From 410cad6dedf20a424c0a440be5211dbe60517b79 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 13 Nov 2021 12:46:43 +0100 Subject: [PATCH] 5.14-stable patches added patches: crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch exfat-fix-incorrect-loading-of-i_blocks-for-large-files.patch firmware-psci-fix-application-of-sizeof-to-pointer.patch media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch media-rkvdec-do-not-override-sizeimage-for-output-format.patch media-rkvdec-support-dynamic-resolution-changes.patch media-v4l2-ioctl-fix-check_ext_ctrls.patch mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch mmc-mtk-sd-add-wait-dma-stop-done-flow.patch parisc-fix-ptrace-check-on-syscall-return.patch parisc-fix-set_fixmap-on-pa1.x-cpus.patch tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch --- ...-add-error-handling-in-s5p_aes_probe.patch | 33 ++++ ...-loading-of-i_blocks-for-large-files.patch | 34 ++++ ...fix-application-of-sizeof-to-pointer.patch | 39 +++++ ...iveness-of-hauppauge-zilog-receivers.patch | 40 +++++ ...-stop-working-after-receive-overflow.patch | 36 ++++ ...override-sizeimage-for-output-format.patch | 43 +++++ ...c-support-dynamic-resolution-changes.patch | 107 ++++++++++++ ...media-v4l2-ioctl-fix-check_ext_ctrls.patch | 162 ++++++++++++++++++ ...ont-wait-for-drto-on-write-rsp-error.patch | 45 +++++ ...c-mtk-sd-add-wait-dma-stop-done-flow.patch | 54 ++++++ ...c-fix-ptrace-check-on-syscall-return.patch | 36 ++++ .../parisc-fix-set_fixmap-on-pa1.x-cpus.patch | 37 ++++ queue-5.14/series | 13 ++ ...r-overflow-in-tpm2_map_response_body.patch | 34 ++++ 14 files changed, 713 insertions(+) create mode 100644 queue-5.14/crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch create mode 100644 queue-5.14/exfat-fix-incorrect-loading-of-i_blocks-for-large-files.patch create mode 100644 queue-5.14/firmware-psci-fix-application-of-sizeof-to-pointer.patch create mode 100644 queue-5.14/media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch create mode 100644 queue-5.14/media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch create mode 100644 queue-5.14/media-rkvdec-do-not-override-sizeimage-for-output-format.patch create mode 100644 queue-5.14/media-rkvdec-support-dynamic-resolution-changes.patch create mode 100644 queue-5.14/media-v4l2-ioctl-fix-check_ext_ctrls.patch create mode 100644 queue-5.14/mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch create mode 100644 queue-5.14/mmc-mtk-sd-add-wait-dma-stop-done-flow.patch create mode 100644 queue-5.14/parisc-fix-ptrace-check-on-syscall-return.patch create mode 100644 queue-5.14/parisc-fix-set_fixmap-on-pa1.x-cpus.patch create mode 100644 queue-5.14/tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch diff --git a/queue-5.14/crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch b/queue-5.14/crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch new file mode 100644 index 00000000000..5d9a9522b92 --- /dev/null +++ b/queue-5.14/crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch @@ -0,0 +1,33 @@ +From a472cc0dde3eb057db71c80f102556eeced03805 Mon Sep 17 00:00:00 2001 +From: Tang Bin +Date: Thu, 21 Oct 2021 09:34:22 +0800 +Subject: crypto: s5p-sss - Add error handling in s5p_aes_probe() + +From: Tang Bin + +commit a472cc0dde3eb057db71c80f102556eeced03805 upstream. + +The function s5p_aes_probe() does not perform sufficient error +checking after executing platform_get_resource(), thus fix it. + +Fixes: c2afad6c6105 ("crypto: s5p-sss - Add HASH support for Exynos") +Cc: +Signed-off-by: Tang Bin +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/s5p-sss.