5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 30 Jan 2025 09:49:37 +0000 (10:49 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 30 Jan 2025 09:49:37 +0000 (10:49 +0100)
added patches:
bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch
bluetooth-sco-fix-not-validating-setsockopt-user-input.patch
fs-ntfs3-additional-check-in-ntfs_file_release.patch
ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch
net-sched-fix-ets-qdisc-oob-indexing.patch
platform-chrome-cros_ec_typec-check-for-ec-driver.patch
scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch
vfio-platform-check-the-bounds-of-read-write-syscalls.patch
wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch

queue-5.15/bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch [new file with mode: 0644]
queue-5.15/bluetooth-sco-fix-not-validating-setsockopt-user-input.patch [new file with mode: 0644]
queue-5.15/fs-ntfs3-additional-check-in-ntfs_file_release.patch [new file with mode: 0644]
queue-5.15/ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch [new file with mode: 0644]
queue-5.15/net-sched-fix-ets-qdisc-oob-indexing.patch [new file with mode: 0644]
queue-5.15/platform-chrome-cros_ec_typec-check-for-ec-driver.patch [new file with mode: 0644]
queue-5.15/scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/vfio-platform-check-the-bounds-of-read-write-syscalls.patch [new file with mode: 0644]
queue-5.15/wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch [new file with mode: 0644]

diff --git a/queue-5.15/bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch b/queue-5.15/bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch
new file mode 100644 (file)
index 0000000..ea56674
--- /dev/null
@@ -0,0 +1,80 @@
+From a97de7bff13b1cc825c1b1344eaed8d6c2d3e695 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Fri, 5 Apr 2024 15:43:45 -0400
+Subject: Bluetooth: RFCOMM: Fix not validating setsockopt user input
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit a97de7bff13b1cc825c1b1344eaed8d6c2d3e695 upstream.
+
+syzbot reported rfcomm_sock_setsockopt_old() is copying data without
+checking user input length.
+
+BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset
+include/linux/sockptr.h:49 [inline]
+BUG: KASAN: slab-out-of-bounds in copy_from_sockptr
+include/linux/sockptr.h:55 [inline]
+BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old
+net/bluetooth/rfcomm/sock.c:632 [inline]
+BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70
+net/bluetooth/rfcomm/sock.c:673
+Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064
+
+Fixes: 9f2c8a03fbb3 ("Bluetooth: Replace RFCOMM link mode with security level")
+Fixes: bb23c0ab8246 ("Bluetooth: Add support for deferring RFCOMM connection setup")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/rfcomm/sock.c |   14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -636,7 +636,7 @@ static int rfcomm_sock_setsockopt_old(st
+       switch (optname) {
+       case RFCOMM_LM:
+-              if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
++              if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) {
+                       err = -EFAULT;
+                       break;
+               }
+@@ -671,7 +671,6 @@ static int rfcomm_sock_setsockopt(struct
+       struct sock *sk = sock->sk;
+       struct bt_security sec;
+       int err = 0;
+-      size_t len;
+       u32 opt;
+       BT_DBG("sk %p", sk);
+@@ -693,11 +692,9 @@ static int rfcomm_sock_setsockopt(struct
+               sec.level = BT_SECURITY_LOW;
+-              len = min_t(unsigned int, sizeof(sec), optlen);
+-              if (copy_from_sockptr(&sec, optval, len)) {
+-                      err = -EFAULT;
++              err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen);
++              if (err)
+                       break;
+-              }
+               if (sec.level > BT_SECURITY_HIGH) {
+                       err = -EINVAL;
+@@ -713,10 +710,9 @@ static int rfcomm_sock_setsockopt(struct
+                       break;
+               }
+-              if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
+-                      err = -EFAULT;
++              err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
++              if (err)
+                       break;
+-              }
+               if (opt)
+                       set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
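Review bot: In the RFCOMM_LM case of rfcomm_sock_setsockopt_old (first inner hunk, `if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen))`), every non-zero return is collapsed into `err = -EFAULT`, so a too-short optlen, which the helper reports as -EINVAL, reaches userspace as EFAULT. The other two call sites in this patch propagate the helper's own value with `err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);` `if (err)` `break;`, and using that shape here too keeps the error codes consistent and lets a caller tell a bad length from an unreadable pointer. bt_copy_from_sockptr is introduced by the SCO patch in this same commit, so this patch only builds once that one is applied; the order written into queue-5.15/series does list sco before rfcomm, which is correct. Both setsockopt functions begin and end outside the inner hunks.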
diff --git a/queue-5.15/bluetooth-sco-fix-not-validating-setsockopt-user-input.patch b/queue-5.15/bluetooth-sco-fix-not-validating-setsockopt-user-input.patch
new file mode 100644 (file)
index 0000000..a0c2a9e
--- /dev/null
@@ -0,0 +1,105 @@
+From 51eda36d33e43201e7a4fd35232e069b2c850b01 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Fri, 5 Apr 2024 15:41:52 -0400
+Subject: Bluetooth: SCO: Fix not validating setsockopt user input
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit 51eda36d33e43201e7a4fd35232e069b2c850b01 upstream.
+
+syzbot reported sco_sock_setsockopt() is copying data without
+checking user input length.
+
+BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset
+include/linux/sockptr.h:49 [inline]
+BUG: KASAN: slab-out-of-bounds in copy_from_sockptr
+include/linux/sockptr.h:55 [inline]
+BUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90
+net/bluetooth/sco.c:893
+Read of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578
+
+Fixes: ad10b1a48754 ("Bluetooth: Add Bluetooth socket voice option")
+Fixes: b96e9c671b05 ("Bluetooth: Add BT_DEFER_SETUP option to sco socket")
+Fixes: 00398e1d5183 ("Bluetooth: Add support for BT_PKT_STATUS CMSG data for SCO connections")
+Fixes: f6873401a608 ("Bluetooth: Allow setting of codec for HFP offload use case")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/bluetooth/bluetooth.h |    9 +++++++++
+ net/bluetooth/sco.c               |   19 ++++++++-----------
+ 2 files changed, 17 insertions(+), 11 deletions(-)
+
+--- a/include/net/bluetooth/bluetooth.h
++++ b/include/net/bluetooth/bluetooth.h
+@@ -487,6 +487,15 @@ static inline struct sk_buff *bt_skb_sen
+       return skb;
+ }
++static inline int bt_copy_from_sockptr(void *dst, size_t dst_size,
++                                     sockptr_t src, size_t src_size)
++{
++      if (dst_size > src_size)
++              return -EINVAL;
++
++      return copy_from_sockptr(dst, src, dst_size);
++}
++
+ int bt_to_errno(u16 code);
+ void hci_sock_set_flag(struct sock *sk, int nr);
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -829,7 +829,7 @@ static int sco_sock_setsockopt(struct so
+                              sockptr_t optval, unsigned int optlen)
+ {
+       struct sock *sk = sock->sk;
+-      int len, err = 0;
++      int err = 0;
+       struct bt_voice voice;
+       u32 opt;
+@@ -845,10 +845,9 @@ static int sco_sock_setsockopt(struct so
+                       break;
+               }
+-              if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
+-                      err = -EFAULT;
++              err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
++              if (err)
+                       break;
+-              }
+               if (opt)
+                       set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
+@@ -865,11 +864,10 @@ static int sco_sock_setsockopt(struct so
+               voice.setting = sco_pi(sk)->setting;
+-              len = min_t(unsigned int, sizeof(voice), optlen);
+-              if (copy_from_sockptr(&voice, optval, len)) {
+-                      err = -EFAULT;
++              err = bt_copy_from_sockptr(&voice, sizeof(voice), optval,
++                                         optlen);
++              if (err)
+                       break;
+-              }
+               /* Explicitly check for these values */
+               if (voice.setting != BT_VOICE_TRANSPARENT &&
+@@ -882,10 +880,9 @@ static int sco_sock_setsockopt(struct so
+               break;
+       case BT_PKT_STATUS:
+-              if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
+-                      err = -EFAULT;
++              err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
++              if (err)
+                       break;
+-              }
+               if (opt)
+                       sco_pi(sk)->cmsg_mask |= SCO_CMSG_PKT_STATUS;
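Review bot: The new bt_copy_from_sockptr() helper in bluetooth.h carries no comment describing its contract, and its two asymmetric cases are exactly what the next caller needs to know: a src_size smaller than dst_size is rejected with -EINVAL, while a larger src_size is accepted and only dst_size bytes are read. A short kernel-doc above it would record that, e.g. `/* Copy a fixed-size setsockopt value from @src: -EINVAL if @src_size is smaller than @dst_size, otherwise the result of copy_from_sockptr() (0 or -EFAULT); extra bytes in @src are ignored. */`. Because the copy_from_sockptr() result is passed through unchanged, the `err = bt_copy_from_sockptr(...); if (err) break;` pattern in sco_sock_setsockopt surfaces -EFAULT and -EINVAL distinctly, which is the behaviour the comment should pin down. sco_sock_setsockopt continues outside the inner hunks.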
diff --git a/queue-5.15/fs-ntfs3-additional-check-in-ntfs_file_release.patch b/queue-5.15/fs-ntfs3-additional-check-in-ntfs_file_release.patch
new file mode 100644 (file)
index 0000000..c9e7ab8
--- /dev/null
@@ -0,0 +1,40 @@
+From 031d6f608290c847ba6378322d0986d08d1a645a Mon Sep 17 00:00:00 2001
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Date: Wed, 4 Sep 2024 12:57:31 +0300
+Subject: fs/ntfs3: Additional check in ntfs_file_release
+
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+
+commit 031d6f608290c847ba6378322d0986d08d1a645a upstream.
+
+Reported-by: syzbot+8c652f14a0fde76ff11d@syzkaller.appspotmail.com
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Suraj Jitindar Singh <surajjs@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ntfs3/file.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/fs/ntfs3/file.c
++++ b/fs/ntfs3/file.c
+@@ -1192,8 +1192,16 @@ static int ntfs_file_release(struct inod
+       int err = 0;
+       /* If we are last writer on the inode, drop the block reservation. */
+-      if (sbi->options->prealloc && ((file->f_mode & FMODE_WRITE) &&
+-                                    atomic_read(&inode->i_writecount) == 1)) {
++      if (sbi->options->prealloc &&
++          ((file->f_mode & FMODE_WRITE) &&
++           atomic_read(&inode->i_writecount) == 1)
++         /*
++          * The only file when inode->i_fop = &ntfs_file_operations and
++          * init_rwsem(&ni->file.run_lock) is not called explicitly is MFT.
++          *
++          * Add additional check here.
++          */
++          && inode->i_ino != MFT_REC_MFT) {
+               ni_lock(ni);
+               down_write(&ni->file.run_lock);
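Review bot: The explanatory comment in ntfs_file_release is placed between the `&&` operands of the `if` condition, which splits one boolean expression around a comment block and makes the added `inode->i_ino != MFT_REC_MFT` term easy to overlook when reading the condition. A point of style only: moving the comment above the `if`, e.g. `/* The MFT inode uses ntfs_file_operations but never initialises ni->file.run_lock; skip the reservation drop for it. */`, and keeping the condition unbroken reads more naturally and matches the surrounding code. The rationale (run_lock is not initialised for the MFT) comes from the patch's own comment and cannot be confirmed from this hunk; ntfs_file_release starts and ends outside it.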
diff --git a/queue-5.15/ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch b/queue-5.15/ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch
new file mode 100644 (file)
index 0000000..293891e
--- /dev/null
@@ -0,0 +1,74 @@
+From 90e0569dd3d32f4f4d2ca691d3fa5a8a14a13c12 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Wed, 23 Oct 2024 15:30:09 +0300
+Subject: ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find()
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit 90e0569dd3d32f4f4d2ca691d3fa5a8a14a13c12 upstream.
+
+The per-netns IP tunnel hash table is protected by the RTNL mutex and
+ip_tunnel_find() is only called from the control path where the mutex is
+taken.
+
+Add a lockdep expression to hlist_for_each_entry_rcu() in
+ip_tunnel_find() in order to validate that the mutex is held and to
+silence the suspicious RCU usage warning [1].
+
+[1]
+WARNING: suspicious RCU usage
+6.12.0-rc3-custom-gd95d9a31aceb #139 Not tainted
+-----------------------------
+net/ipv4/ip_tunnel.c:221 RCU-list traversed in non-reader section!!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+1 lock held by ip/362:
+ #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60
+
+stack backtrace:
+CPU: 12 UID: 0 PID: 362 Comm: ip Not tainted 6.12.0-rc3-custom-gd95d9a31aceb #139
+Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0xba/0x110
+ lockdep_rcu_suspicious.cold+0x4f/0xd6
+ ip_tunnel_find+0x435/0x4d0
+ ip_tunnel_newlink+0x517/0x7a0
+ ipgre_newlink+0x14c/0x170
+ __rtnl_newlink+0x1173/0x19c0
+ rtnl_newlink+0x6c/0xa0
+ rtnetlink_rcv_msg+0x3cc/0xf60
+ netlink_rcv_skb+0x171/0x450
+ netlink_unicast+0x539/0x7f0
+ netlink_sendmsg+0x8c1/0xd80
+ ____sys_sendmsg+0x8f9/0xc20
+ ___sys_sendmsg+0x197/0x1e0
+ __sys_sendmsg+0x122/0x1f0
+ do_syscall_64+0xbb/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20241023123009.749764-1-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Alva Lan <alvalan9@foxmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_tunnel.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -218,7 +218,7 @@ static struct ip_tunnel *ip_tunnel_find(
+       struct ip_tunnel *t = NULL;
+       struct hlist_head *head = ip_bucket(itn, parms);
+-      hlist_for_each_entry_rcu(t, head, hash_node) {
++      hlist_for_each_entry_rcu(t, head, hash_node, lockdep_rtnl_is_held()) {
+               if (local == t->parms.iph.saddr &&
+                   remote == t->parms.iph.daddr &&
+                   link == t->parms.link &&
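Review bot: ip_tunnel_find now expresses its locking requirement only through the `lockdep_rtnl_is_held()` argument to hlist_for_each_entry_rcu(), which is evaluated only in lockdep/PROVE_RCU builds, so a future caller that runs outside RTNL would find nothing in the function's documentation telling it otherwise. A one-line comment above the function, `/* Must be called with RTNL held: the per-netns tunnel hash is only modified under it. */`, would state the contract the commit message describes. The function's signature and the rest of its body are outside the hunk.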
diff --git a/queue-5.15/net-sched-fix-ets-qdisc-oob-indexing.patch b/queue-5.15/net-sched-fix-ets-qdisc-oob-indexing.patch
new file mode 100644 (file)
index 0000000..33b543d
--- /dev/null
@@ -0,0 +1,91 @@
+From d62b04fca4340a0d468d7853bd66e511935a18cb Mon Sep 17 00:00:00 2001
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+Date: Sat, 11 Jan 2025 09:57:39 -0500
+Subject: net: sched: fix ets qdisc OOB Indexing
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+commit d62b04fca4340a0d468d7853bd66e511935a18cb upstream.
+
+Haowei Yan <g1042620637@gmail.com> found that ets_class_from_arg() can
+index an Out-Of-Bound class in ets_class_from_arg() when passed clid of
+0. The overflow may cause local privilege escalation.
+
+ [   18.852298] ------------[ cut here ]------------
+ [   18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20
+ [   18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]'
+ [   18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17
+ [   18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+ [   18.856532] Call Trace:
+ [   18.857441]  <TASK>
+ [   18.858227]  dump_stack_lvl+0xc2/0xf0
+ [   18.859607]  dump_stack+0x10/0x20
+ [   18.860908]  __ubsan_handle_out_of_bounds+0xa7/0xf0
+ [   18.864022]  ets_class_change+0x3d6/0x3f0
+ [   18.864322]  tc_ctl_tclass+0x251/0x910
+ [   18.864587]  ? lock_acquire+0x5e/0x140
+ [   18.865113]  ? __mutex_lock+0x9c/0xe70
+ [   18.866009]  ? __mutex_lock+0xa34/0xe70
+ [   18.866401]  rtnetlink_rcv_msg+0x170/0x6f0
+ [   18.866806]  ? __lock_acquire+0x578/0xc10
+ [   18.867184]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
+ [   18.867503]  netlink_rcv_skb+0x59/0x110
+ [   18.867776]  rtnetlink_rcv+0x15/0x30
+ [   18.868159]  netlink_unicast+0x1c3/0x2b0
+ [   18.868440]  netlink_sendmsg+0x239/0x4b0
+ [   18.868721]  ____sys_sendmsg+0x3e2/0x410
+ [   18.869012]  ___sys_sendmsg+0x88/0xe0
+ [   18.869276]  ? rseq_ip_fixup+0x198/0x260
+ [   18.869563]  ? rseq_update_cpu_node_id+0x10a/0x190
+ [   18.869900]  ? trace_hardirqs_off+0x5a/0xd0
+ [   18.870196]  ? syscall_exit_to_user_mode+0xcc/0x220
+ [   18.870547]  ? do_syscall_64+0x93/0x150
+ [   18.870821]  ? __memcg_slab_free_hook+0x69/0x290
+ [   18.871157]  __sys_sendmsg+0x69/0xd0
+ [   18.871416]  __x64_sys_sendmsg+0x1d/0x30
+ [   18.871699]  x64_sys_call+0x9e2/0x2670
+ [   18.871979]  do_syscall_64+0x87/0x150
+ [   18.873280]  ? do_syscall_64+0x93/0x150
+ [   18.874742]  ? lock_release+0x7b/0x160
+ [   18.876157]  ? do_user_addr_fault+0x5ce/0x8f0
+ [   18.877833]  ? irqentry_exit_to_user_mode+0xc2/0x210
+ [   18.879608]  ? irqentry_exit+0x77/0xb0
+ [   18.879808]  ? clear_bhb_loop+0x15/0x70
+ [   18.880023]  ? clear_bhb_loop+0x15/0x70
+ [   18.880223]  ? clear_bhb_loop+0x15/0x70
+ [   18.880426]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ [   18.880683] RIP: 0033:0x44a957
+ [   18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10
+ [   18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ [   18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957
+ [   18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003
+ [   18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0
+ [   18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001
+ [   18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001
+ [   18.888395]  </TASK>
+ [   18.888610] ---[ end trace ]---
+
+Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc")
+Reported-by: Haowei Yan <g1042620637@gmail.com>
+Suggested-by: Haowei Yan <g1042620637@gmail.com>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Link: https://patch.msgid.link/20250111145740.74755-1-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_ets.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/sched/sch_ets.c
++++ b/net/sched/sch_ets.c
+@@ -91,6 +91,8 @@ ets_class_from_arg(struct Qdisc *sch, un
+ {
+       struct ets_sched *q = qdisc_priv(sch);
++      if (arg == 0 || arg > q->nbands)
++              return NULL;
+       return &q->classes[arg - 1];
+ }
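Review bot: ets_class_from_arg can now return NULL, so every caller must check the result before dereferencing it; the hunk shows none of the callers, and only ets_class_change is named on this page (in the trace), so the remaining callers should be confirmed to tolerate NULL rather than assume the fix is self-contained. A short comment on the guard would make the intent durable: `/* arg is a 1-based band index from the class lookup; 0 means "no class" and must not wrap to classes[-1]. */`. The upper bound `arg > q->nbands` relies on nbands never exceeding the classes array (shown as 16 entries in the UBSAN report), which is enforced elsewhere and not visible here.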
diff --git a/queue-5.15/platform-chrome-cros_ec_typec-check-for-ec-driver.patch b/queue-5.15/platform-chrome-cros_ec_typec-check-for-ec-driver.patch
new file mode 100644 (file)
index 0000000..e376c62
--- /dev/null
@@ -0,0 +1,34 @@
+From 7464ff8bf2d762251b9537863db0e1caf9b0e402 Mon Sep 17 00:00:00 2001
+From: Akihiko Odaki <akihiko.odaki@gmail.com>
+Date: Mon, 4 Apr 2022 13:11:01 +0900
+Subject: platform/chrome: cros_ec_typec: Check for EC driver
+
+From: Akihiko Odaki <akihiko.odaki@gmail.com>
+
+commit 7464ff8bf2d762251b9537863db0e1caf9b0e402 upstream.
+
+The EC driver may not be initialized when cros_typec_probe is called,
+particulary when CONFIG_CROS_EC_CHARDEV=m.
+
+Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Link: https://lore.kernel.org/r/20220404041101.6276-1-akihiko.odaki@gmail.com
+Signed-off-by: Prashant Malani <pmalani@chromium.org>
+Signed-off-by: Laura Nao <laura.nao@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/chrome/cros_ec_typec.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/platform/chrome/cros_ec_typec.c
++++ b/drivers/platform/chrome/cros_ec_typec.c
+@@ -1123,6 +1123,9 @@ static int cros_typec_probe(struct platf
+       }
+       ec_dev = dev_get_drvdata(&typec->ec->ec->dev);
++      if (!ec_dev)
++              return -EPROBE_DEFER;
++
+       typec->typec_cmd_supported = !!cros_ec_check_features(ec_dev, EC_FEATURE_TYPEC_CMD);
+       typec->needs_mux_ack = !!cros_ec_check_features(ec_dev,
+                                                       EC_FEATURE_TYPEC_MUX_REQUIRE_AP_ACK);
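Review bot: The new `return -EPROBE_DEFER` in cros_typec_probe runs after whatever the preceding statements (closed by the `}` at the top of the hunk) acquired, so anything there that is not devm-managed would leak on every deferred attempt; cros_typec_probe starts outside the hunk, so this needs confirming against the earlier part of the function. A comment on the check would also help a reader who sees a drvdata lookup fail unexpectedly: `/* The EC chardev driver may not be bound yet (e.g. CONFIG_CROS_EC_CHARDEV=m); ask for a retry. */`.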
diff --git a/queue-5.15/scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch b/queue-5.15/scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch
new file mode 100644 (file)
index 0000000..e3e6c99
--- /dev/null
@@ -0,0 +1,48 @@
+From d2138eab8cde61e0e6f62d0713e45202e8457d6d Mon Sep 17 00:00:00 2001
+From: Easwar Hariharan <eahariha@linux.microsoft.com>
+Date: Tue, 7 Jan 2025 17:28:40 +0000
+Subject: scsi: storvsc: Ratelimit warning logs to prevent VM denial of service
+
+From: Easwar Hariharan <eahariha@linux.microsoft.com>
+
+commit d2138eab8cde61e0e6f62d0713e45202e8457d6d upstream.
+
+If there's a persistent error in the hypervisor, the SCSI warning for
+failed I/O can flood the kernel log and max out CPU utilization,
+preventing troubleshooting from the VM side. Ratelimit the warning so
+it doesn't DoS the VM.
+
+Closes: https://github.com/microsoft/WSL/issues/9173
+Signed-off-by: Easwar Hariharan <eahariha@linux.microsoft.com>
+Link: https://lore.kernel.org/r/20250107-eahariha-ratelimit-storvsc-v1-1-7fc193d1f2b0@linux.microsoft.com
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/storvsc_drv.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -189,6 +189,12 @@ struct vmscsi_win8_extension {
+       u32 queue_sort_ey;
+ } __packed;
++#define storvsc_log_ratelimited(dev, level, fmt, ...)                         \
++do {                                                                          \
++      if (do_logging(level))                                                  \
++              dev_warn_ratelimited(&(dev)->device, fmt, ##__VA_ARGS__);       \
++} while (0)
++
+ struct vmscsi_request {
+       u16 length;
+       u8 srb_status;
+@@ -1231,7 +1237,7 @@ static void storvsc_on_io_completion(str
+               int loglevel = (stor_pkt->vm_srb.cdb[0] == TEST_UNIT_READY) ?
+                       STORVSC_LOGGING_WARN : STORVSC_LOGGING_ERROR;
+-              storvsc_log(device, loglevel,
++              storvsc_log_ratelimited(device, loglevel,
+                       "tag#%d cmd 0x%x status: scsi 0x%x srb 0x%x hv 0x%x\n",
+                       scsi_cmd_to_rq(request->cmd)->tag,
+                       stor_pkt->vm_srb.cdb[0],
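Review bot: The new storvsc_log_ratelimited macro expands dev_warn_ratelimited() at its single call site in storvsc_on_io_completion, and the dev_*_ratelimited family keeps one static ratelimit state per expansion site, so the limit is shared by every storvsc device in the VM rather than being per device; a persistently failing device will also suppress the first messages from healthy ones. That is acceptable for the flood-prevention goal in the description but should be recorded above the macro, e.g. `/* Like storvsc_log(), but rate-limited (state is per call site, not per device); use on paths the hypervisor can drive at high frequency. */`. storvsc_on_io_completion begins and ends outside the hunk.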
index 15fcf1f5c3c4a3d9fbea2aca59eecbba678300d2..11bcdff58997f16d7626aa1e8f642ddd59f872fa 100644 (file)
@@ -7,3 +7,12 @@ asoc-samsung-add-missing-depends-on-i2c.patch
 regmap-detach-regmap-from-dev-on-regmap_exit.patch
 mptcp-don-t-always-assume-copied-data-in-mptcp_cleanup_rbuf.patch
 gfs2-truncate-address-space-when-flipping-gfs2_dif_jdata-flag.patch
+net-sched-fix-ets-qdisc-oob-indexing.patch
+vfio-platform-check-the-bounds-of-read-write-syscalls.patch
+bluetooth-sco-fix-not-validating-setsockopt-user-input.patch
+bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch
+fs-ntfs3-additional-check-in-ntfs_file_release.patch
+platform-chrome-cros_ec_typec-check-for-ec-driver.patch
+ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch
+scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch
+wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch
diff --git a/queue-5.15/vfio-platform-check-the-bounds-of-read-write-syscalls.patch b/queue-5.15/vfio-platform-check-the-bounds-of-read-write-syscalls.patch
new file mode 100644 (file)
index 0000000..3b213ac
--- /dev/null
@@ -0,0 +1,54 @@
+From ce9ff21ea89d191e477a02ad7eabf4f996b80a69 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Wed, 22 Jan 2025 10:38:30 -0700
+Subject: vfio/platform: check the bounds of read/write syscalls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit ce9ff21ea89d191e477a02ad7eabf4f996b80a69 upstream.
+
+count and offset are passed from user space and not checked, only
+offset is capped to 40 bits, which can be used to read/write out of
+bounds of the device.
+
+Fixes: 6e3f26456009 (“vfio/platform: read and write support for the device fd”)
+Cc: stable@vger.kernel.org
+Reported-by: Mostafa Saleh <smostafa@google.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Mostafa Saleh <smostafa@google.com>
+Tested-by: Mostafa Saleh <smostafa@google.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vfio/platform/vfio_platform_common.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/vfio/platform/vfio_platform_common.c
++++ b/drivers/vfio/platform/vfio_platform_common.c
+@@ -388,6 +388,11 @@ static ssize_t vfio_platform_read_mmio(s
+ {
+       unsigned int done = 0;
++      if (off >= reg->size)
++              return -EINVAL;
++
++      count = min_t(size_t, count, reg->size - off);
++
+       if (!reg->ioaddr) {
+               reg->ioaddr =
+                       ioremap(reg->addr, reg->size);
+@@ -466,6 +471,11 @@ static ssize_t vfio_platform_write_mmio(
+ {
+       unsigned int done = 0;
++      if (off >= reg->size)
++              return -EINVAL;
++
++      count = min_t(size_t, count, reg->size - off);
++
+       if (!reg->ioaddr) {
+               reg->ioaddr =
+                       ioremap(reg->addr, reg->size);
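Review bot: The bounds guard added to vfio_platform_read_mmio and vfio_platform_write_mmio is duplicated verbatim in both hunks; a small shared helper would keep the two paths from drifting, though for a stable backport the duplication is defensible. The type of `off` is not visible here; if it is a signed loff_t, as the upstream prototype suggests (to be confirmed), `off >= reg->size` is evaluated in the unsigned domain when reg->size is 64-bit, which still rejects negative offsets, but the reliance on the caller's 40-bit cap mentioned in the description deserves a comment such as `/* The caller caps off to 40 bits; reject offsets at or beyond the region and clamp count to what remains. */`. Both function bodies continue beyond the hunk.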
diff --git a/queue-5.15/wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch b/queue-5.15/wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch
new file mode 100644 (file)
index 0000000..cd2860b
--- /dev/null
@@ -0,0 +1,66 @@
+From efbe8f81952fe469d38655744627d860879dcde8 Mon Sep 17 00:00:00 2001
+From: Anjaneyulu <pagadala.yesu.anjaneyulu@intel.com>
+Date: Wed, 14 Jun 2023 12:41:37 +0300
+Subject: wifi: iwlwifi: add a few rate index validity checks
+
+From: Anjaneyulu <pagadala.yesu.anjaneyulu@intel.com>
+
+commit efbe8f81952fe469d38655744627d860879dcde8 upstream.
+
+Validate index before access iwl_rate_mcs to keep rate->index
+inside the valid boundaries. Use MCS_0_INDEX if index is less
+than MCS_0_INDEX and MCS_9_INDEX if index is greater then
+MCS_9_INDEX.
+
+Signed-off-by: Anjaneyulu <pagadala.yesu.anjaneyulu@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230614123447.79f16b3aef32.If1137f894775d6d07b78cbf3a6163ffce6399507@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/dvm/rs.c |    7 +++++--
+ drivers/net/wireless/intel/iwlwifi/mvm/rs.c |    9 ++++++---
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
++++ b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
+@@ -130,7 +130,7 @@ static int iwl_hwrate_to_plcp_idx(u32 ra
+                               return idx;
+       }
+-      return -1;
++      return IWL_RATE_INVALID;
+ }
+ static void rs_rate_scale_perform(struct iwl_priv *priv,
+@@ -3151,7 +3151,10 @@ static ssize_t rs_sta_dbgfs_scale_table_
+       for (i = 0; i < LINK_QUAL_MAX_RETRY_NUM; i++) {
+               index = iwl_hwrate_to_plcp_idx(
+                       le32_to_cpu(lq_sta->lq.rs_table[i].rate_n_flags));
+-              if (is_legacy(tbl->lq_type)) {
++              if (index == IWL_RATE_INVALID) {
++                      desc += sprintf(buff + desc, " rate[%d] 0x%X invalid rate\n",
++                              i, le32_to_cpu(lq_sta->lq.rs_table[i].rate_n_flags));
++              } else if (is_legacy(tbl->lq_type)) {
+                       desc += sprintf(buff+desc, " rate[%d] 0x%X %smbps\n",
+                               i, le32_to_cpu(lq_sta->lq.rs_table[i].rate_n_flags),
+                               iwl_rate_mcs[index].mbps);
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
+@@ -1119,10 +1119,13 @@ static void rs_get_lower_rate_down_colum
+               rate->bw = RATE_MCS_CHAN_WIDTH_20;
+-              WARN_ON_ONCE(rate->index < IWL_RATE_MCS_0_INDEX ||
+-                           rate->index > IWL_RATE_MCS_9_INDEX);
++              if (WARN_ON_ONCE(rate->index < IWL_RATE_MCS_0_INDEX))
++                      rate->index = rs_ht_to_legacy[IWL_RATE_MCS_0_INDEX];
++              else if (WARN_ON_ONCE(rate->index > IWL_RATE_MCS_9_INDEX))
++                      rate->index = rs_ht_to_legacy[IWL_RATE_MCS_9_INDEX];
++              else
++                      rate->index = rs_ht_to_legacy[rate->index];
+-              rate->index = rs_ht_to_legacy[rate->index];
+               rate->ldpc = false;
+       } else {
+               /* Downgrade to SISO with same MCS if in MIMO  */
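Review bot: iwl_hwrate_to_plcp_idx in dvm/rs.c changes its failure sentinel from `-1` to `IWL_RATE_INVALID`, but the hunk updates only one caller (the debugfs scale-table printer); any other caller that tested the old sentinel with `index < 0` would now treat an invalid rate as valid and index iwl_rate_mcs[] out of range again, so the remaining callers should be checked (whether IWL_RATE_INVALID is negative is not visible here). In mvm/rs.c the clamping of `rate->index` inside rs_get_lower_rate_down_column turns a WARN-only path into WARN-and-clamp, which is the right direction, but a comment stating why clamping to MCS 0/9 is a safe fallback rather than an error return would help, e.g. `/* Out-of-range index: clamp to the nearest valid HT MCS so the legacy lookup stays in bounds; the WARN records the bug. */`. Both functions start outside their hunks.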