--- /dev/null
+From 80982c7e834e5d4e325b6ce33757012ecafdf0bb Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 4 Aug 2020 20:58:15 +0200
+Subject: ALSA: seq: oss: Serialize ioctls
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 80982c7e834e5d4e325b6ce33757012ecafdf0bb upstream.
+
+Some ioctls via OSS sequencer API may race and lead to UAF when the
+port create and delete are performed concurrently, as spotted by a
+couple of syzkaller cases. This patch is an attempt to address it by
+serializing the ioctls with the existing register_mutex.
+
+Basically OSS sequencer API is an obsoleted interface and was designed
+without much consideration of the concurrency. There are very few
+applications with it, and the concurrent performance isn't asked,
+hence this "big hammer" approach should be good enough.
+
+Reported-by: syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com
+Reported-by: syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com
+Suggested-by: Hillf Danton <hdanton@sina.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200804185815.2453-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/oss/seq_oss.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/sound/core/seq/oss/seq_oss.c
++++ b/sound/core/seq/oss/seq_oss.c
+@@ -181,10 +181,16 @@ static long
+ odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ {
+ struct seq_oss_devinfo *dp;
++ long rc;
++
+ dp = file->private_data;
+ if (snd_BUG_ON(!dp))
+ return -ENXIO;
+- return snd_seq_oss_ioctl(dp, cmd, arg);
++
++ mutex_lock(®ister_mutex);
++ rc = snd_seq_oss_ioctl(dp, cmd, arg);
++ mutex_unlock(®ister_mutex);
++ return rc;
+ }
+
+ #ifdef CONFIG_COMPAT
--- /dev/null
+From 4b836a1426cb0f1ef2a6e211d7e553221594f8fc Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Mon, 27 Jul 2020 14:04:24 +0200
+Subject: binder: Prevent context manager from incrementing ref 0
+
+From: Jann Horn <jannh@google.com>
+
+commit 4b836a1426cb0f1ef2a6e211d7e553221594f8fc upstream.
+
+Binder is designed such that a binder_proc never has references to
+itself. If this rule is violated, memory corruption can occur when a
+process sends a transaction to itself; see e.g.
+<https://syzkaller.appspot.com/bug?extid=09e05aba06723a94d43d>.
+
+There is a remaining edgecase through which such a transaction-to-self
+can still occur from the context of a task with BINDER_SET_CONTEXT_MGR
+access:
+
+ - task A opens /dev/binder twice, creating binder_proc instances P1
+ and P2
+ - P1 becomes context manager
+ - P2 calls ACQUIRE on the magic handle 0, allocating index 0 in its
+ handle table
+ - P1 dies (by closing the /dev/binder fd and waiting a bit)
+ - P2 becomes context manager
+ - P2 calls ACQUIRE on the magic handle 0, allocating index 1 in its
+ handle table
+ [this triggers a warning: "binder: 1974:1974 tried to acquire
+ reference to desc 0, got 1 instead"]
+ - task B opens /dev/binder once, creating binder_proc instance P3
+ - P3 calls P2 (via magic handle 0) with (void*)1 as argument (two-way
+ transaction)
+ - P2 receives the handle and uses it to call P3 (two-way transaction)
+ - P3 calls P2 (via magic handle 0) (two-way transaction)
+ - P2 calls P2 (via handle 1) (two-way transaction)
+
+And then, if P2 does *NOT* accept the incoming transaction work, but
+instead closes the binder fd, we get a crash.
+
+Solve it by preventing the context manager from using ACQUIRE on ref 0.
+There shouldn't be any legitimate reason for the context manager to do
+that.
+
+Additionally, print a warning if someone manages to find another way to
+trigger a transaction-to-self bug in the future.
