+++ /dev/null
-From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Wed, 13 May 2026 11:37:18 -0700
-Subject: ptrace: slightly saner 'get_dumpable()' logic
-
-From: Linus Torvalds <torvalds@linux-foundation.org>
-
-commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream.
-
-The 'dumpability' of a task is fundamentally about the memory image of
-the task - the concept comes from whether it can core dump or not - and
-makes no sense when you don't have an associated mm.
-
-And almost all users do in fact use it only for the case where the task
-has a mm pointer.
-
-But we have one odd special case: ptrace_may_access() uses 'dumpable' to
-check various other things entirely independently of the MM (typically
-explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
-threads that no longer have a VM (and maybe never did, like most kernel
-threads).
-
-It's not what this flag was designed for, but it is what it is.
-
-The ptrace code does check that the uid/gid matches, so you do have to
-be uid-0 to see kernel thread details, but this means that the
-traditional "drop capabilities" model doesn't make any difference for
-this all.
-
-Make it all make a *bit* more sense by saying that if you don't have a
-MM pointer, we'll use a cached "last dumpability" flag if the thread
-ever had a MM (it will be zero for kernel threads since it is never
-set), and require a proper CAP_SYS_PTRACE capability to override.
-
-Reported-by: Qualys Security Advisory <qsa@qualys.com>
-Cc: Oleg Nesterov <oleg@redhat.com>
-Cc: Kees Cook <kees@kernel.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/sched.h | 3 +++
- kernel/exit.c | 1 +
- kernel/ptrace.c | 22 ++++++++++++++++------
- 3 files changed, 20 insertions(+), 6 deletions(-)
-
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -805,6 +805,9 @@ struct task_struct {
- */
- unsigned sched_remote_wakeup:1;
-
-+ /* Save user-dumpable when mm goes away */
-+ unsigned user_dumpable:1;
-+
- /* Bit to tell LSMs we're in execve(): */
- unsigned in_execve:1;
- unsigned in_iowait:1;
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -528,6 +528,7 @@ static void exit_mm(void)
- BUG_ON(mm != current->active_mm);
- /* more a memory barrier than a real lock */
- task_lock(current);
-+ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER);
- current->mm = NULL;
- mmap_read_unlock(mm);
- enter_lazy_tlb(mm, current);
---- a/kernel/ptrace.c
-+++ b/kernel/ptrace.c
-@@ -287,11 +287,24 @@ static bool ptrace_has_cap(struct user_n
- return ns_capable(ns, CAP_SYS_PTRACE);
- }
-
-+static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
-+{
-+ struct mm_struct *mm = task->mm;
-+ if (mm) {
-+ if (get_dumpable(mm) == SUID_DUMP_USER)
-+ return true;
-+ return ptrace_has_cap(mm->user_ns, mode);
-+ }
-+
-+ if (task->user_dumpable)
-+ return true;
-+ return ptrace_has_cap(&init_user_ns, mode);
-+}
-+
- /* Returns 0 on success, -errno on denial. */
- static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
- {
- const struct cred *cred = current_cred(), *tcred;
-- struct mm_struct *mm;
- kuid_t caller_uid;
- kgid_t caller_gid;
-
-@@ -352,11 +365,8 @@ ok:
- * Pairs with a write barrier in commit_creds().
- */
- smp_rmb();
-- mm = task->mm;
-- if (mm &&
-- ((get_dumpable(mm) != SUID_DUMP_USER) &&
-- !ptrace_has_cap(mm->user_ns, mode)))
-- return -EPERM;
-+ if (!task_still_dumpable(task, mode))
-+ return -EPERM;
-
- return security_ptrace_access_check(task, mode);
- }
fbdev-udlfb-add-vm_ops-to-dlfb_ops_mmap-to-prevent-use-after-free.patch
acpi-video-force-native-backlight-on-hp-omen-16-8a44.patch
spi-rockchip-fix-controller-deregistration.patch
-x86-cpu-amd-add-zenx-generations-flags.patch
-x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch
-x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch
-x86-cpu-amd-add-x86_feature_zen1.patch
net-sched-sch_red-replace-direct-dequeue-call-with-peek-and-qdisc_dequeue_peeked.patch
ipmi-ssif-fix-a-shutdown-race.patch
ipmi-ssif-clean-up-kthread-on-errors.patch
rdma-ocrdma-don-t-null-deref-uctx-on-errors-in-ocrdma_copy_pd_uresp.patch
rdma-rxe-reject-unknown-opcodes-before-icrc-processing.patch
rdma-vmw_pvrdma-fix-double-free-on-pvrdma_alloc_ucontext-error-path.patch
-x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch
-ptrace-slightly-saner-get_dumpable-logic.patch
media-uvcvideo-enable-vb2_dmabuf-for-metadata-stream.patch
staging-media-atomisp-disallow-all-private-ioctls.patch
regulator-max77650-fix-of-node-reference-imbalance.patch
+++ /dev/null
-From 8b11c9f96a0ddb679c11e4a8f2d8dae52e9c15af Mon Sep 17 00:00:00 2001
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-Date: Sat, 2 Dec 2023 12:50:23 +0100
-Subject: x86/CPU/AMD: Add X86_FEATURE_ZEN1
-
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-
-Commit 232afb557835d6f6859c73bf610bad308c96b131 upstream.
-
-Add a synthetic feature flag specifically for first generation Zen
-machines. There's need to have a generic flag for all Zen generations so
-make X86_FEATURE_ZEN be that flag.
-
-Fixes: 30fa92832f40 ("x86/CPU/AMD: Add ZenX generations flags")
-Suggested-by: Brian Gerst <brgerst@gmail.com>
-Suggested-by: Tom Lendacky <thomas.lendacky@amd.com>
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Link: https://lore.kernel.org/r/dc3835e3-0731-4230-bbb9-336bbe3d042b@amd.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/cpufeatures.h | 3 ++-
- arch/x86/kernel/cpu/amd.c | 9 +++++----
- tools/arch/x86/include/asm/cpufeatures.h | 2 +-
- 3 files changed, 8 insertions(+), 6 deletions(-)
-
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -219,7 +219,7 @@
- #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
- #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */
- #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
--#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */
-+#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */
- #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
- #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
- #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */
-@@ -309,6 +309,7 @@
- #define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */
- #define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */
- #define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */
-+#define X86_FEATURE_ZEN1 (11*32+31) /* "" CPU based on Zen1 microarchitecture */
-
- /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
- #define X86_FEATURE_AVX512_BF16 (12*32+ 5) /* AVX512 BFLOAT16 instructions */
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -741,7 +741,7 @@ static void bsp_init_amd(struct cpuinfo_
- switch (c->x86_model) {
- case 0x00 ... 0x2f:
- case 0x50 ... 0x5f:
-- setup_force_cpu_cap(X86_FEATURE_ZEN);
-+ setup_force_cpu_cap(X86_FEATURE_ZEN1);
- break;
- case 0x30 ... 0x4f:
- case 0x60 ... 0x7f:
-@@ -1122,12 +1122,13 @@ void init_spectral_chicken(struct cpuinf
-
- static void init_amd_zen_common(void)
- {
-+ setup_force_cpu_cap(X86_FEATURE_ZEN);
- #ifdef CONFIG_NUMA
- node_reclaim_distance = 32;
- #endif
- }
-
--static void init_amd_zen(struct cpuinfo_x86 *c)
-+static void init_amd_zen1(struct cpuinfo_x86 *c)
- {
- init_amd_zen_common();
-
-@@ -1239,8 +1240,8 @@ static void init_amd(struct cpuinfo_x86
- case 0x16: init_amd_jg(c); break;
- }
-
-- if (boot_cpu_has(X86_FEATURE_ZEN))
-- init_amd_zen(c);
-+ if (boot_cpu_has(X86_FEATURE_ZEN1))
-+ init_amd_zen1(c);
- else if (boot_cpu_has(X86_FEATURE_ZEN2))
- init_amd_zen2(c);
- else if (boot_cpu_has(X86_FEATURE_ZEN3))
---- a/tools/arch/x86/include/asm/cpufeatures.h
-+++ b/tools/arch/x86/include/asm/cpufeatures.h
-@@ -219,7 +219,7 @@
- #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
- #define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */
- #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
--#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 or above (Zen) */
-+#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */
- #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
- #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
- #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */
+++ /dev/null
-From 0505eb46841c27ea9767b7b6270862f29deafc02 Mon Sep 17 00:00:00 2001
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-Date: Tue, 31 Oct 2023 23:30:59 +0100
-Subject: x86/CPU/AMD: Add ZenX generations flags
-
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-
-Commit 30fa92832f405d5ac9f263e99f62445fa3084008 upstream.
-
-Add X86_FEATURE flags for each Zen generation. They should be used from
-now on instead of checking f/m/s.
