From 3161ccd8fd31d21bdf3349fd03a41b9423866962 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Mon, 16 Feb 2026 17:08:19 +0100
Subject: [PATCH] Linux 6.6.126
---
...en-change-fw-message-timeout-warning.patch | 77 ----------
...onfig_detect_hung_task-specific-code.patch | 44 ------
...e-after-free-in-driver_override_show.patch | 50 -------
...h-sysfs_emit-in-sysfs-show-functions.patch | 48 -------
...xxx-fix-bsg_done-causing-double-free.patch | 132 ------------------
queue-6.12/series | 5 -
...st-device-fix-broken-intra-doc-links.patch | 56 --------
.../rust-dma-fix-broken-intra-doc-links.patch | 46 ------
...ra-doc-links-to-example-driver-types.patch | 69 ---------
...xxx-fix-bsg_done-causing-double-free.patch | 132 ------------------
queue-6.18/series | 4 -
...xxx-fix-bsg_done-causing-double-free.patch | 132 ------------------
queue-6.19/series | 1 -
...e-after-free-in-driver_override_show.patch | 50 -------
...h-sysfs_emit-in-sysfs-show-functions.patch | 48 -------
...d-creating-sub-groups-asynchronously.patch | 103 --------------
...unused-field-in-struct-pci_epf_group.patch | 43 ------
...xxx-fix-bsg_done-causing-double-free.patch | 132 ------------------
queue-6.6/series | 5 -
19 files changed, 1177 deletions(-)
delete mode 100644 queue-6.12/bnxt_en-change-fw-message-timeout-warning.patch
delete mode 100644 queue-6.12/bnxt_en-hide-config_detect_hung_task-specific-code.patch
delete mode 100644 queue-6.12/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
delete mode 100644 queue-6.12/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
delete mode 100644 queue-6.12/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
delete mode 100644 queue-6.18/rust-device-fix-broken-intra-doc-links.patch
delete mode 100644 queue-6.18/rust-dma-fix-broken-intra-doc-links.patch
delete mode 100644 queue-6.18/rust-driver-fix-broken-intra-doc-links-to-example-driver-types.patch
delete mode 100644 queue-6.18/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
delete mode 100644 queue-6.19/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
delete mode 100644 queue-6.6/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
delete mode 100644 queue-6.6/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
delete mode 100644 queue-6.6/pci-endpoint-avoid-creating-sub-groups-asynchronously.patch
delete mode 100644 queue-6.6/pci-endpoint-remove-unused-field-in-struct-pci_epf_group.patch
delete mode 100644 queue-6.6/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
diff --git a/queue-6.12/bnxt_en-change-fw-message-timeout-warning.patch b/queue-6.12/bnxt_en-change-fw-message-timeout-warning.patch
deleted file mode 100644
index a21aa2f93d..0000000000
--- a/queue-6.12/bnxt_en-change-fw-message-timeout-warning.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 0fcad44a86bdc2b5f202d91ba1eeeee6fceb7b25 Mon Sep 17 00:00:00 2001
-From: Michael Chan
-Date: Thu, 17 Apr 2025 10:24:45 -0700
-Subject: bnxt_en: Change FW message timeout warning
-
-From: Michael Chan
-
-commit 0fcad44a86bdc2b5f202d91ba1eeeee6fceb7b25 upstream.
-
-The firmware advertises a "hwrm_cmd_max_timeout" value to the driver
-for NVRAM and coredump related functions that can take tens of seconds
-to complete. The driver polls for the operation to complete under
-mutex and may trigger hung task watchdog warning if the wait is too long.
-To warn the user about this, the driver currently prints a warning if
-this advertised value exceeds 40 seconds:
-
-Device requests max timeout of %d seconds, may trigger hung task watchdog
-
-Initially, we chose 40 seconds, well below the kernel's default
-CONFIG_DEFAULT_HUNG_TASK_TIMEOUT (120 seconds) to avoid triggering
-the hung task watchdog. But 60 seconds is the timeout on most
-production FW and cannot be reduced further. Change the driver's warning
-threshold to 60 seconds to avoid triggering this warning on all
-production devices. We also print the warning if the value exceeds
-CONFIG_DEFAULT_HUNG_TASK_TIMEOUT which may be set to architecture
-specific defaults as low as 10 seconds.
-
-Reviewed-by: Kalesh AP
-Reviewed-by: Pavan Chebbi
-Reviewed-by: Andy Gospodarek
-Signed-off-by: Michael Chan
-Link: https://patch.msgid.link/20250417172448.1206107-2-michael.chan@broadcom.com
-Signed-off-by: Jakub Kicinski
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 11 +++++++----
- drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.h | 2 +-
- 2 files changed, 8 insertions(+), 5 deletions(-)
-
---- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
-+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
-@@ -9770,7 +9770,7 @@ static int bnxt_hwrm_ver_get(struct bnxt
- struct hwrm_ver_get_input *req;
- u16 fw_maj, fw_min, fw_bld, fw_rsv;
- u32 dev_caps_cfg, hwrm_ver;
-- int rc, len;
-+ int rc, len, max_tmo_secs;
-
- rc = hwrm_req_init(bp, req, HWRM_VER_GET);
- if (rc)
-@@ -9843,9 +9843,12 @@ static int bnxt_hwrm_ver_get(struct bnxt
- bp->hwrm_cmd_max_timeout = le16_to_cpu(resp->max_req_timeout) * 1000;
- if (!bp->hwrm_cmd_max_timeout)
- bp->hwrm_cmd_max_timeout = HWRM_CMD_MAX_TIMEOUT;
-- else if (bp->hwrm_cmd_max_timeout > HWRM_CMD_MAX_TIMEOUT)
-- netdev_warn(bp->dev, "Device requests max timeout of %d seconds, may trigger hung task watchdog\n",
-- bp->hwrm_cmd_max_timeout / 1000);
-+ max_tmo_secs = bp->hwrm_cmd_max_timeout / 1000;
-+ if (bp->hwrm_cmd_max_timeout > HWRM_CMD_MAX_TIMEOUT ||
-+ max_tmo_secs > CONFIG_DEFAULT_HUNG_TASK_TIMEOUT) {
-+ netdev_warn(bp->dev, "Device requests max timeout of %d seconds, may trigger hung task watchdog (kernel default %ds)\n",
-+ max_tmo_secs, CONFIG_DEFAULT_HUNG_TASK_TIMEOUT);
-+ }
-
- if (resp->hwrm_intf_maj_8b >= 1) {
- bp->hwrm_max_req_len = le16_to_cpu(resp->max_req_win_len);
---- a/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.h
-+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.h
-@@ -58,7 +58,7 @@ void hwrm_update_token(struct bnxt *bp,
-
- #define BNXT_HWRM_MAX_REQ_LEN (bp->hwrm_max_req_len)
- #define BNXT_HWRM_SHORT_REQ_LEN sizeof(struct hwrm_short_input)
--#define HWRM_CMD_MAX_TIMEOUT 40000U
-+#define HWRM_CMD_MAX_TIMEOUT 60000U
- #define SHORT_HWRM_CMD_TIMEOUT 20
- #define HWRM_CMD_TIMEOUT (bp->hwrm_cmd_timeout)
- #define HWRM_RESET_TIMEOUT ((HWRM_CMD_TIMEOUT) * 4)
diff --git a/queue-6.12/bnxt_en-hide-config_detect_hung_task-specific-code.patch b/queue-6.12/bnxt_en-hide-config_detect_hung_task-specific-code.patch
deleted file mode 100644
index 7df89eb005..0000000000
--- a/queue-6.12/bnxt_en-hide-config_detect_hung_task-specific-code.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 8ff6175139967cd17b2a62bca4b2de2559942b7e Mon Sep 17 00:00:00 2001
-From: Arnd Bergmann
-Date: Wed, 23 Apr 2025 18:28:21 +0200
-Subject: bnxt_en: hide CONFIG_DETECT_HUNG_TASK specific code
-
-From: Arnd Bergmann
-
-commit 8ff6175139967cd17b2a62bca4b2de2559942b7e upstream.
