diff -u linux-laptop-6.5.0/Documentation/admin-guide/kernel-parameters.txt linux-laptop-6.5.0/Documentation/admin-guide/kernel-parameters.txt --- linux-laptop-6.5.0/Documentation/admin-guide/kernel-parameters.txt +++ linux-laptop-6.5.0/Documentation/admin-guide/kernel-parameters.txt @@ -5838,6 +5838,18 @@ sonypi.*= [HW] Sony Programmable I/O Control Device driver See Documentation/admin-guide/laptops/sonypi.rst + spectre_bhi= [X86] Control mitigation of Branch History Injection + (BHI) vulnerability. Syscalls are hardened against BHI + reglardless of this setting. This setting affects the + deployment of the HW BHI control and the SW BHB + clearing sequence. + + on - unconditionally enable. + off - unconditionally disable. + auto - (default) enable hardware mitigation + (BHI_DIS_S) if available, otherwise enable + alternate mitigation in KVM. + spectre_v2= [X86] Control mitigation of Spectre variant 2 (indirect branch speculation) vulnerability. The default operation protects the kernel from diff -u linux-laptop-6.5.0/arch/x86/Kconfig linux-laptop-6.5.0/arch/x86/Kconfig --- linux-laptop-6.5.0/arch/x86/Kconfig +++ linux-laptop-6.5.0/arch/x86/Kconfig @@ -2629,6 +2629,31 @@ If in doubt, say N. +choice + prompt "Clear branch history" + depends on CPU_SUP_INTEL + default SPECTRE_BHI_AUTO + help + Enable BHI mitigations. BHI attacks are a form of Spectre V2 attacks + where the branch history buffer is poisoned to speculatively steer + indirect branches. + See + +config SPECTRE_BHI_ON + bool "on" + help + Equivalent to setting spectre_bhi=on command line parameter. +config SPECTRE_BHI_OFF + bool "off" + help + Equivalent to setting spectre_bhi=off command line parameter. +config SPECTRE_BHI_AUTO + bool "auto" + help + Equivalent to setting spectre_bhi=auto command line parameter. + +endchoice + endif config ARCH_HAS_ADD_PAGES diff -u linux-laptop-6.5.0/arch/x86/entry/common.c linux-laptop-6.5.0/arch/x86/entry/common.c --- linux-laptop-6.5.0/arch/x86/entry/common.c +++ linux-laptop-6.5.0/arch/x86/entry/common.c @@ -48,7 +48,7 @@ if (likely(unr < NR_syscalls)) { unr = array_index_nospec(unr, NR_syscalls); - regs->ax = sys_call_table[unr](regs); + regs->ax = x64_sys_call(regs, unr); return true; } return false; @@ -65,7 +65,7 @@ if (IS_ENABLED(CONFIG_X86_X32_ABI) && likely(xnr < X32_NR_syscalls)) { xnr = array_index_nospec(xnr, X32_NR_syscalls); - regs->ax = x32_sys_call_table[xnr](regs); + regs->ax = x32_sys_call(regs, xnr); return true; } return false; @@ -114,7 +114,7 @@ if (likely(unr < IA32_NR_syscalls)) { unr = array_index_nospec(unr, IA32_NR_syscalls); - regs->ax = ia32_sys_call_table[unr](regs); + regs->ax = ia32_sys_call(regs, unr); } else if (nr != -1) { regs->ax = __ia32_sys_ni_syscall(regs); } @@ -141,7 +141,7 @@ } /** - * int80_emulation - 32-bit legacy syscall entry + * do_int80_emulation - 32-bit legacy syscall C entry from asm * * This entry point can be used by 32-bit and 64-bit programs to perform * 32-bit system calls. Instances of INT $0x80 can be found inline in @@ -159,7 +159,7 @@ * eax: system call number * ebx, ecx, edx, esi, edi, ebp: arg1 - arg 6 */ -DEFINE_IDTENTRY_RAW(int80_emulation) +__visible noinstr void do_int80_emulation(struct pt_regs *regs) { int nr; diff -u linux-laptop-6.5.0/arch/x86/entry/entry_64_compat.S linux-laptop-6.5.0/arch/x86/entry/entry_64_compat.S --- linux-laptop-6.5.0/arch/x86/entry/entry_64_compat.S +++ linux-laptop-6.5.0/arch/x86/entry/entry_64_compat.S @@ -92,6 +92,7 @@ IBRS_ENTER UNTRAIN_RET + CLEAR_BRANCH_HISTORY /* * SYSENTER doesn't filter flags, so we need to clear NT and AC @@ -209,6 +210,7 @@ IBRS_ENTER UNTRAIN_RET + CLEAR_BRANCH_HISTORY movq %rsp, %rdi call do_fast_syscall_32 @@ -278,0 +281,14 @@ + +/* + * int 0x80 is used by 32 bit mode as a system call entry. Normally idt entries + * point to C routines, however since this is a system call interface the branch + * history needs to be scrubbed to protect against BHI attacks, and that + * scrubbing needs to take place in assembly code prior to entering any C + * routines. + */ +SYM_CODE_START(int80_emulation) + ANNOTATE_NOENDBR + UNWIND_HINT_FUNC + CLEAR_BRANCH_HISTORY + jmp do_int80_emulation +SYM_CODE_END(int80_emulation) diff -u linux-laptop-6.5.0/arch/x86/include/asm/msr-index.h linux-laptop-6.5.0/arch/x86/include/asm/msr-index.h --- linux-laptop-6.5.0/arch/x86/include/asm/msr-index.h +++ linux-laptop-6.5.0/arch/x86/include/asm/msr-index.h @@ -50,10 +50,13 @@ #define SPEC_CTRL_SSBD BIT(SPEC_CTRL_SSBD_SHIFT) /* Speculative Store Bypass Disable */ #define SPEC_CTRL_RRSBA_DIS_S_SHIFT 6 /* Disable RRSBA behavior */ #define SPEC_CTRL_RRSBA_DIS_S BIT(SPEC_CTRL_RRSBA_DIS_S_SHIFT) +#define SPEC_CTRL_BHI_DIS_S_SHIFT 10 /* Disable Branch History Injection behavior */ +#define SPEC_CTRL_BHI_DIS_S BIT(SPEC_CTRL_BHI_DIS_S_SHIFT) /* A mask for bits which the kernel toggles when controlling mitigations */ #define SPEC_CTRL_MITIGATIONS_MASK (SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_SSBD \ - | SPEC_CTRL_RRSBA_DIS_S) + | SPEC_CTRL_RRSBA_DIS_S \ + | SPEC_CTRL_BHI_DIS_S) #define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */ #define PRED_CMD_IBPB BIT(0) /* Indirect Branch Prediction Barrier */ @@ -152,6 +155,10 @@ * are restricted to targets in * kernel. */ +#define ARCH_CAP_BHI_NO BIT(20) /* + * CPU is not affected by Branch + * History Injection. + */ #define ARCH_CAP_PBRSB_NO BIT(24) /* * Not susceptible to Post-Barrier * Return Stack Buffer Predictions. diff -u linux-laptop-6.5.0/arch/x86/include/asm/nospec-branch.h linux-laptop-6.5.0/arch/x86/include/asm/nospec-branch.h --- linux-laptop-6.5.0/arch/x86/include/asm/nospec-branch.h +++ linux-laptop-6.5.0/arch/x86/include/asm/nospec-branch.h @@ -329,6 +329,19 @@ #endif .endm +#ifdef CONFIG_X86_64 +.macro CLEAR_BRANCH_HISTORY + ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP +.endm + +.macro CLEAR_BRANCH_HISTORY_VMEXIT + ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT +.endm +#else +#define CLEAR_BRANCH_HISTORY +#define CLEAR_BRANCH_HISTORY_VMEXIT +#endif + #else /* __ASSEMBLY__ */ #define ANNOTATE_RETPOLINE_SAFE \ @@ -359,6 +372,10 @@ extern void entry_untrain_ret(void); extern void entry_ibpb(void); +#ifdef CONFIG_X86_64 +extern void clear_bhb_loop(void); +#endif + extern void (*x86_return_thunk)(void); #ifdef CONFIG_CALL_DEPTH_TRACKING diff -u linux-laptop-6.5.0/arch/x86/kernel/cpu/bugs.c linux-laptop-6.5.0/arch/x86/kernel/cpu/bugs.c --- linux-laptop-6.5.0/arch/x86/kernel/cpu/bugs.c +++ linux-laptop-6.5.0/arch/x86/kernel/cpu/bugs.c @@ -1541,6 +1541,79 @@ dump_stack(); } +/* + * Set BHI_DIS_S to prevent indirect branches in kernel to be influenced by + * branch history in userspace. Not needed if BHI_NO is set. + */ +static bool __init spec_ctrl_bhi_dis(void) +{ + if (!boot_cpu_has(X86_FEATURE_BHI_CTRL)) + return false; + + x86_spec_ctrl_base |= SPEC_CTRL_BHI_DIS_S; + update_spec_ctrl(x86_spec_ctrl_base); + setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_HW); + + return true; +} + +enum bhi_mitigations { + BHI_MITIGATION_OFF, + BHI_MITIGATION_ON, + BHI_MITIGATION_AUTO, +}; + +static enum bhi_mitigations bhi_mitigation __ro_after_init = + IS_ENABLED(CONFIG_SPECTRE_BHI_ON) ? BHI_MITIGATION_ON : + IS_ENABLED(CONFIG_SPECTRE_BHI_OFF) ? BHI_MITIGATION_OFF : + BHI_MITIGATION_AUTO; + +static int __init spectre_bhi_parse_cmdline(char *str) +{ + if (!str) + return -EINVAL; + + if (!strcmp(str, "off")) + bhi_mitigation = BHI_MITIGATION_OFF; + else if (!strcmp(str, "on")) + bhi_mitigation = BHI_MITIGATION_ON; + else if (!strcmp(str, "auto")) + bhi_mitigation = BHI_MITIGATION_AUTO; + else + pr_err("Ignoring unknown spectre_bhi option (%s)", str); + + return 0; +} +early_param("spectre_bhi", spectre_bhi_parse_cmdline); + +static void __init bhi_select_mitigation(void) +{ + if (bhi_mitigation == BHI_MITIGATION_OFF) + return; + + /* Retpoline mitigates against BHI unless the CPU has RRSBA behavior */ + if (cpu_feature_enabled(X86_FEATURE_RETPOLINE) && + !(x86_read_arch_cap_msr() & ARCH_CAP_RRSBA)) + return; + + if (spec_ctrl_bhi_dis()) + return; + + if (!IS_ENABLED(CONFIG_X86_64)) + return; + + /* Mitigate KVM by default */ + setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT); + pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n"); + + if (bhi_mitigation == BHI_MITIGATION_AUTO) + return; + + /* Mitigate syscalls when the mitigation is forced =on */ + setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP); + pr_info("Spectre BHI mitigation: SW BHB clearing on syscall\n"); +} + static void __init spectre_v2_select_mitigation(void) { enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); @@ -1652,6 +1725,9 @@ mode == SPECTRE_V2_RETPOLINE) spec_ctrl_disable_kernel_rrsba(); + if (boot_cpu_has(X86_BUG_BHI)) + bhi_select_mitigation(); + spectre_v2_enabled = mode; pr_info("%s\n", spectre_v2_strings[mode]); @@ -2626,15 +2702,15 @@ switch (spectre_v2_user_stibp) { case SPECTRE_V2_USER_NONE: - return ", STIBP: disabled"; + return "; STIBP: disabled"; case SPECTRE_V2_USER_STRICT: - return ", STIBP: forced"; + return "; STIBP: forced"; case SPECTRE_V2_USER_STRICT_PREFERRED: - return ", STIBP: always-on"; + return "; STIBP: always-on"; case SPECTRE_V2_USER_PRCTL: case SPECTRE_V2_USER_SECCOMP: if (static_key_enabled(&switch_to_cond_stibp)) - return ", STIBP: conditional"; + return "; STIBP: conditional"; } return ""; } @@ -2643,10 +2719,10 @@ { if (boot_cpu_has(X86_FEATURE_IBPB)) { if (static_key_enabled(&switch_mm_always_ibpb)) - return ", IBPB: always-on"; + return "; IBPB: always-on"; if (static_key_enabled(&switch_mm_cond_ibpb)) - return ", IBPB: conditional"; - return ", IBPB: disabled"; + return "; IBPB: conditional"; + return "; IBPB: disabled"; } return ""; } @@ -2656,14 +2732,31 @@ if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) { if (boot_cpu_has(X86_FEATURE_RSB_VMEXIT_LITE) || boot_cpu_has(X86_FEATURE_RSB_VMEXIT)) - return ", PBRSB-eIBRS: SW sequence"; + return "; PBRSB-eIBRS: SW sequence"; else - return ", PBRSB-eIBRS: Vulnerable"; + return "; PBRSB-eIBRS: Vulnerable"; } else { - return ", PBRSB-eIBRS: Not affected"; + return "; PBRSB-eIBRS: Not affected"; } } +static const char * const spectre_bhi_state(void) +{ + if (!boot_cpu_has_bug(X86_BUG_BHI)) + return "; BHI: Not affected"; + else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_HW)) + return "; BHI: BHI_DIS_S"; + else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP)) + return "; BHI: SW loop, KVM: SW loop"; + else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && + !(x86_read_arch_cap_msr() & ARCH_CAP_RRSBA)) + return "; BHI: Retpoline"; + else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT)) + return "; BHI: Syscall hardening, KVM: SW loop"; + + return "; BHI: Vulnerable (Syscall hardening enabled)"; +} + static ssize_t spectre_v2_show_state(char *buf) { if (spectre_v2_enabled == SPECTRE_V2_LFENCE) @@ -2676,13 +2769,15 @@ spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE) return sysfs_emit(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n"); - return sysfs_emit(buf, "%s%s%s%s%s%s%s\n", + return sysfs_emit(buf, "%s%s%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], ibpb_state(), - boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", + boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? "; IBRS_FW" : "", stibp_state(), - boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "", + boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? "; RSB filling" : "", pbrsb_eibrs_state(), + spectre_bhi_state(), + /* this should always be at the end */ spectre_v2_module_string()); } diff -u linux-laptop-6.5.0/arch/x86/kernel/cpu/common.c linux-laptop-6.5.0/arch/x86/kernel/cpu/common.c --- linux-laptop-6.5.0/arch/x86/kernel/cpu/common.c +++ linux-laptop-6.5.0/arch/x86/kernel/cpu/common.c @@ -1150,6 +1150,7 @@ #define NO_SPECTRE_V2 BIT(8) #define NO_MMIO BIT(9) #define NO_EIBRS_PBRSB BIT(10) +#define NO_BHI BIT(11) #define VULNWL(vendor, family, model, whitelist) \ X86_MATCH_VENDOR_FAM_MODEL(vendor, family, model, whitelist) @@ -1212,18 +1213,18 @@ VULNWL_INTEL(ATOM_TREMONT_D, NO_ITLB_MULTIHIT | NO_EIBRS_PBRSB), /* AMD Family 0xf - 0x12 */ - VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO), - VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO), - VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO), - VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO), + VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_BHI), + VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_BHI), + VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_BHI), + VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_BHI), /* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */ - VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_EIBRS_PBRSB), - VULNWL_HYGON(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_EIBRS_PBRSB), + VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_EIBRS_PBRSB | NO_BHI), + VULNWL_HYGON(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_EIBRS_PBRSB | NO_BHI), /* Zhaoxin Family 7 */ - VULNWL(CENTAUR, 7, X86_MODEL_ANY, NO_SPECTRE_V2 | NO_SWAPGS | NO_MMIO), - VULNWL(ZHAOXIN, 7, X86_MODEL_ANY, NO_SPECTRE_V2 | NO_SWAPGS | NO_MMIO), + VULNWL(CENTAUR, 7, X86_MODEL_ANY, NO_SPECTRE_V2 | NO_SWAPGS | NO_MMIO | NO_BHI), + VULNWL(ZHAOXIN, 7, X86_MODEL_ANY, NO_SPECTRE_V2 | NO_SWAPGS | NO_MMIO | NO_BHI), {} }; @@ -1428,6 +1429,13 @@ boot_cpu_has(X86_FEATURE_AVX)) setup_force_cpu_bug(X86_BUG_GDS); + /* When virtualized, eIBRS could be hidden, assume vulnerable */ + if (!