From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, James Morse <james.morse@arm.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Daniel Borkmann <daniel@iogearbox.net>
Subject: [PATCH 6.6 096/113] arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users
Date: Mon, 12 May 2025 19:46:25 +0200 [thread overview]
Message-ID: <20250512172031.588213643@linuxfoundation.org> (raw)
In-Reply-To: <20250512172027.691520737@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: James Morse <james.morse@arm.com>
commit f300769ead032513a68e4a02e806393402e626f8 upstream.
Support for eBPF programs loaded by unprivileged users is typically
disabled. This means only cBPF programs need to be mitigated for BHB.
In addition, only mitigate cBPF programs that were loaded by an
unprivileged user. Privileged users can also load the same program
via eBPF, making the mitigation pointless.
Signed-off-by: James Morse <james.morse@arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/net/bpf_jit_comp.c | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -666,6 +666,9 @@ static void __maybe_unused build_bhb_mit
arm64_get_spectre_v2_state() == SPECTRE_VULNERABLE)
return;
+ if (capable(CAP_SYS_ADMIN))
+ return;
+
if (supports_clearbhb(SCOPE_SYSTEM)) {
emit(aarch64_insn_gen_hint(AARCH64_INSN_HINT_CLEARBHB), ctx);
return;
next prev parent reply other threads:[~2025-05-12 18:11 UTC|newest]
Thread overview: 123+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-12 17:44 [PATCH 6.6 000/113] 6.6.91-rc1 review Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.6 001/113] dm: add missing unlock on in dm_keyslot_evict() Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.6 002/113] arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.6 003/113] can: mcan: m_can_class_unregister(): fix order of unregistration calls Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.6 004/113] wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.6 005/113] can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.6 006/113] ksmbd: prevent rename with empty string Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.6 007/113] ksmbd: prevent out-of-bounds stream writes by validating *pos Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.6 008/113] ksmbd: Fix UAF in __close_file_table_ids Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.6 009/113] openvswitch: Fix unsafe attribute parsing in output_userspace() Greg Kroah-Hartman
2025-05-12 17:44 ` [PATCH 6.6 010/113] ksmbd: fix memory leak in parse_lease_state() Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 011/113] sch_htb: make htb_deactivate() idempotent Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 012/113] gre: Fix again IPv6 link-local address generation Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 013/113] netdevice: add netdev_tx_reset_subqueue() shorthand Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 014/113] net: ethernet: mtk_eth_soc: reset all TX queues on DMA free Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 015/113] can: mcp251xfd: fix TDC setting for low data bit rates Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 016/113] can: gw: fix RCU/BH usage in cgw_create_job() Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 017/113] ipvs: fix uninit-value for saddr in do_output_route4 Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 018/113] netfilter: ipset: fix region locking in hash types Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 019/113] bpf: Scrub packet on bpf_redirect_peer Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 020/113] net: dsa: b53: allow leaky reserved multicast Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 021/113] net: dsa: b53: fix clearing PVID of a port Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 022/113] net: dsa: b53: fix flushing old pvid VLAN on pvid change Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 023/113] net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 024/113] net: dsa: b53: always rejoin default untagged VLAN " Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 025/113] net: dsa: b53: fix learning on VLAN unaware bridges Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 026/113] Input: cyttsp5 - ensure minimum reset pulse width Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 027/113] Input: cyttsp5 - fix power control issue on wakeup Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 028/113] Input: mtk-pmic-keys - fix possible null pointer dereference Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 029/113] Input: xpad - fix Share button on Xbox One controllers Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 030/113] Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 031/113] Input: xpad - fix two controller table values Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 032/113] Input: synaptics - enable InterTouch on Dynabook Portege X30-D Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 033/113] Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 034/113] Input: synaptics - enable InterTouch on Dell Precision M3800 Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 035/113] Input: synaptics - enable SMBus for HP Elitebook 850 G1 Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 036/113] Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 037/113] staging: iio: adc: ad7816: Correct conditional logic for store mode Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 038/113] staging: axis-fifo: Remove hardware resets for user errors Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 039/113] staging: axis-fifo: Correct handling of tx_fifo_depth for size validation Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 040/113] x86/mm: Eliminate window where TLB flushes may be inadvertently skipped Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 041/113] drm/amd/display: Shift DMUB AUX reply command if necessary Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 042/113] iio: adc: ad7606: fix serial register access Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 043/113] iio: adc: rockchip: Fix clock initialization sequence Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 044/113] iio: adis16201: Correct inclinometer channel resolution Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 045/113] iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 046/113] iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 047/113] drm/v3d: Add job to pending list if the reset was skipped Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 048/113] drm/amd/display: more liberal vmin/vmax update for freesync Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 049/113] drm/amd/display: Fix the checking condition in dmub aux handling Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 050/113] drm/amd/display: Remove incorrect checking in dmub aux handler Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 051/113] drm/amd/display: Fix wrong handling for AUX_DEFER case Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 052/113] drm/amd/display: Copy AUX read reply data whenever length > 0 Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 053/113] drm/amdgpu/hdp4: use memcfg register