From: Greg Kroah-Hartman
Date: Mon, 16 Feb 2026 16:04:27 +0000 (+0100)
Subject: copy queues so we can do a "quick" release
X-Git-Tag: v6.6.126~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6a6b98d9d6c119a7c51104fd7b222da66e9c1eb3;p=thirdparty%2Fkernel%2Fstable-queue.git
copy queues so we can do a "quick" release
---
diff --git a/temp/queue-6.12/bnxt_en-change-fw-message-timeout-warning.patch b/temp/queue-6.12/bnxt_en-change-fw-message-timeout-warning.patch
new file mode 100644
index 0000000000..a21aa2f93d
--- /dev/null
+++ b/temp/queue-6.12/bnxt_en-change-fw-message-timeout-warning.patch
@@ -0,0 +1,77 @@
+From 0fcad44a86bdc2b5f202d91ba1eeeee6fceb7b25 Mon Sep 17 00:00:00 2001
+From: Michael Chan
+Date: Thu, 17 Apr 2025 10:24:45 -0700
+Subject: bnxt_en: Change FW message timeout warning
+
+From: Michael Chan
+
+commit 0fcad44a86bdc2b5f202d91ba1eeeee6fceb7b25 upstream.
+
+The firmware advertises a "hwrm_cmd_max_timeout" value to the driver
+for NVRAM and coredump related functions that can take tens of seconds
+to complete. The driver polls for the operation to complete under
+mutex and may trigger hung task watchdog warning if the wait is too long.
+To warn the user about this, the driver currently prints a warning if
+this advertised value exceeds 40 seconds:
+
+Device requests max timeout of %d seconds, may trigger hung task watchdog
+
+Initially, we chose 40 seconds, well below the kernel's default
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT (120 seconds) to avoid triggering
+the hung task watchdog. But 60 seconds is the timeout on most
+production FW and cannot be reduced further. Change the driver's warning
+threshold to 60 seconds to avoid triggering this warning on all
+production devices. We also print the warning if the value exceeds
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT which may be set to architecture
+specific defaults as low as 10 seconds.
+
+Reviewed-by: Kalesh AP
+Reviewed-by: Pavan Chebbi
+Reviewed-by: Andy Gospodarek
+Signed-off-by: Michael Chan
+Link: https://patch.msgid.link/20250417172448.1206107-2-michael.chan@broadcom.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 11 +++++++----
+ drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.h | 2 +-
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -9770,7 +9770,7 @@ static int bnxt_hwrm_ver_get(struct bnxt
+ struct hwrm_ver_get_input *req;
+ u16 fw_maj, fw_min, fw_bld, fw_rsv;
+ u32 dev_caps_cfg, hwrm_ver;
+- int rc, len;
++ int rc, len, max_tmo_secs;
+
+ rc = hwrm_req_init(bp, req, HWRM_VER_GET);
+ if (rc)
+@@ -9843,9 +9843,12 @@ static int bnxt_hwrm_ver_get(struct bnxt
+ bp->hwrm_cmd_max_timeout = le16_to_cpu(resp->max_req_timeout) * 1000;
+ if (!bp->hwrm_cmd_max_timeout)
+ bp->hwrm_cmd_max_timeout = HWRM_CMD_MAX_TIMEOUT;
+- else if (bp->hwrm_cmd_max_timeout > HWRM_CMD_MAX_TIMEOUT)
+- netdev_warn(bp->dev, "Device requests max timeout of %d seconds, may trigger hung task watchdog\n",
+- bp->hwrm_cmd_max_timeout / 1000);
++ max_tmo_secs = bp->hwrm_cmd_max_timeout / 1000;
++ if (bp->hwrm_cmd_max_timeout > HWRM_CMD_MAX_TIMEOUT ||
++ max_tmo_secs > CONFIG_DEFAULT_HUNG_TASK_TIMEOUT) {
++ netdev_warn(bp->dev, "Device requests max timeout of %d seconds, may trigger hung task watchdog (kernel default %ds)\n",
++ max_tmo_secs, CONFIG_DEFAULT_HUNG_TASK_TIMEOUT);
++ }
+
+ if (resp->hwrm_intf_maj_8b >= 1) {
+ bp->hwrm_max_req_len = le16_to_cpu(resp->max_req_win_len);
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.h
+@@ -58,7 +58,7 @@ void hwrm_update_token(struct bnxt *bp,
+
+ #define BNXT_HWRM_MAX_REQ_LEN (bp->hwrm_max_req_len)
+ #define BNXT_HWRM_SHORT_REQ_LEN sizeof(struct hwrm_short_input)
+-#define HWRM_CMD_MAX_TIMEOUT 40000U
++#define HWRM_CMD_MAX_TIMEOUT 60000U
+ #define SHORT_HWRM_CMD_TIMEOUT 20
+ #define HWRM_CMD_TIMEOUT (bp->hwrm_cmd_timeout)
+ #define HWRM_RESET_TIMEOUT ((HWRM_CMD_TIMEOUT) * 4)
diff --git a/temp/queue-6.12/bnxt_en-hide-config_detect_hung_task-specific-code.patch b/temp/queue-6.12/bnxt_en-hide-config_detect_hung_task-specific-code.patch
new file mode 100644
index 0000000000..7df89eb005
--- /dev/null
+++ b/temp/queue-6.12/bnxt_en-hide-config_detect_hung_task-specific-code.patch
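Review bot: Raising HWRM_CMD_MAX_TIMEOUT from 40000U to 60000U in bnxt_hwrm.h also raises the fallback the driver uses when the firmware advertises no maximum, because the same macro is assigned in `if (!bp->hwrm_cmd_max_timeout) bp->hwrm_cmd_max_timeout = HWRM_CMD_MAX_TIMEOUT;` just above the new warning in bnxt_hwrm_ver_get(). The commit message only describes the warning threshold, so either that side effect is intended and deserves a sentence, or the threshold and the default should be separate constants. A comment on the macro such as `/* default and warning threshold for long-running (NVRAM/coredump) HWRM commands, in ms */` would keep both roles visible. This patch on its own does not build when CONFIG_DETECT_HUNG_TASK is disabled (the next patch in the queue fixes that), so the two should stay adjacent in the series file to keep bisection clean. bnxt_hwrm_ver_get() starts and ends outside the hunk.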
@@ -0,0 +1,44 @@
+From 8ff6175139967cd17b2a62bca4b2de2559942b7e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Wed, 23 Apr 2025 18:28:21 +0200
+Subject: bnxt_en: hide CONFIG_DETECT_HUNG_TASK specific code
+
+From: Arnd Bergmann
+
+commit 8ff6175139967cd17b2a62bca4b2de2559942b7e upstream.
+
+The CONFIG_DEFAULT_HUNG_TASK_TIMEOUT setting is only available when the
+hung task detection is enabled, otherwise the code now produces a build
+failure:
+
+drivers/net/ethernet/broadcom/bnxt/bnxt.c:10188:21: error: use of undeclared identifier 'CONFIG_DEFAULT_HUNG_TASK_TIMEOUT'
+ 10188 | max_tmo_secs > CONFIG_DEFAULT_HUNG_TASK_TIMEOUT) {
+
+Enclose this warning logic in an #ifdef to ensure this builds.
+
+Fixes: 0fcad44a86bd ("bnxt_en: Change FW message timeout warning")
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Michael Chan
+Link: https://patch.msgid.link/20250423162827.2189658-1-arnd@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -9844,11 +9844,13 @@ static int bnxt_hwrm_ver_get(struct bnxt
+ if (!bp->hwrm_cmd_max_timeout)
+ bp->hwrm_cmd_max_timeout = HWRM_CMD_MAX_TIMEOUT;
+ max_tmo_secs = bp->hwrm_cmd_max_timeout / 1000;
++#ifdef CONFIG_DETECT_HUNG_TASK
+ if (bp->hwrm_cmd_max_timeout > HWRM_CMD_MAX_TIMEOUT ||
+ max_tmo_secs > CONFIG_DEFAULT_HUNG_TASK_TIMEOUT) {
+ netdev_warn(bp->dev, "Device requests max timeout of %d seconds, may trigger hung task watchdog (kernel default %ds)\n",
+ max_tmo_secs, CONFIG_DEFAULT_HUNG_TASK_TIMEOUT);
+ }
++#endif
+
+ if (resp->hwrm_intf_maj_8b >= 1) {
+ bp->hwrm_max_req_len = le16_to_cpu(resp->max_req_win_len);
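Review bot: The new `#ifdef CONFIG_DETECT_HUNG_TASK` wraps the whole warning, so with the hung-task detector disabled the driver also stops warning that the firmware's timeout exceeds HWRM_CMD_MAX_TIMEOUT, a condition that does not depend on that option, and `max_tmo_secs` becomes assigned but never read in that configuration. Only the CONFIG_DEFAULT_HUNG_TASK_TIMEOUT term needs guarding; resolving the kernel threshold into a local first keeps the driver-limit half of the warning unconditional. The declaration of max_tmo_secs and the rest of bnxt_hwrm_ver_get() are outside the hunk, so the new local below would have to be declared there.
```c
	max_tmo_secs = bp->hwrm_cmd_max_timeout / 1000;
#ifdef CONFIG_DETECT_HUNG_TASK
	hung_tmo_secs = CONFIG_DEFAULT_HUNG_TASK_TIMEOUT;
#else
	hung_tmo_secs = 0;	/* no detector built in: only the driver limit applies */
#endif
	if (bp->hwrm_cmd_max_timeout > HWRM_CMD_MAX_TIMEOUT ||
	    (hung_tmo_secs && max_tmo_secs > hung_tmo_secs)) {
		netdev_warn(bp->dev, "Device requests max timeout of %d seconds, may trigger hung task watchdog (kernel default %ds)\n",
			    max_tmo_secs, hung_tmo_secs);
	}
	/* … unchanged: hwrm_intf_maj_8b handling … */
```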
diff --git a/temp/queue-6.12/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch b/temp/queue-6.12/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
new file mode 100644
index 0000000000..81ffecf619
--- /dev/null
+++ b/temp/queue-6.12/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
@@ -0,0 +1,50 @@
+From stable+bounces-216258-greg=kroah.com@vger.kernel.org Fri Feb 13 17:12:28 2026
+From: Sasha Levin
+Date: Fri, 13 Feb 2026 11:12:19 -0500
+Subject: bus: fsl-mc: fix use-after-free in driver_override_show()
+To: stable@vger.kernel.org
+Cc: Gui-Dong Han , Ioana Ciornei , "Christophe Leroy (CS GROUP)" , Sasha Levin
+Message-ID: <20260213161219.3554825-2-sashal@kernel.org>
+
+From: Gui-Dong Han
+
+[ Upstream commit 148891e95014b5dc5878acefa57f1940c281c431 ]
+
+The driver_override_show() function reads the driver_override string
+without holding the device_lock. However, driver_override_store() uses
+driver_set_override(), which modifies and frees the string while holding
+the device_lock.
+
+This can result in a concurrent use-after-free if the string is freed
+by the store function while being read by the show function.
+
+Fix this by holding the device_lock around the read operation.
+
+Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gui-Dong Han
+Reviewed-by: Ioana Ciornei
+Link: https://lore.kernel.org/r/20251202174438.12658-1-hanguidong02@gmail.com
+Signed-off-by: Christophe Leroy (CS GROUP)
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -201,8 +201,12 @@ static ssize_t driver_override_show(stru
+ struct device_attribute *attr, char *buf)
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
++ ssize_t len;
+
+- return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
++ device_lock(dev);
++ len = sysfs_emit(buf, "%s\n", mc_dev->driver_override);
++ device_unlock(dev);
++ return len;
+ }
+ static DEVICE_ATTR_RW(driver_override);
+
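Review bot: The new device_lock()/device_unlock() pair around sysfs_emit() in driver_override_show() carries no comment explaining why a plain string read needs the device mutex, which makes it an easy target for a later "unnecessary locking" cleanup that would reintroduce the use-after-free. A one-line comment above `device_lock(dev);` such as `/* driver_override is replaced and freed under device_lock() by driver_set_override(); read it under the same lock */` ties the read side to the store side described in the commit message. driver_override_show()'s signature line is outside the hunk.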
diff --git a/temp/queue-6.12/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch b/temp/queue-6.12/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
new file mode 100644
index 0000000000..20a85ce69d
--- /dev/null
+++ b/temp/queue-6.12/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
@@ -0,0 +1,48 @@
+From stable+bounces-216257-greg=kroah.com@vger.kernel.org Fri Feb 13 17:12:24 2026
+From: Sasha Levin
+Date: Fri, 13 Feb 2026 11:12:18 -0500
+Subject: bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show functions
+To: stable@vger.kernel.org
+Cc: Chelsy Ratnawat , Ioana Ciornei , Christophe Leroy , Sasha Levin
+Message-ID: <20260213161219.3554825-1-sashal@kernel.org>
+
+From: Chelsy Ratnawat
+
+[ Upstream commit a50522c805a6c575c80f41b04706e084d814e116 ]
+
+Use sysfs_emit() instead of snprintf()/sprintf() when writing
+to sysfs buffers, as recommended by the kernel documentation.
+
+Signed-off-by: Chelsy Ratnawat
+Acked-by: Ioana Ciornei
+Link: https://lore.kernel.org/r/20250822124339.1739290-1-chelsyratnawat2001@gmail.com
+Signed-off-by: Christophe Leroy
+Stable-dep-of: 148891e95014 ("bus: fsl-mc: fix use-after-free in driver_override_show()")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -175,8 +175,8 @@ static ssize_t modalias_show(struct devi
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
+
+- return sprintf(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor,
+- mc_dev->obj_desc.type);
++ return sysfs_emit(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor,
++ mc_dev->obj_desc.type);
+ }
+ static DEVICE_ATTR_RO(modalias);
+
+@@ -202,7 +202,7 @@ static ssize_t driver_override_show(stru
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
+
+- return snprintf(buf, PAGE_SIZE, "%s\n", mc_dev->driver_override);
++ return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
+ }
+ static DEVICE_ATTR_RW(driver_override);
+
diff --git a/temp/queue-6.12/revert-driver-core-enforce-device_lock-for-driver_match_device.patch b/temp/queue-6.12/revert-driver-core-enforce-device_lock-for-driver_match_device.patch
new file mode 100644
index 0000000000..52231d91ac
--- /dev/null
+++ b/temp/queue-6.12/revert-driver-core-enforce-device_lock-for-driver_match_device.patch
@@ -0,0 +1,72 @@
+From b8819cb8faec938fa3e3b0023e1839ee52d3af32 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Mon, 16 Feb 2026 16:41:21 +0100
+Subject: Revert "driver core: enforce device_lock for driver_match_device()"
+
+From: Greg Kroah-Hartman
+
+This reverts commit cd0e0a76e40c2e77bcfc88291d00dca22b00158e which is
+commit dc23806a7c47ec5f1293aba407fb69519f976ee0 upstream.
+
+It causes boot regressions on some systems as all of the "fixes" for
+drivers are not properly backported yet. Once that is completed, only
+then can this be applied, if really necessary given the potential for
+explosions, perhaps we might want to wait a few -rc releases first...
+
+Cc: Danilo Krummrich
+Cc: Rafael J. Wysocki (Intel)
+Cc: Danilo Krummrich
+Cc: Gui-Dong Han
+Cc: Qiu-ji Chen
+Reported-by: Mark Brown
+Link: https://lore.kernel.org/r/7dfd0e63-a725-4fac-b2a0-f2e621d99d1b@sirena.org.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/base/base.h | 9 ---------
+ drivers/base/bus.c | 2 +-
+ drivers/base/dd.c | 2 +-
+ 3 files changed, 2 insertions(+), 11 deletions(-)
+
+--- a/drivers/base/base.h
++++ b/drivers/base/base.h
+@@ -165,18 +165,9 @@ void device_set_deferred_probe_reason(co
+ static inline int driver_match_device(const struct device_driver *drv,
+ struct device *dev)
+ {
+- device_lock_assert(dev);
+-
+ return drv->bus->match ? drv->bus->match(dev, drv) : 1;
+ }
+
+-static inline int driver_match_device_locked(const struct device_driver *drv,
+- struct device *dev)
+-{
+- guard(device)(dev);
+- return driver_match_device(drv, dev);
+-}
+-
+ static inline void dev_sync_state(struct device *dev)
+ {
+ if (dev->bus->sync_state)
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -263,7 +263,7 @@ static ssize_t bind_store(struct device_
+ int err = -ENODEV;
+
+ dev = bus_find_device_by_name(bus, NULL, buf);
+- if (dev && driver_match_device_locked(drv, dev)) {
++ if (dev && driver_match_device(drv, dev)) {
+ err = device_driver_attach(drv, dev);
+ if (!err) {
+ /* success */
+--- a/drivers/base/dd.c
++++ b/drivers/base/dd.c
+@@ -1168,7 +1168,7 @@ static int __driver_attach(struct device
+ * is an error.
+ */
+
+- ret = driver_match_device_locked(drv, dev);
++ ret = driver_match_device(drv, dev);
+ if (ret == 0) {
+ /* no match */
+ return 0;
diff --git a/temp/queue-6.12/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch b/temp/queue-6.12/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
new file mode 100644
index 0000000000..391f962a9e
--- /dev/null
+++ b/temp/queue-6.12/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
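Review bot: After the revert, bind_store() in bus.c evaluates `driver_match_device(drv, dev)` before device_driver_attach() takes the device lock, so any bus match callback that inspects per-device state such as driver_override (the fsl-mc patch queued in this same commit shows that string being freed under device_lock) may race with a concurrent store again; the commit message accepts this to stop the boot regressions, but the reopened window deserves a marker at the call site so it is not forgotten once the per-driver fixes are backported, e.g. `/* match runs without device_lock here; see revert of dc23806a7c47 */`. The same applies to the `ret = driver_match_device(drv, dev);` line in __driver_attach() in dd.c. The identical reverts queued for 6.18 and 6.19 later in this commit carry the same point. bind_store() and __driver_attach() both start and end outside their hunks.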
@@ -0,0 +1,132 @@
+From c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 Mon Sep 17 00:00:00 2001
+From: Anil Gurumurthy
+Date: Wed, 10 Dec 2025 15:46:03 +0530
+Subject: scsi: qla2xxx: Fix bsg_done() causing double free
+
+From: Anil Gurumurthy
+
+commit c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 upstream.
+
+Kernel panic observed on system,
+
+[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
+[5353358.825194] #PF: supervisor write access in kernel mode
+[5353358.825195] #PF: error_code(0x0002) - not-present page
+[5353358.825196] PGD 100006067 P4D 0
+[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
+[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1
+[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025
+[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10
+[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246
+[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000
+[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000
+[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000
+[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090
+[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000
+[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000
+[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0
+[5353358.825221] PKRU: 55555554
+[5353358.825222] Call Trace:
+[5353358.825223]
+[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df
+[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df
+[5353358.825232] ? sg_copy_buffer+0xc8/0x110
+[5353358.825236] ? __die_body.cold+0x8/0xd
+[5353358.825238] ? page_fault_oops+0x134/0x170
+[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110
+[5353358.825244] ? exc_page_fault+0xa8/0x150
+[5353358.825247] ? asm_exc_page_fault+0x22/0x30
+[5353358.825252] ? memcpy_erms+0x6/0x10
+[5353358.825253] sg_copy_buffer+0xc8/0x110
+[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]
+[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]
+
+Most routines in qla_bsg.c call bsg_done() only for success cases.
+However a few invoke it for failure case as well leading to a double
+free. Validate before calling bsg_done().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Anil Gurumurthy
+Signed-off-by: Nilesh Javali
+Reviewed-by: Himanshu Madhani
+Link: https://patch.msgid.link/20251210101604.431868-12-njavali@marvell.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -1546,8 +1546,9 @@ qla2x00_update_optrom(struct bsg_job *bs
+ ha->optrom_buffer = NULL;
+ ha->optrom_state = QLA_SWAITING;
+ mutex_unlock(&ha->optrom_mutex);
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!rval)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+ return rval;
+ }
+
+@@ -2612,8 +2613,9 @@ qla2x00_manage_host_stats(struct bsg_job
+ sizeof(struct ql_vnd_mng_host_stats_resp));
+
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ return ret;
+ }
+@@ -2702,8 +2704,9 @@ qla2x00_get_host_stats(struct bsg_job *b
+ bsg_job->reply_payload.sg_cnt,
+ data, response_len);
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ kfree(data);
+ host_stat_out:
+@@ -2802,8 +2805,9 @@ reply:
+ bsg_job->reply_payload.sg_cnt, data,
+ response_len);
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ tgt_stat_out:
+ kfree(data);
+@@ -2864,8 +2868,9 @@ qla2x00_manage_host_port(struct bsg_job
+ bsg_job->reply_payload.sg_cnt, &rsp_data,
+ sizeof(struct ql_vnd_mng_host_port_resp));
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ return ret;
+ }
+@@ -3240,7 +3245,8 @@ int qla2x00_mailbox_passthru(struct bsg_
+
+ bsg_job->reply_len = sizeof(*bsg_job->reply);
+ bsg_reply->result = DID_OK << 16;
+- bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len);
+
+ kfree(req_data);
+
diff --git a/temp/queue-6.12/series b/temp/queue-6.12/series
new file mode 100644
index 0000000000..ce3ae5389d
--- /dev/null
+++ b/temp/queue-6.12/series
@@ -0,0 +1,6 @@
+scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
+bnxt_en-change-fw-message-timeout-warning.patch
+bnxt_en-hide-config_detect_hung_task-specific-code.patch
+bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
+bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
+revert-driver-core-enforce-device_lock-for-driver_match_device.patch
diff --git a/temp/queue-6.18/revert-driver-core-enforce-device_lock-for-driver_match_device.patch b/temp/queue-6.18/revert-driver-core-enforce-device_lock-for-driver_match_device.patch
new file mode 100644
index 0000000000..aa44e258f9
--- /dev/null
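Review bot: In the qla_bsg.c hunks at @@ -2612, @@ -2702, @@ -2802 and @@ -2864, `bsg_reply->result = DID_OK;` still runs unconditionally and only the bsg_job_done() call moved under `if (!ret)`, so on the failure path the reply is left marked DID_OK while the job is handed back to the caller uncompleted; if that caller completes the job using bsg_reply->result, a failed request may be reported to user space as successful. Moving the assignment under the same guard, `if (!ret) { bsg_reply->result = DID_OK; bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len); }`, keeps result consistent with ret. The @@ -3240 hunk has the same shape with `DID_OK << 16`, and the identical copy of this patch queued for 6.18 later in this commit carries the same point. Each affected function starts outside its hunk, so where ret is set on the error paths is not visible here.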
+++ b/temp/queue-6.18/revert-driver-core-enforce-device_lock-for-driver_match_device.patch 
@@ -0,0 +1,72 @@
+From b8819cb8faec938fa3e3b0023e1839ee52d3af32 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Mon, 16 Feb 2026 16:41:21 +0100
+Subject: Revert "driver core: enforce device_lock for driver_match_device()"
+
+From: Greg Kroah-Hartman
+
+This reverts commit 8d76b2488eb3cc0717ab81b60622cff4a5f90f79 which is
+commit dc23806a7c47ec5f1293aba407fb69519f976ee0 upstream.
+
+It causes boot regressions on some systems as all of the "fixes" for
+drivers are not properly backported yet. Once that is completed, only
+then can this be applied, if really necessary given the potential for
+explosions, perhaps we might want to wait a few -rc releases first...
+
+Cc: Danilo Krummrich
+Cc: Rafael J. Wysocki (Intel)
+Cc: Danilo Krummrich
+Cc: Gui-Dong Han
+Cc: Qiu-ji Chen
+Reported-by: Mark Brown
+Link: https://lore.kernel.org/r/7dfd0e63-a725-4fac-b2a0-f2e621d99d1b@sirena.org.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/base/base.h | 9 ---------
+ drivers/base/bus.c | 2 +-
+ drivers/base/dd.c | 2 +-
+ 3 files changed, 2 insertions(+), 11 deletions(-)
+
+--- a/drivers/base/base.h
++++ b/drivers/base/base.h
+@@ -166,18 +166,9 @@ void device_set_deferred_probe_reason(co
+ static inline int driver_match_device(const struct device_driver *drv,
+ struct device *dev)
+ {
+- device_lock_assert(dev);
+-
+ return drv->bus->match ? drv->bus->match(dev, drv) : 1;
+ }
+
+-static inline int driver_match_device_locked(const struct device_driver *drv,
+- struct device *dev)
+-{
+- guard(device)(dev);
+- return driver_match_device(drv, dev);
+-}
+-
+ static inline void dev_sync_state(struct device *dev)
+ {
+ if (dev->bus->sync_state)
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -263,7 +263,7 @@ static ssize_t bind_store(struct device_
+ int err = -ENODEV;
+
+ dev = bus_find_device_by_name(bus, NULL, buf);
+- if (dev && driver_match_device_locked(drv, dev)) {
++ if (dev && driver_match_device(drv, dev)) {
+ err = device_driver_attach(drv, dev);
+ if (!err) {
+ /* success */
+--- a/drivers/base/dd.c
++++ b/drivers/base/dd.c
+@@ -1170,7 +1170,7 @@ static int __driver_attach(struct device
+ * is an error.
+ */
+
+- ret = driver_match_device_locked(drv, dev);
++ ret = driver_match_device(drv, dev);
+ if (ret == 0) {
+ /* no match */
+ return 0;
diff --git a/temp/queue-6.18/rust-device-fix-broken-intra-doc-links.patch b/temp/queue-6.18/rust-device-fix-broken-intra-doc-links.patch
new file mode 100644
index 0000000000..3c0e36fa95
--- /dev/null
+++ b/temp/queue-6.18/rust-device-fix-broken-intra-doc-links.patch
@@ -0,0 +1,56 @@
+From a9a42f0754b6c69525612d678b73da790e28b9fd Mon Sep 17 00:00:00 2001
+From: FUJITA Tomonori
+Date: Wed, 31 Dec 2025 13:57:28 +0900
+Subject: rust: device: fix broken intra-doc links
+
+From: FUJITA Tomonori
+
+commit a9a42f0754b6c69525612d678b73da790e28b9fd upstream.
+
+The `pci` module is conditional on CONFIG_PCI. When it's disabled, the
+intra-doc link to `pci::Device` causes rustdoc warnings:
+
+warning: unresolved link to `kernel::pci::Device`
+ --> rust/kernel/device.rs:163:22
+ |
+163 | /// [`pci::Device`]: kernel::pci::Device
+ | ^^^^^^^^^^^^^^^^^^^ no item named `pci` in module `kernel`
+ |
+ = note: `#[warn(rustdoc::broken_intra_doc_links)]` on by default
+
+Fix this by making the documentation conditional on CONFIG_PCI.
+
+Fixes: d6e26c1ae4a6 ("device: rust: expand documentation for Device")
+Signed-off-by: FUJITA Tomonori
+Reviewed-by: Dirk Behme
+Link: https://patch.msgid.link/20251231045728.1912024-2-fujita.tomonori@gmail.com
+[ Keep the "such as" part indicating a list of examples; fix typos in
+ commit message. - Danilo ]
+Signed-off-by: Danilo Krummrich
+Signed-off-by: Greg Kroah-Hartman
+---
+ rust/kernel/device.rs | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/rust/kernel/device.rs
++++ b/rust/kernel/device.rs
+@@ -62,8 +62,9 @@ pub mod property;
+ ///
+ /// # Implementing Bus Devices
+ ///
+-/// This section provides a guideline to implement bus specific devices, such as [`pci::Device`] or
+-/// [`platform::Device`].
++/// This section provides a guideline to implement bus specific devices, such as:
++#[cfg_attr(CONFIG_PCI, doc = "* [`pci::Device`](kernel::pci::Device)")]
++/// * [`platform::Device`]
+ ///
+ /// A bus specific device should be defined as follows.
+ ///
+
+@@ -155,7 +156,6 @@ pub mod property;
+ ///
+ /// [`AlwaysRefCounted`]: kernel::types::AlwaysRefCounted
+ /// [`impl_device_context_deref`]: kernel::impl_device_context_deref
+-/// [`pci::Device`]: kernel::pci::Device
+ /// [`platform::Device`]: kernel::platform::Device
+ #[repr(transparent)]
+ pub struct Device(Opaque, PhantomData);
diff --git a/temp/queue-6.18/rust-dma-fix-broken-intra-doc-links.patch b/temp/queue-6.18/rust-dma-fix-broken-intra-doc-links.patch
new file mode 100644
index 0000000000..fbf82f14df
--- /dev/null
+++ b/temp/queue-6.18/rust-dma-fix-broken-intra-doc-links.patch
@@ -0,0 +1,46 @@
+From 32cb3840386fd3684fbe8294cfc0a6684417139e Mon Sep 17 00:00:00 2001
+From: FUJITA Tomonori
+Date: Wed, 31 Dec 2025 13:57:27 +0900
+Subject: rust: dma: fix broken intra-doc links
+
+From: FUJITA Tomonori
+
+commit 32cb3840386fd3684fbe8294cfc0a6684417139e upstream.
+
+The `pci` module is conditional on CONFIG_PCI. When it's disabled, the
+intra-doc link to `pci::Device` causes rustdoc warnings:
+
+warning: unresolved link to `::kernel::pci::Device`
+ --> rust/kernel/dma.rs:30:70
+ |
+30 | /// where the underlying bus is DMA capable, such as [`pci::Device`](::kernel::pci::Device) or
+ | ^^^^^^^^^^^^^^^^^^^^^ no item named `pci` in module `kernel`
+
+Fix this by making the documentation conditional on CONFIG_PCI.
+
+Fixes: d06d5f66f549 ("rust: dma: implement `dma::Device` trait")
+Signed-off-by: FUJITA Tomonori
+Reviewed-by: Dirk Behme
+Link: https://patch.msgid.link/20251231045728.1912024-1-fujita.tomonori@gmail.com
+[ Keep the "such as" part indicating a list of examples; fix typos in
+ commit message. - Danilo ]
+Signed-off-by: Danilo Krummrich
+Signed-off-by: Greg Kroah-Hartman
+---
+ rust/kernel/dma.rs | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/rust/kernel/dma.rs
++++ b/rust/kernel/dma.rs
+@@ -26,8 +26,9 @@ pub type DmaAddress = bindings::dma_addr
+ /// Trait to be implemented by DMA capable bus devices.
+ ///
+ /// The [`dma::Device`](Device) trait should be implemented by bus specific device representations,
+-/// where the underlying bus is DMA capable, such as [`pci::Device`](::kernel::pci::Device) or
+-/// [`platform::Device`](::kernel::platform::Device).
++/// where the underlying bus is DMA capable, such as:
++#[cfg_attr(CONFIG_PCI, doc = "* [`pci::Device`](kernel::pci::Device)")]
++/// * [`platform::Device`](::kernel::platform::Device)
+ pub trait Device: AsRef> {
+ /// Set up the device's DMA streaming addressing capabilities.
+ ///
diff --git a/temp/queue-6.18/rust-driver-fix-broken-intra-doc-links-to-example-driver-types.patch b/temp/queue-6.18/rust-driver-fix-broken-intra-doc-links-to-example-driver-types.patch
new file mode 100644
index 0000000000..008b6dde17
--- /dev/null
+++ b/temp/queue-6.18/rust-driver-fix-broken-intra-doc-links-to-example-driver-types.patch
@@ -0,0 +1,69 @@
+From 4c9f6a782f6078dc94450fcb22e65d520bfa0775 Mon Sep 17 00:00:00 2001
+From: Alice Ryhl
+Date: Sat, 27 Dec 2025 15:47:21 +0000
+Subject: rust: driver: fix broken intra-doc links to example driver types
+
+From: Alice Ryhl
+
+commit 4c9f6a782f6078dc94450fcb22e65d520bfa0775 upstream.
+
+The `auxiliary` and `pci` modules are conditional on
+`CONFIG_AUXILIARY_BUS` and `CONFIG_PCI` respectively. When these are
+disabled, the intra-doc links to `auxiliary::Driver` and `pci::Driver`
+break, causing rustdoc warnings (or errors with `-D warnings`).
+
+error: unresolved link to `kernel::auxiliary::Driver`
+ --> rust/kernel/driver.rs:82:28
+ |
+82 | //! [`auxiliary::Driver`]: kernel::auxiliary::Driver
+ | ^^^^^^^^^^^^^^^^^^^^^^^^^ no item named `auxiliary` in module `kernel`
+
+Fix this by making the documentation for these examples conditional on
+the corresponding configuration options.
+
+Fixes: 970a7c68788e ("driver: rust: expand documentation for driver infrastructure")
+Signed-off-by: Alice Ryhl
+Reported-by: FUJITA Tomonori
+Closes: https://lore.kernel.org/rust-for-linux/20251209.151817.744108529426448097.fujita.tomonori@gmail.com/
+Link: https://patch.msgid.link/20251227-driver-types-v1-1-1916154fbe5e@google.com
+Signed-off-by: Danilo Krummrich
+Signed-off-by: Greg Kroah-Hartman
+---
+ rust/kernel/driver.rs | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/rust/kernel/driver.rs
++++ b/rust/kernel/driver.rs
+@@ -33,7 +33,14 @@
+ //! }
+ //! ```
+ //!
+-//! For specific examples see [`auxiliary::Driver`], [`pci::Driver`] and [`platform::Driver`].
++//! For specific examples see:
++//!
++//! * [`platform::Driver`](kernel::platform::Driver)
++#![cfg_attr(
++ CONFIG_AUXILIARY_BUS,
++ doc = "* [`auxiliary::Driver`](kernel::auxiliary::Driver)"
++)]
++#![cfg_attr(CONFIG_PCI, doc = "* [`pci::Driver`](kernel::pci::Driver)")]
+ //!
+ //! The `probe()` callback should return a `Result>>`, i.e. the driver's private
+ //! data. The bus abstraction should store the pointer in the corresponding bus device. The generic
+@@ -79,7 +86,6 @@
+ //!
+ //! For this purpose the generic infrastructure in [`device_id`] should be used.
+ //!
+-//! [`auxiliary::Driver`]: kernel::auxiliary::Driver
+ //! [`Core`]: device::Core
+ //! [`Device`]: device::Device
+ //! [`Device`]: device::Device
+@@ -87,8 +93,6 @@
+ //! [`DeviceContext`]: device::DeviceContext
+ //! [`device_id`]: kernel::device_id
+ //! [`module_driver`]: kernel::module_driver
+-//! [`pci::Driver`]: kernel::pci::Driver
+-//! [`platform::Driver`]: kernel::platform::Driver
+
+ use crate::error::{Error, Result};
+ use crate::{acpi, device, of, str::CStr, try_pin_init, types::Opaque, ThisModule};
diff --git a/temp/queue-6.18/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch b/temp/queue-6.18/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
new file mode 100644
index 0000000000..391f962a9e
--- /dev/null
+++ b/temp/queue-6.18/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
@@ -0,0 +1,132 @@
+From c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 Mon Sep 17 00:00:00 2001
+From: Anil Gurumurthy
+Date: Wed, 10 Dec 2025 15:46:03 +0530
+Subject: scsi: qla2xxx: Fix bsg_done() causing double free
+
+From: Anil Gurumurthy
+
+commit c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 upstream.
+
+Kernel panic observed on system,
+
+[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
+[5353358.825194] #PF: supervisor write access in kernel mode
+[5353358.825195] #PF: error_code(0x0002) - not-present page
+[5353358.825196] PGD 100006067 P4D 0
+[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
+[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1
+[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025
+[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10
+[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246
+[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000
+[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000
+[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000
+[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090
+[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000
+[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000
+[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0
+[5353358.825221] PKRU: 55555554
+[5353358.825222] Call Trace:
+[5353358.825223]
+[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df
+[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df
+[5353358.825232] ? sg_copy_buffer+0xc8/0x110
+[5353358.825236] ? __die_body.cold+0x8/0xd
+[5353358.825238] ? page_fault_oops+0x134/0x170
+[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110
+[5353358.825244] ? exc_page_fault+0xa8/0x150
+[5353358.825247] ? asm_exc_page_fault+0x22/0x30
+[5353358.825252] ? memcpy_erms+0x6/0x10
+[5353358.825253] sg_copy_buffer+0xc8/0x110
+[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]
+[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]
+
+Most routines in qla_bsg.c call bsg_done() only for success cases.
+However a few invoke it for failure case as well leading to a double
+free. Validate before calling bsg_done().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Anil Gurumurthy
+Signed-off-by: Nilesh Javali
+Reviewed-by: Himanshu Madhani
+Link: https://patch.msgid.link/20251210101604.431868-12-njavali@marvell.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -1546,8 +1546,9 @@ qla2x00_update_optrom(struct bsg_job *bs
+ ha->optrom_buffer = NULL;
+ ha->optrom_state = QLA_SWAITING;
+ mutex_unlock(&ha->optrom_mutex);
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!rval)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+ return rval;
+ }
+
+@@ -2612,8 +2613,9 @@ qla2x00_manage_host_stats(struct bsg_job
+ sizeof(struct ql_vnd_mng_host_stats_resp));
+
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ return ret;
+ }
+@@ -2702,8 +2704,9 @@ qla2x00_get_host_stats(struct bsg_job *b
+ bsg_job->reply_payload.sg_cnt,
+ data, response_len);
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ kfree(data);
+ host_stat_out:
+@@ -2802,8 +2805,9 @@ reply:
+ bsg_job->reply_payload.sg_cnt, data,
+ response_len);
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ tgt_stat_out:
+ kfree(data);
+@@ -2864,8 +2868,9 @@ qla2x00_manage_host_port(struct bsg_job
+ bsg_job->reply_payload.sg_cnt, &rsp_data,
+ sizeof(struct ql_vnd_mng_host_port_resp));
+ bsg_reply->result = DID_OK;
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+
+ return ret;
+ }
+@@ -3240,7 +3245,8 @@ int qla2x00_mailbox_passthru(struct bsg_
+
+ bsg_job->reply_len = sizeof(*bsg_job->reply);
+ bsg_reply->result = DID_OK << 16;
+- bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len);
++ if (!ret)
++ bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len);
+
+ kfree(req_data);
+
diff --git a/temp/queue-6.18/series b/temp/queue-6.18/series
new file mode 100644
index 0000000000..2c048b5056
--- /dev/null
+++ b/temp/queue-6.18/series
@@ -0,0 +1,5 @@
+scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
+rust-device-fix-broken-intra-doc-links.patch
+rust-dma-fix-broken-intra-doc-links.patch
+rust-driver-fix-broken-intra-doc-links-to-example-driver-types.patch
+revert-driver-core-enforce-device_lock-for-driver_match_device.patch
diff --git a/temp/queue-6.19/revert-driver-core-enforce-device_lock-for-driver_match_device.patch b/temp/queue-6.19/revert-driver-core-enforce-device_lock-for-driver_match_device.patch
new file mode 100644
index 0000000000..d6b9bfa2f1
--- /dev/null
+++ b/temp/queue-6.19/revert-driver-core-enforce-device_lock-for-driver_match_device.patch
@@ -0,0 +1,72 @@ +From b8819cb8faec938fa3e3b0023e1839ee52d3af32 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 16 Feb 2026 16:41:21 +0100 +Subject: Revert "driver core: enforce device_lock for driver_match_device()" + +From: Greg Kroah-Hartman + +This reverts commit bc82e5f4d7dc8237ae8cabc73aa46fc93c85d98c which is +commit dc23806a7c47ec5f1293aba407fb69519f976ee0 upstream. + +It causes boot regressions on some systems as all of the "fixes" for +drivers are not properly backported yet. Once that is completed, only +then can this be applied, if really necessary given the potential for +explosions, perhaps we might want to wait a few -rc releases first... + +Cc: Danilo Krummrich +Cc: Rafael J. Wysocki (Intel) +Cc: Danilo Krummrich +Cc: Gui-Dong Han +Cc: Qiu-ji Chen +Reported-by: Mark Brown +Link: https://lore.kernel.org/r/7dfd0e63-a725-4fac-b2a0-f2e621d99d1b@sirena.org.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/base.h | 9 --------- + drivers/base/bus.c | 2 +- + drivers/base/dd.c | 2 +- + 3 files changed, 2 insertions(+), 11 deletions(-) + +--- a/drivers/base/base.h ++++ b/drivers/base/base.h +@@ -182,18 +182,9 @@ void device_set_deferred_probe_reason(co + static inline int driver_match_device(const struct device_driver *drv, + struct device *dev) + { +- device_lock_assert(dev); +- + return drv->bus->match ? 
drv->bus->match(dev, drv) : 1; + } + +-static inline int driver_match_device_locked(const struct device_driver *drv, +- struct device *dev) +-{ +- guard(device)(dev); +- return driver_match_device(drv, dev); +-} +- + static inline void dev_sync_state(struct device *dev) + { + if (dev->bus->sync_state) +--- a/drivers/base/bus.c ++++ b/drivers/base/bus.c +@@ -263,7 +263,7 @@ static ssize_t bind_store(struct device_ + int err = -ENODEV; + + dev = bus_find_device_by_name(bus, NULL, buf); +- if (dev && driver_match_device_locked(drv, dev)) { ++ if (dev && driver_match_device(drv, dev)) { + err = device_driver_attach(drv, dev); + if (!err) { + /* success */ +--- a/drivers/base/dd.c ++++ b/drivers/base/dd.c +@@ -1180,7 +1180,7 @@ static int __driver_attach(struct device + * is an error. + */ + +- ret = driver_match_device_locked(drv, dev); ++ ret = driver_match_device(drv, dev); + if (ret == 0) { + /* no match */ + return 0; diff --git a/temp/queue-6.19/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch b/temp/queue-6.19/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch new file mode 100644 index 0000000000..391f962a9e --- /dev/null +++ b/temp/queue-6.19/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch 
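Review bot: With `device_lock_assert(dev)` dropped from `driver_match_device()` and `driver_match_device_locked()` removed, the `bind_store()` hunk in drivers/base/bus.c and the `__driver_attach()` hunk in drivers/base/dd.c again call `driver_match_device(drv, dev)` with no device lock held, so a bus `match` callback that looks at `driver_override` presumably races once more with `driver_set_override()` freeing that string under the lock. The description says this is deliberate until the per-driver fixes are backported, so no code change is proposed here; the reopened window should just be tracked as a pending re-application of commit dc23806a7c47 so it is not forgotten. The same revert queued under temp/queue-6.6 (its `driver_match_device` hunk differs only in the missing `const` and the line offsets) gets the same remark.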
@@ -0,0 +1,132 @@ +From c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 Mon Sep 17 00:00:00 2001 +From: Anil Gurumurthy +Date: Wed, 10 Dec 2025 15:46:03 +0530 +Subject: scsi: qla2xxx: Fix bsg_done() causing double free + +From: Anil Gurumurthy + +commit c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 upstream. + +Kernel panic observed on system, + +[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000 +[5353358.825194] #PF: supervisor write access in kernel mode +[5353358.825195] #PF: error_code(0x0002) - not-present page +[5353358.825196] PGD 100006067 P4D 0 +[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI +[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1 +[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025 +[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10 +[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246 +[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000 +[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000 +[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000 +[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090 +[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000 +[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000 +[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0 +[5353358.825221] PKRU: 55555554 +[5353358.825222] Call Trace: +[5353358.825223] +[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df +[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df +[5353358.825232] ? sg_copy_buffer+0xc8/0x110 +[5353358.825236] ? __die_body.cold+0x8/0xd +[5353358.825238] ? page_fault_oops+0x134/0x170 +[5353358.825242] ? 
kernelmode_fixup_or_oops+0x84/0x110 +[5353358.825244] ? exc_page_fault+0xa8/0x150 +[5353358.825247] ? asm_exc_page_fault+0x22/0x30 +[5353358.825252] ? memcpy_erms+0x6/0x10 +[5353358.825253] sg_copy_buffer+0xc8/0x110 +[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx] +[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx] + +Most routines in qla_bsg.c call bsg_done() only for success cases. +However a few invoke it for failure case as well leading to a double +free. Validate before calling bsg_done(). + +Cc: stable@vger.kernel.org +Signed-off-by: Anil Gurumurthy +Signed-off-by: Nilesh Javali +Reviewed-by: Himanshu Madhani +Link: https://patch.msgid.link/20251210101604.431868-12-njavali@marvell.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_bsg.c | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_bsg.c ++++ b/drivers/scsi/qla2xxx/qla_bsg.c +@@ -1546,8 +1546,9 @@ qla2x00_update_optrom(struct bsg_job *bs + ha->optrom_buffer = NULL; + ha->optrom_state = QLA_SWAITING; + mutex_unlock(&ha->optrom_mutex); +- bsg_job_done(bsg_job, bsg_reply->result, +- bsg_reply->reply_payload_rcv_len); ++ if (!rval) ++ bsg_job_done(bsg_job, bsg_reply->result, ++ bsg_reply->reply_payload_rcv_len); + return rval; + } + +@@ -2612,8 +2613,9 @@ qla2x00_manage_host_stats(struct bsg_job + sizeof(struct ql_vnd_mng_host_stats_resp)); + + bsg_reply->result = DID_OK; +- bsg_job_done(bsg_job, bsg_reply->result, +- bsg_reply->reply_payload_rcv_len); ++ if (!ret) ++ bsg_job_done(bsg_job, bsg_reply->result, ++ bsg_reply->reply_payload_rcv_len); + + return ret; + } +@@ -2702,8 +2704,9 @@ qla2x00_get_host_stats(struct bsg_job *b + bsg_job->reply_payload.sg_cnt, + data, response_len); + bsg_reply->result = DID_OK; +- bsg_job_done(bsg_job, bsg_reply->result, +- bsg_reply->reply_payload_rcv_len); ++ if (!ret) ++ 
bsg_job_done(bsg_job, bsg_reply->result, ++ bsg_reply->reply_payload_rcv_len); + + kfree(data); + host_stat_out: +@@ -2802,8 +2805,9 @@ reply: + bsg_job->reply_payload.sg_cnt, data, + response_len); + bsg_reply->result = DID_OK; +- bsg_job_done(bsg_job, bsg_reply->result, +- bsg_reply->reply_payload_rcv_len); ++ if (!ret) ++ bsg_job_done(bsg_job, bsg_reply->result, ++ bsg_reply->reply_payload_rcv_len); + + tgt_stat_out: + kfree(data); +@@ -2864,8 +2868,9 @@ qla2x00_manage_host_port(struct bsg_job + bsg_job->reply_payload.sg_cnt, &rsp_data, + sizeof(struct ql_vnd_mng_host_port_resp)); + bsg_reply->result = DID_OK; +- bsg_job_done(bsg_job, bsg_reply->result, +- bsg_reply->reply_payload_rcv_len); ++ if (!ret) ++ bsg_job_done(bsg_job, bsg_reply->result, ++ bsg_reply->reply_payload_rcv_len); + + return ret; + } +@@ -3240,7 +3245,8 @@ int qla2x00_mailbox_passthru(struct bsg_ + + bsg_job->reply_len = sizeof(*bsg_job->reply); + bsg_reply->result = DID_OK << 16; +- bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len); ++ if (!ret) ++ bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len); + + kfree(req_data); + diff --git a/temp/queue-6.19/series b/temp/queue-6.19/series new file mode 100644 index 0000000000..240b6c4f78 --- /dev/null +++ b/temp/queue-6.19/series @@ -0,0 +1,2 @@ +scsi-qla2xxx-fix-bsg_done-causing-double-free.patch +revert-driver-core-enforce-device_lock-for-driver_match_device.patch diff --git a/temp/queue-6.6/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch b/temp/queue-6.6/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch new file mode 100644 index 0000000000..5f766afbb9 --- /dev/null +++ b/temp/queue-6.6/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch 
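Review bot: In the `qla2x00_mailbox_passthru` hunk the new `if (!ret)` guard skips `bsg_job_done()` on error, but the context line just above still stamps `bsg_reply->result = DID_OK << 16;` unconditionally, so a failed call returns `ret` to the caller with a reply that claims success; the `qla2x00_manage_host_stats`, `qla2x00_get_host_stats`, `reply:` and `qla2x00_manage_host_port` hunks have the same ordering with `bsg_reply->result = DID_OK;` ahead of the guard. Whether the caller (`qla24xx_bsg_request()`, not visible here) rewrites `result` on the error path cannot be confirmed from the hunk; if it does not, moving the assignment under the same guard, `if (!ret) { bsg_reply->result = DID_OK << 16; bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len); }`, keeps the reply consistent with the return value. The `qla2x00_update_optrom` hunk keys the guard off `rval` rather than `ret`, and since that function's body starts outside the hunk it is worth confirming `rval` is the status every exit of it returns. The identical patch queued under temp/queue-6.6 gets the same remarks.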
@@ -0,0 +1,50 @@
+From stable+bounces-216262-greg=kroah.com@vger.kernel.org Fri Feb 13 17:24:13 2026
+From: Sasha Levin
+Date: Fri, 13 Feb 2026 11:22:29 -0500
+Subject: bus: fsl-mc: fix use-after-free in driver_override_show()
+To: stable@vger.kernel.org
+Cc: Gui-Dong Han , Ioana Ciornei , "Christophe Leroy (CS GROUP)" , Sasha Levin
+Message-ID: <20260213162229.3559221-2-sashal@kernel.org>
+
+From: Gui-Dong Han
+
+[ Upstream commit 148891e95014b5dc5878acefa57f1940c281c431 ]
+
+The driver_override_show() function reads the driver_override string
+without holding the device_lock. However, driver_override_store() uses
+driver_set_override(), which modifies and frees the string while holding
+the device_lock.
+
+This can result in a concurrent use-after-free if the string is freed
+by the store function while being read by the show function.
+
+Fix this by holding the device_lock around the read operation.
+
+Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gui-Dong Han
+Reviewed-by: Ioana Ciornei
+Link: https://lore.kernel.org/r/20251202174438.12658-1-hanguidong02@gmail.com
+Signed-off-by: Christophe Leroy (CS GROUP)
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -201,8 +201,12 @@ static ssize_t driver_override_show(stru
+ struct device_attribute *attr, char *buf)
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
++ ssize_t len;
+
+- return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
++ device_lock(dev);
++ len = sysfs_emit(buf, "%s\n", mc_dev->driver_override);
++ device_unlock(dev);
++ return len;
+ }
+ static DEVICE_ATTR_RW(driver_override);
+
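Review bot: The new `device_lock(dev)` / `device_unlock(dev)` pair around `sysfs_emit()` in `driver_override_show()` has no comment saying what it guards, and nothing in the function body hints at it; a one-liner above `device_lock(dev);` such as `/* driver_set_override() frees the old string under device_lock */` would save the next reader a trip to the store side. The lock scope itself looks right: only the read of `mc_dev->driver_override` is covered, and the description states the free happens under the same lock. The ordering in temp/queue-6.6/series puts the sysfs_emit conversion before this fix, which the `- return sysfs_emit(...)` context line here depends on.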
diff --git a/temp/queue-6.6/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch b/temp/queue-6.6/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
new file mode 100644
index 0000000000..65cb80ede1
--- /dev/null
+++ b/temp/queue-6.6/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
@@ -0,0 +1,48 @@
+From stable+bounces-216261-greg=kroah.com@vger.kernel.org Fri Feb 13 17:22:36 2026
+From: Sasha Levin
+Date: Fri, 13 Feb 2026 11:22:28 -0500
+Subject: bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show functions
+To: stable@vger.kernel.org
+Cc: Chelsy Ratnawat , Ioana Ciornei , Christophe Leroy , Sasha Levin
+Message-ID: <20260213162229.3559221-1-sashal@kernel.org>
+
+From: Chelsy Ratnawat
+
+[ Upstream commit a50522c805a6c575c80f41b04706e084d814e116 ]
+
+Use sysfs_emit() instead of snprintf()/sprintf() when writing
+to sysfs buffers, as recommended by the kernel documentation.
+
+Signed-off-by: Chelsy Ratnawat
+Acked-by: Ioana Ciornei
+Link: https://lore.kernel.org/r/20250822124339.1739290-1-chelsyratnawat2001@gmail.com
+Signed-off-by: Christophe Leroy
+Stable-dep-of: 148891e95014 ("bus: fsl-mc: fix use-after-free in driver_override_show()")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -175,8 +175,8 @@ static ssize_t modalias_show(struct devi
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
+
+- return sprintf(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor,
+- mc_dev->obj_desc.type);
++ return sysfs_emit(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor,
++ mc_dev->obj_desc.type);
+ }
+ static DEVICE_ATTR_RO(modalias);
+
+@@ -202,7 +202,7 @@ static ssize_t driver_override_show(stru
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
+
+- return snprintf(buf, PAGE_SIZE, "%s\n", mc_dev->driver_override);
++ return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
+ }
+ static DEVICE_ATTR_RW(driver_override);
+
diff --git a/temp/queue-6.6/pci-endpoint-avoid-creating-sub-groups-asynchronously.patch b/temp/queue-6.6/pci-endpoint-avoid-creating-sub-groups-asynchronously.patch
new file mode 100644
index 0000000000..f55ee7a342
--- /dev/null
+++ b/temp/queue-6.6/pci-endpoint-avoid-creating-sub-groups-asynchronously.patch
@@ -0,0 +1,103 @@ +From stable+bounces-216462-greg=kroah.com@vger.kernel.org Sat Feb 14 02:49:31 2026 +From: Sasha Levin +Date: Fri, 13 Feb 2026 20:49:23 -0500 +Subject: PCI: endpoint: Avoid creating sub-groups asynchronously +To: stable@vger.kernel.org +Cc: Liu Song , Manivannan Sadhasivam , Bjorn Helgaas , stable@kernel.org, Sasha Levin +Message-ID: <20260214014923.3899226-2-sashal@kernel.org> + +From: Liu Song + +[ Upstream commit 7c5c7d06bd1f86d2c3ebe62be903a4ba42db4d2c ] + +The asynchronous creation of sub-groups by a delayed work could lead to a +NULL pointer dereference when the driver directory is removed before the +work completes. + +The crash can be easily reproduced with the following commands: + + # cd /sys/kernel/config/pci_ep/functions/pci_epf_test + # for i in {1..20}; do mkdir test && rmdir test; done + + BUG: kernel NULL pointer dereference, address: 0000000000000088 + ... + Call Trace: + configfs_register_group+0x3d/0x190 + pci_epf_cfs_work+0x41/0x110 + process_one_work+0x18f/0x350 + worker_thread+0x25a/0x3a0 + +Fix this issue by using configfs_add_default_group() API which does not +have the deadlock problem as configfs_register_group() and does not require +the delayed work handler. 
+ +Fixes: e85a2d783762 ("PCI: endpoint: Add support in configfs to associate two EPCs with EPF") +Signed-off-by: Liu Song +[mani: slightly reworded the description and added stable list] +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Bjorn Helgaas +Cc: stable@kernel.org +Link: https://patch.msgid.link/20250710143845409gLM6JdlwPhlHG9iX3F6jK@zte.com.cn +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/endpoint/pci-ep-cfs.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +--- a/drivers/pci/endpoint/pci-ep-cfs.c ++++ b/drivers/pci/endpoint/pci-ep-cfs.c +@@ -23,7 +23,6 @@ struct pci_epf_group { + struct config_group group; + struct config_group primary_epc_group; + struct config_group secondary_epc_group; +- struct delayed_work cfs_work; + struct pci_epf *epf; + int index; + }; +@@ -100,7 +99,7 @@ static struct config_group + secondary_epc_group = &epf_group->secondary_epc_group; + config_group_init_type_name(secondary_epc_group, "secondary", + &pci_secondary_epc_type); +- configfs_register_group(&epf_group->group, secondary_epc_group); ++ configfs_add_default_group(secondary_epc_group, &epf_group->group); + + return secondary_epc_group; + } +@@ -160,7 +159,7 @@ static struct config_group + + config_group_init_type_name(primary_epc_group, "primary", + &pci_primary_epc_type); +- configfs_register_group(&epf_group->group, primary_epc_group); ++ configfs_add_default_group(primary_epc_group, &epf_group->group); + + return primary_epc_group; + } +@@ -561,15 +560,13 @@ static void pci_ep_cfs_add_type_group(st + return; + } + +- configfs_register_group(&epf_group->group, group); ++ configfs_add_default_group(group, &epf_group->group); + } + +-static void pci_epf_cfs_work(struct work_struct *work) ++static void pci_epf_cfs_add_sub_groups(struct pci_epf_group *epf_group) + { +- struct pci_epf_group *epf_group; + struct config_group *group; + +- epf_group = container_of(work, struct pci_epf_group, cfs_work.work); + 
group = pci_ep_cfs_add_primary_group(epf_group); + if (IS_ERR(group)) { + pr_err("failed to create 'primary' EPC interface\n"); +@@ -628,9 +625,7 @@ static struct config_group *pci_epf_make + + kfree(epf_name); + +- INIT_DELAYED_WORK(&epf_group->cfs_work, pci_epf_cfs_work); +- queue_delayed_work(system_wq, &epf_group->cfs_work, +- msecs_to_jiffies(1)); ++ pci_epf_cfs_add_sub_groups(epf_group); + + return &epf_group->group; + diff --git a/temp/queue-6.6/pci-endpoint-remove-unused-field-in-struct-pci_epf_group.patch b/temp/queue-6.6/pci-endpoint-remove-unused-field-in-struct-pci_epf_group.patch new file mode 100644 index 0000000000..3ba537ef34 --- /dev/null +++ b/temp/queue-6.6/pci-endpoint-remove-unused-field-in-struct-pci_epf_group.patch 
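Review bot: The `cfs_work` field is removed from `struct pci_epf_group` and the `INIT_DELAYED_WORK`/`queue_delayed_work` pair is dropped from `pci_epf_make`, but no hunk touches the drop/release side; if the 6.6 tree's teardown path still references `epf_group->cfs_work` (for example a `cancel_delayed_work_sync()` that upstream never had), this backport will not build, so a compile of the stable tree with the series applied is the check worth doing before release. The new `pci_epf_cfs_add_sub_groups()` keeps the former work handler's void return and, as far as the visible lines show, only `pr_err()`s when `pci_ep_cfs_add_primary_group()` fails, which was tolerable for deferred work but now runs inside the configfs make_group callback; whether `pci_epf_make` should fail instead of returning a group missing its `primary`/`secondary` children is worth deciding, though both functions extend beyond the hunk. The ordering in temp/queue-6.6/series (remove-unused-field before this patch) matches the struct context lines this hunk expects.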
@@ -0,0 +1,43 @@
+From stable+bounces-216461-greg=kroah.com@vger.kernel.org Sat Feb 14 02:49:28 2026
+From: Sasha Levin
+Date: Fri, 13 Feb 2026 20:49:22 -0500
+Subject: PCI: endpoint: Remove unused field in struct pci_epf_group
+To: stable@vger.kernel.org
+Cc: "Christophe JAILLET" , "Krzysztof Wilczyński" , "Bjorn Helgaas" , "Sasha Levin"
+Message-ID: <20260214014923.3899226-1-sashal@kernel.org>
+
+From: Christophe JAILLET
+
+[ Upstream commit 328e4dffbeecc0f2cc5a149dee6c11a0577c9671 ]
+
+In "struct pci_epf_group", the 'type_group' field is unused.
+
+This was added, but already unused, by commit 70b3740f2c19 ("PCI: endpoint:
+Automatically create a function specific attributes group").
+
+Thus, remove it.
+
+Found with cppcheck, unusedStructMember.
+
+[kwilczynski: commit log]
+Link: https://lore.kernel.org/linux-pci/6507d44b6c60a19af35a605e2d58050be8872ab6.1712341008.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Krzysztof Wilczyński
+Signed-off-by: Bjorn Helgaas
+Stable-dep-of: 7c5c7d06bd1f ("PCI: endpoint: Avoid creating sub-groups asynchronously")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/endpoint/pci-ep-cfs.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/pci/endpoint/pci-ep-cfs.c
++++ b/drivers/pci/endpoint/pci-ep-cfs.c
+@@ -23,7 +23,6 @@ struct pci_epf_group {
+ struct config_group group;
+ struct config_group primary_epc_group;
+ struct config_group secondary_epc_group;
+- struct config_group *type_group;
+ struct delayed_work cfs_work;
+ struct pci_epf *epf;
+ int index;
diff --git a/temp/queue-6.6/revert-driver-core-enforce-device_lock-for-driver_match_device.patch b/temp/queue-6.6/revert-driver-core-enforce-device_lock-for-driver_match_device.patch
new file mode 100644
index 0000000000..6a1277cb74
--- /dev/null
+++ b/temp/queue-6.6/revert-driver-core-enforce-device_lock-for-driver_match_device.patch
@@ -0,0 +1,72 @@ +From b8819cb8faec938fa3e3b0023e1839ee52d3af32 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 16 Feb 2026 16:41:21 +0100 +Subject: Revert "driver core: enforce device_lock for driver_match_device()" + +From: Greg Kroah-Hartman + +This reverts commit adc1796eced46b48e23ec200a219d635f33a38ee which is +commit dc23806a7c47ec5f1293aba407fb69519f976ee0 upstream. + +It causes boot regressions on some systems as all of the "fixes" for +drivers are not properly backported yet. Once that is completed, only +then can this be applied, if really necessary given the potential for +explosions, perhaps we might want to wait a few -rc releases first... + +Cc: Danilo Krummrich +Cc: Rafael J. Wysocki (Intel) +Cc: Danilo Krummrich +Cc: Gui-Dong Han +Cc: Qiu-ji Chen +Reported-by: Mark Brown +Link: https://lore.kernel.org/r/7dfd0e63-a725-4fac-b2a0-f2e621d99d1b@sirena.org.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/base.h | 9 --------- + drivers/base/bus.c | 2 +- + drivers/base/dd.c | 2 +- + 3 files changed, 2 insertions(+), 11 deletions(-) + +--- a/drivers/base/base.h ++++ b/drivers/base/base.h +@@ -165,18 +165,9 @@ void device_set_deferred_probe_reason(co + static inline int driver_match_device(struct device_driver *drv, + struct device *dev) + { +- device_lock_assert(dev); +- + return drv->bus->match ? 
drv->bus->match(dev, drv) : 1; + } + +-static inline int driver_match_device_locked(struct device_driver *drv, +- struct device *dev) +-{ +- guard(device)(dev); +- return driver_match_device(drv, dev); +-} +- + static inline void dev_sync_state(struct device *dev) + { + if (dev->bus->sync_state) +--- a/drivers/base/bus.c ++++ b/drivers/base/bus.c +@@ -263,7 +263,7 @@ static ssize_t bind_store(struct device_ + int err = -ENODEV; + + dev = bus_find_device_by_name(bus, NULL, buf); +- if (dev && driver_match_device_locked(drv, dev)) { ++ if (dev && driver_match_device(drv, dev)) { + err = device_driver_attach(drv, dev); + if (!err) { + /* success */ +--- a/drivers/base/dd.c ++++ b/drivers/base/dd.c +@@ -1169,7 +1169,7 @@ static int __driver_attach(struct device + * is an error. + */ + +- ret = driver_match_device_locked(drv, dev); ++ ret = driver_match_device(drv, dev); + if (ret == 0) { + /* no match */ + return 0; diff --git a/temp/queue-6.6/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch b/temp/queue-6.6/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch new file mode 100644 index 0000000000..391f962a9e --- /dev/null +++ b/temp/queue-6.6/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch 
@@ -0,0 +1,132 @@ +From c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 Mon Sep 17 00:00:00 2001 +From: Anil Gurumurthy +Date: Wed, 10 Dec 2025 15:46:03 +0530 +Subject: scsi: qla2xxx: Fix bsg_done() causing double free + +From: Anil Gurumurthy + +commit c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 upstream. + +Kernel panic observed on system, + +[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000 +[5353358.825194] #PF: supervisor write access in kernel mode +[5353358.825195] #PF: error_code(0x0002) - not-present page +[5353358.825196] PGD 100006067 P4D 0 +[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI +[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1 +[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025 +[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10 +[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246 +[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000 +[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000 +[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000 +[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090 +[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000 +[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000 +[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0 +[5353358.825221] PKRU: 55555554 +[5353358.825222] Call Trace: +[5353358.825223] +[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df +[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df +[5353358.825232] ? sg_copy_buffer+0xc8/0x110 +[5353358.825236] ? __die_body.cold+0x8/0xd +[5353358.825238] ? page_fault_oops+0x134/0x170 +[5353358.825242] ? 
kernelmode_fixup_or_oops+0x84/0x110 +[5353358.825244] ? exc_page_fault+0xa8/0x150 +[5353358.825247] ? asm_exc_page_fault+0x22/0x30 +[5353358.825252] ? memcpy_erms+0x6/0x10 +[5353358.825253] sg_copy_buffer+0xc8/0x110 +[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx] +[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx] + +Most routines in qla_bsg.c call bsg_done() only for success cases. +However a few invoke it for failure case as well leading to a double +free. Validate before calling bsg_done(). + +Cc: stable@vger.kernel.org +Signed-off-by: Anil Gurumurthy +Signed-off-by: Nilesh Javali +Reviewed-by: Himanshu Madhani +Link: https://patch.msgid.link/20251210101604.431868-12-njavali@marvell.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_bsg.c | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_bsg.c ++++ b/drivers/scsi/qla2xxx/qla_bsg.c +@@ -1546,8 +1546,9 @@ qla2x00_update_optrom(struct bsg_job *bs + ha->optrom_buffer = NULL; + ha->optrom_state = QLA_SWAITING; + mutex_unlock(&ha->optrom_mutex); +- bsg_job_done(bsg_job, bsg_reply->result, +- bsg_reply->reply_payload_rcv_len); ++ if (!rval) ++ bsg_job_done(bsg_job, bsg_reply->result, ++ bsg_reply->reply_payload_rcv_len); + return rval; + } + +@@ -2612,8 +2613,9 @@ qla2x00_manage_host_stats(struct bsg_job + sizeof(struct ql_vnd_mng_host_stats_resp)); + + bsg_reply->result = DID_OK; +- bsg_job_done(bsg_job, bsg_reply->result, +- bsg_reply->reply_payload_rcv_len); ++ if (!ret) ++ bsg_job_done(bsg_job, bsg_reply->result, ++ bsg_reply->reply_payload_rcv_len); + + return ret; + } +@@ -2702,8 +2704,9 @@ qla2x00_get_host_stats(struct bsg_job *b + bsg_job->reply_payload.sg_cnt, + data, response_len); + bsg_reply->result = DID_OK; +- bsg_job_done(bsg_job, bsg_reply->result, +- bsg_reply->reply_payload_rcv_len); ++ if (!ret) ++ 
bsg_job_done(bsg_job, bsg_reply->result, ++ bsg_reply->reply_payload_rcv_len); + + kfree(data); + host_stat_out: +@@ -2802,8 +2805,9 @@ reply: + bsg_job->reply_payload.sg_cnt, data, + response_len); + bsg_reply->result = DID_OK; +- bsg_job_done(bsg_job, bsg_reply->result, +- bsg_reply->reply_payload_rcv_len); ++ if (!ret) ++ bsg_job_done(bsg_job, bsg_reply->result, ++ bsg_reply->reply_payload_rcv_len); + + tgt_stat_out: + kfree(data); +@@ -2864,8 +2868,9 @@ qla2x00_manage_host_port(struct bsg_job + bsg_job->reply_payload.sg_cnt, &rsp_data, + sizeof(struct ql_vnd_mng_host_port_resp)); + bsg_reply->result = DID_OK; +- bsg_job_done(bsg_job, bsg_reply->result, +- bsg_reply->reply_payload_rcv_len); ++ if (!ret) ++ bsg_job_done(bsg_job, bsg_reply->result, ++ bsg_reply->reply_payload_rcv_len); + + return ret; + } +@@ -3240,7 +3245,8 @@ int qla2x00_mailbox_passthru(struct bsg_ + + bsg_job->reply_len = sizeof(*bsg_job->reply); + bsg_reply->result = DID_OK << 16; +- bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len); ++ if (!ret) ++ bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len); + + kfree(req_data); + diff --git a/temp/queue-6.6/series b/temp/queue-6.6/series new file mode 100644 index 0000000000..14baaa7bf9 --- /dev/null +++ b/temp/queue-6.6/series @@ -0,0 +1,6 @@ +scsi-qla2xxx-fix-bsg_done-causing-double-free.patch +pci-endpoint-remove-unused-field-in-struct-pci_epf_group.patch +pci-endpoint-avoid-creating-sub-groups-asynchronously.patch +bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch +bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch +revert-driver-core-enforce-device_lock-for-driver_match_device.patch