+
+Cc: stable@vger.kernel.org
+Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
+Acked-by: Todd Kjos <tkjos@google.com>
+Signed-off-by: Jann Horn <jannh@google.com>
+Reviewed-by: Martijn Coenen <maco@android.com>
+Link: https://lore.kernel.org/r/20200727120424.1627555-1-jannh@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2862,6 +2862,12 @@ static void binder_transaction(struct bi
+ goto err_dead_binder;
+ }
+ e->to_node = target_node->debug_id;
++ if (WARN_ON(proc == target_proc)) {
++ return_error = BR_FAILED_REPLY;
++ return_error_param = -EINVAL;
++ return_error_line = __LINE__;
++ goto err_invalid_target_handle;
++ }
+ if (security_binder_transaction(proc->tsk,
+ target_proc->tsk) < 0) {
+ return_error = BR_FAILED_REPLY;
+@@ -3366,10 +3372,17 @@ static int binder_thread_write(struct bi
+ struct binder_node *ctx_mgr_node;
+ mutex_lock(&context->context_mgr_node_lock);
+ ctx_mgr_node = context->binder_context_mgr_node;
+- if (ctx_mgr_node)
++ if (ctx_mgr_node) {
++ if (ctx_mgr_node->proc == proc) {
++ binder_user_error("%d:%d context manager tried to acquire desc 0\n",
++ proc->pid, thread->pid);
++ mutex_unlock(&context->context_mgr_node_lock);
++ return -EINVAL;
++ }
+ ret = binder_inc_ref_for_node(
+ proc, ctx_mgr_node,
+ strong, NULL, &rdata);
++ }
+ mutex_unlock(&context->context_mgr_node_lock);
+ }
+ if (ret)
--- /dev/null
+From 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 Mon Sep 17 00:00:00 2001
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Fri, 10 Jul 2020 12:09:15 -0400
+Subject: Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+commit 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 upstream.
+
+Check upon `num_rsp` is insufficient. A malformed event packet with a
+large `num_rsp` number makes hci_extended_inquiry_result_evt() go out
+of bounds. Fix it.
+
+This patch fixes the following syzbot bug:
+
+ https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2
+
+Reported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hci_event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -4151,7 +4151,7 @@ static void hci_extended_inquiry_result_
+
+ BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
+
+- if (!num_rsp)
++ if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
+ return;
+
+ if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
--- /dev/null
+From 75bbd2ea50ba1c5d9da878a17e92eac02fe0fd3a Mon Sep 17 00:00:00 2001
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Fri, 10 Jul 2020 17:39:18 -0400
+Subject: Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+commit 75bbd2ea50ba1c5d9da878a17e92eac02fe0fd3a upstream.
+
+Check `num_rsp` before using it as for-loop counter.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hci_event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -2360,7 +2360,7 @@ static void hci_inquiry_result_evt(struc
+
+ BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
+
+- if (!num_rsp)
++ if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
+ return;
+
+ if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
--- /dev/null
+From 629b49c848ee71244203934347bd7730b0ddee8d Mon Sep 17 00:00:00 2001
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Fri, 10 Jul 2020 17:45:26 -0400
+Subject: Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+commit 629b49c848ee71244203934347bd7730b0ddee8d upstream.
+
+Check `num_rsp` before using it as for-loop counter. Add `unlock` label.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hci_event.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -3948,6 +3948,9 @@ static void hci_inquiry_result_with_rssi
+ struct inquiry_info_with_rssi_and_pscan_mode *info;
+ info = (void *) (skb->data + 1);
+
++ if (skb->len < num_rsp * sizeof(*info) + 1)
++ goto unlock;
++
+ for (; num_rsp; num_rsp--, info++) {
+ u32 flags;
+
+@@ -3969,6 +3972,9 @@ static void hci_inquiry_result_with_rssi
+ } else {
+ struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
+
++ if (skb->len < num_rsp * sizeof(*info) + 1)
++ goto unlock;
++
+ for (; num_rsp; num_rsp--, info++) {
+ u32 flags;
+
+@@ -3989,6 +3995,7 @@ static void hci_inquiry_result_with_rssi
+ }
+ }
+
++unlock:
+ hci_dev_unlock(hdev);
+ }
+
--- /dev/null
+From eca21c2d8655387823d695b26e6fe78cf3975c05 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 1 Jun 2020 15:39:45 +0200
+Subject: leds: 88pm860x: fix use-after-free on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit eca21c2d8655387823d695b26e6fe78cf3975c05 upstream.
+
+Several MFD child drivers register their class devices directly under
+the parent device. This means you cannot blindly do devres conversions
+so that deregistration ends up being tied to the parent device,
+something which leads to use-after-free on driver unbind when the class
+device is released while still being registered.
