summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-05-23pinctrl: qcom: spmi-gpio: Add PM8010 GPIO supportFenglin Wu
Add PM8010 GPIO support with its compatible string and match data. Signed-off-by: Fenglin Wu <fenglin.wu@oss.qualcomm.com> Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> Signed-off-by: Linus Walleij <linusw@kernel.org>
2026-05-23dt-bindings: pinctrl: qcom,pmic-gpio: Document PM8010 GPIO supportFenglin Wu
Update the binding documentation to include the compatible string for PM8010 PMIC which has 2 GPIO modules. Signed-off-by: Fenglin Wu <fenglin.wu@oss.qualcomm.com> Acked-by: Rob Herring (Arm) <robh@kernel.org> Signed-off-by: Linus Walleij <linusw@kernel.org>
2026-05-23pinctrl: qcom: Add Shikra pinctrl driverKomal Bajaj
Add pinctrl driver for TLMM block found in Shikra SoC. Signed-off-by: Komal Bajaj <komal.bajaj@oss.qualcomm.com> Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> Reviewed-by: Bjorn Andersson <andersson@kernel.org> Signed-off-by: Linus Walleij <linusw@kernel.org>
2026-05-23dt-bindings: pinctrl: qcom: Document Shikra Top Level Mode MultiplexerKomal Bajaj
Add a DeviceTree binding to describe the TLMM block on Qualcomm's Shikra SoC. Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Signed-off-by: Komal Bajaj <komal.bajaj@oss.qualcomm.com> Reviewed-by: Bjorn Andersson <andersson@kernel.org> Signed-off-by: Linus Walleij <linusw@kernel.org>
2026-05-23bpf/arena: Add bpf_arena_map_kern_vm_start() and bpf_prog_arena()Tejun Heo
struct bpf_arena is opaque to callers outside arena.c. Add two helpers for struct_ops subsystems that need to reach into an arena: bpf_arena_map_kern_vm_start(struct bpf_map *map) returns @map's kern_vm_start. A sched_ext follow-up needs this to translate kern_va <-> uaddr. bpf_prog_arena(struct bpf_prog *prog) returns the bpf_map of the arena referenced by @prog (NULL if @prog references no arena). The verifier enforces at most one arena per program. Used by struct_ops callers that auto-discover an arena from a member prog and need to take a map reference. Suggested-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Signed-off-by: Tejun Heo <tj@kernel.org> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260522172219.1423324-6-tj@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-23bpf: Add bpf_struct_ops_for_each_prog()Tejun Heo
Add a helper that walks the member progs of the struct_ops map containing a given @kdata vmtable. struct_ops ->reg() callbacks (and similar) sometimes need to inspect the loaded BPF programs, e.g. to discover maps they reference via prog->aux->used_maps. The implementation mirrors bpf_struct_ops_id(): container_of @kdata to recover the bpf_struct_ops_map, then iterate st_map->links[i]->prog for i in [0, funcs_cnt). Same access pattern, no new locking - by the time ->reg() fires st_map is fully populated and stable. A sched_ext follow-up walks the member progs of a cid-form scheduler's struct_ops map, reads prog->aux->arena directly, and requires all member progs to reference exactly one arena, without requiring the BPF program to call a registration kfunc. Signed-off-by: Tejun Heo <tj@kernel.org> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260522172219.1423324-5-tj@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-23bpf: Add sleepable variant of bpf_arena_alloc_pages for kernel callersTejun Heo
The existing kernel-side export of bpf_arena_alloc_pages is _non_sleepable only - it's used by the verifier to inline the kfunc when the call site is non-sleepable. There is no sleepable equivalent for kernel callers. The kfunc bpf_arena_alloc_pages itself is BPF-only. sched_ext needs sleepable kernel-side allocs for its arena pool init/grow paths. Add bpf_arena_alloc_pages_sleepable() mirroring the _non_sleepable wrapper but passing sleepable=true to arena_alloc_pages(). Signed-off-by: Tejun Heo <tj@kernel.org> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Link: https://lore.kernel.org/r/20260522172219.1423324-4-tj@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-23bpf: Recover arena kernel faults with scratch pageKumar Kartikeya Dwivedi
BPF arena usage is becoming more prevalent, but kernel <-> BPF communication over arena memory is awkward today. Data has to be staged through a trusted kernel pointer with extra code and copying on the BPF side. While reads through arena pointers can use a fault-safe helper, writes don't have a good solution. The in-line alternative would need instruction emulation or asm fixup labels. Enable direct kernel-side reads and writes within GUARD_SZ / 2 of any handed-in arena pointer, without bounds checking. A per-arena scratch page is installed by the arch fault path into empty arena kernel PTEs - x86 from page_fault_oops() for not-present faults, arm64 from __do_kernel_fault() for translation faults, both after the existing exception-table and KFENCE handling. The faulting instruction retries and the access is also reported through the program's BPF stream, preserving error reporting. bpf_prog_find_from_stack() resolves the current BPF program (and its arena) from the kernel stack - no new bpf_run_ctx state is added. Recovery covers the 4 GiB arena plus the upper half-guard (GUARD_SZ / 2). The lower half-guard is excluded because well-behaved kfuncs only access forward from arena pointers. The kfunc-author contract - access at most GUARD_SZ / 2 past a handed-in pointer - is documented in Documentation/bpf/kfuncs.rst. The install is lock-free via ptep_try_set(). On race-loss the winning installer's PTE is already valid, so the access retry succeeds. The arena clear path uses ptep_get_and_clear() so installer and clearer race through atomic accessors. No flush_tlb_kernel_range() afterwards. Stale "not mapped" entries just cause one extra re-fault, cheaper than a global IPI on every install. Scratch exists only to keep the kernel from oopsing on an in-line arena access. Its presence at a PTE means the BPF program has already malfunctioned, and the violation is reported through the program's BPF stream. The only requirement for behavior on a scratched PTE is that the kernel doesn't crash. In particular, any user-side access through such a PTE may segfault. The shared scratch page is freed once during map destruction. BPF instruction faults continue to use the existing JIT exception-table path. This patch changes only the kernel-text fault path. No UAPI flag is added. The new behavior is the default. v2: Use ptep_get_and_clear() in apply_range_clear_cb(). (David) v3: Stub bpf_arena_handle_page_fault() for !CONFIG_BPF_SYSCALL. (lkp) Suggested-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Signed-off-by: Tejun Heo <tj@kernel.org> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com> Cc: David Hildenbrand <david@kernel.org> Link: https://lore.kernel.org/r/20260522172219.1423324-3-tj@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-23mm: Add ptep_try_set() for lockless empty-slot installsTejun Heo
