--- /dev/null
+From stable+bounces-151844-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:20 2025
+From: Pu Lehui <pulehui@huaweicloud.com>
+Date: Sat, 7 Jun 2025 15:25:19 +0000
+Subject: arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs
+To: stable@vger.kernel.org
+Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com
+Message-ID: <20250607152521.2828291-13-pulehui@huaweicloud.com>
+
+From: James Morse <james.morse@arm.com>
+
+[ Upstream commit 0dfefc2ea2f29ced2416017d7e5b1253a54c2735 ]
+
+A malicious BPF program may manipulate the branch history to influence
+what the hardware speculates will happen next.
+
+On exit from a BPF program, emit the BHB mititgation sequence.
+
+This is only applied for 'classic' cBPF programs that are loaded by
+seccomp.
+
+Signed-off-by: James Morse <james.morse@arm.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/spectre.h | 1
+ arch/arm64/kernel/proton-pack.c | 2 -
+ arch/arm64/net/bpf_jit_comp.c | 55 ++++++++++++++++++++++++++++++++++++---
+ 3 files changed, 53 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/include/asm/spectre.h
++++ b/arch/arm64/include/asm/spectre.h
+@@ -32,6 +32,7 @@ void spectre_v4_enable_task_mitigation(s
+
+ enum mitigation_state arm64_get_spectre_bhb_state(void);
+ bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, int scope);
++extern bool __nospectre_bhb;
+ u8 get_spectre_bhb_loop_value(void);
+ bool is_spectre_bhb_fw_mitigated(void);
+ void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *__unused);
+--- a/arch/arm64/kernel/proton-pack.c
++++ b/arch/arm64/kernel/proton-pack.c
+@@ -1088,7 +1088,7 @@ static void kvm_setup_bhb_slot(const cha
+ #endif /* CONFIG_KVM */
+
+ static bool spectre_bhb_fw_mitigated;
+-static bool __read_mostly __nospectre_bhb;
++bool __read_mostly __nospectre_bhb;
+ static int __init parse_spectre_bhb_param(char *str)
+ {
+ __nospectre_bhb = true;
+--- a/arch/arm64/net/bpf_jit_comp.c
++++ b/arch/arm64/net/bpf_jit_comp.c
+@@ -7,14 +7,17 @@
+
+ #define pr_fmt(fmt) "bpf_jit: " fmt
+
++#include <linux/arm-smccc.h>
+ #include <linux/bitfield.h>
+ #include <linux/bpf.h>
++#include <linux/cpu.h>
+ #include <linux/filter.h>
+ #include <linux/printk.h>
+ #include <linux/slab.h>
+
+ #include <asm/byteorder.h>
+ #include <asm/cacheflush.h>
++#include <asm/cpufeature.h>
+ #include <asm/debug-monitors.h>
+ #include <asm/set_memory.h>
+
+@@ -328,7 +331,48 @@ static int emit_bpf_tail_call(struct jit
+ #undef jmp_offset
+ }
+
+-static void build_epilogue(struct jit_ctx *ctx)
++/* Clobbers BPF registers 1-4, aka x0-x3 */
++static void __maybe_unused build_bhb_mitigation(struct jit_ctx *ctx)
++{
++ const u8 r1 = bpf2a64[BPF_REG_1]; /* aka x0 */
++ u8 k = get_spectre_bhb_loop_value();
++
++ if (!IS_ENABLED(CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY) ||
++ cpu_mitigations_off() || __nospectre_bhb ||
++ arm64_get_spectre_v2_state() == SPECTRE_VULNERABLE)
++ return;
++
++ if (supports_clearbhb(SCOPE_SYSTEM)) {
++ emit(aarch64_insn_gen_hint(AARCH64_INSN_HINT_CLEARBHB), ctx);
++ return;
++ }
++
++ if (k) {
++ emit_a64_mov_i64(r1, k, ctx);
++ emit(A64_B(1), ctx);
++ emit(A64_SUBS_I(true, r1, r1, 1), ctx);
++ emit(A64_B_(A64_COND_NE, -2), ctx);
++ emit(aarch64_insn_gen_dsb(AARCH64_INSN_MB_ISH), ctx);
++ emit(aarch64_insn_get_isb_value(), ctx);
++ }
++
++ if (is_spectre_bhb_fw_mitigated()) {
++ emit(A64_ORR_I(false, r1, AARCH64_INSN_REG_ZR,
++ ARM_SMCCC_ARCH_WORKAROUND_3), ctx);
++ switch (arm_smccc_1_1_get_conduit()) {
++ case SMCCC_CONDUIT_HVC:
++ emit(aarch64_insn_get_hvc_value(), ctx);
++ break;
++ case SMCCC_CONDUIT_SMC:
++ emit(aarch64_insn_get_smc_value(), ctx);
++ break;
++ default:
++ pr_err_once("Firmware mitigation enabled with unknown conduit\n");
++ }
++ }
++}
++
++static void build_epilogue(struct jit_ctx *ctx, bool was_classic)
+ {
+ const u8 r0 = bpf2a64[BPF_REG_0];
+ const u8 r6 = bpf2a64[BPF_REG_6];
+@@ -347,10 +391,13 @@ static void build_epilogue(struct jit_ct
+ emit(A64_POP(r8, r9, A64_SP), ctx);
+ emit(A64_POP(r6, r7, A64_SP), ctx);
+
++ if (was_classic)
++ build_bhb_mitigation(ctx);
++
+ /* Restore FP/LR registers */
+ emit(A64_POP(A64_FP, A64_LR, A64_SP), ctx);
+
+- /* Set return value */
++ /* Move the return value from bpf:r0 (aka x7) to x0 */
+ emit(A64_MOV(1, A64_R(0), r0), ctx);
+
+ emit(A64_RET(A64_LR), ctx);
+@@ -1057,7 +1104,7 @@ struct bpf_prog *bpf_int_jit_compile(str
+ }
+
+ ctx.epilogue_offset = ctx.idx;
+- build_epilogue(&ctx);
++ build_epilogue(&ctx, was_classic);
+
+ extable_size = prog->aux->num_exentries *
+ sizeof(struct exception_table_entry);
+@@ -1089,7 +1136,7 @@ skip_init_ctx:
+ goto out_off;
+ }
+
+- build_epilogue(&ctx);
++ build_epilogue(&ctx, was_classic);
+
+ /* 3. Extra pass to validate JITed code. */
+ if (validate_code(&ctx)) {
--- /dev/null
+From stable+bounces-151859-greg=kroah.com@vger.kernel.org Sat Jun 7 17:41:37 2025
+From: Pu Lehui <pulehui@huaweicloud.com>
+Date: Sat, 7 Jun 2025 15:25:20 +0000
+Subject: arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users
+To: stable@vger.kernel.org
+Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com
+Message-ID: <20250607152521.2828291-14-pulehui@huaweicloud.com>
+
+From: James Morse <james.morse@arm.com>
+
+[ Upstream commit f300769ead032513a68e4a02e806393402e626f8 ]
+
+Support for eBPF programs loaded by unprivileged users is typically
+disabled. This means only cBPF programs need to be mitigated for BHB.
+
+In addition, only mitigate cBPF programs that were loaded by an
+unprivileged user. Privileged users can also load the same program
+via eBPF, making the mitigation pointless.
+
+Signed-off-by: James Morse <james.morse@arm.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/net/bpf_jit_comp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm64/net/bpf_jit_comp.c
++++ b/arch/arm64/net/bpf_jit_comp.c
+@@ -342,6 +342,9 @@ static void __maybe_unused build_bhb_mit
+ arm64_get_spectre_v2_state() == SPECTRE_VULNERABLE)
+ return;
+
++ if (capable(CAP_SYS_ADMIN))
++ return;
++
+ if (supports_clearbhb(SCOPE_SYSTEM)) {
+ emit(aarch64_insn_gen_hint(AARCH64_INSN_HINT_CLEARBHB), ctx);
+ return;
--- /dev/null
+From stable+bounces-151860-greg=kroah.com@vger.kernel.org Sat Jun 7 17:41:38 2025
+From: Pu Lehui <pulehui@huaweicloud.com>
+Date: Sat, 7 Jun 2025 15:25:14 +0000
+Subject: arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list
+To: stable@vger.kernel.org
+Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com
+Message-ID: <20250607152521.2828291-8-pulehui@huaweicloud.com>
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 0c9fc6e652cd5aed48c5f700c32b7642bea7f453 ]
+
+Qualcomm has confirmed that, much like Cortex A53 and A55, KRYO
+2XX/3XX/4XX silver cores are unaffected by Spectre BHB. Add them to
+the safe list.
