--- /dev/null
+From stable+bounces-216238-greg=kroah.com@vger.kernel.org Fri Feb 13 15:34:00 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Feb 2026 09:33:54 -0500
+Subject: crypto: virtio - Remove duplicated virtqueue_kick in virtio_crypto_skcipher_crypt_req
+To: stable@vger.kernel.org
+Cc: Bibo Mao <maobibo@loongson.cn>, Jason Wang <jasowang@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>, Herbert Xu <herbert@gondor.apana.org.au>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260213143354.3510918-1-sashal@kernel.org>
+
+From: Bibo Mao <maobibo@loongson.cn>
+
+[ Upstream commit 14f86a1155cca1176abf55987b2fce7f7fcb2455 ]
+
+With function virtio_crypto_skcipher_crypt_req(), there is already
+virtqueue_kick() call with spinlock held in function
+__virtio_crypto_skcipher_do_req(). Remove duplicated virtqueue_kick()
+function call here.
+
+Fixes: d79b5d0bbf2e ("crypto: virtio - support crypto engine framework")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bibo Mao <maobibo@loongson.cn>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/virtio/virtio_crypto_algs.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/crypto/virtio/virtio_crypto_algs.c
++++ b/drivers/crypto/virtio/virtio_crypto_algs.c
+@@ -556,8 +556,6 @@ int virtio_crypto_skcipher_crypt_req(
+ if (ret < 0)
+ return ret;
+
+- virtqueue_kick(data_vq->vq);
+-
+ return 0;
+ }
+
--- /dev/null
+From stable+bounces-215940-greg=kroah.com@vger.kernel.org Thu Feb 12 11:51:39 2026
+From: Bin Lan <lanbincn@139.com>
+Date: Thu, 12 Feb 2026 10:51:12 +0000
+Subject: fs: dlm: fix invalid derefence of sb_lvbptr
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: Alexander Aring <aahringo@redhat.com>, David Teigland <teigland@redhat.com>, Bin Lan <lanbincn@139.com>
+Message-ID: <20260212105112.4137-1-lanbincn@139.com>
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 7175e131ebba47afef47e6ac4d5bab474d1e6e49 ]
+
+I experience issues when putting a lkbsb on the stack and have sb_lvbptr
+field to a dangled pointer while not using DLM_LKF_VALBLK. It will crash
+with the following kernel message, the dangled pointer is here
+0xdeadbeef as example:
+
+[ 102.749317] BUG: unable to handle page fault for address: 00000000deadbeef
+[ 102.749320] #PF: supervisor read access in kernel mode
+[ 102.749323] #PF: error_code(0x0000) - not-present page
+[ 102.749325] PGD 0 P4D 0
+[ 102.749332] Oops: 0000 [#1] PREEMPT SMP PTI
+[ 102.749336] CPU: 0 PID: 1567 Comm: lock_torture_wr Tainted: G W 5.19.0-rc3+ #1565
+[ 102.749343] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-2.module+el8.7.0+15506+033991b0 04/01/2014
+[ 102.749344] RIP: 0010:memcpy_erms+0x6/0x10
+[ 102.749353] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
+[ 102.749355] RSP: 0018:ffff97a58145fd08 EFLAGS: 00010202
+[ 102.749358] RAX: ffff901778b77070 RBX: 0000000000000000 RCX: 0000000000000040
+[ 102.749360] RDX: 0000000000000040 RSI: 00000000deadbeef RDI: ffff901778b77070
+[ 102.749362] RBP: ffff97a58145fd10 R08: ffff901760b67a70 R09: 0000000000000001
+[ 102.749364] R10: ffff9017008e2cb8 R11: 0000000000000001 R12: ffff901760b67a70
+[ 102.749366] R13: ffff901760b78f00 R14: 0000000000000003 R15: 0000000000000001
+[ 102.749368] FS: 0000000000000000(0000) GS:ffff901876e00000(0000) knlGS:0000000000000000
