From 011d713f39ad1af141f39a06efa32381e082876c Mon Sep 17 00:00:00 2001 From: Andrew Lukoshko Date: Sun, 19 Nov 2023 21:17:09 +0000 Subject: [PATCH] Revert all manual changes since 4.18.0-477.13.1.rt7.276.el8_8 --- ...ible-race-condition-between-do_tls_g.patch | 83 -- ...CAP-Fix-accepting-connection-request.patch | 77 -- ...x-update-imperfect-hash-filters-resp.patch | 113 --- ...d-tcindex-search-key-must-be-16-bits.patch | 87 -- ...-net-sched-Retire-tcindex-classifier.patch | 836 ------------------ ...fer-contents-when-we-skip-log-replay.patch | 119 --- ...o-Fix-out-of-bounds-bug-in-xgene_sli.patch | 48 - ...efore-add_event_to_groups-in-perf_gr.patch | 45 - ...m-careful-capability-checks-in-hci_s.patch | 56 -- ...t-of-bounds-caused-by-unclear-skb-cb.patch | 172 ---- ...-Fix-improper-refcount-update-leads-.patch | 62 -- ...t_pipapo-fix-improper-element-remova.patch | 63 -- ...les-prevent-OOB-access-in-nft_byteor.patch | 217 ----- ...-fix-possible-OOB-write-in-fl_set_ge.patch | 44 - ...tel-Expose-collect_cpu_info_early-fo.patch | 243 ----- ...rocode-during-restore_processor_stat.patch | 129 --- ...de-Deprecate-MICROCODE_OLD_INTERFACE.patch | 51 -- ...-microcode-Rip-out-the-OLD_INTERFACE.patch | 170 ---- ...crocode-Default-disable-late-loading.patch | 106 --- ...ocode-Taint-and-warn-on-late-loading.patch | 47 - ...ode-Remove-unnecessary-perf-callback.patch | 45 - ...int-previous-version-of-microcode-af.patch | 49 - ...de-Rip-out-the-subsys-interface-gunk.patch | 179 ---- ...crocode-Simplify-init-path-even-more.patch | 212 ----- ...ode-AMD-Rename-a-couple-of-functions.patch | 88 -- ...x-return-value-for-microcode-late-lo.patch | 79 -- ...d-a-parameter-to-microcode_check-to-.patch | 110 --- ...eck-CPU-capabilities-after-late-micr.patch | 135 --- ...just-late-loading-result-reporting-m.patch | 54 -- ...bug-register-values-in-percpu-variab.patch | 148 ---- ...rocode-Remove-request_microcode_user.patch | 94 -- .../1032-x86-microcode-Kill-refresh_fw.patch | 88 -- ...d-Remove-load_microcode_amd-s-bsp-pa.patch | 92 -- ...ode-Drop-struct-ucode_cpu_info.valid.patch | 62 -- ...D-Add-a-cpu-parameter-to-the-reloadi.patch | 110 --- ...D-Track-patch-allocation-size-explic.patch | 63 -- ...code-AMD-Fix-mixed-steppings-support.patch | 111 --- ...re-Return-an-error-only-when-necessa.patch | 40 - ...-apic-Don-t-disable-x2APIC-if-locked.patch | 225 ----- ...-the-errata-checking-functionality-u.patch | 186 ---- ...edundant-extern-x86_read_arch_cap_ms.patch | 63 -- ...m-Add-support-for-CPUID_80000021_EAX.patch | 77 -- ...e-that-the-SMM_CTL-MSR-is-not-suppor.patch | 43 - ...n-coded-CPUID-leaf-0x80000021-EAX-bi.patch | 84 -- ...vm-Add-the-NO_NESTED_DATA_BP-feature.patch | 51 -- ...re-MSR_SPEC_CTRL-is-updated-properly.patch | 148 ---- ...7-x86-cpu-Support-AMD-Automatic-IBRS.patch | 209 ----- ...CPU-AMD-Make-sure-EFER-AIBRSE-is-set.patch | 86 -- .../1049-x86-cpu-amd-Add-a-Zenbleed-fix.patch | 175 ---- ...les-incorrect-error-path-handling-wi.patch | 76 -- ...M-vector-callback-setup-and-interrup.patch | 110 --- ...de-AMD-Load-late-on-both-threads-too.patch | 30 - SOURCES/debrand-rh-i686-cpu.patch | 11 - SOURCES/debrand-rh_taint.patch | 81 -- SOURCES/debrand-single-cpu.patch | 11 - SPECS/kernel.spec | 183 +--- 56 files changed, 6 insertions(+), 6370 deletions(-) delete mode 100644 SOURCES/1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch delete mode 100644 SOURCES/1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch delete mode 100644 SOURCES/1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch delete mode 100644 SOURCES/1004-net-sched-tcindex-search-key-must-be-16-bits.patch delete mode 100644 SOURCES/1005-net-sched-Retire-tcindex-classifier.patch delete mode 100644 SOURCES/1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch delete mode 100644 SOURCES/1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch delete mode 100644 SOURCES/1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch delete mode 100644 SOURCES/1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch delete mode 100644 SOURCES/1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch delete mode 100644 SOURCES/1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch delete mode 100644 SOURCES/1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch delete mode 100644 SOURCES/1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch delete mode 100644 SOURCES/1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch delete mode 100644 SOURCES/1015-x86-microcode-intel-Expose-collect_cpu_info_early-fo.patch delete mode 100644 SOURCES/1016-x86-cpu-Load-microcode-during-restore_processor_stat.patch delete mode 100644 SOURCES/1017-x86-microcode-Deprecate-MICROCODE_OLD_INTERFACE.patch delete mode 100644 SOURCES/1018-x86-microcode-Rip-out-the-OLD_INTERFACE.patch delete mode 100644 SOURCES/1019-x86-microcode-Default-disable-late-loading.patch delete mode 100644 SOURCES/1020-x86-microcode-Taint-and-warn-on-late-loading.patch delete mode 100644 SOURCES/1021-x86-microcode-Remove-unnecessary-perf-callback.patch delete mode 100644 SOURCES/1022-x86-microcode-Print-previous-version-of-microcode-af.patch delete mode 100644 SOURCES/1023-x86-microcode-Rip-out-the-subsys-interface-gunk.patch delete mode 100644 SOURCES/1024-x86-microcode-Simplify-init-path-even-more.patch delete mode 100644 SOURCES/1025-x86-microcode-AMD-Rename-a-couple-of-functions.patch delete mode 100644 SOURCES/1026-x86-microcode-Fix-return-value-for-microcode-late-lo.patch delete mode 100644 SOURCES/1027-x86-microcode-Add-a-parameter-to-microcode_check-to-.patch delete mode 100644 SOURCES/1028-x86-microcode-Check-CPU-capabilities-after-late-micr.patch delete mode 100644 SOURCES/1029-x86-microcode-Adjust-late-loading-result-reporting-m.patch delete mode 100644 SOURCES/1030-x86-amd-Cache-debug-register-values-in-percpu-variab.patch delete mode 100644 SOURCES/1031-x86-microcode-Remove-request_microcode_user.patch delete mode 100644 SOURCES/1032-x86-microcode-Kill-refresh_fw.patch delete mode 100644 SOURCES/1033-x86-microcode-amd-Remove-load_microcode_amd-s-bsp-pa.patch delete mode 100644 SOURCES/1034-x86-microcode-Drop-struct-ucode_cpu_info.valid.patch delete mode 100644 SOURCES/1035-x86-microcode-AMD-Add-a-cpu-parameter-to-the-reloadi.patch delete mode 100644 SOURCES/1036-x86-microcode-AMD-Track-patch-allocation-size-explic.patch delete mode 100644 SOURCES/1037-x86-microcode-AMD-Fix-mixed-steppings-support.patch delete mode 100644 SOURCES/1038-x86-microcode-core-Return-an-error-only-when-necessa.patch delete mode 100644 SOURCES/1039-x86-apic-Don-t-disable-x2APIC-if-locked.patch delete mode 100644 SOURCES/1040-x86-cpu-amd-Move-the-errata-checking-functionality-u.patch delete mode 100644 SOURCES/1041-x86-cpu-Remove-redundant-extern-x86_read_arch_cap_ms.patch delete mode 100644 SOURCES/1042-x86-cpu-kvm-Add-support-for-CPUID_80000021_EAX.patch delete mode 100644 SOURCES/1043-KVM-x86-Advertise-that-the-SMM_CTL-MSR-is-not-suppor.patch delete mode 100644 SOURCES/1044-KVM-x86-Move-open-coded-CPUID-leaf-0x80000021-EAX-bi.patch delete mode 100644 SOURCES/1045-x86-cpu-kvm-Add-the-NO_NESTED_DATA_BP-feature.patch delete mode 100644 SOURCES/1046-x86-bugs-Make-sure-MSR_SPEC_CTRL-is-updated-properly.patch delete mode 100644 SOURCES/1047-x86-cpu-Support-AMD-Automatic-IBRS.patch delete mode 100644 SOURCES/1048-x86-CPU-AMD-Make-sure-EFER-AIBRSE-is-set.patch delete mode 100644 SOURCES/1049-x86-cpu-amd-Add-a-Zenbleed-fix.patch delete mode 100644 SOURCES/1050-netfilter-nf_tables-incorrect-error-path-handling-wi.patch delete mode 100644 SOURCES/9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch delete mode 100644 SOURCES/9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch delete mode 100644 SOURCES/debrand-rh-i686-cpu.patch delete mode 100644 SOURCES/debrand-rh_taint.patch delete mode 100644 SOURCES/debrand-single-cpu.patch diff --git a/SOURCES/1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch b/SOURCES/1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch deleted file mode 100644 index 7cd33b7..0000000 --- a/SOURCES/1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch +++ /dev/null @@ -1,83 +0,0 @@ -From f83f793e1fac3df2dda737ab857099e27b983440 Mon Sep 17 00:00:00 2001 -From: Hangyu Hua -Date: Wed, 19 Jul 2023 22:52:35 +0000 -Subject: [PATCH 1/1] net: tls: fix possible race condition between - do_tls_getsockopt_conf() and do_tls_setsockopt_conf() - -ctx->crypto_send.info is not protected by lock_sock in -do_tls_getsockopt_conf(). A race condition between do_tls_getsockopt_conf() -and error paths of do_tls_setsockopt_conf() may lead to a use-after-free -or null-deref. - -More discussion: https://lore.kernel.org/all/Y/ht6gQL+u6fj3dG@hog/ - -Fixes: 3c4d7559159b ("tls: kernel TLS support") -Signed-off-by: Hangyu Hua -Link: https://lore.kernel.org/r/20230228023344.9623-1-hbh25y@gmail.com -Signed-off-by: Jakub Kicinski -(commit 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962 upstream) - -Conflicts: - net/tls/tls_main.c - -CVE: CVE-2023-28466 -Signed-off-by: Mridula Shastry -Reviewed-by: Bert Barbe ---- - net/tls/tls_main.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c -index a4ca1bfaa..92909eeca 100644 ---- a/net/tls/tls_main.c -+++ b/net/tls/tls_main.c -@@ -386,13 +386,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval, - rc = -EINVAL; - goto out; - } -- lock_sock(sk); - memcpy(crypto_info_aes_gcm_128->iv, - cctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE, - TLS_CIPHER_AES_GCM_128_IV_SIZE); - memcpy(crypto_info_aes_gcm_128->rec_seq, cctx->rec_seq, - TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); -- release_sock(sk); - if (copy_to_user(optval, - crypto_info_aes_gcm_128, - sizeof(*crypto_info_aes_gcm_128))) -@@ -410,13 +408,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval, - rc = -EINVAL; - goto out; - } -- lock_sock(sk); - memcpy(crypto_info_aes_gcm_256->iv, - cctx->iv + TLS_CIPHER_AES_GCM_256_SALT_SIZE, - TLS_CIPHER_AES_GCM_256_IV_SIZE); - memcpy(crypto_info_aes_gcm_256->rec_seq, cctx->rec_seq, - TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE); -- release_sock(sk); - if (copy_to_user(optval, - crypto_info_aes_gcm_256, - sizeof(*crypto_info_aes_gcm_256))) -@@ -436,6 +432,8 @@ static int do_tls_getsockopt(struct sock *sk, int optname, - { - int rc = 0; - -+ lock_sock(sk); -+ - switch (optname) { - case TLS_TX: - case TLS_RX: -@@ -446,6 +444,9 @@ static int do_tls_getsockopt(struct sock *sk, int optname, - rc = -ENOPROTOOPT; - break; - } -+ -+ release_sock(sk); -+ - return rc; - } - --- -2.39.3 - diff --git a/SOURCES/1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch b/SOURCES/1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch deleted file mode 100644 index 251de22..0000000 --- a/SOURCES/1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch +++ /dev/null @@ -1,77 +0,0 @@ -From b19a194712d8f25e80d53803ccd0176f619b3fbc Mon Sep 17 00:00:00 2001 -From: Luiz Augusto von Dentz -Date: Tue, 8 Aug 2023 10:38:26 +0000 -Subject: [PATCH 1/7] Bluetooth: L2CAP: Fix accepting connection request for - invalid SPSM - -commit 711f8c3fb3db61897080468586b970c87c61d9e4 upstream -Author: Luiz Augusto von Dentz -Date: Mon Oct 31 16:10:32 2022 -0700 - - Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM - - The Bluetooth spec states that the valid range for SPSM is from - 0x0001-0x00ff so it is invalid to accept values outside of this range: - - BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A - page 1059: - Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges - - CVE: CVE-2022-42896 - CC: stable@vger.kernel.org - Reported-by: Tamás Koczka - Signed-off-by: Luiz Augusto von Dentz - Reviewed-by: Tedd Ho-Jeong An - -Signed-off-by: Nagappan Ramasamy Palaniappan -Reviewed-by: Laurence Rochfort ---- - net/bluetooth/l2cap_core.c | 25 +++++++++++++++++++++++++ - 1 file changed, 25 insertions(+) - -diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c -index 86ecd4ad4..4fed6d24a 100644 ---- a/net/bluetooth/l2cap_core.c -+++ b/net/bluetooth/l2cap_core.c -@@ -5771,6 +5771,19 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn, - BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm), - scid, mtu, mps); - -+ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A -+ * page 1059: -+ * -+ * Valid range: 0x0001-0x00ff -+ * -+ * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges -+ */ -+ if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) { -+ result = L2CAP_CR_LE_BAD_PSM; -+ chan = NULL; -+ goto response; -+ } -+ - /* Check if we have socket listening on psm */ - pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src, - &conn->hcon->dst, LE_LINK); -@@ -5958,6 +5971,18 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn, - - psm = req->psm; - -+ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A -+ * page 1059: -+ * -+ * Valid range: 0x0001-0x00ff -+ * -+ * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges -+ */ -+ if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) { -+ result = L2CAP_CR_LE_BAD_PSM; -+ goto response; -+ } -+ - BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps); - - memset(&pdu, 0, sizeof(pdu)); --- -2.31.1 - diff --git a/SOURCES/1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch b/SOURCES/1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch deleted file mode 100644 index 6691029..0000000 --- a/SOURCES/1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch +++ /dev/null @@ -1,113 +0,0 @@ -From a11b8451e966830bb9aeaf27a9464fe0ab59907d Mon Sep 17 00:00:00 2001 -From: Jamal Hadi Salim -Date: Tue, 8 Aug 2023 10:46:07 +0000 -Subject: [PATCH 2/7] net/sched: tcindex: update imperfect hash filters - respecting rcu - -commit ee059170b1f7e94e55fa6cadee544e176a6e59c2 upstream -Author: Pedro Tammela -Date: Thu Feb 9 11:37:39 2023 -0300 - - net/sched: tcindex: update imperfect hash filters respecting rcu - - The imperfect hash area can be updated while packets are traversing, - which will cause a use-after-free when 'tcf_exts_exec()' is called - with the destroyed tcf_ext. - - CPU 0: CPU 1: - tcindex_set_parms tcindex_classify - tcindex_lookup - tcindex_lookup - tcf_exts_change - tcf_exts_exec [UAF] - - Stop operating on the shared area directly, by using a local copy, - and update the filter with 'rcu_replace_pointer()'. Delete the old - filter version only after a rcu grace period elapsed. - - Fixes: 9b0d4446b569 ("net: sched: avoid atomic swap in tcf_exts_change") - Reported-by: valis - Suggested-by: valis - Signed-off-by: Jamal Hadi Salim - Signed-off-by: Pedro Tammela - Link: https://lore.kernel.org/r/20230209143739.279867-1-pctammela@mojatatu.com - Signed-off-by: Jakub Kicinski - -CVE: CVE-2023-1281 -Signed-off-by: Nagappan Ramasamy Palaniappan -Reviewed-by: Reviewed-by: Venkat Venkatsubra -Reviewed-by: Laurence Rochfort ---- - net/sched/cls_tcindex.c | 34 ++++++++++++++++++++++++++++++---- - 1 file changed, 30 insertions(+), 4 deletions(-) - -diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c -index df229a808..83042a101 100644 ---- a/net/sched/cls_tcindex.c -+++ b/net/sched/cls_tcindex.c -@@ -11,6 +11,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -337,6 +338,7 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base, - struct tcf_result cr = {}; - int err, balloc = 0; - struct tcf_exts e; -+ bool update_h = false; - - err = tcf_exts_init(&e, net, TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE); - if (err < 0) -@@ -454,10 +456,13 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base, - } - } - -- if (cp->perfect) -+ if (cp->perfect) { - r = cp->perfect + handle; -- else -- r = tcindex_lookup(cp, handle) ? : &new_filter_result; -+ } else { -+ /* imperfect area is updated in-place using rcu */ -+ update_h = !!tcindex_lookup(cp, handle); -+ r = &new_filter_result; -+ } - - if (r == &new_filter_result) { - f = kzalloc(sizeof(*f), GFP_KERNEL); -@@ -491,7 +496,28 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base, - - rcu_assign_pointer(tp->root, cp); - -- if (r == &new_filter_result) { -+ if (update_h) { -+ struct tcindex_filter __rcu **fp; -+ struct tcindex_filter *cf; -+ -+ f->result.res = r->res; -+ tcf_exts_change(&f->result.exts, &r->exts); -+ -+ /* imperfect area bucket */ -+ fp = cp->h + (handle % cp->hash); -+ -+ /* lookup the filter, guaranteed to exist */ -+ for (cf = rcu_dereference_bh_rtnl(*fp); cf; -+ fp = &cf->next, cf = rcu_dereference_bh_rtnl(*fp)) -+ if (cf->key == handle) -+ break; -+ -+ f->next = cf->next; -+ -+ cf = rcu_replace_pointer(*fp, f, 1); -+ tcf_exts_get_net(&cf->result.exts); -+ tcf_queue_work(&cf->rwork, tcindex_destroy_fexts_work); -+ } else if (r == &new_filter_result) { - struct tcindex_filter *nfp; - struct tcindex_filter __rcu **fp; - --- -2.31.1 - diff --git a/SOURCES/1004-net-sched-tcindex-search-key-must-be-16-bits.patch b/SOURCES/1004-net-sched-tcindex-search-key-must-be-16-bits.patch deleted file mode 100644 index 4003487..0000000 --- a/SOURCES/1004-net-sched-tcindex-search-key-must-be-16-bits.patch +++ /dev/null @@ -1,87 +0,0 @@ -From ad24994e22b545703a710ae7928a160970ff72db Mon Sep 17 00:00:00 2001 -From: Jamal Hadi Salim -Date: Tue, 8 Aug 2023 11:07:16 +0000 -Subject: [PATCH 3/7] net/sched: tcindex: search key must be 16 bits - -commit 42018a322bd453e38b3ffee294982243e50a484f upstream -Author: Pedro Tammela -Date: Mon Feb 13 22:47:29 2023 -0300 - - net/sched: tcindex: search key must be 16 bits - - Syzkaller found an issue where a handle greater than 16 bits would trigger - a null-ptr-deref in the imperfect hash area update. - - general protection fault, probably for non-canonical address - 0xdffffc0000000015: 0000 [#1] PREEMPT SMP KASAN - KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af] - CPU: 0 PID: 5070 Comm: syz-executor456 Not tainted - 6.2.0-rc7-syzkaller-00112-gc68f345b7c42 #0 - Hardware name: Google Google Compute Engine/Google Compute Engine, - BIOS Google 01/21/2023 - RIP: 0010:tcindex_set_parms+0x1a6a/0x2990 net/sched/cls_tcindex.c:509 - Code: 01 e9 e9 fe ff ff 4c 8b bd 28 fe ff ff e8 0e 57 7d f9 48 8d bb - a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c - 02 00 0f 85 94 0c 00 00 48 8b 85 f8 fd ff ff 48 8b 9b a8 00 - RSP: 0018:ffffc90003d3ef88 EFLAGS: 00010202 - RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 - RDX: 0000000000000015 RSI: ffffffff8803a102 RDI: 00000000000000a8 - RBP: ffffc90003d3f1d8 R08: 0000000000000001 R09: 0000000000000000 - R10: 0000000000000001 R11: 0000000000000000 R12: ffff88801e2b10a8 - R13: dffffc0000000000 R14: 0000000000030000 R15: ffff888017b3be00 - FS: 00005555569af300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 - CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - CR2: 000056041c6d2000 CR3: 000000002bfca000 CR4: 00000000003506f0 - DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 - DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 - Call Trace: - - tcindex_change+0x1ea/0x320 net/sched/cls_tcindex.c:572 - tc_new_tfilter+0x96e/0x2220 net/sched/cls_api.c:2155 - rtnetlink_rcv_msg+0x959/0xca0 net/core/rtnetlink.c:6132 - netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2574 - netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] - netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365 - netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1942 - sock_sendmsg_nosec net/socket.c:714 [inline] - sock_sendmsg+0xd3/0x120 net/socket.c:734 - ____sys_sendmsg+0x334/0x8c0 net/socket.c:2476 - ___sys_sendmsg+0x110/0x1b0 net/socket.c:2530 - __sys_sendmmsg+0x18f/0x460 net/socket.c:2616 - __do_sys_sendmmsg net/socket.c:2645 [inline] - __se_sys_sendmmsg net/socket.c:2642 [inline] - __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2642 - do_syscall_x64 arch/x86/entry/common.c:50 [inline] - do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 - - Fixes: ee059170b1f7 ("net/sched: tcindex: update imperfect hash filters respecting rcu") - Signed-off-by: Jamal Hadi Salim - Signed-off-by: Pedro Tammela - Reported-by: syzbot - Reviewed-by: Eric Dumazet - Signed-off-by: David S. Miller - -CVE: CVE-2023-1281 -Signed-off-by: Nagappan Ramasamy Palaniappan -Reviewed-by: Reviewed-by: Venkat Venkatsubra -Reviewed-by: Laurence Rochfort ---- - net/sched/cls_tcindex.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c -index 83042a101..a021ba685 100644 ---- a/net/sched/cls_tcindex.c -+++ b/net/sched/cls_tcindex.c -@@ -509,7 +509,7 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base, - /* lookup the filter, guaranteed to exist */ - for (cf = rcu_dereference_bh_rtnl(*fp); cf; - fp = &cf->next, cf = rcu_dereference_bh_rtnl(*fp)) -- if (cf->key == handle) -+ if (cf->key == (u16)handle) - break; - - f->next = cf->next; --- -2.31.1 - diff --git a/SOURCES/1005-net-sched-Retire-tcindex-classifier.patch b/SOURCES/1005-net-sched-Retire-tcindex-classifier.patch deleted file mode 100644 index e951ca9..0000000 --- a/SOURCES/1005-net-sched-Retire-tcindex-classifier.patch +++ /dev/null @@ -1,836 +0,0 @@ -From 4670364a13fccc328386157d820f6ff68619187c Mon Sep 17 00:00:00 2001 -From: Jamal Hadi Salim -Date: Tue, 8 Aug 2023 18:26:13 +0000 -Subject: [PATCH 4/7] net/sched: Retire tcindex classifier - -commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28 upstream - -The tcindex classifier has served us well for about a quarter of a century -but has not been getting much TLC due to lack of known users. Most recently -it has become easy prey to syzkaller. For this reason, we are retiring it. - -Signed-off-by: Jamal Hadi Salim -Acked-by: Jiri Pirko -Signed-off-by: Paolo Abeni - -Conflicts: - include/net/tc_wrapper.h - tools/testing/selftests/tc-testing/tc-tests/filters/tcindex.json - -CVE: CVE-2023-1829 -Signed-off-by: Mridula Shastry -Reviewed-by: Reviewed-by: Venkat Venkatsubra -Reviewed-by: Laurence Rochfort ---- - net/sched/Kconfig | 11 - - net/sched/Makefile | 1 - - net/sched/cls_tcindex.c | 763 ---------------------------------------- - 3 files changed, 775 deletions(-) - delete mode 100644 net/sched/cls_tcindex.c - -diff --git a/net/sched/Kconfig b/net/sched/Kconfig -index afe1d506e..882446fce 100644 ---- a/net/sched/Kconfig -+++ b/net/sched/Kconfig -@@ -502,17 +502,6 @@ config NET_CLS_BASIC - To compile this code as a module, choose M here: the - module will be called cls_basic. - --config NET_CLS_TCINDEX -- tristate "Traffic-Control Index (TCINDEX)" -- select NET_CLS -- help -- Say Y here if you want to be able to classify packets based on -- traffic control indices. You will want this feature if you want -- to implement Differentiated Services together with DSMARK. -- -- To compile this code as a module, choose M here: the -- module will be called cls_tcindex. -- - config NET_CLS_ROUTE4 - tristate "Routing decision (ROUTE)" - depends on INET -diff --git a/net/sched/Makefile b/net/sched/Makefile -index dd14ef413..b7dbac5c5 100644 ---- a/net/sched/Makefile -+++ b/net/sched/Makefile -@@ -70,7 +70,6 @@ obj-$(CONFIG_NET_CLS_U32) += cls_u32.o - obj-$(CONFIG_NET_CLS_ROUTE4) += cls_route.o - obj-$(CONFIG_NET_CLS_FW) += cls_fw.o - obj-$(CONFIG_NET_CLS_RSVP) += cls_rsvp.o --obj-$(CONFIG_NET_CLS_TCINDEX) += cls_tcindex.o - obj-$(CONFIG_NET_CLS_RSVP6) += cls_rsvp6.o - obj-$(CONFIG_NET_CLS_BASIC) += cls_basic.o - obj-$(CONFIG_NET_CLS_FLOW) += cls_flow.o -diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c -deleted file mode 100644 -index a021ba685..000000000 ---- a/net/sched/cls_tcindex.c -+++ /dev/null -@@ -1,763 +0,0 @@ --/* -- * net/sched/cls_tcindex.c Packet classifier for skb->tc_index -- * -- * Written 1998,1999 by Werner Almesberger, EPFL ICA -- */ -- --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include -- --/* -- * Passing parameters to the root seems to be done more awkwardly than really -- * necessary. At least, u32 doesn't seem to use such dirty hacks. To be -- * verified. FIXME. -- */ -- --#define PERFECT_HASH_THRESHOLD 64 /* use perfect hash if not bigger */ --#define DEFAULT_HASH_SIZE 64 /* optimized for diffserv */ -- -- --struct tcindex_data; -- --struct tcindex_filter_result { -- struct tcf_exts exts; -- struct tcf_result res; -- struct tcindex_data *p; -- struct rcu_work rwork; --}; -- --struct tcindex_filter { -- u16 key; -- struct tcindex_filter_result result; -- struct tcindex_filter __rcu *next; -- struct rcu_work rwork; --}; -- -- --struct tcindex_data { -- struct tcindex_filter_result *perfect; /* perfect hash; NULL if none */ -- struct tcindex_filter __rcu **h; /* imperfect hash; */ -- struct tcf_proto *tp; -- u16 mask; /* AND key with mask */ -- u32 shift; /* shift ANDed key to the right */ -- u32 hash; /* hash table size; 0 if undefined */ -- u32 alloc_hash; /* allocated size */ -- u32 fall_through; /* 0: only classify if explicit match */ -- refcount_t refcnt; /* a temporary refcnt for perfect hash */ -- struct rcu_work rwork; --}; -- --static inline int tcindex_filter_is_set(struct tcindex_filter_result *r) --{ -- return tcf_exts_has_actions(&r->exts) || r->res.classid; --} -- --static void tcindex_data_get(struct tcindex_data *p) --{ -- refcount_inc(&p->refcnt); --} -- --static void tcindex_data_put(struct tcindex_data *p) --{ -- if (refcount_dec_and_test(&p->refcnt)) { -- kfree(p->perfect); -- kfree(p->h); -- kfree(p); -- } --} -- --static struct tcindex_filter_result *tcindex_lookup(struct tcindex_data *p, -- u16 key) --{ -- if (p->perfect) { -- struct tcindex_filter_result *f = p->perfect + key; -- -- return tcindex_filter_is_set(f) ? f : NULL; -- } else if (p->h) { -- struct tcindex_filter __rcu **fp; -- struct tcindex_filter *f; -- -- fp = &p->h[key % p->hash]; -- for (f = rcu_dereference_bh_rtnl(*fp); -- f; -- fp = &f->next, f = rcu_dereference_bh_rtnl(*fp)) -- if (f->key == key) -- return &f->result; -- } -- -- return NULL; --} -- -- --static int tcindex_classify(struct sk_buff *skb, const struct tcf_proto *tp, -- struct tcf_result *res) --{ -- struct tcindex_data *p = rcu_dereference_bh(tp->root); -- struct tcindex_filter_result *f; -- int key = (skb->tc_index & p->mask) >> p->shift; -- -- pr_debug("tcindex_classify(skb %p,tp %p,res %p),p %p\n", -- skb, tp, res, p); -- -- f = tcindex_lookup(p, key); -- if (!f) { -- struct Qdisc *q = tcf_block_q(tp->chain->block); -- -- if (!p->fall_through) -- return -1; -- res->classid = TC_H_MAKE(TC_H_MAJ(q->handle), key); -- res->class = 0; -- pr_debug("alg 0x%x\n", res->classid); -- return 0; -- } -- *res = f->res; -- pr_debug("map 0x%x\n", res->classid); -- -- return tcf_exts_exec(skb, &f->exts, res); --} -- -- --static void *tcindex_get(struct tcf_proto *tp, u32 handle) --{ -- struct tcindex_data *p = rtnl_dereference(tp->root); -- struct tcindex_filter_result *r; -- -- pr_debug("tcindex_get(tp %p,handle 0x%08x)\n", tp, handle); -- if (p->perfect && handle >= p->alloc_hash) -- return NULL; -- r = tcindex_lookup(p, handle); -- return r && tcindex_filter_is_set(r) ? r : NULL; --} -- --static int tcindex_init(struct tcf_proto *tp) --{ -- struct tcindex_data *p; -- -- pr_debug("tcindex_init(tp %p)\n", tp); -- p = kzalloc(sizeof(struct tcindex_data), GFP_KERNEL); -- if (!p) -- return -ENOMEM; -- -- p->mask = 0xffff; -- p->hash = DEFAULT_HASH_SIZE; -- p->fall_through = 1; -- refcount_set(&p->refcnt, 1); /* Paired with tcindex_destroy_work() */ -- -- rcu_assign_pointer(tp->root, p); -- return 0; --} -- --static void __tcindex_destroy_rexts(struct tcindex_filter_result *r) --{ -- tcf_exts_destroy(&r->exts); -- tcf_exts_put_net(&r->exts); -- tcindex_data_put(r->p); --} -- --static void tcindex_destroy_rexts_work(struct work_struct *work) --{ -- struct tcindex_filter_result *r; -- -- r = container_of(to_rcu_work(work), -- struct tcindex_filter_result, -- rwork); -- rtnl_lock(); -- __tcindex_destroy_rexts(r); -- rtnl_unlock(); --} -- --static void __tcindex_destroy_fexts(struct tcindex_filter *f) --{ -- tcf_exts_destroy(&f->result.exts); -- tcf_exts_put_net(&f->result.exts); -- kfree(f); --} -- --static void tcindex_destroy_fexts_work(struct work_struct *work) --{ -- struct tcindex_filter *f = container_of(to_rcu_work(work), -- struct tcindex_filter, -- rwork); -- -- rtnl_lock(); -- __tcindex_destroy_fexts(f); -- rtnl_unlock(); --} -- --static int tcindex_delete(struct tcf_proto *tp, void *arg, bool *last, -- bool rtnl_held, struct netlink_ext_ack *extack) --{ -- struct tcindex_data *p = rtnl_dereference(tp->root); -- struct tcindex_filter_result *r = arg; -- struct tcindex_filter __rcu **walk; -- struct tcindex_filter *f = NULL; -- -- pr_debug("tcindex_delete(tp %p,arg %p),p %p\n", tp, arg, p); -- if (p->perfect) { -- if (!r->res.class) -- return -ENOENT; -- } else { -- int i; -- -- for (i = 0; i < p->hash; i++) { -- walk = p->h + i; -- for (f = rtnl_dereference(*walk); f; -- walk = &f->next, f = rtnl_dereference(*walk)) { -- if (&f->result == r) -- goto found; -- } -- } -- return -ENOENT; -- --found: -- rcu_assign_pointer(*walk, rtnl_dereference(f->next)); -- } -- tcf_unbind_filter(tp, &r->res); -- /* all classifiers are required to call tcf_exts_destroy() after rcu -- * grace period, since converted-to-rcu actions are relying on that -- * in cleanup() callback -- */ -- if (f) { -- if (tcf_exts_get_net(&f->result.exts)) -- tcf_queue_work(&f->rwork, tcindex_destroy_fexts_work); -- else -- __tcindex_destroy_fexts(f); -- } else { -- tcindex_data_get(p); -- -- if (tcf_exts_get_net(&r->exts)) -- tcf_queue_work(&r->rwork, tcindex_destroy_rexts_work); -- else -- __tcindex_destroy_rexts(r); -- } -- -- *last = false; -- return 0; --} -- --static void tcindex_destroy_work(struct work_struct *work) --{ -- struct tcindex_data *p = container_of(to_rcu_work(work), -- struct tcindex_data, -- rwork); -- -- tcindex_data_put(p); --} -- --static inline int --valid_perfect_hash(struct tcindex_data *p) --{ -- return p->hash > (p->mask >> p->shift); --} -- --static const struct nla_policy tcindex_policy[TCA_TCINDEX_MAX + 1] = { -- [TCA_TCINDEX_HASH] = { .type = NLA_U32 }, -- [TCA_TCINDEX_MASK] = { .type = NLA_U16 }, -- [TCA_TCINDEX_SHIFT] = { .type = NLA_U32 }, -- [TCA_TCINDEX_FALL_THROUGH] = { .type = NLA_U32 }, -- [TCA_TCINDEX_CLASSID] = { .type = NLA_U32 }, --}; -- --static int tcindex_filter_result_init(struct tcindex_filter_result *r, -- struct tcindex_data *p, -- struct net *net) --{ -- memset(r, 0, sizeof(*r)); -- r->p = p; -- return tcf_exts_init(&r->exts, net, TCA_TCINDEX_ACT, -- TCA_TCINDEX_POLICE); --} -- --static void tcindex_free_perfect_hash(struct tcindex_data *cp); -- --static void tcindex_partial_destroy_work(struct work_struct *work) --{ -- struct tcindex_data *p = container_of(to_rcu_work(work), -- struct tcindex_data, -- rwork); -- -- rtnl_lock(); -- if (p->perfect) -- tcindex_free_perfect_hash(p); -- kfree(p); -- rtnl_unlock(); --} -- --static void tcindex_free_perfect_hash(struct tcindex_data *cp) --{ -- int i; -- -- for (i = 0; i < cp->hash; i++) -- tcf_exts_destroy(&cp->perfect[i].exts); -- kfree(cp->perfect); --} -- --static int tcindex_alloc_perfect_hash(struct net *net, struct tcindex_data *cp) --{ -- int i, err = 0; -- -- cp->perfect = kcalloc(cp->hash, sizeof(struct tcindex_filter_result), -- GFP_KERNEL | __GFP_NOWARN); -- if (!cp->perfect) -- return -ENOMEM; -- -- for (i = 0; i < cp->hash; i++) { -- err = tcf_exts_init(&cp->perfect[i].exts, net, -- TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE); -- if (err < 0) -- goto errout; -- cp->perfect[i].p = cp; -- } -- -- return 0; -- --errout: -- tcindex_free_perfect_hash(cp); -- return err; --} -- --static int --tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base, -- u32 handle, struct tcindex_data *p, -- struct tcindex_filter_result *r, struct nlattr **tb, -- struct nlattr *est, u32 flags, struct netlink_ext_ack *extack) --{ -- struct tcindex_filter_result new_filter_result, *old_r = r; -- struct tcindex_data *cp = NULL, *oldp; -- struct tcindex_filter *f = NULL; /* make gcc behave */ -- struct tcf_result cr = {}; -- int err, balloc = 0; -- struct tcf_exts e; -- bool update_h = false; -- -- err = tcf_exts_init(&e, net, TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE); -- if (err < 0) -- return err; -- err = tcf_exts_validate(net, tp, tb, est, &e, flags, extack); -- if (err < 0) -- goto errout; -- -- err = -ENOMEM; -- /* tcindex_data attributes must look atomic to classifier/lookup so -- * allocate new tcindex data and RCU assign it onto root. Keeping -- * perfect hash and hash pointers from old data. -- */ -- cp = kzalloc(sizeof(*cp), GFP_KERNEL); -- if (!cp) -- goto errout; -- -- cp->mask = p->mask; -- cp->shift = p->shift; -- cp->hash = p->hash; -- cp->alloc_hash = p->alloc_hash; -- cp->fall_through = p->fall_through; -- cp->tp = tp; -- refcount_set(&cp->refcnt, 1); /* Paired with tcindex_destroy_work() */ -- -- if (tb[TCA_TCINDEX_HASH]) -- cp->hash = nla_get_u32(tb[TCA_TCINDEX_HASH]); -- -- if (tb[TCA_TCINDEX_MASK]) -- cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]); -- -- if (tb[TCA_TCINDEX_SHIFT]) { -- cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]); -- if (cp->shift > 16) { -- err = -EINVAL; -- goto errout; -- } -- } -- if (!cp->hash) { -- /* Hash not specified, use perfect hash if the upper limit -- * of the hashing index is below the threshold. -- */ -- if ((cp->mask >> cp->shift) < PERFECT_HASH_THRESHOLD) -- cp->hash = (cp->mask >> cp->shift) + 1; -- else -- cp->hash = DEFAULT_HASH_SIZE; -- } -- -- if (p->perfect) { -- int i; -- -- if (tcindex_alloc_perfect_hash(net, cp) < 0) -- goto errout; -- cp->alloc_hash = cp->hash; -- for (i = 0; i < min(cp->hash, p->hash); i++) -- cp->perfect[i].res = p->perfect[i].res; -- balloc = 1; -- } -- cp->h = p->h; -- -- err = tcindex_filter_result_init(&new_filter_result, cp, net); -- if (err < 0) -- goto errout_alloc; -- if (old_r) -- cr = r->res; -- -- err = -EBUSY; -- -- /* Hash already allocated, make sure that we still meet the -- * requirements for the allocated hash. -- */ -- if (cp->perfect) { -- if (!valid_perfect_hash(cp) || -- cp->hash > cp->alloc_hash) -- goto errout_alloc; -- } else if (cp->h && cp->hash != cp->alloc_hash) { -- goto errout_alloc; -- } -- -- err = -EINVAL; -- if (tb[TCA_TCINDEX_FALL_THROUGH]) -- cp->fall_through = nla_get_u32(tb[TCA_TCINDEX_FALL_THROUGH]); -- -- if (!cp->perfect && !cp->h) -- cp->alloc_hash = cp->hash; -- -- /* Note: this could be as restrictive as if (handle & ~(mask >> shift)) -- * but then, we'd fail handles that may become valid after some future -- * mask change. While this is extremely unlikely to ever matter, -- * the check below is safer (and also more backwards-compatible). -- */ -- if (cp->perfect || valid_perfect_hash(cp)) -- if (handle >= cp->alloc_hash) -- goto errout_alloc; -- -- -- err = -ENOMEM; -- if (!cp->perfect && !cp->h) { -- if (valid_perfect_hash(cp)) { -- if (tcindex_alloc_perfect_hash(net, cp) < 0) -- goto errout_alloc; -- balloc = 1; -- } else { -- struct tcindex_filter __rcu **hash; -- -- hash = kcalloc(cp->hash, -- sizeof(struct tcindex_filter *), -- GFP_KERNEL); -- -- if (!hash) -- goto errout_alloc; -- -- cp->h = hash; -- balloc = 2; -- } -- } -- -- if (cp->perfect) { -- r = cp->perfect + handle; -- } else { -- /* imperfect area is updated in-place using rcu */ -- update_h = !!tcindex_lookup(cp, handle); -- r = &new_filter_result; -- } -- -- if (r == &new_filter_result) { -- f = kzalloc(sizeof(*f), GFP_KERNEL); -- if (!f) -- goto errout_alloc; -- f->key = handle; -- f->next = NULL; -- err = tcindex_filter_result_init(&f->result, cp, net); -- if (err < 0) { -- kfree(f); -- goto errout_alloc; -- } -- } -- -- if (tb[TCA_TCINDEX_CLASSID]) { -- cr.classid = nla_get_u32(tb[TCA_TCINDEX_CLASSID]); -- tcf_bind_filter(tp, &cr, base); -- } -- -- if (old_r && old_r != r) { -- err = tcindex_filter_result_init(old_r, cp, net); -- if (err < 0) { -- kfree(f); -- goto errout_alloc; -- } -- } -- -- oldp = p; -- r->res = cr; -- tcf_exts_change(&r->exts, &e); -- -- rcu_assign_pointer(tp->root, cp); -- -- if (update_h) { -- struct tcindex_filter __rcu **fp; -- struct tcindex_filter *cf; -- -- f->result.res = r->res; -- tcf_exts_change(&f->result.exts, &r->exts); -- -- /* imperfect area bucket */ -- fp = cp->h + (handle % cp->hash); -- -- /* lookup the filter, guaranteed to exist */ -- for (cf = rcu_dereference_bh_rtnl(*fp); cf; -- fp = &cf->next, cf = rcu_dereference_bh_rtnl(*fp)) -- if (cf->key == (u16)handle) -- break; -- -- f->next = cf->next; -- -- cf = rcu_replace_pointer(*fp, f, 1); -- tcf_exts_get_net(&cf->result.exts); -- tcf_queue_work(&cf->rwork, tcindex_destroy_fexts_work); -- } else if (r == &new_filter_result) { -- struct tcindex_filter *nfp; -- struct tcindex_filter __rcu **fp; -- -- f->result.res = r->res; -- tcf_exts_change(&f->result.exts, &r->exts); -- -- fp = cp->h + (handle % cp->hash); -- for (nfp = rtnl_dereference(*fp); -- nfp; -- fp = &nfp->next, nfp = rtnl_dereference(*fp)) -- ; /* nothing */ -- -- rcu_assign_pointer(*fp, f); -- } else { -- tcf_exts_destroy(&new_filter_result.exts); -- } -- -- if (oldp) -- tcf_queue_work(&oldp->rwork, tcindex_partial_destroy_work); -- return 0; -- --errout_alloc: -- if (balloc == 1) -- tcindex_free_perfect_hash(cp); -- else if (balloc == 2) -- kfree(cp->h); -- tcf_exts_destroy(&new_filter_result.exts); --errout: -- kfree(cp); -- tcf_exts_destroy(&e); -- return err; --} -- --static int --tcindex_change(struct net *net, struct sk_buff *in_skb, -- struct tcf_proto *tp, unsigned long base, u32 handle, -- struct nlattr **tca, void **arg, u32 flags, -- struct netlink_ext_ack *extack) --{ -- struct nlattr *opt = tca[TCA_OPTIONS]; -- struct nlattr *tb[TCA_TCINDEX_MAX + 1]; -- struct tcindex_data *p = rtnl_dereference(tp->root); -- struct tcindex_filter_result *r = *arg; -- int err; -- -- pr_debug("tcindex_change(tp %p,handle 0x%08x,tca %p,arg %p),opt %p," -- "p %p,r %p,*arg %p\n", -- tp, handle, tca, arg, opt, p, r, *arg); -- -- if (!opt) -- return 0; -- -- err = nla_parse_nested_deprecated(tb, TCA_TCINDEX_MAX, opt, -- tcindex_policy, NULL); -- if (err < 0) -- return err; -- -- return tcindex_set_parms(net, tp, base, handle, p, r, tb, -- tca[TCA_RATE], flags, extack); --} -- --static void tcindex_walk(struct tcf_proto *tp, struct tcf_walker *walker, -- bool rtnl_held) --{ -- struct tcindex_data *p = rtnl_dereference(tp->root); -- struct tcindex_filter *f, *next; -- int i; -- -- pr_debug("tcindex_walk(tp %p,walker %p),p %p\n", tp, walker, p); -- if (p->perfect) { -- for (i = 0; i < p->hash; i++) { -- if (!p->perfect[i].res.class) -- continue; -- if (walker->count >= walker->skip) { -- if (walker->fn(tp, p->perfect + i, walker) < 0) { -- walker->stop = 1; -- return; -- } -- } -- walker->count++; -- } -- } -- if (!p->h) -- return; -- for (i = 0; i < p->hash; i++) { -- for (f = rtnl_dereference(p->h[i]); f; f = next) { -- next = rtnl_dereference(f->next); -- if (walker->count >= walker->skip) { -- if (walker->fn(tp, &f->result, walker) < 0) { -- walker->stop = 1; -- return; -- } -- } -- walker->count++; -- } -- } --} -- --static void tcindex_destroy(struct tcf_proto *tp, bool rtnl_held, -- struct netlink_ext_ack *extack) --{ -- struct tcindex_data *p = rtnl_dereference(tp->root); -- int i; -- -- pr_debug("tcindex_destroy(tp %p),p %p\n", tp, p); -- -- if (p->perfect) { -- for (i = 0; i < p->hash; i++) { -- struct tcindex_filter_result *r = p->perfect + i; -- -- /* tcf_queue_work() does not guarantee the ordering we -- * want, so we have to take this refcnt temporarily to -- * ensure 'p' is freed after all tcindex_filter_result -- * here. Imperfect hash does not need this, because it -- * uses linked lists rather than an array. -- */ -- tcindex_data_get(p); -- -- tcf_unbind_filter(tp, &r->res); -- if (tcf_exts_get_net(&r->exts)) -- tcf_queue_work(&r->rwork, -- tcindex_destroy_rexts_work); -- else -- __tcindex_destroy_rexts(r); -- } -- } -- -- for (i = 0; p->h && i < p->hash; i++) { -- struct tcindex_filter *f, *next; -- bool last; -- -- for (f = rtnl_dereference(p->h[i]); f; f = next) { -- next = rtnl_dereference(f->next); -- tcindex_delete(tp, &f->result, &last, rtnl_held, NULL); -- } -- } -- -- tcf_queue_work(&p->rwork, tcindex_destroy_work); --} -- -- --static int tcindex_dump(struct net *net, struct tcf_proto *tp, void *fh, -- struct sk_buff *skb, struct tcmsg *t, bool rtnl_held) --{ -- struct tcindex_data *p = rtnl_dereference(tp->root); -- struct tcindex_filter_result *r = fh; -- struct nlattr *nest; -- -- pr_debug("tcindex_dump(tp %p,fh %p,skb %p,t %p),p %p,r %p\n", -- tp, fh, skb, t, p, r); -- pr_debug("p->perfect %p p->h %p\n", p->perfect, p->h); -- -- nest = nla_nest_start_noflag(skb, TCA_OPTIONS); -- if (nest == NULL) -- goto nla_put_failure; -- -- if (!fh) { -- t->tcm_handle = ~0; /* whatever ... */ -- if (nla_put_u32(skb, TCA_TCINDEX_HASH, p->hash) || -- nla_put_u16(skb, TCA_TCINDEX_MASK, p->mask) || -- nla_put_u32(skb, TCA_TCINDEX_SHIFT, p->shift) || -- nla_put_u32(skb, TCA_TCINDEX_FALL_THROUGH, p->fall_through)) -- goto nla_put_failure; -- nla_nest_end(skb, nest); -- } else { -- if (p->perfect) { -- t->tcm_handle = r - p->perfect; -- } else { -- struct tcindex_filter *f; -- struct tcindex_filter __rcu **fp; -- int i; -- -- t->tcm_handle = 0; -- for (i = 0; !t->tcm_handle && i < p->hash; i++) { -- fp = &p->h[i]; -- for (f = rtnl_dereference(*fp); -- !t->tcm_handle && f; -- fp = &f->next, f = rtnl_dereference(*fp)) { -- if (&f->result == r) -- t->tcm_handle = f->key; -- } -- } -- } -- pr_debug("handle = %d\n", t->tcm_handle); -- if (r->res.class && -- nla_put_u32(skb, TCA_TCINDEX_CLASSID, r->res.classid)) -- goto nla_put_failure; -- -- if (tcf_exts_dump(skb, &r->exts) < 0) -- goto nla_put_failure; -- nla_nest_end(skb, nest); -- -- if (tcf_exts_dump_stats(skb, &r->exts) < 0) -- goto nla_put_failure; -- } -- -- return skb->len; -- --nla_put_failure: -- nla_nest_cancel(skb, nest); -- return -1; --} -- --static void tcindex_bind_class(void *fh, u32 classid, unsigned long cl, -- void *q, unsigned long base) --{ -- struct tcindex_filter_result *r = fh; -- -- if (r && r->res.classid == classid) { -- if (cl) -- __tcf_bind_filter(q, &r->res, base); -- else -- __tcf_unbind_filter(q, &r->res); -- } --} -- --static struct tcf_proto_ops cls_tcindex_ops __read_mostly = { -- .kind = "tcindex", -- .classify = tcindex_classify, -- .init = tcindex_init, -- .destroy = tcindex_destroy, -- .get = tcindex_get, -- .change = tcindex_change, -- .delete = tcindex_delete, -- .walk = tcindex_walk, -- .dump = tcindex_dump, -- .bind_class = tcindex_bind_class, -- .owner = THIS_MODULE, --}; -- --static int __init init_tcindex(void) --{ -- return register_tcf_proto_ops(&cls_tcindex_ops); --} -- --static void __exit exit_tcindex(void) --{ -- unregister_tcf_proto_ops(&cls_tcindex_ops); --} -- --module_init(init_tcindex) --module_exit(exit_tcindex) --MODULE_LICENSE("GPL"); --- -2.31.1 - diff --git a/SOURCES/1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch b/SOURCES/1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch deleted file mode 100644 index 321a5b7..0000000 --- a/SOURCES/1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch +++ /dev/null @@ -1,119 +0,0 @@ -From 124abc5a2d892bffaa2830d3d596f087555f0fd3 Mon Sep 17 00:00:00 2001 -From: "Darrick J. Wong" -Date: Tue, 8 Aug 2023 12:41:24 +0000 -Subject: [PATCH 5/7] xfs: verify buffer contents when we skip log replay - -commit 22ed903eee23a5b174e240f1cdfa9acf393a5210 upstream -Author: Darrick J. Wong -Date: Wed Apr 12 15:49:23 2023 +1000 - - xfs: verify buffer contents when we skip log replay - - syzbot detected a crash during log recovery: - - XFS (loop0): Mounting V5 Filesystem bfdc47fc-10d8-4eed-a562-11a831b3f791 - XFS (loop0): Torn write (CRC failure) detected at log block 0x180. Truncating head block from 0x200. - XFS (loop0): Starting recovery (logdev: internal) - ================================================================== - BUG: KASAN: slab-out-of-bounds in xfs_btree_lookup_get_block+0x15c/0x6d0 fs/xfs/libxfs/xfs_btree.c:1813 - Read of size 8 at addr ffff88807e89f258 by task syz-executor132/5074 - - CPU: 0 PID: 5074 Comm: syz-executor132 Not tainted 6.2.0-rc1-syzkaller #0 - Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 - Call Trace: - - __dump_stack lib/dump_stack.c:88 [inline] - dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106 - print_address_description+0x74/0x340 mm/kasan/report.c:306 - print_report+0x107/0x1f0 mm/kasan/report.c:417 - kasan_report+0xcd/0x100 mm/kasan/report.c:517 - xfs_btree_lookup_get_block+0x15c/0x6d0 fs/xfs/libxfs/xfs_btree.c:1813 - xfs_btree_lookup+0x346/0x12c0 fs/xfs/libxfs/xfs_btree.c:1913 - xfs_btree_simple_query_range+0xde/0x6a0 fs/xfs/libxfs/xfs_btree.c:4713 - xfs_btree_query_range+0x2db/0x380 fs/xfs/libxfs/xfs_btree.c:4953 - xfs_refcount_recover_cow_leftovers+0x2d1/0xa60 fs/xfs/libxfs/xfs_refcount.c:1946 - xfs_reflink_recover_cow+0xab/0x1b0 fs/xfs/xfs_reflink.c:930 - xlog_recover_finish+0x824/0x920 fs/xfs/xfs_log_recover.c:3493 - xfs_log_mount_finish+0x1ec/0x3d0 fs/xfs/xfs_log.c:829 - xfs_mountfs+0x146a/0x1ef0 fs/xfs/xfs_mount.c:933 - xfs_fs_fill_super+0xf95/0x11f0 fs/xfs/xfs_super.c:1666 - get_tree_bdev+0x400/0x620 fs/super.c:1282 - vfs_get_tree+0x88/0x270 fs/super.c:1489 - do_new_mount+0x289/0xad0 fs/namespace.c:3145 - do_mount fs/namespace.c:3488 [inline] - __do_sys_mount fs/namespace.c:3697 [inline] - __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 - do_syscall_x64 arch/x86/entry/common.c:50 [inline] - do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 - entry_SYSCALL_64_after_hwframe+0x63/0xcd - RIP: 0033:0x7f89fa3f4aca - Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 - RSP: 002b:00007fffd5fb5ef8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 - RAX: ffffffffffffffda RBX: 00646975756f6e2c RCX: 00007f89fa3f4aca - RDX: 0000000020000100 RSI: 0000000020009640 RDI: 00007fffd5fb5f10 - RBP: 00007fffd5fb5f10 R08: 00007fffd5fb5f50 R09: 000000000000970d - R10: 0000000000200800 R11: 0000000000000206 R12: 0000000000000004 - R13: 0000555556c6b2c0 R14: 0000000000200800 R15: 00007fffd5fb5f50 - - - The fuzzed image contains an AGF with an obviously garbage - agf_refcount_level value of 32, and a dirty log with a buffer log item - for that AGF. The ondisk AGF has a higher LSN than the recovered log - item. xlog_recover_buf_commit_pass2 reads the buffer, compares the - LSNs, and decides to skip replay because the ondisk buffer appears to be - newer. - - Unfortunately, the ondisk buffer is corrupt, but recovery just read the - buffer with no buffer ops specified: - - error = xfs_buf_read(mp->m_ddev_targp, buf_f->blf_blkno, - buf_f->blf_len, buf_flags, &bp, NULL); - - Skipping the buffer leaves its contents in memory unverified. This sets - us up for a kernel crash because xfs_refcount_recover_cow_leftovers - reads the buffer (which is still around in XBF_DONE state, so no read - verification) and creates a refcountbt cursor of height 32. This is - impossible so we run off the end of the cursor object and crash. - - Fix this by invoking the verifier on all skipped buffers and aborting - log recovery if the ondisk buffer is corrupt. It might be smarter to - force replay the log item atop the buffer and then see if it'll pass the - write verifier (like ext4 does) but for now let's go with the - conservative option where we stop immediately. - - Link: https://syzkaller.appspot.com/bug?extid=7e9494b8b399902e994e - Signed-off-by: Darrick J. Wong - Reviewed-by: Dave Chinner - Signed-off-by: Dave Chinner - -CVE: CVE-2023-2124 -Signed-off-by: Nagappan Ramasamy Palaniappan -Reviewed-by: Laurence Rochfort ---- - fs/xfs/xfs_buf_item_recover.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/fs/xfs/xfs_buf_item_recover.c b/fs/xfs/xfs_buf_item_recover.c -index aa4d45701..e8eeaf005 100644 ---- a/fs/xfs/xfs_buf_item_recover.c -+++ b/fs/xfs/xfs_buf_item_recover.c -@@ -934,6 +934,16 @@ xlog_recover_buf_commit_pass2( - if (lsn && lsn != -1 && XFS_LSN_CMP(lsn, current_lsn) >= 0) { - trace_xfs_log_recover_buf_skip(log, buf_f); - xlog_recover_validate_buf_type(mp, bp, buf_f, NULLCOMMITLSN); -+ -+ /* -+ * We're skipping replay of this buffer log item due to the log -+ * item LSN being behind the ondisk buffer. Verify the buffer -+ * contents since we aren't going to run the write verifier. -+ */ -+ if (bp->b_ops) { -+ bp->b_ops->verify_read(bp); -+ error = bp->b_error; -+ } - goto out_release; - } - --- -2.31.1 - diff --git a/SOURCES/1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch b/SOURCES/1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch deleted file mode 100644 index 907a6a2..0000000 --- a/SOURCES/1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 24bbece0ab10a61da0356b7d56a07b0055ee143d Mon Sep 17 00:00:00 2001 -From: Wei Chen -Date: Tue, 8 Aug 2023 12:46:05 +0000 -Subject: [PATCH 6/7] i2c: xgene-slimpro: Fix out-of-bounds bug in - xgene_slimpro_i2c_xfer() - -commit 92fbb6d1296f81f41f65effd7f5f8c0f74943d15 upstream -Author: Wei Chen -Date: Tue Mar 14 16:54:21 2023 +0000 - - i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer() - - The data->block[0] variable comes from user and is a number between - 0-255. Without proper check, the variable may be very large to cause - an out-of-bounds when performing memcpy in slimpro_i2c_blkwr. - - Fix this bug by checking the value of writelen. - - Fixes: f6505fbabc42 ("i2c: add SLIMpro I2C device driver on APM X-Gene platform") - Signed-off-by: Wei Chen - Cc: stable@vger.kernel.org - Reviewed-by: Andi Shyti - Signed-off-by: Wolfram Sang - -CVE: CVE-2023-2194 -Signed-off-by: Nagappan Ramasamy Palaniappan -Reviewed-by: Laurence Rochfort ---- - drivers/i2c/busses/i2c-xgene-slimpro.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/i2c/busses/i2c-xgene-slimpro.c b/drivers/i2c/busses/i2c-xgene-slimpro.c -index f694b3c31..985ba3a3a 100644 ---- a/drivers/i2c/busses/i2c-xgene-slimpro.c -+++ b/drivers/i2c/busses/i2c-xgene-slimpro.c -@@ -322,6 +322,9 @@ static int slimpro_i2c_blkwr(struct slimpro_i2c_dev *ctx, u32 chip, - u32 msg[3]; - int rc; - -+ if (writelen > I2C_SMBUS_BLOCK_MAX) -+ return -EINVAL; -+ - memcpy(ctx->dma_buffer, data, writelen); - paddr = dma_map_single(ctx->dev, ctx->dma_buffer, writelen, - DMA_TO_DEVICE); --- -2.31.1 - diff --git a/SOURCES/1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch b/SOURCES/1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch deleted file mode 100644 index f4abbff..0000000 --- a/SOURCES/1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 7dcc341e1a59f07dcd6ac591ecd90b41dcd28611 Mon Sep 17 00:00:00 2001 -From: Budimir Markovic -Date: Tue, 8 Aug 2023 12:48:54 +0000 -Subject: [PATCH 7/7] perf: Fix check before add_event_to_groups() in - perf_group_detach() - -commit fd0815f632c24878e325821943edccc7fde947a2 upstream -Author: Budimir Markovic -Date: Wed Mar 15 00:29:01 2023 -0700 - -Events should only be added to a groups rb tree if they have not been -removed from their context by list_del_event(). Since remove_on_exec -made it possible to call list_del_event() on individual events before -they are detached from their group, perf_group_detach() should check each -sibling's attach_state before calling add_event_to_groups() on it. - -Fixes: 2e498d0a74e5 ("perf: Add support for event removal on exec") - - Signed-off-by: Budimir Markovic - Signed-off-by: Peter Zijlstra (Intel) - Link: https://lkml.kernel.org/r/ZBFzvQV9tEqoHEtH@gentoo - -CVE: CVE-2023-2235 -Signed-off-by: Nagappan Ramasamy Palaniappan -Reviewed-by: Laurence Rochfort ---- - kernel/events/core.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/events/core.c b/kernel/events/core.c -index d2adc3cbf..182494495 100644 ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -2210,7 +2210,7 @@ static void perf_group_detach(struct perf_event *event) - /* Inherit group flags from the previous leader */ - sibling->group_caps = event->group_caps; - -- if (!RB_EMPTY_NODE(&event->group_node)) { -+ if (sibling->attach_state & PERF_ATTACH_CONTEXT) { - add_event_to_groups(sibling, event->ctx); - - if (sibling->state == PERF_EVENT_STATE_ACTIVE) --- -2.31.1 - diff --git a/SOURCES/1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch b/SOURCES/1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch deleted file mode 100644 index f24e08e..0000000 --- a/SOURCES/1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 5bdcf7f9a8e44d61d724943167c381611b02a5ff Mon Sep 17 00:00:00 2001 -From: Ruihan Li -Date: Sun, 16 Apr 2023 16:14:04 +0800 -Subject: [PATCH 1/6] bluetooth: Perform careful capability checks in - hci_sock_ioctl() - -Previously, capability was checked using capable(), which verified that the -caller of the ioctl system call had the required capability. In addition, -the result of the check would be stored in the HCI_SOCK_TRUSTED flag, -making it persistent for the socket. - -However, malicious programs can abuse this approach by deliberately sharing -an HCI socket with a privileged task. The HCI socket will be marked as -trusted when the privileged task occasionally makes an ioctl call. - -This problem can be solved by using sk_capable() to check capability, which -ensures that not only the current task but also the socket opener has the -specified capability, thus reducing the risk of privilege escalation -through the previously identified vulnerability. - -Cc: stable@vger.kernel.org -Fixes: f81f5b2db869 ("Bluetooth: Send control open and close messages for HCI raw sockets") -Signed-off-by: Ruihan Li -Signed-off-by: Luiz Augusto von Dentz -(cherry picked from commit 25c150ac103a4ebeed0319994c742a90634ddf18) - -CVE: CVE-2023-2002 -Signed-off-by: Mridula Shastry -Reviewed-by: Venkat Venkatsubra ---- - net/bluetooth/hci_sock.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c -index d7c9ead69554..3cb8a2879ebb 100644 ---- a/net/bluetooth/hci_sock.c -+++ b/net/bluetooth/hci_sock.c -@@ -1000,7 +1000,14 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, - if (hci_sock_gen_cookie(sk)) { - struct sk_buff *skb; - -- if (capable(CAP_NET_ADMIN)) -+ /* Perform careful checks before setting the HCI_SOCK_TRUSTED -+ * flag. Make sure that not only the current task but also -+ * the socket opener has the required capability, since -+ * privileged programs can be tricked into making ioctl calls -+ * on HCI sockets, and the socket should not be marked as -+ * trusted simply because the ioctl caller is privileged. -+ */ -+ if (sk_capable(sk, CAP_NET_ADMIN)) - hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); - - /* Send event to monitor */ --- -2.39.3 - diff --git a/SOURCES/1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch b/SOURCES/1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch deleted file mode 100644 index 1b27d11..0000000 --- a/SOURCES/1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch +++ /dev/null @@ -1,172 +0,0 @@ -From e594c8e25c5f6a3432c324cf8df93d34578825bb Mon Sep 17 00:00:00 2001 -From: "t.feng" -Date: Wed, 10 May 2023 11:50:44 +0800 -Subject: [PATCH 2/6] ipvlan:Fix out-of-bounds caused by unclear skb->cb - -If skb enqueue the qdisc, fq_skb_cb(skb)->time_to_send is changed which -is actually skb->cb, and IPCB(skb_in)->opt will be used in -__ip_options_echo. It is possible that memcpy is out of bounds and lead -to stack overflow. -We should clear skb->cb before ip_local_out or ip6_local_out. - -v2: -1. clean the stack info -2. use IPCB/IP6CB instead of skb->cb - -crash on stable-5.10(reproduce in kasan kernel). -Stack info: -[ 2203.651571] BUG: KASAN: stack-out-of-bounds in -__ip_options_echo+0x589/0x800 -[ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task -swapper/3/0 -[ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted -5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1 -[ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), -BIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014 -[ 2203.655475] Call Trace: -[ 2203.655481] -[ 2203.655501] dump_stack+0x9c/0xd3 -[ 2203.655514] print_address_description.constprop.0+0x19/0x170 -[ 2203.655530] __kasan_report.cold+0x6c/0x84 -[ 2203.655586] kasan_report+0x3a/0x50 -[ 2203.655594] check_memory_region+0xfd/0x1f0 -[ 2203.655601] memcpy+0x39/0x60 -[ 2203.655608] __ip_options_echo+0x589/0x800 -[ 2203.655654] __icmp_send+0x59a/0x960 -[ 2203.655755] nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4] -[ 2203.655763] reject_tg+0x77/0x1bf [ipt_REJECT] -[ 2203.655772] ipt_do_table+0x691/0xa40 [ip_tables] -[ 2203.655821] nf_hook_slow+0x69/0x100 -[ 2203.655828] __ip_local_out+0x21e/0x2b0 -[ 2203.655857] ip_local_out+0x28/0x90 -[ 2203.655868] ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan] -[ 2203.655931] ipvlan_xmit_mode_l3+0x3bd/0x400 [ipvlan] -[ 2203.655967] ipvlan_queue_xmit+0xb3/0x190 [ipvlan] -[ 2203.655977] ipvlan_start_xmit+0x2e/0xb0 [ipvlan] -[ 2203.655984] xmit_one.constprop.0+0xe1/0x280 -[ 2203.655992] dev_hard_start_xmit+0x62/0x100 -[ 2203.656000] sch_direct_xmit+0x215/0x640 -[ 2203.656028] __qdisc_run+0x153/0x1f0 -[ 2203.656069] __dev_queue_xmit+0x77f/0x1030 -[ 2203.656173] ip_finish_output2+0x59b/0xc20 -[ 2203.656244] __ip_finish_output.part.0+0x318/0x3d0 -[ 2203.656312] ip_finish_output+0x168/0x190 -[ 2203.656320] ip_output+0x12d/0x220 -[ 2203.656357] __ip_queue_xmit+0x392/0x880 -[ 2203.656380] __tcp_transmit_skb+0x1088/0x11c0 -[ 2203.656436] __tcp_retransmit_skb+0x475/0xa30 -[ 2203.656505] tcp_retransmit_skb+0x2d/0x190 -[ 2203.656512] tcp_retransmit_timer+0x3af/0x9a0 -[ 2203.656519] tcp_write_timer_handler+0x3ba/0x510 -[ 2203.656529] tcp_write_timer+0x55/0x180 -[ 2203.656542] call_timer_fn+0x3f/0x1d0 -[ 2203.656555] expire_timers+0x160/0x200 -[ 2203.656562] run_timer_softirq+0x1f4/0x480 -[ 2203.656606] __do_softirq+0xfd/0x402 -[ 2203.656613] asm_call_irq_on_stack+0x12/0x20 -[ 2203.656617] -[ 2203.656623] do_softirq_own_stack+0x37/0x50 -[ 2203.656631] irq_exit_rcu+0x134/0x1a0 -[ 2203.656639] sysvec_apic_timer_interrupt+0x36/0x80 -[ 2203.656646] asm_sysvec_apic_timer_interrupt+0x12/0x20 -[ 2203.656654] RIP: 0010:default_idle+0x13/0x20 -[ 2203.656663] Code: 89 f0 5d 41 5c 41 5d 41 5e c3 cc cc cc cc cc cc cc -cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 44 00 00 0f 00 2d 9f 32 57 00 fb -f4 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 be 08 -[ 2203.656668] RSP: 0018:ffff88810036fe78 EFLAGS: 00000256 -[ 2203.656676] RAX: ffffffffaf2a87f0 RBX: ffff888100360000 RCX: -ffffffffaf290191 -[ 2203.656681] RDX: 0000000000098b5e RSI: 0000000000000004 RDI: -ffff88811a3c4f60 -[ 2203.656686] RBP: 0000000000000000 R08: 0000000000000001 R09: -ffff88811a3c4f63 -[ 2203.656690] R10: ffffed10234789ec R11: 0000000000000001 R12: -0000000000000003 -[ 2203.656695] R13: ffff888100360000 R14: 0000000000000000 R15: -0000000000000000 -[ 2203.656729] default_idle_call+0x5a/0x150 -[ 2203.656735] cpuidle_idle_call+0x1c6/0x220 -[ 2203.656780] do_idle+0xab/0x100 -[ 2203.656786] cpu_startup_entry+0x19/0x20 -[ 2203.656793] secondary_startup_64_no_verify+0xc2/0xcb - -[ 2203.657409] The buggy address belongs to the page: -[ 2203.658648] page:0000000027a9842f refcount:1 mapcount:0 -mapping:0000000000000000 index:0x0 pfn:0x11a388 -[ 2203.658665] flags: -0x17ffffc0001000(reserved|node=0|zone=2|lastcpupid=0x1fffff) -[ 2203.658675] raw: 0017ffffc0001000 ffffea000468e208 ffffea000468e208 -0000000000000000 -[ 2203.658682] raw: 0000000000000000 0000000000000000 00000001ffffffff -0000000000000000 -[ 2203.658686] page dumped because: kasan: bad access detected - -To reproduce(ipvlan with IPVLAN_MODE_L3): -Env setting: -======================================================= -modprobe ipvlan ipvlan_default_mode=1 -sysctl net.ipv4.conf.eth0.forwarding=1 -iptables -t nat -A POSTROUTING -s 20.0.0.0/255.255.255.0 -o eth0 -j -MASQUERADE -ip link add gw link eth0 type ipvlan -ip -4 addr add 20.0.0.254/24 dev gw -ip netns add net1 -ip link add ipv1 link eth0 type ipvlan -ip link set ipv1 netns net1 -ip netns exec net1 ip link set ipv1 up -ip netns exec net1 ip -4 addr add 20.0.0.4/24 dev ipv1 -ip netns exec net1 route add default gw 20.0.0.254 -ip netns exec net1 tc qdisc add dev ipv1 root netem loss 10% -ifconfig gw up -iptables -t filter -A OUTPUT -p tcp --dport 8888 -j REJECT --reject-with -icmp-port-unreachable -======================================================= -And then excute the shell(curl any address of eth0 can reach): - -for((i=1;i<=100000;i++)) -do - ip netns exec net1 curl x.x.x.x:8888 -done -======================================================= - -Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") -Signed-off-by: "t.feng" -Suggested-by: Florian Westphal -Reviewed-by: Paolo Abeni -Signed-off-by: David S. Miller -(cherry picked from commit 90cbed5247439a966b645b34eb0a2e037836ea8e) - -CVE: CVE-2023-3090 -Signed-off-by: Mridula Shastry -Reviewed-by: Venkat Venkatsubra ---- - drivers/net/ipvlan/ipvlan_core.