TSA mitigation doesn't work on 6.6.y

TSA mitigation doesn't work on 6.6.y

[Thomas Voegtle]

Hello,

with kernel v6.16-rc5-121-gbc9ff192a6c9 I see this:

cat /sys/devices/system/cpu/vulnerabilities/tsa
Mitigation: Clear CPU buffers

dmesg | grep micro
[    1.479203] microcode: Current revision: 0x0a20102e
[    1.479206] microcode: Updated early from: 0x0a201016

So, this works.

but same machine with 6.6.97:
dmesg | grep micro
[    0.451496] Transient Scheduler Attacks: Vulnerable: Clear CPU buffers
attempted, no microcode
[    1.077149] microcode: Current revision: 0x0a20102e
[    1.077152] microcode: Updated early from: 0x0a201016

so:
cat /sys/devices/system/cpu/vulnerabilities/tsa
Vulnerable: Clear CPU buffers attempted, no microcode

but it is switched on:
zcat /proc/config.gz | grep TSA
CONFIG_MITIGATION_TSA=y

And other stuff which need microcode works:
cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
Mitigation: Safe RET

without microcode you wwould see:
Vulnerable: Safe RET, no microcode


6.12.37 broken too
6.15.6 works
v6.16-rc5-121-gbc9ff192a6c9 works


This is a:
processor       : 11
vendor_id       : AuthenticAMD
cpu family      : 25
model           : 33
model name      : AMD Ryzen 5 5600X 6-Core Processor
stepping        : 0
microcode       : 0xa20102e


Is something missing in 6.6.y and 6.12.y?


     Thomas

Re: TSA mitigation doesn't work on 6.6.y

[Borislav Petkov]

On Fri, Jul 11, 2025 at 02:03:31PM +0200, Thomas Voegtle wrote:
> Is something missing in 6.6.y and 6.12.y?

I have a suspicion. Run the below patch, pls, and send me full dmesg.

Also send me your .config.

Thx.

---
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index 1180689a2390..104a2375c281 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -569,12 +569,15 @@ static bool amd_check_tsa_microcode(void)
 		case 0xa70c0:	min_rev = 0x0a70c008; break;
 		case 0xaa002:	min_rev = 0x0aa00216; break;
 		default:
-			pr_debug("%s: ucode_rev: 0x%x, current revision: 0x%x\n",
+			pr_info("%s: ucode_rev: 0x%x, current revision: 0x%x\n",
 				 __func__, p.ucode_rev, c->microcode);
 			return false;
 		}
 	}
 
+	pr_info("c->microcode: 0x%x, min_rev: 0x%x\n",
+		c->microcode, min_rev);
+
 	if (!min_rev)
 		return false;
 

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: TSA mitigation doesn't work on 6.6.y

[Thomas Voegtle]

[-- Attachment #1: Type: text/plain, Size: 1410 bytes --]

On Fri, 11 Jul 2025, Borislav Petkov wrote:

> On Fri, Jul 11, 2025 at 02:03:31PM +0200, Thomas Voegtle wrote:
>> Is something missing in 6.6.y and 6.12.y?
>
> I have a suspicion. Run the below patch, pls, and send me full dmesg.
>
> Also send me your .config.
>
> Thx.
>
> ---
> diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
> index 1180689a2390..104a2375c281 100644
> --- a/arch/x86/kernel/cpu/amd.c
> +++ b/arch/x86/kernel/cpu/amd.c
> @@ -569,12 +569,15 @@ static bool amd_check_tsa_microcode(void)
> 		case 0xa70c0:	min_rev = 0x0a70c008; break;
> 		case 0xaa002:	min_rev = 0x0aa00216; break;
> 		default:
> -			pr_debug("%s: ucode_rev: 0x%x, current revision: 0x%x\n",
> +			pr_info("%s: ucode_rev: 0x%x, current revision: 0x%x\n",
> 				 __func__, p.ucode_rev, c->microcode);
> 			return false;
> 		}
> 	}
>
> +	pr_info("c->microcode: 0x%x, min_rev: 0x%x\n",
> +		c->microcode, min_rev);
> +
> 	if (!min_rev)
> 		return false;
>
>
>

dmesg | grep -E '(micro|min_rev)'
[    0.000000] amd_check_tsa_microcode: ucode_rev: 0xa001000, current 
revision: 0xa20102e
[    0.543235] Transient Scheduler Attacks: Vulnerable: Clear CPU buffers 
attempted, no microcode
[    1.168831] microcode: Current revision: 0x0a20102e
[    1.168835] microcode: Updated early from: 0x0a201016
[    1.168922] microcode: Microcode Update Driver: v2.2.


