--- /dev/null
+From 6d8177a22ebcb0ef84f81530aa4829df4a95c02c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Apr 2025 14:14:38 +0800
+Subject: ata: pata_pxa: Fix potential NULL pointer dereference in
+ pxa_ata_probe()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit ad320e408a8c95a282ab9c05cdf0c9b95e317985 ]
+
+devm_ioremap() returns NULL on error. Currently, pxa_ata_probe() does
+not check for this case, which can result in a NULL pointer dereference.
+
+Add NULL check after devm_ioremap() to prevent this issue.
+
+Fixes: 2dc6c6f15da9 ("[ARM] pata_pxa: DMA-capable PATA driver")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_pxa.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/ata/pata_pxa.c b/drivers/ata/pata_pxa.c
+index 41430f79663c1..3502bfb03c56c 100644
+--- a/drivers/ata/pata_pxa.c
++++ b/drivers/ata/pata_pxa.c
+@@ -223,10 +223,16 @@ static int pxa_ata_probe(struct platform_device *pdev)
+
+ ap->ioaddr.cmd_addr = devm_ioremap(&pdev->dev, cmd_res->start,
+ resource_size(cmd_res));
++ if (!ap->ioaddr.cmd_addr)
++ return -ENOMEM;
+ ap->ioaddr.ctl_addr = devm_ioremap(&pdev->dev, ctl_res->start,
+ resource_size(ctl_res));
++ if (!ap->ioaddr.ctl_addr)
++ return -ENOMEM;
+ ap->ioaddr.bmdma_addr = devm_ioremap(&pdev->dev, dma_res->start,
+ resource_size(dma_res));
++ if (!ap->ioaddr.bmdma_addr)
++ return -ENOMEM;
+
+ /*
+ * Adjust register offsets
+--
+2.39.5
+
--- /dev/null
+From 772d1f2bb15459f1e8dd103d3add4c20cf8722ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 15:30:01 +0800
+Subject: ata: sata_sx4: Add error handling in pdc20621_i2c_read()
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+[ Upstream commit 8d46a27085039158eb5e253ab8a35a0e33b5e864 ]
+
+The function pdc20621_prog_dimm0() calls the function pdc20621_i2c_read()
+but does not handle the error if the read fails. This could lead to
+process with invalid data. A proper implementation can be found in
+/source/drivers/ata/sata_sx4.c, pdc20621_prog_dimm_global(). As mentioned
+in its commit: bb44e154e25125bef31fa956785e90fccd24610b, the variable spd0
+might be used uninitialized when pdc20621_i2c_read() fails.
+
+Add error handling to pdc20621_i2c_read(). If a read operation fails,
+an error message is logged via dev_err(), and return a negative error
+code.
+
+Add error handling to pdc20621_prog_dimm0() in pdc20621_dimm_init(), and
+return a negative error code if pdc20621_prog_dimm0() fails.
+
+Fixes: 4447d3515616 ("libata: convert the remaining SATA drivers to new init model")
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/sata_sx4.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/ata/sata_sx4.c b/drivers/ata/sata_sx4.c
+index 7b28334aa26a2..20b73e0d835a3 100644
+--- a/drivers/ata/sata_sx4.c
++++ b/drivers/ata/sata_sx4.c
+@@ -1124,9 +1124,14 @@ static int pdc20621_prog_dimm0(struct ata_host *host)
+ mmio += PDC_CHIP0_OFS;
+
+ for (i = 0; i < ARRAY_SIZE(pdc_i2c_read_data); i++)
+- pdc20621_i2c_read(host, PDC_DIMM0_SPD_DEV_ADDRESS,
+- pdc_i2c_read_data[i].reg,
+- &spd0[pdc_i2c_read_data[i].ofs]);
++ if (!pdc20621_i2c_read(host, PDC_DIMM0_SPD_DEV_ADDRESS,
++ pdc_i2c_read_data[i].reg,
++ &spd0[pdc_i2c_read_data[i].ofs])) {
++ dev_err(host->dev,
++ "Failed in i2c read at index %d: device=%#x, reg=%#x\n",
++ i, PDC_DIMM0_SPD_DEV_ADDRESS, pdc_i2c_read_data[i].reg);
++ return -EIO;
++ }
+
+ data |= (spd0[4] - 8) | ((spd0[21] != 0) << 3) | ((spd0[3]-11) << 4);
+ data |= ((spd0[17] / 4) << 6) | ((spd0[5] / 2) << 7) |
+@@ -1290,6 +1295,8 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host)
+
+ /* Programming DIMM0 Module Control Register (index_CID0:80h) */
+ size = pdc20621_prog_dimm0(host);
++ if (size < 0)
++ return size;
+ dev_dbg(host->dev, "Local DIMM Size = %dMB\n", size);
+
+ /* Programming DIMM Module Global Control Register (index_CID0:88h) */
+--
+2.39.5
+
--- /dev/null
+From 8606ff9565d80b304a84f12fb61f822f3deb0a9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Dec 2021 08:20:59 +0100
+Subject: ata: sata_sx4: Drop pointless VPRINTK() calls and convert the
+ remaining ones
+
+From: Hannes Reinecke <hare@suse.de>
+
+[ Upstream commit bc21c1056d08525d9c5a5d74db4b8f14e6691991 ]
+
+Drop pointless VPRINTK() calls for setting up SG tables
+and convert the remaining calls to structured logging.
