From a8defc9cfa8914ce14f569666a1b10f7311a8cdf Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 1 Apr 2024 15:12:40 +0200
Subject: [PATCH] 5.10-stable patches added patches: x86-cpu-enable-stibp-on-amd-if-automatic-ibrs-is-enabled.patch
---
 queue-5.10/series | 1 +
 ...-on-amd-if-automatic-ibrs-is-enabled.patch | 91 +++++++++++++++++++
 2 files changed, 92 insertions(+)
 create mode 100644 queue-5.10/x86-cpu-enable-stibp-on-amd-if-automatic-ibrs-is-enabled.patch
diff --git a/queue-5.10/series b/queue-5.10/series
index 8212c209fad..8005db9f242 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -176,3 +176,4 @@ usb-typec-ucsi-clear-ucsi_cci_reset_complete-before-reset.patch
 scsi-qla2xxx-split-fce-eft-trace-control.patch
 scsi-qla2xxx-fix-command-flush-on-cable-pull.patch
 scsi-qla2xxx-delay-i-o-abort-on-pci-error.patch
+x86-cpu-enable-stibp-on-amd-if-automatic-ibrs-is-enabled.patch
diff --git a/queue-5.10/x86-cpu-enable-stibp-on-amd-if-automatic-ibrs-is-enabled.patch b/queue-5.10/x86-cpu-enable-stibp-on-amd-if-automatic-ibrs-is-enabled.patch
new file mode 100644
index 00000000000..6ea759f0187
--- /dev/null
+++ b/queue-5.10/x86-cpu-enable-stibp-on-amd-if-automatic-ibrs-is-enabled.patch
@@ -0,0 +1,91 @@
+From fd470a8beed88440b160d690344fbae05a0b9b1b Mon Sep 17 00:00:00 2001
+From: Kim Phillips
+Date: Thu, 20 Jul 2023 14:47:27 -0500
+Subject: x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled
+
+From: Kim Phillips
+
+commit fd470a8beed88440b160d690344fbae05a0b9b1b upstream.
+
+Unlike Intel's Enhanced IBRS feature, AMD's Automatic IBRS does not
+provide protection to processes running at CPL3/user mode, see section
+"Extended Feature Enable Register (EFER)" in the APM v2 at
+https://bugzilla.kernel.org/attachment.cgi?id=304652
+
+Explicitly enable STIBP to protect against cross-thread CPL3
+branch target injections on systems with Automatic IBRS enabled.
+
+Also update the relevant documentation.
+
+Fixes: e7862eda309e ("x86/cpu: Support AMD Automatic IBRS")
+Reported-by: Tom Lendacky
+Signed-off-by: Kim Phillips
+Signed-off-by: Borislav Petkov (AMD)
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230720194727.67022-1-kim.phillips@amd.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/admin-guide/hw-vuln/spectre.rst | 11 +++++++----
+ arch/x86/kernel/cpu/bugs.c | 15 +++++++++------
+ 2 files changed, 16 insertions(+), 10 deletions(-)
+
+--- a/Documentation/admin-guide/hw-vuln/spectre.rst
++++ b/Documentation/admin-guide/hw-vuln/spectre.rst
+@@ -484,11 +484,14 @@ Spectre variant 2
+
+ Systems which support enhanced IBRS (eIBRS) enable IBRS protection once at
+ boot, by setting the IBRS bit, and they're automatically protected against
+- Spectre v2 variant attacks, including cross-thread branch target injections
+- on SMT systems (STIBP). In other words, eIBRS enables STIBP too.
++ Spectre v2 variant attacks.
+
+- Legacy IBRS systems clear the IBRS bit on exit to userspace and
+- therefore explicitly enable STIBP for that
++ On Intel's enhanced IBRS systems, this includes cross-thread branch target
++ injections on SMT systems (STIBP). In other words, Intel eIBRS enables
++ STIBP, too.
++ AMD Automatic IBRS does not protect userspace, and Legacy IBRS systems clear
++ the IBRS bit on exit to userspace, therefore both explicitly enable STIBP.
+
+ The retpoline mitigation is turned on by default on vulnerable
+ CPUs. It can be forced on or off by the administrator
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1317,19 +1317,21 @@ spectre_v2_user_select_mitigation(void)
+ }
+
+ /*
+- * If no STIBP, enhanced IBRS is enabled, or SMT impossible, STIBP
++ * If no STIBP, Intel enhanced IBRS is enabled, or SMT impossible, STIBP
+ * is not required.
+ *
+- * Enhanced IBRS also protects against cross-thread branch target
++ * Intel's Enhanced IBRS also protects against cross-thread branch target
+ * injection in user-mode as the IBRS bit remains always set which
+ * implicitly enables cross-thread protections. However, in legacy IBRS
+ * mode, the IBRS bit is set only on kernel entry and cleared on return
+- * to userspace. This disables the implicit cross-thread protection,
+- * so allow for STIBP to be selected in that case.
++ * to userspace. AMD Automatic IBRS also does not protect userspace.
++ * These modes therefore disable the implicit cross-thread protection,
++ * so allow for STIBP to be selected in those cases.
+ */
+ if (!boot_cpu_has(X86_FEATURE_STIBP) ||
+ !smt_possible ||
+- spectre_v2_in_eibrs_mode(spectre_v2_enabled))
++ (spectre_v2_in_eibrs_mode(spectre_v2_enabled) &&
++ !boot_cpu_has(X86_FEATURE_AUTOIBRS)))
+ return;
+
+ /*
+@@ -2596,7 +2598,8 @@ static ssize_t rfds_show_state(char *buf
+
+ static char *stibp_state(void)
+ {
+- if (spectre_v2_in_eibrs_mode(spectre_v2_enabled))
++ if (spectre_v2_in_eibrs_mode(spectre_v2_enabled) &&
++ !boot_cpu_has(X86_FEATURE_AUTOIBRS))
+ return "";
+
+ switch (spectre_v2_user_stibp) {
-- 2.39.5
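Review bot: In the queued bugs.c change, the test `spectre_v2_in_eibrs_mode(spectre_v2_enabled) && !boot_cpu_has(X86_FEATURE_AUTOIBRS)` is written out twice, in spectre_v2_user_select_mitigation() and in stibp_state(), and only the first carries a comment saying why Automatic IBRS is excluded. stibp_state() would be easier to keep in step with the selection logic with a one-line comment above its check, for example `/* AMD Automatic IBRS does not protect userspace, so STIBP state is still reported. */`. Both checks use the CPU feature bit as a stand-in for "Automatic IBRS is in use", and X86_FEATURE_AUTOIBRS is not defined anywhere in this patch; it presumably comes from the commit named in the Fixes: tag, so it is worth confirming that commit is already in the 5.10 tree before this one is applied. Both function bodies continue outside the inner hunks.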