+
+Fixes: 375446df95ee ("leds: 88pm860x: Use devm_led_classdev_register")
+Cc: stable <stable@vger.kernel.org> # 4.6
+Cc: Amitoj Kaur Chawla <amitoj1606@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/leds/leds-88pm860x.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/leds/leds-88pm860x.c
++++ b/drivers/leds/leds-88pm860x.c
+@@ -207,21 +207,33 @@ static int pm860x_led_probe(struct platf
+ data->cdev.brightness_set_blocking = pm860x_led_set;
+ mutex_init(&data->lock);
+
+- ret = devm_led_classdev_register(chip->dev, &data->cdev);
++ ret = led_classdev_register(chip->dev, &data->cdev);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "Failed to register LED: %d\n", ret);
+ return ret;
+ }
+ pm860x_led_set(&data->cdev, 0);
++
++ platform_set_drvdata(pdev, data);
++
+ return 0;
+ }
+
++static int pm860x_led_remove(struct platform_device *pdev)
++{
++ struct pm860x_led *data = platform_get_drvdata(pdev);
++
++ led_classdev_unregister(&data->cdev);
++
++ return 0;
++}
+
+ static struct platform_driver pm860x_led_driver = {
+ .driver = {
+ .name = "88pm860x-led",
+ },
+ .probe = pm860x_led_probe,
++ .remove = pm860x_led_remove,
+ };
+
+ module_platform_driver(pm860x_led_driver);
--- /dev/null
+From 6f4aa35744f69ed9b0bf5a736c9ca9b44bc1dcea Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 1 Jun 2020 15:39:46 +0200
+Subject: leds: da903x: fix use-after-free on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 6f4aa35744f69ed9b0bf5a736c9ca9b44bc1dcea upstream.
+
+Several MFD child drivers register their class devices directly under
+the parent device. This means you cannot blindly do devres conversions
+so that deregistration ends up being tied to the parent device,
+something which leads to use-after-free on driver unbind when the class
+device is released while still being registered.
+
+Fixes: eed16255d66b ("leds: da903x: Use devm_led_classdev_register")
+Cc: stable <stable@vger.kernel.org> # 4.6
+Cc: Amitoj Kaur Chawla <amitoj1606@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/leds/leds-da903x.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/leds/leds-da903x.c
++++ b/drivers/leds/leds-da903x.c
+@@ -113,12 +113,23 @@ static int da903x_led_probe(struct platf
+ led->flags = pdata->flags;
+ led->master = pdev->dev.parent;
+
+- ret = devm_led_classdev_register(led->master, &led->cdev);
++ ret = led_classdev_register(led->master, &led->cdev);
+ if (ret) {
+ dev_err(&pdev->dev, "failed to register LED %d\n", id);
+ return ret;
+ }
+
++ platform_set_drvdata(pdev, led);
++
++ return 0;
++}
++
++static int da903x_led_remove(struct platform_device *pdev)
++{
++ struct da903x_led *led = platform_get_drvdata(pdev);
++
++ led_classdev_unregister(&led->cdev);
++
+ return 0;
+ }
+
+@@ -127,6 +138,7 @@ static struct platform_driver da903x_led
+ .name = "da903x-led",
+ },
+ .probe = da903x_led_probe,
++ .remove = da903x_led_remove,
+ };
+
+ module_platform_driver(da903x_led_driver);
--- /dev/null
+From d584221e683bbd173738603b83a315f27d27d043 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 1 Jun 2020 15:39:47 +0200
+Subject: leds: lm3533: fix use-after-free on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit d584221e683bbd173738603b83a315f27d27d043 upstream.
+
+Several MFD child drivers register their class devices directly under
+the parent device. This means you cannot blindly do devres conversions
+so that deregistration ends up being tied to the parent device,
+something which leads to use-after-free on driver unbind when the class
+device is released while still being registered.
+
+Fixes: 50154e29e5cc ("leds: lm3533: Use devm_led_classdev_register")
+Cc: stable <stable@vger.kernel.org> # 4.6
+Cc: Amitoj Kaur Chawla <amitoj1606@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/leds/leds-lm3533.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/leds/leds-lm3533.c
++++ b/drivers/leds/leds-lm3533.c
+@@ -698,7 +698,7 @@ static int lm3533_led_probe(struct platf
+
+ platform_set_drvdata(pdev, led);
+
+- ret = devm_led_classdev_register(pdev->dev.parent, &led->cdev);
++ ret = led_classdev_register(pdev->dev.parent, &led->cdev);
+ if (ret) {
+ dev_err(&pdev->dev, "failed to register LED %d\n", pdev->id);
+ return ret;
+@@ -708,13 +708,18 @@ static int lm3533_led_probe(struct platf
+
+ ret = lm3533_led_setup(led, pdata);
+ if (ret)
+- return ret;
++ goto err_deregister;
+
+ ret = lm3533_ctrlbank_enable(&led->cb);
+ if (ret)
+- return ret;
++ goto err_deregister;
+
+ return 0;
++
++err_deregister:
++ led_classdev_unregister(&led->cdev);
++
++ return ret;
+ }
+
+ static int lm3533_led_remove(struct platform_device *pdev)
+@@ -724,6 +729,7 @@ static int lm3533_led_remove(struct plat
+ dev_dbg(&pdev->dev, "%s\n", __func__);
+
+ lm3533_ctrlbank_disable(&led->cb);
++ led_classdev_unregister(&led->cdev);
+
+ return 0;
+ }
--- /dev/null
+From 47a459ecc800a17109d0c496a4e21e478806ee40 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 1 Jun 2020 15:39:49 +0200
+Subject: leds: wm831x-status: fix use-after-free on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 47a459ecc800a17109d0c496a4e21e478806ee40 upstream.
