This is the start of the stable review cycle for the 5.15.187 release. There are 160 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Thu, 10 Jul 2025 16:22:09 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.187-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below.
thanks,
greg k-h
------------- Pseudo-Shortlog of commits:
Greg Kroah-Hartman gregkh@linuxfoundation.org Linux 5.15.187-rc1
Borislav Petkov (AMD) bp@alien8.de x86/process: Move the buffer clearing before MONITOR
Borislav Petkov (AMD) bp@alien8.de KVM: SVM: Advertise TSA CPUID bits to guests
Paolo Bonzini pbonzini@redhat.com KVM: x86: add support for CPUID leaf 0x80000021
Borislav Petkov (AMD) bp@alien8.de x86/bugs: Add a Transient Scheduler Attacks mitigation
Borislav Petkov (AMD) bp@alien8.de x86/bugs: Rename MDS machinery to something more generic
Andrei Kuchynski akuchynski@chromium.org usb: typec: displayport: Fix potential deadlock
Kurt Borja kuurtb@gmail.com platform/x86: think-lmi: Create ksets consecutively
Oliver Neukum oneukum@suse.com Logitech C-270 even more broken
Michael J. Ruhl michael.j.ruhl@intel.com i2c/designware: Fix an initialization issue
Peter Chen peter.chen@cixtech.com usb: cdnsp: do not disable slot for disabled slot
Mathias Nyman mathias.nyman@linux.intel.com xhci: dbc: Flush queued requests before stopping dbc
Łukasz Bartosik ukaszb@chromium.org xhci: dbctty: disable ECHO flag by default
Kurt Borja kuurtb@gmail.com platform/x86: dell-wmi-sysman: Fix class device unregistration
Kurt Borja kuurtb@gmail.com platform/x86: think-lmi: Fix class device unregistration
Fushuai Wang wangfushuai@baidu.com dpaa2-eth: fix xdp_rxq_info leak
Ioana Ciornei ioana.ciornei@nxp.com net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats
Radu Bulie radu-andrei.bulie@nxp.com dpaa2-eth: Update SINGLE_STEP register access
Radu Bulie radu-andrei.bulie@nxp.com dpaa2-eth: Update dpni_get_single_step_cfg command
Thomas Fourier fourier.thomas@gmail.com ethernet: atl1: Add missing DMA mapping error checks and count errors
Trond Myklebust trond.myklebust@hammerspace.com NFSv4/flexfiles: Fix handling of NFS level errors in I/O
Maíra Canal mcanal@igalia.com drm/v3d: Disable interrupts before resetting the GPU
Manivannan Sadhasivam mani@kernel.org regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods
Jerome Neanne jneanne@baylibre.com regulator: gpio: Add input_supply support in gpio_regulator_config
Avri Altman avri.altman@sandisk.com mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier
Uladzislau Rezki (Sony) urezki@gmail.com rcu: Return early if callback is not specified
Pablo Martin-Gomez pmartin-gomez@freebox.fr mtd: spinand: fix memory leak of ECC engine conf
Rafael J. Wysocki rafael.j.wysocki@intel.com ACPICA: Refuse to evaluate a method if arguments are missing
Johannes Berg johannes.berg@intel.com wifi: ath6kl: remove WARN on bad firmware input
Johannes Berg johannes.berg@intel.com wifi: mac80211: drop invalid source address OCB frames
Maurizio Lombardi mlombard@redhat.com scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port()
Madhavan Srinivasan maddy@linux.ibm.com powerpc: Fix struct termio related ioctl macros
Johannes Berg johannes.berg@intel.com ata: pata_cs5536: fix build on 32-bit UML
Takashi Iwai tiwai@suse.de ALSA: sb: Force to disable DMAs once when DMA mode is changed
Takashi Iwai tiwai@suse.de ALSA: sb: Don't allow changing the DMA mode during operations
Rob Clark robdclark@chromium.org drm/msm: Fix a fence leak in submit error path
Lion Ackermann nnamrec@gmail.com net/sched: Always pass notifications when child class becomes empty
Thomas Fourier fourier.thomas@gmail.com nui: Fix dma_mapping_error() check
Kohei Enju enjuk@amazon.com rose: fix dangling neighbour pointers in rose_rt_device_down()
Alok Tiwari alok.a.tiwari@oracle.com enic: fix incorrect MTU comparison in enic_change_mtu()
Raju Rangoju Raju.Rangoju@amd.com amd-xgbe: align CL37 AN sequence as per databook
Dan Carpenter dan.carpenter@linaro.org lib: test_objagg: Set error message in check_expect_hints_stats()
Vitaly Lifshits vitaly.lifshits@intel.com igc: disable L1.2 PCI-E link substate to avoid performance issue
Janusz Krzysztofik janusz.krzysztofik@linux.intel.com drm/i915/gt: Fix timeline left held on VMA alloc error
Kurt Borja kuurtb@gmail.com platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks
Dan Carpenter dan.carpenter@linaro.org drm/i915/selftests: Change mock_request() to return error pointers
James Clark james.clark@linaro.org spi: spi-fsl-dspi: Clear completion counter before initiating transfer
Marek Szyprowski m.szyprowski@samsung.com drm/exynos: fimd: Guard display clock control with runtime PM calls
Filipe Manana fdmanana@suse.com btrfs: fix missing error handling when searching for inode refs during log replay
Patrisious Haddad phaddad@nvidia.com RDMA/mlx5: Fix CC counters query for MPV
Bart Van Assche bvanassche@acm.org scsi: ufs: core: Fix spelling of a sysfs attribute name
Thomas Fourier fourier.thomas@gmail.com scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu()
Thomas Fourier fourier.thomas@gmail.com scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database()
Benjamin Coddington bcodding@redhat.com NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN
Kuniyuki Iwashima kuniyu@google.com nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails.
Mark Zhang markzhang@nvidia.com RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert
David Thompson davthompson@nvidia.com platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment
Sergey Senozhatsky senozhatsky@chromium.org mtk-sd: reset host->mrq on prepare_data() error
Masami Hiramatsu (Google) mhiramat@kernel.org mtk-sd: Prevent memory corruption from DMA map failure
Masami Hiramatsu (Google) mhiramat@kernel.org mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data
RD Babiera rdbabiera@google.com usb: typec: altmodes/displayport: do not index invalid pin_assignments
Ulf Hansson ulf.hansson@linaro.org Revert "mmc: sdhci: Disable SD card clock before changing parameters"
Victor Shih victor.shih@genesyslogic.com.tw mmc: sdhci: Add a helper function for dump register in dynamic debug mode
HarshaVardhana S A harshavardhana.sa@broadcom.com vsock/vmci: Clear the vmci transport packet properly when initializing it
Mateusz Jończyk mat.jonczyk@o2.pl rtc: cmos: use spin_lock_irqsave in cmos_interrupt
Geert Uytterhoeven geert+renesas@glider.be ARM: 9354/1: ptrace: Use bitfield helpers
Josef Bacik josef@toxicpanda.com btrfs: don't drop extent_map for free space inode on write error
Dev Jain dev.jain@arm.com arm64: Restrict pagetable teardown to avoid false warning
Brett A C Sheffield (Librecast) bacs@librecast.net Revert "ipv6: save dontfrag in cork"
Nathan Chancellor nathan@kernel.org s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS
Heiko Carstens hca@linux.ibm.com s390/entry: Fix last breaking event handling in case of stack corruption
Ricardo Ribalda ribalda@chromium.org media: uvcvideo: Rollback non processed entities on error
Dexuan Cui decui@microsoft.com PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time
Wentao Liang vulab@iscas.ac.cn drm/amd/display: Add null pointer check for get_first_active_display()
Aradhya Bhatia a-bhatia1@ti.com drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready
Aradhya Bhatia a-bhatia1@ti.com drm/bridge: cdns-dsi: Check return value when getting default PHY config
Aradhya Bhatia a-bhatia1@ti.com drm/bridge: cdns-dsi: Fix connecting to next bridge
Aradhya Bhatia a-bhatia1@ti.com drm/bridge: cdns-dsi: Fix the clock variable for mode_valid()
Jay Cornwall jay.cornwall@amd.com drm/amdkfd: Fix race in GWS queue scheduling
Thomas Zimmermann tzimmermann@suse.de drm/udl: Unregister device before cleaning up on disconnect
Qiu-ji Chen chenqiuji666@gmail.com drm/tegra: Fix a possible null pointer dereference
Thierry Reding treding@nvidia.com drm/tegra: Assign plane type before registration
Qasim Ijaz qasdev00@gmail.com HID: wacom: fix kobject reference count leak
Qasim Ijaz qasdev00@gmail.com HID: wacom: fix memory leak on sysfs attribute creation failure
Qasim Ijaz qasdev00@gmail.com HID: wacom: fix memory leak on kobject creation failure
Mark Harmstone maharmstone@fb.com btrfs: update superblock's device bytes_used when dropping chunk
Heinz Mauelshagen heinzm@redhat.com dm-raid: fix variable in journal device check
Frédéric Danis frederic.danis@collabora.com Bluetooth: L2CAP: Fix L2CAP MTU negotiation
Yao Zi ziyao@disroot.org dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive
Nathan Chancellor nathan@kernel.org staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher()
Jakub Kicinski kuba@kernel.org net: selftests: fix TCP packet checksum
Kuniyuki Iwashima kuniyu@google.com atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister().
Simon Horman horms@kernel.org net: enetc: Correct endianness handling in _enetc_rd_reg64
Tiwei Bie tiwei.btw@antgroup.com um: ubd: Add missing error check in start_io_thread()
Stefano Garzarella sgarzare@redhat.com vsock/uapi: fix linux/vm_sockets.h userspace compilation errors
Kuniyuki Iwashima kuniyu@google.com af_unix: Don't set -ECONNRESET for consumed OOB skb.
