commit f6cf124428f51e3ef07a8e54c743873face9d2b2
Author: Greg Kroah-Hartman
Date:   Thu Sep 11 17:21:47 2025 +0200

    Linux 6.12.47

    Signed-off-by: Greg Kroah-Hartman

commit 766424cef1e6be8d3a7f0861638a5245b237e0a5
Author: Pawan Gupta
Date:   Fri Aug 29 15:28:52 2025 -0700

    x86/vmscape: Add old Intel CPUs to affected list

    Commit 8a68d64bb10334426834e8c273319601878e961e upstream.

    These old CPUs are not tested against VMSCAPE, but are likely vulnerable.

    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Signed-off-by: Borislav Petkov (AMD)
    Signed-off-by: Greg Kroah-Hartman

commit 8d675611b96a6c59969c570c89f458e253b2d5eb
Author: Pawan Gupta
Date:   Thu Aug 14 10:20:43 2025 -0700

    x86/vmscape: Warn when STIBP is disabled with SMT

    Commit b7cc9887231526ca4fa89f3fa4119e47c2dc7b1e upstream.

    Cross-thread attacks are generally harder as they require the victim to
    be co-located on a core. However, with VMSCAPE the adversary's targets
    belong to the same guest execution, which are more likely to get
    co-located. In particular, a thread that is currently executing the
    userspace hypervisor (after the IBPB) may still be targeted by a guest
    execution from a sibling thread.

    Issue a warning about the potential risk, except when:

    - SMT is disabled
    - STIBP is enabled system-wide
    - Intel eIBRS is enabled (which implies STIBP protection)

    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Signed-off-by: Borislav Petkov (AMD)
    Signed-off-by: Greg Kroah-Hartman

commit 28504e31029b1612a1cbf2b81db244124cad0bad
Author: Pawan Gupta
Date:   Thu Aug 14 10:20:43 2025 -0700

    x86/bugs: Move cpu_bugs_smt_update() down

    Commit 6449f5baf9c78a7a442d64f4a61378a21c5db113 upstream.

    cpu_bugs_smt_update() uses global variables from different mitigations.
    For SMT updates it can't currently use vmscape_mitigation that is
    defined after it.

    Since cpu_bugs_smt_update() depends on many other mitigations, move it
    after all mitigations are defined. With that, it can use
    vmscape_mitigation in a moment.

    No functional change.

    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Reviewed-by: Dave Hansen
    Signed-off-by: Borislav Petkov (AMD)
    Signed-off-by: Greg Kroah-Hartman

commit 459274c77b37ac63b78c928b4b4e748d1f9d05c8
Author: Pawan Gupta
Date:   Thu Aug 14 10:20:42 2025 -0700

    x86/vmscape: Enable the mitigation

    Commit 556c1ad666ad90c50ec8fccb930dd5046cfbecfb upstream.

    Enable the previously added mitigation for VMscape. Add the cmdline
    vmscape={off|ibpb|force} and sysfs reporting.

    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Reviewed-by: Borislav Petkov (AMD)
    Reviewed-by: Dave Hansen
    Signed-off-by: Borislav Petkov (AMD)
    Signed-off-by: Greg Kroah-Hartman

commit d7ddc93392e4a7ffcccc86edf6ef3e64c778db52
Author: Pawan Gupta
Date:   Thu Aug 14 10:20:42 2025 -0700

    x86/vmscape: Add conditional IBPB mitigation

    Commit 2f8f173413f1cbf52660d04df92d0069c4306d25 upstream.

    VMSCAPE is a vulnerability that exploits insufficient branch predictor
    isolation between a guest and a userspace hypervisor (like QEMU).
    Existing mitigations already protect kernel/KVM from a malicious guest.
    Userspace can additionally be protected by flushing the branch
    predictors after a VMexit.

    Since it is the userspace that consumes the poisoned branch predictors,
    conditionally issue an IBPB after a VMexit and before returning to
    userspace. Workloads that frequently switch between hypervisor and
    userspace will incur the most overhead from the new IBPB.

    This new IBPB is not integrated with the existing IBPB sites. For
    instance, a task can use the existing speculation control prctl() to
    get an IBPB at context switch time. With this implementation, the IBPB
    is doubled up: one at context switch and another before running
    userspace.

    The intent is to integrate and optimize these cases post-embargo.

    [ dhansen: elaborate on suboptimal IBPB solution ]

    Suggested-by: Dave Hansen
    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Reviewed-by: Dave Hansen
    Reviewed-by: Borislav Petkov (AMD)
    Acked-by: Sean Christopherson
    Signed-off-by: Borislav Petkov (AMD)
    Signed-off-by: Greg Kroah-Hartman

commit 7c62c442b6eb95d21bc4c5afc12fee721646ebe2
Author: Pawan Gupta
Date:   Thu Aug 14 10:20:42 2025 -0700

    x86/vmscape: Enumerate VMSCAPE bug

    Commit a508cec6e5215a3fbc7e73ae86a5c5602187934d upstream.

    The VMSCAPE vulnerability may allow a guest to cause Branch Target
    Injection (BTI) in userspace hypervisors.

    Kernels (both host and guest) have existing defenses against direct BTI
    attacks from guests. There are also inter-process BTI mitigations which
    prevent processes from attacking each other. However, the threat in this
    case is to a userspace hypervisor within the same process as the
    attacker.

    Userspace hypervisors have access to their own sensitive data like disk
    encryption keys and also typically have access to all guest data. This
    means guest userspace may use the hypervisor as a confused deputy to
    attack sensitive guest kernel data. There are no existing mitigations
    for these attacks.

    Introduce X86_BUG_VMSCAPE for this vulnerability and set it on affected
    Intel and AMD CPUs.

    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Reviewed-by: Borislav Petkov (AMD)
    Signed-off-by: Borislav Petkov (AMD)
    Signed-off-by: Greg Kroah-Hartman

commit 4c6fbb4dba3fcdb81324dbd65083f2dc129d0a1a
Author: Pawan Gupta
Date:   Thu Aug 14 10:20:42 2025 -0700

    Documentation/hw-vuln: Add VMSCAPE documentation

    Commit 9969779d0803f5dcd4460ae7aca2bc3fd91bff12 upstream.

    VMSCAPE is a vulnerability that may allow a guest to influence the
    branch prediction in host userspace, particularly affecting hypervisors
    like QEMU.

    Add the documentation.

    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Reviewed-by: Borislav Petkov (AMD)
    Reviewed-by: Dave Hansen
    Signed-off-by: Borislav Petkov (AMD)
    Signed-off-by: Greg Kroah-Hartman
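The commits above add a vmscape= command-line switch, a sysfs entry and an SMT warning with three exceptions (SMT off, STIBP system-wide, Intel eIBRS). The script below is an added example for operators checking a host after upgrading to this release; it is not code from the kernel tree or from these commits. It assumes the standard /sys/devices/system/cpu/vulnerabilities and /sys/devices/system/cpu/smt/control paths; the exact report strings it pattern-matches (a "Mitigation:" prefix on the vmscape entry, "STIBP: forced"/"STIBP: always-on" on spectre_v2, and the STIBP field being omitted when Intel eIBRS is active) are assumptions taken from how the existing sysfs vulnerability entries are formatted, and the sample strings in the test are constructed.

```shell
#!/bin/sh
# Added example, not kernel code: report the VMSCAPE mitigation state a
# 6.12.47 host exposes and apply the same three exceptions the SMT warning
# commit lists. Functions take file contents as arguments so they can be
# exercised with constructed samples offline.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities
SMT_CONTROL=/sys/devices/system/cpu/smt/control

# Classify the contents of $VULN_DIR/vmscape.
# Prints: not-affected | mitigated | vulnerable | unknown
vmscape_state() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Extract vmscape={off|ibpb|force} from a kernel command line.
# Prints "unset" when the switch is absent (kernel default applies).
cmdline_vmscape() {
    for word in $1; do
        case "$word" in
            vmscape=*) echo "${word#vmscape=}"; return 0 ;;
        esac
    done
    echo unset
}

# SMT is active when cpu/smt/control reads "on"
# (other values: off, forceoff, notsupported, notimplemented).
smt_active() {
    [ "$1" = "on" ]
}

# Does the spectre_v2 report imply STIBP for every thread?
# Assumption: system-wide STIBP shows as "STIBP: forced" or
# "STIBP: always-on"; when Intel eIBRS is in use the STIBP field is
# omitted entirely because eIBRS implies it. AMD Automatic IBRS still
# prints a STIBP field, so it is handled by the explicit field check.
stibp_systemwide() {
    case "$1" in
        *"STIBP: forced"*|*"STIBP: always-on"*) return 0 ;;
        *"STIBP:"*)   return 1 ;;
        *"Enhanced"*) return 0 ;;   # eIBRS report with no STIBP field
        *)            return 1 ;;
    esac
}

# Mirror of the warning condition in "Warn when STIBP is disabled with
# SMT": a userspace hypervisor stays exposed to a sibling thread when the
# IBPB mitigation is on, SMT is on, and STIBP is not system-wide.
# Prints yes | no.
smt_caveat() {
    vmscape="$1"; smt="$2"; spectre_v2="$3"
    if [ "$(vmscape_state "$vmscape")" = mitigated ] \
       && smt_active "$smt" \
       && ! stibp_systemwide "$spectre_v2"; then
        echo yes
    else
        echo no
    fi
}

# Live report. Tolerates kernels without a vmscape entry (older releases).
read_sysfs() { if [ -r "$1" ]; then cat "$1"; else echo absent; fi; }

live_vmscape=$(read_sysfs "$VULN_DIR/vmscape")
live_smt=$(read_sysfs "$SMT_CONTROL")
live_spectre_v2=$(read_sysfs "$VULN_DIR/spectre_v2")
live_cmdline=$(read_sysfs /proc/cmdline)

echo "vmscape sysfs : $live_vmscape ($(vmscape_state "$live_vmscape"))"
echo "cmdline       : vmscape=$(cmdline_vmscape "$live_cmdline")"
echo "SMT control   : $live_smt"
echo "spectre_v2    : $live_spectre_v2"
echo "cross-thread caveat applies: $(smt_caveat "$live_vmscape" "$live_smt" "$live_spectre_v2")"
```

A "yes" on the last line is the same situation the kernel warns about once at boot: the IBPB before returning to userspace protects the hypervisor thread from the guest that just exited, but not from a guest still running on the sibling thread. Disabling SMT or forcing STIBP (spectre_v2_user=on) closes that gap; vmscape=off leaves the host fully exposed and should only appear on machines that run no untrusted guests.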