From: Greg Kroah-Hartman Date: Fri, 15 May 2026 13:09:51 +0000 (+0200) Subject: drop patches already applied X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c50c3130291f1d5e816adf870fce3ed27d7b70d7;p=thirdparty%2Fkernel%2Fstable-queue.git drop patches already applied queues back and ready to roll --- diff --git a/queue-5.10/ptrace-slightly-saner-get_dumpable-logic.patch b/queue-5.10/ptrace-slightly-saner-get_dumpable-logic.patch deleted file mode 100644 index 430b069276..0000000000 --- a/queue-5.10/ptrace-slightly-saner-get_dumpable-logic.patch +++ /dev/null @@ -1,109 +0,0 @@ -From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001 -From: Linus Torvalds -Date: Wed, 13 May 2026 11:37:18 -0700 -Subject: ptrace: slightly saner 'get_dumpable()' logic - -From: Linus Torvalds - -commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream. - -The 'dumpability' of a task is fundamentally about the memory image of -the task - the concept comes from whether it can core dump or not - and -makes no sense when you don't have an associated mm. - -And almost all users do in fact use it only for the case where the task -has a mm pointer. - -But we have one odd special case: ptrace_may_access() uses 'dumpable' to -check various other things entirely independently of the MM (typically -explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for -threads that no longer have a VM (and maybe never did, like most kernel -threads). - -It's not what this flag was designed for, but it is what it is. - -The ptrace code does check that the uid/gid matches, so you do have to -be uid-0 to see kernel thread details, but this means that the -traditional "drop capabilities" model doesn't make any difference for -this all. - -Make it all make a *bit* more sense by saying that if you don't have a -MM pointer, we'll use a cached "last dumpability" flag if the thread -ever had a MM (it will be zero for kernel threads since it is never -set), and require a proper CAP_SYS_PTRACE capability to override. - -Reported-by: Qualys Security Advisory -Cc: Oleg Nesterov -Cc: Kees Cook -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/sched.h | 3 +++ - kernel/exit.c | 1 + - kernel/ptrace.c | 22 ++++++++++++++++------ - 3 files changed, 20 insertions(+), 6 deletions(-) - ---- a/include/linux/sched.h -+++ b/include/linux/sched.h -@@ -805,6 +805,9 @@ struct task_struct { - */ - unsigned sched_remote_wakeup:1; - -+ /* Save user-dumpable when mm goes away */ -+ unsigned user_dumpable:1; -+ - /* Bit to tell LSMs we're in execve(): */ - unsigned in_execve:1; - unsigned in_iowait:1; ---- a/kernel/exit.c -+++ b/kernel/exit.c -@@ -528,6 +528,7 @@ static void exit_mm(void) - BUG_ON(mm != current->active_mm); - /* more a memory barrier than a real lock */ - task_lock(current); -+ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER); - current->mm = NULL; - mmap_read_unlock(mm); - enter_lazy_tlb(mm, current); ---- a/kernel/ptrace.c -+++ b/kernel/ptrace.c -@@ -287,11 +287,24 @@ static bool ptrace_has_cap(struct user_n - return ns_capable(ns, CAP_SYS_PTRACE); - } - -+static bool task_still_dumpable(struct task_struct *task, unsigned int mode) -+{ -+ struct mm_struct *mm = task->mm; -+ if (mm) { -+ if (get_dumpable(mm) == SUID_DUMP_USER) -+ return true; -+ return ptrace_has_cap(mm->user_ns, mode); -+ } -+ -+ if (task->user_dumpable) -+ return true; -+ return ptrace_has_cap(&init_user_ns, mode); -+} -+ - /* Returns 0 on success, -errno on denial. */ - static int __ptrace_may_access(struct task_struct *task, unsigned int mode) - { - const struct cred *cred = current_cred(), *tcred; -- struct mm_struct *mm; - kuid_t caller_uid; - kgid_t caller_gid; - -@@ -352,11 +365,8 @@ ok: - * Pairs with a write barrier in commit_creds(). - */ - smp_rmb(); -- mm = task->mm; -- if (mm && -- ((get_dumpable(mm) != SUID_DUMP_USER) && -- !ptrace_has_cap(mm->user_ns, mode))) -- return -EPERM; -+ if (!task_still_dumpable(task, mode)) -+ return -EPERM; - - return security_ptrace_access_check(task, mode); - } diff --git a/queue-5.10/series b/queue-5.10/series index edbf56ca63..eef74f9856 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -212,10 +212,6 @@ ipmi-si-return-state-to-normal-if-message-allocation-fails.patch fbdev-udlfb-add-vm_ops-to-dlfb_ops_mmap-to-prevent-use-after-free.patch acpi-video-force-native-backlight-on-hp-omen-16-8a44.patch spi-rockchip-fix-controller-deregistration.patch -x86-cpu-amd-add-zenx-generations-flags.patch -x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch -x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch -x86-cpu-amd-add-x86_feature_zen1.patch net-sched-sch_red-replace-direct-dequeue-call-with-peek-and-qdisc_dequeue_peeked.patch ipmi-ssif-fix-a-shutdown-race.patch ipmi-ssif-clean-up-kthread-on-errors.patch @@ -269,8 +265,6 @@ rdma-mlx4-fix-resource-leak-on-error-in-mlx4_ib_create_srq.patch rdma-ocrdma-don-t-null-deref-uctx-on-errors-in-ocrdma_copy_pd_uresp.patch rdma-rxe-reject-unknown-opcodes-before-icrc-processing.patch rdma-vmw_pvrdma-fix-double-free-on-pvrdma_alloc_ucontext-error-path.patch -x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch -ptrace-slightly-saner-get_dumpable-logic.patch media-uvcvideo-enable-vb2_dmabuf-for-metadata-stream.patch staging-media-atomisp-disallow-all-private-ioctls.patch regulator-max77650-fix-of-node-reference-imbalance.patch diff --git a/queue-5.10/x86-cpu-amd-add-x86_feature_zen1.patch b/queue-5.10/x86-cpu-amd-add-x86_feature_zen1.patch deleted file mode 100644 index b0dde90d44..0000000000 --- a/queue-5.10/x86-cpu-amd-add-x86_feature_zen1.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 8b11c9f96a0ddb679c11e4a8f2d8dae52e9c15af Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Sat, 2 Dec 2023 12:50:23 +0100 -Subject: x86/CPU/AMD: Add X86_FEATURE_ZEN1 - -From: "Borislav Petkov (AMD)" - -Commit 232afb557835d6f6859c73bf610bad308c96b131 upstream. - -Add a synthetic feature flag specifically for first generation Zen -machines. There's need to have a generic flag for all Zen generations so -make X86_FEATURE_ZEN be that flag. - -Fixes: 30fa92832f40 ("x86/CPU/AMD: Add ZenX generations flags") -Suggested-by: Brian Gerst -Suggested-by: Tom Lendacky -Signed-off-by: Borislav Petkov (AMD) -Link: https://lore.kernel.org/r/dc3835e3-0731-4230-bbb9-336bbe3d042b@amd.com -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/cpufeatures.h | 3 ++- - arch/x86/kernel/cpu/amd.c | 9 +++++---- - tools/arch/x86/include/asm/cpufeatures.h | 2 +- - 3 files changed, 8 insertions(+), 6 deletions(-) - ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -219,7 +219,7 @@ - #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ - #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */ - #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ --#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */ -+#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */ - #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ - #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */ - #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */ -@@ -309,6 +309,7 @@ - #define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */ - #define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */ - #define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */ -+#define X86_FEATURE_ZEN1 (11*32+31) /* "" CPU based on Zen1 microarchitecture */ - - /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ - #define X86_FEATURE_AVX512_BF16 (12*32+ 5) /* AVX512 BFLOAT16 instructions */ ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -741,7 +741,7 @@ static void bsp_init_amd(struct cpuinfo_ - switch (c->x86_model) { - case 0x00 ... 0x2f: - case 0x50 ... 0x5f: -- setup_force_cpu_cap(X86_FEATURE_ZEN); -+ setup_force_cpu_cap(X86_FEATURE_ZEN1); - break; - case 0x30 ... 0x4f: - case 0x60 ... 0x7f: -@@ -1122,12 +1122,13 @@ void init_spectral_chicken(struct cpuinf - - static void init_amd_zen_common(void) - { -+ setup_force_cpu_cap(X86_FEATURE_ZEN); - #ifdef CONFIG_NUMA - node_reclaim_distance = 32; - #endif - } - --static void init_amd_zen(struct cpuinfo_x86 *c) -+static void init_amd_zen1(struct cpuinfo_x86 *c) - { - init_amd_zen_common(); - -@@ -1239,8 +1240,8 @@ static void init_amd(struct cpuinfo_x86 - case 0x16: init_amd_jg(c); break; - } - -- if (boot_cpu_has(X86_FEATURE_ZEN)) -- init_amd_zen(c); -+ if (boot_cpu_has(X86_FEATURE_ZEN1)) -+ init_amd_zen1(c); - else if (boot_cpu_has(X86_FEATURE_ZEN2)) - init_amd_zen2(c); - else if (boot_cpu_has(X86_FEATURE_ZEN3)) ---- a/tools/arch/x86/include/asm/cpufeatures.h -+++ b/tools/arch/x86/include/asm/cpufeatures.h -@@ -219,7 +219,7 @@ - #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ - #define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */ - #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ --#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 or above (Zen) */ -+#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */ - #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ - #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */ - #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */ diff --git a/queue-5.10/x86-cpu-amd-add-zenx-generations-flags.patch b/queue-5.10/x86-cpu-amd-add-zenx-generations-flags.patch deleted file mode 100644 index 6673c4a0a7..0000000000 --- a/queue-5.10/x86-cpu-amd-add-zenx-generations-flags.patch +++ /dev/null @@ -1,144 +0,0 @@ -From 0505eb46841c27ea9767b7b6270862f29deafc02 Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Tue, 31 Oct 2023 23:30:59 +0100 -Subject: x86/CPU/AMD: Add ZenX generations flags - -From: "Borislav Petkov (AMD)" - -Commit 30fa92832f405d5ac9f263e99f62445fa3084008 upstream. - -Add X86_FEATURE flags for each Zen generation. They should be used from -now on instead of checking f/m/s. - -Signed-off-by: Borislav Petkov (AMD) -Reviewed-by: Nikolay Borisov -Acked-by: Thomas Gleixner -Link: http://lore.kernel.org/r/20231120104152.13740-2-bp@alien8.de -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/cpufeatures.h | 5 ++ - arch/x86/kernel/cpu/amd.c | 70 +++++++++++++++++++++++++++++++++++-- - 2 files changed, 72 insertions(+), 3 deletions(-) - ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -219,7 +219,7 @@ - #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ - #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */ - #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ --#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 or above (Zen) */ -+#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */ - #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ - #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */ - #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */ -@@ -306,6 +306,9 @@ - #define X86_FEATURE_SRSO_ALIAS (11*32+25) /* "" AMD BTB untrain RETs through aliasing */ - #define X86_FEATURE_IBPB_ON_VMEXIT (11*32+26) /* "" Issue an IBPB only on VMEXIT */ - #define X86_FEATURE_APIC_MSRS_FENCE (11*32+27) /* "" IA32_TSC_DEADLINE and X2APIC MSRs need fencing */ -+#define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */ -+#define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */ -+#define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */ - - /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ - #define X86_FEATURE_AVX512_BF16 (12*32+ 5) /* AVX512 BFLOAT16 instructions */ ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -735,7 +735,50 @@ static void bsp_init_amd(struct cpuinfo_ - - resctrl_cpu_detect(c); - -+ /* Figure out Zen generations: */ -+ switch (c->x86) { -+ case 0x17: { -+ switch (c->x86_model) { -+ case 0x00 ... 0x2f: -+ case 0x50 ... 0x5f: -+ setup_force_cpu_cap(X86_FEATURE_ZEN); -+ break; -+ case 0x30 ... 0x4f: -+ case 0x60 ... 0x7f: -+ case 0x90 ... 0x91: -+ case 0xa0 ... 0xaf: -+ setup_force_cpu_cap(X86_FEATURE_ZEN2); -+ break; -+ default: -+ goto warn; -+ } -+ break; -+ } -+ case 0x19: { -+ switch (c->x86_model) { -+ case 0x00 ... 0x0f: -+ case 0x20 ... 0x5f: -+ setup_force_cpu_cap(X86_FEATURE_ZEN3); -+ break; -+ case 0x10 ... 0x1f: -+ case 0x60 ... 0xaf: -+ setup_force_cpu_cap(X86_FEATURE_ZEN4); -+ break; -+ default: -+ goto warn; -+ } -+ break; -+ } -+ default: -+ break; -+ } -+ - tsa_init(c); -+ -+ return; -+ -+warn: -+ WARN_ONCE(1, "Family 0x%x, model: 0x%x??\n", c->x86, c->x86_model); - } - - static void early_detect_mem_encrypt(struct cpuinfo_x86 *c) -@@ -1081,8 +1124,6 @@ void init_spectral_chicken(struct cpuinf - - static void init_amd_zn(struct cpuinfo_x86 *c) - { -- set_cpu_cap(c, X86_FEATURE_ZEN); -- - #ifdef CONFIG_NUMA - node_reclaim_distance = 32; - #endif -@@ -1148,6 +1189,22 @@ static void zenbleed_check(struct cpuinf - } - } - -+static void init_amd_zen(struct cpuinfo_x86 *c) -+{ -+} -+ -+static void init_amd_zen2(struct cpuinfo_x86 *c) -+{ -+} -+ -+static void init_amd_zen3(struct cpuinfo_x86 *c) -+{ -+} -+ -+static void init_amd_zen4(struct cpuinfo_x86 *c) -+{ -+} -+ - static void init_amd(struct cpuinfo_x86 *c) - { - early_init_amd(c); -@@ -1182,6 +1239,15 @@ static void init_amd(struct cpuinfo_x86 - case 0x19: init_amd_zn(c); break; - } - -+ if (boot_cpu_has(X86_FEATURE_ZEN)) -+ init_amd_zen(c); -+ else if (boot_cpu_has(X86_FEATURE_ZEN2)) -+ init_amd_zen2(c); -+ else if (boot_cpu_has(X86_FEATURE_ZEN3)) -+ init_amd_zen3(c); -+ else if (boot_cpu_has(X86_FEATURE_ZEN4)) -+ init_amd_zen4(c); -+ - /* - * Enable workaround for FXSAVE leak on CPUs - * without a XSaveErPtr feature diff --git a/queue-5.10/x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch b/queue-5.10/x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch deleted file mode 100644 index 3e34324c80..0000000000 --- a/queue-5.10/x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 6ea9e49236f62c01f32ea0b3e5c4ce41d1ec0389 Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Wed, 1 Nov 2023 11:20:01 +0100 -Subject: x86/CPU/AMD: Call the spectral chicken in the Zen2 init function - -From: "Borislav Petkov (AMD)" - -Commit cfbf4f992bfce1fa9f2f347a79cbbea0368e7971 upstream. - -No functional change. - -Signed-off-by: Borislav Petkov (AMD) -Reviewed-by: Nikolay Borisov -Link: http://lore.kernel.org/r/20231120104152.13740-6-bp@alien8.de -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/cpu/amd.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -1101,10 +1101,8 @@ void init_spectral_chicken(struct cpuinf - * - * This suppresses speculation from the middle of a basic block, i.e. it - * suppresses non-branch predictions. -- * -- * We use STIBP as a heuristic to filter out Zen2 from the rest of F17H - */ -- if (!cpu_has(c, X86_FEATURE_HYPERVISOR) && cpu_has(c, X86_FEATURE_AMD_STIBP)) { -+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) { - if (!rdmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, &value)) { - value |= MSR_ZEN2_SPECTRAL_CHICKEN_BIT; - wrmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, value); -@@ -1195,6 +1193,7 @@ static void init_amd_zen(struct cpuinfo_ - - static void init_amd_zen2(struct cpuinfo_x86 *c) - { -+ init_spectral_chicken(c); - } - - static void init_amd_zen3(struct cpuinfo_x86 *c) -@@ -1234,7 +1233,7 @@ static void init_amd(struct cpuinfo_x86 - case 0x12: init_amd_ln(c); break; - case 0x15: init_amd_bd(c); break; - case 0x16: init_amd_jg(c); break; -- case 0x17: init_spectral_chicken(c); -+ case 0x17: - fallthrough; - case 0x19: init_amd_zn(c); break; - } diff --git a/queue-5.10/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch b/queue-5.10/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch deleted file mode 100644 index e3778e4645..0000000000 --- a/queue-5.10/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch +++ /dev/null @@ -1,66 +0,0 @@ -From d14f0f391370ca45abc208a13c5863a9d05f422c Mon Sep 17 00:00:00 2001 -From: Prathyushi Nangia -Date: Tue, 9 Dec 2025 10:01:33 -0600 -Subject: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache - -From: Prathyushi Nangia - -commit c21b90f77687075115d989e53a8ec5e2bb427ab1 upstream. - -Make sure resources are not improperly shared in the op cache and -cause instruction corruption this way. - -Signed-off-by: Prathyushi Nangia -Co-developed-by: Borislav Petkov (AMD) -Signed-off-by: Borislav Petkov (AMD) -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/msr-index.h | 1 + - arch/x86/kernel/cpu/amd.c | 3 +++ - tools/arch/x86/include/asm/msr-index.h | 3 +++ - 3 files changed, 7 insertions(+) - -diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h -index 390db709b432..59bee2206d97 100644 ---- a/arch/x86/include/asm/msr-index.h -+++ b/arch/x86/include/asm/msr-index.h -@@ -570,6 +570,7 @@ - /* Zen4 */ - #define MSR_ZEN4_BP_CFG 0xc001102e - #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5 -+#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33 - - /* Zen 2 */ - #define MSR_ZEN2_SPECTRAL_CHICKEN 0xc00110e3 -diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c -index 3a446f2b6d30..519e388083b2 100644 ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -1197,6 +1197,9 @@ static void init_amd_zen2(struct cpuinfo_x86 *c) - { - init_amd_zen_common(); - init_spectral_chicken(c); -+ -+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) -+ msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN2_BP_CFG_BUG_FIX_BIT); - } - - static void init_amd_zen3(struct cpuinfo_x86 *c) -diff --git a/tools/arch/x86/include/asm/msr-index.h b/tools/arch/x86/include/asm/msr-index.h -index 8fb925676813..c28d75fe4dee 100644 ---- a/tools/arch/x86/include/asm/msr-index.h -+++ b/tools/arch/x86/include/asm/msr-index.h -@@ -523,6 +523,9 @@ - - #define MSR_AMD64_VIRT_SPEC_CTRL 0xc001011f - -+#define MSR_ZEN4_BP_CFG 0xc001102e -+#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33 -+ - /* Fam 17h MSRs */ - #define MSR_F17H_IRPERF 0xc00000e9 - --- -2.51.0 - diff --git a/queue-5.10/x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch b/queue-5.10/x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch deleted file mode 100644 index 7ec5e5b13d..0000000000 --- a/queue-5.10/x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 714aa4501bd485a70c063fc9e98a44dc9ae277a4 Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Wed, 1 Nov 2023 12:34:29 +0100 -Subject: x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common() - -From: "Borislav Petkov (AMD)" - -Commit 7c81ad8e8bc28a1847e87c5afe1bae6bffb2f73e upstream. - -Call it from all Zen init functions. - -Signed-off-by: Borislav Petkov (AMD) -Reviewed-by: Nikolay Borisov -Link: http://lore.kernel.org/r/20231120104152.13740-7-bp@alien8.de -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/cpu/amd.c | 17 +++++++++-------- - 1 file changed, 9 insertions(+), 8 deletions(-) - ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -1120,11 +1120,16 @@ void init_spectral_chicken(struct cpuinf - clear_cpu_cap(c, X86_FEATURE_XSAVES); - } - --static void init_amd_zn(struct cpuinfo_x86 *c) -+static void init_amd_zen_common(void) - { - #ifdef CONFIG_NUMA - node_reclaim_distance = 32; - #endif -+} -+ -+static void init_amd_zen(struct cpuinfo_x86 *c) -+{ -+ init_amd_zen_common(); - - /* Fix up CPUID bits, but only if not virtualised. */ - if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) { -@@ -1187,21 +1192,20 @@ static void zenbleed_check(struct cpuinf - } - } - --static void init_amd_zen(struct cpuinfo_x86 *c) --{ --} -- - static void init_amd_zen2(struct cpuinfo_x86 *c) - { -+ init_amd_zen_common(); - init_spectral_chicken(c); - } - - static void init_amd_zen3(struct cpuinfo_x86 *c) - { -+ init_amd_zen_common(); - } - - static void init_amd_zen4(struct cpuinfo_x86 *c) - { -+ init_amd_zen_common(); - } - - static void init_amd(struct cpuinfo_x86 *c) -@@ -1233,9 +1237,6 @@ static void init_amd(struct cpuinfo_x86 - case 0x12: init_amd_ln(c); break; - case 0x15: init_amd_bd(c); break; - case 0x16: init_amd_jg(c); break; -- case 0x17: -- fallthrough; -- case 0x19: init_amd_zn(c); break; - } - - if (boot_cpu_has(X86_FEATURE_ZEN)) diff --git a/queue-5.15/ptrace-slightly-saner-get_dumpable-logic.patch