x86-fpu-stop-relying-on-userspace-for-info-to-fault-in-xsave-buffer.patch
sched-rt-fix-sysctl_sched_rr_timeslice-intial-value.patch
sched-rt-disallow-writing-invalid-values-to-sched_rt_period_us.patch
-xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch
scsi-target-core-add-tmf-to-tmr_list-handling.patch
dmaengine-shdma-increase-size-of-dev_id.patch
dmaengine-fsl-qdma-increase-size-of-irq_name.patch
+++ /dev/null
-From ed623a29a39d156867e55ce7070b77edc411766f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 1 Dec 2023 17:06:47 +0200
-Subject: xhci: fix possible null pointer deref during xhci urb enqueue
-
-From: Mathias Nyman <mathias.nyman@linux.intel.com>
-
-[ Upstream commit e2e2aacf042f52854c92775b7800ba668e0bdfe4 ]
-
-There is a short gap between urb being submitted and actually added to the
-endpoint queue (linked). If the device is disconnected during this time
-then usb core is not yet aware of the pending urb, and device may be freed
-just before xhci_urq_enqueue() continues, dereferencing the freed device.
-
-Freeing the device is protected by the xhci spinlock, so make sure we take
-and keep the lock while checking that device exists, dereference it, and
-add the urb to the queue.
-
-Remove the unnecessary URB check, usb core checks it before calling
-xhci_urb_enqueue()
-
-Suggested-by: Kuen-Han Tsai <khtsai@google.com>
-Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
-Link: https://lore.kernel.org/r/20231201150647.1307406-20-mathias.nyman@linux.intel.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/host/xhci.c | 40 +++++++++++++++++++++++-----------------
- 1 file changed, 23 insertions(+), 17 deletions(-)
-
-diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
-index 5c9d3be136d2c..6c8c9cbcd05da 100644
---- a/drivers/usb/host/xhci.c
-+++ b/drivers/usb/host/xhci.c
-@@ -1644,24 +1644,7 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
- struct urb_priv *urb_priv;
- int num_tds;
-
-- if (!urb)
-- return -EINVAL;
-- ret = xhci_check_args(hcd, urb->dev, urb->ep,
-- true, true, __func__);
-- if (ret <= 0)
-- return ret ? ret : -EINVAL;
--
-- slot_id = urb->dev->slot_id;
- ep_index = xhci_get_endpoint_index(&urb->ep->desc);
-- ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state;
--
-- if (!HCD_HW_ACCESSIBLE(hcd))
-- return -ESHUTDOWN;
--
-- if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) {
-- xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n");
-- return -ENODEV;
-- }
-
- if (usb_endpoint_xfer_isoc(&urb->ep->desc))
- num_tds = urb->number_of_packets;
-@@ -1700,12 +1683,35 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
-
- spin_lock_irqsave(&xhci->lock, flags);
-
-+ ret = xhci_check_args(hcd, urb->dev, urb->ep,
-+ true, true, __func__);
-+ if (ret <= 0) {
-+ ret = ret ? ret : -EINVAL;
-+ goto free_priv;
-+ }
-+
-+ slot_id = urb->dev->slot_id;
-+
-+ if (!HCD_HW_ACCESSIBLE(hcd)) {
-+ ret = -ESHUTDOWN;
-+ goto free_priv;
-+ }
-+
-+ if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) {
-+ xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n");
-+ ret = -ENODEV;
-+ goto free_priv;
-+ }
-+
- if (xhci->xhc_state & XHCI_STATE_DYING) {
- xhci_dbg(xhci, "Ep 0x%x: URB %p submitted for non-responsive xHCI host.\n",
- urb->ep->desc.bEndpointAddress, urb);
- ret = -ESHUTDOWN;
- goto free_priv;
- }
-+
-+ ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state;
-+
- if (*ep_state & (EP_GETTING_STREAMS | EP_GETTING_NO_STREAMS)) {
- xhci_warn(xhci, "WARN: Can't enqueue URB, ep in streams transition state %x\n",
- *ep_state);
---
-2.43.0
-
sched-rt-sysctl_sched_rr_timeslice-show-default-timeslice-after-reset.patch
pci-dwc-fix-a-64bit-bug-in-dw_pcie_ep_raise_msix_irq.patch
riscv-efistub-ensure-gp-relative-addressing-is-not-used.patch
-xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch
dmaengine-apple-admac-keep-upper-bits-of-reg_bus_wid.patch
scsi-target-core-add-tmf-to-tmr_list-handling.patch
cifs-open_cached_dir-should-not-rely-on-primary-chan.patch
+++ /dev/null
-From e887066276129cc5b0b8350d2283dfac07c0a76f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 1 Dec 2023 17:06:47 +0200
-Subject: xhci: fix possible null pointer deref during xhci urb enqueue
-
-From: Mathias Nyman <mathias.nyman@linux.intel.com>
-
-[ Upstream commit e2e2aacf042f52854c92775b7800ba668e0bdfe4 ]
-
-There is a short gap between urb being submitted and actually added to the
-endpoint queue (linked). If the device is disconnected during this time
-then usb core is not yet aware of the pending urb, and device may be freed
-just before xhci_urq_enqueue() continues, dereferencing the freed device.
