--- /dev/null
+From stable+bounces-192200-greg=kroah.com@vger.kernel.org Mon Nov 3 21:50:04 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Nov 2025 07:46:31 -0500
+Subject: block: make REQ_OP_ZONE_OPEN a write operation
+To: stable@vger.kernel.org
+Cc: Damien Le Moal <dlemoal@kernel.org>, Chaitanya Kulkarni <kch@nvidia.com>, Christoph Hellwig <hch@lst.de>, Johannes Thumshirn <johannes.thumshirn@wdc.com>, Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251103124631.4003336-1-sashal@kernel.org>
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit 19de03b312d69a7e9bacb51c806c6e3f4207376c ]
+
+A REQ_OP_OPEN_ZONE request changes the condition of a sequential zone of
+a zoned block device to the explicitly open condition
+(BLK_ZONE_COND_EXP_OPEN). As such, it should be considered a write
+operation.
+
+Change this operation code to be an odd number to reflect this. The
+following operation numbers are changed to keep the numbering compact.
+
+No problems were reported without this change as this operation has no
+data. However, this unifies the zone operation to reflect that they
+modify the device state and also allows strengthening checks in the
+block layer, e.g. checking if this operation is not issued against a
+read-only device.
+
+Fixes: 6c1b1da58f8c ("block: add zone open, close and finish operations")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+[ relocated REQ_OP_ZONE_APPEND from 15 to 21 to resolve numbering conflict ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/blk_types.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/include/linux/blk_types.h
++++ b/include/linux/blk_types.h
+@@ -337,17 +337,17 @@ enum req_opf {
+ /* write the zero filled sector many times */
+ REQ_OP_WRITE_ZEROES = 9,
+ /* Open a zone */
+- REQ_OP_ZONE_OPEN = 10,
++ REQ_OP_ZONE_OPEN = 11,
+ /* Close a zone */
+- REQ_OP_ZONE_CLOSE = 11,
++ REQ_OP_ZONE_CLOSE = 13,
+ /* Transition a zone to full */
+- REQ_OP_ZONE_FINISH = 13,
+- /* write data at the current zone write pointer */
+- REQ_OP_ZONE_APPEND = 15,
++ REQ_OP_ZONE_FINISH = 15,
+ /* reset a zone write pointer */
+ REQ_OP_ZONE_RESET = 17,
+ /* reset all the zone present on the device */
+ REQ_OP_ZONE_RESET_ALL = 19,
++ /* write data at the current zone write pointer */
++ REQ_OP_ZONE_APPEND = 21,
+
+ /* Driver private requests */
+ REQ_OP_DRV_IN = 34,
--- /dev/null
+From stable+bounces-192225-greg=kroah.com@vger.kernel.org Tue Nov 4 00:53:07 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Nov 2025 10:44:46 -0500
+Subject: drm/sched: Fix race in drm_sched_entity_select_rq()
+To: stable@vger.kernel.org
+Cc: Philipp Stanner <phasta@kernel.org>, Tvrtko Ursulin <tvrtko.ursulin@igalia.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251103154446.4056428-1-sashal@kernel.org>
+
+From: Philipp Stanner <phasta@kernel.org>
+
+[ Upstream commit d25e3a610bae03bffc5c14b5d944a5d0cd844678 ]
+
+In a past bug fix it was forgotten that entity access must be protected
+by the entity lock. That's a data race and potentially UB.
+
+Move the spin_unlock() to the appropriate position.
+
+Cc: stable@vger.kernel.org # v5.13+
+Fixes: ac4eb83ab255 ("drm/sched: select new rq even if there is only one v3")
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
+Signed-off-by: Philipp Stanner <phasta@kernel.org>
+Link: https://patch.msgid.link/20251022063402.87318-2-phasta@kernel.org
+[ adapted lock field name from entity->lock to entity->rq_lock ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/scheduler/sched_entity.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/scheduler/sched_entity.c
++++ b/drivers/gpu/drm/scheduler/sched_entity.c
+@@ -456,10 +456,11 @@ void drm_sched_entity_select_rq(struct d
+ drm_sched_rq_remove_entity(entity->rq, entity);
+ entity->rq = rq;
+ }
+- spin_unlock(&entity->rq_lock);
+
+ if (entity->num_sched_list == 1)
+ entity->sched_list = NULL;
++
++ spin_unlock(&entity->rq_lock);
+ }
+
+ /**
--- /dev/null
+From stable+bounces-192219-greg=kroah.com@vger.kernel.org Tue Nov 4 00:22:28 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Nov 2025 10:06:26 -0500
+Subject: drm/sysfb: Do not dereference NULL pointer in plane reset
+To: stable@vger.kernel.org
+Cc: Thomas Zimmermann <tzimmermann@suse.de>, Dan Carpenter <dan.carpenter@linaro.org>, Melissa Wen <melissa.srw@gmail.com>, Maarten Lankhorst <maarten.lankhorst@linux.intel.com>, Maxime Ripard <mripard@kernel.org>, David Airlie <airlied@gmail.com>, Simona Vetter <simona@ffwll.ch>, dri-devel@lists.freedesktop.org, Javier Martinez Canillas <javierm@redhat.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251103150626.4044944-1-sashal@kernel.org>
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+[ Upstream commit 14e02ed3876f4ab0ed6d3f41972175f8b8df3d70 ]
+
+The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not
+deref that pointer, but forward NULL to the other plane-reset helpers.
