--- /dev/null
+From 06d712d297649f48ebf1381d19bd24e942813b37 Mon Sep 17 00:00:00 2001
+From: Yu Kuai <yukuai3@huawei.com>
+Date: Wed, 10 Sep 2025 14:30:45 +0800
+Subject: blk-crypto: fix missing blktrace bio split events
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+commit 06d712d297649f48ebf1381d19bd24e942813b37 upstream.
+
+trace_block_split() is missing, resulting in blktrace inability to catch
+BIO split events and making it harder to analyze the BIO sequence.
+
+Cc: stable@vger.kernel.org
+Fixes: 488f6682c832 ("block: blk-crypto-fallback for Inline Encryption")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-crypto-fallback.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/block/blk-crypto-fallback.c
++++ b/block/blk-crypto-fallback.c
+@@ -18,6 +18,7 @@
+ #include <linux/module.h>
+ #include <linux/random.h>
+ #include <linux/scatterlist.h>
++#include <trace/events/block.h>
+
+ #include "blk-cgroup.h"
+ #include "blk-crypto-internal.h"
+@@ -231,7 +232,9 @@ static bool blk_crypto_fallback_split_bi
+ bio->bi_status = BLK_STS_RESOURCE;
+ return false;
+ }
++
+ bio_chain(split_bio, bio);
++ trace_block_split(split_bio, bio->bi_iter.bi_sector);
+ submit_bio_noacct(bio);
+ *bio_ptr = split_bio;
+ }
--- /dev/null
+From dff4f9ff5d7f289e4545cc936362e01ed3252742 Mon Sep 17 00:00:00 2001
+From: Anderson Nascimento <anderson@allelesecurity.com>
+Date: Mon, 8 Sep 2025 09:49:02 -0300
+Subject: btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
+
+From: Anderson Nascimento <anderson@allelesecurity.com>
+
+commit dff4f9ff5d7f289e4545cc936362e01ed3252742 upstream.
+
+The function btrfs_encode_fh() does not properly account for the three
+cases it handles.
+
+Before writing to the file handle (fh), the function only returns to the
+user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or
+BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).
+
+However, when a parent exists and the root ID of the parent and the
+inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT
+(10 dwords, 40 bytes).
+
+If *max_len is not large enough, this write goes out of bounds because
+BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than
+BTRFS_FID_SIZE_CONNECTABLE originally returned.
+
+This results in an 8-byte out-of-bounds write at
+fid->parent_root_objectid = parent_root_id.
+
+A previous attempt to fix this issue was made but was lost.
+
+https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/
+
+Although this issue does not seem to be easily triggerable, it is a
+potential memory corruption bug that should be fixed. This patch
+resolves the issue by ensuring the function returns the appropriate size
+for all three cases and validates that *max_len is large enough before
+writing any data.
+
+Fixes: be6e8dc0ba84 ("NFS support for btrfs - v3")
+CC: stable@vger.kernel.org # 3.0+
+Signed-off-by: Anderson Nascimento <anderson@allelesecurity.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/export.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/export.c
++++ b/fs/btrfs/export.c
+@@ -23,7 +23,11 @@ static int btrfs_encode_fh(struct inode
+ int type;
+
+ if (parent && (len < BTRFS_FID_SIZE_CONNECTABLE)) {
+- *max_len = BTRFS_FID_SIZE_CONNECTABLE;
++ if (btrfs_root_id(BTRFS_I(inode)->root) !=
++ btrfs_root_id(BTRFS_I(parent)->root))
++ *max_len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;
++ else
++ *max_len = BTRFS_FID_SIZE_CONNECTABLE;
+ return FILEID_INVALID;
+ } else if (len < BTRFS_FID_SIZE_NON_CONNECTABLE) {
+ *max_len = BTRFS_FID_SIZE_NON_CONNECTABLE;
+@@ -45,6 +49,8 @@ static int btrfs_encode_fh(struct inode
+ parent_root_id = btrfs_root_id(BTRFS_I(parent)->root);
+
+ if (parent_root_id != fid->root_objectid) {
++ if (*max_len < BTRFS_FID_SIZE_CONNECTABLE_ROOT)
++ return FILEID_INVALID;
+ fid->parent_root_objectid = parent_root_id;
+ len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;
+ type = FILEID_BTRFS_WITH_PARENT_ROOT;
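Review bot: The late rejection added in the `parent_root_id != fid->root_objectid` branch returns FILEID_INVALID without updating `*max_len`, unlike both early-exit paths in the first hunk, which store the required size before returning. A caller that passes 8 or 9 dwords for a cross-root parent gets past the first check, which only tests `len < BTRFS_FID_SIZE_CONNECTABLE`, and fails here with `*max_len` still holding its own too-small value. It then presumably cannot learn that 10 dwords are needed. I would report the size before bailing out, in a braced body: `*max_len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;` followed by `return FILEID_INVALID;`. btrfs_encode_fh() starts and ends outside this hunk, so how callers use the reported size is not visible here.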
--- /dev/null
+From f5225a34bd8f9f64eec37f6ae1461289aaa3eb86 Mon Sep 17 00:00:00 2001
+From: Sumit Kumar <sumit.kumar@oss.qualcomm.com>
+Date: Wed, 10 Sep 2025 18:11:09 +0530
+Subject: bus: mhi: ep: Fix chained transfer handling in read path
+
+From: Sumit Kumar <sumit.kumar@oss.qualcomm.com>
+
+commit f5225a34bd8f9f64eec37f6ae1461289aaa3eb86 upstream.
+
+The mhi_ep_read_channel function incorrectly assumes the End of Transfer
+(EOT) bit is present for each packet in a chained transactions, causing
+it to advance mhi_chan->rd_offset beyond wr_offset during host-to-device
+transfers when EOT has not yet arrived. This leads to access of unmapped
+host memory, causing IOMMU faults and processing of stale TREs.
+
+Modify the loop condition to ensure mhi_queue is not empty, allowing the
+function to process only valid TREs up to the current write pointer to
+prevent premature reads and ensure safe traversal of chained TREs.
+
+Due to this change, buf_left needs to be removed from the while loop
+condition to avoid exiting prematurely before reading the ring completely,
+and also remove write_offset since it will always be zero because the new
+cache buffer is allocated every time.
+
+Fixes: 5301258899773 ("bus: mhi: ep: Add support for reading from the host")
+Co-developed-by: Akhil Vinod <akhil.vinod@oss.qualcomm.com>
+Signed-off-by: Akhil Vinod <akhil.vinod@oss.qualcomm.com>
+Signed-off-by: Sumit Kumar <sumit.kumar@oss.qualcomm.com>
+[mani: reworded description slightly]
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+Reviewed-by: Krishna Chaitanya Chundru <krishna.chundru@oss.qualcomm.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250910-final_chained-v3-1-ec77c9d88ace@oss.qualcomm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/mhi/ep/main.c | 37 ++++++++++++-------------------------
+ 1 file changed, 12 insertions(+), 25 deletions(-)
+
+--- a/drivers/bus/mhi/ep/main.c
++++ b/drivers/bus/mhi/ep/main.c
+@@ -403,17 +403,13 @@ static int mhi_ep_read_channel(struct mh
+ {
+ struct mhi_ep_chan *mhi_chan = &mhi_cntrl->mhi_chan[ring->ch_id];
+ struct device *dev = &mhi_cntrl->mhi_dev->dev;
+- size_t tr_len, read_offset, write_offset;
++ size_t tr_len, read_offset;
+ struct mhi_ep_buf_info buf_info = {};
+ u32 len = MHI_EP_DEFAULT_MTU;
+ struct mhi_ring_element *el;
+- bool tr_done = false;
+ void *buf_addr;
+- u32 buf_left;
+ int ret;
+
+- buf_left = len;
+-
+ do {
+ /* Don't process the transfer ring if the channel is not in RUNNING state */
+ if (mhi_chan->state != MHI_CH_STATE_RUNNING) {
+@@ -426,24 +422,23 @@ static int mhi_ep_read_channel(struct mh
+ /* Check if there is data pending to be read from previous read operation */
+ if (mhi_chan->tre_bytes_left) {
+ dev_dbg(dev, "TRE bytes remaining: %u\n", mhi_chan->tre_bytes_left);
+- tr_len = min(buf_left, mhi_chan->tre_bytes_left);
++ tr_len = min(len, mhi_chan->tre_bytes_left);
+ } else {
+ mhi_chan->tre_loc = MHI_TRE_DATA_GET_PTR(el);
+ mhi_chan->tre_size = MHI_TRE_DATA_GET_LEN(el);
+ mhi_chan->tre_bytes_left = mhi_chan->tre_size;
+
+- tr_len = min(buf_left, mhi_chan->tre_size);
++ tr_len = min(len, mhi_chan->tre_size);
+ }
+
+ read_offset = mhi_chan->tre_size - mhi_chan->tre_bytes_left;
+- write_offset = len - buf_left;
+
+ buf_addr = kmem_cache_zalloc(mhi_cntrl->tre_buf_cache, GFP_KERNEL);
+ if (!buf_addr)
+ return -ENOMEM;
+
+ buf_info.host_addr = mhi_chan->tre_loc + read_offset;
+- buf_info.dev_addr = buf_addr + write_offset;
++ buf_info.dev_addr = buf_addr;
+ buf_info.size = tr_len;
+ buf_info.cb = mhi_ep_read_completion;
+ buf_info.cb_buf = buf_addr;
+@@ -459,16 +454,12 @@ static int mhi_ep_read_channel(struct mh
+ goto err_free_buf_addr;
+ }
+
+- buf_left -= tr_len;
+ mhi_chan->tre_bytes_left -= tr_len;
+
+- if (!mhi_chan->tre_bytes_left) {
+- if (MHI_TRE_DATA_GET_IEOT(el))
+- tr_done = true;
+-
++ if (!mhi_chan->tre_bytes_left)
+ mhi_chan->rd_offset = (mhi_chan->rd_offset + 1) % ring->ring_size;
+- }
+- } while (buf_left && !tr_done);
++ /* Read until the some buffer is left or the ring becomes not empty */
++ } while (!mhi_ep_queue_is_empty(mhi_chan->mhi_dev, DMA_TO_DEVICE));
+
+ return 0;
+
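Review bot: The comment added above the new loop condition, `/* Read until the some buffer is left or the ring becomes not empty */`, is garbled and says the opposite of what the condition does. The loop repeats while `mhi_ep_queue_is_empty()` returns false, so it runs until the ring is empty, and `buf_left` no longer exists. Going by the commit description, a wording such as `/* Keep reading until the ring is empty, i.e. every TRE up to the current write pointer is consumed */` would match the code. This condition is now the only thing limiting how far `rd_offset` advances, so an accurate comment matters for anyone checking that TREs past the write offset are never read. The do/while body starts outside this hunk.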
+@@ -502,15 +493,11 @@ static int mhi_ep_process_ch_ring(struct
+ mhi_chan->xfer_cb(mhi_chan->mhi_dev, &result);
+ } else {
+ /* UL channel */
+- do {
+- ret = mhi_ep_read_channel(mhi_cntrl, ring);
+- if (ret < 0) {
+- dev_err(&mhi_chan->mhi_dev->dev, "Failed to read channel\n");
+- return ret;
+- }
+-
+- /* Read until the ring becomes empty */
+- } while (!mhi_ep_queue_is_empty(mhi_chan->mhi_dev, DMA_TO_DEVICE));
++ ret = mhi_ep_read_channel(mhi_cntrl, ring);
++ if (ret < 0) {
++ dev_err(&mhi_chan->mhi_dev->dev, "Failed to read channel\n");
++ return ret;
++ }
+ }
+
+ return 0;
--- /dev/null
+From d0856a6dff57f95cc5d2d74e50880f01697d0cc4 Mon Sep 17 00:00:00 2001
+From: Adam Xue <zxue@semtech.com>
+Date: Fri, 5 Sep 2025 10:41:18 -0700
+Subject: bus: mhi: host: Do not use uninitialized 'dev' pointer in mhi_init_irq_setup()
+
+From: Adam Xue <zxue@semtech.com>
+
+commit d0856a6dff57f95cc5d2d74e50880f01697d0cc4 upstream.
+
+In mhi_init_irq_setup, the device pointer used for dev_err() was not
+initialized. Use the pointer from mhi_cntrl instead.
+
+Fixes: b0fc0167f254 ("bus: mhi: core: Allow shared IRQ for event rings")
+Fixes: 3000f85b8f47 ("bus: mhi: core: Add support for basic PM operations")
+Signed-off-by: Adam Xue <zxue@semtech.com>
+[mani: reworded subject/description and CCed stable]
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+Reviewed-by: Krishna Chaitanya Chundru <krishna.chundru@oss.qualcomm.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250905174118.38512-1-zxue@semtech.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/mhi/host/init.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/mhi/host/init.c
++++ b/drivers/bus/mhi/host/init.c
+@@ -194,7 +194,6 @@ static void mhi_deinit_free_irq(struct m
+ static int mhi_init_irq_setup(struct mhi_controller *mhi_cntrl)
+ {
+ struct mhi_event *mhi_event = mhi_cntrl->mhi_event;
+- struct device *dev = &mhi_cntrl->mhi_dev->dev;
+ unsigned long irq_flags = IRQF_SHARED | IRQF_NO_SUSPEND;
+ int i, ret;
+
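Review bot: Style point on the removed declaration: instead of dropping `dev` and spelling out `mhi_cntrl->cntrl_dev` in both dev_err() calls (the two later hunks), the local could have been kept and re-pointed, `struct device *dev = mhi_cntrl->cntrl_dev;`. That leaves the call sites untouched, keeps those lines short, and reduces the fix to a one-line change that is easier to backport. mhi_init_irq_setup() continues outside this hunk.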
+@@ -221,7 +220,7 @@ static int mhi_init_irq_setup(struct mhi
+ continue;
+
+ if (mhi_event->irq >= mhi_cntrl->nr_irqs) {
+- dev_err(dev, "irq %d not available for event ring\n",
++ dev_err(mhi_cntrl->cntrl_dev, "irq %d not available for event ring\n",
+ mhi_event->irq);
+ ret = -EINVAL;
+ goto error_request;
+@@ -232,7 +231,7 @@ static int mhi_init_irq_setup(struct mhi
+ irq_flags,
+ "mhi", mhi_event);
+ if (ret) {
+- dev_err(dev, "Error requesting irq:%d for ev:%d\n",
++ dev_err(mhi_cntrl->cntrl_dev, "Error requesting irq:%d for ev:%d\n",
+ mhi_cntrl->irq[mhi_event->irq], i);
+ goto error_request;
+ }
drm-amd-display-incorrect-mirror-cositing.patch
drm-amd-display-enable-dynamic-dtbclk-switch.patch
drm-amd-display-fix-unsafe-uses-of-kernel-mode-fpu.patch
+blk-crypto-fix-missing-blktrace-bio-split-events.patch
+btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch
+bus-mhi-ep-fix-chained-transfer-handling-in-read-path.patch
+bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch