From: Sasha Levin Date: Sat, 4 Nov 2023 03:00:45 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v4.14.329~45 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bbb9a2c55c53da0fe3be643d34af345d133fc817;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/asoc-rt5650-fix-the-wrong-result-of-key-button.patch b/queue-5.10/asoc-rt5650-fix-the-wrong-result-of-key-button.patch new file mode 100644 index 00000000000..1f0653f6cd0 --- /dev/null +++ b/queue-5.10/asoc-rt5650-fix-the-wrong-result-of-key-button.patch @@ -0,0 +1,35 @@ +From 4508c8aa9c43194165c10cb725d5a81e90140e4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Oct 2023 17:45:25 +0800 +Subject: ASoC: rt5650: fix the wrong result of key button + +From: Shuming Fan + +[ Upstream commit f88dfbf333b3661faff996bb03af2024d907b76a ] + +The RT5650 should enable a power setting for button detection to avoid the wrong result. + +Signed-off-by: Shuming Fan +Link: https://lore.kernel.org/r/20231013094525.715518-1-shumingf@realtek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5645.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/codecs/rt5645.c b/sound/soc/codecs/rt5645.c +index d1533e95a74f6..99d91bfb88122 100644 +--- a/sound/soc/codecs/rt5645.c ++++ b/sound/soc/codecs/rt5645.c +@@ -3241,6 +3241,8 @@ int rt5645_set_jack_detect(struct snd_soc_component *component, + RT5645_GP1_PIN_IRQ, RT5645_GP1_PIN_IRQ); + regmap_update_bits(rt5645->regmap, RT5645_GEN_CTRL1, + RT5645_DIG_GATE_CTRL, RT5645_DIG_GATE_CTRL); ++ regmap_update_bits(rt5645->regmap, RT5645_DEPOP_M1, ++ RT5645_HP_CB_MASK, RT5645_HP_CB_PU); + } + rt5645_irq(0, rt5645); + +-- +2.42.0 + diff --git a/queue-5.10/dmaengine-ste_dma40-fix-pm-disable-depth-imbalance-i.patch b/queue-5.10/dmaengine-ste_dma40-fix-pm-disable-depth-imbalance-i.patch new file mode 100644 index 00000000000..0d5b08e30d0 --- /dev/null +++ b/queue-5.10/dmaengine-ste_dma40-fix-pm-disable-depth-imbalance-i.patch @@ -0,0 +1,38 @@ +From fb55629b0ae10f72f45132073015a3658ff01c2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 22:28:35 +0800 +Subject: dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe + +From: Zhang Shurong + +[ Upstream commit 0618c077a8c20e8c81e367988f70f7e32bb5a717 ] + +The pm_runtime_enable will increase power disable depth. Thus +a pairing decrement is needed on the error handling path to +keep it balanced according to context. +We fix it by calling pm_runtime_disable when error returns. + +Signed-off-by: Zhang Shurong +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/tencent_DD2D371DB5925B4B602B1E1D0A5FA88F1208@qq.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ste_dma40.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/dma/ste_dma40.c b/drivers/dma/ste_dma40.c +index d99fec8215083..4c306dd13e865 100644 +--- a/drivers/dma/ste_dma40.c ++++ b/drivers/dma/ste_dma40.c +@@ -3698,6 +3698,7 @@ static int __init d40_probe(struct platform_device *pdev) + regulator_disable(base->lcpa_regulator); + regulator_put(base->lcpa_regulator); + } ++ pm_runtime_disable(base->dev); + + kfree(base->lcla_pool.alloc_map); + kfree(base->lookup_log_chans); +-- +2.42.0 + diff --git a/queue-5.10/fbdev-atyfb-only-use-ioremap_uc-on-i386-and-ia64.patch b/queue-5.10/fbdev-atyfb-only-use-ioremap_uc-on-i386-and-ia64.patch new file mode 100644 index 00000000000..5cf1e687a0c --- /dev/null +++ b/queue-5.10/fbdev-atyfb-only-use-ioremap_uc-on-i386-and-ia64.patch @@ -0,0 +1,58 @@ +From 91844c1cfdea54a927258574ebc4c09c294a219c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Sep 2023 19:04:21 +0800 +Subject: fbdev: atyfb: only use ioremap_uc() on i386 and ia64 + +From: Arnd Bergmann + +[ Upstream commit c1a8d1d0edb71dec15c9649cb56866c71c1ecd9e ] + +ioremap_uc() is only meaningful on old x86-32 systems with the PAT +extension, and on ia64 with its slightly unconventional ioremap() +behavior, everywhere else this is the same as ioremap() anyway. + +Change the only driver that still references ioremap_uc() to only do so +on x86-32/ia64 in order to allow removing that interface at some +point in the future for the other architectures. + +On some architectures, ioremap_uc() just returns NULL, changing +the driver to call ioremap() means that they now have a chance +of working correctly. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Baoquan He +Reviewed-by: Luis Chamberlain +Cc: Helge Deller +Cc: Thomas Zimmermann +Cc: Christophe Leroy +Cc: linux-fbdev@vger.kernel.org +Cc: dri-devel@lists.freedesktop.org +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/aty/atyfb_base.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c +index c8feff0ee8da9..eb32ff0910d3e 100644 +--- a/drivers/video/fbdev/aty/atyfb_base.c ++++ b/drivers/video/fbdev/aty/atyfb_base.c +@@ -3440,11 +3440,15 @@ static int atyfb_setup_generic(struct pci_dev *pdev, struct fb_info *info, + } + + info->fix.mmio_start = raddr; ++#if defined(__i386__) || defined(__ia64__) + /* + * By using strong UC we force the MTRR to never have an + * effect on the MMIO region on both non-PAT and PAT systems. + */ + par->ati_regbase = ioremap_uc(info->fix.mmio_start, 0x1000); ++#else ++ par->ati_regbase = ioremap(info->fix.mmio_start, 0x1000); ++#endif + if (par->ati_regbase == NULL) + return -ENOMEM; + +-- +2.42.0 + diff --git a/queue-5.10/fbdev-uvesafb-call-cn_del_callback-at-the-end-of-uve.patch b/queue-5.10/fbdev-uvesafb-call-cn_del_callback-at-the-end-of-uve.patch new file mode 100644 index 00000000000..5a7d5358ad5 --- /dev/null +++ b/queue-5.10/fbdev-uvesafb-call-cn_del_callback-at-the-end-of-uve.patch @@ -0,0 +1,41 @@ +From 02078d42c62d0484e9920f935150e141ed75ff1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Oct 2023 17:43:47 -0300 +Subject: fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit() + +From: Jorge Maidana + +[ Upstream commit 1022e7e2f40574c74ed32c3811b03d26b0b81daf ] + +Delete the v86d netlink only after all the VBE tasks have been +completed. + +Fixes initial state restore on module unload: +uvesafb: VBE state restore call failed (eax=0x4f04, err=-19) + +Signed-off-by: Jorge Maidana +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/uvesafb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/uvesafb.c b/drivers/video/fbdev/uvesafb.c +index 661f12742e4f0..d999a7cdb5409 100644 +--- a/drivers/video/fbdev/uvesafb.c ++++ b/drivers/video/fbdev/uvesafb.c +@@ -1933,10 +1933,10 @@ static void uvesafb_exit(void) + } + } + +- cn_del_callback(&uvesafb_cn_id); + driver_remove_file(&uvesafb_driver.driver, &driver_attr_v86d); + platform_device_unregister(uvesafb_device); + platform_driver_unregister(&uvesafb_driver); ++ cn_del_callback(&uvesafb_cn_id); + } + + module_exit(uvesafb_exit); +-- +2.42.0 + diff --git a/queue-5.10/input-synaptics-rmi4-handle-reset-delay-when-using-s.patch b/queue-5.10/input-synaptics-rmi4-handle-reset-delay-when-using-s.patch new file mode 100644 index 00000000000..02747083c7c --- /dev/null +++ b/queue-5.10/input-synaptics-rmi4-handle-reset-delay-when-using-s.patch @@ -0,0 +1,135 @@ +From 25df7a1d4661cd4d20e8ead164409201a90df8d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Oct 2023 17:29:57 -0700 +Subject: Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport + +From: Dmitry Torokhov + +[ Upstream commit 5030b2fe6aab37fe42d14f31842ea38be7c55c57 ] + +Touch controllers need some time after receiving reset command for the +firmware to finish re-initializing and be ready to respond to commands +from the host. The driver already had handling for the post-reset delay +for I2C and SPI transports, this change adds the handling to +SMBus-connected devices. + +SMBus devices are peculiar because they implement legacy PS/2 +compatibility mode, so reset is actually issued by psmouse driver on the +associated serio port, after which the control is passed to the RMI4 +driver with SMBus companion device. + +Note that originally the delay was added to psmouse driver in +92e24e0e57f7 ("Input: psmouse - add delay when deactivating for SMBus +mode"), but that resulted in an unwanted delay in "fast" reconnect +handler for the serio port, so it was decided to revert the patch and +have the delay being handled in the RMI4 driver, similar to the other +transports. + +Tested-by: Jeffery Miller +Link: https://lore.kernel.org/r/ZR1yUFJ8a9Zt606N@penguin +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/mouse/synaptics.c | 1 + + drivers/input/rmi4/rmi_smbus.c | 50 ++++++++++++++++++--------------- + 2 files changed, 29 insertions(+), 22 deletions(-) + +diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c +index afa5d2623c410..e2c130832c159 100644 +--- a/drivers/input/mouse/synaptics.c ++++ b/drivers/input/mouse/synaptics.c +@@ -1749,6 +1749,7 @@ static int synaptics_create_intertouch(struct psmouse *psmouse, + psmouse_matches_pnp_id(psmouse, topbuttonpad_pnp_ids) && + !SYN_CAP_EXT_BUTTONS_STICK(info->ext_cap_10); + const struct rmi_device_platform_data pdata = { ++ .reset_delay_ms = 30, + .sensor_pdata = { + .sensor_type = rmi_sensor_touchpad, + .axis_align.flip_y = true, +diff --git a/drivers/input/rmi4/rmi_smbus.c b/drivers/input/rmi4/rmi_smbus.c +index 2407ea43de59b..f38bf9a5f599d 100644 +--- a/drivers/input/rmi4/rmi_smbus.c ++++ b/drivers/input/rmi4/rmi_smbus.c +@@ -235,12 +235,29 @@ static void rmi_smb_clear_state(struct rmi_smb_xport *rmi_smb) + + static int rmi_smb_enable_smbus_mode(struct rmi_smb_xport *rmi_smb) + { +- int retval; ++ struct i2c_client *client = rmi_smb->client; ++ int smbus_version; ++ ++ /* ++ * psmouse driver resets the controller, we only need to wait ++ * to give the firmware chance to fully reinitialize. ++ */ ++ if (rmi_smb->xport.pdata.reset_delay_ms) ++ msleep(rmi_smb->xport.pdata.reset_delay_ms); + + /* we need to get the smbus version to activate the touchpad */ +- retval = rmi_smb_get_version(rmi_smb); +- if (retval < 0) +- return retval; ++ smbus_version = rmi_smb_get_version(rmi_smb); ++ if (smbus_version < 0) ++ return smbus_version; ++ ++ rmi_dbg(RMI_DEBUG_XPORT, &client->dev, "Smbus version is %d", ++ smbus_version); ++ ++ if (smbus_version != 2 && smbus_version != 3) { ++ dev_err(&client->dev, "Unrecognized SMB version %d\n", ++ smbus_version); ++ return -ENODEV; ++ } + + return 0; + } +@@ -253,11 +270,10 @@ static int rmi_smb_reset(struct rmi_transport_dev *xport, u16 reset_addr) + rmi_smb_clear_state(rmi_smb); + + /* +- * we do not call the actual reset command, it has to be handled in +- * PS/2 or there will be races between PS/2 and SMBus. +- * PS/2 should ensure that a psmouse_reset is called before +- * intializing the device and after it has been removed to be in a known +- * state. ++ * We do not call the actual reset command, it has to be handled in ++ * PS/2 or there will be races between PS/2 and SMBus. PS/2 should ++ * ensure that a psmouse_reset is called before initializing the ++ * device and after it has been removed to be in a known state. + */ + return rmi_smb_enable_smbus_mode(rmi_smb); + } +@@ -273,7 +289,6 @@ static int rmi_smb_probe(struct i2c_client *client, + { + struct rmi_device_platform_data *pdata = dev_get_platdata(&client->dev); + struct rmi_smb_xport *rmi_smb; +- int smbus_version; + int error; + + if (!pdata) { +@@ -312,18 +327,9 @@ static int rmi_smb_probe(struct i2c_client *client, + rmi_smb->xport.proto_name = "smb"; + rmi_smb->xport.ops = &rmi_smb_ops; + +- smbus_version = rmi_smb_get_version(rmi_smb); +- if (smbus_version < 0) +- return smbus_version; +- +- rmi_dbg(RMI_DEBUG_XPORT, &client->dev, "Smbus version is %d", +- smbus_version); +- +- if (smbus_version != 2 && smbus_version != 3) { +- dev_err(&client->dev, "Unrecognized SMB version %d\n", +- smbus_version); +- return -ENODEV; +- } ++ error = rmi_smb_enable_smbus_mode(rmi_smb); ++ if (error) ++ return error; + + i2c_set_clientdata(client, rmi_smb); + +-- +2.42.0 + diff --git a/queue-5.10/irqchip-riscv-intc-mark-all-intc-nodes-as-initialize.patch b/queue-5.10/irqchip-riscv-intc-mark-all-intc-nodes-as-initialize.patch new file mode 100644 index 00000000000..6f9bf590227 --- /dev/null +++ b/queue-5.10/irqchip-riscv-intc-mark-all-intc-nodes-as-initialize.patch @@ -0,0 +1,54 @@ +From 8eeefd49d7ae7ad14194a69b123c0e169031b83b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Oct 2023 10:13:51 +0530 +Subject: irqchip/riscv-intc: Mark all INTC nodes as initialized + +From: Anup Patel + +[ Upstream commit e13cd66bd821be417c498a34928652db4ac6b436 ] + +The RISC-V INTC local interrupts are per-HART (or per-CPU) so