+
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Stable-dep-of: 8d46a2708503 ("ata: sata_sx4: Add error handling in pdc20621_i2c_read()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/sata_sx4.c | 105 +++++++++++++----------------------------
+ 1 file changed, 34 insertions(+), 71 deletions(-)
+
+diff --git a/drivers/ata/sata_sx4.c b/drivers/ata/sata_sx4.c
+index c95685f693a68..7b28334aa26a2 100644
+--- a/drivers/ata/sata_sx4.c
++++ b/drivers/ata/sata_sx4.c
+@@ -308,15 +308,9 @@ static inline void pdc20621_ata_sg(u8 *buf, unsigned int portno,
+ /* output ATA packet S/G table */
+ addr = PDC_20621_DIMM_BASE + PDC_20621_DIMM_DATA +
+ (PDC_DIMM_DATA_STEP * portno);
+- VPRINTK("ATA sg addr 0x%x, %d\n", addr, addr);
++
+ buf32[dw] = cpu_to_le32(addr);
+ buf32[dw + 1] = cpu_to_le32(total_len | ATA_PRD_EOT);
+-
+- VPRINTK("ATA PSG @ %x == (0x%x, 0x%x)\n",
+- PDC_20621_DIMM_BASE +
+- (PDC_DIMM_WINDOW_STEP * portno) +
+- PDC_DIMM_APKT_PRD,
+- buf32[dw], buf32[dw + 1]);
+ }
+
+ static inline void pdc20621_host_sg(u8 *buf, unsigned int portno,
+@@ -332,12 +326,6 @@ static inline void pdc20621_host_sg(u8 *buf, unsigned int portno,
+
+ buf32[dw] = cpu_to_le32(addr);
+ buf32[dw + 1] = cpu_to_le32(total_len | ATA_PRD_EOT);
+-
+- VPRINTK("HOST PSG @ %x == (0x%x, 0x%x)\n",
+- PDC_20621_DIMM_BASE +
+- (PDC_DIMM_WINDOW_STEP * portno) +
+- PDC_DIMM_HPKT_PRD,
+- buf32[dw], buf32[dw + 1]);
+ }
+
+ static inline unsigned int pdc20621_ata_pkt(struct ata_taskfile *tf,
+@@ -351,7 +339,6 @@ static inline unsigned int pdc20621_ata_pkt(struct ata_taskfile *tf,
+ unsigned int dimm_sg = PDC_20621_DIMM_BASE +
+ (PDC_DIMM_WINDOW_STEP * portno) +
+ PDC_DIMM_APKT_PRD;
+- VPRINTK("ENTER, dimm_sg == 0x%x, %d\n", dimm_sg, dimm_sg);
+
+ i = PDC_DIMM_ATA_PKT;
+
+@@ -406,8 +393,6 @@ static inline void pdc20621_host_pkt(struct ata_taskfile *tf, u8 *buf,
+ unsigned int dimm_sg = PDC_20621_DIMM_BASE +
+ (PDC_DIMM_WINDOW_STEP * portno) +
+ PDC_DIMM_HPKT_PRD;
+- VPRINTK("ENTER, dimm_sg == 0x%x, %d\n", dimm_sg, dimm_sg);
+- VPRINTK("host_sg == 0x%x, %d\n", host_sg, host_sg);
+
+ dw = PDC_DIMM_HOST_PKT >> 2;
+
+@@ -424,14 +409,6 @@ static inline void pdc20621_host_pkt(struct ata_taskfile *tf, u8 *buf,
+ buf32[dw + 1] = cpu_to_le32(host_sg);
+ buf32[dw + 2] = cpu_to_le32(dimm_sg);
+ buf32[dw + 3] = 0;
+-
+- VPRINTK("HOST PKT @ %x == (0x%x 0x%x 0x%x 0x%x)\n",
+- PDC_20621_DIMM_BASE + (PDC_DIMM_WINDOW_STEP * portno) +
+- PDC_DIMM_HOST_PKT,
+- buf32[dw + 0],
+- buf32[dw + 1],
+- buf32[dw + 2],
+- buf32[dw + 3]);
+ }
+
+ static void pdc20621_dma_prep(struct ata_queued_cmd *qc)
+@@ -447,8 +424,6 @@ static void pdc20621_dma_prep(struct ata_queued_cmd *qc)
+
+ WARN_ON(!(qc->flags & ATA_QCFLAG_DMAMAP));
+
+- VPRINTK("ata%u: ENTER\n", ap->print_id);
+-
+ /* hard-code chip #0 */
+ mmio += PDC_CHIP0_OFS;
+
+@@ -492,7 +467,8 @@ static void pdc20621_dma_prep(struct ata_queued_cmd *qc)
+
+ readl(dimm_mmio); /* MMIO PCI posting flush */
+
+- VPRINTK("ata pkt buf ofs %u, prd size %u, mmio copied\n", i, sgt_len);
