summaryrefslogtreecommitdiff
path: root/tools
AgeCommit message (Collapse)Author
2026-06-02selftests/rseq: Add config fragmentMark Brown
Currently there is no config fragment for the rseq selftests but there are a couple of configuration options which are required for running them: - CONFIG_RSEQ is required for obvious reasons, it is enabled by default but it doesn't hurt to specify it in case the user is usinsg a defconfig that disables it. - CONFIG_RSEQ_SLICE_EXTENSION is tested by the slice_test test, the test will fail without it. Add a configuration fragment which enables these options, helping encourage CI systems and people doing manual testing to run the tests with all the features. This also requires CONFIG_EXPERT since it is a dependency for slice extension. Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Link: https://patch.msgid.link/20260424-selftests-rseq-config-fragment-v2-1-a9475996edcb@kernel.org
2026-06-02selftests: drv-net: tso: add new tests for ip6tnl, ipip, and sit tunnelsDaniel Zahka
Add new tunnel test cases for ip6tnl, ipip, and sit. ip6tnl supports ipv[46] as inner l3 header, and the other two tunnels only support a single inner l3 type. Signed-off-by: Daniel Zahka <daniel.zahka@gmail.com> Link: https://patch.msgid.link/20260529-tso-tunnels-v1-1-3771ee9eaaa9@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-02selftests: net: add socat syslog for PPPoL2TPQingfang Deng
As done in pppoe.sh, start socat as the syslog listener. In case the test fails, dump its log to see what's going on. Signed-off-by: Qingfang Deng <qingfang.deng@linux.dev> Reviewed-by: Matthieu Baerts <matttbe@kernel.org> Link: https://patch.msgid.link/20260529021146.5739-1-qingfang.deng@linux.dev Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-02tools/power/x86/intel-speed-select: Harden daemon pidfile openAli Ahmet MEMIS
Avoid symlink-based pidfile clobbering by opening the pidfile with O_NOFOLLOW and validating it with fstat() before locking/writing. The daemon currently uses a fixed pidfile path under /tmp. A local unprivileged user can pre-create a symlink at that path and cause a root-run daemon instance to write into an attacker-chosen file. Fixes: 7fd786dfbd2c ("tools/power/x86/intel-speed-select: OOB daemon mode") Signed-off-by: Ali Ahmet MEMIS <dev@unknownbbqr.xyz> Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> Cc: stable@kernel.org
2026-06-02selftests/bpf: Test that exclusive maps are rejected as iter targetsDaniel Borkmann
Add a subtest to map_excl that creates an exclusive map and verifies a bpf_map_elem iterator cannot be attached to it, which would otherwise let an unrelated program read and overwrite the map's contents through the iterator's writable value buffer. # LDLIBS=-static PKG_CONFIG='pkg-config --static' ./vmtest.sh -- ./test_progs -t map_excl [...] ./test_progs -t map_excl [ 1.704382] bpf_testmod: loading out-of-tree module taints kernel. [ 1.706068] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel #215/1 map_excl/map_excl_allowed:OK #215/2 map_excl/map_excl_denied:OK #215/3 map_excl/map_excl_no_map_in_map:OK #215/4 map_excl/map_excl_no_map_iter:OK #215 map_excl:OK Summary: 1/4 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20260602133052.423725-5-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-02selftests/bpf: Keep verifier_map_ptr exercising ops pointer accessDaniel Borkmann
sashiko complained that 38498c0ebacd ("selftests/bpf: Adjust verifier_map_ptr for the map's excl field") would slightly decrease the test coverage given before the test was against the verifier rejecting the ops pointer. Recover the old test with the right offsets and add the existing one as an additional test case. # LDLIBS=-static PKG_CONFIG='pkg-config --static' ./vmtest.sh -- ./test_progs -t verifier_map_ptr [ 1.672932] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel #637/1 verifier_map_ptr/bpf_map_ptr: read with negative offset rejected:OK #637/2 verifier_map_ptr/bpf_map_ptr: read with negative offset rejected @unpriv:OK #637/3 verifier_map_ptr/bpf_map_ptr: write rejected:OK #637/4 verifier_map_ptr/bpf_map_ptr: write rejected @unpriv:OK #637/5 verifier_map_ptr/bpf_map_ptr: read non-existent field rejected:OK #637/6 verifier_map_ptr/bpf_map_ptr: read non-existent field rejected @unpriv:OK #637/7 verifier_map_ptr/bpf_map_ptr: read beyond excl field rejected:OK #637/8 verifier_map_ptr/bpf_map_ptr: read beyond excl field rejected @unpriv:OK #637/9 verifier_map_ptr/bpf_map_ptr: read ops field accepted:OK #637/10 verifier_map_ptr/bpf_map_ptr: read ops field accepted @unpriv:OK #637/11 verifier_map_ptr/bpf_map_ptr: r = 0, map_ptr = map_ptr + r:OK #637/12 verifier_map_ptr/bpf_map_ptr: r = 0, map_ptr = map_ptr + r @unpriv:OK #637/13 verifier_map_ptr/bpf_map_ptr: r = 0, r = r + map_ptr:OK #637/14 verifier_map_ptr/bpf_map_ptr: r = 0, r = r + map_ptr @unpriv:OK #637 verifier_map_ptr:OK [...] Summary: 2/20 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20260602133052.423725-4-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-02libbpf: Guard add_data() against size overflowDaniel Borkmann
add_data() computes size8 = roundup(size, 8) and then hands size8 to realloc_data_buf() before doing memcpy(gen->data_cur, data, size) with the original size. A wrapped size8 passes through the realloc_data_buf() INT32_MAX check. Harden this against overflow, though not realistic to happen in practice. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20260602133052.423725-3-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-02Merge tag 'v7.1-rc6' into workJonathan Cameron
