From: Greg Kroah-Hartman Date: Tue, 16 Jun 2026 13:19:41 +0000 (+0530) Subject: 5.15-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d4abef1ee3d4d65d9b7c451e0feacac1d42d8be0;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: arm64-cputype-add-c1-premium-definitions.patch arm64-cputype-add-c1-ultra-definitions.patch arm64-cputype-add-nvidia-olympus-definitions.patch arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt-100-cpu.patch arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch mptcp-close-toctou-race-while-computing-rcv_wnd.patch --- diff --git a/queue-5.15/arm64-cputype-add-c1-premium-definitions.patch b/queue-5.15/arm64-cputype-add-c1-premium-definitions.patch new file mode 100644 index 0000000000..9f75c8a572 --- /dev/null +++ b/queue-5.15/arm64-cputype-add-c1-premium-definitions.patch @@ -0,0 +1,50 @@ +From stable+bounces-263593-greg=kroah.com@vger.kernel.org Tue Jun 16 10:53:34 2026 +From: Mark Rutland +Date: Tue, 16 Jun 2026 06:23:04 +0100 +Subject: arm64: cputype: Add C1-Premium definitions +To: stable@vger.kernel.org +Cc: anshuman.khandual@arm.com, catalin.marinas@arm.com, gregkh@linuxfoundation.org, lee@kernel.org, mark.rutland@arm.com, maz@kernel.org, oupton@kernel.org, ryan.roberts@arm.com, sdonthineni@nvidia.com, will@kernel.org, yuzenghui@huawei.com +Message-ID: <20260616052307.112083-7-mark.rutland@arm.com> + +From: Mark Rutland + +commit d28413bfc5a255957241f1df5d7fd0c2cd74fe18 upstream. + +Add cputype definitions for C1-Premium. These will be used for errata +detection in subsequent patches. + +These values can be found in the C1-Premium TRM: + + https://developer.arm.com/documentation/109416/0100/ + +... in section A.5.1 ("MIDR_EL1, Main ID Register"). + +Signed-off-by: Mark Rutland +Cc: Catalin Marinas +Cc: Will Deacon +Signed-off-by: Will Deacon +[Mark: backport to v5.15.y] +Signed-off-by: Mark Rutland +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/cputype.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -99,6 +99,7 @@ + #define ARM_CPU_PART_CORTEX_A725 0xD87 + #define ARM_CPU_PART_C1_ULTRA 0xD8C + #define ARM_CPU_PART_NEOVERSE_N3 0xD8E ++#define ARM_CPU_PART_C1_PREMIUM 0xD90 + + #define APM_CPU_PART_POTENZA 0x000 + +@@ -169,6 +170,7 @@ + #define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725) + #define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) + #define MIDR_NEOVERSE_N3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N3) ++#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM) + #define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX) + #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX) + #define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX) diff --git a/queue-5.15/arm64-cputype-add-c1-ultra-definitions.patch b/queue-5.15/arm64-cputype-add-c1-ultra-definitions.patch new file mode 100644 index 0000000000..ca2da4940a --- /dev/null +++ b/queue-5.15/arm64-cputype-add-c1-ultra-definitions.patch @@ -0,0 +1,50 @@ +From stable+bounces-263592-greg=kroah.com@vger.kernel.org Tue Jun 16 10:53:32 2026 +From: Mark Rutland +Date: Tue, 16 Jun 2026 06:23:03 +0100 +Subject: arm64: cputype: Add C1-Ultra definitions +To: stable@vger.kernel.org +Cc: anshuman.khandual@arm.com, catalin.marinas@arm.com, gregkh@linuxfoundation.org, lee@kernel.org, mark.rutland@arm.com, maz@kernel.org, oupton@kernel.org, ryan.roberts@arm.com, sdonthineni@nvidia.com, will@kernel.org, yuzenghui@huawei.com +Message-ID: <20260616052307.112083-6-mark.rutland@arm.com> + +From: Mark Rutland + +commit 60349e64a6c65f9f0aa118af711b3c7e137f07ff upstream. + +Add cputype definitions for C1-Ultra. These will be used for errata +detection in subsequent patches. + +These values can be found in the C1-Ultra TRM: + + https://developer.arm.com/documentation/108014/0100/ + +... in section A.5.1 ("MIDR_EL1, Main ID Register"). + +Signed-off-by: Mark Rutland +Cc: Catalin Marinas +Cc: Will Deacon +Signed-off-by: Will Deacon +[Mark: backport to v5.15.y] +Signed-off-by: Mark Rutland +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/cputype.