From: Sasha Levin Date: Sun, 13 Apr 2025 17:12:39 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v6.12.24~116 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a8309fa2e11ec034133a2a8e175cf8ff611ce4be;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/ata-pata_pxa-fix-potential-null-pointer-dereference-.patch b/queue-5.15/ata-pata_pxa-fix-potential-null-pointer-dereference-.patch new file mode 100644 index 0000000000..5b4854e469 --- /dev/null +++ b/queue-5.15/ata-pata_pxa-fix-potential-null-pointer-dereference-.patch @@ -0,0 +1,47 @@ +From d8f756ff1a5d047aa7d2db2521e48f1847f0f156 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Apr 2025 14:14:38 +0800 +Subject: ata: pata_pxa: Fix potential NULL pointer dereference in + pxa_ata_probe() + +From: Henry Martin + +[ Upstream commit ad320e408a8c95a282ab9c05cdf0c9b95e317985 ] + +devm_ioremap() returns NULL on error. Currently, pxa_ata_probe() does +not check for this case, which can result in a NULL pointer dereference. + +Add NULL check after devm_ioremap() to prevent this issue. + +Fixes: 2dc6c6f15da9 ("[ARM] pata_pxa: DMA-capable PATA driver") +Signed-off-by: Henry Martin +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/pata_pxa.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/ata/pata_pxa.c b/drivers/ata/pata_pxa.c +index 41430f79663c1..3502bfb03c56c 100644 +--- a/drivers/ata/pata_pxa.c ++++ b/drivers/ata/pata_pxa.c +@@ -223,10 +223,16 @@ static int pxa_ata_probe(struct platform_device *pdev) + + ap->ioaddr.cmd_addr = devm_ioremap(&pdev->dev, cmd_res->start, + resource_size(cmd_res)); ++ if (!ap->ioaddr.cmd_addr) ++ return -ENOMEM; + ap->ioaddr.ctl_addr = devm_ioremap(&pdev->dev, ctl_res->start, + resource_size(ctl_res)); ++ if (!ap->ioaddr.ctl_addr) ++ return -ENOMEM; + ap->ioaddr.bmdma_addr = devm_ioremap(&pdev->dev, dma_res->start, + resource_size(dma_res)); ++ if (!ap->ioaddr.bmdma_addr) ++ return -ENOMEM; + + /* + * Adjust register offsets +-- +2.39.5 + diff --git a/queue-5.15/ata-sata_sx4-add-error-handling-in-pdc20621_i2c_read.patch b/queue-5.15/ata-sata_sx4-add-error-handling-in-pdc20621_i2c_read.patch new file mode 100644 index 0000000000..1995215a79 --- /dev/null +++ b/queue-5.15/ata-sata_sx4-add-error-handling-in-pdc20621_i2c_read.patch @@ -0,0 +1,66 @@ +From df3615ce1c12868f34e499d3c3b3ded0c308182a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 15:30:01 +0800 +Subject: ata: sata_sx4: Add error handling in pdc20621_i2c_read() + +From: Wentao Liang + +[ Upstream commit 8d46a27085039158eb5e253ab8a35a0e33b5e864 ] + +The function pdc20621_prog_dimm0() calls the function pdc20621_i2c_read() +but does not handle the error if the read fails. This could lead to +process with invalid data. A proper implementation can be found in +/source/drivers/ata/sata_sx4.c, pdc20621_prog_dimm_global(). As mentioned +in its commit: bb44e154e25125bef31fa956785e90fccd24610b, the variable spd0 +might be used uninitialized when pdc20621_i2c_read() fails. + +Add error handling to pdc20621_i2c_read(). If a read operation fails, +an error message is logged via dev_err(), and return a negative error +code. + +Add error handling to pdc20621_prog_dimm0() in pdc20621_dimm_init(), and +return a negative error code if pdc20621_prog_dimm0() fails. + +Fixes: 4447d3515616 ("libata: convert the remaining SATA drivers to new init model") +Signed-off-by: Wentao Liang +Reviewed-by: Niklas Cassel +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/sata_sx4.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/ata/sata_sx4.c b/drivers/ata/sata_sx4.c +index 7b28334aa26a2..20b73e0d835a3 100644 +--- a/drivers/ata/sata_sx4.c ++++ b/drivers/ata/sata_sx4.c +@@ -1124,9 +1124,14 @@ static int pdc20621_prog_dimm0(struct ata_host *host) + mmio += PDC_CHIP0_OFS; + + for (i = 0; i < ARRAY_SIZE(pdc_i2c_read_data); i++) +- pdc20621_i2c_read(host, PDC_DIMM0_SPD_DEV_ADDRESS, +- pdc_i2c_read_data[i].reg, +- &spd0[pdc_i2c_read_data[i].ofs]); ++ if (!pdc20621_i2c_read(host, PDC_DIMM0_SPD_DEV_ADDRESS, ++ pdc_i2c_read_data[i].reg, ++ &spd0[pdc_i2c_read_data[i].ofs])) { ++ dev_err(host->dev, ++ "Failed in i2c read at index %d: device=%#x, reg=%#x\n", ++ i, PDC_DIMM0_SPD_DEV_ADDRESS, pdc_i2c_read_data[i].reg); ++ return -EIO; ++ } + + data |= (spd0[4] - 8) | ((spd0[21] != 0) << 3) | ((spd0[3]-11) << 4); + data |= ((spd0[17] / 4) << 6) | ((spd0[5] / 2) << 7) | +@@ -1290,6 +1295,8 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host) + + /* Programming DIMM0 Module Control Register (index_CID0:80h) */ + size = pdc20621_prog_dimm0(host); ++ if (size < 0) ++ return size; + dev_dbg(host->dev, "Local DIMM Size = %dMB\n", size); + + /* Programming DIMM Module Global Control Register (index_CID0:88h) */ +-- +2.39.5 + diff --git a/queue-5.15/ata-sata_sx4-drop-pointless-vprintk-calls-and-conver.patch b/queue-5.15/ata-sata_sx4-drop-pointless-vprintk-calls-and-conver.patch new file mode 100644 index 0000000000..5cbd524536 --- /dev/null +++ b/queue-5.15/ata-sata_sx4-drop-pointless-vprintk-calls-and-conver.patch @@ -0,0 +1,358 @@ +From e20bf2002fd509dc737b71d6eab481542137283b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Dec 2021 08:20:59 +0100 +Subject: ata: sata_sx4: Drop pointless VPRINTK() calls and convert the + remaining ones + +From: Hannes Reinecke + +[ Upstream commit bc21c1056d08525d9c5a5d74db4b8f14e6691991 ] + +Drop pointless VPRINTK() calls for setting up SG tables +and convert the remaining calls to structured logging. + +Signed-off-by: Hannes Reinecke +Signed-off-by: Damien Le Moal +Stable-dep-of: 8d46a2708503 ("ata: sata_sx4: Add error handling in pdc20621_i2c_read()") +Signed-off-by: Sasha Levin +--- + drivers/ata/sata_sx4.c | 105 +++++++++++++---------------------------- + 1 file changed, 34 insertions(+), 71 deletions(-) + +diff --git a/drivers/ata/sata_sx4.c b/drivers/ata/sata_sx4.c +index c95685f693a68..7b28334aa26a2 100644 +--- a/drivers/ata/sata_sx4.c ++++ b/drivers/ata/sata_sx4.c +@@ -308,15 +308,9 @@ static inline void pdc20621_ata_sg(u8 *buf, unsigned int portno, + /* output ATA packet S/G table */ + addr = PDC_20621_DIMM_BASE + PDC_20621_DIMM_DATA + + (PDC_DIMM_DATA_STEP * portno); +- VPRINTK("ATA sg addr 0x%x, %d\n", addr, addr); ++ + buf32[dw] = cpu_to_le32(addr); + buf32[dw + 1] = cpu_to_le32(total_len | ATA_PRD_EOT); +- +- VPRINTK("ATA PSG @ %x == (0x%x, 0x%x)\n", +- PDC_20621_DIMM_BASE + +- (PDC_DIMM_WINDOW_STEP * portno) + +- PDC_DIMM_APKT_PRD, +- buf32[dw], buf32[dw + 1]); + } + + static inline void pdc20621_host_sg(u8 *buf, unsigned int portno, +@@ -332,12 +326,6 @@ static inline void pdc20621_host_sg(u8 *buf, unsigned int portno, + + buf32[dw] = cpu_to_le32(addr); + buf32[dw + 1] = cpu_to_le32(total_len | ATA_PRD_EOT); +- +- VPRINTK("HOST PSG @ %x == (0x%x, 0x%x)\n", +- PDC_20621_DIMM_BASE + +- (PDC_DIMM_WINDOW_STEP * portno) + +- PDC_DIMM_HPKT_PRD, +- buf32[dw], buf32[dw + 1]); + } + + static inline unsigned int pdc20621_ata_pkt(struct ata_taskfile *tf, +@@ -351,7 +339,6 @@ static inline unsigned int pdc20621_ata_pkt(struct ata_taskfile *tf, + unsigned int dimm_sg = PDC_20621_DIMM_BASE + + (PDC_DIMM_WINDOW_STEP * portno) + + PDC_DIMM_APKT_PRD; +- VPRINTK("ENTER, dimm_sg == 0x%x, %d\n", dimm_sg, dimm_sg); + + i = PDC_DIMM_ATA_PKT; + +@@ -406,8 +393,6 @@ static inline void pdc20621_host_pkt(struct ata_taskfile *tf, u8 *buf, + unsigned int dimm_sg = PDC_20621_DIMM_BASE + + (PDC_DIMM_WINDOW_STEP * portno) + + PDC_DIMM_HPKT_PRD; +- VPRINTK("ENTER, dimm_sg == 0x%x, %d\n", dimm_sg, dimm_sg); +- VPRINTK("host_sg == 0x%x, %d\n", host_sg, host_sg); + + dw = PDC_DIMM_HOST_PKT >> 2; + +@@ -424,14 +409,6 @@ static inline void pdc20621_host_pkt(struct ata_taskfile *tf, u8 *buf, + buf32[dw + 1] = cpu_to_le32(host_sg); + buf32[dw + 2] = cpu_to_le32(dimm_sg); + buf32[dw + 3] = 0; +- +- VPRINTK("HOST PKT @ %x == (0x%x 0x%x 0x%x 0x%x)\n", +- PDC_20621_DIMM_BASE + (PDC_DIMM_WINDOW_STEP * portno) + +- PDC_DIMM_HOST_PKT, +- buf32[dw + 0], +- buf32[dw + 1], +- buf32[dw + 2], +- buf32[dw + 3]); + } + + static void pdc20621_dma_prep(struct ata_queued_cmd *qc) +@@ -447,8 +424,6 @@ static void pdc20621_dma_prep(struct ata_queued_cmd *qc) + + WARN_ON(!