scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebal.patch
allow-finish_no_open-file-err_ptr-e.patch
usb-mon-increase-buff_max-to-64-mib-to-support-multi.patch
-usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch
usb-xhci-plat-facilitate-using-autosuspend-for-xhci-.patch
ipv6-np-rxpmtu-race-annotation.patch
jfs-verify-inode-mode-when-loading-from-disk.patch
+++ /dev/null
-From e41c80a8dfb86814637c986439fd225a007ce750 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 15 Sep 2025 17:29:07 +0800
-Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
-
-From: Owen Gu <guhuinan@xiaomi.com>
-
-[ Upstream commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 ]
-
-A race condition occurs when ffs_func_eps_enable() runs concurrently
-with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()
-sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading
-to a NULL pointer dereference when accessing epfile->ep in
-ffs_func_eps_enable() after successful usb_ep_enable().
-
-The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and
-ffs_data_close() functions, and its modification is protected by the
-spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function
-is also protected by ffs->eps_lock.
-
-Thus, add NULL pointer handling for ffs->epfiles in the
-ffs_func_eps_enable() function to fix issues
-
-Signed-off-by: Owen Gu <guhuinan@xiaomi.com>
-Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/gadget/function/f_fs.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
-index 47b70bcc9dc29..e6c7844b8d1c2 100644
---- a/drivers/usb/gadget/function/f_fs.c
-+++ b/drivers/usb/gadget/function/f_fs.c
-@@ -1993,7 +1993,12 @@ static int ffs_func_eps_enable(struct ffs_function *func)
- ep = func->eps;
- epfile = ffs->epfiles;
- count = ffs->eps_count;
-- while(count--) {
-+ if (!epfile) {
-+ ret = -ENOMEM;
-+ goto done;
-+ }
-+
-+ while (count--) {
- ep->ep->driver_data = ep;
-
- ret = config_ep_by_speed(func->gadget, &func->function, ep->ep);
-@@ -2017,6 +2022,7 @@ static int ffs_func_eps_enable(struct ffs_function *func)
- }
-
- wake_up_interruptible(&ffs->wait);
-+done:
- spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
-
- return ret;
---
-2.51.0
-
scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebal.patch
allow-finish_no_open-file-err_ptr-e.patch
usb-mon-increase-buff_max-to-64-mib-to-support-multi.patch
-usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch
usb-xhci-plat-facilitate-using-autosuspend-for-xhci-.patch
ipv6-np-rxpmtu-race-annotation.patch
rdma-irdma-update-kconfig.patch
+++ /dev/null
-From 48e0e634967d8b963faf9a4c4cff504c3ee54356 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 15 Sep 2025 17:29:07 +0800
-Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
-
-From: Owen Gu <guhuinan@xiaomi.com>
-
-[ Upstream commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 ]
-
-A race condition occurs when ffs_func_eps_enable() runs concurrently
-with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()
-sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading
-to a NULL pointer dereference when accessing epfile->ep in
-ffs_func_eps_enable() after successful usb_ep_enable().
-
-The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and
-ffs_data_close() functions, and its modification is protected by the
-spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function
-is also protected by ffs->eps_lock.
-
-Thus, add NULL pointer handling for ffs->epfiles in the
-ffs_func_eps_enable() function to fix issues
-
-Signed-off-by: Owen Gu <guhuinan@xiaomi.com>
-Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/gadget/function/f_fs.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
-index d6dc02ec5fc6e..9fcf27e6f0e40 100644
---- a/drivers/usb/gadget/function/f_fs.c
-+++ b/drivers/usb/gadget/function/f_fs.c
-@@ -2005,7 +2005,12 @@ static int ffs_func_eps_enable(struct ffs_function *func)
- ep = func->eps;
- epfile = ffs->epfiles;
- count = ffs->eps_count;
-- while(count--) {
-+ if (!epfile) {
-+ ret = -ENOMEM;
-+ goto done;
-+ }
-+
-+ while (count--) {
- ep->ep->driver_data = ep;
-
- ret = config_ep_by_speed(func->gadget, &func->function, ep->ep);
-@@ -2029,6 +2034,7 @@ static int ffs_func_eps_enable(struct ffs_function *func)
- }
-
- wake_up_interruptible(&ffs->wait);
-+done:
- spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
-
- return ret;
---
-2.51.0
-
scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebal.patch
allow-finish_no_open-file-err_ptr-e.patch
usb-mon-increase-buff_max-to-64-mib-to-support-multi.patch
-usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch
usb-xhci-plat-facilitate-using-autosuspend-for-xhci-.patch
ipv6-np-rxpmtu-race-annotation.patch
jfs-verify-inode-mode-when-loading-from-disk.patch
+++ /dev/null
-From 34c64db5edee2965e80e887a3a48950c3995d65a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 15 Sep 2025 17:29:07 +0800
-Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
-
-From: Owen Gu <guhuinan@xiaomi.com>
-
-[ Upstream commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 ]
-
-A race condition occurs when ffs_func_eps_enable() runs concurrently
-with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()
-sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading
-to a NULL pointer dereference when accessing epfile->ep in
-ffs_func_eps_enable() after successful usb_ep_enable().
