5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 4 Nov 2025 05:28:11 +0000 (14:28 +0900)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 4 Nov 2025 05:28:11 +0000 (14:28 +0900)
added patches:
usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch

queue-5.4/series
queue-5.4/usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch [new file with mode: 0644]

index abef3aa5112b189fef60d28d3359075aa6adc291..e67260e8e5eeb35d442434da1d4fa3fdd6db9d51 100644 (file)
@@ -21,3 +21,4 @@ can-gs_usb-increase-max-interface-to-u8_max.patch
 serial-8250_dw-use-devm_clk_get_optional-to-get-the-input-clock.patch
 serial-8250_dw-use-devm_add_action_or_reset.patch
 serial-8250_dw-handle-reset-control-deassert-error.patch
+usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch
diff --git a/queue-5.4/usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch b/queue-5.4/usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch
new file mode 100644 (file)
index 0000000..8c2cec2
--- /dev/null
@@ -0,0 +1,54 @@
+From cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 Mon Sep 17 00:00:00 2001
+From: Owen Gu <guhuinan@xiaomi.com>
+Date: Mon, 15 Sep 2025 17:29:07 +0800
+Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
+
+From: Owen Gu <guhuinan@xiaomi.com>
+
+commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 upstream.
+
+A race condition occurs when ffs_func_eps_enable() runs concurrently
+with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()
+sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading
+to a NULL pointer dereference when accessing epfile->ep in
+ffs_func_eps_enable() after successful usb_ep_enable().
+
+The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and
+ffs_data_close() functions, and its modification is protected by the
+spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function
+is also protected by ffs->eps_lock.
+
+Thus, add NULL pointer handling for ffs->epfiles in the
+ffs_func_eps_enable() function to fix issues
+
+Signed-off-by: Owen Gu <guhuinan@xiaomi.com>
+Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_fs.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -2012,7 +2012,12 @@ static int ffs_func_eps_enable(struct ff
+       ep = func->eps;
+       epfile = ffs->epfiles;
+       count = ffs->eps_count;
+-      while(count--) {
++      if (!epfile) {
++              ret = -ENOMEM;
++              goto done;
++      }
++
++      while (count--) {
+               ep->ep->driver_data = ep;
+               ret = config_ep_by_speed(func->gadget, &func->function, ep->ep);
+@@ -2036,6 +2041,7 @@ static int ffs_func_eps_enable(struct ff
+       }
+       wake_up_interruptible(&ffs->wait);
++done:
+       spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
+       return ret;