+
+Several MFD child drivers register their class devices directly under
+the parent device. This means you cannot blindly do devres conversions
+so that deregistration ends up being tied to the parent device,
+something which leads to use-after-free on driver unbind when the class
+device is released while still being registered.
+
+Fixes: 8d3b6a4001ce ("leds: wm831x-status: Use devm_led_classdev_register")
+Cc: stable <stable@vger.kernel.org> # 4.6
+Cc: Amitoj Kaur Chawla <amitoj1606@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/leds/leds-wm831x-status.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/leds/leds-wm831x-status.c
++++ b/drivers/leds/leds-wm831x-status.c
+@@ -273,12 +273,23 @@ static int wm831x_status_probe(struct pl
+ drvdata->cdev.blink_set = wm831x_status_blink_set;
+ drvdata->cdev.groups = wm831x_status_groups;
+
+- ret = devm_led_classdev_register(wm831x->dev, &drvdata->cdev);
++ ret = led_classdev_register(wm831x->dev, &drvdata->cdev);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "Failed to register LED: %d\n", ret);
+ return ret;
+ }
+
++ platform_set_drvdata(pdev, drvdata);
++
++ return 0;
++}
++
++static int wm831x_status_remove(struct platform_device *pdev)
++{
++ struct wm831x_status *drvdata = platform_get_drvdata(pdev);
++
++ led_classdev_unregister(&drvdata->cdev);
++
+ return 0;
+ }
+
+@@ -287,6 +298,7 @@ static struct platform_driver wm831x_sta
+ .name = "wm831x-status",
+ },
+ .probe = wm831x_status_probe,
++ .remove = wm831x_status_remove,
+ };
+
+ module_platform_driver(wm831x_status_driver);
--- /dev/null
+From f7e6b19bc76471ba03725fe58e0c218a3d6266c3 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 16 Jul 2020 13:53:46 +0200
+Subject: mtd: properly check all write ioctls for permissions
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit f7e6b19bc76471ba03725fe58e0c218a3d6266c3 upstream.
+
+When doing a "write" ioctl call, properly check that we have permissions
+to do so before copying anything from userspace or anything else so we
+can "fail fast". This includes also covering the MEMWRITE ioctl which
+previously missed checking for this.
+
+Cc: Miquel Raynal <miquel.raynal@bootlin.com>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Vignesh Raghavendra <vigneshr@ti.com>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[rw: Fixed locking issue]
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/mtdchar.c | 56 +++++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 47 insertions(+), 9 deletions(-)
+
+--- a/drivers/mtd/mtdchar.c
++++ b/drivers/mtd/mtdchar.c
+@@ -368,9 +368,6 @@ static int mtdchar_writeoob(struct file
+ uint32_t retlen;
+ int ret = 0;
+
+- if (!(file->f_mode & FMODE_WRITE))
+- return -EPERM;
+-
+ if (length > 4096)
+ return -EINVAL;
+
+@@ -655,6 +652,48 @@ static int mtdchar_ioctl(struct file *fi
+
+ pr_debug("MTD_ioctl\n");
+
++ /*
++ * Check the file mode to require "dangerous" commands to have write
++ * permissions.
