From: Greg Kroah-Hartman Date: Fri, 19 Mar 2021 08:35:21 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.19.182~21 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fcfd1d86a1b29fefbb1abaed9291e4d9b32620c5;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: bpf-add-sanity-check-for-upper-ptr_limit.patch bpf-fix-off-by-one-for-area-size-in-creating-mask-to-left.patch bpf-prohibit-alu-ops-for-pointer-types-not-defining-ptr_limit.patch bpf-selftests-fix-up-some-test_verifier-cases-for-unprivileged.patch bpf-simplify-alu_limit-masking-for-pointer-arithmetic.patch --- diff --git a/queue-5.4/bpf-add-sanity-check-for-upper-ptr_limit.patch b/queue-5.4/bpf-add-sanity-check-for-upper-ptr_limit.patch new file mode 100644 index 00000000000..f177d2180fc --- /dev/null +++ b/queue-5.4/bpf-add-sanity-check-for-upper-ptr_limit.patch @@ -0,0 +1,60 @@ +From 1b1597e64e1a610c7a96710fc4717158e98a08b3 Mon Sep 17 00:00:00 2001 +From: Piotr Krysiuk +Date: Tue, 16 Mar 2021 09:47:02 +0100 +Subject: bpf: Add sanity check for upper ptr_limit + +From: Piotr Krysiuk + +commit 1b1597e64e1a610c7a96710fc4717158e98a08b3 upstream. + +Given we know the max possible value of ptr_limit at the time of retrieving +the latter, add basic assertions, so that the verifier can bail out if +anything looks odd and reject the program. Nothing triggered this so far, +but it also does not hurt to have these. + +Signed-off-by: Piotr Krysiuk +Co-developed-by: Daniel Borkmann +Signed-off-by: Daniel Borkmann +Acked-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -4268,10 +4268,14 @@ static int retrieve_ptr_limit(const stru + { + bool mask_to_left = (opcode == BPF_ADD && off_is_neg) || + (opcode == BPF_SUB && !off_is_neg); +- u32 off; ++ u32 off, max; + + switch (ptr_reg->type) { + case PTR_TO_STACK: ++ /* Offset 0 is out-of-bounds, but acceptable start for the ++ * left direction, see BPF_REG_FP. ++ */ ++ max = MAX_BPF_STACK + mask_to_left; + /* Indirect variable offset stack access is prohibited in + * unprivileged mode so it's not handled here. + */ +@@ -4280,15 +4284,16 @@ static int retrieve_ptr_limit(const stru + *ptr_limit = MAX_BPF_STACK + off; + else + *ptr_limit = -off - 1; +- return 0; ++ return *ptr_limit >= max ? -ERANGE : 0; + case PTR_TO_MAP_VALUE: ++ max = ptr_reg->map_ptr->value_size; + if (mask_to_left) { + *ptr_limit = ptr_reg->umax_value + ptr_reg->off; + } else { + off = ptr_reg->smin_value + ptr_reg->off; + *ptr_limit = ptr_reg->map_ptr->value_size - off - 1; + } +- return 0; ++ return *ptr_limit >= max ? -ERANGE : 0; + default: + return -EINVAL; + } diff --git a/queue-5.4/bpf-fix-off-by-one-for-area-size-in-creating-mask-to-left.patch b/queue-5.4/bpf-fix-off-by-one-for-area-size-in-creating-mask-to-left.patch new file mode 100644 index 00000000000..e175fcbd4ce --- /dev/null +++ b/queue-5.4/bpf-fix-off-by-one-for-area-size-in-creating-mask-to-left.patch @@ -0,0 +1,54 @@ +From 10d2bb2e6b1d8c4576c56a748f697dbeb8388899 Mon Sep 17 00:00:00 2001 +From: Piotr Krysiuk +Date: Tue, 16 Mar 2021 08:20:16 +0100 +Subject: bpf: Fix off-by-one for area size in creating mask to left + +From: Piotr Krysiuk + +commit 10d2bb2e6b1d8c4576c56a748f697dbeb8388899 upstream. + +retrieve_ptr_limit() computes the ptr_limit for registers with stack and +map_value type. ptr_limit is the size of the memory area that is still +valid / in-bounds from the point of the current position and direction +of the operation (add / sub). This size will later be used for masking +the operation such that attempting out-of-bounds access in the speculative +domain is redirected to