--- /dev/null
+From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 13 May 2026 11:37:18 -0700
+Subject: ptrace: slightly saner 'get_dumpable()' logic
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream.
+
+The 'dumpability' of a task is fundamentally about the memory image of
+the task - the concept comes from whether it can core dump or not - and
+makes no sense when you don't have an associated mm.
+
+And almost all users do in fact use it only for the case where the task
+has a mm pointer.
+
+But we have one odd special case: ptrace_may_access() uses 'dumpable' to
+check various other things entirely independently of the MM (typically
+explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
+threads that no longer have a VM (and maybe never did, like most kernel
+threads).
+
+It's not what this flag was designed for, but it is what it is.
+
+The ptrace code does check that the uid/gid matches, so you do have to
+be uid-0 to see kernel thread details, but this means that the
+traditional "drop capabilities" model doesn't make any difference for
+this all.
+
+Make it all make a *bit* more sense by saying that if you don't have a
+MM pointer, we'll use a cached "last dumpability" flag if the thread
+ever had a MM (it will be zero for kernel threads since it is never
+set), and require a proper CAP_SYS_PTRACE capability to override.
+
+Reported-by: Qualys Security Advisory <qsa@qualys.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Kees Cook <kees@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/sched.h | 3 +++
+ kernel/exit.c | 1 +
+ kernel/ptrace.c | 22 ++++++++++++++++------
+ 3 files changed, 20 insertions(+), 6 deletions(-)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -805,6 +805,9 @@ struct task_struct {
+ */
+ unsigned sched_remote_wakeup:1;
+
++ /* Save user-dumpable when mm goes away */
++ unsigned user_dumpable:1;
++
+ /* Bit to tell LSMs we're in execve(): */
+ unsigned in_execve:1;
+ unsigned in_iowait:1;
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -528,6 +528,7 @@ static void exit_mm(void)
+ BUG_ON(mm != current->active_mm);
+ /* more a memory barrier than a real lock */
+ task_lock(current);
++ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER);
+ current->mm = NULL;
+ mmap_read_unlock(mm);
+ enter_lazy_tlb(mm, current);
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -287,11 +287,24 @@ static bool ptrace_has_cap(struct user_n
+ return ns_capable(ns, CAP_SYS_PTRACE);
+ }
+
++static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
++{
++ struct mm_struct *mm = task->mm;
++ if (mm) {
++ if (get_dumpable(mm) == SUID_DUMP_USER)
++ return true;
++ return ptrace_has_cap(mm->user_ns, mode);
++ }
++
++ if (task->user_dumpable)
++ return true;
++ return ptrace_has_cap(&init_user_ns, mode);
++}
++
+ /* Returns 0 on success, -errno on denial. */
+ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+ {
+ const struct cred *cred = current_cred(), *tcred;
+- struct mm_struct *mm;
+ kuid_t caller_uid;
+ kgid_t caller_gid;
+
+@@ -352,11 +365,8 @@ ok:
+ * Pairs with a write barrier in commit_creds().
+ */
+ smp_rmb();
+- mm = task->mm;
+- if (mm &&
+- ((get_dumpable(mm) != SUID_DUMP_USER) &&
+- !ptrace_has_cap(mm->user_ns, mode)))
+- return -EPERM;
++ if (!task_still_dumpable(task, mode))
++ return -EPERM;
+
+ return security_ptrace_access_check(task, mode);
+ }
--- /dev/null
+ptrace-slightly-saner-get_dumpable-logic.patch
+x86-cpu-amd-add-zenx-generations-flags.patch
+x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch
+x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch
+x86-cpu-amd-add-x86_feature_zen1.patch
+x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch
--- /dev/null
+From 8b11c9f96a0ddb679c11e4a8f2d8dae52e9c15af Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Sat, 2 Dec 2023 12:50:23 +0100
+Subject: x86/CPU/AMD: Add X86_FEATURE_ZEN1
+
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+
+Commit 232afb557835d6f6859c73bf610bad308c96b131 upstream.
+
+Add a synthetic feature flag specifically for first generation Zen
+machines. There's need to have a generic flag for all Zen generations so
+make X86_FEATURE_ZEN be that flag.
+
+Fixes: 30fa92832f40 ("x86/CPU/AMD: Add ZenX generations flags")
+Suggested-by: Brian Gerst <brgerst@gmail.com>
+Suggested-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/dc3835e3-0731-4230-bbb9-336bbe3d042b@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/cpufeatures.h | 3 ++-
+ arch/x86/kernel/cpu/amd.c | 9 +++++----
+ tools/arch/x86/include/asm/cpufeatures.h | 2 +-
+ 3 files changed, 8 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -219,7 +219,7 @@
+ #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
+ #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */
+ #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
+-#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */
++#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */
+ #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
+ #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
+ #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */
+@@ -309,6 +309,7 @@
+ #define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */
+ #define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */
+ #define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */
++#define X86_FEATURE_ZEN1 (11*32+31) /* "" CPU based on Zen1 microarchitecture */
+
+ /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
+ #define X86_FEATURE_AVX512_BF16 (12*32+ 5) /* AVX512 BFLOAT16 instructions */
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -741,7 +741,7 @@ static void bsp_init_amd(struct cpuinfo_
+ switch (c->x86_model) {
+ case 0x00 ... 0x2f:
+ case 0x50 ... 0x5f:
+- setup_force_cpu_cap(X86_FEATURE_ZEN);
++ setup_force_cpu_cap(X86_FEATURE_ZEN1);
+ break;
+ case 0x30 ... 0x4f:
+ case 0x60 ... 0x7f:
+@@ -1122,12 +1122,13 @@ void init_spectral_chicken(struct cpuinf
+
+ static void init_amd_zen_common(void)
+ {
++ setup_force_cpu_cap(X86_FEATURE_ZEN);
+ #ifdef CONFIG_NUMA
+ node_reclaim_distance = 32;
+ #endif
+ }
+
+-static void init_amd_zen(struct cpuinfo_x86 *c)
++static void init_amd_zen1(struct cpuinfo_x86 *c)
+ {
+ init_amd_zen_common();
+
+@@ -1239,8 +1240,8 @@ static void init_amd(struct cpuinfo_x86
+ case 0x16: init_amd_jg(c); break;
+ }
+
+- if (boot_cpu_has(X86_FEATURE_ZEN))
+- init_amd_zen(c);
++ if (boot_cpu_has(X86_FEATURE_ZEN1))
++ init_amd_zen1(c);
+ else if (boot_cpu_has(X86_FEATURE_ZEN2))
+ init_amd_zen2(c);
+ else if (boot_cpu_has(X86_FEATURE_ZEN3))
+--- a/tools/arch/x86/include/asm/cpufeatures.h
++++ b/tools/arch/x86/include/asm/cpufeatures.h
+@@ -219,7 +219,7 @@
+ #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
+ #define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */
+ #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
+-#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 or above (Zen) */
++#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */
+ #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
+ #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
+ #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */
--- /dev/null
+From 0505eb46841c27ea9767b7b6270862f29deafc02 Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Tue, 31 Oct 2023 23:30:59 +0100
+Subject: x86/CPU/AMD: Add ZenX generations flags
+
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+
+Commit 30fa92832f405d5ac9f263e99f62445fa3084008 upstream.
