5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 23 Jan 2022 15:05:56 +0000 (16:05 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 23 Jan 2022 15:05:56 +0000 (16:05 +0100)
added patches:
can-softing_cs-softingcs_probe-fix-memleak-on-registration-failure.patch
dma_fence_array-fix-pending_error-leak-in-dma_fence_array_signaled.patch
drm-rockchip-dsi-hold-pm-runtime-across-bind-unbind.patch
drm-rockchip-dsi-reconfigure-hardware-on-resume.patch
f2fs-fix-to-do-sanity-check-in-is_alive.patch
iommu-io-pgtable-arm-v7s-add-error-handle-for-page-table-allocation-failure.patch
lkdtm-fix-content-of-section-containing-lkdtm_rodata_do_nothing.patch
media-cpia2-fix-control-message-timeouts.patch
media-dib0700-fix-undefined-behavior-in-tuner-shutdown.patch
media-em28xx-fix-control-message-timeouts.patch
media-flexcop-usb-fix-control-message-timeouts.patch
media-mceusb-fix-control-message-timeouts.patch
media-pvrusb2-fix-control-message-timeouts.patch
media-redrat3-fix-control-message-timeouts.patch
media-s2255-fix-control-message-timeouts.patch
media-stk1160-fix-control-message-timeouts.patch
media-v4l2-ioctl.c-readbuffers-depends-on-v4l2_cap_readwrite.patch
mm-page_alloc.c-do-not-warn-allocation-failure-on-zone-dma-if-no-managed-pages.patch
mm_zone-add-function-to-check-if-managed-dma-zone-exists.patch
mtd-rawnand-gpmi-add-err007117-protection-for-nfc_apply_timings.patch
mtd-rawnand-gpmi-remove-explicit-default-gpmi-clock-setting-for-i.mx6.patch
nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch
pci-add-function-1-dma-alias-quirk-for-marvell-88se9125-sata-controller.patch
rtc-cmos-take-rtc_lock-while-reading-from-cmos.patch
shmem-fix-a-race-between-shmem_unused_huge_shrink-and-shmem_evict_inode.patch
tools-nolibc-fix-incorrect-truncation-of-exit-code.patch
tools-nolibc-i386-fix-initial-stack-alignment.patch
tools-nolibc-x86-64-fix-startup-code-bug.patch
x86-gpu-reserve-stolen-memory-for-first-integrated-intel-gpu.patch

30 files changed:
queue-5.4/can-softing_cs-softingcs_probe-fix-memleak-on-registration-failure.patch [new file with mode: 0644]
queue-5.4/dma_fence_array-fix-pending_error-leak-in-dma_fence_array_signaled.patch [new file with mode: 0644]
queue-5.4/drm-rockchip-dsi-hold-pm-runtime-across-bind-unbind.patch [new file with mode: 0644]
queue-5.4/drm-rockchip-dsi-reconfigure-hardware-on-resume.patch [new file with mode: 0644]
queue-5.4/f2fs-fix-to-do-sanity-check-in-is_alive.patch [new file with mode: 0644]
queue-5.4/iommu-io-pgtable-arm-v7s-add-error-handle-for-page-table-allocation-failure.patch [new file with mode: 0644]
queue-5.4/lkdtm-fix-content-of-section-containing-lkdtm_rodata_do_nothing.patch [new file with mode: 0644]
queue-5.4/media-cpia2-fix-control-message-timeouts.patch [new file with mode: 0644]
queue-5.4/media-dib0700-fix-undefined-behavior-in-tuner-shutdown.patch [new file with mode: 0644]
queue-5.4/media-em28xx-fix-control-message-timeouts.patch [new file with mode: 0644]
queue-5.4/media-flexcop-usb-fix-control-message-timeouts.patch [new file with mode: 0644]
queue-5.4/media-mceusb-fix-control-message-timeouts.patch [new file with mode: 0644]
queue-5.4/media-pvrusb2-fix-control-message-timeouts.patch [new file with mode: 0644]
queue-5.4/media-redrat3-fix-control-message-timeouts.patch [new file with mode: 0644]
queue-5.4/media-s2255-fix-control-message-timeouts.patch [new file with mode: 0644]
queue-5.4/media-stk1160-fix-control-message-timeouts.patch [new file with mode: 0644]
queue-5.4/media-v4l2-ioctl.c-readbuffers-depends-on-v4l2_cap_readwrite.patch [new file with mode: 0644]
queue-5.4/mm-page_alloc.c-do-not-warn-allocation-failure-on-zone-dma-if-no-managed-pages.patch [new file with mode: 0644]
queue-5.4/mm_zone-add-function-to-check-if-managed-dma-zone-exists.patch [new file with mode: 0644]
queue-5.4/mtd-rawnand-gpmi-add-err007117-protection-for-nfc_apply_timings.patch [new file with mode: 0644]
queue-5.4/mtd-rawnand-gpmi-remove-explicit-default-gpmi-clock-setting-for-i.mx6.patch [new file with mode: 0644]
queue-5.4/nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch [new file with mode: 0644]
queue-5.4/pci-add-function-1-dma-alias-quirk-for-marvell-88se9125-sata-controller.patch [new file with mode: 0644]
queue-5.4/rtc-cmos-take-rtc_lock-while-reading-from-cmos.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/shmem-fix-a-race-between-shmem_unused_huge_shrink-and-shmem_evict_inode.patch [new file with mode: 0644]
queue-5.4/tools-nolibc-fix-incorrect-truncation-of-exit-code.patch [new file with mode: 0644]
queue-5.4/tools-nolibc-i386-fix-initial-stack-alignment.patch [new file with mode: 0644]
queue-5.4/tools-nolibc-x86-64-fix-startup-code-bug.patch [new file with mode: 0644]
queue-5.4/x86-gpu-reserve-stolen-memory-for-first-integrated-intel-gpu.patch [new file with mode: 0644]

diff --git a/queue-5.4/can-softing_cs-softingcs_probe-fix-memleak-on-registration-failure.patch b/queue-5.4/can-softing_cs-softingcs_probe-fix-memleak-on-registration-failure.patch
new file mode 100644 (file)
index 0000000..6c9b6a9
--- /dev/null
@@ -0,0 +1,36 @@
+From ced4913efb0acc844ed65cc01d091a85d83a2082 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 22 Dec 2021 11:48:43 +0100
+Subject: can: softing_cs: softingcs_probe(): fix memleak on registration failure
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ced4913efb0acc844ed65cc01d091a85d83a2082 upstream.
+
+In case device registration fails during probe, the driver state and
+the embedded platform device structure needs to be freed using
+platform_device_put() to properly free all resources (e.g. the device
+name).
+
+Fixes: 0a0b7a5f7a04 ("can: add driver for Softing card")
+Link: https://lore.kernel.org/all/20211222104843.6105-1-johan@kernel.org
+Cc: stable@vger.kernel.org # 2.6.38
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/softing/softing_cs.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/softing/softing_cs.c
++++ b/drivers/net/can/softing/softing_cs.c
+@@ -293,7 +293,7 @@ static int softingcs_probe(struct pcmcia
+       return 0;
+ platform_failed:
+-      kfree(dev);
++      platform_device_put(pdev);
+ mem_failed:
+ pcmcia_bad:
+ pcmcia_failed:
diff --git a/queue-5.4/dma_fence_array-fix-pending_error-leak-in-dma_fence_array_signaled.patch b/queue-5.4/dma_fence_array-fix-pending_error-leak-in-dma_fence_array_signaled.patch
new file mode 100644 (file)
index 0000000..8e7dd1b
--- /dev/null
@@ -0,0 +1,54 @@
+From 95d35838880fb040ccb9fe4a48816bd0c8b62df5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Hellstr=C3=B6m?= <thomas.hellstrom@linux.intel.com>
+Date: Mon, 29 Nov 2021 16:27:27 +0100
+Subject: dma_fence_array: Fix PENDING_ERROR leak in dma_fence_array_signaled()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+
+commit 95d35838880fb040ccb9fe4a48816bd0c8b62df5 upstream.
+
+If a dma_fence_array is reported signaled by a call to
+dma_fence_is_signaled(), it may leak the PENDING_ERROR status.
+
+Fix this by clearing the PENDING_ERROR status if we return true in
+dma_fence_array_signaled().
+
+v2:
+- Update Cc list, and add R-b.
+
+Fixes: 1f70b8b812f3 ("dma-fence: Propagate errors to dma-fence-array container")
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Sumit Semwal <sumit.semwal@linaro.org>
+Cc: Gustavo Padovan <gustavo@padovan.org>
+Cc: Christian König <christian.koenig@amd.com>
+Cc: "Christian König" <christian.koenig@amd.com>
+Cc: linux-media@vger.kernel.org
+Cc: dri-devel@lists.freedesktop.org
+Cc: linaro-mm-sig@lists.linaro.org
+Cc: <stable@vger.kernel.org> # v5.4+
+Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211129152727.448908-1-thomas.hellstrom@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma-buf/dma-fence-array.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/dma-buf/dma-fence-array.c
++++ b/drivers/dma-buf/dma-fence-array.c
+@@ -104,7 +104,11 @@ static bool dma_fence_array_signaled(str
+ {
+       struct dma_fence_array *array = to_dma_fence_array(fence);
+-      return atomic_read(&array->num_pending) <= 0;
++      if (atomic_read(&array->num_pending) > 0)
++              return false;
++
++      dma_fence_array_clear_pending_error(array);
++      return true;
+ }
+ static void dma_fence_array_release(struct dma_fence *fence)
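Review bot: dma_fence_array_signaled() is a query callback that now also writes state, and nothing in the function says so: once num_pending is no longer positive it calls dma_fence_array_clear_pending_error() before returning true. A short comment above that call would keep a later cleanup from folding the body back into a one-line return, for example `/* All fences signaled: clear the PENDING_ERROR placeholder so it is not left behind as this fence's error. */`. The helper is defined outside this hunk, so the wording should be checked against what it actually resets.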
diff --git a/queue-5.4/drm-rockchip-dsi-hold-pm-runtime-across-bind-unbind.patch b/queue-5.4/drm-rockchip-dsi-hold-pm-runtime-across-bind-unbind.patch
new file mode 100644 (file)
index 0000000..6270f98
--- /dev/null
@@ -0,0 +1,151 @@
+From 514db871922f103886ad4d221cf406b4fcc5e74a Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Tue, 28 Sep 2021 14:35:49 -0700
+Subject: drm/rockchip: dsi: Hold pm-runtime across bind/unbind
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit 514db871922f103886ad4d221cf406b4fcc5e74a upstream.
+
+In commit 43c2de1002d2 ("drm/rockchip: dsi: move all lane config except
+LCDC mux to bind()"), we moved most HW configuration to bind(), but we
+didn't move the runtime PM management. Therefore, depending on initial
+boot state, runtime-PM workqueue delays, and other timing factors, we
+may disable our power domain in between the hardware configuration
+(bind()) and when we enable the display. This can cause us to lose
+hardware state and fail to configure our display. For example:
+
+  dw-mipi-dsi-rockchip ff968000.mipi: failed to write command FIFO
+  panel-innolux-p079zca ff960000.mipi.0: failed to write command 0
+
+or:
+
+  dw-mipi-dsi-rockchip ff968000.mipi: failed to write command FIFO
+  panel-kingdisplay-kd097d04 ff960000.mipi.0: failed write init cmds: -110
+
+We should match the runtime PM to the lifetime of the bind()/unbind()
+cycle.
+
+Tested on Acer Chrometab 10 (RK3399 Gru-Scarlet), with panel drivers
+built either as modules or built-in.
+
+Side notes: it seems one is more likely to see this problem when the
+panel driver is built into the kernel. I've also seen this problem
+bisect down to commits that simply changed Kconfig dependencies, because
+it changed the order in which driver init functions were compiled into
+the kernel, and therefore the ordering and timing of built-in device
+probe.
+
+Fixes: 43c2de1002d2 ("drm/rockchip: dsi: move all lane config except LCDC mux to bind()")
+Link: https://lore.kernel.org/linux-rockchip/9aedfb528600ecf871885f7293ca4207c84d16c1.camel@gmail.com/
+Reported-by: <aleksandr.o.makarov@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Tested-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210928143413.v3.1.Ic2904d37f30013a7f3d8476203ad3733c186827e@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c |   37 ++++++++++++------------
+ 1 file changed, 19 insertions(+), 18 deletions(-)
+
+--- a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
++++ b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
+@@ -625,10 +625,6 @@ static void dw_mipi_dsi_encoder_enable(s
+       if (mux < 0)
+               return;
+-      pm_runtime_get_sync(dsi->dev);
+-      if (dsi->slave)
+-              pm_runtime_get_sync(dsi->slave->dev);
+-
+       /*
+        * For the RK3399, the clk of grf must be enabled before writing grf
+        * register. And for RK3288 or other soc, this grf_clk must be NULL,
+@@ -647,20 +643,10 @@ static void dw_mipi_dsi_encoder_enable(s
+       clk_disable_unprepare(dsi->grf_clk);
+ }
+-static void dw_mipi_dsi_encoder_disable(struct drm_encoder *encoder)
+-{
+-      struct dw_mipi_dsi_rockchip *dsi = to_dsi(encoder);
+-
+-      if (dsi->slave)
+-              pm_runtime_put(dsi->slave->dev);
+-      pm_runtime_put(dsi->dev);
+-}
+-
+ static const struct drm_encoder_helper_funcs
+ dw_mipi_dsi_encoder_helper_funcs = {
+       .atomic_check = dw_mipi_dsi_encoder_atomic_check,
+       .enable = dw_mipi_dsi_encoder_enable,
+-      .disable = dw_mipi_dsi_encoder_disable,
+ };
+ static const struct drm_encoder_funcs dw_mipi_dsi_encoder_funcs = {
+@@ -795,10 +781,14 @@ static int dw_mipi_dsi_rockchip_bind(str
+               put_device(second);
+       }
++      pm_runtime_get_sync(dsi->dev);
++      if (dsi->slave)
++              pm_runtime_get_sync(dsi->slave->dev);
++
+       ret = clk_prepare_enable(dsi->pllref_clk);
+       if (ret) {
+               DRM_DEV_ERROR(dev, "Failed to enable pllref_clk: %d\n", ret);
+-              return ret;
++              goto out_pm_runtime;
+       }
+       /*
+@@ -810,7 +800,7 @@ static int dw_mipi_dsi_rockchip_bind(str
+       ret = clk_prepare_enable(dsi->grf_clk);
+       if (ret) {
+               DRM_DEV_ERROR(dsi->dev, "Failed to enable grf_clk: %d\n", ret);
+-              return ret;
++              goto out_pm_runtime;
+       }
+       dw_mipi_dsi_rockchip_config(dsi);
+@@ -822,16 +812,23 @@ static int dw_mipi_dsi_rockchip_bind(str
+       ret = rockchip_dsi_drm_create_encoder(dsi, drm_dev);
+       if (ret) {
+               DRM_DEV_ERROR(dev, "Failed to create drm encoder\n");
+-              return ret;
++              goto out_pm_runtime;
+       }
+       ret = dw_mipi_dsi_bind(dsi->dmd, &dsi->encoder);
+       if (ret) {
+               DRM_DEV_ERROR(dev, "Failed to bind: %d\n", ret);
+-              return ret;
++              goto out_pm_runtime;
+       }
+       return 0;
++
++out_pm_runtime:
++      pm_runtime_put(dsi->dev);
++      if (dsi->slave)
++              pm_runtime_put(dsi->slave->dev);
++
++      return ret;
+ }
+ static void dw_mipi_dsi_rockchip_unbind(struct device *dev,
+@@ -846,6 +843,10 @@ static void dw_mipi_dsi_rockchip_unbind(
+       dw_mipi_dsi_unbind(dsi->dmd);
+       clk_disable_unprepare(dsi->pllref_clk);
++
++      pm_runtime_put(dsi->dev);
++      if (dsi->slave)
++              pm_runtime_put(dsi->slave->dev);
+ }
+ static const struct component_ops dw_mipi_dsi_rockchip_ops = {
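Review bot: The new `out_pm_runtime` label in dw_mipi_dsi_rockchip_bind() drops the runtime-PM references but leaves pllref_clk enabled when a later step fails. The grf_clk, encoder-creation and dw_mipi_dsi_bind() failure paths all jump there after `clk_prepare_enable(dsi->pllref_clk)` has succeeded. A second label placed above it, `out_pll_clk:` followed by `clk_disable_unprepare(dsi->pllref_clk);`, used by those three paths, would balance the clock. The return values of both `pm_runtime_get_sync()` calls are also ignored, so a failed power-up is only noticed when later hardware writes fail. The parts of bind() between the hunks are not visible, so whether grf_clk needs the same unwinding cannot be judged from this patch.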
diff --git a/queue-5.4/drm-rockchip-dsi-reconfigure-hardware-on-resume.patch b/queue-5.4/drm-rockchip-dsi-reconfigure-hardware-on-resume.patch
new file mode 100644 (file)
index 0000000..b0c9385
--- /dev/null
@@ -0,0 +1,115 @@
+From e584cdc1549932f87a2707b56bc588cfac5d89e0 Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Tue, 28 Sep 2021 14:35:50 -0700
+Subject: drm/rockchip: dsi: Reconfigure hardware on resume()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit e584cdc1549932f87a2707b56bc588cfac5d89e0 upstream.
+
+Since commit 43c2de1002d2 ("drm/rockchip: dsi: move all lane config except
+LCDC mux to bind()"), we perform most HW configuration in the bind()
+function. This configuration may be lost on suspend/resume, so we
+need to call it again. That may lead to errors like this after system
+suspend/resume:
+
+  dw-mipi-dsi-rockchip ff968000.mipi: failed to write command FIFO
+  panel-kingdisplay-kd097d04 ff960000.mipi.0: failed write init cmds: -110
+
+Tested on Acer Chromebook Tab 10 (RK3399 Gru-Scarlet).
+
+Note that early mailing list versions of this driver borrowed Rockchip's
+downstream/BSP solution, to do HW configuration in mode_set() (which
+*is* called at the appropriate pre-enable() times), but that was
+discarded along the way. I've avoided that still, because mode_set()
+documentation doesn't suggest this kind of purpose as far as I can tell.
+
+Fixes: 43c2de1002d2 ("drm/rockchip: dsi: move all lane config except LCDC mux to bind()")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Tested-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210928143413.v3.2.I4e9d93aadb00b1ffc7d506e3186a25492bf0b732@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c |   37 ++++++++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+
+--- a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
++++ b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
+@@ -231,6 +231,8 @@ struct dw_mipi_dsi_rockchip {
+       struct dw_mipi_dsi *dmd;
+       const struct rockchip_dw_dsi_chip_data *cdata;
+       struct dw_mipi_dsi_plat_data pdata;
++
++      bool dsi_bound;
+ };
+ struct dphy_pll_parameter_map {
+@@ -821,6 +823,8 @@ static int dw_mipi_dsi_rockchip_bind(str
+               goto out_pm_runtime;
+       }
++      dsi->dsi_bound = true;
++
+       return 0;
+ out_pm_runtime:
+@@ -840,6 +844,8 @@ static void dw_mipi_dsi_rockchip_unbind(
+       if (dsi->is_slave)
+               return;
++      dsi->dsi_bound = false;
++
+       dw_mipi_dsi_unbind(dsi->dmd);
+       clk_disable_unprepare(dsi->pllref_clk);
+@@ -904,6 +910,36 @@ static const struct dw_mipi_dsi_host_ops
+       .detach = dw_mipi_dsi_rockchip_host_detach,
+ };
++static int __maybe_unused dw_mipi_dsi_rockchip_resume(struct device *dev)
++{
++      struct dw_mipi_dsi_rockchip *dsi = dev_get_drvdata(dev);
++      int ret;
++
++      /*
++       * Re-configure DSI state, if we were previously initialized. We need
++       * to do this before rockchip_drm_drv tries to re-enable() any panels.
++       */
++      if (dsi->dsi_bound) {
++              ret = clk_prepare_enable(dsi->grf_clk);
++              if (ret) {
++                      DRM_DEV_ERROR(dsi->dev, "Failed to enable grf_clk: %d\n", ret);
++                      return ret;
++              }
++
++              dw_mipi_dsi_rockchip_config(dsi);
++              if (dsi->slave)
++                      dw_mipi_dsi_rockchip_config(dsi->slave);
++
++              clk_disable_unprepare(dsi->grf_clk);
++      }
++
++      return 0;
++}
++
++static const struct dev_pm_ops dw_mipi_dsi_rockchip_pm_ops = {
++      SET_LATE_SYSTEM_SLEEP_PM_OPS(NULL, dw_mipi_dsi_rockchip_resume)
++};
++
+ static int dw_mipi_dsi_rockchip_probe(struct platform_device *pdev)
+ {
+       struct device *dev = &pdev->dev;
+@@ -1089,6 +1125,7 @@ struct platform_driver dw_mipi_dsi_rockc
+       .remove         = dw_mipi_dsi_rockchip_remove,
+       .driver         = {
+               .of_match_table = dw_mipi_dsi_rockchip_dt_ids,
++              .pm     = &dw_mipi_dsi_rockchip_pm_ops,
+               .name   = "dw-mipi-dsi-rockchip",
+       },
+ };
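Review bot: `dsi_bound` is added to struct dw_mipi_dsi_rockchip without a comment, and its lifetime rules are spread over three functions: set at the end of bind(), cleared in unbind(), read in dw_mipi_dsi_rockchip_resume(). No lock or barrier around those accesses is visible in these hunks, so it is worth recording what orders the late-resume callback against unbind(), if anything does. A field comment such as `/* true between a successful bind() and unbind(); read by the late-resume callback to decide whether to reprogram the hardware */` would capture the contract. The struct and the bodies of bind() and unbind() continue outside the hunks.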
diff --git a/queue-5.4/f2fs-fix-to-do-sanity-check-in-is_alive.patch b/queue-5.4/f2fs-fix-to-do-sanity-check-in-is_alive.patch
new file mode 100644 (file)
index 0000000..13663dd
--- /dev/null
@@ -0,0 +1,34 @@
+From 77900c45ee5cd5da63bd4d818a41dbdf367e81cd Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Mon, 6 Dec 2021 22:44:21 +0800
+Subject: f2fs: fix to do sanity check in is_alive()
+
+From: Chao Yu <chao@kernel.org>
+
+commit 77900c45ee5cd5da63bd4d818a41dbdf367e81cd upstream.
+
+In fuzzed image, SSA table may indicate that a data block belongs to
+invalid node, which node ID is out-of-range (0, 1, 2 or max_nid), in
+order to avoid migrating inconsistent data in such corrupted image,
+let's do sanity check anyway before data block migration.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/gc.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -633,6 +633,9 @@ static bool is_alive(struct f2fs_sb_info
+               set_sbi_flag(sbi, SBI_NEED_FSCK);
+       }
++      if (f2fs_check_nid_range(sbi, dni->ino))
++              return false;
++
+       *nofs = ofs_of_node(node_page);
+       source_blkaddr = datablock_addr(NULL, node_page, ofs_in_node);
+       f2fs_put_page(node_page, 1);
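Review bot: The added early return in is_alive() leaves the function while node_page is still held. The unchanged lines right after it still read from node_page and only then call `f2fs_put_page(node_page, 1)`, so a corrupted image that trips the new nid check skips that release on every such block. The check should release the page before returning: `if (f2fs_check_nid_range(sbi, dni->ino)) { f2fs_put_page(node_page, 1); return false; }`. Where node_page is obtained is above the hunk, so this assumes it is acquired there and that the second argument asks for an unlock as well.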
diff --git a/queue-5.4/iommu-io-pgtable-arm-v7s-add-error-handle-for-page-table-allocation-failure.patch b/queue-5.4/iommu-io-pgtable-arm-v7s-add-error-handle-for-page-table-allocation-failure.patch
new file mode 100644 (file)
index 0000000..4d7be8c
--- /dev/null
@@ -0,0 +1,49 @@
+From a556cfe4cabc6d79cbb7733f118bbb420b376fe6 Mon Sep 17 00:00:00 2001
+From: Yunfei Wang <yf.wang@mediatek.com>
+Date: Tue, 7 Dec 2021 19:33:15 +0800
+Subject: iommu/io-pgtable-arm-v7s: Add error handle for page table allocation failure
+
+From: Yunfei Wang <yf.wang@mediatek.com>
+
+commit a556cfe4cabc6d79cbb7733f118bbb420b376fe6 upstream.
+
+In __arm_v7s_alloc_table function:
+iommu call kmem_cache_alloc to allocate page table, this function
+allocate memory may fail, when kmem_cache_alloc fails to allocate
+table, call virt_to_phys will be abnomal and return unexpected phys
+and goto out_free, then call kmem_cache_free to release table will
+trigger KE, __get_free_pages and free_pages have similar problem,
+so add error handle for page table allocation failure.
+
+Fixes: 29859aeb8a6e ("iommu/io-pgtable-arm-v7s: Abort allocation when table address overflows the PTE")
+Signed-off-by: Yunfei Wang <yf.wang@mediatek.com>
+Cc: <stable@vger.kernel.org> # 5.10.*
+Acked-by: Robin Murphy <robin.murphy@arm.com>
+Link: https://lore.kernel.org/r/20211207113315.29109-1-yf.wang@mediatek.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/io-pgtable-arm-v7s.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/io-pgtable-arm-v7s.c
++++ b/drivers/iommu/io-pgtable-arm-v7s.c
+@@ -244,13 +244,17 @@ static void *__arm_v7s_alloc_table(int l
+                       __GFP_ZERO | ARM_V7S_TABLE_GFP_DMA, get_order(size));
+       else if (lvl == 2)
+               table = kmem_cache_zalloc(data->l2_tables, gfp);
++
++      if (!table)
++              return NULL;
++
+       phys = virt_to_phys(table);
+       if (phys != (arm_v7s_iopte)phys) {
+               /* Doesn't fit in PTE */
+               dev_err(dev, "Page table does not fit in PTE: %pa", &phys);
+               goto out_free;
+       }
+-      if (table && !cfg->coherent_walk) {
++      if (!cfg->coherent_walk) {
+               dma = dma_map_single(dev, table, size, DMA_TO_DEVICE);
+               if (dma_mapping_error(dev, dma))
+                       goto out_free;
diff --git a/queue-5.4/lkdtm-fix-content-of-section-containing-lkdtm_rodata_do_nothing.patch b/queue-5.4/lkdtm-fix-content-of-section-containing-lkdtm_rodata_do_nothing.patch
new file mode 100644 (file)
index 0000000..78c0279
--- /dev/null
@@ -0,0 +1,55 @@
+From bc93a22a19eb2b68a16ecf04cdf4b2ed65aaf398 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+Date: Fri, 8 Oct 2021 18:58:40 +0200
+Subject: lkdtm: Fix content of section containing lkdtm_rodata_do_nothing()
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+commit bc93a22a19eb2b68a16ecf04cdf4b2ed65aaf398 upstream.
+
+On a kernel without CONFIG_STRICT_KERNEL_RWX, running EXEC_RODATA
+test leads to "Illegal instruction" failure.
+
+Looking at the content of rodata_objcopy.o, we see that the
+function content zeroes only:
+
+       Disassembly of section .rodata:
+
+       0000000000000000 <.lkdtm_rodata_do_nothing>:
+          0:   00 00 00 00     .long 0x0
+
+Add the contents flag in order to keep the content of the section
+while renaming it.
+
+       Disassembly of section .rodata:
+
+       0000000000000000 <.lkdtm_rodata_do_nothing>:
+          0:   4e 80 00 20     blr
+
+Fixes: e9e08a07385e ("lkdtm: support llvm-objcopy")
+Cc: stable@vger.kernel.org
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/8900731fbc05fb8b0de18af7133a8fc07c3c53a1.1633712176.git.christophe.leroy@csgroup.eu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/lkdtm/Makefile |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/lkdtm/Makefile
++++ b/drivers/misc/lkdtm/Makefile
+@@ -16,7 +16,7 @@ KCOV_INSTRUMENT_rodata.o     := n
+ OBJCOPYFLAGS :=
+ OBJCOPYFLAGS_rodata_objcopy.o := \
+-                      --rename-section .noinstr.text=.rodata,alloc,readonly,load
++                      --rename-section .noinstr.text=.rodata,alloc,readonly,load,contents
+ targets += rodata.o rodata_objcopy.o
+ $(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE
+       $(call if_changed,objcopy)
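Review bot: The `contents` flag added to `--rename-section` carries no comment, and its purpose cannot be read from the Makefile alone. Per the commit message, without it the renamed .rodata section holds only zeroes, so the EXEC_RODATA test faults on an illegal instruction rather than executing the real function body. A line above `OBJCOPYFLAGS_rodata_objcopy.o` such as `# 'contents' keeps the function body in the renamed section; without it the section is all zeroes` would keep the flag from being dropped in a later flag cleanup.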
diff --git a/queue-5.4/media-cpia2-fix-control-message-timeouts.patch b/queue-5.4/media-cpia2-fix-control-message-timeouts.patch
new file mode 100644 (file)
index 0000000..2c7f1de
--- /dev/null
@@ -0,0 +1,42 @@
+From 10729be03327f53258cb196362015ad5c6eabe02 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 25 Oct 2021 13:16:37 +0100
+Subject: media: cpia2: fix control-message timeouts
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 10729be03327f53258cb196362015ad5c6eabe02 upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Fixes: ab33d5071de7 ("V4L/DVB (3376): Add cpia2 camera support")
+Cc: stable@vger.kernel.org      # 2.6.17
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/cpia2/cpia2_usb.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/cpia2/cpia2_usb.c
++++ b/drivers/media/usb/cpia2/cpia2_usb.c
+@@ -550,7 +550,7 @@ static int write_packet(struct usb_devic
+                              0,       /* index */
+                              buf,     /* buffer */
+                              size,
+-                             HZ);
++                             1000);
+       kfree(buf);
+       return ret;
+@@ -582,7 +582,7 @@ static int read_packet(struct usb_device
+                              0,       /* index */
+                              buf,     /* buffer */
+                              size,
+-                             HZ);
++                             1000);
+       if (ret >= 0)
+               memcpy(registers, buf, size);
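Review bot: In read_packet() the unchanged lines `if (ret >= 0)` / `memcpy(registers, buf, size);` copy `size` bytes even when usb_control_msg() transferred fewer, so a short read hands the caller bytes the device never wrote. If `buf` is not zero-initialised (its allocation is above the hunk), those bytes are stale heap contents. Treating a short transfer as an error closes this: `if (ret == size) memcpy(registers, buf, size); else if (ret >= 0) ret = -EIO;`. What callers expect from the return value is not visible here and should be checked before changing it.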
diff --git a/queue-5.4/media-dib0700-fix-undefined-behavior-in-tuner-shutdown.patch b/queue-5.4/media-dib0700-fix-undefined-behavior-in-tuner-shutdown.patch
new file mode 100644 (file)
index 0000000..c610256
--- /dev/null
@@ -0,0 +1,51 @@
+From f7b77ebe6d2f49c7747b2d619586d1aa33f9ea91 Mon Sep 17 00:00:00 2001
+From: Michael Kuron <michael.kuron@gmail.com>
+Date: Sun, 26 Sep 2021 21:51:26 +0100
+Subject: media: dib0700: fix undefined behavior in tuner shutdown
+
+From: Michael Kuron <michael.kuron@gmail.com>
+
+commit f7b77ebe6d2f49c7747b2d619586d1aa33f9ea91 upstream.
+
+This fixes a problem where closing the tuner would leave it in a state
+where it would not tune to any channel when reopened. This problem was
+discovered as part of https://github.com/hselasky/webcamd/issues/16.
+
+Since adap->id is 0 or 1, this bit-shift overflows, which is undefined
+behavior. The driver still worked in practice as the overflow would in
+most environments result in 0, which rendered the line a no-op. When
+running the driver as part of webcamd however, the overflow could lead
+to 0xff due to optimizations by the compiler, which would, in the end,
+improperly shut down the tuner.
+
+The bug is a regression introduced in the commit referenced below. The
+present patch causes identical behavior to before that commit for
+adap->id equal to 0 or 1. The driver does not contain support for
+dib0700 devices with more adapters, assuming such even exist.
+
+Tests have been performed with the Xbox One Digital TV Tuner on amd64.
+Not all dib0700 devices are expected to be affected by the regression;
+this code path is only taken by those with incorrect endpoint numbers.
+
+Link: https://lore.kernel.org/linux-media/1d2fc36d94ced6f67c7cc21dcc469d5e5bdd8201.1632689033.git.mchehab+huawei@kernel.org
+
+Cc: stable@vger.kernel.org
+Fixes: 7757ddda6f4f ("[media] DiB0700: add function to change I2C-speed")
+Signed-off-by: Michael Kuron <michael.kuron@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/dvb-usb/dib0700_core.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/dib0700_core.c
++++ b/drivers/media/usb/dvb-usb/dib0700_core.c
+@@ -616,8 +616,6 @@ int dib0700_streaming_ctrl(struct dvb_us
+               deb_info("the endpoint number (%i) is not correct, use the adapter id instead", adap->fe_adap[0].stream.props.endpoint);
+               if (onoff)
+                       st->channel_state |=    1 << (adap->id);
+-              else
+-                      st->channel_state |=    1 << ~(adap->id);
+       } else {
+               if (onoff)
+                       st->channel_state |=    1 << (adap->fe_adap[0].stream.props.endpoint-2);
diff --git a/queue-5.4/media-em28xx-fix-control-message-timeouts.patch b/queue-5.4/media-em28xx-fix-control-message-timeouts.patch
new file mode 100644 (file)
index 0000000..4ce3744
--- /dev/null
@@ -0,0 +1,42 @@
+From d9b7e8df3aa9b8c10708aab60e72e79ac08237e4 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 25 Oct 2021 13:16:38 +0100
+Subject: media: em28xx: fix control-message timeouts
+
+From: Johan Hovold <johan@kernel.org>
+
+commit d9b7e8df3aa9b8c10708aab60e72e79ac08237e4 upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Fixes: a6c2ba283565 ("[PATCH] v4l: 716: support for em28xx board family")
+Cc: stable@vger.kernel.org      # 2.6.16
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/em28xx/em28xx-core.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/em28xx/em28xx-core.c
++++ b/drivers/media/usb/em28xx/em28xx-core.c
+@@ -89,7 +89,7 @@ int em28xx_read_reg_req_len(struct em28x
+       mutex_lock(&dev->ctrl_urb_lock);
+       ret = usb_control_msg(udev, pipe, req,
+                             USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+-                            0x0000, reg, dev->urb_buf, len, HZ);
++                            0x0000, reg, dev->urb_buf, len, 1000);
+       if (ret < 0) {
+               em28xx_regdbg("(pipe 0x%08x): IN:  %02x %02x %02x %02x %02x %02x %02x %02x  failed with error %i\n",
+                             pipe,
+@@ -158,7 +158,7 @@ int em28xx_write_regs_req(struct em28xx
+       memcpy(dev->urb_buf, buf, len);
+       ret = usb_control_msg(udev, pipe, req,
+                             USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+-                            0x0000, reg, dev->urb_buf, len, HZ);
++                            0x0000, reg, dev->urb_buf, len, 1000);
+       mutex_unlock(&dev->ctrl_urb_lock);
+       if (ret < 0) {
diff --git a/queue-5.4/media-flexcop-usb-fix-control-message-timeouts.patch b/queue-5.4/media-flexcop-usb-fix-control-message-timeouts.patch
new file mode 100644 (file)
index 0000000..51f8944
--- /dev/null
@@ -0,0 +1,95 @@
+From cd1798a387825cc4a51282f5a611ad05bb1ad75f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 25 Oct 2021 13:16:36 +0100
+Subject: media: flexcop-usb: fix control-message timeouts
+
+From: Johan Hovold <johan@kernel.org>
+
+commit cd1798a387825cc4a51282f5a611ad05bb1ad75f upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Note that the driver was multiplying some of the timeout values with HZ
+twice resulting in 3000-second timeouts with HZ=1000.
+
+Also note that two of the timeout defines are currently unused.
+
+Fixes: 2154be651b90 ("[media] redrat3: new rc-core IR transceiver device driver")
+Cc: stable@vger.kernel.org      # 3.0
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/b2c2/flexcop-usb.c |   10 +++++-----
+ drivers/media/usb/b2c2/flexcop-usb.h |   12 ++++++------
+ 2 files changed, 11 insertions(+), 11 deletions(-)
+
+--- a/drivers/media/usb/b2c2/flexcop-usb.c
++++ b/drivers/media/usb/b2c2/flexcop-usb.c
+@@ -87,7 +87,7 @@ static int flexcop_usb_readwrite_dw(stru
+                       0,
+                       fc_usb->data,
+                       sizeof(u32),
+-                      B2C2_WAIT_FOR_OPERATION_RDW * HZ);
++                      B2C2_WAIT_FOR_OPERATION_RDW);
+       if (ret != sizeof(u32)) {
+               err("error while %s dword from %d (%d).", read ? "reading" :
+@@ -155,7 +155,7 @@ static int flexcop_usb_v8_memory_req(str
+                       wIndex,
+                       fc_usb->data,
+                       buflen,
+-                      nWaitTime * HZ);
++                      nWaitTime);
+       if (ret != buflen)
+               ret = -EIO;
+@@ -249,13 +249,13 @@ static int flexcop_usb_i2c_req(struct fl
+               /* DKT 020208 - add this to support special case of DiSEqC */
+       case USB_FUNC_I2C_CHECKWRITE:
+               pipe = B2C2_USB_CTRL_PIPE_OUT;
+-              nWaitTime = 2;
++              nWaitTime = 2000;
+               request_type |= USB_DIR_OUT;
+               break;
+       case USB_FUNC_I2C_READ:
+       case USB_FUNC_I2C_REPEATREAD:
+               pipe = B2C2_USB_CTRL_PIPE_IN;
+-              nWaitTime = 2;
++              nWaitTime = 2000;
+               request_type |= USB_DIR_IN;
+               break;
+       default:
+@@ -282,7 +282,7 @@ static int flexcop_usb_i2c_req(struct fl
+                       wIndex,
+                       fc_usb->data,
+                       buflen,
+-                      nWaitTime * HZ);
++                      nWaitTime);
+       if (ret != buflen)
+               ret = -EIO;
+--- a/drivers/media/usb/b2c2/flexcop-usb.h
++++ b/drivers/media/usb/b2c2/flexcop-usb.h
+@@ -91,13 +91,13 @@ typedef enum {
+       UTILITY_SRAM_TESTVERIFY     = 0x16,
+ } flexcop_usb_utility_function_t;
+-#define B2C2_WAIT_FOR_OPERATION_RW (1*HZ)
+-#define B2C2_WAIT_FOR_OPERATION_RDW (3*HZ)
+-#define B2C2_WAIT_FOR_OPERATION_WDW (1*HZ)
++#define B2C2_WAIT_FOR_OPERATION_RW 1000
++#define B2C2_WAIT_FOR_OPERATION_RDW 3000
++#define B2C2_WAIT_FOR_OPERATION_WDW 1000
+-#define B2C2_WAIT_FOR_OPERATION_V8READ (3*HZ)
+-#define B2C2_WAIT_FOR_OPERATION_V8WRITE (3*HZ)
+-#define B2C2_WAIT_FOR_OPERATION_V8FLASH (3*HZ)
++#define B2C2_WAIT_FOR_OPERATION_V8READ 3000
++#define B2C2_WAIT_FOR_OPERATION_V8WRITE 3000
++#define B2C2_WAIT_FOR_OPERATION_V8FLASH 3000
+ typedef enum {
+       V8_MEMORY_PAGE_DVB_CI = 0x20,
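Review bot: The `B2C2_WAIT_FOR_OPERATION_*` defines in flexcop-usb.h and the bare `2000` now assigned to `nWaitTime` in flexcop_usb_i2c_req() state no unit, which presumably contributed to the values being scaled by HZ twice. I would add `/* USB control-message timeouts, in milliseconds */` above the define block and replace the two `nWaitTime = 2000;` literals with a named define, so the unit is written down once. Separately, the Fixes: tag and `# 3.0` range in this patch are identical to those of the redrat3 patch later in this commit and name the redrat3 driver, so the stated backport range for flexcop-usb is worth confirming. The functions touched here start and end outside the inner hunks.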
diff --git a/queue-5.4/media-mceusb-fix-control-message-timeouts.patch b/queue-5.4/media-mceusb-fix-control-message-timeouts.patch
new file mode 100644 (file)
index 0000000..5053f2f
--- /dev/null
@@ -0,0 +1,57 @@
+From 16394e998cbb050730536bdf7e89f5a70efbd974 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 25 Oct 2021 13:16:34 +0100
+Subject: media: mceusb: fix control-message timeouts
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 16394e998cbb050730536bdf7e89f5a70efbd974 upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Fixes: 66e89522aff7 ("V4L/DVB: IR: add mceusb IR receiver driver")
+Cc: stable@vger.kernel.org      # 2.6.36
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/mceusb.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/rc/mceusb.c
++++ b/drivers/media/rc/mceusb.c
+@@ -1430,7 +1430,7 @@ static void mceusb_gen1_init(struct mceu
+        */
+       ret = usb_control_msg(ir->usbdev, usb_rcvctrlpipe(ir->usbdev, 0),
+                             USB_REQ_SET_ADDRESS, USB_TYPE_VENDOR, 0, 0,
+-                            data, USB_CTRL_MSG_SZ, HZ * 3);
++                            data, USB_CTRL_MSG_SZ, 3000);
+       dev_dbg(dev, "set address - ret = %d", ret);
+       dev_dbg(dev, "set address - data[0] = %d, data[1] = %d",
+                                               data[0], data[1]);
+@@ -1438,20 +1438,20 @@ static void mceusb_gen1_init(struct mceu
+       /* set feature: bit rate 38400 bps */
+       ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0),
+                             USB_REQ_SET_FEATURE, USB_TYPE_VENDOR,
+-                            0xc04e, 0x0000, NULL, 0, HZ * 3);
++                            0xc04e, 0x0000, NULL, 0, 3000);
+       dev_dbg(dev, "set feature - ret = %d", ret);
+       /* bRequest 4: set char length to 8 bits */
+       ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0),
+                             4, USB_TYPE_VENDOR,
+-                            0x0808, 0x0000, NULL, 0, HZ * 3);
++                            0x0808, 0x0000, NULL, 0, 3000);
+       dev_dbg(dev, "set char length - retB = %d", ret);
+       /* bRequest 2: set handshaking to use DTR/DSR */
+       ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0),
+                             2, USB_TYPE_VENDOR,
+-                            0x0000, 0x0100, NULL, 0, HZ * 3);
++                            0x0000, 0x0100, NULL, 0, 3000);
+       dev_dbg(dev, "set handshake  - retC = %d", ret);
+       /* device resume */
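Review bot: The first transfer in mceusb_gen1_init() is sent on `usb_rcvctrlpipe()` but its request type is `USB_TYPE_VENDOR` without `USB_DIR_IN`, so the pipe direction and bRequestType disagree; the argument line would read `USB_REQ_SET_ADDRESS, USB_DIR_IN | USB_TYPE_VENDOR, 0, 0,`, subject to a check against real hardware since it changes the setup packet. The `dev_dbg()` that follows prints `data[0]` and `data[1]` whatever `ret` was, so after a timeout or short transfer the logged bytes are not device data; wrapping it in `if (ret >= 2)` would keep the debug output honest. None of the four return values is acted on beyond logging. The function starts and ends outside the hunk, so how `data` is allocated is not visible here.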
diff --git a/queue-5.4/media-pvrusb2-fix-control-message-timeouts.patch b/queue-5.4/media-pvrusb2-fix-control-message-timeouts.patch
new file mode 100644 (file)
index 0000000..fc66eba
--- /dev/null
@@ -0,0 +1,60 @@
+From b82bf9b9dc305d7d3d93eab106d70dbf2171b43e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 25 Oct 2021 13:16:39 +0100
+Subject: media: pvrusb2: fix control-message timeouts
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b82bf9b9dc305d7d3d93eab106d70dbf2171b43e upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18")
+Cc: stable@vger.kernel.org      # 2.6.18
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/pvrusb2/pvrusb2-hdw.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+@@ -1468,7 +1468,7 @@ static int pvr2_upload_firmware1(struct
+       for (address = 0; address < fwsize; address += 0x800) {
+               memcpy(fw_ptr, fw_entry->data + address, 0x800);
+               ret += usb_control_msg(hdw->usb_dev, pipe, 0xa0, 0x40, address,
+-                                     0, fw_ptr, 0x800, HZ);
++                                     0, fw_ptr, 0x800, 1000);
+       }
+       trace_firmware("Upload done, releasing device's CPU");
+@@ -1606,7 +1606,7 @@ int pvr2_upload_firmware2(struct pvr2_hd
+                       ((u32 *)fw_ptr)[icnt] = swab32(((u32 *)fw_ptr)[icnt]);
+               ret |= usb_bulk_msg(hdw->usb_dev, pipe, fw_ptr,bcnt,
+-                                  &actual_length, HZ);
++                                  &actual_length, 1000);
+               ret |= (actual_length != bcnt);
+               if (ret) break;
+               fw_done += bcnt;
+@@ -3439,7 +3439,7 @@ void pvr2_hdw_cpufw_set_enabled(struct p
+                                                     0xa0,0xc0,
+                                                     address,0,
+                                                     hdw->fw_buffer+address,
+-                                                    0x800,HZ);
++                                                    0x800,1000);
+                               if (ret < 0) break;
+                       }
+@@ -3978,7 +3978,7 @@ void pvr2_hdw_cpureset_assert(struct pvr
+       /* Write the CPUCS register on the 8051.  The lsb of the register
+          is the reset bit; a 1 asserts reset while a 0 clears it. */
+       pipe = usb_sndctrlpipe(hdw->usb_dev, 0);
+-      ret = usb_control_msg(hdw->usb_dev,pipe,0xa0,0x40,0xe600,0,da,1,HZ);
++      ret = usb_control_msg(hdw->usb_dev,pipe,0xa0,0x40,0xe600,0,da,1,1000);
+       if (ret < 0) {
+               pvr2_trace(PVR2_TRACE_ERROR_LEGS,
+                          "cpureset_assert(%d) error=%d",val,ret);
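Review bot: The upload loop in pvr2_upload_firmware1() accumulates with `ret += usb_control_msg(...)` and keeps sending the remaining 0x800-byte chunks after one has failed, so a device that stops answering costs up to one second per chunk and the errno is folded into a byte count. pvr2_hdw_cpufw_set_enabled() in the same file already stops with `if (ret < 0) break;`, and the same shape fits here: `n = usb_control_msg(...); if (n < 0) { ret = n; break; }` followed by `ret += n;`. In pvr2_upload_firmware2(), `ret |= (actual_length != bcnt);` ORs 1 into a possibly negative errno, which leaves an unrelated error value if it is ever returned. The checks after both loops are outside the hunks, so how `ret` is finally interpreted should be confirmed before changing it.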
diff --git a/queue-5.4/media-redrat3-fix-control-message-timeouts.patch b/queue-5.4/media-redrat3-fix-control-message-timeouts.patch
new file mode 100644 (file)
index 0000000..5e5d942
--- /dev/null
@@ -0,0 +1,115 @@
+From 2adc965c8bfa224e11ecccf9c92fd458c4236428 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 25 Oct 2021 13:16:35 +0100
+Subject: media: redrat3: fix control-message timeouts
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 2adc965c8bfa224e11ecccf9c92fd458c4236428 upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Fixes: 2154be651b90 ("[media] redrat3: new rc-core IR transceiver device driver")
+Cc: stable@vger.kernel.org      # 3.0
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/redrat3.c |   22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/drivers/media/rc/redrat3.c
++++ b/drivers/media/rc/redrat3.c
+@@ -405,7 +405,7 @@ static int redrat3_send_cmd(int cmd, str
+       udev = rr3->udev;
+       res = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), cmd,
+                             USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
+-                            0x0000, 0x0000, data, sizeof(u8), HZ * 10);
++                            0x0000, 0x0000, data, sizeof(u8), 10000);
+       if (res < 0) {
+               dev_err(rr3->dev, "%s: Error sending rr3 cmd res %d, data %d",
+@@ -481,7 +481,7 @@ static u32 redrat3_get_timeout(struct re
+       pipe = usb_rcvctrlpipe(rr3->udev, 0);
+       ret = usb_control_msg(rr3->udev, pipe, RR3_GET_IR_PARAM,
+                             USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
+-                            RR3_IR_IO_SIG_TIMEOUT, 0, tmp, len, HZ * 5);
++                            RR3_IR_IO_SIG_TIMEOUT, 0, tmp, len, 5000);
+       if (ret != len)
+               dev_warn(rr3->dev, "Failed to read timeout from hardware\n");
+       else {
+@@ -511,7 +511,7 @@ static int redrat3_set_timeout(struct rc
+       ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0), RR3_SET_IR_PARAM,
+                    USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
+                    RR3_IR_IO_SIG_TIMEOUT, 0, timeout, sizeof(*timeout),
+-                   HZ * 25);
++                   25000);
+       dev_dbg(dev, "set ir parm timeout %d ret 0x%02x\n",
+                                               be32_to_cpu(*timeout), ret);
+@@ -543,32 +543,32 @@ static void redrat3_reset(struct redrat3
+       *val = 0x01;
+       rc = usb_control_msg(udev, rxpipe, RR3_RESET,
+                            USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
+-                           RR3_CPUCS_REG_ADDR, 0, val, len, HZ * 25);
++                           RR3_CPUCS_REG_ADDR, 0, val, len, 25000);
+       dev_dbg(dev, "reset returned 0x%02x\n", rc);
+       *val = length_fuzz;
+       rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM,
+                            USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
+-                           RR3_IR_IO_LENGTH_FUZZ, 0, val, len, HZ * 25);
++                           RR3_IR_IO_LENGTH_FUZZ, 0, val, len, 25000);
+       dev_dbg(dev, "set ir parm len fuzz %d rc 0x%02x\n", *val, rc);
+       *val = (65536 - (minimum_pause * 2000)) / 256;
+       rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM,
+                            USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
+-                           RR3_IR_IO_MIN_PAUSE, 0, val, len, HZ * 25);
++                           RR3_IR_IO_MIN_PAUSE, 0, val, len, 25000);
+       dev_dbg(dev, "set ir parm min pause %d rc 0x%02x\n", *val, rc);
+       *val = periods_measure_carrier;
+       rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM,
+                            USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
+-                           RR3_IR_IO_PERIODS_MF, 0, val, len, HZ * 25);
++                           RR3_IR_IO_PERIODS_MF, 0, val, len, 25000);
+       dev_dbg(dev, "set ir parm periods measure carrier %d rc 0x%02x", *val,
+                                                                       rc);
+       *val = RR3_DRIVER_MAXLENS;
+       rc = usb_control_msg(udev, txpipe, RR3_SET_IR_PARAM,
+                            USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
+-                           RR3_IR_IO_MAX_LENGTHS, 0, val, len, HZ * 25);
++                           RR3_IR_IO_MAX_LENGTHS, 0, val, len, 25000);
+       dev_dbg(dev, "set ir parm max lens %d rc 0x%02x\n", *val, rc);
+       kfree(val);
+@@ -586,7 +586,7 @@ static void redrat3_get_firmware_rev(str
+       rc = usb_control_msg(rr3->udev, usb_rcvctrlpipe(rr3->udev, 0),
+                            RR3_FW_VERSION,
+                            USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
+-                           0, 0, buffer, RR3_FW_VERSION_LEN, HZ * 5);
++                           0, 0, buffer, RR3_FW_VERSION_LEN, 5000);
+       if (rc >= 0)
+               dev_info(rr3->dev, "Firmware rev: %s", buffer);
+@@ -826,14 +826,14 @@ static int redrat3_transmit_ir(struct rc
+       pipe = usb_sndbulkpipe(rr3->udev, rr3->ep_out->bEndpointAddress);
+       ret = usb_bulk_msg(rr3->udev, pipe, irdata,
+-                          sendbuf_len, &ret_len, 10 * HZ);
++                          sendbuf_len, &ret_len, 10000);
+       dev_dbg(dev, "sent %d bytes, (ret %d)\n", ret_len, ret);
+       /* now tell the hardware to transmit what we sent it */
+       pipe = usb_rcvctrlpipe(rr3->udev, 0);
+       ret = usb_control_msg(rr3->udev, pipe, RR3_TX_SEND_SIGNAL,
+                             USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
+-                            0, 0, irdata, 2, HZ * 10);
++                            0, 0, irdata, 2, 10000);
+       if (ret < 0)
+               dev_err(dev, "Error: control msg send failed, rc %d\n", ret);
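Review bot: redrat3_reset() issues five back-to-back control transfers with a 25000 ms timeout each and only logs `rc` at debug level, so a device that never answers can hold the caller for roughly two minutes while every step after the first failure is still attempted. Bailing out on the first error, `if (rc < 0) goto out;` with the label placed just before `kfree(val);`, bounds the stall to one timeout and keeps the buffer freed. In redrat3_get_firmware_rev() the device-supplied `buffer` is printed with `%s` whenever `rc >= 0`; whether it is NUL-terminated depends on the allocation outside the hunk, and `dev_info(rr3->dev, "Firmware rev: %.*s", rc, buffer);` would not rely on it. The bodies of these functions extend outside the hunks.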
diff --git a/queue-5.4/media-s2255-fix-control-message-timeouts.patch b/queue-5.4/media-s2255-fix-control-message-timeouts.patch
new file mode 100644 (file)
index 0000000..66921e0
--- /dev/null
@@ -0,0 +1,45 @@
+From f71d272ad4e354097020a4e6b1dc6e4b59feb50f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 25 Oct 2021 13:16:40 +0100
+Subject: media: s2255: fix control-message timeouts
+
+From: Johan Hovold <johan@kernel.org>
+
+commit f71d272ad4e354097020a4e6b1dc6e4b59feb50f upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Use the common control-message timeout define for the five-second
+timeouts.
+
+Fixes: 38f993ad8b1f ("V4L/DVB (8125): This driver adds support for the Sensoray 2255 devices.")
+Cc: stable@vger.kernel.org      # 2.6.27
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/s2255/s2255drv.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/s2255/s2255drv.c
++++ b/drivers/media/usb/s2255/s2255drv.c
+@@ -1884,7 +1884,7 @@ static long s2255_vendor_req(struct s225
+                                   USB_TYPE_VENDOR | USB_RECIP_DEVICE |
+                                   USB_DIR_IN,
+                                   Value, Index, buf,
+-                                  TransferBufferLength, HZ * 5);
++                                  TransferBufferLength, USB_CTRL_SET_TIMEOUT);
+               if (r >= 0)
+                       memcpy(TransferBuffer, buf, TransferBufferLength);
+@@ -1893,7 +1893,7 @@ static long s2255_vendor_req(struct s225
+               r = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
+                                   Request, USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+                                   Value, Index, buf,
+-                                  TransferBufferLength, HZ * 5);
++                                  TransferBufferLength, USB_CTRL_SET_TIMEOUT);
+       }
+       kfree(buf);
+       return r;
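Review bot: In the IN branch of s2255_vendor_req(), `if (r >= 0) memcpy(TransferBuffer, buf, TransferBufferLength);` copies the full requested length even when the device returned fewer bytes, so on a short read the tail handed to the caller is whatever `buf` held before the transfer. Copying only what arrived, `memcpy(TransferBuffer, buf, r);`, or treating `r != TransferBufferLength` as an error, closes that gap. The allocation of `buf` is outside the hunk, so whether it is zeroed is not visible here. As a style point, the first call is an IN request and `USB_CTRL_GET_TIMEOUT` would read more naturally there than `USB_CTRL_SET_TIMEOUT`.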
diff --git a/queue-5.4/media-stk1160-fix-control-message-timeouts.patch b/queue-5.4/media-stk1160-fix-control-message-timeouts.patch
new file mode 100644 (file)
index 0000000..18eeb6f
--- /dev/null
@@ -0,0 +1,42 @@
+From 6aa6e70cdb5b863a57bad61310bf89b6617a5d2d Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 25 Oct 2021 13:16:41 +0100
+Subject: media: stk1160: fix control-message timeouts
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 6aa6e70cdb5b863a57bad61310bf89b6617a5d2d upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Fixes: 9cb2173e6ea8 ("[media] media: Add stk1160 new driver (easycap replacement)")
+Cc: stable@vger.kernel.org      # 3.7
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/stk1160/stk1160-core.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/stk1160/stk1160-core.c
++++ b/drivers/media/usb/stk1160/stk1160-core.c
+@@ -65,7 +65,7 @@ int stk1160_read_reg(struct stk1160 *dev
+               return -ENOMEM;
+       ret = usb_control_msg(dev->udev, pipe, 0x00,
+                       USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+-                      0x00, reg, buf, sizeof(u8), HZ);
++                      0x00, reg, buf, sizeof(u8), 1000);
+       if (ret < 0) {
+               stk1160_err("read failed on reg 0x%x (%d)\n",
+                       reg, ret);
+@@ -85,7 +85,7 @@ int stk1160_write_reg(struct stk1160 *de
+       ret =  usb_control_msg(dev->udev, pipe, 0x01,
+                       USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+-                      value, reg, NULL, 0, HZ);
++                      value, reg, NULL, 0, 1000);
+       if (ret < 0) {
+               stk1160_err("write failed on reg 0x%x (%d)\n",
+                       reg, ret);
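Review bot: stk1160_read_reg() rejects only `ret < 0`, so a zero-length reply to the one-byte read passes the check and whatever follows the hunk would consume `buf` without the device having written it. Comparing against the expected size covers both cases: `if (ret != sizeof(u8)) {` with the error path returning `ret < 0 ? ret : -EIO`. The code that reads `buf` and frees it is outside the hunk, so the exact effect of a short read should be confirmed there.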
diff --git a/queue-5.4/media-v4l2-ioctl.c-readbuffers-depends-on-v4l2_cap_readwrite.patch b/queue-5.4/media-v4l2-ioctl.c-readbuffers-depends-on-v4l2_cap_readwrite.patch
new file mode 100644 (file)
index 0000000..95a78ee
--- /dev/null
@@ -0,0 +1,46 @@
+From cd9d9377ed235b294a492a094e1666178a5e78fd Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Wed, 3 Nov 2021 12:28:31 +0000
+Subject: media: v4l2-ioctl.c: readbuffers depends on V4L2_CAP_READWRITE
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit cd9d9377ed235b294a492a094e1666178a5e78fd upstream.
+
+If V4L2_CAP_READWRITE is not set, then readbuffers must be set to 0,
+otherwise v4l2-compliance will complain.
+
+A note on the Fixes tag below: this patch does not really fix that commit,
+but it can be applied from that commit onwards. For older code there is no
+guarantee that device_caps is set, so even though this patch would apply,
+it will not work reliably.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Fixes: 049e684f2de9 (media: v4l2-dev: fix WARN_ON(!vdev->device_caps))
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-ioctl.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/v4l2-ioctl.c
++++ b/drivers/media/v4l2-core/v4l2-ioctl.c
+@@ -2046,6 +2046,7 @@ static int v4l_prepare_buf(const struct
+ static int v4l_g_parm(const struct v4l2_ioctl_ops *ops,
+                               struct file *file, void *fh, void *arg)
+ {
++      struct video_device *vfd = video_devdata(file);
+       struct v4l2_streamparm *p = arg;
+       v4l2_std_id std;
+       int ret = check_fmt(file, p->type);
+@@ -2057,7 +2058,8 @@ static int v4l_g_parm(const struct v4l2_
+       if (p->type != V4L2_BUF_TYPE_VIDEO_CAPTURE &&
+           p->type != V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
+               return -EINVAL;
+-      p->parm.capture.readbuffers = 2;
++      if (vfd->device_caps & V4L2_CAP_READWRITE)
++              p->parm.capture.readbuffers = 2;
+       ret = ops->vidioc_g_std(file, fh, &std);
+       if (ret == 0)
+               v4l2_video_std_frame_period(std, &p->parm.capture.timeperframe);
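Review bot: The new `if (vfd->device_caps & V4L2_CAP_READWRITE)` in v4l_g_parm() has no else branch, so the value 0 that the commit message requires for `readbuffers` depends on `arg` having been cleared before this handler runs, which the hunk does not show. Either make it explicit with `else p->parm.capture.readbuffers = 0;` or record the assumption in a comment such as `/* readbuffers stays 0 without V4L2_CAP_READWRITE; relies on the ioctl core clearing the struct */`. The part of the function between the two inner hunks and after the second one is not visible, so any earlier return path that delegates to the driver is not covered by this check.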
diff --git a/queue-5.4/mm-page_alloc.c-do-not-warn-allocation-failure-on-zone-dma-if-no-managed-pages.patch b/queue-5.4/mm-page_alloc.c-do-not-warn-allocation-failure-on-zone-dma-if-no-managed-pages.patch
new file mode 100644 (file)
index 0000000..6485bc6
--- /dev/null
@@ -0,0 +1,98 @@
+From c4dc63f0032c77464fbd4e7a6afc22fa6913c4a7 Mon Sep 17 00:00:00 2001
+From: Baoquan He <bhe@redhat.com>
+Date: Fri, 14 Jan 2022 14:07:44 -0800
+Subject: mm/page_alloc.c: do not warn allocation failure on zone DMA if no managed pages
+
+From: Baoquan He <bhe@redhat.com>
+
+commit c4dc63f0032c77464fbd4e7a6afc22fa6913c4a7 upstream.
+
+In kdump kernel of x86_64, page allocation failure is observed:
+
+ kworker/u2:2: page allocation failure: order:0, mode:0xcc1(GFP_KERNEL|GFP_DMA), nodemask=(null),cpuset=/,mems_allowed=0
+ CPU: 0 PID: 55 Comm: kworker/u2:2 Not tainted 5.16.0-rc4+ #5
+ Hardware name: AMD Dinar/Dinar, BIOS RDN1505B 06/05/2013
+ Workqueue: events_unbound async_run_entry_fn
+ Call Trace:
+  <TASK>
+  dump_stack_lvl+0x48/0x5e
+  warn_alloc.cold+0x72/0xd6
+  __alloc_pages_slowpath.constprop.0+0xc69/0xcd0
+  __alloc_pages+0x1df/0x210
+  new_slab+0x389/0x4d0
+  ___slab_alloc+0x58f/0x770
+  __slab_alloc.constprop.0+0x4a/0x80
+  kmem_cache_alloc_trace+0x24b/0x2c0
+  sr_probe+0x1db/0x620
+  ......
+  device_add+0x405/0x920
+  ......
+  __scsi_add_device+0xe5/0x100
+  ata_scsi_scan_host+0x97/0x1d0
+  async_run_entry_fn+0x30/0x130
+  process_one_work+0x1e8/0x3c0
+  worker_thread+0x50/0x3b0
+  ? rescuer_thread+0x350/0x350
+  kthread+0x16b/0x190
+  ? set_kthread_struct+0x40/0x40
+  ret_from_fork+0x22/0x30
+  </TASK>
+ Mem-Info:
+ ......
+
+The above failure happened when calling kmalloc() to allocate buffer with
+GFP_DMA.  It requests to allocate slab page from DMA zone while no managed
+pages at all in there.
+
+ sr_probe()
+ --> get_capabilities()
+     --> buffer = kmalloc(512, GFP_KERNEL | GFP_DMA);
+
+Because in the current kernel, dma-kmalloc will be created as long as
+CONFIG_ZONE_DMA is enabled.  However, kdump kernel of x86_64 doesn't have
+managed pages on DMA zone since commit 6f599d84231f ("x86/kdump: Always
+reserve the low 1M when the crashkernel option is specified").  The
+failure can be always reproduced.
+
+For now, let's mute the warning of allocation failure if requesting pages
+from DMA zone while no managed pages.
+
+[akpm@linux-foundation.org: fix warning]
+
+Link: https://lkml.kernel.org/r/20211223094435.248523-4-bhe@redhat.com
+Fixes: 6f599d84231f ("x86/kdump: Always reserve the low 1M when the crashkernel option is specified")
+Signed-off-by: Baoquan He <bhe@redhat.com>
+Acked-by: John Donnelly  <john.p.donnelly@oracle.com>
+Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: David Laight <David.Laight@ACULAB.COM>
+Cc: Marek Szyprowski <m.szyprowski@samsung.com>
+Cc: Robin Murphy <robin.murphy@arm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/page_alloc.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -3767,7 +3767,9 @@ void warn_alloc(gfp_t gfp_mask, nodemask
+       va_list args;
+       static DEFINE_RATELIMIT_STATE(nopage_rs, 10*HZ, 1);
+-      if ((gfp_mask & __GFP_NOWARN) || !__ratelimit(&nopage_rs))
++      if ((gfp_mask & __GFP_NOWARN) ||
++           !__ratelimit(&nopage_rs) ||
++           ((gfp_mask & __GFP_DMA) && !has_managed_dma()))
+               return;
+       va_start(args, fmt);
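Review bot: In warn_alloc() the new DMA test sits after `!__ratelimit(&nopage_rs)`, so a muted GFP_DMA failure still uses up the single slot of the `10*HZ` window and can hide an unrelated allocation-failure warning that arrives within the next ten seconds. Testing it first avoids touching the ratelimit state for warnings that are never printed: `if ((gfp_mask & __GFP_NOWARN) || ((gfp_mask & __GFP_DMA) && !has_managed_dma()) || !__ratelimit(&nopage_rs))`. This patch also depends on has_managed_dma() from the mm_zone patch in the same commit, so the two must be applied in that order. The rest of warn_alloc() is outside the hunk.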
diff --git a/queue-5.4/mm_zone-add-function-to-check-if-managed-dma-zone-exists.patch b/queue-5.4/mm_zone-add-function-to-check-if-managed-dma-zone-exists.patch
new file mode 100644 (file)
index 0000000..08ccc77
--- /dev/null
@@ -0,0 +1,169 @@
+From 62b3107073646e0946bd97ff926832bafb846d17 Mon Sep 17 00:00:00 2001
+From: Baoquan He <bhe@redhat.com>
+Date: Fri, 14 Jan 2022 14:07:37 -0800
+Subject: mm_zone: add function to check if managed dma zone exists
+
+From: Baoquan He <bhe@redhat.com>
+
+commit 62b3107073646e0946bd97ff926832bafb846d17 upstream.
+
+Patch series "Handle warning of allocation failure on DMA zone w/o
+managed pages", v4.
+
+**Problem observed:
+On x86_64, when crash is triggered and entering into kdump kernel, page
+allocation failure can always be seen.
+
+ ---------------------------------
+ DMA: preallocated 128 KiB GFP_KERNEL pool for atomic allocations
+ swapper/0: page allocation failure: order:5, mode:0xcc1(GFP_KERNEL|GFP_DMA), nodemask=(null),cpuset=/,mems_allowed=0
+ CPU: 0 PID: 1 Comm: swapper/0
+ Call Trace:
+  dump_stack+0x7f/0xa1
+  warn_alloc.cold+0x72/0xd6
+  ......
+  __alloc_pages+0x24d/0x2c0
+  ......
+  dma_atomic_pool_init+0xdb/0x176
+  do_one_initcall+0x67/0x320
+  ? rcu_read_lock_sched_held+0x3f/0x80
+  kernel_init_freeable+0x290/0x2dc
+  ? rest_init+0x24f/0x24f
+  kernel_init+0xa/0x111
+  ret_from_fork+0x22/0x30
+ Mem-Info:
+ ------------------------------------
+
+***Root cause:
+In the current kernel, it assumes that DMA zone must have managed pages
+and try to request pages if CONFIG_ZONE_DMA is enabled. While this is not
+always true. E.g in kdump kernel of x86_64, only low 1M is presented and
+locked down at very early stage of boot, so that this low 1M won't be
+added into buddy allocator to become managed pages of DMA zone. This
+exception will always cause page allocation failure if page is requested
+from DMA zone.
+
+***Investigation:
+This failure happens since below commit merged into linus's tree.
+  1a6a9044b967 x86/setup: Remove CONFIG_X86_RESERVE_LOW and reservelow= options
+  23721c8e92f7 x86/crash: Remove crash_reserve_low_1M()
+  f1d4d47c5851 x86/setup: Always reserve the first 1M of RAM
+  7c321eb2b843 x86/kdump: Remove the backup region handling
+  6f599d84231f x86/kdump: Always reserve the low 1M when the crashkernel option is specified
+
+Before them, on x86_64, the low 640K area will be reused by kdump kernel.
+So in kdump kernel, the content of low 640K area is copied into a backup
+region for dumping before jumping into kdump. Then except of those firmware
+reserved region in [0, 640K], the left area will be added into buddy
+allocator to become available managed pages of DMA zone.
+
+However, after above commits applied, in kdump kernel of x86_64, the low
+1M is reserved by memblock, but not released to buddy allocator. So any
+later page allocation requested from DMA zone will fail.
+
+At the beginning, if crashkernel is reserved, the low 1M need be locked
+down because AMD SME encrypts memory making the old backup region
+mechanims impossible when switching into kdump kernel.
+
+Later, it was also observed that there are BIOSes corrupting memory
+under 1M. To solve this, in commit f1d4d47c5851, the entire region of
+low 1M is always reserved after the real mode trampoline is allocated.
+
+Besides, recently, Intel engineer mentioned their TDX (Trusted domain
+extensions) which is under development in kernel also needs to lock down
+the low 1M. So we can't simply revert above commits to fix the page allocation
+failure from DMA zone as someone suggested.
+
+***Solution:
+Currently, only DMA atomic pool and dma-kmalloc will initialize and
+request page allocation with GFP_DMA during bootup.
+
+So only initializ DMA atomic pool when DMA zone has available managed
+pages, otherwise just skip the initialization.
+
+For dma-kmalloc(), for the time being, let's mute the warning of
+allocation failure if requesting pages from DMA zone while no manged
+pages.  Meanwhile, change code to use dma_alloc_xx/dma_map_xx API to
+replace kmalloc(GFP_DMA), or do not use GFP_DMA when calling kmalloc() if
+not necessary.  Christoph is posting patches to fix those under
+drivers/scsi/.  Finally, we can remove the need of dma-kmalloc() as people
+suggested.
+
+This patch (of 3):
+
+In some places of the current kernel, it assumes that dma zone must have
+managed pages if CONFIG_ZONE_DMA is enabled.  While this is not always
+true.  E.g in kdump kernel of x86_64, only low 1M is presented and locked
+down at very early stage of boot, so that there's no managed pages at all
+in DMA zone.  This exception will always cause page allocation failure if
+page is requested from DMA zone.
+
+Here add function has_managed_dma() and the relevant helper functions to
+check if there's DMA zone with managed pages.  It will be used in later
+patches.
+
+Link: https://lkml.kernel.org/r/20211223094435.248523-1-bhe@redhat.com
+Link: https://lkml.kernel.org/r/20211223094435.248523-2-bhe@redhat.com
+Fixes: 6f599d84231f ("x86/kdump: Always reserve the low 1M when the crashkernel option is specified")
+Signed-off-by: Baoquan He <bhe@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Acked-by: John Donnelly  <john.p.donnelly@oracle.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: David Laight <David.Laight@ACULAB.COM>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Marek Szyprowski <m.szyprowski@samsung.com>
+Cc: Robin Murphy <robin.murphy@arm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/mmzone.h |    9 +++++++++
+ mm/page_alloc.c        |   15 +++++++++++++++
+ 2 files changed, 24 insertions(+)
+
+--- a/include/linux/mmzone.h
++++ b/include/linux/mmzone.h
+@@ -929,6 +929,15 @@ static inline int is_highmem_idx(enum zo
+ #endif
+ }
++#ifdef CONFIG_ZONE_DMA
++bool has_managed_dma(void);
++#else
++static inline bool has_managed_dma(void)
++{
++      return false;
++}
++#endif
++
+ /**
+  * is_highmem - helper function to quickly check if a struct zone is a
+  *              highmem zone or not.  This is an attempt to keep references
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -8694,3 +8694,18 @@ bool set_hwpoison_free_buddy_page(struct
+       return hwpoisoned;
+ }
+ #endif
++
++#ifdef CONFIG_ZONE_DMA
++bool has_managed_dma(void)
++{
++      struct pglist_data *pgdat;
++
++      for_each_online_pgdat(pgdat) {
++              struct zone *zone = &pgdat->node_zones[ZONE_DMA];
++
++              if (managed_zone(zone))
++                      return true;
++      }
++      return false;
++}
++#endif /* CONFIG_ZONE_DMA */
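Review bot: has_managed_dma() is added to mmzone.h and page_alloc.c without any comment, and its `!CONFIG_ZONE_DMA` stub returning false has a consequence that is easy to miss: the caller added in the page_alloc patch tests `(gfp_mask & __GFP_DMA) && !has_managed_dma()`, so on such builds every `__GFP_DMA` allocation-failure warning is muted. If those requests can still be served from another zone on these configurations, which is worth confirming, a genuine out-of-memory report would be lost. I would document the contract above the declaration, for example `/* true if any online node's ZONE_DMA has managed pages; always false without CONFIG_ZONE_DMA */`, and have the caller decide explicitly what the stub case should do.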
diff --git a/queue-5.4/mtd-rawnand-gpmi-add-err007117-protection-for-nfc_apply_timings.patch b/queue-5.4/mtd-rawnand-gpmi-add-err007117-protection-for-nfc_apply_timings.patch
new file mode 100644 (file)
index 0000000..d216b45
--- /dev/null
@@ -0,0 +1,103 @@
+From f53d4c109a666bf1a4883b45d546fba079258717 Mon Sep 17 00:00:00 2001
+From: Christian Eggers <ceggers@arri.de>
+Date: Tue, 2 Nov 2021 21:20:22 +0100
+Subject: mtd: rawnand: gpmi: Add ERR007117 protection for nfc_apply_timings
+
+From: Christian Eggers <ceggers@arri.de>
+
+commit f53d4c109a666bf1a4883b45d546fba079258717 upstream.
+
+gpmi_io clock needs to be gated off when changing the parent/dividers of
+enfc_clk_root (i.MX6Q/i.MX6UL) respectively qspi2_clk_root (i.MX6SX).
+Otherwise this rate change can lead to an unresponsive GPMI core which
+results in DMA timeouts and failed driver probe:
+
+[    4.072318] gpmi-nand 112000.gpmi-nand: DMA timeout, last DMA
+...
+[    4.370355] gpmi-nand 112000.gpmi-nand: Chip: 0, Error -110
+...
+[    4.375988] gpmi-nand 112000.gpmi-nand: Chip: 0, Error -22
+[    4.381524] gpmi-nand 112000.gpmi-nand: Error in ECC-based read: -22
+[    4.387988] gpmi-nand 112000.gpmi-nand: Chip: 0, Error -22
+[    4.393535] gpmi-nand 112000.gpmi-nand: Chip: 0, Error -22
+...
+
+Other than stated in i.MX 6 erratum ERR007117, it should be sufficient
+to gate only gpmi_io because all other bch/nand clocks are derived from
+different clock roots.
+
+The i.MX6 reference manuals state that changing clock muxers can cause
+glitches but are silent about changing dividers. But tests showed that
+these glitches can definitely happen on i.MX6ULL. For i.MX7D/8MM in turn,
+the manual guarantees that no glitches can happen when changing
+dividers.
+
+Co-developed-by: Stefan Riedmueller <s.riedmueller@phytec.de>
+Signed-off-by: Stefan Riedmueller <s.riedmueller@phytec.de>
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Cc: stable@vger.kernel.org
+Acked-by: Han Xu <han.xu@nxp.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20211102202022.15551-2-ceggers@arri.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c |   28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
++++ b/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
+@@ -710,14 +710,32 @@ static void gpmi_nfc_compute_timings(str
+                             (use_half_period ? BM_GPMI_CTRL1_HALF_PERIOD : 0);
+ }
+-static void gpmi_nfc_apply_timings(struct gpmi_nand_data *this)
++static int gpmi_nfc_apply_timings(struct gpmi_nand_data *this)
+ {
+       struct gpmi_nfc_hardware_timing *hw = &this->hw;
+       struct resources *r = &this->resources;
+       void __iomem *gpmi_regs = r->gpmi_regs;
+       unsigned int dll_wait_time_us;
++      int ret;
++
++      /* Clock dividers do NOT guarantee a clean clock signal on its output
++       * during the change of the divide factor on i.MX6Q/UL/SX. On i.MX7/8,
++       * all clock dividers provide these guarantee.
++       */
++      if (GPMI_IS_MX6Q(this) || GPMI_IS_MX6SX(this))
++              clk_disable_unprepare(r->clock[0]);
++
++      ret = clk_set_rate(r->clock[0], hw->clk_rate);
++      if (ret) {
++              dev_err(this->dev, "cannot set clock rate to %lu Hz: %d\n", hw->clk_rate, ret);
++              return ret;
++      }
+-      clk_set_rate(r->clock[0], hw->clk_rate);
++      if (GPMI_IS_MX6Q(this) || GPMI_IS_MX6SX(this)) {
++              ret = clk_prepare_enable(r->clock[0]);
++              if (ret)
++                      return ret;
++      }
+       writel(hw->timing0, gpmi_regs + HW_GPMI_TIMING0);
+       writel(hw->timing1, gpmi_regs + HW_GPMI_TIMING1);
+@@ -736,6 +754,8 @@ static void gpmi_nfc_apply_timings(struc
+       /* Wait for the DLL to settle. */
+       udelay(dll_wait_time_us);
++
++      return 0;
+ }
+ static int gpmi_setup_data_interface(struct nand_chip *chip, int chipnr,
+@@ -2429,7 +2449,9 @@ static int gpmi_nfc_exec_op(struct nand_
+        */
+       if (this->hw.must_apply_timings) {
+               this->hw.must_apply_timings = false;
+-              gpmi_nfc_apply_timings(this);
++              ret = gpmi_nfc_apply_timings(this);
++              if (ret)
++                      return ret;
+       }
+       dev_dbg(this->dev, "%s: %d instructions\n", __func__, op->ninstrs);
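Review bot: In `gpmi_nfc_apply_timings()` the new `clk_set_rate()` error path returns while `r->clock[0]` is still gated on i.MX6Q/SX, because `clk_disable_unprepare()` has already run and the matching `clk_prepare_enable()` is only reached on success. That leaves the GPMI clock off and its prepare/enable count unbalanced for whatever disables it later. Re-enabling before the return keeps the state consistent: `if (GPMI_IS_MX6Q(this) || GPMI_IS_MX6SX(this)) clk_prepare_enable(r->clock[0]);` placed ahead of `return ret;`. In `gpmi_nfc_exec_op()` `must_apply_timings` is cleared before the call, so a failed attempt is not retried on the next operation. The new early `return ret` there should also be checked against any cleanup later in that function, which lies outside the hunk.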
diff --git a/queue-5.4/mtd-rawnand-gpmi-remove-explicit-default-gpmi-clock-setting-for-i.mx6.patch b/queue-5.4/mtd-rawnand-gpmi-remove-explicit-default-gpmi-clock-setting-for-i.mx6.patch
new file mode 100644 (file)
index 0000000..c231e8e
--- /dev/null
@@ -0,0 +1,40 @@
+From aa1baa0e6c1aa4872e481dce4fc7fd6f3dd8496b Mon Sep 17 00:00:00 2001
+From: Stefan Riedmueller <s.riedmueller@phytec.de>
+Date: Tue, 2 Nov 2021 21:20:21 +0100
+Subject: mtd: rawnand: gpmi: Remove explicit default gpmi clock setting for i.MX6
+
+From: Stefan Riedmueller <s.riedmueller@phytec.de>
+
+commit aa1baa0e6c1aa4872e481dce4fc7fd6f3dd8496b upstream.
+
+There is no need to explicitly set the default gpmi clock rate during
+boot for the i.MX 6 since this is done during nand_detect anyway.
+
+Signed-off-by: Stefan Riedmueller <s.riedmueller@phytec.de>
+Cc: stable@vger.kernel.org
+Acked-by: Han Xu <han.xu@nxp.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20211102202022.15551-1-ceggers@arri.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c |    9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
++++ b/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
+@@ -1204,15 +1204,6 @@ static int gpmi_get_clks(struct gpmi_nan
+               r->clock[i] = clk;
+       }
+-      if (GPMI_IS_MX6(this))
+-              /*
+-               * Set the default value for the gpmi clock.
+-               *
+-               * If you want to use the ONFI nand which is in the
+-               * Synchronous Mode, you should change the clock as you need.
+-               */
+-              clk_set_rate(r->clock[0], 22000000);
+-
+       return 0;
+ err_clock:
diff --git a/queue-5.4/nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch b/queue-5.4/nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch
new file mode 100644 (file)
index 0000000..c59f823
--- /dev/null
@@ -0,0 +1,102 @@
+From dded08927ca3c31a5c37f8e7f95fe98770475dd4 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Date: Wed, 19 Jan 2022 08:48:16 +0100
+Subject: nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind()
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+commit dded08927ca3c31a5c37f8e7f95fe98770475dd4 upstream.
+
+Syzbot detected a NULL pointer dereference of nfc_llcp_sock->dev pointer
+(which is a 'struct nfc_dev *') with calls to llcp_sock_sendmsg() after
+a failed llcp_sock_bind(). The message being sent is a SOCK_DGRAM.
+
+KASAN report:
+
+  BUG: KASAN: null-ptr-deref in nfc_alloc_send_skb+0x2d/0xc0
+  Read of size 4 at addr 00000000000005c8 by task llcp_sock_nfc_a/899
+
+  CPU: 5 PID: 899 Comm: llcp_sock_nfc_a Not tainted 5.16.0-rc6-next-20211224-00001-gc6437fbf18b0 #125
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
+  Call Trace:
+   <TASK>
+   dump_stack_lvl+0x45/0x59
+   ? nfc_alloc_send_skb+0x2d/0xc0
+   __kasan_report.cold+0x117/0x11c
+   ? mark_lock+0x480/0x4f0
+   ? nfc_alloc_send_skb+0x2d/0xc0
+   kasan_report+0x38/0x50
+   nfc_alloc_send_skb+0x2d/0xc0
+   nfc_llcp_send_ui_frame+0x18c/0x2a0
+   ? nfc_llcp_send_i_frame+0x230/0x230
+   ? __local_bh_enable_ip+0x86/0xe0
+   ? llcp_sock_connect+0x470/0x470
+   ? llcp_sock_connect+0x470/0x470
+   sock_sendmsg+0x8e/0xa0
+   ____sys_sendmsg+0x253/0x3f0
+   ...
+
+The issue was visible only with multiple simultaneous calls to bind() and
+sendmsg(), which resulted in most of the bind() calls to fail.  The
+bind() was failing on checking if there is available WKS/SDP/SAP
+(respective bit in 'struct nfc_llcp_local' fields).  When there was no
+available WKS/SDP/SAP, the bind returned error but the sendmsg() to such
+socket was able to trigger mentioned NULL pointer dereference of
+nfc_llcp_sock->dev.
+
+The code looks simply racy and currently it protects several paths
+against race with checks for (!nfc_llcp_sock->local) which is NULL-ified
+in error paths of bind().  The llcp_sock_sendmsg() did not have such
+check but called function nfc_llcp_send_ui_frame() had, although not
+protected with lock_sock().
+
+Therefore the race could look like (same socket is used all the time):
+  CPU0                                     CPU1
+  ====                                     ====
+  llcp_sock_bind()
+  - lock_sock()
+    - success
+  - release_sock()
+  - return 0
+                                           llcp_sock_sendmsg()
+                                           - lock_sock()
+                                           - release_sock()
+  llcp_sock_bind(), same socket
+  - lock_sock()
+    - error
+                                           - nfc_llcp_send_ui_frame()
+                                             - if (!llcp_sock->local)
+    - llcp_sock->local = NULL
+    - nfc_put_device(dev)
+                                             - dereference llcp_sock->dev
+  - release_sock()
+  - return -ERRNO
+
+The nfc_llcp_send_ui_frame() checked llcp_sock->local outside of the
+lock, which is racy and ineffective check.  Instead, its caller
+llcp_sock_sendmsg(), should perform the check inside lock_sock().
+
+Reported-and-tested-by: syzbot+7f23bcddf626e0593a39@syzkaller.appspotmail.com
+Fixes: b874dec21d1c ("NFC: Implement LLCP connection less Tx path")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/llcp_sock.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -789,6 +789,11 @@ static int llcp_sock_sendmsg(struct sock
+       lock_sock(sk);
++      if (!llcp_sock->local) {
++              release_sock(sk);
++              return -ENODEV;
++      }
++
+       if (sk->sk_type == SOCK_DGRAM) {
+               DECLARE_SOCKADDR(struct sockaddr_nfc_llcp *, addr,
+                                msg->msg_name);
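Review bot: The new `!llcp_sock->local` test in `llcp_sock_sendmsg()` only holds while the socket lock is held, yet the commit message's own sequence shows `nfc_llcp_send_ui_frame()` running after `release_sock()`. Whether `local` and `dev` can still be cleared in that window depends on code outside this hunk, so it is worth confirming that no bind() error path can run between the release and the frame send. A comment above the check would record the invariant it relies on, e.g. `/* bind() error paths clear ->local under lock_sock(); no local means no device to send on */`. The function body starts and ends outside the hunk.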
diff --git a/queue-5.4/pci-add-function-1-dma-alias-quirk-for-marvell-88se9125-sata-controller.patch b/queue-5.4/pci-add-function-1-dma-alias-quirk-for-marvell-88se9125-sata-controller.patch
new file mode 100644 (file)
index 0000000..9c24419
--- /dev/null
@@ -0,0 +1,57 @@
+From e445375882883f69018aa669b67cbb37ec873406 Mon Sep 17 00:00:00 2001
+From: Yifeng Li <tomli@tomli.me>
+Date: Thu, 2 Dec 2021 06:35:21 +0000
+Subject: PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yifeng Li <tomli@tomli.me>
+
+commit e445375882883f69018aa669b67cbb37ec873406 upstream.
+
+Like other SATA controller chips in the Marvell 88SE91xx series, the
+Marvell 88SE9125 has the same DMA requester ID hardware bug that prevents
+it from working under IOMMU.  Add it to the list of devices that need the
+quirk.
+
+Without this patch, device initialization fails with DMA errors:
+
+  ata8: softreset failed (1st FIS failed)
+  DMAR: DRHD: handling fault status reg 2
+  DMAR: [DMA Write NO_PASID] Request device [03:00.1] fault addr 0xfffc0000 [fault reason 0x02] Present bit in context entry is clear
+  DMAR: DRHD: handling fault status reg 2
+  DMAR: [DMA Read NO_PASID] Request device [03:00.1] fault addr 0xfffc0000 [fault reason 0x02] Present bit in context entry is clear
+
+After applying the patch, the controller can be successfully initialized:
+
+  ata8: SATA link up 1.5 Gbps (SStatus 113 SControl 330)
+  ata8.00: ATAPI: PIONEER BD-RW   BDR-207M, 1.21, max UDMA/100
+  ata8.00: configured for UDMA/100
+  scsi 7:0:0:0: CD-ROM            PIONEER  BD-RW   BDR-207M 1.21 PQ: 0 ANSI: 5
+
+Link: https://lore.kernel.org/r/YahpKVR+McJVDdkD@work
+Reported-by: Sam Bingner <sam@bingner.com>
+Tested-by: Sam Bingner <sam@bingner.com>
+Tested-by: Yifeng Li <tomli@tomli.me>
+Signed-off-by: Yifeng Li <tomli@tomli.me>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Krzysztof Wilczyński <kw@linux.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/quirks.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4134,6 +4134,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M
+                        quirk_dma_func1_alias);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9123,
+                        quirk_dma_func1_alias);
++/* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c136 */
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9125,
++                       quirk_dma_func1_alias);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9128,
+                        quirk_dma_func1_alias);
+ /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */
diff --git a/queue-5.4/rtc-cmos-take-rtc_lock-while-reading-from-cmos.patch b/queue-5.4/rtc-cmos-take-rtc_lock-while-reading-from-cmos.patch
new file mode 100644 (file)
index 0000000..805222c
--- /dev/null
@@ -0,0 +1,49 @@
+From 454f47ff464325223129b9b5b8d0b61946ec704d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mateusz=20Jo=C5=84czyk?= <mat.jonczyk@o2.pl>
+Date: Fri, 10 Dec 2021 21:01:23 +0100
+Subject: rtc: cmos: take rtc_lock while reading from CMOS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mateusz Jończyk <mat.jonczyk@o2.pl>
+
+commit 454f47ff464325223129b9b5b8d0b61946ec704d upstream.
+
+Reading from the CMOS involves writing to the index register and then
+reading from the data register. Therefore access to the CMOS has to be
+serialized with rtc_lock. This invocation of CMOS_READ was not
+serialized, which could cause trouble when other code is accessing CMOS
+at the same time.
+
+Use spin_lock_irq() like the rest of the function.
+
+Nothing in kernel modifies the RTC_DM_BINARY bit, so there could be a
+separate pair of spin_lock_irq() / spin_unlock_irq() before doing the
+math.
+
+Signed-off-by: Mateusz Jończyk <mat.jonczyk@o2.pl>
+Reviewed-by: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
+Cc: Alessandro Zummo <a.zummo@towertech.it>
+Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20211210200131.153887-2-mat.jonczyk@o2.pl
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-cmos.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/rtc/rtc-cmos.c
++++ b/drivers/rtc/rtc-cmos.c
+@@ -463,7 +463,10 @@ static int cmos_set_alarm(struct device
+       min = t->time.tm_min;
+       sec = t->time.tm_sec;
++      spin_lock_irq(&rtc_lock);
+       rtc_control = CMOS_READ(RTC_CONTROL);
++      spin_unlock_irq(&rtc_lock);
++
+       if (!(rtc_control & RTC_DM_BINARY) || RTC_ALWAYS_BCD) {
+               /* Writing 0xff means "don't care" or "match all".  */
+               mon = (mon <= 12) ? bin2bcd(mon) : 0xff;
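Review bot: The lock is dropped right after `CMOS_READ(RTC_CONTROL)` in `cmos_set_alarm()` and `rtc_control` is then used unlocked, which is safe only for the reason given in the commit message. That reason belongs next to the code: `/* RTC_DM_BINARY is never changed by the kernel, so the value may be used after rtc_lock is released */`. The function continues outside the hunk, where the lock is presumably taken again for the alarm registers.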
index b51a63f8c4f58f8bcbb72442acbabd0a9d43ad27..f23fac9bc2b9f0fb8ede9b58d949f719358eb143 100644 (file)
@@ -2,3 +2,32 @@ hid-uhid-fix-worker-destroying-device-without-any-protection.patch
 hid-wacom-reset-expected-and-received-contact-counts-at-the-same-time.patch
 hid-wacom-ignore-the-confidence-flag-when-a-touch-is-removed.patch
 hid-wacom-avoid-using-stale-array-indicies-to-read-contact-count.patch
+f2fs-fix-to-do-sanity-check-in-is_alive.patch
+nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch
+mtd-rawnand-gpmi-add-err007117-protection-for-nfc_apply_timings.patch
+mtd-rawnand-gpmi-remove-explicit-default-gpmi-clock-setting-for-i.mx6.patch
+x86-gpu-reserve-stolen-memory-for-first-integrated-intel-gpu.patch
+tools-nolibc-x86-64-fix-startup-code-bug.patch
+tools-nolibc-i386-fix-initial-stack-alignment.patch
+tools-nolibc-fix-incorrect-truncation-of-exit-code.patch
+rtc-cmos-take-rtc_lock-while-reading-from-cmos.patch
+media-v4l2-ioctl.c-readbuffers-depends-on-v4l2_cap_readwrite.patch
+media-flexcop-usb-fix-control-message-timeouts.patch
+media-mceusb-fix-control-message-timeouts.patch
+media-em28xx-fix-control-message-timeouts.patch
+media-cpia2-fix-control-message-timeouts.patch
+media-s2255-fix-control-message-timeouts.patch
+media-dib0700-fix-undefined-behavior-in-tuner-shutdown.patch
+media-redrat3-fix-control-message-timeouts.patch
+media-pvrusb2-fix-control-message-timeouts.patch
+media-stk1160-fix-control-message-timeouts.patch
+can-softing_cs-softingcs_probe-fix-memleak-on-registration-failure.patch
+lkdtm-fix-content-of-section-containing-lkdtm_rodata_do_nothing.patch
+iommu-io-pgtable-arm-v7s-add-error-handle-for-page-table-allocation-failure.patch
+dma_fence_array-fix-pending_error-leak-in-dma_fence_array_signaled.patch
+pci-add-function-1-dma-alias-quirk-for-marvell-88se9125-sata-controller.patch
+mm_zone-add-function-to-check-if-managed-dma-zone-exists.patch
+mm-page_alloc.c-do-not-warn-allocation-failure-on-zone-dma-if-no-managed-pages.patch
+shmem-fix-a-race-between-shmem_unused_huge_shrink-and-shmem_evict_inode.patch
+drm-rockchip-dsi-hold-pm-runtime-across-bind-unbind.patch
+drm-rockchip-dsi-reconfigure-hardware-on-resume.patch
diff --git a/queue-5.4/shmem-fix-a-race-between-shmem_unused_huge_shrink-and-shmem_evict_inode.patch b/queue-5.4/shmem-fix-a-race-between-shmem_unused_huge_shrink-and-shmem_evict_inode.patch
new file mode 100644 (file)
index 0000000..6d46ac3
--- /dev/null
@@ -0,0 +1,172 @@
+From 62c9827cbb996c2c04f615ecd783ce28bcea894b Mon Sep 17 00:00:00 2001
+From: Gang Li <ligang.bdlg@bytedance.com>
+Date: Fri, 14 Jan 2022 14:05:23 -0800
+Subject: shmem: fix a race between shmem_unused_huge_shrink and shmem_evict_inode
+
+From: Gang Li <ligang.bdlg@bytedance.com>
+
+commit 62c9827cbb996c2c04f615ecd783ce28bcea894b upstream.
+
+Fix a data race in commit 779750d20b93 ("shmem: split huge pages beyond
+i_size under memory pressure").
+
+Here are call traces causing race:
+
+   Call Trace 1:
+     shmem_unused_huge_shrink+0x3ae/0x410
+     ? __list_lru_walk_one.isra.5+0x33/0x160
+     super_cache_scan+0x17c/0x190
+     shrink_slab.part.55+0x1ef/0x3f0
+     shrink_node+0x10e/0x330
+     kswapd+0x380/0x740
+     kthread+0xfc/0x130
+     ? mem_cgroup_shrink_node+0x170/0x170
+     ? kthread_create_on_node+0x70/0x70
+     ret_from_fork+0x1f/0x30
+
+   Call Trace 2:
+     shmem_evict_inode+0xd8/0x190
+     evict+0xbe/0x1c0
+     do_unlinkat+0x137/0x330
+     do_syscall_64+0x76/0x120
+     entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+A simple explanation:
+
+Image there are 3 items in the local list (@list).  In the first
+traversal, A is not deleted from @list.
+
+  1)    A->B->C
+        ^
+        |
+        pos (leave)
+
+In the second traversal, B is deleted from @list.  Concurrently, A is
+deleted from @list through shmem_evict_inode() since last reference
+counter of inode is dropped by other thread.  Then the @list is corrupted.
+
+  2)    A->B->C
+        ^  ^
+        |  |
+     evict pos (drop)
+
+We should make sure the inode is either on the global list or deleted from
+any local list before iput().
+
+Fixed by moving inodes back to global list before we put them.
+
+[akpm@linux-foundation.org: coding style fixes]
+
+Link: https://lkml.kernel.org/r/20211125064502.99983-1-ligang.bdlg@bytedance.com
+Fixes: 779750d20b93 ("shmem: split huge pages beyond i_size under memory pressure")
+Signed-off-by: Gang Li <ligang.bdlg@bytedance.com>
+Reviewed-by: Muchun Song <songmuchun@bytedance.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/shmem.c |   37 +++++++++++++++++++++----------------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -466,7 +466,7 @@ static unsigned long shmem_unused_huge_s
+       struct shmem_inode_info *info;
+       struct page *page;
+       unsigned long batch = sc ? sc->nr_to_scan : 128;
+-      int removed = 0, split = 0;
++      int split = 0;
+       if (list_empty(&sbinfo->shrinklist))
+               return SHRINK_STOP;
+@@ -481,7 +481,6 @@ static unsigned long shmem_unused_huge_s
+               /* inode is about to be evicted */
+               if (!inode) {
+                       list_del_init(&info->shrinklist);
+-                      removed++;
+                       goto next;
+               }
+@@ -489,12 +488,12 @@ static unsigned long shmem_unused_huge_s
+               if (round_up(inode->i_size, PAGE_SIZE) ==
+                               round_up(inode->i_size, HPAGE_PMD_SIZE)) {
+                       list_move(&info->shrinklist, &to_remove);
+-                      removed++;
+                       goto next;
+               }
+               list_move(&info->shrinklist, &list);
+ next:
++              sbinfo->shrinklist_len--;
+               if (!--batch)
+                       break;
+       }
+@@ -514,7 +513,7 @@ next:
+               inode = &info->vfs_inode;
+               if (nr_to_split && split >= nr_to_split)
+-                      goto leave;
++                      goto move_back;
+               page = find_get_page(inode->i_mapping,
+                               (inode->i_size & HPAGE_PMD_MASK) >> PAGE_SHIFT);
+@@ -528,38 +527,44 @@ next:
+               }
+               /*
+-               * Leave the inode on the list if we failed to lock
+-               * the page at this time.
++               * Move the inode on the list back to shrinklist if we failed
++               * to lock the page at this time.
+                *
+                * Waiting for the lock may lead to deadlock in the
+                * reclaim path.
+                */
+               if (!trylock_page(page)) {
+                       put_page(page);
+-                      goto leave;
++                      goto move_back;
+               }
+               ret = split_huge_page(page);
+               unlock_page(page);
+               put_page(page);
+-              /* If split failed leave the inode on the list */
++              /* If split failed move the inode on the list back to shrinklist */
+               if (ret)
+-                      goto leave;
++                      goto move_back;
+               split++;
+ drop:
+               list_del_init(&info->shrinklist);
+-              removed++;
+-leave:
++              goto put;
++move_back:
++              /*
++               * Make sure the inode is either on the global list or deleted
++               * from any local list before iput() since it could be deleted
++               * in another thread once we put the inode (then the local list
++               * is corrupted).
++               */
++              spin_lock(&sbinfo->shrinklist_lock);
++              list_move(&info->shrinklist, &sbinfo->shrinklist);
++              sbinfo->shrinklist_len++;
++              spin_unlock(&sbinfo->shrinklist_lock);
++put:
+               iput(inode);
+       }
+-      spin_lock(&sbinfo->shrinklist_lock);
+-      list_splice_tail(&list, &sbinfo->shrinklist);
+-      sbinfo->shrinklist_len -= removed;
+-      spin_unlock(&sbinfo->shrinklist_lock);
+-
+       return split;
+ }
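Review bot: At `move_back:` the inode is returned with `list_move()`, which puts it at the head of `sbinfo->shrinklist`, whereas the removed `list_splice_tail()` put leftovers at the tail. If the scan loop walks the list from the head (its start is outside the hunk), an inode whose page could not be locked or split is the first one picked up on the next pass and can crowd out others. `list_move_tail(&info->shrinklist, &sbinfo->shrinklist);` would keep the old ordering. The new `sbinfo->shrinklist_len--` at `next:` also relies on `shrinklist_lock` being held around that loop, which the hunk does not show; a one-line comment there would help.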
diff --git a/queue-5.4/tools-nolibc-fix-incorrect-truncation-of-exit-code.patch b/queue-5.4/tools-nolibc-fix-incorrect-truncation-of-exit-code.patch
new file mode 100644 (file)
index 0000000..11bc900
--- /dev/null
@@ -0,0 +1,91 @@
+From de0244ae40ae91145faaf164a4252347607c3711 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Sun, 24 Oct 2021 19:28:16 +0200
+Subject: tools/nolibc: fix incorrect truncation of exit code
+
+From: Willy Tarreau <w@1wt.eu>
+
+commit de0244ae40ae91145faaf164a4252347607c3711 upstream.
+
+Ammar Faizi reported that our exit code handling is wrong. We truncate
+it to the lowest 8 bits but the syscall itself is expected to take a
+regular 32-bit signed integer, not an unsigned char. It's the kernel
+that later truncates it to the lowest 8 bits. The difference is visible
+in strace, where the program below used to show exit(255) instead of
+exit(-1):
+
+  int main(void)
+  {
+        return -1;
+  }
+
+This patch applies the fix to all archs. x86_64, i386, arm64, armv7 and
+mips were all tested and confirmed to work fine now. Risc-v was not
+tested but the change is trivial and exactly the same as for other archs.
+
+Reported-by: Ammar Faizi <ammar.faizi@students.amikom.ac.id>
+Cc: stable@vger.kernel.org
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/include/nolibc/nolibc.h |   13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/tools/include/nolibc/nolibc.h
++++ b/tools/include/nolibc/nolibc.h
+@@ -437,7 +437,7 @@ asm(".section .text\n"
+     "xor %ebp, %ebp\n"          // zero the stack frame
+     "and $-16, %rsp\n"          // x86 ABI : esp must be 16-byte aligned before call
+     "call main\n"               // main() returns the status code, we'll exit with it.
+-    "movzb %al, %rdi\n"         // retrieve exit code from 8 lower bits
++    "mov %eax, %edi\n"          // retrieve exit code (32 bit)
+     "mov $60, %rax\n"           // NR_exit == 60
+     "syscall\n"                 // really exit
+     "hlt\n"                     // ensure it does not return
+@@ -625,9 +625,9 @@ asm(".section .text\n"
+     "push %ebx\n"               // support both regparm and plain stack modes
+     "push %eax\n"
+     "call main\n"               // main() returns the status code in %eax
+-    "movzbl %al, %ebx\n"        // retrieve exit code from lower 8 bits
+-    "movl   $1, %eax\n"         // NR_exit == 1
+-    "int    $0x80\n"            // exit now
++    "mov %eax, %ebx\n"          // retrieve exit code (32-bit int)
++    "movl $1, %eax\n"           // NR_exit == 1
++    "int $0x80\n"               // exit now
+     "hlt\n"                     // ensure it does not
+     "");
+@@ -811,7 +811,6 @@ asm(".section .text\n"
+     "and %r3, %r1, $-8\n"         // AAPCS : sp must be 8-byte aligned in the
+     "mov %sp, %r3\n"              //         callee, an bl doesn't push (lr=pc)
+     "bl main\n"                   // main() returns the status code, we'll exit with it.
+-    "and %r0, %r0, $0xff\n"       // limit exit code to 8 bits
+     "movs r7, $1\n"               // NR_exit == 1
+     "svc $0x00\n"
+     "");
+@@ -1008,7 +1007,6 @@ asm(".section .text\n"
+     "add x2, x2, x1\n"            //           + argv
+     "and sp, x1, -16\n"           // sp must be 16-byte aligned in the callee
+     "bl main\n"                   // main() returns the status code, we'll exit with it.
+-    "and x0, x0, 0xff\n"          // limit exit code to 8 bits
+     "mov x8, 93\n"                // NR_exit == 93
+     "svc #0\n"
+     "");
+@@ -1213,7 +1211,7 @@ asm(".section .text\n"
+     "addiu $sp,$sp,-16\n"         // the callee expects to save a0..a3 there!
+     "jal main\n"                  // main() returns the status code, we'll exit with it.
+     "nop\n"                       // delayed slot
+-    "and $a0, $v0, 0xff\n"        // limit exit code to 8 bits
++    "move $a0, $v0\n"             // retrieve 32-bit exit code from v0
+     "li $v0, 4001\n"              // NR_exit == 4001
+     "syscall\n"
+     ".end __start\n"
+@@ -1411,7 +1409,6 @@ asm(".section .text\n"
+     "add   a2,a2,a1\n"           //             + argv
+     "andi  sp,a1,-16\n"          // sp must be 16-byte aligned
+     "call  main\n"               // main() returns the status code, we'll exit with it.
+-    "andi  a0, a0, 0xff\n"       // limit exit code to 8 bits
+     "li a7, 93\n"                // NR_exit == 93
+     "ecall\n"
+     "");
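Review bot: On the ARM, AArch64 and RISC-V paths the masking instruction is deleted with no comment left behind, so nothing says why no move is needed between `bl main` / `call main` and the syscall. A short comment on the NR_exit line, such as `// main()'s return value is already in the first syscall argument register`, would document it. The two x86 comments also differ in wording, `(32 bit)` versus `(32-bit int)`; one form would do. The commit message states RISC-V was not tested, so that path is worth running once.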
diff --git a/queue-5.4/tools-nolibc-i386-fix-initial-stack-alignment.patch b/queue-5.4/tools-nolibc-i386-fix-initial-stack-alignment.patch
new file mode 100644 (file)
index 0000000..9986edc
--- /dev/null
@@ -0,0 +1,51 @@
+From ebbe0d8a449d183fa43b42d84fcb248e25303985 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Sun, 24 Oct 2021 19:28:15 +0200
+Subject: tools/nolibc: i386: fix initial stack alignment
+
+From: Willy Tarreau <w@1wt.eu>
+
+commit ebbe0d8a449d183fa43b42d84fcb248e25303985 upstream.
+
+After re-checking in the spec and comparing stack offsets with glibc,
+The last pushed argument must be 16-byte aligned (i.e. aligned before the
+call) so that in the callee esp+4 is multiple of 16, so the principle is
+the 32-bit equivalent to what Ammar fixed for x86_64. It's possible that
+32-bit code using SSE2 or MMX could have been affected. In addition the
+frame pointer ought to be zero at the deepest level.
+
+Link: https://gitlab.com/x86-psABIs/i386-ABI/-/wikis/Intel386-psABI
+Cc: Ammar Faizi <ammar.faizi@students.amikom.ac.id>
+Cc: stable@vger.kernel.org
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/include/nolibc/nolibc.h |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/tools/include/nolibc/nolibc.h
++++ b/tools/include/nolibc/nolibc.h
+@@ -606,13 +606,21 @@ struct sys_stat_struct {
+ })
+ /* startup code */
++/*
++ * i386 System V ABI mandates:
++ * 1) last pushed argument must be 16-byte aligned.
++ * 2) The deepest stack frame should be set to zero
++ *
++ */
+ asm(".section .text\n"
+     ".global _start\n"
+     "_start:\n"
+     "pop %eax\n"                // argc   (first arg, %eax)
+     "mov %esp, %ebx\n"          // argv[] (second arg, %ebx)
+     "lea 4(%ebx,%eax,4),%ecx\n" // then a NULL then envp (third arg, %ecx)
+-    "and $-16, %esp\n"          // x86 ABI : esp must be 16-byte aligned when
++    "xor %ebp, %ebp\n"          // zero the stack frame
++    "and $-16, %esp\n"          // x86 ABI : esp must be 16-byte aligned before
++    "sub $4, %esp\n"            // the call instruction (args are aligned)
+     "push %ecx\n"               // push all registers on the stack so that we
+     "push %ebx\n"               // support both regparm and plain stack modes
+     "push %eax\n"
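Review bot: The `sub $4, %esp` line has no comment of its own; the text beside it continues the sentence started on the `and` line, so the reason for the constant 4 is never stated. Assuming `call main` follows the three pushes, 4 bytes of padding plus three 4-byte pushes total 16, so %esp is 16-byte aligned again at the call. A comment like `// 4 bytes pad + 3 pushes = 16, keeps %esp aligned at the call` would say so. Item 2 of the new block comment says the deepest stack frame should be "set to zero" while the code zeroes the frame pointer `%ebp`; "frame pointer" is the more precise wording. The `_start` sequence continues outside the hunk.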
diff --git a/queue-5.4/tools-nolibc-x86-64-fix-startup-code-bug.patch b/queue-5.4/tools-nolibc-x86-64-fix-startup-code-bug.patch
new file mode 100644 (file)
index 0000000..f78d21c
--- /dev/null
@@ -0,0 +1,97 @@
+From 937ed91c712273131de6d2a02caafd3ee84e0c72 Mon Sep 17 00:00:00 2001
+From: Ammar Faizi <ammar.faizi@students.amikom.ac.id>
+Date: Sun, 24 Oct 2021 19:28:14 +0200
+Subject: tools/nolibc: x86-64: Fix startup code bug
+
+From: Ammar Faizi <ammar.faizi@students.amikom.ac.id>
+
+commit 937ed91c712273131de6d2a02caafd3ee84e0c72 upstream.
+
+Before this patch, the `_start` function looks like this:
+```
+0000000000001170 <_start>:
+    1170:      pop    %rdi
+    1171:      mov    %rsp,%rsi
+    1174:      lea    0x8(%rsi,%rdi,8),%rdx
+    1179:      and    $0xfffffffffffffff0,%rsp
+    117d:      sub    $0x8,%rsp
+    1181:      call   1000 <main>
+    1186:      movzbq %al,%rdi
+    118a:      mov    $0x3c,%rax
+    1191:      syscall
+    1193:      hlt
+    1194:      data16 cs nopw 0x0(%rax,%rax,1)
+    119f:      nop
+```
+Note the "and" to %rsp with $-16, it makes the %rsp be 16-byte aligned,
+but then there is a "sub" with $0x8 which makes the %rsp no longer
+16-byte aligned, then it calls main. That's the bug!
+
+What actually the x86-64 System V ABI mandates is that right before the
+"call", the %rsp must be 16-byte aligned, not after the "call". So the
+"sub" with $0x8 here breaks the alignment. Remove it.
+
+An example where this rule matters is when the callee needs to align
+its stack at 16-byte for aligned move instruction, like `movdqa` and
+`movaps`. If the callee can't align its stack properly, it will result
+in segmentation fault.
+
+x86-64 System V ABI also mandates the deepest stack frame should be
+zero. Just to be safe, let's zero the %rbp on startup as the content
+of %rbp may be unspecified when the program starts. Now it looks like
+this:
+```
+0000000000001170 <_start>:
+    1170:      pop    %rdi
+    1171:      mov    %rsp,%rsi
+    1174:      lea    0x8(%rsi,%rdi,8),%rdx
+    1179:      xor    %ebp,%ebp                # zero the %rbp
+    117b:      and    $0xfffffffffffffff0,%rsp # align the %rsp
+    117f:      call   1000 <main>
+    1184:      movzbq %al,%rdi
+    1188:      mov    $0x3c,%rax
+    118f:      syscall
+    1191:      hlt
+    1192:      data16 cs nopw 0x0(%rax,%rax,1)
+    119d:      nopl   (%rax)
+```
+
+Cc: Bedirhan KURT <windowz414@gnuweeb.org>
+Cc: Louvian Lyndal <louvianlyndal@gmail.com>
+Reported-by: Peter Cordes <peter@cordes.ca>
+Signed-off-by: Ammar Faizi <ammar.faizi@students.amikom.ac.id>
+[wt: I did this on purpose due to a misunderstanding of the spec, other
+     archs will thus have to be rechecked, particularly i386]
+Cc: stable@vger.kernel.org
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/include/nolibc/nolibc.h |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/tools/include/nolibc/nolibc.h
++++ b/tools/include/nolibc/nolibc.h
+@@ -422,14 +422,20 @@ struct stat {
+ })
+ /* startup code */
++/*
++ * x86-64 System V ABI mandates:
++ * 1) %rsp must be 16-byte aligned right before the function call.
++ * 2) The deepest stack frame should be zero (the %rbp).
++ *
++ */
+ asm(".section .text\n"
+     ".global _start\n"
+     "_start:\n"
+     "pop %rdi\n"                // argc   (first arg, %rdi)
+     "mov %rsp, %rsi\n"          // argv[] (second arg, %rsi)
+     "lea 8(%rsi,%rdi,8),%rdx\n" // then a NULL then envp (third arg, %rdx)
+-    "and $-16, %rsp\n"          // x86 ABI : esp must be 16-byte aligned when
+-    "sub $8, %rsp\n"            // entering the callee
++    "xor %ebp, %ebp\n"          // zero the stack frame
++    "and $-16, %rsp\n"          // x86 ABI : esp must be 16-byte aligned before call
+     "call main\n"               // main() returns the status code, we'll exit with it.
+     "movzb %al, %rdi\n"         // retrieve exit code from 8 lower bits
+     "mov $60, %rax\n"           // NR_exit == 60
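Review bot: The comments on the two new `_start` instructions are imprecise: `xor %ebp, %ebp` is labelled "zero the stack frame" although it clears the frame-pointer register, and the alignment comment still says `esp` in the 64-bit variant. I would write `// zero %rbp (32-bit xor zero-extends): marks the outermost frame` and `// x86-64 ABI: %rsp must be 16-byte aligned before call`, which also tells the reader why a 32-bit xor is sufficient here. The added block comment ends with an empty ` *` line that can be dropped. The asm statement continues past the end of the hunk.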
diff --git a/queue-5.4/x86-gpu-reserve-stolen-memory-for-first-integrated-intel-gpu.patch b/queue-5.4/x86-gpu-reserve-stolen-memory-for-first-integrated-intel-gpu.patch
new file mode 100644 (file)
index 0000000..4c9ce55
--- /dev/null
@@ -0,0 +1,76 @@
+From 9c494ca4d3a535f9ca11ad6af1813983c1c6cbdd Mon Sep 17 00:00:00 2001
+From: Lucas De Marchi <lucas.demarchi@intel.com>
+Date: Thu, 13 Jan 2022 16:28:39 -0800
+Subject: x86/gpu: Reserve stolen memory for first integrated Intel GPU
+
+From: Lucas De Marchi <lucas.demarchi@intel.com>
+
+commit 9c494ca4d3a535f9ca11ad6af1813983c1c6cbdd upstream.
+
+"Stolen memory" is memory set aside for use by an Intel integrated GPU.
+The intel_graphics_quirks() early quirk reserves this memory when it is
+called for a GPU that appears in the intel_early_ids[] table of integrated
+GPUs.
+
+Previously intel_graphics_quirks() was marked as QFLAG_APPLY_ONCE, so it
+was called only for the first Intel GPU found.  If a discrete GPU happened
+to be enumerated first, intel_graphics_quirks() was called for it but not
+for any integrated GPU found later.  Therefore, stolen memory for such an
+integrated GPU was never reserved.
+
+For example, this problem occurs in this Alderlake-P (integrated) + DG2
+(discrete) topology where the DG2 is found first, but stolen memory is
+associated with the integrated GPU:
+
+  - 00:01.0 Bridge
+    `- 03:00.0 DG2 discrete GPU
+  - 00:02.0 Integrated GPU (with stolen memory)
+
+Remove the QFLAG_APPLY_ONCE flag and call intel_graphics_quirks() for every
+Intel GPU.  Reserve stolen memory for the first GPU that appears in
+intel_early_ids[].
+
+[bhelgaas: commit log, add code comment, squash in
+https://lore.kernel.org/r/20220118190558.2ququ4vdfjuahicm@ldmartin-desk2]
+Link: https://lore.kernel.org/r/20220114002843.2083382-1-lucas.demarchi@intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/early-quirks.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/early-quirks.c
++++ b/arch/x86/kernel/early-quirks.c
+@@ -515,6 +515,7 @@ static const struct intel_early_ops gen1
+       .stolen_size = gen9_stolen_size,
+ };
++/* Intel integrated GPUs for which we need to reserve "stolen memory" */
+ static const struct pci_device_id intel_early_ids[] __initconst = {
+       INTEL_I830_IDS(&i830_early_ops),
+       INTEL_I845G_IDS(&i845_early_ops),
+@@ -587,6 +588,13 @@ static void __init intel_graphics_quirks
+       u16 device;
+       int i;
++      /*
++       * Reserve "stolen memory" for an integrated GPU.  If we've already
++       * found one, there's nothing to do for other (discrete) GPUs.
++       */
++      if (resource_size(&intel_graphics_stolen_res))
++              return;
++
+       device = read_pci_config_16(num, slot, func, PCI_DEVICE_ID);
+       for (i = 0; i < ARRAY_SIZE(intel_early_ids); i++) {
+@@ -699,7 +707,7 @@ static struct chipset early_qrk[] __init
+       { PCI_VENDOR_ID_INTEL, 0x3406, PCI_CLASS_BRIDGE_HOST,
+         PCI_BASE_CLASS_BRIDGE, 0, intel_remapping_check },
+       { PCI_VENDOR_ID_INTEL, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA, PCI_ANY_ID,
+-        QFLAG_APPLY_ONCE, intel_graphics_quirks },
++        0, intel_graphics_quirks },
+       /*
+        * HPET on the current version of the Baytrail platform has accuracy
+        * problems: it will halt in deep idle state - so we disable it.
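Review bot: The early return added to intel_graphics_quirks() depends on `intel_graphics_stolen_res` starting out as an empty resource, and the new comment does not say so. resource_size() is `end - start + 1`, so a zero-filled struct resource would report size 1 and the quirk would return for every device; the definition is outside this hunk and presumably initialises it with size 0, which is worth confirming. I would add a line to the comment such as `* Relies on intel_graphics_stolen_res being defined empty (size 0) until the reservation is made.` The function body starts and ends outside the hunk.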