September 2025 - Linux-stable-mirror

[PATCH 6.12.y 0/3] Fix a backport of VMSCAPE enumeration fix

by Harshit Mogalapalli

Bug-report: https://lore.kernel.org/all/915c0e00-b92d-4e37-9d4b-0f6a4580da97@oracle.com/ Summary: While backporting commit: 7c62c442b6eb ("x86/vmscape: Enumerate VMSCAPE bug") to 6.12.y --> VULNBL_AMD(0x1a, SRSO | VMSCAPE) was added even when 6.12.y doesn't have commit: 877818802c3e ("x86/bugs: Add SRSO_USER_KERNEL_NO support"). Boris Ostrovsky suggested backporting three commits to 6.12.y: 1. commit: 877818802c3e ("x86/bugs: Add SRSO_USER_KERNEL_NO support") 2. commit: 8442df2b49ed ("x86/bugs: KVM: Add support for SRSO_MSR_FIX") and its fix 3. commit: e3417ab75ab2 ("KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions") -- Maybe optional Which changes current mitigation status on turin for 6.12.48 from Safe RET to Reduced Speculation, leaving it with Safe RET liely causes heavy performance regressions. This three patches together change mitigation status from Safe RET to Reduced Speculation Tested on Turin: [ 3.188134] Speculative Return Stack Overflow: Mitigation: Reduced Speculation Backports: 1. Patch 1 had minor conflict as VMSCAPE commit added VULNBL_AMD(0x1a, SRSO | VMSCAPE), and resolution is to skip that line. 2. Patch 2 and 3 are clean cherry-picks, 3 is a fix for 2. Note: I verified if this problem is also on other stable trees like (6.6 --> 5.10, no they don't have this backport problem) Thanks, Harshit Borislav Petkov (1): x86/bugs: KVM: Add support for SRSO_MSR_FIX Borislav Petkov (AMD) (1): x86/bugs: Add SRSO_USER_KERNEL_NO support Sean Christopherson (1): KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions Documentation/admin-guide/hw-vuln/srso.rst | 13 +++++ arch/x86/include/asm/cpufeatures.h | 5 ++ arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/bugs.c | 28 ++++++++-- arch/x86/kvm/svm/svm.c | 65 ++++++++++++++++++++++ arch/x86/kvm/svm/svm.h | 2 + arch/x86/lib/msr.c | 2 + 7 files changed, 112 insertions(+), 4 deletions(-) -- 2.50.1

1 day, 21 hours

2
4
0 0

[tip: x86/cpu] x86/umip: Check that the instruction opcode is at least two bytes

by tip-bot2 for Sean Christopherson

The following commit has been merged into the x86/cpu branch of tip: Commit-ID: 32278c677947ae2f042c9535674a7fff9a245dd3 Gitweb: https://git.kernel.org/tip/32278c677947ae2f042c9535674a7fff9a245dd3 Author: Sean Christopherson <seanjc(a)google.com> AuthorDate: Fri, 08 Aug 2025 10:23:56 -07:00 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Fri, 19 Sep 2025 20:21:12 +02:00 x86/umip: Check that the instruction opcode is at least two bytes When checking for a potential UMIP violation on #GP, verify the decoder found at least two opcode bytes to avoid false positives when the kernel encounters an unknown instruction that starts with 0f. Because the array of opcode.bytes is zero-initialized by insn_init(), peeking at bytes[1] will misinterpret garbage as a potential SLDT or STR instruction, and can incorrectly trigger emulation. E.g. if a VPALIGNR instruction 62 83 c5 05 0f 08 ff vpalignr xmm17{k5},xmm23,XMMWORD PTR [r8],0xff hits a #GP, the kernel emulates it as STR and squashes the #GP (and corrupts the userspace code stream). Arguably the check should look for exactly two bytes, but no three byte opcodes use '0f 00 xx' or '0f 01 xx' as an escape, i.e. it should be impossible to get a false positive if the first two opcode bytes match '0f 00' or '0f 01'. Go with a more conservative check with respect to the existing code to minimize the chances of breaking userspace, e.g. due to decoder weirdness. Analyzed by Nick Bray <ncbray(a)google.com>. Fixes: 1e5db223696a ("x86/umip: Add emulation code for UMIP instructions") Reported-by: Dan Snyder <dansnyder(a)google.com> Signed-off-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Acked-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Cc: stable(a)vger.kernel.org --- arch/x86/kernel/umip.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/umip.c b/arch/x86/kernel/umip.c index 5a4b213..406ac01 100644 --- a/arch/x86/kernel/umip.c +++ b/arch/x86/kernel/umip.c @@ -156,8 +156,8 @@ static int identify_insn(struct insn *insn) if (!insn->modrm.nbytes) return -EINVAL; - /* All the instructions of interest start with 0x0f. */ - if (insn->opcode.bytes[0] != 0xf) + /* The instructions of interest have 2-byte opcodes: 0F 00 or 0F 01. */ + if (insn->opcode.nbytes < 2 || insn->opcode.bytes[0] != 0xf) return -EINVAL; if (insn->opcode.bytes[1] == 0x1) {

