From: Greg Kroah-Hartman Date: Tue, 16 Jun 2026 13:42:04 +0000 (+0530) Subject: 5.10-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b7993d92cf179a3e869525079e86d1d3b5e7f7d9;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: apparmor-validate-default-dfa-states-are-in-bounds.patch x86-cpu-amd-move-the-zen3-btc_no-detection-to-the-zen3-init-function.patch
---
diff --git a/queue-5.10/apparmor-validate-default-dfa-states-are-in-bounds.patch b/queue-5.10/apparmor-validate-default-dfa-states-are-in-bounds.patch
new file mode 100644
index 0000000000..d0b54d894d
--- /dev/null
+++ b/queue-5.10/apparmor-validate-default-dfa-states-are-in-bounds.patch
@@ -0,0 +1,82 @@
+From benh@debian.org Tue Jun 16 19:06:38 2026
+From: Ben Hutchings
+Date: Thu, 28 May 2026 17:15:26 +0200
+Subject: apparmor: validate default DFA states are in bounds
+To: Sasha Levin , Greg Kroah-Hartman
+Cc: John Johansen , Qualys Security Advisory , Salvatore Bonaccorso , Georgia Garcia , Cengiz Can , Massimiliano Pellizzer , stable@vger.kernel.org
+Message-ID:
+Content-Disposition: inline
+
+From: Ben Hutchings
+
+Some backports of commit 9063d7e2615f ("apparmor: validate DFA start
+states are in bounds in unpack_pdb") limited the bounds checks on DFA
+start states to the case where the start state was explicit in the
+policy. However, the default DFA start state (DFA_START = 1) could
+also be out-of-bounds.
+
+Move these checks out of the else-branches so that they are applied
+regardless of how the start state was initialised.
+
+Fixes: f43eea8ae010 ("apparmor: validate DFA start states are in bounds in unpack_pdb")
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/apparmor/policy_unpack.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -846,6 +846,8 @@ static struct aa_profile *unpack_profile
+ }
+
+ if (unpack_nameX(e, AA_STRUCT, "policydb")) {
++ size_t state_count;
++
+ /* generic policy dfa - optional and may be NULL */
+ info = "failed to unpack policydb";
+ profile->policy.dfa = unpack_dfa(e);
+@@ -860,13 +862,12 @@ static struct aa_profile *unpack_profile
+ if (!unpack_u32(e, &profile->policy.start[0], "start")) {
+ /* default start state */
+ profile->policy.start[0] = DFA_START;
+- } else {
+- size_t state_count = profile->policy.dfa->tables[YYTD_ID_BASE]->td_lolen;
++ }
+
+- if (profile->policy.start[0] >= state_count) {
+- info = "invalid dfa start state";
+- goto fail;
+- }
++ state_count = profile->policy.dfa->tables[YYTD_ID_BASE]->td_lolen;
++ if (profile->policy.start[0] >= state_count) {
++ info = "invalid dfa start state";
++ goto fail;
+ }
+
+ /* setup class index */
+@@ -889,16 +890,18 @@ static struct aa_profile *unpack_profile
+ info = "failed to unpack profile file rules";
+ goto fail;
+ } else if (profile->file.dfa) {
++ size_t state_count;
++
+ if (!unpack_u32(e, &profile->file.start, "dfa_start")) {
+ /* default start state */
+ profile->file.start = DFA_START;
+- } else {
+- size_t state_count = profile->file.dfa->tables[YYTD_ID_BASE]->td_lolen;
++ }
++
++ state_count = profile->file.dfa->tables[YYTD_ID_BASE]->td_lolen;
+
+- if (profile->file.start >= state_count) {
+- info = "invalid dfa start state";
+- goto fail;
+- }
++ if (profile->file.start >= state_count) {
++ info = "invalid dfa start state";
++ goto fail;
+ }
+ } else if (profile->policy.dfa &&
+ profile->policy.start[AA_CLASS_FILE]) {
diff --git a/queue-5.10/series b/queue-5.10/series
index 073509870d..2667b03248 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -338,3 +338,5 @@ arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch
 arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch
 arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt-100-cpu.patch
 fbdev-vt8500lcdfb-fix-dma_free_coherent-cpu_addr-parameter.patch
+apparmor-validate-default-dfa-states-are-in-bounds.patch
+x86-cpu-amd-move-the-zen3-btc_no-detection-to-the-zen3-init-function.patch
diff --git a/queue-5.10/x86-cpu-amd-move-the-zen3-btc_no-detection-to-the-zen3-init-function.patch b/queue-5.10/x86-cpu-amd-move-the-zen3-btc_no-detection-to-the-zen3-init-function.patch
new file mode 100644
index 0000000000..30d31786cc
--- /dev/null
+++ b/queue-5.10/x86-cpu-amd-move-the-zen3-btc_no-detection-to-the-zen3-init-function.patch
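Review bot: In the policy_unpack.c patch, both relocated checks now read `->tables[YYTD_ID_BASE]->td_lolen` on every profile load instead of only when the policy carries an explicit start state, so they depend on the DFA pointer and its base table already being valid at that point. For `profile->file.dfa` the `else if (profile->file.dfa)` guard is visible, but for `profile->policy.dfa` the visible context only says "optional and may be NULL", and whatever handles a NULL or error return from `unpack_dfa(e)` sits between the hunks, outside this view; presumably it rejects both before the start state is read, which should be confirmed for the 5.10 tree. If it does, a one-line comment above the load such as `/* policy.dfa is known non-NULL here; the start state must index a real DFA state */` would record that assumption. The two checks are also identical apart from the field, including the `"invalid dfa start state"` message, so a rejected profile does not say which DFA was at fault. unpack_profile's body starts and ends outside these hunks.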
@@ -0,0 +1,57 @@
+From affc66cb96f865b3763a8e18add52e133d864f04 Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)"
+Date: Wed, 1 Nov 2023 11:28:31 +0100
+Subject: x86/CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function
+
+From: Borislav Petkov (AMD)
+
+commit affc66cb96f865b3763a8e18add52e133d864f04 upstream.
+
+No functional changes.
+
+Signed-off-by: Borislav Petkov (AMD)
+Reviewed-by: Nikolay Borisov
+Link: http://lore.kernel.org/r/20231120104152.13740-4-bp@alien8.de
+Stable-dep-of: 7c81ad8e8bc2 ("x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common()")
+[bwh: Adjusted to apply after backports of the above commit which actually
+ depended on this]
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/cpu/amd.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -1138,14 +1138,6 @@ static void init_amd_zen1(struct cpuinfo
+ /* Erratum 1076: CPB feature bit not being set in CPUID. */
+ if (!cpu_has(c, X86_FEATURE_CPB))
+ set_cpu_cap(c, X86_FEATURE_CPB);
+-
+- /*
+- * Zen3 (Fam19 model < 0x10) parts are not susceptible to
+- * Branch Type Confusion, but predate the allocation of the
+- * BTC_NO bit.
+- */
+- if (c->x86 == 0x19 && !cpu_has(c, X86_FEATURE_BTC_NO))
+- set_cpu_cap(c, X86_FEATURE_BTC_NO);
+ }
+
+ pr_notice_once("AMD Zen1 FPDSS bug detected, enabling mitigation.\n");
+@@ -1205,6 +1197,16 @@ static void init_amd_zen2(struct cpuinfo
+ static void init_amd_zen3(struct cpuinfo_x86 *c)
+ {
+ init_amd_zen_common();
++
++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) {
++ /*
++ * Zen3 (Fam19 model < 0x10) parts are not susceptible to
++ * Branch Type Confusion, but predate the allocation of the
++ * BTC_NO bit.
++ */
++ if (!cpu_has(c, X86_FEATURE_BTC_NO))
++ set_cpu_cap(c, X86_FEATURE_BTC_NO);
++ }
+ }
+
+ static void init_amd_zen4(struct cpuinfo_x86 *c)
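Review bot: In the amd.c patch, the block added to `init_amd_zen3()` no longer tests `c->x86 == 0x19`, and the comment it carries over still says "Fam19 model < 0x10" although nothing in the function checks family or model. Whether BTC_NO is forced only on the intended parts therefore depends on how `init_amd_zen3()` is dispatched, which is not visible here. Going by the hunk header, the removed lines sat under `init_amd_zen1()` next to the Zen1 FPDSS notice; if that path is reached only on Zen1, the old family-0x19 test could never be true there and this backport starts setting BTC_NO on bare-metal Zen3, which would make the upstream "No functional changes." line inaccurate for 5.10. Because the bit marks a part as not susceptible to Branch Type Confusion, the `[bwh: ...]` note should state that behaviour change if it applies. The comment could drop the unenforced model range, e.g. `/* Zen3 parts (selected by the caller) are not susceptible to Branch Type Confusion, but predate the allocation of the BTC_NO bit. */`.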