[Bug 2152613] [NEW] dmesg: Unpatched return thunk in use. This should not happen!

Thu, 14 May 2026 04:40:36 -0700 

Public bug reported:

In dmesg right after loading the broadcom wl driver the following issue
happens:

```
[    5.222019] ------------[ cut here ]------------
[    5.222027] Unpatched return thunk in use. This should not happen!
[    5.222029] WARNING: arch/x86/kernel/cpu/bugs.c:3736 at 
__warn_thunk+0x10/0x20, CPU#0: (udev-worker)/345
[    5.222040] Modules linked in: wl(POE+) apple_bl(+) snd_hda_intel 
snd_hda_codec snd_hda_core i2c_i801 snd_intel_dspcfg i2c_smbus snd_seq_midi 
drm_buddy ttm i2c_mux snd_intel_sdw_acpi snd_seq_midi_event sbs(+) acpi_als 
lpc_ich snd_rawmidi snd_hwdep drm_display_helper industrialio_triggered_buffer 
cfg80211 sbshc snd_pcm snd_seq mei_me cec kfifo_buf snd_seq_device mei rc_core 
snd_timer industrialio snd soundcore i2c_algo_bit nls_iso8859_1 mac_hid 
sch_fq_codel msr parport_pc lp ppdev parport nvme_fabrics efi_pstore nfnetlink 
dmi_sysfs autofs4 hid_apple hid_generic nvme uas usbhid nvme_core hid 
usb_storage nvme_keyring nvme_auth hkdf video wmi
[    5.222121] CPU: 0 UID: 0 PID: 345 Comm: (udev-worker) Tainted: P           
OE       7.0.0-15-generic #15-Ubuntu PREEMPT(lazy) 
[    5.222126] Tainted: [P]=PROPRIETARY_MODULE, [O]=OOT_MODULE, 
[E]=UNSIGNED_MODULE
[    5.222128] Hardware name: Apple Inc. MacBookPro11,1/Mac-189A3D4F975D5FFC, 
BIOS 478.0.0.0.0 01/13/2023
[    5.222131] RIP: 0010:__warn_thunk+0x10/0x20
[    5.222138] Code: 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 
90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 48 8d 3d 40 40 b1 02 <67> 48 0f 
b9 3a 5d 31 ff c3 cc cc cc cc 0f 1f 00 90 90 90 90 90 90
[    5.222141] RSP: 0018:ffffcd1a40aa3890 EFLAGS: 00010246
[    5.222145] RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000000
[    5.222147] RDX: 0000000000000000 RSI: ffffffffc12a5c00 RDI: ffffffffbc8d7d50
[    5.222150] RBP: ffffcd1a40aa3890 R08: 0000000000000000 R09: 0000000000000000
[    5.222152] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffc12a5c00
[    5.222154] R13: ffffffffc0f62c40 R14: ffffffffc0dac010 R15: 00007ce8076ea317
[    5.222157] FS:  00007ce80772dc80(0000) GS:ffff8cb1aa400000(0000) 
knlGS:0000000000000000
[    5.222160] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    5.222163] CR2: 000064fc076f9868 CR3: 00000001106d0005 CR4: 00000000001706f0
[    5.222166] Call Trace:
[    5.222168]  <TASK>
[    5.222172]  warn_thunk_thunk+0x16/0x30
[    5.222181]  getvar+0x20/0x70 [wl]
[    5.222248]  wl_module_init+0x17/0xb0 [wl]
[    5.222321]  do_one_initcall+0x59/0x350
[    5.222328]  do_init_module+0x8b/0x290
[    5.222333]  load_module+0x855/0x960
[    5.222338]  init_module_from_file+0xfb/0x180
[    5.222344]  idempotent_init_module+0x10e/0x300
[    5.222350]  __x64_sys_finit_module+0x73/0xf0
[    5.222354]  x64_sys_call+0xe2e/0x2390
[    5.222359]  do_syscall_64+0x115/0x5a0
[    5.222367]  ? putname+0x41/0x90
[    5.222374]  ? restore_fpregs_from_fpstate+0x46/0xe0
[    5.222379]  ? switch_fpu_return+0x64/0x110
[    5.222382]  ? exit_to_user_mode_loop+0x346/0x500
[    5.222388]  ? arch_exit_to_user_mode_prepare.isra.0+0xc5/0xe0
[    5.222392]  ? do_syscall_64+0x150/0x5a0
[    5.222398]  ? arch_exit_to_user_mode_prepare.isra.0+0xd/0xe0
[    5.222402]  ? do_syscall_64+0x150/0x5a0
[    5.222405]  ? arch_exit_to_user_mode_prepare.isra.0+0xc5/0xe0
[    5.222409]  ? do_syscall_64+0x150/0x5a0
[    5.222413]  ? arch_exit_to_user_mode_prepare.isra.0+0xd/0x100
[    5.222418]  ? irqentry_exit+0x97/0x5a0
[    5.222424]  ? exc_page_fault+0x94/0x1e0
[    5.222429]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[    5.222433] RIP: 0033:0x7ce806f34d0d
[    5.222436] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 
f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 
f0 ff ff 73 01 c3 48 8b 0d cb d0 0d 00 f7 d8 64 89 01 48
[    5.222439] RSP: 002b:00007fffac5e0ee8 EFLAGS: 00000246 ORIG_RAX: 
0000000000000139
[    5.222443] RAX: ffffffffffffffda RBX: 000064fc07b44310 RCX: 00007ce806f34d0d
[    5.222446] RDX: 0000000000000004 RSI: 00007ce8076ea317 RDI: 000000000000002a
[    5.222448] RBP: 00007fffac5e0f80 R08: 0000000000000000 R09: 000064fc07b54660
[    5.222450] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ce8076ea317
[    5.222453] R13: 000064fc07b414b0 R14: 0000000000020000 R15: 0000000000000000
[    5.222457]  </TASK>
[    5.222459] ---[ end trace 0000000000000000 ]---
```