++ ata_port_dbg(ap, "ata pkt buf ofs %u, prd size %u, mmio copied\n",
++ i, sgt_len);
+ }
+
+ static void pdc20621_nodata_prep(struct ata_queued_cmd *qc)
+@@ -504,8 +480,6 @@ static void pdc20621_nodata_prep(struct ata_queued_cmd *qc)
+ unsigned int portno = ap->port_no;
+ unsigned int i;
+
+- VPRINTK("ata%u: ENTER\n", ap->print_id);
+-
+ /* hard-code chip #0 */
+ mmio += PDC_CHIP0_OFS;
+
+@@ -527,7 +501,7 @@ static void pdc20621_nodata_prep(struct ata_queued_cmd *qc)
+
+ readl(dimm_mmio); /* MMIO PCI posting flush */
+
+- VPRINTK("ata pkt buf ofs %u, mmio copied\n", i);
++ ata_port_dbg(ap, "ata pkt buf ofs %u, mmio copied\n", i);
+ }
+
+ static enum ata_completion_errors pdc20621_qc_prep(struct ata_queued_cmd *qc)
+@@ -633,8 +607,6 @@ static void pdc20621_packet_start(struct ata_queued_cmd *qc)
+ /* hard-code chip #0 */
+ mmio += PDC_CHIP0_OFS;
+
+- VPRINTK("ata%u: ENTER\n", ap->print_id);
+-
+ wmb(); /* flush PRD, pkt writes */
+
+ port_ofs = PDC_20621_DIMM_BASE + (PDC_DIMM_WINDOW_STEP * port_no);
+@@ -645,7 +617,7 @@ static void pdc20621_packet_start(struct ata_queued_cmd *qc)
+
+ pdc20621_dump_hdma(qc);
+ pdc20621_push_hdma(qc, seq, port_ofs + PDC_DIMM_HOST_PKT);
+- VPRINTK("queued ofs 0x%x (%u), seq %u\n",
++ ata_port_dbg(ap, "queued ofs 0x%x (%u), seq %u\n",
+ port_ofs + PDC_DIMM_HOST_PKT,
+ port_ofs + PDC_DIMM_HOST_PKT,
+ seq);
+@@ -656,7 +628,7 @@ static void pdc20621_packet_start(struct ata_queued_cmd *qc)
+ writel(port_ofs + PDC_DIMM_ATA_PKT,
+ ap->ioaddr.cmd_addr + PDC_PKT_SUBMIT);
+ readl(ap->ioaddr.cmd_addr + PDC_PKT_SUBMIT);
+- VPRINTK("submitted ofs 0x%x (%u), seq %u\n",
++ ata_port_dbg(ap, "submitted ofs 0x%x (%u), seq %u\n",
+ port_ofs + PDC_DIMM_ATA_PKT,
+ port_ofs + PDC_DIMM_ATA_PKT,
+ seq);
+@@ -696,14 +668,12 @@ static inline unsigned int pdc20621_host_intr(struct ata_port *ap,
+ u8 status;
+ unsigned int handled = 0;
+
+- VPRINTK("ENTER\n");
+-
+ if ((qc->tf.protocol == ATA_PROT_DMA) && /* read */
+ (!(qc->tf.flags & ATA_TFLAG_WRITE))) {
+
+ /* step two - DMA from DIMM to host */
+ if (doing_hdma) {
+- VPRINTK("ata%u: read hdma, 0x%x 0x%x\n", ap->print_id,
++ ata_port_dbg(ap, "read hdma, 0x%x 0x%x\n",
+ readl(mmio + 0x104), readl(mmio + PDC_HDMA_CTLSTAT));
+ /* get drive status; clear intr; complete txn */
+ qc->err_mask |= ac_err_mask(ata_wait_idle(ap));
+@@ -714,7 +684,7 @@ static inline unsigned int pdc20621_host_intr(struct ata_port *ap,
+ /* step one - exec ATA command */
+ else {
+ u8 seq = (u8) (port_no + 1 + 4);
+- VPRINTK("ata%u: read ata, 0x%x 0x%x\n", ap->print_id,
++ ata_port_dbg(ap, "read ata, 0x%x 0x%x\n",
+ readl(mmio + 0x104), readl(mmio + PDC_HDMA_CTLSTAT));
+
+ /* submit hdma pkt */
+@@ -729,7 +699,7 @@ static inline unsigned int pdc20621_host_intr(struct ata_port *ap,
+ /* step one - DMA from host to DIMM */
+ if (doing_hdma) {
+ u8 seq = (u8) (port_no + 1);
+- VPRINTK("ata%u: write hdma, 0x%x 0x%x\n", ap->print_id,
++ ata_port_dbg(ap, "write hdma, 0x%x 0x%x\n",
+ readl(mmio + 0x104), readl(mmio + PDC_HDMA_CTLSTAT));
+
+ /* submit ata pkt */
+@@ -742,7 +712,7 @@ static inline unsigned int pdc20621_host_intr(struct ata_port *ap,
+
+ /* step two - execute ATA command */
+ else {
+- VPRINTK("ata%u: write ata, 0x%x 0x%x\n", ap->print_id,
++ ata_port_dbg(ap, "write ata, 0x%x 0x%x\n",
+ readl(mmio + 0x104), readl(mmio + PDC_HDMA_CTLSTAT));
+ /* get drive status; clear intr; complete txn */
+ qc->err_mask |= ac_err_mask(ata_wait_idle(ap));
+@@ -755,7 +725,7 @@ static inline unsigned int pdc20621_host_intr(struct ata_port *ap,
+ } else if (qc->tf.protocol == ATA_PROT_NODATA) {
+
+ status = ata_sff_busy_wait(ap, ATA_BUSY | ATA_DRQ, 1000);
+- DPRINTK("BUS_NODATA (drv_stat 0x%X)\n", status);
++ ata_port_dbg(ap, "BUS_NODATA (drv_stat 0x%X)\n", status);
+ qc->err_mask |= ac_err_mask(status);
+ ata_qc_complete(qc);
+ handled = 1;
+@@ -781,29 +751,21 @@ static irqreturn_t pdc20621_interrupt(int irq, void *dev_instance)
+ unsigned int handled = 0;
+ void __iomem *mmio_base;
+
+- VPRINTK("ENTER\n");
+-
+- if (!host || !host->iomap[PDC_MMIO_BAR]) {
+- VPRINTK("QUICK EXIT\n");
++ if (!host || !host->iomap[PDC_MMIO_BAR])
+ return IRQ_NONE;
+- }
+
+ mmio_base = host->iomap[PDC_MMIO_BAR];
+
+ /* reading should also clear interrupts */
+ mmio_base += PDC_CHIP0_OFS;
+ mask = readl(mmio_base + PDC_20621_SEQMASK);
+- VPRINTK("mask == 0x%x\n", mask);
+
+- if (mask == 0xffffffff) {
+- VPRINTK("QUICK EXIT 2\n");
++ if (mask == 0xffffffff)
+ return IRQ_NONE;
+- }
++
+ mask &= 0xffff; /* only 16 tags possible */
+- if (!mask) {
+- VPRINTK("QUICK EXIT 3\n");
++ if (!mask)
+ return IRQ_NONE;
+- }
+
+ spin_lock(&host->lock);
+
+@@ -816,7 +778,8 @@ static irqreturn_t pdc20621_interrupt(int irq, void *dev_instance)
+ else
+ ap = host->ports[port_no];
+ tmp = mask & (1 << i);
+- VPRINTK("seq %u, port_no %u, ap %p, tmp %x\n", i, port_no, ap, tmp);
++ if (ap)
++ ata_port_dbg(ap, "seq %u, tmp %x\n", i, tmp);
+ if (tmp && ap) {
+ struct ata_queued_cmd *qc;
+
+@@ -829,10 +792,6 @@ static irqreturn_t pdc20621_interrupt(int irq, void *dev_instance)
+
+ spin_unlock(&host->lock);
+
+- VPRINTK("mask == 0x%x\n", mask);
+-
+- VPRINTK("EXIT\n");
+-
+ return IRQ_RETVAL(handled);
+ }
+
+@@ -1272,7 +1231,7 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host)
+ /* Initialize Time Period Register */
+ writel(0xffffffff, mmio + PDC_TIME_PERIOD);
+ time_period = readl(mmio + PDC_TIME_PERIOD);
+- VPRINTK("Time Period Register (0x40): 0x%x\n", time_period);
++ dev_dbg(host->dev, "Time Period Register (0x40): 0x%x\n", time_period);
+
+ /* Enable timer */
+ writel(PDC_TIMER_DEFAULT, mmio + PDC_TIME_CONTROL);
+@@ -1287,7 +1246,7 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host)
+ */
+
+ tcount = readl(mmio + PDC_TIME_COUNTER);
+- VPRINTK("Time Counter Register (0x44): 0x%x\n", tcount);
++ dev_dbg(host->dev, "Time Counter Register (0x44): 0x%x\n", tcount);
+
+ /*
+ If SX4 is on PCI-X bus, after 3 seconds, the timer counter
+@@ -1295,17 +1254,19 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host)
+ */
+ if (tcount >= PCI_X_TCOUNT) {
+ ticks = (time_period - tcount);
+- VPRINTK("Num counters 0x%x (%d)\n", ticks, ticks);
