From 112b368fd4e05adf2869aad8fc77e3f804432e9b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 7 May 2025 19:12:59 +0200
Subject: [PATCH] 6.6-stable patches
added patches:
usb-xhci-check-for-xhci-interrupters-being-allocated-in-xhci_mem_clearup.patch
xhci-fix-possible-null-pointer-dereference-at-secondary-interrupter-removal.patch
---
 queue-6.6/series | 2 +
 ...-being-allocated-in-xhci_mem_clearup.patch | 46 +++++++++++++++++
 ...nce-at-secondary-interrupter-removal.patch | 49 +++++++++++++++++++
 3 files changed, 97 insertions(+)
 create mode 100644 queue-6.6/usb-xhci-check-for-xhci-interrupters-being-allocated-in-xhci_mem_clearup.patch
 create mode 100644 queue-6.6/xhci-fix-possible-null-pointer-dereference-at-secondary-interrupter-removal.patch
diff --git a/queue-6.6/series b/queue-6.6/series
index cc4411a7bd..d827ef645b 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -129,3 +129,5 @@ iommu-arm-smmu-v3-use-the-new-rb-tree-helpers.patch
 iommu-arm-smmu-v3-fix-iommu_device_probe-bug-due-to-.patch
 drm-amd-display-add-scoped-mutexes-for-amdgpu_dm_dhc.patch
 drm-amd-display-fix-slab-use-after-free-in-hdcp.patch
+usb-xhci-check-for-xhci-interrupters-being-allocated-in-xhci_mem_clearup.patch
+xhci-fix-possible-null-pointer-dereference-at-secondary-interrupter-removal.patch
diff --git a/queue-6.6/usb-xhci-check-for-xhci-interrupters-being-allocated-in-xhci_mem_clearup.patch b/queue-6.6/usb-xhci-check-for-xhci-interrupters-being-allocated-in-xhci_mem_clearup.patch
new file mode 100644
index 0000000000..1852537f79
--- /dev/null
+++ b/queue-6.6/usb-xhci-check-for-xhci-interrupters-being-allocated-in-xhci_mem_clearup.patch
@@ -0,0 +1,46 @@
+From dcdb52d948f3a17ccd3fce757d9bd981d7c32039 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier
+Date: Fri, 9 Aug 2024 15:44:07 +0300
+Subject: usb: xhci: Check for xhci->interrupters being allocated in xhci_mem_clearup()
+
+From: Marc Zyngier
+
+commit dcdb52d948f3a17ccd3fce757d9bd981d7c32039 upstream.
+
+If xhci_mem_init() fails, it calls into xhci_mem_cleanup() to mop
+up the damage. If it fails early enough, before xhci->interrupters
+is allocated but after xhci->max_interrupters has been set, which
+happens in most (all?) cases, things get uglier, as xhci_mem_cleanup()
+unconditionally derefences xhci->interrupters. With prejudice.
+
+Gate the interrupt freeing loop with a check on xhci->interrupters
+being non-NULL.
+
+Found while debugging a DMA allocation issue that led the XHCI driver
+on this exact path.
+
+Fixes: c99b38c41234 ("xhci: add support to allocate several interrupters")
+Cc: Mathias Nyman
+Cc: Wesley Cheng
+Cc: Greg Kroah-Hartman
+Signed-off-by: Marc Zyngier
+Cc: stable@vger.kernel.org # 6.8+
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20240809124408.505786-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-mem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -1882,7 +1882,7 @@ void xhci_mem_cleanup(struct xhci_hcd *x
+ 
+ cancel_delayed_work_sync(&xhci->cmd_timer);
+ 
+- for (i = 0; i < xhci->max_interrupters; i++) {
++ for (i = 0; xhci->interrupters && i < xhci->max_interrupters; i++) {
+ if (xhci->interrupters[i]) {
+ xhci_remove_interrupter(xhci, xhci->interrupters[i]);
+ xhci_free_interrupter(xhci, xhci->interrupters[i]);
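Review bot: Hoisting the allocation test out of the loop condition would state the intent more directly: `xhci->interrupters && i < xhci->max_interrupters` is re-evaluated on every pass and reads as if the array pointer could change mid-loop, when the point is only to skip the whole loop when xhci_mem_init() failed before the array existed. Wrapping the `for` in `if (xhci->interrupters) { … }` expresses that; xhci_mem_cleanup()'s body starts and ends outside the hunk, so the re-indented loop body is not visible here and the change is described rather than quoted. Separately, the patch carries `Cc: stable@vger.kernel.org # 6.8+` while it is being added to the 6.6 queue, which presumably means the interrupter-array support from the Fixes: commit was already backported to 6.6; worth confirming the 6.6 tree really has `xhci->interrupters` and `max_interrupters` before queueing, since the fix only makes sense where that loop exists.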
diff --git a/queue-6.6/xhci-fix-possible-null-pointer-dereference-at-secondary-interrupter-removal.patch b/queue-6.6/xhci-fix-possible-null-pointer-dereference-at-secondary-interrupter-removal.patch
new file mode 100644
index 0000000000..09e8abd8e6
--- /dev/null
+++ b/queue-6.6/xhci-fix-possible-null-pointer-dereference-at-secondary-interrupter-removal.patch
@@ -0,0 +1,49 @@
+From a54a594d72f25b08f39d743880a76721fba9ae77 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman
+Date: Thu, 25 Jan 2024 17:27:34 +0200
+Subject: xhci: fix possible null pointer dereference at secondary interrupter removal
+
+From: Mathias Nyman
+
+commit a54a594d72f25b08f39d743880a76721fba9ae77 upstream.
+
+Don't try to remove a secondary interrupter that is known to be invalid.
+Also check if the interrupter is valid inside the spinlock that protects
+the array of interrupters.
+
+Found by smatch static checker
+
+Reported-by: Dan Carpenter
+Closes: https://lore.kernel.org/linux-usb/ffaa0a1b-5984-4a1f-bfd3-9184630a97b9@moroto.mountain/
+Fixes: c99b38c41234 ("xhci: add support to allocate several interrupters")
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20240125152737.2983959-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-mem.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -1855,14 +1855,14 @@ void xhci_remove_secondary_interrupter(s
+ struct xhci_hcd *xhci = hcd_to_xhci(hcd);
+ unsigned int intr_num;
+ 
++ spin_lock_irq(&xhci->lock);
++ 
+ /* interrupter 0 is primary interrupter, don't touch it */
+- if (!ir || !ir->intr_num || ir->intr_num >= xhci->max_interrupters)
++ if (!ir || !ir->intr_num || ir->intr_num >= xhci->max_interrupters) {
+ xhci_dbg(xhci, "Invalid secondary interrupter, can't remove\n");
+- 
+- /* fixme, should we check xhci->interrupter[intr_num] == ir */
+- /* fixme locking */
+- 
+- spin_lock_irq(&xhci->lock);
++ spin_unlock_irq(&xhci->lock);
++ return;
++ }
+ 
+ intr_num = ir->intr_num;
+ 
-- 
2.47.3
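Review bot: The removed `/* fixme, should we check xhci->interrupter[intr_num] == ir */` reminder is dropped without the check being added: after the validity test the visible code only does `intr_num = ir->intr_num;`, so nothing in the hunk confirms that the slot `xhci->interrupters[intr_num]` actually holds `ir` before the rest of the function acts on it. Whether a caller can pass an interrupter that disagrees with the array is not determinable from here, but now that the lock is held the guard is one line, `if (xhci->interrupters[intr_num] != ir) { spin_unlock_irq(&xhci->lock); return; }` placed right after `intr_num` is assigned, and it closes the gap the old comment flagged; if it is intentionally left out, the comment should stay as a TODO rather than disappear. The early return correctly drops the lock it just took, so any later early exits between `spin_lock_irq()` and the function's eventual unlock (outside the hunk) need the same treatment. xhci_remove_secondary_interrupter()'s body continues past the hunk.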