6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 23 Mar 2026 13:09:22 +0000 (14:09 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 23 Mar 2026 13:09:22 +0000 (14:09 +0100)
added patches:
i2c-cp2615-fix-serial-string-null-deref-at-probe.patch
i2c-cp2615-replace-deprecated-strncpy-with-strscpy.patch
nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
revert-nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
revert-selftests-net-amt-wait-longer-for-connection-before-sending-packets.patch

queue-6.1/i2c-cp2615-fix-serial-string-null-deref-at-probe.patch [new file with mode: 0644]
queue-6.1/i2c-cp2615-replace-deprecated-strncpy-with-strscpy.patch [new file with mode: 0644]
queue-6.1/nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch [new file with mode: 0644]
queue-6.1/revert-nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch [new file with mode: 0644]
queue-6.1/revert-selftests-net-amt-wait-longer-for-connection-before-sending-packets.patch [new file with mode: 0644]
queue-6.1/series

diff --git a/queue-6.1/i2c-cp2615-fix-serial-string-null-deref-at-probe.patch b/queue-6.1/i2c-cp2615-fix-serial-string-null-deref-at-probe.patch
new file mode 100644 (file)
index 0000000..370a1b2
--- /dev/null
@@ -0,0 +1,43 @@
+From stable+bounces-227971-greg=kroah.com@vger.kernel.org Mon Mar 23 14:01:18 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 08:56:30 -0400
+Subject: i2c: cp2615: fix serial string NULL-deref at probe
+To: stable@vger.kernel.org
+Cc: "Johan Hovold" <johan@kernel.org>, "Bence Csókás" <bence98@sch.bme.hu>, "Andi Shyti" <andi.shyti@kernel.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20260323125630.1651316-2-sashal@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit aa79f996eb41e95aed85a1bd7f56bcd6a3842008 ]
+
+The cp2615 driver uses the USB device serial string as the i2c adapter
+name but does not make sure that the string exists.
+
+Verify that the device has a serial number before accessing it to avoid
+triggering a NULL-pointer dereference (e.g. with malicious devices).
+
+Fixes: 4a7695429ead ("i2c: cp2615: add i2c driver for Silicon Labs' CP2615 Digital Audio Bridge")
+Cc: stable@vger.kernel.org     # 5.13
+Cc: Bence Csókás <bence98@sch.bme.hu>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Bence Csókás <bence98@sch.bme.hu>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20260309075016.25612-1-johan@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-cp2615.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-cp2615.c
++++ b/drivers/i2c/busses/i2c-cp2615.c
+@@ -298,6 +298,9 @@ cp2615_i2c_probe(struct usb_interface *u
+       if (!adap)
+               return -ENOMEM;
++      if (!usbdev->serial)
++              return -EINVAL;
++
+       strscpy(adap->name, usbdev->serial, sizeof(adap->name));
+       adap->owner = THIS_MODULE;
+       adap->dev.parent = &usbif->dev;
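Review bot: The added `if (!usbdev->serial) return -EINVAL;` refuses the device without logging anything, so a device rejected for lacking a serial string (the commit message names malicious devices) looks like any other probe failure. A short message before the return, e.g. `dev_err(&usbif->dev, "missing serial string\n");` with the branch braced, would make the rejection visible to whoever triages it. The check also sits after the `adap` allocation shown in the context lines; moving it above would avoid allocating for a device that is about to be refused. Nothing appears to leak either way, since the sibling patch's description shows the allocation is `devm_kzalloc`. cp2615_i2c_probe starts and ends outside the hunk.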
diff --git a/queue-6.1/i2c-cp2615-replace-deprecated-strncpy-with-strscpy.patch b/queue-6.1/i2c-cp2615-replace-deprecated-strncpy-with-strscpy.patch
new file mode 100644 (file)
index 0000000..a29082f
--- /dev/null
@@ -0,0 +1,53 @@
+From stable+bounces-227970-greg=kroah.com@vger.kernel.org Mon Mar 23 14:05:16 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Mar 2026 08:56:29 -0400
+Subject: i2c: cp2615: replace deprecated strncpy with strscpy
+To: stable@vger.kernel.org
+Cc: Justin Stitt <justinstitt@google.com>, Kees Cook <keescook@chromium.org>, Wolfram Sang <wsa@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260323125630.1651316-1-sashal@kernel.org>
+
+From: Justin Stitt <justinstitt@google.com>
+
+[ Upstream commit e2def33f9ee1b1a8cda4ec5cde69840b5708f068 ]
+
+`strncpy` is deprecated for use on NUL-terminated destination strings [1].
+
+We should prefer more robust and less ambiguous string interfaces.
+
+We expect name to be NUL-terminated based on its numerous uses with
+functions that expect NUL-terminated strings.
+
+For example in i2c-core-base.c +1533:
+| dev_dbg(&adap->dev, "adapter [%s] registered\n", adap->name);
+
+NUL-padding is not required as `adap` is already zero-alloacted with:
+| adap = devm_kzalloc(&usbif->dev, sizeof(struct i2c_adapter), GFP_KERNEL);
+
+With the above in mind, a suitable replacement is `strscpy` [2] due to
+the fact that it guarantees NUL-termination on the destination buffer
+without unnecessarily NUL-padding.
+
+Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
+Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
+Link: https://github.com/KSPP/linux/issues/90
+Signed-off-by: Justin Stitt <justinstitt@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Stable-dep-of: aa79f996eb41 ("i2c: cp2615: fix serial string NULL-deref at probe")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-cp2615.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-cp2615.c
++++ b/drivers/i2c/busses/i2c-cp2615.c
+@@ -298,7 +298,7 @@ cp2615_i2c_probe(struct usb_interface *u
+       if (!adap)
+               return -ENOMEM;
+-      strncpy(adap->name, usbdev->serial, sizeof(adap->name) - 1);
++      strscpy(adap->name, usbdev->serial, sizeof(adap->name));
+       adap->owner = THIS_MODULE;
+       adap->dev.parent = &usbif->dev;
+       adap->dev.of_node = usbif->dev.of_node;
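Review bot: The new `strscpy(adap->name, usbdev->serial, sizeof(adap->name));` discards its return value, so a device-supplied serial string longer than the name buffer is truncated silently. strscpy() returns a negative error (-E2BIG) on truncation, so this is cheap to detect: `if (strscpy(adap->name, usbdev->serial, sizeof(adap->name)) < 0) dev_warn(&usbif->dev, "serial string truncated\n");`. Whether a truncated adapter name matters here (for example for telling two adapters apart) cannot be determined from the hunk. cp2615_i2c_probe starts and ends outside the hunk.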
diff --git a/queue-6.1/nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch b/queue-6.1/nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
new file mode 100644 (file)
index 0000000..f8e51c2
--- /dev/null
@@ -0,0 +1,94 @@
+From jsingh@cloudlinux.com Mon Feb 23 18:24:22 2026
+From: Jaskaran Singh <jsingh@cloudlinux.com>
+Date: Mon, 23 Feb 2026 22:54:05 +0530
+Subject: nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()
+To: stable@vger.kernel.org, james.smart@broadcom.com, kbusch@kernel.org, axboe@fb.com, hch@lst.de, sagi@grimberg.me
+Cc: linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, gregkh@linuxfoundation.org, Jaskaran Singh <jsingh@cloudlinux.com>, Marco Patalano <mpatalan@redhat.com>, Justin Tee <justin.tee@broadcom.com>, "Ewan D . Milne" <emilne@redhat.com>
+Message-ID: <20260223172405.292040-3-jsingh@cloudlinux.com>
+
+From: Jaskaran Singh <jsingh@cloudlinux.com>
+
+commit 0a2c5495b6d1ecb0fa18ef6631450f391a888256 upstream.
+
+nvme_fc_delete_assocation() waits for pending I/O to complete before
+returning, and an error can cause ->ioerr_work to be queued after
+cancel_work_sync() had been called.  Move the call to cancel_work_sync() to
+be after nvme_fc_delete_association() to ensure ->ioerr_work is not running
+when the nvme_fc_ctrl object is freed.  Otherwise the following can occur:
+
+[ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL
+[ 1135.917705] ------------[ cut here ]------------
+[ 1135.922336] kernel BUG at lib/list_debug.c:52!
+[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI
+[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)
+[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025
+[ 1135.950969] Workqueue:  0x0 (nvme-wq)
+[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b
+[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046
+[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000
+[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0
+[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08
+[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100
+[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0
+[ 1136.020677] FS:  0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000
+[ 1136.028765] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0
+[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
+[ 1136.055910] PKRU: 55555554
+[ 1136.058623] Call Trace:
+[ 1136.061074]  <TASK>
+[ 1136.063179]  ? show_trace_log_lvl+0x1b0/0x2f0
+[ 1136.067540]  ? show_trace_log_lvl+0x1b0/0x2f0
+[ 1136.071898]  ? move_linked_works+0x4a/0xa0
+[ 1136.075998]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.081744]  ? __die_body.cold+0x8/0x12
+[ 1136.085584]  ? die+0x2e/0x50
+[ 1136.088469]  ? do_trap+0xca/0x110
+[ 1136.091789]  ? do_error_trap+0x65/0x80
+[ 1136.095543]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.101289]  ? exc_invalid_op+0x50/0x70
+[ 1136.105127]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.110874]  ? asm_exc_invalid_op+0x1a/0x20
+[ 1136.115059]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f
+[ 1136.120806]  move_linked_works+0x4a/0xa0
+[ 1136.124733]  worker_thread+0x216/0x3a0
+[ 1136.128485]  ? __pfx_worker_thread+0x10/0x10
+[ 1136.132758]  kthread+0xfa/0x240
+[ 1136.135904]  ? __pfx_kthread+0x10/0x10
+[ 1136.139657]  ret_from_fork+0x31/0x50
+[ 1136.143236]  ? __pfx_kthread+0x10/0x10
+[ 1136.146988]  ret_from_fork_asm+0x1a/0x30
+[ 1136.150915]  </TASK>
+
+Fixes: 19fce0470f05 ("nvme-fc: avoid calling _nvme_fc_abort_outstanding_ios from interrupt context")
+Cc: stable@vger.kernel.org
+Tested-by: Marco Patalano <mpatalan@redhat.com>
+Reviewed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jaskaran Singh <jsingh@cloudlinux.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/fc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -3264,13 +3264,13 @@ nvme_fc_delete_ctrl(struct nvme_ctrl *nc
+ {
+       struct nvme_fc_ctrl *ctrl = to_fc_ctrl(nctrl);
+-      cancel_work_sync(&ctrl->ioerr_work);
+       cancel_delayed_work_sync(&ctrl->connect_work);
+       /*
+        * kill the association on the link side.  this will block
+        * waiting for io to terminate
+        */
+       nvme_fc_delete_association(ctrl);
++      cancel_work_sync(&ctrl->ioerr_work);
+ }
+ static void
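Review bot: Nothing in nvme_fc_delete_ctrl() records why `cancel_work_sync(&ctrl->ioerr_work);` must now come after `nvme_fc_delete_association(ctrl);`, and the ordering is what prevents the use-after-free-style list corruption shown in the commit message. A later cleanup could move the call back up next to `cancel_delayed_work_sync()` without noticing. I would add a comment above the moved line such as `/* ioerr_work can be queued while the association is torn down; cancel it last so it is not pending when ctrl is freed */`. This matters all the more because, per the accompanying revert, an earlier backport of this change landed in the wrong function.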
diff --git a/queue-6.1/revert-nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch b/queue-6.1/revert-nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
new file mode 100644 (file)
index 0000000..8ee5271
--- /dev/null
@@ -0,0 +1,40 @@
+From stable+bounces-217804-greg=kroah.com@vger.kernel.org Mon Feb 23 18:31:24 2026
+From: Jaskaran Singh <jsingh@cloudlinux.com>
+Date: Mon, 23 Feb 2026 22:54:04 +0530
+Subject: Revert "nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()"
+To: stable@vger.kernel.org, james.smart@broadcom.com, kbusch@kernel.org, axboe@fb.com, hch@lst.de, sagi@grimberg.me
+Cc: linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, gregkh@linuxfoundation.org, Jaskaran Singh <jsingh@cloudlinux.com>
+Message-ID: <20260223172405.292040-2-jsingh@cloudlinux.com>
+
+From: Jaskaran Singh <jsingh@cloudlinux.com>
+
+This reverts commit 3d81beae4753db3b3dc5b70dc300d4036e0d9cb8.
+
+The backport of upstream commit 0a2c5495b6d1 was incorrectly applied.
+The cancel_work_sync() call for ->ioerr_work was added to
+nvme_fc_reset_ctrl_work() instead of nvme_fc_delete_ctrl().
+
+Signed-off-by: Jaskaran Singh <jsingh@cloudlinux.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/fc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -3264,6 +3264,7 @@ nvme_fc_delete_ctrl(struct nvme_ctrl *nc
+ {
+       struct nvme_fc_ctrl *ctrl = to_fc_ctrl(nctrl);
++      cancel_work_sync(&ctrl->ioerr_work);
+       cancel_delayed_work_sync(&ctrl->connect_work);
+       /*
+        * kill the association on the link side.  this will block
+@@ -3334,7 +3335,6 @@ nvme_fc_reset_ctrl_work(struct work_stru
+       /* will block will waiting for io to terminate */
+       nvme_fc_delete_association(ctrl);
+-      cancel_work_sync(&ctrl->ioerr_work);
+       if (!nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_CONNECTING))
+               dev_err(ctrl->ctrl.device,
diff --git a/queue-6.1/revert-selftests-net-amt-wait-longer-for-connection-before-sending-packets.patch b/queue-6.1/revert-selftests-net-amt-wait-longer-for-connection-before-sending-packets.patch
new file mode 100644 (file)
index 0000000..3045cc5
--- /dev/null
@@ -0,0 +1,59 @@
+From stable+bounces-222894-greg=kroah.com@vger.kernel.org Tue Mar  3 15:38:15 2026
+From: Nathan Gao <zcgao@amazon.com>
+Date: Tue, 3 Mar 2026 06:37:50 -0800
+Subject: Revert "selftests: net: amt: wait longer for connection before sending packets"
+To: <stable@vger.kernel.org>
+Cc: <gregkh@linuxfoundation.org>, <sashal@kernel.org>, <davem@davemloft.net>, <edumazet@google.com>, <kuba@kernel.org>, <pabeni@redhat.com>, <shuah@kernel.org>, <netdev@vger.kernel.org>, <linux-kselftest@vger.kernel.org>, <linux-kernel@vger.kernel.org>, <ap420073@gmail.com>, <zcgao@amazon.com>
+Message-ID: <20260303143750.57741-1-zcgao@amazon.com>
+
+From: Nathan Gao <zcgao@amazon.com>
+
+This reverts commit 7724036d4804222007689cd69f248347eb154793 which is
+commit 04708606fd7bdc34b69089a4ff848ff36d7088f9 upstream.
+
+The reverted patch introduced dependency on lib.sh under net selftests.
+The file was introduced in v6.8-rc1 via commit 25ae948b4478
+("selftests/net: add lib.sh").
+
+Without lib.sh, the amt test fails with:
+./amt.sh: line 76: source: lib.sh: file not found
+
+The whole history of lib.sh includes about 50 commits and considering
+the file never landed on 6.1 it may be better to not introduce it.
+
+Signed-off-by: Nathan Gao <zcgao@amazon.com>
+Acked-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/amt.sh |    7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/tools/testing/selftests/net/amt.sh
++++ b/tools/testing/selftests/net/amt.sh
+@@ -73,8 +73,6 @@
+ #       +------------------------+
+ #==============================================================================
+-source lib.sh
+-
+ readonly LISTENER=$(mktemp -u listener-XXXXXXXX)
+ readonly GATEWAY=$(mktemp -u gateway-XXXXXXXX)
+ readonly RELAY=$(mktemp -u relay-XXXXXXXX)
+@@ -242,15 +240,14 @@ test_ipv6_forward()
+ send_mcast4()
+ {
+-      sleep 5
+-      wait_local_port_listen ${LISTENER} 4000 udp
++      sleep 2
+       ip netns exec "${SOURCE}" bash -c \
+               'printf "%s %128s" 172.17.0.2 | nc -w 1 -u 239.0.0.1 4000' &
+ }
+ send_mcast6()
+ {
+-      wait_local_port_listen ${LISTENER} 6000 udp
++      sleep 2
+       ip netns exec "${SOURCE}" bash -c \
+               'printf "%s %128s" 2001:db8:3::2 | nc -w 1 -u ff0e::5:6 6000' &
+ }
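Review bot: The fixed `sleep 2` restored in send_mcast4() and send_mcast6() does not guarantee the listener is bound before `nc` sends, so the test can race on a slow or loaded machine. That is the price of dropping `wait_local_port_listen` along with lib.sh, and the reason is only recorded in the commit message. A one-line comment at both sites would keep it visible in the script, e.g. `# fixed delay: wait_local_port_listen needs lib.sh, which 6.1 does not carry`.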
index 4790ac083569b21bafc251c3ded61bcd7824f694..fe69d651519940c4e90800e67ff653f96c487f77 100644 (file)
@@ -474,3 +474,8 @@ netfilter-nf_tables-missing-objects-with-no-memcg-accounting.patch
 netfilter-nft_set_pipapo-prevent-overflow-in-lookup-table-allocation.patch
 wifi-brcmfmac-fix-use-after-free-when-rescheduling-brcmf_btcoex_info-work.patch
 riscv-stacktrace-disable-kasan-checks-for-non-current-tasks.patch
+i2c-cp2615-replace-deprecated-strncpy-with-strscpy.patch
+i2c-cp2615-fix-serial-string-null-deref-at-probe.patch
+revert-nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
+nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
+revert-selftests-net-amt-wait-longer-for-connection-before-sending-packets.patch