++ */
++ switch (cmd) {
++ /* "safe" commands */
++ case MEMGETREGIONCOUNT:
++ case MEMGETREGIONINFO:
++ case MEMGETINFO:
++ case MEMREADOOB:
++ case MEMREADOOB64:
++ case MEMLOCK:
++ case MEMUNLOCK:
++ case MEMISLOCKED:
++ case MEMGETOOBSEL:
++ case MEMGETBADBLOCK:
++ case MEMSETBADBLOCK:
++ case OTPSELECT:
++ case OTPGETREGIONCOUNT:
++ case OTPGETREGIONINFO:
++ case OTPLOCK:
++ case ECCGETLAYOUT:
++ case ECCGETSTATS:
++ case MTDFILEMODE:
++ case BLKPG:
++ case BLKRRPART:
++ break;
++
++ /* "dangerous" commands */
++ case MEMERASE:
++ case MEMERASE64:
++ case MEMWRITEOOB:
++ case MEMWRITEOOB64:
++ case MEMWRITE:
++ if (!(file->f_mode & FMODE_WRITE))
++ return -EPERM;
++ break;
++
++ default:
++ return -ENOTTY;
++ }
++
+ switch (cmd) {
+ case MEMGETREGIONCOUNT:
+ if (copy_to_user(argp, &(mtd->numeraseregions), sizeof(int)))
+@@ -702,9 +741,6 @@ static int mtdchar_ioctl(struct file *fi
+ {
+ struct erase_info *erase;
+
+- if(!(file->f_mode & FMODE_WRITE))
+- return -EPERM;
+-
+ erase=kzalloc(sizeof(struct erase_info),GFP_KERNEL);
+ if (!erase)
+ ret = -ENOMEM;
+@@ -997,9 +1033,6 @@ static int mtdchar_ioctl(struct file *fi
+ ret = 0;
+ break;
+ }
+-
+- default:
+- ret = -ENOTTY;
+ }
+
+ return ret;
+@@ -1043,6 +1076,11 @@ static long mtdchar_compat_ioctl(struct
+ struct mtd_oob_buf32 buf;
+ struct mtd_oob_buf32 __user *buf_user = argp;
+
++ if (!(file->f_mode & FMODE_WRITE)) {
++ ret = -EPERM;
++ break;
++ }
++
+ if (copy_from_user(&buf, argp, sizeof(buf)))
+ ret = -EFAULT;
+ else
--- /dev/null
+From 254503a2b186caa668a188dbbd7ab0d25149c0a5 Mon Sep 17 00:00:00 2001
+From: Adam Ford <aford173@gmail.com>
+Date: Tue, 30 Jun 2020 13:26:36 -0500
+Subject: omapfb: dss: Fix max fclk divider for omap36xx
+
+From: Adam Ford <aford173@gmail.com>
+
+commit 254503a2b186caa668a188dbbd7ab0d25149c0a5 upstream.
+
+The drm/omap driver was fixed to correct an issue where using a
+divider of 32 breaks the DSS despite the TRM stating 32 is a valid
+number. Through experimentation, it appears that 31 works, and
+it is consistent with the value used by the drm/omap driver.
+
+This patch fixes the divider for fbdev driver instead of the drm.
+
+Fixes: f76ee892a99e ("omapfb: copy omapdss & displays for omapfb")
+Cc: <stable@vger.kernel.org> #4.5+
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Cc: Dave Airlie <airlied@gmail.com>
+Cc: Rob Clark <robdclark@gmail.com>
+[b.zolnierkie: mark patch as applicable to stable 4.5+ (was 4.9+)]
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200630182636.439015-1-aford173@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/omap2/omapfb/dss/dss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/omap2/omapfb/dss/dss.c
++++ b/drivers/video/fbdev/omap2/omapfb/dss/dss.c
+@@ -844,7 +844,7 @@ static const struct dss_features omap34x
+ };
+
+ static const struct dss_features omap3630_dss_feats = {
+- .fck_div_max = 32,
++ .fck_div_max = 31,
+ .dss_fck_multiplier = 1,
+ .parent_clk_name = "dpll4_ck",
+ .dpi_select_source = &dss_dpi_select_source_omap2_omap3,
--- /dev/null
+From 07c9983b567d0ef33aefc063299de95a987e12a8 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Mon, 3 Aug 2020 14:46:38 +0800
+Subject: Revert "ALSA: hda: call runtime_allow() for all hda controllers"
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 07c9983b567d0ef33aefc063299de95a987e12a8 upstream.
+
+This reverts commit 9a6418487b56 ("ALSA: hda: call runtime_allow()
+for all hda controllers").
+
+The reverted patch already introduced some regressions on some
+machines:
+ - on gemini-lake machines, the error of "azx_get_response timeout"
+ happens in the hda driver.
+ - on the machines with alc662 codec, the audio jack detection doesn't
+ work anymore.
