From: Greg Kroah-Hartman Date: Tue, 17 Feb 2026 12:45:19 +0000 (+0100) Subject: 5.10-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9fa289011c77a9bf79a1f3b7c271d16f9309ff11;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: crypto-virtio-remove-duplicated-virtqueue_kick-in-virtio_crypto_skcipher_crypt_req.patch fs-dlm-fix-invalid-derefence-of-sb_lvbptr.patch scsi-qla2xxx-fix-bsg_done-causing-double-free.patch scsi-qla2xxx-free-sp-in-error-path-to-fix-system-crash.patch scsi-qla2xxx-validate-sp-before-freeing-associated-memory.patch selftests-mptcp-pm-ensure-unknown-flags-are-ignored.patch
---
diff --git a/queue-5.10/crypto-virtio-remove-duplicated-virtqueue_kick-in-virtio_crypto_skcipher_crypt_req.patch b/queue-5.10/crypto-virtio-remove-duplicated-virtqueue_kick-in-virtio_crypto_skcipher_crypt_req.patch
new file mode 100644
index 0000000000..e3730b38d7
--- /dev/null
+++ b/queue-5.10/crypto-virtio-remove-duplicated-virtqueue_kick-in-virtio_crypto_skcipher_crypt_req.patch
@@ -0,0 +1,40 @@
+From stable+bounces-216238-greg=kroah.com@vger.kernel.org Fri Feb 13 15:34:00 2026
+From: Sasha Levin
+Date: Fri, 13 Feb 2026 09:33:54 -0500
+Subject: crypto: virtio - Remove duplicated virtqueue_kick in virtio_crypto_skcipher_crypt_req
+To: stable@vger.kernel.org
+Cc: Bibo Mao , Jason Wang , "Michael S. Tsirkin" , Herbert Xu , Sasha Levin
+Message-ID: <20260213143354.3510918-1-sashal@kernel.org>
+
+From: Bibo Mao
+
+[ Upstream commit 14f86a1155cca1176abf55987b2fce7f7fcb2455 ]
+
+With function virtio_crypto_skcipher_crypt_req(), there is already
+virtqueue_kick() call with spinlock held in function
+__virtio_crypto_skcipher_do_req(). Remove duplicated virtqueue_kick()
+function call here.
+
+Fixes: d79b5d0bbf2e ("crypto: virtio - support crypto engine framework")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bibo Mao
+Acked-by: Jason Wang
+Acked-by: Michael S. Tsirkin
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/virtio/virtio_crypto_algs.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/crypto/virtio/virtio_crypto_algs.c
++++ b/drivers/crypto/virtio/virtio_crypto_algs.c
+@@ -556,8 +556,6 @@ int virtio_crypto_skcipher_crypt_req(
+ if (ret < 0)
+ return ret;
+
+- virtqueue_kick(data_vq->vq);
+-
+ return 0;
+ }
+
diff --git a/queue-5.10/fs-dlm-fix-invalid-derefence-of-sb_lvbptr.patch b/queue-5.10/fs-dlm-fix-invalid-derefence-of-sb_lvbptr.patch
new file mode 100644
index 0000000000..d3ffa6b0a3
--- /dev/null
+++ b/queue-5.10/fs-dlm-fix-invalid-derefence-of-sb_lvbptr.patch
@@ -0,0 +1,91 @@
+From stable+bounces-215940-greg=kroah.com@vger.kernel.org Thu Feb 12 11:51:39 2026
+From: Bin Lan
+Date: Thu, 12 Feb 2026 10:51:12 +0000
+Subject: fs: dlm: fix invalid derefence of sb_lvbptr
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: Alexander Aring , David Teigland , Bin Lan
+Message-ID: <20260212105112.4137-1-lanbincn@139.com>
+
+From: Alexander Aring
+
+[ Upstream commit 7175e131ebba47afef47e6ac4d5bab474d1e6e49 ]
+
+I experience issues when putting a lkbsb on the stack and have sb_lvbptr
+field to a dangled pointer while not using DLM_LKF_VALBLK. It will crash
+with the following kernel message, the dangled pointer is here
+0xdeadbeef as example:
+
+[ 102.749317] BUG: unable to handle page fault for address: 00000000deadbeef
+[ 102.749320] #PF: supervisor read access in kernel mode
+[ 102.749323] #PF: error_code(0x0000) - not-present page
+[ 102.749325] PGD 0 P4D 0
+[ 102.749332] Oops: 0000 [#1] PREEMPT SMP PTI
+[ 102.749336] CPU: 0 PID: 1567 Comm: lock_torture_wr Tainted: G W 5.19.0-rc3+ #1565
+[ 102.749343] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-2.module+el8.7.0+15506+033991b0 04/01/2014
+[ 102.749344] RIP: 0010:memcpy_erms+0x6/0x10
+[ 102.749353] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
+[ 102.749355] RSP: 0018:ffff97a58145fd08 EFLAGS: 00010202
+[ 102.749358] RAX: ffff901778b77070 RBX: 0000000000000000 RCX: 0000000000000040
+[ 102.749360] RDX: 0000000000000040 RSI: 00000000deadbeef RDI: ffff901778b77070
+[ 102.749362] RBP: ffff97a58145fd10 R08: ffff901760b67a70 R09: 0000000000000001
+[ 102.749364] R10: ffff9017008e2cb8 R11: 0000000000000001 R12: ffff901760b67a70
+[ 102.749366] R13: ffff901760b78f00 R14: 0000000000000003 R15: 0000000000000001
+[ 102.749368] FS: 0000000000000000(0000) GS:ffff901876e00000(0000) knlGS:0000000000000000
+[ 102.749372] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 102.749374] CR2: 00000000deadbeef CR3: 000000017c49a004 CR4: 0000000000770ef0
+[ 102.749376] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 102.749378] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 102.749379] PKRU: 55555554
+[ 102.749381] Call Trace:
+[ 102.749382]
+[ 102.749383] ? send_args+0xb2/0xd0
+[ 102.749389] send_common+0xb7/0xd0
+[ 102.749395] _unlock_lock+0x2c/0x90
+[ 102.749400] unlock_lock.isra.56+0x62/0xa0
+[ 102.749405] dlm_unlock+0x21e/0x330
+[ 102.749411] ? lock_torture_stats+0x80/0x80 [dlm_locktorture]
+[ 102.749416] torture_unlock+0x5a/0x90 [dlm_locktorture]
+[ 102.749419] ? preempt_count_sub+0xba/0x100
+[ 102.749427] lock_torture_writer+0xbd/0x150 [dlm_locktorture]
+[ 102.786186] kthread+0x10a/0x130
+[ 102.786581] ? kthread_complete_and_exit+0x20/0x20
+[ 102.787156] ret_from_fork+0x22/0x30
+[ 102.787588]
+[ 102.787855] Modules linked in: dlm_locktorture torture rpcsec_gss_krb5 intel_rapl_msr intel_rapl_common kvm_intel iTCO_wdt iTCO_vendor_support kvm vmw_vsock_virtio_transport qxl irqbypass vmw_vsock_virtio_transport_common drm_ttm_helper crc32_pclmul joydev crc32c_intel ttm vsock virtio_scsi virtio_balloon snd_pcm drm_kms_helper virtio_console snd_timer snd drm soundcore syscopyarea i2c_i801 sysfillrect sysimgblt i2c_smbus pcspkr fb_sys_fops lpc_ich serio_raw
+[ 102.792536] CR2: 00000000deadbeef
+[ 102.792930] ---[ end trace 0000000000000000 ]---
+
+This patch fixes the issue by checking also on DLM_LKF_VALBLK on exflags
+is set when copying the lvbptr array instead of if it's just null which
+fixes for me the issue.
+
+I think this patch can fix other dlm users as well, depending how they
+handle the init, freeing memory handling of sb_lvbptr and don't set
+DLM_LKF_VALBLK for some dlm_lock() calls. It might a there could be a
+hidden issue all the time. However with checking on DLM_LKF_VALBLK the
+user always need to provide a sb_lvbptr non-null value. There might be
+more intelligent handling between per ls lvblen, DLM_LKF_VALBLK and
+non-null to report the user the way how DLM API is used is wrong but can
+be added for later, this will only fix the current behaviour.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Aring
+Signed-off-by: David Teigland
+[ Adjust context ]
+Signed-off-by: Bin Lan
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/dlm/lock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -3635,7 +3635,7 @@ static void send_args(struct dlm_rsb *r,
+ case DLM_MSG_REQUEST_REPLY:
+ case DLM_MSG_CONVERT_REPLY:
+ case DLM_MSG_GRANT:
+- if (!lkb->lkb_lvbptr)
++ if (!lkb->lkb_lvbptr || !(lkb->lkb_exflags & DLM_LKF_VALBLK))
+ break;
+ memcpy(ms->m_extra, lkb->lkb_lvbptr, r->res_ls->ls_lvblen);
+ break;
diff --git a/queue-5.10/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch b/queue-5.10/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
new file mode 100644
index 0000000000..2b4a3e3cb9
--- /dev/null
+++ b/queue-5.10/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
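Review bot: The added `DLM_LKF_VALBLK` test in send_args() stops a stale non-NULL `lkb_lvbptr` from being read, but the `memcpy()` that follows still copies `r->res_ls->ls_lvblen` bytes into `ms->m_extra` on the caller's word that the buffer is that long. Because the copy lands in an outgoing message, a pointer that was stale but still mapped would presumably have placed unrelated kernel memory in that message instead of faulting as in the quoted oops, which is worth recording next to the check. I would add a comment above the condition, `/* lkb_lvbptr is only trusted when the caller set DLM_LKF_VALBLK; it must then reference at least ls_lvblen bytes */`. send_args() begins and ends outside this hunk, so whether other message types in the switch need the same gate cannot be judged from here.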
@@ -0,0 +1,78 @@
+From stable+bounces-216493-greg=kroah.com@vger.kernel.org Sat Feb 14 18:26:51 2026
+From: Sasha Levin
+Date: Sat, 14 Feb 2026 12:26:46 -0500
+Subject: scsi: qla2xxx: Fix bsg_done() causing double free
+To: stable@vger.kernel.org
+Cc: Anil Gurumurthy , Nilesh Javali , Himanshu Madhani , "Martin K. Petersen" , Sasha Levin
+Message-ID: <20260214172646.638487-1-sashal@kernel.org>
+
+From: Anil Gurumurthy
+
+[ Upstream commit c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 ]
+
+Kernel panic observed on system,
+
+[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
+[5353358.825194] #PF: supervisor write access in kernel mode
+[5353358.825195] #PF: error_code(0x0002) - not-present page
+[5353358.825196] PGD 100006067 P4D 0
+[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
+[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1
+[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025
+[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10
+[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246
+[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000
+[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000
+[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000
+[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090
+[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000
+[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000
+[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0
+[5353358.825221] PKRU: 55555554
+[5353358.825222] Call Trace:
+[5353358.825223]
+[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df
+[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df
+[5353358.825232] ? sg_copy_buffer+0xc8/0x110
+[5353358.825236] ? __die_body.cold+0x8/0xd
+[5353358.825238] ? page_fault_oops+0x134/0x170
+[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110
+[5353358.825244] ? exc_page_fault+0xa8/0x150
+[5353358.825247] ? asm_exc_page_fault+0x22/0x30
+[5353358.825252] ? memcpy_erms+0x6/0x10
+[5353358.825253] sg_copy_buffer+0xc8/0x110
+[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]
+[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]
+
+Most routines in qla_bsg.c call bsg_done() only for success cases.
+However a few invoke it for failure case as well leading to a double
+free. Validate before calling bsg_done().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Anil Gurumurthy
+Signed-off-by: Nilesh Javali
+Reviewed-by: Himanshu Madhani
+Link: https://patch.msgid.link/20251210101604.431868-12-njavali@marvell.com
+Signed-off-by: Martin K. Petersen
+[ applied only to qla2x00_update_optrom() ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -1523,8 +1523,9 @@ qla2x00_update_optrom(struct bsg_job *bs
+ ha->optrom_buffer = NULL;
+ ha->optrom_state = QLA_SWAITING;
+ mutex_unlock(&ha->optrom_mutex);
+- bsg_job_done(bsg_job, bsg_reply->result,
+- bsg_reply->reply_payload_rcv_len);
++ if (!rval)
++ bsg_job_done(bsg_job, bsg_reply->result,
++ bsg_reply->reply_payload_rcv_len);
+ return rval;
+ }
+
diff --git a/queue-5.10/scsi-qla2xxx-free-sp-in-error-path-to-fix-system-crash.patch b/queue-5.10/scsi-qla2xxx-free-sp-in-error-path-to-fix-system-crash.patch
new file mode 100644
index 0000000000..b7532216bb
--- /dev/null
+++ b/queue-5.10/scsi-qla2xxx-free-sp-in-error-path-to-fix-system-crash.patch
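Review bot: With the new `if (!rval)` guard at the end of qla2x00_update_optrom(), the failure path returns without completing the job, so correctness now rests on the caller finishing the bsg job exactly once when a non-zero rval comes back; that caller is not in this hunk. The bracketed backport note says the change was applied only to qla2x00_update_optrom(), while the upstream text speaks of "a few" routines in qla_bsg.c, so the remaining routines in the 5.10 file should be checked for the same unconditional completion. A comment on the guard would make the ownership rule explicit: `/* on error the caller completes the job; completing it here as well would free it twice */`. The function starts outside the hunk.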
@@ -0,0 +1,88 @@
+From stable+bounces-216317-greg=kroah.com@vger.kernel.org Sat Feb 14 01:55:06 2026
+From: Sasha Levin
+Date: Fri, 13 Feb 2026 19:54:58 -0500
+Subject: scsi: qla2xxx: Free sp in error path to fix system crash
+To: stable@vger.kernel.org
+Cc: Anil Gurumurthy , Nilesh Javali , Himanshu Madhani , "Martin K. Petersen" , Sasha Levin
+Message-ID: <20260214005458.3653377-1-sashal@kernel.org>
+
+From: Anil Gurumurthy
+
+[ Upstream commit 7adbd2b7809066c75f0433e5e2a8e114b429f30f ]
+
+System crash seen during load/unload test in a loop,
+
+[61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X.
+[61110.467494] =============================================================================
+[61110.467498] BUG qla2xxx_srbs (Tainted: G OE -------- --- ): Objects remaining in qla2xxx_srbs on __kmem_cache_shutdown()
+[61110.467501] -----------------------------------------------------------------------------
+
+[61110.467502] Slab 0x000000000ffc8162 objects=51 used=1 fp=0x00000000e25d3d85 flags=0x57ffffc0010200(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
+[61110.467509] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G OE -------- --- 5.14.0-284.11.1.el9_2.x86_64 #1
+[61110.467513] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023
+[61110.467515] Call Trace:
+[61110.467516]
+[61110.467519] dump_stack_lvl+0x34/0x48
+[61110.467526] slab_err.cold+0x53/0x67
+[61110.467534] __kmem_cache_shutdown+0x16e/0x320
+[61110.467540] kmem_cache_destroy+0x51/0x160
+[61110.467544] qla2x00_module_exit+0x93/0x99 [qla2xxx]
+[61110.467607] ? __do_sys_delete_module.constprop.0+0x178/0x280
+[61110.467613] ? syscall_trace_enter.constprop.0+0x145/0x1d0
+[61110.467616] ? do_syscall_64+0x5c/0x90
+[61110.467619] ? exc_page_fault+0x62/0x150
+[61110.467622] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[61110.467626]
+[61110.467627] Disabling lock debugging due to kernel taint
+[61110.467635] Object 0x0000000026f7e6e6 @offset=16000
+[61110.467639] ------------[ cut here ]------------
+[61110.467639] kmem_cache_destroy qla2xxx_srbs: Slab cache still has objects when called from qla2x00_module_exit+0x93/0x99 [qla2xxx]
+[61110.467659] WARNING: CPU: 53 PID: 455206 at mm/slab_common.c:520 kmem_cache_destroy+0x14d/0x160
+[61110.467718] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G B OE -------- --- 5.14.0-284.11.1.el9_2.x86_64 #1
+[61110.467720] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023
+[61110.467721] RIP: 0010:kmem_cache_destroy+0x14d/0x160
+[61110.467724] Code: 99 7d 07 00 48 89 ef e8 e1 6a 07 00 eb b3 48 8b 55 60 48 8b 4c 24 20 48 c7 c6 70 fc 66 90 48 c7 c7 f8 ef a1 90 e8 e1 ed 7c 00 <0f> 0b eb 93 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 55 48 89
+[61110.467725] RSP: 0018:ffffa304e489fe80 EFLAGS: 00010282
+[61110.467727] RAX: 0000000000000000 RBX: ffffffffc0d9a860 RCX: 0000000000000027
+[61110.467729] RDX: ffff8fd5ff9598a8 RSI: 0000000000000001 RDI: ffff8fd5ff9598a0
+[61110.467730] RBP: ffff8fb6aaf78700 R08: 0000000000000000 R09: 0000000100d863b7
+[61110.467731] R10: ffffa304e489fd20 R11: ffffffff913bef48 R12: 0000000040002000
+[61110.467731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[61110.467733] FS: 00007f64c89fb740(0000) GS:ffff8fd5ff940000(0000) knlGS:0000000000000000
+[61110.467734] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[61110.467735] CR2: 00007f0f02bfe000 CR3: 00000020ad6dc005 CR4: 0000000000770ee0
+[61110.467736] PKRU: 55555554
+[61110.467737] Call Trace:
+[61110.467738]
+[61110.467739] qla2x00_module_exit+0x93/0x99 [qla2xxx]
+[61110.467755] ? __do_sys_delete_module.constprop.0+0x178/0x280
+
+Free sp in the error path to fix the crash.
+
+Fixes: f352eeb75419 ("scsi: qla2xxx: Add ability to use GPNFT/GNNFT for RSCN handling")
+Cc: stable@vger.kernel.org
+Signed-off-by: Anil Gurumurthy
+Signed-off-by: Nilesh Javali
+Reviewed-by: Himanshu Madhani
+Link: https://patch.msgid.link/20251210101604.431868-9-njavali@marvell.com
+Signed-off-by: Martin K. Petersen
+[ Context ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_gs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_gs.c
++++ b/drivers/scsi/qla2xxx/qla_gs.c
+@@ -3960,8 +3960,8 @@ int qla24xx_async_gpnft(scsi_qla_host_t
+ if (vha->scan.scan_flags & SF_SCANNING) {
+ spin_unlock_irqrestore(&vha->work_lock, flags);
+ ql_dbg(ql_dbg_disc + ql_dbg_verbose, vha, 0xffff,
+- "%s: scan active\n", __func__);
+- return rval;
++ "%s: scan active for sp:%p\n", __func__, sp);
++ goto done_free_sp;
+ }
+ vha->scan.scan_flags |= SF_SCANNING;
+ spin_unlock_irqrestore(&vha->work_lock, flags);
diff --git a/queue-5.10/scsi-qla2xxx-validate-sp-before-freeing-associated-memory.patch b/queue-5.10/scsi-qla2xxx-validate-sp-before-freeing-associated-memory.patch
new file mode 100644
index 0000000000..b1c70dfb78
--- /dev/null
+++ b/queue-5.10/scsi-qla2xxx-validate-sp-before-freeing-associated-memory.patch
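Review bot: The new `goto done_free_sp` in qla24xx_async_gpnft() is taken before this function has set `SF_SCANNING`, so the label's cleanup runs in a state it may not have been written for; the label itself is outside the hunk. The `if (sp)` guard that the validate-sp patch in this same queue adds sits in qla24xx_async_gnnft() according to its hunk header, not in this function, so if callers can pass a NULL sp and this function's done_free_sp dereferences it unguarded, the new path would turn a leak into a NULL dereference. If the label also clears `SF_SCANNING`, as the gnnft one visibly does, it would drop the flag that belongs to the scan still in progress. Both points need checking against the 5.10 tree before this is queued; a dedicated exit that frees sp only when it is non-NULL and leaves scan_flags alone would avoid them.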
@@ -0,0 +1,110 @@
+From stable+bounces-216253-greg=kroah.com@vger.kernel.org Fri Feb 13 16:44:38 2026
+From: Sasha Levin
+Date: Fri, 13 Feb 2026 10:44:30 -0500
+Subject: scsi: qla2xxx: Validate sp before freeing associated memory
+To: stable@vger.kernel.org
+Cc: Anil Gurumurthy , Nilesh Javali , Himanshu Madhani , "Martin K. Petersen" , Sasha Levin
+Message-ID: <20260213154430.3545825-1-sashal@kernel.org>
+
+From: Anil Gurumurthy
+
+[ Upstream commit b6df15aec8c3441357d4da0eaf4339eb20f5999f ]
+
+System crash with the following signature
+[154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete
+[154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3.
+[154564.169405] qla2xxx [0000:b0:00.1]-ffffff:2: SET ZIO Activity exchange threshold to 5.
+[154565.539974] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 0080 0000.
+[154565.545744] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 00a0 0000.
+[154565.545857] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate).
+[154565.552760] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate).
+[154565.553079] BUG: kernel NULL pointer dereference, address: 00000000000000f8
+[154565.553080] #PF: supervisor read access in kernel mode
+[154565.553082] #PF: error_code(0x0000) - not-present page
+[154565.553084] PGD 80000010488ab067 P4D 80000010488ab067 PUD 104978a067 PMD 0
+[154565.553089] Oops: 0000 1 PREEMPT SMP PTI
+[154565.553092] CPU: 10 PID: 858 Comm: qla2xxx_2_dpc Kdump: loaded Tainted: G OE ------- --- 5.14.0-503.11.1.el9_5.x86_64 #1
+[154565.553096] Hardware name: HPE Synergy 660 Gen10/Synergy 660 Gen10 Compute Module, BIOS I43 09/30/2024
+[154565.553097] RIP: 0010:qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx]
+[154565.553141] Code: 00 00 e8 58 a3 ec d4 49 89 e9 ba 12 20 00 00 4c 89 e6 49 c7 c0 00 ee a8 c0 48 c7 c1 66 c0 a9 c0 bf 00 80 00 10 e8 15 69 00 00 <4c> 8b 8d f8 00 00 00 4d 85 c9 74 35 49 8b 84 24 00 19 00 00 48 8b
+[154565.553143] RSP: 0018:ffffb4dbc8aebdd0 EFLAGS: 00010286
+[154565.553145] RAX: 0000000000000000 RBX: ffff8ec2cf0908d0 RCX: 0000000000000002
+[154565.553147] RDX: 0000000000000000 RSI: ffffffffc0a9c896 RDI: ffffb4dbc8aebd47
+[154565.553148] RBP: 0000000000000000 R08: ffffb4dbc8aebd45 R09: 0000000000ffff0a
+[154565.553150] R10: 0000000000000000 R11: 000000000000000f R12: ffff8ec2cf0908d0
+[154565.553151] R13: ffff8ec2cf090900 R14: 0000000000000102 R15: ffff8ec2cf084000
+[154565.553152] FS: 0000000000000000(0000) GS:ffff8ed27f800000(0000) knlGS:0000000000000000
+[154565.553154] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[154565.553155] CR2: 00000000000000f8 CR3: 000000113ae0a005 CR4: 00000000007706f0
+[154565.553157] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[154565.553158] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[154565.553159] PKRU: 55555554
+[154565.553160] Call Trace:
+[154565.553162]
+[154565.553165] ? show_trace_log_lvl+0x1c4/0x2df
+[154565.553172] ? show_trace_log_lvl+0x1c4/0x2df
+[154565.553177] ? qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx]
+[154565.553215] ? __die_body.cold+0x8/0xd
+[154565.553218] ? page_fault_oops+0x134/0x170
+[154565.553223] ? snprintf+0x49/0x70
+[154565.553229] ? exc_page_fault+0x62/0x150
+[154565.553238] ? asm_exc_page_fault+0x22/0x30
+
+Check for sp being non NULL before freeing any associated memory
+
+Fixes: a4239945b8ad ("scsi: qla2xxx: Add switch command to simplify fabric discovery")
+Cc: stable@vger.kernel.org
+Signed-off-by: Anil Gurumurthy
+Signed-off-by: Nilesh Javali
+Reviewed-by: Himanshu Madhani
+Link: https://patch.msgid.link/20251210101604.431868-10-njavali@marvell.com
+Signed-off-by: Martin K. Petersen
+[ adapted kref_put() srb free mechanism to older sp->free(sp) ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_gs.c | 32 +++++++++++++++++---------------
+ 1 file changed, 17 insertions(+), 15 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_gs.c
++++ b/drivers/scsi/qla2xxx/qla_gs.c
+@@ -3901,22 +3901,24 @@ static int qla24xx_async_gnnft(scsi_qla_
+ return rval;
+
+ done_free_sp:
+- if (sp->u.iocb_cmd.u.ctarg.req) {
+- dma_free_coherent(&vha->hw->pdev->dev,
+- sp->u.iocb_cmd.u.ctarg.req_allocated_size,
+- sp->u.iocb_cmd.u.ctarg.req,
+- sp->u.iocb_cmd.u.ctarg.req_dma);
+- sp->u.iocb_cmd.u.ctarg.req = NULL;
+- }
+- if (sp->u.iocb_cmd.u.ctarg.rsp) {
+- dma_free_coherent(&vha->hw->pdev->dev,
+- sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
+- sp->u.iocb_cmd.u.ctarg.rsp,
+- sp->u.iocb_cmd.u.ctarg.rsp_dma);
+- sp->u.iocb_cmd.u.ctarg.rsp = NULL;
+- }
++ if (sp) {
++ if (sp->u.iocb_cmd.u.ctarg.req) {
++ dma_free_coherent(&vha->hw->pdev->dev,
++ sp->u.iocb_cmd.u.ctarg.req_allocated_size,
++ sp->u.iocb_cmd.u.ctarg.req,
++ sp->u.iocb_cmd.u.ctarg.req_dma);
++ sp->u.iocb_cmd.u.ctarg.req = NULL;
++ }
++ if (sp->u.iocb_cmd.u.ctarg.rsp) {
++ dma_free_coherent(&vha->hw->pdev->dev,
++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
++ sp->u.iocb_cmd.u.ctarg.rsp,
++ sp->u.iocb_cmd.u.ctarg.rsp_dma);
++ sp->u.iocb_cmd.u.ctarg.rsp = NULL;
++ }
+
+- sp->free(sp);
++ sp->free(sp);
++ }
+
+ spin_lock_irqsave(&vha->work_lock, flags);
+ vha->scan.scan_flags &= ~SF_SCANNING;
diff --git a/queue-5.10/selftests-mptcp-pm-ensure-unknown-flags-are-ignored.patch b/queue-5.10/selftests-mptcp-pm-ensure-unknown-flags-are-ignored.patch
new file mode 100644
index 0000000000..0f37ff20d1
--- /dev/null
+++ b/queue-5.10/selftests-mptcp-pm-ensure-unknown-flags-are-ignored.patch
@@ -0,0 +1,95 @@
+From stable+bounces-215944-greg=kroah.com@vger.kernel.org Thu Feb 12 12:51:11 2026
+From: "Matthieu Baerts (NGI0)"
+Date: Thu, 12 Feb 2026 12:50:57 +0100
+Subject: selftests: mptcp: pm: ensure unknown flags are ignored
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: MPTCP Upstream , "Matthieu Baerts (NGI0)" , Mat Martineau , Jakub Kicinski
+Message-ID: <20260212115056.898313-2-matttbe@kernel.org>
+
+From: "Matthieu Baerts (NGI0)"
+
+commit 29f4801e9c8dfd12bdcb33b61a6ac479c7162bd7 upstream.
+
+This validates the previous commit: the userspace can set unknown flags
+-- the 7th bit is currently unused -- without errors, but only the
+supported ones are printed in the endpoints dumps.
+
+The 'Fixes' tag here below is the same as the one from the previous
+commit: this patch here is not fixing anything wrong in the selftests,
+but it validates the previous fix for an issue introduced by this commit
+ID.
+
+Fixes: 01cacb00b35c ("mptcp: add netlink-based PM")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20251205-net-mptcp-misc-fixes-6-19-rc1-v1-2-9e4781a6c1b8@kernel.org
+Signed-off-by: Jakub Kicinski
+[ Conflicts in pm_netlink.sh, because some refactoring have been done
+ later on: commit 0d16ed0c2e74 ("selftests: mptcp: add
+ {get,format}_endpoint(s) helpers") and commit c99d57d0007a
+ ("selftests: mptcp: use pm_nl endpoint ops") are not in this version.
+ The same operation can still be done at the same place, without using
+ the new helpers.
+ Also, commit 1dc88d241f92 ("selftests: mptcp: pm_nl_ctl: always look
+ for errors") is not in this version, and create a conflict in the
+ context which is not related to the modification here.
+ In v5.10, endpoints couldn't be re-used directly, so the flag is
+ tested before.
+ Conflicts in pm_nl_ctl.c, because commit 69c6ce7b6eca ("selftests:
+ mptcp: add implicit endpoint test case") and commit 371b90377e60
+ ("selftests: mptcp: set and print the fullmesh flag") are not in this
+ version, and caused a conflict in the context which is not related to
+ the modification here. ]
+Signed-off-by: Matthieu Baerts (NGI0)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/mptcp/pm_netlink.sh | 2 +-
+ tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 11 +++++++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/mptcp/pm_netlink.sh
++++ b/tools/testing/selftests/net/mptcp/pm_netlink.sh
+@@ -80,7 +80,7 @@ if mptcp_lib_expect_all_features; then
+ subflows 0" "defaults limits"
+ fi
+
+-ip netns exec $ns1 ./pm_nl_ctl add 10.0.1.1
++ip netns exec $ns1 ./pm_nl_ctl add 10.0.1.1 flags unknown
+ ip netns exec $ns1 ./pm_nl_ctl add 10.0.1.2 flags subflow dev lo
+ ip netns exec $ns1 ./pm_nl_ctl add 10.0.1.3 flags signal,backup
+ check "ip netns exec $ns1 ./pm_nl_ctl get 1" "id 1 flags 10.0.1.1" "simple add/get addr"
+--- a/tools/testing/selftests/net/mptcp/pm_nl_ctl.c
++++ b/tools/testing/selftests/net/mptcp/pm_nl_ctl.c
+@@ -22,6 +22,8 @@
+ #define MPTCP_PM_NAME "mptcp_pm"
+ #endif
+
++#define MPTCP_PM_ADDR_FLAG_UNKNOWN _BITUL(7)
++
+ static void syntax(char *argv[])
+ {
+ fprintf(stderr, "%s add|get|del|flush|dump|accept []\n", argv[0]);
+@@ -236,6 +238,8 @@ int add_addr(int fd, int pm_family, int
+ flags |= MPTCP_PM_ADDR_FLAG_SIGNAL;
+ else if (!strcmp(tok, "backup"))
+ flags |= MPTCP_PM_ADDR_FLAG_BACKUP;
++ else if (!strcmp(tok, "unknown"))
++ flags |= MPTCP_PM_ADDR_FLAG_UNKNOWN;
+ else
+ error(1, errno,
+ "unknown flag %s", argv[arg]);
+@@ -372,6 +376,13 @@ static void print_addr(struct rtattr *at
+ if (flags)
+ printf(",");
+ }
++
++ if (flags & MPTCP_PM_ADDR_FLAG_UNKNOWN) {
++ printf("unknown");
++ flags &= ~MPTCP_PM_ADDR_FLAG_UNKNOWN;
++ if (flags)
++ printf(",");
++ }
+
+ /* bump unknown flags, if any */
+ if (flags)
diff --git a/queue-5.10/series b/queue-5.10/series
index 680e93c23a..c7f7a46e46 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -11,3 +11,9 @@ romfs-check-sb_set_blocksize-return-value.patch
 drm-tegra-hdmi-sor-fix-error-variable-j-set-but-not-.patch
 platform-x86-classmate-laptop-add-missing-null-point.patch
 gpiolib-acpi-fix-gpio-count-with-string-references.patch
+fs-dlm-fix-invalid-derefence-of-sb_lvbptr.patch
+selftests-mptcp-pm-ensure-unknown-flags-are-ignored.patch
+crypto-virtio-remove-duplicated-virtqueue_kick-in-virtio_crypto_skcipher_crypt_req.patch
+scsi-qla2xxx-validate-sp-before-freeing-associated-memory.patch
+scsi-qla2xxx-free-sp-in-error-path-to-fix-system-crash.patch
+scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
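Review bot: `MPTCP_PM_ADDR_FLAG_UNKNOWN` in pm_nl_ctl.c is defined without any remark that it is a test-only value and not part of the endpoint flag set, so a later reader could mistake it for a real flag. A one-line comment above the define would settle that, e.g. `/* bit 7 is not a defined endpoint flag; set only to check that unknown bits are ignored */`. The same remark would help at the new `"unknown"` branch in add_addr(), which sits directly above the existing `"unknown flag %s"` error and reads as its opposite.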