dmesg and config are attached.

thanks,

        Thomas

[-- Attachment #2: Type: application/x-gzip, Size: 46027 bytes --]

[-- Attachment #3: Type: application/x-gzip, Size: 19117 bytes --]

Re: TSA mitigation doesn't work on 6.6.y

[Borislav Petkov]

On Fri, Jul 11, 2025 at 03:15:22PM +0200, Thomas Voegtle wrote:
> dmesg | grep -E '(micro|min_rev)'
> [    0.000000] amd_check_tsa_microcode: ucode_rev: 0xa001000, current
> revision: 0xa20102e

Damn ext model.

Try the below and send dmesg again pls. I think this should work.

---

diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index 1180689a2390..6717abe569c8 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -547,6 +547,7 @@ static bool amd_check_tsa_microcode(void)
 
 	p.ext_fam	= c->x86 - 0xf;
 	p.model		= c->x86_model;
+	p.ext_model	= c->x86_model >> 4;
 	p.stepping	= c->x86_stepping;
 
 	if (cpu_has(c, X86_FEATURE_ZEN3) ||
@@ -569,12 +570,15 @@ static bool amd_check_tsa_microcode(void)
 		case 0xa70c0:	min_rev = 0x0a70c008; break;
 		case 0xaa002:	min_rev = 0x0aa00216; break;
 		default:
-			pr_debug("%s: ucode_rev: 0x%x, current revision: 0x%x\n",
+			pr_info("%s: ucode_rev: 0x%x, current revision: 0x%x\n",
 				 __func__, p.ucode_rev, c->microcode);
 			return false;
 		}
 	}
 
+	pr_info("c->microcode: 0x%x, min_rev: 0x%x, ucode_rev: 0x%x\n",
+		c->microcode, min_rev, p.ucode_rev);
+
 	if (!min_rev)
 		return false;
 

Re: TSA mitigation doesn't work on 6.6.y

[Thomas Voegtle]

[-- Attachment #1: Type: text/plain, Size: 1693 bytes --]

On Fri, 11 Jul 2025, Borislav Petkov wrote:

> On Fri, Jul 11, 2025 at 03:15:22PM +0200, Thomas Voegtle wrote:
>> dmesg | grep -E '(micro|min_rev)'
>> [    0.000000] amd_check_tsa_microcode: ucode_rev: 0xa001000, current
>> revision: 0xa20102e
>
> Damn ext model.
>
> Try the below and send dmesg again pls. I think this should work.
>
> ---
>
> diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
> index 1180689a2390..6717abe569c8 100644
> --- a/arch/x86/kernel/cpu/amd.c
> +++ b/arch/x86/kernel/cpu/amd.c
> @@ -547,6 +547,7 @@ static bool amd_check_tsa_microcode(void)
>
> 	p.ext_fam	= c->x86 - 0xf;
> 	p.model		= c->x86_model;
> +	p.ext_model	= c->x86_model >> 4;
> 	p.stepping	= c->x86_stepping;
>
> 	if (cpu_has(c, X86_FEATURE_ZEN3) ||
> @@ -569,12 +570,15 @@ static bool amd_check_tsa_microcode(void)
> 		case 0xa70c0:	min_rev = 0x0a70c008; break;
> 		case 0xaa002:	min_rev = 0x0aa00216; break;
> 		default:
> -			pr_debug("%s: ucode_rev: 0x%x, current revision: 0x%x\n",
> +			pr_info("%s: ucode_rev: 0x%x, current revision: 0x%x\n",
> 				 __func__, p.ucode_rev, c->microcode);
> 			return false;
> 		}
> 	}
>
> +	pr_info("c->microcode: 0x%x, min_rev: 0x%x, ucode_rev: 0x%x\n",
> +		c->microcode, min_rev, p.ucode_rev);
> +
> 	if (!min_rev)
> 		return false;
>
>
>