-
-Freeing the device is protected by the xhci spinlock, so make sure we take
-and keep the lock while checking that device exists, dereference it, and
-add the urb to the queue.
-
-Remove the unnecessary URB check, usb core checks it before calling
-xhci_urb_enqueue()
-
-Suggested-by: Kuen-Han Tsai <khtsai@google.com>
-Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
-Link: https://lore.kernel.org/r/20231201150647.1307406-20-mathias.nyman@linux.intel.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/host/xhci.c | 40 +++++++++++++++++++++++-----------------
- 1 file changed, 23 insertions(+), 17 deletions(-)
-
-diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
-index c02ad4f76bb3c..127fbad32a75f 100644
---- a/drivers/usb/host/xhci.c
-+++ b/drivers/usb/host/xhci.c
-@@ -1654,24 +1654,7 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
- struct urb_priv *urb_priv;
- int num_tds;
-
-- if (!urb)
-- return -EINVAL;
-- ret = xhci_check_args(hcd, urb->dev, urb->ep,
-- true, true, __func__);
-- if (ret <= 0)
-- return ret ? ret : -EINVAL;
--
-- slot_id = urb->dev->slot_id;
- ep_index = xhci_get_endpoint_index(&urb->ep->desc);
-- ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state;
--
-- if (!HCD_HW_ACCESSIBLE(hcd))
-- return -ESHUTDOWN;
--
-- if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) {
-- xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n");
-- return -ENODEV;
-- }
-
- if (usb_endpoint_xfer_isoc(&urb->ep->desc))
- num_tds = urb->number_of_packets;
-@@ -1710,12 +1693,35 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
-
- spin_lock_irqsave(&xhci->lock, flags);
-
-+ ret = xhci_check_args(hcd, urb->dev, urb->ep,
-+ true, true, __func__);
-+ if (ret <= 0) {
-+ ret = ret ? ret : -EINVAL;
-+ goto free_priv;
-+ }
-+
-+ slot_id = urb->dev->slot_id;
-+
-+ if (!HCD_HW_ACCESSIBLE(hcd)) {
-+ ret = -ESHUTDOWN;
-+ goto free_priv;
-+ }
-+
-+ if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) {
-+ xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n");
-+ ret = -ENODEV;
-+ goto free_priv;
-+ }
-+
- if (xhci->xhc_state & XHCI_STATE_DYING) {
- xhci_dbg(xhci, "Ep 0x%x: URB %p submitted for non-responsive xHCI host.\n",
- urb->ep->desc.bEndpointAddress, urb);
- ret = -ESHUTDOWN;
- goto free_priv;
- }
-+
-+ ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state;
-+
- if (*ep_state & (EP_GETTING_STREAMS | EP_GETTING_NO_STREAMS)) {
- xhci_warn(xhci, "WARN: Can't enqueue URB, ep in streams transition state %x\n",
- *ep_state);
---
-2.43.0
-
sched-rt-disallow-writing-invalid-values-to-sched_rt_period_us.patch
pci-dwc-fix-a-64bit-bug-in-dw_pcie_ep_raise_msix_irq.patch
riscv-efistub-ensure-gp-relative-addressing-is-not-used.patch
-xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch
dmaengine-apple-admac-keep-upper-bits-of-reg_bus_wid.patch
scsi-smartpqi-add-new-controller-pci-ids.patch
scsi-smartpqi-fix-logical-volume-rescan-race-conditi.patch
+++ /dev/null
-From 7cf220348e0433cc6254ec3b8f891f3fc2a941b5 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 1 Dec 2023 17:06:47 +0200
-Subject: xhci: fix possible null pointer deref during xhci urb enqueue
-
-From: Mathias Nyman <mathias.nyman@linux.intel.com>
-
-[ Upstream commit e2e2aacf042f52854c92775b7800ba668e0bdfe4 ]
-
-There is a short gap between urb being submitted and actually added to the
-endpoint queue (linked). If the device is disconnected during this time
-then usb core is not yet aware of the pending urb, and device may be freed
