From: Greg Kroah-Hartman Date: Fri, 15 May 2026 12:23:03 +0000 (+0200) Subject: copy some patches back X-Git-Tag: v5.10.256~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=35a9f4d523c7e4358519852012dc873f4bd1700e;p=thirdparty%2Fkernel%2Fstable-queue.git copy some patches back --- diff --git a/queue-5.10/ptrace-slightly-saner-get_dumpable-logic.patch b/queue-5.10/ptrace-slightly-saner-get_dumpable-logic.patch new file mode 100644 index 0000000000..430b069276 --- /dev/null +++ b/queue-5.10/ptrace-slightly-saner-get_dumpable-logic.patch @@ -0,0 +1,109 @@ +From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Wed, 13 May 2026 11:37:18 -0700 +Subject: ptrace: slightly saner 'get_dumpable()' logic + +From: Linus Torvalds + +commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream. + +The 'dumpability' of a task is fundamentally about the memory image of +the task - the concept comes from whether it can core dump or not - and +makes no sense when you don't have an associated mm. + +And almost all users do in fact use it only for the case where the task +has a mm pointer. + +But we have one odd special case: ptrace_may_access() uses 'dumpable' to +check various other things entirely independently of the MM (typically +explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for +threads that no longer have a VM (and maybe never did, like most kernel +threads). + +It's not what this flag was designed for, but it is what it is. + +The ptrace code does check that the uid/gid matches, so you do have to +be uid-0 to see kernel thread details, but this means that the +traditional "drop capabilities" model doesn't make any difference for +this all. + +Make it all make a *bit* more sense by saying that if you don't have a +MM pointer, we'll use a cached "last dumpability" flag if the thread +ever had a MM (it will be zero for kernel threads since it is never +set), and require a proper CAP_SYS_PTRACE capability to override. + +Reported-by: Qualys Security Advisory +Cc: Oleg Nesterov +Cc: Kees Cook +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sched.h | 3 +++ + kernel/exit.c | 1 + + kernel/ptrace.c | 22 ++++++++++++++++------ + 3 files changed, 20 insertions(+), 6 deletions(-) + +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -805,6 +805,9 @@ struct task_struct { + */ + unsigned sched_remote_wakeup:1; + ++ /* Save user-dumpable when mm goes away */ ++ unsigned user_dumpable:1; ++ + /* Bit to tell LSMs we're in execve(): */ + unsigned in_execve:1; + unsigned in_iowait:1; +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -528,6 +528,7 @@ static void exit_mm(void) + BUG_ON(mm != current->active_mm); + /* more a memory barrier than a real lock */ + task_lock(current); ++ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER); + current->mm = NULL; + mmap_read_unlock(mm); + enter_lazy_tlb(mm, current); +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -287,11 +287,24 @@ static bool ptrace_has_cap(struct user_n + return ns_capable(ns, CAP_SYS_PTRACE); + } + ++static bool task_still_dumpable(struct task_struct *task, unsigned int mode) ++{ ++ struct mm_struct *mm = task->mm; ++ if (mm) { ++ if (get_dumpable(mm) == SUID_DUMP_USER) ++ return true; ++ return ptrace_has_cap(mm->user_ns, mode); ++ } ++ ++ if (task->user_dumpable) ++ return true; ++ return ptrace_has_cap(&init_user_ns, mode); ++} ++ + /* Returns 0 on success, -errno on denial. */ + static int __ptrace_may_access(struct task_struct *task, unsigned int mode) + { + const struct cred *cred = current_cred(), *tcred; +- struct mm_struct *mm; + kuid_t caller_uid; + kgid_t caller_gid; + +@@ -352,11 +365,8 @@ ok: + * Pairs with a write barrier in commit_creds(). + */ + smp_rmb(); +- mm = task->mm; +- if (mm && +- ((get_dumpable(mm) != SUID_DUMP_USER) && +- !ptrace_has_cap(mm->user_ns, mode))) +- return -EPERM; ++ if (!task_still_dumpable(task, mode)) ++ return -EPERM; + + return security_ptrace_access_check(task, mode); + } diff --git a/queue-5.10/series b/queue-5.10/series new file mode 100644 index 0000000000..07f45522b9 --- /dev/null +++ b/queue-5.10/series @@ -0,0 +1,6 @@ +ptrace-slightly-saner-get_dumpable-logic.patch +x86-cpu-amd-add-zenx-generations-flags.patch +x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch +x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch +x86-cpu-amd-add-x86_feature_zen1.patch +x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch diff --git a/queue-5.10/x86-cpu-amd-add-x86_feature_zen1.patch b/queue-5.10/x86-cpu-amd-add-x86_feature_zen1.patch new file mode 100644 index 0000000000..b0dde90d44 --- /dev/null +++ b/queue-5.10/x86-cpu-amd-add-x86_feature_zen1.patch @@ -0,0 +1,92 @@ +From 8b11c9f96a0ddb679c11e4a8f2d8dae52e9c15af Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Sat, 2 Dec 2023 12:50:23 +0100 +Subject: x86/CPU/AMD: Add X86_FEATURE_ZEN1 + +From: "Borislav Petkov (AMD)" + +Commit 232afb557835d6f6859c73bf610bad308c96b131 upstream. + +Add a synthetic feature flag specifically for first generation Zen +machines. There's need to have a generic flag for all Zen generations so +make X86_FEATURE_ZEN be that flag. + +Fixes: 30fa92832f40 ("x86/CPU/AMD: Add ZenX generations flags") +Suggested-by: Brian Gerst +Suggested-by: Tom Lendacky +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/r/dc3835e3-0731-4230-bbb9-336bbe3d042b@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/cpufeatures.h | 3 ++- + arch/x86/kernel/cpu/amd.c | 9 +++++---- + tools/arch/x86/include/asm/cpufeatures.h | 2 +- + 3 files changed, 8 insertions(+), 6 deletions(-) + +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -219,7 +219,7 @@ + #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ + #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */ + #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ +-#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */ ++#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */ + #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ + #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */ + #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */ +@@ -309,6 +309,7 @@ + #define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */ + #define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */ + #define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */ ++#define X86_FEATURE_ZEN1 (11*32+31) /* "" CPU based on Zen1 microarchitecture */ + + /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ + #define X86_FEATURE_AVX512_BF16 (12*32+ 5) /* AVX512 BFLOAT16 instructions */ +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -741,7 +741,7 @@ static void bsp_init_amd(struct cpuinfo_ + switch (c->x86_model) { + case 0x00 ... 0x2f: + case 0x50 ... 0x5f: +- setup_force_cpu_cap(X86_FEATURE_ZEN); ++ setup_force_cpu_cap(X86_FEATURE_ZEN1); + break; + case 0x30 ... 0x4f: + case 0x60 ... 0x7f: +@@ -1122,12 +1122,13 @@ void init_spectral_chicken(struct cpuinf + + static void init_amd_zen_common(void) + { ++ setup_force_cpu_cap(X86_FEATURE_ZEN); + #ifdef CONFIG_NUMA + node_reclaim_distance = 32; + #endif + } + +-static void init_amd_zen(struct cpuinfo_x86 *c) ++static void init_amd_zen1(struct cpuinfo_x86 *c) + { + init_amd_zen_common(); + +@@ -1239,8 +1240,8 @@ static void init_amd(struct cpuinfo_x86 + case 0x16: init_amd_jg(c); break; + } + +- if (boot_cpu_has(X86_FEATURE_ZEN)) +- init_amd_zen(c); ++ if (boot_cpu_has(X86_FEATURE_ZEN1)) ++ init_amd_zen1(c); + else if (boot_cpu_has(X86_FEATURE_ZEN2)) + init_amd_zen2(c); + else if (boot_cpu_has(X86_FEATURE_ZEN3)) +--- a/tools/arch/x86/include/asm/cpufeatures.h ++++ b/tools/arch/x86/include/asm/cpufeatures.h +@@ -219,7 +219,7 @@ + #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ + #define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */ + #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ +-#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 or above (Zen) */ ++#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */ + #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ + #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */ + #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */ diff --git a/queue-5.10/x86-cpu-amd-add-zenx-generations-flags.patch b/queue-5.10/x86-cpu-amd-add-zenx-generations-flags.patch new file mode 100644 index 0000000000..6673c4a0a7 --- /dev/null +++ b/queue-5.10/x86-cpu-amd-add-zenx-generations-flags.patch @@ -0,0 +1,144 @@ +From 0505eb46841c27ea9767b7b6270862f29deafc02 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Tue, 31 Oct 2023 23:30:59 +0100 +Subject: x86/CPU/AMD: Add ZenX generations flags + +From: "Borislav Petkov (AMD)" + +Commit 30fa92832f405d5ac9f263e99f62445fa3084008 upstream. + +Add X86_FEATURE flags for each Zen generation. They should be used from +now on instead of checking f/m/s. + +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Nikolay Borisov +Acked-by: Thomas Gleixner +Link: http://lore.kernel.org/r/20231120104152.13740-2-bp@alien8.