--- /dev/null
+From c4e4fccc5d52d881afaac11d3353265ef4eccb8b Mon Sep 17 00:00:00 2001
+From: Wayne Lin <Wayne.Lin@amd.com>
+Date: Fri, 3 Jan 2020 13:50:01 +0800
+Subject: drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ
+
+From: Wayne Lin <Wayne.Lin@amd.com>
+
+commit c4e4fccc5d52d881afaac11d3353265ef4eccb8b upstream.
+
+[Why]
+According to DP spec, it should shift left 4 digits for NO_STOP_BIT
+in REMOTE_I2C_READ message. Not 5 digits.
+
+In current code, NO_STOP_BIT is always set to zero which means I2C
+master is always generating a I2C stop at the end of each I2C write
+transaction while handling REMOTE_I2C_READ sideband message. This issue
+might have the generated I2C signal not meeting the requirement. Take
+random read in I2C for instance, I2C master should generate a repeat
+start to start to read data after writing the read address. This issue
+will cause the I2C master to generate a stop-start rather than a
+re-start which is not expected in I2C random read.
+
+[How]
+Correct the shifting value of NO_STOP_BIT for DP_REMOTE_I2C_READ case in
+drm_dp_encode_sideband_req().
+
+Changes since v1:(https://patchwork.kernel.org/patch/11312667/)
+* Add more descriptions in commit and cc to stable
+
+Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)")
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200103055001.10287-1-Wayne.Lin@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -274,7 +274,7 @@ static void drm_dp_encode_sideband_req(s
+ memcpy(&buf[idx], req->u.i2c_read.transactions[i].bytes, req->u.i2c_read.transactions[i].num_bytes);
+ idx += req->u.i2c_read.transactions[i].num_bytes;
+
+- buf[idx] = (req->u.i2c_read.transactions[i].no_stop_bit & 0x1) << 5;
++ buf[idx] = (req->u.i2c_read.transactions[i].no_stop_bit & 0x1) << 4;
+ buf[idx] |= (req->u.i2c_read.transactions[i].i2c_transaction_delay & 0xf);
+ idx++;
+ }
--- /dev/null
+From f30e27779d3031a092c2a177b7fb76adccc45241 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 30 Dec 2019 14:27:34 +0100
+Subject: drm/fb-helper: Round up bits_per_pixel if possible
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit f30e27779d3031a092c2a177b7fb76adccc45241 upstream.
+
+When userspace requests a video mode parameter value that is not
+supported, frame buffer device drivers should round it up to a supported
+value, if possible, instead of just rejecting it. This allows
+applications to quickly scan for supported video modes.
+
+Currently this rule is not followed for the number of bits per pixel,
+causing e.g. "fbset -depth N" to fail, if N is smaller than the current
+number of bits per pixel.
+
+Fix this by returning an error only if bits per pixel is too large, and
+setting it to the current value otherwise.
+
+See also Documentation/fb/framebuffer.rst, Section 2 (Programmer's View
+of /dev/fb*").
+
+Fixes: 865afb11949e5bf4 ("drm/fb-helper: reject any changes to the fbdev")
+Cc: stable@vger.kernel.org
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20191230132734.4538-1-geert+renesas@glider.be
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_fb_helper.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_fb_helper.c
++++ b/drivers/gpu/drm/drm_fb_helper.c
+@@ -1702,7 +1702,7 @@ int drm_fb_helper_check_var(struct fb_va
+ * Changes struct fb_var_screeninfo are currently not pushed back
+ * to KMS, hence fail if different settings are requested.
+ */
+- if (var->bits_per_pixel != fb->format->cpp[0] * 8 ||
++ if (var->bits_per_pixel > fb->format->cpp[0] * 8 ||
+ var->xres > fb->width || var->yres > fb->height ||
+ var->xres_virtual > fb->width || var->yres_virtual > fb->height) {
+ DRM_DEBUG("fb requested width/height/bpp can't fit in current fb "
+@@ -1728,6 +1728,11 @@ int drm_fb_helper_check_var(struct fb_va
+ }
+
+ /*
++ * Likewise, bits_per_pixel should be rounded up to a supported value.
++ */
++ var->bits_per_pixel = fb->format->cpp[0] * 8;
++
++ /*
+ * drm fbdev emulation doesn't support changing the pixel format at all,
+ * so reject all pixel format changing requests.