+[ 102.749372] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 102.749374] CR2: 00000000deadbeef CR3: 000000017c49a004 CR4: 0000000000770ef0
+[ 102.749376] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 102.749378] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 102.749379] PKRU: 55555554
+[ 102.749381] Call Trace:
+[ 102.749382] <TASK>
+[ 102.749383] ? send_args+0xb2/0xd0
+[ 102.749389] send_common+0xb7/0xd0
+[ 102.749395] _unlock_lock+0x2c/0x90
+[ 102.749400] unlock_lock.isra.56+0x62/0xa0
+[ 102.749405] dlm_unlock+0x21e/0x330
+[ 102.749411] ? lock_torture_stats+0x80/0x80 [dlm_locktorture]
+[ 102.749416] torture_unlock+0x5a/0x90 [dlm_locktorture]
+[ 102.749419] ? preempt_count_sub+0xba/0x100
+[ 102.749427] lock_torture_writer+0xbd/0x150 [dlm_locktorture]
+[ 102.786186] kthread+0x10a/0x130
+[ 102.786581] ? kthread_complete_and_exit+0x20/0x20
+[ 102.787156] ret_from_fork+0x22/0x30
+[ 102.787588] </TASK>
+[ 102.787855] Modules linked in: dlm_locktorture torture rpcsec_gss_krb5 intel_rapl_msr intel_rapl_common kvm_intel iTCO_wdt iTCO_vendor_support kvm vmw_vsock_virtio_transport qxl irqbypass vmw_vsock_virtio_transport_common drm_ttm_helper crc32_pclmul joydev crc32c_intel ttm vsock virtio_scsi virtio_balloon snd_pcm drm_kms_helper virtio_console snd_timer snd drm soundcore syscopyarea i2c_i801 sysfillrect sysimgblt i2c_smbus pcspkr fb_sys_fops lpc_ich serio_raw
+[ 102.792536] CR2: 00000000deadbeef
+[ 102.792930] ---[ end trace 0000000000000000 ]---
+
+This patch fixes the issue by checking also on DLM_LKF_VALBLK on exflags
+is set when copying the lvbptr array instead of if it's just null which
+fixes for me the issue.
+
+I think this patch can fix other dlm users as well, depending how they
+handle the init, freeing memory handling of sb_lvbptr and don't set
+DLM_LKF_VALBLK for some dlm_lock() calls. It might a there could be a
+hidden issue all the time. However with checking on DLM_LKF_VALBLK the
+user always need to provide a sb_lvbptr non-null value. There might be
+more intelligent handling between per ls lvblen, DLM_LKF_VALBLK and
+non-null to report the user the way how DLM API is used is wrong but can
+be added for later, this will only fix the current behaviour.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+[ Adjust context ]
+Signed-off-by: Bin Lan <lanbincn@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/dlm/lock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -3635,7 +3635,7 @@ static void send_args(struct dlm_rsb *r,
+ case DLM_MSG_REQUEST_REPLY:
+ case DLM_MSG_CONVERT_REPLY:
+ case DLM_MSG_GRANT:
+- if (!lkb->lkb_lvbptr)
++ if (!lkb->lkb_lvbptr || !(lkb->lkb_exflags & DLM_LKF_VALBLK))
+ break;
+ memcpy(ms->m_extra, lkb->lkb_lvbptr, r->res_ls->ls_lvblen);
+ break;
--- /dev/null
+From stable+bounces-216493-greg=kroah.com@vger.kernel.org Sat Feb 14 18:26:51 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Feb 2026 12:26:46 -0500
+Subject: scsi: qla2xxx: Fix bsg_done() causing double free
+To: stable@vger.kernel.org
+Cc: Anil Gurumurthy <agurumurthy@marvell.com>, Nilesh Javali <njavali@marvell.com>, Himanshu Madhani <hmadhani2024@gmail.com>, "Martin K. Petersen" <martin.petersen@oracle.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260214172646.638487-1-sashal@kernel.org>
+
+From: Anil Gurumurthy <agurumurthy@marvell.com>
+
