1 |
commit: 68fe36a61d8beb3a44014a32a3ca8c8d98f23a6a |
2 |
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
3 |
AuthorDate: Thu Aug 11 12:34:28 2022 +0000 |
4 |
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
5 |
CommitDate: Thu Aug 11 12:34:28 2022 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=68fe36a6 |
7 |
|
8 |
Linux patch 5.10.136 |
9 |
|
10 |
Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> |
11 |
|
12 |
0000_README | 4 + |
13 |
1135_linux-5.10.136.patch | 1250 +++++++++++++++++++++++++++++++++++++++++++++ |
14 |
2 files changed, 1254 insertions(+) |
15 |
|
16 |
diff --git a/0000_README b/0000_README |
17 |
index 19bd6321..f9d23a2c 100644 |
18 |
--- a/0000_README |
19 |
+++ b/0000_README |
20 |
@@ -583,6 +583,10 @@ Patch: 1134_linux-5.10.135.patch |
21 |
From: http://www.kernel.org |
22 |
Desc: Linux 5.10.135 |
23 |
|
24 |
+Patch: 1135_linux-5.10.136.patch |
25 |
+From: http://www.kernel.org |
26 |
+Desc: Linux 5.10.136 |
27 |
+ |
28 |
Patch: 1500_XATTR_USER_PREFIX.patch |
29 |
From: https://bugs.gentoo.org/show_bug.cgi?id=470644 |
30 |
Desc: Support for namespace user.pax.* on tmpfs. |
31 |
|
32 |
diff --git a/1135_linux-5.10.136.patch b/1135_linux-5.10.136.patch |
33 |
new file mode 100644 |
34 |
index 00000000..f6266a42 |
35 |
--- /dev/null |
36 |
+++ b/1135_linux-5.10.136.patch |
37 |
@@ -0,0 +1,1250 @@ |
38 |
+diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst |
39 |
+index 6bd97cd50d625..7e061ed449aaa 100644 |
40 |
+--- a/Documentation/admin-guide/hw-vuln/spectre.rst |
41 |
++++ b/Documentation/admin-guide/hw-vuln/spectre.rst |
42 |
+@@ -422,6 +422,14 @@ The possible values in this file are: |
43 |
+ 'RSB filling' Protection of RSB on context switch enabled |
44 |
+ ============= =========================================== |
45 |
+ |
46 |
++ - EIBRS Post-barrier Return Stack Buffer (PBRSB) protection status: |
47 |
++ |
48 |
++ =========================== ======================================================= |
49 |
++ 'PBRSB-eIBRS: SW sequence' CPU is affected and protection of RSB on VMEXIT enabled |
50 |
++ 'PBRSB-eIBRS: Vulnerable' CPU is vulnerable |
51 |
++ 'PBRSB-eIBRS: Not affected' CPU is not affected by PBRSB |
52 |
++ =========================== ======================================================= |
53 |
++ |
54 |
+ Full mitigation might require a microcode update from the CPU |
55 |
+ vendor. When the necessary microcode is not available, the kernel will |
56 |
+ report vulnerability. |
57 |
+diff --git a/Makefile b/Makefile |
58 |
+index 5f4dbcb433075..1730698124c7b 100644 |
59 |
+--- a/Makefile |
60 |
++++ b/Makefile |
61 |
+@@ -1,7 +1,7 @@ |
62 |
+ # SPDX-License-Identifier: GPL-2.0 |
63 |
+ VERSION = 5 |
64 |
+ PATCHLEVEL = 10 |
65 |
+-SUBLEVEL = 135 |
66 |
++SUBLEVEL = 136 |
67 |
+ EXTRAVERSION = |
68 |
+ NAME = Dare mighty things |
69 |
+ |
70 |
+diff --git a/arch/arm64/crypto/poly1305-glue.c b/arch/arm64/crypto/poly1305-glue.c |
71 |
+index 01e22fe408235..9f4599014854d 100644 |
72 |
+--- a/arch/arm64/crypto/poly1305-glue.c |
73 |
++++ b/arch/arm64/crypto/poly1305-glue.c |
74 |
+@@ -52,7 +52,7 @@ static void neon_poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src, |
75 |
+ { |
76 |
+ if (unlikely(!dctx->sset)) { |
77 |
+ if (!dctx->rset) { |
78 |
+- poly1305_init_arch(dctx, src); |
79 |
++ poly1305_init_arm64(&dctx->h, src); |
80 |
+ src += POLY1305_BLOCK_SIZE; |
81 |
+ len -= POLY1305_BLOCK_SIZE; |
82 |
+ dctx->rset = 1; |
83 |
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig |
84 |
+index 16c045906b2ac..159646da3c6bc 100644 |
85 |
+--- a/arch/x86/Kconfig |
86 |
++++ b/arch/x86/Kconfig |
87 |
+@@ -2447,7 +2447,7 @@ config RETPOLINE |
88 |
+ config RETHUNK |
89 |
+ bool "Enable return-thunks" |
90 |
+ depends on RETPOLINE && CC_HAS_RETURN_THUNK |
91 |
+- default y |
92 |
++ default y if X86_64 |
93 |
+ help |
94 |
+ Compile the kernel with the return-thunks compiler option to guard |
95 |
+ against kernel-to-user data leaks by avoiding return speculation. |
96 |
+@@ -2456,21 +2456,21 @@ config RETHUNK |
97 |
+ |
98 |
+ config CPU_UNRET_ENTRY |
99 |
+ bool "Enable UNRET on kernel entry" |
100 |
+- depends on CPU_SUP_AMD && RETHUNK |
101 |
++ depends on CPU_SUP_AMD && RETHUNK && X86_64 |
102 |
+ default y |
103 |
+ help |
104 |
+ Compile the kernel with support for the retbleed=unret mitigation. |
105 |
+ |
106 |
+ config CPU_IBPB_ENTRY |
107 |
+ bool "Enable IBPB on kernel entry" |
108 |
+- depends on CPU_SUP_AMD |
109 |
++ depends on CPU_SUP_AMD && X86_64 |
110 |
+ default y |
111 |
+ help |
112 |
+ Compile the kernel with support for the retbleed=ibpb mitigation. |
113 |
+ |
114 |
+ config CPU_IBRS_ENTRY |
115 |
+ bool "Enable IBRS on kernel entry" |
116 |
+- depends on CPU_SUP_INTEL |
117 |
++ depends on CPU_SUP_INTEL && X86_64 |
118 |
+ default y |
119 |
+ help |
120 |
+ Compile the kernel with support for the spectre_v2=ibrs mitigation. |
121 |
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h |
122 |
+index 2a51ee2f5a0f0..37ba0cdf99aa8 100644 |
123 |
+--- a/arch/x86/include/asm/cpufeatures.h |
124 |
++++ b/arch/x86/include/asm/cpufeatures.h |
125 |
+@@ -299,6 +299,7 @@ |
126 |
+ #define X86_FEATURE_RETHUNK (11*32+14) /* "" Use REturn THUNK */ |
127 |
+ #define X86_FEATURE_UNRET (11*32+15) /* "" AMD BTB untrain return */ |
128 |
+ #define X86_FEATURE_USE_IBPB_FW (11*32+16) /* "" Use IBPB during runtime firmware calls */ |
129 |
++#define X86_FEATURE_RSB_VMEXIT_LITE (11*32+17) /* "" Fill RSB on VM exit when EIBRS is enabled */ |
130 |
+ |
131 |
+ /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ |
132 |
+ #define X86_FEATURE_AVX512_BF16 (12*32+ 5) /* AVX512 BFLOAT16 instructions */ |
133 |
+@@ -429,5 +430,6 @@ |
134 |
+ #define X86_BUG_SRBDS X86_BUG(24) /* CPU may leak RNG bits if not mitigated */ |
135 |
+ #define X86_BUG_MMIO_STALE_DATA X86_BUG(25) /* CPU is affected by Processor MMIO Stale Data vulnerabilities */ |
136 |
+ #define X86_BUG_RETBLEED X86_BUG(26) /* CPU is affected by RETBleed */ |
137 |
++#define X86_BUG_EIBRS_PBRSB X86_BUG(27) /* EIBRS is vulnerable to Post Barrier RSB Predictions */ |
138 |
+ |
139 |
+ #endif /* _ASM_X86_CPUFEATURES_H */ |
140 |
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h |
141 |
+index 407de670cd609..144dc164b7596 100644 |
142 |
+--- a/arch/x86/include/asm/msr-index.h |
143 |
++++ b/arch/x86/include/asm/msr-index.h |
144 |
+@@ -148,6 +148,10 @@ |
145 |
+ * are restricted to targets in |
146 |
+ * kernel. |
147 |
+ */ |
148 |
++#define ARCH_CAP_PBRSB_NO BIT(24) /* |
149 |
++ * Not susceptible to Post-Barrier |
150 |
++ * Return Stack Buffer Predictions. |
151 |
++ */ |
152 |
+ |
153 |
+ #define MSR_IA32_FLUSH_CMD 0x0000010b |
154 |
