--- /dev/null
+From 0fcad44a86bdc2b5f202d91ba1eeeee6fceb7b25 Mon Sep 17 00:00:00 2001
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Thu, 17 Apr 2025 10:24:45 -0700
+Subject: bnxt_en: Change FW message timeout warning
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+commit 0fcad44a86bdc2b5f202d91ba1eeeee6fceb7b25 upstream.
+
+The firmware advertises a "hwrm_cmd_max_timeout" value to the driver
+for NVRAM and coredump related functions that can take tens of seconds
+to complete. The driver polls for the operation to complete under
+mutex and may trigger hung task watchdog warning if the wait is too long.
+To warn the user about this, the driver currently prints a warning if
+this advertised value exceeds 40 seconds:
+
+Device requests max timeout of %d seconds, may trigger hung task watchdog
+
+Initially, we chose 40 seconds, well below the kernel's default
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT (120 seconds) to avoid triggering
+the hung task watchdog. But 60 seconds is the timeout on most
+production FW and cannot be reduced further. Change the driver's warning
+threshold to 60 seconds to avoid triggering this warning on all
+production devices. We also print the warning if the value exceeds
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT which may be set to architecture
+specific defaults as low as 10 seconds.
+
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Link: https://patch.msgid.link/20250417172448.1206107-2-michael.chan@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 11 +++++++----
+ drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.h | 2 +-
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -9770,7 +9770,7 @@ static int bnxt_hwrm_ver_get(struct bnxt
+ struct hwrm_ver_get_input *req;
+ u16 fw_maj, fw_min, fw_bld, fw_rsv;
+ u32 dev_caps_cfg, hwrm_ver;
+- int rc, len;
++ int rc, len, max_tmo_secs;
+
+ rc = hwrm_req_init(bp, req, HWRM_VER_GET);
+ if (rc)
+@@ -9843,9 +9843,12 @@ static int bnxt_hwrm_ver_get(struct bnxt
+ bp->hwrm_cmd_max_timeout = le16_to_cpu(resp->max_req_timeout) * 1000;
+ if (!bp->hwrm_cmd_max_timeout)
+ bp->hwrm_cmd_max_timeout = HWRM_CMD_MAX_TIMEOUT;
+- else if (bp->hwrm_cmd_max_timeout > HWRM_CMD_MAX_TIMEOUT)
+- netdev_warn(bp->dev, "Device requests max timeout of %d seconds, may trigger hung task watchdog\n",
+- bp->hwrm_cmd_max_timeout / 1000);
++ max_tmo_secs = bp->hwrm_cmd_max_timeout / 1000;
++ if (bp->hwrm_cmd_max_timeout > HWRM_CMD_MAX_TIMEOUT ||
++ max_tmo_secs > CONFIG_DEFAULT_HUNG_TASK_TIMEOUT) {
++ netdev_warn(bp->dev, "Device requests max timeout of %d seconds, may trigger hung task watchdog (kernel default %ds)\n",
++ max_tmo_secs, CONFIG_DEFAULT_HUNG_TASK_TIMEOUT);
++ }
+
+ if (resp->hwrm_intf_maj_8b >= 1) {
+ bp->hwrm_max_req_len = le16_to_cpu(resp->max_req_win_len);
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.h
+@@ -58,7 +58,7 @@ void hwrm_update_token(struct bnxt *bp,
+
+ #define BNXT_HWRM_MAX_REQ_LEN (bp->hwrm_max_req_len)
+ #define BNXT_HWRM_SHORT_REQ_LEN sizeof(struct hwrm_short_input)
+-#define HWRM_CMD_MAX_TIMEOUT 40000U
++#define HWRM_CMD_MAX_TIMEOUT 60000U
+ #define SHORT_HWRM_CMD_TIMEOUT 20
+ #define HWRM_CMD_TIMEOUT (bp->hwrm_cmd_timeout)
+ #define HWRM_RESET_TIMEOUT ((HWRM_CMD_TIMEOUT) * 4)
--- /dev/null
+From 8ff6175139967cd17b2a62bca4b2de2559942b7e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 23 Apr 2025 18:28:21 +0200
+Subject: bnxt_en: hide CONFIG_DETECT_HUNG_TASK specific code
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 8ff6175139967cd17b2a62bca4b2de2559942b7e upstream.
+
+The CONFIG_DEFAULT_HUNG_TASK_TIMEOUT setting is only available when the
+hung task detection is enabled, otherwise the code now produces a build
+failure:
+
+drivers/net/ethernet/broadcom/bnxt/bnxt.c:10188:21: error: use of undeclared identifier 'CONFIG_DEFAULT_HUNG_TASK_TIMEOUT'
+ 10188 | max_tmo_secs > CONFIG_DEFAULT_HUNG_TASK_TIMEOUT) {
+
+Enclose this warning logic in an #ifdef to ensure this builds.
+
+Fixes: 0fcad44a86bd ("bnxt_en: Change FW message timeout warning")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Michael Chan <michael.chan@broadcom.com>
+Link: https://patch.msgid.link/20250423162827.2189658-1-arnd@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -9844,11 +9844,13 @@ static int bnxt_hwrm_ver_get(struct bnxt
+ if (!bp->hwrm_cmd_max_timeout)
+ bp->hwrm_cmd_max_timeout = HWRM_CMD_MAX_TIMEOUT;
+ max_tmo_secs = bp->hwrm_cmd_max_timeout / 1000;
++#ifdef CONFIG_DETECT_HUNG_TASK
+ if (bp->hwrm_cmd_max_timeout > HWRM_CMD_MAX_TIMEOUT ||
+ max_tmo_secs > CONFIG_DEFAULT_HUNG_TASK_TIMEOUT) {
+ netdev_warn(bp->dev, "Device requests max timeout of %d seconds, may trigger hung task watchdog (kernel default %ds)\n",
+ max_tmo_secs, CONFIG_DEFAULT_HUNG_TASK_TIMEOUT);
+ }
++#endif
+
+ if (resp->hwrm_intf_maj_8b >= 1) {
+ bp->hwrm_max_req_len = le16_to_cpu(resp->max_req_win_len);
--- /dev/null
+From stable+bounces-216258-greg=kroah.com@vger.kernel.org Fri Feb 13 17:12:28 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Feb 2026 11:12:19 -0500
+Subject: bus: fsl-mc: fix use-after-free in driver_override_show()
+To: stable@vger.kernel.org
+Cc: Gui-Dong Han <hanguidong02@gmail.com>, Ioana Ciornei <ioana.ciornei@nxp.com>, "Christophe Leroy (CS GROUP)" <chleroy@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260213161219.3554825-2-sashal@kernel.org>
+
+From: Gui-Dong Han <hanguidong02@gmail.com>
+
+[ Upstream commit 148891e95014b5dc5878acefa57f1940c281c431 ]
+
+The driver_override_show() function reads the driver_override string
+without holding the device_lock. However, driver_override_store() uses
+driver_set_override(), which modifies and frees the string while holding
+the device_lock.
