From: Greg Kroah-Hartman Date: Mon, 24 Nov 2025 13:43:10 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v6.6.118~32 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1df4f1068d4458fdd016b6d0fc4cd790976f8abd;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: input-cros_ec_keyb-fix-an-invalid-memory-access.patch mips-malta-fix-eva-soc-it-pci-mmio.patch scsi-sg-do-not-sleep-in-atomic-context.patch scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch --- diff --git a/queue-5.4/input-cros_ec_keyb-fix-an-invalid-memory-access.patch b/queue-5.4/input-cros_ec_keyb-fix-an-invalid-memory-access.patch new file mode 100644 index 0000000000..e95f90179b --- /dev/null +++ b/queue-5.4/input-cros_ec_keyb-fix-an-invalid-memory-access.patch @@ -0,0 +1,53 @@ +From e08969c4d65ac31297fcb4d31d4808c789152f68 Mon Sep 17 00:00:00 2001 +From: Tzung-Bi Shih +Date: Tue, 4 Nov 2025 07:03:10 +0000 +Subject: Input: cros_ec_keyb - fix an invalid memory access + +From: Tzung-Bi Shih + +commit e08969c4d65ac31297fcb4d31d4808c789152f68 upstream. + +If cros_ec_keyb_register_matrix() isn't called (due to +`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains +NULL. An invalid memory access is observed in cros_ec_keyb_process() +when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work() +in such case. + + Unable to handle kernel read from unreadable memory at virtual address 0000000000000028 + ... + x3 : 0000000000000000 x2 : 0000000000000000 + x1 : 0000000000000000 x0 : 0000000000000000 + Call trace: + input_event + cros_ec_keyb_work + blocking_notifier_call_chain + ec_irq_thread + +It's still unknown about why the kernel receives such malformed event, +in any cases, the kernel shouldn't access `ckdev->idev` and friends if +the driver doesn't intend to initialize them. + +Signed-off-by: Tzung-Bi Shih +Link: https://patch.msgid.link/20251104070310.3212712-1-tzungbi@kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/keyboard/cros_ec_keyb.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/input/keyboard/cros_ec_keyb.c ++++ b/drivers/input/keyboard/cros_ec_keyb.c +@@ -244,6 +244,12 @@ static int cros_ec_keyb_work(struct noti + case EC_MKBP_EVENT_KEY_MATRIX: + pm_wakeup_event(ckdev->dev, 0); + ++ if (!ckdev->idev) { ++ dev_warn_once(ckdev->dev, ++ "Unexpected key matrix event\n"); ++ return NOTIFY_OK; ++ } ++ + if (ckdev->ec->event_size != ckdev->cols) { + dev_err(ckdev->dev, + "Discarded incomplete key matrix event.\n"); diff --git a/queue-5.4/mips-malta-fix-eva-soc-it-pci-mmio.patch b/queue-5.4/mips-malta-fix-eva-soc-it-pci-mmio.patch new file mode 100644 index 0000000000..d07dfe674a --- /dev/null +++ b/queue-5.4/mips-malta-fix-eva-soc-it-pci-mmio.patch @@ -0,0 +1,100 @@ +From ebd729fef31620e0bf74cbf8a4c7fda73a2a4e7e Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Mon, 20 Oct 2025 02:11:49 +0100 +Subject: MIPS: Malta: Fix !EVA SOC-it PCI MMIO + +From: Maciej W. Rozycki + +commit ebd729fef31620e0bf74cbf8a4c7fda73a2a4e7e upstream. + +Fix a regression that has caused accesses to the PCI MMIO window to +complete unclaimed in non-EVA configurations with the SOC-it family of +system controllers, preventing PCI devices from working that use MMIO. + +In the non-EVA case PHYS_OFFSET is set to 0, meaning that PCI_BAR0 is +set with an empty mask (and PCI_HEAD4 matches addresses starting from 0 +accordingly). Consequently all addresses are matched for incoming DMA +accesses from PCI. This seems to confuse the system controller's logic +and outgoing bus cycles targeting the PCI MMIO window seem not to make +it to the intended devices. + +This happens as well when a wider mask is used with PCI_BAR0, such