+
+Add X86_FEATURE flags for each Zen generation. They should be used from
+now on instead of checking f/m/s.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lore.kernel.org/r/20231120104152.13740-2-bp@alien8.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/cpufeatures.h | 5 ++
+ arch/x86/kernel/cpu/amd.c | 70 +++++++++++++++++++++++++++++++++++--
+ 2 files changed, 72 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -219,7 +219,7 @@
+ #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
+ #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */
+ #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
+-#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 or above (Zen) */
++#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */
+ #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
+ #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
+ #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */
+@@ -306,6 +306,9 @@
+ #define X86_FEATURE_SRSO_ALIAS (11*32+25) /* "" AMD BTB untrain RETs through aliasing */
+ #define X86_FEATURE_IBPB_ON_VMEXIT (11*32+26) /* "" Issue an IBPB only on VMEXIT */
+ #define X86_FEATURE_APIC_MSRS_FENCE (11*32+27) /* "" IA32_TSC_DEADLINE and X2APIC MSRs need fencing */
++#define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */
++#define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */
++#define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */
+
+ /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
+ #define X86_FEATURE_AVX512_BF16 (12*32+ 5) /* AVX512 BFLOAT16 instructions */
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -735,7 +735,50 @@ static void bsp_init_amd(struct cpuinfo_
+
+ resctrl_cpu_detect(c);
+
++ /* Figure out Zen generations: */
++ switch (c->x86) {
++ case 0x17: {
++ switch (c->x86_model) {
++ case 0x00 ... 0x2f:
++ case 0x50 ... 0x5f:
++ setup_force_cpu_cap(X86_FEATURE_ZEN);
++ break;
++ case 0x30 ... 0x4f:
++ case 0x60 ... 0x7f:
++ case 0x90 ... 0x91:
++ case 0xa0 ... 0xaf:
++ setup_force_cpu_cap(X86_FEATURE_ZEN2);
++ break;
++ default:
++ goto warn;
++ }
++ break;
++ }
++ case 0x19: {
++ switch (c->x86_model) {
++ case 0x00 ... 0x0f:
++ case 0x20 ... 0x5f:
++ setup_force_cpu_cap(X86_FEATURE_ZEN3);
++ break;
++ case 0x10 ... 0x1f:
++ case 0x60 ... 0xaf:
++ setup_force_cpu_cap(X86_FEATURE_ZEN4);
++ break;
++ default:
++ goto warn;
++ }
++ break;
++ }
++ default:
++ break;
++ }
++
+ tsa_init(c);
++
++ return;
++
++warn:
++ WARN_ONCE(1, "Family 0x%x, model: 0x%x??\n", c->x86, c->x86_model);
+ }
+
+ static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
+@@ -1081,8 +1124,6 @@ void init_spectral_chicken(struct cpuinf
+
+ static void init_amd_zn(struct cpuinfo_x86 *c)
+ {
+- set_cpu_cap(c, X86_FEATURE_ZEN);
+-
+ #ifdef CONFIG_NUMA
+ node_reclaim_distance = 32;
+ #endif
+@@ -1148,6 +1189,22 @@ static void zenbleed_check(struct cpuinf
+ }
+ }
+
++static void init_amd_zen(struct cpuinfo_x86 *c)
++{
++}
++
++static void init_amd_zen2(struct cpuinfo_x86 *c)
++{
++}
++
++static void init_amd_zen3(struct cpuinfo_x86 *c)
++{
++}
++
++static void init_amd_zen4(struct cpuinfo_x86 *c)
++{
++}
++
+ static void init_amd(struct cpuinfo_x86 *c)
+ {
+ early_init_amd(c);
+@@ -1182,6 +1239,15 @@ static void init_amd(struct cpuinfo_x86
+ case 0x19: init_amd_zn(c); break;
+ }
+
++ if (boot_cpu_has(X86_FEATURE_ZEN))
++ init_amd_zen(c);
++ else if (boot_cpu_has(X86_FEATURE_ZEN2))
++ init_amd_zen2(c);
++ else if (boot_cpu_has(X86_FEATURE_ZEN3))
++ init_amd_zen3(c);
++ else if (boot_cpu_has(X86_FEATURE_ZEN4))
++ init_amd_zen4(c);
++
+ /*
+ * Enable workaround for FXSAVE leak on CPUs
+ * without a XSaveErPtr feature
--- /dev/null
+From 6ea9e49236f62c01f32ea0b3e5c4ce41d1ec0389 Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Wed, 1 Nov 2023 11:20:01 +0100
+Subject: x86/CPU/AMD: Call the spectral chicken in the Zen2 init function
+
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+
+Commit cfbf4f992bfce1fa9f2f347a79cbbea0368e7971 upstream.
+
+No functional change.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
+Link: http://lore.kernel.org/r/20231120104152.13740-6-bp@alien8.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/amd.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -1101,10 +1101,8 @@ void init_spectral_chicken(struct cpuinf
+ *
+ * This suppresses speculation from the middle of a basic block, i.e. it
+ * suppresses non-branch predictions.
+- *
+- * We use STIBP as a heuristic to filter out Zen2 from the rest of F17H
+ */
+- if (!cpu_has(c, X86_FEATURE_HYPERVISOR) && cpu_has(c, X86_FEATURE_AMD_STIBP)) {
++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) {
+ if (!rdmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, &value)) {
+ value |= MSR_ZEN2_SPECTRAL_CHICKEN_BIT;
+ wrmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, value);
+@@ -1195,6 +1193,7 @@ static void init_amd_zen(struct cpuinfo_
+
+ static void init_amd_zen2(struct cpuinfo_x86 *c)
+ {
++ init_spectral_chicken(c);
+ }
+
+ static void init_amd_zen3(struct cpuinfo_x86 *c)
+@@ -1234,7 +1233,7 @@ static void init_amd(struct cpuinfo_x86
+ case 0x12: init_amd_ln(c); break;
+ case 0x15: init_amd_bd(c); break;
+ case 0x16: init_amd_jg(c); break;
+- case 0x17: init_spectral_chicken(c);
++ case 0x17:
+ fallthrough;
+ case 0x19: init_amd_zn(c); break;
+ }
--- /dev/null
+From d14f0f391370ca45abc208a13c5863a9d05f422c Mon Sep 17 00:00:00 2001
+From: Prathyushi Nangia <prathyushi.nangia@amd.com>
+Date: Tue, 9 Dec 2025 10:01:33 -0600
+Subject: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache
+
+From: Prathyushi Nangia <prathyushi.nangia@amd.com>
+
+commit c21b90f77687075115d989e53a8ec5e2bb427ab1 upstream.
+
+Make sure resources are not improperly shared in the op cache and
+cause instruction corruption this way.
+
+Signed-off-by: Prathyushi Nangia <prathyushi.nangia@amd.com>
+Co-developed-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/msr-index.h | 1 +
+ arch/x86/kernel/cpu/amd.c | 3 +++
+ tools/arch/x86/include/asm/msr-index.h | 3 +++
+ 3 files changed, 7 insertions(+)
+
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
+index 390db709b432..59bee2206d97 100644
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -570,6 +570,7 @@
+ /* Zen4 */
+ #define MSR_ZEN4_BP_CFG 0xc001102e
+ #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5
++#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33
+
+ /* Zen 2 */
+ #define MSR_ZEN2_SPECTRAL_CHICKEN 0xc00110e3
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index 3a446f2b6d30..519e388083b2 100644
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -1197,6 +1197,9 @@ static void init_amd_zen2(struct cpuinfo_x86 *c)
+ {
+ init_amd_zen_common();
+ init_spectral_chicken(c);
++
++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR))
++ msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN2_BP_CFG_BUG_FIX_BIT);
+ }
+
+ static void init_amd_zen3(struct cpuinfo_x86 *c)
+diff --git a/tools/arch/x86/include/asm/msr-index.h b/tools/arch/x86/include/asm/msr-index.h
+index 8fb925676813..c28d75fe4dee 100644
+--- a/tools/arch/x86/include/asm/msr-index.h
++++ b/tools/arch/x86/include/asm/msr-index.h
+@@ -523,6 +523,9 @@
+
+ #define MSR_AMD64_VIRT_SPEC_CTRL 0xc001011f
+
++#define MSR_ZEN4_BP_CFG 0xc001102e
++#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33
++
+ /* Fam 17h MSRs */
+ #define MSR_F17H_IRPERF 0xc00000e9
+
+--
+2.51.0
+
--- /dev/null
+From 714aa4501bd485a70c063fc9e98a44dc9ae277a4 Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Wed, 1 Nov 2023 12:34:29 +0100
+Subject: x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common()
+
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+
+Commit 7c81ad8e8bc28a1847e87c5afe1bae6bffb2f73e upstream.
+
+Call it from all Zen init functions.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
+Link: http://lore.kernel.org/r/20231120104152.13740-7-bp@alien8.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/amd.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -1120,11 +1120,16 @@ void init_spectral_chicken(struct cpuinf
+ clear_cpu_cap(c, X86_FEATURE_XSAVES);
+ }
+
+-static void init_amd_zn(struct cpuinfo_x86 *c)
++static void init_amd_zen_common(void)
+ {
+ #ifdef CONFIG_NUMA
+ node_reclaim_distance = 32;
+ #endif
++}
++
++static void init_amd_zen(struct cpuinfo_x86 *c)
++{
++ init_amd_zen_common();
+
+ /* Fix up CPUID bits, but only if not virtualised. */
+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) {
+@@ -1187,21 +1192,20 @@ static void zenbleed_check(struct cpuinf
+ }
+ }
+
+-static void init_amd_zen(struct cpuinfo_x86 *c)
+-{
+-}
+-
+ static void init_amd_zen2(struct cpuinfo_x86 *c)
+ {
++ init_amd_zen_common();
+ init_spectral_chicken(c);
+ }
+
+ static void init_amd_zen3(struct cpuinfo_x86 *c)
+ {
++ init_amd_zen_common();
+ }
+
+ static void init_amd_zen4(struct cpuinfo_x86 *c)
+ {
++ init_amd_zen_common();
+ }
+
+ static void init_amd(struct cpuinfo_x86 *c)
+@@ -1233,9 +1237,6 @@ static void init_amd(struct cpuinfo_x86
+ case 0x12: init_amd_ln(c); break;
+ case 0x15: init_amd_bd(c); break;
+ case 0x16: init_amd_jg(c); break;
+- case 0x17:
+- fallthrough;
+- case 0x19: init_amd_zn(c); break;
+ }
+
+ if (boot_cpu_has(X86_FEATURE_ZEN))
--- /dev/null
+From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 13 May 2026 11:37:18 -0700
+Subject: ptrace: slightly saner 'get_dumpable()' logic
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream.