Linux 7.1-rc6
2026-06-02Merge branch 'tip/sched/urgent'Peter Zijlstra
Pick up urgent fixes. Signed-off-by: Peter Zijlstra <peterz@infradead.org>
2026-06-02tools/testing/memblock: fix stale NUMA reservation testsPriyanshu Kumar
memblock allocations now reserve memory with MEMBLOCK_RSRV_KERN and, on NUMA configurations, record the requested node on the reserved region. Several memblock simulator NUMA tests still expected merges that only worked before those reservation semantics changed, so the suite aborted even though the allocator behavior was correct. Update the NUMA merge expectations in the memblock_alloc_try_nid() and memblock_alloc_exact_nid_raw() tests to match the current reserved region metadata rules. For cases that should still merge, create the pre-existing reservation with matching nid and MEMBLOCK_RSRV_KERN metadata. Also strengthen the memblock_alloc_node() coverage by checking the newly created reserved region directly instead of re-reading the source memory node descriptor. Finally, drop the stale README/TODO notes that still claimed memblock_alloc_node() could not be tested. The memblock simulator passes again with NUMA enabled after these updates. Signed-off-by: Priyanshu Kumar <priyanshukumarpu@gmail.com> Link: https://patch.msgid.link/20260415122731.1768912-1-priyanshukumarpu@gmail.com [rppt: dropped unrelated changes] Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
2026-06-01selftests/bpf: Add tests for the new type-tag based __arena identifierEmil Tsalapatis
Add selftests that combine the new type-based __arena identifier with the volatile qualifier both in functions' arguments and return values. This way we test both that they are recognized as arena arguments and that they are not sensitive to the position they are placed in the type compared to other qualifiers. Signed-off-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260602004120.17087-7-emil@etsalapatis.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-01selftests/bpf: libarena: Directly return arena pointers from functionsEmil Tsalapatis
Now that the __arena annotation includes a BTF type tag, and the verifier can identify arena pointers at BTF loading time, return arena pointers as their true type instead of casting to u64. Remove the preprocessor typecast wrappers used to hide this from the caller. Acked-by: Eduard Zingerman <eddyz87@gmail.com> Signed-off-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260602004120.17087-6-emil@etsalapatis.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-01selftests/bpf: Remove __arg_arena from the codebaseEmil Tsalapatis
Now that BPF __arg_arena has been subsumed by __arena, remove __arg_arena from the codebase. This way the user has one fewer annotation to worry about. To remove __arg_arena we remove the typedefs we were previously using to minimize __arena annotations. This is because __arena now also includes a BTF type tag, which is ignored for non-pointer types. As a result, we cannot capture the whole __arena annotation inside a typedef and need to directly annotate the pointer type when declaring the variable. The extra verbosity is worth it because the use of the __arena tag is intuitive to the programmer and removes the __arg_arena tag that has been a consistent source of confusion for users. The typedefs can be reintroduced later (without __arg_arena) once compilers start supporting BTF type tags for non-pointer types. Acked-by: Eduard Zingerman <eddyz87@gmail.com> Signed-off-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260602004120.17087-5-emil@etsalapatis.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-01selftests/bpf: libarena: Add "arena" BTF type tag to __arena qualifierEmil Tsalapatis
The arena qualifier currently designates its associated type as belonging to address space 1. This property affects code generation, but is not reflected in the BTF information of the function. This lack of information at the BTF level prevents us from returning arena pointers from global subprograms. Subprogs cannot return any data structure more complex than a scalar, so pointers to structs are rejected as a return type. We have no way of marking the return type as a pointer to an arena, which is safe provided the two subprogs have the same arena. Expand the __arena qualifier to also attach a BTF type tag to the type. This lets us determine whether a variable belongs to an arena from its type alone through BTF parsing. Signed-off-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260602004120.17087-2-emil@etsalapatis.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-01selftests/bpf: Test that exclusive maps are rejected in map-in-mapDaniel Borkmann
Add a subtest to map_excl that verifies an exclusive map (created with excl_prog_hash) cannot be used in a map-of-maps, covering both kernel enforcement points: i) the inner-map template at map-of-maps creation and, ii) the element inserted into an existing map-of-maps. # LDLIBS=-static PKG_CONFIG='pkg-config --static' ./vmtest.sh -- ./test_progs -t map_excl ./test_progs -t map_excl [ 1.728106] bpf_testmod: loading out-of-tree module taints kernel. [ 1.730473] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel #215/1 map_excl/map_excl_allowed:OK #215/2 map_excl/map_excl_denied:OK #215/3 map_excl/map_excl_no_map_in_map:OK #215 map_excl:OK Summary: 1/3 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20260601150248.394863-8-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-01selftests/bpf: Adjust verifier_map_ptr for the map's excl fieldKP Singh