-
-The CONFIG_DEFAULT_HUNG_TASK_TIMEOUT setting is only available when the
-hung task detection is enabled, otherwise the code now produces a build
-failure:
-
-drivers/net/ethernet/broadcom/bnxt/bnxt.c:10188:21: error: use of undeclared identifier 'CONFIG_DEFAULT_HUNG_TASK_TIMEOUT'
- 10188 | max_tmo_secs > CONFIG_DEFAULT_HUNG_TASK_TIMEOUT) {
-
-Enclose this warning logic in an #ifdef to ensure this builds.
-
-Fixes: 0fcad44a86bd ("bnxt_en: Change FW message timeout warning")
-Signed-off-by: Arnd Bergmann
-Reviewed-by: Michael Chan
-Link: https://patch.msgid.link/20250423162827.2189658-1-arnd@kernel.org
-Signed-off-by: Jakub Kicinski
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
-+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
-@@ -9844,11 +9844,13 @@ static int bnxt_hwrm_ver_get(struct bnxt
- if (!bp->hwrm_cmd_max_timeout)
- bp->hwrm_cmd_max_timeout = HWRM_CMD_MAX_TIMEOUT;
- max_tmo_secs = bp->hwrm_cmd_max_timeout / 1000;
-+#ifdef CONFIG_DETECT_HUNG_TASK
- if (bp->hwrm_cmd_max_timeout > HWRM_CMD_MAX_TIMEOUT ||
- max_tmo_secs > CONFIG_DEFAULT_HUNG_TASK_TIMEOUT) {
- netdev_warn(bp->dev, "Device requests max timeout of %d seconds, may trigger hung task watchdog (kernel default %ds)\n",
- max_tmo_secs, CONFIG_DEFAULT_HUNG_TASK_TIMEOUT);
- }
-+#endif
-
- if (resp->hwrm_intf_maj_8b >= 1) {
- bp->hwrm_max_req_len = le16_to_cpu(resp->max_req_win_len);
diff --git a/queue-6.12/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch b/queue-6.12/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
deleted file mode 100644
index 81ffecf619..0000000000
--- a/queue-6.12/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From stable+bounces-216258-greg=kroah.com@vger.kernel.org Fri Feb 13 17:12:28 2026
-From: Sasha Levin
-Date: Fri, 13 Feb 2026 11:12:19 -0500
-Subject: bus: fsl-mc: fix use-after-free in driver_override_show()
-To: stable@vger.kernel.org
-Cc: Gui-Dong Han , Ioana Ciornei , "Christophe Leroy (CS GROUP)" , Sasha Levin
-Message-ID: <20260213161219.3554825-2-sashal@kernel.org>
-
-From: Gui-Dong Han
-
-[ Upstream commit 148891e95014b5dc5878acefa57f1940c281c431 ]
-
-The driver_override_show() function reads the driver_override string
-without holding the device_lock. However, driver_override_store() uses
-driver_set_override(), which modifies and frees the string while holding
-the device_lock.
-
-This can result in a concurrent use-after-free if the string is freed
-by the store function while being read by the show function.
-
-Fix this by holding the device_lock around the read operation.
-
-Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus")
-Cc: stable@vger.kernel.org
-Signed-off-by: Gui-Dong Han
-Reviewed-by: Ioana Ciornei
-Link: https://lore.kernel.org/r/20251202174438.12658-1-hanguidong02@gmail.com
-Signed-off-by: Christophe Leroy (CS GROUP)
-Signed-off-by: Sasha Levin
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/bus/fsl-mc/fsl-mc-bus.c
-+++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
-@@ -201,8 +201,12 @@ static ssize_t driver_override_show(stru
- struct device_attribute *attr, char *buf)
- {
- struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
-+ ssize_t len;
-
-- return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
-+ device_lock(dev);
-+ len = sysfs_emit(buf, "%s\n", mc_dev->driver_override);
-+ device_unlock(dev);
-+ return len;
- }
- static DEVICE_ATTR_RW(driver_override);
-
diff --git a/queue-6.12/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch b/queue-6.12/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
deleted file mode 100644
index 20a85ce69d..0000000000
--- a/queue-6.12/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From stable+bounces-216257-greg=kroah.com@vger.kernel.org Fri Feb 13 17:12:24 2026
-From: Sasha Levin
-Date: Fri, 13 Feb 2026 11:12:18 -0500
-Subject: bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show functions
-To: stable@vger.kernel.org
-Cc: Chelsy Ratnawat , Ioana Ciornei , Christophe Leroy , Sasha Levin
-Message-ID: <20260213161219.3554825-1-sashal@kernel.org>
-
-From: Chelsy Ratnawat
-
-[ Upstream commit a50522c805a6c575c80f41b04706e084d814e116 ]
-
-Use sysfs_emit() instead of snprintf()/sprintf() when writing
-to sysfs buffers, as recommended by the kernel documentation.
-
-Signed-off-by: Chelsy Ratnawat
-Acked-by: Ioana Ciornei
-Link: https://lore.kernel.org/r/20250822124339.1739290-1-chelsyratnawat2001@gmail.com
-Signed-off-by: Christophe Leroy
-Stable-dep-of: 148891e95014 ("bus: fsl-mc: fix use-after-free in driver_override_show()")
-Signed-off-by: Sasha Levin
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
---- a/drivers/bus/fsl-mc/fsl-mc-bus.c
-+++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
-@@ -175,8 +175,8 @@ static ssize_t modalias_show(struct devi
- {
- struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
-
-- return sprintf(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor,
-- mc_dev->obj_desc.type);
-+ return sysfs_emit(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor,
-+ mc_dev->obj_desc.type);
- }
- static DEVICE_ATTR_RO(modalias);
-
-@@ -202,7 +202,7 @@ static ssize_t driver_override_show(stru
- {
- struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
-
-- return snprintf(buf, PAGE_SIZE, "%s\n", mc_dev->driver_override);
-+ return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
- }
- static DEVICE_ATTR_RW(driver_override);
-
diff --git a/queue-6.12/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch b/queue-6.12/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
deleted file mode 100644
index 391f962a9e..0000000000
--- a/queue-6.12/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
+++ /dev/null
@@ -1,132 +0,0 @@ -From c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 Mon Sep 17 00:00:00 2001 -From: Anil Gurumurthy -Date: Wed, 10 Dec 2025 15:46:03 +0530 -Subject: scsi: qla2xxx: Fix bsg_done() causing double free - -From: Anil Gurumurthy - -commit c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 upstream. - -Kernel panic observed on system, - -[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000 -[5353358.825194] #PF: supervisor write access in kernel mode -[5353358.825195] #PF: error_code(0x0002) - not-present page -[5353358.825196] PGD 100006067 P4D 0 -[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI -[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1 -[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025 -[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10 -[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246 -[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000 -[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000 -[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000 -[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090 -[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000 -[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000 -[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0 -[5353358.825221] PKRU: 55555554 -[5353358.825222] Call Trace: -[5353358.825223] -[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df -[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df -[5353358.825232] ? sg_copy_buffer+0xc8/0x110 -[5353358.825236] ? __die_body.cold+0x8/0xd -[5353358.825238] ? page_fault_oops+0x134/0x170 -[5353358.825242] ? 