Add ptep_try_set(ptep, new_pte): atomically set *ptep to new_pte iff it is currently pte_none(). Returns true on success, false if the slot was already populated or the arch has no implementation. The intended caller is the upcoming bpf_arena kernel-side fault recovery path. The install runs from a page fault that can be nested under locks held by the faulting kernel caller (e.g. a BPF program holding raw_res_spin_lock_irqsave on its arena's spinlock), so trylock-and-retry would A-A deadlock. Lock-free cmpxchg is the only viable option, which constrains this helper to special kernel page tables where concurrent writers cooperate via atomic accessors. The generic version in <linux/pgtable.h> returns false. x86 and arm64 override with try_cmpxchg-based implementations on the underlying pteval. Other architectures get the false stub - the callers there already fall through to oops. v2: Rename to ptep_try_set(). Tighten kerneldoc. (David, Alexei) v3: Note that strict-zero cmpxchg is narrower than pte_none(). (Andrea) Suggested-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Suggested-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Tejun Heo <tj@kernel.org> Reviewed-by: Andrea Righi <arighi@nvidia.com> Cc: David Hildenbrand <david@kernel.org> Acked-by: David Hildenbrand (arm) <david@kernel.org> Link: https://lore.kernel.org/r/20260522172219.1423324-2-tj@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-23Merge tag 'renesas-pinctrl-for-v7.2-tag1' of ↵Linus Walleij
git://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-drivers into devel pinctrl: renesas: Updates for v7.2 - Save/restore more registers during suspend/resume on the RZ/G2L and RZ/V2H SoC families, - Add support for the RZ/G3L (R9A08G046) SoC, - Add support for pinconf-groups in debugfs on EMMA Mobile, SH/R-Mobile, R-Car, RZ/G1, and RZ/G2 SoCs, - Miscellaneous fixes and improvements. Signed-off-by: Linus Walleij <linusw@kernel.org>
2026-05-23KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum #1235)Tina Zhang
Hygon Family 18h CPUs are derived from AMD Family 17h (Zen1) silicon and share the same erratum #1235: hardware may read a stale IsRunning=1 bit during ICR write emulation and silently fail to generate an AVIC_IPI_FAILURE_TARGET_NOT_RUNNING VM-Exit on the sending vCPU. The absence of the VM-Exit causes KVM to miss the required wakeup of blocking target vCPUs, leading to hung vCPUs and unbounded delays in guest execution. Extend the existing AMD Family 17h erratum #1235 workaround to also cover Hygon Family 18h. With IPI virtualization disabled, KVM never sets IsRunning=1 in the Physical ID table, so every non-self IPI generates a VM-Exit and is correctly emulated. Fixes: 8de4a1c8164e ("KVM: SVM: Disable (x2)AVIC IPI virtualization if CPU has erratum #1235") Cc: <stable@vger.kernel.org> Signed-off-by: Tina Zhang <zhang_wei@open-hieco.net> Message-ID: <20260522040014.3380201-1-zhang_wei@open-hieco.net>
2026-05-23KVM: selftests: Verify that KVM returns the configured APIC cycle lengthSean Christopherson
Add checks in the APIC bus clock test to verify that querying KVM_CAP_X86_APIC_BUS_CYCLES_NS on the VM after changing the frequency returns the VM's actual APIC cycle length, not KVM's default. For giggles, verify that KVM still returns its default frequency for the system-scoped check. Signed-off-by: Sean Christopherson <seanjc@google.com> Message-ID: <20260522173526.3539407-3-seanjc@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2026-05-23KVM: x86: Return the VM's configured APIC bus frequency when queriedSean Christopherson
When KVM_CAP_X86_APIC_BUS_CYCLES_NS is queried on a specific VM, return the VM's configured APIC bus frequency, not KVM's default. Aside from the fact that returning the default frequency is blatantly wrong if userspace has changed the frequency, returning the configured frequency means userspace can blindly trust the result, e.g. when filling PV CPUID information that communicates the APIC bus frequency to the guest. Fixes: 6fef518594bc ("KVM: x86: Add a capability to configure bus frequency for APIC timer") Reported-by: David Woodhouse <dwmw2@infradead.org> Closes: https://lore.kernel.org/all/ab84153e33fbe7c25667f595c56b310d4d5a93ef.camel@infradead.org Signed-off-by: Sean Christopherson <seanjc@google.com> Message-ID: <20260522173526.3539407-2-seanjc@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2026-05-23KVM: selftests: elf: Include <endian.h> instead of <bits/endian.h>Hisam Mehboob
<bits/endian.h> is a glibc-internal header that explicitly states it should never be included directly: #error "Never use <bits/endian.h> directly; include <endian.h> instead." Replace it with the correct public header <endian.h> which works on all C libraries including musl. Building KVM selftests with musl-gcc fails with: lib/elf.c:10:10: fatal error: bits/endian.h: No such file or directory Fixes: 6089ae0bd5e1 ("kvm: selftests: add sync_regs_test") Signed-off-by: Hisam Mehboob <hisamshar@gmail.com> Message-ID: <20260409164020.1575176-4-hisamshar@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2026-05-23Merge tag 'kvm-riscv-fixes-7.1-1' of https://github.com/kvm-riscv/linux into ↵Paolo Bonzini
HEAD KVM/riscv fixes for 7.1, take #1 - Fix invalid HVA warning in steal-time recording - Return SBI_ERR_FAILURE to guest upon OOM in pmu_event_info() and pmu_snapshot_set_shmem() - Fix NULL pointer dereference in SBI v0.1 SEND_IPI handler - Fix sign extension of value for MMIO loads
2026-05-23Merge tag 'kvm-s390-master-7.1-2' of ↵Paolo Bonzini
https://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into HEAD KVM: s390: some vSIE and UCONTROL fixes Fix some memory issues and some hangs in vSIE.