remain within the bounds of the current map value. + +When masking to the right the size is correct, however, when masking to +the left, the size is off-by-one which would lead to an incorrect mask +and thus incorrect arithmetic operation in the non-speculative domain. +Piotr found that if the resulting alu_limit value is zero, then the +BPF_MOV32_IMM() from the fixup_bpf_calls() rewrite will end up loading +0xffffffff into AX instead of sign-extending to the full 64 bit range, +and as a result, this allows abuse for executing speculatively out-of- +bounds loads against 4GB window of address space and thus extracting the +contents of kernel memory via side-channel. + +Fixes: 979d63d50c0c ("bpf: prevent out of bounds speculation on pointer arithmetic") +Signed-off-by: Piotr Krysiuk +Co-developed-by: Daniel Borkmann +Signed-off-by: Daniel Borkmann +Acked-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -4277,13 +4277,13 @@ static int retrieve_ptr_limit(const stru + */ + off = ptr_reg->off + ptr_reg->var_off.value; + if (mask_to_left) +- *ptr_limit = MAX_BPF_STACK + off; ++ *ptr_limit = MAX_BPF_STACK + off + 1; + else + *ptr_limit = -off; + return 0; + case PTR_TO_MAP_VALUE: + if (mask_to_left) { +- *ptr_limit = ptr_reg->umax_value + ptr_reg->off; ++ *ptr_limit = ptr_reg->umax_value + ptr_reg->off + 1; + } else { + off = ptr_reg->smin_value + ptr_reg->off; + *ptr_limit = ptr_reg->map_ptr->value_size - off; diff --git a/queue-5.4/bpf-prohibit-alu-ops-for-pointer-types-not-defining-ptr_limit.patch b/queue-5.4/bpf-prohibit-alu-ops-for-pointer-types-not-defining-ptr_limit.patch new file mode 100644 index 00000000000..68d67b4d5c4 --- /dev/null +++ b/queue-5.4/bpf-prohibit-alu-ops-for-pointer-types-not-defining-ptr_limit.patch @@ -0,0 +1,83 @@ +From f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 Mon Sep 17 00:00:00 2001 +From: Piotr Krysiuk +Date: Tue, 16 Mar 2021 09:47:02 +0100 +Subject: bpf: Prohibit alu ops for pointer types not defining ptr_limit + +From: Piotr Krysiuk + +commit f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 upstream. + +The purpose of this patch is to streamline error propagation and in particular +to propagate retrieve_ptr_limit() errors for pointer types that are not defining +a ptr_limit such that register-based alu ops against these types can be rejected. + +The main rationale is that a gap has been identified by Piotr in the existing +protection against speculatively out-of-bounds loads, for example, in case of +ctx pointers, unprivileged programs can still perform pointer arithmetic. This +can be abused to execute speculatively out-of-bounds loads without restrictions +and thus extract contents of kernel memory. + +Fix this by rejecting unprivileged programs that attempt any pointer arithmetic +on unprotected pointer types. The two affected ones are pointer to ctx as well +as pointer to map. Field access to a modified ctx' pointer is rejected at a +later point in time in the verifier, and 7c6967326267 ("bpf: Permit map_ptr +arithmetic with opcode add and offset 0") only relevant for root-only use cases. +Risk of unprivileged program breakage is considered very low. + +Fixes: 7c6967326267 ("bpf: Permit map_ptr arithmetic with opcode add and offset 0") +Fixes: b2157399cc98 ("bpf: prevent out-of-bounds speculation") +Signed-off-by: Piotr Krysiuk +Co-developed-by: Daniel Borkmann +Signed-off-by: Daniel Borkmann +Acked-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -4341,6 +4341,7 @@ static int sanitize_ptr_alu(struct bpf_v + u32 alu_state, alu_limit; + struct bpf_reg_state