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/crypto/s5p-sss.c ++++ b/drivers/crypto/s5p-sss.c +@@ -2171,6 +2171,8 @@ static int s5p_aes_probe(struct platform + + variant = find_s5p_sss_version(pdev); + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (!res) ++ return -EINVAL; + + /* + * Note: HASH and PRNG uses the same registers in secss, avoid diff --git a/queue-5.14/exfat-fix-incorrect-loading-of-i_blocks-for-large-files.patch b/queue-5.14/exfat-fix-incorrect-loading-of-i_blocks-for-large-files.patch new file mode 100644 index 00000000000..347cacf73fc --- /dev/null +++ b/queue-5.14/exfat-fix-incorrect-loading-of-i_blocks-for-large-files.patch @@ -0,0 +1,34 @@ +From 0c336d6e33f4bedc443404c89f43c91c8bd9ee11 Mon Sep 17 00:00:00 2001 +From: Sungjong Seo +Date: Tue, 19 Oct 2021 15:14:21 +0900 +Subject: exfat: fix incorrect loading of i_blocks for large files + +From: Sungjong Seo + +commit 0c336d6e33f4bedc443404c89f43c91c8bd9ee11 upstream. + +When calculating i_blocks, there was a mistake that was masked with a +32-bit variable. So i_blocks for files larger than 4 GiB had incorrect +values. Mask with a 64-bit variable instead of 32-bit one. + +Fixes: 5f2aa075070c ("exfat: add inode operations") +Cc: stable@vger.kernel.org # v5.7+ +Reported-by: Ganapathi Kamath +Signed-off-by: Sungjong Seo +Signed-off-by: Namjae Jeon +Signed-off-by: Greg Kroah-Hartman +--- + fs/exfat/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/exfat/inode.c ++++ b/fs/exfat/inode.c +@@ -604,7 +604,7 @@ static int exfat_fill_inode(struct inode + exfat_save_attr(inode, info->attr); + + inode->i_blocks = ((i_size_read(inode) + (sbi->cluster_size - 1)) & +- ~(sbi->cluster_size - 1)) >> inode->i_blkbits; ++ ~((loff_t)sbi->cluster_size - 1)) >> inode->i_blkbits; + inode->i_mtime = info->mtime; + inode->i_ctime = info->mtime; + ei->i_crtime = info->crtime; diff --git a/queue-5.14/firmware-psci-fix-application-of-sizeof-to-pointer.patch b/queue-5.14/firmware-psci-fix-application-of-sizeof-to-pointer.patch new file mode 100644 index 00000000000..65b9d12836d --- /dev/null +++ b/queue-5.14/firmware-psci-fix-application-of-sizeof-to-pointer.patch @@ -0,0 +1,39 @@ +From 2ac5fb35cd520ab1851c9a4816c523b65276052f Mon Sep 17 00:00:00 2001 +From: jing yangyang +Date: Thu, 19 Aug 2021 19:30:16 -0700 +Subject: firmware/psci: fix application of sizeof to pointer + +From: jing yangyang + +commit 2ac5fb35cd520ab1851c9a4816c523b65276052f upstream. + +sizeof when applied to a pointer typed expression gives the size of +the pointer. + +./drivers/firmware/psci/psci_checker.c:158:41-47: ERROR application of sizeof to pointer + +This issue was detected with the help of Coccinelle. + +Fixes: 7401056de5f8 ("drivers/firmware: psci_checker: stash and use topology_core_cpumask for hotplug tests") +Cc: stable@vger.kernel.org +Reported-by: Zeal Robot +Acked-by: Mark Rutland +Reviewed-by: Gustavo A. R. Silva +Signed-off-by: jing yangyang +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/psci/psci_checker.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/firmware/psci/psci_checker.c ++++ b/drivers/firmware/psci/psci_checker.c +@@ -155,7 +155,7 @@ static int alloc_init_cpu_groups(cpumask + if (!alloc_cpumask_var(&tmp, GFP_KERNEL)) + return -ENOMEM; + +- cpu_groups = kcalloc(nb_available_cpus, sizeof(cpu_groups), ++ cpu_groups = kcalloc(nb_available_cpus, sizeof(*cpu_groups), + GFP_KERNEL); + if (!cpu_groups) { + free_cpumask_var(tmp); diff --git a/queue-5.14/media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch b/queue-5.14/media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch new file mode 100644 index 00000000000..4fd79235fc8 --- /dev/null +++ b/queue-5.14/media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch @@ -0,0 +1,40 @@ +From c73ba202a851c0b611ef2c25e568fadeff5e667f Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Wed, 15 Sep 2021 18:14:07 +0200 +Subject: media: ir-kbd-i2c: improve responsiveness of hauppauge zilog receivers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Young + +commit c73ba202a851c0b611ef2c25e568fadeff5e667f upstream. + +The IR receiver has two issues: + + - Sometimes there is no response to a button press + - Sometimes a button press is repeated when it should not have been + +Hanging the polling interval fixes this behaviour. + +Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994050 + +Cc: stable@vger.kernel.org +Suggested-by: Joaquín Alberto Calderón Pozo +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ir-kbd-i2c.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/i2c/ir-kbd-i2c.c ++++ b/drivers/media/i2c/ir-kbd-i2c.c +@@ -791,6 +791,7 @@ static int ir_probe(struct i2c_client *c + rc_proto = RC_PROTO_BIT_RC5 | RC_PROTO_BIT_RC6_MCE | + RC_PROTO_BIT_RC6_6A_32; + ir_codes = RC_MAP_HAUPPAUGE; ++ ir->polling_interval = 125; + probe_tx = true; + break; + } diff --git a/queue-5.14/media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch b/queue-5.14/media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch new file mode 100644 index 00000000000..77f4020d213 --- /dev/null +++ b/queue-5.14/media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch @@ -0,0 +1,36 @@ +From fdc881783099c6343921ff017450831c8766d12a Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Sun, 17 Oct 2021 13:01:15 +0100 +Subject: media: ite-cir: IR receiver stop working after receive overflow + +From: Sean Young + +commit fdc881783099c6343921ff017450831c8766d12a upstream. + +On an Intel NUC6iSYK, no IR is reported after a receive overflow. + +When a receiver overflow occurs, this condition is only cleared by +reading the fifo. Make sure we read anything in the fifo. + +Fixes: 28c7afb07ccf ("media: ite-cir: check for receive overflow") +Suggested-by: Bryan Pass +Tested-by: Bryan Pass +Cc: stable@vger.kernel.org> +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/ite-cir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/rc/ite-cir.c ++++ b/drivers/media/rc/ite-cir.c +@@ -242,7 +242,7 @@ static irqreturn_t ite_cir_isr(int irq, + } + + /* check for the receive interrupt */ +- if (iflags & ITE_IRQ_RX_FIFO) { ++ if (iflags & (ITE_IRQ_RX_FIFO | ITE_IRQ_RX_FIFO_OVERRUN)) { + /* read the FIFO bytes */ + rx_bytes = dev->params->get_rx_bytes(dev, rx_buf, + ITE_RX_FIFO_LEN); diff --git a/queue-5.14/media-rkvdec-do-not-override-sizeimage-for-output-format.patch b/queue-5.14/media-rkvdec-do-not-override-sizeimage-for-output-format.patch new file mode 100644 index 00000000000..297dffb9898 --- /dev/null +++ b/queue-5.14/media-rkvdec-do-not-override-sizeimage-for-output-format.patch @@ -0,0 +1,43 @@ +From 298d8e8f7bcf023aceb60232d59b983255fec0df Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Fri, 8 Oct 2021 11:04:22 +0100 +Subject: media: rkvdec: Do not override sizeimage for output format + +From: Chen-Yu Tsai + +commit 298d8e8f7bcf023aceb60232d59b983255fec0df upstream. + +The rkvdec H.264 decoder currently overrides sizeimage for the output +format. This causes issues when userspace requires and requests a larger +buffer, but ends up with one of insufficient size. + +Instead, only provide a default size if none was requested. This fixes +the video_decode_accelerator_tests from Chromium failing on the first +frame due to insufficient buffer space. It also aligns the behavior +of the rkvdec driver with the Hantro and Cedrus drivers. + +Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver") +Cc: +Signed-off-by: Chen-Yu Tsai +Reviewed-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/rkvdec/rkvdec-h264.