kernelmode_fixup_or_oops+0x84/0x110 -[5353358.825244] ? exc_page_fault+0xa8/0x150 -[5353358.825247] ? asm_exc_page_fault+0x22/0x30 -[5353358.825252] ? memcpy_erms+0x6/0x10 -[5353358.825253] sg_copy_buffer+0xc8/0x110 -[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx] -[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx] - -Most routines in qla_bsg.c call bsg_done() only for success cases. -However a few invoke it for failure case as well leading to a double -free. Validate before calling bsg_done(). - -Cc: stable@vger.kernel.org -Signed-off-by: Anil Gurumurthy -Signed-off-by: Nilesh Javali -Reviewed-by: Himanshu Madhani -Link: https://patch.msgid.link/20251210101604.431868-12-njavali@marvell.com -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/qla2xxx/qla_bsg.c | 28 +++++++++++++++++----------- - 1 file changed, 17 insertions(+), 11 deletions(-) - ---- a/drivers/scsi/qla2xxx/qla_bsg.c -+++ b/drivers/scsi/qla2xxx/qla_bsg.c -@@ -1546,8 +1546,9 @@ qla2x00_update_optrom(struct bsg_job *bs - ha->optrom_buffer = NULL; - ha->optrom_state = QLA_SWAITING; - mutex_unlock(&ha->optrom_mutex); -- bsg_job_done(bsg_job, bsg_reply->result, -- bsg_reply->reply_payload_rcv_len); -+ if (!rval) -+ bsg_job_done(bsg_job, bsg_reply->result, -+ bsg_reply->reply_payload_rcv_len); - return rval; - } - -@@ -2612,8 +2613,9 @@ qla2x00_manage_host_stats(struct bsg_job - sizeof(struct ql_vnd_mng_host_stats_resp)); - - bsg_reply->result = DID_OK; -- bsg_job_done(bsg_job, bsg_reply->result, -- bsg_reply->reply_payload_rcv_len); -+ if (!ret) -+ bsg_job_done(bsg_job, bsg_reply->result, -+ bsg_reply->reply_payload_rcv_len); - - return ret; - } -@@ -2702,8 +2704,9 @@ qla2x00_get_host_stats(struct bsg_job *b - bsg_job->reply_payload.sg_cnt, - data, response_len); - bsg_reply->result = DID_OK; -- bsg_job_done(bsg_job, bsg_reply->result, -- bsg_reply->reply_payload_rcv_len); -+ if (!ret) -+ 
bsg_job_done(bsg_job, bsg_reply->result, -+ bsg_reply->reply_payload_rcv_len); - - kfree(data); - host_stat_out: -@@ -2802,8 +2805,9 @@ reply: - bsg_job->reply_payload.sg_cnt, data, - response_len); - bsg_reply->result = DID_OK; -- bsg_job_done(bsg_job, bsg_reply->result, -- bsg_reply->reply_payload_rcv_len); -+ if (!ret) -+ bsg_job_done(bsg_job, bsg_reply->result, -+ bsg_reply->reply_payload_rcv_len); - - tgt_stat_out: - kfree(data); -@@ -2864,8 +2868,9 @@ qla2x00_manage_host_port(struct bsg_job - bsg_job->reply_payload.sg_cnt, &rsp_data, - sizeof(struct ql_vnd_mng_host_port_resp)); - bsg_reply->result = DID_OK; -- bsg_job_done(bsg_job, bsg_reply->result, -- bsg_reply->reply_payload_rcv_len); -+ if (!ret) -+ bsg_job_done(bsg_job, bsg_reply->result, -+ bsg_reply->reply_payload_rcv_len); - - return ret; - } -@@ -3240,7 +3245,8 @@ int qla2x00_mailbox_passthru(struct bsg_ - - bsg_job->reply_len = sizeof(*bsg_job->reply); - bsg_reply->result = DID_OK << 16; -- bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len); -+ if (!ret) -+ bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len); - - kfree(req_data); - diff --git a/queue-6.12/series b/queue-6.12/series index ce3ae5389d..838738dbd1 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -1,6 +1 @@ -scsi-qla2xxx-fix-bsg_done-causing-double-free.patch -bnxt_en-change-fw-message-timeout-warning.patch -bnxt_en-hide-config_detect_hung_task-specific-code.patch -bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch -bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch revert-driver-core-enforce-device_lock-for-driver_match_device.patch diff --git a/queue-6.18/rust-device-fix-broken-intra-doc-links.patch b/queue-6.18/rust-device-fix-broken-intra-doc-links.patch deleted file mode 100644 index 3c0e36fa95..0000000000 --- a/queue-6.18/rust-device-fix-broken-intra-doc-links.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From a9a42f0754b6c69525612d678b73da790e28b9fd Mon Sep 17 00:00:00 2001 -From: FUJITA Tomonori -Date: Wed, 31 Dec 2025 13:57:28 +0900 -Subject: rust: device: fix broken intra-doc links - -From: FUJITA Tomonori - -commit a9a42f0754b6c69525612d678b73da790e28b9fd upstream. - -The `pci` module is conditional on CONFIG_PCI. When it's disabled, the -intra-doc link to `pci::Device` causes rustdoc warnings: - -warning: unresolved link to `kernel::pci::Device` - --> rust/kernel/device.rs:163:22 - | -163 | /// [`pci::Device`]: kernel::pci::Device - | ^^^^^^^^^^^^^^^^^^^ no item named `pci` in module `kernel` - | - = note: `#[warn(rustdoc::broken_intra_doc_links)]` on by default - -Fix this by making the documentation conditional on CONFIG_PCI. - -Fixes: d6e26c1ae4a6 ("device: rust: expand documentation for Device") -Signed-off-by: FUJITA Tomonori -Reviewed-by: Dirk Behme -Link: https://patch.msgid.link/20251231045728.1912024-2-fujita.tomonori@gmail.com -[ Keep the "such as" part indicating a list of examples; fix typos in - commit message. - Danilo ] -Signed-off-by: Danilo Krummrich -Signed-off-by: Greg Kroah-Hartman ---- - rust/kernel/device.rs | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/rust/kernel/device.rs -+++ b/rust/kernel/device.rs -@@ -62,8 +62,9 @@ pub mod property; - /// - /// # Implementing Bus Devices - /// --/// This section provides a guideline to implement bus specific devices, such as [`pci::Device`] or --/// [`platform::Device`]. -+/// This section provides a guideline to implement bus specific devices, such as: -+#[cfg_attr(CONFIG_PCI, doc = "* [`pci::Device`](kernel::pci::Device)")] -+/// * [`platform::Device`] - /// - /// A bus specific device should be defined as follows. 
