From: Greg Kroah-Hartman Date: Thu, 30 Jan 2025 09:49:37 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v6.13.1~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5b7ba133315ae3873bcf2485e1da28e2d1c4607d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch bluetooth-sco-fix-not-validating-setsockopt-user-input.patch fs-ntfs3-additional-check-in-ntfs_file_release.patch ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch net-sched-fix-ets-qdisc-oob-indexing.patch platform-chrome-cros_ec_typec-check-for-ec-driver.patch scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch vfio-platform-check-the-bounds-of-read-write-syscalls.patch wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch --- diff --git a/queue-5.15/bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch b/queue-5.15/bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch new file mode 100644 index 0000000000..ea566746dd --- /dev/null +++ b/queue-5.15/bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch @@ -0,0 +1,80 @@ +From a97de7bff13b1cc825c1b1344eaed8d6c2d3e695 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Fri, 5 Apr 2024 15:43:45 -0400 +Subject: Bluetooth: RFCOMM: Fix not validating setsockopt user input + +From: Luiz Augusto von Dentz + +commit a97de7bff13b1cc825c1b1344eaed8d6c2d3e695 upstream. + +syzbot reported rfcomm_sock_setsockopt_old() is copying data without +checking user input length. + +BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset +include/linux/sockptr.h:49 [inline] +BUG: KASAN: slab-out-of-bounds in copy_from_sockptr +include/linux/sockptr.h:55 [inline] +BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old +net/bluetooth/rfcomm/sock.c:632 [inline] +BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 +net/bluetooth/rfcomm/sock.c:673 +Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064 + +Fixes: 9f2c8a03fbb3 ("Bluetooth: Replace RFCOMM link mode with security level") +Fixes: bb23c0ab8246 ("Bluetooth: Add support for deferring RFCOMM connection setup") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +Signed-off-by: Keerthana K +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/rfcomm/sock.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -636,7 +636,7 @@ static int rfcomm_sock_setsockopt_old(st + + switch (optname) { + case RFCOMM_LM: +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { ++ if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) { + err = -EFAULT; + break; + } +@@ -671,7 +671,6 @@ static int rfcomm_sock_setsockopt(struct + struct sock *sk = sock->sk; + struct bt_security sec; + int err = 0; +- size_t len; + u32 opt; + + BT_DBG("sk %p", sk); +@@ -693,11 +692,9 @@ static int rfcomm_sock_setsockopt(struct + + sec.level = BT_SECURITY_LOW; + +- len = min_t(unsigned int, sizeof(sec), optlen); +- if (copy_from_sockptr(&sec, optval, len)) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen); ++ if (err) + break; +- } + + if (sec.level > BT_SECURITY_HIGH) { + err = -EINVAL; +@@ -713,10 +710,9 @@ static int rfcomm_sock_setsockopt(struct + break; + } + +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt) + set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); diff --git a/queue-5.15/bluetooth-sco-fix-not-validating-setsockopt-user-input.patch b/queue-5.15/bluetooth-sco-fix-not-validating-setsockopt-user-input.patch new file mode 100644 index 0000000000..a0c2a9ec34 --- /dev/null +++ b/queue-5.15/bluetooth-sco-fix-not-validating-setsockopt-user-input.patch @@ -0,0 +1,105 @@ +From 51eda36d33e43201e7a4fd35232e069b2c850b01 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Fri, 5 Apr 2024 15:41:52 -0400 +Subject: Bluetooth: SCO: Fix not validating setsockopt user input + +From: Luiz Augusto von Dentz + +commit 51eda36d33e43201e7a4fd35232e069b2c850b01 upstream. + +syzbot reported