From 0b67337cfecadfe5bfe1509258fc97e75182091f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 13 Feb 2026 12:23:52 +0100 Subject: [PATCH] 5.15-stable patches added patches: crypto-octeontx-fix-length-check-to-avoid-truncation-in-ucode_load_store.patch crypto-omap-allocate-omap_crypto_force_copy-scatterlists-correctly.patch crypto-virtio-add-spinlock-protection-with-virtqueue-notification.patch nilfs2-fix-potential-block-overflow-that-cause-system-hang.patch scsi-qla2xxx-delay-module-unload-while-fabric-scan-in-progress.patch scsi-qla2xxx-query-fw-again-before-proceeding-with-login.patch scsi-qla2xxx-validate-sp-before-freeing-associated-memory.patch --- ...avoid-truncation-in-ucode_load_store.patch | 38 ++++++ ...to_force_copy-scatterlists-correctly.patch | 35 ++++++ ...otection-with-virtqueue-notification.patch | 55 +++++++++ ...-device_lock-for-driver_match_device.patch | 2 +- ...lock-overflow-that-cause-system-hang.patch | 72 ++++++++++++ ...unload-while-fabric-scan-in-progress.patch | 70 +++++++++++ ...w-again-before-proceeding-with-login.patch | 92 +++++++++++++++ ...-sp-before-freeing-associated-memory.patch | 110 ++++++++++++++++++ queue-5.15/series | 7 ++ 9 files changed, 480 insertions(+), 1 deletion(-) create mode 100644 queue-5.15/crypto-octeontx-fix-length-check-to-avoid-truncation-in-ucode_load_store.patch create mode 100644 queue-5.15/crypto-omap-allocate-omap_crypto_force_copy-scatterlists-correctly.patch create mode 100644 queue-5.15/crypto-virtio-add-spinlock-protection-with-virtqueue-notification.patch create mode 100644 queue-5.15/nilfs2-fix-potential-block-overflow-that-cause-system-hang.patch create mode 100644 queue-5.15/scsi-qla2xxx-delay-module-unload-while-fabric-scan-in-progress.patch create mode 100644 queue-5.15/scsi-qla2xxx-query-fw-again-before-proceeding-with-login.patch create mode 100644 queue-5.15/scsi-qla2xxx-validate-sp-before-freeing-associated-memory.patch diff --git a/queue-5.15/crypto-octeontx-fix-length-check-to-avoid-truncation-in-ucode_load_store.patch b/queue-5.15/crypto-octeontx-fix-length-check-to-avoid-truncation-in-ucode_load_store.patch new file mode 100644 index 0000000000..84a24fd139 --- /dev/null +++ b/queue-5.15/crypto-octeontx-fix-length-check-to-avoid-truncation-in-ucode_load_store.patch @@ -0,0 +1,38 @@ +From 5565a72b24fa7935a9f30af386e92c8c9dfb23b9 Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Wed, 26 Nov 2025 10:46:13 +0100 +Subject: crypto: octeontx - Fix length check to avoid truncation in ucode_load_store + +From: Thorsten Blum + +commit 5565a72b24fa7935a9f30af386e92c8c9dfb23b9 upstream. + +OTX_CPT_UCODE_NAME_LENGTH limits the microcode name to 64 bytes. If a +user writes a string of exactly 64 characters, the original code used +'strlen(buf) > 64' to check the length, but then strscpy() copies only +63 characters before adding a NUL terminator, silently truncating the +copied string. + +Fix this off-by-one error by using 'count' directly for the length check +to ensure long names are rejected early and copied without truncation. + +Cc: stable@vger.kernel.org +Fixes: d9110b0b01ff ("crypto: marvell - add support for OCTEON TX CPT engine") +Signed-off-by: Thorsten Blum +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c ++++ b/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c +@@ -1337,7 +1337,7 @@ static ssize_t ucode_load_store(struct d + int del_grp_idx = -1; + int ucode_idx = 0; + +- if (strlen(buf) > OTX_CPT_UCODE_NAME_LENGTH) ++ if (count >= OTX_CPT_UCODE_NAME_LENGTH) + return -EINVAL; + + eng_grps = container_of(attr, struct otx_cpt_eng_grps, ucode_load_attr); diff --git a/queue-5.15/crypto-omap-allocate-omap_crypto_force_copy-scatterlists-correctly.patch b/queue-5.15/crypto-omap-allocate-omap_crypto_force_copy-scatterlists-correctly.patch new file mode 100644 index 0000000000..0af85f573b --- /dev/null +++ b/queue-5.15/crypto-omap-allocate-omap_crypto_force_copy-scatterlists-correctly.patch @@ -0,0 +1,35 @@ +From 1562b1fb7e17c1b3addb15e125c718b2be7f5512 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 6 Feb 2026 19:49:54 -0800 +Subject: crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly + +From: Kees Cook + +commit 1562b1fb7e17c1b3addb15e125c718b2be7f5512 upstream. + +The existing allocation of scatterlists in omap_crypto_copy_sg_lists() +was allocating an array of scatterlist pointers, not scatterlist objects, +resulting in a 4x too small allocation. + +Use sizeof(*new_sg) to get the correct object size. + +Fixes: 74ed87e7e7f7 ("crypto: omap - add base support library for common routines") +Signed-off-by: Kees Cook +Acked-by: Herbert Xu +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/omap-crypto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/omap-crypto.c ++++ b/drivers/crypto/omap-crypto.c +@@ -21,7 +21,7 @@ static int omap_crypto_copy_sg_lists(int + struct scatterlist *tmp; + + if (!(flags & OMAP_CRYPTO_FORCE_SINGLE_ENTRY)) { +- new_sg = kmalloc_array(n, sizeof(*sg), GFP_KERNEL); ++ new_sg = kmalloc_array(n, sizeof(*new_sg), GFP_KERNEL); + if (!new_sg) + return -ENOMEM; + diff --git a/queue-5.15/crypto-virtio-add-spinlock-protection-with-virtqueue-notification.patch b/queue-5.15/crypto-virtio-add-spinlock-protection-with-virtqueue-notification.patch new file mode 100644 index 0000000000..5e518f7946 --- /dev/null +++ b/queue-5.15/crypto-virtio-add-spinlock-protection-with-virtqueue-notification.patch @@ -0,0 +1,55 @@ +From b505047ffc8057555900d2d3a005d033e6967382 Mon Sep 17 00:00:00 2001 +From: Bibo Mao +Date: Tue, 13 Jan 2026 11:05:54 +0800 +Subject: crypto: virtio - Add spinlock protection with virtqueue notification + +From: Bibo Mao + +commit b505047ffc8057555900d2d3a005d033e6967382 upstream. + +When VM boots with one virtio-crypto PCI device and builtin backend, +run openssl benchmark command with multiple processes, such as + openssl speed -evp aes-128-cbc -engine afalg -seconds 10 -multi 32 + +openssl processes will hangup and there is error reported like this: + virtio_crypto virtio0: dataq.0:id 3 is not a head! + +It seems that the data virtqueue need protection when it is handled +for virtio done notification. If the spinlock protection is added +in virtcrypto_done_task(), openssl benchmark with multiple processes +works well. + +Fixes: fed93fb62e05 ("crypto: virtio - Handle dataq logic with tasklet") +Cc: stable@vger.kernel.org +Signed-off-by: Bibo Mao +Acked-by: Jason Wang +Acked-by: Michael S. Tsirkin +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/virtio/virtio_crypto_core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/crypto/virtio/virtio_crypto_core.c ++++ b/drivers/crypto/virtio/virtio_crypto_core.c +@@ -27,15 +27,20 @@ static void virtcrypto_done_task(unsigne + struct data_queue *data_vq = (struct data_queue *)data; + struct virtqueue *vq = data_vq->vq; + struct virtio_crypto_request *vc_req; ++ unsigned