From a70cb6b30497d14a7f56de858739ce77d23234a7 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 13 Oct 2025 14:02:11 +0200
Subject: [PATCH] 5.10-stable patches
added patches:
bus-fsl-mc-check-return-value-of-platform_get_resource.patch
input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch
input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch
mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch
pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch
---
...eturn-value-of-platform_get_resource.patch | 36 ++++++++
...mel_mxt_ts-allow-reset-gpio-to-sleep.patch | 33 +++++++
..._ff_upload_compat-to-avoid-info-leak.patch | 37 ++++++++
...p-when-mprotect-to-large-memory-area.patch | 88 +++++++++++++++++++
...alue-of-pinmux_ops-get_function_name.patch | 37 ++++++++
queue-5.10/series | 5 ++
6 files changed, 236 insertions(+)
create mode 100644 queue-5.10/bus-fsl-mc-check-return-value-of-platform_get_resource.patch
create mode 100644 queue-5.10/input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch
create mode 100644 queue-5.10/input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch
create mode 100644 queue-5.10/mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch
create mode 100644 queue-5.10/pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch
diff --git a/queue-5.10/bus-fsl-mc-check-return-value-of-platform_get_resource.patch b/queue-5.10/bus-fsl-mc-check-return-value-of-platform_get_resource.patch
new file mode 100644
index 0000000000..261a3a4efc
--- /dev/null
+++ b/queue-5.10/bus-fsl-mc-check-return-value-of-platform_get_resource.patch
@@ -0,0 +1,36 @@
+From 25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae Mon Sep 17 00:00:00 2001
+From: Salah Triki
+Date: Mon, 25 Aug 2025 10:34:35 +0100
+Subject: bus: fsl-mc: Check return value of platform_get_resource()
+
+From: Salah Triki
+
+commit 25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae upstream.
+
+platform_get_resource() returns NULL in case of failure, so check its
+return value and propagate the error in order to prevent NULL pointer
+dereference.
+
+Fixes: 6305166c8771 ("bus: fsl-mc: Add ACPI support for fsl-mc")
+Cc: stable@vger.kernel.org
+Signed-off-by: Salah Triki
+Acked-by: Ioana Ciornei
+Link: https://lore.kernel.org/r/aKwuK6TRr5XNYQ8u@pc
+Signed-off-by: Christophe Leroy
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -1014,6 +1014,9 @@ static int fsl_mc_bus_probe(struct platf
+ * Get physical address of MC portal for the root DPRC:
+ */
+ plat_res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!plat_res)
++ return -EINVAL;
++
+ mc_portal_phys_addr = plat_res->start;
+ mc_portal_size = resource_size(plat_res);
+ mc_portal_base_phys_addr = mc_portal_phys_addr & ~0x3ffffff;
diff --git a/queue-5.10/input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch b/queue-5.10/input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch
new file mode 100644
index 0000000000..2fd768afdf
--- /dev/null
+++ b/queue-5.10/input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch
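Review bot: In the fsl-mc patch, the new `if (!plat_res) return -EINVAL;` in fsl_mc_bus_probe() fails the probe without a log line, so a platform description that lacks the MC portal memory region shows up only as an unexplained probe error. A one-line diagnostic before the return would make the cause visible, for example `dev_err(&pdev->dev, "missing MC portal memory resource\n");`. The start of fsl_mc_bus_probe() is outside the hunk, so it is worth confirming that nothing acquired earlier in the function needs unwinding before this direct return.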
@@ -0,0 +1,33 @@
+From c7866ee0a9ddd9789faadf58cdac6abd7aabf045 Mon Sep 17 00:00:00 2001
+From: Marek Vasut
+Date: Sun, 5 Oct 2025 04:33:10 +0200
+Subject: Input: atmel_mxt_ts - allow reset GPIO to sleep
+
+From: Marek Vasut
+
+commit c7866ee0a9ddd9789faadf58cdac6abd7aabf045 upstream.
+
+The reset GPIO is not toggled in any critical section where it couldn't
+sleep, allow the reset GPIO to sleep. This allows the driver to operate
+reset GPIOs connected to I2C GPIO expanders.
+
+Signed-off-by: Marek Vasut
+Link: https://lore.kernel.org/r/20251005023335.166483-1-marek.vasut@mailbox.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/touchscreen/atmel_mxt_ts.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/atmel_mxt_ts.c
++++ b/drivers/input/touchscreen/atmel_mxt_ts.c
+@@ -3156,7 +3156,7 @@ static int mxt_probe(struct i2c_client *
+ if (data->reset_gpio) {
+ /* Wait a while and then de-assert the RESET GPIO line */
+ msleep(MXT_RESET_GPIO_TIME);
+- gpiod_set_value(data->reset_gpio, 0);
++ gpiod_set_value_cansleep(data->reset_gpio, 0);
+ msleep(MXT_RESET_INVALID_CHG);
+ }
+
diff --git a/queue-5.10/input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch b/queue-5.10/input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch
new file mode 100644
index 0000000000..1d7cc52f06
--- /dev/null
+++ b/queue-5.10/input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch
@@ -0,0 +1,37 @@
+From d3366a04770eea807f2826cbdb96934dd8c9bf79 Mon Sep 17 00:00:00 2001
+From: Zhen Ni
+Date: Sun, 28 Sep 2025 14:37:37 +0800
+Subject: Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak
+
+From: Zhen Ni
+
+commit d3366a04770eea807f2826cbdb96934dd8c9bf79 upstream.
+
+Struct ff_effect_compat is embedded twice inside
+uinput_ff_upload_compat, contains internal padding. In particular, there
+is a hole after struct ff_replay to satisfy alignment requirements for
+the following union member. Without clearing the structure,
+copy_to_user() may leak stack data to userspace.
+
+Initialize ff_up_compat to zero before filling valid fields.
+
+Fixes: 2d56f3a32c0e ("Input: refactor evdev 32bit compat to be shareable with uinput")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhen Ni
+Link: https://lore.kernel.org/r/20250928063737.74590-1-zhen.ni@easystack.cn
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/misc/uinput.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -741,6 +741,7 @@ static int uinput_ff_upload_to_user(char
+ if (in_compat_syscall()) {
+ struct uinput_ff_upload_compat ff_up_compat;
+
++ memset(&ff_up_compat, 0, sizeof(ff_up_compat));
+ ff_up_compat.request_id = ff_up->request_id;
+ ff_up_compat.retval = ff_up->retval;
+ /*
diff --git a/queue-5.10/mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch b/queue-5.10/mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch
new file mode 100644
index 0000000000..bed43df5ec
--- /dev/null
+++ b/queue-5.10/mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch
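Review bot: In the uinput patch, the added `memset(&ff_up_compat, 0, sizeof(ff_up_compat));` in uinput_ff_upload_to_user() carries no comment saying why it is a memset rather than an initializer, and that distinction is the whole fix. An initializer such as `= { 0 }` is not guaranteed to clear padding bytes, and the padding is what the commit message says can reach userspace through copy_to_user(). I would add a comment above the call, e.g. `/* memset() rather than an initializer: padding holes must be zero before copy_to_user() */`, so a later cleanup does not turn it back into an initializer. The rest of the function, including the copy to userspace, is outside the hunk.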
@@ -0,0 +1,88 @@ +From f52ce0ea90c83a28904c7cc203a70e6434adfecb Mon Sep 17 00:00:00 2001 +From: Yang Shi +Date: Mon, 29 Sep 2025 13:24:02 -0700 +Subject: mm: hugetlb: avoid soft lockup when mprotect to large memory area +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yang Shi + +commit f52ce0ea90c83a28904c7cc203a70e6434adfecb upstream. + +When calling mprotect() to a large hugetlb memory area in our customer's +workload (~300GB hugetlb memory), soft lockup was observed: + +watchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916] + +CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7 +Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025 +pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : mte_clear_page_tags+0x14/0x24 +lr : mte_sync_tags+0x1c0/0x240 +sp : ffff80003150bb80 +x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000 +x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458 +x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000 +x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000 +x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 +x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 +x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c +x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 +x5 : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000 +x2 : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000 + +Call trace: +  mte_clear_page_tags+0x14/0x24 +  set_huge_pte_at+0x25c/0x280 +  hugetlb_change_protection+0x220/0x430 +  change_protection+0x5c/0x8c +  mprotect_fixup+0x10c/0x294 +  do_mprotect_pkey.constprop.0+0x2e0/0x3d4 +  __arm64_sys_mprotect+0x24/0x44 +  invoke_syscall+0x50/0x160 +  el0_svc_common+0x48/0x144 +  do_el0_svc+0x30/0xe0 +  el0_svc+0x30/0xf0 +  el0t_64_sync_handler+0xc4/0x148 +  
el0t_64_sync+0x1a4/0x1a8
+
+Soft lockup is not triggered with THP or base page because there is
+cond_resched() called for each PMD size.
+
+Although the soft lockup was triggered by MTE, it should be not MTE
+specific. The other processing which takes long time in the loop may
+trigger soft lockup too.
+
+So add cond_resched() for hugetlb to avoid soft lockup.
+
+Link: https://lkml.kernel.org/r/20250929202402.1663290-1-yang@os.amperecomputing.com
+Fixes: 8f860591ffb2 ("[PATCH] Enable mprotect on huge pages")
+Signed-off-by: Yang Shi
+Tested-by: Carl Worth
+Reviewed-by: Christoph Lameter (Ampere)
+Reviewed-by: Catalin Marinas
+Acked-by: David Hildenbrand
+Acked-by: Oscar Salvador
+Reviewed-by: Anshuman Khandual
+Reviewed-by: Dev Jain
+Cc: Muchun Song
+Cc: Will Deacon
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/hugetlb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -5119,6 +5119,8 @@ unsigned long hugetlb_change_protection(
+ pages++;
+ }
+ spin_unlock(ptl);
++
++ cond_resched();
+ }
+ /*
+ * Must flush TLB before releasing i_mmap_rwsem: x86's huge_pmd_unshare
diff --git a/queue-5.10/pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch b/queue-5.10/pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch
new file mode 100644
index 0000000000..7a34dce1d6
--- /dev/null
+++ b/queue-5.10/pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch
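Review bot: In the hugetlb patch, the new `cond_resched();` at the end of the loop body in hugetlb_change_protection() has no comment, and its position after `spin_unlock(ptl);` is what makes it valid, since a reschedule point cannot sit inside the page-table spinlock. A short comment would keep it from being moved or dropped, e.g. `/* Large ranges can trip the soft-lockup watchdog; reschedule only after ptl is released. */`. The loop head is outside the hunk; if it has `continue` paths, those iterations skip this reschedule point, which is probably fine when they do little work but is worth confirming.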
@@ -0,0 +1,37 @@
+From 4002ee98c022d671ecc1e4a84029e9ae7d8a5603 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski
+Date: Tue, 2 Sep 2025 13:59:10 +0200
+Subject: pinctrl: check the return value of pinmux_ops::get_function_name()
+
+From: Bartosz Golaszewski
+
+commit 4002ee98c022d671ecc1e4a84029e9ae7d8a5603 upstream.
+
+While the API contract in docs doesn't specify it explicitly, the
+generic implementation of the get_function_name() callback from struct
+pinmux_ops - pinmux_generic_get_function_name() - can fail and return
+NULL. This is already checked in pinmux_check_ops() so add a similar
+check in pinmux_func_name_to_selector() instead of passing the returned
+pointer right down to strcmp() where the NULL can get dereferenced. This
+is normal operation when adding new pinfunctions.
+
+Cc: stable@vger.kernel.org
+Tested-by: Neil Armstrong
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/pinmux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/pinmux.c
++++ b/drivers/pinctrl/pinmux.c
+@@ -327,7 +327,7 @@ static int pinmux_func_name_to_selector(
+ while (selector < nfuncs) {
+ const char *fname = ops->get_function_name(pctldev, selector);
+
+- if (!strcmp(function, fname))
++ if (fname && !strcmp(function, fname))
+ return selector;
+
+ selector++;
diff --git a/queue-5.10/series b/queue-5.10/series
index fddd9bb550..5cc248a63d 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
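Review bot: In the pinctrl patch, the new test `if (fname && !strcmp(function, fname))` in pinmux_func_name_to_selector() silently skips a selector whose name is NULL, and nothing in the code says that this is expected rather than an error. The commit message notes that the API documentation does not state that get_function_name() may return NULL, so a comment at the call would record it, e.g. `/* get_function_name() can return NULL (see pinmux_generic_get_function_name()); skip such selectors */`. The function body before and after the loop is outside the hunk.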
@@ -88,3 +88,8 @@ revert-net-mlx5e-update-and-set-xon-xoff-upon-mtu-se.patch
 squashfs-fix-uninit-value-in-squashfs_get_parent.patch
 uio_hv_generic-let-userspace-take-care-of-interrupt-mask.patch
 mfd-vexpress-sysreg-check-the-return-value-of-devm_gpiochip_add_data.patch
+mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch
+input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch
+input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch
+pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch
+bus-fsl-mc-check-return-value-of-platform_get_resource.patch
--
2.47.3