From: Greg Kroah-Hartman Date: Sat, 21 Mar 2026 08:30:59 +0000 (+0100) Subject: 6.12-stable patches X-Git-Tag: v6.1.167~59 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2e8fc7a13d4b81d9ef273441edd38cf75a25c5fe;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: ata-libata-scsi-report-correct-sense-field-pointer-in-ata_scsiop_maint_in.patch ata-libata-scsi-return-residual-for-emulated-scsi-commands.patch --- diff --git a/queue-6.12/ata-libata-scsi-report-correct-sense-field-pointer-in-ata_scsiop_maint_in.patch b/queue-6.12/ata-libata-scsi-report-correct-sense-field-pointer-in-ata_scsiop_maint_in.patch new file mode 100644 index 0000000000..b16f1ff2a6 --- /dev/null +++ b/queue-6.12/ata-libata-scsi-report-correct-sense-field-pointer-in-ata_scsiop_maint_in.patch @@ -0,0 +1,41 @@ +From stable+bounces-227631-greg=kroah.com@vger.kernel.org Fri Mar 20 22:55:12 2026 +From: Sasha Levin +Date: Fri, 20 Mar 2026 17:54:45 -0400 +Subject: ata: libata-scsi: report correct sense field pointer in ata_scsiop_maint_in() +To: stable@vger.kernel.org +Cc: Damien Le Moal , Guenter Roeck , Niklas Cassel , Sasha Levin +Message-ID: <20260320215445.132838-2-sashal@kernel.org> + +From: Damien Le Moal + +[ Upstream commit e6d7eba23b666d85cacee0643be280d6ce1ebffc ] + +Commit 4ab7bb976343 ("ata: libata-scsi: Refactor ata_scsiop_maint_in()") +modified ata_scsiop_maint_in() to directly call +ata_scsi_set_invalid_field() to set the field pointer of the sense data +of a failed MAINTENANCE IN command. However, in the case of an invalid +command format, the sense data field incorrectly indicates byte 1 of +the CDB. Fix this to indicate byte 2 of the command. + +Reported-by: Guenter Roeck +Fixes: 4ab7bb976343 ("ata: libata-scsi: Refactor ata_scsiop_maint_in()") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Signed-off-by: Niklas Cassel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-scsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -3611,7 +3611,7 @@ static unsigned int ata_scsiop_maint_in( + + if (cdb[2] != 1 && cdb[2] != 3) { + ata_dev_warn(dev, "invalid command format %d\n", cdb[2]); +- ata_scsi_set_invalid_field(dev, cmd, 1, 0xff); ++ ata_scsi_set_invalid_field(dev, cmd, 2, 0xff); + return 0; + } + diff --git a/queue-6.12/ata-libata-scsi-return-residual-for-emulated-scsi-commands.patch b/queue-6.12/ata-libata-scsi-return-residual-for-emulated-scsi-commands.patch new file mode 100644 index 0000000000..f3147deba4 --- /dev/null +++ b/queue-6.12/ata-libata-scsi-return-residual-for-emulated-scsi-commands.patch @@ -0,0 +1,294 @@ +From stable+bounces-227630-greg=kroah.com@vger.kernel.org Fri Mar 20 22:55:07 2026 +From: Sasha Levin +Date: Fri, 20 Mar 2026 17:54:44 -0400 +Subject: ata: libata-scsi: Return residual for emulated SCSI commands +To: stable@vger.kernel.org +Cc: Damien Le Moal , Niklas Cassel , Sasha Levin +Message-ID: <20260320215445.132838-1-sashal@kernel.org> + +From: Damien Le Moal + +[ Upstream commit 5251ae224d8d3caa21b28d12408062b6e75cffad ] + +The function ata_scsi_rbuf_fill() used to fill the reply buffer of +emulated SCSI commands always copies the ATA reply buffer +(ata_scsi_rbuf) up to the size of the SCSI command buffer (the transfer +length for the command), even if the reply is shorter than the SCSI +command buffer. This leads to issuers of the SCSI command to always get +a result without any residual (resid is always 0) despite the +potentially shorter reply for the command. + +Modify all fill actors used by ata_scsi_rbuf_fill() to return the number +of bytes filled