Adding the u32 excl field at offset 32 of struct bpf_map right after the sha[SHA256_DIGEST_SIZE] hash shifts the ops pointer from offset 32 to 40. Therefore, fix up the test case. # LDLIBS=-static PKG_CONFIG='pkg-config --static' ./vmtest.sh -- ./test_progs -t verifier_map_ptr [...] #637/1 verifier_map_ptr/bpf_map_ptr: read with negative offset rejected:OK #637/2 verifier_map_ptr/bpf_map_ptr: read with negative offset rejected @unpriv:OK #637/3 verifier_map_ptr/bpf_map_ptr: write rejected:OK #637/4 verifier_map_ptr/bpf_map_ptr: write rejected @unpriv:OK #637/5 verifier_map_ptr/bpf_map_ptr: read non-existent field rejected:OK #637/6 verifier_map_ptr/bpf_map_ptr: read non-existent field rejected @unpriv:OK #637/7 verifier_map_ptr/bpf_map_ptr: read ops field accepted:OK #637/8 verifier_map_ptr/bpf_map_ptr: read ops field accepted @unpriv:OK [...] Summary: 2/18 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: KP Singh <kpsingh@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20260601150248.394863-7-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-01libbpf: Skip max_entries override on signed loadersDaniel Borkmann
bpf_gen__map_create() lets the host-supplied loader ctx override a map's max_entries at runtime (map_desc[idx].max_entries, when non-zero). This is how the light skeleton sizes maps to the target machine, but it happens after emit_signature_match() and is covered by neither the signed loader instructions nor the hashed blob. For a signed loader this means an untrusted host can re-dimension the program's maps, outside what the signature attests to. Gate the override on gen_hash so signed loaders use the signer-provided max_entries baked into the blob. Fixes: ea923080c145 ("libbpf: Embed and verify the metadata hash in the loader") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20260601150248.394863-6-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-01libbpf: Skip initial_value override on signed loadersDaniel Borkmann
bpf_gen__map_update_elem() emits code that, when the host-supplied loader ctx provides a non-NULL map_desc[idx].initial_value, overwrites the blob value with bytes read from the host (bpf_copy_from_user / bpf_probe_read_kernel) before the BPF_MAP_UPDATE_ELEM that populates the program's .data/.rodata/.bss maps. This override runs after emit_signature_match() has validated map->sha[], and initial_value is part of neither the signed loader instructions nor the hashed data blob. For a signed loader this lets an untrusted host substitute global-variable contents into a program whose code carries a valid signature, thus weakening what the signature attests to. The blob already contains the signer-provided value (added via add_data() and covered by the embedded, signed hash), so simply skip emitting the override for signed loaders (gen_hash). Runtime initialization stays available for the unsigned light-skeleton path as before. The jump offsets within the override block are internal to it, so guarding the whole block leaves them unchanged. Fixes: ea923080c145 ("libbpf: Embed and verify the metadata hash in the loader") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20260601150248.394863-5-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-01libbpf: Reject non-exclusive metadata maps in the signed loaderKP Singh
The loader verifies map->sha against the metadata hash in its instructions. map->sha is calculated when BPF_OBJ_GET_INFO_BY_FD is called on the frozen map. While the map is frozen, the /signed loader/ must also ensure the map is exclusive, as, without exclusivity (which a hostile host could just omit when loading the loader), another BPF program with map access can mutate the contents afterwards, so the check passes on stale data. With the extra check as part of the signed loader, it now refuses to move on with map->sha validation if the host set it up wrongly. Fixes: fb2b0e290147 ("libbpf: Update light skeleton for signing") Signed-off-by: KP Singh <kpsingh@kernel.org> Co-developed-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20260601150248.394863-4-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-01selftests/bpf: Test using dynptr after freeing the underlying objectAmery Hung
Make sure the verifier invalidates the dynptr and dynptr slice derived from an skb after the skb is freed. Signed-off-by: Amery Hung <ameryhung@gmail.com> Link: https://lore.kernel.org/r/20260529014936.2811085-14-ameryhung@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-01selftests/bpf: Test using file dynptr after the reference on file is droppedAmery Hung
File dynptr and slice should be invalidated when the parent file's reference is dropped in the program. Without the verifier tracking dyntpr's parent referenced object, the dynptr would continute to be incorrectly used even if the underlying file is being tear down or gone. Signed-off-by: Amery Hung <ameryhung@gmail.com> Link: https://lore.kernel.org/r/20260529014936.2811085-13-ameryhung@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-01selftests/bpf: Test using slice after invalidating dynptr cloneAmery Hung
The parent object of a cloned dynptr is skb not the original dynptr. Invalidate the original dynptr should not prevent the program from using the slice derived from the cloned dynptr. Signed-off-by: Amery Hung <ameryhung@gmail.com> Link: https://lore.kernel.org/r/20260529014936.2811085-12-ameryhung@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-01selftests/bpf: Test creating dynptr from dynptr data and sliceAmery Hung