2026-05-23Merge tag 'kvmarm-fixes-7.1-3' of ↵Paolo Bonzini
git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD KVM/arm64 fixes for 7.1, take #3 - Fix ITS EventID sanitisation when restoring an interrupt translation table. - Fix PPI memory leak when failing to initialise a vcpu. - Correctly return an error when the validation of a hypervisor trace descriptor fails, and limit this validation to protected mode only.
2026-05-23USB: serial: cypress_m8: validate interrupt packet headersZhang Cen
cypress_read_int_callback() parses the interrupt-in buffer according to the selected Cypress packet format. Format 1 has a two-byte status/count header and format 2 has a one-byte combined status/count header. The usb-serial core sizes the interrupt-in buffer from the endpoint descriptor's wMaxPacketSize, and successful interrupt transfers can complete short when URB_SHORT_NOT_OK is not set. Check that the completed packet contains the selected header before reading it. Malformed short reports are ignored and the interrupt URB is resubmitted through the existing retry path, preventing out-of-bounds header-byte reads. KASAN report as below: KASAN slab-out-of-bounds in cypress_read_int_callback+0x240/0x7f0 Read of size 1 Call trace: cypress_read_int_callback() (drivers/usb/serial/cypress_m8.c:1009) __usb_hcd_giveback_urb() dummy_timer() Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size") Assisted-by: Codex:gpt-5.5 Signed-off-by: Zhang Cen <rollkingzzc@gmail.com> Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size") Cc: stable@vger.kernel.org # 2.6.26 [ johan: use constants in header length sanity checks ] Signed-off-by: Johan Hovold <johan@kernel.org>
2026-05-23USB: serial: safe_serial: fix memory corruption with small endpointJohan Hovold
Make sure that the bulk-out buffer size is at least eight bytes to avoid user-controlled slab corruption in "safe" mode should a malicious device report a smaller size. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2026-05-23USB: serial: omninet: fix memory corruption with small endpointJohan Hovold
Make sure that the bulk-out buffers are at least as large as the hardcoded transfer size to avoid user-controlled slab corruption should a malicious device report a smaller endpoint max packet size than expected. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2026-05-23USB: serial: mxuport: fix memory corruption with small endpointJohan Hovold
Make sure that the bulk-out endpoint max packet size is at least eight bytes to avoid user-controlled slab corruption should a malicious device report a smaller size. Fixes: ee467a1f2066 ("USB: serial: add Moxa UPORT 12XX/14XX/16XX driver") Cc: stable@vger.kernel.org # 3.14 Cc: Andrew Lunn <andrew@lunn.ch> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Johan Hovold <johan@kernel.org>
2026-05-23openrisc: Fix jump_label smp syncingStafford Horne
The original commit 8c30b0018f9d ("openrisc: Add jump label support") copies from arm64 and does not properly consider how icache invalidation on remote cores works in OpenRISC. On OpenRISC remote icaches need to be invalidated otherwise static key's may remain state after updating. Fix SMP cache syncing by: 1. Properly invalidate remote core icaches on SMP systems by using icache_all_inv. The old code uses kick_all_cpus_sync() which runs a no-op IPI function call on remote CPU's which does execute a lot of code and flushes many cache lines in the process, but does not flush all and it's not correct on OpenRISC. 2. For architectures that do not have WRITETHROUGH caches be sure to flush the dcache after patching. To test this I first reproduced the issue using a custom test module [0]. The test confirmed that some icache lines maintained stale static_key code sequences after calling static_branch_enable(). After this patch there are no longer jump_label coherency issues. [0] https://github.com/stffrdhrn/or1k-utils/tree/master/tests/smp_static_key_test Cc: stable@vger.kernel.org # depends on openrisc: Add icache_all_inv Fixes: 8c30b0018f9d ("openrisc: Add jump label support") Signed-off-by: Stafford Horne <shorne@gmail.com>
2026-05-23openrisc: Add full instruction cache invalidate functionsStafford Horne
Add functions to invalidate all cache lines which we will use for static_key patching. On OpenRISC there is no instruction to invalidate an entire cache so we loop and invalidate cache lines one by one. This is not extremely expensive on OpenRISC as we usually have only a few hundred cache lines. I considered using the invalidate cache page or range functions. However, tracking which ranges need invalidation would have been more expensive than flushing all pages. Cc: stable@vger.kernel.org Signed-off-by: Stafford Horne <shorne@gmail.com>
2026-05-23openrisc: Cache invalidation cleanupStafford Horne
When working on new cache invalidation functions I noticed these cleanups in the cache initialization code. Remove unused and commented instructions to avoid confusion. Signed-off-by: Stafford Horne <shorne@gmail.com>
2026-05-22scsi: target: iscsi: Validate CHAP_R length before base64 decodeAlexandru Hossu