+
+The 'dumpability' of a task is fundamentally about the memory image of
+the task - the concept comes from whether it can core dump or not - and
+makes no sense when you don't have an associated mm.
+
+And almost all users do in fact use it only for the case where the task
+has a mm pointer.
+
+But we have one odd special case: ptrace_may_access() uses 'dumpable' to
+check various other things entirely independently of the MM (typically
+explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
+threads that no longer have a VM (and maybe never did, like most kernel
+threads).
+
+It's not what this flag was designed for, but it is what it is.
+
+The ptrace code does check that the uid/gid matches, so you do have to
+be uid-0 to see kernel thread details, but this means that the
+traditional "drop capabilities" model doesn't make any difference for
+this all.
+
+Make it all make a *bit* more sense by saying that if you don't have a
+MM pointer, we'll use a cached "last dumpability" flag if the thread
+ever had a MM (it will be zero for kernel threads since it is never
+set), and require a proper CAP_SYS_PTRACE capability to override.
+
+Reported-by: Qualys Security Advisory <qsa@qualys.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Kees Cook <kees@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/sched.h | 3 +++
+ kernel/exit.c | 1 +
+ kernel/ptrace.c | 22 ++++++++++++++++------
+ 3 files changed, 20 insertions(+), 6 deletions(-)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -896,6 +896,9 @@ struct task_struct {
+ */
+ unsigned sched_remote_wakeup:1;
+
++ /* Save user-dumpable when mm goes away */
++ unsigned user_dumpable:1;
++
+ /* Bit to tell LSMs we're in execve(): */
+ unsigned in_execve:1;
+ unsigned in_iowait:1;
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -540,6 +540,7 @@ static void exit_mm(void)
+ */
+ smp_mb__after_spinlock();
+ local_irq_disable();
++ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER);
+ current->mm = NULL;
+ membarrier_update_current_mm(NULL);
+ enter_lazy_tlb(mm, current);
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -288,11 +288,24 @@ static bool ptrace_has_cap(struct user_n
+ return ns_capable(ns, CAP_SYS_PTRACE);
+ }
+
++static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
++{
++ struct mm_struct *mm = task->mm;
++ if (mm) {
++ if (get_dumpable(mm) == SUID_DUMP_USER)
++ return true;
++ return ptrace_has_cap(mm->user_ns, mode);
++ }
++
++ if (task->user_dumpable)
++ return true;
++ return ptrace_has_cap(&init_user_ns, mode);
++}
++
+ /* Returns 0 on success, -errno on denial. */
+ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+ {
+ const struct cred *cred = current_cred(), *tcred;
+- struct mm_struct *mm;
+ kuid_t caller_uid;
+ kgid_t caller_gid;
+
+@@ -353,11 +366,8 @@ ok:
+ * Pairs with a write barrier in commit_creds().
+ */
+ smp_rmb();
+- mm = task->mm;
+- if (mm &&
+- ((get_dumpable(mm) != SUID_DUMP_USER) &&
+- !ptrace_has_cap(mm->user_ns, mode)))
+- return -EPERM;
++ if (!task_still_dumpable(task, mode))
++ return -EPERM;
+
+ return security_ptrace_access_check(task, mode);
+ }
--- /dev/null
+ptrace-slightly-saner-get_dumpable-logic.patch
+x86-cpu-amd-add-zenx-generations-flags.patch
+x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch
+x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch
+x86-cpu-amd-add-x86_feature_zen1.patch
+x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch
--- /dev/null
+From e72596e11570e82f96805156b122c491f2bfd192 Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Sat, 2 Dec 2023 12:50:23 +0100
+Subject: x86/CPU/AMD: Add X86_FEATURE_ZEN1
+
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+
+Commit 232afb557835d6f6859c73bf610bad308c96b131 upstream.
+
+Add a synthetic feature flag specifically for first generation Zen
+machines. There's need to have a generic flag for all Zen generations so
+make X86_FEATURE_ZEN be that flag.
+
+Fixes: 30fa92832f40 ("x86/CPU/AMD: Add ZenX generations flags")
+Suggested-by: Brian Gerst <brgerst@gmail.com>
+Suggested-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/dc3835e3-0731-4230-bbb9-336bbe3d042b@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/cpufeatures.h | 3 ++-
+ arch/x86/kernel/cpu/amd.c | 9 +++++----
+ tools/arch/x86/include/asm/cpufeatures.h | 2 +-
+ 3 files changed, 8 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -219,7 +219,7 @@
+ #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
+ #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */
+ #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
+-#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */
++#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */
+ #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
+ #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
+ #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */
+@@ -313,6 +313,7 @@
+ #define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */
+ #define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */
+ #define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */
++#define X86_FEATURE_ZEN1 (11*32+31) /* "" CPU based on Zen1 microarchitecture */
+
+ /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
+ #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -714,7 +714,7 @@ static void bsp_init_amd(struct cpuinfo_
+ switch (c->x86_model) {
+ case 0x00 ... 0x2f:
+ case 0x50 ... 0x5f:
+- setup_force_cpu_cap(X86_FEATURE_ZEN);
++ setup_force_cpu_cap(X86_FEATURE_ZEN1);
+ break;
+ case 0x30 ... 0x4f:
+ case 0x60 ... 0x7f:
+@@ -1095,12 +1095,13 @@ void init_spectral_chicken(struct cpuinf
+
+ static void init_amd_zen_common(void)
+ {
++ setup_force_cpu_cap(X86_FEATURE_ZEN);
+ #ifdef CONFIG_NUMA
+ node_reclaim_distance = 32;
+ #endif
+ }
+
+-static void init_amd_zen(struct cpuinfo_x86 *c)
++static void init_amd_zen1(struct cpuinfo_x86 *c)
+ {
+ init_amd_zen_common();
+
+@@ -1212,8 +1213,8 @@ static void init_amd(struct cpuinfo_x86
+ case 0x16: init_amd_jg(c); break;
+ }
+
+- if (boot_cpu_has(X86_FEATURE_ZEN))
+- init_amd_zen(c);
++ if (boot_cpu_has(X86_FEATURE_ZEN1))
++ init_amd_zen1(c);
+ else if (boot_cpu_has(X86_FEATURE_ZEN2))
+ init_amd_zen2(c);
+ else if (boot_cpu_has(X86_FEATURE_ZEN3))
+--- a/tools/arch/x86/include/asm/cpufeatures.h
++++ b/tools/arch/x86/include/asm/cpufeatures.h
+@@ -219,7 +219,7 @@
+ #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
+ #define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */
+ #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
+-#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 or above (Zen) */
++#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */
+ #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
+ #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
+ #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */
--- /dev/null
+From 3afc6ada329c9954054d68f5efa03999a53767be Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Tue, 31 Oct 2023 23:30:59 +0100
+Subject: x86/CPU/AMD: Add ZenX generations flags
+
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+
+Commit 30fa92832f405d5ac9f263e99f62445fa3084008 upstream.
