--- /dev/null
+From stable+bounces-216262-greg=kroah.com@vger.kernel.org Fri Feb 13 17:24:13 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Feb 2026 11:22:29 -0500
+Subject: bus: fsl-mc: fix use-after-free in driver_override_show()
+To: stable@vger.kernel.org
+Cc: Gui-Dong Han <hanguidong02@gmail.com>, Ioana Ciornei <ioana.ciornei@nxp.com>, "Christophe Leroy (CS GROUP)" <chleroy@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260213162229.3559221-2-sashal@kernel.org>
+
+From: Gui-Dong Han <hanguidong02@gmail.com>
+
+[ Upstream commit 148891e95014b5dc5878acefa57f1940c281c431 ]
+
+The driver_override_show() function reads the driver_override string
+without holding the device_lock. However, driver_override_store() uses
+driver_set_override(), which modifies and frees the string while holding
+the device_lock.
+
+This can result in a concurrent use-after-free if the string is freed
+by the store function while being read by the show function.
+
+Fix this by holding the device_lock around the read operation.
+
+Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
+Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Link: https://lore.kernel.org/r/20251202174438.12658-1-hanguidong02@gmail.com
+Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -201,8 +201,12 @@ static ssize_t driver_override_show(stru
+ struct device_attribute *attr, char *buf)
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
++ ssize_t len;
+
+- return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
++ device_lock(dev);
++ len = sysfs_emit(buf, "%s\n", mc_dev->driver_override);
++ device_unlock(dev);
++ return len;
+ }
+ static DEVICE_ATTR_RW(driver_override);
+
--- /dev/null
+From stable+bounces-216261-greg=kroah.com@vger.kernel.org Fri Feb 13 17:22:36 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Feb 2026 11:22:28 -0500
+Subject: bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show functions
+To: stable@vger.kernel.org
+Cc: Chelsy Ratnawat <chelsyratnawat2001@gmail.com>, Ioana Ciornei <ioana.ciornei@nxp.com>, Christophe Leroy <christophe.leroy@csgroup.eu>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260213162229.3559221-1-sashal@kernel.org>
+
+From: Chelsy Ratnawat <chelsyratnawat2001@gmail.com>
+
+[ Upstream commit a50522c805a6c575c80f41b04706e084d814e116 ]
+
+Use sysfs_emit() instead of snprintf()/sprintf() when writing
+to sysfs buffers, as recommended by the kernel documentation.
+
+Signed-off-by: Chelsy Ratnawat <chelsyratnawat2001@gmail.com>
+Acked-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Link: https://lore.kernel.org/r/20250822124339.1739290-1-chelsyratnawat2001@gmail.com
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Stable-dep-of: 148891e95014 ("bus: fsl-mc: fix use-after-free in driver_override_show()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -175,8 +175,8 @@ static ssize_t modalias_show(struct devi
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
+
+- return sprintf(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor,
+- mc_dev->obj_desc.type);
++ return sysfs_emit(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor,
++ mc_dev->obj_desc.type);
+ }
+ static DEVICE_ATTR_RO(modalias);
+
+@@ -202,7 +202,7 @@ static ssize_t driver_override_show(stru
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
+
+- return snprintf(buf, PAGE_SIZE, "%s\n", mc_dev->driver_override);
++ return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
+ }
+ static DEVICE_ATTR_RW(driver_override);
+
--- /dev/null
+From stable+bounces-216462-greg=kroah.com@vger.kernel.org Sat Feb 14 02:49:31 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Feb 2026 20:49:23 -0500
+Subject: PCI: endpoint: Avoid creating sub-groups asynchronously
+To: stable@vger.kernel.org
+Cc: Liu Song <liu.song13@zte.com.cn>, Manivannan Sadhasivam <mani@kernel.org>, Bjorn Helgaas <bhelgaas@google.com>, stable@kernel.org, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260214014923.3899226-2-sashal@kernel.org>
+
+From: Liu Song <liu.song13@zte.com.cn>
+
+[ Upstream commit 7c5c7d06bd1f86d2c3ebe62be903a4ba42db4d2c ]
+
+The asynchronous creation of sub-groups by a delayed work could lead to a
+NULL pointer dereference when the driver directory is removed before the
+work completes.
+
+The crash can be easily reproduced with the following commands:
+
+ # cd /sys/kernel/config/pci_ep/functions/pci_epf_test
+ # for i in {1..20}; do mkdir test && rmdir test; done
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000088
+ ...
+ Call Trace:
+ configfs_register_group+0x3d/0x190
+ pci_epf_cfs_work+0x41/0x110
+ process_one_work+0x18f/0x350
+ worker_thread+0x25a/0x3a0
+
+Fix this issue by using configfs_add_default_group() API which does not
+have the deadlock problem as configfs_register_group() and does not require
+the delayed work handler.