+ #define L1D_FLUSH BIT(0) /* |
155 |
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h |
156 |
+index c3e8e50633ea2..0acd99329923c 100644 |
157 |
+--- a/arch/x86/include/asm/nospec-branch.h |
158 |
++++ b/arch/x86/include/asm/nospec-branch.h |
159 |
+@@ -60,7 +60,9 @@ |
160 |
+ 774: \ |
161 |
+ add $(BITS_PER_LONG/8) * 2, sp; \ |
162 |
+ dec reg; \ |
163 |
+- jnz 771b; |
164 |
++ jnz 771b; \ |
165 |
++ /* barrier for jnz misprediction */ \ |
166 |
++ lfence; |
167 |
+ |
168 |
+ #ifdef __ASSEMBLY__ |
169 |
+ |
170 |
+@@ -118,13 +120,28 @@ |
171 |
+ #endif |
172 |
+ .endm |
173 |
+ |
174 |
++.macro ISSUE_UNBALANCED_RET_GUARD |
175 |
++ ANNOTATE_INTRA_FUNCTION_CALL |
176 |
++ call .Lunbalanced_ret_guard_\@ |
177 |
++ int3 |
178 |
++.Lunbalanced_ret_guard_\@: |
179 |
++ add $(BITS_PER_LONG/8), %_ASM_SP |
180 |
++ lfence |
181 |
++.endm |
182 |
++ |
183 |
+ /* |
184 |
+ * A simpler FILL_RETURN_BUFFER macro. Don't make people use the CPP |
185 |
+ * monstrosity above, manually. |
186 |
+ */ |
187 |
+-.macro FILL_RETURN_BUFFER reg:req nr:req ftr:req |
188 |
++.macro FILL_RETURN_BUFFER reg:req nr:req ftr:req ftr2 |
189 |
++.ifb \ftr2 |
190 |
+ ALTERNATIVE "jmp .Lskip_rsb_\@", "", \ftr |
191 |
++.else |
192 |
++ ALTERNATIVE_2 "jmp .Lskip_rsb_\@", "", \ftr, "jmp .Lunbalanced_\@", \ftr2 |
193 |
++.endif |
194 |
+ __FILL_RETURN_BUFFER(\reg,\nr,%_ASM_SP) |
195 |
++.Lunbalanced_\@: |
196 |
++ ISSUE_UNBALANCED_RET_GUARD |
197 |
+ .Lskip_rsb_\@: |
198 |
+ .endm |
199 |
+ |
200 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
201 |
+index 2e5762faf7740..859a3f59526c7 100644 |
202 |
+--- a/arch/x86/kernel/cpu/bugs.c |
203 |
++++ b/arch/x86/kernel/cpu/bugs.c |
204 |
+@@ -1291,6 +1291,53 @@ static void __init spec_ctrl_disable_kernel_rrsba(void) |
205 |
+ } |
206 |
+ } |
207 |
+ |
208 |
++static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_mitigation mode) |
209 |
++{ |
210 |
++ /* |
211 |
++ * Similar to context switches, there are two types of RSB attacks |
212 |
++ * after VM exit: |
213 |
++ * |
214 |
++ * 1) RSB underflow |
215 |
++ * |
216 |
++ * 2) Poisoned RSB entry |
217 |
++ * |
218 |
++ * When retpoline is enabled, both are mitigated by filling/clearing |
219 |
++ * the RSB. |
220 |
++ * |
221 |
++ * When IBRS is enabled, while #1 would be mitigated by the IBRS branch |
222 |
++ * prediction isolation protections, RSB still needs to be cleared |
223 |
++ * because of #2. Note that SMEP provides no protection here, unlike |
224 |
++ * user-space-poisoned RSB entries. |
225 |
++ * |
226 |
++ * eIBRS should protect against RSB poisoning, but if the EIBRS_PBRSB |
227 |
++ * bug is present then a LITE version of RSB protection is required, |
228 |
++ * just a single call needs to retire before a RET is executed. |
229 |
++ */ |
230 |
++ switch (mode) { |
231 |
++ case SPECTRE_V2_NONE: |
232 |
++ return; |
233 |
++ |
234 |
++ case SPECTRE_V2_EIBRS_LFENCE: |
235 |
++ case SPECTRE_V2_EIBRS: |
236 |
++ if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) { |
237 |
++ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE); |
238 |
++ pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n"); |
239 |
++ } |
240 |
++ return; |
241 |
++ |
242 |
++ case SPECTRE_V2_EIBRS_RETPOLINE: |
243 |
++ case SPECTRE_V2_RETPOLINE: |
244 |
++ case SPECTRE_V2_LFENCE: |
245 |
++ case SPECTRE_V2_IBRS: |
246 |
++ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT); |
247 |
++ pr_info("Spectre v2 / SpectreRSB : Filling RSB on VMEXIT\n"); |
248 |
++ return; |
249 |
++ } |
250 |
++ |
251 |
++ pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation at VM exit"); |
252 |
++ dump_stack(); |
253 |
++} |
254 |
++ |
255 |
+ static void __init spectre_v2_select_mitigation(void) |
256 |
+ { |
257 |
+ enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); |
258 |
+@@ -1441,28 +1488,7 @@ static void __init spectre_v2_select_mitigation(void) |
259 |
+ setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); |
260 |
+ pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n"); |
261 |
+ |
262 |
+- /* |
263 |
+- * Similar to context switches, there are two types of RSB attacks |
264 |
+- * after vmexit: |
265 |
+- * |
266 |
+- * 1) RSB underflow |
267 |
+- * |
268 |
+- * 2) Poisoned RSB entry |
269 |
+- * |
270 |
+- * When retpoline is enabled, both are mitigated by filling/clearing |
271 |
+- * the RSB. |
272 |
+- * |
273 |
+- * When IBRS is enabled, while #1 would be mitigated by the IBRS branch |
274 |
+- * prediction isolation protections, RSB still needs to be cleared |
275 |
+- * because of #2. Note that SMEP provides no protection here, unlike |
276 |
+- * user-space-poisoned RSB entries. |
277 |
+- * |
278 |
+- * eIBRS, on the other hand, has RSB-poisoning protections, so it |
279 |
+- * doesn't need RSB clearing after vmexit. |
280 |
+- */ |
281 |
+- if (boot_cpu_has(X86_FEATURE_RETPOLINE) || |
282 |
+- boot_cpu_has(X86_FEATURE_KERNEL_IBRS)) |
283 |
+- setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT); |
284 |
++ spectre_v2_determine_rsb_fill_type_at_vmexit(mode); |
285 |
+ |
286 |
+ /* |
287 |
+ * Retpoline protects the kernel, but doesn't protect firmware. IBRS |
288 |
+@@ -2215,6 +2241,19 @@ static char *ibpb_state(void) |
289 |
+ return ""; |
290 |
+ } |
291 |
+ |
292 |
++static char *pbrsb_eibrs_state(void) |
293 |
++{ |
294 |
++ if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) { |
295 |
++ if (boot_cpu_has(X86_FEATURE_RSB_VMEXIT_LITE) || |
296 |
++ boot_cpu_has(X86_FEATURE_RSB_VMEXIT)) |
297 |
++ return ", PBRSB-eIBRS: SW sequence"; |
298 |
++ else |
299 |
++ return ", PBRSB-eIBRS: Vulnerable"; |
300 |
++ } else { |
301 |
++ return ", PBRSB-eIBRS: Not affected"; |
302 |
++ } |
303 |
++} |
304 |
++ |
305 |
+ static ssize_t spectre_v2_show_state(char *buf) |
306 |
+ { |
307 |
+ if (spectre_v2_enabled == SPECTRE_V2_LFENCE) |
308 |
+@@ -2227,12 +2266,13 @@ static ssize_t spectre_v2_show_state(char *buf) |
309 |
+ spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE) |
310 |
+ return sprintf(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n"); |
311 |
+ |
312 |
+- return sprintf(buf, "%s%s%s%s%s%s\n", |
313 |
++ return sprintf(buf, "%s%s%s%s%s%s%s\n", |
314 |
+ spectre_v2_strings[spectre_v2_enabled], |
315 |
+ ibpb_state(), |
316 |
+ boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", |
317 |
+ stibp_state(), |
318 |
+ boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "", |
319 |
++ pbrsb_eibrs_state(), |
320 |
+ spectre_v2_module_string()); |
321 |
+ } |
322 |
+ |
323 |
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c |
324 |
+index 901352bd3b426..9fc91482e85e3 100644 |
325 |
+--- a/arch/x86/kernel/cpu/common.c |
326 |
++++ b/arch/x86/kernel/cpu/common.c |
