From: Greg Kroah-Hartman Date: Tue, 16 Jun 2026 13:43:01 +0000 (+0530) Subject: 6.1-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=beb62b0ef16bf4d8457300aff9fe7539ef93eb1c;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: apparmor-validate-default-dfa-states-are-in-bounds.patch x86-cpu-amd-move-the-zen3-btc_no-detection-to-the-zen3-init-function.patch
---
diff --git a/queue-6.1/apparmor-validate-default-dfa-states-are-in-bounds.patch b/queue-6.1/apparmor-validate-default-dfa-states-are-in-bounds.patch
new file mode 100644
index 0000000000..c1e5529662
--- /dev/null
+++ b/queue-6.1/apparmor-validate-default-dfa-states-are-in-bounds.patch
@@ -0,0 +1,82 @@
+From benh@debian.org Tue Jun 16 19:07:21 2026
+From: Ben Hutchings
+Date: Thu, 28 May 2026 17:16:49 +0200
+Subject: apparmor: validate default DFA states are in bounds
+To: Sasha Levin , Greg Kroah-Hartman
+Cc: John Johansen , Qualys Security Advisory , Salvatore Bonaccorso , Georgia Garcia , Cengiz Can , Massimiliano Pellizzer , stable@vger.kernel.org
+Message-ID:
+Content-Disposition: inline
+
+From: Ben Hutchings
+
+Some backports of commit 9063d7e2615f ("apparmor: validate DFA start
+states are in bounds in unpack_pdb") limited the bounds checks on DFA
+start states to the case where the start state was explicit in the
+policy. However, the default DFA start state (DFA_START = 1) could
+also be out-of-bounds.
+
+Move these checks out of the else-branches so that they are applied
+regardless of how the start state was initialised.
+
+Fixes: 5443c027ec16 ("apparmor: validate DFA start states are in bounds in unpack_pdb")
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/apparmor/policy_unpack.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -829,6 +829,8 @@ static struct aa_profile *unpack_profile
+ }
+ 
+ if (aa_unpack_nameX(e, AA_STRUCT, "policydb")) {
++ size_t state_count;
++
+ /* generic policy dfa - optional and may be NULL */
+ info = "failed to unpack policydb";
+ profile->policy.dfa = unpack_dfa(e);
+@@ -843,13 +845,12 @@ static struct aa_profile *unpack_profile
+ if (!aa_unpack_u32(e, &profile->policy.start[0], "start")) {
+ /* default start state */
+ profile->policy.start[0] = DFA_START;
+- } else {
+- size_t state_count = profile->policy.dfa->tables[YYTD_ID_BASE]->td_lolen;
++ }
+ 
+- if (profile->policy.start[0] >= state_count) {
+- info = "invalid dfa start state";
+- goto fail;
+- }
++ state_count = profile->policy.dfa->tables[YYTD_ID_BASE]->td_lolen;
++ if (profile->policy.start[0] >= state_count) {
++ info = "invalid dfa start state";
++ goto fail;
+ }
+ 
+ /* setup class index */
+@@ -872,16 +873,18 @@ static struct aa_profile *unpack_profile
+ info = "failed to unpack profile file rules";
+ goto fail;
+ } else if (profile->file.dfa) {
++ size_t state_count;
++
+ if (!aa_unpack_u32(e, &profile->file.start, "dfa_start")) {
+ /* default start state */
+ profile->file.start = DFA_START;
+- } else {
+- size_t state_count = profile->file.dfa->tables[YYTD_ID_BASE]->td_lolen;
++ }
++
++ state_count = profile->file.dfa->tables[YYTD_ID_BASE]->td_lolen;
+ 
+- if (profile->file.start >= state_count) {
+- info = "invalid dfa start state";
+- goto fail;
+- }
++ if (profile->file.start >= state_count) {
++ info = "invalid dfa start state";
++ goto fail;
+ }
+ } else if (profile->policy.dfa &&
+ profile->policy.start[AA_CLASS_FILE]) {
diff --git a/queue-6.1/series b/queue-6.1/series
index 98bb554238..bcdc820a96 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -518,3 +518,5 @@ arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch
 arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt-100-cpu.patch
 revert-selftest-ptp-update-ptp-selftest-to-exercise-the-gettimex-options.patch
 fbdev-vt8500lcdfb-fix-dma_free_coherent-cpu_addr-parameter.patch
+apparmor-validate-default-dfa-states-are-in-bounds.patch
+x86-cpu-amd-move-the-zen3-btc_no-detection-to-the-zen3-init-function.patch
diff --git a/queue-6.1/x86-cpu-amd-move-the-zen3-btc_no-detection-to-the-zen3-init-function.patch b/queue-6.1/x86-cpu-amd-move-the-zen3-btc_no-detection-to-the-zen3-init-function.patch
new file mode 100644
index 0000000000..c95d81a67e
--- /dev/null
+++ b/queue-6.1/x86-cpu-amd-move-the-zen3-btc_no-detection-to-the-zen3-init-function.patch
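Review bot: In the policydb hunk, `state_count = profile->policy.dfa->tables[YYTD_ID_BASE]->td_lolen;` now runs on every path through the block, while the context comment a few lines above it says the policy dfa "is optional and may be NULL"; the handling of a NULL or error return from `unpack_dfa()` sits in the lines between the first two hunks, so this backport should be checked to confirm it bails out before reaching the dereference (upstream 6.1 does, but that is inferred, not visible here). With that confirmed, moving the check out of the `else` is the right fix: the default `DFA_START` (1) is now rejected by `if (profile->policy.start[0] >= state_count)` whenever the base table has fewer than two states, instead of being used as an out-of-bounds index, and the same holds for the file-dfa hunk, where `} else if (profile->file.dfa) {` already guarantees a non-NULL dfa. One style point: the file-dfa hunk keeps a blank line between the `state_count =` assignment and its `if` while the policydb hunk does not; dropping it so both sites read `state_count = ...;` immediately followed by `if (... >= state_count) {` would make the two checks identical. unpack_profile() starts and ends outside the hunk.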
@@ -0,0 +1,57 @@
+From affc66cb96f865b3763a8e18add52e133d864f04 Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)"
+Date: Wed, 1 Nov 2023 11:28:31 +0100
+Subject: x86/CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function
+
+From: Borislav Petkov (AMD)
+
+commit affc66cb96f865b3763a8e18add52e133d864f04 upstream.
+
+No functional changes.
+
+Signed-off-by: Borislav Petkov (AMD)
+Reviewed-by: Nikolay Borisov
+Link: http://lore.kernel.org/r/20231120104152.13740-4-bp@alien8.de
+Stable-dep-of: 7c81ad8e8bc2 ("x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common()")
+[bwh: Adjusted to apply after backports of the above commit which actually
+ depended on this]
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/cpu/amd.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -1087,14 +1087,6 @@ static void init_amd_zen1(struct cpuinfo
+ /* Erratum 1076: CPB feature bit not being set in CPUID. */
+ if (!cpu_has(c, X86_FEATURE_CPB))
+ set_cpu_cap(c, X86_FEATURE_CPB);
+-
+- /*
+- * Zen3 (Fam19 model < 0x10) parts are not susceptible to
+- * Branch Type Confusion, but predate the allocation of the
+- * BTC_NO bit.
+- */
+- if (c->x86 == 0x19 && !cpu_has(c, X86_FEATURE_BTC_NO))
+- set_cpu_cap(c, X86_FEATURE_BTC_NO);
+ }
+ 
+ pr_notice_once("AMD Zen1 FPDSS bug detected, enabling mitigation.\n");
+@@ -1154,6 +1146,16 @@ static void init_amd_zen2(struct cpuinfo
+ static void init_amd_zen3(struct cpuinfo_x86 *c)
+ {
+ init_amd_zen_common();
++
++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) {
++ /*
++ * Zen3 (Fam19 model < 0x10) parts are not susceptible to
++ * Branch Type Confusion, but predate the allocation of the
++ * BTC_NO bit.
++ */
++ if (!cpu_has(c, X86_FEATURE_BTC_NO))
++ set_cpu_cap(c, X86_FEATURE_BTC_NO);
++ }
+ }
+ 
+ static void init_amd_zen4(struct cpuinfo_x86 *c)
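Review bot: The relocated block in init_amd_zen3() drops the `c->x86 == 0x19` test that the removed code carried, so family-0x19 gating now depends entirely on init_amd_zen3() being reached only for Zen3 parts; that dispatch is outside the hunk, and the `[bwh: ...]` note says the surrounding backports were reordered, so it is worth confirming that no family-0x19 model >= 0x10 part (the init_amd_zen4() path) can land in this function in this tree. The removed lines in init_amd_zen1() end with a `}` whose opening `if` is also outside the hunk, so whether the old code was already under the same `X86_FEATURE_HYPERVISOR` guard — the premise of "No functional changes" — cannot be verified from what is shown. Since BTC_NO is the feature bit the speculation-bug selection consults to skip the Branch Type Confusion mitigation, setting it on a part that is actually affected would silently leave that part unmitigated, so recording the assumption at the new site, e.g. `/* only reached for Fam19 model < 0x10 (Zen3), so no family check here */`, would help the next backporter.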