Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:5.10 commit in: /
Date: Thu, 11 Aug 2022 12:34:49
Message-Id: 1660221268.68fe36a61d8beb3a44014a32a3ca8c8d98f23a6a.mpagano@gentoo
1 commit: 68fe36a61d8beb3a44014a32a3ca8c8d98f23a6a
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Thu Aug 11 12:34:28 2022 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Thu Aug 11 12:34:28 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=68fe36a6
7
8 Linux patch 5.10.136
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1135_linux-5.10.136.patch | 1250 +++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 1254 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 19bd6321..f9d23a2c 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -583,6 +583,10 @@ Patch: 1134_linux-5.10.135.patch
21 From: http://www.kernel.org
22 Desc: Linux 5.10.135
23
24 +Patch: 1135_linux-5.10.136.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 5.10.136
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1135_linux-5.10.136.patch b/1135_linux-5.10.136.patch
33 new file mode 100644
34 index 00000000..f6266a42
35 --- /dev/null
36 +++ b/1135_linux-5.10.136.patch
37 @@ -0,0 +1,1250 @@
38 +diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst
39 +index 6bd97cd50d625..7e061ed449aaa 100644
40 +--- a/Documentation/admin-guide/hw-vuln/spectre.rst
41 ++++ b/Documentation/admin-guide/hw-vuln/spectre.rst
42 +@@ -422,6 +422,14 @@ The possible values in this file are:
43 + 'RSB filling' Protection of RSB on context switch enabled
44 + ============= ===========================================
45 +
46 ++ - EIBRS Post-barrier Return Stack Buffer (PBRSB) protection status:
47 ++
48 ++ =========================== =======================================================
49 ++ 'PBRSB-eIBRS: SW sequence' CPU is affected and protection of RSB on VMEXIT enabled
50 ++ 'PBRSB-eIBRS: Vulnerable' CPU is vulnerable
51 ++ 'PBRSB-eIBRS: Not affected' CPU is not affected by PBRSB
52 ++ =========================== =======================================================
53 ++
54 + Full mitigation might require a microcode update from the CPU
55 + vendor. When the necessary microcode is not available, the kernel will
56 + report vulnerability.
57 +diff --git a/Makefile b/Makefile
58 +index 5f4dbcb433075..1730698124c7b 100644
59 +--- a/Makefile
60 ++++ b/Makefile
61 +@@ -1,7 +1,7 @@
62 + # SPDX-License-Identifier: GPL-2.0
63 + VERSION = 5
64 + PATCHLEVEL = 10
65 +-SUBLEVEL = 135
66 ++SUBLEVEL = 136
67 + EXTRAVERSION =
68 + NAME = Dare mighty things
69 +
70 +diff --git a/arch/arm64/crypto/poly1305-glue.c b/arch/arm64/crypto/poly1305-glue.c
71 +index 01e22fe408235..9f4599014854d 100644
72 +--- a/arch/arm64/crypto/poly1305-glue.c
73 ++++ b/arch/arm64/crypto/poly1305-glue.c
74 +@@ -52,7 +52,7 @@ static void neon_poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src,
75 + {
76 + if (unlikely(!dctx->sset)) {
77 + if (!dctx->rset) {
78 +- poly1305_init_arch(dctx, src);
79 ++ poly1305_init_arm64(&dctx->h, src);
80 + src += POLY1305_BLOCK_SIZE;
81 + len -= POLY1305_BLOCK_SIZE;
82 + dctx->rset = 1;
83 +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
84 +index 16c045906b2ac..159646da3c6bc 100644
85 +--- a/arch/x86/Kconfig
86 ++++ b/arch/x86/Kconfig
87 +@@ -2447,7 +2447,7 @@ config RETPOLINE
88 + config RETHUNK
89 + bool "Enable return-thunks"
90 + depends on RETPOLINE && CC_HAS_RETURN_THUNK
91 +- default y
92 ++ default y if X86_64
93 + help
94 + Compile the kernel with the return-thunks compiler option to guard
95 + against kernel-to-user data leaks by avoiding return speculation.
96 +@@ -2456,21 +2456,21 @@ config RETHUNK
97 +
98 + config CPU_UNRET_ENTRY
99 + bool "Enable UNRET on kernel entry"
100 +- depends on CPU_SUP_AMD && RETHUNK
101 ++ depends on CPU_SUP_AMD && RETHUNK && X86_64
102 + default y
103 + help
104 + Compile the kernel with support for the retbleed=unret mitigation.
105 +
106 + config CPU_IBPB_ENTRY
107 + bool "Enable IBPB on kernel entry"
108 +- depends on CPU_SUP_AMD
109 ++ depends on CPU_SUP_AMD && X86_64
110 + default y
111 + help
112 + Compile the kernel with support for the retbleed=ibpb mitigation.
113 +
114 + config CPU_IBRS_ENTRY
115 + bool "Enable IBRS on kernel entry"
116 +- depends on CPU_SUP_INTEL
117 ++ depends on CPU_SUP_INTEL && X86_64
118 + default y
119 + help
120 + Compile the kernel with support for the spectre_v2=ibrs mitigation.
121 +diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
122 +index 2a51ee2f5a0f0..37ba0cdf99aa8 100644
123 +--- a/arch/x86/include/asm/cpufeatures.h
124 ++++ b/arch/x86/include/asm/cpufeatures.h
125 +@@ -299,6 +299,7 @@
126 + #define X86_FEATURE_RETHUNK (11*32+14) /* "" Use REturn THUNK */
127 + #define X86_FEATURE_UNRET (11*32+15) /* "" AMD BTB untrain return */
128 + #define X86_FEATURE_USE_IBPB_FW (11*32+16) /* "" Use IBPB during runtime firmware calls */
129 ++#define X86_FEATURE_RSB_VMEXIT_LITE (11*32+17) /* "" Fill RSB on VM exit when EIBRS is enabled */
130 +
131 + /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
132 + #define X86_FEATURE_AVX512_BF16 (12*32+ 5) /* AVX512 BFLOAT16 instructions */
133 +@@ -429,5 +430,6 @@
134 + #define X86_BUG_SRBDS X86_BUG(24) /* CPU may leak RNG bits if not mitigated */
135 + #define X86_BUG_MMIO_STALE_DATA X86_BUG(25) /* CPU is affected by Processor MMIO Stale Data vulnerabilities */
136 + #define X86_BUG_RETBLEED X86_BUG(26) /* CPU is affected by RETBleed */
137 ++#define X86_BUG_EIBRS_PBRSB X86_BUG(27) /* EIBRS is vulnerable to Post Barrier RSB Predictions */
138 +
139 + #endif /* _ASM_X86_CPUFEATURES_H */
140 +diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
141 +index 407de670cd609..144dc164b7596 100644
142 +--- a/arch/x86/include/asm/msr-index.h
143 ++++ b/arch/x86/include/asm/msr-index.h
144 +@@ -148,6 +148,10 @@
145 + * are restricted to targets in
146 + * kernel.
147 + */
148 ++#define ARCH_CAP_PBRSB_NO BIT(24) /*
149 ++ * Not susceptible to Post-Barrier
150 ++ * Return Stack Buffer Predictions.
151 ++ */
152 +
153 + #define MSR_IA32_FLUSH_CMD 0x0000010b
154 + #define L1D_FLUSH BIT(0) /*
155 +diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
156 +index c3e8e50633ea2..0acd99329923c 100644
157 +--- a/arch/x86/include/asm/nospec-branch.h
158 ++++ b/arch/x86/include/asm/nospec-branch.h
159 +@@ -60,7 +60,9 @@
160 + 774: \
161 + add $(BITS_PER_LONG/8) * 2, sp; \
162 + dec reg; \
163 +- jnz 771b;
164 ++ jnz 771b; \
165 ++ /* barrier for jnz misprediction */ \
166 ++ lfence;
167 +
168 + #ifdef __ASSEMBLY__
169 +
170 +@@ -118,13 +120,28 @@
171 + #endif
172 + .endm
173 +
174 ++.macro ISSUE_UNBALANCED_RET_GUARD
175 ++ ANNOTATE_INTRA_FUNCTION_CALL
176 ++ call .Lunbalanced_ret_guard_\@
177 ++ int3
178 ++.Lunbalanced_ret_guard_\@:
179 ++ add $(BITS_PER_LONG/8), %_ASM_SP
180 ++ lfence
181 ++.endm
182 ++
183 + /*
184 + * A simpler FILL_RETURN_BUFFER macro. Don't make people use the CPP
185 + * monstrosity above, manually.
