From 5544b6cf0f616a9efed515ea1d64e9e6e4369561 Mon Sep 17 00:00:00 2001
From: Leonard Foerster
Date: Fri, 8 Sep 2023 13:24:49 +0000
Subject: [PATCH] kernel-6.1: update to 6.1.49

Rebase to Amazon Linux upstream version 6.1.49-69.116.amzn2023. Drop downstream backports of fixes for CVE-2023-20588 as these are now included by the upstream base version.

Signed-off-by: Leonard Foerster
---
 ...e-the-x86-bugs-vector-size-to-two-u3.patch | 48 --------
 ...ot-leak-quotient-data-after-a-divisi.patch | 111 ------------------
 ...MD-Fix-the-DIV-0-initial-fix-attempt.patch | 82 -------------
 packages/kernel-6.1/Cargo.toml | 4 +-
 packages/kernel-6.1/kernel-6.1.spec | 10 +-
 5 files changed, 4 insertions(+), 251 deletions(-)
 delete mode 100644 packages/kernel-6.1/5001-x86-bugs-Increase-the-x86-bugs-vector-size-to-two-u3.patch
 delete mode 100644 packages/kernel-6.1/5002-x86-CPU-AMD-Do-not-leak-quotient-data-after-a-divisi.patch
 delete mode 100644 packages/kernel-6.1/5003-x86-CPU-AMD-Fix-the-DIV-0-initial-fix-attempt.patch