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c -index 62c73a8ed0c3..f1ffe1800754 100644 ---- a/drivers/net/ipvlan/ipvlan_core.c -+++ b/drivers/net/ipvlan/ipvlan_core.c -@@ -443,6 +443,9 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb) - goto err; - } - skb_dst_set(skb, &rt->dst); -+ -+ memset(IPCB(skb), 0, sizeof(*IPCB(skb))); -+ - err = ip_local_out(net, skb->sk, skb); - if (unlikely(net_xmit_eval(err))) - dev->stats.tx_errors++; -@@ -481,6 +484,9 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb) - goto err; - } - skb_dst_set(skb, dst); -+ -+ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); -+ - err = ip6_local_out(net, skb->sk, skb); - if (unlikely(net_xmit_eval(err))) - dev->stats.tx_errors++; --- -2.39.3 - diff --git a/SOURCES/1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch b/SOURCES/1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch deleted file mode 100644 index 2a4a108..0000000 --- a/SOURCES/1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 0da574f21ad25aae92e8262b7636dc95cf12aacf Mon Sep 17 00:00:00 2001 -From: M A Ramdhan -Date: Wed, 5 Jul 2023 12:15:30 -0400 -Subject: [PATCH 3/6] net/sched: cls_fw: Fix improper refcount update leads to - use-after-free - -In the event of a failure in tcf_change_indev(), fw_set_parms() will -immediately return an error after incrementing or decrementing -reference counter in tcf_bind_filter(). If attacker can control -reference counter to zero and make reference freed, leading to -use after free. - -In order to prevent this, move the point of possible failure above the -point where the TC_FW_CLASSID is handled. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Reported-by: M A Ramdhan -Signed-off-by: M A Ramdhan -Acked-by: Jamal Hadi Salim -Reviewed-by: Pedro Tammela -Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg> -Signed-off-by: Jakub Kicinski -(cherry picked from commit 0323bce598eea038714f941ce2b22541c46d488f) - -CVE: CVE-2023-3776 -Signed-off-by: Mridula Shastry -Reviewed-by: Venkat Venkatsubra ---- - net/sched/cls_fw.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c -index 6a0d3ee00758..4240ca68cbc4 100644 ---- a/net/sched/cls_fw.c -+++ b/net/sched/cls_fw.c -@@ -214,11 +214,6 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp, - if (err < 0) - return err; - -- if (tb[TCA_FW_CLASSID]) { -- f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]); -- tcf_bind_filter(tp, &f->res, base); -- } -- - if (tb[TCA_FW_INDEV]) { - int ret; - ret = tcf_change_indev(net, tb[TCA_FW_INDEV], extack); -@@ -235,6 +230,11 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp, - } else if (head->mask != 0xFFFFFFFF) - return err; - -+ if (tb[TCA_FW_CLASSID]) { -+ f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]); -+ tcf_bind_filter(tp, &f->res, base); -+ } -+ - return 0; - } - --- -2.39.3 - diff --git a/SOURCES/1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch b/SOURCES/1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch deleted file mode 100644 index 8aa2c93..0000000 --- a/SOURCES/1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 036bd76b11980194badfb3b281a0307b4f6be7df Mon Sep 17 00:00:00 2001 -From: Florian Westphal -Date: Wed, 19 Jul 2023 21:08:21 +0200 -Subject: [PATCH 4/6] netfilter: nft_set_pipapo: fix improper element removal - -end key should be equal to start unless NFT_SET_EXT_KEY_END is present. - -Its possible to add elements that only have a start key -("{ 1.0.0.0 . 2.0.0.0 }") without an internval end. - -Insertion treats this via: - -if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) - end = (const u8 *)nft_set_ext_key_end(ext)->data; -else - end = start; - -but removal side always uses nft_set_ext_key_end(). -This is wrong and leads to garbage remaining in the set after removal -next lookup/insert attempt will give: - -BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90 -Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399 -Call Trace: - kasan_report+0x105/0x140 - pipapo_get+0x8eb/0xb90 - nft_pipapo_insert+0x1dc/0x1710 - nf_tables_newsetelem+0x31f5/0x4e00 - .. - -Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") -Reported-by: lonial con -Reviewed-by: Stefano Brivio -Signed-off-by: Florian Westphal -(cherry picked from commit 87b5a5c209405cb6b57424cdfa226a6dbd349232) - -CVE: CVE-2023-4004 -Signed-off-by: Mridula Shastry -Reviewed-by: Venkat Venkatsubra ---- - net/netfilter/nft_set_pipapo.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c -index 1eab335fb14b..0181617f9628 100644 ---- a/net/netfilter/nft_set_pipapo.c -+++ b/net/netfilter/nft_set_pipapo.c -@@ -1797,7 +1797,11 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set, - int i, start, rules_fx; - - match_start = data; -- match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; -+ -+ if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END)) -+ match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; -+ else -+ match_end = data; - - start = first_rule; - rules_fx = rules_f0; --- -2.39.3 - diff --git a/SOURCES/1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch b/SOURCES/1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch deleted file mode 100644 index cdec0ec..0000000 --- a/SOURCES/1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch +++ /dev/null @@ -1,217 +0,0 @@ -From b8f43f1b9945bb063ef0eae3bcdc6e04d8728d8f Mon Sep 17 00:00:00 2001 -From: Thadeu Lima de Souza Cascardo -Date: Wed, 5 Jul 2023 18:05:35 -0300 -Subject: [PATCH 5/6] netfilter: nf_tables: prevent OOB access in - nft_byteorder_eval - -When evaluating byteorder expressions with size 2, a union with 32-bit and -16-bit members is used. Since the 16-bit members are aligned to 32-bit, -the array accesses will be out-of-bounds. - -It may lead to a stack-out-of-bounds access like the one below: - -[ 23.095215] ================================================================== -[ 23.095625] BUG: KASAN: stack-out-of-bounds in nft_byteorder_eval+0x13c/0x320 -[ 23.096020] Read of size 2 at addr ffffc90000007948 by task ping/115 -[ 23.096358] -[ 23.096456] CPU: 0 PID: 115 Comm: ping Not tainted 6.4.0+ #413 -[ 23.096770] Call Trace: -[ 23.096910] -[ 23.097030] dump_stack_lvl+0x60/0xc0 -[ 23.097218] print_report+0xcf/0x630 -[ 23.097388] ? nft_byteorder_eval+0x13c/0x320 -[ 23.097577] ? kasan_addr_to_slab+0xd/0xc0 -[ 23.097760] ? nft_byteorder_eval+0x13c/0x320 -[ 23.097949] kasan_report+0xc9/0x110 -[ 23.098106] ? nft_byteorder_eval+0x13c/0x320 -[ 23.098298] __asan_load2+0x83/0xd0 -[ 23.098453] nft_byteorder_eval+0x13c/0x320 -[ 23.098659] nft_do_chain+0x1c8/0xc50 -[ 23.098852] ? __pfx_nft_do_chain+0x10/0x10 -[ 23.099078] ? __kasan_check_read+0x11/0x20 -[ 23.099295] ? __pfx___lock_acquire+0x10/0x10 -[ 23.099535] ? __pfx___lock_acquire+0x10/0x10 -[ 23.099745] ? __kasan_check_read+0x11/0x20 -[ 23.099929] nft_do_chain_ipv4+0xfe/0x140 -[ 23.100105] ? __pfx_nft_do_chain_ipv4+0x10/0x10 -[ 23.100327] ? lock_release+0x204/0x400 -[ 23.100515] ? nf_hook.constprop.0+0x340/0x550 -[ 23.100779] nf_hook_slow+0x6c/0x100 -[ 23.100977] ? __pfx_nft_do_chain_ipv4+0x10/0x10 -[ 23.101223] nf_hook.constprop.0+0x334/0x550 -[ 23.101443] ? __pfx_ip_local_deliver_finish+0x10/0x10 -[ 23.101677] ? __pfx_nf_hook.constprop.0+0x10/0x10 -[ 23.101882] ? __pfx_ip_rcv_finish+0x10/0x10 -[ 23.102071] ? __pfx_ip_local_deliver_finish+0x10/0x10 -[ 23.102291] ? rcu_read_lock_held+0x4b/0x70 -[ 23.102481] ip_local_deliver+0xbb/0x110 -[ 23.102665] ? __pfx_ip_rcv+0x10/0x10 -[ 23.102839] ip_rcv+0x199/0x2a0 -[ 23.102980] ? __pfx_ip_rcv+0x10/0x10 -[ 23.103140] __netif_receive_skb_one_core+0x13e/0x150 -[ 23.103362] ? __pfx___netif_receive_skb_one_core+0x10/0x10 -[ 23.103647] ? mark_held_locks+0x48/0xa0 -[ 23.103819] ? process_backlog+0x36c/0x380 -[ 23.103999] __netif_receive_skb+0x23/0xc0 -[ 23.104179] process_backlog+0x91/0x380 -[ 23.104350] __napi_poll.constprop.0+0x66/0x360 -[ 23.104589] ? net_rx_action+0x1cb/0x610 -[ 23.104811] net_rx_action+0x33e/0x610 -[ 23.105024] ? _raw_spin_unlock+0x23/0x50 -[ 23.105257] ? __pfx_net_rx_action+0x10/0x10 -[ 23.105485] ? mark_held_locks+0x48/0xa0 -[ 23.105741] __do_softirq+0xfa/0x5ab -[ 23.105956] ? __dev_queue_xmit+0x765/0x1c00 -[ 23.106193] do_softirq.part.0+0x49/0xc0 -[ 23.106423] -[ 23.106547] -[ 23.106670] __local_bh_enable_ip+0xf5/0x120 -[ 23.106903] __dev_queue_xmit+0x789/0x1c00 -[ 23.107131] ? __pfx___dev_queue_xmit+0x10/0x10 -[ 23.107381] ? find_held_lock+0x8e/0xb0 -[ 23.107585] ? lock_release+0x204/0x400 -[ 23.107798] ? neigh_resolve_output+0x185/0x350 -[ 23.108049] ? mark_held_locks+0x48/0xa0 -[ 23.108265] ? neigh_resolve_output+0x185/0x350 -[ 23.108514] neigh_resolve_output+0x246/0x350 -[ 23.108753] ? neigh_resolve_output+0x246/0x350 -[ 23.109003] ip_finish_output2+0x3c3/0x10b0 -[ 23.109250] ? __pfx_ip_finish_output2+0x10/0x10 -[ 23.109510] ? __pfx_nf_hook+0x10/0x10 -[ 23.109732] __ip_finish_output+0x217/0x390 -[ 23.109978] ip_finish_output+0x2f/0x130 -[ 23.110207] ip_output+0xc9/0x170 -[ 23.110404] ip_push_pending_frames+0x1a0/0x240 -[ 23.110652] raw_sendmsg+0x102e/0x19e0 -[ 23.110871] ? __pfx_raw_sendmsg+0x10/0x10 -[ 23.111093] ? lock_release+0x204/0x400 -[ 23.111304] ? __mod_lruvec_page_state+0x148/0x330 -[ 23.111567] ? find_held_lock+0x8e/0xb0 -[ 23.111777] ? find_held_lock+0x8e/0xb0 -[ 23.111993] ? __rcu_read_unlock+0x7c/0x2f0 -[ 23.112225] ? aa_sk_perm+0x18a/0x550 -[ 23.112431] ? filemap_map_pages+0x4f1/0x900 -[ 23.112665] ? __pfx_aa_sk_perm+0x10/0x10 -[ 23.112880] ? find_held_lock+0x8e/0xb0 -[ 23.113098] inet_sendmsg+0xa0/0xb0 -[ 23.113297] ? inet_sendmsg+0xa0/0xb0 -[ 23.113500] ? __pfx_inet_sendmsg+0x10/0x10 -[ 23.113727] sock_sendmsg+0xf4/0x100 -[ 23.113924] ? move_addr_to_kernel.part.0+0x4f/0xa0 -[ 23.114190] __sys_sendto+0x1d4/0x290 -[ 23.114391] ? __pfx___sys_sendto+0x10/0x10 -[ 23.114621] ? __pfx_mark_lock.part.0+0x10/0x10 -[ 23.114869] ? lock_release+0x204/0x400 -[ 23.115076] ? find_held_lock+0x8e/0xb0 -[ 23.115287] ? rcu_is_watching+0x23/0x60 -[ 23.115503] ? __rseq_handle_notify_resume+0x6e2/0x860 -[ 23.115778] ? __kasan_check_write+0x14/0x30 -[ 23.116008] ? blkcg_maybe_throttle_current+0x8d/0x770 -[ 23.116285] ? mark_held_locks+0x28/0xa0 -[ 23.116503] ? do_syscall_64+0x37/0x90 -[ 23.116713] __x64_sys_sendto+0x7f/0xb0 -[ 23.116924] do_syscall_64+0x59/0x90 -[ 23.117123] ? irqentry_exit_to_user_mode+0x25/0x30 -[ 23.117387] ? irqentry_exit+0x77/0xb0 -[ 23.117593] ? exc_page_fault+0x92/0x140 -[ 23.117806] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 -[ 23.118081] RIP: 0033:0x7f744aee2bba -[ 23.118282] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 -[ 23.119237] RSP: 002b:00007ffd04a7c9f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c -[ 23.119644] RAX: ffffffffffffffda RBX: 00007ffd04a7e0a0 RCX: 00007f744aee2bba -[ 23.120023] RDX: 0000000000000040 RSI: 000056488e9e6300 RDI: 0000000000000003 -[ 23.120413] RBP: 000056488e9e6300 R08: 00007ffd04a80320 R09: 0000000000000010 -[ 23.120809] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 -[ 23.121219] R13: 00007ffd04a7dc38 R14: 00007ffd04a7ca00 R15: 00007ffd04a7e0a0 -[ 23.121617] -[ 23.121749] -[ 23.121845] The buggy address belongs to the virtual mapping at -[ 23.121845] [ffffc90000000000, ffffc90000009000) created by: -[ 23.121845] irq_init_percpu_irqstack+0x1cf/0x270 -[ 23.122707] -[ 23.122803] The buggy address belongs to the physical page: -[ 23.123104] page:0000000072ac19f0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24a09 -[ 23.123609] flags: 0xfffffc0001000(reserved|node=0|zone=1|lastcpupid=0x1fffff) -[ 23.123998] page_type: 0xffffffff() -[ 23.124194] raw: 000fffffc0001000 ffffea0000928248 ffffea0000928248 0000000000000000 -[ 23.124610] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 -[ 23.125023] page dumped because: kasan: bad access detected -[ 23.125326] -[ 23.125421] Memory state around the buggy address: -[ 23.125682] ffffc90000007800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -[ 23.126072] ffffc90000007880: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 -[ 23.126455] >ffffc90000007900: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 -[ 23.126840] ^ -[ 23.127138] ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 -[ 23.127522] ffffc90000007a00: f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 -[ 23.127906] ================================================================== -[ 23.128324] Disabling lock debugging due to kernel taint - -Using simple s16 pointers for the 16-bit accesses fixes the problem. For -the 32-bit accesses, src and dst can be used directly. - -Fixes: 96518518cc41 ("netfilter: add nftables") -Cc: stable@vger.kernel.org -Reported-by: Tanguy DUBROCA (@SidewayRE) from @Synacktiv working with ZDI -Signed-off-by: Thadeu Lima de Souza Cascardo -Reviewed-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso -(cherry picked from commit caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd) - -CVE: CVE-2023-35001 -Signed-off-by: Mridula Shastry -Reviewed-by: Venkat Venkatsubra ---- - net/netfilter/nft_byteorder.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c -index 6fc6f2f45b0a..a752c98e97fb 100644 ---- a/net/netfilter/nft_byteorder.c -+++ b/net/netfilter/nft_byteorder.c -@@ -33,11 +33,11 @@ void nft_byteorder_eval(const struct nft_expr *expr, - const struct nft_byteorder *priv = nft_expr_priv(expr); - u32 *src = ®s->data[priv->sreg]; - u32 *dst = ®s->data[priv->dreg]; -- union { u32 u32; u16 u16; } *s, *d; -+ u16 *s16, *d16; - unsigned int i; - -- s = (void *)src; -- d = (void *)dst; -+ s16 = (void *)src; -+ d16 = (void *)dst; - - switch (priv->size) { - case 8: { -@@ -64,11 +64,11 @@ void nft_byteorder_eval(const struct nft_expr *expr, - switch (priv->op) { - case NFT_BYTEORDER_NTOH: - for (i = 0; i < priv->len / 4; i++) -- d[i].u32 = ntohl((__force __be32)s[i].u32); -+ dst[i] = ntohl((__force __be32)src[i]); - break; - case NFT_BYTEORDER_HTON: - for (i = 0; i < priv->len / 4; i++) -- d[i].u32 = (__force __u32)htonl(s[i].u32); -+ dst[i] = (__force __u32)htonl(src[i]); - break; - } - break; -@@ -76,11 +76,11 @@ void nft_byteorder_eval(const struct nft_expr *expr, - switch (priv->op) { - case NFT_BYTEORDER_NTOH: - for (i = 0; i < priv->len / 2; i++) -- d[i].u16 = ntohs((__force __be16)s[i].u16); -+ d16[i] = ntohs((__force __be16)s16[i]); - break; - case NFT_BYTEORDER_HTON: - for (i = 0; i < priv->len / 2; i++) -- d[i].u16 = (__force __u16)htons(s[i].u16); -+ d16[i] = (__force __u16)htons(s16[i]); - break; - } - break; --- -2.39.3 - diff --git a/SOURCES/1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch b/SOURCES/1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch deleted file mode 100644 index 73bd680..0000000 --- a/SOURCES/1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch +++ /dev/null @@ -1,44 +0,0 @@ -From b07f2873225c6e16abd6ec352e9cd52a72fe7785 Mon Sep 17 00:00:00 2001 -From: Hangyu Hua -Date: Wed, 31 May 2023 18:28:04 +0800 -Subject: [PATCH 6/6] net/sched: flower: fix possible OOB write in - fl_set_geneve_opt() - -If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total -size is 252 bytes(key->enc_opts.len = 252) then -key->enc_opts.len = opt->length = data_len / 4 = 0 when the third -TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This -bypasses the next bounds check and results in an out-of-bounds. - -Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options") -Signed-off-by: Hangyu Hua -Reviewed-by: Simon Horman -Reviewed-by: Pieter Jansen van Vuuren -Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.com -Signed-off-by: Paolo Abeni -(cherry picked from commit 4d56304e5827c8cc8cc18c75343d283af7c4825c) - -CVE: CVE-2023-35788 -Signed-off-by: Mridula Shastry -Reviewed-by: Venkat Venkatsubra ---- - net/sched/cls_flower.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c -index b81abfcd2a19..ca232483cfab 100644 ---- a/net/sched/cls_flower.c -+++ b/net/sched/cls_flower.c -@@ -1151,6 +1151,9 @@ static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key, - if (option_len > sizeof(struct geneve_opt)) - data_len = option_len - sizeof(struct geneve_opt); - -+ if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4) -+ return -ERANGE; -+ - opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len]; - memset(opt, 0xff, option_len); - opt->length = data_len / 4; --- -2.39.3 - diff --git a/SOURCES/1015-x86-microcode-intel-Expose-collect_cpu_info_early-fo.patch b/SOURCES/1015-x86-microcode-intel-Expose-collect_cpu_info_early-fo.patch deleted file mode 100644 index 2f7666e..0000000 --- a/SOURCES/1015-x86-microcode-intel-Expose-collect_cpu_info_early-fo.patch +++ /dev/null @@ -1,243 +0,0 @@ -From 38871bad2601515be96d1c3eb2ca1dbe2293bfff Mon Sep 17 00:00:00 2001 -From: Jithu Joseph -Date: Fri, 6 May 2022 15:53:59 -0700 -Subject: [PATCH 01/36] x86/microcode/intel: Expose collect_cpu_info_early() - for IFS - -IFS is a CPU feature that allows a binary blob, similar to microcode, -to be loaded and consumed to perform low level validation of CPU -circuitry. In fact, it carries the same Processor Signature -(family/model/stepping) details that are contained in Intel microcode -blobs. - -In support of an IFS driver to trigger loading, validation, and running -of these tests blobs, make the functionality of cpu_signatures_match() -and collect_cpu_info_early() available outside of the microcode driver. - -Add an "intel_" prefix and drop the "_early" suffix from -collect_cpu_info_early() and EXPORT_SYMBOL_GPL() it. Add -declaration to x86 - -Make cpu_signatures_match() an inline function in x86 , -and also give it an "intel_" prefix. - -No functional change intended. - -Reviewed-by: Dan Williams -Signed-off-by: Jithu Joseph -Co-developed-by: Tony Luck -Signed-off-by: Tony Luck -Reviewed-by: Thomas Gleixner -Acked-by: Borislav Petkov -Reviewed-by: Greg Kroah-Hartman -Link: https://lore.kernel.org/r/20220506225410.1652287-2-tony.luck@intel.com -Signed-off-by: Hans de Goede -(cherry picked from commit d3287fb0d3c8afdfd4870a6cd4a852abc9008b3b) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/include/asm/cpu.h | 19 +++++++++ - arch/x86/kernel/cpu/intel.c | 32 +++++++++++++++ - arch/x86/kernel/cpu/microcode/intel.c | 59 ++++----------------------- - 3 files changed, 58 insertions(+), 52 deletions(-) - -diff --git a/arch/x86/include/asm/cpu.h b/arch/x86/include/asm/cpu.h -index 21924730afae..2d62a3f122ee 100644 ---- a/arch/x86/include/asm/cpu.h -+++ b/arch/x86/include/asm/cpu.h -@@ -73,4 +73,23 @@ static inline u8 get_this_hybrid_cpu_type(void) - return 0; - } - #endif -+ -+struct ucode_cpu_info; -+ -+int intel_cpu_collect_info(struct ucode_cpu_info *uci); -+ -+static inline bool intel_cpu_signatures_match(unsigned int s1, unsigned int p1, -+ unsigned int s2, unsigned int p2) -+{ -+ if (s1 != s2) -+ return false; -+ -+ /* Processor flags are either both 0 ... */ -+ if (!p1 && !p2) -+ return true; -+ -+ /* ... or they intersect. */ -+ return p1 & p2; -+} -+ - #endif /* _ASM_X86_CPU_H */ -diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c -index 7579e773e29b..cf85431fb09a 100644 ---- a/arch/x86/kernel/cpu/intel.c -+++ b/arch/x86/kernel/cpu/intel.c -@@ -217,6 +217,38 @@ static bool bad_spectre_microcode(struct cpuinfo_x86 *c) - return false; - } - -+int intel_cpu_collect_info(struct ucode_cpu_info *uci) -+{ -+ unsigned int val[2]; -+ unsigned int family, model; -+ struct cpu_signature csig = { 0 }; -+ unsigned int eax, ebx, ecx, edx; -+ -+ memset(uci, 0, sizeof(*uci)); -+ -+ eax = 0x00000001; -+ ecx = 0; -+ native_cpuid(&eax, &ebx, &ecx, &edx); -+ csig.sig = eax; -+ -+ family = x86_family(eax); -+ model = x86_model(eax); -+ -+ if (model >= 5 || family > 6) { -+ /* get processor flags from MSR 0x17 */ -+ native_rdmsr(MSR_IA32_PLATFORM_ID, val[0], val[1]); -+ csig.pf = 1 << ((val[1] >> 18) & 7); -+ } -+ -+ csig.rev = intel_get_microcode_revision(); -+ -+ uci->cpu_sig = csig; -+ uci->valid = 1; -+ -+ return 0; -+} -+EXPORT_SYMBOL_GPL(intel_cpu_collect_info); -+ - static void early_init_intel(struct cpuinfo_x86 *c) - { - u64 misc_enable; -diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c -index 6a99535d7f37..5f8223909db4 100644 ---- a/arch/x86/kernel/cpu/microcode/intel.c -+++ b/arch/x86/kernel/cpu/microcode/intel.c -@@ -45,20 +45,6 @@ static struct microcode_intel *intel_ucode_patch; - /* last level cache size per core */ - static int llc_size_per_core; - --static inline bool cpu_signatures_match(unsigned int s1, unsigned int p1, -- unsigned int s2, unsigned int p2) --{ -- if (s1 != s2) -- return false; -- -- /* Processor flags are either both 0 ... */ -- if (!p1 && !p2) -- return true; -- -- /* ... or they intersect. */ -- return p1 & p2; --} -- - /* - * Returns 1 if update has been found, 0 otherwise. - */ -@@ -69,7 +55,7 @@ static int find_matching_signature(void *mc, unsigned int csig, int cpf) - struct extended_signature *ext_sig; - int i; - -- if (cpu_signatures_match(csig, cpf, mc_hdr->sig, mc_hdr->pf)) -+ if (intel_cpu_signatures_match(csig, cpf, mc_hdr->sig, mc_hdr->pf)) - return 1; - - /* Look for ext. headers: */ -@@ -80,7 +66,7 @@ static int find_matching_signature(void *mc, unsigned int csig, int cpf) - ext_sig = (void *)ext_hdr + EXT_HEADER_SIZE; - - for (i = 0; i < ext_hdr->count; i++) { -- if (cpu_signatures_match(csig, cpf, ext_sig->sig, ext_sig->pf)) -+ if (intel_cpu_signatures_match(csig, cpf, ext_sig->sig, ext_sig->pf)) - return 1; - ext_sig++; - } -@@ -385,37 +371,6 @@ next: - return patch; - } - --static int collect_cpu_info_early(struct ucode_cpu_info *uci) --{ -- unsigned int val[2]; -- unsigned int family, model; -- struct cpu_signature csig = { 0 }; -- unsigned int eax, ebx, ecx, edx; -- -- memset(uci, 0, sizeof(*uci)); -- -- eax = 0x00000001; -- ecx = 0; -- native_cpuid(&eax, &ebx, &ecx, &edx); -- csig.sig = eax; -- -- family = x86_family(eax); -- model = x86_model(eax); -- -- if ((model >= 5) || (family > 6)) { -- /* get processor flags from MSR 0x17 */ -- native_rdmsr(MSR_IA32_PLATFORM_ID, val[0], val[1]); -- csig.pf = 1 << ((val[1] >> 18) & 7); -- } -- -- csig.rev = intel_get_microcode_revision(); -- -- uci->cpu_sig = csig; -- uci->valid = 1; -- -- return 0; --} -- - static void show_saved_mc(void) - { - #ifdef DEBUG -@@ -429,7 +384,7 @@ static void show_saved_mc(void) - return; - } - -- collect_cpu_info_early(&uci); -+ intel_cpu_collect_info(&uci); - - sig = uci.cpu_sig.sig; - pf = uci.cpu_sig.pf; -@@ -538,7 +493,7 @@ void show_ucode_info_early(void) - struct ucode_cpu_info uci; - - if (delay_ucode_info) { -- collect_cpu_info_early(&uci); -+ intel_cpu_collect_info(&uci); - print_ucode_info(&uci, current_mc_date); - delay_ucode_info = 0; - } -@@ -640,7 +595,7 @@ int __init save_microcode_in_initrd_intel(void) - if (!(cp.data && cp.size)) - return 0; - -- collect_cpu_info_early(&uci); -+ intel_cpu_collect_info(&uci); - - scan_microcode(cp.data, cp.size, &uci, true); - -@@ -673,7 +628,7 @@ static struct microcode_intel *__load_ucode_intel(struct ucode_cpu_info *uci) - if (!(cp.data && cp.size)) - return NULL; - -- collect_cpu_info_early(uci); -+ intel_cpu_collect_info(uci); - - return scan_microcode(cp.data, cp.size, uci, false); - } -@@ -748,7 +703,7 @@ void reload_ucode_intel(void) - struct microcode_intel *p; - struct ucode_cpu_info uci; - -- collect_cpu_info_early(&uci); -+ intel_cpu_collect_info(&uci); - - p = find_patch(&uci); - if (!p) --- -2.39.3 - diff --git a/SOURCES/1016-x86-cpu-Load-microcode-during-restore_processor_stat.patch b/SOURCES/1016-x86-cpu-Load-microcode-during-restore_processor_stat.patch deleted file mode 100644 index c4a0109..0000000 --- a/SOURCES/1016-x86-cpu-Load-microcode-during-restore_processor_stat.patch +++ /dev/null @@ -1,129 +0,0 @@ -From be1cba911af4925ef0f42bdfee9682b01c94dfcb Mon Sep 17 00:00:00 2001 -From: Borislav Petkov -Date: Tue, 19 Apr 2022 09:52:41 -0700 -Subject: [PATCH 02/36] x86/cpu: Load microcode during - restore_processor_state() - -When resuming from system sleep state, restore_processor_state() -restores the boot CPU MSRs. These MSRs could be emulated by microcode. -If microcode is not loaded yet, writing to emulated MSRs leads to -unchecked MSR access error: - - ... - PM: Calling lapic_suspend+0x0/0x210 - unchecked MSR access error: WRMSR to 0x10f (tried to write 0x0...0) at rIP: ... (native_write_msr) - Call Trace: - - ? restore_processor_state - x86_acpi_suspend_lowlevel - acpi_suspend_enter - suspend_devices_and_enter - pm_suspend.cold - state_store - kobj_attr_store - sysfs_kf_write - kernfs_fop_write_iter - new_sync_write - vfs_write - ksys_write - __x64_sys_write - do_syscall_64 - entry_SYSCALL_64_after_hwframe - RIP: 0033:0x7fda13c260a7 - -To ensure microcode emulated MSRs are available for restoration, load -the microcode on the boot CPU before restoring these MSRs. - - [ Pawan: write commit message and productize it. ] - -Fixes: e2a1256b17b1 ("x86/speculation: Restore speculation related MSRs during S3 resume") -Reported-by: Kyle D. Pelton -Signed-off-by: Borislav Petkov -Signed-off-by: Pawan Gupta -Tested-by: Kyle D. Pelton -Cc: stable@vger.kernel.org -Link: https://bugzilla.kernel.org/show_bug.cgi?id=215841 -Link: https://lore.kernel.org/r/4350dfbf785cd482d3fafa72b2b49c83102df3ce.1650386317.git.pawan.kumar.gupta@linux.intel.com -(cherry picked from commit f9e14dbbd454581061c736bf70bf5cbb15ac927c) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/include/asm/microcode.h | 2 ++ - arch/x86/kernel/cpu/microcode/core.c | 6 +++--- - arch/x86/power/cpu.c | 8 ++++++++ - 3 files changed, 13 insertions(+), 3 deletions(-) - -diff --git a/arch/x86/include/asm/microcode.h b/arch/x86/include/asm/microcode.h -index 2b7cc5397f80..a930a63d1260 100644 ---- a/arch/x86/include/asm/microcode.h -+++ b/arch/x86/include/asm/microcode.h -@@ -133,6 +133,7 @@ extern void load_ucode_ap(void); - void reload_early_microcode(void); - extern bool get_builtin_firmware(struct cpio_data *cd, const char *name); - extern bool initrd_gone; -+void microcode_bsp_resume(void); - #else - static inline int __init microcode_init(void) { return 0; }; - static inline void __init load_ucode_bsp(void) { } -@@ -140,6 +141,7 @@ static inline void load_ucode_ap(void) { } - static inline void reload_early_microcode(void) { } - static inline bool - get_builtin_firmware(struct cpio_data *cd, const char *name) { return false; } -+static inline void microcode_bsp_resume(void) { } - #endif - - #endif /* _ASM_X86_MICROCODE_H */ -diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c -index e263da7247af..f0946658f885 100644 ---- a/arch/x86/kernel/cpu/microcode/core.c -+++ b/arch/x86/kernel/cpu/microcode/core.c -@@ -778,9 +778,9 @@ static struct subsys_interface mc_cpu_interface = { - }; - - /** -- * mc_bp_resume - Update boot CPU microcode during resume. -+ * microcode_bsp_resume - Update boot CPU microcode during resume. - */ --static void mc_bp_resume(void) -+void microcode_bsp_resume(void) - { - int cpu = smp_processor_id(); - struct ucode_cpu_info *uci = ucode_cpu_info + cpu; -@@ -792,7 +792,7 @@ static void mc_bp_resume(void) - } - - static struct syscore_ops mc_syscore_ops = { -- .resume = mc_bp_resume, -+ .resume = microcode_bsp_resume, - }; - - static int mc_cpu_starting(unsigned int cpu) -diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c -index f48756c903d4..dd5a29553697 100644 ---- a/arch/x86/power/cpu.c -+++ b/arch/x86/power/cpu.c -@@ -25,6 +25,7 @@ - #include - #include - #include -+#include - - #ifdef CONFIG_X86_32 - __visible unsigned long saved_context_ebx; -@@ -266,6 +267,13 @@ static void notrace __restore_processor_state(struct saved_context *ctxt) - x86_platform.restore_sched_clock_state(); - mtrr_bp_restore(); - perf_restore_debug_store(); -+ -+ microcode_bsp_resume(); -+ -+ /* -+ * This needs to happen after the microcode has been updated upon resume -+ * because some of the MSRs are "emulated" in microcode. -+ */ - msr_restore_context(ctxt); - } - --- -2.39.3 - diff --git a/SOURCES/1017-x86-microcode-Deprecate-MICROCODE_OLD_INTERFACE.patch b/SOURCES/1017-x86-microcode-Deprecate-MICROCODE_OLD_INTERFACE.patch deleted file mode 100644 index be41ece..0000000 --- a/SOURCES/1017-x86-microcode-Deprecate-MICROCODE_OLD_INTERFACE.patch +++ /dev/null @@ -1,51 +0,0 @@ -From b31d4c149df44c050b12b7aca2c535e06f1b1237 Mon Sep 17 00:00:00 2001 -From: Borislav Petkov -Date: Fri, 5 Apr 2019 06:28:11 +0200 -Subject: [PATCH 03/36] x86/microcode: Deprecate MICROCODE_OLD_INTERFACE - -This is the ancient loading interface which requires special tools to be -used. The bigger problem with it is that it is as inadequate for proper -loading of microcode as the late microcode loading interface is because -it happens just as late. - -iucode_tool's manpage already warns people that it is deprecated. - -Deprecate it and turn it off by default along with a big fat warning in -the Kconfig help. It will go away sometime in the future. - -Signed-off-by: Borislav Petkov -Reviewed-by: Thomas Gleixner -Cc: x86@kernel.org -Link: https://lkml.kernel.org/r/20190405133010.24249-4-bp@alien8.de -(cherry picked from commit c02f48e070bde326f55bd94544ca82291f7396e3) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/Kconfig | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index f26d1d596e9a..4f762b807bd4 100644 ---- a/arch/x86/Kconfig -+++ b/arch/x86/Kconfig -@@ -1361,8 +1361,16 @@ config MICROCODE_AMD - processors will be enabled. - - config MICROCODE_OLD_INTERFACE -- def_bool y -+ bool "Ancient loading interface (DEPRECATED)" -+ default n - depends on MICROCODE -+ ---help--- -+ DO NOT USE THIS! This is the ancient /dev/cpu/microcode interface -+ which was used by userspace tools like iucode_tool and microcode.ctl. -+ It is inadequate because it runs too late to be able to properly -+ load microcode on a machine and it needs special tools. Instead, you -+ should've switched to the early loading method with the initrd or -+ builtin microcode by now: Documentation/x86/microcode.txt - - config X86_MSR - tristate "/dev/cpu/*/msr - Model-specific register support" --- -2.39.3 - diff --git a/SOURCES/1018-x86-microcode-Rip-out-the-OLD_INTERFACE.patch b/SOURCES/1018-x86-microcode-Rip-out-the-OLD_INTERFACE.patch deleted file mode 100644 index c669767..0000000 --- a/SOURCES/1018-x86-microcode-Rip-out-the-OLD_INTERFACE.patch +++ /dev/null @@ -1,170 +0,0 @@ -From c11a8e91d637901133fad441470d2240cc9d05e7 Mon Sep 17 00:00:00 2001 -From: Borislav Petkov -Date: Wed, 25 May 2022 18:12:29 +0200 -Subject: [PATCH 04/36] x86/microcode: Rip out the OLD_INTERFACE - -Everything should be using the early initrd loading by now. - -Signed-off-by: Borislav Petkov -Signed-off-by: Thomas Gleixner -Link: https://lore.kernel.org/r/20220525161232.14924-2-bp@alien8.de - -(cherry picked from commit 181b6f40e9ea80c76756d4d0cdeed396016c487e) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/Kconfig | 12 ---- - arch/x86/kernel/cpu/microcode/core.c | 100 --------------------------- - 2 files changed, 112 deletions(-) - -diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 4f762b807bd4..b9bcde5c538f 100644 ---- a/arch/x86/Kconfig -+++ b/arch/x86/Kconfig -@@ -1360,18 +1360,6 @@ config MICROCODE_AMD - If you select this option, microcode patch loading support for AMD - processors will be enabled. - --config MICROCODE_OLD_INTERFACE -- bool "Ancient loading interface (DEPRECATED)" -- default n -- depends on MICROCODE -- ---help--- -- DO NOT USE THIS! This is the ancient /dev/cpu/microcode interface -- which was used by userspace tools like iucode_tool and microcode.ctl. -- It is inadequate because it runs too late to be able to properly -- load microcode on a machine and it needs special tools. Instead, you -- should've switched to the early loading method with the initrd or -- builtin microcode by now: Documentation/x86/microcode.txt -- - config X86_MSR - tristate "/dev/cpu/*/msr - Model-specific register support" - ---help--- -diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c -index f0946658f885..bbc262a5fc0d 100644 ---- a/arch/x86/kernel/cpu/microcode/core.c -+++ b/arch/x86/kernel/cpu/microcode/core.c -@@ -392,98 +392,6 @@ static int apply_microcode_on_target(int cpu) - return ret; - } - --#ifdef CONFIG_MICROCODE_OLD_INTERFACE --static int do_microcode_update(const void __user *buf, size_t size) --{ -- int error = 0; -- int cpu; -- -- for_each_online_cpu(cpu) { -- struct ucode_cpu_info *uci = ucode_cpu_info + cpu; -- enum ucode_state ustate; -- -- if (!uci->valid) -- continue; -- -- ustate = microcode_ops->request_microcode_user(cpu, buf, size); -- if (ustate == UCODE_ERROR) { -- error = -1; -- break; -- } else if (ustate == UCODE_NEW) { -- apply_microcode_on_target(cpu); -- } -- } -- -- return error; --} -- --static int microcode_open(struct inode *inode, struct file *file) --{ -- return capable(CAP_SYS_RAWIO) ? nonseekable_open(inode, file) : -EPERM; --} -- --static ssize_t microcode_write(struct file *file, const char __user *buf, -- size_t len, loff_t *ppos) --{ -- ssize_t ret = -EINVAL; -- unsigned long nr_pages = totalram_pages(); -- -- if ((len >> PAGE_SHIFT) > nr_pages) { -- pr_err("too much data (max %ld pages)\n", nr_pages); -- return ret; -- } -- -- get_online_cpus(); -- mutex_lock(µcode_mutex); -- -- if (do_microcode_update(buf, len) == 0) -- ret = (ssize_t)len; -- -- if (ret > 0) -- perf_check_microcode(); -- -- mutex_unlock(µcode_mutex); -- put_online_cpus(); -- -- return ret; --} -- --static const struct file_operations microcode_fops = { -- .owner = THIS_MODULE, -- .write = microcode_write, -- .open = microcode_open, -- .llseek = no_llseek, --}; -- --static struct miscdevice microcode_dev = { -- .minor = MICROCODE_MINOR, -- .name = "microcode", -- .nodename = "cpu/microcode", -- .fops = µcode_fops, --}; -- --static int __init microcode_dev_init(void) --{ -- int error; -- -- error = misc_register(µcode_dev); -- if (error) { -- pr_err("can't misc_register on minor=%d\n", MICROCODE_MINOR); -- return error; -- } -- -- return 0; --} -- --static void __exit microcode_dev_exit(void) --{ -- misc_deregister(µcode_dev); --} --#else --#define microcode_dev_init() 0 --#define microcode_dev_exit() do { } while (0) --#endif -- - /* fake device for request_firmware */ - static struct platform_device *microcode_pdev; - -@@ -876,10 +784,6 @@ int __init microcode_init(void) - goto out_driver; - } - -- error = microcode_dev_init(); -- if (error) -- goto out_ucode_group; -- - register_syscore_ops(&mc_syscore_ops); - cpuhp_setup_state_nocalls(CPUHP_AP_MICROCODE_LOADER, "x86/microcode:starting", - mc_cpu_starting, NULL); -@@ -890,10 +794,6 @@ int __init microcode_init(void) - - return 0; - -- out_ucode_group: -- sysfs_remove_group(&cpu_subsys.dev_root->kobj, -- &cpu_root_microcode_group); -- - out_driver: - get_online_cpus(); - mutex_lock(µcode_mutex); --- -2.39.3 - diff --git a/SOURCES/1019-x86-microcode-Default-disable-late-loading.patch b/SOURCES/1019-x86-microcode-Default-disable-late-loading.patch deleted file mode 100644 index 649c82f..0000000 --- a/SOURCES/1019-x86-microcode-Default-disable-late-loading.patch +++ /dev/null @@ -1,106 +0,0 @@ -From 9cc01dc772e684b7864d8c8a1f526035c991aa76 Mon Sep 17 00:00:00 2001 -From: Borislav Petkov -Date: Wed, 25 May 2022 18:12:30 +0200 -Subject: [PATCH 05/36] x86/microcode: Default-disable late loading - -It is dangerous and it should not be used anyway - there's a nice early -loading already. - -Requested-by: Peter Zijlstra (Intel) -Signed-off-by: Borislav Petkov -Signed-off-by: Thomas Gleixner -Link: https://lore.kernel.org/r/20220525161232.14924-3-bp@alien8.de -(cherry picked from commit a77a94f86273ce42a39cb479217dd8d68acfe0ff) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/Kconfig | 11 +++++++++++ - arch/x86/kernel/cpu/common.c | 2 ++ - arch/x86/kernel/cpu/microcode/core.c | 7 ++++++- - 3 files changed, 19 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index b9bcde5c538f..5af5427c50ae 100644 ---- a/arch/x86/Kconfig -+++ b/arch/x86/Kconfig -@@ -1360,6 +1360,17 @@ config MICROCODE_AMD - If you select this option, microcode patch loading support for AMD - processors will be enabled. - -+config MICROCODE_LATE_LOADING -+ bool "Late microcode loading (DANGEROUS)" -+ default n -+ depends on MICROCODE -+ help -+ Loading microcode late, when the system is up and executing instructions -+ is a tricky business and should be avoided if possible. Just the sequence -+ of synchronizing all cores and SMT threads is one fragile dance which does -+ not guarantee that cores might not softlock after the loading. Therefore, -+ use this at your own risk. Late loading taints the kernel too. -+ - config X86_MSR - tristate "/dev/cpu/*/msr - Model-specific register support" - ---help--- -diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index f59edeef14eb..7be057c7531c 100644 ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -2145,6 +2145,7 @@ void cpu_init_secondary(void) - } - #endif - -+#ifdef CONFIG_MICROCODE_LATE_LOADING - /* - * The microcode loader calls this upon late microcode load to recheck features, - * only when microcode has been updated. Caller holds microcode_mutex and CPU -@@ -2174,6 +2175,7 @@ void microcode_check(void) - pr_warn("x86/CPU: CPU features have changed after loading microcode, but might not take effect.\n"); - pr_warn("x86/CPU: Please consider either early loading through initrd/built-in or a potential BIOS update.\n"); - } -+#endif - - /* - * Invoked from core CPU hotplug code after hotplug operations -diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c -index bbc262a5fc0d..c4d19f4b7afb 100644 ---- a/arch/x86/kernel/cpu/microcode/core.c -+++ b/arch/x86/kernel/cpu/microcode/core.c -@@ -395,6 +395,7 @@ static int apply_microcode_on_target(int cpu) - /* fake device for request_firmware */ - static struct platform_device *microcode_pdev; - -+#ifdef CONFIG_MICROCODE_LATE_LOADING - /* - * Late loading dance. Why the heavy-handed stomp_machine effort? - * -@@ -563,6 +564,9 @@ put: - return ret; - } - -+static DEVICE_ATTR_WO(reload); -+#endif -+ - static ssize_t version_show(struct device *dev, - struct device_attribute *attr, char *buf) - { -@@ -579,7 +583,6 @@ static ssize_t pf_show(struct device *dev, - return sprintf(buf, "0x%x\n", uci->cpu_sig.pf); - } - --static DEVICE_ATTR_WO(reload); - static DEVICE_ATTR(version, 0444, version_show, NULL); - static DEVICE_ATTR(processor_flags, 0444, pf_show, NULL); - -@@ -732,7 +735,9 @@ static int mc_cpu_down_prep(unsigned int cpu) - } - - static struct attribute *cpu_root_microcode_attrs[] = { -+#ifdef CONFIG_MICROCODE_LATE_LOADING - &dev_attr_reload.attr, -+#endif - NULL - }; - --- -2.39.3 - diff --git a/SOURCES/1020-x86-microcode-Taint-and-warn-on-late-loading.patch b/SOURCES/1020-x86-microcode-Taint-and-warn-on-late-loading.patch deleted file mode 100644 index e701762..0000000 --- a/SOURCES/1020-x86-microcode-Taint-and-warn-on-late-loading.patch +++ /dev/null @@ -1,47 +0,0 @@ -From abfdcc849a720f36bbb075ee35d64e84314387fe Mon Sep 17 00:00:00 2001 -From: Borislav Petkov -Date: Wed, 25 May 2022 18:12:31 +0200 -Subject: [PATCH 06/36] x86/microcode: Taint and warn on late loading - -Warn before it is attempted and taint the kernel. Late loading microcode -can lead to malfunction of the kernel when the microcode update changes -behaviour. There is no way for the kernel to determine whether its safe or -not. - -Signed-off-by: Borislav Petkov -Signed-off-by: Thomas Gleixner -Link: https://lore.kernel.org/r/20220525161232.14924-4-bp@alien8.de - -(cherry picked from commit d23d33ea0fcdc4bbb484990bf53867f99c63ccab) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/kernel/cpu/microcode/core.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c -index c4d19f4b7afb..a803b839b16e 100644 ---- a/arch/x86/kernel/cpu/microcode/core.c -+++ b/arch/x86/kernel/cpu/microcode/core.c -@@ -513,6 +513,9 @@ static int microcode_reload_late(void) - { - int ret; - -+ pr_err("Attempting late microcode loading - it is dangerous and taints the kernel.\n"); -+ pr_err("You should switch to early loading, if possible.\n"); -+ - atomic_set(&late_cpus_in, 0); - atomic_set(&late_cpus_out, 0); - -@@ -561,6 +564,8 @@ put: - if (ret >= 0) - ret = size; - -+ add_taint(TAINT_CPU_OUT_OF_SPEC, LOCKDEP_STILL_OK); -+ - return ret; - } - --- -2.39.3 - diff --git a/SOURCES/1021-x86-microcode-Remove-unnecessary-perf-callback.patch b/SOURCES/1021-x86-microcode-Remove-unnecessary-perf-callback.patch deleted file mode 100644 index 14e1cad..0000000 --- a/SOURCES/1021-x86-microcode-Remove-unnecessary-perf-callback.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 88686baf053310a4bd81088bd733c8be8a68db49 Mon Sep 17 00:00:00 2001 -From: Borislav Petkov -Date: Wed, 25 May 2022 18:12:32 +0200 -Subject: [PATCH 07/36] x86/microcode: Remove unnecessary perf callback - -c93dc84cbe32 ("perf/x86: Add a microcode revision check for SNB-PEBS") -checks whether the microcode revision has fixed PEBS issues. - -This can happen either: - -1. At PEBS init time, where the early microcode has been loaded already - -2. During late loading, in the microcode_check() callback. - -So remove the unnecessary call in the microcode loader init routine. - -Signed-off-by: Borislav Petkov -Signed-off-by: Thomas Gleixner -Link: https://lore.kernel.org/r/20220525161232.14924-5-bp@alien8.de - -(cherry picked from commit 0c0fe08c76485fe0178ebb0fa1a2052c727abe94) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/kernel/cpu/microcode/core.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c -index a803b839b16e..44bac17304ac 100644 ---- a/arch/x86/kernel/cpu/microcode/core.c -+++ b/arch/x86/kernel/cpu/microcode/core.c -@@ -776,10 +776,7 @@ int __init microcode_init(void) - - get_online_cpus(); - mutex_lock(µcode_mutex); -- - error = subsys_interface_register(&mc_cpu_interface); -- if (!error) -- perf_check_microcode(); - mutex_unlock(µcode_mutex); - put_online_cpus(); - --- -2.39.3 - diff --git a/SOURCES/1022-x86-microcode-Print-previous-version-of-microcode-af.patch b/SOURCES/1022-x86-microcode-Print-previous-version-of-microcode-af.patch deleted file mode 100644 index 21fe4ac..0000000 --- a/SOURCES/1022-x86-microcode-Print-previous-version-of-microcode-af.patch +++ /dev/null @@ -1,49 +0,0 @@ -From bdaca71f1e3ffeea24c2a02d4eb21879d4dece96 Mon Sep 17 00:00:00 2001 -From: Ashok Raj -Date: Mon, 29 Aug 2022 18:10:30 +0000 -Subject: [PATCH 08/36] x86/microcode: Print previous version of microcode - after reload - -Print both old and new versions of microcode after a reload is complete -because knowing the previous microcode version is sometimes important -from a debugging perspective. - - [ bp: Massage commit message. ] - -Signed-off-by: Ashok Raj -Signed-off-by: Borislav Petkov -Acked-by: Tony Luck -Link: https://lore.kernel.org/r/20220829181030.722891-1-ashok.raj@intel.com -(cherry picked from commit 7fce8d6eccbc31a561d07c79f359ad09f0424347) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/kernel/cpu/microcode/core.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c -index 44bac17304ac..6affa814699d 100644 ---- a/arch/x86/kernel/cpu/microcode/core.c -+++ b/arch/x86/kernel/cpu/microcode/core.c -@@ -511,7 +511,7 @@ wait_for_siblings: - */ - static int microcode_reload_late(void) - { -- int ret; -+ int old = boot_cpu_data.microcode, ret; - - pr_err("Attempting late microcode loading - it is dangerous and taints the kernel.\n"); - pr_err("You should switch to early loading, if possible.\n"); -@@ -523,7 +523,8 @@ static int microcode_reload_late(void) - if (ret > 0) - microcode_check(); - -- pr_info("Reload completed, microcode revision: 0x%x\n", boot_cpu_data.microcode); -+ pr_info("Reload completed, microcode revision: 0x%x -> 0x%x\n", -+ old, boot_cpu_data.microcode); - - return ret; - } --- -2.39.3 - diff --git a/SOURCES/1023-x86-microcode-Rip-out-the-subsys-interface-gunk.patch b/SOURCES/1023-x86-microcode-Rip-out-the-subsys-interface-gunk.patch deleted file mode 100644 index a3940c8..0000000 --- a/SOURCES/1023-x86-microcode-Rip-out-the-subsys-interface-gunk.patch +++ /dev/null @@ -1,179 +0,0 @@ -From 15a76d02ad4df4dbe37ed5bda874deeba2659843 Mon Sep 17 00:00:00 2001 -From: Borislav Petkov -Date: Wed, 19 Oct 2022 18:13:06 +0200 -Subject: [PATCH 09/36] x86/microcode: Rip out the subsys interface gunk - -This is a left-over from the old days when CPU hotplug wasn't as robust -as it is now. Currently, microcode gets loaded early on the CPU init -path and there's no need to attempt to load it again, which that subsys -interface callback is doing. - -The only other thing that the subsys interface init path was doing is -adding the - - /sys/devices/system/cpu/cpu*/microcode/ - -hierarchy. - -So add a function which gets called on each CPU after all the necessary -driver setup has happened. Use schedule_on_each_cpu() which can block -because the sysfs creating code does kmem_cache_zalloc() which can block -too and the initial version of this where it did that setup in an IPI -handler of on_each_cpu() can cause a deadlock of the sort: - - lock(fs_reclaim); - - lock(fs_reclaim); - -as the IPI handler runs in IRQ context. - -Signed-off-by: Borislav Petkov -Reviewed-by: Ashok Raj -Link: https://lore.kernel.org/r/20221028142638.28498-2-bp@alien8.de -(cherry picked from commit b6f86689d5b740f2cc3ac3a1032c7374b24381cc) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/kernel/cpu/microcode/core.c | 82 +++++++--------------------- - 1 file changed, 21 insertions(+), 61 deletions(-) - -diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c -index 6affa814699d..8a7fc5d8db6e 100644 ---- a/arch/x86/kernel/cpu/microcode/core.c -+++ b/arch/x86/kernel/cpu/microcode/core.c -@@ -621,8 +621,8 @@ static enum ucode_state microcode_resume_cpu(int cpu) - - static enum ucode_state microcode_init_cpu(int cpu, bool refresh_fw) - { -- enum ucode_state ustate; - struct ucode_cpu_info *uci = ucode_cpu_info + cpu; -+ enum ucode_state ustate; - - if (uci->valid) - return UCODE_OK; -@@ -656,44 +656,6 @@ static enum ucode_state microcode_update_cpu(int cpu) - return microcode_init_cpu(cpu, false); - } - --static int mc_device_add(struct device *dev, struct subsys_interface *sif) --{ -- int err, cpu = dev->id; -- -- if (!cpu_online(cpu)) -- return 0; -- -- pr_debug("CPU%d added\n", cpu); -- -- err = sysfs_create_group(&dev->kobj, &mc_attr_group); -- if (err) -- return err; -- -- if (microcode_init_cpu(cpu, true) == UCODE_ERROR) -- return -EINVAL; -- -- return err; --} -- --static void mc_device_remove(struct device *dev, struct subsys_interface *sif) --{ -- int cpu = dev->id; -- -- if (!cpu_online(cpu)) -- return; -- -- pr_debug("CPU%d removed\n", cpu); -- microcode_fini_cpu(cpu); -- sysfs_remove_group(&dev->kobj, &mc_attr_group); --} -- --static struct subsys_interface mc_cpu_interface = { -- .name = "microcode", -- .subsys = &cpu_subsys, -- .add_dev = mc_device_add, -- .remove_dev = mc_device_remove, --}; -- - /** - * microcode_bsp_resume - Update boot CPU microcode during resume. - */ -@@ -733,6 +695,9 @@ static int mc_cpu_down_prep(unsigned int cpu) - struct device *dev; - - dev = get_cpu_device(cpu); -+ -+ microcode_fini_cpu(cpu); -+ - /* Suspend is in progress, only remove the interface */ - sysfs_remove_group(&dev->kobj, &mc_attr_group); - pr_debug("CPU%d removed\n", cpu); -@@ -740,6 +705,18 @@ static int mc_cpu_down_prep(unsigned int cpu) - return 0; - } - -+static void setup_online_cpu(struct work_struct *work) -+{ -+ int cpu = smp_processor_id(); -+ struct ucode_cpu_info *uci = ucode_cpu_info + cpu; -+ -+ memset(uci, 0, sizeof(*uci)); -+ -+ microcode_ops->collect_cpu_info(cpu, &uci->cpu_sig); -+ -+ mc_cpu_online(cpu); -+} -+ - static struct attribute *cpu_root_microcode_attrs[] = { - #ifdef CONFIG_MICROCODE_LATE_LOADING - &dev_attr_reload.attr, -@@ -771,27 +748,19 @@ int __init microcode_init(void) - return -ENODEV; - - microcode_pdev = platform_device_register_simple("microcode", -1, -- NULL, 0); -- if (IS_ERR(microcode_pdev)) -- return PTR_ERR(microcode_pdev); -- -- get_online_cpus(); -- mutex_lock(µcode_mutex); -- error = subsys_interface_register(&mc_cpu_interface); -- mutex_unlock(µcode_mutex); -- put_online_cpus(); -- -- if (error) -- goto out_pdev; -+ NULL, 0); - - error = sysfs_create_group(&cpu_subsys.dev_root->kobj, - &cpu_root_microcode_group); - - if (error) { - pr_err("Error creating microcode group!\n"); -- goto out_driver; -+ goto out_pdev; - } - -+ /* Do per-CPU setup */ -+ schedule_on_each_cpu(setup_online_cpu); -+ - register_syscore_ops(&mc_syscore_ops); - cpuhp_setup_state_nocalls(CPUHP_AP_MICROCODE_LOADER, "x86/microcode:starting", - mc_cpu_starting, NULL); -@@ -802,15 +771,6 @@ int __init microcode_init(void) - - return 0; - -- out_driver: -- get_online_cpus(); -- mutex_lock(µcode_mutex); -- -- subsys_interface_unregister(&mc_cpu_interface); -- -- mutex_unlock(µcode_mutex); -- put_online_cpus(); -- - out_pdev: - platform_device_unregister(microcode_pdev); - return error; --- -2.39.3 - diff --git a/SOURCES/1024-x86-microcode-Simplify-init-path-even-more.patch b/SOURCES/1024-x86-microcode-Simplify-init-path-even-more.patch deleted file mode 100644 index ffd9256..0000000 --- a/SOURCES/1024-x86-microcode-Simplify-init-path-even-more.patch +++ /dev/null @@ -1,212 +0,0 @@ -From 1a37aa866d76aaab6901bb331ea1be202ccad636 Mon Sep 17 00:00:00 2001 -From: Borislav Petkov -Date: Wed, 19 Oct 2022 19:07:30 +0200 -Subject: [PATCH 10/36] x86/microcode: Simplify init path even more - -Get rid of all the IPI-sending functions and their wrappers and use -those which are supposed to be called on each CPU. - -Thus: - -- microcode_init_cpu() gets called on each CPU on init, applying any new - microcode that the driver might've found on the filesystem. - -- mc_cpu_starting() simply tries to apply cached microcode as this is - the cpuhp starting callback which gets called on CPU resume too. - -Even if the driver init function is a late initcall, there is no -filesystem by then (not even a hdd driver has been loaded yet) so a new -firmware load attempt cannot simply be done. - -It is pointless anyway - for that there's late loading if one really -needs it. - -Signed-off-by: Borislav Petkov -Reviewed-by: Ashok Raj -Link: https://lore.kernel.org/r/20221028142638.28498-3-bp@alien8.de -(cherry picked from commit 2071c0aeda228107bf1b9e870b6187c90fbeef1d) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/kernel/cpu/microcode/core.c | 120 ++++----------------------- - 1 file changed, 16 insertions(+), 104 deletions(-) - -diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c -index 8a7fc5d8db6e..50321a43da01 100644 ---- a/arch/x86/kernel/cpu/microcode/core.c -+++ b/arch/x86/kernel/cpu/microcode/core.c -@@ -338,60 +338,6 @@ void reload_early_microcode(void) - } - } - --static void collect_cpu_info_local(void *arg) --{ -- struct cpu_info_ctx *ctx = arg; -- -- ctx->err = microcode_ops->collect_cpu_info(smp_processor_id(), -- ctx->cpu_sig); --} -- --static int collect_cpu_info_on_target(int cpu, struct cpu_signature *cpu_sig) --{ -- struct cpu_info_ctx ctx = { .cpu_sig = cpu_sig, .err = 0 }; -- int ret; -- -- ret = smp_call_function_single(cpu, collect_cpu_info_local, &ctx, 1); -- if (!ret) -- ret = ctx.err; -- -- return ret; --} -- --static int collect_cpu_info(int cpu) --{ -- struct ucode_cpu_info *uci = ucode_cpu_info + cpu; -- int ret; -- -- memset(uci, 0, sizeof(*uci)); -- -- ret = collect_cpu_info_on_target(cpu, &uci->cpu_sig); -- if (!ret) -- uci->valid = 1; -- -- return ret; --} -- --static void apply_microcode_local(void *arg) --{ -- enum ucode_state *err = arg; -- -- *err = microcode_ops->apply_microcode(smp_processor_id()); --} -- --static int apply_microcode_on_target(int cpu) --{ -- enum ucode_state err; -- int ret; -- -- ret = smp_call_function_single(cpu, apply_microcode_local, &err, 1); -- if (!ret) { -- if (err == UCODE_ERROR) -- ret = 1; -- } -- return ret; --} -- - /* fake device for request_firmware */ - static struct platform_device *microcode_pdev; - -@@ -478,7 +424,7 @@ static int __reload_late(void *info) - * below. - */ - if (cpumask_first(topology_sibling_cpumask(cpu)) == cpu) -- apply_microcode_local(&err); -+ err = microcode_ops->apply_microcode(cpu); - else - goto wait_for_siblings; - -@@ -500,7 +446,7 @@ wait_for_siblings: - * revision. - */ - if (cpumask_first(topology_sibling_cpumask(cpu)) != cpu) -- apply_microcode_local(&err); -+ err = microcode_ops->apply_microcode(cpu); - - return ret; - } -@@ -609,51 +555,15 @@ static void microcode_fini_cpu(int cpu) - microcode_ops->microcode_fini_cpu(cpu); - } - --static enum ucode_state microcode_resume_cpu(int cpu) --{ -- if (apply_microcode_on_target(cpu)) -- return UCODE_ERROR; -- -- pr_debug("CPU%d updated upon resume\n", cpu); -- -- return UCODE_OK; --} -- --static enum ucode_state microcode_init_cpu(int cpu, bool refresh_fw) --{ -- struct ucode_cpu_info *uci = ucode_cpu_info + cpu; -- enum ucode_state ustate; -- -- if (uci->valid) -- return UCODE_OK; -- -- if (collect_cpu_info(cpu)) -- return UCODE_ERROR; -- -- /* --dimm. Trigger a delayed update? */ -- if (system_state != SYSTEM_RUNNING) -- return UCODE_NFOUND; -- -- ustate = microcode_ops->request_microcode_fw(cpu, µcode_pdev->dev, refresh_fw); -- if (ustate == UCODE_NEW) { -- pr_debug("CPU%d updated upon init\n", cpu); -- apply_microcode_on_target(cpu); -- } -- -- return ustate; --} -- --static enum ucode_state microcode_update_cpu(int cpu) -+static enum ucode_state microcode_init_cpu(int cpu) - { - struct ucode_cpu_info *uci = ucode_cpu_info + cpu; - -- /* Refresh CPU microcode revision after resume. */ -- collect_cpu_info(cpu); -+ memset(uci, 0, sizeof(*uci)); - -- if (uci->valid) -- return microcode_resume_cpu(cpu); -+ microcode_ops->collect_cpu_info(cpu, &uci->cpu_sig); - -- return microcode_init_cpu(cpu, false); -+ return microcode_ops->apply_microcode(cpu); - } - - /** -@@ -671,14 +581,14 @@ void microcode_bsp_resume(void) - } - - static struct syscore_ops mc_syscore_ops = { -- .resume = microcode_bsp_resume, -+ .resume = microcode_bsp_resume, - }; - - static int mc_cpu_starting(unsigned int cpu) - { -- microcode_update_cpu(cpu); -- pr_debug("CPU%d added\n", cpu); -- return 0; -+ enum ucode_state err = microcode_ops->apply_microcode(cpu); -+ -+ return err == UCODE_ERROR; - } - - static int mc_cpu_online(unsigned int cpu) -@@ -708,11 +618,13 @@ static int mc_cpu_down_prep(unsigned int cpu) - static void setup_online_cpu(struct work_struct *work) - { - int cpu = smp_processor_id(); -- struct ucode_cpu_info *uci = ucode_cpu_info + cpu; -- -- memset(uci, 0, sizeof(*uci)); -+ enum ucode_state err; - -- microcode_ops->collect_cpu_info(cpu, &uci->cpu_sig); -+ err = microcode_init_cpu(cpu); -+ if (err == UCODE_ERROR) { -+ pr_err("Error applying microcode on CPU%d\n", cpu); -+ return; -+ } - - mc_cpu_online(cpu); - } --- -2.39.3 - diff --git a/SOURCES/1025-x86-microcode-AMD-Rename-a-couple-of-functions.patch b/SOURCES/1025-x86-microcode-AMD-Rename-a-couple-of-functions.patch deleted file mode 100644 index 9bffc76..0000000 --- a/SOURCES/1025-x86-microcode-AMD-Rename-a-couple-of-functions.patch +++ /dev/null @@ -1,88 +0,0 @@ -From a385d6a4761819826f5fb234415f4f1ad43fc141 Mon Sep 17 00:00:00 2001 -From: Borislav Petkov -Date: Mon, 19 Dec 2022 22:06:55 +0100 -Subject: [PATCH 11/36] x86/microcode/AMD: Rename a couple of functions - -- Rename apply_microcode_early_amd() to early_apply_microcode(): -simplify the name so that it is clear what it does and when does it do -it. - -- Rename __load_ucode_amd() to find_blobs_in_containers(): the new name -actually explains what it does. - -Document some. - -No functional changes. - -Signed-off-by: Borislav Petkov -Signed-off-by: Borislav Petkov (AMD) -Link: https://lore.kernel.org/r/20221219210656.5140-1-bp@alien8.de -(cherry picked from commit 61de9b7036f26448a1916291c456f62dd6bf07ea) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/kernel/cpu/microcode/amd.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c -index 750889d77b56..0b557d04be22 100644 ---- a/arch/x86/kernel/cpu/microcode/amd.c -+++ b/arch/x86/kernel/cpu/microcode/amd.c -@@ -415,8 +415,7 @@ static int __apply_microcode_amd(struct microcode_amd *mc) - * - * Returns true if container found (sets @desc), false otherwise. - */ --static bool --apply_microcode_early_amd(u32 cpuid_1_eax, void *ucode, size_t size, bool save_patch) -+static bool early_apply_microcode(u32 cpuid_1_eax, void *ucode, size_t size, bool save_patch) - { - struct cont_desc desc = { 0 }; - u8 (*patch)[PATCH_MAX_SIZE]; -@@ -476,7 +475,7 @@ static bool get_builtin_microcode(struct cpio_data *cp, unsigned int family) - #endif - } - --static void __load_ucode_amd(unsigned int cpuid_1_eax, struct cpio_data *ret) -+static void find_blobs_in_containers(unsigned int cpuid_1_eax, struct cpio_data *ret) - { - struct ucode_cpu_info *uci; - struct cpio_data cp; -@@ -506,11 +505,11 @@ void __init load_ucode_amd_bsp(unsigned int cpuid_1_eax) - { - struct cpio_data cp = { }; - -- __load_ucode_amd(cpuid_1_eax, &cp); -+ find_blobs_in_containers(cpuid_1_eax, &cp); - if (!(cp.data && cp.size)) - return; - -- apply_microcode_early_amd(cpuid_1_eax, cp.data, cp.size, true); -+ early_apply_microcode(cpuid_1_eax, cp.data, cp.size, true); - } - - void load_ucode_amd_ap(unsigned int cpuid_1_eax) -@@ -541,11 +540,11 @@ void load_ucode_amd_ap(unsigned int cpuid_1_eax) - } - } - -- __load_ucode_amd(cpuid_1_eax, &cp); -+ find_blobs_in_containers(cpuid_1_eax, &cp); - if (!