From 222047f68e8565c558728f792f6fef152a1d4d51 Mon Sep 17 00:00:00 2001 From: "Rafael J. Wysocki" Date: Tue, 2 Dec 2025 19:27:29 +0100 Subject: [PATCH 1/6] fs: PM: Fix reverse check in filesystems_freeze_callback() The freeze_all_ptr check in filesystems_freeze_callback() introduced by commit a3f8f8662771 ("power: always freeze efivarfs") is reverse which quite confusingly causes all file systems to be frozen when filesystem_freeze_enabled is false. On my systems it causes the WARN_ON_ONCE() in __set_task_frozen() to trigger, most likely due to an attempt to freeze a file system that is not ready for that. Add a logical negation to the check in question to reverse it as appropriate. Fixes: a3f8f8662771 ("power: always freeze efivarfs") Cc: 6.18+ # 6.18+ Signed-off-by: Rafael J. Wysocki Link: https://patch.msgid.link/12788397.O9o76ZdvQC@rafael.j.wysocki Signed-off-by: Christian Brauner --- fs/super.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/super.c b/fs/super.c index 7c66b96b59be..9197e0ba54dd 100644 --- a/fs/super.c +++ b/fs/super.c @@ -1189,7 +1189,7 @@ static void filesystems_freeze_callback(struct super_block *sb, void *freeze_all if (!sb->s_op->freeze_fs && !sb->s_op->freeze_super) return; - if (freeze_all_ptr && !(sb->s_type->fs_flags & FS_POWER_FREEZE)) + if (!freeze_all_ptr && !(sb->s_type->fs_flags & FS_POWER_FREEZE)) return; if (!get_active_super(sb)) From aa8aba61d4e17e23ae048098b81f65840a7d5722 Mon Sep 17 00:00:00 2001 From: Mateusz Guzik Date: Mon, 1 Dec 2025 14:20:37 +0100 Subject: [PATCH 2/6] fs: assert on I_FREEING not being set in iput() and iput_not_last() Signed-off-by: Mateusz Guzik Link: https://patch.msgid.link/20251201132037.22835-1-mjguzik@gmail.com Reviewed-by: Jan Kara Signed-off-by: Christian Brauner --- fs/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/inode.c b/fs/inode.c index cc8265cfe80e..521383223d8a 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -1968,7 +1968,7 @@ void iput(struct inode *inode) retry: lockdep_assert_not_held(&inode->i_lock); - VFS_BUG_ON_INODE(inode_state_read_once(inode) & I_CLEAR, inode); + VFS_BUG_ON_INODE(inode_state_read_once(inode) & (I_FREEING | I_CLEAR), inode); /* * Note this assert is technically racy as if the count is bogusly * equal to one, then two CPUs racing to further drop it can both @@ -2010,6 +2010,7 @@ EXPORT_SYMBOL(iput); */ void iput_not_last(struct inode *inode) { + VFS_BUG_ON_INODE(inode_state_read_once(inode) & (I_FREEING | I_CLEAR), inode); VFS_BUG_ON_INODE(atomic_read(&inode->i_count) < 2, inode); WARN_ON(atomic_sub_return(1, &inode->i_count) == 0); From b6cb3ccef6e1e275f238d7ecc5986fd6b993e870 Mon Sep 17 00:00:00 2001 From: Ian Kent Date: Tue, 11 Nov 2025 14:04:38 +0800 Subject: [PATCH 3/6] autofs: fix per-dentry timeout warning The check that determines if the message that warns about the per-dentry timeout being greater than the super block timeout is not correct. The initial value for this field is -1 and the type of the field is unsigned long. I could change the type to long but the message is in the wrong place too, it should come after the timeout setting. So leave everything else as it is and move the message and check the timeout is actually set as an additional condition on issuing the message. Also fix the timeout comparison. Signed-off-by: Ian Kent Link: https://patch.msgid.link/20251111060439.19593-2-raven@themaw.net Signed-off-by: Christian Brauner --- fs/autofs/dev-ioctl.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/fs/autofs/dev-ioctl.c b/fs/autofs/dev-ioctl.c index a58f9248b0f5..6743b3b64217 100644 --- a/fs/autofs/dev-ioctl.c +++ b/fs/autofs/dev-ioctl.c @@ -432,16 +432,6 @@ static int autofs_dev_ioctl_timeout(struct file *fp, if (!autofs_type_indirect(sbi->type)) return -EINVAL; - /* An expire timeout greater than the superblock timeout - * could be a problem at shutdown but the super block - * timeout itself can change so all we can really do is - * warn the user. - */ - if (timeout >= sbi->exp_timeout) - pr_warn("per-mount expire timeout is greater than " - "the parent autofs mount timeout which could " - "prevent shutdown\n"); - dentry = try_lookup_noperm(&QSTR_LEN(param->path, path_len), base); if (IS_ERR_OR_NULL(dentry)) @@ -470,6 +460,18 @@ static int autofs_dev_ioctl_timeout(struct file *fp, ino->flags |= AUTOFS_INF_EXPIRE_SET; ino->exp_timeout = timeout * HZ; } + + /* An expire timeout greater than the superblock timeout + * could be a problem at shutdown but the super block + * timeout itself can change so all we can really do is + * warn the user. + */ + if (ino->flags & AUTOFS_INF_EXPIRE_SET && + ino->exp_timeout > sbi->exp_timeout) + pr_warn("per-mount