+
+Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
+Cc: stable@vger.kernel.org
+Cc: Scott Bauer <sbauer@quicinc.com>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Acked-by: Trilok Soni <quic_tsoni@quicinc.com>
+Link: https://lore.kernel.org/r/20250107120555.v4.3.Iab8dbfb5c9b1e143e7a29f410bce5f9525a0ba32@changeid
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/proton-pack.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm64/kernel/proton-pack.c
++++ b/arch/arm64/kernel/proton-pack.c
+@@ -862,6 +862,9 @@ static bool is_spectre_bhb_safe(int scop
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A510),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A520),
+ MIDR_ALL_VERSIONS(MIDR_BRAHMA_B53),
++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_2XX_SILVER),
++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_3XX_SILVER),
++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_SILVER),
+ {},
+ };
+ static bool all_safe = true;
--- /dev/null
+From stable+bounces-151846-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:23 2025
+From: Pu Lehui <pulehui@huaweicloud.com>
+Date: Sat, 7 Jun 2025 15:25:16 +0000
+Subject: arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays
+To: stable@vger.kernel.org
+Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com
+Message-ID: <20250607152521.2828291-10-pulehui@huaweicloud.com>
+
+From: Will Deacon <will@kernel.org>
+
+[ Upstream commit fee4d171451c1ad9e8aaf65fc0ab7d143a33bd72 ]
+
+Commit a5951389e58d ("arm64: errata: Add newer ARM cores to the
+spectre_bhb_loop_affected() lists") added some additional CPUs to the
+Spectre-BHB workaround, including some new arrays for designs that
+require new 'k' values for the workaround to be effective.
+
+Unfortunately, the new arrays omitted the sentinel entry and so
+is_midr_in_range_list() will walk off the end when it doesn't find a
+match. With UBSAN enabled, this leads to a crash during boot when
+is_midr_in_range_list() is inlined (which was more common prior to
+c8c2647e69be ("arm64: Make _midr_in_range_list() an exported
+function")):
+
+ | Internal error: aarch64 BRK: 00000000f2000001 [#1] PREEMPT SMP
+ | pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ | pc : spectre_bhb_loop_affected+0x28/0x30
+ | lr : is_spectre_bhb_affected+0x170/0x190
+ | [...]
+ | Call trace:
+ | spectre_bhb_loop_affected+0x28/0x30
+ | update_cpu_capabilities+0xc0/0x184
+ | init_cpu_features+0x188/0x1a4
+ | cpuinfo_store_boot_cpu+0x4c/0x60
+ | smp_prepare_boot_cpu+0x38/0x54
+ | start_kernel+0x8c/0x478
+ | __primary_switched+0xc8/0xd4
+ | Code: 6b09011f 54000061 52801080 d65f03c0 (d4200020)
+ | ---[ end trace 0000000000000000 ]---
+ | Kernel panic - not syncing: aarch64 BRK: Fatal exception
+
+Add the missing sentinel entries.
+
+Cc: Lee Jones <lee@kernel.org>
+Cc: James Morse <james.morse@arm.com>
+Cc: Doug Anderson <dianders@chromium.org>
+Cc: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
+Cc: <stable@vger.kernel.org>
+Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Fixes: a5951389e58d ("arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists")
+Signed-off-by: Will Deacon <will@kernel.org>
+Reviewed-by: Lee Jones <lee@kernel.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20250501104747.28431-1-will@kernel.org
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/proton-pack.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/kernel/proton-pack.c
++++ b/arch/arm64/kernel/proton-pack.c
+@@ -887,10 +887,12 @@ static u8 spectre_bhb_loop_affected(void
+ static const struct midr_range spectre_bhb_k132_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X3),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
++ {},
+ };
+ static const struct midr_range spectre_bhb_k38_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A715),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A720),
++ {},
+ };
+ static const struct midr_range spectre_bhb_k32_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
--- /dev/null
+From stable+bounces-151843-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:18 2025
+From: Pu Lehui <pulehui@huaweicloud.com>
+Date: Sat, 7 Jun 2025 15:25:15 +0000
+Subject: arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists
+To: stable@vger.kernel.org
+Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com
+Message-ID: <20250607152521.2828291-9-pulehui@huaweicloud.com>
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit a5951389e58d2e816eed3dbec5877de9327fd881 ]
+
+When comparing to the ARM list [1], it appears that several ARM cores
+were missing from the lists in spectre_bhb_loop_affected(). Add them.
+
+NOTE: for some of these cores it may not matter since other ways of
+clearing the BHB may be used (like the CLRBHB instruction or ECBHB),
+but it still seems good to have all the info from ARM's whitepaper
+included.
+
+[1] https://developer.arm.com/Arm%20Security%20Center/Spectre-BHB
+
+Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
+Cc: stable@vger.kernel.org
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: James Morse <james.morse@arm.com>
+Link: https://lore.kernel.org/r/20250107120555.v4.5.I4a9a527e03f663040721c5401c41de587d015c82@changeid
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/proton-pack.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/proton-pack.c
++++ b/arch/arm64/kernel/proton-pack.c
+@@ -884,6 +884,14 @@ static u8 spectre_bhb_loop_affected(void
+ {
+ u8 k = 0;
+
++ static const struct midr_range spectre_bhb_k132_list[] = {
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X3),
++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
++ };
++ static const struct midr_range spectre_bhb_k38_list[] = {
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A715),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A720),
++ };
+ static const struct midr_range spectre_bhb_k32_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
+@@ -897,6 +905,7 @@ static u8 spectre_bhb_loop_affected(void
+ };
+ static const struct midr_range spectre_bhb_k24_list[] = {
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
+ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD),
+@@ -912,7 +921,11 @@ static u8 spectre_bhb_loop_affected(void
+ {},
+ };
+
+- if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list))
++ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k132_list))
++ k = 132;
++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k38_list))
++ k = 38;
++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list))
+ k = 32;
+ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list))
+ k = 24;
--- /dev/null
+From stable+bounces-151845-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:23 2025
+From: Pu Lehui <pulehui@huaweicloud.com>
+Date: Sat, 7 Jun 2025 15:25:13 +0000
+Subject: arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB
+To: stable@vger.kernel.org
+Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com
+Message-ID: <20250607152521.2828291-7-pulehui@huaweicloud.com>
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit e403e8538359d8580cbee1976ff71813e947101e ]
+
+The code for detecting CPUs that are vulnerable to Spectre BHB was
+based on a hardcoded list of CPU IDs that were known to be affected.
+Unfortunately, the list mostly only contained the IDs of standard ARM
+cores. The IDs for many cores that are minor variants of the standard
+ARM cores (like many Qualcomm Kyro CPUs) weren't listed. This led the
+code to assume that those variants were not affected.
+
+Flip the code on its head and instead assume that a core is vulnerable
+if it doesn't have CSV2_3 but is unrecognized as being safe. This
+involves creating a "Spectre BHB safe" list.
+
+As of right now, the only CPU IDs added to the "Spectre BHB safe" list
+are ARM Cortex A35, A53, A55, A510, and A520. This list was created by
+looking for cores that weren't listed in ARM's list [1] as per review
+feedback on v2 of this patch [2]. Additionally Brahma A53 is added as
+per mailing list feedback [3].
+
+NOTE: this patch will not actually _mitigate_ anyone, it will simply
+cause them to report themselves as vulnerable. If any cores in the
+system are reported as vulnerable but not mitigated then the whole
+system will be reported as vulnerable though the system will attempt
+to mitigate with the information it has about the known cores.