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/cpufeatures.h | 5 ++ + arch/x86/kernel/cpu/amd.c | 70 +++++++++++++++++++++++++++++++++++-- + 2 files changed, 72 insertions(+), 3 deletions(-) + +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -219,7 +219,7 @@ + #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ + #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */ + #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ +-#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 or above (Zen) */ ++#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */ + #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ + #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */ + #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */ +@@ -306,6 +306,9 @@ + #define X86_FEATURE_SRSO_ALIAS (11*32+25) /* "" AMD BTB untrain RETs through aliasing */ + #define X86_FEATURE_IBPB_ON_VMEXIT (11*32+26) /* "" Issue an IBPB only on VMEXIT */ + #define X86_FEATURE_APIC_MSRS_FENCE (11*32+27) /* "" IA32_TSC_DEADLINE and X2APIC MSRs need fencing */ ++#define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */ ++#define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */ ++#define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */ + + /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ + #define X86_FEATURE_AVX512_BF16 (12*32+ 5) /* AVX512 BFLOAT16 instructions */ +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -735,7 +735,50 @@ static void bsp_init_amd(struct cpuinfo_ + + resctrl_cpu_detect(c); + ++ /* Figure out Zen generations: */ ++ switch (c->x86) { ++ case 0x17: { ++ switch (c->x86_model) { ++ case 0x00 ... 0x2f: ++ case 0x50 ... 0x5f: ++ setup_force_cpu_cap(X86_FEATURE_ZEN); ++ break; ++ case 0x30 ... 0x4f: ++ case 0x60 ... 0x7f: ++ case 0x90 ... 0x91: ++ case 0xa0 ... 0xaf: ++ setup_force_cpu_cap(X86_FEATURE_ZEN2); ++ break; ++ default: ++ goto warn; ++ } ++ break; ++ } ++ case 0x19: { ++ switch (c->x86_model) { ++ case 0x00 ... 0x0f: ++ case 0x20 ... 0x5f: ++ setup_force_cpu_cap(X86_FEATURE_ZEN3); ++ break; ++ case 0x10 ... 0x1f: ++ case 0x60 ... 0xaf: ++ setup_force_cpu_cap(X86_FEATURE_ZEN4); ++ break; ++ default: ++ goto warn; ++ } ++ break; ++ } ++ default: ++ break; ++ } ++ + tsa_init(c); ++ ++ return; ++ ++warn: ++ WARN_ONCE(1, "Family 0x%x, model: 0x%x??\n", c->x86, c->x86_model); + } + + static void early_detect_mem_encrypt(struct cpuinfo_x86 *c) +@@ -1081,8 +1124,6 @@ void init_spectral_chicken(struct cpuinf + + static void init_amd_zn(struct cpuinfo_x86 *c) + { +- set_cpu_cap(c, X86_FEATURE_ZEN); +- + #ifdef CONFIG_NUMA + node_reclaim_distance = 32; + #endif +@@ -1148,6 +1189,22 @@ static void zenbleed_check(struct cpuinf + } + } + ++static void init_amd_zen(struct cpuinfo_x86 *c) ++{ ++} ++ ++static void init_amd_zen2(struct cpuinfo_x86 *c) ++{ ++} ++ ++static void init_amd_zen3(struct cpuinfo_x86 *c) ++{ ++} ++ ++static void init_amd_zen4(struct cpuinfo_x86 *c) ++{ ++} ++ + static void init_amd(struct cpuinfo_x86 *c) + { + early_init_amd(c); +@@ -1182,6 +1239,15 @@ static void init_amd(struct cpuinfo_x86 + case 0x19: init_amd_zn(c); break; + } + ++ if (boot_cpu_has(X86_FEATURE_ZEN)) ++ init_amd_zen(c); ++ else if (boot_cpu_has(X86_FEATURE_ZEN2)) ++ init_amd_zen2(c); ++ else if (boot_cpu_has(X86_FEATURE_ZEN3)) ++ init_amd_zen3(c); ++ else if (boot_cpu_has(X86_FEATURE_ZEN4)) ++ init_amd_zen4(c); ++ + /* + * Enable workaround for FXSAVE leak on CPUs + * without a XSaveErPtr feature diff --git a/queue-5.10/x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch b/queue-5.10/x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch new file mode 100644 index 0000000000..3e34324c80 --- /dev/null +++ b/queue-5.10/x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch @@ -0,0 +1,50 @@ +From 6ea9e49236f62c01f32ea0b3e5c4ce41d1ec0389 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Wed, 1 Nov 2023 11:20:01 +0100 +Subject: x86/CPU/AMD: Call the spectral chicken in the Zen2 init function + +From: "Borislav Petkov (AMD)" + +Commit cfbf4f992bfce1fa9f2f347a79cbbea0368e7971 upstream. + +No functional change. + +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Nikolay Borisov +Link: http://lore.kernel.org/r/20231120104152.13740-6-bp@alien8.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/amd.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -1101,10 +1101,8 @@ void init_spectral_chicken(struct cpuinf + * + * This suppresses speculation from the middle of a basic block, i.e. it + * suppresses non-branch predictions. +- * +- * We use STIBP as a heuristic to filter out Zen2 from the rest of F17H + */ +- if (!cpu_has(c, X86_FEATURE_HYPERVISOR) && cpu_has(c, X86_FEATURE_AMD_STIBP)) { ++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) { + if (!rdmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, &value)) { + value |= MSR_ZEN2_SPECTRAL_CHICKEN_BIT; + wrmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, value); +@@ -1195,6 +1193,7 @@ static void init_amd_zen(struct cpuinfo_ + + static void init_amd_zen2(struct cpuinfo_x86 *c) + { ++ init_spectral_chicken(c); + } + + static void init_amd_zen3(struct cpuinfo_x86 *c) +@@ -1234,7 +1233,7 @@ static void init_amd(struct cpuinfo_x86 + case 0x12: init_amd_ln(c); break; + case 0x15: init_amd_bd(c); break; + case 0x16: init_amd_jg(c); break; +- case 0x17: init_spectral_chicken(c); ++ case 0x17: + fallthrough; + case 0x19: init_amd_zn(c); break; + } diff --git a/queue-5.10/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch b/queue-5.10/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch new file mode 100644 index 0000000000..e3778e4645 --- /dev/null +++ b/queue-5.10/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch @@ -0,0 +1,66 @@ +From d14f0f391370ca45abc208a13c5863a9d05f422c Mon Sep 17 00:00:00 2001 +From: Prathyushi Nangia +Date: Tue, 9 Dec 2025 10:01:33 -0600 +Subject: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache + +From: Prathyushi Nangia + +commit c21b90f77687075115d989e53a8ec5e2bb427ab1 upstream. + +Make sure resources are not improperly shared in the op cache and +cause instruction corruption this way. + +Signed-off-by: Prathyushi Nangia +Co-developed-by: Borislav Petkov (AMD) +Signed-off-by: Borislav Petkov (AMD) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/msr-index.h | 1 + + arch/x86/kernel/cpu/amd.c | 3 +++ + tools/arch/x86/include/asm/msr-index.h | 3 +++ + 3 files changed, 7 insertions(+) + +diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h +index 390db709b432..59bee2206d97 100644 +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -570,6 +570,7 @@ + /* Zen4 */ + #define MSR_ZEN4_BP_CFG 0xc001102e + #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5 ++#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33 + + /* Zen 2 */ + #define MSR_ZEN2_SPECTRAL_CHICKEN 0xc00110e3 +diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c +index 3a446f2b6d30..519e388083b2 100644 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -1197,6 +1197,9 @@ static void init_amd_zen2(struct cpuinfo_x86 *c) + { + init_amd_zen_common(); + init_spectral_chicken(c); ++ ++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) ++ msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN2_BP_CFG_BUG_FIX_BIT); + } + + static void init_amd_zen3(struct cpuinfo_x86 *c) +diff --git a/tools/arch/x86/include/asm/msr-index.h b/tools/arch/x86/include/asm/msr-index.h +index 8fb925676813..c28d75fe4dee 100644 +--- a/tools/arch/x86/include/asm/msr-index.h ++++ b/tools/arch/x86/include/asm/msr-index.h +@@ -523,6 +523,9 @@ + + #define MSR_AMD64_VIRT_SPEC_CTRL 0xc001011f + ++#define MSR_ZEN4_BP_CFG 0xc001102e ++#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33 ++ + /* Fam 17h MSRs */ + #define MSR_F17H_IRPERF 0xc00000e9 + +-- +2.51.0 + diff --git a/queue-5.10/x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch b/queue-5.10/x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch new file mode 100644 index 0000000000..7ec5e5b13d --- /dev/null +++ b/queue-5.10/x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch @@ -0,0 +1,74 @@ +From 714aa4501bd485a70c063fc9e98a44dc9ae277a4 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Wed, 1 Nov 2023 12:34:29 +0100 +Subject: x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common() + +From: "Borislav Petkov (AMD)" + +Commit 7c81ad8e8bc28a1847e87c5afe1bae6bffb2f73e upstream. + +Call it from all Zen init functions. + +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Nikolay Borisov +Link: http://lore.kernel.org/r/20231120104152.13740-7-bp@alien8.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/amd.