-
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
-Acked-by: Thomas Gleixner <tglx@linutronix.de>
-Link: http://lore.kernel.org/r/20231120104152.13740-2-bp@alien8.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/cpufeatures.h | 5 ++
- arch/x86/kernel/cpu/amd.c | 70 +++++++++++++++++++++++++++++++++++--
- 2 files changed, 72 insertions(+), 3 deletions(-)
-
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -219,7 +219,7 @@
- #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
- #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */
- #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
--#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 or above (Zen) */
-+#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */
- #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
- #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
- #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */
-@@ -306,6 +306,9 @@
- #define X86_FEATURE_SRSO_ALIAS (11*32+25) /* "" AMD BTB untrain RETs through aliasing */
- #define X86_FEATURE_IBPB_ON_VMEXIT (11*32+26) /* "" Issue an IBPB only on VMEXIT */
- #define X86_FEATURE_APIC_MSRS_FENCE (11*32+27) /* "" IA32_TSC_DEADLINE and X2APIC MSRs need fencing */
-+#define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */
-+#define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */
-+#define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */
-
- /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
- #define X86_FEATURE_AVX512_BF16 (12*32+ 5) /* AVX512 BFLOAT16 instructions */
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -735,7 +735,50 @@ static void bsp_init_amd(struct cpuinfo_
-
- resctrl_cpu_detect(c);
-
-+ /* Figure out Zen generations: */
-+ switch (c->x86) {
-+ case 0x17: {
-+ switch (c->x86_model) {
-+ case 0x00 ... 0x2f:
-+ case 0x50 ... 0x5f:
-+ setup_force_cpu_cap(X86_FEATURE_ZEN);
-+ break;
-+ case 0x30 ... 0x4f:
-+ case 0x60 ... 0x7f:
-+ case 0x90 ... 0x91:
-+ case 0xa0 ... 0xaf:
-+ setup_force_cpu_cap(X86_FEATURE_ZEN2);
-+ break;
-+ default:
-+ goto warn;
-+ }
-+ break;
-+ }
-+ case 0x19: {
-+ switch (c->x86_model) {
-+ case 0x00 ... 0x0f:
-+ case 0x20 ... 0x5f:
-+ setup_force_cpu_cap(X86_FEATURE_ZEN3);
-+ break;
-+ case 0x10 ... 0x1f:
-+ case 0x60 ... 0xaf:
-+ setup_force_cpu_cap(X86_FEATURE_ZEN4);
-+ break;
-+ default:
-+ goto warn;
-+ }
-+ break;
-+ }
-+ default:
-+ break;
-+ }
-+
- tsa_init(c);
-+
-+ return;
-+
-+warn:
-+ WARN_ONCE(1, "Family 0x%x, model: 0x%x??\n", c->x86, c->x86_model);
- }
-
- static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
-@@ -1081,8 +1124,6 @@ void init_spectral_chicken(struct cpuinf
-
- static void init_amd_zn(struct cpuinfo_x86 *c)
- {
-- set_cpu_cap(c, X86_FEATURE_ZEN);
--
- #ifdef CONFIG_NUMA
- node_reclaim_distance = 32;
- #endif
-@@ -1148,6 +1189,22 @@ static void zenbleed_check(struct cpuinf
- }
- }
-
-+static void init_amd_zen(struct cpuinfo_x86 *c)
-+{
-+}
-+
-+static void init_amd_zen2(struct cpuinfo_x86 *c)
-+{
-+}
-+
-+static void init_amd_zen3(struct cpuinfo_x86 *c)
-+{
-+}
-+
-+static void init_amd_zen4(struct cpuinfo_x86 *c)
-+{
-+}
-+
- static void init_amd(struct cpuinfo_x86 *c)
- {
- early_init_amd(c);
-@@ -1182,6 +1239,15 @@ static void init_amd(struct cpuinfo_x86
- case 0x19: init_amd_zn(c); break;
- }
-
-+ if (boot_cpu_has(X86_FEATURE_ZEN))
-+ init_amd_zen(c);
-+ else if (boot_cpu_has(X86_FEATURE_ZEN2))
-+ init_amd_zen2(c);
-+ else if (boot_cpu_has(X86_FEATURE_ZEN3))
-+ init_amd_zen3(c);
-+ else if (boot_cpu_has(X86_FEATURE_ZEN4))
-+ init_amd_zen4(c);
-+
- /*
- * Enable workaround for FXSAVE leak on CPUs
- * without a XSaveErPtr feature
+++ /dev/null
-From 6ea9e49236f62c01f32ea0b3e5c4ce41d1ec0389 Mon Sep 17 00:00:00 2001
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-Date: Wed, 1 Nov 2023 11:20:01 +0100
-Subject: x86/CPU/AMD: Call the spectral chicken in the Zen2 init function
-
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-
-Commit cfbf4f992bfce1fa9f2f347a79cbbea0368e7971 upstream.
-
-No functional change.
-
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
-Link: http://lore.kernel.org/r/20231120104152.13740-6-bp@alien8.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/amd.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -1101,10 +1101,8 @@ void init_spectral_chicken(struct cpuinf
- *
- * This suppresses speculation from the middle of a basic block, i.e. it
- * suppresses non-branch predictions.
-- *
-- * We use STIBP as a heuristic to filter out Zen2 from the rest of F17H
- */
-- if (!cpu_has(c, X86_FEATURE_HYPERVISOR) && cpu_has(c, X86_FEATURE_AMD_STIBP)) {
-+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) {
- if (!rdmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, &value)) {
- value |= MSR_ZEN2_SPECTRAL_CHICKEN_BIT;
- wrmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, value);
-@@ -1195,6 +1193,7 @@ static void init_amd_zen(struct cpuinfo_
-
- static void init_amd_zen2(struct cpuinfo_x86 *c)
- {
-+ init_spectral_chicken(c);
- }
-
- static void init_amd_zen3(struct cpuinfo_x86 *c)
-@@ -1234,7 +1233,7 @@ static void init_amd(struct cpuinfo_x86
- case 0x12: init_amd_ln(c); break;
- case 0x15: init_amd_bd(c); break;
- case 0x16: init_amd_jg(c); break;
-- case 0x17: init_spectral_chicken(c);
-+ case 0x17:
- fallthrough;
- case 0x19: init_amd_zn(c); break;
- }
+++ /dev/null
-From d14f0f391370ca45abc208a13c5863a9d05f422c Mon Sep 17 00:00:00 2001
-From: Prathyushi Nangia <prathyushi.nangia@amd.com>
-Date: Tue, 9 Dec 2025 10:01:33 -0600
-Subject: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache
-
-From: Prathyushi Nangia <prathyushi.nangia@amd.com>
-
-commit c21b90f77687075115d989e53a8ec5e2bb427ab1 upstream.
-
-Make sure resources are not improperly shared in the op cache and
-cause instruction corruption this way.
-
-Signed-off-by: Prathyushi Nangia <prathyushi.nangia@amd.com>
-Co-developed-by: Borislav Petkov (AMD) <bp@alien8.de>
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/msr-index.h | 1 +
- arch/x86/kernel/cpu/amd.c | 3 +++
- tools/arch/x86/include/asm/msr-index.h | 3 +++
- 3 files changed, 7 insertions(+)
-
-diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
-index 390db709b432..59bee2206d97 100644
---- a/arch/x86/include/asm/msr-index.h
-+++ b/arch/x86/include/asm/msr-index.h
-@@ -570,6 +570,7 @@
- /* Zen4 */
- #define MSR_ZEN4_BP_CFG 0xc001102e
- #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5
-+#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33
-
- /* Zen 2 */
- #define MSR_ZEN2_SPECTRAL_CHICKEN 0xc00110e3
-diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
-index 3a446f2b6d30..519e388083b2 100644
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -1197,6 +1197,9 @@ static void init_amd_zen2(struct cpuinfo_x86 *c)
- {
- init_amd_zen_common();
- init_spectral_chicken(c);
-+
-+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR))
-+ msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN2_BP_CFG_BUG_FIX_BIT);
- }
-
- static void init_amd_zen3(struct cpuinfo_x86 *c)
-diff --git a/tools/arch/x86/include/asm/msr-index.h b/tools/arch/x86/include/asm/msr-index.h
-index 8fb925676813..c28d75fe4dee 100644
---- a/tools/arch/x86/include/asm/msr-index.h
-+++ b/tools/arch/x86/include/asm/msr-index.h
-@@ -523,6 +523,9 @@
-
- #define MSR_AMD64_VIRT_SPEC_CTRL 0xc001011f
-
-+#define MSR_ZEN4_BP_CFG 0xc001102e
-+#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33
-+
- /* Fam 17h MSRs */
- #define MSR_F17H_IRPERF 0xc00000e9
-
---
-2.51.0
-
+++ /dev/null
-From 714aa4501bd485a70c063fc9e98a44dc9ae277a4 Mon Sep 17 00:00:00 2001
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-Date: Wed, 1 Nov 2023 12:34:29 +0100
-Subject: x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common()
-
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-
-Commit 7c81ad8e8bc28a1847e87c5afe1bae6bffb2f73e upstream.
-
-Call it from all Zen init functions.
-
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
-Link: http://lore.kernel.org/r/20231120104152.13740-7-bp@alien8.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/amd.c | 17 +++++++++--------
- 1 file changed, 9 insertions(+), 8 deletions(-)
-
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -1120,11 +1120,16 @@ void init_spectral_chicken(struct cpuinf
- clear_cpu_cap(c, X86_FEATURE_XSAVES);
- }
-
--static void init_amd_zn(struct cpuinfo_x86 *c)
-+static void init_amd_zen_common(void)
- {
- #ifdef CONFIG_NUMA
- node_reclaim_distance = 32;
- #endif
-+}
-+
-+static void init_amd_zen(struct cpuinfo_x86 *c)
-+{
-+ init_amd_zen_common();
-
- /* Fix up CPUID bits, but only if not virtualised. */
- if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) {
-@@ -1187,21 +1192,20 @@ static void zenbleed_check(struct cpuinf
- }
- }
-
--static void init_amd_zen(struct cpuinfo_x86 *c)
--{
--}
--
- static void init_amd_zen2(struct cpuinfo_x86 *c)
- {
-+ init_amd_zen_common();
- init_spectral_chicken(c);
- }
-
- static void init_amd_zen3(struct cpuinfo_x86 *c)
- {
-+ init_amd_zen_common();
- }
-
- static void init_amd_zen4(struct cpuinfo_x86 *c)
- {
-+ init_amd_zen_common();
- }
-
- static void init_amd(struct cpuinfo_x86 *c)
-@@ -1233,9 +1237,6 @@ static void init_amd(struct cpuinfo_x86
- case 0x12: init_amd_ln(c); break;
- case 0x15: init_amd_bd(c); break;
- case 0x16: init_amd_jg(c); break;
-- case 0x17:
-- fallthrough;
-- case 0x19: init_amd_zn(c); break;
- }
-
- if (boot_cpu_has(X86_FEATURE_ZEN))
+++ /dev/null
-From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Wed, 13 May 2026 11:37:18 -0700
-Subject: ptrace: slightly saner 'get_dumpable()' logic
-
-From: Linus Torvalds <torvalds@linux-foundation.org>
-
-commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream.