+
+[1] https://developer.arm.com/Arm%20Security%20Center/Spectre-BHB
+[2] https://lore.kernel.org/r/20241219175128.GA25477@willie-the-truck
+[3] https://lore.kernel.org/r/18dbd7d1-a46c-4112-a425-320c99f67a8d@broadcom.com
+
+Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
+Cc: stable@vger.kernel.org
+Reviewed-by: Julius Werner <jwerner@chromium.org>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20250107120555.v4.2.I2040fa004dafe196243f67ebcc647cbedbb516e6@changeid
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+[The conflicts were mainly due to LTS commit e192c8baa69a
+differ from mainline commit 558c303c9734]
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/spectre.h | 1
+ arch/arm64/kernel/proton-pack.c | 167 +++++++++++++++++++--------------------
+ 2 files changed, 84 insertions(+), 84 deletions(-)
+
+--- a/arch/arm64/include/asm/spectre.h
++++ b/arch/arm64/include/asm/spectre.h
+@@ -33,7 +33,6 @@ void spectre_v4_enable_task_mitigation(s
+ enum mitigation_state arm64_get_spectre_bhb_state(void);
+ bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, int scope);
+ bool is_spectre_bhb_fw_mitigated(void);
+-u8 spectre_bhb_loop_affected(int scope);
+ void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *__unused);
+ bool try_emulate_el1_ssbs(struct pt_regs *regs, u32 instr);
+ #endif /* __ASM_SPECTRE_H */
+--- a/arch/arm64/kernel/proton-pack.c
++++ b/arch/arm64/kernel/proton-pack.c
+@@ -853,53 +853,70 @@ enum mitigation_state arm64_get_spectre_
+ * This must be called with SCOPE_LOCAL_CPU for each type of CPU, before any
+ * SCOPE_SYSTEM call will give the right answer.
+ */
+-u8 spectre_bhb_loop_affected(int scope)
++static bool is_spectre_bhb_safe(int scope)
++{
++ static const struct midr_range spectre_bhb_safe_list[] = {
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A35),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A53),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A55),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A510),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A520),
++ MIDR_ALL_VERSIONS(MIDR_BRAHMA_B53),
++ {},
++ };
++ static bool all_safe = true;
++
++ if (scope != SCOPE_LOCAL_CPU)
++ return all_safe;
++
++ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_safe_list))
++ return true;
++
++ all_safe = false;
++
++ return false;
++}
++
++static u8 spectre_bhb_loop_affected(void)
+ {
+ u8 k = 0;
+- static u8 max_bhb_k;
+
+- if (scope == SCOPE_LOCAL_CPU) {
+- static const struct midr_range spectre_bhb_k32_list[] = {
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
+- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
+- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
+- {},
+- };
+- static const struct midr_range spectre_bhb_k24_list[] = {
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
+- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
+- MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD),
+- {},
+- };
+- static const struct midr_range spectre_bhb_k11_list[] = {
+- MIDR_ALL_VERSIONS(MIDR_AMPERE1),
+- {},
+- };
+- static const struct midr_range spectre_bhb_k8_list[] = {
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A72),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A57),
+- {},
+- };
+-
+- if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list))
+- k = 32;
+- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list))
+- k = 24;
+- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k11_list))
+- k = 11;
+- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list))
+- k = 8;
+-
+- max_bhb_k = max(max_bhb_k, k);
+- } else {
+- k = max_bhb_k;
+- }
++ static const struct midr_range spectre_bhb_k32_list[] = {
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
++ {},
++ };
++ static const struct midr_range spectre_bhb_k24_list[] = {
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD),
++ {},
++ };
++ static const struct midr_range spectre_bhb_k11_list[] = {
++ MIDR_ALL_VERSIONS(MIDR_AMPERE1),
++ {},
++ };
++ static const struct midr_range spectre_bhb_k8_list[] = {
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A72),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A57),
++ {},
++ };
++
++ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list))
++ k = 32;
++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list))
++ k = 24;
++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k11_list))
++ k = 11;
++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list))
++ k = 8;
+
+ return k;
+ }
+@@ -925,29 +942,13 @@ static enum mitigation_state spectre_bhb
+ }
+ }
+
+-static bool is_spectre_bhb_fw_affected(int scope)
++static bool has_spectre_bhb_fw_mitigation(void)
+ {
+- static bool system_affected;
+ enum mitigation_state fw_state;
+ bool has_smccc = arm_smccc_1_1_get_conduit() != SMCCC_CONDUIT_NONE;
+- static const struct midr_range spectre_bhb_firmware_mitigated_list[] = {
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A73),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A75),
+- {},
+- };
+- bool cpu_in_list = is_midr_in_range_list(read_cpuid_id(),
+- spectre_bhb_firmware_mitigated_list);
+-
+- if (scope != SCOPE_LOCAL_CPU)
+- return system_affected;
+
+ fw_state = spectre_bhb_get_cpu_fw_mitigation_state();
+- if (cpu_in_list || (has_smccc && fw_state == SPECTRE_MITIGATED)) {
+- system_affected = true;
+- return true;
+- }
+-
+- return false;
++ return has_smccc && fw_state == SPECTRE_MITIGATED;
+ }
+
+ static bool supports_ecbhb(int scope)
+@@ -963,6 +964,8 @@ static bool supports_ecbhb(int scope)
+ ID_AA64MMFR1_ECBHB_SHIFT);
+ }
+
++static u8 max_bhb_k;
++
+ bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry,
+ int scope)
+ {
+@@ -971,16 +974,18 @@ bool is_spectre_bhb_affected(const struc
+ if (supports_csv2p3(scope))
+ return false;
+
+- if (supports_clearbhb(scope))
+- return true;
+-
+- if (spectre_bhb_loop_affected(scope))
+- return true;
++ if (is_spectre_bhb_safe(scope))
++ return false;
+
+- if (is_spectre_bhb_fw_affected(scope))
+- return true;
++ /*
++ * At this point the core isn't known to be "safe" so we're going to
++ * assume it's vulnerable. We still need to update `max_bhb_k` though,
++ * but only if we aren't mitigating with clearbhb though.
++ */
++ if (scope == SCOPE_LOCAL_CPU && !supports_clearbhb(SCOPE_LOCAL_CPU))
++ max_bhb_k = max(max_bhb_k, spectre_bhb_loop_affected());
+
+- return false;
++ return true;
+ }
+
+ static void this_cpu_set_vectors(enum arm64_bp_harden_el1_vectors slot)
+@@ -1063,7 +1068,7 @@ static bool spectre_bhb_fw_mitigated;
+
+ void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *entry)
+ {
+- enum mitigation_state fw_state, state = SPECTRE_VULNERABLE;
++ enum mitigation_state state = SPECTRE_VULNERABLE;
+
+ if (!is_spectre_bhb_affected(entry, SCOPE_LOCAL_CPU))
+ return;
+@@ -1081,8 +1086,8 @@ void spectre_bhb_enable_mitigation(const
+ this_cpu_set_vectors(EL1_VECTOR_BHB_CLEAR_INSN);
+
+ state = SPECTRE_MITIGATED;
+- } else if (spectre_bhb_loop_affected(SCOPE_LOCAL_CPU)) {
+- switch (spectre_bhb_loop_affected(SCOPE_SYSTEM)) {
++ } else if (spectre_bhb_loop_affected()) {
++ switch (max_bhb_k) {
+ case 8:
+ kvm_setup_bhb_slot(__spectre_bhb_loop_k8);
+ break;
+@@ -1098,15 +1103,12 @@ void spectre_bhb_enable_mitigation(const
+ this_cpu_set_vectors(EL1_VECTOR_BHB_LOOP);
+
+ state = SPECTRE_MITIGATED;
+- } else if (is_spectre_bhb_fw_affected(SCOPE_LOCAL_CPU)) {
+- fw_state = spectre_bhb_get_cpu_fw_mitigation_state();
+- if (fw_state == SPECTRE_MITIGATED) {
+- kvm_setup_bhb_slot(__smccc_workaround_3_smc);
+- this_cpu_set_vectors(EL1_VECTOR_BHB_FW);
++ } else if (has_spectre_bhb_fw_mitigation()) {
++ kvm_setup_bhb_slot(__smccc_workaround_3_smc);
++ this_cpu_set_vectors(EL1_VECTOR_BHB_FW);
+
+- state = SPECTRE_MITIGATED;
+- spectre_bhb_fw_mitigated = true;
+- }
++ state = SPECTRE_MITIGATED;
++ spectre_bhb_fw_mitigated = true;
+ }
+
+ update_mitigation_state(&spectre_bhb_state, state);
+@@ -1123,7 +1125,6 @@ void noinstr spectre_bhb_patch_loop_iter
+ {
+ u8 rd;
+ u32 insn;
+- u16 loop_count = spectre_bhb_loop_affected(SCOPE_SYSTEM);
+
+ BUG_ON(nr_inst != 1); /* MOV -> MOV */
+
+@@ -1132,7 +1133,7 @@ void noinstr spectre_bhb_patch_loop_iter
+
+ insn = le32_to_cpu(*origptr);
+ rd = aarch64_insn_decode_register(AARCH64_INSN_REGTYPE_RD, insn);
+- insn = aarch64_insn_gen_movewide(rd, loop_count, 0,
++ insn = aarch64_insn_gen_movewide(rd, max_bhb_k, 0,
+ AARCH64_INSN_VARIANT_64BIT,
+ AARCH64_INSN_MOVEWIDE_ZERO);
+ *updptr++ = cpu_to_le32(insn);
--- /dev/null
+From stable+bounces-151840-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:16 2025
+From: Pu Lehui <pulehui@huaweicloud.com>
+Date: Sat, 7 Jun 2025 15:25:08 +0000
+Subject: arm64: insn: Add barrier encodings
+To: stable@vger.kernel.org
+Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com
+Message-ID: <20250607152521.2828291-2-pulehui@huaweicloud.com>
+
+From: Julien Thierry <jthierry@redhat.com>
+
+[ Upstream commit d4b217330d7e0320084ff04c8491964f1f68980a ]
+
+Create necessary functions to encode/decode aarch64 barrier
+instructions.