as +0x80000000 or 0xe0000000, that makes addresses match that overlap with +the PCI MMIO window, which starts at 0x10000000 in our configuration. + +Set the mask in PCI_BAR0 to 0xf0000000 for non-EVA then, covering the +non-EVA maximum 256 MiB of RAM, which is what YAMON does and which used +to work correctly up to the offending commit. Set PCI_P2SCMSKL to match +PCI_BAR0 as required by the system controller's specification, and match +PCI_P2SCMAPL to PCI_HEAD4 for identity mapping. + +Verified with: + +Core board type/revision = 0x0d (Core74K) / 0x01 +System controller/revision = MIPS SOC-it 101 OCP / 1.3 SDR-FW-4:1 +Processor Company ID/options = 0x01 (MIPS Technologies, Inc.) / 0x1c +Processor ID/revision = 0x97 (MIPS 74Kf) / 0x4c + +for non-EVA and with: + +Core board type/revision = 0x0c (CoreFPGA-5) / 0x00 +System controller/revision = MIPS ROC-it2 / 0.0 FW-1:1 (CLK_unknown) GIC +Processor Company ID/options = 0x01 (MIPS Technologies, Inc.) / 0x00 +Processor ID/revision = 0xa0 (MIPS interAptiv UP) / 0x20 + +for EVA/non-EVA, fixing: + +defxx 0000:00:12.0: assign IRQ: got 10 +defxx: v1.12 2021/03/10 Lawrence V. Stefani and others +0000:00:12.0: Could not read adapter factory MAC address! + +vs: + +defxx 0000:00:12.0: assign IRQ: got 10 +defxx: v1.12 2021/03/10 Lawrence V. Stefani and others +0000:00:12.0: DEFPA at MMIO addr = 0x10142000, IRQ = 10, Hardware addr = 00-00-f8-xx-xx-xx +0000:00:12.0: registered as fddi0 + +for non-EVA and causing no change for EVA. + +Signed-off-by: Maciej W. Rozycki +Fixes: 422dd256642b ("MIPS: Malta: Allow PCI devices DMA to lower 2GB physical") +Cc: stable@vger.kernel.org # v4.9+ +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/mti-malta/malta-init.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +--- a/arch/mips/mti-malta/malta-init.c ++++ b/arch/mips/mti-malta/malta-init.c +@@ -242,16 +242,22 @@ mips_pci_controller: + #endif + + /* +- * Setup the Malta max (2GB) memory for PCI DMA in host bridge +- * in transparent addressing mode. ++ * Set up memory mapping in host bridge for PCI DMA masters, ++ * in transparent addressing mode. For EVA use the Malta ++ * maximum of 2 GiB memory in the alias space at 0x80000000 ++ * as per PHYS_OFFSET. Otherwise use 256 MiB of memory in ++ * the regular space, avoiding mapping the PCI MMIO window ++ * for DMA as it seems to confuse the system controller's ++ * logic, causing PCI MMIO to stop working. + */ +- mask = PHYS_OFFSET | PCI_BASE_ADDRESS_MEM_PREFETCH; +- MSC_WRITE(MSC01_PCI_BAR0, mask); +- MSC_WRITE(MSC01_PCI_HEAD4, mask); ++ mask = PHYS_OFFSET ? PHYS_OFFSET : 0xf0000000; ++ MSC_WRITE(MSC01_PCI_BAR0, ++ mask | PCI_BASE_ADDRESS_MEM_PREFETCH); ++ MSC_WRITE(MSC01_PCI_HEAD4, ++ PHYS_OFFSET | PCI_BASE_ADDRESS_MEM_PREFETCH); + +- mask &= MSC01_PCI_BAR0_SIZE_MSK; + MSC_WRITE(MSC01_PCI_P2SCMSKL, mask); +- MSC_WRITE(MSC01_PCI_P2SCMAPL, mask); ++ MSC_WRITE(MSC01_PCI_P2SCMAPL, PHYS_OFFSET); + + /* Don't handle target retries indefinitely. */ + if ((data & MSC01_PCI_CFG_MAXRTRY_MSK) == diff --git a/queue-5.4/scsi-sg-do-not-sleep-in-atomic-context.patch b/queue-5.4/scsi-sg-do-not-sleep-in-atomic-context.patch new file mode 100644 index 0000000000..d6d73cdf27 --- /dev/null +++ b/queue-5.4/scsi-sg-do-not-sleep-in-atomic-context.patch @@ -0,0 +1,47 @@ +From 90449f2d1e1f020835cba5417234636937dd657e Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 13 Nov 2025 10:16:43 -0800 +Subject: scsi: sg: Do not sleep in atomic context + +From: Bart Van Assche + +commit 90449f2d1e1f020835cba5417234636937dd657e upstream. + +sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may +sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead +of disabled. + +Reported-by: syzbot+c01f8e6e73f20459912e@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-scsi/691560c4.a70a0220.3124cb.001a.GAE@google.com/ +Cc: Hannes Reinecke +Cc: stable@vger.kernel.org +Fixes: 97d27b0dd015 ("scsi: sg: close race condition in sg_remove_sfp_usercontext()") +Signed-off-by: Bart Van Assche +Link: https://patch.msgid.link/20251113181643.1108973-1-bvanassche@acm.