Merge tag 'x86-urgent-2026-03-01' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Pull x86 fixes from Ingo Molnar:

- Fix speculative safety in fred_extint()

- Fix __WARN_printf() trap in early_fixup_exception()

- Fix clang-build boot bug for unusual alignments, triggered by
CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B=y

- Replace the final few __ASSEMBLY__ stragglers that snuck in lately
into non-UAPI x86 headers and use __ASSEMBLER__ consistently (again)

* tag 'x86-urgent-2026-03-01' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/headers: Replace __ASSEMBLY__ stragglers with __ASSEMBLER__
x86/cfi: Fix CFI rewrite for odd alignments
x86/bug: Handle __WARN_printf() trap in early_fixup_exception()
x86/fred: Correct speculative safety in fred_extint()

Linus Torvalds 3 weeks ago 5920da44 f6542af9

+50 -42

12 changed files

expand all

arch

x86

entry

entry_fred.c

include

asm

bug.h

cfi.h

irqflags.h

linkage.h

percpu.h

runtime-const.h

traps.h

kernel

alternative.c

traps.c

extable.c

net

bpf_jit_comp.c

+2 -3

arch/x86/entry/entry_fred.c

··· 160 160 static noinstr void fred_extint(struct pt_regs *regs) 161 161 { 162 162 unsigned int vector = regs->fred_ss.vector; 163 - unsigned int index = array_index_nospec(vector - FIRST_SYSTEM_VECTOR, 164 - NR_SYSTEM_VECTORS); 165 163 166 164 if (WARN_ON_ONCE(vector < FIRST_EXTERNAL_VECTOR)) 167 165 return; ··· 168 170 irqentry_state_t state = irqentry_enter(regs); 169 171 170 172 instrumentation_begin(); 171 - sysvec_table[index](regs); 173 + sysvec_table[array_index_nospec(vector - FIRST_SYSTEM_VECTOR, 174 + NR_SYSTEM_VECTORS)](regs); 172 175 instrumentation_end(); 173 176 irqentry_exit(regs, state); 174 177 } else {

+3 -3

arch/x86/include/asm/bug.h

··· 7 7 #include <linux/objtool.h> 8 8 #include <asm/asm.h> 9 9 10 - #ifndef __ASSEMBLY__ 10 + #ifndef __ASSEMBLER__ 11 11 struct bug_entry; 12 12 extern void __WARN_trap(struct bug_entry *bug, ...); 13 13 #endif ··· 137 137 138 138 #ifdef HAVE_ARCH_BUG_FORMAT_ARGS 139 139 140 - #ifndef __ASSEMBLY__ 140 + #ifndef __ASSEMBLER__ 141 141 #include <linux/static_call_types.h> 142 142 DECLARE_STATIC_CALL(WARN_trap, __WARN_trap); 143 143 ··· 153 153 struct sysv_va_list args; 154 154 }; 155 155 extern void *__warn_args(struct arch_va_list *args, struct pt_regs *regs); 156 - #endif /* __ASSEMBLY__ */ 156 + #endif /* __ASSEMBLER__ */ 157 157 158 158 #define __WARN_bug_entry(flags, format) ({ \ 159 159 struct bug_entry *bug; \

+8 -4

arch/x86/include/asm/cfi.h

··· 111 111 112 112 struct pt_regs; 113 113 114 + #ifdef CONFIG_CALL_PADDING 115 + #define CFI_OFFSET (CONFIG_FUNCTION_PADDING_CFI+5) 116 + #else 117 + #define CFI_OFFSET 5 118 + #endif 119 + 114 120 #ifdef CONFIG_CFI 115 121 enum bug_trap_type handle_cfi_failure(struct pt_regs *regs); 116 122 #define __bpfcall ··· 125 119 { 126 120 switch (cfi_mode) { 127 121 case CFI_FINEIBT: 128 - return 16; 122 + return /* fineibt_prefix_size */ 16; 129 123 case CFI_KCFI: 130 - if (IS_ENABLED(CONFIG_CALL_PADDING)) 131 - return 16; 132 - return 5; 124 + return CFI_OFFSET; 133 125 default: 134 126 return 0; 135 127 }

+2 -2

arch/x86/include/asm/irqflags.h

··· 77 77 #endif 78 78 79 79 #ifndef CONFIG_PARAVIRT 80 - #ifndef __ASSEMBLY__ 80 + #ifndef __ASSEMBLER__ 81 81 /* 82 82 * Used in the idle loop; sti takes one instruction cycle 83 83 * to complete: ··· 95 95 { 96 96 native_halt(); 97 97 } 98 - #endif /* __ASSEMBLY__ */ 98 + #endif /* __ASSEMBLER__ */ 99 99 #endif /* CONFIG_PARAVIRT */ 100 100 101 101 #ifdef CONFIG_PARAVIRT_XXL

+2 -2

arch/x86/include/asm/linkage.h

··· 68 68 * Depending on -fpatchable-function-entry=N,N usage (CONFIG_CALL_PADDING) the 69 69 * CFI symbol layout changes. 70 70 * 71 - * Without CALL_THUNKS: 71 + * Without CALL_PADDING: 72 72 * 73 73 * .align FUNCTION_ALIGNMENT 74 74 * __cfi_##name: ··· 77 77 * .long __kcfi_typeid_##name 78 78 * name: 79 79 * 80 - * With CALL_THUNKS: 80 + * With CALL_PADDING: 81 81 * 82 82 * .align FUNCTION_ALIGNMENT 83 83 * __cfi_##name:

+1 -1

arch/x86/include/asm/percpu.h

··· 20 20 21 21 #define PER_CPU_VAR(var) __percpu(var)__percpu_rel 22 22 23 - #else /* !__ASSEMBLY__: */ 23 + #else /* !__ASSEMBLER__: */ 24 24 25 25 #include <linux/args.h> 26 26 #include <linux/bits.h>

+3 -3

arch/x86/include/asm/runtime-const.h

··· 6 6 #error "Cannot use runtime-const infrastructure from modules" 7 7 #endif 8 8 9 - #ifdef __ASSEMBLY__ 9 + #ifdef __ASSEMBLER__ 10 10 11 11 .macro RUNTIME_CONST_PTR sym reg 12 12 movq $0x0123456789abcdef, %\reg ··· 16 16 .popsection 17 17 .endm 18 18 19 - #else /* __ASSEMBLY__ */ 19 + #else /* __ASSEMBLER__ */ 20 20 21 21 #define runtime_const_ptr(sym) ({ \ 22 22 typeof(sym) __ret; \ ··· 74 74 } 75 75 } 76 76 77 - #endif /* __ASSEMBLY__ */ 77 + #endif /* __ASSEMBLER__ */ 78 78 #endif

arch/x86/include/asm/traps.h

··· 25 25 void handle_invalid_op(struct pt_regs *regs); 26 26 #endif 27 27 28 + noinstr bool handle_bug(struct pt_regs *regs); 29 + 28 30 static inline int get_si_code(unsigned long condition) 29 31 { 30 32 if (condition & DR_STEP)

