--- /dev/null
+From eac04428abe9f9cb203ffae4600791ea1d24eb18 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:17 +0200
+Subject: i40e: add mask to apply valid bits for itr_idx
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit eac04428abe9f9cb203ffae4600791ea1d24eb18 upstream.
+
+The ITR index (itr_idx) is only 2 bits wide. When constructing the
+register value for QINT_RQCTL, all fields are ORed together. Without
+masking, higher bits from itr_idx may overwrite adjacent fields in the
+register.
+
+Apply I40E_QINT_RQCTL_ITR_INDX_MASK to ensure only the intended bits are
+set.
+
+Fixes: 5c3c48ac6bf5 ("i40e: implement virtual device interface")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -446,7 +446,7 @@ static void i40e_config_irq_link_list(st
+ (qtype << I40E_QINT_RQCTL_NEXTQ_TYPE_SHIFT) |
+ (pf_queue_id << I40E_QINT_RQCTL_NEXTQ_INDX_SHIFT) |
+ BIT(I40E_QINT_RQCTL_CAUSE_ENA_SHIFT) |
+- (itr_idx << I40E_QINT_RQCTL_ITR_INDX_SHIFT);
++ FIELD_PREP(I40E_QINT_RQCTL_ITR_INDX_MASK, itr_idx);
+ wr32(hw, reg_idx, reg);
+ }
+
--- /dev/null
+From cb79fa7118c150c3c76a327894bb2eb878c02619 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:16 +0200
+Subject: i40e: add max boundary check for VF filters
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit cb79fa7118c150c3c76a327894bb2eb878c02619 upstream.
+
+There is no check for max filters that VF can request. Add it.
+
+Fixes: e284fc280473 ("i40e: Add and delete cloud filter")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -3770,6 +3770,8 @@ err:
+ aq_ret);
+ }
+
++#define I40E_MAX_VF_CLOUD_FILTER 0xFF00
++
+ /**
+ * i40e_vc_add_cloud_filter
+ * @vf: pointer to the VF info
+@@ -3809,6 +3811,14 @@ static int i40e_vc_add_cloud_filter(stru
+ goto err_out;
+ }
+
++ if (vf->num_cloud_filters >= I40E_MAX_VF_CLOUD_FILTER) {
++ dev_warn(&pf->pdev->dev,
++ "VF %d: Max number of filters reached, can't apply cloud filter\n",
++ vf->vf_id);
++ aq_ret = -ENOSPC;
++ goto err_out;
++ }
++
+ cfilter = kzalloc(sizeof(*cfilter), GFP_KERNEL);
+ if (!cfilter)
+ return -ENOMEM;
--- /dev/null
+From aa68d3c3ac8d1dcec40d52ae27e39f6d32207009 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:12 +0200
+Subject: i40e: fix idx validation in i40e_validate_queue_map
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit aa68d3c3ac8d1dcec40d52ae27e39f6d32207009 upstream.
+
+Ensure idx is within range of active/initialized TCs when iterating over
+vf->ch[idx] in i40e_validate_queue_map().
+
+Fixes: c27eac48160d ("i40e: Enable ADq and create queue channel/s on VF")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Kamakshi Nellore <nellorex.kamakshi@intel.com> (A Contingent Worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -2457,8 +2457,10 @@ static int i40e_validate_queue_map(struc
+ u16 vsi_queue_id, queue_id;
+
+ for_each_set_bit(vsi_queue_id, &queuemap, I40E_MAX_VSI_QP) {
+- if (vf->adq_enabled) {
+- vsi_id = vf->ch[vsi_queue_id / I40E_MAX_VF_VSI].vsi_id;
++ u16 idx = vsi_queue_id / I40E_MAX_VF_VSI;
++
++ if (vf->adq_enabled && idx < vf->num_tc) {
++ vsi_id = vf->ch[idx].vsi_id;
+ queue_id = (vsi_queue_id % I40E_DEFAULT_QUEUES_PER_VF);
+ } else {
+ queue_id = vsi_queue_id;
--- /dev/null
+From 9739d5830497812b0bdeaee356ddefbe60830b88 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:14 +0200
+Subject: i40e: fix input validation logic for action_meta
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit 9739d5830497812b0bdeaee356ddefbe60830b88 upstream.
+
+Fix condition to check 'greater or equal' to prevent OOB dereference.
+
+Fixes: e284fc280473 ("i40e: Add and delete cloud filter")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -3472,7 +3472,7 @@ static int i40e_validate_cloud_filter(st
+
+ /* action_meta is TC number here to which the filter is applied */
+ if (!tc_filter->action_meta ||
+- tc_filter->action_meta > vf->num_tc) {
++ tc_filter->action_meta >= vf->num_tc) {
+ dev_info(&pf->pdev->dev, "VF %d: Invalid TC number %u\n",
+ vf->vf_id, tc_filter->action_meta);
+ goto err;
drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
crypto-af_alg-disallow-concurrent-writes-in-af_alg_s.patch
crypto-af_alg-fix-incorrect-boolean-values-in-af_alg.patch
+i40e-fix-idx-validation-in-i40e_validate_queue_map.patch
+i40e-fix-input-validation-logic-for-action_meta.patch
+i40e-add-max-boundary-check-for-vf-filters.patch
+i40e-add-mask-to-apply-valid-bits-for-itr_idx.patch
+tracing-dynevent-add-a-missing-lockdown-check-on-dynevent.patch
--- /dev/null
+From 456c32e3c4316654f95f9d49c12cbecfb77d5660 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Fri, 19 Sep 2025 10:15:56 +0900
+Subject: tracing: dynevent: Add a missing lockdown check on dynevent
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit 456c32e3c4316654f95f9d49c12cbecfb77d5660 upstream.
+
+Since dynamic_events interface on tracefs is compatible with
+kprobe_events and uprobe_events, it should also check the lockdown
+status and reject if it is set.
+
+Link: https://lore.kernel.org/all/175824455687.45175.3734166065458520748.stgit@devnote2/
+
+Fixes: 17911ff38aa5 ("tracing: Add locked_down checks to the open calls of files created for tracefs")
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_dynevent.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/trace/trace_dynevent.c
++++ b/kernel/trace/trace_dynevent.c
+@@ -239,6 +239,10 @@ static int dyn_event_open(struct inode *
+ {
+ int ret;
+
++ ret = security_locked_down(LOCKDOWN_TRACEFS);
++ if (ret)
++ return ret;
++
+ ret = tracing_check_open_get_tr(NULL);
+ if (ret)
+ return ret;
projects / thirdparty / kernel / stable-queue.git / commitdiff