tmp; + bool ret; ++ int err; + + if (can_skip_alu_sanitation(env, insn)) + return 0; +@@ -4356,10 +4357,13 @@ static int sanitize_ptr_alu(struct bpf_v + alu_state |= ptr_is_dst_reg ? + BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST; + +- if (retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg)) +- return 0; +- if (update_alu_sanitation_state(aux, alu_state, alu_limit)) +- return -EACCES; ++ err = retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg); ++ if (err < 0) ++ return err; ++ ++ err = update_alu_sanitation_state(aux, alu_state, alu_limit); ++ if (err < 0) ++ return err; + do_sim: + /* Simulate and find potential out-of-bounds access under + * speculative execution from truncation as a result of +@@ -4467,7 +4471,7 @@ static int adjust_ptr_min_max_vals(struc + case BPF_ADD: + ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0); + if (ret < 0) { +- verbose(env, "R%d tried to add from different maps or paths\n", dst); ++ verbose(env, "R%d tried to add from different maps, paths, or prohibited types\n", dst); + return ret; + } + /* We can take a fixed offset as long as it doesn't overflow +@@ -4522,7 +4526,7 @@ static int adjust_ptr_min_max_vals(struc + case BPF_SUB: + ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0); + if (ret < 0) { +- verbose(env, "R%d tried to sub from different maps or paths\n", dst); ++ verbose(env, "R%d tried to sub from different maps, paths, or prohibited types\n", dst); + return ret; + } + if (dst_reg == off_reg) { diff --git a/queue-5.4/bpf-selftests-fix-up-some-test_verifier-cases-for-unprivileged.patch b/queue-5.4/bpf-selftests-fix-up-some-test_verifier-cases-for-unprivileged.patch new file mode 100644 index 00000000000..f43e0464b03 --- /dev/null +++ b/queue-5.4/bpf-selftests-fix-up-some-test_verifier-cases-for-unprivileged.patch @@ -0,0 +1,203 @@ +From 0a13e3537ea67452d549a6a80da3776d6b7dedb3 Mon Sep 17 00:00:00 2001 +From: Piotr Krysiuk +Date: Tue, 16 Mar 2021 11:44:42 +0100 +Subject: bpf, selftests: Fix up some test_verifier cases for unprivileged + +From: Piotr Krysiuk + +commit 0a13e3537ea67452d549a6a80da3776d6b7dedb3 upstream. + +Fix up test_verifier error messages for the case where the original error +message changed, or for the case where pointer alu errors differ between +privileged and unprivileged tests. Also, add alternative tests for keeping +coverage of the original verifier rejection error message (fp alu), and +newly reject map_ptr += rX where rX == 0 given we now forbid alu on these +types for unprivileged. All test_verifier cases pass after the change. The +test case fixups were kept separate to ease backporting of core changes. + +Signed-off-by: Piotr Krysiuk +Co-developed-by: Daniel Borkmann +Signed-off-by: Daniel Borkmann +Acked-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/verifier/bounds_deduction.c | 27 +++++++++++----- + tools/testing/selftests/bpf/verifier/unpriv.c | 15 ++++++++ + tools/testing/selftests/bpf/verifier/value_ptr_arith.c | 23 +++++++++++++ + 3 files changed, 55 insertions(+), 10 deletions(-) + +--- a/tools/testing/selftests/bpf/verifier/bounds_deduction.c ++++ b/tools/testing/selftests/bpf/verifier/bounds_deduction.c +@@ -6,8 +6,9 @@ + BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), + BPF_EXIT_INSN(), + }, +- .result = REJECT, ++ .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", + .errstr = "R0 tried to subtract pointer from scalar", ++ .result = REJECT, + }, + { + "check deducing bounds from const, 2", +@@ -20,6 +21,8 @@ + BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types", ++ .result_unpriv = REJECT, + .result = ACCEPT, + .retval = 1, + }, +@@ -31,8 +34,9 @@ + BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), + BPF_EXIT_INSN(), + }, +- .result = REJECT, ++ .