-
-The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and
-ffs_data_close() functions, and its modification is protected by the
-spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function
-is also protected by ffs->eps_lock.
-
-Thus, add NULL pointer handling for ffs->epfiles in the
-ffs_func_eps_enable() function to fix issues
-
-Signed-off-by: Owen Gu <guhuinan@xiaomi.com>
-Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/gadget/function/f_fs.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
-index 9b5f9d503ff0d..e0a35dc19e455 100644
---- a/drivers/usb/gadget/function/f_fs.c
-+++ b/drivers/usb/gadget/function/f_fs.c
-@@ -2012,7 +2012,12 @@ static int ffs_func_eps_enable(struct ffs_function *func)
- ep = func->eps;
- epfile = ffs->epfiles;
- count = ffs->eps_count;
-- while(count--) {
-+ if (!epfile) {
-+ ret = -ENOMEM;
-+ goto done;
-+ }
-+
-+ while (count--) {
- ep->ep->driver_data = ep;
-
- ret = config_ep_by_speed(func->gadget, &func->function, ep->ep);
-@@ -2036,6 +2041,7 @@ static int ffs_func_eps_enable(struct ffs_function *func)
- }
-
- wake_up_interruptible(&ffs->wait);
-+done:
- spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
-
- return ret;
---
-2.51.0
-
Link: https://patch.msgid.link/20250807-add_err_uevents-v5-2-adf85b0620b0@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- arch/s390/pci/pci_event.c | 3 +++
- drivers/pci/pci-driver.c | 2 +-
- include/linux/pci.h | 2 +-
+ arch/s390/pci/pci_event.c | 3 +++
+ drivers/pci/pci-driver.c | 2 +-
+ include/linux/pci.h | 2 +-
3 files changed, 5 insertions(+), 2 deletions(-)
-diff --git a/arch/s390/pci/pci_event.c b/arch/s390/pci/pci_event.c
-index d969f36bf186f..f7f2853de49be 100644
--- a/arch/s390/pci/pci_event.c
+++ b/arch/s390/pci/pci_event.c
-@@ -83,6 +83,7 @@ static pci_ers_result_t zpci_event_notify_error_detected(struct pci_dev *pdev,
+@@ -83,6 +83,7 @@ static pci_ers_result_t zpci_event_notif
pci_ers_result_t ers_res = PCI_ERS_RESULT_DISCONNECT;
ers_res = driver->err_handler->error_detected(pdev, pdev->error_state);
if (ers_result_indicates_abort(ers_res))
pr_info("%s: Automatic recovery failed after initial reporting\n", pci_name(pdev));
else if (ers_res == PCI_ERS_RESULT_NEED_RESET)
-@@ -212,6 +213,7 @@ static pci_ers_result_t zpci_event_attempt_error_recovery(struct pci_dev *pdev)
+@@ -212,6 +213,7 @@ static pci_ers_result_t zpci_event_attem
ers_res = zpci_event_do_reset(pdev, driver);
if (ers_res != PCI_ERS_RESULT_RECOVERED) {
pr_err("%s: Automatic recovery failed; operator intervention is required\n",
pci_name(pdev));
goto out_unlock;
-@@ -220,6 +222,7 @@ static pci_ers_result_t zpci_event_attempt_error_recovery(struct pci_dev *pdev)
+@@ -220,6 +222,7 @@ static pci_ers_result_t zpci_event_attem
pr_info("%s: The device is ready to resume operations\n", pci_name(pdev));
if (driver->err_handler->resume)
driver->err_handler->resume(pdev);
+ pci_uevent_ers(pdev, PCI_ERS_RESULT_RECOVERED);
out_unlock:
- pci_dev_unlock(pdev);
+ device_unlock(&pdev->dev);
-diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
-index c3410241633f4..51db5063949bf 100644
--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
-@@ -1597,7 +1597,7 @@ static int pci_uevent(struct device *dev, struct kobj_uevent_env *env)
+@@ -1597,7 +1597,7 @@ static int pci_uevent(struct device *dev
return 0;
}
/**
* pci_uevent_ers - emit a uevent during recovery path of PCI device
* @pdev: PCI device undergoing error recovery
-diff --git a/include/linux/pci.h b/include/linux/pci.h
-index ea50d050d0214..e10b54642b7f2 100644
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
-@@ -2561,7 +2561,7 @@ static inline bool pci_is_thunderbolt_attached(struct pci_dev *pdev)
+@@ -2561,7 +2561,7 @@ static inline bool pci_is_thunderbolt_at
return false;
}
void pci_uevent_ers(struct pci_dev *pdev, enum pci_ers_result err_type);
#endif
---
-2.51.0
-
scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebal.patch
allow-finish_no_open-file-err_ptr-e.patch
