Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.10.256 2026-05-15T12:48:08+00:00 2026-05-15T12:48:08+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2026-05-15T12:48:08+00:00 urn:sha1:6b2498787ec6803cf0d0a983321796babe5392d4 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-05-15T12:48:07+00:00 Prathyushi Nangia prathyushi.nangia@amd.com 2025-12-09T16:01:33+00:00 urn:sha1:1e23b30a80b14e5764657401ee2cca030525ae8e commit c21b90f77687075115d989e53a8ec5e2bb427ab1 upstream. Make sure resources are not improperly shared in the op cache and cause instruction corruption this way. Signed-off-by: Prathyushi Nangia <prathyushi.nangia@amd.com> Co-developed-by: Borislav Petkov (AMD) <bp@alien8.de> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-05-15T12:48:07+00:00 Borislav Petkov (AMD) bp@alien8.de 2023-12-02T11:50:23+00:00 urn:sha1:e1a52d9d02dc819912c81d7e3bcd526602776340 Commit 232afb557835d6f6859c73bf610bad308c96b131 upstream. Add a synthetic feature flag specifically for first generation Zen machines. There's need to have a generic flag for all Zen generations so make X86_FEATURE_ZEN be that flag. Fixes: 30fa92832f40 ("x86/CPU/AMD: Add ZenX generations flags") Suggested-by: Brian Gerst <brgerst@gmail.com> Suggested-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Link: https://lore.kernel.org/r/dc3835e3-0731-4230-bbb9-336bbe3d042b@amd.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-05-15T12:48:07+00:00 Borislav Petkov (AMD) bp@alien8.de 2023-11-01T11:34:29+00:00 urn:sha1:c9a96bc8c878f44437c7367b41c204f5f60c3777 Commit 7c81ad8e8bc28a1847e87c5afe1bae6bffb2f73e upstream. Call it from all Zen init functions. Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Reviewed-by: Nikolay Borisov <nik.borisov@suse.com> Link: http://lore.kernel.org/r/20231120104152.13740-7-bp@alien8.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-05-15T12:48:07+00:00 Borislav Petkov (AMD) bp@alien8.de 2023-11-01T10:20:01+00:00 urn:sha1:af2d0b615d82a4ef66d962e55fc7b45f61d5090f Commit cfbf4f992bfce1fa9f2f347a79cbbea0368e7971 upstream. No functional change. Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Reviewed-by: Nikolay Borisov <nik.borisov@suse.com> Link: http://lore.kernel.org/r/20231120104152.13740-6-bp@alien8.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-05-15T12:48:07+00:00 Borislav Petkov (AMD) bp@alien8.de 2023-10-31T22:30:59+00:00 urn:sha1:dcadd6bf9090faf593f31319b02e4bc61814dc5c Commit 30fa92832f405d5ac9f263e99f62445fa3084008 upstream. Add X86_FEATURE flags for each Zen generation. They should be used from now on instead of checking f/m/s. Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Reviewed-by: Nikolay Borisov <nik.borisov@suse.com> Acked-by: Thomas Gleixner <tglx@linutronix.de> Link: http://lore.kernel.org/r/20231120104152.13740-2-bp@alien8.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-05-15T12:48:07+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-05-13T18:37:18+00:00 urn:sha1:93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6 commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream. The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override. Reported-by: Qualys Security Advisory <qsa@qualys.com> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Kees Cook <kees@kernel.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-05-08T10:45:22+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2026-05-08T10:45:22+00:00 urn:sha1:8d9ad8de1c07b07bc75178cda26a7c47f2cc0812 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-05-08T10:45:22+00:00 Kuan-Ting Chen h3xrabbit@gmail.com 2026-05-04T15:27:12+00:00 urn:sha1:a6cb440f274a22456ef3e86b457344f1678f38f9 commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4 upstream. MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data(). Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") Fixes: 7da0dde68486 ("ip, udp: Support MSG_SPLICE_PAGES") Fixes: 6d8192bd69bb ("ip6, udp6: Support MSG_SPLICE_PAGES") Reported-by: Hyunwoo Kim <imv4bel@gmail.com> Reported-by: Kuan-Ting Chen <h3xrabbit@gmail.com> Tested-by: Hyunwoo Kim <imv4bel@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Kuan-Ting Chen <h3xrabbit@gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> [bwh: Backported to 5.10: set the SKBTX_SHARED_FRAG flag in ip_append_page() instead of __ip{,6}_append_data()] Signed-off-by: Ben Hutchings <benh@debian.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-04-30T09:25:29+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2026-04-30T09:25:29+00:00 urn:sha1:484bc8b8a0b5816ecc80375b1bc38382abf6bcf5 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>