-
-The 'dumpability' of a task is fundamentally about the memory image of
-the task - the concept comes from whether it can core dump or not - and
-makes no sense when you don't have an associated mm.
-
-And almost all users do in fact use it only for the case where the task
-has a mm pointer.
-
-But we have one odd special case: ptrace_may_access() uses 'dumpable' to
-check various other things entirely independently of the MM (typically
-explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
-threads that no longer have a VM (and maybe never did, like most kernel
-threads).
-
-It's not what this flag was designed for, but it is what it is.
-
-The ptrace code does check that the uid/gid matches, so you do have to
-be uid-0 to see kernel thread details, but this means that the
-traditional "drop capabilities" model doesn't make any difference for
-this all.
-
-Make it all make a *bit* more sense by saying that if you don't have a
-MM pointer, we'll use a cached "last dumpability" flag if the thread
-ever had a MM (it will be zero for kernel threads since it is never
-set), and require a proper CAP_SYS_PTRACE capability to override.
-
-Reported-by: Qualys Security Advisory <qsa@qualys.com>
-Cc: Oleg Nesterov <oleg@redhat.com>
-Cc: Kees Cook <kees@kernel.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/sched.h | 3 +++
- kernel/exit.c | 1 +
- kernel/ptrace.c | 22 ++++++++++++++++------
- 3 files changed, 20 insertions(+), 6 deletions(-)
-
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -896,6 +896,9 @@ struct task_struct {
- */
- unsigned sched_remote_wakeup:1;
-
-+ /* Save user-dumpable when mm goes away */
-+ unsigned user_dumpable:1;
-+
- /* Bit to tell LSMs we're in execve(): */
- unsigned in_execve:1;
- unsigned in_iowait:1;
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -540,6 +540,7 @@ static void exit_mm(void)
- */
- smp_mb__after_spinlock();
- local_irq_disable();
-+ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER);
- current->mm = NULL;
- membarrier_update_current_mm(NULL);
- enter_lazy_tlb(mm, current);
---- a/kernel/ptrace.c
-+++ b/kernel/ptrace.c
-@@ -288,11 +288,24 @@ static bool ptrace_has_cap(struct user_n
- return ns_capable(ns, CAP_SYS_PTRACE);
- }
-
-+static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
-+{
-+ struct mm_struct *mm = task->mm;
-+ if (mm) {
-+ if (get_dumpable(mm) == SUID_DUMP_USER)
-+ return true;
-+ return ptrace_has_cap(mm->user_ns, mode);
-+ }
-+
-+ if (task->user_dumpable)
-+ return true;
-+ return ptrace_has_cap(&init_user_ns, mode);
-+}
-+
- /* Returns 0 on success, -errno on denial. */
- static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
- {
- const struct cred *cred = current_cred(), *tcred;
-- struct mm_struct *mm;
- kuid_t caller_uid;
- kgid_t caller_gid;
-
-@@ -353,11 +366,8 @@ ok:
- * Pairs with a write barrier in commit_creds().
- */
- smp_rmb();
-- mm = task->mm;
-- if (mm &&
-- ((get_dumpable(mm) != SUID_DUMP_USER) &&
-- !ptrace_has_cap(mm->user_ns, mode)))
-- return -EPERM;
-+ if (!task_still_dumpable(task, mode))
-+ return -EPERM;
-
- return security_ptrace_access_check(task, mode);
- }
acpi-cppc-fix-related_cpus-inconsistency-during-cpu-hotplug.patch
acpi-video-force-native-backlight-on-hp-omen-16-8a44.patch
spi-rockchip-fix-controller-deregistration.patch
-x86-cpu-amd-add-zenx-generations-flags.patch
-x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch
-x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch
-x86-cpu-amd-add-x86_feature_zen1.patch
ksmbd-do-not-expire-session-on-binding-failure.patch
spi-meson-spicc-fix-double-put-in-remove-path.patch
um-virt-pci-fix-build-failure.patch
mptcp-use-mptcp_rst_emptcp-for-ack-hmac-validation-failure.patch
mptcp-sockopt-set-timestamp-flags-on-subflow-socket-not-msk.patch
mptcp-fix-scheduling-with-atomic-in-timestamp-sockopt.patch
-x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch
-ptrace-slightly-saner-get_dumpable-logic.patch
platform-x86-hp-wmi-ignore-backlight-and-fnlock-events.patch
media-uvcvideo-enable-vb2_dmabuf-for-metadata-stream.patch
media-i2c-ov8856-free-control-handler-on-error-in-ov8856_init_controls.patch
+++ /dev/null
-From e72596e11570e82f96805156b122c491f2bfd192 Mon Sep 17 00:00:00 2001
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-Date: Sat, 2 Dec 2023 12:50:23 +0100
-Subject: x86/CPU/AMD: Add X86_FEATURE_ZEN1
-
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-
-Commit 232afb557835d6f6859c73bf610bad308c96b131 upstream.
-
-Add a synthetic feature flag specifically for first generation Zen
-machines. There's need to have a generic flag for all Zen generations so
-make X86_FEATURE_ZEN be that flag.
-
-Fixes: 30fa92832f40 ("x86/CPU/AMD: Add ZenX generations flags")
-Suggested-by: Brian Gerst <brgerst@gmail.com>
-Suggested-by: Tom Lendacky <thomas.lendacky@amd.com>
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Link: https://lore.kernel.org/r/dc3835e3-0731-4230-bbb9-336bbe3d042b@amd.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/cpufeatures.h | 3 ++-
- arch/x86/kernel/cpu/amd.c | 9 +++++----
- tools/arch/x86/include/asm/cpufeatures.h | 2 +-
- 3 files changed, 8 insertions(+), 6 deletions(-)
-
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -219,7 +219,7 @@
- #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
- #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */
- #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
--#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */
-+#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */
- #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
- #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
- #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */
-@@ -313,6 +313,7 @@
- #define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */
- #define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */
- #define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */
-+#define X86_FEATURE_ZEN1 (11*32+31) /* "" CPU based on Zen1 microarchitecture */
-
- /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
- #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -714,7 +714,7 @@ static void bsp_init_amd(struct cpuinfo_
- switch (c->x86_model) {
- case 0x00 ... 0x2f:
- case 0x50 ... 0x5f:
-- setup_force_cpu_cap(X86_FEATURE_ZEN);
-+ setup_force_cpu_cap(X86_FEATURE_ZEN1);
- break;
- case 0x30 ... 0x4f:
- case 0x60 ... 0x7f:
-@@ -1095,12 +1095,13 @@ void init_spectral_chicken(struct cpuinf
-
- static void init_amd_zen_common(void)
- {
-+ setup_force_cpu_cap(X86_FEATURE_ZEN);
- #ifdef CONFIG_NUMA
- node_reclaim_distance = 32;
- #endif
- }
-
--static void init_amd_zen(struct cpuinfo_x86 *c)
-+static void init_amd_zen1(struct cpuinfo_x86 *c)
- {
- init_amd_zen_common();
-
-@@ -1212,8 +1213,8 @@ static void init_amd(struct cpuinfo_x86
- case 0x16: init_amd_jg(c); break;
- }
-
-- if (boot_cpu_has(X86_FEATURE_ZEN))
-- init_amd_zen(c);
-+ if (boot_cpu_has(X86_FEATURE_ZEN1))
-+ init_amd_zen1(c);
- else if (boot_cpu_has(X86_FEATURE_ZEN2))
- init_amd_zen2(c);
- else if (boot_cpu_has(X86_FEATURE_ZEN3))
---- a/tools/arch/x86/include/asm/cpufeatures.h
-+++ b/tools/arch/x86/include/asm/cpufeatures.h
-@@ -219,7 +219,7 @@
- #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
- #define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */
- #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
--#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 or above (Zen) */
-+#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */
- #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
- #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
- #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */
+++ /dev/null
-From 3afc6ada329c9954054d68f5efa03999a53767be Mon Sep 17 00:00:00 2001
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-Date: Tue, 31 Oct 2023 23:30:59 +0100
-Subject: x86/CPU/AMD: Add ZenX generations flags
-
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-
-Commit 30fa92832f405d5ac9f263e99f62445fa3084008 upstream.
-
-Add X86_FEATURE flags for each Zen generation. They should be used from
-now on instead of checking f/m/s.