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", + .errstr = "R0 tried to subtract pointer from scalar", ++ .result = REJECT, + }, + { + "check deducing bounds from const, 4", +@@ -45,6 +49,8 @@ + BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types", ++ .result_unpriv = REJECT, + .result = ACCEPT, + }, + { +@@ -55,8 +61,9 @@ + BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), + BPF_EXIT_INSN(), + }, +- .result = REJECT, ++ .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", + .errstr = "R0 tried to subtract pointer from scalar", ++ .result = REJECT, + }, + { + "check deducing bounds from const, 6", +@@ -67,8 +74,9 @@ + BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), + BPF_EXIT_INSN(), + }, +- .result = REJECT, ++ .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", + .errstr = "R0 tried to subtract pointer from scalar", ++ .result = REJECT, + }, + { + "check deducing bounds from const, 7", +@@ -80,8 +88,9 @@ + offsetof(struct __sk_buff, mark)), + BPF_EXIT_INSN(), + }, +- .result = REJECT, ++ .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types", + .errstr = "dereference of modified ctx ptr", ++ .result = REJECT, + .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, + }, + { +@@ -94,8 +103,9 @@ + offsetof(struct __sk_buff, mark)), + BPF_EXIT_INSN(), + }, +- .result = REJECT, ++ .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types", + .errstr = "dereference of modified ctx ptr", ++ .result = REJECT, + .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, + }, + { +@@ -106,8 +116,9 @@ + BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), + BPF_EXIT_INSN(), + }, +- .result = REJECT, ++ .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", + .errstr = "R0 tried to subtract pointer from scalar", ++ .result = REJECT, + }, + { + "check deducing bounds from const, 10", +@@ -119,6 +130,6 @@ + BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), + BPF_EXIT_INSN(), + }, +- .result = REJECT, + .errstr = "math between ctx pointer and register with unbounded min value is not allowed", ++ .result = REJECT, + }, +--- a/tools/testing/selftests/bpf/verifier/unpriv.c ++++ b/tools/testing/selftests/bpf/verifier/unpriv.c +@@ -495,7 +495,7 @@ + .result = ACCEPT, + }, + { +- "unpriv: adding of fp", ++ "unpriv: adding of fp, reg", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_MOV64_IMM(BPF_REG_1, 0), +@@ -503,6 +503,19 @@ + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), + BPF_EXIT_INSN(), + }, ++ .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types", ++ .result_unpriv = REJECT, ++ .result = ACCEPT, ++}, ++{ ++ "unpriv: adding of fp, imm", ++ .insns = { ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), ++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0), ++ BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), ++ BPF_EXIT_INSN(), ++ }, + .