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -97,6 +97,7 @@ + #define ARM_CPU_PART_NEOVERSE_V3 0xD84 + #define ARM_CPU_PART_CORTEX_X925 0xD85 + #define ARM_CPU_PART_CORTEX_A725 0xD87 ++#define ARM_CPU_PART_C1_ULTRA 0xD8C + #define ARM_CPU_PART_NEOVERSE_N3 0xD8E + + #define APM_CPU_PART_POTENZA 0x000 +@@ -166,6 +167,7 @@ + #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) + #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) + #define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725) ++#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA) + #define MIDR_NEOVERSE_N3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N3) + #define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX) + #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX) diff --git a/queue-5.15/arm64-cputype-add-nvidia-olympus-definitions.patch b/queue-5.15/arm64-cputype-add-nvidia-olympus-definitions.patch new file mode 100644 index 0000000000..ffb474fef9 --- /dev/null +++ b/queue-5.15/arm64-cputype-add-nvidia-olympus-definitions.patch @@ -0,0 +1,41 @@ +From stable+bounces-263591-greg=kroah.com@vger.kernel.org Tue Jun 16 10:53:30 2026 +From: Mark Rutland +Date: Tue, 16 Jun 2026 06:23:02 +0100 +Subject: arm64: cputype: Add NVIDIA Olympus definitions +To: stable@vger.kernel.org +Cc: anshuman.khandual@arm.com, catalin.marinas@arm.com, gregkh@linuxfoundation.org, lee@kernel.org, mark.rutland@arm.com, maz@kernel.org, oupton@kernel.org, ryan.roberts@arm.com, sdonthineni@nvidia.com, will@kernel.org, yuzenghui@huawei.com +Message-ID: <20260616052307.112083-5-mark.rutland@arm.com> + +From: Shanker Donthineni + +commit e185c8a0d84236d14af61faff8147c953a878a77 upstream. + +Add cpu part and model macro definitions for NVIDIA Olympus core. + +Signed-off-by: Shanker Donthineni +Signed-off-by: Will Deacon +[Mark: backport to v5.15.y] +Signed-off-by: Mark Rutland +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/cputype.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -121,6 +121,7 @@ + + #define NVIDIA_CPU_PART_DENVER 0x003 + #define NVIDIA_CPU_PART_CARMEL 0x004 ++#define NVIDIA_CPU_PART_OLYMPUS 0x010 + + #define FUJITSU_CPU_PART_A64FX 0x001 + +@@ -183,6 +184,7 @@ + #define MIDR_QCOM_KRYO_4XX_SILVER MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_4XX_SILVER) + #define MIDR_NVIDIA_DENVER MIDR_CPU_MODEL(ARM_CPU_IMP_NVIDIA, NVIDIA_CPU_PART_DENVER) + #define MIDR_NVIDIA_CARMEL MIDR_CPU_MODEL(ARM_CPU_IMP_NVIDIA, NVIDIA_CPU_PART_CARMEL) ++#define MIDR_NVIDIA_OLYMPUS MIDR_CPU_MODEL(ARM_CPU_IMP_NVIDIA, NVIDIA_CPU_PART_OLYMPUS) + #define MIDR_FUJITSU_A64FX MIDR_CPU_MODEL(ARM_CPU_IMP_FUJITSU, FUJITSU_CPU_PART_A64FX) + #define MIDR_HISI_TSV110 MIDR_CPU_MODEL(ARM_CPU_IMP_HISI, HISI_CPU_PART_TSV110) + #define MIDR_APPLE_M1_ICESTORM MIDR_CPU_MODEL(ARM_CPU_IMP_APPLE, APPLE_CPU_PART_M1_ICESTORM) diff --git a/queue-5.15/arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt-100-cpu.patch b/queue-5.15/arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt-100-cpu.patch new file mode 100644 index 0000000000..aeeecd32f1 --- /dev/null +++ b/queue-5.15/arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt-100-cpu.patch @@ -0,0 +1,58 @@ +From stable+bounces-263596-greg=kroah.com@vger.kernel.org Tue Jun 16 10:53:44 2026 +From: Mark Rutland +Date: Tue, 16 Jun 2026 06:23:07 +0100 +Subject: arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU +To: stable@vger.kernel.org +Cc: anshuman.khandual@arm.com, catalin.marinas@arm.com, gregkh@linuxfoundation.org, lee@kernel.org, mark.rutland@arm.com, maz@kernel.org, oupton@kernel.org, ryan.roberts@arm.com, sdonthineni@nvidia.com, will@kernel.org, yuzenghui@huawei.com +Message-ID: <20260616052307.112083-10-mark.rutland@arm.com> + +From: Will Deacon + +commit 1940e70a8144bf75e6df26bf6f600862ea7f7ea1 upstream. + +Commit fb091ff39479 ("arm64: Subscribe Microsoft Azure Cobalt 100 to ARM +Neoverse N2 errata") states that Microsoft Azure Cobalt 100 CPU "is a +Microsoft implemented CPU based on r0p0 of the ARM Neoverse N2 CPU, and +therefore suffers from all the same errata.". + +So enable the workaround for the latest broadcast TLB invalidation bug +on these parts. + +Signed-off-by: Will Deacon +[Mark: backport to v5.15.y] +Signed-off-by: Mark Rutland +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/arm64/silicon-errata.rst | 2 ++ + arch/arm64/Kconfig | 1 + + arch/arm64/kernel/cpu_errata.c | 1 + + 3 files changed, 4 insertions(+) + +--- a/Documentation/arm64/silicon-errata.rst ++++ b/Documentation/arm64/silicon-errata.rst +@@ -291,3 +291,5 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | Microsoft | Azure Cobalt 100| #2253138 | ARM64_ERRATUM_2253138 | + +----------------+-----------------+-----------------+-----------------------------+ ++| Microsoft | Azure Cobalt 100| #4193789 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -929,6 +929,7 @@ config ARM64_ERRATUM_4118414 + * ARM Neoverse-V2 erratum 4193787 + * ARM Neoverse-V3 erratum 4193784 + * ARM Neoverse-V3AE erratum 4193784 ++ * Microsoft Azure Cobalt 100 4193789 + * NVIDIA Olympus erratum T410-OLY-1029 + + On affected cores, some memory accesses might not be completed by +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -250,6 +250,7 @@ static const struct arm64_cpu_capabiliti + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), + MIDR_ALL_VERSIONS(MIDR_NVIDIA_OLYMPUS), ++ MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100), + {} + })), + }, diff --git a/queue-5.15/arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch b/queue-5.15/arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch new file mode 100644 index 0000000000..14a87e7e5e --- /dev/null +++ b/queue-5.15/arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch @@ -0,0 +1,77 @@ +From stable+bounces-263595-greg=kroah.com@vger.kernel.org Tue Jun 16 10:53:40 2026 +From: Mark Rutland +Date: Tue, 16 Jun 2026 06:23:06 +0100 +Subject: arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU +To: stable@vger.kernel.org +Cc: anshuman.khandual@arm.com, catalin.marinas@arm.com, gregkh@linuxfoundation.org, lee@kernel.org, mark.rutland@arm.com, maz@kernel.org, oupton@kernel.org, ryan.roberts@arm.com, sdonthineni@nvidia.com, will@kernel.org, yuzenghui@huawei.com +Message-ID: <20260616052307.112083-9-mark.rutland@arm.com> + +From: Shanker Donthineni + +commit ec7216f92e4ebd485b1c6dc6aa3f6064b71a5768 upstream. + +NVIDIA Olympus cores are affected by the TLBI completion issue tracked as +CVE-2025-10263. The existing ARM64_ERRATUM_4118414 handling already uses +ARM64_WORKAROUND_REPEAT_TLBI to issue an additional broadcast TLBI;DSB +sequence and ensure affected memory write effects are globally observed. + +Add MIDR_NVIDIA_OLYMPUS to the repeat-TLBI match list so the same +mitigation is enabled on affected Olympus systems. Also document the +NVIDIA Olympus erratum in the arm64 silicon errata table and list it in +the Kconfig help text. + +Signed-off-by: Shanker Donthineni +Cc: Catalin Marinas +Cc: Will Deacon +Cc: Mark Rutland +Acked-by: Mark Rutland +Signed-off-by: Will Deacon +[Mark: backport to v5.15.y] +Signed-off-by: Shanker Donthineni +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/arm64/silicon-errata.rst | 2 ++ + arch/arm64/Kconfig | 3 ++- + arch/arm64/kernel/cpu_errata.c | 1 + + 3 files changed, 5 insertions(+), 1 deletion(-) + +--- a/Documentation/arm64/silicon-errata.rst ++++ b/Documentation/arm64/silicon-errata.rst +@@ -242,6 +242,8 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | NVIDIA | Carmel Core | N/A | NVIDIA_CARMEL_CNP_ERRATUM | + +----------------+-----------------+-----------------+-----------------------------+ ++| NVIDIA | Olympus core | T410-OLY-1029 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + +----------------+-----------------+-----------------+-----------------------------+ + | Freescale/NXP | LS2080A/LS1043A | A-008585 | FSL_ERRATUM_A008585 | + +----------------+-----------------+-----------------+-----------------------------+ +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -902,7 +902,7 @@ config ARM64_ERRATUM_4193714 + If unsure, say Y. + + config ARM64_ERRATUM_4118414 +- bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" ++ bool "Various: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" + default y + select ARM64_WORKAROUND_REPEAT_TLBI + help +@@ -929,6 +929,7 @@ config ARM64_ERRATUM_4118414 + * ARM Neoverse-V2 erratum 4193787 + * ARM Neoverse-V3 erratum 4193784 + * ARM Neoverse-V3AE erratum 4193784 ++ * NVIDIA Olympus erratum T410-OLY-1029 + + On affected cores, some memory accesses might not be completed by + broadcast TLB invalidation. +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -249,6 +249,7 @@ static const struct arm64_cpu_capabiliti + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), ++ MIDR_ALL_VERSIONS(MIDR_NVIDIA_OLYMPUS), + {} + })), + }, diff --git a/queue-5.15/arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch b/queue-5.15/arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch new file mode 100644 index 0000000000..bc04c7f2f7 --- /dev/null +++ b/queue-5.15/arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch @@ -0,0 +1,262 @@ +From stable+bounces-263594-greg=kroah.com@vger.kernel.org Tue Jun 16 10:53:37 2026 +From: Mark Rutland +Date: Tue, 16 Jun 2026 06:23:05 +0100 +Subject: arm64: errata: Mitigate TLBI errata on various Arm CPUs +To: stable@vger.kernel.org +Cc: anshuman.khandual@arm.com, catalin.marinas@arm.com, gregkh@linuxfoundation.org, lee@kernel.org, mark.rutland@arm.com, maz@kernel.org, oupton@kernel.org, ryan.roberts@arm.com, sdonthineni@nvidia.com, will@kernel.org, yuzenghui@huawei.com +Message-ID: <20260616052307.112083-8-mark.rutland@arm.com> + +From: Mark Rutland + +commit cfd391e74134db664feb499d43af286380b10ba8 upstream. + +A number of CPUs developed by Arm suffer from errata whereby a broadcast +TLBI;DSB sequence may complete before the global observation of writes +which are translated by an affected TLB entry. + +These errata ONLY affect the completion of memory accesses which have +been translated by an invalidated TLB entry, and these errata DO NOT +affect the actual invalidation of TLB entries. TLB entries are removed +correctly. + +This issue has been assigned CVE ID CVE-2025-10263. + +To mitigate this issue, Arm recommends that software follows any +affected TLBI;DSB sequence with an additional TLBI;DSB, which will +ensure that all memory write effects affected by the first TLBI have +been globally observed. The additional TLBI can use any operation that +is broadcast to affected CPUs, and the additional DSB can use any option +that is sufficient to complete the additional TLBI. + +The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate +the issue. Enable this workaround for affected CPUs, and update the +silicon errata documentation accordingly. + +Note that due to the manner in which Arm develops IP and tracks errata, +some CPUs share a common erratum number. + +Signed-off-by: Mark Rutland +Cc: Catalin Marinas +Cc: Will Deacon +Signed-off-by: Will Deacon +[Mark: backport to v5.15.y] +Signed-off-by: Mark Rutland +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/arm64/silicon-errata.rst | 42 ++++++++++++++++++++++++++++ + arch/arm64/Kconfig | 48 +++++++++++++++++++++++++++++++++ + arch/arm64/kernel/cpu_errata.c | 32 ++++++++++++++++++++-- + 3 files changed, 120 insertions(+), 2 deletions(-) + +--- a/Documentation/arm64/silicon-errata.rst ++++ b/Documentation/arm64/silicon-errata.rst +@@ -98,14 +98,26 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A76 | #3324349 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A76 | #4193800 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A76AE | #4193801 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A77 | #1508412 | ARM64_ERRATUM_1508412 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A77 | #3324348 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A77 | #4193798 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A78 | #3324344 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A78 | #4193791 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A78AE | #4193793 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A78C | #3324346,3324347| ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A78C | #4193794 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A510 | #2441009 | ARM64_ERRATUM_2441009 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A510 | #2457168 | ARM64_ERRATUM_2457168 | +@@ -118,6 +130,8 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A710 | #3324338 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A710 | #4193788 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A715 | #3456084 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A720 | #3456091 | ARM64_ERRATUM_3194386 | +@@ -126,16 +140,28 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X1 | #3324344 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-X1 | #4193791 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X1C | #3324346 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-X1C | #4193792 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X2 | #3324338 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-X2 | #4193788 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X3 | #3324335 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-X3 | #4193786 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X4 | #3194386 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-X4 | #4118414 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-X925 | #3324334 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-X925 | #4193781 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N1 | #1188873,1418040| ARM64_ERRATUM_1418040 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N1 | #1349291 | N/A | +@@ -144,6 +170,8 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N1 | #3324349 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-N1 | #4193800 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N2 | #2139208 | ARM64_ERRATUM_2139208 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N2 | #2067961 | ARM64_ERRATUM_2067961 | +@@ -152,16 +180,30 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N2 | #3324339 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-N2 | #4193789 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-N3 | #3456111 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-V1 | #3324341 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-V1 | #4193790 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-V2 | #3324336 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-V2 | #4193787 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-V3 | #3312417 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-V3 | #4193784 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-V3AE | #3312417 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-V3AE | #4193784 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ ++| ARM | C1-Premium | #4193780 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ ++| ARM | C1-Ultra | #4193780 | ARM64_ERRATUM_4118414 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | MMU-500 | #841119,826419 | N/A | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | MMU-600 | #1076982,1209401| N/A | +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -889,6 +889,54 @@ config ARM64_ERRATUM_3194386 + + If unsure, say Y. + ++config ARM64_ERRATUM_4193714 ++ bool "C1-Pro: 4193714: SME DVMSync early acknowledgement" ++ depends on ARM64_SME ++ default y ++ help ++ Enable workaround for C1-Pro acknowledging the DVMSync before ++ the SME memory accesses are complete. This will cause TLB ++ maintenance for processes using SME to also issue an IPI to ++ the affected CPUs. ++ ++ If unsure, say Y. ++ ++config ARM64_ERRATUM_4118414 ++ bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI" ++ default y ++ select ARM64_WORKAROUND_REPEAT_TLBI ++ help ++ This option adds a workaround for the following errata: ++ ++ * ARM C1-Premium erratum 4193780 ++ * ARM C1-Ultra erratum 4193780 ++ * ARM Cortex-A76 erratum 4193800 ++ * ARM Cortex-A76AE erratum 4193801 ++ * ARM Cortex-A77 erratum 4193798 ++ * ARM Cortex-A78 erratum 4193791 ++ * ARM Cortex-A78AE erratum 4193793 ++ * ARM Cortex-A78C erratum 4193794 ++ * ARM Cortex-A710 erratum 4193788 ++ * ARM Cortex-X1 erratum 4193791 ++ * ARM Cortex-X1C erratum 4193792 ++ * ARM Cortex-X2 erratum 4193788 ++ * ARM Cortex-X3 erratum 4193786 ++ * ARM Cortex-X4 erratum 4118414 ++ * ARM Cortex-X925 erratum 4193781 ++ * ARM Neoverse-N1 erratum 4193800 ++ * ARM Neoverse-N2 erratum 4193789 ++ * ARM Neoverse-V1 erratum 4193790 ++ * ARM Neoverse-V2 erratum 4193787 ++ * ARM Neoverse-V3 erratum 4193784 ++ * ARM Neoverse-V3AE erratum 4193784 ++ ++ On affected cores, some memory accesses might not be completed by ++ broadcast TLB invalidation. ++ ++ This issue is also known as CVE-2025-10263. ++ ++ If unsure, say Y. ++ + config CAVIUM_ERRATUM_22375 + bool "Cavium erratum 22375, 24313" + default y +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -225,7 +225,35 @@ static const struct arm64_cpu_capabiliti + ERRATA_MIDR_RANGE(MIDR_CORTEX_A510, 0, 0, 1, 1), + }, + #endif +- {}, ++#ifdef CONFIG_ARM64_ERRATUM_4118414 ++ { ++ ERRATA_MIDR_RANGE_LIST(((const struct midr_range[]) { ++ MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM), ++ MIDR_ALL_VERSIONS(MIDR_C1_ULTRA), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X3), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X4), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X925), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), ++ {} ++ })), ++ }, ++#endif ++ {} + }; + #endif + +@@ -514,7 +542,7 @@ const struct arm64_cpu_capabilities arm6 + #endif + #ifdef CONFIG_ARM64_WORKAROUND_REPEAT_TLBI + { +- .desc = "Qualcomm erratum 1009, or ARM erratum 1286807, 2441009", ++ .desc = "Broken broadcast TLBI completion", + .capability = ARM64_WORKAROUND_REPEAT_TLBI, + .type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM, + .matches = cpucap_multi_entry_cap_matches, diff --git a/queue-5.15/mptcp-close-toctou-race-while-computing-rcv_wnd.patch b/queue-5.15/mptcp-close-toctou-race-while-computing-rcv_wnd.patch new file mode 100644 index 0000000000..5946e248e8 --- /dev/null +++ b/queue-5.15/mptcp-close-toctou-race-while-computing-rcv_wnd.patch @@ -0,0 +1,118 @@ +From stable+bounces-263695-greg=kroah.com@vger.kernel.org Tue Jun 16 17:50:49 2026 +From: Sasha Levin +Date: Tue, 16 Jun 2026 08:19:47 -0400 +Subject: mptcp: close TOCTOU race while computing rcv_wnd +To: stable@vger.kernel.org +Cc: Paolo Abeni , "Matthieu Baerts (NGI0)" , Jakub Kicinski , Sasha Levin +Message-ID: <20260616121947.3136498-1-sashal@kernel.org> + +From: Paolo