5.15-stable patches

added patches:
	bus-fsl-mc-check-return-value-of-platform_get_resource.patch
	input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch
	input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch
	mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch
	nvdimm-ndtest-return-enomem-if-devm_kcalloc-fails-in-ndtest_probe.patch
	pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch
	usb-cdns3-cdnsp-pci-remove-redundant-pci_disable_device-call.patch

diff --git a/queue-5.15/bus-fsl-mc-check-return-value-of-platform_get_resource.patch b/queue-5.15/bus-fsl-mc-check-return-value-of-platform_get_resource.patch
new file mode 100644 (file)
index 0000000..a78c674
--- /dev/null
+++ b/queue-5.15/bus-fsl-mc-check-return-value-of-platform_get_resource.patch
@@ -0,0 +1,36 @@
+From 25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae Mon Sep 17 00:00:00 2001
+From: Salah Triki <salah.triki@gmail.com>
+Date: Mon, 25 Aug 2025 10:34:35 +0100
+Subject: bus: fsl-mc: Check return value of platform_get_resource()
+
+From: Salah Triki <salah.triki@gmail.com>
+
+commit 25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae upstream.
+
+platform_get_resource() returns NULL in case of failure, so check its
+return value and propagate the error in order to prevent NULL pointer
+dereference.
+
+Fixes: 6305166c8771 ("bus: fsl-mc: Add ACPI support for fsl-mc")
+Cc: stable@vger.kernel.org
+Signed-off-by: Salah Triki <salah.triki@gmail.com>
+Acked-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Link: https://lore.kernel.org/r/aKwuK6TRr5XNYQ8u@pc
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -1169,6 +1169,9 @@ static int fsl_mc_bus_probe(struct platf
+        * Get physical address of MC portal for the root DPRC:
+        */
+       plat_res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++      if (!plat_res)
++              return -EINVAL;
++
+       mc_portal_phys_addr = plat_res->start;
+       mc_portal_size = resource_size(plat_res);
+       mc_portal_base_phys_addr = mc_portal_phys_addr & ~0x3ffffff;

diff --git a/queue-5.15/input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch b/queue-5.15/input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch
new file mode 100644 (file)
index 0000000..d84638f
--- /dev/null
+++ b/queue-5.15/input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch
@@ -0,0 +1,33 @@
+From c7866ee0a9ddd9789faadf58cdac6abd7aabf045 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marek.vasut@mailbox.org>
+Date: Sun, 5 Oct 2025 04:33:10 +0200
+Subject: Input: atmel_mxt_ts - allow reset GPIO to sleep
+
+From: Marek Vasut <marek.vasut@mailbox.org>
+
+commit c7866ee0a9ddd9789faadf58cdac6abd7aabf045 upstream.
+
+The reset GPIO is not toggled in any critical section where it couldn't
+sleep, allow the reset GPIO to sleep. This allows the driver to operate
+reset GPIOs connected to I2C GPIO expanders.
+
+Signed-off-by: Marek Vasut <marek.vasut@mailbox.org>
+Link: https://lore.kernel.org/r/20251005023335.166483-1-marek.vasut@mailbox.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/atmel_mxt_ts.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/atmel_mxt_ts.c
++++ b/drivers/input/touchscreen/atmel_mxt_ts.c
+@@ -3239,7 +3239,7 @@ static int mxt_probe(struct i2c_client *
+       if (data->reset_gpio) {
+               /* Wait a while and then de-assert the RESET GPIO line */
+               msleep(MXT_RESET_GPIO_TIME);
+-              gpiod_set_value(data->reset_gpio, 0);
++              gpiod_set_value_cansleep(data->reset_gpio, 0);
+               msleep(MXT_RESET_INVALID_CHG);
+       }
+ 

diff --git a/queue-5.15/input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch b/queue-5.15/input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch
new file mode 100644 (file)
index 0000000..1d7cc52
--- /dev/null
+++ b/queue-5.15/input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch
@@ -0,0 +1,37 @@
+From d3366a04770eea807f2826cbdb96934dd8c9bf79 Mon Sep 17 00:00:00 2001
+From: Zhen Ni <zhen.ni@easystack.cn>
+Date: Sun, 28 Sep 2025 14:37:37 +0800
+Subject: Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak
+
+From: Zhen Ni <zhen.ni@easystack.cn>
+
+commit d3366a04770eea807f2826cbdb96934dd8c9bf79 upstream.
+
+Struct ff_effect_compat is embedded twice inside
+uinput_ff_upload_compat, contains internal padding. In particular, there
+is a hole after struct ff_replay to satisfy alignment requirements for
+the following union member. Without clearing the structure,
+copy_to_user() may leak stack data to userspace.
+
+Initialize ff_up_compat to zero before filling valid fields.
+
+Fixes: 2d56f3a32c0e ("Input: refactor evdev 32bit compat to be shareable with uinput")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
+Link: https://lore.kernel.org/r/20250928063737.74590-1-zhen.ni@easystack.cn
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/uinput.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -741,6 +741,7 @@ static int uinput_ff_upload_to_user(char
+       if (in_compat_syscall()) {
+               struct uinput_ff_upload_compat ff_up_compat;
+ 
++              memset(&ff_up_compat, 0, sizeof(ff_up_compat));
+               ff_up_compat.request_id = ff_up->request_id;
+               ff_up_compat.retval = ff_up->retval;
+               /*

