
[xen staging-4.18] x86/amd: Mitigate AMD-SN-7053 / FP-DSS



commit 9f070ec7885693af289add01cdf4a4d7918a3f34
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Fri Apr 10 21:55:46 2026 +0100
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Fri Apr 17 18:18:28 2026 +0100

    x86/amd: Mitigate AMD-SN-7053 / FP-DSS
    
    This is XSA-488 / CVE-2025-54505
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
    (cherry picked from commit 99912d346009fda1e7fb1510c9501fbab17e92a0)
---
 xen/arch/x86/cpu/amd.c               | 38 ++++++++++++++++++++++++++++++++++++
 xen/arch/x86/include/asm/msr-index.h |  1 +
 2 files changed, 39 insertions(+)

diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c
index c448997be5..43cd3ae9ba 100644
--- a/xen/arch/x86/cpu/amd.c
+++ b/xen/arch/x86/cpu/amd.c
@@ -1009,6 +1009,42 @@ static void cf_check fam17_disable_c6(void *arg)
        wrmsrl(MSR_AMD_CSTATE_CFG, val & mask);
 }
 
+static void amd_init_fp_cfg(const struct cpuinfo_x86 *c)
+{
+    uint64_t val, new = 0;
+
+    /* If virtualised, we won't have mutable access even if we can read it. */
+    if ( cpu_has_hypervisor )
+        return;
+
+    /*
+     * On Zen1, mitigate SB-7053 / FP-DSS Floating Point Divider State
+     * Sampling by setting bit 9 as instructed.
+     */
+    if ( c->x86 == 0x17 && is_zen1_uarch() )
+        new |= 1 << 9;
+
+    /*
+     * Avoid reading FP_CFG if we don't intend to change anything.  The
+     * register doesn't exist on all families.
+     */
+    if ( !new )
+        return;
+
+    rdmsrl(MSR_AMD64_FP_CFG, val);
+
+    if ( (val & new) == new )
+        return;
+
+    /*
+     * FP_CFG is a Core-scoped MSR, and this write is racy.  However, both
+     * threads calculate the new value from state which expected to be
+     * consistent across CPUs and unrelated to the old value, so the result
+     * should be consistent.
+     */
+    wrmsrl(MSR_AMD64_FP_CFG, val | new);
+}
+
 static void amd_check_bp_cfg(void)
 {
        uint64_t val, new = 0;
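Review bot: The mitigation bit in amd_init_fp_cfg() is a bare, int-typed `1 << 9`, while the neighbouring MSR bits in msr-index.h are named and 64-bit, as in `AMD64_DE_CFG_LFENCE_SERIALISE (_AC(1, ULL) << 1)`. A constant of the same form beside `MSR_AMD64_FP_CFG`, e.g. `#define AMD64_FP_CFG_<NAME> (_AC(1, ULL) << 9)`, would make the setting greppable and keep `new |= ...` correct if a bit at position 31 or above is ever added. The `cpu_has_hypervisor` early return leaves the mitigation to the outer hypervisor with no trace, so I would extend that comment to say so, e.g. `/* ... Mitigating FP-DSS is then the outer hypervisor's job. */`. The comment above the Zen1 check cites "SB-7053" while the commit title says "AMD-SN-7053"; presumably one of the two is a typo and they should be aligned. The last comment's "state which expected" is also missing "is".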
@@ -1053,6 +1089,8 @@ static void cf_check init_amd(struct cpuinfo_x86 *c)
 
        unsigned long long value;
 
+       amd_init_fp_cfg(c);
+
        /* Disable TLB flush filter by setting HWCR.FFDIS on K8
         * bit 6 of msr C001_0015
         *
diff --git a/xen/arch/x86/include/asm/msr-index.h 
b/xen/arch/x86/include/asm/msr-index.h
index c9f980cd57..516ee26d70 100644
--- a/xen/arch/x86/include/asm/msr-index.h
+++ b/xen/arch/x86/include/asm/msr-index.h
@@ -411,6 +411,7 @@
 #define MSR_AMD64_LS_CFG               0xc0011020
 #define MSR_AMD64_IC_CFG               0xc0011021
 #define MSR_AMD64_DC_CFG               0xc0011022
+#define MSR_AMD64_FP_CFG               0xc0011028
 #define MSR_AMD64_DE_CFG               0xc0011029
 #define AMD64_DE_CFG_LFENCE_SERIALISE  (_AC(1, ULL) << 1)
 #define MSR_AMD64_EX_CFG               0xc001102c
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.18



 