This works.


cat /sys/devices/system/cpu/vulnerabilities/tsa
Mitigation: Clear CPU buffers


dmesg | grep -E '(micro|min_rev)'
[    0.000000] c->microcode: 0xa20102e, min_rev: 0xa20102e, ucode_rev: 
0xa201000
[    1.086174] microcode: Current revision: 0x0a20102e
[    1.086178] microcode: Updated early from: 0x0a201016
[    1.086269] microcode: Microcode Update Driver: v2.2.

thanks,

       Thomas

[-- Attachment #2: Type: application/x-gzip, Size: 18972 bytes --]

Re: TSA mitigation doesn't work on 6.6.y

[Borislav Petkov]

On Fri, Jul 11, 2025 at 06:03:39PM +0200, Thomas Voegtle wrote:
> This works.

Cool, thanks.

If you have 6.12-stable ready, can you pls check it works there too?

The diff applies there too.

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: TSA mitigation doesn't work on 6.6.y

[Thomas Voegtle]

[-- Attachment #1: Type: text/plain, Size: 1438 bytes --]

On Fri, 11 Jul 2025, Borislav Petkov wrote:

> On Fri, Jul 11, 2025 at 06:03:39PM +0200, Thomas Voegtle wrote:
>> This works.
>
> Cool, thanks.
>
> If you have 6.12-stable ready, can you pls check it works there too?
>
> The diff applies there too.


Already did that, 6.12-stable + patch also works.

And then I tried 5.15.187, patch applies, but doesn't work.

dmesg | grep -E '(micro|min_rev)'
[    0.364500] Transient Scheduler Attacks: Vulnerable: Clear CPU buffers 
attempted, no microcode
[    1.524345] microcode: microcode updated early to new 
patch_level=0x0a20102e
[    1.524364] microcode: CPU0: patch_level=0x0a20102e
[    1.524370] microcode: CPU1: patch_level=0x0a20102e
[    1.524376] microcode: CPU2: patch_level=0x0a20102e
[    1.524384] microcode: CPU3: patch_level=0x0a20102e
[    1.524392] microcode: CPU4: patch_level=0x0a20102e
[    1.524400] microcode: CPU5: patch_level=0x0a20102e
[    1.524407] microcode: CPU6: patch_level=0x0a20102e
[    1.524412] microcode: CPU7: patch_level=0x0a20102e
[    1.524416] microcode: CPU8: patch_level=0x0a20102e
[    1.524422] microcode: CPU9: patch_level=0x0a20102e
[    1.524428] microcode: CPU10: patch_level=0x0a20102e
[    1.524434] microcode: CPU11: patch_level=0x0a20102e
[    1.524438] microcode: Microcode Update Driver: v2.2.

cat /sys/devices/system/cpu/vulnerabilities/tsa
Vulnerable: Clear CPU buffers attempted, no microcode

dmesg attached.


thanks,

    Thomas

[-- Attachment #2: Type: application/x-gzip, Size: 18121 bytes --]

Re: TSA mitigation doesn't work on 6.6.y

[Borislav Petkov]

On Fri, Jul 11, 2025 at 06:56:18PM +0200, Thomas Voegtle wrote:
> And then I tried 5.15.187, patch applies, but doesn't work.