186 + */
187 +-.macro FILL_RETURN_BUFFER reg:req nr:req ftr:req
188 ++.macro FILL_RETURN_BUFFER reg:req nr:req ftr:req ftr2
189 ++.ifb \ftr2
190 + ALTERNATIVE "jmp .Lskip_rsb_\@", "", \ftr
191 ++.else
192 ++ ALTERNATIVE_2 "jmp .Lskip_rsb_\@", "", \ftr, "jmp .Lunbalanced_\@", \ftr2
193 ++.endif
194 + __FILL_RETURN_BUFFER(\reg,\nr,%_ASM_SP)
195 ++.Lunbalanced_\@:
196 ++ ISSUE_UNBALANCED_RET_GUARD
197 + .Lskip_rsb_\@:
198 + .endm
199 +
200 +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
201 +index 2e5762faf7740..859a3f59526c7 100644
202 +--- a/arch/x86/kernel/cpu/bugs.c
203 ++++ b/arch/x86/kernel/cpu/bugs.c
204 +@@ -1291,6 +1291,53 @@ static void __init spec_ctrl_disable_kernel_rrsba(void)
205 + }
206 + }
207 +
208 ++static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_mitigation mode)
209 ++{
210 ++ /*
211 ++ * Similar to context switches, there are two types of RSB attacks
212 ++ * after VM exit:
213 ++ *
214 ++ * 1) RSB underflow
215 ++ *
216 ++ * 2) Poisoned RSB entry
217 ++ *
218 ++ * When retpoline is enabled, both are mitigated by filling/clearing
219 ++ * the RSB.
220 ++ *
221 ++ * When IBRS is enabled, while #1 would be mitigated by the IBRS branch
222 ++ * prediction isolation protections, RSB still needs to be cleared
223 ++ * because of #2. Note that SMEP provides no protection here, unlike
224 ++ * user-space-poisoned RSB entries.
225 ++ *
226 ++ * eIBRS should protect against RSB poisoning, but if the EIBRS_PBRSB
227 ++ * bug is present then a LITE version of RSB protection is required,
228 ++ * just a single call needs to retire before a RET is executed.
229 ++ */
230 ++ switch (mode) {
231 ++ case SPECTRE_V2_NONE:
232 ++ return;
233 ++
234 ++ case SPECTRE_V2_EIBRS_LFENCE:
235 ++ case SPECTRE_V2_EIBRS:
236 ++ if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
237 ++ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE);
238 ++ pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n");
239 ++ }
240 ++ return;
241 ++
242 ++ case SPECTRE_V2_EIBRS_RETPOLINE:
243 ++ case SPECTRE_V2_RETPOLINE:
244 ++ case SPECTRE_V2_LFENCE:
245 ++ case SPECTRE_V2_IBRS:
246 ++ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT);
247 ++ pr_info("Spectre v2 / SpectreRSB : Filling RSB on VMEXIT\n");
248 ++ return;
249 ++ }
250 ++
251 ++ pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation at VM exit");
252 ++ dump_stack();
253 ++}
254 ++
255 + static void __init spectre_v2_select_mitigation(void)
256 + {
257 + enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
258 +@@ -1441,28 +1488,7 @@ static void __init spectre_v2_select_mitigation(void)
259 + setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
260 + pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
261 +
262 +- /*
263 +- * Similar to context switches, there are two types of RSB attacks
264 +- * after vmexit:
265 +- *
266 +- * 1) RSB underflow
267 +- *
268 +- * 2) Poisoned RSB entry
269 +- *
270 +- * When retpoline is enabled, both are mitigated by filling/clearing
271 +- * the RSB.
272 +- *
273 +- * When IBRS is enabled, while #1 would be mitigated by the IBRS branch
274 +- * prediction isolation protections, RSB still needs to be cleared
275 +- * because of #2. Note that SMEP provides no protection here, unlike
276 +- * user-space-poisoned RSB entries.
277 +- *
278 +- * eIBRS, on the other hand, has RSB-poisoning protections, so it
279 +- * doesn't need RSB clearing after vmexit.
280 +- */
281 +- if (boot_cpu_has(X86_FEATURE_RETPOLINE) ||
282 +- boot_cpu_has(X86_FEATURE_KERNEL_IBRS))
283 +- setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT);
284 ++ spectre_v2_determine_rsb_fill_type_at_vmexit(mode);
285 +
286 + /*
287 + * Retpoline protects the kernel, but doesn't protect firmware. IBRS
288 +@@ -2215,6 +2241,19 @@ static char *ibpb_state(void)
289 + return "";
290 + }
291 +
292 ++static char *pbrsb_eibrs_state(void)
293 ++{
294 ++ if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
295 ++ if (boot_cpu_has(X86_FEATURE_RSB_VMEXIT_LITE) ||
296 ++ boot_cpu_has(X86_FEATURE_RSB_VMEXIT))
297 ++ return ", PBRSB-eIBRS: SW sequence";
298 ++ else
299 ++ return ", PBRSB-eIBRS: Vulnerable";
300 ++ } else {
301 ++ return ", PBRSB-eIBRS: Not affected";
302 ++ }
303 ++}
304 ++
305 + static ssize_t spectre_v2_show_state(char *buf)
306 + {
307 + if (spectre_v2_enabled == SPECTRE_V2_LFENCE)
308 +@@ -2227,12 +2266,13 @@ static ssize_t spectre_v2_show_state(char *buf)
309 + spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
310 + return sprintf(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n");
311 +
312 +- return sprintf(buf, "%s%s%s%s%s%s\n",
313 ++ return sprintf(buf, "%s%s%s%s%s%s%s\n",
314 + spectre_v2_strings[spectre_v2_enabled],
315 + ibpb_state(),
316 + boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
317 + stibp_state(),
318 + boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
319 ++ pbrsb_eibrs_state(),
320 + spectre_v2_module_string());
321 + }
322 +
323 +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
324 +index 901352bd3b426..9fc91482e85e3 100644
325 +--- a/arch/x86/kernel/cpu/common.c
326 ++++ b/arch/x86/kernel/cpu/common.c
327 +@@ -1024,6 +1024,7 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
328 + #define NO_SWAPGS BIT(6)
329 + #define NO_ITLB_MULTIHIT BIT(7)
330 + #define NO_SPECTRE_V2 BIT(8)
331 ++#define NO_EIBRS_PBRSB BIT(9)
332 +
333 + #define VULNWL(vendor, family, model, whitelist) \
334 + X86_MATCH_VENDOR_FAM_MODEL(vendor, family, model, whitelist)
335 +@@ -1064,7 +1065,7 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
336 +
337 + VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
338 + VULNWL_INTEL(ATOM_GOLDMONT_D, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
339 +- VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
340 ++ VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_EIBRS_PBRSB),
341 +
342 + /*
343 + * Technically, swapgs isn't serializing on AMD (despite it previously
344 +@@ -1074,7 +1075,9 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
345 + * good enough for our purposes.
