~itrue/ubuntu/+source/linux/+git/focal:hwe-5.11-next

Last commit made on 2022-03-09
Get this branch:
git clone -b hwe-5.11-next https://git.launchpad.net/~itrue/ubuntu/+source/linux/+git/focal

Branch information

Name:
hwe-5.11-next
Repository:
lp:~itrue/ubuntu/+source/linux/+git/focal

Recent commits

6210b12... by Stefan Bader

UBUNTU: Ubuntu-hwe-5.11-5.11.0-61.61

Signed-off-by: Stefan Bader <email address hidden>

a02f699... by Stefan Bader

UBUNTU: [Config] hwe-5.11: Enable CONFIG_BPF_UNPRIV_DEFAULT_OFF

BugLink: https://bugs.launchpad.net/bugs/1961338 (Disable unprivileged BPF by default (LP: #1961338))

This option will disable unprivileged BPF by default. It can be reenabled,
though, as it uses the new value 2 for the kernel.unprivileged_bpf_disabled
sysctl. That value disables it, but allows the sysctl knob to be set back
to 0.

This allows sysadmins to enable unprivileged BPF back by using sysctl
config files.

Sync the changes with what was done with all other kernels.

Signed-off-by: Stefan Bader <email address hidden>

cfde38b... by Stefan Bader

UBUNTU: link-to-tracker: update tracking bug

BugLink: https://bugs.launchpad.net/bugs/1964211
Properties: no-test-build
Signed-off-by: Stefan Bader <email address hidden>

8be2e2b... by Stefan Bader

UBUNTU: [Packaging] resync getabis

BugLink: https://bugs.launchpad.net/bugs/1786013
Signed-off-by: Stefan Bader <email address hidden>

cda3b48... by Stefan Bader

UBUNTU: [Packaging] update variants

BugLink: https://bugs.launchpad.net/bugs/1786013
Signed-off-by: Stefan Bader <email address hidden>

7bc63c2... by Long Li

PCI: hv: Fix NUMA node assignment when kernel boots with custom NUMA topology

BugLink: https://bugs.launchpad.net/bugs/1961300

When kernel boots with a NUMA topology with some NUMA nodes offline, the PCI
driver should only set an online NUMA node on the device. This can happen
during KDUMP where some NUMA nodes are not made online by the KDUMP kernel.

This patch also fixes the case where kernel is booting with "numa=off".

Fixes: 999dd956d838 ("PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2")
Signed-off-by: Long Li <email address hidden>
Reviewed-by: Michael Kelley <email address hidden>
Tested-by: Purna Pavan Chandra Aekkaladevi <email address hidden>
Acked-by: Lorenzo Pieralisi <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Wei Liu <email address hidden>
(cherry picked from commit 3149efcdf2c6314420c418dfc94de53bfd076b1f)
Signed-off-by: Tim Gardner <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Krzysztof Kozlowski <email address hidden>
Signed-off-by: Tim Gardner <email address hidden>

6716487... by Pablo Neira Ayuso <email address hidden>

netfilter: nf_tables_offload: incorrect flow offload action array size

immediate verdict expression needs to allocate one slot in the flow offload
action array, however, immediate data expression does not need to do so.

fwd and dup expression need to allocate one slot, this is missing.

Add a new offload_action interface to report if this expression needs to
allocate one slot in the flow offload action array.

Fixes: be2861dc36d7 ("netfilter: nft_{fwd,dup}_netdev: add offload support")
Reported-and-tested-by: Nick Gregory <email address hidden>
Signed-off-by: Pablo Neira Ayuso <email address hidden>
(backported from commit b1a5983f56e371046dcf164f90bfaf704d2b89f6 net.git)
[cascardo: there is no offload_stats at struct nft_expr_ops]
CVE-2022-25636
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Andrea Righi <email address hidden>

a34ca4a... by Peter Zijlstra <email address hidden>

UBUNTU: SAUCE: Documentation/hw-vuln: Update spectre doc

Update the doc with the new fun.

  [ bp: Massage commit message. ]

Signed-off-by: Peter Zijlstra (Intel) <email address hidden>
Signed-off-by: Borislav Petkov <email address hidden>
Reviewed-by: Thomas Gleixner <email address hidden>
[<email address hidden>: backported to 5.15]
Signed-off-by: Frank van der Linden <email address hidden>
CVE-2022-0001
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

5b3af86... by Peter Zijlstra <email address hidden>

UBUNTU: SAUCE: x86/speculation: Add eIBRS + Retpoline options

Thanks to the chaps at VUsec it is now clear that eIBRS is not
sufficient, therefore allow enabling of retpolines along with eIBRS.

Add spectre_v2=eibrs, spectre_v2=eibrs,lfence and
spectre_v2=eibrs,retpoline options to explicitly pick your preferred
means of mitigation.

Since there's new mitigations there's also user visible changes in
/sys/devices/system/cpu/vulnerabilities/spectre_v2 to reflect these
new mitigations.

  [ bp: Massage commit message, trim error messages,
    do more precise eIBRS mode checking. ]

Co-developed-by: Josh Poimboeuf <email address hidden>
Signed-off-by: Josh Poimboeuf <email address hidden>
Signed-off-by: Peter Zijlstra (Intel) <email address hidden>
Signed-off-by: Borislav Petkov <email address hidden>
Reviewed-by: Patrick Colp <email address hidden>
Reviewed-by: Thomas Gleixner <email address hidden>
CVE-2022-0001
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

9910b89... by "Peter Zijlstra (Intel)" <email address hidden>

UBUNTU: SAUCE: x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE

The RETPOLINE_AMD name is unfortunate since it isn't necessarily
AMD only, in fact Hygon also uses it. Furthermore it will likely be
sufficient for some Intel processors. Therefore rename the thing to
RETPOLINE_LFENCE to better describe what it is.

Add the spectre_v2=retpoline,lfence option as an alias to
spectre_v2=retpoline,amd to preserve existing setups. However, the output
of /sys/devices/system/cpu/vulnerabilities/spectre_v2 will be changed.

  [ bp: Fix typos, massage. ]

Co-developed-by: Josh Poimboeuf <email address hidden>
Signed-off-by: Josh Poimboeuf <email address hidden>
Signed-off-by: Peter Zijlstra (Intel) <email address hidden>
Signed-off-by: Borislav Petkov <email address hidden>
Reviewed-by: Thomas Gleixner <email address hidden>
[<email address hidden>: backported to 5.10]
Signed-off-by: Frank van der Linden <email address hidden>
CVE-2022-0001
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>