commit 131e2001572ba68b6728bcba91c58647168d237f
Author: Greg Kroah-Hartman
Date:   Thu Sep 11 17:23:23 2025 +0200

    Linux 6.16.7

    Signed-off-by: Greg Kroah-Hartman

commit a6b94f1030917aeff4ef2045a4c70876a71532ac
Author: Pawan Gupta
Date:   Fri Aug 29 15:28:52 2025 -0700

    x86/vmscape: Add old Intel CPUs to affected list

    Commit 8a68d64bb10334426834e8c273319601878e961e upstream.

    These old CPUs are not tested against VMSCAPE, but are likely vulnerable.

    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Signed-off-by: Borislav Petkov (AMD)
    Signed-off-by: Greg Kroah-Hartman

commit 2bb658abee57f2613192112bb94c64883bef975f
Author: Pawan Gupta
Date:   Thu Aug 14 10:20:43 2025 -0700

    x86/vmscape: Warn when STIBP is disabled with SMT

    Commit b7cc9887231526ca4fa89f3fa4119e47c2dc7b1e upstream.

    Cross-thread attacks are generally harder as they require the victim to
    be co-located on a core. However, with VMSCAPE the adversary targets
    belong to the same guest execution, that are more likely to get
    co-located. In particular, a thread that is currently executing
    userspace hypervisor (after the IBPB) may still be targeted by a guest
    execution from a sibling thread.

    Issue a warning about the potential risk, except when:

    - SMT is disabled
    - STIBP is enabled system-wide
    - Intel eIBRS is enabled (which implies STIBP protection)

    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Signed-off-by: Borislav Petkov (AMD)
    Signed-off-by: Greg Kroah-Hartman

commit 923ab9f5743de1831b76bc0593cbc2e30c8f034a
Author: Pawan Gupta
Date:   Thu Aug 14 10:20:43 2025 -0700

    x86/bugs: Move cpu_bugs_smt_update() down

    Commit 6449f5baf9c78a7a442d64f4a61378a21c5db113 upstream.

    cpu_bugs_smt_update() uses global variables from different mitigations.
    For SMT updates it can't currently use vmscape_mitigation that is defined
    after it.

    Since cpu_bugs_smt_update() depends on many other mitigations, move it
    after all mitigations are defined. With that, it can use
    vmscape_mitigation in a moment.

    No functional change.

    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Signed-off-by: Borislav Petkov (AMD)
    Reviewed-by: Dave Hansen
    Signed-off-by: Greg Kroah-Hartman

commit 9c23a90648e831d611152ac08dbcd1283d405e7f
Author: Pawan Gupta
Date:   Thu Aug 14 10:20:42 2025 -0700

    x86/vmscape: Enable the mitigation

    Commit 556c1ad666ad90c50ec8fccb930dd5046cfbecfb upstream.

    Enable the previously added mitigation for VMscape. Add the cmdline
    vmscape={off|ibpb|force} and sysfs reporting.

    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Signed-off-by: Borislav Petkov (AMD)
    Reviewed-by: Borislav Petkov (AMD)
    Reviewed-by: Dave Hansen
    Signed-off-by: Greg Kroah-Hartman

commit 510603f504796c3535f67f55fb0b124a303b44c8
Author: Pawan Gupta
Date:   Thu Aug 14 10:20:42 2025 -0700

    x86/vmscape: Add conditional IBPB mitigation

    Commit 2f8f173413f1cbf52660d04df92d0069c4306d25 upstream.

    VMSCAPE is a vulnerability that exploits insufficient branch predictor
    isolation between a guest and a userspace hypervisor (like QEMU). Existing
    mitigations already protect kernel/KVM from a malicious guest. Userspace
    can additionally be protected by flushing the branch predictors after a
    VMexit.

    Since it is the userspace that consumes the poisoned branch predictors,
    conditionally issue an IBPB after a VMexit and before returning to
    userspace. Workloads that frequently switch between hypervisor and
    userspace will incur the most overhead from the new IBPB.

    This new IBPB is not integrated with the existing IBPB sites. For
    instance, a task can use the existing speculation control prctl() to
    get an IBPB at context switch time. With this implementation, the
    IBPB is doubled up: one at context switch and another before running
    userspace.

    The intent is to integrate and optimize these cases post-embargo.

    [ dhansen: elaborate on suboptimal IBPB solution ]

    Suggested-by: Dave Hansen
    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Signed-off-by: Borislav Petkov (AMD)
    Reviewed-by: Dave Hansen
    Reviewed-by: Borislav Petkov (AMD)
    Acked-by: Sean Christopherson
    Signed-off-by: Greg Kroah-Hartman

commit d83e6111337f3980cb23af12a99ca73c0e36365f
Author: Pawan Gupta
Date:   Thu Aug 14 10:20:42 2025 -0700

    x86/vmscape: Enumerate VMSCAPE bug

    Commit a508cec6e5215a3fbc7e73ae86a5c5602187934d upstream.

    The VMSCAPE vulnerability may allow a guest to cause Branch Target
    Injection (BTI) in userspace hypervisors.

    Kernels (both host and guest) have existing defenses against direct BTI
    attacks from guests. There are also inter-process BTI mitigations which
    prevent processes from attacking each other. However, the threat in this
    case is to a userspace hypervisor within the same process as the attacker.

    Userspace hypervisors have access to their own sensitive data like disk
    encryption keys and also typically have access to all guest data. This
    means guest userspace may use the hypervisor as a confused deputy to attack
    sensitive guest kernel data. There are no existing mitigations for these
    attacks.

    Introduce X86_BUG_VMSCAPE for this vulnerability and set it on affected
    Intel and AMD CPUs.

    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Signed-off-by: Borislav Petkov (AMD)
    Reviewed-by: Borislav Petkov (AMD)
    Signed-off-by: Greg Kroah-Hartman

commit 781b69117c839b8ba37d879d4895d97f4b72eb84
Author: Pawan Gupta
Date:   Thu Aug 14 10:20:42 2025 -0700

    Documentation/hw-vuln: Add VMSCAPE documentation

    Commit 9969779d0803f5dcd4460ae7aca2bc3fd91bff12 upstream.

    VMSCAPE is a vulnerability that may allow a guest to influence the branch
    prediction in host userspace, particularly affecting hypervisors like QEMU.

    Add the documentation.

    Signed-off-by: Pawan Gupta
    Signed-off-by: Dave Hansen
    Signed-off-by: Borislav Petkov (AMD)
    Reviewed-by: Borislav Petkov (AMD)
    Reviewed-by: Dave Hansen
    Signed-off-by: Greg Kroah-Hartman
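The log above describes three things an operator of a 6.16.7 host can check after upgrading: the new sysfs reporting for VMSCAPE, the vmscape={off|ibpb|force} command-line switch, and the SMT/STIBP warning conditions (SMT off, STIBP system-wide, or Intel eIBRS). The following POSIX sh script is an added example that turns those checks into a posture report; it is not part of the stable log and not the kernel's own code. It assumes the vulnerability file is named vulnerabilities/vmscape following the existing hw-vuln sysfs convention, classifies it only by the generic "Not affected" / "Vulnerable" / "Mitigation:" prefixes because the exact mitigation strings are not quoted on this page, and assumes the "STIBP: forced", "STIBP: always-on" and "Enhanced / Automatic IBRS" substrings of the spectre_v2 file. Every file path can be overridden so the functions can be exercised on constructed inputs.

```shell
#!/bin/sh
# Added example: report a host's VMSCAPE mitigation posture from sysfs,
# the kernel command line, the SMT state and the CPU vendor.
# Not kernel code; file names below default to the real sysfs/procfs
# paths but are overridable for testing on constructed files.

VMSCAPE_SYSFS=${VMSCAPE_SYSFS:-/sys/devices/system/cpu/vulnerabilities/vmscape}
SPECTRE_V2_SYSFS=${SPECTRE_V2_SYSFS:-/sys/devices/system/cpu/vulnerabilities/spectre_v2}
SMT_ACTIVE=${SMT_ACTIVE:-/sys/devices/system/cpu/smt/active}
CMDLINE=${CMDLINE:-/proc/cmdline}
CPUINFO=${CPUINFO:-/proc/cpuinfo}

# vmscape_state FILE -> not_affected | vulnerable | mitigated | unknown
# Uses only the prefixes shared by every hw-vuln sysfs file (assumption:
# the VMSCAPE file follows that convention).
vmscape_state() {
    if [ ! -r "$1" ]; then echo unknown; return 0; fi
    case "$(cat "$1")" in
        "Not affected") echo not_affected ;;
        Vulnerable*)    echo vulnerable ;;
        Mitigation:*)   echo mitigated ;;
        *)              echo unknown ;;
    esac
}

# vmscape_cmdline FILE -> off | ibpb | force | default | invalid:<value>
# The last vmscape= token wins (assumption: later early_param wins).
vmscape_cmdline() {
    v=
    if [ ! -r "$1" ]; then echo default; return 0; fi
    for w in $(cat "$1"); do
        case "$w" in
            vmscape=*) v=${w#vmscape=} ;;
        esac
    done
    case "$v" in
        off|ibpb|force) echo "$v" ;;
        "")             echo default ;;
        *)              echo "invalid:$v" ;;
    esac
}

# smt_active FILE -> yes | no | unknown   (file holds 0 or 1)
smt_active() {
    if [ ! -r "$1" ]; then echo unknown; return 0; fi
    case "$(cat "$1")" in
        1) echo yes ;;
        0) echo no ;;
        *) echo unknown ;;
    esac
}

# cpu_vendor CPUINFO_FILE -> vendor_id string from /proc/cpuinfo, or unknown
cpu_vendor() {
    if [ ! -r "$1" ]; then echo unknown; return 0; fi
    v=$(sed -n 's/^vendor_id[[:space:]]*:[[:space:]]*//p' "$1" | head -n 1)
    echo "${v:-unknown}"
}

# cross_thread_risk SMT_FILE SPECTRE_V2_FILE CPUINFO_FILE -> ok | warn
# Mirrors the three conditions under which the kernel stays silent:
# SMT disabled, STIBP enabled system-wide, or Intel eIBRS. An unknown SMT
# state is treated as active (conservative). The substrings matched in the
# spectre_v2 file are an assumption about its format.
cross_thread_risk() {
    case "$(smt_active "$1")" in
        no) echo ok; return 0 ;;
    esac
    s=$(cat "$2" 2>/dev/null || true)
    case "$s" in
        *"STIBP: forced"*|*"STIBP: always-on"*) echo ok; return 0 ;;
    esac
    # eIBRS implies STIBP only on Intel; AMD AutoIBRS reports the same text
    # but gives no such guarantee, so gate on the vendor string.
    if [ "$(cpu_vendor "$3")" = GenuineIntel ]; then
        case "$s" in
            *"Enhanced / Automatic IBRS"*|*"Enhanced IBRS"*) echo ok; return 0 ;;
        esac
    fi
    echo warn
}

# vmscape_report: print the posture using the configured paths.
vmscape_report() {
    printf 'vmscape state : %s (cmdline vmscape=%s)\n' \
        "$(vmscape_state "$VMSCAPE_SYSFS")" "$(vmscape_cmdline "$CMDLINE")"
    printf 'cross-thread  : %s (SMT active=%s, vendor=%s)\n' \
        "$(cross_thread_risk "$SMT_ACTIVE" "$SPECTRE_V2_SYSFS" "$CPUINFO")" \
        "$(smt_active "$SMT_ACTIVE")" "$(cpu_vendor "$CPUINFO")"
}

vmscape_report
```

A "mitigated" state only tells you the kernel will issue the conditional IBPB before returning to the hypervisor process; it says nothing about sibling threads, which is why the second line is reported separately. When it says "warn", the kernel itself has also logged a one-time warning, so dmesg is the place to confirm, and the remedies are the ones the commit lists: disable SMT, or force STIBP system-wide via spectre_v2_user. The vendor gate exists because the log credits only Intel eIBRS with implying STIBP; on AMD the same sysfs wording comes from AutoIBRS and should not be taken as cross-thread protection.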