long flags; + unsigned int len; + ++ spin_lock_irqsave(&data_vq->lock, flags); + do { + virtqueue_disable_cb(vq); + while ((vc_req = virtqueue_get_buf(vq, &len)) != NULL) { ++ spin_unlock_irqrestore(&data_vq->lock, flags); + if (vc_req->alg_cb) + vc_req->alg_cb(vc_req, len); ++ spin_lock_irqsave(&data_vq->lock, flags); + } + } while (!virtqueue_enable_cb(vq)); ++ spin_unlock_irqrestore(&data_vq->lock, flags); + } + + static void virtcrypto_dataq_callback(struct virtqueue *vq) diff --git a/queue-5.15/driver-core-enforce-device_lock-for-driver_match_device.patch b/queue-5.15/driver-core-enforce-device_lock-for-driver_match_device.patch index 59fdedab82..30e1dba6a0 100644 --- a/queue-5.15/driver-core-enforce-device_lock-for-driver_match_device.patch +++ b/queue-5.15/driver-core-enforce-device_lock-for-driver_match_device.patch @@ -54,7 +54,7 @@ Signed-off-by: Greg Kroah-Hartman return drv->bus->match ? drv->bus->match(dev, drv) : 1; } + -+static inline int driver_match_device_locked(const struct device_driver *drv, ++static inline int driver_match_device_locked(struct device_driver *drv, + struct device *dev) +{ + guard(device)(dev); diff --git a/queue-5.15/nilfs2-fix-potential-block-overflow-that-cause-system-hang.patch b/queue-5.15/nilfs2-fix-potential-block-overflow-that-cause-system-hang.patch new file mode 100644 index 0000000000..eb021754fb --- /dev/null +++ b/queue-5.15/nilfs2-fix-potential-block-overflow-that-cause-system-hang.patch @@ -0,0 +1,72 @@ +From ed527ef0c264e4bed6c7b2a158ddf516b17f5f66 Mon Sep 17 00:00:00 2001 +From: Edward Adam Davis +Date: Sat, 20 Dec 2025 03:04:25 +0900 +Subject: nilfs2: Fix potential block overflow that cause system hang + +From: Edward Adam Davis + +commit ed527ef0c264e4bed6c7b2a158ddf516b17f5f66 upstream. + +When a user executes the FITRIM command, an underflow can occur when +calculating nblocks if end_block is too small. Since nblocks is of +type sector_t, which is u64, a negative nblocks value will become a +very large positive integer. This ultimately leads to the block layer +function __blkdev_issue_discard() taking an excessively long time to +process the bio chain, and the ns_segctor_sem lock remains held for a +long period. This prevents other tasks from acquiring the ns_segctor_sem +lock, resulting in the hang reported by syzbot in [1]. + +If the ending block is too small, typically if it is smaller than 4KiB +range, depending on the usage of the segment 0, it may be possible to +attempt a discard request beyond the device size causing the hang. + +Exiting successfully and assign the discarded size (0 in this case) +to range->len. + +Although the start and len values in the user input range are too small, +a conservative strategy is adopted here to safely ignore them, which is +equivalent to a no-op; it will not perform any trimming and will not +throw an error. + +[1] +task:segctord state:D stack:28968 pid:6093 tgid:6093 ppid:2 task_flags:0x200040 flags:0x00080000 +Call Trace: + rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272 + nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357 + nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline] + nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684 + +[ryusuke: corrected part of the commit message about the consequences] + +Fixes: 82e11e857be3 ("nilfs2: add nilfs_sufile_trim_fs to trim clean segs") +Reported-by: syzbot+7eedce5eb281acd832f0@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=7eedce5eb281acd832f0 +Signed-off-by: Edward Adam Davis +Signed-off-by: Ryusuke Konishi +Cc: stable@vger.kernel.org +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/sufile.