327 |
+@@ -1024,6 +1024,7 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c) |
328 |
+ #define NO_SWAPGS BIT(6) |
329 |
+ #define NO_ITLB_MULTIHIT BIT(7) |
330 |
+ #define NO_SPECTRE_V2 BIT(8) |
331 |
++#define NO_EIBRS_PBRSB BIT(9) |
332 |
+ |
333 |
+ #define VULNWL(vendor, family, model, whitelist) \ |
334 |
+ X86_MATCH_VENDOR_FAM_MODEL(vendor, family, model, whitelist) |
335 |
+@@ -1064,7 +1065,7 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = { |
336 |
+ |
337 |
+ VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT), |
338 |
+ VULNWL_INTEL(ATOM_GOLDMONT_D, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT), |
339 |
+- VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT), |
340 |
++ VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_EIBRS_PBRSB), |
341 |
+ |
342 |
+ /* |
343 |
+ * Technically, swapgs isn't serializing on AMD (despite it previously |
344 |
+@@ -1074,7 +1075,9 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = { |
345 |
+ * good enough for our purposes. |
346 |
+ */ |
347 |
+ |
348 |
+- VULNWL_INTEL(ATOM_TREMONT_D, NO_ITLB_MULTIHIT), |
349 |
++ VULNWL_INTEL(ATOM_TREMONT, NO_EIBRS_PBRSB), |
350 |
++ VULNWL_INTEL(ATOM_TREMONT_L, NO_EIBRS_PBRSB), |
351 |
++ VULNWL_INTEL(ATOM_TREMONT_D, NO_ITLB_MULTIHIT | NO_EIBRS_PBRSB), |
352 |
+ |
353 |
+ /* AMD Family 0xf - 0x12 */ |
354 |
+ VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT), |
355 |
+@@ -1252,6 +1255,11 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) |
356 |
+ setup_force_cpu_bug(X86_BUG_RETBLEED); |
357 |
+ } |
358 |
+ |
359 |
++ if (cpu_has(c, X86_FEATURE_IBRS_ENHANCED) && |
360 |
++ !cpu_matches(cpu_vuln_whitelist, NO_EIBRS_PBRSB) && |
361 |
++ !(ia32_cap & ARCH_CAP_PBRSB_NO)) |
362 |
++ setup_force_cpu_bug(X86_BUG_EIBRS_PBRSB); |
363 |
++ |
364 |
+ if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN)) |
365 |
+ return; |
366 |
+ |
367 |
+diff --git a/arch/x86/kvm/vmx/vmenter.S b/arch/x86/kvm/vmx/vmenter.S |
368 |
+index 857fa0fc49faf..982138bebb70f 100644 |
369 |
+--- a/arch/x86/kvm/vmx/vmenter.S |
370 |
++++ b/arch/x86/kvm/vmx/vmenter.S |
371 |
+@@ -197,11 +197,13 @@ SYM_INNER_LABEL(vmx_vmexit, SYM_L_GLOBAL) |
372 |
+ * entries and (in some cases) RSB underflow. |
373 |
+ * |
374 |
+ * eIBRS has its own protection against poisoned RSB, so it doesn't |
375 |
+- * need the RSB filling sequence. But it does need to be enabled |
376 |
+- * before the first unbalanced RET. |
377 |
++ * need the RSB filling sequence. But it does need to be enabled, and a |
378 |
++ * single call to retire, before the first unbalanced RET. |
379 |
+ */ |
380 |
+ |
381 |
+- FILL_RETURN_BUFFER %_ASM_CX, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_VMEXIT |
382 |
++ FILL_RETURN_BUFFER %_ASM_CX, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_VMEXIT,\ |
383 |
++ X86_FEATURE_RSB_VMEXIT_LITE |
384 |
++ |
385 |
+ |
386 |
+ pop %_ASM_ARG2 /* @flags */ |
387 |
+ pop %_ASM_ARG1 /* @vmx */ |
388 |
+diff --git a/drivers/acpi/apei/bert.c b/drivers/acpi/apei/bert.c |
389 |
+index 598fd19b65fa4..45973aa6e06d4 100644 |
390 |
+--- a/drivers/acpi/apei/bert.c |
391 |
++++ b/drivers/acpi/apei/bert.c |
392 |
+@@ -29,16 +29,26 @@ |
393 |
+ |
394 |
+ #undef pr_fmt |
395 |
+ #define pr_fmt(fmt) "BERT: " fmt |
396 |
++ |
397 |
++#define ACPI_BERT_PRINT_MAX_RECORDS 5 |
398 |
+ #define ACPI_BERT_PRINT_MAX_LEN 1024 |
399 |
+ |
400 |
+ static int bert_disable; |
401 |
+ |
402 |
++/* |
403 |
++ * Print "all" the error records in the BERT table, but avoid huge spam to |
404 |
++ * the console if the BIOS included oversize records, or too many records. |
405 |
++ * Skipping some records here does not lose anything because the full |
406 |
++ * data is available to user tools in: |
407 |
++ * /sys/firmware/acpi/tables/data/BERT |
408 |
++ */ |
409 |
+ static void __init bert_print_all(struct acpi_bert_region *region, |
410 |
+ unsigned int region_len) |
411 |
+ { |
412 |
+ struct acpi_hest_generic_status *estatus = |
413 |
+ (struct acpi_hest_generic_status *)region; |
414 |
+ int remain = region_len; |
415 |
++ int printed = 0, skipped = 0; |
416 |
+ u32 estatus_len; |
417 |
+ |
418 |
+ while (remain >= sizeof(struct acpi_bert_region)) { |
419 |
+@@ -46,24 +56,26 @@ static void __init bert_print_all(struct acpi_bert_region *region, |
420 |
+ if (remain < estatus_len) { |
421 |
+ pr_err(FW_BUG "Truncated status block (length: %u).\n", |
422 |
+ estatus_len); |
423 |
+- return; |
424 |
++ break; |
425 |
+ } |
426 |
+ |
427 |
+ /* No more error records. */ |
428 |
+ if (!estatus->block_status) |
429 |
+- return; |
430 |
++ break; |
431 |
+ |
432 |
+ if (cper_estatus_check(estatus)) { |
433 |
+ pr_err(FW_BUG "Invalid error record.\n"); |
434 |
+- return; |
435 |
++ break; |
436 |
+ } |
437 |
+ |
438 |
+- pr_info_once("Error records from previous boot:\n"); |
439 |
+- if (region_len < ACPI_BERT_PRINT_MAX_LEN) |
440 |
++ if (estatus_len < ACPI_BERT_PRINT_MAX_LEN && |
441 |
++ printed < ACPI_BERT_PRINT_MAX_RECORDS) { |
442 |
++ pr_info_once("Error records from previous boot:\n"); |
443 |
+ cper_estatus_print(KERN_INFO HW_ERR, estatus); |
444 |
+- else |
445 |
+- pr_info_once("Max print length exceeded, table data is available at:\n" |
446 |
+- "/sys/firmware/acpi/tables/data/BERT"); |
447 |
++ printed++; |
448 |
++ } else { |
449 |
++ skipped++; |
450 |
++ } |
451 |
+ |
452 |
+ /* |
453 |
+ * Because the boot error source is "one-time polled" type, |
454 |
+@@ -75,6 +87,9 @@ static void __init bert_print_all(struct acpi_bert_region *region, |
455 |
+ estatus = (void *)estatus + estatus_len; |
456 |
+ remain -= estatus_len; |
457 |
+ } |
458 |
++ |
459 |
++ if (skipped) |
460 |
++ pr_info(HW_ERR "Skipped %d error records\n", skipped); |
461 |
+ } |
462 |
+ |
463 |
+ static int __init setup_bert_disable(char *str) |
464 |
+diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c |
465 |
+index 7b9793cb55c50..e39d59ad64964 100644 |
466 |
+--- a/drivers/acpi/video_detect.c |
467 |
++++ b/drivers/acpi/video_detect.c |
468 |
+@@ -424,7 +424,6 @@ static const struct dmi_system_id video_detect_dmi_table[] = { |
469 |
+ .callback = video_detect_force_native, |
470 |
+ .ident = "Clevo NL5xRU", |
471 |
+ .matches = { |
472 |
+- DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"), |
473 |
+ DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"), |
474 |
+ }, |
475 |
+ }, |
476 |
+@@ -432,59 +431,75 @@ static const struct dmi_system_id video_detect_dmi_table[] = { |
477 |
+ .callback = video_detect_force_native, |
478 |
+ .ident = "Clevo NL5xRU", |
479 |
+ .matches = { |
480 |
+- DMI_MATCH(DMI_SYS_VENDOR, "SchenkerTechnologiesGmbH"), |
481 |
+- DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"), |
