From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 29 Sep 2025 11:37:18 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v5.4.300~40
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fba4d11f22e59b0b777115443b67db90072edea7;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
	i40e-add-mask-to-apply-valid-bits-for-itr_idx.patch
	i40e-add-max-boundary-check-for-vf-filters.patch
	i40e-fix-idx-validation-in-i40e_validate_queue_map.patch
	i40e-fix-input-validation-logic-for-action_meta.patch
---

diff --git a/queue-5.10/i40e-add-mask-to-apply-valid-bits-for-itr_idx.patch b/queue-5.10/i40e-add-mask-to-apply-valid-bits-for-itr_idx.patch
new file mode 100644
index 0000000000..a819d329d3
--- /dev/null
+++ b/queue-5.10/i40e-add-mask-to-apply-valid-bits-for-itr_idx.patch
@@ -0,0 +1,41 @@
+From eac04428abe9f9cb203ffae4600791ea1d24eb18 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:17 +0200
+Subject: i40e: add mask to apply valid bits for itr_idx
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit eac04428abe9f9cb203ffae4600791ea1d24eb18 upstream.
+
+The ITR index (itr_idx) is only 2 bits wide. When constructing the
+register value for QINT_RQCTL, all fields are ORed together. Without
+masking, higher bits from itr_idx may overwrite adjacent fields in the
+register.
+
+Apply I40E_QINT_RQCTL_ITR_INDX_MASK to ensure only the intended bits are
+set.
+
+Fixes: 5c3c48ac6bf5 ("i40e: implement virtual device interface")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -393,7 +393,7 @@ static void i40e_config_irq_link_list(st
+ 		    (qtype << I40E_QINT_RQCTL_NEXTQ_TYPE_SHIFT) |
+ 		    (pf_queue_id << I40E_QINT_RQCTL_NEXTQ_INDX_SHIFT) |
+ 		    BIT(I40E_QINT_RQCTL_CAUSE_ENA_SHIFT) |
+-		    (itr_idx << I40E_QINT_RQCTL_ITR_INDX_SHIFT);
++		    FIELD_PREP(I40E_QINT_RQCTL_ITR_INDX_MASK, itr_idx);
+ 		wr32(hw, reg_idx, reg);
+ 	}
+ 
diff --git a/queue-5.10/i40e-add-max-boundary-check-for-vf-filters.patch b/queue-5.10/i40e-add-max-boundary-check-for-vf-filters.patch
new file mode 100644
index 0000000000..4b860ddd2c
--- /dev/null
+++ b/queue-5.10/i40e-add-max-boundary-check-for-vf-filters.patch
@@ -0,0 +1,50 @@
+From cb79fa7118c150c3c76a327894bb2eb878c02619 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:16 +0200
+Subject: i40e: add max boundary check for VF filters
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit cb79fa7118c150c3c76a327894bb2eb878c02619 upstream.
+
+There is no check for max filters that VF can request. Add it.
+
+Fixes: e284fc280473 ("i40e: Add and delete cloud filter")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -3710,6 +3710,8 @@ err:
+ 				       aq_ret);
+ }
+ 
++#define I40E_MAX_VF_CLOUD_FILTER 0xFF00
++
+ /**
+  * i40e_vc_add_cloud_filter
+  * @vf: pointer to the VF info
+@@ -3749,6 +3751,14 @@ static int i40e_vc_add_cloud_filter(stru
+ 		goto err_out;
+ 	}
+ 
++	if (vf->num_cloud_filters >= I40E_MAX_VF_CLOUD_FILTER) {
++		dev_warn(&pf->pdev->dev,
++			 "VF %d: Max number of filters reached, can't apply cloud filter\n",
++			 vf->vf_id);
++		aq_ret = -ENOSPC;
++		goto err_out;
++	}
++
+ 	cfilter = kzalloc(sizeof(*cfilter), GFP_KERNEL);
+ 	if (!cfilter)
+ 		return -ENOMEM;
diff --git a/queue-5.10/i40e-fix-idx-validation-in-i40e_validate_queue_map.patch b/queue-5.10/i40e-fix-idx-validation-in-i40e_validate_queue_map.patch
new file mode 100644
index 0000000000..9fcb577b8f
--- /dev/null
+++ b/queue-5.10/i40e-fix-idx-validation-in-i40e_validate_queue_map.patch
@@ -0,0 +1,40 @@
+From aa68d3c3ac8d1dcec40d52ae27e39f6d32207009 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:12 +0200
+Subject: i40e: fix idx validation in i40e_validate_queue_map
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit aa68d3c3ac8d1dcec40d52ae27e39f6d32207009 upstream.
+
+Ensure idx is within range of active/initialized TCs when iterating over
+vf->ch[idx] in i40e_validate_queue_map().
+
+Fixes: c27eac48160d ("i40e: Enable ADq and create queue channel/s on VF")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Kamakshi Nellore <nellorex.kamakshi@intel.com> (A Contingent Worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -2397,8 +2397,10 @@ static int i40e_validate_queue_map(struc
+ 	u16 vsi_queue_id, queue_id;
+ 
+ 	for_each_set_bit(vsi_queue_id, &queuemap, I40E_MAX_VSI_QP) {
+-		if (vf->adq_enabled) {
+-			vsi_id = vf->ch[vsi_queue_id / I40E_MAX_VF_VSI].vsi_id;
++		u16 idx = vsi_queue_id / I40E_MAX_VF_VSI;
++
++		if (vf->adq_enabled && idx < vf->num_tc) {
++			vsi_id = vf->ch[idx].vsi_id;
+ 			queue_id = (vsi_queue_id % I40E_DEFAULT_QUEUES_PER_VF);
+ 		} else {
+ 			queue_id = vsi_queue_id;
diff --git a/queue-5.10/i40e-fix-input-validation-logic-for-action_meta.patch b/queue-5.10/i40e-fix-input-validation-logic-for-action_meta.patch
new file mode 100644
index 0000000000..ee14886c8b
--- /dev/null
+++ b/queue-5.10/i40e-fix-input-validation-logic-for-action_meta.patch
@@ -0,0 +1,35 @@
+From 9739d5830497812b0bdeaee356ddefbe60830b88 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:14 +0200
+Subject: i40e: fix input validation logic for action_meta
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit 9739d5830497812b0bdeaee356ddefbe60830b88 upstream.
+
+Fix condition to check 'greater or equal' to prevent OOB dereference.
+
+Fixes: e284fc280473 ("i40e: Add and delete cloud filter")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -3412,7 +3412,7 @@ static int i40e_validate_cloud_filter(st
+ 
+ 	/* action_meta is TC number here to which the filter is applied */
+ 	if (!tc_filter->action_meta ||
+-	    tc_filter->action_meta > vf->num_tc) {
++	    tc_filter->action_meta >= vf->num_tc) {
+ 		dev_info(&pf->pdev->dev, "VF %d: Invalid TC number %u\n",
+ 			 vf->vf_id, tc_filter->action_meta);
+ 		goto err;
diff --git a/queue-5.10/series b/queue-5.10/series
index 5b0e6c3141..5a41271fac 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -107,3 +107,7 @@ nexthop-forbid-fdb-status-change-while-nexthop-is-in.patch
 selftests-fib_nexthops-fix-creation-of-non-fdb-nexth.patch
 drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
 crypto-af_alg-fix-incorrect-boolean-values-in-af_alg.patch
+i40e-fix-idx-validation-in-i40e_validate_queue_map.patch
+i40e-fix-input-validation-logic-for-action_meta.patch
+i40e-add-max-boundary-check-for-vf-filters.patch
+i40e-add-mask-to-apply-valid-bits-for-itr_idx.patch