(ia32_cap & ARCH_CAP_BHI_NO) && + !cpu_matches(cpu_vuln_whitelist, NO_BHI) && + (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED) || + boot_cpu_has(X86_FEATURE_HYPERVISOR))) + setup_force_cpu_bug(X86_BUG_BHI); + if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN)) return; diff -u linux-laptop-6.5.0/arch/x86/kvm/x86.c linux-laptop-6.5.0/arch/x86/kvm/x86.c --- linux-laptop-6.5.0/arch/x86/kvm/x86.c +++ linux-laptop-6.5.0/arch/x86/kvm/x86.c @@ -1616,7 +1616,8 @@ ARCH_CAP_SKIP_VMENTRY_L1DFLUSH | ARCH_CAP_SSB_NO | ARCH_CAP_MDS_NO | \ ARCH_CAP_PSCHANGE_MC_NO | ARCH_CAP_TSX_CTRL_MSR | ARCH_CAP_TAA_NO | \ ARCH_CAP_SBDR_SSDP_NO | ARCH_CAP_FBSDP_NO | ARCH_CAP_PSDP_NO | \ - ARCH_CAP_FB_CLEAR | ARCH_CAP_RRSBA | ARCH_CAP_PBRSB_NO | ARCH_CAP_GDS_NO) + ARCH_CAP_FB_CLEAR | ARCH_CAP_RRSBA | ARCH_CAP_PBRSB_NO | ARCH_CAP_GDS_NO | \ + ARCH_CAP_BHI_NO) static u64 kvm_get_arch_capabilities(void) { diff -u linux-laptop-6.5.0/debian.laptop/changelog linux-laptop-6.5.0/debian.laptop/changelog --- linux-laptop-6.5.0/debian.laptop/changelog +++ linux-laptop-6.5.0/debian.laptop/changelog @@ -1,3 +1,46 @@ +linux-laptop (6.5.0-1016.19) mantic; urgency=medium + + * mantic/linux-laptop: 6.5.0-1016.19 -proposed tracker (LP: #2063565) + + [ Ubuntu: 6.5.0-35.35 ] + + * mantic/linux: 6.5.0-35.35 -proposed tracker (LP: #2063581) + * cifs: Copying file to same directory results in page fault (LP: #2060919) + - SAUCE: Revert "cifs: fix flushing folio regression for 6.1 backport" + * CVE-2024-26805 + - netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter + * CVE-2024-26801 + - Bluetooth: Avoid potential use-after-free in hci_error_reset + * CVE-2024-26704 + - ext4: fix double-free of blocks due to wrong extents moved_len + * CVE-2023-52601 + - jfs: fix array-index-out-of-bounds in dbAdjTree + * CVE-2024-26635 + - llc: Drop support for ETH_P_TR_802_2. + * CVE-2024-26622 + - tomoyo: fix UAF write bug in tomoyo_write_control() + * CVE-2024-26614 + - tcp: make sure init the accept_queue's spinlocks once + - ipv6: init the accept_queue's spinlocks in inet6_create + * CVE-2024-52615 + - hwrng: core - Fix page fault dead lock on mmap-ed hwrng + * CVE-2024-52602 + - jfs: fix slab-out-of-bounds Read in dtSearch + * CVE-2023-47233 + - wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach + * CVE-2024-2201 + - x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file + - x86/syscall: Don't force use of indirect calls for system calls + - x86/bhi: Add support for clearing branch history at syscall entry + - x86/bhi: Define SPEC_CTRL_BHI_DIS_S + - x86/bhi: Enumerate Branch History Injection (BHI) bug + - x86/bhi: Add BHI mitigation knob + - x86/bhi: Mitigate KVM by default + - KVM: x86: Add BHI_NO + - [Config] Set CONFIG_BHI to enabled (auto) + + -- Juerg Haefliger Fri, 03 May 2024 11:14:59 +0200 + linux-laptop (6.5.0-1014.17) mantic; urgency=medium * mantic/linux-laptop: 6.5.0-1014.17 -proposed tracker (LP: #2059691) diff -u linux-laptop-6.5.0/debian.laptop/tracking-bug linux-laptop-6.5.0/debian.laptop/tracking-bug --- linux-laptop-6.5.0/debian.laptop/tracking-bug +++ linux-laptop-6.5.0/debian.laptop/tracking-bug @@ -1 +1 @@ -2059691 s2024.03.04-1 +2063565 s2024.04.01-1 diff -u linux-laptop-6.5.0/debian.master/changelog linux-laptop-6.5.0/debian.master/changelog --- linux-laptop-6.5.0/debian.master/changelog +++ linux-laptop-6.5.0/debian.master/changelog @@ -1,3 +1,54 @@ +linux (6.5.0-35.35) mantic; urgency=medium + + * mantic/linux: 6.5.0-35.35 -proposed tracker (LP: #2063581) + + * cifs: Copying file to same directory results in page fault (LP: #2060919) + - SAUCE: Revert "cifs: fix flushing folio regression for 6.1 backport" + + * CVE-2024-26805 + - netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter + + * CVE-2024-26801 + - Bluetooth: Avoid potential use-after-free in hci_error_reset + + * CVE-2024-26704 + - ext4: fix double-free of blocks due to wrong extents moved_len + + * CVE-2023-52601 + - jfs: fix array-index-out-of-bounds in dbAdjTree + + * CVE-2024-26635 + - llc: Drop support for ETH_P_TR_802_2. + + * CVE-2024-26622 + - tomoyo: fix UAF write bug in tomoyo_write_control() + + * CVE-2024-26614 + - tcp: make sure init the accept_queue's spinlocks once + - ipv6: init the accept_queue's spinlocks in inet6_create + + * CVE-2024-52615 + - hwrng: core - Fix page fault dead lock on mmap-ed hwrng + + * CVE-2024-52602 + - jfs: fix slab-out-of-bounds Read in dtSearch + + * CVE-2023-47233 + - wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach + + * CVE-2024-2201 + - x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file + - x86/syscall: Don't force use of indirect calls for system calls + - x86/bhi: Add support for clearing branch history at syscall entry + - x86/bhi: Define SPEC_CTRL_BHI_DIS_S + - x86/bhi: Enumerate Branch History Injection (BHI) bug + - x86/bhi: Add BHI mitigation knob + - x86/bhi: Mitigate KVM by default + - KVM: x86: Add BHI_NO + - [Config] Set CONFIG_BHI to enabled (auto) + + -- Stefan Bader Fri, 26 Apr 2024 11:32:29 +0200 + linux (6.5.0-28.29) mantic; urgency=medium * mantic/linux: 6.5.0-28.29 -proposed tracker (LP: #2059706) diff -u linux-laptop-6.5.0/debian.master/config/annotations linux-laptop-6.5.0/debian.master/config/annotations --- linux-laptop-6.5.0/debian.master/config/annotations +++ linux-laptop-6.5.0/debian.master/config/annotations @@ -12916,6 +12916,9 @@ CONFIG_SPEAKUP_SYNTH_SOFT policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 'riscv64': 'm'}> CONFIG_SPEAKUP_SYNTH_SPKOUT policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 'riscv64': 'm'}> CONFIG_SPEAKUP_SYNTH_TXPRT policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 'riscv64': 'm'}> +CONFIG_SPECTRE_BHI_AUTO policy<{'amd64': 'y'}> +CONFIG_SPECTRE_BHI_OFF policy<{'amd64': 'n'}> +CONFIG_SPECTRE_BHI_ON policy<{'amd64': 'n'}> CONFIG_SPECULATION_MITIGATIONS policy<{'amd64': 'y'}> CONFIG_SPI policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 'riscv64': 'y', 's390x': 'n'}> CONFIG_SPI_ALTERA policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 'riscv64': 'm', 's390x': '-'}> diff -u linux-laptop-6.5.0/debian.master/tracking-bug linux-laptop-6.5.0/debian.master/tracking-bug --- linux-laptop-6.5.0/debian.master/tracking-bug +++ linux-laptop-6.5.0/debian.master/tracking-bug @@ -1 +1 @@ -2059706 s2024.03.04-1 +2063581 s2024.04.01-1 diff -u linux-laptop-6.5.0/debian/changelog linux-laptop-6.5.0/debian/changelog --- linux-laptop-6.5.0/debian/changelog +++ linux-laptop-6.5.0/debian/changelog @@ -1,3 +1,46 @@ +linux-laptop (6.5.0-1016.19) mantic; urgency=medium + + * mantic/linux-laptop: 