482 |
++ DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"), |
483 |
++ DMI_MATCH(DMI_BOARD_NAME, "AURA1501"), |
484 |
+ }, |
485 |
+ }, |
486 |
+ { |
487 |
+ .callback = video_detect_force_native, |
488 |
+ .ident = "Clevo NL5xRU", |
489 |
+ .matches = { |
490 |
+- DMI_MATCH(DMI_SYS_VENDOR, "Notebook"), |
491 |
+- DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"), |
492 |
++ DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"), |
493 |
++ DMI_MATCH(DMI_BOARD_NAME, "EDUBOOK1502"), |
494 |
+ }, |
495 |
+ }, |
496 |
+ { |
497 |
+ .callback = video_detect_force_native, |
498 |
+- .ident = "Clevo NL5xRU", |
499 |
++ .ident = "Clevo NL5xNU", |
500 |
+ .matches = { |
501 |
+- DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"), |
502 |
+- DMI_MATCH(DMI_BOARD_NAME, "AURA1501"), |
503 |
++ DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"), |
504 |
+ }, |
505 |
+ }, |
506 |
++ /* |
507 |
++ * The TongFang PF5PU1G, PF4NU1F, PF5NU1G, and PF5LUXG/TUXEDO BA15 Gen10, |
508 |
++ * Pulse 14/15 Gen1, and Pulse 15 Gen2 have the same problem as the Clevo |
509 |
++ * NL5xRU and NL5xNU/TUXEDO Aura 15 Gen1 and Gen2. See the description |
510 |
++ * above. |
511 |
++ */ |
512 |
+ { |
513 |
+ .callback = video_detect_force_native, |
514 |
+- .ident = "Clevo NL5xRU", |
515 |
++ .ident = "TongFang PF5PU1G", |
516 |
+ .matches = { |
517 |
+- DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"), |
518 |
+- DMI_MATCH(DMI_BOARD_NAME, "EDUBOOK1502"), |
519 |
++ DMI_MATCH(DMI_BOARD_NAME, "PF5PU1G"), |
520 |
+ }, |
521 |
+ }, |
522 |
+ { |
523 |
+ .callback = video_detect_force_native, |
524 |
+- .ident = "Clevo NL5xNU", |
525 |
++ .ident = "TongFang PF4NU1F", |
526 |
++ .matches = { |
527 |
++ DMI_MATCH(DMI_BOARD_NAME, "PF4NU1F"), |
528 |
++ }, |
529 |
++ }, |
530 |
++ { |
531 |
++ .callback = video_detect_force_native, |
532 |
++ .ident = "TongFang PF4NU1F", |
533 |
+ .matches = { |
534 |
+ DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"), |
535 |
+- DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"), |
536 |
++ DMI_MATCH(DMI_BOARD_NAME, "PULSE1401"), |
537 |
+ }, |
538 |
+ }, |
539 |
+ { |
540 |
+ .callback = video_detect_force_native, |
541 |
+- .ident = "Clevo NL5xNU", |
542 |
++ .ident = "TongFang PF5NU1G", |
543 |
+ .matches = { |
544 |
+- DMI_MATCH(DMI_SYS_VENDOR, "SchenkerTechnologiesGmbH"), |
545 |
+- DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"), |
546 |
++ DMI_MATCH(DMI_BOARD_NAME, "PF5NU1G"), |
547 |
+ }, |
548 |
+ }, |
549 |
+ { |
550 |
+ .callback = video_detect_force_native, |
551 |
+- .ident = "Clevo NL5xNU", |
552 |
++ .ident = "TongFang PF5NU1G", |
553 |
+ .matches = { |
554 |
+- DMI_MATCH(DMI_SYS_VENDOR, "Notebook"), |
555 |
+- DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"), |
556 |
++ DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"), |
557 |
++ DMI_MATCH(DMI_BOARD_NAME, "PULSE1501"), |
558 |
++ }, |
559 |
++ }, |
560 |
++ { |
561 |
++ .callback = video_detect_force_native, |
562 |
++ .ident = "TongFang PF5LUXG", |
563 |
++ .matches = { |
564 |
++ DMI_MATCH(DMI_BOARD_NAME, "PF5LUXG"), |
565 |
+ }, |
566 |
+ }, |
567 |
+- |
568 |
+ /* |
569 |
+ * Desktops which falsely report a backlight and which our heuristics |
570 |
+ * for this do not catch. |
571 |
+diff --git a/drivers/bluetooth/btbcm.c b/drivers/bluetooth/btbcm.c |
572 |
+index 1b9743b7f2ef9..d263eac784daa 100644 |
573 |
+--- a/drivers/bluetooth/btbcm.c |
574 |
++++ b/drivers/bluetooth/btbcm.c |
575 |
+@@ -401,6 +401,8 @@ static const struct bcm_subver_table bcm_uart_subver_table[] = { |
576 |
+ { 0x6606, "BCM4345C5" }, /* 003.006.006 */ |
577 |
+ { 0x230f, "BCM4356A2" }, /* 001.003.015 */ |
578 |
+ { 0x220e, "BCM20702A1" }, /* 001.002.014 */ |
579 |
++ { 0x420d, "BCM4349B1" }, /* 002.002.013 */ |
580 |
++ { 0x420e, "BCM4349B1" }, /* 002.002.014 */ |
581 |
+ { 0x4217, "BCM4329B1" }, /* 002.002.023 */ |
582 |
+ { 0x6106, "BCM4359C0" }, /* 003.001.006 */ |
583 |
+ { 0x4106, "BCM4335A0" }, /* 002.001.006 */ |
584 |
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c |
585 |
+index 538232b4c42ac..a699e6166aefe 100644 |
586 |
+--- a/drivers/bluetooth/btusb.c |
587 |
++++ b/drivers/bluetooth/btusb.c |
588 |
+@@ -399,6 +399,18 @@ static const struct usb_device_id blacklist_table[] = { |
589 |
+ { USB_DEVICE(0x0bda, 0xc822), .driver_info = BTUSB_REALTEK | |
590 |
+ BTUSB_WIDEBAND_SPEECH }, |
591 |
+ |
592 |
++ /* Realtek 8852CE Bluetooth devices */ |
593 |
++ { USB_DEVICE(0x04ca, 0x4007), .driver_info = BTUSB_REALTEK | |
594 |
++ BTUSB_WIDEBAND_SPEECH }, |
595 |
++ { USB_DEVICE(0x04c5, 0x1675), .driver_info = BTUSB_REALTEK | |
596 |
++ BTUSB_WIDEBAND_SPEECH }, |
597 |
++ { USB_DEVICE(0x0cb8, 0xc558), .driver_info = BTUSB_REALTEK | |
598 |
++ BTUSB_WIDEBAND_SPEECH }, |
599 |
++ { USB_DEVICE(0x13d3, 0x3587), .driver_info = BTUSB_REALTEK | |
600 |
++ BTUSB_WIDEBAND_SPEECH }, |
601 |
++ { USB_DEVICE(0x13d3, 0x3586), .driver_info = BTUSB_REALTEK | |
602 |
++ BTUSB_WIDEBAND_SPEECH }, |
603 |
++ |
604 |
+ /* Realtek Bluetooth devices */ |
605 |
+ { USB_VENDOR_AND_INTERFACE_INFO(0x0bda, 0xe0, 0x01, 0x01), |
606 |
+ .driver_info = BTUSB_REALTEK }, |
607 |
+@@ -416,6 +428,9 @@ static const struct usb_device_id blacklist_table[] = { |
608 |
+ { USB_DEVICE(0x0489, 0xe0d9), .driver_info = BTUSB_MEDIATEK | |
609 |
+ BTUSB_WIDEBAND_SPEECH | |
610 |
+ BTUSB_VALID_LE_STATES }, |
611 |
++ { USB_DEVICE(0x13d3, 0x3568), .driver_info = BTUSB_MEDIATEK | |
612 |
++ BTUSB_WIDEBAND_SPEECH | |
613 |
++ BTUSB_VALID_LE_STATES }, |
614 |
+ |
615 |
+ /* Additional Realtek 8723AE Bluetooth devices */ |
616 |
+ { USB_DEVICE(0x0930, 0x021d), .driver_info = BTUSB_REALTEK }, |
617 |
+diff --git a/drivers/bluetooth/hci_bcm.c b/drivers/bluetooth/hci_bcm.c |
618 |
+index 259a643377c24..3f6e96a4e1147 100644 |
619 |
+--- a/drivers/bluetooth/hci_bcm.c |
620 |
++++ b/drivers/bluetooth/hci_bcm.c |
621 |
+@@ -1489,8 +1489,10 @@ static const struct of_device_id bcm_bluetooth_of_match[] = { |
622 |
+ { .compatible = "brcm,bcm4345c5" }, |
623 |
+ { .compatible = "brcm,bcm4330-bt" }, |
624 |
+ { .compatible = "brcm,bcm43438-bt", .data = &bcm43438_device_data }, |
625 |
++ { .compatible = "brcm,bcm4349-bt", .data = &bcm43438_device_data }, |
626 |
+ { .compatible = "brcm,bcm43540-bt", .data = &bcm4354_device_data }, |
627 |
+ { .compatible = "brcm,bcm4335a0" }, |
628 |
++ { .compatible = "infineon,cyw55572-bt" }, |
629 |
+ { }, |
630 |
+ }; |
631 |
+ MODULE_DEVICE_TABLE(of, bcm_bluetooth_of_match); |
632 |
+diff --git a/drivers/macintosh/adb.c b/drivers/macintosh/adb.c |
633 |
+index 73b3961890397..afb0942ccc293 100644 |
634 |
+--- a/drivers/macintosh/adb.c |
635 |
++++ b/drivers/macintosh/adb.c |