we +create INTC IRQ domain only for the INTC node belonging to the boot +HART. This means only the boot HART INTC node will be marked as +initialized and other INTC nodes won't be marked which results +downstream interrupt controllers (such as PLIC, IMSIC and APLIC +direct-mode) not being probed due to missing device suppliers. + +To address this issue, we mark all INTC node for which we don't +create IRQ domain as initialized. + +Reported-by: Dmitry Dunaev +Signed-off-by: Anup Patel +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230926102801.1591126-1-dunaev@tecon.ru +Link: https://lore.kernel.org/r/20231003044403.1974628-4-apatel@ventanamicro.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-riscv-intc.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-riscv-intc.c b/drivers/irqchip/irq-riscv-intc.c +index 8017f6d32d52b..54c99441c1b54 100644 +--- a/drivers/irqchip/irq-riscv-intc.c ++++ b/drivers/irqchip/irq-riscv-intc.c +@@ -109,8 +109,16 @@ static int __init riscv_intc_init(struct device_node *node, + * for each INTC DT node. We only need to do INTC initialization + * for the INTC DT node belonging to boot CPU (or boot HART). + */ +- if (riscv_hartid_to_cpuid(hartid) != smp_processor_id()) ++ if (riscv_hartid_to_cpuid(hartid) != smp_processor_id()) { ++ /* ++ * The INTC nodes of each CPU are suppliers for downstream ++ * interrupt controllers (such as PLIC, IMSIC and APLIC ++ * direct-mode) so we should mark an INTC node as initialized ++ * if we are not creating IRQ domain for it. ++ */ ++ fwnode_dev_initialized(of_fwnode_handle(node), true); + return 0; ++ } + + intc_domain = irq_domain_add_linear(node, BITS_PER_LONG, + &riscv_intc_domain_ops, NULL); +-- +2.42.0 + diff --git a/queue-5.10/irqchip-stm32-exti-add-missing-dt-irq-flag-translati.patch b/queue-5.10/irqchip-stm32-exti-add-missing-dt-irq-flag-translati.patch new file mode 100644 index 00000000000..cad0d80e275 --- /dev/null +++ b/queue-5.10/irqchip-stm32-exti-add-missing-dt-irq-flag-translati.patch @@ -0,0 +1,37 @@ +From 701020f2ac133ed45ae9cac42f10a70f2d27ec0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Oct 2023 12:20:03 -0400 +Subject: irqchip/stm32-exti: add missing DT IRQ flag translation + +From: Ben Wolsieffer + +[ Upstream commit 8554cba1d6dbd3c74e0549e28ddbaccbb1d6b30a ] + +The STM32F4/7 EXTI driver was missing the xlate callback, so IRQ trigger +flags specified in the device tree were being ignored. This was +preventing the RTC alarm interrupt from working, because it must be set +to trigger on the rising edge to function correctly. + +Signed-off-by: Ben Wolsieffer +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20231003162003.1649967-1-ben.wolsieffer@hefring.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-stm32-exti.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/irqchip/irq-stm32-exti.c b/drivers/irqchip/irq-stm32-exti.c +index 8662d7b7b2625..cec9080cccad0 100644 +--- a/drivers/irqchip/irq-stm32-exti.c ++++ b/drivers/irqchip/irq-stm32-exti.c +@@ -403,6 +403,7 @@ static const struct irq_domain_ops irq_exti_domain_ops = { + .map = irq_map_generic_chip, + .alloc = stm32_exti_alloc, + .free = stm32_exti_free, ++ .xlate = irq_domain_xlate_twocell, + }; + + static void stm32_irq_ack(struct irq_data *d) +-- +2.42.0 + diff --git a/queue-5.10/net-chelsio-cxgb4-add-an-error-code-check-in-t4_load.patch b/queue-5.10/net-chelsio-cxgb4-add-an-error-code-check-in-t4_load.patch new file mode 100644 index 00000000000..be0311028bd --- /dev/null +++ b/queue-5.10/net-chelsio-cxgb4-add-an-error-code-check-in-t4_load.patch @@ -0,0 +1,35 @@ +From 4768b0be00aeb838c02b3ea59e596db4a4b6a215 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 17:27:59 +0800 +Subject: net: chelsio: cxgb4: add an error code check in t4_load_phy_fw + +From: Su Hui + +[ Upstream commit 9f771493da935299c6393ad3563b581255d01a37 ] + +t4_set_params_timeout() can return -EINVAL if failed, add check +for this. + +Signed-off-by: Su Hui +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +index 964ea3491b80b..7e8a8ea6d8f7d 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +@@ -3846,6 +3846,8 @@ int