Abeni + +[ Upstream commit 8ab24fdebc369c0dfb90f82c1650b1e66662bb45 ] + +The MPTCP output path access locklessly the MPTCP-level ack_seq +in multiple times, using possibly different values for the data_ack +in the DSS option and to compute the announced rcv wnd for the same +packet. + +Refactor the cote to avoid inconsistencies which may confuse the +peer. Also ensure that the MPTCP level rcv wnd is updated only when +the egress packet actually contains a DSS ack. + +Fixes: fa3fe2b15031 ("mptcp: track window announced to peer") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-3-856831229976@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/options.c | 29 +++++++++++++++++------------ + 1 file changed, 17 insertions(+), 12 deletions(-) + +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -555,7 +555,6 @@ static bool mptcp_established_options_ds + struct mptcp_ext *mpext; + unsigned int ack_size; + bool ret = false; +- u64 ack_seq; + + opts->csum_reqd = READ_ONCE(msk->csum_enabled); + mpext = skb ? mptcp_get_ext(skb) : NULL; +@@ -587,14 +586,11 @@ static bool mptcp_established_options_ds + return ret; + } + +- ack_seq = READ_ONCE(msk->ack_seq); + if (READ_ONCE(msk->use_64bit_ack)) { + ack_size = TCPOLEN_MPTCP_DSS_ACK64; +- opts->ext_copy.data_ack = ack_seq; + opts->ext_copy.ack64 = 1; + } else { + ack_size = TCPOLEN_MPTCP_DSS_ACK32; +- opts->ext_copy.data_ack32 = (uint32_t)ack_seq; + opts->ext_copy.ack64 = 0; + } + opts->ext_copy.use_ack = 1; +@@ -1235,17 +1231,16 @@ bool mptcp_incoming_options(struct sock + return true; + } + +-static void mptcp_set_rwin(const struct tcp_sock *tp) ++static void mptcp_set_rwin(const struct tcp_sock *tp, u64 ack_seq) + { + const struct sock *ssk = (const struct sock *)tp; + struct mptcp_subflow_context *subflow; + struct mptcp_sock *msk; +- u64 ack_seq; + + subflow = mptcp_subflow_ctx(ssk); + msk = mptcp_sk(subflow->conn); + +- ack_seq = READ_ONCE(msk->ack_seq) + tp->rcv_wnd; ++ ack_seq += tp->rcv_wnd; + + if (after64(ack_seq, READ_ONCE(msk->rcv_wnd_sent))) { + WRITE_ONCE(msk->rcv_wnd_sent, ack_seq); +@@ -1369,13 +1364,26 @@ void mptcp_write_options(__be32 *ptr, co + *ptr++ = mptcp_option(MPTCPOPT_DSS, len, 0, flags); + + if (mpext->use_ack) { ++ const struct sock *ssk = (const struct sock *)tp; ++ struct mptcp_subflow_context *subflow; ++ struct mptcp_sock *msk; ++ u64 ack_seq; ++ ++ /* DSS option is set only by mptcp_established_options, ++ * the caller is __tcp_transmit_skb() and ssk is always ++ * not NULL. ++ */ ++ subflow = mptcp_subflow_ctx(ssk); ++ msk = mptcp_sk(subflow->conn); ++ ack_seq = READ_ONCE(msk->ack_seq); + if (mpext->ack64) { +- put_unaligned_be64(mpext->data_ack, ptr); ++ put_unaligned_be64(ack_seq, ptr); + ptr += 2; + } else { +- put_unaligned_be32(mpext->data_ack32, ptr); ++ put_unaligned_be32(ack_seq, ptr); + ptr += 1; + } ++ mptcp_set_rwin(tp, ack_seq); + } + + if (mpext->use_map) { +@@ -1559,9 +1567,6 @@ mp_capable_done: + i += 4; + } + } +- +- if (tp) +- mptcp_set_rwin(tp); + } + + __be32 mptcp_get_reset_option(const struct sk_buff *skb) diff --git a/queue-5.15/series b/queue-5.15/series index bd8868b268..50073f21de 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -399,3 +399,10 @@ ksmbd-compare-macs-in-constant-time.patch nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch alsa-hda-hdmi-add-quirk-for-tuxedo-ibs14g6.patch selinux-enable-genfscon-labeling-for-securityfs.patch +arm64-cputype-add-nvidia-olympus-definitions.patch +arm64-cputype-add-c1-ultra-definitions.patch +arm64-cputype-add-c1-premium-definitions.patch +arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch +arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch +arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt-100-cpu.patch +mptcp-close-toctou-race-while-computing-rcv_wnd.patch