346 + */
347 +
348 +- VULNWL_INTEL(ATOM_TREMONT_D, NO_ITLB_MULTIHIT),
349 ++ VULNWL_INTEL(ATOM_TREMONT, NO_EIBRS_PBRSB),
350 ++ VULNWL_INTEL(ATOM_TREMONT_L, NO_EIBRS_PBRSB),
351 ++ VULNWL_INTEL(ATOM_TREMONT_D, NO_ITLB_MULTIHIT | NO_EIBRS_PBRSB),
352 +
353 + /* AMD Family 0xf - 0x12 */
354 + VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
355 +@@ -1252,6 +1255,11 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
356 + setup_force_cpu_bug(X86_BUG_RETBLEED);
357 + }
358 +
359 ++ if (cpu_has(c, X86_FEATURE_IBRS_ENHANCED) &&
360 ++ !cpu_matches(cpu_vuln_whitelist, NO_EIBRS_PBRSB) &&
361 ++ !(ia32_cap & ARCH_CAP_PBRSB_NO))
362 ++ setup_force_cpu_bug(X86_BUG_EIBRS_PBRSB);
363 ++
364 + if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN))
365 + return;
366 +
367 +diff --git a/arch/x86/kvm/vmx/vmenter.S b/arch/x86/kvm/vmx/vmenter.S
368 +index 857fa0fc49faf..982138bebb70f 100644
369 +--- a/arch/x86/kvm/vmx/vmenter.S
370 ++++ b/arch/x86/kvm/vmx/vmenter.S
371 +@@ -197,11 +197,13 @@ SYM_INNER_LABEL(vmx_vmexit, SYM_L_GLOBAL)
372 + * entries and (in some cases) RSB underflow.
373 + *
374 + * eIBRS has its own protection against poisoned RSB, so it doesn't
375 +- * need the RSB filling sequence. But it does need to be enabled
376 +- * before the first unbalanced RET.
377 ++ * need the RSB filling sequence. But it does need to be enabled, and a
378 ++ * single call to retire, before the first unbalanced RET.
379 + */
380 +
381 +- FILL_RETURN_BUFFER %_ASM_CX, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_VMEXIT
382 ++ FILL_RETURN_BUFFER %_ASM_CX, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_VMEXIT,\
383 ++ X86_FEATURE_RSB_VMEXIT_LITE
384 ++
385 +
386 + pop %_ASM_ARG2 /* @flags */
387 + pop %_ASM_ARG1 /* @vmx */
388 +diff --git a/drivers/acpi/apei/bert.c b/drivers/acpi/apei/bert.c
389 +index 598fd19b65fa4..45973aa6e06d4 100644
390 +--- a/drivers/acpi/apei/bert.c
391 ++++ b/drivers/acpi/apei/bert.c
392 +@@ -29,16 +29,26 @@
393 +
394 + #undef pr_fmt
395 + #define pr_fmt(fmt) "BERT: " fmt
396 ++
397 ++#define ACPI_BERT_PRINT_MAX_RECORDS 5
398 + #define ACPI_BERT_PRINT_MAX_LEN 1024
399 +
400 + static int bert_disable;
401 +
402 ++/*
403 ++ * Print "all" the error records in the BERT table, but avoid huge spam to
404 ++ * the console if the BIOS included oversize records, or too many records.
405 ++ * Skipping some records here does not lose anything because the full
406 ++ * data is available to user tools in:
407 ++ * /sys/firmware/acpi/tables/data/BERT
408 ++ */
409 + static void __init bert_print_all(struct acpi_bert_region *region,
410 + unsigned int region_len)
411 + {
412 + struct acpi_hest_generic_status *estatus =
413 + (struct acpi_hest_generic_status *)region;
414 + int remain = region_len;
415 ++ int printed = 0, skipped = 0;
416 + u32 estatus_len;
417 +
418 + while (remain >= sizeof(struct acpi_bert_region)) {
419 +@@ -46,24 +56,26 @@ static void __init bert_print_all(struct acpi_bert_region *region,
420 + if (remain < estatus_len) {
421 + pr_err(FW_BUG "Truncated status block (length: %u).\n",
422 + estatus_len);
423 +- return;
424 ++ break;
425 + }
426 +
427 + /* No more error records. */
428 + if (!estatus->block_status)
429 +- return;
430 ++ break;
431 +
432 + if (cper_estatus_check(estatus)) {
433 + pr_err(FW_BUG "Invalid error record.\n");
434 +- return;
435 ++ break;
436 + }
437 +
438 +- pr_info_once("Error records from previous boot:\n");
439 +- if (region_len < ACPI_BERT_PRINT_MAX_LEN)
440 ++ if (estatus_len < ACPI_BERT_PRINT_MAX_LEN &&
441 ++ printed < ACPI_BERT_PRINT_MAX_RECORDS) {
442 ++ pr_info_once("Error records from previous boot:\n");
443 + cper_estatus_print(KERN_INFO HW_ERR, estatus);
444 +- else
445 +- pr_info_once("Max print length exceeded, table data is available at:\n"
446 +- "/sys/firmware/acpi/tables/data/BERT");
447 ++ printed++;
448 ++ } else {
449 ++ skipped++;
450 ++ }
451 +
452 + /*
453 + * Because the boot error source is "one-time polled" type,
454 +@@ -75,6 +87,9 @@ static void __init bert_print_all(struct acpi_bert_region *region,
455 + estatus = (void *)estatus + estatus_len;
456 + remain -= estatus_len;
457 + }
458 ++
459 ++ if (skipped)
460 ++ pr_info(HW_ERR "Skipped %d error records\n", skipped);
461 + }
462 +
463 + static int __init setup_bert_disable(char *str)
464 +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
465 +index 7b9793cb55c50..e39d59ad64964 100644
466 +--- a/drivers/acpi/video_detect.c
467 ++++ b/drivers/acpi/video_detect.c
468 +@@ -424,7 +424,6 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
469 + .callback = video_detect_force_native,
470 + .ident = "Clevo NL5xRU",
471 + .matches = {
472 +- DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
473 + DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"),
474 + },
475 + },
476 +@@ -432,59 +431,75 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
477 + .callback = video_detect_force_native,
478 + .ident = "Clevo NL5xRU",
479 + .matches = {
480 +- DMI_MATCH(DMI_SYS_VENDOR, "SchenkerTechnologiesGmbH"),
481 +- DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"),
482 ++ DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
483 ++ DMI_MATCH(DMI_BOARD_NAME, "AURA1501"),
484 + },
485 + },
486 + {
487 + .callback = video_detect_force_native,
488 + .ident = "Clevo NL5xRU",
489 + .matches = {
490 +- DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
491 +- DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"),
492 ++ DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
493 ++ DMI_MATCH(DMI_BOARD_NAME, "EDUBOOK1502"),
494 + },
495 + },
496 + {
497 + .callback = video_detect_force_native,
498 +- .ident = "Clevo NL5xRU",
499 ++ .ident = "Clevo NL5xNU",
500 + .matches = {
501 +- DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
502 +- DMI_MATCH(DMI_BOARD_NAME, "AURA1501"),
503 ++ DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"),
504 + },
505 + },
506 ++ /*
507 ++ * The TongFang PF5PU1G, PF4NU1F, PF5NU1G, and PF5LUXG/TUXEDO BA15 Gen10,
508 ++ * Pulse 14/15 Gen1, and Pulse 15 Gen2 have the same problem as the Clevo
509 ++ * NL5xRU and NL5xNU/TUXEDO Aura 15 Gen1 and Gen2. See the description
510 ++ * above.