The verifier currently does not allow creating dynptr from dynptr data or slice. Add a selftest to test this explicitly. Signed-off-by: Amery Hung <ameryhung@gmail.com> Link: https://lore.kernel.org/r/20260529014936.2811085-11-ameryhung@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-01bpf: Unify release handling for helpers and kfuncsAmery Hung
Introduce release_reg() to consolidate the release logic shared by both helpers and kfuncs: dynptr release, kptr_xchg percpu-to-RCU conversion, regular reference release, and NULL pass-through. NULL pass-through is only allowed if the prototype indicates the argument may be null. Determine release_regno from the function prototype/metadata before argument checking, rather than discovering it dynamically during argument processing. For helpers, scan the arg_type array in check_func_proto() via check_proto_release_reg(). For kfuncs, set release_regno to BPF_REG_1 in bpf_fetch_kfunc_arg_meta() when KF_RELEASE is set. In the future when we start adding decl_tag to kfunc arguments, we can just look at the function prototype instead of a release_regno. Extract ref_convert_alloc_rcu_protected() and invalidate_rcu_protected_refs() to make it more clear what the code is doing. For ref_convert_alloc_rcu_protected(), it pre-converts MEM_ALLOC | MEM_PERCPU registers to MEM_RCU (clearing id so they survive), then calls release_reference() to invalidate the remaining registers and release the reference state. Add KF_RELEASE to bpf_dynptr_file_discard() so its release_regno is set via fetch_kfunc_meta rather than being assigned manually in the dynptr argument processing. Set arg_type to ARG_PTR_TO_DYNPTR for KF_ARG_PTR_TO_DYNPTR so that check_func_arg_reg_off() correctly allows non-zero stack offsets for dynptr release arguments same as helper. Acked-by: Eduard Zingerman <eddyz87@gmail.com> Signed-off-by: Amery Hung <ameryhung@gmail.com> Link: https://lore.kernel.org/r/20260529014936.2811085-9-ameryhung@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-01bpf: Unify referenced object tracking in verifierAmery Hung
Helpers and kfuncs independently tracked referenced object metadata using standalone id fields in their respective arg_meta structs. This led to duplicated logic and inconsistent error handling between the two paths. Introduce struct ref_obj_desc to consolidate id and parent_id along with a count of how many arguments carry a reference. Add update_ref_obj() to populate it from a bpf_reg_state, replacing open-coded assignments in check_func_arg(), check_kfunc_args(), and process_iter_arg(). Add validate_ref_obj() to check for ambiguous ref_obj before using it. For ref_obj releasing helpers and kfuncs, keep checking it before calling update_ref_obj() for now. A later patch will make these functions not depending on ref_obj. For other users of ref_obj, move the checks to the use locations. For helper, this means moving the checks inside helper_multiple_ref_obj_use() to use locations. is_acquire_function() is dropped as ref_obj is never used. Pass ref_obj_desc into process_dynptr_func()/mark_stack_slots_dynptr() instead of a bare parent_id to make it less confusing. Drop the selftest introduced in 7ec899ac90a2 ("selftests/bpf: Negative test case for ref_obj_id in args") since the verifier no longer complains about ambiguous ref_obj if it is not used. Acked-by: Eduard Zingerman <eddyz87@gmail.com> Signed-off-by: Amery Hung <ameryhung@gmail.com> Link: https://lore.kernel.org/r/20260529014936.2811085-8-ameryhung@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-01bpf: Remove redundant dynptr arg check for helperAmery Hung
unmark_stack_slots_dynptr() already makes sure that CONST_PTR_TO_DYNPTR cannot be released. process_dynptr_func() also prevents passing uninitialized dynptr to helpers expecting initialized dynptr. Now that unmark_stack_slots_dynptr() also reports error returned from release_reference(), there should be no reason to keep these redundant checks. Acked-by: Eduard Zingerman <eddyz87@gmail.com> Signed-off-by: Amery Hung <ameryhung@gmail.com> Link: https://lore.kernel.org/r/20260529014936.2811085-7-ameryhung@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-01bpf: Refactor object relationship tracking and fix dynptr UAF bugAmery Hung
Refactor object relationship tracking in the verifier and fix a dynptr use-after-free bug where file/skb dynptrs are not invalidated when the parent referenced object is freed. Add parent_id to bpf_reg_state to precisely track child-parent relationships. A child object's parent_id points to the parent object's id. This replaces the PTR_TO_MEM-specific dynptr_id. Remove ref_obj_id from bpf_reg_state by folding its role into the existing id field. Previously, id tracked pointer identity for null checking while ref_obj_id tracked the owning reference for lifetime management. These are now unified: acquire helpers and kfuncs set id to the acquired reference id, and release paths use id directly. Add reg_is_referenced() which checks if a register is referenced by looking up its id in the reference array. This replaces all former ref_obj_id checks. For release_reference(), invalidating an object now also invalidates all descendants by traversing the object tree. This is done using stack-based DFS to avoid recursive call chains of release_reference() -> unmark_stack_slots_dynptr() -> release_reference(). Referenced objects encountered during tree traversal are reported as leaked references. Add parent_id to bpf_reference_state to enable hierarchical reference tracking. When acquiring a reference, a parent_id can be specified to link the new reference to an existing one (e.g., referenced dynptrs acquire a reference with parent_id linking to the parent object's reference). Pointer casting: For pointer casting helpers (bpf_sk_fullsock, bpf_tcp_sock), instead of propagating ref_obj_id, the cast result reuses the same reference id as the source pointer. Since the cast may return NULL for a non-NULL input, the NULL case is explored as a separate verifier branch. This allows releasing any of the original or cast pointers to invalidate all others. Referenced dynptrs: When constructing a referenced dynptr, acquire a intermediate reference with parent_id linking to the parent referenced object. The dynptr and all clones share the same parent_id (pointing to the intermediate ref) but get unique ids for independent slice tracking. Releasing a referenced dynptr releases the parent reference, which in turn invalidates all clones and their derived slices. Owning to non-owning reference conversion: After converting owning to non-owning by clearing id (e.g., object(id=1) -> object(id=0)), the verifier releases the reference state via release_reference_nomark(). Note that the error message "reference has not been acquired before" in the helper and kfunc release paths is removed. This message was already unreachable. The verifier only calls release_reference() after confirming the reference is valid, so the condition could never trigger in practice. Fixes: 870c28588afa ("bpf: net_sched: Add basic bpf qdisc kfuncs") Signed-off-by: Amery Hung <ameryhung@gmail.com> Acked-by: Eduard Zingerman <eddyz87@gmail.com> Link: https://lore.kernel.org/r/20260529014936.2811085-6-ameryhung@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-01iommufd/selftest: Add boundary tests for veventq_depthNicolin Chen
Test veventq_depth to cover a memory exhaustion vulnerability. Keep veventq_depth=2 for the existing callers. Link: https://patch.msgid.link/r/acfa370fa4e89e4626f71954bad7ad2bd64cf63b.1779408671.git.nicolinc@nvidia.com Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Signed-off-by: Nicolin Chen <nicolinc@nvidia.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2026-06-01selftests/sched_ext: Fix dsq_move_to_local checkCheng-Yang Chou
scan_dsq_pool() checked == 0 against scx_bpf_dsq_move_to_local(), which returns true on success. This inverted success and failure, causing peek_dsq_dispatch() to double-dispatch on success and skip the real_dsq fallback on failure. Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com> Signed-off-by: Tejun Heo <tj@kernel.org>
2026-06-01Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/netPaolo Abeni
Conflicts: drivers/net/ethernet/microsoft/mana/mana_en.c: 17bfe0a8c014e ("net: mana: Add NULL guards in teardown path to prevent panic on attach failure") d07efe5a6e641 ("net: mana: Use per-queue allocation for tx_qp to reduce allocation size") Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-05-31bpf: reject overlarge global subprog argument sizesTaegu Ha
Global subprogram argument checking derives generic pointer sizes from BTF and passes the resolved size to check_mem_reg() as a u32. The access-size validation path then uses a signed int, and stack pointers negate the value before calling check_helper_mem_access(). This creates a wrap when BTF describes a pointee size larger than S32_MAX. For example, a global subprogram argument of type: int (*p)[0x3fffffff] has a BTF-resolved pointee size of 0xfffffffc bytes. At a call site the caller can pass a pointer to a 4-byte stack slot at fp-4. The current PTR_TO_STACK path computes: size = -(int)mem_size so 0xfffffffc becomes -4 as a signed int and the negation validates only a 4-byte stack range. That range is covered by the caller's stack slot, so the call is accepted. The callee is then verified independently with R1 as PTR_TO_MEM and mem_size 0xfffffffc. A small instruction such as: r0 = *(u32 *)(r1 + 4) is accepted as being inside that BTF-described memory region. At run time, however, the actual argument value is still fp-4, so r1 + 4 addresses fp+0, outside the 4-byte object that the caller provided. Reject sizes that cannot be represented by the verifier's signed access-size API before the stack-specific negation. Add a verifier regression test for the oversized BTF argument. Fixes: 2cb27158adb3 ("bpf: poison dead stack slots") Signed-off-by: Taegu Ha <hataegu0826@gmail.com> Acked-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/20260528062155.3988156-1-hataegu0826@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-31selftests/bpf: Use at least 10 args in stack argument testsPuranjay Mohan
On arm64, the first 8 arguments are passed in registers (x0-x7), so tests with 8 or fewer arguments never exercise the native stack argument path in the JIT. Increase argument counts to at least 10 across all BPF-to-BPF subprog and kfunc stack argument tests so that at least 2 arguments land on the arm64 stack. For the two-callees test, bump foo1 from 8 to 10 and foo2 from 10 to 12 args to preserve the different-stack-depth flavor of the test. The bpf_kfunc_call_stack_arg_mem kfunc is left unchanged at 7 args to avoid breaking the precision backtracking test which relies on hardcoded verifier log instruction indices. Suggested-by: Will Deacon <will@kernel.org> Signed-off-by: Puranjay Mohan <puranjay@kernel.org> Acked-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/20260528161750.1900674-3-puranjay@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-31libbpf: Skip endianness swap when loader generation failedDaniel Borkmann