-just before xhci_urq_enqueue() continues, dereferencing the freed device.
-
-Freeing the device is protected by the xhci spinlock, so make sure we take
-and keep the lock while checking that device exists, dereference it, and
-add the urb to the queue.
-
-Remove the unnecessary URB check, usb core checks it before calling
-xhci_urb_enqueue()
-
-Suggested-by: Kuen-Han Tsai <khtsai@google.com>
-Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
-Link: https://lore.kernel.org/r/20231201150647.1307406-20-mathias.nyman@linux.intel.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/host/xhci.c | 40 +++++++++++++++++++++++-----------------
- 1 file changed, 23 insertions(+), 17 deletions(-)
-
-diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
-index 132b76fa7ca60..e39c5ba9b7c76 100644
---- a/drivers/usb/host/xhci.c
-+++ b/drivers/usb/host/xhci.c
-@@ -1498,24 +1498,7 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
- struct urb_priv *urb_priv;
- int num_tds;
-
-- if (!urb)
-- return -EINVAL;
-- ret = xhci_check_args(hcd, urb->dev, urb->ep,
-- true, true, __func__);
-- if (ret <= 0)
-- return ret ? ret : -EINVAL;
--
-- slot_id = urb->dev->slot_id;
- ep_index = xhci_get_endpoint_index(&urb->ep->desc);
-- ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state;
--
-- if (!HCD_HW_ACCESSIBLE(hcd))
-- return -ESHUTDOWN;
--
-- if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) {
-- xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n");
-- return -ENODEV;
-- }
-
- if (usb_endpoint_xfer_isoc(&urb->ep->desc))
- num_tds = urb->number_of_packets;
-@@ -1554,12 +1537,35 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
-
- spin_lock_irqsave(&xhci->lock, flags);
-
-+ ret = xhci_check_args(hcd, urb->dev, urb->ep,
-+ true, true, __func__);
-+ if (ret <= 0) {
-+ ret = ret ? ret : -EINVAL;
-+ goto free_priv;
-+ }
-+
-+ slot_id = urb->dev->slot_id;
-+
-+ if (!HCD_HW_ACCESSIBLE(hcd)) {
-+ ret = -ESHUTDOWN;
-+ goto free_priv;
-+ }
-+
-+ if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) {
-+ xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n");
-+ ret = -ENODEV;
-+ goto free_priv;
-+ }
-+
- if (xhci->xhc_state & XHCI_STATE_DYING) {
- xhci_dbg(xhci, "Ep 0x%x: URB %p submitted for non-responsive xHCI host.\n",
- urb->ep->desc.bEndpointAddress, urb);
- ret = -ESHUTDOWN;
- goto free_priv;
- }
-+
-+ ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state;
-+
- if (*ep_state & (EP_GETTING_STREAMS | EP_GETTING_NO_STREAMS)) {
- xhci_warn(xhci, "WARN: Can't enqueue URB, ep in streams transition state %x\n",
- *ep_state);
---
-2.43.0
-
drm-amd-stop-evicting-resources-on-apus-in-suspend.patch
-xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch
dmaengine-apple-admac-keep-upper-bits-of-reg_bus_wid.patch
scsi-smartpqi-add-new-controller-pci-ids.patch
scsi-smartpqi-fix-logical-volume-rescan-race-conditi.patch
+++ /dev/null
-From fb9100c2c6b7b172650ba25283cc4cf9af1d082c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 1 Dec 2023 17:06:47 +0200
-Subject: xhci: fix possible null pointer deref during xhci urb enqueue
-
-From: Mathias Nyman <mathias.nyman@linux.intel.com>
-
-[ Upstream commit e2e2aacf042f52854c92775b7800ba668e0bdfe4 ]
-
-There is a short gap between urb being submitted and actually added to the
-endpoint queue (linked). If the device is disconnected during this time
-then usb core is not yet aware of the pending urb, and device may be freed
-just before xhci_urq_enqueue() continues, dereferencing the freed device.