chap_server_compute_hash() allocates client_digest as kzalloc(chap->digest_size) and then, for BASE64-encoded responses, passes chap_r directly to chap_base64_decode() without checking whether the input length could produce more than digest_size bytes of output. chap_base64_decode() writes to the destination unconditionally as long as there is input to consume. With MAX_RESPONSE_LENGTH set to 128 and the "0b" prefix stripped by extract_param(), up to 127 base64 characters can reach the decoder. 127 characters decode to 95 bytes. For SHA-256 (digest_size=32) this overflows client_digest by 63 bytes; for MD5 (digest_size=16) the overflow is 79 bytes. The length check at line 344 fires after the write has already happened. The HEX branch in the same switch statement already validates the length up front. Apply the same approach to the BASE64 branch: strip trailing base64 padding characters, then reject any input whose data length exceeds DIV_ROUND_UP(digest_size * 4, 3) before calling the decoder. Stripping trailing '=' before the comparison handles both padded and unpadded encodings. chap_base64_decode() already returns early on '=', so the full original string is still passed to the decoder unchanged. The mutual CHAP path decodes CHAP_C into initiatorchg_binhex, which is kzalloc(CHAP_CHALLENGE_STR_LEN). extract_param() caps initiatorchg at CHAP_CHALLENGE_STR_LEN characters, so at most CHAP_CHALLENGE_STR_LEN-1 base64 characters reach the decoder. The maximum decoded size, DIV_ROUND_UP((CHAP_CHALLENGE_STR_LEN-1) * 3, 4), is less than CHAP_CHALLENGE_STR_LEN, so no overflow is possible there. A comment is added at the call site to document this. Fixes: 1e5733883421 ("scsi: target: iscsi: Support base64 in CHAP") Cc: stable@vger.kernel.org Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com> Reviewed-by: David Disseldorp <ddiss@suse.de> Link: https://patch.msgid.link/20260521151121.808477-1-hossu.alexandru@gmail.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2026-05-22scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_bufMichael Bommarito
iscsi_encode_text_output() concatenates "key=value\0" records into login->rsp_buf, an 8192-byte kzalloc(MAX_KEY_VALUE_PAIRS) buffer allocated in iscsit_alloc_login_setup_buffer(). The three sprintf() call sites in this function (lines 1398, 1411, 1424 in v7.1-rc2) never check the remaining buffer capacity: *length += sprintf(output_buf, "%s=%s", er->key, er->value); *length += 1; output_buf = textbuf + *length; The 8192-byte ceiling at iscsi_target_check_login_request() bounds the *input* Login PDU payload, but a single PDU can carry up to 2048 minimal four-byte "a=b\0" pairs, each unknown key expanding to a 16-byte "a=NotUnderstood\0" output record via iscsi_add_notunderstood_response(). 2048 * 16 = 32 KiB of output into an 8 KiB buffer, producing a ~24 KiB heap overrun in the kmalloc-8k slab. The fix introduces a static iscsi_encode_text_record() helper that uses snprintf() with a per-call bounds check against the remaining buffer, and threads a u32 textbuf_size parameter through iscsi_encode_text_output(). Both call sites in iscsi_target_handle_csg_zero() (PHASE_SECURITY) and iscsi_target_handle_csg_one() (PHASE_OPERATIONAL) pass MAX_KEY_VALUE_PAIRS. On overflow the encoder logs the condition, calls iscsi_release_extra_responses() to drop queued records, and returns -1; both caller sites now emit ISCSI_STATUS_CLS_INITIATOR_ERR / ISCSI_LOGIN_STATUS_INIT_ERR via iscsit_tx_login_rsp() before returning, so the initiator sees an explicit failed-login response rather than a silent connection drop. (Prior to this patch only the PHASE_OPERATIONAL caller did that; the PHASE_SECURITY caller is converted to the same shape.) Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Tested-by: John Garry <john.g.garry@oracle.com> Reviewed-by: John Garry <john.g.garry@oracle.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2026-05-22scsi: target: iscsi: Fix CRC overread and double-free in ↵Michael Bommarito
iscsit_handle_text_cmd() Two latent bugs in the Text-phase handler, both present since the original LIO integration in commit e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1"): 1) DataDigest CRC buffer overread (4 bytes past text_in). text_in is kzalloc()'d at ALIGN(payload_length, 4). rx_size is then incremented by ISCSI_CRC_LEN to make room for the received DataDigest in the iovec, but the same (now-bumped) rx_size is passed as the buffer length to iscsit_crc_buf(): if (conn->conn_ops->DataDigest) { ... rx_size += ISCSI_CRC_LEN; } ... if (conn->conn_ops->DataDigest) { data_crc = iscsit_crc_buf(text_in, rx_size, 0, NULL); iscsit_crc_buf() walks rx_size bytes of text_in with crc32c(), so when DataDigest is negotiated it reads 4 bytes past the end of the text_in allocation. KASAN reproduces this directly on the unpatched mainline tree as slab-out-of-bounds in crc32c() called from the Text PDU path. The OOB bytes feed crc32c() and are then compared against the initiator-supplied checksum, so the value does not flow back to the attacker, but the kernel does read past the buffer on every Text PDU with DataDigest=CRC32C. Fix by passing the actual padded payload length (ALIGN(payload_length, 4)) that was used for the kzalloc(). 