From: Greg Kroah-Hartman Date: Tue, 4 Nov 2025 05:29:18 +0000 (+0900) Subject: 5.15-stable patches X-Git-Tag: v6.12.58~33 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0ba08afe58b0ca30c9df68a1ec130eea9a595395;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: block-make-req_op_zone_open-a-write-operation.patch drm-sched-fix-race-in-drm_sched_entity_select_rq.patch drm-sysfb-do-not-dereference-null-pointer-in-plane-reset.patch usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch --- diff --git a/queue-5.15/block-make-req_op_zone_open-a-write-operation.patch b/queue-5.15/block-make-req_op_zone_open-a-write-operation.patch new file mode 100644 index 0000000000..bff22bc4ad --- /dev/null +++ b/queue-5.15/block-make-req_op_zone_open-a-write-operation.patch 
@@ -0,0 +1,65 @@ +From stable+bounces-192200-greg=kroah.com@vger.kernel.org Mon Nov 3 21:50:04 2025 +From: Sasha Levin +Date: Mon, 3 Nov 2025 07:46:31 -0500 +Subject: block: make REQ_OP_ZONE_OPEN a write operation +To: stable@vger.kernel.org +Cc: Damien Le Moal , Chaitanya Kulkarni , Christoph Hellwig , Johannes Thumshirn , Jens Axboe , Sasha Levin +Message-ID: <20251103124631.4003336-1-sashal@kernel.org> + +From: Damien Le Moal + +[ Upstream commit 19de03b312d69a7e9bacb51c806c6e3f4207376c ] + +A REQ_OP_OPEN_ZONE request changes the condition of a sequential zone of +a zoned block device to the explicitly open condition +(BLK_ZONE_COND_EXP_OPEN). As such, it should be considered a write +operation. + +Change this operation code to be an odd number to reflect this. The +following operation numbers are changed to keep the numbering compact. + +No problems were reported without this change as this operation has no +data. However, this unifies the zone operation to reflect that they +modify the device state and also allows strengthening checks in the +block layer, e.g. checking if this operation is not issued against a +read-only device. 
+ +Fixes: 6c1b1da58f8c ("block: add zone open, close and finish operations") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Christoph Hellwig +Reviewed-by: Johannes Thumshirn +Signed-off-by: Jens Axboe +[ relocated REQ_OP_ZONE_APPEND from 15 to 21 to resolve numbering conflict ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/blk_types.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/include/linux/blk_types.h ++++ b/include/linux/blk_types.h +@@ -337,17 +337,17 @@ enum req_opf { + /* write the zero filled sector many times */ + REQ_OP_WRITE_ZEROES = 9, + /* Open a zone */ +- REQ_OP_ZONE_OPEN = 10, ++ REQ_OP_ZONE_OPEN = 11, + /* Close a zone */ +- REQ_OP_ZONE_CLOSE = 11, ++ REQ_OP_ZONE_CLOSE = 13, + /* Transition a zone to full */ +- REQ_OP_ZONE_FINISH = 13, +- /* write data at the current zone write pointer */ +- REQ_OP_ZONE_APPEND = 15, ++ REQ_OP_ZONE_FINISH = 15, + /* reset a zone write pointer */ + REQ_OP_ZONE_RESET = 17, + /* reset all the zone present on the device */ + REQ_OP_ZONE_RESET_ALL = 19, ++ /* write data at the current zone write pointer */ ++ REQ_OP_ZONE_APPEND = 21, + + /* Driver private requests */ + REQ_OP_DRV_IN = 34, diff --git a/queue-5.15/drm-sched-fix-race-in-drm_sched_entity_select_rq.patch b/queue-5.15/drm-sched-fix-race-in-drm_sched_entity_select_rq.patch new file mode 100644 index 0000000000..667aeddc65 --- /dev/null +++ b/queue-5.15/drm-sched-fix-race-in-drm_sched_entity_select_rq.patch 
@@ -0,0 +1,44 @@ +From stable+bounces-192225-greg=kroah.com@vger.kernel.org Tue Nov 4 00:53:07 2025 +From: Sasha Levin +Date: Mon, 3 Nov 2025 10:44:46 -0500 +Subject: drm/sched: Fix race in drm_sched_entity_select_rq() +To: stable@vger.kernel.org +Cc: Philipp Stanner , Tvrtko Ursulin , Sasha Levin +Message-ID: <20251103154446.4056428-1-sashal@kernel.org> + +From: Philipp Stanner + +[ Upstream commit d25e3a610bae03bffc5c14b5d944a5d0cd844678 ] + +In a past bug fix it was forgotten that entity access must be protected +by the entity lock. That's a data race and potentially UB. + +Move the spin_unlock() to the appropriate position. + +Cc: stable@vger.kernel.org # v5.13+ +Fixes: ac4eb83ab255 ("drm/sched: select new rq even if there is only one v3") +Reviewed-by: Tvrtko Ursulin +Signed-off-by: Philipp Stanner +Link: https://patch.msgid.link/20251022063402.87318-2-phasta@kernel.org +[ adapted lock field name from entity->lock to entity->rq_lock ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/scheduler/sched_entity.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/scheduler/sched_entity.c ++++ b/drivers/gpu/drm/scheduler/sched_entity.c +@@ -456,10 +456,11 @@ void drm_sched_entity_select_rq(struct d + drm_sched_rq_remove_entity(entity->rq, entity); + entity->rq = rq; + } +- spin_unlock(&entity->rq_lock); + + if (entity->num_sched_list == 1) + entity->sched_list = NULL; ++ ++ spin_unlock(&entity->rq_lock); + } + + /** diff --git a/queue-5.15/drm-sysfb-do-not-dereference-null-pointer-in-plane-reset.patch b/queue-5.15/drm-sysfb-do-not-dereference-null-pointer-in-plane-reset.patch new file mode 100644 index 0000000000..9eff6d3c01 --- /dev/null +++ b/queue-5.15/drm-sysfb-do-not-dereference-null-pointer-in-plane-reset.patch 
@@ -0,0 +1,55 @@ +From stable+bounces-192219-greg=kroah.com@vger.kernel.org Tue Nov 4 00:22:28 2025 +From: Sasha Levin +Date: Mon, 3 Nov 2025 10:06:26 -0500 +Subject: drm/sysfb: Do not dereference NULL pointer in plane reset +To: stable@vger.kernel.org +Cc: Thomas Zimmermann , Dan Carpenter , Melissa Wen , Maarten Lankhorst , Maxime Ripard , David Airlie , Simona Vetter , dri-devel@lists.freedesktop.org, Javier Martinez Canillas , Sasha Levin +Message-ID: <20251103150626.4044944-1-sashal@kernel.org> + +From: Thomas Zimmermann + +[ Upstream commit 14e02ed3876f4ab0ed6d3f41972175f8b8df3d70 ] + +The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not +deref that pointer, but forward NULL to the other plane-reset helpers. +Clears plane->state to NULL. + +v2: +- fix typo in commit description (Javier) + +Signed-off-by: Thomas Zimmermann +Fixes: b71565022031 ("drm/gem: Export implementation of shadow-plane helpers") +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/dri-devel/aPIDAsHIUHp_qSW4@stanley.mountain/ +Cc: Thomas Zimmermann +Cc: Melissa Wen +Cc: Maarten Lankhorst +Cc: Maxime Ripard +Cc: David Airlie +Cc: Simona Vetter +Cc: dri-devel@lists.freedesktop.org +Cc: # v5.15+ +Reviewed-by: Javier Martinez Canillas +Link: https://patch.msgid.link/20251017091407.58488-1-tzimmermann@suse.de +[ removed drm_format_conv_state_init() call ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_gem_atomic_helper.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_gem_atomic_helper.c ++++ b/drivers/gpu/drm/drm_gem_atomic_helper.c +@@ -282,7 +282,11 @@ EXPORT_SYMBOL(drm_gem_destroy_shadow_pla + void __drm_gem_reset_shadow_plane(struct drm_plane *plane, + struct drm_shadow_plane_state *shadow_plane_state) + { +- __drm_atomic_helper_plane_reset(plane, &shadow_plane_state->base); ++ if (shadow_plane_state) { ++ __drm_atomic_helper_plane_reset(plane, &shadow_plane_state->base); ++ } else 
{ ++ __drm_atomic_helper_plane_reset(plane, NULL); ++ } + } + EXPORT_SYMBOL(__drm_gem_reset_shadow_plane); + diff --git a/queue-5.15/series b/queue-5.15/series index 0dd5706414..555d7dc332 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -47,3 +47,7 @@ xhci-dbc-fix-bogus-1024-byte-prefix-if-ttydbc-read-races-with-stall-event.patch x86-boot-compile-boot-code-with-std-gnu11-too.patch arch-back-to-std-gnu89-in-v5.18.patch revert-docs-process-howto-replace-c89-with-c11.patch +usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch +drm-sched-fix-race-in-drm_sched_entity_select_rq.patch +drm-sysfb-do-not-dereference-null-pointer-in-plane-reset.patch +block-make-req_op_zone_open-a-write-operation.patch diff --git a/queue-5.15/usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch b/queue-5.15/usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch new file mode 100644 index 0000000000..120b853f85 --- /dev/null +++ b/queue-5.15/usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch 
@@ -0,0 +1,54 @@ +From cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 Mon Sep 17 00:00:00 2001 +From: Owen Gu +Date: Mon, 15 Sep 2025 17:29:07 +0800 +Subject: usb: gadget: f_fs: Fix epfile null pointer access after ep enable. + +From: Owen Gu + +commit cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 upstream. + +A race condition occurs when ffs_func_eps_enable() runs concurrently +with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() +sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading +to a NULL pointer dereference when accessing epfile->ep in +ffs_func_eps_enable() after successful usb_ep_enable(). + +The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and +ffs_data_close() functions, and its modification is protected by the +spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function +is also protected by ffs->eps_lock. + +Thus, add NULL pointer handling for ffs->epfiles in the +ffs_func_eps_enable() function to fix issues + +Signed-off-by: Owen Gu +Link: https://lore.kernel.org/r/20250915092907.17802-1-guhuinan@xiaomi.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_fs.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -2005,7 +2005,12 @@ static int ffs_func_eps_enable(struct ff + ep = func->eps; + epfile = ffs->epfiles; + count = ffs->eps_count; +- while(count--) { ++ if (!epfile) { ++ ret = -ENOMEM; ++ goto done; ++ } ++ ++ while (count--) { + ep->ep->driver_data = ep; + + ret = config_ep_by_speed(func->gadget, &func->function, ep->ep); +@@ -2029,6 +2034,7 @@ static int ffs_func_eps_enable(struct ff + } + + wake_up_interruptible(&ffs->wait); ++done: + spin_unlock_irqrestore(&func->ffs->eps_lock, flags); + + return ret;
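Review bot: In the include/linux/blk_types.h hunk of block-make-req_op_zone_open-a-write-operation.patch, the values 11, 13 and 15 are reassigned to different operations, so a number that meant REQ_OP_ZONE_CLOSE before now means REQ_OP_ZONE_OPEN, and REQ_OP_ZONE_APPEND moves to 21 only in this backport (the bracketed note says it resolves a numbering conflict). The patch touches nothing but this header, so please confirm that no 5.15 code compares against the raw numbers or indexes a table by opcode, and that 21 is inside the valid opcode range for this tree; the visible context only shows that it stays below `REQ_OP_DRV_IN = 34`. A one-line comment beside `REQ_OP_ZONE_APPEND = 21,` explaining why it sits after REQ_OP_ZONE_RESET_ALL would save the next backporter from re-deriving it.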
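Review bot: In the drm_sched_entity_select_rq() hunk of drm-sched-fix-race-in-drm_sched_entity_select_rq.patch, extending the critical section over `entity->sched_list = NULL` only closes the race if every other reader and writer of entity->sched_list and entity->num_sched_list takes the same lock, and none of those sites are visible here. Because the lock name was adapted for this tree (entity->lock to entity->rq_lock), please confirm that rq_lock is what those other accesses hold in 5.15 and state that in the backport note, so the adaptation is not just a rename that compiles.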
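Review bot: In the __drm_gem_reset_shadow_plane() hunk of drm-sysfb-do-not-dereference-null-pointer-in-plane-reset.patch, both branches are single statements once the drm_format_conv_state_init() call is removed for this backport, so the braces no longer match kernel style and the if/else could become one call passing `shadow_plane_state ? &shadow_plane_state->base : NULL`. If the upstream shape is kept on purpose to ease later cherry-picks, say so in the bracketed backport note. The commit message states that the state can be NULL, but nothing in the hunk documents that for callers; a short comment above the check would do.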
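Review bot: In the first ffs_func_eps_enable() hunk of usb-gadget-f_fs-fix-epfile-null-pointer-access-after-ep-enable.patch, the new `if (!epfile)` check runs before `count` is examined and returns -ENOMEM, which has two problems. First, no allocation failed here; the commit message describes a concurrent reset, so an errno that reflects "state went away" would be less misleading to whoever reads the resulting log. Second, when ffs->eps_count is 0 the old `while(count--)` loop simply did nothing and the function carried on, whereas now a NULL ffs->epfiles with a zero count is reported as an error. Consider `if (count && !epfile)` or checking inside the loop, unless failing in that state is intended, in which case the commit message should say so.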
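Review bot: In the second ffs_func_eps_enable() hunk of the same f_fs patch, the `done:` label is placed after `wake_up_interruptible(&ffs->wait);`, so the new early-exit path releases ffs->eps_lock without waking anyone sleeping on ffs->wait. If waiters are expected to notice that the endpoints are gone, move the label above the wake_up call; if skipping the wake-up is deliberate, a brief comment at the label would make that clear. The visible lines also do not show what `ret` holds on the normal path, so it is worth confirming that the label does not change the return value for the existing flow.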