5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 13 Feb 2026 11:23:39 +0000 (12:23 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 13 Feb 2026 11:23:39 +0000 (12:23 +0100)
added patches:
crypto-octeontx-fix-length-check-to-avoid-truncation-in-ucode_load_store.patch
crypto-omap-allocate-omap_crypto_force_copy-scatterlists-correctly.patch
crypto-virtio-add-spinlock-protection-with-virtqueue-notification.patch
nilfs2-fix-potential-block-overflow-that-cause-system-hang.patch
scsi-qla2xxx-delay-module-unload-while-fabric-scan-in-progress.patch
scsi-qla2xxx-query-fw-again-before-proceeding-with-login.patch

queue-5.10/crypto-octeontx-fix-length-check-to-avoid-truncation-in-ucode_load_store.patch [new file with mode: 0644]
queue-5.10/crypto-omap-allocate-omap_crypto_force_copy-scatterlists-correctly.patch [new file with mode: 0644]
queue-5.10/crypto-virtio-add-spinlock-protection-with-virtqueue-notification.patch [new file with mode: 0644]
queue-5.10/nilfs2-fix-potential-block-overflow-that-cause-system-hang.patch [new file with mode: 0644]
queue-5.10/scsi-qla2xxx-delay-module-unload-while-fabric-scan-in-progress.patch [new file with mode: 0644]
queue-5.10/scsi-qla2xxx-query-fw-again-before-proceeding-with-login.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/crypto-octeontx-fix-length-check-to-avoid-truncation-in-ucode_load_store.patch b/queue-5.10/crypto-octeontx-fix-length-check-to-avoid-truncation-in-ucode_load_store.patch
new file mode 100644 (file)
index 0000000..84a24fd
--- /dev/null
@@ -0,0 +1,38 @@
+From 5565a72b24fa7935a9f30af386e92c8c9dfb23b9 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Wed, 26 Nov 2025 10:46:13 +0100
+Subject: crypto: octeontx - Fix length check to avoid truncation in ucode_load_store
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit 5565a72b24fa7935a9f30af386e92c8c9dfb23b9 upstream.
+
+OTX_CPT_UCODE_NAME_LENGTH limits the microcode name to 64 bytes. If a
+user writes a string of exactly 64 characters, the original code used
+'strlen(buf) > 64' to check the length, but then strscpy() copies only
+63 characters before adding a NUL terminator, silently truncating the
+copied string.
+
+Fix this off-by-one error by using 'count' directly for the length check
+to ensure long names are rejected early and copied without truncation.
+
+Cc: stable@vger.kernel.org
+Fixes: d9110b0b01ff ("crypto: marvell - add support for OCTEON TX CPT engine")
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c
++++ b/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c
+@@ -1337,7 +1337,7 @@ static ssize_t ucode_load_store(struct d
+       int del_grp_idx = -1;
+       int ucode_idx = 0;
+-      if (strlen(buf) > OTX_CPT_UCODE_NAME_LENGTH)
++      if (count >= OTX_CPT_UCODE_NAME_LENGTH)
+               return -EINVAL;
+       eng_grps = container_of(attr, struct otx_cpt_eng_grps, ucode_load_attr);
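Review bot: The new guard `if (count >= OTX_CPT_UCODE_NAME_LENGTH)` in ucode_load_store() tests the raw write length, so whether a trailing newline from the writer counts against the limit depends on parsing that lies outside this hunk. A one-line comment would record why the comparison is `>=` rather than `>`, for example `/* strscpy() needs one byte for the NUL, so at most OTX_CPT_UCODE_NAME_LENGTH - 1 bytes are accepted */`. The strscpy() call itself is not visible here, so its destination size should be checked against this bound in the 5.10 tree.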
diff --git a/queue-5.10/crypto-omap-allocate-omap_crypto_force_copy-scatterlists-correctly.patch b/queue-5.10/crypto-omap-allocate-omap_crypto_force_copy-scatterlists-correctly.patch
new file mode 100644 (file)
index 0000000..0af85f5
--- /dev/null
@@ -0,0 +1,35 @@
+From 1562b1fb7e17c1b3addb15e125c718b2be7f5512 Mon Sep 17 00:00:00 2001
+From: Kees Cook <kees@kernel.org>
+Date: Fri, 6 Feb 2026 19:49:54 -0800
+Subject: crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly
+
+From: Kees Cook <kees@kernel.org>
+
+commit 1562b1fb7e17c1b3addb15e125c718b2be7f5512 upstream.
+
+The existing allocation of scatterlists in omap_crypto_copy_sg_lists()
+was allocating an array of scatterlist pointers, not scatterlist objects,
+resulting in a 4x too small allocation.
+
+Use sizeof(*new_sg) to get the correct object size.
+
+Fixes: 74ed87e7e7f7 ("crypto: omap - add base support library for common routines")
+Signed-off-by: Kees Cook <kees@kernel.org>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/omap-crypto.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/omap-crypto.c
++++ b/drivers/crypto/omap-crypto.c
+@@ -21,7 +21,7 @@ static int omap_crypto_copy_sg_lists(int
+       struct scatterlist *tmp;
+       if (!(flags & OMAP_CRYPTO_FORCE_SINGLE_ENTRY)) {
+-              new_sg = kmalloc_array(n, sizeof(*sg), GFP_KERNEL);
++              new_sg = kmalloc_array(n, sizeof(*new_sg), GFP_KERNEL);
+               if (!new_sg)
+                       return -ENOMEM;
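Review bot: The corrected `kmalloc_array(n, sizeof(*new_sg), GFP_KERNEL)` still relies on the reader knowing that `sg` and `new_sg` have different pointer depths, and both declarations sit outside this hunk. The old form under-allocated the array, and the function presumably fills it afterwards, so a short comment at the allocation would guard against the same slip, e.g. `/* n scatterlist entries, not n pointers: size by *new_sg */`. Running this path with KASAN enabled and OMAP_CRYPTO_FORCE_COPY set, where a test setup allows it, would confirm that the backport no longer writes past the allocation.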
diff --git a/queue-5.10/crypto-virtio-add-spinlock-protection-with-virtqueue-notification.patch b/queue-5.10/crypto-virtio-add-spinlock-protection-with-virtqueue-notification.patch
new file mode 100644 (file)
index 0000000..f33168b
--- /dev/null
@@ -0,0 +1,55 @@
+From b505047ffc8057555900d2d3a005d033e6967382 Mon Sep 17 00:00:00 2001
+From: Bibo Mao <maobibo@loongson.cn>
+Date: Tue, 13 Jan 2026 11:05:54 +0800
+Subject: crypto: virtio - Add spinlock protection with virtqueue notification
+
+From: Bibo Mao <maobibo@loongson.cn>
+
+commit b505047ffc8057555900d2d3a005d033e6967382 upstream.
+
+When VM boots with one virtio-crypto PCI device and builtin backend,
+run openssl benchmark command with multiple processes, such as
+  openssl speed -evp aes-128-cbc -engine afalg  -seconds 10 -multi 32
+
+openssl processes will hangup and there is error reported like this:
+ virtio_crypto virtio0: dataq.0:id 3 is not a head!
+
+It seems that the data virtqueue need protection when it is handled
+for virtio done notification. If the spinlock protection is added
+in virtcrypto_done_task(), openssl benchmark with multiple processes
+works well.
+
+Fixes: fed93fb62e05 ("crypto: virtio - Handle dataq logic with tasklet")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bibo Mao <maobibo@loongson.cn>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/virtio/virtio_crypto_core.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/crypto/virtio/virtio_crypto_core.c
++++ b/drivers/crypto/virtio/virtio_crypto_core.c
+@@ -77,15 +77,20 @@ static void virtcrypto_done_task(unsigne
+       struct data_queue *data_vq = (struct data_queue *)data;
+       struct virtqueue *vq = data_vq->vq;
+       struct virtio_crypto_request *vc_req;
++      unsigned long flags;
+       unsigned int len;
++      spin_lock_irqsave(&data_vq->lock, flags);
+       do {
+               virtqueue_disable_cb(vq);
+               while ((vc_req = virtqueue_get_buf(vq, &len)) != NULL) {
++                      spin_unlock_irqrestore(&data_vq->lock, flags);
+                       if (vc_req->alg_cb)
+                               vc_req->alg_cb(vc_req, len);
++                      spin_lock_irqsave(&data_vq->lock, flags);
+               }
+       } while (!virtqueue_enable_cb(vq));
++      spin_unlock_irqrestore(&data_vq->lock, flags);
+ }
+ static void virtcrypto_dataq_callback(struct virtqueue *vq)
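Review bot: The lock is dropped around `vc_req->alg_cb(vc_req, len)` and retaken afterwards, but nothing in virtcrypto_done_task() says why, so a later cleanup could easily end up holding the lock across the callback. A comment above the unlock would make the intent explicit, for example `/* run the completion without data_vq->lock held; the lock only covers the virtqueue accessors */`. Whether alg_cb can re-enter a path that takes the same lock is not visible in this hunk and should be confirmed before relying on that wording. The `virtqueue_enable_cb(vq)` call in the loop condition runs with the lock held, which looks intended and could be mentioned in the same comment.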
diff --git a/queue-5.10/nilfs2-fix-potential-block-overflow-that-cause-system-hang.patch b/queue-5.10/nilfs2-fix-potential-block-overflow-that-cause-system-hang.patch
new file mode 100644 (file)
index 0000000..eb02175
--- /dev/null
@@ -0,0 +1,72 @@
+From ed527ef0c264e4bed6c7b2a158ddf516b17f5f66 Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis <eadavis@qq.com>
+Date: Sat, 20 Dec 2025 03:04:25 +0900
+Subject: nilfs2: Fix potential block overflow that cause system hang
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+commit ed527ef0c264e4bed6c7b2a158ddf516b17f5f66 upstream.
+
+When a user executes the FITRIM command, an underflow can occur when
+calculating nblocks if end_block is too small. Since nblocks is of
+type sector_t, which is u64, a negative nblocks value will become a
+very large positive integer. This ultimately leads to the block layer
+function __blkdev_issue_discard() taking an excessively long time to
+process the bio chain, and the ns_segctor_sem lock remains held for a
+long period. This prevents other tasks from acquiring the ns_segctor_sem
+lock, resulting in the hang reported by syzbot in [1].
+
+If the ending block is too small, typically if it is smaller than 4KiB
+range, depending on the usage of the segment 0, it may be possible to
+attempt a discard request beyond the device size causing the hang.
+
+Exiting successfully and assign the discarded size (0 in this case)
+to range->len.
+
+Although the start and len values in the user input range are too small,
+a conservative strategy is adopted here to safely ignore them, which is
+equivalent to a no-op; it will not perform any trimming and will not
+throw an error.
+
+[1]
+task:segctord state:D stack:28968 pid:6093 tgid:6093  ppid:2 task_flags:0x200040 flags:0x00080000
+Call Trace:
+ rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272
+ nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357
+ nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline]
+ nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684
+
+[ryusuke: corrected part of the commit message about the consequences]
+
+Fixes: 82e11e857be3 ("nilfs2: add nilfs_sufile_trim_fs to trim clean segs")
+Reported-by: syzbot+7eedce5eb281acd832f0@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=7eedce5eb281acd832f0
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/sufile.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/nilfs2/sufile.c
++++ b/fs/nilfs2/sufile.c
+@@ -1091,6 +1091,9 @@ int nilfs_sufile_trim_fs(struct inode *s
+       else
+               end_block = start_block + len - 1;
++      if (end_block < nilfs->ns_first_data_block)
++              goto out;
++
+       segnum = nilfs_get_segnum_of_block(nilfs, start_block);
+       segnum_end = nilfs_get_segnum_of_block(nilfs, end_block);
+@@ -1188,6 +1191,7 @@ int nilfs_sufile_trim_fs(struct inode *s
+ out_sem:
+       up_read(&NILFS_MDT(sufile)->mi_sem);
++out:
+       range->len = ndiscarded << nilfs->ns_blocksize_bits;
+       return ret;
+ }
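Review bot: The new `out:` label sits after `up_read(&NILFS_MDT(sufile)->mi_sem)`, so the early `goto out` is only correct if the `end_block < nilfs->ns_first_data_block` check runs before the semaphore is taken. The down_read() call is outside both hunks and should be checked in the 5.10 tree, where the surrounding context may differ from upstream. The same path relies on `ret` and `ndiscarded` already holding 0 when the jump is taken, which is also not visible here. A comment at the check would document the no-op behaviour, e.g. `/* range ends before the first data block: nothing to trim, report 0 bytes */`.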
diff --git a/queue-5.10/scsi-qla2xxx-delay-module-unload-while-fabric-scan-in-progress.patch b/queue-5.10/scsi-qla2xxx-delay-module-unload-while-fabric-scan-in-progress.patch
new file mode 100644 (file)
index 0000000..b783cc4
--- /dev/null
@@ -0,0 +1,70 @@
+From 8890bf450e0b6b283f48ac619fca5ac2f14ddd62 Mon Sep 17 00:00:00 2001
+From: Anil Gurumurthy <agurumurthy@marvell.com>
+Date: Wed, 10 Dec 2025 15:45:59 +0530
+Subject: scsi: qla2xxx: Delay module unload while fabric scan in progress
+
+From: Anil Gurumurthy <agurumurthy@marvell.com>
+
+commit 8890bf450e0b6b283f48ac619fca5ac2f14ddd62 upstream.
+
+System crash seen during load/unload test in a loop.
+
+[105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086
+[105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0
+[105954.384921] R13: ffff914605f86910 R14: 0000000000008010 R15: 00000000ddb7c000
+[105954.384923] FS:  0000000000000000(0000) GS:ffff9163fec40000(0000) knlGS:0000000000000000
+[105954.384925] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[105954.384926] CR2: 000055d31ce1d6a0 CR3: 0000000119f5e001 CR4: 0000000000770ee0
+[105954.384928] PKRU: 55555554
+[105954.384929] Call Trace:
+[105954.384931]  <IRQ>
+[105954.384934]  qla24xx_sp_unmap+0x1f3/0x2a0 [qla2xxx]
+[105954.384962]  ? qla_async_scan_sp_done+0x114/0x1f0 [qla2xxx]
+[105954.384980]  ? qla24xx_els_ct_entry+0x4de/0x760 [qla2xxx]
+[105954.384999]  ? __wake_up_common+0x80/0x190
+[105954.385004]  ? qla24xx_process_response_queue+0xc2/0xaa0 [qla2xxx]
+[105954.385023]  ? qla24xx_msix_rsp_q+0x44/0xb0 [qla2xxx]
+[105954.385040]  ? __handle_irq_event_percpu+0x3d/0x190
+[105954.385044]  ? handle_irq_event+0x58/0xb0
+[105954.385046]  ? handle_edge_irq+0x93/0x240
+[105954.385050]  ? __common_interrupt+0x41/0xa0
+[105954.385055]  ? common_interrupt+0x3e/0xa0
+[105954.385060]  ? asm_common_interrupt+0x22/0x40
+
+The root cause of this was that there was a free (dma_free_attrs) in the
+interrupt context.  There was a device discovery/fabric scan in
+progress.  A module unload was issued which set the UNLOADING flag.  As
+part of the discovery, after receiving an interrupt a work queue was
+scheduled (which involved a work to be queued).  Since the UNLOADING
+flag is set, the work item was not allocated and the mapped memory had
+to be freed.  The free occurred in interrupt context leading to system
+crash.  Delay the driver unload until the fabric scan is complete to
+avoid the crash.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/all/202512090414.07Waorz0-lkp@intel.com/
+Fixes: 783e0dc4f66a ("qla2xxx: Check for device state before unloading the driver.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Anil Gurumurthy <agurumurthy@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com>
+Link: https://patch.msgid.link/20251210101604.431868-8-njavali@marvell.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_os.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -1162,7 +1162,8 @@ qla2x00_wait_for_hba_ready(scsi_qla_host
+       while ((qla2x00_reset_active(vha) || ha->dpc_active ||
+               ha->flags.mbox_busy) ||
+              test_bit(FX00_RESET_RECOVERY, &vha->dpc_flags) ||
+-             test_bit(FX00_TARGET_SCAN, &vha->dpc_flags)) {
++             test_bit(FX00_TARGET_SCAN, &vha->dpc_flags) ||
++             (vha->scan.scan_flags & SF_SCANNING)) {
+               if (test_bit(UNLOADING, &base_vha->dpc_flags))
+                       break;
+               msleep(1000);
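Review bot: The added `(vha->scan.scan_flags & SF_SCANNING)` term only holds the loop while UNLOADING is clear, because the body breaks out as soon as `test_bit(UNLOADING, &base_vha->dpc_flags)` is true. The commit message describes a crash after a module unload had set that flag, so the ordering between setting UNLOADING and calling qla2x00_wait_for_hba_ready() should be confirmed; it is not visible in this hunk. scan_flags is also read with a plain load next to the test_bit() reads, and if it is written under a lock elsewhere, `READ_ONCE(vha->scan.scan_flags) & SF_SCANNING` would state the intent. The loop shows no upper bound, so a scan that never clears SF_SCANNING would keep the caller in one-second sleeps; the function continues outside the hunk.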
diff --git a/queue-5.10/scsi-qla2xxx-query-fw-again-before-proceeding-with-login.patch b/queue-5.10/scsi-qla2xxx-query-fw-again-before-proceeding-with-login.patch
new file mode 100644 (file)
index 0000000..559a899
--- /dev/null
@@ -0,0 +1,92 @@
+From 42b2dab4340d39b71334151e10c6d7d9b0040ffa Mon Sep 17 00:00:00 2001
+From: Anil Gurumurthy <agurumurthy@marvell.com>
+Date: Wed, 10 Dec 2025 15:46:02 +0530
+Subject: scsi: qla2xxx: Query FW again before proceeding with login
+
+From: Anil Gurumurthy <agurumurthy@marvell.com>
+
+commit 42b2dab4340d39b71334151e10c6d7d9b0040ffa upstream.
+
+Issue occurred during a continuous reboot test of several thousand
+iterations specific to a fabric topo with dual mode target where it
+sends a PLOGI/PRLI and then sends a LOGO. The initiator was also in the
+process of discovery and sent a PLOGI to the switch. It then queried a
+list of ports logged in via mbx 75h and the GPDB response indicated that
+the target was logged in. This caused a mismatch in the states between
+the driver and FW.  Requery the FW for the state and proceed with the
+rest of discovery process.
+
+Fixes: a4239945b8ad ("scsi: qla2xxx: Add switch command to simplify fabric discovery")
+Cc: stable@vger.kernel.org
+Signed-off-by: Anil Gurumurthy <agurumurthy@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com>
+Link: https://patch.msgid.link/20251210101604.431868-11-njavali@marvell.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_init.c |   19 +++++++++++++++++--
+ drivers/scsi/qla2xxx/qla_isr.c  |   19 +++++++++++++++++--
+ 2 files changed, 34 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -2082,8 +2082,23 @@ qla24xx_handle_plogi_done_event(struct s
+           ea->sp->gen1, fcport->rscn_gen,
+           ea->data[0], ea->data[1], ea->iop[0], ea->iop[1]);
+-      if ((fcport->fw_login_state == DSC_LS_PLOGI_PEND) ||
+-          (fcport->fw_login_state == DSC_LS_PRLI_PEND)) {
++      if (fcport->fw_login_state == DSC_LS_PLOGI_PEND) {
++              ql_dbg(ql_dbg_disc, vha, 0x20ea,
++                  "%s %d %8phC Remote is trying to login\n",
++                  __func__, __LINE__, fcport->port_name);
++              /*
++               * If we get here, there is port thats already logged in,
++               * but it's state has not moved ahead. Recheck with FW on
++               * what state it is in and proceed ahead
++               */
++              if (!N2N_TOPO(vha->hw)) {
++                      fcport->fw_login_state = DSC_LS_PRLI_COMP;
++                      qla24xx_post_gpdb_work(vha, fcport, 0);
++              }
++              return;
++      }
++
++      if (fcport->fw_login_state == DSC_LS_PRLI_PEND) {
+               ql_dbg(ql_dbg_disc, vha, 0x20ea,
+                   "%s %d %8phC Remote is trying to login\n",
+                   __func__, __LINE__, fcport->port_name);
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -1367,13 +1367,28 @@ skip_rio:
+                       /* Port logout */
+                       fcport = qla2x00_find_fcport_by_loopid(vha, mb[1]);
+-                      if (!fcport)
++                      if (!fcport) {
++                              ql_dbg(ql_dbg_async, vha, 0x5011,
++                                      "Could not find fcport:%04x %04x %04x\n",
++                                      mb[1], mb[2], mb[3]);
+                               break;
+-                      if (atomic_read(&fcport->state) != FCS_ONLINE)
++                      }
++
++                      if (atomic_read(&fcport->state) != FCS_ONLINE) {
++                              ql_dbg(ql_dbg_async, vha, 0x5012,
++                                      "Port state is not online State:0x%x \n",
++                                      atomic_read(&fcport->state));
++                              ql_dbg(ql_dbg_async, vha, 0x5012,
++                                      "Scheduling session for deletion \n");
++                              fcport->logout_on_delete = 0;
++                              qlt_schedule_sess_for_deletion(fcport);
+                               break;
++                      }
++
+                       ql_dbg(ql_dbg_async, vha, 0x508a,
+                           "Marking port lost loopid=%04x portid=%06x.\n",
+                           fcport->loop_id, fcport->d_id.b24);
++
+                       if (qla_ini_mode_enabled(vha)) {
+                               fcport->logout_on_delete = 0;
+                               qlt_schedule_sess_for_deletion(fcport);
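Review bot: Message id 0x20ea is now used by two different branches of qla24xx_handle_plogi_done_event() with the identical text "Remote is trying to login", and 0x5012 is used for two consecutive ql_dbg() calls in the qla_isr.c hunk, so a log line no longer identifies which path ran. Giving each call its own unused id, and folding the two 0x5012 messages into one, would keep driver traces usable when diagnosing login state mismatches. In the PLOGI_PEND branch `fcport->fw_login_state = DSC_LS_PRLI_COMP;` is assigned before `qla24xx_post_gpdb_work()` has produced an answer; if that is deliberate, the comment should say so. Its wording could also be tightened to `/* The port is already logged in but its state has not advanced; re-query FW for the current state before proceeding. */`. Both functions continue outside the hunks.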
index d92b87ba3fd4823ec83a3f1857c631c2d18e6ba4..eb8f8647918a1211687d9c41851626ba484020c7 100644 (file)
@@ -1 +1,7 @@
 driver-core-enforce-device_lock-for-driver_match_device.patch
+crypto-octeontx-fix-length-check-to-avoid-truncation-in-ucode_load_store.patch
+crypto-omap-allocate-omap_crypto_force_copy-scatterlists-correctly.patch
+crypto-virtio-add-spinlock-protection-with-virtqueue-notification.patch
+nilfs2-fix-potential-block-overflow-that-cause-system-hang.patch
+scsi-qla2xxx-delay-module-unload-while-fabric-scan-in-progress.patch
+scsi-qla2xxx-query-fw-again-before-proceeding-with-login.patch