5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 13 Nov 2021 11:46:58 +0000 (12:46 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 13 Nov 2021 11:46:58 +0000 (12:46 +0100)
added patches:
crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch
exfat-fix-incorrect-loading-of-i_blocks-for-large-files.patch
firmware-psci-fix-application-of-sizeof-to-pointer.patch
io-wq-remove-worker-to-owner-tw-dependency.patch
media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch
media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch
media-rkvdec-do-not-override-sizeimage-for-output-format.patch
media-rkvdec-support-dynamic-resolution-changes.patch
media-v4l2-ioctl-fix-check_ext_ctrls.patch
mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch
mmc-mtk-sd-add-wait-dma-stop-done-flow.patch
parisc-fix-ptrace-check-on-syscall-return.patch
parisc-fix-set_fixmap-on-pa1.x-cpus.patch
tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch

15 files changed:
queue-5.15/crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch [new file with mode: 0644]
queue-5.15/exfat-fix-incorrect-loading-of-i_blocks-for-large-files.patch [new file with mode: 0644]
queue-5.15/firmware-psci-fix-application-of-sizeof-to-pointer.patch [new file with mode: 0644]
queue-5.15/io-wq-remove-worker-to-owner-tw-dependency.patch [new file with mode: 0644]
queue-5.15/media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch [new file with mode: 0644]
queue-5.15/media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch [new file with mode: 0644]
queue-5.15/media-rkvdec-do-not-override-sizeimage-for-output-format.patch [new file with mode: 0644]
queue-5.15/media-rkvdec-support-dynamic-resolution-changes.patch [new file with mode: 0644]
queue-5.15/media-v4l2-ioctl-fix-check_ext_ctrls.patch [new file with mode: 0644]
queue-5.15/mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch [new file with mode: 0644]
queue-5.15/mmc-mtk-sd-add-wait-dma-stop-done-flow.patch [new file with mode: 0644]
queue-5.15/parisc-fix-ptrace-check-on-syscall-return.patch [new file with mode: 0644]
queue-5.15/parisc-fix-set_fixmap-on-pa1.x-cpus.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch [new file with mode: 0644]

diff --git a/queue-5.15/crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch b/queue-5.15/crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch
new file mode 100644 (file)
index 0000000..5d9a952
--- /dev/null
@@ -0,0 +1,33 @@
+From a472cc0dde3eb057db71c80f102556eeced03805 Mon Sep 17 00:00:00 2001
+From: Tang Bin <tangbin@cmss.chinamobile.com>
+Date: Thu, 21 Oct 2021 09:34:22 +0800
+Subject: crypto: s5p-sss - Add error handling in s5p_aes_probe()
+
+From: Tang Bin <tangbin@cmss.chinamobile.com>
+
+commit a472cc0dde3eb057db71c80f102556eeced03805 upstream.
+
+The function s5p_aes_probe() does not perform sufficient error
+checking after executing platform_get_resource(), thus fix it.
+
+Fixes: c2afad6c6105 ("crypto: s5p-sss - Add HASH support for Exynos")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Tang Bin <tangbin@cmss.chinamobile.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/s5p-sss.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/crypto/s5p-sss.c
++++ b/drivers/crypto/s5p-sss.c
+@@ -2171,6 +2171,8 @@ static int s5p_aes_probe(struct platform
+       variant = find_s5p_sss_version(pdev);
+       res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++      if (!res)
++              return -EINVAL;
+       /*
+        * Note: HASH and PRNG uses the same registers in secss, avoid
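Review bot: The added check returns silently, so a platform whose device node lacks the expected memory resource fails probe with a bare -EINVAL and nothing in the log to say why; a `dev_err(&pdev->dev, "no memory resource\n");` before the `return -EINVAL;` would make that failure diagnosable. s5p_aes_probe starts and ends outside the hunk, so whether anything acquired earlier in the function needs releasing on this new early-return path cannot be checked from what is shown; if the preceding code only reads pdev, the bare return is fine.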
diff --git a/queue-5.15/exfat-fix-incorrect-loading-of-i_blocks-for-large-files.patch b/queue-5.15/exfat-fix-incorrect-loading-of-i_blocks-for-large-files.patch
new file mode 100644 (file)
index 0000000..347cacf
--- /dev/null
@@ -0,0 +1,34 @@
+From 0c336d6e33f4bedc443404c89f43c91c8bd9ee11 Mon Sep 17 00:00:00 2001
+From: Sungjong Seo <sj1557.seo@samsung.com>
+Date: Tue, 19 Oct 2021 15:14:21 +0900
+Subject: exfat: fix incorrect loading of i_blocks for large files
+
+From: Sungjong Seo <sj1557.seo@samsung.com>
+
+commit 0c336d6e33f4bedc443404c89f43c91c8bd9ee11 upstream.
+
+When calculating i_blocks, there was a mistake that was masked with a
+32-bit variable. So i_blocks for files larger than 4 GiB had incorrect
+values. Mask with a 64-bit variable instead of 32-bit one.
+
+Fixes: 5f2aa075070c ("exfat: add inode operations")
+Cc: stable@vger.kernel.org # v5.7+
+Reported-by: Ganapathi Kamath <hgkamath@hotmail.com>
+Signed-off-by: Sungjong Seo <sj1557.seo@samsung.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/exfat/inode.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/exfat/inode.c
++++ b/fs/exfat/inode.c
+@@ -604,7 +604,7 @@ static int exfat_fill_inode(struct inode
+       exfat_save_attr(inode, info->attr);
+       inode->i_blocks = ((i_size_read(inode) + (sbi->cluster_size - 1)) &
+-              ~(sbi->cluster_size - 1)) >> inode->i_blkbits;
++              ~((loff_t)sbi->cluster_size - 1)) >> inode->i_blkbits;
+       inode->i_mtime = info->mtime;
+       inode->i_ctime = info->mtime;
+       ei->i_crtime = info->crtime;
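Review bot: The hand-written round-up at the changed line is exactly what the kernel's `ALIGN()` macro does, and `ALIGN()` casts its mask to the type of the first argument, so the 64-bit width this patch adds by hand comes for free: `inode->i_blocks = ALIGN(i_size_read(inode), sbi->cluster_size) >> inode->i_blkbits;`. That also removes the open-coded mask that let the 32-bit truncation slip in originally. This is a point of style only; the `(loff_t)` cast as written is correct. exfat_fill_inode starts and ends outside the hunk.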
diff --git a/queue-5.15/firmware-psci-fix-application-of-sizeof-to-pointer.patch b/queue-5.15/firmware-psci-fix-application-of-sizeof-to-pointer.patch
new file mode 100644 (file)
index 0000000..65b9d12
--- /dev/null
@@ -0,0 +1,39 @@
+From 2ac5fb35cd520ab1851c9a4816c523b65276052f Mon Sep 17 00:00:00 2001
+From: jing yangyang <cgel.zte@gmail.com>
+Date: Thu, 19 Aug 2021 19:30:16 -0700
+Subject: firmware/psci: fix application of sizeof to pointer
+
+From: jing yangyang <cgel.zte@gmail.com>
+
+commit 2ac5fb35cd520ab1851c9a4816c523b65276052f upstream.
+
+sizeof when applied to a pointer typed expression gives the size of
+the pointer.
+
+./drivers/firmware/psci/psci_checker.c:158:41-47: ERROR application of sizeof to pointer
+
+This issue was detected with the help of Coccinelle.
+
+Fixes: 7401056de5f8 ("drivers/firmware: psci_checker: stash and use topology_core_cpumask for hotplug tests")
+Cc: stable@vger.kernel.org
+Reported-by: Zeal Robot <zealci@zte.com.cn>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: jing yangyang <jing.yangyang@zte.com.cn>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/psci/psci_checker.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firmware/psci/psci_checker.c
++++ b/drivers/firmware/psci/psci_checker.c
+@@ -155,7 +155,7 @@ static int alloc_init_cpu_groups(cpumask
+       if (!alloc_cpumask_var(&tmp, GFP_KERNEL))
+               return -ENOMEM;
+-      cpu_groups = kcalloc(nb_available_cpus, sizeof(cpu_groups),
++      cpu_groups = kcalloc(nb_available_cpus, sizeof(*cpu_groups),
+                            GFP_KERNEL);
+       if (!cpu_groups) {
+               free_cpumask_var(tmp);
diff --git a/queue-5.15/io-wq-remove-worker-to-owner-tw-dependency.patch b/queue-5.15/io-wq-remove-worker-to-owner-tw-dependency.patch
new file mode 100644 (file)
index 0000000..3850b25
--- /dev/null
@@ -0,0 +1,125 @@
+From 1d5f5ea7cb7d15b9fb1cc82673ebb054f02cd7d2 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Fri, 29 Oct 2021 13:11:33 +0100
+Subject: io-wq: remove worker to owner tw dependency
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 1d5f5ea7cb7d15b9fb1cc82673ebb054f02cd7d2 upstream.
+
+INFO: task iou-wrk-6609:6612 blocked for more than 143 seconds.
+      Not tainted 5.15.0-rc5-syzkaller #0
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+task:iou-wrk-6609    state:D stack:27944 pid: 6612 ppid:  6526 flags:0x00004006
+Call Trace:
+ context_switch kernel/sched/core.c:4940 [inline]
+ __schedule+0xb44/0x5960 kernel/sched/core.c:6287
+ schedule+0xd3/0x270 kernel/sched/core.c:6366
+ schedule_timeout+0x1db/0x2a0 kernel/time/timer.c:1857
+ do_wait_for_common kernel/sched/completion.c:85 [inline]
+ __wait_for_common kernel/sched/completion.c:106 [inline]
+ wait_for_common kernel/sched/completion.c:117 [inline]
+ wait_for_completion+0x176/0x280 kernel/sched/completion.c:138
+ io_worker_exit fs/io-wq.c:183 [inline]
+ io_wqe_worker+0x66d/0xc40 fs/io-wq.c:597
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
+
+io-wq worker may submit a task_work to the master task and upon
+io_worker_exit() wait for the tw to get executed. The problem appears
+when the master task is waiting in coredump.c:
+
+468                     freezer_do_not_count();
+469                     wait_for_completion(&core_state->startup);
+470                     freezer_count();
+
+Apparently having some dependency on children threads getting everything
+stuck. Workaround it by cancelling the taks_work callback that causes it
+before going into io_worker_exit() waiting.
+
+p.s. probably a better option is to not submit tw elevating the refcount
+in the first place, but let's leave this excercise for the future.
+
+Cc: stable@vger.kernel.org
+Reported-and-tested-by: syzbot+27d62ee6f256b186883e@syzkaller.appspotmail.com
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/142a716f4ed936feae868959059154362bfa8c19.1635509451.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io-wq.c |   46 +++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 37 insertions(+), 9 deletions(-)
+
+--- a/fs/io-wq.c
++++ b/fs/io-wq.c
+@@ -140,6 +140,7 @@ static void io_wqe_dec_running(struct io
+ static bool io_acct_cancel_pending_work(struct io_wqe *wqe,
+                                       struct io_wqe_acct *acct,
+                                       struct io_cb_cancel_data *match);
++static void create_worker_cb(struct callback_head *cb);
+ static bool io_worker_get(struct io_worker *worker)
+ {
+@@ -174,9 +175,44 @@ static void io_worker_ref_put(struct io_
+               complete(&wq->worker_done);
+ }
++static void io_worker_cancel_cb(struct io_worker *worker)
++{
++      struct io_wqe_acct *acct = io_wqe_get_acct(worker);
++      struct io_wqe *wqe = worker->wqe;
++      struct io_wq *wq = wqe->wq;
++
++      atomic_dec(&acct->nr_running);
++      raw_spin_lock(&worker->wqe->lock);
++      acct->nr_workers--;
++      raw_spin_unlock(&worker->wqe->lock);
++      io_worker_ref_put(wq);
++      clear_bit_unlock(0, &worker->create_state);
++      io_worker_release(worker);
++}
++
++static bool io_task_worker_match(struct callback_head *cb, void *data)
++{
++      struct io_worker *worker;
++
++      if (cb->func != create_worker_cb)
++              return false;
++      worker = container_of(cb, struct io_worker, create_work);
++      return worker == data;
++}
++
+ static void io_worker_exit(struct io_worker *worker)
+ {
+       struct io_wqe *wqe = worker->wqe;
++      struct io_wq *wq = wqe->wq;
++
++      while (1) {
++              struct callback_head *cb = task_work_cancel_match(wq->task,
++                                              io_task_worker_match, worker);
++
++              if (!cb)
++                      break;
++              io_worker_cancel_cb(worker);
++      }
+       if (refcount_dec_and_test(&worker->ref))
+               complete(&worker->ref_done);
+@@ -1150,17 +1186,9 @@ static void io_wq_exit_workers(struct io
+       while ((cb = task_work_cancel_match(wq->task, io_task_work_match, wq)) != NULL) {
+               struct io_worker *worker;
+-              struct io_wqe_acct *acct;
+               worker = container_of(cb, struct io_worker, create_work);
+-              acct = io_wqe_get_acct(worker);
+-              atomic_dec(&acct->nr_running);
+-              raw_spin_lock(&worker->wqe->lock);
+-              acct->nr_workers--;
+-              raw_spin_unlock(&worker->wqe->lock);
+-              io_worker_ref_put(wq);
+-              clear_bit_unlock(0, &worker->create_state);
+-              io_worker_release(worker);
++              io_worker_cancel_cb(worker);
+       }
+       rcu_read_lock();
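Review bot: The cancel loop added to io_worker_exit keeps `cb` only to test it for NULL, so it can take the same shape as the existing loop in io_wq_exit_workers: `while (task_work_cancel_match(wq->task, io_task_worker_match, worker)) io_worker_cancel_cb(worker);`. In io_worker_cancel_cb the lock is taken as `worker->wqe->lock` although `wqe` is already a local, so `raw_spin_lock(&wqe->lock)` (and the matching unlock) reads more consistently. The new helper has no comment; a one-liner such as `/* undo the accounting taken when create_work was queued; the callback will not run */` would tell the next reader why nr_running, nr_workers, the wq reference and create_state are all rolled back together. I take it the create_state bit guarantees at most one pending create_work per worker, so the loop drops at most one reference — worth stating in that comment if so.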
diff --git a/queue-5.15/media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch b/queue-5.15/media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch
new file mode 100644 (file)
index 0000000..4fd7923
--- /dev/null
@@ -0,0 +1,40 @@
+From c73ba202a851c0b611ef2c25e568fadeff5e667f Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Wed, 15 Sep 2021 18:14:07 +0200
+Subject: media: ir-kbd-i2c: improve responsiveness of hauppauge zilog receivers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sean Young <sean@mess.org>
+
+commit c73ba202a851c0b611ef2c25e568fadeff5e667f upstream.
+
+The IR receiver has two issues:
+
+ - Sometimes there is no response to a button press
+ - Sometimes a button press is repeated when it should not have been
+
+Hanging the polling interval fixes this behaviour.
+
+Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994050
+
+Cc: stable@vger.kernel.org
+Suggested-by: Joaquín Alberto Calderón Pozo <kini_calderon@hotmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ir-kbd-i2c.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/i2c/ir-kbd-i2c.c
++++ b/drivers/media/i2c/ir-kbd-i2c.c
+@@ -791,6 +791,7 @@ static int ir_probe(struct i2c_client *c
+               rc_proto    = RC_PROTO_BIT_RC5 | RC_PROTO_BIT_RC6_MCE |
+                                                       RC_PROTO_BIT_RC6_6A_32;
+               ir_codes    = RC_MAP_HAUPPAUGE;
++              ir->polling_interval = 125;
+               probe_tx = true;
+               break;
+       }
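Review bot: `ir->polling_interval = 125;` is a bare magic number with neither unit nor rationale at the point of use, and this line is the only thing that makes the Hauppauge case differ from its neighbours. A comment such as `/* ms; the Zilog firmware misses or repeats presses at the default rate */`, or a named constant, would carry the commit message's reasoning into the code. I am assuming polling_interval is in milliseconds from the driver's other uses of it — confirm that when wording the comment. ir_probe starts and ends outside the hunk.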
diff --git a/queue-5.15/media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch b/queue-5.15/media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch
new file mode 100644 (file)
index 0000000..77f4020
--- /dev/null
@@ -0,0 +1,36 @@
+From fdc881783099c6343921ff017450831c8766d12a Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Sun, 17 Oct 2021 13:01:15 +0100
+Subject: media: ite-cir: IR receiver stop working after receive overflow
+
+From: Sean Young <sean@mess.org>
+
+commit fdc881783099c6343921ff017450831c8766d12a upstream.
+
+On an Intel NUC6iSYK, no IR is reported after a receive overflow.
+
+When a receiver overflow occurs, this condition is only cleared by
+reading the fifo. Make sure we read anything in the fifo.
+
+Fixes: 28c7afb07ccf ("media: ite-cir: check for receive overflow")
+Suggested-by: Bryan Pass <bryan.pass@gmail.com>
+Tested-by: Bryan Pass <bryan.pass@gmail.com>
+Cc: stable@vger.kernel.org>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/ite-cir.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/rc/ite-cir.c
++++ b/drivers/media/rc/ite-cir.c
+@@ -242,7 +242,7 @@ static irqreturn_t ite_cir_isr(int irq,
+       }
+       /* check for the receive interrupt */
+-      if (iflags & ITE_IRQ_RX_FIFO) {
++      if (iflags & (ITE_IRQ_RX_FIFO | ITE_IRQ_RX_FIFO_OVERRUN)) {
+               /* read the FIFO bytes */
+               rx_bytes = dev->params->get_rx_bytes(dev, rx_buf,
+                                                   ITE_RX_FIFO_LEN);
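Review bot: The widened condition is correct per the commit message, but the reason is not visible in the code: a reader sees the FIFO being drained on an overrun interrupt with no explanation, which invites a later "cleanup" back to the broken form. A short comment above the `if`, e.g. `/* an overrun is only cleared by draining the FIFO, so read it on that interrupt too */`, records the hardware constraint where it matters. Whether the bytes drained after an overrun are then decoded as if they were a clean sample run, or the overrun branch above the hunk already resets the decoder, is outside what this hunk shows; it is worth a glance since lost samples leave the remaining ones misaligned. ite_cir_isr starts and ends outside the hunk.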
diff --git a/queue-5.15/media-rkvdec-do-not-override-sizeimage-for-output-format.patch b/queue-5.15/media-rkvdec-do-not-override-sizeimage-for-output-format.patch
new file mode 100644 (file)
index 0000000..297dffb
--- /dev/null
@@ -0,0 +1,43 @@
+From 298d8e8f7bcf023aceb60232d59b983255fec0df Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wenst@chromium.org>
+Date: Fri, 8 Oct 2021 11:04:22 +0100
+Subject: media: rkvdec: Do not override sizeimage for output format
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+commit 298d8e8f7bcf023aceb60232d59b983255fec0df upstream.
+
+The rkvdec H.264 decoder currently overrides sizeimage for the output
+format. This causes issues when userspace requires and requests a larger
+buffer, but ends up with one of insufficient size.
+
+Instead, only provide a default size if none was requested. This fixes
+the video_decode_accelerator_tests from Chromium failing on the first
+frame due to insufficient buffer space. It also aligns the behavior
+of the rkvdec driver with the Hantro and Cedrus drivers.
+
+Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/rkvdec/rkvdec-h264.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/media/rkvdec/rkvdec-h264.c
++++ b/drivers/staging/media/rkvdec/rkvdec-h264.c
+@@ -1015,8 +1015,9 @@ static int rkvdec_h264_adjust_fmt(struct
+       struct v4l2_pix_format_mplane *fmt = &f->fmt.pix_mp;
+       fmt->num_planes = 1;
+-      fmt->plane_fmt[0].sizeimage = fmt->width * fmt->height *
+-                                    RKVDEC_H264_MAX_DEPTH_IN_BYTES;
++      if (!fmt->plane_fmt[0].sizeimage)
++              fmt->plane_fmt[0].sizeimage = fmt->width * fmt->height *
++                                            RKVDEC_H264_MAX_DEPTH_IN_BYTES;
+       return 0;
+ }
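Review bot: With this change a non-zero sizeimage supplied by userspace is accepted as-is, so the driver no longer guarantees that an OUTPUT buffer is at least `width * height * RKVDEC_H264_MAX_DEPTH_IN_BYTES`. That is the intended behaviour and matches the drivers named in the message, but it stays safe only if the decode path programs the hardware from the buffer's bytesused/length rather than from a size derived from width and height — the run path is not in this hunk, so that is an assumption to confirm. A comment on the new `if`, e.g. `/* honour a user-requested sizeimage; only supply a default when none was given */`, would record the intent so the override is not reintroduced. rkvdec_h264_adjust_fmt starts outside the hunk.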
diff --git a/queue-5.15/media-rkvdec-support-dynamic-resolution-changes.patch b/queue-5.15/media-rkvdec-support-dynamic-resolution-changes.patch
new file mode 100644 (file)
index 0000000..ed5f73e
--- /dev/null
@@ -0,0 +1,107 @@
+From 0887e9e152efbd3601d6c907e90033d25067277d Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wenst@chromium.org>
+Date: Fri, 8 Oct 2021 11:04:23 +0100
+Subject: media: rkvdec: Support dynamic resolution changes
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+commit 0887e9e152efbd3601d6c907e90033d25067277d upstream.
+
+The mem-to-mem stateless decoder API specifies support for dynamic
+resolution changes. In particular, the decoder should accept format
+changes on the OUTPUT queue even when buffers have been allocated,
+as long as it is not streaming.
+
+Relax restrictions for S_FMT as described in the previous paragraph,
+and as long as the codec format remains the same. This aligns it with
+the Hantro and Cedrus decoders. This change was mostly based on commit
+ae02d49493b5 ("media: hantro: Fix s_fmt for dynamic resolution changes").
+
+Since rkvdec_s_fmt() is now just a wrapper around the output/capture
+variants without any additional shared functionality, drop the wrapper
+and call the respective functions directly.
+
+Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/rkvdec/rkvdec.c |   40 +++++++++++++++++-----------------
+ 1 file changed, 20 insertions(+), 20 deletions(-)
+
+--- a/drivers/staging/media/rkvdec/rkvdec.c
++++ b/drivers/staging/media/rkvdec/rkvdec.c
+@@ -280,31 +280,20 @@ static int rkvdec_try_output_fmt(struct
+       return 0;
+ }
+-static int rkvdec_s_fmt(struct file *file, void *priv,
+-                      struct v4l2_format *f,
+-                      int (*try_fmt)(struct file *, void *,
+-                                     struct v4l2_format *))
++static int rkvdec_s_capture_fmt(struct file *file, void *priv,
++                              struct v4l2_format *f)
+ {
+       struct rkvdec_ctx *ctx = fh_to_rkvdec_ctx(priv);
+       struct vb2_queue *vq;
++      int ret;
+-      if (!try_fmt)
+-              return -EINVAL;
+-
+-      vq = v4l2_m2m_get_vq(ctx->fh.m2m_ctx, f->type);
++      /* Change not allowed if queue is busy */
++      vq = v4l2_m2m_get_vq(ctx->fh.m2m_ctx,
++                           V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE);
+       if (vb2_is_busy(vq))
+               return -EBUSY;
+-      return try_fmt(file, priv, f);
+-}
+-
+-static int rkvdec_s_capture_fmt(struct file *file, void *priv,
+-                              struct v4l2_format *f)
+-{
+-      struct rkvdec_ctx *ctx = fh_to_rkvdec_ctx(priv);
+-      int ret;
+-
+-      ret = rkvdec_s_fmt(file, priv, f, rkvdec_try_capture_fmt);
++      ret = rkvdec_try_capture_fmt(file, priv, f);
+       if (ret)
+               return ret;
+@@ -319,10 +308,21 @@ static int rkvdec_s_output_fmt(struct fi
+       struct v4l2_m2m_ctx *m2m_ctx = ctx->fh.m2m_ctx;
+       const struct rkvdec_coded_fmt_desc *desc;
+       struct v4l2_format *cap_fmt;
+-      struct vb2_queue *peer_vq;
++      struct vb2_queue *peer_vq, *vq;
+       int ret;
+       /*
++       * In order to support dynamic resolution change, the decoder admits
++       * a resolution change, as long as the pixelformat remains. Can't be
++       * done if streaming.
++       */
++      vq = v4l2_m2m_get_vq(m2m_ctx, V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE);
++      if (vb2_is_streaming(vq) ||
++          (vb2_is_busy(vq) &&
++           f->fmt.pix_mp.pixelformat != ctx->coded_fmt.fmt.pix_mp.pixelformat))
++              return -EBUSY;
++
++      /*
+        * Since format change on the OUTPUT queue will reset the CAPTURE
+        * queue, we can't allow doing so when the CAPTURE queue has buffers
+        * allocated.
+@@ -331,7 +331,7 @@ static int rkvdec_s_output_fmt(struct fi
+       if (vb2_is_busy(peer_vq))
+               return -EBUSY;
+-      ret = rkvdec_s_fmt(file, priv, f, rkvdec_try_output_fmt);
++      ret = rkvdec_try_output_fmt(file, priv, f);
+       if (ret)
+               return ret;
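Review bot: The new busy-queue check in rkvdec_s_output_fmt compares `f->fmt.pix_mp.pixelformat` with the current coded format before rkvdec_try_output_fmt() has run, so an unsupported fourcc on an allocated-but-idle queue is refused with -EBUSY rather than being normalised to a default the way try_fmt presumably does on a free queue. That is probably acceptable, but it is a behavioural asymmetry worth one line in the new comment, e.g. `* Compared before try_fmt normalises pixelformat: an unknown fourcc is rejected here rather than coerced.`. The `/* Change not allowed if queue is busy */` comment in rkvdec_s_capture_fmt and the longer one here now describe different policies for the two queues, which is intentional but could be stated. rkvdec_s_output_fmt continues past the end of the hunk.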
diff --git a/queue-5.15/media-v4l2-ioctl-fix-check_ext_ctrls.patch b/queue-5.15/media-v4l2-ioctl-fix-check_ext_ctrls.patch
new file mode 100644 (file)
index 0000000..db3e2d8
--- /dev/null
@@ -0,0 +1,162 @@
+From 861f92cb9160b14beef0ada047384c2340701ee2 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Fri, 18 Jun 2021 14:29:03 +0200
+Subject: media: v4l2-ioctl: Fix check_ext_ctrls
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit 861f92cb9160b14beef0ada047384c2340701ee2 upstream.
+
+Drivers that do not use the ctrl-framework use this function instead.
+
+Fix the following issues:
+
+- Do not check for multiple classes when getting the DEF_VAL.
+- Return -EINVAL for request_api calls
+- Default value cannot be changed, return EINVAL as soon as possible.
+- Return the right error_idx
+[If an error is found when validating the list of controls passed with
+VIDIOC_G_EXT_CTRLS, then error_idx shall be set to ctrls->count to
+indicate to userspace that no actual hardware was touched.
+It would have been much nicer of course if error_idx could point to the
+control index that failed the validation, but sadly that's not how the
+API was designed.]
+
+Fixes v4l2-compliance:
+Control ioctls (Input 0):
+        warn: v4l2-test-controls.cpp(834): error_idx should be equal to count
+        warn: v4l2-test-controls.cpp(855): error_idx should be equal to count
+               fail: v4l2-test-controls.cpp(813): doioctl(node, VIDIOC_G_EXT_CTRLS, &ctrls)
+       test VIDIOC_G/S/TRY_EXT_CTRLS: FAIL
+Buffer ioctls (Input 0):
+               fail: v4l2-test-buffers.cpp(1994): ret != EINVAL && ret != EBADR && ret != ENOTTY
+       test Requests: FAIL
+
+Cc: stable@vger.kernel.org
+Fixes: 6fa6f831f095 ("media: v4l2-ctrls: add core request support")
+Suggested-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reviewed-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-ioctl.c |   60 ++++++++++++++++++++++-------------
+ 1 file changed, 39 insertions(+), 21 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-ioctl.c
++++ b/drivers/media/v4l2-core/v4l2-ioctl.c
+@@ -869,7 +869,7 @@ static void v4l_print_default(const void
+       pr_cont("driver-specific ioctl\n");
+ }
+-static int check_ext_ctrls(struct v4l2_ext_controls *c, int allow_priv)
++static bool check_ext_ctrls(struct v4l2_ext_controls *c, unsigned long ioctl)
+ {
+       __u32 i;
+@@ -878,23 +878,41 @@ static int check_ext_ctrls(struct v4l2_e
+       for (i = 0; i < c->count; i++)
+               c->controls[i].reserved2[0] = 0;
+-      /* V4L2_CID_PRIVATE_BASE cannot be used as control class
+-         when using extended controls.
+-         Only when passed in through VIDIOC_G_CTRL and VIDIOC_S_CTRL
+-         is it allowed for backwards compatibility.
+-       */
+-      if (!allow_priv && c->which == V4L2_CID_PRIVATE_BASE)
+-              return 0;
+-      if (!c->which)
+-              return 1;
++      switch (c->which) {
++      case V4L2_CID_PRIVATE_BASE:
++              /*
++               * V4L2_CID_PRIVATE_BASE cannot be used as control class
++               * when using extended controls.
++               * Only when passed in through VIDIOC_G_CTRL and VIDIOC_S_CTRL
++               * is it allowed for backwards compatibility.
++               */
++              if (ioctl == VIDIOC_G_CTRL || ioctl == VIDIOC_S_CTRL)
++                      return false;
++              break;
++      case V4L2_CTRL_WHICH_DEF_VAL:
++              /* Default value cannot be changed */
++              if (ioctl == VIDIOC_S_EXT_CTRLS ||
++                  ioctl == VIDIOC_TRY_EXT_CTRLS) {
++                      c->error_idx = c->count;
++                      return false;
++              }
++              return true;
++      case V4L2_CTRL_WHICH_CUR_VAL:
++              return true;
++      case V4L2_CTRL_WHICH_REQUEST_VAL:
++              c->error_idx = c->count;
++              return false;
++      }
++
+       /* Check that all controls are from the same control class. */
+       for (i = 0; i < c->count; i++) {
+               if (V4L2_CTRL_ID2WHICH(c->controls[i].id) != c->which) {
+-                      c->error_idx = i;
+-                      return 0;
++                      c->error_idx = ioctl == VIDIOC_TRY_EXT_CTRLS ? i :
++                                                                    c->count;
++                      return false;
+               }
+       }
+-      return 1;
++      return true;
+ }
+ static int check_fmt(struct file *file, enum v4l2_buf_type type)
+@@ -2187,7 +2205,7 @@ static int v4l_g_ctrl(const struct v4l2_
+       ctrls.controls = &ctrl;
+       ctrl.id = p->id;
+       ctrl.value = p->value;
+-      if (check_ext_ctrls(&ctrls, 1)) {
++      if (check_ext_ctrls(&ctrls, VIDIOC_G_CTRL)) {
+               int ret = ops->vidioc_g_ext_ctrls(file, fh, &ctrls);
+               if (ret == 0)
+@@ -2221,7 +2239,7 @@ static int v4l_s_ctrl(const struct v4l2_
+       ctrls.controls = &ctrl;
+       ctrl.id = p->id;
+       ctrl.value = p->value;
+-      if (check_ext_ctrls(&ctrls, 1))
++      if (check_ext_ctrls(&ctrls, VIDIOC_S_CTRL))
+               return ops->vidioc_s_ext_ctrls(file, fh, &ctrls);
+       return -EINVAL;
+ }
+@@ -2243,8 +2261,8 @@ static int v4l_g_ext_ctrls(const struct
+                                       vfd, vfd->v4l2_dev->mdev, p);
+       if (ops->vidioc_g_ext_ctrls == NULL)
+               return -ENOTTY;
+-      return check_ext_ctrls(p, 0) ? ops->vidioc_g_ext_ctrls(file, fh, p) :
+-                                      -EINVAL;
++      return check_ext_ctrls(p, VIDIOC_G_EXT_CTRLS) ?
++                              ops->vidioc_g_ext_ctrls(file, fh, p) : -EINVAL;
+ }
+ static int v4l_s_ext_ctrls(const struct v4l2_ioctl_ops *ops,
+@@ -2264,8 +2282,8 @@ static int v4l_s_ext_ctrls(const struct
+                                       vfd, vfd->v4l2_dev->mdev, p);
+       if (ops->vidioc_s_ext_ctrls == NULL)
+               return -ENOTTY;
+-      return check_ext_ctrls(p, 0) ? ops->vidioc_s_ext_ctrls(file, fh, p) :
+-                                      -EINVAL;
++      return check_ext_ctrls(p, VIDIOC_S_EXT_CTRLS) ?
++                              ops->vidioc_s_ext_ctrls(file, fh, p) : -EINVAL;
+ }
+ static int v4l_try_ext_ctrls(const struct v4l2_ioctl_ops *ops,
+@@ -2285,8 +2303,8 @@ static int v4l_try_ext_ctrls(const struc
+                                         vfd, vfd->v4l2_dev->mdev, p);
+       if (ops->vidioc_try_ext_ctrls == NULL)
+               return -ENOTTY;
+-      return check_ext_ctrls(p, 0) ? ops->vidioc_try_ext_ctrls(file, fh, p) :
+-                                      -EINVAL;
++      return check_ext_ctrls(p, VIDIOC_TRY_EXT_CTRLS) ?
++                      ops->vidioc_try_ext_ctrls(file, fh, p) : -EINVAL;
+ }
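Review bot: The V4L2_CID_PRIVATE_BASE case appears inverted relative to both its own comment and the code it replaces: the comment says the private base is allowed only through VIDIOC_G_CTRL/VIDIOC_S_CTRL, and the removed `if (!allow_priv && c->which == V4L2_CID_PRIVATE_BASE) return 0;` rejected it only for the ext-ctrl ioctls, yet the new line returns false exactly when `ioctl == VIDIOC_G_CTRL || ioctl == VIDIOC_S_CTRL`. Unless the intent changed and the comment is stale, the test should read `if (ioctl != VIDIOC_G_CTRL && ioctl != VIDIOC_S_CTRL) { c->error_idx = c->count; return false; }`, which also sets error_idx the way the other rejections in this switch do. Separately, the switch has no `default:`; a `default: /* a control class; verified against each control below */ break;` would record that falling through to the per-control class check is intended for class values. The later hunks only change what the callers pass as the ioctl number, so this is the hunk to fix.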
+ /*
diff --git a/queue-5.15/mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch b/queue-5.15/mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch
new file mode 100644 (file)
index 0000000..616cd73
--- /dev/null
@@ -0,0 +1,45 @@
+From 43592c8736e84025d7a45e61a46c3fa40536a364 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20L=C3=B6hle?= <CLoehle@hyperstone.com>
+Date: Thu, 16 Sep 2021 05:59:19 +0000
+Subject: mmc: dw_mmc: Dont wait for DRTO on Write RSP error
+
+From: Christian Löhle <CLoehle@hyperstone.com>
+
+commit 43592c8736e84025d7a45e61a46c3fa40536a364 upstream.
+
+Only wait for DRTO on reads, otherwise the driver hangs.
+
+The driver prevents sending CMD12 on response errors like CRCs. According
+to the comment this is because some cards have problems with this during
+the UHS tuning sequence. Unfortunately this workaround currently also
+applies for any command with data. On reads this will set the drto timer,
+which then triggers after a while. On writes this will not set any timer
+and the tasklet will not be scheduled again.
+
+I cannot test for the UHS workarounds need, but even if so, it should at
+most apply to reads. I have observed many hangs when CMD25 response
+contained a CRC error. This patch fixes this without touching the actual
+UHS tuning workaround.
+
+Signed-off-by: Christian Loehle <cloehle@hyperstone.com>
+Reviewed-by: Jaehoon Chung <jh80.chung@samsung.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/af8f8b8674ba4fcc9a781019e4aeb72c@hyperstone.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/dw_mmc.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/dw_mmc.c
++++ b/drivers/mmc/host/dw_mmc.c
+@@ -2086,7 +2086,8 @@ static void dw_mci_tasklet_func(struct t
+                                * delayed. Allowing the transfer to take place
+                                * avoids races and keeps things simple.
+                                */
+-                              if (err != -ETIMEDOUT) {
++                              if (err != -ETIMEDOUT &&
++                                  host->dir_status == DW_MCI_RECV_STATUS) {
+                                       state = STATE_SENDING_DATA;
+                                       continue;
+                               }
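Review bot: The comment block that ends at the top of the hunk explains only the `err != -ETIMEDOUT` half of the condition; the new `host->dir_status == DW_MCI_RECV_STATUS` clause, which is the actual fix, is left unexplained at the point where the next reader meets it. Extending that comment with the reasoning from the commit message — e.g. `* Only let a read proceed to STATE_SENDING_DATA: a read arms the DRTO timer, a write would never reschedule the tasklet.` — keeps the two conditions from being merged back together later. dw_mci_tasklet_func and the comment both start outside the hunk.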
diff --git a/queue-5.15/mmc-mtk-sd-add-wait-dma-stop-done-flow.patch b/queue-5.15/mmc-mtk-sd-add-wait-dma-stop-done-flow.patch
new file mode 100644 (file)
index 0000000..246cc7b
--- /dev/null
@@ -0,0 +1,54 @@
+From 43e5fee317f4b0a48992b8b07935b1a3ac20ce84 Mon Sep 17 00:00:00 2001
+From: Derong Liu <derong.liu@mediatek.com>
+Date: Fri, 27 Aug 2021 15:15:37 +0800
+Subject: mmc: mtk-sd: Add wait dma stop done flow
+
+From: Derong Liu <derong.liu@mediatek.com>
+
+commit 43e5fee317f4b0a48992b8b07935b1a3ac20ce84 upstream.
+
+We found this issue on a 5G platform, during CMDQ error handling, if DMA
+status is active when it call msdc_reset_hw(), it means mmc host hw reset
+and DMA transfer will be parallel, mmc host may access sram region
+unexpectedly. According to the programming guide of mtk-sd host, it needs
+to wait for dma stop done after set dma stop.
+
+This change should be applied to all SoCs.
+
+Signed-off-by: Derong Liu <derong.liu@mediatek.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210827071537.1034-1-derong.liu@mediatek.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mtk-sd.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -8,6 +8,7 @@
+ #include <linux/clk.h>
+ #include <linux/delay.h>
+ #include <linux/dma-mapping.h>
++#include <linux/iopoll.h>
+ #include <linux/ioport.h>
+ #include <linux/irq.h>
+ #include <linux/of_address.h>
+@@ -2330,6 +2331,7 @@ static void msdc_cqe_enable(struct mmc_h
+ static void msdc_cqe_disable(struct mmc_host *mmc, bool recovery)
+ {
+       struct msdc_host *host = mmc_priv(mmc);
++      unsigned int val = 0;
+       /* disable cmdq irq */
+       sdr_clr_bits(host->base + MSDC_INTEN, MSDC_INT_CMDQ);
+@@ -2339,6 +2341,9 @@ static void msdc_cqe_disable(struct mmc_
+       if (recovery) {
+               sdr_set_field(host->base + MSDC_DMA_CTRL,
+                             MSDC_DMA_CTRL_STOP, 1);
++              if (WARN_ON(readl_poll_timeout(host->base + MSDC_DMA_CFG, val,
++                      !(val & MSDC_DMA_CFG_STS), 1, 3000)))
++                      return;
+               msdc_reset_hw(host);
+       }
+ }
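Review bot: The early `return` taken when `WARN_ON(readl_poll_timeout(...))` fires skips `msdc_reset_hw()`, and nothing in the code says that leaving the host un-reset is the intended outcome; the reasoning is only in the commit log. A comment above the `return`, such as `/* DMA still active after 3 ms: resetting the host now would race with the running transfer, so leave the reset undone and rely on the WARN for diagnosis */`, would keep the next maintainer from "fixing" it by dropping the return. The `1`/`3000` poll arguments are bare magic numbers; a named constant like `MSDC_DMA_STOP_TIMEOUT_US` alongside the other MSDC_* definitions would make the bound searchable. The `unsigned int val = 0;` initialiser is harmless but looks unnecessary, since `readl_poll_timeout()` stores into `val` before the condition is evaluated — worth confirming against the macro.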
diff --git a/queue-5.15/parisc-fix-ptrace-check-on-syscall-return.patch b/queue-5.15/parisc-fix-ptrace-check-on-syscall-return.patch
new file mode 100644 (file)
index 0000000..274c593
--- /dev/null
@@ -0,0 +1,36 @@
+From 8779e05ba8aaffec1829872ef9774a71f44f6580 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Tue, 5 Oct 2021 00:27:49 +0200
+Subject: parisc: Fix ptrace check on syscall return
+
+From: Helge Deller <deller@gmx.de>
+
+commit 8779e05ba8aaffec1829872ef9774a71f44f6580 upstream.
+
+The TIF_XXX flags are stored in the flags field in the thread_info
+struct (TI_FLAGS), not in the flags field of the task_struct structure
+(TASK_FLAGS).
+
+It seems this bug didn't generate any important side-effects, otherwise it
+wouldn't have went unnoticed for 12 years (since v2.6.32).
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Fixes: ecd3d4bc06e48 ("parisc: stop using task->ptrace for {single,block}step flags")
+Cc: Kyle McMartin <kyle@mcmartin.ca>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/entry.S |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/kernel/entry.S
++++ b/arch/parisc/kernel/entry.S
+@@ -1834,7 +1834,7 @@ syscall_restore:
+       LDREG   TI_TASK-THREAD_SZ_ALGN-FRAME_SIZE(%r30),%r1
+       /* Are we being ptraced? */
+-      ldw     TASK_FLAGS(%r1),%r19
++      LDREG   TI_FLAGS-THREAD_SZ_ALGN-FRAME_SIZE(%r30),%r19
+       ldi     _TIF_SYSCALL_TRACE_MASK,%r2
+       and,COND(=)     %r19,%r2,%r0
+       b,n     syscall_restore_rfi
diff --git a/queue-5.15/parisc-fix-set_fixmap-on-pa1.x-cpus.patch b/queue-5.15/parisc-fix-set_fixmap-on-pa1.x-cpus.patch
new file mode 100644 (file)
index 0000000..c130937
--- /dev/null
@@ -0,0 +1,37 @@
+From 6e866a462867b60841202e900f10936a0478608c Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sun, 31 Oct 2021 21:58:12 +0100
+Subject: parisc: Fix set_fixmap() on PA1.x CPUs
+
+From: Helge Deller <deller@gmx.de>
+
+commit 6e866a462867b60841202e900f10936a0478608c upstream.
+
+Fix a kernel crash which happens on PA1.x CPUs while initializing the
+FTRACE/KPROBE breakpoints.  The PTE table entries for the fixmap area
+were not created correctly.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Fixes: ccfbc68d41c2 ("parisc: add set_fixmap()/clear_fixmap()")
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/mm/fixmap.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/arch/parisc/mm/fixmap.c
++++ b/arch/parisc/mm/fixmap.c
+@@ -20,12 +20,9 @@ void notrace set_fixmap(enum fixed_addre
+       pte_t *pte;
+       if (pmd_none(*pmd))
+-              pmd = pmd_alloc(NULL, pud, vaddr);
+-
+-      pte = pte_offset_kernel(pmd, vaddr);
+-      if (pte_none(*pte))
+               pte = pte_alloc_kernel(pmd, vaddr);
++      pte = pte_offset_kernel(pmd, vaddr);
+       set_pte_at(&init_mm, vaddr, pte, __mk_pte(phys, PAGE_KERNEL_RWX));
+       flush_tlb_kernel_range(vaddr, vaddr + PAGE_SIZE);
+ }
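Review bot: The value returned by `pte_alloc_kernel()` is assigned to `pte` and immediately overwritten by `pte = pte_offset_kernel(pmd, vaddr);`, so its NULL-on-failure return is never examined and `set_pte_at()` would proceed on a table that was never allocated; the pre-patch code had the same gap and this change does not address it. Since `set_fixmap()` returns void, the smallest fix is to check the allocation and bail: `if (pmd_none(*pmd) && WARN_ON(!pte_alloc_kernel(pmd, vaddr)))` / `return;`, keeping the existing `pte = pte_offset_kernel(pmd, vaddr);` after it. The function's signature and the `pmd` lookup sit above the hunk, so whether an allocation failure is recoverable at all at this point of early init cannot be judged from here — but a WARN and an untouched mapping are still preferable to writing through a bogus pte pointer.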
index 645d5a94550b50ad5ebc33ab93ad9b8aa51c3ba9..f829e0b239f9b760c8fc1178e80773f6e57f7cd7 100644 (file)
@@ -15,3 +15,17 @@ scsi-qla2xxx-fix-kernel-crash-when-accessing-port_speed-sysfs-file.patch
 scsi-qla2xxx-fix-use-after-free-in-eh_abort-path.patch
 ce-gf100-fix-incorrect-ce0-address-calculation-on-some-gpus.patch
 char-xillybus-fix-msg_ep-uaf-in-xillyusb_probe.patch
+mmc-mtk-sd-add-wait-dma-stop-done-flow.patch
+mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch
+exfat-fix-incorrect-loading-of-i_blocks-for-large-files.patch
+io-wq-remove-worker-to-owner-tw-dependency.patch
+parisc-fix-set_fixmap-on-pa1.x-cpus.patch
+parisc-fix-ptrace-check-on-syscall-return.patch
+tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch
+firmware-psci-fix-application-of-sizeof-to-pointer.patch
+crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch
+media-rkvdec-do-not-override-sizeimage-for-output-format.patch
+media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch
+media-rkvdec-support-dynamic-resolution-changes.patch
+media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch
+media-v4l2-ioctl-fix-check_ext_ctrls.patch
diff --git a/queue-5.15/tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch b/queue-5.15/tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch
new file mode 100644 (file)
index 0000000..98f74ee
--- /dev/null
@@ -0,0 +1,34 @@
+From a0bcce2b2a169e10eb265c8f0ebdd5ae4c875670 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 8 Sep 2021 08:33:57 +0300
+Subject: tpm: Check for integer overflow in tpm2_map_response_body()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit a0bcce2b2a169e10eb265c8f0ebdd5ae4c875670 upstream.
+
+The "4 * be32_to_cpu(data->count)" multiplication can potentially
+overflow which would lead to memory corruption.  Add a check for that.
+
+Cc: stable@vger.kernel.org
+Fixes: 745b361e989a ("tpm: infrastructure for TPM spaces")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/tpm2-space.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/char/tpm/tpm2-space.c
++++ b/drivers/char/tpm/tpm2-space.c
+@@ -455,6 +455,9 @@ static int tpm2_map_response_body(struct
+       if (be32_to_cpu(data->capability) != TPM2_CAP_HANDLES)
+               return 0;
++      if (be32_to_cpu(data->count) > (UINT_MAX - TPM_HEADER_SIZE - 9) / 4)
++              return -EFAULT;
++
+       if (len != TPM_HEADER_SIZE + 9 + 4 * be32_to_cpu(data->count))
+               return -EFAULT;
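Review bot: The new bound `(UINT_MAX - TPM_HEADER_SIZE - 9) / 4` restates the constants of the length equation on the following line, but nothing records why `UINT_MAX` is the limit or how the two lines relate, so they can silently drift apart if either is edited. A comment above the check, such as `/* bound count so that TPM_HEADER_SIZE + 9 + 4 * count, computed in 32-bit below, cannot wrap */`, would tie them together. Giving the `9` and `4` names (presumably the fixed bytes before the per-handle entries and the per-handle size — confirm against the response layout) and using them in both expressions would remove the duplication entirely. The function continues past the hunk, so any later use of `count` is not visible here.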