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", + .result_unpriv = REJECT, + .result = ACCEPT, +--- a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c ++++ b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c +@@ -169,7 +169,7 @@ + .fixup_map_array_48b = { 1 }, + .result = ACCEPT, + .result_unpriv = REJECT, +- .errstr_unpriv = "R2 tried to add from different maps or paths", ++ .errstr_unpriv = "R2 tried to add from different maps, paths, or prohibited types", + .retval = 0, + }, + { +@@ -517,6 +517,27 @@ + .retval = 0xabcdef12, + }, + { ++ "map access: value_ptr += N, value_ptr -= N known scalar", ++ .insns = { ++ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), ++ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), ++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), ++ BPF_LD_MAP_FD(BPF_REG_1, 0), ++ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), ++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), ++ BPF_MOV32_IMM(BPF_REG_1, 0x12345678), ++ BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), ++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2), ++ BPF_MOV64_IMM(BPF_REG_1, 2), ++ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), ++ BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ }, ++ .fixup_map_array_48b = { 3 }, ++ .result = ACCEPT, ++ .retval = 0x12345678, ++}, ++{ + "map access: unknown scalar += value_ptr, 1", + .insns = { + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), diff --git a/queue-5.4/bpf-simplify-alu_limit-masking-for-pointer-arithmetic.patch b/queue-5.4/bpf-simplify-alu_limit-masking-for-pointer-arithmetic.patch new file mode 100644 index 00000000000..f9e509fdd87 --- /dev/null +++ b/queue-5.4/bpf-simplify-alu_limit-masking-for-pointer-arithmetic.patch @@ -0,0 +1,57 @@ +From b5871dca250cd391885218b99cc015aca1a51aea Mon Sep 17 00:00:00 2001 +From: Piotr Krysiuk +Date: Tue, 16 Mar 2021 08:26:25 +0100 +Subject: bpf: Simplify alu_limit masking for pointer arithmetic + +From: Piotr Krysiuk + +commit b5871dca250cd391885218b99cc015aca1a51aea upstream. + +Instead of having the mov32 with aux->alu_limit - 1 immediate, move this +operation to retrieve_ptr_limit() instead to simplify the logic and to +allow for subsequent sanity boundary checks inside retrieve_ptr_limit(). +This avoids in future that at the time of the verifier masking rewrite +we'd run into an underflow which would not sign extend due to the nature +of mov32 instruction. + +Signed-off-by: Piotr Krysiuk +Co-developed-by: Daniel Borkmann +Signed-off-by: Daniel Borkmann +Acked-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -4277,16 +4277,16 @@ static int retrieve_ptr_limit(const stru + */ + off = ptr_reg->off + ptr_reg->var_off.value; + if (mask_to_left) +- *ptr_limit = MAX_BPF_STACK + off + 1; ++ *ptr_limit = MAX_BPF_STACK + off; + else +- *ptr_limit = -off; ++ *ptr_limit = -off - 1; + return 0; + case PTR_TO_MAP_VALUE: + if (mask_to_left) { +- *ptr_limit = ptr_reg->umax_value + ptr_reg->off + 1; ++ *ptr_limit = ptr_reg->umax_value + ptr_reg->off; + } else { + off = ptr_reg->smin_value + ptr_reg->off; +- *ptr_limit = ptr_reg->map_ptr->value_size - off; ++ *ptr_limit = ptr_reg->map_ptr->value_size - off - 1; + } + return 0; + default: +@@ -9081,7 +9081,7 @@ static int fixup_bpf_calls(struct bpf_ve + off_reg = issrc ? insn->src_reg : insn->dst_reg; + if (isneg) + *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1); +- *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1); ++ *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit); + *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg); + *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg); + *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0); diff --git a/queue-5.4/kvm-arm64-nvhe-save-the-spe-context-early.patch b/queue-5.4/kvm-arm64-nvhe-save-the-spe-context-early.patch index a25cff017a7..b0fdf473b1a 100644 --- a/queue-5.4/kvm-arm64-nvhe-save-the-spe-context-early.patch +++ b/queue-5.4/kvm-arm64-nvhe-save-the-spe-context-early.patch @@ -34,16 +34,14 @@ Signed-off-by: Suzuki K Poulose Acked-by: Marc Zyngier