From: Greg Kroah-Hartman
Date: Thu, 30 Jan 2025 09:49:47 +0000 (+0100)
Subject: 6.1-stable patches
X-Git-Tag: v6.13.1~26
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0dd8b755fa4c1e5e8e1890c3aba388ef0ce31a21;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
block-fix-integer-overflow-in-blksecdiscard.patch
ext4-filesystems-without-casefold-feature-cannot-be-mounted-with-siphash.patch
ext4-fix-access-to-uninitialised-lock-in-fc-replay-path.patch
ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch
net-sched-fix-ets-qdisc-oob-indexing.patch
revert-hid-multitouch-add-support-for-lenovo-y9000p-touchpad.patch
scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch
vfio-platform-check-the-bounds-of-read-write-syscalls.patch
wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch
---
diff --git a/queue-6.1/block-fix-integer-overflow-in-blksecdiscard.patch b/queue-6.1/block-fix-integer-overflow-in-blksecdiscard.patch
new file mode 100644
index 0000000000..654db84110
--- /dev/null
+++ b/queue-6.1/block-fix-integer-overflow-in-blksecdiscard.patch
@@ -0,0 +1,71 @@
+From 697ba0b6ec4ae04afb67d3911799b5e2043b4455 Mon Sep 17 00:00:00 2001
+From: Alexey Dobriyan
+Date: Tue, 3 Sep 2024 22:48:19 +0300
+Subject: block: fix integer overflow in BLKSECDISCARD
+
+From: Alexey Dobriyan
+
+commit 697ba0b6ec4ae04afb67d3911799b5e2043b4455 upstream.
+
+I independently rediscovered
+
+ commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155
+ block: fix overflow in blk_ioctl_discard()
+
+but for secure erase.
+
+Same problem:
+
+ uint64_t r[2] = {512, 18446744073709551104ULL};
+ ioctl(fd, BLKSECDISCARD, r);
+
+will enter near infinite loop inside blkdev_issue_secure_erase():
+
+ a.out: attempt to access beyond end of device
+ loop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048
+ bio_check_eod: 3286214 callbacks suppressed
+
+Signed-off-by: Alexey Dobriyan
+Link: https://lore.kernel.org/r/9e64057f-650a-46d1-b9f7-34af391536ef@p183
+Signed-off-by: Jens Axboe
+Signed-off-by: Rajani Kantha
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/ioctl.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/block/ioctl.c
++++ b/block/ioctl.c
+@@ -115,7 +115,7 @@ static int blk_ioctl_discard(struct bloc
+ return -EINVAL;
+
+ filemap_invalidate_lock(inode->i_mapping);
+- err = truncate_bdev_range(bdev, mode, start, start + len - 1);
++ err = truncate_bdev_range(bdev, mode, start, end - 1);
+ if (err)
+ goto fail;
+ err = blkdev_issue_discard(bdev, start >> 9, len >> 9, GFP_KERNEL);
+@@ -127,7 +127,7 @@ fail:
+ static int blk_ioctl_secure_erase(struct block_device *bdev, fmode_t mode,
+ void __user *argp)
+ {
+- uint64_t start, len;
++ uint64_t start, len, end;
+ uint64_t range[2];
+ int err;
+
+@@ -142,11 +142,12 @@ static int blk_ioctl_secure_erase(struct
+ len = range[1];
+ if ((start & 511) || (len & 511))
+ return -EINVAL;
+- if (start + len > bdev_nr_bytes(bdev))
++ if (check_add_overflow(start, len, &end) ||
++ end > bdev_nr_bytes(bdev))
+ return -EINVAL;
+
+ filemap_invalidate_lock(bdev->bd_inode->i_mapping);
+- err = truncate_bdev_range(bdev, mode, start, start + len - 1);
++ err = truncate_bdev_range(bdev, mode, start, end - 1);
+ if (!err)
+ err = blkdev_issue_secure_erase(bdev, start >> 9, len >> 9,
+ GFP_KERNEL);
diff --git a/queue-6.1/ext4-filesystems-without-casefold-feature-cannot-be-mounted-with-siphash.patch b/queue-6.1/ext4-filesystems-without-casefold-feature-cannot-be-mounted-with-siphash.patch
new file mode 100644
index 0000000000..537f4c9a7b
--- /dev/null
+++ b/queue-6.1/ext4-filesystems-without-casefold-feature-cannot-be-mounted-with-siphash.patch
@@ -0,0 +1,38 @@
+From 985b67cd86392310d9e9326de941c22fc9340eec Mon Sep 17 00:00:00 2001
+From: Lizhi Xu
+Date: Wed, 5 Jun 2024 09:23:35 +0800
+Subject: ext4: filesystems without casefold feature cannot be mounted with siphash
+
+From: Lizhi Xu
+
+commit 985b67cd86392310d9e9326de941c22fc9340eec upstream.
+
+When mounting the ext4 filesystem, if the default hash version is set to
+DX_HASH_SIPHASH but the casefold feature is not set, exit the mounting.
+
+Reported-by: syzbot+340581ba9dceb7e06fb3@syzkaller.appspotmail.com
+Signed-off-by: Lizhi Xu
+Link: https://patch.msgid.link/20240605012335.44086-1-lizhi.xu@windriver.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Rajani Kantha
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/super.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3546,6 +3546,13 @@ int ext4_feature_set_ok(struct super_blo
+ return 0;
+ }
+ #endif
++ if (EXT4_SB(sb)->s_es->s_def_hash_version == DX_HASH_SIPHASH &&
++ !ext4_has_feature_casefold(sb)) {
++ ext4_msg(sb, KERN_ERR,
++ "Filesystem without casefold feature cannot be "
++ "mounted with siphash");
++ return 0;
++ }
+
+ if (readonly)
+ return 1;
diff --git a/queue-6.1/ext4-fix-access-to-uninitialised-lock-in-fc-replay-path.patch b/queue-6.1/ext4-fix-access-to-uninitialised-lock-in-fc-replay-path.patch
new file mode 100644
index 0000000000..4625f8d030
--- /dev/null
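Review bot: The blk_ioctl_discard() hunk (`@@ -115,7 +115,7 @@`) changes the truncate bound to `end - 1` but never declares or computes `end` in that function; this only compiles in 6.1 if the earlier fix the message cites, commit 22d24a544b0d ("block: fix overflow in blk_ioctl_discard()"), is already applied, so the queue order should be checked. The secure-erase hunk is self-contained: `check_add_overflow(start, len, &end)` rejects the wraparound and the same `end` feeds truncate_bdev_range(), which is the whole fix. A short comment above the check would keep the intent from being refactored away, e.g. `/* reject start+len wraparound before the range is used for truncate and erase */`. A zero-length request still passes both checks and reaches truncate_bdev_range() with `end - 1 == start - 1`; whether that is rejected earlier in the function is outside the hunk.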
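Review bot: The new rejection in ext4_feature_set_ok() has no comment saying why DX_HASH_SIPHASH without casefold must fail, and it compares the raw on-disk `s_def_hash_version` byte directly, so the reason will not be obvious to the next reader. Suggest above the `if`: `/* the siphash dirhash is only defined together with the casefold feature; refuse such a superblock rather than trust it */`. Because the check sits before `if (readonly) return 1;`, read-only mounts are refused as well, which looks intentional since directory lookups hash names regardless of mount mode. ext4_feature_set_ok() begins and ends outside the hunk.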
+++ b/queue-6.1/ext4-fix-access-to-uninitialised-lock-in-fc-replay-path.patch 
@@ -0,0 +1,78 @@
+From 23dfdb56581ad92a9967bcd720c8c23356af74c1 Mon Sep 17 00:00:00 2001
+From: "Luis Henriques (SUSE)"
+Date: Thu, 18 Jul 2024 10:43:56 +0100
+Subject: ext4: fix access to uninitialised lock in fc replay path
+
+From: Luis Henriques (SUSE)
+
+commit 23dfdb56581ad92a9967bcd720c8c23356af74c1 upstream.
+
+The following kernel trace can be triggered with fstest generic/629 when
+executed against a filesystem with fast-commit feature enabled:
+
+INFO: trying to register non-static key.
+The code is fine but needs lockdep annotation, or maybe
+you didn't initialize this object before use?
+turning off the locking correctness validator.
+CPU: 0 PID: 866 Comm: mount Not tainted 6.10.0+ #11
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014
+Call Trace:
+
+ dump_stack_lvl+0x66/0x90
+ register_lock_class+0x759/0x7d0
+ __lock_acquire+0x85/0x2630
+ ? __find_get_block+0xb4/0x380
+ lock_acquire+0xd1/0x2d0
+ ? __ext4_journal_get_write_access+0xd5/0x160
+ _raw_spin_lock+0x33/0x40
+ ? __ext4_journal_get_write_access+0xd5/0x160
+ __ext4_journal_get_write_access+0xd5/0x160
+ ext4_reserve_inode_write+0x61/0xb0
+ __ext4_mark_inode_dirty+0x79/0x270
+ ? ext4_ext_replay_set_iblocks+0x2f8/0x450
+ ext4_ext_replay_set_iblocks+0x330/0x450
+ ext4_fc_replay+0x14c8/0x1540
+ ? jread+0x88/0x2e0
+ ? rcu_is_watching+0x11/0x40
+ do_one_pass+0x447/0xd00
+ jbd2_journal_recover+0x139/0x1b0
+ jbd2_journal_load+0x96/0x390
+ ext4_load_and_init_journal+0x253/0xd40
+ ext4_fill_super+0x2cc6/0x3180
+...
+
+In the replay path there's an attempt to lock sbi->s_bdev_wb_lock in
+function ext4_check_bdev_write_error(). Unfortunately, at this point this
+spinlock has not been initialized yet. Moving it's initialization to an
+earlier point in __ext4_fill_super() fixes this splat.
+
+Signed-off-by: Luis Henriques (SUSE)
+Link: https://patch.msgid.link/20240718094356.7863-1-luis.henriques@linux.dev
+Signed-off-by: Theodore Ts'o
+Cc: stable@kernel.org
+Signed-off-by: Bruno VERNAY
+Signed-off-by: Victor Giraud
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/super.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -5264,6 +5264,8 @@ static int __ext4_fill_super(struct fs_c
+ INIT_LIST_HEAD(&sbi->s_orphan); /* unlinked but open files */
+ mutex_init(&sbi->s_orphan_lock);
+
++ spin_lock_init(&sbi->s_bdev_wb_lock);
++
+ ext4_fast_commit_init(sb);
+
+ sb->s_root = NULL;
+@@ -5514,7 +5516,6 @@ static int __ext4_fill_super(struct fs_c
+ * Save the original bdev mapping's wb_err value which could be
+ * used to detect the metadata async write error.
+ */
+- spin_lock_init(&sbi->s_bdev_wb_lock);
+ errseq_check_and_advance(&sb->s_bdev->bd_inode->i_mapping->wb_err,
+ &sbi->s_bdev_wb_err);
+ sb->s_bdev->bd_super = sb;
diff --git a/queue-6.1/ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch b/queue-6.1/ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch
new file mode 100644
index 0000000000..e0d1311600
--- /dev/null
+++ b/queue-6.1/ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch
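Review bot: The relocated `spin_lock_init(&sbi->s_bdev_wb_lock)` sits between the orphan-list setup and ext4_fast_commit_init() with nothing saying why it must be that early, so a later cleanup could move it back beside the errseq_check_and_advance() it pairs with and reintroduce the lockdep splat. Suggest a comment on the new line: `/* must be initialised before the journal is loaded: fast-commit replay takes this lock in ext4_check_bdev_write_error() */`. Both hunks lie inside __ext4_fill_super(), which starts and ends outside them.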
@@ -0,0 +1,74 @@
+From 90e0569dd3d32f4f4d2ca691d3fa5a8a14a13c12 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel
+Date: Wed, 23 Oct 2024 15:30:09 +0300
+Subject: ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find()
+
+From: Ido Schimmel
+
+commit 90e0569dd3d32f4f4d2ca691d3fa5a8a14a13c12 upstream.
+
+The per-netns IP tunnel hash table is protected by the RTNL mutex and
+ip_tunnel_find() is only called from the control path where the mutex is
+taken.
+
+Add a lockdep expression to hlist_for_each_entry_rcu() in
+ip_tunnel_find() in order to validate that the mutex is held and to
+silence the suspicious RCU usage warning [1].
+
+[1]
+WARNING: suspicious RCU usage
+6.12.0-rc3-custom-gd95d9a31aceb #139 Not tainted
+-----------------------------
+net/ipv4/ip_tunnel.c:221 RCU-list traversed in non-reader section!!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+1 lock held by ip/362:
+ #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60
+
+stack backtrace:
+CPU: 12 UID: 0 PID: 362 Comm: ip Not tainted 6.12.0-rc3-custom-gd95d9a31aceb #139
+Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+Call Trace:
+
+ dump_stack_lvl+0xba/0x110
+ lockdep_rcu_suspicious.cold+0x4f/0xd6
+ ip_tunnel_find+0x435/0x4d0
+ ip_tunnel_newlink+0x517/0x7a0
+ ipgre_newlink+0x14c/0x170
+ __rtnl_newlink+0x1173/0x19c0
+ rtnl_newlink+0x6c/0xa0
+ rtnetlink_rcv_msg+0x3cc/0xf60
+ netlink_rcv_skb+0x171/0x450
+ netlink_unicast+0x539/0x7f0
+ netlink_sendmsg+0x8c1/0xd80
+ ____sys_sendmsg+0x8f9/0xc20
+ ___sys_sendmsg+0x197/0x1e0
+ __sys_sendmsg+0x122/0x1f0
+ do_syscall_64+0xbb/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Suggested-by: Eric Dumazet
+Signed-off-by: Ido Schimmel
+Reviewed-by: Eric Dumazet
+Link: https://patch.msgid.link/20241023123009.749764-1-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Alva Lan
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ip_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -218,7 +218,7 @@ static struct ip_tunnel *ip_tunnel_find(
+ struct ip_tunnel *t = NULL;
+ struct hlist_head *head = ip_bucket(itn, parms);
+
+- hlist_for_each_entry_rcu(t, head, hash_node) {
++ hlist_for_each_entry_rcu(t, head, hash_node, lockdep_rtnl_is_held()) {
+ if (local == t->parms.iph.saddr &&
+ remote == t->parms.iph.daddr &&
+ link == READ_ONCE(t->parms.link) &&
diff --git a/queue-6.1/net-sched-fix-ets-qdisc-oob-indexing.patch b/queue-6.1/net-sched-fix-ets-qdisc-oob-indexing.patch
new file mode 100644
index 0000000000..33b543d472
--- /dev/null
+++ b/queue-6.1/net-sched-fix-ets-qdisc-oob-indexing.patch
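Review bot: `lockdep_rtnl_is_held()` expresses the locking rule only when lockdep list checking is enabled; as far as I can tell the condition is compiled out otherwise, so a reader of ip_tunnel_find() without lockdep still gets no hint that RTNL is required. A one-line comment above the loop keeps the contract visible: `/* control path only: the per-netns hash table is protected by RTNL here, not by an RCU read section */`. The remainder of ip_tunnel_find() is outside the hunk.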
@@ -0,0 +1,91 @@
+From d62b04fca4340a0d468d7853bd66e511935a18cb Mon Sep 17 00:00:00 2001
+From: Jamal Hadi Salim
+Date: Sat, 11 Jan 2025 09:57:39 -0500
+Subject: net: sched: fix ets qdisc OOB Indexing
+
+From: Jamal Hadi Salim
+
+commit d62b04fca4340a0d468d7853bd66e511935a18cb upstream.
+
+Haowei Yan found that ets_class_from_arg() can
+index an Out-Of-Bound class in ets_class_from_arg() when passed clid of
+0. The overflow may cause local privilege escalation.
+
+ [ 18.852298] ------------[ cut here ]------------
+ [ 18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20
+ [ 18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]'
+ [ 18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17
+ [ 18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+ [ 18.856532] Call Trace:
+ [ 18.857441]
+ [ 18.858227] dump_stack_lvl+0xc2/0xf0
+ [ 18.859607] dump_stack+0x10/0x20
+ [ 18.860908] __ubsan_handle_out_of_bounds+0xa7/0xf0
+ [ 18.864022] ets_class_change+0x3d6/0x3f0
+ [ 18.864322] tc_ctl_tclass+0x251/0x910
+ [ 18.864587] ? lock_acquire+0x5e/0x140
+ [ 18.865113] ? __mutex_lock+0x9c/0xe70
+ [ 18.866009] ? __mutex_lock+0xa34/0xe70
+ [ 18.866401] rtnetlink_rcv_msg+0x170/0x6f0
+ [ 18.866806] ? __lock_acquire+0x578/0xc10
+ [ 18.867184] ? __pfx_rtnetlink_rcv_msg+0x10/0x10
+ [ 18.867503] netlink_rcv_skb+0x59/0x110
+ [ 18.867776] rtnetlink_rcv+0x15/0x30
+ [ 18.868159] netlink_unicast+0x1c3/0x2b0
+ [ 18.868440] netlink_sendmsg+0x239/0x4b0
+ [ 18.868721] ____sys_sendmsg+0x3e2/0x410
+ [ 18.869012] ___sys_sendmsg+0x88/0xe0
+ [ 18.869276] ? rseq_ip_fixup+0x198/0x260
+ [ 18.869563] ? rseq_update_cpu_node_id+0x10a/0x190
+ [ 18.869900] ? trace_hardirqs_off+0x5a/0xd0
+ [ 18.870196] ? syscall_exit_to_user_mode+0xcc/0x220
+ [ 18.870547] ? do_syscall_64+0x93/0x150
+ [ 18.870821] ? __memcg_slab_free_hook+0x69/0x290
+ [ 18.871157] __sys_sendmsg+0x69/0xd0
+ [ 18.871416] __x64_sys_sendmsg+0x1d/0x30
+ [ 18.871699] x64_sys_call+0x9e2/0x2670
+ [ 18.871979] do_syscall_64+0x87/0x150
+ [ 18.873280] ? do_syscall_64+0x93/0x150
+ [ 18.874742] ? lock_release+0x7b/0x160
+ [ 18.876157] ? do_user_addr_fault+0x5ce/0x8f0
+ [ 18.877833] ? irqentry_exit_to_user_mode+0xc2/0x210
+ [ 18.879608] ? irqentry_exit+0x77/0xb0
+ [ 18.879808] ? clear_bhb_loop+0x15/0x70
+ [ 18.880023] ? clear_bhb_loop+0x15/0x70
+ [ 18.880223] ? clear_bhb_loop+0x15/0x70
+ [ 18.880426] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ [ 18.880683] RIP: 0033:0x44a957
+ [ 18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10
+ [ 18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ [ 18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957
+ [ 18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003
+ [ 18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0
+ [ 18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001
+ [ 18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001
+ [ 18.888395]
+ [ 18.888610] ---[ end trace ]---
+
+Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc")
+Reported-by: Haowei Yan
+Suggested-by: Haowei Yan
+Signed-off-by: Jamal Hadi Salim
+Reviewed-by: Eric Dumazet
+Reviewed-by: Petr Machata
+Link: https://patch.msgid.link/20250111145740.74755-1-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_ets.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/sched/sch_ets.c
++++ b/net/sched/sch_ets.c
+@@ -91,6 +91,8 @@ ets_class_from_arg(struct Qdisc *sch, un
+ {
+ struct ets_sched *q = qdisc_priv(sch);
+
++ if (arg == 0 || arg > q->nbands)
++ return NULL;
+ return &q->classes[arg - 1];
+ }
+
diff --git a/queue-6.1/revert-hid-multitouch-add-support-for-lenovo-y9000p-touchpad.patch b/queue-6.1/revert-hid-multitouch-add-support-for-lenovo-y9000p-touchpad.patch
new file mode 100644
index 0000000000..0e5d51b5ec
--- /dev/null
+++ b/queue-6.1/revert-hid-multitouch-add-support-for-lenovo-y9000p-touchpad.patch
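Review bot: ets_class_from_arg() can now return NULL, so every caller has to test the result before dereferencing it; the callers (the UBSAN trace names ets_class_change() as one) are outside the hunk and should be audited in the 6.1 tree, otherwise the fixed out-of-bounds index becomes a NULL dereference. Bounding by `q->nbands` rather than the array size is the tighter guard and matches the one-based class ids implied by `classes[arg - 1]`. A comment above the check would record that convention: `/* class ids are 1-based; 0 and anything above nbands do not name a class */`.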
@@ -0,0 +1,76 @@
+From 3d88ba86ba6f35a0467f25a88c38aa5639190d04 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina
+Date: Thu, 12 Dec 2024 09:53:10 +0100
+Subject: Revert "HID: multitouch: Add support for lenovo Y9000P Touchpad"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiri Kosina
+
+commit 3d88ba86ba6f35a0467f25a88c38aa5639190d04 upstream.
+
+This reverts commit 251efae73bd46b097deec4f9986d926813aed744.
+
+Quoting Wang Yuli:
+
+ "The 27C6:01E0 touchpad doesn't require the workaround and applying it
+ would actually break functionality.
+
+ The initial report came from a BBS forum, but we suspect the
+ information provided by the forum user may be incorrect which could
+ happen sometimes. [1]
+
+ Further investigation showed that the Lenovo Y9000P 2024 doesn't even
+ use a Goodix touchpad. [2]
+
+ For the broader issue of 27c6:01e0 being unusable on some devices, it
+ just need to address it with a libinput quirk.
+
+ In conclusion, we should revert this commit, which is the best
+ solution."
+
+Reported-by: Ulrich Müller
+Reported-by: WangYuli
+Link: https://lore.kernel.org/all/uikt4wwpw@gentoo.org/
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-ids.h | 1 -
+ drivers/hid/hid-multitouch.c | 8 ++------
+ 2 files changed, 2 insertions(+), 7 deletions(-)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -507,7 +507,6 @@
+ #define USB_DEVICE_ID_GENERAL_TOUCH_WIN8_PIT_E100 0xe100
+
+ #define I2C_VENDOR_ID_GOODIX 0x27c6
+-#define I2C_DEVICE_ID_GOODIX_01E0 0x01e0
+ #define I2C_DEVICE_ID_GOODIX_01E8 0x01e8
+ #define I2C_DEVICE_ID_GOODIX_01E9 0x01e9
+ #define I2C_DEVICE_ID_GOODIX_01F0 0x01f0
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -1447,8 +1447,7 @@ static __u8 *mt_report_fixup(struct hid_
+ {
+ if (hdev->vendor == I2C_VENDOR_ID_GOODIX &&
+ (hdev->product == I2C_DEVICE_ID_GOODIX_01E8 ||
+- hdev->product == I2C_DEVICE_ID_GOODIX_01E9 ||
+- hdev->product == I2C_DEVICE_ID_GOODIX_01E0)) {
++ hdev->product == I2C_DEVICE_ID_GOODIX_01E9)) {
+ if (rdesc[607] == 0x15) {
+ rdesc[607] = 0x25;
+ dev_info(
+@@ -2073,10 +2072,7 @@ static const struct hid_device_id mt_dev
+ I2C_DEVICE_ID_GOODIX_01E8) },
+ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT_NSMU,
+ HID_DEVICE(BUS_I2C, HID_GROUP_ANY, I2C_VENDOR_ID_GOODIX,
+- I2C_DEVICE_ID_GOODIX_01E9) },
+- { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT_NSMU,
+- HID_DEVICE(BUS_I2C, HID_GROUP_ANY, I2C_VENDOR_ID_GOODIX,
+- I2C_DEVICE_ID_GOODIX_01E0) },
++ I2C_DEVICE_ID_GOODIX_01E8) },
+
+ /* GoodTouch panels */
+ { .driver_data = MT_CLS_NSMU,
diff --git a/queue-6.1/scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch b/queue-6.1/scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch
new file mode 100644
index 0000000000..f282019d1b
--- /dev/null
+++ b/queue-6.1/scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch
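Review bot: The second hid-multitouch.c hunk (`@@ -2073,10 +2072,7 @@`) leaves mt_devices[] with two entries for I2C_DEVICE_ID_GOODIX_01E8 and none for I2C_DEVICE_ID_GOODIX_01E9: the context line above the change already closes a 01E8 entry, and the replacement line turns the next entry's id from 01E9 into 01E8 as well. mt_report_fixup() in the first hunk still matches I2C_DEVICE_ID_GOODIX_01E9, so after this revert a 01E9 device presumably no longer binds through this table entry while the fixup code for it remains. If the pre-revert tree really carried the duplicate 01E8 entry (a byte-faithful revert would reproduce it), a follow-up that changes that line to `I2C_DEVICE_ID_GOODIX_01E9) },` should be queued alongside.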
@@ -0,0 +1,48 @@
+From d2138eab8cde61e0e6f62d0713e45202e8457d6d Mon Sep 17 00:00:00 2001
+From: Easwar Hariharan
+Date: Tue, 7 Jan 2025 17:28:40 +0000
+Subject: scsi: storvsc: Ratelimit warning logs to prevent VM denial of service
+
+From: Easwar Hariharan
+
+commit d2138eab8cde61e0e6f62d0713e45202e8457d6d upstream.
+
+If there's a persistent error in the hypervisor, the SCSI warning for
+failed I/O can flood the kernel log and max out CPU utilization,
+preventing troubleshooting from the VM side. Ratelimit the warning so
+it doesn't DoS the VM.
+
+Closes: https://github.com/microsoft/WSL/issues/9173
+Signed-off-by: Easwar Hariharan
+Link: https://lore.kernel.org/r/20250107-eahariha-ratelimit-storvsc-v1-1-7fc193d1f2b0@linux.microsoft.com
+Reviewed-by: Michael Kelley
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/storvsc_drv.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -171,6 +171,12 @@ do { \
+ dev_warn(&(dev)->device, fmt, ##__VA_ARGS__); \
+ } while (0)
+
++#define storvsc_log_ratelimited(dev, level, fmt, ...) \
++do { \
++ if (do_logging(level)) \
++ dev_warn_ratelimited(&(dev)->device, fmt, ##__VA_ARGS__); \
++} while (0)
++
+ struct vmscsi_request {
+ u16 length;
+ u8 srb_status;
+@@ -1168,7 +1174,7 @@ static void storvsc_on_io_completion(str
+ int loglevel = (stor_pkt->vm_srb.cdb[0] == TEST_UNIT_READY) ?
+ STORVSC_LOGGING_WARN : STORVSC_LOGGING_ERROR;
+
+- storvsc_log(device, loglevel,
++ storvsc_log_ratelimited(device, loglevel,
+ "tag#%d cmd 0x%x status: scsi 0x%x srb 0x%x hv 0x%x\n",
+ scsi_cmd_to_rq(request->cmd)->tag,
+ stor_pkt->vm_srb.cdb[0],
diff --git a/queue-6.1/series b/queue-6.1/series
index 0215d0c254..6818d9d5bd 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
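Review bot: The new storvsc_log_ratelimited() macro carries no comment, and the limit it applies is the per-call-site state inside dev_warn_ratelimited(), so a burst of genuine I/O failures at that line is suppressed together with the hypervisor flood; the trade-off is deliberate but worth stating at the macro, e.g. `/* per-call-site ratelimit: repeated lines are dropped, genuine errors included, to keep a persistent host fault from flooding the log */`. Like storvsc_log() above it, the macro always prints at warn priority whatever `level` is; `level` only decides whether the line is emitted at all. The storvsc_on_io_completion() hunk starts and ends inside that function.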
@@ -30,3 +30,12 @@ xfs-clean-up-fs_xflag_realtime-handling-in-xfs_ioctl_setattr_xflags.patch
 xfs-respect-the-stable-writes-flag-on-the-rt-device.patch
 gfs2-truncate-address-space-when-flipping-gfs2_dif_jdata-flag.patch
 io_uring-fix-waiters-missing-wake-ups.patch
+net-sched-fix-ets-qdisc-oob-indexing.patch
+block-fix-integer-overflow-in-blksecdiscard.patch
+revert-hid-multitouch-add-support-for-lenovo-y9000p-touchpad.patch
+vfio-platform-check-the-bounds-of-read-write-syscalls.patch
+ext4-fix-access-to-uninitialised-lock-in-fc-replay-path.patch
+ext4-filesystems-without-casefold-feature-cannot-be-mounted-with-siphash.patch
+ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch
+scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch
+wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch
diff --git a/queue-6.1/vfio-platform-check-the-bounds-of-read-write-syscalls.patch b/queue-6.1/vfio-platform-check-the-bounds-of-read-write-syscalls.patch
new file mode 100644
index 0000000000..5d85433086
--- /dev/null
+++ b/queue-6.1/vfio-platform-check-the-bounds-of-read-write-syscalls.patch
@@ -0,0 +1,54 @@
+From ce9ff21ea89d191e477a02ad7eabf4f996b80a69 Mon Sep 17 00:00:00 2001
+From: Alex Williamson
+Date: Wed, 22 Jan 2025 10:38:30 -0700
+Subject: vfio/platform: check the bounds of read/write syscalls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Williamson
+
+commit ce9ff21ea89d191e477a02ad7eabf4f996b80a69 upstream.
+
+count and offset are passed from user space and not checked, only
+offset is capped to 40 bits, which can be used to read/write out of
+bounds of the device.
+
+Fixes: 6e3f26456009 (“vfio/platform: read and write support for the device fd”)
+Cc: stable@vger.kernel.org
+Reported-by: Mostafa Saleh
+Reviewed-by: Eric Auger
+Reviewed-by: Mostafa Saleh
+Tested-by: Mostafa Saleh
+Signed-off-by: Alex Williamson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vfio/platform/vfio_platform_common.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/vfio/platform/vfio_platform_common.c
++++ b/drivers/vfio/platform/vfio_platform_common.c
+@@ -391,6 +391,11 @@ static ssize_t vfio_platform_read_mmio(s
+ {
+ unsigned int done = 0;
+
++ if (off >= reg->size)
++ return -EINVAL;
++
++ count = min_t(size_t, count, reg->size - off);
++
+ if (!reg->ioaddr) {
+ reg->ioaddr =
+ ioremap(reg->addr, reg->size);
+@@ -470,6 +475,11 @@ static ssize_t vfio_platform_write_mmio(
+ {
+ unsigned int done = 0;
+
++ if (off >= reg->size)
++ return -EINVAL;
++
++ count = min_t(size_t, count, reg->size - off);
++
+ if (!reg->ioaddr) {
+ reg->ioaddr =
+ ioremap(reg->addr, reg->size);
diff --git a/queue-6.1/wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch b/queue-6.1/wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch
new file mode 100644
index 0000000000..b90d351f9e
--- /dev/null
+++ b/queue-6.1/wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch
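Review bot: The same two guards are added verbatim to vfio_platform_read_mmio() and vfio_platform_write_mmio(), and neither says that `off` arrives pre-masked (the message describes a 40-bit cap in the caller) or that clamping rather than rejecting `count` is the intent; a shared comment, or a small static helper, would keep the two copies from drifting: `/* off is pre-masked by the caller; clamp count so the loop below cannot run past reg->size */`. Clamping yields a short read/write, which matches read(2)/write(2) semantics, so a user-space caller must loop on the returned length rather than assume a full transfer. Both function bodies continue beyond the hunks.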
@@ -0,0 +1,75 @@
+From efbe8f81952fe469d38655744627d860879dcde8 Mon Sep 17 00:00:00 2001
+From: Anjaneyulu
+Date: Wed, 14 Jun 2023 12:41:37 +0300
+Subject: wifi: iwlwifi: add a few rate index validity checks
+
+From: Anjaneyulu
+
+commit efbe8f81952fe469d38655744627d860879dcde8 upstream.
+
+Validate index before access iwl_rate_mcs to keep rate->index
+inside the valid boundaries. Use MCS_0_INDEX if index is less
+than MCS_0_INDEX and MCS_9_INDEX if index is greater then
+MCS_9_INDEX.
+
+Signed-off-by: Anjaneyulu
+Signed-off-by: Gregory Greenman
+Link: https://lore.kernel.org/r/20230614123447.79f16b3aef32.If1137f894775d6d07b78cbf3a6163ffce6399507@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 9 ++++++---
+ drivers/net/wireless/intel/iwlwifi/mvm/rs.c | 9 ++++++---
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
++++ b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
+@@ -2,7 +2,7 @@
+ /******************************************************************************
+ *
+ * Copyright(c) 2005 - 2014 Intel Corporation. All rights reserved.
+- * Copyright (C) 2019 - 2020, 2022 Intel Corporation
++ * Copyright (C) 2019 - 2020, 2022 - 2023 Intel Corporation
+ *****************************************************************************/
+ #include
+ #include
+@@ -125,7 +125,7 @@ static int iwl_hwrate_to_plcp_idx(u32 ra
+ return idx;
+ }
+
+- return -1;
++ return IWL_RATE_INVALID;
+ }
+
+ static void rs_rate_scale_perform(struct iwl_priv *priv,
+@@ -3146,7 +3146,10 @@ static ssize_t rs_sta_dbgfs_scale_table_
+ for (i = 0; i < LINK_QUAL_MAX_RETRY_NUM; i++) {
+ index = iwl_hwrate_to_plcp_idx(
+ le32_to_cpu(lq_sta->lq.rs_table[i].rate_n_flags));
+- if (is_legacy(tbl->lq_type)) {
++ if (index == IWL_RATE_INVALID) {
++ desc += sprintf(buff + desc, " rate[%d] 0x%X invalid rate\n",
++ i, le32_to_cpu(lq_sta->lq.rs_table[i].rate_n_flags));
++ } else if (is_legacy(tbl->lq_type)) {
+ desc += sprintf(buff+desc, " rate[%d] 0x%X %smbps\n",
+ i, le32_to_cpu(lq_sta->lq.rs_table[i].rate_n_flags),
+ iwl_rate_mcs[index].mbps);
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
+@@ -1072,10 +1072,13 @@ static void rs_get_lower_rate_down_colum
+
+ rate->bw = RATE_MCS_CHAN_WIDTH_20;
+
+- WARN_ON_ONCE(rate->index < IWL_RATE_MCS_0_INDEX ||
+- rate->index > IWL_RATE_MCS_9_INDEX);
++ if (WARN_ON_ONCE(rate->index < IWL_RATE_MCS_0_INDEX))
++ rate->index = rs_ht_to_legacy[IWL_RATE_MCS_0_INDEX];
++ else if (WARN_ON_ONCE(rate->index > IWL_RATE_MCS_9_INDEX))
++ rate->index = rs_ht_to_legacy[IWL_RATE_MCS_9_INDEX];
++ else
++ rate->index = rs_ht_to_legacy[rate->index];
+
+- rate->index = rs_ht_to_legacy[rate->index];
+ rate->ldpc = false;
+ } else {
+ /* Downgrade to SISO with same MCS if in MIMO */
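Review bot: In dvm/rs.c iwl_hwrate_to_plcp_idx() now returns IWL_RATE_INVALID instead of -1, so any other caller in the 6.1 tree that tests the result with `< 0` (none are visible in the hunk) would stop detecting the invalid case if IWL_RATE_INVALID is a non-negative enumerator; those callers should be audited. The added `desc += sprintf(buff + desc, ...)` follows the unbounded pattern already used in rs_sta_dbgfs_scale_table_read(); if `buff` is a fixed-size allocation (not visible here) the new line would be safer as `desc += scnprintf(buff + desc, BUFSZ - desc, ...)` with BUFSZ standing for the buffer's real size expression. In mvm/rs.c the clamp to rs_ht_to_legacy[MCS_0] / [MCS_9] is sound, but a comment on the first WARN_ON_ONCE branch noting that the index is clamped instead of bailing out because the caller keeps using `rate->index` would help; rs_get_lower_rate_down_column() starts and ends outside the hunk.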