(cp.data && cp.size)) - return; - -- apply_microcode_early_amd(cpuid_1_eax, cp.data, cp.size, false); -+ early_apply_microcode(cpuid_1_eax, cp.data, cp.size, false); - } - - static enum ucode_state -@@ -810,6 +809,7 @@ static int verify_and_add_patch(u8 family, u8 *fw, unsigned int leftover, - return 0; - } - -+/* Scan the blob in @data and add microcode patches to the cache. */ - static enum ucode_state __load_microcode_amd(u8 family, const u8 *data, - size_t size) - { --- -2.39.3 - diff --git a/SOURCES/1026-x86-microcode-Fix-return-value-for-microcode-late-lo.patch b/SOURCES/1026-x86-microcode-Fix-return-value-for-microcode-late-lo.patch deleted file mode 100644 index 9f7ef0c..0000000 --- a/SOURCES/1026-x86-microcode-Fix-return-value-for-microcode-late-lo.patch +++ /dev/null @@ -1,79 +0,0 @@ -From f19ca27f91db6320d02ba1cd28751a217616e282 Mon Sep 17 00:00:00 2001 -From: Mihai Carabas -Date: Tue, 21 Apr 2020 22:28:38 +0300 -Subject: [PATCH 12/36] x86/microcode: Fix return value for microcode late - loading - -The return value from stop_machine() might not be consistent. - -stop_machine_cpuslocked() returns: -- zero if all functions have returned 0. -- a non-zero value if at least one of the functions returned -a non-zero value. - -There is no way to know if it is negative or positive. So make -__reload_late() return 0 on success or negative otherwise. - - [ bp: Unify ret val check and touch up. ] - -Signed-off-by: Mihai Carabas -Signed-off-by: Borislav Petkov -Link: https://lkml.kernel.org/r/1587497318-4438-1-git-send-email-mihai.carabas@oracle.com -(cherry picked from commit 9adbf3c609af92a57a73000a3cb8f4c2d307dfa3) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/kernel/cpu/microcode/core.c | 15 +++++++-------- - 1 file changed, 7 insertions(+), 8 deletions(-) - -diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c -index 50321a43da01..36f78ceca5f2 100644 ---- a/arch/x86/kernel/cpu/microcode/core.c -+++ b/arch/x86/kernel/cpu/microcode/core.c -@@ -400,8 +400,7 @@ static int __wait_for_cpus(atomic_t *t, long long timeout) - /* - * Returns: - * < 0 - on error -- * 0 - no update done -- * 1 - microcode was updated -+ * 0 - success (no update done or microcode was updated) - */ - static int __reload_late(void *info) - { -@@ -428,11 +427,11 @@ static int __reload_late(void *info) - else - goto wait_for_siblings; - -- if (err > UCODE_NFOUND) { -- pr_warn("Error reloading microcode on CPU %d\n", cpu); -+ if (err >= UCODE_NFOUND) { -+ if (err == UCODE_ERROR) -+ pr_warn("Error reloading microcode on CPU %d\n", cpu); -+ - ret = -1; -- } else if (err == UCODE_UPDATED || err == UCODE_OK) { -- ret = 1; - } - - wait_for_siblings: -@@ -466,7 +465,7 @@ static int microcode_reload_late(void) - atomic_set(&late_cpus_out, 0); - - ret = stop_machine_cpuslocked(__reload_late, NULL, cpu_online_mask); -- if (ret > 0) -+ if (ret == 0) - microcode_check(); - - pr_info("Reload completed, microcode revision: 0x%x -> 0x%x\n", -@@ -508,7 +507,7 @@ static ssize_t reload_store(struct device *dev, - put: - put_online_cpus(); - -- if (ret >= 0) -+ if (ret == 0) - ret = size; - - add_taint(TAINT_CPU_OUT_OF_SPEC, LOCKDEP_STILL_OK); --- -2.39.3 - diff --git a/SOURCES/1027-x86-microcode-Add-a-parameter-to-microcode_check-to-.patch b/SOURCES/1027-x86-microcode-Add-a-parameter-to-microcode_check-to-.patch deleted file mode 100644 index b80ea67..0000000 --- a/SOURCES/1027-x86-microcode-Add-a-parameter-to-microcode_check-to-.patch +++ /dev/null @@ -1,110 +0,0 @@ -From e298b1596a0ace2d3b272747a645856f6eb61128 Mon Sep 17 00:00:00 2001 -From: Ashok Raj -Date: Mon, 9 Jan 2023 07:35:50 -0800 -Subject: [PATCH 13/36] x86/microcode: Add a parameter to microcode_check() to - store CPU capabilities - -Add a parameter to store CPU capabilities before performing a microcode -update so that CPU capabilities can be compared before and after update. - - [ bp: Massage. ] - -Signed-off-by: Ashok Raj -Signed-off-by: Borislav Petkov (AMD) -Link: https://lore.kernel.org/r/20230109153555.4986-2-ashok.raj@intel.com -(cherry picked from commit ab31c74455c64e69342ddab21fd9426fcbfefde7) - -CVE: CVE-2023-20593 -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/include/asm/processor.h | 2 +- - arch/x86/kernel/cpu/common.c | 21 +++++++++++++-------- - arch/x86/kernel/cpu/microcode/core.c | 3 ++- - 3 files changed, 16 insertions(+), 10 deletions(-) - -diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h -index 605740dfd017..9968d456d7e8 100644 ---- a/arch/x86/include/asm/processor.h -+++ b/arch/x86/include/asm/processor.h -@@ -919,7 +919,7 @@ bool xen_set_default_idle(void); - - void stop_this_cpu(void *dummy); - void df_debug(struct pt_regs *regs, long error_code); --void microcode_check(void); -+void microcode_check(struct cpuinfo_x86 *prev_info); - - enum l1tf_mitigations { - L1TF_MITIGATION_OFF, -diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index 7be057c7531c..437fe55acce8 100644 ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -2146,30 +2146,35 @@ void cpu_init_secondary(void) - #endif - - #ifdef CONFIG_MICROCODE_LATE_LOADING --/* -+/** -+ * microcode_check() - Check if any CPU capabilities changed after an update. -+ * @prev_info: CPU capabilities stored before an update. -+ * - * The microcode loader calls this upon late microcode load to recheck features, - * only when microcode has been updated. Caller holds microcode_mutex and CPU - * hotplug lock. -+ * -+ * Return: None - */ --void microcode_check(void) -+void microcode_check(struct cpuinfo_x86 *prev_info) - { -- struct cpuinfo_x86 info; -- - perf_check_microcode(); - - /* Reload CPUID max function as it might've changed. */ -- info.cpuid_level = cpuid_eax(0); -+ prev_info->cpuid_level = cpuid_eax(0); - - /* - * Copy all capability leafs to pick up the synthetic ones so that - * memcmp() below doesn't fail on that. The ones coming from CPUID will - * get overwritten in get_cpu_cap(). - */ -- memcpy(&info.x86_capability, &boot_cpu_data.x86_capability, sizeof(info.x86_capability)); -+ memcpy(&prev_info->x86_capability, &boot_cpu_data.x86_capability, -+ sizeof(prev_info->x86_capability)); - -- get_cpu_cap(&info); -+ get_cpu_cap(prev_info); - -- if (!memcmp(&info.x86_capability, &boot_cpu_data.x86_capability, sizeof(info.x86_capability))) -+ if (!memcmp(&prev_info->x86_capability, &boot_cpu_data.x86_capability, -+ sizeof(prev_info->x86_capability))) - return; - - pr_warn("x86/CPU: CPU features have changed after loading microcode, but might not take effect.\n"); -diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c -index 36f78ceca5f2..41a90074df21 100644 ---- a/arch/x86/kernel/cpu/microcode/core.c -+++ b/arch/x86/kernel/cpu/microcode/core.c -@@ -457,6 +457,7 @@ wait_for_siblings: - static int microcode_reload_late(void) - { - int old = boot_cpu_data.microcode, ret; -+ struct cpuinfo_x86 prev_info; - - pr_err("Attempting late microcode loading - it is dangerous and taints the kernel.\n"); - pr_err("You should switch to early loading, if possible.\n"); -@@ -466,7 +467,7 @@ static int microcode_reload_late(void) - - ret = stop_machine_cpuslocked(__reload_late, NULL, cpu_online_mask); - if (ret == 0) -- microcode_check(); -+ microcode_check(&prev_info); - - pr_info("Reload completed, microcode revision: 0x%x -> 0x%x\n", - old, boot_cpu_data.microcode); --- -2.39.3 - diff --git a/SOURCES/1028-x86-microcode-Check-CPU-capabilities-after-late-micr.patch b/SOURCES/1028-x86-microcode-Check-CPU-capabilities-after-late-micr.patch deleted file mode 100644 index 174b0c6..0000000 --- a/SOURCES/1028-x86-microcode-Check-CPU-capabilities-after-late-micr.patch +++ /dev/null @@ -1,135 +0,0 @@ -From a8cd7508b4dfd8cedd394da8cdb0253f18bdb1a8 Mon Sep 17 00:00:00 2001 -From: Ashok Raj -Date: Mon, 9 Jan 2023 07:35:51 -0800 -Subject: [PATCH 14/36] x86/microcode: Check CPU capabilities after late - microcode update correctly - -The kernel caches each CPU's feature bits at boot in an x86_capability[] -structure. However, the capabilities in the BSP's copy can be turned off -as a result of certain command line parameters or configuration -restrictions, for example the SGX bit. This can cause a mismatch when -comparing the values before and after the microcode update. - -microcode_check() is called after an update to report any previously -cached CPUID bits which might have changed due to the update. - -Therefore, store the cached CPU caps before the update and compare them -with the CPU caps after the microcode update has succeeded. - -Thus, the comparison is done between the CPUID *hardware* bits before -and after the upgrade instead of using the cached, possibly runtime -modified values in BSP's boot_cpu_data copy. - -As a result, false warnings about CPUID bits changes are avoided. - - [ bp: - - Massage. - - Add SRBDS_CTRL example. - - Add kernel-doc. - - Incorporate forgotten review feedback from dhansen. - ] - -Fixes: 1008c52c09dc ("x86/CPU: Add a microcode loader callback") -Signed-off-by: Ashok Raj -Signed-off-by: Borislav Petkov (AMD) -Link: https://lore.kernel.org/r/20230109153555.4986-3-ashok.raj@intel.com -(cherry picked from commit c0dd9245aa9e25a697181f6085692272c9ec61bc) - -CVE: CVE-2023-20593 -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/include/asm/processor.h | 1 + - arch/x86/kernel/cpu/common.c | 36 ++++++++++++++++++---------- - arch/x86/kernel/cpu/microcode/core.c | 6 +++++ - 3 files changed, 30 insertions(+), 13 deletions(-) - -diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h -index 9968d456d7e8..820104bdee1f 100644 ---- a/arch/x86/include/asm/processor.h -+++ b/arch/x86/include/asm/processor.h -@@ -920,6 +920,7 @@ bool xen_set_default_idle(void); - void stop_this_cpu(void *dummy); - void df_debug(struct pt_regs *regs, long error_code); - void microcode_check(struct cpuinfo_x86 *prev_info); -+void store_cpu_caps(struct cpuinfo_x86 *info); - - enum l1tf_mitigations { - L1TF_MITIGATION_OFF, -diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index 437fe55acce8..22763a691b7b 100644 ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -2146,6 +2146,25 @@ void cpu_init_secondary(void) - #endif - - #ifdef CONFIG_MICROCODE_LATE_LOADING -+/** -+ * store_cpu_caps() - Store a snapshot of CPU capabilities -+ * @curr_info: Pointer where to store it -+ * -+ * Returns: None -+ */ -+void store_cpu_caps(struct cpuinfo_x86 *curr_info) -+{ -+ /* Reload CPUID max function as it might've changed. */ -+ curr_info->cpuid_level = cpuid_eax(0); -+ -+ /* Copy all capability leafs and pick up the synthetic ones. */ -+ memcpy(&curr_info->x86_capability, &boot_cpu_data.x86_capability, -+ sizeof(curr_info->x86_capability)); -+ -+ /* Get the hardware CPUID leafs */ -+ get_cpu_cap(curr_info); -+} -+ - /** - * microcode_check() - Check if any CPU capabilities changed after an update. - * @prev_info: CPU capabilities stored before an update. -@@ -2158,22 +2177,13 @@ void cpu_init_secondary(void) - */ - void microcode_check(struct cpuinfo_x86 *prev_info) - { -- perf_check_microcode(); -- -- /* Reload CPUID max function as it might've changed. */ -- prev_info->cpuid_level = cpuid_eax(0); -+ struct cpuinfo_x86 curr_info; - -- /* -- * Copy all capability leafs to pick up the synthetic ones so that -- * memcmp() below doesn't fail on that. The ones coming from CPUID will -- * get overwritten in get_cpu_cap(). -- */ -- memcpy(&prev_info->x86_capability, &boot_cpu_data.x86_capability, -- sizeof(prev_info->x86_capability)); -+ perf_check_microcode(); - -- get_cpu_cap(prev_info); -+ store_cpu_caps(&curr_info); - -- if (!memcmp(&prev_info->x86_capability, &boot_cpu_data.x86_capability, -+ if (!memcmp(&prev_info->x86_capability, &curr_info.x86_capability, - sizeof(prev_info->x86_capability))) - return; - -diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c -index 41a90074df21..9df2c40a4ddf 100644 ---- a/arch/x86/kernel/cpu/microcode/core.c -+++ b/arch/x86/kernel/cpu/microcode/core.c -@@ -465,6 +465,12 @@ static int microcode_reload_late(void) - atomic_set(&late_cpus_in, 0); - atomic_set(&late_cpus_out, 0); - -+ /* -+ * Take a snapshot before the microcode update in order to compare and -+ * check whether any bits changed after an update. -+ */ -+ store_cpu_caps(&prev_info); -+ - ret = stop_machine_cpuslocked(__reload_late, NULL, cpu_online_mask); - if (ret == 0) - microcode_check(&prev_info); --- -2.39.3 - diff --git a/SOURCES/1029-x86-microcode-Adjust-late-loading-result-reporting-m.patch b/SOURCES/1029-x86-microcode-Adjust-late-loading-result-reporting-m.patch deleted file mode 100644 index 4d325ae..0000000 --- a/SOURCES/1029-x86-microcode-Adjust-late-loading-result-reporting-m.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 527c5ac4a29d4b854b10586ea877c65174cbd40d Mon Sep 17 00:00:00 2001 -From: Ashok Raj -Date: Mon, 9 Jan 2023 07:35:52 -0800 -Subject: [PATCH 15/36] x86/microcode: Adjust late loading result reporting - message - -During late microcode loading, the "Reload completed" message is issued -unconditionally, regardless of success or failure. - -Adjust the message to report the result of the update. - - [ bp: Massage. ] - -Fixes: 9bd681251b7c ("x86/microcode: Announce reload operation's completion") -Suggested-by: Thomas Gleixner -Signed-off-by: Ashok Raj -Signed-off-by: Borislav Petkov (AMD) -Reviewed-by: Tony Luck -Link: https://lore.kernel.org/lkml/874judpqqd.ffs@tglx/ -(cherry picked from commit 6eab3abac7043226e5375e9ead0c7607ced6767b) - -CVE: CVE-2023-20593 -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/kernel/cpu/microcode/core.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c -index 9df2c40a4ddf..fb383088bede 100644 ---- a/arch/x86/kernel/cpu/microcode/core.c -+++ b/arch/x86/kernel/cpu/microcode/core.c -@@ -472,11 +472,14 @@ static int microcode_reload_late(void) - store_cpu_caps(&prev_info); - - ret = stop_machine_cpuslocked(__reload_late, NULL, cpu_online_mask); -- if (ret == 0) -+ if (!ret) { -+ pr_info("Reload succeeded, microcode revision: 0x%x -> 0x%x\n", -+ old, boot_cpu_data.microcode); - microcode_check(&prev_info); -- -- pr_info("Reload completed, microcode revision: 0x%x -> 0x%x\n", -- old, boot_cpu_data.microcode); -+ } else { -+ pr_info("Reload failed, current microcode revision: 0x%x\n", -+ boot_cpu_data.microcode); -+ } - - return ret; - } --- -2.39.3 - diff --git a/SOURCES/1030-x86-amd-Cache-debug-register-values-in-percpu-variab.patch b/SOURCES/1030-x86-amd-Cache-debug-register-values-in-percpu-variab.patch deleted file mode 100644 index d94878a..0000000 --- a/SOURCES/1030-x86-amd-Cache-debug-register-values-in-percpu-variab.patch +++ /dev/null @@ -1,148 +0,0 @@ -From e167d6613aef8356261f97e2b50489142f8e1406 Mon Sep 17 00:00:00 2001 -From: Alexey Kardashevskiy -Date: Fri, 20 Jan 2023 14:10:45 +1100 -Subject: [PATCH 16/36] x86/amd: Cache debug register values in percpu - variables - -Reading DR[0-3]_ADDR_MASK MSRs takes about 250 cycles which is going to -be noticeable with the AMD KVM SEV-ES DebugSwap feature enabled. KVM is -going to store host's DR[0-3] and DR[0-3]_ADDR_MASK before switching to -a guest; the hardware is going to swap these on VMRUN and VMEXIT. - -Store MSR values passed to set_dr_addr_mask() in percpu variables -(when changed) and return them via new amd_get_dr_addr_mask(). -The gain here is about 10x. - -As set_dr_addr_mask() uses the array too, change the @dr type to -unsigned to avoid checking for <0. And give it the amd_ prefix to match -the new helper as the whole DR_ADDR_MASK feature is AMD-specific anyway. - -While at it, replace deprecated boot_cpu_has() with cpu_feature_enabled() -in set_dr_addr_mask(). - -Signed-off-by: Alexey Kardashevskiy -Signed-off-by: Borislav Petkov (AMD) -Link: https://lore.kernel.org/r/20230120031047.628097-2-aik@amd.com -(cherry picked from commit 7914695743d598b189d549f2f57af24aa5633705) - -The conflict is due to patch 84b6a34 which is not present -in this repo. This is an optimization/not a bug fix. Hence -not porting it. - -CVE: CVE-2023-20593 -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/include/asm/debugreg.h | 9 +++++-- - arch/x86/kernel/cpu/amd.c | 47 +++++++++++++++++++++++---------- - arch/x86/kernel/hw_breakpoint.c | 4 +-- - 3 files changed, 42 insertions(+), 18 deletions(-) - -diff --git a/arch/x86/include/asm/debugreg.h b/arch/x86/include/asm/debugreg.h -index 1c964123f2dd..ccf6639c8df9 100644 ---- a/arch/x86/include/asm/debugreg.h -+++ b/arch/x86/include/asm/debugreg.h -@@ -144,9 +144,14 @@ static __always_inline void local_db_restore(unsigned long dr7) - } - - #ifdef CONFIG_CPU_SUP_AMD --extern void set_dr_addr_mask(unsigned long mask, int dr); -+extern void amd_set_dr_addr_mask(unsigned long mask, unsigned int dr); -+extern unsigned long amd_get_dr_addr_mask(unsigned int dr); - #else --static inline void set_dr_addr_mask(unsigned long mask, int dr) { } -+static inline void amd_set_dr_addr_mask(unsigned long mask, unsigned int dr) { } -+static inline unsigned long amd_get_dr_addr_mask(unsigned int dr) -+{ -+ return 0; -+} - #endif - - #endif /* _ASM_X86_DEBUGREG_H */ -diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c -index efa49b3f87b9..6eb7923f5f08 100644 ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -1146,24 +1146,43 @@ static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) - return false; - } - --void set_dr_addr_mask(unsigned long mask, int dr) -+static DEFINE_PER_CPU_READ_MOSTLY(unsigned long[4], amd_dr_addr_mask); -+ -+static unsigned int amd_msr_dr_addr_masks[] = { -+ MSR_F16H_DR0_ADDR_MASK, -+ MSR_F16H_DR1_ADDR_MASK, -+ MSR_F16H_DR1_ADDR_MASK + 1, -+ MSR_F16H_DR1_ADDR_MASK + 2 -+}; -+ -+void amd_set_dr_addr_mask(unsigned long mask, unsigned int dr) - { -- if (!boot_cpu_has(X86_FEATURE_BPEXT)) -+ int cpu = smp_processor_id(); -+ -+ if (!cpu_feature_enabled(X86_FEATURE_BPEXT)) - return; - -- switch (dr) { -- case 0: -- wrmsr(MSR_F16H_DR0_ADDR_MASK, mask, 0); -- break; -- case 1: -- case 2: -- case 3: -- wrmsr(MSR_F16H_DR1_ADDR_MASK - 1 + dr, mask, 0); -- break; -- default: -- break; -- } -+ if (WARN_ON_ONCE(dr >= ARRAY_SIZE(amd_msr_dr_addr_masks))) -+ return; -+ -+ if (per_cpu(amd_dr_addr_mask, cpu)[dr] == mask) -+ return; -+ -+ wrmsr(amd_msr_dr_addr_masks[dr], mask, 0); -+ per_cpu(amd_dr_addr_mask, cpu)[dr] = mask; -+} -+ -+unsigned long amd_get_dr_addr_mask(unsigned int dr) -+{ -+ if (!cpu_feature_enabled(X86_FEATURE_BPEXT)) -+ return 0; -+ -+ if (WARN_ON_ONCE(dr >= ARRAY_SIZE(amd_msr_dr_addr_masks))) -+ return 0; -+ -+ return per_cpu(amd_dr_addr_mask[dr], smp_processor_id()); - } -+EXPORT_SYMBOL_GPL(amd_get_dr_addr_mask); - - u32 amd_get_highest_perf(void) - { -diff --git a/arch/x86/kernel/hw_breakpoint.c b/arch/x86/kernel/hw_breakpoint.c -index 3871950432d6..d38d4648512d 100644 ---- a/arch/x86/kernel/hw_breakpoint.c -+++ b/arch/x86/kernel/hw_breakpoint.c -@@ -129,7 +129,7 @@ int arch_install_hw_breakpoint(struct perf_event *bp) - - set_debugreg(*dr7, 7); - if (info->mask) -- set_dr_addr_mask(info->mask, i); -+ amd_set_dr_addr_mask(info->mask, i); - - return 0; - } -@@ -166,7 +166,7 @@ void arch_uninstall_hw_breakpoint(struct perf_event *bp) - - set_debugreg(*dr7, 7); - if (info->mask) -- set_dr_addr_mask(0, i); -+ amd_set_dr_addr_mask(0, i); - } - - static int arch_bp_generic_len(int x86_len) --- -2.39.3 - diff --git a/SOURCES/1031-x86-microcode-Remove-request_microcode_user.patch b/SOURCES/1031-x86-microcode-Remove-request_microcode_user.patch deleted file mode 100644 index 3189ce7..0000000 --- a/SOURCES/1031-x86-microcode-Remove-request_microcode_user.patch +++ /dev/null @@ -1,94 +0,0 @@ -From a53f36400559990c1a3716f11ecb46c03cc7cde7 Mon Sep 17 00:00:00 2001 -From: Borislav Petkov -Date: Thu, 25 Aug 2022 09:51:57 +0200 -Subject: [PATCH 17/36] x86/microcode: Remove ->request_microcode_user() - - 181b6f40e9ea ("x86/microcode: Rip out the OLD_INTERFACE") - -removed the old microcode loading interface but forgot to remove the -related ->request_microcode_user() functionality which it uses. - -Rip it out now too. - -Signed-off-by: Borislav Petkov -Link: https://lore.kernel.org/r/20220825075445.28171-1-bp@alien8.de -(cherry picked from commit 8c61eafd22d7207039bff85c6e1d386f15abd17e) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/include/asm/microcode.h | 3 --- - arch/x86/kernel/cpu/microcode/amd.c | 7 ------- - arch/x86/kernel/cpu/microcode/intel.c | 17 ----------------- - 3 files changed, 27 deletions(-) - -diff --git a/arch/x86/include/asm/microcode.h b/arch/x86/include/asm/microcode.h -index a930a63d1260..215ea340e7f9 100644 ---- a/arch/x86/include/asm/microcode.h -+++ b/arch/x86/include/asm/microcode.h -@@ -32,9 +32,6 @@ enum ucode_state { - }; - - struct microcode_ops { -- enum ucode_state (*request_microcode_user) (int cpu, -- const void __user *buf, size_t size); -- - enum ucode_state (*request_microcode_fw) (int cpu, struct device *, - bool refresh_fw); - -diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c -index 0b557d04be22..9d15b7e5a13e 100644 ---- a/arch/x86/kernel/cpu/microcode/amd.c -+++ b/arch/x86/kernel/cpu/microcode/amd.c -@@ -929,12 +929,6 @@ static enum ucode_state request_microcode_amd(int cpu, struct device *device, - return ret; - } - --static enum ucode_state --request_microcode_user(int cpu, const void __user *buf, size_t size) --{ -- return UCODE_ERROR; --} -- - static void microcode_fini_cpu_amd(int cpu) - { - struct ucode_cpu_info *uci = ucode_cpu_info + cpu; -@@ -943,7 +937,6 @@ static void microcode_fini_cpu_amd(int cpu) - } - - static struct microcode_ops microcode_amd_ops = { -- .request_microcode_user = request_microcode_user, - .request_microcode_fw = request_microcode_amd, - .collect_cpu_info = collect_cpu_info_amd, - .apply_microcode = apply_microcode_amd, -diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c -index 5f8223909db4..6fa667192bd9 100644 ---- a/arch/x86/kernel/cpu/microcode/intel.c -+++ b/arch/x86/kernel/cpu/microcode/intel.c -@@ -952,24 +952,7 @@ static enum ucode_state request_microcode_fw(int cpu, struct device *device, - return ret; - } - --static enum ucode_state --request_microcode_user(int cpu, const void __user *buf, size_t size) --{ -- struct iov_iter iter; -- struct iovec iov; -- -- if (is_blacklisted(cpu)) -- return UCODE_NFOUND; -- -- iov.iov_base = (void __user *)buf; -- iov.iov_len = size; -- iov_iter_init(&iter, WRITE, &iov, 1, size); -- -- return generic_load_microcode(cpu, &iter); --} -- - static struct microcode_ops microcode_intel_ops = { -- .request_microcode_user = request_microcode_user, - .request_microcode_fw = request_microcode_fw, - .collect_cpu_info = collect_cpu_info, - .apply_microcode = apply_microcode_intel, --- -2.39.3 - diff --git a/SOURCES/1032-x86-microcode-Kill-refresh_fw.patch b/SOURCES/1032-x86-microcode-Kill-refresh_fw.patch deleted file mode 100644 index 536adeb..0000000 --- a/SOURCES/1032-x86-microcode-Kill-refresh_fw.patch +++ /dev/null @@ -1,88 +0,0 @@ -From f93ce31159692d4be33e05f6a63361c7b9a29292 Mon Sep 17 00:00:00 2001 -From: Borislav Petkov -Date: Wed, 19 Oct 2022 19:16:20 +0200 -Subject: [PATCH 18/36] x86/microcode: Kill refresh_fw - -request_microcode_fw() can always request firmware now so drop this -superfluous argument. - -Signed-off-by: Borislav Petkov -Reviewed-by: Ashok Raj -Link: https://lore.kernel.org/r/20221028142638.28498-4-bp@alien8.de -(cherry picked from commit a61ac80ae52ea349416472cd52005f9988537208) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/include/asm/microcode.h | 3 +-- - arch/x86/kernel/cpu/microcode/amd.c | 5 ++--- - arch/x86/kernel/cpu/microcode/core.c | 2 +- - arch/x86/kernel/cpu/microcode/intel.c | 3 +-- - 4 files changed, 5 insertions(+), 8 deletions(-) - -diff --git a/arch/x86/include/asm/microcode.h b/arch/x86/include/asm/microcode.h -index 215ea340e7f9..af1ba544c800 100644 ---- a/arch/x86/include/asm/microcode.h -+++ b/arch/x86/include/asm/microcode.h -@@ -32,8 +32,7 @@ enum ucode_state { - }; - - struct microcode_ops { -- enum ucode_state (*request_microcode_fw) (int cpu, struct device *, -- bool refresh_fw); -+ enum ucode_state (*request_microcode_fw) (int cpu, struct device *); - - void (*microcode_fini_cpu) (int cpu); - -diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c -index 9d15b7e5a13e..381addff7fc8 100644 ---- a/arch/x86/kernel/cpu/microcode/amd.c -+++ b/arch/x86/kernel/cpu/microcode/amd.c -@@ -895,8 +895,7 @@ load_microcode_amd(bool save, u8 family, const u8 *data, size_t size) - * - * These might be larger than 2K. - */ --static enum ucode_state request_microcode_amd(int cpu, struct device *device, -- bool refresh_fw) -+static enum ucode_state request_microcode_amd(int cpu, struct device *device) - { - char fw_name[36] = "amd-ucode/microcode_amd.bin"; - struct cpuinfo_x86 *c = &cpu_data(cpu); -@@ -905,7 +904,7 @@ static enum ucode_state request_microcode_amd(int cpu, struct device *device, - const struct firmware *fw; - - /* reload ucode container only on the boot cpu */ -- if (!refresh_fw || !bsp) -+ if (!bsp) - return UCODE_OK; - - if (c->x86 >= 0x15) -diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c -index fb383088bede..3d4c2c1aae11 100644 ---- a/arch/x86/kernel/cpu/microcode/core.c -+++ b/arch/x86/kernel/cpu/microcode/core.c -@@ -506,7 +506,7 @@ static ssize_t reload_store(struct device *dev, - if (ret) - goto put; - -- tmp_ret = microcode_ops->request_microcode_fw(bsp, µcode_pdev->dev, true); -+ tmp_ret = microcode_ops->request_microcode_fw(bsp, µcode_pdev->dev); - if (tmp_ret != UCODE_NEW) - goto put; - -diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c -index 6fa667192bd9..818d5fa8ca20 100644 ---- a/arch/x86/kernel/cpu/microcode/intel.c -+++ b/arch/x86/kernel/cpu/microcode/intel.c -@@ -921,8 +921,7 @@ static bool is_blacklisted(unsigned int cpu) - return false; - } - --static enum ucode_state request_microcode_fw(int cpu, struct device *device, -- bool refresh_fw) -+static enum ucode_state request_microcode_fw(int cpu, struct device *device) - { - struct cpuinfo_x86 *c = &cpu_data(cpu); - const struct firmware *firmware; --- -2.39.3 - diff --git a/SOURCES/1033-x86-microcode-amd-Remove-load_microcode_amd-s-bsp-pa.patch b/SOURCES/1033-x86-microcode-amd-Remove-load_microcode_amd-s-bsp-pa.patch deleted file mode 100644 index c966f64..0000000 --- a/SOURCES/1033-x86-microcode-amd-Remove-load_microcode_amd-s-bsp-pa.patch +++ /dev/null @@ -1,92 +0,0 @@ -From cb425451860828e0ac0516f58a37b131f0476b3c Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Tue, 17 Jan 2023 23:59:24 +0100 -Subject: [PATCH 19/36] x86/microcode/amd: Remove load_microcode_amd()'s bsp - parameter - -It is always the BSP. - -No functional changes. - -Signed-off-by: Borislav Petkov (AMD) -Link: https://lore.kernel.org/r/20230130161709.11615-2-bp@alien8.de -(cherry picked from commit 2355370cd941cbb20882cc3f34460f9f2b8f9a18) - -CVE: CVE-2023-20593 -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/kernel/cpu/microcode/amd.c | 19 ++++--------------- - 1 file changed, 4 insertions(+), 15 deletions(-) - -diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c -index 381addff7fc8..68643a68fa11 100644 ---- a/arch/x86/kernel/cpu/microcode/amd.c -+++ b/arch/x86/kernel/cpu/microcode/amd.c -@@ -547,8 +547,7 @@ void load_ucode_amd_ap(unsigned int cpuid_1_eax) - early_apply_microcode(cpuid_1_eax, cp.data, cp.size, false); - } - --static enum ucode_state --load_microcode_amd(bool save, u8 family, const u8 *data, size_t size); -+static enum ucode_state load_microcode_amd(u8 family, const u8 *data, size_t size); - - int __init save_microcode_in_initrd_amd(unsigned int cpuid_1_eax) - { -@@ -566,7 +565,7 @@ int __init save_microcode_in_initrd_amd(unsigned int cpuid_1_eax) - if (!desc.mc) - return -EINVAL; - -- ret = load_microcode_amd(true, x86_family(cpuid_1_eax), desc.data, desc.size); -+ ret = load_microcode_amd(x86_family(cpuid_1_eax), desc.data, desc.size); - if (ret > UCODE_UPDATED) - return -EINVAL; - -@@ -844,8 +843,7 @@ static enum ucode_state __load_microcode_amd(u8 family, const u8 *data, - return UCODE_OK; - } - --static enum ucode_state --load_microcode_amd(bool save, u8 family, const u8 *data, size_t size) -+static enum ucode_state load_microcode_amd(u8 family, const u8 *data, size_t size) - { - struct ucode_patch *p; - enum ucode_state ret; -@@ -869,10 +867,6 @@ load_microcode_amd(bool save, u8 family, const u8 *data, size_t size) - ret = UCODE_NEW; - } - -- /* save BSP's matching patch for early load */ -- if (!save) -- return ret; -- - memset(amd_ucode_patch, 0, PATCH_MAX_SIZE); - memcpy(amd_ucode_patch, p->data, min_t(u32, ksize(p->data), PATCH_MAX_SIZE)); - -@@ -899,14 +893,9 @@ static enum ucode_state request_microcode_amd(int cpu, struct device *device) - { - char fw_name[36] = "amd-ucode/microcode_amd.bin"; - struct cpuinfo_x86 *c = &cpu_data(cpu); -- bool bsp = c->cpu_index == boot_cpu_data.cpu_index; - enum ucode_state ret = UCODE_NFOUND; - const struct firmware *fw; - -- /* reload ucode container only on the boot cpu */ -- if (!bsp) -- return UCODE_OK; -- - if (c->x86 >= 0x15) - snprintf(fw_name, sizeof(fw_name), "amd-ucode/microcode_amd_fam%.2xh.bin", c->x86); - -@@ -919,7 +908,7 @@ static enum ucode_state request_microcode_amd(int cpu, struct device *device) - if (!verify_container(fw->data, fw->size, false)) - goto fw_release; - -- ret = load_microcode_amd(bsp, c->x86, fw->data, fw->size); -+ ret = load_microcode_amd(c->x86, fw->data, fw->size); - - fw_release: - release_firmware(fw); --- -2.39.3 - diff --git a/SOURCES/1034-x86-microcode-Drop-struct-ucode_cpu_info.valid.patch b/SOURCES/1034-x86-microcode-Drop-struct-ucode_cpu_info.valid.patch deleted file mode 100644 index fbba3bc..0000000 --- a/SOURCES/1034-x86-microcode-Drop-struct-ucode_cpu_info.valid.patch +++ /dev/null @@ -1,62 +0,0 @@ -From fbc8e41bf83779c3c6727075c5d131a3aa9f7a2b Mon Sep 17 00:00:00 2001 -From: Borislav Petkov -Date: Wed, 19 Oct 2022 19:25:27 +0200 -Subject: [PATCH 20/36] x86/microcode: Drop struct ucode_cpu_info.valid - -It is not needed anymore. - -Signed-off-by: Borislav Petkov -Reviewed-by: Ashok Raj -Link: https://lore.kernel.org/r/20221028142638.28498-6-bp@alien8.de -(cherry picked from commit 254ed7cf4dd79a18bbc496ab53f6c82d45431c78) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/include/asm/microcode.h | 1 - - arch/x86/kernel/cpu/intel.c | 1 - - arch/x86/kernel/cpu/microcode/core.c | 4 ++-- - 3 files changed, 2 insertions(+), 4 deletions(-) - -diff --git a/arch/x86/include/asm/microcode.h b/arch/x86/include/asm/microcode.h -index af1ba544c800..e65c39a1f5fa 100644 ---- a/arch/x86/include/asm/microcode.h -+++ b/arch/x86/include/asm/microcode.h -@@ -48,7 +48,6 @@ struct microcode_ops { - - struct ucode_cpu_info { - struct cpu_signature cpu_sig; -- int valid; - void *mc; - }; - extern struct ucode_cpu_info ucode_cpu_info[]; -diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c -index cf85431fb09a..c7935482c58a 100644 ---- a/arch/x86/kernel/cpu/intel.c -+++ b/arch/x86/kernel/cpu/intel.c -@@ -243,7 +243,6 @@ int intel_cpu_collect_info(struct ucode_cpu_info *uci) - csig.rev = intel_get_microcode_revision(); - - uci->cpu_sig = csig; -- uci->valid = 1; - - return 0; - } -diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c -index 3d4c2c1aae11..6cd0db1e7b96 100644 ---- a/arch/x86/kernel/cpu/microcode/core.c -+++ b/arch/x86/kernel/cpu/microcode/core.c -@@ -583,9 +583,9 @@ void microcode_bsp_resume(void) - int cpu = smp_processor_id(); - struct ucode_cpu_info *uci = ucode_cpu_info + cpu; - -- if (uci->valid && uci->mc) -+ if (uci->mc) - microcode_ops->apply_microcode(cpu); -- else if (!uci->mc) -+ else - reload_early_microcode(); - } - --- -2.39.3 - diff --git a/SOURCES/1035-x86-microcode-AMD-Add-a-cpu-parameter-to-the-reloadi.patch b/SOURCES/1035-x86-microcode-AMD-Add-a-cpu-parameter-to-the-reloadi.patch deleted file mode 100644 index 29e78b7..0000000 --- a/SOURCES/1035-x86-microcode-AMD-Add-a-cpu-parameter-to-the-reloadi.patch +++ /dev/null @@ -1,110 +0,0 @@ -From 077f4f2e376a6489736ee5994db3539593941c0c Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Thu, 26 Jan 2023 00:08:03 +0100 -Subject: [PATCH 21/36] x86/microcode/AMD: Add a @cpu parameter to the - reloading functions - -Will be used in a subsequent change. - -Signed-off-by: Borislav Petkov (AMD) -Link: https://lore.kernel.org/r/20230130161709.11615-3-bp@alien8.de -(cherry picked from commit a5ad92134bd153a9ccdcddf09a95b088f36c3cce) - -CVE: CVE-2023-20593 -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/include/asm/microcode.h | 4 ++-- - arch/x86/include/asm/microcode_amd.h | 4 ++-- - arch/x86/kernel/cpu/microcode/amd.c | 2 +- - arch/x86/kernel/cpu/microcode/core.c | 6 +++--- - 4 files changed, 8 insertions(+), 8 deletions(-) - -diff --git a/arch/x86/include/asm/microcode.h b/arch/x86/include/asm/microcode.h -index e65c39a1f5fa..67051a58a18b 100644 ---- a/arch/x86/include/asm/microcode.h -+++ b/arch/x86/include/asm/microcode.h -@@ -125,7 +125,7 @@ static inline unsigned int x86_cpuid_family(void) - int __init microcode_init(void); - extern void __init load_ucode_bsp(void); - extern void load_ucode_ap(void); --void reload_early_microcode(void); -+void reload_early_microcode(unsigned int cpu); - extern bool get_builtin_firmware(struct cpio_data *cd, const char *name); - extern bool initrd_gone; - void microcode_bsp_resume(void); -@@ -133,7 +133,7 @@ void microcode_bsp_resume(void); - static inline int __init microcode_init(void) { return 0; }; - static inline void __init load_ucode_bsp(void) { } - static inline void load_ucode_ap(void) { } --static inline void reload_early_microcode(void) { } -+static inline void reload_early_microcode(unsigned int cpu) { } - static inline bool - get_builtin_firmware(struct cpio_data *cd, const char *name) { return false; } - static inline void microcode_bsp_resume(void) { } -diff --git a/arch/x86/include/asm/microcode_amd.h b/arch/x86/include/asm/microcode_amd.h -index 7063b5a43220..a645b25ee442 100644 ---- a/arch/x86/include/asm/microcode_amd.h -+++ b/arch/x86/include/asm/microcode_amd.h -@@ -47,12 +47,12 @@ struct microcode_amd { - extern void __init load_ucode_amd_bsp(unsigned int family); - extern void load_ucode_amd_ap(unsigned int family); - extern int __init save_microcode_in_initrd_amd(unsigned int family); --void reload_ucode_amd(void); -+void reload_ucode_amd(unsigned int cpu); - #else - static inline void __init load_ucode_amd_bsp(unsigned int family) {} - static inline void load_ucode_amd_ap(unsigned int family) {} - static inline int __init - save_microcode_in_initrd_amd(unsigned int family) { return -EINVAL; } --static inline void reload_ucode_amd(void) {} -+static inline void reload_ucode_amd(unsigned int cpu) {} - #endif - #endif /* _ASM_X86_MICROCODE_AMD_H */ -diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c -index 68643a68fa11..6ab27650f8a7 100644 ---- a/arch/x86/kernel/cpu/microcode/amd.c -+++ b/arch/x86/kernel/cpu/microcode/amd.c -@@ -572,7 +572,7 @@ int __init save_microcode_in_initrd_amd(unsigned int cpuid_1_eax) - return 0; - } - --void reload_ucode_amd(void) -+void reload_ucode_amd(unsigned int cpu) - { - struct microcode_amd *mc; - u32 rev, dummy __always_unused; -diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c -index 6cd0db1e7b96..681df41e5b69 100644 ---- a/arch/x86/kernel/cpu/microcode/core.c -+++ b/arch/x86/kernel/cpu/microcode/core.c -@@ -317,7 +317,7 @@ struct cpio_data find_microcode_in_initrd(const char *path, bool use_pa) - #endif - } - --void reload_early_microcode(void) -+void reload_early_microcode(unsigned int cpu) - { - int vendor, family; - -@@ -331,7 +331,7 @@ void reload_early_microcode(void) - break; - case X86_VENDOR_AMD: - if (family >= 0x10) -- reload_ucode_amd(); -+ reload_ucode_amd(cpu); - break; - default: - break; -@@ -586,7 +586,7 @@ void microcode_bsp_resume(void) - if (uci->mc) - microcode_ops->apply_microcode(cpu); - else -- reload_early_microcode(); -+ reload_early_microcode(cpu); - } - - static struct syscore_ops mc_syscore_ops = { --- -2.39.3 - diff --git a/SOURCES/1036-x86-microcode-AMD-Track-patch-allocation-size-explic.patch b/SOURCES/1036-x86-microcode-AMD-Track-patch-allocation-size-explic.patch deleted file mode 100644 index 38ced25..0000000 --- a/SOURCES/1036-x86-microcode-AMD-Track-patch-allocation-size-explic.patch +++ /dev/null @@ -1,63 +0,0 @@ -From d9032189bbe791846b2c3e224ae164e106e2be1b Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 21 Sep 2022 20:10:10 -0700 -Subject: [PATCH 22/36] x86/microcode/AMD: Track patch allocation size - explicitly - -In preparation for reducing the use of ksize(), record the actual -allocation size for later memcpy(). This avoids copying extra -(uninitialized!) bytes into the patch buffer when the requested -allocation size isn't exactly the size of a kmalloc bucket. -Additionally, fix potential future issues where runtime bounds checking -will notice that the buffer was allocated to a smaller value than -returned by ksize(). - -Fixes: 757885e94a22 ("x86, microcode, amd: Early microcode patch loading support for AMD") -Suggested-by: Daniel Micay -Signed-off-by: Kees Cook -Signed-off-by: Borislav Petkov -Link: https://lore.kernel.org/lkml/CA+DvKQ+bp7Y7gmaVhacjv9uF6Ar-o4tet872h4Q8RPYPJjcJQA@mail.gmail.com/ -(cherry picked from commit 712f210a457d9c32414df246a72781550bc23ef6) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/include/asm/microcode.h | 1 + - arch/x86/kernel/cpu/microcode/amd.c | 3 ++- - 2 files changed, 3 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/include/asm/microcode.h b/arch/x86/include/asm/microcode.h -index 67051a58a18b..629330986955 100644 ---- a/arch/x86/include/asm/microcode.h -+++ b/arch/x86/include/asm/microcode.h -@@ -9,6 +9,7 @@ - struct ucode_patch { - struct list_head plist; - void *data; /* Intel uses only this one */ -+ unsigned int size; - u32 patch_id; - u16 equiv_cpu; - }; -diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c -index 6ab27650f8a7..030f69f93c00 100644 ---- a/arch/x86/kernel/cpu/microcode/amd.c -+++ b/arch/x86/kernel/cpu/microcode/amd.c -@@ -791,6 +791,7 @@ static int verify_and_add_patch(u8 family, u8 *fw, unsigned int leftover, - kfree(patch); - return -EINVAL; - } -+ patch->size = *patch_size; - - mc_hdr = (struct microcode_header_amd *)(fw + SECTION_HDR_SIZE); - proc_id = mc_hdr->processor_rev_id; -@@ -868,7 +869,7 @@ static enum ucode_state load_microcode_amd(u8 family, const u8 *data, size_t siz - } - - memset(amd_ucode_patch, 0, PATCH_MAX_SIZE); -- memcpy(amd_ucode_patch, p->data, min_t(u32, ksize(p->data), PATCH_MAX_SIZE)); -+ memcpy(amd_ucode_patch, p->data, min_t(u32, p->size, PATCH_MAX_SIZE)); - - return ret; - } --- -2.39.3 - diff --git a/SOURCES/1037-x86-microcode-AMD-Fix-mixed-steppings-support.patch b/SOURCES/1037-x86-microcode-AMD-Fix-mixed-steppings-support.patch deleted file mode 100644 index 5fb30c9..0000000 --- a/SOURCES/1037-x86-microcode-AMD-Fix-mixed-steppings-support.patch +++ /dev/null @@ -1,111 +0,0 @@ -From 34d3d5458f58c88954bb3087219610f35e2b5c37 Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Thu, 26 Jan 2023 16:26:17 +0100 -Subject: [PATCH 23/36] x86/microcode/AMD: Fix mixed steppings support - -The AMD side of the loader has always claimed to support mixed -steppings. But somewhere along the way, it broke that by assuming that -the cached patch blob is a single one instead of it being one per -*node*. - -So turn it into a per-node one so that each node can stash the blob -relevant for it. - - [ NB: Fixes tag is not really the exactly correct one but it is good - enough. ] - -Fixes: fe055896c040 ("x86/microcode: Merge the early microcode loader") -Signed-off-by: Borislav Petkov (AMD) -Cc: # 2355370cd941 ("x86/microcode/amd: Remove load_microcode_amd()'s bsp parameter") -Cc: # a5ad92134bd1 ("x86/microcode/AMD: Add a @cpu parameter to the reloading functions") -Link: https://lore.kernel.org/r/20230130161709.11615-4-bp@alien8.de -(cherry picked from commit 7ff6edf4fef38ab404ee7861f257e28eaaeed35f) - -CVE: CVE-2023-20593 -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/kernel/cpu/microcode/amd.c | 34 ++++++++++++++++++----------- - 1 file changed, 21 insertions(+), 13 deletions(-) - -diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c -index 030f69f93c00..d1d31011b8fa 100644 ---- a/arch/x86/kernel/cpu/microcode/amd.c -+++ b/arch/x86/kernel/cpu/microcode/amd.c -@@ -55,7 +55,9 @@ struct cont_desc { - }; - - static u32 ucode_new_rev; --static u8 amd_ucode_patch[PATCH_MAX_SIZE]; -+ -+/* One blob per node. */ -+static u8 amd_ucode_patch[MAX_NUMNODES][PATCH_MAX_SIZE]; - - /* - * Microcode patch container file is prepended to the initrd in cpio -@@ -428,7 +430,7 @@ static bool early_apply_microcode(u32 cpuid_1_eax, void *ucode, size_t size, boo - patch = (u8 (*)[PATCH_MAX_SIZE])__pa_nodebug(&amd_ucode_patch); - #else - new_rev = &ucode_new_rev; -- patch = &amd_ucode_patch; -+ patch = &amd_ucode_patch[0]; - #endif - - desc.cpuid_1_eax = cpuid_1_eax; -@@ -574,10 +576,10 @@ int __init save_microcode_in_initrd_amd(unsigned int cpuid_1_eax) - - void reload_ucode_amd(unsigned int cpu) - { -- struct microcode_amd *mc; - u32 rev, dummy __always_unused; -+ struct microcode_amd *mc; - -- mc = (struct microcode_amd *)amd_ucode_patch; -+ mc = (struct microcode_amd *)amd_ucode_patch[cpu_to_node(cpu)]; - - rdmsr(MSR_AMD64_PATCH_LEVEL, rev, dummy); - -@@ -846,6 +848,8 @@ static enum ucode_state __load_microcode_amd(u8 family, const u8 *data, - - static enum ucode_state load_microcode_amd(u8 family, const u8 *data, size_t size) - { -+ struct cpuinfo_x86 *c; -+ unsigned int nid, cpu; - struct ucode_patch *p; - enum ucode_state ret; - -@@ -858,18 +862,22 @@ static enum ucode_state load_microcode_amd(u8 family, const u8 *data, size_t siz - return ret; - } - -- p = find_patch(0); -- if (!p) { -- return ret; -- } else { -- if (boot_cpu_data.microcode >= p->patch_id) -- return ret; -+ for_each_node(nid) { -+ cpu = cpumask_first(cpumask_of_node(nid)); -+ c = &cpu_data(cpu); -+ -+ p = find_patch(cpu); -+ if (!p) -+ continue; -+ -+ if (c->microcode >= p->patch_id) -+ continue; - - ret = UCODE_NEW; -- } - -- memset(amd_ucode_patch, 0, PATCH_MAX_SIZE); -- memcpy(amd_ucode_patch, p->data, min_t(u32, p->size, PATCH_MAX_SIZE)); -+ memset(&amd_ucode_patch[nid], 0, PATCH_MAX_SIZE); -+ memcpy(&amd_ucode_patch[nid], p->data, min_t(u32, p->size, PATCH_MAX_SIZE)); -+ } - - return ret; - } --- -2.39.3 - diff --git a/SOURCES/1038-x86-microcode-core-Return-an-error-only-when-necessa.patch b/SOURCES/1038-x86-microcode-core-Return-an-error-only-when-necessa.patch deleted file mode 100644 index fab151c..0000000 --- a/SOURCES/1038-x86-microcode-core-Return-an-error-only-when-necessa.patch +++ /dev/null @@ -1,40 +0,0 @@ -From c6dc156a35536e30bb96df8a1b8c93cb16bd219b Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Mon, 30 Jan 2023 13:48:04 +0100 -Subject: [PATCH 24/36] x86/microcode/core: Return an error only when necessary - -Return an error from the late loading function which is run on each CPU -only when an error has actually been encountered during the update. - -Signed-off-by: Borislav Petkov (AMD) -Link: https://lore.kernel.org/r/20230130161709.11615-5-bp@alien8.de -(cherry picked from commit f33e0c893b22bf94d7985f1f2aa3872237560c74) - -CVE: CVE-2023-20593 -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/kernel/cpu/microcode/core.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c -index 681df41e5b69..23b88e66fa7c 100644 ---- a/arch/x86/kernel/cpu/microcode/core.c -+++ b/arch/x86/kernel/cpu/microcode/core.c -@@ -428,10 +428,10 @@ static int __reload_late(void *info) - goto wait_for_siblings; - - if (err >= UCODE_NFOUND) { -- if (err == UCODE_ERROR) -+ if (err == UCODE_ERROR) { - pr_warn("Error reloading microcode on CPU %d\n", cpu); -- -- ret = -1; -+ ret = -1; -+ } - } - - wait_for_siblings: --- -2.39.3 - diff --git a/SOURCES/1039-x86-apic-Don-t-disable-x2APIC-if-locked.patch b/SOURCES/1039-x86-apic-Don-t-disable-x2APIC-if-locked.patch deleted file mode 100644 index e841faa..0000000 --- a/SOURCES/1039-x86-apic-Don-t-disable-x2APIC-if-locked.patch +++ /dev/null @@ -1,225 +0,0 @@ -From ce57ab2e87f50d1176abea086f4aad38ba87886b Mon Sep 17 00:00:00 2001 -From: Daniel Sneddon -Date: Tue, 16 Aug 2022 16:19:42 -0700 -Subject: [PATCH 25/36] x86/apic: Don't disable x2APIC if locked - -The APIC supports two modes, legacy APIC (or xAPIC), and Extended APIC -(or x2APIC). X2APIC mode is mostly compatible with legacy APIC, but -it disables the memory-mapped APIC interface in favor of one that uses -MSRs. The APIC mode is controlled by the EXT bit in the APIC MSR. - -The MMIO/xAPIC interface has some problems, most notably the APIC LEAK -[1]. This bug allows an attacker to use the APIC MMIO interface to -extract data from the SGX enclave. - -Introduce support for a new feature that will allow the BIOS to lock -the APIC in x2APIC mode. If the APIC is locked in x2APIC mode and the -kernel tries to disable the APIC or revert to legacy APIC mode a GP -fault will occur. - -Introduce support for a new MSR (IA32_XAPIC_DISABLE_STATUS) and handle -the new locked mode when the LEGACY_XAPIC_DISABLED bit is set by -preventing the kernel from trying to disable the x2APIC. - -On platforms with the IA32_XAPIC_DISABLE_STATUS MSR, if SGX or TDX are -enabled the LEGACY_XAPIC_DISABLED will be set by the BIOS. If -legacy APIC is required, then it SGX and TDX need to be disabled in the -BIOS. - -[1]: https://aepicleak.com/aepicleak.pdf - -Signed-off-by: Daniel Sneddon -Signed-off-by: Dave Hansen -Acked-by: Dave Hansen -Tested-by: Neelima Krishnan -Link: https://lkml.kernel.org/r/20220816231943.1152579-1-daniel.sneddon@linux.intel.com -(cherry picked from commit b8d1d163604bd1e600b062fb00de5dc42baa355f) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - .../admin-guide/kernel-parameters.txt | 4 ++ - arch/x86/Kconfig | 7 ++- - arch/x86/include/asm/cpu.h | 2 + - arch/x86/include/asm/msr-index.h | 13 ++++++ - arch/x86/kernel/apic/apic.c | 44 +++++++++++++++++-- - 5 files changed, 65 insertions(+), 5 deletions(-) - -diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index 25f0b3a543e9..73a92fb9e3c6 100644 ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -3355,6 +3355,10 @@ - - nox2apic [X86-64,APIC] Do not enable x2APIC mode. - -+ NOTE: this parameter will be ignored on systems with the -+ LEGACY_XAPIC_DISABLED bit set in the -+ IA32_XAPIC_DISABLE_STATUS MSR. -+ - cpu0_hotplug [X86] Turn on CPU0 hotplug feature when - CONFIG_BOOTPARAM_HOTPLUG_CPU0 is off. - Some features depend on CPU0. Known dependencies are: -diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 5af5427c50ae..585893a349b6 100644 ---- a/arch/x86/Kconfig -+++ b/arch/x86/Kconfig -@@ -449,6 +449,11 @@ config X86_X2APIC - This allows 32-bit apic IDs (so it can support very large systems), - and accesses the local apic via MSRs not via mmio. - -+ Some Intel systems circa 2022 and later are locked into x2APIC mode -+ and can not fall back to the legacy APIC modes if SGX or TDX are -+ enabled in the BIOS. They will be unable to boot without enabling -+ this option. -+ - If you don't know what to do here, say N. - - config X86_MPPARSE -@@ -1979,7 +1984,7 @@ endchoice - - config X86_SGX - bool "Software Guard eXtensions (SGX)" -- depends on X86_64 && CPU_SUP_INTEL -+ depends on X86_64 && CPU_SUP_INTEL && X86_X2APIC - depends on CRYPTO=y - depends on CRYPTO_SHA256=y - select SRCU -diff --git a/arch/x86/include/asm/cpu.h b/arch/x86/include/asm/cpu.h -index 2d62a3f122ee..66f9715b01c9 100644 ---- a/arch/x86/include/asm/cpu.h -+++ b/arch/x86/include/asm/cpu.h -@@ -92,4 +92,6 @@ static inline bool intel_cpu_signatures_match(unsigned int s1, unsigned int p1, - return p1 & p2; - } - -+extern u64 x86_read_arch_cap_msr(void); -+ - #endif /* _ASM_X86_CPU_H */ -diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h -index e30f8e289deb..9b0d407dd1ae 100644 ---- a/arch/x86/include/asm/msr-index.h -+++ b/arch/x86/include/asm/msr-index.h -@@ -153,6 +153,11 @@ - * Return Stack Buffer Predictions. - */ - -+#define ARCH_CAP_XAPIC_DISABLE BIT(21) /* -+ * IA32_XAPIC_DISABLE_STATUS MSR -+ * supported -+ */ -+ - #define MSR_IA32_FLUSH_CMD 0x0000010b - #define L1D_FLUSH BIT(0) /* - * Writeback and invalidate the -@@ -1015,4 +1020,12 @@ - #define MSR_IA32_HW_FEEDBACK_PTR 0x17d0 - #define MSR_IA32_HW_FEEDBACK_CONFIG 0x17d1 - -+/* x2APIC locked status */ -+#define MSR_IA32_XAPIC_DISABLE_STATUS 0xBD -+#define LEGACY_XAPIC_DISABLED BIT(0) /* -+ * x2APIC mode is locked and -+ * disabling x2APIC will cause -+ * a #GP -+ */ -+ - #endif /* _ASM_X86_MSR_INDEX_H */ -diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c -index b191e575e53c..d73f1037961a 100644 ---- a/arch/x86/kernel/apic/apic.c -+++ b/arch/x86/kernel/apic/apic.c -@@ -57,6 +57,7 @@ - #include - #include - #include -+#include - - unsigned int num_processors; - -@@ -1734,11 +1735,26 @@ EXPORT_SYMBOL_GPL(x2apic_mode); - - enum { - X2APIC_OFF, -- X2APIC_ON, - X2APIC_DISABLED, -+ /* All states below here have X2APIC enabled */ -+ X2APIC_ON, -+ X2APIC_ON_LOCKED - }; - static int x2apic_state; - -+static bool x2apic_hw_locked(void) -+{ -+ u64 ia32_cap; -+ u64 msr; -+ -+ ia32_cap = x86_read_arch_cap_msr(); -+ if (ia32_cap & ARCH_CAP_XAPIC_DISABLE) { -+ rdmsrl(MSR_IA32_XAPIC_DISABLE_STATUS, msr); -+ return (msr & LEGACY_XAPIC_DISABLED); -+ } -+ return false; -+} -+ - static void __x2apic_disable(void) - { - u64 msr; -@@ -1776,6 +1792,10 @@ static int __init setup_nox2apic(char *str) - apicid); - return 0; - } -+ if (x2apic_hw_locked()) { -+ pr_warn("APIC locked in x2apic mode, can't disable\n"); -+ return 0; -+ } - pr_warn("x2apic already enabled.\n"); - __x2apic_disable(); - } -@@ -1790,10 +1810,18 @@ early_param("nox2apic", setup_nox2apic); - void x2apic_setup(void) - { - /* -- * If x2apic is not in ON state, disable it if already enabled -+ * Try to make the AP's APIC state match that of the BSP, but if the -+ * BSP is unlocked and the AP is locked then there is a state mismatch. -+ * Warn about the mismatch in case a GP fault occurs due to a locked AP -+ * trying to be turned off. -+ */ -+ if (x2apic_state != X2APIC_ON_LOCKED && x2apic_hw_locked()) -+ pr_warn("x2apic lock mismatch between BSP and AP.\n"); -+ /* -+ * If x2apic is not in ON or LOCKED state, disable it if already enabled - * from BIOS. - */ -- if (x2apic_state != X2APIC_ON) { -+ if (x2apic_state < X2APIC_ON) { - __x2apic_disable(); - return; - } -@@ -1814,6 +1842,11 @@ static __init void x2apic_disable(void) - if (x2apic_id >= 255) - panic("Cannot disable x2apic, id: %08x\n", x2apic_id); - -+ if (x2apic_hw_locked()) { -+ pr_warn("Cannot disable locked x2apic, id: %08x\n", x2apic_id); -+ return; -+ } -+ - __x2apic_disable(); - register_lapic_address(mp_lapic_addr); - } -@@ -1872,7 +1905,10 @@ void __init check_x2apic(void) - if (x2apic_enabled()) { - pr_info("x2apic: enabled by BIOS, switching to x2apic ops\n"); - x2apic_mode = 1; -- x2apic_state = X2APIC_ON; -+ if (x2apic_hw_locked()) -+ x2apic_state = X2APIC_ON_LOCKED; -+ else -+ x2apic_state = X2APIC_ON; - } else if (!boot_cpu_has(X86_FEATURE_X2APIC)) { - x2apic_state = X2APIC_DISABLED; - } --- -2.39.3 - diff --git a/SOURCES/1040-x86-cpu-amd-Move-the-errata-checking-functionality-u.patch b/SOURCES/1040-x86-cpu-amd-Move-the-errata-checking-functionality-u.patch deleted file mode 100644 index 5aa9575..0000000 --- a/SOURCES/1040-x86-cpu-amd-Move-the-errata-checking-functionality-u.patch +++ /dev/null @@ -1,186 +0,0 @@ -From 53173ac5885435f751b54a87710e6111a51a819c Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Sat, 15 Jul 2023 13:31:32 +0200 -Subject: [PATCH 26/36] x86/cpu/amd: Move the errata checking functionality up - -Avoid new and remove old forward declarations. - -No functional changes. - -Signed-off-by: Borislav Petkov (AMD) -(cherry picked from commit 8b6f687743dacce83dbb0c7cfacf88bab00f808a) - -CVE: CVE-2023-20593 -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/kernel/cpu/amd.c | 139 ++++++++++++++++++-------------------- - 1 file changed, 67 insertions(+), 72 deletions(-) - -diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c -index 6eb7923f5f08..2406a71a1eb6 100644 ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -26,11 +26,6 @@ - - #include "cpu.h" - --static const int amd_erratum_383[]; --static const int amd_erratum_400[]; --static const int amd_erratum_1054[]; --static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum); -- - /* - * nodes_per_socket: Stores the number of nodes per socket. - * Refer to Fam15h Models 00-0fh BKDG - CPUID Fn8000_001E_ECX -@@ -38,6 +33,73 @@ static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum); - */ - static u32 nodes_per_socket = 1; - -+/* -+ * AMD errata checking -+ * -+ * Errata are defined as arrays of ints using the AMD_LEGACY_ERRATUM() or -+ * AMD_OSVW_ERRATUM() macros. The latter is intended for newer errata that -+ * have an OSVW id assigned, which it takes as first argument. Both take a -+ * variable number of family-specific model-stepping ranges created by -+ * AMD_MODEL_RANGE(). -+ * -+ * Example: -+ * -+ * const int amd_erratum_319[] = -+ * AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0x4, 0x2), -+ * AMD_MODEL_RANGE(0x10, 0x8, 0x0, 0x8, 0x0), -+ * AMD_MODEL_RANGE(0x10, 0x9, 0x0, 0x9, 0x0)); -+ */ -+ -+#define AMD_LEGACY_ERRATUM(...) { -1, __VA_ARGS__, 0 } -+#define AMD_OSVW_ERRATUM(osvw_id, ...) { osvw_id, __VA_ARGS__, 0 } -+#define AMD_MODEL_RANGE(f, m_start, s_start, m_end, s_end) \ -+ ((f << 24) | (m_start << 16) | (s_start << 12) | (m_end << 4) | (s_end)) -+#define AMD_MODEL_RANGE_FAMILY(range) (((range) >> 24) & 0xff) -+#define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff) -+#define AMD_MODEL_RANGE_END(range) ((range) & 0xfff) -+ -+static const int amd_erratum_400[] = -+ AMD_OSVW_ERRATUM(1, AMD_MODEL_RANGE(0xf, 0x41, 0x2, 0xff, 0xf), -+ AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0xff, 0xf)); -+ -+static const int amd_erratum_383[] = -+ AMD_OSVW_ERRATUM(3, AMD_MODEL_RANGE(0x10, 0, 0, 0xff, 0xf)); -+ -+/* #1054: Instructions Retired Performance Counter May Be Inaccurate */ -+static const int amd_erratum_1054[] = -+ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); -+ -+static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) -+{ -+ int osvw_id = *erratum++; -+ u32 range; -+ u32 ms; -+ -+ if (osvw_id >= 0 && osvw_id < 65536 && -+ cpu_has(cpu, X86_FEATURE_OSVW)) { -+ u64 osvw_len; -+ -+ rdmsrl(MSR_AMD64_OSVW_ID_LENGTH, osvw_len); -+ if (osvw_id < osvw_len) { -+ u64 osvw_bits; -+ -+ rdmsrl(MSR_AMD64_OSVW_STATUS + (osvw_id >> 6), -+ osvw_bits); -+ return osvw_bits & (1ULL << (osvw_id & 0x3f)); -+ } -+ } -+ -+ /* OSVW unavailable or ID unknown, match family-model-stepping range */ -+ ms = (cpu->x86_model << 4) | cpu->x86_stepping; -+ while ((range = *erratum++)) -+ if ((cpu->x86 == AMD_MODEL_RANGE_FAMILY(range)) && -+ (ms >= AMD_MODEL_RANGE_START(range)) && -+ (ms <= AMD_MODEL_RANGE_END(range))) -+ return true; -+ -+ return false; -+} -+ - static inline int rdmsrl_amd_safe(unsigned msr, unsigned long long *p) - { - u32 gprs[8] = { 0 }; -@@ -1079,73 +1141,6 @@ static const struct cpu_dev amd_cpu_dev = { - - cpu_dev_register(amd_cpu_dev); - --/* -- * AMD errata checking -- * -- * Errata are defined as arrays of ints using the AMD_LEGACY_ERRATUM() or -- * AMD_OSVW_ERRATUM() macros. The latter is intended for newer errata that -- * have an OSVW id assigned, which it takes as first argument. Both take a -- * variable number of family-specific model-stepping ranges created by -- * AMD_MODEL_RANGE(). -- * -- * Example: -- * -- * const int amd_erratum_319[] = -- * AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0x4, 0x2), -- * AMD_MODEL_RANGE(0x10, 0x8, 0x0, 0x8, 0x0), -- * AMD_MODEL_RANGE(0x10, 0x9, 0x0, 0x9, 0x0)); -- */ -- --#define AMD_LEGACY_ERRATUM(...) { -1, __VA_ARGS__, 0 } --#define AMD_OSVW_ERRATUM(osvw_id, ...) { osvw_id, __VA_ARGS__, 0 } --#define AMD_MODEL_RANGE(f, m_start, s_start, m_end, s_end) \ -- ((f << 24) | (m_start << 16) | (s_start << 12) | (m_end << 4) | (s_end)) --#define AMD_MODEL_RANGE_FAMILY(range) (((range) >> 24) & 0xff) --#define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff) --#define AMD_MODEL_RANGE_END(range) ((range) & 0xfff) -- --static const int amd_erratum_400[] = -- AMD_OSVW_ERRATUM(1, AMD_MODEL_RANGE(0xf, 0x41, 0x2, 0xff, 0xf), -- AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0xff, 0xf)); -- --static const int amd_erratum_383[] = -- AMD_OSVW_ERRATUM(3, AMD_MODEL_RANGE(0x10, 0, 0, 0xff, 0xf)); -- --/* #1054: Instructions Retired Performance Counter May Be Inaccurate */ --static const int amd_erratum_1054[] = -- AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); -- --static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) --{ -- int osvw_id = *erratum++; -- u32 range; -- u32 ms; -- -- if (osvw_id >= 0 && osvw_id < 65536 && -- cpu_has(cpu, X86_FEATURE_OSVW)) { -- u64 osvw_len; -- -- rdmsrl(MSR_AMD64_OSVW_ID_LENGTH, osvw_len); -- if (osvw_id < osvw_len) { -- u64 osvw_bits; -- -- rdmsrl(MSR_AMD64_OSVW_STATUS + (osvw_id >> 6), -- osvw_bits); -- return osvw_bits & (1ULL << (osvw_id & 0x3f)); -- } -- } -- -- /* OSVW unavailable or ID unknown, match family-model-stepping range */ -- ms = (cpu->x86_model << 4) | cpu->x86_stepping; -- while ((range = *erratum++)) -- if ((cpu->x86 == AMD_MODEL_RANGE_FAMILY(range)) && -- (ms >= AMD_MODEL_RANGE_START(range)) && -- (ms <= AMD_MODEL_RANGE_END(range))) -- return true; -- -- return false; --} -- - static DEFINE_PER_CPU_READ_MOSTLY(unsigned long[4], amd_dr_addr_mask); - - static unsigned int amd_msr_dr_addr_masks[] = { --- -2.39.3 - diff --git a/SOURCES/1041-x86-cpu-Remove-redundant-extern-x86_read_arch_cap_ms.patch b/SOURCES/1041-x86-cpu-Remove-redundant-extern-x86_read_arch_cap_ms.patch deleted file mode 100644 index b7f8e2b..0000000 --- a/SOURCES/1041-x86-cpu-Remove-redundant-extern-x86_read_arch_cap_ms.patch +++ /dev/null @@ -1,63 +0,0 @@ -From d2d2944b80b99ecdcb1c10b0704bbdf78fbf5f79 Mon Sep 17 00:00:00 2001 -From: Ashok Raj -Date: Mon, 28 Nov 2022 09:24:51 -0800 -Subject: [PATCH 27/36] x86/cpu: Remove redundant extern - x86_read_arch_cap_msr() - -The prototype for the x86_read_arch_cap_msr() function has moved to -arch/x86/include/asm/cpu.h - kill the redundant definition in arch/x86/kernel/cpu.h -and include the header. - -Signed-off-by: Ashok Raj -Signed-off-by: Ingo Molnar -Reviewed-by: Daniel Sneddon -Link: https://lore.kernel.org/r/20221128172451.792595-1-ashok.raj@intel.com -(cherry picked from commit bb5525a50601f8be7d0ffb04740e1714506e60c4) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/kernel/cpu/bugs.c | 1 + - arch/x86/kernel/cpu/cpu.h | 2 -- - arch/x86/kernel/cpu/tsx.c | 1 + - 3 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c -index 848a0cce2243..5dc79427d047 100644 ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -33,6 +33,7 @@ - #include - #include - #include -+#include - - #include "cpu.h" - -diff --git a/arch/x86/kernel/cpu/cpu.h b/arch/x86/kernel/cpu/cpu.h -index 54afd004624b..1add3618f766 100644 ---- a/arch/x86/kernel/cpu/cpu.h -+++ b/arch/x86/kernel/cpu/cpu.h -@@ -84,8 +84,6 @@ unsigned int aperfmperf_get_khz(int cpu); - extern void x86_spec_ctrl_setup_ap(void); - extern void update_srbds_msr(void); - --extern u64 x86_read_arch_cap_msr(void); -- - #ifdef CONFIG_IA32_FEAT_CTL - void init_ia32_feat_ctl(struct cpuinfo_x86 *c); - #endif -diff --git a/arch/x86/kernel/cpu/tsx.c b/arch/x86/kernel/cpu/tsx.c -index 39b3e65c9c8d..73b7226d042b 100644 ---- a/arch/x86/kernel/cpu/tsx.c -+++ b/arch/x86/kernel/cpu/tsx.c -@@ -11,6 +11,7 @@ - #include - - #include -+#include - - #include "cpu.h" - --- -2.39.3 - diff --git a/SOURCES/1042-x86-cpu-kvm-Add-support-for-CPUID_80000021_EAX.patch b/SOURCES/1042-x86-cpu-kvm-Add-support-for-CPUID_80000021_EAX.patch deleted file mode 100644 index 60c39ba..0000000 --- a/SOURCES/1042-x86-cpu-kvm-Add-support-for-CPUID_80000021_EAX.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 58f7b0c78ff579aef5a470804ff76e4ed913056b Mon Sep 17 00:00:00 2001 -From: Kim Phillips -Date: Tue, 10 Jan 2023 16:46:37 -0600 -Subject: [PATCH 28/36] x86/cpu, kvm: Add support for CPUID_80000021_EAX - -Add support for CPUID leaf 80000021, EAX. The majority of the features will be -used in the kernel and thus a separate leaf is appropriate. - -Include KVM's reverse_cpuid entry because features are used by VM guests, too. - - [ bp: Massage commit message. ] - -Signed-off-by: Kim Phillips -Signed-off-by: Borislav Petkov (AMD) -Acked-by: Sean Christopherson -Link: https://lore.kernel.org/r/20230124163319.2277355-2-kim.phillips@amd.com -(cherry picked from commit 8415a74852d7c24795007ee9862d25feb519007c) - -The conflicts in arch/x86/include/asm/cpufeature.h, -arch/x86/include/asm/cpufeatures.h, arch/x86/include/asm/disabled-features.h -and arch/x86/include/asm/required-features.h are due to -the below commit added for kABI compatibility: -Repo: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/: -commit: 219a085bc8ba328d65a1e12bc1886415525a38d9 - -The conflict in arch/x86/kvm/reverse_cpuid.h is due to -upstream commit 24d74b9f5f2a972ac9228372adeac62b2dc10ea2 - -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/include/asm/cpufeature.h | 1 + - arch/x86/kernel/cpu/common.c | 3 +++ - arch/x86/kvm/reverse_cpuid.h | 1 + - 3 files changed, 5 insertions(+) - -diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h -index 925722baef7c..3b2473cdf2ad 100644 ---- a/arch/x86/include/asm/cpufeature.h -+++ b/arch/x86/include/asm/cpufeature.h -@@ -31,6 +31,7 @@ enum cpuid_leafs - CPUID_8000_0007_EBX, - CPUID_7_EDX, - CPUID_8000_001F_EAX, -+ CPUID_8000_0021_EAX, - }; - - #ifdef CONFIG_X86_FEATURE_NAMES -diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index 22763a691b7b..a8dfd75588cd 100644 ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -962,6 +962,9 @@ void get_cpu_cap(struct cpuinfo_x86 *c) - if (c->extended_cpuid_level >= 0x8000001f) - c->x86_capability[CPUID_8000_001F_EAX] = cpuid_eax(0x8000001f); - -+ if (c->extended_cpuid_level >= 0x80000021) -+ c->x86_capability[CPUID_8000_0021_EAX] = cpuid_eax(0x80000021); -+ - init_scattered_cpuid_features(c); - init_speculation_control(c); - -diff --git a/arch/x86/kvm/reverse_cpuid.h b/arch/x86/kvm/reverse_cpuid.h -index a19d473d0184..7eeade35a425 100644 ---- a/arch/x86/kvm/reverse_cpuid.h -+++ b/arch/x86/kvm/reverse_cpuid.h -@@ -48,6 +48,7 @@ static const struct cpuid_reg reverse_cpuid[] = { - [CPUID_7_1_EAX] = { 7, 1, CPUID_EAX}, - [CPUID_12_EAX] = {0x00000012, 0, CPUID_EAX}, - [CPUID_8000_001F_EAX] = {0x8000001f, 0, CPUID_EAX}, -+ [CPUID_8000_0021_EAX] = {0x80000021, 0, CPUID_EAX}, - }; - - /* --- -2.39.3 - diff --git a/SOURCES/1043-KVM-x86-Advertise-that-the-SMM_CTL-MSR-is-not-suppor.patch b/SOURCES/1043-KVM-x86-Advertise-that-the-SMM_CTL-MSR-is-not-suppor.patch deleted file mode 100644 index 6acca4c..0000000 --- a/SOURCES/1043-KVM-x86-Advertise-that-the-SMM_CTL-MSR-is-not-suppor.