2) Stale cmd->text_in_ptr re-free (double-free) on ERL>0 bad DataDigest drop. On DataDigest mismatch with ErrorRecoveryLevel > 0 the handler silently drops the PDU and lets the initiator plug the CmdSN gap: kfree(text_in); return 0; cmd->text_in_ptr still points at the freed buffer. The next Text Request on the same ITT re-enters iscsit_setup_text_cmd(), which unconditionally does kfree(cmd->text_in_ptr); cmd->text_in_ptr = NULL; freeing the same pointer a second time. Session teardown via iscsit_release_cmd() has the same shape and hits the same double-free if the connection is dropped before a second Text Request arrives. On an unmodified mainline tree the bug-1 CRC overread fires first on the initial valid Text Request and perturbs the subsequent state, so #4 was isolated by building a kernel with only the bug-1 hunk of this patch applied plus temporary printk() observability around the three relevant kfree() sites. The observability prints are not part of this patch. On that build, a three-PDU Text Request sequence after login produces two back-to-back splats: BUG: KASAN: double-free in iscsit_setup_text_cmd+0x?? BUG: KASAN: double-free in iscsit_release_cmd+0x?? showing the same pointer freed in the ERL>0 drop path and again in iscsit_setup_text_cmd() (next Text Request on the same ITT) and once more in iscsit_release_cmd() (session teardown). On distro kernels with CONFIG_SLAB_FREELIST_HARDENED=y (default) the double-free becomes a remote kernel BUG(); on non-hardened kernels it corrupts the slab freelist. Fix by clearing cmd->text_in_ptr after the kfree() in the ERL>0 drop path. With both hunks applied #4 is directly observable on the stock tree without observability printks; fixing bug-1 alone would mask #4 less, not more, so the hunks are submitted together. Both fixes are one-liners. The Text PDU state machine is unchanged and the wire protocol is unaffected. Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Tested-by: John Garry <john.g.garry@oracle.com> Reviewed-by: John Garry <john.g.garry@oracle.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2026-05-22ipv4: free net->ipv4.sysctl_local_reserved_ports after ↵Eric Dumazet
unregister_net_sysctl_table() ipv4_sysctl_exit_net() is currently freeing net->ipv4.sysctl_local_reserved_ports too soon. Only after unregister_net_sysctl_table() we can be sure no threads can possibly use the sysctls, including /proc/sys/net/ipv4/ip_local_reserved_ports. Fixes: 122ff243f5f1 ("ipv4: make ip_local_reserved_ports per netns") Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Cong Wang <xiyou.wangcong@gmail.com> Reviewed-by: Jason Xing <kerneljasonxing@gmail.com> Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Link: https://patch.msgid.link/20260521122147.3584624-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22vsock/virtio: fix skb overhead overflow on 32-bit buildsStefano Garzarella
On 32-bit architectures, both skb_queue_len() and SKB_TRUESIZE(0) evaluate to 32-bit values. The multiplication can overflow before being assigned to the u64 skb_overhead variable, making the skb overhead check ineffective. Cast skb_queue_len() to u64 so the multiplication is always performed in 64-bit arithmetic. This issue was reported by Sashiko while reviewing another patch. Fixes: 059b7dbd20a6 ("vsock/virtio: fix potential unbounded skb queue") Closes: https://sashiko.dev/#/patchset/20260518090656.134588-1-sgarzare%40redhat.com Cc: stable@vger.kernel.org Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Link: https://patch.msgid.link/20260521124732.125771-1-sgarzare@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walkerMichael Bommarito
drivers/scsi/fcoe/fcoe_ctlr.c::fcoe_ctlr_recv_clr_vlink() advanced the descriptor cursor by an attacker-supplied fip_dlen without ever requiring dlen >= sizeof(struct fip_desc) in the default branch. The named descriptor cases (FIP_DT_MAC, FIP_DT_NAME, FIP_DT_VN_ID) checked their per-type minimum lengths, but a FIP_DT_NON_CRITICAL descriptor (fip_dtype >= 128, which the standard requires receivers to silently ignore) skipped that check entirely. An unauthenticated L2 peer on the FCoE control VLAN could hang fcoe_ctlr_recv_work on an fcoe, qedf, or bnx2fc initiator indefinitely by emitting one FIP CVL frame whose single descriptor had fip_dtype == FIP_DT_NON_CRITICAL and fip_dlen == 0: the cursor advanced zero bytes per iteration and the loop condition rlen >= sizeof(*desc) stayed true forever, blocking every subsequent FIP frame on that controller. Tighten the outer dlen guard to also reject dlen < sizeof(struct fip_desc), so a malformed descriptor whose length cannot even cover the descriptor header is rejected before the switch. This is the same lower-bound the named cases already apply and is the minimum scope that closes the loop. Fixes: 97c8389d54b9 ("[SCSI] fcoe, libfcoe: Add support for FIP. FCoE discovery and keep-alive.") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Reviewed-by: Hannes Reinecke <hare@kernel.org> Link: https://patch.msgid.link/20260518144307.2820961-1-michael.bommarito@gmail.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2026-05-22scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32Michael Bommarito
An adjacent Fibre Channel fabric actor that can deliver an FPIN ELS frame to an lpfc or qla2xxx Linux initiator can trigger a non-return in the generic FC transport. This is not a local userspace or IP network path; the attacker must be able to inject fabric traffic, for example as a compromised switch or fabric controller, or as a same-zone N_Port on a fabric that permits source spoofing. The Link-Integrity and Peer-Congestion FPIN walkers used a u8 loop counter against the 32-bit on-wire pname_count field, and did not bound pname_count by the descriptor body already validated by the TLV walker. A pname_count of 256 therefore wraps the counter and keeps the loop condition true indefinitely. Factor the shared pname_list[] walk into one helper, widen the counter to u32, and clamp pname_count against the entries that fit in the descriptor body before iterating. Fixes: 3dcfe0de5a97 ("scsi: fc: Parse FPIN packets and update statistics") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: John Garry <john.g.garry@oracle.com> Link: https://patch.msgid.link/20260520133015.1018937-1-michael.bommarito@gmail.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2026-05-22scsi: core: Convert INQUIRY informationBart Van Assche