- /// -@@ -155,7 +156,6 @@ pub mod property; - /// - /// [`AlwaysRefCounted`]: kernel::types::AlwaysRefCounted - /// [`impl_device_context_deref`]: kernel::impl_device_context_deref --/// [`pci::Device`]: kernel::pci::Device - /// [`platform::Device`]: kernel::platform::Device - #[repr(transparent)] - pub struct Device(Opaque, PhantomData); diff --git a/queue-6.18/rust-dma-fix-broken-intra-doc-links.patch b/queue-6.18/rust-dma-fix-broken-intra-doc-links.patch deleted file mode 100644 index fbf82f14df..0000000000 --- a/queue-6.18/rust-dma-fix-broken-intra-doc-links.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 32cb3840386fd3684fbe8294cfc0a6684417139e Mon Sep 17 00:00:00 2001 -From: FUJITA Tomonori -Date: Wed, 31 Dec 2025 13:57:27 +0900 -Subject: rust: dma: fix broken intra-doc links - -From: FUJITA Tomonori - -commit 32cb3840386fd3684fbe8294cfc0a6684417139e upstream. - -The `pci` module is conditional on CONFIG_PCI. When it's disabled, the -intra-doc link to `pci::Device` causes rustdoc warnings: - -warning: unresolved link to `::kernel::pci::Device` - --> rust/kernel/dma.rs:30:70 - | -30 | /// where the underlying bus is DMA capable, such as [`pci::Device`](::kernel::pci::Device) or - | ^^^^^^^^^^^^^^^^^^^^^ no item named `pci` in module `kernel` - -Fix this by making the documentation conditional on CONFIG_PCI. - -Fixes: d06d5f66f549 ("rust: dma: implement `dma::Device` trait") -Signed-off-by: FUJITA Tomonori -Reviewed-by: Dirk Behme -Link: https://patch.msgid.link/20251231045728.1912024-1-fujita.tomonori@gmail.com -[ Keep the "such as" part indicating a list of examples; fix typos in - commit message. - Danilo ] -Signed-off-by: Danilo Krummrich -Signed-off-by: Greg Kroah-Hartman ---- - rust/kernel/dma.rs | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - ---- a/rust/kernel/dma.rs -+++ b/rust/kernel/dma.rs -@@ -26,8 +26,9 @@ pub type DmaAddress = bindings::dma_addr - /// Trait to be implemented by DMA capable bus devices. - /// - /// The [`dma::Device`](Device) trait should be implemented by bus specific device representations, --/// where the underlying bus is DMA capable, such as [`pci::Device`](::kernel::pci::Device) or --/// [`platform::Device`](::kernel::platform::Device). -+/// where the underlying bus is DMA capable, such as: -+#[cfg_attr(CONFIG_PCI, doc = "* [`pci::Device`](kernel::pci::Device)")] -+/// * [`platform::Device`](::kernel::platform::Device) - pub trait Device: AsRef> { - /// Set up the device's DMA streaming addressing capabilities. - /// 
diff --git a/queue-6.18/rust-driver-fix-broken-intra-doc-links-to-example-driver-types.patch b/queue-6.18/rust-driver-fix-broken-intra-doc-links-to-example-driver-types.patch deleted file mode 100644 index 008b6dde17..0000000000 --- a/queue-6.18/rust-driver-fix-broken-intra-doc-links-to-example-driver-types.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 4c9f6a782f6078dc94450fcb22e65d520bfa0775 Mon Sep 17 00:00:00 2001 -From: Alice Ryhl -Date: Sat, 27 Dec 2025 15:47:21 +0000 -Subject: rust: driver: fix broken intra-doc links to example driver types - -From: Alice Ryhl - -commit 4c9f6a782f6078dc94450fcb22e65d520bfa0775 upstream. - -The `auxiliary` and `pci` modules are conditional on -`CONFIG_AUXILIARY_BUS` and `CONFIG_PCI` respectively. When these are -disabled, the intra-doc links to `auxiliary::Driver` and `pci::Driver` -break, causing rustdoc warnings (or errors with `-D warnings`). - -error: unresolved link to `kernel::auxiliary::Driver` - --> rust/kernel/driver.rs:82:28 - | -82 | //! [`auxiliary::Driver`]: kernel::auxiliary::Driver - | ^^^^^^^^^^^^^^^^^^^^^^^^^ no item named `auxiliary` in module `kernel` - -Fix this by making the documentation for these examples conditional on -the corresponding configuration options. - -Fixes: 970a7c68788e ("driver: rust: expand documentation for driver infrastructure") -Signed-off-by: Alice Ryhl -Reported-by: FUJITA Tomonori -Closes: https://lore.kernel.org/rust-for-linux/20251209.151817.744108529426448097.fujita.tomonori@gmail.com/ -Link: https://patch.msgid.link/20251227-driver-types-v1-1-1916154fbe5e@google.com -Signed-off-by: Danilo Krummrich -Signed-off-by: Greg Kroah-Hartman ---- - rust/kernel/driver.rs | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - ---- a/rust/kernel/driver.rs -+++ b/rust/kernel/driver.rs -@@ -33,7 +33,14 @@ - //! } - //! ``` - //! --//! For specific examples see [`auxiliary::Driver`], [`pci::Driver`] and [`platform::Driver`]. -+//! For specific examples see: -+//! -+//! * [`platform::Driver`](kernel::platform::Driver) -+#![cfg_attr( -+ CONFIG_AUXILIARY_BUS, -+ doc = "* [`auxiliary::Driver`](kernel::auxiliary::Driver)" -+)] -+#![cfg_attr(CONFIG_PCI, doc = "* [`pci::Driver`](kernel::pci::Driver)")] - //! - //! The `probe()` callback should return a `Result>>`, i.e. the driver's private - //! data. 