Pff, try this:

---

diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index d409ba7fba85..8b9753d4822d 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -590,6 +590,7 @@ static bool amd_check_tsa_microcode(void)
 
 	p.ext_fam	= c->x86 - 0xf;
 	p.model		= c->x86_model;
+	p.ext_model	= c->x86_model >> 4;
 	p.stepping	= c->x86_stepping;
 
 	if (c->x86 == 0x19) {
@@ -611,12 +612,15 @@ static bool amd_check_tsa_microcode(void)
 		case 0xa70c0:	min_rev = 0x0a70c008; break;
 		case 0xaa002:	min_rev = 0x0aa00216; break;
 		default:
-			pr_debug("%s: ucode_rev: 0x%x, current revision: 0x%x\n",
+			pr_info("%s: ucode_rev: 0x%x, current revision: 0x%x\n",
 				 __func__, p.ucode_rev, c->microcode);
 			return false;
 		}
 	}
 
+	pr_info("c->microcode: 0x%x, min_rev: 0x%x, ucode_rev: 0x%x\n",
+		c->microcode, min_rev, p.ucode_rev);
+
 	if (!min_rev)
 		return false;
 
@@ -704,6 +708,8 @@ static void bsp_init_amd(struct cpuinfo_x86 *c)
 	}
 
 	resctrl_cpu_detect(c);
+
+	tsa_init(c);
 }
 
 static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
@@ -743,8 +749,6 @@ static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
 			goto clear_sev;
 
 
-	tsa_init(c);
-
 		return;
 
 clear_all:


-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: TSA mitigation doesn't work on 6.6.y

[Thomas Voegtle]

[-- Attachment #1: Type: text/plain, Size: 1610 bytes --]

On Fri, 11 Jul 2025, Borislav Petkov wrote:

> On Fri, Jul 11, 2025 at 06:56:18PM +0200, Thomas Voegtle wrote:
>> And then I tried 5.15.187, patch applies, but doesn't work.
>
> Pff, try this:
>
> ---
>
> diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
> index d409ba7fba85..8b9753d4822d 100644
> --- a/arch/x86/kernel/cpu/amd.c
> +++ b/arch/x86/kernel/cpu/amd.c
> @@ -590,6 +590,7 @@ static bool amd_check_tsa_microcode(void)
>
> 	p.ext_fam	= c->x86 - 0xf;
> 	p.model		= c->x86_model;
> +	p.ext_model	= c->x86_model >> 4;
> 	p.stepping	= c->x86_stepping;
>
> 	if (c->x86 == 0x19) {
> @@ -611,12 +612,15 @@ static bool amd_check_tsa_microcode(void)
> 		case 0xa70c0:	min_rev = 0x0a70c008; break;
> 		case 0xaa002:	min_rev = 0x0aa00216; break;
> 		default:
> -			pr_debug("%s: ucode_rev: 0x%x, current revision: 0x%x\n",
> +			pr_info("%s: ucode_rev: 0x%x, current revision: 0x%x\n",
> 				 __func__, p.ucode_rev, c->microcode);
> 			return false;
> 		}
> 	}
>
> +	pr_info("c->microcode: 0x%x, min_rev: 0x%x, ucode_rev: 0x%x\n",
> +		c->microcode, min_rev, p.ucode_rev);
> +
> 	if (!min_rev)
> 		return false;
>
> @@ -704,6 +708,8 @@ static void bsp_init_amd(struct cpuinfo_x86 *c)
> 	}
>
> 	resctrl_cpu_detect(c);
> +
> +	tsa_init(c);
> }
>
> static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
> @@ -743,8 +749,6 @@ static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
> 			goto clear_sev;
>
>
> -	tsa_init(c);
> -
> 		return;
>
> clear_all:
>
>
>

works.
cat /sys/devices/system/cpu/vulnerabilities/tsa
Mitigation: Clear CPU buffers

dmesg attached


thanks,

       Thomas

[-- Attachment #2: Type: application/x-gzip, Size: 18146 bytes --]

Re: TSA mitigation doesn't work on 6.6.y

[Borislav Petkov]

On Fri, Jul 11, 2025 at 08:11:03PM +0200, Thomas Voegtle wrote:
> works.
> cat /sys/devices/system/cpu/vulnerabilities/tsa
> Mitigation: Clear CPU buffers

Thanks a lot for reporting and testing!