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/nilfs2/sufile.c ++++ b/fs/nilfs2/sufile.c +@@ -1091,6 +1091,9 @@ int nilfs_sufile_trim_fs(struct inode *s + else + end_block = start_block + len - 1; + ++ if (end_block < nilfs->ns_first_data_block) ++ goto out; ++ + segnum = nilfs_get_segnum_of_block(nilfs, start_block); + segnum_end = nilfs_get_segnum_of_block(nilfs, end_block); + +@@ -1188,6 +1191,7 @@ int nilfs_sufile_trim_fs(struct inode *s + out_sem: + up_read(&NILFS_MDT(sufile)->mi_sem); + ++out: + range->len = ndiscarded << nilfs->ns_blocksize_bits; + return ret; + } diff --git a/queue-5.15/scsi-qla2xxx-delay-module-unload-while-fabric-scan-in-progress.patch b/queue-5.15/scsi-qla2xxx-delay-module-unload-while-fabric-scan-in-progress.patch new file mode 100644 index 0000000000..873f154221 --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-delay-module-unload-while-fabric-scan-in-progress.patch @@ -0,0 +1,70 @@ +From 8890bf450e0b6b283f48ac619fca5ac2f14ddd62 Mon Sep 17 00:00:00 2001 +From: Anil Gurumurthy +Date: Wed, 10 Dec 2025 15:45:59 +0530 +Subject: scsi: qla2xxx: Delay module unload while fabric scan in progress + +From: Anil Gurumurthy + +commit 8890bf450e0b6b283f48ac619fca5ac2f14ddd62 upstream. + +System crash seen during load/unload test in a loop. + +[105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086 +[105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0 +[105954.384921] R13: ffff914605f86910 R14: 0000000000008010 R15: 00000000ddb7c000 +[105954.384923] FS: 0000000000000000(0000) GS:ffff9163fec40000(0000) knlGS:0000000000000000 +[105954.384925] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[105954.384926] CR2: 000055d31ce1d6a0 CR3: 0000000119f5e001 CR4: 0000000000770ee0 +[105954.384928] PKRU: 55555554 +[105954.384929] Call Trace: +[105954.384931] +[105954.384934] qla24xx_sp_unmap+0x1f3/0x2a0 [qla2xxx] +[105954.384962] ? qla_async_scan_sp_done+0x114/0x1f0 [qla2xxx] +[105954.384980] ? qla24xx_els_ct_entry+0x4de/0x760 [qla2xxx] +[105954.384999] ? __wake_up_common+0x80/0x190 +[105954.385004] ? qla24xx_process_response_queue+0xc2/0xaa0 [qla2xxx] +[105954.385023] ? qla24xx_msix_rsp_q+0x44/0xb0 [qla2xxx] +[105954.385040] ? __handle_irq_event_percpu+0x3d/0x190 +[105954.385044] ? handle_irq_event+0x58/0xb0 +[105954.385046] ? handle_edge_irq+0x93/0x240 +[105954.385050] ? __common_interrupt+0x41/0xa0 +[105954.385055] ? common_interrupt+0x3e/0xa0 +[105954.385060] ? asm_common_interrupt+0x22/0x40 + +The root cause of this was that there was a free (dma_free_attrs) in the +interrupt context. There was a device discovery/fabric scan in +progress. A module unload was issued which set the UNLOADING flag. As +part of the discovery, after receiving an interrupt a work queue was +scheduled (which involved a work to be queued). Since the UNLOADING +flag is set, the work item was not allocated and the mapped memory had +to be freed. The free occurred in interrupt context leading to system +crash. Delay the driver unload until the fabric scan is complete to +avoid the crash. + +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/all/202512090414.07Waorz0-lkp@intel.com/ +Fixes: 783e0dc4f66a ("qla2xxx: Check for device state before unloading the driver.") +Cc: stable@vger.kernel.org +Signed-off-by: Anil Gurumurthy +Signed-off-by: Nilesh Javali +Reviewed-by: Himanshu Madhani +Link: https://patch.msgid.link/20251210101604.431868-8-njavali@marvell.