bpf_gen__prog_load() byte-swaps the program insns and the {func,line}_info and CO-RE relo blobs in place for cross-endian targets. The blob offsets come from add_data(), which returns 0 on failure: realloc_data_buf() either frees and NULLs gen->data_start (realloc OOM) or returns early on an already-latched gen->error, leaving a stale, possibly too-small buffer. Neither bswap site checked for this. With gen->swapped_endian set and a failed generation, "gen->data_start + off" becomes NULL + 0. Guard the same way via !gen->error so they are skipped once generation has failed. Fixes: 8ca3323dce43 ("libbpf: Support creating light skeleton of either endianness") Reported-by: sashiko <sashiko@sashiko.dev> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20260529162829.315921-1-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-31libbpf: Also reset {insn,data}_cur on realloc failureDaniel Borkmann
realloc_insn_buf() as well as realloc_data_buf() free and NULL gen->insn_start / gen->data_start on -ENOMEM but leave gen->insn_cur / gen->data_cur pointing into the old, freed buffer. Just reset the cursors to NULL alongside the base pointers so the freed state is coherent. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20260529094119.307264-3-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-31libbpf: Skip hash computation when loader generation failedDaniel Borkmann
bpf_gen__finish() calls compute_sha_update_offsets() gated only on the gen_hash option, without first consulting gen->error. On a failed generation this is buggy: a failed realloc_data_buf() sets gen->data_start to NULL (leaving gen->data_cur dangling), so compute_sha_update_offsets() runs libbpf_sha256() over a NULL buffer with a bogus length; a failed realloc_insn_buf() likewise sets gen->insn_start to NULL and the hash immediates get patched through that NULL base. The computed program is discarded in either case, since the following "if (!gen->error)" block does not publish opts->insns once an error is set. Thus, skip the hash pass when generation has already failed. Fixes: ea923080c145 ("libbpf: Embed and verify the metadata hash in the loader") Reported-by: sashiko <sashiko@sashiko.dev> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20260529094119.307264-2-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-31libbpf: Drop redundant self-loop in emit_check_errDaniel Borkmann
When the cleanup-label jump offset does not fit in s16, emit_check_err() sets gen->error = -ERANGE and then emits a BPF_JMP_IMM(BPF_JA, 0, 0, -1) self-loop. The latter emit() is dead: gen->error is assigned on the preceding line, and emit() then bails out early in realloc_insn_buf() the moment gen->error is set, so the jump is never written into the instruction stream. gen->error alone already marks the generation as failed. This is a follow-up to 7dd62566e0d1 ("libbpf: fix off-by-one in emit_signature_match jump offset") which removed the jump in emit_signature_match() but not in other locations. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20260529094119.307264-1-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-06-01memblock tests: define MIGRATE_CMAPratyush Yadav (Google)
kho_scratch_migratetype(), defined in include/linux/memblock.h uses enum migratetype. This breaks build for memblock tests with: ./linux/memblock.h:634:73: error: parameter 2 (‘mt’) has incomplete type 634 | enum migratetype mt) Fix it by defining enum migratetype and MIGRATE_CMA. As is the case with the other headers in tools/testing/memblock, do not bring in the whole thing, only what is needed. Reported-by: Mike Rapoport <rppt@kernel.org> Closes: https://lore.kernel.org/linux-mm/afcdDm4aAJvNaQqH@kernel.org/ Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org> Link: https://patch.msgid.link/20260504102742.3833159-1-pratyush@kernel.org Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
2026-06-01selftests/liveupdate: add test cases for LIVEUPDATE_SESSION_GET_NAMELuca Boccassi
Verify that the new LIVEUPDATE_SESSION_GET_NAME ioctl works as expected via new test cases in the existing liveupdate selftest. Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com> Reviewed-by: Pasha Tatashin <pasha.tatashin@soleen.com> Reviewed-by: Pratyush Yadav <pratyush@kernel.org> Link: https://lore.kernel.org/r/20260429212221.814107-5-luca.boccassi@gmail.com Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com> Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
2026-06-01selftests/liveupdate: add test cases for LIVEUPDATE_IOCTL_CREATE_SESSION ↵Luca Boccassi
calls with invalid length Verify that LIVEUPDATE_IOCTL_CREATE_SESSION ioctl which provide a name that is an empty string or too long are not allowed. Cc: stable@vger.kernel.org Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com> Reviewed-by: Pasha Tatashin <pasha.tatashin@soleen.com> Reviewed-by: Pratyush Yadav <pratyush@kernel.org> Link: https://lore.kernel.org/r/20260429212221.814107-3-luca.boccassi@gmail.com Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com> Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
2026-06-01selftests: kho: test with deferred struct page initMichal Clapinski
Enable DEFERRED_STRUCT_PAGE_INIT which depends on SMP. Also enable additional debugging options. Signed-off-by: Michal Clapinski <mclapinski@google.com> Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org> Acked-by: Pasha Tatashin <pasha.tatashin@soleen.com> Reviewed-by: Pratyush Yadav (Google) <pratyush@kernel.org> Link: https://patch.msgid.link/20260423122538.140993-4-mclapinski@google.com Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