usb-mon-increase-buff_max-to-64-mib-to-support-multi.patch
-usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch
usb-xhci-plat-facilitate-using-autosuspend-for-xhci-.patch
ipv6-np-rxpmtu-race-annotation.patch
rdma-irdma-update-kconfig.patch
+++ /dev/null
-From 1bdcdde38375c9733dea42a1c4980164afd0c2e1 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 15 Sep 2025 17:29:07 +0800
-Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
-
-From: Owen Gu <guhuinan@xiaomi.com>
-
-[ Upstream commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 ]
-
-A race condition occurs when ffs_func_eps_enable() runs concurrently
-with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()
-sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading
-to a NULL pointer dereference when accessing epfile->ep in
-ffs_func_eps_enable() after successful usb_ep_enable().
-
-The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and
-ffs_data_close() functions, and its modification is protected by the
-spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function
-is also protected by ffs->eps_lock.
-
-Thus, add NULL pointer handling for ffs->epfiles in the
-ffs_func_eps_enable() function to fix issues
-
-Signed-off-by: Owen Gu <guhuinan@xiaomi.com>
-Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/gadget/function/f_fs.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
-index e68425db9a6af..9c0857f72eb79 100644
---- a/drivers/usb/gadget/function/f_fs.c
-+++ b/drivers/usb/gadget/function/f_fs.c
-@@ -2005,7 +2005,12 @@ static int ffs_func_eps_enable(struct ffs_function *func)
- ep = func->eps;
- epfile = ffs->epfiles;
- count = ffs->eps_count;
-- while(count--) {
-+ if (!epfile) {
-+ ret = -ENOMEM;
-+ goto done;
-+ }
-+
-+ while (count--) {
- ep->ep->driver_data = ep;
-
- ret = config_ep_by_speed(func->gadget, &func->function, ep->ep);
-@@ -2029,6 +2034,7 @@ static int ffs_func_eps_enable(struct ffs_function *func)
- }
-
- wake_up_interruptible(&ffs->wait);
-+done:
- spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
-
- return ret;
---
-2.51.0
-
Link: https://patch.msgid.link/20250807-add_err_uevents-v5-2-adf85b0620b0@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- arch/s390/pci/pci_event.c | 3 +++
- drivers/pci/pci-driver.c | 2 +-
- include/linux/pci.h | 2 +-
+ arch/s390/pci/pci_event.c | 3 +++
+ drivers/pci/pci-driver.c | 2 +-
+ include/linux/pci.h | 2 +-
3 files changed, 5 insertions(+), 2 deletions(-)
-diff --git a/arch/s390/pci/pci_event.c b/arch/s390/pci/pci_event.c
-index ef44feb1a9daa..2c82e1afec3b3 100644
--- a/arch/s390/pci/pci_event.c
+++ b/arch/s390/pci/pci_event.c
-@@ -90,6 +90,7 @@ static pci_ers_result_t zpci_event_notify_error_detected(struct pci_dev *pdev,
+@@ -90,6 +90,7 @@ static pci_ers_result_t zpci_event_notif
pci_ers_result_t ers_res = PCI_ERS_RESULT_DISCONNECT;
ers_res = driver->err_handler->error_detected(pdev, pdev->error_state);
if (ers_result_indicates_abort(ers_res))
pr_info("%s: Automatic recovery failed after initial reporting\n", pci_name(pdev));
else if (ers_res == PCI_ERS_RESULT_NEED_RESET)
-@@ -219,6 +220,7 @@ static pci_ers_result_t zpci_event_attempt_error_recovery(struct pci_dev *pdev)
+@@ -219,6 +220,7 @@ static pci_ers_result_t zpci_event_attem
ers_res = zpci_event_do_reset(pdev, driver);
if (ers_res != PCI_ERS_RESULT_RECOVERED) {
pr_err("%s: Automatic recovery failed; operator intervention is required\n",
pci_name(pdev));
goto out_unlock;
-@@ -227,6 +229,7 @@ static pci_ers_result_t zpci_event_attempt_error_recovery(struct pci_dev *pdev)
+@@ -227,6 +229,7 @@ static pci_ers_result_t zpci_event_attem
pr_info("%s: The device is ready to resume operations\n", pci_name(pdev));
if (driver->err_handler->resume)
driver->err_handler->resume(pdev);
+ pci_uevent_ers(pdev, PCI_ERS_RESULT_RECOVERED);
out_unlock:
- pci_dev_unlock(pdev);
+ device_unlock(&pdev->dev);
-diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
-index 0c3aa91d1aee0..7e9b6e4d46950 100644