6.5.0-1016.19 -proposed tracker (LP: #2063565) + + [ Ubuntu: 6.5.0-35.35 ] + + * mantic/linux: 6.5.0-35.35 -proposed tracker (LP: #2063581) + * cifs: Copying file to same directory results in page fault (LP: #2060919) + - SAUCE: Revert "cifs: fix flushing folio regression for 6.1 backport" + * CVE-2024-26805 + - netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter + * CVE-2024-26801 + - Bluetooth: Avoid potential use-after-free in hci_error_reset + * CVE-2024-26704 + - ext4: fix double-free of blocks due to wrong extents moved_len + * CVE-2023-52601 + - jfs: fix array-index-out-of-bounds in dbAdjTree + * CVE-2024-26635 + - llc: Drop support for ETH_P_TR_802_2. + * CVE-2024-26622 + - tomoyo: fix UAF write bug in tomoyo_write_control() + * CVE-2024-26614 + - tcp: make sure init the accept_queue's spinlocks once + - ipv6: init the accept_queue's spinlocks in inet6_create + * CVE-2024-52615 + - hwrng: core - Fix page fault dead lock on mmap-ed hwrng + * CVE-2024-52602 + - jfs: fix slab-out-of-bounds Read in dtSearch + * CVE-2023-47233 + - wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach + * CVE-2024-2201 + - x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file + - x86/syscall: Don't force use of indirect calls for system calls + - x86/bhi: Add support for clearing branch history at syscall entry + - x86/bhi: Define SPEC_CTRL_BHI_DIS_S + - x86/bhi: Enumerate Branch History Injection (BHI) bug + - x86/bhi: Add BHI mitigation knob + - x86/bhi: Mitigate KVM by default + - KVM: x86: Add BHI_NO + - [Config] Set CONFIG_BHI to enabled (auto) + + -- Juerg Haefliger Fri, 03 May 2024 11:14:59 +0200 + linux-laptop (6.5.0-1014.17) mantic; urgency=medium * mantic/linux-laptop: 6.5.0-1014.17 -proposed tracker (LP: #2059691) diff -u linux-laptop-6.5.0/debian/control linux-laptop-6.5.0/debian/control --- linux-laptop-6.5.0/debian/control +++ linux-laptop-6.5.0/debian/control @@ -65,7 +65,7 @@ XS-Testsuite: autopkgtest #XS-Testsuite-Depends: gcc-4.7 binutils -Package: linux-laptop-headers-6.5.0-1014 +Package: linux-laptop-headers-6.5.0-1016 Build-Profiles: Architecture: all Multi-Arch: foreign @@ -75,34 +75,34 @@ Description: Header files related to Linux kernel version 6.5.0 This package provides kernel header files for version 6.5.0, for sites that want the latest kernel headers. Please read - /usr/share/doc/linux-laptop-headers-6.5.0-1014/debian.README.gz for details + /usr/share/doc/linux-laptop-headers-6.5.0-1016/debian.README.gz for details -Package: linux-laptop-tools-6.5.0-1014 +Package: linux-laptop-tools-6.5.0-1016 Build-Profiles: Architecture: arm64 Section: devel Priority: optional Depends: ${misc:Depends}, ${shlibs:Depends}, linux-tools-common -Description: Linux kernel version specific tools for version 6.5.0-1014 +Description: Linux kernel version specific tools for version 6.5.0-1016 This package provides the architecture dependant parts for kernel version locked tools (such as perf and x86_energy_perf_policy) for - version 6.5.0-1014 on + version 6.5.0-1016 on . - You probably want to install linux-tools-6.5.0-1014-. + You probably want to install linux-tools-6.5.0-1016-. -Package: linux-image-6.5.0-1014-laptop +Package: linux-image-6.5.0-1016-laptop Build-Profiles: Architecture: arm64 Section: kernel Priority: optional Provides: linux-image, fuse-module, kvm-api-4, redhat-cluster-modules, ivtv-modules, virtualbox-guest-modules [amd64], ${linux:rprovides} -Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base (>= 4.5ubuntu1~16.04.1), linux-modules-6.5.0-1014-laptop +Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base (>= 4.5ubuntu1~16.04.1), linux-modules-6.5.0-1016-laptop Recommends: grub-pc [amd64] | grub-efi-amd64 [amd64] | grub-efi-ia32 [amd64] | grub [amd64] | lilo [amd64] | flash-kernel [armhf arm64] | grub-efi-arm64 [arm64] | grub-efi-arm [armhf] | grub-ieee1275 [ppc64el], initramfs-tools | linux-initramfs-tool Breaks: flash-kernel (<< 3.90ubuntu2) [arm64 armhf], s390-tools (<< 2.3.0-0ubuntu3) [s390x] -Conflicts: linux-image-unsigned-6.5.0-1014-laptop -Suggests: fdutils, linux-doc | linux-laptop-source-6.5.0, linux-laptop-tools, linux-headers-6.5.0-1014-laptop, linux-modules-extra-6.5.0-1014-laptop +Conflicts: linux-image-unsigned-6.5.0-1016-laptop +Suggests: fdutils, linux-doc | linux-laptop-source-6.5.0, linux-laptop-tools, linux-headers-6.5.0-1016-laptop, linux-modules-extra-6.5.0-1016-laptop Description: Linux kernel image for version 6.5.0 on SMP This package contains the Linux kernel image for version 6.5.0 on SMP. @@ -115,7 +115,7 @@ the linux-laptop meta-package, which will ensure that upgrades work correctly, and that supporting packages are also installed. -Package: linux-modules-6.5.0-1014-laptop +Package: linux-modules-6.5.0-1016-laptop Build-Profiles: Architecture: arm64 Section: kernel @@ -135,12 +135,12 @@ the linux-laptop meta-package, which will ensure that upgrades work correctly, and that supporting packages are also installed. -Package: linux-modules-extra-6.5.0-1014-laptop +Package: linux-modules-extra-6.5.0-1016-laptop Build-Profiles: Architecture: arm64 Section: kernel Priority: optional -Depends: ${misc:Depends}, ${shlibs:Depends}, linux-modules-6.5.0-1014-laptop, wireless-regdb +Depends: ${misc:Depends}, ${shlibs:Depends}, linux-modules-6.5.0-1016-laptop, wireless-regdb Description: Linux kernel extra modules for version 6.5.0 on SMP This package contains the Linux kernel extra modules for version 6.5.0 on SMP. @@ -157,21 +157,21 @@ the linux-laptop meta-package, which will ensure that upgrades work correctly, and that supporting packages are also installed. -Package: linux-headers-6.5.0-1014-laptop +Package: linux-headers-6.5.0-1016-laptop Build-Profiles: Architecture: arm64 Section: devel Priority: optional -Depends: ${misc:Depends}, linux-laptop-headers-6.5.0-1014, ${shlibs:Depends} +Depends: ${misc:Depends}, linux-laptop-headers-6.5.0-1016, ${shlibs:Depends} Provides: linux-headers, linux-headers-3.0 Description: Linux kernel headers for version 6.5.0 on SMP This package provides kernel header files for version 6.5.0 on SMP. . This is for sites that want the latest kernel headers. Please read - /usr/share/doc/linux-headers-6.5.0-1014/debian.README.gz for details. + /usr/share/doc/linux-headers-6.5.0-1016/debian.README.gz for details. -Package: linux-image-6.5.0-1014-laptop-dbgsym +Package: linux-image-6.5.0-1016-laptop-dbgsym Build-Profiles: Architecture: arm64 Section: devel @@ -188,31 +188,31 @@ is uncompressed, and unstripped. This package also includes the unstripped modules. -Package: linux-tools-6.5.0-1014-laptop +Package: linux-tools-6.5.0-1016-laptop Build-Profiles: Architecture: arm64 Section: devel Priority: optional -Depends: ${misc:Depends}, linux-laptop-tools-6.5.0-1014 -Description: Linux kernel version specific tools for version 6.5.0-1014 +Depends: ${misc:Depends}, linux-laptop-tools-6.5.0-1016 +Description: Linux kernel version specific tools for version 6.5.0-1016 This package provides the architecture dependant parts for kernel version locked tools (such as perf and x86_energy_perf_policy) for - version 6.5.0-1014 on + version 6.5.0-1016 on . -Package: linux-cloud-tools-6.5.0-1014-laptop +Package: linux-cloud-tools-6.5.0-1016-laptop Build-Profiles: Architecture: arm64 Section: devel Priority: optional -Depends: ${misc:Depends}, linux-laptop-cloud-tools-6.5.0-1014 -Description: Linux kernel version specific cloud tools for version 6.5.0-1014 +Depends: ${misc:Depends}, linux-laptop-cloud-tools-6.5.0-1016 +Description: Linux kernel version specific cloud tools for version 6.5.0-1016 This package provides the architecture dependant parts for kernel - version locked tools for cloud for version 6.5.0-1014 on + version locked tools for cloud for version 6.5.0-1016 on . -Package: linux-buildinfo-6.5.0-1014-laptop +Package: linux-buildinfo-6.5.0-1016-laptop Build-Profiles: Architecture: arm64 Section: kernel @@ -226,18 +226,18 @@ You likely do not want to install this package. -Package: linux-modules-iwlwifi-6.5.0-1014-laptop +Package: linux-modules-iwlwifi-6.5.0-1016-laptop Build-Profiles: Architecture: arm64 Section: kernel Priority: optional Depends: ${misc:Depends}, - linux-image-6.5.0-1014-laptop | linux-image-unsigned-6.5.0-1014-laptop, + linux-image-6.5.0-1016-laptop | linux-image-unsigned-6.5.0-1016-laptop, Built-Using: ${linux:BuiltUsing} -Description: Linux kernel iwlwifi modules for version 6.5.0-1014 +Description: Linux kernel iwlwifi modules for version 6.5.0-1016 This package provides the Linux kernel iwlwifi modules for version - 6.5.0-1014. + 6.5.0-1016. . You likely do not want to install this package directly. Instead, install the one of the linux-modules-iwlwifi-laptop* meta-packages, diff -u linux-laptop-6.5.0/drivers/char/hw_random/core.c linux-laptop-6.5.0/drivers/char/hw_random/core.c --- linux-laptop-6.5.0/drivers/char/hw_random/core.c +++ linux-laptop-6.5.0/drivers/char/hw_random/core.c @@ -24,10 +24,13 @@ #include #include #include +#include #include #define RNG_MODULE_NAME "hw_random" +#define RNG_BUFFER_SIZE (SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES) + static struct hwrng *current_rng; /* the current rng has been explicitly chosen by user via sysfs */ static int cur_rng_set_by_user; @@ -59,7 +62,7 @@ static size_t rng_buffer_size(void) { - return SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES; + return RNG_BUFFER_SIZE; } static void add_early_randomness(struct hwrng *rng) @@ -210,6 +213,7 @@ static ssize_t rng_dev_read(struct file *filp, char __user *buf, size_t size, loff_t *offp) { + u8 buffer[RNG_BUFFER_SIZE]; ssize_t ret = 0; int err = 0; int bytes_read, len; @@ -237,34 +241,37 @@ if (bytes_read < 0) { err = bytes_read; goto out_unlock_reading; + } else if (bytes_read == 0 && + (filp->f_flags & O_NONBLOCK)) { + err = -EAGAIN; + goto out_unlock_reading; } + data_avail = bytes_read; } - if (!data_avail) { - if (filp->f_flags & O_NONBLOCK) { - err = -EAGAIN; - goto out_unlock_reading; - } - } else { - len = data_avail; + len = data_avail; + if (len) { if (len > size) len = size; data_avail -= len; - if (copy_to_user(buf + ret, rng_buffer + data_avail, - len)) { + memcpy(buffer, rng_buffer + data_avail, len); + } + mutex_unlock(&reading_mutex); + put_rng(rng); + + if (len) { + if (copy_to_user(buf + ret, buffer, len)) { err = -EFAULT; - goto out_unlock_reading; + goto out; } size -= len; ret += len; } - mutex_unlock(&reading_mutex); - put_rng(rng); if (need_resched()) schedule_timeout_interruptible(1); @@ -275,6 +282,7 @@ } } out: + memzero_explicit(buffer, sizeof(buffer)); return ret ? : err; out_unlock_reading: diff -u linux-laptop-6.5.0/fs/ext4/move_extent.c linux-laptop-6.5.0/fs/ext4/move_extent.c --- linux-laptop-6.5.0/fs/ext4/move_extent.c +++ linux-laptop-6.5.0/fs/ext4/move_extent.c @@ -622,6 +622,7 @@ goto out; o_end = o_start + len; + *moved_len = 0; while (o_start < o_end) { struct ext4_extent *ex; ext4_lblk_t cur_blk, next_blk; @@ -676,7 +677,7 @@ */ ext4_double_up_write_data_sem(orig_inode, donor_inode); /* Swap original branches with new branches */ - move_extent_per_page(o_filp, donor_inode, + *moved_len += move_extent_per_page(o_filp, donor_inode, orig_page_index, donor_page_index, offset_in_page, cur_len, unwritten, &ret); @@ -686,9 +687,6 @@ o_start += cur_len; d_start += cur_len; } - *moved_len = o_start - orig_blk; - if (*moved_len > len) - *moved_len = len; out: if (*moved_len) { diff -u linux-laptop-6.5.0/fs/jfs/jfs_dmap.c linux-laptop-6.5.0/fs/jfs/jfs_dmap.c --- linux-laptop-6.5.0/fs/jfs/jfs_dmap.c +++ linux-laptop-6.5.0/fs/jfs/jfs_dmap.c @@ -63,10 +63,10 @@ */ static void dbAllocBits(struct bmap * bmp, struct dmap * dp, s64 blkno, int nblocks); -static void dbSplit(dmtree_t * tp, int leafno, int splitsz, int newval); -static int dbBackSplit(dmtree_t * tp, int leafno); -static int dbJoin(dmtree_t * tp, int leafno, int newval); -static void dbAdjTree(dmtree_t * tp, int leafno, int newval); +static void dbSplit(dmtree_t *tp, int leafno, int splitsz, int newval, bool is_ctl); +static int dbBackSplit(dmtree_t *tp, int leafno, bool is_ctl); +static int dbJoin(dmtree_t *tp, int leafno, int newval, bool is_ctl); +static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl); static int dbAdjCtl(struct bmap * bmp, s64 blkno, int newval, int alloc, int level); static int dbAllocAny(struct bmap * bmp, s64 nblocks, int l2nb, s64 * results); @@ -2103,7 +2103,7 @@ * system. */ if (dp->tree.stree[word] == NOFREE) - dbBackSplit((dmtree_t *) & dp->tree, word); + dbBackSplit((dmtree_t *)&dp->tree, word, false); dbAllocBits(bmp, dp, blkno, nblocks); } @@ -2189,7 +2189,7 @@ * the binary system of the leaves if need be. */ dbSplit(tp, word, BUDMIN, - dbMaxBud((u8 *) & dp->wmap[word])); + dbMaxBud((u8 *)&dp->wmap[word]), false); word += 1; } else { @@ -2229,7 +2229,7 @@ * system of the leaves to reflect the current * allocation (size). */ - dbSplit(tp, word, size, NOFREE); + dbSplit(tp, word, size, NOFREE, false); /* get the number of dmap words handled */ nw = BUDSIZE(size, BUDMIN); @@ -2336,7 +2336,7 @@ /* update the leaf for this dmap word. */ rc = dbJoin(tp, word, - dbMaxBud((u8 *) & dp->wmap[word])); + dbMaxBud((u8 *)&dp->wmap[word]), false); if (rc) return rc; @@ -2369,7 +2369,7 @@ /* update the leaf. */ - rc = dbJoin(tp, word, size); + rc = dbJoin(tp, word, size, false); if (rc) return rc; @@ -2521,16 +2521,16 @@ * that it is at the front of a binary