diff --git a/packages/kernel-6.1/5001-x86-bugs-Increase-the-x86-bugs-vector-size-to-two-u3.patch b/packages/kernel-6.1/5001-x86-bugs-Increase-the-x86-bugs-vector-size-to-two-u3.patch
deleted file mode 100644
index 2052baa348b..00000000000
--- a/packages/kernel-6.1/5001-x86-bugs-Increase-the-x86-bugs-vector-size-to-two-u3.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 3bf59e709af08ffd0e321755b5699942474c1962 Mon Sep 17 00:00:00 2001
-From: "Borislav Petkov (AMD)"
-Date: Sat, 8 Jul 2023 10:21:35 +0200
-Subject: [PATCH] x86/bugs: Increase the x86 bugs vector size to two u32s
-
-Upstream commit: 0e52740ffd10c6c316837c6c128f460f1aaba1ea
-
-There was never a doubt in my mind that they would not fit into a single
-u32 eventually.
-
-Signed-off-by: Borislav Petkov (AMD)
-Signed-off-by: Greg Kroah-Hartman
-(cherry picked from commit dfede4cb8ef732039b7a479d260bd89d3b474f14)
-Signed-off-by: Leonard Foerster
----
- arch/x86/include/asm/cpufeatures.h | 2 +-
- tools/arch/x86/include/asm/cpufeatures.h | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
-index b69f948be454..32221013c45d 100644
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -14,7 +14,7 @@
- * Defines x86 CPU feature bits
- */
- #define NCAPINTS 20 /* N 32-bit words worth of info */
--#define NBUGINTS 1 /* N 32-bit bug flags */
-+#define NBUGINTS 2 /* N 32-bit bug flags */
-
- /*
- * Note: If the comment begins with a quoted string, that string is used
-diff --git a/tools/arch/x86/include/asm/cpufeatures.h b/tools/arch/x86/include/asm/cpufeatures.h
-index b71f4f2ecdd5..9ecc62861194 100644
---- a/tools/arch/x86/include/asm/cpufeatures.h
-+++ b/tools/arch/x86/include/asm/cpufeatures.h
-@@ -14,7 +14,7 @@
- * Defines x86 CPU feature bits
- */
- #define NCAPINTS 20 /* N 32-bit words worth of info */
--#define NBUGINTS 1 /* N 32-bit bug flags */
-+#define NBUGINTS 2 /* N 32-bit bug flags */
-
- /*
- * Note: If the comment begins with a quoted string, that string is used
---
-2.40.1
-
diff --git a/packages/kernel-6.1/5002-x86-CPU-AMD-Do-not-leak-quotient-data-after-a-divisi.patch b/packages/kernel-6.1/5002-x86-CPU-AMD-Do-not-leak-quotient-data-after-a-divisi.patch
deleted file mode 100644
index e0ef9e05543..00000000000
--- a/packages/kernel-6.1/5002-x86-CPU-AMD-Do-not-leak-quotient-data-after-a-divisi.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From 35131bf2a0cc0d522f294c21be7d9c2a88c06035 Mon Sep 17 00:00:00 2001
-From: "Borislav Petkov (AMD)"
-Date: Sat, 5 Aug 2023 00:06:43 +0200
-Subject: [PATCH] x86/CPU/AMD: Do not leak quotient data after a division by 0
-
-commit 77245f1c3c6495521f6a3af082696ee2f8ce3921 upstream.
-
-Under certain circumstances, an integer division by 0 which faults, can
-leave stale quotient data from a previous division operation on Zen1
-microarchitectures.
-
-Do a dummy division 0/1 before returning from the #DE exception handler
-in order to avoid any leaks of potentially sensitive data.
-
-Signed-off-by: Borislav Petkov (AMD)
-Cc:
-Signed-off-by: Linus Torvalds
-Signed-off-by: Greg Kroah-Hartman
-(cherry picked from commit f2615bb47be4f53be92c81a6a8aa286c92ef04d9)
-Signed-off-by: Leonard Foerster
----
- arch/x86/include/asm/cpufeatures.h | 2 ++
- arch/x86/include/asm/processor.h | 2 ++
- arch/x86/kernel/cpu/amd.c | 19 +++++++++++++++++++
- arch/x86/kernel/traps.c | 2 ++
- 4 files changed, 25 insertions(+)
-
-diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
-index 32221013c45d..e2d980757511 100644
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -467,4 +467,6 @@
- #define X86_BUG_RAS_POISONING X86_BUG(30) /* CPU is affected by RAS poisoning */
- #define X86_BUG_GDS X86_BUG(31) /* CPU is affected by Gather Data Sampling */
-
-+/* BUG word 2 */
-+#define X86_BUG_DIV0 X86_BUG(1*32 + 1) /* AMD DIV0 speculation bug */
- #endif /* _ASM_X86_CPUFEATURES_H */
-diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
-index d8277eec1bcd..7dc733062313 100644
---- a/arch/x86/include/asm/processor.h
-+++ b/arch/x86/include/asm/processor.h
-@@ -800,9 +800,11 @@ extern u16 get_llc_id(unsigned int cpu);
- #ifdef CONFIG_CPU_SUP_AMD
- extern u32 amd_get_nodes_per_socket(void);
- extern u32 amd_get_highest_perf(void);
-+extern void amd_clear_divider(void);
- #else
- static inline u32 amd_get_nodes_per_socket(void) { return 0; }
- static inline u32 amd_get_highest_perf(void) { return 0; }
-+static inline void amd_clear_divider(void) { }
- #endif
-
- #define for_each_possible_hypervisor_cpuid_base(function) \
-diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
-index 7f4eb8b027cc..7a93bb12302d 100644
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -75,6 +75,10 @@ static const int amd_zenbleed[] =
- AMD_MODEL_RANGE(0x17, 0x60, 0x0, 0x7f, 0xf),
- AMD_MODEL_RANGE(0x17, 0xa0, 0x0, 0xaf, 0xf));
-
-+static const int amd_div0[] =