Currently the vendor, model, and revision members of struct scsi_device are pointers to fixed-length strings that are not NUL-terminated. Fixed-precision format specifiers (e.g., "%.8s") are required whenever they are printed and strncmp() must be used to compare these fields. This is error-prone. Convert these fields to fixed-size character arrays within struct scsi_device. Remove an !sdev->model check because sdev->model is now guaranteed not to be NULL. This patch fixes a bug in the qla2xxx driver. It makes the following code safe: if (state_flags & BIT_4) scmd_printk(KERN_WARNING, cp, "Unsupported device '%s' found.\n", cp->device->vendor); Signed-off-by: Bart Van Assche <bvanassche@acm.org> Tested-by: Brian Bunker <brian@purestorage.com> Link: https://patch.msgid.link/20260515205222.1754621-4-bvanassche@acm.org Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2026-05-22scsi: core: Use the INQUIRY-related constantsBart Van Assche
Use symbolic names instead of numeric constants to access the vendor and model information. Signed-off-by: Bart Van Assche <bvanassche@acm.org> Tested-by: Brian Bunker <brian@purestorage.com> Link: https://patch.msgid.link/20260515205222.1754621-3-bvanassche@acm.org Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2026-05-22scsi: core: target: Add INQUIRY-related constants to scsi_common.hBart Van Assche
Move three constants from target/target_core_base.h into scsi/scsi_common.h. Add three new constants in the scsi_common.h header file. This patch prepares for using these constants in the SCSI core. Signed-off-by: Bart Van Assche <bvanassche@acm.org> Tested-by: Brian Bunker <brian@purestorage.com> Link: https://patch.msgid.link/20260515205222.1754621-2-bvanassche@acm.org Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2026-05-22Merge branch 'net-dsa-microchip-remove-unnecessary-ksz_dev_ops-callbacks'Jakub Kicinski
Bastien Curutchet says: ==================== net: dsa: microchip: Remove unnecessary ksz_dev_ops callbacks This series continues the rework of the KSZ driver initiated by a previous series (see [1]), following the discussion we had here [2]. The KSZ driver got way too convoluted over time because it uses a common framework to handle more than 20 switches split in 5 families (see below table) +----------+---------+---------+---------+---------+---------+ | Family | KSZ8463 | KSZ87xx | KSZ88xx | KSZ9477 | LAN937X | +----------+---------+---------+---------+---------+---------+ | Switches | KSZ8463 | KSZ8795 | KSZ88X3 | KSZ8563 | LAN9370 | | | | KSZ8794 | KSZ8864 | KSZ9477 | LAN9371 | | | | KSZ8765 | KSZ8895 | KSZ9896 | LAN9372 | | | | | | KSZ9897 | LAN9373 | | | | | | KSZ9893 | LAN9374 | | | | | | KSZ9563 | | | | | | | KSZ8567 | | | | | | | KSZ9567 | | | | | | | LAN9646 | | +----------+---------+---------+---------+---------+---------+ The previous series ([1]) replaced the unique dsa_swicth_ops struct used by all the KSZ families with one dsa_switch_ops struct for each family. These dsa_switch_ops structs still rely on common functions that redirect the calls to ksz_dev_ops operations which are custom to each switch family. Many of hese ksz_dev_ops callbacks have a direct equivalent in the struct dsa_switch_ops. This series directly connects the implementations of these ksz_dev_ops operations to the relevant dsa_switch_ops attribute to get rid of one unnecessary level of indirection. On top of this on-going rework I added PTP and periodic output support for the KSZ8463 (which was my first goal). There are more than 60 patches for all this so this series will be followed by several others and if you want to see the full picture we can check my github ([3]). I haven't finished yet to group all the patches into meaningful series but here is more or less what I plan to do next: - A series will split again some operations to get rid of the if (is_kszXYZ) branches. - Maybe another series will be needed to completely move out of ksz_common.c everything that isn't truly common to all the switches - A series will add PTP support for the KSZ8463 - A final series will add periodic output support for the KSZ8463 FYI, I only have a KSZ8463 so, unfortunately, I can't test other switches. [1]: https://lore.kernel.org/r/20260505-clean-ksz-driver-v1-0-05d70fa42461@bootlin.com [2]: https://lore.kernel.org/r/20260304-ksz8463-ptp-v6-0-3f4c47954c71@bootlin.com) [3]: https://github.com/bastien-curutchet/linux/tree/ksz_rework ==================== Link: https://patch.msgid.link/20260521-clean-ksz-2nd-series-v3-0-75c38971c19a@bootlin.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22net: dsa: microchip: bypass dev_ops for phy_read()/phy_write()Bastien Curutchet (Schneider Electric)
phy_read() and phy_write() are handled through common functions that redirect the treatment to ksz_dev_ops callbacks. This layer of indirection isn't needed since we now have a dsa_switch_ops for each kind of switch Remove one indirection layer for KSZ switches, by connecting the ksz_dev_ops::phy_r() and ksz_dev_ops::phy_w() operations directly to dsa_switch_ops. Remove the now unused phy_r()/phy_w() callbacks from ksz_dev_ops. Signed-off-by: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com> Link: https://patch.msgid.link/20260521-clean-ksz-2nd-series-v3-8-75c38971c19a@bootlin.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22net: dsa: microchip: call DSA's phy_{read/write} to do mdio {read/write}Bastien Curutchet (Schneider Electric)