511 ++ */
512 + {
513 + .callback = video_detect_force_native,
514 +- .ident = "Clevo NL5xRU",
515 ++ .ident = "TongFang PF5PU1G",
516 + .matches = {
517 +- DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
518 +- DMI_MATCH(DMI_BOARD_NAME, "EDUBOOK1502"),
519 ++ DMI_MATCH(DMI_BOARD_NAME, "PF5PU1G"),
520 + },
521 + },
522 + {
523 + .callback = video_detect_force_native,
524 +- .ident = "Clevo NL5xNU",
525 ++ .ident = "TongFang PF4NU1F",
526 ++ .matches = {
527 ++ DMI_MATCH(DMI_BOARD_NAME, "PF4NU1F"),
528 ++ },
529 ++ },
530 ++ {
531 ++ .callback = video_detect_force_native,
532 ++ .ident = "TongFang PF4NU1F",
533 + .matches = {
534 + DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
535 +- DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"),
536 ++ DMI_MATCH(DMI_BOARD_NAME, "PULSE1401"),
537 + },
538 + },
539 + {
540 + .callback = video_detect_force_native,
541 +- .ident = "Clevo NL5xNU",
542 ++ .ident = "TongFang PF5NU1G",
543 + .matches = {
544 +- DMI_MATCH(DMI_SYS_VENDOR, "SchenkerTechnologiesGmbH"),
545 +- DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"),
546 ++ DMI_MATCH(DMI_BOARD_NAME, "PF5NU1G"),
547 + },
548 + },
549 + {
550 + .callback = video_detect_force_native,
551 +- .ident = "Clevo NL5xNU",
552 ++ .ident = "TongFang PF5NU1G",
553 + .matches = {
554 +- DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
555 +- DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"),
556 ++ DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
557 ++ DMI_MATCH(DMI_BOARD_NAME, "PULSE1501"),
558 ++ },
559 ++ },
560 ++ {
561 ++ .callback = video_detect_force_native,
562 ++ .ident = "TongFang PF5LUXG",
563 ++ .matches = {
564 ++ DMI_MATCH(DMI_BOARD_NAME, "PF5LUXG"),
565 + },
566 + },
567 +-
568 + /*
569 + * Desktops which falsely report a backlight and which our heuristics
570 + * for this do not catch.
571 +diff --git a/drivers/bluetooth/btbcm.c b/drivers/bluetooth/btbcm.c
572 +index 1b9743b7f2ef9..d263eac784daa 100644
573 +--- a/drivers/bluetooth/btbcm.c
574 ++++ b/drivers/bluetooth/btbcm.c
575 +@@ -401,6 +401,8 @@ static const struct bcm_subver_table bcm_uart_subver_table[] = {
576 + { 0x6606, "BCM4345C5" }, /* 003.006.006 */
577 + { 0x230f, "BCM4356A2" }, /* 001.003.015 */
578 + { 0x220e, "BCM20702A1" }, /* 001.002.014 */
579 ++ { 0x420d, "BCM4349B1" }, /* 002.002.013 */
580 ++ { 0x420e, "BCM4349B1" }, /* 002.002.014 */
581 + { 0x4217, "BCM4329B1" }, /* 002.002.023 */
582 + { 0x6106, "BCM4359C0" }, /* 003.001.006 */
583 + { 0x4106, "BCM4335A0" }, /* 002.001.006 */
584 +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
585 +index 538232b4c42ac..a699e6166aefe 100644
586 +--- a/drivers/bluetooth/btusb.c
587 ++++ b/drivers/bluetooth/btusb.c
588 +@@ -399,6 +399,18 @@ static const struct usb_device_id blacklist_table[] = {
589 + { USB_DEVICE(0x0bda, 0xc822), .driver_info = BTUSB_REALTEK |
590 + BTUSB_WIDEBAND_SPEECH },
591 +
592 ++ /* Realtek 8852CE Bluetooth devices */
593 ++ { USB_DEVICE(0x04ca, 0x4007), .driver_info = BTUSB_REALTEK |
594 ++ BTUSB_WIDEBAND_SPEECH },
595 ++ { USB_DEVICE(0x04c5, 0x1675), .driver_info = BTUSB_REALTEK |
596 ++ BTUSB_WIDEBAND_SPEECH },
597 ++ { USB_DEVICE(0x0cb8, 0xc558), .driver_info = BTUSB_REALTEK |
598 ++ BTUSB_WIDEBAND_SPEECH },
599 ++ { USB_DEVICE(0x13d3, 0x3587), .driver_info = BTUSB_REALTEK |
600 ++ BTUSB_WIDEBAND_SPEECH },
601 ++ { USB_DEVICE(0x13d3, 0x3586), .driver_info = BTUSB_REALTEK |
602 ++ BTUSB_WIDEBAND_SPEECH },
603 ++
604 + /* Realtek Bluetooth devices */
605 + { USB_VENDOR_AND_INTERFACE_INFO(0x0bda, 0xe0, 0x01, 0x01),
606 + .driver_info = BTUSB_REALTEK },
607 +@@ -416,6 +428,9 @@ static const struct usb_device_id blacklist_table[] = {
608 + { USB_DEVICE(0x0489, 0xe0d9), .driver_info = BTUSB_MEDIATEK |
609 + BTUSB_WIDEBAND_SPEECH |
610 + BTUSB_VALID_LE_STATES },
611 ++ { USB_DEVICE(0x13d3, 0x3568), .driver_info = BTUSB_MEDIATEK |
612 ++ BTUSB_WIDEBAND_SPEECH |
613 ++ BTUSB_VALID_LE_STATES },
614 +
615 + /* Additional Realtek 8723AE Bluetooth devices */
616 + { USB_DEVICE(0x0930, 0x021d), .driver_info = BTUSB_REALTEK },
617 +diff --git a/drivers/bluetooth/hci_bcm.c b/drivers/bluetooth/hci_bcm.c
618 +index 259a643377c24..3f6e96a4e1147 100644
619 +--- a/drivers/bluetooth/hci_bcm.c
620 ++++ b/drivers/bluetooth/hci_bcm.c
621 +@@ -1489,8 +1489,10 @@ static const struct of_device_id bcm_bluetooth_of_match[] = {
622 + { .compatible = "brcm,bcm4345c5" },
623 + { .compatible = "brcm,bcm4330-bt" },
624 + { .compatible = "brcm,bcm43438-bt", .data = &bcm43438_device_data },
625 ++ { .compatible = "brcm,bcm4349-bt", .data = &bcm43438_device_data },
626 + { .compatible = "brcm,bcm43540-bt", .data = &bcm4354_device_data },
627 + { .compatible = "brcm,bcm4335a0" },
628 ++ { .compatible = "infineon,cyw55572-bt" },
629 + { },
630 + };
631 + MODULE_DEVICE_TABLE(of, bcm_bluetooth_of_match);
632 +diff --git a/drivers/macintosh/adb.c b/drivers/macintosh/adb.c
633 +index 73b3961890397..afb0942ccc293 100644
634 +--- a/drivers/macintosh/adb.c
635 ++++ b/drivers/macintosh/adb.c
636 +@@ -647,7 +647,7 @@ do_adb_query(struct adb_request *req)
637 +
638 + switch(req->data[1]) {
639 + case ADB_QUERY_GETDEVINFO:
640 +- if (req->nbytes < 3)
641 ++ if (req->nbytes < 3 || req->data[2] >= 16)
642 + break;
643 + mutex_lock(&adb_handler_mutex);
644 + req->reply[0] = adb_handler[req->data[2]].original_address;
645 +diff --git a/drivers/net/tun.c b/drivers/net/tun.c
646 +index be9ff6a74ecce..a643b2f2f4de9 100644
647 +--- a/drivers/net/tun.c
648 ++++ b/drivers/net/tun.c
649 +@@ -220,6 +220,9 @@ struct tun_struct {