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/staging/media/rkvdec/rkvdec-h264.c ++++ b/drivers/staging/media/rkvdec/rkvdec-h264.c +@@ -1015,8 +1015,9 @@ static int rkvdec_h264_adjust_fmt(struct + struct v4l2_pix_format_mplane *fmt = &f->fmt.pix_mp; + + fmt->num_planes = 1; +- fmt->plane_fmt[0].sizeimage = fmt->width * fmt->height * +- RKVDEC_H264_MAX_DEPTH_IN_BYTES; ++ if (!fmt->plane_fmt[0].sizeimage) ++ fmt->plane_fmt[0].sizeimage = fmt->width * fmt->height * ++ RKVDEC_H264_MAX_DEPTH_IN_BYTES; + return 0; + } + diff --git a/queue-5.14/media-rkvdec-support-dynamic-resolution-changes.patch b/queue-5.14/media-rkvdec-support-dynamic-resolution-changes.patch new file mode 100644 index 00000000000..ed5f73e7c1d --- /dev/null +++ b/queue-5.14/media-rkvdec-support-dynamic-resolution-changes.patch @@ -0,0 +1,107 @@ +From 0887e9e152efbd3601d6c907e90033d25067277d Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Fri, 8 Oct 2021 11:04:23 +0100 +Subject: media: rkvdec: Support dynamic resolution changes + +From: Chen-Yu Tsai + +commit 0887e9e152efbd3601d6c907e90033d25067277d upstream. + +The mem-to-mem stateless decoder API specifies support for dynamic +resolution changes. In particular, the decoder should accept format +changes on the OUTPUT queue even when buffers have been allocated, +as long as it is not streaming. + +Relax restrictions for S_FMT as described in the previous paragraph, +and as long as the codec format remains the same. This aligns it with +the Hantro and Cedrus decoders. This change was mostly based on commit +ae02d49493b5 ("media: hantro: Fix s_fmt for dynamic resolution changes"). + +Since rkvdec_s_fmt() is now just a wrapper around the output/capture +variants without any additional shared functionality, drop the wrapper +and call the respective functions directly. + +Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver") +Cc: +Signed-off-by: Chen-Yu Tsai +Reviewed-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/rkvdec/rkvdec.c | 40 +++++++++++++++++----------------- + 1 file changed, 20 insertions(+), 20 deletions(-) + +--- a/drivers/staging/media/rkvdec/rkvdec.c ++++ b/drivers/staging/media/rkvdec/rkvdec.c +@@ -280,31 +280,20 @@ static int rkvdec_try_output_fmt(struct + return 0; + } + +-static int rkvdec_s_fmt(struct file *file, void *priv, +- struct v4l2_format *f, +- int (*try_fmt)(struct file *, void *, +- struct v4l2_format *)) ++static int rkvdec_s_capture_fmt(struct file *file, void *priv, ++ struct v4l2_format *f) + { + struct rkvdec_ctx *ctx = fh_to_rkvdec_ctx(priv); + struct vb2_queue *vq; ++ int ret; + +- if (!try_fmt) +- return -EINVAL; +- +- vq = v4l2_m2m_get_vq(ctx->fh.m2m_ctx, f->type); ++ /* Change not allowed if queue is busy */ ++ vq = v4l2_m2m_get_vq(ctx->fh.m2m_ctx, ++ V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE); + if (vb2_is_busy(vq)) + return -EBUSY; + +- return try_fmt(file, priv, f); +-} +- +-static int rkvdec_s_capture_fmt(struct file *file, void *priv, +- struct v4l2_format *f) +-{ +- struct rkvdec_ctx *ctx = fh_to_rkvdec_ctx(priv); +- int ret; +- +- ret = rkvdec_s_fmt(file, priv, f, rkvdec_try_capture_fmt); ++ ret = rkvdec_try_capture_fmt(file, priv, f); + if (ret) + return ret; + +@@ -319,10 +308,21 @@ static int rkvdec_s_output_fmt(struct fi + struct v4l2_m2m_ctx *m2m_ctx = ctx->fh.m2m_ctx; + const struct rkvdec_coded_fmt_desc *desc; + struct v4l2_format *cap_fmt; +- struct vb2_queue *peer_vq; ++ struct vb2_queue *peer_vq, *vq; + int ret; + + /* ++ * In order to support dynamic resolution change, the decoder admits ++ * a resolution change, as long as the pixelformat remains. Can't be ++ * done if streaming. ++ */ ++ vq = v4l2_m2m_get_vq(m2m_ctx, V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE); ++ if (vb2_is_streaming(vq) || ++ (vb2_is_busy(vq) && ++ f->fmt.pix_mp.pixelformat != ctx->coded_fmt.fmt.pix_mp.pixelformat)) ++ return -EBUSY; ++ ++ /* + * Since format change on the OUTPUT queue will