--- /dev/null
+From e08969c4d65ac31297fcb4d31d4808c789152f68 Mon Sep 17 00:00:00 2001
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+Date: Tue, 4 Nov 2025 07:03:10 +0000
+Subject: Input: cros_ec_keyb - fix an invalid memory access
+
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+
+commit e08969c4d65ac31297fcb4d31d4808c789152f68 upstream.
+
+If cros_ec_keyb_register_matrix() isn't called (due to
+`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains
+NULL. An invalid memory access is observed in cros_ec_keyb_process()
+when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()
+in such case.
+
+ Unable to handle kernel read from unreadable memory at virtual address 0000000000000028
+ ...
+ x3 : 0000000000000000 x2 : 0000000000000000
+ x1 : 0000000000000000 x0 : 0000000000000000
+ Call trace:
+ input_event
+ cros_ec_keyb_work
+ blocking_notifier_call_chain
+ ec_irq_thread
+
+It's still unknown about why the kernel receives such malformed event,
+in any cases, the kernel shouldn't access `ckdev->idev` and friends if
+the driver doesn't intend to initialize them.
+
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Link: https://patch.msgid.link/20251104070310.3212712-1-tzungbi@kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/cros_ec_keyb.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/input/keyboard/cros_ec_keyb.c
++++ b/drivers/input/keyboard/cros_ec_keyb.c
+@@ -242,6 +242,12 @@ static int cros_ec_keyb_work(struct noti
+ case EC_MKBP_EVENT_KEY_MATRIX:
+ pm_wakeup_event(ckdev->dev, 0);
+
++ if (!ckdev->idev) {
++ dev_warn_once(ckdev->dev,
++ "Unexpected key matrix event\n");
++ return NOTIFY_OK;
++ }
++
+ if (ckdev->ec->event_size != ckdev->cols) {
+ dev_err(ckdev->dev,
+ "Discarded incomplete key matrix event.\n");
--- /dev/null
+From d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Sat, 1 Nov 2025 16:25:27 +0300
+Subject: Input: imx_sc_key - fix memory corruption on unload
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4 upstream.
+
+This is supposed to be "priv" but we accidentally pass "&priv" which is
+an address in the stack and so it will lead to memory corruption when
+the imx_sc_key_action() function is called. Remove the &.
+
+Fixes: 768062fd1284 ("Input: imx_sc_key - use devm_add_action_or_reset() to handle all cleanups")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://patch.msgid.link/aQYKR75r2VMFJutT@stanley.mountain
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/imx_sc_key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/keyboard/imx_sc_key.c
++++ b/drivers/input/keyboard/imx_sc_key.c
+@@ -158,7 +158,7 @@ static int imx_sc_key_probe(struct platf
+ return error;
+ }
+
+- error = devm_add_action_or_reset(&pdev->dev, imx_sc_key_action, &priv);
++ error = devm_add_action_or_reset(&pdev->dev, imx_sc_key_action, priv);
+ if (error)
+ return error;
+
--- /dev/null
+From ebd729fef31620e0bf74cbf8a4c7fda73a2a4e7e Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Mon, 20 Oct 2025 02:11:49 +0100
+Subject: MIPS: Malta: Fix !EVA SOC-it PCI MMIO
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit ebd729fef31620e0bf74cbf8a4c7fda73a2a4e7e upstream.
+
+Fix a regression that has caused accesses to the PCI MMIO window to
+complete unclaimed in non-EVA configurations with the SOC-it family of
+system controllers, preventing PCI devices from working that use MMIO.
+
+In the non-EVA case PHYS_OFFSET is set to 0, meaning that PCI_BAR0 is
+set with an empty mask (and PCI_HEAD4 matches addresses starting from 0
+accordingly). Consequently all addresses are matched for incoming DMA
+accesses from PCI. This seems to confuse the system controller's logic
+and outgoing bus cycles targeting the PCI MMIO window seem not to make
+it to the intended devices.
+
+This happens as well when a wider mask is used with PCI_BAR0, such as
+0x80000000 or 0xe0000000, that makes addresses match that overlap with
+the PCI MMIO window, which starts at 0x10000000 in our configuration.
+
+Set the mask in PCI_BAR0 to 0xf0000000 for non-EVA then, covering the
+non-EVA maximum 256 MiB of RAM, which is what YAMON does and which used
+to work correctly up to the offending commit. Set PCI_P2SCMSKL to match
+PCI_BAR0 as required by the system controller's specification, and match
+PCI_P2SCMAPL to PCI_HEAD4 for identity mapping.
+
+Verified with:
+
+Core board type/revision = 0x0d (Core74K) / 0x01
+System controller/revision = MIPS SOC-it 101 OCP / 1.3 SDR-FW-4:1
+Processor Company ID/options = 0x01 (MIPS Technologies, Inc.) / 0x1c
+Processor ID/revision = 0x97 (MIPS 74Kf) / 0x4c
+
+for non-EVA and with:
+
+Core board type/revision = 0x0c (CoreFPGA-5) / 0x00
+System controller/revision = MIPS ROC-it2 / 0.0 FW-1:1 (CLK_unknown) GIC
+Processor Company ID/options = 0x01 (MIPS Technologies, Inc.) / 0x00
+Processor ID/revision = 0xa0 (MIPS interAptiv UP) / 0x20
+
+for EVA/non-EVA, fixing:
+
+defxx 0000:00:12.0: assign IRQ: got 10
+defxx: v1.12 2021/03/10 Lawrence V. Stefani and others
+0000:00:12.0: Could not read adapter factory MAC address!