-
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
-Acked-by: Thomas Gleixner <tglx@linutronix.de>
-Link: http://lore.kernel.org/r/20231120104152.13740-2-bp@alien8.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/cpufeatures.h | 5 ++
- arch/x86/kernel/cpu/amd.c | 70 +++++++++++++++++++++++++++++++++++--
- 2 files changed, 72 insertions(+), 3 deletions(-)
-
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -219,7 +219,7 @@
- #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
- #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */
- #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
--#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 or above (Zen) */
-+#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */
- #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
- #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
- #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */
-@@ -310,6 +310,9 @@
- #define X86_FEATURE_SRSO_ALIAS (11*32+25) /* "" AMD BTB untrain RETs through aliasing */
- #define X86_FEATURE_IBPB_ON_VMEXIT (11*32+26) /* "" Issue an IBPB only on VMEXIT */
- #define X86_FEATURE_APIC_MSRS_FENCE (11*32+27) /* "" IA32_TSC_DEADLINE and X2APIC MSRs need fencing */
-+#define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */
-+#define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */
-+#define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */
-
- /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
- #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -708,7 +708,50 @@ static void bsp_init_amd(struct cpuinfo_
-
- resctrl_cpu_detect(c);
-
-+ /* Figure out Zen generations: */
-+ switch (c->x86) {
-+ case 0x17: {
-+ switch (c->x86_model) {
-+ case 0x00 ... 0x2f:
-+ case 0x50 ... 0x5f:
-+ setup_force_cpu_cap(X86_FEATURE_ZEN);
-+ break;
-+ case 0x30 ... 0x4f:
-+ case 0x60 ... 0x7f:
-+ case 0x90 ... 0x91:
-+ case 0xa0 ... 0xaf:
-+ setup_force_cpu_cap(X86_FEATURE_ZEN2);
-+ break;
-+ default:
-+ goto warn;
-+ }
-+ break;
-+ }
-+ case 0x19: {
-+ switch (c->x86_model) {
-+ case 0x00 ... 0x0f:
-+ case 0x20 ... 0x5f:
-+ setup_force_cpu_cap(X86_FEATURE_ZEN3);
-+ break;
-+ case 0x10 ... 0x1f:
-+ case 0x60 ... 0xaf:
-+ setup_force_cpu_cap(X86_FEATURE_ZEN4);
-+ break;
-+ default:
-+ goto warn;
-+ }
-+ break;
-+ }
-+ default:
-+ break;
-+ }
-+
- tsa_init(c);
-+
-+ return;
-+
-+warn:
-+ WARN_ONCE(1, "Family 0x%x, model: 0x%x??\n", c->x86, c->x86_model);
- }
-
- static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
-@@ -1054,8 +1097,6 @@ void init_spectral_chicken(struct cpuinf
-
- static void init_amd_zn(struct cpuinfo_x86 *c)
- {
-- set_cpu_cap(c, X86_FEATURE_ZEN);
--
- #ifdef CONFIG_NUMA
- node_reclaim_distance = 32;
- #endif
-@@ -1121,6 +1162,22 @@ static void zenbleed_check(struct cpuinf
- }
- }
-
-+static void init_amd_zen(struct cpuinfo_x86 *c)
-+{
-+}
-+
-+static void init_amd_zen2(struct cpuinfo_x86 *c)
-+{
-+}
-+
-+static void init_amd_zen3(struct cpuinfo_x86 *c)
-+{
-+}
-+
-+static void init_amd_zen4(struct cpuinfo_x86 *c)
-+{
-+}
-+
- static void init_amd(struct cpuinfo_x86 *c)
- {
- early_init_amd(c);
-@@ -1155,6 +1212,15 @@ static void init_amd(struct cpuinfo_x86
- case 0x19: init_amd_zn(c); break;
- }
-
-+ if (boot_cpu_has(X86_FEATURE_ZEN))
-+ init_amd_zen(c);
-+ else if (boot_cpu_has(X86_FEATURE_ZEN2))
-+ init_amd_zen2(c);
-+ else if (boot_cpu_has(X86_FEATURE_ZEN3))
-+ init_amd_zen3(c);
-+ else if (boot_cpu_has(X86_FEATURE_ZEN4))
-+ init_amd_zen4(c);
-+
- /*
- * Enable workaround for FXSAVE leak on CPUs
- * without a XSaveErPtr feature
+++ /dev/null
-From da5cfe21657dcc1135f18b02767f6f52e7e04abb Mon Sep 17 00:00:00 2001
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-Date: Wed, 1 Nov 2023 11:20:01 +0100
-Subject: x86/CPU/AMD: Call the spectral chicken in the Zen2 init function
-
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-
-Commit cfbf4f992bfce1fa9f2f347a79cbbea0368e7971 upstream.
-
-No functional change.
-
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
-Link: http://lore.kernel.org/r/20231120104152.13740-6-bp@alien8.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/amd.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -1074,10 +1074,8 @@ void init_spectral_chicken(struct cpuinf
- *
- * This suppresses speculation from the middle of a basic block, i.e. it
- * suppresses non-branch predictions.
-- *
-- * We use STIBP as a heuristic to filter out Zen2 from the rest of F17H
- */
-- if (!cpu_has(c, X86_FEATURE_HYPERVISOR) && cpu_has(c, X86_FEATURE_AMD_STIBP)) {
-+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) {
- if (!rdmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, &value)) {
- value |= MSR_ZEN2_SPECTRAL_CHICKEN_BIT;
- wrmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, value);
-@@ -1168,6 +1166,7 @@ static void init_amd_zen(struct cpuinfo_
-
- static void init_amd_zen2(struct cpuinfo_x86 *c)
- {
-+ init_spectral_chicken(c);
- }
-
- static void init_amd_zen3(struct cpuinfo_x86 *c)
-@@ -1207,7 +1206,7 @@ static void init_amd(struct cpuinfo_x86
- case 0x12: init_amd_ln(c); break;
- case 0x15: init_amd_bd(c); break;
- case 0x16: init_amd_jg(c); break;
-- case 0x17: init_spectral_chicken(c);
-+ case 0x17:
- fallthrough;
- case 0x19: init_amd_zn(c); break;
- }
+++ /dev/null
-From a88e215025e5fa9cb1f4759aa09f5ff1fcb21b21 Mon Sep 17 00:00:00 2001
-From: Prathyushi Nangia <prathyushi.nangia@amd.com>
-Date: Tue, 9 Dec 2025 10:01:33 -0600
-Subject: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache
-
-From: Prathyushi Nangia <prathyushi.nangia@amd.com>
-
-commit c21b90f77687075115d989e53a8ec5e2bb427ab1 upstream.
-
-Make sure resources are not improperly shared in the op cache and
-cause instruction corruption this way.
-
-Signed-off-by: Prathyushi Nangia <prathyushi.nangia@amd.com>
-Co-developed-by: Borislav Petkov (AMD) <bp@alien8.de>
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/msr-index.h | 1 +
- arch/x86/kernel/cpu/amd.c | 3 +++
- tools/arch/x86/include/asm/msr-index.h | 3 +++
- 3 files changed, 7 insertions(+)
-
---- a/arch/x86/include/asm/msr-index.h
-+++ b/arch/x86/include/asm/msr-index.h
-@@ -580,6 +580,7 @@
- /* Zen4 */
- #define MSR_ZEN4_BP_CFG 0xc001102e
- #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5
-+#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33
-
- /* Zen 2 */
- #define MSR_ZEN2_SPECTRAL_CHICKEN 0xc00110e3
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -1170,6 +1170,9 @@ static void init_amd_zen2(struct cpuinfo
- {
- init_amd_zen_common();
- init_spectral_chicken(c);
-+
-+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR))
-+ msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN2_BP_CFG_BUG_FIX_BIT);
- }
-
- static void init_amd_zen3(struct cpuinfo_x86 *c)
---- a/tools/arch/x86/include/asm/msr-index.h
-+++ b/tools/arch/x86/include/asm/msr-index.h
-@@ -530,6 +530,9 @@
-
- #define MSR_AMD64_VIRT_SPEC_CTRL 0xc001011f
-
-+#define MSR_ZEN4_BP_CFG 0xc001102e
-+#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33
-+
- /* Fam 17h MSRs */
- #define MSR_F17H_IRPERF 0xc00000e9
-
+++ /dev/null
-From d796696ded7ee9fdd5e76a0bb854af0d8f5f9cc7 Mon Sep 17 00:00:00 2001
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-Date: Wed, 1 Nov 2023 12:34:29 +0100
-Subject: x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common()
-
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-
-Commit 7c81ad8e8bc28a1847e87c5afe1bae6bffb2f73e upstream.
-
-Call it from all Zen init functions.
-
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
-Link: http://lore.kernel.org/r/20231120104152.13740-7-bp@alien8.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/amd.c | 17 +++++++++--------
- 1 file changed, 9 insertions(+), 8 deletions(-)
-
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -1093,11 +1093,16 @@ void init_spectral_chicken(struct cpuinf
- clear_cpu_cap(c, X86_FEATURE_XSAVES);
- }
-
--static void init_amd_zn(struct cpuinfo_x86 *c)
-+static void init_amd_zen_common(void)
- {
- #ifdef CONFIG_NUMA
- node_reclaim_distance = 32;
- #endif
-+}
-+
-+static void init_amd_zen(struct cpuinfo_x86 *c)
-+{
-+ init_amd_zen_common();
-
- /* Fix up CPUID bits, but only if not virtualised. */
- if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) {
-@@ -1160,21 +1165,20 @@ static void zenbleed_check(struct cpuinf
- }
- }
-
--static void init_amd_zen(struct cpuinfo_x86 *c)
--{
--}
--
- static void init_amd_zen2(struct cpuinfo_x86 *c)
- {
-+ init_amd_zen_common();
- init_spectral_chicken(c);
- }
-
- static void init_amd_zen3(struct cpuinfo_x86 *c)
- {
-+ init_amd_zen_common();
- }
-
- static void init_amd_zen4(struct cpuinfo_x86 *c)
- {
-+ init_amd_zen_common();
- }
-
- static void init_amd(struct cpuinfo_x86 *c)
-@@ -1206,9 +1210,6 @@ static void init_amd(struct cpuinfo_x86
- case 0x12: init_amd_ln(c); break;
- case 0x15: init_amd_bd(c); break;
- case 0x16: init_amd_jg(c); break;
-- case 0x17:
-- fallthrough;
-- case 0x19: init_amd_zn(c); break;
- }
-
- if (boot_cpu_has(X86_FEATURE_ZEN))
--- a/kernel/exit.c
+++ b/kernel/exit.c
-@@ -978,6 +978,7 @@ void __noreturn make_task_dead(int signr
+@@ -979,6 +979,7 @@ void __noreturn make_task_dead(int signr
futex_exit_recursive(tsk);
tsk->exit_state = EXIT_DEAD;
refcount_inc(&tsk->rcu_users);
+++ /dev/null
-From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Wed, 13 May 2026 11:37:18 -0700
-Subject: ptrace: slightly saner 'get_dumpable()' logic
-
-From: Linus Torvalds <torvalds@linux-foundation.org>
-
-commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream.