I'll add your tags to the fixes.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

[PATCH 6.12-stable] x86/CPU/AMD: Properly check the TSA microcode

[Borislav Petkov]

From 619edb968458b6c558abfa1062c8e27a90eae662 Mon Sep 17 00:00:00 2001
From: "Borislav Petkov (AMD)" <bp@alien8.de>
Date: Fri, 11 Jul 2025 17:40:18 +0200

In order to simplify backports, I resorted to an older version of the
microcode revision checking which didn't pull in the whole struct
x86_cpu_id matching machinery.

My simpler method, however, forgot to add the extended CPU model to the
patch revision, which lead to mismatches when determining whether TSA
mitigation support is present.

So add that forgotten extended model.

This is a stable-only fix and the preference is to do it this way
because it is a lot simpler. Also, the Fixes: tag below points to the
respective stable patch.

Fixes: 7a0395f6607a ("x86/bugs: Add a Transient Scheduler Attacks mitigation")
Reported-by: Thomas Voegtle <tv@lio96.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Tested-by: Thomas Voegtle <tv@lio96.de>
Message-ID: <04ea0a8e-edb0-c59e-ce21-5f3d5d167af3@lio96.de>
---
 arch/x86/kernel/cpu/amd.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index 8a740e92e483..b42307200e98 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -376,6 +376,7 @@ static bool amd_check_tsa_microcode(void)
 
 	p.ext_fam	= c->x86 - 0xf;
 	p.model		= c->x86_model;
+	p.ext_model	= c->x86_model >> 4;
 	p.stepping	= c->x86_stepping;
 
 	if (cpu_has(c, X86_FEATURE_ZEN3) ||
-- 
2.43.0

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH 6.12-stable] x86/CPU/AMD: Properly check the TSA microcode

[Sasha Levin]

[ Sasha's backport helper bot ]

Hi,

Summary of potential issues:
⚠️ Could not find matching upstream commit

No upstream commit was identified. Using temporary commit for testing.

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.12.y       |  Success    |  Success   |

[PATCH 6.6-stable] x86/CPU/AMD: Properly check the TSA microcode

[Borislav Petkov]

From: "Borislav Petkov (AMD)" <bp@alien8.de>
Date: Fri, 11 Jul 2025 17:40:18 +0200

In order to simplify backports, I resorted to an older version of the
microcode revision checking which didn't pull in the whole struct
x86_cpu_id matching machinery.

My simpler method, however, forgot to add the extended CPU model to the
patch revision, which lead to mismatches when determining whether TSA
mitigation support is present.

So add that forgotten extended model.

This is a stable-only fix and the preference is to do it this way
because it is a lot simpler. Also, the Fixes: tag below points to the
respective stable patch.

Fixes: 90293047df18 ("x86/bugs: Add a Transient Scheduler Attacks mitigation")
Reported-by: Thomas Voegtle <tv@lio96.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Tested-by: Thomas Voegtle <tv@lio96.de>
Message-ID: <04ea0a8e-edb0-c59e-ce21-5f3d5d167af3@lio96.de>
---
 arch/x86/kernel/cpu/amd.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index 1180689a2390..f6690df70b43 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -547,6 +547,7 @@ static bool amd_check_tsa_microcode(void)
 
 	p.ext_fam	= c->x86 - 0xf;
 	p.model		= c->x86_model;
+	p.ext_model	= c->x86_model >> 4;
 	p.stepping	= c->x86_stepping;
 
 	if (cpu_has(c, X86_FEATURE_ZEN3) ||
-- 
2.43.0

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH 6.6-stable] x86/CPU/AMD: Properly check the TSA microcode

[Sasha Levin]

[ Sasha's backport helper bot ]

Hi,

Summary of potential issues:
⚠️ Could not find matching upstream commit

No upstream commit was identified. Using temporary commit for testing.

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.6.y        |  Success    |  Success   |

[PATCH 6.1-stable] x86/CPU/AMD: Properly check the TSA microcode

[Borislav Petkov]

From: "Borislav Petkov (AMD)" <bp@alien8.de>
Date: Fri, 11 Jul 2025 17:40:18 +0200

In order to simplify backports, I resorted to an older version of the
microcode revision checking which didn't pull in the whole struct
x86_cpu_id matching machinery.

