Changelog in Linux kernel 5.15.193

Documentation/hw-vuln: Add VMSCAPE documentation
Author: Pawan Gupta <[email protected]>
Date:   Thu Aug 14 10:20:42 2025 -0700

    Documentation/hw-vuln: Add VMSCAPE documentation
    
    commit 9969779d0803f5dcd4460ae7aca2bc3fd91bff12 upstream.
    
    VMSCAPE is a vulnerability that may allow a guest to influence the branch
    prediction in host userspace, particularly affecting hypervisors like QEMU.
    
    Add the documentation.
    
    Signed-off-by: Pawan Gupta <[email protected]>
    Signed-off-by: Dave Hansen <[email protected]>
    Reviewed-by: Borislav Petkov (AMD) <[email protected]>
    Reviewed-by: Dave Hansen <[email protected]>
    Signed-off-by: Amit Shah <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
Linux: Linux 5.15.193
Author: Greg Kroah-Hartman <[email protected]>
Date:   Thu Sep 11 17:17:17 2025 +0200

    Linux 5.15.193
    
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

x86/bugs: Move cpu_bugs_smt_update() down
Author: Pawan Gupta <[email protected]>
Date:   Thu Aug 21 13:32:06 2025 +0200

    x86/bugs: Move cpu_bugs_smt_update() down
    
    commit 6449f5baf9c78a7a442d64f4a61378a21c5db113 upstream.
    
    cpu_bugs_smt_update() uses global variables from different mitigations. For
    SMT updates it can't currently use vmscape_mitigation that is defined after
    it.
    
    Since cpu_bugs_smt_update() depends on many other mitigations, move it
    after all mitigations are defined. With that, it can use vmscape_mitigation
    in a moment.
    
    No functional change.
    
    Signed-off-by: Pawan Gupta <[email protected]>
    Signed-off-by: Dave Hansen <[email protected]>
    Reviewed-by: Dave Hansen <[email protected]>
    Signed-off-by: Amit Shah <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

x86/vmscape: Add conditional IBPB mitigation
Author: Pawan Gupta <[email protected]>
Date:   Thu Aug 14 10:20:42 2025 -0700

    x86/vmscape: Add conditional IBPB mitigation
    
    commit 2f8f173413f1cbf52660d04df92d0069c4306d25 upstream.
    
    VMSCAPE is a vulnerability that exploits insufficient branch predictor
    isolation between a guest and a userspace hypervisor (like QEMU). Existing
    mitigations already protect kernel/KVM from a malicious guest. Userspace
    can additionally be protected by flushing the branch predictors after a
    VMexit.
    
    Since it is the userspace that consumes the poisoned branch predictors,
    conditionally issue an IBPB after a VMexit and before returning to
    userspace. Workloads that frequently switch between hypervisor and
    userspace will incur the most overhead from the new IBPB.
    
    This new IBPB is not integrated with the existing IBPB sites. For
    instance, a task can use the existing speculation control prctl() to
    get an IBPB at context switch time. With this implementation, the
    IBPB is doubled up: one at context switch and another before running
    userspace.
    
    The intent is to integrate and optimize these cases post-embargo.
    
    [ dhansen: elaborate on suboptimal IBPB solution ]
    
    Suggested-by: Dave Hansen <[email protected]>
    Signed-off-by: Pawan Gupta <[email protected]>
    Signed-off-by: Dave Hansen <[email protected]>
    Reviewed-by: Dave Hansen <[email protected]>
    Reviewed-by: Borislav Petkov (AMD) <[email protected]>
    Acked-by: Sean Christopherson <[email protected]>
    Signed-off-by: Amit Shah <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

x86/vmscape: Add old Intel CPUs to affected list
Author: Pawan Gupta <[email protected]>
Date:   Tue Sep 2 15:27:04 2025 +0200

    x86/vmscape: Add old Intel CPUs to affected list
    
    commit 8a68d64bb10334426834e8c273319601878e961e upstream.
    
    These old CPUs are not tested against VMSCAPE, but are likely vulnerable.
    
    Signed-off-by: Pawan Gupta <[email protected]>
    Signed-off-by: Dave Hansen <[email protected]>
    Signed-off-by: Amit Shah <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

x86/vmscape: Enable the mitigation
Author: Pawan Gupta <[email protected]>
Date:   Thu Aug 14 10:20:42 2025 -0700

    x86/vmscape: Enable the mitigation
    
    commit 556c1ad666ad90c50ec8fccb930dd5046cfbecfb upstream.
    
    Enable the previously added mitigation for VMscape. Add the cmdline
    vmscape={off|ibpb|force} and sysfs reporting.
    
    Signed-off-by: Pawan Gupta <[email protected]>
    Signed-off-by: Dave Hansen <[email protected]>
    Reviewed-by: Borislav Petkov (AMD) <[email protected]>
    Reviewed-by: Dave Hansen <[email protected]>
    Signed-off-by: Amit Shah <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

x86/vmscape: Enumerate VMSCAPE bug
Author: Pawan Gupta <[email protected]>
Date:   Thu Aug 14 10:20:42 2025 -0700

    x86/vmscape: Enumerate VMSCAPE bug
    
    commit a508cec6e5215a3fbc7e73ae86a5c5602187934d upstream.
    
    The VMSCAPE vulnerability may allow a guest to cause Branch Target
    Injection (BTI) in userspace hypervisors.
    
    Kernels (both host and guest) have existing defenses against direct BTI
    attacks from guests. There are also inter-process BTI mitigations which
    prevent processes from attacking each other. However, the threat in this
    case is to a userspace hypervisor within the same process as the attacker.
    
    Userspace hypervisors have access to their own sensitive data like disk
    encryption keys and also typically have access to all guest data. This
    means guest userspace may use the hypervisor as a confused deputy to attack
    sensitive guest kernel data. There are no existing mitigations for these
    attacks.
    
    Introduce X86_BUG_VMSCAPE for this vulnerability and set it on affected
    Intel and AMD CPUs.
    
    Signed-off-by: Pawan Gupta <[email protected]>
    Signed-off-by: Dave Hansen <[email protected]>
    Reviewed-by: Borislav Petkov (AMD) <[email protected]>
    [Amit:
     * Drop unsupported Intel families: ARROWLAKE, METEORLAKE,
       ATOM_CRESTMONT_X; and unlisted ATOM types for RAPTORLAKE and
       ALDERLAKE
     * s/ATOM_GRACEMONT/ALDERLAKE_N/
     * Drop unsupported AMD family: 0x1a]
    Signed-off-by: Amit Shah <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>

x86/vmscape: Warn when STIBP is disabled with SMT
Author: Pawan Gupta <[email protected]>
Date:   Thu Aug 14 10:20:43 2025 -0700

    x86/vmscape: Warn when STIBP is disabled with SMT
    
    commit b7cc9887231526ca4fa89f3fa4119e47c2dc7b1e upstream.
    
    Cross-thread attacks are generally harder as they require the victim to be
    co-located on a core. However, with VMSCAPE the adversary targets belong to
    the same guest execution, which are more likely to get co-located. In
    particular, a thread that is currently executing userspace hypervisor
    (after the IBPB) may still be targeted by a guest execution from a sibling
    thread.
    
    Issue a warning about the potential risk, except when:
    
    - SMT is disabled
    - STIBP is enabled system-wide
    - Intel eIBRS is enabled (which implies STIBP protection)
    
    Signed-off-by: Pawan Gupta <[email protected]>
    Signed-off-by: Dave Hansen <[email protected]>
    Signed-off-by: Amit Shah <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
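The vmscape={off|ibpb|force} parameter with sysfs reporting (the "Enable the mitigation" commit) and the SMT/STIBP warning (the last commit) translate into a host-side audit; the script below is an added example, not kernel code or part of this changelog. It assumes the sysfs entry is named vmscape under /sys/devices/system/cpu/vulnerabilities with the usual "Not affected" / "Mitigation: ..." / "Vulnerable" prefixes, and that the spectre_v2 entry mentions "STIBP: always-on" or "Enhanced ... IBRS" when those are active.

```shell
#!/bin/sh
# Added example, not kernel code: audit a KVM host's VMSCAPE state from the
# sysfs vulnerability file and /proc/cmdline. Assumed: the sysfs entry is
# named "vmscape" and uses the usual "Not affected"/"Mitigation:"/"Vulnerable"
# prefixes; spectre_v2 shows "STIBP: always-on" or "Enhanced ... IBRS".
VULN_DIR=/sys/devices/system/cpu/vulnerabilities
# Print the value of vmscape={off|ibpb|force} from a command line string
# ($1); the last occurrence wins, nothing is printed when it is absent.
vmscape_cmdline_opt() {
    val=""
    for tok in $1; do
        case "$tok" in vmscape=*) val="${tok#vmscape=}" ;; esac
    done
    printf '%s' "$val"
}
# Map the sysfs text ($1) to notaffected | mitigated | vulnerable | unknown.
vmscape_classify() {
    case "$1" in
        "Not affected"*) printf 'notaffected' ;;
        "Mitigation:"*)  printf 'mitigated' ;;
        "Vulnerable"*)   printf 'vulnerable' ;;
        *)               printf 'unknown' ;;
    esac
}
# Verdict for a classification ($1), cpu/smt/control text ($2) and spectre_v2
# text ($3). Mirrors the "Warn when STIBP is disabled with SMT" commit: the
# IBPB covers the hypervisor thread, a guest on the sibling needs STIBP/eIBRS.
# Exit status: 0 ok, 1 not mitigated, 2 mitigated but cross-thread exposed.
vmscape_verdict() {
    case "$1" in
        notaffected) printf 'OK: not affected'; return 0 ;;
        mitigated)   ;;
        *) printf 'ACTION: not mitigated (check kernel version and vmscape=)'; return 1 ;;
    esac
    [ "$2" = on ] || { printf 'OK: mitigated, SMT off'; return 0; }
    case "$3" in
        *"STIBP: always-on"*|*Enhanced*IBRS*) printf 'OK: mitigated, STIBP/eIBRS'; return 0 ;;
        *) printf 'WARN: mitigated, but SMT on without STIBP/eIBRS'; return 2 ;;
    esac
}
# Live check; skipped on kernels without the sysfs entry.
if [ -r "$VULN_DIR/vmscape" ]; then
    cls=$(vmscape_classify "$(cat "$VULN_DIR/vmscape")")
    smt=$(cat /sys/devices/system/cpu/smt/control 2>/dev/null || echo unknown)
    sv2=$(cat "$VULN_DIR/spectre_v2" 2>/dev/null || echo unknown)
    rc=0; out=$(vmscape_verdict "$cls" "$smt" "$sv2") || rc=$?
    echo "vmscape=$(vmscape_cmdline_opt "$(cat /proc/cmdline)") $out (rc=$rc)"
fi
```

Run it on each hypervisor host after the kernel update; a non-zero exit status from vmscape_verdict is the signal to follow up (boot parameter, SMT policy, or a kernel that predates these commits).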