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_os.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -1216,7 +1216,8 @@ qla2x00_wait_for_hba_ready(scsi_qla_host + while ((qla2x00_reset_active(vha) || ha->dpc_active || + ha->flags.mbox_busy) || + test_bit(FX00_RESET_RECOVERY, &vha->dpc_flags) || +- test_bit(FX00_TARGET_SCAN, &vha->dpc_flags)) { ++ test_bit(FX00_TARGET_SCAN, &vha->dpc_flags) || ++ (vha->scan.scan_flags & SF_SCANNING)) { + if (test_bit(UNLOADING, &base_vha->dpc_flags)) + break; + msleep(1000); diff --git a/queue-5.15/scsi-qla2xxx-query-fw-again-before-proceeding-with-login.patch b/queue-5.15/scsi-qla2xxx-query-fw-again-before-proceeding-with-login.patch new file mode 100644 index 0000000000..7190e870c7 --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-query-fw-again-before-proceeding-with-login.patch @@ -0,0 +1,92 @@ +From 42b2dab4340d39b71334151e10c6d7d9b0040ffa Mon Sep 17 00:00:00 2001 +From: Anil Gurumurthy +Date: Wed, 10 Dec 2025 15:46:02 +0530 +Subject: scsi: qla2xxx: Query FW again before proceeding with login + +From: Anil Gurumurthy + +commit 42b2dab4340d39b71334151e10c6d7d9b0040ffa upstream. + +Issue occurred during a continuous reboot test of several thousand +iterations specific to a fabric topo with dual mode target where it +sends a PLOGI/PRLI and then sends a LOGO. The initiator was also in the +process of discovery and sent a PLOGI to the switch. It then queried a +list of ports logged in via mbx 75h and the GPDB response indicated that +the target was logged in. This caused a mismatch in the states between +the driver and FW. Requery the FW for the state and proceed with the +rest of discovery process. + +Fixes: a4239945b8ad ("scsi: qla2xxx: Add switch command to simplify fabric discovery") +Cc: stable@vger.kernel.org +Signed-off-by: Anil Gurumurthy +Signed-off-by: Nilesh Javali +Reviewed-by: Himanshu Madhani +Link: https://patch.msgid.link/20251210101604.431868-11-njavali@marvell.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_init.c | 19 +++++++++++++++++-- + drivers/scsi/qla2xxx/qla_isr.c | 19 +++++++++++++++++-- + 2 files changed, 34 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -2473,8 +2473,23 @@ qla24xx_handle_plogi_done_event(struct s + ea->sp->gen1, fcport->rscn_gen, + ea->data[0], ea->data[1], ea->iop[0], ea->iop[1]); + +- if ((fcport->fw_login_state == DSC_LS_PLOGI_PEND) || +- (fcport->fw_login_state == DSC_LS_PRLI_PEND)) { ++ if (fcport->fw_login_state == DSC_LS_PLOGI_PEND) { ++ ql_dbg(ql_dbg_disc, vha, 0x20ea, ++ "%s %d %8phC Remote is trying to login\n", ++ __func__, __LINE__, fcport->port_name); ++ /* ++ * If we get here, there is port thats already logged in, ++ * but it's state has not moved ahead. Recheck with FW on ++ * what state it is in and proceed ahead ++ */ ++ if (!N2N_TOPO(vha->hw)) { ++ fcport->fw_login_state = DSC_LS_PRLI_COMP; ++ qla24xx_post_gpdb_work(vha, fcport, 0); ++ } ++ return; ++ } ++ ++ if (fcport->fw_login_state == DSC_LS_PRLI_PEND) { + ql_dbg(ql_dbg_disc, vha, 0x20ea, + "%s %d %8phC Remote is trying to login\n", + __func__, __LINE__, fcport->port_name); +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -1524,13 +1524,28 @@ skip_rio: + + /* Port logout */ + fcport = qla2x00_find_fcport_by_loopid(vha, mb[1]); +- if (!fcport) ++ if (!fcport) { ++ ql_dbg(ql_dbg_async, vha, 0x5011, ++ "Could not find fcport:%04x %04x %04x\n", ++ mb[1], mb[2], mb[3]); + break; +- if (atomic_read(&fcport->state) != FCS_ONLINE) ++ } ++ ++ if (atomic_read(&fcport->state) != FCS_ONLINE) { ++ ql_dbg(ql_dbg_async, vha, 0x5012, ++ "Port state is not online State:0x%x \n", ++ atomic_read(&fcport->state)); ++ ql_dbg(ql_dbg_async, vha, 0x5012, ++ "Scheduling session for deletion \n"); ++ fcport->logout_on_delete = 0; ++ qlt_schedule_sess_for_deletion(fcport); + break; ++ } ++ + ql_dbg(ql_dbg_async, vha, 0x508a, + "Marking port lost loopid=%04x portid=%06x.\n", + fcport->loop_id, fcport->d_id.b24); ++ + if (qla_ini_mode_enabled(vha)) { + fcport->logout_on_delete = 0; + qlt_schedule_sess_for_deletion(fcport); diff --git a/queue-5.15/scsi-qla2xxx-validate-sp-before-freeing-associated-memory.patch b/queue-5.15/scsi-qla2xxx-validate-sp-before-freeing-associated-memory.patch new file mode 100644 index 0000000000..57316e2306 --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-validate-sp-before-freeing-associated-memory.patch @@ -0,0 +1,110 @@ +From b6df15aec8c3441357d4da0eaf4339eb20f5999f Mon Sep 17 00:00:00 2001 +From: Anil Gurumurthy +Date: Wed, 10 Dec 2025 15:46:01 +0530 +Subject: scsi: qla2xxx: Validate sp before freeing associated memory +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Anil Gurumurthy + +commit b6df15aec8c3441357d4da0eaf4339eb20f5999f upstream. + +System crash with the following signature +[154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete +[154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3. +[154564.169405] qla2xxx [0000:b0:00.1]-ffffff:2: SET ZIO Activity exchange threshold to 5. +[154565.539974] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 0080 0000. +[154565.545744] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 00a0 0000. +[154565.545857] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). +[154565.552760] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). +[154565.553079] BUG: kernel NULL pointer dereference, address: 00000000000000f8 +[154565.553080] #PF: supervisor read access in kernel mode +[154565.553082] #PF: error_code(0x0000) - not-present page +[154565.553084] PGD 80000010488ab067 P4D 80000010488ab067 PUD 104978a067 PMD 0 +[154565.553089] Oops: 0000 1 PREEMPT SMP PTI +[154565.553092] CPU: 10 PID: 858 Comm: qla2xxx_2_dpc Kdump: loaded Tainted: G OE ------- --- 5.14.0-503.11.1.el9_5.x86_64 #1 +[154565.553096] Hardware name: HPE Synergy 660 Gen10/Synergy 660 Gen10 Compute Module, BIOS I43 09/30/2024 +[154565.553097] RIP: 0010:qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] +[154565.553141] Code: 00 00 e8 58 a3 ec d4 49 89 e9 ba 12 20 00 00 4c 89 e6 49 c7 c0 00 ee a8 c0 48 c7 c1 66 c0 a9 c0 bf 00 80 00 10 e8 15 69 00 00 <4c> 8b 8d f8 00 00 00 4d 85 c9 74 35 49 8b 84 24 00 19 00 00 48 8b +[154565.553143] RSP: 0018:ffffb4dbc8aebdd0 EFLAGS: 00010286 +[154565.553145] RAX: 0000000000000000 RBX: ffff8ec2cf0908d0 RCX: 0000000000000002 +[154565.553147] RDX: 0000000000000000 RSI: ffffffffc0a9c896 RDI: ffffb4dbc8aebd47 +[154565.553148] RBP: 0000000000000000 R08: ffffb4dbc8aebd45 R09: 0000000000ffff0a +[154565.553150] R10: 0000000000000000 R11: 000000000000000f R12: ffff8ec2cf0908d0 +[154565.553151] R13: ffff8ec2cf090900 R14: 0000000000000102 R15: ffff8ec2cf084000 +[154565.553152] FS: 