+
+Add X86_FEATURE flags for each Zen generation. They should be used from
+now on instead of checking f/m/s.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lore.kernel.org/r/20231120104152.13740-2-bp@alien8.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/cpufeatures.h | 5 ++
+ arch/x86/kernel/cpu/amd.c | 70 +++++++++++++++++++++++++++++++++++--
+ 2 files changed, 72 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -219,7 +219,7 @@
+ #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
+ #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */
+ #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
+-#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 or above (Zen) */
++#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */
+ #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
+ #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
+ #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */
+@@ -310,6 +310,9 @@
+ #define X86_FEATURE_SRSO_ALIAS (11*32+25) /* "" AMD BTB untrain RETs through aliasing */
+ #define X86_FEATURE_IBPB_ON_VMEXIT (11*32+26) /* "" Issue an IBPB only on VMEXIT */
+ #define X86_FEATURE_APIC_MSRS_FENCE (11*32+27) /* "" IA32_TSC_DEADLINE and X2APIC MSRs need fencing */
++#define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */
++#define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */
++#define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */
+
+ /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
+ #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -708,7 +708,50 @@ static void bsp_init_amd(struct cpuinfo_
+
+ resctrl_cpu_detect(c);
+
++ /* Figure out Zen generations: */
++ switch (c->x86) {
++ case 0x17: {
++ switch (c->x86_model) {
++ case 0x00 ... 0x2f:
++ case 0x50 ... 0x5f:
++ setup_force_cpu_cap(X86_FEATURE_ZEN);
++ break;
++ case 0x30 ... 0x4f:
++ case 0x60 ... 0x7f:
++ case 0x90 ... 0x91:
++ case 0xa0 ... 0xaf:
++ setup_force_cpu_cap(X86_FEATURE_ZEN2);
++ break;
++ default:
++ goto warn;
++ }
++ break;
++ }
++ case 0x19: {
++ switch (c->x86_model) {
++ case 0x00 ... 0x0f:
++ case 0x20 ... 0x5f:
++ setup_force_cpu_cap(X86_FEATURE_ZEN3);
++ break;
++ case 0x10 ... 0x1f:
++ case 0x60 ... 0xaf:
++ setup_force_cpu_cap(X86_FEATURE_ZEN4);
++ break;
++ default:
++ goto warn;
++ }
++ break;
++ }
++ default:
++ break;
++ }
++
+ tsa_init(c);
++
++ return;
++
++warn:
++ WARN_ONCE(1, "Family 0x%x, model: 0x%x??\n", c->x86, c->x86_model);
+ }
+
+ static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
+@@ -1054,8 +1097,6 @@ void init_spectral_chicken(struct cpuinf
+
+ static void init_amd_zn(struct cpuinfo_x86 *c)
+ {
+- set_cpu_cap(c, X86_FEATURE_ZEN);
+-
+ #ifdef CONFIG_NUMA
+ node_reclaim_distance = 32;
+ #endif
+@@ -1121,6 +1162,22 @@ static void zenbleed_check(struct cpuinf
+ }
+ }
+
++static void init_amd_zen(struct cpuinfo_x86 *c)
++{
++}
++
++static void init_amd_zen2(struct cpuinfo_x86 *c)
++{
++}
++
++static void init_amd_zen3(struct cpuinfo_x86 *c)
++{
++}
++
++static void init_amd_zen4(struct cpuinfo_x86 *c)
++{
++}
++
+ static void init_amd(struct cpuinfo_x86 *c)
+ {
+ early_init_amd(c);
+@@ -1155,6 +1212,15 @@ static void init_amd(struct cpuinfo_x86
+ case 0x19: init_amd_zn(c); break;
+ }
+
++ if (boot_cpu_has(X86_FEATURE_ZEN))
++ init_amd_zen(c);
++ else if (boot_cpu_has(X86_FEATURE_ZEN2))
++ init_amd_zen2(c);
++ else if (boot_cpu_has(X86_FEATURE_ZEN3))
++ init_amd_zen3(c);
++ else if (boot_cpu_has(X86_FEATURE_ZEN4))
++ init_amd_zen4(c);
++
+ /*
+ * Enable workaround for FXSAVE leak on CPUs
+ * without a XSaveErPtr feature
--- /dev/null
+From da5cfe21657dcc1135f18b02767f6f52e7e04abb Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Wed, 1 Nov 2023 11:20:01 +0100
+Subject: x86/CPU/AMD: Call the spectral chicken in the Zen2 init function
+
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+
+Commit cfbf4f992bfce1fa9f2f347a79cbbea0368e7971 upstream.
+
+No functional change.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
+Link: http://lore.kernel.org/r/20231120104152.13740-6-bp@alien8.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/amd.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -1074,10 +1074,8 @@ void init_spectral_chicken(struct cpuinf
+ *
+ * This suppresses speculation from the middle of a basic block, i.e. it
+ * suppresses non-branch predictions.
+- *
+- * We use STIBP as a heuristic to filter out Zen2 from the rest of F17H
+ */
+- if (!cpu_has(c, X86_FEATURE_HYPERVISOR) && cpu_has(c, X86_FEATURE_AMD_STIBP)) {
++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) {
+ if (!rdmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, &value)) {
+ value |= MSR_ZEN2_SPECTRAL_CHICKEN_BIT;
+ wrmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, value);
+@@ -1168,6 +1166,7 @@ static void init_amd_zen(struct cpuinfo_
+
+ static void init_amd_zen2(struct cpuinfo_x86 *c)
+ {
++ init_spectral_chicken(c);
+ }
+
+ static void init_amd_zen3(struct cpuinfo_x86 *c)
+@@ -1207,7 +1206,7 @@ static void init_amd(struct cpuinfo_x86
+ case 0x12: init_amd_ln(c); break;
+ case 0x15: init_amd_bd(c); break;
+ case 0x16: init_amd_jg(c); break;
+- case 0x17: init_spectral_chicken(c);
++ case 0x17:
+ fallthrough;
+ case 0x19: init_amd_zn(c); break;
+ }
--- /dev/null
+From a88e215025e5fa9cb1f4759aa09f5ff1fcb21b21 Mon Sep 17 00:00:00 2001
+From: Prathyushi Nangia <prathyushi.nangia@amd.com>
+Date: Tue, 9 Dec 2025 10:01:33 -0600
+Subject: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache
+
+From: Prathyushi Nangia <prathyushi.nangia@amd.com>
+
+commit c21b90f77687075115d989e53a8ec5e2bb427ab1 upstream.
+
+Make sure resources are not improperly shared in the op cache and
+cause instruction corruption this way.
+
+Signed-off-by: Prathyushi Nangia <prathyushi.nangia@amd.com>
+Co-developed-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/msr-index.h | 1 +
+ arch/x86/kernel/cpu/amd.c | 3 +++
+ tools/arch/x86/include/asm/msr-index.h | 3 +++
+ 3 files changed, 7 insertions(+)
+
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -580,6 +580,7 @@
+ /* Zen4 */
+ #define MSR_ZEN4_BP_CFG 0xc001102e
+ #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5
++#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33
+
+ /* Zen 2 */
+ #define MSR_ZEN2_SPECTRAL_CHICKEN 0xc00110e3
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -1170,6 +1170,9 @@ static void init_amd_zen2(struct cpuinfo
+ {
+ init_amd_zen_common();
+ init_spectral_chicken(c);
++
++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR))
++ msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN2_BP_CFG_BUG_FIX_BIT);
+ }
+
+ static void init_amd_zen3(struct cpuinfo_x86 *c)
+--- a/tools/arch/x86/include/asm/msr-index.h
++++ b/tools/arch/x86/include/asm/msr-index.h
+@@ -530,6 +530,9 @@
+
+ #define MSR_AMD64_VIRT_SPEC_CTRL 0xc001011f
+
++#define MSR_ZEN4_BP_CFG 0xc001102e
++#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33
++
+ /* Fam 17h MSRs */
+ #define MSR_F17H_IRPERF 0xc00000e9
+
--- /dev/null
+From d796696ded7ee9fdd5e76a0bb854af0d8f5f9cc7 Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Wed, 1 Nov 2023 12:34:29 +0100
+Subject: x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common()
+
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+
+Commit 7c81ad8e8bc28a1847e87c5afe1bae6bffb2f73e upstream.