++ dev_dbg(host->dev, "Num counters 0x%x (%d)\n", ticks, ticks);
+
+ clock = (ticks / 300000);
+- VPRINTK("10 * Internal clk = 0x%x (%d)\n", clock, clock);
++ dev_dbg(host->dev, "10 * Internal clk = 0x%x (%d)\n",
++ clock, clock);
+
+ clock = (clock * 33);
+- VPRINTK("10 * Internal clk * 33 = 0x%x (%d)\n", clock, clock);
++ dev_dbg(host->dev, "10 * Internal clk * 33 = 0x%x (%d)\n",
++ clock, clock);
+
+ /* PLL F Param (bit 22:16) */
+ fparam = (1400000 / clock) - 2;
+- VPRINTK("PLL F Param: 0x%x (%d)\n", fparam, fparam);
++ dev_dbg(host->dev, "PLL F Param: 0x%x (%d)\n", fparam, fparam);
+
+ /* OD param = 0x2 (bit 31:30), R param = 0x5 (bit 29:25) */
+ pci_status = (0x8a001824 | (fparam << 16));
+@@ -1313,7 +1274,7 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host)
+ pci_status = PCI_PLL_INIT;
+
+ /* Initialize PLL. */
+- VPRINTK("pci_status: 0x%x\n", pci_status);
++ dev_dbg(host->dev, "pci_status: 0x%x\n", pci_status);
+ writel(pci_status, mmio + PDC_CTL_STATUS);
+ readl(mmio + PDC_CTL_STATUS);
+
+@@ -1325,15 +1286,16 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host)
+ printk(KERN_ERR "Detect Local DIMM Fail\n");
+ return 1; /* DIMM error */
+ }
+- VPRINTK("Local DIMM Speed = %d\n", speed);
++ dev_dbg(host->dev, "Local DIMM Speed = %d\n", speed);
+
+ /* Programming DIMM0 Module Control Register (index_CID0:80h) */
+ size = pdc20621_prog_dimm0(host);
+- VPRINTK("Local DIMM Size = %dMB\n", size);
++ dev_dbg(host->dev, "Local DIMM Size = %dMB\n", size);
+
+ /* Programming DIMM Module Global Control Register (index_CID0:88h) */
+ if (pdc20621_prog_dimm_global(host)) {
+- printk(KERN_ERR "Programming DIMM Module Global Control Register Fail\n");
++ dev_err(host->dev,
++ "Programming DIMM Module Global Control Register Fail\n");
+ return 1;
+ }
+
+@@ -1370,13 +1332,14 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host)
+
+ if (!pdc20621_i2c_read(host, PDC_DIMM0_SPD_DEV_ADDRESS,
+ PDC_DIMM_SPD_TYPE, &spd0)) {
+- pr_err("Failed in i2c read: device=%#x, subaddr=%#x\n",
++ dev_err(host->dev,
++ "Failed in i2c read: device=%#x, subaddr=%#x\n",
+ PDC_DIMM0_SPD_DEV_ADDRESS, PDC_DIMM_SPD_TYPE);
+ return 1;
+ }
+ if (spd0 == 0x02) {
+ void *buf;
+- VPRINTK("Start ECC initialization\n");
++ dev_dbg(host->dev, "Start ECC initialization\n");
+ addr = 0;
+ length = size * 1024 * 1024;
+ buf = kzalloc(ECC_ERASE_BUF_SZ, GFP_KERNEL);
+@@ -1388,7 +1351,7 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host)
+ addr += ECC_ERASE_BUF_SZ;
+ }
+ kfree(buf);
+- VPRINTK("Finish ECC initialization\n");
++ dev_dbg(host->dev, "Finish ECC initialization\n");
+ }
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 53e24d1b4bd0fdc61e2206dc0bb116b09c8dd473 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 14:16:31 -0700
+Subject: codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 342debc12183b51773b3345ba267e9263bdfaaef ]
+
+After making all ->qlen_notify() callbacks idempotent, now it is safe to
+remove the check of qlen!=0 from both fq_codel_dequeue() and
+codel_qdisc_dequeue().