+[ Upstream commit c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 ]
+
+Kernel panic observed on system,
+
+[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
+[5353358.825194] #PF: supervisor write access in kernel mode
+[5353358.825195] #PF: error_code(0x0002) - not-present page
+[5353358.825196] PGD 100006067 P4D 0
+[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
+[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1
+[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025
+[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10
+[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246
+[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000
+[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000
+[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000
+[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090
+[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000
+[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000
+[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0
+[5353358.825221] PKRU: 55555554
+[5353358.825222] Call Trace:
+[5353358.825223] <TASK>
+[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df
+[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df
+[5353358.825232] ? sg_copy_buffer+0xc8/0x110
+[5353358.825236] ? __die_body.cold+0x8/0xd
+[5353358.825238] ? page_fault_oops+0x134/0x170
+[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110
+[5353358.825244] ? exc_page_fault+0xa8/0x150
+[5353358.825247] ? asm_exc_page_fault+0x22/0x30
+[5353358.825252] ? memcpy_erms+0x6/0x10
+[5353358.825253] sg_copy_buffer+0xc8/0x110
+[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]
+[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]
+
+Most routines in qla_bsg.c call bsg_done() only for success cases.
+However a few invoke it for failure case as well leading to a double
+free. Validate before calling bsg_done().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Anil Gurumurthy <agurumurthy@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com>
+Link: https://patch.msgid.link/20251210101604.431868-12-njavali@marvell.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[ applied only to qla2x00_update_optrom() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -1523,8 +1523,9 @@ qla2x00_update_optrom(struct bsg_job *bs
+ ha->optrom_buffer = NULL;
+ ha->optrom_state = QLA_SWAITING;
+ mutex_unlock(&ha->optrom_mutex);
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!rval)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+ return rval;
+ }
+
--- /dev/null
+From stable+bounces-216317-greg=kroah.com@vger.kernel.org Sat Feb 14 01:55:06 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Feb 2026 19:54:58 -0500
+Subject: scsi: qla2xxx: Free sp in error path to fix system crash
+To: stable@vger.kernel.org
+Cc: Anil Gurumurthy <agurumurthy@marvell.com>, Nilesh Javali <njavali@marvell.com>, Himanshu Madhani <hmadhani2024@gmail.com>, "Martin K. Petersen" <martin.petersen@oracle.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260214005458.3653377-1-sashal@kernel.org>
+
+From: Anil Gurumurthy <agurumurthy@marvell.com>
+
+[ Upstream commit 7adbd2b7809066c75f0433e5e2a8e114b429f30f ]
+
+System crash seen during load/unload test in a loop,
+
+[61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X.
