From ef3e3768f14546ac667fe8731b7dd4012c28f5ba Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 16 Feb 2026 10:59:24 +0100
Subject: [PATCH] 6.6-stable patches

added patches:
bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
pci-endpoint-avoid-creating-sub-groups-asynchronously.patch
pci-endpoint-remove-unused-field-in-struct-pci_epf_group.patch
---
...e-after-free-in-driver_override_show.patch | 50 +++++++++
...h-sysfs_emit-in-sysfs-show-functions.patch | 48 ++++++++
...d-creating-sub-groups-asynchronously.patch | 103 ++++++++++++++++++
...unused-field-in-struct-pci_epf_group.patch | 43 ++++++++
queue-6.6/series | 4 +
5 files changed, 248 insertions(+)
create mode 100644 queue-6.6/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
create mode 100644 queue-6.6/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
create mode 100644 queue-6.6/pci-endpoint-avoid-creating-sub-groups-asynchronously.patch
create mode 100644 queue-6.6/pci-endpoint-remove-unused-field-in-struct-pci_epf_group.patch

diff --git a/queue-6.6/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch b/queue-6.6/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
new file mode 100644
index 0000000000..5f766afbb9
--- /dev/null
+++ b/queue-6.6/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
@@ -0,0 +1,50 @@
+From stable+bounces-216262-greg=kroah.com@vger.kernel.org Fri Feb 13 17:24:13 2026
+From: Sasha Levin
+Date: Fri, 13 Feb 2026 11:22:29 -0500
+Subject: bus: fsl-mc: fix use-after-free in driver_override_show()
+To: stable@vger.kernel.org
+Cc: Gui-Dong Han , Ioana Ciornei , "Christophe Leroy (CS GROUP)" , Sasha Levin
+Message-ID: <20260213162229.3559221-2-sashal@kernel.org>
+
+From: Gui-Dong Han
+
+[ Upstream commit 148891e95014b5dc5878acefa57f1940c281c431 ]
+
+The driver_override_show() function reads the driver_override string
+without holding the device_lock. However, driver_override_store() uses
+driver_set_override(), which modifies and frees the string while holding
+the device_lock.
+
+This can result in a concurrent use-after-free if the string is freed
+by the store function while being read by the show function.
+
+Fix this by holding the device_lock around the read operation.
+
+Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gui-Dong Han
+Reviewed-by: Ioana Ciornei
+Link: https://lore.kernel.org/r/20251202174438.12658-1-hanguidong02@gmail.com
+Signed-off-by: Christophe Leroy (CS GROUP)
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -201,8 +201,12 @@ static ssize_t driver_override_show(stru
+ struct device_attribute *attr, char *buf)
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
++ ssize_t len;
+
+- return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
++ device_lock(dev);
++ len = sysfs_emit(buf, "%s\n", mc_dev->driver_override);
++ device_unlock(dev);
++ return len;
+ }
+ static DEVICE_ATTR_RW(driver_override);
+
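Review bot: The new `device_lock(dev)`/`device_unlock(dev)` pair around `sysfs_emit()` carries no comment saying which writer it pairs with, and that pairing is the entire fix, so a later cleanup could easily drop it as needless locking around a plain read; a one-liner above `device_lock(dev);` such as `/* driver_override_store() frees the old string via driver_set_override() under device_lock */` would pin the reason (the body of `driver_override_store()` is outside the hunk). The patch closes the race only for this reader: any other consumer of `mc_dev->driver_override` in this file, presumably the bus match callback, is outside the hunk, and it is worth confirming it runs under `device_lock` or otherwise cannot race with the store path. `sysfs_emit()` with a NULL `driver_override` still prints `(null)`, which is pre-existing behaviour and not something this patch needs to change.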
diff --git a/queue-6.6/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch b/queue-6.6/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
new file mode 100644
index 0000000000..65cb80ede1
--- /dev/null
+++ b/queue-6.6/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
@@ -0,0 +1,48 @@
+From stable+bounces-216261-greg=kroah.com@vger.kernel.org Fri Feb 13 17:22:36 2026
+From: Sasha Levin
+Date: Fri, 13 Feb 2026 11:22:28 -0500
+Subject: bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show functions
+To: stable@vger.kernel.org
+Cc: Chelsy Ratnawat , Ioana Ciornei , Christophe Leroy , Sasha Levin
+Message-ID: <20260213162229.3559221-1-sashal@kernel.org>
+
+From: Chelsy Ratnawat
+
+[ Upstream commit a50522c805a6c575c80f41b04706e084d814e116 ]
+
+Use sysfs_emit() instead of snprintf()/sprintf() when writing
+to sysfs buffers, as recommended by the kernel documentation.
+
+Signed-off-by: Chelsy Ratnawat
+Acked-by: Ioana Ciornei
+Link: https://lore.kernel.org/r/20250822124339.1739290-1-chelsyratnawat2001@gmail.com
+Signed-off-by: Christophe Leroy
+Stable-dep-of: 148891e95014 ("bus: fsl-mc: fix use-after-free in driver_override_show()")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -175,8 +175,8 @@ static ssize_t modalias_show(struct devi
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
+
+- return sprintf(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor,
+- mc_dev->obj_desc.type);
++ return sysfs_emit(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor,
++ mc_dev->obj_desc.type);
+ }
+ static DEVICE_ATTR_RO(modalias);
+
+@@ -202,7 +202,7 @@ static ssize_t driver_override_show(stru
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
+
+- return snprintf(buf, PAGE_SIZE, "%s\n", mc_dev->driver_override);
++ return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
+ }
+ static DEVICE_ATTR_RW(driver_override);
+
diff --git a/queue-6.6/pci-endpoint-avoid-creating-sub-groups-asynchronously.patch b/queue-6.6/pci-endpoint-avoid-creating-sub-groups-asynchronously.patch
new file mode 100644
index 0000000000..f55ee7a342
--- /dev/null
+++ b/queue-6.6/pci-endpoint-avoid-creating-sub-groups-asynchronously.patch
@@ -0,0 +1,103 @@
+From stable+bounces-216462-greg=kroah.com@vger.kernel.org Sat Feb 14 02:49:31 2026
+From: Sasha Levin
+Date: Fri, 13 Feb 2026 20:49:23 -0500
+Subject: PCI: endpoint: Avoid creating sub-groups asynchronously
+To: stable@vger.kernel.org
+Cc: Liu Song , Manivannan Sadhasivam , Bjorn Helgaas , stable@kernel.org, Sasha Levin
+Message-ID: <20260214014923.3899226-2-sashal@kernel.org>
+
+From: Liu Song
+
+[ Upstream commit 7c5c7d06bd1f86d2c3ebe62be903a4ba42db4d2c ]
+
+The asynchronous creation of sub-groups by a delayed work could lead to a
+NULL pointer dereference when the driver directory is removed before the
+work completes.
+
+The crash can be easily reproduced with the following commands:
+
+ # cd /sys/kernel/config/pci_ep/functions/pci_epf_test
+ # for i in {1..20}; do mkdir test && rmdir test; done
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000088
+ ...
+ Call Trace:
+ configfs_register_group+0x3d/0x190
+ pci_epf_cfs_work+0x41/0x110
+ process_one_work+0x18f/0x350
+ worker_thread+0x25a/0x3a0
+
+Fix this issue by using configfs_add_default_group() API which does not
+have the deadlock problem as configfs_register_group() and does not require
+the delayed work handler.
+
+Fixes: e85a2d783762 ("PCI: endpoint: Add support in configfs to associate two EPCs with EPF")
+Signed-off-by: Liu Song
+[mani: slightly reworded the description and added stable list]
+Signed-off-by: Manivannan Sadhasivam
+Signed-off-by: Bjorn Helgaas
+Cc: stable@kernel.org
+Link: https://patch.msgid.link/20250710143845409gLM6JdlwPhlHG9iX3F6jK@zte.com.cn
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/endpoint/pci-ep-cfs.c | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+--- a/drivers/pci/endpoint/pci-ep-cfs.c
++++ b/drivers/pci/endpoint/pci-ep-cfs.c
+@@ -23,7 +23,6 @@ struct pci_epf_group {
+ struct config_group group;
+ struct config_group primary_epc_group;
+ struct config_group secondary_epc_group;
+- struct delayed_work cfs_work;
+ struct pci_epf *epf;
+ int index;
+ };
+@@ -100,7 +99,7 @@ static struct config_group
+ secondary_epc_group = &epf_group->secondary_epc_group;
+ config_group_init_type_name(secondary_epc_group, "secondary",
+ &pci_secondary_epc_type);
+- configfs_register_group(&epf_group->group, secondary_epc_group);
++ configfs_add_default_group(secondary_epc_group, &epf_group->group);
+
+ return secondary_epc_group;
+ }
+@@ -160,7 +159,7 @@ static struct config_group
+
+ config_group_init_type_name(primary_epc_group, "primary",
+ &pci_primary_epc_type);
+- configfs_register_group(&epf_group->group, primary_epc_group);
++ configfs_add_default_group(primary_epc_group, &epf_group->group);
+
+ return primary_epc_group;
+ }
+@@ -561,15 +560,13 @@ static void pci_ep_cfs_add_type_group(st
+ return;
+ }
+
+- configfs_register_group(&epf_group->group, group);
++ configfs_add_default_group(group, &epf_group->group);
+ }
+
+-static void pci_epf_cfs_work(struct work_struct *work)
++static void pci_epf_cfs_add_sub_groups(struct pci_epf_group *epf_group)
+ {
+- struct pci_epf_group *epf_group;
+ struct config_group *group;
+
+- epf_group = container_of(work, struct pci_epf_group, cfs_work.work);
+ group = pci_ep_cfs_add_primary_group(epf_group);
+ if (IS_ERR(group)) {
+ pr_err("failed to create 'primary' EPC interface\n");
+@@ -628,9 +625,7 @@ static struct config_group *pci_epf_make
+
+ kfree(epf_name);
+
+- INIT_DELAYED_WORK(&epf_group->cfs_work, pci_epf_cfs_work);
+- queue_delayed_work(system_wq, &epf_group->cfs_work,
+- msecs_to_jiffies(1));
++ pci_epf_cfs_add_sub_groups(epf_group);
+
+ return &epf_group->group;
+
diff --git a/queue-6.6/pci-endpoint-remove-unused-field-in-struct-pci_epf_group.patch b/queue-6.6/pci-endpoint-remove-unused-field-in-struct-pci_epf_group.patch
new file mode 100644
index 0000000000..3ba537ef34
--- /dev/null
+++ b/queue-6.6/pci-endpoint-remove-unused-field-in-struct-pci_epf_group.patch
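Review bot: `pci_epf_cfs_add_sub_groups()` is now called synchronously from `pci_epf_make()` but is still `void`, so the `IS_ERR(group)` failure it reports with `pr_err()` is swallowed and the visible tail of `pci_epf_make()` returns `&epf_group->group` regardless, leaving a function directory whose `primary`/`secondary`/type sub-groups are missing while the mkdir reports success. The delayed-work design had no way to report this, but the synchronous one does: have the helper return `int` (the `PTR_ERR()` it already detects) and let `pci_epf_make()` take its existing unwind path and return `ERR_PTR()` on failure; that path and the head of `pci_epf_make()` lie outside the hunk. As far as the hunk shows, `pci_ep_cfs_add_primary_group()` ends with an unconditional `return primary_epc_group;`, so the `IS_ERR()` check on its result may be dead; if its head (outside the hunk) has no error return either, drop the check rather than keep something that looks like error handling. A short comment above the new `pci_epf_cfs_add_sub_groups(epf_group);` call, e.g. `/* add the default sub-groups now, before the group is attached; configfs_register_group() from here would deadlock */`, would record why this must stay synchronous and not be turned back into deferred work.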
@@ -0,0 +1,43 @@
+From stable+bounces-216461-greg=kroah.com@vger.kernel.org Sat Feb 14 02:49:28 2026
+From: Sasha Levin
+Date: Fri, 13 Feb 2026 20:49:22 -0500
+Subject: PCI: endpoint: Remove unused field in struct pci_epf_group
+To: stable@vger.kernel.org
+Cc: "Christophe JAILLET" , "Krzysztof Wilczyński" , "Bjorn Helgaas" , "Sasha Levin"
+Message-ID: <20260214014923.3899226-1-sashal@kernel.org>
+
+From: Christophe JAILLET
+
+[ Upstream commit 328e4dffbeecc0f2cc5a149dee6c11a0577c9671 ]
+
+In "struct pci_epf_group", the 'type_group' field is unused.
+
+This was added, but already unused, by commit 70b3740f2c19 ("PCI: endpoint:
+Automatically create a function specific attributes group").
+
+Thus, remove it.
+
+Found with cppcheck, unusedStructMember.
+
+[kwilczynski: commit log]
+Link: https://lore.kernel.org/linux-pci/6507d44b6c60a19af35a605e2d58050be8872ab6.1712341008.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Krzysztof Wilczyński
+Signed-off-by: Bjorn Helgaas
+Stable-dep-of: 7c5c7d06bd1f ("PCI: endpoint: Avoid creating sub-groups asynchronously")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/endpoint/pci-ep-cfs.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/pci/endpoint/pci-ep-cfs.c
++++ b/drivers/pci/endpoint/pci-ep-cfs.c
+@@ -23,7 +23,6 @@ struct pci_epf_group {
+ struct config_group group;
+ struct config_group primary_epc_group;
+ struct config_group secondary_epc_group;
+- struct config_group *type_group;
+ struct delayed_work cfs_work;
+ struct pci_epf *epf;
+ int index;
diff --git a/queue-6.6/series b/queue-6.6/series
index 40eb4524d6..40aa01ad23 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -1 +1,5 @@
 scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
+pci-endpoint-remove-unused-field-in-struct-pci_epf_group.patch
+pci-endpoint-avoid-creating-sub-groups-asynchronously.patch
+bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_emit-in-sysfs-show-functions.patch
+bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
--
2.47.3