-+ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0x00, 0x0, 0x2f, 0xf),
-+ AMD_MODEL_RANGE(0x17, 0x50, 0x0, 0x5f, 0xf));
-+
- static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum)
- {
- int osvw_id = *erratum++;
-@@ -1115,6 +1119,11 @@ static void init_amd(struct cpuinfo_x86 *c)
- check_null_seg_clears_base(c);
-
- zenbleed_check(c);
-+
-+ if (cpu_has_amd_erratum(c, amd_div0)) {
-+ pr_notice_once("AMD Zen1 DIV0 bug detected. Disable SMT for full protection.\n");
-+ setup_force_cpu_bug(X86_BUG_DIV0);
-+ }
- }
-
- #ifdef CONFIG_X86_32
-@@ -1256,3 +1265,13 @@ void amd_check_microcode(void)
- {
- on_each_cpu(zenbleed_check_cpu, NULL, 1);
- }
-+
-+/*
-+ * Issue a DIV 0/1 insn to clear any division data from previous DIV
-+ * operations.
-+ */
-+void noinstr amd_clear_divider(void)
-+{
-+ asm volatile(ALTERNATIVE("", "div %2\n\t", X86_BUG_DIV0)
-+ :: "a" (0), "d" (0), "r" (1));
-+}
-diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
-index d3fdec706f1d..80b719ff60ed 100644
---- a/arch/x86/kernel/traps.c
-+++ b/arch/x86/kernel/traps.c
-@@ -206,6 +206,8 @@ DEFINE_IDTENTRY(exc_divide_error)
- {
- do_error_trap(regs, 0, "divide error", X86_TRAP_DE, SIGFPE,
- FPE_INTDIV, error_get_trap_addr(regs));
-+
-+ amd_clear_divider();
- }
-
- DEFINE_IDTENTRY(exc_overflow)
---
-2.40.1
-
diff --git a/packages/kernel-6.1/5003-x86-CPU-AMD-Fix-the-DIV-0-initial-fix-attempt.patch b/packages/kernel-6.1/5003-x86-CPU-AMD-Fix-the-DIV-0-initial-fix-attempt.patch
deleted file mode 100644
index 0e1a58b6e55..00000000000
--- a/packages/kernel-6.1/5003-x86-CPU-AMD-Fix-the-DIV-0-initial-fix-attempt.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 20eb241125391039b9a7248b82e8e6c892522931 Mon Sep 17 00:00:00 2001
-From: "Borislav Petkov (AMD)"
-Date: Fri, 11 Aug 2023 23:38:24 +0200
-Subject: [PATCH] x86/CPU/AMD: Fix the DIV(0) initial fix attempt
-
-commit f58d6fbcb7c848b7f2469be339bc571f2e9d245b upstream.
-
-Initially, it was thought that doing an innocuous division in the #DE
-handler would take care to prevent any leaking of old data from the
-divider but by the time the fault is raised, the speculation has already
-advanced too far and such data could already have been used by younger
-operations.
-
-Therefore, do the innocuous division on every exit to userspace so that
-userspace doesn't see any potentially old data from integer divisions in
-kernel space.
-
-Do the same before VMRUN too, to protect host data from leaking into the
-guest too.
-
-Fixes: 77245f1c3c64 ("x86/CPU/AMD: Do not leak quotient data after a division by 0")
-Signed-off-by: Borislav Petkov (AMD)
-Cc:
-Link: https://lore.kernel.org/r/20230811213824.10025-1-bp@alien8.de
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/include/asm/entry-common.h | 1 +
- arch/x86/kernel/cpu/amd.c | 1 +
- arch/x86/kernel/traps.c | 2 --
- arch/x86/kvm/svm/svm.c | 2 ++
- 4 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/include/asm/entry-common.h b/arch/x86/include/asm/entry-common.h
-index 674ed46d3ced..11203a9fe0a8 100644
---- a/arch/x86/include/asm/entry-common.h
-+++ b/arch/x86/include/asm/entry-common.h
-@@ -92,6 +92,7 @@ static inline void arch_exit_to_user_mode_prepare(struct pt_regs *regs,
- static __always_inline void arch_exit_to_user_mode(void)
- {
- mds_user_clear_cpu_buffers();
-+ amd_clear_divider();
- }
- #define arch_exit_to_user_mode arch_exit_to_user_mode
-
-diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
-index 7a93bb12302d..b76e85f8cdb8 100644
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -1275,3 +1275,4 @@ void noinstr amd_clear_divider(void)
- asm volatile(ALTERNATIVE("", "div %2\n\t", X86_BUG_DIV0)
- :: "a" (0), "d" (0), "r" (1));
- }
-+EXPORT_SYMBOL_GPL(amd_clear_divider);
-diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
-index 80b719ff60ed..d3fdec706f1d 100644
---- a/arch/x86/kernel/traps.c
-+++ b/arch/x86/kernel/traps.c
-@@ -206,8 +206,6 @@ DEFINE_IDTENTRY(exc_divide_error)
- {
- do_error_trap(regs, 0, "divide error", X86_TRAP_DE, SIGFPE,
- FPE_INTDIV, error_get_trap_addr(regs));
--
-- amd_clear_divider();
- }
-
- DEFINE_IDTENTRY(exc_overflow)
-diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
-index fc1649b5931a..9d549826b23f 100644
---- a/arch/x86/kvm/svm/svm.c
-+++ b/arch/x86/kvm/svm/svm.c
-@@ -3940,6 +3940,8 @@ static noinstr void svm_vcpu_enter_exit(struct kvm_vcpu *vcpu, bool spec_ctrl_in
-
- guest_state_enter_irqoff();
-
-+ amd_clear_divider();
-+
- if (sev_es_guest(vcpu->kvm))
- __svm_sev_es_vcpu_run(svm, spec_ctrl_intercepted);
- else
---
-2.40.1
-
diff --git a/packages/kernel-6.1/Cargo.toml b/packages/kernel-6.1/Cargo.toml
index 9f694803db0..e6ad1e28e23 100644
--- a/packages/kernel-6.1/Cargo.toml
+++ b/packages/kernel-6.1/Cargo.toml
@@ -14,8 +14,8 @@ path = "../packages.rs"
 