t4_load_phy_fw(struct adapter *adap, int win, + FW_PARAMS_PARAM_Z_V(FW_PARAMS_PARAM_DEV_PHYFW_DOWNLOAD)); + ret = t4_set_params_timeout(adap, adap->mbox, adap->pf, 0, 1, + ¶m, &val, 30000); ++ if (ret) ++ return ret; + + /* If we have version number support, then check to see that the new + * firmware got loaded properly. +-- +2.42.0 + diff --git a/queue-5.10/net-sched-cls_u32-fix-allocation-size-in-u32_init.patch b/queue-5.10/net-sched-cls_u32-fix-allocation-size-in-u32_init.patch new file mode 100644 index 00000000000..4916978d388 --- /dev/null +++ b/queue-5.10/net-sched-cls_u32-fix-allocation-size-in-u32_init.patch @@ -0,0 +1,105 @@ +From 92f74f6a2bdd40e346abe604de41f609bfef1ad0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 15:19:37 +0200 +Subject: net: sched: cls_u32: Fix allocation size in u32_init() + +From: Gustavo A. R. Silva + +[ Upstream commit c4d49196ceec80e30e8d981410d73331b49b7850 ] + +commit d61491a51f7e ("net/sched: cls_u32: Replace one-element array +with flexible-array member") incorrecly replaced an instance of +`sizeof(*tp_c)` with `struct_size(tp_c, hlist->ht, 1)`. This results +in a an over-allocation of 8 bytes. + +This change is wrong because `hlist` in `struct tc_u_common` is a +pointer: + +net/sched/cls_u32.c: +struct tc_u_common { + struct tc_u_hnode __rcu *hlist; + void *ptr; + int refcnt; + struct idr handle_idr; + struct hlist_node hnode; + long knodes; +}; + +So, the use of `struct_size()` makes no sense: we don't need to allocate +any extra space for a flexible-array member. `sizeof(*tp_c)` is just fine. + +So, `struct_size(tp_c, hlist->ht, 1)` translates to: + +sizeof(*tp_c) + sizeof(tp_c->hlist->ht) == +sizeof(struct tc_u_common) + sizeof(struct tc_u_knode *) == + 144 + 8 == 0x98 (byes) + ^^^ + | + unnecessary extra + allocation size + +$ pahole -C tc_u_common net/sched/cls_u32.o +struct tc_u_common { + struct tc_u_hnode * hlist; /* 0 8 */ + void * ptr; /* 8 8 */ + int refcnt; /* 16 4 */ + + /* XXX 4 bytes hole, try to pack */ + + struct idr handle_idr; /* 24 96 */ + /* --- cacheline 1 boundary (64 bytes) was 56 bytes ago --- */ + struct hlist_node hnode; /* 120 16 */ + /* --- cacheline 2 boundary (128 bytes) was 8 bytes ago --- */ + long int knodes; /* 136 8 */ + + /* size: 144, cachelines: 3, members: 6 */ + /* sum members: 140, holes: 1, sum holes: 4 */ + /* last cacheline: 16 bytes */ +}; + +And with `sizeof(*tp_c)`, we have: + + sizeof(*tp_c) == sizeof(struct tc_u_common) == 144 == 0x90 (bytes) + +which is the correct and original allocation size. + +Fix this issue by replacing `struct_size(tp_c, hlist->ht, 1)` with +`sizeof(*tp_c)`, and avoid allocating 8 too many bytes. + +The following difference in binary output is expected and reflects the +desired change: + +| net/sched/cls_u32.o +| @@ -6148,7 +6148,7 @@ +| include/linux/slab.h:599 +| 2cf5: mov 0x0(%rip),%rdi # 2cfc +| 2cf8: R_X86_64_PC32 kmalloc_caches+0xc +|- 2cfc: mov $0x98,%edx +|+ 2cfc: mov $0x90,%edx + +Reported-by: Alejandro Colomar +Closes: https://lore.kernel.org/lkml/09b4a2ce-da74-3a19-6961-67883f634d98@kernel.org/ +Signed-off-by: Gustavo A. R. Silva +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_u32.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c +index b2d2ba561eba1..f2a0c10682fc8 100644 +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -364,7 +364,7 @@ static int u32_init(struct tcf_proto *tp) + idr_init(&root_ht->handle_idr); + + if (tp_c == NULL) { +- tp_c = kzalloc(struct_size(tp_c, hlist->ht, 1), GFP_KERNEL); ++ tp_c = kzalloc(sizeof(*tp_c), GFP_KERNEL); + if (tp_c == NULL) { + kfree(root_ht); + return -ENOBUFS; +-- +2.42.0 + diff --git a/queue-5.10/netfilter-nfnetlink_log-silence-bogus-compiler-warni.patch b/queue-5.10/netfilter-nfnetlink_log-silence-bogus-compiler-warni.patch new file mode 100644 index 00000000000..fdeaa7c0012 --- /dev/null +++ b/queue-5.10/netfilter-nfnetlink_log-silence-bogus-compiler-warni.patch @@ -0,0 +1,39 @@ +From 6cd27005c07b0b5ccae16f8fe29ecf604d6088dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 10:53:08 +0200 +Subject: netfilter: nfnetlink_log: silence bogus compiler warning + +From: Florian Westphal + +[ Upstream commit 2e1d175410972285333193837a4250a74cd472e6 ] + +net/netfilter/nfnetlink_log.c:800:18: warning: variable 'ctinfo' is uninitialized + +The warning is bogus, the variable is only used if ct is non-NULL and +always initialised in that case. Init to 0 too to silence this. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202309100514.ndBFebXN-lkp@intel.com/ +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_log.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c +index f087baa95b07b..80c09070ea9fa 100644 +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -683,8 +683,8 @@ nfulnl_log_packet(struct net *net, + unsigned int plen = 0; + struct nfnl_log_net *log = nfnl_log_pernet(net); + const struct nfnl_ct_hook *nfnl_ct = NULL; ++ enum ip_conntrack_info ctinfo = 0; + struct nf_conn *ct = NULL; +- enum ip_conntrack_info ctinfo; + + if (li_user && li_user->type == NF_LOG_TYPE_ULOG) + li = li_user; +-- +2.42.0 + diff --git a/queue-5.10/platform-mellanox-mlxbf-tmfifo-fix-a-warning-message.patch b/queue-5.10/platform-mellanox-mlxbf-tmfifo-fix-a-warning-message.patch new file mode 100644 index 00000000000..2b00edd3668 --- /dev/null +++ b/queue-5.10/platform-mellanox-mlxbf-tmfifo-fix-a-warning-message.patch @@ -0,0 +1,65 @@ +From 4ab7958bdec885bd5a15dbbe8dce7e87072cb000 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Oct 2023 19:02:35 -0400 +Subject: platform/mellanox: mlxbf-tmfifo: Fix a warning message + +From: Liming Sun + +[ Upstream commit 99c09c985e5973c8f0ad976ebae069548dd86f12 ] + +This commit fixes the smatch static checker warning in function +mlxbf_tmfifo_rxtx_word() which complains data not initialized at +line 634 when IS_VRING_DROP() is TRUE. + +Signed-off-by: Liming Sun +Link: https://lore.kernel.org/r/20231012230235.219861-1-limings@nvidia.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/mlxbf-tmfifo.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/drivers/platform/mellanox/mlxbf-tmfifo.c b/drivers/platform/mellanox/mlxbf-tmfifo.c +index 194f3205e5597..767f4406e55f1 100644 +--- a/drivers/platform/mellanox/mlxbf-tmfifo.c ++++ b/drivers/platform/mellanox/mlxbf-tmfifo.c +@@ -588,24 +588,25 @@ static void mlxbf_tmfifo_rxtx_word(struct mlxbf_tmfifo_vring *vring, + + if (vring->cur_len + sizeof(u64) <= len) { + /* The whole word. */ +- if (!IS_VRING_DROP(vring)) { +- if (is_rx) ++ if (is_rx) { ++ if (!IS_VRING_DROP(vring)) + memcpy(addr + vring->cur_len, &data, + sizeof(u64)); +- else +- memcpy(&data, addr + vring->cur_len, +- sizeof(u64)); ++ } else { ++ memcpy(&data, addr + vring->cur_len, ++ sizeof(u64)); + } + vring->cur_len += sizeof(u64); + } else { + /* Leftover bytes. */ +- if (!IS_VRING_DROP(vring)) { +- if (is_rx) ++ if (is_rx) { ++ if (!IS_VRING_DROP(vring)) + memcpy(addr + vring->cur_len, &data, + len - vring->cur_len); +- else +- memcpy(&data, addr + vring->cur_len, +- len - vring->cur_len); ++ } else { ++ data = 0; ++ memcpy(&data, addr + vring->cur_len, ++ len - vring->cur_len); + } + vring->cur_len = len; + } +-- +2.42.0 + diff --git a/queue-5.10/powerpc-mm-fix-boot-crash-with-flatmem.patch b/queue-5.10/powerpc-mm-fix-boot-crash-with-flatmem.patch new file mode 100644 index 00000000000..8fcd6cec746 --- /dev/null +++ b/queue-5.10/powerpc-mm-fix-boot-crash-with-flatmem.patch @@ -0,0 +1,143 @@ +From e4bef8d5f012558263129acf4a8db643025beb0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Oct 2023 22:25:00 +1100 +Subject: powerpc/mm: Fix boot crash with FLATMEM + +From: Michael Ellerman + +[ Upstream commit daa9ada2093ed23d52b4c1fe6e13cf78f55cc85f ] + +Erhard reported that his G5 was crashing with v6.6-rc kernels: + + mpic: Setting up HT PICs workarounds for U3/U4 + BUG: Unable to handle kernel data access at 0xfeffbb62ffec65fe + Faulting instruction address: 0xc00000000005dc40 + Oops: Kernel access of bad area, sig: 11 [#1] + BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 PowerMac + Modules linked in: + CPU: 0 PID: 0 Comm: swapper/0 Tainted: G T 6.6.0-rc3-PMacGS #1 + Hardware name: PowerMac11,2 PPC970MP 0x440101 PowerMac + NIP: c00000000005dc40 LR: c000000000066660 CTR: c000000000007730 + REGS: c0000000022bf510 TRAP: 