+
+DSB needs special case handling as it has multiple encodings.
+
+Signed-off-by: Julien Thierry <jthierry@redhat.com>
+Link: https://lore.kernel.org/r/20210303170536.1838032-7-jthierry@redhat.com
+[will: Don't reject DSB #4]
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/insn.h | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/arch/arm64/include/asm/insn.h
++++ b/arch/arm64/include/asm/insn.h
+@@ -370,6 +370,14 @@ __AARCH64_INSN_FUNCS(eret_auth, 0xFFFFFB
+ __AARCH64_INSN_FUNCS(mrs, 0xFFF00000, 0xD5300000)
+ __AARCH64_INSN_FUNCS(msr_imm, 0xFFF8F01F, 0xD500401F)
+ __AARCH64_INSN_FUNCS(msr_reg, 0xFFF00000, 0xD5100000)
++__AARCH64_INSN_FUNCS(dmb, 0xFFFFF0FF, 0xD50330BF)
++__AARCH64_INSN_FUNCS(dsb_base, 0xFFFFF0FF, 0xD503309F)
++__AARCH64_INSN_FUNCS(dsb_nxs, 0xFFFFF3FF, 0xD503323F)
++__AARCH64_INSN_FUNCS(isb, 0xFFFFF0FF, 0xD50330DF)
++__AARCH64_INSN_FUNCS(sb, 0xFFFFFFFF, 0xD50330FF)
++__AARCH64_INSN_FUNCS(clrex, 0xFFFFF0FF, 0xD503305F)
++__AARCH64_INSN_FUNCS(ssbb, 0xFFFFFFFF, 0xD503309F)
++__AARCH64_INSN_FUNCS(pssbb, 0xFFFFFFFF, 0xD503349F)
+
+ #undef __AARCH64_INSN_FUNCS
+
+@@ -381,6 +389,19 @@ static inline bool aarch64_insn_is_adr_a
+ return aarch64_insn_is_adr(insn) || aarch64_insn_is_adrp(insn);
+ }
+
++static inline bool aarch64_insn_is_dsb(u32 insn)
++{
++ return aarch64_insn_is_dsb_base(insn) || aarch64_insn_is_dsb_nxs(insn);
++}
++
++static inline bool aarch64_insn_is_barrier(u32 insn)
++{
++ return aarch64_insn_is_dmb(insn) || aarch64_insn_is_dsb(insn) ||
++ aarch64_insn_is_isb(insn) || aarch64_insn_is_sb(insn) ||
++ aarch64_insn_is_clrex(insn) || aarch64_insn_is_ssbb(insn) ||
++ aarch64_insn_is_pssbb(insn);
++}
++
+ int aarch64_insn_read(void *addr, u32 *insnp);
+ int aarch64_insn_write(void *addr, u32 insn);
+ enum aarch64_insn_encoding_class aarch64_get_insn_class(u32 insn);
--- /dev/null
+From stable+bounces-151839-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:13 2025
+From: Pu Lehui <pulehui@huaweicloud.com>
+Date: Sat, 7 Jun 2025 15:25:10 +0000
+Subject: arm64: insn: add encoders for atomic operations
+To: stable@vger.kernel.org
+Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com
+Message-ID: <20250607152521.2828291-4-pulehui@huaweicloud.com>
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit fa1114d9eba5087ba5e81aab4c56f546995e6cd3 ]
+
+It is a preparation patch for eBPF atomic supports under arm64. eBPF
+needs support atomic[64]_fetch_add, atomic[64]_[fetch_]{and,or,xor} and
+atomic[64]_{xchg|cmpxchg}. The ordering semantics of eBPF atomics are
+the same with the implementations in linux kernel.
+
+Add three helpers to support LDCLR/LDEOR/LDSET/SWP, CAS and DMB
+instructions. STADD/STCLR/STEOR/STSET are simply encoded as aliases for
+LDADD/LDCLR/LDEOR/LDSET with XZR as the destination register, so no extra
+helper is added. atomic_fetch_add() and other atomic ops needs support for
+STLXR instruction, so extend enum aarch64_insn_ldst_type to do that.
+
+LDADD/LDEOR/LDSET/SWP and CAS instructions are only available when LSE
+atomics is enabled, so just return AARCH64_BREAK_FAULT directly in
+these newly-added helpers if CONFIG_ARM64_LSE_ATOMICS is disabled.
+
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Link: https://lore.kernel.org/r/20220217072232.1186625-3-houtao1@huawei.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/insn.h | 80 ++++++++++++++++--
+ arch/arm64/kernel/insn.c | 185 ++++++++++++++++++++++++++++++++++++++----
+ arch/arm64/net/bpf_jit.h | 11 ++
+ 3 files changed, 253 insertions(+), 23 deletions(-)
+
+--- a/arch/arm64/include/asm/insn.h
++++ b/arch/arm64/include/asm/insn.h
+@@ -218,7 +218,9 @@ enum aarch64_insn_ldst_type {
+ AARCH64_INSN_LDST_LOAD_PAIR_POST_INDEX,
+ AARCH64_INSN_LDST_STORE_PAIR_POST_INDEX,
+ AARCH64_INSN_LDST_LOAD_EX,
++ AARCH64_INSN_LDST_LOAD_ACQ_EX,
+ AARCH64_INSN_LDST_STORE_EX,
++ AARCH64_INSN_LDST_STORE_REL_EX,
+ };
+
+ enum aarch64_insn_adsb_type {
+@@ -293,6 +295,36 @@ enum aarch64_insn_adr_type {
+ AARCH64_INSN_ADR_TYPE_ADR,
+ };
+
++enum aarch64_insn_mem_atomic_op {
++ AARCH64_INSN_MEM_ATOMIC_ADD,
++ AARCH64_INSN_MEM_ATOMIC_CLR,
++ AARCH64_INSN_MEM_ATOMIC_EOR,
++ AARCH64_INSN_MEM_ATOMIC_SET,
++ AARCH64_INSN_MEM_ATOMIC_SWP,
++};
++
++enum aarch64_insn_mem_order_type {
++ AARCH64_INSN_MEM_ORDER_NONE,
++ AARCH64_INSN_MEM_ORDER_ACQ,
++ AARCH64_INSN_MEM_ORDER_REL,
++ AARCH64_INSN_MEM_ORDER_ACQREL,
++};
++
++enum aarch64_insn_mb_type {
++ AARCH64_INSN_MB_SY,
++ AARCH64_INSN_MB_ST,
++ AARCH64_INSN_MB_LD,
++ AARCH64_INSN_MB_ISH,
++ AARCH64_INSN_MB_ISHST,
++ AARCH64_INSN_MB_ISHLD,
++ AARCH64_INSN_MB_NSH,
++ AARCH64_INSN_MB_NSHST,
++ AARCH64_INSN_MB_NSHLD,
++ AARCH64_INSN_MB_OSH,
++ AARCH64_INSN_MB_OSHST,
++ AARCH64_INSN_MB_OSHLD,
++};
++
+ #define __AARCH64_INSN_FUNCS(abbr, mask, val) \
+ static __always_inline bool aarch64_insn_is_##abbr(u32 code) \
+ { \
+@@ -310,6 +342,11 @@ __AARCH64_INSN_FUNCS(prfm, 0x3FC00000, 0
+ __AARCH64_INSN_FUNCS(prfm_lit, 0xFF000000, 0xD8000000)
+ __AARCH64_INSN_FUNCS(str_reg, 0x3FE0EC00, 0x38206800)
+ __AARCH64_INSN_FUNCS(ldadd, 0x3F20FC00, 0x38200000)
++__AARCH64_INSN_FUNCS(ldclr, 0x3F20FC00, 0x38201000)
++__AARCH64_INSN_FUNCS(ldeor, 0x3F20FC00, 0x38202000)
++__AARCH64_INSN_FUNCS(ldset, 0x3F20FC00, 0x38203000)
++__AARCH64_INSN_FUNCS(swp, 0x3F20FC00, 0x38208000)
++__AARCH64_INSN_FUNCS(cas, 0x3FA07C00, 0x08A07C00)
+ __AARCH64_INSN_FUNCS(ldr_reg, 0x3FE0EC00, 0x38606800)