+[61110.467494] =============================================================================
+[61110.467498] BUG qla2xxx_srbs (Tainted: G OE -------- --- ): Objects remaining in qla2xxx_srbs on __kmem_cache_shutdown()
+[61110.467501] -----------------------------------------------------------------------------
+
+[61110.467502] Slab 0x000000000ffc8162 objects=51 used=1 fp=0x00000000e25d3d85 flags=0x57ffffc0010200(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
+[61110.467509] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G OE -------- --- 5.14.0-284.11.1.el9_2.x86_64 #1
+[61110.467513] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023
+[61110.467515] Call Trace:
+[61110.467516] <TASK>
+[61110.467519] dump_stack_lvl+0x34/0x48
+[61110.467526] slab_err.cold+0x53/0x67
+[61110.467534] __kmem_cache_shutdown+0x16e/0x320
+[61110.467540] kmem_cache_destroy+0x51/0x160
+[61110.467544] qla2x00_module_exit+0x93/0x99 [qla2xxx]
+[61110.467607] ? __do_sys_delete_module.constprop.0+0x178/0x280
+[61110.467613] ? syscall_trace_enter.constprop.0+0x145/0x1d0
+[61110.467616] ? do_syscall_64+0x5c/0x90
+[61110.467619] ? exc_page_fault+0x62/0x150
+[61110.467622] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[61110.467626] </TASK>
+[61110.467627] Disabling lock debugging due to kernel taint
+[61110.467635] Object 0x0000000026f7e6e6 @offset=16000
+[61110.467639] ------------[ cut here ]------------
+[61110.467639] kmem_cache_destroy qla2xxx_srbs: Slab cache still has objects when called from qla2x00_module_exit+0x93/0x99 [qla2xxx]
+[61110.467659] WARNING: CPU: 53 PID: 455206 at mm/slab_common.c:520 kmem_cache_destroy+0x14d/0x160
+[61110.467718] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G B OE -------- --- 5.14.0-284.11.1.el9_2.x86_64 #1
+[61110.467720] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023
+[61110.467721] RIP: 0010:kmem_cache_destroy+0x14d/0x160
+[61110.467724] Code: 99 7d 07 00 48 89 ef e8 e1 6a 07 00 eb b3 48 8b 55 60 48 8b 4c 24 20 48 c7 c6 70 fc 66 90 48 c7 c7 f8 ef a1 90 e8 e1 ed 7c 00 <0f> 0b eb 93 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 55 48 89
+[61110.467725] RSP: 0018:ffffa304e489fe80 EFLAGS: 00010282
+[61110.467727] RAX: 0000000000000000 RBX: ffffffffc0d9a860 RCX: 0000000000000027
+[61110.467729] RDX: ffff8fd5ff9598a8 RSI: 0000000000000001 RDI: ffff8fd5ff9598a0
+[61110.467730] RBP: ffff8fb6aaf78700 R08: 0000000000000000 R09: 0000000100d863b7
+[61110.467731] R10: ffffa304e489fd20 R11: ffffffff913bef48 R12: 0000000040002000
+[61110.467731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[61110.467733] FS: 00007f64c89fb740(0000) GS:ffff8fd5ff940000(0000) knlGS:0000000000000000
+[61110.467734] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[61110.467735] CR2: 00007f0f02bfe000 CR3: 00000020ad6dc005 CR4: 0000000000770ee0
+[61110.467736] PKRU: 55555554
+[61110.467737] Call Trace:
+[61110.467738] <TASK>
+[61110.467739] qla2x00_module_exit+0x93/0x99 [qla2xxx]
+[61110.467755] ? __do_sys_delete_module.constprop.0+0x178/0x280
+
+Free sp in the error path to fix the crash.
+
+Fixes: f352eeb75419 ("scsi: qla2xxx: Add ability to use GPNFT/GNNFT for RSCN handling")
+Cc: stable@vger.kernel.org
+Signed-off-by: Anil Gurumurthy <agurumurthy@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com>
+Link: https://patch.msgid.link/20251210101604.431868-9-njavali@marvell.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[ Context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_gs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_gs.c
++++ b/drivers/scsi/qla2xxx/qla_gs.c
+@@ -3960,8 +3960,8 @@ int qla24xx_async_gpnft(scsi_qla_host_t
+ if (vha->scan.scan_flags & SF_SCANNING) {
+ spin_unlock_irqrestore(&vha->work_lock, flags);
+ ql_dbg(ql_dbg_disc + ql_dbg_verbose, vha, 0xffff,
+- "%s: scan active\n", __func__);
+- return rval;
++ "%s: scan active for sp:%p\n", __func__, sp);
++ goto done_free_sp;
+ }
+ vha->scan.scan_flags |= SF_SCANNING;
+ spin_unlock_irqrestore(&vha->work_lock, flags);
--- /dev/null
+From stable+bounces-216253-greg=kroah.com@vger.kernel.org Fri Feb 13 16:44:38 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Feb 2026 10:44:30 -0500
+Subject: scsi: qla2xxx: Validate sp before freeing associated memory
+To: stable@vger.kernel.org
+Cc: Anil Gurumurthy <agurumurthy@marvell.com>, Nilesh Javali <njavali@marvell.com>, Himanshu Madhani <hmadhani2024@gmail.com>, "Martin K. Petersen" <martin.petersen@oracle.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260213154430.3545825-1-sashal@kernel.org>
+
+From: Anil Gurumurthy <agurumurthy@marvell.com>
+
+[ Upstream commit b6df15aec8c3441357d4da0eaf4339eb20f5999f ]
+
+System crash with the following signature
+[154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete
+[154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3.
