--- /dev/null
+From e03b29b55f2b7c345a919a6ee36633b06bf3fb56 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 12 Jan 2026 16:28:35 +0000
+Subject: comedi: dmm32at: serialize use of paged registers
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit e03b29b55f2b7c345a919a6ee36633b06bf3fb56 upstream.
+
+Some of the hardware registers of the DMM-32-AT board are multiplexed,
+using the least significant two bits of the Miscellaneous Control
+register to select the function of registers at offsets 12 to 15:
+
+ 00 => 8254 timer/counter registers are accessible
+ 01 => 8255 digital I/O registers are accessible
+ 10 => Reserved
+ 11 => Calibration registers are accessible
+
+The interrupt service routine (`dmm32at_isr()`) clobbers the bottom two
+bits of the register with value 00, which would interfere with access to
+the 8255 registers by the `dm32at_8255_io()` function (used for Comedi
+instruction handling on the digital I/O subdevice).
+
+Make use of the generic Comedi device spin-lock `dev->spinlock` (which
+is otherwise unused by this driver) to serialize access to the
+miscellaneous control register and paged registers.
+
+Fixes: 3c501880ac44 ("Staging: comedi: add dmm32at driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20260112162835.91688-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/dmm32at.c | 32 ++++++++++++++++++++++++++++++--
+ 1 file changed, 30 insertions(+), 2 deletions(-)
+
+--- a/drivers/comedi/drivers/dmm32at.c
++++ b/drivers/comedi/drivers/dmm32at.c
+@@ -330,6 +330,7 @@ static int dmm32at_ai_cmdtest(struct com
+
+ static void dmm32at_setaitimer(struct comedi_device *dev, unsigned int nansec)
+ {
++ unsigned long irq_flags;
+ unsigned char lo1, lo2, hi2;
+ unsigned short both2;
+
+@@ -342,6 +343,9 @@ static void dmm32at_setaitimer(struct co
+ /* set counter clocks to 10MHz, disable all aux dio */
+ outb(0, dev->iobase + DMM32AT_CTRDIO_CFG_REG);
+
++ /* serialize access to control register and paged registers */
++ spin_lock_irqsave(&dev->spinlock, irq_flags);
++
+ /* get access to the clock regs */
+ outb(DMM32AT_CTRL_PAGE_8254, dev->iobase + DMM32AT_CTRL_REG);
+
+@@ -354,6 +358,8 @@ static void dmm32at_setaitimer(struct co
+ outb(lo2, dev->iobase + DMM32AT_CLK2);
+ outb(hi2, dev->iobase + DMM32AT_CLK2);
+
++ spin_unlock_irqrestore(&dev->spinlock, irq_flags);
++
+ /* enable the ai conversion interrupt and the clock to start scans */
+ outb(DMM32AT_INTCLK_ADINT |
+ DMM32AT_INTCLK_CLKEN | DMM32AT_INTCLK_CLKSEL,
+@@ -363,13 +369,19 @@ static void dmm32at_setaitimer(struct co
+ static int dmm32at_ai_cmd(struct comedi_device *dev, struct comedi_subdevice *s)
+ {
+ struct comedi_cmd *cmd = &s->async->cmd;
++ unsigned long irq_flags;
+ int ret;
+
+ dmm32at_ai_set_chanspec(dev, s, cmd->chanlist[0], cmd->chanlist_len);
+
++ /* serialize access to control register and paged registers */
++ spin_lock_irqsave(&dev->spinlock, irq_flags);
++
+ /* reset the interrupt just in case */
+ outb(DMM32AT_CTRL_INTRST, dev->iobase + DMM32AT_CTRL_REG);
+
++ spin_unlock_irqrestore(&dev->spinlock, irq_flags);
++
+ /*
+ * wait for circuit to settle
+ * we don't have the 'insn' here but it's not needed
+@@ -429,8 +441,13 @@ static irqreturn_t dmm32at_isr(int irq,
+ comedi_handle_events(dev, s);
+ }
+
++ /* serialize access to control register and paged registers */
++ spin_lock(&dev->spinlock);
++
+ /* reset the interrupt */
+ outb(DMM32AT_CTRL_INTRST, dev->iobase + DMM32AT_CTRL_REG);
++
++ spin_unlock(&dev->spinlock);
+ return IRQ_HANDLED;
+ }
+
+@@ -481,14 +498,25 @@ static int dmm32at_ao_insn_write(struct
+ static int dmm32at_8255_io(struct comedi_device *dev,
+ int dir, int port, int data, unsigned long regbase)
+ {
++ unsigned long irq_flags;
++ int ret;
++
++ /* serialize access to control register and paged registers */
++ spin_lock_irqsave(&dev->spinlock, irq_flags);
++
+ /* get access to the DIO regs */
+ outb(DMM32AT_CTRL_PAGE_8255, dev->iobase + DMM32AT_CTRL_REG);
+
+ if (dir) {
+ outb(data, dev->iobase + regbase + port);
+- return 0;
++ ret = 0;
++ } else {
++ ret = inb(dev->iobase + regbase + port);
+ }
+- return inb(dev->iobase + regbase + port);
++
++ spin_unlock_irqrestore(&dev->spinlock, irq_flags);
++
++ return ret;
+ }
+
+ /* Make sure the board is there and put it to a known state */
--- /dev/null
+From 27aff0a56b3c77ea1a73641c9b3c4172a8f7238f Mon Sep 17 00:00:00 2001
+From: Marnix Rijnart <marnix.rijnart@iwell.eu>
+Date: Mon, 12 Jan 2026 01:08:23 +0100
+Subject: serial: 8250_pci: Fix broken RS485 for F81504/508/512
+
+From: Marnix Rijnart <marnix.rijnart@iwell.eu>
+
+commit 27aff0a56b3c77ea1a73641c9b3c4172a8f7238f upstream.
