From d44972615fcc1774f80d9d01fb6405b7b3874a98 Mon Sep 17 00:00:00 2001 From: Jacob Martin Date: Thu, 21 May 2026 15:52:26 -0500 Subject: [PATCH 01/11] UBUNTU: Start new release Ignore: yes Signed-off-by: Jacob Martin --- debian.nvidia-bos/changelog | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/debian.nvidia-bos/changelog b/debian.nvidia-bos/changelog index afcbeefd4ec40..bbeb520e4347a 100644 --- a/debian.nvidia-bos/changelog +++ b/debian.nvidia-bos/changelog @@ -1,3 +1,11 @@ +linux-nvidia-bos (7.0.0-2006.6) UNRELEASED; urgency=medium + + CHANGELOG: Do not edit directly. Autogenerated at release. + CHANGELOG: Use the printchanges target to see the current changes. + CHANGELOG: Use the insertchanges target to create the final log. + + -- Jacob Martin Thu, 21 May 2026 15:52:26 -0500 + linux-nvidia-bos (7.0.0-2005.5) resolute; urgency=medium * resolute/linux-nvidia-bos: 7.0.0-2005.5 -proposed tracker (LP: #2148362) From 162e9c8b52dc7b433cee73c26883e7b9472981f8 Mon Sep 17 00:00:00 2001 From: Jacob Martin Date: Thu, 21 May 2026 15:55:07 -0500 Subject: [PATCH 02/11] UBUNTU: link-to-tracker: update tracking bug BugLink: https://bugs.launchpad.net/bugs/2153497 Properties: no-test-build Signed-off-by: Jacob Martin --- debian.nvidia-bos/tracking-bug | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian.nvidia-bos/tracking-bug b/debian.nvidia-bos/tracking-bug index 445d5824e700a..572c4a12d5dcf 100644 --- a/debian.nvidia-bos/tracking-bug +++ b/debian.nvidia-bos/tracking-bug @@ -1 +1 @@ -2148362 d2026.04.13-1 +2153497 d2026.05.20-1 From df2ca5cb8bddf74e8e3c51457a8de87912593e15 Mon Sep 17 00:00:00 2001 From: Jacob Martin Date: Thu, 21 May 2026 15:56:02 -0500 Subject: [PATCH 03/11] UBUNTU: [Packaging] debian.nvidia-bos/dkms-versions -- update from kernel-versions (adhoc/d2026.05.20) BugLink: https://bugs.launchpad.net/bugs/1786013 Signed-off-by: Jacob Martin --- debian.nvidia-bos/dkms-versions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/debian.nvidia-bos/dkms-versions b/debian.nvidia-bos/dkms-versions index fd8e9c633b136..4f3033658247c 100644 --- a/debian.nvidia-bos/dkms-versions +++ b/debian.nvidia-bos/dkms-versions @@ -1,2 +1,3 @@ -zfs-linux 2.4.1-1ubuntu1 modulename=zfs debpath=pool/universe/z/%package%/zfs-dkms_%version%_all.deb arch=amd64 arch=arm64 arch=ppc64el arch=riscv64 arch=s390x rprovides=spl-modules rprovides=spl-dkms rprovides=zfs-modules rprovides=zfs-dkms off_series=true +zfs-linux 2.4.1-1ubuntu5 modulename=zfs debpath=pool/universe/z/%package%/zfs-dkms_%version%_all.deb arch=amd64 arch=arm64 arch=ppc64el arch=riscv64 arch=s390x rprovides=spl-modules rprovides=spl-dkms rprovides=zfs-modules rprovides=zfs-dkms off_series=true v4l2loopback 0.15.3-1ubuntu2 modulename=v4l2loopback debpath=pool/universe/v/%package%/v4l2loopback-dkms_%version%_all.deb arch=amd64 rprovides=v4l2loopback-modules rprovides=v4l2loopback-dkms off_series=true +nvidia-fs 2.28.4-1 modulename=nvidia-fs debpath=pool/universe/n/%package%/nvidia-fs-dkms_%version%_amd64.deb arch=amd64 arch=arm64 rprovides=nvidia-fs-modules rprovides=nvidia-fs-dkms type=standalone From bae790d4dc9b08b2806c2216f1177bf69cf35868 Mon Sep 17 00:00:00 2001 From: Jacob Martin Date: Thu, 21 May 2026 16:27:02 -0500 Subject: [PATCH 04/11] UBUNTU: [Config] nvidia-bos: update annotations Some options were not ordered as the annotations tool expected them to be. Ignore: yes Signed-off-by: Jacob Martin --- debian.nvidia-bos/config/annotations | 37 ++++++++++++++-------------- 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/debian.nvidia-bos/config/annotations b/debian.nvidia-bos/config/annotations index 854c543bb2a1c..562d154cdd155 100644 --- a/debian.nvidia-bos/config/annotations +++ b/debian.nvidia-bos/config/annotations 
@@ -45,9 +45,6 @@ CONFIG_ARM64_WORKAROUND_TRBE_OVERWRITE_FILL_MODE note<'Required for Grace enable CONFIG_ARM64_WORKAROUND_TRBE_WRITE_OUT_OF_RANGE policy<{'arm64': 'y'}> CONFIG_ARM64_WORKAROUND_TRBE_WRITE_OUT_OF_RANGE note<'Required for Grace enablement'> -CONFIG_CACHEMAINT_FOR_HOTPLUG policy<{'amd64': '-', 'arm64': 'n'}> -CONFIG_CACHEMAINT_FOR_HOTPLUG note<'Optional HiSilicon HHA cache maintenance driver; depends on GENERIC_CPU_CACHE_MAINTENANCE; not needed for NVIDIA platforms'> - CONFIG_ARM_FFA_TRANSPORT policy<{'arm64': 'y'}> CONFIG_ARM_FFA_TRANSPORT note<'LP: #2111511'> @@ -57,6 +54,9 @@ CONFIG_ARM_LFA note<'LP: #2138342'> CONFIG_ARM_SMMU_V3_IOMMUFD policy<{'arm64': 'y'}> CONFIG_ARM_SMMU_V3_IOMMUFD note<'LP: #2095028'> +CONFIG_CACHEMAINT_FOR_HOTPLUG policy<{'amd64': '-', 'arm64': 'n'}> +CONFIG_CACHEMAINT_FOR_HOTPLUG note<'Optional HiSilicon HHA cache maintenance driver; depends on GENERIC_CPU_CACHE_MAINTENANCE; not needed for NVIDIA platforms'> + CONFIG_CMA_SIZE_MBYTES policy<{'amd64': '0', 'arm64': '0'}> CONFIG_CMA_SIZE_MBYTES note<'LP: #2150898'> @@ -141,6 +141,15 @@ CONFIG_CXL_PORT note<'Required for CXL port enum CONFIG_CXL_RAS policy<{'amd64': 'y', 'arm64': 'y'}> CONFIG_CXL_RAS note<'New def_bool replacing PCIEAER_CXL; auto-enabled with ACPI_APEI_GHES+PCIEAER+CXL_BUS; CXL RAS error handling support'> +CONFIG_DEV_DAX policy<{'amd64': 'y', 'arm64': 'y'}> +CONFIG_DEV_DAX note<'Override debian.master m-'> + +CONFIG_DEV_DAX_CXL policy<{'amd64': 'y', 'arm64': 'y'}> +CONFIG_DEV_DAX_CXL note<'Override debian.master m-'> + +CONFIG_DEV_DAX_KMEM policy<{'amd64': 'y', 'arm64': 'y'}> +CONFIG_DEV_DAX_KMEM note<'Override debian.master m-'> + CONFIG_DRM_NOUVEAU policy<{'amd64': 'n', 'arm64': 'n'}> CONFIG_DRM_NOUVEAU note<'Disable nouveau for NVIDIA kernels'> 
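Review bot: The three `CONFIG_DEV_DAX*` notes added in the `@@ -141,6 +141,15 @@` hunk end at `m-`, so the rationale the removed entries carried after `m->y` (for example `required built-in for DEV_DAX_CXL=y`) is no longer in the file. The commit message describes a reordering only, so this looks unintended; presumably the `>` in `m->y` was read as the end of `note<...>` when the file was rewritten. Rewording the notes without `>` would keep the reasoning, e.g. `note<'Override debian.master m to y; required built-in for DEV_DAX_CXL=y'>`.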
@@ -213,9 +222,6 @@ CONFIG_NOUVEAU_PLATFORM_DRIVER note<'Disable nouveau for NVIDIA CONFIG_NR_CPUS policy<{'amd64': '8192', 'arm64': '512'}> CONFIG_NR_CPUS note<'LP: #1864198'> -CONFIG_PCIEAER_CXL policy<{'amd64': '-', 'arm64': '-'}> -CONFIG_PCIEAER_CXL note<'Removed by commit d18f1b7beadf (PCI/AER: Replace PCIEAER_CXL symbol with CXL_RAS)'> - CONFIG_NVGRACE_EGM policy<{'arm64': 'm'}> CONFIG_NVGRACE_EGM note<'LP: #2119656'> @@ -228,6 +234,12 @@ CONFIG_NVIDIA_TEGRA410_C2C_PMU note<'LP: #2139315'> CONFIG_NVIDIA_TEGRA410_CMEM_LATENCY_PMU policy<{'arm64': 'm'}> CONFIG_NVIDIA_TEGRA410_CMEM_LATENCY_PMU note<'LP: #2139315'> +CONFIG_PCIEAER_CXL policy<{'amd64': '-', 'arm64': '-'}> +CONFIG_PCIEAER_CXL note<'Removed by commit d18f1b7beadf (PCI/AER: Replace PCIEAER_CXL symbol with CXL_RAS)'> + +CONFIG_PCI_CXL policy<{'amd64': 'y', 'arm64': 'y'}> +CONFIG_PCI_CXL note<'Hidden bool; auto-enabled by CXL_BUS; PCI core CXL DVSEC and HDM state save/restore support'> + CONFIG_PID_IN_CONTEXTIDR policy<{'arm64': 'y'}> CONFIG_PID_IN_CONTEXTIDR note<'Required for Grace enablement'> 
@@ -264,18 +276,6 @@ CONFIG_UBUNTU_ODM_DRIVERS note<'Disable all Ubuntu ODM dri CONFIG_ULTRASOC_SMB policy<{'arm64': 'n'}> CONFIG_ULTRASOC_SMB note<'Required for Grace enablement'> -CONFIG_DEV_DAX policy<{'amd64': 'y', 'arm64': 'y'}> -CONFIG_DEV_DAX note<'Override debian.master m->y; required built-in for DEV_DAX_CXL=y'> - -CONFIG_DEV_DAX_CXL policy<{'amd64': 'y', 'arm64': 'y'}> -CONFIG_DEV_DAX_CXL note<'Override debian.master m->y; CXL RAM region DAX access; depends on CXL_BUS+CXL_REGION+DEV_DAX'> - -CONFIG_DEV_DAX_KMEM policy<{'amd64': 'y', 'arm64': 'y'}> -CONFIG_DEV_DAX_KMEM note<'Override debian.master m->y; map CXL DAX devices as System-RAM'> - -CONFIG_PCI_CXL policy<{'amd64': 'y', 'arm64': 'y'}> -CONFIG_PCI_CXL note<'Hidden bool; auto-enabled by CXL_BUS; PCI core CXL DVSEC and HDM state save/restore support'> - CONFIG_VFIO_CONTAINER policy<{'amd64': 'y', 'arm64': 'n'}> CONFIG_VFIO_CONTAINER note<'LP: #2095028'> @@ -286,4 +286,5 @@ CONFIG_VFIO_IOMMU_TYPE1 note<'LP: #2095028'> # ---- Annotations without notes ---- CONFIG_BCH policy<{'amd64': 'm', 'arm64': 'y'}> +CONFIG_HISI_SOC_HHA policy<{'arm64': '-'}> CONFIG_MTD_NAND_CORE policy<{'amd64': 'm', 'arm64': 'y'}> From 3ab3db0e077a03a5fb2ce77c7beb7e754f708882 Mon Sep 17 00:00:00 2001 From: Jacob Martin Date: Thu, 21 May 2026 16:29:41 -0500 Subject: [PATCH 05/11] UBUNTU: Ubuntu-nvidia-bos-7.0.0-2006.6 Signed-off-by: Jacob Martin --- debian.nvidia-bos/changelog | 237 +++++++++++++++++++++++++++++++++++- 1 file changed, 232 insertions(+), 5 deletions(-) diff --git a/debian.nvidia-bos/changelog b/debian.nvidia-bos/changelog index bbeb520e4347a..c277060084cc8 100644 --- a/debian.nvidia-bos/changelog +++ b/debian.nvidia-bos/changelog 
@@ -1,10 +1,237 @@ -linux-nvidia-bos (7.0.0-2006.6) UNRELEASED; urgency=medium +linux-nvidia-bos (7.0.0-2006.6) resolute; urgency=medium - CHANGELOG: Do not edit directly. Autogenerated at release. - CHANGELOG: Use the printchanges target to see the current changes. - CHANGELOG: Use the insertchanges target to create the final log. + * resolute/linux-nvidia-bos: 7.0.0-2006.6 -proposed tracker (LP: #2153497) - -- Jacob Martin Thu, 21 May 2026 15:52:26 -0500 + * Packaging resync (LP: #1786013) + - [Packaging] debian.nvidia-bos/dkms-versions -- update from kernel- + versions (adhoc/d2026.05.20) + + * Add CXL Type-2 device support, RAS error handling, reset, state + save/restore, and interleaving support (LP: #2143032) // CXL: Backport + Type-2, state save/restore, and reset support (LP: #2153819) + - NVIDIA: VR: SAUCE: [Config] CXL config annotations for Type-2 device and + RAS support + - NVIDIA: VR: SAUCE: [Config] Enable CXL DAX and KMEM built-in for CXL + memory access + - NVIDIA: VR: SAUCE: [Config] Add PCI_CXL annotation for CXL state + save/restore + - NVIDIA: VR: SAUCE: PCI: Add CXL DVSEC control, lock, and range register + definitions + - NVIDIA: VR: SAUCE: cxl: Move HDM decoder and register map definitions to + include/cxl/cxl.h + - NVIDIA: VR: SAUCE: PCI: Add virtual extended cap save buffer for CXL + state + - NVIDIA: VR: SAUCE: PCI: Add cxl DVSEC state save/restore across resets + - NVIDIA: VR: SAUCE: PCI: Add HDM decoder state save/restore + - NVIDIA: VR: SAUCE: PCI: Add CXL DVSEC reset and capability register + definitions + - NVIDIA: VR: SAUCE: PCI: Export pci_dev_save_and_disable() and + pci_dev_restore() + - NVIDIA: VR: SAUCE: cxl: Add memory offlining and cache flush helpers + - NVIDIA: VR: SAUCE: cxl: Add multi-function sibling coordination for CXL + reset + - NVIDIA: VR: SAUCE: cxl: Add CXL DVSEC reset sequence and flow + orchestration + - NVIDIA: VR: SAUCE: cxl: Add cxl_reset sysfs interface for PCI devices + - NVIDIA: VR: SAUCE: Documentation: 
ABI: Add CXL PCI cxl_reset sysfs + attribute + + * CXL: Backport Type-2, state save/restore, and reset support (LP: #2153819) + - cxl: support Type2 when initializing cxl_dev_state + - cxl: export internal structs for external Type2 drivers + - cxl: Move pci generic code from cxl_pci to core/cxl_pci + - cxl/pci: Remove redundant cxl_pci_find_port() call + - NVIDIA: VR: SAUCE: sfc: add cxl support + - NVIDIA: VR: SAUCE: cxl/sfc: Map cxl regs + - NVIDIA: VR: SAUCE: cxl/sfc: Initialize dpa without a mailbox + - NVIDIA: VR: SAUCE: cxl: Prepare memdev creation for type2 + - NVIDIA: VR: SAUCE: sfc: create type2 cxl memdev + - NVIDIA: VR: SAUCE: cxl: attach region to an accelerator/type2 memdev + - NVIDIA: VR: SAUCE: cxl: Avoid dax creation for accelerators + - NVIDIA: VR: SAUCE: sfc: support pio mapping based on cxl + - NVIDIA: VR: SAUCE: dax/hmem: Request cxl_acpi and cxl_pci before walking + Soft Reserved ranges + - NVIDIA: VR: SAUCE: dax/hmem: Gate Soft Reserved deferral on DEV_DAX_CXL + - NVIDIA: VR: SAUCE: cxl/region: Skip decoder reset on detach for + autodiscovered regions + - NVIDIA: VR: SAUCE: dax/cxl, hmem: Initialize hmem early and defer + dax_cxl binding + - NVIDIA: VR: SAUCE: dax: Track all dax_region allocations under a global + resource tree + - NVIDIA: VR: SAUCE: cxl/region: Add helper to check Soft Reserved + containment by CXL regions + - NVIDIA: VR: SAUCE: dax: Add deferred-work helpers for dax_hmem and + dax_cxl coordination + - NVIDIA: VR: SAUCE: dax/hmem, cxl: Defer and resolve ownership of Soft + Reserved memory ranges + - NVIDIA: VR: SAUCE: dax/hmem: Reintroduce Soft Reserved ranges back into + the iomem tree + - NVIDIA: VR: SAUCE: cxl/region: Support multi-level interleaving with + smaller granularities for lower levels + - NVIDIA: SAUCE: Revert "NVIDIA: VR: SAUCE: cxl: add support for cxl + reset" + + * Installer fails internally with a RSync error due to page fault + (LP: #2150640) + - NVIDIA: SAUCE: ovl: keep err zero after successful 
ovl_cache_get() + + * Refresh series: Allow ATS to be always on for certain ATS-capable devices + (LP: #2150727) + - Revert "NVIDIA: VR: SAUCE: iommu/arm-smmu-v3: Allow ATS to be always on" + - Revert "NVIDIA: VR: SAUCE: PCI: Allow ATS to be always on for non-CXL + NVIDIA GPUs" + - Revert "NVIDIA: VR: SAUCE: PCI: Allow ATS to be always on for CXL.cache + capable devices" + - NVIDIA: VR: SAUCE: PCI: Allow ATS to be always on for CXL.cache capable + devices + - NVIDIA: VR: SAUCE: PCI: Allow ATS to be always on for pre-CXL devices + - NVIDIA: VR: SAUCE: iommu/arm-smmu-v3: Allow ATS to be always on + + * Pull CPPC mailing list patches for Spark (LP: #2131705) + - ACPI: CPPC: Add cppc_get_perf() API to read performance controls + - ACPI: CPPC: Warn on missing mandatory DESIRED_PERF register + - ACPI: CPPC: Extend cppc_set_epp_perf() for FFH/SystemMemory + - cpufreq: CPPC: Update cached perf_ctrls on sysfs write + - cpufreq: cppc: Update MIN_PERF/MAX_PERF in target callbacks + - ACPI: CPPC: add APIs and sysfs interface for perf_limited + - cpufreq: CPPC: Add sysfs documentation for perf_limited + - ACPI: CPPC: Move reference performance to capabilities + - ACPI: CPPC: Fix uninitialized ref variable in cppc_get_perf_caps() + - ACPI: CPPC: Check cpc_read() return values consistently + - cpufreq: Remove max_freq_req update for pre-existing policy + - cpufreq: Add boost_freq_req QoS request + - cpufreq: Allocate QoS freq_req objects with policy + - cpufreq/amd-pstate: Cache the max frequency in cpudata + - NVIDIA: SAUCE: cpufreq: Extract cpufreq_policy_init_qos() function + - NVIDIA: SAUCE: cpufreq: Set default policy->min/max values for all + drivers + - NVIDIA: SAUCE: cpufreq: Remove driver default policy->min/max init + - NVIDIA: SAUCE: cpufreq: Use policy->min/max init as QoS request + - NVIDIA: SAUCE: cpufreq: CPPC: add autonomous mode boot parameter support + + * Backport Vera PMU support (LP: #2149756) + - Revert "NVIDIA: VR: SAUCE: perf vendor events arm64: Add 
Tegra410 + Olympus PMU events" + - Revert "NVIDIA: VR: SAUCE: perf: add NVIDIA Tegra410 C2C PMU" + - Revert "NVIDIA: VR: SAUCE: perf: add NVIDIA Tegra410 CPU Memory Latency + PMU" + - Revert "NVIDIA: VR: SAUCE: perf/arm_cspmu: nvidia: Add Tegra410 PCIE-TGT + PMU" + - Revert "NVIDIA: VR: SAUCE: perf/arm_cspmu: nvidia: Add Tegra410 PCIE + PMU" + - Revert "NVIDIA: VR: SAUCE: perf/arm_cspmu: Add arm_cspmu_acpi_dev_get" + - Revert "NVIDIA: VR: SAUCE: perf/arm_cspmu: nvidia: Add Tegra410 UCF PMU" + - Revert "NVIDIA: VR: SAUCE: perf/arm_cspmu: nvidia: Rename doc to + Tegra241" + - perf/arm_cspmu: nvidia: Rename doc to Tegra241 + - perf/arm_cspmu: nvidia: Add Tegra410 UCF PMU + - perf/arm_cspmu: Add arm_cspmu_acpi_dev_get + - perf/arm_cspmu: nvidia: Add Tegra410 PCIE PMU + - perf/arm_cspmu: nvidia: Add Tegra410 PCIE-TGT PMU + - perf: add NVIDIA Tegra410 CPU Memory Latency PMU + - perf: add NVIDIA Tegra410 C2C PMU + - perf vendor events arm64: Add Tegra410 Olympus PMU events + - NVIDIA: VR: SAUCE: perf/arm_pmu: Skip PMCCNTR_EL0 on NVIDIA Olympus + + * Backport lan743x driver patches (LP: #2152064) + - net: microchip: lan743x: add ethtool nway_reset support + - net: lan743x: fix SGMII detection on PCI1xxxx B0+ during warm reset + - net: lan743x: rename chip_rev to fpga_rev + + * Backport SMT-aware asymmetric CPU capacity idle selection (LP: #2150671) + - NVIDIA: VR: SAUCE: sched/fair: Attach sched_domain_shared to + sd_asym_cpucapacity + - NVIDIA: VR: SAUCE: sched/fair: Prefer fully-idle SMT cores in asym- + capacity idle selection + - NVIDIA: VR: SAUCE: sched/fair: Reject misfit pulls onto busy SMT + siblings on asym-capacity + - NVIDIA: VR: SAUCE: sched/fair: Add SIS_UTIL support to + select_idle_capacity() + + * Forward-port of the full Arm Live Firmware Activation (LFA) v2 series + (LP: #2150652) + - Revert "NVIDIA: VR: SAUCE: firmware: smccc: register as platform driver" + - Revert "NVIDIA: VR: SAUCE: firmware: smccc: add timeout, touch wdt" + - Revert "NVIDIA: VR: 
SAUCE: firmware: smccc: add support for Live + Firmware Activation (LFA)" + - NVIDIA: VR: SAUCE: dt-bindings: arm: Add Live Firmware Activation + binding + - NVIDIA: VR: SAUCE: firmware: smccc: Add support for Live Firmware + Activation (LFA) + - NVIDIA: VR: SAUCE: firmware: smccc: lfa: Move image rescanning + - NVIDIA: VR: SAUCE: firmware: smccc: lfa: Add timeout and trigger + watchdog + - NVIDIA: VR: SAUCE: firmware: smccc: lfa: Register ACPI notification + - NVIDIA: VR: SAUCE: firmware: smccc: lfa: Add auto_activate sysfs file + - NVIDIA: VR: SAUCE: firmware: smccc: lfa: Register DT interrupt + - NVIDIA: VR: SAUCE: firmware: smccc: lfa: introduce SMC access lock + - NVIDIA: VR: SAUCE: firmware: smccc: lfa: handle LFA_BUSY in PRIME and + ACTIVATE + - NVIDIA: VR: SAUCE: firmware: smccc: lfa: Emit a uevent on inventory + updates + + * Introduce a sharded cache affinity scope (LP: #2150467) + - workqueue: fix parse_affn_scope() prefix matching bug + - workqueue: fix typo in WQ_AFFN_SMT comment + - workqueue: add WQ_AFFN_CACHE_SHARD affinity scope + - workqueue: set WQ_AFFN_CACHE_SHARD as the default affinity scope + - tools/workqueue: add CACHE_SHARD support to wq_dump.py + - workqueue: add test_workqueue benchmark module + - docs: workqueue: document WQ_AFFN_CACHE_SHARD affinity scope + - workqueue: avoid unguarded 64-bit division + - workqueue: validate cpumask_first() result in + llc_populate_cpu_shard_id() + - [Config] nvidia: Defaults for CONFIG_TEST_WORKQUEUE + + * UBUNTU: [Config] nvidia: Disable default CMA reservation (LP: #2150898) + - [Config] nvidia: Disable default CMA reservation + + * Backport Use device ID range for DGX Spark iGPU (LP: #2150487) + - NVIDIA: SAUCE: iommu/arm-smmu-v3: Use device ID range for DGX Spark iGPU + iommu quirk + + * Backport NVIDIA: SAUCE: iommu/arm-smmu-v3: Use identity domain for ASPEED + BMC devices (LP: #2150470) + - NVIDIA: SAUCE: iommu/arm-smmu-v3: Use identity domain for ASPEED BMC + devices + + * Update GDS/NVMe SAUCE 
for v6.17 (LP: #2134960) // [linux-nvidia-7.0]: + Forward-port GDS/NVFS content (LP: #2150289) + - NVIDIA: SAUCE: Patch NVMe/NVMeoF driver to support GDS on Linux 7.0 + Kernel + + * Backport Set LED_HW_PLUGGABLE for NPEM and fix class init ordering issue + of CXL/fwctl (LP: #2149918) + - PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports + - fwctl: Fix class init ordering to avoid NULL pointer dereference on + device removal + + * gpio: tegra186: Simplify GPIO line name prefix and support multi-socket + devices (LP: #2148664) + - gpio: tegra186: Simplify GPIO line name prefix handling + - gpio: tegra186: Support multi-socket devices + - Revert "NVIDIA: SAUCE: serial: 8250_mtk: Add ACPI support" + - NVIDIA: SAUCE: MEDIATEK: serial: 8250_mtk: Add ACPI support + + * fix r8169 vs r8127 contention for Spark (LP: #2144345) + - NVIDIA: SAUCE: r8169: remove PCI IDs claimed by r8127 driver + + * Backport of the vfio/nvgrace-gpu Blackwell-Next GPU readiness check (v3) + from LKML to 26.04_linux-nvidia. (LP: #2148701) + - NVIDIA: SAUCE: vfio/nvgrace-gpu: Add Blackwell-Next GPU readiness check + via CXL DVSEC + + [ Ubuntu: 7.0.0-15.15 ] + + * resolute/linux: 7.0.0-15.15 -proposed tracker (LP: #2148866) + * Qualcomm X1E: Speaker overdrive causes hardware protection shutdown + (LP: #2149808) + - SAUCE: ASoC: qcom: x1e80100: limit speaker volumes + * intel-ipu7 / intel-ipu7-isys modules are shipped unsigned in latest + Resolute kernels, breaking Secure Boot systems (LP: #2148718) + - [packaging] add intel-ipu7 to signature inclusion list + + -- Jacob Martin Thu, 21 May 2026 16:29:40 -0500 linux-nvidia-bos (7.0.0-2005.5) resolute; urgency=medium From ee04f0715147039bde9d81482d0cd99d43ded952 Mon Sep 17 00:00:00 2001 
From: Kuan-Ting Chen Date: Mon, 4 May 2026 23:27:12 +0800 Subject: [PATCH 06/11] xfrm: esp: avoid in-place decrypt on shared skb frags commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4 upstream. MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data(). Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") Fixes: 7da0dde68486 ("ip, udp: Support MSG_SPLICE_PAGES") Fixes: 6d8192bd69bb ("ip6, udp6: Support MSG_SPLICE_PAGES") Reported-by: Hyunwoo Kim Reported-by: Kuan-Ting Chen Tested-by: Hyunwoo Kim Cc: stable@vger.kernel.org Signed-off-by: Kuan-Ting Chen Signed-off-by: Steffen Klassert Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 52646cbd00e765a6db9c3afe9535f26218276034 linux-stable) 
Signed-off-by: Lee Trager --- net/ipv4/esp4.c | 3 ++- net/ipv4/ip_output.c | 2 ++ net/ipv6/esp6.c | 3 ++- net/ipv6/ip6_output.c | 2 ++ 4 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 6dfc0bcdef654..6a5febbdbee49 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -873,7 +873,8 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
 nfrags = 1;
 goto skip_cow;
- } else if (!skb_has_frag_list(skb)) {
+ } else if (!skb_has_frag_list(skb) &&
+ !skb_has_shared_frag(skb)) {
 nfrags = skb_shinfo(skb)->nr_frags;
 nfrags++;
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index e4790cc7b5c2e..5bcd73cbdb41c 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1233,6 +1233,8 @@ static int __ip_append_data(struct sock *sk,
 if (err < 0)
 goto error;
 copy = err;
+ if (!(flags & MSG_NO_SHARED_FRAGS))
+ skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
 wmem_alloc_delta += copy;
 } else if (!zc) {
 int i = skb_shinfo(skb)->nr_frags;
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 9f75313734f8c..9c06c5a1419dc 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -915,7 +915,8 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
 nfrags = 1;
 goto skip_cow;
- } else if (!skb_has_frag_list(skb)) {
+ } else if (!skb_has_frag_list(skb) &&
+ !skb_has_shared_frag(skb)) {
 nfrags = skb_shinfo(skb)->nr_frags;
 nfrags++;
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 8e2a6b28cea7a..3f14e363c96e2 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1765,6 +1765,8 @@ static int __ip6_append_data(struct sock *sk,
 if (err < 0)
 goto error;
 copy = err;
+ if (!(flags & MSG_NO_SHARED_FRAGS))
+ skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
 wmem_alloc_delta += copy;
 } else if (!zc) {
 int i = skb_shinfo(skb)->nr_frags;
From 4854821147b459b44ab6e5571522ed88443fa5c4 Mon Sep 17 00:00:00 2001
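Review bot: The widened fast-path test in `esp_input()` has no comment saying why a shared frag must force the `skb_cow_data()` path, and the same applies to the identical change in `esp6_input()` in net/ipv6/esp6.c. I would add above the `else if`: `/* Frags flagged SKBFL_SHARED_FRAG may be backed by pages the skb does not own (e.g. spliced in); never decrypt those in place. */`. The check is only as strong as the producers that set the flag: this commit covers `__ip_append_data()` and `__ip6_append_data()`, and any other path that attaches externally owned pages would need the same marking. Both functions start and end outside their hunks.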
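Review bot: The flag assignment added to the splice branch of `__ip_append_data()`, and the matching one in `__ip6_append_data()` in net/ipv6/ip6_output.c, carries no comment, although the `MSG_NO_SHARED_FRAGS` opt-out appears to be a caller promise that the pages are private. A short comment would record that contract where it is relied on, e.g. `/* Spliced pages may still be referenced elsewhere; mark them so later writers copy first unless the caller vouches for them via MSG_NO_SHARED_FRAGS. */`. The enclosing functions start and end outside the hunks, so the placement relative to other branches that add frags cannot be checked from here.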
From: David Howells Date: Wed, 22 Apr 2026 17:14:32 +0100 Subject: [PATCH 07/11] rxrpc: Fix potential UAF after skb_unshare() failure If skb_unshare() fails to unshare a packet due to allocation failure in rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread()) will be NULL'd out. This will likely cause the call to trace_rxrpc_rx_done() to oops. Fix this by moving the unsharing down to where rxrpc_input_call_event() calls rxrpc_input_call_packet(). There are a number of places prior to that where we ignore DATA packets for a variety of reasons (such as the call already being complete) for which an unshare is then avoided. And with that, rxrpc_input_packet() doesn't need to take a pointer to the pointer to the packet, so change that to just a pointer. Fixes: 2d1faf7a0ca3 ("rxrpc: Simplify skbuff accounting in receive path") Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com Signed-off-by: David Howells cc: Marc Dionne cc: Jeffrey Altman cc: Simon Horman cc: linux-afs@lists.infradead.org cc: stable@kernel.org Link: https://patch.msgid.link/20260422161438.2593376-4-dhowells@redhat.com Signed-off-by: Jakub Kicinski (cherry picked from commit 1f2740150f904bfa60e4bad74d65add3ccb5e7f8) Signed-off-by: Lee Trager --- include/trace/events/rxrpc.h | 4 ++-- net/rxrpc/ar-internal.h | 1 - net/rxrpc/call_event.c | 19 ++++++++++++++++++- net/rxrpc/io_thread.c | 24 ++---------------------- net/rxrpc/skbuff.c | 9 --------- 5 files changed, 22 insertions(+), 35 deletions(-) diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h index 578b8038b2117..8d77828b75155 100644 --- a/include/trace/events/rxrpc.h +++ b/include/trace/events/rxrpc.h 
@@ -161,8 +161,6 @@ E_(rxrpc_call_poke_timer_now, "Timer-now") #define rxrpc_skb_traces \ - EM(rxrpc_skb_eaten_by_unshare, "ETN unshare ") \ - EM(rxrpc_skb_eaten_by_unshare_nomem, "ETN unshar-nm") \ EM(rxrpc_skb_get_call_rx, "GET call-rx ") \ EM(rxrpc_skb_get_conn_secured, "GET conn-secd") \ EM(rxrpc_skb_get_conn_work, "GET conn-work") \ @@ -189,6 +187,7 @@ EM(rxrpc_skb_put_purge, "PUT purge ") \ EM(rxrpc_skb_put_purge_oob, "PUT purge-oob") \ EM(rxrpc_skb_put_response, "PUT response ") \ + EM(rxrpc_skb_put_response_copy, "PUT resp-cpy ") \ EM(rxrpc_skb_put_rotate, "PUT rotate ") \ EM(rxrpc_skb_put_unknown, "PUT unknown ") \ EM(rxrpc_skb_see_conn_work, "SEE conn-work") \ @@ -197,6 +196,7 @@ EM(rxrpc_skb_see_recvmsg_oob, "SEE recvm-oob") \ EM(rxrpc_skb_see_reject, "SEE reject ") \ EM(rxrpc_skb_see_rotate, "SEE rotate ") \ + EM(rxrpc_skb_see_unshare_nomem, "SEE unshar-nm") \ E_(rxrpc_skb_see_version, "SEE version ") #define rxrpc_local_traces \ diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h index 96ecb83c90715..27c2aa2dd023c 100644 --- a/net/rxrpc/ar-internal.h +++ b/net/rxrpc/ar-internal.h @@ -1486,7 +1486,6 @@ int rxrpc_server_keyring(struct rxrpc_sock *, sockptr_t, int); void rxrpc_kernel_data_consumed(struct rxrpc_call *, struct sk_buff *); void rxrpc_new_skb(struct sk_buff *, enum rxrpc_skb_trace); void rxrpc_see_skb(struct sk_buff *, enum rxrpc_skb_trace); -void rxrpc_eaten_skb(struct sk_buff *, enum rxrpc_skb_trace); void rxrpc_get_skb(struct sk_buff *, enum rxrpc_skb_trace); void rxrpc_free_skb(struct sk_buff *, enum rxrpc_skb_trace); void rxrpc_purge_queue(struct sk_buff_head *); diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c index fec59d9338b9f..cc8f9dfa44e8a 100644 --- a/net/rxrpc/call_event.c +++ b/net/rxrpc/call_event.c 
@@ -332,7 +332,24 @@ bool rxrpc_input_call_event(struct rxrpc_call *call)
 saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
- rxrpc_input_call_packet(call, skb);
+ if (sp->hdr.securityIndex != 0 &&
+ skb_cloned(skb)) {
+ /* Unshare the packet so that it can be
+ * modified by in-place decryption.
+ */
+ struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
+
+ if (nskb) {
+ rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
+ rxrpc_input_call_packet(call, nskb);
+ rxrpc_free_skb(nskb, rxrpc_skb_put_call_rx);
+ } else {
+ /* OOM - Drop the packet. */
+ rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
+ }
+ } else {
+ rxrpc_input_call_packet(call, skb);
+ }
 rxrpc_free_skb(skb, rxrpc_skb_put_call_rx);
 did_receive = true;
 }
diff --git a/net/rxrpc/io_thread.c b/net/rxrpc/io_thread.c
index 6979569319252..dc5184a2fa9d1 100644
--- a/net/rxrpc/io_thread.c
+++ b/net/rxrpc/io_thread.c
@@ -192,13 +192,12 @@ static bool rxrpc_extract_abort(struct sk_buff *skb)
 /*
 * Process packets received on the local endpoint
 */
-static bool rxrpc_input_packet(struct rxrpc_local *local, struct sk_buff **_skb)
+static bool rxrpc_input_packet(struct rxrpc_local *local, struct sk_buff *skb)
 {
 struct rxrpc_connection *conn;
 struct sockaddr_rxrpc peer_srx;
 struct rxrpc_skb_priv *sp;
 struct rxrpc_peer *peer = NULL;
- struct sk_buff *skb = *_skb;
 bool ret = false;
 skb_pull(skb, sizeof(struct udphdr));
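Review bot: On the allocation-failure branch in `rxrpc_input_call_event()` the packet is never handed to `rxrpc_input_call_packet()`, yet the unchanged line after the if/else still sets `did_receive = true`. If that flag feeds ACK or timer decisions later in the function (not visible in this hunk), a dropped packet is counted as received; either skip the assignment on that branch or say in the comment that it is intended, e.g. `/* OOM - drop the packet; it is still counted as received below. */`. The copy here uses `GFP_ATOMIC`, while the equivalent copy added to net/rxrpc/conn_event.c later in this series uses `GFP_NOFS`; if this path may sleep, the less failure-prone flag would make the drop rarer. The function body extends beyond the hunk.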
@@ -244,25 +243,6 @@ static bool rxrpc_input_packet(struct rxrpc_local *local, struct sk_buff **_skb)
 return rxrpc_bad_message(skb, rxrpc_badmsg_zero_call);
 if (sp->hdr.seq == 0)
 return rxrpc_bad_message(skb, rxrpc_badmsg_zero_seq);
-
- /* Unshare the packet so that it can be modified for in-place
- * decryption.
- */
- if (sp->hdr.securityIndex != 0) {
- skb = skb_unshare(skb, GFP_ATOMIC);
- if (!skb) {
- rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem);
- *_skb = NULL;
- return just_discard;
- }
-
- if (skb != *_skb) {
- rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare);
- *_skb = skb;
- rxrpc_new_skb(skb, rxrpc_skb_new_unshared);
- sp = rxrpc_skb(skb);
- }
- }
 break;
 case RXRPC_PACKET_TYPE_CHALLENGE:
@@ -494,7 +474,7 @@ int rxrpc_io_thread(void *data)
 switch (skb->mark) {
 case RXRPC_SKB_MARK_PACKET:
 skb->priority = 0;
- if (!rxrpc_input_packet(local, &skb))
+ if (!rxrpc_input_packet(local, skb))
 rxrpc_reject_packet(local, skb);
 trace_rxrpc_rx_done(skb->mark, skb->priority);
 rxrpc_free_skb(skb, rxrpc_skb_put_input);
diff --git a/net/rxrpc/skbuff.c b/net/rxrpc/skbuff.c
index 3bcd6ee803960..e2169d1a14b5f 100644
--- a/net/rxrpc/skbuff.c
+++ b/net/rxrpc/skbuff.c
@@ -46,15 +46,6 @@ void rxrpc_get_skb(struct sk_buff *skb, enum rxrpc_skb_trace why)
 skb_get(skb);
 }
-/*
- * Note the dropping of a ref on a socket buffer by the core.
- */
-void rxrpc_eaten_skb(struct sk_buff *skb, enum rxrpc_skb_trace why)
-{
- int n = atomic_inc_return(&rxrpc_n_rx_skbs);
- trace_rxrpc_skb(skb, 0, n, why);
-}
-
 /*
 * Note the destruction of a socket buffer.
 */
From ff3c259a69184df1e3f45185978a8282be1fbe38 Mon Sep 17 00:00:00 2001
From: David Howells Date: Thu, 23 Apr 2026 21:09:06 +0100 Subject: [PATCH 08/11] rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets Fix rxrpc_input_call_event() to only unshare DATA packets and not ACK, ABORT, etc.. And with that, rxrpc_input_packet() doesn't need to take a pointer to the pointer to the packet, so change that to just a pointer. Fixes: 1f2740150f90 ("rxrpc: Fix potential UAF after skb_unshare() failure") Closes: https://sashiko.dev/#/patchset/20260422161438.2593376-4-dhowells@redhat.com Signed-off-by: David Howells cc: Marc Dionne cc: Jeffrey Altman cc: Simon Horman cc: linux-afs@lists.infradead.org cc: stable@kernel.org Link: https://patch.msgid.link/20260423200909.3049438-2-dhowells@redhat.com Signed-off-by: Jakub Kicinski (cherry picked from commit 55b2984c96c37f909bbfe8851f13152693951382) Signed-off-by: Lee Trager --- net/rxrpc/call_event.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
index cc8f9dfa44e8a..fdd683261226c 100644
--- a/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -332,7 +332,8 @@ bool rxrpc_input_call_event(struct rxrpc_call *call)
 saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
- if (sp->hdr.securityIndex != 0 &&
+ if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
+ sp->hdr.securityIndex != 0 &&
 skb_cloned(skb)) {
 /* Unshare the packet so that it can be
 * modified by in-place decryption.
From 95a663a03da68c017936f37c77a4988e04b91137 Mon Sep 17 00:00:00 2001
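Review bot: The comment kept as context below the new test still reads as if every secured packet were unshared; it does not say why the copy is now limited to `RXRPC_PACKET_TYPE_DATA`. Going by the commit message, only DATA packets need it at call level, so I would reword it to something like `/* Only DATA packets are decrypted in place here; copy a cloned one so other holders of the buffer never see it modified. */`. The `if` body and the rest of `rxrpc_input_call_event()` lie outside the hunk.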
From: David Howells Date: Wed, 22 Apr 2026 17:14:33 +0100 Subject: [PATCH 09/11] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets The security operations that verify the RESPONSE packets decrypt bits of it in place - however, the sk_buff may be shared with a packet sniffer, which would lead to the sniffer seeing an apparently corrupt packet (actually decrypted). Fix this by handing a copy of the packet off to the specific security handler if the packet was cloned. Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com Signed-off-by: David Howells cc: Marc Dionne cc: Jeffrey Altman cc: Simon Horman cc: linux-afs@lists.infradead.org cc: stable@kernel.org Link: https://patch.msgid.link/20260422161438.2593376-5-dhowells@redhat.com Signed-off-by: Jakub Kicinski (cherry picked from commit 24481a7f573305706054c59e275371f8d0fe919f) Signed-off-by: Lee Trager --- net/rxrpc/conn_event.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c index 9a41ec708aeb9..aee977291d90b 100644 --- a/net/rxrpc/conn_event.c +++ b/net/rxrpc/conn_event.c 
@@ -240,6 +240,33 @@ static void rxrpc_call_is_secure(struct rxrpc_call *call)
 rxrpc_notify_socket(call);
 }
+static int rxrpc_verify_response(struct rxrpc_connection *conn,
+ struct sk_buff *skb)
+{
+ int ret;
+
+ if (skb_cloned(skb)) {
+ /* Copy the packet if shared so that we can do in-place
+ * decryption.
+ */
+ struct sk_buff *nskb = skb_copy(skb, GFP_NOFS);
+
+ if (nskb) {
+ rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
+ ret = conn->security->verify_response(conn, nskb);
+ rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy);
+ } else {
+ /* OOM - Drop the packet. */
+ rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
+ ret = -ENOMEM;
+ }
+ } else {
+ ret = conn->security->verify_response(conn, skb);
+ }
+
+ return ret;
+}
+
 /*
 * connection-level Rx packet processor
 */
@@ -270,7 +297,7 @@ static int rxrpc_process_event(struct rxrpc_connection *conn,
 }
 spin_unlock_irq(&conn->state_lock);
- ret = conn->security->verify_response(conn, skb);
+ ret = rxrpc_verify_response(conn, skb);
 if (ret < 0)
 return ret;
From 99488abe8e893bc352f469ca3330d0f5a87430b2 Mon Sep 17 00:00:00 2001
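Review bot: The new rxrpc_verify_response() has no header comment, and its contract is easy to miss: when the skb is cloned, the security handler verifies and decrypts a private copy that is freed before return, so the caller's skb still holds the undecrypted bytes. A comment above the function would record that, for example `/* Verify a RESPONSE packet; a shared skb is copied first, so on return skb itself has not been decrypted. */`. It would also help to state that -ENOMEM is returned when the copy cannot be allocated, since the call site in rxrpc_process_event() passes any negative value straight back to its caller.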
From: Hyunwoo Kim Date: Fri, 8 May 2026 17:53:09 +0900 Subject: [PATCH 10/11] rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present commit aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71 upstream. The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused. Fixes: d0d5c0cd1e71 ("rxrpc: Use skb_unshare() rather than skb_cow_data()") Cc: stable@vger.kernel.org Signed-off-by: Hyunwoo Kim Reviewed-by: Jiayuan Chen Acked-by: David Howells Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman (cherry picked from commit d45179f8795222ce858770dc619abe51f9d24411 linux-stable) Signed-off-by: Lee Trager
---
 net/rxrpc/call_event.c | 4 +++-
 net/rxrpc/conn_event.c | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
index fdd683261226c..2b19b252225e5 100644
--- a/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -334,7 +334,9 @@ bool rxrpc_input_call_event(struct rxrpc_call *call)
 if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
 sp->hdr.securityIndex != 0 &&
- skb_cloned(skb)) {
+ (skb_cloned(skb) ||
+ skb_has_frag_list(skb) ||
+ skb_has_shared_frag(skb))) {
 /* Unshare the packet so that it can be
 * modified by in-place decryption.
 */
diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
index aee977291d90b..b582ad91d610a 100644
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -245,7 +245,8 @@ static int rxrpc_verify_response(struct rxrpc_connection *conn,
 {
 int ret;
- if (skb_cloned(skb)) {
+ if (skb_cloned(skb) || skb_has_frag_list(skb) ||
+ skb_has_shared_frag(skb)) {
 /* Copy the packet if shared so that we can do in-place
 * decryption.
 */
From af968a3d551ba6afba6e96cb3389ba9198cbc154 Mon Sep 17 00:00:00 2001
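Review bot: The widened condition in rxrpc_input_call_event() only helps if the branch it guards makes a copy unconditionally, and that branch body lies outside this hunk. skb_unshare() duplicates an skb only when skb_cloned() is true, so if this tree still calls it here (the Fixes: tag points at the skb_unshare() conversion), an uncloned skb carrying a frag list or shared frags would come back unchanged and still be decrypted in place. Please confirm that the body uses skb_copy(), as rxrpc_verify_response() in conn_event.c does. The existing comment could then be extended to `/* Unshare the packet if it is cloned or carries a frag list or shared frags, so that in-place decryption only writes to memory we own. */`.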
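Review bot: The test `skb_cloned(skb) || skb_has_frag_list(skb) || skb_has_shared_frag(skb)` is now written out twice, here in rxrpc_verify_response() and in rxrpc_input_call_event() in call_event.c, so the two gates can drift apart the next time a sharing case is added. A single static inline predicate in the rxrpc internal header (name left to the maintainers), used at both sites, would keep them identical. The comment under the test still says only "if shared"; it could read `/* Copy the packet if it is cloned or has a frag list or shared frags so that we can do in-place decryption. */`.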
From: Linus Torvalds Date: Wed, 13 May 2026 11:37:18 -0700 Subject: [PATCH 11/11] ptrace: slightly saner 'get_dumpable()' logic commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a upstream. The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override. Reported-by: Qualys Security Advisory Cc: Oleg Nesterov Cc: Kees Cook Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 01363cb3fbd0238ffdeb09f53e9039c9edf8a730 linux-stable) Signed-off-by: Lee Trager
---
 include/linux/sched.h | 3 +++
 kernel/exit.c | 1 +
 kernel/ptrace.c | 22 ++++++++++++++++------
 3 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 5a5d3dbc9cdf3..9d4fb641a6c1d 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -998,6 +998,9 @@ struct task_struct {
 unsigned sched_rt_mutex:1;
 #endif
+ /* Save user-dumpable when mm goes away */
+ unsigned user_dumpable:1;
+
 /* Bit to tell TOMOYO we're in execve(): */
 unsigned in_execve:1;
 unsigned in_iowait:1;
diff --git a/kernel/exit.c b/kernel/exit.c
index ede3117fa7d41..bbb44fd3ffba2 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -571,6 +571,7 @@ static void exit_mm(void)
 */
 smp_mb__after_spinlock();
 local_irq_disable();
+ current->user_dumpable = (get_dumpable(mm) == SUID_DUMP_USER);
 current->mm = NULL;
 membarrier_update_current_mm(NULL);
 enter_lazy_tlb(mm, current);
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 392ec2f75f013..0e3ab697cff5c 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -272,11 +272,24 @@ static bool ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
 return ns_capable(ns, CAP_SYS_PTRACE);
 }
+static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
+{
+ struct mm_struct *mm = task->mm;
+ if (mm) {
+ if (get_dumpable(mm) == SUID_DUMP_USER)
+ return true;
+ return ptrace_has_cap(mm->user_ns, mode);
+ }
+
+ if (task->user_dumpable)
+ return true;
+ return ptrace_has_cap(&init_user_ns, mode);
+}
+
 /* Returns 0 on success, -errno on denial. */
 static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
 {
 const struct cred *cred = current_cred(), *tcred;
- struct mm_struct *mm;
 kuid_t caller_uid;
 kgid_t caller_gid;
@@ -337,11 +350,8 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
 * Pairs with a write barrier in commit_creds().
 */
 smp_rmb();
- mm = task->mm;
- if (mm &&
- ((get_dumpable(mm) != SUID_DUMP_USER) &&
- !ptrace_has_cap(mm->user_ns, mode)))
- return -EPERM;
+ if (!task_still_dumpable(task, mode))
+ return -EPERM;
 return security_ptrace_access_check(task, mode);
 }
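Review bot: The comment on `user_dumpable` in struct task_struct does not say who writes the bit or what a zero value means, although kernel/ptrace.c now bases an access decision on it. Within this patch the only store is in exit_mm(), immediately before `current->mm = NULL`, and the commit message notes that the bit stays zero for kernel threads. A comment such as `/* Set once by exit_mm(); 0 for tasks that never had an mm, in which case ptrace access needs CAP_SYS_PTRACE */` would record that. The store in kernel/exit.c is uncommented as well, and a line there saying it has to precede clearing the mm pointer would help. Whether readers are serialised against that store (for example by task_lock()) is not visible in these hunks and should be stated if it is relied upon.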
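Review bot: task_still_dumpable() in kernel/ptrace.c is missing the blank line that kernel style expects after the declaration `struct mm_struct *mm = task->mm;`, and it has no header comment even though it now carries the access policy for tasks without an mm. I would add the blank line and a header such as `/* A task with no mm falls back to the dumpability cached at exit; otherwise the caller needs CAP_SYS_PTRACE in init_user_ns. */`. That keeps the stricter rule for mm-less tasks visible to the next person who touches __ptrace_may_access().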