But Claude Code told me how to fix it and I can confirm that he's right,
his patch works:


Root cause (verified via disassembly and relocation inspection)

     The kernel's arch/x86/Makefile adds -mfunction-return=thunk-extern to 
KBUILD_CFLAGS when CONFIG_MITIGATION_RETHUNK=y. This causes
      all DKMS-compiled C source files (linux_osl.c, wl_linux.c, etc.) to 
replace RET with JMP __x86_return_thunk. objtool records
     those return sites in .return_sites per-object.

     The Makefile already has (line 195) wl.o: override objtool-enabled = — 
added by Ubuntu to fix a Linux 6.15+ build error — which
     skips objtool on the final linked wl.o. Without objtool's post-link fixup 
pass, the .return_sites section retains pre-linking
     virtual addresses that are wrong after relocation.

     At module load, apply_returns() patches the wrong addresses. The C 
functions' actual JMP __x86_return_thunk instructions are
     never patched. The kernel briefly sets __x86_return_thunk to 
warn_thunk_thunk during module-load validation; osl_strlen hits that
      unpatched call and fires WARN_ONCE.

     Confirmed via:
     - objdump -d lib/wlc_hybrid.o_amd64 → getvar ends with plain RET (2015 
blob, no thunk support)
     - readelf -r lib/wlc_hybrid.o_amd64 → relocation at b823 targets 
osl_strlen (C-compiled function)
     - Stack trace: wl_module_init → getvar → [osl_strlen via getvar+0x1b] → 
warn_thunk_thunk

     Fix

     Override -mfunction-return=thunk-extern back to keep for this module's C 
sources. The C code will use plain RET (matching the
     binary blob), no .return_sites entries are created, and nothing is left 
unpatched.

     Security note: The binary blob always lacked return-thunk mitigation; 
adding -mfunction-return=keep to C code does not introduce
     a new regression. This system (Intel Haswell / MacBookPro11,1) is not 
vulnerable to Retbleed, so the trade-off is acceptable.

     Critical files

     - /usr/src/broadcom-sta-6.30.223.271/Makefile — single-line
addition near line 126

     Implementation

     Step 1 — Patch the DKMS Makefile

     In /usr/src/broadcom-sta-6.30.223.271/Makefile, after the line
ccflags-y := (line 126), add:

     # wlc_hybrid.o_amd64 (binary blob) has no return-thunk support; prevent
     # C sources from generating JMP __x86_return_thunk so objtool's disabled
     # post-link pass (wl.o: override objtool-enabled =) doesn't leave stale
     # .return_sites entries that trigger "Unpatched return thunk in use".
     ccflags-y += -mfunction-return=keep

     Step 2 — Rebuild DKMS module for current kernel

     KVER=$(uname -r)
     dkms remove broadcom-sta/6.30.223.271 -k $KVER
     dkms build  broadcom-sta/6.30.223.271 -k $KVER
     dkms install broadcom-sta/6.30.223.271 -k $KVER

     Step 3 — Reload the module

     modprobe -r wl
     modprobe wl

** Affects: broadcom-sta (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2152613

Title:
  dmesg: Unpatched return thunk in use. This should not happen!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/broadcom-sta/+bug/2152613/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to