[PATCH v2] x86/bugs: Fix use of possibly uninit value in amd_check_tsa_microcode()

From: Michael Zhivich
Date: Tue Jul 22 2025 - 08:31:05 EST

Next message: Greg Kroah-Hartman: "Re: [syzbot] [io-uring?] KASAN: slab-use-after-free Read in io_poll_remove_entries"
Previous message: Ilpo Järvinen: "Re: [PATCH v8] PCI: hotplug: Add a generic RAS tracepoinggt for hotplug event"
Next in thread: Borislav Petkov: "Re: [PATCH v2] x86/bugs: Fix use of possibly uninit value in amd_check_tsa_microcode()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

For kernels compiled with CONFIG_INIT_STACK_NONE=y, the value of __reserved
field in zen_patch_rev union on the stack may be garbage. If so, it will
prevent correct microcode check when consulting p.ucode_rev, resulting in
incorrect mitigation selection.

Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Michael Zhivich <mzhivich@xxxxxxxxxx>
Fixes: 7a0395f6607a5 ("x86/bugs: Add a Transient Scheduler Attacks mitigation")
---

Changes in v2:
- Rework patch per feedback
- Add Cc: stable

arch/x86/kernel/cpu/amd.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index efd42ee9d1cc..289ff197b1b3 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -378,6 +378,8 @@ static bool amd_check_tsa_microcode(void)
p.model = c->x86_model;
p.ext_model = c->x86_model >> 4;
p.stepping = c->x86_stepping;
+ /* reserved bits are expected to be 0 in test below */
+ p.__reserved = 0;

if (cpu_has(c, X86_FEATURE_ZEN3) ||
cpu_has(c, X86_FEATURE_ZEN4)) {
--
2.34.1

Next message: Greg Kroah-Hartman: "Re: [syzbot] [io-uring?] KASAN: slab-use-after-free Read in io_poll_remove_entries"
Previous message: Ilpo Järvinen: "Re: [PATCH v8] PCI: hotplug: Add a generic RAS tracepoinggt for hotplug event"
Next in thread: Borislav Petkov: "Re: [PATCH v2] x86/bugs: Fix use of possibly uninit value in amd_check_tsa_microcode()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]