reset the CAPTURE + * queue, we can't allow doing so when the CAPTURE queue has buffers + * allocated. +@@ -331,7 +331,7 @@ static int rkvdec_s_output_fmt(struct fi + if (vb2_is_busy(peer_vq)) + return -EBUSY; + +- ret = rkvdec_s_fmt(file, priv, f, rkvdec_try_output_fmt); ++ ret = rkvdec_try_output_fmt(file, priv, f); + if (ret) + return ret; + diff --git a/queue-5.14/media-v4l2-ioctl-fix-check_ext_ctrls.patch b/queue-5.14/media-v4l2-ioctl-fix-check_ext_ctrls.patch new file mode 100644 index 00000000000..db3e2d825e3 --- /dev/null +++ b/queue-5.14/media-v4l2-ioctl-fix-check_ext_ctrls.patch @@ -0,0 +1,162 @@ +From 861f92cb9160b14beef0ada047384c2340701ee2 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Fri, 18 Jun 2021 14:29:03 +0200 +Subject: media: v4l2-ioctl: Fix check_ext_ctrls + +From: Ricardo Ribalda + +commit 861f92cb9160b14beef0ada047384c2340701ee2 upstream. + +Drivers that do not use the ctrl-framework use this function instead. + +Fix the following issues: + +- Do not check for multiple classes when getting the DEF_VAL. +- Return -EINVAL for request_api calls +- Default value cannot be changed, return EINVAL as soon as possible. +- Return the right error_idx +[If an error is found when validating the list of controls passed with +VIDIOC_G_EXT_CTRLS, then error_idx shall be set to ctrls->count to +indicate to userspace that no actual hardware was touched. +It would have been much nicer of course if error_idx could point to the +control index that failed the validation, but sadly that's not how the +API was designed.] + +Fixes v4l2-compliance: +Control ioctls (Input 0): + warn: v4l2-test-controls.cpp(834): error_idx should be equal to count + warn: v4l2-test-controls.cpp(855): error_idx should be equal to count + fail: v4l2-test-controls.cpp(813): doioctl(node, VIDIOC_G_EXT_CTRLS, &ctrls) + test VIDIOC_G/S/TRY_EXT_CTRLS: FAIL +Buffer ioctls (Input 0): + fail: v4l2-test-buffers.cpp(1994): ret != EINVAL && ret != EBADR && ret != ENOTTY + test Requests: FAIL + +Cc: stable@vger.kernel.org +Fixes: 6fa6f831f095 ("media: v4l2-ctrls: add core request support") +Suggested-by: Hans Verkuil +Reviewed-by: Hans Verkuil +Signed-off-by: Ricardo Ribalda +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-ioctl.c | 60 ++++++++++++++++++++++------------- + 1 file changed, 39 insertions(+), 21 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-ioctl.c ++++ b/drivers/media/v4l2-core/v4l2-ioctl.c +@@ -869,7 +869,7 @@ static void v4l_print_default(const void + pr_cont("driver-specific ioctl\n"); + } + +-static int check_ext_ctrls(struct v4l2_ext_controls *c, int allow_priv) ++static bool check_ext_ctrls(struct v4l2_ext_controls *c, unsigned long ioctl) + { + __u32 i; + +@@ -878,23 +878,41 @@ static int check_ext_ctrls(struct v4l2_e + for (i = 0; i < c->count; i++) + c->controls[i].reserved2[0] = 0; + +- /* V4L2_CID_PRIVATE_BASE cannot be used as control class +- when using extended controls. +- Only when passed in through VIDIOC_G_CTRL and VIDIOC_S_CTRL +- is it allowed for backwards compatibility. +- */ +- if (!allow_priv && c->which == V4L2_CID_PRIVATE_BASE) +- return 0; +- if (!c->which) +- return 1; ++ switch (c->which) { ++ case V4L2_CID_PRIVATE_BASE: ++ /* ++ * V4L2_CID_PRIVATE_BASE cannot be used as control class ++ * when using extended controls. ++ * Only when passed in through VIDIOC_G_CTRL and VIDIOC_S_CTRL ++ * is it allowed for backwards compatibility. ++ */ ++ if (ioctl == VIDIOC_G_CTRL || ioctl == VIDIOC_S_CTRL) ++ return false; ++ break; ++ case V4L2_CTRL_WHICH_DEF_VAL: ++ /* Default value cannot be changed */ ++ if (ioctl == VIDIOC_S_EXT_CTRLS || ++ ioctl == VIDIOC_TRY_EXT_CTRLS) { ++ c->error_idx = c->count; ++ return false; ++ } ++ return true; ++ case V4L2_CTRL_WHICH_CUR_VAL: ++ return true; ++ case