+
+Call it from all Zen init functions.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
+Link: http://lore.kernel.org/r/20231120104152.13740-7-bp@alien8.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/amd.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -1093,11 +1093,16 @@ void init_spectral_chicken(struct cpuinf
+ clear_cpu_cap(c, X86_FEATURE_XSAVES);
+ }
+
+-static void init_amd_zn(struct cpuinfo_x86 *c)
++static void init_amd_zen_common(void)
+ {
+ #ifdef CONFIG_NUMA
+ node_reclaim_distance = 32;
+ #endif
++}
++
++static void init_amd_zen(struct cpuinfo_x86 *c)
++{
++ init_amd_zen_common();
+
+ /* Fix up CPUID bits, but only if not virtualised. */
+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) {
+@@ -1160,21 +1165,20 @@ static void zenbleed_check(struct cpuinf
+ }
+ }
+
+-static void init_amd_zen(struct cpuinfo_x86 *c)
+-{
+-}
+-
+ static void init_amd_zen2(struct cpuinfo_x86 *c)
+ {
++ init_amd_zen_common();
+ init_spectral_chicken(c);
+ }
+
+ static void init_amd_zen3(struct cpuinfo_x86 *c)
+ {
++ init_amd_zen_common();
+ }
+
+ static void init_amd_zen4(struct cpuinfo_x86 *c)
+ {
++ init_amd_zen_common();
+ }
+
+ static void init_amd(struct cpuinfo_x86 *c)
+@@ -1206,9 +1210,6 @@ static void init_amd(struct cpuinfo_x86
+ case 0x12: init_amd_ln(c); break;
+ case 0x15: init_amd_bd(c); break;
+ case 0x16: init_amd_jg(c); break;
+- case 0x17:
+- fallthrough;
+- case 0x19: init_amd_zn(c); break;
+ }
+
+ if (boot_cpu_has(X86_FEATURE_ZEN))
--- /dev/null
+From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 13 May 2026 11:37:18 -0700
+Subject: ptrace: slightly saner 'get_dumpable()' logic
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream.
+
+The 'dumpability' of a task is fundamentally about the memory image of
+the task - the concept comes from whether it can core dump or not - and
+makes no sense when you don't have an associated mm.
+
+And almost all users do in fact use it only for the case where the task
+has a mm pointer.
+
+But we have one odd special case: ptrace_may_access() uses 'dumpable' to
+check various other things entirely independently of the MM (typically
+explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
+threads that no longer have a VM (and maybe never did, like most kernel
+threads).
+
+It's not what this flag was designed for, but it is what it is.
+
+The ptrace code does check that the uid/gid matches, so you do have to
+be uid-0 to see kernel thread details, but this means that the
+traditional "drop capabilities" model doesn't make any difference for
+this all.
+
+Make it all make a *bit* more sense by saying that if you don't have a
+MM pointer, we'll use a cached "last dumpability" flag if the thread
+ever had a MM (it will be zero for kernel threads since it is never
+set), and require a proper CAP_SYS_PTRACE capability to override.
+
+Reported-by: Qualys Security Advisory <qsa@qualys.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Kees Cook <kees@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/sched.h | 3 +++
+ kernel/exit.c | 1 +
+ kernel/ptrace.c | 22 ++++++++++++++++------
+ 3 files changed, 20 insertions(+), 6 deletions(-)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -910,6 +910,9 @@ struct task_struct {
+ */
+ unsigned sched_remote_wakeup:1;
+
++ /* Save user-dumpable when mm goes away */
++ unsigned user_dumpable:1;
++
+ /* Bit to tell LSMs we're in execve(): */
+ unsigned in_execve:1;
+ unsigned in_iowait:1;
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -555,6 +555,7 @@ static void exit_mm(void)
+ */
+ smp_mb__after_spinlock();
+ local_irq_disable();
++ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER);
+ current->mm = NULL;
+ membarrier_update_current_mm(NULL);
+ enter_lazy_tlb(mm, current);
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -282,11 +282,24 @@ static bool ptrace_has_cap(struct user_n
+ return ns_capable(ns, CAP_SYS_PTRACE);
+ }
+
++static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
++{
++ struct mm_struct *mm = task->mm;
++ if (mm) {
++ if (get_dumpable(mm) == SUID_DUMP_USER)
++ return true;
++ return ptrace_has_cap(mm->user_ns, mode);
++ }
++
++ if (task->user_dumpable)
++ return true;
++ return ptrace_has_cap(&init_user_ns, mode);
++}
++
+ /* Returns 0 on success, -errno on denial. */
+ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+ {
+ const struct cred *cred = current_cred(), *tcred;
+- struct mm_struct *mm;
+ kuid_t caller_uid;
+ kgid_t caller_gid;
+
+@@ -347,11 +360,8 @@ ok:
+ * Pairs with a write barrier in commit_creds().
+ */
+ smp_rmb();
+- mm = task->mm;
+- if (mm &&
+- ((get_dumpable(mm) != SUID_DUMP_USER) &&
+- !ptrace_has_cap(mm->user_ns, mode)))
+- return -EPERM;
++ if (!task_still_dumpable(task, mode))
++ return -EPERM;
+
+ return security_ptrace_access_check(task, mode);
+ }
--- /dev/null
+ptrace-slightly-saner-get_dumpable-logic.patch
+x86-cpu-amd-add-zenx-generations-flags.patch
+x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch
+x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch
+x86-cpu-amd-add-x86_feature_zen1.patch
+x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch
--- /dev/null
+From 91b64ab5046a17ed993e2d4260c172538ec79ffc Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Sat, 2 Dec 2023 12:50:23 +0100
+Subject: x86/CPU/AMD: Add X86_FEATURE_ZEN1
+
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+
+Commit 232afb557835d6f6859c73bf610bad308c96b131 upstream.
+
+Add a synthetic feature flag specifically for first generation Zen
+machines. There's need to have a generic flag for all Zen generations so
+make X86_FEATURE_ZEN be that flag.
+
+Fixes: 30fa92832f40 ("x86/CPU/AMD: Add ZenX generations flags")
+Suggested-by: Brian Gerst <brgerst@gmail.com>
+Suggested-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/dc3835e3-0731-4230-bbb9-336bbe3d042b@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/cpufeatures.h | 3 ++-
+ arch/x86/kernel/cpu/amd.c | 9 +++++----
+ tools/arch/x86/include/asm/cpufeatures.h | 2 +-
+ 3 files changed, 8 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -219,7 +219,7 @@
+ #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
+ #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */
+ #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
+-#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */
++#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */
+ #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
+ #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
+ #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */
+@@ -316,6 +316,7 @@
+ #define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */
+ #define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */
+ #define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */
++#define X86_FEATURE_ZEN1 (11*32+31) /* "" CPU based on Zen1 microarchitecture */
+
+ /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
+ #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -685,7 +685,7 @@ static void bsp_init_amd(struct cpuinfo_
+ switch (c->x86_model) {
+ case 0x00 ... 0x2f:
+ case 0x50 ... 0x5f:
+- setup_force_cpu_cap(X86_FEATURE_ZEN);
++ setup_force_cpu_cap(X86_FEATURE_ZEN1);
+ break;
+ case 0x30 ... 0x4f:
+ case 0x60 ... 0x7f:
+@@ -1071,12 +1071,13 @@ void init_spectral_chicken(struct cpuinf
+
+ static void init_amd_zen_common(void)
+ {
++ setup_force_cpu_cap(X86_FEATURE_ZEN);
+ #ifdef CONFIG_NUMA
+ node_reclaim_distance = 32;
+ #endif
+ }
+
+-static void init_amd_zen(struct cpuinfo_x86 *c)
++static void init_amd_zen1(struct cpuinfo_x86 *c)
+ {
+ init_amd_zen_common();
+
+@@ -1188,8 +1189,8 @@ static void init_amd(struct cpuinfo_x86
+ case 0x16: init_amd_jg(c); break;
+ }
+
+- if (boot_cpu_has(X86_FEATURE_ZEN))
+- init_amd_zen(c);
++ if (boot_cpu_has(X86_FEATURE_ZEN1))
++ init_amd_zen1(c);
+ else if (boot_cpu_has(X86_FEATURE_ZEN2))
+ init_amd_zen2(c);
+ else if (boot_cpu_has(X86_FEATURE_ZEN3))
+--- a/tools/arch/x86/include/asm/cpufeatures.h
++++ b/tools/arch/x86/include/asm/cpufeatures.h
+@@ -219,7 +219,7 @@
+ #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
+ #define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */
+ #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
+-#define X86_FEATURE_ZEN (7*32+28) /* "" CPU based on Zen microarchitecture */
++#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */
+ #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
+ #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
+ #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */
--- /dev/null
+From fbdee830099d470daddc747d751672b73d8c3b96 Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Tue, 31 Oct 2023 23:30:59 +0100
+Subject: x86/CPU/AMD: Add ZenX generations flags
+
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+
+Commit 30fa92832f405d5ac9f263e99f62445fa3084008 upstream.
