--- /dev/null
+From d0ca0df179c4b21e2a6c4a4fb637aa8fa14575cb Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Wed, 24 Sep 2025 13:18:22 -0700
+Subject: crypto: af_alg - Fix incorrect boolean values in af_alg_ctx
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit d0ca0df179c4b21e2a6c4a4fb637aa8fa14575cb upstream.
+
+Commit 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in
+af_alg_sendmsg") changed some fields from bool to 1-bit bitfields of
+type u32.
+
+However, some assignments to these fields, specifically 'more' and
+'merge', assign values greater than 1. These relied on C's implicit
+conversion to bool, such that zero becomes false and nonzero becomes
+true.
+
+With a 1-bit bitfields of type u32 instead, mod 2 of the value is taken
+instead, resulting in 0 being assigned in some cases when 1 was intended.
+
+Fix this by restoring the bool type.
+
+Fixes: 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/crypto/if_alg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/crypto/if_alg.h
++++ b/include/crypto/if_alg.h
+@@ -152,7 +152,7 @@ struct af_alg_ctx {
+ size_t used;
+ atomic_t rcvused;
+
+- u32 more:1,
++ bool more:1,
+ merge:1,
+ enc:1,
+ write:1,
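Review bot: The `bool more:1,` declaration carries no comment recording why these flags must stay `bool`, and that is the only thing stopping a later cleanup from turning them back into `u32` bitfields and reintroducing the truncation the commit message describes. A one-line comment above the field list would do, for example `/* Must be bool, not u32: some assignments store values > 1 and rely on nonzero -> true. */`. The struct continues past the end of this hunk, so the remaining members are not visible here.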
--- /dev/null
+From eac04428abe9f9cb203ffae4600791ea1d24eb18 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:17 +0200
+Subject: i40e: add mask to apply valid bits for itr_idx
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit eac04428abe9f9cb203ffae4600791ea1d24eb18 upstream.
+
+The ITR index (itr_idx) is only 2 bits wide. When constructing the
+register value for QINT_RQCTL, all fields are ORed together. Without
+masking, higher bits from itr_idx may overwrite adjacent fields in the
+register.
+
+Apply I40E_QINT_RQCTL_ITR_INDX_MASK to ensure only the intended bits are
+set.
+
+Fixes: 5c3c48ac6bf5 ("i40e: implement virtual device interface")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -446,7 +446,7 @@ static void i40e_config_irq_link_list(st
+ (qtype << I40E_QINT_RQCTL_NEXTQ_TYPE_SHIFT) |
+ (pf_queue_id << I40E_QINT_RQCTL_NEXTQ_INDX_SHIFT) |
+ BIT(I40E_QINT_RQCTL_CAUSE_ENA_SHIFT) |
+- (itr_idx << I40E_QINT_RQCTL_ITR_INDX_SHIFT);
++ FIELD_PREP(I40E_QINT_RQCTL_ITR_INDX_MASK, itr_idx);
+ wr32(hw, reg_idx, reg);
+ }
+
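Review bot: `FIELD_PREP(I40E_QINT_RQCTL_ITR_INDX_MASK, itr_idx)` truncates an out-of-range run-time `itr_idx` silently instead of rejecting it, so a bad value is still written to the register as a different, valid-looking index. If `itr_idx` originates from a VF message (the file name suggests so, but the caller is outside this hunk), the range check belongs where that message is validated, with the mask kept here as a second line of defence. The neighbouring `qtype` and `pf_queue_id` terms on the lines above are still shifted without a mask; it is worth confirming they are bounded before this point or giving them the same treatment.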
--- /dev/null
+From cb79fa7118c150c3c76a327894bb2eb878c02619 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:16 +0200
+Subject: i40e: add max boundary check for VF filters
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit cb79fa7118c150c3c76a327894bb2eb878c02619 upstream.
+
+There is no check for max filters that VF can request. Add it.
+
+Fixes: e284fc280473 ("i40e: Add and delete cloud filter")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -3823,6 +3823,8 @@ err:
+ aq_ret);
+ }
+
++#define I40E_MAX_VF_CLOUD_FILTER 0xFF00
++
+ /**
+ * i40e_vc_add_cloud_filter
+ * @vf: pointer to the VF info
+@@ -3862,6 +3864,14 @@ static int i40e_vc_add_cloud_filter(stru
+ goto err_out;
+ }
+
++ if (vf->num_cloud_filters >= I40E_MAX_VF_CLOUD_FILTER) {
++ dev_warn(&pf->pdev->dev,
++ "VF %d: Max number of filters reached, can't apply cloud filter\n",
++ vf->vf_id);
++ aq_ret = -ENOSPC;
++ goto err_out;
++ }
++
+ cfilter = kzalloc(sizeof(*cfilter), GFP_KERNEL);
+ if (!cfilter) {
+ aq_ret = -ENOMEM;
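Review bot: `#define I40E_MAX_VF_CLOUD_FILTER 0xFF00` is introduced without a comment saying where the value comes from, so a reader cannot tell whether it is meant to keep `vf->num_cloud_filters` below its type's maximum or to cap per-VF kernel allocations; a one-line comment on the define should state which. The new `dev_warn()` is also emitted on every rejected request, and a VF can keep sending add requests once it has hit the limit, so `dev_warn_ratelimited()` would keep a misbehaving guest from flooding the host log. The counter's declaration and the place where it is incremented are outside this hunk.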
--- /dev/null
+From aa68d3c3ac8d1dcec40d52ae27e39f6d32207009 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:12 +0200
+Subject: i40e: fix idx validation in i40e_validate_queue_map
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit aa68d3c3ac8d1dcec40d52ae27e39f6d32207009 upstream.
+
+Ensure idx is within range of active/initialized TCs when iterating over
+vf->ch[idx] in i40e_validate_queue_map().
+
+Fixes: c27eac48160d ("i40e: Enable ADq and create queue channel/s on VF")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Kamakshi Nellore <nellorex.kamakshi@intel.com> (A Contingent Worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -2457,8 +2457,10 @@ static int i40e_validate_queue_map(struc
+ u16 vsi_queue_id, queue_id;
+
+ for_each_set_bit(vsi_queue_id, &queuemap, I40E_MAX_VSI_QP) {
+- if (vf->adq_enabled) {
+- vsi_id = vf->ch[vsi_queue_id / I40E_MAX_VF_VSI].vsi_id;
++ u16 idx = vsi_queue_id / I40E_MAX_VF_VSI;
++
++ if (vf->adq_enabled && idx < vf->num_tc) {
++ vsi_id = vf->ch[idx].vsi_id;
+ queue_id = (vsi_queue_id % I40E_DEFAULT_QUEUES_PER_VF);
+ } else {
+ queue_id = vsi_queue_id;
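Review bot: When ADq is enabled and `idx >= vf->num_tc`, the new condition sends the bit down the `else` branch, where it is treated as a plain queue id against the `vsi_id` already in scope instead of being rejected. An index beyond the configured TCs looks like invalid input, so an explicit rejection ahead of the existing test would be clearer, e.g. `if (vf->adq_enabled && idx >= vf->num_tc) return -EINVAL;` (the function's actual failure value is outside this hunk, so adjust to match). The rest of the loop body, including whatever check follows on `queue_id`, is not visible here.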
--- /dev/null
+From 9739d5830497812b0bdeaee356ddefbe60830b88 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:14 +0200
+Subject: i40e: fix input validation logic for action_meta
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit 9739d5830497812b0bdeaee356ddefbe60830b88 upstream.
+
+Fix condition to check 'greater or equal' to prevent OOB dereference.
+
+Fixes: e284fc280473 ("i40e: Add and delete cloud filter")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -3525,7 +3525,7 @@ static int i40e_validate_cloud_filter(st
+
+ /* action_meta is TC number here to which the filter is applied */
+ if (!tc_filter->action_meta ||
+- tc_filter->action_meta > vf->num_tc) {
++ tc_filter->action_meta >= vf->num_tc) {
+ dev_info(&pf->pdev->dev, "VF %d: Invalid TC number %u\n",
+ vf->vf_id, tc_filter->action_meta);
+ goto err;
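Review bot: The comment above the check still says only that action_meta is a TC number and does not state the range the corrected condition enforces. Suggest `/* action_meta is the TC number the filter applies to; valid values are 1 .. vf->num_tc - 1 */` so that the exclusive upper bound is not changed back to `>` by a later edit. The commit message implies the value is later used as an index, but that use is outside this hunk.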
--- /dev/null
+From b99dd77076bd3fddac6f7f1cbfa081c38fde17f5 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:18 +0200
+Subject: i40e: improve VF MAC filters accounting
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit b99dd77076bd3fddac6f7f1cbfa081c38fde17f5 upstream.
+
+When adding new VM MAC, driver checks only *active* filters in
+vsi->mac_filter_hash. Each MAC, even in non-active state is using resources.
+
+To determine number of MACs VM uses, count VSI filters in *any* state.
+
+Add i40e_count_all_filters() to simply count all filters, and rename
+i40e_count_filters() to i40e_count_active_filters() to avoid ambiguity.
+
+Fixes: cfb1d572c986 ("i40e: Add ensurance of MacVlan resources for every trusted VF")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e.h | 3
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 26 +++++++-
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 65 ++++++++-------------
+ 3 files changed, 50 insertions(+), 44 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e.h
++++ b/drivers/net/ethernet/intel/i40e/i40e.h
+@@ -1255,7 +1255,8 @@ struct i40e_mac_filter *i40e_add_mac_fil
+ const u8 *macaddr);
+ int i40e_del_mac_filter(struct i40e_vsi *vsi, const u8 *macaddr);
+ bool i40e_is_vsi_in_vlan(struct i40e_vsi *vsi);
+-int i40e_count_filters(struct i40e_vsi *vsi);
++int i40e_count_all_filters(struct i40e_vsi *vsi);
++int i40e_count_active_filters(struct i40e_vsi *vsi);
+ struct i40e_mac_filter *i40e_find_mac(struct i40e_vsi *vsi, const u8 *macaddr);
+ void i40e_vlan_stripping_enable(struct i40e_vsi *vsi);
+ static inline bool i40e_is_sw_dcb(struct i40e_pf *pf)
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -1233,12 +1233,30 @@ void i40e_update_stats(struct i40e_vsi *
+ }
+
+ /**
+- * i40e_count_filters - counts VSI mac filters
++ * i40e_count_all_filters - counts VSI MAC filters
+ * @vsi: the VSI to be searched
+ *
+- * Returns count of mac filters
+- **/
+-int i40e_count_filters(struct i40e_vsi *vsi)
++ * Return: count of MAC filters in any state.
++ */
++int i40e_count_all_filters(struct i40e_vsi *vsi)
++{
++ struct i40e_mac_filter *f;
++ struct hlist_node *h;
++ int bkt, cnt = 0;
++
++ hash_for_each_safe(vsi->mac_filter_hash, bkt, h, f, hlist)
++ cnt++;
++
++ return cnt;
++}
++
++/**
++ * i40e_count_active_filters - counts VSI MAC filters
++ * @vsi: the VSI to be searched
++ *
++ * Return: count of active MAC filters.
++ */
++int i40e_count_active_filters(struct i40e_vsi *vsi)
+ {
+ struct i40e_mac_filter *f;
+ struct hlist_node *h;
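Review bot: `i40e_count_all_filters()` walks `vsi->mac_filter_hash` with `hash_for_each_safe()` although nothing is removed during the walk; `hash_for_each(vsi->mac_filter_hash, bkt, f, hlist)` would do and drops the unused `h`. The new kernel-doc also says nothing about locking: add a line such as `Context: caller must hold vsi->mac_filter_hash_lock.` if that is the rule for this hash (the callers are outside this hunk, so confirm). The body of `i40e_count_active_filters()` continues past the end of the hunk.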
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -2848,24 +2848,6 @@ error_param:
+ (u8 *)&stats, sizeof(stats));
+ }
+
+-/**
+- * i40e_can_vf_change_mac
+- * @vf: pointer to the VF info
+- *
+- * Return true if the VF is allowed to change its MAC filters, false otherwise
+- */
+-static bool i40e_can_vf_change_mac(struct i40e_vf *vf)
+-{
+- /* If the VF MAC address has been set administratively (via the
+- * ndo_set_vf_mac command), then deny permission to the VF to
+- * add/delete unicast MAC addresses, unless the VF is trusted
+- */
+- if (vf->pf_set_mac && !vf->trusted)
+- return false;
+-
+- return true;
+-}
+-
+ #define I40E_MAX_MACVLAN_PER_HW 3072
+ #define I40E_MAX_MACVLAN_PER_PF(num_ports) (I40E_MAX_MACVLAN_PER_HW / \
+ (num_ports))
+@@ -2904,8 +2886,10 @@ static inline int i40e_check_vf_permissi
+ struct i40e_pf *pf = vf->pf;
+ struct i40e_vsi *vsi = pf->vsi[vf->lan_vsi_idx];
+ struct i40e_hw *hw = &pf->hw;
+- int mac2add_cnt = 0;
+- int i;
++ int i, mac_add_max, mac_add_cnt = 0;
++ bool vf_trusted;
++
++ vf_trusted = test_bit(I40E_VIRTCHNL_VF_CAP_PRIVILEGE, &vf->vf_caps);
+
+ for (i = 0; i < al->num_elements; i++) {
+ struct i40e_mac_filter *f;
+@@ -2925,9 +2909,8 @@ static inline int i40e_check_vf_permissi
+ * The VF may request to set the MAC address filter already
+ * assigned to it so do not return an error in that case.
+ */
+- if (!i40e_can_vf_change_mac(vf) &&
+- !is_multicast_ether_addr(addr) &&
+- !ether_addr_equal(addr, vf->default_lan_addr.addr)) {
++ if (!vf_trusted && !is_multicast_ether_addr(addr) &&
++ vf->pf_set_mac && !ether_addr_equal(addr, vf->default_lan_addr.addr)) {
+ dev_err(&pf->pdev->dev,
+ "VF attempting to override administratively set MAC address, bring down and up the VF interface to resume normal operation\n");
+ return -EPERM;
+@@ -2936,29 +2919,33 @@ static inline int i40e_check_vf_permissi
+ /*count filters that really will be added*/
+ f = i40e_find_mac(vsi, addr);
+ if (!f)
+- ++mac2add_cnt;
++ ++mac_add_cnt;
+ }
+
+ /* If this VF is not privileged, then we can't add more than a limited
+- * number of addresses. Check to make sure that the additions do not
+- * push us over the limit.
+- */
+- if (!test_bit(I40E_VIRTCHNL_VF_CAP_PRIVILEGE, &vf->vf_caps)) {
+- if ((i40e_count_filters(vsi) + mac2add_cnt) >
+- I40E_VC_MAX_MAC_ADDR_PER_VF) {
+- dev_err(&pf->pdev->dev,
+- "Cannot add more MAC addresses, VF is not trusted, switch the VF to trusted to add more functionality\n");
+- return -EPERM;
+- }
+- /* If this VF is trusted, it can use more resources than untrusted.
++ * number of addresses.
++ *
++ * If this VF is trusted, it can use more resources than untrusted.
+ * However to ensure that every trusted VF has appropriate number of
+ * resources, divide whole pool of resources per port and then across
+ * all VFs.
+ */
+- } else {
+- if ((i40e_count_filters(vsi) + mac2add_cnt) >
+- I40E_VC_MAX_MACVLAN_PER_TRUSTED_VF(pf->num_alloc_vfs,
+- hw->num_ports)) {
++ if (!vf_trusted)
++ mac_add_max = I40E_VC_MAX_MAC_ADDR_PER_VF;
++ else
++ mac_add_max = I40E_VC_MAX_MACVLAN_PER_TRUSTED_VF(pf->num_alloc_vfs, hw->num_ports);
++
++ /* VF can replace all its filters in one step, in this case mac_add_max
++ * will be added as active and another mac_add_max will be in
++ * a to-be-removed state. Account for that.
++ */
++ if ((i40e_count_active_filters(vsi) + mac_add_cnt) > mac_add_max ||
++ (i40e_count_all_filters(vsi) + mac_add_cnt) > 2 * mac_add_max) {
++ if (!vf_trusted) {
++ dev_err(&pf->pdev->dev,
++ "Cannot add more MAC addresses, VF is not trusted, switch the VF to trusted to add more functionality\n");
++ return -EPERM;
++ } else {
+ dev_err(&pf->pdev->dev,
+ "Cannot add more MAC addresses, trusted VF exhausted it's resources\n");
+ return -EPERM;
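Review bot: The administratively-set-MAC check now keys off `test_bit(I40E_VIRTCHNL_VF_CAP_PRIVILEGE, &vf->vf_caps)`, whereas the removed `i40e_can_vf_change_mac()` tested `vf->trusted`, and the commit message does not mention this switch. If the two can disagree, for instance between a trust change and the next VF reset (not visible here), the permission decision differs for that window; a sentence in the comment above the check saying which one is authoritative would settle it. Separately, both arms of the final `if (!vf_trusted)` return `-EPERM` and differ only in the message, so the `else` after `return` can be dropped. The function continues past the end of this hunk.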
octeontx2-pf-fix-potential-use-after-free-in-otx2_tc.patch
drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
futex-prevent-use-after-free-during-requeue-pi.patch
+i40e-fix-idx-validation-in-i40e_validate_queue_map.patch
+i40e-fix-input-validation-logic-for-action_meta.patch
+i40e-add-max-boundary-check-for-vf-filters.patch
+i40e-add-mask-to-apply-valid-bits-for-itr_idx.patch
+i40e-improve-vf-mac-filters-accounting.patch
+crypto-af_alg-fix-incorrect-boolean-values-in-af_alg_ctx.patch
+tracing-dynevent-add-a-missing-lockdown-check-on-dynevent.patch
--- /dev/null
+From 456c32e3c4316654f95f9d49c12cbecfb77d5660 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Fri, 19 Sep 2025 10:15:56 +0900
+Subject: tracing: dynevent: Add a missing lockdown check on dynevent
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit 456c32e3c4316654f95f9d49c12cbecfb77d5660 upstream.
+
+Since dynamic_events interface on tracefs is compatible with
+kprobe_events and uprobe_events, it should also check the lockdown
+status and reject if it is set.
+
+Link: https://lore.kernel.org/all/175824455687.45175.3734166065458520748.stgit@devnote2/
+
+Fixes: 17911ff38aa5 ("tracing: Add locked_down checks to the open calls of files created for tracefs")
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_dynevent.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/trace/trace_dynevent.c
++++ b/kernel/trace/trace_dynevent.c
+@@ -239,6 +239,10 @@ static int dyn_event_open(struct inode *
+ {
+ int ret;
+
++ ret = security_locked_down(LOCKDOWN_TRACEFS);
++ if (ret)
++ return ret;
++
+ ret = tracing_check_open_get_tr(NULL);
+ if (ret)
+ return ret;
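Review bot: The added `security_locked_down(LOCKDOWN_TRACEFS)` call has no comment explaining why it sits in front of `tracing_check_open_get_tr(NULL)`, and this hunk does not show whether that helper performs a lockdown check of its own. If it does, say so in a comment or drop the duplicate; if it does not, a comment such as `/* dynamic_events accepts the same commands as kprobe_events/uprobe_events, so apply the same lockdown policy */` records the intent. dyn_event_open's body continues outside the hunk.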