diff --git a/queue-5.15/mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch b/queue-5.15/mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch
new file mode 100644 (file)
index 0000000..80ff4b8
--- /dev/null
+++ b/queue-5.15/mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch
@@ -0,0 +1,88 @@
+From f52ce0ea90c83a28904c7cc203a70e6434adfecb Mon Sep 17 00:00:00 2001
+From: Yang Shi <yang@os.amperecomputing.com>
+Date: Mon, 29 Sep 2025 13:24:02 -0700
+Subject: mm: hugetlb: avoid soft lockup when mprotect to large memory area
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yang Shi <yang@os.amperecomputing.com>
+
+commit f52ce0ea90c83a28904c7cc203a70e6434adfecb upstream.
+
+When calling mprotect() to a large hugetlb memory area in our customer's
+workload (~300GB hugetlb memory), soft lockup was observed:
+
+watchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916]
+
+CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7
+Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025
+pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : mte_clear_page_tags+0x14/0x24
+lr : mte_sync_tags+0x1c0/0x240
+sp : ffff80003150bb80
+x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000
+x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458
+x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000
+x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000
+x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
+x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
+x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c
+x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
+x5 : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000
+x2 : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000
+
+Call trace:
+  mte_clear_page_tags+0x14/0x24
+  set_huge_pte_at+0x25c/0x280
+  hugetlb_change_protection+0x220/0x430
+  change_protection+0x5c/0x8c
+  mprotect_fixup+0x10c/0x294
+  do_mprotect_pkey.constprop.0+0x2e0/0x3d4
+  __arm64_sys_mprotect+0x24/0x44
+  invoke_syscall+0x50/0x160
+  el0_svc_common+0x48/0x144
+  do_el0_svc+0x30/0xe0
+  el0_svc+0x30/0xf0
+  el0t_64_sync_handler+0xc4/0x148
+  el0t_64_sync+0x1a4/0x1a8
+
+Soft lockup is not triggered with THP or base page because there is
+cond_resched() called for each PMD size.
+
+Although the soft lockup was triggered by MTE, it should be not MTE
+specific.  The other processing which takes long time in the loop may
+trigger soft lockup too.
+
+So add cond_resched() for hugetlb to avoid soft lockup.
+
+Link: https://lkml.kernel.org/r/20250929202402.1663290-1-yang@os.amperecomputing.com
+Fixes: 8f860591ffb2 ("[PATCH] Enable mprotect on huge pages")
+Signed-off-by: Yang Shi <yang@os.amperecomputing.com>
+Tested-by: Carl Worth <carl@os.amperecomputing.com>
+Reviewed-by: Christoph Lameter (Ampere) <cl@gentwo.org>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Acked-by: Oscar Salvador <osalvador@suse.de>
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Reviewed-by: Dev Jain <dev.jain@arm.com>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Will Deacon <will@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hugetlb.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -5714,6 +5714,8 @@ unsigned long hugetlb_change_protection(
+                       pages++;
+               }
+               spin_unlock(ptl);
++
++              cond_resched();
+       }
+       /*
+        * Must flush TLB before releasing i_mmap_rwsem: x86's huge_pmd_unshare

diff --git a/queue-5.15/nvdimm-ndtest-return-enomem-if-devm_kcalloc-fails-in-ndtest_probe.patch b/queue-5.15/nvdimm-ndtest-return-enomem-if-devm_kcalloc-fails-in-ndtest_probe.patch
new file mode 100644 (file)
index 0000000..272571d
--- /dev/null
+++ b/queue-5.15/nvdimm-ndtest-return-enomem-if-devm_kcalloc-fails-in-ndtest_probe.patch
@@ -0,0 +1,56 @@
+From a9e6aa994917ee602798bbb03180a194b37865bb Mon Sep 17 00:00:00 2001
+From: Guangshuo Li <lgs201920130244@gmail.com>
+Date: Thu, 25 Sep 2025 14:44:48 +0800
+Subject: nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()
+
+From: Guangshuo Li <lgs201920130244@gmail.com>
+
+commit a9e6aa994917ee602798bbb03180a194b37865bb upstream.
+
+devm_kcalloc() may fail. ndtest_probe() allocates three DMA address
+arrays (dcr_dma, label_dma, dimm_dma) and later unconditionally uses
+them in ndtest_nvdimm_init(), which can lead to a NULL pointer
+dereference under low-memory conditions.
+
+Check all three allocations and return -ENOMEM if any allocation fails,
+jumping to the common error path. Do not emit an extra error message
+since the allocator already warns on allocation failure.
+
+Fixes: 9399ab61ad82 ("ndtest: Add dimms to the two buses")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
+Reviewed-by: Alison Schofield <alison.schofield@intel.com>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/nvdimm/test/ndtest.c |   13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/nvdimm/test/ndtest.c
++++ b/tools/testing/nvdimm/test/ndtest.c
+@@ -981,11 +981,22 @@ static int ndtest_probe(struct platform_
+ 
+       p->dcr_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR,
+                                sizeof(dma_addr_t), GFP_KERNEL);
++      if (!p->dcr_dma) {
++              rc = -ENOMEM;
++              goto err;
++      }
+       p->label_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR,
+                                  sizeof(dma_addr_t), GFP_KERNEL);
++      if (!p->label_dma) {
++              rc = -ENOMEM;
++              goto err;
++      }
+       p->dimm_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR,
+                                 sizeof(dma_addr_t), GFP_KERNEL);
+-
++      if (!p->dimm_dma) {
++              rc = -ENOMEM;
++              goto err;
++      }
+       rc = ndtest_nvdimm_init(p);
+       if (rc)
+               goto err;

