From ce024dede66bcaaad45196c58c7cf77dc37fc725 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 12 Jul 2025 16:45:08 +0200
Subject: [PATCH] 6.1-stable patches

added patches:
	usb-gadget-u_serial-fix-race-condition-in-tty-wakeup.patch
---
 queue-6.1/series                              |  1 +
 ...ial-fix-race-condition-in-tty-wakeup.patch | 59 +++++++++++++++++++
 2 files changed, 60 insertions(+)
 create mode 100644 queue-6.1/usb-gadget-u_serial-fix-race-condition-in-tty-wakeup.patch

diff --git a/queue-6.1/series b/queue-6.1/series
index 027b6ff8df..60ff0df97b 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -33,3 +33,4 @@ wifi-prevent-a-msdu-attacks-in-mesh-networks.patch
 drm-sched-increment-job-count-before-swapping-tail-spsc-queue.patch
 drm-ttm-fix-error-handling-in-ttm_buffer_object_transfer.patch
 drm-gem-fix-race-in-drm_gem_handle_create_tail.patch
+usb-gadget-u_serial-fix-race-condition-in-tty-wakeup.patch
diff --git a/queue-6.1/usb-gadget-u_serial-fix-race-condition-in-tty-wakeup.patch b/queue-6.1/usb-gadget-u_serial-fix-race-condition-in-tty-wakeup.patch
new file mode 100644
index 0000000000..8bd823fc50
--- /dev/null
+++ b/queue-6.1/usb-gadget-u_serial-fix-race-condition-in-tty-wakeup.patch
@@ -0,0 +1,59 @@
+From c529c3730bd09115684644e26bf01ecbd7e2c2c9 Mon Sep 17 00:00:00 2001
+From: Kuen-Han Tsai <khtsai@google.com>
+Date: Tue, 17 Jun 2025 13:07:12 +0800
+Subject: usb: gadget: u_serial: Fix race condition in TTY wakeup
+
+From: Kuen-Han Tsai <khtsai@google.com>
+
+commit c529c3730bd09115684644e26bf01ecbd7e2c2c9 upstream.
+
+A race condition occurs when gs_start_io() calls either gs_start_rx() or
+gs_start_tx(), as those functions briefly drop the port_lock for
+usb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear
+port.tty and port_usb, respectively.
+
+Use the null-safe TTY Port helper function to wake up TTY.
+
+Example
+  CPU1:			      CPU2:
+  gserial_connect() // lock
+  			      gs_close() // await lock
+  gs_start_rx()     // unlock
+  usb_ep_queue()
+  			      gs_close() // lock, reset port.tty and unlock
+  gs_start_rx()     // lock
+  tty_wakeup()      // NPE
+
+Fixes: 35f95fd7f234 ("TTY: usb/u_serial, use tty from tty_port")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
+Reviewed-by: Prashanth K <prashanth.k@oss.qualcomm.com>
+Link: https://lore.kernel.org/linux-usb/20240116141801.396398-1-khtsai@google.com/
+Link: https://lore.kernel.org/r/20250617050844.1848232-2-khtsai@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/u_serial.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_serial.c
++++ b/drivers/usb/gadget/function/u_serial.c
+@@ -290,8 +290,8 @@ __acquires(&port->port_lock)
+ 			break;
+ 	}
+ 
+-	if (do_tty_wake && port->port.tty)
+-		tty_wakeup(port->port.tty);
++	if (do_tty_wake)
++		tty_port_tty_wakeup(&port->port);
+ 	return status;
+ }
+ 
+@@ -568,7 +568,7 @@ static int gs_start_io(struct gs_port *p
+ 		gs_start_tx(port);
+ 		/* Unblock any pending writes into our circular buffer, in case
+ 		 * we didn't in gs_start_tx() */
+-		tty_wakeup(port->port.tty);
++		tty_port_tty_wakeup(&port->port);
+ 	} else {
+ 		/* Free reqs only if we are still connected */
+ 		if (port->port_usb) {
-- 
2.47.2