+
+Add X86_FEATURE flags for each Zen generation. They should be used from
+now on instead of checking f/m/s.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lore.kernel.org/r/20231120104152.13740-2-bp@alien8.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/cpufeatures.h | 5 ++
+ arch/x86/kernel/cpu/amd.c | 70 +++++++++++++++++++++++++++++++++++--
+ 2 files changed, 72 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -219,7 +219,7 @@
+ #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
+ #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */
+ #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
+-#define X86_FEATURE_ZEN (7*32+28) /* "" CPU based on Zen microarchitecture */
++#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */
+ #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
+ #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
+ #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */
+@@ -313,6 +313,9 @@
+ #define X86_FEATURE_SRSO_ALIAS (11*32+25) /* "" AMD BTB untrain RETs through aliasing */
+ #define X86_FEATURE_IBPB_ON_VMEXIT (11*32+26) /* "" Issue an IBPB only on VMEXIT */
+ #define X86_FEATURE_APIC_MSRS_FENCE (11*32+27) /* "" IA32_TSC_DEADLINE and X2APIC MSRs need fencing */
++#define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */
++#define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */
++#define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */
+
+ /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
+ #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -679,7 +679,50 @@ static void bsp_init_amd(struct cpuinfo_
+
+ resctrl_cpu_detect(c);
+
++ /* Figure out Zen generations: */
++ switch (c->x86) {
++ case 0x17: {
++ switch (c->x86_model) {
++ case 0x00 ... 0x2f:
++ case 0x50 ... 0x5f:
++ setup_force_cpu_cap(X86_FEATURE_ZEN);
++ break;
++ case 0x30 ... 0x4f:
++ case 0x60 ... 0x7f:
++ case 0x90 ... 0x91:
++ case 0xa0 ... 0xaf:
++ setup_force_cpu_cap(X86_FEATURE_ZEN2);
++ break;
++ default:
++ goto warn;
++ }
++ break;
++ }
++ case 0x19: {
++ switch (c->x86_model) {
++ case 0x00 ... 0x0f:
++ case 0x20 ... 0x5f:
++ setup_force_cpu_cap(X86_FEATURE_ZEN3);
++ break;
++ case 0x10 ... 0x1f:
++ case 0x60 ... 0xaf:
++ setup_force_cpu_cap(X86_FEATURE_ZEN4);
++ break;
++ default:
++ goto warn;
++ }
++ break;
++ }
++ default:
++ break;
++ }
++
+ tsa_init(c);
++
++ return;
++
++warn:
++ WARN_ONCE(1, "Family 0x%x, model: 0x%x??\n", c->x86, c->x86_model);
+ }
+
+ static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
+@@ -1030,8 +1073,6 @@ void init_spectral_chicken(struct cpuinf
+
+ static void init_amd_zn(struct cpuinfo_x86 *c)
+ {
+- set_cpu_cap(c, X86_FEATURE_ZEN);
+-
+ #ifdef CONFIG_NUMA
+ node_reclaim_distance = 32;
+ #endif
+@@ -1097,6 +1138,22 @@ static void zenbleed_check(struct cpuinf
+ }
+ }
+
++static void init_amd_zen(struct cpuinfo_x86 *c)
++{
++}
++
++static void init_amd_zen2(struct cpuinfo_x86 *c)
++{
++}
++
++static void init_amd_zen3(struct cpuinfo_x86 *c)
++{
++}
++
++static void init_amd_zen4(struct cpuinfo_x86 *c)
++{
++}
++
+ static void init_amd(struct cpuinfo_x86 *c)
+ {
+ early_init_amd(c);
+@@ -1131,6 +1188,15 @@ static void init_amd(struct cpuinfo_x86
+ case 0x19: init_amd_zn(c); break;
+ }
+
++ if (boot_cpu_has(X86_FEATURE_ZEN))
++ init_amd_zen(c);
++ else if (boot_cpu_has(X86_FEATURE_ZEN2))
++ init_amd_zen2(c);
++ else if (boot_cpu_has(X86_FEATURE_ZEN3))
++ init_amd_zen3(c);
++ else if (boot_cpu_has(X86_FEATURE_ZEN4))
++ init_amd_zen4(c);
++
+ /*
+ * Enable workaround for FXSAVE leak on CPUs
+ * without a XSaveErPtr feature
--- /dev/null
+From 242bba6bdd3de751556194de4951cf4d95dd8945 Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Wed, 1 Nov 2023 11:20:01 +0100
+Subject: x86/CPU/AMD: Call the spectral chicken in the Zen2 init function
+
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+
+Commit cfbf4f992bfce1fa9f2f347a79cbbea0368e7971 upstream.
+
+No functional change.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
+Link: http://lore.kernel.org/r/20231120104152.13740-6-bp@alien8.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/amd.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -1050,10 +1050,8 @@ void init_spectral_chicken(struct cpuinf
+ *
+ * This suppresses speculation from the middle of a basic block, i.e. it
+ * suppresses non-branch predictions.
+- *
+- * We use STIBP as a heuristic to filter out Zen2 from the rest of F17H
+ */
+- if (!cpu_has(c, X86_FEATURE_HYPERVISOR) && cpu_has(c, X86_FEATURE_AMD_STIBP)) {
++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) {
+ if (!rdmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, &value)) {
+ value |= MSR_ZEN2_SPECTRAL_CHICKEN_BIT;
+ wrmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, value);
+@@ -1144,6 +1142,7 @@ static void init_amd_zen(struct cpuinfo_
+
+ static void init_amd_zen2(struct cpuinfo_x86 *c)
+ {
++ init_spectral_chicken(c);
+ }
+
+ static void init_amd_zen3(struct cpuinfo_x86 *c)
+@@ -1183,7 +1182,7 @@ static void init_amd(struct cpuinfo_x86
+ case 0x12: init_amd_ln(c); break;
+ case 0x15: init_amd_bd(c); break;
+ case 0x16: init_amd_jg(c); break;
+- case 0x17: init_spectral_chicken(c);
++ case 0x17:
+ fallthrough;
+ case 0x19: init_amd_zn(c); break;
+ }
--- /dev/null
+From 1ea83dfe1569d2c5699e668d70a5fcbb174aa744 Mon Sep 17 00:00:00 2001
+From: Prathyushi Nangia <prathyushi.nangia@amd.com>
+Date: Tue, 9 Dec 2025 10:01:33 -0600
+Subject: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache
+
+From: Prathyushi Nangia <prathyushi.nangia@amd.com>
+
+commit c21b90f77687075115d989e53a8ec5e2bb427ab1 upstream.
+
+Make sure resources are not improperly shared in the op cache and
+cause instruction corruption this way.
+
+Signed-off-by: Prathyushi Nangia <prathyushi.nangia@amd.com>
+Co-developed-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/msr-index.h | 1 +
+ arch/x86/kernel/cpu/amd.c | 3 +++
+ tools/arch/x86/include/asm/msr-index.h | 3 +++
+ 3 files changed, 7 insertions(+)
+
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -672,6 +672,7 @@
+ /* Zen4 */
+ #define MSR_ZEN4_BP_CFG 0xc001102e
+ #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5
++#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33
+
+ /* Zen 2 */
+ #define MSR_ZEN2_SPECTRAL_CHICKEN 0xc00110e3
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -1146,6 +1146,9 @@ static void init_amd_zen2(struct cpuinfo
+ {
+ init_amd_zen_common();
+ init_spectral_chicken(c);
++
++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR))
++ msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN2_BP_CFG_BUG_FIX_BIT);
+ }
+
+ static void init_amd_zen3(struct cpuinfo_x86 *c)
+--- a/tools/arch/x86/include/asm/msr-index.h
++++ b/tools/arch/x86/include/asm/msr-index.h
+@@ -598,6 +598,9 @@
+ /* AMD Last Branch Record MSRs */
+ #define MSR_AMD64_LBR_SELECT 0xc000010e
+
++#define MSR_ZEN4_BP_CFG 0xc001102e
++#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33
++
+ /* Fam 17h MSRs */
+ #define MSR_F17H_IRPERF 0xc00000e9
+
--- /dev/null
+From da1bf81de5808bee1bf70bd234f2bfa58d5e1671 Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Wed, 1 Nov 2023 12:34:29 +0100
+Subject: x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common()
+
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+
+Commit 7c81ad8e8bc28a1847e87c5afe1bae6bffb2f73e upstream.