+
+This can result in a concurrent use-after-free if the string is freed
+by the store function while being read by the show function.
+
+Fix this by holding the device_lock around the read operation.
+
+Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
+Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Link: https://lore.kernel.org/r/20251202174438.12658-1-hanguidong02@gmail.com
+Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -201,8 +201,12 @@ static ssize_t driver_override_show(stru
+ struct device_attribute *attr, char *buf)
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
++ ssize_t len;
+
+- return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
++ device_lock(dev);
++ len = sysfs_emit(buf, "%s\n", mc_dev->driver_override);
++ device_unlock(dev);
++ return len;
+ }
+ static DEVICE_ATTR_RW(driver_override);
+
--- /dev/null
+From stable+bounces-216257-greg=kroah.com@vger.kernel.org Fri Feb 13 17:12:24 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Feb 2026 11:12:18 -0500
+Subject: bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show functions
+To: stable@vger.kernel.org
+Cc: Chelsy Ratnawat <chelsyratnawat2001@gmail.com>, Ioana Ciornei <ioana.ciornei@nxp.com>, Christophe Leroy <christophe.leroy@csgroup.eu>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260213161219.3554825-1-sashal@kernel.org>
+
+From: Chelsy Ratnawat <chelsyratnawat2001@gmail.com>
+
+[ Upstream commit a50522c805a6c575c80f41b04706e084d814e116 ]
+
+Use sysfs_emit() instead of snprintf()/sprintf() when writing
+to sysfs buffers, as recommended by the kernel documentation.
+
+Signed-off-by: Chelsy Ratnawat <chelsyratnawat2001@gmail.com>
+Acked-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Link: https://lore.kernel.org/r/20250822124339.1739290-1-chelsyratnawat2001@gmail.com
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Stable-dep-of: 148891e95014 ("bus: fsl-mc: fix use-after-free in driver_override_show()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -175,8 +175,8 @@ static ssize_t modalias_show(struct devi
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
+
+- return sprintf(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor,
+- mc_dev->obj_desc.type);
++ return sysfs_emit(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor,
++ mc_dev->obj_desc.type);
+ }
+ static DEVICE_ATTR_RO(modalias);
+
+@@ -202,7 +202,7 @@ static ssize_t driver_override_show(stru
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
+
+- return snprintf(buf, PAGE_SIZE, "%s\n", mc_dev->driver_override);
++ return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
+ }
+ static DEVICE_ATTR_RW(driver_override);
+
--- /dev/null
+From b8819cb8faec938fa3e3b0023e1839ee52d3af32 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 16 Feb 2026 16:41:21 +0100
+Subject: Revert "driver core: enforce device_lock for driver_match_device()"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+This reverts commit cd0e0a76e40c2e77bcfc88291d00dca22b00158e which is
+commit dc23806a7c47ec5f1293aba407fb69519f976ee0 upstream.
+
+It causes boot regressions on some systems as all of the "fixes" for
+drivers are not properly backported yet. Once that is completed, only
+then can this be applied, if really necessary given the potential for
+explosions, perhaps we might want to wait a few -rc releases first...
+
+Cc: Danilo Krummrich <dakr@kernel.org>
+Cc: Rafael J. Wysocki (Intel) <rafael@kernel.org>
+Cc: Danilo Krummrich <dakr@kernel.org>
+Cc: Gui-Dong Han <hanguidong02@gmail.com>
+Cc: Qiu-ji Chen <chenqiuji666@gmail.com>
+Reported-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/7dfd0e63-a725-4fac-b2a0-f2e621d99d1b@sirena.org.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/base.h | 9 ---------
+ drivers/base/bus.c | 2 +-
+ drivers/base/dd.c | 2 +-
+ 3 files changed, 2 insertions(+), 11 deletions(-)
+
+--- a/drivers/base/base.h
++++ b/drivers/base/base.h
+@@ -165,18 +165,9 @@ void device_set_deferred_probe_reason(co
+ static inline int driver_match_device(const struct device_driver *drv,
+ struct device *dev)
+ {
+- device_lock_assert(dev);
+-
+ return drv->bus->match ? drv->bus->match(dev, drv) : 1;
+ }
+
+-static inline int driver_match_device_locked(const struct device_driver *drv,
+- struct device *dev)
+-{
+- guard(device)(dev);
+- return driver_match_device(drv, dev);
+-}
+-
+ static inline void dev_sync_state(struct device *dev)
+ {
+ if (dev->bus->sync_state)
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -263,7 +263,7 @@ static ssize_t bind_store(struct device_
+ int err = -ENODEV;
+
+ dev = bus_find_device_by_name(bus, NULL, buf);
+- if (dev && driver_match_device_locked(drv, dev)) {
++ if (dev && driver_match_device(drv, dev)) {
+ err = device_driver_attach(drv, dev);
+ if (!err) {
+ /* success */
+--- a/drivers/base/dd.c
++++ b/drivers/base/dd.c
+@@ -1168,7 +1168,7 @@ static int __driver_attach(struct device
+ * is an error.
+ */
+
+- ret = driver_match_device_locked(drv, dev);
++ ret = driver_match_device(drv, dev);
+ if (ret == 0) {
+ /* no match */
+ return 0;
--- /dev/null
+From c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 Mon Sep 17 00:00:00 2001
+From: Anil Gurumurthy <agurumurthy@marvell.com>
+Date: Wed, 10 Dec 2025 15:46:03 +0530
+Subject: scsi: qla2xxx: Fix bsg_done() causing double free
+
+From: Anil Gurumurthy <agurumurthy@marvell.com>
+
+commit c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 upstream.
