6.17-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 17 Oct 2025 07:07:27 +0000 (09:07 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 17 Oct 2025 07:07:27 +0000 (09:07 +0200)
added patches:
acpi-property-add-code-comments-explaining-what-is-going-on.patch
acpi-property-disregard-references-in-data-only-subnode-lists.patch
acpi-property-do-not-pass-null-handles-to-acpi_attach_data.patch
arm64-dts-qcom-qcs615-add-missing-dt-property-in-qup-ses.patch
ext4-free-orphan-info-with-kvfree.patch
ipmi-fix-handling-of-messages-with-provided-receive-message-pointer.patch
media-mc-clear-minor-number-before-put-device.patch
mm-ksm-fix-incorrect-ksm-counter-handling-in-mm_struct-during-fork.patch
squashfs-add-additional-inode-sanity-checking.patch
squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch

queue-6.17/acpi-property-add-code-comments-explaining-what-is-going-on.patch [new file with mode: 0644]
queue-6.17/acpi-property-disregard-references-in-data-only-subnode-lists.patch [new file with mode: 0644]
queue-6.17/acpi-property-do-not-pass-null-handles-to-acpi_attach_data.patch [new file with mode: 0644]
queue-6.17/arm64-dts-qcom-qcs615-add-missing-dt-property-in-qup-ses.patch [new file with mode: 0644]
queue-6.17/ext4-free-orphan-info-with-kvfree.patch [new file with mode: 0644]
queue-6.17/ipmi-fix-handling-of-messages-with-provided-receive-message-pointer.patch [new file with mode: 0644]
queue-6.17/media-mc-clear-minor-number-before-put-device.patch [new file with mode: 0644]
queue-6.17/mm-ksm-fix-incorrect-ksm-counter-handling-in-mm_struct-during-fork.patch [new file with mode: 0644]
queue-6.17/series
queue-6.17/squashfs-add-additional-inode-sanity-checking.patch [new file with mode: 0644]
queue-6.17/squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch [new file with mode: 0644]

diff --git a/queue-6.17/acpi-property-add-code-comments-explaining-what-is-going-on.patch b/queue-6.17/acpi-property-add-code-comments-explaining-what-is-going-on.patch
new file mode 100644 (file)
index 0000000..0c9c99e
--- /dev/null
@@ -0,0 +1,115 @@
+From stable+bounces-186176-greg=kroah.com@vger.kernel.org Thu Oct 16 18:08:44 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Oct 2025 12:04:42 -0400
+Subject: ACPI: property: Add code comments explaining what is going on
+To: stable@vger.kernel.org
+Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>, Sakari Ailus <sakari.ailus@linux.intel.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251016160443.3328083-3-sashal@kernel.org>
+
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 737c3a09dcf69ba2814f3674947ccaec1861c985 ]
+
+In some places in the ACPI device properties handling code, it is
+unclear why the code is what it is.  Some assumptions are not documented
+and some pieces of code are based on knowledge that is not mentioned
+anywhere.
+
+Add code comments explaining these things.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Tested-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Stable-dep-of: baf60d5cb8bc ("ACPI: property: Do not pass NULL handles to acpi_attach_data()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/property.c |   46 ++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 44 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/property.c
++++ b/drivers/acpi/property.c
+@@ -108,7 +108,18 @@ static bool acpi_nondev_subnode_extract(
+       if (handle)
+               acpi_get_parent(handle, &scope);
++      /*
++       * Extract properties from the _DSD-equivalent package pointed to by
++       * desc and use scope (if not NULL) for the completion of relative
++       * pathname segments.
++       *
++       * The extracted properties will be held in the new data node dn.
++       */
+       result = acpi_extract_properties(scope, desc, &dn->data);
++      /*
++       * Look for subnodes in the _DSD-equivalent package pointed to by desc
++       * and create child nodes of dn if there are any.
++       */
+       if (acpi_enumerate_nondev_subnodes(scope, desc, &dn->data, &dn->fwnode))
+               result = true;
+@@ -133,6 +144,12 @@ static bool acpi_nondev_subnode_ok(acpi_
+       acpi_handle handle;
+       acpi_status status;
++      /*
++       * If the scope is unknown, the _DSD-equivalent package being parsed
++       * was embedded in an outer _DSD-equivalent package as a result of
++       * direct evaluation of an object pointed to by a reference.  In that
++       * case, using a pathname as the target object pointer is invalid.
++       */
+       if (!scope)
+               return false;
+@@ -162,6 +179,10 @@ static bool acpi_add_nondev_subnodes(acp
+       bool ret = false;
+       int i;
++      /*
++       * Every element in the links package is expected to represent a link
++       * to a non-device node in a tree containing device-specific data.
++       */
+       for (i = 0; i < links->package.count; i++) {
+               union acpi_object *link, *desc;
+               bool result;
+@@ -171,17 +192,38 @@ static bool acpi_add_nondev_subnodes(acp
+               if (link->package.count != 2)
+                       continue;
+-              /* The first one must be a string. */
++              /* The first one (the key) must be a string. */
+               if (link->package.elements[0].type != ACPI_TYPE_STRING)
+                       continue;
+-              /* The second one may be a string or a package. */
++              /* The second one (the target) may be a string or a package. */
+               switch (link->package.elements[1].type) {
+               case ACPI_TYPE_STRING:
++                      /*
++                       * The string is expected to be a full pathname or a
++                       * pathname segment relative to the given scope.  That
++                       * pathname is expected to point to an object returning
++                       * a package that contains _DSD-equivalent information.
++                       */
+                       result = acpi_nondev_subnode_ok(scope, link, list,
+                                                        parent);
+                       break;
+               case ACPI_TYPE_PACKAGE:
++                      /*
++                       * This happens when a reference is used in AML to
++                       * point to the target.  Since the target is expected
++                       * to be a named object, a reference to it will cause it
++                       * to be avaluated in place and its return package will
++                       * be embedded in the links package at the location of
++                       * the reference.
++                       *
++                       * The target package is expected to contain _DSD-
++                       * equivalent information, but the scope in which it
++                       * is located in the original AML is unknown.  Thus
++                       * it cannot contain pathname segments represented as
++                       * strings because there is no way to build full
++                       * pathnames out of them.
++                       */
+                       desc = &link->package.elements[1];
+                       result = acpi_nondev_subnode_extract(desc, NULL, link,
+                                                            list, parent);
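Review bot: The new comment in the `ACPI_TYPE_PACKAGE` case of acpi_add_nondev_subnodes() misspells a word: `to be avaluated in place` should read `to be evaluated in place`. The typo comes with the upstream commit, so for a stable backport it is probably best corrected upstream and picked up from there. The enclosing switch statement continues past the end of the hunk.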
diff --git a/queue-6.17/acpi-property-disregard-references-in-data-only-subnode-lists.patch b/queue-6.17/acpi-property-disregard-references-in-data-only-subnode-lists.patch
new file mode 100644 (file)
index 0000000..99b8863
--- /dev/null
@@ -0,0 +1,138 @@
+From stable+bounces-186175-greg=kroah.com@vger.kernel.org Thu Oct 16 18:08:08 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Oct 2025 12:04:41 -0400
+Subject: ACPI: property: Disregard references in data-only subnode lists
+To: stable@vger.kernel.org
+Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>, Sakari Ailus <sakari.ailus@linux.intel.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251016160443.3328083-2-sashal@kernel.org>
+
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+
+[ Upstream commit d06118fe9b03426484980ed4c189a8c7b99fa631 ]
+
+Data-only subnode links following the ACPI data subnode GUID in a _DSD
+package are expected to point to named objects returning _DSD-equivalent
+packages.  If a reference to such an object is used in the target field
+of any of those links, that object will be evaluated in place (as a
+named object) and its return data will be embedded in the outer _DSD
+package.
+
+For this reason, it is not expected to see a subnode link with the
+target field containing a local reference (that would mean pointing
+to a device or another object that cannot be evaluated in place and
+therefore cannot return a _DSD-equivalent package).
+
+Accordingly, simplify the code parsing data-only subnode links to
+simply print a message when it encounters a local reference in the
+target field of one of those links.
+
+Moreover, since acpi_nondev_subnode_data_ok() would only have one
+caller after the change above, fold it into that caller.
+
+Link: https://lore.kernel.org/linux-acpi/CAJZ5v0jVeSrDO6hrZhKgRZrH=FpGD4vNUjFD8hV9WwN9TLHjzQ@mail.gmail.com/
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Tested-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Stable-dep-of: baf60d5cb8bc ("ACPI: property: Do not pass NULL handles to acpi_attach_data()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/property.c |   51 ++++++++++++++++++++----------------------------
+ 1 file changed, 22 insertions(+), 29 deletions(-)
+
+--- a/drivers/acpi/property.c
++++ b/drivers/acpi/property.c
+@@ -124,32 +124,12 @@ static bool acpi_nondev_subnode_extract(
+       return false;
+ }
+-static bool acpi_nondev_subnode_data_ok(acpi_handle handle,
+-                                      const union acpi_object *link,
+-                                      struct list_head *list,
+-                                      struct fwnode_handle *parent)
+-{
+-      struct acpi_buffer buf = { ACPI_ALLOCATE_BUFFER };
+-      acpi_status status;
+-
+-      status = acpi_evaluate_object_typed(handle, NULL, NULL, &buf,
+-                                          ACPI_TYPE_PACKAGE);
+-      if (ACPI_FAILURE(status))
+-              return false;
+-
+-      if (acpi_nondev_subnode_extract(buf.pointer, handle, link, list,
+-                                      parent))
+-              return true;
+-
+-      ACPI_FREE(buf.pointer);
+-      return false;
+-}
+-
+ static bool acpi_nondev_subnode_ok(acpi_handle scope,
+                                  const union acpi_object *link,
+                                  struct list_head *list,
+                                  struct fwnode_handle *parent)
+ {
++      struct acpi_buffer buf = { ACPI_ALLOCATE_BUFFER };
+       acpi_handle handle;
+       acpi_status status;
+@@ -161,7 +141,17 @@ static bool acpi_nondev_subnode_ok(acpi_
+       if (ACPI_FAILURE(status))
+               return false;
+-      return acpi_nondev_subnode_data_ok(handle, link, list, parent);
++      status = acpi_evaluate_object_typed(handle, NULL, NULL, &buf,
++                                          ACPI_TYPE_PACKAGE);
++      if (ACPI_FAILURE(status))
++              return false;
++
++      if (acpi_nondev_subnode_extract(buf.pointer, handle, link, list,
++                                      parent))
++              return true;
++
++      ACPI_FREE(buf.pointer);
++      return false;
+ }
+ static bool acpi_add_nondev_subnodes(acpi_handle scope,
+@@ -174,7 +164,6 @@ static bool acpi_add_nondev_subnodes(acp
+       for (i = 0; i < links->package.count; i++) {
+               union acpi_object *link, *desc;
+-              acpi_handle handle;
+               bool result;
+               link = &links->package.elements[i];
+@@ -186,22 +175,26 @@ static bool acpi_add_nondev_subnodes(acp
+               if (link->package.elements[0].type != ACPI_TYPE_STRING)
+                       continue;
+-              /* The second one may be a string, a reference or a package. */
++              /* The second one may be a string or a package. */
+               switch (link->package.elements[1].type) {
+               case ACPI_TYPE_STRING:
+                       result = acpi_nondev_subnode_ok(scope, link, list,
+                                                        parent);
+                       break;
+-              case ACPI_TYPE_LOCAL_REFERENCE:
+-                      handle = link->package.elements[1].reference.handle;
+-                      result = acpi_nondev_subnode_data_ok(handle, link, list,
+-                                                           parent);
+-                      break;
+               case ACPI_TYPE_PACKAGE:
+                       desc = &link->package.elements[1];
+                       result = acpi_nondev_subnode_extract(desc, NULL, link,
+                                                            list, parent);
+                       break;
++              case ACPI_TYPE_LOCAL_REFERENCE:
++                      /*
++                       * It is not expected to see any local references in
++                       * the links package because referencing a named object
++                       * should cause it to be evaluated in place.
++                       */
++                      acpi_handle_info(scope, "subnode %s: Unexpected reference\n",
++                                       link->package.elements[0].string.pointer);
++                      fallthrough;
+               default:
+                       result = false;
+                       break;
diff --git a/queue-6.17/acpi-property-do-not-pass-null-handles-to-acpi_attach_data.patch b/queue-6.17/acpi-property-do-not-pass-null-handles-to-acpi_attach_data.patch
new file mode 100644 (file)
index 0000000..6d0c29e
--- /dev/null
@@ -0,0 +1,77 @@
+From stable+bounces-186177-greg=kroah.com@vger.kernel.org Thu Oct 16 18:05:40 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Oct 2025 12:04:43 -0400
+Subject: ACPI: property: Do not pass NULL handles to acpi_attach_data()
+To: stable@vger.kernel.org
+Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>, Sakari Ailus <sakari.ailus@linux.intel.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251016160443.3328083-4-sashal@kernel.org>
+
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+
+[ Upstream commit baf60d5cb8bc6b85511c5df5f0ad7620bb66d23c ]
+
+In certain circumstances, the ACPI handle of a data-only node may be
+NULL, in which case it does not make sense to attempt to attach that
+node to an ACPI namespace object, so update the code to avoid attempts
+to do so.
+
+This prevents confusing and unuseful error messages from being printed.
+
+Also document the fact that the ACPI handle of a data-only node may be
+NULL and when that happens in a code comment.  In addition, make
+acpi_add_nondev_subnodes() print a diagnostic message for each data-only
+node with an unknown ACPI namespace scope.
+
+Fixes: 1d52f10917a7 ("ACPI: property: Tie data nodes to acpi handles")
+Cc: 6.0+ <stable@vger.kernel.org> # 6.0+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Tested-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/property.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/acpi/property.c
++++ b/drivers/acpi/property.c
+@@ -124,6 +124,10 @@ static bool acpi_nondev_subnode_extract(
+               result = true;
+       if (result) {
++              /*
++               * This will be NULL if the desc package is embedded in an outer
++               * _DSD-equivalent package and its scope cannot be determined.
++               */
+               dn->handle = handle;
+               dn->data.pointer = desc;
+               list_add_tail(&dn->sibling, list);
+@@ -224,6 +228,8 @@ static bool acpi_add_nondev_subnodes(acp
+                        * strings because there is no way to build full
+                        * pathnames out of them.
+                        */
++                      acpi_handle_debug(scope, "subnode %s: Unknown scope\n",
++                                        link->package.elements[0].string.pointer);
+                       desc = &link->package.elements[1];
+                       result = acpi_nondev_subnode_extract(desc, NULL, link,
+                                                            list, parent);
+@@ -396,6 +402,9 @@ static void acpi_untie_nondev_subnodes(s
+       struct acpi_data_node *dn;
+       list_for_each_entry(dn, &data->subnodes, sibling) {
++              if (!dn->handle)
++                      continue;
++
+               acpi_detach_data(dn->handle, acpi_nondev_subnode_tag);
+               acpi_untie_nondev_subnodes(&dn->data);
+@@ -410,6 +419,9 @@ static bool acpi_tie_nondev_subnodes(str
+               acpi_status status;
+               bool ret;
++              if (!dn->handle)
++                      continue;
++
+               status = acpi_attach_data(dn->handle, acpi_nondev_subnode_tag, dn);
+               if (ACPI_FAILURE(status) && status != AE_ALREADY_EXISTS) {
+                       acpi_handle_err(dn->handle, "Can't tag data node\n");
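Review bot: The `if (!dn->handle) continue;` added in acpi_untie_nondev_subnodes() skips the recursive `acpi_untie_nondev_subnodes(&dn->data)` call as well as the detach, so the children of a handle-less node are never visited. The same guard in acpi_tie_nondev_subnodes() presumably skips that function's recursion too, though the rest of its loop lies outside the hunk. This is safe only if every descendant of a node with a NULL handle also has a NULL handle, which I infer from how scope is derived from handle in acpi_nondev_subnode_extract() but which the patch does not state. A comment above each guard would record the invariant, for example `/* NULL handle means unknown scope; every subnode of dn is handle-less too, so nothing below it needs tying. */`.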
diff --git a/queue-6.17/arm64-dts-qcom-qcs615-add-missing-dt-property-in-qup-ses.patch b/queue-6.17/arm64-dts-qcom-qcs615-add-missing-dt-property-in-qup-ses.patch
new file mode 100644 (file)
index 0000000..a393831
--- /dev/null
@@ -0,0 +1,77 @@
+From stable+bounces-186202-greg=kroah.com@vger.kernel.org Thu Oct 16 21:38:08 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Oct 2025 15:38:01 -0400
+Subject: arm64: dts: qcom: qcs615: add missing dt property in QUP SEs
+To: stable@vger.kernel.org
+Cc: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>, Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>, Bjorn Andersson <andersson@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251016193801.3389185-1-sashal@kernel.org>
+
+From: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
+
+[ Upstream commit 6a5e9b9738a32229e2673d4eccfcbfe2ef3a1ab4 ]
+
+Add the missing required-opps and operating-points-v2 properties to
+several I2C, SPI, and UART nodes in the QUP SEs.
+
+Fixes: f6746dc9e379 ("arm64: dts: qcom: qcs615: Add QUPv3 configuration")
+Cc: stable@vger.kernel.org
+Signed-off-by: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250630064338.2487409-1-viken.dadhaniya@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/qcom/qcs615.dtsi |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/arm64/boot/dts/qcom/qcs615.dtsi
++++ b/arch/arm64/boot/dts/qcom/qcs615.dtsi
+@@ -631,6 +631,7 @@
+                               interconnect-names = "qup-core",
+                                                    "qup-config";
+                               power-domains = <&rpmhpd RPMHPD_CX>;
++                              operating-points-v2 = <&qup_opp_table>;
+                               status = "disabled";
+                       };
+@@ -654,6 +655,7 @@
+                                                    "qup-config",
+                                                    "qup-memory";
+                               power-domains = <&rpmhpd RPMHPD_CX>;
++                              required-opps = <&rpmhpd_opp_low_svs>;
+                               dmas = <&gpi_dma0 0 1 QCOM_GPI_I2C>,
+                                      <&gpi_dma0 1 1 QCOM_GPI_I2C>;
+                               dma-names = "tx",
+@@ -681,6 +683,7 @@
+                                                    "qup-config",
+                                                    "qup-memory";
+                               power-domains = <&rpmhpd RPMHPD_CX>;
++                              required-opps = <&rpmhpd_opp_low_svs>;
+                               dmas = <&gpi_dma0 0 2 QCOM_GPI_I2C>,
+                                      <&gpi_dma0 1 2 QCOM_GPI_I2C>;
+                               dma-names = "tx",
+@@ -703,6 +706,7 @@
+                               interconnect-names = "qup-core",
+                                                    "qup-config";
+                               power-domains = <&rpmhpd RPMHPD_CX>;
++                              operating-points-v2 = <&qup_opp_table>;
+                               dmas = <&gpi_dma0 0 2 QCOM_GPI_SPI>,
+                                      <&gpi_dma0 1 2 QCOM_GPI_SPI>;
+                               dma-names = "tx",
+@@ -728,6 +732,7 @@
+                               interconnect-names = "qup-core",
+                                                    "qup-config";
+                               power-domains = <&rpmhpd RPMHPD_CX>;
++                              operating-points-v2 = <&qup_opp_table>;
+                               status = "disabled";
+                       };
+@@ -751,6 +756,7 @@
+                                                    "qup-config",
+                                                    "qup-memory";
+                               power-domains = <&rpmhpd RPMHPD_CX>;
++                              required-opps = <&rpmhpd_opp_low_svs>;
+                               dmas = <&gpi_dma0 0 3 QCOM_GPI_I2C>,
+                                      <&gpi_dma0 1 3 QCOM_GPI_I2C>;
+                               dma-names = "tx",
diff --git a/queue-6.17/ext4-free-orphan-info-with-kvfree.patch b/queue-6.17/ext4-free-orphan-info-with-kvfree.patch
new file mode 100644 (file)
index 0000000..fcb9ecd
--- /dev/null
@@ -0,0 +1,43 @@
+From 971843c511c3c2f6eda96c6b03442913bfee6148 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 7 Oct 2025 15:49:37 +0200
+Subject: ext4: free orphan info with kvfree
+
+From: Jan Kara <jack@suse.cz>
+
+commit 971843c511c3c2f6eda96c6b03442913bfee6148 upstream.
+
+Orphan info is now getting allocated with kvmalloc_array(). Free it with
+kvfree() instead of kfree() to avoid complaints from mm.
+
+Reported-by: Chris Mason <clm@meta.com>
+Fixes: 0a6ce20c1564 ("ext4: verify orphan file size is not too big")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Message-ID: <20251007134936.7291-2-jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/orphan.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/orphan.c
++++ b/fs/ext4/orphan.c
+@@ -513,7 +513,7 @@ void ext4_release_orphan_info(struct sup
+               return;
+       for (i = 0; i < oi->of_blocks; i++)
+               brelse(oi->of_binfo[i].ob_bh);
+-      kfree(oi->of_binfo);
++      kvfree(oi->of_binfo);
+ }
+ static struct ext4_orphan_block_tail *ext4_orphan_block_tail(
+@@ -637,7 +637,7 @@ int ext4_init_orphan_info(struct super_b
+ out_free:
+       for (i--; i >= 0; i--)
+               brelse(oi->of_binfo[i].ob_bh);
+-      kfree(oi->of_binfo);
++      kvfree(oi->of_binfo);
+ out_put:
+       iput(inode);
+       return ret;
diff --git a/queue-6.17/ipmi-fix-handling-of-messages-with-provided-receive-message-pointer.patch b/queue-6.17/ipmi-fix-handling-of-messages-with-provided-receive-message-pointer.patch
new file mode 100644 (file)
index 0000000..aa8e756
--- /dev/null
@@ -0,0 +1,47 @@
+From e2c69490dda5d4c9f1bfbb2898989c8f3530e354 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Mon, 6 Oct 2025 13:18:57 -0700
+Subject: ipmi: Fix handling of messages with provided receive message pointer
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit e2c69490dda5d4c9f1bfbb2898989c8f3530e354 upstream.
+
+Prior to commit b52da4054ee0 ("ipmi: Rework user message limit handling"),
+i_ipmi_request() used to increase the user reference counter if the receive
+message is provided by the caller of IPMI API functions. This is no longer
+the case. However, ipmi_free_recv_msg() is still called and decreases the
+reference counter. This results in the reference counter reaching zero,
+the user data pointer is released, and all kinds of interesting crashes are
+seen.
+
+Fix the problem by increasing user reference counter if the receive message
+has been provided by the caller.
+
+Fixes: b52da4054ee0 ("ipmi: Rework user message limit handling")
+Reported-by: Eric Dumazet <edumazet@google.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Greg Thelen <gthelen@google.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Message-ID: <20251006201857.3433837-1-linux@roeck-us.net>
+Signed-off-by: Corey Minyard <corey@minyard.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_msghandler.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -2280,8 +2280,11 @@ static int i_ipmi_request(struct ipmi_us
+       if (supplied_recv) {
+               recv_msg = supplied_recv;
+               recv_msg->user = user;
+-              if (user)
++              if (user) {
+                       atomic_inc(&user->nr_msgs);
++                      /* The put happens when the message is freed. */
++                      kref_get(&user->refcount);
++              }
+       } else {
+               recv_msg = ipmi_alloc_recv_msg(user);
+               if (IS_ERR(recv_msg))
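Review bot: The reference taken by `kref_get(&user->refcount)` in the `supplied_recv` branch of i_ipmi_request() is balanced only if the message is eventually freed, and the function's later error returns are outside this hunk. It is worth confirming that every failure after this point still leads a caller-supplied recv_msg to the free routine, otherwise the extra reference and the `nr_msgs` increment would pin the user object. The comment could also name its counterpart, for example `/* Balanced by the put in ipmi_free_recv_msg(). */`, which matches what the commit message says about where the counter is decreased.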
diff --git a/queue-6.17/media-mc-clear-minor-number-before-put-device.patch b/queue-6.17/media-mc-clear-minor-number-before-put-device.patch
new file mode 100644 (file)
index 0000000..ad3a043
--- /dev/null
@@ -0,0 +1,51 @@
+From stable+bounces-185511-greg=kroah.com@vger.kernel.org Mon Oct 13 22:26:36 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 16:26:24 -0400
+Subject: media: mc: Clear minor number before put device
+To: stable@vger.kernel.org
+Cc: Edward Adam Davis <eadavis@qq.com>, syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com, Sakari Ailus <sakari.ailus@linux.intel.com>, Hans Verkuil <hverkuil+cisco@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251013202625.3590659-1-sashal@kernel.org>
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit 8cfc8cec1b4da88a47c243a11f384baefd092a50 ]
+
+The device minor should not be cleared after the device is released.
+
+Fixes: 9e14868dc952 ("media: mc: Clear minor number reservation at unregistration time")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=031d0cfd7c362817963f
+Tested-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+[ moved clear_bit from media_devnode_release callback to media_devnode_unregister before put_device ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/mc/mc-devnode.c |    6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/media/mc/mc-devnode.c
++++ b/drivers/media/mc/mc-devnode.c
+@@ -50,11 +50,6 @@ static void media_devnode_release(struct
+ {
+       struct media_devnode *devnode = to_media_devnode(cd);
+-      mutex_lock(&media_devnode_lock);
+-      /* Mark device node number as free */
+-      clear_bit(devnode->minor, media_devnode_nums);
+-      mutex_unlock(&media_devnode_lock);
+-
+       /* Release media_devnode and perform other cleanups as needed. */
+       if (devnode->release)
+               devnode->release(devnode);
+@@ -281,6 +276,7 @@ void media_devnode_unregister(struct med
+       /* Delete the cdev on this minor as well */
+       cdev_device_del(&devnode->cdev, &devnode->dev);
+       devnode->media_dev = NULL;
++      clear_bit(devnode->minor, media_devnode_nums);
+       mutex_unlock(&media_devnode_lock);
+       put_device(&devnode->dev);
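Review bot: With `clear_bit()` removed from media_devnode_release(), the minor is returned to `media_devnode_nums` only in media_devnode_unregister(), so any path that drops the last reference without calling unregister would leave the bit set. The registration error path is not part of this patch; it should be checked that it clears the minor itself before its own `put_device()`, because a leaked bit permanently shrinks the pool of minors. Both function bodies extend beyond the hunks shown. A short comment at the new line, such as `/* Free the minor here; the release callback no longer does it. */`, would keep the pairing visible.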
diff --git a/queue-6.17/mm-ksm-fix-incorrect-ksm-counter-handling-in-mm_struct-during-fork.patch b/queue-6.17/mm-ksm-fix-incorrect-ksm-counter-handling-in-mm_struct-during-fork.patch
new file mode 100644 (file)
index 0000000..abb038c
--- /dev/null
@@ -0,0 +1,104 @@
+From stable+bounces-185639-greg=kroah.com@vger.kernel.org Tue Oct 14 13:39:53 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Oct 2025 07:39:43 -0400
+Subject: mm/ksm: fix incorrect KSM counter handling in mm_struct during fork
+To: stable@vger.kernel.org
+Cc: Donet Tom <donettom@linux.ibm.com>, Chengming Zhou <chengming.zhou@linux.dev>, David Hildenbrand <david@redhat.com>, Aboorva Devarajan <aboorvad@linux.ibm.com>, "Ritesh Harjani (IBM)" <ritesh.list@gmail.com>, Wei Yang <richard.weiyang@gmail.com>, xu xin <xu.xin16@zte.com.cn>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251014113943.4156526-1-sashal@kernel.org>
+
+From: Donet Tom <donettom@linux.ibm.com>
+
+[ Upstream commit 4d6fc29f36341d7795db1d1819b4c15fe9be7b23 ]
+
+Patch series "mm/ksm: Fix incorrect accounting of KSM counters during
+fork", v3.
+
+The first patch in this series fixes the incorrect accounting of KSM
+counters such as ksm_merging_pages, ksm_rmap_items, and the global
+ksm_zero_pages during fork.
+
+The following patch add a selftest to verify the ksm_merging_pages counter
+was updated correctly during fork.
+
+Test Results
+============
+Without the first patch
+-----------------------
+ # [RUN] test_fork_ksm_merging_page_count
+ not ok 10 ksm_merging_page in child: 32
+
+With the first patch
+--------------------
+ # [RUN] test_fork_ksm_merging_page_count
+ ok 10 ksm_merging_pages is not inherited after fork
+
+This patch (of 2):
+
+Currently, the KSM-related counters in `mm_struct`, such as
+`ksm_merging_pages`, `ksm_rmap_items`, and `ksm_zero_pages`, are inherited
+by the child process during fork.  This results in inconsistent
+accounting.
+
+When a process uses KSM, identical pages are merged and an rmap item is
+created for each merged page.  The `ksm_merging_pages` and
+`ksm_rmap_items` counters are updated accordingly.  However, after a fork,
+these counters are copied to the child while the corresponding rmap items
+are not.  As a result, when the child later triggers an unmerge, there are
+no rmap items present in the child, so the counters remain stale, leading
+to incorrect accounting.
+
+A similar issue exists with `ksm_zero_pages`, which maintains both a
+global counter and a per-process counter.  During fork, the per-process
+counter is inherited by the child, but the global counter is not
+incremented.  Since the child also references zero pages, the global
+counter should be updated as well.  Otherwise, during zero-page unmerge,
+both the global and per-process counters are decremented, causing the
+global counter to become inconsistent.
+
+To fix this, ksm_merging_pages and ksm_rmap_items are reset to 0 during
+fork, and the global ksm_zero_pages counter is updated with the
+per-process ksm_zero_pages value inherited by the child.  This ensures
+that KSM statistics remain accurate and reflect the activity of each
+process correctly.
+
+Link: https://lkml.kernel.org/r/cover.1758648700.git.donettom@linux.ibm.com
+Link: https://lkml.kernel.org/r/7b9870eb67ccc0d79593940d9dbd4a0b39b5d396.1758648700.git.donettom@linux.ibm.com
+Fixes: 7609385337a4 ("ksm: count ksm merging pages for each process")
+Fixes: cb4df4cae4f2 ("ksm: count allocated ksm rmap_items for each process")
+Fixes: e2942062e01d ("ksm: count all zero pages placed by KSM")
+Signed-off-by: Donet Tom <donettom@linux.ibm.com>
+Reviewed-by: Chengming Zhou <chengming.zhou@linux.dev>
+Acked-by: David Hildenbrand <david@redhat.com>
+Cc: Aboorva Devarajan <aboorvad@linux.ibm.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Donet Tom <donettom@linux.ibm.com>
+Cc: "Ritesh Harjani (IBM)" <ritesh.list@gmail.com>
+Cc: Wei Yang <richard.weiyang@gmail.com>
+Cc: xu xin <xu.xin16@zte.com.cn>
+Cc: <stable@vger.kernel.org>   [6.6+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+[ replaced mm_flags_test() calls with test_bit() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/ksm.h |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/include/linux/ksm.h
++++ b/include/linux/ksm.h
+@@ -56,8 +56,14 @@ static inline long mm_ksm_zero_pages(str
+ static inline void ksm_fork(struct mm_struct *mm, struct mm_struct *oldmm)
+ {
+       /* Adding mm to ksm is best effort on fork. */
+-      if (test_bit(MMF_VM_MERGEABLE, &oldmm->flags))
++      if (test_bit(MMF_VM_MERGEABLE, &oldmm->flags)) {
++              long nr_ksm_zero_pages = atomic_long_read(&mm->ksm_zero_pages);
++
++              mm->ksm_merging_pages = 0;
++              mm->ksm_rmap_items = 0;
++              atomic_long_add(nr_ksm_zero_pages, &ksm_zero_pages);
+               __ksm_enter(mm);
++      }
+ }
+ static inline int ksm_execve(struct mm_struct *mm)
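Review bot: In ksm_fork() the new block reads `mm->ksm_zero_pages` from the child while testing `MMF_VM_MERGEABLE` on `oldmm`, and nothing in the code says that the child's counters are the copies inherited from the parent. A comment above the `atomic_long_read()` would make that intent clear, for example `/* mm's counters were copied from oldmm: rmap items are not inherited, zero pages are. */`. The global `ksm_zero_pages` is also incremented before `__ksm_enter(mm)`, which the existing comment describes as best effort. I cannot tell from the hunk whether a failed enter still leaves the accounting balanced, so that is worth checking.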
index f95d25b2739a344179145614e9105c55ab77f793..1de0ca9ed3d4309f8b223809315c57b6d5b115c8 100644 (file)
@@ -345,3 +345,13 @@ ext4-fix-an-off-by-one-issue-during-moving-extents.patch
 ext4-guard-against-ea-inode-refcount-underflow-in-xattr-update.patch
 ext4-validate-ea_ino-and-size-in-check_xattrs.patch
 acpica-allow-to-skip-global-lock-initialization.patch
+ext4-free-orphan-info-with-kvfree.patch
+ipmi-fix-handling-of-messages-with-provided-receive-message-pointer.patch
+squashfs-add-additional-inode-sanity-checking.patch
+squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch
+mm-ksm-fix-incorrect-ksm-counter-handling-in-mm_struct-during-fork.patch
+media-mc-clear-minor-number-before-put-device.patch
+arm64-dts-qcom-qcs615-add-missing-dt-property-in-qup-ses.patch
+acpi-property-disregard-references-in-data-only-subnode-lists.patch
+acpi-property-add-code-comments-explaining-what-is-going-on.patch
+acpi-property-do-not-pass-null-handles-to-acpi_attach_data.patch
diff --git a/queue-6.17/squashfs-add-additional-inode-sanity-checking.patch b/queue-6.17/squashfs-add-additional-inode-sanity-checking.patch
new file mode 100644 (file)
index 0000000..60f93fd
--- /dev/null
@@ -0,0 +1,90 @@
+From stable+bounces-185488-greg=kroah.com@vger.kernel.org Mon Oct 13 19:37:13 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 13:36:48 -0400
+Subject: Squashfs: add additional inode sanity checking
+To: stable@vger.kernel.org
+Cc: Phillip Lougher <phillip@squashfs.org.uk>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251013173649.3404578-1-sashal@kernel.org>
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+[ Upstream commit 9ee94bfbe930a1b39df53fa2d7b31141b780eb5a ]
+
+Patch series "Squashfs: performance improvement and a sanity check".
+
+This patchset adds an additional sanity check when reading regular file
+inodes, and adds support for SEEK_DATA/SEEK_HOLE lseek() whence values.
+
+This patch (of 2):
+
+Add an additional sanity check when reading regular file inodes.
+
+A regular file if the file size is an exact multiple of the filesystem
+block size cannot have a fragment.  This is because by definition a
+fragment block stores tailends which are not a whole block in size.
+
+Link: https://lkml.kernel.org/r/20250923220652.568416-1-phillip@squashfs.org.uk
+Link: https://lkml.kernel.org/r/20250923220652.568416-2-phillip@squashfs.org.uk
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 9f1c14c1de1b ("Squashfs: reject negative file sizes in squashfs_read_inode()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/squashfs/inode.c |   20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+--- a/fs/squashfs/inode.c
++++ b/fs/squashfs/inode.c
+@@ -140,8 +140,17 @@ int squashfs_read_inode(struct inode *in
+               if (err < 0)
+                       goto failed_read;
++              inode->i_size = le32_to_cpu(sqsh_ino->file_size);
+               frag = le32_to_cpu(sqsh_ino->fragment);
+               if (frag != SQUASHFS_INVALID_FRAG) {
++                      /*
++                       * the file cannot have a fragment (tailend) and have a
++                       * file size a multiple of the block size
++                       */
++                      if ((inode->i_size & (msblk->block_size - 1)) == 0) {
++                              err = -EINVAL;
++                              goto failed_read;
++                      }
+                       frag_offset = le32_to_cpu(sqsh_ino->offset);
+                       frag_size = squashfs_frag_lookup(sb, frag, &frag_blk);
+                       if (frag_size < 0) {
+@@ -155,7 +164,6 @@ int squashfs_read_inode(struct inode *in
+               }
+               set_nlink(inode, 1);
+-              inode->i_size = le32_to_cpu(sqsh_ino->file_size);
+               inode->i_fop = &generic_ro_fops;
+               inode->i_mode |= S_IFREG;
+               inode->i_blocks = ((inode->i_size - 1) >> 9) + 1;
+@@ -184,8 +192,17 @@ int squashfs_read_inode(struct inode *in
+               if (err < 0)
+                       goto failed_read;
++              inode->i_size = le64_to_cpu(sqsh_ino->file_size);
+               frag = le32_to_cpu(sqsh_ino->fragment);
+               if (frag != SQUASHFS_INVALID_FRAG) {
++                      /*
++                       * the file cannot have a fragment (tailend) and have a
++                       * file size a multiple of the block size
++                       */
++                      if ((inode->i_size & (msblk->block_size - 1)) == 0) {
++                              err = -EINVAL;
++                              goto failed_read;
++                      }
+                       frag_offset = le32_to_cpu(sqsh_ino->offset);
+                       frag_size = squashfs_frag_lookup(sb, frag, &frag_blk);
+                       if (frag_size < 0) {
+@@ -200,7 +217,6 @@ int squashfs_read_inode(struct inode *in
+               xattr_id = le32_to_cpu(sqsh_ino->xattr);
+               set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+-              inode->i_size = le64_to_cpu(sqsh_ino->file_size);
+               inode->i_op = &squashfs_inode_ops;
+               inode->i_fop = &generic_ro_fops;
+               inode->i_mode |= S_IFREG;
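Review bot: The new test `(inode->i_size & (msblk->block_size - 1)) == 0`, added in both the `@@ -140` and `@@ -184` hunks of fs/squashfs/inode.c, is a valid multiple-of-block-size check only if `msblk->block_size` is a power of two, and the comment above it does not say where that is guaranteed. The value comes from the on-disk superblock, so the check presumably relies on mount-time validation that is not visible here; that is worth confirming and stating. The test also rejects a zero-length file that carries a fragment index, which the comment does not mention. I would extend the comment to something like `/* block_size is a power of two (checked at mount - confirm); a size of 0 or any whole multiple of it cannot have a tailend fragment */`. The same eight lines are duplicated in both branches, and squashfs_read_inode() starts and ends outside these hunks.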
diff --git a/queue-6.17/squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch b/queue-6.17/squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch
new file mode 100644 (file)
index 0000000..8bbdce6
--- /dev/null
@@ -0,0 +1,48 @@
+From stable+bounces-185489-greg=kroah.com@vger.kernel.org Mon Oct 13 19:37:15 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Oct 2025 13:36:49 -0400
+Subject: Squashfs: reject negative file sizes in squashfs_read_inode()
+To: stable@vger.kernel.org
+Cc: Phillip Lougher <phillip@squashfs.org.uk>, syzbot+f754e01116421e9754b9@syzkaller.appspotmail.com, Amir Goldstein <amir73il@gmail.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251013173649.3404578-2-sashal@kernel.org>
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+[ Upstream commit 9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b ]
+
+Syskaller reports a "WARNING in ovl_copy_up_file" in overlayfs.
+
+This warning is ultimately caused because the underlying Squashfs file
+system returns a file with a negative file size.
+
+This commit checks for a negative file size and returns EINVAL.
+
+[phillip@squashfs.org.uk: only need to check 64 bit quantity]
+  Link: https://lkml.kernel.org/r/20250926222305.110103-1-phillip@squashfs.org.uk
+Link: https://lkml.kernel.org/r/20250926215935.107233-1-phillip@squashfs.org.uk
+Fixes: 6545b246a2c8 ("Squashfs: inode operations")
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Reported-by: syzbot+f754e01116421e9754b9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68d580e5.a00a0220.303701.0019.GAE@google.com/
+Cc: Amir Goldstein <amir73il@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/squashfs/inode.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/squashfs/inode.c
++++ b/fs/squashfs/inode.c
+@@ -193,6 +193,10 @@ int squashfs_read_inode(struct inode *in
+                       goto failed_read;
+               inode->i_size = le64_to_cpu(sqsh_ino->file_size);
++              if (inode->i_size < 0) {
++                      err = -EINVAL;
++                      goto failed_read;
++              }
+               frag = le32_to_cpu(sqsh_ino->fragment);
+               if (frag != SQUASHFS_INVALID_FRAG) {
+                       /*