From: Prithvi Tambewagh <activprithvi@gmail.com>
+commit b14fad555302a2104948feaff70503b64c80ac01 upstream.
+
__io_openat_prep() allocates a struct filename using getname(). However,
for the condition of the file being installed in the fixed file table as
well as having O_CLOEXEC flag set, the function returns early. At that
+++ /dev/null
-From 3a6ea1951fb1117950678a61c103c8867281c31f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 10 Nov 2025 14:10:37 +0800
-Subject: reset: fix BIT macro reference
-
-From: Encrow Thorne <jyc0019@gmail.com>
-
-[ Upstream commit f3d8b64ee46c9b4b0b82b1a4642027728bac95b8 ]
-
-RESET_CONTROL_FLAGS_BIT_* macros use BIT(), but reset.h does not
-include bits.h. This causes compilation errors when including
-reset.h standalone.
-
-Include bits.h to make reset.h self-contained.
-
-Suggested-by: Troy Mitchell <troy.mitchell@linux.dev>
-Reviewed-by: Troy Mitchell <troy.mitchell@linux.dev>
-Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
-Signed-off-by: Encrow Thorne <jyc0019@gmail.com>
-Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/linux/reset.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/include/linux/reset.h b/include/linux/reset.h
-index 05aa9f440f48..f27026f52104 100644
---- a/include/linux/reset.h
-+++ b/include/linux/reset.h
-@@ -2,6 +2,7 @@
- #ifndef _LINUX_RESET_H_
- #define _LINUX_RESET_H_
-
-+#include <linux/bits.h>
- #include <linux/err.h>
- #include <linux/errno.h>
- #include <linux/types.h>
---
-2.51.0
-
scsi-qla2xxx-fix-initiator-mode-with-qlini_mode-excl.patch
scsi-qla2xxx-use-reinit_completion-on-mbx_intr_comp.patch
via_wdt-fix-critical-boot-hang-due-to-unnamed-resour.patch
-reset-fix-bit-macro-reference.patch
exfat-fix-remount-failure-in-different-process-envir.patch
usbip-fix-locking-bug-in-rt-enabled-kernels.patch
usb-typec-ucsi-handle-incorrect-num_connectors-capab.patch
media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch
phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch
usb-lpc32xx_udc-fix-error-handling-in-probe.patch
-usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch
usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch
usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch
char-applicom-fix-null-pointer-dereference-in-ac_ioctl.patch
+++ /dev/null
-From 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f Mon Sep 17 00:00:00 2001
-From: Duoming Zhou <duoming@zju.edu.cn>
-Date: Fri, 5 Dec 2025 11:48:31 +0800
-Subject: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal
-
-From: Duoming Zhou <duoming@zju.edu.cn>
-
-commit 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f upstream.
-
-The delayed work item otg_event is initialized in fsl_otg_conf() and
-scheduled under two conditions:
-1. When a host controller binds to the OTG controller.
-2. When the USB ID pin state changes (cable insertion/removal).
-
-A race condition occurs when the device is removed via fsl_otg_remove():
-the fsl_otg instance may be freed while the delayed work is still pending
-or executing. This leads to use-after-free when the work function
-fsl_otg_event() accesses the already freed memory.
-
-The problematic scenario:
-
-(detach thread) | (delayed work)
-fsl_otg_remove() |
- kfree(fsl_otg_dev) //FREE| fsl_otg_event()
- | og = container_of(...) //USE
- | og-> //USE
-
-Fix this by calling disable_delayed_work_sync() in fsl_otg_remove()
-before deallocating the fsl_otg structure. This ensures the delayed work
-is properly canceled and completes execution prior to memory deallocation.
-
-This bug was identified through static analysis.
-
-Fixes: 0807c500a1a6 ("USB: add Freescale USB OTG Transceiver driver")
-Cc: stable <stable@kernel.org>
-Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
-Link: https://patch.msgid.link/20251205034831.12846-1-duoming@zju.edu.cn
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/phy/phy-fsl-usb.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/usb/phy/phy-fsl-usb.c
-+++ b/drivers/usb/phy/phy-fsl-usb.c
-@@ -987,6 +987,7 @@ static int fsl_otg_remove(struct platfor
- {
- struct fsl_usb2_platform_data *pdata = dev_get_platdata(&pdev->dev);
-
-+ disable_delayed_work_sync(&fsl_otg_dev->otg_event);
- usb_remove_phy(&fsl_otg_dev->phy);
- free_irq(fsl_otg_dev->irq, fsl_otg_dev);
-
From: Prithvi Tambewagh <activprithvi@gmail.com>
+commit b14fad555302a2104948feaff70503b64c80ac01 upstream.
