6.18-stable patches

added patches:
	x86-platform-geode-fix-on-stack-property-data-use-after-return-bug.patch

diff --git a/queue-6.18/series b/queue-6.18/series
index 4a51c2ae87656e008a60bfc6489ac1c8a79eb067..641a3e75d139b8ea7fdc045ca5164409452f18ed 100644 (file)
--- a/queue-6.18/series
+++ b/queue-6.18/series
@@ -207,3 +207,4 @@ usb-core-phy-avoid-double-use-of-usb3-phy.patch
 usb-cdns3-gadget-fix-null-pointer-dereference-in-ep_queue.patch
 usb-cdns3-gadget-fix-state-inconsistency-on-gadget-init-failure.patch
 usb-core-use-dedicated-spinlock-for-offload-state.patch
+x86-platform-geode-fix-on-stack-property-data-use-after-return-bug.patch

diff --git a/queue-6.18/x86-platform-geode-fix-on-stack-property-data-use-after-return-bug.patch b/queue-6.18/x86-platform-geode-fix-on-stack-property-data-use-after-return-bug.patch
new file mode 100644 (file)
index 0000000..29576ae
--- /dev/null
+++ b/queue-6.18/x86-platform-geode-fix-on-stack-property-data-use-after-return-bug.patch
@@ -0,0 +1,104 @@
+From b981e9e94c687b7b19ae8820963f005b842cb2f2 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Sun, 29 Mar 2026 19:27:48 -0700
+Subject: x86/platform/geode: Fix on-stack property data use-after-return bug
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit b981e9e94c687b7b19ae8820963f005b842cb2f2 upstream.
+
+The PROPERTY_ENTRY_GPIO macro (and by extension PROPERTY_ENTRY_REF)
+creates a temporary software_node_ref_args structure on the stack
+when used in a runtime assignment. This results in the property
+pointing to data that is invalid once the function returns.
+
+Fix this by ensuring the GPIO reference data is not stored on stack and
+using PROPERTY_ENTRY_REF_ARRAY_LEN() to point directly to the persistent
+reference data.
+
+Fixes: 298c9babadb8 ("x86/platform/geode: switch GPIO buttons and LEDs to software properties")
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Rafael J. Wysocki <rafael@kernel.org>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Daniel Scally <djrscally@gmail.com>
+Cc: Danilo Krummrich <dakr@kernel.org>
+Cc: Hans de Goede <hansg@kernel.org>
+Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Cc: Sakari Ailus <sakari.ailus@linux.intel.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260329-property-gpio-fix-v2-1-3cca5ba136d8@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/platform/geode/geode-common.c |   24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/platform/geode/geode-common.c
++++ b/arch/x86/platform/geode/geode-common.c
+@@ -28,8 +28,10 @@ static const struct software_node geode_
+       .properties = geode_gpio_keys_props,
+ };
+ 
+-static struct property_entry geode_restart_key_props[] = {
+-      { /* Placeholder for GPIO property */ },
++static struct software_node_ref_args geode_restart_gpio_ref;
++
++static const struct property_entry geode_restart_key_props[] = {
++      PROPERTY_ENTRY_REF_ARRAY_LEN("gpios", &geode_restart_gpio_ref, 1),
+       PROPERTY_ENTRY_U32("linux,code", KEY_RESTART),
+       PROPERTY_ENTRY_STRING("label", "Reset button"),
+       PROPERTY_ENTRY_U32("debounce-interval", 100),
+@@ -64,8 +66,7 @@ int __init geode_create_restart_key(unsi
+       struct platform_device *pd;
+       int err;
+ 
+-      geode_restart_key_props[0] = PROPERTY_ENTRY_GPIO("gpios",
+-                                                       &geode_gpiochip_node,
++      geode_restart_gpio_ref = SOFTWARE_NODE_REFERENCE(&geode_gpiochip_node,
+                                                        pin, GPIO_ACTIVE_LOW);
+ 
+       err = software_node_register_node_group(geode_gpio_keys_swnodes);
+@@ -99,6 +100,7 @@ int __init geode_create_leds(const char
+       const struct software_node *group[MAX_LEDS + 2] = { 0 };
+       struct software_node *swnodes;
+       struct property_entry *props;
++      struct software_node_ref_args *gpio_refs;
+       struct platform_device_info led_info = {
+               .name   = "leds-gpio",
+               .id     = PLATFORM_DEVID_NONE,
+@@ -127,6 +129,12 @@ int __init geode_create_leds(const char
+               goto err_free_swnodes;
+       }
+ 
++      gpio_refs = kzalloc_objs(*gpio_refs, n_leds);
++      if (!gpio_refs) {
++              err = -ENOMEM;
++              goto err_free_props;
++      }
++
+       group[0] = &geode_gpio_leds_node;
+       for (i = 0; i < n_leds; i++) {
+               node_name = kasprintf(GFP_KERNEL, "%s:%d", label, i);
+@@ -135,9 +143,11 @@ int __init geode_create_leds(const char
+                       goto err_free_names;
+               }
+ 
++              gpio_refs[i] = SOFTWARE_NODE_REFERENCE(&geode_gpiochip_node,
++                                                     leds[i].pin,
++                                                     GPIO_ACTIVE_LOW);
+               props[i * 3 + 0] =
+-                      PROPERTY_ENTRY_GPIO("gpios", &geode_gpiochip_node,
+-                                          leds[i].pin, GPIO_ACTIVE_LOW);
++                      PROPERTY_ENTRY_REF_ARRAY_LEN("gpios", &gpio_refs[i], 1);
+               props[i * 3 + 1] =
+                       PROPERTY_ENTRY_STRING("linux,default-trigger",
+                                             leds[i].default_on ?
+@@ -171,6 +181,8 @@ err_unregister_group:
+ err_free_names:
+       while (--i >= 0)
+               kfree(swnodes[i].name);
++      kfree(gpio_refs);
++err_free_props:
+       kfree(props);
+ err_free_swnodes:
+       kfree(swnodes);