From 444b51ade2b7468aad439458722e61c9f1c114d7 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 23 Apr 2025 13:22:39 +0200 Subject: [PATCH] 5.15-stable patches added patches: net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch pmdomain-ti-add-a-null-pointer-check-to-the-omap_prm_domain_init.patch --- ...de-retval-if-we-already-lost-the-skb.patch | 78 +++++++++++++++++++ ...er-check-to-the-omap_prm_domain_init.patch | 35 +++++++++ queue-5.15/series | 2 + 3 files changed, 115 insertions(+) create mode 100644 queue-5.15/net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch create mode 100644 queue-5.15/pmdomain-ti-add-a-null-pointer-check-to-the-omap_prm_domain_init.patch
diff --git a/queue-5.15/net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch b/queue-5.15/net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch
new file mode 100644
index 0000000000..8b19d005ff
--- /dev/null
+++ b/queue-5.15/net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch
@@ -0,0 +1,78 @@
+From 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski
+Date: Thu, 15 Feb 2024 06:33:46 -0800
+Subject: net/sched: act_mirred: don't override retval if we already lost the skb
+
+From: Jakub Kicinski
+
+commit 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 upstream.
+
+If we're redirecting the skb, and haven't called tcf_mirred_forward(),
+yet, we need to tell the core to drop the skb by setting the retcode
+to SHOT. If we have called tcf_mirred_forward(), however, the skb
+is out of our hands and returning SHOT will lead to UaF.
+
+Move the retval override to the error path which actually need it.
+
+Reviewed-by: Michal Swiatkowski
+Fixes: e5cf1baf92cb ("act_mirred: use TC_ACT_REINSERT when possible")
+Signed-off-by: Jakub Kicinski
+Acked-by: Jamal Hadi Salim
+Signed-off-by: David S. Miller
+[Minor conflict resolved due to code context change.]
+Signed-off-by: Jianqi Ren
+Signed-off-by: He Zhe
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/act_mirred.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -258,13 +258,13 @@ static int tcf_mirred_act(struct sk_buff
+ dev = rcu_dereference_bh(m->tcfm_dev);
+ if (unlikely(!dev)) {
+ pr_notice_once("tc mirred: target device is gone\n");
+- goto out;
++ goto err_cant_do;
+ }
+
+ if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) {
+ net_notice_ratelimited("tc mirred to Houston: device %s is down\n",
+ dev->name);
+- goto out;
++ goto err_cant_do;
+ }
+
+ /* we could easily avoid the clone only if called by ingress and clsact;
+@@ -278,7 +278,7 @@ static int tcf_mirred_act(struct sk_buff
+ if (!use_reinsert) {
+ skb2 = skb_clone(skb, GFP_ATOMIC);
+ if (!skb2)
+- goto out;
++ goto err_cant_do;
+ }
+
+ want_ingress = tcf_mirred_act_wants_ingress(m_eaction);
+@@ -321,12 +321,16 @@ static int tcf_mirred_act(struct sk_buff
+ }
+
+ err = tcf_mirred_forward(want_ingress, 
skb2);
+- if (err) {
+-out:
++ if (err)
+ tcf_action_inc_overlimit_qstats(&m->common);
+- if (tcf_mirred_is_act_redirect(m_eaction))
+- retval = TC_ACT_SHOT;
+- }
++ __this_cpu_dec(mirred_nest_level);
++
++ return retval;
++
++err_cant_do:
++ if (is_redirect)
++ retval = TC_ACT_SHOT;
++ tcf_action_inc_overlimit_qstats(&m->common);
+ __this_cpu_dec(mirred_nest_level);
+
+ return retval;
diff --git a/queue-5.15/pmdomain-ti-add-a-null-pointer-check-to-the-omap_prm_domain_init.patch b/queue-5.15/pmdomain-ti-add-a-null-pointer-check-to-the-omap_prm_domain_init.patch
new file mode 100644
index 0000000000..694c02c6fd
--- /dev/null
+++ b/queue-5.15/pmdomain-ti-add-a-null-pointer-check-to-the-omap_prm_domain_init.patch
@@ -0,0 +1,35 @@
+From 5d7f58ee08434a33340f75ac7ac5071eea9673b3 Mon Sep 17 00:00:00 2001
+From: Kunwu Chan
+Date: Thu, 18 Jan 2024 13:42:57 +0800
+Subject: pmdomain: ti: Add a null pointer check to the omap_prm_domain_init
+
+From: Kunwu Chan
+
+commit 5d7f58ee08434a33340f75ac7ac5071eea9673b3 upstream.
+
+devm_kasprintf() returns a pointer to dynamically allocated memory
+which can be NULL upon failure. Ensure the allocation was successful
+by checking the pointer validity.
+
+Signed-off-by: Kunwu Chan
+Link: https://lore.kernel.org/r/20240118054257.200814-1-chentao@kylinos.cn
+Signed-off-by: Ulf Hansson
+[Minor context change fixed]
+Signed-off-by: Feng Liu
+Signed-off-by: He Zhe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/soc/ti/omap_prm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/soc/ti/omap_prm.c
++++ b/drivers/soc/ti/omap_prm.c
+@@ -696,6 +696,8 @@ static int omap_prm_domain_init(struct d
+ data = prm->data;
+ name = devm_kasprintf(dev, GFP_KERNEL, "prm_%s",
+ data->name);
++ if (!name)
++ return -ENOMEM;
+
+ prmd->dev = dev;
+ prmd->prm = prm;
diff --git a/queue-5.15/series b/queue-5.15/series
index 32c1ea5e2c..5abcc1a786 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
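Review bot: In the net/sched/act_mirred.c backport, the new `err_cant_do:` label tests `is_redirect`, which is not assigned anywhere in the visible hunks, whereas the removed code called `tcf_mirred_is_act_redirect(m_eaction)` at that point. The first two `goto err_cant_do` sites (target device gone, device down) sit above the "we could easily avoid the clone" comment, so if this tree assigns `is_redirect` only after those checks, the label would read an uninitialized bool and the choice between keeping `retval` and forcing `TC_ACT_SHOT` becomes indeterminate on exactly the paths where the skb is still owned by the caller. Most of tcf_mirred_act lies outside the hunks, so this has to be confirmed against the 5.15 source. If the assignment does come later, keeping `if (tcf_mirred_is_act_redirect(m_eaction))` in the label, or hoisting the `is_redirect` assignment above the `dev` lookup, closes the gap.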
@@ -248,3 +248,5 @@ drm-i915-gt-cleanup-partial-engine-discovery-failures.patch
 fs-proc-do_task_stat-use-sig-stats_lock-to-gather-the-threads-children-stats.patch
 mm-fix-apply_to_existing_page_range.patch
 f2fs-check-validation-of-fault-attrs-in-f2fs_build_fault_attr.patch
+pmdomain-ti-add-a-null-pointer-check-to-the-omap_prm_domain_init.patch
+net-sched-act_mirred-don-t-override-retval-if-we-already-lost-the-skb.patch
-- 
2.47.3