636 |
+@@ -647,7 +647,7 @@ do_adb_query(struct adb_request *req) |
637 |
+ |
638 |
+ switch(req->data[1]) { |
639 |
+ case ADB_QUERY_GETDEVINFO: |
640 |
+- if (req->nbytes < 3) |
641 |
++ if (req->nbytes < 3 || req->data[2] >= 16) |
642 |
+ break; |
643 |
+ mutex_lock(&adb_handler_mutex); |
644 |
+ req->reply[0] = adb_handler[req->data[2]].original_address; |
645 |
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c |
646 |
+index be9ff6a74ecce..a643b2f2f4de9 100644 |
647 |
+--- a/drivers/net/tun.c |
648 |
++++ b/drivers/net/tun.c |
649 |
+@@ -220,6 +220,9 @@ struct tun_struct { |
650 |
+ struct tun_prog __rcu *steering_prog; |
651 |
+ struct tun_prog __rcu *filter_prog; |
652 |
+ struct ethtool_link_ksettings link_ksettings; |
653 |
++ /* init args */ |
654 |
++ struct file *file; |
655 |
++ struct ifreq *ifr; |
656 |
+ }; |
657 |
+ |
658 |
+ struct veth { |
659 |
+@@ -227,6 +230,9 @@ struct veth { |
660 |
+ __be16 h_vlan_TCI; |
661 |
+ }; |
662 |
+ |
663 |
++static void tun_flow_init(struct tun_struct *tun); |
664 |
++static void tun_flow_uninit(struct tun_struct *tun); |
665 |
++ |
666 |
+ static int tun_napi_receive(struct napi_struct *napi, int budget) |
667 |
+ { |
668 |
+ struct tun_file *tfile = container_of(napi, struct tun_file, napi); |
669 |
+@@ -975,6 +981,49 @@ static int check_filter(struct tap_filter *filter, const struct sk_buff *skb) |
670 |
+ |
671 |
+ static const struct ethtool_ops tun_ethtool_ops; |
672 |
+ |
673 |
++static int tun_net_init(struct net_device *dev) |
674 |
++{ |
675 |
++ struct tun_struct *tun = netdev_priv(dev); |
676 |
++ struct ifreq *ifr = tun->ifr; |
677 |
++ int err; |
678 |
++ |
679 |
++ tun->pcpu_stats = netdev_alloc_pcpu_stats(struct tun_pcpu_stats); |
680 |
++ if (!tun->pcpu_stats) |
681 |
++ return -ENOMEM; |
682 |
++ |
683 |
++ spin_lock_init(&tun->lock); |
684 |
++ |
685 |
++ err = security_tun_dev_alloc_security(&tun->security); |
686 |
++ if (err < 0) { |
687 |
++ free_percpu(tun->pcpu_stats); |
688 |
++ return err; |
689 |
++ } |
690 |
++ |
691 |
++ tun_flow_init(tun); |
692 |
++ |
693 |
++ dev->hw_features = NETIF_F_SG | NETIF_F_FRAGLIST | |
694 |
++ TUN_USER_FEATURES | NETIF_F_HW_VLAN_CTAG_TX | |
695 |
++ NETIF_F_HW_VLAN_STAG_TX; |
696 |
++ dev->features = dev->hw_features | NETIF_F_LLTX; |
697 |
++ dev->vlan_features = dev->features & |
698 |
++ ~(NETIF_F_HW_VLAN_CTAG_TX | |
699 |
++ NETIF_F_HW_VLAN_STAG_TX); |
700 |
++ |
701 |
++ tun->flags = (tun->flags & ~TUN_FEATURES) | |
702 |
++ (ifr->ifr_flags & TUN_FEATURES); |
703 |
++ |
704 |
++ INIT_LIST_HEAD(&tun->disabled); |
705 |
++ err = tun_attach(tun, tun->file, false, ifr->ifr_flags & IFF_NAPI, |
706 |
++ ifr->ifr_flags & IFF_NAPI_FRAGS, false); |
707 |
++ if (err < 0) { |
708 |
++ tun_flow_uninit(tun); |
709 |
++ security_tun_dev_free_security(tun->security); |
710 |
++ free_percpu(tun->pcpu_stats); |
711 |
++ return err; |
712 |
++ } |
713 |
++ return 0; |
714 |
++} |
715 |
++ |
716 |
+ /* Net device detach from fd. */ |
717 |
+ static void tun_net_uninit(struct net_device *dev) |
718 |
+ { |
719 |
+@@ -1216,6 +1265,7 @@ static int tun_net_change_carrier(struct net_device *dev, bool new_carrier) |
720 |
+ } |
721 |
+ |
722 |
+ static const struct net_device_ops tun_netdev_ops = { |
723 |
++ .ndo_init = tun_net_init, |
724 |
+ .ndo_uninit = tun_net_uninit, |
725 |
+ .ndo_open = tun_net_open, |
726 |
+ .ndo_stop = tun_net_close, |
727 |
+@@ -1296,6 +1346,7 @@ static int tun_xdp_tx(struct net_device *dev, struct xdp_buff *xdp) |
728 |
+ } |
729 |
+ |
730 |
+ static const struct net_device_ops tap_netdev_ops = { |
731 |
++ .ndo_init = tun_net_init, |
732 |
+ .ndo_uninit = tun_net_uninit, |
733 |
+ .ndo_open = tun_net_open, |
734 |
+ .ndo_stop = tun_net_close, |
735 |
+@@ -1336,7 +1387,7 @@ static void tun_flow_uninit(struct tun_struct *tun) |
736 |
+ #define MAX_MTU 65535 |
737 |
+ |
738 |
+ /* Initialize net device. */ |
739 |
+-static void tun_net_init(struct net_device *dev) |
740 |
++static void tun_net_initialize(struct net_device *dev) |
741 |
+ { |
742 |
+ struct tun_struct *tun = netdev_priv(dev); |
743 |
+ |
744 |
+@@ -2268,10 +2319,6 @@ static void tun_free_netdev(struct net_device *dev) |
745 |
+ BUG_ON(!(list_empty(&tun->disabled))); |
746 |
+ |
747 |
+ free_percpu(tun->pcpu_stats); |
748 |
+- /* We clear pcpu_stats so that tun_set_iff() can tell if |
749 |
+- * tun_free_netdev() has been called from register_netdevice(). |
750 |
+- */ |
751 |
+- tun->pcpu_stats = NULL; |
752 |
+ |
753 |
+ tun_flow_uninit(tun); |
754 |
+ security_tun_dev_free_security(tun->security); |
755 |
+@@ -2784,41 +2831,16 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) |
756 |
+ tun->rx_batched = 0; |
757 |
+ RCU_INIT_POINTER(tun->steering_prog, NULL); |
758 |
+ |
759 |
+- tun->pcpu_stats = netdev_alloc_pcpu_stats(struct tun_pcpu_stats); |
760 |
+- if (!tun->pcpu_stats) { |
761 |
+- err = -ENOMEM; |
762 |
+- goto err_free_dev; |
763 |
+- } |
764 |
++ tun->ifr = ifr; |
765 |
++ tun->file = file; |
766 |
+ |
767 |
+- spin_lock_init(&tun->lock); |
768 |
+- |
769 |
+- err = security_tun_dev_alloc_security(&tun->security); |
770 |
+- if (err < 0) |
771 |
+- goto err_free_stat; |
772 |
+- |
773 |
+- tun_net_init(dev); |
774 |
+- tun_flow_init(tun); |
775 |
+- |
776 |
+- dev->hw_features = NETIF_F_SG | NETIF_F_FRAGLIST | |
777 |
+- TUN_USER_FEATURES | NETIF_F_HW_VLAN_CTAG_TX | |
778 |
+- NETIF_F_HW_VLAN_STAG_TX; |
779 |
+- dev->features = dev->hw_features | NETIF_F_LLTX; |
780 |
+- dev->vlan_features = dev->features & |
781 |
+- ~(NETIF_F_HW_VLAN_CTAG_TX | |
782 |
+- NETIF_F_HW_VLAN_STAG_TX); |
783 |
+- |
784 |
+- tun->flags = (tun->flags & ~TUN_FEATURES) | |
785 |
+- (ifr->ifr_flags & TUN_FEATURES); |
786 |
+- |
787 |
+- INIT_LIST_HEAD(&tun->disabled); |
788 |
+- err = tun_attach(tun, file, false, ifr->ifr_flags & IFF_NAPI, |
789 |
+- ifr->ifr_flags & IFF_NAPI_FRAGS, false); |
790 |
+- if (err < 0) |
791 |
+- goto err_free_flow; |
792 |
++ tun_net_initialize(dev); |
793 |
+ |
794 |
+ err = register_netdevice(tun->dev); |
795 |
+- if (err < 0) |
796 |
+- goto err_detach; |
797 |
++ if (err < 0) { |
798 |
++ free_netdev(dev); |
799 |
++ return err; |
800 |
++ } |
801 |
+ /* free_netdev() won't check refcnt, to aovid race |
802 |
+ * with dev_put() we need publish tun after registration. |
803 |
+ */ |
804 |
+@@ -2835,24 +2857,6 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) |
805 |
+ |
806 |
+ strcpy(ifr->ifr_name, tun->dev->name); |
807 |
+ return 0; |
808 |
+- |
809 |
+-err_detach: |
810 |
+- tun_detach_all(dev); |
811 |
+- /* We are here because register_netdevice() has failed. |
812 |
+- * If register_netdevice() already called tun_free_netdev() |