My simpler method, however, forgot to add the extended CPU model to the
patch revision, which lead to mismatches when determining whether TSA
mitigation support is present.

So add that forgotten extended model.

Also, fix a backport mismerge which put tsa_init() where it doesn't
belong.

This is a stable-only fix and the preference is to do it this way
because it is a lot simpler. Also, the Fixes: tag below points to the
respective stable patch.

Fixes: 90293047df18 ("x86/bugs: Add a Transient Scheduler Attacks mitigation")
Reported-by: Thomas Voegtle <tv@lio96.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Message-ID: <04ea0a8e-edb0-c59e-ce21-5f3d5d167af3@lio96.de>
---
 arch/x86/kernel/cpu/amd.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index 3e3679709e90..4785d41558d6 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -561,6 +561,7 @@ static bool amd_check_tsa_microcode(void)
 
 	p.ext_fam	= c->x86 - 0xf;
 	p.model		= c->x86_model;
+	p.ext_model	= c->x86_model >> 4;
 	p.stepping	= c->x86_stepping;
 
 	if (c->x86 == 0x19) {
@@ -675,6 +676,8 @@ static void bsp_init_amd(struct cpuinfo_x86 *c)
 	}
 
 	resctrl_cpu_detect(c);
+
+	tsa_init(c);
 }
 
 static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
@@ -719,8 +722,6 @@ static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
 			goto clear_sev;
 
 
-	tsa_init(c);
-
 		return;
 
 clear_all:
-- 
2.43.0


-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH 6.1-stable] x86/CPU/AMD: Properly check the TSA microcode

[Sasha Levin]

[ Sasha's backport helper bot ]

Hi,

Summary of potential issues:
⚠️ Could not find matching upstream commit

No upstream commit was identified. Using temporary commit for testing.

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y        |  Success    |  Success   |

[PATCH 5.15-stable] x86/CPU/AMD: Properly check the TSA microcode

[Borislav Petkov]

From: "Borislav Petkov (AMD)" <bp@alien8.de>
Date: Fri, 11 Jul 2025 17:40:18 +0200

In order to simplify backports, I resorted to an older version of the
microcode revision checking which didn't pull in the whole struct
x86_cpu_id matching machinery.

My simpler method, however, forgot to add the extended CPU model to the
patch revision, which lead to mismatches when determining whether TSA
mitigation support is present.

So add that forgotten extended model.

Also, fix a backport mismerge which put tsa_init() where it doesn't
belong.

This is a stable-only fix and the preference is to do it this way
because it is a lot simpler. Also, the Fixes: tag below points to the
respective stable patch.

Fixes: 90293047df18 ("x86/bugs: Add a Transient Scheduler Attacks mitigation")
Reported-by: Thomas Voegtle <tv@lio96.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Tested-by: Thomas Voegtle <tv@lio96.de>
Message-ID: <04ea0a8e-edb0-c59e-ce21-5f3d5d167af3@lio96.de>
---
 arch/x86/kernel/cpu/amd.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index d409ba7fba85..04ac18ff022f 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -590,6 +590,7 @@ static bool amd_check_tsa_microcode(void)
 
 	p.ext_fam	= c->x86 - 0xf;
 	p.model		= c->x86_model;
+	p.ext_model	= c->x86_model >> 4;
 	p.stepping	= c->x86_stepping;
 
 	if (c->x86 == 0x19) {
@@ -704,6 +705,8 @@ static void bsp_init_amd(struct cpuinfo_x86 *c)
 	}
 
 	resctrl_cpu_detect(c);
+
+	tsa_init(c);
 }
 
 static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
@@ -743,8 +746,6 @@ static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
 			goto clear_sev;
 
 
-	tsa_init(c);
-
 		return;
 
 clear_all:
-- 
2.43.0


-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH 5.15-stable] x86/CPU/AMD: Properly check the TSA microcode

[Greg KH]