+ __AARCH64_INSN_FUNCS(ldr_lit, 0xBF000000, 0x18000000)
+ __AARCH64_INSN_FUNCS(ldrsw_lit, 0xFF000000, 0x98000000)
+@@ -452,13 +489,6 @@ u32 aarch64_insn_gen_load_store_ex(enum
+ enum aarch64_insn_register state,
+ enum aarch64_insn_size_type size,
+ enum aarch64_insn_ldst_type type);
+-u32 aarch64_insn_gen_ldadd(enum aarch64_insn_register result,
+- enum aarch64_insn_register address,
+- enum aarch64_insn_register value,
+- enum aarch64_insn_size_type size);
+-u32 aarch64_insn_gen_stadd(enum aarch64_insn_register address,
+- enum aarch64_insn_register value,
+- enum aarch64_insn_size_type size);
+ u32 aarch64_insn_gen_add_sub_imm(enum aarch64_insn_register dst,
+ enum aarch64_insn_register src,
+ int imm, enum aarch64_insn_variant variant,
+@@ -519,6 +549,42 @@ u32 aarch64_insn_gen_prefetch(enum aarch
+ enum aarch64_insn_prfm_type type,
+ enum aarch64_insn_prfm_target target,
+ enum aarch64_insn_prfm_policy policy);
++#ifdef CONFIG_ARM64_LSE_ATOMICS
++u32 aarch64_insn_gen_atomic_ld_op(enum aarch64_insn_register result,
++ enum aarch64_insn_register address,
++ enum aarch64_insn_register value,
++ enum aarch64_insn_size_type size,
++ enum aarch64_insn_mem_atomic_op op,
++ enum aarch64_insn_mem_order_type order);
++u32 aarch64_insn_gen_cas(enum aarch64_insn_register result,
++ enum aarch64_insn_register address,
++ enum aarch64_insn_register value,
++ enum aarch64_insn_size_type size,
++ enum aarch64_insn_mem_order_type order);
++#else
++static inline
++u32 aarch64_insn_gen_atomic_ld_op(enum aarch64_insn_register result,
++ enum aarch64_insn_register address,
++ enum aarch64_insn_register value,
++ enum aarch64_insn_size_type size,
++ enum aarch64_insn_mem_atomic_op op,
++ enum aarch64_insn_mem_order_type order)
++{
++ return AARCH64_BREAK_FAULT;
++}
++
++static inline
++u32 aarch64_insn_gen_cas(enum aarch64_insn_register result,
++ enum aarch64_insn_register address,
++ enum aarch64_insn_register value,
++ enum aarch64_insn_size_type size,
++ enum aarch64_insn_mem_order_type order)
++{
++ return AARCH64_BREAK_FAULT;
++}
++#endif
++u32 aarch64_insn_gen_dmb(enum aarch64_insn_mb_type type);
++
+ s32 aarch64_get_branch_offset(u32 insn);
+ u32 aarch64_set_branch_offset(u32 insn, s32 offset);
+
+--- a/arch/arm64/kernel/insn.c
++++ b/arch/arm64/kernel/insn.c
+@@ -721,10 +721,16 @@ u32 aarch64_insn_gen_load_store_ex(enum
+
+ switch (type) {
+ case AARCH64_INSN_LDST_LOAD_EX:
++ case AARCH64_INSN_LDST_LOAD_ACQ_EX:
+ insn = aarch64_insn_get_load_ex_value();
++ if (type == AARCH64_INSN_LDST_LOAD_ACQ_EX)
++ insn |= BIT(15);
+ break;
+ case AARCH64_INSN_LDST_STORE_EX:
++ case AARCH64_INSN_LDST_STORE_REL_EX:
+ insn = aarch64_insn_get_store_ex_value();
++ if (type == AARCH64_INSN_LDST_STORE_REL_EX)
++ insn |= BIT(15);
+ break;
+ default:
+ pr_err("%s: unknown load/store exclusive encoding %d\n", __func__, type);
+@@ -746,12 +752,65 @@ u32 aarch64_insn_gen_load_store_ex(enum
+ state);
+ }
+
+-u32 aarch64_insn_gen_ldadd(enum aarch64_insn_register result,
+- enum aarch64_insn_register address,
+- enum aarch64_insn_register value,
+- enum aarch64_insn_size_type size)
++#ifdef CONFIG_ARM64_LSE_ATOMICS
++static u32 aarch64_insn_encode_ldst_order(enum aarch64_insn_mem_order_type type,
++ u32 insn)
+ {
+- u32 insn = aarch64_insn_get_ldadd_value();
++ u32 order;
++
++ switch (type) {
++ case AARCH64_INSN_MEM_ORDER_NONE:
++ order = 0;
++ break;
++ case AARCH64_INSN_MEM_ORDER_ACQ:
++ order = 2;
++ break;
++ case AARCH64_INSN_MEM_ORDER_REL:
++ order = 1;
++ break;
++ case AARCH64_INSN_MEM_ORDER_ACQREL:
++ order = 3;
++ break;
++ default:
++ pr_err("%s: unknown mem order %d\n", __func__, type);
++ return AARCH64_BREAK_FAULT;
++ }
++
++ insn &= ~GENMASK(23, 22);
++ insn |= order << 22;
++
++ return insn;
++}
++
++u32 aarch64_insn_gen_atomic_ld_op(enum aarch64_insn_register result,
++ enum aarch64_insn_register address,
++ enum aarch64_insn_register value,
++ enum aarch64_insn_size_type size,
++ enum aarch64_insn_mem_atomic_op op,
++ enum aarch64_insn_mem_order_type order)
++{
++ u32 insn;
++
++ switch (op) {
++ case AARCH64_INSN_MEM_ATOMIC_ADD:
++ insn = aarch64_insn_get_ldadd_value();
++ break;
++ case AARCH64_INSN_MEM_ATOMIC_CLR:
++ insn = aarch64_insn_get_ldclr_value();
++ break;
++ case AARCH64_INSN_MEM_ATOMIC_EOR:
++ insn = aarch64_insn_get_ldeor_value();
++ break;
++ case AARCH64_INSN_MEM_ATOMIC_SET:
++ insn = aarch64_insn_get_ldset_value();
++ break;
++ case AARCH64_INSN_MEM_ATOMIC_SWP:
++ insn = aarch64_insn_get_swp_value();
++ break;
++ default:
++ pr_err("%s: unimplemented mem atomic op %d\n", __func__, op);
++ return AARCH64_BREAK_FAULT;
++ }
+
+ switch (size) {
+ case AARCH64_INSN_SIZE_32:
+@@ -764,6 +823,8 @@ u32 aarch64_insn_gen_ldadd(enum aarch64_
+
+ insn = aarch64_insn_encode_ldst_size(size, insn);
+
++ insn = aarch64_insn_encode_ldst_order(order, insn);
++
+ insn = aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RT, insn,
+ result);
+
+@@ -774,18 +835,69 @@ u32 aarch64_insn_gen_ldadd(enum aarch64_
+ value);
+ }
+
+-u32 aarch64_insn_gen_stadd(enum aarch64_insn_register address,
+- enum aarch64_insn_register value,
+- enum aarch64_insn_size_type size)
++static u32 aarch64_insn_encode_cas_order(enum aarch64_insn_mem_order_type type,
++ u32 insn)
+ {
+- /*
+- * STADD is simply encoded as an alias for LDADD with XZR as
+- * the destination register.