 [[package.metadata.build-package.external-files]]
 # Use latest-srpm-url.sh to get this.
-url = "https://cdn.amazonlinux.com/al2023/blobstore/789848dec5baccf864b022af695a2a3ac1ba52392a2b6aa83f19dc07d050df0a/kernel-6.1.41-63.114.amzn2023.src.rpm"
-sha512 = "6a66562d23a21ac3fba56cb13680ef2cc0c3fe9b2b77e83c3e6da47ca36016413cd5ebac9266419e835d04f10fb509b00536fc3e38eb0e8d707db5f8fdd8f10e"
+url = "https://cdn.amazonlinux.com/al2023/blobstore/b7fd4bb92caacd373bbd4cf41dca8c29736bf229c08ef80c59bb6063654d058b/kernel-6.1.49-69.116.amzn2023.src.rpm"
+sha512 = "d9ccbf828b0466a226a6bf42e9d8a4482b4acea1bd27f6ba28a823d481d6357688a1594b457a6b8735b611d4d370b2aeb1382726ae694bb03f7aa1cf9ee7a9c2"
 
 [build-dependencies]
 microcode = { path = "../microcode" }
diff --git a/packages/kernel-6.1/kernel-6.1.spec b/packages/kernel-6.1/kernel-6.1.spec
index 42397792c28..94c6cb0bba7 100644
--- a/packages/kernel-6.1/kernel-6.1.spec
+++ b/packages/kernel-6.1/kernel-6.1.spec
@@ -1,13 +1,13 @@
 %global debug_package %{nil}
 
 Name: %{_cross_os}kernel-6.1
-Version: 6.1.41
+Version: 6.1.49
 Release: 1%{?dist}
 Summary: The Linux kernel
 License: GPL-2.0 WITH Linux-syscall-note
 URL: https://www.kernel.org/
 # Use latest-srpm-url.sh to get this.
-Source0: https://cdn.amazonlinux.com/al2023/blobstore/789848dec5baccf864b022af695a2a3ac1ba52392a2b6aa83f19dc07d050df0a/kernel-6.1.41-63.114.amzn2023.src.rpm
+Source0: https://cdn.amazonlinux.com/al2023/blobstore/b7fd4bb92caacd373bbd4cf41dca8c29736bf229c08ef80c59bb6063654d058b/kernel-6.1.49-69.116.amzn2023.src.rpm
 Source100: config-bottlerocket
 Source101: config-bottlerocket-aws
 Source102: config-bottlerocket-metal
@@ -25,12 +25,6 @@ Patch1004: 1004-af_unix-increase-default-max_dgram_qlen-to-512.patch
 # options for nvidia are instead included through DRM_SIMPLE
 Patch1005: 1005-Revert-Revert-drm-fb_helper-improve-CONFIG_FB-depend.patch
 
-# Cherry-picked fixes for CVE-2023-20588 ("DIV0"). Can be dropped when moving
-# upstream to 6.1.48 or later
-Patch5001: 5001-x86-bugs-Increase-the-x86-bugs-vector-size-to-two-u3.patch
-Patch5002: 5002-x86-CPU-AMD-Do-not-leak-quotient-data-after-a-divisi.patch
-Patch5003: 5003-x86-CPU-AMD-Fix-the-DIV-0-initial-fix-attempt.patch
-
 BuildRequires: bc
 BuildRequires: elfutils-devel
 BuildRequires: hostname