The bus abstraction should store the pointer in the corresponding bus device. The generic -@@ -79,7 +86,6 @@ - //! - //! For this purpose the generic infrastructure in [`device_id`] should be used. - //! --//! [`auxiliary::Driver`]: kernel::auxiliary::Driver - //! [`Core`]: device::Core - //! [`Device`]: device::Device - //! [`Device`]: device::Device -@@ -87,8 +93,6 @@ - //! [`DeviceContext`]: device::DeviceContext - //! [`device_id`]: kernel::device_id - //! [`module_driver`]: kernel::module_driver --//! [`pci::Driver`]: kernel::pci::Driver --//! [`platform::Driver`]: kernel::platform::Driver - - use crate::error::{Error, Result}; - use crate::{acpi, device, of, str::CStr, try_pin_init, types::Opaque, ThisModule}; diff --git a/queue-6.18/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch b/queue-6.18/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch deleted file mode 100644 index 391f962a9e..0000000000 --- a/queue-6.18/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch +++ /dev/null 
@@ -1,132 +0,0 @@ -From c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 Mon Sep 17 00:00:00 2001 -From: Anil Gurumurthy -Date: Wed, 10 Dec 2025 15:46:03 +0530 -Subject: scsi: qla2xxx: Fix bsg_done() causing double free - -From: Anil Gurumurthy - -commit c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 upstream. - -Kernel panic observed on system, - -[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000 -[5353358.825194] #PF: supervisor write access in kernel mode -[5353358.825195] #PF: error_code(0x0002) - not-present page -[5353358.825196] PGD 100006067 P4D 0 -[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI -[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1 -[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025 -[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10 -[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246 -[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000 -[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000 -[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000 -[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090 -[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000 -[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000 -[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0 -[5353358.825221] PKRU: 55555554 -[5353358.825222] Call Trace: -[5353358.825223] -[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df -[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df -[5353358.825232] ? sg_copy_buffer+0xc8/0x110 -[5353358.825236] ? __die_body.cold+0x8/0xd -[5353358.825238] ? page_fault_oops+0x134/0x170 -[5353358.825242] ? 
kernelmode_fixup_or_oops+0x84/0x110 -[5353358.825244] ? exc_page_fault+0xa8/0x150 -[5353358.825247] ? asm_exc_page_fault+0x22/0x30 -[5353358.825252] ? memcpy_erms+0x6/0x10 -[5353358.825253] sg_copy_buffer+0xc8/0x110 -[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx] -[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx] - -Most routines in qla_bsg.c call bsg_done() only for success cases. -However a few invoke it for failure case as well leading to a double -free. Validate before calling bsg_done(). - -Cc: stable@vger.kernel.org -Signed-off-by: Anil Gurumurthy -Signed-off-by: Nilesh Javali -Reviewed-by: Himanshu Madhani -Link: https://patch.msgid.link/20251210101604.431868-12-njavali@marvell.com -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/qla2xxx/qla_bsg.c | 28 +++++++++++++++++----------- - 1 file changed, 17 insertions(+), 11 deletions(-) - ---- a/drivers/scsi/qla2xxx/qla_bsg.c -+++ b/drivers/scsi/qla2xxx/qla_bsg.c -@@ -1546,8 +1546,9 @@ qla2x00_update_optrom(struct bsg_job *bs - ha->optrom_buffer = NULL; - ha->optrom_state = QLA_SWAITING; - mutex_unlock(&ha->optrom_mutex); -- bsg_job_done(bsg_job, bsg_reply->result, -- bsg_reply->reply_payload_rcv_len); -+ if (!rval) -+ bsg_job_done(bsg_job, bsg_reply->result, -+ bsg_reply->reply_payload_rcv_len); - return rval; - } - -@@ -2612,8 +2613,9 @@ qla2x00_manage_host_stats(struct bsg_job - sizeof(struct ql_vnd_mng_host_stats_resp)); - - bsg_reply->result = DID_OK; -- bsg_job_done(bsg_job, bsg_reply->result, -- bsg_reply->reply_payload_rcv_len); -+ if (!ret) -+ bsg_job_done(bsg_job, bsg_reply->result, -+ bsg_reply->reply_payload_rcv_len); - - return ret; - } -@@ -2702,8 +2704,9 @@ qla2x00_get_host_stats(struct bsg_job *b - bsg_job->reply_payload.sg_cnt, - data, response_len); - bsg_reply->result = DID_OK; -- bsg_job_done(bsg_job, bsg_reply->result, -- bsg_reply->reply_payload_rcv_len); -+ if (!ret) -+ 
bsg_job_done(bsg_job, bsg_reply->result, -+ bsg_reply->reply_payload_rcv_len); - - kfree(data); - host_stat_out: -@@ -2802,8 +2805,9 @@ reply: - bsg_job->reply_payload.sg_cnt, data, - response_len); - bsg_reply->result = DID_OK; -- bsg_job_done(bsg_job, bsg_reply->result, -- bsg_reply->reply_payload_rcv_len); -+ if (!ret) -+ bsg_job_done(bsg_job, bsg_reply->result, -+ bsg_reply->reply_payload_rcv_len); - - tgt_stat_out: - kfree(data); -@@ -2864,8 +2868,9 @@ qla2x00_manage_host_port(struct bsg_job - bsg_job->reply_payload.sg_cnt, &rsp_data, - sizeof(struct ql_vnd_mng_host_port_resp)); - bsg_reply->result = DID_OK; -- bsg_job_done(bsg_job, bsg_reply->result, -- bsg_reply->reply_payload_rcv_len); -+ if (!ret) -+ bsg_job_done(bsg_job, bsg_reply->result, -+ bsg_reply->reply_payload_rcv_len); - - return ret; - } -@@ -3240,7 +3245,8 @@ int qla2x00_mailbox_passthru(struct bsg_ - - bsg_job->reply_len = sizeof(*bsg_job->reply); - bsg_reply->result = DID_OK << 16; -- bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len); -+ if (!ret) -+ bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len); - - kfree(req_data); - diff --git a/queue-6.18/series b/queue-6.18/series index 2c048b5056..838738dbd1 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -1,5 +1 @@ -scsi-qla2xxx-fix-bsg_done-causing-double-free.patch -rust-device-fix-broken-intra-doc-links.patch -rust-dma-fix-broken-intra-doc-links.patch -rust-driver-fix-broken-intra-doc-links-to-example-driver-types.patch revert-driver-core-enforce-device_lock-for-driver_match_device.patch diff --git a/queue-6.19/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch b/queue-6.19/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch deleted file mode 100644 index 391f962a9e..0000000000 --- a/queue-6.19/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch +++ /dev/null 
@@ -1,132 +0,0 @@
-From c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 Mon Sep 17 00:00:00 2001
-From: Anil Gurumurthy
-Date: Wed, 10 Dec 2025 15:46:03 +0530
-Subject: scsi: qla2xxx: Fix bsg_done() causing double free
-
-From: Anil Gurumurthy
-
-commit c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 upstream.
-
-Kernel panic observed on system,
-
-[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
-[5353358.825194] #PF: supervisor write access in kernel mode
-[5353358.825195] #PF: error_code(0x0002) - not-present page
-[5353358.825196] PGD 100006067 P4D 0
-[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
-[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1
-[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025
-[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10
-[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246
-[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000
-[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000
-[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000
-[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090
-[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000
-[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000
-[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0
-[5353358.825221] PKRU: 55555554
-[5353358.825222] Call Trace:
-[5353358.825223]
-[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df
-[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df
-[5353358.825232] ? sg_copy_buffer+0xc8/0x110
-[5353358.825236] ? __die_body.cold+0x8/0xd
-[5353358.825238] ? page_fault_oops+0x134/0x170
-[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110
-[5353358.825244] ? exc_page_fault+0xa8/0x150
-[5353358.825247] ? asm_exc_page_fault+0x22/0x30
-[5353358.825252] ? memcpy_erms+0x6/0x10
-[5353358.825253] sg_copy_buffer+0xc8/0x110
-[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]
-[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]
-
-Most routines in qla_bsg.c call bsg_done() only for success cases.
-However a few invoke it for failure case as well leading to a double
-free. Validate before calling bsg_done().
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Anil Gurumurthy
-Signed-off-by: Nilesh Javali
-Reviewed-by: Himanshu Madhani
-Link: https://patch.msgid.link/20251210101604.431868-12-njavali@marvell.com
-Signed-off-by: Martin K. Petersen
-Signed-off-by: Sasha Levin
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/scsi/qla2xxx/qla_bsg.c | 28 +++++++++++++++++-----------
- 1 file changed, 17 insertions(+), 11 deletions(-)
-
---- a/drivers/scsi/qla2xxx/qla_bsg.c
-+++ b/drivers/scsi/qla2xxx/qla_bsg.c
-@@ -1546,8 +1546,9 @@ qla2x00_update_optrom(struct bsg_job *bs
- ha->optrom_buffer = NULL;
- ha->optrom_state = QLA_SWAITING;
- mutex_unlock(&ha->optrom_mutex);
-- bsg_job_done(bsg_job, bsg_reply->result,
-- bsg_reply->reply_payload_rcv_len);
-+ if (!rval)
-+ bsg_job_done(bsg_job, bsg_reply->result,
-+ bsg_reply->reply_payload_rcv_len);
- return rval;
- }
-
-@@ -2612,8 +2613,9 @@ qla2x00_manage_host_stats(struct bsg_job
- sizeof(struct ql_vnd_mng_host_stats_resp));
-
- bsg_reply->result = DID_OK;
-- bsg_job_done(bsg_job, bsg_reply->result,
-- bsg_reply->reply_payload_rcv_len);
-+ if (!ret)
-+ bsg_job_done(bsg_job, bsg_reply->result,
-+ bsg_reply->reply_payload_rcv_len);
-
- return ret;
- }
-@@ -2702,8 +2704,9 @@ qla2x00_get_host_stats(struct bsg_job *b
- bsg_job->reply_payload.sg_cnt,
- data, response_len);
- bsg_reply->result = DID_OK;
-- bsg_job_done(bsg_job, bsg_reply->result,
-- bsg_reply->reply_payload_rcv_len);
-+ if (!ret)
-+ bsg_job_done(bsg_job, bsg_reply->result,
-+ bsg_reply->reply_payload_rcv_len);
-
- kfree(data);
- host_stat_out:
-@@ -2802,8 +2805,9 @@ reply:
- bsg_job->reply_payload.sg_cnt, data,
- response_len);
- bsg_reply->result = DID_OK;
-- bsg_job_done(bsg_job, bsg_reply->result,
-- bsg_reply->reply_payload_rcv_len);
-+ if (!ret)
-+ bsg_job_done(bsg_job, bsg_reply->result,
-+ bsg_reply->reply_payload_rcv_len);
-
- tgt_stat_out:
- kfree(data);
-@@ -2864,8 +2868,9 @@ qla2x00_manage_host_port(struct bsg_job
- bsg_job->reply_payload.sg_cnt, &rsp_data,
- sizeof(struct ql_vnd_mng_host_port_resp));
- bsg_reply->result = DID_OK;
-- bsg_job_done(bsg_job, bsg_reply->result,
-- bsg_reply->reply_payload_rcv_len);
-+ if (!ret)
-+ bsg_job_done(bsg_job, bsg_reply->result,
-+ bsg_reply->reply_payload_rcv_len);
-
- return ret;
- }
-@@ -3240,7 +3245,8 @@ int qla2x00_mailbox_passthru(struct bsg_
-
- bsg_job->reply_len = sizeof(*bsg_job->reply);
- bsg_reply->result = DID_OK << 16;
-- bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len);
-+ if (!ret)
-+ bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len);
-
- kfree(req_data);
-
diff --git a/queue-6.19/series b/queue-6.19/series
index 240b6c4f78..838738dbd1 100644
--- a/queue-6.19/series
+++ b/queue-6.19/series
@@ -1,2 +1 @@
-scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
 revert-driver-core-enforce-device_lock-for-driver_match_device.patch
diff --git a/queue-6.6/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch b/queue-6.6/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
deleted file mode 100644
index 5f766afbb9..0000000000
--- a/queue-6.6/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From stable+bounces-216262-greg=kroah.com@vger.kernel.org Fri Feb 13 17:24:13 2026
-From: Sasha Levin
-Date: Fri, 13 Feb 2026 11:22:29 -0500
-Subject: bus: fsl-mc: fix use-after-free in driver_override_show()
-To: stable@vger.kernel.org
-Cc: Gui-Dong Han , Ioana Ciornei , "Christophe Leroy (CS GROUP)" , Sasha Levin
-Message-ID: <20260213162229.3559221-2-sashal@kernel.org>
-
-From: Gui-Dong Han
-
-[ Upstream commit 148891e95014b5dc5878acefa57f1940c281c431 ]
-
-The driver_override_show() function reads the driver_override string
-without holding the device_lock. However, driver_override_store() uses
-driver_set_override(), which modifies and frees the string while holding
-the device_lock.
-
-This can result in a concurrent use-after-free if the string is freed
-by the store function while being read by the show function.
-
-Fix this by holding the device_lock around the read operation.
-
-Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus")
-Cc: stable@vger.kernel.org
-Signed-off-by: Gui-Dong Han
-Reviewed-by: Ioana Ciornei
-Link: https://lore.kernel.org/r/20251202174438.12658-1-hanguidong02@gmail.com
-Signed-off-by: Christophe Leroy (CS GROUP)
-Signed-off-by: Sasha Levin
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/bus/fsl-mc/fsl-mc-bus.c
-+++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
-@@ -201,8 +201,12 @@ static ssize_t driver_override_show(stru
- struct device_attribute *attr, char *buf)
- {
- struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
-+ ssize_t len;
-
-- return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
-+ device_lock(dev);
-+ len = sysfs_emit(buf, "%s\n", mc_dev->driver_override);
-+ device_unlock(dev);
-+ return len;
- }
- static DEVICE_ATTR_RW(driver_override);
-
diff --git a/queue-6.6/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch b/queue-6.6/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
deleted file mode 100644
index 65cb80ede1..0000000000
--- a/queue-6.6/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From stable+bounces-216261-greg=kroah.com@vger.kernel.org Fri Feb 13 17:22:36 2026
-From: Sasha Levin
-Date: Fri, 13 Feb 2026 11:22:28 -0500
-Subject: bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show functions
-To: stable@vger.kernel.org
-Cc: Chelsy Ratnawat , Ioana Ciornei , Christophe Leroy , Sasha Levin
-Message-ID: <20260213162229.3559221-1-sashal@kernel.org>
-
-From: Chelsy Ratnawat
-
-[ Upstream commit a50522c805a6c575c80f41b04706e084d814e116 ]
-
-Use sysfs_emit() instead of snprintf()/sprintf() when writing
-to sysfs buffers, as recommended by the kernel documentation.
