From: Greg Kroah-Hartman
Date: Mon, 23 Mar 2026 13:09:22 +0000 (+0100)
Subject: 6.1-stable patches
X-Git-Tag: v6.1.167~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=073e27c3eec30fefc3b633b88b73467c3dedf9b0;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches
added patches:
i2c-cp2615-fix-serial-string-null-deref-at-probe.patch
i2c-cp2615-replace-deprecated-strncpy-with-strscpy.patch
nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
revert-nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
revert-selftests-net-amt-wait-longer-for-connection-before-sending-packets.patch
---
diff --git a/queue-6.1/i2c-cp2615-fix-serial-string-null-deref-at-probe.patch b/queue-6.1/i2c-cp2615-fix-serial-string-null-deref-at-probe.patch
new file mode 100644
index 0000000000..370a1b29a2
--- /dev/null
+++ b/queue-6.1/i2c-cp2615-fix-serial-string-null-deref-at-probe.patch
@@ -0,0 +1,43 @@
+From stable+bounces-227971-greg=kroah.com@vger.kernel.org Mon Mar 23 14:01:18 2026
+From: Sasha Levin
+Date: Mon, 23 Mar 2026 08:56:30 -0400
+Subject: i2c: cp2615: fix serial string NULL-deref at probe
+To: stable@vger.kernel.org
+Cc: "Johan Hovold" , "Bence Csókás" , "Andi Shyti" , "Sasha Levin"
+Message-ID: <20260323125630.1651316-2-sashal@kernel.org>
+
+From: Johan Hovold
+
+[ Upstream commit aa79f996eb41e95aed85a1bd7f56bcd6a3842008 ]
+
+The cp2615 driver uses the USB device serial string as the i2c adapter
+name but does not make sure that the string exists.
+
+Verify that the device has a serial number before accessing it to avoid
+triggering a NULL-pointer dereference (e.g. with malicious devices).
+
+Fixes: 4a7695429ead ("i2c: cp2615: add i2c driver for Silicon Labs' CP2615 Digital Audio Bridge")
+Cc: stable@vger.kernel.org # 5.13
+Cc: Bence Csókás
+Signed-off-by: Johan Hovold
+Reviewed-by: Bence Csókás
+Signed-off-by: Andi Shyti
+Link: https://lore.kernel.org/r/20260309075016.25612-1-johan@kernel.org
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-cp2615.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-cp2615.c
++++ b/drivers/i2c/busses/i2c-cp2615.c
+@@ -298,6 +298,9 @@ cp2615_i2c_probe(struct usb_interface *u
+ if (!adap)
+ return -ENOMEM;
+
++ if (!usbdev->serial)
++ return -EINVAL;
++
+ strscpy(adap->name, usbdev->serial, sizeof(adap->name));
+ adap->owner = THIS_MODULE;
+ adap->dev.parent = &usbif->dev;
diff --git a/queue-6.1/i2c-cp2615-replace-deprecated-strncpy-with-strscpy.patch b/queue-6.1/i2c-cp2615-replace-deprecated-strncpy-with-strscpy.patch
new file mode 100644
index 0000000000..a29082f7e6
--- /dev/null
+++ b/queue-6.1/i2c-cp2615-replace-deprecated-strncpy-with-strscpy.patch
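Review bot: The new `if (!usbdev->serial)` guard in cp2615_i2c_probe() carries no comment, so nothing at the call site records that the serial string is supplied by the device and may be absent; a line above it such as `/* the serial string comes from the device and may be missing */` would keep the reason next to the check. The `strscpy()` that follows still ignores its return value, so a serial longer than `adap->name` is truncated silently; if adapter names are relied on to tell devices apart, consider checking for a negative return (the call itself is introduced by the strscpy patch further down this page). The probe function begins and ends outside the hunk.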
@@ -0,0 +1,53 @@
+From stable+bounces-227970-greg=kroah.com@vger.kernel.org Mon Mar 23 14:05:16 2026
+From: Sasha Levin
+Date: Mon, 23 Mar 2026 08:56:29 -0400
+Subject: i2c: cp2615: replace deprecated strncpy with strscpy
+To: stable@vger.kernel.org
+Cc: Justin Stitt , Kees Cook , Wolfram Sang , Sasha Levin
+Message-ID: <20260323125630.1651316-1-sashal@kernel.org>
+
+From: Justin Stitt
+
+[ Upstream commit e2def33f9ee1b1a8cda4ec5cde69840b5708f068 ]
+
+`strncpy` is deprecated for use on NUL-terminated destination strings [1].
+
+We should prefer more robust and less ambiguous string interfaces.
+
+We expect name to be NUL-terminated based on its numerous uses with
+functions that expect NUL-terminated strings.
+
+For example in i2c-core-base.c +1533:
+| dev_dbg(&adap->dev, "adapter [%s] registered\n", adap->name);
+
+NUL-padding is not required as `adap` is already zero-alloacted with:
+| adap = devm_kzalloc(&usbif->dev, sizeof(struct i2c_adapter), GFP_KERNEL);
+
+With the above in mind, a suitable replacement is `strscpy` [2] due to
+the fact that it guarantees NUL-termination on the destination buffer
+without unnecessarily NUL-padding.
+
+Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
+Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
+Link: https://github.com/KSPP/linux/issues/90
+Signed-off-by: Justin Stitt
+Reviewed-by: Kees Cook
+Signed-off-by: Wolfram Sang
+Stable-dep-of: aa79f996eb41 ("i2c: cp2615: fix serial string NULL-deref at probe")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-cp2615.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-cp2615.c
++++ b/drivers/i2c/busses/i2c-cp2615.c
+@@ -298,7 +298,7 @@ cp2615_i2c_probe(struct usb_interface *u
+ if (!adap)
+ return -ENOMEM;
+
+- strncpy(adap->name, usbdev->serial, sizeof(adap->name) - 1);
++ strscpy(adap->name, usbdev->serial, sizeof(adap->name));
+ adap->owner = THIS_MODULE;
+ adap->dev.parent = &usbif->dev;
+ adap->dev.of_node = usbif->dev.of_node;
diff --git a/queue-6.1/nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch b/queue-6.1/nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
new file mode 100644
index 0000000000..f8e51c286a
--- /dev/null
+++ b/queue-6.1/nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
@@ -0,0 +1,94 @@
+From jsingh@cloudlinux.com Mon Feb 23 18:24:22 2026
+From: Jaskaran Singh
+Date: Mon, 23 Feb 2026 22:54:05 +0530
+Subject: nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()
+To: stable@vger.kernel.org, james.smart@broadcom.com, kbusch@kernel.org, axboe@fb.com, hch@lst.de, sagi@grimberg.me
+Cc: linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, gregkh@linuxfoundation.org, Jaskaran Singh , Marco Patalano , Justin Tee , "Ewan D . Milne"
+Message-ID: <20260223172405.292040-3-jsingh@cloudlinux.com>
+
+From: Jaskaran Singh
+
+commit 0a2c5495b6d1ecb0fa18ef6631450f391a888256 upstream.
+
+nvme_fc_delete_assocation() waits for pending I/O to complete before
+returning, and an error can cause ->ioerr_work to be queued after
+cancel_work_sync() had been called. Move the call to cancel_work_sync() to
+be after nvme_fc_delete_association() to ensure ->ioerr_work is not running
+when the nvme_fc_ctrl object is freed. Otherwise the following can occur:
+
+[ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL
+[ 1135.917705] ------------[ cut here ]------------
+[ 1135.922336] kernel BUG at lib/list_debug.c:52!
+[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI
+[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)
+[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025
+[ 1135.950969] Workqueue: 0x0 (nvme-wq)
+[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b
+[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046
+[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000
+[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0
+[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08
+[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100
+[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0
+[ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000
+[ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0
+[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
+[ 1136.055910] PKRU: 55555554
+[ 1136.058623] Call Trace:
+[ 1136.061074]
+[ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0
+[ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0
+[ 1136.071898] ? move_linked_works+0x4a/0xa0
+[ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.081744] ? __die_body.cold+0x8/0x12
+[ 1136.085584] ? die+0x2e/0x50
+[ 1136.088469] ? do_trap+0xca/0x110
+[ 1136.091789] ? do_error_trap+0x65/0x80
+[ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.101289] ? exc_invalid_op+0x50/0x70
+[ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20
+[ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.120806] move_linked_works+0x4a/0xa0
+[ 1136.124733] worker_thread+0x216/0x3a0
+[ 1136.128485] ? __pfx_worker_thread+0x10/0x10
+[ 1136.132758] kthread+0xfa/0x240
+[ 1136.135904] ? __pfx_kthread+0x10/0x10
+[ 1136.139657] ret_from_fork+0x31/0x50
+[ 1136.143236] ? __pfx_kthread+0x10/0x10
+[ 1136.146988] ret_from_fork_asm+0x1a/0x30
+[ 1136.150915]
+
+Fixes: 19fce0470f05 ("nvme-fc: avoid calling _nvme_fc_abort_outstanding_ios from interrupt context")
+Cc: stable@vger.kernel.org
+Tested-by: Marco Patalano
+Reviewed-by: Justin Tee
+Signed-off-by: Ewan D. Milne
+Signed-off-by: Keith Busch
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Jaskaran Singh
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvme/host/fc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -3264,13 +3264,13 @@ nvme_fc_delete_ctrl(struct nvme_ctrl *nc
+ {
+ struct nvme_fc_ctrl *ctrl = to_fc_ctrl(nctrl);
+
+- cancel_work_sync(&ctrl->ioerr_work);
+ cancel_delayed_work_sync(&ctrl->connect_work);
+ /*
+ * kill the association on the link side. this will block
+ * waiting for io to terminate
+ */
+ nvme_fc_delete_association(ctrl);
++ cancel_work_sync(&ctrl->ioerr_work);
+ }
+
+ static void
diff --git a/queue-6.1/revert-nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch b/queue-6.1/revert-nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
new file mode 100644
index 0000000000..8ee5271985
--- /dev/null
+++ b/queue-6.1/revert-nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
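Review bot: The placement of `cancel_work_sync(&ctrl->ioerr_work)` after nvme_fc_delete_association() in nvme_fc_delete_ctrl() is now order-dependent, but the block comment above the teardown call only says that it blocks. Extending that comment with a line such as `* ioerr_work may be queued by I/O failing during this teardown, so it is cancelled afterwards` would stop a later cleanup from moving the cancel back to the top and reopening the window behind the list_del corruption shown in the commit message. The context lines also appear to apply only on top of the revert queued just before this patch in `series`, so the two should be picked or dropped together.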
@@ -0,0 +1,40 @@
+From stable+bounces-217804-greg=kroah.com@vger.kernel.org Mon Feb 23 18:31:24 2026
+From: Jaskaran Singh
+Date: Mon, 23 Feb 2026 22:54:04 +0530
+Subject: Revert "nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()"
+To: stable@vger.kernel.org, james.smart@broadcom.com, kbusch@kernel.org, axboe@fb.com, hch@lst.de, sagi@grimberg.me
+Cc: linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, gregkh@linuxfoundation.org, Jaskaran Singh
+Message-ID: <20260223172405.292040-2-jsingh@cloudlinux.com>
+
+From: Jaskaran Singh
+
+This reverts commit 3d81beae4753db3b3dc5b70dc300d4036e0d9cb8.
+
+The backport of upstream commit 0a2c5495b6d1 was incorrectly applied.
+The cancel_work_sync() call for ->ioerr_work was added to
+nvme_fc_reset_ctrl_work() instead of nvme_fc_delete_ctrl().
+
+Signed-off-by: Jaskaran Singh
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvme/host/fc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -3264,6 +3264,7 @@ nvme_fc_delete_ctrl(struct nvme_ctrl *nc
+ {
+ struct nvme_fc_ctrl *ctrl = to_fc_ctrl(nctrl);
+
++ cancel_work_sync(&ctrl->ioerr_work);
+ cancel_delayed_work_sync(&ctrl->connect_work);
+ /*
+ * kill the association on the link side. this will block
+@@ -3334,7 +3335,6 @@ nvme_fc_reset_ctrl_work(struct work_stru
+
+ /* will block will waiting for io to terminate */
+ nvme_fc_delete_association(ctrl);
+- cancel_work_sync(&ctrl->ioerr_work);
+
+ if (!nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_CONNECTING))
+ dev_err(ctrl->ctrl.device,
diff --git a/queue-6.1/revert-selftests-net-amt-wait-longer-for-connection-before-sending-packets.patch b/queue-6.1/revert-selftests-net-amt-wait-longer-for-connection-before-sending-packets.patch
new file mode 100644
index 0000000000..3045cc530f
--- /dev/null
+++ b/queue-6.1/revert-selftests-net-amt-wait-longer-for-connection-before-sending-packets.patch
@@ -0,0 +1,59 @@
+From stable+bounces-222894-greg=kroah.com@vger.kernel.org Tue Mar 3 15:38:15 2026
+From: Nathan Gao
+Date: Tue, 3 Mar 2026 06:37:50 -0800
+Subject: Revert "selftests: net: amt: wait longer for connection before sending packets"
+To:
+Cc: , , , , , , , , , , ,
+Message-ID: <20260303143750.57741-1-zcgao@amazon.com>
+
+From: Nathan Gao
+
+This reverts commit 7724036d4804222007689cd69f248347eb154793 which is
+commit 04708606fd7bdc34b69089a4ff848ff36d7088f9 upstream.
+
+The reverted patch introduced dependency on lib.sh under net selftests.
+The file was introduced in v6.8-rc1 via commit 25ae948b4478
+("selftests/net: add lib.sh").
+
+Without lib.sh, the amt test fails with:
+./amt.sh: line 76: source: lib.sh: file not found
+
+The whole history of lib.sh includes about 50 commits and considering
+the file never landed on 6.1 it may be better to not introduce it.
+
+Signed-off-by: Nathan Gao
+Acked-by: Taehee Yoo
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/amt.sh | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/tools/testing/selftests/net/amt.sh
++++ b/tools/testing/selftests/net/amt.sh
+@@ -73,8 +73,6 @@
+ # +------------------------+
+ #==============================================================================
+
+-source lib.sh
+-
+ readonly LISTENER=$(mktemp -u listener-XXXXXXXX)
+ readonly GATEWAY=$(mktemp -u gateway-XXXXXXXX)
+ readonly RELAY=$(mktemp -u relay-XXXXXXXX)
+@@ -242,15 +240,14 @@ test_ipv6_forward()
+
+ send_mcast4()
+ {
+- sleep 5
+- wait_local_port_listen ${LISTENER} 4000 udp
++ sleep 2
+ ip netns exec "${SOURCE}" bash -c \
+ 'printf "%s %128s" 172.17.0.2 | nc -w 1 -u 239.0.0.1 4000' &
+ }
+
+ send_mcast6()
+ {
+- wait_local_port_listen ${LISTENER} 6000 udp
++ sleep 2
+ ip netns exec "${SOURCE}" bash -c \
+ 'printf "%s %128s" 2001:db8:3::2 | nc -w 1 -u ff0e::5:6 6000' &
+ }
diff --git a/queue-6.1/series b/queue-6.1/series
index 4790ac0835..fe69d65151 100644
--- a/queue-6.1/series
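Review bot: The fixed `sleep 2` restored in send_mcast4() and send_mcast6() has no comment saying why a bounded delay is used instead of a readiness check, and the commit message is the only place that records that lib.sh is unavailable on 6.1. A comment such as `# fixed delay: wait_local_port_listen needs lib.sh, which 6.1 does not have` above each sleep would stop a later backport from re-adding the helper. The test may again send before the listener socket is bound on a slow machine, which is presumably what the reverted change addressed, so an intermittent failure here should be read with that in mind.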
+++ b/queue-6.1/series
@@ -474,3 +474,8 @@ netfilter-nf_tables-missing-objects-with-no-memcg-accounting.patch
 netfilter-nft_set_pipapo-prevent-overflow-in-lookup-table-allocation.patch
 wifi-brcmfmac-fix-use-after-free-when-rescheduling-brcmf_btcoex_info-work.patch
 riscv-stacktrace-disable-kasan-checks-for-non-current-tasks.patch
+i2c-cp2615-replace-deprecated-strncpy-with-strscpy.patch
+i2c-cp2615-fix-serial-string-null-deref-at-probe.patch
+revert-nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
+nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
+revert-selftests-net-amt-wait-longer-for-connection-before-sending-packets.patch