b/queue-5.15/ptrace-slightly-saner-get_dumpable-logic.patch deleted file mode 100644 index 815872a98b..0000000000 --- a/queue-5.15/ptrace-slightly-saner-get_dumpable-logic.patch +++ /dev/null @@ -1,109 +0,0 @@ -From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001 -From: Linus Torvalds -Date: Wed, 13 May 2026 11:37:18 -0700 -Subject: ptrace: slightly saner 'get_dumpable()' logic - -From: Linus Torvalds - -commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream. - -The 'dumpability' of a task is fundamentally about the memory image of -the task - the concept comes from whether it can core dump or not - and -makes no sense when you don't have an associated mm. - -And almost all users do in fact use it only for the case where the task -has a mm pointer. - -But we have one odd special case: ptrace_may_access() uses 'dumpable' to -check various other things entirely independently of the MM (typically -explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for -threads that no longer have a VM (and maybe never did, like most kernel -threads). - -It's not what this flag was designed for, but it is what it is. - -The ptrace code does check that the uid/gid matches, so you do have to -be uid-0 to see kernel thread details, but this means that the -traditional "drop capabilities" model doesn't make any difference for -this all. - -Make it all make a *bit* more sense by saying that if you don't have a -MM pointer, we'll use a cached "last dumpability" flag if the thread -ever had a MM (it will be zero for kernel threads since it is never -set), and require a proper CAP_SYS_PTRACE capability to override. - -Reported-by: Qualys Security Advisory -Cc: Oleg Nesterov -Cc: Kees Cook -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/sched.h | 3 +++ - kernel/exit.c | 1 + - kernel/ptrace.c | 22 ++++++++++++++++------ - 3 files changed, 20 insertions(+), 6 deletions(-) - ---- a/include/linux/sched.h -+++ b/include/linux/sched.h -@@ -896,6 +896,9 @@ struct task_struct { - */ - unsigned sched_remote_wakeup:1; - -+ /* Save user-dumpable when mm goes away */ -+ unsigned user_dumpable:1; -+ - /* Bit to tell LSMs we're in execve(): */ - unsigned in_execve:1; - unsigned in_iowait:1; ---- a/kernel/exit.c -+++ b/kernel/exit.c -@@ -540,6 +540,7 @@ static void exit_mm(void) - */ - smp_mb__after_spinlock(); - local_irq_disable(); -+ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER); - current->mm = NULL; - membarrier_update_current_mm(NULL); - enter_lazy_tlb(mm, current); ---- a/kernel/ptrace.c -+++ b/kernel/ptrace.c -@@ -288,11 +288,24 @@ static bool ptrace_has_cap(struct user_n - return ns_capable(ns, CAP_SYS_PTRACE); - } - -+static bool task_still_dumpable(struct task_struct *task, unsigned int mode) -+{ -+ struct mm_struct *mm = task->mm; -+ if (mm) { -+ if (get_dumpable(mm) == SUID_DUMP_USER) -+ return true; -+ return ptrace_has_cap(mm->user_ns, mode); -+ } -+ -+ if (task->user_dumpable) -+ return true; -+ return ptrace_has_cap(&init_user_ns, mode); -+} -+ - /* Returns 0 on success, -errno on denial. */ - static int __ptrace_may_access(struct task_struct *task, unsigned int mode) - { - const struct cred *cred = current_cred(), *tcred; -- struct mm_struct *mm; - kuid_t caller_uid; - kgid_t caller_gid; - -@@ -353,11 +366,8 @@ ok: - * Pairs with a write barrier in commit_creds(). - */ - smp_rmb(); -- mm = task->mm; -- if (mm && -- ((get_dumpable(mm) != SUID_DUMP_USER) && -- !ptrace_has_cap(mm->user_ns, mode))) -- return -EPERM; -+ if (!task_still_dumpable(task, mode)) -+ return -EPERM; - - return security_ptrace_access_check(task, mode); - } diff --git a/queue-5.15/series b/queue-5.15/series index 892fbe0fa0..79cfac4740 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -281,10 +281,6 @@ acpi-scan-use-acpi_dev_put-in-object-add-error-paths.patch acpi-cppc-fix-related_cpus-inconsistency-during-cpu-hotplug.patch acpi-video-force-native-backlight-on-hp-omen-16-8a44.patch spi-rockchip-fix-controller-deregistration.patch -x86-cpu-amd-add-zenx-generations-flags.patch -x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch -x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch -x86-cpu-amd-add-x86_feature_zen1.patch ksmbd-do-not-expire-session-on-binding-failure.patch spi-meson-spicc-fix-double-put-in-remove-path.patch um-virt-pci-fix-build-failure.patch @@ -356,8 +352,6 @@ mptcp-use-mpjoinsynackhmacfailure-for-synack-hmac-failure.patch mptcp-use-mptcp_rst_emptcp-for-ack-hmac-validation-failure.patch mptcp-sockopt-set-timestamp-flags-on-subflow-socket-not-msk.patch mptcp-fix-scheduling-with-atomic-in-timestamp-sockopt.patch -x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch -ptrace-slightly-saner-get_dumpable-logic.patch platform-x86-hp-wmi-ignore-backlight-and-fnlock-events.patch media-uvcvideo-enable-vb2_dmabuf-for-metadata-stream.patch media-i2c-ov8856-free-control-handler-on-error-in-ov8856_init_controls.patch diff --git a/queue-5.15/x86-cpu-amd-add-x86_feature_zen1.patch b/queue-5.15/x86-cpu-amd-add-x86_feature_zen1.patch deleted file mode 100644 index 2c26ba7e44..0000000000 --- a/queue-5.15/x86-cpu-amd-add-x86_feature_zen1.patch +++ /dev/null @@ -1,92 +0,0 @@ -From e72596e11570e82f96805156b122c491f2bfd192 Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Sat, 2 Dec 2023 12:50:23 +0100 -Subject: x86/CPU/AMD: Add X86_FEATURE_ZEN1 - -From: "Borislav Petkov (AMD)" - -Commit 232afb557835d6f6859c73bf610bad308c96b131 upstream. - -Add a synthetic feature flag specifically for first generation Zen -machines. There's need to have a generic flag for all Zen generations so -make X86_FEATURE_ZEN be that flag. - -Fixes: 30fa92832f40 ("x86/CPU/AMD: Add ZenX generations flags") -Suggested-by: Brian Gerst -Suggested-by: Tom Lendacky -Signed-off-by: Borislav Petkov (AMD) -Link: https://lore.kernel.org/r/dc3835e3-0731-4230-bbb9-336bbe3d042b@amd.com -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/cpufeatures.h | 3 ++- - arch/x86/kernel/cpu/amd.c | 9 +++++---- - tools/arch/x86/include/asm/cpufeatures.h | 2 +- - 3 files changed, 8 insertions(+), 6 deletions(-) - ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -219,7 +219,7 @@ - #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ - #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */ - #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ --#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */ -+#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */ - #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ - #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */ - #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */ -@@ -313,6 +313,7 @@ - #define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */ - #define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */ - #define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */ -+#define X86_FEATURE_ZEN1 (11*32+31) /* "" CPU based on Zen1 microarchitecture */ - - /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ - #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */ ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -714,7 +714,7 @@ static void bsp_init_amd(struct cpuinfo_ - switch (c->x86_model) { - case 0x00 ... 0x2f: - case 0x50 ... 0x5f: -- setup_force_cpu_cap(X86_FEATURE_ZEN); -+ setup_force_cpu_cap(X86_FEATURE_ZEN1); - break; - case 0x30 ... 0x4f: - case 0x60 ... 0x7f: -@@ -1095,12 +1095,13 @@ void init_spectral_chicken(struct cpuinf - - static void init_amd_zen_common(void) - { -+ setup_force_cpu_cap(X86_FEATURE_ZEN); - #ifdef CONFIG_NUMA - node_reclaim_distance = 32; - #endif - } - --static void init_amd_zen(struct cpuinfo_x86 *c) -+static void init_amd_zen1(struct cpuinfo_x86 *c) - { - init_amd_zen_common(); - -@@ -1212,8 +1213,8 @@ static void init_amd(struct cpuinfo_x86 - case 0x16: init_amd_jg(c); break; - } - -- if (boot_cpu_has(X86_FEATURE_ZEN)) -- init_amd_zen(c); -+ if (boot_cpu_has(X86_FEATURE_ZEN1)) -+ init_amd_zen1(c); - else if (boot_cpu_has(X86_FEATURE_ZEN2)) - init_amd_zen2(c); - else if (boot_cpu_has(X86_FEATURE_ZEN3)) ---- a/tools/arch/x86/include/asm/cpufeatures.h -+++ b/tools/arch/x86/include/asm/cpufeatures.h -@@ -219,7 +219,7 @@ - #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ - #define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */ - #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ --#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 or above (Zen) */ -+#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */ - #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ - #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */ - #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */ diff --git a/queue-5.15/x86-cpu-amd-add-zenx-generations-flags.patch b/queue-5.15/x86-cpu-amd-add-zenx-generations-flags.patch deleted file mode 100644 index e1cc24025b..0000000000 --- a/queue-5.15/x86-cpu-amd-add-zenx-generations-flags.patch +++ /dev/null @@ -1,144 +0,0 @@ -From 3afc6ada329c9954054d68f5efa03999a53767be Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Tue, 31 Oct 2023 23:30:59 +0100 -Subject: x86/CPU/AMD: Add ZenX generations flags - -From: "Borislav Petkov (AMD)" - -Commit 30fa92832f405d5ac9f263e99f62445fa3084008 upstream. - -Add X86_FEATURE flags for each Zen generation. They should be used from -now on instead of checking f/m/s. - -Signed-off-by: Borislav Petkov (AMD) -Reviewed-by: Nikolay Borisov -Acked-by: Thomas Gleixner -Link: http://lore.kernel.org/r/20231120104152.13740-2-bp@alien8.de -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/cpufeatures.h | 5 ++ - arch/x86/kernel/cpu/amd.c | 70 +++++++++++++++++++++++++++++++++++-- - 2 files changed, 72 insertions(+), 3 deletions(-) - ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -219,7 +219,7 @@ - #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ - #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */ - #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ --#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 or above (Zen) */ -+#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */ - #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ - #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */ - #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */ -@@ -310,6 +310,9 @@ - #define X86_FEATURE_SRSO_ALIAS (11*32+25) /* "" AMD BTB untrain RETs through aliasing */ - #define X86_FEATURE_IBPB_ON_VMEXIT (11*32+26) /* "" Issue an IBPB only on VMEXIT */ - #define X86_FEATURE_APIC_MSRS_FENCE (11*32+27) /* "" IA32_TSC_DEADLINE and X2APIC MSRs need fencing */ -+#define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */ -+#define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */ -+#define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */ - - /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ - #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */ ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -708,7 +708,50 @@ static void bsp_init_amd(struct cpuinfo_ - - resctrl_cpu_detect(c); - -+ /* Figure out Zen generations: */ -+ switch (c->x86) { -+ case 0x17: { -+ switch (c->x86_model) { -+ case 0x00 ... 