+
__io_openat_prep() allocates a struct filename using getname(). However,
for the condition of the file being installed in the fixed file table as
well as having O_CLOEXEC flag set, the function returns early. At that
+++ /dev/null
-From 01a30ff6a74d145704cf532d1450febb2febc167 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 10 Nov 2025 14:10:37 +0800
-Subject: reset: fix BIT macro reference
-
-From: Encrow Thorne <jyc0019@gmail.com>
-
-[ Upstream commit f3d8b64ee46c9b4b0b82b1a4642027728bac95b8 ]
-
-RESET_CONTROL_FLAGS_BIT_* macros use BIT(), but reset.h does not
-include bits.h. This causes compilation errors when including
-reset.h standalone.
-
-Include bits.h to make reset.h self-contained.
-
-Suggested-by: Troy Mitchell <troy.mitchell@linux.dev>
-Reviewed-by: Troy Mitchell <troy.mitchell@linux.dev>
-Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
-Signed-off-by: Encrow Thorne <jyc0019@gmail.com>
-Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/linux/reset.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/include/linux/reset.h b/include/linux/reset.h
-index 7bb583737528..23abb90398ad 100644
---- a/include/linux/reset.h
-+++ b/include/linux/reset.h
-@@ -2,6 +2,7 @@
- #ifndef _LINUX_RESET_H_
- #define _LINUX_RESET_H_
-
-+#include <linux/bits.h>
- #include <linux/err.h>
- #include <linux/errno.h>
- #include <linux/types.h>
---
-2.51.0
-
scsi-qla2xxx-fix-initiator-mode-with-qlini_mode-excl.patch
scsi-qla2xxx-use-reinit_completion-on-mbx_intr_comp.patch
via_wdt-fix-critical-boot-hang-due-to-unnamed-resour.patch
-reset-fix-bit-macro-reference.patch
exfat-fix-remount-failure-in-different-process-envir.patch
usbip-fix-locking-bug-in-rt-enabled-kernels.patch
usb-typec-ucsi-handle-incorrect-num_connectors-capab.patch
media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch
phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch
usb-lpc32xx_udc-fix-error-handling-in-probe.patch
-usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch
usb-phy-isp1301-fix-non-of-device-reference-imbalance.patch
usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch
usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch
+++ /dev/null
-From 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f Mon Sep 17 00:00:00 2001
-From: Duoming Zhou <duoming@zju.edu.cn>
-Date: Fri, 5 Dec 2025 11:48:31 +0800
-Subject: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal
-
-From: Duoming Zhou <duoming@zju.edu.cn>
-
-commit 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f upstream.
-
-The delayed work item otg_event is initialized in fsl_otg_conf() and
-scheduled under two conditions:
-1. When a host controller binds to the OTG controller.
-2. When the USB ID pin state changes (cable insertion/removal).
-
-A race condition occurs when the device is removed via fsl_otg_remove():
-the fsl_otg instance may be freed while the delayed work is still pending
-or executing. This leads to use-after-free when the work function
-fsl_otg_event() accesses the already freed memory.
-
-The problematic scenario:
-
-(detach thread) | (delayed work)
-fsl_otg_remove() |
- kfree(fsl_otg_dev) //FREE| fsl_otg_event()
- | og = container_of(...) //USE
- | og-> //USE
-
-Fix this by calling disable_delayed_work_sync() in fsl_otg_remove()
-before deallocating the fsl_otg structure. This ensures the delayed work
-is properly canceled and completes execution prior to memory deallocation.
-
-This bug was identified through static analysis.
-
-Fixes: 0807c500a1a6 ("USB: add Freescale USB OTG Transceiver driver")
-Cc: stable <stable@kernel.org>
-Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
-Link: https://patch.msgid.link/20251205034831.12846-1-duoming@zju.edu.cn
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/phy/phy-fsl-usb.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/usb/phy/phy-fsl-usb.c
-+++ b/drivers/usb/phy/phy-fsl-usb.c
-@@ -987,6 +987,7 @@ static int fsl_otg_remove(struct platfor
- {
- struct fsl_usb2_platform_data *pdata = dev_get_platdata(&pdev->dev);
-
-+ disable_delayed_work_sync(&fsl_otg_dev->otg_event);
- usb_remove_phy(&fsl_otg_dev->phy);
- free_irq(fsl_otg_dev->irq, fsl_otg_dev);
-
projects / thirdparty / kernel / stable-queue.git / commitdiff