buddy system. */ if (oldval == NOFREE) { - rc = dbBackSplit((dmtree_t *) dcp, leafno); + rc = dbBackSplit((dmtree_t *)dcp, leafno, true); if (rc) { release_metapage(mp); return rc; } oldval = dcp->stree[ti]; } - dbSplit((dmtree_t *) dcp, leafno, dcp->budmin, newval); + dbSplit((dmtree_t *) dcp, leafno, dcp->budmin, newval, true); } else { - rc = dbJoin((dmtree_t *) dcp, leafno, newval); + rc = dbJoin((dmtree_t *) dcp, leafno, newval, true); if (rc) { release_metapage(mp); return rc; @@ -2561,7 +2561,7 @@ */ if (alloc) { dbJoin((dmtree_t *) dcp, leafno, - oldval); + oldval, true); } else { /* the dbJoin() above might have * caused a larger binary buddy system @@ -2571,9 +2571,9 @@ */ if (dcp->stree[ti] == NOFREE) dbBackSplit((dmtree_t *) - dcp, leafno); + dcp, leafno, true); dbSplit((dmtree_t *) dcp, leafno, - dcp->budmin, oldval); + dcp->budmin, oldval, true); } /* release the buffer and return the error. @@ -2621,7 +2621,7 @@ * * serialization: IREAD_LOCK(ipbmap) or IWRITE_LOCK(ipbmap) held on entry/exit; */ -static void dbSplit(dmtree_t * tp, int leafno, int splitsz, int newval) +static void dbSplit(dmtree_t *tp, int leafno, int splitsz, int newval, bool is_ctl) { int budsz; int cursz; @@ -2643,7 +2643,7 @@ while (cursz >= splitsz) { /* update the buddy's leaf with its new value. */ - dbAdjTree(tp, leafno ^ budsz, cursz); + dbAdjTree(tp, leafno ^ budsz, cursz, is_ctl); /* on to the next size and buddy. */ @@ -2655,7 +2655,7 @@ /* adjust the dmap tree to reflect the specified leaf's new * value. */ - dbAdjTree(tp, leafno, newval); + dbAdjTree(tp, leafno, newval, is_ctl); } @@ -2686,7 +2686,7 @@ * * serialization: IREAD_LOCK(ipbmap) or IWRITE_LOCK(ipbmap) held on entry/exit; */ -static int dbBackSplit(dmtree_t * tp, int leafno) +static int dbBackSplit(dmtree_t *tp, int leafno, bool is_ctl) { int budsz, bud, w, bsz, size; int cursz; @@ -2737,7 +2737,7 @@ * system in two. */ cursz = leaf[bud] - 1; - dbSplit(tp, bud, cursz, cursz); + dbSplit(tp, bud, cursz, cursz, is_ctl); break; } } @@ -2765,7 +2765,7 @@ * * RETURN VALUES: none */ -static int dbJoin(dmtree_t * tp, int leafno, int newval) +static int dbJoin(dmtree_t *tp, int leafno, int newval, bool is_ctl) { int budsz, buddy; s8 *leaf; @@ -2820,12 +2820,12 @@ if (leafno < buddy) { /* leafno is the left buddy. */ - dbAdjTree(tp, buddy, NOFREE); + dbAdjTree(tp, buddy, NOFREE, is_ctl); } else { /* buddy is the left buddy and becomes * leafno. */ - dbAdjTree(tp, leafno, NOFREE); + dbAdjTree(tp, leafno, NOFREE, is_ctl); leafno = buddy; } @@ -2838,7 +2838,7 @@ /* update the leaf value. */ - dbAdjTree(tp, leafno, newval); + dbAdjTree(tp, leafno, newval, is_ctl); return 0; } @@ -2859,15 +2859,20 @@ * * RETURN VALUES: none */ -static void dbAdjTree(dmtree_t * tp, int leafno, int newval) +static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl) { int lp, pp, k; - int max; + int max, size; + + size = is_ctl ? CTLTREESIZE : TREESIZE; /* pick up the index of the leaf for this leafno. */ lp = leafno + le32_to_cpu(tp->dmt_leafidx); + if (WARN_ON_ONCE(lp >= size || lp < 0)) + return; + /* is the current value the same as the old value ? if so, * there is nothing to do. */ diff -u linux-laptop-6.5.0/fs/jfs/jfs_dtree.c linux-laptop-6.5.0/fs/jfs/jfs_dtree.c --- linux-laptop-6.5.0/fs/jfs/jfs_dtree.c +++ linux-laptop-6.5.0/fs/jfs/jfs_dtree.c @@ -633,6 +633,11 @@ for (base = 0, lim = p->header.nextindex; lim; lim >>= 1) { index = base + (lim >> 1); + if (stbl[index] < 0) { + rc = -EIO; + goto out; + } + if (p->header.flag & BT_LEAF) { /* uppercase leaf name to compare */ cmp = diff -u linux-laptop-6.5.0/fs/smb/client/cifsfs.c linux-laptop-6.5.0/fs/smb/client/cifsfs.c --- linux-laptop-6.5.0/fs/smb/client/cifsfs.c +++ linux-laptop-6.5.0/fs/smb/client/cifsfs.c @@ -1245,7 +1245,7 @@ int rc = 0; folio = filemap_get_folio(inode->i_mapping, index); - if (!folio) + if (IS_ERR(folio)) return 0; size = folio_size(folio); diff -u linux-laptop-6.5.0/net/bluetooth/hci_core.c linux-laptop-6.5.0/net/bluetooth/hci_core.c --- linux-laptop-6.5.0/net/bluetooth/hci_core.c +++ linux-laptop-6.5.0/net/bluetooth/hci_core.c @@ -1049,6 +1049,7 @@ { struct hci_dev *hdev = container_of(work, struct hci_dev, error_reset); + hci_dev_hold(hdev); BT_DBG("%s", hdev->name); if (hdev->hw_error) @@ -1056,10 +1057,10 @@ else bt_dev_err(hdev, "hardware error 0x%2.2x", hdev->hw_error_code); - if (hci_dev_do_close(hdev)) - return; + if (!hci_dev_do_close(hdev)) + hci_dev_do_open(hdev); - hci_dev_do_open(hdev); + hci_dev_put(hdev); } void hci_uuids_clear(struct hci_dev *hdev) diff -u linux-laptop-6.5.0/net/ipv4/af_inet.c linux-laptop-6.5.0/net/ipv4/af_inet.c --- linux-laptop-6.5.0/net/ipv4/af_inet.c +++ linux-laptop-6.5.0/net/ipv4/af_inet.c @@ -324,6 +324,9 @@ if (INET_PROTOSW_REUSE & answer_flags) sk->sk_reuse = SK_CAN_REUSE; + if (INET_PROTOSW_ICSK & answer_flags) + inet_init_csk_locks(sk); + inet = inet_sk(sk); inet->is_icsk = (INET_PROTOSW_ICSK & answer_flags) != 0; diff -u linux-laptop-6.5.0/net/ipv4/inet_connection_sock.c linux-laptop-6.5.0/net/ipv4/inet_connection_sock.c --- linux-laptop-6.5.0/net/ipv4/inet_connection_sock.c +++ linux-laptop-6.5.0/net/ipv4/inet_connection_sock.c @@ -730,6 +730,10 @@ } if (req) reqsk_put(req); + + if (newsk) + inet_init_csk_locks(newsk); + return newsk; out_err: newsk = NULL; diff -u linux-laptop-6.5.0/net/ipv6/af_inet6.c linux-laptop-6.5.0/net/ipv6/af_inet6.c --- linux-laptop-6.5.0/net/ipv6/af_inet6.c +++ linux-laptop-6.5.0/net/ipv6/af_inet6.c @@ -199,6 +199,9 @@ if (INET_PROTOSW_REUSE & answer_flags) sk->sk_reuse = SK_CAN_REUSE; + if (INET_PROTOSW_ICSK & answer_flags) + inet_init_csk_locks(sk); + inet = inet_sk(sk); inet->is_icsk = (INET_PROTOSW_ICSK & answer_flags) != 0; diff -u linux-laptop-6.5.0/net/netlink/af_netlink.c linux-laptop-6.5.0/net/netlink/af_netlink.c --- linux-laptop-6.5.0/net/netlink/af_netlink.c +++ linux-laptop-6.5.0/net/netlink/af_netlink.c @@ -167,7 +167,7 @@ static struct sk_buff *netlink_to_full_skb(const struct sk_buff *skb, gfp_t gfp_mask) { - unsigned int len = skb_end_offset(skb); + unsigned int len = skb->len; struct sk_buff *new; new = alloc_skb(len, gfp_mask); only in patch2: unchanged: --- linux-laptop-6.5.0.orig/Documentation/admin-guide/hw-vuln/spectre.rst +++ linux-laptop-6.5.0/Documentation/admin-guide/hw-vuln/spectre.rst @@ -138,11 +138,10 @@ the BHB might be shared across privilege levels even in the presence of Enhanced IBRS. -Currently the only known real-world BHB attack vector is via -unprivileged eBPF. Therefore, it's highly recommended to not enable -unprivileged eBPF, especially when eIBRS is used (without retpolines). -For a full mitigation against BHB attacks, it's recommended to use -retpolines (or eIBRS combined