0380 Tainted: G T (6.6.0-rc3-PMacGS) + MSR: 9000000000001032 CR: 44004242 XER: 00000000 + IRQMASK: 3 + GPR00: 0000000000000000 c0000000022bf7b0 c0000000010c0b00 00000000000001ac + GPR04: 0000000003c80000 0000000000000300 c0000000f20001ae 0000000000000300 + GPR08: 0000000000000006 feffbb62ffec65ff 0000000000000001 0000000000000000 + GPR12: 9000000000001032 c000000002362000 c000000000f76b80 000000000349ecd8 + GPR16: 0000000002367ba8 0000000002367f08 0000000000000006 0000000000000000 + GPR20: 00000000000001ac c000000000f6f920 c0000000022cd985 000000000000000c + GPR24: 0000000000000300 00000003b0a3691d c0003e008030000e 0000000000000000 + GPR28: c00000000000000c c0000000f20001ee feffbb62ffec65fe 00000000000001ac + NIP hash_page_do_lazy_icache+0x50/0x100 + LR __hash_page_4K+0x420/0x590 + Call Trace: + hash_page_mm+0x364/0x6f0 + do_hash_fault+0x114/0x2b0 + data_access_common_virt+0x198/0x1f0 + --- interrupt: 300 at mpic_init+0x4bc/0x10c4 + NIP: c000000002020a5c LR: c000000002020a04 CTR: 0000000000000000 + REGS: c0000000022bf9f0 TRAP: 0300 Tainted: G T (6.6.0-rc3-PMacGS) + MSR: 9000000000001032 CR: 24004248 XER: 00000000 + DAR: c0003e008030000e DSISR: 40000000 IRQMASK: 1 + ... + NIP mpic_init+0x4bc/0x10c4 + LR mpic_init+0x464/0x10c4 + --- interrupt: 300 + pmac_setup_one_mpic+0x258/0x2dc + pmac_pic_init+0x28c/0x3d8 + init_IRQ+0x90/0x140 + start_kernel+0x57c/0x78c + start_here_common+0x1c/0x20 + +A bisect pointed to the breakage beginning with commit 9fee28baa601 ("powerpc: +implement the new page table range API"). + +Analysis of the oops pointed to a struct page with a corrupted +compound_head being loaded via page_folio() -> _compound_head() in +hash_page_do_lazy_icache(). + +The access by the mpic code is to an MMIO address, so the expectation +is that the struct page for that address would be initialised by +init_unavailable_range(), as pointed out by Aneesh. + +Instrumentation showed that was not the case, which eventually lead to +the realisation that pfn_valid() was returning false for that address, +causing the struct page to not be initialised. + +Because the system is using FLATMEM, the version of pfn_valid() in +memory_model.h is used: + +static inline int pfn_valid(unsigned long pfn) +{ + ... + return pfn >= pfn_offset && (pfn - pfn_offset) < max_mapnr; +} + +Which relies on max_mapnr being initialised. Early in boot max_mapnr is +zero meaning no PFNs are valid. + +max_mapnr is initialised in mem_init() called via: + + start_kernel() + mm_core_init() # init/main.c:928 + mem_init() + +But that is too late for the usage in init_unavailable_range() called via: + + start_kernel() + setup_arch() # init/main.c:893 + paging_init() + free_area_init() + init_unavailable_range() + +Although max_mapnr is currently set in mem_init(), the value is actually +already available much earlier, as soon as mem_topology_setup() has +completed, which is also before paging_init() is called. So move the +initialisation there, which causes paging_init() to correctly initialise +the struct page and fixes the bug. + +This bug seems to have been lurking for years, but went unnoticed +because the pre-folio code was inspecting the uninitialised page->flags +but not dereferencing it. + +Thanks to Erhard and Aneesh for help debugging. + +Reported-by: Erhard Furtner +Closes: https://lore.kernel.org/all/20230929132750.3cd98452@yea/ +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231023112500.1550208-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/setup-common.c | 2 ++ + arch/powerpc/mm/mem.c | 1 - + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/setup-common.c b/arch/powerpc/kernel/setup-common.c +index da8c71f321ad3..1e417c3eedfef 100644 +--- a/arch/powerpc/kernel/setup-common.c ++++ b/arch/powerpc/kernel/setup-common.c +@@ -906,6 +906,8 @@ void __init setup_arch(char **cmdline_p) + + /* Parse memory topology */ + mem_topology_setup(); ++ /* Set max_mapnr before paging_init() */ ++ set_max_mapnr(max_pfn); + + /* + * Release secondary cpus out of their spinloops at 0x60 now that +diff --git a/arch/powerpc/mm/mem.c b/arch/powerpc/mm/mem.c +index 1ed276d2305fa..08e3422eb7926 100644 +--- a/arch/powerpc/mm/mem.c ++++ b/arch/powerpc/mm/mem.c +@@ -293,7 +293,6 @@ void __init mem_init(void) + #endif + + high_memory = (void *) __va(max_low_pfn * PAGE_SIZE); +- set_max_mapnr(max_pfn); + + kasan_late_init(); + +-- +2.42.0 + diff --git a/queue-5.10/scsi-mpt3sas-fix-in-error-path.patch b/queue-5.10/scsi-mpt3sas-fix-in-error-path.patch new file mode 100644 index 00000000000..cbc55145747 --- /dev/null +++ b/queue-5.10/scsi-mpt3sas-fix-in-error-path.patch @@ -0,0 +1,39 @@ +From 30e9e7b62a2d205ac23190f6a12579d1e5134946 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Oct 2023 13:45:29 +0200 +Subject: scsi: mpt3sas: Fix in error path + +From: Tomas Henzl + +[ Upstream commit e40c04ade0e2f3916b78211d747317843b11ce10 ] + +The driver should be deregistered as misc driver after PCI registration +failure. + +Signed-off-by: Tomas Henzl +Link: https://lore.kernel.org/r/20231015114529.10725-1-thenzl@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +index c3a5978b0efac..e797f6e3982cf 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -11624,8 +11624,10 @@ _mpt3sas_init(void) + mpt3sas_ctl_init(hbas_to_enumerate); + + error = pci_register_driver(&mpt3sas_driver); +- if (error) ++ if (error) { ++ mpt3sas_ctl_exit(hbas_to_enumerate); + scsih_exit(); ++ } + + return error; + } +-- +2.42.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 2bafabe41b3..cb98eca1183 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -58,3 +58,17 @@ rpmsg-fix-calling-device_lock-on-non-initialized-device.patch rpmsg-glink-release-driver_override.patch rpmsg-fix-possible-refcount-leak-in-rpmsg_register_device_override.patch x86-fix-.brk-attribute-in-linker-script.patch +net-sched-cls_u32-fix-allocation-size-in-u32_init.patch +irqchip-riscv-intc-mark-all-intc-nodes-as-initialize.patch +irqchip-stm32-exti-add-missing-dt-irq-flag-translati.patch +dmaengine-ste_dma40-fix-pm-disable-depth-imbalance-i.patch +input-synaptics-rmi4-handle-reset-delay-when-using-s.patch +fbdev-atyfb-only-use-ioremap_uc-on-i386-and-ia64.patch +spi-npcm-fiu-fix-uma-reads-when-dummy.nbytes-0.patch +netfilter-nfnetlink_log-silence-bogus-compiler-warni.patch +asoc-rt5650-fix-the-wrong-result-of-key-button.patch +fbdev-uvesafb-call-cn_del_callback-at-the-end-of-uve.patch +scsi-mpt3sas-fix-in-error-path.patch +platform-mellanox-mlxbf-tmfifo-fix-a-warning-message.patch +net-chelsio-cxgb4-add-an-error-code-check-in-t4_load.patch +powerpc-mm-fix-boot-crash-with-flatmem.patch diff --git a/queue-5.10/spi-npcm-fiu-fix-uma-reads-when-dummy.nbytes-0.patch b/queue-5.10/spi-npcm-fiu-fix-uma-reads-when-dummy.nbytes-0.patch new file mode 100644 index 00000000000..67a6734f0b9 --- /dev/null +++ b/queue-5.10/spi-npcm-fiu-fix-uma-reads-when-dummy.nbytes-0.patch @@ -0,0 +1,40 @@ +From 8898f6645924b7c9089046340e9e8d03c1db2546 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Sep 2023 11:28:12 -0700 +Subject: spi: npcm-fiu: Fix UMA reads when dummy.nbytes == 0 + +From: William A. Kennington III + +[ Upstream commit 2ec8b010979036c2fe79a64adb6ecc0bd11e91d1 ] + +We don't want to use the value of ilog2(0) as dummy.buswidth is 0 when +dummy.nbytes is 0. Since we have no dummy bytes, we don't need to +configure the dummy byte bits per clock register value anyway. + +Signed-off-by: "William A. Kennington III" +Link: https://lore.kernel.org/r/20230922182812.2728066-1-william@wkennington.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-npcm-fiu.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-npcm-fiu.c b/drivers/spi/spi-npcm-fiu.c +index b62471ab6d7f2..1edaf22e265bf 100644 +--- a/drivers/spi/spi-npcm-fiu.c ++++ b/drivers/spi/spi-npcm-fiu.c +@@ -334,8 +334,9 @@ static int npcm_fiu_uma_read(struct spi_mem *mem, + uma_cfg |= ilog2(op->cmd.buswidth); + uma_cfg |= ilog2(op->addr.buswidth) + << NPCM_FIU_UMA_CFG_ADBPCK_SHIFT; +- uma_cfg |= ilog2(op->dummy.buswidth) +- << NPCM_FIU_UMA_CFG_DBPCK_SHIFT; ++ if (op->dummy.nbytes) ++ uma_cfg |= ilog2(op->dummy.buswidth) ++ << NPCM_FIU_UMA_CFG_DBPCK_SHIFT; + uma_cfg |= ilog2(op->data.buswidth) + << NPCM_FIU_UMA_CFG_RDBPCK_SHIFT; + uma_cfg |= op->dummy.nbytes << NPCM_FIU_UMA_CFG_DBSIZ_SHIFT; +-- +2.42.0 +