From: Greg Kroah-Hartman Date: Thu, 17 Apr 2025 11:15:05 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v6.12.24~79 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=61ebb64af709f6dbd7b1321ea65c899406d4beea;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: arm64-dts-exynos-gs101-disable-pinctrl_gsacore-node.patch arm64-dts-mediatek-mt8173-fix-disp-pwm-compatible-string.patch i3c-add-null-pointer-check-in-i3c_master_queue_ibi.patch i3c-master-svc-use-readsb-helper-for-reading-mdb.patch jbd2-remove-wrong-sb-s_sequence-check.patch lib-scatterlist-fix-sg_split_phys-to-preserve-original-scatterlist-offsets.patch locking-lockdep-decrease-nr_unused_locks-if-lock-unused-in-zap_class.patch mfd-ene-kb3930-fix-a-potential-null-pointer-dereference.patch mptcp-fix-null-pointer-in-can_accept_new_subflow.patch mptcp-only-inc-mpjoinackhmacfailure-for-hmac-failures.patch mtd-inftlcore-add-error-check-for-inftl_read_oob.patch mtd-rawnand-add-status-chack-in-r852_ready.patch --- diff --git a/queue-5.15/arm64-dts-exynos-gs101-disable-pinctrl_gsacore-node.patch b/queue-5.15/arm64-dts-exynos-gs101-disable-pinctrl_gsacore-node.patch new file mode 100644 index 0000000000..9d4a4f13f0 --- /dev/null +++ b/queue-5.15/arm64-dts-exynos-gs101-disable-pinctrl_gsacore-node.patch @@ -0,0 +1,52 @@ +From 168e24966f10ff635b0ec9728aa71833bf850ee5 Mon Sep 17 00:00:00 2001 +From: Peter Griffin +Date: Mon, 6 Jan 2025 14:57:46 +0000 +Subject: arm64: dts: exynos: gs101: disable pinctrl_gsacore node + +From: Peter Griffin + +commit 168e24966f10ff635b0ec9728aa71833bf850ee5 upstream. + +gsacore registers are not accessible from normal world. + +Disable this node, so that the suspend/resume callbacks +in the pinctrl driver don't cause a Serror attempting to +access the registers. + +Fixes: ea89fdf24fd9 ("arm64: dts: exynos: google: Add initial Google gs101 SoC support") +Signed-off-by: Peter Griffin +To: Rob Herring +To: Krzysztof Kozlowski +To: Conor Dooley +To: Alim Akhtar +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-samsung-soc@vger.kernel.org +Cc: devicetree@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: tudor.ambarus@linaro.org +Cc: andre.draszik@linaro.org +Cc: kernel-team@android.com +Cc: willmcvicker@google.com +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250106-contrib-pg-pinctrl_gsacore_disable-v1-1-d3fc88a48aed@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/exynos/google/gs101.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/exynos/google/gs101.dtsi b/arch/arm64/boot/dts/exynos/google/gs101.dtsi +index c5335dd59dfe..813f96089578 100644 +--- a/arch/arm64/boot/dts/exynos/google/gs101.dtsi ++++ b/arch/arm64/boot/dts/exynos/google/gs101.dtsi +@@ -1454,6 +1454,7 @@ pinctrl_gsacore: pinctrl@17a80000 { + /* TODO: update once support for this CMU exists */ + clocks = <0>; + clock-names = "pclk"; ++ status = "disabled"; + }; + + cmu_top: clock-controller@1e080000 { +-- +2.49.0 + diff --git a/queue-5.15/arm64-dts-mediatek-mt8173-fix-disp-pwm-compatible-string.patch b/queue-5.15/arm64-dts-mediatek-mt8173-fix-disp-pwm-compatible-string.patch new file mode 100644 index 0000000000..bde849c2da --- /dev/null +++ b/queue-5.15/arm64-dts-mediatek-mt8173-fix-disp-pwm-compatible-string.patch @@ -0,0 +1,63 @@ +From 46ad36002088eff8fc5cae200aa42ae9f9310ddd Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Wed, 