813 |
+- * while dealing with the error, tun->pcpu_stats has been cleared. |
814 |
+- */ |
815 |
+- if (!tun->pcpu_stats) |
816 |
+- goto err_free_dev; |
817 |
+- |
818 |
+-err_free_flow: |
819 |
+- tun_flow_uninit(tun); |
820 |
+- security_tun_dev_free_security(tun->security); |
821 |
+-err_free_stat: |
822 |
+- free_percpu(tun->pcpu_stats); |
823 |
+-err_free_dev: |
824 |
+- free_netdev(dev); |
825 |
+- return err; |
826 |
+ } |
827 |
+ |
828 |
+ static void tun_get_iff(struct tun_struct *tun, struct ifreq *ifr) |
829 |
+diff --git a/drivers/net/wireless/ath/ath9k/htc.h b/drivers/net/wireless/ath/ath9k/htc.h |
830 |
+index 0a1634238e673..6b45e63fae4ba 100644 |
831 |
+--- a/drivers/net/wireless/ath/ath9k/htc.h |
832 |
++++ b/drivers/net/wireless/ath/ath9k/htc.h |
833 |
+@@ -281,6 +281,7 @@ struct ath9k_htc_rxbuf { |
834 |
+ struct ath9k_htc_rx { |
835 |
+ struct list_head rxbuf; |
836 |
+ spinlock_t rxbuflock; |
837 |
++ bool initialized; |
838 |
+ }; |
839 |
+ |
840 |
+ #define ATH9K_HTC_TX_CLEANUP_INTERVAL 50 /* ms */ |
841 |
+@@ -305,6 +306,7 @@ struct ath9k_htc_tx { |
842 |
+ DECLARE_BITMAP(tx_slot, MAX_TX_BUF_NUM); |
843 |
+ struct timer_list cleanup_timer; |
844 |
+ spinlock_t tx_lock; |
845 |
++ bool initialized; |
846 |
+ }; |
847 |
+ |
848 |
+ struct ath9k_htc_tx_ctl { |
849 |
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c |
850 |
+index 30ddf333e04dc..43a743ec9d9e0 100644 |
851 |
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c |
852 |
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c |
853 |
+@@ -808,6 +808,11 @@ int ath9k_tx_init(struct ath9k_htc_priv *priv) |
854 |
+ skb_queue_head_init(&priv->tx.data_vi_queue); |
855 |
+ skb_queue_head_init(&priv->tx.data_vo_queue); |
856 |
+ skb_queue_head_init(&priv->tx.tx_failed); |
857 |
++ |
858 |
++ /* Allow ath9k_wmi_event_tasklet(WMI_TXSTATUS_EVENTID) to operate. */ |
859 |
++ smp_wmb(); |
860 |
++ priv->tx.initialized = true; |
861 |
++ |
862 |
+ return 0; |
863 |
+ } |
864 |
+ |
865 |
+@@ -1133,6 +1138,10 @@ void ath9k_htc_rxep(void *drv_priv, struct sk_buff *skb, |
866 |
+ struct ath9k_htc_rxbuf *rxbuf = NULL, *tmp_buf = NULL; |
867 |
+ unsigned long flags; |
868 |
+ |
869 |
++ /* Check if ath9k_rx_init() completed. */ |
870 |
++ if (!data_race(priv->rx.initialized)) |
871 |
++ goto err; |
872 |
++ |
873 |
+ spin_lock_irqsave(&priv->rx.rxbuflock, flags); |
874 |
+ list_for_each_entry(tmp_buf, &priv->rx.rxbuf, list) { |
875 |
+ if (!tmp_buf->in_process) { |
876 |
+@@ -1188,6 +1197,10 @@ int ath9k_rx_init(struct ath9k_htc_priv *priv) |
877 |
+ list_add_tail(&rxbuf->list, &priv->rx.rxbuf); |
878 |
+ } |
879 |
+ |
880 |
++ /* Allow ath9k_htc_rxep() to operate. */ |
881 |
++ smp_wmb(); |
882 |
++ priv->rx.initialized = true; |
883 |
++ |
884 |
+ return 0; |
885 |
+ |
886 |
+ err: |
887 |
+diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c |
888 |
+index fe29ad4b9023c..f315c54bd3ac0 100644 |
889 |
+--- a/drivers/net/wireless/ath/ath9k/wmi.c |
890 |
++++ b/drivers/net/wireless/ath/ath9k/wmi.c |
891 |
+@@ -169,6 +169,10 @@ void ath9k_wmi_event_tasklet(struct tasklet_struct *t) |
892 |
+ &wmi->drv_priv->fatal_work); |
893 |
+ break; |
894 |
+ case WMI_TXSTATUS_EVENTID: |
895 |
++ /* Check if ath9k_tx_init() completed. */ |
896 |
++ if (!data_race(priv->tx.initialized)) |
897 |
++ break; |
898 |
++ |
899 |
+ spin_lock_bh(&priv->tx.tx_lock); |
900 |
+ if (priv->tx.flags & ATH9K_HTC_OP_TX_DRAIN) { |
901 |
+ spin_unlock_bh(&priv->tx.tx_lock); |
902 |
+diff --git a/tools/arch/x86/include/asm/cpufeatures.h b/tools/arch/x86/include/asm/cpufeatures.h |
903 |
+index 54ba20492ad11..ec53f52a06a58 100644 |
904 |
+--- a/tools/arch/x86/include/asm/cpufeatures.h |
905 |
++++ b/tools/arch/x86/include/asm/cpufeatures.h |
906 |
+@@ -296,6 +296,7 @@ |
907 |
+ #define X86_FEATURE_RETPOLINE_LFENCE (11*32+13) /* "" Use LFENCE for Spectre variant 2 */ |
908 |
+ #define X86_FEATURE_RETHUNK (11*32+14) /* "" Use REturn THUNK */ |
909 |
+ #define X86_FEATURE_UNRET (11*32+15) /* "" AMD BTB untrain return */ |
910 |
++#define X86_FEATURE_RSB_VMEXIT_LITE (11*32+17) /* "" Fill RSB on VM-Exit when EIBRS is enabled */ |
911 |
+ |
912 |
+ /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ |
913 |
+ #define X86_FEATURE_AVX512_BF16 (12*32+ 5) /* AVX512 BFLOAT16 instructions */ |
914 |
+diff --git a/tools/arch/x86/include/asm/msr-index.h b/tools/arch/x86/include/asm/msr-index.h |
915 |
+index 407de670cd609..144dc164b7596 100644 |
916 |
+--- a/tools/arch/x86/include/asm/msr-index.h |
917 |
++++ b/tools/arch/x86/include/asm/msr-index.h |
918 |
+@@ -148,6 +148,10 @@ |
919 |
+ * are restricted to targets in |
920 |
+ * kernel. |
921 |
+ */ |
922 |
++#define ARCH_CAP_PBRSB_NO BIT(24) /* |
923 |
++ * Not susceptible to Post-Barrier |
924 |
++ * Return Stack Buffer Predictions. |
925 |
++ */ |
926 |
+ |
927 |
+ #define MSR_IA32_FLUSH_CMD 0x0000010b |
928 |
+ #define L1D_FLUSH BIT(0) /* |
929 |
+diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h |
930 |
+index b9ee2ded381ab..7943e748916d4 100644 |
931 |
+--- a/tools/include/uapi/linux/bpf.h |
932 |
++++ b/tools/include/uapi/linux/bpf.h |
933 |
+@@ -4180,7 +4180,8 @@ struct bpf_sock { |
934 |
+ __u32 src_ip4; |
935 |
+ __u32 src_ip6[4]; |
936 |
+ __u32 src_port; /* host byte order */ |
937 |
+- __u32 dst_port; /* network byte order */ |
938 |
++ __be16 dst_port; /* network byte order */ |
939 |
++ __u16 :16; /* zero padding */ |
940 |
+ __u32 dst_ip4; |
941 |
+ __u32 dst_ip6[4]; |
942 |
+ __u32 state; |
943 |
+diff --git a/tools/kvm/kvm_stat/kvm_stat b/tools/kvm/kvm_stat/kvm_stat |
944 |
+index b0bf56c5f1202..a1efcfbd8b9e6 100755 |
945 |
+--- a/tools/kvm/kvm_stat/kvm_stat |
946 |
++++ b/tools/kvm/kvm_stat/kvm_stat |
947 |
+@@ -1646,7 +1646,8 @@ Press any other key to refresh statistics immediately. |
948 |
+ .format(values)) |
949 |
+ if len(pids) > 1: |
950 |
+ sys.exit('Error: Multiple processes found (pids: {}). Use "-p"' |
951 |
+- ' to specify the desired pid'.format(" ".join(pids))) |
952 |
++ ' to specify the desired pid' |
953 |
++ .format(" ".join(map(str, pids)))) |
954 |
+ namespace.pid = pids[0] |
955 |
+ |
956 |
+ argparser = argparse.ArgumentParser(description=description_text, |
957 |
+diff --git a/tools/testing/selftests/bpf/prog_tests/sock_fields.c b/tools/testing/selftests/bpf/prog_tests/sock_fields.c |
958 |
+index af87118e748e5..e8b5bf707cd45 100644 |
959 |
+--- a/tools/testing/selftests/bpf/prog_tests/sock_fields.c |
960 |
++++ b/tools/testing/selftests/bpf/prog_tests/sock_fields.c |
961 |
+@@ -1,9 +1,11 @@ |
962 |
+ // SPDX-License-Identifier: GPL-2.0 |
963 |
+ /* Copyright (c) 2019 Facebook */ |
964 |
+ |
965 |
++#define _GNU_SOURCE |
966 |
+ #include <netinet/in.h> |
