Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.1.44 2023-08-08T18:03:51+00:00 2023-08-08T18:03:51+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2023-08-08T18:03:51+00:00 urn:sha1:0a4a7855302d56a1d75cec3aa9a6914a3af9c6af Tested-by: Salvatore Bonaccorso <carnil@debian.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-08-08T18:03:51+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2023-08-08T17:20:48+00:00 urn:sha1:dd5f2ef16e3c6b83f14b5e620f51f42bc05a5d47 Stable-tree-only change. Due to the way the GDS and SRSO patches flowed into the stable tree, it was a 50% chance that the merge of the which value GDS and SRSO should be. Of course, I lost that bet, and chose the opposite of what Linus chose in commit 64094e7e3118 ("Merge tag 'gds-for-linus-2023-08-01' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip") Fix this up by switching the values to match what is now in Linus's tree as that is the correct value to mirror. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-08-08T18:03:51+00:00 Ross Lagerwall ross.lagerwall@citrix.com 2023-08-03T06:41:22+00:00 urn:sha1:fa5b932b77c815d0e416612859d5899424bb4212 commit 534fc31d09b706a16d83533e16b5dc855caf7576 upstream. It is possible that a guest can send a packet that contains a head + 18 slots and yet has a len <= XEN_NETBACK_TX_COPY_LEN. This causes nr_slots to underflow in xenvif_get_requests() which then causes the subsequent loop's termination condition to be wrong, causing a buffer overrun of queue->tx_map_ops. Rework the code to account for the extra frag_overflow slots. This is CVE-2023-34319 / XSA-432. Fixes: ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in the non-linear area") Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com> Reviewed-by: Paul Durrant <paul@xen.org> Reviewed-by: Wei Liu <wei.liu@kernel.org> Signed-off-by: Juergen Gross <jgross@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-08-08T18:03:51+00:00 Borislav Petkov (AMD) bp@alien8.de 2023-08-07T08:46:04+00:00 urn:sha1:4f25355540ad4d40dd3445f66159a321dad29cc8 commit 5a15d8348881e9371afdf9f5357a135489496955 upstream. The SBPB bit in MSR_IA32_PRED_CMD is supported only after a microcode patch has been applied so set X86_FEATURE_SBPB only then. Otherwise, guests would attempt to set that bit and #GP on the MSR write. While at it, make SMT detection more robust as some guests - depending on how and what CPUID leafs their report - lead to cpu_smt_control getting set to CPU_SMT_NOT_SUPPORTED but SRSO_NO should be set for any guest incarnation where one simply cannot do SMT, for whatever reason. Fixes: fb3bd914b3ec ("x86/srso: Add a Speculative RAS Overflow mitigation") Reported-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reported-by: Salvatore Bonaccorso <carnil@debian.org> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-08-08T18:03:51+00:00 Borislav Petkov (AMD) bp@alien8.de 2023-07-28T21:03:22+00:00 urn:sha1:77cf32d0dbfbf575fe66561e069228c532dc1da9 Upstream commit: 3bbbe97ad83db8d9df06daf027b0840188de625d Fix: vmlinux.o: warning: objtool: .export_symbol+0x29e40: data relocation to !ENDBR: srso_untrain_ret_alias+0x0 Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-08-08T18:03:51+00:00 Josh Poimboeuf jpoimboe@kernel.org 2023-07-28T22:28:43+00:00 urn:sha1:c7f2cd04554259c2474c4f9fa134528bc2826b22 Upstream commit: 238ec850b95a02dcdff3edc86781aa913549282f Set X86_FEATURE_RETHUNK when enabling the SRSO mitigation so that generated code (e.g., ftrace, static call, eBPF) generates "jmp __x86_return_thunk" instead of RET. [ bp: Add a comment. ] Fixes: fb3bd914b3ec ("x86/srso: Add a Speculative RAS Overflow mitigation") Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-08-08T18:03:50+00:00 Borislav Petkov (AMD) bp@alien8.de 2023-07-07T11:53:41+00:00 urn:sha1:c9ae63d773ca182c4ef63fbdd22cdf090d9c1cd7 Upstream commit: d893832d0e1ef41c72cdae444268c1d64a2be8ad Add the option to flush IBPB only on VMEXIT in order to protect from malicious guests but one otherwise trusts the software that runs on the hypervisor. Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-08-08T18:03:50+00:00 Borislav Petkov (AMD) bp@alien8.de 2023-07-06T13:04:35+00:00 urn:sha1:79c8091888ef61aac79ef72122d1e6cd0b620669 Upstream commit: 233d6f68b98d480a7c42ebe78c38f79d44741ca9 Add the option to mitigate using IBPB on a kernel entry. Pull in the Retbleed alternative so that the IBPB call from there can be used. Also, if Retbleed mitigation is done using IBPB, the same mitigation can and must be used here. Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-08-08T18:03:50+00:00 Borislav Petkov (AMD) bp@alien8.de 2023-06-29T15:43:40+00:00 urn:sha1:98f62883e7519011bf63f85381d637f65d7f180e Upstream commit: 1b5277c0ea0b247393a9c426769fde18cff5e2f6 Add support for the CPUID flag which denotes that the CPU is not affected by SRSO. Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-08-08T18:03:50+00:00 Borislav Petkov (AMD) bp@alien8.de 2023-07-18T09:13:40+00:00 urn:sha1:9139f4b6dd4fe1003ba79ab317d1a9f48849b369 Upstream commit: 79113e4060aba744787a81edb9014f2865193854 Add support for the synthetic CPUID flag which "if this bit is 1, it indicates that MSR 49h (PRED_CMD) bit 0 (IBPB) flushes all branch type predictions from the CPU branch predictor." This flag is there so that this capability in guests can be detected easily (otherwise one would have to track microcode revisions which is impossible for guests). It is also needed only for Zen3 and -4. The other two (Zen1 and -2) always flush branch type predictions by default. Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>