Lachlan Hodges lachlan.hodges@morsemicro.com wifi: mac80211: fix beacon interval calculation overflow
Yuan Chen chenyuan@kylinos.cn libbpf: Fix null pointer dereference in btf_dump__free on allocation failure
Al Viro viro@zeniv.linux.org.uk attach_recursive_mnt(): do not lock the covering tree when sliding something under it
Youngjun Lee yjjuny.lee@samsung.com ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()
Eric Dumazet edumazet@google.com atm: clip: prevent NULL deref in clip_push()
Fedor Pchelkin pchelkin@ispras.ru s390/pkey: Prevent overflow in size calculation for memdup_user()
Wolfram Sang wsa+renesas@sang-engineering.com i2c: robotfuzz-osif: disable zero-length read messages
Wolfram Sang wsa+renesas@sang-engineering.com i2c: tiny-usb: disable zero-length read messages
Rong Zhang i@rong.moe platform/x86: ideapad-laptop: use usleep_range() for EC polling
Thomas Zimmermann tzimmermann@suse.de dummycon: Trigger redraw when switching consoles with deferred takeover
Jiri Slaby (SUSE) jirislaby@kernel.org tty: vt: make consw::con_switch() return a bool
Jiri Slaby (SUSE) jirislaby@kernel.org tty: vt: sanitize arguments of consw::con_clear()
Jiri Slaby (SUSE) jirislaby@kernel.org tty: vt: make init parameter of consw::con_init() a bool
Jiri Slaby (SUSE) jirislaby@kernel.org vgacon: remove unneeded forward declarations
Jiri Slaby (SUSE) jirislaby@kernel.org vgacon: switch vgacon_scrolldelta() and vgacon_restore_screen()
Jiri Slaby jirislaby@kernel.org tty/vt: consolemap: rename and document struct uni_pagedir
Daniel Vetter daniel.vetter@ffwll.ch fbcon: delete a few unneeded forward decl
Long Li longli@microsoft.com uio_hv_generic: Align ring size to system page
Saurabh Sengar ssengar@linux.microsoft.com uio_hv_generic: Query the ringbuffer size for device
Saurabh Sengar ssengar@linux.microsoft.com Drivers: hv: vmbus: Add utility function for querying ring size
Vitaly Kuznetsov vkuznets@redhat.com Drivers: hv: Rename 'alloced' to 'allocated'
Murad Masimov m.masimov@mt-integration.ru fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var
Daniel Vetter daniel.vetter@ffwll.ch fbcon: Move console_lock for register/unlink/unregister
Daniel Vetter daniel.vetter@ffwll.ch fbcon: use lock_fb_info in fbcon_open/release
Daniel Vetter daniel.vetter@ffwll.ch fbcon: move more common code into fb_open()
Daniel Vetter daniel.vetter@ffwll.ch fbcon: Extract fbcon_open/release helpers
Daniel Vetter daniel.vetter@ffwll.ch fbcon: Use delayed work for cursor
Chao Yu chao@kernel.org f2fs: don't over-report free space or inodes in statvfs
Krzysztof Kozlowski krzysztof.kozlowski@linaro.org ASoC: codecs: wcd9335: Fix missing free of regulator supplies
Peng Fan peng.fan@nxp.com ASoC: codec: wcd9335: Convert to GPIO descriptors
Krzysztof Kozlowski krzysztof.kozlowski@linaro.org ASoC: codecs: wcd9335: Handle nicer probe deferral and simplify with dev_err_probe()
Matti Vaittinen mazziesaccount@gmail.com regulator: Add devm helpers for get and enable
Douglas Anderson dianders@chromium.org regulator: core: Allow drivers to define their init data as const
Ming Qian ming.qian@oss.nxp.com media: imx-jpeg: Drop the first error frames
Miquel Raynal miquel.raynal@bootlin.com clk: ti: am43xx: Add clkctrl data for am43xx ADC1
Marek Szyprowski m.szyprowski@samsung.com media: omap3isp: use sgtable-based scatterlist wrappers
Dmitry Nikiforov Dm1tryNk@yandex.ru media: davinci: vpif: Fix memory leak in probe error path
Vasiliy Kovalev kovalev@altlinux.org jfs: validate AG parameters in dbMount() to prevent crashes
Dave Kleikamp dave.kleikamp@oracle.com fs/jfs: consolidate sanity checking in dbMount
Kees Cook kees@kernel.org ovl: Check for NULL d_inode() in ovl_dentry_upper()
Dmitry Kandybka d.kandybka@gmail.com ceph: fix possible integer overflow in ceph_zero_objects()
Mario Limonciello mario.limonciello@amd.com ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock
Vijendar Mukunda Vijendar.Mukunda@amd.com ALSA: hda: Add new pci id for AMD GPU display HD audio controller
Cezary Rojewski cezary.rojewski@intel.com ALSA: hda: Ignore unsol events for cards being shut down
Jos Wang joswang@lenovo.com usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode
Robert Hodaszi robert.hodaszi@digi.com usb: cdc-wdm: avoid setting WDM_READ for ZLP-s
Andy Shevchenko andriy.shevchenko@linux.intel.com usb: Add checks for snprintf() calls in usb_alloc_dev()
Chance Yang chance.yang@kneron.us usb: common: usb-conn-gpio: use a unique name for usb connector device
Jakub Lewalski jakub.lewalski@nokia.com tty: serial: uartlite: register uart driver in init
Chen Yufeng chenyufeng@iie.ac.cn usb: potential integer overflow in usbg_make_tpg()
Michael Grzeschik m.grzeschik@pengutronix.de usb: dwc2: also exit clock_gating when stopping udc while suspended
James Clark james.clark@linaro.org coresight: Only check bottom two claim bits
Sami Tolvanen samitolvanen@google.com um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h
Jonathan Cameron Jonathan.Cameron@huawei.com iio: pressure: zpa2326: Use aligned_s64 for the timestamp
Linggang Zeng linggang.zeng@easystack.cn bcache: fix NULL pointer in cache_set_flush()
Yu Kuai yukuai3@huawei.com md/md-bitmap: fix dm-raid max_write_behind setting
Thomas Gessler thomas.gessler@brueckmann-gmbh.de dmaengine: xilinx_dma: Set dma_device directions
Namjae Jeon linkinjeon@kernel.org ksmbd: allow a filename to contain special characters on SMB3.1.1 posix extension
Alexis Czezar Torreno alexisczezar.torreno@analog.com hwmon: (pmbus/max34440) Fix support for max34451
Sven Schwermer sven.schwermer@disruptive-technologies.com leds: multicolor: Fix intensity setting while SW blinking
Krzysztof Kozlowski krzysztof.kozlowski@linaro.org mfd: max14577: Fix wakeup source leaks on device unbind
Peng Fan peng.fan@nxp.com mailbox: Not protect module_put with spin_lock_irqsave
Olga Kornievskaia okorniev@redhat.com NFSv4.2: fix listxattr to return selinux security label
Han Young hanyang.tony@bytedance.com NFSv4: Always set NLINK even if the server doesn't support it
Pali Rohár pali@kernel.org cifs: Fix cifs_query_path_info() for Windows NT servers
-------------
Diffstat:
Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + Documentation/ABI/testing/sysfs-driver-ufs | 2 +- .../hw-vuln/processor_mmio_stale_data.rst | 4 +- Documentation/admin-guide/kernel-parameters.txt | 13 + Documentation/devicetree/bindings/serial/8250.yaml | 2 +- Makefile | 4 +- arch/arm/include/asm/ptrace.h | 5 +- arch/arm64/mm/mmu.c | 3 +- arch/powerpc/include/uapi/asm/ioctls.h | 8 +- arch/s390/Makefile | 2 +- arch/s390/kernel/entry.S | 2 +- arch/s390/purgatory/Makefile | 2 +- arch/um/drivers/ubd_user.c | 2 +- arch/um/include/asm/asm-prototypes.h | 5 + arch/x86/Kconfig | 9 + arch/x86/entry/entry.S | 8 +- arch/x86/include/asm/cpu.h | 13 + arch/x86/include/asm/cpufeatures.h | 6 + arch/x86/include/asm/irqflags.h | 4 +- arch/x86/include/asm/mwait.h | 19 +- arch/x86/include/asm/nospec-branch.h | 39 ++- arch/x86/kernel/cpu/amd.c | 58 ++++ arch/x86/kernel/cpu/bugs.c | 133 +++++++- arch/x86/kernel/cpu/common.c | 14 +- arch/x86/kernel/cpu/scattered.c | 2 + arch/x86/kernel/process.c | 15 +- arch/x86/kvm/cpuid.c | 25 +- arch/x86/kvm/reverse_cpuid.h | 8 + arch/x86/kvm/svm/vmenter.S | 6 + arch/x86/kvm/vmx/vmx.c | 2 +- arch/x86/um/asm/checksum.h | 3 + drivers/acpi/acpica/dsmethod.c | 7 + drivers/ata/pata_cs5536.c | 2 +- drivers/base/cpu.c | 2 + drivers/clk/ti/clk-43xx.c | 1 + drivers/dma/xilinx/xilinx_dma.c | 2 + drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 2 +- .../gpu/drm/amd/display/modules/hdcp/hdcp_psp.c | 3 + drivers/gpu/drm/bridge/cdns-dsi.c | 27 +- drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 + drivers/gpu/drm/i915/gt/intel_ring_submission.c | 3 +- drivers/gpu/drm/i915/selftests/i915_request.c | 20 +- drivers/gpu/drm/i915/selftests/mock_request.c | 2 +- drivers/gpu/drm/msm/msm_gem_submit.c | 9 + drivers/gpu/drm/tegra/dc.c | 17 +- drivers/gpu/drm/tegra/hub.c | 4 +- drivers/gpu/drm/tegra/hub.h | 3 +- drivers/gpu/drm/udl/udl_drv.c | 2 +- drivers/gpu/drm/v3d/v3d_drv.h | 8 + drivers/gpu/drm/v3d/v3d_gem.c | 2 + drivers/gpu/drm/v3d/v3d_irq.c | 39 ++- drivers/hid/wacom_sys.c | 6 +- drivers/hv/channel_mgmt.c | 33 +- drivers/hv/hyperv_vmbus.h | 19 +- drivers/hv/vmbus_drv.c | 2 +- drivers/hwmon/pmbus/max34440.c | 48 ++- drivers/hwtracing/coresight/coresight-core.c | 3 +- drivers/hwtracing/coresight/coresight-priv.h | 1 + drivers/i2c/busses/i2c-designware-master.c | 1 + drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 + drivers/i2c/busses/i2c-tiny-usb.c | 6 + drivers/iio/pressure/zpa2326.c | 2 +- drivers/infiniband/hw/mlx5/counters.c | 2 +- drivers/infiniband/hw/mlx5/devx.c | 2 +- drivers/leds/led-class-multicolor.c | 3 +- drivers/mailbox/mailbox.c | 2 +- drivers/md/bcache/super.c | 7 +- drivers/md/dm-raid.c | 2 +- drivers/md/md-bitmap.c | 2 +- drivers/media/platform/davinci/vpif.c | 4 +- drivers/media/platform/imx-jpeg/mxc-jpeg.c | 12 +- drivers/media/platform/omap3isp/ispccdc.c | 8 +- drivers/media/platform/omap3isp/ispstat.c | 6 +- drivers/media/usb/uvc/uvc_ctrl.c | 42 ++- drivers/mfd/max14577.c | 1 + drivers/mmc/core/quirks.h | 16 +- drivers/mmc/host/mtk-sd.c | 21 +- drivers/mmc/host/sdhci.c | 9 +- drivers/mmc/host/sdhci.h | 16 + drivers/mtd/nand/spi/core.c | 1 + drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 9 + drivers/net/ethernet/amd/xgbe/xgbe.h | 4 +- drivers/net/ethernet/atheros/atlx/atl1.c | 78 +++-- drivers/net/ethernet/cisco/enic/enic_main.c | 4 +- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 115 ++++++- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h | 14 +- .../net/ethernet/freescale/dpaa2/dpaa2-ethtool.c | 18 +- drivers/net/ethernet/freescale/dpaa2/dpni-cmd.h | 6 +- drivers/net/ethernet/freescale/dpaa2/dpni.c | 2 + drivers/net/ethernet/freescale/dpaa2/dpni.h | 6 + drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 +- drivers/net/ethernet/intel/igc/igc_main.c | 10 + drivers/net/ethernet/sun/niu.c | 31 +- drivers/net/ethernet/sun/niu.h | 4 + drivers/net/wireless/ath/ath6kl/bmi.c | 4 +- drivers/pci/controller/pci-hyperv.c | 17 +- drivers/platform/mellanox/mlxbf-tmfifo.c | 3 +- .../x86/dell/dell-wmi-sysman/dell-wmi-sysman.h | 5 + .../x86/dell/dell-wmi-sysman/enum-attributes.c | 5 +- .../x86/dell/dell-wmi-sysman/int-attributes.c | 5 +- .../x86/dell/dell-wmi-sysman/passobj-attributes.c | 5 +- .../x86/dell/dell-wmi-sysman/string-attributes.c | 5 +- drivers/platform/x86/dell/dell-wmi-sysman/sysman.c | 12 +- drivers/platform/x86/ideapad-laptop.c | 19 +- drivers/platform/x86/think-lmi.c | 18 +- drivers/regulator/devres.c | 192 ++++++++++++ drivers/regulator/gpio-regulator.c | 19 +- drivers/rtc/rtc-cmos.c | 10 +- drivers/s390/crypto/pkey_api.c | 2 +- drivers/scsi/qla2xxx/qla_mbx.c | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 2 + drivers/scsi/ufs/ufs-sysfs.c | 4 +- drivers/spi/spi-fsl-dspi.c | 11 +- drivers/staging/rtl8723bs/core/rtw_security.c | 44 +-- drivers/target/target_core_pr.c | 4 +- drivers/tty/serial/uartlite.c | 25 +- drivers/tty/vt/consolemap.c | 47 +-- drivers/tty/vt/vt.c | 12 +- drivers/uio/uio_hv_generic.c | 10 +- drivers/usb/cdns3/cdnsp-ring.c | 4 +- drivers/usb/class/cdc-wdm.c | 23 +- drivers/usb/common/usb-conn-gpio.c | 25 +- drivers/usb/core/quirks.c | 3 +- drivers/usb/core/usb.c | 14 +- drivers/usb/dwc2/gadget.c | 6 + drivers/usb/gadget/function/f_tcm.c | 4 +- drivers/usb/host/xhci-dbgcap.c | 4 + drivers/usb/host/xhci-dbgtty.c | 1 + drivers/usb/typec/altmodes/displayport.c | 5 +- drivers/video/console/dummycon.c | 24 +- drivers/video/console/mdacon.c | 21 +- drivers/video/console/newport_con.c | 12 +- drivers/video/console/sticon.c | 14 +- drivers/video/console/vgacon.c | 38 +-- drivers/video/fbdev/core/fbcon.c | 336 ++++++++++----------- drivers/video/fbdev/core/fbcon.h | 4 +- drivers/video/fbdev/core/fbmem.c | 43 +-- fs/btrfs/inode.c | 19 +- fs/btrfs/tree-log.c | 4 +- fs/btrfs/volumes.c | 6 + fs/ceph/file.c | 2 +- fs/cifs/misc.c | 8 + fs/f2fs/super.c | 30 +- fs/jfs/jfs_dmap.c | 41 +-- fs/ksmbd/smb2pdu.c | 53 ++-- fs/namespace.c | 8 +- fs/nfs/flexfilelayout/flexfilelayout.c | 121 +++++--- fs/nfs/inode.c | 19 +- fs/nfs/nfs4proc.c | 12 +- fs/nfs/pnfs.c | 4 +- fs/overlayfs/util.c | 4 +- include/dt-bindings/clock/am4.h | 1 + include/linux/console.h | 13 +- include/linux/console_struct.h | 6 +- include/linux/cpu.h | 1 + include/linux/hyperv.h | 2 + include/linux/ipv6.h | 1 - include/linux/regulator/consumer.h | 31 ++ include/linux/regulator/gpio-regulator.h | 2 + include/linux/usb/typec_dp.h | 1 + include/uapi/linux/vm_sockets.h | 4 + kernel/rcu/tree.c | 4 + lib/test_objagg.c | 4 +- net/atm/clip.c | 11 +- net/atm/resources.c | 3 +- net/bluetooth/l2cap_core.c | 9 +- net/core/selftests.c | 5 +- net/ipv6/ip6_output.c | 9 +- net/mac80211/rx.c | 4 + net/mac80211/util.c | 2 +- net/rose/rose_route.c | 15 +- net/sched/sch_api.c | 19 +- net/unix/af_unix.c | 18 +- net/vmw_vsock/vmci_transport.c | 4 +- sound/isa/sb/sb16_main.c | 7 + sound/pci/hda/hda_bind.c | 2 +- sound/pci/hda/hda_intel.c | 3 + sound/soc/codecs/wcd9335.c | 62 ++-- sound/usb/quirks.c | 2 + sound/usb/stream.c | 2 + tools/lib/bpf/btf_dump.c | 3 + 182 files changed, 1971 insertions(+), 847 deletions(-)
On 7/8/25 09:20, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 5.15.187 release. There are 160 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Thu, 10 Jul 2025 16:22:09 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.187-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below.
thanks,
greg k-h
The ARM 32-bit kernel fails to build with:
/local/users/fainelli/buildroot/output/arm/host/bin/arm-linux-ld: drivers/base/cpu.o: in function `.LANCHOR2': cpu.c:(.data+0xbc): undefined reference to `cpu_show_tsa' host-make[2]: *** [Makefile:1246: vmlinux] Error 1
This is caused by:
commit 5799df885785024821d09c334612c00992aa4c4b Author: Borislav Petkov (AMD) bp@alien8.de Date: Wed Sep 11 10:53:08 2024 +0200
x86/bugs: Add a Transient Scheduler Attacks mitigation
Commit d8010d4ba43e9f790925375a7de100604a5e2dba upstream.
Add the required features detection glue to bugs.c et all in order to support the TSA mitigation.
Co-developed-by: Kim Phillips kim.phillips@amd.com Signed-off-by: Kim Phillips kim.phillips@amd.com Signed-off-by: Borislav Petkov (AMD) bp@alien8.de Reviewed-by: Pawan Gupta pawan.kumar.gupta@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
I don't see this in Linus' tree but it's not clear yet why that is not happening there.
On Tue, Jul 08, 2025 at 10:20:01AM -0700, Florian Fainelli wrote:
The ARM 32-bit kernel fails to build with:
Can you give .config pls?
On 7/8/25 10:23, Borislav Petkov wrote:
On Tue, Jul 08, 2025 at 10:20:01AM -0700, Florian Fainelli wrote:
The ARM 32-bit kernel fails to build with:
Can you give .config pls?
Sure, here it is:
https://gist.github.com/ffainelli/2319e6857247796f0a9bd99c5fe6e211
FWIW, I also have the same build failure on 6.1.
On Tue, Jul 08, 2025 at 10:26:56AM -0700, Florian Fainelli wrote:
On 7/8/25 10:23, Borislav Petkov wrote:
On Tue, Jul 08, 2025 at 10:20:01AM -0700, Florian Fainelli wrote:
The ARM 32-bit kernel fails to build with:
Can you give .config pls?
Sure, here it is:
https://gist.github.com/ffainelli/2319e6857247796f0a9bd99c5fe6e211
FWIW, I also have the same build failure on 6.1.
