5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 13 Oct 2025 12:02:11 +0000 (14:02 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 13 Oct 2025 12:02:11 +0000 (14:02 +0200)
added patches:
bus-fsl-mc-check-return-value-of-platform_get_resource.patch
input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch
input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch
mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch
pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch

queue-5.10/bus-fsl-mc-check-return-value-of-platform_get_resource.patch [new file with mode: 0644]
queue-5.10/input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch [new file with mode: 0644]
queue-5.10/input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch [new file with mode: 0644]
queue-5.10/mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch [new file with mode: 0644]
queue-5.10/pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/bus-fsl-mc-check-return-value-of-platform_get_resource.patch b/queue-5.10/bus-fsl-mc-check-return-value-of-platform_get_resource.patch
new file mode 100644 (file)
index 0000000..261a3a4
--- /dev/null
@@ -0,0 +1,36 @@
+From 25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae Mon Sep 17 00:00:00 2001
+From: Salah Triki <salah.triki@gmail.com>
+Date: Mon, 25 Aug 2025 10:34:35 +0100
+Subject: bus: fsl-mc: Check return value of platform_get_resource()
+
+From: Salah Triki <salah.triki@gmail.com>
+
+commit 25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae upstream.
+
+platform_get_resource() returns NULL in case of failure, so check its
+return value and propagate the error in order to prevent NULL pointer
+dereference.
+
+Fixes: 6305166c8771 ("bus: fsl-mc: Add ACPI support for fsl-mc")
+Cc: stable@vger.kernel.org
+Signed-off-by: Salah Triki <salah.triki@gmail.com>
+Acked-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Link: https://lore.kernel.org/r/aKwuK6TRr5XNYQ8u@pc
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -1014,6 +1014,9 @@ static int fsl_mc_bus_probe(struct platf
+        * Get physical address of MC portal for the root DPRC:
+        */
+       plat_res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++      if (!plat_res)
++              return -EINVAL;
++
+       mc_portal_phys_addr = plat_res->start;
+       mc_portal_size = resource_size(plat_res);
+       mc_portal_base_phys_addr = mc_portal_phys_addr & ~0x3ffffff;
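Review bot: The new `if (!plat_res) return -EINVAL;` in fsl_mc_bus_probe() fails the probe without any diagnostic, so a platform description that lacks the MC portal memory resource yields only a bare probe error. I would log the cause before returning, for example `dev_err(&pdev->dev, "missing MC portal memory resource\n");`. The function starts before the hunk, so whether everything acquired earlier is devm-managed, and therefore safe to abandon with a direct return, cannot be confirmed from the visible lines and should be checked against the 5.10 tree.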
diff --git a/queue-5.10/input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch b/queue-5.10/input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch
new file mode 100644 (file)
index 0000000..2fd768a
--- /dev/null
@@ -0,0 +1,33 @@
+From c7866ee0a9ddd9789faadf58cdac6abd7aabf045 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marek.vasut@mailbox.org>
+Date: Sun, 5 Oct 2025 04:33:10 +0200
+Subject: Input: atmel_mxt_ts - allow reset GPIO to sleep
+
+From: Marek Vasut <marek.vasut@mailbox.org>
+
+commit c7866ee0a9ddd9789faadf58cdac6abd7aabf045 upstream.
+
+The reset GPIO is not toggled in any critical section where it couldn't
+sleep, allow the reset GPIO to sleep. This allows the driver to operate
+reset GPIOs connected to I2C GPIO expanders.
+
+Signed-off-by: Marek Vasut <marek.vasut@mailbox.org>
+Link: https://lore.kernel.org/r/20251005023335.166483-1-marek.vasut@mailbox.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/atmel_mxt_ts.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/atmel_mxt_ts.c
++++ b/drivers/input/touchscreen/atmel_mxt_ts.c
+@@ -3156,7 +3156,7 @@ static int mxt_probe(struct i2c_client *
+       if (data->reset_gpio) {
+               /* Wait a while and then de-assert the RESET GPIO line */
+               msleep(MXT_RESET_GPIO_TIME);
+-              gpiod_set_value(data->reset_gpio, 0);
++              gpiod_set_value_cansleep(data->reset_gpio, 0);
+               msleep(MXT_RESET_INVALID_CHG);
+       }
diff --git a/queue-5.10/input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch b/queue-5.10/input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch
new file mode 100644 (file)
index 0000000..1d7cc52
--- /dev/null
@@ -0,0 +1,37 @@
+From d3366a04770eea807f2826cbdb96934dd8c9bf79 Mon Sep 17 00:00:00 2001
+From: Zhen Ni <zhen.ni@easystack.cn>
+Date: Sun, 28 Sep 2025 14:37:37 +0800
+Subject: Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak
+
+From: Zhen Ni <zhen.ni@easystack.cn>
+
+commit d3366a04770eea807f2826cbdb96934dd8c9bf79 upstream.
+
+Struct ff_effect_compat is embedded twice inside
+uinput_ff_upload_compat, contains internal padding. In particular, there
+is a hole after struct ff_replay to satisfy alignment requirements for
+the following union member. Without clearing the structure,
+copy_to_user() may leak stack data to userspace.
+
+Initialize ff_up_compat to zero before filling valid fields.
+
+Fixes: 2d56f3a32c0e ("Input: refactor evdev 32bit compat to be shareable with uinput")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
+Link: https://lore.kernel.org/r/20250928063737.74590-1-zhen.ni@easystack.cn
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/uinput.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -741,6 +741,7 @@ static int uinput_ff_upload_to_user(char
+       if (in_compat_syscall()) {
+               struct uinput_ff_upload_compat ff_up_compat;
++              memset(&ff_up_compat, 0, sizeof(ff_up_compat));
+               ff_up_compat.request_id = ff_up->request_id;
+               ff_up_compat.retval = ff_up->retval;
+               /*
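Review bot: The added `memset(&ff_up_compat, 0, sizeof(ff_up_compat));` in the compat branch has no comment explaining why a full clear is needed, which invites a later cleanup to swap it for an initializer that is not guaranteed to clear padding. I would add above it `/* Clear padding as well: the whole struct is copied to userspace. */`. The copy itself is outside the hunk, so this relies on the commit message's statement that copy_to_user() is what would expose the padding holes. uinput_ff_upload_to_user() begins before and continues after the hunk.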
diff --git a/queue-5.10/mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch b/queue-5.10/mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch
new file mode 100644 (file)
index 0000000..bed43df
--- /dev/null
@@ -0,0 +1,88 @@
+From f52ce0ea90c83a28904c7cc203a70e6434adfecb Mon Sep 17 00:00:00 2001
+From: Yang Shi <yang@os.amperecomputing.com>
+Date: Mon, 29 Sep 2025 13:24:02 -0700
+Subject: mm: hugetlb: avoid soft lockup when mprotect to large memory area
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yang Shi <yang@os.amperecomputing.com>
+
+commit f52ce0ea90c83a28904c7cc203a70e6434adfecb upstream.
+
+When calling mprotect() to a large hugetlb memory area in our customer's
+workload (~300GB hugetlb memory), soft lockup was observed:
+
+watchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916]
+
+CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7
+Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025
+pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : mte_clear_page_tags+0x14/0x24
+lr : mte_sync_tags+0x1c0/0x240
+sp : ffff80003150bb80
+x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000
+x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458
+x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000
+x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000
+x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
+x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
+x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c
+x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
+x5 : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000
+x2 : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000
+
+Call trace:
+  mte_clear_page_tags+0x14/0x24
+  set_huge_pte_at+0x25c/0x280
+  hugetlb_change_protection+0x220/0x430
+  change_protection+0x5c/0x8c
+  mprotect_fixup+0x10c/0x294
+  do_mprotect_pkey.constprop.0+0x2e0/0x3d4
+  __arm64_sys_mprotect+0x24/0x44
+  invoke_syscall+0x50/0x160
+  el0_svc_common+0x48/0x144
+  do_el0_svc+0x30/0xe0
+  el0_svc+0x30/0xf0
+  el0t_64_sync_handler+0xc4/0x148
+  el0t_64_sync+0x1a4/0x1a8
+
+Soft lockup is not triggered with THP or base page because there is
+cond_resched() called for each PMD size.
+
+Although the soft lockup was triggered by MTE, it should be not MTE
+specific.  The other processing which takes long time in the loop may
+trigger soft lockup too.
+
+So add cond_resched() for hugetlb to avoid soft lockup.
+
+Link: https://lkml.kernel.org/r/20250929202402.1663290-1-yang@os.amperecomputing.com
+Fixes: 8f860591ffb2 ("[PATCH] Enable mprotect on huge pages")
+Signed-off-by: Yang Shi <yang@os.amperecomputing.com>
+Tested-by: Carl Worth <carl@os.amperecomputing.com>
+Reviewed-by: Christoph Lameter (Ampere) <cl@gentwo.org>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Acked-by: Oscar Salvador <osalvador@suse.de>
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Reviewed-by: Dev Jain <dev.jain@arm.com>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Will Deacon <will@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hugetlb.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -5119,6 +5119,8 @@ unsigned long hugetlb_change_protection(
+                       pages++;
+               }
+               spin_unlock(ptl);
++
++              cond_resched();
+       }
+       /*
+        * Must flush TLB before releasing i_mmap_rwsem: x86's huge_pmd_unshare
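Review bot: The new `cond_resched();` at the end of the loop body has no comment tying it to its position after `spin_unlock(ptl)`, although it is only valid while no spinlock is held. I would add `/* ptl is dropped; yield so a very large range cannot cause a soft lockup */` so a later reordering does not move it under the lock. The comment after the loop implies i_mmap_rwsem is still held at this point, which is a sleepable lock, but its acquisition is outside the hunk and should be confirmed for the 5.10 tree. hugetlb_change_protection() starts before and ends after the hunk.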
diff --git a/queue-5.10/pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch b/queue-5.10/pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch
new file mode 100644 (file)
index 0000000..7a34dce
--- /dev/null
@@ -0,0 +1,37 @@
+From 4002ee98c022d671ecc1e4a84029e9ae7d8a5603 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Tue, 2 Sep 2025 13:59:10 +0200
+Subject: pinctrl: check the return value of pinmux_ops::get_function_name()
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit 4002ee98c022d671ecc1e4a84029e9ae7d8a5603 upstream.
+
+While the API contract in docs doesn't specify it explicitly, the
+generic implementation of the get_function_name() callback from struct
+pinmux_ops - pinmux_generic_get_function_name() - can fail and return
+NULL. This is already checked in pinmux_check_ops() so add a similar
+check in pinmux_func_name_to_selector() instead of passing the returned
+pointer right down to strcmp() where the NULL can get dereferenced. This
+is normal operation when adding new pinfunctions.
+
+Cc: stable@vger.kernel.org
+Tested-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinmux.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/pinmux.c
++++ b/drivers/pinctrl/pinmux.c
+@@ -327,7 +327,7 @@ static int pinmux_func_name_to_selector(
+       while (selector < nfuncs) {
+               const char *fname = ops->get_function_name(pctldev, selector);
+-              if (!strcmp(function, fname))
++              if (fname && !strcmp(function, fname))
+                       return selector;
+               selector++;
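Review bot: The `fname &&` guard in the while loop of pinmux_func_name_to_selector() silently skips any selector whose name is NULL, and nothing in the code records that this is expected. A one-line comment such as `/* get_function_name() may return NULL, e.g. while functions are being added */` would capture what the commit message explains. The end of the loop and the function's not-found return are outside the hunk, so how a table with only NULL names is reported cannot be checked from here.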
index fddd9bb550a0c49bde2b55a0ef68e90f920260d9..5cc248a63dadc5161f961f6c07c3a5af8eb2c65c 100644 (file)
@@ -88,3 +88,8 @@ revert-net-mlx5e-update-and-set-xon-xoff-upon-mtu-se.patch
 squashfs-fix-uninit-value-in-squashfs_get_parent.patch
 uio_hv_generic-let-userspace-take-care-of-interrupt-mask.patch
 mfd-vexpress-sysreg-check-the-return-value-of-devm_gpiochip_add_data.patch
+mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch
+input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch
+input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch
+pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch
+bus-fsl-mc-check-return-value-of-platform_get_resource.patch