8 Jan 2025 16:34:22 +0800 +Subject: arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string + +From: Chen-Yu Tsai + +commit 46ad36002088eff8fc5cae200aa42ae9f9310ddd upstream. + +The MT8173 disp-pwm device should have only one compatible string, based +on the following DT validation error: + + arch/arm64/boot/dts/mediatek/mt8173-elm.dtb: pwm@1401e000: compatible: 'oneOf' conditional failed, one must be fixed: + ['mediatek,mt8173-disp-pwm', 'mediatek,mt6595-disp-pwm'] is too long + 'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt6795-disp-pwm', 'mediatek,mt8167-disp-pwm'] + 'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt8186-disp-pwm', 'mediatek,mt8188-disp-pwm', 'mediatek,mt8192-disp-pwm', 'mediatek,mt8195-disp-pwm', 'mediatek,mt8365-disp-pwm'] + 'mediatek,mt8173-disp-pwm' was expected + 'mediatek,mt8183-disp-pwm' was expected + from schema $id: http://devicetree.org/schemas/pwm/mediatek,pwm-disp.yaml# + arch/arm64/boot/dts/mediatek/mt8173-elm.dtb: pwm@1401f000: compatible: 'oneOf' conditional failed, one must be fixed: + ['mediatek,mt8173-disp-pwm', 'mediatek,mt6595-disp-pwm'] is too long + 'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt6795-disp-pwm', 'mediatek,mt8167-disp-pwm'] + 'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt8186-disp-pwm', 'mediatek,mt8188-disp-pwm', 'mediatek,mt8192-disp-pwm', 'mediatek,mt8195-disp-pwm', 'mediatek,mt8365-disp-pwm'] + 'mediatek,mt8173-disp-pwm' was expected + 'mediatek,mt8183-disp-pwm' was expected + from schema $id: http://devicetree.org/schemas/pwm/mediatek,pwm-disp.yaml# + +Drop the extra "mediatek,mt6595-disp-pwm" compatible string. + +Fixes: 61aee9342514 ("arm64: dts: mt8173: add MT8173 display PWM driver support node") +Cc: YH Huang +Cc: stable@vger.kernel.org # v4.5+ +Signed-off-by: Chen-Yu Tsai +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20250108083424.2732375-2-wenst@chromium.org +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/mediatek/mt8173.dtsi | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/arch/arm64/boot/dts/mediatek/mt8173.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8173.dtsi +@@ -1260,8 +1260,7 @@ + }; + + pwm0: pwm@1401e000 { +- compatible = "mediatek,mt8173-disp-pwm", +- "mediatek,mt6595-disp-pwm"; ++ compatible = "mediatek,mt8173-disp-pwm"; + reg = <0 0x1401e000 0 0x1000>; + #pwm-cells = <2>; + clocks = <&mmsys CLK_MM_DISP_PWM026M>, +@@ -1271,8 +1270,7 @@ + }; + + pwm1: pwm@1401f000 { +- compatible = "mediatek,mt8173-disp-pwm", +- "mediatek,mt6595-disp-pwm"; ++ compatible = "mediatek,mt8173-disp-pwm"; + reg = <0 0x1401f000 0 0x1000>; + #pwm-cells = <2>; + clocks = <&mmsys CLK_MM_DISP_PWM126M>, diff --git a/queue-5.15/i3c-add-null-pointer-check-in-i3c_master_queue_ibi.patch b/queue-5.15/i3c-add-null-pointer-check-in-i3c_master_queue_ibi.patch new file mode 100644 index 0000000000..02b85f5a2b --- /dev/null +++ b/queue-5.15/i3c-add-null-pointer-check-in-i3c_master_queue_ibi.patch @@ -0,0 +1,56 @@ +From bd496a44f041da9ef3afe14d1d6193d460424e91 Mon Sep 17 00:00:00 2001 +From: Manjunatha Venkatesh +Date: Wed, 26 Mar 2025 18:00:46 +0530 +Subject: i3c: Add NULL pointer check in i3c_master_queue_ibi() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Manjunatha Venkatesh + +commit bd496a44f041da9ef3afe14d1d6193d460424e91 upstream. + +The I3C master driver may receive an IBI from a target