650 + struct tun_prog __rcu *steering_prog;
651 + struct tun_prog __rcu *filter_prog;
652 + struct ethtool_link_ksettings link_ksettings;
653 ++ /* init args */
654 ++ struct file *file;
655 ++ struct ifreq *ifr;
656 + };
657 +
658 + struct veth {
659 +@@ -227,6 +230,9 @@ struct veth {
660 + __be16 h_vlan_TCI;
661 + };
662 +
663 ++static void tun_flow_init(struct tun_struct *tun);
664 ++static void tun_flow_uninit(struct tun_struct *tun);
665 ++
666 + static int tun_napi_receive(struct napi_struct *napi, int budget)
667 + {
668 + struct tun_file *tfile = container_of(napi, struct tun_file, napi);
669 +@@ -975,6 +981,49 @@ static int check_filter(struct tap_filter *filter, const struct sk_buff *skb)
670 +
671 + static const struct ethtool_ops tun_ethtool_ops;
672 +
673 ++static int tun_net_init(struct net_device *dev)
674 ++{
675 ++ struct tun_struct *tun = netdev_priv(dev);
676 ++ struct ifreq *ifr = tun->ifr;
677 ++ int err;
678 ++
679 ++ tun->pcpu_stats = netdev_alloc_pcpu_stats(struct tun_pcpu_stats);
680 ++ if (!tun->pcpu_stats)
681 ++ return -ENOMEM;
682 ++
683 ++ spin_lock_init(&tun->lock);
684 ++
685 ++ err = security_tun_dev_alloc_security(&tun->security);
686 ++ if (err < 0) {
687 ++ free_percpu(tun->pcpu_stats);
688 ++ return err;
689 ++ }
690 ++
691 ++ tun_flow_init(tun);
692 ++
693 ++ dev->hw_features = NETIF_F_SG | NETIF_F_FRAGLIST |
694 ++ TUN_USER_FEATURES | NETIF_F_HW_VLAN_CTAG_TX |
695 ++ NETIF_F_HW_VLAN_STAG_TX;
696 ++ dev->features = dev->hw_features | NETIF_F_LLTX;
697 ++ dev->vlan_features = dev->features &
698 ++ ~(NETIF_F_HW_VLAN_CTAG_TX |
699 ++ NETIF_F_HW_VLAN_STAG_TX);
700 ++
701 ++ tun->flags = (tun->flags & ~TUN_FEATURES) |
702 ++ (ifr->ifr_flags & TUN_FEATURES);
703 ++
704 ++ INIT_LIST_HEAD(&tun->disabled);
705 ++ err = tun_attach(tun, tun->file, false, ifr->ifr_flags & IFF_NAPI,
706 ++ ifr->ifr_flags & IFF_NAPI_FRAGS, false);
707 ++ if (err < 0) {
708 ++ tun_flow_uninit(tun);
709 ++ security_tun_dev_free_security(tun->security);
710 ++ free_percpu(tun->pcpu_stats);
711 ++ return err;
712 ++ }
713 ++ return 0;
714 ++}
715 ++
716 + /* Net device detach from fd. */
717 + static void tun_net_uninit(struct net_device *dev)
718 + {
719 +@@ -1216,6 +1265,7 @@ static int tun_net_change_carrier(struct net_device *dev, bool new_carrier)
720 + }
721 +
722 + static const struct net_device_ops tun_netdev_ops = {
723 ++ .ndo_init = tun_net_init,
724 + .ndo_uninit = tun_net_uninit,
725 + .ndo_open = tun_net_open,
726 + .ndo_stop = tun_net_close,
727 +@@ -1296,6 +1346,7 @@ static int tun_xdp_tx(struct net_device *dev, struct xdp_buff *xdp)
728 + }
729 +
730 + static const struct net_device_ops tap_netdev_ops = {
731 ++ .ndo_init = tun_net_init,
732 + .ndo_uninit = tun_net_uninit,
733 + .ndo_open = tun_net_open,
734 + .ndo_stop = tun_net_close,
735 +@@ -1336,7 +1387,7 @@ static void tun_flow_uninit(struct tun_struct *tun)
736 + #define MAX_MTU 65535
737 +
738 + /* Initialize net device. */
739 +-static void tun_net_init(struct net_device *dev)
740 ++static void tun_net_initialize(struct net_device *dev)
741 + {
742 + struct tun_struct *tun = netdev_priv(dev);
743 +
744 +@@ -2268,10 +2319,6 @@ static void tun_free_netdev(struct net_device *dev)
745 + BUG_ON(!(list_empty(&tun->disabled)));
746 +
747 + free_percpu(tun->pcpu_stats);
748 +- /* We clear pcpu_stats so that tun_set_iff() can tell if
749 +- * tun_free_netdev() has been called from register_netdevice().
750 +- */
751 +- tun->pcpu_stats = NULL;
752 +
753 + tun_flow_uninit(tun);
754 + security_tun_dev_free_security(tun->security);
755 +@@ -2784,41 +2831,16 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
756 + tun->rx_batched = 0;
757 + RCU_INIT_POINTER(tun->steering_prog, NULL);
758 +
759 +- tun->pcpu_stats = netdev_alloc_pcpu_stats(struct tun_pcpu_stats);
760 +- if (!tun->pcpu_stats) {
761 +- err = -ENOMEM;
762 +- goto err_free_dev;
763 +- }
764 ++ tun->ifr = ifr;
765 ++ tun->file = file;
766 +
767 +- spin_lock_init(&tun->lock);
768 +-
769 +- err = security_tun_dev_alloc_security(&tun->security);
770 +- if (err < 0)
771 +- goto err_free_stat;
772 +-
773 +- tun_net_init(dev);
774 +- tun_flow_init(tun);
775 +-
776 +- dev->hw_features = NETIF_F_SG | NETIF_F_FRAGLIST |
777 +- TUN_USER_FEATURES | NETIF_F_HW_VLAN_CTAG_TX |
778 +- NETIF_F_HW_VLAN_STAG_TX;
779 +- dev->features = dev->hw_features | NETIF_F_LLTX;
780 +- dev->vlan_features = dev->features &
781 +- ~(NETIF_F_HW_VLAN_CTAG_TX |
782 +- NETIF_F_HW_VLAN_STAG_TX);
783 +-
784 +- tun->flags = (tun->flags & ~TUN_FEATURES) |
785 +- (ifr->ifr_flags & TUN_FEATURES);
786 +-
787 +- INIT_LIST_HEAD(&tun->disabled);
788 +- err = tun_attach(tun, file, false, ifr->ifr_flags & IFF_NAPI,
789 +- ifr->ifr_flags & IFF_NAPI_FRAGS, false);
790 +- if (err < 0)
791 +- goto err_free_flow;
792 ++ tun_net_initialize(dev);
793 +
794 + err = register_netdevice(tun->dev);
795 +- if (err < 0)
796 +- goto err_detach;
797 ++ if (err < 0) {
798 ++ free_netdev(dev);
799 ++ return err;
800 ++ }
801 + /* free_netdev() won't check refcnt, to aovid race
802 + * with dev_put() we need publish tun after registration.
803 + */
804 +@@ -2835,24 +2857,6 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
805 +
806 + strcpy(ifr->ifr_name, tun->dev->name);
807 + return 0;
808 +-
809 +-err_detach:
810 +- tun_detach_all(dev);
811 +- /* We are here because register_netdevice() has failed.
812 +- * If register_netdevice() already called tun_free_netdev()
813 +- * while dealing with the error, tun->pcpu_stats has been cleared.
