This bug is awaiting verification that the linux/6.8.0-110.110 kernel in
-proposed solves the problem. Please test the kernel and update this bug
with the results. If the problem is solved, change the tag
'verification-needed-noble-linux' to 'verification-done-noble-linux'. If
the problem still exists, change the tag 'verification-needed-noble-
linux' to 'verification-failed-noble-linux'.
If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!
** Tags added: kernel-spammed-noble-linux-v2 verification-needed-noble-linux
--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2144730
Title:
ITS mitigation is not enabled on affected CPUs
Status in linux package in Ubuntu:
Invalid
Status in linux source package in Noble:
Fix Committed
Bug description:
SRU Justification:
[Impact]
Noble upstream stable patchset 2025-10-29 (LP :#210277) included the
following patch from upstream stable branch linux-6.12.y:
* 68d59e9ba3842 ("x86/its: Enable Indirect Target Selection
mitigation")
The patch disables ITS mitigation if CONFIG_MITIGATION_RETPOLINE or
CONFIG_MITIGATION_RETHUNK are not available:
+ if (!IS_ENABLED(CONFIG_MITIGATION_RETPOLINE) ||
+ !IS_ENABLED(CONFIG_MITIGATION_RETHUNK)) {
+ pr_err("WARNING: ITS mitigation depends on retpoline and rethunk support\n");
+ its_mitigation = ITS_MITIGATION_OFF;
+ goto out;
+ }
However, while linux-6.12.y contains the following two commits, Noble
does not:
* aefb2f2e619b6 ("x86/bugs: Rename CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE")
* 0911b8c52c4d6 ("x86/bugs: Rename CONFIG_RETHUNK => CONFIG_MITIGATION_RETHUNK")
This discrepancy will cause the runtime check from above to always fail
in Noble, since the config options have not been renamed and therefore
are undefined, even though we have both CONFIG_RETPOLINE and
CONFIG_RETHUNK enabled through annotations. Consequently, ITS mitigation
will not be enabled when it should be.
On affected CPUs this will cause the kernel to warn about missing ITS
mitigation:
[ 0.966659] ITS: WARNING: ITS mitigation depends on retpoline and rethunk support
[ 0.966851] ITS: Vulnerable
[Fix]
Backport the patches that rename CONFIG_RETPOLINE and CONFIG_RETHUNK to
Noble:
* aefb2f2e619b6 ("x86/bugs: Rename CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE")
* 0911b8c52c4d6 ("x86/bugs: Rename CONFIG_RETHUNK => CONFIG_MITIGATION_RETHUNK")
[Test Plan]
Boot on an affected CPU and check that ITS mitigation is enabled as
expected:
[ 3.642521] active return thunk: its_return_thunk
[ 3.643523] ITS: Mitigation: Aligned branch/return thunks
[Where problems could occur]
Any present or future patch that relies on the old naming scheme for the
two options will behave as if the features are unavailable which could
cause critical mitigations to be either less effective or disabled
completely.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2144730/+subscriptions
Комментариев нет:
Отправить комментарий