+
+vs:
+
+defxx 0000:00:12.0: assign IRQ: got 10
+defxx: v1.12 2021/03/10 Lawrence V. Stefani and others
+0000:00:12.0: DEFPA at MMIO addr = 0x10142000, IRQ = 10, Hardware addr = 00-00-f8-xx-xx-xx
+0000:00:12.0: registered as fddi0
+
+for non-EVA and causing no change for EVA.
+
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Fixes: 422dd256642b ("MIPS: Malta: Allow PCI devices DMA to lower 2GB physical")
+Cc: stable@vger.kernel.org # v4.9+
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/mti-malta/malta-init.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/arch/mips/mti-malta/malta-init.c
++++ b/arch/mips/mti-malta/malta-init.c
+@@ -242,16 +242,22 @@ mips_pci_controller:
+ #endif
+
+ /*
+- * Setup the Malta max (2GB) memory for PCI DMA in host bridge
+- * in transparent addressing mode.
++ * Set up memory mapping in host bridge for PCI DMA masters,
++ * in transparent addressing mode. For EVA use the Malta
++ * maximum of 2 GiB memory in the alias space at 0x80000000
++ * as per PHYS_OFFSET. Otherwise use 256 MiB of memory in
++ * the regular space, avoiding mapping the PCI MMIO window
++ * for DMA as it seems to confuse the system controller's
++ * logic, causing PCI MMIO to stop working.
+ */
+- mask = PHYS_OFFSET | PCI_BASE_ADDRESS_MEM_PREFETCH;
+- MSC_WRITE(MSC01_PCI_BAR0, mask);
+- MSC_WRITE(MSC01_PCI_HEAD4, mask);
++ mask = PHYS_OFFSET ? PHYS_OFFSET : 0xf0000000;
++ MSC_WRITE(MSC01_PCI_BAR0,
++ mask | PCI_BASE_ADDRESS_MEM_PREFETCH);
++ MSC_WRITE(MSC01_PCI_HEAD4,
++ PHYS_OFFSET | PCI_BASE_ADDRESS_MEM_PREFETCH);
+
+- mask &= MSC01_PCI_BAR0_SIZE_MSK;
+ MSC_WRITE(MSC01_PCI_P2SCMSKL, mask);
+- MSC_WRITE(MSC01_PCI_P2SCMAPL, mask);
++ MSC_WRITE(MSC01_PCI_P2SCMAPL, PHYS_OFFSET);
+
+ /* Don't handle target retries indefinitely. */
+ if ((data & MSC01_PCI_CFG_MAXRTRY_MSK) ==
--- /dev/null
+From 0a2c5495b6d1ecb0fa18ef6631450f391a888256 Mon Sep 17 00:00:00 2001
+From: "Ewan D. Milne" <emilne@redhat.com>
+Date: Mon, 10 Nov 2025 16:20:01 -0500
+Subject: nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()
+
+From: Ewan D. Milne <emilne@redhat.com>
+
+commit 0a2c5495b6d1ecb0fa18ef6631450f391a888256 upstream.
+
+nvme_fc_delete_assocation() waits for pending I/O to complete before
+returning, and an error can cause ->ioerr_work to be queued after
+cancel_work_sync() had been called. Move the call to cancel_work_sync() to
+be after nvme_fc_delete_association() to ensure ->ioerr_work is not running
+when the nvme_fc_ctrl object is freed. Otherwise the following can occur:
+
+[ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL
+[ 1135.917705] ------------[ cut here ]------------
+[ 1135.922336] kernel BUG at lib/list_debug.c:52!