V4L2_CTRL_WHICH_REQUEST_VAL: ++ c->error_idx = c->count; ++ return false; ++ } ++ + /* Check that all controls are from the same control class. */ + for (i = 0; i < c->count; i++) { + if (V4L2_CTRL_ID2WHICH(c->controls[i].id) != c->which) { +- c->error_idx = i; +- return 0; ++ c->error_idx = ioctl == VIDIOC_TRY_EXT_CTRLS ? i : ++ c->count; ++ return false; + } + } +- return 1; ++ return true; + } + + static int check_fmt(struct file *file, enum v4l2_buf_type type) +@@ -2187,7 +2205,7 @@ static int v4l_g_ctrl(const struct v4l2_ + ctrls.controls = &ctrl; + ctrl.id = p->id; + ctrl.value = p->value; +- if (check_ext_ctrls(&ctrls, 1)) { ++ if (check_ext_ctrls(&ctrls, VIDIOC_G_CTRL)) { + int ret = ops->vidioc_g_ext_ctrls(file, fh, &ctrls); + + if (ret == 0) +@@ -2221,7 +2239,7 @@ static int v4l_s_ctrl(const struct v4l2_ + ctrls.controls = &ctrl; + ctrl.id = p->id; + ctrl.value = p->value; +- if (check_ext_ctrls(&ctrls, 1)) ++ if (check_ext_ctrls(&ctrls, VIDIOC_S_CTRL)) + return ops->vidioc_s_ext_ctrls(file, fh, &ctrls); + return -EINVAL; + } +@@ -2243,8 +2261,8 @@ static int v4l_g_ext_ctrls(const struct + vfd, vfd->v4l2_dev->mdev, p); + if (ops->vidioc_g_ext_ctrls == NULL) + return -ENOTTY; +- return check_ext_ctrls(p, 0) ? ops->vidioc_g_ext_ctrls(file, fh, p) : +- -EINVAL; ++ return check_ext_ctrls(p, VIDIOC_G_EXT_CTRLS) ? ++ ops->vidioc_g_ext_ctrls(file, fh, p) : -EINVAL; + } + + static int v4l_s_ext_ctrls(const struct v4l2_ioctl_ops *ops, +@@ -2264,8 +2282,8 @@ static int v4l_s_ext_ctrls(const struct + vfd, vfd->v4l2_dev->mdev, p); + if (ops->vidioc_s_ext_ctrls == NULL) + return -ENOTTY; +- return check_ext_ctrls(p, 0) ? ops->vidioc_s_ext_ctrls(file, fh, p) : +- -EINVAL; ++ return check_ext_ctrls(p, VIDIOC_S_EXT_CTRLS) ? ++ ops->vidioc_s_ext_ctrls(file, fh, p) : -EINVAL; + } + + static int v4l_try_ext_ctrls(const struct v4l2_ioctl_ops *ops, +@@ -2285,8 +2303,8 @@ static int v4l_try_ext_ctrls(const struc + vfd, vfd->v4l2_dev->mdev, p); + if (ops->vidioc_try_ext_ctrls == NULL) + return -ENOTTY; +- return check_ext_ctrls(p, 0) ? ops->vidioc_try_ext_ctrls(file, fh, p) : +- -EINVAL; ++ return check_ext_ctrls(p, VIDIOC_TRY_EXT_CTRLS) ? ++ ops->vidioc_try_ext_ctrls(file, fh, p) : -EINVAL; + } + + /* diff --git a/queue-5.14/mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch b/queue-5.14/mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch new file mode 100644 index 00000000000..a19cb75e981 --- /dev/null +++ b/queue-5.14/mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch @@ -0,0 +1,45 @@ +From 43592c8736e84025d7a45e61a46c3fa40536a364 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20L=C3=B6hle?= +Date: Thu, 16 Sep 2021 05:59:19 +0000 +Subject: mmc: dw_mmc: Dont wait for DRTO on Write RSP error + +From: Christian Löhle + +commit 43592c8736e84025d7a45e61a46c3fa40536a364 upstream. + +Only wait for DRTO on reads, otherwise the driver hangs. + +The driver prevents sending CMD12 on response errors like CRCs. According +to the comment this is because some cards have problems with this during +the UHS tuning sequence. Unfortunately this workaround currently also +applies for any command with data. On reads this will set the drto timer, +which then triggers after a while. On writes this will not set any timer +and the tasklet will not be scheduled again. + +I cannot test for the UHS workarounds need, but even if so, it should at +most apply to reads. I have observed many hangs when CMD25 response +contained a CRC error. This patch fixes this without touching the actual +UHS tuning workaround. + +Signed-off-by: Christian Loehle +Reviewed-by: Jaehoon Chung +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/af8f8b8674ba4fcc9a781019e4aeb72c@hyperstone.