From 83767ba8d6c128bdf3624900ca7fcc9ddb9f4622 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 13 Jan 2020 21:40:57 +0100 Subject: [PATCH] 4.19-stable patches added patches: drm-dp_mst-correct-the-shifting-in-dp_remote_i2c_read.patch drm-fb-helper-round-up-bits_per_pixel-if-possible.patch drm-sun4i-tcon-set-rgb-dclk-min.-divider-based-on-hardware-model.patch hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch hid-hid-input-clear-unmapped-usages.patch hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch input-add-safety-guards-to-input_set_keycode.patch input-input_event-fix-struct-padding-on-sparc64.patch kernel-trace-fix-do-not-unregister-tracepoints-when-register-sched_migrate_task-fail.patch tracing-change-offset-type-to-s32-in-preempt-irq-tracepoints.patch tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not-defined.patch --- ...t-the-shifting-in-dp_remote_i2c_read.patch | 52 ++++++++ ...-round-up-bits_per_pixel-if-possible.patch | 58 ++++++++ ...min.-divider-based-on-hardware-model.patch | 125 ++++++++++++++++++ ...-of-bounds-read-in-hid_field_extract.patch | 52 ++++++++ .../hid-hid-input-clear-unmapped-usages.patch | 73 ++++++++++ ...turning-epollout-from-uhid_char_poll.patch | 33 +++++ ...d-safety-guards-to-input_set_keycode.patch | 69 ++++++++++ ..._event-fix-struct-padding-on-sparc64.patch | 90 +++++++++++++ ...hen-register-sched_migrate_task-fail.patch | 45 +++++++ queue-4.19/series | 11 ++ ...pe-to-s32-in-preempt-irq-tracepoints.patch | 53 ++++++++ ...when-mcount_insn_size-is-not-defined.patch | 39 ++++++ 12 files changed, 700 insertions(+) create mode 100644 queue-4.19/drm-dp_mst-correct-the-shifting-in-dp_remote_i2c_read.patch create mode 100644 queue-4.19/drm-fb-helper-round-up-bits_per_pixel-if-possible.patch create mode 100644 queue-4.19/drm-sun4i-tcon-set-rgb-dclk-min.-divider-based-on-hardware-model.patch create mode 100644 queue-4.19/hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch create mode 100644 queue-4.19/hid-hid-input-clear-unmapped-usages.patch create mode 100644 queue-4.19/hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch create mode 100644 queue-4.19/input-add-safety-guards-to-input_set_keycode.patch create mode 100644 queue-4.19/input-input_event-fix-struct-padding-on-sparc64.patch create mode 100644 queue-4.19/kernel-trace-fix-do-not-unregister-tracepoints-when-register-sched_migrate_task-fail.patch create mode 100644 queue-4.19/tracing-change-offset-type-to-s32-in-preempt-irq-tracepoints.patch create mode 100644 queue-4.19/tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not-defined.patch diff --git a/queue-4.19/drm-dp_mst-correct-the-shifting-in-dp_remote_i2c_read.patch b/queue-4.19/drm-dp_mst-correct-the-shifting-in-dp_remote_i2c_read.patch new file mode 100644 index 00000000000..70f54c0654c --- /dev/null +++ b/queue-4.19/drm-dp_mst-correct-the-shifting-in-dp_remote_i2c_read.patch @@ -0,0 +1,52 @@ +From c4e4fccc5d52d881afaac11d3353265ef4eccb8b Mon Sep 17 00:00:00 2001 +From: Wayne Lin +Date: Fri, 3 Jan 2020 13:50:01 +0800 +Subject: drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ + +From: Wayne Lin + +commit c4e4fccc5d52d881afaac11d3353265ef4eccb8b upstream. + +[Why] +According to DP spec, it should shift left 4 digits for NO_STOP_BIT +in REMOTE_I2C_READ message. Not 5 digits. + +In current code, NO_STOP_BIT is always set to zero which means I2C +master is always generating a I2C stop at the end of each I2C write +transaction while handling REMOTE_I2C_READ sideband message. This issue +might have the generated I2C signal not meeting the requirement. Take +random read in I2C for instance, I2C master should generate a repeat +start to start to read data after writing the read address. This issue +will cause the I2C master to generate a stop-start rather than a +re-start which is not expected in I2C random read. + +[How] +Correct the shifting value of NO_STOP_BIT for DP_REMOTE_I2C_READ case in +drm_dp_encode_sideband_req(). + +Changes since v1:(https://patchwork.kernel.org/patch/11312667/) +* Add more descriptions in commit and cc to stable + +Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)") +Reviewed-by: Harry Wentland +Signed-off-by: Wayne Lin +Cc: stable@vger.kernel.org +Signed-off-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20200103055001.10287-1-Wayne.Lin@amd.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_dp_mst_topology.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -274,7 +274,7 @@ static void drm_dp_encode_sideband_req(s + memcpy(&buf[idx], req->u.i2c_read.transactions[i].bytes, req->u.i2c_read.transactions[i].num_bytes); + idx += req->u.i2c_read.transactions[i].num_bytes; + +- buf[idx] = (req->u.i2c_read.transactions[i].no_stop_bit & 0x1) << 5; ++ buf[idx] = (req->u.i2c_read.transactions[i].no_stop_bit & 0x1) << 4; + buf[idx] |= (req->u.i2c_read.transactions[i].i2c_transaction_delay & 0xf); + idx++; + } diff --git a/queue-4.19/drm-fb-helper-round-up-bits_per_pixel-if-possible.patch b/queue-4.19/drm-fb-helper-round-up-bits_per_pixel-if-possible.patch new file mode 100644 index 00000000000..26268f3cab5 --- /dev/null +++ b/queue-4.19/drm-fb-helper-round-up-bits_per_pixel-if-possible.patch @@ -0,0 +1,58 @@ +From f30e27779d3031a092c2a177b7fb76adccc45241 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 30 Dec 2019 14:27:34 +0100 +Subject: drm/fb-helper: Round up bits_per_pixel if possible + +From: Geert Uytterhoeven + +commit f30e27779d3031a092c2a177b7fb76adccc45241 upstream. + +When userspace requests a video mode parameter value that is not +supported, frame buffer device drivers should round it up to a supported +value, if possible, instead of just rejecting it. This allows +applications to quickly scan for supported video modes. + +Currently this rule is not followed for the number of bits per pixel, +causing e.g. "fbset -depth N" to fail, if N is smaller than the current +number of bits per pixel. + +Fix this by returning an error only if bits per pixel is too large, and +setting it to the current value otherwise. + +See also Documentation/fb/framebuffer.rst, Section 2 (Programmer's View +of /dev/fb*"). + +Fixes: 865afb11949e5bf4 ("drm/fb-helper: reject any changes to the fbdev") +Cc: stable@vger.kernel.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20191230132734.4538-1-geert+renesas@glider.be +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_fb_helper.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_fb_helper.c ++++ b/drivers/gpu/drm/drm_fb_helper.c +@@ -1702,7 +1702,7 @@ int drm_fb_helper_check_var(struct fb_va + * Changes struct fb_var_screeninfo are currently not pushed back + * to KMS, hence fail if different settings are requested. + */ +- if (var->bits_per_pixel != fb->format->cpp[0] * 8 || ++ if (var->bits_per_pixel > fb->format->cpp[0] * 8 || + var->xres > fb->width || var->yres > fb->height || + var->xres_virtual > fb->width || var->yres_virtual > fb->height) { + DRM_DEBUG("fb requested width/height/bpp can't fit in current fb " +@@ -1728,6 +1728,11 @@ int drm_fb_helper_check_var(struct fb_va + } + + /* ++ * Likewise, bits_per_pixel should be rounded up to a supported value. ++ */ ++ var->bits_per_pixel = fb->format->cpp[0] * 8; ++ ++ /* + * drm fbdev emulation doesn't support changing the pixel format at all, + * so reject all pixel format changing requests. + */ diff --git a/queue-4.19/drm-sun4i-tcon-set-rgb-dclk-min.-divider-based-on-hardware-model.patch b/queue-4.19/drm-sun4i-tcon-set-rgb-dclk-min.-divider-based-on-hardware-model.patch new file mode 100644 index 00000000000..4bf71809f49 --- /dev/null +++ b/queue-4.19/drm-sun4i-tcon-set-rgb-dclk-min.-divider-based-on-hardware-model.patch @@ -0,0 +1,125 @@ +From 4396393fb96449c56423fb4b351f76e45a6bcaf6 Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Tue, 7 Jan 2020 15:01:13 +0800 +Subject: drm/sun4i: tcon: Set RGB DCLK min. divider based on hardware model + +From: Chen-Yu Tsai + +commit 4396393fb96449c56423fb4b351f76e45a6bcaf6 upstream. + +In commit 0b8e7bbde5e7 ("drm/sun4i: tcon: Set min division of TCON0_DCLK +to 1.") it was assumed that all TCON variants support a minimum divider +of 1 if only DCLK was used. + +However, the oldest generation of hardware only supports minimum divider +of 4 if only DCLK is used. If a divider of 1 was used on this old +hardware, some scrolling artifact would appear. A divider of 2 seemed +OK, but a divider of 3 had artifacts as well. + +Set the minimum divider when outputing to parallel RGB based on the +hardware model, with a minimum of 4 for the oldest (A10/A10s/A13/A20) +hardware, and a minimum of 1 for the rest. A value is not set for the +TCON variants lacking channel 0. + +This fixes the scrolling artifacts seen on my A13 tablet. + +Fixes: 0b8e7bbde5e7 ("drm/sun4i: tcon: Set min division of TCON0_DCLK to 1.") +Cc: # 5.4.x +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20200107070113.28951-1-wens@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/sun4i/sun4i_tcon.c | 15 ++++++++++++--- + drivers/gpu/drm/sun4i/sun4i_tcon.h | 1 + + 2 files changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/sun4i/sun4i_tcon.c ++++ b/drivers/gpu/drm/sun4i/sun4i_tcon.c +@@ -423,7 +423,7 @@ static void sun4i_tcon0_mode_set_rgb(str + + WARN_ON(!tcon->quirks->has_channel_0); + +- tcon->dclk_min_div = 1; ++ tcon->dclk_min_div = tcon->quirks->dclk_min_div; + tcon->dclk_max_div = 127; + sun4i_tcon0_mode_set_common(tcon, mode); + +@@ -1249,12 +1249,14 @@ static int sun6i_tcon_set_mux(struct sun + static const struct sun4i_tcon_quirks sun4i_a10_quirks = { + .has_channel_0 = true, + .has_channel_1 = true, ++ .dclk_min_div = 4, + .set_mux = sun4i_a10_tcon_set_mux, + }; + + static const struct sun4i_tcon_quirks sun5i_a13_quirks = { + .has_channel_0 = true, + .has_channel_1 = true, ++ .dclk_min_div = 4, + .set_mux = sun5i_a13_tcon_set_mux, + }; + +@@ -1263,6 +1265,7 @@ static const struct sun4i_tcon_quirks su + .has_channel_1 = true, + .has_lvds_alt = true, + .needs_de_be_mux = true, ++ .dclk_min_div = 1, + .set_mux = sun6i_tcon_set_mux, + }; + +@@ -1270,11 +1273,13 @@ static const struct sun4i_tcon_quirks su + .has_channel_0 = true, + .has_channel_1 = true, + .needs_de_be_mux = true, ++ .dclk_min_div = 1, + }; + + static const struct sun4i_tcon_quirks sun7i_a20_quirks = { + .has_channel_0 = true, + .has_channel_1 = true, ++ .dclk_min_div = 4, + /* Same display pipeline structure as A10 */ + .set_mux = sun4i_a10_tcon_set_mux, + }; +@@ -1282,11 +1287,13 @@ static const struct sun4i_tcon_quirks su + static const struct sun4i_tcon_quirks sun8i_a33_quirks = { + .has_channel_0 = true, + .has_lvds_alt = true, ++ .dclk_min_div = 1, + }; + + static const struct sun4i_tcon_quirks sun8i_a83t_lcd_quirks = { + .supports_lvds = true, + .has_channel_0 = true, ++ .dclk_min_div = 1, + }; + + static const struct sun4i_tcon_quirks sun8i_a83t_tv_quirks = { +@@ -1295,11 +1302,13 @@ static const struct sun4i_tcon_quirks su + + static const struct sun4i_tcon_quirks sun8i_v3s_quirks = { + .has_channel_0 = true, ++ .dclk_min_div = 1, + }; + + static const struct sun4i_tcon_quirks sun9i_a80_tcon_lcd_quirks = { +- .has_channel_0 = true, +- .needs_edp_reset = true, ++ .has_channel_0 = true, ++ .needs_edp_reset = true, ++ .dclk_min_div = 1, + }; + + static const struct sun4i_tcon_quirks sun9i_a80_tcon_tv_quirks = { +--- a/drivers/gpu/drm/sun4i/sun4i_tcon.h ++++ b/drivers/gpu/drm/sun4i/sun4i_tcon.h +@@ -224,6 +224,7 @@ struct sun4i_tcon_quirks { + bool needs_de_be_mux; /* sun6i needs mux to select backend */ + bool needs_edp_reset; /* a80 edp reset needed for tcon0 access */ + bool supports_lvds; /* Does the TCON support an LVDS output? */ ++ u8 dclk_min_div; /* minimum divider for TCON0 DCLK */ + + /* callback to handle tcon muxing options */ + int (*set_mux)(struct sun4i_tcon *, const struct drm_encoder *); diff --git a/queue-4.19/hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch b/queue-4.19/hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch new file mode 100644 index 00000000000..1ae69df6b71 --- /dev/null +++ b/queue-4.19/hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch @@ -0,0 +1,52 @@ +From 8ec321e96e056de84022c032ffea253431a83c3c Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Tue, 10 Dec 2019 16:26:11 -0500 +Subject: HID: Fix slab-out-of-bounds read in hid_field_extract + +From: Alan Stern + +commit 8ec321e96e056de84022c032ffea253431a83c3c upstream. + +The syzbot fuzzer found a slab-out-of-bounds bug in the HID report +handler. The bug was caused by a report descriptor which included a +field with size 12 bits and count 4899, for a total size of 7349 +bytes. + +The usbhid driver uses at most a single-page 4-KB buffer for reports. +In the test there wasn't any problem about overflowing the buffer, +since only one byte was received from the device. Rather, the bug +occurred when the HID core tried to extract the data from the report +fields, which caused it to try reading data beyond the end of the +allocated buffer. + +This patch fixes the problem by rejecting any report whose total +length exceeds the HID_MAX_BUFFER_SIZE limit (minus one byte to allow +for a possible report index). In theory a device could have a report +longer than that, but if there was such a thing we wouldn't handle it +correctly anyway. + +Reported-and-tested-by: syzbot+09ef48aa58261464b621@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +CC: +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -288,6 +288,12 @@ static int hid_add_field(struct hid_pars + offset = report->size; + report->size += parser->global.report_size * parser->global.report_count; + ++ /* Total size check: Allow for possible report index byte */ ++ if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) { ++ hid_err(parser->device, "report is too long\n"); ++ return -1; ++ } ++ + if (!parser->local.usage_index) /* Ignore padding fields */ + return 0; + diff --git a/queue-4.19/hid-hid-input-clear-unmapped-usages.patch b/queue-4.19/hid-hid-input-clear-unmapped-usages.patch new file mode 100644 index 00000000000..26c52e8ab59 --- /dev/null +++ b/queue-4.19/hid-hid-input-clear-unmapped-usages.patch @@ -0,0 +1,73 @@ +From 4f3882177240a1f55e45a3d241d3121341bead78 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Sat, 7 Dec 2019 13:05:18 -0800 +Subject: HID: hid-input: clear unmapped usages + +From: Dmitry Torokhov + +commit 4f3882177240a1f55e45a3d241d3121341bead78 upstream. + +We should not be leaving half-mapped usages with potentially invalid +keycodes, as that may confuse hidinput_find_key() when the key is located +by index, which may end up feeding way too large keycode into the VT +keyboard handler and cause OOB write there: + +BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline] +BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline] +BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495 +Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722 +... + kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline] + kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495 + input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118 + input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145 + input_pass_values drivers/input/input.c:949 [inline] + input_set_keycode+0x290/0x320 drivers/input/input.c:954 + evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882 + evdev_do_ioctl drivers/input/evdev.c:1150 [inline] + +Cc: stable@vger.kernel.org +Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com +Signed-off-by: Dmitry Torokhov +Tested-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-input.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -1125,9 +1125,15 @@ static void hidinput_configure_usage(str + } + + mapped: +- if (device->driver->input_mapped && device->driver->input_mapped(device, +- hidinput, field, usage, &bit, &max) < 0) +- goto ignore; ++ if (device->driver->input_mapped && ++ device->driver->input_mapped(device, hidinput, field, usage, ++ &bit, &max) < 0) { ++ /* ++ * The driver indicated that no further generic handling ++ * of the usage is desired. ++ */ ++ return; ++ } + + set_bit(usage->type, input->evbit); + +@@ -1208,9 +1214,11 @@ mapped: + set_bit(MSC_SCAN, input->mscbit); + } + +-ignore: + return; + ++ignore: ++ usage->type = 0; ++ usage->code = 0; + } + + void hidinput_hid_event(struct hid_device *hid, struct hid_field *field, struct hid_usage *usage, __s32 value) diff --git a/queue-4.19/hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch b/queue-4.19/hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch new file mode 100644 index 00000000000..7ba28f7482d --- /dev/null +++ b/queue-4.19/hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch @@ -0,0 +1,33 @@ +From be54e7461ffdc5809b67d2aeefc1ddc9a91470c7 Mon Sep 17 00:00:00 2001 +From: Marcel Holtmann +Date: Wed, 4 Dec 2019 03:43:55 +0100 +Subject: HID: uhid: Fix returning EPOLLOUT from uhid_char_poll + +From: Marcel Holtmann + +commit be54e7461ffdc5809b67d2aeefc1ddc9a91470c7 upstream. + +Always return EPOLLOUT from uhid_char_poll to allow polling /dev/uhid +for writable state. + +Fixes: 1f9dec1e0164 ("HID: uhid: allow poll()'ing on uhid devices") +Signed-off-by: Marcel Holtmann +Cc: stable@vger.kernel.org +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/uhid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/uhid.c ++++ b/drivers/hid/uhid.c +@@ -775,7 +775,7 @@ static __poll_t uhid_char_poll(struct fi + if (uhid->head != uhid->tail) + return EPOLLIN | EPOLLRDNORM; + +- return 0; ++ return EPOLLOUT | EPOLLWRNORM; + } + + static const struct file_operations uhid_fops = { diff --git a/queue-4.19/input-add-safety-guards-to-input_set_keycode.patch b/queue-4.19/input-add-safety-guards-to-input_set_keycode.patch new file mode 100644 index 00000000000..67defb12d8f --- /dev/null +++ b/queue-4.19/input-add-safety-guards-to-input_set_keycode.patch @@ -0,0 +1,69 @@ +From cb222aed03d798fc074be55e59d9a112338ee784 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Fri, 13 Dec 2019 14:56:16 -0800 +Subject: Input: add safety guards to input_set_keycode() + +From: Dmitry Torokhov + +commit cb222aed03d798fc074be55e59d9a112338ee784 upstream. + +If we happen to have a garbage in input device's keycode table with values +too big we'll end up doing clear_bit() with offset way outside of our +bitmaps, damaging other objects within an input device or even outside of +it. Let's add sanity checks to the returned old keycodes. + +Reported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com +Reported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/input.c | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +--- a/drivers/input/input.c ++++ b/drivers/input/input.c +@@ -858,16 +858,18 @@ static int input_default_setkeycode(stru + } + } + +- __clear_bit(*old_keycode, dev->keybit); +- __set_bit(ke->keycode, dev->keybit); +- +- for (i = 0; i < dev->keycodemax; i++) { +- if (input_fetch_keycode(dev, i) == *old_keycode) { +- __set_bit(*old_keycode, dev->keybit); +- break; /* Setting the bit twice is useless, so break */ ++ if (*old_keycode <= KEY_MAX) { ++ __clear_bit(*old_keycode, dev->keybit); ++ for (i = 0; i < dev->keycodemax; i++) { ++ if (input_fetch_keycode(dev, i) == *old_keycode) { ++ __set_bit(*old_keycode, dev->keybit); ++ /* Setting the bit twice is useless, so break */ ++ break; ++ } + } + } + ++ __set_bit(ke->keycode, dev->keybit); + return 0; + } + +@@ -923,9 +925,13 @@ int input_set_keycode(struct input_dev * + * Simulate keyup event if keycode is not present + * in the keymap anymore + */ +- if (test_bit(EV_KEY, dev->evbit) && +- !is_event_supported(old_keycode, dev->keybit, KEY_MAX) && +- __test_and_clear_bit(old_keycode, dev->key)) { ++ if (old_keycode > KEY_MAX) { ++ dev_warn(dev->dev.parent ?: &dev->dev, ++ "%s: got too big old keycode %#x\n", ++ __func__, old_keycode); ++ } else if (test_bit(EV_KEY, dev->evbit) && ++ !is_event_supported(old_keycode, dev->keybit, KEY_MAX) && ++ __test_and_clear_bit(old_keycode, dev->key)) { + struct input_value vals[] = { + { EV_KEY, old_keycode, 0 }, + input_value_sync diff --git a/queue-4.19/input-input_event-fix-struct-padding-on-sparc64.patch b/queue-4.19/input-input_event-fix-struct-padding-on-sparc64.patch new file mode 100644 index 00000000000..277cc244a27 --- /dev/null +++ b/queue-4.19/input-input_event-fix-struct-padding-on-sparc64.patch @@ -0,0 +1,90 @@ +From f729a1b0f8df7091cea3729fc0e414f5326e1163 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 13 Dec 2019 14:06:58 -0800 +Subject: Input: input_event - fix struct padding on sparc64 + +From: Arnd Bergmann + +commit f729a1b0f8df7091cea3729fc0e414f5326e1163 upstream. + +Going through all uses of timeval, I noticed that we screwed up +input_event in the previous attempts to fix it: + +The time fields now match between kernel and user space, but all following +fields are in the wrong place. + +Add the required padding that is implied by the glibc timeval definition +to fix the layout, and use a struct initializer to avoid leaking kernel +stack data. + +Fixes: 141e5dcaa735 ("Input: input_event - fix the CONFIG_SPARC64 mixup") +Fixes: 2e746942ebac ("Input: input_event - provide override for sparc64") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20191213204936.3643476-2-arnd@arndb.de +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/evdev.c | 14 +++++++------- + drivers/input/misc/uinput.c | 14 +++++++++----- + include/uapi/linux/input.h | 1 + + 3 files changed, 17 insertions(+), 12 deletions(-) + +--- a/drivers/input/evdev.c ++++ b/drivers/input/evdev.c +@@ -241,13 +241,13 @@ static void __pass_event(struct evdev_cl + */ + client->tail = (client->head - 2) & (client->bufsize - 1); + +- client->buffer[client->tail].input_event_sec = +- event->input_event_sec; +- client->buffer[client->tail].input_event_usec = +- event->input_event_usec; +- client->buffer[client->tail].type = EV_SYN; +- client->buffer[client->tail].code = SYN_DROPPED; +- client->buffer[client->tail].value = 0; ++ client->buffer[client->tail] = (struct input_event) { ++ .input_event_sec = event->input_event_sec, ++ .input_event_usec = event->input_event_usec, ++ .type = EV_SYN, ++ .code = SYN_DROPPED, ++ .value = 0, ++ }; + + client->packet_head = client->tail; + } +--- a/drivers/input/misc/uinput.c ++++ b/drivers/input/misc/uinput.c +@@ -87,12 +87,16 @@ static int uinput_dev_event(struct input + struct uinput_device *udev = input_get_drvdata(dev); + struct