-
-Signed-off-by: Chelsy Ratnawat
-Acked-by: Ioana Ciornei
-Link: https://lore.kernel.org/r/20250822124339.1739290-1-chelsyratnawat2001@gmail.com
-Signed-off-by: Christophe Leroy
-Stable-dep-of: 148891e95014 ("bus: fsl-mc: fix use-after-free in driver_override_show()")
-Signed-off-by: Sasha Levin
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
---- a/drivers/bus/fsl-mc/fsl-mc-bus.c
-+++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
-@@ -175,8 +175,8 @@ static ssize_t modalias_show(struct devi
- {
- struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
-
-- return sprintf(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor,
-- mc_dev->obj_desc.type);
-+ return sysfs_emit(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor,
-+ mc_dev->obj_desc.type);
- }
- static DEVICE_ATTR_RO(modalias);
-
-@@ -202,7 +202,7 @@ static ssize_t driver_override_show(stru
- {
- struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
-
-- return snprintf(buf, PAGE_SIZE, "%s\n", mc_dev->driver_override);
-+ return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
- }
- static DEVICE_ATTR_RW(driver_override);
-
diff --git a/queue-6.6/pci-endpoint-avoid-creating-sub-groups-asynchronously.patch b/queue-6.6/pci-endpoint-avoid-creating-sub-groups-asynchronously.patch
deleted file mode 100644
index f55ee7a342..0000000000
--- a/queue-6.6/pci-endpoint-avoid-creating-sub-groups-asynchronously.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From stable+bounces-216462-greg=kroah.com@vger.kernel.org Sat Feb 14 02:49:31 2026
-From: Sasha Levin
-Date: Fri, 13 Feb 2026 20:49:23 -0500
-Subject: PCI: endpoint: Avoid creating sub-groups asynchronously
-To: stable@vger.kernel.org
-Cc: Liu Song , Manivannan Sadhasivam , Bjorn Helgaas , stable@kernel.org, Sasha Levin
-Message-ID: <20260214014923.3899226-2-sashal@kernel.org>
-
-From: Liu Song
-
-[ Upstream commit 7c5c7d06bd1f86d2c3ebe62be903a4ba42db4d2c ]
-
-The asynchronous creation of sub-groups by a delayed work could lead to a
-NULL pointer dereference when the driver directory is removed before the
-work completes.
-
-The crash can be easily reproduced with the following commands:
-
- # cd /sys/kernel/config/pci_ep/functions/pci_epf_test
- # for i in {1..20}; do mkdir test && rmdir test; done
-
- BUG: kernel NULL pointer dereference, address: 0000000000000088
- ...
- Call Trace:
- configfs_register_group+0x3d/0x190
- pci_epf_cfs_work+0x41/0x110
- process_one_work+0x18f/0x350
- worker_thread+0x25a/0x3a0
-
-Fix this issue by using configfs_add_default_group() API which does not
-have the deadlock problem as configfs_register_group() and does not require
-the delayed work handler.
-
-Fixes: e85a2d783762 ("PCI: endpoint: Add support in configfs to associate two EPCs with EPF")
-Signed-off-by: Liu Song
-[mani: slightly reworded the description and added stable list]
-Signed-off-by: Manivannan Sadhasivam
-Signed-off-by: Bjorn Helgaas
-Cc: stable@kernel.org
-Link: https://patch.msgid.link/20250710143845409gLM6JdlwPhlHG9iX3F6jK@zte.com.cn
-Signed-off-by: Sasha Levin
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/pci/endpoint/pci-ep-cfs.c | 15 +++++----------
- 1 file changed, 5 insertions(+), 10 deletions(-)
-
---- a/drivers/pci/endpoint/pci-ep-cfs.c
-+++ b/drivers/pci/endpoint/pci-ep-cfs.c
-@@ -23,7 +23,6 @@ struct pci_epf_group {
- struct config_group group;
- struct config_group primary_epc_group;
- struct config_group secondary_epc_group;
-- struct delayed_work cfs_work;
- struct pci_epf *epf;
- int index;
- };
-@@ -100,7 +99,7 @@ static struct config_group
- secondary_epc_group = &epf_group->secondary_epc_group;
- config_group_init_type_name(secondary_epc_group, "secondary",
- &pci_secondary_epc_type);
-- configfs_register_group(&epf_group->group, secondary_epc_group);
-+ configfs_add_default_group(secondary_epc_group, &epf_group->group);
-
- return secondary_epc_group;
- }
-@@ -160,7 +159,7 @@ static struct config_group
-
- config_group_init_type_name(primary_epc_group, "primary",
- &pci_primary_epc_type);
-- configfs_register_group(&epf_group->group, primary_epc_group);
-+ configfs_add_default_group(primary_epc_group, &epf_group->group);
-
- return primary_epc_group;
- }
-@@ -561,15 +560,13 @@ static void pci_ep_cfs_add_type_group(st
- return;
- }
-
-- configfs_register_group(&epf_group->group, group);
-+ configfs_add_default_group(group, &epf_group->group);
- }
-
--static void pci_epf_cfs_work(struct work_struct *work)
-+static void pci_epf_cfs_add_sub_groups(struct pci_epf_group *epf_group)
- {
-- struct pci_epf_group *epf_group;
- struct config_group *group;
-
-- epf_group = container_of(work, struct pci_epf_group, cfs_work.work);
- group = pci_ep_cfs_add_primary_group(epf_group);
- if (IS_ERR(group)) {
- pr_err("failed to create 'primary' EPC interface\n");
-@@ -628,9 +625,7 @@ static struct config_group *pci_epf_make
-
- kfree(epf_name);
-
-- INIT_DELAYED_WORK(&epf_group->cfs_work, pci_epf_cfs_work);
-- queue_delayed_work(system_wq, &epf_group->cfs_work,
-- msecs_to_jiffies(1));
-+ pci_epf_cfs_add_sub_groups(epf_group);
-
- return &epf_group->group;
-
diff --git a/queue-6.6/pci-endpoint-remove-unused-field-in-struct-pci_epf_group.patch b/queue-6.6/pci-endpoint-remove-unused-field-in-struct-pci_epf_group.patch
deleted file mode 100644
index 3ba537ef34..0000000000
--- a/queue-6.6/pci-endpoint-remove-unused-field-in-struct-pci_epf_group.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From stable+bounces-216461-greg=kroah.com@vger.kernel.org Sat Feb 14 02:49:28 2026
-From: Sasha Levin
-Date: Fri, 13 Feb 2026 20:49:22 -0500
-Subject: PCI: endpoint: Remove unused field in struct pci_epf_group
-To: stable@vger.kernel.org
-Cc: "Christophe JAILLET" , "Krzysztof Wilczyński" , "Bjorn Helgaas" , "Sasha Levin"
-Message-ID: <20260214014923.3899226-1-sashal@kernel.org>
-
-From: Christophe JAILLET
-
-[ Upstream commit 328e4dffbeecc0f2cc5a149dee6c11a0577c9671 ]
-
-In "struct pci_epf_group", the 'type_group' field is unused.