1 day, 21 hours

1
0
0 0

[tip: x86/cpu] x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases)

by tip-bot2 for Sean Christopherson

The following commit has been merged into the x86/cpu branch of tip: Commit-ID: 27b1fd62012dfe9d3eb8ecde344d7aa673695ecf Gitweb: https://git.kernel.org/tip/27b1fd62012dfe9d3eb8ecde344d7aa673695ecf Author: Sean Christopherson <seanjc(a)google.com> AuthorDate: Fri, 08 Aug 2025 10:23:57 -07:00 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Fri, 19 Sep 2025 21:34:48 +02:00 x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases) Filter out the register forms of 0F 01 when determining whether or not to emulate in response to a potential UMIP violation #GP, as SGDT and SIDT only accept memory operands. The register variants of 0F 01 are used to encode instructions for things like VMX and SGX, i.e. not checking the Mod field would cause the kernel to incorrectly emulate on #GP, e.g. due to a CPL violation on VMLAUNCH. Fixes: 1e5db223696a ("x86/umip: Add emulation code for UMIP instructions") Signed-off-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Acked-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Cc: stable(a)vger.kernel.org --- arch/x86/kernel/umip.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/arch/x86/kernel/umip.c b/arch/x86/kernel/umip.c index 406ac01..d432f38 100644 --- a/arch/x86/kernel/umip.c +++ b/arch/x86/kernel/umip.c @@ -163,8 +163,19 @@ static int identify_insn(struct insn *insn) if (insn->opcode.bytes[1] == 0x1) { switch (X86_MODRM_REG(insn->modrm.value)) { case 0: + /* The reg form of 0F 01 /0 encodes VMX instructions. */ + if (X86_MODRM_MOD(insn->modrm.value) == 3) + return -EINVAL; + return UMIP_INST_SGDT; case 1: + /* + * The reg form of 0F 01 /1 encodes MONITOR/MWAIT, + * STAC/CLAC, and ENCLS. + */ + if (X86_MODRM_MOD(insn->modrm.value) == 3) + return -EINVAL; + return UMIP_INST_SIDT; case 4: return UMIP_INST_SMSW;