ksz_sw_mdio_read() and ksz_sw_mdio_write() respectively call ksz_dev_ops::phy_r() and ksz_dev_ops::phy_w() just like dsa_switch_ops::phy_read() and dsa_switch_ops::phy_write() do. Call dsa_switch_ops::phy_read() from ksz_sw_mdio_read() and dsa_switch_ops::phy_write() from ksz_sw_mdio_write() so we'll be able to get rid of the useless indirections provided by ksz_dev_ops in upcoming patch. Signed-off-by: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com> Link: https://patch.msgid.link/20260521-clean-ksz-2nd-series-v3-7-75c38971c19a@bootlin.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22net: dsa: microchip: bypass dev_ops for port_setup()Bastien Curutchet (Schneider Electric)
port_setup() is handled through a common function that redirects the treatment to ksz_dev_ops callbacks. This layer of indirection isn't needed since we now have a dsa_switch_ops for each switch family Remove one indirection layer for KSZ switches, by connecting the ksz_dev_ops :: port_setup() operations directly to dsa_switch_ops. Make ksz9477_set_default_prio_queue_mapping() non-static since it's used by ksz_common for tc operations and by ksz9477.c for this port_setup(). Remove the now unused port_setup() callback from ksz_dev_ops. Signed-off-by: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com> Link: https://patch.msgid.link/20260521-clean-ksz-2nd-series-v3-6-75c38971c19a@bootlin.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22net: dsa: microchip: remove dev_ops->setup() and teardown()Vladimir Oltean
All switch families have been converted to have their own ds->ops->setup() methods and to call the common ksz_teardown(). Remove the no longer used ksz_setup() function and the associated ksz_dev_ops callbacks. Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com> Signed-off-by: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com> Link: https://patch.msgid.link/20260521-clean-ksz-2nd-series-v3-5-75c38971c19a@bootlin.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22net: dsa: microchip: bypass dev_ops->setup() and teardown() for ksz8Vladimir Oltean
The KSZ switch families are sufficiently different that a common ds->ops->setup() - ksz_setup() with micro-managed dev_ops->reset(), dev_ops->pcs_create(), dev_ops->config_cpu_port(), dev_ops->enable_stp_addr(), dev_ops->setup() seems to be too convoluted. I am proposing to make each KSZ switch family part ways for dsa_switch_ops :: setup() and teardown(), to allow them greater flexibility. This here is the implementation for ksz8, which is nothing other than a copy of ksz_setup() with the dev_ops function pointers replaced with direct function calls. Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com> Signed-off-by: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com> Link: https://patch.msgid.link/20260521-clean-ksz-2nd-series-v3-4-75c38971c19a@bootlin.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22net: dsa: microchip: bypass dev_ops->setup() and teardown() for ksz9477Vladimir Oltean
The KSZ switch families are sufficiently different that a common ds->ops->setup() - ksz_setup() with micro-managed dev_ops->reset(), dev_ops->pcs_create(), dev_ops->config_cpu_port(), dev_ops->enable_stp_addr(), dev_ops->setup() seems to be too convoluted. I am proposing to make each KSZ switch family part ways for dsa_switch_ops :: setup() and teardown(), to allow them greater flexibility. This here is the implementation for ksz9477, which is nothing other than a copy of ksz_setup() with the dev_ops function pointers replaced with direct function calls. Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com> Signed-off-by: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com> Link: https://patch.msgid.link/20260521-clean-ksz-2nd-series-v3-3-75c38971c19a@bootlin.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22net: dsa: microchip: bypass dev_ops->setup() and teardown() for lan937xVladimir Oltean
The KSZ switch families are sufficiently different that a common ds->ops->setup() - ksz_setup() with micro-managed dev_ops->reset(), dev_ops->pcs_create(), dev_ops->config_cpu_port(), dev_ops->enable_stp_addr(), dev_ops->setup() seems to be too convoluted. I am proposing to make each KSZ switch family part ways for dsa_switch_ops :: setup() and teardown(), to allow them greater flexibility. This here is the implementation for lan937x, which is nothing other than a copy of ksz_setup() with the dev_ops function pointers replaced with direct function calls. Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com> Signed-off-by: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com> Link: https://patch.msgid.link/20260521-clean-ksz-2nd-series-v3-2-75c38971c19a@bootlin.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22net: dsa: microchip: don't reset on shutdown or driver removalVladimir Oltean
The ksz_switch driver is one of the few which reset the switch when unbinding the driver or shutting down - in the same category with ar9331_sw_remove(), bcm_sf2_sw_remove(), and ks8995_remove(), vsc73xx_remove() and lan9303_remove(). I don't think there exists any requirement to do this, and in fact it does create complications for WoL, as the code already shows. My issue with this logic is that it is the only thing keeping dev_ops->reset() necessary, which I would like to remove after individual KSZ switch families get their own setup() and teardown() methods that don't go through dev_ops. Don't reset the switch when unbinding the driver or shutting down. Remove the exit callbacks from the ksz_dev_ops. Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com> Signed-off-by: Bastien Curutchet (Schneider Electric) <bastien.curutchet@bootlin.com> Link: https://patch.msgid.link/20260521-clean-ksz-2nd-series-v3-1-75c38971c19a@bootlin.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-22scsi: ufs: core: Optimize ufshcd_add_uic_command_trace()Bart Van Assche