814 +- */
815 +- if (!tun->pcpu_stats)
816 +- goto err_free_dev;
817 +-
818 +-err_free_flow:
819 +- tun_flow_uninit(tun);
820 +- security_tun_dev_free_security(tun->security);
821 +-err_free_stat:
822 +- free_percpu(tun->pcpu_stats);
823 +-err_free_dev:
824 +- free_netdev(dev);
825 +- return err;
826 + }
827 +
828 + static void tun_get_iff(struct tun_struct *tun, struct ifreq *ifr)
829 +diff --git a/drivers/net/wireless/ath/ath9k/htc.h b/drivers/net/wireless/ath/ath9k/htc.h
830 +index 0a1634238e673..6b45e63fae4ba 100644
831 +--- a/drivers/net/wireless/ath/ath9k/htc.h
832 ++++ b/drivers/net/wireless/ath/ath9k/htc.h
833 +@@ -281,6 +281,7 @@ struct ath9k_htc_rxbuf {
834 + struct ath9k_htc_rx {
835 + struct list_head rxbuf;
836 + spinlock_t rxbuflock;
837 ++ bool initialized;
838 + };
839 +
840 + #define ATH9K_HTC_TX_CLEANUP_INTERVAL 50 /* ms */
841 +@@ -305,6 +306,7 @@ struct ath9k_htc_tx {
842 + DECLARE_BITMAP(tx_slot, MAX_TX_BUF_NUM);
843 + struct timer_list cleanup_timer;
844 + spinlock_t tx_lock;
845 ++ bool initialized;
846 + };
847 +
848 + struct ath9k_htc_tx_ctl {
849 +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
850 +index 30ddf333e04dc..43a743ec9d9e0 100644
851 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
852 ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
853 +@@ -808,6 +808,11 @@ int ath9k_tx_init(struct ath9k_htc_priv *priv)
854 + skb_queue_head_init(&priv->tx.data_vi_queue);
855 + skb_queue_head_init(&priv->tx.data_vo_queue);
856 + skb_queue_head_init(&priv->tx.tx_failed);
857 ++
858 ++ /* Allow ath9k_wmi_event_tasklet(WMI_TXSTATUS_EVENTID) to operate. */
859 ++ smp_wmb();
860 ++ priv->tx.initialized = true;
861 ++
862 + return 0;
863 + }
864 +
865 +@@ -1133,6 +1138,10 @@ void ath9k_htc_rxep(void *drv_priv, struct sk_buff *skb,
866 + struct ath9k_htc_rxbuf *rxbuf = NULL, *tmp_buf = NULL;
867 + unsigned long flags;
868 +
869 ++ /* Check if ath9k_rx_init() completed. */
870 ++ if (!data_race(priv->rx.initialized))
871 ++ goto err;
872 ++
873 + spin_lock_irqsave(&priv->rx.rxbuflock, flags);
874 + list_for_each_entry(tmp_buf, &priv->rx.rxbuf, list) {
875 + if (!tmp_buf->in_process) {
876 +@@ -1188,6 +1197,10 @@ int ath9k_rx_init(struct ath9k_htc_priv *priv)
877 + list_add_tail(&rxbuf->list, &priv->rx.rxbuf);
878 + }
879 +
880 ++ /* Allow ath9k_htc_rxep() to operate. */
881 ++ smp_wmb();
882 ++ priv->rx.initialized = true;
883 ++
884 + return 0;
885 +
886 + err:
887 +diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
888 +index fe29ad4b9023c..f315c54bd3ac0 100644
889 +--- a/drivers/net/wireless/ath/ath9k/wmi.c
890 ++++ b/drivers/net/wireless/ath/ath9k/wmi.c
891 +@@ -169,6 +169,10 @@ void ath9k_wmi_event_tasklet(struct tasklet_struct *t)
892 + &wmi->drv_priv->fatal_work);
893 + break;
894 + case WMI_TXSTATUS_EVENTID:
895 ++ /* Check if ath9k_tx_init() completed. */
896 ++ if (!data_race(priv->tx.initialized))
897 ++ break;
898 ++
899 + spin_lock_bh(&priv->tx.tx_lock);
900 + if (priv->tx.flags & ATH9K_HTC_OP_TX_DRAIN) {
901 + spin_unlock_bh(&priv->tx.tx_lock);
902 +diff --git a/tools/arch/x86/include/asm/cpufeatures.h b/tools/arch/x86/include/asm/cpufeatures.h
903 +index 54ba20492ad11..ec53f52a06a58 100644
904 +--- a/tools/arch/x86/include/asm/cpufeatures.h
905 ++++ b/tools/arch/x86/include/asm/cpufeatures.h
906 +@@ -296,6 +296,7 @@
907 + #define X86_FEATURE_RETPOLINE_LFENCE (11*32+13) /* "" Use LFENCE for Spectre variant 2 */
908 + #define X86_FEATURE_RETHUNK (11*32+14) /* "" Use REturn THUNK */
909 + #define X86_FEATURE_UNRET (11*32+15) /* "" AMD BTB untrain return */
910 ++#define X86_FEATURE_RSB_VMEXIT_LITE (11*32+17) /* "" Fill RSB on VM-Exit when EIBRS is enabled */
911 +
912 + /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
913 + #define X86_FEATURE_AVX512_BF16 (12*32+ 5) /* AVX512 BFLOAT16 instructions */
914 +diff --git a/tools/arch/x86/include/asm/msr-index.h b/tools/arch/x86/include/asm/msr-index.h
915 +index 407de670cd609..144dc164b7596 100644
916 +--- a/tools/arch/x86/include/asm/msr-index.h
917 ++++ b/tools/arch/x86/include/asm/msr-index.h
918 +@@ -148,6 +148,10 @@
919 + * are restricted to targets in
920 + * kernel.
921 + */
922 ++#define ARCH_CAP_PBRSB_NO BIT(24) /*
923 ++ * Not susceptible to Post-Barrier
924 ++ * Return Stack Buffer Predictions.
925 ++ */
926 +
927 + #define MSR_IA32_FLUSH_CMD 0x0000010b
928 + #define L1D_FLUSH BIT(0) /*
929 +diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
930 +index b9ee2ded381ab..7943e748916d4 100644
931 +--- a/tools/include/uapi/linux/bpf.h
932 ++++ b/tools/include/uapi/linux/bpf.h
933 +@@ -4180,7 +4180,8 @@ struct bpf_sock {
934 + __u32 src_ip4;
935 + __u32 src_ip6[4];
936 + __u32 src_port; /* host byte order */
937 +- __u32 dst_port; /* network byte order */
938 ++ __be16 dst_port; /* network byte order */
939 ++ __u16 :16; /* zero padding */
940 + __u32 dst_ip4;
941 + __u32 dst_ip6[4];
942 + __u32 state;
943 +diff --git a/tools/kvm/kvm_stat/kvm_stat b/tools/kvm/kvm_stat/kvm_stat
944 +index b0bf56c5f1202..a1efcfbd8b9e6 100755
945 +--- a/tools/kvm/kvm_stat/kvm_stat
946 ++++ b/tools/kvm/kvm_stat/kvm_stat
947 +@@ -1646,7 +1646,8 @@ Press any other key to refresh statistics immediately.
