--- /dev/null
+From stable+bounces-192217-greg=kroah.com@vger.kernel.org Tue Nov 4 00:45:37 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Nov 2025 09:59:16 -0500
+Subject: block: make REQ_OP_ZONE_OPEN a write operation
+To: stable@vger.kernel.org
+Cc: Damien Le Moal <dlemoal@kernel.org>, Chaitanya Kulkarni <kch@nvidia.com>, Christoph Hellwig <hch@lst.de>, Johannes Thumshirn <johannes.thumshirn@wdc.com>, Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251103145916.4040700-1-sashal@kernel.org>
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit 19de03b312d69a7e9bacb51c806c6e3f4207376c ]
+
+A REQ_OP_OPEN_ZONE request changes the condition of a sequential zone of
+a zoned block device to the explicitly open condition
+(BLK_ZONE_COND_EXP_OPEN). As such, it should be considered a write
+operation.
+
+Change this operation code to be an odd number to reflect this. The
+following operation numbers are changed to keep the numbering compact.
+
+No problems were reported without this change as this operation has no
+data. However, this unifies the zone operation to reflect that they
+modify the device state and also allows strengthening checks in the
+block layer, e.g. checking if this operation is not issued against a
+read-only device.
+
+Fixes: 6c1b1da58f8c ("block: add zone open, close and finish operations")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+[ relocated REQ_OP_ZONE_APPEND from 15 to 21 to resolve numbering conflict ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/blk_types.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/include/linux/blk_types.h
++++ b/include/linux/blk_types.h
+@@ -349,17 +349,17 @@ enum req_opf {
+ /* write the zero filled sector many times */
+ REQ_OP_WRITE_ZEROES = 9,
+ /* Open a zone */
+- REQ_OP_ZONE_OPEN = 10,
++ REQ_OP_ZONE_OPEN = 11,
+ /* Close a zone */
+- REQ_OP_ZONE_CLOSE = 11,
++ REQ_OP_ZONE_CLOSE = 13,
+ /* Transition a zone to full */
+- REQ_OP_ZONE_FINISH = 13,
+- /* write data at the current zone write pointer */
+- REQ_OP_ZONE_APPEND = 15,
++ REQ_OP_ZONE_FINISH = 15,
+ /* reset a zone write pointer */
+ REQ_OP_ZONE_RESET = 17,
+ /* reset all the zone present on the device */
+ REQ_OP_ZONE_RESET_ALL = 19,
++ /* write data at the current zone write pointer */
++ REQ_OP_ZONE_APPEND = 21,
+
+ /* SCSI passthrough using struct scsi_request */
+ REQ_OP_SCSI_IN = 32,
--- /dev/null
+From cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 Mon Sep 17 00:00:00 2001
+From: Owen Gu <guhuinan@xiaomi.com>
+Date: Mon, 15 Sep 2025 17:29:07 +0800
+Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
+
+From: Owen Gu <guhuinan@xiaomi.com>
+
+commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 upstream.
+
+A race condition occurs when ffs_func_eps_enable() runs concurrently
+with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()
+sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading
+to a NULL pointer dereference when accessing epfile->ep in
+ffs_func_eps_enable() after successful usb_ep_enable().
+
+The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and
+ffs_data_close() functions, and its modification is protected by the
+spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function
+is also protected by ffs->eps_lock.
+
+Thus, add NULL pointer handling for ffs->epfiles in the
+ffs_func_eps_enable() function to fix issues
+
+Signed-off-by: Owen Gu <guhuinan@xiaomi.com>
+Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1993,7 +1993,12 @@ static int ffs_func_eps_enable(struct ff
+ ep = func->eps;
+ epfile = ffs->epfiles;
+ count = ffs->eps_count;
+- while(count--) {
++ if (!epfile) {
++ ret = -ENOMEM;
++ goto done;
++ }
++
++ while (count--) {
+ ep->ep->driver_data = ep;
+
+ ret = config_ep_by_speed(func->gadget, &func->function, ep->ep);
+@@ -2017,6 +2022,7 @@ static int ffs_func_eps_enable(struct ff
+ }
+
+ wake_up_interruptible(&ffs->wait);
++done:
+ spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
+
+ return ret;
projects / thirdparty / kernel / stable-queue.git / commitdiff