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/dw_mmc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/dw_mmc.c ++++ b/drivers/mmc/host/dw_mmc.c +@@ -2014,7 +2014,8 @@ static void dw_mci_tasklet_func(struct t + * delayed. Allowing the transfer to take place + * avoids races and keeps things simple. + */ +- if (err != -ETIMEDOUT) { ++ if (err != -ETIMEDOUT && ++ host->dir_status == DW_MCI_RECV_STATUS) { + state = STATE_SENDING_DATA; + continue; + } diff --git a/queue-5.14/mmc-mtk-sd-add-wait-dma-stop-done-flow.patch b/queue-5.14/mmc-mtk-sd-add-wait-dma-stop-done-flow.patch new file mode 100644 index 00000000000..246cc7b5e09 --- /dev/null +++ b/queue-5.14/mmc-mtk-sd-add-wait-dma-stop-done-flow.patch @@ -0,0 +1,54 @@ +From 43e5fee317f4b0a48992b8b07935b1a3ac20ce84 Mon Sep 17 00:00:00 2001 +From: Derong Liu +Date: Fri, 27 Aug 2021 15:15:37 +0800 +Subject: mmc: mtk-sd: Add wait dma stop done flow + +From: Derong Liu + +commit 43e5fee317f4b0a48992b8b07935b1a3ac20ce84 upstream. + +We found this issue on a 5G platform, during CMDQ error handling, if DMA +status is active when it call msdc_reset_hw(), it means mmc host hw reset +and DMA transfer will be parallel, mmc host may access sram region +unexpectedly. According to the programming guide of mtk-sd host, it needs +to wait for dma stop done after set dma stop. + +This change should be applied to all SoCs. + +Signed-off-by: Derong Liu +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20210827071537.1034-1-derong.liu@mediatek.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/mtk-sd.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/mmc/host/mtk-sd.c ++++ b/drivers/mmc/host/mtk-sd.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -2330,6 +2331,7 @@ static void msdc_cqe_enable(struct mmc_h + static void msdc_cqe_disable(struct mmc_host *mmc, bool recovery) + { + struct msdc_host *host = mmc_priv(mmc); ++ unsigned int val = 0; + + /* disable cmdq irq */ + sdr_clr_bits(host->base + MSDC_INTEN, MSDC_INT_CMDQ); +@@ -2339,6 +2341,9 @@ static void msdc_cqe_disable(struct mmc_ + if (recovery) { + sdr_set_field(host->base + MSDC_DMA_CTRL, + MSDC_DMA_CTRL_STOP, 1); ++ if (WARN_ON(readl_poll_timeout(host->base + MSDC_DMA_CFG, val, ++ !(val & MSDC_DMA_CFG_STS), 1, 3000))) ++ return; + msdc_reset_hw(host); + } + } diff --git a/queue-5.14/parisc-fix-ptrace-check-on-syscall-return.patch b/queue-5.14/parisc-fix-ptrace-check-on-syscall-return.patch new file mode 100644 index 00000000000..274c59302d6 --- /dev/null +++ b/queue-5.14/parisc-fix-ptrace-check-on-syscall-return.patch @@ -0,0 +1,36 @@ +From 8779e05ba8aaffec1829872ef9774a71f44f6580 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Tue, 5 Oct 2021 00:27:49 +0200 +Subject: parisc: Fix ptrace check on syscall return + +From: Helge Deller + +commit 8779e05ba8aaffec1829872ef9774a71f44f6580 upstream. + +The TIF_XXX flags are stored in the flags field in the thread_info +struct (TI_FLAGS), not in the flags field of the task_struct structure +(TASK_FLAGS). + +It seems this bug didn't generate any important side-effects, otherwise it +wouldn't have went unnoticed for 12 years (since v2.6.32). + +Signed-off-by: Helge Deller +Fixes: ecd3d4bc06e48 ("parisc: stop using task->ptrace for {single,block}step flags") +Cc: Kyle McMartin +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/entry.