From 8096c9cbf1601f170aae291d7a01c36eb363afaf Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 16 Feb 2026 10:52:53 +0100
Subject: [PATCH] 6.12-stable patches
added patches:
bnxt_en-change-fw-message-timeout-warning.patch
bnxt_en-hide-config_detect_hung_task-specific-code.patch
bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
---
...en-change-fw-message-timeout-warning.patch | 77 +++++++++++++++++++
...onfig_detect_hung_task-specific-code.patch | 44 +++++++++++
...e-after-free-in-driver_override_show.patch | 50 ++++++++++++
...h-sysfs_emit-in-sysfs-show-functions.patch | 48 ++++++++++++
queue-6.12/series | 4 +
5 files changed, 223 insertions(+)
create mode 100644 queue-6.12/bnxt_en-change-fw-message-timeout-warning.patch
create mode 100644 queue-6.12/bnxt_en-hide-config_detect_hung_task-specific-code.patch
create mode 100644 queue-6.12/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
create mode 100644 queue-6.12/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
diff --git a/queue-6.12/bnxt_en-change-fw-message-timeout-warning.patch b/queue-6.12/bnxt_en-change-fw-message-timeout-warning.patch
new file mode 100644
index 0000000000..a21aa2f93d
--- /dev/null
+++ b/queue-6.12/bnxt_en-change-fw-message-timeout-warning.patch
@@ -0,0 +1,77 @@
+From 0fcad44a86bdc2b5f202d91ba1eeeee6fceb7b25 Mon Sep 17 00:00:00 2001
+From: Michael Chan
+Date: Thu, 17 Apr 2025 10:24:45 -0700
+Subject: bnxt_en: Change FW message timeout warning
+
+From: Michael Chan
+
+commit 0fcad44a86bdc2b5f202d91ba1eeeee6fceb7b25 upstream.
+
+The firmware advertises a "hwrm_cmd_max_timeout" value to the driver
+for NVRAM and coredump related functions that can take tens of seconds
+to complete. The driver polls for the operation to complete under
+mutex and may trigger hung task watchdog warning if the wait is too long.
+To warn the user about this, the driver currently prints a warning if
+this advertised value exceeds 40 seconds:
+
+Device requests max timeout of %d seconds, may trigger hung task watchdog
+
+Initially, we chose 40 seconds, well below the kernel's default
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT (120 seconds) to avoid triggering
+the hung task watchdog. But 60 seconds is the timeout on most
+production FW and cannot be reduced further. Change the driver's warning
+threshold to 60 seconds to avoid triggering this warning on all
+production devices. We also print the warning if the value exceeds
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT which may be set to architecture
+specific defaults as low as 10 seconds.
+
+Reviewed-by: Kalesh AP
+Reviewed-by: Pavan Chebbi
+Reviewed-by: Andy Gospodarek
+Signed-off-by: Michael Chan
+Link: https://patch.msgid.link/20250417172448.1206107-2-michael.chan@broadcom.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 11 +++++++----
+ drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.h | 2 +-
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -9770,7 +9770,7 @@ static int bnxt_hwrm_ver_get(struct bnxt
+ struct hwrm_ver_get_input *req;
+ u16 fw_maj, fw_min, fw_bld, fw_rsv;
+ u32 dev_caps_cfg, hwrm_ver;
+- int rc, len;
++ int rc, len, max_tmo_secs;
+
+ rc = hwrm_req_init(bp, req, HWRM_VER_GET);
+ if (rc)
+@@ -9843,9 +9843,12 @@ static int bnxt_hwrm_ver_get(struct bnxt
+ bp->hwrm_cmd_max_timeout = le16_to_cpu(resp->max_req_timeout) * 1000;
+ if (!bp->hwrm_cmd_max_timeout)
+ bp->hwrm_cmd_max_timeout = HWRM_CMD_MAX_TIMEOUT;
+- else if (bp->hwrm_cmd_max_timeout > HWRM_CMD_MAX_TIMEOUT)
+- netdev_warn(bp->dev, "Device requests max timeout of %d seconds, may trigger hung task watchdog\n",
+- bp->hwrm_cmd_max_timeout / 1000);
++ max_tmo_secs = bp->hwrm_cmd_max_timeout / 1000;
++ if (bp->hwrm_cmd_max_timeout > HWRM_CMD_MAX_TIMEOUT ||
++ max_tmo_secs > CONFIG_DEFAULT_HUNG_TASK_TIMEOUT) {
++ netdev_warn(bp->dev, "Device requests max timeout of %d seconds, may trigger hung task watchdog (kernel default %ds)\n",
++ max_tmo_secs, CONFIG_DEFAULT_HUNG_TASK_TIMEOUT);
++ }
+
+ if (resp->hwrm_intf_maj_8b >= 1) {
+ bp->hwrm_max_req_len = le16_to_cpu(resp->max_req_win_len);
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.h
+@@ -58,7 +58,7 @@ void hwrm_update_token(struct bnxt *bp,
+
+ #define BNXT_HWRM_MAX_REQ_LEN (bp->hwrm_max_req_len)
+ #define BNXT_HWRM_SHORT_REQ_LEN sizeof(struct hwrm_short_input)
+-#define HWRM_CMD_MAX_TIMEOUT 40000U
++#define HWRM_CMD_MAX_TIMEOUT 60000U
+ #define SHORT_HWRM_CMD_TIMEOUT 20
+ #define HWRM_CMD_TIMEOUT (bp->hwrm_cmd_timeout)
+ #define HWRM_RESET_TIMEOUT ((HWRM_CMD_TIMEOUT) * 4)
diff --git a/queue-6.12/bnxt_en-hide-config_detect_hung_task-specific-code.patch b/queue-6.12/bnxt_en-hide-config_detect_hung_task-specific-code.patch
new file mode 100644
index 0000000000..7df89eb005
--- /dev/null
+++ b/queue-6.12/bnxt_en-hide-config_detect_hung_task-specific-code.patch
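Review bot: In the second bnxt.c hunk the firmware-reported `resp->max_req_timeout` is still stored in `bp->hwrm_cmd_max_timeout` without an upper bound; the reworked check only logs when it exceeds `HWRM_CMD_MAX_TIMEOUT` or `CONFIG_DEFAULT_HUNG_TASK_TIMEOUT`. Since the commit message says the driver polls under a mutex for up to this long, a misbehaving device can presumably still hold that path for the full 16-bit range of seconds. If no clamp is wanted, a comment above the check would make the decision explicit, e.g. `/* FW-supplied value is used as-is; we only warn, callers may wait this long */`. `bnxt_hwrm_ver_get()` starts and ends outside the hunk, so any bounding done elsewhere is not visible here.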
@@ -0,0 +1,44 @@
+From 8ff6175139967cd17b2a62bca4b2de2559942b7e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Wed, 23 Apr 2025 18:28:21 +0200
+Subject: bnxt_en: hide CONFIG_DETECT_HUNG_TASK specific code
+
+From: Arnd Bergmann
+
+commit 8ff6175139967cd17b2a62bca4b2de2559942b7e upstream.
+
+The CONFIG_DEFAULT_HUNG_TASK_TIMEOUT setting is only available when the
+hung task detection is enabled, otherwise the code now produces a build
+failure:
+
+drivers/net/ethernet/broadcom/bnxt/bnxt.c:10188:21: error: use of undeclared identifier 'CONFIG_DEFAULT_HUNG_TASK_TIMEOUT'
+ 10188 | max_tmo_secs > CONFIG_DEFAULT_HUNG_TASK_TIMEOUT) {
+
+Enclose this warning logic in an #ifdef to ensure this builds.
+
+Fixes: 0fcad44a86bd ("bnxt_en: Change FW message timeout warning")
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Michael Chan
+Link: https://patch.msgid.link/20250423162827.2189658-1-arnd@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -9844,11 +9844,13 @@ static int bnxt_hwrm_ver_get(struct bnxt
+ if (!bp->hwrm_cmd_max_timeout)
+ bp->hwrm_cmd_max_timeout = HWRM_CMD_MAX_TIMEOUT;
+ max_tmo_secs = bp->hwrm_cmd_max_timeout / 1000;
++#ifdef CONFIG_DETECT_HUNG_TASK
+ if (bp->hwrm_cmd_max_timeout > HWRM_CMD_MAX_TIMEOUT ||
+ max_tmo_secs > CONFIG_DEFAULT_HUNG_TASK_TIMEOUT) {
+ netdev_warn(bp->dev, "Device requests max timeout of %d seconds, may trigger hung task watchdog (kernel default %ds)\n",
+ max_tmo_secs, CONFIG_DEFAULT_HUNG_TASK_TIMEOUT);
+ }
++#endif
+
+ if (resp->hwrm_intf_maj_8b >= 1) {
+ bp->hwrm_max_req_len = le16_to_cpu(resp->max_req_win_len);
diff --git a/queue-6.12/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch b/queue-6.12/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
new file mode 100644
index 0000000000..81ffecf619
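Review bot: With `CONFIG_DETECT_HUNG_TASK` disabled, `max_tmo_secs` is still assigned on the line just above the new `#ifdef` but is never read, and the guard also compiles out the `HWRM_CMD_MAX_TIMEOUT` comparison, so an oversized firmware timeout is accepted with no log line at all on such builds. Neither effect is stated in the code; a short comment above the guard would record the intent, e.g. `/* warning is only meaningful with the hung task detector; max_tmo_secs is otherwise unused */`. The set-but-unused variable may also show up in builds with extra warnings enabled, though that depends on flags not visible here. The declaration of `max_tmo_secs` and the rest of `bnxt_hwrm_ver_get()` are outside this hunk.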
--- /dev/null
+++ b/queue-6.12/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
@@ -0,0 +1,50 @@
+From stable+bounces-216258-greg=kroah.com@vger.kernel.org Fri Feb 13 17:12:28 2026
+From: Sasha Levin
+Date: Fri, 13 Feb 2026 11:12:19 -0500
+Subject: bus: fsl-mc: fix use-after-free in driver_override_show()
+To: stable@vger.kernel.org
+Cc: Gui-Dong Han , Ioana Ciornei , "Christophe Leroy (CS GROUP)" , Sasha Levin
+Message-ID: <20260213161219.3554825-2-sashal@kernel.org>
+
+From: Gui-Dong Han
+
+[ Upstream commit 148891e95014b5dc5878acefa57f1940c281c431 ]
+
+The driver_override_show() function reads the driver_override string
+without holding the device_lock. However, driver_override_store() uses
+driver_set_override(), which modifies and frees the string while holding
+the device_lock.
+
+This can result in a concurrent use-after-free if the string is freed
+by the store function while being read by the show function.
+
+Fix this by holding the device_lock around the read operation.
+
+Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gui-Dong Han
+Reviewed-by: Ioana Ciornei
+Link: https://lore.kernel.org/r/20251202174438.12658-1-hanguidong02@gmail.com
+Signed-off-by: Christophe Leroy (CS GROUP)
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -201,8 +201,12 @@ static ssize_t driver_override_show(stru
+ struct device_attribute *attr, char *buf)
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
++ ssize_t len;
+
+- return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
++ device_lock(dev);
++ len = sysfs_emit(buf, "%s\n", mc_dev->driver_override);
++ device_unlock(dev);
++ return len;
+ }
+ static DEVICE_ATTR_RW(driver_override);
+
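Review bot: The reason `driver_override_show()` now takes `device_lock(dev)` around `sysfs_emit()` is recorded only in the commit message, so a later cleanup could drop the lock and reopen the use-after-free against the store path. A one-line comment above the lock would keep the pairing visible in the code, e.g. `/* driver_set_override() may free driver_override under device_lock */`. The store function is outside this hunk, so the pairing is taken from the commit description rather than from visible lines.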
diff --git a/queue-6.12/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch b/queue-6.12/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
new file mode 100644
index 0000000000..20a85ce69d
--- /dev/null
+++ b/queue-6.12/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
@@ -0,0 +1,48 @@
+From stable+bounces-216257-greg=kroah.com@vger.kernel.org Fri Feb 13 17:12:24 2026
+From: Sasha Levin
+Date: Fri, 13 Feb 2026 11:12:18 -0500
+Subject: bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show functions
+To: stable@vger.kernel.org
+Cc: Chelsy Ratnawat , Ioana Ciornei , Christophe Leroy , Sasha Levin
+Message-ID: <20260213161219.3554825-1-sashal@kernel.org>
+
+From: Chelsy Ratnawat
+
+[ Upstream commit a50522c805a6c575c80f41b04706e084d814e116 ]
+
+Use sysfs_emit() instead of snprintf()/sprintf() when writing
+to sysfs buffers, as recommended by the kernel documentation.
+
+Signed-off-by: Chelsy Ratnawat
+Acked-by: Ioana Ciornei
+Link: https://lore.kernel.org/r/20250822124339.1739290-1-chelsyratnawat2001@gmail.com
+Signed-off-by: Christophe Leroy
+Stable-dep-of: 148891e95014 ("bus: fsl-mc: fix use-after-free in driver_override_show()")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -175,8 +175,8 @@ static ssize_t modalias_show(struct devi
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
+
+- return sprintf(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor,
+- mc_dev->obj_desc.type);
++ return sysfs_emit(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor,
++ mc_dev->obj_desc.type);
+ }
+ static DEVICE_ATTR_RO(modalias);
+
+@@ -202,7 +202,7 @@ static ssize_t driver_override_show(stru
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
+
+- return snprintf(buf, PAGE_SIZE, "%s\n", mc_dev->driver_override);
++ return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
+ }
+ static DEVICE_ATTR_RW(driver_override);
+
diff --git a/queue-6.12/series b/queue-6.12/series
index 40eb4524d6..2fbca806bc 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -1 +1,5 @@
 scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
+bnxt_en-change-fw-message-timeout-warning.patch
+bnxt_en-hide-config_detect_hung_task-specific-code.patch
+bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
+bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
-- 2.47.3