+
+Call it from all Zen init functions.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
+Link: http://lore.kernel.org/r/20231120104152.13740-7-bp@alien8.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/amd.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -1069,11 +1069,16 @@ void init_spectral_chicken(struct cpuinf
+ clear_cpu_cap(c, X86_FEATURE_XSAVES);
+ }
+
+-static void init_amd_zn(struct cpuinfo_x86 *c)
++static void init_amd_zen_common(void)
+ {
+ #ifdef CONFIG_NUMA
+ node_reclaim_distance = 32;
+ #endif
++}
++
++static void init_amd_zen(struct cpuinfo_x86 *c)
++{
++ init_amd_zen_common();
+
+ /* Fix up CPUID bits, but only if not virtualised. */
+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) {
+@@ -1136,21 +1141,20 @@ static void zenbleed_check(struct cpuinf
+ }
+ }
+
+-static void init_amd_zen(struct cpuinfo_x86 *c)
+-{
+-}
+-
+ static void init_amd_zen2(struct cpuinfo_x86 *c)
+ {
++ init_amd_zen_common();
+ init_spectral_chicken(c);
+ }
+
+ static void init_amd_zen3(struct cpuinfo_x86 *c)
+ {
++ init_amd_zen_common();
+ }
+
+ static void init_amd_zen4(struct cpuinfo_x86 *c)
+ {
++ init_amd_zen_common();
+ }
+
+ static void init_amd(struct cpuinfo_x86 *c)
+@@ -1182,9 +1186,6 @@ static void init_amd(struct cpuinfo_x86
+ case 0x12: init_amd_ln(c); break;
+ case 0x15: init_amd_bd(c); break;
+ case 0x16: init_amd_jg(c); break;
+- case 0x17:
+- fallthrough;
+- case 0x19: init_amd_zn(c); break;
+ }
+
+ if (boot_cpu_has(X86_FEATURE_ZEN))
--- /dev/null
+From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 13 May 2026 11:37:18 -0700
+Subject: ptrace: slightly saner 'get_dumpable()' logic
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream.
+
+The 'dumpability' of a task is fundamentally about the memory image of
+the task - the concept comes from whether it can core dump or not - and
+makes no sense when you don't have an associated mm.
+
+And almost all users do in fact use it only for the case where the task
+has a mm pointer.
+
+But we have one odd special case: ptrace_may_access() uses 'dumpable' to
+check various other things entirely independently of the MM (typically
+explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
+threads that no longer have a VM (and maybe never did, like most kernel
+threads).
+
+It's not what this flag was designed for, but it is what it is.
+
+The ptrace code does check that the uid/gid matches, so you do have to
+be uid-0 to see kernel thread details, but this means that the
+traditional "drop capabilities" model doesn't make any difference for
+this all.
+
+Make it all make a *bit* more sense by saying that if you don't have a
+MM pointer, we'll use a cached "last dumpability" flag if the thread
+ever had a MM (it will be zero for kernel threads since it is never
+set), and require a proper CAP_SYS_PTRACE capability to override.
+
+Reported-by: Qualys Security Advisory <qsa@qualys.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Kees Cook <kees@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/sched.h | 3 +++
+ kernel/exit.c | 1 +
+ kernel/ptrace.c | 22 ++++++++++++++++------
+ 3 files changed, 20 insertions(+), 6 deletions(-)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -969,6 +969,9 @@ struct task_struct {
+ unsigned sched_rt_mutex:1;
+ #endif
+
++ /* Save user-dumpable when mm goes away */
++ unsigned user_dumpable:1;
++
+ /* Bit to tell TOMOYO we're in execve(): */
+ unsigned in_execve:1;
+ unsigned in_iowait:1;
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -561,6 +561,7 @@ static void exit_mm(void)
+ */
+ smp_mb__after_spinlock();
+ local_irq_disable();
++ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER);
+ current->mm = NULL;
+ membarrier_update_current_mm(NULL);
+ enter_lazy_tlb(mm, current);
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -272,11 +272,24 @@ static bool ptrace_has_cap(struct user_n
+ return ns_capable(ns, CAP_SYS_PTRACE);
+ }
+
++static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
++{
++ struct mm_struct *mm = task->mm;
++ if (mm) {
++ if (get_dumpable(mm) == SUID_DUMP_USER)
++ return true;
++ return ptrace_has_cap(mm->user_ns, mode);
++ }
++
++ if (task->user_dumpable)
++ return true;
++ return ptrace_has_cap(&init_user_ns, mode);
++}
++
+ /* Returns 0 on success, -errno on denial. */
+ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+ {
+ const struct cred *cred = current_cred(), *tcred;
+- struct mm_struct *mm;
+ kuid_t caller_uid;
+ kgid_t caller_gid;
+
+@@ -337,11 +350,8 @@ ok:
+ * Pairs with a write barrier in commit_creds().
+ */
+ smp_rmb();
+- mm = task->mm;
+- if (mm &&
+- ((get_dumpable(mm) != SUID_DUMP_USER) &&
+- !ptrace_has_cap(mm->user_ns, mode)))
+- return -EPERM;
++ if (!task_still_dumpable(task, mode))
++ return -EPERM;
+
+ return security_ptrace_access_check(task, mode);
+ }
--- /dev/null
+ptrace-slightly-saner-get_dumpable-logic.patch
--- /dev/null
+From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 13 May 2026 11:37:18 -0700
+Subject: ptrace: slightly saner 'get_dumpable()' logic
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream.
+
+The 'dumpability' of a task is fundamentally about the memory image of
+the task - the concept comes from whether it can core dump or not - and
+makes no sense when you don't have an associated mm.
+
+And almost all users do in fact use it only for the case where the task
+has a mm pointer.
+
+But we have one odd special case: ptrace_may_access() uses 'dumpable' to
+check various other things entirely independently of the MM (typically
+explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
+threads that no longer have a VM (and maybe never did, like most kernel
+threads).
+
+It's not what this flag was designed for, but it is what it is.
+
+The ptrace code does check that the uid/gid matches, so you do have to
+be uid-0 to see kernel thread details, but this means that the
+traditional "drop capabilities" model doesn't make any difference for
+this all.
+
+Make it all make a *bit* more sense by saying that if you don't have a
+MM pointer, we'll use a cached "last dumpability" flag if the thread
+ever had a MM (it will be zero for kernel threads since it is never
+set), and require a proper CAP_SYS_PTRACE capability to override.
+
+Reported-by: Qualys Security Advisory <qsa@qualys.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Kees Cook <kees@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/sched.h | 3 +++
+ kernel/exit.c | 1 +
+ kernel/ptrace.c | 22 ++++++++++++++++------
+ 3 files changed, 20 insertions(+), 6 deletions(-)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -1003,6 +1003,9 @@ struct task_struct {
+ unsigned sched_rt_mutex:1;
+ #endif
+
++ /* Save user-dumpable when mm goes away */
++ unsigned user_dumpable:1;
++
+ /* Bit to tell TOMOYO we're in execve(): */
+ unsigned in_execve:1;
+ unsigned in_iowait:1;
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -572,6 +572,7 @@ static void exit_mm(void)
+ */
+ smp_mb__after_spinlock();
+ local_irq_disable();
++ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER);
+ current->mm = NULL;
+ membarrier_update_current_mm(NULL);
+ enter_lazy_tlb(mm, current);
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -272,11 +272,24 @@ static bool ptrace_has_cap(struct user_n
+ return ns_capable(ns, CAP_SYS_PTRACE);
+ }
+
++static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
++{
++ struct mm_struct *mm = task->mm;
++ if (mm) {
++ if (get_dumpable(mm) == SUID_DUMP_USER)
++ return true;
++ return ptrace_has_cap(mm->user_ns, mode);
++ }
++
++ if (task->user_dumpable)
++ return true;
++ return ptrace_has_cap(&init_user_ns, mode);
++}
++
+ /* Returns 0 on success, -errno on denial. */
+ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+ {
+ const struct cred *cred = current_cred(), *tcred;
+- struct mm_struct *mm;
+ kuid_t caller_uid;
+ kgid_t caller_gid;
+
+@@ -337,11 +350,8 @@ ok:
+ * Pairs with a write barrier in commit_creds().
+ */
+ smp_rmb();
+- mm = task->mm;
+- if (mm &&
+- ((get_dumpable(mm) != SUID_DUMP_USER) &&
+- !ptrace_has_cap(mm->user_ns, mode)))
+- return -EPERM;
++ if (!task_still_dumpable(task, mode))
++ return -EPERM;
+
+ return security_ptrace_access_check(task, mode);
+ }
--- /dev/null
+ptrace-slightly-saner-get_dumpable-logic.patch
--- /dev/null
+From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 13 May 2026 11:37:18 -0700
+Subject: ptrace: slightly saner 'get_dumpable()' logic
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream.
+
+The 'dumpability' of a task is fundamentally about the memory image of
+the task - the concept comes from whether it can core dump or not - and
+makes no sense when you don't have an associated mm.
+
+And almost all users do in fact use it only for the case where the task
+has a mm pointer.