0000000000000000(0000) GS:ffff8ed27f800000(0000) knlGS:0000000000000000 +[154565.553154] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[154565.553155] CR2: 00000000000000f8 CR3: 000000113ae0a005 CR4: 00000000007706f0 +[154565.553157] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[154565.553158] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[154565.553159] PKRU: 55555554 +[154565.553160] Call Trace: +[154565.553162] +[154565.553165] ? show_trace_log_lvl+0x1c4/0x2df +[154565.553172] ? show_trace_log_lvl+0x1c4/0x2df +[154565.553177] ? qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] +[154565.553215] ? __die_body.cold+0x8/0xd +[154565.553218] ? page_fault_oops+0x134/0x170 +[154565.553223] ? snprintf+0x49/0x70 +[154565.553229] ? exc_page_fault+0x62/0x150 +[154565.553238] ? asm_exc_page_fault+0x22/0x30 + +Check for sp being non NULL before freeing any associated memory + +Fixes: a4239945b8ad ("scsi: qla2xxx: Add switch command to simplify fabric discovery") +Cc: stable@vger.kernel.org +Signed-off-by: Anil Gurumurthy +Signed-off-by: Nilesh Javali +Reviewed-by: Himanshu Madhani +Link: https://patch.msgid.link/20251210101604.431868-10-njavali@marvell.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_gs.c | 34 ++++++++++++++++++---------------- + 1 file changed, 18 insertions(+), 16 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_gs.c ++++ b/drivers/scsi/qla2xxx/qla_gs.c +@@ -4166,23 +4166,25 @@ int qla24xx_async_gpnft(scsi_qla_host_t + return rval; + + done_free_sp: +- if (sp->u.iocb_cmd.u.ctarg.req) { +- dma_free_coherent(&vha->hw->pdev->dev, +- sp->u.iocb_cmd.u.ctarg.req_allocated_size, +- sp->u.iocb_cmd.u.ctarg.req, +- sp->u.iocb_cmd.u.ctarg.req_dma); +- sp->u.iocb_cmd.u.ctarg.req = NULL; +- } +- if (sp->u.iocb_cmd.u.ctarg.rsp) { +- dma_free_coherent(&vha->hw->pdev->dev, +- sp->u.iocb_cmd.u.ctarg.rsp_allocated_size, +- sp->u.iocb_cmd.u.ctarg.rsp, +- sp->u.iocb_cmd.u.ctarg.rsp_dma); +- sp->u.iocb_cmd.u.ctarg.rsp = NULL; +- } ++ if (sp) { ++ if (sp->u.iocb_cmd.u.ctarg.req) { ++ dma_free_coherent(&vha->hw->pdev->dev, ++ sp->u.iocb_cmd.u.ctarg.req_allocated_size, ++ sp->u.iocb_cmd.u.ctarg.req, ++ sp->u.iocb_cmd.u.ctarg.req_dma); ++ sp->u.iocb_cmd.u.ctarg.req = NULL; ++ } ++ if (sp->u.iocb_cmd.u.ctarg.rsp) { ++ dma_free_coherent(&vha->hw->pdev->dev, ++ sp->u.iocb_cmd.u.ctarg.rsp_allocated_size, ++ sp->u.iocb_cmd.u.ctarg.rsp, ++ sp->u.iocb_cmd.u.ctarg.rsp_dma); ++ sp->u.iocb_cmd.u.ctarg.rsp = NULL; ++ } + +- /* ref: INIT */ +- kref_put(&sp->cmd_kref, qla2x00_sp_release); ++ /* ref: INIT */ ++ kref_put(&sp->cmd_kref, qla2x00_sp_release); ++ } + + spin_lock_irqsave(&vha->work_lock, flags); + vha->scan.scan_flags &= ~SF_SCANNING; diff --git a/queue-5.15/series b/queue-5.15/series index 595f04bdc7..3d80d55900 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -1,2 +1,9 @@ driver-core-add-a-guard-definition-for-the-device_lock.patch driver-core-enforce-device_lock-for-driver_match_device.patch +crypto-octeontx-fix-length-check-to-avoid-truncation-in-ucode_load_store.patch +crypto-omap-allocate-omap_crypto_force_copy-scatterlists-correctly.patch +crypto-virtio-add-spinlock-protection-with-virtqueue-notification.patch +nilfs2-fix-potential-block-overflow-that-cause-system-hang.patch +scsi-qla2xxx-validate-sp-before-freeing-associated-memory.patch +scsi-qla2xxx-delay-module-unload-while-fabric-scan-in-progress.patch +scsi-qla2xxx-query-fw-again-before-proceeding-with-login.patch -- 2.47.3