+
+Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
+Fixes: 4b549a2ef4be ("fq_codel: Fair Queue Codel AQM")
+Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM")
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250403211636.166257-1-xiyou.wangcong@gmail.com
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_codel.c | 5 +----
+ net/sched/sch_fq_codel.c | 6 ++----
+ 2 files changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/net/sched/sch_codel.c b/net/sched/sch_codel.c
+index 30169b3adbbb0..d9eff03deada4 100644
+--- a/net/sched/sch_codel.c
++++ b/net/sched/sch_codel.c
+@@ -95,10 +95,7 @@ static struct sk_buff *codel_qdisc_dequeue(struct Qdisc *sch)
+ &q->stats, qdisc_pkt_len, codel_get_enqueue_time,
+ drop_func, dequeue_func);
+
+- /* We cant call qdisc_tree_reduce_backlog() if our qlen is 0,
+- * or HTB crashes. Defer it for next round.
+- */
+- if (q->stats.drop_count && sch->q.qlen) {
++ if (q->stats.drop_count) {
+ qdisc_tree_reduce_backlog(sch, q->stats.drop_count, q->stats.drop_len);
+ q->stats.drop_count = 0;
+ q->stats.drop_len = 0;
+diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
+index 01d6eea5b0ce9..6adea8e7f1531 100644
+--- a/net/sched/sch_fq_codel.c
++++ b/net/sched/sch_fq_codel.c
+@@ -314,10 +314,8 @@ static struct sk_buff *fq_codel_dequeue(struct Qdisc *sch)
+ }
+ qdisc_bstats_update(sch, skb);
+ flow->deficit -= qdisc_pkt_len(skb);
+- /* We cant call qdisc_tree_reduce_backlog() if our qlen is 0,
+- * or HTB crashes. Defer it for next round.
+- */
+- if (q->cstats.drop_count && sch->q.qlen) {
++
++ if (q->cstats.drop_count) {
+ qdisc_tree_reduce_backlog(sch, q->cstats.drop_count,
+ q->cstats.drop_len);
+ q->cstats.drop_count = 0;
+--
+2.39.5
+
--- /dev/null
+From 416bc28fadcb42b9a563d5cc8a0321010c96c915 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 17:55:08 +0200
+Subject: net: ppp: Add bound checking for skb data on ppp_sync_txmung
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnaud Lecomte <contact@arnaud-lcm.com>
+
+[ Upstream commit aabc6596ffb377c4c9c8f335124b92ea282c9821 ]
+
+Ensure we have enough data in linear buffer from skb before accessing
+initial bytes. This prevents potential out-of-bounds accesses
+when processing short packets.
+
+When ppp_sync_txmung receives an incoming package with an empty
+payload:
+(remote) gef⤠p *(struct pppoe_hdr *) (skb->head + skb->network_header)
+$18 = {
+ type = 0x1,
+ ver = 0x1,
+ code = 0x0,
+ sid = 0x2,
+ length = 0x0,
+ tag = 0xffff8880371cdb96
+}
+
+from the skb struct (trimmed)
+ tail = 0x16,
+ end = 0x140,
+ head = 0xffff88803346f400 "4",
+ data = 0xffff88803346f416 ":\377",
+ truesize = 0x380,
+ len = 0x0,
+ data_len = 0x0,
+ mac_len = 0xe,
+ hdr_len = 0x0,
+
+it is not safe to access data[2].
+
+Reported-by: syzbot+29fc8991b0ecb186cf40@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=29fc8991b0ecb186cf40
+Tested-by: syzbot+29fc8991b0ecb186cf40@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
+Link: https://patch.msgid.link/20250408-bound-checking-ppp_txmung-v2-1-94bb6e1b92d0@arnaud-lcm.com
+[pabeni@redhat.com: fixed subj typo]
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_synctty.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c
+index 7174316362758..11725cab4912b 100644
+--- a/drivers/net/ppp/ppp_synctty.c
++++ b/drivers/net/ppp/ppp_synctty.c
+@@ -517,6 +517,11 @@ ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *skb)
+ unsigned char *data;
+ int islcp;
+
++ /* Ensure we can safely access protocol field and LCP code */
++ if (!pskb_may_pull(skb, 3)) {
++ kfree_skb(skb);
++ return NULL;
++ }
+ data = skb->data;
+ proto = get_unaligned_be16(data);
+
+--
+2.39.5
+
--- /dev/null
+From dd58af5da0c80157c9c0212c20f40632b22d00f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Apr 2025 11:03:33 -0700
+Subject: net: tls: explicitly disallow disconnect
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 5071a1e606b30c0c11278d3c6620cd6a24724cf6 ]
+
+syzbot discovered that it can disconnect a TLS socket and then
+run into all sort of unexpected corner cases. I have a vague
+recollection of Eric pointing this out to us a long time ago.
+Supporting disconnect is really hard, for one thing if offload
+is enabled we'd need to wait for all packets to be _acked_.
+Disconnect is not commonly used, disallow it.
+
+The immediate problem syzbot run into is the warning in the strp,
+but that's just the easiest bug to trigger:
+
+ WARNING: CPU: 0 PID: 5834 at net/tls/tls_strp.c:486 tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486
+ RIP: 0010:tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486
+ Call Trace:
+ <TASK>
+ tls_rx_rec_wait+0x280/0xa60 net/tls/tls_sw.c:1363
+ tls_sw_recvmsg+0x85c/0x1c30 net/tls/tls_sw.c:2043
+ inet6_recvmsg+0x2c9/0x730 net/ipv6/af_inet6.c:678
+ sock_recvmsg_nosec net/socket.c:1023 [inline]
+ sock_recvmsg+0x109/0x280 net/socket.c:1045
+ __sys_recvfrom+0x202/0x380 net/socket.c:2237
+
+Fixes: 3c4d7559159b ("tls: kernel TLS support")
+Reported-by: syzbot+b4cd76826045a1eb93c1@syzkaller.appspotmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://patch.msgid.link/20250404180334.3224206-1-kuba@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
+index ebf856cf821da..9d7b52370155b 100644
+--- a/net/tls/tls_main.c
++++ b/net/tls/tls_main.c
+@@ -623,6 +623,11 @@ static int tls_setsockopt(struct sock *sk, int level, int optname,
+ return do_tls_setsockopt(sk, optname, optval, optlen);
+ }
+
++static int tls_disconnect(struct sock *sk, int flags)
++{
++ return -EOPNOTSUPP;
++}
++
+ struct tls_context *tls_ctx_create(struct sock *sk)
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+@@ -717,6 +722,7 @@ static void build_protos(struct proto prot[TLS_NUM_CONFIG][TLS_NUM_CONFIG],
+ prot[TLS_BASE][TLS_BASE] = *base;
+ prot[TLS_BASE][TLS_BASE].setsockopt = tls_setsockopt;
+ prot[TLS_BASE][TLS_BASE].getsockopt = tls_getsockopt;
++ prot[TLS_BASE][TLS_BASE].disconnect = tls_disconnect;
+ prot[TLS_BASE][TLS_BASE].close = tls_sk_proto_close;
+
+ prot[TLS_SW][TLS_BASE] = prot[TLS_BASE][TLS_BASE];
+--
+2.39.5
+
--- /dev/null
+From 19628b6f5c169fe4fc1d9d3b8778079a565285ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Apr 2025 19:40:18 +0200
+Subject: nft_set_pipapo: fix incorrect avx2 match of 5th field octet
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit e042ed950d4e176379ba4c0722146cd96fb38aa2 ]
+
+Given a set element like:
+
+ icmpv6 . dead:beef:00ff::1
+
+The value of 'ff' is irrelevant, any address will be matched
+as long as the other octets are the same.
+
+This is because of too-early register clobbering:
+ymm7 is reloaded with new packet data (pkt[9]) but it still holds data
+of an earlier load that wasn't processed yet.
+
+The existing tests in nft_concat_range.sh selftests do exercise this code
+path, but do not trigger incorrect matching due to the network prefix
+limitation.