+ */
--- /dev/null
+From 4396393fb96449c56423fb4b351f76e45a6bcaf6 Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Tue, 7 Jan 2020 15:01:13 +0800
+Subject: drm/sun4i: tcon: Set RGB DCLK min. divider based on hardware model
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+commit 4396393fb96449c56423fb4b351f76e45a6bcaf6 upstream.
+
+In commit 0b8e7bbde5e7 ("drm/sun4i: tcon: Set min division of TCON0_DCLK
+to 1.") it was assumed that all TCON variants support a minimum divider
+of 1 if only DCLK was used.
+
+However, the oldest generation of hardware only supports minimum divider
+of 4 if only DCLK is used. If a divider of 1 was used on this old
+hardware, some scrolling artifact would appear. A divider of 2 seemed
+OK, but a divider of 3 had artifacts as well.
+
+Set the minimum divider when outputing to parallel RGB based on the
+hardware model, with a minimum of 4 for the oldest (A10/A10s/A13/A20)
+hardware, and a minimum of 1 for the rest. A value is not set for the
+TCON variants lacking channel 0.
+
+This fixes the scrolling artifacts seen on my A13 tablet.
+
+Fixes: 0b8e7bbde5e7 ("drm/sun4i: tcon: Set min division of TCON0_DCLK to 1.")
+Cc: <stable@vger.kernel.org> # 5.4.x
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200107070113.28951-1-wens@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/sun4i/sun4i_tcon.c | 15 ++++++++++++---
+ drivers/gpu/drm/sun4i/sun4i_tcon.h | 1 +
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/sun4i/sun4i_tcon.c
++++ b/drivers/gpu/drm/sun4i/sun4i_tcon.c
+@@ -423,7 +423,7 @@ static void sun4i_tcon0_mode_set_rgb(str
+
+ WARN_ON(!tcon->quirks->has_channel_0);
+
+- tcon->dclk_min_div = 1;
++ tcon->dclk_min_div = tcon->quirks->dclk_min_div;
+ tcon->dclk_max_div = 127;
+ sun4i_tcon0_mode_set_common(tcon, mode);
+
+@@ -1249,12 +1249,14 @@ static int sun6i_tcon_set_mux(struct sun
+ static const struct sun4i_tcon_quirks sun4i_a10_quirks = {
+ .has_channel_0 = true,
+ .has_channel_1 = true,
++ .dclk_min_div = 4,
+ .set_mux = sun4i_a10_tcon_set_mux,
+ };
+
+ static const struct sun4i_tcon_quirks sun5i_a13_quirks = {
+ .has_channel_0 = true,
+ .has_channel_1 = true,
++ .dclk_min_div = 4,
+ .set_mux = sun5i_a13_tcon_set_mux,
+ };
+
+@@ -1263,6 +1265,7 @@ static const struct sun4i_tcon_quirks su
+ .has_channel_1 = true,
+ .has_lvds_alt = true,
+ .needs_de_be_mux = true,
++ .dclk_min_div = 1,
+ .set_mux = sun6i_tcon_set_mux,
+ };
+
+@@ -1270,11 +1273,13 @@ static const struct sun4i_tcon_quirks su
+ .has_channel_0 = true,
+ .has_channel_1 = true,
+ .needs_de_be_mux = true,
++ .dclk_min_div = 1,
+ };
+
+ static const struct sun4i_tcon_quirks sun7i_a20_quirks = {
+ .has_channel_0 = true,
+ .has_channel_1 = true,
++ .dclk_min_div = 4,
+ /* Same display pipeline structure as A10 */
+ .set_mux = sun4i_a10_tcon_set_mux,
+ };
+@@ -1282,11 +1287,13 @@ static const struct sun4i_tcon_quirks su
+ static const struct sun4i_tcon_quirks sun8i_a33_quirks = {
+ .has_channel_0 = true,
+ .has_lvds_alt = true,
++ .dclk_min_div = 1,
+ };
+
+ static const struct sun4i_tcon_quirks sun8i_a83t_lcd_quirks = {
+ .supports_lvds = true,
+ .has_channel_0 = true,
++ .dclk_min_div = 1,
+ };
+
+ static const struct sun4i_tcon_quirks sun8i_a83t_tv_quirks = {
+@@ -1295,11 +1302,13 @@ static const struct sun4i_tcon_quirks su
+
+ static const struct sun4i_tcon_quirks sun8i_v3s_quirks = {
+ .has_channel_0 = true,
++ .dclk_min_div = 1,
+ };
+
+ static const struct sun4i_tcon_quirks sun9i_a80_tcon_lcd_quirks = {
+- .has_channel_0 = true,
+- .needs_edp_reset = true,
++ .has_channel_0 = true,
++ .needs_edp_reset = true,
++ .dclk_min_div = 1,
+ };
+
+ static const struct sun4i_tcon_quirks sun9i_a80_tcon_tv_quirks = {
+--- a/drivers/gpu/drm/sun4i/sun4i_tcon.h
++++ b/drivers/gpu/drm/sun4i/sun4i_tcon.h
+@@ -224,6 +224,7 @@ struct sun4i_tcon_quirks {
+ bool needs_de_be_mux; /* sun6i needs mux to select backend */
+ bool needs_edp_reset; /* a80 edp reset needed for tcon0 access */
+ bool supports_lvds; /* Does the TCON support an LVDS output? */
++ u8 dclk_min_div; /* minimum divider for TCON0 DCLK */
+
+ /* callback to handle tcon muxing options */
+ int (*set_mux)(struct sun4i_tcon *, const struct drm_encoder *);
--- /dev/null
+From 8ec321e96e056de84022c032ffea253431a83c3c Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 10 Dec 2019 16:26:11 -0500
+Subject: HID: Fix slab-out-of-bounds read in hid_field_extract
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 8ec321e96e056de84022c032ffea253431a83c3c upstream.