device that has not +been probed yet. In such cases, the master calls `i3c_master_queue_ibi()` +to queue an IBI work task, leading to "Unable to handle kernel read from +unreadable memory" and resulting in a kernel panic. + +Typical IBI handling flow: +1. The I3C master scans target devices and probes their respective drivers. +2. The target device driver calls `i3c_device_request_ibi()` to enable IBI + and assigns `dev->ibi = ibi`. +3. The I3C master receives an IBI from the target device and calls + `i3c_master_queue_ibi()` to queue the target device driver’s IBI + handler task. + +However, since target device events are asynchronous to the I3C probe +sequence, step 3 may occur before step 2, causing `dev->ibi` to be `NULL`, +leading to a kernel panic. + +Add a NULL pointer check in `i3c_master_queue_ibi()` to prevent accessing +an uninitialized `dev->ibi`, ensuring stability. + +Fixes: 3a379bbcea0af ("i3c: Add core I3C infrastructure") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/lkml/Z9gjGYudiYyl3bSe@lizhi-Precision-Tower-5810/ +Signed-off-by: Manjunatha Venkatesh +Reviewed-by: Frank Li +Link: https://lore.kernel.org/r/20250326123047.2797946-1-manjunatha.venkatesh@nxp.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i3c/master.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/i3c/master.c ++++ b/drivers/i3c/master.c +@@ -2240,6 +2240,9 @@ static void i3c_master_unregister_i3c_de + */ + void i3c_master_queue_ibi(struct i3c_dev_desc *dev, struct i3c_ibi_slot *slot) + { ++ if (!dev->ibi || !slot) ++ return; ++ + atomic_inc(&dev->ibi->pending_ibis); + queue_work(dev->common.master->wq, &slot->work); + } diff --git a/queue-5.15/i3c-master-svc-use-readsb-helper-for-reading-mdb.patch b/queue-5.15/i3c-master-svc-use-readsb-helper-for-reading-mdb.patch new file mode 100644 index 0000000000..f54f2acfb7 --- /dev/null +++ b/queue-5.15/i3c-master-svc-use-readsb-helper-for-reading-mdb.patch @@ -0,0 +1,36 @@ +From c06acf7143bddaa3c0f7bedd8b99e48f6acb85c3 Mon Sep 17 00:00:00 2001 +From: Stanley Chu +Date: Tue, 18 Mar 2025 13:36:05 +0800 +Subject: i3c: master: svc: Use readsb helper for reading MDB + +From: Stanley Chu + +commit c06acf7143bddaa3c0f7bedd8b99e48f6acb85c3 upstream. + +The target can send the MDB byte followed by additional data bytes. +The readl on MRDATAB reads one actual byte, but the readsl advances +the destination pointer by 4 bytes. This causes the subsequent payload +to be copied to wrong position in the destination buffer. + +Cc: stable@kernel.org +Fixes: dd3c52846d59 ("i3c: master: svc: Add Silvaco I3C master driver") +Signed-off-by: Stanley Chu +Reviewed-by: Frank Li +Link: https://lore.kernel.org/r/20250318053606.3087121-3-yschu@nuvoton.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i3c/master/svc-i3c-master.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i3c/master/svc-i3c-master.c ++++ b/drivers/i3c/master/svc-i3c-master.c +@@ -315,7 +315,7 @@ static int svc_i3c_master_handle_ibi(str + slot->len < SVC_I3C_FIFO_SIZE) { + mdatactrl = readl(master->regs + SVC_I3C_MDATACTRL); + count = SVC_I3C_MDATACTRL_RXCOUNT(mdatactrl); +- readsl(master->regs + SVC_I3C_MRDATAB, buf, count); ++ readsb(master->regs + SVC_I3C_MRDATAB, buf, count); + slot->len += count; + buf += count; + } diff --git a/queue-5.15/jbd2-remove-wrong-sb-s_sequence-check.patch b/queue-5.15/jbd2-remove-wrong-sb-s_sequence-check.patch