+
+Kernel panic observed on system,
+
+[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
+[5353358.825194] #PF: supervisor write access in kernel mode
+[5353358.825195] #PF: error_code(0x0002) - not-present page
+[5353358.825196] PGD 100006067 P4D 0
+[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
+[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1
+[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025
+[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10
+[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246
+[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000
+[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000
+[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000
+[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090
+[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000
+[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000
+[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0
+[5353358.825221] PKRU: 55555554
+[5353358.825222] Call Trace:
+[5353358.825223] <TASK>
+[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df
+[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df
+[5353358.825232] ? sg_copy_buffer+0xc8/0x110
+[5353358.825236] ? __die_body.cold+0x8/0xd
+[5353358.825238] ? page_fault_oops+0x134/0x170
+[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110
+[5353358.825244] ? exc_page_fault+0xa8/0x150
+[5353358.825247] ? asm_exc_page_fault+0x22/0x30
+[5353358.825252] ? memcpy_erms+0x6/0x10
+[5353358.825253] sg_copy_buffer+0xc8/0x110
+[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]
+[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]
+
+Most routines in qla_bsg.c call bsg_done() only for success cases.
+However a few invoke it for failure case as well leading to a double
+free. Validate before calling bsg_done().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Anil Gurumurthy <agurumurthy@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com>
+Link: https://patch.msgid.link/20251210101604.431868-12-njavali@marvell.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -1546,8 +1546,9 @@ qla2x00_update_optrom(struct bsg_job *bs
+ ha->optrom_buffer = NULL;
+ ha->optrom_state = QLA_SWAITING;
+ mutex_unlock(&ha->optrom_mutex);
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!rval)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+ return rval;
+ }
+
+@@ -2612,8 +2613,9 @@ qla2x00_manage_host_stats(struct bsg_job
+ sizeof(struct ql_vnd_mng_host_stats_resp));
+
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ return ret;
+ }
+@@ -2702,8 +2704,9 @@ qla2x00_get_host_stats(struct bsg_job *b
+ bsg_job->reply_payload.sg_cnt,
+ data, response_len);
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ kfree(data);
+ host_stat_out:
+@@ -2802,8 +2805,9 @@ reply:
+ bsg_job->reply_payload.sg_cnt, data,
+ response_len);
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ tgt_stat_out:
+ kfree(data);
+@@ -2864,8 +2868,9 @@ qla2x00_manage_host_port(struct bsg_job
+ bsg_job->reply_payload.sg_cnt, &rsp_data,
+ sizeof(struct ql_vnd_mng_host_port_resp));
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ return ret;
+ }
+@@ -3240,7 +3245,8 @@ int qla2x00_mailbox_passthru(struct bsg_
+
+ bsg_job->reply_len = sizeof(*bsg_job->reply);
+ bsg_reply->result = DID_OK << 16;
+- bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len);
+
+ kfree(req_data);
+
--- /dev/null
+scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
+bnxt_en-change-fw-message-timeout-warning.patch
+bnxt_en-hide-config_detect_hung_task-specific-code.patch
+bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
+bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
+revert-driver-core-enforce-device_lock-for-driver_match_device.patch
--- /dev/null
+From b8819cb8faec938fa3e3b0023e1839ee52d3af32 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 16 Feb 2026 16:41:21 +0100
+Subject: Revert "driver core: enforce device_lock for driver_match_device()"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+This reverts commit 8d76b2488eb3cc0717ab81b60622cff4a5f90f79 which is
+commit dc23806a7c47ec5f1293aba407fb69519f976ee0 upstream.
+
+It causes boot regressions on some systems as all of the "fixes" for
+drivers are not properly backported yet. Once that is completed, only
+then can this be applied, if really necessary given the potential for
+explosions, perhaps we might want to wait a few -rc releases first...
+
+Cc: Danilo Krummrich <dakr@kernel.org>
+Cc: Rafael J. Wysocki (Intel) <rafael@kernel.org>
+Cc: Danilo Krummrich <dakr@kernel.org>
+Cc: Gui-Dong Han <hanguidong02@gmail.com>
+Cc: Qiu-ji Chen <chenqiuji666@gmail.com>
+Reported-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/7dfd0e63-a725-4fac-b2a0-f2e621d99d1b@sirena.org.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/base.h | 9 ---------
+ drivers/base/bus.c | 2 +-
+ drivers/base/dd.c | 2 +-
+ 3 files changed, 2 insertions(+), 11 deletions(-)
+
+--- a/drivers/base/base.h
++++ b/drivers/base/base.h
+@@ -166,18 +166,9 @@ void device_set_deferred_probe_reason(co
+ static inline int driver_match_device(const struct device_driver *drv,
+ struct device *dev)
+ {
+- device_lock_assert(dev);
+-
+ return drv->bus->match ? drv->bus->match(dev, drv) : 1;
+ }
+
+-static inline int driver_match_device_locked(const struct device_driver *drv,
+- struct device *dev)
+-{
+- guard(device)(dev);
+- return driver_match_device(drv, dev);
+-}
+-
+ static inline void dev_sync_state(struct device *dev)
+ {
+ if (dev->bus->sync_state)
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -263,7 +263,7 @@ static ssize_t bind_store(struct device_
+ int err = -ENODEV;
+
+ dev = bus_find_device_by_name(bus, NULL, buf);
+- if (dev && driver_match_device_locked(drv, dev)) {
++ if (dev && driver_match_device(drv, dev)) {
+ err = device_driver_attach(drv, dev);
+ if (!err) {
+ /* success */
+--- a/drivers/base/dd.c
++++ b/drivers/base/dd.c
+@@ -1170,7 +1170,7 @@ static int __driver_attach(struct device
+ * is an error.
+ */
+
+- ret = driver_match_device_locked(drv, dev);
++ ret = driver_match_device(drv, dev);
+ if (ret == 0) {
+ /* no match */
+ return 0;
--- /dev/null
+From a9a42f0754b6c69525612d678b73da790e28b9fd Mon Sep 17 00:00:00 2001
+From: FUJITA Tomonori <fujita.tomonori@gmail.com>
+Date: Wed, 31 Dec 2025 13:57:28 +0900
+Subject: rust: device: fix broken intra-doc links
+
+From: FUJITA Tomonori <fujita.tomonori@gmail.com>
+
+commit a9a42f0754b6c69525612d678b73da790e28b9fd upstream.
+
+The `pci` module is conditional on CONFIG_PCI. When it's disabled, the
+intra-doc link to `pci::Device` causes rustdoc warnings:
+
+warning: unresolved link to `kernel::pci::Device`
+ --> rust/kernel/device.rs:163:22
+ |
+163 | /// [`pci::Device`]: kernel::pci::Device
+ | ^^^^^^^^^^^^^^^^^^^ no item named `pci` in module `kernel`
+ |
+ = note: `#[warn(rustdoc::broken_intra_doc_links)]` on by default
+
+Fix this by making the documentation conditional on CONFIG_PCI.