967 |
+ #include <arpa/inet.h> |
968 |
+ #include <unistd.h> |
969 |
++#include <sched.h> |
970 |
+ #include <stdlib.h> |
971 |
+ #include <string.h> |
972 |
+ #include <errno.h> |
973 |
+@@ -21,6 +23,7 @@ |
974 |
+ enum bpf_linum_array_idx { |
975 |
+ EGRESS_LINUM_IDX, |
976 |
+ INGRESS_LINUM_IDX, |
977 |
++ READ_SK_DST_PORT_LINUM_IDX, |
978 |
+ __NR_BPF_LINUM_ARRAY_IDX, |
979 |
+ }; |
980 |
+ |
981 |
+@@ -43,8 +46,16 @@ static __u64 child_cg_id; |
982 |
+ static int linum_map_fd; |
983 |
+ static __u32 duration; |
984 |
+ |
985 |
+-static __u32 egress_linum_idx = EGRESS_LINUM_IDX; |
986 |
+-static __u32 ingress_linum_idx = INGRESS_LINUM_IDX; |
987 |
++static bool create_netns(void) |
988 |
++{ |
989 |
++ if (!ASSERT_OK(unshare(CLONE_NEWNET), "create netns")) |
990 |
++ return false; |
991 |
++ |
992 |
++ if (!ASSERT_OK(system("ip link set dev lo up"), "bring up lo")) |
993 |
++ return false; |
994 |
++ |
995 |
++ return true; |
996 |
++} |
997 |
+ |
998 |
+ static void print_sk(const struct bpf_sock *sk, const char *prefix) |
999 |
+ { |
1000 |
+@@ -92,19 +103,24 @@ static void check_result(void) |
1001 |
+ { |
1002 |
+ struct bpf_tcp_sock srv_tp, cli_tp, listen_tp; |
1003 |
+ struct bpf_sock srv_sk, cli_sk, listen_sk; |
1004 |
+- __u32 ingress_linum, egress_linum; |
1005 |
++ __u32 idx, ingress_linum, egress_linum, linum; |
1006 |
+ int err; |
1007 |
+ |
1008 |
+- err = bpf_map_lookup_elem(linum_map_fd, &egress_linum_idx, |
1009 |
+- &egress_linum); |
1010 |
++ idx = EGRESS_LINUM_IDX; |
1011 |
++ err = bpf_map_lookup_elem(linum_map_fd, &idx, &egress_linum); |
1012 |
+ CHECK(err == -1, "bpf_map_lookup_elem(linum_map_fd)", |
1013 |
+ "err:%d errno:%d\n", err, errno); |
1014 |
+ |
1015 |
+- err = bpf_map_lookup_elem(linum_map_fd, &ingress_linum_idx, |
1016 |
+- &ingress_linum); |
1017 |
++ idx = INGRESS_LINUM_IDX; |
1018 |
++ err = bpf_map_lookup_elem(linum_map_fd, &idx, &ingress_linum); |
1019 |
+ CHECK(err == -1, "bpf_map_lookup_elem(linum_map_fd)", |
1020 |
+ "err:%d errno:%d\n", err, errno); |
1021 |
+ |
1022 |
++ idx = READ_SK_DST_PORT_LINUM_IDX; |
1023 |
++ err = bpf_map_lookup_elem(linum_map_fd, &idx, &linum); |
1024 |
++ ASSERT_OK(err, "bpf_map_lookup_elem(linum_map_fd, READ_SK_DST_PORT_IDX)"); |
1025 |
++ ASSERT_EQ(linum, 0, "failure in read_sk_dst_port on line"); |
1026 |
++ |
1027 |
+ memcpy(&srv_sk, &skel->bss->srv_sk, sizeof(srv_sk)); |
1028 |
+ memcpy(&srv_tp, &skel->bss->srv_tp, sizeof(srv_tp)); |
1029 |
+ memcpy(&cli_sk, &skel->bss->cli_sk, sizeof(cli_sk)); |
1030 |
+@@ -263,7 +279,7 @@ static void test(void) |
1031 |
+ char buf[DATA_LEN]; |
1032 |
+ |
1033 |
+ /* Prepare listen_fd */ |
1034 |
+- listen_fd = start_server(AF_INET6, SOCK_STREAM, "::1", 0, 0); |
1035 |
++ listen_fd = start_server(AF_INET6, SOCK_STREAM, "::1", 0xcafe, 0); |
1036 |
+ /* start_server() has logged the error details */ |
1037 |
+ if (CHECK_FAIL(listen_fd == -1)) |
1038 |
+ goto done; |
1039 |
+@@ -331,8 +347,12 @@ done: |
1040 |
+ |
1041 |
+ void test_sock_fields(void) |
1042 |
+ { |
1043 |
+- struct bpf_link *egress_link = NULL, *ingress_link = NULL; |
1044 |
+ int parent_cg_fd = -1, child_cg_fd = -1; |
1045 |
++ struct bpf_link *link; |
1046 |
++ |
1047 |
++ /* Use a dedicated netns to have a fixed listen port */ |
1048 |
++ if (!create_netns()) |
1049 |
++ return; |
1050 |
+ |
1051 |
+ /* Create a cgroup, get fd, and join it */ |
1052 |
+ parent_cg_fd = test__join_cgroup(PARENT_CGROUP); |
1053 |
+@@ -353,17 +373,20 @@ void test_sock_fields(void) |
1054 |
+ if (CHECK(!skel, "test_sock_fields__open_and_load", "failed\n")) |
1055 |
+ goto done; |
1056 |
+ |
1057 |
+- egress_link = bpf_program__attach_cgroup(skel->progs.egress_read_sock_fields, |
1058 |
+- child_cg_fd); |
1059 |
+- if (CHECK(IS_ERR(egress_link), "attach_cgroup(egress)", "err:%ld\n", |
1060 |
+- PTR_ERR(egress_link))) |
1061 |
++ link = bpf_program__attach_cgroup(skel->progs.egress_read_sock_fields, child_cg_fd); |
1062 |
++ if (!ASSERT_OK_PTR(link, "attach_cgroup(egress_read_sock_fields)")) |
1063 |
++ goto done; |
1064 |
++ skel->links.egress_read_sock_fields = link; |
1065 |
++ |
1066 |
++ link = bpf_program__attach_cgroup(skel->progs.ingress_read_sock_fields, child_cg_fd); |
1067 |
++ if (!ASSERT_OK_PTR(link, "attach_cgroup(ingress_read_sock_fields)")) |
1068 |
+ goto done; |
1069 |
++ skel->links.ingress_read_sock_fields = link; |
1070 |
+ |
1071 |
+- ingress_link = bpf_program__attach_cgroup(skel->progs.ingress_read_sock_fields, |
1072 |
+- child_cg_fd); |
1073 |
+- if (CHECK(IS_ERR(ingress_link), "attach_cgroup(ingress)", "err:%ld\n", |
1074 |
+- PTR_ERR(ingress_link))) |
1075 |
++ link = bpf_program__attach_cgroup(skel->progs.read_sk_dst_port, child_cg_fd); |
1076 |
++ if (!ASSERT_OK_PTR(link, "attach_cgroup(read_sk_dst_port")) |
1077 |
+ goto done; |
1078 |
++ skel->links.read_sk_dst_port = link; |
1079 |
+ |
1080 |
+ linum_map_fd = bpf_map__fd(skel->maps.linum_map); |
1081 |
+ sk_pkt_out_cnt_fd = bpf_map__fd(skel->maps.sk_pkt_out_cnt); |
1082 |
+@@ -372,8 +395,7 @@ void test_sock_fields(void) |
1083 |
+ test(); |
1084 |
+ |
1085 |
+ done: |
1086 |
+- bpf_link__destroy(egress_link); |
1087 |
+- bpf_link__destroy(ingress_link); |
1088 |
++ test_sock_fields__detach(skel); |
1089 |
+ test_sock_fields__destroy(skel); |
1090 |
+ if (child_cg_fd != -1) |
1091 |
+ close(child_cg_fd); |
1092 |
+diff --git a/tools/testing/selftests/bpf/progs/test_sock_fields.c b/tools/testing/selftests/bpf/progs/test_sock_fields.c |
1093 |
+index 7967348b11af6..43b31aa1fcf72 100644 |
1094 |
+--- a/tools/testing/selftests/bpf/progs/test_sock_fields.c |
1095 |
++++ b/tools/testing/selftests/bpf/progs/test_sock_fields.c |
1096 |
+@@ -12,6 +12,7 @@ |
1097 |
+ enum bpf_linum_array_idx { |
1098 |
+ EGRESS_LINUM_IDX, |
1099 |
+ INGRESS_LINUM_IDX, |
1100 |
++ READ_SK_DST_PORT_LINUM_IDX, |
1101 |
+ __NR_BPF_LINUM_ARRAY_IDX, |
1102 |
+ }; |
1103 |
+ |
1104 |
+@@ -250,4 +251,48 @@ int ingress_read_sock_fields(struct __sk_buff *skb) |
1105 |
+ return CG_OK; |
1106 |
+ } |
1107 |
+ |
1108 |
++static __noinline bool sk_dst_port__load_word(struct bpf_sock *sk) |
1109 |
++{ |
1110 |
++ __u32 *word = (__u32 *)&sk->dst_port; |
1111 |
++ return word[0] == bpf_htonl(0xcafe0000); |
1112 |
++} |
1113 |
++ |
1114 |
++static __noinline bool sk_dst_port__load_half(struct bpf_sock *sk) |
1115 |
++{ |
1116 |
++ __u16 *half = (__u16 *)&sk->dst_port; |
1117 |
++ return half[0] == bpf_htons(0xcafe); |
1118 |
++} |
1119 |
++ |
1120 |
++static __noinline bool sk_dst_port__load_byte(struct bpf_sock *sk) |
1121 |
++{ |
1122 |
++ __u8 *byte = (__u8 *)&sk->dst_port; |
1123 |
++ return byte[0] == 0xca && byte[1] == 0xfe; |
1124 |
++} |
1125 |
++ |
1126 |