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -1120,11 +1120,16 @@ void init_spectral_chicken(struct cpuinf + clear_cpu_cap(c, X86_FEATURE_XSAVES); + } + +-static void init_amd_zn(struct cpuinfo_x86 *c) ++static void init_amd_zen_common(void) + { + #ifdef CONFIG_NUMA + node_reclaim_distance = 32; + #endif ++} ++ ++static void init_amd_zen(struct cpuinfo_x86 *c) ++{ ++ init_amd_zen_common(); + + /* Fix up CPUID bits, but only if not virtualised. */ + if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) { +@@ -1187,21 +1192,20 @@ static void zenbleed_check(struct cpuinf + } + } + +-static void init_amd_zen(struct cpuinfo_x86 *c) +-{ +-} +- + static void init_amd_zen2(struct cpuinfo_x86 *c) + { ++ init_amd_zen_common(); + init_spectral_chicken(c); + } + + static void init_amd_zen3(struct cpuinfo_x86 *c) + { ++ init_amd_zen_common(); + } + + static void init_amd_zen4(struct cpuinfo_x86 *c) + { ++ init_amd_zen_common(); + } + + static void init_amd(struct cpuinfo_x86 *c) +@@ -1233,9 +1237,6 @@ static void init_amd(struct cpuinfo_x86 + case 0x12: init_amd_ln(c); break; + case 0x15: init_amd_bd(c); break; + case 0x16: init_amd_jg(c); break; +- case 0x17: +- fallthrough; +- case 0x19: init_amd_zn(c); break; + } + + if (boot_cpu_has(X86_FEATURE_ZEN)) diff --git a/queue-5.15/ptrace-slightly-saner-get_dumpable-logic.patch b/queue-5.15/ptrace-slightly-saner-get_dumpable-logic.patch new file mode 100644 index 0000000000..815872a98b --- /dev/null +++ b/queue-5.15/ptrace-slightly-saner-get_dumpable-logic.patch @@ -0,0 +1,109 @@ +From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Wed, 13 May 2026 11:37:18 -0700 +Subject: ptrace: slightly saner 'get_dumpable()' logic + +From: Linus Torvalds + +commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream. + +The 'dumpability' of a task is fundamentally about the memory image of +the task - the concept comes from whether it can core dump or not - and +makes no sense when you don't have an associated mm. + +And almost all users do in fact use it only for the case where the task +has a mm pointer. + +But we have one odd special case: ptrace_may_access() uses 'dumpable' to +check various other things entirely independently of the MM (typically +explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for +threads that no longer have a VM (and maybe never did, like most kernel +threads). + +It's not what this flag was designed for, but it is what it is. + +The ptrace code does check that the uid/gid matches, so you do have to +be uid-0 to see kernel thread details, but this means that the +traditional "drop capabilities" model doesn't make any difference for +this all. + +Make it all make a *bit* more sense by saying that if you don't have a +MM pointer, we'll use a cached "last dumpability" flag if the thread +ever had a MM (it will be zero for kernel threads since it is never +set), and require a proper CAP_SYS_PTRACE capability to override. + +Reported-by: Qualys Security Advisory +Cc: Oleg Nesterov +Cc: Kees Cook +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sched.h | 3 +++ + kernel/exit.c | 1 + + kernel/ptrace.c | 22 ++++++++++++++++------ + 3 files changed, 20 insertions(+), 6 deletions(-) + +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -896,6 +896,9 @@ struct task_struct { + */ + unsigned sched_remote_wakeup:1; + ++ /* Save user-dumpable when mm goes away */ ++ unsigned user_dumpable:1; ++ + /* Bit to tell LSMs we're in execve(): */ + unsigned in_execve:1; + unsigned in_iowait:1; +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -540,6 +540,7 @@ static void exit_mm(void) + */ + smp_mb__after_spinlock(); + local_irq_disable(); ++ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER); + current->mm = NULL; + membarrier_update_current_mm(NULL); + enter_lazy_tlb(mm, current); +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -288,11 +288,24 @@ static bool ptrace_has_cap(struct user_n + return ns_capable(ns, CAP_SYS_PTRACE); + } + ++static bool task_still_dumpable(struct task_struct *task, unsigned int mode) ++{ ++ struct mm_struct *mm = task->mm; ++ if (mm) { ++ if (get_dumpable(mm) == SUID_DUMP_USER) ++ return true; ++ return ptrace_has_cap(mm->user_ns, mode); ++ } ++ ++ if (task->user_dumpable) ++ return true; ++ return ptrace_has_cap(&init_user_ns, mode); ++} ++ + /* Returns 0 on success, -errno on denial. */ + static int __ptrace_may_access(struct task_struct *task, unsigned int mode) + { + const struct cred *cred = current_cred(), *tcred; +- struct mm_struct *mm; + kuid_t caller_uid; + kgid_t caller_gid; + +@@ -353,11 +366,8 @@ ok: + * Pairs with a write barrier in commit_creds(). + */ + smp_rmb(); +- mm = task->mm; +- if (mm && +- ((get_dumpable(mm) != SUID_DUMP_USER) && +- !ptrace_has_cap(mm->user_ns, mode))) +- return -EPERM; ++ if (!task_still_dumpable(task, mode)) ++ return -EPERM; + + return security_ptrace_access_check(task, mode); + } diff --git a/queue-5.15/series b/queue-5.15/series new file mode 100644 index 0000000000..07f45522b9 --- /dev/null +++ b/queue-5.15/series @@ -0,0 +1,6 @@ +ptrace-slightly-saner-get_dumpable-logic.patch +x86-cpu-amd-add-zenx-generations-flags.patch +x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch +x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch +x86-cpu-amd-add-x86_feature_zen1.patch +x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch diff --git a/queue-5.15/x86-cpu-amd-add-x86_feature_zen1.patch b/queue-5.15/x86-cpu-amd-add-x86_feature_zen1.patch new file mode 100644 index 0000000000..2c26ba7e44 --- /dev/null +++ b/queue-5.15/x86-cpu-amd-add-x86_feature_zen1.patch @@ -0,0 +1,92 @@ +From e72596e11570e82f96805156b122c491f2bfd192 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Sat, 2 Dec 2023 12:50:23 +0100 +Subject: x86/CPU/AMD: Add X86_FEATURE_ZEN1 + +From: "Borislav Petkov (AMD)" + +Commit 232afb557835d6f6859c73bf610bad308c96b131 upstream. + +Add a synthetic feature flag specifically for first generation Zen +machines. There's need to have a generic flag for all Zen generations so +make X86_FEATURE_ZEN be that flag. + +Fixes: 30fa92832f40 ("x86/CPU/AMD: Add ZenX generations flags") +Suggested-by: Brian Gerst +Suggested-by: Tom Lendacky +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/r/dc3835e3-0731-4230-bbb9-336bbe3d042b@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/cpufeatures.h | 3 ++- + arch/x86/kernel/cpu/amd.c | 9 +++++---- + tools/arch/x86/include/asm/cpufeatures.h | 2 +- + 3 files changed, 8 insertions(+), 6 deletions(-) + +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -219,7 +219,7 @@ + #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ + #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */ + #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ +-#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */ ++#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */ + #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ + #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */ + #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */ +@@ -313,6 +313,7 @@ + #define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */ + #define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */ + #define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */ ++#define X86_FEATURE_ZEN1 (11*32+31) /* "" CPU based on Zen1 microarchitecture */ + + /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ + #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */ +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -714,7 +714,7 @@ static void bsp_init_amd(struct cpuinfo_ + switch (c->x86_model) { + case 0x00 ... 0x2f: + case 0x50 ... 0x5f: +- setup_force_cpu_cap(X86_FEATURE_ZEN); ++ setup_force_cpu_cap(X86_FEATURE_ZEN1); + break; + case 0x30 ... 0x4f: + case 0x60 ... 0x7f: +@@ -1095,12 +1095,13 @@ void init_spectral_chicken(struct cpuinf + + static void init_amd_zen_common(void) + { ++ setup_force_cpu_cap(X86_FEATURE_ZEN); + #ifdef CONFIG_NUMA + node_reclaim_distance = 32; + #endif + } + +-static void init_amd_zen(struct cpuinfo_x86 *c) ++static void init_amd_zen1(struct cpuinfo_x86 *c) + { + init_amd_zen_common(); + +@@ -1212,8 +1213,8 @@ static void init_amd(struct cpuinfo_x86 + case 0x16: init_amd_jg(c); break; + } + +- if (boot_cpu_has(X86_FEATURE_ZEN)) +- init_amd_zen(c); ++ if (boot_cpu_has(X86_FEATURE_ZEN1)) ++ init_amd_zen1(c); + else if (boot_cpu_has(X86_FEATURE_ZEN2)) + init_amd_zen2(c); + else if (boot_cpu_has(X86_FEATURE_ZEN3)) +--- a/tools/arch/x86/include/asm/cpufeatures.h ++++ b/tools/arch/x86/include/asm/cpufeatures.h +@@ -219,7 +219,7 @@ + #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ + #define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */ + #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ +-#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 or above (Zen) */ ++#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */ + #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ + #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */ + #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */ diff --git a/queue-5.15/x86-cpu-amd-add-zenx-generations-flags.patch b/queue-5.15/x86-cpu-amd-add-zenx-generations-flags.patch new file mode 100644 index 0000000000..e1cc24025b --- /dev/null +++ b/queue-5.15/x86-cpu-amd-add-zenx-generations-flags.patch @@ -0,0 +1,144 @@ +From 3afc6ada329c9954054d68f5efa03999a53767be Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Tue, 31 Oct 2023 23:30:59 +0100 +Subject: x86/CPU/AMD: Add ZenX generations flags + +From: "Borislav Petkov (AMD)" + +Commit 30fa92832f405d5ac9f263e99f62445fa3084008 upstream. + +Add X86_FEATURE flags for each Zen generation. They should be used from +now on instead of checking f/m/s. + +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Nikolay Borisov +Acked-by: Thomas Gleixner +Link: http://lore.kernel.org/r/20231120104152.13740-2-bp@alien8.