+
+Fixes: e85a2d783762 ("PCI: endpoint: Add support in configfs to associate two EPCs with EPF")
+Signed-off-by: Liu Song <liu.song13@zte.com.cn>
+[mani: slightly reworded the description and added stable list]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@kernel.org
+Link: https://patch.msgid.link/20250710143845409gLM6JdlwPhlHG9iX3F6jK@zte.com.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/endpoint/pci-ep-cfs.c | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+--- a/drivers/pci/endpoint/pci-ep-cfs.c
++++ b/drivers/pci/endpoint/pci-ep-cfs.c
+@@ -23,7 +23,6 @@ struct pci_epf_group {
+ struct config_group group;
+ struct config_group primary_epc_group;
+ struct config_group secondary_epc_group;
+- struct delayed_work cfs_work;
+ struct pci_epf *epf;
+ int index;
+ };
+@@ -100,7 +99,7 @@ static struct config_group
+ secondary_epc_group = &epf_group->secondary_epc_group;
+ config_group_init_type_name(secondary_epc_group, "secondary",
+ &pci_secondary_epc_type);
+- configfs_register_group(&epf_group->group, secondary_epc_group);
++ configfs_add_default_group(secondary_epc_group, &epf_group->group);
+
+ return secondary_epc_group;
+ }
+@@ -160,7 +159,7 @@ static struct config_group
+
+ config_group_init_type_name(primary_epc_group, "primary",
+ &pci_primary_epc_type);
+- configfs_register_group(&epf_group->group, primary_epc_group);
++ configfs_add_default_group(primary_epc_group, &epf_group->group);
+
+ return primary_epc_group;
+ }
+@@ -561,15 +560,13 @@ static void pci_ep_cfs_add_type_group(st
+ return;
+ }
+
+- configfs_register_group(&epf_group->group, group);
++ configfs_add_default_group(group, &epf_group->group);
+ }
+
+-static void pci_epf_cfs_work(struct work_struct *work)
++static void pci_epf_cfs_add_sub_groups(struct pci_epf_group *epf_group)
+ {
+- struct pci_epf_group *epf_group;
+ struct config_group *group;
+
+- epf_group = container_of(work, struct pci_epf_group, cfs_work.work);
+ group = pci_ep_cfs_add_primary_group(epf_group);
+ if (IS_ERR(group)) {
+ pr_err("failed to create 'primary' EPC interface\n");
+@@ -628,9 +625,7 @@ static struct config_group *pci_epf_make
+
+ kfree(epf_name);
+
+- INIT_DELAYED_WORK(&epf_group->cfs_work, pci_epf_cfs_work);
+- queue_delayed_work(system_wq, &epf_group->cfs_work,
+- msecs_to_jiffies(1));
++ pci_epf_cfs_add_sub_groups(epf_group);
+
+ return &epf_group->group;
+
--- /dev/null
+From stable+bounces-216461-greg=kroah.com@vger.kernel.org Sat Feb 14 02:49:28 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Feb 2026 20:49:22 -0500
+Subject: PCI: endpoint: Remove unused field in struct pci_epf_group
+To: stable@vger.kernel.org
+Cc: "Christophe JAILLET" <christophe.jaillet@wanadoo.fr>, "Krzysztof Wilczyński" <kwilczynski@kernel.org>, "Bjorn Helgaas" <bhelgaas@google.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20260214014923.3899226-1-sashal@kernel.org>
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 328e4dffbeecc0f2cc5a149dee6c11a0577c9671 ]
+
+In "struct pci_epf_group", the 'type_group' field is unused.
+
+This was added, but already unused, by commit 70b3740f2c19 ("PCI: endpoint:
+Automatically create a function specific attributes group").
+
+Thus, remove it.
+
+Found with cppcheck, unusedStructMember.
+
+[kwilczynski: commit log]
+Link: https://lore.kernel.org/linux-pci/6507d44b6c60a19af35a605e2d58050be8872ab6.1712341008.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Stable-dep-of: 7c5c7d06bd1f ("PCI: endpoint: Avoid creating sub-groups asynchronously")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/endpoint/pci-ep-cfs.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/pci/endpoint/pci-ep-cfs.c
++++ b/drivers/pci/endpoint/pci-ep-cfs.c
+@@ -23,7 +23,6 @@ struct pci_epf_group {
+ struct config_group group;
+ struct config_group primary_epc_group;
+ struct config_group secondary_epc_group;
+- struct config_group *type_group;
+ struct delayed_work cfs_work;
+ struct pci_epf *epf;
+ int index;
scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
+pci-endpoint-remove-unused-field-in-struct-pci_epf_group.patch
+pci-endpoint-avoid-creating-sub-groups-asynchronously.patch
+bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
+bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
