--- /dev/null
+From 496f9372eae14775e0524e83e952814691fe850a Mon Sep 17 00:00:00 2001
+From: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
+Date: Tue, 23 Sep 2025 05:01:13 +0330
+Subject: ACPI: debug: fix signedness issues in read/write helpers
+
+From: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
+
+commit 496f9372eae14775e0524e83e952814691fe850a upstream.
+
+In the ACPI debugger interface, the helper functions for read and write
+operations use "int" as the length parameter data type. When a large
+"size_t count" is passed from the file operations, this cast to "int"
+results in truncation and a negative value due to signed integer
+representation.
+
+Logically, this negative number propagates to the min() calculation,
+where it is selected over the positive buffer space value, leading to
+unexpected behavior. Subsequently, when this negative value is used in
+copy_to_user() or copy_from_user(), it is interpreted as a large positive
+value due to the unsigned nature of the size parameter in these functions,
+causing the copy operations to attempt handling sizes far beyond the
+intended buffer limits.
+
+Address the issue by:
+ - Changing the length parameters in acpi_aml_read_user() and
+ acpi_aml_write_user() from "int" to "size_t", aligning with the
+ expected unsigned size semantics.
+ - Updating return types and local variables in acpi_aml_read() and
+ acpi_aml_write() to "ssize_t" for consistency with kernel file
+ operation conventions.
+ - Using "size_t" for the "n" variable to ensure calculations remain
+ unsigned.
+ - Using min_t() for circ_count_to_end() and circ_space_to_end() to
+ ensure type-safe comparisons and prevent integer overflow.
+
+Signed-off-by: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
+Link: https://patch.msgid.link/20250923013113.20615-1-a.jahangirzad@gmail.com
+[ rjw: Changelog tweaks, local variable definitions ordering adjustments ]
+Fixes: 8cfb0cdf07e2 ("ACPI / debugger: Add IO interface to access debugger functionalities")
+Cc: 4.5+ <stable@vger.kernel.org> # 4.5+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpi_dbg.c | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+--- a/drivers/acpi/acpi_dbg.c
++++ b/drivers/acpi/acpi_dbg.c
+@@ -569,11 +569,11 @@ static int acpi_aml_release(struct inode
+ return 0;
+ }
+
+-static int acpi_aml_read_user(char __user *buf, int len)
++static ssize_t acpi_aml_read_user(char __user *buf, size_t len)
+ {
+- int ret;
+ struct circ_buf *crc = &acpi_aml_io.out_crc;
+- int n;
++ ssize_t ret;
++ size_t n;
+ char *p;
+
+ ret = acpi_aml_lock_read(crc, ACPI_AML_OUT_USER);
+@@ -582,7 +582,7 @@ static int acpi_aml_read_user(char __use
+ /* sync head before removing logs */
+ smp_rmb();
+ p = &crc->buf[crc->tail];
+- n = min(len, circ_count_to_end(crc));
++ n = min_t(size_t, len, circ_count_to_end(crc));
+ if (copy_to_user(buf, p, n)) {
+ ret = -EFAULT;
+ goto out;
+@@ -599,8 +599,8 @@ out:
+ static ssize_t acpi_aml_read(struct file *file, char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- int ret = 0;
+- int size = 0;
++ ssize_t ret = 0;
++ ssize_t size = 0;
+
+ if (!count)
+ return 0;
+@@ -639,11 +639,11 @@ again:
+ return size > 0 ? size : ret;
+ }
+
+-static int acpi_aml_write_user(const char __user *buf, int len)
++static ssize_t acpi_aml_write_user(const char __user *buf, size_t len)
+ {
+- int ret;
+ struct circ_buf *crc = &acpi_aml_io.in_crc;
+- int n;
++ ssize_t ret;
++ size_t n;
+ char *p;
+
+ ret = acpi_aml_lock_write(crc, ACPI_AML_IN_USER);
+@@ -652,7 +652,7 @@ static int acpi_aml_write_user(const cha
+ /* sync tail before inserting cmds */
+ smp_mb();
+ p = &crc->buf[crc->head];
+- n = min(len, circ_space_to_end(crc));
++ n = min_t(size_t, len, circ_space_to_end(crc));
+ if (copy_from_user(p, buf, n)) {
+ ret = -EFAULT;
+ goto out;
+@@ -663,14 +663,14 @@ static int acpi_aml_write_user(const cha
+ ret = n;
+ out:
+ acpi_aml_unlock_fifo(ACPI_AML_IN_USER, ret >= 0);
+- return n;
++ return ret;
+ }
+
+ static ssize_t acpi_aml_write(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- int ret = 0;
+- int size = 0;
++ ssize_t ret = 0;
++ ssize_t size = 0;
+
+ if (!count)
+ return 0;
--- /dev/null
+From 4aac453deca0d9c61df18d968f8864c3ae7d3d8d Mon Sep 17 00:00:00 2001
+From: Daniel Tang <danielzgtg.opensource@gmail.com>
+Date: Thu, 28 Aug 2025 01:38:14 -0400
+Subject: ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT
+
+From: Daniel Tang <danielzgtg.opensource@gmail.com>
+
+commit 4aac453deca0d9c61df18d968f8864c3ae7d3d8d upstream.