sco_sock_setsockopt() is copying data without +checking user input length. + +BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset +include/linux/sockptr.h:49 [inline] +BUG: KASAN: slab-out-of-bounds in copy_from_sockptr +include/linux/sockptr.h:55 [inline] +BUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90 +net/bluetooth/sco.c:893 +Read of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578 + +Fixes: ad10b1a48754 ("Bluetooth: Add Bluetooth socket voice option") +Fixes: b96e9c671b05 ("Bluetooth: Add BT_DEFER_SETUP option to sco socket") +Fixes: 00398e1d5183 ("Bluetooth: Add support for BT_PKT_STATUS CMSG data for SCO connections") +Fixes: f6873401a608 ("Bluetooth: Allow setting of codec for HFP offload use case") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +Signed-off-by: Keerthana K +Signed-off-by: Greg Kroah-Hartman +--- + include/net/bluetooth/bluetooth.h | 9 +++++++++ + net/bluetooth/sco.c | 19 ++++++++----------- + 2 files changed, 17 insertions(+), 11 deletions(-) + +--- a/include/net/bluetooth/bluetooth.h ++++ b/include/net/bluetooth/bluetooth.h +@@ -487,6 +487,15 @@ static inline struct sk_buff *bt_skb_sen + return skb; + } + ++static inline int bt_copy_from_sockptr(void *dst, size_t dst_size, ++ sockptr_t src, size_t src_size) ++{ ++ if (dst_size > src_size) ++ return -EINVAL; ++ ++ return copy_from_sockptr(dst, src, dst_size); ++} ++ + int bt_to_errno(u16 code); + + void hci_sock_set_flag(struct sock *sk, int nr); +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -829,7 +829,7 @@ static int sco_sock_setsockopt(struct so + sockptr_t optval, unsigned int optlen) + { + struct sock *sk = sock->sk; +- int len, err = 0; ++ int err = 0; + struct bt_voice voice; + u32 opt; + +@@ -845,10 +845,9 @@ static int sco_sock_setsockopt(struct so + break; + } + +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt) + set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); +@@ -865,11 +864,10 @@ static int sco_sock_setsockopt(struct so + + voice.setting = sco_pi(sk)->setting; + +- len = min_t(unsigned int, sizeof(voice), optlen); +- if (copy_from_sockptr(&voice, optval, len)) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&voice, sizeof(voice), optval, ++ optlen); ++ if (err) + break; +- } + + /* Explicitly check for these values */ + if (voice.setting != BT_VOICE_TRANSPARENT && +@@ -882,10 +880,9 @@ static int sco_sock_setsockopt(struct so + break; + + case BT_PKT_STATUS: +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt) + sco_pi(sk)->cmsg_mask |= SCO_CMSG_PKT_STATUS; diff --git a/queue-5.15/fs-ntfs3-additional-check-in-ntfs_file_release.patch b/queue-5.15/fs-ntfs3-additional-check-in-ntfs_file_release.patch new file mode 100644 index 0000000000..c9e7ab8e1f --- /dev/null +++ b/queue-5.15/fs-ntfs3-additional-check-in-ntfs_file_release.patch @@ -0,0 +1,40 @@ +From 031d6f608290c847ba6378322d0986d08d1a645a Mon Sep 17 00:00:00 2001 +From: Konstantin Komarov +Date: Wed, 4 Sep 2024 12:57:31 +0300 +Subject: fs/ntfs3: Additional check in ntfs_file_release + +From: Konstantin Komarov + +commit 031d6f608290c847ba6378322d0986d08d1a645a upstream. + +Reported-by: syzbot+8c652f14a0fde76ff11d@syzkaller.appspotmail.com +Signed-off-by: Konstantin Komarov +Signed-off-by: Bin Lan +Signed-off-by: Sasha Levin +Signed-off-by: Suraj Jitindar Singh +Signed-off-by: Greg Kroah-Hartman +--- + fs/ntfs3/file.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/fs/ntfs3/file.c ++++ b/fs/ntfs3/file.c +@@ -1192,8 +1192,16 @@ static int ntfs_file_release(struct inod + int err = 0; + + /* If we are last writer on the inode, drop the block reservation. */ +- if (sbi->options->prealloc && ((file->f_mode & FMODE_WRITE) && +- atomic_read(&inode->i_writecount) == 1)) { ++ if (sbi->options->prealloc && ++ ((file->f_mode & FMODE_WRITE) && ++ atomic_read(&inode->i_writecount) == 1) ++ /* ++ * The only file when inode->i_fop = &ntfs_file_operations and ++ * init_rwsem(&ni->file.run_lock) is not called explicitly is MFT. ++ * ++ * Add additional check here. ++ */ ++ && inode->i_ino != MFT_REC_MFT) { + ni_lock(ni); + down_write(&ni->file.run_lock); + diff --git a/queue-5.15/ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch b/queue-5.15/ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch new file mode 100644 index 0000000000..293891ec08 --- /dev/null +++ b/queue-5.15/ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch @@ -0,0 +1,74 @@ +From 90e0569dd3d32f4f4d2ca691d3fa5a8a14a13c12 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Wed, 23 Oct 2024 15:30:09 +0300 +Subject: ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find() + +From: Ido Schimmel + +commit 90e0569dd3d32f4f4d2ca691d3fa5a8a14a13c12 upstream. + +The per-netns IP tunnel hash table is protected by the RTNL mutex and +ip_tunnel_find() is only called from the control path where the mutex is +taken. + +Add a lockdep expression to hlist_for_each_entry_rcu() in +ip_tunnel_find() in order to validate that the mutex is held and to +silence the suspicious RCU usage warning [1]. + +[1] +WARNING: suspicious RCU usage +6.12.0-rc3-custom-gd95d9a31aceb #139 Not tainted +----------------------------- +net/ipv4/ip_tunnel.c:221 RCU-list traversed in non-reader section!! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +1 lock held by ip/362: + #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60 + +stack backtrace: +CPU: 12 UID: 0 PID: 362 Comm: ip Not tainted 6.12.0-rc3-custom-gd95d9a31aceb #139 +Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 +Call Trace: + + dump_stack_lvl+0xba/0x110 + lockdep_rcu_suspicious.cold+0x4f/0xd6 + ip_tunnel_find+0x435/0x4d0 + ip_tunnel_newlink+0x517/0x7a0 + ipgre_newlink+0x14c/0x170 + __rtnl_newlink+0x1173/0x19c0 + rtnl_newlink+0x6c/0xa0 + rtnetlink_rcv_msg+0x3cc/0xf60 + netlink_rcv_skb+0x171/0x450 + netlink_unicast+0x539/0x7f0 + netlink_sendmsg+0x8c1/0xd80 + ____sys_sendmsg+0x8f9/0xc20 + ___sys_sendmsg+0x197/0x1e0 + __sys_sendmsg+0x122/0x1f0 + do_syscall_64+0xbb/0x1d0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") +Suggested-by: Eric Dumazet +Signed-off-by: Ido Schimmel +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241023123009.749764-1-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Alva Lan +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_tunnel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -218,7 +218,7 @@ static struct ip_tunnel *ip_tunnel_find( + struct ip_tunnel *t = NULL; + struct hlist_head *head = ip_bucket(itn, parms); + +- hlist_for_each_entry_rcu(t, head, hash_node) { ++ hlist_for_each_entry_rcu(t, head, hash_node, lockdep_rtnl_is_held()) { + if (local == t->parms.iph.saddr && + remote == t->parms.iph.daddr && + link == t->parms.link && diff --git a/queue-5.15/net-sched-fix-ets-qdisc-oob-indexing.patch b/queue-5.15/net-sched-fix-ets-qdisc-oob-indexing.patch new file mode 100644 index 0000000000..33b543d472 --- /dev/null +++ b/queue-5.15/net-sched-fix-ets-qdisc-oob-indexing.patch @@ -0,0 +1,91 @@ +From d62b04fca4340a0d468d7853bd66e511935a18cb Mon Sep 17 00:00:00 2001 +From: Jamal Hadi Salim +Date: Sat, 11 Jan 2025 09:57:39 -0500 +Subject: net: sched: fix ets qdisc OOB Indexing + +From: Jamal Hadi Salim + +commit d62b04fca4340a0d468d7853bd66e511935a18cb upstream. + +Haowei Yan found that ets_class_from_arg() can +index an Out-Of-Bound class in ets_class_from_arg() when passed clid of +0. The overflow may cause local privilege escalation. + + [ 18.852298] ------------[ cut here ]------------ + [ 18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20 + [ 18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]' + [ 18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17 + [ 18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 + [ 18.856532] Call Trace: + [ 18.857441] + [ 18.858227] dump_stack_lvl+0xc2/0xf0 + [ 18.859607] dump_stack+0x10/0x20 + [ 18.860908] __ubsan_handle_out_of_bounds+0xa7/0xf0 + [ 18.864022] ets_class_change+0x3d6/0x3f0 + [ 18.864322] tc_ctl_tclass+0x251/0x910 + [ 18.864587] ? lock_acquire+0x5e/0x140 + [ 18.865113] ? __mutex_lock+0x9c/0xe70 + [ 18.866009] ? __mutex_lock+0xa34/0xe70 + [ 18.866401] rtnetlink_rcv_msg+0x170/0x6f0 + [ 18.866806] ? __lock_acquire+0x578/0xc10 + [ 18.867184] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 + [ 18.867503] netlink_rcv_skb+0x59/0x110 + [ 18.867776] rtnetlink_rcv+0x15/0x30 + [ 18.868159] netlink_unicast+0x1c3/0x2b0 + [ 18.868440] netlink_sendmsg+0x239/0x4b0 + [ 18.868721] ____sys_sendmsg+0x3e2/0x410 + [ 18.869012] ___sys_sendmsg+0x88/0xe0 + [ 18.869276] ? rseq_ip_fixup+0x198/0x260 + [ 18.869563] ? rseq_update_cpu_node_id+0x10a/0x190 + [ 18.869900] ? trace_hardirqs_off+0x5a/0xd0 + [ 18.870196] ? syscall_exit_to_user_mode+0xcc/0x220 + [ 18.870547] ? do_syscall_64+0x93/0x150 + [ 18.870821] ? __memcg_slab_free_hook+0x69/0x290 + [ 18.871157] __sys_sendmsg+0x69/0xd0 + [ 18.871416] __x64_sys_sendmsg+0x1d/0x30 + [ 18.871699] x64_sys_call+0x9e2/0x2670 + [ 18.871979] do_syscall_64+0x87/0x150 + [ 18.873280] ? do_syscall_64+0x93/0x150 + [ 18.874742] ? lock_release+0x7b/0x160 + [ 18.876157] ? do_user_addr_fault+0x5ce/0x8f0 + [ 18.877833] ? irqentry_exit_to_user_mode+0xc2/0x210 + [ 18.879608] ? irqentry_exit+0x77/0xb0 + [ 18.879808] ? clear_bhb_loop+0x15/0x70 + [ 18.880023] ? clear_bhb_loop+0x15/0x70 + [ 18.880223] ? clear_bhb_loop+0x15/0x70 + [ 18.880426] entry_SYSCALL_64_after_hwframe+0x76/0x7e + [ 18.880683] RIP: 0033:0x44a957 + [ 18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10 + [ 18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e + [ 18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957 + [ 18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003 + [ 18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0 + [ 18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001 + [ 18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001 + [ 18.888395] + [ 18.888610] ---[ end trace ]--- + +Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc") +Reported-by: Haowei Yan +Suggested-by: Haowei Yan +Signed-off-by: Jamal Hadi Salim +Reviewed-by: Eric Dumazet +Reviewed-by: Petr Machata +Link: https://patch.msgid.link/20250111145740.74755-1-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_ets.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/sched/sch_ets.c ++++ b/net/sched/sch_ets.c +@@ -91,6 +91,8 @@ ets_class_from_arg(struct Qdisc *sch, un + { + struct ets_sched *q = qdisc_priv(sch); + ++ if (arg == 0 || arg > q->nbands) ++ return NULL; + return &q->classes[arg - 1]; + } + diff --git a/queue-5.15/platform-chrome-cros_ec_typec-check-for-ec-driver.patch b/queue-5.15/platform-chrome-cros_ec_typec-check-for-ec-driver.patch new file mode 100644 index 0000000000..e376c62dd3 --- /dev/null +++ b/queue-5.15/platform-chrome-cros_ec_typec-check-for-ec-driver.patch @@ -0,0 +1,34 @@ +From 7464ff8bf2d762251b9537863db0e1caf9b0e402 Mon Sep 17 00:00:00 2001 +From: Akihiko Odaki +Date: Mon, 4 Apr 2022 13:11:01 +0900 +Subject: platform/chrome: cros_ec_typec: Check for EC driver + +From: Akihiko Odaki + +commit 7464ff8bf2d762251b9537863db0e1caf9b0e402 upstream. + +The EC driver may not be initialized when cros_typec_probe is called, +particulary when CONFIG_CROS_EC_CHARDEV=m. + +Signed-off-by: Akihiko Odaki +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20220404041101.6276-1-akihiko.odaki@gmail.com +Signed-off-by: Prashant Malani +Signed-off-by: Laura Nao +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/chrome/cros_ec_typec.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/platform/chrome/cros_ec_typec.c ++++ b/drivers/platform/chrome/cros_ec_typec.c +@@ -1123,6 +1123,9 @@ static int cros_typec_probe(struct platf + } + + ec_dev = dev_get_drvdata(&typec->ec->ec->dev); ++ if (!ec_dev) ++ return -EPROBE_DEFER; ++ + typec->typec_cmd_supported = !!cros_ec_check_features(ec_dev, EC_FEATURE_TYPEC_CMD); + typec->needs_mux_ack = !!cros_ec_check_features(ec_dev, + EC_FEATURE_TYPEC_MUX_REQUIRE_AP_ACK); diff --git a/queue-5.15/scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch b/queue-5.15/scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch new file mode 100644 index 0000000000..e3e6c99f80 --- /dev/null +++ b/queue-5.15/scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch @@ -0,0 +1,48 @@ +From d2138eab8cde61e0e6f62d0713e45202e8457d6d Mon Sep 17 00:00:00 2001 +From: Easwar Hariharan +Date: Tue, 7 Jan 2025 17:28:40 +0000 +Subject: scsi: storvsc: Ratelimit warning logs to prevent VM denial of service + +From: Easwar Hariharan + +commit d2138eab8cde61e0e6f62d0713e45202e8457d6d upstream. + +If there's a persistent error in the hypervisor, the SCSI warning for +failed I/O can flood the kernel log and max out CPU utilization, +preventing troubleshooting from the VM side. Ratelimit the warning so +it doesn't DoS the VM. + +Closes: https://github.com/microsoft/WSL/issues/9173 +Signed-off-by: Easwar Hariharan +Link: https://lore.kernel.org/r/20250107-eahariha-ratelimit-storvsc-v1-1-7fc193d1f2b0@linux.microsoft.com +Reviewed-by: Michael Kelley +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/storvsc_drv.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -189,6 +189,12 @@ struct vmscsi_win8_extension { + u32 queue_sort_ey; + } __packed; + ++#define storvsc_log_ratelimited(dev, level, fmt, ...) \ ++do { \ ++ if (do_logging(level)) \ ++ dev_warn_ratelimited(&(dev)->device, fmt, ##__VA_ARGS__); \ ++} while (0) ++ + struct vmscsi_request { + u16 length; + u8 srb_status; +@@ -1231,7 +1237,7 @@ static void storvsc_on_io_completion(str + int loglevel = (stor_pkt->vm_srb.cdb[0] == TEST_UNIT_READY) ? + STORVSC_LOGGING_WARN : STORVSC_LOGGING_ERROR; + +- storvsc_log(device, loglevel, ++ storvsc_log_ratelimited(device, loglevel, + "tag#%d cmd 0x%x status: scsi 0x%x srb 0x%x hv 0x%x\n", + scsi_cmd_to_rq(request->cmd)->tag, + stor_pkt->vm_srb.cdb[0], diff --git a/queue-5.15/series b/queue-5.15/series index 15fcf1f5c3..11bcdff589 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -7,3 +7,12 @@ asoc-samsung-add-missing-depends-on-i2c.patch regmap-detach-regmap-from-dev-on-regmap_exit.patch mptcp-don-t-always-assume-copied-data-in-mptcp_cleanup_rbuf.patch gfs2-truncate-address-space-when-flipping-gfs2_dif_jdata-flag.patch +net-sched-fix-ets-qdisc-oob-indexing.patch +vfio-platform-check-the-bounds-of-read-write-syscalls.patch +bluetooth-sco-fix-not-validating-setsockopt-user-input.patch +bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch +fs-ntfs3-additional-check-in-ntfs_file_release.patch +platform-chrome-cros_ec_typec-check-for-ec-driver.patch +ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch +scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch +wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch diff --git a/queue-5.15/vfio-platform-check-the-bounds-of-read-write-syscalls.patch b/queue-5.15/vfio-platform-check-the-bounds-of-read-write-syscalls.patch new file mode 100644 index 0000000000..3b213ac3c4 --- /dev/null +++ b/queue-5.15/vfio-platform-check-the-bounds-of-read-write-syscalls.patch @@ -0,0 +1,54 @@ +From ce9ff21ea89d191e477a02ad7eabf4f996b80a69 Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Wed, 22 Jan 2025 10:38:30 -0700 +Subject: vfio/platform: check the bounds of read/write syscalls +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Williamson + +commit ce9ff21ea89d191e477a02ad7eabf4f996b80a69 upstream. + +count and offset are passed from user space and not checked, only +offset is capped to 40 bits, which can be used to read/write out of +bounds of the device. + +Fixes: 6e3f26456009 (“vfio/platform: read and write support for the device fd”) +Cc: stable@vger.kernel.org +Reported-by: Mostafa Saleh +Reviewed-by: Eric Auger +Reviewed-by: Mostafa Saleh +Tested-by: Mostafa Saleh +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vfio/platform/vfio_platform_common.