+[154564.169405] qla2xxx [0000:b0:00.1]-ffffff:2: SET ZIO Activity exchange threshold to 5.
+[154565.539974] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 0080 0000.
+[154565.545744] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 00a0 0000.
+[154565.545857] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate).
+[154565.552760] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate).
+[154565.553079] BUG: kernel NULL pointer dereference, address: 00000000000000f8
+[154565.553080] #PF: supervisor read access in kernel mode
+[154565.553082] #PF: error_code(0x0000) - not-present page
+[154565.553084] PGD 80000010488ab067 P4D 80000010488ab067 PUD 104978a067 PMD 0
+[154565.553089] Oops: 0000 1 PREEMPT SMP PTI
+[154565.553092] CPU: 10 PID: 858 Comm: qla2xxx_2_dpc Kdump: loaded Tainted: G OE ------- --- 5.14.0-503.11.1.el9_5.x86_64 #1
+[154565.553096] Hardware name: HPE Synergy 660 Gen10/Synergy 660 Gen10 Compute Module, BIOS I43 09/30/2024
+[154565.553097] RIP: 0010:qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx]
+[154565.553141] Code: 00 00 e8 58 a3 ec d4 49 89 e9 ba 12 20 00 00 4c 89 e6 49 c7 c0 00 ee a8 c0 48 c7 c1 66 c0 a9 c0 bf 00 80 00 10 e8 15 69 00 00 <4c> 8b 8d f8 00 00 00 4d 85 c9 74 35 49 8b 84 24 00 19 00 00 48 8b
+[154565.553143] RSP: 0018:ffffb4dbc8aebdd0 EFLAGS: 00010286
+[154565.553145] RAX: 0000000000000000 RBX: ffff8ec2cf0908d0 RCX: 0000000000000002
+[154565.553147] RDX: 0000000000000000 RSI: ffffffffc0a9c896 RDI: ffffb4dbc8aebd47
+[154565.553148] RBP: 0000000000000000 R08: ffffb4dbc8aebd45 R09: 0000000000ffff0a
+[154565.553150] R10: 0000000000000000 R11: 000000000000000f R12: ffff8ec2cf0908d0
+[154565.553151] R13: ffff8ec2cf090900 R14: 0000000000000102 R15: ffff8ec2cf084000
+[154565.553152] FS: 0000000000000000(0000) GS:ffff8ed27f800000(0000) knlGS:0000000000000000
+[154565.553154] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[154565.553155] CR2: 00000000000000f8 CR3: 000000113ae0a005 CR4: 00000000007706f0
+[154565.553157] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[154565.553158] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[154565.553159] PKRU: 55555554
+[154565.553160] Call Trace:
+[154565.553162] <TASK>
+[154565.553165] ? show_trace_log_lvl+0x1c4/0x2df
+[154565.553172] ? show_trace_log_lvl+0x1c4/0x2df
+[154565.553177] ? qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx]
+[154565.553215] ? __die_body.cold+0x8/0xd
+[154565.553218] ? page_fault_oops+0x134/0x170
+[154565.553223] ? snprintf+0x49/0x70
+[154565.553229] ? exc_page_fault+0x62/0x150
+[154565.553238] ? asm_exc_page_fault+0x22/0x30
+
+Check for sp being non NULL before freeing any associated memory
+
+Fixes: a4239945b8ad ("scsi: qla2xxx: Add switch command to simplify fabric discovery")
+Cc: stable@vger.kernel.org
+Signed-off-by: Anil Gurumurthy <agurumurthy@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com>