1 day, 21 hours

1
0
0 0

[PATCH net] net/core : fix KMSAN: uninit value in tipc_rcv

by hariconscious＠gmail.com

From: HariKrishna Sagala <hariconscious(a)gmail.com> Syzbot reported an uninit-value bug on at kmalloc_reserve for commit 320475fbd590 ("Merge tag 'mtd/fixes-for-6.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux")' Syzbot KMSAN reported use of uninitialized memory originating from functions "kmalloc_reserve()", where memory allocated via "kmem_cache_alloc_node()" or "kmalloc_node_track_caller()" was not explicitly initialized. This can lead to undefined behavior when the allocated buffer is later accessed. Fix this by requesting the initialized memory using the gfp flag appended with the option "__GFP_ZERO". Reported-by: syzbot+9a4fbb77c9d4aacd3388(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9a4fbb77c9d4aacd3388 Fixes: 915d975b2ffa ("net: deal with integer overflows in kmalloc_reserve()") Tested-by: syzbot+9a4fbb77c9d4aacd3388(a)syzkaller.appspotmail.com Signed-off-by: HariKrishna Sagala <hariconscious(a)gmail.com> --- net/core/skbuff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index ee0274417948..2308ebf99bbd 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -573,6 +573,7 @@ static void *kmalloc_reserve(unsigned int *size, gfp_t flags, int node, void *obj; obj_size = SKB_HEAD_ALIGN(*size); + flags |= __GFP_ZERO; if (obj_size <= SKB_SMALL_HEAD_CACHE_SIZE && !(flags & KMALLOC_NOT_NORMAL_BITS)) { obj = kmem_cache_alloc_node(net_hotdata.skb_small_head_cache, -- 2.43.0