+
+Fixes: d6e26c1ae4a6 ("device: rust: expand documentation for Device")
+Signed-off-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
+Reviewed-by: Dirk Behme <dirk.behme@de.bosch.com>
+Link: https://patch.msgid.link/20251231045728.1912024-2-fujita.tomonori@gmail.com
+[ Keep the "such as" part indicating a list of examples; fix typos in
+ commit message. - Danilo ]
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ rust/kernel/device.rs | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/rust/kernel/device.rs
++++ b/rust/kernel/device.rs
+@@ -62,8 +62,9 @@ pub mod property;
+ ///
+ /// # Implementing Bus Devices
+ ///
+-/// This section provides a guideline to implement bus specific devices, such as [`pci::Device`] or
+-/// [`platform::Device`].
++/// This section provides a guideline to implement bus specific devices, such as:
++#[cfg_attr(CONFIG_PCI, doc = "* [`pci::Device`](kernel::pci::Device)")]
++/// * [`platform::Device`]
+ ///
+ /// A bus specific device should be defined as follows.
+ ///
+@@ -155,7 +156,6 @@ pub mod property;
+ ///
+ /// [`AlwaysRefCounted`]: kernel::types::AlwaysRefCounted
+ /// [`impl_device_context_deref`]: kernel::impl_device_context_deref
+-/// [`pci::Device`]: kernel::pci::Device
+ /// [`platform::Device`]: kernel::platform::Device
+ #[repr(transparent)]
+ pub struct Device<Ctx: DeviceContext = Normal>(Opaque<bindings::device>, PhantomData<Ctx>);
--- /dev/null
+From 32cb3840386fd3684fbe8294cfc0a6684417139e Mon Sep 17 00:00:00 2001
+From: FUJITA Tomonori <fujita.tomonori@gmail.com>
+Date: Wed, 31 Dec 2025 13:57:27 +0900
+Subject: rust: dma: fix broken intra-doc links
+
+From: FUJITA Tomonori <fujita.tomonori@gmail.com>
+
+commit 32cb3840386fd3684fbe8294cfc0a6684417139e upstream.
+
+The `pci` module is conditional on CONFIG_PCI. When it's disabled, the
+intra-doc link to `pci::Device` causes rustdoc warnings:
+
+warning: unresolved link to `::kernel::pci::Device`
+ --> rust/kernel/dma.rs:30:70
+ |
+30 | /// where the underlying bus is DMA capable, such as [`pci::Device`](::kernel::pci::Device) or
+ | ^^^^^^^^^^^^^^^^^^^^^ no item named `pci` in module `kernel`
+
+Fix this by making the documentation conditional on CONFIG_PCI.
+
+Fixes: d06d5f66f549 ("rust: dma: implement `dma::Device` trait")
+Signed-off-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
+Reviewed-by: Dirk Behme <dirk.behme@de.bosch.com>
+Link: https://patch.msgid.link/20251231045728.1912024-1-fujita.tomonori@gmail.com
+[ Keep the "such as" part indicating a list of examples; fix typos in
+ commit message. - Danilo ]
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ rust/kernel/dma.rs | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/rust/kernel/dma.rs
++++ b/rust/kernel/dma.rs
+@@ -26,8 +26,9 @@ pub type DmaAddress = bindings::dma_addr
+ /// Trait to be implemented by DMA capable bus devices.
+ ///
+ /// The [`dma::Device`](Device) trait should be implemented by bus specific device representations,
+-/// where the underlying bus is DMA capable, such as [`pci::Device`](::kernel::pci::Device) or
+-/// [`platform::Device`](::kernel::platform::Device).
++/// where the underlying bus is DMA capable, such as:
++#[cfg_attr(CONFIG_PCI, doc = "* [`pci::Device`](kernel::pci::Device)")]
++/// * [`platform::Device`](::kernel::platform::Device)
+ pub trait Device: AsRef<device::Device<Core>> {
+ /// Set up the device's DMA streaming addressing capabilities.
+ ///
--- /dev/null
+From 4c9f6a782f6078dc94450fcb22e65d520bfa0775 Mon Sep 17 00:00:00 2001
+From: Alice Ryhl <aliceryhl@google.com>
+Date: Sat, 27 Dec 2025 15:47:21 +0000
+Subject: rust: driver: fix broken intra-doc links to example driver types
+
+From: Alice Ryhl <aliceryhl@google.com>
+
+commit 4c9f6a782f6078dc94450fcb22e65d520bfa0775 upstream.
+
+The `auxiliary` and `pci` modules are conditional on
+`CONFIG_AUXILIARY_BUS` and `CONFIG_PCI` respectively. When these are
+disabled, the intra-doc links to `auxiliary::Driver` and `pci::Driver`
+break, causing rustdoc warnings (or errors with `-D warnings`).
+
+error: unresolved link to `kernel::auxiliary::Driver`
+ --> rust/kernel/driver.rs:82:28
+ |
+82 | //! [`auxiliary::Driver`]: kernel::auxiliary::Driver
+ | ^^^^^^^^^^^^^^^^^^^^^^^^^ no item named `auxiliary` in module `kernel`
+
+Fix this by making the documentation for these examples conditional on
+the corresponding configuration options.
+
+Fixes: 970a7c68788e ("driver: rust: expand documentation for driver infrastructure")
+Signed-off-by: Alice Ryhl <aliceryhl@google.com>
+Reported-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
+Closes: https://lore.kernel.org/rust-for-linux/20251209.151817.744108529426448097.fujita.tomonori@gmail.com/
+Link: https://patch.msgid.link/20251227-driver-types-v1-1-1916154fbe5e@google.com
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ rust/kernel/driver.rs | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/rust/kernel/driver.rs
++++ b/rust/kernel/driver.rs
+@@ -33,7 +33,14 @@
+ //! }
+ //! ```
+ //!
+-//! For specific examples see [`auxiliary::Driver`], [`pci::Driver`] and [`platform::Driver`].
++//! For specific examples see:
++//!
++//! * [`platform::Driver`](kernel::platform::Driver)
++#"
++)]
++#")]
+ //!
+ //! The `probe()` callback should return a `Result<Pin<KBox<Self>>>`, i.e. the driver's private
+ //! data. The bus abstraction should store the pointer in the corresponding bus device. The generic
+@@ -79,7 +86,6 @@
+ //!
+ //! For this purpose the generic infrastructure in [`device_id`] should be used.
+ //!