+Clears plane->state to NULL.
+
+v2:
+- fix typo in commit description (Javier)
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Fixes: b71565022031 ("drm/gem: Export implementation of shadow-plane helpers")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/dri-devel/aPIDAsHIUHp_qSW4@stanley.mountain/
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Melissa Wen <melissa.srw@gmail.com>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Maxime Ripard <mripard@kernel.org>
+Cc: David Airlie <airlied@gmail.com>
+Cc: Simona Vetter <simona@ffwll.ch>
+Cc: dri-devel@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v5.15+
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Link: https://patch.msgid.link/20251017091407.58488-1-tzimmermann@suse.de
+[ removed drm_format_conv_state_init() call ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_gem_atomic_helper.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_gem_atomic_helper.c
++++ b/drivers/gpu/drm/drm_gem_atomic_helper.c
+@@ -282,7 +282,11 @@ EXPORT_SYMBOL(drm_gem_destroy_shadow_pla
+ void __drm_gem_reset_shadow_plane(struct drm_plane *plane,
+ struct drm_shadow_plane_state *shadow_plane_state)
+ {
+- __drm_atomic_helper_plane_reset(plane, &shadow_plane_state->base);
++ if (shadow_plane_state) {
++ __drm_atomic_helper_plane_reset(plane, &shadow_plane_state->base);
++ } else {
++ __drm_atomic_helper_plane_reset(plane, NULL);
++ }
+ }
+ EXPORT_SYMBOL(__drm_gem_reset_shadow_plane);
+
x86-boot-compile-boot-code-with-std-gnu11-too.patch
arch-back-to-std-gnu89-in-v5.18.patch
revert-docs-process-howto-replace-c89-with-c11.patch
+usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch
+drm-sched-fix-race-in-drm_sched_entity_select_rq.patch
+drm-sysfb-do-not-dereference-null-pointer-in-plane-reset.patch
+block-make-req_op_zone_open-a-write-operation.patch
--- /dev/null
+From cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 Mon Sep 17 00:00:00 2001
+From: Owen Gu <guhuinan@xiaomi.com>
+Date: Mon, 15 Sep 2025 17:29:07 +0800
+Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
+
+From: Owen Gu <guhuinan@xiaomi.com>
+
+commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 upstream.
+
+A race condition occurs when ffs_func_eps_enable() runs concurrently
+with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()
+sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading
+to a NULL pointer dereference when accessing epfile->ep in
+ffs_func_eps_enable() after successful usb_ep_enable().
+
+The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and
+ffs_data_close() functions, and its modification is protected by the
+spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function
+is also protected by ffs->eps_lock.
+
+Thus, add NULL pointer handling for ffs->epfiles in the
+ffs_func_eps_enable() function to fix issues
+
+Signed-off-by: Owen Gu <guhuinan@xiaomi.com>
+Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -2005,7 +2005,12 @@ static int ffs_func_eps_enable(struct ff
+ ep = func->eps;
+ epfile = ffs->epfiles;
+ count = ffs->eps_count;
+- while(count--) {
++ if (!epfile) {
++ ret = -ENOMEM;
++ goto done;
++ }
++
++ while (count--) {
+ ep->ep->driver_data = ep;
+
+ ret = config_ep_by_speed(func->gadget, &func->function, ep->ep);
+@@ -2029,6 +2034,7 @@ static int ffs_func_eps_enable(struct ff
+ }
+
+ wake_up_interruptible(&ffs->wait);
++done:
+ spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
+
+ return ret;
projects / thirdparty / kernel / stable-queue.git / commitdiff