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/cpufeatures.h | 5 ++ + arch/x86/kernel/cpu/amd.c | 70 +++++++++++++++++++++++++++++++++++-- + 2 files changed, 72 insertions(+), 3 deletions(-) + +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -219,7 +219,7 @@ + #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ + #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */ + #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ +-#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 or above (Zen) */ ++#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */ + #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ + #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */ + #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */ +@@ -310,6 +310,9 @@ + #define X86_FEATURE_SRSO_ALIAS (11*32+25) /* "" AMD BTB untrain RETs through aliasing */ + #define X86_FEATURE_IBPB_ON_VMEXIT (11*32+26) /* "" Issue an IBPB only on VMEXIT */ + #define X86_FEATURE_APIC_MSRS_FENCE (11*32+27) /* "" IA32_TSC_DEADLINE and X2APIC MSRs need fencing */ ++#define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */ ++#define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */ ++#define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */ + + /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ + #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */ +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -708,7 +708,50 @@ static void bsp_init_amd(struct cpuinfo_ + + resctrl_cpu_detect(c); + ++ /* Figure out Zen generations: */ ++ switch (c->x86) { ++ case 0x17: { ++ switch (c->x86_model) { ++ case 0x00 ... 0x2f: ++ case 0x50 ... 0x5f: ++ setup_force_cpu_cap(X86_FEATURE_ZEN); ++ break; ++ case 0x30 ... 0x4f: ++ case 0x60 ... 0x7f: ++ case 0x90 ... 0x91: ++ case 0xa0 ... 0xaf: ++ setup_force_cpu_cap(X86_FEATURE_ZEN2); ++ break; ++ default: ++ goto warn; ++ } ++ break; ++ } ++ case 0x19: { ++ switch (c->x86_model) { ++ case 0x00 ... 0x0f: ++ case 0x20 ... 0x5f: ++ setup_force_cpu_cap(X86_FEATURE_ZEN3); ++ break; ++ case 0x10 ... 0x1f: ++ case 0x60 ... 0xaf: ++ setup_force_cpu_cap(X86_FEATURE_ZEN4); ++ break; ++ default: ++ goto warn; ++ } ++ break; ++ } ++ default: ++ break; ++ } ++ + tsa_init(c); ++ ++ return; ++ ++warn: ++ WARN_ONCE(1, "Family 0x%x, model: 0x%x??\n", c->x86, c->x86_model); + } + + static void early_detect_mem_encrypt(struct cpuinfo_x86 *c) +@@ -1054,8 +1097,6 @@ void init_spectral_chicken(struct cpuinf + + static void init_amd_zn(struct cpuinfo_x86 *c) + { +- set_cpu_cap(c, X86_FEATURE_ZEN); +- + #ifdef CONFIG_NUMA + node_reclaim_distance = 32; + #endif +@@ -1121,6 +1162,22 @@ static void zenbleed_check(struct cpuinf + } + } + ++static void init_amd_zen(struct cpuinfo_x86 *c) ++{ ++} ++ ++static void init_amd_zen2(struct cpuinfo_x86 *c) ++{ ++} ++ ++static void init_amd_zen3(struct cpuinfo_x86 *c) ++{ ++} ++ ++static void init_amd_zen4(struct cpuinfo_x86 *c) ++{ ++} ++ + static void init_amd(struct cpuinfo_x86 *c) + { + early_init_amd(c); +@@ -1155,6 +1212,15 @@ static void init_amd(struct cpuinfo_x86 + case 0x19: init_amd_zn(c); break; + } + ++ if (boot_cpu_has(X86_FEATURE_ZEN)) ++ init_amd_zen(c); ++ else if (boot_cpu_has(X86_FEATURE_ZEN2)) ++ init_amd_zen2(c); ++ else if (boot_cpu_has(X86_FEATURE_ZEN3)) ++ init_amd_zen3(c); ++ else if (boot_cpu_has(X86_FEATURE_ZEN4)) ++ init_amd_zen4(c); ++ + /* + * Enable workaround for FXSAVE leak on CPUs + * without a XSaveErPtr feature diff --git a/queue-5.15/x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch b/queue-5.15/x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch new file mode 100644 index 0000000000..47f71d1a35 --- /dev/null +++ b/queue-5.15/x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch @@ -0,0 +1,50 @@ +From da5cfe21657dcc1135f18b02767f6f52e7e04abb Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Wed, 1 Nov 2023 11:20:01 +0100 +Subject: x86/CPU/AMD: Call the spectral chicken in the Zen2 init function + +From: "Borislav Petkov (AMD)" + +Commit cfbf4f992bfce1fa9f2f347a79cbbea0368e7971 upstream. + +No functional change. + +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Nikolay Borisov +Link: http://lore.kernel.org/r/20231120104152.13740-6-bp@alien8.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/amd.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -1074,10 +1074,8 @@ void init_spectral_chicken(struct cpuinf + * + * This suppresses speculation from the middle of a basic block, i.e. it + * suppresses non-branch predictions. +- * +- * We use STIBP as a heuristic to filter out Zen2 from the rest of F17H + */ +- if (!cpu_has(c, X86_FEATURE_HYPERVISOR) && cpu_has(c, X86_FEATURE_AMD_STIBP)) { ++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) { + if (!rdmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, &value)) { + value |= MSR_ZEN2_SPECTRAL_CHICKEN_BIT; + wrmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, value); +@@ -1168,6 +1166,7 @@ static void init_amd_zen(struct cpuinfo_ + + static void init_amd_zen2(struct cpuinfo_x86 *c) + { ++ init_spectral_chicken(c); + } + + static void init_amd_zen3(struct cpuinfo_x86 *c) +@@ -1207,7 +1206,7 @@ static void init_amd(struct cpuinfo_x86 + case 0x12: init_amd_ln(c); break; + case 0x15: init_amd_bd(c); break; + case 0x16: init_amd_jg(c); break; +- case 0x17: init_spectral_chicken(c); ++ case 0x17: + fallthrough; + case 0x19: init_amd_zn(c); break; + } diff --git a/queue-5.15/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch b/queue-5.15/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch new file mode 100644 index 0000000000..3416220dd9 --- /dev/null +++ b/queue-5.15/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch @@ -0,0 +1,57 @@ +From a88e215025e5fa9cb1f4759aa09f5ff1fcb21b21 Mon Sep 17 00:00:00 2001 +From: Prathyushi Nangia +Date: Tue, 9 Dec 2025 10:01:33 -0600 +Subject: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache + +From: Prathyushi Nangia + +commit c21b90f77687075115d989e53a8ec5e2bb427ab1 upstream. + +Make sure resources are not improperly shared in the op cache and +cause instruction corruption this way. + +Signed-off-by: Prathyushi Nangia +Co-developed-by: Borislav Petkov (AMD) +Signed-off-by: Borislav Petkov (AMD) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/msr-index.h | 1 + + arch/x86/kernel/cpu/amd.c | 3 +++ + tools/arch/x86/include/asm/msr-index.h | 3 +++ + 3 files changed, 7 insertions(+) + +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -580,6 +580,7 @@ + /* Zen4 */ + #define MSR_ZEN4_BP_CFG 0xc001102e + #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5 ++#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33 + + /* Zen 2 */ + #define MSR_ZEN2_SPECTRAL_CHICKEN 0xc00110e3 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -1170,6 +1170,9 @@ static void init_amd_zen2(struct cpuinfo + { + init_amd_zen_common(); + init_spectral_chicken(c); ++ ++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) ++ msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN2_BP_CFG_BUG_FIX_BIT); + } + + static void init_amd_zen3(struct cpuinfo_x86 *c) +--- a/tools/arch/x86/include/asm/msr-index.h ++++ b/tools/arch/x86/include/asm/msr-index.h +@@ -530,6 +530,9 @@ + + #define MSR_AMD64_VIRT_SPEC_CTRL 0xc001011f + ++#define MSR_ZEN4_BP_CFG 0xc001102e ++#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33 ++ + /* Fam 17h MSRs */ + #define MSR_F17H_IRPERF 0xc00000e9 + diff --git a/queue-5.15/x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch b/queue-5.15/x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch new file mode 100644 index 0000000000..e51e9338d0 --- /dev/null +++ b/queue-5.15/x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch @@ -0,0 +1,74 @@ +From d796696ded7ee9fdd5e76a0bb854af0d8f5f9cc7 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Wed, 1 Nov 2023 12:34:29 +0100 +Subject: x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common() + +From: "Borislav Petkov (AMD)" + +Commit 7c81ad8e8bc28a1847e87c5afe1bae6bffb2f73e upstream. + +Call it from all Zen init functions. + +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Nikolay Borisov +Link: http://lore.kernel.org/r/20231120104152.13740-7-bp@alien8.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/amd.