From 2cb12408a12a4bd2cdf001292d736ce751e1e371 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 16 Oct 2025 14:06:33 +0200 Subject: [PATCH] 6.17-stable patches added patches: blk-crypto-fix-missing-blktrace-bio-split-events.patch btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch bus-mhi-ep-fix-chained-transfer-handling-in-read-path.patch bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch --- ...ix-missing-blktrace-bio-split-events.patch | 43 ++++++ ...ial-out-of-bounds-in-btrfs_encode_fh.patch | 71 ++++++++++ ...ained-transfer-handling-in-read-path.patch | 128 ++++++++++++++++++ ...ed-dev-pointer-in-mhi_init_irq_setup.patch | 53 ++++++++ queue-6.17/series | 4 + 5 files changed, 299 insertions(+) create mode 100644 queue-6.17/blk-crypto-fix-missing-blktrace-bio-split-events.patch create mode 100644 queue-6.17/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch create mode 100644 queue-6.17/bus-mhi-ep-fix-chained-transfer-handling-in-read-path.patch create mode 100644 queue-6.17/bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch diff --git a/queue-6.17/blk-crypto-fix-missing-blktrace-bio-split-events.patch b/queue-6.17/blk-crypto-fix-missing-blktrace-bio-split-events.patch new file mode 100644 index 0000000000..ce41240e38 --- /dev/null +++ b/queue-6.17/blk-crypto-fix-missing-blktrace-bio-split-events.patch 
@@ -0,0 +1,43 @@ +From 06d712d297649f48ebf1381d19bd24e942813b37 Mon Sep 17 00:00:00 2001 +From: Yu Kuai +Date: Wed, 10 Sep 2025 14:30:45 +0800 +Subject: blk-crypto: fix missing blktrace bio split events + +From: Yu Kuai + +commit 06d712d297649f48ebf1381d19bd24e942813b37 upstream. + +trace_block_split() is missing, resulting in blktrace inability to catch +BIO split events and making it harder to analyze the BIO sequence. + +Cc: stable@vger.kernel.org +Fixes: 488f6682c832 ("block: blk-crypto-fallback for Inline Encryption") +Signed-off-by: Yu Kuai +Reviewed-by: Bart Van Assche +Reviewed-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-crypto-fallback.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/block/blk-crypto-fallback.c ++++ b/block/blk-crypto-fallback.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + #include "blk-cgroup.h" + #include "blk-crypto-internal.h" +@@ -231,7 +232,9 @@ static bool blk_crypto_fallback_split_bi + bio->bi_status = BLK_STS_RESOURCE; + return false; + } ++ + bio_chain(split_bio, bio); ++ trace_block_split(split_bio, bio->bi_iter.bi_sector); + submit_bio_noacct(bio); + *bio_ptr = split_bio; + } diff --git a/queue-6.17/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch b/queue-6.17/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch new file mode 100644 index 0000000000..5d16277111 --- /dev/null +++ b/queue-6.17/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch 
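Review bot: The new `trace_block_split(split_bio, bio->bi_iter.bi_sector)` reads the remainder's start sector after bio_chain() but before submit_bio_noacct(bio), and that ordering is load-bearing: once the remainder is submitted it belongs to the lower layers and its iterator may be advanced, so moving the tracepoint one line down would read a racing value. A short comment would stop a later refactor from reordering it: `/* Trace before submitting: bio is the remainder and its iter is only ours until then */`. The argument order appears to mirror the bio_split() path in blk-merge.c (split bio first, then the sector where the remainder now begins), but that file is not in view, so worth confirming. blk_crypto_fallback_split_bio_if_needed starts before this hunk.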
@@ -0,0 +1,71 @@ +From dff4f9ff5d7f289e4545cc936362e01ed3252742 Mon Sep 17 00:00:00 2001 +From: Anderson Nascimento +Date: Mon, 8 Sep 2025 09:49:02 -0300 +Subject: btrfs: avoid potential out-of-bounds in btrfs_encode_fh() + +From: Anderson Nascimento + +commit dff4f9ff5d7f289e4545cc936362e01ed3252742 upstream. + +The function btrfs_encode_fh() does not properly account for the three +cases it handles. + +Before writing to the file handle (fh), the function only returns to the +user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or +BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes). + +However, when a parent exists and the root ID of the parent and the +inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT +(10 dwords, 40 bytes). + +If *max_len is not large enough, this write goes out of bounds because +BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than +BTRFS_FID_SIZE_CONNECTABLE originally returned. + +This results in an 8-byte out-of-bounds write at +fid->parent_root_objectid = parent_root_id. + +A previous attempt to fix this issue was made but was lost. + +https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/ + +Although this issue does not seem to be easily triggerable, it is a +potential memory corruption bug that should be fixed. This patch +resolves the issue by ensuring the function returns the appropriate size +for all three cases and validates that *max_len is large enough before +writing any data. 
+ +Fixes: be6e8dc0ba84 ("NFS support for btrfs - v3") +CC: stable@vger.kernel.org # 3.0+ +Signed-off-by: Anderson Nascimento +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/export.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/export.c ++++ b/fs/btrfs/export.c +@@ -23,7 +23,11 @@ static int btrfs_encode_fh(struct inode + int type; + + if (parent && (len < BTRFS_FID_SIZE_CONNECTABLE)) { +- *max_len = BTRFS_FID_SIZE_CONNECTABLE; ++ if (btrfs_root_id(BTRFS_I(inode)->root) != ++ btrfs_root_id(BTRFS_I(parent)->root)) ++ *max_len = BTRFS_FID_SIZE_CONNECTABLE_ROOT; ++ else ++ *max_len = BTRFS_FID_SIZE_CONNECTABLE; + return FILEID_INVALID; + } else if (len < BTRFS_FID_SIZE_NON_CONNECTABLE) { + *max_len = BTRFS_FID_SIZE_NON_CONNECTABLE; +@@ -45,6 +49,8 @@ static int btrfs_encode_fh(struct inode + parent_root_id = btrfs_root_id(BTRFS_I(parent)->root); + + if (parent_root_id != fid->root_objectid) { ++ if (*max_len < BTRFS_FID_SIZE_CONNECTABLE_ROOT) ++ return FILEID_INVALID; + fid->parent_root_objectid = parent_root_id; + len = BTRFS_FID_SIZE_CONNECTABLE_ROOT; + type = FILEID_BTRFS_WITH_PARENT_ROOT; diff --git a/queue-6.17/bus-mhi-ep-fix-chained-transfer-handling-in-read-path.patch b/queue-6.17/bus-mhi-ep-fix-chained-transfer-handling-in-read-path.patch new file mode 100644 index 0000000000..cbc11c6ae8 --- /dev/null +++ b/queue-6.17/bus-mhi-ep-fix-chained-transfer-handling-in-read-path.patch 
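Review bot: The new `if (*max_len < BTRFS_FID_SIZE_CONNECTABLE_ROOT) return FILEID_INVALID;` in the second hunk bails out without updating `*max_len`, unlike the two earlier FILEID_INVALID paths in the first hunk, which report the size actually required. A caller that passed exactly BTRFS_FID_SIZE_CONNECTABLE dwords (enough to pass the first check) for an inode whose parent sits in a different root therefore gets FILEID_INVALID with its own length echoed back and cannot learn that ten dwords are needed; if it follows the usual exportfs convention of retrying with the reported size, it never makes progress. Adding `*max_len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;` before that `return FILEID_INVALID;` closes the gap while keeping the out-of-bounds store to fid->parent_root_objectid guarded. The stores to fid->objectid, root_objectid, gen, parent_objectid and parent_gen that precede the check stay in bounds on that path, since len is already at least BTRFS_FID_SIZE_CONNECTABLE there. The rest of btrfs_encode_fh, including the final `*max_len = len` on the success path, lies outside the hunk.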
@@ -0,0 +1,128 @@ +From f5225a34bd8f9f64eec37f6ae1461289aaa3eb86 Mon Sep 17 00:00:00 2001 +From: Sumit Kumar +Date: Wed, 10 Sep 2025 18:11:09 +0530 +Subject: bus: mhi: ep: Fix chained transfer handling in read path + +From: Sumit Kumar + +commit f5225a34bd8f9f64eec37f6ae1461289aaa3eb86 upstream. + +The mhi_ep_read_channel function incorrectly assumes the End of Transfer +(EOT) bit is present for each packet in a chained transactions, causing +it to advance mhi_chan->rd_offset beyond wr_offset during host-to-device +transfers when EOT has not yet arrived. This leads to access of unmapped +host memory, causing IOMMU faults and processing of stale TREs. + +Modify the loop condition to ensure mhi_queue is not empty, allowing the +function to process only valid TREs up to the current write pointer to +prevent premature reads and ensure safe traversal of chained TREs. + +Due to this change, buf_left needs to be removed from the while loop +condition to avoid exiting prematurely before reading the ring completely, +and also remove write_offset since it will always be zero because the new +cache buffer is allocated every time. 
+ +Fixes: 5301258899773 ("bus: mhi: ep: Add support for reading from the host") +Co-developed-by: Akhil Vinod +Signed-off-by: Akhil Vinod +Signed-off-by: Sumit Kumar +[mani: reworded description slightly] +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Krishna Chaitanya Chundru +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250910-final_chained-v3-1-ec77c9d88ace@oss.qualcomm.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/mhi/ep/main.c | 37 ++++++++++++------------------------- + 1 file changed, 12 insertions(+), 25 deletions(-) + +--- a/drivers/bus/mhi/ep/main.c ++++ b/drivers/bus/mhi/ep/main.c +@@ -403,17 +403,13 @@ static int mhi_ep_read_channel(struct mh + { + struct mhi_ep_chan *mhi_chan = &mhi_cntrl->mhi_chan[ring->ch_id]; + struct device *dev = &mhi_cntrl->mhi_dev->dev; +- size_t tr_len, read_offset, write_offset; ++ size_t tr_len, read_offset; + struct mhi_ep_buf_info buf_info = {}; + u32 len = MHI_EP_DEFAULT_MTU; + struct mhi_ring_element *el; +- bool tr_done = false; + void *buf_addr; +- u32 buf_left; + int ret; + +- buf_left = len; +- + do { + /* Don't process the transfer ring if the channel is not in RUNNING state */ + if (mhi_chan->state != MHI_CH_STATE_RUNNING) { +@@ -426,24 +422,23 @@ static int mhi_ep_read_channel(struct mh + /* Check if there is data pending to be read from previous read operation */ + if (mhi_chan->tre_bytes_left) { + dev_dbg(dev, "TRE bytes remaining: %u\n", mhi_chan->tre_bytes_left); +- tr_len = min(buf_left, mhi_chan->tre_bytes_left); ++ tr_len = min(len, mhi_chan->tre_bytes_left); + } else { + mhi_chan->tre_loc = MHI_TRE_DATA_GET_PTR(el); + mhi_chan->tre_size = MHI_TRE_DATA_GET_LEN(el); + mhi_chan->tre_bytes_left = mhi_chan->tre_size; + +- tr_len = min(buf_left, mhi_chan->tre_size); ++ tr_len = min(len, mhi_chan->tre_size); + } + + read_offset = mhi_chan->tre_size - mhi_chan->tre_bytes_left; +- write_offset = len - buf_left; + + buf_addr = kmem_cache_zalloc(mhi_cntrl->tre_buf_cache, GFP_KERNEL); + 
if (!buf_addr) + return -ENOMEM; + + buf_info.host_addr = mhi_chan->tre_loc + read_offset; +- buf_info.dev_addr = buf_addr + write_offset; ++ buf_info.dev_addr = buf_addr; + buf_info.size = tr_len; + buf_info.cb = mhi_ep_read_completion; + buf_info.cb_buf = buf_addr; +@@ -459,16 +454,12 @@ static int mhi_ep_read_channel(struct mh + goto err_free_buf_addr; + } + +- buf_left -= tr_len; + mhi_chan->tre_bytes_left -= tr_len; + +- if (!mhi_chan->tre_bytes_left) { +- if (MHI_TRE_DATA_GET_IEOT(el)) +- tr_done = true; +- ++ if (!mhi_chan->tre_bytes_left) + mhi_chan->rd_offset = (mhi_chan->rd_offset + 1) % ring->ring_size; +- } +- } while (buf_left && !tr_done); ++ /* Read until the some buffer is left or the ring becomes not empty */ ++ } while (!mhi_ep_queue_is_empty(mhi_chan->mhi_dev, DMA_TO_DEVICE)); + + return 0; + +@@ -502,15 +493,11 @@ static int mhi_ep_process_ch_ring(struct + mhi_chan->xfer_cb(mhi_chan->mhi_dev, &result); + } else { + /* UL channel */ +- do { +- ret = mhi_ep_read_channel(mhi_cntrl, ring); +- if (ret < 0) { +- dev_err(&mhi_chan->mhi_dev->dev, "Failed to read channel\n"); +- return ret; +- } +- +- /* Read until the ring becomes empty */ +- } while (!mhi_ep_queue_is_empty(mhi_chan->mhi_dev, DMA_TO_DEVICE)); ++ ret = mhi_ep_read_channel(mhi_cntrl, ring); ++ if (ret < 0) { ++ dev_err(&mhi_chan->mhi_dev->dev, "Failed to read channel\n"); ++ return ret; ++ } + } + + return 0; diff --git a/queue-6.17/bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch b/queue-6.17/bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch new file mode 100644 index 0000000000..a45e918e71 --- /dev/null +++ b/queue-6.17/bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch 
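Review bot: The new loop-exit comment `/* Read until the some buffer is left or the ring becomes not empty */` contradicts the condition under it, which keeps iterating while `!mhi_ep_queue_is_empty(...)` — that is, until the ring is empty — and its "some buffer is left" clause refers to the buf_left bound this very patch removes. Replace it with `/* Keep reading until the ring is empty, i.e. rd_offset has caught up with the host's write pointer */`, hedged on the exact comparison mhi_ep_queue_is_empty performs since it is not in the hunk. It is also worth stating in that comment that, with buf_left gone, the loop is now bounded only by the host-controlled write pointer; that was previously the role of the outer do/while in mhi_ep_process_ch_ring that the third hunk drops, so the bound has moved rather than disappeared. mhi_ep_read_channel's body begins before the hunk and the lookup of `el` sits in an elided context run.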
@@ -0,0 +1,53 @@ +From d0856a6dff57f95cc5d2d74e50880f01697d0cc4 Mon Sep 17 00:00:00 2001 +From: Adam Xue +Date: Fri, 5 Sep 2025 10:41:18 -0700 +Subject: bus: mhi: host: Do not use uninitialized 'dev' pointer in mhi_init_irq_setup() + +From: Adam Xue + +commit d0856a6dff57f95cc5d2d74e50880f01697d0cc4 upstream. + +In mhi_init_irq_setup, the device pointer used for dev_err() was not +initialized. Use the pointer from mhi_cntrl instead. + +Fixes: b0fc0167f254 ("bus: mhi: core: Allow shared IRQ for event rings") +Fixes: 3000f85b8f47 ("bus: mhi: core: Add support for basic PM operations") +Signed-off-by: Adam Xue +[mani: reworded subject/description and CCed stable] +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Krishna Chaitanya Chundru +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250905174118.38512-1-zxue@semtech.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/mhi/host/init.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/bus/mhi/host/init.c ++++ b/drivers/bus/mhi/host/init.c +@@ -194,7 +194,6 @@ static void mhi_deinit_free_irq(struct m + static int mhi_init_irq_setup(struct mhi_controller *mhi_cntrl) + { + struct mhi_event *mhi_event = mhi_cntrl->mhi_event; +- struct device *dev = &mhi_cntrl->mhi_dev->dev; + unsigned long irq_flags = IRQF_SHARED | IRQF_NO_SUSPEND; + int i, ret; + +@@ -221,7 +220,7 @@ static int mhi_init_irq_setup(struct mhi + continue; + + if (mhi_event->irq >= mhi_cntrl->nr_irqs) { +- dev_err(dev, "irq %d not available for event ring\n", ++ dev_err(mhi_cntrl->cntrl_dev, "irq %d not available for event ring\n", + mhi_event->irq); + ret = -EINVAL; + goto error_request; +@@ -232,7 +231,7 @@ static int mhi_init_irq_setup(struct mhi + irq_flags, + "mhi", mhi_event); + if (ret) { +- dev_err(dev, "Error requesting irq:%d for ev:%d\n", ++ dev_err(mhi_cntrl->cntrl_dev, "Error requesting irq:%d for ev:%d\n", + mhi_cntrl->irq[mhi_event->irq], i); + goto error_request; + } 
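Review bot: Inlining `mhi_cntrl->cntrl_dev` into both dev_err() calls pushes the first one to roughly 95 columns at three tab stops and changes three lines where one would do; the smaller fix is to turn the removed declaration into `struct device *dev = mhi_cntrl->cntrl_dev;` and leave the two dev_err() lines untouched. That keeps the local-`dev` shape the function already had, which the rest of init.c appears to use for its dev_err()/dev_dbg() calls (not visible here, so worth confirming). The fix itself is sound either way: mhi_dev is presumably still NULL at this point of controller registration, so the old `&mhi_cntrl->mhi_dev->dev` produced a bogus pointer that the first error path then dereferenced. mhi_init_irq_setup starts before and continues after the hunk.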
diff --git a/queue-6.17/series b/queue-6.17/series
index 077ce84981..68900406b6 100644
--- a/queue-6.17/series
+++ b/queue-6.17/series
@@ -192,3 +192,7 @@ drm-xe-uapi-loosen-used-tracking-restriction.patch
 drm-amd-display-incorrect-mirror-cositing.patch
 drm-amd-display-enable-dynamic-dtbclk-switch.patch
 drm-amd-display-fix-unsafe-uses-of-kernel-mode-fpu.patch
+blk-crypto-fix-missing-blktrace-bio-split-events.patch
+btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch
+bus-mhi-ep-fix-chained-transfer-handling-in-read-path.patch
+bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch
-- 
2.47.3