-
-The 'dumpability' of a task is fundamentally about the memory image of
-the task - the concept comes from whether it can core dump or not - and
-makes no sense when you don't have an associated mm.
-
-And almost all users do in fact use it only for the case where the task
-has a mm pointer.
-
-But we have one odd special case: ptrace_may_access() uses 'dumpable' to
-check various other things entirely independently of the MM (typically
-explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
-threads that no longer have a VM (and maybe never did, like most kernel
-threads).
-
-It's not what this flag was designed for, but it is what it is.
-
-The ptrace code does check that the uid/gid matches, so you do have to
-be uid-0 to see kernel thread details, but this means that the
-traditional "drop capabilities" model doesn't make any difference for
-this all.
-
-Make it all make a *bit* more sense by saying that if you don't have a
-MM pointer, we'll use a cached "last dumpability" flag if the thread
-ever had a MM (it will be zero for kernel threads since it is never
-set), and require a proper CAP_SYS_PTRACE capability to override.
-
-Reported-by: Qualys Security Advisory <qsa@qualys.com>
-Cc: Oleg Nesterov <oleg@redhat.com>
-Cc: Kees Cook <kees@kernel.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/sched.h | 3 +++
- kernel/exit.c | 1 +
- kernel/ptrace.c | 22 ++++++++++++++++------
- 3 files changed, 20 insertions(+), 6 deletions(-)
-
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -910,6 +910,9 @@ struct task_struct {
- */
- unsigned sched_remote_wakeup:1;
-
-+ /* Save user-dumpable when mm goes away */
-+ unsigned user_dumpable:1;
-+
- /* Bit to tell LSMs we're in execve(): */
- unsigned in_execve:1;
- unsigned in_iowait:1;
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -555,6 +555,7 @@ static void exit_mm(void)
- */
- smp_mb__after_spinlock();
- local_irq_disable();
-+ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER);
- current->mm = NULL;
- membarrier_update_current_mm(NULL);
- enter_lazy_tlb(mm, current);
---- a/kernel/ptrace.c
-+++ b/kernel/ptrace.c
-@@ -282,11 +282,24 @@ static bool ptrace_has_cap(struct user_n
- return ns_capable(ns, CAP_SYS_PTRACE);
- }
-
-+static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
-+{
-+ struct mm_struct *mm = task->mm;
-+ if (mm) {
-+ if (get_dumpable(mm) == SUID_DUMP_USER)
-+ return true;
-+ return ptrace_has_cap(mm->user_ns, mode);
-+ }
-+
-+ if (task->user_dumpable)
-+ return true;
-+ return ptrace_has_cap(&init_user_ns, mode);
-+}
-+
- /* Returns 0 on success, -errno on denial. */
- static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
- {
- const struct cred *cred = current_cred(), *tcred;
-- struct mm_struct *mm;
- kuid_t caller_uid;
- kgid_t caller_gid;
-
-@@ -347,11 +360,8 @@ ok:
- * Pairs with a write barrier in commit_creds().
- */
- smp_rmb();
-- mm = task->mm;
-- if (mm &&
-- ((get_dumpable(mm) != SUID_DUMP_USER) &&
-- !ptrace_has_cap(mm->user_ns, mode)))
-- return -EPERM;
-+ if (!task_still_dumpable(task, mode))
-+ return -EPERM;
-
- return security_ptrace_access_check(task, mode);
- }
#endif
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
-@@ -1488,6 +1488,10 @@ struct task_struct {
+@@ -1491,6 +1491,10 @@ struct task_struct {
unsigned long prev_lowest_stack;
#endif
acpi-video-force-native-backlight-on-hp-omen-16-8a44.patch
asoc-sof-don-t-allow-pointer-operations-on-unconfigured-streams.patch
spi-rockchip-fix-controller-deregistration.patch
-x86-cpu-amd-add-zenx-generations-flags.patch
-x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch
-x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch
-x86-cpu-amd-add-x86_feature_zen1.patch
drm-amd-display-do-not-skip-unrelated-mode-changes-i.patch
spi-meson-spicc-fix-double-put-in-remove-path.patch
ext4-validate-p_idx-bounds-in-ext4_ext_correct_index.patch
loongarch-use-per-root-bridge-pcih-flag-to-skip-mem-resource-fixup.patch
f2fs-compress-change-the-first-parameter-of-page_arr.patch
f2fs-compress-fix-uaf-of-f2fs_inode_info-in-f2fs_fre.patch
-x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch
exit-sleep-at-task_idle-when-waiting-for-application-core-dump.patch
-ptrace-slightly-saner-get_dumpable-logic.patch
media-uvcvideo-enable-vb2_dmabuf-for-metadata-stream.patch
media-i2c-ov8856-free-control-handler-on-error-in-ov8856_init_controls.patch
staging-media-atomisp-disallow-all-private-ioctls.patch
+++ /dev/null
-From 91b64ab5046a17ed993e2d4260c172538ec79ffc Mon Sep 17 00:00:00 2001
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-Date: Sat, 2 Dec 2023 12:50:23 +0100
-Subject: x86/CPU/AMD: Add X86_FEATURE_ZEN1
-
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-
-Commit 232afb557835d6f6859c73bf610bad308c96b131 upstream.
-
-Add a synthetic feature flag specifically for first generation Zen
-machines. There's need to have a generic flag for all Zen generations so
-make X86_FEATURE_ZEN be that flag.
-
-Fixes: 30fa92832f40 ("x86/CPU/AMD: Add ZenX generations flags")
-Suggested-by: Brian Gerst <brgerst@gmail.com>
-Suggested-by: Tom Lendacky <thomas.lendacky@amd.com>
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Link: https://lore.kernel.org/r/dc3835e3-0731-4230-bbb9-336bbe3d042b@amd.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/cpufeatures.h | 3 ++-
- arch/x86/kernel/cpu/amd.c | 9 +++++----
- tools/arch/x86/include/asm/cpufeatures.h | 2 +-
- 3 files changed, 8 insertions(+), 6 deletions(-)
-
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -219,7 +219,7 @@
- #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
- #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */
- #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
--#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */
-+#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */
- #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
- #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
- #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */
-@@ -316,6 +316,7 @@
- #define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */
- #define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */
- #define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */
-+#define X86_FEATURE_ZEN1 (11*32+31) /* "" CPU based on Zen1 microarchitecture */
-
- /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
- #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -685,7 +685,7 @@ static void bsp_init_amd(struct cpuinfo_
- switch (c->x86_model) {
- case 0x00 ... 0x2f:
- case 0x50 ... 0x5f:
-- setup_force_cpu_cap(X86_FEATURE_ZEN);
-+ setup_force_cpu_cap(X86_FEATURE_ZEN1);
- break;
- case 0x30 ... 0x4f:
- case 0x60 ... 0x7f:
-@@ -1071,12 +1071,13 @@ void init_spectral_chicken(struct cpuinf
-
- static void init_amd_zen_common(void)
- {
-+ setup_force_cpu_cap(X86_FEATURE_ZEN);
- #ifdef CONFIG_NUMA
- node_reclaim_distance = 32;
- #endif
- }
-
--static void init_amd_zen(struct cpuinfo_x86 *c)
-+static void init_amd_zen1(struct cpuinfo_x86 *c)
- {
- init_amd_zen_common();
-
-@@ -1188,8 +1189,8 @@ static void init_amd(struct cpuinfo_x86
- case 0x16: init_amd_jg(c); break;
- }
-
-- if (boot_cpu_has(X86_FEATURE_ZEN))
-- init_amd_zen(c);
-+ if (boot_cpu_has(X86_FEATURE_ZEN1))
-+ init_amd_zen1(c);
- else if (boot_cpu_has(X86_FEATURE_ZEN2))
- init_amd_zen2(c);
- else if (boot_cpu_has(X86_FEATURE_ZEN3))
---- a/tools/arch/x86/include/asm/cpufeatures.h
-+++ b/tools/arch/x86/include/asm/cpufeatures.h
-@@ -219,7 +219,7 @@
- #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
- #define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */
- #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
--#define X86_FEATURE_ZEN (7*32+28) /* "" CPU based on Zen microarchitecture */
-+#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */
- #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
- #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
- #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */
+++ /dev/null
-From fbdee830099d470daddc747d751672b73d8c3b96 Mon Sep 17 00:00:00 2001
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-Date: Tue, 31 Oct 2023 23:30:59 +0100
-Subject: x86/CPU/AMD: Add ZenX generations flags
-
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-
-Commit 30fa92832f405d5ac9f263e99f62445fa3084008 upstream.
-
-Add X86_FEATURE flags for each Zen generation. They should be used from
-now on instead of checking f/m/s.
-
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
-Acked-by: Thomas Gleixner <tglx@linutronix.de>
-Link: http://lore.kernel.org/r/20231120104152.13740-2-bp@alien8.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/cpufeatures.h | 5 ++
- arch/x86/kernel/cpu/amd.c | 70 +++++++++++++++++++++++++++++++++++--
- 2 files changed, 72 insertions(+), 3 deletions(-)
-
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -219,7 +219,7 @@
- #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
- #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */
- #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
--#define X86_FEATURE_ZEN (7*32+28) /* "" CPU based on Zen microarchitecture */
-+#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */
- #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
- #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
- #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */
-@@ -313,6 +313,9 @@
- #define X86_FEATURE_SRSO_ALIAS (11*32+25) /* "" AMD BTB untrain RETs through aliasing */
- #define X86_FEATURE_IBPB_ON_VMEXIT (11*32+26) /* "" Issue an IBPB only on VMEXIT */
- #define X86_FEATURE_APIC_MSRS_FENCE (11*32+27) /* "" IA32_TSC_DEADLINE and X2APIC MSRs need fencing */
-+#define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */
-+#define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */
-+#define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */
-
- /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
- #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -679,7 +679,50 @@ static void bsp_init_amd(struct cpuinfo_
-
- resctrl_cpu_detect(c);
-
-+ /* Figure out Zen generations: */
-+ switch (c->x86) {
-+ case 0x17: {
-+ switch (c->x86_model) {
-+ case 0x00 ... 0x2f:
-+ case 0x50 ... 0x5f:
-+ setup_force_cpu_cap(X86_FEATURE_ZEN);
-+ break;
-+ case 0x30 ... 0x4f:
-+ case 0x60 ... 0x7f:
-+ case 0x90 ... 0x91:
-+ case 0xa0 ... 0xaf:
-+ setup_force_cpu_cap(X86_FEATURE_ZEN2);
-+ break;
-+ default:
-+ goto warn;
-+ }
-+ break;
-+ }
-+ case 0x19: {
-+ switch (c->x86_model) {
-+ case 0x00 ... 0x0f:
-+ case 0x20 ... 0x5f:
-+ setup_force_cpu_cap(X86_FEATURE_ZEN3);
-+ break;
-+ case 0x10 ... 0x1f:
-+ case 0x60 ... 0xaf:
-+ setup_force_cpu_cap(X86_FEATURE_ZEN4);
-+ break;
-+ default:
-+ goto warn;
-+ }
-+ break;
-+ }
-+ default:
-+ break;
-+ }
-+
- tsa_init(c);
-+
-+ return;
-+
-+warn:
-+ WARN_ONCE(1, "Family 0x%x, model: 0x%x??\n", c->x86, c->x86_model);
- }
-
- static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
-@@ -1030,8 +1073,6 @@ void init_spectral_chicken(struct cpuinf
-
- static void init_amd_zn(struct cpuinfo_x86 *c)
- {
-- set_cpu_cap(c, X86_FEATURE_ZEN);
--
- #ifdef CONFIG_NUMA
- node_reclaim_distance = 32;
- #endif
-@@ -1097,6 +1138,22 @@ static void zenbleed_check(struct cpuinf
- }
- }
-
-+static void init_amd_zen(struct cpuinfo_x86 *c)
-+{
-+}
-+
-+static void init_amd_zen2(struct cpuinfo_x86 *c)
-+{
-+}
-+
-+static void init_amd_zen3(struct cpuinfo_x86 *c)
-+{
-+}
-+
-+static void init_amd_zen4(struct cpuinfo_x86 *c)
-+{
-+}
-+
- static void init_amd(struct cpuinfo_x86 *c)
- {
- early_init_amd(c);
-@@ -1131,6 +1188,15 @@ static void init_amd(struct cpuinfo_x86
- case 0x19: init_amd_zn(c); break;
- }
-
-+ if (boot_cpu_has(X86_FEATURE_ZEN))
-+ init_amd_zen(c);
-+ else if (boot_cpu_has(X86_FEATURE_ZEN2))
-+ init_amd_zen2(c);
-+ else if (boot_cpu_has(X86_FEATURE_ZEN3))
-+ init_amd_zen3(c);
-+ else if (boot_cpu_has(X86_FEATURE_ZEN4))
-+ init_amd_zen4(c);
-+
- /*
- * Enable workaround for FXSAVE leak on CPUs
- * without a XSaveErPtr feature
+++ /dev/null
-From 242bba6bdd3de751556194de4951cf4d95dd8945 Mon Sep 17 00:00:00 2001
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-Date: Wed, 1 Nov 2023 11:20:01 +0100
-Subject: x86/CPU/AMD: Call the spectral chicken in the Zen2 init function
-
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-
-Commit cfbf4f992bfce1fa9f2f347a79cbbea0368e7971 upstream.
-
-No functional change.
-
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
-Link: http://lore.kernel.org/r/20231120104152.13740-6-bp@alien8.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/amd.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -1050,10 +1050,8 @@ void init_spectral_chicken(struct cpuinf
- *
- * This suppresses speculation from the middle of a basic block, i.e. it
- * suppresses non-branch predictions.
-- *
-- * We use STIBP as a heuristic to filter out Zen2 from the rest of F17H
- */
-- if (!cpu_has(c, X86_FEATURE_HYPERVISOR) && cpu_has(c, X86_FEATURE_AMD_STIBP)) {
-+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) {
- if (!rdmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, &value)) {
- value |= MSR_ZEN2_SPECTRAL_CHICKEN_BIT;
- wrmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, value);
-@@ -1144,6 +1142,7 @@ static void init_amd_zen(struct cpuinfo_
-
- static void init_amd_zen2(struct cpuinfo_x86 *c)
- {
-+ init_spectral_chicken(c);
- }
-
- static void init_amd_zen3(struct cpuinfo_x86 *c)
-@@ -1183,7 +1182,7 @@ static void init_amd(struct cpuinfo_x86
- case 0x12: init_amd_ln(c); break;
- case 0x15: init_amd_bd(c); break;
- case 0x16: init_amd_jg(c); break;
-- case 0x17: init_spectral_chicken(c);
-+ case 0x17:
- fallthrough;
- case 0x19: init_amd_zn(c); break;
- }
+++ /dev/null
-From 1ea83dfe1569d2c5699e668d70a5fcbb174aa744 Mon Sep 17 00:00:00 2001
-From: Prathyushi Nangia <prathyushi.nangia@amd.com>
-Date: Tue, 9 Dec 2025 10:01:33 -0600
-Subject: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache
-
-From: Prathyushi Nangia <prathyushi.nangia@amd.com>
-
-commit c21b90f77687075115d989e53a8ec5e2bb427ab1 upstream.
-
-Make sure resources are not improperly shared in the op cache and
-cause instruction corruption this way.
-
-Signed-off-by: Prathyushi Nangia <prathyushi.nangia@amd.com>
-Co-developed-by: Borislav Petkov (AMD) <bp@alien8.de>
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/msr-index.h | 1 +
- arch/x86/kernel/cpu/amd.c | 3 +++
- tools/arch/x86/include/asm/msr-index.h | 3 +++
- 3 files changed, 7 insertions(+)
-
---- a/arch/x86/include/asm/msr-index.h
-+++ b/arch/x86/include/asm/msr-index.h
-@@ -672,6 +672,7 @@
- /* Zen4 */
- #define MSR_ZEN4_BP_CFG 0xc001102e
- #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5
-+#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33
-
- /* Zen 2 */
- #define MSR_ZEN2_SPECTRAL_CHICKEN 0xc00110e3
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -1146,6 +1146,9 @@ static void init_amd_zen2(struct cpuinfo
- {
- init_amd_zen_common();
- init_spectral_chicken(c);
-+
-+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR))
-+ msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN2_BP_CFG_BUG_FIX_BIT);
- }
-
- static void init_amd_zen3(struct cpuinfo_x86 *c)
---- a/tools/arch/x86/include/asm/msr-index.h
-+++ b/tools/arch/x86/include/asm/msr-index.h
-@@ -598,6 +598,9 @@
- /* AMD Last Branch Record MSRs */
- #define MSR_AMD64_LBR_SELECT 0xc000010e
-
-+#define MSR_ZEN4_BP_CFG 0xc001102e
-+#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33
-+
- /* Fam 17h MSRs */
- #define MSR_F17H_IRPERF 0xc00000e9
-
+++ /dev/null
-From da1bf81de5808bee1bf70bd234f2bfa58d5e1671 Mon Sep 17 00:00:00 2001
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-Date: Wed, 1 Nov 2023 12:34:29 +0100
-Subject: x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common()
-
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-
-Commit 7c81ad8e8bc28a1847e87c5afe1bae6bffb2f73e upstream.
-
-Call it from all Zen init functions.
-
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
-Link: http://lore.kernel.org/r/20231120104152.13740-7-bp@alien8.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/amd.c | 17 +++++++++--------
- 1 file changed, 9 insertions(+), 8 deletions(-)
-
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -1069,11 +1069,16 @@ void init_spectral_chicken(struct cpuinf
- clear_cpu_cap(c, X86_FEATURE_XSAVES);
- }
-
--static void init_amd_zn(struct cpuinfo_x86 *c)
-+static void init_amd_zen_common(void)
- {
- #ifdef CONFIG_NUMA
- node_reclaim_distance = 32;
- #endif
-+}
-+
-+static void init_amd_zen(struct cpuinfo_x86 *c)
-+{
-+ init_amd_zen_common();
-
- /* Fix up CPUID bits, but only if not virtualised. */
- if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) {
-@@ -1136,21 +1141,20 @@ static void zenbleed_check(struct cpuinf
- }
- }
-
--static void init_amd_zen(struct cpuinfo_x86 *c)
--{
--}
--
- static void init_amd_zen2(struct cpuinfo_x86 *c)
- {
-+ init_amd_zen_common();
- init_spectral_chicken(c);
- }
-
- static void init_amd_zen3(struct cpuinfo_x86 *c)
- {
-+ init_amd_zen_common();
- }
-
- static void init_amd_zen4(struct cpuinfo_x86 *c)
- {
-+ init_amd_zen_common();
- }
-
- static void init_amd(struct cpuinfo_x86 *c)
-@@ -1182,9 +1186,6 @@ static void init_amd(struct cpuinfo_x86
- case 0x12: init_amd_ln(c); break;
- case 0x15: init_amd_bd(c); break;
- case 0x16: init_amd_jg(c); break;
-- case 0x17:
-- fallthrough;
-- case 0x19: init_amd_zn(c); break;
- }
-
- if (boot_cpu_has(X86_FEATURE_ZEN))
+++ /dev/null
-From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Wed, 13 May 2026 11:37:18 -0700
-Subject: ptrace: slightly saner 'get_dumpable()' logic
-
-From: Linus Torvalds <torvalds@linux-foundation.org>
-
-commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream.
