6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 4 Nov 2025 05:30:22 +0000 (14:30 +0900)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 4 Nov 2025 05:30:22 +0000 (14:30 +0900)
added patches:
usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch

queue-6.6/series
queue-6.6/usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch [new file with mode: 0644]

index 7478b8bf68ce91ec39dc06291f482c3090e3ca2b..fdd9a86c4d04eb764e4e7f84a045ab2046ecaf8c 100644 (file)
@@ -54,3 +54,4 @@ s390-disable-arch_want_optimize_hugetlb_vmemmap.patch
 drm-sched-fix-race-in-drm_sched_entity_select_rq.patch
 drm-sysfb-do-not-dereference-null-pointer-in-plane-reset.patch
 s390-pci-avoid-deadlock-between-pci-error-recovery-and-mlx5-crdump.patch
+usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch
diff --git a/queue-6.6/usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch b/queue-6.6/usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch
new file mode 100644 (file)
index 0000000..d2a3551
--- /dev/null
@@ -0,0 +1,54 @@
+From cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 Mon Sep 17 00:00:00 2001
+From: Owen Gu <guhuinan@xiaomi.com>
+Date: Mon, 15 Sep 2025 17:29:07 +0800
+Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
+
+From: Owen Gu <guhuinan@xiaomi.com>
+
+commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 upstream.
+
+A race condition occurs when ffs_func_eps_enable() runs concurrently
+with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()
+sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading
+to a NULL pointer dereference when accessing epfile->ep in
+ffs_func_eps_enable() after successful usb_ep_enable().
+
+The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and
+ffs_data_close() functions, and its modification is protected by the
+spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function
+is also protected by ffs->eps_lock.
+
+Thus, add NULL pointer handling for ffs->epfiles in the
+ffs_func_eps_enable() function to fix issues
+
+Signed-off-by: Owen Gu <guhuinan@xiaomi.com>
+Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_fs.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1941,7 +1941,12 @@ static int ffs_func_eps_enable(struct ff
+       ep = func->eps;
+       epfile = ffs->epfiles;
+       count = ffs->eps_count;
+-      while(count--) {
++      if (!epfile) {
++              ret = -ENOMEM;
++              goto done;
++      }
++
++      while (count--) {
+               ep->ep->driver_data = ep;
+               ret = config_ep_by_speed(func->gadget, &func->function, ep->ep);
+@@ -1965,6 +1970,7 @@ static int ffs_func_eps_enable(struct ff
+       }
+       wake_up_interruptible(&ffs->wait);
++done:
+       spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
+       return ret;