--- /dev/null
+From cb79fa7118c150c3c76a327894bb2eb878c02619 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:16 +0200
+Subject: i40e: add max boundary check for VF filters
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit cb79fa7118c150c3c76a327894bb2eb878c02619 upstream.
+
+There is no check for max filters that VF can request. Add it.
+
+Fixes: e284fc280473 ("i40e: Add and delete cloud filter")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -3665,6 +3665,8 @@ err:
+ aq_ret);
+ }
+
++#define I40E_MAX_VF_CLOUD_FILTER 0xFF00
++
+ /**
+ * i40e_vc_add_cloud_filter
+ * @vf: pointer to the VF info
+@@ -3704,6 +3706,14 @@ static int i40e_vc_add_cloud_filter(stru
+ goto err_out;
+ }
+
++ if (vf->num_cloud_filters >= I40E_MAX_VF_CLOUD_FILTER) {
++ dev_warn(&pf->pdev->dev,
++ "VF %d: Max number of filters reached, can't apply cloud filter\n",
++ vf->vf_id);
++ aq_ret = -ENOSPC;
++ goto err_out;
++ }
++
+ cfilter = kzalloc(sizeof(*cfilter), GFP_KERNEL);
+ if (!cfilter)
+ return -ENOMEM;
--- /dev/null
+From aa68d3c3ac8d1dcec40d52ae27e39f6d32207009 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:12 +0200
+Subject: i40e: fix idx validation in i40e_validate_queue_map
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit aa68d3c3ac8d1dcec40d52ae27e39f6d32207009 upstream.
+
+Ensure idx is within range of active/initialized TCs when iterating over
+vf->ch[idx] in i40e_validate_queue_map().
+
+Fixes: c27eac48160d ("i40e: Enable ADq and create queue channel/s on VF")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Kamakshi Nellore <nellorex.kamakshi@intel.com> (A Contingent Worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -2376,8 +2376,10 @@ static int i40e_validate_queue_map(struc
+ u16 vsi_queue_id, queue_id;
+
+ for_each_set_bit(vsi_queue_id, &queuemap, I40E_MAX_VSI_QP) {
+- if (vf->adq_enabled) {
+- vsi_id = vf->ch[vsi_queue_id / I40E_MAX_VF_VSI].vsi_id;
++ u16 idx = vsi_queue_id / I40E_MAX_VF_VSI;
++
++ if (vf->adq_enabled && idx < vf->num_tc) {
++ vsi_id = vf->ch[idx].vsi_id;
+ queue_id = (vsi_queue_id % I40E_DEFAULT_QUEUES_PER_VF);
+ } else {
+ queue_id = vsi_queue_id;
--- /dev/null
+From 9739d5830497812b0bdeaee356ddefbe60830b88 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:14 +0200
+Subject: i40e: fix input validation logic for action_meta
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit 9739d5830497812b0bdeaee356ddefbe60830b88 upstream.
+
+Fix condition to check 'greater or equal' to prevent OOB dereference.
+
+Fixes: e284fc280473 ("i40e: Add and delete cloud filter")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -3367,7 +3367,7 @@ static int i40e_validate_cloud_filter(st
+
+ /* action_meta is TC number here to which the filter is applied */
+ if (!tc_filter->action_meta ||
+- tc_filter->action_meta > vf->num_tc) {
++ tc_filter->action_meta >= vf->num_tc) {
+ dev_info(&pf->pdev->dev, "VF %d: Invalid TC number %u\n",
+ vf->vf_id, tc_filter->action_meta);
+ goto err;
can-mcba_usb-populate-ndo_change_mtu-to-prevent-buff.patch
can-peak_usb-fix-shift-out-of-bounds-issue.patch
drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
+i40e-fix-idx-validation-in-i40e_validate_queue_map.patch
+i40e-fix-input-validation-logic-for-action_meta.patch
+i40e-add-max-boundary-check-for-vf-filters.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