1 day, 22 hours

3
2
0 0

[PATCH net v3] net: nfc: nci: Add parameter validation for packet data

by Deepak Sharma

Syzbot reported an uninit-value bug at nci_init_req for commit 5aca7966d2a7 ("Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16'..). This bug arises due to very limited and poor input validation that was done at nic_valid_size(). This validation only validates the skb->len (directly reflects size provided at the userspace interface) with the length provided in the buffer itself (interpreted as NCI_HEADER). This leads to the processing of memory content at the address assuming the correct layout per what opcode requires there. This leads to the accesses to buffer of `skb_buff->data` which is not assigned anything yet. Following the same silent drop of packets of invalid sizes at `nic_valid_size()`, add validation of the data in the respective handlers and return error values in case of failure. Release the skb if error values are returned from handlers in `nci_nft_packet` and effectively do a silent drop Possible TODO: because we silently drop the packets, the call to `nci_request` will be waiting for completion of request and will face timeouts. These timeouts can get excessively logged in the dmesg. A proper handling of them may require to export `nci_request_cancel` (or propagate error handling from the nft packets handlers). Reported-by: syzbot+740e04c2a93467a0f8c8(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8 Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation) Tested-by: syzbot+740e04c2a93467a0f8c8(a)syzkaller.appspotmail.com Signed-off-by: Deepak Sharma <deepak.sharma.472935(a)gmail.com> --- v3: - Move the checks inside the packet data handlers - Improvements to the commit message v2: - Fix the release of skb in case of the early return v1: - Add checks in `nci_ntf_packet` on the skb->len and do early return on failure net/nfc/nci/ntf.c | 139 +++++++++++++++++++++++++++++++++------------- 1 file changed, 101 insertions(+), 38 deletions(-) diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c index a818eff27e6b..c0edf8242e22 100644 --- a/net/nfc/nci/ntf.c +++ b/net/nfc/nci/ntf.c @@ -27,11 +27,16 @@ /* Handle NCI Notification packets */ -static void nci_core_reset_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_core_reset_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { /* Handle NCI 2.x core reset notification */ - const struct nci_core_reset_ntf *ntf = (void *)skb->data; + const struct nci_core_reset_ntf *ntf; + + if (skb->len < sizeof(struct nci_core_reset_ntf)) + return -EINVAL; + + ntf = (struct nci_core_reset_ntf *)skb->data; ndev->nci_ver = ntf->nci_ver; pr_debug("nci_ver 0x%x, config_status 0x%x\n", @@ -42,15 +47,22 @@ static void nci_core_reset_ntf_packet(struct nci_dev *ndev, __le32_to_cpu(ntf->manufact_specific_info); nci_req_complete(ndev, NCI_STATUS_OK); + + return 0; } -static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, - struct sk_buff *skb) +static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, + struct sk_buff *skb) { - struct nci_core_conn_credit_ntf *ntf = (void *) skb->data; + struct nci_core_conn_credit_ntf *ntf; struct nci_conn_info *conn_info; int i; + if (skb->len < sizeof(struct nci_core_conn_credit_ntf)) + return -EINVAL; + + ntf = (struct nci_core_conn_credit_ntf *)skb->data; + pr_debug("num_entries %d\n", ntf->num_entries); if (ntf->num_entries > NCI_MAX_NUM_CONN) @@ -68,7 +80,7 @@ static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, conn_info = nci_get_conn_info_by_conn_id(ndev, ntf->conn_entries[i].conn_id); if (!conn_info) - return; + return 0; atomic_add(ntf->conn_entries[i].credits, &conn_info->credits_cnt); @@ -77,12 +89,19 @@ static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, /* trigger the next tx */ if (!skb_queue_empty(&ndev->tx_q)) queue_work(ndev->tx_wq, &ndev->tx_work); + + return 0; } -static void nci_core_generic_error_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_core_generic_error_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { - __u8 status = skb->data[0]; + __u8 status; + + if (skb->len < 1) + return -EINVAL; + + status = skb->data[0]; pr_debug("status 0x%x\n", status); @@ -91,12 +110,19 @@ static void nci_core_generic_error_ntf_packet(struct nci_dev *ndev, (the state remains the same) */ nci_req_complete(ndev, status); } + + return 0; } -static void nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, - struct sk_buff *skb) +static int nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, + struct sk_buff *skb) { - struct nci_core_intf_error_ntf *ntf = (void *) skb->data; + struct nci_core_intf_error_ntf *ntf; + + if (skb->len < sizeof(struct nci_core_intf_error_ntf)) + return -EINVAL; + + ntf = (struct nci_core_intf_error_ntf *)skb->data; ntf->conn_id = nci_conn_id(&ntf->conn_id); @@ -105,6 +131,8 @@ static void nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, /* complete the data exchange transaction, if exists */ if (test_bit(NCI_DATA_EXCHANGE, &ndev->flags)) nci_data_exchange_complete(ndev, NULL, ntf->conn_id, -EIO); + + return 0; } static const __u8 * @@ -329,13 +357,18 @@ void