-
-The 'dumpability' of a task is fundamentally about the memory image of
-the task - the concept comes from whether it can core dump or not - and
-makes no sense when you don't have an associated mm.
-
-And almost all users do in fact use it only for the case where the task
-has a mm pointer.
-
-But we have one odd special case: ptrace_may_access() uses 'dumpable' to
-check various other things entirely independently of the MM (typically
-explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
-threads that no longer have a VM (and maybe never did, like most kernel
-threads).
-
-It's not what this flag was designed for, but it is what it is.
-
-The ptrace code does check that the uid/gid matches, so you do have to
-be uid-0 to see kernel thread details, but this means that the
-traditional "drop capabilities" model doesn't make any difference for
-this all.
-
-Make it all make a *bit* more sense by saying that if you don't have a
-MM pointer, we'll use a cached "last dumpability" flag if the thread
-ever had a MM (it will be zero for kernel threads since it is never
-set), and require a proper CAP_SYS_PTRACE capability to override.
-
-Reported-by: Qualys Security Advisory <qsa@qualys.com>
-Cc: Oleg Nesterov <oleg@redhat.com>
-Cc: Kees Cook <kees@kernel.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/sched.h | 3 +++
- kernel/exit.c | 1 +
- kernel/ptrace.c | 22 ++++++++++++++++------
- 3 files changed, 20 insertions(+), 6 deletions(-)
-
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -969,6 +969,9 @@ struct task_struct {
- unsigned sched_rt_mutex:1;
- #endif
-
-+ /* Save user-dumpable when mm goes away */
-+ unsigned user_dumpable:1;
-+
- /* Bit to tell TOMOYO we're in execve(): */
- unsigned in_execve:1;
- unsigned in_iowait:1;
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -561,6 +561,7 @@ static void exit_mm(void)
- */
- smp_mb__after_spinlock();
- local_irq_disable();
-+ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER);
- current->mm = NULL;
- membarrier_update_current_mm(NULL);
- enter_lazy_tlb(mm, current);
---- a/kernel/ptrace.c
-+++ b/kernel/ptrace.c
-@@ -272,11 +272,24 @@ static bool ptrace_has_cap(struct user_n
- return ns_capable(ns, CAP_SYS_PTRACE);
- }
-
-+static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
-+{
-+ struct mm_struct *mm = task->mm;
-+ if (mm) {
-+ if (get_dumpable(mm) == SUID_DUMP_USER)
-+ return true;
-+ return ptrace_has_cap(mm->user_ns, mode);
-+ }
-+
-+ if (task->user_dumpable)
-+ return true;
-+ return ptrace_has_cap(&init_user_ns, mode);
-+}
-+
- /* Returns 0 on success, -errno on denial. */
- static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
- {
- const struct cred *cred = current_cred(), *tcred;
-- struct mm_struct *mm;
- kuid_t caller_uid;
- kgid_t caller_gid;
-
-@@ -337,11 +350,8 @@ ok:
- * Pairs with a write barrier in commit_creds().
- */
- smp_rmb();
-- mm = task->mm;
-- if (mm &&
-- ((get_dumpable(mm) != SUID_DUMP_USER) &&
-- !ptrace_has_cap(mm->user_ns, mode)))
-- return -EPERM;
-+ if (!task_still_dumpable(task, mode))
-+ return -EPERM;
-
- return security_ptrace_access_check(task, mode);
- }
-ptrace-slightly-saner-get_dumpable-logic.patch
hid-playstation-clamp-num_touch_reports.patch
media-uvcvideo-enable-vb2_dmabuf-for-metadata-stream.patch
media-nxp-imx8-isi-reduce-minimum-queued-buffers-from-2-to-0.patch
+++ /dev/null
-From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Wed, 13 May 2026 11:37:18 -0700
-Subject: ptrace: slightly saner 'get_dumpable()' logic
-
-From: Linus Torvalds <torvalds@linux-foundation.org>
-
-commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream.
-
-The 'dumpability' of a task is fundamentally about the memory image of
-the task - the concept comes from whether it can core dump or not - and
-makes no sense when you don't have an associated mm.
-
-And almost all users do in fact use it only for the case where the task
-has a mm pointer.
-
-But we have one odd special case: ptrace_may_access() uses 'dumpable' to
-check various other things entirely independently of the MM (typically
-explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
-threads that no longer have a VM (and maybe never did, like most kernel
-threads).
-
-It's not what this flag was designed for, but it is what it is.
-
-The ptrace code does check that the uid/gid matches, so you do have to
-be uid-0 to see kernel thread details, but this means that the
-traditional "drop capabilities" model doesn't make any difference for
-this all.
-
-Make it all make a *bit* more sense by saying that if you don't have a
-MM pointer, we'll use a cached "last dumpability" flag if the thread
-ever had a MM (it will be zero for kernel threads since it is never
-set), and require a proper CAP_SYS_PTRACE capability to override.
-
-Reported-by: Qualys Security Advisory <qsa@qualys.com>
-Cc: Oleg Nesterov <oleg@redhat.com>
-Cc: Kees Cook <kees@kernel.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/sched.h | 3 +++
- kernel/exit.c | 1 +
- kernel/ptrace.c | 22 ++++++++++++++++------
- 3 files changed, 20 insertions(+), 6 deletions(-)
-
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -1003,6 +1003,9 @@ struct task_struct {
- unsigned sched_rt_mutex:1;
- #endif
-
-+ /* Save user-dumpable when mm goes away */
-+ unsigned user_dumpable:1;
-+
- /* Bit to tell TOMOYO we're in execve(): */
- unsigned in_execve:1;
- unsigned in_iowait:1;
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -572,6 +572,7 @@ static void exit_mm(void)
- */
- smp_mb__after_spinlock();
- local_irq_disable();
-+ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER);
- current->mm = NULL;
- membarrier_update_current_mm(NULL);
- enter_lazy_tlb(mm, current);
---- a/kernel/ptrace.c
-+++ b/kernel/ptrace.c
-@@ -272,11 +272,24 @@ static bool ptrace_has_cap(struct user_n
- return ns_capable(ns, CAP_SYS_PTRACE);
- }
-
-+static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
-+{
-+ struct mm_struct *mm = task->mm;
-+ if (mm) {
-+ if (get_dumpable(mm) == SUID_DUMP_USER)
-+ return true;
-+ return ptrace_has_cap(mm->user_ns, mode);
-+ }
-+
-+ if (task->user_dumpable)
-+ return true;
-+ return ptrace_has_cap(&init_user_ns, mode);
-+}
-+
- /* Returns 0 on success, -errno on denial. */
- static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
- {
- const struct cred *cred = current_cred(), *tcred;
-- struct mm_struct *mm;
- kuid_t caller_uid;
- kgid_t caller_gid;
-
-@@ -337,11 +350,8 @@ ok:
- * Pairs with a write barrier in commit_creds().
- */
- smp_rmb();
-- mm = task->mm;
-- if (mm &&
-- ((get_dumpable(mm) != SUID_DUMP_USER) &&
-- !ptrace_has_cap(mm->user_ns, mode)))
-- return -EPERM;
-+ if (!task_still_dumpable(task, mode))
-+ return -EPERM;
-
- return security_ptrace_access_check(task, mode);
- }
-ptrace-slightly-saner-get_dumpable-logic.patch
hid-playstation-clamp-num_touch_reports.patch
hid-appletb-kbd-fix-uaf-in-inactivity-timer-cleanup-path.patch
hid-appletb-kbd-run-inactivity-autodim-from-workqueues.patch
--- a/kernel/exit.c
+++ b/kernel/exit.c
-@@ -980,6 +980,7 @@ void __noreturn make_task_dead(int signr
+@@ -981,6 +981,7 @@ void __noreturn make_task_dead(int signr
futex_exit_recursive(tsk);
tsk->exit_state = EXIT_DEAD;
refcount_inc(&tsk->rcu_users);
+++ /dev/null
-From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Wed, 13 May 2026 11:37:18 -0700
-Subject: ptrace: slightly saner 'get_dumpable()' logic
-
-From: Linus Torvalds <torvalds@linux-foundation.org>
-
-commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream.
-
-The 'dumpability' of a task is fundamentally about the memory image of
-the task - the concept comes from whether it can core dump or not - and
-makes no sense when you don't have an associated mm.
-
-And almost all users do in fact use it only for the case where the task
-has a mm pointer.
-
-But we have one odd special case: ptrace_may_access() uses 'dumpable' to
-check various other things entirely independently of the MM (typically
-explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
-threads that no longer have a VM (and maybe never did, like most kernel
-threads).
-
-It's not what this flag was designed for, but it is what it is.
-
-The ptrace code does check that the uid/gid matches, so you do have to
-be uid-0 to see kernel thread details, but this means that the
-traditional "drop capabilities" model doesn't make any difference for
-this all.
