
DLPX-97147 Ubuntu Security Notification for kmod update Vulnerability (USN-8226-1)#392

Merged
prakashsurya merged 1 commit into release from projects/DLPX-97147 on May 12, 2026

@prakashsurya
Contributor

Summary

USN-8226-1 ships kmod and libkmod2 at 31+20240202-2ubuntu7.2. dlpx-develop already absorbed the fix (verified on psurya-dev-usn8226, 2026.4.0.0 / post-push #4117); dlpx-release ships the older 31+20240202-2ubuntu7.1 (verified on psurya-rel-usn8226, 2026.3.0.0 / post-push #366). Jira: DLPX-97147.

This PR backports the kmod and libkmod2 .debs to the release-track appliance via packages/misc-debs/config.sh's debs=(), using the same mechanism the openssh USN-8222-1 backport (#391) introduced.

Paired with

This PR is one half of a coordinated two-repo fix (OpenSpec change kmod-usn-8226-1 in delphix/cd-aidlc#47):

  1. DLPX-97204 Upgrade 2026.3→2026.4 fails: dpkg file conflict on /etc/modprobe.d/disable-algif_aead.conf between delphix-platform-aws and kmod 2ubuntu7.2 delphix-platform#561 (release branch) — drops /etc/modprobe.d/disable-algif_aead.conf from delphix-platform-aws so kmod can own the conffile. Lands first.
  2. THIS PR — adds kmod + libkmod2 to misc-debs. Lands after #561 (its CI gates on #561 being on the release branch, otherwise the appliance build hits a dpkg file-overwrite conflict).

The pair resolves both DLPX-97147 (USN security parity) and DLPX-97204 (the 2026.3 → 2026.4 upgrade conflict that surfaced on 2026-05-06).

What changed

  • Two new entries in packages/misc-debs/config.sh::debs=(), each as "<filename> <sha256>":
    • kmod_31+20240202-2ubuntu7.2_amd64.deb sha256 687693dfad23c96570d96a1c7cc1b8709d31a93f82ac765a11b2bd9130f1dfae
    • libkmod2_31+20240202-2ubuntu7.2_amd64.deb sha256 a9cbdc424bc0a5c8af3d6445488a48de76df5ff4d76b7dab8aaf88f712358bbc
  • Comment block above the entries names USN-8226-1, DLPX-97147, DLPX-97204, and the Ubuntu archive source — matching the file's IMPORTANT NOTE convention.

Note: libkmod-dev is NOT in the array — it is uploaded to artifactory (append-only bucket) but not installed on the appliance per VM-side scan.

Validation

  • make shellcheck exit 0 (no findings).
  • shfmt -d packages/misc-debs/config.sh exit 0.
  • Each .deb pulled from Ubuntu's archive on 2026-05-12; dpkg-deb -f confirms Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> + exact target version. Round-trip read-back from artifactory matches local sha256 byte-for-byte.

Test plan

  • appliance-build-orchestrator-pre-push #14010 (in flight, kicked off 2026-05-12) — running with -b "misc-debs delphix-platform" --extra-repo <delphix-platform-feature-branch>. Four stages: Build Packages → Build Appliance → Import to DCenter (AMI in dlpx-psurya-release) → Run Tests, including test_upgrade_linux_system which is the canonical DLPX-97204 pass gate.
  • Post-build AMI smoke: dpkg-query -W kmod libkmod2 → 31+20240202-2ubuntu7.2; dpkg-query -S /etc/modprobe.d/disable-algif_aead.conf → kmod: ....
  • Manual Jenkins commit-status check posted to this PR's HEAD sha pointing at the #14010 result once available.

🤖 Generated with Claude Code
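
The pin check described under "What changed" and "Validation", as an added example that is not part of this PR or of the linux-pkg code base: a POSIX shell function that verifies files against "<filename> <sha256>" entries and fails closed on a malformed pin, a missing file or a mismatch. The function name verify_pins, its arguments and the sample file are hypothetical; the project's real entries live in debs=() in packages/misc-debs/config.sh.

```shell
#!/bin/sh
# Added example (not linux-pkg code): check files against "<filename> <sha256>"
# pins of the kind the PR adds to debs=(). All sample data below is constructed.

# verify_pins DIR PINS -> 0 only if every pinned file in DIR matches its pin.
# PINS is a newline-separated list of "<filename> <sha256>" entries.
verify_pins() {
	dir=$1
	rc=0
	while read -r name want; do
		[ -n "$name" ] || continue
		# The name must be a bare filename: no path separators, so a pin
		# entry cannot point outside DIR.
		case $name in
		*/*) echo "REJECT   $name (path separator)" >&2; rc=1; continue ;;
		esac
		# A pin must be exactly 64 lowercase hex digits.
		case $want in
		*[!0-9a-f]* | "") echo "BAD PIN  $name" >&2; rc=1; continue ;;
		esac
		if [ "${#want}" -ne 64 ]; then
			echo "BAD PIN  $name" >&2; rc=1; continue
		fi
		if [ ! -f "$dir/$name" ]; then
			echo "MISSING  $name" >&2; rc=1; continue
		fi
		got=$(sha256sum "$dir/$name" | cut -d' ' -f1)
		if [ "$got" = "$want" ]; then
			echo "OK       $name"
		else
			echo "MISMATCH $name (got $got)" >&2; rc=1
		fi
	done <<EOF
$2
EOF
	return "$rc"
}

# Demo on constructed data: an empty file, whose SHA-256 is well known.
demo_dir=$(mktemp -d)
: >"$demo_dir/sample_1.0_amd64.deb"
verify_pins "$demo_dir" \
	"sample_1.0_amd64.deb e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
rm -rf "$demo_dir"
```

A non-zero return should stop the build before any unverified file is handed to dpkg.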

@prakashsurya prakashsurya changed the title DLPX-97147 Ubuntu Security Notification for kmod Vulnerability (USN-8226-1) DLPX-97147 Ubuntu Security Notification for kmod update Vulnerability (USN-8226-1) May 12, 2026

@dbjwhs-perforce dbjwhs-perforce left a comment


LGTM

@prakashsurya
Contributor Author

Manual smoke test on a fresh dlpx-release VM — dpkg-level necessity + sufficiency

To unblock the release without waiting for the full Jenkins #14010
matrix (currently in stage 2 of 4, ETA ~6h), I ran a focused dpkg-level smoke test
that brackets DLPX-97204's failure scenario as both necessary and sufficient.

Setup: two fresh dlpx-release VMs cloned from the same post-push #366 image
(2026.3.0.0), identical baseline. Both have
delphix-platform-aws 1.0.0-delphix.2026.05.11.21.45 (still shipping
/etc/modprobe.d/disable-algif_aead.conf) and kmod 31+20240202-2ubuntu7.1.
Each .deb installed below was downloaded straight from Jenkins #14010 stage 1's
build artifacts (sha256 matches SHA256SUMS byte-for-byte).

Control (necessity): kmod-only install → FAIL, exactly as DLPX-97204 reports

On a baseline VM, installed ONLY kmod + libkmod2 (skipping the new
delphix-platform-aws):

$ sudo dpkg -i kmod_31+20240202-2ubuntu7.2_amd64.deb \
               libkmod2_31+20240202-2ubuntu7.2_amd64.deb
Preparing to unpack kmod_31+20240202-2ubuntu7.2_amd64.deb ...
Unpacking kmod (31+20240202-2ubuntu7.2) over (31+20240202-2ubuntu7.1) ...
dpkg: error processing archive kmod_31+20240202-2ubuntu7.2_amd64.deb (--install):
 trying to overwrite '/etc/modprobe.d/disable-algif_aead.conf',
 which is also in package delphix-platform-aws 1.0.0-delphix.2026.05.11.21.45
...
Errors were encountered while processing:
 kmod_31+20240202-2ubuntu7.2_amd64.deb
$ echo $?
1

Byte-identical to DLPX-97204's reported error. After-state: kmod
rolls back to 2ubuntu7.1, delphix-platform-aws still owns the
file. Confirms the bug requires the delphix-platform-aws fix to land
alongside kmod.

Treatment (sufficiency): both fixes installed together → PASS

On a second baseline VM with identical state, installed all three Jenkins-built
.debs together:

$ sudo dpkg -i delphix-platform-aws_1.0.0-delphix.2026.05.12.19.11_amd64.deb \
               kmod_31+20240202-2ubuntu7.2_amd64.deb \
               libkmod2_31+20240202-2ubuntu7.2_amd64.deb
# … (normal unpack / postinst output, NO "trying to overwrite" error) …
$ echo $?
0

$ dpkg-query -S /etc/modprobe.d/disable-algif_aead.conf
kmod: /etc/modprobe.d/disable-algif_aead.conf          ← OWNERSHIP TRANSITIONED

$ dpkg -l kmod libkmod2 delphix-platform-aws | grep ^ii
ii  delphix-platform-aws 1.0.0-delphix.2026.05.12.19.11 amd64
ii  kmod                 31+20240202-2ubuntu7.2         amd64
ii  libkmod2:amd64       31+20240202-2ubuntu7.2         amd64

The new kmod 31+20240202-2ubuntu7.2 package successfully takes over
/etc/modprobe.d/disable-algif_aead.conf as a conffile. File content
is byte-identical to what delphix-platform-aws previously shipped
(install algif_aead /bin/false), so the algif_aead mitigation
continues uninterrupted.

Why this is sufficient to land now (instead of waiting for stage 4)

  • The DLPX-97204 failure surface is a dpkg-layer file-overwrite check. The
    control above reproduces that exact error verbatim; the treatment exercises
    the same dpkg path with the fix and passes.
  • The Replaces: kmod (<< 31+20240202-2ubuntu7.2) clause in the new
    delphix-platform-aws is sufficient — no postrm upgrade fallback
    is needed.
  • Jenkins #14010 stage 1 (Build Necessary Packages) passed, which
    confirms all 7 per-cloud delphix-platform-<cloud> variants build
    cleanly with the file removed. dpkg-deb -f on the built .deb
    shows Replaces: landed correctly; dpkg-deb -c confirms the file
    is no longer in package contents (only dirty-frag.conf from
    DLPX-97202 remains under ./etc/modprobe.d/).
  • The upgrade-execute script in test_upgrade_linux_system ultimately
    runs apt-get install against packages.list.gz — same dpkg
    unpacking layer the manual test exercises directly.

Stage 4 (test_upgrade_linux_system) on #14010 is still the unattended
end-to-end confirmation and will follow, but the dpkg-level evidence
directly addresses the bug's failure mode.

Merge plan: delphix/delphix-platform#561 and #392
land simultaneously (in the same merge window) so no release-track
appliance build runs between them — linux-pkg alone on release would
hit the same dpkg conflict the control test reproduces.

Full evidence and tracking: delphix/cd-aidlc#47 (OpenSpec change
kmod-usn-8226-1), branch projects/openspec/kmod-usn-8226-1-rollup's
verification.md.

prakashsurya added a commit to delphix/delphix-platform that referenced this pull request May 12, 2026
…dprobe.d/disable-algif_aead.conf between delphix-platform-aws and kmod 2ubuntu7.2

Removes /etc/modprobe.d/disable-algif_aead.conf from delphix-platform's
files/common (covers all per-cloud variants via debian/rules) so kmod
31+20240202-2ubuntu7.2 (USN-8226-1) can own the conffile cleanly.

Appends 'kmod (<< 31+20240202-2ubuntu7.2)' to debian/control.in's
Replaces: list to declare the ownership handoff in dpkg metadata.

Pairs with delphix/linux-pkg#392 (kmod backport via misc-debs) — landing
simultaneously to avoid release-track builds running between the two.

dpkg-level necessity + sufficiency validated on fresh dlpx-release VMs;
see PR comment and delphix/cd-aidlc#47 verification.md for evidence.

USN-8226-1 patches kmod against a kernel-module-loading vulnerability
and ships disable-algif_aead.conf as a conffile-owned mitigation.
dlpx-develop already absorbed 31+20240202-2ubuntu7.2 (verified on
psurya-dev-usn8226, 2026.4.0.0 / post-push #4117); dlpx-release ships
the older 31+20240202-2ubuntu7.1 (verified on psurya-rel-usn8226,
2026.3.0.0 / post-push #366). This change backports the kmod and
libkmod2 .debs to the release-track appliance via the misc-debs
extension point.

Pairs with delphix-platform release-branch DLPX-97204, which drops
disable-algif_aead.conf from delphix-platform-aws so kmod takes
ownership of the conffile cleanly — together resolving the
2026.3 -> 2026.4 upgrade dpkg file-overwrite conflict.

Sources: http://security.ubuntu.com/ubuntu/pool/main/k/kmod/
Verified Ubuntu-published via dpkg-deb -f; sha256s pinned per file.
OpenSpec change: kmod-usn-8226-1 (delphix/cd-aidlc#47)
@prakashsurya prakashsurya force-pushed the projects/DLPX-97147 branch from da0e69e to 3523285 Compare May 12, 2026 19:51
@prakashsurya prakashsurya merged commit 5294270 into release May 12, 2026
13 checks passed
@prakashsurya prakashsurya deleted the projects/DLPX-97147 branch May 12, 2026 19:55