+
+The syzbot fuzzer found a slab-out-of-bounds bug in the HID report
+handler. The bug was caused by a report descriptor which included a
+field with size 12 bits and count 4899, for a total size of 7349
+bytes.
+
+The usbhid driver uses at most a single-page 4-KB buffer for reports.
+In the test there wasn't any problem about overflowing the buffer,
+since only one byte was received from the device. Rather, the bug
+occurred when the HID core tried to extract the data from the report
+fields, which caused it to try reading data beyond the end of the
+allocated buffer.
+
+This patch fixes the problem by rejecting any report whose total
+length exceeds the HID_MAX_BUFFER_SIZE limit (minus one byte to allow
+for a possible report index). In theory a device could have a report
+longer than that, but if there was such a thing we wouldn't handle it
+correctly anyway.
+
+Reported-and-tested-by: syzbot+09ef48aa58261464b621@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+CC: <stable@vger.kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -288,6 +288,12 @@ static int hid_add_field(struct hid_pars
+ offset = report->size;
+ report->size += parser->global.report_size * parser->global.report_count;
+
++ /* Total size check: Allow for possible report index byte */
++ if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) {
++ hid_err(parser->device, "report is too long\n");
++ return -1;
++ }
++
+ if (!parser->local.usage_index) /* Ignore padding fields */
+ return 0;
+
--- /dev/null
+From 4f3882177240a1f55e45a3d241d3121341bead78 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Sat, 7 Dec 2019 13:05:18 -0800
+Subject: HID: hid-input: clear unmapped usages
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 4f3882177240a1f55e45a3d241d3121341bead78 upstream.
+
+We should not be leaving half-mapped usages with potentially invalid
+keycodes, as that may confuse hidinput_find_key() when the key is located
+by index, which may end up feeding way too large keycode into the VT
+keyboard handler and cause OOB write there:
+
+BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
+BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
+BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
+Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
+...
+ kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
+ kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
+ input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
+ input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
+ input_pass_values drivers/input/input.c:949 [inline]
+ input_set_keycode+0x290/0x320 drivers/input/input.c:954
+ evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
+ evdev_do_ioctl drivers/input/evdev.c:1150 [inline]
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Tested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-input.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -1125,9 +1125,15 @@ static void hidinput_configure_usage(str
+ }
+
+ mapped:
+- if (device->driver->input_mapped && device->driver->input_mapped(device,
+- hidinput, field, usage, &bit, &max) < 0)
+- goto ignore;
++ if (device->driver->input_mapped &&
++ device->driver->input_mapped(device, hidinput, field, usage,
++ &bit, &max) < 0) {
++ /*
++ * The driver indicated that no further generic handling
++ * of the usage is desired.
++ */
++ return;
++ }
+
+ set_bit(usage->type, input->evbit);
+
+@@ -1208,9 +1214,11 @@ mapped:
+ set_bit(MSC_SCAN, input->mscbit);
+ }
+
+-ignore:
+ return;
+
++ignore:
++ usage->type = 0;
++ usage->code = 0;
+ }
+
+ void hidinput_hid_event(struct hid_device *hid, struct hid_field *field, struct hid_usage *usage, __s32 value)
--- /dev/null
+From be54e7461ffdc5809b67d2aeefc1ddc9a91470c7 Mon Sep 17 00:00:00 2001
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Wed, 4 Dec 2019 03:43:55 +0100
+Subject: HID: uhid: Fix returning EPOLLOUT from uhid_char_poll
+
+From: Marcel Holtmann <marcel@holtmann.org>
+
+commit be54e7461ffdc5809b67d2aeefc1ddc9a91470c7 upstream.
