From: Greg Kroah-Hartman Date: Fri, 15 Aug 2025 17:08:16 +0000 (+0200) Subject: 6.15-stable patches X-Git-Tag: v6.12.43~72 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6891dcb02bb6a1f6846dcae9a599774f5e001b7f;p=thirdparty%2Fkernel%2Fstable-queue.git 6.15-stable patches added patches: documentation-acpi-fix-parent-device-references.patch eventpoll-fix-semi-unbounded-recursion.patch --- diff --git a/queue-6.15/documentation-acpi-fix-parent-device-references.patch b/queue-6.15/documentation-acpi-fix-parent-device-references.patch new file mode 100644 index 0000000000..c31c9976fc --- /dev/null +++ b/queue-6.15/documentation-acpi-fix-parent-device-references.patch @@ -0,0 +1,72 @@ +From e65cb011349e653ded541dddd6469c2ca813edcf Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Thu, 10 Jul 2025 20:00:23 +0300 +Subject: Documentation: ACPI: Fix parent device references + +From: Andy Shevchenko + +commit e65cb011349e653ded541dddd6469c2ca813edcf upstream. + +The _CRS resources in many cases want to have ResourceSource field +to be a type of ACPI String. This means that to compile properly +we need to enclosure the name path into double quotes. This will +in practice defer the interpretation to a run-time stage, However, +this may be interpreted differently on different OSes and ACPI +interpreter implementations. In particular ACPICA might not correctly +recognize the leading '^' (caret) character and will not resolve +the relative name path properly. On top of that, this piece may be +used in SSDTs which are loaded after the DSDT and on itself may also +not resolve relative name paths outside of their own scopes. +With this all said, fix documentation to use fully-qualified name +paths always to avoid any misinterpretations, which is proven to +work. + +Fixes: 8eb5c87a92c0 ("i2c: add ACPI support for I2C mux ports") +Reported-by: Yevhen Kondrashyn +Cc: All applicable +Signed-off-by: Andy Shevchenko +Link: https://patch.msgid.link/20250710170225.961303-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/firmware-guide/acpi/i2c-muxes.rst | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/Documentation/firmware-guide/acpi/i2c-muxes.rst ++++ b/Documentation/firmware-guide/acpi/i2c-muxes.rst +@@ -14,7 +14,7 @@ Consider this topology:: + | | | 0x70 |--CH01--> i2c client B (0x50) + +------+ +------+ + +-which corresponds to the following ASL:: ++which corresponds to the following ASL (in the scope of \_SB):: + + Device (SMB1) + { +@@ -24,7 +24,7 @@ which corresponds to the following ASL:: + Name (_HID, ...) + Name (_CRS, ResourceTemplate () { + I2cSerialBus (0x70, ControllerInitiated, I2C_SPEED, +- AddressingMode7Bit, "^SMB1", 0x00, ++ AddressingMode7Bit, "\\_SB.SMB1", 0x00, + ResourceConsumer,,) + } + +@@ -37,7 +37,7 @@ which corresponds to the following ASL:: + Name (_HID, ...) + Name (_CRS, ResourceTemplate () { + I2cSerialBus (0x50, ControllerInitiated, I2C_SPEED, +- AddressingMode7Bit, "^CH00", 0x00, ++ AddressingMode7Bit, "\\_SB.SMB1.CH00", 0x00, + ResourceConsumer,,) + } + } +@@ -52,7 +52,7 @@ which corresponds to the following ASL:: + Name (_HID, ...) + Name (_CRS, ResourceTemplate () { + I2cSerialBus (0x50, ControllerInitiated, I2C_SPEED, +- AddressingMode7Bit, "^CH01", 0x00, ++ AddressingMode7Bit, "\\_SB.SMB1.CH01", 0x00, + ResourceConsumer,,) + } + } diff --git a/queue-6.15/eventpoll-fix-semi-unbounded-recursion.patch b/queue-6.15/eventpoll-fix-semi-unbounded-recursion.patch new file mode 100644 index 0000000000..4babec0f37 --- /dev/null +++ b/queue-6.15/eventpoll-fix-semi-unbounded-recursion.patch @@ -0,0 +1,166 @@ +From f2e467a48287c868818085aa35389a224d226732 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Fri, 11 Jul 2025 18:33:36 +0200 +Subject: eventpoll: Fix semi-unbounded recursion + +From: Jann Horn + +commit f2e467a48287c868818085aa35389a224d226732 upstream. + +Ensure that epoll instances can never form a graph deeper than +EP_MAX_NESTS+1 links. + +Currently, ep_loop_check_proc() ensures that the graph is loop-free and +does some recursion depth checks, but those recursion depth checks don't +limit the depth of the resulting tree for two reasons: + + - They don't look upwards in the tree. + - If there are multiple downwards paths of different lengths, only one of + the paths is actually considered for the depth check since commit + 28d82dc1c4ed ("epoll: limit paths"). + +Essentially, the current recursion depth check in ep_loop_check_proc() just +serves to prevent it from recursing too deeply while checking for loops. + +A more thorough check is done in reverse_path_check() after the new graph +edge has already been created; this checks, among other things, that no +paths going upwards from any non-epoll file with a length of more than 5 +edges exist. However, this check does not apply to non-epoll files. + +As a result, it is possible to recurse to a depth of at