dave.hansen@...ux.intel.com>,
<x86@...nel.org>, "H . Peter Anvin" <hpa@...or.com>
CC: Alexander Graf <graf@...zon.com>, Boris Ostrovsky
<boris.ostrovsky@...cle.com>, <linux-kernel@...r.kernel.org>
Subject: [RFC PATCH 33/56] x86/alternative: Avoid re-patching init code
During boot, all sites should be patched but during re-patch, ignore any
sites that are in the init section of the kernel or a module.
Signed-off-by: David Kaplan <david.kaplan@....com>
---
arch/x86/kernel/alternative.c | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
index 9fbec219e98e..a821ea37fc29 100644
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -298,6 +298,27 @@ u8 *its_static_thunk(int reg)
static inline void its_fini_core(void) {}
#endif /* CONFIG_MITIGATION_ITS */
+static bool __maybe_unused repatch_in_progress;
+
+#ifdef CONFIG_DYNAMIC_MITIGATIONS
+/* Do not patch __init text addresses when repatching */
+static bool should_patch(void *addr, struct module *mod)
+{
+ if (!repatch_in_progress)
+ return true;
+
+ if (is_kernel_text((u64) addr))
+ return true;
+
+ return mod && within_module_core((u64) addr, mod);
+}
+#else
+static bool should_patch(void *addr, struct module *mod)
+{
+ return true;
+}
+#endif
+
/*
* Nomenclature for variable names to simplify and clarify this code and ease
* any potential staring at it:
@@ -658,6 +679,10 @@ void __init_or_module noinline apply_alternatives(struct alt_instr *start,
}
instr = instr_va(a);
+
+ if (!should_patch(instr, mod))
+ continue;
+
replacement = (u8 *)&a->repl_offset + a->repl_offset;
BUG_ON(a->instrlen > sizeof(insn_buff));
BUG_ON(a->cpuid >= (NCAPINTS + NBUGINTS) * 32);
@@ -986,6 +1011,10 @@ void __init_or_module noinline apply_retpolines(s32 *start, s32 *end, struct mod
u8 *dest;
ret = insn_decode_kernel(&insn, addr);
+
+ if (!should_patch(addr, mod))
+ continue;
+
if (WARN_ON_ONCE(ret < 0))
continue;
@@ -1092,6 +1121,10 @@ void __init_or_module noinline apply_returns(s32 *start, s32 *end, struct module
u8 op;
ret = insn_decode_kernel(&insn, addr);
+
+ if (!should_patch(addr, mod))
+ continue;
+
if (WARN_ON_ONCE(ret < 0))
continue;
--
2.34.1
Powered by blists - more mailing lists