0x2f: -+ case 0x50 ... 0x5f: -+ setup_force_cpu_cap(X86_FEATURE_ZEN); -+ break; -+ case 0x30 ... 0x4f: -+ case 0x60 ... 0x7f: -+ case 0x90 ... 0x91: -+ case 0xa0 ... 0xaf: -+ setup_force_cpu_cap(X86_FEATURE_ZEN2); -+ break; -+ default: -+ goto warn; -+ } -+ break; -+ } -+ case 0x19: { -+ switch (c->x86_model) { -+ case 0x00 ... 0x0f: -+ case 0x20 ... 0x5f: -+ setup_force_cpu_cap(X86_FEATURE_ZEN3); -+ break; -+ case 0x10 ... 0x1f: -+ case 0x60 ... 0xaf: -+ setup_force_cpu_cap(X86_FEATURE_ZEN4); -+ break; -+ default: -+ goto warn; -+ } -+ break; -+ } -+ default: -+ break; -+ } -+ - tsa_init(c); -+ -+ return; -+ -+warn: -+ WARN_ONCE(1, "Family 0x%x, model: 0x%x??\n", c->x86, c->x86_model); - } - - static void early_detect_mem_encrypt(struct cpuinfo_x86 *c) -@@ -1054,8 +1097,6 @@ void init_spectral_chicken(struct cpuinf - - static void init_amd_zn(struct cpuinfo_x86 *c) - { -- set_cpu_cap(c, X86_FEATURE_ZEN); -- - #ifdef CONFIG_NUMA - node_reclaim_distance = 32; - #endif -@@ -1121,6 +1162,22 @@ static void zenbleed_check(struct cpuinf - } - } - -+static void init_amd_zen(struct cpuinfo_x86 *c) -+{ -+} -+ -+static void init_amd_zen2(struct cpuinfo_x86 *c) -+{ -+} -+ -+static void init_amd_zen3(struct cpuinfo_x86 *c) -+{ -+} -+ -+static void init_amd_zen4(struct cpuinfo_x86 *c) -+{ -+} -+ - static void init_amd(struct cpuinfo_x86 *c) - { - early_init_amd(c); -@@ -1155,6 +1212,15 @@ static void init_amd(struct cpuinfo_x86 - case 0x19: init_amd_zn(c); break; - } - -+ if (boot_cpu_has(X86_FEATURE_ZEN)) -+ init_amd_zen(c); -+ else if (boot_cpu_has(X86_FEATURE_ZEN2)) -+ init_amd_zen2(c); -+ else if (boot_cpu_has(X86_FEATURE_ZEN3)) -+ init_amd_zen3(c); -+ else if (boot_cpu_has(X86_FEATURE_ZEN4)) -+ init_amd_zen4(c); -+ - /* - * Enable workaround for FXSAVE leak on CPUs - * without a XSaveErPtr feature diff --git a/queue-5.15/x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch b/queue-5.15/x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch deleted file mode 100644 index 47f71d1a35..0000000000 --- a/queue-5.15/x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch +++ /dev/null @@ -1,50 +0,0 @@ -From da5cfe21657dcc1135f18b02767f6f52e7e04abb Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Wed, 1 Nov 2023 11:20:01 +0100 -Subject: x86/CPU/AMD: Call the spectral chicken in the Zen2 init function - -From: "Borislav Petkov (AMD)" - -Commit cfbf4f992bfce1fa9f2f347a79cbbea0368e7971 upstream. - -No functional change. - -Signed-off-by: Borislav Petkov (AMD) -Reviewed-by: Nikolay Borisov -Link: http://lore.kernel.org/r/20231120104152.13740-6-bp@alien8.de -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/cpu/amd.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -1074,10 +1074,8 @@ void init_spectral_chicken(struct cpuinf - * - * This suppresses speculation from the middle of a basic block, i.e. it - * suppresses non-branch predictions. -- * -- * We use STIBP as a heuristic to filter out Zen2 from the rest of F17H - */ -- if (!cpu_has(c, X86_FEATURE_HYPERVISOR) && cpu_has(c, X86_FEATURE_AMD_STIBP)) { -+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) { - if (!rdmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, &value)) { - value |= MSR_ZEN2_SPECTRAL_CHICKEN_BIT; - wrmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, value); -@@ -1168,6 +1166,7 @@ static void init_amd_zen(struct cpuinfo_ - - static void init_amd_zen2(struct cpuinfo_x86 *c) - { -+ init_spectral_chicken(c); - } - - static void init_amd_zen3(struct cpuinfo_x86 *c) -@@ -1207,7 +1206,7 @@ static void init_amd(struct cpuinfo_x86 - case 0x12: init_amd_ln(c); break; - case 0x15: init_amd_bd(c); break; - case 0x16: init_amd_jg(c); break; -- case 0x17: init_spectral_chicken(c); -+ case 0x17: - fallthrough; - case 0x19: init_amd_zn(c); break; - } diff --git a/queue-5.15/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch b/queue-5.15/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch deleted file mode 100644 index 3416220dd9..0000000000 --- a/queue-5.15/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch +++ /dev/null @@ -1,57 +0,0 @@ -From a88e215025e5fa9cb1f4759aa09f5ff1fcb21b21 Mon Sep 17 00:00:00 2001 -From: Prathyushi Nangia -Date: Tue, 9 Dec 2025 10:01:33 -0600 -Subject: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache - -From: Prathyushi Nangia - -commit c21b90f77687075115d989e53a8ec5e2bb427ab1 upstream. - -Make sure resources are not improperly shared in the op cache and -cause instruction corruption this way. - -Signed-off-by: Prathyushi Nangia -Co-developed-by: Borislav Petkov (AMD) -Signed-off-by: Borislav Petkov (AMD) -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/msr-index.h | 1 + - arch/x86/kernel/cpu/amd.c | 3 +++ - tools/arch/x86/include/asm/msr-index.h | 3 +++ - 3 files changed, 7 insertions(+) - ---- a/arch/x86/include/asm/msr-index.h -+++ b/arch/x86/include/asm/msr-index.h -@@ -580,6 +580,7 @@ - /* Zen4 */ - #define MSR_ZEN4_BP_CFG 0xc001102e - #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5 -+#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33 - - /* Zen 2 */ - #define MSR_ZEN2_SPECTRAL_CHICKEN 0xc00110e3 ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -1170,6 +1170,9 @@ static void init_amd_zen2(struct cpuinfo - { - init_amd_zen_common(); - init_spectral_chicken(c); -+ -+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) -+ msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN2_BP_CFG_BUG_FIX_BIT); - } - - static void init_amd_zen3(struct cpuinfo_x86 *c) ---- a/tools/arch/x86/include/asm/msr-index.h -+++ b/tools/arch/x86/include/asm/msr-index.h -@@ -530,6 +530,9 @@ - - #define MSR_AMD64_VIRT_SPEC_CTRL 0xc001011f - -+#define MSR_ZEN4_BP_CFG 0xc001102e -+#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33 -+ - /* Fam 17h MSRs */ - #define MSR_F17H_IRPERF 0xc00000e9 - diff --git a/queue-5.15/x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch b/queue-5.15/x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch deleted file mode 100644 index e51e9338d0..0000000000 --- a/queue-5.15/x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch +++ /dev/null @@ -1,74 +0,0 @@ -From d796696ded7ee9fdd5e76a0bb854af0d8f5f9cc7 Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Wed, 1 Nov 2023 12:34:29 +0100 -Subject: x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common() - -From: "Borislav Petkov (AMD)" - -Commit 7c81ad8e8bc28a1847e87c5afe1bae6bffb2f73e upstream. - -Call it from all Zen init functions. - -Signed-off-by: Borislav Petkov (AMD) -Reviewed-by: Nikolay Borisov -Link: http://lore.kernel.org/r/20231120104152.13740-7-bp@alien8.de -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/cpu/amd.c | 17 +++++++++-------- - 1 file changed, 9 insertions(+), 8 deletions(-) - ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -1093,11 +1093,16 @@ void init_spectral_chicken(struct cpuinf - clear_cpu_cap(c, X86_FEATURE_XSAVES); - } - --static void init_amd_zn(struct cpuinfo_x86 *c) -+static void init_amd_zen_common(void) - { - #ifdef CONFIG_NUMA - node_reclaim_distance = 32; - #endif -+} -+ -+static void init_amd_zen(struct cpuinfo_x86 *c) -+{ -+ init_amd_zen_common(); - - /* Fix up CPUID bits, but only if not virtualised. */ - if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) { -@@ -1160,21 +1165,20 @@ static void zenbleed_check(struct cpuinf - } - } - --static void init_amd_zen(struct cpuinfo_x86 *c) --{ --} -- - static void init_amd_zen2(struct cpuinfo_x86 *c) - { -+ init_amd_zen_common(); - init_spectral_chicken(c); - } - - static void init_amd_zen3(struct cpuinfo_x86 *c) - { -+ init_amd_zen_common(); - } - - static void init_amd_zen4(struct cpuinfo_x86 *c) - { -+ init_amd_zen_common(); - } - - static void init_amd(struct cpuinfo_x86 *c) -@@ -1206,9 +1210,6 @@ static void init_amd(struct cpuinfo_x86 - case 0x12: init_amd_ln(c); break; - case 0x15: init_amd_bd(c); break; - case 0x16: init_amd_jg(c); break; -- case 0x17: -- fallthrough; -- case 0x19: init_amd_zn(c); break; - } - - if (boot_cpu_has(X86_FEATURE_ZEN)) diff --git a/queue-6.1/exit-prevent-preemption-of-oopsing-task_dead-task.patch b/queue-6.1/exit-prevent-preemption-of-oopsing-task_dead-task.patch index 74607be1ba..6ad4ac8143 100644 --- a/queue-6.1/exit-prevent-preemption-of-oopsing-task_dead-task.patch +++ b/queue-6.1/exit-prevent-preemption-of-oopsing-task_dead-task.patch @@ -40,7 +40,7 @@ Signed-off-by: Greg Kroah-Hartman --- a/kernel/exit.c +++ b/kernel/exit.c -@@ -978,6 +978,7 @@ void __noreturn make_task_dead(int signr +@@ -979,6 +979,7 @@ void __noreturn make_task_dead(int signr futex_exit_recursive(tsk); tsk->exit_state = EXIT_DEAD; refcount_inc(&tsk->rcu_users); diff --git a/queue-6.1/ptrace-slightly-saner-get_dumpable-logic.patch b/queue-6.1/ptrace-slightly-saner-get_dumpable-logic.patch deleted file mode 100644 index 