+
+Fixes: 9a6418487b56 ("ALSA: hda: call runtime_allow() for all hda controllers")
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=208511
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Link: https://lore.kernel.org/r/20200803064638.6139-1-hui.wang@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_intel.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2478,7 +2478,6 @@ static int azx_probe_continue(struct azx
+
+ if (azx_has_pm_runtime(chip)) {
+ pm_runtime_use_autosuspend(&pci->dev);
+- pm_runtime_allow(&pci->dev);
+ pm_runtime_put_autosuspend(&pci->dev);
+ }
+
usb-serial-qcserial-add-em7305-qdl-product-id.patch
+usb-iowarrior-fix-up-report-size-handling-for-some-devices.patch
+usb-xhci-define-ids-for-various-asmedia-host-controllers.patch
+usb-xhci-fix-asmedia-asm1142-dma-addressing.patch
+revert-alsa-hda-call-runtime_allow-for-all-hda-controllers.patch
+alsa-seq-oss-serialize-ioctls.patch
+staging-android-ashmem-fix-lockdep-warning-for-write-operation.patch
+bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch
+bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch
+bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch
+omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch
+binder-prevent-context-manager-from-incrementing-ref-0.patch
+vgacon-fix-for-missing-check-in-scrollback-handling.patch
+mtd-properly-check-all-write-ioctls-for-permissions.patch
+leds-wm831x-status-fix-use-after-free-on-unbind.patch
+leds-da903x-fix-use-after-free-on-unbind.patch
+leds-lm3533-fix-use-after-free-on-unbind.patch
+leds-88pm860x-fix-use-after-free-on-unbind.patch
--- /dev/null
+From 3e338d3c95c735dc3265a86016bb4c022ec7cadc Mon Sep 17 00:00:00 2001
+From: Suren Baghdasaryan <surenb@google.com>
+Date: Thu, 30 Jul 2020 12:26:32 -0700
+Subject: staging: android: ashmem: Fix lockdep warning for write operation
+
+From: Suren Baghdasaryan <surenb@google.com>
+
+commit 3e338d3c95c735dc3265a86016bb4c022ec7cadc upstream.
+
+syzbot report [1] describes a deadlock when write operation against an
+ashmem fd executed at the time when ashmem is shrinking its cache results
+in the following lock sequence:
+
+Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(fs_reclaim);
+ lock(&sb->s_type->i_mutex_key#13);
+ lock(fs_reclaim);
+ lock(&sb->s_type->i_mutex_key#13);
+
+kswapd takes fs_reclaim and then inode_lock while generic_perform_write
+takes inode_lock and then fs_reclaim. However ashmem does not support
+writing into backing shmem with a write syscall. The only way to change
+its content is to mmap it and operate on mapped memory. Therefore the race
+that lockdep is warning about is not valid. Resolve this by introducing a
+separate lockdep class for the backing shmem inodes.
+
+[1]: https://lkml.kernel.org/lkml/0000000000000b5f9d059aa2037f@google.com/
+
+Reported-by: syzbot+7a0d9d0b26efefe61780@syzkaller.appspotmail.com
+Signed-off-by: Suren Baghdasaryan <surenb@google.com>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Link: https://lore.kernel.org/r/20200730192632.3088194-1-surenb@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/android/ashmem.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -95,6 +95,15 @@ static DEFINE_MUTEX(ashmem_mutex);
+ static struct kmem_cache *ashmem_area_cachep __read_mostly;
+ static struct kmem_cache *ashmem_range_cachep __read_mostly;
+
++/*
++ * A separate lockdep class for the backing shmem inodes to resolve the lockdep
++ * warning about the race between kswapd taking fs_reclaim before inode_lock
++ * and write syscall taking inode_lock and then fs_reclaim.
++ * Note that such race is impossible because ashmem does not support write
++ * syscalls operating on the backing shmem.
++ */
++static struct lock_class_key backing_shmem_inode_class;
++
+ static inline unsigned long range_size(struct ashmem_range *range)
+ {
+ return range->pgend - range->pgstart + 1;
+@@ -395,6 +404,7 @@ static int ashmem_mmap(struct file *file
+ if (!asma->file) {
+ char *name = ASHMEM_NAME_DEF;
+ struct file *vmfile;
++ struct inode *inode;
+
+ if (asma->name[ASHMEM_NAME_PREFIX_LEN] != '\0')
+ name = asma->name;
+@@ -406,6 +416,8 @@ static int ashmem_mmap(struct file *file
+ goto out;
+ }
+ vmfile->f_mode |= FMODE_LSEEK;
++ inode = file_inode(vmfile);
++ lockdep_set_class(&inode->i_rwsem, &backing_shmem_inode_class);
+ asma->file = vmfile;
+ /*
+ * override mmap operation of the vmfile so that it can't be
--- /dev/null
+From 17a82716587e9d7c3b246a789add490b2b5dcab6 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sun, 26 Jul 2020 11:49:39 +0200
+Subject: USB: iowarrior: fix up report size handling for some devices
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 17a82716587e9d7c3b246a789add490b2b5dcab6 upstream.
+
+In previous patches that added support for new iowarrior devices, the
+handling of the report size was not done correct.
+
+Fix that up and update the copyright date for the driver
+
+Reworked from an original patch written by Christoph Jung.
