From b70be86e96e3c265efa74fa492bf69dc264ec2be Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Tue, 15 Sep 2020 15:24:39 +0200
Subject: [PATCH] 4.9-stable patches
added patches:
fbcon-remove-now-unusued-softback_lines-cursor-argument.patch
fbcon-remove-soft-scrollback-code.patch
kvm-vmx-don-t-freeze-guest-when-event-delivery-causes-an-apic-access-exit.patch
staging-greybus-audio-fix-uninitialized-value-issue.patch
usb-core-fix-slab-out-of-bounds-read-in-read_descriptors.patch
usb-fix-out-of-sync-data-toggle-if-a-configured-device-is-reconfigured.patch
usb-serial-ftdi_sio-add-ids-for-xsens-mti-usb-converter.patch
usb-serial-option-add-support-for-sim7070-sim7080-sim7090-modules.patch
vgacon-remove-software-scrollback-support.patch
video-fbdev-fix-oob-read-in-vga_8planes_imageblit.patch
---
...usued-softback_lines-cursor-argument.patch | 178 ++++++
.../fbcon-remove-soft-scrollback-code.patch | 526 ++++++++++++++++++
...-delivery-causes-an-apic-access-exit.patch | 34 ++
queue-4.9/series | 10 +
...-audio-fix-uninitialized-value-issue.patch | 82 +++
...t-of-bounds-read-in-read_descriptors.patch | 52 ++
...-a-configured-device-is-reconfigured.patch | 180 ++++++
...-add-ids-for-xsens-mti-usb-converter.patch | 42 ++
...-for-sim7070-sim7080-sim7090-modules.patch | 79 +++
...n-remove-software-scrollback-support.patch | 320 +++++++++++
...ix-oob-read-in-vga_8planes_imageblit.patch | 35 ++
11 files changed, 1538 insertions(+)
create mode 100644 queue-4.9/fbcon-remove-now-unusued-softback_lines-cursor-argument.patch
create mode 100644 queue-4.9/fbcon-remove-soft-scrollback-code.patch
create mode 100644 queue-4.9/kvm-vmx-don-t-freeze-guest-when-event-delivery-causes-an-apic-access-exit.patch
create mode 100644 queue-4.9/staging-greybus-audio-fix-uninitialized-value-issue.patch
create mode 100644 queue-4.9/usb-core-fix-slab-out-of-bounds-read-in-read_descriptors.patch
create mode 100644 queue-4.9/usb-fix-out-of-sync-data-toggle-if-a-configured-device-is-reconfigured.patch
create mode 100644 queue-4.9/usb-serial-ftdi_sio-add-ids-for-xsens-mti-usb-converter.patch
create mode 100644 queue-4.9/usb-serial-option-add-support-for-sim7070-sim7080-sim7090-modules.patch
create mode 100644 queue-4.9/vgacon-remove-software-scrollback-support.patch
create mode 100644 queue-4.9/video-fbdev-fix-oob-read-in-vga_8planes_imageblit.patch
diff --git a/queue-4.9/fbcon-remove-now-unusued-softback_lines-cursor-argument.patch b/queue-4.9/fbcon-remove-now-unusued-softback_lines-cursor-argument.patch
new file mode 100644
index 00000000000..a7efde5ed96
--- /dev/null
+++ b/queue-4.9/fbcon-remove-now-unusued-softback_lines-cursor-argument.patch
@@ -0,0 +1,178 @@ +From 06a0df4d1b8b13b551668e47b11fd7629033b7df Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Tue, 8 Sep 2020 10:56:27 -0700 +Subject: fbcon: remove now unusued 'softback_lines' cursor() argument + +From: Linus Torvalds + +commit 06a0df4d1b8b13b551668e47b11fd7629033b7df upstream. + +Since the softscroll code got removed, this argument is always zero and +makes no sense any more. + +Tested-by: Yuan Ming +Tested-by: Willy Tarreau +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/console/bitblit.c | 11 +---------- + drivers/video/console/fbcon.c | 4 ++-- + drivers/video/console/fbcon.h | 2 +- + drivers/video/console/fbcon_ccw.c | 11 +---------- + drivers/video/console/fbcon_cw.c | 11 +---------- + drivers/video/console/fbcon_ud.c | 11 +---------- + drivers/video/console/tileblit.c | 2 +- + 7 files changed, 8 insertions(+), 44 deletions(-) + +--- a/drivers/video/console/bitblit.c ++++ b/drivers/video/console/bitblit.c +@@ -234,7 +234,7 @@ static void bit_clear_margins(struct vc_ + } + + static void bit_cursor(struct vc_data *vc, struct fb_info *info, int mode, +- int softback_lines, int fg, int bg) ++ int fg, int bg) + { + struct fb_cursor cursor; + struct fbcon_ops *ops = info->fbcon_par; +@@ -247,15 +247,6 @@ static void bit_cursor(struct vc_data *v + + cursor.set = 0; + +- if (softback_lines) { +- if (y + softback_lines >= vc->vc_rows) { +- mode = CM_ERASE; +- ops->cursor_flash = 0; +- return; +- } else +- y += softback_lines; +- } +- + c = scr_readw((u16 *) vc->vc_pos); + attribute = get_attribute(info, c); + src = vc->vc_font.data + ((c & charmask) * (w * vc->vc_font.height)); +--- a/drivers/video/console/fbcon.c ++++ b/drivers/video/console/fbcon.c +@@ -370,7 +370,7 @@ static void fb_flashcursor(struct work_s + c = scr_readw((u16 *) vc->vc_pos); + mode = (!ops->cursor_flash || ops->cursor_state.enable) ? 
+ CM_ERASE : CM_DRAW; +- ops->cursor(vc, info, mode, 0, get_color(vc, info, c, 1), ++ ops->cursor(vc, info, mode, get_color(vc, info, c, 1), + get_color(vc, info, c, 0)); + console_unlock(); + } +@@ -1270,7 +1270,7 @@ static void fbcon_cursor(struct vc_data + + ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1; + +- ops->cursor(vc, info, mode, 0, get_color(vc, info, c, 1), ++ ops->cursor(vc, info, mode, get_color(vc, info, c, 1), + get_color(vc, info, c, 0)); + } + +--- a/drivers/video/console/fbcon.h ++++ b/drivers/video/console/fbcon.h +@@ -62,7 +62,7 @@ struct fbcon_ops { + void (*clear_margins)(struct vc_data *vc, struct fb_info *info, + int bottom_only); + void (*cursor)(struct vc_data *vc, struct fb_info *info, int mode, +- int softback_lines, int fg, int bg); ++ int fg, int bg); + int (*update_start)(struct fb_info *info); + int (*rotate_font)(struct fb_info *info, struct vc_data *vc); + struct fb_var_screeninfo var; /* copy of the current fb_var_screeninfo */ +--- a/drivers/video/console/fbcon_ccw.c ++++ b/drivers/video/console/fbcon_ccw.c +@@ -219,7 +219,7 @@ static void ccw_clear_margins(struct vc_ + } + + static void ccw_cursor(struct vc_data *vc, struct fb_info *info, int mode, +- int softback_lines, int fg, int bg) ++ int fg, int bg) + { + struct fb_cursor cursor; + struct fbcon_ops *ops = info->fbcon_par; +@@ -236,15 +236,6 @@ static void ccw_cursor(struct vc_data *v + + cursor.set = 0; + +- if (softback_lines) { +- if (y + softback_lines >= vc->vc_rows) { +- mode = CM_ERASE; +- ops->cursor_flash = 0; +- return; +- } else +- y += softback_lines; +- } +- + c = scr_readw((u16 *) vc->vc_pos); + attribute = get_attribute(info, c); + src = ops->fontbuffer + ((c & charmask) * (w * vc->vc_font.width)); +--- a/drivers/video/console/fbcon_cw.c ++++ b/drivers/video/console/fbcon_cw.c +@@ -202,7 +202,7 @@ static void cw_clear_margins(struct vc_d + } + + static void cw_cursor(struct vc_data *vc, struct fb_info *info, int mode, +- int softback_lines, int fg, int bg) 
++ int fg, int bg) + { + struct fb_cursor cursor; + struct fbcon_ops *ops = info->fbcon_par; +@@ -219,15 +219,6 @@ static void cw_cursor(struct vc_data *vc + + cursor.set = 0; + +- if (softback_lines) { +- if (y + softback_lines >= vc->vc_rows) { +- mode = CM_ERASE; +- ops->cursor_flash = 0; +- return; +- } else +- y += softback_lines; +- } +- + c = scr_readw((u16 *) vc->vc_pos); + attribute = get_attribute(info, c); + src = ops->fontbuffer + ((c & charmask) * (w * vc->vc_font.width)); +--- a/drivers/video/console/fbcon_ud.c ++++ b/drivers/video/console/fbcon_ud.c +@@ -249,7 +249,7 @@ static void ud_clear_margins(struct vc_d + } + + static void ud_cursor(struct vc_data *vc, struct fb_info *info, int mode, +- int softback_lines, int fg, int bg) ++ int fg, int bg) + { + struct fb_cursor cursor; + struct fbcon_ops *ops = info->fbcon_par; +@@ -267,15 +267,6 @@ static void ud_cursor(struct vc_data *vc + + cursor.set = 0; + +- if (softback_lines) { +- if (y + softback_lines >= vc->vc_rows) { +- mode = CM_ERASE; +- ops->cursor_flash = 0; +- return; +- } else +- y += softback_lines; +- } +- + c = scr_readw((u16 *) vc->vc_pos); + attribute = get_attribute(info, c); + src = ops->fontbuffer + ((c & charmask) * (w * vc->vc_font.height)); +--- a/drivers/video/console/tileblit.c ++++ b/drivers/video/console/tileblit.c +@@ -80,7 +80,7 @@ static void tile_clear_margins(struct vc + } + + static void tile_cursor(struct vc_data *vc, struct fb_info *info, int mode, +- int softback_lines, int fg, int bg) ++ int fg, int bg) + { + struct fb_tilecursor cursor; + int use_sw = (vc->vc_cursor_type & 0x10); diff --git a/queue-4.9/fbcon-remove-soft-scrollback-code.patch b/queue-4.9/fbcon-remove-soft-scrollback-code.patch new file mode 100644 index 00000000000..6d1e1645780 --- /dev/null +++ b/queue-4.9/fbcon-remove-soft-scrollback-code.patch 
@@ -0,0 +1,526 @@ +From 50145474f6ef4a9c19205b173da6264a644c7489 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Mon, 7 Sep 2020 11:45:27 -0700 +Subject: fbcon: remove soft scrollback code + +From: Linus Torvalds + +commit 50145474f6ef4a9c19205b173da6264a644c7489 upstream. + +This (and the VGA soft scrollback) turns out to have various nasty small +special cases that nobody really is willing to fight. The soft +scrollback code was really useful a few decades ago when you typically +used the console interactively as the main way to interact with the +machine, but that just isn't the case any more. + +So it's not worth dragging along. + +Tested-by: Yuan Ming +Tested-by: Willy Tarreau +Acked-by: Bartlomiej Zolnierkiewicz +Acked-by: Daniel Vetter +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/console/fbcon.c | 334 ------------------------------------------ + 1 file changed, 4 insertions(+), 330 deletions(-) + +--- a/drivers/video/console/fbcon.c ++++ b/drivers/video/console/fbcon.c +@@ -101,12 +101,6 @@ static int logo_lines; + /* logo_shown is an index to vc_cons when >= 0; otherwise follows FBCON_LOGO + enums. 
*/ + static int logo_shown = FBCON_LOGO_CANSHOW; +-/* Software scrollback */ +-static int fbcon_softback_size = 32768; +-static unsigned long softback_buf, softback_curr; +-static unsigned long softback_in; +-static unsigned long softback_top, softback_end; +-static int softback_lines; + /* console mappings */ + static int first_fb_vc; + static int last_fb_vc = MAX_NR_CONSOLES - 1; +@@ -140,8 +134,6 @@ static int fbcon_has_sysfs; + + static const struct consw fb_con; + +-#define CM_SOFTBACK (8) +- + #define advance_row(p, delta) (unsigned short *)((unsigned long)(p) + (delta) * vc->vc_size_row) + + static int fbcon_set_origin(struct vc_data *); +@@ -349,18 +341,6 @@ static int get_color(struct vc_data *vc, + return color; + } + +-static void fbcon_update_softback(struct vc_data *vc) +-{ +- int l = fbcon_softback_size / vc->vc_size_row; +- +- if (l > 5) +- softback_end = softback_buf + l * vc->vc_size_row; +- else +- /* Smaller scrollback makes no sense, and 0 would screw +- the operation totally */ +- softback_top = 0; +-} +- + static void fb_flashcursor(struct work_struct *work) + { + struct fb_info *info = container_of(work, struct fb_info, queue); +@@ -390,7 +370,7 @@ static void fb_flashcursor(struct work_s + c = scr_readw((u16 *) vc->vc_pos); + mode = (!ops->cursor_flash || ops->cursor_state.enable) ? 
+ CM_ERASE : CM_DRAW; +- ops->cursor(vc, info, mode, softback_lines, get_color(vc, info, c, 1), ++ ops->cursor(vc, info, mode, 0, get_color(vc, info, c, 1), + get_color(vc, info, c, 0)); + console_unlock(); + } +@@ -450,13 +430,7 @@ static int __init fb_console_setup(char + } + + if (!strncmp(options, "scrollback:", 11)) { +- options += 11; +- if (*options) { +- fbcon_softback_size = simple_strtoul(options, &options, 0); +- if (*options == 'k' || *options == 'K') { +- fbcon_softback_size *= 1024; +- } +- } ++ pr_warn("Ignoring scrollback size option\n"); + continue; + } + +@@ -961,31 +935,6 @@ static const char *fbcon_startup(void) + p->con_rotate = initial_rotation; + set_blitting_type(vc, info); + +- if (info->fix.type != FB_TYPE_TEXT) { +- if (fbcon_softback_size) { +- if (!softback_buf) { +- softback_buf = +- (unsigned long) +- kmalloc(fbcon_softback_size, +- GFP_KERNEL); +- if (!softback_buf) { +- fbcon_softback_size = 0; +- softback_top = 0; +- } +- } +- } else { +- if (softback_buf) { +- kfree((void *) softback_buf); +- softback_buf = 0; +- softback_top = 0; +- } +- } +- if (softback_buf) +- softback_in = softback_top = softback_curr = +- softback_buf; +- softback_lines = 0; +- } +- + /* Setup default font */ + if (!p->fontdata && !vc->vc_font.data) { + if (!fontname[0] || !(font = find_font(fontname))) +@@ -1148,9 +1097,6 @@ static void fbcon_init(struct vc_data *v + if (logo) + fbcon_prepare_logo(vc, info, cols, rows, new_cols, new_rows); + +- if (vc == svc && softback_buf) +- fbcon_update_softback(vc); +- + if (ops->rotate_font && ops->rotate_font(info, vc)) { + ops->rotate = FB_ROTATE_UR; + set_blitting_type(vc, info); +@@ -1310,7 +1256,6 @@ static void fbcon_cursor(struct vc_data + { + struct fb_info *info = registered_fb[con2fb_map[vc->vc_num]]; + struct fbcon_ops *ops = info->fbcon_par; +- int y; + int c = scr_readw((u16 *) vc->vc_pos); + + ops->cur_blink_jiffies = msecs_to_jiffies(vc->vc_cur_blink_ms); +@@ -1324,16 +1269,8 @@ static void 
fbcon_cursor(struct vc_data + fbcon_add_cursor_timer(info); + + ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1; +- if (mode & CM_SOFTBACK) { +- mode &= ~CM_SOFTBACK; +- y = softback_lines; +- } else { +- if (softback_lines) +- fbcon_set_origin(vc); +- y = 0; +- } + +- ops->cursor(vc, info, mode, y, get_color(vc, info, c, 1), ++ ops->cursor(vc, info, mode, 0, get_color(vc, info, c, 1), + get_color(vc, info, c, 0)); + } + +@@ -1404,8 +1341,6 @@ static void fbcon_set_disp(struct fb_inf + + if (con_is_visible(vc)) { + update_screen(vc); +- if (softback_buf) +- fbcon_update_softback(vc); + } + } + +@@ -1543,99 +1478,6 @@ static __inline__ void ypan_down_redraw( + scrollback_current = 0; + } + +-static void fbcon_redraw_softback(struct vc_data *vc, struct display *p, +- long delta) +-{ +- int count = vc->vc_rows; +- unsigned short *d, *s; +- unsigned long n; +- int line = 0; +- +- d = (u16 *) softback_curr; +- if (d == (u16 *) softback_in) +- d = (u16 *) vc->vc_origin; +- n = softback_curr + delta * vc->vc_size_row; +- softback_lines -= delta; +- if (delta < 0) { +- if (softback_curr < softback_top && n < softback_buf) { +- n += softback_end - softback_buf; +- if (n < softback_top) { +- softback_lines -= +- (softback_top - n) / vc->vc_size_row; +- n = softback_top; +- } +- } else if (softback_curr >= softback_top +- && n < softback_top) { +- softback_lines -= +- (softback_top - n) / vc->vc_size_row; +- n = softback_top; +- } +- } else { +- if (softback_curr > softback_in && n >= softback_end) { +- n += softback_buf - softback_end; +- if (n > softback_in) { +- n = softback_in; +- softback_lines = 0; +- } +- } else if (softback_curr <= softback_in && n > softback_in) { +- n = softback_in; +- softback_lines = 0; +- } +- } +- if (n == softback_curr) +- return; +- softback_curr = n; +- s = (u16 *) softback_curr; +- if (s == (u16 *) softback_in) +- s = (u16 *) vc->vc_origin; +- while (count--) { +- unsigned short *start; +- unsigned short *le; +- unsigned short c; +- int x = 
0; +- unsigned short attr = 1; +- +- start = s; +- le = advance_row(s, 1); +- do { +- c = scr_readw(s); +- if (attr != (c & 0xff00)) { +- attr = c & 0xff00; +- if (s > start) { +- fbcon_putcs(vc, start, s - start, +- line, x); +- x += s - start; +- start = s; +- } +- } +- if (c == scr_readw(d)) { +- if (s > start) { +- fbcon_putcs(vc, start, s - start, +- line, x); +- x += s - start + 1; +- start = s + 1; +- } else { +- x++; +- start++; +- } +- } +- s++; +- d++; +- } while (s < le); +- if (s > start) +- fbcon_putcs(vc, start, s - start, line, x); +- line++; +- if (d == (u16 *) softback_end) +- d = (u16 *) softback_buf; +- if (d == (u16 *) softback_in) +- d = (u16 *) vc->vc_origin; +- if (s == (u16 *) softback_end) +- s = (u16 *) softback_buf; +- if (s == (u16 *) softback_in) +- s = (u16 *) vc->vc_origin; +- } +-} +- + static void fbcon_redraw_move(struct vc_data *vc, struct display *p, + int line, int count, int dy) + { +@@ -1775,31 +1617,6 @@ static void fbcon_redraw(struct vc_data + } + } + +-static inline void fbcon_softback_note(struct vc_data *vc, int t, +- int count) +-{ +- unsigned short *p; +- +- if (vc->vc_num != fg_console) +- return; +- p = (unsigned short *) (vc->vc_origin + t * vc->vc_size_row); +- +- while (count) { +- scr_memcpyw((u16 *) softback_in, p, vc->vc_size_row); +- count--; +- p = advance_row(p, 1); +- softback_in += vc->vc_size_row; +- if (softback_in == softback_end) +- softback_in = softback_buf; +- if (softback_in == softback_top) { +- softback_top += vc->vc_size_row; +- if (softback_top == softback_end) +- softback_top = softback_buf; +- } +- } +- softback_curr = softback_in; +-} +- + static int fbcon_scroll(struct vc_data *vc, int t, int b, int dir, + int count) + { +@@ -1822,8 +1639,6 @@ static int fbcon_scroll(struct vc_data * + case SM_UP: + if (count > vc->vc_rows) /* Maximum realistic size */ + count = vc->vc_rows; +- if (softback_top) +- fbcon_softback_note(vc, t, count); + if (logo_shown >= 0) + goto redraw_up; + switch 
(p->scrollmode) { +@@ -2194,14 +2009,6 @@ static int fbcon_switch(struct vc_data * + info = registered_fb[con2fb_map[vc->vc_num]]; + ops = info->fbcon_par; + +- if (softback_top) { +- if (softback_lines) +- fbcon_set_origin(vc); +- softback_top = softback_curr = softback_in = softback_buf; +- softback_lines = 0; +- fbcon_update_softback(vc); +- } +- + if (logo_shown >= 0) { + struct vc_data *conp2 = vc_cons[logo_shown].d; + +@@ -2535,9 +2342,6 @@ static int fbcon_do_set_font(struct vc_d + int cnt; + char *old_data = NULL; + +- if (con_is_visible(vc) && softback_lines) +- fbcon_set_origin(vc); +- + resize = (w != vc->vc_font.width) || (h != vc->vc_font.height); + if (p->userfont) + old_data = vc->vc_font.data; +@@ -2563,8 +2367,6 @@ static int fbcon_do_set_font(struct vc_d + cols /= w; + rows /= h; + vc_resize(vc, cols, rows); +- if (con_is_visible(vc) && softback_buf) +- fbcon_update_softback(vc); + } else if (con_is_visible(vc) + && vc->vc_mode == KD_TEXT) { + fbcon_clear_margins(vc, 0); +@@ -2722,19 +2524,7 @@ static void fbcon_set_palette(struct vc_ + + static u16 *fbcon_screen_pos(struct vc_data *vc, int offset) + { +- unsigned long p; +- int line; +- +- if (vc->vc_num != fg_console || !softback_lines) +- return (u16 *) (vc->vc_origin + offset); +- line = offset / vc->vc_size_row; +- if (line >= softback_lines) +- return (u16 *) (vc->vc_origin + offset - +- softback_lines * vc->vc_size_row); +- p = softback_curr + offset; +- if (p >= softback_end) +- p += softback_buf - softback_end; +- return (u16 *) p; ++ return (u16 *) (vc->vc_origin + offset); + } + + static unsigned long fbcon_getxy(struct vc_data *vc, unsigned long pos, +@@ -2748,22 +2538,7 @@ static unsigned long fbcon_getxy(struct + + x = offset % vc->vc_cols; + y = offset / vc->vc_cols; +- if (vc->vc_num == fg_console) +- y += softback_lines; + ret = pos + (vc->vc_cols - x) * 2; +- } else if (vc->vc_num == fg_console && softback_lines) { +- unsigned long offset = pos - softback_curr; +- +- if (pos < 
softback_curr) +- offset += softback_end - softback_buf; +- offset /= 2; +- x = offset % vc->vc_cols; +- y = offset / vc->vc_cols; +- ret = pos + (vc->vc_cols - x) * 2; +- if (ret == softback_end) +- ret = softback_buf; +- if (ret == softback_in) +- ret = vc->vc_origin; + } else { + /* Should not happen */ + x = y = 0; +@@ -2791,106 +2566,11 @@ static void fbcon_invert_region(struct v + a = ((a) & 0x88ff) | (((a) & 0x7000) >> 4) | + (((a) & 0x0700) << 4); + scr_writew(a, p++); +- if (p == (u16 *) softback_end) +- p = (u16 *) softback_buf; +- if (p == (u16 *) softback_in) +- p = (u16 *) vc->vc_origin; + } + } + +-static void fbcon_scrolldelta(struct vc_data *vc, int lines) +-{ +- struct fb_info *info = registered_fb[con2fb_map[fg_console]]; +- struct fbcon_ops *ops = info->fbcon_par; +- struct display *disp = &fb_display[fg_console]; +- int offset, limit, scrollback_old; +- +- if (softback_top) { +- if (vc->vc_num != fg_console) +- return; +- if (vc->vc_mode != KD_TEXT || !lines) +- return; +- if (logo_shown >= 0) { +- struct vc_data *conp2 = vc_cons[logo_shown].d; +- +- if (conp2->vc_top == logo_lines +- && conp2->vc_bottom == conp2->vc_rows) +- conp2->vc_top = 0; +- if (logo_shown == vc->vc_num) { +- unsigned long p, q; +- int i; +- +- p = softback_in; +- q = vc->vc_origin + +- logo_lines * vc->vc_size_row; +- for (i = 0; i < logo_lines; i++) { +- if (p == softback_top) +- break; +- if (p == softback_buf) +- p = softback_end; +- p -= vc->vc_size_row; +- q -= vc->vc_size_row; +- scr_memcpyw((u16 *) q, (u16 *) p, +- vc->vc_size_row); +- } +- softback_in = softback_curr = p; +- update_region(vc, vc->vc_origin, +- logo_lines * vc->vc_cols); +- } +- logo_shown = FBCON_LOGO_CANSHOW; +- } +- fbcon_cursor(vc, CM_ERASE | CM_SOFTBACK); +- fbcon_redraw_softback(vc, disp, lines); +- fbcon_cursor(vc, CM_DRAW | CM_SOFTBACK); +- return; +- } +- +- if (!scrollback_phys_max) +- return; +- +- scrollback_old = scrollback_current; +- scrollback_current -= lines; +- if 
(scrollback_current < 0) +- scrollback_current = 0; +- else if (scrollback_current > scrollback_max) +- scrollback_current = scrollback_max; +- if (scrollback_current == scrollback_old) +- return; +- +- if (fbcon_is_inactive(vc, info)) +- return; +- +- fbcon_cursor(vc, CM_ERASE); +- +- offset = disp->yscroll - scrollback_current; +- limit = disp->vrows; +- switch (disp->scrollmode) { +- case SCROLL_WRAP_MOVE: +- info->var.vmode |= FB_VMODE_YWRAP; +- break; +- case SCROLL_PAN_MOVE: +- case SCROLL_PAN_REDRAW: +- limit -= vc->vc_rows; +- info->var.vmode &= ~FB_VMODE_YWRAP; +- break; +- } +- if (offset < 0) +- offset += limit; +- else if (offset >= limit) +- offset -= limit; +- +- ops->var.xoffset = 0; +- ops->var.yoffset = offset * vc->vc_font.height; +- ops->update_start(info); +- +- if (!scrollback_current) +- fbcon_cursor(vc, CM_DRAW); +-} +- + static int fbcon_set_origin(struct vc_data *vc) + { +- if (softback_lines) +- fbcon_scrolldelta(vc, softback_lines); + return 0; + } + +@@ -2954,8 +2634,6 @@ static void fbcon_modechanged(struct fb_ + + fbcon_set_palette(vc, color_table); + update_screen(vc); +- if (softback_buf) +- fbcon_update_softback(vc); + } + } + +@@ -3375,7 +3053,6 @@ static const struct consw fb_con = { + .con_font_default = fbcon_set_def_font, + .con_font_copy = fbcon_copy_font, + .con_set_palette = fbcon_set_palette, +- .con_scrolldelta = fbcon_scrolldelta, + .con_set_origin = fbcon_set_origin, + .con_invert_region = fbcon_invert_region, + .con_screen_pos = fbcon_screen_pos, +@@ -3584,9 +3261,6 @@ static void fbcon_exit(void) + if (fbcon_has_exited) + return; + +- kfree((void *)softback_buf); +- softback_buf = 0UL; +- + for (i = 0; i < FB_MAX; i++) { + int pending = 0; + diff --git a/queue-4.9/kvm-vmx-don-t-freeze-guest-when-event-delivery-causes-an-apic-access-exit.patch b/queue-4.9/kvm-vmx-don-t-freeze-guest-when-event-delivery-causes-an-apic-access-exit.patch new file mode 100644 index 00000000000..477dd6074ad --- /dev/null 
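Review bot: fbcon_set_origin() is left as a stub that only does `return 0;`, and it keeps its forward declaration and its `.con_set_origin` entry with nothing saying why an empty callback remains. A short comment such as `/* soft scrollback was removed; there is no scrolled-back view to restore */` would stop a later reader from re-adding origin handling here. The same applies to the `scrollback:` branch in fb_console_setup(), which now only logs `Ignoring scrollback size option`; the patch touches fbcon.c alone, so any documentation of that boot option is presumably left describing a knob that no longer does anything. Context lines still assign `scrollback_current = 0;` although the function removed here, fbcon_scrolldelta(), is the only reader of the scrollback_* counters visible in this patch, so those statics look like dead state worth a follow-up removal; confirm against the rest of the file.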
+++ b/queue-4.9/kvm-vmx-don-t-freeze-guest-when-event-delivery-causes-an-apic-access-exit.patch @@ -0,0 +1,34 @@ +From 99b82a1437cb31340dbb2c437a2923b9814a7b15 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Wed, 19 Aug 2020 16:55:27 +0800 +Subject: KVM: VMX: Don't freeze guest when event delivery causes an APIC-access exit + +From: Wanpeng Li + +commit 99b82a1437cb31340dbb2c437a2923b9814a7b15 upstream. + +According to SDM 27.2.4, Event delivery causes an APIC-access VM exit. +Don't report internal error and freeze guest when event delivery causes +an APIC-access exit, it is handleable and the event will be re-injected +during the next vmentry. + +Signed-off-by: Wanpeng Li +Message-Id: <1597827327-25055-2-git-send-email-wanpengli@tencent.com> +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -8606,6 +8606,7 @@ static int vmx_handle_exit(struct kvm_vc + (exit_reason != EXIT_REASON_EXCEPTION_NMI && + exit_reason != EXIT_REASON_EPT_VIOLATION && + exit_reason != EXIT_REASON_PML_FULL && ++ exit_reason != EXIT_REASON_APIC_ACCESS && + exit_reason != EXIT_REASON_TASK_SWITCH)) { + vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR; + vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_DELIVERY_EV; diff --git a/queue-4.9/series b/queue-4.9/series index bedc4c26761..2fd35b6ec45 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
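Review bot: The exemption list in vmx_handle_exit() gains `EXIT_REASON_APIC_ACCESS` with no comment in the code explaining why that exit reason may be handled while an event is still being delivered; the justification lives only in the commit message. Since this condition decides whether a guest-triggered exit during vectoring is reported as `KVM_EXIT_INTERNAL_ERROR`, each entry deserves a recorded reason, for example `/* SDM 27.2.4: event delivery can itself cause an APIC-access exit; it is handleable and the event is re-injected on the next vmentry */` above the added line. The start of the condition and the rest of vmx_handle_exit() are outside the hunk.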
@@ -32,3 +32,13 @@ regulator-push-allocation-in-set_consumer_device_supply-out-of-lock.patch scsi-target-iscsi-fix-data-digest-calculation.patch scsi-target-iscsi-fix-hang-in-iscsit_access_np-when-getting-tpg-np_login_sem.patch rbd-require-global-cap_sys_admin-for-mapping-and-unmapping.patch +fbcon-remove-soft-scrollback-code.patch +fbcon-remove-now-unusued-softback_lines-cursor-argument.patch +vgacon-remove-software-scrollback-support.patch +kvm-vmx-don-t-freeze-guest-when-event-delivery-causes-an-apic-access-exit.patch +video-fbdev-fix-oob-read-in-vga_8planes_imageblit.patch +staging-greybus-audio-fix-uninitialized-value-issue.patch +usb-core-fix-slab-out-of-bounds-read-in-read_descriptors.patch +usb-serial-ftdi_sio-add-ids-for-xsens-mti-usb-converter.patch +usb-serial-option-add-support-for-sim7070-sim7080-sim7090-modules.patch +usb-fix-out-of-sync-data-toggle-if-a-configured-device-is-reconfigured.patch diff --git a/queue-4.9/staging-greybus-audio-fix-uninitialized-value-issue.patch b/queue-4.9/staging-greybus-audio-fix-uninitialized-value-issue.patch new file mode 100644 index 00000000000..a4bee7a7902 --- /dev/null +++ b/queue-4.9/staging-greybus-audio-fix-uninitialized-value-issue.patch 
@@ -0,0 +1,82 @@ +From 1dffeb8b8b4c261c45416d53c75ea51e6ece1770 Mon Sep 17 00:00:00 2001 +From: Vaibhav Agarwal +Date: Fri, 14 Aug 2020 18:03:15 +0530 +Subject: staging: greybus: audio: fix uninitialized value issue + +From: Vaibhav Agarwal + +commit 1dffeb8b8b4c261c45416d53c75ea51e6ece1770 upstream. + +The current implementation for gbcodec_mixer_dapm_ctl_put() uses +uninitialized gbvalue for comparison with updated value. This was found +using static analysis with coverity. + +Uninitialized scalar variable (UNINIT) +11. uninit_use: Using uninitialized value +gbvalue.value.integer_value[0]. +460 if (gbvalue.value.integer_value[0] != val) { + +This patch fixes the issue with fetching the gbvalue before using it for + comparision. + +Fixes: 6339d2322c47 ("greybus: audio: Add topology parser for GB codec") +Reported-by: Colin Ian King +Signed-off-by: Vaibhav Agarwal +Cc: stable +Link: https://lore.kernel.org/r/bc4f29eb502ccf93cd2ffd98db0e319fa7d0f247.1597408126.git.vaibhav.sr@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/greybus/audio_topology.c | 29 +++++++++++++++-------------- + 1 file changed, 15 insertions(+), 14 deletions(-) + +--- a/drivers/staging/greybus/audio_topology.c ++++ b/drivers/staging/greybus/audio_topology.c +@@ -462,6 +462,15 @@ static int gbcodec_mixer_dapm_ctl_put(st + val = ucontrol->value.integer.value[0] & mask; + connect = !!val; + ++ ret = gb_pm_runtime_get_sync(bundle); ++ if (ret) ++ return ret; ++ ++ ret = gb_audio_gb_get_control(module->mgmt_connection, data->ctl_id, ++ GB_AUDIO_INVALID_INDEX, &gbvalue); ++ if (ret) ++ goto exit; ++ + /* update ucontrol */ + if (gbvalue.value.integer_value[0] != val) { + for (wi = 0; wi < wlist->num_widgets; wi++) { +@@ -475,25 +484,17 @@ static int gbcodec_mixer_dapm_ctl_put(st + gbvalue.value.integer_value[0] = + ucontrol->value.integer.value[0]; + +- ret = gb_pm_runtime_get_sync(bundle); +- if (ret) +- return ret; +- + ret = gb_audio_gb_set_control(module->mgmt_connection, + 
data->ctl_id, + GB_AUDIO_INVALID_INDEX, &gbvalue); +- +- gb_pm_runtime_put_autosuspend(bundle); +- +- if (ret) { +- dev_err_ratelimited(codec->dev, +- "%d:Error in %s for %s\n", ret, +- __func__, kcontrol->id.name); +- return ret; +- } + } + +- return 0; ++exit: ++ gb_pm_runtime_put_autosuspend(bundle); ++ if (ret) ++ dev_err_ratelimited(codec_dev, "%d:Error in %s for %s\n", ret, ++ __func__, kcontrol->id.name); ++ return ret; + } + + #define SOC_DAPM_MIXER_GB(xname, kcount, data) \ diff --git a/queue-4.9/usb-core-fix-slab-out-of-bounds-read-in-read_descriptors.patch b/queue-4.9/usb-core-fix-slab-out-of-bounds-read-in-read_descriptors.patch new file mode 100644 index 00000000000..efa20cadde4 --- /dev/null +++ b/queue-4.9/usb-core-fix-slab-out-of-bounds-read-in-read_descriptors.patch 
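Review bot: The new error path at the `exit:` label logs through `codec_dev`, while the lines it replaces used `codec->dev`, and nothing in this hunk declares `codec_dev`. Unless the 4.9 version of gbcodec_mixer_dapm_ctl_put() already has such a local (its declarations are outside the hunk), this backport will not compile, and a stable queue entry that breaks the build also holds back the other fixes queued with it. If the local does not exist in this tree, the call should stay `dev_err_ratelimited(codec->dev, "%d:Error in %s for %s\n", ret,`. The reordering itself, fetching `gbvalue` with gb_audio_gb_get_control() before the comparison and releasing the runtime PM reference on every path after a successful get, matches what the commit message describes.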
@@ -0,0 +1,52 @@ +From a18cd6c9b6bc73dc17e8b7e9bd07decaa8833c97 Mon Sep 17 00:00:00 2001 +From: Zeng Tao +Date: Fri, 4 Sep 2020 14:37:44 +0800 +Subject: usb: core: fix slab-out-of-bounds Read in read_descriptors + +From: Zeng Tao + +commit a18cd6c9b6bc73dc17e8b7e9bd07decaa8833c97 upstream. + +The USB device descriptor may get changed between two consecutive +enumerations on the same device for some reason, such as DFU or +malicius device. +In that case, we may access the changing descriptor if we don't take +the device lock here. + +The issue is reported: +https://syzkaller.appspot.com/bug?id=901a0d9e6519ef8dc7acab25344bd287dd3c7be9 + +Cc: stable +Cc: Alan Stern +Reported-by: syzbot+256e56ddde8b8957eabd@syzkaller.appspotmail.com +Fixes: 217a9081d8e6 ("USB: add all configs to the "descriptors" attribute") +Signed-off-by: Zeng Tao +Link: https://lore.kernel.org/r/1599201467-11000-1-git-send-email-prime.zeng@hisilicon.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/sysfs.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/core/sysfs.c ++++ b/drivers/usb/core/sysfs.c +@@ -848,7 +848,11 @@ read_descriptors(struct file *filp, stru + size_t srclen, n; + int cfgno; + void *src; ++ int retval; + ++ retval = usb_lock_device_interruptible(udev); ++ if (retval < 0) ++ return -EINTR; + /* The binary attribute begins with the device descriptor. + * Following that are the raw descriptor entries for all the + * configurations (config plus subsidiary descriptors). +@@ -873,6 +877,7 @@ read_descriptors(struct file *filp, stru + off -= srclen; + } + } ++ usb_unlock_device(udev); + return count - nleft; + } + diff --git a/queue-4.9/usb-fix-out-of-sync-data-toggle-if-a-configured-device-is-reconfigured.patch b/queue-4.9/usb-fix-out-of-sync-data-toggle-if-a-configured-device-is-reconfigured.patch new file mode 100644 index 00000000000..ec7163b5d9c --- /dev/null +++ b/queue-4.9/usb-fix-out-of-sync-data-toggle-if-a-configured-device-is-reconfigured.patch 
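Review bot: `retval` in read_descriptors() is tested and then thrown away: the failure path returns a hard-coded `-EINTR` rather than what usb_lock_device_interruptible() reported, so `return retval;` would be simpler and would keep the error code accurate if the helper ever returns anything else. The matching `usb_unlock_device(udev);` is added only before the final `return count - nleft;`, so it is worth confirming that the loop between the two hunks has no early return that would leave the device lock held; that part of the body is outside the hunk. A one-line comment at the lock, e.g. `/* hold the device lock: the descriptors can change if the device is re-enumerated while we copy them */`, would record why a sysfs read needs it.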
@@ -0,0 +1,180 @@
+From cfd54fa83a5068b61b7eb28d3c117d8354c74c7a Mon Sep 17 00:00:00 2001
+From: Mathias Nyman
+Date: Tue, 1 Sep 2020 11:25:28 +0300
+Subject: usb: Fix out of sync data toggle if a configured device is reconfigured
+
+From: Mathias Nyman
+
+commit cfd54fa83a5068b61b7eb28d3c117d8354c74c7a upstream.
+
+Userspace drivers that use a SetConfiguration() request to "lightweight"
+reset an already configured usb device might cause data toggles to get out
+of sync between the device and host, and the device becomes unusable.
+
+The xHCI host requires endpoints to be dropped and added back to reset the
+toggle. If USB core notices the new configuration is the same as the
+current active configuration it will avoid these extra steps by calling
+usb_reset_configuration() instead of usb_set_configuration().
+
+A SetConfiguration() request will reset the device side data toggles.
+Make sure usb_reset_configuration() function also drops and adds back the
+endpoints to ensure data toggles are in sync.
+
+To avoid code duplication split the current usb_disable_device() function
+and reuse the endpoint specific part.
+
+Cc: stable
+Tested-by: Martin Thierer
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20200901082528.12557-1-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/message.c | 93 ++++++++++++++++++++-------------------------
+ 1 file changed, 43 insertions(+), 50 deletions(-)
+
+--- a/drivers/usb/core/message.c
++++ b/drivers/usb/core/message.c
+@@ -1142,6 +1142,34 @@ void usb_disable_interface(struct usb_de
+ }
+ }
+
++/*
++ * usb_disable_device_endpoints -- Disable all endpoints for a device
++ * @dev: the device whose endpoints are being disabled
++ * @skip_ep0: 0 to disable endpoint 0, 1 to skip it.
++ */
++static void usb_disable_device_endpoints(struct usb_device *dev, int skip_ep0)
++{
++ struct usb_hcd *hcd = bus_to_hcd(dev->bus);
++ int i;
++
++ if (hcd->driver->check_bandwidth) {
++ /* First pass: Cancel URBs, leave endpoint pointers intact. */
++ for (i = skip_ep0; i < 16; ++i) {
++ usb_disable_endpoint(dev, i, false);
++ usb_disable_endpoint(dev, i + USB_DIR_IN, false);
++ }
++ /* Remove endpoints from the host controller internal state */
++ mutex_lock(hcd->bandwidth_mutex);
++ usb_hcd_alloc_bandwidth(dev, NULL, NULL, NULL);
++ mutex_unlock(hcd->bandwidth_mutex);
++ }
++ /* Second pass: remove endpoint pointers */
++ for (i = skip_ep0; i < 16; ++i) {
++ usb_disable_endpoint(dev, i, true);
++ usb_disable_endpoint(dev, i + USB_DIR_IN, true);
++ }
++}
++
+ /**
+ * usb_disable_device - Disable all the endpoints for a USB device
+ * @dev: the device whose endpoints are being disabled
+@@ -1155,7 +1183,6 @@ void usb_disable_interface(struct usb_de
+ void usb_disable_device(struct usb_device *dev, int skip_ep0)
+ {
+ int i;
+- struct usb_hcd *hcd = bus_to_hcd(dev->bus);
+
+ /* getting rid of interfaces will disconnect
+ * any drivers bound to them (a key side effect)
+@@ -1201,22 +1228,8 @@ void usb_disable_devic
+
+ dev_dbg(&dev->dev, "%s nuking %s URBs\n", __func__,
+ skip_ep0 ? "non-ep0" : "all");
+- if (hcd->driver->check_bandwidth) {
+- /* First pass: Cancel URBs, leave endpoint pointers intact.
*/
+- for (i = skip_ep0; i < 16; ++i) {
+- usb_disable_endpoint(dev, i, false);
+- usb_disable_endpoint(dev, i + USB_DIR_IN, false);
+- }
+- /* Remove endpoints from the host controller internal state */
+- mutex_lock(hcd->bandwidth_mutex);
+- usb_hcd_alloc_bandwidth(dev, NULL, NULL, NULL);
+- mutex_unlock(hcd->bandwidth_mutex);
+- /* Second pass: remove endpoint pointers */
+- }
+- for (i = skip_ep0; i < 16; ++i) {
+- usb_disable_endpoint(dev, i, true);
+- usb_disable_endpoint(dev, i + USB_DIR_IN, true);
+- }
++
++ usb_disable_device_endpoints(dev, skip_ep0);
+ }
+
+ /**
+@@ -1459,6 +1472,9 @@ EXPORT_SYMBOL_GPL(usb_set_interface);
+ * The caller must own the device lock.
+ *
+ * Return: Zero on success, else a negative error code.
++ *
++ * If this routine fails the device will probably be in an unusable state
++ * with endpoints disabled, and interfaces only partially enabled.
+ */
+ int usb_reset_configuration(struct usb_device *dev)
+ {
+@@ -1474,10 +1490,7 @@ int usb_reset_configuration(struct usb_d
+ * calls during probe() are fine
+ */
+
+- for (i = 1; i < 16; ++i) {
+- usb_disable_endpoint(dev, i, true);
+- usb_disable_endpoint(dev, i + USB_DIR_IN, true);
+- }
++ usb_disable_device_endpoints(dev, 1); /* skip ep0*/
+
+ config = dev->actconfig;
+ retval = 0;
+@@ -1490,34 +1503,10 @@ int usb_reset_configuration(struct usb_d
+ mutex_unlock(hcd->bandwidth_mutex);
+ return -ENOMEM;
+ }
+- /* Make sure we have enough bandwidth for each alternate setting 0 */
+- for (i = 0; i < config->desc.bNumInterfaces; i++) {
+- struct usb_interface *intf = config->interface[i];
+- struct usb_host_interface *alt;
+-
+- alt = usb_altnum_to_altsetting(intf, 0);
+- if (!alt)
+- alt = &intf->altsetting[0];
+- if (alt != intf->cur_altsetting)
+- retval = usb_hcd_alloc_bandwidth(dev, NULL,
+- intf->cur_altsetting, alt);
+- if (retval < 0)
+- break;
+- }
+- /* If not, reinstate the old alternate settings */
++
++ /* xHCI adds all endpoints in usb_hcd_alloc_bandwidth */
++ retval =
usb_hcd_alloc_bandwidth(dev, config, NULL, NULL);
+ if (retval < 0) {
+-reset_old_alts:
+- for (i--; i >= 0; i--) {
+- struct usb_interface *intf = config->interface[i];
+- struct usb_host_interface *alt;
+-
+- alt = usb_altnum_to_altsetting(intf, 0);
+- if (!alt)
+- alt = &intf->altsetting[0];
+- if (alt != intf->cur_altsetting)
+- usb_hcd_alloc_bandwidth(dev, NULL,
+- alt, intf->cur_altsetting);
+- }
+ usb_enable_lpm(dev);
+ mutex_unlock(hcd->bandwidth_mutex);
+ return retval;
+@@ -1526,8 +1515,12 @@ reset_old_alts:
+ USB_REQ_SET_CONFIGURATION, 0,
+ config->desc.bConfigurationValue, 0,
+ NULL, 0, USB_CTRL_SET_TIMEOUT);
+- if (retval < 0)
+- goto reset_old_alts;
++ if (retval < 0) {
++ usb_hcd_alloc_bandwidth(dev, NULL, NULL, NULL);
++ usb_enable_lpm(dev);
++ mutex_unlock(hcd->bandwidth_mutex);
++ return retval;
++ }
+ mutex_unlock(hcd->bandwidth_mutex);
+
+ /* re-init hc/hcd interface/endpoint state */
diff --git a/queue-4.9/usb-serial-ftdi_sio-add-ids-for-xsens-mti-usb-converter.patch b/queue-4.9/usb-serial-ftdi_sio-add-ids-for-xsens-mti-usb-converter.patch
new file mode 100644
index 00000000000..1bef106dad6
--- /dev/null
+++ b/queue-4.9/usb-serial-ftdi_sio-add-ids-for-xsens-mti-usb-converter.patch
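Review bot: The new helper `usb_disable_device_endpoints()` uses `skip_ep0` directly as the loop start (`for (i = skip_ep0; i < 16; ++i)`) although its comment documents it as a 0/1 flag, so any other value would silently change which endpoints get disabled. Normalising it inside the helper, for example `int first = skip_ep0 ? 1 : 0;` and looping from `first`, would make the documented contract hold, and the bare `16` could be given a name. In `usb_reset_configuration()` the new failure branch after the SET_CONFIGURATION request ignores the return value of `usb_hcd_alloc_bandwidth(dev, NULL, NULL, NULL)`; a one-line comment there, such as `/* best effort: drop the endpoints again, the device is unusable anyway */`, would show that this is deliberate. The body of `usb_reset_configuration()` continues outside these hunks.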
@@ -0,0 +1,42 @@
+From 6ccc48e0eb2f3a5f3bd39954a21317e5f8874726 Mon Sep 17 00:00:00 2001
+From: Patrick Riphagen
+Date: Thu, 6 Aug 2020 13:55:47 +0200
+Subject: USB: serial: ftdi_sio: add IDs for Xsens Mti USB converter
+
+From: Patrick Riphagen
+
+commit 6ccc48e0eb2f3a5f3bd39954a21317e5f8874726 upstream.
+
+The device added has an FTDI chip inside.
+The device is used to connect Xsens USB Motion Trackers.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Patrick Riphagen
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/ftdi_sio.c | 1 +
+ drivers/usb/serial/ftdi_sio_ids.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -708,6 +708,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(XSENS_VID, XSENS_AWINDA_STATION_PID) },
+ { USB_DEVICE(XSENS_VID, XSENS_CONVERTER_PID) },
+ { USB_DEVICE(XSENS_VID, XSENS_MTDEVBOARD_PID) },
++ { USB_DEVICE(XSENS_VID, XSENS_MTIUSBCONVERTER_PID) },
+ { USB_DEVICE(XSENS_VID, XSENS_MTW_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_OMNI1509) },
+ { USB_DEVICE(MOBILITY_VID, MOBILITY_USB_SERIAL_PID) },
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -159,6 +159,7 @@
+ #define XSENS_AWINDA_DONGLE_PID 0x0102
+ #define XSENS_MTW_PID 0x0200 /* Xsens MTw */
+ #define XSENS_MTDEVBOARD_PID 0x0300 /* Motion Tracker Development Board */
++#define XSENS_MTIUSBCONVERTER_PID 0x0301 /* MTi USB converter */
+ #define XSENS_CONVERTER_PID 0xD00D /* Xsens USB-serial converter */
+
+ /* Xsens devices using FTDI VID */
diff --git a/queue-4.9/usb-serial-option-add-support-for-sim7070-sim7080-sim7090-modules.patch b/queue-4.9/usb-serial-option-add-support-for-sim7070-sim7080-sim7090-modules.patch
new file mode 100644
index 00000000000..743311484b1
--- /dev/null
+++ b/queue-4.9/usb-serial-option-add-support-for-sim7070-sim7080-sim7090-modules.patch
@@ -0,0 +1,79 @@
+From 1ac698790819b83f39fd7ea4f6cdabee9bdd7b38 Mon Sep 17 00:00:00 2001
+From: Aleksander Morgado
+Date: Sat, 29 Aug 2020 11:05:39 +0200
+Subject: USB: serial: option: add support for SIM7070/SIM7080/SIM7090 modules
+
+From: Aleksander Morgado
+
+commit 1ac698790819b83f39fd7ea4f6cdabee9bdd7b38 upstream.
+
+These modules have 2 different USB layouts:
+
+The default layout with PID 0x9205 (AT+CUSBSELNV=1) exposes 4 TTYs and
+an ECM interface:
+
+ T: Bus=02 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 6 Spd=480 MxCh= 0
+ D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
+ P: Vendor=1e0e ProdID=9205 Rev=00.00
+ S: Manufacturer=SimTech, Incorporated
+ S: Product=SimTech SIM7080
+ S: SerialNumber=1234567890ABCDEF
+ C: #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=500mA
+ I: If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+ I: If#=0x1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+ I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+ I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+ I: If#=0x4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
+ I: If#=0x5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
+
+The purpose of each TTY is as follows:
+ * ttyUSB0: DIAG/QCDM port.
+ * ttyUSB1: GNSS data.
+ * ttyUSB2: AT-capable port (control).
+ * ttyUSB3: AT-capable port (data).
+
+In the secondary layout with PID=0x9206 (AT+CUSBSELNV=86) the module
+exposes 6 TTY ports:
+
+ T: Bus=02 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 8 Spd=480 MxCh= 0
+ D: Ver= 2.00 Cls=02(commc) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+ P: Vendor=1e0e ProdID=9206 Rev=00.00
+ S: Manufacturer=SimTech, Incorporated
+ S: Product=SimTech SIM7080
+ S: SerialNumber=1234567890ABCDEF
+ C: #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=500mA
+ I: If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+ I: If#=0x1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+ I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.)
Sub=ff Prot=ff Driver=option
+ I: If#=0x3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+ I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+ I: If#=0x5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+
+The purpose of each TTY is as follows:
+ * ttyUSB0: DIAG/QCDM port.
+ * ttyUSB1: GNSS data.
+ * ttyUSB2: AT-capable port (control).
+ * ttyUSB3: QFLOG interface.
+ * ttyUSB4: DAM interface.
+ * ttyUSB5: AT-capable port (data).
+
+Signed-off-by: Aleksander Morgado
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1808,6 +1808,8 @@ static const struct usb_device_id option
+ { USB_DEVICE_INTERFACE_CLASS(0x1e0e, 0x9003, 0xff) }, /* Simcom SIM7500/SIM7600 MBIM mode */
+ { USB_DEVICE_INTERFACE_CLASS(0x1e0e, 0x9011, 0xff), /* Simcom SIM7500/SIM7600 RNDIS mode */
+ .driver_info = RSVD(7) },
++ { USB_DEVICE_INTERFACE_CLASS(0x1e0e, 0x9205, 0xff) }, /* Simcom SIM7070/SIM7080/SIM7090 AT+ECM mode */
++ { USB_DEVICE_INTERFACE_CLASS(0x1e0e, 0x9206, 0xff) }, /* Simcom SIM7070/SIM7080/SIM7090 AT-only mode */
+ { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S_X200),
+ .driver_info = NCTRL(0) | NCTRL(1) | RSVD(4) },
+ { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X220_X500D),
diff --git a/queue-4.9/vgacon-remove-software-scrollback-support.patch b/queue-4.9/vgacon-remove-software-scrollback-support.patch
new file mode 100644
index 00000000000..ee99c144f4c
--- /dev/null
+++ b/queue-4.9/vgacon-remove-software-scrollback-support.patch
@@ -0,0 +1,320 @@ +From 973c096f6a85e5b5f2a295126ba6928d9a6afd45 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Wed, 9 Sep 2020 14:53:50 -0700 +Subject: vgacon: remove software scrollback support +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +commit 973c096f6a85e5b5f2a295126ba6928d9a6afd45 upstream. + +Yunhai Zhang recently fixed a VGA software scrollback bug in commit +ebfdfeeae8c0 ("vgacon: Fix for missing check in scrollback handling"), +but that then made people look more closely at some of this code, and +there were more problems on the vgacon side, but also the fbcon software +scrollback. + +We don't really have anybody who maintains this code - probably because +nobody actually _uses_ it any more. Sure, people still use both VGA and +the framebuffer consoles, but they are no longer the main user +interfaces to the kernel, and haven't been for decades, so these kinds +of extra features end up bitrotting and not really being used. + +So rather than try to maintain a likely unused set of code, I'll just +aggressively remove it, and see if anybody even notices. Maybe there +are people who haven't jumped on the whole GUI badnwagon yet, and think +it's just a fad. And maybe those people use the scrollback code. + +If that turns out to be the case, we can resurrect this again, once +we've found the sucker^Wmaintainer for it who actually uses it. 
+ +Reported-by: NopNop Nop +Tested-by: Willy Tarreau +Cc: 张云海 +Acked-by: Andy Lutomirski +Acked-by: Willy Tarreau +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/configs/pasemi_defconfig | 1 + arch/powerpc/configs/ppc6xx_defconfig | 1 + arch/x86/configs/i386_defconfig | 1 + arch/x86/configs/x86_64_defconfig | 1 + drivers/video/console/Kconfig | 25 ----- + drivers/video/console/vgacon.c | 159 ---------------------------------- + 6 files changed, 1 insertion(+), 187 deletions(-) + +--- a/arch/powerpc/configs/pasemi_defconfig ++++ b/arch/powerpc/configs/pasemi_defconfig +@@ -115,7 +115,6 @@ CONFIG_FB_NVIDIA=y + CONFIG_FB_NVIDIA_I2C=y + CONFIG_FB_RADEON=y + # CONFIG_LCD_CLASS_DEVICE is not set +-CONFIG_VGACON_SOFT_SCROLLBACK=y + CONFIG_LOGO=y + CONFIG_SOUND=y + CONFIG_SND=y +--- a/arch/powerpc/configs/ppc6xx_defconfig ++++ b/arch/powerpc/configs/ppc6xx_defconfig +@@ -796,7 +796,6 @@ CONFIG_FB_TRIDENT=m + CONFIG_FB_SM501=m + CONFIG_FB_IBM_GXT4500=y + CONFIG_LCD_PLATFORM=m +-CONFIG_VGACON_SOFT_SCROLLBACK=y + CONFIG_FRAMEBUFFER_CONSOLE=y + CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y + CONFIG_LOGO=y +--- a/arch/x86/configs/i386_defconfig ++++ b/arch/x86/configs/i386_defconfig +@@ -217,7 +217,6 @@ CONFIG_FB_MODE_HELPERS=y + CONFIG_FB_TILEBLITTING=y + CONFIG_FB_EFI=y + # CONFIG_LCD_CLASS_DEVICE is not set +-CONFIG_VGACON_SOFT_SCROLLBACK=y + CONFIG_LOGO=y + # CONFIG_LOGO_LINUX_MONO is not set + # CONFIG_LOGO_LINUX_VGA16 is not set +--- a/arch/x86/configs/x86_64_defconfig ++++ b/arch/x86/configs/x86_64_defconfig +@@ -212,7 +212,6 @@ CONFIG_FB_MODE_HELPERS=y + CONFIG_FB_TILEBLITTING=y + CONFIG_FB_EFI=y + # CONFIG_LCD_CLASS_DEVICE is not set +-CONFIG_VGACON_SOFT_SCROLLBACK=y + CONFIG_LOGO=y + # CONFIG_LOGO_LINUX_MONO is not set + # CONFIG_LOGO_LINUX_VGA16 is not set +--- a/drivers/video/console/Kconfig ++++ b/drivers/video/console/Kconfig +@@ -22,31 +22,6 @@ config VGA_CONSOLE + + Say Y. 
+ +-config VGACON_SOFT_SCROLLBACK +- bool "Enable Scrollback Buffer in System RAM" +- depends on VGA_CONSOLE +- default n +- help +- The scrollback buffer of the standard VGA console is located in +- the VGA RAM. The size of this RAM is fixed and is quite small. +- If you require a larger scrollback buffer, this can be placed in +- System RAM which is dynamically allocated during initialization. +- Placing the scrollback buffer in System RAM will slightly slow +- down the console. +- +- If you want this feature, say 'Y' here and enter the amount of +- RAM to allocate for this buffer. If unsure, say 'N'. +- +-config VGACON_SOFT_SCROLLBACK_SIZE +- int "Scrollback Buffer Size (in KB)" +- depends on VGACON_SOFT_SCROLLBACK +- range 1 1024 +- default "64" +- help +- Enter the amount of System RAM to allocate for the scrollback +- buffer. Each 64KB will give you approximately 16 80x25 +- screenfuls of scrollback buffer +- + config MDA_CONSOLE + depends on !M68K && !PARISC && ISA + tristate "MDA text console (dual-headed)" +--- a/drivers/video/console/vgacon.c ++++ b/drivers/video/console/vgacon.c +@@ -179,157 +179,6 @@ static inline void vga_set_mem_top(struc + write_vga(12, (c->vc_visible_origin - vga_vram_base) / 2); + } + +-#ifdef CONFIG_VGACON_SOFT_SCROLLBACK +-/* software scrollback */ +-static void *vgacon_scrollback; +-static int vgacon_scrollback_tail; +-static int vgacon_scrollback_size; +-static int vgacon_scrollback_rows; +-static int vgacon_scrollback_cnt; +-static int vgacon_scrollback_cur; +-static int vgacon_scrollback_save; +-static int vgacon_scrollback_restore; +- +-static void vgacon_scrollback_init(int pitch) +-{ +- int rows = CONFIG_VGACON_SOFT_SCROLLBACK_SIZE * 1024/pitch; +- +- if (vgacon_scrollback) { +- vgacon_scrollback_cnt = 0; +- vgacon_scrollback_tail = 0; +- vgacon_scrollback_cur = 0; +- vgacon_scrollback_rows = rows - 1; +- vgacon_scrollback_size = rows * pitch; +- } +-} +- +-static void vgacon_scrollback_startup(void) +-{ +- 
vgacon_scrollback = kcalloc(CONFIG_VGACON_SOFT_SCROLLBACK_SIZE, 1024, GFP_NOWAIT); +- vgacon_scrollback_init(vga_video_num_columns * 2); +-} +- +-static void vgacon_scrollback_update(struct vc_data *c, int t, int count) +-{ +- void *p; +- +- if (!vgacon_scrollback_size || c->vc_num != fg_console) +- return; +- +- p = (void *) (c->vc_origin + t * c->vc_size_row); +- +- while (count--) { +- if ((vgacon_scrollback_tail + c->vc_size_row) > +- vgacon_scrollback_size) +- vgacon_scrollback_tail = 0; +- +- scr_memcpyw(vgacon_scrollback + vgacon_scrollback_tail, +- p, c->vc_size_row); +- vgacon_scrollback_cnt++; +- p += c->vc_size_row; +- vgacon_scrollback_tail += c->vc_size_row; +- +- if (vgacon_scrollback_tail >= vgacon_scrollback_size) +- vgacon_scrollback_tail = 0; +- +- if (vgacon_scrollback_cnt > vgacon_scrollback_rows) +- vgacon_scrollback_cnt = vgacon_scrollback_rows; +- +- vgacon_scrollback_cur = vgacon_scrollback_cnt; +- } +-} +- +-static void vgacon_restore_screen(struct vc_data *c) +-{ +- vgacon_scrollback_save = 0; +- +- if (!vga_is_gfx && !vgacon_scrollback_restore) { +- scr_memcpyw((u16 *) c->vc_origin, (u16 *) c->vc_screenbuf, +- c->vc_screenbuf_size > vga_vram_size ? 
+- vga_vram_size : c->vc_screenbuf_size); +- vgacon_scrollback_restore = 1; +- vgacon_scrollback_cur = vgacon_scrollback_cnt; +- } +-} +- +-static void vgacon_scrolldelta(struct vc_data *c, int lines) +-{ +- int start, end, count, soff; +- +- if (!lines) { +- c->vc_visible_origin = c->vc_origin; +- vga_set_mem_top(c); +- return; +- } +- +- if (!vgacon_scrollback) +- return; +- +- if (!vgacon_scrollback_save) { +- vgacon_cursor(c, CM_ERASE); +- vgacon_save_screen(c); +- vgacon_scrollback_save = 1; +- } +- +- vgacon_scrollback_restore = 0; +- start = vgacon_scrollback_cur + lines; +- end = start + abs(lines); +- +- if (start < 0) +- start = 0; +- +- if (start > vgacon_scrollback_cnt) +- start = vgacon_scrollback_cnt; +- +- if (end < 0) +- end = 0; +- +- if (end > vgacon_scrollback_cnt) +- end = vgacon_scrollback_cnt; +- +- vgacon_scrollback_cur = start; +- count = end - start; +- soff = vgacon_scrollback_tail - ((vgacon_scrollback_cnt - end) * +- c->vc_size_row); +- soff -= count * c->vc_size_row; +- +- if (soff < 0) +- soff += vgacon_scrollback_size; +- +- count = vgacon_scrollback_cnt - start; +- +- if (count > c->vc_rows) +- count = c->vc_rows; +- +- if (count) { +- int copysize; +- +- int diff = c->vc_rows - count; +- void *d = (void *) c->vc_origin; +- void *s = (void *) c->vc_screenbuf; +- +- count *= c->vc_size_row; +- /* how much memory to end of buffer left? */ +- copysize = min(count, vgacon_scrollback_size - soff); +- scr_memcpyw(d, vgacon_scrollback + soff, copysize); +- d += copysize; +- count -= copysize; +- +- if (count) { +- scr_memcpyw(d, vgacon_scrollback, count); +- d += count; +- } +- +- if (diff) +- scr_memcpyw(d, s, diff * c->vc_size_row); +- } else +- vgacon_cursor(c, CM_MOVE); +-} +-#else +-#define vgacon_scrollback_startup(...) do { } while (0) +-#define vgacon_scrollback_init(...) do { } while (0) +-#define vgacon_scrollback_update(...) 
do { } while (0) +- + static void vgacon_restore_screen(struct vc_data *c) + { + if (c->vc_origin != c->vc_visible_origin) +@@ -365,7 +214,6 @@ static void vgacon_scrolldelta(struct vc + } + vga_set_mem_top(c); + } +-#endif /* CONFIG_VGACON_SOFT_SCROLLBACK */ + + static const char *vgacon_startup(void) + { +@@ -562,10 +410,7 @@ static const char *vgacon_startup(void) + vgacon_xres = screen_info.orig_video_cols * VGA_FONTWIDTH; + vgacon_yres = vga_scan_lines; + +- if (!vga_init_done) { +- vgacon_scrollback_startup(); +- vga_init_done = 1; +- } ++ vga_init_done = 1; + + return display_desc; + } +@@ -861,7 +706,6 @@ static int vgacon_switch(struct vc_data + vgacon_doresize(c, c->vc_cols, c->vc_rows); + } + +- vgacon_scrollback_init(c->vc_size_row); + return 0; /* Redrawing not needed */ + } + +@@ -1391,7 +1235,6 @@ static int vgacon_scroll(struct vc_data + oldo = c->vc_origin; + delta = lines * c->vc_size_row; + if (dir == SM_UP) { +- vgacon_scrollback_update(c, t, lines); + if (c->vc_scr_end + delta >= vga_vram_end) { + scr_memcpyw((u16 *) vga_vram_base, + (u16 *) (oldo + delta), diff --git a/queue-4.9/video-fbdev-fix-oob-read-in-vga_8planes_imageblit.patch b/queue-4.9/video-fbdev-fix-oob-read-in-vga_8planes_imageblit.patch new file mode 100644 index 00000000000..c412a68aa6f --- /dev/null +++ b/queue-4.9/video-fbdev-fix-oob-read-in-vga_8planes_imageblit.patch 
@@ -0,0 +1,35 @@
+From bd018a6a75cebb511bb55a0e7690024be975fe93 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Mon, 31 Aug 2020 19:37:00 +0900
+Subject: video: fbdev: fix OOB read in vga_8planes_imageblit()
+
+From: Tetsuo Handa
+
+commit bd018a6a75cebb511bb55a0e7690024be975fe93 upstream.
+
+syzbot is reporting OOB read at vga_8planes_imageblit() [1], for
+"cdat[y] >> 4" can become a negative value due to "const char *cdat".
+
+[1] https://syzkaller.appspot.com/bug?id=0d7a0da1557dcd1989e00cb3692b26d4173b4132
+
+Reported-by: syzbot
+Signed-off-by: Tetsuo Handa
+Cc: stable
+Link: https://lore.kernel.org/r/90b55ec3-d5b0-3307-9f7c-7ff5c5fd6ad3@i-love.sakura.ne.jp
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/fbdev/vga16fb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/vga16fb.c
++++ b/drivers/video/fbdev/vga16fb.c
+@@ -1122,7 +1122,7 @@ static void vga_8planes_imageblit(struct
+ char oldop = setop(0);
+ char oldsr = setsr(0);
+ char oldmask = selectmask();
+- const char *cdat = image->data;
++ const unsigned char *cdat = image->data;
+ u32 dx = image->dx;
+ char __iomem *where;
+ int y;
-- 2.47.3
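Review bot: The reason `cdat` has to be unsigned is recorded only in the commit message, so at the declaration in `vga_8planes_imageblit()` nothing stops a later cleanup from turning it back into `const char *`. A comment on that line, for example `/* unsigned: cdat[y] >> 4 must not go negative, see the OOB read this fixed */`, would keep the invariant next to the code. The assignment from `image->data` now changes pointer signedness implicitly; an explicit `(const unsigned char *)image->data` cast would make that intentional if the build ever enables pointer-sign warnings. The statements that use `cdat` lie outside the hunk, so the expression quoted here is taken from the commit description.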