5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 18 Feb 2025 12:29:27 +0000 (13:29 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 18 Feb 2025 12:29:27 +0000 (13:29 +0100)
added patches:
gpio-stmpe-check-return-value-of-stmpe_reg_read-in-stmpe_gpio_irq_sync_unlock.patch
partitions-mac-fix-handling-of-bogus-partition-table.patch

queue-5.4/gpio-stmpe-check-return-value-of-stmpe_reg_read-in-stmpe_gpio_irq_sync_unlock.patch [new file with mode: 0644]
queue-5.4/partitions-mac-fix-handling-of-bogus-partition-table.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/gpio-stmpe-check-return-value-of-stmpe_reg_read-in-stmpe_gpio_irq_sync_unlock.patch b/queue-5.4/gpio-stmpe-check-return-value-of-stmpe_reg_read-in-stmpe_gpio_irq_sync_unlock.patch
new file mode 100644 (file)
index 0000000..fa16608
--- /dev/null
@@ -0,0 +1,65 @@
+From b9644fbfbcab13da7f8b37bef7c51e5b8407d031 Mon Sep 17 00:00:00 2001
+From: Wentao Liang <vulab@iscas.ac.cn>
+Date: Wed, 12 Feb 2025 10:18:49 +0800
+Subject: gpio: stmpe: Check return value of stmpe_reg_read in stmpe_gpio_irq_sync_unlock
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+commit b9644fbfbcab13da7f8b37bef7c51e5b8407d031 upstream.
+
+The stmpe_reg_read function can fail, but its return value is not checked
+in stmpe_gpio_irq_sync_unlock. This can lead to silent failures and
+incorrect behavior if the hardware access fails.
+
+This patch adds checks for the return value of stmpe_reg_read. If the
+function fails, an error message is logged and the function returns
+early to avoid further issues.
+
+Fixes: b888fb6f2a27 ("gpio: stmpe: i2c transfer are forbiden in atomic context")
+Cc: stable@vger.kernel.org # 4.16+
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Link: https://lore.kernel.org/r/20250212021849.275-1-vulab@iscas.ac.cn
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-stmpe.c |   15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpio/gpio-stmpe.c
++++ b/drivers/gpio/gpio-stmpe.c
+@@ -188,7 +188,7 @@ static void stmpe_gpio_irq_sync_unlock(s
+               [REG_IE][CSB] = STMPE_IDX_IEGPIOR_CSB,
+               [REG_IE][MSB] = STMPE_IDX_IEGPIOR_MSB,
+       };
+-      int i, j;
++      int ret, i, j;
+       /*
+        * STMPE1600: to be able to get IRQ from pins,
+@@ -196,8 +196,16 @@ static void stmpe_gpio_irq_sync_unlock(s
+        * GPSR or GPCR registers
+        */
+       if (stmpe->partnum == STMPE1600) {
+-              stmpe_reg_read(stmpe, stmpe->regs[STMPE_IDX_GPMR_LSB]);
+-              stmpe_reg_read(stmpe, stmpe->regs[STMPE_IDX_GPMR_CSB]);
++              ret = stmpe_reg_read(stmpe, stmpe->regs[STMPE_IDX_GPMR_LSB]);
++              if (ret < 0) {
++                      dev_err(stmpe->dev, "Failed to read GPMR_LSB: %d\n", ret);
++                      goto err;
++              }
++              ret = stmpe_reg_read(stmpe, stmpe->regs[STMPE_IDX_GPMR_CSB]);
++              if (ret < 0) {
++                      dev_err(stmpe->dev, "Failed to read GPMR_CSB: %d\n", ret);
++                      goto err;
++              }
+       }
+       for (i = 0; i < CACHE_NR_REGS; i++) {
+@@ -219,6 +227,7 @@ static void stmpe_gpio_irq_sync_unlock(s
+               }
+       }
++err:
+       mutex_unlock(&stmpe_gpio->irq_lock);
+ }
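Review bot: On a failed GPMR read the new `goto err` skips the whole `for (i = 0; i < CACHE_NR_REGS; i++)` loop, so whatever that loop writes to the chip is not written on this unlock. Because stmpe_gpio_irq_sync_unlock returns void, the only trace of the failure is the `dev_err` line. A comment at the first `goto`, something like `/* bail out: cached regs are not synced on this pass */`, would show that the skip is deliberate. The label is also reached on the normal path, so `out_unlock:` would be a more accurate name than `err:`. The loop body and the start of the function lie outside the hunks shown, so whether the skipped writes are retried on a later unlock cannot be confirmed from here.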
diff --git a/queue-5.4/partitions-mac-fix-handling-of-bogus-partition-table.patch b/queue-5.4/partitions-mac-fix-handling-of-bogus-partition-table.patch
new file mode 100644 (file)
index 0000000..65eae42
--- /dev/null
@@ -0,0 +1,69 @@
+From 80e648042e512d5a767da251d44132553fe04ae0 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 14 Feb 2025 02:39:50 +0100
+Subject: partitions: mac: fix handling of bogus partition table
+
+From: Jann Horn <jannh@google.com>
+
+commit 80e648042e512d5a767da251d44132553fe04ae0 upstream.
+
+Fix several issues in partition probing:
+
+ - The bailout for a bad partoffset must use put_dev_sector(), since the
+   preceding read_part_sector() succeeded.
+ - If the partition table claims a silly sector size like 0xfff bytes
+   (which results in partition table entries straddling sector boundaries),
+   bail out instead of accessing out-of-bounds memory.
+ - We must not assume that the partition table contains proper NUL
+   termination - use strnlen() and strncmp() instead of strlen() and
+   strcmp().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Link: https://lore.kernel.org/r/20250214-partition-mac-v1-1-c1c626dffbd5@google.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/partitions/mac.c |   18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/block/partitions/mac.c
++++ b/block/partitions/mac.c
+@@ -51,13 +51,25 @@ int mac_partition(struct parsed_partitio
+       }
+       secsize = be16_to_cpu(md->block_size);
+       put_dev_sector(sect);
++
++      /*
++       * If the "block size" is not a power of 2, things get weird - we might
++       * end up with a partition straddling a sector boundary, so we wouldn't
++       * be able to read a partition entry with read_part_sector().
++       * Real block sizes are probably (?) powers of two, so just require
++       * that.
++       */
++      if (!is_power_of_2(secsize))
++              return -1;
+       datasize = round_down(secsize, 512);
+       data = read_part_sector(state, datasize / 512, &sect);
+       if (!data)
+               return -1;
+       partoffset = secsize % 512;
+-      if (partoffset + sizeof(*part) > datasize)
++      if (partoffset + sizeof(*part) > datasize) {
++              put_dev_sector(sect);
+               return -1;
++      }
+       part = (struct mac_partition *) (data + partoffset);
+       if (be16_to_cpu(part->signature) != MAC_PARTITION_MAGIC) {
+               put_dev_sector(sect);
+@@ -110,8 +122,8 @@ int mac_partition(struct parsed_partitio
+                               int i, l;
+                               goodness++;
+-                              l = strlen(part->name);
+-                              if (strcmp(part->name, "/") == 0)
++                              l = strnlen(part->name, sizeof(part->name));
++                              if (strncmp(part->name, "/", sizeof(part->name)) == 0)
+                                       goodness++;
+                               for (i = 0; i <= l - 4; ++i) {
+                                       if (strncasecmp(part->name + i, "root",
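Review bot: The new `is_power_of_2(secsize)` check still lets power-of-two block sizes below 512 through. For those, `round_down(secsize, 512)` gives a `datasize` of 0, and the table is only rejected after the `read_part_sector()` call, by the `partoffset + sizeof(*part) > datasize` test. Rejecting them up front would make the lower bound explicit for a value read from the on-disk header: `if (!is_power_of_2(secsize) || secsize < 512)`. The comment above the check could also say that a block size of 0 is refused, since that follows from `is_power_of_2()` itself rather than from anything visible here. mac_partition() starts and continues outside these hunks, and the last hunk shown breaks off inside the `strncasecmp()` call.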
index 0ee7bbca0effaa6ec3f3c1e4343342828151c890..47462e5eb3c1abb789599098297ffa7f91deab2a 100644 (file)
@@ -187,3 +187,5 @@ can-j1939-j1939_sk_send_loop-fix-unable-to-send-messages-with-data-length-zero.p
 alpha-make-stack-16-byte-aligned-most-cases.patch
 serial-8250-fix-fifo-underflow-on-flush.patch
 alpha-align-stack-for-page-fault-and-user-unaligned-trap-handlers.patch
+gpio-stmpe-check-return-value-of-stmpe_reg_read-in-stmpe_gpio_irq_sync_unlock.patch
+partitions-mac-fix-handling-of-bogus-partition-table.patch