+-//! [`auxiliary::Driver`]: kernel::auxiliary::Driver
+ //! [`Core`]: device::Core
+ //! [`Device`]: device::Device
+ //! [`Device<Core>`]: device::Device<device::Core>
+@@ -87,8 +93,6 @@
+ //! [`DeviceContext`]: device::DeviceContext
+ //! [`device_id`]: kernel::device_id
+ //! [`module_driver`]: kernel::module_driver
+-//! [`pci::Driver`]: kernel::pci::Driver
+-//! [`platform::Driver`]: kernel::platform::Driver
+
+ use crate::error::{Error, Result};
+ use crate::{acpi, device, of, str::CStr, try_pin_init, types::Opaque, ThisModule};
--- /dev/null
+From c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 Mon Sep 17 00:00:00 2001
+From: Anil Gurumurthy <agurumurthy@marvell.com>
+Date: Wed, 10 Dec 2025 15:46:03 +0530
+Subject: scsi: qla2xxx: Fix bsg_done() causing double free
+
+From: Anil Gurumurthy <agurumurthy@marvell.com>
+
+commit c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 upstream.
+
+Kernel panic observed on system,
+
+[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
+[5353358.825194] #PF: supervisor write access in kernel mode
+[5353358.825195] #PF: error_code(0x0002) - not-present page
+[5353358.825196] PGD 100006067 P4D 0
+[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
+[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1
+[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025
+[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10
+[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246
+[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000
+[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000
+[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000
+[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090
+[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000
+[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000
+[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0
+[5353358.825221] PKRU: 55555554
+[5353358.825222] Call Trace:
+[5353358.825223] <TASK>
+[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df
+[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df
+[5353358.825232] ? sg_copy_buffer+0xc8/0x110
+[5353358.825236] ? __die_body.cold+0x8/0xd
+[5353358.825238] ? page_fault_oops+0x134/0x170
+[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110
+[5353358.825244] ? exc_page_fault+0xa8/0x150
+[5353358.825247] ? asm_exc_page_fault+0x22/0x30
+[5353358.825252] ? memcpy_erms+0x6/0x10
+[5353358.825253] sg_copy_buffer+0xc8/0x110
+[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]
+[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]
+
+Most routines in qla_bsg.c call bsg_done() only for success cases.
+However a few invoke it for failure case as well leading to a double
+free. Validate before calling bsg_done().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Anil Gurumurthy <agurumurthy@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com>
+Link: https://patch.msgid.link/20251210101604.431868-12-njavali@marvell.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -1546,8 +1546,9 @@ qla2x00_update_optrom(struct bsg_job *bs
+ ha->optrom_buffer = NULL;
+ ha->optrom_state = QLA_SWAITING;
+ mutex_unlock(&ha->optrom_mutex);
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!rval)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+ return rval;
+ }
+
+@@ -2612,8 +2613,9 @@ qla2x00_manage_host_stats(struct bsg_job
+ sizeof(struct ql_vnd_mng_host_stats_resp));
+
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ return ret;
+ }
+@@ -2702,8 +2704,9 @@ qla2x00_get_host_stats(struct bsg_job *b
+ bsg_job->reply_payload.sg_cnt,
+ data, response_len);
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ kfree(data);
+ host_stat_out:
+@@ -2802,8 +2805,9 @@ reply:
+ bsg_job->reply_payload.sg_cnt, data,
+ response_len);
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ tgt_stat_out:
+ kfree(data);
+@@ -2864,8 +2868,9 @@ qla2x00_manage_host_port(struct bsg_job
+ bsg_job->reply_payload.sg_cnt, &rsp_data,
+ sizeof(struct ql_vnd_mng_host_port_resp));
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ return ret;
+ }
+@@ -3240,7 +3245,8 @@ int qla2x00_mailbox_passthru(struct bsg_
+
+ bsg_job->reply_len = sizeof(*bsg_job->reply);
+ bsg_reply->result = DID_OK << 16;
+- bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len);
+
+ kfree(req_data);
+
--- /dev/null
+scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
+rust-device-fix-broken-intra-doc-links.patch
+rust-dma-fix-broken-intra-doc-links.patch
+rust-driver-fix-broken-intra-doc-links-to-example-driver-types.patch
+revert-driver-core-enforce-device_lock-for-driver_match_device.patch
--- /dev/null
+From b8819cb8faec938fa3e3b0023e1839ee52d3af32 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 16 Feb 2026 16:41:21 +0100
+Subject: Revert "driver core: enforce device_lock for driver_match_device()"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+This reverts commit bc82e5f4d7dc8237ae8cabc73aa46fc93c85d98c which is
+commit dc23806a7c47ec5f1293aba407fb69519f976ee0 upstream.
+
+It causes boot regressions on some systems as all of the "fixes" for
+drivers are not properly backported yet. Once that is completed, only
+then can this be applied, if really necessary given the potential for
+explosions, perhaps we might want to wait a few -rc releases first...
+
+Cc: Danilo Krummrich <dakr@kernel.org>
+Cc: Rafael J. Wysocki (Intel) <rafael@kernel.org>
+Cc: Danilo Krummrich <dakr@kernel.org>
+Cc: Gui-Dong Han <hanguidong02@gmail.com>
+Cc: Qiu-ji Chen <chenqiuji666@gmail.com>
+Reported-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/7dfd0e63-a725-4fac-b2a0-f2e621d99d1b@sirena.org.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/base.h | 9 ---------
+ drivers/base/bus.c | 2 +-
+ drivers/base/dd.c | 2 +-
+ 3 files changed, 2 insertions(+), 11 deletions(-)
+
+--- a/drivers/base/base.h
++++ b/drivers/base/base.h
+@@ -182,18 +182,9 @@ void device_set_deferred_probe_reason(co
+ static inline int driver_match_device(const struct device_driver *drv,
+ struct device *dev)
+ {
+- device_lock_assert(dev);
+-
+ return drv->bus->match ? drv->bus->match(dev, drv) : 1;
+ }
+
+-static inline int driver_match_device_locked(const struct device_driver *drv,
+- struct device *dev)
+-{
+- guard(device)(dev);
+- return driver_match_device(drv, dev);
+-}
+-
+ static inline void dev_sync_state(struct device *dev)
+ {
+ if (dev->bus->sync_state)
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -263,7 +263,7 @@ static ssize_t bind_store(struct device_
+ int err = -ENODEV;
+
+ dev = bus_find_device_by_name(bus, NULL, buf);
+- if (dev && driver_match_device_locked(drv, dev)) {
++ if (dev && driver_match_device(drv, dev)) {
+ err = device_driver_attach(drv, dev);
+ if (!err) {
+ /* success */
+--- a/drivers/base/dd.c
++++ b/drivers/base/dd.c
+@@ -1180,7 +1180,7 @@ static int __driver_attach(struct device
+ * is an error.