-
-Make it all make a *bit* more sense by saying that if you don't have a
-MM pointer, we'll use a cached "last dumpability" flag if the thread
-ever had a MM (it will be zero for kernel threads since it is never
-set), and require a proper CAP_SYS_PTRACE capability to override.
-
-Reported-by: Qualys Security Advisory <qsa@qualys.com>
-Cc: Oleg Nesterov <oleg@redhat.com>
-Cc: Kees Cook <kees@kernel.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/sched.h | 3 +++
- kernel/exit.c | 1 +
- kernel/ptrace.c | 22 ++++++++++++++++------
- 3 files changed, 20 insertions(+), 6 deletions(-)
-
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -916,6 +916,9 @@ struct task_struct {
- */
- unsigned sched_remote_wakeup:1;
-
-+ /* Save user-dumpable when mm goes away */
-+ unsigned user_dumpable:1;
-+
- /* Bit to tell LSMs we're in execve(): */
- unsigned in_execve:1;
- unsigned in_iowait:1;
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -559,6 +559,7 @@ static void exit_mm(void)
- */
- smp_mb__after_spinlock();
- local_irq_disable();
-+ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER);
- current->mm = NULL;
- membarrier_update_current_mm(NULL);
- enter_lazy_tlb(mm, current);
---- a/kernel/ptrace.c
-+++ b/kernel/ptrace.c
-@@ -283,11 +283,24 @@ static bool ptrace_has_cap(struct user_n
- return ns_capable(ns, CAP_SYS_PTRACE);
- }
-
-+static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
-+{
-+ struct mm_struct *mm = task->mm;
-+ if (mm) {
-+ if (get_dumpable(mm) == SUID_DUMP_USER)
-+ return true;
-+ return ptrace_has_cap(mm->user_ns, mode);
-+ }
-+
-+ if (task->user_dumpable)
-+ return true;
-+ return ptrace_has_cap(&init_user_ns, mode);
-+}
-+
- /* Returns 0 on success, -errno on denial. */
- static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
- {
- const struct cred *cred = current_cred(), *tcred;
-- struct mm_struct *mm;
- kuid_t caller_uid;
- kgid_t caller_gid;
-
-@@ -348,11 +361,8 @@ ok:
- * Pairs with a write barrier in commit_creds().
- */
- smp_rmb();
-- mm = task->mm;
-- if (mm &&
-- ((get_dumpable(mm) != SUID_DUMP_USER) &&
-- !ptrace_has_cap(mm->user_ns, mode)))
-- return -EPERM;
-+ if (!task_still_dumpable(task, mode))
-+ return -EPERM;
-
- return security_ptrace_access_check(task, mode);
- }
#endif
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
-@@ -1498,6 +1498,10 @@ struct task_struct {
+@@ -1501,6 +1501,10 @@ struct task_struct {
unsigned long prev_lowest_stack;
#endif
kvm-arm64-fix-initialisation-order-in-__pkvm_init_finalise.patch
loongarch-fix-potential-ade-in-loongson_gpu_fixup_dma_hang.patch
loongarch-use-per-root-bridge-pcih-flag-to-skip-mem-resource-fixup.patch
-x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch
exit-sleep-at-task_idle-when-waiting-for-application-core-dump.patch
-ptrace-slightly-saner-get_dumpable-logic.patch
hid-playstation-clamp-num_touch_reports.patch
media-uvcvideo-enable-vb2_dmabuf-for-metadata-stream.patch
media-i2c-ov8856-free-control-handler-on-error-in-ov8856_init_controls.patch
+++ /dev/null
-From f160936aec2e9f80000d7ea606501b1f68d05e15 Mon Sep 17 00:00:00 2001
-From: Prathyushi Nangia <prathyushi.nangia@amd.com>
-Date: Tue, 9 Dec 2025 10:01:33 -0600
-Subject: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache
-
-From: Prathyushi Nangia <prathyushi.nangia@amd.com>
-
-commit c21b90f77687075115d989e53a8ec5e2bb427ab1 upstream.
-
-Make sure resources are not improperly shared in the op cache and
-cause instruction corruption this way.
-
-Signed-off-by: Prathyushi Nangia <prathyushi.nangia@amd.com>
-Co-developed-by: Borislav Petkov (AMD) <bp@alien8.de>
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/include/asm/msr-index.h | 1 +
- arch/x86/kernel/cpu/amd.c | 3 +++
- tools/arch/x86/include/asm/msr-index.h | 3 +++
- 3 files changed, 7 insertions(+)
-
---- a/arch/x86/include/asm/msr-index.h
-+++ b/arch/x86/include/asm/msr-index.h
-@@ -675,6 +675,7 @@
- /* Zen4 */
- #define MSR_ZEN4_BP_CFG 0xc001102e
- #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5
-+#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33
-
- /* Zen 2 */
- #define MSR_ZEN2_SPECTRAL_CHICKEN 0xc00110e3
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -1166,6 +1166,9 @@ static void init_amd_zen2(struct cpuinfo
- msr_clear_bit(MSR_AMD64_CPUID_FN_7, 18);
- pr_emerg("RDSEED is not reliable on this platform; disabling.\n");
- }
-+
-+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR))
-+ msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN2_BP_CFG_BUG_FIX_BIT);
- }
-
- static void init_amd_zen3(struct cpuinfo_x86 *c)
---- a/tools/arch/x86/include/asm/msr-index.h
-+++ b/tools/arch/x86/include/asm/msr-index.h
-@@ -638,6 +638,9 @@
- /* AMD Last Branch Record MSRs */
- #define MSR_AMD64_LBR_SELECT 0xc000010e
-
-+#define MSR_ZEN4_BP_CFG 0xc001102e
-+#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33
-+
- /* Fam 17h MSRs */
- #define MSR_F17H_IRPERF 0xc00000e9
-
+++ /dev/null
-From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Wed, 13 May 2026 11:37:18 -0700
-Subject: ptrace: slightly saner 'get_dumpable()' logic
-
-From: Linus Torvalds <torvalds@linux-foundation.org>
-
-commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream.
-
-The 'dumpability' of a task is fundamentally about the memory image of
-the task - the concept comes from whether it can core dump or not - and
-makes no sense when you don't have an associated mm.
-
-And almost all users do in fact use it only for the case where the task
-has a mm pointer.
-
-But we have one odd special case: ptrace_may_access() uses 'dumpable' to
-check various other things entirely independently of the MM (typically
-explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
-threads that no longer have a VM (and maybe never did, like most kernel
-threads).
-
-It's not what this flag was designed for, but it is what it is.
-
-The ptrace code does check that the uid/gid matches, so you do have to
-be uid-0 to see kernel thread details, but this means that the
-traditional "drop capabilities" model doesn't make any difference for
-this all.
-
-Make it all make a *bit* more sense by saying that if you don't have a
-MM pointer, we'll use a cached "last dumpability" flag if the thread
-ever had a MM (it will be zero for kernel threads since it is never
-set), and require a proper CAP_SYS_PTRACE capability to override.
-
-Reported-by: Qualys Security Advisory <qsa@qualys.com>
-Cc: Oleg Nesterov <oleg@redhat.com>
-Cc: Kees Cook <kees@kernel.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/sched.h | 3 +++
- kernel/exit.c | 1 +
- kernel/ptrace.c | 22 ++++++++++++++++------
- 3 files changed, 20 insertions(+), 6 deletions(-)
-
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -998,6 +998,9 @@ struct task_struct {
- unsigned sched_rt_mutex:1;
- #endif
-
-+ /* Save user-dumpable when mm goes away */
-+ unsigned user_dumpable:1;
-+
- /* Bit to tell TOMOYO we're in execve(): */
- unsigned in_execve:1;
- unsigned in_iowait:1;
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -571,6 +571,7 @@ static void exit_mm(void)
- */
- smp_mb__after_spinlock();
- local_irq_disable();
-+ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER);
- current->mm = NULL;
- membarrier_update_current_mm(NULL);
- enter_lazy_tlb(mm, current);
---- a/kernel/ptrace.c
-+++ b/kernel/ptrace.c
-@@ -272,11 +272,24 @@ static bool ptrace_has_cap(struct user_n
- return ns_capable(ns, CAP_SYS_PTRACE);
- }
-
-+static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
-+{
-+ struct mm_struct *mm = task->mm;
-+ if (mm) {
-+ if (get_dumpable(mm) == SUID_DUMP_USER)
-+ return true;
-+ return ptrace_has_cap(mm->user_ns, mode);
-+ }
-+
-+ if (task->user_dumpable)
-+ return true;
-+ return ptrace_has_cap(&init_user_ns, mode);
-+}
-+
- /* Returns 0 on success, -errno on denial. */
- static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
- {
- const struct cred *cred = current_cred(), *tcred;
-- struct mm_struct *mm;
- kuid_t caller_uid;
- kgid_t caller_gid;
-
-@@ -337,11 +350,8 @@ ok:
- * Pairs with a write barrier in commit_creds().
- */
- smp_rmb();
-- mm = task->mm;
-- if (mm &&
-- ((get_dumpable(mm) != SUID_DUMP_USER) &&
-- !ptrace_has_cap(mm->user_ns, mode)))
-- return -EPERM;
-+ if (!task_still_dumpable(task, mode))
-+ return -EPERM;
-
- return security_ptrace_access_check(task, mode);
- }
-ptrace-slightly-saner-get_dumpable-logic.patch
hid-playstation-clamp-num_touch_reports.patch
hid-appletb-kbd-fix-uaf-in-inactivity-timer-cleanup-path.patch
hid-appletb-kbd-run-inactivity-autodim-from-workqueues.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