Use cached values in ufshcd_add_uic_command_trace() instead of calling readl() when tracing command submission (UFS_CMD_SEND). Signed-off-by: Bart Van Assche <bvanassche@acm.org> Reviewed-by: Peter Wang <peter.wang@mediatek.com> Link: https://patch.msgid.link/20260519212135.3130556-4-bvanassche@acm.org Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2026-05-22scsi: ufs: core: Complain if UIC argument 2 is invalidBart Van Assche
According to the UFSHCI standard, the lowest byte of UIC argument 2 is an output value. Additionally, ufshcd_uic_cmd_compl() is based on the assumption that the lowest byte of UIC argument 2 is zero. Hence, complain if the result byte is set when a UIC command is submitted. Reviewed-by: Peter Wang <peter.wang@mediatek.com> Signed-off-by: Bart Van Assche <bvanassche@acm.org> Link: https://patch.msgid.link/20260519212135.3130556-3-bvanassche@acm.org Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2026-05-22scsi: ufs: core: Inline two functions related to UIC commandsBart Van Assche
The implementation of the two functions ufshcd_get_uic_cmd_result() and ufshcd_get_dme_attr_val() is very short. Additionally, both functions only have one caller. Inline both functions to make the code shorter. Reviewed-by: Peter Wang <peter.wang@mediatek.com> Signed-off-by: Bart Van Assche <bvanassche@acm.org> Link: https://patch.msgid.link/20260519212135.3130556-2-bvanassche@acm.org Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2026-05-22scsi: megaraid_mbox: Reduce stack usage in megaraid_cmm_register()Arnd Bergmann
The megaraid_cmm_register() function has a local copy of mraid_mmadp_t on the stack that gets copied into the actual structure used at runtime. When -fsanitize=thread is enabled, this causes the per-function stack frame to grow beyond the warning limit: megaraid_mbox.c: In function 'megaraid_cmm_register': megaraid_mbox.c:3472:1: error: the frame size of 1312 bytes is larger than 1280 bytes [-Werror=frame-larger-than=] Refactor this by moving the allocation into the caller to save the extra on-stack copy of the structure. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Link: https://patch.msgid.link/20260519202143.1305850-1-arnd@kernel.org Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2026-05-22scsi: scsi_debug: Remove unused variable sdebug_any_injecting_optBart Van Assche
The static variable sdebug_any_injecting_opt is no longer read. Commit 3a90a63d02b8 ("scsi: scsi_debug: every_nth triggered error injection") removed all code that reads this variable. Hence, also remove this variable itself. Remove SDEBUG_OPT_ALL_INJECTING because there is no code left that uses this constant if sdebug_any_injecting_opt is removed. This has been detected by building the scsi_debug driver with the git HEAD version of Clang and with W=1. Signed-off-by: Bart Van Assche <bvanassche@acm.org> Reviewed-by: John Garry <john.g.garry@oracle.com> Link: https://patch.msgid.link/20260520171454.4035623-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2026-05-22scsi: scsi_debug: Add missing newline in scsi_debug_device_reset()Ewan D. Milne
A "\n" at the end of the sdev_printk() string appears to have been inadvertently removed. Add it back for correct log message formatting. Fixes: a743b120227a ("scsi: scsi_debug: Stop printing extra function name in debug logs") Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Ewan D. Milne <emilne@redhat.com> Reviewed-by: Bart Van Assche <bvanassche@acm.org> Reviewed-by: John Garry <john.g.garry@oracle.com> Link: https://patch.msgid.link/20260519205356.1040855-1-emilne@redhat.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2026-05-22scsi: megaraid_sas: Fix NULL pointer dereference on firmware duplicate ↵Milan P. Gandhi
completion Add NULL check for scmd_local in the MPI2_FUNCTION_SCSI_IO_REQUEST case to handle firmware duplicate/stale completions. When firmware sends a duplicate completion for a command that was already processed and returned to the pool, the driver accesses NULL scmd pointer causing a crash. Timeline of the bug: 1. Command completes normally, megasas_return_cmd_fusion() called 2. This sets cmd->scmd = NULL and clears io_request with memset(..., 0, ...) 3. Firmware sends duplicate/stale completion for same SMID (firmware bug) 4. Driver processes reply descriptor again 5. Cleared io_request has Function = 0 (MPI2_FUNCTION_SCSI_IO_REQUEST) 6. Switch statement matches SCSI_IO_REQUEST case by accident 7. Accesses megasas_priv(NULL scmd)->status -> crash at offset 0x228 The offset 0x228 = sizeof(struct scsi_cmnd) 0x220 + offsetof(status) 0x8. This issue was observed on PERC H330 Mini running firmware 25.5.9.0001 after 3+ days of heavy I/O load. Crash signature: BUG: unable to handle kernel NULL pointer dereference at 0x228 RIP: complete_cmd_fusion+0x428 Function: megasas_priv(cmd_fusion->scmd)->status Add defensive check to skip processing when scmd_local is NULL. This handles duplicate completions from firmware and prevents accessing freed command structures. The check protects all scmd_local uses in both the SCSI_IO path and the fallthrough LDIO path. Signed-off-by: Milan P. Gandhi <mgandhi@redhat.com> Link: https://patch.msgid.link/agWAgtk6rtHqNWb5@machine1 Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>