Right, it needs the __weak functions - this is solved differently on newer kernels. Lemme send updated patches.
---
diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c index 2c8e98532310..0e7f7f54665d 100644 --- a/drivers/base/cpu.c +++ b/drivers/base/cpu.c @@ -601,6 +601,11 @@ ssize_t __weak cpu_show_indirect_target_selection(struct device *dev, return sysfs_emit(buf, "Not affected\n"); }
+ssize_t __weak cpu_show_tsa(struct device *dev, struct device_attribute *attr, char *buf) +{ + return sysfs_emit(buf, "Not affected\n"); +} + static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL); static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL); static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
On Tue, Jul 08, 2025 at 07:45:09PM +0200, Borislav Petkov wrote:
Right, it needs the __weak functions - this is solved differently on newer kernels. Lemme send updated patches.
Greg, here's an updated 5.15 patch:
From: "Borislav Petkov (AMD)" bp@alien8.de Date: Wed, 11 Sep 2024 10:53:08 +0200 Subject: [PATCH] x86/bugs: Add a Transient Scheduler Attacks mitigation
Commit d8010d4ba43e9f790925375a7de100604a5e2dba upstream.
Add the required features detection glue to bugs.c et all in order to support the TSA mitigation.
Co-developed-by: Kim Phillips kim.phillips@amd.com Signed-off-by: Kim Phillips kim.phillips@amd.com Signed-off-by: Borislav Petkov (AMD) bp@alien8.de Reviewed-by: Pawan Gupta pawan.kumar.gupta@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- .../ABI/testing/sysfs-devices-system-cpu | 1 + .../admin-guide/kernel-parameters.txt | 13 ++ arch/x86/Kconfig | 9 ++ arch/x86/include/asm/cpu.h | 13 ++ arch/x86/include/asm/cpufeatures.h | 6 + arch/x86/include/asm/mwait.h | 2 +- arch/x86/include/asm/nospec-branch.h | 12 +- arch/x86/kernel/cpu/amd.c | 58 +++++++++ arch/x86/kernel/cpu/bugs.c | 121 ++++++++++++++++++ arch/x86/kernel/cpu/common.c | 14 +- arch/x86/kernel/cpu/scattered.c | 2 + arch/x86/kvm/svm/vmenter.S | 6 + drivers/base/cpu.c | 7 + include/linux/cpu.h | 1 + 14 files changed, 260 insertions(+), 5 deletions(-)
diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu index 1d657a6b1b53..0301ac606cdd 100644 --- a/Documentation/ABI/testing/sysfs-devices-system-cpu +++ b/Documentation/ABI/testing/sysfs-devices-system-cpu @@ -524,6 +524,7 @@ What: /sys/devices/system/cpu/vulnerabilities /sys/devices/system/cpu/vulnerabilities/spectre_v1 /sys/devices/system/cpu/vulnerabilities/spectre_v2 /sys/devices/system/cpu/vulnerabilities/srbds + /sys/devices/system/cpu/vulnerabilities/tsa /sys/devices/system/cpu/vulnerabilities/tsx_async_abort Date: January 2018 Contact: Linux kernel mailing list linux-kernel@vger.kernel.org diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index e5e7fddc962f..f12ba5c12b91 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -5990,6 +5990,19 @@ If not specified, "default" is used. In this case, the RNG's choice is left to each individual trust source.
+ tsa= [X86] Control mitigation for Transient Scheduler + Attacks on AMD CPUs. Search the following in your + favourite search engine for more details: + + "Technical guidance for mitigating transient scheduler + attacks". + + off - disable the mitigation + on - enable the mitigation (default) + user - mitigate only user/kernel transitions + vm - mitigate only guest/host transitions + + tsc= Disable clocksource stability checks for TSC. Format: <string> [x86] reliable: mark tsc clocksource as reliable, this diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 026a5714f78f..4eca434fd80b 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2528,6 +2528,15 @@ config MITIGATION_ITS disabled, mitigation cannot be enabled via cmdline. See file:Documentation/admin-guide/hw-vuln/indirect-target-selection.rst
+config MITIGATION_TSA + bool "Mitigate Transient Scheduler Attacks" + depends on CPU_SUP_AMD + default y + help + Enable mitigation for Transient Scheduler Attacks. TSA is a hardware + security vulnerability on AMD CPUs which can lead to forwarding of + invalid info to subsequent instructions and thus can affect their + timing and thereby cause a leakage. endif
config ARCH_HAS_ADD_PAGES diff --git a/arch/x86/include/asm/cpu.h b/arch/x86/include/asm/cpu.h index 33d41e350c79..5a7491f968cd 100644 --- a/arch/x86/include/asm/cpu.h +++ b/arch/x86/include/asm/cpu.h @@ -72,4 +72,17 @@ void init_ia32_feat_ctl(struct cpuinfo_x86 *c); #else static inline void init_ia32_feat_ctl(struct cpuinfo_x86 *c) {} #endif + +union zen_patch_rev { + struct { + __u32 rev : 8, + stepping : 4, + model : 4, + __reserved : 4, + ext_model : 4, + ext_fam : 8; + }; + __u32 ucode_rev; +}; + #endif /* _ASM_X86_CPU_H */ diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h index e2bf1cba02cd..63b84540cfb3 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -419,6 +419,7 @@ #define X86_FEATURE_SME_COHERENT (19*32+10) /* "" AMD hardware-enforced cache coherency */
#define X86_FEATURE_AUTOIBRS (20*32+ 8) /* "" Automatic IBRS */ +#define X86_FEATURE_VERW_CLEAR (20*32+ 10) /* "" The memory form of VERW mitigates TSA */ #define X86_FEATURE_SBPB (20*32+27) /* "" Selective Branch Prediction Barrier */ #define X86_FEATURE_IBPB_BRTYPE (20*32+28) /* "" MSR_PRED_CMD[IBPB] flushes all branch type predictions */ #define X86_FEATURE_SRSO_NO (20*32+29) /* "" CPU is not affected by SRSO */ @@ -435,6 +436,10 @@ #define X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT (21*32+ 4) /* "" Clear branch history at vmexit using SW loop */ #define X86_FEATURE_INDIRECT_THUNK_ITS (21*32 + 5) /* "" Use thunk for indirect branches in lower half of cacheline */
+#define X86_FEATURE_TSA_SQ_NO (21*32+11) /* "" AMD CPU not vulnerable to TSA-SQ */ +#define X86_FEATURE_TSA_L1_NO (21*32+12) /* "" AMD CPU not vulnerable to TSA-L1 */ +#define X86_FEATURE_CLEAR_CPU_BUF_VM (21*32+13) /* "" Clear CPU buffers using VERW before VMRUN */ + /* * BUG word(s) */ @@ -486,4 +491,5 @@ #define X86_BUG_IBPB_NO_RET X86_BUG(1*32 + 4) /* "ibpb_no_ret" IBPB omits return target predictions */ #define X86_BUG_ITS X86_BUG(1*32 + 5) /* CPU is affected by Indirect Target Selection */ #define X86_BUG_ITS_NATIVE_ONLY X86_BUG(1*32 + 6) /* CPU is affected by ITS, VMX is not affected */ +#define X86_BUG_TSA X86_BUG(1*32+ 9) /* "tsa" CPU is affected by Transient Scheduler Attacks */ #endif /* _ASM_X86_CPUFEATURES_H */ diff --git a/arch/x86/include/asm/mwait.h b/arch/x86/include/asm/mwait.h index 35e20e8a7cc6..20b33e6370c3 100644 --- a/arch/x86/include/asm/mwait.h +++ b/arch/x86/include/asm/mwait.h @@ -79,7 +79,7 @@ static inline void __mwait(unsigned long eax, unsigned long ecx) static inline void __mwaitx(unsigned long eax, unsigned long ebx, unsigned long ecx) { - /* No MDS buffer clear as this is AMD/HYGON only */ + /* No need for TSA buffer clearing on AMD */
/* "mwaitx %eax, %ebx, %ecx;" */ asm volatile(".byte 0x0f, 0x01, 0xfb;" diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h index f651b0a1f5e2..b62ce153a3c4 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -208,8 +208,8 @@ * CFLAGS.ZF. * Note: Only the memory operand variant of VERW clears the CPU buffers. */ -.macro CLEAR_CPU_BUFFERS - ALTERNATIVE "jmp .Lskip_verw_@", "", X86_FEATURE_CLEAR_CPU_BUF +.macro __CLEAR_CPU_BUFFERS feature + ALTERNATIVE "jmp .Lskip_verw_@", "", \feature #ifdef CONFIG_X86_64 verw x86_verw_sel(%rip) #else @@ -223,6 +223,12 @@ .Lskip_verw_@: .endm
+#define CLEAR_CPU_BUFFERS \ + __CLEAR_CPU_BUFFERS X86_FEATURE_CLEAR_CPU_BUF + +#define VM_CLEAR_CPU_BUFFERS \ + __CLEAR_CPU_BUFFERS X86_FEATURE_CLEAR_CPU_BUF_VM + #ifdef CONFIG_X86_64 .macro CLEAR_BRANCH_HISTORY ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP @@ -464,7 +470,7 @@ static __always_inline void x86_clear_cpu_buffers(void)
/** * x86_idle_clear_cpu_buffers - Buffer clearing support in idle for the MDS - * vulnerability + * and TSA vulnerabilities. * * Clear CPU buffers if the corresponding static key is enabled */ diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c index a8dc7fe5f100..d409ba7fba85 100644 --- a/arch/x86/kernel/cpu/amd.c +++ b/arch/x86/kernel/cpu/amd.c @@ -582,6 +582,61 @@ static void early_init_amd_mc(struct cpuinfo_x86 *c) #endif }
