From: Greg Kroah-Hartman Date: Mon, 21 Jul 2025 14:09:09 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.1.147~49 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e60fd711ade4f6b2a4e8a23ac5cbfbd5759aa55f;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: clone_private_mnt-make-sure-that-caller-has-cap_sys_admin-in-the-right-userns.patch hid-mcp2221-set-driver-data-before-i2c-adapter-add.patch sched-change-nr_uninterruptible-type-to-unsigned-long.patch --- diff --git a/queue-6.1/clone_private_mnt-make-sure-that-caller-has-cap_sys_admin-in-the-right-userns.patch b/queue-6.1/clone_private_mnt-make-sure-that-caller-has-cap_sys_admin-in-the-right-userns.patch new file mode 100644 index 0000000000..6967bbef97 --- /dev/null +++ b/queue-6.1/clone_private_mnt-make-sure-that-caller-has-cap_sys_admin-in-the-right-userns.patch 
@@ -0,0 +1,48 @@ +From c28f922c9dcee0e4876a2c095939d77fe7e15116 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 1 Jun 2025 20:11:06 -0400 +Subject: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns + +From: Al Viro + +commit c28f922c9dcee0e4876a2c095939d77fe7e15116 upstream. + +What we want is to verify there is that clone won't expose something +hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo" +may be a result of MNT_LOCKED on a child, but it may also come from +lacking admin rights in the userns of the namespace mount belongs to. + +clone_private_mnt() checks the former, but not the latter. + +There's a number of rather confusing CAP_SYS_ADMIN checks in various +userns during the mount, especially with the new mount API; they serve +different purposes and in case of clone_private_mnt() they usually, +but not always end up covering the missing check mentioned above. + +Reviewed-by: Christian Brauner +Reported-by: "Orlando, Noah" +Fixes: 427215d85e8d ("ovl: prevent private clone if bind mount is not allowed") +Signed-off-by: Al Viro +[ merge conflict resolution: clone_private_mount() was reworked in + db04662e2f4f ("fs: allow detached mounts in clone_private_mount()"). + Tweak the relevant ns_capable check so that it works on older kernels ] +Signed-off-by: Noah Orlando +Signed-off-by: Greg Kroah-Hartman +--- + fs/namespace.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2018,6 +2018,11 @@ struct vfsmount *clone_private_mount(con + if (!check_mnt(old_mnt)) + goto invalid; + ++ if (!ns_capable(old_mnt->mnt_ns->user_ns, CAP_SYS_ADMIN)) { ++ up_read(&namespace_sem); ++ return ERR_PTR(-EPERM); ++ } ++ + if (has_locked_children(old_mnt, path->dentry)) + goto invalid; + 
diff --git a/queue-6.1/hid-mcp2221-set-driver-data-before-i2c-adapter-add.patch b/queue-6.1/hid-mcp2221-set-driver-data-before-i2c-adapter-add.patch new file mode 100644 index 0000000000..be3648df1c --- /dev/null +++ b/queue-6.1/hid-mcp2221-set-driver-data-before-i2c-adapter-add.patch @@ -0,0 +1,43 @@ +From f2d4a5834638bbc967371b9168c0b481519f7c5e Mon Sep 17 00:00:00 2001 +From: Hamish Martin +Date: Wed, 25 Oct 2023 16:55:10 +1300 +Subject: HID: mcp2221: Set driver data before I2C adapter add + +From: Hamish Martin + +commit f2d4a5834638bbc967371b9168c0b481519f7c5e upstream. + +The process of adding an I2C adapter can invoke I2C accesses on that new +adapter (see i2c_detect()). + +Ensure we have set the adapter's driver data to avoid null pointer +dereferences in the xfer functions during the adapter add. + +This has been noted in the past and the same fix proposed but not +completed. See: +https://lore.kernel.org/lkml/ef597e73-ed71-168e-52af-0d19b03734ac@vigem.de/ + +Signed-off-by: Hamish Martin +Signed-off-by: Jiri Kosina +Signed-off-by: Sumanth Gavini +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-mcp2221.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/hid-mcp2221.c ++++ b/drivers/hid/hid-mcp2221.c +@@ -879,12 +879,12 @@ static int mcp2221_probe(struct hid_devi + snprintf(mcp->adapter.name, sizeof(mcp->adapter.name), + "MCP2221 usb-i2c bridge"); + ++ i2c_set_adapdata(&mcp->adapter, mcp); + ret = i2c_add_adapter(&mcp->adapter); + if (ret) { + hid_err(hdev, "can't add usb-i2c adapter: %d\n", ret); + goto err_i2c; + } +- i2c_set_adapdata(&mcp->adapter, mcp); + + /* Setup GPIO chip */ + mcp->gc = devm_kzalloc(&hdev->dev, sizeof(*mcp->gc), GFP_KERNEL); diff --git a/queue-6.1/sched-change-nr_uninterruptible-type-to-unsigned-long.patch b/queue-6.1/sched-change-nr_uninterruptible-type-to-unsigned-long.patch new file mode 100644 index 0000000000..0255662a2c --- /dev/null 
+++ b/queue-6.1/sched-change-nr_uninterruptible-type-to-unsigned-long.patch 
@@ -0,0 +1,54 @@ +From 36569780b0d64de283f9d6c2195fd1a43e221ee8 Mon Sep 17 00:00:00 2001 +From: Aruna Ramakrishna +Date: Wed, 9 Jul 2025 17:33:28 +0000 +Subject: sched: Change nr_uninterruptible type to unsigned long + +From: Aruna Ramakrishna + +commit 36569780b0d64de283f9d6c2195fd1a43e221ee8 upstream. + +The commit e6fe3f422be1 ("sched: Make multiple runqueue task counters +32-bit") changed nr_uninterruptible to an unsigned int. But the +nr_uninterruptible values for each of the CPU runqueues can grow to +large numbers, sometimes exceeding INT_MAX. This is valid, if, over +time, a large number of tasks are migrated off of one CPU after going +into an uninterruptible state. Only the sum of all nr_interruptible +values across all CPUs yields the correct result, as explained in a +comment in kernel/sched/loadavg.c. + +Change the type of nr_uninterruptible back to unsigned long to prevent +overflows, and thus the miscalculation of load average. + +Fixes: e6fe3f422be1 ("sched: Make multiple runqueue task counters 32-bit") + +Signed-off-by: Aruna Ramakrishna +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20250709173328.606794-1-aruna.ramakrishna@oracle.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/loadavg.c | 2 +- + kernel/sched/sched.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/sched/loadavg.c ++++ b/kernel/sched/loadavg.c +@@ -80,7 +80,7 @@ long calc_load_fold_active(struct rq *th + long nr_active, delta = 0; + + nr_active = this_rq->nr_running - adjust; +- nr_active += (int)this_rq->nr_uninterruptible; ++ nr_active += (long)this_rq->nr_uninterruptible; + + if (nr_active != this_rq->calc_load_active) { + delta = nr_active - this_rq->calc_load_active; +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -1003,7 +1003,7 @@ struct rq { + * one CPU and if it got migrated afterwards it may decrease + * it on another CPU. 
Always updated under the runqueue lock: + */ +- unsigned int nr_uninterruptible; ++ unsigned long nr_uninterruptible; + + struct task_struct __rcu *curr; + struct task_struct *idle; diff --git a/queue-6.1/series b/queue-6.1/series index a36e3fabca..5b628d1b69 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -64,3 +64,5 @@ net-bridge-do-not-offload-igmp-mld-messages.patch net-sched-return-null-when-htb_lookup_leaf-encounter.patch revert-cgroup_freezer-cgroup_freezing-check-if-not-f.patch sched-change-nr_uninterruptible-type-to-unsigned-long.patch +hid-mcp2221-set-driver-data-before-i2c-adapter-add.patch +clone_private_mnt-make-sure-that-caller-has-cap_sys_admin-in-the-right-userns.patch
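Review bot: In the fs/namespace.c hunk, the new ns_capable() failure path open-codes `up_read(&namespace_sem); return ERR_PTR(-EPERM);` while the checks directly before and after it leave through `goto invalid`. A hand-written unlock-and-return in the middle of the function is easy to miss when the locking or cleanup changes later; a dedicated error label would keep the exit paths of clone_private_mount() uniform. A one-line comment stating that the capability is tested against old_mnt->mnt_ns->user_ns, the userns of the namespace the mount belongs to, would also help, since the commit message itself describes the surrounding CAP_SYS_ADMIN checks as confusing.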
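Review bot: In the drivers/hid/hid-mcp2221.c hunk, nothing in mcp2221_probe() records that i2c_set_adapdata() has to come before i2c_add_adapter(); the reason exists only in the commit message (adding the adapter can invoke I2C accesses, and the xfer functions use the adapter's driver data). Add a short comment above the moved `i2c_set_adapdata(&mcp->adapter, mcp);` line so a later cleanup does not move it back below the error check.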
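Review bot: In the kernel/sched/loadavg.c hunk, `nr_active += (long)this_rq->nr_uninterruptible;` relies on the unsigned-to-signed conversion to give the right per-CPU contribution when the counter has been decreased on a CPU other than the one that increased it, and nothing next to the cast says so. A comment at the cast pointing to the explanation the commit message refers to in this file would make the intent clear. On 32-bit builds long is no wider than the int it replaces, so the larger range only exists on 64-bit; the commit message could state that.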
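Review bot: In the kernel/sched/sched.h hunk, widening nr_uninterruptible to unsigned long only helps if every reader keeps the full width, and this patch adjusts just the one cast in calc_load_fold_active(). Please confirm that no other user in the 6.1 tree copies the field into an int or unsigned int, or prints it with a 32-bit format specifier, since those sites would still truncate.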