+ */
+
+- ret = driver_match_device_locked(drv, dev);
++ ret = driver_match_device(drv, dev);
+ if (ret == 0) {
+ /* no match */
+ return 0;
--- /dev/null
+From c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 Mon Sep 17 00:00:00 2001
+From: Anil Gurumurthy <agurumurthy@marvell.com>
+Date: Wed, 10 Dec 2025 15:46:03 +0530
+Subject: scsi: qla2xxx: Fix bsg_done() causing double free
+
+From: Anil Gurumurthy <agurumurthy@marvell.com>
+
+commit c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 upstream.
+
+Kernel panic observed on system,
+
+[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
+[5353358.825194] #PF: supervisor write access in kernel mode
+[5353358.825195] #PF: error_code(0x0002) - not-present page
+[5353358.825196] PGD 100006067 P4D 0
+[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
+[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1
+[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025
+[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10
+[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246
+[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000
+[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000
+[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000
+[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090
+[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000
+[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000
+[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0
+[5353358.825221] PKRU: 55555554
+[5353358.825222] Call Trace:
+[5353358.825223] <TASK>
+[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df
+[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df
+[5353358.825232] ? sg_copy_buffer+0xc8/0x110
+[5353358.825236] ? __die_body.cold+0x8/0xd
+[5353358.825238] ? page_fault_oops+0x134/0x170
+[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110
+[5353358.825244] ? exc_page_fault+0xa8/0x150
+[5353358.825247] ? asm_exc_page_fault+0x22/0x30
+[5353358.825252] ? memcpy_erms+0x6/0x10
+[5353358.825253] sg_copy_buffer+0xc8/0x110
+[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]
+[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]
+
+Most routines in qla_bsg.c call bsg_done() only for success cases.
+However a few invoke it for failure case as well leading to a double
+free. Validate before calling bsg_done().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Anil Gurumurthy <agurumurthy@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com>
+Link: https://patch.msgid.link/20251210101604.431868-12-njavali@marvell.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -1546,8 +1546,9 @@ qla2x00_update_optrom(struct bsg_job *bs
+ ha->optrom_buffer = NULL;
+ ha->optrom_state = QLA_SWAITING;
+ mutex_unlock(&ha->optrom_mutex);
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!rval)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+ return rval;
+ }
+
+@@ -2612,8 +2613,9 @@ qla2x00_manage_host_stats(struct bsg_job
+ sizeof(struct ql_vnd_mng_host_stats_resp));
+
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ return ret;
+ }
+@@ -2702,8 +2704,9 @@ qla2x00_get_host_stats(struct bsg_job *b
+ bsg_job->reply_payload.sg_cnt,
+ data, response_len);
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ kfree(data);
+ host_stat_out:
+@@ -2802,8 +2805,9 @@ reply:
+ bsg_job->reply_payload.sg_cnt, data,
+ response_len);
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ tgt_stat_out:
+ kfree(data);
+@@ -2864,8 +2868,9 @@ qla2x00_manage_host_port(struct bsg_job
+ bsg_job->reply_payload.sg_cnt, &rsp_data,
+ sizeof(struct ql_vnd_mng_host_port_resp));
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ return ret;
+ }
+@@ -3240,7 +3245,8 @@ int qla2x00_mailbox_passthru(struct bsg_
+
+ bsg_job->reply_len = sizeof(*bsg_job->reply);
+ bsg_reply->result = DID_OK << 16;
+- bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len);
+
+ kfree(req_data);
+
--- /dev/null
+scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
+revert-driver-core-enforce-device_lock-for-driver_match_device.patch
--- /dev/null
+From stable+bounces-216262-greg=kroah.com@vger.kernel.org Fri Feb 13 17:24:13 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Feb 2026 11:22:29 -0500
+Subject: bus: fsl-mc: fix use-after-free in driver_override_show()
+To: stable@vger.kernel.org
+Cc: Gui-Dong Han <hanguidong02@gmail.com>, Ioana Ciornei <ioana.ciornei@nxp.com>, "Christophe Leroy (CS GROUP)" <chleroy@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260213162229.3559221-2-sashal@kernel.org>
+
+From: Gui-Dong Han <hanguidong02@gmail.com>
+
+[ Upstream commit 148891e95014b5dc5878acefa57f1940c281c431 ]
+
+The driver_override_show() function reads the driver_override string
+without holding the device_lock. However, driver_override_store() uses
+driver_set_override(), which modifies and frees the string while holding
+the device_lock.
+
+This can result in a concurrent use-after-free if the string is freed
+by the store function while being read by the show function.
+
+Fix this by holding the device_lock around the read operation.
+
+Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
+Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Link: https://lore.kernel.org/r/20251202174438.12658-1-hanguidong02@gmail.com
+Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -201,8 +201,12 @@ static ssize_t driver_override_show(stru
+ struct device_attribute *attr, char *buf)
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
++ ssize_t len;
+
+- return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
++ device_lock(dev);
++ len = sysfs_emit(buf, "%s\n", mc_dev->driver_override);
++ device_unlock(dev);
++ return len;
+ }
+ static DEVICE_ATTR_RW(driver_override);
+
--- /dev/null
+From stable+bounces-216261-greg=kroah.com@vger.kernel.org Fri Feb 13 17:22:36 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Feb 2026 11:22:28 -0500
+Subject: bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show functions
+To: stable@vger.kernel.org
+Cc: Chelsy Ratnawat <chelsyratnawat2001@gmail.com>, Ioana Ciornei <ioana.ciornei@nxp.com>, Christophe Leroy <christophe.leroy@csgroup.eu>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260213162229.3559221-1-sashal@kernel.org>
+
+From: Chelsy Ratnawat <chelsyratnawat2001@gmail.com>
+
+[ Upstream commit a50522c805a6c575c80f41b04706e084d814e116 ]
+
+Use sysfs_emit() instead of snprintf()/sprintf() when writing
+to sysfs buffers, as recommended by the kernel documentation.