timespec64 ts; + +- udev->buff[udev->head].type = type; +- udev->buff[udev->head].code = code; +- udev->buff[udev->head].value = value; + ktime_get_ts64(&ts); +- udev->buff[udev->head].input_event_sec = ts.tv_sec; +- udev->buff[udev->head].input_event_usec = ts.tv_nsec / NSEC_PER_USEC; ++ ++ udev->buff[udev->head] = (struct input_event) { ++ .input_event_sec = ts.tv_sec, ++ .input_event_usec = ts.tv_nsec / NSEC_PER_USEC, ++ .type = type, ++ .code = code, ++ .value = value, ++ }; ++ + udev->head = (udev->head + 1) % UINPUT_BUFFER_SIZE; + + wake_up_interruptible(&udev->waitq); +--- a/include/uapi/linux/input.h ++++ b/include/uapi/linux/input.h +@@ -34,6 +34,7 @@ struct input_event { + __kernel_ulong_t __sec; + #if defined(__sparc__) && defined(__arch64__) + unsigned int __usec; ++ unsigned int __pad; + #else + __kernel_ulong_t __usec; + #endif diff --git a/queue-4.19/kernel-trace-fix-do-not-unregister-tracepoints-when-register-sched_migrate_task-fail.patch b/queue-4.19/kernel-trace-fix-do-not-unregister-tracepoints-when-register-sched_migrate_task-fail.patch new file mode 100644 index 00000000000..bbc79adfcd3 --- /dev/null +++ b/queue-4.19/kernel-trace-fix-do-not-unregister-tracepoints-when-register-sched_migrate_task-fail.patch @@ -0,0 +1,45 @@ +From 50f9ad607ea891a9308e67b81f774c71736d1098 Mon Sep 17 00:00:00 2001 +From: Kaitao Cheng +Date: Tue, 31 Dec 2019 05:35:30 -0800 +Subject: kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail + +From: Kaitao Cheng + +commit 50f9ad607ea891a9308e67b81f774c71736d1098 upstream. + +In the function, if register_trace_sched_migrate_task() returns error, +sched_switch/sched_wakeup_new/sched_wakeup won't unregister. That is +why fail_deprobe_sched_switch was added. + +Link: http://lkml.kernel.org/r/20191231133530.2794-1-pilgrimtao@gmail.com + +Cc: stable@vger.kernel.org +Fixes: 478142c39c8c2 ("tracing: do not grab lock in wakeup latency function tracing") +Signed-off-by: Kaitao Cheng +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_sched_wakeup.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace_sched_wakeup.c ++++ b/kernel/trace/trace_sched_wakeup.c +@@ -640,7 +640,7 @@ static void start_wakeup_tracer(struct t + if (ret) { + pr_info("wakeup trace: Couldn't activate tracepoint" + " probe to kernel_sched_migrate_task\n"); +- return; ++ goto fail_deprobe_sched_switch; + } + + wakeup_reset(tr); +@@ -658,6 +658,8 @@ static void start_wakeup_tracer(struct t + printk(KERN_ERR "failed to start wakeup tracer\n"); + + return; ++fail_deprobe_sched_switch: ++ unregister_trace_sched_switch(probe_wakeup_sched_switch, NULL); + fail_deprobe_wake_new: + unregister_trace_sched_wakeup_new(probe_wakeup, NULL); + fail_deprobe: diff --git a/queue-4.19/series b/queue-4.19/series index 1897aba8168..9155b4c016d 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -5,3 +5,14 @@ alsa-usb-audio-apply-the-sample-rate-quirk-for-bose-companion-5.patch alsa-hda-realtek-add-new-codec-supported-for-alcs1200a.patch alsa-hda-realtek-set-eapd-control-to-default-for-alc222.patch alsa-hda-realtek-add-quirk-for-the-bass-speaker-on-lenovo-yoga-x1-7th-gen.patch +kernel-trace-fix-do-not-unregister-tracepoints-when-register-sched_migrate_task-fail.patch +tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not-defined.patch +tracing-change-offset-type-to-s32-in-preempt-irq-tracepoints.patch +hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch +hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch +hid-hid-input-clear-unmapped-usages.patch +input-add-safety-guards-to-input_set_keycode.patch +input-input_event-fix-struct-padding-on-sparc64.patch +drm-sun4i-tcon-set-rgb-dclk-min.