new file mode 100644 index 0000000000..da6f31937e --- /dev/null +++ b/queue-5.15/jbd2-remove-wrong-sb-s_sequence-check.patch @@ -0,0 +1,34 @@ +From e6eff39dd0fe4190c6146069cc16d160e71d1148 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 6 Feb 2025 10:46:58 +0100 +Subject: jbd2: remove wrong sb->s_sequence check + +From: Jan Kara + +commit e6eff39dd0fe4190c6146069cc16d160e71d1148 upstream. + +Journal emptiness is not determined by sb->s_sequence == 0 but rather by +sb->s_start == 0 (which is set a few lines above). Furthermore 0 is a +valid transaction ID so the check can spuriously trigger. Remove the +invalid WARN_ON. + +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Reviewed-by: Zhang Yi +Link: https://patch.msgid.link/20250206094657.20865-3-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/journal.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -1701,7 +1701,6 @@ int jbd2_journal_update_sb_log_tail(jour + + /* Log is no longer empty */ + write_lock(&journal->j_state_lock); +- WARN_ON(!sb->s_sequence); + journal->j_flags &= ~JBD2_FLUSHED; + write_unlock(&journal->j_state_lock); + diff --git a/queue-5.15/lib-scatterlist-fix-sg_split_phys-to-preserve-original-scatterlist-offsets.patch b/queue-5.15/lib-scatterlist-fix-sg_split_phys-to-preserve-original-scatterlist-offsets.patch new file mode 100644 index 0000000000..d921bdb250 --- /dev/null +++ b/queue-5.15/lib-scatterlist-fix-sg_split_phys-to-preserve-original-scatterlist-offsets.patch @@ -0,0 +1,56 @@ +From 8b46fdaea819a679da176b879e7b0674a1161a5e Mon Sep 17 00:00:00 2001 +From: T Pratham +Date: Wed, 19 Mar 2025 16:44:38 +0530 +Subject: lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets + +From: T Pratham + +commit 8b46fdaea819a679da176b879e7b0674a1161a5e upstream. + +The split_sg_phys function was incorrectly setting the offsets of all +scatterlist entries (except the first) to 0. Only the first scatterlist +entry's offset and length needs to be modified to account for the skip. +Setting the rest entries' offsets to 0 could lead to incorrect data +access. + +I am using this function in a crypto driver that I'm currently developing +(not yet sent to mailing list). During testing, it was observed that the +output scatterlists (except the first one) contained incorrect garbage +data. + +I narrowed this issue down to the call of sg_split(). Upon debugging +inside this function, I found that this resetting of offset is the cause +of the problem, causing the subsequent scatterlists to point to incorrect +memory locations in a page. By removing this code, I am obtaining +expected data in all the split output scatterlists. Thus, this was indeed +causing observable runtime effects! + +This patch removes the offending code, ensuring that the page offsets in +the input scatterlist are preserved in the output scatterlist. + +Link: https://lkml.kernel.org/r/20250319111437.1969903-1-t-pratham@ti.com +Fixes: f8bcbe62acd0 ("lib: scatterlist: add sg splitting function") +Signed-off-by: T Pratham +Cc: Robert Jarzmik +Cc: Jens Axboe +Cc: Kamlesh Gurudasani +Cc: Praneeth Bajjuri +Cc: Vignesh Raghavendra +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + lib/sg_split.