+
+Fixes: bab5417f5f01 ("USB: misc: iowarrior: add support for the 100 device")
+Fixes: 5f6f8da2d7b5 ("USB: misc: iowarrior: add support for the 28 and 28L devices")
+Fixes: 461d8deb26a7 ("USB: misc: iowarrior: add support for 2 OEMed devices")
+Cc: stable <stable@kernel.org>
+Reported-by: Christoph Jung <jung@codemercs.com>
+Link: https://lore.kernel.org/r/20200726094939.1268978-1-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/iowarrior.c | 35 +++++++++++++++++++++++++----------
+ 1 file changed, 25 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -2,8 +2,9 @@
+ /*
+ * Native support for the I/O-Warrior USB devices
+ *
+- * Copyright (c) 2003-2005 Code Mercenaries GmbH
+- * written by Christian Lucht <lucht@codemercs.com>
++ * Copyright (c) 2003-2005, 2020 Code Mercenaries GmbH
++ * written by Christian Lucht <lucht@codemercs.com> and
++ * Christoph Jung <jung@codemercs.com>
+ *
+ * based on
+
+@@ -817,14 +818,28 @@ static int iowarrior_probe(struct usb_in
+
+ /* we have to check the report_size often, so remember it in the endianness suitable for our machine */
+ dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
+- if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
+- ((dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56) ||
+- (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56AM) ||
+- (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW28) ||
+- (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW28L) ||
+- (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW100)))
+- /* IOWarrior56 has wMaxPacketSize different from report size */
+- dev->report_size = 7;
++
++ /*
++ * Some devices need the report size to be different than the
++ * endpoint size.
++ */
++ if (dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) {
++ switch (dev->product_id) {
++ case USB_DEVICE_ID_CODEMERCS_IOW56:
++ case USB_DEVICE_ID_CODEMERCS_IOW56AM:
++ dev->report_size = 7;
++ break;
++
++ case USB_DEVICE_ID_CODEMERCS_IOW28:
++ case USB_DEVICE_ID_CODEMERCS_IOW28L:
++ dev->report_size = 4;
++ break;
++
++ case USB_DEVICE_ID_CODEMERCS_IOW100:
++ dev->report_size = 13;
++ break;
++ }
++ }
+
+ /* create the urb and buffer for reading */
+ dev->int_in_urb = usb_alloc_urb(0, GFP_KERNEL);
--- /dev/null
+From 1841cb255da41e87bed9573915891d056f80e2e7 Mon Sep 17 00:00:00 2001
+From: Forest Crossman <cyrozap@gmail.com>
+Date: Mon, 27 Jul 2020 23:24:07 -0500
+Subject: usb: xhci: define IDs for various ASMedia host controllers
+
+From: Forest Crossman <cyrozap@gmail.com>
+
+commit 1841cb255da41e87bed9573915891d056f80e2e7 upstream.
+
+Not all ASMedia host controllers have a device ID that matches its part
+number. #define some of these IDs to make it clearer at a glance which
+chips require what quirks.
+
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Forest Crossman <cyrozap@gmail.com>
+Link: https://lore.kernel.org/r/20200728042408.180529-2-cyrozap@gmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-pci.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -47,7 +47,9 @@
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_3 0x43ba
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_2 0x43bb
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_1 0x43bc
++#define PCI_DEVICE_ID_ASMEDIA_1042_XHCI 0x1042
+ #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142
++#define PCI_DEVICE_ID_ASMEDIA_2142_XHCI 0x2142
+
+ static const char hcd_name[] = "xhci_hcd";
+
+@@ -226,13 +228,13 @@ static void xhci_pci_quirks(struct devic
+ xhci->quirks |= XHCI_BROKEN_STREAMS;
+
+ if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
+- pdev->device == 0x1042)
++ pdev->device == PCI_DEVICE_ID_ASMEDIA_1042_XHCI)
+ xhci->quirks |= XHCI_BROKEN_STREAMS;
+ if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
+- pdev->device == 0x1142)
++ pdev->device == PCI_DEVICE_ID_ASMEDIA_1042A_XHCI)
+ xhci->quirks |= XHCI_TRUST_TX_LENGTH;
+ if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
+- pdev->device == 0x2142)
++ pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI)
+ xhci->quirks |= XHCI_NO_64BIT_SUPPORT;
+
+ if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
--- /dev/null
+From ec37198acca7b4c17b96247697406e47aafe0605 Mon Sep 17 00:00:00 2001
+From: Forest Crossman <cyrozap@gmail.com>
+Date: Mon, 27 Jul 2020 23:24:08 -0500
+Subject: usb: xhci: Fix ASMedia ASM1142 DMA addressing
+
+From: Forest Crossman <cyrozap@gmail.com>
+
+commit ec37198acca7b4c17b96247697406e47aafe0605 upstream.