2026-05-31selftests/bpf: add verification for BPF_PROG_QUERY attr size boundariesYuyang Huang
Add a new selftest to verify that the BPF syscall (specifically BPF_PROG_QUERY) correctly handles different user-declared attribute sizes. Specifically, verify that: - For cgroup queries, a query with a size that covers 'prog_cnt' but is smaller than 'revision' (OLD_QUERY_SIZE) succeeds, but does not write to 'revision' (verifying backward compatibility). - A query with full size (FULL_QUERY_SIZE) succeeds and writes both 'prog_cnt' and 'revision'. Fixes: 120933984460 ("bpf: Implement mprog API on top of existing cgroup progs") Cc: Maciej Żenczykowski <maze@google.com> Cc: Lorenzo Colitti <lorenzo@google.com> Signed-off-by: Yuyang Huang <yuyanghuang@google.com> Link: https://lore.kernel.org/r/20260531075600.4058207-3-yuyanghuang@google.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-31iio: core: Add IIO_COVERAGE channel typeLiviu Stan
Add a new channel type for sensors that report fractional coverage as a percentage. The sysfs attribute is in_coverageY_raw; after applying in_coverageY_scale the value is in percent. The first user is the ADT7604 leak detector, where the value represents the portion of the sensing element that is wetted. Signed-off-by: Liviu Stan <liviu.stan@analog.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2026-05-30tracing/probes: Point the error offset correctly for eprobe argument errorMasami Hiramatsu (Google)
Fix to point the error offset correctly for eprobe argument error. In the cleanup commit 1b8b0cd754cd ("tracing/probes: Move event parameter fetching code to common parser"), due to incorrect backward compatibility aimed at conforming to the test specifications, the error location was set to 0 when a non-existent formal parameter was specified for Eprobe. However, this should be corrected in both the test and the implementation to point correct error position. Link: https://lore.kernel.org/all/177967567399.209006.1451571244515632097.stgit@devnote2/ Fixes: 1b8b0cd754cd ("tracing/probes: Move event parameter fetching code to common parser") Cc: stable@vger.kernel.org Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
2026-05-29perf annotate: Fix missing branch counter column in TUI modeThomas Falcon
'perf annotate' checks that evlist->nr_br_cntr has been incremented to determine whether to show branch counter information. However, this data is not populated until after the check when events are processed. Therefore, this counter will always be less than zero and the Branch Count column is never shown. Do this check after events have been processed and branch counter data is updated. Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com> Signed-off-by: Thomas Falcon <thomas.falcon@intel.com> Acked-by: Ian Rogers <irogers@google.com> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: James Clark <james.clark@linaro.org> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Namhyung Kim <namhyung@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-05-29perf script: Fix missing '+' indicator when branch counter reaches upper limitDapeng Mi
When displaying branch counter (br_cntr) information, a "+" suffix represents that event occurrences may have been lost due to branch counter saturation. However, this indicator was missing in perf script. Add it back. Before: # Branch counter abbr list: # cpu_core/event=0xc4,umask=0x20/ppp = A # cpu_core/instructions/ = B # cpu_core/MEM_INST_RETIRED.ALL_LOADS/ = C # cpu_core/MEM_LOAD_RETIRED.L2_MISS/ = D # '-' No event occurs # '+' Event occurrences may be lost due to branch counter saturated ... datasym+190: 00005567f9951676 jz 0x5567f995162dr_cntr: BBBC # PRED 1 cycles [1] ... After: ... datasym+190: 00005567f9951676 jz 0x5567f995162dr_cntr: BBB+C # PRED 1 cycles [1] ... Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com> Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com> Signed-off-by: Thomas Falcon <thomas.falcon@intel.com> Acked-by: Ian Rogers <irogers@google.com> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: James Clark <james.clark@linaro.org> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Namhyung Kim <namhyung@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-05-29perf arm-spe: Don't warn about the discard bit if it doesn't existJames Clark
Opening an SPE event shows a warning that doesn't concern the user: $ perf record -e arm_spe Unknown/empty format name: discard Perf only wants to know if the discard bit is set for configuring the event, not in response to anything the user has done. Fix it by adding another helper that returns if a config bit exists without warning. We should probably keep the warning in evsel__get_config_val() to avoid having every caller having to do it, and most format bits should never be missing. Add a test for the new helper. Rename the parent test function to be more generic rather than adding a new one as it requires a lot of boilerplate. Reviewed-by: Ian Rogers <irogers@google.com> Reviewed-by: Leo Yan <leo.yan@arm.com> Signed-off-by: James Clark <james.clark@linaro.org> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: Jiri Olsa <jolsa@kernel.org> Cc: John Garry <john.g.garry@oracle.com> Cc: Leo Yan <leo.yan@linux.dev> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Mike Leach <mike.leach@linaro.org> Cc: Namhyung Kim <namhyung@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Will Deacon <will@kernel.org> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-05-29perf util: Fix perf_exe() buffer write past endMiguel Martín Gil