--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
-@@ -1586,7 +1586,7 @@ static int pci_uevent(const struct device *dev, struct kobj_uevent_env *env)
+@@ -1586,7 +1586,7 @@ static int pci_uevent(const struct devic
return 0;
}
/**
* pci_uevent_ers - emit a uevent during recovery path of PCI device
* @pdev: PCI device undergoing error recovery
-diff --git a/include/linux/pci.h b/include/linux/pci.h
-index 452a3dca28eaa..242ee3843e10e 100644
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
-@@ -2707,7 +2707,7 @@ static inline bool pci_is_thunderbolt_attached(struct pci_dev *pdev)
+@@ -2707,7 +2707,7 @@ static inline bool pci_is_thunderbolt_at
return false;
}
void pci_uevent_ers(struct pci_dev *pdev, enum pci_ers_result err_type);
#endif
---
-2.51.0
-
scsi-lpfc-ensure-plogi_acc-is-sent-prior-to-prli-in-.patch
allow-finish_no_open-file-err_ptr-e.patch
usb-mon-increase-buff_max-to-64-mib-to-support-multi.patch
-usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch
usb-xhci-plat-facilitate-using-autosuspend-for-xhci-.patch
f2fs-fix-infinite-loop-in-__insert_extent_tree.patch
wifi-rtw89-obtain-rx-path-from-ppdu-status-ie00.patch
+++ /dev/null
-From 717c15a5aec620977338ab74e8c6c7a168fd4973 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 15 Sep 2025 17:29:07 +0800
-Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
-
-From: Owen Gu <guhuinan@xiaomi.com>
-
-[ Upstream commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 ]
-
-A race condition occurs when ffs_func_eps_enable() runs concurrently
-with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()
-sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading
-to a NULL pointer dereference when accessing epfile->ep in
-ffs_func_eps_enable() after successful usb_ep_enable().
-
-The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and
-ffs_data_close() functions, and its modification is protected by the
-spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function
-is also protected by ffs->eps_lock.
-
-Thus, add NULL pointer handling for ffs->epfiles in the
-ffs_func_eps_enable() function to fix issues
-
-Signed-off-by: Owen Gu <guhuinan@xiaomi.com>
-Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/gadget/function/f_fs.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
-index 92c883440e02c..f7be1548cc18a 100644
---- a/drivers/usb/gadget/function/f_fs.c
-+++ b/drivers/usb/gadget/function/f_fs.c
-@@ -2418,7 +2418,12 @@ static int ffs_func_eps_enable(struct ffs_function *func)
- ep = func->eps;
- epfile = ffs->epfiles;
- count = ffs->eps_count;
-- while(count--) {
-+ if (!epfile) {
-+ ret = -ENOMEM;
-+ goto done;
-+ }
-+
-+ while (count--) {
- ep->ep->driver_data = ep;
-
- ret = config_ep_by_speed(func->gadget, &func->function, ep->ep);
-@@ -2442,6 +2447,7 @@ static int ffs_func_eps_enable(struct ffs_function *func)
- }
-
- wake_up_interruptible(&ffs->wait);
-+done:
- spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
-
- return ret;
---
-2.51.0
-
scsi-lpfc-ensure-plogi_acc-is-sent-prior-to-prli-in-.patch
allow-finish_no_open-file-err_ptr-e.patch
usb-mon-increase-buff_max-to-64-mib-to-support-multi.patch
-usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch
usb-xhci-plat-facilitate-using-autosuspend-for-xhci-.patch
f2fs-fix-infinite-loop-in-__insert_extent_tree.patch
wifi-rtw89-disable-rtw89_physts_ie09_ftr_0-for-ppdu-.patch
+++ /dev/null
-From 8c9a53d8811455c7800bfccabc307d756af153e0 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 15 Sep 2025 17:29:07 +0800
-Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
-
-From: Owen Gu <guhuinan@xiaomi.com>
-
-[ Upstream commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 ]
-
-A race condition occurs when ffs_func_eps_enable() runs concurrently
-with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()
-sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading
-to a NULL pointer dereference when accessing epfile->ep in
-ffs_func_eps_enable() after successful usb_ep_enable().