nci_clear_target_list(struct nci_dev *ndev) ndev->n_targets = 0; } -static void nci_rf_discover_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_rf_discover_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { struct nci_rf_discover_ntf ntf; - const __u8 *data = skb->data; + const __u8 *data; bool add_target = true; + if (skb->len < sizeof(struct nci_rf_discover_ntf)) + return -EINVAL; + + data = skb->data; + ntf.rf_discovery_id = *data++; ntf.rf_protocol = *data++; ntf.rf_tech_and_mode = *data++; @@ -390,6 +423,8 @@ static void nci_rf_discover_ntf_packet(struct nci_dev *ndev, nfc_targets_found(ndev->nfc_dev, ndev->targets, ndev->n_targets); } + + return 0; } static int nci_extract_activation_params_iso_dep(struct nci_dev *ndev, @@ -501,7 +536,7 @@ static int nci_store_general_bytes_nfc_dep(struct nci_dev *ndev, case NCI_NFC_A_PASSIVE_POLL_MODE: case NCI_NFC_F_PASSIVE_POLL_MODE: ndev->remote_gb_len = min_t(__u8, - (ntf->activation_params.poll_nfc_dep.atr_res_len + (ntf->activation_params.poll_nfc_dep.atr_res_len - NFC_ATR_RES_GT_OFFSET), NFC_ATR_RES_GB_MAXSIZE); memcpy(ndev->remote_gb, @@ -513,7 +548,7 @@ static int nci_store_general_bytes_nfc_dep(struct nci_dev *ndev, case NCI_NFC_A_PASSIVE_LISTEN_MODE: case NCI_NFC_F_PASSIVE_LISTEN_MODE: ndev->remote_gb_len = min_t(__u8, - (ntf->activation_params.listen_nfc_dep.atr_req_len + (ntf->activation_params.listen_nfc_dep.atr_req_len - NFC_ATR_REQ_GT_OFFSET), NFC_ATR_REQ_GB_MAXSIZE); memcpy(ndev->remote_gb, @@ -553,14 +588,19 @@ static int nci_store_ats_nfc_iso_dep(struct nci_dev *ndev, return NCI_STATUS_OK; } -static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { struct nci_conn_info *conn_info; struct nci_rf_intf_activated_ntf ntf; - const __u8 *data = skb->data; + const __u8 *data; int err = NCI_STATUS_OK; + if (skb->len < sizeof(struct nci_rf_intf_activated_ntf)) + return -EINVAL; + + data = skb->data; + ntf.rf_discovery_id = *data++; ntf.rf_interface = *data++; ntf.rf_protocol = *data++; @@ -667,7 +707,7 @@ static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, if (err == NCI_STATUS_OK) { conn_info = ndev->rf_conn_info; if (!conn_info) - return; + return 0; conn_info->max_pkt_payload_len = ntf.max_data_pkt_payload_size; conn_info->initial_num_credits = ntf.initial_num_credits; @@ -721,19 +761,26 @@ static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, pr_err("error when signaling tm activation\n"); } } + + return 0; } -static void nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { const struct nci_conn_info *conn_info; - const struct nci_rf_deactivate_ntf *ntf = (void *)skb->data; + const struct nci_rf_deactivate_ntf *ntf; + + if (skb->len < sizeof(struct nci_rf_deactivate_ntf)) + return -EINVAL; + + ntf = (struct nci_rf_deactivate_ntf *)skb->data; pr_debug("entry, type 0x%x, reason 0x%x\n", ntf->type, ntf->reason); conn_info = ndev->rf_conn_info; if (!conn_info) - return; + return 0; /* drop tx data queue */ skb_queue_purge(&ndev->tx_q); @@ -765,14 +812,20 @@ static void nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, } nci_req_complete(ndev, NCI_STATUS_OK); + + return 0; } -static void nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { u8 status = NCI_STATUS_OK; - const struct nci_nfcee_discover_ntf *nfcee_ntf = - (struct nci_nfcee_discover_ntf *)skb->data; + const struct nci_nfcee_discover_ntf *nfcee_ntf; + + if (skb->len < sizeof(struct nci_nfcee_discover_ntf)) + return -EINVAL; + + nfcee_ntf = (struct nci_nfcee_discover_ntf *)skb->data; /* NFCForum NCI 9.2.1 HCI Network Specific Handling * If the NFCC supports the HCI Network, it SHALL return one, @@ -783,6 +836,8 @@ static void nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, ndev->cur_params.id = nfcee_ntf->nfcee_id; nci_req_complete(ndev, status); + + return 0; } void nci_ntf_packet(struct nci_dev *ndev, struct sk_buff *skb) @@ -809,35 +864,43 @@ void nci_ntf_packet(struct nci_dev *ndev, struct sk_buff *skb) switch (ntf_opcode) { case NCI_OP_CORE_RESET_NTF: - nci_core_reset_ntf_packet(ndev, skb); + if (nci_core_reset_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_CORE_CONN_CREDITS_NTF: - nci_core_conn_credits_ntf_packet(ndev, skb); + if (nci_core_conn_credits_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_CORE_GENERIC_ERROR_NTF: - nci_core_generic_error_ntf_packet(ndev, skb); + if (nci_core_generic_error_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_CORE_INTF_ERROR_NTF: - nci_core_conn_intf_error_ntf_packet(ndev, skb); + if (nci_core_conn_intf_error_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_DISCOVER_NTF: - nci_rf_discover_ntf_packet(ndev, skb); + if (nci_rf_discover_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_INTF_ACTIVATED_NTF: - nci_rf_intf_activated_ntf_packet(ndev, skb); + if (nci_rf_intf_activated_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_DEACTIVATE_NTF: - nci_rf_deactivate_ntf_packet(ndev, skb); + if (nci_rf_deactivate_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_NFCEE_DISCOVER_NTF: - nci_nfcee_discover_ntf_packet(ndev, skb); + if (nci_nfcee_discover_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_NFCEE_ACTION_NTF: -- 2.51.0