+- */
+- return aarch64_insn_gen_ldadd(AARCH64_INSN_REG_ZR, address,
+- value, size);
++ u32 order;
++
++ switch (type) {
++ case AARCH64_INSN_MEM_ORDER_NONE:
++ order = 0;
++ break;
++ case AARCH64_INSN_MEM_ORDER_ACQ:
++ order = BIT(22);
++ break;
++ case AARCH64_INSN_MEM_ORDER_REL:
++ order = BIT(15);
++ break;
++ case AARCH64_INSN_MEM_ORDER_ACQREL:
++ order = BIT(15) | BIT(22);
++ break;
++ default:
++ pr_err("%s: unknown mem order %d\n", __func__, type);
++ return AARCH64_BREAK_FAULT;
++ }
++
++ insn &= ~(BIT(15) | BIT(22));
++ insn |= order;
++
++ return insn;
+ }
+
++u32 aarch64_insn_gen_cas(enum aarch64_insn_register result,
++ enum aarch64_insn_register address,
++ enum aarch64_insn_register value,
++ enum aarch64_insn_size_type size,
++ enum aarch64_insn_mem_order_type order)
++{
++ u32 insn;
++
++ switch (size) {
++ case AARCH64_INSN_SIZE_32:
++ case AARCH64_INSN_SIZE_64:
++ break;
++ default:
++ pr_err("%s: unimplemented size encoding %d\n", __func__, size);
++ return AARCH64_BREAK_FAULT;
++ }
++
++ insn = aarch64_insn_get_cas_value();
++
++ insn = aarch64_insn_encode_ldst_size(size, insn);
++
++ insn = aarch64_insn_encode_cas_order(order, insn);
++
++ insn = aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RT, insn,
++ result);
++
++ insn = aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RN, insn,
++ address);
++
++ return aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RS, insn,
++ value);
++}
++#endif
++
+ static u32 aarch64_insn_encode_prfm_imm(enum aarch64_insn_prfm_type type,
+ enum aarch64_insn_prfm_target target,
+ enum aarch64_insn_prfm_policy policy,
+@@ -1697,3 +1809,48 @@ u32 aarch64_insn_gen_extr(enum aarch64_i
+ insn = aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RN, insn, Rn);
+ return aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RM, insn, Rm);
+ }
++
++u32 aarch64_insn_gen_dmb(enum aarch64_insn_mb_type type)
++{
++ u32 opt;
++ u32 insn;
++
++ switch (type) {
++ case AARCH64_INSN_MB_SY:
++ opt = 0xf;
++ break;
++ case AARCH64_INSN_MB_ST:
++ opt = 0xe;
++ break;
++ case AARCH64_INSN_MB_LD:
++ opt = 0xd;
++ break;
++ case AARCH64_INSN_MB_ISH:
++ opt = 0xb;
++ break;
++ case AARCH64_INSN_MB_ISHST:
++ opt = 0xa;
++ break;
++ case AARCH64_INSN_MB_ISHLD:
++ opt = 0x9;
++ break;
++ case AARCH64_INSN_MB_NSH:
++ opt = 0x7;
++ break;
++ case AARCH64_INSN_MB_NSHST:
++ opt = 0x6;
++ break;
++ case AARCH64_INSN_MB_NSHLD:
++ opt = 0x5;
++ break;
++ default:
++ pr_err("%s: unknown dmb type %d\n", __func__, type);
++ return AARCH64_BREAK_FAULT;
++ }
++
++ insn = aarch64_insn_get_dmb_value();
++ insn &= ~GENMASK(11, 8);
++ insn |= (opt << 8);
++
++ return insn;
++}
+--- a/arch/arm64/net/bpf_jit.h
++++ b/arch/arm64/net/bpf_jit.h
+@@ -89,9 +89,16 @@
+ #define A64_STXR(sf, Rt, Rn, Rs) \
+ A64_LSX(sf, Rt, Rn, Rs, STORE_EX)
+
+-/* LSE atomics */
++/*
++ * LSE atomics
++ *
++ * STADD is simply encoded as an alias for LDADD with XZR as
++ * the destination register.
++ */
+ #define A64_STADD(sf, Rn, Rs) \
+- aarch64_insn_gen_stadd(Rn, Rs, A64_SIZE(sf))
++ aarch64_insn_gen_atomic_ld_op(A64_ZR, Rn, Rs, \
++ A64_SIZE(sf), AARCH64_INSN_MEM_ATOMIC_ADD, \
++ AARCH64_INSN_MEM_ORDER_NONE)
+
+ /* Add/subtract (immediate) */
+ #define A64_ADDSUB_IMM(sf, Rd, Rn, imm12, type) \
--- /dev/null
+From stable+bounces-151838-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:12 2025
+From: Pu Lehui <pulehui@huaweicloud.com>
+Date: Sat, 7 Jun 2025 15:25:11 +0000
+Subject: arm64: insn: Add support for encoding DSB
+To: stable@vger.kernel.org
+Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com
+Message-ID: <20250607152521.2828291-5-pulehui@huaweicloud.com>
+
+From: James Morse <james.morse@arm.com>
+
+[ Upstream commit 63de8abd97ddb9b758bd8f915ecbd18e1f1a87a0 ]
+
+To generate code in the eBPF epilogue that uses the DSB instruction,
+insn.c needs a heler to encode the type and domain.
+
+Re-use the crm encoding logic from the DMB instruction.
+
+Signed-off-by: James Morse <james.morse@arm.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/insn.h | 1
+ arch/arm64/kernel/insn.c | 60 +++++++++++++++++++++++++-----------------
+ 2 files changed, 38 insertions(+), 23 deletions(-)
+
+--- a/arch/arm64/include/asm/insn.h
++++ b/arch/arm64/include/asm/insn.h
+@@ -584,6 +584,7 @@ u32 aarch64_insn_gen_cas(enum aarch64_in
+ }
+ #endif
+ u32 aarch64_insn_gen_dmb(enum aarch64_insn_mb_type type);
++u32 aarch64_insn_gen_dsb(enum aarch64_insn_mb_type type);
+
+ s32 aarch64_get_branch_offset(u32 insn);
+ u32 aarch64_set_branch_offset(u32 insn, s32 offset);
+--- a/arch/arm64/kernel/insn.c
++++ b/arch/arm64/kernel/insn.c
+@@ -5,6 +5,7 @@
+ *
+ * Copyright (C) 2014-2016 Zi Shen Lim <zlim.lnx@gmail.com>
+ */
++#include <linux/bitfield.h>
+ #include <linux/bitops.h>
+ #include <linux/bug.h>
+ #include <linux/compiler.h>
+@@ -1810,47 +1811,60 @@ u32 aarch64_insn_gen_extr(enum aarch64_i
+ return aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RM, insn, Rm);
+ }
+
+-u32 aarch64_insn_gen_dmb(enum aarch64_insn_mb_type type)
++static u32 __get_barrier_crm_val(enum aarch64_insn_mb_type type)
+ {
+- u32 opt;
+- u32 insn;
+-
+ switch (type) {
+ case AARCH64_INSN_MB_SY:
+- opt = 0xf;
+- break;
++ return 0xf;
+ case AARCH64_INSN_MB_ST:
+- opt = 0xe;
+- break;
++ return 0xe;
+ case AARCH64_INSN_MB_LD:
+- opt = 0xd;
+- break;
++ return 0xd;
+ case AARCH64_INSN_MB_ISH:
+- opt = 0xb;
+- break;
++ return 0xb;
+ case AARCH64_INSN_MB_ISHST:
+- opt = 0xa;
+- break;
++ return 0xa;
+ case AARCH64_INSN_MB_ISHLD:
+- opt = 0x9;
+- break;
++ return 0x9;
+ case AARCH64_INSN_MB_NSH:
+- opt = 0x7;
+- break;
++ return 0x7;
+ case AARCH64_INSN_MB_NSHST:
+- opt = 0x6;
+- break;
++ return 0x6;
+ case AARCH64_INSN_MB_NSHLD:
+- opt = 0x5;
+- break;
++ return 0x5;
+ default:
+- pr_err("%s: unknown dmb type %d\n", __func__, type);
++ pr_err("%s: unknown barrier type %d\n", __func__, type);
+ return AARCH64_BREAK_FAULT;
+ }
++}
++
++u32 aarch64_insn_gen_dmb(enum aarch64_insn_mb_type type)
++{
++ u32 opt;
++ u32 insn;
++
++ opt = __get_barrier_crm_val(type);
++ if (opt == AARCH64_BREAK_FAULT)
++ return AARCH64_BREAK_FAULT;
+
+ insn = aarch64_insn_get_dmb_value();
+ insn &= ~GENMASK(11, 8);
+ insn |= (opt << 8);
+
++ return insn;
++}
++
++u32 aarch64_insn_gen_dsb(enum aarch64_insn_mb_type type)
++{
++ u32 opt, insn;
++
++ opt = __get_barrier_crm_val(type);
++ if (opt == AARCH64_BREAK_FAULT)
++ return AARCH64_BREAK_FAULT;
++
++ insn = aarch64_insn_get_dsb_base_value();
++ insn &= ~GENMASK(11, 8);
++ insn |= (opt << 8);
++
+ return insn;
+ }
--- /dev/null
+From stable+bounces-151841-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:18 2025
+From: Pu Lehui <pulehui@huaweicloud.com>
+Date: Sat, 7 Jun 2025 15:25:09 +0000
+Subject: arm64: move AARCH64_BREAK_FAULT into insn-def.h
+To: stable@vger.kernel.org
+Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com
+Message-ID: <20250607152521.2828291-3-pulehui@huaweicloud.com>
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit 97e58e395e9c074fd096dad13c54e9f4112cf71d ]
+
+If CONFIG_ARM64_LSE_ATOMICS is off, encoders for LSE-related instructions
+can return AARCH64_BREAK_FAULT directly in insn.h. In order to access
+AARCH64_BREAK_FAULT in insn.h, we can not include debug-monitors.h in
+insn.h, because debug-monitors.h has already depends on insn.h, so just
+move AARCH64_BREAK_FAULT into insn-def.h.