(qc->flags & ATA_QCFLAG_DMAMAP)); + +- VPRINTK("ata%u: ENTER\n", ap->print_id); +- + /* hard-code chip #0 */ + mmio += PDC_CHIP0_OFS; + +@@ -492,7 +467,8 @@ static void pdc20621_dma_prep(struct ata_queued_cmd *qc) + + readl(dimm_mmio); /* MMIO PCI posting flush */ + +- VPRINTK("ata pkt buf ofs %u, prd size %u, mmio copied\n", i, sgt_len); ++ ata_port_dbg(ap, "ata pkt buf ofs %u, prd size %u, mmio copied\n", ++ i, sgt_len); + } + + static void pdc20621_nodata_prep(struct ata_queued_cmd *qc) +@@ -504,8 +480,6 @@ static void pdc20621_nodata_prep(struct ata_queued_cmd *qc) + unsigned int portno = ap->port_no; + unsigned int i; + +- VPRINTK("ata%u: ENTER\n", ap->print_id); +- + /* hard-code chip #0 */ + mmio += PDC_CHIP0_OFS; + +@@ -527,7 +501,7 @@ static void pdc20621_nodata_prep(struct ata_queued_cmd *qc) + + readl(dimm_mmio); /* MMIO PCI posting flush */ + +- VPRINTK("ata pkt buf ofs %u, mmio copied\n", i); ++ ata_port_dbg(ap, "ata pkt buf ofs %u, mmio copied\n", i); + } + + static enum ata_completion_errors pdc20621_qc_prep(struct ata_queued_cmd *qc) +@@ -633,8 +607,6 @@ static void pdc20621_packet_start(struct ata_queued_cmd *qc) + /* hard-code chip #0 */ + mmio += PDC_CHIP0_OFS; + +- VPRINTK("ata%u: ENTER\n", ap->print_id); +- + wmb(); /* flush PRD, pkt writes */ + + port_ofs = PDC_20621_DIMM_BASE + (PDC_DIMM_WINDOW_STEP * port_no); +@@ -645,7 +617,7 @@ static void pdc20621_packet_start(struct ata_queued_cmd *qc) + + pdc20621_dump_hdma(qc); + pdc20621_push_hdma(qc, seq, port_ofs + PDC_DIMM_HOST_PKT); +- VPRINTK("queued ofs 0x%x (%u), seq %u\n", ++ ata_port_dbg(ap, "queued ofs 0x%x (%u), seq %u\n", + port_ofs + PDC_DIMM_HOST_PKT, + port_ofs + PDC_DIMM_HOST_PKT, + seq); +@@ -656,7 +628,7 @@ static void pdc20621_packet_start(struct ata_queued_cmd *qc) + writel(port_ofs + PDC_DIMM_ATA_PKT, + ap->ioaddr.cmd_addr + PDC_PKT_SUBMIT); + readl(ap->ioaddr.cmd_addr + PDC_PKT_SUBMIT); +- VPRINTK("submitted ofs 0x%x (%u), seq %u\n", ++ ata_port_dbg(ap, "submitted ofs 0x%x (%u), seq %u\n", + port_ofs + PDC_DIMM_ATA_PKT, + port_ofs + PDC_DIMM_ATA_PKT, + seq); +@@ -696,14 +668,12 @@ static inline unsigned int pdc20621_host_intr(struct ata_port *ap, + u8 status; + unsigned int handled = 0; + +- VPRINTK("ENTER\n"); +- + if ((qc->tf.protocol == ATA_PROT_DMA) && /* read */ + (!(qc->tf.flags & ATA_TFLAG_WRITE))) { + + /* step two - DMA from DIMM to host */ + if (doing_hdma) { +- VPRINTK("ata%u: read hdma, 0x%x 0x%x\n", ap->print_id, ++ ata_port_dbg(ap, "read hdma, 0x%x 0x%x\n", + readl(mmio + 0x104), readl(mmio + PDC_HDMA_CTLSTAT)); + /* get drive status; clear intr; complete txn */ + qc->err_mask |= ac_err_mask(ata_wait_idle(ap)); +@@ -714,7 +684,7 @@ static inline unsigned int pdc20621_host_intr(struct ata_port *ap, + /* step one - exec ATA command */ + else { + u8 seq = (u8) (port_no + 1 + 4); +- VPRINTK("ata%u: read ata, 0x%x 0x%x\n", ap->print_id, ++ ata_port_dbg(ap, "read ata, 0x%x 0x%x\n", + readl(mmio + 0x104), readl(mmio + PDC_HDMA_CTLSTAT)); + + /* submit hdma pkt */ +@@ -729,7 +699,7 @@ static inline unsigned int pdc20621_host_intr(struct ata_port *ap, + /* step one - DMA from host to DIMM */ + if (doing_hdma) { + u8 seq = (u8) (port_no + 1); +- VPRINTK("ata%u: write hdma, 0x%x 0x%x\n", ap->print_id, ++ ata_port_dbg(ap, "write hdma, 0x%x 0x%x\n", + readl(mmio + 0x104), readl(mmio + PDC_HDMA_CTLSTAT)); + + /* submit ata pkt */ +@@ -742,7 +712,7 @@ static inline unsigned int pdc20621_host_intr(struct ata_port *ap, + + /* step two - execute ATA command */ + else { +- VPRINTK("ata%u: write ata, 0x%x 0x%x\n", ap->print_id, ++ ata_port_dbg(ap, "write ata, 0x%x 0x%x\n", + readl(mmio + 0x104), readl(mmio + PDC_HDMA_CTLSTAT)); + /* get drive status; clear intr; complete txn */ + qc->err_mask |= ac_err_mask(ata_wait_idle(ap)); +@@ -755,7 +725,7 @@ static inline unsigned int pdc20621_host_intr(struct ata_port *ap, + } else if (qc->tf.protocol == ATA_PROT_NODATA) { + + status = ata_sff_busy_wait(ap, ATA_BUSY | ATA_DRQ, 1000); +- DPRINTK("BUS_NODATA (drv_stat 0x%X)\n", status); ++ ata_port_dbg(ap, "BUS_NODATA (drv_stat 0x%X)\n", status); + qc->err_mask |= ac_err_mask(status); + ata_qc_complete(qc); + handled = 1; +@@ -781,29 +751,21 @@ static irqreturn_t pdc20621_interrupt(int irq, void *dev_instance) + unsigned int handled = 0; + void __iomem *mmio_base; + +- VPRINTK("ENTER\n"); +- +- if (!host || !host->iomap[PDC_MMIO_BAR]) { +- VPRINTK("QUICK EXIT\n"); ++ if (!host || !host->iomap[PDC_MMIO_BAR]) + return IRQ_NONE; +- } + + mmio_base = host->iomap[PDC_MMIO_BAR]; + + /* reading should also clear interrupts */ + mmio_base += PDC_CHIP0_OFS; + mask = readl(mmio_base + PDC_20621_SEQMASK); +- VPRINTK("mask == 0x%x\n", mask); + +- if (mask == 0xffffffff) { +- VPRINTK("QUICK EXIT 2\n"); ++ if (mask == 0xffffffff) + return IRQ_NONE; +- } ++ + mask &= 0xffff; /* only 16 tags possible */ +- if (!mask) { +- VPRINTK("QUICK EXIT 3\n"); ++ if (!mask) + return IRQ_NONE; +- } + + spin_lock(&host->lock); + +@@ -816,7 +778,8 @@ static irqreturn_t pdc20621_interrupt(int irq, void *dev_instance) + else + ap = host->ports[port_no]; + tmp = mask & (1 << i); +- VPRINTK("seq %u, port_no %u, ap %p, tmp %x\n", i, port_no, ap, tmp); ++ if (ap) ++ ata_port_dbg(ap, "seq %u, tmp %x\n", i, tmp); + if (tmp && ap) { + struct ata_queued_cmd *qc; + +@@ -829,10 +792,6 @@ static irqreturn_t pdc20621_interrupt(int irq, void *dev_instance) + + spin_unlock(&host->lock); + +- VPRINTK("mask == 0x%x\n", mask); +- +- VPRINTK("EXIT\n"); +- + return IRQ_RETVAL(handled); + } + +@@ -1272,7 +1231,7 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host) + /* Initialize Time Period Register */ + writel(0xffffffff, mmio + PDC_TIME_PERIOD); + time_period = readl(mmio + PDC_TIME_PERIOD); +- VPRINTK("Time Period Register (0x40): 0x%x\n", time_period); ++ dev_dbg(host->dev, "Time Period Register (0x40): 0x%x\n", time_period); + + /* Enable timer */ + writel(PDC_TIMER_DEFAULT, mmio + PDC_TIME_CONTROL); +@@ -1287,7 +1246,7 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host) + */ + + tcount = readl(mmio + PDC_TIME_COUNTER); +- VPRINTK("Time Counter Register (0x44): 0x%x\n", tcount); ++ dev_dbg(host->dev, "Time Counter Register (0x44): 0x%x\n", tcount); + + /* + If SX4 is on PCI-X bus, after 3 seconds, the timer counter +@@ -1295,17 +1254,19 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host) + */ + if (tcount >= PCI_X_TCOUNT) { + ticks = (time_period - tcount); +- VPRINTK("Num counters 0x%x (%d)\n", ticks, ticks); ++ dev_dbg(host->dev, "Num counters 0x%x (%d)\n", ticks, ticks); + + clock = (ticks / 300000); +- VPRINTK("10 * Internal clk = 0x%x (%d)\n", clock, clock); ++ dev_dbg(host->dev, "10 * Internal clk = 0x%x (%d)\n", ++ clock, clock); + + clock = (clock * 33); +- VPRINTK("10 * Internal clk * 33 = 0x%x (%d)\n", clock, clock); ++ dev_dbg(host->dev, "10 * Internal clk * 33 = 0x%x (%d)\n", ++ clock, clock); + + /* PLL F Param (bit 22:16) */ + fparam = (1400000 / clock) - 2; +- VPRINTK("PLL F Param: 0x%x (%d)\n", fparam, fparam); ++ dev_dbg(host->dev, "PLL F Param: 0x%x (%d)\n", fparam, fparam); + + /* OD param = 0x2 (bit 31:30), R param = 0x5 (bit 29:25) */ + pci_status = (0x8a001824 | (fparam << 16)); +@@ -1313,7 +1274,7 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host) + pci_status = PCI_PLL_INIT; + + /* Initialize PLL. */ +- VPRINTK("pci_status: 0x%x\n", pci_status); ++ dev_dbg(host->dev, "pci_status: 0x%x\n", pci_status); + writel(pci_status, mmio + PDC_CTL_STATUS); + readl(mmio + PDC_CTL_STATUS); + +@@ -1325,15 +1286,16 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host) + printk(KERN_ERR "Detect Local DIMM Fail\n"); + return 1; /* DIMM error */ + } +- VPRINTK("Local DIMM Speed = %d\n", speed); ++ dev_dbg(host->dev, "Local DIMM Speed = %d\n", speed); + + /* Programming DIMM0 Module Control Register (index_CID0:80h) */ + size = pdc20621_prog_dimm0(host); +- VPRINTK("Local DIMM Size = %dMB\n", size); ++ dev_dbg(host->dev, "Local DIMM Size = %dMB\n", size); + + /* Programming DIMM Module Global Control Register (index_CID0:88h) */ + if (pdc20621_prog_dimm_global(host)) { +- printk(KERN_ERR "Programming DIMM Module Global Control Register Fail\n"); ++ dev_err(host->dev, ++ "Programming DIMM Module Global Control Register Fail\n"); + return 1; + } + +@@ -1370,13 +1332,14 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host) + + if (!pdc20621_i2c_read(host, PDC_DIMM0_SPD_DEV_ADDRESS, + PDC_DIMM_SPD_TYPE, &spd0)) { +- pr_err("Failed in i2c read: device=%#x, subaddr=%#x\n", ++ dev_err(host->dev, ++ "Failed in i2c read: device=%#x, subaddr=%#x\n", + PDC_DIMM0_SPD_DEV_ADDRESS, PDC_DIMM_SPD_TYPE); + return 