Signed-off-by: Sasha Levin --- - arch/arm64/include/asm/kvm_hyp.h | 3 +++ - arch/arm64/kvm/hyp/debug-sr.c | 24 +++++++++++++++--------- - arch/arm64/kvm/hyp/switch.c | 13 ++++++++++++- + arch/arm64/include/asm/kvm_hyp.h | 3 +++ + arch/arm64/kvm/hyp/debug-sr.c | 24 +++++++++++++++--------- + arch/arm64/kvm/hyp/switch.c | 13 ++++++++++++- 3 files changed, 30 insertions(+), 10 deletions(-) -diff --git a/arch/arm64/include/asm/kvm_hyp.h b/arch/arm64/include/asm/kvm_hyp.h -index 97f21cc66657..7f7fdb16bb96 100644 --- a/arch/arm64/include/asm/kvm_hyp.h +++ b/arch/arm64/include/asm/kvm_hyp.h -@@ -71,6 +71,9 @@ void __sysreg32_restore_state(struct kvm_vcpu *vcpu); +@@ -71,6 +71,9 @@ void __sysreg32_restore_state(struct kvm void __debug_switch_to_guest(struct kvm_vcpu *vcpu); void __debug_switch_to_host(struct kvm_vcpu *vcpu); @@ -53,11 +51,9 @@ index 97f21cc66657..7f7fdb16bb96 100644 void __fpsimd_save_state(struct user_fpsimd_state *fp_regs); void __fpsimd_restore_state(struct user_fpsimd_state *fp_regs); -diff --git a/arch/arm64/kvm/hyp/debug-sr.c b/arch/arm64/kvm/hyp/debug-sr.c -index 0fc9872a1467..aead8a5fbe91 100644 --- a/arch/arm64/kvm/hyp/debug-sr.c +++ b/arch/arm64/kvm/hyp/debug-sr.c -@@ -168,6 +168,21 @@ static void __hyp_text __debug_restore_state(struct kvm_vcpu *vcpu, +@@ -168,6 +168,21 @@ static void __hyp_text __debug_restore_s write_sysreg(ctxt->sys_regs[MDCCINT_EL1], mdccint_el1); } @@ -79,7 +75,7 @@ index 0fc9872a1467..aead8a5fbe91 100644 void __hyp_text __debug_switch_to_guest(struct kvm_vcpu *vcpu) { struct kvm_cpu_context *host_ctxt; -@@ -175,13 +190,6 @@ void __hyp_text __debug_switch_to_guest(struct kvm_vcpu *vcpu) +@@ -175,13 +190,6 @@ void __hyp_text __debug_switch_to_guest( struct kvm_guest_debug_arch *host_dbg; struct kvm_guest_debug_arch *guest_dbg; @@ -93,7 +89,7 @@ index 0fc9872a1467..aead8a5fbe91 100644 if (!(vcpu->arch.flags & KVM_ARM64_DEBUG_DIRTY)) return; -@@ -201,8 +209,6 @@ void __hyp_text __debug_switch_to_host(struct kvm_vcpu *vcpu) +@@ -201,8 +209,6 @@ void __hyp_text __debug_switch_to_host(s struct kvm_guest_debug_arch *host_dbg; struct kvm_guest_debug_arch *guest_dbg; @@ -102,11 +98,9 @@ index 0fc9872a1467..aead8a5fbe91 100644 if (!(vcpu->arch.flags & KVM_ARM64_DEBUG_DIRTY)) return; -diff --git a/arch/arm64/kvm/hyp/switch.c b/arch/arm64/kvm/hyp/switch.c -index 84964983198e..14607fac7ca3 100644 --- a/arch/arm64/kvm/hyp/switch.c +++ b/arch/arm64/kvm/hyp/switch.c -@@ -682,6 +682,15 @@ int __hyp_text __kvm_vcpu_run_nvhe(struct kvm_vcpu *vcpu) +@@ -682,6 +682,15 @@ int __hyp_text __kvm_vcpu_run_nvhe(struc __sysreg_save_state_nvhe(host_ctxt); @@ -122,7 +116,7 @@ index 84964983198e..14607fac7ca3 100644 __activate_vm(kern_hyp_va(vcpu->kvm)); __activate_traps(vcpu); -@@ -720,11 +729,13 @@ int __hyp_text __kvm_vcpu_run_nvhe(struct kvm_vcpu *vcpu) +@@ -720,11 +729,13 @@ int __hyp_text __kvm_vcpu_run_nvhe(struc if (vcpu->arch.flags & KVM_ARM64_FP_ENABLED) __fpsimd_save_fpexc32(vcpu); @@ -137,6 +131,3 @@ index 84964983198e..14607fac7ca3 100644 if (pmu_switch_needed) __pmu_switch_to_host(host_ctxt); --- -2.30.1 - diff --git a/queue-5.4/series b/queue-5.4/series index 193aacae359..b51dd4f09ca 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -1 +1,6 @@ kvm-arm64-nvhe-save-the-spe-context-early.patch +bpf-prohibit-alu-ops-for-pointer-types-not-defining-ptr_limit.patch +bpf-fix-off-by-one-for-area-size-in-creating-mask-to-left.patch +bpf-simplify-alu_limit-masking-for-pointer-arithmetic.patch +bpf-add-sanity-check-for-upper-ptr_limit.patch +bpf-selftests-fix-up-some-test_verifier-cases-for-unprivileged.patch