perf_exe() passes len to readlink() and then unconditionally writes a trailing NUL at buf[n]. If readlink() returns len, the write lands one byte past the buffer. Read at most len - 1 bytes and keep the existing NUL termination. Also guard the fallback path for tiny buffers so copying "perf" cannot overflow. Reviewed-by: Ian Rogers <irogers@google.com> Signed-off-by: Miguel Martín Gil <miguel.martin.gil.uni@gmail.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: Namhyung Kim <namhyung@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-05-29perf jevents: Add IOMMU metrics for IntelChun-Tse Shao
Add IOMMU Translation Lookaside Buffer (TLB) and interrupt cache metrics to perf jevents for Intel platforms. This enhances I/O performance observability, allowing fleet-wide monitoring of IOMMU overhead. These metrics are supported on platforms that expose the required uncore IIO IOMMU events (such as Emerald Rapids and Granite Rapids). The Intel implementation dynamically detects event availability at generation time. It requires at least the TLB events to expose the metric group, while the interrupt cache events are optional. This allows platforms like Emerald Rapids, which lack IOMMU interrupt cache events, to still expose the IOMMU TLB metrics. The following metrics are added: - iotlb_total_hit: Total IOTLB hits (4K, 2M, 1G pages). - iotlb_total_miss: Total IOTLB misses. - iotlb_miss_rate: IOTLB miss rate. - iotlb_interrupt_cache_hit: Interrupt cache hits. - iotlb_interrupt_cache_miss: Interrupt cache misses (calculated as lookup - hit, clamped to zero). - iotlb_interrupt_cache_lookup: Interrupt cache lookups. - iotlb_interrupt_cache_miss_rate: Interrupt cache miss rate. Tested: # perf stat -M \ iotlb_total_hit,iotlb_total_miss,iotlb_miss_rate \ --per-socket --metric-only -a -j -- sleep 10 {"socket" : "S0", "counters" : 10, "hits iotlb_total_hit" : "3579249.0", "% iotlb_miss_rate" : "0.0", "misses iotlb_total_miss" : "3.0"} {"socket" : "S1", "counters" : 10, "hits iotlb_total_hit" : "0.0", "% iotlb_miss_rate" : "0.0", "misses iotlb_total_miss" : "0.0"} Reviewed-by: Ian Rogers <irogers@google.com> Signed-off-by: Chun-Tse Shao <ctshao@google.com> Assisted-by: Gemini:gemini-3.1-pro-preview Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> Cc: Dapeng Mi <dapeng1.mi@intel.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: James Clark <james.clark@linaro.org> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Namhyung Kim <namhyung@kernel.org> Cc: Perry Taylor <perry.taylor@intel.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Sandipan Das <sandipan.das@amd.com> Link: https://lore.kernel.org/r/20260528234455.434027-3-ctshao@google.com Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-05-29perf jevents: Add IOMMU metrics for AMDChun-Tse Shao
Add IOMMU Translation Lookaside Buffer (TLB) and interrupt cache metrics to perf jevents for AMD platforms. This enhances I/O performance observability, allowing fleet-wide monitoring of IOMMU overhead. These metrics are supported on Zen 2 and newer processors (Rome, Milan, Genoa, Turin) and are implemented using the standard `amd_iommu` PMU events. The implementation uses the existing `_zen_model` helper to ensure these are only generated for Zen 2+. Note that the pde events on AMD cover both 2M and 1G pages, so 1G pages are implicitly included in the total hits/misses metrics (sum of pte and pde events). The following metrics are added: - iotlb_total_hit: Total IOTLB hits (4K, 2M, 1G pages). - iotlb_total_miss: Total IOTLB misses. - iotlb_miss_rate: IOTLB miss rate. - iotlb_interrupt_cache_hit: Interrupt cache hits. - iotlb_interrupt_cache_miss: Interrupt cache misses. - iotlb_interrupt_cache_lookup: Interrupt cache lookups. - iotlb_interrupt_cache_miss_rate: Interrupt cache miss rate. Tested: # perf stat -M \ iotlb_total_hit,iotlb_total_miss,iotlb_miss_rate \ --per-socket --metric-only -a -j -- sleep 10 {"socket" : "S0", "counters" : 10, "hits iotlb_total_hit" : "3579249.0", "% iotlb_miss_rate" : "0.0", "misses iotlb_total_miss" : "3.0"} {"socket" : "S1", "counters" : 10, "hits iotlb_total_hit" : "0.0", "% iotlb_miss_rate" : "0.0", "misses iotlb_total_miss" : "0.0"} Reviewed-by: Ian Rogers <irogers@google.com> Reviewed-by: Sandipan Das <sandipan.das@amd.com> Signed-off-by: Chun-Tse Shao <ctshao@google.com> Assisted-by: Gemini:gemini-3.1-pro-preview Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> Cc: Dapeng Mi <dapeng1.mi@intel.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: James Clark <james.clark@linaro.org> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Namhyung Kim <namhyung@kernel.org> Cc: Perry Taylor <perry.taylor@intel.com> Cc: Peter Zijlstra <peterz@infradead.org> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2026-05-29perf vendor events intel: Update sierraforest events from 1.15 to 1.17Ian Rogers
The updated events and metrics were published in: https://github.com/intel/perfmon/commit/efa15280e0577982744642a77af18208aab3635b https://github.com/intel/perfmon/commit/5cdba6c2ccfde2ec13e0e701bc2a374849ce9a44 Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com> Signed-off-by: Ian Rogers <irogers@google.com> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> Cc: Andreas Färber <afaerber@suse.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: James Clark <james.clark@linaro.org> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Manivannan Sadhasivam <mani@kernel.org> Cc: Namhyung Kim <namhyung@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Falcon <thomas.falcon@intel.com> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>