7a0efc1893..0000000000 --- a/queue-6.1/ptrace-slightly-saner-get_dumpable-logic.patch +++ /dev/null @@ -1,109 +0,0 @@ -From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001 -From: Linus Torvalds -Date: Wed, 13 May 2026 11:37:18 -0700 -Subject: ptrace: slightly saner 'get_dumpable()' logic - -From: Linus Torvalds - -commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream. - -The 'dumpability' of a task is fundamentally about the memory image of -the task - the concept comes from whether it can core dump or not - and -makes no sense when you don't have an associated mm. - -And almost all users do in fact use it only for the case where the task -has a mm pointer. - -But we have one odd special case: ptrace_may_access() uses 'dumpable' to -check various other things entirely independently of the MM (typically -explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for -threads that no longer have a VM (and maybe never did, like most kernel -threads). - -It's not what this flag was designed for, but it is what it is. - -The ptrace code does check that the uid/gid matches, so you do have to -be uid-0 to see kernel thread details, but this means that the -traditional "drop capabilities" model doesn't make any difference for -this all. - -Make it all make a *bit* more sense by saying that if you don't have a -MM pointer, we'll use a cached "last dumpability" flag if the thread -ever had a MM (it will be zero for kernel threads since it is never -set), and require a proper CAP_SYS_PTRACE capability to override. - -Reported-by: Qualys Security Advisory -Cc: Oleg Nesterov -Cc: Kees Cook -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/sched.h | 3 +++ - kernel/exit.c | 1 + - kernel/ptrace.c | 22 ++++++++++++++++------ - 3 files changed, 20 insertions(+), 6 deletions(-) - ---- a/include/linux/sched.h -+++ b/include/linux/sched.h -@@ -910,6 +910,9 @@ struct task_struct { - */ - unsigned sched_remote_wakeup:1; - -+ /* Save user-dumpable when mm goes away */ -+ unsigned user_dumpable:1; -+ - /* Bit to tell LSMs we're in execve(): */ - unsigned in_execve:1; - unsigned in_iowait:1; ---- a/kernel/exit.c -+++ b/kernel/exit.c -@@ -555,6 +555,7 @@ static void exit_mm(void) - */ - smp_mb__after_spinlock(); - local_irq_disable(); -+ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER); - current->mm = NULL; - membarrier_update_current_mm(NULL); - enter_lazy_tlb(mm, current); ---- a/kernel/ptrace.c -+++ b/kernel/ptrace.c -@@ -282,11 +282,24 @@ static bool ptrace_has_cap(struct user_n - return ns_capable(ns, CAP_SYS_PTRACE); - } - -+static bool task_still_dumpable(struct task_struct *task, unsigned int mode) -+{ -+ struct mm_struct *mm = task->mm; -+ if (mm) { -+ if (get_dumpable(mm) == SUID_DUMP_USER) -+ return true; -+ return ptrace_has_cap(mm->user_ns, mode); -+ } -+ -+ if (task->user_dumpable) -+ return true; -+ return ptrace_has_cap(&init_user_ns, mode); -+} -+ - /* Returns 0 on success, -errno on denial. */ - static int __ptrace_may_access(struct task_struct *task, unsigned int mode) - { - const struct cred *cred = current_cred(), *tcred; -- struct mm_struct *mm; - kuid_t caller_uid; - kgid_t caller_gid; - -@@ -347,11 +360,8 @@ ok: - * Pairs with a write barrier in commit_creds(). - */ - smp_rmb(); -- mm = task->mm; -- if (mm && -- ((get_dumpable(mm) != SUID_DUMP_USER) && -- !ptrace_has_cap(mm->user_ns, mode))) -- return -EPERM; -+ if (!task_still_dumpable(task, mode)) -+ return -EPERM; - - return security_ptrace_access_check(task, mode); - } diff --git a/queue-6.1/randomize_kstack-maintain-kstack_offset-per-task.patch b/queue-6.1/randomize_kstack-maintain-kstack_offset-per-task.patch index 02480b1221..d9a7be5d69 100644 --- a/queue-6.1/randomize_kstack-maintain-kstack_offset-per-task.patch +++ b/queue-6.1/randomize_kstack-maintain-kstack_offset-per-task.patch @@ -114,7 +114,7 @@ Signed-off-by: Greg Kroah-Hartman #endif --- a/include/linux/sched.h +++ b/include/linux/sched.h -@@ -1488,6 +1488,10 @@ struct task_struct { +@@ -1491,6 +1491,10 @@ struct task_struct { unsigned long prev_lowest_stack; #endif diff --git a/queue-6.1/series b/queue-6.1/series index afafa1d54c..2add9ae7c6 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -286,10 +286,6 @@ acpi-cppc-fix-related_cpus-inconsistency-during-cpu-hotplug.patch acpi-video-force-native-backlight-on-hp-omen-16-8a44.patch asoc-sof-don-t-allow-pointer-operations-on-unconfigured-streams.patch spi-rockchip-fix-controller-deregistration.patch -x86-cpu-amd-add-zenx-generations-flags.patch -x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch -x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch -x86-cpu-amd-add-x86_feature_zen1.patch drm-amd-display-do-not-skip-unrelated-mode-changes-i.patch spi-meson-spicc-fix-double-put-in-remove-path.patch ext4-validate-p_idx-bounds-in-ext4_ext_correct_index.patch @@ -385,9 +381,7 @@ loongarch-fix-potential-ade-in-loongson_gpu_fixup_dma_hang.patch loongarch-use-per-root-bridge-pcih-flag-to-skip-mem-resource-fixup.patch f2fs-compress-change-the-first-parameter-of-page_arr.patch f2fs-compress-fix-uaf-of-f2fs_inode_info-in-f2fs_fre.patch -x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch exit-sleep-at-task_idle-when-waiting-for-application-core-dump.patch -ptrace-slightly-saner-get_dumpable-logic.patch media-uvcvideo-enable-vb2_dmabuf-for-metadata-stream.patch media-i2c-ov8856-free-control-handler-on-error-in-ov8856_init_controls.patch staging-media-atomisp-disallow-all-private-ioctls.patch diff --git a/queue-6.1/x86-cpu-amd-add-x86_feature_zen1.patch b/queue-6.1/x86-cpu-amd-add-x86_feature_zen1.patch deleted file mode 100644 index 427bc40e72..0000000000 --- a/queue-6.1/x86-cpu-amd-add-x86_feature_zen1.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 91b64ab5046a17ed993e2d4260c172538ec79ffc Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Sat, 2 Dec 2023 12:50:23 +0100 -Subject: x86/CPU/AMD: Add X86_FEATURE_ZEN1 - -From: "Borislav Petkov (AMD)" - -Commit 232afb557835d6f6859c73bf610bad308c96b131 upstream. - -Add a synthetic feature flag specifically for first generation Zen -machines. There's need to have a generic flag for all Zen generations so -make X86_FEATURE_ZEN be that flag. - -Fixes: 30fa92832f40 ("x86/CPU/AMD: Add ZenX generations flags") -Suggested-by: Brian Gerst -Suggested-by: Tom Lendacky -Signed-off-by: Borislav Petkov (AMD) -Link: https://lore.kernel.org/r/dc3835e3-0731-4230-bbb9-336bbe3d042b@amd.com -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/cpufeatures.h | 3 ++- - arch/x86/kernel/cpu/amd.c | 9 +++++---- - tools/arch/x86/include/asm/cpufeatures.h | 2 +- - 3 files changed, 8 insertions(+), 6 deletions(-) - ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -219,7 +219,7 @@ - #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ - #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */ - #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ --#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */ -+#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */ - #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ - #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */ - #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */ -@@ -316,6 +316,7 @@ - #define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */ - #define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */ - #define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */ -+#define X86_FEATURE_ZEN1 (11*32+31) /* "" CPU based on Zen1 microarchitecture */ - - /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ - #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */ ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -685,7 +685,7 @@ static void bsp_init_amd(struct cpuinfo_ - switch (c->x86_model) { - case 0x00 ... 0x2f: - case 0x50 ... 0x5f: -- setup_force_cpu_cap(X86_FEATURE_ZEN); -+ setup_force_cpu_cap(X86_FEATURE_ZEN1); - break; - case 0x30 ... 0x4f: - case 0x60 ... 0x7f: -@@ -1071,12 +1071,13 @@ void init_spectral_chicken(struct cpuinf - - static void init_amd_zen_common(void) - { -+ setup_force_cpu_cap(X86_FEATURE_ZEN); - #ifdef CONFIG_NUMA - node_reclaim_distance = 32; - #endif - } - --static void init_amd_zen(struct cpuinfo_x86 *c) -+static void init_amd_zen1(struct cpuinfo_x86 *c) - { - init_amd_zen_common(); - -@@ -1188,8 +1189,8 @@ static void init_amd(struct cpuinfo_x86 - case 0x16: init_amd_jg(c); break; - } - -- if (boot_cpu_has(X86_FEATURE_ZEN)) -- init_amd_zen(c); -+ if (boot_cpu_has(X86_FEATURE_ZEN1)) -+ init_amd_zen1(c); - else if (boot_cpu_has(X86_FEATURE_ZEN2)) - init_amd_zen2(c); - else if (boot_cpu_has(X86_FEATURE_ZEN3)) ---- a/tools/arch/x86/include/asm/cpufeatures.h -+++ b/tools/arch/x86/include/asm/cpufeatures.h -@@ -219,7 +219,7 @@ - #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ - #define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */ - #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ --#define X86_FEATURE_ZEN (7*32+28) /* "" CPU based on Zen microarchitecture */ -+#define X86_FEATURE_ZEN ( 7*32+28) /* "" Generic flag for all Zen and newer */ - #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ - #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */ - #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */ diff --git a/queue-6.1/x86-cpu-amd-add-zenx-generations-flags.patch b/queue-6.1/x86-cpu-amd-add-zenx-generations-flags.patch deleted file mode 100644 index 5b562010ce..0000000000 --- a/queue-6.1/x86-cpu-amd-add-zenx-generations-flags.patch +++ /dev/null @@ -1,144 +0,0 @@ -From fbdee830099d470daddc747d751672b73d8c3b96 Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Tue, 31 Oct 2023 23:30:59 +0100 -Subject: x86/CPU/AMD: Add ZenX generations flags - -From: "Borislav Petkov (AMD)" - -Commit 30fa92832f405d5ac9f263e99f62445fa3084008 upstream. - -Add X86_FEATURE flags for each Zen generation. They should be used from -now on instead of checking f/m/s. - -Signed-off-by: Borislav Petkov (AMD) -Reviewed-by: Nikolay