+static bool amd_check_tsa_microcode(void) +{ + struct cpuinfo_x86 *c = &boot_cpu_data; + union zen_patch_rev p; + u32 min_rev = 0; + + p.ext_fam = c->x86 - 0xf; + p.model = c->x86_model; + p.stepping = c->x86_stepping; + + if (c->x86 == 0x19) { + switch (p.ucode_rev >> 8) { + case 0xa0011: min_rev = 0x0a0011d7; break; + case 0xa0012: min_rev = 0x0a00123b; break; + case 0xa0082: min_rev = 0x0a00820d; break; + case 0xa1011: min_rev = 0x0a10114c; break; + case 0xa1012: min_rev = 0x0a10124c; break; + case 0xa1081: min_rev = 0x0a108109; break; + case 0xa2010: min_rev = 0x0a20102e; break; + case 0xa2012: min_rev = 0x0a201211; break; + case 0xa4041: min_rev = 0x0a404108; break; + case 0xa5000: min_rev = 0x0a500012; break; + case 0xa6012: min_rev = 0x0a60120a; break; + case 0xa7041: min_rev = 0x0a704108; break; + case 0xa7052: min_rev = 0x0a705208; break; + case 0xa7080: min_rev = 0x0a708008; break; + case 0xa70c0: min_rev = 0x0a70c008; break; + case 0xaa002: min_rev = 0x0aa00216; break; + default: + pr_debug("%s: ucode_rev: 0x%x, current revision: 0x%x\n", + __func__, p.ucode_rev, c->microcode); + return false; + } + } + + if (!min_rev) + return false; + + return c->microcode >= min_rev; +} + +static void tsa_init(struct cpuinfo_x86 *c) +{ + if (cpu_has(c, X86_FEATURE_HYPERVISOR)) + return; + + if (c->x86 == 0x19) { + if (amd_check_tsa_microcode()) + setup_force_cpu_cap(X86_FEATURE_VERW_CLEAR); + } else { + setup_force_cpu_cap(X86_FEATURE_TSA_SQ_NO); + setup_force_cpu_cap(X86_FEATURE_TSA_L1_NO); + } +} + static void bsp_init_amd(struct cpuinfo_x86 *c) { if (cpu_has(c, X86_FEATURE_CONSTANT_TSC)) { @@ -687,6 +742,9 @@ static void early_detect_mem_encrypt(struct cpuinfo_x86 *c) if (!(msr & MSR_K7_HWCR_SMMLOCK)) goto clear_sev;
+ + tsa_init(c); + return;
clear_all: diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 9d84a82dcdc9..261aa716971d 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -49,6 +49,7 @@ static void __init l1d_flush_select_mitigation(void); static void __init gds_select_mitigation(void); static void __init srso_select_mitigation(void); static void __init its_select_mitigation(void); +static void __init tsa_select_mitigation(void);
/* The base value of the SPEC_CTRL MSR without task-specific bits set */ u64 x86_spec_ctrl_base; @@ -184,6 +185,7 @@ void __init cpu_select_mitigations(void) srso_select_mitigation(); gds_select_mitigation(); its_select_mitigation(); + tsa_select_mitigation(); }
/* @@ -2039,6 +2041,94 @@ static void update_mds_branch_idle(void) #define TAA_MSG_SMT "TAA CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.h... for more details.\n" #define MMIO_MSG_SMT "MMIO Stale Data CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_st... for more details.\n"
+#undef pr_fmt +#define pr_fmt(fmt) "Transient Scheduler Attacks: " fmt + +enum tsa_mitigations { + TSA_MITIGATION_NONE, + TSA_MITIGATION_UCODE_NEEDED, + TSA_MITIGATION_USER_KERNEL, + TSA_MITIGATION_VM, + TSA_MITIGATION_FULL, +}; + +static const char * const tsa_strings[] = { + [TSA_MITIGATION_NONE] = "Vulnerable", + [TSA_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode", + [TSA_MITIGATION_USER_KERNEL] = "Mitigation: Clear CPU buffers: user/kernel boundary", + [TSA_MITIGATION_VM] = "Mitigation: Clear CPU buffers: VM", + [TSA_MITIGATION_FULL] = "Mitigation: Clear CPU buffers", +}; + +static enum tsa_mitigations tsa_mitigation __ro_after_init = + IS_ENABLED(CONFIG_MITIGATION_TSA) ? TSA_MITIGATION_FULL : TSA_MITIGATION_NONE; + +static int __init tsa_parse_cmdline(char *str) +{ + if (!str) + return -EINVAL; + + if (!strcmp(str, "off")) + tsa_mitigation = TSA_MITIGATION_NONE; + else if (!strcmp(str, "on")) + tsa_mitigation = TSA_MITIGATION_FULL; + else if (!strcmp(str, "user")) + tsa_mitigation = TSA_MITIGATION_USER_KERNEL; + else if (!strcmp(str, "vm")) + tsa_mitigation = TSA_MITIGATION_VM; + else + pr_err("Ignoring unknown tsa=%s option.\n", str); + + return 0; +} +early_param("tsa", tsa_parse_cmdline); + +static void __init tsa_select_mitigation(void) +{ + if (tsa_mitigation == TSA_MITIGATION_NONE) + return; + + if (cpu_mitigations_off() || !boot_cpu_has_bug(X86_BUG_TSA)) { + tsa_mitigation = TSA_MITIGATION_NONE; + return; + } + + if (!boot_cpu_has(X86_FEATURE_VERW_CLEAR)) + tsa_mitigation = TSA_MITIGATION_UCODE_NEEDED; + + switch (tsa_mitigation) { + case TSA_MITIGATION_USER_KERNEL: + setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF); + break; + + case TSA_MITIGATION_VM: + setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF_VM); + break; + + case TSA_MITIGATION_UCODE_NEEDED: + if (!boot_cpu_has(X86_FEATURE_HYPERVISOR)) + goto out; + + pr_notice("Forcing mitigation on in a VM\n"); + + /* + * On the off-chance that microcode has been updated + * on the host, enable the mitigation in the guest just + * in case. + */ + fallthrough; + case TSA_MITIGATION_FULL: + setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF); + setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF_VM); + break; + default: + break; + } + +out: + pr_info("%s\n", tsa_strings[tsa_mitigation]); +} + void cpu_bugs_smt_update(void) { mutex_lock(&spec_ctrl_mutex); @@ -2092,6 +2182,24 @@ void cpu_bugs_smt_update(void) break; }
+ switch (tsa_mitigation) { + case TSA_MITIGATION_USER_KERNEL: + case TSA_MITIGATION_VM: + case TSA_MITIGATION_FULL: + case TSA_MITIGATION_UCODE_NEEDED: + /* + * TSA-SQ can potentially lead to info leakage between + * SMT threads. + */ + if (sched_smt_active()) + static_branch_enable(&cpu_buf_idle_clear); + else + static_branch_disable(&cpu_buf_idle_clear); + break; + case TSA_MITIGATION_NONE: + break; + } + mutex_unlock(&spec_ctrl_mutex); }
@@ -3026,6 +3134,11 @@ static ssize_t srso_show_state(char *buf) boot_cpu_has(X86_FEATURE_IBPB_BRTYPE) ? "" : ", no microcode"); }
+static ssize_t tsa_show_state(char *buf) +{ + return sysfs_emit(buf, "%s\n", tsa_strings[tsa_mitigation]); +} + static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, char *buf, unsigned int bug) { @@ -3087,6 +3200,9 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr case X86_BUG_ITS: return its_show_state(buf);
+ case X86_BUG_TSA: + return tsa_show_state(buf); + default: break; } @@ -3171,4 +3287,9 @@ ssize_t cpu_show_indirect_target_selection(struct device *dev, struct device_att { return cpu_show_common(dev, attr, buf, X86_BUG_ITS); } + +ssize_t cpu_show_tsa(struct device *dev, struct device_attribute *attr, char *buf) +{ + return cpu_show_common(dev, attr, buf, X86_BUG_TSA); +} #endif diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 8db11483e1e1..b16a77386236 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -1146,6 +1146,8 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = { #define ITS BIT(8) /* CPU is affected by Indirect Target Selection, but guest-host isolation is not affected */ #define ITS_NATIVE_ONLY BIT(9) +/* CPU is affected by Transient Scheduler Attacks */ +#define TSA BIT(10)
static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = { VULNBL_INTEL_STEPPINGS(IVYBRIDGE, X86_STEPPING_ANY, SRBDS), @@ -1193,7 +1195,7 @@ static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = { VULNBL_AMD(0x16, RETBLEED), VULNBL_AMD(0x17, RETBLEED | SMT_RSB | SRSO), VULNBL_HYGON(0x18, RETBLEED | SMT_RSB | SRSO), - VULNBL_AMD(0x19, SRSO), + VULNBL_AMD(0x19, SRSO | TSA), {} };
@@ -1398,6 +1400,16 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) setup_force_cpu_bug(X86_BUG_ITS_NATIVE_ONLY); }
+ if (c->x86_vendor == X86_VENDOR_AMD) { + if (!cpu_has(c, X86_FEATURE_TSA_SQ_NO) || + !cpu_has(c, X86_FEATURE_TSA_L1_NO)) { + if (cpu_matches(cpu_vuln_blacklist, TSA) || + /* Enable bug on Zen guests to allow for live migration. */ + (cpu_has(c, X86_FEATURE_HYPERVISOR) && cpu_has(c, X86_FEATURE_ZEN))) + setup_force_cpu_bug(X86_BUG_TSA); + } + } + if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN)) return;