948 + .format(values))
949 + if len(pids) > 1:
950 + sys.exit('Error: Multiple processes found (pids: {}). Use "-p"'
951 +- ' to specify the desired pid'.format(" ".join(pids)))
952 ++ ' to specify the desired pid'
953 ++ .format(" ".join(map(str, pids))))
954 + namespace.pid = pids[0]
955 +
956 + argparser = argparse.ArgumentParser(description=description_text,
957 +diff --git a/tools/testing/selftests/bpf/prog_tests/sock_fields.c b/tools/testing/selftests/bpf/prog_tests/sock_fields.c
958 +index af87118e748e5..e8b5bf707cd45 100644
959 +--- a/tools/testing/selftests/bpf/prog_tests/sock_fields.c
960 ++++ b/tools/testing/selftests/bpf/prog_tests/sock_fields.c
961 +@@ -1,9 +1,11 @@
962 + // SPDX-License-Identifier: GPL-2.0
963 + /* Copyright (c) 2019 Facebook */
964 +
965 ++#define _GNU_SOURCE
966 + #include <netinet/in.h>
967 + #include <arpa/inet.h>
968 + #include <unistd.h>
969 ++#include <sched.h>
970 + #include <stdlib.h>
971 + #include <string.h>
972 + #include <errno.h>
973 +@@ -21,6 +23,7 @@
974 + enum bpf_linum_array_idx {
975 + EGRESS_LINUM_IDX,
976 + INGRESS_LINUM_IDX,
977 ++ READ_SK_DST_PORT_LINUM_IDX,
978 + __NR_BPF_LINUM_ARRAY_IDX,
979 + };
980 +
981 +@@ -43,8 +46,16 @@ static __u64 child_cg_id;
982 + static int linum_map_fd;
983 + static __u32 duration;
984 +
985 +-static __u32 egress_linum_idx = EGRESS_LINUM_IDX;
986 +-static __u32 ingress_linum_idx = INGRESS_LINUM_IDX;
987 ++static bool create_netns(void)
988 ++{
989 ++ if (!ASSERT_OK(unshare(CLONE_NEWNET), "create netns"))
990 ++ return false;
991 ++
992 ++ if (!ASSERT_OK(system("ip link set dev lo up"), "bring up lo"))
993 ++ return false;
994 ++
995 ++ return true;
996 ++}
997 +
998 + static void print_sk(const struct bpf_sock *sk, const char *prefix)
999 + {
1000 +@@ -92,19 +103,24 @@ static void check_result(void)
1001 + {
1002 + struct bpf_tcp_sock srv_tp, cli_tp, listen_tp;
1003 + struct bpf_sock srv_sk, cli_sk, listen_sk;
1004 +- __u32 ingress_linum, egress_linum;
1005 ++ __u32 idx, ingress_linum, egress_linum, linum;
1006 + int err;
1007 +
1008 +- err = bpf_map_lookup_elem(linum_map_fd, &egress_linum_idx,
1009 +- &egress_linum);
1010 ++ idx = EGRESS_LINUM_IDX;
1011 ++ err = bpf_map_lookup_elem(linum_map_fd, &idx, &egress_linum);
1012 + CHECK(err == -1, "bpf_map_lookup_elem(linum_map_fd)",
1013 + "err:%d errno:%d\n", err, errno);
1014 +
1015 +- err = bpf_map_lookup_elem(linum_map_fd, &ingress_linum_idx,
1016 +- &ingress_linum);
1017 ++ idx = INGRESS_LINUM_IDX;
1018 ++ err = bpf_map_lookup_elem(linum_map_fd, &idx, &ingress_linum);
1019 + CHECK(err == -1, "bpf_map_lookup_elem(linum_map_fd)",
1020 + "err:%d errno:%d\n", err, errno);
1021 +
1022 ++ idx = READ_SK_DST_PORT_LINUM_IDX;
1023 ++ err = bpf_map_lookup_elem(linum_map_fd, &idx, &linum);
1024 ++ ASSERT_OK(err, "bpf_map_lookup_elem(linum_map_fd, READ_SK_DST_PORT_IDX)");
1025 ++ ASSERT_EQ(linum, 0, "failure in read_sk_dst_port on line");
1026 ++
1027 + memcpy(&srv_sk, &skel->bss->srv_sk, sizeof(srv_sk));
1028 + memcpy(&srv_tp, &skel->bss->srv_tp, sizeof(srv_tp));
1029 + memcpy(&cli_sk, &skel->bss->cli_sk, sizeof(cli_sk));
1030 +@@ -263,7 +279,7 @@ static void test(void)
1031 + char buf[DATA_LEN];
1032 +
1033 + /* Prepare listen_fd */
1034 +- listen_fd = start_server(AF_INET6, SOCK_STREAM, "::1", 0, 0);
1035 ++ listen_fd = start_server(AF_INET6, SOCK_STREAM, "::1", 0xcafe, 0);
1036 + /* start_server() has logged the error details */
1037 + if (CHECK_FAIL(listen_fd == -1))
1038 + goto done;
1039 +@@ -331,8 +347,12 @@ done:
1040 +
1041 + void test_sock_fields(void)
1042 + {
1043 +- struct bpf_link *egress_link = NULL, *ingress_link = NULL;
1044 + int parent_cg_fd = -1, child_cg_fd = -1;
1045 ++ struct bpf_link *link;
1046 ++
1047 ++ /* Use a dedicated netns to have a fixed listen port */
1048 ++ if (!create_netns())
1049 ++ return;
1050 +
1051 + /* Create a cgroup, get fd, and join it */
1052 + parent_cg_fd = test__join_cgroup(PARENT_CGROUP);
1053 +@@ -353,17 +373,20 @@ void test_sock_fields(void)
1054 + if (CHECK(!skel, "test_sock_fields__open_and_load", "failed\n"))
1055 + goto done;
1056 +
1057 +- egress_link = bpf_program__attach_cgroup(skel->progs.egress_read_sock_fields,
1058 +- child_cg_fd);
1059 +- if (CHECK(IS_ERR(egress_link), "attach_cgroup(egress)", "err:%ld\n",
1060 +- PTR_ERR(egress_link)))
1061 ++ link = bpf_program__attach_cgroup(skel->progs.egress_read_sock_fields, child_cg_fd);
1062 ++ if (!ASSERT_OK_PTR(link, "attach_cgroup(egress_read_sock_fields)"))
1063 ++ goto done;
1064 ++ skel->links.egress_read_sock_fields = link;
1065 ++
1066 ++ link = bpf_program__attach_cgroup(skel->progs.ingress_read_sock_fields, child_cg_fd);
1067 ++ if (!ASSERT_OK_PTR(link, "attach_cgroup(ingress_read_sock_fields)"))
1068 + goto done;
1069 ++ skel->links.ingress_read_sock_fields = link;
1070 +
1071 +- ingress_link = bpf_program__attach_cgroup(skel->progs.ingress_read_sock_fields,
1072 +- child_cg_fd);
1073 +- if (CHECK(IS_ERR(ingress_link), "attach_cgroup(ingress)", "err:%ld\n",
1074 +- PTR_ERR(ingress_link)))
1075 ++ link = bpf_program__attach_cgroup(skel->progs.read_sk_dst_port, child_cg_fd);
1076 ++ if (!ASSERT_OK_PTR(link, "attach_cgroup(read_sk_dst_port"))
1077 + goto done;
1078 ++ skel->links.read_sk_dst_port = link;
1079 +
1080 + linum_map_fd = bpf_map__fd(skel->maps.linum_map);
1081 + sk_pkt_out_cnt_fd = bpf_map__fd(skel->maps.sk_pkt_out_cnt);
1082 +@@ -372,8 +395,7 @@ void test_sock_fields(void)
1083 + test();
1084 +
1085 + done:
1086 +- bpf_link__destroy(egress_link);
1087 +- bpf_link__destroy(ingress_link);
1088 ++ test_sock_fields__detach(skel);
1089 + test_sock_fields__destroy(skel);
1090 + if (child_cg_fd != -1)
1091 + close(child_cg_fd);
1092 +diff --git a/tools/testing/selftests/bpf/progs/test_sock_fields.c b/tools/testing/selftests/bpf/progs/test_sock_fields.c
1093 +index 7967348b11af6..43b31aa1fcf72 100644
1094 +--- a/tools/testing/selftests/bpf/progs/test_sock_fields.c
1095 ++++ b/tools/testing/selftests/bpf/progs/test_sock_fields.c
1096 +@@ -12,6 +12,7 @@
1097 + enum bpf_linum_array_idx {
1098 + EGRESS_LINUM_IDX,
1099 + INGRESS_LINUM_IDX,
1100 ++ READ_SK_DST_PORT_LINUM_IDX,
1101 + __NR_BPF_LINUM_ARRAY_IDX,
1102 + };
1103 +
1104 +@@ -250,4 +251,48 @@ int ingress_read_sock_fields(struct __sk_buff *skb)
1105 + return CG_OK;
1106 + }
1107 +
1108 ++static __noinline bool sk_dst_port__load_word(struct bpf_sock *sk)
1109 ++{
1110 ++ __u32 *word = (__u32 *)&sk->dst_port;
1111 ++ return word[0] == bpf_htonl(0xcafe0000);