1 day, 22 hours

4
3
0 0

[PATCH net 0/8][pull request] i40e: virtchnl improvements

by Tony Nguyen

Przemek Kitszel says: Improvements hardening PF-VF communication for i40e driver. This patchset targets several issues that can cause undefined behavior or be exploited in some other way. --- IWL: https://lore.kernel.org/intel-wired-lan/20250813104552.61027-1-przemyslaw.k… The following are changes since commit cbf658dd09419f1ef9de11b9604e950bdd5c170b: Merge tag 'net-6.17-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net and are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue 40GbE Lukasz Czapnik (8): i40e: add validation for ring_len param i40e: fix idx validation in i40e_validate_queue_map i40e: fix idx validation in config queues msg i40e: fix input validation logic for action_meta i40e: fix validation of VF state in get resources i40e: add max boundary check for VF filters i40e: add mask to apply valid bits for itr_idx i40e: improve VF MAC filters accounting drivers/net/ethernet/intel/i40e/i40e.h | 3 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 26 ++++- .../ethernet/intel/i40e/i40e_virtchnl_pf.c | 110 ++++++++++-------- .../ethernet/intel/i40e/i40e_virtchnl_pf.h | 3 +- 4 files changed, 90 insertions(+), 52 deletions(-) -- 2.47.1

1 day, 22 hours

1
8
0 0

[PATCH net RESEND] net/core : fix KMSAN: uninit value in tipc_rcv

by hariconscious＠gmail.com

From: HariKrishna Sagala <hariconscious(a)gmail.com> Syzbot reported an uninit-value bug on at kmalloc_reserve for commit 320475fbd590 ("Merge tag 'mtd/fixes-for-6.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux")' Syzbot KMSAN reported use of uninitialized memory originating from functions "kmalloc_reserve()", where memory allocated via "kmem_cache_alloc_node()" or "kmalloc_node_track_caller()" was not explicitly initialized. This can lead to undefined behavior when the allocated buffer is later accessed. Fix this by requesting the initialized memory using the gfp flag appended with the option "__GFP_ZERO". Reported-by: syzbot+9a4fbb77c9d4aacd3388(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9a4fbb77c9d4aacd3388 Fixes: 915d975b2ffa ("net: deal with integer overflows in kmalloc_reserve()") Tested-by: syzbot+9a4fbb77c9d4aacd3388(a)syzkaller.appspotmail.com Cc: <stable(a)vger.kernel.org> # 6.16 Signed-off-by: HariKrishna Sagala <hariconscious(a)gmail.com> --- RESEND: - added Cc stable as suggested from kernel test robot net/core/skbuff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index ee0274417948..2308ebf99bbd 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -573,6 +573,7 @@ static void *kmalloc_reserve(unsigned int *size, gfp_t flags, int node, void *obj; obj_size = SKB_HEAD_ALIGN(*size); + flags |= __GFP_ZERO; if (obj_size <= SKB_SMALL_HEAD_CACHE_SIZE && !(flags & KMALLOC_NOT_NORMAL_BITS)) { obj = kmem_cache_alloc_node(net_hotdata.skb_small_head_cache, -- 2.43.0

1 day, 22 hours

1
0
0 0

[PATCH v2 RESEND] sparc: fix error handling in scan_one_device()

by Ma Ke

Once of_device_register() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. So fix this by calling put_device(), then the name can be freed in kobject_cleanup(). Calling path: of_device_register() -> of_device_add() -> device_add(). As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: cf44bbc26cf1 ("[SPARC]: Beginnings of generic of_device framework.") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - retained kfree() manually due to the lack of a release callback function. --- arch/sparc/kernel/of_device_64.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/sparc/kernel/of_device_64.c b/arch/sparc/kernel/of_device_64.c index f98c2901f335..f53092b07b9e 100644 --- a/arch/sparc/kernel/of_device_64.c +++ b/arch/sparc/kernel/of_device_64.c @@ -677,6 +677,7 @@ static struct platform_device * __init scan_one_device(struct device_node *dp, if (of_device_register(op)) { printk("%pOF: Could not register of device.\n", dp); + put_device(&op->dev); kfree(op); op = NULL; } -- 2.25.1

1 day, 23 hours

2
1
0 0

Mate dar vo vyske dva miliony patstotisic euro.