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/lib/sg_split.c ++++ b/lib/sg_split.c +@@ -88,8 +88,6 @@ static void sg_split_phys(struct sg_spli + if (!j) { + out_sg->offset += split->skip_sg0; + out_sg->length -= split->skip_sg0; +- } else { +- out_sg->offset = 0; + } + sg_dma_address(out_sg) = 0; + sg_dma_len(out_sg) = 0; diff --git a/queue-5.15/locking-lockdep-decrease-nr_unused_locks-if-lock-unused-in-zap_class.patch b/queue-5.15/locking-lockdep-decrease-nr_unused_locks-if-lock-unused-in-zap_class.patch new file mode 100644 index 0000000000..b2c55e7174 --- /dev/null +++ b/queue-5.15/locking-lockdep-decrease-nr_unused_locks-if-lock-unused-in-zap_class.patch @@ -0,0 +1,47 @@ +From 495f53d5cca0f939eaed9dca90b67e7e6fb0e30c Mon Sep 17 00:00:00 2001 +From: Boqun Feng +Date: Wed, 26 Mar 2025 11:08:30 -0700 +Subject: locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() + +From: Boqun Feng + +commit 495f53d5cca0f939eaed9dca90b67e7e6fb0e30c upstream. + +Currently, when a lock class is allocated, nr_unused_locks will be +increased by 1, until it gets used: nr_unused_locks will be decreased by +1 in mark_lock(). However, one scenario is missed: a lock class may be +zapped without even being used once. This could result into a situation +that nr_unused_locks != 0 but no unused lock class is active in the +system, and when `cat /proc/lockdep_stats`, a WARN_ON() will +be triggered in a CONFIG_DEBUG_LOCKDEP=y kernel: + + [...] DEBUG_LOCKS_WARN_ON(debug_atomic_read(nr_unused_locks) != nr_unused) + [...] WARNING: CPU: 41 PID: 1121 at kernel/locking/lockdep_proc.c:283 lockdep_stats_show+0xba9/0xbd0 + +And as a result, lockdep will be disabled after this. + +Therefore, nr_unused_locks needs to be accounted correctly at +zap_class() time. + +Signed-off-by: Boqun Feng +Signed-off-by: Ingo Molnar +Reviewed-by: Waiman Long +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250326180831.510348-1-boqun.feng@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/locking/lockdep.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/locking/lockdep.c ++++ b/kernel/locking/lockdep.c +@@ -5982,6 +5982,9 @@ static void zap_class(struct pending_fre + hlist_del_rcu(&class->hash_entry); + WRITE_ONCE(class->key, NULL); + WRITE_ONCE(class->name, NULL); ++ /* Class allocated but not used, -1 in nr_unused_locks */ ++ if (class->usage_mask == 0) ++ debug_atomic_dec(nr_unused_locks); + nr_lock_classes--; + __clear_bit(class - lock_classes, lock_classes_in_use); + if (class - lock_classes == max_lock_class_idx) diff --git a/queue-5.15/mfd-ene-kb3930-fix-a-potential-null-pointer-dereference.patch b/queue-5.15/mfd-ene-kb3930-fix-a-potential-null-pointer-dereference.patch new file mode 100644 index 0000000000..2831e390dd --- /dev/null +++ b/queue-5.15/mfd-ene-kb3930-fix-a-potential-null-pointer-dereference.patch @@ -0,0 +1,37 @@ +From 4cdf1d2a816a93fa02f7b6b5492dc7f55af2a199 Mon Sep 17 00:00:00 2001 +From: Chenyuan Yang +Date: Mon, 24 Feb 2025 17:37:36 -0600 +Subject: mfd: ene-kb3930: Fix a potential NULL pointer dereference + +From: Chenyuan Yang + +commit 4cdf1d2a816a93fa02f7b6b5492dc7f55af2a199 upstream. + +The off_gpios could be NULL. Add missing check in the kb3930_probe(). +This is similar to the issue fixed in commit b1ba8bcb2d1f +("backlight: hx8357: Fix potential NULL pointer dereference"). + +This was detected by our static analysis tool. + +Cc: stable@vger.kernel.org +Fixes: ede6b2d1dfc0 ("mfd: ene-kb3930: Add driver for ENE KB3930 Embedded Controller") +Suggested-by: Lee Jones +Signed-off-by: Chenyuan Yang +Link: https://lore.kernel.org/r/20250224233736.1919739-1-chenyuan0y@gmail.com +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mfd/ene-kb3930.