1; + } + if (spd0 == 0x02) { + void *buf; +- VPRINTK("Start ECC initialization\n"); ++ dev_dbg(host->dev, "Start ECC initialization\n"); + addr = 0; + length = size * 1024 * 1024; + buf = kzalloc(ECC_ERASE_BUF_SZ, GFP_KERNEL); +@@ -1388,7 +1351,7 @@ static unsigned int pdc20621_dimm_init(struct ata_host *host) + addr += ECC_ERASE_BUF_SZ; + } + kfree(buf); +- VPRINTK("Finish ECC initialization\n"); ++ dev_dbg(host->dev, "Finish ECC initialization\n"); + } + return 0; + } +-- +2.39.5 + diff --git a/queue-5.15/codel-remove-sch-q.qlen-check-before-qdisc_tree_redu.patch b/queue-5.15/codel-remove-sch-q.qlen-check-before-qdisc_tree_redu.patch new file mode 100644 index 0000000000..ace8ca20fa --- /dev/null +++ b/queue-5.15/codel-remove-sch-q.qlen-check-before-qdisc_tree_redu.patch @@ -0,0 +1,63 @@ +From 8b18b6cf40e25b8c55333077a46775b2ff9959a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 14:16:31 -0700 +Subject: codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() + +From: Cong Wang + +[ Upstream commit 342debc12183b51773b3345ba267e9263bdfaaef ] + +After making all ->qlen_notify() callbacks idempotent, now it is safe to +remove the check of qlen!=0 from both fq_codel_dequeue() and +codel_qdisc_dequeue(). + +Reported-by: Gerrard Tai +Fixes: 4b549a2ef4be ("fq_codel: Fair Queue Codel AQM") +Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM") +Signed-off-by: Cong Wang +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250403211636.166257-1-xiyou.wangcong@gmail.com +Acked-by: Jamal Hadi Salim +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/sch_codel.c | 5 +---- + net/sched/sch_fq_codel.c | 6 ++---- + 2 files changed, 3 insertions(+), 8 deletions(-) + +diff --git a/net/sched/sch_codel.c b/net/sched/sch_codel.c +index 30169b3adbbb0..d9eff03deada4 100644 +--- a/net/sched/sch_codel.c ++++ b/net/sched/sch_codel.c +@@ -95,10 +95,7 @@ static struct sk_buff *codel_qdisc_dequeue(struct Qdisc *sch) + &q->stats, qdisc_pkt_len, codel_get_enqueue_time, + drop_func, dequeue_func); + +- /* We cant call qdisc_tree_reduce_backlog() if our qlen is 0, +- * or HTB crashes. Defer it for next round. +- */ +- if (q->stats.drop_count && sch->q.qlen) { ++ if (q->stats.drop_count) { + qdisc_tree_reduce_backlog(sch, q->stats.drop_count, q->stats.drop_len); + q->stats.drop_count = 0; + q->stats.drop_len = 0; +diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c +index efda894bbb78b..9a3df6884c5cd 100644 +--- a/net/sched/sch_fq_codel.c ++++ b/net/sched/sch_fq_codel.c +@@ -314,10 +314,8 @@ static struct sk_buff *fq_codel_dequeue(struct Qdisc *sch) + } + qdisc_bstats_update(sch, skb); + flow->deficit -= qdisc_pkt_len(skb); +- /* We cant call qdisc_tree_reduce_backlog() if our qlen is 0, +- * or HTB crashes. Defer it for next round. +- */ +- if (q->cstats.drop_count && sch->q.qlen) { ++ ++ if (q->cstats.drop_count) { + qdisc_tree_reduce_backlog(sch, q->cstats.drop_count, + q->cstats.drop_len); + q->cstats.drop_count = 0; +-- +2.39.5 + diff --git a/queue-5.15/net-ethtool-don-t-call-.cleanup_data-when-prepare_da.patch b/queue-5.15/net-ethtool-don-t-call-.cleanup_data-when-prepare_da.patch new file mode 100644 index 0000000000..403d10dbeb --- /dev/null +++ b/queue-5.15/net-ethtool-don-t-call-.cleanup_data-when-prepare_da.patch @@ -0,0 +1,78 @@ +From 6eda5b77039aa9624ab900ff87ebd40923fb49f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 15:05:10 +0200 +Subject: net: ethtool: Don't call .cleanup_data when prepare_data fails + +From: Maxime Chevallier + +[ Upstream commit 4f038a6a02d20859a3479293cbf172b0f14cbdd6 ] + +There's a consistent pattern where the .cleanup_data() callback is +called when .prepare_data() fails, when it should really be called to +clean after a successful .prepare_data() as per the documentation. + +Rewrite the error-handling paths to make sure we don't cleanup +un-prepared data. + +Fixes: c781ff12a2f3 ("ethtool: Allow network drivers to dump arbitrary EEPROM data") +Reviewed-by: Kory Maincent +Reviewed-by: Simon Horman +Reviewed-by: Michal Kubecek +Signed-off-by: Maxime Chevallier +Link: https://patch.msgid.link/20250407130511.75621-1-maxime.chevallier@bootlin.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ethtool/netlink.