From: Greg Kroah-Hartman Date: Mon, 24 Feb 2025 14:08:50 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v6.6.80~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=73124313dcc3dbd20702c342cb0c7638ef9d77f5;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: x86-cpu-kvm-srso-fix-possible-missing-ibpb-on-vm-exit.patch
---
diff --git a/queue-5.15/series b/queue-5.15/series
index 12d2741bbd..539253133a 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -486,3 +486,4 @@ acct-block-access-to-kernel-internal-filesystems.patch
 mtd-rawnand-cadence-fix-error-code-in-cadence_nand_init.patch
 mtd-rawnand-cadence-use-dma_map_resource-for-sdma-address.patch
 mtd-rawnand-cadence-fix-incorrect-device-in-dma_unmap_single.patch
+x86-cpu-kvm-srso-fix-possible-missing-ibpb-on-vm-exit.patch
diff --git a/queue-5.15/x86-cpu-kvm-srso-fix-possible-missing-ibpb-on-vm-exit.patch b/queue-5.15/x86-cpu-kvm-srso-fix-possible-missing-ibpb-on-vm-exit.patch
new file mode 100644
index 0000000000..e8abfd173a
--- /dev/null
+++ b/queue-5.15/x86-cpu-kvm-srso-fix-possible-missing-ibpb-on-vm-exit.patch
@@ -0,0 +1,148 @@
+From 318e8c339c9a0891c389298bb328ed0762a9935e Mon Sep 17 00:00:00 2001
+From: Patrick Bellasi
+Date: Wed, 5 Feb 2025 14:04:41 +0000
+Subject: x86/cpu/kvm: SRSO: Fix possible missing IBPB on VM-Exit
+
+From: Patrick Bellasi
+
+commit 318e8c339c9a0891c389298bb328ed0762a9935e upstream.
+
+In [1] the meaning of the synthetic IBPB flags has been redefined for a
+better separation of concerns:
+ - ENTRY_IBPB -- issue IBPB on entry only
+ - IBPB_ON_VMEXIT -- issue IBPB on VM-Exit only
+and the Retbleed mitigations have been updated to match this new
+semantics.
+
+Commit [2] was merged shortly before [1], and their interaction was not
+handled properly. This resulted in IBPB not being triggered on VM-Exit
+in all SRSO mitigation configs requesting an IBPB there.
+
+Specifically, an IBPB on VM-Exit is triggered only when
+X86_FEATURE_IBPB_ON_VMEXIT is set. However:
+
+ - X86_FEATURE_IBPB_ON_VMEXIT is not set for "spec_rstack_overflow=ibpb",
+ because before [1] having X86_FEATURE_ENTRY_IBPB was enough. Hence,
+ an IBPB is triggered on entry but the expected IBPB on VM-exit is
+ not.
+
+ - X86_FEATURE_IBPB_ON_VMEXIT is not set also when
+ "spec_rstack_overflow=ibpb-vmexit" if X86_FEATURE_ENTRY_IBPB is
+ already set.
+
+ That's because before [1] this was effectively redundant. Hence, e.g.
+ a "retbleed=ibpb spec_rstack_overflow=bpb-vmexit" config mistakenly
+ reports the machine still vulnerable to SRSO, despite an IBPB being
+ triggered both on entry and VM-Exit, because of the Retbleed selected
+ mitigation config.
+
+ - UNTRAIN_RET_VM won't still actually do anything unless
+ CONFIG_MITIGATION_IBPB_ENTRY is set.
+
+For "spec_rstack_overflow=ibpb", enable IBPB on both entry and VM-Exit
+and clear X86_FEATURE_RSB_VMEXIT which is made superfluous by
+X86_FEATURE_IBPB_ON_VMEXIT. This effectively makes this mitigation
+option similar to the one for 'retbleed=ibpb', thus re-order the code
+for the RETBLEED_MITIGATION_IBPB option to be less confusing by having
+all features enabling before the disabling of the not needed ones.
+
+For "spec_rstack_overflow=ibpb-vmexit", guard this mitigation setting
+with CONFIG_MITIGATION_IBPB_ENTRY to ensure UNTRAIN_RET_VM sequence is
+effectively compiled in. Drop instead the CONFIG_MITIGATION_SRSO guard,
+since none of the SRSO compile cruft is required in this configuration.
+Also, check only that the required microcode is present to effectively
+enabled the IBPB on VM-Exit.
+
+Finally, update the KConfig description for CONFIG_MITIGATION_IBPB_ENTRY
+to list also all SRSO config settings enabled by this guard.
+
+Fixes: 864bcaa38ee4 ("x86/cpu/kvm: Provide UNTRAIN_RET_VM") [1]
+Fixes: d893832d0e1e ("x86/srso: Add IBPB on VMEXIT") [2]
+Reported-by: Yosry Ahmed
+Signed-off-by: Patrick Bellasi
+Reviewed-by: Borislav Petkov (AMD)
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/Kconfig | 3 ++-
+ arch/x86/kernel/cpu/bugs.c | 20 ++++++++++++++------
+ 2 files changed, 16 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2449,7 +2449,8 @@ config CPU_IBPB_ENTRY
+ depends on CPU_SUP_AMD && X86_64
+ default y
+ help
+- Compile the kernel with support for the retbleed=ibpb mitigation.
++ Compile the kernel with support for the retbleed=ibpb and
++ spec_rstack_overflow={ibpb,ibpb-vmexit} mitigations.
+
+ config CPU_IBRS_ENTRY
+ bool "Enable IBRS on kernel entry"
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1092,6 +1092,8 @@ do_cmd_auto:
+
+ case RETBLEED_MITIGATION_IBPB:
+ setup_force_cpu_cap(X86_FEATURE_ENTRY_IBPB);
++ setup_force_cpu_cap(X86_FEATURE_IBPB_ON_VMEXIT);
++ mitigate_smt = true;
+
+ /*
+ * IBPB on entry already obviates the need for
+@@ -1101,8 +1103,6 @@ do_cmd_auto:
+ setup_clear_cpu_cap(X86_FEATURE_UNRET);
+ setup_clear_cpu_cap(X86_FEATURE_RETHUNK);
+
+- mitigate_smt = true;
+-
+ /*
+ * There is no need for RSB filling: entry_ibpb() ensures
+ * all predictions, including the RSB, are invalidated,
+@@ -2607,6 +2607,7 @@ static void __init srso_select_mitigatio
+ if (IS_ENABLED(CONFIG_CPU_IBPB_ENTRY)) {
+ if (has_microcode) {
+ setup_force_cpu_cap(X86_FEATURE_ENTRY_IBPB);
++ setup_force_cpu_cap(X86_FEATURE_IBPB_ON_VMEXIT);
+ srso_mitigation = SRSO_MITIGATION_IBPB;
+
+ /*
+@@ -2616,6 +2617,13 @@ static void __init srso_select_mitigatio
+ */
+ setup_clear_cpu_cap(X86_FEATURE_UNRET);
+ setup_clear_cpu_cap(X86_FEATURE_RETHUNK);
++
++ /*
++ * There is no need for RSB filling: entry_ibpb() ensures
++ * all predictions, including the RSB, are invalidated,
++ * regardless of IBPB implementation.
++ */
++ setup_clear_cpu_cap(X86_FEATURE_RSB_VMEXIT);
+ }
+ } else {
+ pr_err("WARNING: kernel not compiled with CPU_IBPB_ENTRY.\n");
+@@ -2624,8 +2632,8 @@ static void __init srso_select_mitigatio
+ break;
+
+ case SRSO_CMD_IBPB_ON_VMEXIT:
+- if (IS_ENABLED(CONFIG_CPU_SRSO)) {
+- if (!boot_cpu_has(X86_FEATURE_ENTRY_IBPB) && has_microcode) {
++ if (IS_ENABLED(CONFIG_CPU_IBPB_ENTRY)) {
++ if (has_microcode) {
+ setup_force_cpu_cap(X86_FEATURE_IBPB_ON_VMEXIT);
+ srso_mitigation = SRSO_MITIGATION_IBPB_ON_VMEXIT;
+
+@@ -2637,9 +2645,9 @@ static void __init srso_select_mitigatio
+ setup_clear_cpu_cap(X86_FEATURE_RSB_VMEXIT);
+ }
+ } else {
+- pr_err("WARNING: kernel not compiled with CPU_SRSO.\n");
++ pr_err("WARNING: kernel not compiled with CPU_IBPB_ENTRY.\n");
+ goto pred_cmd;
+- }
++ }
+ break;
+
+ default:
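Review bot: The queued patch's message names the guards as CONFIG_MITIGATION_IBPB_ENTRY and CONFIG_MITIGATION_SRSO, but the 5.15 hunks it carries use `CONFIG_CPU_IBPB_ENTRY` and `CONFIG_CPU_SRSO` (and the Kconfig entry is `config CPU_IBPB_ENTRY`), and there is no backport note recording the difference. I would add a line above the stable sign-off such as `[ 5.15: CONFIG_MITIGATION_{IBPB_ENTRY,SRSO} are named CONFIG_CPU_{IBPB_ENTRY,SRSO} in this tree ]`. This matters for anyone auditing a build config: after this change both the `SRSO_CMD_IBPB` and `SRSO_CMD_IBPB_ON_VMEXIT` cases take the `pr_err("WARNING: kernel not compiled with CPU_IBPB_ENTRY.\n")` branch when that option is off, so the 5.15 symbol is the one that has to be checked. The message also writes `spec_rstack_overflow=bpb-vmexit` in its example where every other mention uses `ibpb-vmexit`. srso_select_mitigation starts and ends outside the inner hunks, so how the `has_microcode` false path is reported cannot be confirmed from these lines.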