-divider-based-on-hardware-model.patch +drm-fb-helper-round-up-bits_per_pixel-if-possible.patch +drm-dp_mst-correct-the-shifting-in-dp_remote_i2c_read.patch diff --git a/queue-4.19/tracing-change-offset-type-to-s32-in-preempt-irq-tracepoints.patch b/queue-4.19/tracing-change-offset-type-to-s32-in-preempt-irq-tracepoints.patch new file mode 100644 index 00000000000..58c29b6e027 --- /dev/null +++ b/queue-4.19/tracing-change-offset-type-to-s32-in-preempt-irq-tracepoints.patch @@ -0,0 +1,53 @@ +From bf44f488e168368cae4139b4b33c3d0aaa11679c Mon Sep 17 00:00:00 2001 +From: "Joel Fernandes (Google)" +Date: Thu, 2 Jan 2020 14:46:25 -0500 +Subject: tracing: Change offset type to s32 in preempt/irq tracepoints + +From: Joel Fernandes (Google) + +commit bf44f488e168368cae4139b4b33c3d0aaa11679c upstream. + +Discussion in the below link reported that symbols in modules can appear +to be before _stext on ARM architecture, causing wrapping with the +offsets of this tracepoint. Change the offset type to s32 to fix this. + +Link: http://lore.kernel.org/r/20191127154428.191095-1-antonio.borneo@st.com +Link: http://lkml.kernel.org/r/20200102194625.226436-1-joel@joelfernandes.org + +Cc: Bjorn Helgaas +Cc: David Sterba +Cc: Ingo Molnar +Cc: Mike Rapoport +Cc: "Rafael J. Wysocki" +Cc: Sakari Ailus +Cc: Antonio Borneo +Cc: stable@vger.kernel.org +Fixes: d59158162e032 ("tracing: Add support for preempt and irq enable/disable events") +Signed-off-by: Joel Fernandes (Google) +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + include/trace/events/preemptirq.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/include/trace/events/preemptirq.h ++++ b/include/trace/events/preemptirq.h +@@ -18,13 +18,13 @@ DECLARE_EVENT_CLASS(preemptirq_template, + TP_ARGS(ip, parent_ip), + + TP_STRUCT__entry( +- __field(u32, caller_offs) +- __field(u32, parent_offs) ++ __field(s32, caller_offs) ++ __field(s32, parent_offs) + ), + + TP_fast_assign( +- __entry->caller_offs = (u32)(ip - (unsigned long)_stext); +- __entry->parent_offs = (u32)(parent_ip - (unsigned long)_stext); ++ __entry->caller_offs = (s32)(ip - (unsigned long)_stext); ++ __entry->parent_offs = (s32)(parent_ip - (unsigned long)_stext); + ), + + TP_printk("caller=%pF parent=%pF", diff --git a/queue-4.19/tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not-defined.patch b/queue-4.19/tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not-defined.patch new file mode 100644 index 00000000000..18c132dfc01 --- /dev/null +++ b/queue-4.19/tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not-defined.patch @@ -0,0 +1,39 @@ +From b8299d362d0837ae39e87e9019ebe6b736e0f035 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Thu, 2 Jan 2020 22:02:41 -0500 +Subject: tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not defined + +From: Steven Rostedt (VMware) + +commit b8299d362d0837ae39e87e9019ebe6b736e0f035 upstream. + +On some archs with some configurations, MCOUNT_INSN_SIZE is not defined, and +this makes the stack tracer fail to compile. Just define it to zero in this +case. + +Link: https://lore.kernel.org/r/202001020219.zvE3vsty%lkp@intel.com + +Cc: stable@vger.kernel.org +Fixes: 4df297129f622 ("tracing: Remove most or all of stack tracer stack size from stack_max_size") +Reported-by: kbuild test robot +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_stack.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/kernel/trace/trace_stack.c ++++ b/kernel/trace/trace_stack.c +@@ -196,6 +196,11 @@ check_stack(unsigned long ip, unsigned l + local_irq_restore(flags); + } + ++/* Some archs may not define MCOUNT_INSN_SIZE */ ++#ifndef MCOUNT_INSN_SIZE ++# define MCOUNT_INSN_SIZE 0 ++#endif ++ + static void + stack_trace_call(unsigned long ip, unsigned long parent_ip, + struct ftrace_ops *op, struct pt_regs *pt_regs) -- 2.47.3