by Dr Leonard Valentinovic Blavatnik

1 day, 23 hours

1
0
0 0

[bug-report 6.12.y] Probably a problematic stable backport commit: 7c62c442b6eb ("x86/vmscape: Enumerate VMSCAPE bug")

by Harshit Mogalapalli

Hi stable maintainers, While skimming over stable backports for VMSCAPE commits, I found something unusual. This is regarding the 6.12.y commit: 7c62c442b6eb ("x86/vmscape: Enumerate VMSCAPE bug") commit 7c62c442b6eb95d21bc4c5afc12fee721646ebe2 Author: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Date: Thu Aug 14 10:20:42 2025 -0700 x86/vmscape: Enumerate VMSCAPE bug Commit a508cec6e5215a3fbc7e73ae86a5c5602187934d upstream. The VMSCAPE vulnerability may allow a guest to cause Branch Target Injection (BTI) in userspace hypervisors. Kernels (both host and guest) have existing defenses against direct BTI attacks from guests. There are also inter-process BTI mitigations which prevent processes from attacking each other. However, the threat in this case is to a userspace hypervisor within the same process as the attacker. Userspace hypervisors have access to their own sensitive data like disk encryption keys and also typically have access to all guest data. This means guest userspace may use the hypervisor as a confused deputy to attack sensitive guest kernel data. There are no existing mitigations for these attacks. Introduce X86_BUG_VMSCAPE for this vulnerability and set it on affected Intel and AMD CPUs. Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Reviewed-by: Borislav Petkov (AMD) <bp(a)alien8.de> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> So the problem in this commit is this part of the backport: in file: arch/x86/kernel/cpu/common.c VULNBL_AMD(0x15, RETBLEED), VULNBL_AMD(0x16, RETBLEED), - VULNBL_AMD(0x17, RETBLEED | SMT_RSB | SRSO), - VULNBL_HYGON(0x18, RETBLEED | SMT_RSB | SRSO), - VULNBL_AMD(0x19, SRSO | TSA), + VULNBL_AMD(0x17, RETBLEED | SMT_RSB | SRSO | VMSCAPE), + VULNBL_HYGON(0x18, RETBLEED | SMT_RSB | SRSO | VMSCAPE), + VULNBL_AMD(0x19, SRSO | TSA | VMSCAPE), + VULNBL_AMD(0x1a, SRSO | VMSCAPE), + {} Notice the part where VULNBL_AMD(0x1a, SRSO | VMSCAPE) is added, 6.12.y doesn't have commit: 877818802c3e ("x86/bugs: Add SRSO_USER_KERNEL_NO support") so I think we shouldn't be adding VULNBL_AMD(0x1a, SRSO | VMSCAPE) directly. Boris Ostrovsky suggested me to verify this on a Turin machine as this could cause a very big performance regression : and stated if SRSO mitigation status is Safe RET we are likely in a problem, and we are in that situation. # lscpu | grep -E "CPU family" CPU family: 26 Notes: CPU ID 26 -> 0x1a And Turin machine reports the SRSO mitigation status as "Safe RET" # uname -r 6.12.48-master.20250917.el8.rc1.x86_64 # cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow Mitigation: Safe RET Boris Ostrovsky suggested backporting three commits to 6.12.y: 1. commit: 877818802c3e ("x86/bugs: Add SRSO_USER_KERNEL_NO support") 2. commit: 8442df2b49ed ("x86/bugs: KVM: Add support for SRSO_MSR_FIX") and its fix 3. commit: e3417ab75ab2 ("KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions") -- Maybe optional After backporting these three: # uname -r 6.12.48-master.20250919.el8.dev.x86_64 // Note this this is kernel with patches above three applied. # dmesg | grep -C 2 Reduce [ 3.186135] Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl [ 3.187135] Speculative Return Stack Overflow: Reducing speculation to address VM/HV SRSO attack vector. [ 3.188134] Speculative Return Stack Overflow: Mitigation: Reduced Speculation [ 3.189135] VMSCAPE: Mitigation: IBPB before exit to userspace [ 3.191139] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' # cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow Mitigation: Reduced Speculation I can send my backports to stable if this looks good. Thoughts ? Thanks, Harshit

1 day, 23 hours

3
3
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror September 2025