+
+Signed-off-by: Chelsy Ratnawat <chelsyratnawat2001@gmail.com>
+Acked-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Link: https://lore.kernel.org/r/20250822124339.1739290-1-chelsyratnawat2001@gmail.com
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Stable-dep-of: 148891e95014 ("bus: fsl-mc: fix use-after-free in driver_override_show()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -175,8 +175,8 @@ static ssize_t modalias_show(struct devi
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
+
+- return sprintf(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor,
+- mc_dev->obj_desc.type);
++ return sysfs_emit(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor,
++ mc_dev->obj_desc.type);
+ }
+ static DEVICE_ATTR_RO(modalias);
+
+@@ -202,7 +202,7 @@ static ssize_t driver_override_show(stru
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
+
+- return snprintf(buf, PAGE_SIZE, "%s\n", mc_dev->driver_override);
++ return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
+ }
+ static DEVICE_ATTR_RW(driver_override);
+
--- /dev/null
+From stable+bounces-216462-greg=kroah.com@vger.kernel.org Sat Feb 14 02:49:31 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Feb 2026 20:49:23 -0500
+Subject: PCI: endpoint: Avoid creating sub-groups asynchronously
+To: stable@vger.kernel.org
+Cc: Liu Song <liu.song13@zte.com.cn>, Manivannan Sadhasivam <mani@kernel.org>, Bjorn Helgaas <bhelgaas@google.com>, stable@kernel.org, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260214014923.3899226-2-sashal@kernel.org>
+
+From: Liu Song <liu.song13@zte.com.cn>
+
+[ Upstream commit 7c5c7d06bd1f86d2c3ebe62be903a4ba42db4d2c ]
+
+The asynchronous creation of sub-groups by a delayed work could lead to a
+NULL pointer dereference when the driver directory is removed before the
+work completes.
+
+The crash can be easily reproduced with the following commands:
+
+ # cd /sys/kernel/config/pci_ep/functions/pci_epf_test
+ # for i in {1..20}; do mkdir test && rmdir test; done
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000088
+ ...
+ Call Trace:
+ configfs_register_group+0x3d/0x190
+ pci_epf_cfs_work+0x41/0x110
+ process_one_work+0x18f/0x350
+ worker_thread+0x25a/0x3a0
+
+Fix this issue by using configfs_add_default_group() API which does not
+have the deadlock problem as configfs_register_group() and does not require
+the delayed work handler.
+
+Fixes: e85a2d783762 ("PCI: endpoint: Add support in configfs to associate two EPCs with EPF")
+Signed-off-by: Liu Song <liu.song13@zte.com.cn>
+[mani: slightly reworded the description and added stable list]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@kernel.org
+Link: https://patch.msgid.link/20250710143845409gLM6JdlwPhlHG9iX3F6jK@zte.com.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/endpoint/pci-ep-cfs.c | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+--- a/drivers/pci/endpoint/pci-ep-cfs.c
++++ b/drivers/pci/endpoint/pci-ep-cfs.c
+@@ -23,7 +23,6 @@ struct pci_epf_group {
+ struct config_group group;
+ struct config_group primary_epc_group;
+ struct config_group secondary_epc_group;
+- struct delayed_work cfs_work;
+ struct pci_epf *epf;
+ int index;
+ };
+@@ -100,7 +99,7 @@ static struct config_group
+ secondary_epc_group = &epf_group->secondary_epc_group;
+ config_group_init_type_name(secondary_epc_group, "secondary",
+ &pci_secondary_epc_type);
+- configfs_register_group(&epf_group->group, secondary_epc_group);
++ configfs_add_default_group(secondary_epc_group, &epf_group->group);
+
+ return secondary_epc_group;
+ }
+@@ -160,7 +159,7 @@ static struct config_group
+
+ config_group_init_type_name(primary_epc_group, "primary",
+ &pci_primary_epc_type);
+- configfs_register_group(&epf_group->group, primary_epc_group);
++ configfs_add_default_group(primary_epc_group, &epf_group->group);
+
+ return primary_epc_group;
+ }
+@@ -561,15 +560,13 @@ static void pci_ep_cfs_add_type_group(st
+ return;
+ }
+
+- configfs_register_group(&epf_group->group, group);
++ configfs_add_default_group(group, &epf_group->group);
+ }
+
+-static void pci_epf_cfs_work(struct work_struct *work)
++static void pci_epf_cfs_add_sub_groups(struct pci_epf_group *epf_group)
+ {
+- struct pci_epf_group *epf_group;
+ struct config_group *group;
+
+- epf_group = container_of(work, struct pci_epf_group, cfs_work.work);
+ group = pci_ep_cfs_add_primary_group(epf_group);
+ if (IS_ERR(group)) {
+ pr_err("failed to create 'primary' EPC interface\n");
+@@ -628,9 +625,7 @@ static struct config_group *pci_epf_make
+
+ kfree(epf_name);
+
+- INIT_DELAYED_WORK(&epf_group->cfs_work, pci_epf_cfs_work);
+- queue_delayed_work(system_wq, &epf_group->cfs_work,
+- msecs_to_jiffies(1));
++ pci_epf_cfs_add_sub_groups(epf_group);
+
+ return &epf_group->group;
+
--- /dev/null
+From stable+bounces-216461-greg=kroah.com@vger.kernel.org Sat Feb 14 02:49:28 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Feb 2026 20:49:22 -0500
+Subject: PCI: endpoint: Remove unused field in struct pci_epf_group
+To: stable@vger.kernel.org
+Cc: "Christophe JAILLET" <christophe.jaillet@wanadoo.fr>, "Krzysztof Wilczyński" <kwilczynski@kernel.org>, "Bjorn Helgaas" <bhelgaas@google.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20260214014923.3899226-1-sashal@kernel.org>
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 328e4dffbeecc0f2cc5a149dee6c11a0577c9671 ]
+
+In "struct pci_epf_group", the 'type_group' field is unused.
+
+This was added, but already unused, by commit 70b3740f2c19 ("PCI: endpoint:
+Automatically create a function specific attributes group").
+
+Thus, remove it.
+
+Found with cppcheck, unusedStructMember.