Borisov -Acked-by: Thomas Gleixner -Link: http://lore.kernel.org/r/20231120104152.13740-2-bp@alien8.de -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/cpufeatures.h | 5 ++ - arch/x86/kernel/cpu/amd.c | 70 +++++++++++++++++++++++++++++++++++-- - 2 files changed, 72 insertions(+), 3 deletions(-) - ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -219,7 +219,7 @@ - #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ - #define X86_FEATURE_IBPB ( 7*32+26) /* "ibpb" Indirect Branch Prediction Barrier without a guaranteed RSB flush */ - #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ --#define X86_FEATURE_ZEN (7*32+28) /* "" CPU based on Zen microarchitecture */ -+#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU based on Zen microarchitecture */ - #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ - #define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */ - #define X86_FEATURE_MSR_IA32_FEAT_CTL ( 7*32+31) /* "" MSR IA32_FEAT_CTL configured */ -@@ -313,6 +313,9 @@ - #define X86_FEATURE_SRSO_ALIAS (11*32+25) /* "" AMD BTB untrain RETs through aliasing */ - #define X86_FEATURE_IBPB_ON_VMEXIT (11*32+26) /* "" Issue an IBPB only on VMEXIT */ - #define X86_FEATURE_APIC_MSRS_FENCE (11*32+27) /* "" IA32_TSC_DEADLINE and X2APIC MSRs need fencing */ -+#define X86_FEATURE_ZEN2 (11*32+28) /* "" CPU based on Zen2 microarchitecture */ -+#define X86_FEATURE_ZEN3 (11*32+29) /* "" CPU based on Zen3 microarchitecture */ -+#define X86_FEATURE_ZEN4 (11*32+30) /* "" CPU based on Zen4 microarchitecture */ - - /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ - #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */ ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -679,7 +679,50 @@ static void bsp_init_amd(struct cpuinfo_ - - resctrl_cpu_detect(c); - -+ /* Figure out Zen generations: */ -+ switch (c->x86) { -+ case 0x17: { -+ switch (c->x86_model) { -+ case 0x00 ... 0x2f: -+ case 0x50 ... 0x5f: -+ setup_force_cpu_cap(X86_FEATURE_ZEN); -+ break; -+ case 0x30 ... 0x4f: -+ case 0x60 ... 0x7f: -+ case 0x90 ... 0x91: -+ case 0xa0 ... 0xaf: -+ setup_force_cpu_cap(X86_FEATURE_ZEN2); -+ break; -+ default: -+ goto warn; -+ } -+ break; -+ } -+ case 0x19: { -+ switch (c->x86_model) { -+ case 0x00 ... 0x0f: -+ case 0x20 ... 0x5f: -+ setup_force_cpu_cap(X86_FEATURE_ZEN3); -+ break; -+ case 0x10 ... 0x1f: -+ case 0x60 ... 0xaf: -+ setup_force_cpu_cap(X86_FEATURE_ZEN4); -+ break; -+ default: -+ goto warn; -+ } -+ break; -+ } -+ default: -+ break; -+ } -+ - tsa_init(c); -+ -+ return; -+ -+warn: -+ WARN_ONCE(1, "Family 0x%x, model: 0x%x??\n", c->x86, c->x86_model); - } - - static void early_detect_mem_encrypt(struct cpuinfo_x86 *c) -@@ -1030,8 +1073,6 @@ void init_spectral_chicken(struct cpuinf - - static void init_amd_zn(struct cpuinfo_x86 *c) - { -- set_cpu_cap(c, X86_FEATURE_ZEN); -- - #ifdef CONFIG_NUMA - node_reclaim_distance = 32; - #endif -@@ -1097,6 +1138,22 @@ static void zenbleed_check(struct cpuinf - } - } - -+static void init_amd_zen(struct cpuinfo_x86 *c) -+{ -+} -+ -+static void init_amd_zen2(struct cpuinfo_x86 *c) -+{ -+} -+ -+static void init_amd_zen3(struct cpuinfo_x86 *c) -+{ -+} -+ -+static void init_amd_zen4(struct cpuinfo_x86 *c) -+{ -+} -+ - static void init_amd(struct cpuinfo_x86 *c) - { - early_init_amd(c); -@@ -1131,6 +1188,15 @@ static void init_amd(struct cpuinfo_x86 - case 0x19: init_amd_zn(c); break; - } - -+ if (boot_cpu_has(X86_FEATURE_ZEN)) -+ init_amd_zen(c); -+ else if (boot_cpu_has(X86_FEATURE_ZEN2)) -+ init_amd_zen2(c); -+ else if (boot_cpu_has(X86_FEATURE_ZEN3)) -+ init_amd_zen3(c); -+ else if (boot_cpu_has(X86_FEATURE_ZEN4)) -+ init_amd_zen4(c); -+ - /* - * Enable workaround for FXSAVE leak on CPUs - * without a XSaveErPtr feature diff --git a/queue-6.1/x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch b/queue-6.1/x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch deleted file mode 100644 index 6ef1558571..0000000000 --- a/queue-6.1/x86-cpu-amd-call-the-spectral-chicken-in-the-zen2-init-function.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 242bba6bdd3de751556194de4951cf4d95dd8945 Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Wed, 1 Nov 2023 11:20:01 +0100 -Subject: x86/CPU/AMD: Call the spectral chicken in the Zen2 init function - -From: "Borislav Petkov (AMD)" - -Commit cfbf4f992bfce1fa9f2f347a79cbbea0368e7971 upstream. - -No functional change. - -Signed-off-by: Borislav Petkov (AMD) -Reviewed-by: Nikolay Borisov -Link: http://lore.kernel.org/r/20231120104152.13740-6-bp@alien8.de -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/cpu/amd.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -1050,10 +1050,8 @@ void init_spectral_chicken(struct cpuinf - * - * This suppresses speculation from the middle of a basic block, i.e. it - * suppresses non-branch predictions. -- * -- * We use STIBP as a heuristic to filter out Zen2 from the rest of F17H - */ -- if (!cpu_has(c, X86_FEATURE_HYPERVISOR) && cpu_has(c, X86_FEATURE_AMD_STIBP)) { -+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) { - if (!rdmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, &value)) { - value |= MSR_ZEN2_SPECTRAL_CHICKEN_BIT; - wrmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, value); -@@ -1144,6 +1142,7 @@ static void init_amd_zen(struct cpuinfo_ - - static void init_amd_zen2(struct cpuinfo_x86 *c) - { -+ init_spectral_chicken(c); - } - - static void init_amd_zen3(struct cpuinfo_x86 *c) -@@ -1183,7 +1182,7 @@ static void init_amd(struct cpuinfo_x86 - case 0x12: init_amd_ln(c); break; - case 0x15: init_amd_bd(c); break; - case 0x16: init_amd_jg(c); break; -- case 0x17: init_spectral_chicken(c); -+ case 0x17: - fallthrough; - case 0x19: init_amd_zn(c); break; - } diff --git a/queue-6.1/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch b/queue-6.1/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch deleted file mode 100644 index 385b88f809..0000000000 --- a/queue-6.1/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 1ea83dfe1569d2c5699e668d70a5fcbb174aa744 Mon Sep 17 00:00:00 2001 -From: Prathyushi Nangia -Date: Tue, 9 Dec 2025 10:01:33 -0600 -Subject: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache - -From: Prathyushi Nangia - -commit c21b90f77687075115d989e53a8ec5e2bb427ab1 upstream. - -Make sure resources are not improperly shared in the op cache and -cause instruction corruption this way. - -Signed-off-by: Prathyushi Nangia -Co-developed-by: Borislav Petkov (AMD) -Signed-off-by: Borislav Petkov (AMD) -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/msr-index.h | 1 + - arch/x86/kernel/cpu/amd.c | 3 +++ - tools/arch/x86/include/asm/msr-index.h | 3 +++ - 3 files changed, 7 insertions(+) - ---- a/arch/x86/include/asm/msr-index.h -+++ b/arch/x86/include/asm/msr-index.h -@@ -672,6 +672,7 @@ - /* Zen4 */ - #define MSR_ZEN4_BP_CFG 0xc001102e - #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5 -+#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33 - - /* Zen 2 */ - #define MSR_ZEN2_SPECTRAL_CHICKEN 0xc00110e3 ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -1146,6 +1146,9 @@ static void init_amd_zen2(struct cpuinfo - { - init_amd_zen_common(); - init_spectral_chicken(c); -+ -+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) -+ msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN2_BP_CFG_BUG_FIX_BIT); - } - - static void init_amd_zen3(struct cpuinfo_x86 *c) ---- a/tools/arch/x86/include/asm/msr-index.h -+++ b/tools/arch/x86/include/asm/msr-index.h -@@ -598,6 +598,9 @@ - /* AMD Last Branch Record MSRs */ - #define MSR_AMD64_LBR_SELECT 0xc000010e - -+#define MSR_ZEN4_BP_CFG 0xc001102e -+#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33 -+ - /* Fam 17h MSRs */ - #define MSR_F17H_IRPERF 0xc00000e9 - diff --git a/queue-6.1/x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch b/queue-6.1/x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch deleted file mode 100644 index 16244d5674..0000000000 --- a/queue-6.1/x86-cpu-amd-rename-init_amd_zn-to-init_amd_zen_common.patch +++ /dev/null @@ -1,74 +0,0 @@ -From da1bf81de5808bee1bf70bd234f2bfa58d5e1671 Mon Sep 17 00:00:00 2001 -From: "Borislav Petkov (AMD)" -Date: Wed, 1 Nov 2023 12:34:29 +0100 -Subject: x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common() - -From: "Borislav Petkov (AMD)" - -Commit 7c81ad8e8bc28a1847e87c5afe1bae6bffb2f73e upstream. - -Call it from all Zen init functions. - -Signed-off-by: Borislav Petkov (AMD) -Reviewed-by: Nikolay Borisov -Link: http://lore.kernel.org/r/20231120104152.13740-7-bp@alien8.de -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/cpu/amd.c | 17 +++++++++-------- - 1 file changed, 9 insertions(+), 8 deletions(-) - ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -1069,11 +1069,16 @@ void init_spectral_chicken(struct cpuinf - clear_cpu_cap(c, X86_FEATURE_XSAVES); - } - --static void init_amd_zn(struct cpuinfo_x86 *c) -+static void init_amd_zen_common(void) - { - #ifdef CONFIG_NUMA - node_reclaim_distance = 32; - #endif -+} -+ -+static void init_amd_zen(struct cpuinfo_x86 *c) -+{ -+ init_amd_zen_common(); - - /* Fix up CPUID bits, but only if not virtualised. */ - if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) { -@@ -1136,21 +1141,20 @@ static void zenbleed_check(struct cpuinf - } - } - --static void init_amd_zen(struct cpuinfo_x86 *c) --{ --} -- - static void init_amd_zen2(struct cpuinfo_x86 *c) - { -+ init_amd_zen_common(); - init_spectral_chicken(c); - } - - static void init_amd_zen3(struct cpuinfo_x86 *c) - { -+ init_amd_zen_common(); - } - - static void init_amd_zen4(struct cpuinfo_x86 *c) - { -+ init_amd_zen_common(); - } - - static void init_amd(struct cpuinfo_x86 *c) -@@ -1182,9 +1186,6 @@ static void init_amd(struct cpuinfo_x86 - case 0x12: init_amd_ln(c); break; - case 0x15: init_amd_bd(c); break; - case 0x16: init_amd_jg(c); break; -- case 0x17: -- fallthrough; -- case 0x19: init_amd_zn(c); break; - } - - if (boot_cpu_has(X86_FEATURE_ZEN)) diff --git a/queue-6.12/ptrace-slightly-saner-get_dumpable-logic.patch b/queue-6.12/ptrace-slightly-saner-get_dumpable-logic.patch deleted file mode 100644 index c558dacb51..0000000000 --- a/queue-6.12/ptrace-slightly-saner-get_dumpable-logic.patch +++ /dev/null @@ -1,109 +0,0 @@ -From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001 -From: Linus Torvalds -Date: Wed, 13 May 2026 11:37:18 -0700 -Subject: ptrace: slightly saner 'get_dumpable()' logic - -From: Linus Torvalds - -commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream. - -The 'dumpability' of a task is fundamentally about the memory image of -the task - the concept comes from whether it can core dump or not - and -makes no sense when you don't have an associated mm. - -And almost all users do in fact use it only for the case where the task -has a mm pointer. - -But we have one odd special case: ptrace_may_access() uses 'dumpable' to -check various other things entirely independently of the MM (typically -explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for -threads that no longer have a VM (and maybe never did, like most kernel -threads). - -It's not what this flag was designed for, but it is what it is. - -The ptrace code does check that the uid/gid matches, so you do have to -be uid-0 to see kernel thread details, but this means that the -traditional "drop capabilities" model doesn't make any difference for -this all. - -Make it all make a *bit* more sense by saying that if you don't have a -MM pointer, we'll use a cached "last dumpability" flag if the thread -ever had a MM (it will be zero for kernel threads since it is never -set), and require a proper CAP_SYS_PTRACE capability to override. - -Reported-by: Qualys Security Advisory -Cc: Oleg Nesterov -Cc: Kees Cook -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/sched.h | 3 +++ - kernel/exit.c | 1 + - kernel/ptrace.c | 22 ++++++++++++++++------ - 3 files changed, 20 insertions(+), 6 deletions(-) - ---- a/include/linux/sched.h -+++ b/include/linux/sched.h -@@ -969,6 +969,9 @@ struct task_struct { - unsigned sched_rt_mutex:1; - #endif - -+ /* Save user-dumpable when mm goes away */ -+ unsigned user_dumpable:1; -+ - /* Bit to tell TOMOYO we're in execve(): */ - unsigned in_execve:1; - unsigned in_iowait:1; ---- a/kernel/exit.c -+++ b/kernel/exit.c -@@ -561,6 +561,7 @@ static void exit_mm(void) - */ - smp_mb__after_spinlock(); - local_irq_disable(); -+ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER); - current->mm = NULL; - membarrier_update_current_mm(NULL); - enter_lazy_tlb(mm, current); ---- a/kernel/ptrace.c -+++ b/kernel/ptrace.c -@@ -272,11 +272,24 @@ static bool ptrace_has_cap(struct user_n - return ns_capable(ns, CAP_SYS_PTRACE); - } - -+static bool task_still_dumpable(struct task_struct *task, unsigned int mode) -+{ -+ struct mm_struct *mm = task->mm; -+ if (mm) { -+ if (get_dumpable(mm) == SUID_DUMP_USER) -+ return true; -+ return ptrace_has_cap(mm->user_ns, mode); -+ } -+ -+ if (task->user_dumpable) -+ return true; -+ return ptrace_has_cap(&init_user_ns, mode); -+} -+ - /* Returns 0 on success, -errno on denial. */ - static int __ptrace_may_access(struct task_struct *task, unsigned int mode) - { - const struct cred *cred = current_cred(), *tcred; -- struct mm_struct *mm; - kuid_t caller_uid; - kgid_t caller_gid; - -@@ -337,11 +350,8 @@ ok: - * Pairs with a write barrier in commit_creds(). - */ - smp_rmb(); -- mm = task->mm; -- if (mm && -- ((get_dumpable(mm) != SUID_DUMP_USER) && -- !ptrace_has_cap(mm->user_ns, mode))) -- return -EPERM; -+ if (!task_still_dumpable(task, mode)) -+ return -EPERM; - - return security_ptrace_access_check(task, mode); - } diff --git a/queue-6.12/series b/queue-6.12/series index 1abdb3dd44..f3909c1773 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -1,4 +1,3 @@ -ptrace-slightly-saner-get_dumpable-logic.patch hid-playstation-clamp-num_touch_reports.patch media-uvcvideo-enable-vb2_dmabuf-for-metadata-stream.patch media-nxp-imx8-isi-reduce-minimum-queued-buffers-from-2-to-0.patch diff --git a/queue-6.18/ptrace-slightly-saner-get_dumpable-logic.patch b/queue-6.18/ptrace-slightly-saner-get_dumpable-logic.patch deleted file mode 100644 index 7a7dc111db..0000000000 --- a/queue-6.18/ptrace-slightly-saner-get_dumpable-logic.patch +++ /dev/null @@ -1,109 +0,0 @@ -From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001 -From: Linus Torvalds -Date: Wed, 13 May 2026 11:37:18 -0700 -Subject: ptrace: slightly saner 'get_dumpable()' logic - -From: Linus Torvalds - -commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream. - -The 'dumpability' of a task is fundamentally about the memory image of -the task - the concept comes from whether it can core dump or not - and -makes no sense when you don't have an associated mm. - -And almost all users do in fact use it only for the case where the task -has a mm pointer. - -But we have one odd special case: ptrace_may_access() uses 'dumpable' to -check various other things entirely independently of the MM (typically -explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for -threads that no longer have a VM (and maybe never did, like most kernel -threads). - -It's not what this flag was designed for, but it is what it is. - -The ptrace code does check that the uid/gid matches, so you do have to -be uid-0 to see kernel thread details, but this means that the -traditional "drop capabilities" model doesn't make any difference for -this all. - -Make it all make a *bit* more sense by saying that if you don't have a -MM pointer, we'll use a cached "last dumpability" flag if the thread -ever had a MM (it will be zero for kernel threads since it is never -set), and require a proper CAP_SYS_PTRACE capability to override. - -Reported-by: Qualys Security Advisory -Cc: Oleg Nesterov -Cc: Kees Cook -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/sched.h | 3 +++ - kernel/exit.c | 1 + - kernel/ptrace.c | 22 ++++++++++++++++------ - 3 files changed, 20 insertions(+), 6 deletions(-) - ---- a/include/linux/sched.h -+++ b/include/linux/sched.h -@@ -1003,6 +1003,9 @@ struct task_struct { - unsigned sched_rt_mutex:1; - #endif - -+ /* Save user-dumpable when mm goes away */ -+ unsigned user_dumpable:1; -+ - /* Bit to tell TOMOYO we're in execve(): */ - unsigned in_execve:1; - unsigned in_iowait:1; ---- a/kernel/exit.c -+++ b/kernel/exit.c -@@ -572,6 +572,7 @@ static void exit_mm(void) - */ - smp_mb__after_spinlock(); - local_irq_disable(); -+ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER); - current->mm = NULL; - membarrier_update_current_mm(NULL); - enter_lazy_tlb(mm, current); ---- a/kernel/ptrace.c -+++ b/kernel/ptrace.c -@@ -272,11 +272,24 @@ static bool ptrace_has_cap(struct user_n - return ns_capable(ns, CAP_SYS_PTRACE); - } - -+static bool task_still_dumpable(struct task_struct *task, unsigned int mode) -+{ -+ struct mm_struct *mm = task->mm; -+ if (mm) { -+ if (get_dumpable(mm) == SUID_DUMP_USER) -+ return true; -+ return ptrace_has_cap(mm->user_ns, mode); -+ } -+ -+ if (task->user_dumpable) -+ return true; -+ return ptrace_has_cap(&init_user_ns, mode); -+} -+ - /* Returns 0 on success, -errno on denial. */ - static int __ptrace_may_access(struct task_struct *task, unsigned int mode) - { - const struct cred *cred = current_cred(), *tcred; -- struct mm_struct *mm; - kuid_t caller_uid; - kgid_t caller_gid; - -@@ -337,11 +350,8 @@ ok: - * Pairs with a write barrier in commit_creds(). - */ - smp_rmb(); -- mm = task->mm; -- if (mm && -- ((get_dumpable(mm) != SUID_DUMP_USER) && -- !ptrace_has_cap(mm->user_ns, mode))) -- return -EPERM; -+ if (!task_still_dumpable(task, mode)) -+ return -EPERM; - - return security_ptrace_access_check(task, mode); - } diff --git a/queue-6.18/series b/queue-6.18/series index 1082766207..28c32c2d03 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -1,4 +1,3 @@ -ptrace-slightly-saner-get_dumpable-logic.patch hid-playstation-clamp-num_touch_reports.patch hid-appletb-kbd-fix-uaf-in-inactivity-timer-cleanup-path.patch hid-appletb-kbd-run-inactivity-autodim-from-workqueues.patch diff --git a/queue-6.6/exit-prevent-preemption-of-oopsing-task_dead-task.patch b/queue-6.6/exit-prevent-preemption-of-oopsing-task_dead-task.patch index 64296fc55a..b16b880e6c 100644 --- a/queue-6.6/exit-prevent-preemption-of-oopsing-task_dead-task.patch +++ b/queue-6.6/exit-prevent-preemption-of-oopsing-task_dead-task.patch @@ -40,7 +40,7 @@ Signed-off-by: Greg Kroah-Hartman --- a/kernel/exit.c +++ b/kernel/exit.c -@@ -980,6 +980,7 @@ void __noreturn make_task_dead(int signr +@@ -981,6 +981,7 @@ void __noreturn make_task_dead(int signr futex_exit_recursive(tsk); tsk->exit_state = EXIT_DEAD; refcount_inc(&tsk->rcu_users); diff --git a/queue-6.6/ptrace-slightly-saner-get_dumpable-logic.patch b/queue-6.6/ptrace-slightly-saner-get_dumpable-logic.patch deleted file mode 100644 index c805c00c11..0000000000 --- a/queue-6.6/ptrace-slightly-saner-get_dumpable-logic.patch +++ /dev/null @@ -1,109 +0,0 @@ -From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001 -From: Linus Torvalds -Date: Wed, 13 May 2026 11:37:18 -0700 -Subject: ptrace: slightly saner 'get_dumpable()' logic - -From: Linus Torvalds - -commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream. - -The 'dumpability' of a task is fundamentally about the memory image of -the task - the concept comes from whether it can core dump or not - and -makes no sense when you don't have an associated mm. - -And almost all users do in fact use it only for the case where the task -has a mm pointer. - -But we have one odd special case: ptrace_may_access() uses 'dumpable' to -check various other things entirely independently of the MM (typically -explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for -threads that no longer have a VM (and maybe never did, like most kernel -threads). - -It's not what this flag was designed for, but it is what it is. - -The ptrace code does check that the uid/gid