On Fri, Jul 11, 2025 at 09:45:58PM +0200, Borislav Petkov wrote:
> From: "Borislav Petkov (AMD)" <bp@alien8.de>
> Date: Fri, 11 Jul 2025 17:40:18 +0200
> 
> In order to simplify backports, I resorted to an older version of the
> microcode revision checking which didn't pull in the whole struct
> x86_cpu_id matching machinery.
> 
> My simpler method, however, forgot to add the extended CPU model to the
> patch revision, which lead to mismatches when determining whether TSA
> mitigation support is present.
> 
> So add that forgotten extended model.
> 
> Also, fix a backport mismerge which put tsa_init() where it doesn't
> belong.
> 
> This is a stable-only fix and the preference is to do it this way
> because it is a lot simpler. Also, the Fixes: tag below points to the
> respective stable patch.
> 
> Fixes: 90293047df18 ("x86/bugs: Add a Transient Scheduler Attacks mitigation")
> Reported-by: Thomas Voegtle <tv@lio96.de>
> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
> Tested-by: Thomas Voegtle <tv@lio96.de>
> Message-ID: <04ea0a8e-edb0-c59e-ce21-5f3d5d167af3@lio96.de>
> ---
>  arch/x86/kernel/cpu/amd.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)

All now queued up, thanks.

greg k-h

Re: [PATCH 5.15-stable] x86/CPU/AMD: Properly check the TSA microcode

[Sasha Levin]

[ Sasha's backport helper bot ]

Hi,

Summary of potential issues:
⚠️ Could not find matching upstream commit

No upstream commit was identified. Using temporary commit for testing.

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.15.y       |  Success    |  Success   |

Re: [PATCH 5.15-stable] x86/CPU/AMD: Properly check the TSA microcode

[Borislav Petkov]

Dear Sasha's backport helper bot,

On Sun, Jul 13, 2025 at 09:06:05AM -0400, Sasha Levin wrote:
> [ Sasha's backport helYper bot ]
> 
> Hi,
> 
> Summary of potential issues:
> ⚠️ Could not find matching upstream commit
> 
> No upstream commit was identified. Using temporary commit for testing.

I think you need to be trained more to actually read commit messages too.
Because there it is explained why.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH 5.15-stable] x86/CPU/AMD: Properly check the TSA microcode

[Sasha Levin]

On Sun, Jul 13, 2025 at 06:10:32PM +0200, Borislav Petkov wrote:
>Dear Sasha's backport helper bot,
>
>On Sun, Jul 13, 2025 at 09:06:05AM -0400, Sasha Levin wrote:
>> [ Sasha's backport helYper bot ]
>>
>> Hi,
>>
>> Summary of potential issues:
>> ⚠️ Could not find matching upstream commit
>>
>> No upstream commit was identified. Using temporary commit for testing.
>
>I think you need to be trained more to actually read commit messages too.
>Because there it is explained why.

I'll add "stable-only" as a filter, but you have to promise using it on
all of these backports going forward :)

-- 
Thanks,
Sasha

Re: [PATCH 5.15-stable] x86/CPU/AMD: Properly check the TSA microcode

[Borislav Petkov]

On Sun, Jul 13, 2025 at 09:50:25PM -0400, Sasha Levin wrote:
> I'll add "stable-only" as a filter, but you have to promise using it on
> all of these backports going forward :)

Pinky swear!

:-P

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH 5.15-stable] x86/CPU/AMD: Properly check the TSA microcode

[Sasha Levin]

On Mon, Jul 14, 2025 at 12:28:19PM +0200, Borislav Petkov wrote:
>On Sun, Jul 13, 2025 at 09:50:25PM -0400, Sasha Levin wrote:
>> I'll add "stable-only" as a filter, but you have to promise using it on
>> all of these backports going forward :)
>
>Pinky swear!
>
>:-P

https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/commit/?id=821ca5c7308ff85cef8028124dd0755d0eeced0c

-- 
Thanks,
Sasha

Re: [PATCH 5.15-stable] x86/CPU/AMD: Properly check the TSA microcode

[Borislav Petkov]

On Mon, Jul 14, 2025 at 12:30:11PM -0400, Sasha Levin wrote:
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/commit/?id=821ca5c7308ff85cef8028124dd0755d0eeced0c

LOOL.

I might have another one though but I'll stick to the protocol.

:-P

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette