From 83833e0db653bd3d4c5df87b94cef4b53534546c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 30 Jan 2025 10:49:28 +0100 Subject: [PATCH] 5.10-stable patches added patches: bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch m68k-update-thread.esp0-before-calling-syscall_trace-in-ret_from_signal.patch net-sched-fix-ets-qdisc-oob-indexing.patch signal-m68k-use-force_sigsegv-sigsegv-in-fpsp040_die.patch vfio-platform-check-the-bounds-of-read-write-syscalls.patch wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch --- ...not-validating-setsockopt-user-input.patch | 80 ++++++++++++++++ ...-rcu-usage-warning-in-ip_tunnel_find.patch | 74 +++++++++++++++ ...ing-syscall_trace-in-ret_from_signal.patch | 39 ++++++++ ...net-sched-fix-ets-qdisc-oob-indexing.patch | 91 +++++++++++++++++++ queue-5.10/series | 7 ++ ...force_sigsegv-sigsegv-in-fpsp040_die.patch | 63 +++++++++++++ ...ck-the-bounds-of-read-write-syscalls.patch | 54 +++++++++++ ...add-a-few-rate-index-validity-checks.patch | 66 ++++++++++++++ 8 files changed, 474 insertions(+) create mode 100644 queue-5.10/bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch create mode 100644 queue-5.10/ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch create mode 100644 queue-5.10/m68k-update-thread.esp0-before-calling-syscall_trace-in-ret_from_signal.patch create mode 100644 queue-5.10/net-sched-fix-ets-qdisc-oob-indexing.patch create mode 100644 queue-5.10/signal-m68k-use-force_sigsegv-sigsegv-in-fpsp040_die.patch create mode 100644 queue-5.10/vfio-platform-check-the-bounds-of-read-write-syscalls.patch create mode 100644 queue-5.10/wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch diff --git a/queue-5.10/bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch b/queue-5.10/bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch new file mode 100644 index 0000000000..efefc254c3 
--- /dev/null +++ b/queue-5.10/bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch 
@@ -0,0 +1,80 @@ +From a97de7bff13b1cc825c1b1344eaed8d6c2d3e695 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Fri, 5 Apr 2024 15:43:45 -0400 +Subject: Bluetooth: RFCOMM: Fix not validating setsockopt user input + +From: Luiz Augusto von Dentz + +commit a97de7bff13b1cc825c1b1344eaed8d6c2d3e695 upstream. + +syzbot reported rfcomm_sock_setsockopt_old() is copying data without +checking user input length. + +BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset +include/linux/sockptr.h:49 [inline] +BUG: KASAN: slab-out-of-bounds in copy_from_sockptr +include/linux/sockptr.h:55 [inline] +BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old +net/bluetooth/rfcomm/sock.c:632 [inline] +BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 +net/bluetooth/rfcomm/sock.c:673 +Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064 + +Fixes: 9f2c8a03fbb3 ("Bluetooth: Replace RFCOMM link mode with security level") +Fixes: bb23c0ab8246 ("Bluetooth: Add support for deferring RFCOMM connection setup") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +Signed-off-by: Keerthana K +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/rfcomm/sock.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -631,7 +631,7 @@ static int rfcomm_sock_setsockopt_old(st + + switch (optname) { + case RFCOMM_LM: +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { ++ if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) { + err = -EFAULT; + break; + } +@@ -666,7 +666,6 @@ static int rfcomm_sock_setsockopt(struct + struct sock *sk = sock->sk; + struct bt_security sec; + int err = 0; +- size_t len; + u32 opt; + + BT_DBG("sk %p", sk); +@@ -688,11 +687,9 @@ static int rfcomm_sock_setsockopt(struct + + sec.level = BT_SECURITY_LOW; + +- len = min_t(unsigned int, sizeof(sec), optlen); 
+- if (copy_from_sockptr(&sec, optval, len)) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen); ++ if (err) + break; +- } + + if (sec.level > BT_SECURITY_HIGH) { + err = -EINVAL; +@@ -708,10 +705,9 @@ static int rfcomm_sock_setsockopt(struct + break; + } + +- if (copy_from_sockptr(&opt, optval, sizeof(u32))) { +- err = -EFAULT; ++ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); ++ if (err) + break; +- } + + if (opt) + set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); diff --git a/queue-5.10/ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch b/queue-5.10/ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch new file mode 100644 index 0000000000..293891ec08 --- /dev/null +++ b/queue-5.10/ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch 
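Review bot: The BT_SECURITY branch of rfcomm_sock_setsockopt() changes user-visible behaviour beyond the bounds fix: the removed `len = min_t(unsigned int, sizeof(sec), optlen);` accepted a shorter optlen and copied only that prefix, whereas `bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen)` — if the 5.10 helper mirrors upstream's — rejects optlen < sizeof(sec) with -EINVAL. That is the intended hardening, but it deserves a sentence in the backport description so a report from userspace passing an older, shorter struct bt_security can be matched to this patch. The patch also assumes bt_copy_from_sockptr() is already present in the 5.10 tree (upstream it was introduced by the SCO setsockopt fix); none of the seven patches in this series adds it, so the build depends on that earlier backport. rfcomm_sock_setsockopt_old() and rfcomm_sock_setsockopt() both start and end outside the hunks shown.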
@@ -0,0 +1,74 @@ +From 90e0569dd3d32f4f4d2ca691d3fa5a8a14a13c12 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Wed, 23 Oct 2024 15:30:09 +0300 +Subject: ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find() + +From: Ido Schimmel + +commit 90e0569dd3d32f4f4d2ca691d3fa5a8a14a13c12 upstream. + +The per-netns IP tunnel hash table is protected by the RTNL mutex and +ip_tunnel_find() is only called from the control path where the mutex is +taken. + +Add a lockdep expression to hlist_for_each_entry_rcu() in +ip_tunnel_find() in order to validate that the mutex is held and to +silence the suspicious RCU usage warning [1]. + +[1] +WARNING: suspicious RCU usage +6.12.0-rc3-custom-gd95d9a31aceb #139 Not tainted +----------------------------- +net/ipv4/ip_tunnel.c:221 RCU-list traversed in non-reader section!! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +1 lock held by ip/362: + #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60 + +stack backtrace: +CPU: 12 UID: 0 PID: 362 Comm: ip Not tainted 6.12.0-rc3-custom-gd95d9a31aceb #139 +Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 +Call Trace: + + dump_stack_lvl+0xba/0x110 + lockdep_rcu_suspicious.cold+0x4f/0xd6 + ip_tunnel_find+0x435/0x4d0 + ip_tunnel_newlink+0x517/0x7a0 + ipgre_newlink+0x14c/0x170 + __rtnl_newlink+0x1173/0x19c0 + rtnl_newlink+0x6c/0xa0 + rtnetlink_rcv_msg+0x3cc/0xf60 + netlink_rcv_skb+0x171/0x450 + netlink_unicast+0x539/0x7f0 + netlink_sendmsg+0x8c1/0xd80 + ____sys_sendmsg+0x8f9/0xc20 + ___sys_sendmsg+0x197/0x1e0 + __sys_sendmsg+0x122/0x1f0 + do_syscall_64+0xbb/0x1d0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") +Suggested-by: Eric Dumazet +Signed-off-by: Ido Schimmel +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20241023123009.749764-1-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Alva Lan +Signed-off-by: Greg Kroah-Hartman 
+--- + net/ipv4/ip_tunnel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -218,7 +218,7 @@ static struct ip_tunnel *ip_tunnel_find( + struct ip_tunnel *t = NULL; + struct hlist_head *head = ip_bucket(itn, parms); + +- hlist_for_each_entry_rcu(t, head, hash_node) { ++ hlist_for_each_entry_rcu(t, head, hash_node, lockdep_rtnl_is_held()) { + if (local == t->parms.iph.saddr && + remote == t->parms.iph.daddr && + link == t->parms.link && diff --git a/queue-5.10/m68k-update-thread.esp0-before-calling-syscall_trace-in-ret_from_signal.patch b/queue-5.10/m68k-update-thread.esp0-before-calling-syscall_trace-in-ret_from_signal.patch new file mode 100644 index 0000000000..488fcddf9a --- /dev/null +++ b/queue-5.10/m68k-update-thread.esp0-before-calling-syscall_trace-in-ret_from_signal.patch 
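Review bot: The new `lockdep_rtnl_is_held()` argument states the locking rule only to lockdep builds; a reader of ip_tunnel_find() in a non-debug tree still gets no hint that walking the hash table is safe only because RTNL is held. Suggest a one-line comment above the loop: `/* The tunnel hash table is modified only under RTNL, which every caller of ip_tunnel_find() holds. */`. The change relies on 5.10's hlist_for_each_entry_rcu() accepting the optional condition argument; that form is not visible here and should be confirmed in the tree before queuing. ip_tunnel_find() starts and ends outside the hunk.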
@@ -0,0 +1,39 @@ +From 50e43a57334400668952f8e551c9d87d3ed2dfef Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 25 Jul 2021 17:19:45 +0000 +Subject: m68k: Update ->thread.esp0 before calling syscall_trace() in ret_from_signal + +From: Al Viro + +commit 50e43a57334400668952f8e551c9d87d3ed2dfef upstream. + +We get there when sigreturn has performed obscene acts on kernel stack; +in particular, the location of pt_regs has shifted. We are about to call +syscall_trace(), which might stop for tracer. If that happens, we'd better +have task_pt_regs() returning correct result... + +Fucked-up-by: Al Viro +Fixes: bd6f56a75bb2 ("m68k: Missing syscall_trace() on sigreturn") +Signed-off-by: Al Viro +Tested-by: Michael Schmitz +Reviewed-by: Michael Schmitz +Tested-by: Finn Thain +Link: https://lore.kernel.org/r/YP2dMWeV1LkHiOpr@zeniv-ca.linux.org.uk +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Finn Thain +Signed-off-by: Greg Kroah-Hartman +--- + arch/m68k/kernel/entry.S | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/m68k/kernel/entry.S ++++ b/arch/m68k/kernel/entry.S +@@ -189,6 +189,8 @@ ENTRY(ret_from_signal) + movel %curptr@(TASK_STACK),%a1 + tstb %a1@(TINFO_FLAGS+2) + jge 1f ++ lea %sp@(SWITCH_STACK_SIZE),%a1 ++ movel %a1,%curptr@(TASK_THREAD+THREAD_ESP0) + jbsr syscall_trace + 1: RESTORE_SWITCH_STACK + addql #4,%sp diff --git a/queue-5.10/net-sched-fix-ets-qdisc-oob-indexing.patch b/queue-5.10/net-sched-fix-ets-qdisc-oob-indexing.patch new file mode 100644 index 0000000000..33b543d472 --- /dev/null +++ b/queue-5.10/net-sched-fix-ets-qdisc-oob-indexing.patch 
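Review bot: The two added instructions in ret_from_signal refresh thread.esp0 before the call to syscall_trace, but nothing in the code says why; the reason (sigreturn may have moved pt_regs, and a tracer stop must see the new location through task_pt_regs()) lives only in the commit message. Suggest a comment on the added `lea`: `| sigreturn may have shifted pt_regs; refresh thread.esp0 so task_pt_regs() is correct if syscall_trace stops for a tracer`. The stored value is `%sp + SWITCH_STACK_SIZE`, which presumably is where pt_regs sits above the saved switch-stack frame that RESTORE_SWITCH_STACK pops next — worth stating explicitly so the offset is re-checked if that frame layout ever changes. ret_from_signal continues outside the hunk.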
@@ -0,0 +1,91 @@ +From d62b04fca4340a0d468d7853bd66e511935a18cb Mon Sep 17 00:00:00 2001 +From: Jamal Hadi Salim +Date: Sat, 11 Jan 2025 09:57:39 -0500 +Subject: net: sched: fix ets qdisc OOB Indexing + +From: Jamal Hadi Salim + +commit d62b04fca4340a0d468d7853bd66e511935a18cb upstream. + +Haowei Yan found that ets_class_from_arg() can +index an Out-Of-Bound class in ets_class_from_arg() when passed clid of +0. The overflow may cause local privilege escalation. + + [ 18.852298] ------------[ cut here ]------------ + [ 18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20 + [ 18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]' + [ 18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17 + [ 18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 + [ 18.856532] Call Trace: + [ 18.857441] + [ 18.858227] dump_stack_lvl+0xc2/0xf0 + [ 18.859607] dump_stack+0x10/0x20 + [ 18.860908] __ubsan_handle_out_of_bounds+0xa7/0xf0 + [ 18.864022] ets_class_change+0x3d6/0x3f0 + [ 18.864322] tc_ctl_tclass+0x251/0x910 + [ 18.864587] ? lock_acquire+0x5e/0x140 + [ 18.865113] ? __mutex_lock+0x9c/0xe70 + [ 18.866009] ? __mutex_lock+0xa34/0xe70 + [ 18.866401] rtnetlink_rcv_msg+0x170/0x6f0 + [ 18.866806] ? __lock_acquire+0x578/0xc10 + [ 18.867184] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 + [ 18.867503] netlink_rcv_skb+0x59/0x110 + [ 18.867776] rtnetlink_rcv+0x15/0x30 + [ 18.868159] netlink_unicast+0x1c3/0x2b0 + [ 18.868440] netlink_sendmsg+0x239/0x4b0 + [ 18.868721] ____sys_sendmsg+0x3e2/0x410 + [ 18.869012] ___sys_sendmsg+0x88/0xe0 + [ 18.869276] ? rseq_ip_fixup+0x198/0x260 + [ 18.869563] ? rseq_update_cpu_node_id+0x10a/0x190 + [ 18.869900] ? trace_hardirqs_off+0x5a/0xd0 + [ 18.870196] ? syscall_exit_to_user_mode+0xcc/0x220 + [ 18.870547] ? do_syscall_64+0x93/0x150 + [ 18.870821] ? 
__memcg_slab_free_hook+0x69/0x290 + [ 18.871157] __sys_sendmsg+0x69/0xd0 + [ 18.871416] __x64_sys_sendmsg+0x1d/0x30 + [ 18.871699] x64_sys_call+0x9e2/0x2670 + [ 18.871979] do_syscall_64+0x87/0x150 + [ 18.873280] ? do_syscall_64+0x93/0x150 + [ 18.874742] ? lock_release+0x7b/0x160 + [ 18.876157] ? do_user_addr_fault+0x5ce/0x8f0 + [ 18.877833] ? irqentry_exit_to_user_mode+0xc2/0x210 + [ 18.879608] ? irqentry_exit+0x77/0xb0 + [ 18.879808] ? clear_bhb_loop+0x15/0x70 + [ 18.880023] ? clear_bhb_loop+0x15/0x70 + [ 18.880223] ? clear_bhb_loop+0x15/0x70 + [ 18.880426] entry_SYSCALL_64_after_hwframe+0x76/0x7e + [ 18.880683] RIP: 0033:0x44a957 + [ 18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10 + [ 18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e + [ 18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957 + [ 18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003 + [ 18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0 + [ 18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001 + [ 18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001 + [ 18.888395] + [ 18.888610] ---[ end trace ]--- + +Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc") +Reported-by: Haowei Yan +Suggested-by: Haowei Yan +Signed-off-by: Jamal Hadi Salim +Reviewed-by: Eric Dumazet +Reviewed-by: Petr Machata +Link: https://patch.msgid.link/20250111145740.74755-1-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_ets.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/sched/sch_ets.c ++++ b/net/sched/sch_ets.c +@@ -91,6 +91,8 @@ ets_class_from_arg(struct Qdisc *sch, un + { + struct ets_sched *q = qdisc_priv(sch); + ++ if (arg == 0 || arg > q->nbands) ++ 
return NULL; + return &q->classes[arg - 1]; + } + diff --git a/queue-5.10/series b/queue-5.10/series index e4a3d62f55..48bc5b15e8 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -119,3 +119,10 @@ scsi-iscsi-fix-redundant-response-for-iscsi_uevent_g.patch irqchip-sunxi-nmi-add-missing-skip_wake-flag.patch asoc-samsung-add-missing-depends-on-i2c.patch gfs2-truncate-address-space-when-flipping-gfs2_dif_jdata-flag.patch +net-sched-fix-ets-qdisc-oob-indexing.patch +m68k-update-thread.esp0-before-calling-syscall_trace-in-ret_from_signal.patch +signal-m68k-use-force_sigsegv-sigsegv-in-fpsp040_die.patch +vfio-platform-check-the-bounds-of-read-write-syscalls.patch +bluetooth-rfcomm-fix-not-validating-setsockopt-user-input.patch +ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch +wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch diff --git a/queue-5.10/signal-m68k-use-force_sigsegv-sigsegv-in-fpsp040_die.patch b/queue-5.10/signal-m68k-use-force_sigsegv-sigsegv-in-fpsp040_die.patch new file mode 100644 index 0000000000..1fdc274001 --- /dev/null +++ b/queue-5.10/signal-m68k-use-force_sigsegv-sigsegv-in-fpsp040_die.patch 
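Review bot: ets_class_from_arg() now returns NULL for `arg == 0 || arg > q->nbands`, so every caller must tolerate a NULL class; those callers are outside the hunk and should be audited in the 5.10 tree, since a caller that dereferences the result unconditionally would turn the old out-of-bounds index into a NULL dereference. The check is only complete because `arg` is unsigned (the parameter is `unsigned long` upstream; the signature is cut at `un` in the hunk header), as the `arg == 0` test is what stops `arg - 1` from wrapping to a huge index. A short comment would help the next reader: `/* arg is a 1-based class index; 0 is reserved and must not wrap to classes[-1] */`. The function itself is complete within the hunk.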
@@ -0,0 +1,63 @@ +From a3616a3c02722d1edb95acc7fceade242f6553ba Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Mon, 26 Jul 2021 14:23:11 -0500 +Subject: signal/m68k: Use force_sigsegv(SIGSEGV) in fpsp040_die + +From: Eric W. Biederman + +commit a3616a3c02722d1edb95acc7fceade242f6553ba upstream. + +In the fpsp040 code when copyin or copyout fails call +force_sigsegv(SIGSEGV) instead of do_exit(SIGSEGV). + +This solves a couple of problems. Because do_exit embeds the ptrace +stop PTRACE_EVENT_EXIT a complete stack frame needs to be present for +that to work correctly. There is always the information needed for a +ptrace stop where get_signal is called. So exiting with a signal +solves the ptrace issue. + +Further exiting with a signal ensures that all of the threads in a +process are killed not just the thread that malfunctioned. Which +avoids confusing userspace. + +To make force_sigsegv(SIGSEGV) work in fpsp040_die modify the code to +save all of the registers and jump to ret_from_exception (which +ultimately calls get_signal) after fpsp040_die returns. + +v2: Updated the branches to use gas's pseudo ops that automatically + calculate the best branch instruction to use for the purpose. + +v1: https://lkml.kernel.org/r/87a6m8kgtx.fsf_-_@disp2133 +Link: https://lkml.kernel.org/r/87tukghjfs.fsf_-_@disp2133 +Acked-by: Geert Uytterhoeven +Signed-off-by: "Eric W. 
Biederman" +Signed-off-by: Finn Thain +Signed-off-by: Greg Kroah-Hartman +--- + arch/m68k/fpsp040/skeleton.S | 3 ++- + arch/m68k/kernel/traps.c | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/m68k/fpsp040/skeleton.S ++++ b/arch/m68k/fpsp040/skeleton.S +@@ -502,7 +502,8 @@ in_ea: + .section .fixup,"ax" + .even + 1: +- jbra fpsp040_die ++ jbsr fpsp040_die ++ jbra .Lnotkern + + .section __ex_table,"a" + .align 4 +--- a/arch/m68k/kernel/traps.c ++++ b/arch/m68k/kernel/traps.c +@@ -1152,7 +1152,7 @@ asmlinkage void set_esp0(unsigned long s + */ + asmlinkage void fpsp040_die(void) + { +- do_exit(SIGSEGV); ++ force_sigsegv(SIGSEGV); + } + + #ifdef CONFIG_M68KFPU_EMU diff --git a/queue-5.10/vfio-platform-check-the-bounds-of-read-write-syscalls.patch b/queue-5.10/vfio-platform-check-the-bounds-of-read-write-syscalls.patch new file mode 100644 index 0000000000..bd4887e2c1 --- /dev/null +++ b/queue-5.10/vfio-platform-check-the-bounds-of-read-write-syscalls.patch 
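Review bot: fpsp040_die() now returns to its caller instead of exiting, and the correctness of `force_sigsegv(SIGSEGV)` depends on the skeleton.S fixup continuing at `.Lnotkern` so that registers are saved and execution reaches ret_from_exception, where the pending signal is delivered; none of that contract is visible from traps.c. Suggest a comment above the function: `/* Called from the fpsp040 copyin/copyout fixup; must return so the caller can fall into .Lnotkern and reach ret_from_exception, where the SIGSEGV is delivered. */`. The backport also assumes a `.Lnotkern` label exists in 5.10's skeleton.S at a point that performs a full register save; the label is not in the hunk, so it should be confirmed in the tree. Both hunks replace a single line, so the surrounding code is otherwise outside view.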
@@ -0,0 +1,54 @@ +From ce9ff21ea89d191e477a02ad7eabf4f996b80a69 Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Wed, 22 Jan 2025 10:38:30 -0700 +Subject: vfio/platform: check the bounds of read/write syscalls +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Williamson + +commit ce9ff21ea89d191e477a02ad7eabf4f996b80a69 upstream. + +count and offset are passed from user space and not checked, only +offset is capped to 40 bits, which can be used to read/write out of +bounds of the device. + +Fixes: 6e3f26456009 (“vfio/platform: read and write support for the device fd”) +Cc: stable@vger.kernel.org +Reported-by: Mostafa Saleh +Reviewed-by: Eric Auger +Reviewed-by: Mostafa Saleh +Tested-by: Mostafa Saleh +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vfio/platform/vfio_platform_common.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/vfio/platform/vfio_platform_common.c ++++ b/drivers/vfio/platform/vfio_platform_common.c +@@ -405,6 +405,11 @@ static ssize_t vfio_platform_read_mmio(s + { + unsigned int done = 0; + ++ if (off >= reg->size) ++ return -EINVAL; ++ ++ count = min_t(size_t, count, reg->size - off); ++ + if (!reg->ioaddr) { + reg->ioaddr = + ioremap(reg->addr, reg->size); +@@ -482,6 +487,11 @@ static ssize_t vfio_platform_write_mmio( + { + unsigned int done = 0; + ++ if (off >= reg->size) ++ return -EINVAL; ++ ++ count = min_t(size_t, count, reg->size - off); ++ + if (!reg->ioaddr) { + reg->ioaddr = + ioremap(reg->addr, reg->size); diff --git a/queue-5.10/wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch b/queue-5.10/wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch new file mode 100644 index 0000000000..25d6c9ed0b --- /dev/null +++ b/queue-5.10/wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch 
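Review bot: The added guards in vfio_platform_read_mmio() and vfio_platform_write_mmio() compare `off` against `reg->size` and clamp `count`, but the reasoning — the caller masks the offset to 40 bits yet neither offset nor count was ever checked against the region — is not stated in the code. Suggest a comment on the first added line of each function: `/* off and count come from userspace; the caller only masks off to the offset field, so bound both to the region before touching ioaddr */`. The `off >= reg->size` test is sound only if `off` is non-negative (upstream it is a loff_t already masked by the caller); if the 5.10 caller differs, a negative `off` would be converted for the comparison, so that precondition is worth confirming. The same two checks are duplicated in both functions; a small static helper would keep them in sync, though staying byte-identical to upstream is reasonable for a stable backport. Both functions continue outside the hunks.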
@@ -0,0 +1,66 @@ +From efbe8f81952fe469d38655744627d860879dcde8 Mon Sep 17 00:00:00 2001 +From: Anjaneyulu +Date: Wed, 14 Jun 2023 12:41:37 +0300 +Subject: wifi: iwlwifi: add a few rate index validity checks + +From: Anjaneyulu + +commit efbe8f81952fe469d38655744627d860879dcde8 upstream. + +Validate index before access iwl_rate_mcs to keep rate->index +inside the valid boundaries. Use MCS_0_INDEX if index is less +than MCS_0_INDEX and MCS_9_INDEX if index is greater then +MCS_9_INDEX. + +Signed-off-by: Anjaneyulu +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230614123447.79f16b3aef32.If1137f894775d6d07b78cbf3a6163ffce6399507@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 7 +++++-- + drivers/net/wireless/intel/iwlwifi/mvm/rs.c | 9 ++++++--- + 2 files changed, 11 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c ++++ b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c +@@ -130,7 +130,7 @@ static int iwl_hwrate_to_plcp_idx(u32 ra + return idx; + } + +- return -1; ++ return IWL_RATE_INVALID; + } + + static void rs_rate_scale_perform(struct iwl_priv *priv, +@@ -3151,7 +3151,10 @@ static ssize_t rs_sta_dbgfs_scale_table_ + for (i = 0; i < LINK_QUAL_MAX_RETRY_NUM; i++) { + index = iwl_hwrate_to_plcp_idx( + le32_to_cpu(lq_sta->lq.rs_table[i].rate_n_flags)); +- if (is_legacy(tbl->lq_type)) { ++ if (index == IWL_RATE_INVALID) { ++ desc += sprintf(buff + desc, " rate[%d] 0x%X invalid rate\n", ++ i, le32_to_cpu(lq_sta->lq.rs_table[i].rate_n_flags)); ++ } else if (is_legacy(tbl->lq_type)) { + desc += sprintf(buff+desc, " rate[%d] 0x%X %smbps\n", + i, le32_to_cpu(lq_sta->lq.rs_table[i].rate_n_flags), + iwl_rate_mcs[index].mbps); +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c +@@ -1120,10 +1120,13 @@ static void rs_get_lower_rate_down_colum + + rate->bw = RATE_MCS_CHAN_WIDTH_20; + +- 
WARN_ON_ONCE(rate->index < IWL_RATE_MCS_0_INDEX || +- rate->index > IWL_RATE_MCS_9_INDEX); ++ if (WARN_ON_ONCE(rate->index < IWL_RATE_MCS_0_INDEX)) ++ rate->index = rs_ht_to_legacy[IWL_RATE_MCS_0_INDEX]; ++ else if (WARN_ON_ONCE(rate->index > IWL_RATE_MCS_9_INDEX)) ++ rate->index = rs_ht_to_legacy[IWL_RATE_MCS_9_INDEX]; ++ else ++ rate->index = rs_ht_to_legacy[rate->index]; + +- rate->index = rs_ht_to_legacy[rate->index]; + rate->ldpc = false; + } else { + /* Downgrade to SISO with same MCS if in MIMO */ -- 2.47.3
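Review bot: iwl_hwrate_to_plcp_idx() in dvm/rs.c now returns `IWL_RATE_INVALID` instead of -1; if that constant is a non-negative enumerator (upstream it aliases IWL_RATE_COUNT), any other caller in dvm/rs.c that still tests for a negative return would now index a table with an out-of-range value, so those callers — outside the hunk — need auditing in the 5.10 tree. The new debugfs line keeps the file's unbounded `sprintf(buff + desc, ...)` pattern; it is consistent with the surrounding code, but the added text is longer than the line it guards, so the size of `buff` (not visible here) should be confirmed to still fit. In mvm/rs.c the WARN_ON_ONCE clamps are fine; a comment such as `/* clamp rather than index rs_ht_to_legacy out of range on a bogus index */` would explain why each warning is paired with a fallback. rs_sta_dbgfs_scale_table_read() and rs_get_lower_rate_down_column() both start and end outside the hunks.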