diff --git a/arch/x86/kernel/cpu/scattered.c b/arch/x86/kernel/cpu/scattered.c index 0f5211087810..dfcd3ed94c1c 100644 --- a/arch/x86/kernel/cpu/scattered.c +++ b/arch/x86/kernel/cpu/scattered.c @@ -44,6 +44,8 @@ static const struct cpuid_bit cpuid_bits[] = { { X86_FEATURE_CPB, CPUID_EDX, 9, 0x80000007, 0 }, { X86_FEATURE_PROC_FEEDBACK, CPUID_EDX, 11, 0x80000007, 0 }, { X86_FEATURE_MBA, CPUID_EBX, 6, 0x80000008, 0 }, + { X86_FEATURE_TSA_SQ_NO, CPUID_ECX, 1, 0x80000021, 0 }, + { X86_FEATURE_TSA_L1_NO, CPUID_ECX, 2, 0x80000021, 0 }, { 0, 0, 0, 0, 0 } };
diff --git a/arch/x86/kvm/svm/vmenter.S b/arch/x86/kvm/svm/vmenter.S index f96060855522..eeab012e4ee0 100644 --- a/arch/x86/kvm/svm/vmenter.S +++ b/arch/x86/kvm/svm/vmenter.S @@ -77,6 +77,9 @@ SYM_FUNC_START(__svm_vcpu_run) /* "POP" @vmcb to RAX. */ pop %_ASM_AX
+ /* Clobbers EFLAGS.ZF */ + VM_CLEAR_CPU_BUFFERS + /* Enter guest mode */ sti
@@ -190,6 +193,9 @@ SYM_FUNC_START(__svm_sev_es_vcpu_run) /* Move @vmcb to RAX. */ mov %_ASM_ARG1, %_ASM_AX
+ /* Clobbers EFLAGS.ZF */ + VM_CLEAR_CPU_BUFFERS + /* Enter guest mode */ sti
diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c index df196e073097..0e7f7f54665d 100644 --- a/drivers/base/cpu.c +++ b/drivers/base/cpu.c @@ -601,6 +601,11 @@ ssize_t __weak cpu_show_indirect_target_selection(struct device *dev, return sysfs_emit(buf, "Not affected\n"); }
+ssize_t __weak cpu_show_tsa(struct device *dev, struct device_attribute *attr, char *buf) +{ + return sysfs_emit(buf, "Not affected\n"); +} + static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL); static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL); static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL); @@ -616,6 +621,7 @@ static DEVICE_ATTR(gather_data_sampling, 0444, cpu_show_gds, NULL); static DEVICE_ATTR(spec_rstack_overflow, 0444, cpu_show_spec_rstack_overflow, NULL); static DEVICE_ATTR(reg_file_data_sampling, 0444, cpu_show_reg_file_data_sampling, NULL); static DEVICE_ATTR(indirect_target_selection, 0444, cpu_show_indirect_target_selection, NULL); +static DEVICE_ATTR(tsa, 0444, cpu_show_tsa, NULL);
static struct attribute *cpu_root_vulnerabilities_attrs[] = { &dev_attr_meltdown.attr, @@ -633,6 +639,7 @@ static struct attribute *cpu_root_vulnerabilities_attrs[] = { &dev_attr_spec_rstack_overflow.attr, &dev_attr_reg_file_data_sampling.attr, &dev_attr_indirect_target_selection.attr, + &dev_attr_tsa.attr, NULL };
diff --git a/include/linux/cpu.h b/include/linux/cpu.h index 87b5a176e848..ab1b88b16982 100644 --- a/include/linux/cpu.h +++ b/include/linux/cpu.h @@ -78,6 +78,7 @@ extern ssize_t cpu_show_reg_file_data_sampling(struct device *dev, struct device_attribute *attr, char *buf); extern ssize_t cpu_show_indirect_target_selection(struct device *dev, struct device_attribute *attr, char *buf); +extern ssize_t cpu_show_tsa(struct device *dev, struct device_attribute *attr, char *buf);
extern __printf(4, 5) struct device *cpu_device_create(struct device *parent, void *drvdata,
On Tue, Jul 08, 2025 at 07:51:01PM +0200, Borislav Petkov wrote:
On Tue, Jul 08, 2025 at 07:45:09PM +0200, Borislav Petkov wrote:
Right, it needs the __weak functions - this is solved differently on newer kernels. Lemme send updated patches.
Greg, here's an updated 5.15 patch:
Now updated, thanks.
greg k-h
On Tue, Jul 08, 2025 at 07:45:09PM +0200, Borislav Petkov wrote:
Right, it needs the __weak functions - this is solved differently on newer kernels. Lemme send updated patches.
...and 6.1:
Thanks Florian!
--- From 69fdd5ec45b0adfe91432c2288302b124ffc7d6a Mon Sep 17 00:00:00 2001 From: "Borislav Petkov (AMD)" bp@alien8.de Date: Wed, 11 Sep 2024 10:53:08 +0200 Subject: [PATCH] x86/bugs: Add a Transient Scheduler Attacks mitigation
Commit d8010d4ba43e9f790925375a7de100604a5e2dba upstream.
Add the required features detection glue to bugs.c et all in order to support the TSA mitigation.
Co-developed-by: Kim Phillips kim.phillips@amd.com Signed-off-by: Kim Phillips kim.phillips@amd.com Signed-off-by: Borislav Petkov (AMD) bp@alien8.de Reviewed-by: Pawan Gupta pawan.kumar.gupta@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- .../ABI/testing/sysfs-devices-system-cpu | 1 + .../admin-guide/kernel-parameters.txt | 13 ++ arch/x86/Kconfig | 9 ++ arch/x86/include/asm/cpu.h | 12 ++ arch/x86/include/asm/cpufeatures.h | 6 + arch/x86/include/asm/mwait.h | 2 +- arch/x86/include/asm/nospec-branch.h | 12 +- arch/x86/kernel/cpu/amd.c | 58 +++++++++ arch/x86/kernel/cpu/bugs.c | 121 ++++++++++++++++++ arch/x86/kernel/cpu/common.c | 14 +- arch/x86/kernel/cpu/scattered.c | 2 + arch/x86/kvm/svm/vmenter.S | 6 + drivers/base/cpu.c | 7 + include/linux/cpu.h | 1 + 14 files changed, 259 insertions(+), 5 deletions(-)
diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu index 1468609052c7..97e695efa959 100644 --- a/Documentation/ABI/testing/sysfs-devices-system-cpu +++ b/Documentation/ABI/testing/sysfs-devices-system-cpu @@ -526,6 +526,7 @@ What: /sys/devices/system/cpu/vulnerabilities /sys/devices/system/cpu/vulnerabilities/spectre_v1 /sys/devices/system/cpu/vulnerabilities/spectre_v2 /sys/devices/system/cpu/vulnerabilities/srbds + /sys/devices/system/cpu/vulnerabilities/tsa /sys/devices/system/cpu/vulnerabilities/tsx_async_abort Date: January 2018 Contact: Linux kernel mailing list linux-kernel@vger.kernel.org diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 6938c8cd7a6f..eaeabff9beff 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -6400,6 +6400,19 @@ If not specified, "default" is used. In this case, the RNG's choice is left to each individual trust source.
+ tsa= [X86] Control mitigation for Transient Scheduler + Attacks on AMD CPUs. Search the following in your + favourite search engine for more details: + + "Technical guidance for mitigating transient scheduler + attacks". + + off - disable the mitigation + on - enable the mitigation (default) + user - mitigate only user/kernel transitions + vm - mitigate only guest/host transitions + + tsc= Disable clocksource stability checks for TSC. Format: <string> [x86] reliable: mark tsc clocksource as reliable, this diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 8e66bb443351..1da950b1d41a 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2586,6 +2586,15 @@ config MITIGATION_ITS disabled, mitigation cannot be enabled via cmdline. See file:Documentation/admin-guide/hw-vuln/indirect-target-selection.rst
+config MITIGATION_TSA + bool "Mitigate Transient Scheduler Attacks" + depends on CPU_SUP_AMD + default y + help + Enable mitigation for Transient Scheduler Attacks. TSA is a hardware + security vulnerability on AMD CPUs which can lead to forwarding of + invalid info to subsequent instructions and thus can affect their + timing and thereby cause a leakage. endif
config ARCH_HAS_ADD_PAGES diff --git a/arch/x86/include/asm/cpu.h b/arch/x86/include/asm/cpu.h index 37639a2d9c34..c976bbf909e0 100644 --- a/arch/x86/include/asm/cpu.h +++ b/arch/x86/include/asm/cpu.h @@ -98,4 +98,16 @@ extern u64 x86_read_arch_cap_msr(void);
extern struct cpumask cpus_stop_mask;
+union zen_patch_rev { + struct { + __u32 rev : 8, + stepping : 4, + model : 4, + __reserved : 4, + ext_model : 4, + ext_fam : 8; + }; + __u32 ucode_rev; +}; + #endif /* _ASM_X86_CPU_H */ diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h index 28edef597282..1c71f947b426 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -430,6 +430,7 @@ #define X86_FEATURE_SME_COHERENT (19*32+10) /* "" AMD hardware-enforced cache coherency */
#define X86_FEATURE_AUTOIBRS (20*32+ 8) /* "" Automatic IBRS */ +#define X86_FEATURE_VERW_CLEAR (20*32+ 10) /* "" The memory form of VERW mitigates TSA */ #define X86_FEATURE_SBPB (20*32+27) /* "" Selective Branch Prediction Barrier */ #define X86_FEATURE_IBPB_BRTYPE (20*32+28) /* "" MSR_PRED_CMD[IBPB] flushes all branch type predictions */ #define X86_FEATURE_SRSO_NO (20*32+29) /* "" CPU is not affected by SRSO */ @@ -447,6 +448,10 @@ #define X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT (21*32+ 4) /* "" Clear branch history at vmexit using SW loop */ #define X86_FEATURE_INDIRECT_THUNK_ITS (21*32 + 5) /* "" Use thunk for indirect branches in lower half of cacheline */