+[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI
+[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)
+[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025
+[ 1135.950969] Workqueue: 0x0 (nvme-wq)
+[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b
+[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046
+[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000
+[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0
+[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08
+[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100
+[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0
+[ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000
+[ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0
+[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
+[ 1136.055910] PKRU: 55555554
+[ 1136.058623] Call Trace:
+[ 1136.061074] <TASK>
+[ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0
+[ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0
+[ 1136.071898] ? move_linked_works+0x4a/0xa0
+[ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.081744] ? __die_body.cold+0x8/0x12
+[ 1136.085584] ? die+0x2e/0x50
+[ 1136.088469] ? do_trap+0xca/0x110
+[ 1136.091789] ? do_error_trap+0x65/0x80
+[ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.101289] ? exc_invalid_op+0x50/0x70
+[ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20
+[ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.120806] move_linked_works+0x4a/0xa0
+[ 1136.124733] worker_thread+0x216/0x3a0
+[ 1136.128485] ? __pfx_worker_thread+0x10/0x10
+[ 1136.132758] kthread+0xfa/0x240
+[ 1136.135904] ? __pfx_kthread+0x10/0x10
+[ 1136.139657] ret_from_fork+0x31/0x50
+[ 1136.143236] ? __pfx_kthread+0x10/0x10
+[ 1136.146988] ret_from_fork_asm+0x1a/0x30
+[ 1136.150915] </TASK>
+
+Fixes: 19fce0470f05 ("nvme-fc: avoid calling _nvme_fc_abort_outstanding_ios from interrupt context")
+Cc: stable@vger.kernel.org
+Tested-by: Marco Patalano <mpatalan@redhat.com>
+Reviewed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/fc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -3257,7 +3257,6 @@ nvme_fc_delete_ctrl(struct nvme_ctrl *nc
+ {
+ struct nvme_fc_ctrl *ctrl = to_fc_ctrl(nctrl);
+
+- cancel_work_sync(&ctrl->ioerr_work);
+ cancel_delayed_work_sync(&ctrl->connect_work);
+ /*
+ * kill the association on the link side. this will block
+@@ -3321,6 +3320,7 @@ nvme_fc_reset_ctrl_work(struct work_stru
+
+ /* will block will waiting for io to terminate */
+ nvme_fc_delete_association(ctrl);
++ cancel_work_sync(&ctrl->ioerr_work);
+
+ if (!nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_CONNECTING))
+ dev_err(ctrl->ctrl.device,
--- /dev/null
+From 90449f2d1e1f020835cba5417234636937dd657e Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Thu, 13 Nov 2025 10:16:43 -0800
+Subject: scsi: sg: Do not sleep in atomic context
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 90449f2d1e1f020835cba5417234636937dd657e upstream.
+
+sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may
+sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead
+of disabled.
+
+Reported-by: syzbot+c01f8e6e73f20459912e@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-scsi/691560c4.a70a0220.3124cb.001a.GAE@google.com/
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: stable@vger.kernel.org
+Fixes: 97d27b0dd015 ("scsi: sg: close race condition in sg_remove_sfp_usercontext()")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20251113181643.1108973-1-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sg.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -2235,9 +2235,17 @@ sg_remove_sfp_usercontext(struct work_st
+ write_lock_irqsave(&sfp->rq_list_lock, iflags);
+ while (!list_empty(&sfp->rq_list)) {
+ srp = list_first_entry(&sfp->rq_list, Sg_request, entry);
+- sg_finish_rem_req(srp);
+ list_del(&srp->entry);
++ write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
++
++ sg_finish_rem_req(srp);
++ /*
++ * sg_rq_end_io() uses srp->parentfp. Hence, only clear
++ * srp->parentfp after blk_mq_free_request() has been called.
++ */
+ srp->parentfp = NULL;
++
++ write_lock_irqsave(&sfp->rq_list_lock, iflags);
+ }
+ write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
+
--- /dev/null
+From e6965188f84a7883e6a0d3448e86b0cf29b24dfc Mon Sep 17 00:00:00 2001
+From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+Date: Wed, 5 Nov 2025 11:25:46 -0800
+Subject: scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
+
+From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+
+commit e6965188f84a7883e6a0d3448e86b0cf29b24dfc upstream.
+
+If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we
+attempt to dereference it in tcm_loop_tpg_address_show() we will get a
+segfault, see below for an example. So, check tl_hba->sh before
+dereferencing it.
+
+ Unable to allocate struct scsi_host
+ BUG: kernel NULL pointer dereference, address: 0000000000000194
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1
+ Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024
+ RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop]
+...
+ Call Trace:
+ <TASK>
+ configfs_read_iter+0x12d/0x1d0 [configfs]
+ vfs_read+0x1b5/0x300
+ ksys_read+0x6f/0xf0
+...
+
+Cc: stable@vger.kernel.org
+Fixes: 2628b352c3d4 ("tcm_loop: Show address of tpg in configfs")
+Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Reviewed-by: Allen Pais <apais@linux.microsoft.com>
+Link: https://patch.msgid.link/1762370746-6304-1-git-send-email-hamzamahfooz@linux.microsoft.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/loopback/tcm_loop.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/target/loopback/tcm_loop.c
++++ b/drivers/target/loopback/tcm_loop.c
+@@ -933,6 +933,9 @@ static ssize_t tcm_loop_tpg_address_show
+ struct tcm_loop_tpg, tl_se_tpg);
+ struct tcm_loop_hba *tl_hba = tl_tpg->tl_hba;
+
++ if (!tl_hba->sh)
++ return -ENODEV;
++
+ return snprintf(page, PAGE_SIZE, "%d:0:%d\n",
+ tl_hba->sh->host_no, tl_tpg->tl_tpgt);
+ }
exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch
mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch
be2net-pass-wrb_params-in-case-of-os2bmc.patch
+input-cros_ec_keyb-fix-an-invalid-memory-access.patch
+input-imx_sc_key-fix-memory-corruption-on-unload.patch
+nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
+scsi-sg-do-not-sleep-in-atomic-context.patch
+scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch
+mips-malta-fix-eva-soc-it-pci-mmio.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
