From 17daef6c2041093693db1937f79afd6f92ac3213 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 4 Nov 2025 14:28:11 +0900
Subject: [PATCH] 5.4-stable patches
added patches:
usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch
---
 queue-5.4/series | 1 +
 ...-null-pointer-access-after-ep-enable.patch | 54 +++++++++++++++++++
 2 files changed, 55 insertions(+)
 create mode 100644 queue-5.4/usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch
diff --git a/queue-5.4/series b/queue-5.4/series
index abef3aa511..e67260e8e5 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -21,3 +21,4 @@ can-gs_usb-increase-max-interface-to-u8_max.patch
 serial-8250_dw-use-devm_clk_get_optional-to-get-the-input-clock.patch
 serial-8250_dw-use-devm_add_action_or_reset.patch
 serial-8250_dw-handle-reset-control-deassert-error.patch
+usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch
diff --git a/queue-5.4/usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch b/queue-5.4/usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch
new file mode 100644
index 0000000000..8c2cec2768
--- /dev/null
+++ b/queue-5.4/usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch
@@ -0,0 +1,54 @@
+From cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 Mon Sep 17 00:00:00 2001
+From: Owen Gu
+Date: Mon, 15 Sep 2025 17:29:07 +0800
+Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
+
+From: Owen Gu
+
+commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 upstream.
+
+A race condition occurs when ffs_func_eps_enable() runs concurrently
+with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()
+sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading
+to a NULL pointer dereference when accessing epfile->ep in
+ffs_func_eps_enable() after successful usb_ep_enable().
+
+The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and
+ffs_data_close() functions, and its modification is protected by the
+spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function
+is also protected by ffs->eps_lock.
+
+Thus, add NULL pointer handling for ffs->epfiles in the
+ffs_func_eps_enable() function to fix issues
+
+Signed-off-by: Owen Gu
+Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_fs.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -2012,7 +2012,12 @@ static int ffs_func_eps_enable(struct ff
+ ep = func->eps;
+ epfile = ffs->epfiles;
+ count = ffs->eps_count;
+- while(count--) {
++ if (!epfile) {
++ ret = -ENOMEM;
++ goto done;
++ }
++
++ while (count--) {
+ ep->ep->driver_data = ep;
+
+ ret = config_ep_by_speed(func->gadget, &func->function, ep->ep);
+@@ -2036,6 +2041,7 @@ static int ffs_func_eps_enable(struct ff
+ }
+
+ wake_up_interruptible(&ffs->wait);
++done:
+ spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
+
+ return ret;
--
2.47.3
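Review bot: The `ret = -ENOMEM` on the new early-exit path in the first f_fs.c hunk mislabels the condition: per the commit message a NULL `ffs->epfiles` means ffs_data_clear()/ffs_data_close() already tore the endpoint files down under `eps_lock`, not that an allocation failed, so a caller that logs the errno gets a misleading hint. Keeping the upstream value is the right call for a stable backport, but the branch deserves a comment such as `/* epfiles torn down by ffs_data_clear()/ffs_data_close() under eps_lock; nothing to enable */` so the -ENOMEM is not later read as an OOM path. The check lands after `ep = func->eps` is read and before `ep->ep->driver_data = ep` is written, so `func->eps` is still dereferenced unguarded in the loop; whether it can be NULL at this point is not visible in the hunk and should be confirmed against the bind/unbind paths. ffs_func_eps_enable() begins and ends outside both hunks, so the initial value of `ret` and the lock acquisition are not visible here.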