5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 Nov 2025 13:43:10 +0000 (14:43 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 Nov 2025 13:43:10 +0000 (14:43 +0100)
added patches:
input-cros_ec_keyb-fix-an-invalid-memory-access.patch
mips-malta-fix-eva-soc-it-pci-mmio.patch
scsi-sg-do-not-sleep-in-atomic-context.patch
scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch

queue-5.4/input-cros_ec_keyb-fix-an-invalid-memory-access.patch [new file with mode: 0644]
queue-5.4/mips-malta-fix-eva-soc-it-pci-mmio.patch [new file with mode: 0644]
queue-5.4/scsi-sg-do-not-sleep-in-atomic-context.patch [new file with mode: 0644]
queue-5.4/scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/input-cros_ec_keyb-fix-an-invalid-memory-access.patch b/queue-5.4/input-cros_ec_keyb-fix-an-invalid-memory-access.patch
new file mode 100644 (file)
index 0000000..e95f901
--- /dev/null
@@ -0,0 +1,53 @@
+From e08969c4d65ac31297fcb4d31d4808c789152f68 Mon Sep 17 00:00:00 2001
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+Date: Tue, 4 Nov 2025 07:03:10 +0000
+Subject: Input: cros_ec_keyb - fix an invalid memory access
+
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+
+commit e08969c4d65ac31297fcb4d31d4808c789152f68 upstream.
+
+If cros_ec_keyb_register_matrix() isn't called (due to
+`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains
+NULL.  An invalid memory access is observed in cros_ec_keyb_process()
+when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()
+in such case.
+
+  Unable to handle kernel read from unreadable memory at virtual address 0000000000000028
+  ...
+  x3 : 0000000000000000 x2 : 0000000000000000
+  x1 : 0000000000000000 x0 : 0000000000000000
+  Call trace:
+  input_event
+  cros_ec_keyb_work
+  blocking_notifier_call_chain
+  ec_irq_thread
+
+It's still unknown about why the kernel receives such malformed event,
+in any cases, the kernel shouldn't access `ckdev->idev` and friends if
+the driver doesn't intend to initialize them.
+
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Link: https://patch.msgid.link/20251104070310.3212712-1-tzungbi@kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/cros_ec_keyb.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/input/keyboard/cros_ec_keyb.c
++++ b/drivers/input/keyboard/cros_ec_keyb.c
+@@ -244,6 +244,12 @@ static int cros_ec_keyb_work(struct noti
+       case EC_MKBP_EVENT_KEY_MATRIX:
+               pm_wakeup_event(ckdev->dev, 0);
++              if (!ckdev->idev) {
++                      dev_warn_once(ckdev->dev,
++                                    "Unexpected key matrix event\n");
++                      return NOTIFY_OK;
++              }
++
+               if (ckdev->ec->event_size != ckdev->cols) {
+                       dev_err(ckdev->dev,
+                               "Discarded incomplete key matrix event.\n");
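Review bot: The new `if (!ckdev->idev)` guard in the `EC_MKBP_EVENT_KEY_MATRIX` case carries no comment saying when `idev` is legitimately NULL, so the next maintainer cannot tell why the check is needed. I would add above it `/* idev is only registered by cros_ec_keyb_register_matrix(); drop matrix events on devices probed without a matrix. */`, which is what the commit message describes. Because `dev_warn_once()` logs only the first occurrence, later malformed events from the EC leave no trace; `dev_warn_ratelimited()` would keep them visible if that matters for diagnosis. The body of cros_ec_keyb_work() starts and continues outside the hunk.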
diff --git a/queue-5.4/mips-malta-fix-eva-soc-it-pci-mmio.patch b/queue-5.4/mips-malta-fix-eva-soc-it-pci-mmio.patch
new file mode 100644 (file)
index 0000000..d07dfe6
--- /dev/null
@@ -0,0 +1,100 @@
+From ebd729fef31620e0bf74cbf8a4c7fda73a2a4e7e Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Mon, 20 Oct 2025 02:11:49 +0100
+Subject: MIPS: Malta: Fix !EVA SOC-it PCI MMIO
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit ebd729fef31620e0bf74cbf8a4c7fda73a2a4e7e upstream.
+
+Fix a regression that has caused accesses to the PCI MMIO window to
+complete unclaimed in non-EVA configurations with the SOC-it family of
+system controllers, preventing PCI devices from working that use MMIO.
+
+In the non-EVA case PHYS_OFFSET is set to 0, meaning that PCI_BAR0 is
+set with an empty mask (and PCI_HEAD4 matches addresses starting from 0
+accordingly).  Consequently all addresses are matched for incoming DMA
+accesses from PCI.  This seems to confuse the system controller's logic
+and outgoing bus cycles targeting the PCI MMIO window seem not to make
+it to the intended devices.
+
+This happens as well when a wider mask is used with PCI_BAR0, such as
+0x80000000 or 0xe0000000, that makes addresses match that overlap with
+the PCI MMIO window, which starts at 0x10000000 in our configuration.
+
+Set the mask in PCI_BAR0 to 0xf0000000 for non-EVA then, covering the
+non-EVA maximum 256 MiB of RAM, which is what YAMON does and which used
+to work correctly up to the offending commit.  Set PCI_P2SCMSKL to match
+PCI_BAR0 as required by the system controller's specification, and match
+PCI_P2SCMAPL to PCI_HEAD4 for identity mapping.
+
+Verified with:
+
+Core board type/revision =      0x0d (Core74K) / 0x01
+System controller/revision =    MIPS SOC-it 101 OCP / 1.3   SDR-FW-4:1
+Processor Company ID/options =  0x01 (MIPS Technologies, Inc.) / 0x1c
+Processor ID/revision =         0x97 (MIPS 74Kf) / 0x4c
+
+for non-EVA and with:
+
+Core board type/revision =      0x0c (CoreFPGA-5) / 0x00
+System controller/revision =    MIPS ROC-it2 / 0.0   FW-1:1 (CLK_unknown) GIC
+Processor Company ID/options =  0x01 (MIPS Technologies, Inc.) / 0x00
+Processor ID/revision =         0xa0 (MIPS interAptiv UP) / 0x20
+
+for EVA/non-EVA, fixing:
+
+defxx 0000:00:12.0: assign IRQ: got 10
+defxx: v1.12 2021/03/10  Lawrence V. Stefani and others
+0000:00:12.0: Could not read adapter factory MAC address!
+
+vs:
+
+defxx 0000:00:12.0: assign IRQ: got 10
+defxx: v1.12 2021/03/10  Lawrence V. Stefani and others
+0000:00:12.0: DEFPA at MMIO addr = 0x10142000, IRQ = 10, Hardware addr = 00-00-f8-xx-xx-xx
+0000:00:12.0: registered as fddi0
+
+for non-EVA and causing no change for EVA.
+
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Fixes: 422dd256642b ("MIPS: Malta: Allow PCI devices DMA to lower 2GB physical")
+Cc: stable@vger.kernel.org # v4.9+
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/mti-malta/malta-init.c |   20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/arch/mips/mti-malta/malta-init.c
++++ b/arch/mips/mti-malta/malta-init.c
+@@ -242,16 +242,22 @@ mips_pci_controller:
+ #endif
+               /*
+-               * Setup the Malta max (2GB) memory for PCI DMA in host bridge
+-               * in transparent addressing mode.
++               * Set up memory mapping in host bridge for PCI DMA masters,
++               * in transparent addressing mode.  For EVA use the Malta
++               * maximum of 2 GiB memory in the alias space at 0x80000000
++               * as per PHYS_OFFSET.  Otherwise use 256 MiB of memory in
++               * the regular space, avoiding mapping the PCI MMIO window
++               * for DMA as it seems to confuse the system controller's
++               * logic, causing PCI MMIO to stop working.
+                */
+-              mask = PHYS_OFFSET | PCI_BASE_ADDRESS_MEM_PREFETCH;
+-              MSC_WRITE(MSC01_PCI_BAR0, mask);
+-              MSC_WRITE(MSC01_PCI_HEAD4, mask);
++              mask = PHYS_OFFSET ? PHYS_OFFSET : 0xf0000000;
++              MSC_WRITE(MSC01_PCI_BAR0,
++                        mask | PCI_BASE_ADDRESS_MEM_PREFETCH);
++              MSC_WRITE(MSC01_PCI_HEAD4,
++                        PHYS_OFFSET | PCI_BASE_ADDRESS_MEM_PREFETCH);
+-              mask &= MSC01_PCI_BAR0_SIZE_MSK;
+               MSC_WRITE(MSC01_PCI_P2SCMSKL, mask);
+-              MSC_WRITE(MSC01_PCI_P2SCMAPL, mask);
++              MSC_WRITE(MSC01_PCI_P2SCMAPL, PHYS_OFFSET);
+               /* Don't handle target retries indefinitely.  */
+               if ((data & MSC01_PCI_CFG_MAXRTRY_MSK) ==
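Review bot: The non-EVA window is written as the bare literal `0xf0000000` in `mask = PHYS_OFFSET ? PHYS_OFFSET : 0xf0000000;`, and both the `MSC01_PCI_BAR0` and `MSC01_PCI_P2SCMSKL` writes depend on it. A named constant, or a trailing comment such as `/* 256 MiB window, stays below PCI MMIO at 0x10000000 */`, would keep the value tied to the reasoning in the block comment. That matters because, per the commit message, a wider mask again lets inbound DMA matching overlap the MMIO window. The surrounding function starts and ends outside the hunk.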
diff --git a/queue-5.4/scsi-sg-do-not-sleep-in-atomic-context.patch b/queue-5.4/scsi-sg-do-not-sleep-in-atomic-context.patch
new file mode 100644 (file)
index 0000000..d6d73cd
--- /dev/null
@@ -0,0 +1,47 @@
+From 90449f2d1e1f020835cba5417234636937dd657e Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Thu, 13 Nov 2025 10:16:43 -0800
+Subject: scsi: sg: Do not sleep in atomic context
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 90449f2d1e1f020835cba5417234636937dd657e upstream.
+
+sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may
+sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead
+of disabled.
+
+Reported-by: syzbot+c01f8e6e73f20459912e@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-scsi/691560c4.a70a0220.3124cb.001a.GAE@google.com/
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: stable@vger.kernel.org
+Fixes: 97d27b0dd015 ("scsi: sg: close race condition in sg_remove_sfp_usercontext()")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20251113181643.1108973-1-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sg.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -2214,9 +2214,17 @@ sg_remove_sfp_usercontext(struct work_st
+       write_lock_irqsave(&sfp->rq_list_lock, iflags);
+       while (!list_empty(&sfp->rq_list)) {
+               srp = list_first_entry(&sfp->rq_list, Sg_request, entry);
+-              sg_finish_rem_req(srp);
+               list_del(&srp->entry);
++              write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
++
++              sg_finish_rem_req(srp);
++              /*
++               * sg_rq_end_io() uses srp->parentfp. Hence, only clear
++               * srp->parentfp after blk_mq_free_request() has been called.
++               */
+               srp->parentfp = NULL;
++
++              write_lock_irqsave(&sfp->rq_list_lock, iflags);
+       }
+       write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
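Review bot: Inside the `while` loop, `sg_finish_rem_req(srp)` and the store `srp->parentfp = NULL` now run with `rq_list_lock` released, and nothing at the unlock says why that is safe. The added comment covers the ordering of the `parentfp` store but not the lock drop; I would add before `write_unlock_irqrestore()` something like `/* srp is off rq_list; drop the lock because sg_finish_rem_req() may sleep. */`. The safety appears to rest on `list_del()` having been moved ahead of the unlock, so that no list walker can reach `srp`. Since the commit named in Fixes: was itself closing a race here, it is worth confirming that no other path still holds a pointer to the request. sg_remove_sfp_usercontext() starts and continues outside the hunk.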
diff --git a/queue-5.4/scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch b/queue-5.4/scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch
new file mode 100644 (file)
index 0000000..99c2903
--- /dev/null
@@ -0,0 +1,55 @@
+From e6965188f84a7883e6a0d3448e86b0cf29b24dfc Mon Sep 17 00:00:00 2001
+From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+Date: Wed, 5 Nov 2025 11:25:46 -0800
+Subject: scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
+
+From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+
+commit e6965188f84a7883e6a0d3448e86b0cf29b24dfc upstream.
+
+If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we
+attempt to dereference it in tcm_loop_tpg_address_show() we will get a
+segfault, see below for an example. So, check tl_hba->sh before
+dereferencing it.
+
+  Unable to allocate struct scsi_host
+  BUG: kernel NULL pointer dereference, address: 0000000000000194
+  #PF: supervisor read access in kernel mode
+  #PF: error_code(0x0000) - not-present page
+  PGD 0 P4D 0
+  Oops: 0000 [#1] PREEMPT SMP NOPTI
+  CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1
+  Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024
+  RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop]
+...
+  Call Trace:
+   <TASK>
+   configfs_read_iter+0x12d/0x1d0 [configfs]
+   vfs_read+0x1b5/0x300
+   ksys_read+0x6f/0xf0
+...
+
+Cc: stable@vger.kernel.org
+Fixes: 2628b352c3d4 ("tcm_loop: Show address of tpg in configfs")
+Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Reviewed-by: Allen Pais <apais@linux.microsoft.com>
+Link: https://patch.msgid.link/1762370746-6304-1-git-send-email-hamzamahfooz@linux.microsoft.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/loopback/tcm_loop.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/target/loopback/tcm_loop.c
++++ b/drivers/target/loopback/tcm_loop.c
+@@ -933,6 +933,9 @@ static ssize_t tcm_loop_tpg_address_show
+                       struct tcm_loop_tpg, tl_se_tpg);
+       struct tcm_loop_hba *tl_hba = tl_tpg->tl_hba;
++      if (!tl_hba->sh)
++              return -ENODEV;
++
+       return snprintf(page, PAGE_SIZE, "%d:0:%d\n",
+                       tl_hba->sh->host_no, tl_tpg->tl_tpgt);
+ }
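Review bot: `tl_hba->sh` is loaded once for the new NULL check and again in the `snprintf()` arguments, with no locking visible in the hunk. If the pointer can be cleared while the configfs attribute is being read (not determinable from these lines), a local copy closes that window: `struct Scsi_Host *sh = tl_hba->sh;`, then `if (!sh) return -ENODEV;` and `sh->host_no` in the format call. A one-line comment such as `/* sh is NULL when host allocation failed in tcm_loop_driver_probe() */` would also explain the check. The opening lines of tcm_loop_tpg_address_show() are outside the hunk.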
index bcf1b18e29318f81071cb09483cdb29ec6033373..a84610effb6ecc9848f6d2476ef70f9663d28837 100644 (file)
@@ -159,3 +159,7 @@ isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch
 hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch
 mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch
 be2net-pass-wrb_params-in-case-of-os2bmc.patch
+input-cros_ec_keyb-fix-an-invalid-memory-access.patch
+scsi-sg-do-not-sleep-in-atomic-context.patch
+scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch
+mips-malta-fix-eva-soc-it-pci-mmio.patch