From 23d8345226c3b3618e2e81fd4f33107c4ffe9afc Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 18 Feb 2025 13:29:51 +0100
Subject: [PATCH] 5.15-stable patches

added patches:
gpio-stmpe-check-return-value-of-stmpe_reg_read-in-stmpe_gpio_irq_sync_unlock.patch
partitions-mac-fix-handling-of-bogus-partition-table.patch
---
 ...g_read-in-stmpe_gpio_irq_sync_unlock.patch | 65 +++++++++++++++++
 ...ix-handling-of-bogus-partition-table.patch | 69 +++++++++++++++++++
 queue-5.15/series | 2 +
 3 files changed, 136 insertions(+)
 create mode 100644 queue-5.15/gpio-stmpe-check-return-value-of-stmpe_reg_read-in-stmpe_gpio_irq_sync_unlock.patch
 create mode 100644 queue-5.15/partitions-mac-fix-handling-of-bogus-partition-table.patch

diff --git a/queue-5.15/gpio-stmpe-check-return-value-of-stmpe_reg_read-in-stmpe_gpio_irq_sync_unlock.patch b/queue-5.15/gpio-stmpe-check-return-value-of-stmpe_reg_read-in-stmpe_gpio_irq_sync_unlock.patch
new file mode 100644
index 0000000000..6a0c16d989
--- /dev/null
+++ b/queue-5.15/gpio-stmpe-check-return-value-of-stmpe_reg_read-in-stmpe_gpio_irq_sync_unlock.patch
@@ -0,0 +1,65 @@
+From b9644fbfbcab13da7f8b37bef7c51e5b8407d031 Mon Sep 17 00:00:00 2001
+From: Wentao Liang
+Date: Wed, 12 Feb 2025 10:18:49 +0800
+Subject: gpio: stmpe: Check return value of stmpe_reg_read in stmpe_gpio_irq_sync_unlock
+
+From: Wentao Liang
+
+commit b9644fbfbcab13da7f8b37bef7c51e5b8407d031 upstream.
+
+The stmpe_reg_read function can fail, but its return value is not checked
+in stmpe_gpio_irq_sync_unlock. This can lead to silent failures and
+incorrect behavior if the hardware access fails.
+
+This patch adds checks for the return value of stmpe_reg_read. If the
+function fails, an error message is logged and the function returns
+early to avoid further issues.
+
+Fixes: b888fb6f2a27 ("gpio: stmpe: i2c transfer are forbiden in atomic context")
+Cc: stable@vger.kernel.org # 4.16+
+Signed-off-by: Wentao Liang
+Link: https://lore.kernel.org/r/20250212021849.275-1-vulab@iscas.ac.cn
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpio/gpio-stmpe.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpio/gpio-stmpe.c
++++ b/drivers/gpio/gpio-stmpe.c
+@@ -191,7 +191,7 @@ static void stmpe_gpio_irq_sync_unlock(s
+ [REG_IE][CSB] = STMPE_IDX_IEGPIOR_CSB,
+ [REG_IE][MSB] = STMPE_IDX_IEGPIOR_MSB,
+ };
+- int i, j;
++ int ret, i, j;
+
+ /*
+ * STMPE1600: to be able to get IRQ from pins,
+@@ -199,8 +199,16 @@ static void stmpe_gpio_irq_sync_unlock(s
+ * GPSR or GPCR registers
+ */
+ if (stmpe->partnum == STMPE1600) {
+- stmpe_reg_read(stmpe, stmpe->regs[STMPE_IDX_GPMR_LSB]);
+- stmpe_reg_read(stmpe, stmpe->regs[STMPE_IDX_GPMR_CSB]);
++ ret = stmpe_reg_read(stmpe, stmpe->regs[STMPE_IDX_GPMR_LSB]);
++ if (ret < 0) {
++ dev_err(stmpe->dev, "Failed to read GPMR_LSB: %d\n", ret);
++ goto err;
++ }
++ ret = stmpe_reg_read(stmpe, stmpe->regs[STMPE_IDX_GPMR_CSB]);
++ if (ret < 0) {
++ dev_err(stmpe->dev, "Failed to read GPMR_CSB: %d\n", ret);
++ goto err;
++ }
+ }
+
+ for (i = 0; i < CACHE_NR_REGS; i++) {
+@@ -222,6 +230,7 @@ static void stmpe_gpio_irq_sync_unlock(s
+ }
+ }
+
++err:
+ mutex_unlock(&stmpe_gpio->irq_lock);
+ }
+
diff --git a/queue-5.15/partitions-mac-fix-handling-of-bogus-partition-table.patch b/queue-5.15/partitions-mac-fix-handling-of-bogus-partition-table.patch
new file mode 100644
index 0000000000..65eae42616
--- /dev/null
+++ b/queue-5.15/partitions-mac-fix-handling-of-bogus-partition-table.patch
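Review bot: The new `goto err` bail-outs in stmpe_gpio_irq_sync_unlock() jump over the whole `for (i = 0; i < CACHE_NR_REGS; i++)` loop, and because the function returns void the only trace of the failure is the dev_err() line. The loop body lies between the inner hunks and is not shown, so whether the work it skips is picked up on a later call cannot be confirmed from here; a short comment at the first bail-out would make that explicit, for example `/* read failed: skip the CACHE_NR_REGS loop below; the caller cannot be told */`. The `err:` label is also reached on the normal path, which is worth a word in the same comment. Since this is a stable backport, any such comment belongs in the upstream commit first.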
@@ -0,0 +1,69 @@
+From 80e648042e512d5a767da251d44132553fe04ae0 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Fri, 14 Feb 2025 02:39:50 +0100
+Subject: partitions: mac: fix handling of bogus partition table
+
+From: Jann Horn
+
+commit 80e648042e512d5a767da251d44132553fe04ae0 upstream.
+
+Fix several issues in partition probing:
+
+ - The bailout for a bad partoffset must use put_dev_sector(), since the
+ preceding read_part_sector() succeeded.
+ - If the partition table claims a silly sector size like 0xfff bytes
+ (which results in partition table entries straddling sector boundaries),
+ bail out instead of accessing out-of-bounds memory.
+ - We must not assume that the partition table contains proper NUL
+ termination - use strnlen() and strncmp() instead of strlen() and
+ strcmp().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn
+Link: https://lore.kernel.org/r/20250214-partition-mac-v1-1-c1c626dffbd5@google.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/partitions/mac.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/block/partitions/mac.c
++++ b/block/partitions/mac.c
+@@ -51,13 +51,25 @@ int mac_partition(struct parsed_partitio
+ }
+ secsize = be16_to_cpu(md->block_size);
+ put_dev_sector(sect);
++
++ /*
++ * If the "block size" is not a power of 2, things get weird - we might
++ * end up with a partition straddling a sector boundary, so we wouldn't
++ * be able to read a partition entry with read_part_sector().
++ * Real block sizes are probably (?) powers of two, so just require
++ * that.
++ */
++ if (!is_power_of_2(secsize))
++ return -1;
+ datasize = round_down(secsize, 512);
+ data = read_part_sector(state, datasize / 512, §);
+ if (!data)
+ return -1;
+ partoffset = secsize % 512;
+- if (partoffset + sizeof(*part) > datasize)
++ if (partoffset + sizeof(*part) > datasize) {
++ put_dev_sector(sect);
+ return -1;
++ }
+ part = (struct mac_partition *) (data + partoffset);
+ if (be16_to_cpu(part->signature) != MAC_PARTITION_MAGIC) {
+ put_dev_sector(sect);
+@@ -110,8 +122,8 @@ int mac_partition(struct parsed_partitio
+ int i, l;
+
+ goodness++;
+- l = strlen(part->name);
+- if (strcmp(part->name, "/") == 0)
++ l = strnlen(part->name, sizeof(part->name));
++ if (strncmp(part->name, "/", sizeof(part->name)) == 0)
+ goodness++;
+ for (i = 0; i <= l - 4; ++i) {
+ if (strncasecmp(part->name + i, "root",
diff --git a/queue-5.15/series b/queue-5.15/series
index 7107c3bbb2..b19800f48f 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -384,3 +384,5 @@ efi-avoid-cold-plugged-memory-for-placing-the-kernel.patch
 cgroup-fix-race-between-fork-and-cgroup.kill.patch
 serial-8250-fix-fifo-underflow-on-flush.patch
 alpha-align-stack-for-page-fault-and-user-unaligned-trap-handlers.patch
+gpio-stmpe-check-return-value-of-stmpe_reg_read-in-stmpe_gpio_irq_sync_unlock.patch
+partitions-mac-fix-handling-of-bogus-partition-table.patch
--
2.47.3
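Review bot: The new `is_power_of_2(secsize)` guard in mac_partition() still lets through power-of-two values below 512 (secsize comes from a 16-bit on-disk field), for which `round_down(secsize, 512)` is 0 and the table is only rejected later by the `partoffset + sizeof(*part) > datasize` test, after a read of sector 0. That is safe as written, but the dependency between the two checks is implicit; either fold the lower bound into the guard, `if (!is_power_of_2(secsize) || secsize < 512)`, or extend the comment to say that sub-512 sizes are caught by the partoffset check. mac_partition() starts and ends outside the hunk, so how the later entry reads use secsize is not visible here. The `§` in the read_part_sector() line on this page appears to be a mangled `&sect`.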