commit 43bb85222e53926decace01ce6584ca88e09a0a9
Author: Greg Kroah-Hartman
Date:   Thu Sep 11 17:17:17 2025 +0200

    Linux 5.15.193

    Signed-off-by: Greg Kroah-Hartman

commit 70de678302a8314e131f23ac1f9efaba64765bd5
Author: Pawan Gupta
Date:   Tue Sep 2 15:27:04 2025 +0200

    x86/vmscape: Add old Intel CPUs to affected list

    commit 8a68d64bb10334426834e8c273319601878e961e upstream.

    These old CPUs are not tested against VMSCAPE, but are likely vulnerable.

    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Signed-off-by: Amit Shah
    Signed-off-by: Greg Kroah-Hartman

commit 79ec330d124e12671aa15a0fe9eb5b93a5db07a6
Author: Pawan Gupta
Date:   Thu Aug 14 10:20:43 2025 -0700

    x86/vmscape: Warn when STIBP is disabled with SMT

    commit b7cc9887231526ca4fa89f3fa4119e47c2dc7b1e upstream.

    Cross-thread attacks are generally harder as they require the victim to
    be co-located on a core. However, with VMSCAPE the adversary targets
    belong to the same guest execution, that are more likely to get
    co-located. In particular, a thread that is currently executing
    userspace hypervisor (after the IBPB) may still be targeted by a guest
    execution from a sibling thread.

    Issue a warning about the potential risk, except when:

      - SMT is disabled
      - STIBP is enabled system-wide
      - Intel eIBRS is enabled (which implies STIBP protection)

    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Signed-off-by: Amit Shah
    Signed-off-by: Greg Kroah-Hartman

commit 1cd71b057f0528bcaececa93611e3f6165fb0685
Author: Pawan Gupta
Date:   Thu Aug 21 13:32:06 2025 +0200

    x86/bugs: Move cpu_bugs_smt_update() down

    commit 6449f5baf9c78a7a442d64f4a61378a21c5db113 upstream.

    cpu_bugs_smt_update() uses global variables from different mitigations.
    For SMT updates it can't currently use vmscape_mitigation that is
    defined after it.

    Since cpu_bugs_smt_update() depends on many other mitigations, move it
    after all mitigations are defined. With that, it can use
    vmscape_mitigation in a moment.

    No functional change.

    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Reviewed-by: Dave Hansen
    Signed-off-by: Amit Shah
    Signed-off-by: Greg Kroah-Hartman

commit 2f4f2f8f860cb4c3336a7435ebe8dcfded0c9c6e
Author: Pawan Gupta
Date:   Thu Aug 14 10:20:42 2025 -0700

    x86/vmscape: Enable the mitigation

    commit 556c1ad666ad90c50ec8fccb930dd5046cfbecfb upstream.

    Enable the previously added mitigation for VMscape. Add the cmdline
    vmscape={off|ibpb|force} and sysfs reporting.

    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Reviewed-by: Borislav Petkov (AMD)
    Reviewed-by: Dave Hansen
    Signed-off-by: Amit Shah
    Signed-off-by: Greg Kroah-Hartman

commit d5490dfa35427a2967e00a4c7a1b95fdbc8ede34
Author: Pawan Gupta
Date:   Thu Aug 14 10:20:42 2025 -0700

    x86/vmscape: Add conditional IBPB mitigation

    commit 2f8f173413f1cbf52660d04df92d0069c4306d25 upstream.

    VMSCAPE is a vulnerability that exploits insufficient branch predictor
    isolation between a guest and a userspace hypervisor (like QEMU).
    Existing mitigations already protect kernel/KVM from a malicious guest.
    Userspace can additionally be protected by flushing the branch
    predictors after a VMexit.

    Since it is the userspace that consumes the poisoned branch predictors,
    conditionally issue an IBPB after a VMexit and before returning to
    userspace. Workloads that frequently switch between hypervisor and
    userspace will incur the most overhead from the new IBPB.

    This new IBPB is not integrated with the existing IBPB sites. For
    instance, a task can use the existing speculation control prctl() to
    get an IBPB at context switch time. With this implementation, the IBPB
    is doubled up: one at context switch and another before running
    userspace.

    The intent is to integrate and optimize these cases post-embargo.

    [ dhansen: elaborate on suboptimal IBPB solution ]

    Suggested-by: Dave Hansen
    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Reviewed-by: Dave Hansen
    Reviewed-by: Borislav Petkov (AMD)
    Acked-by: Sean Christopherson
    Signed-off-by: Amit Shah
    Signed-off-by: Greg Kroah-Hartman

commit f2ed886bb650423b5a1e0478f5d4349fdc576d7f
Author: Pawan Gupta
Date:   Thu Aug 14 10:20:42 2025 -0700

    x86/vmscape: Enumerate VMSCAPE bug

    commit a508cec6e5215a3fbc7e73ae86a5c5602187934d upstream.

    The VMSCAPE vulnerability may allow a guest to cause Branch Target
    Injection (BTI) in userspace hypervisors.

    Kernels (both host and guest) have existing defenses against direct BTI
    attacks from guests. There are also inter-process BTI mitigations which
    prevent processes from attacking each other.

    However, the threat in this case is to a userspace hypervisor within the
    same process as the attacker. Userspace hypervisors have access to their
    own sensitive data like disk encryption keys and also typically have
    access to all guest data. This means guest userspace may use the
    hypervisor as a confused deputy to attack sensitive guest kernel data.
    There are no existing mitigations for these attacks.

    Introduce X86_BUG_VMSCAPE for this vulnerability and set it on affected
    Intel and AMD CPUs.

    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Reviewed-by: Borislav Petkov (AMD)
    [Amit:
     * Drop unsupported Intel families: ARROWLAKE, METEORLAKE, ATOM_CRESTMONT_X;
       and unlisted ATOM types for RAPTORLAKE and ALDERLAKE
     * s/ATOM_GRACEMONT/ALDERLAKE_N/
     * Drop unsupported AMD family: 0x1a]
    Signed-off-by: Amit Shah
    Signed-off-by: Greg Kroah-Hartman

commit a4fff4e5c054bbbba0d1924f13306f1c2358133d
Author: Pawan Gupta
Date:   Thu Aug 14 10:20:42 2025 -0700

    Documentation/hw-vuln: Add VMSCAPE documentation

    commit 9969779d0803f5dcd4460ae7aca2bc3fd91bff12 upstream.

    VMSCAPE is a vulnerability that may allow a guest to influence the
    branch prediction in host userspace, particularly affecting hypervisors
    like QEMU.

    Add the documentation.

    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Reviewed-by: Borislav Petkov (AMD)
    Reviewed-by: Dave Hansen
    Signed-off-by: Amit Shah
    Signed-off-by: Greg Kroah-Hartman
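An added host-side audit script, not code from the kernel series above: it reads the sysfs status that the "x86/vmscape: Enable the mitigation" commit introduces, parses the vmscape={off|ibpb|force} boot parameter from the same commit, and flags the sibling-thread caveat from the "Warn when STIBP is disabled with SMT" commit. It assumes the sysfs file is /sys/devices/system/cpu/vulnerabilities/vmscape and the SMT flag is /sys/devices/system/cpu/smt/active (paths inferred, not stated in the log), and that the file uses the usual "Not affected" / "Vulnerable" / "Mitigation:" prefixes; all function and variable names are the example's own.

```shell
# Added audit example (assumed paths, not confirmed by the commit log).
VMSCAPE_SYSFS=/sys/devices/system/cpu/vulnerabilities/vmscape
SMT_SYSFS=/sys/devices/system/cpu/smt/active

# Classify one vulnerabilities-file line using the standard prefixes.
# Echoes ok|mitigated|vulnerable and returns 0; echoes unknown and returns 1.
classify_vmscape_status() {
    case "$1" in
        "Not affected"*) echo ok; return 0 ;;
        "Mitigation:"*)  echo mitigated; return 0 ;;
        "Vulnerable"*)   echo vulnerable; return 0 ;;
        *)               echo unknown; return 1 ;;
    esac
}

# Extract the vmscape={off|ibpb|force} value from a kernel command line,
# or "default" when the parameter is absent (the kernel chooses on its own).
vmscape_cmdline_mode() {
    for tok in $1; do
        case "$tok" in
            vmscape=*) echo "${tok#vmscape=}"; return 0 ;;
        esac
    done
    echo default
}

# Cross-thread caveat: the per-VMexit IBPB does not cover a sibling thread,
# so an SMT-active host still needs STIBP or eIBRS (the kernel warns about
# this). Args: classification, smt-active flag (0/1). Echoes a one-line note.
smt_caveat() {
    if [ "$1" = mitigated ] && [ "$2" = 1 ]; then
        echo "SMT active: verify STIBP/eIBRS; check the kernel log for the VMSCAPE warning"
    else
        echo "no SMT caveat"
    fi
}

audit_vmscape() {
    status=unavailable; smt=0
    [ -r "$VMSCAPE_SYSFS" ] && status=$(cat "$VMSCAPE_SYSFS")
    [ -r "$SMT_SYSFS" ] && smt=$(cat "$SMT_SYSFS")
    cls=$(classify_vmscape_status "$status") || true
    mode=$(vmscape_cmdline_mode "$(cat /proc/cmdline 2>/dev/null)")
    echo "vmscape sysfs : $status ($cls)"
    echo "cmdline mode  : $mode"
    echo "smt caveat    : $(smt_caveat "$cls" "$smt")"
    return 0
}

audit_vmscape
```

On a host without the sysfs file (older kernel or non-x86) the script reports "unavailable (unknown)" rather than failing, which is itself a finding worth recording.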