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -1093,11 +1093,16 @@ void init_spectral_chicken(struct cpuinf + clear_cpu_cap(c, X86_FEATURE_XSAVES); + } + +-static void init_amd_zn(struct cpuinfo_x86 *c) ++static void init_amd_zen_common(void) + { + #ifdef CONFIG_NUMA + node_reclaim_distance = 32; + #endif ++} ++ ++static void init_amd_zen(struct cpuinfo_x86 *c) ++{ ++ init_amd_zen_common(); + + /* Fix up CPUID bits, but only if not virtualised. */ + if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) { +@@ -1160,21 +1165,20 @@ static void zenbleed_check(struct cpuinf + } + } + +-static void init_amd_zen(struct cpuinfo_x86 *c) +-{ +-} +- + static void init_amd_zen2(struct cpuinfo_x86 *c) + { ++ init_amd_zen_common(); + init_spectral_chicken(c); + } + + static void init_amd_zen3(struct cpuinfo_x86 *c) + { ++ init_amd_zen_common(); + } + + static void init_amd_zen4(struct cpuinfo_x86 *c) + { ++ init_amd_zen_common(); + } + + static void init_amd(struct cpuinfo_x86 *c) +@@ -1206,9 +1210,6 @@ static void init_amd(struct cpuinfo_x86 + case 0x12: init_amd_ln(c); break; + case 0x15: init_amd_bd(c); break; + case 0x16: init_amd_jg(c); break; +- case 0x17: +- fallthrough; +- case 0x19: init_amd_zn(c); break; + } + + if (boot_cpu_has(X86_FEATURE_ZEN)) diff --git a/queue-6.1/ptrace-slightly-saner-get_dumpable-logic.patch b/queue-6.1/ptrace-slightly-saner-get_dumpable-logic.patch new file mode 100644 index 0000000000..7a0efc1893 --- /dev/null +++ b/queue-6.1/ptrace-slightly-saner-get_dumpable-logic.patch @@ -0,0 +1,109 @@ +From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Wed, 13 May 2026 11:37:18 -0700 +Subject: ptrace: slightly saner 'get_dumpable()' logic + +From: Linus Torvalds + +commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream. + +The 'dumpability' of a task is fundamentally about the memory image of +the task - the concept comes from whether it can core dump or not - and +makes no sense when you don't have an associated mm. + +And almost all users do in fact use it only for the case where the task +has a mm pointer. + +But we have one odd special case: ptrace_may_access() uses 'dumpable' to +check various other things entirely independently of the MM (typically +explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for +threads that no longer have a VM (and maybe never did, like most kernel +threads). + +It's not what this flag was designed for, but it is what it is. + +The ptrace code does check that the uid/gid matches, so you do have to +be uid-0 to see kernel thread details, but this means that the +traditional "drop capabilities" model doesn't make any difference for +this all. + +Make it all make a *bit* more sense by saying that if you don't have a +MM pointer, we'll use a cached "last dumpability" flag if the thread +ever had a MM (it will be zero for kernel threads since it is never +set), and require a proper CAP_SYS_PTRACE capability to override. + +Reported-by: Qualys Security Advisory +Cc: Oleg Nesterov +Cc: Kees Cook +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sched.h | 3 +++ + kernel/exit.c | 1 + + kernel/ptrace.c | 22 ++++++++++++++++------ + 3 files changed, 20 insertions(+), 6 deletions(-) + +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -910,6 +910,9 @@ struct task_struct { + */ + unsigned sched_remote_wakeup:1; + ++ /* Save user-dumpable when mm goes away */ ++ unsigned user_dumpable:1; ++ + /* Bit to tell LSMs we're in execve(): */ + unsigned in_execve:1; + unsigned in_iowait:1; +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -555,6 +555,7 @@ static void exit_mm(void) + */ + smp_mb__after_spinlock(); + local_irq_disable(); ++ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER); + current->mm = NULL; + membarrier_update_current_mm(NULL); + enter_lazy_tlb(mm, current); +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -282,11 +282,24 @@ static bool ptrace_has_cap(struct user_n + return ns_capable(ns, CAP_SYS_PTRACE); + } + ++static bool task_still_dumpable(struct task_struct *task, unsigned int mode) ++{ ++ struct mm_struct *mm = task->mm; ++ if (mm) { ++ if (get_dumpable(mm) == SUID_DUMP_USER) ++ return true; ++ return ptrace_has_cap(mm->user_ns, mode); ++ } ++ ++ if (task->user_dumpable) ++ return true; ++ return ptrace_has_cap(&init_user_ns, mode); ++} ++ + /* Returns 0 on success, -errno on denial. */ + static int __ptrace_may_access(struct task_struct *task, unsigned int mode) + { + const struct cred *cred = current_cred(), *tcred; +- struct mm_struct *mm; + kuid_t caller_uid; + kgid_t caller_gid; + +@@ -347,11 +360,8 @@ ok: + * Pairs with a write barrier in commit_creds(). + */ + smp_rmb(); +- mm = task->mm; +- if (mm && +- ((get_dumpable(mm) != SUID_DUMP_USER) && +- !ptrace_has_cap(mm->user_ns, mode))) +- return -EPERM; ++ if (!task_still_dumpable(task, mode)) ++ return -EPERM; + + return security_ptrace_access_check(task, mode); + } diff --git a/queue-6.1/series b/queue-6.1/series new file mode 100644 index 0000000000..07f45522b9 --- /dev/null +++ b/queue-6.1/series @@ -0,0 +1,6 @@ +ptrace-slightly-saner-get_dumpable-logic.patch +x86-cpu-amd-add-zenx-generations-flags.patch +x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch +x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch +x86-cpu-amd-add-x86_feature_zen1.patch +x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch diff --git a/queue-6.1/x86-cpu-amd-add-x86_feature_zen1.patch b/queue-6.1/x86-cpu-amd-add-x86_feature_zen1.patch new file mode 100644 index 0000000000..427bc40e72 --- /dev/null +++ b/queue-6.1/x86-cpu-amd-add-x86_feature_zen1.patch @@ -0,0 +1,92 @@ +From 91b64ab5046a17ed993e2d4260c172538ec79ffc Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Sat, 2 Dec 2023 12:50:23 +0100 +Subject: x86/CPU/AMD: Add X86_FEATURE_ZEN1 + +From: "Borislav Petkov (AMD)" + +Commit 232afb557835d6f6859c73bf610bad308c96b131 upstream. + +Add a synthetic feature flag specifically for first generation Zen +machines. There's need to have a generic flag for all Zen generations so +make X86_FEATURE_ZEN be that flag. + +Fixes: 30fa92832f40 ("x86/CPU/AMD: Add ZenX generations flags") +Suggested-by: Brian Gerst +Suggested-by: Tom Lendacky +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/r/dc3835e3-0731-4230-bbb9-336bbe3d042b@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/cpufeatures.h | 3 ++- + arch/x86/kernel/cpu/amd.c | 9 +++++---- + tools/arch/x86/include/asm/cpufeatures.h | 2 +- + 3 files changed, 8 insertions(+), 6 deletions(-) + +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -219,7 +219,7 @@ + #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ + #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */ + #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ +-#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */ ++#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */ + #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ + #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */ + #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */ +@@ -316,6 +316,7 @@ + #define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */ + #define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */ + #define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */ ++#define X86_FEATURE_ZEN1 (11*32+31) /* "" CPU based on Zen1 microarchitecture */ + + /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ + #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */ +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -685,7 +685,7 @@ static void bsp_init_amd(struct cpuinfo_ + switch (c->x86_model) { + case 0x00 ... 0x2f: + case 0x50 ... 0x5f: +- setup_force_cpu_cap(X86_FEATURE_ZEN); ++ setup_force_cpu_cap(X86_FEATURE_ZEN1); + break; + case 0x30 ... 0x4f: + case 0x60 ... 0x7f: +@@ -1071,12 +1071,13 @@ void init_spectral_chicken(struct cpuinf + + static void init_amd_zen_common(void) + { ++ setup_force_cpu_cap(X86_FEATURE_ZEN); + #ifdef CONFIG_NUMA + node_reclaim_distance = 32; + #endif + } + +-static void init_amd_zen(struct cpuinfo_x86 *c) ++static void init_amd_zen1(struct cpuinfo_x86 *c) + { + init_amd_zen_common(); + +@@ -1188,8 +1189,8 @@ static void init_amd(struct cpuinfo_x86 + case 0x16: init_amd_jg(c); break; + } + +- if (boot_cpu_has(X86_FEATURE_ZEN)) +- init_amd_zen(c); ++ if (boot_cpu_has(X86_FEATURE_ZEN1)) ++ init_amd_zen1(c); + else if (boot_cpu_has(X86_FEATURE_ZEN2)) + init_amd_zen2(c); + else if (boot_cpu_has(X86_FEATURE_ZEN3)) +--- a/tools/arch/x86/include/asm/cpufeatures.h ++++ b/tools/arch/x86/include/asm/cpufeatures.h +@@ -219,7 +219,7 @@ + #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ + #define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */ + #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ +-#define X86_FEATURE_ZEN (7*32+28) /* "" CPU based on Zen microarchitecture */ ++#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */ + #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ + #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */ + #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */ diff --git a/queue-6.1/x86-cpu-amd-add-zenx-generations-flags.patch b/queue-6.1/x86-cpu-amd-add-zenx-generations-flags.patch new file mode 100644 index 0000000000..5b562010ce --- /dev/null +++ b/queue-6.1/x86-cpu-amd-add-zenx-generations-flags.patch @@ -0,0 +1,144 @@ +From fbdee830099d470daddc747d751672b73d8c3b96 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Tue, 31 Oct 2023 23:30:59 +0100 +Subject: x86/CPU/AMD: Add ZenX generations flags + +From: "Borislav Petkov (AMD)" + +Commit 30fa92832f405d5ac9f263e99f62445fa3084008 upstream. + +Add X86_FEATURE flags for each Zen generation. They should be used from +now on instead of checking f/m/s. + +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Nikolay Borisov +Acked-by: Thomas Gleixner +Link: http://lore.kernel.org/r/20231120104152.13740-2-bp@alien8.