+
+But we have one odd special case: ptrace_may_access() uses 'dumpable' to
+check various other things entirely independently of the MM (typically
+explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
+threads that no longer have a VM (and maybe never did, like most kernel
+threads).
+
+It's not what this flag was designed for, but it is what it is.
+
+The ptrace code does check that the uid/gid matches, so you do have to
+be uid-0 to see kernel thread details, but this means that the
+traditional "drop capabilities" model doesn't make any difference for
+this all.
+
+Make it all make a *bit* more sense by saying that if you don't have a
+MM pointer, we'll use a cached "last dumpability" flag if the thread
+ever had a MM (it will be zero for kernel threads since it is never
+set), and require a proper CAP_SYS_PTRACE capability to override.
+
+Reported-by: Qualys Security Advisory <qsa@qualys.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Kees Cook <kees@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/sched.h | 3 +++
+ kernel/exit.c | 1 +
+ kernel/ptrace.c | 22 ++++++++++++++++------
+ 3 files changed, 20 insertions(+), 6 deletions(-)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -916,6 +916,9 @@ struct task_struct {
+ */
+ unsigned sched_remote_wakeup:1;
+
++ /* Save user-dumpable when mm goes away */
++ unsigned user_dumpable:1;
++
+ /* Bit to tell LSMs we're in execve(): */
+ unsigned in_execve:1;
+ unsigned in_iowait:1;
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -559,6 +559,7 @@ static void exit_mm(void)
+ */
+ smp_mb__after_spinlock();
+ local_irq_disable();
++ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER);
+ current->mm = NULL;
+ membarrier_update_current_mm(NULL);
+ enter_lazy_tlb(mm, current);
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -283,11 +283,24 @@ static bool ptrace_has_cap(struct user_n
+ return ns_capable(ns, CAP_SYS_PTRACE);
+ }
+
++static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
++{
++ struct mm_struct *mm = task->mm;
++ if (mm) {
++ if (get_dumpable(mm) == SUID_DUMP_USER)
++ return true;
++ return ptrace_has_cap(mm->user_ns, mode);
++ }
++
++ if (task->user_dumpable)
++ return true;
++ return ptrace_has_cap(&init_user_ns, mode);
++}
++
+ /* Returns 0 on success, -errno on denial. */
+ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+ {
+ const struct cred *cred = current_cred(), *tcred;
+- struct mm_struct *mm;
+ kuid_t caller_uid;
+ kgid_t caller_gid;
+
+@@ -348,11 +361,8 @@ ok:
+ * Pairs with a write barrier in commit_creds().
+ */
+ smp_rmb();
+- mm = task->mm;
+- if (mm &&
+- ((get_dumpable(mm) != SUID_DUMP_USER) &&
+- !ptrace_has_cap(mm->user_ns, mode)))
+- return -EPERM;
++ if (!task_still_dumpable(task, mode))
++ return -EPERM;
+
+ return security_ptrace_access_check(task, mode);
+ }
--- /dev/null
+ptrace-slightly-saner-get_dumpable-logic.patch
+x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch
--- /dev/null
+From f160936aec2e9f80000d7ea606501b1f68d05e15 Mon Sep 17 00:00:00 2001
+From: Prathyushi Nangia <prathyushi.nangia@amd.com>
+Date: Tue, 9 Dec 2025 10:01:33 -0600
+Subject: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache
+
+From: Prathyushi Nangia <prathyushi.nangia@amd.com>
+
+commit c21b90f77687075115d989e53a8ec5e2bb427ab1 upstream.
+
+Make sure resources are not improperly shared in the op cache and
+cause instruction corruption this way.
+
+Signed-off-by: Prathyushi Nangia <prathyushi.nangia@amd.com>
+Co-developed-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/msr-index.h | 1 +
+ arch/x86/kernel/cpu/amd.c | 3 +++
+ tools/arch/x86/include/asm/msr-index.h | 3 +++
+ 3 files changed, 7 insertions(+)
+
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -675,6 +675,7 @@
+ /* Zen4 */
+ #define MSR_ZEN4_BP_CFG 0xc001102e
+ #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5
++#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33
+
+ /* Zen 2 */
+ #define MSR_ZEN2_SPECTRAL_CHICKEN 0xc00110e3
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -1166,6 +1166,9 @@ static void init_amd_zen2(struct cpuinfo
+ msr_clear_bit(MSR_AMD64_CPUID_FN_7, 18);
+ pr_emerg("RDSEED is not reliable on this platform; disabling.\n");
+ }
++
++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR))
++ msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN2_BP_CFG_BUG_FIX_BIT);
+ }
+
+ static void init_amd_zen3(struct cpuinfo_x86 *c)
+--- a/tools/arch/x86/include/asm/msr-index.h
++++ b/tools/arch/x86/include/asm/msr-index.h
+@@ -638,6 +638,9 @@
+ /* AMD Last Branch Record MSRs */
+ #define MSR_AMD64_LBR_SELECT 0xc000010e
+
++#define MSR_ZEN4_BP_CFG 0xc001102e
++#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33
++
+ /* Fam 17h MSRs */
+ #define MSR_F17H_IRPERF 0xc00000e9
+
--- /dev/null
+From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 13 May 2026 11:37:18 -0700
+Subject: ptrace: slightly saner 'get_dumpable()' logic
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream.
+
+The 'dumpability' of a task is fundamentally about the memory image of
+the task - the concept comes from whether it can core dump or not - and
+makes no sense when you don't have an associated mm.
+
+And almost all users do in fact use it only for the case where the task
+has a mm pointer.
+
+But we have one odd special case: ptrace_may_access() uses 'dumpable' to
+check various other things entirely independently of the MM (typically
+explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
+threads that no longer have a VM (and maybe never did, like most kernel
+threads).
+
+It's not what this flag was designed for, but it is what it is.
+
+The ptrace code does check that the uid/gid matches, so you do have to
+be uid-0 to see kernel thread details, but this means that the
+traditional "drop capabilities" model doesn't make any difference for
+this all.
+
+Make it all make a *bit* more sense by saying that if you don't have a
+MM pointer, we'll use a cached "last dumpability" flag if the thread
+ever had a MM (it will be zero for kernel threads since it is never
+set), and require a proper CAP_SYS_PTRACE capability to override.
+
+Reported-by: Qualys Security Advisory <qsa@qualys.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Kees Cook <kees@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/sched.h | 3 +++
+ kernel/exit.c | 1 +
+ kernel/ptrace.c | 22 ++++++++++++++++------
+ 3 files changed, 20 insertions(+), 6 deletions(-)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -998,6 +998,9 @@ struct task_struct {
+ unsigned sched_rt_mutex:1;
+ #endif
+
++ /* Save user-dumpable when mm goes away */
++ unsigned user_dumpable:1;
++
+ /* Bit to tell TOMOYO we're in execve(): */
+ unsigned in_execve:1;
+ unsigned in_iowait:1;
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -571,6 +571,7 @@ static void exit_mm(void)
+ */
+ smp_mb__after_spinlock();
+ local_irq_disable();
++ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER);
+ current->mm = NULL;
+ membarrier_update_current_mm(NULL);
+ enter_lazy_tlb(mm, current);
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -272,11 +272,24 @@ static bool ptrace_has_cap(struct user_n
+ return ns_capable(ns, CAP_SYS_PTRACE);
+ }
+
++static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
++{
++ struct mm_struct *mm = task->mm;
++ if (mm) {
++ if (get_dumpable(mm) == SUID_DUMP_USER)
++ return true;
++ return ptrace_has_cap(mm->user_ns, mode);
++ }
++
++ if (task->user_dumpable)
++ return true;
++ return ptrace_has_cap(&init_user_ns, mode);
++}
++
+ /* Returns 0 on success, -errno on denial. */
+ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+ {
+ const struct cred *cred = current_cred(), *tcred;
+- struct mm_struct *mm;
+ kuid_t caller_uid;
+ kgid_t caller_gid;
+
+@@ -337,11 +350,8 @@ ok:
+ * Pairs with a write barrier in commit_creds().
+ */
+ smp_rmb();
+- mm = task->mm;
+- if (mm &&
+- ((get_dumpable(mm) != SUID_DUMP_USER) &&
+- !ptrace_has_cap(mm->user_ns, mode)))
+- return -EPERM;
++ if (!task_still_dumpable(task, mode))
++ return -EPERM;
+
+ return security_ptrace_access_check(task, mode);
+ }
--- /dev/null
+ptrace-slightly-saner-get_dumpable-logic.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