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mfd/ene-kb3930.c ++++ b/drivers/mfd/ene-kb3930.c +@@ -162,7 +162,7 @@ static int kb3930_probe(struct i2c_clien + devm_gpiod_get_array_optional(dev, "off", GPIOD_IN); + if (IS_ERR(ddata->off_gpios)) + return PTR_ERR(ddata->off_gpios); +- if (ddata->off_gpios->ndescs < 2) { ++ if (ddata->off_gpios && ddata->off_gpios->ndescs < 2) { + dev_err(dev, "invalid off-gpios property\n"); + return -EINVAL; + } diff --git a/queue-5.15/mptcp-fix-null-pointer-in-can_accept_new_subflow.patch b/queue-5.15/mptcp-fix-null-pointer-in-can_accept_new_subflow.patch new file mode 100644 index 0000000000..8d72b68434 --- /dev/null +++ b/queue-5.15/mptcp-fix-null-pointer-in-can_accept_new_subflow.patch @@ -0,0 +1,92 @@ +From 443041deb5ef6a1289a99ed95015ec7442f141dc Mon Sep 17 00:00:00 2001 +From: Gang Yan +Date: Fri, 28 Mar 2025 15:27:16 +0100 +Subject: mptcp: fix NULL pointer in can_accept_new_subflow + +From: Gang Yan + +commit 443041deb5ef6a1289a99ed95015ec7442f141dc upstream. + +When testing valkey benchmark tool with MPTCP, the kernel panics in +'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL. + +Call trace: + + mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P) + subflow_syn_recv_sock (./net/mptcp/subflow.c:854) + tcp_check_req (./net/ipv4/tcp_minisocks.c:863) + tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268) + ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207) + ip_local_deliver_finish (./net/ipv4/ip_input.c:234) + ip_local_deliver (./net/ipv4/ip_input.c:254) + ip_rcv_finish (./net/ipv4/ip_input.c:449) + ... + +According to the debug log, the same req received two SYN-ACK in a very +short time, very likely because the client retransmits the syn ack due +to multiple reasons. + +Even if the packets are transmitted with a relevant time interval, they +can be processed by the server on different CPUs concurrently). The +'subflow_req->msk' ownership is transferred to the subflow the first, +and there will be a risk of a null pointer dereference here. + +This patch fixes this issue by moving the 'subflow_req->msk' under the +`own_req == true` conditional. + +Note that the !msk check in subflow_hmac_valid() can be dropped, because +the same check already exists under the own_req mpj branch where the +code has been moved to. + +Fixes: 9466a1ccebbe ("mptcp: enable JOIN requests even if cookies are in use") +Cc: stable@vger.kernel.org +Suggested-by: Paolo Abeni +Signed-off-by: Gang Yan +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250328-net-mptcp-misc-fixes-6-15-v1-1-34161a482a7f@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/subflow.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -589,8 +589,6 @@ static bool subflow_hmac_valid(const str + + subflow_req = mptcp_subflow_rsk(req); + msk = subflow_req->msk; +- if (!msk) +- return false; + + subflow_generate_hmac(msk->remote_key, msk->local_key, + subflow_req->remote_nonce, +@@ -716,12 +714,8 @@ static struct sock *subflow_syn_recv_soc + fallback = true; + } else if (subflow_req->mp_join) { + mptcp_get_options(skb, &mp_opt); +- if (!