authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-01-13 22:55:46 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-01-13 22:55:46 +0100
commitaf43f8ea5fbcc567a5324e9bff63ef9a24ec4889 (patch)
tree4738e73ff054d92badb4488cef072d07a4cdd498
parent7430f75d8a0afa7312ca478c3943184dc091bde4 (diff)
downloadqueue-3.18-af43f8ea5fbcc567a5324e9bff63ef9a24ec4889.tar.gz
patches...
-rw-r--r--can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch42
-rw-r--r--can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from-polling-to-irq-mode.patch75
-rw-r--r--chardev-avoid-potential-use-after-free-in-chrdev_open.patch96
-rw-r--r--drm-dp_mst-correct-the-shifting-in-dp_remote_i2c_read.patch52
-rw-r--r--hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch52
-rw-r--r--hid-hid-input-clear-unmapped-usages.patch73
-rw-r--r--hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch41
-rw-r--r--input-add-safety-guards-to-input_set_keycode.patch69
-rw-r--r--kernel-trace-fix-do-not-unregister-tracepoints-when-register-sched_migrate_task-fail.patch45
-rw-r--r--series13
-rw-r--r--staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch32
-rw-r--r--staging-vt6656-set-usb_set_intfdata-on-driver-fail.patch55
-rw-r--r--tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not-defined.patch39
-rw-r--r--usb-musb-dma-correct-parameter-passed-to-irq-handler.patch35
14 files changed, 622 insertions, 97 deletions
diff --git a/can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch b/can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch
new file mode 100644
index 0000000..54e94e7
--- /dev/null
+++ b/can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch
@@ -0,0 +1,42 @@
+From 2f361cd9474ab2c4ab9ac8db20faf81e66c6279b Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:32:31 +0100
+Subject: can: gs_usb: gs_usb_probe(): use descriptors of current altsetting
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 2f361cd9474ab2c4ab9ac8db20faf81e66c6279b upstream.
+
+Make sure to always use the descriptors of the current alternate setting
+to avoid future issues when accessing fields that may differ between
+settings.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/gs_usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -847,7 +847,7 @@ static int gs_usb_probe(struct usb_inter
+ GS_USB_BREQ_HOST_FORMAT,
+ USB_DIR_OUT|USB_TYPE_VENDOR|USB_RECIP_INTERFACE,
+ 1,
+- intf->altsetting[0].desc.bInterfaceNumber,
++ intf->cur_altsetting->desc.bInterfaceNumber,
+ hconf,
+ sizeof(*hconf),
+ 1000);
+@@ -870,7 +870,7 @@ static int gs_usb_probe(struct usb_inter
+ GS_USB_BREQ_DEVICE_CONFIG,
+ USB_DIR_IN|USB_TYPE_VENDOR|USB_RECIP_INTERFACE,
+ 1,
+- intf->altsetting[0].desc.bInterfaceNumber,
++ intf->cur_altsetting->desc.bInterfaceNumber,
+ dconf,
+ sizeof(*dconf),
+ 1000);
diff --git a/can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from-polling-to-irq-mode.patch b/can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from-polling-to-irq-mode.patch
new file mode 100644
index 0000000..18e84ac
--- /dev/null
+++ b/can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from-polling-to-irq-mode.patch
@@ -0,0 +1,75 @@
+From 2d77bd61a2927be8f4e00d9478fe6996c47e8d45 Mon Sep 17 00:00:00 2001
+From: Florian Faber <faber@faberman.de>
+Date: Thu, 26 Dec 2019 19:51:24 +0100
+Subject: can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode
+
+From: Florian Faber <faber@faberman.de>
+
+commit 2d77bd61a2927be8f4e00d9478fe6996c47e8d45 upstream.
+
+Under load, the RX side of the mscan driver can get stuck while TX still
+works. Restarting the interface locks up the system. This behaviour
+could be reproduced reliably on a MPC5121e based system.
+
+The patch fixes the return value of the NAPI polling function (should be
+the number of processed packets, not constant 1) and the condition under
+which IRQs are enabled again after polling is finished.
+
+With this patch, no more lockups were observed over a test period of ten
+days.
+
+Fixes: afa17a500a36 ("net/can: add driver for mscan family & mpc52xx_mscan")
+Signed-off-by: Florian Faber <faber@faberman.de>
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/mscan/mscan.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/can/mscan/mscan.c
++++ b/drivers/net/can/mscan/mscan.c
+@@ -412,13 +412,12 @@ static int mscan_rx_poll(struct napi_str
+ struct net_device *dev = napi->dev;
+ struct mscan_regs __iomem *regs = priv->reg_base;
+ struct net_device_stats *stats = &dev->stats;
+- int npackets = 0;
+- int ret = 1;
++ int work_done = 0;
+ struct sk_buff *skb;
+ struct can_frame *frame;
+ u8 canrflg;
+
+- while (npackets < quota) {
++ while (work_done < quota) {
+ canrflg = in_8(&regs->canrflg);
+ if (!(canrflg & (MSCAN_RXF | MSCAN_ERR_IF)))
+ break;
+@@ -439,18 +438,18 @@ static int mscan_rx_poll(struct napi_str
+
+ stats->rx_packets++;
+ stats->rx_bytes += frame->can_dlc;
+- npackets++;
++ work_done++;
+ netif_receive_skb(skb);
+ }
+
+- if (!(in_8(&regs->canrflg) & (MSCAN_RXF | MSCAN_ERR_IF))) {
+- napi_complete(&priv->napi);
+- clear_bit(F_RX_PROGRESS, &priv->flags);
+- if (priv->can.state < CAN_STATE_BUS_OFF)
+- out_8(&regs->canrier, priv->shadow_canrier);
+- ret = 0;
++ if (work_done < quota) {
++ if (likely(napi_complete_done(&priv->napi, work_done))) {
++ clear_bit(F_RX_PROGRESS, &priv->flags);
++ if (priv->can.state < CAN_STATE_BUS_OFF)
++ out_8(&regs->canrier, priv->shadow_canrier);
++ }
+ }
+- return ret;
++ return work_done;
+ }
+
+ static irqreturn_t mscan_isr(int irq, void *dev_id)
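Review bot: The new completion path in mscan_rx_poll() tests the return value of `napi_complete_done()` inside `likely(...)`, which only builds and behaves as intended on a base where that helper exists and returns a bool; the archive name on this page says queue-3.18, so this should be confirmed before the patch is queued there. If that base only offers the `napi_complete(&priv->napi)` call seen on the removed side, the backport needs the `work_done < quota` test with an unconditional `napi_complete()` followed by the same `clear_bit()` and `out_8()` lines. mscan_rx_poll() starts before the first inner hunk and the loop body between the two inner hunks is not shown, so whether every path that consumes a frame also increments `work_done` cannot be checked from here.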
diff --git a/chardev-avoid-potential-use-after-free-in-chrdev_open.patch b/chardev-avoid-potential-use-after-free-in-chrdev_open.patch
deleted file mode 100644
index 056f1f7..0000000
--- a/chardev-avoid-potential-use-after-free-in-chrdev_open.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 68faa679b8be1a74e6663c21c3a9d25d32f1c079 Mon Sep 17 00:00:00 2001
-From: Will Deacon <will@kernel.org>
-Date: Thu, 19 Dec 2019 12:02:03 +0000
-Subject: chardev: Avoid potential use-after-free in 'chrdev_open()'
-
-From: Will Deacon <will@kernel.org>
-
-commit 68faa679b8be1a74e6663c21c3a9d25d32f1c079 upstream.
-
-'chrdev_open()' calls 'cdev_get()' to obtain a reference to the
-'struct cdev *' stashed in the 'i_cdev' field of the target inode
-structure. If the pointer is NULL, then it is initialised lazily by
-looking up the kobject in the 'cdev_map' and so the whole procedure is
-protected by the 'cdev_lock' spinlock to serialise initialisation of
-the shared pointer.
-
-Unfortunately, it is possible for the initialising thread to fail *after*
-installing the new pointer, for example if the subsequent '->open()' call
-on the file fails. In this case, 'cdev_put()' is called, the reference
-count on the kobject is dropped and, if nobody else has taken a reference,
-the release function is called which finally clears 'inode->i_cdev' from
-'cdev_purge()' before potentially freeing the object. The problem here
-is that a racing thread can happily take the 'cdev_lock' and see the
-non-NULL pointer in the inode, which can result in a refcount increment
-from zero and a warning:
-
- | ------------[ cut here ]------------
- | refcount_t: addition on 0; use-after-free.
- | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0
- | Modules linked in:
- | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22
- | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
- | RIP: 0010:refcount_warn_saturate+0x6d/0xf0
- | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08
- | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282
- | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000
- | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798
- | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039
- | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700
- | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700
- | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000
- | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
- | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0
- | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
- | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
- | Call Trace:
- | kobject_get+0x5c/0x60
- | cdev_get+0x2b/0x60
- | chrdev_open+0x55/0x220
- | ? cdev_put.part.3+0x20/0x20
- | do_dentry_open+0x13a/0x390
- | path_openat+0x2c8/0x1470
- | do_filp_open+0x93/0x100
- | ? selinux_file_ioctl+0x17f/0x220
- | do_sys_open+0x186/0x220
- | do_syscall_64+0x48/0x150
- | entry_SYSCALL_64_after_hwframe+0x44/0xa9
- | RIP: 0033:0x7f3b87efcd0e
- | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4
- | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
- | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e
- | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c
- | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000
- | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e
- | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000
- | ---[ end trace 24f53ca58db8180a ]---
-
-Since 'cdev_get()' can already fail to obtain a reference, simply move
-it over to use 'kobject_get_unless_zero()' instead of 'kobject_get()',
-which will cause the racing thread to return -ENXIO if the initialising
-thread fails unexpectedly.
-
-Cc: Hillf Danton <hdanton@sina.com>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: Al Viro <viro@zeniv.linux.org.uk>
-Reported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com
-Signed-off-by: Will Deacon <will@kernel.org>
-Cc: stable <stable@vger.kernel.org>
-Link: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- fs/char_dev.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/char_dev.c
-+++ b/fs/char_dev.c
-@@ -354,7 +354,7 @@ static struct kobject *cdev_get(struct c
-
- if (owner && !try_module_get(owner))
- return NULL;
-- kobj = kobject_get(&p->kobj);
-+ kobj = kobject_get_unless_zero(&p->kobj);
- if (!kobj)
- module_put(owner);
- return kobj;
diff --git a/drm-dp_mst-correct-the-shifting-in-dp_remote_i2c_read.patch b/drm-dp_mst-correct-the-shifting-in-dp_remote_i2c_read.patch
new file mode 100644
index 0000000..555c6f7
--- /dev/null
+++ b/drm-dp_mst-correct-the-shifting-in-dp_remote_i2c_read.patch
@@ -0,0 +1,52 @@
+From c4e4fccc5d52d881afaac11d3353265ef4eccb8b Mon Sep 17 00:00:00 2001
+From: Wayne Lin <Wayne.Lin@amd.com>
+Date: Fri, 3 Jan 2020 13:50:01 +0800
+Subject: drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ
+
+From: Wayne Lin <Wayne.Lin@amd.com>
+
+commit c4e4fccc5d52d881afaac11d3353265ef4eccb8b upstream.
+
+[Why]
+According to DP spec, it should shift left 4 digits for NO_STOP_BIT
+in REMOTE_I2C_READ message. Not 5 digits.
+
+In current code, NO_STOP_BIT is always set to zero which means I2C
+master is always generating a I2C stop at the end of each I2C write
+transaction while handling REMOTE_I2C_READ sideband message. This issue
+might have the generated I2C signal not meeting the requirement. Take
+random read in I2C for instance, I2C master should generate a repeat
+start to start to read data after writing the read address. This issue
+will cause the I2C master to generate a stop-start rather than a
+re-start which is not expected in I2C random read.
+
+[How]
+Correct the shifting value of NO_STOP_BIT for DP_REMOTE_I2C_READ case in
+drm_dp_encode_sideband_req().
+
+Changes since v1:(https://patchwork.kernel.org/patch/11312667/)
+* Add more descriptions in commit and cc to stable
+
+Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)")
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200103055001.10287-1-Wayne.Lin@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -272,7 +272,7 @@ static void drm_dp_encode_sideband_req(s
+ memcpy(&buf[idx], req->u.i2c_read.transactions[i].bytes, req->u.i2c_read.transactions[i].num_bytes);
+ idx += req->u.i2c_read.transactions[i].num_bytes;
+
+- buf[idx] = (req->u.i2c_read.transactions[i].no_stop_bit & 0x1) << 5;
++ buf[idx] = (req->u.i2c_read.transactions[i].no_stop_bit & 0x1) << 4;
+ buf[idx] |= (req->u.i2c_read.transactions[i].i2c_transaction_delay & 0xf);
+ idx++;
+ }
diff --git a/hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch b/hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch
new file mode 100644
index 0000000..29626ac
--- /dev/null
+++ b/hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch
@@ -0,0 +1,52 @@
+From 8ec321e96e056de84022c032ffea253431a83c3c Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 10 Dec 2019 16:26:11 -0500
+Subject: HID: Fix slab-out-of-bounds read in hid_field_extract
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 8ec321e96e056de84022c032ffea253431a83c3c upstream.
+
+The syzbot fuzzer found a slab-out-of-bounds bug in the HID report
+handler. The bug was caused by a report descriptor which included a
+field with size 12 bits and count 4899, for a total size of 7349
+bytes.
+
+The usbhid driver uses at most a single-page 4-KB buffer for reports.
+In the test there wasn't any problem about overflowing the buffer,
+since only one byte was received from the device. Rather, the bug
+occurred when the HID core tried to extract the data from the report
+fields, which caused it to try reading data beyond the end of the
+allocated buffer.
+
+This patch fixes the problem by rejecting any report whose total
+length exceeds the HID_MAX_BUFFER_SIZE limit (minus one byte to allow
+for a possible report index). In theory a device could have a report
+longer than that, but if there was such a thing we wouldn't handle it
+correctly anyway.
+
+Reported-and-tested-by: syzbot+09ef48aa58261464b621@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+CC: <stable@vger.kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -248,6 +248,12 @@ static int hid_add_field(struct hid_pars
+ offset = report->size;
+ report->size += parser->global.report_size * parser->global.report_count;
+
++ /* Total size check: Allow for possible report index byte */
++ if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) {
++ hid_err(parser->device, "report is too long\n");
++ return -1;
++ }
++
+ if (!parser->local.usage_index) /* Ignore padding fields */
+ return 0;
+
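Review bot: The added bound is tested only after `report->size += parser->global.report_size * parser->global.report_count;` has already run, so it is sound only if that product and the running sum cannot wrap. The limits on report_size and report_count are not visible in this hunk and should be confirmed for the target tree. On the `return -1` path report->size also keeps the oversized value, which is harmless only if every caller abandons the descriptor on failure. A comment stating the units would help, e.g. `/* report->size is in bits; limit is HID_MAX_BUFFER_SIZE - 1 bytes, one byte reserved for the report index */`. hid_add_field() begins and ends outside the hunk.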
diff --git a/hid-hid-input-clear-unmapped-usages.patch b/hid-hid-input-clear-unmapped-usages.patch
new file mode 100644
index 0000000..0447d77
--- /dev/null
+++ b/hid-hid-input-clear-unmapped-usages.patch
@@ -0,0 +1,73 @@
+From 4f3882177240a1f55e45a3d241d3121341bead78 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Sat, 7 Dec 2019 13:05:18 -0800
+Subject: HID: hid-input: clear unmapped usages
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 4f3882177240a1f55e45a3d241d3121341bead78 upstream.
+
+We should not be leaving half-mapped usages with potentially invalid
+keycodes, as that may confuse hidinput_find_key() when the key is located
+by index, which may end up feeding way too large keycode into the VT
+keyboard handler and cause OOB write there:
+
+BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
+BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
+BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
+Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
+...
+ kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
+ kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
+ input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
+ input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
+ input_pass_values drivers/input/input.c:949 [inline]
+ input_set_keycode+0x290/0x320 drivers/input/input.c:954
+ evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
+ evdev_do_ioctl drivers/input/evdev.c:1150 [inline]
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Tested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-input.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -956,9 +956,15 @@ static void hidinput_configure_usage(str
+ }
+
+ mapped:
+- if (device->driver->input_mapped && device->driver->input_mapped(device,
+- hidinput, field, usage, &bit, &max) < 0)
+- goto ignore;
++ if (device->driver->input_mapped &&
++ device->driver->input_mapped(device, hidinput, field, usage,
++ &bit, &max) < 0) {
++ /*
++ * The driver indicated that no further generic handling
++ * of the usage is desired.
++ */
++ return;
++ }
+
+ set_bit(usage->type, input->evbit);
+
+@@ -1017,9 +1023,11 @@ mapped:
+ set_bit(MSC_SCAN, input->mscbit);
+ }
+
+-ignore:
+ return;
+
++ignore:
++ usage->type = 0;
++ usage->code = 0;
+ }
+
+ void hidinput_hid_event(struct hid_device *hid, struct hid_field *field, struct hid_usage *usage, __s32 value)
diff --git a/hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch b/hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch
new file mode 100644
index 0000000..64fbc65
--- /dev/null
+++ b/hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch
@@ -0,0 +1,41 @@
+From be54e7461ffdc5809b67d2aeefc1ddc9a91470c7 Mon Sep 17 00:00:00 2001
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Wed, 4 Dec 2019 03:43:55 +0100
+Subject: HID: uhid: Fix returning EPOLLOUT from uhid_char_poll
+
+From: Marcel Holtmann <marcel@holtmann.org>
+
+commit be54e7461ffdc5809b67d2aeefc1ddc9a91470c7 upstream.
+
+Always return EPOLLOUT from uhid_char_poll to allow polling /dev/uhid
+for writable state.
+
+Fixes: 1f9dec1e0164 ("HID: uhid: allow poll()'ing on uhid devices")
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/uhid.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/uhid.c
++++ b/drivers/hid/uhid.c
+@@ -26,6 +26,7 @@
+ #include <linux/uhid.h>
+ #include <linux/wait.h>
+ #include <linux/uaccess.h>
++#include <linux/eventpoll.h>
+
+ #define UHID_NAME "uhid"
+ #define UHID_BUFSIZE 32
+@@ -787,7 +788,7 @@ static unsigned int uhid_char_poll(struc
+ if (uhid->head != uhid->tail)
+ return POLLIN | POLLRDNORM;
+
+- return 0;
++ return EPOLLOUT | EPOLLWRNORM;
+ }
+
+ static const struct file_operations uhid_fops = {
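Review bot: With data queued, uhid_char_poll() still returns only `POLLIN | POLLRDNORM`, so the writable bits are reported on the empty-queue path alone, which does not match the subject line's "always return EPOLLOUT". Accumulating a mask fixes that: `unsigned int mask = POLLOUT | POLLWRNORM;`, then `if (uhid->head != uhid->tail) mask |= POLLIN | POLLRDNORM;` and `return mask;`. Using the POLL* names throughout would also keep the function consistent with its existing `POLLIN` return; whether the added `<linux/eventpoll.h>` include actually provides EPOLLOUT and EPOLLWRNORM on this base should be confirmed. The function starts outside the hunk.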
diff --git a/input-add-safety-guards-to-input_set_keycode.patch b/input-add-safety-guards-to-input_set_keycode.patch
new file mode 100644
index 0000000..69639d2
--- /dev/null
+++ b/input-add-safety-guards-to-input_set_keycode.patch
@@ -0,0 +1,69 @@
+From cb222aed03d798fc074be55e59d9a112338ee784 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 13 Dec 2019 14:56:16 -0800
+Subject: Input: add safety guards to input_set_keycode()
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit cb222aed03d798fc074be55e59d9a112338ee784 upstream.
+
+If we happen to have a garbage in input device's keycode table with values
+too big we'll end up doing clear_bit() with offset way outside of our
+bitmaps, damaging other objects within an input device or even outside of
+it. Let's add sanity checks to the returned old keycodes.
+
+Reported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com
+Reported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/input.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+--- a/drivers/input/input.c
++++ b/drivers/input/input.c
+@@ -845,16 +845,18 @@ static int input_default_setkeycode(stru
+ }
+ }
+
+- __clear_bit(*old_keycode, dev->keybit);
+- __set_bit(ke->keycode, dev->keybit);
+-
+- for (i = 0; i < dev->keycodemax; i++) {
+- if (input_fetch_keycode(dev, i) == *old_keycode) {
+- __set_bit(*old_keycode, dev->keybit);
+- break; /* Setting the bit twice is useless, so break */
++ if (*old_keycode <= KEY_MAX) {
++ __clear_bit(*old_keycode, dev->keybit);
++ for (i = 0; i < dev->keycodemax; i++) {
++ if (input_fetch_keycode(dev, i) == *old_keycode) {
++ __set_bit(*old_keycode, dev->keybit);
++ /* Setting the bit twice is useless, so break */
++ break;
++ }
+ }
+ }
+
++ __set_bit(ke->keycode, dev->keybit);
+ return 0;
+ }
+
+@@ -910,9 +912,13 @@ int input_set_keycode(struct input_dev *
+ * Simulate keyup event if keycode is not present
+ * in the keymap anymore
+ */
+- if (test_bit(EV_KEY, dev->evbit) &&
+- !is_event_supported(old_keycode, dev->keybit, KEY_MAX) &&
+- __test_and_clear_bit(old_keycode, dev->key)) {
++ if (old_keycode > KEY_MAX) {
++ dev_warn(dev->dev.parent ?: &dev->dev,
++ "%s: got too big old keycode %#x\n",
++ __func__, old_keycode);
++ } else if (test_bit(EV_KEY, dev->evbit) &&
++ !is_event_supported(old_keycode, dev->keybit, KEY_MAX) &&
++ __test_and_clear_bit(old_keycode, dev->key)) {
+ struct input_value vals[] = {
+ { EV_KEY, old_keycode, 0 },
+ input_value_sync
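Review bot: Only the old keycode is range-checked: in input_default_setkeycode() the relocated `__set_bit(ke->keycode, dev->keybit);` runs unconditionally and nothing in the hunk bounds `ke->keycode`. If a caller already rejects values above KEY_MAX, a one-line comment naming where that check lives would make the asymmetry obviously safe; if not, the same `<= KEY_MAX` guard belongs on the set as well. Separately, the new `dev_warn()` in input_set_keycode() sits on a path that the KASAN trace quoted elsewhere on this page shows is reachable from the evdev keycode ioctl, so `dev_warn_ratelimited()` would keep a persistently bad table entry from flooding the log. Both functions extend beyond their hunks.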
diff --git a/kernel-trace-fix-do-not-unregister-tracepoints-when-register-sched_migrate_task-fail.patch b/kernel-trace-fix-do-not-unregister-tracepoints-when-register-sched_migrate_task-fail.patch
new file mode 100644
index 0000000..e203b02
--- /dev/null
+++ b/kernel-trace-fix-do-not-unregister-tracepoints-when-register-sched_migrate_task-fail.patch
@@ -0,0 +1,45 @@
+From 50f9ad607ea891a9308e67b81f774c71736d1098 Mon Sep 17 00:00:00 2001
+From: Kaitao Cheng <pilgrimtao@gmail.com>
+Date: Tue, 31 Dec 2019 05:35:30 -0800
+Subject: kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail
+
+From: Kaitao Cheng <pilgrimtao@gmail.com>
+
+commit 50f9ad607ea891a9308e67b81f774c71736d1098 upstream.
+
+In the function, if register_trace_sched_migrate_task() returns error,
+sched_switch/sched_wakeup_new/sched_wakeup won't unregister. That is
+why fail_deprobe_sched_switch was added.
+
+Link: http://lkml.kernel.org/r/20191231133530.2794-1-pilgrimtao@gmail.com
+
+Cc: stable@vger.kernel.org
+Fixes: 478142c39c8c2 ("tracing: do not grab lock in wakeup latency function tracing")
+Signed-off-by: Kaitao Cheng <pilgrimtao@gmail.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_sched_wakeup.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_sched_wakeup.c
++++ b/kernel/trace/trace_sched_wakeup.c
+@@ -567,7 +567,7 @@ static void start_wakeup_tracer(struct t
+ if (ret) {
+ pr_info("wakeup trace: Couldn't activate tracepoint"
+ " probe to kernel_sched_migrate_task\n");
+- return;
++ goto fail_deprobe_sched_switch;
+ }
+
+ wakeup_reset(tr);
+@@ -585,6 +585,8 @@ static void start_wakeup_tracer(struct t
+ printk(KERN_ERR "failed to start wakeup tracer\n");
+
+ return;
++fail_deprobe_sched_switch:
++ unregister_trace_sched_switch(probe_wakeup_sched_switch, NULL);
+ fail_deprobe_wake_new:
+ unregister_trace_sched_wakeup_new(probe_wakeup, NULL);
+ fail_deprobe:
diff --git a/series b/series
index 27ac010..d0b845f 100644
--- a/series
+++ b/series
@@ -1 +1,12 @@
-chardev-avoid-potential-use-after-free-in-chrdev_open.patch
+kernel-trace-fix-do-not-unregister-tracepoints-when-register-sched_migrate_task-fail.patch
+tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not-defined.patch
+hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch
+hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch
+hid-hid-input-clear-unmapped-usages.patch
+input-add-safety-guards-to-input_set_keycode.patch
+drm-dp_mst-correct-the-shifting-in-dp_remote_i2c_read.patch
+can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch
+can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from-polling-to-irq-mode.patch
+staging-vt6656-set-usb_set_intfdata-on-driver-fail.patch
+usb-musb-dma-correct-parameter-passed-to-irq-handler.patch
+staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch
diff --git a/staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch b/staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch
new file mode 100644
index 0000000..55c23f2
--- /dev/null
+++ b/staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch
@@ -0,0 +1,32 @@
+From 58dcc5bf4030cab548d5c98cd4cd3632a5444d5a Mon Sep 17 00:00:00 2001
+From: Michael Straube <straube.linux@gmail.com>
+Date: Sat, 28 Dec 2019 15:37:25 +0100
+Subject: staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21
+
+From: Michael Straube <straube.linux@gmail.com>
+
+commit 58dcc5bf4030cab548d5c98cd4cd3632a5444d5a upstream.
+
+This device was added to the stand-alone driver on github.
+Add it to the staging driver as well.
+
+Link: https://github.com/lwfinger/rtl8188eu/commit/b9b537aa25a8
+Signed-off-by: Michael Straube <straube.linux@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191228143725.24455-1-straube.linux@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+@@ -50,6 +50,7 @@ static struct usb_device_id rtw_usb_id_t
+ {USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */
+ {USB_DEVICE(0x2001, 0x331B)}, /* D-Link DWA-121 rev B1 */
+ {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */
++ {USB_DEVICE(0x2357, 0x0111)}, /* TP-Link TL-WN727N v5.21 */
+ {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
+ {USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */
+ {} /* Terminating entry */
diff --git a/staging-vt6656-set-usb_set_intfdata-on-driver-fail.patch b/staging-vt6656-set-usb_set_intfdata-on-driver-fail.patch
new file mode 100644
index 0000000..b34f08a
--- /dev/null
+++ b/staging-vt6656-set-usb_set_intfdata-on-driver-fail.patch
@@ -0,0 +1,55 @@
+From c0bcf9f3f5b661d4ace2a64a79ef661edd2a4dc8 Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley <tvboxspy@gmail.com>
+Date: Fri, 20 Dec 2019 21:15:59 +0000
+Subject: staging: vt6656: set usb_set_intfdata on driver fail.
+
+From: Malcolm Priestley <tvboxspy@gmail.com>
+
+commit c0bcf9f3f5b661d4ace2a64a79ef661edd2a4dc8 upstream.
+
+intfdata will contain stale pointer when the device is detached after
+failed initialization when referenced in vt6656_disconnect
+
+Provide driver access to it here and NULL it.
+
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Link: https://lore.kernel.org/r/6de448d7-d833-ef2e-dd7b-3ef9992fee0e@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/vt6656/device.h | 1 +
+ drivers/staging/vt6656/main_usb.c | 1 +
+ drivers/staging/vt6656/wcmd.c | 1 +
+ 3 files changed, 3 insertions(+)
+
+--- a/drivers/staging/vt6656/device.h
++++ b/drivers/staging/vt6656/device.h
+@@ -272,6 +272,7 @@ struct vnt_private {
+ u8 mac_hw;
+ /* netdev */
+ struct usb_device *usb;
++ struct usb_interface *intf;
+
+ u64 tsf_time;
+ u8 rx_rate;
+--- a/drivers/staging/vt6656/main_usb.c
++++ b/drivers/staging/vt6656/main_usb.c
+@@ -974,6 +974,7 @@ vt6656_probe(struct usb_interface *intf,
+ priv = hw->priv;
+ priv->hw = hw;
+ priv->usb = udev;
++ priv->intf = intf;
+
+ vnt_set_options(priv);
+
+--- a/drivers/staging/vt6656/wcmd.c
++++ b/drivers/staging/vt6656/wcmd.c
+@@ -113,6 +113,7 @@ void vnt_run_command(struct work_struct
+ if (vnt_init(priv)) {
+ /* If fail all ends TODO retry */
+ dev_err(&priv->usb->dev, "failed to start\n");
++ usb_set_intfdata(priv->intf, NULL);
+ ieee80211_free_hw(priv->hw);
+ return;
+ }
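Review bot: Clearing the pointer with `usb_set_intfdata(priv->intf, NULL);` in vnt_run_command() only helps if vt6656_disconnect() checks for NULL before touching the private data, and that function is not part of the change shown here. The clear also runs in workqueue context immediately before `ieee80211_free_hw(priv->hw)`, with no visible serialization against a disconnect that has already fetched the old pointer. It is worth confirming that the disconnect path either flushes this work first or shares a lock with it. A short comment on the new line, e.g. `/* disconnect must see NULL: hw (and presumably priv with it) is freed just below */`, would record why the order matters. vnt_run_command() starts before and continues after the hunk.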
diff --git a/tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not-defined.patch b/tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not-defined.patch
new file mode 100644
index 0000000..6a5fbc7
--- /dev/null
+++ b/tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not-defined.patch
@@ -0,0 +1,39 @@
+From b8299d362d0837ae39e87e9019ebe6b736e0f035 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Thu, 2 Jan 2020 22:02:41 -0500
+Subject: tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not defined
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit b8299d362d0837ae39e87e9019ebe6b736e0f035 upstream.
+
+On some archs with some configurations, MCOUNT_INSN_SIZE is not defined, and
+this makes the stack tracer fail to compile. Just define it to zero in this
+case.
+
+Link: https://lore.kernel.org/r/202001020219.zvE3vsty%lkp@intel.com
+
+Cc: stable@vger.kernel.org
+Fixes: 4df297129f622 ("tracing: Remove most or all of stack tracer stack size from stack_max_size")
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_stack.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/kernel/trace/trace_stack.c
++++ b/kernel/trace/trace_stack.c
+@@ -180,6 +180,11 @@ check_stack(unsigned long ip, unsigned l
+ local_irq_restore(flags);
+ }
+
++/* Some archs may not define MCOUNT_INSN_SIZE */
++#ifndef MCOUNT_INSN_SIZE
++# define MCOUNT_INSN_SIZE 0
++#endif
++
+ static void
+ stack_trace_call(unsigned long ip, unsigned long parent_ip,
+ struct ftrace_ops *op, struct pt_regs *pt_regs)
diff --git a/usb-musb-dma-correct-parameter-passed-to-irq-handler.patch b/usb-musb-dma-correct-parameter-passed-to-irq-handler.patch
new file mode 100644
index 0000000..9ad5f9e
--- /dev/null
+++ b/usb-musb-dma-correct-parameter-passed-to-irq-handler.patch
@@ -0,0 +1,35 @@
+From c80d0f4426c7fdc7efd6ae8d8b021dcfc89b4254 Mon Sep 17 00:00:00 2001
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Mon, 16 Dec 2019 10:18:43 -0600
+Subject: usb: musb: dma: Correct parameter passed to IRQ handler
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+commit c80d0f4426c7fdc7efd6ae8d8b021dcfc89b4254 upstream.
+
+The IRQ handler was passed a pointer to a struct dma_controller, but the
+argument was then casted to a pointer to a struct musb_dma_controller.
+
+Fixes: 427c4f333474 ("usb: struct device - replace bus_id with dev_name(), dev_set_name()")
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Tested-by: Artur Rojek <contact@artur-rojek.eu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Link: https://lore.kernel.org/r/20191216161844.772-2-b-liu@ti.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/musb/musbhsdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/musb/musbhsdma.c
++++ b/drivers/usb/musb/musbhsdma.c
+@@ -395,7 +395,7 @@ struct dma_controller *dma_controller_cr
+ controller->controller.channel_abort = dma_channel_abort;
+
+ if (request_irq(irq, dma_controller_irq, 0,
+- dev_name(musb->controller), &controller->controller)) {
++ dev_name(musb->controller), controller)) {
+ dev_err(dev, "request_irq %d failed!\n", irq);
+ dma_controller_destroy(&controller->controller);
+
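Review bot: The cookie passed to `request_irq()` changes from `&controller->controller` to `controller`, so the matching `free_irq()` has to pass the same pointer value. That call is not in this hunk (presumably it is reached through `dma_controller_destroy()`) and should be checked against the new cookie. If teardown still passes the embedded `struct dma_controller *`, it keeps working only while that member sits at offset 0 of the outer struct; passing the outer `controller` pointer there too removes that dependency. dma_controller_create() extends beyond the hunk.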