+
+[kwilczynski: commit log]
+Link: https://lore.kernel.org/linux-pci/6507d44b6c60a19af35a605e2d58050be8872ab6.1712341008.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Stable-dep-of: 7c5c7d06bd1f ("PCI: endpoint: Avoid creating sub-groups asynchronously")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/endpoint/pci-ep-cfs.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/pci/endpoint/pci-ep-cfs.c
++++ b/drivers/pci/endpoint/pci-ep-cfs.c
+@@ -23,7 +23,6 @@ struct pci_epf_group {
+ struct config_group group;
+ struct config_group primary_epc_group;
+ struct config_group secondary_epc_group;
+- struct config_group *type_group;
+ struct delayed_work cfs_work;
+ struct pci_epf *epf;
+ int index;
--- /dev/null
+From b8819cb8faec938fa3e3b0023e1839ee52d3af32 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 16 Feb 2026 16:41:21 +0100
+Subject: Revert "driver core: enforce device_lock for driver_match_device()"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+This reverts commit adc1796eced46b48e23ec200a219d635f33a38ee which is
+commit dc23806a7c47ec5f1293aba407fb69519f976ee0 upstream.
+
+It causes boot regressions on some systems as all of the "fixes" for
+drivers are not properly backported yet. Once that is completed, only
+then can this be applied, if really necessary given the potential for
+explosions, perhaps we might want to wait a few -rc releases first...
+
+Cc: Danilo Krummrich <dakr@kernel.org>
+Cc: Rafael J. Wysocki (Intel) <rafael@kernel.org>
+Cc: Danilo Krummrich <dakr@kernel.org>
+Cc: Gui-Dong Han <hanguidong02@gmail.com>
+Cc: Qiu-ji Chen <chenqiuji666@gmail.com>
+Reported-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/7dfd0e63-a725-4fac-b2a0-f2e621d99d1b@sirena.org.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/base.h | 9 ---------
+ drivers/base/bus.c | 2 +-
+ drivers/base/dd.c | 2 +-
+ 3 files changed, 2 insertions(+), 11 deletions(-)
+
+--- a/drivers/base/base.h
++++ b/drivers/base/base.h
+@@ -165,18 +165,9 @@ void device_set_deferred_probe_reason(co
+ static inline int driver_match_device(struct device_driver *drv,
+ struct device *dev)
+ {
+- device_lock_assert(dev);
+-
+ return drv->bus->match ? drv->bus->match(dev, drv) : 1;
+ }
+
+-static inline int driver_match_device_locked(struct device_driver *drv,
+- struct device *dev)
+-{
+- guard(device)(dev);
+- return driver_match_device(drv, dev);
+-}
+-
+ static inline void dev_sync_state(struct device *dev)
+ {
+ if (dev->bus->sync_state)
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -263,7 +263,7 @@ static ssize_t bind_store(struct device_
+ int err = -ENODEV;
+
+ dev = bus_find_device_by_name(bus, NULL, buf);
+- if (dev && driver_match_device_locked(drv, dev)) {
++ if (dev && driver_match_device(drv, dev)) {
+ err = device_driver_attach(drv, dev);
+ if (!err) {
+ /* success */
+--- a/drivers/base/dd.c
++++ b/drivers/base/dd.c
+@@ -1169,7 +1169,7 @@ static int __driver_attach(struct device
+ * is an error.
+ */
+
+- ret = driver_match_device_locked(drv, dev);
++ ret = driver_match_device(drv, dev);
+ if (ret == 0) {
+ /* no match */
+ return 0;
--- /dev/null
+From c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 Mon Sep 17 00:00:00 2001
+From: Anil Gurumurthy <agurumurthy@marvell.com>
+Date: Wed, 10 Dec 2025 15:46:03 +0530
+Subject: scsi: qla2xxx: Fix bsg_done() causing double free
+
+From: Anil Gurumurthy <agurumurthy@marvell.com>
+
+commit c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 upstream.
+
+Kernel panic observed on system,
+
+[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
+[5353358.825194] #PF: supervisor write access in kernel mode
+[5353358.825195] #PF: error_code(0x0002) - not-present page
+[5353358.825196] PGD 100006067 P4D 0
+[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
+[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1
+[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025
+[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10
+[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246
+[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000
+[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000
+[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000
+[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090
+[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000
+[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000
+[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0
+[5353358.825221] PKRU: 55555554
+[5353358.825222] Call Trace:
+[5353358.825223] <TASK>
+[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df
+[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df
+[5353358.825232] ? sg_copy_buffer+0xc8/0x110
+[5353358.825236] ? __die_body.cold+0x8/0xd
+[5353358.825238] ? page_fault_oops+0x134/0x170
+[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110
+[5353358.825244] ? exc_page_fault+0xa8/0x150
+[5353358.825247] ? asm_exc_page_fault+0x22/0x30
+[5353358.825252] ? memcpy_erms+0x6/0x10
+[5353358.825253] sg_copy_buffer+0xc8/0x110
+[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]
+[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]
+
+Most routines in qla_bsg.c call bsg_done() only for success cases.
+However a few invoke it for failure case as well leading to a double
+free. Validate before calling bsg_done().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Anil Gurumurthy <agurumurthy@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com>
+Link: https://patch.msgid.link/20251210101604.431868-12-njavali@marvell.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -1546,8 +1546,9 @@ qla2x00_update_optrom(struct bsg_job *bs
+ ha->optrom_buffer = NULL;
+ ha->optrom_state = QLA_SWAITING;
+ mutex_unlock(&ha->optrom_mutex);
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!rval)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+ return rval;
+ }
+
+@@ -2612,8 +2613,9 @@ qla2x00_manage_host_stats(struct bsg_job
+ sizeof(struct ql_vnd_mng_host_stats_resp));
+
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ return ret;
+ }
+@@ -2702,8 +2704,9 @@ qla2x00_get_host_stats(struct bsg_job *b
+ bsg_job->reply_payload.sg_cnt,
+ data, response_len);
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ kfree(data);
+ host_stat_out:
+@@ -2802,8 +2805,9 @@ reply:
+ bsg_job->reply_payload.sg_cnt, data,
+ response_len);
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ tgt_stat_out:
+ kfree(data);
+@@ -2864,8 +2868,9 @@ qla2x00_manage_host_port(struct bsg_job
+ bsg_job->reply_payload.sg_cnt, &rsp_data,
+ sizeof(struct ql_vnd_mng_host_port_resp));
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ return ret;
+ }
+@@ -3240,7 +3245,8 @@ int qla2x00_mailbox_passthru(struct bsg_
+
+ bsg_job->reply_len = sizeof(*bsg_job->reply);
+ bsg_reply->result = DID_OK << 16;
+- bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len);
+
+ kfree(req_data);
+
--- /dev/null
+scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
+pci-endpoint-remove-unused-field-in-struct-pci_epf_group.patch
+pci-endpoint-avoid-creating-sub-groups-asynchronously.patch
+bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
+bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
+revert-driver-core-enforce-device_lock-for-driver_match_device.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
