From 7c65c65485adebc1a1c3e9042a1d8dad7a498ecd Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 8 Nov 2025 10:31:53 +0900
Subject: [PATCH] drop duplicated patches
---
 queue-5.10/series | 1 -
 ...fix-epfile-null-pointer-access-after.patch | 60 -------------------
 queue-5.15/series | 1 -
 ...fix-epfile-null-pointer-access-after.patch | 60 -------------------
 queue-5.4/series | 1 -
 ...fix-epfile-null-pointer-access-after.patch | 60 -------------------
 ...i-use-pci_uevent_ers-in-pci-recovery.patch | 27 +++------
 queue-6.1/series | 1 -
 ...fix-epfile-null-pointer-access-after.patch | 60 -------------------
 ...i-use-pci_uevent_ers-in-pci-recovery.patch | 27 +++------
 queue-6.12/series | 1 -
 ...fix-epfile-null-pointer-access-after.patch | 60 -------------------
 queue-6.17/series | 1 -
 ...fix-epfile-null-pointer-access-after.patch | 60 -------------------
 queue-6.6/series | 1 -
 ...fix-epfile-null-pointer-access-after.patch | 60 -------------------
 16 files changed, 18 insertions(+), 463 deletions(-)
 delete mode 100644 queue-5.10/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch
 delete mode 100644 queue-5.15/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch
 delete mode 100644 queue-5.4/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch
 delete mode 100644 queue-6.1/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch
 delete mode 100644 queue-6.12/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch
 delete mode 100644 queue-6.17/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch
 delete mode 100644 queue-6.6/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch
diff --git a/queue-5.10/series b/queue-5.10/series
index 7438e75581..7a5f108e1d 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -121,7 +121,6 @@ selftests-makefile-include-install_dep_targets-in-cl.patch
 scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebal.patch
 allow-finish_no_open-file-err_ptr-e.patch
 usb-mon-increase-buff_max-to-64-mib-to-support-multi.patch
-usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch
 usb-xhci-plat-facilitate-using-autosuspend-for-xhci-.patch
 ipv6-np-rxpmtu-race-annotation.patch
 jfs-verify-inode-mode-when-loading-from-disk.patch
diff --git a/queue-5.10/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch b/queue-5.10/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch
deleted file mode 100644
index 0068b05fb4..0000000000
--- a/queue-5.10/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch
+++ /dev/null
@@ -1,60 +0,0 @@ -From e41c80a8dfb86814637c986439fd225a007ce750 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 15 Sep 2025 17:29:07 +0800 -Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable. - -From: Owen Gu - -[ Upstream commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 ] - -A race condition occurs when ffs_func_eps_enable() runs concurrently -with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() -sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading -to a NULL pointer dereference when accessing epfile->ep in -ffs_func_eps_enable() after successful usb_ep_enable(). - -The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and -ffs_data_close() functions, and its modification is protected by the -spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function -is also protected by ffs->eps_lock. - -Thus, add NULL pointer handling for ffs->epfiles in the -ffs_func_eps_enable() function to fix issues - -Signed-off-by: Owen Gu -Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/gadget/function/f_fs.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c -index 47b70bcc9dc29..e6c7844b8d1c2 100644 ---- a/drivers/usb/gadget/function/f_fs.c -+++ b/drivers/usb/gadget/function/f_fs.c -@@ -1993,7 +1993,12 @@ static int ffs_func_eps_enable(struct ffs_function *func) - ep = func->eps; - epfile = ffs->epfiles; - count = ffs->eps_count; -- while(count--) { -+ if (!epfile) { -+ ret = -ENOMEM; -+ goto done; -+ } -+ -+ while (count--) { - ep->ep->driver_data = ep; - - ret = config_ep_by_speed(func->gadget, &func->function, ep->ep); -@@ -2017,6 +2022,7 @@ static int ffs_func_eps_enable(struct ffs_function *func) - } - - wake_up_interruptible(&ffs->wait); -+done: - 
spin_unlock_irqrestore(&func->ffs->eps_lock, flags); - - return ret; --- -2.51.0 - diff --git a/queue-5.15/series b/queue-5.15/series index 8536b55576..038c0f8805 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -163,7 +163,6 @@ scsi-lpfc-remove-ndlp-kref-decrement-clause-for-f_po.patch scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebal.patch allow-finish_no_open-file-err_ptr-e.patch usb-mon-increase-buff_max-to-64-mib-to-support-multi.patch -usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch usb-xhci-plat-facilitate-using-autosuspend-for-xhci-.patch ipv6-np-rxpmtu-race-annotation.patch rdma-irdma-update-kconfig.patch diff --git a/queue-5.15/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch b/queue-5.15/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch deleted file mode 100644 index f4d70a04e0..0000000000 --- a/queue-5.15/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 48e0e634967d8b963faf9a4c4cff504c3ee54356 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 15 Sep 2025 17:29:07 +0800 -Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable. - -From: Owen Gu - -[ Upstream commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 ] - -A race condition occurs when ffs_func_eps_enable() runs concurrently -with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() -sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading -to a NULL pointer dereference when accessing epfile->ep in -ffs_func_eps_enable() after successful usb_ep_enable(). - -The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and -ffs_data_close() functions, and its modification is protected by the -spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function -is also protected by ffs->eps_lock. - -Thus, add NULL pointer handling for ffs->epfiles in the -ffs_func_eps_enable() function to fix issues - -Signed-off-by: Owen Gu -Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/gadget/function/f_fs.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c -index d6dc02ec5fc6e..9fcf27e6f0e40 100644 ---- a/drivers/usb/gadget/function/f_fs.c -+++ b/drivers/usb/gadget/function/f_fs.c -@@ -2005,7 +2005,12 @@ static int ffs_func_eps_enable(struct ffs_function *func) - ep = func->eps; - epfile = ffs->epfiles; - count = ffs->eps_count; -- while(count--) { -+ if (!epfile) { -+ ret = -ENOMEM; -+ goto done; -+ } -+ -+ while (count--) { - ep->ep->driver_data = ep; - - ret = config_ep_by_speed(func->gadget, &func->function, ep->ep); -@@ -2029,6 +2034,7 @@ static int ffs_func_eps_enable(struct ffs_function *func) - } - - wake_up_interruptible(&ffs->wait); -+done: - 
spin_unlock_irqrestore(&func->ffs->eps_lock, flags); - - return ret; --- -2.51.0 - diff --git a/queue-5.4/series b/queue-5.4/series index 14b6ee4218..ad05466ed7 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -88,7 +88,6 @@ scsi-lpfc-check-return-status-of-lpfc_reset_flush_io.patch scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebal.patch allow-finish_no_open-file-err_ptr-e.patch usb-mon-increase-buff_max-to-64-mib-to-support-multi.patch -usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch usb-xhci-plat-facilitate-using-autosuspend-for-xhci-.patch ipv6-np-rxpmtu-race-annotation.patch jfs-verify-inode-mode-when-loading-from-disk.patch diff --git a/queue-5.4/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch b/queue-5.4/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch deleted file mode 100644 index 8c1f0cc371..0000000000 --- a/queue-5.4/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 34c64db5edee2965e80e887a3a48950c3995d65a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 15 Sep 2025 17:29:07 +0800 -Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable. - -From: Owen Gu - -[ Upstream commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 ] - -A race condition occurs when ffs_func_eps_enable() runs concurrently -with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() -sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading -to a NULL pointer dereference when accessing epfile->ep in -ffs_func_eps_enable() after successful usb_ep_enable(). - -The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and -ffs_data_close() functions, and its modification is protected by the -spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function -is also protected by ffs->eps_lock. - -Thus, add NULL pointer handling for ffs->epfiles in the -ffs_func_eps_enable() function to fix issues - -Signed-off-by: Owen Gu -Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/gadget/function/f_fs.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c -index 9b5f9d503ff0d..e0a35dc19e455 100644 ---- a/drivers/usb/gadget/function/f_fs.c -+++ b/drivers/usb/gadget/function/f_fs.c -@@ -2012,7 +2012,12 @@ static int ffs_func_eps_enable(struct ffs_function *func) - ep = func->eps; - epfile = ffs->epfiles; - count = ffs->eps_count; -- while(count--) { -+ if (!epfile) { -+ ret = -ENOMEM; -+ goto done; -+ } -+ -+ while (count--) { - ep->ep->driver_data = ep; - - ret = config_ep_by_speed(func->gadget, &func->function, ep->ep); -@@ -2036,6 +2041,7 @@ static int ffs_func_eps_enable(struct ffs_function *func) - } - - wake_up_interruptible(&ffs->wait); -+done: - 
spin_unlock_irqrestore(&func->ffs->eps_lock, flags); - - return ret; --- -2.51.0 - diff --git a/queue-6.1/s390-pci-use-pci_uevent_ers-in-pci-recovery.patch b/queue-6.1/s390-pci-use-pci_uevent_ers-in-pci-recovery.patch index dea67f50dd..0ce76fbe84 100644 --- a/queue-6.1/s390-pci-use-pci_uevent_ers-in-pci-recovery.patch +++ b/queue-6.1/s390-pci-use-pci_uevent_ers-in-pci-recovery.patch @@ -16,16 +16,14 @@ Reviewed-by: Lukas Wunner Link: https://patch.msgid.link/20250807-add_err_uevents-v5-2-adf85b0620b0@linux.ibm.com Signed-off-by: Sasha Levin --- - arch/s390/pci/pci_event.c | 3 +++ - drivers/pci/pci-driver.c | 2 +- - include/linux/pci.h | 2 +- + arch/s390/pci/pci_event.c | 3 +++ + drivers/pci/pci-driver.c | 2 +- + include/linux/pci.h | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) -diff --git a/arch/s390/pci/pci_event.c b/arch/s390/pci/pci_event.c -index d969f36bf186f..f7f2853de49be 100644 --- a/arch/s390/pci/pci_event.c +++ b/arch/s390/pci/pci_event.c -@@ -83,6 +83,7 @@ static pci_ers_result_t zpci_event_notify_error_detected(struct pci_dev *pdev, +@@ -83,6 +83,7 @@ static pci_ers_result_t zpci_event_notif pci_ers_result_t ers_res = PCI_ERS_RESULT_DISCONNECT; ers_res = driver->err_handler->error_detected(pdev, pdev->error_state); @@ -33,7 +31,7 @@ index d969f36bf186f..f7f2853de49be 100644 if (ers_result_indicates_abort(ers_res)) pr_info("%s: Automatic recovery failed after initial reporting\n", pci_name(pdev)); else if (ers_res == PCI_ERS_RESULT_NEED_RESET) -@@ -212,6 +213,7 @@ static pci_ers_result_t zpci_event_attempt_error_recovery(struct pci_dev *pdev) +@@ -212,6 +213,7 @@ static pci_ers_result_t zpci_event_attem ers_res = zpci_event_do_reset(pdev, driver); if (ers_res != PCI_ERS_RESULT_RECOVERED) { 
@@ -41,19 +39,17 @@ index d969f36bf186f..f7f2853de49be 100644 pr_err("%s: Automatic recovery failed; operator intervention is required\n", pci_name(pdev)); goto out_unlock; -@@ -220,6 +222,7 @@ static pci_ers_result_t zpci_event_attempt_error_recovery(struct pci_dev *pdev) +@@ -220,6 +222,7 @@ static pci_ers_result_t zpci_event_attem pr_info("%s: The device is ready to resume operations\n", pci_name(pdev)); if (driver->err_handler->resume) driver->err_handler->resume(pdev); + pci_uevent_ers(pdev, PCI_ERS_RESULT_RECOVERED); out_unlock: - pci_dev_unlock(pdev); + device_unlock(&pdev->dev); -diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c -index c3410241633f4..51db5063949bf 100644 --- a/drivers/pci/pci-driver.c +++ b/drivers/pci/pci-driver.c -@@ -1597,7 +1597,7 @@ static int pci_uevent(struct device *dev, struct kobj_uevent_env *env) +@@ -1597,7 +1597,7 @@ static int pci_uevent(struct device *dev return 0; } @@ -62,11 +58,9 @@ index c3410241633f4..51db5063949bf 100644 /** * pci_uevent_ers - emit a uevent during recovery path of PCI device * @pdev: PCI device undergoing error recovery -diff --git a/include/linux/pci.h b/include/linux/pci.h -index ea50d050d0214..e10b54642b7f2 100644 --- a/include/linux/pci.h +++ b/include/linux/pci.h -@@ -2561,7 +2561,7 @@ static inline bool pci_is_thunderbolt_attached(struct pci_dev *pdev) +@@ -2561,7 +2561,7 @@ static inline bool pci_is_thunderbolt_at return false; } @@ -75,6 +69,3 @@ index ea50d050d0214..e10b54642b7f2 100644 void pci_uevent_ers(struct pci_dev *pdev, enum pci_ers_result err_type); #endif --- -2.51.0 - diff --git a/queue-6.1/series b/queue-6.1/series index dd96fd0455..fb73112459 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
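Review bot: The `@@ -41,19 +39,17 @@` hunk of the queue-6.1 s390 patch changes more than layout: the context line after `out_unlock:` goes from `pci_dev_unlock(pdev);` to `device_unlock(&pdev->dev);`, and the queue-6.12 copy gets the same change. The refreshed patch therefore expects a different unlock call at the end of zpci_event_attempt_error_recovery(), whose body lies mostly outside the hunk. The subject only says "drop duplicated patches", so the log should state why the context was refreshed; presumably the change that introduced `pci_dev_unlock()` there is not ahead of this patch in these queues, and that is worth confirming because the lock/unlock pairing on the recovery path depends on it. The remaining edits to this file (diffstat spacing, dropped `diff --git`/`index` lines, shortened hunk headers, removed signature) look like a tool refresh and raise nothing.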
@@ -234,7 +234,6 @@ scsi-lpfc-remove-ndlp-kref-decrement-clause-for-f_po.patch scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebal.patch allow-finish_no_open-file-err_ptr-e.patch usb-mon-increase-buff_max-to-64-mib-to-support-multi.patch -usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch usb-xhci-plat-facilitate-using-autosuspend-for-xhci-.patch ipv6-np-rxpmtu-race-annotation.patch rdma-irdma-update-kconfig.patch diff --git a/queue-6.1/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch b/queue-6.1/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch deleted file mode 100644 index c2e7a6b102..0000000000 --- a/queue-6.1/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 1bdcdde38375c9733dea42a1c4980164afd0c2e1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 15 Sep 2025 17:29:07 +0800 -Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable. - -From: Owen Gu - -[ Upstream commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 ] - -A race condition occurs when ffs_func_eps_enable() runs concurrently -with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() -sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading -to a NULL pointer dereference when accessing epfile->ep in -ffs_func_eps_enable() after successful usb_ep_enable(). - -The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and -ffs_data_close() functions, and its modification is protected by the -spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function -is also protected by ffs->eps_lock. - -Thus, add NULL pointer handling for ffs->epfiles in the -ffs_func_eps_enable() function to fix issues - -Signed-off-by: Owen Gu -Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/gadget/function/f_fs.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c -index e68425db9a6af..9c0857f72eb79 100644 ---- a/drivers/usb/gadget/function/f_fs.c -+++ b/drivers/usb/gadget/function/f_fs.c -@@ -2005,7 +2005,12 @@ static int ffs_func_eps_enable(struct ffs_function *func) - ep = func->eps; - epfile = ffs->epfiles; - count = ffs->eps_count; -- while(count--) { -+ if (!epfile) { -+ ret = -ENOMEM; -+ goto done; -+ } -+ -+ while (count--) { - ep->ep->driver_data = ep; - - ret = config_ep_by_speed(func->gadget, &func->function, ep->ep); -@@ -2029,6 +2034,7 @@ static int ffs_func_eps_enable(struct ffs_function *func) - } - - wake_up_interruptible(&ffs->wait); -+done: - 
spin_unlock_irqrestore(&func->ffs->eps_lock, flags); - - return ret; --- -2.51.0 - diff --git a/queue-6.12/s390-pci-use-pci_uevent_ers-in-pci-recovery.patch b/queue-6.12/s390-pci-use-pci_uevent_ers-in-pci-recovery.patch index 7badc06543..6f769ed89c 100644 --- a/queue-6.12/s390-pci-use-pci_uevent_ers-in-pci-recovery.patch +++ b/queue-6.12/s390-pci-use-pci_uevent_ers-in-pci-recovery.patch @@ -16,16 +16,14 @@ Reviewed-by: Lukas Wunner Link: https://patch.msgid.link/20250807-add_err_uevents-v5-2-adf85b0620b0@linux.ibm.com Signed-off-by: Sasha Levin --- - arch/s390/pci/pci_event.c | 3 +++ - drivers/pci/pci-driver.c | 2 +- - include/linux/pci.h | 2 +- + arch/s390/pci/pci_event.c | 3 +++ + drivers/pci/pci-driver.c | 2 +- + include/linux/pci.h | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) -diff --git a/arch/s390/pci/pci_event.c b/arch/s390/pci/pci_event.c -index ef44feb1a9daa..2c82e1afec3b3 100644 --- a/arch/s390/pci/pci_event.c +++ b/arch/s390/pci/pci_event.c -@@ -90,6 +90,7 @@ static pci_ers_result_t zpci_event_notify_error_detected(struct pci_dev *pdev, +@@ -90,6 +90,7 @@ static pci_ers_result_t zpci_event_notif pci_ers_result_t ers_res = PCI_ERS_RESULT_DISCONNECT; ers_res = driver->err_handler->error_detected(pdev, pdev->error_state); @@ -33,7 +31,7 @@ index ef44feb1a9daa..2c82e1afec3b3 100644 if (ers_result_indicates_abort(ers_res)) pr_info("%s: Automatic recovery failed after initial reporting\n", pci_name(pdev)); else if (ers_res == PCI_ERS_RESULT_NEED_RESET) -@@ -219,6 +220,7 @@ static pci_ers_result_t zpci_event_attempt_error_recovery(struct pci_dev *pdev) +@@ -219,6 +220,7 @@ static pci_ers_result_t zpci_event_attem ers_res = zpci_event_do_reset(pdev, driver); if (ers_res != PCI_ERS_RESULT_RECOVERED) { 
@@ -41,19 +39,17 @@ index ef44feb1a9daa..2c82e1afec3b3 100644 pr_err("%s: Automatic recovery failed; operator intervention is required\n", pci_name(pdev)); goto out_unlock; -@@ -227,6 +229,7 @@ static pci_ers_result_t zpci_event_attempt_error_recovery(struct pci_dev *pdev) +@@ -227,6 +229,7 @@ static pci_ers_result_t zpci_event_attem pr_info("%s: The device is ready to resume operations\n", pci_name(pdev)); if (driver->err_handler->resume) driver->err_handler->resume(pdev); + pci_uevent_ers(pdev, PCI_ERS_RESULT_RECOVERED); out_unlock: - pci_dev_unlock(pdev); + device_unlock(&pdev->dev); -diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c -index 0c3aa91d1aee0..7e9b6e4d46950 100644 --- a/drivers/pci/pci-driver.c +++ b/drivers/pci/pci-driver.c -@@ -1586,7 +1586,7 @@ static int pci_uevent(const struct device *dev, struct kobj_uevent_env *env) +@@ -1586,7 +1586,7 @@ static int pci_uevent(const struct devic return 0; } @@ -62,11 +58,9 @@ index 0c3aa91d1aee0..7e9b6e4d46950 100644 /** * pci_uevent_ers - emit a uevent during recovery path of PCI device * @pdev: PCI device undergoing error recovery -diff --git a/include/linux/pci.h b/include/linux/pci.h -index 452a3dca28eaa..242ee3843e10e 100644 --- a/include/linux/pci.h +++ b/include/linux/pci.h -@@ -2707,7 +2707,7 @@ static inline bool pci_is_thunderbolt_attached(struct pci_dev *pdev) +@@ -2707,7 +2707,7 @@ static inline bool pci_is_thunderbolt_at return false; } @@ -75,6 +69,3 @@ index 452a3dca28eaa..242ee3843e10e 100644 void pci_uevent_ers(struct pci_dev *pdev, enum pci_ers_result err_type); #endif --- -2.51.0 - diff --git a/queue-6.12/series b/queue-6.12/series index eaee5084b7..e50c59bd83 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
@@ -379,7 +379,6 @@ scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebal.patch scsi-lpfc-ensure-plogi_acc-is-sent-prior-to-prli-in-.patch allow-finish_no_open-file-err_ptr-e.patch usb-mon-increase-buff_max-to-64-mib-to-support-multi.patch -usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch usb-xhci-plat-facilitate-using-autosuspend-for-xhci-.patch f2fs-fix-infinite-loop-in-__insert_extent_tree.patch wifi-rtw89-obtain-rx-path-from-ppdu-status-ie00.patch diff --git a/queue-6.12/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch b/queue-6.12/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch deleted file mode 100644 index 78d0154607..0000000000 --- a/queue-6.12/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 717c15a5aec620977338ab74e8c6c7a168fd4973 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 15 Sep 2025 17:29:07 +0800 -Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable. - -From: Owen Gu - -[ Upstream commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 ] - -A race condition occurs when ffs_func_eps_enable() runs concurrently -with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() -sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading -to a NULL pointer dereference when accessing epfile->ep in -ffs_func_eps_enable() after successful usb_ep_enable(). - -The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and -ffs_data_close() functions, and its modification is protected by the -spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function -is also protected by ffs->eps_lock. - -Thus, add NULL pointer handling for ffs->epfiles in the -ffs_func_eps_enable() function to fix issues - -Signed-off-by: Owen Gu -Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/gadget/function/f_fs.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c -index 92c883440e02c..f7be1548cc18a 100644 ---- a/drivers/usb/gadget/function/f_fs.c -+++ b/drivers/usb/gadget/function/f_fs.c -@@ -2418,7 +2418,12 @@ static int ffs_func_eps_enable(struct ffs_function *func) - ep = func->eps; - epfile = ffs->epfiles; - count = ffs->eps_count; -- while(count--) { -+ if (!epfile) { -+ ret = -ENOMEM; -+ goto done; -+ } -+ -+ while (count--) { - ep->ep->driver_data = ep; - - ret = config_ep_by_speed(func->gadget, &func->function, ep->ep); -@@ -2442,6 +2447,7 @@ static int ffs_func_eps_enable(struct ffs_function *func) - } - - wake_up_interruptible(&ffs->wait); -+done: - 
spin_unlock_irqrestore(&func->ffs->eps_lock, flags); - - return ret; --- -2.51.0 - diff --git a/queue-6.17/series b/queue-6.17/series index 1c22f40df9..edf6dec537 100644 --- a/queue-6.17/series +++ b/queue-6.17/series @@ -577,7 +577,6 @@ scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebal.patch scsi-lpfc-ensure-plogi_acc-is-sent-prior-to-prli-in-.patch allow-finish_no_open-file-err_ptr-e.patch usb-mon-increase-buff_max-to-64-mib-to-support-multi.patch -usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch usb-xhci-plat-facilitate-using-autosuspend-for-xhci-.patch f2fs-fix-infinite-loop-in-__insert_extent_tree.patch wifi-rtw89-disable-rtw89_physts_ie09_ftr_0-for-ppdu-.patch diff --git a/queue-6.17/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch b/queue-6.17/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch deleted file mode 100644 index f9637e14c5..0000000000 --- a/queue-6.17/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 8c9a53d8811455c7800bfccabc307d756af153e0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 15 Sep 2025 17:29:07 +0800 -Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable. - -From: Owen Gu - -[ Upstream commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 ] - -A race condition occurs when ffs_func_eps_enable() runs concurrently -with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() -sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading -to a NULL pointer dereference when accessing epfile->ep in -ffs_func_eps_enable() after successful usb_ep_enable(). - -The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and -ffs_data_close() functions, and its modification is protected by the -spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function -is also protected by ffs->eps_lock. - -Thus, add NULL pointer handling for ffs->epfiles in the -ffs_func_eps_enable() function to fix issues - -Signed-off-by: Owen Gu -Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/gadget/function/f_fs.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c -index 08a251df20c43..04058261cdd03 100644 ---- a/drivers/usb/gadget/function/f_fs.c -+++ b/drivers/usb/gadget/function/f_fs.c -@@ -2407,7 +2407,12 @@ static int ffs_func_eps_enable(struct ffs_function *func) - ep = func->eps; - epfile = ffs->epfiles; - count = ffs->eps_count; -- while(count--) { -+ if (!epfile) { -+ ret = -ENOMEM; -+ goto done; -+ } -+ -+ while (count--) { - ep->ep->driver_data = ep; - - ret = config_ep_by_speed(func->gadget, &func->function, ep->ep); -@@ -2431,6 +2436,7 @@ static int ffs_func_eps_enable(struct ffs_function *func) - } - - wake_up_interruptible(&ffs->wait); -+done: - 
spin_unlock_irqrestore(&func->ffs->eps_lock, flags); - - return ret; --- -2.51.0 - diff --git a/queue-6.6/series b/queue-6.6/series index 825bca8876..766b9b64a7 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -245,7 +245,6 @@ scsi-lpfc-remove-ndlp-kref-decrement-clause-for-f_po.patch scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebal.patch allow-finish_no_open-file-err_ptr-e.patch usb-mon-increase-buff_max-to-64-mib-to-support-multi.patch -usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch usb-xhci-plat-facilitate-using-autosuspend-for-xhci-.patch f2fs-fix-infinite-loop-in-__insert_extent_tree.patch ipv6-np-rxpmtu-race-annotation.patch diff --git a/queue-6.6/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch b/queue-6.6/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch deleted file mode 100644 index 49c2b7fbd0..0000000000 --- a/queue-6.6/usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From e1a52bf7e1f33a3b693e3f540ff9769c347a85c9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 15 Sep 2025 17:29:07 +0800 -Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable. - -From: Owen Gu - -[ Upstream commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 ] - -A race condition occurs when ffs_func_eps_enable() runs concurrently -with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() -sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading -to a NULL pointer dereference when accessing epfile->ep in -ffs_func_eps_enable() after successful usb_ep_enable(). - -The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and -ffs_data_close() functions, and its modification is protected by the -spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function -is also protected by ffs->eps_lock. - -Thus, add NULL pointer handling for ffs->epfiles in the -ffs_func_eps_enable() function to fix issues - -Signed-off-by: Owen Gu -Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/gadget/function/f_fs.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c -index 4a88546b1b157..14424e395f2a9 100644 ---- a/drivers/usb/gadget/function/f_fs.c -+++ b/drivers/usb/gadget/function/f_fs.c -@@ -1941,7 +1941,12 @@ static int ffs_func_eps_enable(struct ffs_function *func) - ep = func->eps; - epfile = ffs->epfiles; - count = ffs->eps_count; -- while(count--) { -+ if (!epfile) { -+ ret = -ENOMEM; -+ goto done; -+ } -+ -+ while (count--) { - ep->ep->driver_data = ep; - - ret = config_ep_by_speed(func->gadget, &func->function, ep->ep); -@@ -1965,6 +1970,7 @@ static int ffs_func_eps_enable(struct ffs_function *func) - } - - wake_up_interruptible(&ffs->wait); -+done: - 
spin_unlock_irqrestore(&func->ffs->eps_lock, flags); - - return ret; --- -2.51.0 - -- 2.47.3