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sg.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -2214,9 +2214,17 @@ sg_remove_sfp_usercontext(struct work_st + write_lock_irqsave(&sfp->rq_list_lock, iflags); + while (!list_empty(&sfp->rq_list)) { + srp = list_first_entry(&sfp->rq_list, Sg_request, entry); +- sg_finish_rem_req(srp); + list_del(&srp->entry); ++ write_unlock_irqrestore(&sfp->rq_list_lock, iflags); ++ ++ sg_finish_rem_req(srp); ++ /* ++ * sg_rq_end_io() uses srp->parentfp. Hence, only clear ++ * srp->parentfp after blk_mq_free_request() has been called. ++ */ + srp->parentfp = NULL; ++ ++ write_lock_irqsave(&sfp->rq_list_lock, iflags); + } + write_unlock_irqrestore(&sfp->rq_list_lock, iflags); + diff --git a/queue-5.4/scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch b/queue-5.4/scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch new file mode 100644 index 0000000000..99c29039a6 --- /dev/null +++ b/queue-5.4/scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch @@ -0,0 +1,55 @@ +From e6965188f84a7883e6a0d3448e86b0cf29b24dfc Mon Sep 17 00:00:00 2001 +From: Hamza Mahfooz +Date: Wed, 5 Nov 2025 11:25:46 -0800 +Subject: scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show() + +From: Hamza Mahfooz + +commit e6965188f84a7883e6a0d3448e86b0cf29b24dfc upstream. + +If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we +attempt to dereference it in tcm_loop_tpg_address_show() we will get a +segfault, see below for an example. So, check tl_hba->sh before +dereferencing it. + + Unable to allocate struct scsi_host + BUG: kernel NULL pointer dereference, address: 0000000000000194 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] PREEMPT SMP NOPTI + CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1 + Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024 + RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop] +... + Call Trace: + + configfs_read_iter+0x12d/0x1d0 [configfs] + vfs_read+0x1b5/0x300 + ksys_read+0x6f/0xf0 +... + +Cc: stable@vger.kernel.org +Fixes: 2628b352c3d4 ("tcm_loop: Show address of tpg in configfs") +Signed-off-by: Hamza Mahfooz +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Allen Pais +Link: https://patch.msgid.link/1762370746-6304-1-git-send-email-hamzamahfooz@linux.microsoft.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/loopback/tcm_loop.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/target/loopback/tcm_loop.c ++++ b/drivers/target/loopback/tcm_loop.c +@@ -933,6 +933,9 @@ static ssize_t tcm_loop_tpg_address_show + struct tcm_loop_tpg, tl_se_tpg); + struct tcm_loop_hba *tl_hba = tl_tpg->tl_hba; + ++ if (!tl_hba->sh) ++ return -ENODEV; ++ + return snprintf(page, PAGE_SIZE, "%d:0:%d\n", + tl_hba->sh->host_no, tl_tpg->tl_tpgt); + } diff --git a/queue-5.4/series b/queue-5.4/series index bcf1b18e29..a84610effb 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -159,3 +159,7 @@ isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch be2net-pass-wrb_params-in-case-of-os2bmc.patch +input-cros_ec_keyb-fix-an-invalid-memory-access.patch +scsi-sg-do-not-sleep-in-atomic-context.patch +scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch +mips-malta-fix-eva-soc-it-pci-mmio.patch