+
+Fixes: 7400b063969b ("nft_set_pipapo: Introduce AVX2-based lookup implementation")
+Reported-by: sontu mazumdar <sontu21@gmail.com>
+Closes: https://lore.kernel.org/netfilter/CANgxkqwnMH7fXra+VUfODT-8+qFLgskq3set1cAzqqJaV4iEZg@mail.gmail.com/T/#t
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_pipapo_avx2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
+index 13c7e22c93842..0a23d297084d4 100644
+--- a/net/netfilter/nft_set_pipapo_avx2.c
++++ b/net/netfilter/nft_set_pipapo_avx2.c
+@@ -985,8 +985,9 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill,
+ NFT_PIPAPO_AVX2_BUCKET_LOAD8(5, lt, 8, pkt[8], bsize);
+
+ NFT_PIPAPO_AVX2_AND(6, 2, 3);
++ NFT_PIPAPO_AVX2_AND(3, 4, 7);
+ NFT_PIPAPO_AVX2_BUCKET_LOAD8(7, lt, 9, pkt[9], bsize);
+- NFT_PIPAPO_AVX2_AND(0, 4, 5);
++ NFT_PIPAPO_AVX2_AND(0, 3, 5);
+ NFT_PIPAPO_AVX2_BUCKET_LOAD8(1, lt, 10, pkt[10], bsize);
+ NFT_PIPAPO_AVX2_AND(2, 6, 7);
+ NFT_PIPAPO_AVX2_BUCKET_LOAD8(3, lt, 11, pkt[11], bsize);
+--
+2.39.5
+
--- /dev/null
+From bffede080f132dce038450f5c83b7865fd6ac1fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 17:29:03 +0200
+Subject: nvmet-fcloop: swap list_add_tail arguments
+
+From: Daniel Wagner <wagi@kernel.org>
+
+[ Upstream commit 2b5f0c5bc819af2b0759a8fcddc1b39102735c0f ]
+
+The newly element to be added to the list is the first argument of
+list_add_tail. This fix is missing dcfad4ab4d67 ("nvmet-fcloop: swap
+the list_add_tail arguments").
+
+Fixes: 437c0b824dbd ("nvme-fcloop: add target to host LS request support")
+Signed-off-by: Daniel Wagner <wagi@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/fcloop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/target/fcloop.c b/drivers/nvme/target/fcloop.c
+index f2c5136bf2b82..f1aaabc5bec7d 100644
+--- a/drivers/nvme/target/fcloop.c
++++ b/drivers/nvme/target/fcloop.c
+@@ -478,7 +478,7 @@ fcloop_t2h_xmt_ls_rsp(struct nvme_fc_local_port *localport,
+ if (targetport) {
+ tport = targetport->private;
+ spin_lock(&tport->lock);
+- list_add_tail(&tport->ls_list, &tls_req->ls_list);
++ list_add_tail(&tls_req->ls_list, &tport->ls_list);
+ spin_unlock(&tport->lock);
+ schedule_work(&tport->ls_work);
+ }
+--
+2.39.5
+
--- /dev/null
+ata-pata_pxa-fix-potential-null-pointer-dereference-.patch
+tipc-fix-memory-leak-in-tipc_link_xmit.patch
+codel-remove-sch-q.qlen-check-before-qdisc_tree_redu.patch
+net-tls-explicitly-disallow-disconnect.patch
+ata-sata_sx4-drop-pointless-vprintk-calls-and-conver.patch
+ata-sata_sx4-add-error-handling-in-pdc20621_i2c_read.patch
+nvmet-fcloop-swap-list_add_tail-arguments.patch
+net-ppp-add-bound-checking-for-skb-data-on-ppp_sync_.patch
+nft_set_pipapo-fix-incorrect-avx2-match-of-5th-field.patch
--- /dev/null
+From 179bb8cea26420c265d920016abe84771256fa73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 09:24:31 +0000
+Subject: tipc: fix memory leak in tipc_link_xmit
+
+From: Tung Nguyen <tung.quang.nguyen@est.tech>
+
+[ Upstream commit 69ae94725f4fc9e75219d2d69022029c5b24bc9a ]
+
+In case the backlog transmit queue for system-importance messages is overloaded,
+tipc_link_xmit() returns -ENOBUFS but the skb list is not purged. This leads to
+memory leak and failure when a skb is allocated.
+
+This commit fixes this issue by purging the skb list before tipc_link_xmit()
+returns.
+
+Fixes: 365ad353c256 ("tipc: reduce risk of user starvation during link congestion")
+Signed-off-by: Tung Nguyen <tung.quang.nguyen@est.tech>
+Link: https://patch.msgid.link/20250403092431.514063-1-tung.quang.nguyen@est.tech
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/link.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/tipc/link.c b/net/tipc/link.c
+index 5f849c7300283..336d1bb2cf6a3 100644
+--- a/net/tipc/link.c
++++ b/net/tipc/link.c
+@@ -1033,6 +1033,7 @@ int tipc_link_xmit(struct tipc_link *l, struct sk_buff_head *list,
+ if (unlikely(l->backlog[imp].len >= l->backlog[imp].limit)) {
+ if (imp == TIPC_SYSTEM_IMPORTANCE) {
+ pr_warn("%s<%s>, link overflow", link_rst_msg, l->name);
++ __skb_queue_purge(list);
+ return -ENOBUFS;
+ }
+ rc = link_schedule_user(l, hdr);
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