+
+Previously, after `rmmod acpi_tad`, `modprobe acpi_tad` would fail
+with this dmesg:
+
+sysfs: cannot create duplicate filename '/devices/platform/ACPI000E:00/time'
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x6c/0x90
+ dump_stack+0x10/0x20
+ sysfs_warn_dup+0x8b/0xa0
+ sysfs_add_file_mode_ns+0x122/0x130
+ internal_create_group+0x1dd/0x4c0
+ sysfs_create_group+0x13/0x20
+ acpi_tad_probe+0x147/0x1f0 [acpi_tad]
+ platform_probe+0x42/0xb0
+ </TASK>
+acpi-tad ACPI000E:00: probe with driver acpi-tad failed with error -17
+
+Fixes: 3230b2b3c1ab ("ACPI: TAD: Add low-level support for real time capability")
+Signed-off-by: Daniel Tang <danielzgtg.opensource@gmail.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Link: https://patch.msgid.link/2881298.hMirdbgypa@daniel-desktop3
+Cc: 5.2+ <stable@vger.kernel.org> # 5.2+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpi_tad.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/acpi/acpi_tad.c
++++ b/drivers/acpi/acpi_tad.c
+@@ -563,6 +563,9 @@ static int acpi_tad_remove(struct platfo
+
+ pm_runtime_get_sync(dev);
+
++ if (dd->capabilities & ACPI_TAD_RT)
++ sysfs_remove_group(&dev->kobj, &acpi_tad_time_attr_group);
++
+ if (dd->capabilities & ACPI_TAD_DC_WAKE)
+ sysfs_remove_group(&dev->kobj, &acpi_tad_dc_attr_group);
+
--- /dev/null
+From 74139a64e8cedb6d971c78d5d17384efeced1725 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Tue, 2 Sep 2025 15:59:43 +0800
+Subject: ARM: OMAP2+: pm33xx-core: ix device node reference leaks in amx3_idle_init
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 74139a64e8cedb6d971c78d5d17384efeced1725 upstream.
+
+Add missing of_node_put() calls to release
+device node references obtained via of_parse_phandle().
+
+Fixes: 06ee7a950b6a ("ARM: OMAP2+: pm33xx-core: Add cpuidle_ops for am335x/am437x")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20250902075943.2408832-1-linmq006@gmail.com
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap2/pm33xx-core.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/mach-omap2/pm33xx-core.c
++++ b/arch/arm/mach-omap2/pm33xx-core.c
+@@ -393,12 +393,15 @@ static int __init amx3_idle_init(struct
+ if (!state_node)
+ break;
+
+- if (!of_device_is_available(state_node))
++ if (!of_device_is_available(state_node)) {
++ of_node_put(state_node);
+ continue;
++ }
+
+ if (i == CPUIDLE_STATE_MAX) {
+ pr_warn("%s: cpuidle states reached max possible\n",
+ __func__);
++ of_node_put(state_node);
+ break;
+ }
+
+@@ -408,6 +411,7 @@ static int __init amx3_idle_init(struct
+ states[state_count].wfi_flags |= WFI_FLAG_WAKE_M3 |
+ WFI_FLAG_FLUSH_CACHE;
+
++ of_node_put(state_node);
+ state_count++;
+ }
+
--- /dev/null
+From 99b78773c2ae55dcc01025f94eae8ce9700ae985 Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+Date: Mon, 15 Sep 2025 15:28:30 +0200
+Subject: arm64: dts: qcom: msm8916: Add missing MDSS reset
+
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+
+commit 99b78773c2ae55dcc01025f94eae8ce9700ae985 upstream.