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 35b7cde8ddf1c374c533ec0de2958d2cd74e587d Mon Sep 17 00:00:00 2001 -From: Jim Mattson -Date: Fri, 7 Oct 2022 15:16:44 -0700 -Subject: [PATCH 29/36] KVM: x86: Advertise that the SMM_CTL MSR is not - supported - -CPUID.80000021H:EAX[bit 9] indicates that the SMM_CTL MSR (0xc0010116) is -not supported. This defeature can be advertised by KVM_GET_SUPPORTED_CPUID -regardless of whether or not the host enumerates it; currently it will be -included only if the host enumerates at least leaf 8000001DH, due to a -preexisting bug in QEMU that KVM has to work around (commit f751d8eac176, -"KVM: x86: work around QEMU issue with synthetic CPUID leaves", 2022-04-29). - -Signed-off-by: Jim Mattson -Message-Id: <20221007221644.138355-1-jmattson@google.com> -Signed-off-by: Paolo Bonzini -(cherry picked from commit 74bee0cad8dcd8ddec5e763c369239fc5990676a) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/kvm/cpuid.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c -index 6e3f385a3648..3726861ae52a 100644 ---- a/arch/x86/kvm/cpuid.c -+++ b/arch/x86/kvm/cpuid.c -@@ -1180,8 +1180,12 @@ static inline int __do_cpuid_func(struct kvm_cpuid_array *array, u32 function) - * Other defined bits are for MSRs that KVM does not expose: - * EAX 3 SPCL, SMM page configuration lock - * EAX 13 PCMSR, Prefetch control MSR -+ * -+ * KVM doesn't support SMM_CTL. -+ * EAX 9 SMM_CTL MSR is not supported - */ - entry->eax &= BIT(0) | BIT(2) | BIT(6); -+ entry->eax |= BIT(9); - if (static_cpu_has(X86_FEATURE_LFENCE_RDTSC)) - entry->eax |= BIT(2); - if (!static_cpu_has_bug(X86_BUG_NULL_SEG)) --- -2.39.3 - diff --git a/SOURCES/1044-KVM-x86-Move-open-coded-CPUID-leaf-0x80000021-EAX-bi.patch b/SOURCES/1044-KVM-x86-Move-open-coded-CPUID-leaf-0x80000021-EAX-bi.patch deleted file mode 100644 index 372baaf..0000000 --- a/SOURCES/1044-KVM-x86-Move-open-coded-CPUID-leaf-0x80000021-EAX-bi.patch +++ /dev/null @@ -1,84 +0,0 @@ -From d8cd9882c866de836235c5761b11e1bc4272508e Mon Sep 17 00:00:00 2001 -From: Kim Phillips -Date: Tue, 24 Jan 2023 10:33:13 -0600 -Subject: [PATCH 30/36] KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit - propagation code - -Move code from __do_cpuid_func() to kvm_set_cpu_caps() in preparation for adding -the features in their native leaf. - -Also drop the bit description comments as it will be more self-describing once -the individual features are added. - -Whilst there, switch to using the more efficient cpu_feature_enabled() instead -of static_cpu_has(). - -Note, LFENCE_RDTSC and "NULL selector clears base" are currently synthetic, -Linux-defined feature flags as Linux tracking of the features predates AMD's -definition. Keep the manual propagation of the flags from their synthetic -counterparts until the kernel fully converts to AMD's definition, otherwise KVM -would stop synthesizing the flags as intended. - -Signed-off-by: Kim Phillips -Signed-off-by: Borislav Petkov (AMD) -Acked-by: Sean Christopherson -Link: https://lore.kernel.org/r/20230124163319.2277355-3-kim.phillips@amd.com -(cherry picked from commit c35ac8c4bf600ee23bacb20f863aa7830efb23fb) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/kvm/cpuid.c | 31 ++++++++++++------------------- - 1 file changed, 12 insertions(+), 19 deletions(-) - -diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c -index 3726861ae52a..2ca5ac683c44 100644 ---- a/arch/x86/kvm/cpuid.c -+++ b/arch/x86/kvm/cpuid.c -@@ -682,6 +682,17 @@ void kvm_set_cpu_caps(void) - 0 /* SME */ | F(SEV) | 0 /* VM_PAGE_FLUSH */ | F(SEV_ES) | - F(SME_COHERENT)); - -+ kvm_cpu_cap_mask(CPUID_8000_0021_EAX, -+ BIT(0) /* NO_NESTED_DATA_BP */ | -+ BIT(2) /* LFENCE Always serializing */ | 0 /* SmmPgCfgLock */ | -+ BIT(6) /* NULL_SEL_CLR_BASE */ | 0 /* PrefetchCtlMsr */ -+ ); -+ if (cpu_feature_enabled(X86_FEATURE_LFENCE_RDTSC)) -+ kvm_cpu_caps[CPUID_8000_0021_EAX] |= BIT(2) /* LFENCE Always serializing */; -+ if (!static_cpu_has_bug(X86_BUG_NULL_SEG)) -+ kvm_cpu_caps[CPUID_8000_0021_EAX] |= BIT(6) /* NULL_SEL_CLR_BASE */; -+ kvm_cpu_caps[CPUID_8000_0021_EAX] |= BIT(9) /* NO_SMM_CTL_MSR */; -+ - kvm_cpu_cap_mask(CPUID_C000_0001_EDX, - F(XSTORE) | F(XSTORE_EN) | F(XCRYPT) | F(XCRYPT_EN) | - F(ACE2) | F(ACE2_EN) | F(PHE) | F(PHE_EN) | -@@ -1171,25 +1182,7 @@ static inline int __do_cpuid_func(struct kvm_cpuid_array *array, u32 function) - break; - case 0x80000021: - entry->ebx = entry->ecx = entry->edx = 0; -- /* -- * Pass down these bits: -- * EAX 0 NNDBP, Processor ignores nested data breakpoints -- * EAX 2 LAS, LFENCE always serializing -- * EAX 6 NSCB, Null selector clear base -- * -- * Other defined bits are for MSRs that KVM does not expose: -- * EAX 3 SPCL, SMM page configuration lock -- * EAX 13 PCMSR, Prefetch control MSR -- * -- * KVM doesn't support SMM_CTL. -- * EAX 9 SMM_CTL MSR is not supported -- */ -- entry->eax &= BIT(0) | BIT(2) | BIT(6); -- entry->eax |= BIT(9); -- if (static_cpu_has(X86_FEATURE_LFENCE_RDTSC)) -- entry->eax |= BIT(2); -- if (!static_cpu_has_bug(X86_BUG_NULL_SEG)) -- entry->eax |= BIT(6); -+ cpuid_entry_override(entry, CPUID_8000_0021_EAX); - break; - /*Add support for Centaur's CPUID instruction*/ - case 0xC0000000: --- -2.39.3 - diff --git a/SOURCES/1045-x86-cpu-kvm-Add-the-NO_NESTED_DATA_BP-feature.patch b/SOURCES/1045-x86-cpu-kvm-Add-the-NO_NESTED_DATA_BP-feature.patch deleted file mode 100644 index fb827e3..0000000 --- a/SOURCES/1045-x86-cpu-kvm-Add-the-NO_NESTED_DATA_BP-feature.patch +++ /dev/null @@ -1,51 +0,0 @@ -From a1116fd67a3178ce220ee6c2c8abe6bf792e26f2 Mon Sep 17 00:00:00 2001 -From: Kim Phillips -Date: Tue, 24 Jan 2023 10:33:14 -0600 -Subject: [PATCH 31/36] x86/cpu, kvm: Add the NO_NESTED_DATA_BP feature - -The "Processor ignores nested data breakpoints" feature was being -open-coded for KVM. Add the feature to its newly introduced CPUID leaf -0x80000021 EAX proper. - -Signed-off-by: Kim Phillips -Signed-off-by: Borislav Petkov (AMD) -Acked-by: Sean Christopherson -Link: https://lore.kernel.org/r/20230124163319.2277355-4-kim.phillips@amd.com -(cherry picked from commit a9dc9ec5a1fafc3d2fe7a7b594eefaeaccf89a6b) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/include/asm/cpufeatures.h | 3 +++ - arch/x86/kvm/cpuid.c | 2 +- - 2 files changed, 4 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h -index ffc806d3a863..ac6e58a79fad 100644 ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -421,6 +421,9 @@ - #define X86_FEATURE_IBRS_EXIT_SET (22*32+ 0) /* "" Set IBRS on kernel exit */ - #define X86_FEATURE_IBRS_EXIT_SKIP (22*32+ 1) /* "" Skip SPEC_CTRL MSR write on exit */ - -+/* AMD-defined Extended Feature 2 EAX, CPUID level 0x80000021 (EAX), word 20 */ -+#define X86_FEATURE_NO_NESTED_DATA_BP (20*32+ 0) /* "" No Nested Data Breakpoints */ -+ - /* - * BUG word(s) - */ -diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c -index 2ca5ac683c44..1a8dbad7e2d9 100644 ---- a/arch/x86/kvm/cpuid.c -+++ b/arch/x86/kvm/cpuid.c -@@ -683,7 +683,7 @@ void kvm_set_cpu_caps(void) - F(SME_COHERENT)); - - kvm_cpu_cap_mask(CPUID_8000_0021_EAX, -- BIT(0) /* NO_NESTED_DATA_BP */ | -+ F(NO_NESTED_DATA_BP) | - BIT(2) /* LFENCE Always serializing */ | 0 /* SmmPgCfgLock */ | - BIT(6) /* NULL_SEL_CLR_BASE */ | 0 /* PrefetchCtlMsr */ - ); --- -2.39.3 - diff --git a/SOURCES/1046-x86-bugs-Make-sure-MSR_SPEC_CTRL-is-updated-properly.patch b/SOURCES/1046-x86-bugs-Make-sure-MSR_SPEC_CTRL-is-updated-properly.patch deleted file mode 100644 index 0c327c2..0000000 --- a/SOURCES/1046-x86-bugs-Make-sure-MSR_SPEC_CTRL-is-updated-properly.patch +++ /dev/null @@ -1,148 +0,0 @@ -From 97e9891f4f6253ec70fc870e639d7e4d07b9e361 Mon Sep 17 00:00:00 2001 -From: Pawan Gupta -Date: Wed, 30 Nov 2022 07:25:51 -0800 -Subject: [PATCH 32/36] x86/bugs: Make sure MSR_SPEC_CTRL is updated properly - upon resume from S3 - -The "force" argument to write_spec_ctrl_current() is currently ambiguous -as it does not guarantee the MSR write. This is due to the optimization -that writes to the MSR happen only when the new value differs from the -cached value. - -This is fine in most cases, but breaks for S3 resume when the cached MSR -value gets out of sync with the hardware MSR value due to S3 resetting -it. - -When x86_spec_ctrl_current is same as x86_spec_ctrl_base, the MSR write -is skipped. Which results in SPEC_CTRL mitigations not getting restored. - -Move the MSR write from write_spec_ctrl_current() to a new function that -unconditionally writes to the MSR. Update the callers accordingly and -rename functions. - - [ bp: Rework a bit. ] - -Fixes: caa0ff24d5d0 ("x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value") -Suggested-by: Borislav Petkov -Signed-off-by: Pawan Gupta -Signed-off-by: Borislav Petkov (AMD) -Reviewed-by: Thomas Gleixner -Cc: -Link: https://lore.kernel.org/r/806d39b0bfec2fe8f50dc5446dff20f5bb24a959.1669821572.git.pawan.kumar.gupta@linux.intel.com -Signed-off-by: Linus Torvalds -(cherry picked from commit 66065157420c5b9b3f078f43d313c153e1ff7f83) -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/include/asm/nospec-branch.h | 2 +- - arch/x86/kernel/cpu/bugs.c | 21 ++++++++++++++------- - arch/x86/kernel/process.c | 2 +- - 3 files changed, 16 insertions(+), 9 deletions(-) - -diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h -index 442e62e7be47..53e56fc9cf70 100644 ---- a/arch/x86/include/asm/nospec-branch.h -+++ b/arch/x86/include/asm/nospec-branch.h -@@ -318,7 +318,7 @@ static inline void indirect_branch_prediction_barrier(void) - /* The Intel SPEC CTRL MSR base value cache */ - extern u64 x86_spec_ctrl_base; - DECLARE_PER_CPU(u64, x86_spec_ctrl_current); --extern void write_spec_ctrl_current(u64 val, bool force); -+extern void update_spec_ctrl_cond(u64 val); - extern u64 spec_ctrl_current(void); - - /* -diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c -index 5dc79427d047..53623ea69873 100644 ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -60,11 +60,18 @@ EXPORT_SYMBOL_GPL(x86_spec_ctrl_current); - - static DEFINE_MUTEX(spec_ctrl_mutex); - -+/* Update SPEC_CTRL MSR and its cached copy unconditionally */ -+static void update_spec_ctrl(u64 val) -+{ -+ this_cpu_write(x86_spec_ctrl_current, val); -+ wrmsrl(MSR_IA32_SPEC_CTRL, val); -+} -+ - /* - * Keep track of the SPEC_CTRL MSR value for the current task, which may differ - * from x86_spec_ctrl_base due to STIBP/SSB in __speculation_ctrl_update(). - */ --void write_spec_ctrl_current(u64 val, bool force) -+void update_spec_ctrl_cond(u64 val) - { - if (this_cpu_read(x86_spec_ctrl_current) == val) - return; -@@ -76,7 +83,7 @@ void write_spec_ctrl_current(u64 val, bool force) - * forced or the exit MSR write is skipped the update can be delayed - * until that time. - */ -- if (force || !cpu_feature_enabled(X86_FEATURE_KERNEL_IBRS) || -+ if (!cpu_feature_enabled(X86_FEATURE_KERNEL_IBRS) || - cpu_feature_enabled(X86_FEATURE_IBRS_EXIT_SKIP)) - wrmsrl(MSR_IA32_SPEC_CTRL, val); - } -@@ -1308,7 +1315,7 @@ static void __init spec_ctrl_disable_kernel_rrsba(void) - - if (ia32_cap & ARCH_CAP_RRSBA) { - x86_spec_ctrl_base |= SPEC_CTRL_RRSBA_DIS_S; -- write_spec_ctrl_current(x86_spec_ctrl_base, true); -+ update_spec_ctrl(x86_spec_ctrl_base); - } - } - -@@ -1440,7 +1447,7 @@ static void __init spectre_v2_select_mitigation(void) - - if (spectre_v2_in_ibrs_mode(mode)) { - x86_spec_ctrl_base |= SPEC_CTRL_IBRS; -- write_spec_ctrl_current(x86_spec_ctrl_base, true); -+ update_spec_ctrl(x86_spec_ctrl_base); - } - - switch (mode) { -@@ -1565,7 +1572,7 @@ static void __init spectre_v2_select_mitigation(void) - static void update_stibp_msr(void * __unused) - { - u64 val = spec_ctrl_current() | (x86_spec_ctrl_base & SPEC_CTRL_STIBP); -- write_spec_ctrl_current(val, true); -+ update_spec_ctrl(val); - } - - /* Update x86_spec_ctrl_base in case SMT state changed. */ -@@ -1798,7 +1805,7 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void) - x86_amd_ssb_disable(); - } else { - x86_spec_ctrl_base |= SPEC_CTRL_SSBD; -- write_spec_ctrl_current(x86_spec_ctrl_base, true); -+ update_spec_ctrl(x86_spec_ctrl_base); - } - } - -@@ -2016,7 +2023,7 @@ int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which) - void x86_spec_ctrl_setup_ap(void) - { - if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) -- write_spec_ctrl_current(x86_spec_ctrl_base, true); -+ update_spec_ctrl(x86_spec_ctrl_base); - - if (ssb_mode == SPEC_STORE_BYPASS_DISABLE) - x86_amd_ssb_disable(); -diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c -index 87bcb25ff8b2..a62f200aa736 100644 ---- a/arch/x86/kernel/process.c -+++ b/arch/x86/kernel/process.c -@@ -583,7 +583,7 @@ static __always_inline void __speculation_ctrl_update(unsigned long tifp, - } - - if (updmsr) -- write_spec_ctrl_current(msr, false); -+ update_spec_ctrl_cond(msr); - } - - static unsigned long speculation_ctrl_update_tif(struct task_struct *tsk) --- -2.39.3 - diff --git a/SOURCES/1047-x86-cpu-Support-AMD-Automatic-IBRS.patch b/SOURCES/1047-x86-cpu-Support-AMD-Automatic-IBRS.patch deleted file mode 100644 index fe2f06f..0000000 --- a/SOURCES/1047-x86-cpu-Support-AMD-Automatic-IBRS.patch +++ /dev/null @@ -1,209 +0,0 @@ -From 6b575d67beff6c1ce5f7643cb9326327170114a8 Mon Sep 17 00:00:00 2001 -From: Kim Phillips -Date: Tue, 24 Jan 2023 10:33:18 -0600 -Subject: [PATCH 33/36] x86/cpu: Support AMD Automatic IBRS - -The AMD Zen4 core supports a new feature called Automatic IBRS. - -It is a "set-and-forget" feature that means that, like Intel's Enhanced IBRS, -h/w manages its IBRS mitigation resources automatically across CPL transitions. - -The feature is advertised by CPUID_Fn80000021_EAX bit 8 and is enabled by -setting MSR C000_0080 (EFER) bit 21. - -Enable Automatic IBRS by default if the CPU feature is present. It typically -provides greater performance over the incumbent generic retpolines mitigation. - -Reuse the SPECTRE_V2_EIBRS spectre_v2_mitigation enum. AMD Automatic IBRS and -Intel Enhanced IBRS have similar enablement. Add NO_EIBRS_PBRSB to -cpu_vuln_whitelist, since AMD Automatic IBRS isn't affected by PBRSB-eIBRS. - -The kernel command line option spectre_v2=eibrs is used to select AMD Automatic -IBRS, if available. - -Signed-off-by: Kim Phillips -Signed-off-by: Borislav Petkov (AMD) -Acked-by: Sean Christopherson -Acked-by: Dave Hansen -Link: https://lore.kernel.org/r/20230124163319.2277355-8-kim.phillips@amd.com -(cherry picked from commit e7862eda309ecfccc36bb5558d937ed3ace07f3f) - -Also add fix 06cb31cc761823ef444ba4e1df11347342a6e745 upstream found -while resolving conflicts. It's a minor doc change. - -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - Documentation/admin-guide/hw-vuln/spectre.rst | 7 ++++--- - .../admin-guide/kernel-parameters.txt | 6 +++--- - arch/x86/include/asm/cpufeatures.h | 1 + - arch/x86/include/asm/msr-index.h | 2 ++ - arch/x86/kernel/cpu/bugs.c | 20 +++++++++++-------- - arch/x86/kernel/cpu/common.c | 17 +++++++++------- - 6 files changed, 32 insertions(+), 21 deletions(-) - -diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst -index fb2572ed9674..bf161b5aa98f 100644 ---- a/Documentation/admin-guide/hw-vuln/spectre.rst -+++ b/Documentation/admin-guide/hw-vuln/spectre.rst -@@ -610,9 +610,10 @@ kernel command line. - retpoline,generic Retpolines - retpoline,lfence LFENCE; indirect branch - retpoline,amd alias for retpoline,lfence -- eibrs enhanced IBRS -- eibrs,retpoline enhanced IBRS + Retpolines -- eibrs,lfence enhanced IBRS + LFENCE -+ eibrs Enhanced/Auto IBRS -+ eibrs,retpoline Enhanced/Auto IBRS + Retpolines -+ eibrs,lfence Enhanced/Auto IBRS + LFENCE -+ ibrs use IBRS to protect kernel - - Not specifying this option is equivalent to - spectre_v2=auto. -diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index 73a92fb9e3c6..b6da8048f62c 100644 ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -4968,9 +4968,9 @@ - retpoline,generic - Retpolines - retpoline,lfence - LFENCE; indirect branch - retpoline,amd - alias for retpoline,lfence -- eibrs - enhanced IBRS -- eibrs,retpoline - enhanced IBRS + Retpolines -- eibrs,lfence - enhanced IBRS + LFENCE -+ eibrs - Enhanced/Auto IBRS -+ eibrs,retpoline - Enhanced/Auto IBRS + Retpolines -+ eibrs,lfence - Enhanced/Auto IBRS + LFENCE - ibrs - use IBRS to protect kernel - ibrs_always - use IBRS to protect both kernel - and userland -diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h -index ac6e58a79fad..316b11ea50ca 100644 ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -423,6 +423,7 @@ - - /* AMD-defined Extended Feature 2 EAX, CPUID level 0x80000021 (EAX), word 20 */ - #define X86_FEATURE_NO_NESTED_DATA_BP (20*32+ 0) /* "" No Nested Data Breakpoints */ -+#define X86_FEATURE_AUTOIBRS (20*32+ 8) /* "" Automatic IBRS */ - - /* - * BUG word(s) -diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h -index 9b0d407dd1ae..bf54eb786776 100644 ---- a/arch/x86/include/asm/msr-index.h -+++ b/arch/x86/include/asm/msr-index.h -@@ -30,6 +30,7 @@ - #define _EFER_SVME 12 /* Enable virtualization */ - #define _EFER_LMSLE 13 /* Long Mode Segment Limit Enable */ - #define _EFER_FFXSR 14 /* Enable Fast FXSAVE/FXRSTOR */ -+#define _EFER_AUTOIBRS 21 /* Enable Automatic IBRS */ - - #define EFER_SCE (1<<_EFER_SCE) - #define EFER_LME (1<<_EFER_LME) -@@ -38,6 +39,7 @@ - #define EFER_SVME (1<<_EFER_SVME) - #define EFER_LMSLE (1<<_EFER_LMSLE) - #define EFER_FFXSR (1<<_EFER_FFXSR) -+#define EFER_AUTOIBRS (1<<_EFER_AUTOIBRS) - - /* Intel MSRs. Some also available on other CPUs */ - -diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c -index 53623ea69873..43295a878b8f 100644 ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -1177,9 +1177,9 @@ static const char * const spectre_v2_strings[] = { - [SPECTRE_V2_NONE] = "Vulnerable", - [SPECTRE_V2_RETPOLINE] = "Mitigation: Retpolines", - [SPECTRE_V2_LFENCE] = "Mitigation: LFENCE", -- [SPECTRE_V2_EIBRS] = "Mitigation: Enhanced IBRS", -- [SPECTRE_V2_EIBRS_LFENCE] = "Mitigation: Enhanced IBRS + LFENCE", -- [SPECTRE_V2_EIBRS_RETPOLINE] = "Mitigation: Enhanced IBRS + Retpolines", -+ [SPECTRE_V2_EIBRS] = "Mitigation: Enhanced / Automatic IBRS", -+ [SPECTRE_V2_EIBRS_LFENCE] = "Mitigation: Enhanced / Automatic IBRS + LFENCE", -+ [SPECTRE_V2_EIBRS_RETPOLINE] = "Mitigation: Enhanced / Automatic IBRS + Retpolines", - [SPECTRE_V2_IBRS] = "Mitigation: IBRS", - [SPECTRE_V2_IBRS_ALWAYS] = "Mitigation: IBRS (kernel and user space)", - [SPECTRE_V2_RETPOLINE_IBRS_USER] = "Mitigation: Full retpoline and IBRS (user space)", -@@ -1253,7 +1253,7 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) - cmd == SPECTRE_V2_CMD_EIBRS_LFENCE || - cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) && - !boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) { -- pr_err("%s selected but CPU doesn't have eIBRS. Switching to AUTO select\n", -+ pr_err("%s selected but CPU doesn't have Enhanced or Automatic IBRS. Switching to AUTO select\n", - mitigation_options[i].option); - return SPECTRE_V2_CMD_AUTO; - } -@@ -1446,8 +1446,12 @@ static void __init spectre_v2_select_mitigation(void) - pr_err(SPECTRE_V2_EIBRS_EBPF_MSG); - - if (spectre_v2_in_ibrs_mode(mode)) { -- x86_spec_ctrl_base |= SPEC_CTRL_IBRS; -- update_spec_ctrl(x86_spec_ctrl_base); -+ if (boot_cpu_has(X86_FEATURE_AUTOIBRS)) { -+ msr_set_bit(MSR_EFER, _EFER_AUTOIBRS); -+ } else { -+ x86_spec_ctrl_base |= SPEC_CTRL_IBRS; -+ update_spec_ctrl(x86_spec_ctrl_base); -+ } - } - - switch (mode) { -@@ -1542,8 +1546,8 @@ static void __init spectre_v2_select_mitigation(void) - /* - * Retpoline protects the kernel, but doesn't protect firmware. IBRS - * and Enhanced IBRS protect firmware too, so enable IBRS around -- * firmware calls only when IBRS / Enhanced IBRS aren't otherwise -- * enabled. -+ * firmware calls only when IBRS / Enhanced / Automatic IBRS aren't -+ * otherwise enabled. - * - * Use "mode" to check Enhanced IBRS instead of boot_cpu_has(), because - * the user might select retpoline on the kernel command line and if -diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index a8dfd75588cd..c5c08a3ace2a 100644 ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -1091,7 +1091,7 @@ static const __initconst struct x86_cpu_id_v2 cpu_vuln_whitelist[] = { - VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO), - - /* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */ -- VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO), -+ VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_EIBRS_PBRSB), - {} - }; - -@@ -1196,8 +1196,16 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) - !cpu_has(c, X86_FEATURE_AMD_SSB_NO)) - setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS); - -- if (ia32_cap & ARCH_CAP_IBRS_ALL) -+ /* -+ * AMD's AutoIBRS is equivalent to Intel's eIBRS - use the Intel feature -+ * flag and protect from vendor-specific bugs via the whitelist. -+ */ -+ if ((ia32_cap & ARCH_CAP_IBRS_ALL) || cpu_has(c, X86_FEATURE_AUTOIBRS)) { - setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED); -+ if (!cpu_matches(cpu_vuln_whitelist, NO_EIBRS_PBRSB) && -+ !(ia32_cap & ARCH_CAP_PBRSB_NO)) -+ setup_force_cpu_bug(X86_BUG_EIBRS_PBRSB); -+ } - - if (!cpu_matches(cpu_vuln_whitelist, NO_MDS) && - !(ia32_cap & ARCH_CAP_MDS_NO)) { -@@ -1259,11 +1267,6 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) - setup_force_cpu_bug(X86_BUG_RETBLEED); - } - -- if (cpu_has(c, X86_FEATURE_IBRS_ENHANCED) && -- !cpu_matches(cpu_vuln_whitelist, NO_EIBRS_PBRSB) && -- !(ia32_cap & ARCH_CAP_PBRSB_NO)) -- setup_force_cpu_bug(X86_BUG_EIBRS_PBRSB); -- - if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN)) - return; - --- -2.39.3 - diff --git a/SOURCES/1048-x86-CPU-AMD-Make-sure-EFER-AIBRSE-is-set.patch b/SOURCES/1048-x86-CPU-AMD-Make-sure-EFER-AIBRSE-is-set.patch deleted file mode 100644 index ce99dfb..0000000 --- a/SOURCES/1048-x86-CPU-AMD-Make-sure-EFER-AIBRSE-is-set.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 373fedf7ca5674e2ab511685e183e6e6c6e00d91 Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Sat, 25 Feb 2023 01:11:31 +0100 -Subject: [PATCH 34/36] x86/CPU/AMD: Make sure EFER[AIBRSE] is set - -The AutoIBRS bit gets set only on the BSP as part of determining which -mitigation to enable on AMD. Setting on the APs relies on the -circumstance that the APs get booted through the trampoline and EFER -- the MSR which contains that bit - gets replicated on every AP from the -BSP. - -However, this can change in the future and considering the security -implications of this bit not being set on every CPU, make sure it is set -by verifying EFER later in the boot process and on every AP. - -Reported-by: Josh Poimboeuf -Signed-off-by: Borislav Petkov (AMD) -Acked-by: Dave Hansen -Link: https://lore.kernel.org/r/20230224185257.o3mcmloei5zqu7wa@treble -(cherry picked from commit 8cc68c9c9e92dbaae51a711454c66eb668045508) - -CVE: CVE-2023-20593 -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/kernel/cpu/amd.c | 11 +++++++++++ - arch/x86/kernel/cpu/bugs.c | 3 +-- - arch/x86/kernel/cpu/cpu.h | 8 ++++++++ - 3 files changed, 20 insertions(+), 2 deletions(-) - -diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c -index 2406a71a1eb6..c2979e3bed04 100644 ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -1046,6 +1046,17 @@ static void init_amd(struct cpuinfo_x86 *c) - msr_set_bit(MSR_K7_HWCR, MSR_K7_HWCR_IRPERF_EN_BIT); - - check_null_seg_clears_base(c); -+ -+ /* -+ * Make sure EFER[AIBRSE - Automatic IBRS Enable] is set. The APs are brought up -+ * using the trampoline code and as part of it, MSR_EFER gets prepared there in -+ * order to be replicated onto them. Regardless, set it here again, if not set, -+ * to protect against any future refactoring/code reorganization which might -+ * miss setting this important bit. -+ */ -+ if (spectre_v2_in_eibrs_mode(spectre_v2_enabled) && -+ cpu_has(c, X86_FEATURE_AUTOIBRS)) -+ WARN_ON_ONCE(msr_set_bit(MSR_EFER, _EFER_AUTOIBRS)); - } - - #ifdef CONFIG_X86_32 -diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c -index 43295a878b8f..d8c1bbea4e90 100644 ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -748,8 +748,7 @@ static int __init nospectre_v1_cmdline(char *str) - } - early_param("nospectre_v1", nospectre_v1_cmdline); - --static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = -- SPECTRE_V2_NONE; -+enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = SPECTRE_V2_NONE; - - #undef pr_fmt - #define pr_fmt(fmt) "RETBleed: " fmt -diff --git a/arch/x86/kernel/cpu/cpu.h b/arch/x86/kernel/cpu/cpu.h -index 1add3618f766..0af870727bfa 100644 ---- a/arch/x86/kernel/cpu/cpu.h -+++ b/arch/x86/kernel/cpu/cpu.h -@@ -88,4 +88,12 @@ extern void update_srbds_msr(void); - void init_ia32_feat_ctl(struct cpuinfo_x86 *c); - #endif - -+extern enum spectre_v2_mitigation spectre_v2_enabled; -+ -+static inline bool spectre_v2_in_eibrs_mode(enum spectre_v2_mitigation mode) -+{ -+ return mode == SPECTRE_V2_EIBRS || -+ mode == SPECTRE_V2_EIBRS_RETPOLINE || -+ mode == SPECTRE_V2_EIBRS_LFENCE; -+} - #endif /* ARCH_X86_CPU_H */ --- -2.39.3 - diff --git a/SOURCES/1049-x86-cpu-amd-Add-a-Zenbleed-fix.patch b/SOURCES/1049-x86-cpu-amd-Add-a-Zenbleed-fix.patch deleted file mode 100644 index f18d8bc..0000000 --- a/SOURCES/1049-x86-cpu-amd-Add-a-Zenbleed-fix.patch +++ /dev/null @@ -1,175 +0,0 @@ -From 661c6baa7f0dd4ef365c1cfd5aee9e999304fab2 Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Sat, 15 Jul 2023 13:41:28 +0200 -Subject: [PATCH 35/36] x86/cpu/amd: Add a Zenbleed fix - -Add a fix for the Zen2 VZEROUPPER data corruption bug where under -certain circumstances executing VZEROUPPER can cause register -corruption or leak data. - -The optimal fix is through microcode but in the case the proper -microcode revision has not been applied, enable a fallback fix using -a chicken bit. - -Signed-off-by: Borislav Petkov (AMD) -(cherry picked from commit 522b1d69219d8f083173819fde04f994aa051a98) - -CVE: CVE-2023-20593 -Signed-off-by: Mridula Shastry -Reviewed-by: Todd Vierling ---- - arch/x86/include/asm/microcode.h | 1 + - arch/x86/include/asm/microcode_amd.h | 2 + - arch/x86/include/asm/msr-index.h | 2 + - arch/x86/kernel/cpu/amd.c | 60 ++++++++++++++++++++++++++++ - arch/x86/kernel/cpu/common.c | 2 + - 5 files changed, 67 insertions(+) - -diff --git a/arch/x86/include/asm/microcode.h b/arch/x86/include/asm/microcode.h -index 629330986955..2e23f658c69b 100644 ---- a/arch/x86/include/asm/microcode.h -+++ b/arch/x86/include/asm/microcode.h -@@ -5,6 +5,7 @@ - #include - #include - #include -+#include - - struct ucode_patch { - struct list_head plist; -diff --git a/arch/x86/include/asm/microcode_amd.h b/arch/x86/include/asm/microcode_amd.h -index a645b25ee442..403a8e76b310 100644 ---- a/arch/x86/include/asm/microcode_amd.h -+++ b/arch/x86/include/asm/microcode_amd.h -@@ -48,11 +48,13 @@ extern void __init load_ucode_amd_bsp(unsigned int family); - extern void load_ucode_amd_ap(unsigned int family); - extern int __init save_microcode_in_initrd_amd(unsigned int family); - void reload_ucode_amd(unsigned int cpu); -+extern void amd_check_microcode(void); - #else - static inline void __init load_ucode_amd_bsp(unsigned int family) {} - static inline void load_ucode_amd_ap(unsigned int family) {} - static inline int __init - save_microcode_in_initrd_amd(unsigned int family) { return -EINVAL; } - static inline void reload_ucode_amd(unsigned int cpu) {} -+static inline void amd_check_microcode(void) {} - #endif - #endif /* _ASM_X86_MICROCODE_AMD_H */ -diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h -index bf54eb786776..bc38cbf0ac20 100644 ---- a/arch/x86/include/asm/msr-index.h -+++ b/arch/x86/include/asm/msr-index.h -@@ -498,6 +498,8 @@ - #define MSR_AMD_PPIN 0xc00102f1 - #define MSR_AMD64_LS_CFG 0xc0011020 - #define MSR_AMD64_DC_CFG 0xc0011022 -+#define MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT 9 -+ - #define MSR_AMD64_BU_CFG2 0xc001102a - #define MSR_AMD64_IBSFETCHCTL 0xc0011030 - #define MSR_AMD64_IBSFETCHLINAD 0xc0011031 -diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c -index c2979e3bed04..384e484cbbdc 100644 ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -69,6 +69,11 @@ static const int amd_erratum_383[] = - static const int amd_erratum_1054[] = - AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); - -+static const int amd_zenbleed[] = -+ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0x30, 0x0, 0x4f, 0xf), -+ AMD_MODEL_RANGE(0x17, 0x60, 0x0, 0x7f, 0xf), -+ AMD_MODEL_RANGE(0x17, 0xa0, 0x0, 0xaf, 0xf)); -+ - static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) - { - int osvw_id = *erratum++; -@@ -957,6 +962,47 @@ static void init_amd_zn(struct cpuinfo_x86 *c) - } - } - -+static bool cpu_has_zenbleed_microcode(void) -+{ -+ u32 good_rev = 0; -+ -+ switch (boot_cpu_data.x86_model) { -+ case 0x30 ... 0x3f: good_rev = 0x0830107a; break; -+ case 0x60 ... 