with retpolines). +Previously the only known real-world BHB attack vector was via unprivileged +eBPF. Further research has found attacks that don't require unprivileged eBPF. +For a full mitigation against BHB attacks it is recommended to set BHI_DIS_S or +use the BHB clearing sequence. Attack scenarios ---------------- @@ -430,6 +429,23 @@ 'PBRSB-eIBRS: Not affected' CPU is not affected by PBRSB =========================== ======================================================= + - Branch History Injection (BHI) protection status: + +.. list-table:: + + * - BHI: Not affected + - System is not affected + * - BHI: Retpoline + - System is protected by retpoline + * - BHI: BHI_DIS_S + - System is protected by BHI_DIS_S + * - BHI: SW loop; KVM SW loop + - System is protected by software clearing sequence + * - BHI: Syscall hardening + - Syscalls are hardened against BHI + * - BHI: Syscall hardening; KVM: SW loop + - System is protected from userspace attacks by syscall hardening; KVM is protected by software clearing sequence + Full mitigation might require a microcode update from the CPU vendor. When the necessary microcode is not available, the kernel will report vulnerability. @@ -484,7 +500,11 @@ Systems which support enhanced IBRS (eIBRS) enable IBRS protection once at boot, by setting the IBRS bit, and they're automatically protected against - Spectre v2 variant attacks. + some Spectre v2 variant attacks. The BHB can still influence the choice of + indirect branch predictor entry, and although branch predictor entries are + isolated between modes when eIBRS is enabled, the BHB itself is not isolated + between modes. Systems which support BHI_DIS_S will set it to protect against + BHI attacks. On Intel's enhanced IBRS systems, this includes cross-thread branch target injections on SMT systems (STIBP). In other words, Intel eIBRS enables @@ -638,6 +658,22 @@ spectre_v2=off. Spectre variant 1 mitigations cannot be disabled. + spectre_bhi= + + [X86] Control mitigation of Branch History Injection + (BHI) vulnerability. Syscalls are hardened against BHI + regardless of this setting. This setting affects the deployment + of the HW BHI control and the SW BHB clearing sequence. + + on + unconditionally enable. + off + unconditionally disable. + auto + enable if hardware mitigation + control(BHI_DIS_S) is available, otherwise + enable alternate mitigation in KVM. + For spectre_v2_user see Documentation/admin-guide/kernel-parameters.txt Mitigation selection guide only in patch2: unchanged: --- linux-laptop-6.5.0.orig/arch/x86/entry/entry_64.S +++ linux-laptop-6.5.0/arch/x86/entry/entry_64.S @@ -116,6 +116,7 @@ /* clobbers %rax, make sure it is after saving the syscall nr */ IBRS_ENTER UNTRAIN_RET + CLEAR_BRANCH_HISTORY call do_syscall_64 /* returns with IRQs disabled */ @@ -1538,3 +1539,63 @@ call make_task_dead SYM_CODE_END(rewind_stack_and_make_dead) .popsection + +/* + * This sequence executes branches in order to remove user branch information + * from the branch history tracker in the Branch Predictor, therefore removing + * user influence on subsequent BTB lookups. + * + * It should be used on parts prior to Alder Lake. Newer parts should use the + * BHI_DIS_S hardware control instead. If a pre-Alder Lake part is being + * virtualized on newer hardware the VMM should protect against BHI attacks by + * setting BHI_DIS_S for the guests. + * + * CALLs/RETs are necessary to prevent Loop Stream Detector(LSD) from engaging + * and not clearing the branch history. The call tree looks like: + * + * call 1 + * call 2 + * call 2 + * call 2 + * call 2 + * call 2 + * ret + * ret + * ret + * ret + * ret + * ret + * + * This means that the stack is non-constant and ORC can't unwind it with %rsp + * alone. Therefore we unconditionally set up the frame pointer, which allows + * ORC to unwind properly. + * + * The alignment is for performance and not for safety, and may be safely + * refactored in the future if needed. + */ +SYM_FUNC_START(clear_bhb_loop) + push %rbp + mov %rsp, %rbp + movl $5, %ecx + ANNOTATE_INTRA_FUNCTION_CALL + call 1f + jmp 5f + .align 64, 0xcc + ANNOTATE_INTRA_FUNCTION_CALL +1: call 2f + RET + .align 64, 0xcc +2: movl $5, %eax +3: jmp 4f + nop +4: sub $1, %eax + jnz 3b + sub $1, %ecx + jnz 1b + RET +5: lfence + pop %rbp + RET +SYM_FUNC_END(clear_bhb_loop) +EXPORT_SYMBOL_GPL(clear_bhb_loop) +STACK_FRAME_NON_STANDARD(clear_bhb_loop) only in patch2: unchanged: --- linux-laptop-6.5.0.orig/arch/x86/entry/syscall_32.c +++ linux-laptop-6.5.0/arch/x86/entry/syscall_32.c @@ -18,8 +18,25 @@ #include #undef __SYSCALL +/* + * The sys_call_table[] is no longer used for system calls, but + * kernel/trace/trace_syscalls.c still wants to know the system + * call address. + */ +#ifdef CONFIG_X86_32 #define __SYSCALL(nr, sym) __ia32_##sym, - -__visible const sys_call_ptr_t ia32_sys_call_table[] = { +const sys_call_ptr_t sys_call_table[] = { #include }; +#undef __SYSCALL +#endif + +#define __SYSCALL(nr, sym) case nr: return __ia32_##sym(regs); + +long ia32_sys_call(const struct pt_regs *regs, unsigned int nr) +{ + switch (nr) { + #include + default: return __ia32_sys_ni_syscall(regs); + } +}; only in patch2: unchanged: --- linux-laptop-6.5.0.orig/arch/x86/entry/syscall_64.c +++ linux-laptop-6.5.0/arch/x86/entry/syscall_64.c @@ -11,8 +11,23 @@ #include #undef __SYSCALL +/* + * The sys_call_table[] is no longer used for system calls, but + * kernel/trace/trace_syscalls.c still wants to know the system + * call address. + */ #define __SYSCALL(nr, sym) __x64_##sym, - -asmlinkage const sys_call_ptr_t sys_call_table[] = { +const sys_call_ptr_t sys_call_table[] = { #include }; +#undef __SYSCALL + +#define __SYSCALL(nr, sym) case nr: return __x64_##sym(regs); + +long x64_sys_call(const struct pt_regs *regs, unsigned int nr) +{ + switch (nr) { + #include + default: return __x64_sys_ni_syscall(regs); + } +}; only in patch2: unchanged: --- linux-laptop-6.5.0.orig/arch/x86/entry/syscall_x32.c +++ linux-laptop-6.5.0/arch/x86/entry/syscall_x32.c @@ -11,8 +11,12 @@ #include #undef __SYSCALL -#define __SYSCALL(nr, sym) __x64_##sym, +#define __SYSCALL(nr, sym) case nr: return __x64_##sym(regs); -asmlinkage const sys_call_ptr_t x32_sys_call_table[] = { -#include +long x32_sys_call(const struct pt_regs *regs, unsigned int nr) +{ + switch (nr) { + #include + default: return __x64_sys_ni_syscall(regs); + } }; only in patch2: unchanged: --- linux-laptop-6.5.0.orig/arch/x86/include/asm/cpufeatures.h +++ linux-laptop-6.5.0/arch/x86/include/asm/cpufeatures.h @@ -451,6 +451,17 @@ #define X86_FEATURE_SRSO_NO (20*32+29) /* "" CPU is not affected by SRSO */ /* + * Extended auxiliary flags: Linux defined - for features scattered in