+#define X86_FEATURE_TSA_SQ_NO (21*32+11) /* "" AMD CPU not vulnerable to TSA-SQ */ +#define X86_FEATURE_TSA_L1_NO (21*32+12) /* "" AMD CPU not vulnerable to TSA-L1 */ +#define X86_FEATURE_CLEAR_CPU_BUF_VM (21*32+13) /* "" Clear CPU buffers using VERW before VMRUN */ + /* * BUG word(s) */ @@ -498,4 +503,5 @@ #define X86_BUG_IBPB_NO_RET X86_BUG(1*32 + 4) /* "ibpb_no_ret" IBPB omits return target predictions */ #define X86_BUG_ITS X86_BUG(1*32 + 5) /* CPU is affected by Indirect Target Selection */ #define X86_BUG_ITS_NATIVE_ONLY X86_BUG(1*32 + 6) /* CPU is affected by ITS, VMX is not affected */ +#define X86_BUG_TSA X86_BUG(1*32+ 9) /* "tsa" CPU is affected by Transient Scheduler Attacks */ #endif /* _ASM_X86_CPUFEATURES_H */ diff --git a/arch/x86/include/asm/mwait.h b/arch/x86/include/asm/mwait.h index 209dce2c79b7..2c6020729dd1 100644 --- a/arch/x86/include/asm/mwait.h +++ b/arch/x86/include/asm/mwait.h @@ -80,7 +80,7 @@ static inline void __mwait(unsigned long eax, unsigned long ecx) static inline void __mwaitx(unsigned long eax, unsigned long ebx, unsigned long ecx) { - /* No MDS buffer clear as this is AMD/HYGON only */ + /* No need for TSA buffer clearing on AMD */
/* "mwaitx %eax, %ebx, %ecx;" */ asm volatile(".byte 0x0f, 0x01, 0xfb;" diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h index 3713b6dab7f4..c77a65a3e5f1 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -208,8 +208,8 @@ * CFLAGS.ZF. * Note: Only the memory operand variant of VERW clears the CPU buffers. */ -.macro CLEAR_CPU_BUFFERS - ALTERNATIVE "jmp .Lskip_verw_@", "", X86_FEATURE_CLEAR_CPU_BUF +.macro __CLEAR_CPU_BUFFERS feature + ALTERNATIVE "jmp .Lskip_verw_@", "", \feature #ifdef CONFIG_X86_64 verw x86_verw_sel(%rip) #else @@ -223,6 +223,12 @@ .Lskip_verw_@: .endm
+#define CLEAR_CPU_BUFFERS \ + __CLEAR_CPU_BUFFERS X86_FEATURE_CLEAR_CPU_BUF + +#define VM_CLEAR_CPU_BUFFERS \ + __CLEAR_CPU_BUFFERS X86_FEATURE_CLEAR_CPU_BUF_VM + #ifdef CONFIG_X86_64 .macro CLEAR_BRANCH_HISTORY ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP @@ -462,7 +468,7 @@ static __always_inline void x86_clear_cpu_buffers(void)
/** * x86_idle_clear_cpu_buffers - Buffer clearing support in idle for the MDS - * vulnerability + * and TSA vulnerabilities. * * Clear CPU buffers if the corresponding static key is enabled */ diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c index 9ac93b4ba67b..3e3679709e90 100644 --- a/arch/x86/kernel/cpu/amd.c +++ b/arch/x86/kernel/cpu/amd.c @@ -553,6 +553,61 @@ static void early_init_amd_mc(struct cpuinfo_x86 *c) #endif }
+static bool amd_check_tsa_microcode(void) +{ + struct cpuinfo_x86 *c = &boot_cpu_data; + union zen_patch_rev p; + u32 min_rev = 0; + + p.ext_fam = c->x86 - 0xf; + p.model = c->x86_model; + p.stepping = c->x86_stepping; + + if (c->x86 == 0x19) { + switch (p.ucode_rev >> 8) { + case 0xa0011: min_rev = 0x0a0011d7; break; + case 0xa0012: min_rev = 0x0a00123b; break; + case 0xa0082: min_rev = 0x0a00820d; break; + case 0xa1011: min_rev = 0x0a10114c; break; + case 0xa1012: min_rev = 0x0a10124c; break; + case 0xa1081: min_rev = 0x0a108109; break; + case 0xa2010: min_rev = 0x0a20102e; break; + case 0xa2012: min_rev = 0x0a201211; break; + case 0xa4041: min_rev = 0x0a404108; break; + case 0xa5000: min_rev = 0x0a500012; break; + case 0xa6012: min_rev = 0x0a60120a; break; + case 0xa7041: min_rev = 0x0a704108; break; + case 0xa7052: min_rev = 0x0a705208; break; + case 0xa7080: min_rev = 0x0a708008; break; + case 0xa70c0: min_rev = 0x0a70c008; break; + case 0xaa002: min_rev = 0x0aa00216; break; + default: + pr_debug("%s: ucode_rev: 0x%x, current revision: 0x%x\n", + __func__, p.ucode_rev, c->microcode); + return false; + } + } + + if (!min_rev) + return false; + + return c->microcode >= min_rev; +} + +static void tsa_init(struct cpuinfo_x86 *c) +{ + if (cpu_has(c, X86_FEATURE_HYPERVISOR)) + return; + + if (c->x86 == 0x19) { + if (amd_check_tsa_microcode()) + setup_force_cpu_cap(X86_FEATURE_VERW_CLEAR); + } else { + setup_force_cpu_cap(X86_FEATURE_TSA_SQ_NO); + setup_force_cpu_cap(X86_FEATURE_TSA_L1_NO); + } +} + static void bsp_init_amd(struct cpuinfo_x86 *c) { if (cpu_has(c, X86_FEATURE_CONSTANT_TSC)) { @@ -663,6 +718,9 @@ static void early_detect_mem_encrypt(struct cpuinfo_x86 *c) if (!(msr & MSR_K7_HWCR_SMMLOCK)) goto clear_sev;
+ + tsa_init(c); + return;
clear_all: diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index d0a5df576e90..dba5262e1509 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -49,6 +49,7 @@ static void __init l1d_flush_select_mitigation(void); static void __init gds_select_mitigation(void); static void __init srso_select_mitigation(void); static void __init its_select_mitigation(void); +static void __init tsa_select_mitigation(void);
/* The base value of the SPEC_CTRL MSR without task-specific bits set */ u64 x86_spec_ctrl_base; @@ -184,6 +185,7 @@ void __init cpu_select_mitigations(void) srso_select_mitigation(); gds_select_mitigation(); its_select_mitigation(); + tsa_select_mitigation(); }
/* @@ -2039,6 +2041,94 @@ static void update_mds_branch_idle(void) #define TAA_MSG_SMT "TAA CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.h... for more details.\n" #define MMIO_MSG_SMT "MMIO Stale Data CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_st... for more details.\n"
+#undef pr_fmt +#define pr_fmt(fmt) "Transient Scheduler Attacks: " fmt + +enum tsa_mitigations { + TSA_MITIGATION_NONE, + TSA_MITIGATION_UCODE_NEEDED, + TSA_MITIGATION_USER_KERNEL, + TSA_MITIGATION_VM, + TSA_MITIGATION_FULL, +}; + +static const char * const tsa_strings[] = { + [TSA_MITIGATION_NONE] = "Vulnerable", + [TSA_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode", + [TSA_MITIGATION_USER_KERNEL] = "Mitigation: Clear CPU buffers: user/kernel boundary", + [TSA_MITIGATION_VM] = "Mitigation: Clear CPU buffers: VM", + [TSA_MITIGATION_FULL] = "Mitigation: Clear CPU buffers", +}; + +static enum tsa_mitigations tsa_mitigation __ro_after_init = + IS_ENABLED(CONFIG_MITIGATION_TSA) ? TSA_MITIGATION_FULL : TSA_MITIGATION_NONE; + +static int __init tsa_parse_cmdline(char *str) +{ + if (!str) + return -EINVAL; + + if (!strcmp(str, "off")) + tsa_mitigation = TSA_MITIGATION_NONE; + else if (!strcmp(str, "on")) + tsa_mitigation = TSA_MITIGATION_FULL; + else if (!strcmp(str, "user")) + tsa_mitigation = TSA_MITIGATION_USER_KERNEL; + else if (!strcmp(str, "vm")) + tsa_mitigation = TSA_MITIGATION_VM; + else + pr_err("Ignoring unknown tsa=%s option.\n", str); + + return 0; +} +early_param("tsa", tsa_parse_cmdline); + +static void __init tsa_select_mitigation(void) +{ + if (tsa_mitigation == TSA_MITIGATION_NONE) + return; + + if (cpu_mitigations_off() || !boot_cpu_has_bug(X86_BUG_TSA)) { + tsa_mitigation = TSA_MITIGATION_NONE; + return; + } + + if (!boot_cpu_has(X86_FEATURE_VERW_CLEAR)) + tsa_mitigation = TSA_MITIGATION_UCODE_NEEDED; + + switch (tsa_mitigation) { + case TSA_MITIGATION_USER_KERNEL: + setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF); + break; + + case TSA_MITIGATION_VM: + setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF_VM); + break; + + case TSA_MITIGATION_UCODE_NEEDED: + if (!boot_cpu_has(X86_FEATURE_HYPERVISOR)) + goto out; + + pr_notice("Forcing mitigation on in a VM\n"); + + /* + * On the off-chance that microcode has been updated + * on the host, enable the mitigation in the guest just + * in case. + */ + fallthrough; + case TSA_MITIGATION_FULL: + setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF); + setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF_VM); + break; + default: + break; + } + +out: + pr_info("%s\n", tsa_strings[tsa_mitigation]); +} + void cpu_bugs_smt_update(void) { mutex_lock(&spec_ctrl_mutex); @@ -2092,6 +2182,24 @@ void cpu_bugs_smt_update(void) break; }
+ switch (tsa_mitigation) { + case TSA_MITIGATION_USER_KERNEL: + case TSA_MITIGATION_VM: + case TSA_MITIGATION_FULL: + case TSA_MITIGATION_UCODE_NEEDED: + /* + * TSA-SQ can potentially lead to info leakage between + * SMT threads. + */ + if (sched_smt_active()) + static_branch_enable(&cpu_buf_idle_clear); + else + static_branch_disable(&cpu_buf_idle_clear); + break; + case TSA_MITIGATION_NONE: + break; + } + mutex_unlock(&spec_ctrl_mutex); }