+
+On most MSM8916 devices (aside from the DragonBoard 410c), the bootloader
+already initializes the display to show the boot splash screen. In this
+situation, MDSS is already configured and left running when starting Linux.
+To avoid side effects from the bootloader configuration, the MDSS reset can
+be specified in the device tree to start again with a clean hardware state.
+
+The reset for MDSS is currently missing in msm8916.dtsi, which causes
+errors when the MDSS driver tries to re-initialize the registers:
+
+ dsi_err_worker: status=6
+ dsi_err_worker: status=6
+ dsi_err_worker: status=6
+ ...
+
+It turns out that we have always indirectly worked around this by building
+the MDSS driver as a module. Before v6.17, the power domain was temporarily
+turned off until the module was loaded, long enough to clear the register
+contents. In v6.17, power domains are not turned off during boot until
+sync_state() happens, so this is no longer working. Even before v6.17 this
+resulted in broken behavior, but notably only when the MDSS driver was
+built-in instead of a module.
+
+Cc: stable@vger.kernel.org
+Fixes: 305410ffd1b2 ("arm64: dts: msm8916: Add display support")
+Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250915-msm8916-resets-v1-1-a5c705df0c45@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/qcom/msm8916.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+@@ -957,6 +957,8 @@
+
+ interrupts = <GIC_SPI 72 IRQ_TYPE_LEVEL_HIGH>;
+
++ resets = <&gcc GCC_MDSS_BCR>;
++
+ interrupt-controller;
+ #interrupt-cells = <1>;
+
--- /dev/null
+From 195a1b7d8388c0ec2969a39324feb8bebf9bb907 Mon Sep 17 00:00:00 2001
+From: Yang Shi <yang@os.amperecomputing.com>
+Date: Thu, 18 Sep 2025 09:23:49 -0700
+Subject: arm64: kprobes: call set_memory_rox() for kprobe page
+
+From: Yang Shi <yang@os.amperecomputing.com>
+
+commit 195a1b7d8388c0ec2969a39324feb8bebf9bb907 upstream.
+
+The kprobe page is allocated by execmem allocator with ROX permission.
+It needs to call set_memory_rox() to set proper permission for the
+direct map too. It was missed.
+
+Fixes: 10d5e97c1bf8 ("arm64: use PAGE_KERNEL_ROX directly in alloc_insn_page")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Yang Shi <yang@os.amperecomputing.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/probes/kprobes.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/arch/arm64/kernel/probes/kprobes.c
++++ b/arch/arm64/kernel/probes/kprobes.c
+@@ -10,6 +10,7 @@
+
+ #define pr_fmt(fmt) "kprobes: " fmt
+
++#include <linux/execmem.h>
+ #include <linux/extable.h>
+ #include <linux/kasan.h>
+ #include <linux/kernel.h>
+@@ -41,6 +42,17 @@ DEFINE_PER_CPU(struct kprobe_ctlblk, kpr
+ static void __kprobes
+ post_kprobe_handler(struct kprobe *, struct kprobe_ctlblk *, struct pt_regs *);
+
++void *alloc_insn_page(void)
++{
++ void *addr;
++
++ addr = execmem_alloc(EXECMEM_KPROBES, PAGE_SIZE);
++ if (!addr)
++ return NULL;
++ set_memory_rox((unsigned long)addr, 1);
++ return addr;
++}
++
+ static void __kprobes arch_prepare_ss_slot(struct kprobe *p)
+ {
+ kprobe_opcode_t *addr = p->ainsn.api.insn;
gpio-wcd934x-remove-duplicate-assignment-of-of_gpio_.patch
gpio-wcd934x-mark-the-gpio-controller-as-sleeping.patch
bpf-avoid-rcu-context-warning-when-unpinning-htab-wi.patch
+acpi-tad-add-missing-sysfs_remove_group-for-acpi_tad_rt.patch
+acpi-debug-fix-signedness-issues-in-read-write-helpers.patch
+arm64-dts-qcom-msm8916-add-missing-mdss-reset.patch
+arm64-kprobes-call-set_memory_rox-for-kprobe-page.patch
+arm-omap2-pm33xx-core-ix-device-node-reference-leaks-in-amx3_idle_init.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