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/cpufeatures.h | 5 ++ + arch/x86/kernel/cpu/amd.c | 70 +++++++++++++++++++++++++++++++++++-- + 2 files changed, 72 insertions(+), 3 deletions(-) + +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -219,7 +219,7 @@ + #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ + #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */ + #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ +-#define X86_FEATURE_ZEN (7*32+28) /* "" CPU based on Zen microarchitecture */ ++#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */ + #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ + #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */ + #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */ +@@ -313,6 +313,9 @@ + #define X86_FEATURE_SRSO_ALIAS (11*32+25) /* "" AMD BTB untrain RETs through aliasing */ + #define X86_FEATURE_IBPB_ON_VMEXIT (11*32+26) /* "" Issue an IBPB only on VMEXIT */ + #define X86_FEATURE_APIC_MSRS_FENCE (11*32+27) /* "" IA32_TSC_DEADLINE and X2APIC MSRs need fencing */ ++#define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */ ++#define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */ ++#define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */ + + /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ + #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */ +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -679,7 +679,50 @@ static void bsp_init_amd(struct cpuinfo_ + + resctrl_cpu_detect(c); + ++ /* Figure out Zen generations: */ ++ switch (c->x86) { ++ case 0x17: { ++ switch (c->x86_model) { ++ case 0x00 ... 0x2f: ++ case 0x50 ... 0x5f: ++ setup_force_cpu_cap(X86_FEATURE_ZEN); ++ break; ++ case 0x30 ... 0x4f: ++ case 0x60 ... 0x7f: ++ case 0x90 ... 0x91: ++ case 0xa0 ... 0xaf: ++ setup_force_cpu_cap(X86_FEATURE_ZEN2); ++ break; ++ default: ++ goto warn; ++ } ++ break; ++ } ++ case 0x19: { ++ switch (c->x86_model) { ++ case 0x00 ... 0x0f: ++ case 0x20 ... 0x5f: ++ setup_force_cpu_cap(X86_FEATURE_ZEN3); ++ break; ++ case 0x10 ... 0x1f: ++ case 0x60 ... 0xaf: ++ setup_force_cpu_cap(X86_FEATURE_ZEN4); ++ break; ++ default: ++ goto warn; ++ } ++ break; ++ } ++ default: ++ break; ++ } ++ + tsa_init(c); ++ ++ return; ++ ++warn: ++ WARN_ONCE(1, "Family 0x%x, model: 0x%x??\n", c->x86, c->x86_model); + } + + static void early_detect_mem_encrypt(struct cpuinfo_x86 *c) +@@ -1030,8 +1073,6 @@ void init_spectral_chicken(struct cpuinf + + static void init_amd_zn(struct cpuinfo_x86 *c) + { +- set_cpu_cap(c, X86_FEATURE_ZEN); +- + #ifdef CONFIG_NUMA + node_reclaim_distance = 32; + #endif +@@ -1097,6 +1138,22 @@ static void zenbleed_check(struct cpuinf + } + } + ++static void init_amd_zen(struct cpuinfo_x86 *c) ++{ ++} ++ ++static void init_amd_zen2(struct cpuinfo_x86 *c) ++{ ++} ++ ++static void init_amd_zen3(struct cpuinfo_x86 *c) ++{ ++} ++ ++static void init_amd_zen4(struct cpuinfo_x86 *c) ++{ ++} ++ + static void init_amd(struct cpuinfo_x86 *c) + { + early_init_amd(c); +@@ -1131,6 +1188,15 @@ static void init_amd(struct cpuinfo_x86 + case 0x19: init_amd_zn(c); break; + } + ++ if (boot_cpu_has(X86_FEATURE_ZEN)) ++ init_amd_zen(c); ++ else if (boot_cpu_has(X86_FEATURE_ZEN2)) ++ init_amd_zen2(c); ++ else if (boot_cpu_has(X86_FEATURE_ZEN3)) ++ init_amd_zen3(c); ++ else if (boot_cpu_has(X86_FEATURE_ZEN4)) ++ init_amd_zen4(c); ++ + /* + * Enable workaround for FXSAVE leak on CPUs + * without a XSaveErPtr feature diff --git a/queue-6.1/x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch b/queue-6.1/x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch new file mode 100644 index 0000000000..6ef1558571 --- /dev/null +++ b/queue-6.1/x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch @@ -0,0 +1,50 @@ +From 242bba6bdd3de751556194de4951cf4d95dd8945 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Wed, 1 Nov 2023 11:20:01 +0100 +Subject: x86/CPU/AMD: Call the spectral chicken in the Zen2 init function + +From: "Borislav Petkov (AMD)" + +Commit cfbf4f992bfce1fa9f2f347a79cbbea0368e7971 upstream. + +No functional change. + +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Nikolay Borisov +Link: http://lore.kernel.org/r/20231120104152.13740-6-bp@alien8.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/amd.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -1050,10 +1050,8 @@ void init_spectral_chicken(struct cpuinf + * + * This suppresses speculation from the middle of a basic block, i.e. it + * suppresses non-branch predictions. +- * +- * We use STIBP as a heuristic to filter out Zen2 from the rest of F17H + */ +- if (!cpu_has(c, X86_FEATURE_HYPERVISOR) && cpu_has(c, X86_FEATURE_AMD_STIBP)) { ++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) { + if (!rdmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, &value)) { + value |= MSR_ZEN2_SPECTRAL_CHICKEN_BIT; + wrmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, value); +@@ -1144,6 +1142,7 @@ static void init_amd_zen(struct cpuinfo_ + + static void init_amd_zen2(struct cpuinfo_x86 *c) + { ++ init_spectral_chicken(c); + } + + static void init_amd_zen3(struct cpuinfo_x86 *c) +@@ -1183,7 +1182,7 @@ static void init_amd(struct cpuinfo_x86 + case 0x12: init_amd_ln(c); break; + case 0x15: init_amd_bd(c); break; + case 0x16: init_amd_jg(c); break; +- case 0x17: init_spectral_chicken(c); ++ case 0x17: + fallthrough; + case 0x19: init_amd_zn(c); break; + } diff --git a/queue-6.1/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch b/queue-6.1/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch new file mode 100644 index 0000000000..385b88f809 --- /dev/null +++ b/queue-6.1/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch @@ -0,0 +1,57 @@ +From 1ea83dfe1569d2c5699e668d70a5fcbb174aa744 Mon Sep 17 00:00:00 2001 +From: Prathyushi Nangia +Date: Tue, 9 Dec 2025 10:01:33 -0600 +Subject: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache + +From: Prathyushi Nangia + +commit c21b90f77687075115d989e53a8ec5e2bb427ab1 upstream. + +Make sure resources are not improperly shared in the op cache and +cause instruction corruption this way. + +Signed-off-by: Prathyushi Nangia +Co-developed-by: Borislav Petkov (AMD) +Signed-off-by: Borislav Petkov (AMD) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/msr-index.h | 1 + + arch/x86/kernel/cpu/amd.c | 3 +++ + tools/arch/x86/include/asm/msr-index.h | 3 +++ + 3 files changed, 7 insertions(+) + +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -672,6 +672,7 @@ + /* Zen4 */ + #define MSR_ZEN4_BP_CFG 0xc001102e + #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5 ++#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33 + + /* Zen 2 */ + #define MSR_ZEN2_SPECTRAL_CHICKEN 0xc00110e3 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -1146,6 +1146,9 @@ static void init_amd_zen2(struct cpuinfo + { + init_amd_zen_common(); + init_spectral_chicken(c); ++ ++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) ++ msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN2_BP_CFG_BUG_FIX_BIT); + } + + static void init_amd_zen3(struct cpuinfo_x86 *c) +--- a/tools/arch/x86/include/asm/msr-index.h ++++ b/tools/arch/x86/include/asm/msr-index.h +@@ -598,6 +598,9 @@ + /* AMD Last Branch Record MSRs */ + #define MSR_AMD64_LBR_SELECT 0xc000010e + ++#define MSR_ZEN4_BP_CFG 0xc001102e ++#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33 ++ + /* Fam 17h MSRs */ + #define MSR_F17H_IRPERF 0xc00000e9 + diff --git a/queue-6.1/x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch b/queue-6.1/x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch new file mode 100644 index 0000000000..16244d5674 --- /dev/null +++ b/queue-6.1/x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch @@ -0,0 +1,74 @@ +From da1bf81de5808bee1bf70bd234f2bfa58d5e1671 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Wed, 1 Nov 2023 12:34:29 +0100 +Subject: x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common() + +From: "Borislav Petkov (AMD)" + +Commit 7c81ad8e8bc28a1847e87c5afe1bae6bffb2f73e upstream. + +Call it from all Zen init functions. + +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Nikolay Borisov +Link: http://lore.kernel.org/r/20231120104152.13740-7-bp@alien8.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/amd.