+
+Always return EPOLLOUT from uhid_char_poll to allow polling /dev/uhid
+for writable state.
+
+Fixes: 1f9dec1e0164 ("HID: uhid: allow poll()'ing on uhid devices")
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/uhid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/uhid.c
++++ b/drivers/hid/uhid.c
+@@ -775,7 +775,7 @@ static __poll_t uhid_char_poll(struct fi
+ if (uhid->head != uhid->tail)
+ return EPOLLIN | EPOLLRDNORM;
+
+- return 0;
++ return EPOLLOUT | EPOLLWRNORM;
+ }
+
+ static const struct file_operations uhid_fops = {
--- /dev/null
+From cb222aed03d798fc074be55e59d9a112338ee784 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 13 Dec 2019 14:56:16 -0800
+Subject: Input: add safety guards to input_set_keycode()
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit cb222aed03d798fc074be55e59d9a112338ee784 upstream.
+
+If we happen to have a garbage in input device's keycode table with values
+too big we'll end up doing clear_bit() with offset way outside of our
+bitmaps, damaging other objects within an input device or even outside of
+it. Let's add sanity checks to the returned old keycodes.
+
+Reported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com
+Reported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/input.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+--- a/drivers/input/input.c
++++ b/drivers/input/input.c
+@@ -858,16 +858,18 @@ static int input_default_setkeycode(stru
+ }
+ }
+
+- __clear_bit(*old_keycode, dev->keybit);
+- __set_bit(ke->keycode, dev->keybit);
+-
+- for (i = 0; i < dev->keycodemax; i++) {
+- if (input_fetch_keycode(dev, i) == *old_keycode) {
+- __set_bit(*old_keycode, dev->keybit);
+- break; /* Setting the bit twice is useless, so break */
++ if (*old_keycode <= KEY_MAX) {
++ __clear_bit(*old_keycode, dev->keybit);
++ for (i = 0; i < dev->keycodemax; i++) {
++ if (input_fetch_keycode(dev, i) == *old_keycode) {
++ __set_bit(*old_keycode, dev->keybit);
++ /* Setting the bit twice is useless, so break */
++ break;
++ }
+ }
+ }
+
++ __set_bit(ke->keycode, dev->keybit);
+ return 0;
+ }
+
+@@ -923,9 +925,13 @@ int input_set_keycode(struct input_dev *
+ * Simulate keyup event if keycode is not present
+ * in the keymap anymore
+ */
+- if (test_bit(EV_KEY, dev->evbit) &&
+- !is_event_supported(old_keycode, dev->keybit, KEY_MAX) &&
+- __test_and_clear_bit(old_keycode, dev->key)) {
++ if (old_keycode > KEY_MAX) {
++ dev_warn(dev->dev.parent ?: &dev->dev,
++ "%s: got too big old keycode %#x\n",
++ __func__, old_keycode);
++ } else if (test_bit(EV_KEY, dev->evbit) &&
++ !is_event_supported(old_keycode, dev->keybit, KEY_MAX) &&
++ __test_and_clear_bit(old_keycode, dev->key)) {
+ struct input_value vals[] = {
+ { EV_KEY, old_keycode, 0 },
+ input_value_sync
--- /dev/null
+From f729a1b0f8df7091cea3729fc0e414f5326e1163 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 13 Dec 2019 14:06:58 -0800
+Subject: Input: input_event - fix struct padding on sparc64
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit f729a1b0f8df7091cea3729fc0e414f5326e1163 upstream.
+
+Going through all uses of timeval, I noticed that we screwed up
+input_event in the previous attempts to fix it:
+
+The time fields now match between kernel and user space, but all following
+fields are in the wrong place.
+
+Add the required padding that is implied by the glibc timeval definition
+to fix the layout, and use a struct initializer to avoid leaking kernel
+stack data.