-
-The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and
-ffs_data_close() functions, and its modification is protected by the
-spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function
-is also protected by ffs->eps_lock.
-
-Thus, add NULL pointer handling for ffs->epfiles in the
-ffs_func_eps_enable() function to fix issues
-
-Signed-off-by: Owen Gu <guhuinan@xiaomi.com>
-Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/gadget/function/f_fs.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
-index 08a251df20c43..04058261cdd03 100644
---- a/drivers/usb/gadget/function/f_fs.c
-+++ b/drivers/usb/gadget/function/f_fs.c
-@@ -2407,7 +2407,12 @@ static int ffs_func_eps_enable(struct ffs_function *func)
- ep = func->eps;
- epfile = ffs->epfiles;
- count = ffs->eps_count;
-- while(count--) {
-+ if (!epfile) {
-+ ret = -ENOMEM;
-+ goto done;
-+ }
-+
-+ while (count--) {
- ep->ep->driver_data = ep;
-
- ret = config_ep_by_speed(func->gadget, &func->function, ep->ep);
-@@ -2431,6 +2436,7 @@ static int ffs_func_eps_enable(struct ffs_function *func)
- }
-
- wake_up_interruptible(&ffs->wait);
-+done:
- spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
-
- return ret;
---
-2.51.0
-
scsi-lpfc-define-size-of-debugfs-entry-for-xri-rebal.patch
allow-finish_no_open-file-err_ptr-e.patch
usb-mon-increase-buff_max-to-64-mib-to-support-multi.patch
-usb-gadget-f_fs-fix-epfile-null-pointer-access-after.patch
usb-xhci-plat-facilitate-using-autosuspend-for-xhci-.patch
f2fs-fix-infinite-loop-in-__insert_extent_tree.patch
ipv6-np-rxpmtu-race-annotation.patch
+++ /dev/null
-From e1a52bf7e1f33a3b693e3f540ff9769c347a85c9 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 15 Sep 2025 17:29:07 +0800
-Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
-
-From: Owen Gu <guhuinan@xiaomi.com>
-
-[ Upstream commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 ]
-
-A race condition occurs when ffs_func_eps_enable() runs concurrently
-with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()
-sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading
-to a NULL pointer dereference when accessing epfile->ep in
-ffs_func_eps_enable() after successful usb_ep_enable().
-
-The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and
-ffs_data_close() functions, and its modification is protected by the
-spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function
-is also protected by ffs->eps_lock.
-
-Thus, add NULL pointer handling for ffs->epfiles in the
-ffs_func_eps_enable() function to fix issues
-
-Signed-off-by: Owen Gu <guhuinan@xiaomi.com>
-Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/gadget/function/f_fs.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
-index 4a88546b1b157..14424e395f2a9 100644
---- a/drivers/usb/gadget/function/f_fs.c
-+++ b/drivers/usb/gadget/function/f_fs.c
-@@ -1941,7 +1941,12 @@ static int ffs_func_eps_enable(struct ffs_function *func)
- ep = func->eps;
- epfile = ffs->epfiles;
- count = ffs->eps_count;
-- while(count--) {
-+ if (!epfile) {
-+ ret = -ENOMEM;
-+ goto done;
-+ }
-+
-+ while (count--) {
- ep->ep->driver_data = ep;
-
- ret = config_ep_by_speed(func->gadget, &func->function, ep->ep);
-@@ -1965,6 +1970,7 @@ static int ffs_func_eps_enable(struct ffs_function *func)
- }
-
- wake_up_interruptible(&ffs->wait);
-+done:
- spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
-
- return ret;
---
-2.51.0
-
projects / thirdparty / kernel / stable-queue.git / commitdiff