+Link: https://patch.msgid.link/20251210101604.431868-10-njavali@marvell.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[ adapted kref_put() srb free mechanism to older sp->free(sp) ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_gs.c | 32 +++++++++++++++++---------------
+ 1 file changed, 17 insertions(+), 15 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_gs.c
++++ b/drivers/scsi/qla2xxx/qla_gs.c
+@@ -3901,22 +3901,24 @@ static int qla24xx_async_gnnft(scsi_qla_
+ return rval;
+
+ done_free_sp:
+- if (sp->u.iocb_cmd.u.ctarg.req) {
+- dma_free_coherent(&vha->hw->pdev->dev,
+- sp->u.iocb_cmd.u.ctarg.req_allocated_size,
+- sp->u.iocb_cmd.u.ctarg.req,
+- sp->u.iocb_cmd.u.ctarg.req_dma);
+- sp->u.iocb_cmd.u.ctarg.req = NULL;
+- }
+- if (sp->u.iocb_cmd.u.ctarg.rsp) {
+- dma_free_coherent(&vha->hw->pdev->dev,
+- sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
+- sp->u.iocb_cmd.u.ctarg.rsp,
+- sp->u.iocb_cmd.u.ctarg.rsp_dma);
+- sp->u.iocb_cmd.u.ctarg.rsp = NULL;
+- }
++ if (sp) {
++ if (sp->u.iocb_cmd.u.ctarg.req) {
++ dma_free_coherent(&vha->hw->pdev->dev,
++ sp->u.iocb_cmd.u.ctarg.req_allocated_size,
++ sp->u.iocb_cmd.u.ctarg.req,
++ sp->u.iocb_cmd.u.ctarg.req_dma);
++ sp->u.iocb_cmd.u.ctarg.req = NULL;
++ }
++ if (sp->u.iocb_cmd.u.ctarg.rsp) {
++ dma_free_coherent(&vha->hw->pdev->dev,
++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
++ sp->u.iocb_cmd.u.ctarg.rsp,
++ sp->u.iocb_cmd.u.ctarg.rsp_dma);
++ sp->u.iocb_cmd.u.ctarg.rsp = NULL;
++ }
+
+- sp->free(sp);
++ sp->free(sp);
++ }
+
+ spin_lock_irqsave(&vha->work_lock, flags);
+ vha->scan.scan_flags &= ~SF_SCANNING;
--- /dev/null
+From stable+bounces-215944-greg=kroah.com@vger.kernel.org Thu Feb 12 12:51:11 2026
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Thu, 12 Feb 2026 12:50:57 +0100
+Subject: selftests: mptcp: pm: ensure unknown flags are ignored
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: MPTCP Upstream <mptcp@lists.linux.dev>, "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Mat Martineau <martineau@kernel.org>, Jakub Kicinski <kuba@kernel.org>
+Message-ID: <20260212115056.898313-2-matttbe@kernel.org>
+
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+
+commit 29f4801e9c8dfd12bdcb33b61a6ac479c7162bd7 upstream.
+
+This validates the previous commit: the userspace can set unknown flags
+-- the 7th bit is currently unused -- without errors, but only the
+supported ones are printed in the endpoints dumps.
+
+The 'Fixes' tag here below is the same as the one from the previous
+commit: this patch here is not fixing anything wrong in the selftests,
+but it validates the previous fix for an issue introduced by this commit
+ID.
+
+Fixes: 01cacb00b35c ("mptcp: add netlink-based PM")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251205-net-mptcp-misc-fixes-6-19-rc1-v1-2-9e4781a6c1b8@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Conflicts in pm_netlink.sh, because some refactoring have been done
+ later on: commit 0d16ed0c2e74 ("selftests: mptcp: add
+ {get,format}_endpoint(s) helpers") and commit c99d57d0007a
+ ("selftests: mptcp: use pm_nl endpoint ops") are not in this version.