+
+Fintek F81504/508/512 can support both RTS_ON_SEND and RTS_AFTER_SEND,
+but pci_fintek_rs485_supported only announces the former.
+
+This makes it impossible to unset SER_RS485_RTS_ON_SEND from
+userspace because of uart_sanitize_serial_rs485(). Some devices
+with these chips need RTS low on TX, so they are effectively broken.
+
+Fix this by announcing the support for SER_RS485_RTS_AFTER_SEND,
+similar to commit 068d35a7be65 ("serial: sc16is7xx: announce support
+for SER_RS485_RTS_ON_SEND").
+
+Fixes: 4afeced55baa ("serial: core: fix sanitizing check for RTS settings")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Marnix Rijnart <marnix.rijnart@iwell.eu>
+Link: https://patch.msgid.link/20260112000931.61703-1-marnix.rijnart@iwell.eu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -1641,7 +1641,7 @@ static int pci_fintek_rs485_config(struc
+ }
+
+ static const struct serial_rs485 pci_fintek_rs485_supported = {
+- .flags = SER_RS485_ENABLED | SER_RS485_RTS_ON_SEND,
++ .flags = SER_RS485_ENABLED | SER_RS485_RTS_ON_SEND | SER_RS485_RTS_AFTER_SEND,
+ /* F81504/508/512 does not support RTS delay before or after send */
+ };
+
net-sched-qfq-use-cl_is_active-to-determine-whether-.patch
crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch
wifi-mac80211-don-t-perform-da-check-on-s1g-beacon.patch
+serial-8250_pci-fix-broken-rs485-for-f81504-508-512.patch
+comedi-dmm32at-serialize-use-of-paged-registers.patch
+w1-therm-fix-off-by-one-buffer-overflow-in-alarms_store.patch
+w1-fix-redundant-counter-decrement-in-w1_attach_slave_device.patch
--- /dev/null
+From cc8f92e41eb76f450f05234fef2054afc3633100 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
+Date: Thu, 18 Dec 2025 19:14:14 +0800
+Subject: w1: fix redundant counter decrement in w1_attach_slave_device()
+
+From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
+
+commit cc8f92e41eb76f450f05234fef2054afc3633100 upstream.
+
+In w1_attach_slave_device(), if __w1_attach_slave_device() fails,
+put_device() -> w1_slave_release() is called to do the cleanup job.
+In w1_slave_release(), sl->family->refcnt and sl->master->slave_count
+have already been decremented. There is no need to decrement twice
+in w1_attach_slave_device().
+
+Fixes: 2c927c0c73fd ("w1: Fix slave count on 1-Wire bus (resend)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
+Link: https://patch.msgid.link/20251218111414.564403-1-lihaoxiang@isrc.iscas.ac.cn
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/w1/w1.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/w1/w1.c
++++ b/drivers/w1/w1.c
+@@ -758,8 +758,6 @@ int w1_attach_slave_device(struct w1_mas
+ if (err < 0) {
+ dev_err(&dev->dev, "%s: Attaching %s failed.\n", __func__,
+ sl->name);
+- dev->slave_count--;
+- w1_family_put(sl->family);
+ atomic_dec(&sl->master->refcnt);
+ kfree(sl);
+ return err;
--- /dev/null
+From 761fcf46a1bd797bd32d23f3ea0141ffd437668a Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Tue, 16 Dec 2025 15:50:03 +0100
+Subject: w1: therm: Fix off-by-one buffer overflow in alarms_store
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit 761fcf46a1bd797bd32d23f3ea0141ffd437668a upstream.
