
From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:5.15 commit in: /
Date: Thu, 11 Aug 2022 12:34:01
Message-Id: 1660221222.95a4b9c4036d7f10bd7b559ddb7326f70b142cc5.mpagano@gentoo
commit:     95a4b9c4036d7f10bd7b559ddb7326f70b142cc5
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: Thu Aug 11 12:33:42 2022 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: Thu Aug 11 12:33:42 2022 +0000
URL:        https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=95a4b9c4

Linux patch 5.15.60

Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 0000_README              |    4 +
 1059_linux-5.15.60.patch | 1475 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 1479 insertions(+)

diff --git a/0000_README b/0000_README
index 71e13cee..a6bf4af4 100644
--- a/0000_README
+++ b/0000_README
@@ -279,6 +279,10 @@ Patch: 1058_linux-5.15.59.patch
From: http://www.kernel.org
Desc: Linux 5.15.59

+Patch: 1059_linux-5.15.60.patch
+From: http://www.kernel.org
+Desc: Linux 5.15.60
+
Patch: 1500_XATTR_USER_PREFIX.patch
From: https://bugs.gentoo.org/show_bug.cgi?id=470644
Desc: Support for namespace user.pax.* on tmpfs.

diff --git a/1059_linux-5.15.60.patch b/1059_linux-5.15.60.patch
new file mode 100644
index 00000000..9afdb82b
--- /dev/null
+++ b/1059_linux-5.15.60.patch
@@ -0,0 +1,1475 @@
+diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst
+index 6bd97cd50d625..7e061ed449aaa 100644
+--- a/Documentation/admin-guide/hw-vuln/spectre.rst
++++ b/Documentation/admin-guide/hw-vuln/spectre.rst
+@@ -422,6 +422,14 @@ The possible values in this file are:
+ 'RSB filling' Protection of RSB on context switch enabled
+ ============= ===========================================
+
++ - EIBRS Post-barrier Return Stack Buffer (PBRSB) protection status:
++
++ =========================== =======================================================
++ 'PBRSB-eIBRS: SW sequence' CPU is affected and protection of RSB on VMEXIT enabled
++ 'PBRSB-eIBRS: Vulnerable' CPU is vulnerable
++ 'PBRSB-eIBRS: Not affected' CPU is not affected by PBRSB
++ =========================== =======================================================
++
+ Full mitigation might require a microcode update from the CPU
+ vendor. When the necessary microcode is not available, the kernel will
+ report vulnerability.
+diff --git a/Documentation/devicetree/bindings/net/broadcom-bluetooth.yaml b/Documentation/devicetree/bindings/net/broadcom-bluetooth.yaml
+index fbdc2083bec4f..20ee96584aba2 100644
+--- a/Documentation/devicetree/bindings/net/broadcom-bluetooth.yaml
++++ b/Documentation/devicetree/bindings/net/broadcom-bluetooth.yaml
+@@ -23,6 +23,7 @@ properties:
+ - brcm,bcm4345c5
+ - brcm,bcm43540-bt
+ - brcm,bcm4335a0
++ - brcm,bcm4349-bt
+
+ shutdown-gpios:
+ maxItems: 1
+diff --git a/Makefile b/Makefile
+index 22bca3948306b..4ea646f496c9c 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,7 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+ VERSION = 5
+ PATCHLEVEL = 15
+-SUBLEVEL = 59
++SUBLEVEL = 60
+ EXTRAVERSION =
+ NAME = Trick or Treat
+
+diff --git a/arch/arm64/crypto/poly1305-glue.c b/arch/arm64/crypto/poly1305-glue.c
+index 9c3d86e397bf3..1fae18ba11ed1 100644
+--- a/arch/arm64/crypto/poly1305-glue.c
++++ b/arch/arm64/crypto/poly1305-glue.c
+@@ -52,7 +52,7 @@ static void neon_poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src,
+ {
+ if (unlikely(!dctx->sset)) {
+ if (!dctx->rset) {
+- poly1305_init_arch(dctx, src);
++ poly1305_init_arm64(&dctx->h, src);
+ src += POLY1305_BLOCK_SIZE;
+ len -= POLY1305_BLOCK_SIZE;
+ dctx->rset = 1;
+diff --git a/arch/arm64/include/asm/kernel-pgtable.h b/arch/arm64/include/asm/kernel-pgtable.h
+index 96dc0f7da258d..a971d462f531c 100644
+--- a/arch/arm64/include/asm/kernel-pgtable.h
++++ b/arch/arm64/include/asm/kernel-pgtable.h
+@@ -103,8 +103,8 @@
+ /*
+ * Initial memory map attributes.
+ */
+-#define SWAPPER_PTE_FLAGS (PTE_TYPE_PAGE | PTE_AF | PTE_SHARED)
+-#define SWAPPER_PMD_FLAGS (PMD_TYPE_SECT | PMD_SECT_AF | PMD_SECT_S)
++#define SWAPPER_PTE_FLAGS (PTE_TYPE_PAGE | PTE_AF | PTE_SHARED | PTE_UXN)
++#define SWAPPER_PMD_FLAGS (PMD_TYPE_SECT | PMD_SECT_AF | PMD_SECT_S | PMD_SECT_UXN)
+
+ #if ARM64_KERNEL_USES_PMD_MAPS
+ #define SWAPPER_MM_MMUFLAGS (PMD_ATTRINDX(MT_NORMAL) | SWAPPER_PMD_FLAGS)
+diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
+index 17962452e31de..ab6566bf1c332 100644
+--- a/arch/arm64/kernel/head.S
++++ b/arch/arm64/kernel/head.S
+@@ -285,7 +285,7 @@ SYM_FUNC_START_LOCAL(__create_page_tables)
+ subs x1, x1, #64
+ b.ne 1b
+
+- mov x7, SWAPPER_MM_MMUFLAGS
++ mov_q x7, SWAPPER_MM_MMUFLAGS
+
+ /*
+ * Create the identity mapping.
+ */
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index a170cfdae2a7a..fe6981a387957 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2427,7 +2427,7 @@ config RETPOLINE
+ config RETHUNK
+ bool "Enable return-thunks"
+ depends on RETPOLINE && CC_HAS_RETURN_THUNK
+- default y
++ default y if X86_64
+ help
+ Compile the kernel with the return-thunks compiler option to guard
+ against kernel-to-user data leaks by avoiding return speculation.
+@@ -2436,21 +2436,21 @@ config RETHUNK
+
+ config CPU_UNRET_ENTRY
+ bool "Enable UNRET on kernel entry"
+- depends on CPU_SUP_AMD && RETHUNK
++ depends on CPU_SUP_AMD && RETHUNK && X86_64
+ default y
+ help
+ Compile the kernel with support for the retbleed=unret mitigation.
+
+ config CPU_IBPB_ENTRY
+ bool "Enable IBPB on kernel entry"
+- depends on CPU_SUP_AMD
++ depends on CPU_SUP_AMD && X86_64
+ default y
+ help
+ Compile the kernel with support for the retbleed=ibpb mitigation.
+
+ config CPU_IBRS_ENTRY
+ bool "Enable IBRS on kernel entry"
+- depends on CPU_SUP_INTEL
++ depends on CPU_SUP_INTEL && X86_64
+ default y
+ help
+ Compile the kernel with support for the spectre_v2=ibrs mitigation.
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
+index d370718e222ba..be744fa100048 100644
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -301,6 +301,7 @@
+ #define X86_FEATURE_RETHUNK (11*32+14) /* "" Use REturn THUNK */
+ #define X86_FEATURE_UNRET (11*32+15) /* "" AMD BTB untrain return */
+ #define X86_FEATURE_USE_IBPB_FW (11*32+16) /* "" Use IBPB during runtime firmware calls */
++#define X86_FEATURE_RSB_VMEXIT_LITE (11*32+17) /* "" Fill RSB on VM exit when EIBRS is enabled */
+
+ /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
+ #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */
+@@ -446,5 +447,6 @@
+ #define X86_BUG_SRBDS X86_BUG(24) /* CPU may leak RNG bits if not mitigated */
+ #define X86_BUG_MMIO_STALE_DATA X86_BUG(25) /* CPU is affected by Processor MMIO Stale Data vulnerabilities */
+ #define X86_BUG_RETBLEED X86_BUG(26) /* CPU is affected by RETBleed */
++#define X86_BUG_EIBRS_PBRSB X86_BUG(27) /* EIBRS is vulnerable to Post Barrier RSB Predictions */
+
+ #endif /* _ASM_X86_CPUFEATURES_H */
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index 49d814b2a341a..a35f5e23fc2ac 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -642,6 +642,7 @@ struct kvm_vcpu_arch {
+ u64 ia32_misc_enable_msr;
+ u64 smbase;
+ u64 smi_count;
++ bool at_instruction_boundary;
+ bool tpr_access_reporting;
+ bool xsaves_enabled;
+ u64 ia32_xss;
+@@ -1271,6 +1272,8 @@ struct kvm_vcpu_stat {
+ u64 nested_run;
+ u64 directed_yield_attempted;
+ u64 directed_yield_successful;
++ u64 preemption_reported;
++ u64 preemption_other;
+ u64 guest_mode;
+ };
+
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
+index ec2967e7249f5..8f38265bc81dc 100644
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -148,6 +148,10 @@
+ * are restricted to targets in
+ * kernel.
+ */
++#define ARCH_CAP_PBRSB_NO BIT(24) /*
++ * Not susceptible to Post-Barrier
++ * Return Stack Buffer Predictions.
++ */
+
+ #define MSR_IA32_FLUSH_CMD 0x0000010b
+ #define L1D_FLUSH BIT(0) /*
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
+index 9a79b96e55214..6a59b2d58a3a9 100644
+--- a/arch/x86/include/asm/nospec-branch.h
++++ b/arch/x86/include/asm/nospec-branch.h
+@@ -60,7 +60,9 @@
+ 774: \
+ add $(BITS_PER_LONG/8) * 2, sp; \
+ dec reg; \
+- jnz 771b;
++ jnz 771b; \
++ /* barrier for jnz misprediction */ \
++ lfence;
+
+ #ifdef __ASSEMBLY__
+
+@@ -118,13 +120,28 @@
+ #endif
+ .endm
+
++.macro ISSUE_UNBALANCED_RET_GUARD
++ ANNOTATE_INTRA_FUNCTION_CALL
++ call .Lunbalanced_ret_guard_\@
++ int3
++.Lunbalanced_ret_guard_\@:
++ add $(BITS_PER_LONG/8), %_ASM_SP
++ lfence
++.endm
++
+ /*
+ * A simpler FILL_RETURN_BUFFER macro. Don't make people use the CPP
+ * monstrosity above, manually.
+ */
+-.macro FILL_RETURN_BUFFER reg:req nr:req ftr:req
++.macro FILL_RETURN_BUFFER reg:req nr:req ftr:req ftr2
++.ifb \ftr2
+ ALTERNATIVE "jmp .Lskip_rsb_\@", "", \ftr
++.else
++ ALTERNATIVE_2 "jmp .Lskip_rsb_\@", "", \ftr, "jmp .Lunbalanced_\@", \ftr2
++.endif
+ __FILL_RETURN_BUFFER(\reg,\nr,%_ASM_SP)
++.Lunbalanced_\@:
++ ISSUE_UNBALANCED_RET_GUARD
+ .Lskip_rsb_\@:
+ .endm
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index a37814c8547e4..837e617f3b76d 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1328,6 +1328,53 @@ static void __init spec_ctrl_disable_kernel_rrsba(void)
+ }
+ }
+
++static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_mitigation mode)
++{
++ /*
++ * Similar to context switches, there are two types of RSB attacks
++ * after VM exit:
++ *
++ * 1) RSB underflow
++ *
++ * 2) Poisoned RSB entry
++ *
++ * When retpoline is enabled, both are mitigated by filling/clearing
++ * the RSB.
++ *
++ * When IBRS is enabled, while #1 would be mitigated by the IBRS branch
++ * prediction isolation protections, RSB still needs to be cleared
++ * because of #2. Note that SMEP provides no protection here, unlike
++ * user-space-poisoned RSB entries.
++ *
++ * eIBRS should protect against RSB poisoning, but if the EIBRS_PBRSB
++ * bug is present then a LITE version of RSB protection is required,
++ * just a single call needs to retire before a RET is executed.
++ */
++ switch (mode) {
++ case SPECTRE_V2_NONE:
++ return;
++
++ case SPECTRE_V2_EIBRS_LFENCE:
++ case SPECTRE_V2_EIBRS:
++ if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
++ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE);
++ pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n");
++ }
++ return;
++
++ case SPECTRE_V2_EIBRS_RETPOLINE:
++ case SPECTRE_V2_RETPOLINE:
++ case SPECTRE_V2_LFENCE:
++ case SPECTRE_V2_IBRS:
++ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT);
++ pr_info("Spectre v2 / SpectreRSB : Filling RSB on VMEXIT\n");
++ return;
++ }
++
++ pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation at VM exit");
++ dump_stack();
++}
++
+ static void __init spectre_v2_select_mitigation(void)
+ {
+ enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
+@@ -1478,28 +1525,7 @@ static void __init spectre_v2_select_mitigation(void)
+ setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
+ pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
+
+- /*
+- * Similar to context switches, there are two types of RSB attacks
+- * after vmexit:
+- *
+- * 1) RSB underflow
+- *
+- * 2) Poisoned RSB entry
+- *
+- * When retpoline is enabled, both are mitigated by filling/clearing
+- * the RSB.
+- *
+- * When IBRS is enabled, while #1 would be mitigated by the IBRS branch
+- * prediction isolation protections, RSB still needs to be cleared
+- * because of #2. Note that SMEP provides no protection here, unlike
+- * user-space-poisoned RSB entries.
+- *
+- * eIBRS, on the other hand, has RSB-poisoning protections, so it
+- * doesn't need RSB clearing after vmexit.
+- */
+- if (boot_cpu_has(X86_FEATURE_RETPOLINE) ||
+- boot_cpu_has(X86_FEATURE_KERNEL_IBRS))
+- setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT);
++ spectre_v2_determine_rsb_fill_type_at_vmexit(mode);
+
+ /*
+ * Retpoline protects the kernel, but doesn't protect firmware. IBRS
+@@ -2285,6 +2311,19 @@ static char *ibpb_state(void)
+ return "";
+ }
+
++static char *pbrsb_eibrs_state(void)
++{
++ if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
++ if (boot_cpu_has(X86_FEATURE_RSB_VMEXIT_LITE) ||
++ boot_cpu_has(X86_FEATURE_RSB_VMEXIT))
++ return ", PBRSB-eIBRS: SW sequence";
++ else
++ return ", PBRSB-eIBRS: Vulnerable";
++ } else {
++ return ", PBRSB-eIBRS: Not affected";
++ }
++}
++
+ static ssize_t spectre_v2_show_state(char *buf)
+ {
+ if (spectre_v2_enabled == SPECTRE_V2_LFENCE)
+@@ -2297,12 +2336,13 @@ static ssize_t spectre_v2_show_state(char *buf)
+ spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
+ return sprintf(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n");
+
+- return sprintf(buf, "%s%s%s%s%s%s\n",
++ return sprintf(buf, "%s%s%s%s%s%s%s\n",
+ spectre_v2_strings[spectre_v2_enabled],
+ ibpb_state(),
+ boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
+ stibp_state(),
+ boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
++ pbrsb_eibrs_state(),
+ spectre_v2_module_string());
+ }
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 80cc41f797830..4a538ec413b8b 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -1027,6 +1027,7 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
+ #define NO_SWAPGS BIT(6)
+ #define NO_ITLB_MULTIHIT BIT(7)
+ #define NO_SPECTRE_V2 BIT(8)
++#define NO_EIBRS_PBRSB BIT(9)
+
+ #define VULNWL(vendor, family, model, whitelist) \
+ X86_MATCH_VENDOR_FAM_MODEL(vendor, family, model, whitelist)
+@@ -1067,7 +1068,7 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
+
+ VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
+ VULNWL_INTEL(ATOM_GOLDMONT_D, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
+- VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
++ VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_EIBRS_PBRSB),
+
+ /*
+ * Technically, swapgs isn't serializing on AMD (despite it previously
+@@ -1077,7 +1078,9 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
+ * good enough for our purposes.
+ */
+
+- VULNWL_INTEL(ATOM_TREMONT_D, NO_ITLB_MULTIHIT),
++ VULNWL_INTEL(ATOM_TREMONT, NO_EIBRS_PBRSB),
++ VULNWL_INTEL(ATOM_TREMONT_L, NO_EIBRS_PBRSB),
++ VULNWL_INTEL(ATOM_TREMONT_D, NO_ITLB_MULTIHIT | NO_EIBRS_PBRSB),
+
+ /* AMD Family 0xf - 0x12 */
+ VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
+@@ -1255,6 +1258,11 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
+ setup_force_cpu_bug(X86_BUG_RETBLEED);
+ }
+
++ if (cpu_has(c, X86_FEATURE_IBRS_ENHANCED) &&
++ !cpu_matches(cpu_vuln_whitelist, NO_EIBRS_PBRSB) &&
++ !(ia32_cap & ARCH_CAP_PBRSB_NO))
++ setup_force_cpu_bug(X86_BUG_EIBRS_PBRSB);
++
+ if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN))
+ return;
+
+diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
+index 4a4dc105552e3..86f3096f042f7 100644
+--- a/arch/x86/kvm/svm/sev.c
++++ b/arch/x86/kvm/svm/sev.c
+@@ -832,7 +832,7 @@ static int __sev_dbg_encrypt_user(struct kvm *kvm, unsigned long paddr,
+
+ /* If source buffer is not aligned then use an intermediate buffer */
+ if (!IS_ALIGNED((unsigned long)vaddr, 16)) {
+- src_tpage = alloc_page(GFP_KERNEL);
++ src_tpage = alloc_page(GFP_KERNEL_ACCOUNT);
+ if (!src_tpage)
+ return -ENOMEM;
+
+@@ -853,7 +853,7 @@ static int __sev_dbg_encrypt_user(struct kvm *kvm, unsigned long paddr,
+ if (!IS_ALIGNED((unsigned long)dst_vaddr, 16) || !IS_ALIGNED(size, 16)) {
+ int dst_offset;
+
+- dst_tpage = alloc_page(GFP_KERNEL);
++ dst_tpage = alloc_page(GFP_KERNEL_ACCOUNT);
+ if (!dst_tpage) {
+ ret = -ENOMEM;
+ goto e_free;
+diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
+index 26f2da1590eda..5b51156712f74 100644
+--- a/arch/x86/kvm/svm/svm.c
++++ b/arch/x86/kvm/svm/svm.c
+@@ -4263,6 +4263,8 @@ out:
+
+ static void svm_handle_exit_irqoff(struct kvm_vcpu *vcpu)
+ {
++ if (to_svm(vcpu)->vmcb->control.exit_code == SVM_EXIT_INTR)
++ vcpu->arch.at_instruction_boundary = true;
+ }
+
+ static void svm_sched_in(struct kvm_vcpu *vcpu, int cpu)
+diff --git a/arch/x86/kvm/vmx/vmenter.S b/arch/x86/kvm/vmx/vmenter.S
+index 857fa0fc49faf..982138bebb70f 100644
+--- a/arch/x86/kvm/vmx/vmenter.S
++++ b/arch/x86/kvm/vmx/vmenter.S
+@@ -197,11 +197,13 @@ SYM_INNER_LABEL(vmx_vmexit, SYM_L_GLOBAL)
+ * entries and (in some cases) RSB underflow.
+ *
+ * eIBRS has its own protection against poisoned RSB, so it doesn't
+- * need the RSB filling sequence. But it does need to be enabled
+- * before the first unbalanced RET.
++ * need the RSB filling sequence. But it does need to be enabled, and a
++ * single call to retire, before the first unbalanced RET.
+ */
+
+- FILL_RETURN_BUFFER %_ASM_CX, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_VMEXIT
++ FILL_RETURN_BUFFER %_ASM_CX, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_VMEXIT,\
++ X86_FEATURE_RSB_VMEXIT_LITE
++
+
+ pop %_ASM_ARG2 /* @flags */
+ pop %_ASM_ARG1 /* @vmx */
+diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
+index a236104fc7439..359292767e177 100644
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -6471,6 +6471,7 @@ static void handle_external_interrupt_irqoff(struct kvm_vcpu *vcpu)
+ return;
+
+ handle_interrupt_nmi_irqoff(vcpu, gate_offset(desc));
++ vcpu->arch.at_instruction_boundary = true;
+ }
+
+ static void vmx_handle_exit_irqoff(struct kvm_vcpu *vcpu)
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index bd410926fda59..8a6ee5d8adc74 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -277,6 +277,8 @@ const struct _kvm_stats_desc kvm_vcpu_stats_desc[] = {
+ STATS_DESC_COUNTER(VCPU, nested_run),
+ STATS_DESC_COUNTER(VCPU, directed_yield_attempted),
+ STATS_DESC_COUNTER(VCPU, directed_yield_successful),
++ STATS_DESC_COUNTER(VCPU, preemption_reported),
++ STATS_DESC_COUNTER(VCPU, preemption_other),
+ STATS_DESC_ICOUNTER(VCPU, guest_mode)
+ };
+
+@@ -4371,6 +4373,19 @@ static void kvm_steal_time_set_preempted(struct kvm_vcpu *vcpu)
+ struct kvm_memslots *slots;
+ static const u8 preempted = KVM_VCPU_PREEMPTED;
+
++ /*
++ * The vCPU can be marked preempted if and only if the VM-Exit was on
++ * an instruction boundary and will not trigger guest emulation of any
++ * kind (see vcpu_run). Vendor specific code controls (conservatively)
++ * when this is true, for example allowing the vCPU to be marked
++ * preempted if and only if the VM-Exit was due to a host interrupt.
++ */
++ if (!vcpu->arch.at_instruction_boundary) {
++ vcpu->stat.preemption_other++;
++ return;
++ }
++
++ vcpu->stat.preemption_reported++;
+ if (!(vcpu->arch.st.msr_val & KVM_MSR_ENABLED))
+ return;
+
+@@ -4400,19 +4415,21 @@ void kvm_arch_vcpu_put(struct kvm_vcpu *vcpu)
+ {
+ int idx;
+
+- if (vcpu->preempted && !vcpu->arch.guest_state_protected)
+- vcpu->arch.preempted_in_kernel = !static_call(kvm_x86_get_cpl)(vcpu);
++ if (vcpu->preempted) {
++ if (!vcpu->arch.guest_state_protected)
++ vcpu->arch.preempted_in_kernel = !static_call(kvm_x86_get_cpl)(vcpu);
+
+- /*
+- * Take the srcu lock as memslots will be accessed to check the gfn
+- * cache generation against the memslots generation.
+- */
+- idx = srcu_read_lock(&vcpu->kvm->srcu);
+- if (kvm_xen_msr_enabled(vcpu->kvm))
+- kvm_xen_runstate_set_preempted(vcpu);
+- else
+- kvm_steal_time_set_preempted(vcpu);
+- srcu_read_unlock(&vcpu->kvm->srcu, idx);
++ /*
++ * Take the srcu lock as memslots will be accessed to check the gfn
++ * cache generation against the memslots generation.
++ */
++ idx = srcu_read_lock(&vcpu->kvm->srcu);
++ if (kvm_xen_msr_enabled(vcpu->kvm))
++ kvm_xen_runstate_set_preempted(vcpu);
++ else
++ kvm_steal_time_set_preempted(vcpu);
++ srcu_read_unlock(&vcpu->kvm->srcu, idx);
++ }
+
+ static_call(kvm_x86_vcpu_put)(vcpu);
+ vcpu->arch.last_host_tsc = rdtsc();
+@@ -9934,6 +9951,13 @@ static int vcpu_run(struct kvm_vcpu *vcpu)
+ vcpu->arch.l1tf_flush_l1d = true;
+
+ for (;;) {
++ /*
++ * If another guest vCPU requests a PV TLB flush in the middle
++ * of instruction emulation, the rest of the emulation could
++ * use a stale page translation. Assume that any code after
++ * this point can start executing an instruction.
++ */
++ vcpu->arch.at_instruction_boundary = false;
+ if (kvm_vcpu_running(vcpu)) {
+ r = vcpu_enter_guest(vcpu);
+ } else {
+diff --git a/arch/x86/kvm/xen.h b/arch/x86/kvm/xen.h
+index cc0cf5f37450b..a7693a286e401 100644
+--- a/arch/x86/kvm/xen.h
++++ b/arch/x86/kvm/xen.h
+@@ -97,8 +97,10 @@ static inline void kvm_xen_runstate_set_preempted(struct kvm_vcpu *vcpu)
+ * behalf of the vCPU. Only if the VMM does actually block
+ * does it need to enter RUNSTATE_blocked.
+ */
+- if (vcpu->preempted)
+- kvm_xen_update_runstate_guest(vcpu, RUNSTATE_runnable);
++ if (WARN_ON_ONCE(!vcpu->preempted))
++ return;
++
++ kvm_xen_update_runstate_guest(vcpu, RUNSTATE_runnable);
+ }
+
+ /* 32-bit compatibility definitions, also used natively in 32-bit build */
+diff --git a/block/blk-ioc.c b/block/blk-ioc.c
+index 57299f860d41e..90c05971f71e0 100644
+--- a/block/blk-ioc.c
++++ b/block/blk-ioc.c
+@@ -265,6 +265,7 @@ int create_task_io_context(struct task_struct *task, gfp_t gfp_flags, int node)
+ INIT_RADIX_TREE(&ioc->icq_tree, GFP_ATOMIC);
+ INIT_HLIST_HEAD(&ioc->icq_list);
+ INIT_WORK(&ioc->release_work, ioc_release_fn);
++ ioc->ioprio = IOPRIO_DEFAULT;
+
+ /*
+ * Try to install. ioc shouldn't be installed if someone else
+diff --git a/block/ioprio.c b/block/ioprio.c
+index 6f01d35a5145a..6c830154856fc 100644
+--- a/block/ioprio.c
++++ b/block/ioprio.c
+@@ -189,9 +189,9 @@ out:
+ int ioprio_best(unsigned short aprio, unsigned short bprio)
+ {
+ if (!ioprio_valid(aprio))
+- aprio = IOPRIO_DEFAULT;
++ aprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, IOPRIO_BE_NORM);
+ if (!ioprio_valid(bprio))
+- bprio = IOPRIO_DEFAULT;
++ bprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, IOPRIO_BE_NORM);
+
+ return min(aprio, bprio);
+ }
+diff --git a/drivers/acpi/apei/bert.c b/drivers/acpi/apei/bert.c
+index 598fd19b65fa4..45973aa6e06d4 100644
+--- a/drivers/acpi/apei/bert.c
++++ b/drivers/acpi/apei/bert.c
+@@ -29,16 +29,26 @@
+
+ #undef pr_fmt
+ #define pr_fmt(fmt) "BERT: " fmt
++
++#define ACPI_BERT_PRINT_MAX_RECORDS 5
+ #define ACPI_BERT_PRINT_MAX_LEN 1024
+
+ static int bert_disable;
+
++/*
++ * Print "all" the error records in the BERT table, but avoid huge spam to
++ * the console if the BIOS included oversize records, or too many records.
++ * Skipping some records here does not lose anything because the full
++ * data is available to user tools in:
++ * /sys/firmware/acpi/tables/data/BERT
++ */
+ static void __init bert_print_all(struct acpi_bert_region *region,
+ unsigned int region_len)
+ {
+ struct acpi_hest_generic_status *estatus =
+ (struct acpi_hest_generic_status *)region;
+ int remain = region_len;
++ int printed = 0, skipped = 0;
+ u32 estatus_len;
+
+ while (remain >= sizeof(struct acpi_bert_region)) {
+@@ -46,24 +56,26 @@ static void __init bert_print_all(struct acpi_bert_region *region,
+ if (remain < estatus_len) {
+ pr_err(FW_BUG "Truncated status block (length: %u).\n",
+ estatus_len);
+- return;
++ break;
+ }
+
+ /* No more error records. */
+ if (!estatus->block_status)
+- return;
++ break;
+
+ if (cper_estatus_check(estatus)) {
+ pr_err(FW_BUG "Invalid error record.\n");
+- return;
++ break;
+ }
+
+- pr_info_once("Error records from previous boot:\n");
+- if (region_len < ACPI_BERT_PRINT_MAX_LEN)
++ if (estatus_len < ACPI_BERT_PRINT_MAX_LEN &&
++ printed < ACPI_BERT_PRINT_MAX_RECORDS) {
++ pr_info_once("Error records from previous boot:\n");
+ cper_estatus_print(KERN_INFO HW_ERR, estatus);
+- else
+- pr_info_once("Max print length exceeded, table data is available at:\n"
+- "/sys/firmware/acpi/tables/data/BERT");
++ printed++;
++ } else {
++ skipped++;
++ }
+
+ /*
+ * Because the boot error source is "one-time polled" type,
+@@ -75,6 +87,9 @@ static void __init bert_print_all(struct acpi_bert_region *region,
+ estatus = (void *)estatus + estatus_len;
+ remain -= estatus_len;
+ }
++
++ if (skipped)
++ pr_info(HW_ERR "Skipped %d error records\n", skipped);
+ }
+
+ static int __init setup_bert_disable(char *str)
+diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
+index 7b9793cb55c50..e39d59ad64964 100644
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -424,7 +424,6 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
+ .callback = video_detect_force_native,
+ .ident = "Clevo NL5xRU",
+ .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
+ DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"),
+ },
+ },
+@@ -432,59 +431,75 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
+ .callback = video_detect_force_native,
+ .ident = "Clevo NL5xRU",
+ .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "SchenkerTechnologiesGmbH"),
+- DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"),
++ DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
++ DMI_MATCH(DMI_BOARD_NAME, "AURA1501"),
+ },
+ },
+ {
+ .callback = video_detect_force_native,
+ .ident = "Clevo NL5xRU",
+ .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
+- DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"),
++ DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
++ DMI_MATCH(DMI_BOARD_NAME, "EDUBOOK1502"),
+ },
+ },
+ {
+ .callback = video_detect_force_native,
+- .ident = "Clevo NL5xRU",
++ .ident = "Clevo NL5xNU",
+ .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
+- DMI_MATCH(DMI_BOARD_NAME, "AURA1501"),
++ DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"),
+ },
+ },
++ /*
++ * The TongFang PF5PU1G, PF4NU1F, PF5NU1G, and PF5LUXG/TUXEDO BA15 Gen10,
++ * Pulse 14/15 Gen1, and Pulse 15 Gen2 have the same problem as the Clevo
++ * NL5xRU and NL5xNU/TUXEDO Aura 15 Gen1 and Gen2. See the description
++ * above.
++ */
+ {
+ .callback = video_detect_force_native,
+- .ident = "Clevo NL5xRU",
++ .ident = "TongFang PF5PU1G",
+ .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
+- DMI_MATCH(DMI_BOARD_NAME, "EDUBOOK1502"),
++ DMI_MATCH(DMI_BOARD_NAME, "PF5PU1G"),
+ },
+ },
+ {
+ .callback = video_detect_force_native,
+- .ident = "Clevo NL5xNU",
++ .ident = "TongFang PF4NU1F",
++ .matches = {
++ DMI_MATCH(DMI_BOARD_NAME, "PF4NU1F"),
++ },
++ },
++ {
++ .callback = video_detect_force_native,
++ .ident = "TongFang PF4NU1F",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
+- DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"),
++ DMI_MATCH(DMI_BOARD_NAME, "PULSE1401"),
+ },
+ },
+ {
+ .callback = video_detect_force_native,
+- .ident = "Clevo NL5xNU",
++ .ident = "TongFang PF5NU1G",
+ .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "SchenkerTechnologiesGmbH"),
+- DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"),
++ DMI_MATCH(DMI_BOARD_NAME, "PF5NU1G"),
+ },
+ },
+ {
+ .callback = video_detect_force_native,
+- .ident = "Clevo NL5xNU",
++ .ident = "TongFang PF5NU1G",
+ .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
+- DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"),
++ DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
++ DMI_MATCH(DMI_BOARD_NAME, "PULSE1501"),
++ },
++ },
++ {
++ .callback = video_detect_force_native,
++ .ident = "TongFang PF5LUXG",
++ .matches = {
++ DMI_MATCH(DMI_BOARD_NAME, "PF5LUXG"),
+ },
+ },
+-
+ /*
+ * Desktops which falsely report a backlight and which our heuristics
+ * for this do not catch.
+diff --git a/drivers/bluetooth/btbcm.c b/drivers/bluetooth/btbcm.c
+index d9ceca7a7935c..a18f289d73466 100644
+--- a/drivers/bluetooth/btbcm.c
++++ b/drivers/bluetooth/btbcm.c
+@@ -453,6 +453,8 @@ static const struct bcm_subver_table bcm_uart_subver_table[] = {
+ { 0x6606, "BCM4345C5" }, /* 003.006.006 */
+ { 0x230f, "BCM4356A2" }, /* 001.003.015 */
+ { 0x220e, "BCM20702A1" }, /* 001.002.014 */
++ { 0x420d, "BCM4349B1" }, /* 002.002.013 */
++ { 0x420e, "BCM4349B1" }, /* 002.002.014 */
+ { 0x4217, "BCM4329B1" }, /* 002.002.023 */
+ { 0x6106, "BCM4359C0" }, /* 003.001.006 */
+ { 0x4106, "BCM4335A0" }, /* 002.001.006 */
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index a68edbc7be0ff..627436329b502 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -420,6 +420,18 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x04ca, 0x4006), .driver_info = BTUSB_REALTEK |
+ BTUSB_WIDEBAND_SPEECH },
+
++ /* Realtek 8852CE Bluetooth devices */
++ { USB_DEVICE(0x04ca, 0x4007), .driver_info = BTUSB_REALTEK |
++ BTUSB_WIDEBAND_SPEECH },
++ { USB_DEVICE(0x04c5, 0x1675), .driver_info = BTUSB_REALTEK |
++ BTUSB_WIDEBAND_SPEECH },
++ { USB_DEVICE(0x0cb8, 0xc558), .driver_info = BTUSB_REALTEK |
++ BTUSB_WIDEBAND_SPEECH },
++ { USB_DEVICE(0x13d3, 0x3587), .driver_info = BTUSB_REALTEK |
++ BTUSB_WIDEBAND_SPEECH },
++ { USB_DEVICE(0x13d3, 0x3586), .driver_info = BTUSB_REALTEK |
++ BTUSB_WIDEBAND_SPEECH },
++
+ /* Realtek Bluetooth devices */
+ { USB_VENDOR_AND_INTERFACE_INFO(0x0bda, 0xe0, 0x01, 0x01),
+ .driver_info = BTUSB_REALTEK },
+@@ -459,6 +471,9 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x0489, 0xe0d9), .driver_info = BTUSB_MEDIATEK |
+ BTUSB_WIDEBAND_SPEECH |
+ BTUSB_VALID_LE_STATES },
++ { USB_DEVICE(0x13d3, 0x3568), .driver_info = BTUSB_MEDIATEK |
++ BTUSB_WIDEBAND_SPEECH |
++ BTUSB_VALID_LE_STATES },
+
+ /* Additional Realtek 8723AE Bluetooth devices */
+ { USB_DEVICE(0x0930, 0x021d), .driver_info = BTUSB_REALTEK },
+diff --git a/drivers/bluetooth/hci_bcm.c b/drivers/bluetooth/hci_bcm.c
+index 7abf99f0ee399..cf622e4596055 100644
+--- a/drivers/bluetooth/hci_bcm.c
++++ b/drivers/bluetooth/hci_bcm.c
+@@ -1515,8 +1515,10 @@ static const struct of_device_id bcm_bluetooth_of_match[] = {
+ { .compatible = "brcm,bcm4345c5" },
+ { .compatible = "brcm,bcm4330-bt" },
+ { .compatible = "brcm,bcm43438-bt", .data = &bcm43438_device_data },
++ { .compatible = "brcm,bcm4349-bt", .data = &bcm43438_device_data },
+ { .compatible = "brcm,bcm43540-bt", .data = &bcm4354_device_data },
+ { .compatible = "brcm,bcm4335a0" },
++ { .compatible = "infineon,cyw55572-bt" },
+ { },
+ };
+ MODULE_DEVICE_TABLE(of, bcm_bluetooth_of_match);
+diff --git a/drivers/macintosh/adb.c b/drivers/macintosh/adb.c
+index 73b3961890397..afb0942ccc293 100644
+--- a/drivers/macintosh/adb.c
++++ b/drivers/macintosh/adb.c
+@@ -647,7 +647,7 @@ do_adb_query(struct adb_request *req)
+
+ switch(req->data[1]) {
+ case ADB_QUERY_GETDEVINFO:
+- if (req->nbytes < 3)
++ if (req->nbytes < 3 || req->data[2] >= 16)
+ break;
+ mutex_lock(&adb_handler_mutex);
+ req->reply[0] = adb_handler[req->data[2]].original_address;
+diff --git a/fs/btrfs/block-group.h b/fs/btrfs/block-group.h
+index 37e55ebde735b..d73db0dfacb26 100644
+--- a/fs/btrfs/block-group.h
++++ b/fs/btrfs/block-group.h
+@@ -98,6 +98,7 @@ struct btrfs_block_group {
+ unsigned int to_copy:1;
+ unsigned int relocating_repair:1;
+ unsigned int chunk_item_inserted:1;
++ unsigned int zoned_data_reloc_ongoing:1;
+
+ int disk_cache_state;
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index e3514f9a4e8dd..248ea15c97346 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -3804,7 +3804,7 @@ static int do_allocation_zoned(struct btrfs_block_group *block_group,
+ block_group->start == fs_info->data_reloc_bg ||
+ fs_info->data_reloc_bg == 0);
+
+- if (block_group->ro) {
++ if (block_group->ro || block_group->zoned_data_reloc_ongoing) {
+ ret = 1;
+ goto out;
+ }
+@@ -3865,8 +3865,24 @@ static int do_allocation_zoned(struct btrfs_block_group *block_group,
+ out:
+ if (ret && ffe_ctl->for_treelog)
+ fs_info->treelog_bg = 0;
+- if (ret && ffe_ctl->for_data_reloc)
++ if (ret && ffe_ctl->for_data_reloc &&
++ fs_info->data_reloc_bg == block_group->start) {
++ /*
++ * Do not allow further allocations from this block group.
++ * Compared to increasing the ->ro, setting the
++ * ->zoned_data_reloc_ongoing flag still allows nocow
++ * writers to come in. See btrfs_inc_nocow_writers().
++ *
++ * We need to disable an allocation to avoid an allocation of
++ * regular (non-relocation data) extent. With mix of relocation
++ * extents and regular extents, we can dispatch WRITE commands
++ * (for relocation extents) and ZONE APPEND commands (for
++ * regular extents) at the same time to the same zone, which
++ * easily break the write pointer.
++ */
++ block_group->zoned_data_reloc_ongoing = 1;
+ fs_info->data_reloc_bg = 0;
++ }
+ spin_unlock(&fs_info->relocation_bg_lock);
+ spin_unlock(&fs_info->treelog_bg_lock);
+ spin_unlock(&block_group->lock);
+diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
+index b791e280af0ca..a90546b3107c5 100644
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -5152,13 +5152,14 @@ int extent_writepages(struct address_space *mapping,
+ */
+ btrfs_zoned_data_reloc_lock(BTRFS_I(inode));
+ ret = extent_write_cache_pages(mapping, wbc, &epd);
+- btrfs_zoned_data_reloc_unlock(BTRFS_I(inode));
+ ASSERT(ret <= 0);
+ if (ret < 0) {
++ btrfs_zoned_data_reloc_unlock(BTRFS_I(inode));
+ end_write_bio(&epd, ret);
+ return ret;
+ }
+ ret = flush_write_bio(&epd);
++ btrfs_zoned_data_reloc_unlock(BTRFS_I(inode));
+ return ret;
+ }
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index ea72620507901..1b4fee8a2f28b 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -3069,6 +3069,8 @@ static int btrfs_finish_ordered_io(struct btrfs_ordered_extent *ordered_extent)
+ ordered_extent->file_offset,
+ ordered_extent->file_offset +
+ logical_len);
++ btrfs_zoned_release_data_reloc_bg(fs_info, ordered_extent->disk_bytenr,
++ ordered_extent->disk_num_bytes);
+ } else {
+ BUG_ON(root == fs_info->tree_root);
+ ret = insert_ordered_extent_file_extent(trans, ordered_extent);
+diff --git a/fs/btrfs/zoned.c b/fs/btrfs/zoned.c
+index 574769f921a22..fc791f7c71428 100644
+--- a/fs/btrfs/zoned.c
++++ b/fs/btrfs/zoned.c
+@@ -1623,3 +1623,30 @@ void btrfs_free_zone_cache(struct btrfs_fs_info *fs_info)
+ }
+ mutex_unlock(&fs_devices->device_list_mutex);
+ }
++
++void btrfs_zoned_release_data_reloc_bg(struct btrfs_fs_info *fs_info, u64 logical,
++ u64 length)
++{
++ struct btrfs_block_group *block_group;
++
++ if (!btrfs_is_zoned(fs_info))
++ return;
++
++ block_group = btrfs_lookup_block_group(fs_info, logical);
++ /* It should be called on a previous data relocation block group. */
++ ASSERT(block_group && (block_group->flags & BTRFS_BLOCK_GROUP_DATA));
++
++ spin_lock(&block_group->lock);
++ if (!block_group->zoned_data_reloc_ongoing)
++ goto out;
++
++ /* All relocation extents are written. */
++ if (block_group->start + block_group->alloc_offset == logical + length) {
++ /* Now, release this block group for further allocations. */
++ block_group->zoned_data_reloc_ongoing = 0;
++ }
++
++out:
++ spin_unlock(&block_group->lock);
++ btrfs_put_block_group(block_group);
++}
+diff --git a/fs/btrfs/zoned.h b/fs/btrfs/zoned.h
+index 3a826f7c20403..574490ea2cc87 100644
+--- a/fs/btrfs/zoned.h
++++ b/fs/btrfs/zoned.h
+@@ -70,6 +70,8 @@ struct btrfs_device *btrfs_zoned_get_device(struct btrfs_fs_info *fs_info,
+ u64 logical, u64 length);
+ void btrfs_clear_data_reloc_bg(struct btrfs_block_group *bg);
+ void btrfs_free_zone_cache(struct btrfs_fs_info *fs_info);
++void btrfs_zoned_release_data_reloc_bg(struct btrfs_fs_info *fs_info, u64 logical,
++ u64 length);
+ #else /* CONFIG_BLK_DEV_ZONED */
+ static inline int btrfs_get_dev_zone(struct btrfs_device *device, u64 pos,
+ struct blk_zone *zone)
+@@ -207,6 +209,9 @@ static inline struct btrfs_device *btrfs_zoned_get_device(
+ static inline void btrfs_clear_data_reloc_bg(struct btrfs_block_group *bg) { }
+
+ static inline void btrfs_free_zone_cache(struct btrfs_fs_info *fs_info) { }
++
++static inline void btrfs_zoned_release_data_reloc_bg(struct btrfs_fs_info *fs_info,
++ u64 logical, u64 length) { }
+ #endif
+
+ static inline bool btrfs_dev_is_sequential(struct btrfs_device *device, u64 pos)
+diff --git a/include/linux/ioprio.h b/include/linux/ioprio.h
+index 3f53bc27a19bf..3d088a88f8320 100644
+--- a/include/linux/ioprio.h
++++ b/include/linux/ioprio.h
+@@ -11,7 +11,7 @@
+ /*
+ * Default IO priority.
+ */
+-#define IOPRIO_DEFAULT IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, IOPRIO_BE_NORM)
++#define IOPRIO_DEFAULT IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, 0)
+
+ /*
+ * Check that a priority value has a valid class.
+diff --git a/tools/arch/x86/include/asm/cpufeatures.h b/tools/arch/x86/include/asm/cpufeatures.h
+index 3781a7f489ef3..bcaedfe60572f 100644
+--- a/tools/arch/x86/include/asm/cpufeatures.h
++++ b/tools/arch/x86/include/asm/cpufeatures.h
+@@ -300,6 +300,7 @@
+ #define X86_FEATURE_RETPOLINE_LFENCE (11*32+13) /* "" Use LFENCE for Spectre variant 2 */
+ #define X86_FEATURE_RETHUNK (11*32+14) /* "" Use REturn THUNK */
+ #define X86_FEATURE_UNRET (11*32+15) /* "" AMD BTB untrain return */
++#define X86_FEATURE_RSB_VMEXIT_LITE (11*32+17) /* "" Fill RSB on VM-Exit when EIBRS is enabled */
+
+ /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
+ #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */
+diff --git a/tools/arch/x86/include/asm/msr-index.h b/tools/arch/x86/include/asm/msr-index.h
+index ec2967e7249f5..8f38265bc81dc 100644
+--- a/tools/arch/x86/include/asm/msr-index.h
++++ b/tools/arch/x86/include/asm/msr-index.h
+@@ -148,6 +148,10 @@
+ * are restricted to targets in
+ * kernel.
+ */
++#define ARCH_CAP_PBRSB_NO BIT(24) /*
++ * Not susceptible to Post-Barrier
++ * Return Stack Buffer Predictions.
++ */
+
+ #define MSR_IA32_FLUSH_CMD 0x0000010b
+ #define L1D_FLUSH BIT(0) /*
+diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
+index e2c8f946c5416..8330e3ca8fbfb 100644
+--- a/tools/include/uapi/linux/bpf.h
++++ b/tools/include/uapi/linux/bpf.h
+@@ -5347,7 +5347,8 @@ struct bpf_sock {
+ __u32 src_ip4;
+ __u32 src_ip6[4];
+ __u32 src_port; /* host byte order */
+- __u32 dst_port; /* network byte order */
++ __be16 dst_port; /* network byte order */
++ __u16 :16; /* zero padding */
+ __u32 dst_ip4;
+ __u32 dst_ip6[4];
+ __u32 state;
+diff --git a/tools/kvm/kvm_stat/kvm_stat b/tools/kvm/kvm_stat/kvm_stat
+index 5a5bd74f55bd5..9c366b3a676db 100755
+--- a/tools/kvm/kvm_stat/kvm_stat
++++ b/tools/kvm/kvm_stat/kvm_stat
+@@ -1646,7 +1646,8 @@ Press any other key to refresh statistics immediately.
+ .format(values))
+ if len(pids) > 1:
+ sys.exit('Error: Multiple processes found (pids: {}). Use "-p"'
+- ' to specify the desired pid'.format(" ".join(pids)))
++ ' to specify the desired pid'
++ .format(" ".join(map(str, pids))))
+ namespace.pid = pids[0]
+
+ argparser = argparse.ArgumentParser(description=description_text,
+diff --git a/tools/testing/selftests/bpf/prog_tests/sock_fields.c b/tools/testing/selftests/bpf/prog_tests/sock_fields.c
+index 577d619fb07ed..197ec1d1b7026 100644
+--- a/tools/testing/selftests/bpf/prog_tests/sock_fields.c
++++ b/tools/testing/selftests/bpf/prog_tests/sock_fields.c
+@@ -1,9 +1,11 @@
+ // SPDX-License-Identifier: GPL-2.0
+ /* Copyright (c) 2019 Facebook */
+
++#define _GNU_SOURCE
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+ #include <unistd.h>
++#include <sched.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <errno.h>
+@@ -21,6 +23,7 @@
+ enum bpf_linum_array_idx {
+ EGRESS_LINUM_IDX,
+ INGRESS_LINUM_IDX,
++ READ_SK_DST_PORT_LINUM_IDX,
+ __NR_BPF_LINUM_ARRAY_IDX,
+ };
+
+@@ -43,8 +46,16 @@ static __u64 child_cg_id;
+ static int linum_map_fd;
+ static __u32 duration;
+
+-static __u32 egress_linum_idx = EGRESS_LINUM_IDX;
+-static __u32 ingress_linum_idx = INGRESS_LINUM_IDX;
++static bool create_netns(void)
++{
++ if (!ASSERT_OK(unshare(CLONE_NEWNET), "create netns"))
++ return false;
++
++ if (!ASSERT_OK(system("ip link set dev lo up"), "bring up lo"))
++ return false;
++
++ return true;
++}
+
+ static void print_sk(const struct bpf_sock *sk, const char *prefix)
+ {
+@@ -92,19 +103,24 @@ static void check_result(void)
+ {
+ struct bpf_tcp_sock srv_tp, cli_tp, listen_tp;
+ struct bpf_sock srv_sk, cli_sk, listen_sk;
+- __u32 ingress_linum, egress_linum;
++ __u32 idx, ingress_linum, egress_linum, linum;
+ int err;
+
+- err = bpf_map_lookup_elem(linum_map_fd, &egress_linum_idx,
+- &egress_linum);
++ idx = EGRESS_LINUM_IDX;
++ err = bpf_map_lookup_elem(linum_map_fd, &idx, &egress_linum);
+ CHECK(err < 0, "bpf_map_lookup_elem(linum_map_fd)",
+ "err:%d errno:%d\n", err, errno);
+
+- err = bpf_map_lookup_elem(linum_map_fd, &ingress_linum_idx,
+- &ingress_linum);
++ idx = INGRESS_LINUM_IDX;
++ err = bpf_map_lookup_elem(linum_map_fd, &idx, &ingress_linum);
+ CHECK(err < 0, "bpf_map_lookup_elem(linum_map_fd)",
+ "err:%d errno:%d\n", err, errno);
+
++ idx = READ_SK_DST_PORT_LINUM_IDX;
++ err = bpf_map_lookup_elem(linum_map_fd, &idx, &linum);
++ ASSERT_OK(err, "bpf_map_lookup_elem(linum_map_fd, READ_SK_DST_PORT_IDX)");
++ ASSERT_EQ(linum, 0, "failure in read_sk_dst_port on line");
++
+ memcpy(&srv_sk, &skel->bss->srv_sk, sizeof(srv_sk));
+ memcpy(&srv_tp, &skel->bss->srv_tp, sizeof(srv_tp));
+ memcpy(&cli_sk, &skel->bss->cli_sk, sizeof(cli_sk));
+@@ -263,7 +279,7 @@ static void test(void)
+ char buf[DATA_LEN];
+
+ /* Prepare listen_fd */
+- listen_fd = start_server(AF_INET6, SOCK_STREAM, "::1", 0, 0);
++ listen_fd = start_server(AF_INET6, SOCK_STREAM, "::1", 0xcafe, 0);
+ /* start_server() has logged the error details */
+ if (CHECK_FAIL(listen_fd == -1))
+ goto done;
+@@ -331,8 +347,12 @@ done:
+
+ void test_sock_fields(void)
+ {
+- struct bpf_link *egress_link = NULL, *ingress_link = NULL;
+ int parent_cg_fd = -1, child_cg_fd = -1;
++ struct bpf_link *link;
++
++ /* Use a dedicated netns to have a fixed listen port */
++ if (!create_netns())
++ return;
+
+ /* Create a cgroup, get fd, and join it */
+ parent_cg_fd = test__join_cgroup(PARENT_CGROUP);
+@@ -353,15 +373,20 @@ void test_sock_fields(void)
+ if (CHECK(!skel, "test_sock_fields__open_and_load", "failed\n"))
+ goto done;
+
+- egress_link = bpf_program__attach_cgroup(skel->progs.egress_read_sock_fields,
+- child_cg_fd);
+- if (!ASSERT_OK_PTR(egress_link, "attach_cgroup(egress)"))
++ link = bpf_program__attach_cgroup(skel->progs.egress_read_sock_fields, child_cg_fd);
++ if (!ASSERT_OK_PTR(link, "attach_cgroup(egress_read_sock_fields)"))
++ goto done;
++ skel->links.egress_read_sock_fields = link;
++
++ link = bpf_program__attach_cgroup(skel->progs.ingress_read_sock_fields, child_cg_fd);
++ if (!ASSERT_OK_PTR(link, "attach_cgroup(ingress_read_sock_fields)"))
+ goto done;
++ skel->links.ingress_read_sock_fields = link;
+
+- ingress_link = bpf_program__attach_cgroup(skel->progs.ingress_read_sock_fields,
+- child_cg_fd);
+- if (!ASSERT_OK_PTR(ingress_link, "attach_cgroup(ingress)"))
++ link = bpf_program__attach_cgroup(skel->progs.read_sk_dst_port, child_cg_fd);
++ if (!ASSERT_OK_PTR(link, "attach_cgroup(read_sk_dst_port"))
+ goto done;
++ skel->links.read_sk_dst_port = link;
+
+ linum_map_fd = bpf_map__fd(skel->maps.linum_map);
+ sk_pkt_out_cnt_fd = bpf_map__fd(skel->maps.sk_pkt_out_cnt);
+@@ -370,8 +395,7 @@ void test_sock_fields(void)
+ test();
+
+ done:
+- bpf_link__destroy(egress_link);
+- bpf_link__destroy(ingress_link);
++ test_sock_fields__detach(skel);
+ test_sock_fields__destroy(skel);
+ if (child_cg_fd >= 0)
+ close(child_cg_fd);
+diff --git a/tools/testing/selftests/bpf/progs/test_sock_fields.c b/tools/testing/selftests/bpf/progs/test_sock_fields.c
+index 7967348b11af6..43b31aa1fcf72 100644
+--- a/tools/testing/selftests/bpf/progs/test_sock_fields.c
++++ b/tools/testing/selftests/bpf/progs/test_sock_fields.c
+@@ -12,6 +12,7 @@
+ enum bpf_linum_array_idx {
+ EGRESS_LINUM_IDX,
+ INGRESS_LINUM_IDX,
++ READ_SK_DST_PORT_LINUM_IDX,
+ __NR_BPF_LINUM_ARRAY_IDX,
+ };
+
+@@ -250,4 +251,48 @@ int ingress_read_sock_fields(struct __sk_buff *skb)
+ return CG_OK;
+ }
+
++static __noinline bool sk_dst_port__load_word(struct bpf_sock *sk)
++{
++ __u32 *word = (__u32 *)&sk->dst_port;
++ return word[0] == bpf_htonl(0xcafe0000);
++}
++
++static __noinline bool sk_dst_port__load_half(struct bpf_sock *sk)
++{
++ __u16 *half = (__u16 *)&sk->dst_port;
++ return half[0] == bpf_htons(0xcafe);
++}
++
++static __noinline bool sk_dst_port__load_byte(struct bpf_sock *sk)
++{
++ __u8 *byte = (__u8 *)&sk->dst_port;
++ return byte[0] == 0xca && byte[1] == 0xfe;
++}
++
++SEC("cgroup_skb/egress")
++int read_sk_dst_port(struct __sk_buff *skb)
++{
++ __u32 linum, linum_idx;
++ struct bpf_sock *sk;
++
++ linum_idx = READ_SK_DST_PORT_LINUM_IDX;
++
++ sk = skb->sk;
++ if (!sk)
++ RET_LOG();
++
++ /* Ignore everything but the SYN from the client socket */
++ if (sk->state != BPF_TCP_SYN_SENT)
++ return CG_OK;
++
++ if (!sk_dst_port__load_word(sk))
++ RET_LOG();
++ if (!sk_dst_port__load_half(sk))
++ RET_LOG();
++ if (!sk_dst_port__load_byte(sk))
++ RET_LOG();
++
++ return CG_OK;
++}
++
+ char _license[] SEC("license") = "GPL";
+diff --git a/tools/testing/selftests/bpf/verifier/sock.c b/tools/testing/selftests/bpf/verifier/sock.c
+index ce13ece08d51c..8c224eac93df7 100644
+--- a/tools/testing/selftests/bpf/verifier/sock.c
++++ b/tools/testing/selftests/bpf/verifier/sock.c
+@@ -121,7 +121,25 @@
+ .result = ACCEPT,
+ },
+ {
+- "sk_fullsock(skb->sk): sk->dst_port [narrow load]",
++ "sk_fullsock(skb->sk): sk->dst_port [word load] (backward compatibility)",
++ .insns = {
++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port)),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ },
++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
++ .result = ACCEPT,
++},
++{
++ "sk_fullsock(skb->sk): sk->dst_port [half load]",
+ .insns = {
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
+ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
+@@ -139,7 +157,64 @@
+ .result = ACCEPT,
+ },
+ {
+- "sk_fullsock(skb->sk): sk->dst_port [load 2nd byte]",
++ "sk_fullsock(skb->sk): sk->dst_port [half load] (invalid)",
++ .insns = {
++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ },
++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
++ .result = REJECT,
++ .errstr = "invalid sock access",
++},
++{
++ "sk_fullsock(skb->sk): sk->dst_port [byte load]",
++ .insns = {
++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, dst_port)),
++ BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 1),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ },
++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
++ .result = ACCEPT,
++},
++{
++ "sk_fullsock(skb->sk): sk->dst_port [byte load] (invalid)",
++ .insns = {
++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ },
++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
++ .result = REJECT,
++ .errstr = "invalid sock access",
++},
++{
++ "sk_fullsock(skb->sk): past sk->dst_port [half load] (invalid)",
+ .insns = {
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
+ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
+@@ -149,7 +224,7 @@
+ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+- BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 1),
++ BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetofend(struct bpf_sock, dst_port)),
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+diff --git a/tools/testing/selftests/kvm/lib/aarch64/ucall.c b/tools/testing/selftests/kvm/lib/aarch64/ucall.c
+index e0b0164e9af85..be1d9728c4cea 100644
+--- a/tools/testing/selftests/kvm/lib/aarch64/ucall.c
++++ b/tools/testing/selftests/kvm/lib/aarch64/ucall.c
+@@ -73,20 +73,19 @@ void ucall_uninit(struct kvm_vm *vm)
+
+ void ucall(uint64_t cmd, int nargs, ...)
+ {
+- struct ucall uc = {
+- .cmd = cmd,
+- };
++ struct ucall uc = {};
+ va_list va;
+ int i;
+
++ WRITE_ONCE(uc.cmd, cmd);
+ nargs = nargs <= UCALL_MAX_ARGS ? nargs : UCALL_MAX_ARGS;
+
+ va_start(va, nargs);
+ for (i = 0; i < nargs; ++i)
+- uc.args[i] = va_arg(va, uint64_t);
++ WRITE_ONCE(uc.args[i], va_arg(va, uint64_t));
+ va_end(va);
+
+- *ucall_exit_mmio_addr = (vm_vaddr_t)&uc;
++ WRITE_ONCE(*ucall_exit_mmio_addr, (vm_vaddr_t)&uc);
+ }
+
+ uint64_t get_ucall(struct kvm_vm *vm, uint32_t vcpu_id, struct ucall *uc)
+diff --git a/tools/testing/selftests/kvm/x86_64/hyperv_clock.c b/tools/testing/selftests/kvm/x86_64/hyperv_clock.c
+index e0b2bb1339b16..3330fb183c680 100644
+--- a/tools/testing/selftests/kvm/x86_64/hyperv_clock.c
++++ b/tools/testing/selftests/kvm/x86_64/hyperv_clock.c
+@@ -44,7 +44,7 @@ static inline void nop_loop(void)
+ {
+ int i;
+
+- for (i = 0; i < 1000000; i++)
++ for (i = 0; i < 100000000; i++)
+ asm volatile("nop");
+ }
+
+@@ -56,12 +56,14 @@ static inline void check_tsc_msr_rdtsc(void)
+ tsc_freq = rdmsr(HV_X64_MSR_TSC_FREQUENCY);
+ GUEST_ASSERT(tsc_freq > 0);
+
+- /* First, check MSR-based clocksource */
++ /* For increased accuracy, take mean rdtsc() before and afrer rdmsr() */
+ r1 = rdtsc();
+ t1 = rdmsr(HV_X64_MSR_TIME_REF_COUNT);
++ r1 = (r1 + rdtsc()) / 2;
+ nop_loop();
+ r2 = rdtsc();
+ t2 = rdmsr(HV_X64_MSR_TIME_REF_COUNT);
++ r2 = (r2 + rdtsc()) / 2;
+
+ GUEST_ASSERT(r2 > r1 && t2 > t1);
+
+@@ -181,12 +183,14 @@ static void host_check_tsc_msr_rdtsc(struct kvm_vm *vm)
+ tsc_freq = vcpu_get_msr(vm, VCPU_ID, HV_X64_MSR_TSC_FREQUENCY);
+ TEST_ASSERT(tsc_freq > 0, "TSC frequency must be nonzero");
+
+- /* First, check MSR-based clocksource */
++ /* For increased accuracy, take mean rdtsc() before and afrer ioctl */
+ r1 = rdtsc();
+ t1 = vcpu_get_msr(vm, VCPU_ID, HV_X64_MSR_TIME_REF_COUNT);
++ r1 = (r1 + rdtsc()) / 2;
+ nop_loop();
+ r2 = rdtsc();
+ t2 = vcpu_get_msr(vm, VCPU_ID, HV_X64_MSR_TIME_REF_COUNT);
++ r2 = (r2 + rdtsc()) / 2;
+
+ TEST_ASSERT(t2 > t1, "Time reference MSR is not monotonic (%ld <= %ld)", t1, t2);
+
+diff --git a/tools/vm/slabinfo.c b/tools/vm/slabinfo.c
+index 9b68658b6bb85..5b98f3ee58a58 100644
+--- a/tools/vm/slabinfo.c
++++ b/tools/vm/slabinfo.c
+@@ -233,6 +233,24 @@ static unsigned long read_slab_obj(struct slabinfo *s, const char *name)
+ return l;
+ }
+
++static unsigned long read_debug_slab_obj(struct slabinfo *s, const char *name)
++{
++ char x[128];
++ FILE *f;
++ size_t l;
++
++ snprintf(x, 128, "/sys/kernel/debug/slab/%s/%s", s->name, name);
++ f = fopen(x, "r");
++ if (!f) {
++ buffer[0] = 0;
++ l = 0;
++ } else {
++ l = fread(buffer, 1, sizeof(buffer), f);
++ buffer[l] = 0;
++ fclose(f);
++ }
++ return l;
++}
+
+ /*
+ * Put a size string together
+@@ -409,14 +427,18 @@ static void show_tracking(struct slabinfo *s)
+ {
+ printf("\n%s: Kernel object allocation\n", s->name);
+ printf("-----------------------------------------------------------------------\n");
+- if (read_slab_obj(s, "alloc_calls"))
++ if (read_debug_slab_obj(s, "alloc_traces"))
++ printf("%s", buffer);
++ else if (read_slab_obj(s, "alloc_calls"))
+ printf("%s", buffer);
+ else
+ printf("No Data\n");
+
+ printf("\n%s: Kernel object freeing\n", s->name);
+ printf("------------------------------------------------------------------------\n");
+- if (read_slab_obj(s, "free_calls"))
++ if (read_debug_slab_obj(s, "free_traces"))
++ printf("%s", buffer);
++ else if (read_slab_obj(s, "free_calls"))
+ printf("%s", buffer);
+ else
+ printf("No Data\n");
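
---
Editor's note, not part of the patch: the bugs.c hunk above appends a "PBRSB-eIBRS" field to the spectre_v2 sysfs report. As a quick way to see what a running kernel reports after this update, here is a minimal C sketch; the sysfs path is the standard one populated by spectre_v2_show_state(), while the program itself is purely illustrative.

#include <stdio.h>
#include <string.h>

/* File written by the kernel's spectre_v2_show_state(); on 5.15.60+
 * its single line gains a ", PBRSB-eIBRS: ..." field on affected CPUs. */
#define SPECTRE_V2_SYSFS "/sys/devices/system/cpu/vulnerabilities/spectre_v2"

int main(void)
{
	char line[512] = "";
	FILE *f = fopen(SPECTRE_V2_SYSFS, "r");

	if (!f) {
		perror("fopen");
		return 1;
	}
	if (fgets(line, sizeof(line), f))	/* the file is a single line */
		printf("spectre_v2: %s", line);
	fclose(f);

	/* Expected values per the spectre.rst hunk above: "SW sequence",
	 * "Vulnerable", or "Not affected". */
	if (strstr(line, "PBRSB-eIBRS"))
		printf("kernel reports PBRSB-eIBRS status (5.15.60+ behavior)\n");
	return 0;
}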