From: Greg Kroah-Hartman Date: Tue, 22 Apr 2025 14:06:19 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.1.135~31 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ec816dff693f33dd3ae9bbdcb19d7d9faef29720;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: dm-cache-fix-flushing-uninitialized-delayed_work-on-cache_ctr-error.patch drm-i915-gt-cleanup-partial-engine-discovery-failures.patch fs-proc-do_task_stat-use-sig-stats_lock-to-gather-the-threads-children-stats.patch jfs-fix-shift-out-of-bounds-in-dbdiscardag.patch kernel-resource-fix-kfree-of-bootmem-memory-again.patch mips-cevt-ds1287-add-missing-ds1287.h-include.patch mips-dec-declare-which_prom-as-static.patch mips-ds1287-match-ds1287_set_base_clock-function-types.patch mm-fix-apply_to_existing_page_range.patch vfio-pci-fix-memory-leak-during-d3hot-to-d0-transition.patch --- diff --git a/queue-5.10/dm-cache-fix-flushing-uninitialized-delayed_work-on-cache_ctr-error.patch b/queue-5.10/dm-cache-fix-flushing-uninitialized-delayed_work-on-cache_ctr-error.patch new file mode 100644 index 0000000000..a35664aa6a --- /dev/null +++ b/queue-5.10/dm-cache-fix-flushing-uninitialized-delayed_work-on-cache_ctr-error.patch 
@@ -0,0 +1,108 @@ +From 135496c208ba26fd68cdef10b64ed7a91ac9a7ff Mon Sep 17 00:00:00 2001 +From: Ming-Hung Tsai +Date: Tue, 22 Oct 2024 15:12:49 +0800 +Subject: dm cache: fix flushing uninitialized delayed_work on cache_ctr error + +From: Ming-Hung Tsai + +commit 135496c208ba26fd68cdef10b64ed7a91ac9a7ff upstream. + +An unexpected WARN_ON from flush_work() may occur when cache creation +fails, caused by destroying the uninitialized delayed_work waker in the +error path of cache_create(). For example, the warning appears on the +superblock checksum error. + +Reproduce steps: + +dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" +dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" +dmsetup create corig --table "0 524288 linear /dev/sdc 262144" +dd if=/dev/urandom of=/dev/mapper/cmeta bs=4k count=1 oflag=direct +dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ +/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" + +Kernel logs: + +(snip) +WARNING: CPU: 0 PID: 84 at kernel/workqueue.c:4178 __flush_work+0x5d4/0x890 + +Fix by pulling out the cancel_delayed_work_sync() from the constructor's +error path. This patch doesn't affect the use-after-free fix for +concurrent dm_resume and dm_destroy (commit 6a459d8edbdb ("dm cache: Fix +UAF in destroy()")) as cache_dtr is not changed. + +Signed-off-by: Ming-Hung Tsai +Fixes: 6a459d8edbdb ("dm cache: Fix UAF in destroy()") +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Acked-by: Joe Thornber +Signed-off-by: Ilia Gavrilov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-cache-target.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/drivers/md/dm-cache-target.c ++++ b/drivers/md/dm-cache-target.c +@@ -1960,16 +1960,13 @@ static void check_migrations(struct work + * This function gets called on the error paths of the constructor, so we + * have to cope with a partially initialised struct. 
+ */ +-static void destroy(struct cache *cache) ++static void __destroy(struct cache *cache) + { +- unsigned i; +- + mempool_exit(&cache->migration_pool); + + if (cache->prison) + dm_bio_prison_destroy_v2(cache->prison); + +- cancel_delayed_work_sync(&cache->waker); + if (cache->wq) + destroy_workqueue(cache->wq); + +@@ -1997,13 +1994,22 @@ static void destroy(struct cache *cache) + if (cache->policy) + dm_cache_policy_destroy(cache->policy); + ++ bioset_exit(&cache->bs); ++ ++ kfree(cache); ++} ++ ++static void destroy(struct cache *cache) ++{ ++ unsigned int i; ++ ++ cancel_delayed_work_sync(&cache->waker); ++ + for (i = 0; i < cache->nr_ctr_args ; i++) + kfree(cache->ctr_args[i]); + kfree(cache->ctr_args); + +- bioset_exit(&cache->bs); +- +- kfree(cache); ++ __destroy(cache); + } + + static void cache_dtr(struct dm_target *ti) +@@ -2616,7 +2622,7 @@ static int cache_create(struct cache_arg + *result = cache; + return 0; + bad: +- destroy(cache); ++ __destroy(cache); + return r; + } + +@@ -2667,7 +2673,7 @@ static int cache_ctr(struct dm_target *t + + r = copy_ctr_args(cache, argc - 3, (const char **)argv + 3); + if (r) { +- destroy(cache); ++ __destroy(cache); + goto out; + } + diff --git a/queue-5.10/drm-i915-gt-cleanup-partial-engine-discovery-failures.patch b/queue-5.10/drm-i915-gt-cleanup-partial-engine-discovery-failures.patch new file mode 100644 index 0000000000..eb4f12a250 --- /dev/null +++ b/queue-5.10/drm-i915-gt-cleanup-partial-engine-discovery-failures.patch 
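Review bot: After the split, destroy() has no comment of its own, while the existing block comment about coping with a partially initialised struct now describes only __destroy(); a reader of cache_dtr() should not have to diff the two to see which one a fully built cache needs. Suggest above destroy(): `/* Full teardown of a successfully constructed cache: stop the waker and free the ctr args, then release everything else via __destroy(). */`. The cache_ctr() error path now calls __destroy() after cache_create() has returned success, so the waker is initialised at that point but presumably not yet scheduled (that is what makes skipping cancel_delayed_work_sync() there safe) — worth a one-line comment at that call, since it is the only caller of __destroy() on a fully initialised struct. cache_create() and cache_ctr() both begin and end outside their hunks.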
@@ -0,0 +1,47 @@ +From 78a033433a5ae4fee85511ee075bc9a48312c79e Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Thu, 15 Sep 2022 16:26:51 -0700 +Subject: drm/i915/gt: Cleanup partial engine discovery failures + +From: Chris Wilson + +commit 78a033433a5ae4fee85511ee075bc9a48312c79e upstream. + +If we abort driver initialisation in the middle of gt/engine discovery, +some engines will be fully setup and some not. Those incompletely setup +engines only have 'engine->release == NULL' and so will leak any of the +common objects allocated. + +v2: + - Drop the destroy_pinned_context() helper for now. It's not really + worth it with just a single callsite at the moment. (Janusz) + +Signed-off-by: Chris Wilson +Cc: Janusz Krzysztofik +Signed-off-by: Matt Roper +Reviewed-by: Janusz Krzysztofik +Link: https://patchwork.freedesktop.org/patch/msgid/20220915232654.3283095-2-matthew.d.roper@intel.com +Signed-off-by: Zhi Yang +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gt/intel_engine_cs.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c ++++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c +@@ -904,8 +904,13 @@ int intel_engines_init(struct intel_gt * + return err; + + err = setup(engine); +- if (err) ++ if (err) { ++ intel_engine_cleanup_common(engine); + return err; ++ } ++ ++ /* The backend should now be responsible for cleanup */ ++ GEM_BUG_ON(engine->release == NULL); + + err = engine_init_common(engine); + if (err) diff --git a/queue-5.10/fs-proc-do_task_stat-use-sig-stats_lock-to-gather-the-threads-children-stats.patch b/queue-5.10/fs-proc-do_task_stat-use-sig-stats_lock-to-gather-the-threads-children-stats.patch new file mode 100644 index 0000000000..9a39bedaf3 --- /dev/null +++ b/queue-5.10/fs-proc-do_task_stat-use-sig-stats_lock-to-gather-the-threads-children-stats.patch 
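Review bot: The new failure branch calls intel_engine_cleanup_common() unconditionally, which assumes no backend setup() already tears down the common state on its own error path; if a backend does (and a 5.10 backend may differ from the tree this was written against), the sched_engine/breadcrumbs would be released twice. The GEM_BUG_ON() below documents the success-side contract but nothing documents the failure-side one, so suggest a comment on the cleanup call such as `/* setup() failed without installing ->release: the backend did not take ownership, so tear down the common state here */`, and confirm each backend's setup() error path against it. intel_engines_init() begins and ends outside the hunk.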
@@ -0,0 +1,126 @@ +From 7601df8031fd67310af891897ef6cc0df4209305 Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Tue, 23 Jan 2024 16:33:57 +0100 +Subject: fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats + +From: Oleg Nesterov + +commit 7601df8031fd67310af891897ef6cc0df4209305 upstream. + +lock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call +do_task_stat() at the same time and the process has NR_THREADS, it will +spin with irqs disabled O(NR_CPUS * NR_THREADS) time. + +Change do_task_stat() to use sig->stats_lock to gather the statistics +outside of ->siglock protected section, in the likely case this code will +run lockless. + +Link: https://lkml.kernel.org/r/20240123153357.GA21857@redhat.com +Signed-off-by: Oleg Nesterov +Signed-off-by: Dylan Hatch +Cc: Eric W. Biederman +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +Signed-off-by: David Sauerwein +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/array.c | 52 ++++++++++++++++++++++++++++++---------------------- + 1 file changed, 30 insertions(+), 22 deletions(-) + +--- a/fs/proc/array.c ++++ b/fs/proc/array.c +@@ -443,12 +443,12 @@ static int do_task_stat(struct seq_file + int permitted; + struct mm_struct *mm; + unsigned long long start_time; +- unsigned long cmin_flt = 0, cmaj_flt = 0; +- unsigned long min_flt = 0, maj_flt = 0; +- u64 cutime, cstime, utime, stime; +- u64 cgtime, gtime; ++ unsigned long cmin_flt, cmaj_flt, min_flt, maj_flt; ++ u64 cutime, cstime, cgtime, utime, stime, gtime; + unsigned long rsslim = 0; + unsigned long flags; ++ struct signal_struct *sig = task->signal; ++ unsigned int seq = 1; + + state = *get_task_state(task); + vsize = eip = esp = 0; +@@ -476,12 +476,9 @@ static int do_task_stat(struct seq_file + + sigemptyset(&sigign); + sigemptyset(&sigcatch); +- cutime = cstime = utime = stime = 0; +- cgtime = gtime = 0; ++ utime = stime = 0; + + if (lock_task_sighand(task, &flags)) { +- struct signal_struct *sig = 
task->signal; +- + if (sig->tty) { + struct pid *pgrp = tty_get_pgrp(sig->tty); + tty_pgrp = pid_nr_ns(pgrp, ns); +@@ -492,37 +489,48 @@ static int do_task_stat(struct seq_file + num_threads = get_nr_threads(task); + collect_sigign_sigcatch(task, &sigign, &sigcatch); + ++ rsslim = READ_ONCE(sig->rlim[RLIMIT_RSS].rlim_cur); ++ ++ sid = task_session_nr_ns(task, ns); ++ ppid = task_tgid_nr_ns(task->real_parent, ns); ++ pgid = task_pgrp_nr_ns(task, ns); ++ ++ unlock_task_sighand(task, &flags); ++ } ++ ++ if (permitted && (!whole || num_threads < 2)) ++ wchan = get_wchan(task); ++ ++ do { ++ seq++; /* 2 on the 1st/lockless path, otherwise odd */ ++ flags = read_seqbegin_or_lock_irqsave(&sig->stats_lock, &seq); ++ + cmin_flt = sig->cmin_flt; + cmaj_flt = sig->cmaj_flt; + cutime = sig->cutime; + cstime = sig->cstime; + cgtime = sig->cgtime; +- rsslim = READ_ONCE(sig->rlim[RLIMIT_RSS].rlim_cur); + +- /* add up live thread stats at the group level */ + if (whole) { + struct task_struct *t = task; ++ ++ min_flt = sig->min_flt; ++ maj_flt = sig->maj_flt; ++ gtime = sig->gtime; ++ ++ rcu_read_lock(); + do { + min_flt += t->min_flt; + maj_flt += t->maj_flt; + gtime += task_gtime(t); + } while_each_thread(task, t); ++ rcu_read_unlock(); + +- min_flt += sig->min_flt; +- maj_flt += sig->maj_flt; + thread_group_cputime_adjusted(task, &utime, &stime); +- gtime += sig->gtime; + } ++ } while (need_seqretry(&sig->stats_lock, seq)); ++ done_seqretry_irqrestore(&sig->stats_lock, seq, flags); + +- sid = task_session_nr_ns(task, ns); +- ppid = task_tgid_nr_ns(task->real_parent, ns); +- pgid = task_pgrp_nr_ns(task, ns); +- +- unlock_task_sighand(task, &flags); +- } +- +- if (permitted && (!whole || num_threads < 2)) +- wchan = get_wchan(task); + if (!whole) { + min_flt = task->min_flt; + maj_flt = task->maj_flt; 
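Review bot: min_flt, maj_flt and gtime lose their zero initialisers in the first hunk and are now assigned only inside the `if (whole)` branch of the seqretry loop, so the `!whole` branch that the last hunk cuts off must assign all three; the visible tail assigns min_flt and maj_flt, and gtime presumably follows as it did before the change, otherwise it is read uninitialised on the single-thread path. Since the loop body can run more than once, every output it produces is re-initialised at the top of the body rather than accumulated, which is correct but non-obvious; suggest on the `do {` line: `/* stats_lock is a seqlock: the body may run more than once, so assign, never accumulate across iterations */`. do_task_stat() begins and ends outside the hunks.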
diff --git a/queue-5.10/jfs-fix-shift-out-of-bounds-in-dbdiscardag.patch b/queue-5.10/jfs-fix-shift-out-of-bounds-in-dbdiscardag.patch new file mode 100644 index 0000000000..9d76f5127f --- /dev/null +++ b/queue-5.10/jfs-fix-shift-out-of-bounds-in-dbdiscardag.patch @@ -0,0 +1,37 @@ +From 7063b80268e2593e58bee8a8d709c2f3ff93e2f2 Mon Sep 17 00:00:00 2001 +From: Pei Li +Date: Tue, 25 Jun 2024 09:42:05 -0700 +Subject: jfs: Fix shift-out-of-bounds in dbDiscardAG + +From: Pei Li + +commit 7063b80268e2593e58bee8a8d709c2f3ff93e2f2 upstream. + +When searching for the next smaller log2 block, BLKSTOL2() returned 0, +causing shift exponent -1 to be negative. + +This patch fixes the issue by exiting the loop directly when negative +shift is found. + +Reported-by: syzbot+61be3359d2ee3467e7e4@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=61be3359d2ee3467e7e4 +Signed-off-by: Pei Li +Signed-off-by: Dave Kleikamp +Signed-off-by: Zhi Yang +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + fs/jfs/jfs_dmap.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -1698,6 +1698,8 @@ s64 dbDiscardAG(struct inode *ip, int ag + } else if (rc == -ENOSPC) { + /* search for next smaller log2 block */ + l2nb = BLKSTOL2(nblocks) - 1; ++ if (unlikely(l2nb < 0)) ++ break; + nblocks = 1LL << l2nb; + } else { + /* Trim any already allocated blocks */ diff --git a/queue-5.10/kernel-resource-fix-kfree-of-bootmem-memory-again.patch b/queue-5.10/kernel-resource-fix-kfree-of-bootmem-memory-again.patch new file mode 100644 index 0000000000..4e98900aff --- /dev/null +++ b/queue-5.10/kernel-resource-fix-kfree-of-bootmem-memory-again.patch 
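Review bot: The new guard only tests the sign of the shift count and gives no hint why it can go negative; suggest `/* BLKSTOL2() is 0 for a single block, so there is no smaller power of two to retry with */` above the `if (unlikely(l2nb < 0))`. The `break` leaves the loop with whatever has been trimmed so far, which matches the other `else` branch, assuming dbDiscardAG() returns the accumulated count after the loop — the function begins and ends outside the hunk, so that cannot be confirmed here.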
@@ -0,0 +1,93 @@ +From 0cbcc92917c5de80f15c24d033566539ad696892 Mon Sep 17 00:00:00 2001 +From: Miaohe Lin +Date: Wed, 23 Mar 2022 16:07:18 -0700 +Subject: kernel/resource: fix kfree() of bootmem memory again + +From: Miaohe Lin + +commit 0cbcc92917c5de80f15c24d033566539ad696892 upstream. + +Since commit ebff7d8f270d ("mem hotunplug: fix kfree() of bootmem +memory"), we could get a resource allocated during boot via +alloc_resource(). And it's required to release the resource using +free_resource(). Howerver, many people use kfree directly which will +result in kernel BUG. In order to fix this without fixing every call +site, just leak a couple of bytes in such corner case. + +Link: https://lkml.kernel.org/r/20220217083619.19305-1-linmiaohe@huawei.com +Fixes: ebff7d8f270d ("mem hotunplug: fix kfree() of bootmem memory") +Signed-off-by: Miaohe Lin +Suggested-by: David Hildenbrand +Cc: Dan Williams +Cc: Alistair Popple +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: David Sauerwein +Signed-off-by: Greg Kroah-Hartman +--- + kernel/resource.c | 41 ++++++++--------------------------------- + 1 file changed, 8 insertions(+), 33 deletions(-) + +--- a/kernel/resource.c ++++ b/kernel/resource.c +@@ -53,14 +53,6 @@ struct resource_constraint { + + static DEFINE_RWLOCK(resource_lock); + +-/* +- * For memory hotplug, there is no way to free resource entries allocated +- * by boot mem after the system is up. So for reusing the resource entry +- * we need to remember the resource. 
+- */ +-static struct resource *bootmem_resource_free; +-static DEFINE_SPINLOCK(bootmem_resource_lock); +- + static struct resource *next_resource(struct resource *p, bool sibling_only) + { + /* Caller wants to traverse through siblings only */ +@@ -149,36 +141,19 @@ __initcall(ioresources_init); + + static void free_resource(struct resource *res) + { +- if (!res) +- return; +- +- if (!PageSlab(virt_to_head_page(res))) { +- spin_lock(&bootmem_resource_lock); +- res->sibling = bootmem_resource_free; +- bootmem_resource_free = res; +- spin_unlock(&bootmem_resource_lock); +- } else { ++ /** ++ * If the resource was allocated using memblock early during boot ++ * we'll leak it here: we can only return full pages back to the ++ * buddy and trying to be smart and reusing them eventually in ++ * alloc_resource() overcomplicates resource handling. ++ */ ++ if (res && PageSlab(virt_to_head_page(res))) + kfree(res); +- } + } + + static struct resource *alloc_resource(gfp_t flags) + { +- struct resource *res = NULL; +- +- spin_lock(&bootmem_resource_lock); +- if (bootmem_resource_free) { +- res = bootmem_resource_free; +- bootmem_resource_free = res->sibling; +- } +- spin_unlock(&bootmem_resource_lock); +- +- if (res) +- memset(res, 0, sizeof(struct resource)); +- else +- res = kzalloc(sizeof(struct resource), flags); +- +- return res; ++ return kzalloc(sizeof(struct resource), flags); + } + + /* Return the conflict entry if you can't request it */ diff --git a/queue-5.10/mips-cevt-ds1287-add-missing-ds1287.h-include.patch b/queue-5.10/mips-cevt-ds1287-add-missing-ds1287.h-include.patch new file mode 100644 index 0000000000..c26036ac9e --- /dev/null +++ b/queue-5.10/mips-cevt-ds1287-add-missing-ds1287.h-include.patch 
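Review bot: The comment added inside free_resource() opens with `/**`, the kernel-doc marker, which is meant for documenting functions and structs at file scope; inside a function body it should be a plain `/*` block, otherwise kernel-doc tooling may try to parse it. Its wording ("allocated using memblock") also describes more than the code checks: the test is PageSlab(), so the leak applies to any non-slab-backed entry; `/* Not slab-backed: the entry came from early boot memory and is deliberately leaked, since only whole pages can go back to the buddy allocator. */` states what the condition actually distinguishes. free_resource() and alloc_resource() are both complete within the hunk.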
@@ -0,0 +1,49 @@ +From f3be225f338a578851a7b607a409f476354a8deb Mon Sep 17 00:00:00 2001 +From: WangYuli +Date: Tue, 18 Feb 2025 20:57:23 +0800 +Subject: MIPS: cevt-ds1287: Add missing ds1287.h include +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: WangYuli + +commit f3be225f338a578851a7b607a409f476354a8deb upstream. + +Address the issue of cevt-ds1287.c not including the ds1287.h header +file. + +Fix follow errors with gcc-14 when -Werror: + +arch/mips/kernel/cevt-ds1287.c:15:5: error: no previous prototype for ‘ds1287_timer_state’ [-Werror=missing-prototypes] + 15 | int ds1287_timer_state(void) + | ^~~~~~~~~~~~~~~~~~ +arch/mips/kernel/cevt-ds1287.c:20:5: error: no previous prototype for ‘ds1287_set_base_clock’ [-Werror=missing-prototypes] + 20 | int ds1287_set_base_clock(unsigned int hz) + | ^~~~~~~~~~~~~~~~~~~~~ +arch/mips/kernel/cevt-ds1287.c:103:12: error: no previous prototype for ‘ds1287_clockevent_init’ [-Werror=missing-prototypes] + 103 | int __init ds1287_clockevent_init(int irq) + | ^~~~~~~~~~~~~~~~~~~~~~ +cc1: all warnings being treated as errors +make[7]: *** [scripts/Makefile.build:207: arch/mips/kernel/cevt-ds1287.o] Error 1 +make[7]: *** Waiting for unfinished jobs.... +make[6]: *** [scripts/Makefile.build:465: arch/mips/kernel] Error 2 +make[6]: *** Waiting for unfinished jobs.... + +Signed-off-by: WangYuli +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/kernel/cevt-ds1287.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/mips/kernel/cevt-ds1287.c ++++ b/arch/mips/kernel/cevt-ds1287.c +@@ -10,6 +10,7 @@ + #include + #include + ++#include + #include + + int ds1287_timer_state(void) diff --git a/queue-5.10/mips-dec-declare-which_prom-as-static.patch b/queue-5.10/mips-dec-declare-which_prom-as-static.patch new file mode 100644 index 0000000000..1088490022 --- /dev/null +++ b/queue-5.10/mips-dec-declare-which_prom-as-static.patch 
@@ -0,0 +1,44 @@ +From 55fa5868519bc48a7344a4c070efa2f4468f2167 Mon Sep 17 00:00:00 2001 +From: WangYuli +Date: Tue, 18 Feb 2025 20:54:31 +0800 +Subject: MIPS: dec: Declare which_prom() as static +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: WangYuli + +commit 55fa5868519bc48a7344a4c070efa2f4468f2167 upstream. + +Declare which_prom() as static to suppress gcc compiler warning that +'missing-prototypes'. This function is not intended to be called +from other parts. + +Fix follow error with gcc-14 when -Werror: + +arch/mips/dec/prom/init.c:45:13: error: no previous prototype for ‘which_prom’ [-Werror=missing-prototypes] + 45 | void __init which_prom(s32 magic, s32 *prom_vec) + | ^~~~~~~~~~ +cc1: all warnings being treated as errors +make[6]: *** [scripts/Makefile.build:207: arch/mips/dec/prom/init.o] Error 1 +make[5]: *** [scripts/Makefile.build:465: arch/mips/dec/prom] Error 2 +make[5]: *** Waiting for unfinished jobs.... + +Signed-off-by: WangYuli +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/dec/prom/init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/dec/prom/init.c ++++ b/arch/mips/dec/prom/init.c +@@ -42,7 +42,7 @@ int (*__pmax_close)(int); + * Detect which PROM the DECSTATION has, and set the callback vectors + * appropriately. + */ +-void __init which_prom(s32 magic, s32 *prom_vec) ++static void __init which_prom(s32 magic, s32 *prom_vec) + { + /* + * No sign of the REX PROM's magic number means we assume a non-REX diff --git a/queue-5.10/mips-ds1287-match-ds1287_set_base_clock-function-types.patch b/queue-5.10/mips-ds1287-match-ds1287_set_base_clock-function-types.patch new file mode 100644 index 0000000000..761096de37 --- /dev/null +++ b/queue-5.10/mips-ds1287-match-ds1287_set_base_clock-function-types.patch 
@@ -0,0 +1,46 @@ +From a759109b234385b74d2f5f4c86b5f59b3201ec12 Mon Sep 17 00:00:00 2001 +From: WangYuli +Date: Tue, 18 Feb 2025 20:57:55 +0800 +Subject: MIPS: ds1287: Match ds1287_set_base_clock() function types +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: WangYuli + +commit a759109b234385b74d2f5f4c86b5f59b3201ec12 upstream. + +Synchronize the declaration of ds1287_set_base_clock() between +cevt-ds1287.c and ds1287.h. + +Fix follow error with gcc-14 when -Werror: + +arch/mips/kernel/cevt-ds1287.c:21:5: error: conflicting types for ‘ds1287_set_base_clock’; have ‘int(unsigned int)’ + 21 | int ds1287_set_base_clock(unsigned int hz) + | ^~~~~~~~~~~~~~~~~~~~~ +In file included from arch/mips/kernel/cevt-ds1287.c:13: +./arch/mips/include/asm/ds1287.h:11:13: note: previous declaration of ‘ds1287_set_base_clock’ with type ‘void(unsigned int)’ + 11 | extern void ds1287_set_base_clock(unsigned int clock); + | ^~~~~~~~~~~~~~~~~~~~~ +make[7]: *** [scripts/Makefile.build:207: arch/mips/kernel/cevt-ds1287.o] Error 1 +make[6]: *** [scripts/Makefile.build:465: arch/mips/kernel] Error 2 +make[6]: *** Waiting for unfinished jobs.... + +Signed-off-by: WangYuli +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/ds1287.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/include/asm/ds1287.h ++++ b/arch/mips/include/asm/ds1287.h +@@ -8,7 +8,7 @@ + #define __ASM_DS1287_H + + extern int ds1287_timer_state(void); +-extern void ds1287_set_base_clock(unsigned int clock); ++extern int ds1287_set_base_clock(unsigned int hz); + extern int ds1287_clockevent_init(int irq); + + #endif diff --git a/queue-5.10/mm-fix-apply_to_existing_page_range.patch b/queue-5.10/mm-fix-apply_to_existing_page_range.patch new file mode 100644 index 0000000000..a7bb878f68 --- /dev/null +++ b/queue-5.10/mm-fix-apply_to_existing_page_range.patch 
@@ -0,0 +1,55 @@ +From a995199384347261bb3f21b2e171fa7f988bd2f8 Mon Sep 17 00:00:00 2001 +From: "Kirill A. Shutemov" +Date: Wed, 9 Apr 2025 12:40:43 +0300 +Subject: mm: fix apply_to_existing_page_range() + +From: Kirill A. Shutemov + +commit a995199384347261bb3f21b2e171fa7f988bd2f8 upstream. + +In the case of apply_to_existing_page_range(), apply_to_pte_range() is +reached with 'create' set to false. When !create, the loop over the PTE +page table is broken. + +apply_to_pte_range() will only move to the next PTE entry if 'create' is +true or if the current entry is not pte_none(). + +This means that the user of apply_to_existing_page_range() will not have +'fn' called for any entries after the first pte_none() in the PTE page +table. + +Fix the loop logic in apply_to_pte_range(). + +There are no known runtime issues from this, but the fix is trivial enough +for stable@ even without a known buggy user. + +Link: https://lkml.kernel.org/r/20250409094043.1629234-1-kirill.shutemov@linux.intel.com +Signed-off-by: Kirill A. Shutemov +Fixes: be1db4753ee6 ("mm/memory.c: add apply_to_existing_page_range() helper") +Cc: Daniel Axtens +Cc: David Hildenbrand +Cc: Vlastimil Babka +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Kirill A. Shutemov +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -2469,11 +2469,11 @@ static int apply_to_pte_range(struct mm_ + if (fn) { + do { + if (create || !pte_none(*pte)) { +- err = fn(pte++, addr, data); ++ err = fn(pte, addr, data); + if (err) + break; + } +- } while (addr += PAGE_SIZE, addr != end); ++ } while (pte++, addr += PAGE_SIZE, addr != end); + } + *mask |= PGTBL_PTE_MODIFIED; + diff --git a/queue-5.10/series b/queue-5.10/series index b7b967a910..f9284d0e4b 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -178,3 +178,13 @@ openvswitch-fix-lockup-on-tx-to-unregistering-netdev-with-carrier.patch scsi-lpfc-fix-a-possible-data-race-in-lpfc_unregister_fcf_rescan.patch scsi-ufs-bsg-set-bsg_queue-to-null-after-removal.patch net-defer-final-struct-net-free-in-netns-dismantle.patch +mips-dec-declare-which_prom-as-static.patch +mips-cevt-ds1287-add-missing-ds1287.h-include.patch +mips-ds1287-match-ds1287_set_base_clock-function-types.patch +jfs-fix-shift-out-of-bounds-in-dbdiscardag.patch +dm-cache-fix-flushing-uninitialized-delayed_work-on-cache_ctr-error.patch +vfio-pci-fix-memory-leak-during-d3hot-to-d0-transition.patch +kernel-resource-fix-kfree-of-bootmem-memory-again.patch +drm-i915-gt-cleanup-partial-engine-discovery-failures.patch +fs-proc-do_task_stat-use-sig-stats_lock-to-gather-the-threads-children-stats.patch +mm-fix-apply_to_existing_page_range.patch diff --git a/queue-5.10/vfio-pci-fix-memory-leak-during-d3hot-to-d0-transition.patch b/queue-5.10/vfio-pci-fix-memory-leak-during-d3hot-to-d0-transition.patch new file mode 100644 index 0000000000..fee45023e1 --- /dev/null +++ b/queue-5.10/vfio-pci-fix-memory-leak-during-d3hot-to-d0-transition.patch 
@@ -0,0 +1,64 @@ +From eadf88ecf6ac7d6a9f47a76c6055d9a1987a8991 Mon Sep 17 00:00:00 2001 +From: Abhishek Sahu +Date: Thu, 17 Feb 2022 17:51:06 +0530 +Subject: vfio/pci: fix memory leak during D3hot to D0 transition + +From: Abhishek Sahu + +commit eadf88ecf6ac7d6a9f47a76c6055d9a1987a8991 upstream. + +If 'vfio_pci_core_device::needs_pm_restore' is set (PCI device does +not have No_Soft_Reset bit set in its PMCSR config register), then +the current PCI state will be saved locally in +'vfio_pci_core_device::pm_save' during D0->D3hot transition and same +will be restored back during D3hot->D0 transition. +For saving the PCI state locally, pci_store_saved_state() is being +used and the pci_load_and_free_saved_state() will free the allocated +memory. + +But for reset related IOCTLs, vfio driver calls PCI reset-related +API's which will internally change the PCI power state back to D0. So, +when the guest resumes, then it will get the current state as D0 and it +will skip the call to vfio_pci_set_power_state() for changing the +power state to D0 explicitly. In this case, the memory pointed by +'pm_save' will never be freed. In a malicious sequence, the state changing +to D3hot followed by VFIO_DEVICE_RESET/VFIO_DEVICE_PCI_HOT_RESET can be +run in a loop and it can cause an OOM situation. + +This patch frees the earlier allocated memory first before overwriting +'pm_save' to prevent the mentioned memory leak. 
+ +Fixes: 51ef3a004b1e ("vfio/pci: Restore device state on PM transition") +Signed-off-by: Abhishek Sahu +Link: https://lore.kernel.org/r/20220217122107.22434-2-abhsahu@nvidia.com +Signed-off-by: Alex Williamson +[Minor context change fixed] +Signed-off-by: Feng Liu +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vfio/pci/vfio_pci.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -299,6 +299,19 @@ int vfio_pci_set_power_state(struct vfio + if (!ret) { + /* D3 might be unsupported via quirk, skip unless in D3 */ + if (needs_save && pdev->current_state >= PCI_D3hot) { ++ /* ++ * The current PCI state will be saved locally in ++ * 'pm_save' during the D3hot transition. When the ++ * device state is changed to D0 again with the current ++ * function, then pci_store_saved_state() will restore ++ * the state and will free the memory pointed by ++ * 'pm_save'. There are few cases where the PCI power ++ * state can be changed to D0 without the involvement ++ * of the driver. For these cases, free the earlier ++ * allocated memory first before overwriting 'pm_save' ++ * to prevent the memory leak. ++ */ ++ kfree(vdev->pm_save); + vdev->pm_save = pci_store_saved_state(pdev); + } else if (needs_restore) { + pci_load_and_free_saved_state(pdev, &vdev->pm_save);
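Review bot: The new comment says pci_store_saved_state() restores the state and frees 'pm_save' on the return to D0, but the `needs_restore` branch two lines below shows pci_load_and_free_saved_state() doing that; pci_store_saved_state() is the call that allocates the copy. Suggest `* function, then pci_load_and_free_saved_state() will restore` / `* the state and will free the memory pointed by` / `* 'pm_save'.` for those three lines. vfio_pci_set_power_state() begins and ends outside the hunk.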