+
+It will be used by the following patch to eliminate unnecessary LSE-related
+encoders when CONFIG_ARM64_LSE_ATOMICS is off.
+
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Link: https://lore.kernel.org/r/20220217072232.1186625-2-houtao1@huawei.com
+Signed-off-by: Will Deacon <will@kernel.org>
+[not exist insn-def.h file, move to insn.h]
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/debug-monitors.h | 12 ------------
+ arch/arm64/include/asm/insn.h | 12 ++++++++++++
+ 2 files changed, 12 insertions(+), 12 deletions(-)
+
+--- a/arch/arm64/include/asm/debug-monitors.h
++++ b/arch/arm64/include/asm/debug-monitors.h
+@@ -34,18 +34,6 @@
+ */
+ #define BREAK_INSTR_SIZE AARCH64_INSN_SIZE
+
+-/*
+- * BRK instruction encoding
+- * The #imm16 value should be placed at bits[20:5] within BRK ins
+- */
+-#define AARCH64_BREAK_MON 0xd4200000
+-
+-/*
+- * BRK instruction for provoking a fault on purpose
+- * Unlike kgdb, #imm16 value with unallocated handler is used for faulting.
+- */
+-#define AARCH64_BREAK_FAULT (AARCH64_BREAK_MON | (FAULT_BRK_IMM << 5))
+-
+ #define AARCH64_BREAK_KGDB_DYN_DBG \
+ (AARCH64_BREAK_MON | (KGDB_DYN_DBG_BRK_IMM << 5))
+
+--- a/arch/arm64/include/asm/insn.h
++++ b/arch/arm64/include/asm/insn.h
+@@ -13,6 +13,18 @@
+ /* A64 instructions are always 32 bits. */
+ #define AARCH64_INSN_SIZE 4
+
++/*
++ * BRK instruction encoding
++ * The #imm16 value should be placed at bits[20:5] within BRK ins
++ */
++#define AARCH64_BREAK_MON 0xd4200000
++
++/*
++ * BRK instruction for provoking a fault on purpose
++ * Unlike kgdb, #imm16 value with unallocated handler is used for faulting.
++ */
++#define AARCH64_BREAK_FAULT (AARCH64_BREAK_MON | (FAULT_BRK_IMM << 5))
++
+ #ifndef __ASSEMBLY__
+ /*
+ * ARM Architecture Reference Manual for ARMv8 Profile-A, Issue A.a
--- /dev/null
+From stable+bounces-151847-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:25 2025
+From: Pu Lehui <pulehui@huaweicloud.com>
+Date: Sat, 7 Jun 2025 15:25:21 +0000
+Subject: arm64: proton-pack: Add new CPUs 'k' values for branch mitigation
+To: stable@vger.kernel.org
+Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com
+Message-ID: <20250607152521.2828291-15-pulehui@huaweicloud.com>
+
+From: James Morse <james.morse@arm.com>
+
+[ Upstream commit efe676a1a7554219eae0b0dcfe1e0cdcc9ef9aef ]
+
+Update the list of 'k' values for the branch mitigation from arm's
+website.
+
+Add the values for Cortex-X1C. The MIDR_EL1 value can be found here:
+https://developer.arm.com/documentation/101968/0002/Register-descriptions/AArch>
+
+Link: https://developer.arm.com/documentation/110280/2-0/?lang=en
+Signed-off-by: James Morse <james.morse@arm.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/cputype.h | 2 ++
+ arch/arm64/kernel/proton-pack.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/arch/arm64/include/asm/cputype.h
++++ b/arch/arm64/include/asm/cputype.h
+@@ -80,6 +80,7 @@
+ #define ARM_CPU_PART_CORTEX_A78AE 0xD42
+ #define ARM_CPU_PART_CORTEX_X1 0xD44
+ #define ARM_CPU_PART_CORTEX_A510 0xD46
++#define ARM_CPU_PART_CORTEX_X1C 0xD4C
+ #define ARM_CPU_PART_CORTEX_A520 0xD80
+ #define ARM_CPU_PART_CORTEX_A710 0xD47
+ #define ARM_CPU_PART_CORTEX_A715 0xD4D
+@@ -144,6 +145,7 @@
+ #define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE)
+ #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1)
+ #define MIDR_CORTEX_A510 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A510)
++#define MIDR_CORTEX_X1C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1C)
+ #define MIDR_CORTEX_A520 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A520)
+ #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710)
+ #define MIDR_CORTEX_A715 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A715)
+--- a/arch/arm64/kernel/proton-pack.c
++++ b/arch/arm64/kernel/proton-pack.c
+@@ -899,6 +899,7 @@ static u8 spectre_bhb_loop_affected(void
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
--- /dev/null
+From stable+bounces-151858-greg=kroah.com@vger.kernel.org Sat Jun 7 17:41:36 2025
+From: Pu Lehui <pulehui@huaweicloud.com>
+Date: Sat, 7 Jun 2025 15:25:17 +0000
+Subject: arm64: proton-pack: Expose whether the branchy loop k value
+To: stable@vger.kernel.org
+Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com
+Message-ID: <20250607152521.2828291-11-pulehui@huaweicloud.com>
+
+From: James Morse <james.morse@arm.com>
+
+[ Upstream commit a1152be30a043d2d4dcb1683415f328bf3c51978 ]
+
+Add a helper to expose the k value of the branchy loop. This is needed
+by the BPF JIT to generate the mitigation sequence in BPF programs.