++SEC("cgroup_skb/egress") |
1127 |
++int read_sk_dst_port(struct __sk_buff *skb) |
1128 |
++{ |
1129 |
++ __u32 linum, linum_idx; |
1130 |
++ struct bpf_sock *sk; |
1131 |
++ |
1132 |
++ linum_idx = READ_SK_DST_PORT_LINUM_IDX; |
1133 |
++ |
1134 |
++ sk = skb->sk; |
1135 |
++ if (!sk) |
1136 |
++ RET_LOG(); |
1137 |
++ |
1138 |
++ /* Ignore everything but the SYN from the client socket */ |
1139 |
++ if (sk->state != BPF_TCP_SYN_SENT) |
1140 |
++ return CG_OK; |
1141 |
++ |
1142 |
++ if (!sk_dst_port__load_word(sk)) |
1143 |
++ RET_LOG(); |
1144 |
++ if (!sk_dst_port__load_half(sk)) |
1145 |
++ RET_LOG(); |
1146 |
++ if (!sk_dst_port__load_byte(sk)) |
1147 |
++ RET_LOG(); |
1148 |
++ |
1149 |
++ return CG_OK; |
1150 |
++} |
1151 |
++ |
1152 |
+ char _license[] SEC("license") = "GPL"; |
1153 |
+diff --git a/tools/testing/selftests/bpf/verifier/sock.c b/tools/testing/selftests/bpf/verifier/sock.c |
1154 |
+index ce13ece08d51c..8c224eac93df7 100644 |
1155 |
+--- a/tools/testing/selftests/bpf/verifier/sock.c |
1156 |
++++ b/tools/testing/selftests/bpf/verifier/sock.c |
1157 |
+@@ -121,7 +121,25 @@ |
1158 |
+ .result = ACCEPT, |
1159 |
+ }, |
1160 |
+ { |
1161 |
+- "sk_fullsock(skb->sk): sk->dst_port [narrow load]", |
1162 |
++ "sk_fullsock(skb->sk): sk->dst_port [word load] (backward compatibility)", |
1163 |
++ .insns = { |
1164 |
++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), |
1165 |
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), |
1166 |
++ BPF_MOV64_IMM(BPF_REG_0, 0), |
1167 |
++ BPF_EXIT_INSN(), |
1168 |
++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), |
1169 |
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), |
1170 |
++ BPF_MOV64_IMM(BPF_REG_0, 0), |
1171 |
++ BPF_EXIT_INSN(), |
1172 |
++ BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port)), |
1173 |
++ BPF_MOV64_IMM(BPF_REG_0, 0), |
1174 |
++ BPF_EXIT_INSN(), |
1175 |
++ }, |
1176 |
++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB, |
1177 |
++ .result = ACCEPT, |
1178 |
++}, |
1179 |
++{ |
1180 |
++ "sk_fullsock(skb->sk): sk->dst_port [half load]", |
1181 |
+ .insns = { |
1182 |
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), |
1183 |
+ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), |
1184 |
+@@ -139,7 +157,64 @@ |
1185 |
+ .result = ACCEPT, |
1186 |
+ }, |
1187 |
+ { |
1188 |
+- "sk_fullsock(skb->sk): sk->dst_port [load 2nd byte]", |
1189 |
++ "sk_fullsock(skb->sk): sk->dst_port [half load] (invalid)", |
1190 |
++ .insns = { |
1191 |
++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), |
1192 |
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), |
1193 |
++ BPF_MOV64_IMM(BPF_REG_0, 0), |
1194 |
++ BPF_EXIT_INSN(), |
1195 |
++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), |
1196 |
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), |
1197 |
++ BPF_MOV64_IMM(BPF_REG_0, 0), |
1198 |
++ BPF_EXIT_INSN(), |
1199 |
++ BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 2), |
1200 |
++ BPF_MOV64_IMM(BPF_REG_0, 0), |
1201 |
++ BPF_EXIT_INSN(), |
1202 |
++ }, |
1203 |
++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB, |
1204 |
++ .result = REJECT, |
1205 |
++ .errstr = "invalid sock access", |
1206 |
++}, |
1207 |
++{ |
1208 |
++ "sk_fullsock(skb->sk): sk->dst_port [byte load]", |
1209 |
++ .insns = { |
1210 |
++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), |
1211 |
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), |
1212 |
++ BPF_MOV64_IMM(BPF_REG_0, 0), |
1213 |
++ BPF_EXIT_INSN(), |
1214 |
++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), |
1215 |
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), |
1216 |
++ BPF_MOV64_IMM(BPF_REG_0, 0), |
1217 |
++ BPF_EXIT_INSN(), |
1218 |
++ BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, dst_port)), |
1219 |
++ BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 1), |
1220 |
++ BPF_MOV64_IMM(BPF_REG_0, 0), |
1221 |
++ BPF_EXIT_INSN(), |
1222 |
++ }, |
1223 |
++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB, |
1224 |
++ .result = ACCEPT, |
1225 |
++}, |
1226 |
++{ |
1227 |
++ "sk_fullsock(skb->sk): sk->dst_port [byte load] (invalid)", |
1228 |
++ .insns = { |
1229 |
++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), |
1230 |
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), |
1231 |
++ BPF_MOV64_IMM(BPF_REG_0, 0), |
1232 |
++ BPF_EXIT_INSN(), |
1233 |
++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), |
1234 |
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), |
1235 |
++ BPF_MOV64_IMM(BPF_REG_0, 0), |
1236 |
++ BPF_EXIT_INSN(), |
1237 |
++ BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 2), |
1238 |
++ BPF_MOV64_IMM(BPF_REG_0, 0), |
1239 |
++ BPF_EXIT_INSN(), |
1240 |
++ }, |
1241 |
++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB, |
1242 |
++ .result = REJECT, |
1243 |
++ .errstr = "invalid sock access", |
1244 |
++}, |
1245 |
++{ |
1246 |
++ "sk_fullsock(skb->sk): past sk->dst_port [half load] (invalid)", |
1247 |
+ .insns = { |
1248 |
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), |
1249 |
+ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), |
1250 |
+@@ -149,7 +224,7 @@ |
1251 |
+ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), |
1252 |
+ BPF_MOV64_IMM(BPF_REG_0, 0), |
1253 |
+ BPF_EXIT_INSN(), |
1254 |
+- BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 1), |
1255 |
++ BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetofend(struct bpf_sock, dst_port)), |
1256 |
+ BPF_MOV64_IMM(BPF_REG_0, 0), |
1257 |
+ BPF_EXIT_INSN(), |
1258 |
+ }, |
1259 |
+diff --git a/tools/testing/selftests/kvm/lib/aarch64/ucall.c b/tools/testing/selftests/kvm/lib/aarch64/ucall.c |
1260 |
+index 2f37b90ee1a94..f600311fdc6ae 100644 |
1261 |
+--- a/tools/testing/selftests/kvm/lib/aarch64/ucall.c |
1262 |
++++ b/tools/testing/selftests/kvm/lib/aarch64/ucall.c |
1263 |
+@@ -73,20 +73,19 @@ void ucall_uninit(struct kvm_vm *vm) |
1264 |
+ |
1265 |
+ void ucall(uint64_t cmd, int nargs, ...) |
1266 |
+ { |
1267 |
+- struct ucall uc = { |
1268 |
+- .cmd = cmd, |
1269 |
+- }; |
1270 |
++ struct ucall uc = {}; |
1271 |
+ va_list va; |
1272 |
+ int i; |
1273 |
+ |
1274 |
++ WRITE_ONCE(uc.cmd, cmd); |
1275 |
+ nargs = nargs <= UCALL_MAX_ARGS ? nargs : UCALL_MAX_ARGS; |
1276 |
+ |
1277 |
+ va_start(va, nargs); |
1278 |
+ for (i = 0; i < nargs; ++i) |
1279 |
+- uc.args[i] = va_arg(va, uint64_t); |
1280 |
++ WRITE_ONCE(uc.args[i], va_arg(va, uint64_t)); |
1281 |
+ va_end(va); |
1282 |
+ |
1283 |
+- *ucall_exit_mmio_addr = (vm_vaddr_t)&uc; |
1284 |
++ WRITE_ONCE(*ucall_exit_mmio_addr, (vm_vaddr_t)&uc); |
1285 |
+ } |
1286 |
+ |
1287 |
+ uint64_t get_ucall(struct kvm_vm *vm, uint32_t vcpu_id, struct ucall *uc) |