+
+Fixes: 141e5dcaa735 ("Input: input_event - fix the CONFIG_SPARC64 mixup")
+Fixes: 2e746942ebac ("Input: input_event - provide override for sparc64")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20191213204936.3643476-2-arnd@arndb.de
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/evdev.c | 14 +++++++-------
+ drivers/input/misc/uinput.c | 14 +++++++++-----
+ include/uapi/linux/input.h | 1 +
+ 3 files changed, 17 insertions(+), 12 deletions(-)
+
+--- a/drivers/input/evdev.c
++++ b/drivers/input/evdev.c
+@@ -241,13 +241,13 @@ static void __pass_event(struct evdev_cl
+ */
+ client->tail = (client->head - 2) & (client->bufsize - 1);
+
+- client->buffer[client->tail].input_event_sec =
+- event->input_event_sec;
+- client->buffer[client->tail].input_event_usec =
+- event->input_event_usec;
+- client->buffer[client->tail].type = EV_SYN;
+- client->buffer[client->tail].code = SYN_DROPPED;
+- client->buffer[client->tail].value = 0;
++ client->buffer[client->tail] = (struct input_event) {
++ .input_event_sec = event->input_event_sec,
++ .input_event_usec = event->input_event_usec,
++ .type = EV_SYN,
++ .code = SYN_DROPPED,
++ .value = 0,
++ };
+
+ client->packet_head = client->tail;
+ }
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -87,12 +87,16 @@ static int uinput_dev_event(struct input
+ struct uinput_device *udev = input_get_drvdata(dev);
+ struct timespec64 ts;
+
+- udev->buff[udev->head].type = type;
+- udev->buff[udev->head].code = code;
+- udev->buff[udev->head].value = value;
+ ktime_get_ts64(&ts);
+- udev->buff[udev->head].input_event_sec = ts.tv_sec;
+- udev->buff[udev->head].input_event_usec = ts.tv_nsec / NSEC_PER_USEC;
++
++ udev->buff[udev->head] = (struct input_event) {
++ .input_event_sec = ts.tv_sec,
++ .input_event_usec = ts.tv_nsec / NSEC_PER_USEC,
++ .type = type,
++ .code = code,
++ .value = value,
++ };
++
+ udev->head = (udev->head + 1) % UINPUT_BUFFER_SIZE;
+
+ wake_up_interruptible(&udev->waitq);
+--- a/include/uapi/linux/input.h
++++ b/include/uapi/linux/input.h
+@@ -34,6 +34,7 @@ struct input_event {
+ __kernel_ulong_t __sec;
+ #if defined(__sparc__) && defined(__arch64__)
+ unsigned int __usec;
++ unsigned int __pad;
+ #else
+ __kernel_ulong_t __usec;
+ #endif
--- /dev/null
+From 50f9ad607ea891a9308e67b81f774c71736d1098 Mon Sep 17 00:00:00 2001
+From: Kaitao Cheng <pilgrimtao@gmail.com>
+Date: Tue, 31 Dec 2019 05:35:30 -0800
+Subject: kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail
+
+From: Kaitao Cheng <pilgrimtao@gmail.com>
+
+commit 50f9ad607ea891a9308e67b81f774c71736d1098 upstream.
+
+In the function, if register_trace_sched_migrate_task() returns error,
+sched_switch/sched_wakeup_new/sched_wakeup won't unregister. That is
+why fail_deprobe_sched_switch was added.
+
+Link: http://lkml.kernel.org/r/20191231133530.2794-1-pilgrimtao@gmail.com
+
+Cc: stable@vger.kernel.org
+Fixes: 478142c39c8c2 ("tracing: do not grab lock in wakeup latency function tracing")
+Signed-off-by: Kaitao Cheng <pilgrimtao@gmail.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_sched_wakeup.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_sched_wakeup.c
++++ b/kernel/trace/trace_sched_wakeup.c
+@@ -640,7 +640,7 @@ static void start_wakeup_tracer(struct t
+ if (ret) {
+ pr_info("wakeup trace: Couldn't activate tracepoint"
+ " probe to kernel_sched_migrate_task\n");
+- return;
++ goto fail_deprobe_sched_switch;
+ }
+
+ wakeup_reset(tr);
+@@ -658,6 +658,8 @@ static void start_wakeup_tracer(struct t
+ printk(KERN_ERR "failed to start wakeup tracer\n");
+
+ return;
++fail_deprobe_sched_switch:
++ unregister_trace_sched_switch(probe_wakeup_sched_switch, NULL);
+ fail_deprobe_wake_new:
+ unregister_trace_sched_wakeup_new(probe_wakeup, NULL);
+ fail_deprobe:
alsa-hda-realtek-add-new-codec-supported-for-alcs1200a.patch
alsa-hda-realtek-set-eapd-control-to-default-for-alc222.patch
alsa-hda-realtek-add-quirk-for-the-bass-speaker-on-lenovo-yoga-x1-7th-gen.patch
+kernel-trace-fix-do-not-unregister-tracepoints-when-register-sched_migrate_task-fail.patch
+tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not-defined.patch
+tracing-change-offset-type-to-s32-in-preempt-irq-tracepoints.patch
+hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch
+hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch
+hid-hid-input-clear-unmapped-usages.patch
+input-add-safety-guards-to-input_set_keycode.patch
+input-input_event-fix-struct-padding-on-sparc64.patch
+drm-sun4i-tcon-set-rgb-dclk-min.-divider-based-on-hardware-model.patch
+drm-fb-helper-round-up-bits_per_pixel-if-possible.patch
+drm-dp_mst-correct-the-shifting-in-dp_remote_i2c_read.patch
--- /dev/null
+From bf44f488e168368cae4139b4b33c3d0aaa11679c Mon Sep 17 00:00:00 2001
+From: "Joel Fernandes (Google)" <joel@joelfernandes.org>
+Date: Thu, 2 Jan 2020 14:46:25 -0500
+Subject: tracing: Change offset type to s32 in preempt/irq tracepoints
+
+From: Joel Fernandes (Google) <joel@joelfernandes.org>
+
+commit bf44f488e168368cae4139b4b33c3d0aaa11679c upstream.