+
+Signed-off-by: James Morse <james.morse@arm.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/spectre.h | 1 +
+ arch/arm64/kernel/proton-pack.c | 5 +++++
+ 2 files changed, 6 insertions(+)
+
+--- a/arch/arm64/include/asm/spectre.h
++++ b/arch/arm64/include/asm/spectre.h
+@@ -32,6 +32,7 @@ void spectre_v4_enable_task_mitigation(s
+
+ enum mitigation_state arm64_get_spectre_bhb_state(void);
+ bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, int scope);
++u8 get_spectre_bhb_loop_value(void);
+ bool is_spectre_bhb_fw_mitigated(void);
+ void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *__unused);
+ bool try_emulate_el1_ssbs(struct pt_regs *regs, u32 instr);
+--- a/arch/arm64/kernel/proton-pack.c
++++ b/arch/arm64/kernel/proton-pack.c
+@@ -1006,6 +1006,11 @@ bool is_spectre_bhb_affected(const struc
+ return true;
+ }
+
++u8 get_spectre_bhb_loop_value(void)
++{
++ return max_bhb_k;
++}
++
+ static void this_cpu_set_vectors(enum arm64_bp_harden_el1_vectors slot)
+ {
+ const char *v = arm64_get_bp_hardening_vector(slot);
--- /dev/null
+From stable+bounces-151842-greg=kroah.com@vger.kernel.org Sat Jun 7 17:23:20 2025
+From: Pu Lehui <pulehui@huaweicloud.com>
+Date: Sat, 7 Jun 2025 15:25:12 +0000
+Subject: arm64: proton-pack: Expose whether the platform is mitigated by firmware
+To: stable@vger.kernel.org
+Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com
+Message-ID: <20250607152521.2828291-6-pulehui@huaweicloud.com>
+
+From: James Morse <james.morse@arm.com>
+
+[ Upstream commit e7956c92f396a44eeeb6eaf7a5b5e1ad24db6748 ]
+
+is_spectre_bhb_fw_affected() allows the caller to determine if the CPU
+is known to need a firmware mitigation. CPUs are either on the list
+of CPUs we know about, or firmware has been queried and reported that
+the platform is affected - and mitigated by firmware.
+
+This helper is not useful to determine if the platform is mitigated
+by firmware. A CPU could be on the know list, but the firmware may
+not be implemented. Its affected but not mitigated.
+
+spectre_bhb_enable_mitigation() handles this distinction by checking
+the firmware state before enabling the mitigation.
+
+Add a helper to expose this state. This will be used by the BPF JIT
+to determine if calling firmware for a mitigation is necessary and
+supported.
+
+Signed-off-by: James Morse <james.morse@arm.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+[The conflicts were due to not include bitmap of mitigations]
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/spectre.h | 1 +
+ arch/arm64/kernel/proton-pack.c | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/arch/arm64/include/asm/spectre.h
++++ b/arch/arm64/include/asm/spectre.h
+@@ -32,6 +32,7 @@ void spectre_v4_enable_task_mitigation(s
+
+ enum mitigation_state arm64_get_spectre_bhb_state(void);
+ bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, int scope);
++bool is_spectre_bhb_fw_mitigated(void);
+ u8 spectre_bhb_loop_affected(int scope);
+ void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *__unused);
+ bool try_emulate_el1_ssbs(struct pt_regs *regs, u32 instr);
+--- a/arch/arm64/kernel/proton-pack.c
++++ b/arch/arm64/kernel/proton-pack.c
+@@ -1059,6 +1059,8 @@ static void kvm_setup_bhb_slot(const cha
+ static void kvm_setup_bhb_slot(const char *hyp_vecs_start) { }
+ #endif /* CONFIG_KVM */
+
++static bool spectre_bhb_fw_mitigated;
++
+ void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *entry)
+ {
+ enum mitigation_state fw_state, state = SPECTRE_VULNERABLE;
+@@ -1103,12 +1105,18 @@ void spectre_bhb_enable_mitigation(const
+ this_cpu_set_vectors(EL1_VECTOR_BHB_FW);
+
+ state = SPECTRE_MITIGATED;
++ spectre_bhb_fw_mitigated = true;
+ }
+ }
+
+ update_mitigation_state(&spectre_bhb_state, state);
+ }
+
++bool is_spectre_bhb_fw_mitigated(void)
++{
++ return spectre_bhb_fw_mitigated;
++}
++
+ /* Patched to correct the immediate */
+ void noinstr spectre_bhb_patch_loop_iter(struct alt_instr *alt,
+ __le32 *origptr, __le32 *updptr, int nr_inst)
--- /dev/null
+From stable+bounces-151861-greg=kroah.com@vger.kernel.org Sat Jun 7 17:41:40 2025
+From: Pu Lehui <pulehui@huaweicloud.com>
+Date: Sat, 7 Jun 2025 15:25:18 +0000
+Subject: arm64: spectre: increase parameters that can be used to turn off bhb mitigation individually
+To: stable@vger.kernel.org
+Cc: james.morse@arm.com, catalin.marinas@arm.com, daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, xukuohai@huawei.com, pulehui@huawei.com
+Message-ID: <20250607152521.2828291-12-pulehui@huaweicloud.com>
+
+From: Liu Song <liusong@linux.alibaba.com>
+
+[ Upstream commit 877ace9eab7de032f954533afd5d1ecd0cf62eaf ]
+
+In our environment, it was found that the mitigation BHB has a great
+impact on the benchmark performance. For example, in the lmbench test,
+the "process fork && exit" test performance drops by 20%.
+So it is necessary to have the ability to turn off the mitigation
+individually through cmdline, thus avoiding having to compile the
+kernel by adjusting the config.
+
+Signed-off-by: Liu Song <liusong@linux.alibaba.com>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Link: https://lore.kernel.org/r/1661514050-22263-1-git-send-email-liusong@linux.alibaba.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/admin-guide/kernel-parameters.txt | 5 +++++
+ arch/arm64/kernel/proton-pack.c | 9 ++++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -2954,6 +2954,7 @@
+ spec_store_bypass_disable=off [X86,PPC]
+ spectre_v2_user=off [X86]
+ ssbd=force-off [ARM64]
++ nospectre_bhb [ARM64]
+ tsx_async_abort=off [X86]
+
+ Exceptions:
+@@ -3367,6 +3368,10 @@
+ vulnerability. System may allow data leaks with this
+ option.
+
++ nospectre_bhb [ARM64] Disable all mitigations for Spectre-BHB (branch
++ history injection) vulnerability. System may allow data leaks
++ with this option.
++
+ nospec_store_bypass_disable
+ [HW] Disable all mitigations for the Speculative Store Bypass vulnerability
+
+--- a/arch/arm64/kernel/proton-pack.c
++++ b/arch/arm64/kernel/proton-pack.c
+@@ -1088,6 +1088,13 @@ static void kvm_setup_bhb_slot(const cha
+ #endif /* CONFIG_KVM */
+
+ static bool spectre_bhb_fw_mitigated;
++static bool __read_mostly __nospectre_bhb;
++static int __init parse_spectre_bhb_param(char *str)
++{
++ __nospectre_bhb = true;
++ return 0;
++}
++early_param("nospectre_bhb", parse_spectre_bhb_param);
+
+ void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *entry)
+ {
+@@ -1100,7 +1107,7 @@ void spectre_bhb_enable_mitigation(const
+ /* No point mitigating Spectre-BHB alone. */
+ } else if (!IS_ENABLED(CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY)) {
+ pr_info_once("spectre-bhb mitigation disabled by compile time option\n");
+- } else if (cpu_mitigations_off()) {
++ } else if (cpu_mitigations_off() || __nospectre_bhb) {
+ pr_info_once("spectre-bhb mitigation disabled by command line option\n");
+ } else if (supports_ecbhb(SCOPE_LOCAL_CPU)) {
+ state = SPECTRE_MITIGATED;
arm-dts-am335x-bone-common-increase-mdio-reset-deassert-time.patch
arm-dts-am335x-bone-common-increase-mdio-reset-deassert-delay-to-50ms.patch
serial-sh-sci-increment-the-runtime-usage-counter-for-the-earlycon-device.patch
+arm64-insn-add-barrier-encodings.patch
+arm64-move-aarch64_break_fault-into-insn-def.h.patch
+arm64-insn-add-encoders-for-atomic-operations.patch
+arm64-insn-add-support-for-encoding-dsb.patch
+arm64-proton-pack-expose-whether-the-platform-is-mitigated-by-firmware.patch
+arm64-errata-assume-that-unknown-cpus-_are_-vulnerable-to-spectre-bhb.patch
+arm64-errata-add-kryo-2xx-3xx-4xx-silver-cores-to-spectre-bhb-safe-list.patch
+arm64-errata-add-newer-arm-cores-to-the-spectre_bhb_loop_affected-lists.patch
+arm64-errata-add-missing-sentinels-to-spectre-bhb-midr-arrays.patch
+arm64-proton-pack-expose-whether-the-branchy-loop-k-value.patch
+arm64-spectre-increase-parameters-that-can-be-used-to-turn-off-bhb-mitigation-individually.patch
+arm64-bpf-add-bhb-mitigation-to-the-epilogue-for-cbpf-programs.patch
+arm64-bpf-only-mitigate-cbpf-programs-loaded-by-unprivileged-users.patch
+arm64-proton-pack-add-new-cpus-k-values-for-branch-mitigation.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