1112 ++}
1113 ++
1114 ++static __noinline bool sk_dst_port__load_half(struct bpf_sock *sk)
1115 ++{
1116 ++ __u16 *half = (__u16 *)&sk->dst_port;
1117 ++ return half[0] == bpf_htons(0xcafe);
1118 ++}
1119 ++
1120 ++static __noinline bool sk_dst_port__load_byte(struct bpf_sock *sk)
1121 ++{
1122 ++ __u8 *byte = (__u8 *)&sk->dst_port;
1123 ++ return byte[0] == 0xca && byte[1] == 0xfe;
1124 ++}
1125 ++
1126 ++SEC("cgroup_skb/egress")
1127 ++int read_sk_dst_port(struct __sk_buff *skb)
1128 ++{
1129 ++ __u32 linum, linum_idx;
1130 ++ struct bpf_sock *sk;
1131 ++
1132 ++ linum_idx = READ_SK_DST_PORT_LINUM_IDX;
1133 ++
1134 ++ sk = skb->sk;
1135 ++ if (!sk)
1136 ++ RET_LOG();
1137 ++
1138 ++ /* Ignore everything but the SYN from the client socket */
1139 ++ if (sk->state != BPF_TCP_SYN_SENT)
1140 ++ return CG_OK;
1141 ++
1142 ++ if (!sk_dst_port__load_word(sk))
1143 ++ RET_LOG();
1144 ++ if (!sk_dst_port__load_half(sk))
1145 ++ RET_LOG();
1146 ++ if (!sk_dst_port__load_byte(sk))
1147 ++ RET_LOG();
1148 ++
1149 ++ return CG_OK;
1150 ++}
1151 ++
1152 + char _license[] SEC("license") = "GPL";
1153 +diff --git a/tools/testing/selftests/bpf/verifier/sock.c b/tools/testing/selftests/bpf/verifier/sock.c
1154 +index ce13ece08d51c..8c224eac93df7 100644
1155 +--- a/tools/testing/selftests/bpf/verifier/sock.c
1156 ++++ b/tools/testing/selftests/bpf/verifier/sock.c
1157 +@@ -121,7 +121,25 @@
1158 + .result = ACCEPT,
1159 + },
1160 + {
1161 +- "sk_fullsock(skb->sk): sk->dst_port [narrow load]",
1162 ++ "sk_fullsock(skb->sk): sk->dst_port [word load] (backward compatibility)",
1163 ++ .insns = {
1164 ++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
1165 ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
1166 ++ BPF_MOV64_IMM(BPF_REG_0, 0),
1167 ++ BPF_EXIT_INSN(),
1168 ++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
1169 ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1170 ++ BPF_MOV64_IMM(BPF_REG_0, 0),
1171 ++ BPF_EXIT_INSN(),
1172 ++ BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port)),
1173 ++ BPF_MOV64_IMM(BPF_REG_0, 0),
1174 ++ BPF_EXIT_INSN(),
1175 ++ },
1176 ++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
1177 ++ .result = ACCEPT,
1178 ++},
1179 ++{
1180 ++ "sk_fullsock(skb->sk): sk->dst_port [half load]",
1181 + .insns = {
1182 + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
1183 + BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
1184 +@@ -139,7 +157,64 @@
1185 + .result = ACCEPT,
1186 + },
1187 + {
1188 +- "sk_fullsock(skb->sk): sk->dst_port [load 2nd byte]",
1189 ++ "sk_fullsock(skb->sk): sk->dst_port [half load] (invalid)",
1190 ++ .insns = {
1191 ++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
1192 ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
1193 ++ BPF_MOV64_IMM(BPF_REG_0, 0),
1194 ++ BPF_EXIT_INSN(),
1195 ++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
1196 ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1197 ++ BPF_MOV64_IMM(BPF_REG_0, 0),
1198 ++ BPF_EXIT_INSN(),
1199 ++ BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 2),
1200 ++ BPF_MOV64_IMM(BPF_REG_0, 0),
1201 ++ BPF_EXIT_INSN(),
1202 ++ },
1203 ++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
1204 ++ .result = REJECT,
1205 ++ .errstr = "invalid sock access",
1206 ++},
1207 ++{
1208 ++ "sk_fullsock(skb->sk): sk->dst_port [byte load]",
1209 ++ .insns = {
1210 ++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
1211 ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
1212 ++ BPF_MOV64_IMM(BPF_REG_0, 0),
1213 ++ BPF_EXIT_INSN(),
1214 ++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
1215 ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1216 ++ BPF_MOV64_IMM(BPF_REG_0, 0),
1217 ++ BPF_EXIT_INSN(),
1218 ++ BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, dst_port)),
1219 ++ BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 1),
1220 ++ BPF_MOV64_IMM(BPF_REG_0, 0),
1221 ++ BPF_EXIT_INSN(),
1222 ++ },
1223 ++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
1224 ++ .result = ACCEPT,
1225 ++},
1226 ++{
1227 ++ "sk_fullsock(skb->sk): sk->dst_port [byte load] (invalid)",
1228 ++ .insns = {
1229 ++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
1230 ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
1231 ++ BPF_MOV64_IMM(BPF_REG_0, 0),
1232 ++ BPF_EXIT_INSN(),
1233 ++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
1234 ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1235 ++ BPF_MOV64_IMM(BPF_REG_0, 0),
1236 ++ BPF_EXIT_INSN(),
1237 ++ BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 2),
1238 ++ BPF_MOV64_IMM(BPF_REG_0, 0),
1239 ++ BPF_EXIT_INSN(),
1240 ++ },
1241 ++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
1242 ++ .result = REJECT,
1243 ++ .errstr = "invalid sock access",
1244 ++},
1245 ++{
1246 ++ "sk_fullsock(skb->sk): past sk->dst_port [half load] (invalid)",
1247 + .insns = {
1248 + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
1249 + BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
1250 +@@ -149,7 +224,7 @@
1251 + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1252 + BPF_MOV64_IMM(BPF_REG_0, 0),
1253 + BPF_EXIT_INSN(),
1254 +- BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 1),
1255 ++ BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetofend(struct bpf_sock, dst_port)),
1256 + BPF_MOV64_IMM(BPF_REG_0, 0),
1257 + BPF_EXIT_INSN(),
1258 + },
1259 +diff --git a/tools/testing/selftests/kvm/lib/aarch64/ucall.c b/tools/testing/selftests/kvm/lib/aarch64/ucall.c
1260 +index 2f37b90ee1a94..f600311fdc6ae 100644
1261 +--- a/tools/testing/selftests/kvm/lib/aarch64/ucall.c
1262 ++++ b/tools/testing/selftests/kvm/lib/aarch64/ucall.c
1263 +@@ -73,20 +73,19 @@ void ucall_uninit(struct kvm_vm *vm)
1264 +
1265 + void ucall(uint64_t cmd, int nargs, ...)
1266 + {
1267 +- struct ucall uc = {
1268 +- .cmd = cmd,
1269 +- };
1270 ++ struct ucall uc = {};
1271 + va_list va;
1272 + int i;
1273 +
1274 ++ WRITE_ONCE(uc.cmd, cmd);
1275 + nargs = nargs <= UCALL_MAX_ARGS ? nargs : UCALL_MAX_ARGS;
1276 +
1277 + va_start(va, nargs);
1278 + for (i = 0; i < nargs; ++i)
1279 +- uc.args[i] = va_arg(va, uint64_t);
1280 ++ WRITE_ONCE(uc.args[i], va_arg(va, uint64_t));
1281 + va_end(va);
1282 +
1283 +- *ucall_exit_mmio_addr = (vm_vaddr_t)&uc;
1284 ++ WRITE_ONCE(*ucall_exit_mmio_addr, (vm_vaddr_t)&uc);
1285 + }
1286 +
1287 + uint64_t get_ucall(struct kvm_vm *vm, uint32_t vcpu_id, struct ucall *uc)
Report Message
Find on MARC Find on Google Groups