6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 30 Jan 2025 09:49:57 +0000 (10:49 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 30 Jan 2025 09:49:57 +0000 (10:49 +0100)
added patches:
block-fix-integer-overflow-in-blksecdiscard.patch
cachestat-fix-page-cache-statistics-permission-checking.patch
ext4-filesystems-without-casefold-feature-cannot-be-mounted-with-siphash.patch
ext4-fix-access-to-uninitialised-lock-in-fc-replay-path.patch
ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch
net-sched-fix-ets-qdisc-oob-indexing.patch
revert-hid-multitouch-add-support-for-lenovo-y9000p-touchpad.patch
scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch
vfio-platform-check-the-bounds-of-read-write-syscalls.patch

queue-6.6/block-fix-integer-overflow-in-blksecdiscard.patch [new file with mode: 0644]
queue-6.6/cachestat-fix-page-cache-statistics-permission-checking.patch [new file with mode: 0644]
queue-6.6/ext4-filesystems-without-casefold-feature-cannot-be-mounted-with-siphash.patch [new file with mode: 0644]
queue-6.6/ext4-fix-access-to-uninitialised-lock-in-fc-replay-path.patch [new file with mode: 0644]
queue-6.6/ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch [new file with mode: 0644]
queue-6.6/net-sched-fix-ets-qdisc-oob-indexing.patch [new file with mode: 0644]
queue-6.6/revert-hid-multitouch-add-support-for-lenovo-y9000p-touchpad.patch [new file with mode: 0644]
queue-6.6/scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch [new file with mode: 0644]
queue-6.6/series
queue-6.6/vfio-platform-check-the-bounds-of-read-write-syscalls.patch [new file with mode: 0644]

diff --git a/queue-6.6/block-fix-integer-overflow-in-blksecdiscard.patch b/queue-6.6/block-fix-integer-overflow-in-blksecdiscard.patch
new file mode 100644 (file)
index 0000000..d60a02b
--- /dev/null
@@ -0,0 +1,71 @@
+From 697ba0b6ec4ae04afb67d3911799b5e2043b4455 Mon Sep 17 00:00:00 2001
+From: Alexey Dobriyan <adobriyan@gmail.com>
+Date: Tue, 3 Sep 2024 22:48:19 +0300
+Subject: block: fix integer overflow in BLKSECDISCARD
+
+From: Alexey Dobriyan <adobriyan@gmail.com>
+
+commit 697ba0b6ec4ae04afb67d3911799b5e2043b4455 upstream.
+
+I independently rediscovered
+
+       commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155
+       block: fix overflow in blk_ioctl_discard()
+
+but for secure erase.
+
+Same problem:
+
+       uint64_t r[2] = {512, 18446744073709551104ULL};
+       ioctl(fd, BLKSECDISCARD, r);
+
+will enter near infinite loop inside blkdev_issue_secure_erase():
+
+       a.out: attempt to access beyond end of device
+       loop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048
+       bio_check_eod: 3286214 callbacks suppressed
+
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Link: https://lore.kernel.org/r/9e64057f-650a-46d1-b9f7-34af391536ef@p183
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Rajani Kantha <rajanikantha@engineer.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/ioctl.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/block/ioctl.c
++++ b/block/ioctl.c
+@@ -115,7 +115,7 @@ static int blk_ioctl_discard(struct bloc
+               return -EINVAL;
+       filemap_invalidate_lock(inode->i_mapping);
+-      err = truncate_bdev_range(bdev, mode, start, start + len - 1);
++      err = truncate_bdev_range(bdev, mode, start, end - 1);
+       if (err)
+               goto fail;
+       err = blkdev_issue_discard(bdev, start >> 9, len >> 9, GFP_KERNEL);
+@@ -127,7 +127,7 @@ fail:
+ static int blk_ioctl_secure_erase(struct block_device *bdev, blk_mode_t mode,
+               void __user *argp)
+ {
+-      uint64_t start, len;
++      uint64_t start, len, end;
+       uint64_t range[2];
+       int err;
+@@ -142,11 +142,12 @@ static int blk_ioctl_secure_erase(struct
+       len = range[1];
+       if ((start & 511) || (len & 511))
+               return -EINVAL;
+-      if (start + len > bdev_nr_bytes(bdev))
++      if (check_add_overflow(start, len, &end) ||
++          end > bdev_nr_bytes(bdev))
+               return -EINVAL;
+       filemap_invalidate_lock(bdev->bd_inode->i_mapping);
+-      err = truncate_bdev_range(bdev, mode, start, start + len - 1);
++      err = truncate_bdev_range(bdev, mode, start, end - 1);
+       if (!err)
+               err = blkdev_issue_secure_erase(bdev, start >> 9, len >> 9,
+                                               GFP_KERNEL);
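Review bot: The secure-erase path still accepts len == 0, which none of the visible checks at L90-L95 reject, so a zero-length request at start 0 makes `end - 1` wrap to UINT64_MAX before it reaches truncate_bdev_range(), exactly as `start + len - 1` did before; the body between L87 and L89 is outside the hunk, so if no `if (!len) return -EINVAL;` exists there, add one next to the alignment check. The first hunk also uses `end` in blk_ioctl_discard without declaring it, relying on commit 22d24a544b0d named in the description; confirm that commit is already in the 6.6 queue or this backport will not build. blk_ioctl_secure_erase() continues past the end of the hunk.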
diff --git a/queue-6.6/cachestat-fix-page-cache-statistics-permission-checking.patch b/queue-6.6/cachestat-fix-page-cache-statistics-permission-checking.patch
new file mode 100644 (file)
index 0000000..44dba80
--- /dev/null
@@ -0,0 +1,67 @@
+From 5f537664e705b0bf8b7e329861f20128534f6a83 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue, 21 Jan 2025 09:27:22 -0800
+Subject: cachestat: fix page cache statistics permission checking
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 5f537664e705b0bf8b7e329861f20128534f6a83 upstream.
+
+When the 'cachestat()' system call was added in commit cf264e1329fb
+("cachestat: implement cachestat syscall"), it was meant to be a much
+more convenient (and performant) version of mincore() that didn't need
+mapping things into the user virtual address space in order to work.
+
+But it ended up missing the "check for writability or ownership" fix for
+mincore(), done in commit 134fca9063ad ("mm/mincore.c: make mincore()
+more conservative").
+
+This just adds equivalent logic to 'cachestat()', modified for the file
+context (rather than vma).
+
+Reported-by: Sudheendra Raghav Neela <sneela@tugraz.at>
+Fixes: cf264e1329fb ("cachestat: implement cachestat syscall")
+Tested-by: Johannes Weiner <hannes@cmpxchg.org>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Acked-by: Nhat Pham <nphamcs@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/filemap.c |   19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -4271,6 +4271,20 @@ resched:
+ }
+ /*
++ * See mincore: reveal pagecache information only for files
++ * that the calling process has write access to, or could (if
++ * tried) open for writing.
++ */
++static inline bool can_do_cachestat(struct file *f)
++{
++      if (f->f_mode & FMODE_WRITE)
++              return true;
++      if (inode_owner_or_capable(file_mnt_idmap(f), file_inode(f)))
++              return true;
++      return file_permission(f, MAY_WRITE) == 0;
++}
++
++/*
+  * The cachestat(2) system call.
+  *
+  * cachestat() returns the page cache statistics of a file in the
+@@ -4329,6 +4343,11 @@ SYSCALL_DEFINE4(cachestat, unsigned int,
+               return -EOPNOTSUPP;
+       }
++      if (!can_do_cachestat(f.file)) {
++              fdput(f);
++              return -EPERM;
++      }
++
+       if (flags != 0) {
+               fdput(f);
+               return -EINVAL;
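Review bot: The new permission gate at L164 runs before the `flags` validation at L169, so a caller passing non-zero flags on a file it cannot write is told -EPERM rather than -EINVAL; if malformed arguments should be reported independently of permission, move the `can_do_cachestat()` block below the `flags` check. The helper's comment could also state that `FMODE_WRITE` reflects how the descriptor was opened, so a read-only descriptor on a file the caller could write still passes via the ownership and `file_permission(f, MAY_WRITE)` fallbacks, e.g. `/* FMODE_WRITE is the open mode; the next two checks cover read-only fds on files the caller may write */`. SYSCALL_DEFINE4(cachestat, ...) continues past the hunk.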
diff --git a/queue-6.6/ext4-filesystems-without-casefold-feature-cannot-be-mounted-with-siphash.patch b/queue-6.6/ext4-filesystems-without-casefold-feature-cannot-be-mounted-with-siphash.patch
new file mode 100644 (file)
index 0000000..fac1067
--- /dev/null
@@ -0,0 +1,38 @@
+From 985b67cd86392310d9e9326de941c22fc9340eec Mon Sep 17 00:00:00 2001
+From: Lizhi Xu <lizhi.xu@windriver.com>
+Date: Wed, 5 Jun 2024 09:23:35 +0800
+Subject: ext4: filesystems without casefold feature cannot be mounted with siphash
+
+From: Lizhi Xu <lizhi.xu@windriver.com>
+
+commit 985b67cd86392310d9e9326de941c22fc9340eec upstream.
+
+When mounting the ext4 filesystem, if the default hash version is set to
+DX_HASH_SIPHASH but the casefold feature is not set, exit the mounting.
+
+Reported-by: syzbot+340581ba9dceb7e06fb3@syzkaller.appspotmail.com
+Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
+Link: https://patch.msgid.link/20240605012335.44086-1-lizhi.xu@windriver.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Rajani Kantha <rajanikantha@engineer.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3626,6 +3626,13 @@ int ext4_feature_set_ok(struct super_blo
+               return 0;
+       }
+ #endif
++      if (EXT4_SB(sb)->s_es->s_def_hash_version == DX_HASH_SIPHASH &&
++          !ext4_has_feature_casefold(sb)) {
++              ext4_msg(sb, KERN_ERR,
++                       "Filesystem without casefold feature cannot be "
++                       "mounted with siphash");
++              return 0;
++      }
+       if (readonly)
+               return 1;
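Review bot: The new rejection at L205-L211 carries no comment saying why the combination is invalid, and the message does not name the offending hash value; suggest `/* siphash directory hashing is only supported on casefolded filesystems */` above the `if`, which is as far as the commit description supports. Placing it before the `if (readonly)` early return at L212 looks right, since the on-disk default hash version applies regardless of mount mode. ext4_feature_set_ok() continues outside the hunk on both sides.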
diff --git a/queue-6.6/ext4-fix-access-to-uninitialised-lock-in-fc-replay-path.patch b/queue-6.6/ext4-fix-access-to-uninitialised-lock-in-fc-replay-path.patch
new file mode 100644 (file)
index 0000000..e6e4168
--- /dev/null
@@ -0,0 +1,78 @@
+From 23dfdb56581ad92a9967bcd720c8c23356af74c1 Mon Sep 17 00:00:00 2001
+From: "Luis Henriques (SUSE)" <luis.henriques@linux.dev>
+Date: Thu, 18 Jul 2024 10:43:56 +0100
+Subject: ext4: fix access to uninitialised lock in fc replay path
+
+From: Luis Henriques (SUSE) <luis.henriques@linux.dev>
+
+commit 23dfdb56581ad92a9967bcd720c8c23356af74c1 upstream.
+
+The following kernel trace can be triggered with fstest generic/629 when
+executed against a filesystem with fast-commit feature enabled:
+
+INFO: trying to register non-static key.
+The code is fine but needs lockdep annotation, or maybe
+you didn't initialize this object before use?
+turning off the locking correctness validator.
+CPU: 0 PID: 866 Comm: mount Not tainted 6.10.0+ #11
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x66/0x90
+ register_lock_class+0x759/0x7d0
+ __lock_acquire+0x85/0x2630
+ ? __find_get_block+0xb4/0x380
+ lock_acquire+0xd1/0x2d0
+ ? __ext4_journal_get_write_access+0xd5/0x160
+ _raw_spin_lock+0x33/0x40
+ ? __ext4_journal_get_write_access+0xd5/0x160
+ __ext4_journal_get_write_access+0xd5/0x160
+ ext4_reserve_inode_write+0x61/0xb0
+ __ext4_mark_inode_dirty+0x79/0x270
+ ? ext4_ext_replay_set_iblocks+0x2f8/0x450
+ ext4_ext_replay_set_iblocks+0x330/0x450
+ ext4_fc_replay+0x14c8/0x1540
+ ? jread+0x88/0x2e0
+ ? rcu_is_watching+0x11/0x40
+ do_one_pass+0x447/0xd00
+ jbd2_journal_recover+0x139/0x1b0
+ jbd2_journal_load+0x96/0x390
+ ext4_load_and_init_journal+0x253/0xd40
+ ext4_fill_super+0x2cc6/0x3180
+...
+
+In the replay path there's an attempt to lock sbi->s_bdev_wb_lock in
+function ext4_check_bdev_write_error().  Unfortunately, at this point this
+spinlock has not been initialized yet.  Moving it's initialization to an
+earlier point in __ext4_fill_super() fixes this splat.
+
+Signed-off-by: Luis Henriques (SUSE) <luis.henriques@linux.dev>
+Link: https://patch.msgid.link/20240718094356.7863-1-luis.henriques@linux.dev
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
+Signed-off-by: Victor Giraud <vgiraud.opensource@witekio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -5366,6 +5366,8 @@ static int __ext4_fill_super(struct fs_c
+       INIT_LIST_HEAD(&sbi->s_orphan); /* unlinked but open files */
+       mutex_init(&sbi->s_orphan_lock);
++      spin_lock_init(&sbi->s_bdev_wb_lock);
++
+       ext4_fast_commit_init(sb);
+       sb->s_root = NULL;
+@@ -5586,7 +5588,6 @@ static int __ext4_fill_super(struct fs_c
+        * Save the original bdev mapping's wb_err value which could be
+        * used to detect the metadata async write error.
+        */
+-      spin_lock_init(&sbi->s_bdev_wb_lock);
+       errseq_check_and_advance(&sb->s_bdev->bd_inode->i_mapping->wb_err,
+                                &sbi->s_bdev_wb_err);
+       EXT4_SB(sb)->s_mount_state |= EXT4_ORPHAN_FS;
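Review bot: The relocated `spin_lock_init(&sbi->s_bdev_wb_lock)` at L283 has no comment tying it to the ordering constraint, so a future cleanup could move it back beside the errseq setup it visibly belongs with at L292; suggest `/* initialised early: fast-commit replay during journal load takes this lock via ext4_check_bdev_write_error() */` above it, per the commit description. The comment block at L288-L290 now describes only the errseq_check_and_advance() call, which still reads correctly. __ext4_fill_super() extends outside both hunks.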
diff --git a/queue-6.6/ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch b/queue-6.6/ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch
new file mode 100644 (file)
index 0000000..e0d1311
--- /dev/null
@@ -0,0 +1,74 @@
+From 90e0569dd3d32f4f4d2ca691d3fa5a8a14a13c12 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Wed, 23 Oct 2024 15:30:09 +0300
+Subject: ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find()
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit 90e0569dd3d32f4f4d2ca691d3fa5a8a14a13c12 upstream.
+
+The per-netns IP tunnel hash table is protected by the RTNL mutex and
+ip_tunnel_find() is only called from the control path where the mutex is
+taken.
+
+Add a lockdep expression to hlist_for_each_entry_rcu() in
+ip_tunnel_find() in order to validate that the mutex is held and to
+silence the suspicious RCU usage warning [1].
+
+[1]
+WARNING: suspicious RCU usage
+6.12.0-rc3-custom-gd95d9a31aceb #139 Not tainted
+-----------------------------
+net/ipv4/ip_tunnel.c:221 RCU-list traversed in non-reader section!!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+1 lock held by ip/362:
+ #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60
+
+stack backtrace:
+CPU: 12 UID: 0 PID: 362 Comm: ip Not tainted 6.12.0-rc3-custom-gd95d9a31aceb #139
+Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0xba/0x110
+ lockdep_rcu_suspicious.cold+0x4f/0xd6
+ ip_tunnel_find+0x435/0x4d0
+ ip_tunnel_newlink+0x517/0x7a0
+ ipgre_newlink+0x14c/0x170
+ __rtnl_newlink+0x1173/0x19c0
+ rtnl_newlink+0x6c/0xa0
+ rtnetlink_rcv_msg+0x3cc/0xf60
+ netlink_rcv_skb+0x171/0x450
+ netlink_unicast+0x539/0x7f0
+ netlink_sendmsg+0x8c1/0xd80
+ ____sys_sendmsg+0x8f9/0xc20
+ ___sys_sendmsg+0x197/0x1e0
+ __sys_sendmsg+0x122/0x1f0
+ do_syscall_64+0xbb/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20241023123009.749764-1-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Alva Lan <alvalan9@foxmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_tunnel.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -218,7 +218,7 @@ static struct ip_tunnel *ip_tunnel_find(
+       struct ip_tunnel *t = NULL;
+       struct hlist_head *head = ip_bucket(itn, parms);
+-      hlist_for_each_entry_rcu(t, head, hash_node) {
++      hlist_for_each_entry_rcu(t, head, hash_node, lockdep_rtnl_is_held()) {
+               if (local == t->parms.iph.saddr &&
+                   remote == t->parms.iph.daddr &&
+                   link == READ_ONCE(t->parms.link) &&
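Review bot: The lockdep expression at L369 only tells lockdep-enabled kernels about the RTNL requirement; a reader of ip_tunnel_find() sees a `_rcu` traversal with no hint that the list is RTNL-protected, so add `/* Caller must hold RTNL: the hash table is protected by it, not by an RCU read-side section */` above the loop or in the function's header comment, which starts outside the hunk. Note that this is an assertion, not a lock acquisition, so a new caller without RTNL would only be caught on a lockdep build. ip_tunnel_find() starts before and ends after the hunk.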
diff --git a/queue-6.6/net-sched-fix-ets-qdisc-oob-indexing.patch b/queue-6.6/net-sched-fix-ets-qdisc-oob-indexing.patch
new file mode 100644 (file)
index 0000000..33b543d
--- /dev/null
@@ -0,0 +1,91 @@
+From d62b04fca4340a0d468d7853bd66e511935a18cb Mon Sep 17 00:00:00 2001
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+Date: Sat, 11 Jan 2025 09:57:39 -0500
+Subject: net: sched: fix ets qdisc OOB Indexing
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+commit d62b04fca4340a0d468d7853bd66e511935a18cb upstream.
+
+Haowei Yan <g1042620637@gmail.com> found that ets_class_from_arg() can
+index an Out-Of-Bound class in ets_class_from_arg() when passed clid of
+0. The overflow may cause local privilege escalation.
+
+ [   18.852298] ------------[ cut here ]------------
+ [   18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20
+ [   18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]'
+ [   18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17
+ [   18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+ [   18.856532] Call Trace:
+ [   18.857441]  <TASK>
+ [   18.858227]  dump_stack_lvl+0xc2/0xf0
+ [   18.859607]  dump_stack+0x10/0x20
+ [   18.860908]  __ubsan_handle_out_of_bounds+0xa7/0xf0
+ [   18.864022]  ets_class_change+0x3d6/0x3f0
+ [   18.864322]  tc_ctl_tclass+0x251/0x910
+ [   18.864587]  ? lock_acquire+0x5e/0x140
+ [   18.865113]  ? __mutex_lock+0x9c/0xe70
+ [   18.866009]  ? __mutex_lock+0xa34/0xe70
+ [   18.866401]  rtnetlink_rcv_msg+0x170/0x6f0
+ [   18.866806]  ? __lock_acquire+0x578/0xc10
+ [   18.867184]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
+ [   18.867503]  netlink_rcv_skb+0x59/0x110
+ [   18.867776]  rtnetlink_rcv+0x15/0x30
+ [   18.868159]  netlink_unicast+0x1c3/0x2b0
+ [   18.868440]  netlink_sendmsg+0x239/0x4b0
+ [   18.868721]  ____sys_sendmsg+0x3e2/0x410
+ [   18.869012]  ___sys_sendmsg+0x88/0xe0
+ [   18.869276]  ? rseq_ip_fixup+0x198/0x260
+ [   18.869563]  ? rseq_update_cpu_node_id+0x10a/0x190
+ [   18.869900]  ? trace_hardirqs_off+0x5a/0xd0
+ [   18.870196]  ? syscall_exit_to_user_mode+0xcc/0x220
+ [   18.870547]  ? do_syscall_64+0x93/0x150
+ [   18.870821]  ? __memcg_slab_free_hook+0x69/0x290
+ [   18.871157]  __sys_sendmsg+0x69/0xd0
+ [   18.871416]  __x64_sys_sendmsg+0x1d/0x30
+ [   18.871699]  x64_sys_call+0x9e2/0x2670
+ [   18.871979]  do_syscall_64+0x87/0x150
+ [   18.873280]  ? do_syscall_64+0x93/0x150
+ [   18.874742]  ? lock_release+0x7b/0x160
+ [   18.876157]  ? do_user_addr_fault+0x5ce/0x8f0
+ [   18.877833]  ? irqentry_exit_to_user_mode+0xc2/0x210
+ [   18.879608]  ? irqentry_exit+0x77/0xb0
+ [   18.879808]  ? clear_bhb_loop+0x15/0x70
+ [   18.880023]  ? clear_bhb_loop+0x15/0x70
+ [   18.880223]  ? clear_bhb_loop+0x15/0x70
+ [   18.880426]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ [   18.880683] RIP: 0033:0x44a957
+ [   18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10
+ [   18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ [   18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957
+ [   18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003
+ [   18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0
+ [   18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001
+ [   18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001
+ [   18.888395]  </TASK>
+ [   18.888610] ---[ end trace ]---
+
+Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc")
+Reported-by: Haowei Yan <g1042620637@gmail.com>
+Suggested-by: Haowei Yan <g1042620637@gmail.com>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Link: https://patch.msgid.link/20250111145740.74755-1-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_ets.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/sched/sch_ets.c
++++ b/net/sched/sch_ets.c
+@@ -91,6 +91,8 @@ ets_class_from_arg(struct Qdisc *sch, un
+ {
+       struct ets_sched *q = qdisc_priv(sch);
++      if (arg == 0 || arg > q->nbands)
++              return NULL;
+       return &q->classes[arg - 1];
+ }
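Review bot: The new guard at L463-L464 turns an accessor that never returned NULL into one that can, but the hunk shows none of the callers of ets_class_from_arg(); any caller that dereferences the result unconditionally would now trade an out-of-bounds index for a NULL dereference, so confirm each caller handles NULL or that its `arg` is already validated by ets_class_find(). A comment would help, e.g. `/* class handles are 1-based; 0 and anything above nbands are invalid */`. The comparison `arg > q->nbands` also assumes nbands never exceeds the classes array size, which I cannot verify from the hunk.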
diff --git a/queue-6.6/revert-hid-multitouch-add-support-for-lenovo-y9000p-touchpad.patch b/queue-6.6/revert-hid-multitouch-add-support-for-lenovo-y9000p-touchpad.patch
new file mode 100644 (file)
index 0000000..dcfeda0
--- /dev/null
@@ -0,0 +1,76 @@
+From 3d88ba86ba6f35a0467f25a88c38aa5639190d04 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.com>
+Date: Thu, 12 Dec 2024 09:53:10 +0100
+Subject: Revert "HID: multitouch: Add support for lenovo Y9000P Touchpad"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiri Kosina <jkosina@suse.com>
+
+commit 3d88ba86ba6f35a0467f25a88c38aa5639190d04 upstream.
+
+This reverts commit 251efae73bd46b097deec4f9986d926813aed744.
+
+Quoting Wang Yuli:
+
+       "The 27C6:01E0 touchpad doesn't require the workaround and applying it
+       would actually break functionality.
+
+       The initial report came from a BBS forum, but we suspect the
+       information provided by the forum user may be incorrect which could
+       happen sometimes. [1]
+
+       Further investigation showed that the Lenovo Y9000P 2024 doesn't even
+       use a Goodix touchpad. [2]
+
+       For the broader issue of 27c6:01e0 being unusable on some devices, it
+       just need to address it with a libinput quirk.
+
+       In conclusion, we should revert this commit, which is the best
+       solution."
+
+Reported-by: Ulrich Müller <ulm@gentoo.org>
+Reported-by: WangYuli <wangyuli@uniontech.com>
+Link: https://lore.kernel.org/all/uikt4wwpw@gentoo.org/
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-ids.h        |    1 -
+ drivers/hid/hid-multitouch.c |    8 ++------
+ 2 files changed, 2 insertions(+), 7 deletions(-)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -506,7 +506,6 @@
+ #define USB_DEVICE_ID_GENERAL_TOUCH_WIN8_PIT_E100 0xe100
+ #define I2C_VENDOR_ID_GOODIX          0x27c6
+-#define I2C_DEVICE_ID_GOODIX_01E0     0x01e0
+ #define I2C_DEVICE_ID_GOODIX_01E8     0x01e8
+ #define I2C_DEVICE_ID_GOODIX_01E9     0x01e9
+ #define I2C_DEVICE_ID_GOODIX_01F0     0x01f0
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -1447,8 +1447,7 @@ static __u8 *mt_report_fixup(struct hid_
+ {
+       if (hdev->vendor == I2C_VENDOR_ID_GOODIX &&
+           (hdev->product == I2C_DEVICE_ID_GOODIX_01E8 ||
+-           hdev->product == I2C_DEVICE_ID_GOODIX_01E9 ||
+-               hdev->product == I2C_DEVICE_ID_GOODIX_01E0)) {
++           hdev->product == I2C_DEVICE_ID_GOODIX_01E9)) {
+               if (rdesc[607] == 0x15) {
+                       rdesc[607] = 0x25;
+                       dev_info(
+@@ -2073,10 +2072,7 @@ static const struct hid_device_id mt_dev
+                    I2C_DEVICE_ID_GOODIX_01E8) },
+       { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT_NSMU,
+         HID_DEVICE(BUS_I2C, HID_GROUP_ANY, I2C_VENDOR_ID_GOODIX,
+-                   I2C_DEVICE_ID_GOODIX_01E9) },
+-      { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT_NSMU,
+-        HID_DEVICE(BUS_I2C, HID_GROUP_ANY, I2C_VENDOR_ID_GOODIX,
+-                   I2C_DEVICE_ID_GOODIX_01E0) },
++                   I2C_DEVICE_ID_GOODIX_01E8) },
+       /* GoodTouch panels */
+       { .driver_data = MT_CLS_NSMU,
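Review bot: The revert re-creates what looks like a typo in mt_devices: after L543 the table has two consecutive entries for `I2C_DEVICE_ID_GOODIX_01E8` (L536 and L543) and none for `I2C_DEVICE_ID_GOODIX_01E9`, yet mt_report_fixup() at L527-L531 still matches on 01E9, so that fixup becomes unreachable for 01E9 devices. Reverted commit 251efae73bd4 appears to have corrected that second entry from 01E8 to 01E9 while adding 01E0, and only the 01E0 part should be dropped. Keep L539 and remove only L540-L542, so that the line at L543 reads `                   I2C_DEVICE_ID_GOODIX_01E9) },`.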
diff --git a/queue-6.6/scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch b/queue-6.6/scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch
new file mode 100644 (file)
index 0000000..1aef74b
--- /dev/null
@@ -0,0 +1,48 @@
+From d2138eab8cde61e0e6f62d0713e45202e8457d6d Mon Sep 17 00:00:00 2001
+From: Easwar Hariharan <eahariha@linux.microsoft.com>
+Date: Tue, 7 Jan 2025 17:28:40 +0000
+Subject: scsi: storvsc: Ratelimit warning logs to prevent VM denial of service
+
+From: Easwar Hariharan <eahariha@linux.microsoft.com>
+
+commit d2138eab8cde61e0e6f62d0713e45202e8457d6d upstream.
+
+If there's a persistent error in the hypervisor, the SCSI warning for
+failed I/O can flood the kernel log and max out CPU utilization,
+preventing troubleshooting from the VM side. Ratelimit the warning so
+it doesn't DoS the VM.
+
+Closes: https://github.com/microsoft/WSL/issues/9173
+Signed-off-by: Easwar Hariharan <eahariha@linux.microsoft.com>
+Link: https://lore.kernel.org/r/20250107-eahariha-ratelimit-storvsc-v1-1-7fc193d1f2b0@linux.microsoft.com
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/storvsc_drv.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -171,6 +171,12 @@ do {                                                              \
+               dev_warn(&(dev)->device, fmt, ##__VA_ARGS__);   \
+ } while (0)
++#define storvsc_log_ratelimited(dev, level, fmt, ...)                         \
++do {                                                                          \
++      if (do_logging(level))                                                  \
++              dev_warn_ratelimited(&(dev)->device, fmt, ##__VA_ARGS__);       \
++} while (0)
++
+ struct vmscsi_request {
+       u16 length;
+       u8 srb_status;
+@@ -1177,7 +1183,7 @@ static void storvsc_on_io_completion(str
+               int loglevel = (stor_pkt->vm_srb.cdb[0] == TEST_UNIT_READY) ?
+                       STORVSC_LOGGING_WARN : STORVSC_LOGGING_ERROR;
+-              storvsc_log(device, loglevel,
++              storvsc_log_ratelimited(device, loglevel,
+                       "tag#%d cmd 0x%x status: scsi 0x%x srb 0x%x hv 0x%x\n",
+                       scsi_cmd_to_rq(request->cmd)->tag,
+                       stor_pkt->vm_srb.cdb[0],
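Review bot: The new macro at L580-L584 duplicates storvsc_log() verbatim except for the `_ratelimited` call, and neither carries a comment saying when to use which; add `/* Use for errors that can repeat per I/O: a persistent hypervisor fault would otherwise flood the log and burn CPU */` above it. Operators should also know that suppressed messages are only summarised by the ratelimit counter, so dmesg will show fewer entries than actual failures; a short note at the call site would avoid misreading the counts. Style-wise the backslash column of the new macro differs from the existing one at L577-L579. storvsc_on_io_completion() lies mostly outside the hunk.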
index 94ca9666d566afcbe05ae3223ea4edd3f7dc91ec..e594b04538e05cf81660dba148f8d9831d8e8dab 100644 (file)
@@ -23,3 +23,12 @@ revert-libfs-add-simple_offset_empty.patch
 libfs-replace-simple_offset-end-of-directory-detection.patch
 libfs-use-d_children-list-to-iterate-simple_offset-directories.patch
 smb-client-handle-lack-of-ea-support-in-smb2_query_path_info.patch
+net-sched-fix-ets-qdisc-oob-indexing.patch
+block-fix-integer-overflow-in-blksecdiscard.patch
+revert-hid-multitouch-add-support-for-lenovo-y9000p-touchpad.patch
+cachestat-fix-page-cache-statistics-permission-checking.patch
+vfio-platform-check-the-bounds-of-read-write-syscalls.patch
+ext4-fix-access-to-uninitialised-lock-in-fc-replay-path.patch
+ext4-filesystems-without-casefold-feature-cannot-be-mounted-with-siphash.patch
+ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch
+scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch
diff --git a/queue-6.6/vfio-platform-check-the-bounds-of-read-write-syscalls.patch b/queue-6.6/vfio-platform-check-the-bounds-of-read-write-syscalls.patch
new file mode 100644 (file)
index 0000000..58f98fe
--- /dev/null
@@ -0,0 +1,54 @@
+From ce9ff21ea89d191e477a02ad7eabf4f996b80a69 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Wed, 22 Jan 2025 10:38:30 -0700
+Subject: vfio/platform: check the bounds of read/write syscalls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit ce9ff21ea89d191e477a02ad7eabf4f996b80a69 upstream.
+
+count and offset are passed from user space and not checked, only
+offset is capped to 40 bits, which can be used to read/write out of
+bounds of the device.
+
+Fixes: 6e3f26456009 (“vfio/platform: read and write support for the device fd”)
+Cc: stable@vger.kernel.org
+Reported-by: Mostafa Saleh <smostafa@google.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Mostafa Saleh <smostafa@google.com>
+Tested-by: Mostafa Saleh <smostafa@google.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vfio/platform/vfio_platform_common.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/vfio/platform/vfio_platform_common.c
++++ b/drivers/vfio/platform/vfio_platform_common.c
+@@ -388,6 +388,11 @@ static ssize_t vfio_platform_read_mmio(s
+ {
+       unsigned int done = 0;
++      if (off >= reg->size)
++              return -EINVAL;
++
++      count = min_t(size_t, count, reg->size - off);
++
+       if (!reg->ioaddr) {
+               reg->ioaddr =
+                       ioremap(reg->addr, reg->size);
+@@ -467,6 +472,11 @@ static ssize_t vfio_platform_write_mmio(
+ {
+       unsigned int done = 0;
++      if (off >= reg->size)
++              return -EINVAL;
++
++      count = min_t(size_t, count, reg->size - off);
++
+       if (!reg->ioaddr) {
+               reg->ioaddr =
+                       ioremap(reg->addr, reg->size);
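Review bot: The clamp `count = min_t(size_t, count, reg->size - off)` at L652 and L663 silently shortens an out-of-range request instead of rejecting it, so a caller whose (off, count) straddles the region end gets a short read/write with no error; that mirrors file semantics, but it deserves a comment, e.g. `/* off was validated above; clamp count so the copy loop below never runs past reg->size */`. The types of `off` and `reg->size` are declared outside the hunk, so the `off >= reg->size` comparison needs confirming to be safe for a negative `off`. The bounds logic is identical in vfio_platform_read_mmio() and vfio_platform_write_mmio(); a small shared helper would keep the two from diverging. Both functions continue past their hunks.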