+
+I've confirmed that the ASMedia ASM1142 has the same problem as the
+ASM2142/ASM3142, in that it too reports that it supports 64-bit DMA
+addresses when in fact it does not. As with the ASM2142/ASM3142, this
+can cause problems on systems where the upper bits matter, and adding
+the XHCI_NO_64BIT_SUPPORT quirk completely fixes the issue.
+
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Forest Crossman <cyrozap@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200728042408.180529-3-cyrozap@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -49,6 +49,7 @@
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_1 0x43bc
+ #define PCI_DEVICE_ID_ASMEDIA_1042_XHCI 0x1042
+ #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142
++#define PCI_DEVICE_ID_ASMEDIA_1142_XHCI 0x1242
+ #define PCI_DEVICE_ID_ASMEDIA_2142_XHCI 0x2142
+
+ static const char hcd_name[] = "xhci_hcd";
+@@ -234,7 +235,8 @@ static void xhci_pci_quirks(struct devic
+ pdev->device == PCI_DEVICE_ID_ASMEDIA_1042A_XHCI)
+ xhci->quirks |= XHCI_TRUST_TX_LENGTH;
+ if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
+- pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI)
++ (pdev->device == PCI_DEVICE_ID_ASMEDIA_1142_XHCI ||
++ pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI))
+ xhci->quirks |= XHCI_NO_64BIT_SUPPORT;
+
+ if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
--- /dev/null
+From ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d Mon Sep 17 00:00:00 2001
+From: Yunhai Zhang <zhangyunhai@nsfocus.com>
+Date: Tue, 28 Jul 2020 09:58:03 +0800
+Subject: vgacon: Fix for missing check in scrollback handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yunhai Zhang <zhangyunhai@nsfocus.com>
+
+commit ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d upstream.
+
+vgacon_scrollback_update() always leaves enbough room in the scrollback
+buffer for the next call, but if the console size changed that room
+might not actually be enough, and so we need to re-check.
+
+The check should be in the loop since vgacon_scrollback_cur->tail is
+updated in the loop and count may be more than 1 when triggered by CSI M,
+as Jiri's PoC:
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <fcntl.h>
+
+int main(int argc, char** argv)
+{
+ int fd = open("/dev/tty1", O_RDWR);
+ unsigned short size[3] = {25, 200, 0};
+ ioctl(fd, 0x5609, size); // VT_RESIZE
+
+ write(fd, "\e[1;1H", 6);
+ for (int i = 0; i < 30; i++)
+ write(fd, "\e[10M", 5);
+}
+
+It leads to various crashes as vgacon_scrollback_update writes out of
+the buffer:
+ BUG: unable to handle page fault for address: ffffc900001752a0
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ RIP: 0010:mutex_unlock+0x13/0x30
+...
+ Call Trace:
+ n_tty_write+0x1a0/0x4d0
+ tty_write+0x1a0/0x2e0
+
+Or to KASAN reports:
+BUG: KASAN: slab-out-of-bounds in vgacon_scroll+0x57a/0x8ed
+
+This fixes CVE-2020-14331.
+
+Reported-by: 张云海 <zhangyunhai@nsfocus.com>
+Reported-by: Yang Yingliang <yangyingliang@huawei.com>
+Reported-by: Kyungtae Kim <kt0755@gmail.com>
+Fixes: 15bdab959c9b ([PATCH] vgacon: Add support for soft scrollback)
+Cc: stable@vger.kernel.org
+Cc: linux-fbdev@vger.kernel.org
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Solar Designer <solar@openwall.com>
+Cc: "Srivatsa S. Bhat" <srivatsa@csail.mit.edu>
+Cc: Anthony Liguori <aliguori@amazon.com>
+Cc: Yang Yingliang <yangyingliang@huawei.com>
+Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Cc: Jiri Slaby <jirislaby@kernel.org>
+Signed-off-by: Yunhai Zhang <zhangyunhai@nsfocus.com>
+Link: https://lore.kernel.org/r/9fb43895-ca91-9b07-ebfd-808cf854ca95@nsfocus.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/console/vgacon.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/video/console/vgacon.c
++++ b/drivers/video/console/vgacon.c
+@@ -251,6 +251,10 @@ static void vgacon_scrollback_update(str
+ p = (void *) (c->vc_origin + t * c->vc_size_row);
+
+ while (count--) {
++ if ((vgacon_scrollback_cur->tail + c->vc_size_row) >
++ vgacon_scrollback_cur->size)
++ vgacon_scrollback_cur->tail = 0;
++
+ scr_memcpyw(vgacon_scrollback_cur->data +
+ vgacon_scrollback_cur->tail,
+ p, c->vc_size_row);
projects / thirdparty / kernel / stable-queue.git / commitdiff