various + * CPUID levels like 0x80000022, etc and Linux defined features. + * + * Reuse free bits when adding new feature flags! + */ +#define X86_FEATURE_CLEAR_BHB_LOOP (21*32+ 1) /* "" Clear branch history at syscall entry using SW loop */ +#define X86_FEATURE_BHI_CTRL (21*32+ 2) /* "" BHI_DIS_S HW control available */ +#define X86_FEATURE_CLEAR_BHB_HW (21*32+ 3) /* "" BHI_DIS_S HW control enabled */ +#define X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT (21*32+ 4) /* "" Clear branch history at vmexit using SW loop */ + +/* * BUG word(s) */ #define X86_BUG(x) (NCAPINTS*32 + (x)) @@ -496,4 +507,5 @@ /* BUG word 2 */ #define X86_BUG_SRSO X86_BUG(1*32 + 0) /* AMD SRSO bug */ #define X86_BUG_DIV0 X86_BUG(1*32 + 1) /* AMD DIV0 speculation bug */ +#define X86_BUG_BHI X86_BUG(1*32 + 3) /* CPU is affected by Branch History Injection */ #endif /* _ASM_X86_CPUFEATURES_H */ only in patch2: unchanged: --- linux-laptop-6.5.0.orig/arch/x86/include/asm/syscall.h +++ linux-laptop-6.5.0/arch/x86/include/asm/syscall.h @@ -16,19 +16,17 @@ #include /* for TS_COMPAT */ #include +/* This is used purely for kernel/trace/trace_syscalls.c */ typedef long (*sys_call_ptr_t)(const struct pt_regs *); extern const sys_call_ptr_t sys_call_table[]; -#if defined(CONFIG_X86_32) -#define ia32_sys_call_table sys_call_table -#else /* * These may not exist, but still put the prototypes in so we * can use IS_ENABLED(). */ -extern const sys_call_ptr_t ia32_sys_call_table[]; -extern const sys_call_ptr_t x32_sys_call_table[]; -#endif +extern long ia32_sys_call(const struct pt_regs *, unsigned int nr); +extern long x32_sys_call(const struct pt_regs *, unsigned int nr); +extern long x64_sys_call(const struct pt_regs *, unsigned int nr); /* * Only the low 32 bits of orig_ax are meaningful, so we return int. @@ -127,6 +125,7 @@ } void do_syscall_64(struct pt_regs *regs, int nr); +void do_int80_emulation(struct pt_regs *regs); #endif /* CONFIG_X86_32 */ only in patch2: unchanged: --- linux-laptop-6.5.0.orig/arch/x86/kernel/cpu/scattered.c +++ linux-laptop-6.5.0/arch/x86/kernel/cpu/scattered.c @@ -28,6 +28,7 @@ { X86_FEATURE_EPB, CPUID_ECX, 3, 0x00000006, 0 }, { X86_FEATURE_INTEL_PPIN, CPUID_EBX, 0, 0x00000007, 1 }, { X86_FEATURE_RRSBA_CTRL, CPUID_EDX, 2, 0x00000007, 2 }, + { X86_FEATURE_BHI_CTRL, CPUID_EDX, 4, 0x00000007, 2 }, { X86_FEATURE_CQM_LLC, CPUID_EDX, 1, 0x0000000f, 0 }, { X86_FEATURE_CQM_OCCUP_LLC, CPUID_EDX, 0, 0x0000000f, 1 }, { X86_FEATURE_CQM_MBM_TOTAL, CPUID_EDX, 1, 0x0000000f, 1 }, only in patch2: unchanged: --- linux-laptop-6.5.0.orig/arch/x86/kvm/reverse_cpuid.h +++ linux-laptop-6.5.0/arch/x86/kvm/reverse_cpuid.h @@ -45,6 +45,9 @@ #define X86_FEATURE_AVX_NE_CONVERT KVM_X86_FEATURE(CPUID_7_1_EDX, 5) #define X86_FEATURE_PREFETCHITI KVM_X86_FEATURE(CPUID_7_1_EDX, 14) +/* Intel-defined sub-features, CPUID level 0x00000007:2 (EDX) */ +#define KVM_X86_FEATURE_BHI_CTRL KVM_X86_FEATURE(CPUID_7_2_EDX, 4) + /* CPUID level 0x80000007 (EDX). */ #define KVM_X86_FEATURE_CONSTANT_TSC KVM_X86_FEATURE(CPUID_8000_0007_EDX, 8) @@ -115,6 +118,8 @@ return KVM_X86_FEATURE_CONSTANT_TSC; else if (x86_feature == X86_FEATURE_PERFMON_V2) return KVM_X86_FEATURE_PERFMON_V2; + else if (x86_feature == X86_FEATURE_BHI_CTRL) + return X86_FEATURE_BHI_CTRL; return x86_feature; } only in patch2: unchanged: --- linux-laptop-6.5.0.orig/arch/x86/kvm/vmx/vmenter.S +++ linux-laptop-6.5.0/arch/x86/kvm/vmx/vmenter.S @@ -272,6 +272,8 @@ call vmx_spec_ctrl_restore_host + CLEAR_BRANCH_HISTORY_VMEXIT + /* Put return value in AX */ mov %_ASM_BX, %_ASM_AX only in patch2: unchanged: --- linux-laptop-6.5.0.orig/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +++ linux-laptop-6.5.0/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c @@ -1179,8 +1179,7 @@ scan_request = cfg->scan_request; cfg->scan_request = NULL; - if (timer_pending(&cfg->escan_timeout)) - del_timer_sync(&cfg->escan_timeout); + timer_delete_sync(&cfg->escan_timeout); if (fw_abort) { /* Do a scan abort to stop the driver's scan engine */ @@ -8436,6 +8435,7 @@ brcmf_btcoex_detach(cfg); wiphy_unregister(cfg->wiphy); wl_deinit_priv(cfg); + cancel_work_sync(&cfg->escan_timeout_work); brcmf_free_wiphy(cfg->wiphy); kfree(cfg); } only in patch2: unchanged: --- linux-laptop-6.5.0.orig/include/net/inet_connection_sock.h +++ linux-laptop-6.5.0/include/net/inet_connection_sock.h @@ -346,4 +346,12 @@ return inet_sk(sk)->is_icsk && !!inet_csk(sk)->icsk_ulp_ops; } +static inline void inet_init_csk_locks(struct sock *sk) +{ + struct inet_connection_sock *icsk = inet_csk(sk); + + spin_lock_init(&icsk->icsk_accept_queue.rskq_lock); + spin_lock_init(&icsk->icsk_accept_queue.fastopenq.lock); +} + #endif /* _INET_CONNECTION_SOCK_H */ only in patch2: unchanged: --- linux-laptop-6.5.0.orig/include/net/llc_pdu.h +++ linux-laptop-6.5.0/include/net/llc_pdu.h @@ -262,8 +262,7 @@ */ static inline void llc_pdu_decode_sa(struct sk_buff *skb, u8 *sa) { - if (skb->protocol == htons(ETH_P_802_2)) - memcpy(sa, eth_hdr(skb)->h_source, ETH_ALEN); + memcpy(sa, eth_hdr(skb)->h_source, ETH_ALEN); } /** @@ -275,8 +274,7 @@ */ static inline void llc_pdu_decode_da(struct sk_buff *skb, u8 *da) { - if (skb->protocol == htons(ETH_P_802_2)) - memcpy(da, eth_hdr(skb)->h_dest, ETH_ALEN); + memcpy(da, eth_hdr(skb)->h_dest, ETH_ALEN); } /** only in patch2: unchanged: --- linux-laptop-6.5.0.orig/net/core/request_sock.c +++ linux-laptop-6.5.0/net/core/request_sock.c @@ -33,9 +33,6 @@ void reqsk_queue_alloc(struct request_sock_queue *queue) { - spin_lock_init(&queue->rskq_lock); - - spin_lock_init(&queue->fastopenq.lock); queue->fastopenq.rskq_rst_head = NULL; queue->fastopenq.rskq_rst_tail = NULL; queue->fastopenq.qlen = 0; only in patch2: unchanged: --- linux-laptop-6.5.0.orig/net/llc/llc_core.c +++ linux-laptop-6.5.0/net/llc/llc_core.c @@ -135,22 +135,15 @@ .func = llc_rcv, }; -static struct packet_type llc_tr_packet_type __read_mostly = { - .type = cpu_to_be16(ETH_P_TR_802_2), - .func = llc_rcv, -}; - static int __init llc_init(void) { dev_add_pack(&llc_packet_type); - dev_add_pack(&llc_tr_packet_type); return 0; } static void __exit llc_exit(void) { dev_remove_pack(&llc_packet_type); - dev_remove_pack(&llc_tr_packet_type); } module_init(llc_init); only in patch2: unchanged: --- linux-laptop-6.5.0.orig/security/tomoyo/common.c +++ linux-laptop-6.5.0/security/tomoyo/common.c @@ -2648,13 +2648,14 @@ { int error = buffer_len; size_t avail_len = buffer_len; - char *cp0 = head->write_buf; + char *cp0; int idx; if (!head->write) return -EINVAL; if (mutex_lock_interruptible(&head->io_sem)) return -EINTR; + cp0 = head->write_buf; head->read_user_buf_avail = 0; idx = tomoyo_read_lock(); /* Read a line and dispatch it to the policy handler. */