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/kernel/entry.S ++++ b/arch/parisc/kernel/entry.S +@@ -1834,7 +1834,7 @@ syscall_restore: + LDREG TI_TASK-THREAD_SZ_ALGN-FRAME_SIZE(%r30),%r1 + + /* Are we being ptraced? */ +- ldw TASK_FLAGS(%r1),%r19 ++ LDREG TI_FLAGS-THREAD_SZ_ALGN-FRAME_SIZE(%r30),%r19 + ldi _TIF_SYSCALL_TRACE_MASK,%r2 + and,COND(=) %r19,%r2,%r0 + b,n syscall_restore_rfi diff --git a/queue-5.14/parisc-fix-set_fixmap-on-pa1.x-cpus.patch b/queue-5.14/parisc-fix-set_fixmap-on-pa1.x-cpus.patch new file mode 100644 index 00000000000..c1309374809 --- /dev/null +++ b/queue-5.14/parisc-fix-set_fixmap-on-pa1.x-cpus.patch @@ -0,0 +1,37 @@ +From 6e866a462867b60841202e900f10936a0478608c Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sun, 31 Oct 2021 21:58:12 +0100 +Subject: parisc: Fix set_fixmap() on PA1.x CPUs + +From: Helge Deller + +commit 6e866a462867b60841202e900f10936a0478608c upstream. + +Fix a kernel crash which happens on PA1.x CPUs while initializing the +FTRACE/KPROBE breakpoints. The PTE table entries for the fixmap area +were not created correctly. + +Signed-off-by: Helge Deller +Fixes: ccfbc68d41c2 ("parisc: add set_fixmap()/clear_fixmap()") +Cc: stable@vger.kernel.org # v5.2+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/mm/fixmap.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/arch/parisc/mm/fixmap.c ++++ b/arch/parisc/mm/fixmap.c +@@ -20,12 +20,9 @@ void notrace set_fixmap(enum fixed_addre + pte_t *pte; + + if (pmd_none(*pmd)) +- pmd = pmd_alloc(NULL, pud, vaddr); +- +- pte = pte_offset_kernel(pmd, vaddr); +- if (pte_none(*pte)) + pte = pte_alloc_kernel(pmd, vaddr); + ++ pte = pte_offset_kernel(pmd, vaddr); + set_pte_at(&init_mm, vaddr, pte, __mk_pte(phys, PAGE_KERNEL_RWX)); + flush_tlb_kernel_range(vaddr, vaddr + PAGE_SIZE); + } diff --git a/queue-5.14/series b/queue-5.14/series index d21d50c25dd..60b72950e9d 100644 --- a/queue-5.14/series +++ b/queue-5.14/series @@ -13,3 +13,16 @@ scsi-qla2xxx-fix-kernel-crash-when-accessing-port_speed-sysfs-file.patch scsi-qla2xxx-fix-use-after-free-in-eh_abort-path.patch ce-gf100-fix-incorrect-ce0-address-calculation-on-some-gpus.patch char-xillybus-fix-msg_ep-uaf-in-xillyusb_probe.patch +mmc-mtk-sd-add-wait-dma-stop-done-flow.patch +mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch +exfat-fix-incorrect-loading-of-i_blocks-for-large-files.patch +parisc-fix-set_fixmap-on-pa1.x-cpus.patch +parisc-fix-ptrace-check-on-syscall-return.patch +tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch +firmware-psci-fix-application-of-sizeof-to-pointer.patch +crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch +media-rkvdec-do-not-override-sizeimage-for-output-format.patch +media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch +media-rkvdec-support-dynamic-resolution-changes.patch +media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch +media-v4l2-ioctl-fix-check_ext_ctrls.patch diff --git a/queue-5.14/tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch b/queue-5.14/tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch new file mode 100644 index 00000000000..98f74ee6f83 --- /dev/null +++ b/queue-5.14/tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch @@ -0,0 +1,34 @@ +From a0bcce2b2a169e10eb265c8f0ebdd5ae4c875670 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 8 Sep 2021 08:33:57 +0300 +Subject: tpm: Check for integer overflow in tpm2_map_response_body() + +From: Dan Carpenter + +commit a0bcce2b2a169e10eb265c8f0ebdd5ae4c875670 upstream. + +The "4 * be32_to_cpu(data->count)" multiplication can potentially +overflow which would lead to memory corruption. Add a check for that. + +Cc: stable@vger.kernel.org +Fixes: 745b361e989a ("tpm: infrastructure for TPM spaces") +Signed-off-by: Dan Carpenter +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm2-space.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/char/tpm/tpm2-space.c ++++ b/drivers/char/tpm/tpm2-space.c +@@ -455,6 +455,9 @@ static int tpm2_map_response_body(struct + if (be32_to_cpu(data->capability) != TPM2_CAP_HANDLES) + return 0; + ++ if (be32_to_cpu(data->count) > (UINT_MAX - TPM_HEADER_SIZE - 9) / 4) ++ return -EFAULT; ++ + if (len != TPM_HEADER_SIZE + 9 + 4 * be32_to_cpu(data->count)) + return -EFAULT; + -- 2.47.2