-
-Freeing the device is protected by the xhci spinlock, so make sure we take
-and keep the lock while checking that device exists, dereference it, and
-add the urb to the queue.
-
-Remove the unnecessary URB check, usb core checks it before calling
-xhci_urb_enqueue()
-
-Suggested-by: Kuen-Han Tsai <khtsai@google.com>
-Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
-Link: https://lore.kernel.org/r/20231201150647.1307406-20-mathias.nyman@linux.intel.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/host/xhci.c | 40 +++++++++++++++++++++++-----------------
- 1 file changed, 23 insertions(+), 17 deletions(-)
-
-diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
-index 884b0898d9c95..ddb686301af5d 100644
---- a/drivers/usb/host/xhci.c
-+++ b/drivers/usb/host/xhci.c
-@@ -1522,24 +1522,7 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
- struct urb_priv *urb_priv;
- int num_tds;
-
-- if (!urb)
-- return -EINVAL;
-- ret = xhci_check_args(hcd, urb->dev, urb->ep,
-- true, true, __func__);
-- if (ret <= 0)
-- return ret ? ret : -EINVAL;
--
-- slot_id = urb->dev->slot_id;
- ep_index = xhci_get_endpoint_index(&urb->ep->desc);
-- ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state;
--
-- if (!HCD_HW_ACCESSIBLE(hcd))
-- return -ESHUTDOWN;
--
-- if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) {
-- xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n");
-- return -ENODEV;
-- }
-
- if (usb_endpoint_xfer_isoc(&urb->ep->desc))
- num_tds = urb->number_of_packets;
-@@ -1578,12 +1561,35 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
-
- spin_lock_irqsave(&xhci->lock, flags);
-
-+ ret = xhci_check_args(hcd, urb->dev, urb->ep,
-+ true, true, __func__);
-+ if (ret <= 0) {
-+ ret = ret ? ret : -EINVAL;
-+ goto free_priv;
-+ }
-+
-+ slot_id = urb->dev->slot_id;
-+
-+ if (!HCD_HW_ACCESSIBLE(hcd)) {
-+ ret = -ESHUTDOWN;
-+ goto free_priv;
-+ }
-+
-+ if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) {
-+ xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n");
-+ ret = -ENODEV;
-+ goto free_priv;
-+ }
-+
- if (xhci->xhc_state & XHCI_STATE_DYING) {
- xhci_dbg(xhci, "Ep 0x%x: URB %p submitted for non-responsive xHCI host.\n",
- urb->ep->desc.bEndpointAddress, urb);
- ret = -ESHUTDOWN;
- goto free_priv;
- }
-+
-+ ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state;
-+
- if (*ep_state & (EP_GETTING_STREAMS | EP_GETTING_NO_STREAMS)) {
- xhci_warn(xhci, "WARN: Can't enqueue URB, ep in streams transition state %x\n",
- *ep_state);
---
-2.43.0
-
projects / thirdparty / kernel / stable-queue.git / commitdiff
