Note: I believe this change only applies to stable backports.
For kernels compiled with CONFIG_INIT_STACK_NONE=y, the value of __reserved bitfield in zen_patch_rev union on the stack may be garbage. If so, it will prevent correct microcode check when consulting p.ucode_rev, resulting in incorrect mitigation selection.
Signed-off-by: Michael Zhivich mzhivich@akamai.com Fixes: 7a0395f6607a ("x86/bugs: Add a Transient Scheduler Attacks mitigation") --- arch/x86/kernel/cpu/amd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c index efd42ee9d1cc..91b21814ce8c 100644 --- a/arch/x86/kernel/cpu/amd.c +++ b/arch/x86/kernel/cpu/amd.c @@ -371,7 +371,7 @@ static void bsp_determine_snp(struct cpuinfo_x86 *c) static bool amd_check_tsa_microcode(void) { struct cpuinfo_x86 *c = &boot_cpu_data; - union zen_patch_rev p; + union zen_patch_rev p = {0}; u32 min_rev = 0;
p.ext_fam = c->x86 - 0xf;
Hi,
Thanks for your patch.
FYI: kernel test robot notices the stable kernel rule is not satisfied.
The check is based on https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html#opti...
Rule: add the tag "Cc: stable@vger.kernel.org" in the sign-off area to have the patch automatically included in the stable tree. Subject: [PATCH] x86/bugs: Fix use of possibly uninit value in amd_check_tsa_microcode() Link: https://lore.kernel.org/stable/20250721230712.2093341-1-mzhivich%40akamai.co...
On Mon, Jul 21, 2025 at 07:07:12PM -0400, Michael Zhivich wrote:
Note: I believe this change only applies to stable backports.
Right, I need to go look in detail which of the 5.10-6.12 stable trees which got this variant, do have CONFIG_INIT_STACK_NONE.
For kernels compiled with CONFIG_INIT_STACK_NONE=y, the value of __reserved bitfield in zen_patch_rev union on the stack may be garbage. If so, it will prevent correct microcode check when consulting p.ucode_rev, resulting in incorrect mitigation selection.
Uuuh, nasty. Good catch.
Signed-off-by: Michael Zhivich mzhivich@akamai.com Fixes: 7a0395f6607a ("x86/bugs: Add a Transient Scheduler Attacks mitigation")
arch/x86/kernel/cpu/amd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c index efd42ee9d1cc..91b21814ce8c 100644 --- a/arch/x86/kernel/cpu/amd.c +++ b/arch/x86/kernel/cpu/amd.c @@ -371,7 +371,7 @@ static void bsp_determine_snp(struct cpuinfo_x86 *c) static bool amd_check_tsa_microcode(void) { struct cpuinfo_x86 *c = &boot_cpu_data;
- union zen_patch_rev p;
- union zen_patch_rev p = {0};
Instead of doing this...
u32 min_rev = 0; p.ext_fam = c->x86 - 0xf;
... you should assign __reserved here to 0 too and put a comment above it why we're doing that.
This will save us the init writes to 0 which get overwritten with the actual f/m/s anyway.
Thx.
linux-stable-mirror@lists.linaro.org
-
Borislav Petkov -
kernel test robot -
Michael Zhivich