+
+Discussion in the below link reported that symbols in modules can appear
+to be before _stext on ARM architecture, causing wrapping with the
+offsets of this tracepoint. Change the offset type to s32 to fix this.
+
+Link: http://lore.kernel.org/r/20191127154428.191095-1-antonio.borneo@st.com
+Link: http://lkml.kernel.org/r/20200102194625.226436-1-joel@joelfernandes.org
+
+Cc: Bjorn Helgaas <bhelgaas@google.com>
+Cc: David Sterba <dsterba@suse.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Mike Rapoport <rppt@linux.ibm.com>
+Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Cc: Sakari Ailus <sakari.ailus@linux.intel.com>
+Cc: Antonio Borneo <antonio.borneo@st.com>
+Cc: stable@vger.kernel.org
+Fixes: d59158162e032 ("tracing: Add support for preempt and irq enable/disable events")
+Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/trace/events/preemptirq.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/include/trace/events/preemptirq.h
++++ b/include/trace/events/preemptirq.h
+@@ -18,13 +18,13 @@ DECLARE_EVENT_CLASS(preemptirq_template,
+ TP_ARGS(ip, parent_ip),
+
+ TP_STRUCT__entry(
+- __field(u32, caller_offs)
+- __field(u32, parent_offs)
++ __field(s32, caller_offs)
++ __field(s32, parent_offs)
+ ),
+
+ TP_fast_assign(
+- __entry->caller_offs = (u32)(ip - (unsigned long)_stext);
+- __entry->parent_offs = (u32)(parent_ip - (unsigned long)_stext);
++ __entry->caller_offs = (s32)(ip - (unsigned long)_stext);
++ __entry->parent_offs = (s32)(parent_ip - (unsigned long)_stext);
+ ),
+
+ TP_printk("caller=%pF parent=%pF",
--- /dev/null
+From b8299d362d0837ae39e87e9019ebe6b736e0f035 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Thu, 2 Jan 2020 22:02:41 -0500
+Subject: tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not defined
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit b8299d362d0837ae39e87e9019ebe6b736e0f035 upstream.
+
+On some archs with some configurations, MCOUNT_INSN_SIZE is not defined, and
+this makes the stack tracer fail to compile. Just define it to zero in this
+case.
+
+Link: https://lore.kernel.org/r/202001020219.zvE3vsty%lkp@intel.com
+
+Cc: stable@vger.kernel.org
+Fixes: 4df297129f622 ("tracing: Remove most or all of stack tracer stack size from stack_max_size")
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_stack.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/kernel/trace/trace_stack.c
++++ b/kernel/trace/trace_stack.c
+@@ -196,6 +196,11 @@ check_stack(unsigned long ip, unsigned l
+ local_irq_restore(flags);
+ }
+
++/* Some archs may not define MCOUNT_INSN_SIZE */
++#ifndef MCOUNT_INSN_SIZE
++# define MCOUNT_INSN_SIZE 0
++#endif
++
+ static void
+ stack_trace_call(unsigned long ip, unsigned long parent_ip,
+ struct ftrace_ops *op, struct pt_regs *pt_regs)
projects / thirdparty / kernel / stable-queue.git / commitdiff