(mp_opt.suboptions & OPTION_MPTCP_MPJ_ACK) || +- !subflow_hmac_valid(req, &mp_opt) || +- !mptcp_can_accept_new_subflow(subflow_req->msk)) { +- SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC); ++ if (!(mp_opt.suboptions & OPTION_MPTCP_MPJ_ACK)) + fallback = true; +- } + } + + create_child: +@@ -787,6 +781,13 @@ create_child: + subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT); + goto dispose_child; + } ++ ++ if (!subflow_hmac_valid(req, &mp_opt) || ++ !mptcp_can_accept_new_subflow(subflow_req->msk)) { ++ SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC); ++ subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT); ++ goto dispose_child; ++ } + + /* move the msk reference ownership to the subflow */ + subflow_req->msk = NULL; diff --git a/queue-5.15/mptcp-only-inc-mpjoinackhmacfailure-for-hmac-failures.patch b/queue-5.15/mptcp-only-inc-mpjoinackhmacfailure-for-hmac-failures.patch new file mode 100644 index 0000000000..ab75db2762 --- /dev/null +++ b/queue-5.15/mptcp-only-inc-mpjoinackhmacfailure-for-hmac-failures.patch @@ -0,0 +1,50 @@ +From 21c02e8272bc95ba0dd44943665c669029b42760 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 7 Apr 2025 20:26:32 +0200 +Subject: mptcp: only inc MPJoinAckHMacFailure for HMAC failures + +From: Matthieu Baerts (NGI0) + +commit 21c02e8272bc95ba0dd44943665c669029b42760 upstream. + +Recently, during a debugging session using local MPTCP connections, I +noticed MPJoinAckHMacFailure was not zero on the server side. The +counter was in fact incremented when the PM rejected new subflows, +because the 'subflow' limit was reached. + +The fix is easy, simply dissociating the two cases: only the HMAC +validation check should increase MPTCP_MIB_JOINACKMAC counter. + +Fixes: 4cf8b7e48a09 ("subflow: introduce and use mptcp_can_accept_new_subflow()") +Cc: stable@vger.kernel.org +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250407-net-mptcp-hmac-failure-mib-v1-1-3c9ecd0a3a50@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/subflow.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -782,12 +782,16 @@ create_child: + goto dispose_child; + } + +- if (!subflow_hmac_valid(req, &mp_opt) || +- !mptcp_can_accept_new_subflow(subflow_req->msk)) { ++ if (!subflow_hmac_valid(req, &mp_opt)) { + SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC); + subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT); + goto dispose_child; + } ++ ++ if (!mptcp_can_accept_new_subflow(owner)) { ++ subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT); ++ goto dispose_child; ++ } + + /* move the msk reference ownership to the subflow */ + subflow_req->msk = NULL; diff --git a/queue-5.15/mtd-inftlcore-add-error-check-for-inftl_read_oob.patch b/queue-5.15/mtd-inftlcore-add-error-check-for-inftl_read_oob.patch new file mode 100644 index 0000000000..b086152bbe --- /dev/null +++ b/queue-5.15/mtd-inftlcore-add-error-check-for-inftl_read_oob.patch @@ -0,0 +1,42 @@ +From d027951dc85cb2e15924c980dc22a6754d100c7c Mon Sep 17 00:00:00 2001 +From: Wentao Liang +Date: Wed, 2 Apr 2025 11:16:43 +0800 +Subject: mtd: inftlcore: Add error check for inftl_read_oob() + +From: Wentao Liang + +commit d027951dc85cb2e15924c980dc22a6754d100c7c upstream. + +In INFTL_findwriteunit(), the return value of inftl_read_oob() +need to be checked. A proper implementation can be +found in INFTL_deleteblock(). The status will be set as +SECTOR_IGNORE to break from the while-loop correctly +if the inftl_read_oob() fails. + +Fixes: 8593fbc68b0d ("[MTD] Rework the out of band handling completely") +Cc: stable@vger.kernel.org # v2.6+ +Signed-off-by: Wentao Liang +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/inftlcore.