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/vfio/platform/vfio_platform_common.c ++++ b/drivers/vfio/platform/vfio_platform_common.c +@@ -388,6 +388,11 @@ static ssize_t vfio_platform_read_mmio(s + { + unsigned int done = 0; + ++ if (off >= reg->size) ++ return -EINVAL; ++ ++ count = min_t(size_t, count, reg->size - off); ++ + if (!reg->ioaddr) { + reg->ioaddr = + ioremap(reg->addr, reg->size); +@@ -466,6 +471,11 @@ static ssize_t vfio_platform_write_mmio( + { + unsigned int done = 0; + ++ if (off >= reg->size) ++ return -EINVAL; ++ ++ count = min_t(size_t, count, reg->size - off); ++ + if (!reg->ioaddr) { + reg->ioaddr = + ioremap(reg->addr, reg->size); diff --git a/queue-5.15/wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch b/queue-5.15/wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch new file mode 100644 index 0000000000..cd2860b1b0 --- /dev/null +++ b/queue-5.15/wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch @@ -0,0 +1,66 @@ +From efbe8f81952fe469d38655744627d860879dcde8 Mon Sep 17 00:00:00 2001 +From: Anjaneyulu +Date: Wed, 14 Jun 2023 12:41:37 +0300 +Subject: wifi: iwlwifi: add a few rate index validity checks + +From: Anjaneyulu + +commit efbe8f81952fe469d38655744627d860879dcde8 upstream. + +Validate index before access iwl_rate_mcs to keep rate->index +inside the valid boundaries. Use MCS_0_INDEX if index is less +than MCS_0_INDEX and MCS_9_INDEX if index is greater then +MCS_9_INDEX. + +Signed-off-by: Anjaneyulu +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230614123447.79f16b3aef32.If1137f894775d6d07b78cbf3a6163ffce6399507@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 7 +++++-- + drivers/net/wireless/intel/iwlwifi/mvm/rs.c | 9 ++++++--- + 2 files changed, 11 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c ++++ b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c +@@ -130,7 +130,7 @@ static int iwl_hwrate_to_plcp_idx(u32 ra + return idx; + } + +- return -1; ++ return IWL_RATE_INVALID; + } + + static void rs_rate_scale_perform(struct iwl_priv *priv, +@@ -3151,7 +3151,10 @@ static ssize_t rs_sta_dbgfs_scale_table_ + for (i = 0; i < LINK_QUAL_MAX_RETRY_NUM; i++) { + index = iwl_hwrate_to_plcp_idx( + le32_to_cpu(lq_sta->lq.rs_table[i].rate_n_flags)); +- if (is_legacy(tbl->lq_type)) { ++ if (index == IWL_RATE_INVALID) { ++ desc += sprintf(buff + desc, " rate[%d] 0x%X invalid rate\n", ++ i, le32_to_cpu(lq_sta->lq.rs_table[i].rate_n_flags)); ++ } else if (is_legacy(tbl->lq_type)) { + desc += sprintf(buff+desc, " rate[%d] 0x%X %smbps\n", + i, le32_to_cpu(lq_sta->lq.rs_table[i].rate_n_flags), + iwl_rate_mcs[index].mbps); +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c +@@ -1119,10 +1119,13 @@ static void rs_get_lower_rate_down_colum + + rate->bw = RATE_MCS_CHAN_WIDTH_20; + +- WARN_ON_ONCE(rate->index < IWL_RATE_MCS_0_INDEX || +- rate->index > IWL_RATE_MCS_9_INDEX); ++ if (WARN_ON_ONCE(rate->index < IWL_RATE_MCS_0_INDEX)) ++ rate->index = rs_ht_to_legacy[IWL_RATE_MCS_0_INDEX]; ++ else if (WARN_ON_ONCE(rate->index > IWL_RATE_MCS_9_INDEX)) ++ rate->index = rs_ht_to_legacy[IWL_RATE_MCS_9_INDEX]; ++ else ++ rate->index = rs_ht_to_legacy[rate->index]; + +- rate->index = rs_ht_to_legacy[rate->index]; + rate->ldpc = false; + } else { + /* Downgrade to SISO with same MCS if in MIMO */