+22 -7

arch/x86/kernel/alternative.c

··· 1182 1182 1183 1183 poison_endbr(addr); 1184 1184 if (IS_ENABLED(CONFIG_FINEIBT)) 1185 - poison_cfi(addr - 16); 1185 + poison_cfi(addr - CFI_OFFSET); 1186 1186 } 1187 1187 } 1188 1188 ··· 1388 1388 #define fineibt_preamble_bhi (fineibt_preamble_bhi - fineibt_preamble_start) 1389 1389 #define fineibt_preamble_ud 0x13 1390 1390 #define fineibt_preamble_hash 5 1391 + 1392 + #define fineibt_prefix_size (fineibt_preamble_size - ENDBR_INSN_SIZE) 1391 1393 1392 1394 /* 1393 1395 * <fineibt_caller_start>: ··· 1636 1634 * have determined there are no indirect calls to it and we 1637 1635 * don't need no CFI either. 1638 1636 */ 1639 - if (!is_endbr(addr + 16)) 1637 + if (!is_endbr(addr + CFI_OFFSET)) 1640 1638 continue; 1641 1639 1642 1640 hash = decode_preamble_hash(addr, &arity); 1643 1641 if (WARN(!hash, "no CFI hash found at: %pS %px %*ph\n", 1644 1642 addr, addr, 5, addr)) 1645 1643 return -EINVAL; 1644 + 1645 + /* 1646 + * FineIBT relies on being at func-16, so if the preamble is 1647 + * actually larger than that, place it the tail end. 1648 + * 1649 + * NOTE: this is possible with things like DEBUG_CALL_THUNKS 1650 + * and DEBUG_FORCE_FUNCTION_ALIGN_64B. 1651 + */ 1652 + addr += CFI_OFFSET - fineibt_prefix_size; 1646 1653 1647 1654 text_poke_early(addr, fineibt_preamble_start, fineibt_preamble_size); 1648 1655 WARN_ON(*(u32 *)(addr + fineibt_preamble_hash) != 0x12345678); ··· 1675 1664 for (s = start; s < end; s++) { 1676 1665 void *addr = (void *)s + *s; 1677 1666 1678 - if (!exact_endbr(addr + 16)) 1667 + if (!exact_endbr(addr + CFI_OFFSET)) 1679 1668 continue; 1680 1669 1681 - poison_endbr(addr + 16); 1670 + poison_endbr(addr + CFI_OFFSET); 1682 1671 } 1683 1672 } 1684 1673 ··· 1783 1772 if (FINEIBT_WARN(fineibt_preamble_size, 20) || 1784 1773 FINEIBT_WARN(fineibt_preamble_bhi + fineibt_bhi1_size, 20) || 1785 1774 FINEIBT_WARN(fineibt_caller_size, 14) || 1786 - FINEIBT_WARN(fineibt_paranoid_size, 20)) 1775 + FINEIBT_WARN(fineibt_paranoid_size, 20) || 1776 + WARN_ON_ONCE(CFI_OFFSET < fineibt_prefix_size)) 1787 1777 return; 1788 1778 1789 1779 if (cfi_mode == CFI_AUTO) { ··· 1898 1886 switch (cfi_mode) { 1899 1887 case CFI_FINEIBT: 1900 1888 /* 1889 + * FineIBT preamble is at func-16. 1890 + */ 1891 + addr += CFI_OFFSET - fineibt_prefix_size; 1892 + 1893 + /* 1901 1894 * FineIBT prefix should start with an ENDBR. 1902 1895 */ 1903 1896 if (!is_endbr(addr)) ··· 1939 1922 break; 1940 1923 } 1941 1924 } 1942 - 1943 - #define fineibt_prefix_size (fineibt_preamble_size - ENDBR_INSN_SIZE) 1944 1925 1945 1926 /* 1946 1927 * When regs->ip points to a 0xD6 byte in the FineIBT preamble,

+1 -1

arch/x86/kernel/traps.c

··· 397 397 ILL_ILLOPN, error_get_trap_addr(regs)); 398 398 } 399 399 400 - static noinstr bool handle_bug(struct pt_regs *regs) 400 + noinstr bool handle_bug(struct pt_regs *regs) 401 401 { 402 402 unsigned long addr = regs->ip; 403 403 bool handled = false;

+2 -5

arch/x86/mm/extable.c

··· 411 411 return; 412 412 413 413 if (trapnr == X86_TRAP_UD) { 414 - if (report_bug(regs->ip, regs) == BUG_TRAP_TYPE_WARN) { 415 - /* Skip the ud2. */ 416 - regs->ip += LEN_UD2; 414 + if (handle_bug(regs)) 417 415 return; 418 - } 419 416 420 417 /* 421 - * If this was a BUG and report_bug returns or if this 418 + * If this was a BUG and handle_bug returns or if this 422 419 * was just a normal #UD, we want to continue onward and 423 420 * crash. 424 421 */

+2 -11

arch/x86/net/bpf_jit_comp.c

··· 438 438 439 439 EMIT1_off32(0xb8, hash); /* movl $hash, %eax */ 440 440 #ifdef CONFIG_CALL_PADDING 441 - EMIT1(0x90); 442 - EMIT1(0x90); 443 - EMIT1(0x90); 444 - EMIT1(0x90); 445 - EMIT1(0x90); 446 - EMIT1(0x90); 447 - EMIT1(0x90); 448 - EMIT1(0x90); 449 - EMIT1(0x90); 450 - EMIT1(0x90); 451 - EMIT1(0x90); 441 + for (int i = 0; i < CONFIG_FUNCTION_PADDING_CFI; i++) 442 + EMIT1(0x90); 452 443 #endif 453 444 EMIT_ENDBR(); 454 445