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/mtd/inftlcore.c ++++ b/drivers/mtd/inftlcore.c +@@ -482,10 +482,11 @@ static inline u16 INFTL_findwriteunit(st + silly = MAX_LOOPS; + + while (thisEUN <= inftl->lastEUN) { +- inftl_read_oob(mtd, (thisEUN * inftl->EraseSize) + +- blockofs, 8, &retlen, (char *)&bci); +- +- status = bci.Status | bci.Status1; ++ if (inftl_read_oob(mtd, (thisEUN * inftl->EraseSize) + ++ blockofs, 8, &retlen, (char *)&bci) < 0) ++ status = SECTOR_IGNORE; ++ else ++ status = bci.Status | bci.Status1; + pr_debug("INFTL: status of block %d in EUN %d is %x\n", + block , writeEUN, status); + diff --git a/queue-5.15/mtd-rawnand-add-status-chack-in-r852_ready.patch b/queue-5.15/mtd-rawnand-add-status-chack-in-r852_ready.patch new file mode 100644 index 0000000000..316a863877 --- /dev/null +++ b/queue-5.15/mtd-rawnand-add-status-chack-in-r852_ready.patch @@ -0,0 +1,35 @@ +From b79fe1829975556854665258cf4d2476784a89db Mon Sep 17 00:00:00 2001 +From: Wentao Liang +Date: Wed, 2 Apr 2025 15:56:23 +0800 +Subject: mtd: rawnand: Add status chack in r852_ready() + +From: Wentao Liang + +commit b79fe1829975556854665258cf4d2476784a89db upstream. + +In r852_ready(), the dev get from r852_get_dev() need to be checked. +An unstable device should not be ready. A proper implementation can +be found in r852_read_byte(). Add a status check and return 0 when it is +unstable. + +Fixes: 50a487e7719c ("mtd: rawnand: Pass a nand_chip object to chip->dev_ready()") +Cc: stable@vger.kernel.org # v4.20+ +Signed-off-by: Wentao Liang +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/r852.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/mtd/nand/raw/r852.c ++++ b/drivers/mtd/nand/raw/r852.c +@@ -387,6 +387,9 @@ static int r852_wait(struct nand_chip *c + static int r852_ready(struct nand_chip *chip) + { + struct r852_device *dev = r852_get_dev(nand_to_mtd(chip)); ++ if (dev->card_unstable) ++ return 0; ++ + return !(r852_read_reg(dev, R852_CARD_STA) & R852_CARD_STA_BUSY); + } + diff --git a/queue-5.15/series b/queue-5.15/series index 2e7e6abce1..96ea3e6f6b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -85,3 +85,15 @@ asoc-qdsp6-q6asm-dai-fix-q6asm_dai_compr_set_params-error-path.patch bus-mhi-host-fix-race-between-unprepare-and-queue_buf.patch ext4-fix-off-by-one-error-in-do_split.patch vdpa-mlx5-fix-oversized-null-mkey-longer-than-32bit.patch +i3c-master-svc-use-readsb-helper-for-reading-mdb.patch +i3c-add-null-pointer-check-in-i3c_master_queue_ibi.patch +jbd2-remove-wrong-sb-s_sequence-check.patch +mfd-ene-kb3930-fix-a-potential-null-pointer-dereference.patch +locking-lockdep-decrease-nr_unused_locks-if-lock-unused-in-zap_class.patch +lib-scatterlist-fix-sg_split_phys-to-preserve-original-scatterlist-offsets.patch +mptcp-fix-null-pointer-in-can_accept_new_subflow.patch +mptcp-only-inc-mpjoinackhmacfailure-for-hmac-failures.patch +mtd-inftlcore-add-error-check-for-inftl_read_oob.patch +mtd-rawnand-add-status-chack-in-r852_ready.patch +arm64-dts-mediatek-mt8173-fix-disp-pwm-compatible-string.patch +arm64-dts-exynos-gs101-disable-pinctrl_gsacore-node.patch