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/ethtool/netlink.c b/net/ethtool/netlink.c +index 0ffcd0e873b60..e35a3e5736cfd 100644 +--- a/net/ethtool/netlink.c ++++ b/net/ethtool/netlink.c +@@ -377,7 +377,7 @@ static int ethnl_default_doit(struct sk_buff *skb, struct genl_info *info) + ret = ops->prepare_data(req_info, reply_data, info); + rtnl_unlock(); + if (ret < 0) +- goto err_cleanup; ++ goto err_dev; + ret = ops->reply_size(req_info, reply_data); + if (ret < 0) + goto err_cleanup; +@@ -435,7 +435,7 @@ static int ethnl_default_dump_one(struct sk_buff *skb, struct net_device *dev, + ret = ctx->ops->prepare_data(ctx->req_info, ctx->reply_data, NULL); + rtnl_unlock(); + if (ret < 0) +- goto out; ++ goto out_cancel; + ret = ethnl_fill_reply_header(skb, dev, ctx->ops->hdr_attr); + if (ret < 0) + goto out; +@@ -444,6 +444,7 @@ static int ethnl_default_dump_one(struct sk_buff *skb, struct net_device *dev, + out: + if (ctx->ops->cleanup_data) + ctx->ops->cleanup_data(ctx->reply_data); ++out_cancel: + ctx->reply_data->dev = NULL; + if (ret < 0) + genlmsg_cancel(skb, ehdr); +@@ -628,7 +629,7 @@ static void ethnl_default_notify(struct net_device *dev, unsigned int cmd, + ethnl_init_reply_data(reply_data, ops, dev); + ret = ops->prepare_data(req_info, reply_data, NULL); + if (ret < 0) +- goto err_cleanup; ++ goto err_rep; + ret = ops->reply_size(req_info, reply_data); + if (ret < 0) + goto err_cleanup; +@@ -664,6 +665,7 @@ static void ethnl_default_notify(struct net_device *dev, unsigned int cmd, + err_cleanup: + if (ops->cleanup_data) + ops->cleanup_data(reply_data); ++err_rep: + kfree(reply_data); + kfree(req_info); + return; +-- +2.39.5 + diff --git a/queue-5.15/net-ppp-add-bound-checking-for-skb-data-on-ppp_sync_.patch b/queue-5.15/net-ppp-add-bound-checking-for-skb-data-on-ppp_sync_.patch new file mode 100644 index 0000000000..64d38d0345 --- /dev/null +++ b/queue-5.15/net-ppp-add-bound-checking-for-skb-data-on-ppp_sync_.patch @@ -0,0 +1,73 @@ +From 8f759a71260c54c524fd6ec35dc06abf83041a78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 17:55:08 +0200 +Subject: net: ppp: Add bound checking for skb data on ppp_sync_txmung +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnaud Lecomte + +[ Upstream commit aabc6596ffb377c4c9c8f335124b92ea282c9821 ] + +Ensure we have enough data in linear buffer from skb before accessing +initial bytes. This prevents potential out-of-bounds accesses +when processing short packets. + +When ppp_sync_txmung receives an incoming package with an empty +payload: +(remote) gef➤ p *(struct pppoe_hdr *) (skb->head + skb->network_header) +$18 = { + type = 0x1, + ver = 0x1, + code = 0x0, + sid = 0x2, + length = 0x0, + tag = 0xffff8880371cdb96 +} + +from the skb struct (trimmed) + tail = 0x16, + end = 0x140, + head = 0xffff88803346f400 "4", + data = 0xffff88803346f416 ":\377", + truesize = 0x380, + len = 0x0, + data_len = 0x0, + mac_len = 0xe, + hdr_len = 0x0, + +it is not safe to access data[2]. + +Reported-by: syzbot+29fc8991b0ecb186cf40@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=29fc8991b0ecb186cf40 +Tested-by: syzbot+29fc8991b0ecb186cf40@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Arnaud Lecomte +Link: https://patch.msgid.link/20250408-bound-checking-ppp_txmung-v2-1-94bb6e1b92d0@arnaud-lcm.com +[pabeni@redhat.com: fixed subj typo] +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/ppp_synctty.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c +index 692c558beed54..c8d9c580ed503 100644 +--- a/drivers/net/ppp/ppp_synctty.c ++++ b/drivers/net/ppp/ppp_synctty.c +@@ -517,6 +517,11 @@ ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *skb) + unsigned char *data; + int islcp; + ++ /* Ensure we can safely access protocol field and LCP code */ ++ if (!pskb_may_pull(skb, 3)) { ++ kfree_skb(skb); ++ return NULL; ++ } + data = skb->data; + proto = get_unaligned_be16(data); + +-- +2.39.5 + diff --git a/queue-5.15/net-tls-explicitly-disallow-disconnect.patch b/queue-5.15/net-tls-explicitly-disallow-disconnect.patch new file mode 100644 index 0000000000..142d1060ea --- /dev/null +++ b/queue-5.15/net-tls-explicitly-disallow-disconnect.patch @@ -0,0 +1,69 @@ +From d4367671f3eea63dce5f6c4eb24c591da7492560 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Apr 2025 11:03:33 -0700 +Subject: net: tls: explicitly disallow disconnect + +From: Jakub Kicinski + +[ Upstream commit 5071a1e606b30c0c11278d3c6620cd6a24724cf6 ] + +syzbot discovered that it can disconnect a TLS socket and then +run into all sort of unexpected corner cases. I have a vague +recollection of Eric pointing this out to us a long time ago. +Supporting disconnect is really hard, for one thing if offload +is enabled we'd need to wait for all packets to be _acked_. +Disconnect is not commonly used, disallow it. + +The immediate problem syzbot run into is the warning in the strp, +but that's just the easiest bug to trigger: + + WARNING: CPU: 0 PID: 5834 at net/tls/tls_strp.c:486 tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486 + RIP: 0010:tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486 + Call Trace: + + tls_rx_rec_wait+0x280/0xa60 net/tls/tls_sw.c:1363 + tls_sw_recvmsg+0x85c/0x1c30 net/tls/tls_sw.c:2043 + inet6_recvmsg+0x2c9/0x730 net/ipv6/af_inet6.c:678 + sock_recvmsg_nosec net/socket.c:1023 [inline] + sock_recvmsg+0x109/0x280 net/socket.c:1045 + __sys_recvfrom+0x202/0x380 net/socket.c:2237 + +Fixes: 3c4d7559159b ("tls: kernel TLS support") +Reported-by: syzbot+b4cd76826045a1eb93c1@syzkaller.appspotmail.com +Signed-off-by: Jakub Kicinski +Reviewed-by: Eric Dumazet +Reviewed-by: Sabrina Dubroca +Link: https://patch.msgid.link/20250404180334.3224206-1-kuba@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tls/tls_main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c +index 4a3bf8528da7c..ba170f1f38a4c 100644 +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -626,6 +626,11 @@ static int tls_setsockopt(struct sock *sk, int level, int optname, + return do_tls_setsockopt(sk, optname, optval, optlen); + } + ++static int tls_disconnect(struct sock *sk, int flags) ++{ ++ return -EOPNOTSUPP; ++} ++ + struct tls_context *tls_ctx_create(struct sock *sk) + { + struct inet_connection_sock *icsk = inet_csk(sk); +@@ -720,6 +725,7 @@ static void build_protos(struct proto prot[TLS_NUM_CONFIG][TLS_NUM_CONFIG], + prot[TLS_BASE][TLS_BASE] = *base; + prot[TLS_BASE][TLS_BASE].setsockopt = tls_setsockopt; + prot[TLS_BASE][TLS_BASE].getsockopt = tls_getsockopt; ++ prot[TLS_BASE][TLS_BASE].disconnect = tls_disconnect; + prot[TLS_BASE][TLS_BASE].close = tls_sk_proto_close; + + prot[TLS_SW][TLS_BASE] = prot[TLS_BASE][TLS_BASE]; +-- +2.39.5 + diff --git a/queue-5.15/nft_set_pipapo-fix-incorrect-avx2-match-of-5th-field.patch b/queue-5.15/nft_set_pipapo-fix-incorrect-avx2-match-of-5th-field.patch new file mode 100644 index 0000000000..131f13a2f5 --- /dev/null +++ b/queue-5.15/nft_set_pipapo-fix-incorrect-avx2-match-of-5th-field.patch @@ -0,0 +1,53 @@ +From 6944ea6e6463bfc38351760174f8a1a0060abbaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 19:40:18 +0200 +Subject: nft_set_pipapo: fix incorrect avx2 match of 5th field octet + +From: Florian Westphal + +[ Upstream commit e042ed950d4e176379ba4c0722146cd96fb38aa2 ] + +Given a set element like: + + icmpv6 . dead:beef:00ff::1 + +The value of 'ff' is irrelevant, any address will be matched +as long as the other octets are the same. + +This is because of too-early register clobbering: +ymm7 is reloaded with new packet data (pkt[9]) but it still holds data +of an earlier load that wasn't processed yet. + +The existing tests in nft_concat_range.sh selftests do exercise this code +path, but do not trigger incorrect matching due to the network prefix +limitation. + +Fixes: 7400b063969b ("nft_set_pipapo: Introduce AVX2-based lookup implementation") +Reported-by: sontu mazumdar +Closes: https://lore.kernel.org/netfilter/CANgxkqwnMH7fXra+VUfODT-8+qFLgskq3set1cAzqqJaV4iEZg@mail.gmail.com/T/#t +Reviewed-by: Stefano Brivio +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo_avx2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c +index dfae90cd34939..ecabe66368eab 100644 +--- a/net/netfilter/nft_set_pipapo_avx2.c ++++ b/net/netfilter/nft_set_pipapo_avx2.c +@@ -994,8 +994,9 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill, + NFT_PIPAPO_AVX2_BUCKET_LOAD8(5, lt, 