to post the write for HDP flush Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 054/113] drm/amdgpu/hdp5.2: " Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 055/113] drm/amdgpu/hdp5: " Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 056/113] drm/amdgpu/hdp6: " Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 057/113] usb: uhci-platform: Make the clock really optional Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 058/113] smb: client: Avoid race in open_cached_dir with lease breaks Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 059/113] xen: swiotlb: Use swiotlb bouncing if kmalloc allocation demands it Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 060/113] xenbus: Use kref to track req lifetime Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 061/113] clocksource/i8253: Use raw_spinlock_irqsave() in clockevent_i8253_disable() Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 062/113] module: ensure that kobject_put() is safe for module type kobjects Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 063/113] x86/microcode: Consolidate the loader enablement checking Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 064/113] ocfs2: switch osb->disable_recovery to enum Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 065/113] ocfs2: implement handshaking with ocfs2 recovery thread Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 066/113] ocfs2: stop quota recovery before disabling quotas Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 067/113] usb: cdnsp: Fix issue with resuming from L1 Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 068/113] usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 069/113] usb: gadget: f_ecm: Add get_status callback Greg Kroah-Hartman
2025-05-12 17:45 ` [PATCH 6.6 070/113] usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 071/113] usb: gadget: Use get_status callback to set remote wakeup capability Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 072/113] usb: host: tegra: Prevent host controller crash when OTG port is used Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 073/113] usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 074/113] usb: typec: ucsi: displayport: Fix NULL pointer access Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 075/113] USB: usbtmc: use interruptible sleep in usbtmc_read Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 076/113] usb: usbtmc: Fix erroneous get_stb ioctl error returns Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 077/113] usb: usbtmc: Fix erroneous wait_srq ioctl return Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 078/113] usb: usbtmc: Fix erroneous generic_read " Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 079/113] iio: accel: adxl367: fix setting odr for activity time update Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 080/113] iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 081/113] types: Complement the aligned types with signed 64-bit one Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 082/113] iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64 Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 083/113] iio: adc: dln2: Use aligned_s64 for timestamp Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 084/113] MIPS: Fix idle VS timer enqueue Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 085/113] MIPS: Move r4k_wait() to .cpuidle.text section Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 086/113] MIPS: Fix MAX_REG_OFFSET Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 087/113] drm/panel: simple: Update timings for AUO G101EVN010 Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 088/113] nvme: unblock ctrl state transition for firmware update Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 089/113] do_umount(): add missing barrier before refcount checks in sync case Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 090/113] io_uring: always arm linked timeouts prior to issue Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 091/113] io_uring: ensure deferred completions are posted for multishot Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 092/113] arm64: insn: Add support for encoding DSB Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 093/113] arm64: proton-pack: Expose whether the platform is mitigated by firmware Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 094/113] arm64: proton-pack: Expose whether the branchy loop k value Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 095/113] arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs Greg Kroah-Hartman
2025-05-12 17:46 ` Greg Kroah-Hartman [this message]
2025-05-12 17:46 ` [PATCH 6.6 097/113] arm64: proton-pack: Add new CPUs k values for branch mitigation Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 098/113] x86/bpf: Call branch history clearing sequence on exit Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 099/113] x86/bpf: Add IBHF call at end of classic BPF Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 100/113] x86/bhi: Do not set BHI_DIS_S in 32-bit mode Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 101/113] x86/speculation: Simplify and make CALL_NOSPEC consistent Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 102/113] x86/speculation: Add a conditional CS prefix to CALL_NOSPEC Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 103/113] x86/speculation: Remove the extra #ifdef around CALL_NOSPEC Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 104/113] Documentation: x86/bugs/its: Add ITS documentation Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 105/113] x86/its: Enumerate Indirect Target Selection (ITS) bug Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 106/113] x86/its: Add support for ITS-safe indirect thunk Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 107/113] x86/its: Add support for ITS-safe return thunk Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 108/113] x86/its: Enable Indirect Target Selection mitigation Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 109/113] x86/its: Add "vmexit" option to skip mitigation on some CPUs Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 110/113] x86/its: Add support for RSB stuffing mitigation Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 111/113] x86/its: Align RETs in BHB clear sequence to avoid thunking Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 112/113] x86/ibt: Keep IBT disabled during alternative patching Greg Kroah-Hartman
2025-05-12 17:46 ` [PATCH 6.6 113/113] x86/its: Use dynamic thunks for indirect branches Greg Kroah-Hartman
2025-05-12 20:56 ` [PATCH 6.6 000/113] 6.6.91-rc1 review Jon Hunter
2025-05-13 9:46 ` Mark Brown
2025-05-13 9:56 ` Florian Fainelli
2025-05-13 9:57 ` Ron Economos
2025-05-13 13:55 ` Peter Schneider
2025-05-13 17:31 ` Shuah Khan
2025-05-13 17:32 ` Naresh Kamboju
2025-05-13 18:30 ` Harshit Mogalapalli
2025-05-14 17:06 ` Hardik Garg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250512172031.588213643@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=catalin.marinas@arm.com \
--cc=daniel@iogearbox.net \
--cc=james.morse@arm.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).