-
-This was added, but already unused, by commit 70b3740f2c19 ("PCI: endpoint:
-Automatically create a function specific attributes group").
-
-Thus, remove it.
-
-Found with cppcheck, unusedStructMember.
-
-[kwilczynski: commit log]
-Link: https://lore.kernel.org/linux-pci/6507d44b6c60a19af35a605e2d58050be8872ab6.1712341008.git.christophe.jaillet@wanadoo.fr
-Signed-off-by: Christophe JAILLET
-Signed-off-by: Krzysztof Wilczyński
-Signed-off-by: Bjorn Helgaas
-Stable-dep-of: 7c5c7d06bd1f ("PCI: endpoint: Avoid creating sub-groups asynchronously")
-Signed-off-by: Sasha Levin
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/pci/endpoint/pci-ep-cfs.c | 1 -
- 1 file changed, 1 deletion(-)
-
---- a/drivers/pci/endpoint/pci-ep-cfs.c
-+++ b/drivers/pci/endpoint/pci-ep-cfs.c
-@@ -23,7 +23,6 @@ struct pci_epf_group {
- struct config_group group;
- struct config_group primary_epc_group;
- struct config_group secondary_epc_group;
-- struct config_group *type_group;
- struct delayed_work cfs_work;
- struct pci_epf *epf;
- int index;
diff --git a/queue-6.6/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch b/queue-6.6/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
deleted file mode 100644
index 391f962a9e..0000000000
--- a/queue-6.6/scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 Mon Sep 17 00:00:00 2001
-From: Anil Gurumurthy
-Date: Wed, 10 Dec 2025 15:46:03 +0530
-Subject: scsi: qla2xxx: Fix bsg_done() causing double free
-
-From: Anil Gurumurthy
-
-commit c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 upstream.
-
-Kernel panic observed on system,
-
-[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
-[5353358.825194] #PF: supervisor write access in kernel mode
-[5353358.825195] #PF: error_code(0x0002) - not-present page
-[5353358.825196] PGD 100006067 P4D 0
-[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
-[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1
-[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025
-[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10
-[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246
-[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000
-[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000
-[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000
-[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090
-[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000
-[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000
-[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0
-[5353358.825221] PKRU: 55555554
-[5353358.825222] Call Trace:
-[5353358.825223]
-[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df
-[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df
-[5353358.825232] ? sg_copy_buffer+0xc8/0x110
-[5353358.825236] ? __die_body.cold+0x8/0xd
-[5353358.825238] ? page_fault_oops+0x134/0x170
-[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110
-[5353358.825244] ? exc_page_fault+0xa8/0x150
-[5353358.825247] ? asm_exc_page_fault+0x22/0x30
-[5353358.825252] ? memcpy_erms+0x6/0x10
-[5353358.825253] sg_copy_buffer+0xc8/0x110
-[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]
-[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]
-
-Most routines in qla_bsg.c call bsg_done() only for success cases.
-However a few invoke it for failure case as well leading to a double
-free. Validate before calling bsg_done().
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Anil Gurumurthy
-Signed-off-by: Nilesh Javali
-Reviewed-by: Himanshu Madhani
-Link: https://patch.msgid.link/20251210101604.431868-12-njavali@marvell.com
-Signed-off-by: Martin K. Petersen
-Signed-off-by: Sasha Levin
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/scsi/qla2xxx/qla_bsg.c | 28 +++++++++++++++++-----------
- 1 file changed, 17 insertions(+), 11 deletions(-)
-
---- a/drivers/scsi/qla2xxx/qla_bsg.c
-+++ b/drivers/scsi/qla2xxx/qla_bsg.c
-@@ -1546,8 +1546,9 @@ qla2x00_update_optrom(struct bsg_job *bs
- ha->optrom_buffer = NULL;
- ha->optrom_state = QLA_SWAITING;
- mutex_unlock(&ha->optrom_mutex);
-- bsg_job_done(bsg_job, bsg_reply->result,
-- bsg_reply->reply_payload_rcv_len);
-+ if (!rval)
-+ bsg_job_done(bsg_job, bsg_reply->result,
-+ bsg_reply->reply_payload_rcv_len);
- return rval;
- }
-
-@@ -2612,8 +2613,9 @@ qla2x00_manage_host_stats(struct bsg_job
- sizeof(struct ql_vnd_mng_host_stats_resp));
-
- bsg_reply->result = DID_OK;
-- bsg_job_done(bsg_job, bsg_reply->result,
-- bsg_reply->reply_payload_rcv_len);
-+ if (!ret)
-+ bsg_job_done(bsg_job, bsg_reply->result,
-+ bsg_reply->reply_payload_rcv_len);
-
- return ret;
- }
-@@ -2702,8 +2704,9 @@ qla2x00_get_host_stats(struct bsg_job *b
- bsg_job->reply_payload.sg_cnt,
- data, response_len);
- bsg_reply->result = DID_OK;
-- bsg_job_done(bsg_job, bsg_reply->result,
-- bsg_reply->reply_payload_rcv_len);
-+ if (!ret)
-+ bsg_job_done(bsg_job, bsg_reply->result,
-+ bsg_reply->reply_payload_rcv_len);
-
- kfree(data);
- host_stat_out:
-@@ -2802,8 +2805,9 @@ reply:
- bsg_job->reply_payload.sg_cnt, data,
- response_len);
- bsg_reply->result = DID_OK;
-- bsg_job_done(bsg_job, bsg_reply->result,
-- bsg_reply->reply_payload_rcv_len);
-+ if (!ret)
-+ bsg_job_done(bsg_job, bsg_reply->result,
-+ bsg_reply->reply_payload_rcv_len);
-
- tgt_stat_out:
- kfree(data);
-@@ -2864,8 +2868,9 @@ qla2x00_manage_host_port(struct bsg_job
- bsg_job->reply_payload.sg_cnt, &rsp_data,
- sizeof(struct ql_vnd_mng_host_port_resp));
- bsg_reply->result = DID_OK;
-- bsg_job_done(bsg_job, bsg_reply->result,
-- bsg_reply->reply_payload_rcv_len);
-+ if (!ret)
-+ bsg_job_done(bsg_job, bsg_reply->result,
-+ bsg_reply->reply_payload_rcv_len);
-
- return ret;
- }
-@@ -3240,7 +3245,8 @@ int qla2x00_mailbox_passthru(struct bsg_
-
- bsg_job->reply_len = sizeof(*bsg_job->reply);
- bsg_reply->result = DID_OK << 16;
-- bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len);
-+ if (!ret)
-+ bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len);
-
- kfree(req_data);
-
diff --git a/queue-6.6/series b/queue-6.6/series
index 14baaa7bf9..838738dbd1 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -1,6 +1 @@
-scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
-pci-endpoint-remove-unused-field-in-struct-pci_epf_group.patch
-pci-endpoint-avoid-creating-sub-groups-asynchronously.patch
-bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
-bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
 revert-driver-core-enforce-device_lock-for-driver_match_device.patch
-- 2.47.3