From 231869b716844b62970b06b4cc46fe569b77aecc Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 29 Sep 2025 14:07:07 +0200
Subject: [PATCH] 5.15-stable patches

added patches:
	i40e-add-mask-to-apply-valid-bits-for-itr_idx.patch
	i40e-add-max-boundary-check-for-vf-filters.patch
	i40e-fix-idx-validation-in-i40e_validate_queue_map.patch
	i40e-fix-input-validation-logic-for-action_meta.patch
	tracing-dynevent-add-a-missing-lockdown-check-on-dynevent.patch
---
 ...mask-to-apply-valid-bits-for-itr_idx.patch | 41 +++++++++++++++
 ...dd-max-boundary-check-for-vf-filters.patch | 50 +++++++++++++++++++
 ...alidation-in-i40e_validate_queue_map.patch | 40 +++++++++++++++
 ...put-validation-logic-for-action_meta.patch | 35 +++++++++++++
 queue-5.15/series                             |  5 ++
 ...a-missing-lockdown-check-on-dynevent.patch | 36 +++++++++++++
 6 files changed, 207 insertions(+)
 create mode 100644 queue-5.15/i40e-add-mask-to-apply-valid-bits-for-itr_idx.patch
 create mode 100644 queue-5.15/i40e-add-max-boundary-check-for-vf-filters.patch
 create mode 100644 queue-5.15/i40e-fix-idx-validation-in-i40e_validate_queue_map.patch
 create mode 100644 queue-5.15/i40e-fix-input-validation-logic-for-action_meta.patch
 create mode 100644 queue-5.15/tracing-dynevent-add-a-missing-lockdown-check-on-dynevent.patch

diff --git a/queue-5.15/i40e-add-mask-to-apply-valid-bits-for-itr_idx.patch b/queue-5.15/i40e-add-mask-to-apply-valid-bits-for-itr_idx.patch
new file mode 100644
index 0000000000..f6abb71690
--- /dev/null
+++ b/queue-5.15/i40e-add-mask-to-apply-valid-bits-for-itr_idx.patch
@@ -0,0 +1,41 @@
+From eac04428abe9f9cb203ffae4600791ea1d24eb18 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:17 +0200
+Subject: i40e: add mask to apply valid bits for itr_idx
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit eac04428abe9f9cb203ffae4600791ea1d24eb18 upstream.
+
+The ITR index (itr_idx) is only 2 bits wide. When constructing the
+register value for QINT_RQCTL, all fields are ORed together. Without
+masking, higher bits from itr_idx may overwrite adjacent fields in the
+register.
+
+Apply I40E_QINT_RQCTL_ITR_INDX_MASK to ensure only the intended bits are
+set.
+
+Fixes: 5c3c48ac6bf5 ("i40e: implement virtual device interface")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -446,7 +446,7 @@ static void i40e_config_irq_link_list(st
+ 		    (qtype << I40E_QINT_RQCTL_NEXTQ_TYPE_SHIFT) |
+ 		    (pf_queue_id << I40E_QINT_RQCTL_NEXTQ_INDX_SHIFT) |
+ 		    BIT(I40E_QINT_RQCTL_CAUSE_ENA_SHIFT) |
+-		    (itr_idx << I40E_QINT_RQCTL_ITR_INDX_SHIFT);
++		    FIELD_PREP(I40E_QINT_RQCTL_ITR_INDX_MASK, itr_idx);
+ 		wr32(hw, reg_idx, reg);
+ 	}
+ 
diff --git a/queue-5.15/i40e-add-max-boundary-check-for-vf-filters.patch b/queue-5.15/i40e-add-max-boundary-check-for-vf-filters.patch
new file mode 100644
index 0000000000..23136c8c9f
--- /dev/null
+++ b/queue-5.15/i40e-add-max-boundary-check-for-vf-filters.patch
@@ -0,0 +1,50 @@
+From cb79fa7118c150c3c76a327894bb2eb878c02619 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:16 +0200
+Subject: i40e: add max boundary check for VF filters
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit cb79fa7118c150c3c76a327894bb2eb878c02619 upstream.
+
+There is no check for max filters that VF can request. Add it.
+
+Fixes: e284fc280473 ("i40e: Add and delete cloud filter")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -3770,6 +3770,8 @@ err:
+ 				       aq_ret);
+ }
+ 
++#define I40E_MAX_VF_CLOUD_FILTER 0xFF00
++
+ /**
+  * i40e_vc_add_cloud_filter
+  * @vf: pointer to the VF info
+@@ -3809,6 +3811,14 @@ static int i40e_vc_add_cloud_filter(stru
+ 		goto err_out;
+ 	}
+ 
++	if (vf->num_cloud_filters >= I40E_MAX_VF_CLOUD_FILTER) {
++		dev_warn(&pf->pdev->dev,
++			 "VF %d: Max number of filters reached, can't apply cloud filter\n",
++			 vf->vf_id);
++		aq_ret = -ENOSPC;
++		goto err_out;
++	}
++
+ 	cfilter = kzalloc(sizeof(*cfilter), GFP_KERNEL);
+ 	if (!cfilter)
+ 		return -ENOMEM;
diff --git a/queue-5.15/i40e-fix-idx-validation-in-i40e_validate_queue_map.patch b/queue-5.15/i40e-fix-idx-validation-in-i40e_validate_queue_map.patch
new file mode 100644
index 0000000000..cb71602882
--- /dev/null
+++ b/queue-5.15/i40e-fix-idx-validation-in-i40e_validate_queue_map.patch
@@ -0,0 +1,40 @@
+From aa68d3c3ac8d1dcec40d52ae27e39f6d32207009 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:12 +0200
+Subject: i40e: fix idx validation in i40e_validate_queue_map
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit aa68d3c3ac8d1dcec40d52ae27e39f6d32207009 upstream.
+
+Ensure idx is within range of active/initialized TCs when iterating over
+vf->ch[idx] in i40e_validate_queue_map().
+
+Fixes: c27eac48160d ("i40e: Enable ADq and create queue channel/s on VF")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Kamakshi Nellore <nellorex.kamakshi@intel.com> (A Contingent Worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -2457,8 +2457,10 @@ static int i40e_validate_queue_map(struc
+ 	u16 vsi_queue_id, queue_id;
+ 
+ 	for_each_set_bit(vsi_queue_id, &queuemap, I40E_MAX_VSI_QP) {
+-		if (vf->adq_enabled) {
+-			vsi_id = vf->ch[vsi_queue_id / I40E_MAX_VF_VSI].vsi_id;
++		u16 idx = vsi_queue_id / I40E_MAX_VF_VSI;
++
++		if (vf->adq_enabled && idx < vf->num_tc) {
++			vsi_id = vf->ch[idx].vsi_id;
+ 			queue_id = (vsi_queue_id % I40E_DEFAULT_QUEUES_PER_VF);
+ 		} else {
+ 			queue_id = vsi_queue_id;
diff --git a/queue-5.15/i40e-fix-input-validation-logic-for-action_meta.patch b/queue-5.15/i40e-fix-input-validation-logic-for-action_meta.patch
new file mode 100644
index 0000000000..6347975d43
--- /dev/null
+++ b/queue-5.15/i40e-fix-input-validation-logic-for-action_meta.patch
@@ -0,0 +1,35 @@
+From 9739d5830497812b0bdeaee356ddefbe60830b88 Mon Sep 17 00:00:00 2001
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Date: Wed, 13 Aug 2025 12:45:14 +0200
+Subject: i40e: fix input validation logic for action_meta
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+commit 9739d5830497812b0bdeaee356ddefbe60830b88 upstream.
+
+Fix condition to check 'greater or equal' to prevent OOB dereference.
+
+Fixes: e284fc280473 ("i40e: Add and delete cloud filter")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -3472,7 +3472,7 @@ static int i40e_validate_cloud_filter(st
+ 
+ 	/* action_meta is TC number here to which the filter is applied */
+ 	if (!tc_filter->action_meta ||
+-	    tc_filter->action_meta > vf->num_tc) {
++	    tc_filter->action_meta >= vf->num_tc) {
+ 		dev_info(&pf->pdev->dev, "VF %d: Invalid TC number %u\n",
+ 			 vf->vf_id, tc_filter->action_meta);
+ 		goto err;
diff --git a/queue-5.15/series b/queue-5.15/series
index 45c90eee78..efbc357c95 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -135,3 +135,8 @@ net-dsa-lantiq_gswip-suppress-einval-errors-for-brid.patch
 drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
 crypto-af_alg-disallow-concurrent-writes-in-af_alg_s.patch
 crypto-af_alg-fix-incorrect-boolean-values-in-af_alg.patch
+i40e-fix-idx-validation-in-i40e_validate_queue_map.patch
+i40e-fix-input-validation-logic-for-action_meta.patch
+i40e-add-max-boundary-check-for-vf-filters.patch
+i40e-add-mask-to-apply-valid-bits-for-itr_idx.patch
+tracing-dynevent-add-a-missing-lockdown-check-on-dynevent.patch
diff --git a/queue-5.15/tracing-dynevent-add-a-missing-lockdown-check-on-dynevent.patch b/queue-5.15/tracing-dynevent-add-a-missing-lockdown-check-on-dynevent.patch
new file mode 100644
index 0000000000..17ea364abb
--- /dev/null
+++ b/queue-5.15/tracing-dynevent-add-a-missing-lockdown-check-on-dynevent.patch
@@ -0,0 +1,36 @@
+From 456c32e3c4316654f95f9d49c12cbecfb77d5660 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Fri, 19 Sep 2025 10:15:56 +0900
+Subject: tracing: dynevent: Add a missing lockdown check on dynevent
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit 456c32e3c4316654f95f9d49c12cbecfb77d5660 upstream.
+
+Since dynamic_events interface on tracefs is compatible with
+kprobe_events and uprobe_events, it should also check the lockdown
+status and reject if it is set.
+
+Link: https://lore.kernel.org/all/175824455687.45175.3734166065458520748.stgit@devnote2/
+
+Fixes: 17911ff38aa5 ("tracing: Add locked_down checks to the open calls of files created for tracefs")
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_dynevent.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/trace/trace_dynevent.c
++++ b/kernel/trace/trace_dynevent.c
+@@ -239,6 +239,10 @@ static int dyn_event_open(struct inode *
+ {
+ 	int ret;
+ 
++	ret = security_locked_down(LOCKDOWN_TRACEFS);
++	if (ret)
++		return ret;
++
+ 	ret = tracing_check_open_get_tr(NULL);
+ 	if (ret)
+ 		return ret;
-- 
2.47.3