matches, so you do have to -be uid-0 to see kernel thread details, but this means that the -traditional "drop capabilities" model doesn't make any difference for -this all. - -Make it all make a *bit* more sense by saying that if you don't have a -MM pointer, we'll use a cached "last dumpability" flag if the thread -ever had a MM (it will be zero for kernel threads since it is never -set), and require a proper CAP_SYS_PTRACE capability to override. - -Reported-by: Qualys Security Advisory -Cc: Oleg Nesterov -Cc: Kees Cook -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/sched.h | 3 +++ - kernel/exit.c | 1 + - kernel/ptrace.c | 22 ++++++++++++++++------ - 3 files changed, 20 insertions(+), 6 deletions(-) - ---- a/include/linux/sched.h -+++ b/include/linux/sched.h -@@ -916,6 +916,9 @@ struct task_struct { - */ - unsigned sched_remote_wakeup:1; - -+ /* Save user-dumpable when mm goes away */ -+ unsigned user_dumpable:1; -+ - /* Bit to tell LSMs we're in execve(): */ - unsigned in_execve:1; - unsigned in_iowait:1; ---- a/kernel/exit.c -+++ b/kernel/exit.c -@@ -559,6 +559,7 @@ static void exit_mm(void) - */ - smp_mb__after_spinlock(); - local_irq_disable(); -+ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER); - current->mm = NULL; - membarrier_update_current_mm(NULL); - enter_lazy_tlb(mm, current); ---- a/kernel/ptrace.c -+++ b/kernel/ptrace.c -@@ -283,11 +283,24 @@ static bool ptrace_has_cap(struct user_n - return ns_capable(ns, CAP_SYS_PTRACE); - } - -+static bool task_still_dumpable(struct task_struct *task, unsigned int mode) -+{ -+ struct mm_struct *mm = task->mm; -+ if (mm) { -+ if (get_dumpable(mm) == SUID_DUMP_USER) -+ return true; -+ return ptrace_has_cap(mm->user_ns, mode); -+ } -+ -+ if (task->user_dumpable) -+ return true; -+ return ptrace_has_cap(&init_user_ns, mode); -+} -+ - /* Returns 0 on success, -errno on denial. */ - static int __ptrace_may_access(struct task_struct *task, unsigned int mode) - { - const struct cred *cred = current_cred(), *tcred; -- struct mm_struct *mm; - kuid_t caller_uid; - kgid_t caller_gid; - -@@ -348,11 +361,8 @@ ok: - * Pairs with a write barrier in commit_creds(). - */ - smp_rmb(); -- mm = task->mm; -- if (mm && -- ((get_dumpable(mm) != SUID_DUMP_USER) && -- !ptrace_has_cap(mm->user_ns, mode))) -- return -EPERM; -+ if (!task_still_dumpable(task, mode)) -+ return -EPERM; - - return security_ptrace_access_check(task, mode); - } diff --git a/queue-6.6/randomize_kstack-maintain-kstack_offset-per-task.patch b/queue-6.6/randomize_kstack-maintain-kstack_offset-per-task.patch index 0eb0c99ad4..b7e52f3218 100644 --- a/queue-6.6/randomize_kstack-maintain-kstack_offset-per-task.patch +++ b/queue-6.6/randomize_kstack-maintain-kstack_offset-per-task.patch @@ -114,7 +114,7 @@ Signed-off-by: Greg Kroah-Hartman #endif --- a/include/linux/sched.h +++ b/include/linux/sched.h -@@ -1498,6 +1498,10 @@ struct task_struct { +@@ -1501,6 +1501,10 @@ struct task_struct { unsigned long prev_lowest_stack; #endif diff --git a/queue-6.6/series b/queue-6.6/series index 35b02d7123..5652688ed0 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -293,9 +293,7 @@ kvm-arm64-vgic-fix-iidr-revision-field-extracted-from-wrong-value.patch kvm-arm64-fix-initialisation-order-in-__pkvm_init_finalise.patch loongarch-fix-potential-ade-in-loongson_gpu_fixup_dma_hang.patch loongarch-use-per-root-bridge-pcih-flag-to-skip-mem-resource-fixup.patch -x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch exit-sleep-at-task_idle-when-waiting-for-application-core-dump.patch -ptrace-slightly-saner-get_dumpable-logic.patch hid-playstation-clamp-num_touch_reports.patch media-uvcvideo-enable-vb2_dmabuf-for-metadata-stream.patch media-i2c-ov8856-free-control-handler-on-error-in-ov8856_init_controls.patch diff --git a/queue-6.6/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch b/queue-6.6/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch deleted file mode 100644 index 2fedbb37e6..0000000000 --- a/queue-6.6/x86-cpu-amd-prevent-improper-isolation-of-shared-resources-in-zen2-s-op-cache.patch +++ /dev/null @@ -1,57 +0,0 @@ -From f160936aec2e9f80000d7ea606501b1f68d05e15 Mon Sep 17 00:00:00 2001 -From: Prathyushi Nangia -Date: Tue, 9 Dec 2025 10:01:33 -0600 -Subject: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache - -From: Prathyushi Nangia - -commit c21b90f77687075115d989e53a8ec5e2bb427ab1 upstream. - -Make sure resources are not improperly shared in the op cache and -cause instruction corruption this way. - -Signed-off-by: Prathyushi Nangia -Co-developed-by: Borislav Petkov (AMD) -Signed-off-by: Borislav Petkov (AMD) -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/msr-index.h | 1 + - arch/x86/kernel/cpu/amd.c | 3 +++ - tools/arch/x86/include/asm/msr-index.h | 3 +++ - 3 files changed, 7 insertions(+) - ---- a/arch/x86/include/asm/msr-index.h -+++ b/arch/x86/include/asm/msr-index.h -@@ -675,6 +675,7 @@ - /* Zen4 */ - #define MSR_ZEN4_BP_CFG 0xc001102e - #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5 -+#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33 - - /* Zen 2 */ - #define MSR_ZEN2_SPECTRAL_CHICKEN 0xc00110e3 ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -1166,6 +1166,9 @@ static void init_amd_zen2(struct cpuinfo - msr_clear_bit(MSR_AMD64_CPUID_FN_7, 18); - pr_emerg("RDSEED is not reliable on this platform; disabling.\n"); - } -+ -+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) -+ msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN2_BP_CFG_BUG_FIX_BIT); - } - - static void init_amd_zen3(struct cpuinfo_x86 *c) ---- a/tools/arch/x86/include/asm/msr-index.h -+++ b/tools/arch/x86/include/asm/msr-index.h -@@ -638,6 +638,9 @@ - /* AMD Last Branch Record MSRs */ - #define MSR_AMD64_LBR_SELECT 0xc000010e - -+#define MSR_ZEN4_BP_CFG 0xc001102e -+#define MSR_ZEN2_BP_CFG_BUG_FIX_BIT 33 -+ - /* Fam 17h MSRs */ - #define MSR_F17H_IRPERF 0xc00000e9 - diff --git a/queue-7.0/ptrace-slightly-saner-get_dumpable-logic.patch b/queue-7.0/ptrace-slightly-saner-get_dumpable-logic.patch deleted file mode 100644 index ba24fe717d..0000000000 --- a/queue-7.0/ptrace-slightly-saner-get_dumpable-logic.patch +++ /dev/null @@ -1,109 +0,0 @@ -From 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a Mon Sep 17 00:00:00 2001 -From: Linus Torvalds -Date: Wed, 13 May 2026 11:37:18 -0700 -Subject: ptrace: slightly saner 'get_dumpable()' logic - -From: Linus Torvalds - -commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream. - -The 'dumpability' of a task is fundamentally about the memory image of -the task - the concept comes from whether it can core dump or not - and -makes no sense when you don't have an associated mm. - -And almost all users do in fact use it only for the case where the task -has a mm pointer. - -But we have one odd special case: ptrace_may_access() uses 'dumpable' to -check various other things entirely independently of the MM (typically -explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for -threads that no longer have a VM (and maybe never did, like most kernel -threads). - -It's not what this flag was designed for, but it is what it is. - -The ptrace code does check that the uid/gid matches, so you do have to -be uid-0 to see kernel thread details, but this means that the -traditional "drop capabilities" model doesn't make any difference for -this all. - -Make it all make a *bit* more sense by saying that if you don't have a -MM pointer, we'll use a cached "last dumpability" flag if the thread -ever had a MM (it will be zero for kernel threads since it is never -set), and require a proper CAP_SYS_PTRACE capability to override. - -Reported-by: Qualys Security Advisory -Cc: Oleg Nesterov -Cc: Kees Cook -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/sched.h | 3 +++ - kernel/exit.c | 1 + - kernel/ptrace.c | 22 ++++++++++++++++------ - 3 files changed, 20 insertions(+), 6 deletions(-) - ---- a/include/linux/sched.h -+++ b/include/linux/sched.h -@@ -998,6 +998,9 @@ struct task_struct { - unsigned sched_rt_mutex:1; - #endif - -+ /* Save user-dumpable when mm goes away */ -+ unsigned user_dumpable:1; -+ - /* Bit to tell TOMOYO we're in execve(): */ - unsigned in_execve:1; - unsigned in_iowait:1; ---- a/kernel/exit.c -+++ b/kernel/exit.c -@@ -571,6 +571,7 @@ static void exit_mm(void) - */ - smp_mb__after_spinlock(); - local_irq_disable(); -+ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER); - current->mm = NULL; - membarrier_update_current_mm(NULL); - enter_lazy_tlb(mm, current); ---- a/kernel/ptrace.c -+++ b/kernel/ptrace.c -@@ -272,11 +272,24 @@ static bool ptrace_has_cap(struct user_n - return ns_capable(ns, CAP_SYS_PTRACE); - } - -+static bool task_still_dumpable(struct task_struct *task, unsigned int mode) -+{ -+ struct mm_struct *mm = task->mm; -+ if (mm) { -+ if (get_dumpable(mm) == SUID_DUMP_USER) -+ return true; -+ return ptrace_has_cap(mm->user_ns, mode); -+ } -+ -+ if (task->user_dumpable) -+ return true; -+ return ptrace_has_cap(&init_user_ns, mode); -+} -+ - /* Returns 0 on success, -errno on denial. */ - static int __ptrace_may_access(struct task_struct *task, unsigned int mode) - { - const struct cred *cred = current_cred(), *tcred; -- struct mm_struct *mm; - kuid_t caller_uid; - kgid_t caller_gid; - -@@ -337,11 +350,8 @@ ok: - * Pairs with a write barrier in commit_creds(). - */ - smp_rmb(); -- mm = task->mm; -- if (mm && -- ((get_dumpable(mm) != SUID_DUMP_USER) && -- !ptrace_has_cap(mm->user_ns, mode))) -- return -EPERM; -+ if (!task_still_dumpable(task, mode)) -+ return -EPERM; - - return security_ptrace_access_check(task, mode); - } diff --git a/queue-7.0/series b/queue-7.0/series index 80e6b3e7e3..08f088b6b3 100644 --- a/queue-7.0/series +++ b/queue-7.0/series @@ -1,4 +1,3 @@ -ptrace-slightly-saner-get_dumpable-logic.patch hid-playstation-clamp-num_touch_reports.patch hid-appletb-kbd-fix-uaf-in-inactivity-timer-cleanup-path.patch hid-appletb-kbd-run-inactivity-autodim-from-workqueues.patch