From 0907dc64be3d4b974b598b25bebfb268dd5bdc08 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Fri, 17 Oct 2025 09:07:27 +0200 Subject: [PATCH] 6.17-stable patches added patches: acpi-property-add-code-comments-explaining-what-is-going-on.patch acpi-property-disregard-references-in-data-only-subnode-lists.patch acpi-property-do-not-pass-null-handles-to-acpi_attach_data.patch arm64-dts-qcom-qcs615-add-missing-dt-property-in-qup-ses.patch ext4-free-orphan-info-with-kvfree.patch ipmi-fix-handling-of-messages-with-provided-receive-message-pointer.patch media-mc-clear-minor-number-before-put-device.patch mm-ksm-fix-incorrect-ksm-counter-handling-in-mm_struct-during-fork.patch squashfs-add-additional-inode-sanity-checking.patch squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch --- ...comments-explaining-what-is-going-on.patch | 115 +++++++++++++++ ...eferences-in-data-only-subnode-lists.patch | 138 ++++++++++++++++++ ...ass-null-handles-to-acpi_attach_data.patch | 77 ++++++++++ ...5-add-missing-dt-property-in-qup-ses.patch | 77 ++++++++++ .../ext4-free-orphan-info-with-kvfree.patch | 43 ++++++ ...ith-provided-receive-message-pointer.patch | 47 ++++++ ...clear-minor-number-before-put-device.patch | 51 +++++++ ...er-handling-in-mm_struct-during-fork.patch | 104 +++++++++++++ queue-6.17/series | 10 ++ ...add-additional-inode-sanity-checking.patch | 90 ++++++++++++ ...ve-file-sizes-in-squashfs_read_inode.patch | 48 ++++++ 11 files changed, 800 insertions(+) create mode 100644 queue-6.17/acpi-property-add-code-comments-explaining-what-is-going-on.patch create mode 100644 queue-6.17/acpi-property-disregard-references-in-data-only-subnode-lists.patch create mode 100644 queue-6.17/acpi-property-do-not-pass-null-handles-to-acpi_attach_data.patch create mode 100644 queue-6.17/arm64-dts-qcom-qcs615-add-missing-dt-property-in-qup-ses.patch create mode 100644 queue-6.17/ext4-free-orphan-info-with-kvfree.patch create mode 100644 queue-6.17/ipmi-fix-handling-of-messages-with-provided-receive-message-pointer.patch create mode 100644 
queue-6.17/media-mc-clear-minor-number-before-put-device.patch
create mode 100644 queue-6.17/mm-ksm-fix-incorrect-ksm-counter-handling-in-mm_struct-during-fork.patch
create mode 100644 queue-6.17/squashfs-add-additional-inode-sanity-checking.patch
create mode 100644 queue-6.17/squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch
diff --git a/queue-6.17/acpi-property-add-code-comments-explaining-what-is-going-on.patch b/queue-6.17/acpi-property-add-code-comments-explaining-what-is-going-on.patch
new file mode 100644
index 0000000000..0c9c99ea37
--- /dev/null
+++ b/queue-6.17/acpi-property-add-code-comments-explaining-what-is-going-on.patch
@@ -0,0 +1,115 @@ +From stable+bounces-186176-greg=kroah.com@vger.kernel.org Thu Oct 16 18:08:44 2025 +From: Sasha Levin +Date: Thu, 16 Oct 2025 12:04:42 -0400 +Subject: ACPI: property: Add code comments explaining what is going on +To: stable@vger.kernel.org +Cc: "Rafael J. Wysocki" , Sakari Ailus , Sasha Levin +Message-ID: <20251016160443.3328083-3-sashal@kernel.org> + +From: "Rafael J. Wysocki" + +[ Upstream commit 737c3a09dcf69ba2814f3674947ccaec1861c985 ] + +In some places in the ACPI device properties handling code, it is +unclear why the code is what it is. Some assumptions are not documented +and some pieces of code are based on knowledge that is not mentioned +anywhere. + +Add code comments explaining these things. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Sakari Ailus +Tested-by: Sakari Ailus +Stable-dep-of: baf60d5cb8bc ("ACPI: property: Do not pass NULL handles to acpi_attach_data()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/property.c | 46 ++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 44 insertions(+), 2 deletions(-) + +--- a/drivers/acpi/property.c ++++ b/drivers/acpi/property.c +@@ -108,7 +108,18 @@ static bool acpi_nondev_subnode_extract( + if (handle) + acpi_get_parent(handle, &scope); + ++ /* ++ * Extract properties from the _DSD-equivalent package pointed to by ++ * desc and use scope (if not NULL) for the completion of relative ++ * pathname segments. ++ * ++ * The extracted properties will be held in the new data node dn. ++ */ + result = acpi_extract_properties(scope, desc, &dn->data); ++ /* ++ * Look for subnodes in the _DSD-equivalent package pointed to by desc ++ * and create child nodes of dn if there are any. 
++ */ + if (acpi_enumerate_nondev_subnodes(scope, desc, &dn->data, &dn->fwnode)) + result = true; + +@@ -133,6 +144,12 @@ static bool acpi_nondev_subnode_ok(acpi_ + acpi_handle handle; + acpi_status status; + ++ /* ++ * If the scope is unknown, the _DSD-equivalent package being parsed ++ * was embedded in an outer _DSD-equivalent package as a result of ++ * direct evaluation of an object pointed to by a reference. In that ++ * case, using a pathname as the target object pointer is invalid. ++ */ + if (!scope) + return false; + +@@ -162,6 +179,10 @@ static bool acpi_add_nondev_subnodes(acp + bool ret = false; + int i; + ++ /* ++ * Every element in the links package is expected to represent a link ++ * to a non-device node in a tree containing device-specific data. ++ */ + for (i = 0; i < links->package.count; i++) { + union acpi_object *link, *desc; + bool result; +@@ -171,17 +192,38 @@ static bool acpi_add_nondev_subnodes(acp + if (link->package.count != 2) + continue; + +- /* The first one must be a string. */ ++ /* The first one (the key) must be a string. */ + if (link->package.elements[0].type != ACPI_TYPE_STRING) + continue; + +- /* The second one may be a string or a package. */ ++ /* The second one (the target) may be a string or a package. */ + switch (link->package.elements[1].type) { + case ACPI_TYPE_STRING: ++ /* ++ * The string is expected to be a full pathname or a ++ * pathname segment relative to the given scope. That ++ * pathname is expected to point to an object returning ++ * a package that contains _DSD-equivalent information. ++ */ + result = acpi_nondev_subnode_ok(scope, link, list, + parent); + break; + case ACPI_TYPE_PACKAGE: ++ /* ++ * This happens when a reference is used in AML to ++ * point to the target. Since the target is expected ++ * to be a named object, a reference to it will cause it ++ * to be avaluated in place and its return package will ++ * be embedded in the links package at the location of ++ * the reference. 
++ * ++ * The target package is expected to contain _DSD- ++ * equivalent information, but the scope in which it ++ * is located in the original AML is unknown. Thus ++ * it cannot contain pathname segments represented as ++ * strings because there is no way to build full ++ * pathnames out of them. ++ */ + desc = &link->package.elements[1]; + result = acpi_nondev_subnode_extract(desc, NULL, link, + list, parent); diff --git a/queue-6.17/acpi-property-disregard-references-in-data-only-subnode-lists.patch b/queue-6.17/acpi-property-disregard-references-in-data-only-subnode-lists.patch new file mode 100644 index 0000000000..99b88638ce --- /dev/null +++ b/queue-6.17/acpi-property-disregard-references-in-data-only-subnode-lists.patch 
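Review bot: The comment added in the ACPI_TYPE_PACKAGE case of acpi_add_nondev_subnodes misspells "evaluated" ("to be avaluated in place"); the line should read `* to be evaluated in place and its return package will`. Since this file is a backport of an upstream commit, the fix belongs upstream first, with the stable copy kept identical to it. acpi_add_nondev_subnodes starts before and ends after the hunk.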
@@ -0,0 +1,138 @@ +From stable+bounces-186175-greg=kroah.com@vger.kernel.org Thu Oct 16 18:08:08 2025 +From: Sasha Levin +Date: Thu, 16 Oct 2025 12:04:41 -0400 +Subject: ACPI: property: Disregard references in data-only subnode lists +To: stable@vger.kernel.org +Cc: "Rafael J. Wysocki" , Sakari Ailus , Sasha Levin +Message-ID: <20251016160443.3328083-2-sashal@kernel.org> + +From: "Rafael J. Wysocki" + +[ Upstream commit d06118fe9b03426484980ed4c189a8c7b99fa631 ] + +Data-only subnode links following the ACPI data subnode GUID in a _DSD +package are expected to point to named objects returning _DSD-equivalent +packages. If a reference to such an object is used in the target field +of any of those links, that object will be evaluated in place (as a +named object) and its return data will be embedded in the outer _DSD +package. + +For this reason, it is not expected to see a subnode link with the +target field containing a local reference (that would mean pointing +to a device or another object that cannot be evaluated in place and +therefore cannot return a _DSD-equivalent package). + +Accordingly, simplify the code parsing data-only subnode links to +simply print a message when it encounters a local reference in the +target field of one of those links. + +Moreover, since acpi_nondev_subnode_data_ok() would only have one +caller after the change above, fold it into that caller. + +Link: https://lore.kernel.org/linux-acpi/CAJZ5v0jVeSrDO6hrZhKgRZrH=FpGD4vNUjFD8hV9WwN9TLHjzQ@mail.gmail.com/ +Signed-off-by: Rafael J. 
Wysocki +Reviewed-by: Sakari Ailus +Tested-by: Sakari Ailus +Stable-dep-of: baf60d5cb8bc ("ACPI: property: Do not pass NULL handles to acpi_attach_data()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/property.c | 51 ++++++++++++++++++++---------------------------- + 1 file changed, 22 insertions(+), 29 deletions(-) + +--- a/drivers/acpi/property.c ++++ b/drivers/acpi/property.c +@@ -124,32 +124,12 @@ static bool acpi_nondev_subnode_extract( + return false; + } + +-static bool acpi_nondev_subnode_data_ok(acpi_handle handle, +- const union acpi_object *link, +- struct list_head *list, +- struct fwnode_handle *parent) +-{ +- struct acpi_buffer buf = { ACPI_ALLOCATE_BUFFER }; +- acpi_status status; +- +- status = acpi_evaluate_object_typed(handle, NULL, NULL, &buf, +- ACPI_TYPE_PACKAGE); +- if (ACPI_FAILURE(status)) +- return false; +- +- if (acpi_nondev_subnode_extract(buf.pointer, handle, link, list, +- parent)) +- return true; +- +- ACPI_FREE(buf.pointer); +- return false; +-} +- + static bool acpi_nondev_subnode_ok(acpi_handle scope, + const union acpi_object *link, + struct list_head *list, + struct fwnode_handle *parent) + { ++ struct acpi_buffer buf = { ACPI_ALLOCATE_BUFFER }; + acpi_handle handle; + acpi_status status; + +@@ -161,7 +141,17 @@ static bool acpi_nondev_subnode_ok(acpi_ + if (ACPI_FAILURE(status)) + return false; + +- return acpi_nondev_subnode_data_ok(handle, link, list, parent); ++ status = acpi_evaluate_object_typed(handle, NULL, NULL, &buf, ++ ACPI_TYPE_PACKAGE); ++ if (ACPI_FAILURE(status)) ++ return false; ++ ++ if (acpi_nondev_subnode_extract(buf.pointer, handle, link, list, ++ parent)) ++ return true; ++ ++ ACPI_FREE(buf.pointer); ++ return false; + } + + static bool acpi_add_nondev_subnodes(acpi_handle scope, +@@ -174,7 +164,6 @@ static bool acpi_add_nondev_subnodes(acp + + for (i = 0; i < links->package.count; i++) { + union acpi_object *link, *desc; +- acpi_handle handle; + bool result; + + link = 
&links->package.elements[i]; +@@ -186,22 +175,26 @@ static bool acpi_add_nondev_subnodes(acp + if (link->package.elements[0].type != ACPI_TYPE_STRING) + continue; + +- /* The second one may be a string, a reference or a package. */ ++ /* The second one may be a string or a package. */ + switch (link->package.elements[1].type) { + case ACPI_TYPE_STRING: + result = acpi_nondev_subnode_ok(scope, link, list, + parent); + break; +- case ACPI_TYPE_LOCAL_REFERENCE: +- handle = link->package.elements[1].reference.handle; +- result = acpi_nondev_subnode_data_ok(handle, link, list, +- parent); +- break; + case ACPI_TYPE_PACKAGE: + desc = &link->package.elements[1]; + result = acpi_nondev_subnode_extract(desc, NULL, link, + list, parent); + break; ++ case ACPI_TYPE_LOCAL_REFERENCE: ++ /* ++ * It is not expected to see any local references in ++ * the links package because referencing a named object ++ * should cause it to be evaluated in place. ++ */ ++ acpi_handle_info(scope, "subnode %s: Unexpected reference\n", ++ link->package.elements[0].string.pointer); ++ fallthrough; + default: + result = false; + break; diff --git a/queue-6.17/acpi-property-do-not-pass-null-handles-to-acpi_attach_data.patch b/queue-6.17/acpi-property-do-not-pass-null-handles-to-acpi_attach_data.patch new file mode 100644 index 0000000000..6d0c29ea05 --- /dev/null +++ b/queue-6.17/acpi-property-do-not-pass-null-handles-to-acpi_attach_data.patch 
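Review bot: The folded body of acpi_nondev_subnode_ok releases buf.pointer only when acpi_nondev_subnode_extract() fails, and nothing on the `return true` path says who now owns the evaluated package; a reader has to know that the extract helper stores desc into the new data node (the `dn->data.pointer = desc` line visible in the following acpi_attach_data patch) to see that this is an ownership transfer rather than a leak. Suggest a comment before the extract call: `/* On success the evaluated package is owned by the new data node; drop it here only on failure. */`. The new ACPI_TYPE_LOCAL_REFERENCE case logs elements[0].string.pointer, which is safe because the ACPI_TYPE_STRING check on the key precedes the switch, but it is emitted at info level for firmware-controlled input and so repeats for every such link in a table; the debug level that the next patch in this series uses for the unknown-scope case may be the better fit. acpi_add_nondev_subnodes continues outside the hunk.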
@@ -0,0 +1,77 @@ +From stable+bounces-186177-greg=kroah.com@vger.kernel.org Thu Oct 16 18:05:40 2025 +From: Sasha Levin +Date: Thu, 16 Oct 2025 12:04:43 -0400 +Subject: ACPI: property: Do not pass NULL handles to acpi_attach_data() +To: stable@vger.kernel.org +Cc: "Rafael J. Wysocki" , Sakari Ailus , Sasha Levin +Message-ID: <20251016160443.3328083-4-sashal@kernel.org> + +From: "Rafael J. Wysocki" + +[ Upstream commit baf60d5cb8bc6b85511c5df5f0ad7620bb66d23c ] + +In certain circumstances, the ACPI handle of a data-only node may be +NULL, in which case it does not make sense to attempt to attach that +node to an ACPI namespace object, so update the code to avoid attempts +to do so. + +This prevents confusing and unuseful error messages from being printed. + +Also document the fact that the ACPI handle of a data-only node may be +NULL and when that happens in a code comment. In addition, make +acpi_add_nondev_subnodes() print a diagnostic message for each data-only +node with an unknown ACPI namespace scope. + +Fixes: 1d52f10917a7 ("ACPI: property: Tie data nodes to acpi handles") +Cc: 6.0+ # 6.0+ +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Sakari Ailus +Tested-by: Sakari Ailus +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/property.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/acpi/property.c ++++ b/drivers/acpi/property.c +@@ -124,6 +124,10 @@ static bool acpi_nondev_subnode_extract( + result = true; + + if (result) { ++ /* ++ * This will be NULL if the desc package is embedded in an outer ++ * _DSD-equivalent package and its scope cannot be determined. ++ */ + dn->handle = handle; + dn->data.pointer = desc; + list_add_tail(&dn->sibling, list); +@@ -224,6 +228,8 @@ static bool acpi_add_nondev_subnodes(acp + * strings because there is no way to build full + * pathnames out of them. 
+ */ ++ acpi_handle_debug(scope, "subnode %s: Unknown scope\n", ++ link->package.elements[0].string.pointer); + desc = &link->package.elements[1]; + result = acpi_nondev_subnode_extract(desc, NULL, link, + list, parent); +@@ -396,6 +402,9 @@ static void acpi_untie_nondev_subnodes(s + struct acpi_data_node *dn; + + list_for_each_entry(dn, &data->subnodes, sibling) { ++ if (!dn->handle) ++ continue; ++ + acpi_detach_data(dn->handle, acpi_nondev_subnode_tag); + + acpi_untie_nondev_subnodes(&dn->data); +@@ -410,6 +419,9 @@ static bool acpi_tie_nondev_subnodes(str + acpi_status status; + bool ret; + ++ if (!dn->handle) ++ continue; ++ + status = acpi_attach_data(dn->handle, acpi_nondev_subnode_tag, dn); + if (ACPI_FAILURE(status) && status != AE_ALREADY_EXISTS) { + acpi_handle_err(dn->handle, "Can't tag data node\n"); diff --git a/queue-6.17/arm64-dts-qcom-qcs615-add-missing-dt-property-in-qup-ses.patch b/queue-6.17/arm64-dts-qcom-qcs615-add-missing-dt-property-in-qup-ses.patch new file mode 100644 index 0000000000..a393831248 --- /dev/null +++ b/queue-6.17/arm64-dts-qcom-qcs615-add-missing-dt-property-in-qup-ses.patch 
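Review bot: The `if (!dn->handle) continue;` added to acpi_tie_nondev_subnodes and acpi_untie_nondev_subnodes skips the whole loop body, which in the visible untie hunk includes the recursive acpi_untie_nondev_subnodes(&dn->data) call (and presumably the matching recursion in the tie loop, outside the hunk). That is only correct if every descendant of a handle-less node is itself handle-less; the extraction path appears to guarantee it, since a NULL scope is what acpi_nondev_subnode_extract passes down to acpi_enumerate_nondev_subnodes() and acpi_nondev_subnode_ok() refuses a NULL scope, but the dependency is not stated anywhere near the new checks. Suggest a comment on each: `/* Handle-less nodes come from packages of unknown scope; their subnodes are handle-less too, so there is nothing below to tag. */`. Both loops start and end outside the hunk.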
@@ -0,0 +1,77 @@ +From stable+bounces-186202-greg=kroah.com@vger.kernel.org Thu Oct 16 21:38:08 2025 +From: Sasha Levin +Date: Thu, 16 Oct 2025 15:38:01 -0400 +Subject: arm64: dts: qcom: qcs615: add missing dt property in QUP SEs +To: stable@vger.kernel.org +Cc: Viken Dadhaniya , Dmitry Baryshkov , Bjorn Andersson , Sasha Levin +Message-ID: <20251016193801.3389185-1-sashal@kernel.org> + +From: Viken Dadhaniya + +[ Upstream commit 6a5e9b9738a32229e2673d4eccfcbfe2ef3a1ab4 ] + +Add the missing required-opps and operating-points-v2 properties to +several I2C, SPI, and UART nodes in the QUP SEs. + +Fixes: f6746dc9e379 ("arm64: dts: qcom: qcs615: Add QUPv3 configuration") +Cc: stable@vger.kernel.org +Signed-off-by: Viken Dadhaniya +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250630064338.2487409-1-viken.dadhaniya@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/qcs615.dtsi | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/arm64/boot/dts/qcom/qcs615.dtsi ++++ b/arch/arm64/boot/dts/qcom/qcs615.dtsi +@@ -631,6 +631,7 @@ + interconnect-names = "qup-core", + "qup-config"; + power-domains = <&rpmhpd RPMHPD_CX>; ++ operating-points-v2 = <&qup_opp_table>; + status = "disabled"; + }; + +@@ -654,6 +655,7 @@ + "qup-config", + "qup-memory"; + power-domains = <&rpmhpd RPMHPD_CX>; ++ required-opps = <&rpmhpd_opp_low_svs>; + dmas = <&gpi_dma0 0 1 QCOM_GPI_I2C>, + <&gpi_dma0 1 1 QCOM_GPI_I2C>; + dma-names = "tx", +@@ -681,6 +683,7 @@ + "qup-config", + "qup-memory"; + power-domains = <&rpmhpd RPMHPD_CX>; ++ required-opps = <&rpmhpd_opp_low_svs>; + dmas = <&gpi_dma0 0 2 QCOM_GPI_I2C>, + <&gpi_dma0 1 2 QCOM_GPI_I2C>; + dma-names = "tx", +@@ -703,6 +706,7 @@ + interconnect-names = "qup-core", + "qup-config"; + power-domains = <&rpmhpd RPMHPD_CX>; ++ operating-points-v2 = <&qup_opp_table>; + dmas = <&gpi_dma0 0 2 QCOM_GPI_SPI>, + <&gpi_dma0 1 2 QCOM_GPI_SPI>; + 
dma-names = "tx", +@@ -728,6 +732,7 @@ + interconnect-names = "qup-core", + "qup-config"; + power-domains = <&rpmhpd RPMHPD_CX>; ++ operating-points-v2 = <&qup_opp_table>; + status = "disabled"; + }; + +@@ -751,6 +756,7 @@ + "qup-config", + "qup-memory"; + power-domains = <&rpmhpd RPMHPD_CX>; ++ required-opps = <&rpmhpd_opp_low_svs>; + dmas = <&gpi_dma0 0 3 QCOM_GPI_I2C>, + <&gpi_dma0 1 3 QCOM_GPI_I2C>; + dma-names = "tx", diff --git a/queue-6.17/ext4-free-orphan-info-with-kvfree.patch b/queue-6.17/ext4-free-orphan-info-with-kvfree.patch new file mode 100644 index 0000000000..fcb9ecd259 --- /dev/null +++ b/queue-6.17/ext4-free-orphan-info-with-kvfree.patch @@ -0,0 +1,43 @@ +From 971843c511c3c2f6eda96c6b03442913bfee6148 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 7 Oct 2025 15:49:37 +0200 +Subject: ext4: free orphan info with kvfree + +From: Jan Kara + +commit 971843c511c3c2f6eda96c6b03442913bfee6148 upstream. + +Orphan info is now getting allocated with kvmalloc_array(). Free it with +kvfree() instead of kfree() to avoid complaints from mm. + +Reported-by: Chris Mason +Fixes: 0a6ce20c1564 ("ext4: verify orphan file size is not too big") +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara +Message-ID: <20251007134936.7291-2-jack@suse.cz> +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/orphan.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ext4/orphan.c ++++ b/fs/ext4/orphan.c +@@ -513,7 +513,7 @@ void ext4_release_orphan_info(struct sup + return; + for (i = 0; i < oi->of_blocks; i++) + brelse(oi->of_binfo[i].ob_bh); +- kfree(oi->of_binfo); ++ kvfree(oi->of_binfo); + } + + static struct ext4_orphan_block_tail *ext4_orphan_block_tail( +@@ -637,7 +637,7 @@ int ext4_init_orphan_info(struct super_b + out_free: + for (i--; i >= 0; i--) + brelse(oi->of_binfo[i].ob_bh); +- kfree(oi->of_binfo); ++ kvfree(oi->of_binfo); + out_put: + iput(inode); + return ret; 
diff --git a/queue-6.17/ipmi-fix-handling-of-messages-with-provided-receive-message-pointer.patch b/queue-6.17/ipmi-fix-handling-of-messages-with-provided-receive-message-pointer.patch
new file mode 100644
index 0000000000..aa8e756959
--- /dev/null
+++ b/queue-6.17/ipmi-fix-handling-of-messages-with-provided-receive-message-pointer.patch
@@ -0,0 +1,47 @@ +From e2c69490dda5d4c9f1bfbb2898989c8f3530e354 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Mon, 6 Oct 2025 13:18:57 -0700 +Subject: ipmi: Fix handling of messages with provided receive message pointer + +From: Guenter Roeck + +commit e2c69490dda5d4c9f1bfbb2898989c8f3530e354 upstream. + +Prior to commit b52da4054ee0 ("ipmi: Rework user message limit handling"), +i_ipmi_request() used to increase the user reference counter if the receive +message is provided by the caller of IPMI API functions. This is no longer +the case. However, ipmi_free_recv_msg() is still called and decreases the +reference counter. This results in the reference counter reaching zero, +the user data pointer is released, and all kinds of interesting crashes are +seen. + +Fix the problem by increasing user reference counter if the receive message +has been provided by the caller. + +Fixes: b52da4054ee0 ("ipmi: Rework user message limit handling") +Reported-by: Eric Dumazet +Cc: Eric Dumazet +Cc: Greg Thelen +Signed-off-by: Guenter Roeck +Message-ID: <20251006201857.3433837-1-linux@roeck-us.net> +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_msghandler.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -2280,8 +2280,11 @@ static int i_ipmi_request(struct ipmi_us + if (supplied_recv) { + recv_msg = supplied_recv; + recv_msg->user = user; +- if (user) ++ if (user) { + atomic_inc(&user->nr_msgs); ++ /* The put happens when the message is freed. */ ++ kref_get(&user->refcount); ++ } + } else { + recv_msg = ipmi_alloc_recv_msg(user); + if (IS_ERR(recv_msg)) diff --git a/queue-6.17/media-mc-clear-minor-number-before-put-device.patch b/queue-6.17/media-mc-clear-minor-number-before-put-device.patch new file mode 100644 index 0000000000..ad3a04359a --- /dev/null +++ b/queue-6.17/media-mc-clear-minor-number-before-put-device.patch 
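Review bot: The kref_get() added on the supplied_recv path of i_ipmi_request makes every later failure exit of that function responsible for dropping the reference; the hunk shows only the acquire, and the error paths that follow (outside the hunk) must all route the caller-supplied message through ipmi_free_recv_msg() or an explicit kref_put(), otherwise a failed request leaks the user and leaves nr_msgs incremented. The ipmi_alloc_recv_msg() branch presumably takes its own reference, which is what makes the two branches symmetric again, but that is inferred rather than visible here. Suggest naming the owner in the added comment: `/* The put happens when the message is freed by ipmi_free_recv_msg(). */`. i_ipmi_request continues outside the hunk.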
@@ -0,0 +1,51 @@ +From stable+bounces-185511-greg=kroah.com@vger.kernel.org Mon Oct 13 22:26:36 2025 +From: Sasha Levin +Date: Mon, 13 Oct 2025 16:26:24 -0400 +Subject: media: mc: Clear minor number before put device +To: stable@vger.kernel.org +Cc: Edward Adam Davis , syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com, Sakari Ailus , Hans Verkuil , Sasha Levin +Message-ID: <20251013202625.3590659-1-sashal@kernel.org> + +From: Edward Adam Davis + +[ Upstream commit 8cfc8cec1b4da88a47c243a11f384baefd092a50 ] + +The device minor should not be cleared after the device is released. + +Fixes: 9e14868dc952 ("media: mc: Clear minor number reservation at unregistration time") +Cc: stable@vger.kernel.org +Reported-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=031d0cfd7c362817963f +Tested-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +[ moved clear_bit from media_devnode_release callback to media_devnode_unregister before put_device ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/mc/mc-devnode.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/media/mc/mc-devnode.c ++++ b/drivers/media/mc/mc-devnode.c +@@ -50,11 +50,6 @@ static void media_devnode_release(struct + { + struct media_devnode *devnode = to_media_devnode(cd); + +- mutex_lock(&media_devnode_lock); +- /* Mark device node number as free */ +- clear_bit(devnode->minor, media_devnode_nums); +- mutex_unlock(&media_devnode_lock); +- + /* Release media_devnode and perform other cleanups as needed. 
*/ + if (devnode->release) + devnode->release(devnode); +@@ -281,6 +276,7 @@ void media_devnode_unregister(struct med + /* Delete the cdev on this minor as well */ + cdev_device_del(&devnode->cdev, &devnode->dev); + devnode->media_dev = NULL; ++ clear_bit(devnode->minor, media_devnode_nums); + mutex_unlock(&media_devnode_lock); + + put_device(&devnode->dev); diff --git a/queue-6.17/mm-ksm-fix-incorrect-ksm-counter-handling-in-mm_struct-during-fork.patch b/queue-6.17/mm-ksm-fix-incorrect-ksm-counter-handling-in-mm_struct-during-fork.patch new file mode 100644 index 0000000000..abb038c501 --- /dev/null +++ b/queue-6.17/mm-ksm-fix-incorrect-ksm-counter-handling-in-mm_struct-during-fork.patch 
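Review bot: The clear_bit() moved into media_devnode_unregister drops the `/* Mark device node number as free */` comment that accompanied it in media_devnode_release, and its new location relies on media_devnode_lock already being held — the mutex_unlock() on the next line suggests it is, but the matching lock call is outside the hunk. Suggest keeping the comment and stating the locking rule: `/* Mark device node number as free; media_devnode_lock is held. */`. With the release callback no longer touching the minor, a devnode that was registered but never unregistered would keep its number reserved, so the registration failure path (outside the hunk) is worth checking for its own clear_bit(). media_devnode_unregister starts outside the hunk.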
@@ -0,0 +1,104 @@ +From stable+bounces-185639-greg=kroah.com@vger.kernel.org Tue Oct 14 13:39:53 2025 +From: Sasha Levin +Date: Tue, 14 Oct 2025 07:39:43 -0400 +Subject: mm/ksm: fix incorrect KSM counter handling in mm_struct during fork +To: stable@vger.kernel.org +Cc: Donet Tom , Chengming Zhou , David Hildenbrand , Aboorva Devarajan , "Ritesh Harjani (IBM)" , Wei Yang , xu xin , Andrew Morton , Sasha Levin +Message-ID: <20251014113943.4156526-1-sashal@kernel.org> + +From: Donet Tom + +[ Upstream commit 4d6fc29f36341d7795db1d1819b4c15fe9be7b23 ] + +Patch series "mm/ksm: Fix incorrect accounting of KSM counters during +fork", v3. + +The first patch in this series fixes the incorrect accounting of KSM +counters such as ksm_merging_pages, ksm_rmap_items, and the global +ksm_zero_pages during fork. + +The following patch add a selftest to verify the ksm_merging_pages counter +was updated correctly during fork. + +Test Results +============ +Without the first patch +----------------------- + # [RUN] test_fork_ksm_merging_page_count + not ok 10 ksm_merging_page in child: 32 + +With the first patch +-------------------- + # [RUN] test_fork_ksm_merging_page_count + ok 10 ksm_merging_pages is not inherited after fork + +This patch (of 2): + +Currently, the KSM-related counters in `mm_struct`, such as +`ksm_merging_pages`, `ksm_rmap_items`, and `ksm_zero_pages`, are inherited +by the child process during fork. This results in inconsistent +accounting. + +When a process uses KSM, identical pages are merged and an rmap item is +created for each merged page. The `ksm_merging_pages` and +`ksm_rmap_items` counters are updated accordingly. However, after a fork, +these counters are copied to the child while the corresponding rmap items +are not. As a result, when the child later triggers an unmerge, there are +no rmap items present in the child, so the counters remain stale, leading +to incorrect accounting. 
+ +A similar issue exists with `ksm_zero_pages`, which maintains both a +global counter and a per-process counter. During fork, the per-process +counter is inherited by the child, but the global counter is not +incremented. Since the child also references zero pages, the global +counter should be updated as well. Otherwise, during zero-page unmerge, +both the global and per-process counters are decremented, causing the +global counter to become inconsistent. + +To fix this, ksm_merging_pages and ksm_rmap_items are reset to 0 during +fork, and the global ksm_zero_pages counter is updated with the +per-process ksm_zero_pages value inherited by the child. This ensures +that KSM statistics remain accurate and reflect the activity of each +process correctly. + +Link: https://lkml.kernel.org/r/cover.1758648700.git.donettom@linux.ibm.com +Link: https://lkml.kernel.org/r/7b9870eb67ccc0d79593940d9dbd4a0b39b5d396.1758648700.git.donettom@linux.ibm.com +Fixes: 7609385337a4 ("ksm: count ksm merging pages for each process") +Fixes: cb4df4cae4f2 ("ksm: count allocated ksm rmap_items for each process") +Fixes: e2942062e01d ("ksm: count all zero pages placed by KSM") +Signed-off-by: Donet Tom +Reviewed-by: Chengming Zhou +Acked-by: David Hildenbrand +Cc: Aboorva Devarajan +Cc: David Hildenbrand +Cc: Donet Tom +Cc: "Ritesh Harjani (IBM)" +Cc: Wei Yang +Cc: xu xin +Cc: [6.6+] +Signed-off-by: Andrew Morton +[ replaced mm_flags_test() calls with test_bit() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/ksm.h | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/include/linux/ksm.h ++++ b/include/linux/ksm.h +@@ -56,8 +56,14 @@ static inline long mm_ksm_zero_pages(str + static inline void ksm_fork(struct mm_struct *mm, struct mm_struct *oldmm) + { + /* Adding mm to ksm is best effort on fork. 
*/ +- if (test_bit(MMF_VM_MERGEABLE, &oldmm->flags)) ++ if (test_bit(MMF_VM_MERGEABLE, &oldmm->flags)) { ++ long nr_ksm_zero_pages = atomic_long_read(&mm->ksm_zero_pages); ++ ++ mm->ksm_merging_pages = 0; ++ mm->ksm_rmap_items = 0; ++ atomic_long_add(nr_ksm_zero_pages, &ksm_zero_pages); + __ksm_enter(mm); ++ } + } + + static inline int ksm_execve(struct mm_struct *mm) diff --git a/queue-6.17/series b/queue-6.17/series index f95d25b273..1de0ca9ed3 100644 --- a/queue-6.17/series +++ b/queue-6.17/series @@ -345,3 +345,13 @@ ext4-fix-an-off-by-one-issue-during-moving-extents.patch ext4-guard-against-ea-inode-refcount-underflow-in-xattr-update.patch ext4-validate-ea_ino-and-size-in-check_xattrs.patch acpica-allow-to-skip-global-lock-initialization.patch +ext4-free-orphan-info-with-kvfree.patch +ipmi-fix-handling-of-messages-with-provided-receive-message-pointer.patch +squashfs-add-additional-inode-sanity-checking.patch +squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch +mm-ksm-fix-incorrect-ksm-counter-handling-in-mm_struct-during-fork.patch +media-mc-clear-minor-number-before-put-device.patch +arm64-dts-qcom-qcs615-add-missing-dt-property-in-qup-ses.patch +acpi-property-disregard-references-in-data-only-subnode-lists.patch +acpi-property-add-code-comments-explaining-what-is-going-on.patch +acpi-property-do-not-pass-null-handles-to-acpi_attach_data.patch diff --git a/queue-6.17/squashfs-add-additional-inode-sanity-checking.patch b/queue-6.17/squashfs-add-additional-inode-sanity-checking.patch new file mode 100644 index 0000000000..60f93fd301 --- /dev/null +++ b/queue-6.17/squashfs-add-additional-inode-sanity-checking.patch 
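Review bot: The existing comment `/* Adding mm to ksm is best effort on fork. */` now sits above a block that also rewrites three counters, and nothing in the code explains why ksm_merging_pages and ksm_rmap_items are zeroed while the inherited ksm_zero_pages value is kept and added to the global counter. The commit message has the reasoning (fork copies the zero-page PTEs but not the rmap items), so it belongs next to the code; suggest a comment before the first reset: `/* fork copies KSM zero-page PTEs but not rmap items: the child starts with no merged pages or rmap items, and its inherited zero pages are accounted globally. */`. The reset happens only when MMF_VM_MERGEABLE is set on oldmm; if a parent can have the flag cleared while its counters are still non-zero, the child would still inherit stale values, which is worth confirming against the unmerge path. ksm_fork is shown in full, and __ksm_enter()'s return value remains ignored as the existing comment says.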
@@ -0,0 +1,90 @@ +From stable+bounces-185488-greg=kroah.com@vger.kernel.org Mon Oct 13 19:37:13 2025 +From: Sasha Levin +Date: Mon, 13 Oct 2025 13:36:48 -0400 +Subject: Squashfs: add additional inode sanity checking +To: stable@vger.kernel.org +Cc: Phillip Lougher , Andrew Morton , Sasha Levin +Message-ID: <20251013173649.3404578-1-sashal@kernel.org> + +From: Phillip Lougher + +[ Upstream commit 9ee94bfbe930a1b39df53fa2d7b31141b780eb5a ] + +Patch series "Squashfs: performance improvement and a sanity check". + +This patchset adds an additional sanity check when reading regular file +inodes, and adds support for SEEK_DATA/SEEK_HOLE lseek() whence values. + +This patch (of 2): + +Add an additional sanity check when reading regular file inodes. + +A regular file if the file size is an exact multiple of the filesystem +block size cannot have a fragment. This is because by definition a +fragment block stores tailends which are not a whole block in size. + +Link: https://lkml.kernel.org/r/20250923220652.568416-1-phillip@squashfs.org.uk +Link: https://lkml.kernel.org/r/20250923220652.568416-2-phillip@squashfs.org.uk +Signed-off-by: Phillip Lougher +Signed-off-by: Andrew Morton +Stable-dep-of: 9f1c14c1de1b ("Squashfs: reject negative file sizes in squashfs_read_inode()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/squashfs/inode.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +--- a/fs/squashfs/inode.c ++++ b/fs/squashfs/inode.c +@@ -140,8 +140,17 @@ int squashfs_read_inode(struct inode *in + if (err < 0) + goto failed_read; + ++ inode->i_size = le32_to_cpu(sqsh_ino->file_size); + frag = le32_to_cpu(sqsh_ino->fragment); + if (frag != SQUASHFS_INVALID_FRAG) { ++ /* ++ * the file cannot have a fragment (tailend) and have a ++ * file size a multiple of the block size ++ */ ++ if ((inode->i_size & (msblk->block_size - 1)) == 0) { ++ err = -EINVAL; ++ goto failed_read; ++ } + frag_offset = 
le32_to_cpu(sqsh_ino->offset); + frag_size = squashfs_frag_lookup(sb, frag, &frag_blk); + if (frag_size < 0) { +@@ -155,7 +164,6 @@ int squashfs_read_inode(struct inode *in + } + + set_nlink(inode, 1); +- inode->i_size = le32_to_cpu(sqsh_ino->file_size); + inode->i_fop = &generic_ro_fops; + inode->i_mode |= S_IFREG; + inode->i_blocks = ((inode->i_size - 1) >> 9) + 1; +@@ -184,8 +192,17 @@ int squashfs_read_inode(struct inode *in + if (err < 0) + goto failed_read; + ++ inode->i_size = le64_to_cpu(sqsh_ino->file_size); + frag = le32_to_cpu(sqsh_ino->fragment); + if (frag != SQUASHFS_INVALID_FRAG) { ++ /* ++ * the file cannot have a fragment (tailend) and have a ++ * file size a multiple of the block size ++ */ ++ if ((inode->i_size & (msblk->block_size - 1)) == 0) { ++ err = -EINVAL; ++ goto failed_read; ++ } + frag_offset = le32_to_cpu(sqsh_ino->offset); + frag_size = squashfs_frag_lookup(sb, frag, &frag_blk); + if (frag_size < 0) { +@@ -200,7 +217,6 @@ int squashfs_read_inode(struct inode *in + + xattr_id = le32_to_cpu(sqsh_ino->xattr); + set_nlink(inode, le32_to_cpu(sqsh_ino->nlink)); +- inode->i_size = le64_to_cpu(sqsh_ino->file_size); + inode->i_op = &squashfs_inode_ops; + inode->i_fop = &generic_ro_fops; + inode->i_mode |= S_IFREG; diff --git a/queue-6.17/squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch b/queue-6.17/squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch new file mode 100644 index 0000000000..8bbdce63e7 --- /dev/null +++ b/queue-6.17/squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch 
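Review bot: The new check `(inode->i_size & (msblk->block_size - 1)) == 0` in both regular-inode cases of squashfs_read_inode uses block_size - 1 as a mask, which is correct only while block_size is a power of two; that invariant is established by the superblock parser, not here, and the added comment does not mention it. Suggest extending the comment: `* block_size is a power of two (validated at mount), so the mask test is a modulo`. The check also rejects a zero-length file that carries a fragment, since 0 is a multiple of the block size; that looks intentional (a zero-size file has no tail end) but deserves a word in the same comment. In the 64-bit case i_size is signed and the mask is applied before any sign check; the following squashfs-reject-negative-file-sizes patch in this series adds that check ahead of it, so the two patches must stay in this order. squashfs_read_inode starts and ends outside the hunk.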
@@ -0,0 +1,48 @@ +From stable+bounces-185489-greg=kroah.com@vger.kernel.org Mon Oct 13 19:37:15 2025 +From: Sasha Levin +Date: Mon, 13 Oct 2025 13:36:49 -0400 +Subject: Squashfs: reject negative file sizes in squashfs_read_inode() +To: stable@vger.kernel.org +Cc: Phillip Lougher , syzbot+f754e01116421e9754b9@syzkaller.appspotmail.com, Amir Goldstein , Andrew Morton , Sasha Levin +Message-ID: <20251013173649.3404578-2-sashal@kernel.org> + +From: Phillip Lougher + +[ Upstream commit 9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b ] + +Syskaller reports a "WARNING in ovl_copy_up_file" in overlayfs. + +This warning is ultimately caused because the underlying Squashfs file +system returns a file with a negative file size. + +This commit checks for a negative file size and returns EINVAL. + +[phillip@squashfs.org.uk: only need to check 64 bit quantity] + Link: https://lkml.kernel.org/r/20250926222305.110103-1-phillip@squashfs.org.uk +Link: https://lkml.kernel.org/r/20250926215935.107233-1-phillip@squashfs.org.uk +Fixes: 6545b246a2c8 ("Squashfs: inode operations") +Signed-off-by: Phillip Lougher +Reported-by: syzbot+f754e01116421e9754b9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/68d580e5.a00a0220.303701.0019.GAE@google.com/ +Cc: Amir Goldstein +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/squashfs/inode.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/squashfs/inode.c ++++ b/fs/squashfs/inode.c +@@ -193,6 +193,10 @@ int squashfs_read_inode(struct inode *in + goto failed_read; + + inode->i_size = le64_to_cpu(sqsh_ino->file_size); ++ if (inode->i_size < 0) { ++ err = -EINVAL; ++ goto failed_read; ++ } + frag = le32_to_cpu(sqsh_ino->fragment); + if (frag != SQUASHFS_INVALID_FRAG) { + /* -- 2.47.3