From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 7 Apr 2026 15:38:30 +0000 (+0200)
Subject: 6.19-stable patches
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0de956b9a90497e20459ae7ec3643397bfda1308;p=thirdparty%2Fkernel%2Fstable-queue.git

6.19-stable patches

added patches:
	x86-platform-geode-fix-on-stack-property-data-use-after-return-bug.patch
---

diff --git a/queue-6.19/series b/queue-6.19/series
index c12417be25..1dcdb3e57d 100644
--- a/queue-6.19/series
+++ b/queue-6.19/series
@@ -247,3 +247,4 @@ usb-core-phy-avoid-double-use-of-usb3-phy.patch
 usb-cdns3-gadget-fix-null-pointer-dereference-in-ep_queue.patch
 usb-cdns3-gadget-fix-state-inconsistency-on-gadget-init-failure.patch
 usb-core-use-dedicated-spinlock-for-offload-state.patch
+x86-platform-geode-fix-on-stack-property-data-use-after-return-bug.patch
diff --git a/queue-6.19/x86-platform-geode-fix-on-stack-property-data-use-after-return-bug.patch b/queue-6.19/x86-platform-geode-fix-on-stack-property-data-use-after-return-bug.patch
new file mode 100644
index 0000000000..29576ae31f
--- /dev/null
+++ b/queue-6.19/x86-platform-geode-fix-on-stack-property-data-use-after-return-bug.patch
@@ -0,0 +1,104 @@
+From b981e9e94c687b7b19ae8820963f005b842cb2f2 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Sun, 29 Mar 2026 19:27:48 -0700
+Subject: x86/platform/geode: Fix on-stack property data use-after-return bug
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit b981e9e94c687b7b19ae8820963f005b842cb2f2 upstream.
+
+The PROPERTY_ENTRY_GPIO macro (and by extension PROPERTY_ENTRY_REF)
+creates a temporary software_node_ref_args structure on the stack
+when used in a runtime assignment. This results in the property
+pointing to data that is invalid once the function returns.
+
+Fix this by ensuring the GPIO reference data is not stored on stack and
+using PROPERTY_ENTRY_REF_ARRAY_LEN() to point directly to the persistent
+reference data.
+
+Fixes: 298c9babadb8 ("x86/platform/geode: switch GPIO buttons and LEDs to software properties")
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Rafael J. Wysocki <rafael@kernel.org>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Daniel Scally <djrscally@gmail.com>
+Cc: Danilo Krummrich <dakr@kernel.org>
+Cc: Hans de Goede <hansg@kernel.org>
+Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Cc: Sakari Ailus <sakari.ailus@linux.intel.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260329-property-gpio-fix-v2-1-3cca5ba136d8@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/platform/geode/geode-common.c |   24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/platform/geode/geode-common.c
++++ b/arch/x86/platform/geode/geode-common.c
+@@ -28,8 +28,10 @@ static const struct software_node geode_
+ 	.properties = geode_gpio_keys_props,
+ };
+ 
+-static struct property_entry geode_restart_key_props[] = {
+-	{ /* Placeholder for GPIO property */ },
++static struct software_node_ref_args geode_restart_gpio_ref;
++
++static const struct property_entry geode_restart_key_props[] = {
++	PROPERTY_ENTRY_REF_ARRAY_LEN("gpios", &geode_restart_gpio_ref, 1),
+ 	PROPERTY_ENTRY_U32("linux,code", KEY_RESTART),
+ 	PROPERTY_ENTRY_STRING("label", "Reset button"),
+ 	PROPERTY_ENTRY_U32("debounce-interval", 100),
+@@ -64,8 +66,7 @@ int __init geode_create_restart_key(unsi
+ 	struct platform_device *pd;
+ 	int err;
+ 
+-	geode_restart_key_props[0] = PROPERTY_ENTRY_GPIO("gpios",
+-							 &geode_gpiochip_node,
++	geode_restart_gpio_ref = SOFTWARE_NODE_REFERENCE(&geode_gpiochip_node,
+ 							 pin, GPIO_ACTIVE_LOW);
+ 
+ 	err = software_node_register_node_group(geode_gpio_keys_swnodes);
+@@ -99,6 +100,7 @@ int __init geode_create_leds(const char
+ 	const struct software_node *group[MAX_LEDS + 2] = { 0 };
+ 	struct software_node *swnodes;
+ 	struct property_entry *props;
++	struct software_node_ref_args *gpio_refs;
+ 	struct platform_device_info led_info = {
+ 		.name	= "leds-gpio",
+ 		.id	= PLATFORM_DEVID_NONE,
+@@ -127,6 +129,12 @@ int __init geode_create_leds(const char
+ 		goto err_free_swnodes;
+ 	}
+ 
++	gpio_refs = kzalloc_objs(*gpio_refs, n_leds);
++	if (!gpio_refs) {
++		err = -ENOMEM;
++		goto err_free_props;
++	}
++
+ 	group[0] = &geode_gpio_leds_node;
+ 	for (i = 0; i < n_leds; i++) {
+ 		node_name = kasprintf(GFP_KERNEL, "%s:%d", label, i);
+@@ -135,9 +143,11 @@ int __init geode_create_leds(const char
+ 			goto err_free_names;
+ 		}
+ 
++		gpio_refs[i] = SOFTWARE_NODE_REFERENCE(&geode_gpiochip_node,
++						       leds[i].pin,
++						       GPIO_ACTIVE_LOW);
+ 		props[i * 3 + 0] =
+-			PROPERTY_ENTRY_GPIO("gpios", &geode_gpiochip_node,
+-					    leds[i].pin, GPIO_ACTIVE_LOW);
++			PROPERTY_ENTRY_REF_ARRAY_LEN("gpios", &gpio_refs[i], 1);
+ 		props[i * 3 + 1] =
+ 			PROPERTY_ENTRY_STRING("linux,default-trigger",
+ 					      leds[i].default_on ?
+@@ -171,6 +181,8 @@ err_unregister_group:
+ err_free_names:
+ 	while (--i >= 0)
+ 		kfree(swnodes[i].name);
++	kfree(gpio_refs);
++err_free_props:
+ 	kfree(props);
+ err_free_swnodes:
+ 	kfree(swnodes);