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -1069,11 +1069,16 @@ void init_spectral_chicken(struct cpuinf + clear_cpu_cap(c, X86_FEATURE_XSAVES); + } + +-static void init_amd_zn(struct cpuinfo_x86 *c) ++static void init_amd_zen_common(void) + { + #ifdef CONFIG_NUMA + node_reclaim_distance = 32; + #endif ++} ++ ++static void init_amd_zen(struct cpuinfo_x86 *c) ++{ ++ init_amd_zen_common(); + + /* Fix up CPUID bits, but only if not virtualised. */ + if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) { +@@ -1136,21 +1141,20 @@ static void zenbleed_check(struct cpuinf + } + } + +-static void init_amd_zen(struct cpuinfo_x86 *c) +-{ +-} +- + static void init_amd_zen2(struct cpuinfo_x86 *c) + { ++ init_amd_zen_common(); + init_spectral_chicken(c); + } + + static void init_amd_zen3(struct cpuinfo_x86 *c) + { ++ init_amd_zen_common(); + } + + static void init_amd_zen4(struct cpuinfo_x86 *c) + { ++ init_amd_zen_common(); + } + + static void init_amd(struct cpuinfo_x86 *c) +@@ -1182,9 +1186,6 @@ static void init_amd(struct cpuinfo_x86 + case 0x12: init_amd_ln(c); break; + case 0x15: init_amd_bd(c); break; + case 0x16: init_amd_jg(c); break; +- case 0x17: +- fallthrough; +- case 0x19: init_amd_zn(c); break; + } + + if (boot_cpu_has(X86_FEATURE_ZEN)) diff --git a/queue-6.12/ptrace-slightly-saner-get_dumpable-logic.patch b/queue-6.12/ptrace-slightly-saner-get_dumpable-logic.patch new file mode 100644 index 0000000000..c558dacb51 --- /dev/null +++ b/queue-6.12/ptrace-slightly-saner-get_dumpable-logic.patch @@ -0,0 +1,109 @@ +From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Wed, 13 May 2026 11:37:18 -0700 +Subject: ptrace: slightly saner 'get_dumpable()' logic + +From: Linus Torvalds + +commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream. + +The 'dumpability' of a task is fundamentally about the memory image of +the task - the concept comes from whether it can core dump or not - and +makes no sense when you don't have an associated mm. + +And almost all users do in fact use it only for the case where the task +has a mm pointer. + +But we have one odd special case: ptrace_may_access() uses 'dumpable' to +check various other things entirely independently of the MM (typically +explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for +threads that no longer have a VM (and maybe never did, like most kernel +threads). + +It's not what this flag was designed for, but it is what it is. + +The ptrace code does check that the uid/gid matches, so you do have to +be uid-0 to see kernel thread details, but this means that the +traditional "drop capabilities" model doesn't make any difference for +this all. + +Make it all make a *bit* more sense by saying that if you don't have a +MM pointer, we'll use a cached "last dumpability" flag if the thread +ever had a MM (it will be zero for kernel threads since it is never +set), and require a proper CAP_SYS_PTRACE capability to override. + +Reported-by: Qualys Security Advisory +Cc: Oleg Nesterov +Cc: Kees Cook +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sched.h | 3 +++ + kernel/exit.c | 1 + + kernel/ptrace.c | 22 ++++++++++++++++------ + 3 files changed, 20 insertions(+), 6 deletions(-) + +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -969,6 +969,9 @@ struct task_struct { + unsigned sched_rt_mutex:1; + #endif + ++ /* Save user-dumpable when mm goes away */ ++ unsigned user_dumpable:1; ++ + /* Bit to tell TOMOYO we're in execve(): */ + unsigned in_execve:1; + unsigned in_iowait:1; +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -561,6 +561,7 @@ static void exit_mm(void) + */ + smp_mb__after_spinlock(); + local_irq_disable(); ++ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER); + current->mm = NULL; + membarrier_update_current_mm(NULL); + enter_lazy_tlb(mm, current); +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -272,11 +272,24 @@ static bool ptrace_has_cap(struct user_n + return ns_capable(ns, CAP_SYS_PTRACE); + } + ++static bool task_still_dumpable(struct task_struct *task, unsigned int mode) ++{ ++ struct mm_struct *mm = task->mm; ++ if (mm) { ++ if (get_dumpable(mm) == SUID_DUMP_USER) ++ return true; ++ return ptrace_has_cap(mm->user_ns, mode); ++ } ++ ++ if (task->user_dumpable) ++ return true; ++ return ptrace_has_cap(&init_user_ns, mode); ++} ++ + /* Returns 0 on success, -errno on denial. */ + static int __ptrace_may_access(struct task_struct *task, unsigned int mode) + { + const struct cred *cred = current_cred(), *tcred; +- struct mm_struct *mm; + kuid_t caller_uid; + kgid_t caller_gid; + +@@ -337,11 +350,8 @@ ok: + * Pairs with a write barrier in commit_creds(). + */ + smp_rmb(); +- mm = task->mm; +- if (mm && +- ((get_dumpable(mm) != SUID_DUMP_USER) && +- !ptrace_has_cap(mm->user_ns, mode))) +- return -EPERM; ++ if (!task_still_dumpable(task, mode)) ++ return -EPERM; + + return security_ptrace_access_check(task, mode); + } diff --git a/queue-6.12/series b/queue-6.12/series new file mode 100644 index 0000000000..fe11e174df --- /dev/null +++ b/queue-6.12/series @@ -0,0 +1 @@ +ptrace-slightly-saner-get_dumpable-logic.patch diff --git a/queue-6.18/ptrace-slightly-saner-get_dumpable-logic.patch b/queue-6.18/ptrace-slightly-saner-get_dumpable-logic.patch new file mode 100644 index 0000000000..7a7dc111db --- /dev/null +++ b/queue-6.18/ptrace-slightly-saner-get_dumpable-logic.patch @@ -0,0 +1,109 @@ +From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Wed, 13 May 2026 11:37:18 -0700 +Subject: ptrace: slightly saner 'get_dumpable()' logic + +From: Linus Torvalds + +commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream. + +The 'dumpability' of a task is fundamentally about the memory image of +the task - the concept comes from whether it can core dump or not - and +makes no sense when you don't have an associated mm. + +And almost all users do in fact use it only for the case where the task +has a mm pointer. + +But we have one odd special case: ptrace_may_access() uses 'dumpable' to +check various other things entirely independently of the MM (typically +explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for +threads that no longer have a VM (and maybe never did, like most kernel +threads). + +It's not what this flag was designed for, but it is what it is. + +The ptrace code does check that the uid/gid matches, so you do have to +be uid-0 to see kernel thread details, but this means that the +traditional "drop capabilities" model doesn't make any difference for +this all. + +Make it all make a *bit* more sense by saying that if you don't have a +MM pointer, we'll use a cached "last dumpability" flag if the thread +ever had a MM (it will be zero for kernel threads since it is never +set), and require a proper CAP_SYS_PTRACE capability to override. + +Reported-by: Qualys Security Advisory +Cc: Oleg Nesterov +Cc: Kees Cook +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sched.h | 3 +++ + kernel/exit.c | 1 + + kernel/ptrace.c | 22 ++++++++++++++++------ + 3 files changed, 20 insertions(+), 6 deletions(-) + +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -1003,6 +1003,9 @@ struct task_struct { + unsigned sched_rt_mutex:1; + #endif + ++ /* Save user-dumpable when mm goes away */ ++ unsigned user_dumpable:1; ++ + /* Bit to tell TOMOYO we're in execve(): */ + unsigned in_execve:1; + unsigned in_iowait:1; +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -572,6 +572,7 @@ static void exit_mm(void) + */ + smp_mb__after_spinlock(); + local_irq_disable(); ++ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER); + current->mm = NULL; + membarrier_update_current_mm(NULL); + enter_lazy_tlb(mm, current); +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -272,11 +272,24 @@ static bool ptrace_has_cap(struct user_n + return ns_capable(ns, CAP_SYS_PTRACE); + } + ++static bool task_still_dumpable(struct task_struct *task, unsigned int mode) ++{ ++ struct mm_struct *mm = task->mm; ++ if (mm) { ++ if (get_dumpable(mm) == SUID_DUMP_USER) ++ return true; ++ return ptrace_has_cap(mm->user_ns, mode); ++ } ++ ++ if (task->user_dumpable) ++ return true; ++ return ptrace_has_cap(&init_user_ns, mode); ++} ++ + /* Returns 0 on success, -errno on denial. */ + static int __ptrace_may_access(struct task_struct *task, unsigned int mode) + { + const struct cred *cred = current_cred(), *tcred; +- struct mm_struct *mm; + kuid_t caller_uid; + kgid_t caller_gid; + +@@ -337,11 +350,8 @@ ok: + * Pairs with a write barrier in commit_creds(). + */ + smp_rmb(); +- mm = task->mm; +- if (mm && +- ((get_dumpable(mm) != SUID_DUMP_USER) && +- !ptrace_has_cap(mm->user_ns, mode))) +- return -EPERM; ++ if (!task_still_dumpable(task, mode)) ++ return -EPERM; + + return security_ptrace_access_check(task, mode); + } diff --git a/queue-6.18/series b/queue-6.18/series new file mode 100644 index 0000000000..fe11e174df --- /dev/null +++ b/queue-6.18/series @@ -0,0 +1 @@ +ptrace-slightly-saner-get_dumpable-logic.patch diff --git a/queue-6.6/ptrace-slightly-saner-get_dumpable-logic.patch b/queue-6.6/ptrace-slightly-saner-get_dumpable-logic.patch new file mode 100644 index 0000000000..c805c00c11 --- /dev/null +++ b/queue-6.6/ptrace-slightly-saner-get_dumpable-logic.patch @@ -0,0 +1,109 @@ +From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Wed, 13 May 2026 11:37:18 -0700 +Subject: ptrace: slightly saner 'get_dumpable()' logic + +From: Linus Torvalds + +commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream. + +The 'dumpability' of a task is fundamentally about the memory image of +the task - the concept comes from whether it can core dump or not - and +makes no sense when you don't have an associated mm. + +And almost all users