expire timeout is greater than " + "the parent autofs mount timeout which could " + "prevent shutdown\n"); + dput(dentry); } From afb9917d9b374ecb77d478c2a052e20875c6e232 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Fri, 5 Dec 2025 13:50:31 +0100 Subject: [PATCH 4/6] Revert "net/socket: convert sock_map_fd() to FD_ADD()" This reverts commit 245f0d1c622b0183ce4f44b3e39aeacf78fae594. When allocating a file sock_alloc_file() consumes the socket reference unconditionally which isn't correctly handled in the conversion. This can be fixed by massaging this appropriately but this is best left for next cycle. Reported-by: Xin Long Link: https://lore.kernel.org/CADvbK_ewub4ZZK-tZg8GBQbDFHWhd9a48C+AFXZ93pMsssCrUg@mail.gmail.com Signed-off-by: Christian Brauner --- net/socket.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/net/socket.c b/net/socket.c index e1bf93508f05..acd8fa6ffa66 100644 --- a/net/socket.c +++ b/net/socket.c @@ -503,12 +503,21 @@ EXPORT_SYMBOL(sock_alloc_file); static int sock_map_fd(struct socket *sock, int flags) { - int fd; - - fd = FD_ADD(flags, sock_alloc_file(sock, flags, NULL)); - if (fd < 0) + struct file *newfile; + int fd = get_unused_fd_flags(flags); + if (unlikely(fd < 0)) { sock_release(sock); - return fd; + return fd; + } + + newfile = sock_alloc_file(sock, flags, NULL); + if (!IS_ERR(newfile)) { + fd_install(fd, newfile); + return fd; + } + + put_unused_fd(fd); + return PTR_ERR(newfile); } /** From 8cf01d0c4372ef5777d20c3c3a83936fd1c670f8 Mon Sep 17 00:00:00 2001 From: Edward Adam Davis Date: Thu, 4 Dec 2025 21:16:22 +0800 Subject: [PATCH 5/6] mqueue: correct the type of ro to int The ro variable, being of type bool, caused the -EROFS return value from mnt_want_write() to be implicitly converted to 1. This prevented the file from being correctly acquired, thus triggering the issue reported by syzbot [1]. Changing the type of ro to int allows the system to correctly identify the reason for the file open failure. [1] KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047] Call Trace: do_mq_open+0x5a0/0x770 ipc/mqueue.c:932 __do_sys_mq_open ipc/mqueue.c:945 [inline] __se_sys_mq_open ipc/mqueue.c:938 [inline] __x64_sys_mq_open+0x16a/0x1c0 ipc/mqueue.c:938 Fixes: f2573685bd0c ("ipc: convert do_mq_open() to FD_ADD()") Reported-by: syzbot+40f42779048f7476e2e0@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=40f42779048f7476e2e0 Tested-by: syzbot+40f42779048f7476e2e0@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis Link: https://patch.msgid.link/tencent_369728EA76ED36CD98793A6D942C956C4C0A@qq.com Reviewed-by: Jan Kara Signed-off-by: Christian Brauner --- ipc/mqueue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipc/mqueue.c b/ipc/mqueue.c index 56e811f9e5fa..90664d26ec07 100644 --- a/ipc/mqueue.c +++ b/ipc/mqueue.c @@ -893,7 +893,7 @@ static int prepare_open(struct dentry *dentry, int oflag, int ro, } static struct file *mqueue_file_open(struct filename *name, - struct vfsmount *mnt, int oflag, bool ro, + struct vfsmount *mnt, int oflag, int ro, umode_t mode, struct mq_attr *attr) { struct dentry *dentry; From fe93446b5ebdaa89a8f97b15668c077921a65140 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= Date: Wed, 3 Dec 2025 14:57:57 +0100 Subject: [PATCH 6/6] vfs: use UAPI types for new struct delegation definition MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Using libc types and headers from the UAPI headers is problematic as it introduces a dependency on a full C toolchain. Use the fixed-width integer types provided by the UAPI headers instead. Fixes: 1602bad16d7d ("vfs: expose delegation support to userland") Fixes: 4be9e04ebf75 ("vfs: add needed headers for new struct delegation definition") Signed-off-by: Thomas Weißschuh Link: https://patch.msgid.link/20251203-uapi-fcntl-v1-1-490c67bf3425@linutronix.de Acked-by: Arnd Bergmann Acked-by: Jeff Layton Signed-off-by: Christian Brauner --- include/uapi/linux/fcntl.h | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/include/uapi/linux/fcntl.h b/include/uapi/linux/fcntl.h index 5e277fd955aa..aadfbf6e0cb3 100644 --- a/include/uapi/linux/fcntl.h +++ b/include/uapi/linux/fcntl.h @@ -4,11 +4,7 @@ #include #include -#ifdef __KERNEL__ #include -#else -#include -#endif #define F_SETLEASE (F_LINUX_SPECIFIC_BASE + 0) #define F_GETLEASE (F_LINUX_SPECIFIC_BASE + 1) @@ -90,9 +86,9 @@ /* Argument structure for F_GETDELEG and F_SETDELEG */ struct delegation { - uint32_t d_flags; /* Must be 0 */ - uint16_t d_type; /* F_RDLCK, F_WRLCK, F_UNLCK */ - uint16_t __pad; /* Must be 0 */ + __u32 d_flags; /* Must be 0 */ + __u16 d_type; /* F_RDLCK, F_WRLCK, F_UNLCK */ + __u16 __pad; /* Must be 0 */ }; /*