diff --git a/queue-5.15/pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch b/queue-5.15/pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch
new file mode 100644 (file)
index 0000000..2e1508c
--- /dev/null
+++ b/queue-5.15/pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch
@@ -0,0 +1,37 @@
+From 4002ee98c022d671ecc1e4a84029e9ae7d8a5603 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Tue, 2 Sep 2025 13:59:10 +0200
+Subject: pinctrl: check the return value of pinmux_ops::get_function_name()
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit 4002ee98c022d671ecc1e4a84029e9ae7d8a5603 upstream.
+
+While the API contract in docs doesn't specify it explicitly, the
+generic implementation of the get_function_name() callback from struct
+pinmux_ops - pinmux_generic_get_function_name() - can fail and return
+NULL. This is already checked in pinmux_check_ops() so add a similar
+check in pinmux_func_name_to_selector() instead of passing the returned
+pointer right down to strcmp() where the NULL can get dereferenced. This
+is normal operation when adding new pinfunctions.
+
+Cc: stable@vger.kernel.org
+Tested-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinmux.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/pinmux.c
++++ b/drivers/pinctrl/pinmux.c
+@@ -328,7 +328,7 @@ static int pinmux_func_name_to_selector(
+       while (selector < nfuncs) {
+               const char *fname = ops->get_function_name(pctldev, selector);
+ 
+-              if (!strcmp(function, fname))
++              if (fname && !strcmp(function, fname))
+                       return selector;
+ 
+               selector++;

diff --git a/queue-5.15/series b/queue-5.15/series
index 80907edc565f2736f5b427c5a1d8f694af837abd..2e131d7f392a42efb09244fca65f151aeac3b7c5 100644 (file)
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -111,3 +111,10 @@ fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch
 net-nfc-nci-add-parameter-validation-for-packet-data.patch
 mfd-vexpress-sysreg-check-the-return-value-of-devm_gpiochip_add_data.patch
 ext4-fix-checks-for-orphan-inodes.patch
+mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch
+nvdimm-ndtest-return-enomem-if-devm_kcalloc-fails-in-ndtest_probe.patch
+input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch
+input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch
+pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch
+bus-fsl-mc-check-return-value-of-platform_get_resource.patch
+usb-cdns3-cdnsp-pci-remove-redundant-pci_disable_device-call.patch

diff --git a/queue-5.15/usb-cdns3-cdnsp-pci-remove-redundant-pci_disable_device-call.patch b/queue-5.15/usb-cdns3-cdnsp-pci-remove-redundant-pci_disable_device-call.patch
new file mode 100644 (file)
index 0000000..f4c6855
--- /dev/null
+++ b/queue-5.15/usb-cdns3-cdnsp-pci-remove-redundant-pci_disable_device-call.patch
@@ -0,0 +1,47 @@
+From e9c206324eeb213957a567a9d066bdeb355c7491 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Wed, 3 Sep 2025 22:16:13 +0800
+Subject: usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit e9c206324eeb213957a567a9d066bdeb355c7491 upstream.
+
+The cdnsp-pci driver uses pcim_enable_device() to enable a PCI device,
+which means the device will be automatically disabled on driver detach
+through the managed device framework. The manual pci_disable_device()
+call in the error path is therefore redundant.
+
+Found via static anlaysis and this is similar to commit 99ca0b57e49f
+("thermal: intel: int340x: processor: Fix warning during module unload").
+
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20250903141613.2535472-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdnsp-pci.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/usb/cdns3/cdnsp-pci.c
++++ b/drivers/usb/cdns3/cdnsp-pci.c
+@@ -90,7 +90,7 @@ static int cdnsp_pci_probe(struct pci_de
+               cdnsp = kzalloc(sizeof(*cdnsp), GFP_KERNEL);
+               if (!cdnsp) {
+                       ret = -ENOMEM;
+-                      goto disable_pci;
++                      goto put_pci;
+               }
+       }
+ 
+@@ -173,9 +173,6 @@ free_cdnsp:
+       if (!pci_is_enabled(func))
+               kfree(cdnsp);
+ 
+-disable_pci:
+-      pci_disable_device(pdev);
+-
+ put_pci:
+       pci_dev_put(func);
+