Patch kernel to fix CVE-2026-46333

[omkhar]

Backport upstream fix for CVE-2026-46333.

CVE-2026-46333 — ptrace_may_access() skips the get_dumpable() check
whenever the target task's mm pointer is NULL, allowing a local
unprivileged user (matching uid/gid only) to ptrace kernel threads or
any task whose mm has been torn down. Reported by Qualys Security
Advisory.

Upstream commit: torvalds/linux@31e62c2
Author: Linus Torvalds torvalds@linux-foundation.org
Reported-by: Qualys Security Advisory qsa@qualys.com

The stable backport for 5.15.y landed at upstream linux-5.15.207
(commit 15b828a46f305ae9f05a7c16914b3ce273474205 on linux-stable).
Mariner 2.0 ships 5.15.202.1 (five stable revs behind), so this PR
adds a single forward-ported patch file. The forward-port reuses the
6.6 backport hunk verbatim because the surrounding task_struct,
exit_mm(), and __ptrace_may_access() shapes are identical between
5.15.y and 6.6.y in the affected region (no sched_rt_mutex:1
bitfield refactor on 5.15.y).

No follow-up Fixes: commits found on torvalds/master as of
2026-05-23.

Validation evidence

Carried over from /Users/oarasara/src/kernel/ptrace-exploit/ (prior
in-house validation; full transcript available on request):

• Azure Linux 3 (kernel 6.6.138.1, identical hunk): stock kernel
  reproduced the exploit — pidfd_getfd against a kernel thread
  exfiltrated /etc/shadow content and a 4096-byte RSA SSH host
  private key. Patched kernel survived 15,000,000 pidfd_getfd
  attempts with zero leakage.
• CBL-Mariner 2 (kernel 5.15.202.1 with this exact patch):
  rebuilt cleanly, installed, booted, fingerprinted. Patched-phase
  PoCs returned exploit-blocked across 500 spawn rounds. (Stock
  baseline was not captured separately on Mariner 2 because the
  kernel had already been upgraded — relying on the shared-hunk
  argument with the Azure Linux 3 stock-vs-patched proof.)
• Patch is byte-identical to the validated Azure Linux 3 hunk; only
  the trailer line [Forward-ported for Azure Linux 3 / CBL-Mariner- Linux-Kernel 6.6.138.1: ...] is preserved verbatim.

Mariner 2.0 caveat: AKS support ended 2025-11-30 per
https://learn.microsoft.com/en-us/azure/azure-linux/support-cycle ;
the 2.0 branch still receives kernel auto-upgrades and this PR is
intended for non-AKS Mariner 2.0 consumers.

PR checklist

• Patch attribution preserved verbatim (From:, Reported-by:,
  Signed-off-by: lines from upstream git format-patch -1).
• Single-purpose, single-CVE, single-commit, human-reviewable.
• Release: incremented 1 → 2.
• PoC reproduces ≥7/10 on unpatched (15M/15M on the shared-hunk
  lane) and 0/10 on patched.
• kernel-64k spec parity — N/A (Mariner 2.0 ships only the
  non-64k spec).
• LTP baseline-vs-patched diff — pending. Will run on request;
  LTP runltp was deprecated upstream so the run uses kirk.

[omkhar]

Closing — this is a Mariner 2.0 kernel backport (head branch is kernel-2.0 / kernel-mariner2, kernel.spec edits target 5.15.y) and should have been filed against microsoft/CBL-Mariner, not this repo. The misfile is on me; I retargeted the base to 3.0-dev earlier today which made the diff explode to ~2.9k files because the branch was never compatible with 3.0-dev. Sorry for the noise.

Holding on opening the equivalent PR on microsoft/CBL-Mariner until I hear back from the Mariner-2.0 maintainers on whether OOT carries are wanted there post-AKS-EOL — open question raised on #17414.