+
+The sysfs buffer passed to alarms_store() is allocated with 'size + 1'
+bytes and a NUL terminator is appended. However, the 'size' argument
+does not account for this extra byte. The original code then allocated
+'size' bytes and used strcpy() to copy 'buf', which always writes one
+byte past the allocated buffer since strcpy() copies until the NUL
+terminator at index 'size'.
+
+Fix this by parsing the 'buf' parameter directly using simple_strtoll()
+without allocating any intermediate memory or string copying. This
+removes the overflow while simplifying the code.
+
+Cc: stable@vger.kernel.org
+Fixes: e2c94d6f5720 ("w1_therm: adding alarm sysfs entry")
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Link: https://patch.msgid.link/20251216145007.44328-2-thorsten.blum@linux.dev
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/w1/slaves/w1_therm.c | 60 +++++++++++++------------------------------
+ 1 file changed, 19 insertions(+), 41 deletions(-)
+
+--- a/drivers/w1/slaves/w1_therm.c
++++ b/drivers/w1/slaves/w1_therm.c
+@@ -1846,53 +1846,35 @@ static ssize_t alarms_store(struct devic
+ struct w1_slave *sl = dev_to_w1_slave(device);
+ struct therm_info info;
+ u8 new_config_register[3]; /* array of data to be written */
+- int temp, ret;
+- char *token = NULL;
++ long long temp;
++ int ret = 0;
+ s8 tl, th; /* 1 byte per value + temp ring order */
+- char *p_args, *orig;
++ const char *p = buf;
++ char *endp;
+
+- p_args = orig = kmalloc(size, GFP_KERNEL);
+- /* Safe string copys as buf is const */
+- if (!p_args) {
+- dev_warn(device,
+- "%s: error unable to allocate memory %d\n",
+- __func__, -ENOMEM);
+- return size;
+- }
+- strcpy(p_args, buf);
+-
+- /* Split string using space char */
+- token = strsep(&p_args, " ");
+-
+- if (!token) {
+- dev_info(device,
+- "%s: error parsing args %d\n", __func__, -EINVAL);
+- goto free_m;
+- }
+-
+- /* Convert 1st entry to int */
+- ret = kstrtoint (token, 10, &temp);
++ temp = simple_strtoll(p, &endp, 10);
++ if (p == endp || *endp != ' ')
++ ret = -EINVAL;
++ else if (temp < INT_MIN || temp > INT_MAX)
++ ret = -ERANGE;
+ if (ret) {
+ dev_info(device,
+ "%s: error parsing args %d\n", __func__, ret);
+- goto free_m;
++ return size;
+ }
+
+ tl = int_to_short(temp);
+
+- /* Split string using space char */
+- token = strsep(&p_args, " ");
+- if (!token) {
+- dev_info(device,
+- "%s: error parsing args %d\n", __func__, -EINVAL);
+- goto free_m;
+- }
+- /* Convert 2nd entry to int */
+- ret = kstrtoint (token, 10, &temp);
++ p = endp + 1;
++ temp = simple_strtoll(p, &endp, 10);
++ if (p == endp)
++ ret = -EINVAL;
++ else if (temp < INT_MIN || temp > INT_MAX)
++ ret = -ERANGE;
+ if (ret) {
+ dev_info(device,
+ "%s: error parsing args %d\n", __func__, ret);
+- goto free_m;
++ return size;
+ }
+
+ /* Prepare to cast to short by eliminating out of range values */
+@@ -1915,7 +1897,7 @@ static ssize_t alarms_store(struct devic
+ dev_info(device,
+ "%s: error reading from the slave device %d\n",
+ __func__, ret);
+- goto free_m;
++ return size;
+ }
+
+ /* Write data in the device RAM */
+@@ -1923,7 +1905,7 @@ static ssize_t alarms_store(struct devic
+ dev_info(device,
+ "%s: Device not supported by the driver %d\n",
+ __func__, -ENODEV);
+- goto free_m;
++ return size;
+ }
+
+ ret = SLAVE_SPECIFIC_FUNC(sl)->write_data(sl, new_config_register);
+@@ -1932,10 +1914,6 @@ static ssize_t alarms_store(struct devic
+ "%s: error writing to the slave device %d\n",
+ __func__, ret);
+
+-free_m:
+- /* free allocated memory */
+- kfree(orig);
+-
+ return size;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
