From c20c69f67dd4e2a1da61298687dd28f0616e8ed0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 16 Oct 2025 10:49:56 +0200
Subject: [PATCH] 5.15-stable patches

added patches:
acpi-debug-fix-signedness-issues-in-read-write-helpers.patch
acpi-tad-add-missing-sysfs_remove_group-for-acpi_tad_rt.patch
arm-omap2-pm33xx-core-ix-device-node-reference-leaks-in-amx3_idle_init.patch
arm64-dts-qcom-msm8916-add-missing-mdss-reset.patch
arm64-kprobes-call-set_memory_rox-for-kprobe-page.patch
---
 ...nedness-issues-in-read-write-helpers.patch | 125 ++++++++++++++++++
 ...g-sysfs_remove_group-for-acpi_tad_rt.patch | 49 +++++++
 ...de-reference-leaks-in-amx3_idle_init.patch | 49 +++++++
 ...-qcom-msm8916-add-missing-mdss-reset.patch | 54 ++++++++
 ...-call-set_memory_rox-for-kprobe-page.patch | 51 +++++++
 queue-5.15/series | 5 +
 6 files changed, 333 insertions(+)
 create mode 100644 queue-5.15/acpi-debug-fix-signedness-issues-in-read-write-helpers.patch
 create mode 100644 queue-5.15/acpi-tad-add-missing-sysfs_remove_group-for-acpi_tad_rt.patch
 create mode 100644 queue-5.15/arm-omap2-pm33xx-core-ix-device-node-reference-leaks-in-amx3_idle_init.patch
 create mode 100644 queue-5.15/arm64-dts-qcom-msm8916-add-missing-mdss-reset.patch
 create mode 100644 queue-5.15/arm64-kprobes-call-set_memory_rox-for-kprobe-page.patch
diff --git a/queue-5.15/acpi-debug-fix-signedness-issues-in-read-write-helpers.patch b/queue-5.15/acpi-debug-fix-signedness-issues-in-read-write-helpers.patch
new file mode 100644
index 0000000000..bf9d1b45bc
--- /dev/null
+++ b/queue-5.15/acpi-debug-fix-signedness-issues-in-read-write-helpers.patch
@@ -0,0 +1,125 @@
+From 496f9372eae14775e0524e83e952814691fe850a Mon Sep 17 00:00:00 2001
+From: Amir Mohammad Jahangirzad
+Date: Tue, 23 Sep 2025 05:01:13 +0330
+Subject: ACPI: debug: fix signedness issues in read/write helpers
+
+From: Amir Mohammad Jahangirzad
+
+commit 496f9372eae14775e0524e83e952814691fe850a upstream.
+
+In the ACPI debugger interface, the helper functions for read and write
+operations use "int" as the length parameter data type. When a large
+"size_t count" is passed from the file operations, this cast to "int"
+results in truncation and a negative value due to signed integer
+representation.
+
+Logically, this negative number propagates to the min() calculation,
+where it is selected over the positive buffer space value, leading to
+unexpected behavior. Subsequently, when this negative value is used in
+copy_to_user() or copy_from_user(), it is interpreted as a large positive
+value due to the unsigned nature of the size parameter in these functions,
+causing the copy operations to attempt handling sizes far beyond the
+intended buffer limits.
+
+Address the issue by:
+ - Changing the length parameters in acpi_aml_read_user() and
+ acpi_aml_write_user() from "int" to "size_t", aligning with the
+ expected unsigned size semantics.
+ - Updating return types and local variables in acpi_aml_read() and
+ acpi_aml_write() to "ssize_t" for consistency with kernel file
+ operation conventions.
+ - Using "size_t" for the "n" variable to ensure calculations remain
+ unsigned.
+ - Using min_t() for circ_count_to_end() and circ_space_to_end() to
+ ensure type-safe comparisons and prevent integer overflow.
+
+Signed-off-by: Amir Mohammad Jahangirzad
+Link: https://patch.msgid.link/20250923013113.20615-1-a.jahangirzad@gmail.com
+[ rjw: Changelog tweaks, local variable definitions ordering adjustments ]
+Fixes: 8cfb0cdf07e2 ("ACPI / debugger: Add IO interface to access debugger functionalities")
+Cc: 4.5+ # 4.5+
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/acpi_dbg.c | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+--- a/drivers/acpi/acpi_dbg.c
++++ b/drivers/acpi/acpi_dbg.c
+@@ -569,11 +569,11 @@ static int acpi_aml_release(struct inode
+ return 0;
+ }
+
+-static int acpi_aml_read_user(char __user *buf, int len)
++static ssize_t acpi_aml_read_user(char __user *buf, size_t len)
+ {
+- int ret;
+ struct circ_buf *crc = &acpi_aml_io.out_crc;
+- int n;
++ ssize_t ret;
++ size_t n;
+ char *p;
+
+ ret = acpi_aml_lock_read(crc, ACPI_AML_OUT_USER);
+@@ -582,7 +582,7 @@ static int acpi_aml_read_user(char __use
+ /* sync head before removing logs */
+ smp_rmb();
+ p = &crc->buf[crc->tail];
+- n = min(len, circ_count_to_end(crc));
++ n = min_t(size_t, len, circ_count_to_end(crc));
+ if (copy_to_user(buf, p, n)) {
+ ret = -EFAULT;
+ goto out;
+@@ -599,8 +599,8 @@ out:
+ static ssize_t acpi_aml_read(struct file *file, char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- int ret = 0;
+- int size = 0;
++ ssize_t ret = 0;
++ ssize_t size = 0;
+
+ if (!count)
+ return 0;
+@@ -639,11 +639,11 @@ again:
+ return size > 0 ? size : ret;
+ }
+
+-static int acpi_aml_write_user(const char __user *buf, int len)
++static ssize_t acpi_aml_write_user(const char __user *buf, size_t len)
+ {
+- int ret;
+ struct circ_buf *crc = &acpi_aml_io.in_crc;
+- int n;
++ ssize_t ret;
++ size_t n;
+ char *p;
+
+ ret = acpi_aml_lock_write(crc, ACPI_AML_IN_USER);
+@@ -652,7 +652,7 @@ static int acpi_aml_write_user(const cha
+ /* sync tail before inserting cmds */
+ smp_mb();
+ p = &crc->buf[crc->head];
+- n = min(len, circ_space_to_end(crc));
++ n = min_t(size_t, len, circ_space_to_end(crc));
+ if (copy_from_user(p, buf, n)) {
+ ret = -EFAULT;
+ goto out;
+@@ -663,14 +663,14 @@ static int acpi_aml_write_user(const cha
+ ret = n;
+ out:
+ acpi_aml_unlock_fifo(ACPI_AML_IN_USER, ret >= 0);
+- return n;
++ return ret;
+ }
+
+ static ssize_t acpi_aml_write(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- int ret = 0;
+- int size = 0;
++ ssize_t ret = 0;
++ ssize_t size = 0;
+
+ if (!count)
+ return 0;
diff --git a/queue-5.15/acpi-tad-add-missing-sysfs_remove_group-for-acpi_tad_rt.patch b/queue-5.15/acpi-tad-add-missing-sysfs_remove_group-for-acpi_tad_rt.patch
new file mode 100644
index 0000000000..6a39376659
--- /dev/null
+++ b/queue-5.15/acpi-tad-add-missing-sysfs_remove_group-for-acpi_tad_rt.patch
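Review bot: In drivers/acpi/acpi_dbg.c, `min_t(size_t, len, circ_count_to_end(crc))` in acpi_aml_read_user() and `min_t(size_t, len, circ_space_to_end(crc))` in acpi_aml_write_user() cast the ring-buffer helper's result to size_t, so the length handed to copy_to_user()/copy_from_user() stays bounded only while that result is never negative. The removed `min(len, ...)` with `int len` suggests the helpers yield an int; I would record the invariant next to each call, e.g. `/* circ_count_to_end() is never negative here, so the size_t cast cannot wrap */`, after confirming it against the helper. The switch from `return n;` to `return ret;` in acpi_aml_write_user() also changes what is returned after a failed copy_from_user() and is not mentioned in the changelog. Both helper bodies are only partly visible in these hunks.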
@@ -0,0 +1,49 @@
+From 4aac453deca0d9c61df18d968f8864c3ae7d3d8d Mon Sep 17 00:00:00 2001
+From: Daniel Tang
+Date: Thu, 28 Aug 2025 01:38:14 -0400
+Subject: ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT
+
+From: Daniel Tang
+
+commit 4aac453deca0d9c61df18d968f8864c3ae7d3d8d upstream.
+
+Previously, after `rmmod acpi_tad`, `modprobe acpi_tad` would fail
+with this dmesg:
+
+sysfs: cannot create duplicate filename '/devices/platform/ACPI000E:00/time'
+Call Trace:
+
+ dump_stack_lvl+0x6c/0x90
+ dump_stack+0x10/0x20
+ sysfs_warn_dup+0x8b/0xa0
+ sysfs_add_file_mode_ns+0x122/0x130
+ internal_create_group+0x1dd/0x4c0
+ sysfs_create_group+0x13/0x20
+ acpi_tad_probe+0x147/0x1f0 [acpi_tad]
+ platform_probe+0x42/0xb0
+
+acpi-tad ACPI000E:00: probe with driver acpi-tad failed with error -17
+
+Fixes: 3230b2b3c1ab ("ACPI: TAD: Add low-level support for real time capability")
+Signed-off-by: Daniel Tang
+Reviewed-by: Mika Westerberg
+Link: https://patch.msgid.link/2881298.hMirdbgypa@daniel-desktop3
+Cc: 5.2+ # 5.2+
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/acpi_tad.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/acpi/acpi_tad.c
++++ b/drivers/acpi/acpi_tad.c
+@@ -563,6 +563,9 @@ static int acpi_tad_remove(struct platfo
+
+ pm_runtime_get_sync(dev);
+
++ if (dd->capabilities & ACPI_TAD_RT)
++ sysfs_remove_group(&dev->kobj, &acpi_tad_time_attr_group);
++
+ if (dd->capabilities & ACPI_TAD_DC_WAKE)
+ sysfs_remove_group(&dev->kobj, &acpi_tad_dc_attr_group);
+
diff --git a/queue-5.15/arm-omap2-pm33xx-core-ix-device-node-reference-leaks-in-amx3_idle_init.patch b/queue-5.15/arm-omap2-pm33xx-core-ix-device-node-reference-leaks-in-amx3_idle_init.patch
new file mode 100644
index 0000000000..df547ac94b
--- /dev/null
+++ b/queue-5.15/arm-omap2-pm33xx-core-ix-device-node-reference-leaks-in-amx3_idle_init.patch
@@ -0,0 +1,49 @@
+From 74139a64e8cedb6d971c78d5d17384efeced1725 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin
+Date: Tue, 2 Sep 2025 15:59:43 +0800
+Subject: ARM: OMAP2+: pm33xx-core: ix device node reference leaks in amx3_idle_init
+
+From: Miaoqian Lin
+
+commit 74139a64e8cedb6d971c78d5d17384efeced1725 upstream.
+
+Add missing of_node_put() calls to release
+device node references obtained via of_parse_phandle().
+
+Fixes: 06ee7a950b6a ("ARM: OMAP2+: pm33xx-core: Add cpuidle_ops for am335x/am437x")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20250902075943.2408832-1-linmq006@gmail.com
+Signed-off-by: Kevin Hilman
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/mach-omap2/pm33xx-core.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/mach-omap2/pm33xx-core.c
++++ b/arch/arm/mach-omap2/pm33xx-core.c
+@@ -393,12 +393,15 @@ static int __init amx3_idle_init(struct
+ if (!state_node)
+ break;
+
+- if (!of_device_is_available(state_node))
++ if (!of_device_is_available(state_node)) {
++ of_node_put(state_node);
+ continue;
++ }
+
+ if (i == CPUIDLE_STATE_MAX) {
+ pr_warn("%s: cpuidle states reached max possible\n",
+ __func__);
++ of_node_put(state_node);
+ break;
+ }
+
+@@ -408,6 +411,7 @@ static int __init amx3_idle_init(struct
+ states[state_count].wfi_flags |= WFI_FLAG_WAKE_M3 |
+ WFI_FLAG_FLUSH_CACHE;
+
++ of_node_put(state_node);
+ state_count++;
+ }
+
diff --git a/queue-5.15/arm64-dts-qcom-msm8916-add-missing-mdss-reset.patch b/queue-5.15/arm64-dts-qcom-msm8916-add-missing-mdss-reset.patch
new file mode 100644
index 0000000000..e6d72ba814
--- /dev/null
+++ b/queue-5.15/arm64-dts-qcom-msm8916-add-missing-mdss-reset.patch
@@ -0,0 +1,54 @@
+From 99b78773c2ae55dcc01025f94eae8ce9700ae985 Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold
+Date: Mon, 15 Sep 2025 15:28:30 +0200
+Subject: arm64: dts: qcom: msm8916: Add missing MDSS reset
+
+From: Stephan Gerhold
+
+commit 99b78773c2ae55dcc01025f94eae8ce9700ae985 upstream.
+
+On most MSM8916 devices (aside from the DragonBoard 410c), the bootloader
+already initializes the display to show the boot splash screen. In this
+situation, MDSS is already configured and left running when starting Linux.
+To avoid side effects from the bootloader configuration, the MDSS reset can
+be specified in the device tree to start again with a clean hardware state.
+
+The reset for MDSS is currently missing in msm8916.dtsi, which causes
+errors when the MDSS driver tries to re-initialize the registers:
+
+ dsi_err_worker: status=6
+ dsi_err_worker: status=6
+ dsi_err_worker: status=6
+ ...
+
+It turns out that we have always indirectly worked around this by building
+the MDSS driver as a module. Before v6.17, the power domain was temporarily
+turned off until the module was loaded, long enough to clear the register
+contents. In v6.17, power domains are not turned off during boot until
+sync_state() happens, so this is no longer working. Even before v6.17 this
+resulted in broken behavior, but notably only when the MDSS driver was
+built-in instead of a module.
+
+Cc: stable@vger.kernel.org
+Fixes: 305410ffd1b2 ("arm64: dts: msm8916: Add display support")
+Signed-off-by: Stephan Gerhold
+Reviewed-by: Dmitry Baryshkov
+Reviewed-by: Konrad Dybcio
+Link: https://lore.kernel.org/r/20250915-msm8916-resets-v1-1-a5c705df0c45@linaro.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/qcom/msm8916.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+@@ -957,6 +957,8 @@
+
+ interrupts = ;
+
++ resets = <&gcc GCC_MDSS_BCR>;
++
+ interrupt-controller;
+ #interrupt-cells = <1>;
+
diff --git a/queue-5.15/arm64-kprobes-call-set_memory_rox-for-kprobe-page.patch b/queue-5.15/arm64-kprobes-call-set_memory_rox-for-kprobe-page.patch
new file mode 100644
index 0000000000..162d09dd59
--- /dev/null
+++ b/queue-5.15/arm64-kprobes-call-set_memory_rox-for-kprobe-page.patch
@@ -0,0 +1,51 @@
+From 195a1b7d8388c0ec2969a39324feb8bebf9bb907 Mon Sep 17 00:00:00 2001
+From: Yang Shi
+Date: Thu, 18 Sep 2025 09:23:49 -0700
+Subject: arm64: kprobes: call set_memory_rox() for kprobe page
+
+From: Yang Shi
+
+commit 195a1b7d8388c0ec2969a39324feb8bebf9bb907 upstream.
+
+The kprobe page is allocated by execmem allocator with ROX permission.
+It needs to call set_memory_rox() to set proper permission for the
+direct map too. It was missed.
+
+Fixes: 10d5e97c1bf8 ("arm64: use PAGE_KERNEL_ROX directly in alloc_insn_page")
+Cc:
+Signed-off-by: Yang Shi
+Reviewed-by: Catalin Marinas
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kernel/probes/kprobes.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/arch/arm64/kernel/probes/kprobes.c
++++ b/arch/arm64/kernel/probes/kprobes.c
+@@ -10,6 +10,7 @@
+
+ #define pr_fmt(fmt) "kprobes: " fmt
+
++#include
+ #include
+ #include
+ #include
+@@ -41,6 +42,17 @@ DEFINE_PER_CPU(struct kprobe_ctlblk, kpr
+ static void __kprobes
+ post_kprobe_handler(struct kprobe *, struct kprobe_ctlblk *, struct pt_regs *);
+
++void *alloc_insn_page(void)
++{
++ void *addr;
++
++ addr = execmem_alloc(EXECMEM_KPROBES, PAGE_SIZE);
++ if (!addr)
++ return NULL;
++ set_memory_rox((unsigned long)addr, 1);
++ return addr;
++}
++
+ static void __kprobes arch_prepare_ss_slot(struct kprobe *p)
+ {
+ kprobe_opcode_t *addr = p->ainsn.api.insn;
diff --git a/queue-5.15/series b/queue-5.15/series
index badb1c3363..01a9dc9e9a 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
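Review bot: The new alloc_insn_page() in arch/arm64/kernel/probes/kprobes.c ignores the return value of `set_memory_rox((unsigned long)addr, 1)`, so if the permission change fails the page is still handed to kprobes without the direct-map permissions the changelog says are needed. Checking the result and failing the allocation would close that gap, e.g. `if (set_memory_rox((unsigned long)addr, 1)) { execmem_free(addr); return NULL; }`. Separately, for this 5.15 queue it is worth confirming that `execmem_alloc()`, `EXECMEM_KPROBES` and `set_memory_rox()` exist in the 5.15 tree and that kprobes.c does not already define alloc_insn_page(). As far as I know the execmem allocator is newer than 5.15, in which case this backport would not build as queued.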
@@ -163,3 +163,8 @@ tpm_tis-fix-incorrect-arguments-in-tpm_tis_probe_irq.patch
 gpio-wcd934x-remove-duplicate-assignment-of-of_gpio_.patch
 gpio-wcd934x-mark-the-gpio-controller-as-sleeping.patch
 bpf-avoid-rcu-context-warning-when-unpinning-htab-wi.patch
+acpi-tad-add-missing-sysfs_remove_group-for-acpi_tad_rt.patch
+acpi-debug-fix-signedness-issues-in-read-write-helpers.patch
+arm64-dts-qcom-msm8916-add-missing-mdss-reset.patch
+arm64-kprobes-call-set_memory_rox-for-kprobe-page.patch
+arm-omap2-pm33xx-core-ix-device-node-reference-leaks-in-amx3_idle_init.patch
--
2.47.3