least roughly 500, +tested on v6.15. (I am unsure if deeper recursion is possible; and this may +have changed with commit 8c44dac8add7 ("eventpoll: Fix priority inversion +problem").) + +To fix it: + +1. In ep_loop_check_proc(), note the subtree depth of each visited node, +and use subtree depths for the total depth calculation even when a subtree +has already been visited. +2. Add ep_get_upwards_depth_proc() for similarly determining the maximum +depth of an upwards walk. +3. In ep_loop_check(), use these values to limit the total path length +between epoll nodes to EP_MAX_NESTS edges. + +Fixes: 22bacca48a17 ("epoll: prevent creating circular epoll structures") +Cc: stable@vger.kernel.org +Signed-off-by: Jann Horn +Link: https://lore.kernel.org/20250711-epoll-recursion-fix-v1-1-fb2457c33292@google.com +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/eventpoll.c | 60 +++++++++++++++++++++++++++++++++++++++++++-------------- + 1 file changed, 46 insertions(+), 14 deletions(-) + +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -218,6 +218,7 @@ struct eventpoll { + /* used to optimize loop detection check */ + u64 gen; + struct hlist_head refs; ++ u8 loop_check_depth; + + /* + * usage count, used together with epitem->dying to +@@ -2140,23 +2141,24 @@ static int ep_poll(struct eventpoll *ep, + } + + /** +- * ep_loop_check_proc - verify that adding an epoll file inside another +- * epoll structure does not violate the constraints, in +- * terms of closed loops, or too deep chains (which can +- * result in excessive stack usage). ++ * ep_loop_check_proc - verify that adding an epoll file @ep inside another ++ * epoll file does not create closed loops, and ++ * determine the depth of the subtree starting at @ep + * + * @ep: the &struct eventpoll to be currently checked. + * @depth: Current depth of the path being checked. + * +- * Return: %zero if adding the epoll @file inside current epoll +- * structure @ep does not violate the constraints, or %-1 otherwise. ++ * Return: depth of the subtree, or INT_MAX if we found a loop or went too deep. + */ + static int ep_loop_check_proc(struct eventpoll *ep, int depth) + { +- int error = 0; ++ int result = 0; + struct rb_node *rbp; + struct epitem *epi; + ++ if (ep->gen == loop_check_gen) ++ return ep->loop_check_depth; ++ + mutex_lock_nested(&ep->mtx, depth + 1); + ep->gen = loop_check_gen; + for (rbp = rb_first_cached(&ep->rbr); rbp; rbp = rb_next(rbp)) { +@@ -2164,13 +2166,11 @@ static int ep_loop_check_proc(struct eve + if (unlikely(is_file_epoll(epi->ffd.file))) { + struct eventpoll *ep_tovisit; + ep_tovisit = epi->ffd.file->private_data; +- if (ep_tovisit->gen == loop_check_gen) +- continue; + if (ep_tovisit == inserting_into || depth > EP_MAX_NESTS) +- error = -1; ++ result = INT_MAX; + else +- error = ep_loop_check_proc(ep_tovisit, depth + 1); +- if (error != 0) ++ result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1); ++ if (result > EP_MAX_NESTS) + break; + } else { + /* +@@ -2184,9 +2184,27 @@ static int ep_loop_check_proc(struct eve + list_file(epi->ffd.file); + } + } ++ ep->loop_check_depth = result; + mutex_unlock(&ep->mtx); + +- return error; ++ return result; ++} ++ ++/** ++ * ep_get_upwards_depth_proc - determine depth of @ep when traversed upwards ++ */ ++static int ep_get_upwards_depth_proc(struct eventpoll *ep, int depth) ++{ ++ int result = 0; ++ struct epitem *epi; ++ ++ if (ep->gen == loop_check_gen) ++ return ep->loop_check_depth; ++ hlist_for_each_entry_rcu(epi, &ep->refs, fllink) ++ result = max(result, ep_get_upwards_depth_proc(epi->ep, depth + 1) + 1); ++ ep->gen = loop_check_gen; ++ ep->loop_check_depth = result; ++ return result; + } + + /** +@@ -2202,8 +2220,22 @@ static int ep_loop_check_proc(struct eve + */ + static int ep_loop_check(struct eventpoll *ep, struct eventpoll *to) + { ++ int depth, upwards_depth; ++ + inserting_into = ep; +- return ep_loop_check_proc(to, 0); ++ /* ++ * Check how deep down we can get from @to, and whether it is possible ++ * to loop up to @ep. ++ */ ++ depth = ep_loop_check_proc(to, 0); ++ if (depth > EP_MAX_NESTS) ++ return -1; ++ /* Check how far up we can go from @ep. */ ++ rcu_read_lock(); ++ upwards_depth = ep_get_upwards_depth_proc(ep, 0); ++ rcu_read_unlock(); ++ ++ return (depth+1+upwards_depth > EP_MAX_NESTS) ? -1 : 0; + } + + static void clear_tfile_check_list(void) diff --git a/queue-6.15/series b/queue-6.15/series index 1541569118..a0bd08f8c2 100644 --- a/queue-6.15/series +++ b/queue-6.15/series @@ -42,3 +42,5 @@ clk-samsung-gs101-fix-clk_dout_cmu_g3d_busd.patch clk-samsung-gs101-fix-alternate-mout_hsi0_usb20_ref-parent-clock.patch fscrypt-don-t-use-problematic-non-inline-crypto-engines.patch fs-prevent-file-descriptor-table-allocations-exceeding-int_max.patch +eventpoll-fix-semi-unbounded-recursion.patch +documentation-acpi-fix-parent-device-references.patch