8, pkt[8], bsize); + + NFT_PIPAPO_AVX2_AND(6, 2, 3); ++ NFT_PIPAPO_AVX2_AND(3, 4, 7); + NFT_PIPAPO_AVX2_BUCKET_LOAD8(7, lt, 9, pkt[9], bsize); +- NFT_PIPAPO_AVX2_AND(0, 4, 5); ++ NFT_PIPAPO_AVX2_AND(0, 3, 5); + NFT_PIPAPO_AVX2_BUCKET_LOAD8(1, lt, 10, pkt[10], bsize); + NFT_PIPAPO_AVX2_AND(2, 6, 7); + NFT_PIPAPO_AVX2_BUCKET_LOAD8(3, lt, 11, pkt[11], bsize); +-- +2.39.5 + diff --git a/queue-5.15/nvmet-fcloop-swap-list_add_tail-arguments.patch b/queue-5.15/nvmet-fcloop-swap-list_add_tail-arguments.patch new file mode 100644 index 0000000000..01cfe36382 --- /dev/null +++ b/queue-5.15/nvmet-fcloop-swap-list_add_tail-arguments.patch @@ -0,0 +1,38 @@ +From fbb2197503633bc3e903ddf18534df98d44f03bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 17:29:03 +0200 +Subject: nvmet-fcloop: swap list_add_tail arguments + +From: Daniel Wagner + +[ Upstream commit 2b5f0c5bc819af2b0759a8fcddc1b39102735c0f ] + +The newly element to be added to the list is the first argument of +list_add_tail. This fix is missing dcfad4ab4d67 ("nvmet-fcloop: swap +the list_add_tail arguments"). + +Fixes: 437c0b824dbd ("nvme-fcloop: add target to host LS request support") +Signed-off-by: Daniel Wagner +Reviewed-by: Hannes Reinecke +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/fcloop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/fcloop.c b/drivers/nvme/target/fcloop.c +index f5b8442b653db..787dfb3859a0d 100644 +--- a/drivers/nvme/target/fcloop.c ++++ b/drivers/nvme/target/fcloop.c +@@ -478,7 +478,7 @@ fcloop_t2h_xmt_ls_rsp(struct nvme_fc_local_port *localport, + if (targetport) { + tport = targetport->private; + spin_lock(&tport->lock); +- list_add_tail(&tport->ls_list, &tls_req->ls_list); ++ list_add_tail(&tls_req->ls_list, &tport->ls_list); + spin_unlock(&tport->lock); + queue_work(nvmet_wq, &tport->ls_work); + } +-- +2.39.5 + diff --git a/queue-5.15/series b/queue-5.15/series new file mode 100644 index 0000000000..ac2b8535c6 --- /dev/null +++ b/queue-5.15/series @@ -0,0 +1,10 @@ +ata-pata_pxa-fix-potential-null-pointer-dereference-.patch +tipc-fix-memory-leak-in-tipc_link_xmit.patch +codel-remove-sch-q.qlen-check-before-qdisc_tree_redu.patch +net-tls-explicitly-disallow-disconnect.patch +net-ethtool-don-t-call-.cleanup_data-when-prepare_da.patch +ata-sata_sx4-drop-pointless-vprintk-calls-and-conver.patch +ata-sata_sx4-add-error-handling-in-pdc20621_i2c_read.patch +nvmet-fcloop-swap-list_add_tail-arguments.patch +net-ppp-add-bound-checking-for-skb-data-on-ppp_sync_.patch +nft_set_pipapo-fix-incorrect-avx2-match-of-5th-field.patch diff --git a/queue-5.15/tipc-fix-memory-leak-in-tipc_link_xmit.patch b/queue-5.15/tipc-fix-memory-leak-in-tipc_link_xmit.patch new file mode 100644 index 0000000000..5001bf42bf --- /dev/null +++ b/queue-5.15/tipc-fix-memory-leak-in-tipc_link_xmit.patch @@ -0,0 +1,40 @@ +From 791116e77a25ba7762e7d462bea5abc621e2edf8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 09:24:31 +0000 +Subject: tipc: fix memory leak in tipc_link_xmit + +From: Tung Nguyen + +[ Upstream commit 69ae94725f4fc9e75219d2d69022029c5b24bc9a ] + +In case the backlog transmit queue for system-importance messages is overloaded, +tipc_link_xmit() returns -ENOBUFS but the skb list is not purged. This leads to +memory leak and failure when a skb is allocated. + +This commit fixes this issue by purging the skb list before tipc_link_xmit() +returns. + +Fixes: 365ad353c256 ("tipc: reduce risk of user starvation during link congestion") +Signed-off-by: Tung Nguyen +Link: https://patch.msgid.link/20250403092431.514063-1-tung.quang.nguyen@est.tech +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tipc/link.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/tipc/link.c b/net/tipc/link.c +index d13a85b9cdb2d..b098b74516d16 100644 +--- a/net/tipc/link.c ++++ b/net/tipc/link.c +@@ -1068,6 +1068,7 @@ int tipc_link_xmit(struct tipc_link *l, struct sk_buff_head *list, + if (unlikely(l->backlog[imp].len >= l->backlog[imp].limit)) { + if (imp == TIPC_SYSTEM_IMPORTANCE) { + pr_warn("%s<%s>, link overflow", link_rst_msg, l->name); ++ __skb_queue_purge(list); + return -ENOBUFS; + } + rc = link_schedule_user(l, hdr); +-- +2.39.5 +