for the reply and 0 in case of error. Using this value, +add a call to scsi_set_resid() in ata_scsi_rbuf_fill() to set the +correct residual for the SCSI command when the reply length is shorter +than the command buffer. + +Signed-off-by: Damien Le Moal +Link: https://lore.kernel.org/r/20241022024537.251905-7-dlemoal@kernel.org +Signed-off-by: Niklas Cassel +Stable-dep-of: e6d7eba23b66 ("ata: libata-scsi: report correct sense field pointer in ata_scsiop_maint_in()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-scsi.c | 81 ++++++++++++++++++++++++++-------------------- + 1 file changed, 47 insertions(+), 34 deletions(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -1920,17 +1920,19 @@ static void ata_scsi_rbuf_fill(struct at + unsigned int (*actor)(struct ata_device *dev, + struct scsi_cmnd *cmd, u8 *rbuf)) + { +- unsigned int rc; + unsigned long flags; ++ unsigned int len; + + spin_lock_irqsave(&ata_scsi_rbuf_lock, flags); + + memset(ata_scsi_rbuf, 0, ATA_SCSI_RBUF_SIZE); +- rc = actor(dev, cmd, ata_scsi_rbuf); +- if (rc == 0) { ++ len = actor(dev, cmd, ata_scsi_rbuf); ++ if (len) { + sg_copy_from_buffer(scsi_sglist(cmd), scsi_sg_count(cmd), + ata_scsi_rbuf, ATA_SCSI_RBUF_SIZE); + cmd->result = SAM_STAT_GOOD; ++ if (scsi_bufflen(cmd) > len) ++ scsi_set_resid(cmd, scsi_bufflen(cmd) - len); + } + + spin_unlock_irqrestore(&ata_scsi_rbuf_lock, flags); +@@ -2018,7 +2020,11 @@ static unsigned int ata_scsiop_inq_std(s + else + memcpy(rbuf + 58, versions, sizeof(versions)); + +- return 0; ++ /* ++ * Include all 8 possible version descriptors, even if not all of ++ * them are popoulated. ++ */ ++ return 96; + } + + /** +@@ -2055,7 +2061,8 @@ static unsigned int ata_scsiop_inq_00(st + num_pages++; + } + rbuf[3] = num_pages; /* number of supported VPD pages */ +- return 0; ++ ++ return get_unaligned_be16(&rbuf[2]) + 4; + } + + /** +@@ -2082,7 +2089,8 @@ static unsigned int ata_scsiop_inq_80(st + memcpy(rbuf, hdr, sizeof(hdr)); + ata_id_string(dev->id, (unsigned char *) &rbuf[4], + ATA_ID_SERNO, ATA_ID_SERNO_LEN); +- return 0; ++ ++ return get_unaligned_be16(&rbuf[2]) + 4; + } + + /** +@@ -2143,7 +2151,8 @@ static unsigned int ata_scsiop_inq_83(st + num += ATA_ID_WWN_LEN; + } + rbuf[3] = num - 4; /* page len (assume less than 256 bytes) */ +- return 0; ++ ++ return get_unaligned_be16(&rbuf[2]) + 4; + } + + /** +@@ -2180,7 +2189,8 @@ static unsigned int ata_scsiop_inq_89(st + rbuf[56] = ATA_CMD_ID_ATA; + + memcpy(&rbuf[60], &dev->id[0], 512); +- return 0; ++ ++ return get_unaligned_be16(&rbuf[2]) + 4; + } + + /** +@@ -2231,7 +2241,7 @@ static unsigned int ata_scsiop_inq_b0(st + put_unaligned_be32(1, &rbuf[28]); + } + +- return 0; ++ return get_unaligned_be16(&rbuf[2]) + 4; + } + + /** +@@ -2261,7 +2271,7 @@ static unsigned int ata_scsiop_inq_b1(st + if (zoned) + rbuf[8] = (zoned << 4); + +- return 0; ++ return get_unaligned_be16(&rbuf[2]) + 4; + } + + /** +@@ -2284,7 +2294,7 @@ static unsigned int ata_scsiop_inq_b2(st + rbuf[3] = 0x4; + rbuf[5] = 1 << 6; /* TPWS */ + +- return 0; ++ return get_unaligned_be16(&rbuf[2]) + 4; + } + + /** +@@ -2304,7 +2314,7 @@ static unsigned int ata_scsiop_inq_b6(st + { + if (!ata_dev_is_zac(dev)) { + ata_scsi_set_invalid_field(dev, cmd, 2, 0xff); +- return 1; ++ return 0; + } + + /* +@@ -2322,7 +2332,7 @@ static unsigned int ata_scsiop_inq_b6(st + put_unaligned_be32(dev->zac_zones_optimal_nonseq, &rbuf[12]); + put_unaligned_be32(dev->zac_zones_max_open, &rbuf[16]); + +- return 0; ++ return get_unaligned_be16(&rbuf[2]) + 4; + } + + /** +@@ -2346,7 +2356,7 @@ static unsigned int ata_scsiop_inq_b9(st + + if (!cpr_log) { + ata_scsi_set_invalid_field(dev, cmd, 2, 0xff); +- return 1; ++ return 0; + } + + /* SCSI Concurrent Positioning Ranges VPD page: SBC-5 rev 1 or later */ +@@ -2360,7 +2370,7 @@ static unsigned int ata_scsiop_inq_b9(st + put_unaligned_be64(cpr_log->cpr[i].num_lbas, &desc[16]); + } + +- return 0; ++ return get_unaligned_be16(&rbuf[2]) + 4; + } + + /** +@@ -2382,7 +2392,7 @@ static unsigned int ata_scsiop_inquiry(s + /* is CmdDt set? */ + if (scsicmd[1] & 2) { + ata_scsi_set_invalid_field(dev, cmd, 1, 0xff); +- return 1; ++ return 0; + } + + /* Is EVPD clear? */ +@@ -2410,7 +2420,7 @@ static unsigned int ata_scsiop_inquiry(s + return ata_scsiop_inq_b9(dev, cmd, rbuf); + default: + ata_scsi_set_invalid_field(dev, cmd, 2, 0xff); +- return 1; ++ return 0; + } + } + +@@ -2741,24 +2751,27 @@ static unsigned int ata_scsiop_mode_sens + rbuf[3] = sizeof(sat_blk_desc); + memcpy(rbuf + 4, sat_blk_desc, sizeof(sat_blk_desc)); + } +- } else { +- put_unaligned_be16(p - rbuf - 2, &rbuf[0]); +- rbuf[3] |= dpofua; +- if (ebd) { +- rbuf[7] = sizeof(sat_blk_desc); +- memcpy(rbuf + 8, sat_blk_desc, sizeof(sat_blk_desc)); +- } ++ ++ return rbuf[0] + 1; + } +- return 0; ++ ++ put_unaligned_be16(p - rbuf - 2, &rbuf[0]); ++ rbuf[3] |= dpofua; ++ if (ebd) { ++ rbuf[7] = sizeof(sat_blk_desc); ++ memcpy(rbuf + 8, sat_blk_desc, sizeof(sat_blk_desc)); ++ } ++ ++ return get_unaligned_be16(&rbuf[0]) + 2; + + invalid_fld: + ata_scsi_set_invalid_field(dev, cmd, fp, bp); +- return 1; ++ return 0; + + saving_not_supp: + ata_scsi_set_sense(dev, cmd, ILLEGAL_REQUEST, 0x39, 0x0); + /* "Saving parameters not supported" */ +- return 1; ++ return 0; + } + + /** +@@ -2801,7 +2814,7 @@ static unsigned int ata_scsiop_read_cap( + rbuf[6] = sector_size >> (8 * 1); + rbuf[7] = sector_size; + +- return 0; ++ return 8; + } + + /* +@@ -2811,7 +2824,7 @@ static unsigned int ata_scsiop_read_cap( + if (scsicmd[0] != SERVICE_ACTION_IN_16 || + (scsicmd[1] & 0x1f) != SAI_READ_CAPACITY_16) { + ata_scsi_set_invalid_field(dev, cmd, 1, 0xff); +- return 1; ++ return 0; + } + + /* sector count, 64-bit */ +@@ -2846,7 +2859,7 @@ static unsigned int ata_scsiop_read_cap( + } + } + +- return 0; ++ return 16; + } + + /** +@@ -2865,7 +2878,7 @@ static unsigned int ata_scsiop_report_lu + { + rbuf[3] = 8; /* just one lun, LUN 0, size 8 bytes */ + +- return 0; ++ return 16; + } + + /* +@@ -3593,13 +3606,13 @@ static unsigned int ata_scsiop_maint_in( + + if ((cdb[1] & 0x1f) != MI_REPORT_SUPPORTED_OPERATION_CODES) { + ata_scsi_set_invalid_field(dev, cmd, 1, 0xff); +- return 1; ++ return 0; + } + + if (cdb[2] != 1 && cdb[2] != 3) { + ata_dev_warn(dev, "invalid command format %d\n", cdb[2]); + ata_scsi_set_invalid_field(dev, cmd, 1, 0xff); +- return 1; ++ return 0; + } + + switch (cdb[3]) { +@@ -3672,7 +3685,7 @@ static unsigned int ata_scsiop_maint_in( + rbuf[0] = rwcdlp; + rbuf[1] = cdlp | supported; + +- return 0; ++ return 4; + } + + /** diff --git a/queue-6.12/series b/queue-6.12/series index 6b290905e5..8ef05305c0 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -361,3 +361,5 @@ drm-amdgpu-apply-state-adjust-rules-to-some-additional-hainan-vairants.patch drm-xe-oa-allow-reading-after-disabling-oa-stream.patch drm-xe-open-code-ggtt-mmio-access-protection.patch bluetooth-l2cap-fix-accepting-multiple-l2cap_ecred_conn_req.patch +ata-libata-scsi-return-residual-for-emulated-scsi-commands.patch +ata-libata-scsi-report-correct-sense-field-pointer-in-ata_scsiop_maint_in.patch