@@ -3026,6 +3134,11 @@ static ssize_t srso_show_state(char *buf) boot_cpu_has(X86_FEATURE_IBPB_BRTYPE) ? "" : ", no microcode"); }
+static ssize_t tsa_show_state(char *buf) +{ + return sysfs_emit(buf, "%s\n", tsa_strings[tsa_mitigation]); +} + static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, char *buf, unsigned int bug) { @@ -3087,6 +3200,9 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr case X86_BUG_ITS: return its_show_state(buf);
+ case X86_BUG_TSA: + return tsa_show_state(buf); + default: break; } @@ -3171,4 +3287,9 @@ ssize_t cpu_show_indirect_target_selection(struct device *dev, struct device_att { return cpu_show_common(dev, attr, buf, X86_BUG_ITS); } + +ssize_t cpu_show_tsa(struct device *dev, struct device_attribute *attr, char *buf) +{ + return cpu_show_common(dev, attr, buf, X86_BUG_TSA); +} #endif diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 722eac51beae..9c849a4160cd 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -1256,6 +1256,8 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = { #define ITS BIT(8) /* CPU is affected by Indirect Target Selection, but guest-host isolation is not affected */ #define ITS_NATIVE_ONLY BIT(9) +/* CPU is affected by Transient Scheduler Attacks */ +#define TSA BIT(10)
static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = { VULNBL_INTEL_STEPPINGS(IVYBRIDGE, X86_STEPPING_ANY, SRBDS), @@ -1303,7 +1305,7 @@ static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = { VULNBL_AMD(0x16, RETBLEED), VULNBL_AMD(0x17, RETBLEED | SMT_RSB | SRSO), VULNBL_HYGON(0x18, RETBLEED | SMT_RSB | SRSO), - VULNBL_AMD(0x19, SRSO), + VULNBL_AMD(0x19, SRSO | TSA), {} };
@@ -1508,6 +1510,16 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) setup_force_cpu_bug(X86_BUG_ITS_NATIVE_ONLY); }
+ if (c->x86_vendor == X86_VENDOR_AMD) { + if (!cpu_has(c, X86_FEATURE_TSA_SQ_NO) || + !cpu_has(c, X86_FEATURE_TSA_L1_NO)) { + if (cpu_matches(cpu_vuln_blacklist, TSA) || + /* Enable bug on Zen guests to allow for live migration. */ + (cpu_has(c, X86_FEATURE_HYPERVISOR) && cpu_has(c, X86_FEATURE_ZEN))) + setup_force_cpu_bug(X86_BUG_TSA); + } + } + if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN)) return;
diff --git a/arch/x86/kernel/cpu/scattered.c b/arch/x86/kernel/cpu/scattered.c index 28c357cf7c75..b9e39c9eb274 100644 --- a/arch/x86/kernel/cpu/scattered.c +++ b/arch/x86/kernel/cpu/scattered.c @@ -45,6 +45,8 @@ static const struct cpuid_bit cpuid_bits[] = { { X86_FEATURE_CPB, CPUID_EDX, 9, 0x80000007, 0 }, { X86_FEATURE_PROC_FEEDBACK, CPUID_EDX, 11, 0x80000007, 0 }, { X86_FEATURE_MBA, CPUID_EBX, 6, 0x80000008, 0 }, + { X86_FEATURE_TSA_SQ_NO, CPUID_ECX, 1, 0x80000021, 0 }, + { X86_FEATURE_TSA_L1_NO, CPUID_ECX, 2, 0x80000021, 0 }, { X86_FEATURE_PERFMON_V2, CPUID_EAX, 0, 0x80000022, 0 }, { X86_FEATURE_AMD_LBR_V2, CPUID_EAX, 1, 0x80000022, 0 }, { X86_FEATURE_AMD_LBR_PMC_FREEZE, CPUID_EAX, 2, 0x80000022, 0 }, diff --git a/arch/x86/kvm/svm/vmenter.S b/arch/x86/kvm/svm/vmenter.S index 5be9a63f09ff..42824f9b06a2 100644 --- a/arch/x86/kvm/svm/vmenter.S +++ b/arch/x86/kvm/svm/vmenter.S @@ -166,6 +166,9 @@ SYM_FUNC_START(__svm_vcpu_run) #endif mov VCPU_RDI(%_ASM_DI), %_ASM_DI
+ /* Clobbers EFLAGS.ZF */ + VM_CLEAR_CPU_BUFFERS + /* Enter guest mode */ sti
@@ -336,6 +339,9 @@ SYM_FUNC_START(__svm_sev_es_vcpu_run) mov SVM_current_vmcb(%_ASM_DI), %_ASM_AX mov KVM_VMCB_pa(%_ASM_AX), %_ASM_AX
+ /* Clobbers EFLAGS.ZF */ + VM_CLEAR_CPU_BUFFERS + /* Enter guest mode */ sti
diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c index 27aff2503765..d68c60f35764 100644 --- a/drivers/base/cpu.c +++ b/drivers/base/cpu.c @@ -601,6 +601,11 @@ ssize_t __weak cpu_show_indirect_target_selection(struct device *dev, return sysfs_emit(buf, "Not affected\n"); }
+ssize_t __weak cpu_show_tsa(struct device *dev, struct device_attribute *attr, char *buf) +{ + return sysfs_emit(buf, "Not affected\n"); +} + static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL); static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL); static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL); @@ -616,6 +621,7 @@ static DEVICE_ATTR(gather_data_sampling, 0444, cpu_show_gds, NULL); static DEVICE_ATTR(spec_rstack_overflow, 0444, cpu_show_spec_rstack_overflow, NULL); static DEVICE_ATTR(reg_file_data_sampling, 0444, cpu_show_reg_file_data_sampling, NULL); static DEVICE_ATTR(indirect_target_selection, 0444, cpu_show_indirect_target_selection, NULL); +static DEVICE_ATTR(tsa, 0444, cpu_show_tsa, NULL);
static struct attribute *cpu_root_vulnerabilities_attrs[] = { &dev_attr_meltdown.attr, @@ -633,6 +639,7 @@ static struct attribute *cpu_root_vulnerabilities_attrs[] = { &dev_attr_spec_rstack_overflow.attr, &dev_attr_reg_file_data_sampling.attr, &dev_attr_indirect_target_selection.attr, + &dev_attr_tsa.attr, NULL };
diff --git a/include/linux/cpu.h b/include/linux/cpu.h index 186e0e0f2e40..3d3ceccf8224 100644 --- a/include/linux/cpu.h +++ b/include/linux/cpu.h @@ -78,6 +78,7 @@ extern ssize_t cpu_show_reg_file_data_sampling(struct device *dev, struct device_attribute *attr, char *buf); extern ssize_t cpu_show_indirect_target_selection(struct device *dev, struct device_attribute *attr, char *buf); +extern ssize_t cpu_show_tsa(struct device *dev, struct device_attribute *attr, char *buf);
extern __printf(4, 5) struct device *cpu_device_create(struct device *parent, void *drvdata,
On Tue, Jul 08, 2025 at 08:04:00PM +0200, Borislav Petkov wrote:
On Tue, Jul 08, 2025 at 07:45:09PM +0200, Borislav Petkov wrote:
Right, it needs the __weak functions - this is solved differently on newer kernels. Lemme send updated patches.
...and 6.1:
Now applied, thanks!
I'll push out -rc2 versions of both of these now.
greg k-h
On 7/8/2025 11:09 AM, Greg Kroah-Hartman wrote:
On Tue, Jul 08, 2025 at 08:04:00PM +0200, Borislav Petkov wrote:
On Tue, Jul 08, 2025 at 07:45:09PM +0200, Borislav Petkov wrote:
Right, it needs the __weak functions - this is solved differently on newer kernels. Lemme send updated patches.
...and 6.1:
Now applied, thanks!
I'll push out -rc2 versions of both of these now.
Thank you both for the prompt reply!
On Tue, Jul 08, 2025 at 10:20:01AM -0700, Florian Fainelli wrote:
On 7/8/25 09:20, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 5.15.187 release. There are 160 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Thu, 10 Jul 2025 16:22:09 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.187-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below.
thanks,
greg k-h
The ARM 32-bit kernel fails to build with:
/local/users/fainelli/buildroot/output/arm/host/bin/arm-linux-ld: drivers/base/cpu.o: in function `.LANCHOR2': cpu.c:(.data+0xbc): undefined reference to `cpu_show_tsa' host-make[2]: *** [Makefile:1246: vmlinux] Error 1
This is caused by:
commit 5799df885785024821d09c334612c00992aa4c4b Author: Borislav Petkov (AMD) bp@alien8.de Date: Wed Sep 11 10:53:08 2024 +0200
x86/bugs: Add a Transient Scheduler Attacks mitigation Commit d8010d4ba43e9f790925375a7de100604a5e2dba upstream. Add the required features detection glue to bugs.c et all in order to support the TSA mitigation. Co-developed-by: Kim Phillips <kim.phillips@amd.com> Signed-off-by: Kim Phillips <kim.phillips@amd.com> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Reviewed-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>I don't see this in Linus' tree but it's not clear yet why that is not happening there.
I see it in Linus's tree, you might want to do a sync :)
On 7/8/25 10:20, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 5.15.187 release. There are 160 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Thu, 10 Jul 2025 16:22:09 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.187-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below.
thanks,
greg k-h
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan skhan@linuxfoundation.org
thanks, -- Shuah
-
Borislav Petkov -
Florian Fainelli -
Greg Kroah-Hartman -
Shuah Khan