+ The same operation can still be done at the same place, without using
+ the new helpers.
+ Also, commit 1dc88d241f92 ("selftests: mptcp: pm_nl_ctl: always look
+ for errors") is not in this version, and create a conflict in the
+ context which is not related to the modification here.
+ In v5.10, endpoints couldn't be re-used directly, so the flag is
+ tested before.
+ Conflicts in pm_nl_ctl.c, because commit 69c6ce7b6eca ("selftests:
+ mptcp: add implicit endpoint test case") and commit 371b90377e60
+ ("selftests: mptcp: set and print the fullmesh flag") are not in this
+ version, and caused a conflict in the context which is not related to
+ the modification here. ]
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/pm_netlink.sh | 2 +-
+ tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 11 +++++++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/mptcp/pm_netlink.sh
++++ b/tools/testing/selftests/net/mptcp/pm_netlink.sh
+@@ -80,7 +80,7 @@ if mptcp_lib_expect_all_features; then
+ subflows 0" "defaults limits"
+ fi
+
+-ip netns exec $ns1 ./pm_nl_ctl add 10.0.1.1
++ip netns exec $ns1 ./pm_nl_ctl add 10.0.1.1 flags unknown
+ ip netns exec $ns1 ./pm_nl_ctl add 10.0.1.2 flags subflow dev lo
+ ip netns exec $ns1 ./pm_nl_ctl add 10.0.1.3 flags signal,backup
+ check "ip netns exec $ns1 ./pm_nl_ctl get 1" "id 1 flags 10.0.1.1" "simple add/get addr"
+--- a/tools/testing/selftests/net/mptcp/pm_nl_ctl.c
++++ b/tools/testing/selftests/net/mptcp/pm_nl_ctl.c
+@@ -22,6 +22,8 @@
+ #define MPTCP_PM_NAME "mptcp_pm"
+ #endif
+
++#define MPTCP_PM_ADDR_FLAG_UNKNOWN _BITUL(7)
++
+ static void syntax(char *argv[])
+ {
+ fprintf(stderr, "%s add|get|del|flush|dump|accept [<args>]\n", argv[0]);
+@@ -236,6 +238,8 @@ int add_addr(int fd, int pm_family, int
+ flags |= MPTCP_PM_ADDR_FLAG_SIGNAL;
+ else if (!strcmp(tok, "backup"))
+ flags |= MPTCP_PM_ADDR_FLAG_BACKUP;
++ else if (!strcmp(tok, "unknown"))
++ flags |= MPTCP_PM_ADDR_FLAG_UNKNOWN;
+ else
+ error(1, errno,
+ "unknown flag %s", argv[arg]);
+@@ -372,6 +376,13 @@ static void print_addr(struct rtattr *at
+ if (flags)
+ printf(",");
+ }
++
++ if (flags & MPTCP_PM_ADDR_FLAG_UNKNOWN) {
++ printf("unknown");
++ flags &= ~MPTCP_PM_ADDR_FLAG_UNKNOWN;
++ if (flags)
++ printf(",");
++ }
+
+ /* bump unknown flags, if any */
+ if (flags)
drm-tegra-hdmi-sor-fix-error-variable-j-set-but-not-.patch
platform-x86-classmate-laptop-add-missing-null-point.patch
gpiolib-acpi-fix-gpio-count-with-string-references.patch
+fs-dlm-fix-invalid-derefence-of-sb_lvbptr.patch
+selftests-mptcp-pm-ensure-unknown-flags-are-ignored.patch
+crypto-virtio-remove-duplicated-virtqueue_kick-in-virtio_crypto_skcipher_crypt_req.patch
+scsi-qla2xxx-validate-sp-before-freeing-associated-memory.patch
+scsi-qla2xxx-free-sp-in-error-path-to-fix-system-crash.patch
+scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