0x67: good_rev = 0x0860010b; break; -+ case 0x68 ... 0x6f: good_rev = 0x08608105; break; -+ case 0x70 ... 0x7f: good_rev = 0x08701032; break; -+ case 0xa0 ... 0xaf: good_rev = 0x08a00008; break; -+ -+ default: -+ return false; -+ break; -+ } -+ -+ if (boot_cpu_data.microcode < good_rev) -+ return false; -+ -+ return true; -+} -+ -+static void zenbleed_check(struct cpuinfo_x86 *c) -+{ -+ if (!cpu_has_amd_erratum(c, amd_zenbleed)) -+ return; -+ -+ if (cpu_has(c, X86_FEATURE_HYPERVISOR)) -+ return; -+ -+ if (!cpu_has(c, X86_FEATURE_AVX)) -+ return; -+ -+ if (!cpu_has_zenbleed_microcode()) { -+ pr_notice_once("Zenbleed: please update your microcode for the most optimal fix\n"); -+ msr_set_bit(MSR_AMD64_DE_CFG, MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT); -+ } else { -+ msr_clear_bit(MSR_AMD64_DE_CFG, MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT); -+ } -+} -+ - static void init_amd(struct cpuinfo_x86 *c) - { - early_init_amd(c); -@@ -1057,6 +1103,8 @@ static void init_amd(struct cpuinfo_x86 *c) - if (spectre_v2_in_eibrs_mode(spectre_v2_enabled) && - cpu_has(c, X86_FEATURE_AUTOIBRS)) - WARN_ON_ONCE(msr_set_bit(MSR_EFER, _EFER_AUTOIBRS)); -+ -+ zenbleed_check(c); - } - - #ifdef CONFIG_X86_32 -@@ -1205,3 +1253,15 @@ u32 amd_get_highest_perf(void) - return 255; - } - EXPORT_SYMBOL_GPL(amd_get_highest_perf); -+ -+static void zenbleed_check_cpu(void *unused) -+{ -+ struct cpuinfo_x86 *c = &cpu_data(smp_processor_id()); -+ -+ zenbleed_check(c); -+} -+ -+void amd_check_microcode(void) -+{ -+ on_each_cpu(zenbleed_check_cpu, NULL, 1); -+} -diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index c5c08a3ace2a..61039cf3d6eb 100644 ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -2187,6 +2187,8 @@ void microcode_check(struct cpuinfo_x86 *prev_info) - - perf_check_microcode(); - -+ amd_check_microcode(); -+ - store_cpu_caps(&curr_info); - - if (!memcmp(&prev_info->x86_capability, &curr_info.x86_capability, --- -2.39.3 - diff --git a/SOURCES/1050-netfilter-nf_tables-incorrect-error-path-handling-wi.patch b/SOURCES/1050-netfilter-nf_tables-incorrect-error-path-handling-wi.patch deleted file mode 100644 index cea336f..0000000 --- a/SOURCES/1050-netfilter-nf_tables-incorrect-error-path-handling-wi.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 516c2ee4fa03f50738843aae224410f1c532ddd3 Mon Sep 17 00:00:00 2001 -From: Pablo Neira Ayuso -Date: Thu, 8 Jun 2023 02:32:02 +0200 -Subject: [PATCH 36/36] netfilter: nf_tables: incorrect error path handling with - NFT_MSG_NEWRULE - -In case of error when adding a new rule that refers to an anonymous set, -deactivate expressions via NFT_TRANS_PREPARE state, not NFT_TRANS_RELEASE. -Thus, the lookup expression marks anonymous sets as inactive in the next -generation to ensure it is not reachable in this transaction anymore and -decrement the set refcount as introduced by c1592a89942e ("netfilter: -nf_tables: deactivate anonymous set from preparation phase"). The abort -step takes care of undoing the anonymous set. - -This is also consistent with rule deletion, where NFT_TRANS_PREPARE is -used. Note that this error path is exercised in the preparation step of -the commit protocol. This patch replaces nf_tables_rule_release() by the -deactivate and destroy calls, this time with NFT_TRANS_PREPARE. - -Due to this incorrect error handling, it is possible to access a -dangling pointer to the anonymous set that remains in the transaction -list. - -[1009.379054] BUG: KASAN: use-after-free in nft_set_lookup_global+0x147/0x1a0 [nf_tables] -[1009.379106] Read of size 8 at addr ffff88816c4c8020 by task nft-rule-add/137110 -[1009.379116] CPU: 7 PID: 137110 Comm: nft-rule-add Not tainted 6.4.0-rc4+ #256 -[1009.379128] Call Trace: -[1009.379132] -[1009.379135] dump_stack_lvl+0x33/0x50 -[1009.379146] ? nft_set_lookup_global+0x147/0x1a0 [nf_tables] -[1009.379191] print_address_description.constprop.0+0x27/0x300 -[1009.379201] kasan_report+0x107/0x120 -[1009.379210] ? nft_set_lookup_global+0x147/0x1a0 [nf_tables] -[1009.379255] nft_set_lookup_global+0x147/0x1a0 [nf_tables] -[1009.379302] nft_lookup_init+0xa5/0x270 [nf_tables] -[1009.379350] nf_tables_newrule+0x698/0xe50 [nf_tables] -[1009.379397] ? nf_tables_rule_release+0xe0/0xe0 [nf_tables] -[1009.379441] ? kasan_unpoison+0x23/0x50 -[1009.379450] nfnetlink_rcv_batch+0x97c/0xd90 [nfnetlink] -[1009.379470] ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink] -[1009.379485] ? __alloc_skb+0xb8/0x1e0 -[1009.379493] ? __alloc_skb+0xb8/0x1e0 -[1009.379502] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0 -[1009.379509] ? unwind_get_return_address+0x2a/0x40 -[1009.379517] ? write_profile+0xc0/0xc0 -[1009.379524] ? avc_lookup+0x8f/0xc0 -[1009.379532] ? __rcu_read_unlock+0x43/0x60 - -Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets") -Signed-off-by: Pablo Neira Ayuso -(cherry picked from commit 1240eb93f0616b21c675416516ff3d74798fdc97) - -CVE: CVE-2023-3390 -Signed-off-by: Mridula Shastry -Reviewed-by: Venkat Venkatsubra ---- - net/netfilter/nf_tables_api.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c -index c7d98b011cd6..f9bf6e156051 100644 ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -3260,7 +3260,8 @@ err_destroy_flow_rule: - if (flow) - nft_flow_rule_destroy(flow); - err_release_rule: -- nf_tables_rule_release(&ctx, rule); -+ nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE); -+ nf_tables_rule_destroy(&ctx, rule); - err_release_expr: - for (i = 0; i < n; i++) { - if (info[i].ops) { --- -2.39.3 - diff --git a/SOURCES/9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch b/SOURCES/9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch deleted file mode 100644 index e1b1bf4..0000000 --- a/SOURCES/9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch +++ /dev/null @@ -1,110 +0,0 @@ -From a0bb51f2638e0810c347024679239fd10a8f7990 Mon Sep 17 00:00:00 2001 -From: Vitaly Kuznetsov -Date: Tue, 28 Apr 2020 11:38:22 +0200 -Subject: [PATCH] x86/xen: Split HVM vector callback setup and interrupt gate - allocation - -As a preparatory change for making alloc_intr_gate() __init split -xen_callback_vector() into callback vector setup via hypercall -(xen_setup_callback_vector()) and interrupt gate allocation -(xen_alloc_callback_vector()). - -xen_setup_callback_vector() is being called twice: on init and upon -system resume from xen_hvm_post_suspend(). alloc_intr_gate() only -needs to be called once. - -Suggested-by: Thomas Gleixner -Signed-off-by: Vitaly Kuznetsov -Signed-off-by: Thomas Gleixner -Link: https://lkml.kernel.org/r/20200428093824.1451532-2-vkuznets@redhat.com ---- - arch/x86/xen/suspend_hvm.c | 2 +- - arch/x86/xen/xen-ops.h | 2 +- - drivers/xen/events/events_base.c | 28 +++++++++++++++++----------- - 3 files changed, 19 insertions(+), 13 deletions(-) - -diff --git a/arch/x86/xen/suspend_hvm.c b/arch/x86/xen/suspend_hvm.c -index e666b614cf6d..5152afe16876 100644 ---- a/arch/x86/xen/suspend_hvm.c -+++ b/arch/x86/xen/suspend_hvm.c -@@ -13,6 +13,6 @@ void xen_hvm_post_suspend(int suspend_cancelled) - xen_hvm_init_shared_info(); - xen_vcpu_restore(); - } -- xen_callback_vector(); -+ xen_setup_callback_vector(); - xen_unplug_emulated_devices(); - } -diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h -index 45a441c33d6d..1cc1568bfe04 100644 ---- a/arch/x86/xen/xen-ops.h -+++ b/arch/x86/xen/xen-ops.h -@@ -55,7 +55,7 @@ void xen_enable_sysenter(void); - void xen_enable_syscall(void); - void xen_vcpu_restore(void); - --void xen_callback_vector(void); -+void xen_setup_callback_vector(void); - void xen_hvm_init_shared_info(void); - void xen_unplug_emulated_devices(void); - -diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c -index 3a791c8485d0..eb35c3cda9a6 100644 ---- a/drivers/xen/events/events_base.c -+++ b/drivers/xen/events/events_base.c -@@ -1639,26 +1639,30 @@ EXPORT_SYMBOL_GPL(xen_set_callback_via); - /* Vector callbacks are better than PCI interrupts to receive event - * channel notifications because we can receive vector callbacks on any - * vcpu and we don't need PCI support or APIC interactions. */ --void xen_callback_vector(void) -+void xen_setup_callback_vector(void) - { -- int rc; - uint64_t callback_via; - - if (xen_have_vector_callback) { - callback_via = HVM_CALLBACK_VECTOR(HYPERVISOR_CALLBACK_VECTOR); -- rc = xen_set_callback_via(callback_via); -- if (rc) { -+ if (xen_set_callback_via(callback_via)) { - pr_err("Request for Xen HVM callback vector failed\n"); - xen_have_vector_callback = 0; -- return; - } -- pr_info("Xen HVM callback vector for event delivery is enabled\n"); -- alloc_intr_gate(HYPERVISOR_CALLBACK_VECTOR, -- xen_hvm_callback_vector); - } - } -+ -+static __init void xen_alloc_callback_vector(void) -+{ -+ if (!xen_have_vector_callback) -+ return; -+ -+ pr_info("Xen HVM callback vector for event delivery is enabled\n"); -+ alloc_intr_gate(HYPERVISOR_CALLBACK_VECTOR, xen_hvm_callback_vector); -+} - #else --void xen_callback_vector(void) {} -+void xen_setup_callback_vector(void) {} -+static inline void xen_alloc_callback_vector(void) {} - #endif - - #undef MODULE_PARAM_PREFIX -@@ -1692,8 +1696,10 @@ void __init xen_init_IRQ(void) - if (xen_initial_domain()) - pci_xen_initial_domain(); - } -- if (xen_feature(XENFEAT_hvm_callback_vector)) -- xen_callback_vector(); -+ if (xen_feature(XENFEAT_hvm_callback_vector)) { -+ xen_setup_callback_vector(); -+ xen_alloc_callback_vector(); -+ } - - if (xen_hvm_domain()) { - native_init_IRQ(); --- -2.27.0 - diff --git a/SOURCES/9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch b/SOURCES/9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch deleted file mode 100644 index e67ff57..0000000 --- a/SOURCES/9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch +++ /dev/null @@ -1,30 +0,0 @@ -From a32b0f0db3f396f1c9be2fe621e77c09ec3d8e7d Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Tue, 2 May 2023 19:53:50 +0200 -Subject: [PATCH] x86/microcode/AMD: Load late on both threads too - -Do the same as early loading - load on both threads. - -Signed-off-by: Borislav Petkov (AMD) -Cc: -Link: https://lore.kernel.org/r/20230605141332.25948-1-bp@alien8.de ---- - arch/x86/kernel/cpu/microcode/amd.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c -index f14f4ea0b537..87208e46f7ed 100644 ---- a/arch/x86/kernel/cpu/microcode/amd.c -+++ b/arch/x86/kernel/cpu/microcode/amd.c -@@ -700,7 +700,7 @@ static enum ucode_state apply_microcode_amd(int cpu) - rdmsr(MSR_AMD64_PATCH_LEVEL, rev, dummy); - - /* need to apply patch? */ -- if (rev >= mc_amd->hdr.patch_id) { -+ if (rev > mc_amd->hdr.patch_id) { - ret = UCODE_OK; - goto out; - } --- -2.27.0 - diff --git a/SOURCES/debrand-rh-i686-cpu.patch b/SOURCES/debrand-rh-i686-cpu.patch deleted file mode 100644 index 8e2e5b8..0000000 --- a/SOURCES/debrand-rh-i686-cpu.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/arch/x86/boot/main.c 2019-03-13 04:04:53.000000000 -0700 -+++ b/arch/x86/boot/main.c 2019-05-25 14:31:21.043272496 -0700 -@@ -147,7 +147,7 @@ void main(void) - - /* Make sure we have all the proper CPU support */ - if (validate_cpu()) { -- puts("This processor is not supported in this version of RHEL.\n"); -+ puts("This processor is not supported in this version of AlmaLinux.\n"); - die(); - } - diff --git a/SOURCES/debrand-rh_taint.patch b/SOURCES/debrand-rh_taint.patch deleted file mode 100644 index d39bf1a..0000000 --- a/SOURCES/debrand-rh_taint.patch +++ /dev/null @@ -1,81 +0,0 @@ ---- a/kernel/rh_taint.c 2020-10-16 10:41:51.000000000 -0500 -+++ b/kernel/rh_taint.c 2020-11-19 10:50:24.853039167 -0600 -@@ -2,12 +2,12 @@ - #include - - /* -- * The following functions are used by Red Hat to indicate to users that -- * hardware and drivers are unsupported, or have limited support in RHEL major -+ * The following functions are used by AlmaLinux to indicate to users that -+ * hardware and drivers are unsupported, or have limited support in AlmaLinux major - * and minor releases. These functions output loud warning messages to the end - * user and should be USED WITH CAUTION. - * -- * Any use of these functions _MUST_ be documented in the RHEL Release Notes, -+ * Any use of these functions _MUST_ be documented in the AlmaLinux Release Notes, - * and have approval of management. - */ - -@@ -16,15 +16,15 @@ - * @msg: Hardware name, class, or type - * - * Called to mark a device, class of devices, or types of devices as not having -- * support in any RHEL minor release. This does not TAINT the kernel. Red Hat -- * will not fix bugs against this hardware in this minor release. Red Hat may -+ * support in any AlmaLinux minor release. This does not TAINT the kernel. AlmaLinux -+ * will not fix bugs against this hardware in this minor release. AlmaLinux may - * declare support in a future major or minor update release. This cannot be - * used to mark drivers unsupported. - */ - void mark_hardware_unsupported(const char *msg) - { - /* Print one single message */ -- pr_crit("Warning: %s - this hardware has not undergone testing by Red Hat and might not be certified. Please consult https://catalog.redhat.com for certified hardware.\n", msg); -+ pr_crit("Warning: %s - this hardware has not undergone testing by AlmaLinux and might not be certified.\n", msg); - } - EXPORT_SYMBOL(mark_hardware_unsupported); - -@@ -35,12 +35,12 @@ EXPORT_SYMBOL(mark_hardware_unsupported) - * Called to minimize the support status of a previously supported device in - * a minor release. This does not TAINT the kernel. Marking hardware - * deprecated is usually done in conjunction with the hardware vendor. Future -- * RHEL major releases may not include this driver. Driver updates and fixes -+ * AlmaLinux major releases may not include this driver. Driver updates and fixes - * for this device will be limited to critical issues in future minor releases. - */ - void mark_hardware_deprecated(const char *msg) - { -- pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this RHEL release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact Red Hat Support or your device's hardware vendor for additional information.\n", msg); -+ pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this AlmaLinux release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact AlmaLinux Support or your device's hardware vendor for additional information.\n", msg); - } - EXPORT_SYMBOL(mark_hardware_deprecated); - -@@ -50,9 +50,9 @@ EXPORT_SYMBOL(mark_hardware_deprecated); - * - * Called to minimize the support status of a new driver. This does TAINT the - * kernel. Calling this function indicates that the driver or subsystem has -- * had limited testing and is not marked for full support within this RHEL -- * minor release. The next RHEL minor release may contain full support for -- * this driver. Red Hat does not guarantee that bugs reported against this -+ * had limited testing and is not marked for full support within this AlmaLinux -+ * minor release. The next AlmaLinux minor release may contain full support for -+ * this driver. AlmaLinux does not guarantee that bugs reported against this - * driver or subsystem will be resolved. - */ - void mark_tech_preview(const char *msg, struct module *mod) -@@ -81,13 +81,13 @@ EXPORT_SYMBOL(mark_tech_preview); - * mark_driver_unsupported - drivers that we know we don't want to support - * @name: the name of the driver - * -- * In some cases Red Hat has chosen to build a driver for internal QE -+ * In some cases AlmaLinux has chosen to build a driver for internal QE - * use. Use this function to mark those drivers as unsupported for - * customers. - */ - void mark_driver_unsupported(const char *name) - { -- pr_crit("Warning: %s - This driver has not undergone sufficient testing by Red Hat for this release and therefore cannot be used in production systems.\n", -+ pr_crit("Warning: %s - This driver has not undergone sufficient testing by AlmaLinux for this release and therefore cannot be used in production systems.\n", - name ? name : "kernel"); - } - EXPORT_SYMBOL(mark_driver_unsupported); diff --git a/SOURCES/debrand-single-cpu.patch b/SOURCES/debrand-single-cpu.patch deleted file mode 100644 index 32b00a5..0000000 --- a/SOURCES/debrand-single-cpu.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/arch/x86/kernel/setup.c 2019-03-13 04:04:53.000000000 -0700 -+++ b/arch/x86/kernel/setup.c 2019-05-27 08:35:54.580595314 -0700 -@@ -900,7 +900,7 @@ static void rh_check_supported(void) - if (((boot_cpu_data.x86_max_cores * smp_num_siblings) == 1) && - !guest && is_kdump_kernel()) { - pr_crit("Detected single cpu native boot.\n"); -- pr_crit("Important: In Red Hat Enterprise Linux 8, single threaded, single CPU 64-bit physical systems are unsupported by Red Hat. Please contact your Red Hat support representative for a list of certified and supported systems."); -+ pr_crit("Important: In AlmaLinux 8, single threaded, single CPU 64-bit physical systems are unsupported. Please see https://www.almalinux.org for more information"); - } - - /* diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 2eb85fa..3271b5a 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -38,11 +38,10 @@ # define buildid .local %define rpmversion 4.18.0 -%define pkgrelease 477.27.2.rt7.290.el8_8 -%define tarfile_release 477.13.1.rt7.276.el8_8 +%define pkgrelease 477.13.1.rt7.276.el8_8 # allow pkg_release to have configurable %%{?dist} tag -%define specrelease 477.27.2.rt7.290%{?dist} +%define specrelease 477.13.1.rt7.276%{?dist} %define pkg_release %{specrelease}%{?buildid} @@ -149,7 +148,7 @@ # The preempt RT patch level %global rttag .rt7 # realtimeN -%global rtbuild .290 +%global rtbuild .276 %define with_doc 0 %define with_headers 0 %define with_cross_headers 0 @@ -436,7 +435,7 @@ BuildRequires: xmlto BuildRequires: asciidoc %endif -Source0: linux-%{rpmversion}-%{tarfile_release}.tar.xz +Source0: linux-%{rpmversion}-%{pkgrelease}.tar.xz Source9: x509.genkey @@ -521,62 +520,6 @@ Source4000: gating.yaml Source4001: rpminspect.yaml ## Patches needed for building this package -Patch0001: debrand-single-cpu.patch -# Patch0002: debrand-rh_taint.patch -Patch0003: debrand-rh-i686-cpu.patch -Patch1001: 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch -Patch1002: 1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch -Patch1003: 1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch -Patch1004: 1004-net-sched-tcindex-search-key-must-be-16-bits.patch -Patch1005: 1005-net-sched-Retire-tcindex-classifier.patch -Patch1006: 1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch -Patch1007: 1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch -Patch1008: 1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch -Patch1009: 1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch -Patch1010: 1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch -Patch1011: 1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch -Patch1012: 1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch -Patch1013: 1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch -Patch1014: 1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch -Patch1015: 1015-x86-microcode-intel-Expose-collect_cpu_info_early-fo.patch -Patch1016: 1016-x86-cpu-Load-microcode-during-restore_processor_stat.patch -Patch1017: 1017-x86-microcode-Deprecate-MICROCODE_OLD_INTERFACE.patch -Patch1018: 1018-x86-microcode-Rip-out-the-OLD_INTERFACE.patch -Patch1019: 1019-x86-microcode-Default-disable-late-loading.patch -Patch1020: 1020-x86-microcode-Taint-and-warn-on-late-loading.patch -Patch1021: 1021-x86-microcode-Remove-unnecessary-perf-callback.patch -Patch1022: 1022-x86-microcode-Print-previous-version-of-microcode-af.patch -Patch1023: 1023-x86-microcode-Rip-out-the-subsys-interface-gunk.patch -Patch1024: 1024-x86-microcode-Simplify-init-path-even-more.patch -Patch1025: 1025-x86-microcode-AMD-Rename-a-couple-of-functions.patch -Patch1026: 1026-x86-microcode-Fix-return-value-for-microcode-late-lo.patch -Patch1027: 1027-x86-microcode-Add-a-parameter-to-microcode_check-to-.patch -Patch1028: 1028-x86-microcode-Check-CPU-capabilities-after-late-micr.patch -Patch1029: 1029-x86-microcode-Adjust-late-loading-result-reporting-m.patch -Patch1030: 1030-x86-amd-Cache-debug-register-values-in-percpu-variab.patch -Patch1031: 1031-x86-microcode-Remove-request_microcode_user.patch -Patch1032: 1032-x86-microcode-Kill-refresh_fw.patch -Patch1033: 1033-x86-microcode-amd-Remove-load_microcode_amd-s-bsp-pa.patch -Patch1034: 1034-x86-microcode-Drop-struct-ucode_cpu_info.valid.patch -Patch1035: 1035-x86-microcode-AMD-Add-a-cpu-parameter-to-the-reloadi.patch -Patch1036: 1036-x86-microcode-AMD-Track-patch-allocation-size-explic.patch -Patch1037: 1037-x86-microcode-AMD-Fix-mixed-steppings-support.patch -Patch1038: 1038-x86-microcode-core-Return-an-error-only-when-necessa.patch -Patch1039: 1039-x86-apic-Don-t-disable-x2APIC-if-locked.patch -Patch1040: 1040-x86-cpu-amd-Move-the-errata-checking-functionality-u.patch -Patch1041: 1041-x86-cpu-Remove-redundant-extern-x86_read_arch_cap_ms.patch -Patch1042: 1042-x86-cpu-kvm-Add-support-for-CPUID_80000021_EAX.patch -Patch1043: 1043-KVM-x86-Advertise-that-the-SMM_CTL-MSR-is-not-suppor.patch -Patch1044: 1044-KVM-x86-Move-open-coded-CPUID-leaf-0x80000021-EAX-bi.patch -Patch1045: 1045-x86-cpu-kvm-Add-the-NO_NESTED_DATA_BP-feature.patch -Patch1046: 1046-x86-bugs-Make-sure-MSR_SPEC_CTRL-is-updated-properly.patch -Patch1047: 1047-x86-cpu-Support-AMD-Automatic-IBRS.patch -Patch1048: 1048-x86-CPU-AMD-Make-sure-EFER-AIBRSE-is-set.patch -Patch1049: 1049-x86-cpu-amd-Add-a-Zenbleed-fix.patch -Patch1050: 1050-netfilter-nf_tables-incorrect-error-path-handling-wi.patch - -Patch9001: 9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch -Patch9002: 9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch # empty final patch to facilitate testing of kernel patches Patch999999: linux-kernel-test.patch @@ -1133,68 +1076,11 @@ ApplyOptionalPatch() fi } -%setup -q -n %{name}-%{rpmversion}-%{tarfile_release} -c -mv linux-%{rpmversion}-%{tarfile_release} linux-%{KVERREL} +%setup -q -n %{name}-%{rpmversion}-%{pkgrelease} -c +mv linux-%{rpmversion}-%{pkgrelease} linux-%{KVERREL} cd linux-%{KVERREL} -ApplyPatch debrand-single-cpu.patch -# ApplyPatch debrand-rh_taint.patch -ApplyPatch debrand-rh-i686-cpu.patch -ApplyPatch 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch -ApplyPatch 1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch -ApplyPatch 1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch -ApplyPatch 1004-net-sched-tcindex-search-key-must-be-16-bits.patch -ApplyPatch 1005-net-sched-Retire-tcindex-classifier.patch -ApplyPatch 1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch -ApplyPatch 1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch -ApplyPatch 1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch -ApplyPatch 1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch -ApplyPatch 1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch -ApplyPatch 1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch -ApplyPatch 1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch -ApplyPatch 1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch -ApplyPatch 1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch -ApplyPatch 1015-x86-microcode-intel-Expose-collect_cpu_info_early-fo.patch -ApplyPatch 1016-x86-cpu-Load-microcode-during-restore_processor_stat.patch -ApplyPatch 1017-x86-microcode-Deprecate-MICROCODE_OLD_INTERFACE.patch -ApplyPatch 1018-x86-microcode-Rip-out-the-OLD_INTERFACE.patch -ApplyPatch 1019-x86-microcode-Default-disable-late-loading.patch -ApplyPatch 1020-x86-microcode-Taint-and-warn-on-late-loading.patch -ApplyPatch 1021-x86-microcode-Remove-unnecessary-perf-callback.patch -ApplyPatch 1022-x86-microcode-Print-previous-version-of-microcode-af.patch -ApplyPatch 1023-x86-microcode-Rip-out-the-subsys-interface-gunk.patch -ApplyPatch 1024-x86-microcode-Simplify-init-path-even-more.patch -ApplyPatch 1025-x86-microcode-AMD-Rename-a-couple-of-functions.patch -ApplyPatch 1026-x86-microcode-Fix-return-value-for-microcode-late-lo.patch -ApplyPatch 1027-x86-microcode-Add-a-parameter-to-microcode_check-to-.patch -ApplyPatch 1028-x86-microcode-Check-CPU-capabilities-after-late-micr.patch -ApplyPatch 1029-x86-microcode-Adjust-late-loading-result-reporting-m.patch -ApplyPatch 1030-x86-amd-Cache-debug-register-values-in-percpu-variab.patch -ApplyPatch 1031-x86-microcode-Remove-request_microcode_user.patch -ApplyPatch 1032-x86-microcode-Kill-refresh_fw.patch -ApplyPatch 1033-x86-microcode-amd-Remove-load_microcode_amd-s-bsp-pa.patch -ApplyPatch 1034-x86-microcode-Drop-struct-ucode_cpu_info.valid.patch -ApplyPatch 1035-x86-microcode-AMD-Add-a-cpu-parameter-to-the-reloadi.patch -ApplyPatch 1036-x86-microcode-AMD-Track-patch-allocation-size-explic.patch -ApplyPatch 1037-x86-microcode-AMD-Fix-mixed-steppings-support.patch -ApplyPatch 1038-x86-microcode-core-Return-an-error-only-when-necessa.patch -ApplyPatch 1039-x86-apic-Don-t-disable-x2APIC-if-locked.patch -ApplyPatch 1040-x86-cpu-amd-Move-the-errata-checking-functionality-u.patch -ApplyPatch 1041-x86-cpu-Remove-redundant-extern-x86_read_arch_cap_ms.patch -ApplyPatch 1042-x86-cpu-kvm-Add-support-for-CPUID_80000021_EAX.patch -ApplyPatch 1043-KVM-x86-Advertise-that-the-SMM_CTL-MSR-is-not-suppor.patch -ApplyPatch 1044-KVM-x86-Move-open-coded-CPUID-leaf-0x80000021-EAX-bi.patch -ApplyPatch 1045-x86-cpu-kvm-Add-the-NO_NESTED_DATA_BP-feature.patch -ApplyPatch 1046-x86-bugs-Make-sure-MSR_SPEC_CTRL-is-updated-properly.patch -ApplyPatch 1047-x86-cpu-Support-AMD-Automatic-IBRS.patch -ApplyPatch 1048-x86-CPU-AMD-Make-sure-EFER-AIBRSE-is-set.patch -ApplyPatch 1049-x86-cpu-amd-Add-a-Zenbleed-fix.patch -ApplyPatch 1050-netfilter-nf_tables-incorrect-error-path-handling-wi.patch - -ApplyPatch 9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch -ApplyPatch 9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch - ApplyOptionalPatch linux-kernel-test.patch # END OF PATCH APPLICATIONS @@ -2803,63 +2689,6 @@ fi # # %changelog -* Thu Sep 29 2023 Andrew Lukoshko [4.18.0-477.27.2.rt7.290.el8_8] -- x86/microcode/intel: Expose collect_cpu_info_early() for IFS -- x86/cpu: Load microcode during restore_processor_state() -- x86/microcode: Deprecate MICROCODE_OLD_INTERFACE -- x86/microcode: Rip out the OLD_INTERFACE -- x86/microcode: Default-disable late loading -- x86/microcode: Taint and warn on late loading -- x86/microcode: Remove unnecessary perf callback -- x86/microcode: Print previous version of microcode after reload -- x86/microcode: Rip out the subsys interface gunk -- x86/microcode: Simplify init path even more -- x86/microcode/AMD: Rename a couple of functions {CVE-2023-20593} -- x86/microcode: Add a parameter to microcode_check() to store CPU capabilities {CVE-2023-20593} -- x86/microcode: Check CPU capabilities after late microcode update correctly {CVE-2023-20593} -- x86/microcode: Adjust late loading result reporting message {CVE-2023-20593} -- x86/amd: Cache debug register values in percpu variables {CVE-2023-20593} -- x86/microcode: Remove ->request_microcode_user() -- x86/microcode: Kill refresh_fw -- x86/microcode/amd: Remove load_microcode_amd()'s bsp parameter {CVE-2023-20593} -- x86/microcode: Drop struct ucode_cpu_info.valid -- x86/microcode/AMD: Add a @cpu parameter to the reloading functions {CVE-2023-20593} -- x86/microcode/AMD: Track patch allocation size explicitly -- x86/microcode/AMD: Fix mixed steppings support {CVE-2023-20593} -- x86/microcode/core: Return an error only when necessary {CVE-2023-20593} -- x86/apic: Don't disable x2APIC if locked -- x86/cpu/amd: Move the errata checking functionality up {CVE-2023-20593} -- x86/cpu: Remove redundant extern x86_read_arch_cap_msr() -- x86/cpu, kvm: Add support for CPUID_80000021_EAX -- KVM: x86: Advertise that the SMM_CTL MSR is not supported -- KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code -- x86/cpu, kvm: Add the NO_NESTED_DATA_BP feature -- x86/bugs: Make sure MSR_SPEC_CTRL is updated properly upon resume from S3 -- x86/cpu: Support AMD Automatic IBRS -- x86/CPU/AMD: Make sure EFER[AIBRSE] is set -- x86/cpu/amd: Add a Zenbleed fix {CVE-2023-20593} -- netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE {CVE-2023-3390} - -* Thu Sep 21 2023 Andrew Lukoshko [4.18.0-477.27.1.rt7.290.el8_8] -- bluetooth: Perform careful capability checks in hci_sock_ioctl() {CVE-2023-2002} -- ipvlan:Fix out-of-bounds caused by unclear skb->cb {CVE-2023-3090} -- net/sched: cls_fw: Fix improper refcount update leads to use-after-free {CVE-2023-3776} -- netfilter: nft_set_pipapo: fix improper element removal {CVE-2023-4004} -- netfilter: nf_tables: prevent OOB access in nft_byteorder_eval {CVE-2023-35001} -- net/sched: flower: fix possible OOB write in fl_set_geneve_opt() {CVE-2023-35788} - -* Tue Aug 8 2023 Nagappan Ramasamy Palaniappan [4.18.0-477.21.1.rt7.284.el8_8] -- Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM (Tamás Koczka) {CVE-2022-42896} -- net/sched: tcindex: update imperfect hash filters respecting rcu (Jamal Hadi Salim) {CVE-2023-1281} -- net/sched: tcindex: search key must be 16 bits (Jamal Hadi Salim) {CVE-2023-1281} -- net/sched: Retire tcindex classifier (Jamal Hadi Salim) {CVE-2023-1829} -- xfs: verify buffer contents when we skip log replay (Darrick J. Wong) {CVE-2023-2124} -- i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer() (Wei Chen) {CVE-2023-2194} -- perf: Fix check before add_event_to_groups() in perf_group_detach() (Budimir Markovic) {CVE-2023-2235} - -* Mon Jul 24 2023 Andrew Lukoshko [4.18.0-477.15.1.rt7.278.el8_8] -- net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf() (Hangyu Hua) {CVE-2023-28466} - * Thu May 18 2023 Lucas Zampieri [4.18.0-477.13.1.rt7.276.el8_8.g3045] - [rt] build kernel-rt-4.18.0-477.13.1.rt7.276.el8_8.g3045 [2196667] - netfilter: nf_tables: deactivate anonymous set from preparation phase (Florian Westphal) [2196154 2196153] {CVE-2023-32233}