do in fact use it only for the case where the task +has a mm pointer. + +But we have one odd special case: ptrace_may_access() uses 'dumpable' to +check various other things entirely independently of the MM (typically +explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for +threads that no longer have a VM (and maybe never did, like most kernel +threads). + +It's not what this flag was designed for, but it is what it is. + +The ptrace code does check that the uid/gid matches, so you do have to +be uid-0 to see kernel thread details, but this means that the +traditional "drop capabilities" model doesn't make any difference for +this all. + +Make it all make a *bit* more sense by saying that if you don't have a +MM pointer, we'll use a cached "last dumpability" flag if the thread +ever had a MM (it will be zero for kernel threads since it is never +set), and require a proper CAP_SYS_PTRACE capability to override. + +Reported-by: Qualys Security Advisory +Cc: Oleg Nesterov +Cc: Kees Cook +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sched.h | 3 +++ + kernel/exit.c | 1 + + kernel/ptrace.c | 22 ++++++++++++++++------ + 3 files changed, 20 insertions(+), 6 deletions(-) + +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -916,6 +916,9 @@ struct task_struct { + */ + unsigned sched_remote_wakeup:1; + ++ /* Save user-dumpable when mm goes away */ ++ unsigned user_dumpable:1; ++ + /* Bit to tell LSMs we're in execve(): */ + unsigned in_execve:1; + unsigned in_iowait:1; +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -559,6 +559,7 @@ static void exit_mm(void) + */ + smp_mb__after_spinlock(); + local_irq_disable(); ++ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER); + current->mm = NULL; + membarrier_update_current_mm(NULL); + enter_lazy_tlb(mm, current); +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -283,11 +283,24 @@ static bool ptrace_has_cap(struct user_n + return ns_capable(ns, CAP_SYS_PTRACE); + } + ++static bool task_still_dumpable(struct task_struct *task, unsigned int mode) ++{ ++ struct mm_struct *mm = task->mm; ++ if (mm) { ++ if (get_dumpable(mm) == SUID_DUMP_USER) ++ return true; ++ return ptrace_has_cap(mm->user_ns, mode); ++ } ++ ++ if (task->user_dumpable) ++ return true; ++ return ptrace_has_cap(&init_user_ns, mode); ++} ++ + /* Returns 0 on success, -errno on denial. */ + static int __ptrace_may_access(struct task_struct *task, unsigned int mode) + { + const struct cred *cred = current_cred(), *tcred; +- struct mm_struct *mm; + kuid_t caller_uid; + kgid_t caller_gid; + +@@ -348,11 +361,8 @@ ok: + * Pairs with a write barrier in commit_creds(). + */ + smp_rmb(); +- mm = task->mm; +- if (mm && +- ((get_dumpable(mm) != SUID_DUMP_USER) && +- !ptrace_has_cap(mm->user_ns, mode))) +- return -EPERM; ++ if (!task_still_dumpable(task, mode)) ++ return -EPERM; + + return security_ptrace_access_check(task, mode); + } diff --git a/queue-6.6/series b/queue-6.6/series new file mode 100644 index 0000000000..ec39d00eb3 --- /dev/null +++ b/queue-6.6/series @@ -0,0 +1,2 @@ +ptrace-slightly-saner-get_dumpable-logic.patch +x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch diff --git a/queue-6.6/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch b/queue-6.6/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch new file mode 100644 index 0000000000..2fedbb37e6 --- /dev/null +++ b/queue-6.6/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch @@ -0,0 +1,57 @@ +From f160936aec2e9f80000d7ea606501b1f68d05e15 Mon Sep 17 00:00:00 2001 +From: Prathyushi Nangia +Date: Tue, 9 Dec 2025 10:01:33 -0600 +Subject: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache + +From: Prathyushi Nangia + +commit c21b90f77687075115d989e53a8ec5e2bb427ab1 upstream. + +Make sure resources are not improperly shared in the op cache and +cause instruction corruption this way. + +Signed-off-by: Prathyushi Nangia +Co-developed-by: Borislav Petkov (AMD) +Signed-off-by: Borislav Petkov (AMD) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/msr-index.h | 1 + + arch/x86/kernel/cpu/amd.c | 3 +++ + tools/arch/x86/include/asm/msr-index.h | 3 +++ + 3 files changed, 7 insertions(+) + +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -675,6 +675,7 @@ + /* Zen4 */ + #define MSR_ZEN4_BP_CFG 0xc001102e + #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5 ++#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33 + + /* Zen 2 */ + #define MSR_ZEN2_SPECTRAL_CHICKEN 0xc00110e3 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -1166,6 +1166,9 @@ static void init_amd_zen2(struct cpuinfo + msr_clear_bit(MSR_AMD64_CPUID_FN_7, 18); + pr_emerg("RDSEED is not reliable on this platform; disabling.\n"); + } ++ ++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) ++ msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN2_BP_CFG_BUG_FIX_BIT); + } + + static void init_amd_zen3(struct cpuinfo_x86 *c) +--- a/tools/arch/x86/include/asm/msr-index.h ++++ b/tools/arch/x86/include/asm/msr-index.h +@@ -638,6 +638,9 @@ + /* AMD Last Branch Record MSRs */ + #define MSR_AMD64_LBR_SELECT 0xc000010e + ++#define MSR_ZEN4_BP_CFG 0xc001102e ++#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33 ++ + /* Fam 17h MSRs */ + #define MSR_F17H_IRPERF 0xc00000e9 + diff --git a/queue-7.0/ptrace-slightly-saner-get_dumpable-logic.patch b/queue-7.0/ptrace-slightly-saner-get_dumpable-logic.patch new file mode 100644 index 0000000000..ba24fe717d --- /dev/null +++ b/queue-7.0/ptrace-slightly-saner-get_dumpable-logic.patch @@ -0,0 +1,109 @@ +From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Wed, 13 May 2026 11:37:18 -0700 +Subject: ptrace: slightly saner 'get_dumpable()' logic + +From: Linus Torvalds + +commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream. + +The 'dumpability' of a task is fundamentally about the memory image of +the task - the concept comes from whether it can core dump or not - and +makes no sense when you don't have an associated mm. + +And almost all users do in fact use it only for the case where the task +has a mm pointer. + +But we have one odd special case: ptrace_may_access() uses 'dumpable' to +check various other things entirely independently of the MM (typically +explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for +threads that no longer have a VM (and maybe never did, like most kernel +threads). + +It's not what this flag was designed for, but it is what it is. + +The ptrace code does check that the uid/gid matches, so you do have to +be uid-0 to see kernel thread details, but this means that the +traditional "drop capabilities" model doesn't make any difference for +this all. + +Make it all make a *bit* more sense by saying that if you don't have a +MM pointer, we'll use a cached "last dumpability" flag if the thread +ever had a MM (it will be zero for kernel threads since it is never +set), and require a proper CAP_SYS_PTRACE capability to override. + +Reported-by: Qualys Security Advisory +Cc: Oleg Nesterov +Cc: Kees Cook +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sched.h | 3 +++ + kernel/exit.c | 1 + + kernel/ptrace.c | 22 ++++++++++++++++------ + 3 files changed, 20 insertions(+), 6 deletions(-) + +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -998,6 +998,9 @@ struct task_struct { + unsigned sched_rt_mutex:1; + #endif + ++ /* Save user-dumpable when mm goes away */ ++ unsigned user_dumpable:1; ++ + /* Bit to tell TOMOYO we're in execve(): */ + unsigned in_execve:1; + unsigned in_iowait:1; +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -571,6 +571,7 @@ static void exit_mm(void) + */ + smp_mb__after_spinlock(); + local_irq_disable(); ++ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER); + current->mm = NULL; + membarrier_update_current_mm(NULL); + enter_lazy_tlb(mm, current); +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -272,11 +272,24 @@ static bool ptrace_has_cap(struct user_n + return ns_capable(ns, CAP_SYS_PTRACE); + } + ++static bool task_still_dumpable(struct task_struct *task, unsigned int mode) ++{ ++ struct mm_struct *mm = task->mm; ++ if (mm) { ++ if (get_dumpable(mm) == SUID_DUMP_USER) ++ return true; ++ return ptrace_has_cap(mm->user_ns, mode); ++ } ++ ++ if (task->user_dumpable) ++ return true; ++ return ptrace_has_cap(&init_user_ns, mode); ++} ++ + /* Returns 0 on success, -errno on denial. */ + static int __ptrace_may_access(struct task_struct *task, unsigned int mode) + { + const struct cred *cred = current_cred(), *tcred; +- struct mm_struct *mm; + kuid_t caller_uid; + kgid_t caller_gid; + +@@ -337,11 +350,8 @@ ok: + * Pairs with a write barrier in commit_creds(). + */ + smp_rmb(); +- mm = task->mm; +- if (mm && +- ((get_dumpable(mm) != SUID_DUMP_USER) && +- !ptrace_has_cap(mm->user_ns, mode))) +- return -EPERM; ++ if (!task_still_dumpable(task, mode)) ++ return -EPERM; + + return security_ptrace_access_check(task, mode); + } diff --git a/queue-7.0/series b/queue-7.0/series new file mode 100644 index 0000000000..fe11e174df --- /dev/null +++ b/queue-7.0/series @@ -0,0 +1 @@ +ptrace-slightly-saner-get_dumpable-logic.patch