From: Greg Kroah-Hartman Date: Mon, 26 Jan 2026 12:57:42 +0000 (+0100) Subject: 6.1-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=19c41a688c84eb71593c42a95f153dcc1d11713c;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: comedi-dmm32at-serialize-use-of-paged-registers.patch serial-8250_pci-fix-broken-rs485-for-f81504-508-512.patch w1-fix-redundant-counter-decrement-in-w1_attach_slave_device.patch w1-therm-fix-off-by-one-buffer-overflow-in-alarms_store.patch --- diff --git a/queue-6.1/comedi-dmm32at-serialize-use-of-paged-registers.patch b/queue-6.1/comedi-dmm32at-serialize-use-of-paged-registers.patch new file mode 100644 index 0000000000..4e58bc59bd --- /dev/null +++ b/queue-6.1/comedi-dmm32at-serialize-use-of-paged-registers.patch @@ -0,0 +1,127 @@ +From e03b29b55f2b7c345a919a6ee36633b06bf3fb56 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 12 Jan 2026 16:28:35 +0000 +Subject: comedi: dmm32at: serialize use of paged registers + +From: Ian Abbott + +commit e03b29b55f2b7c345a919a6ee36633b06bf3fb56 upstream. + +Some of the hardware registers of the DMM-32-AT board are multiplexed, +using the least significant two bits of the Miscellaneous Control +register to select the function of registers at offsets 12 to 15: + + 00 => 8254 timer/counter registers are accessible + 01 => 8255 digital I/O registers are accessible + 10 => Reserved + 11 => Calibration registers are accessible + +The interrupt service routine (`dmm32at_isr()`) clobbers the bottom two +bits of the register with value 00, which would interfere with access to +the 8255 registers by the `dm32at_8255_io()` function (used for Comedi +instruction handling on the digital I/O subdevice). + +Make use of the generic Comedi device spin-lock `dev->spinlock` (which +is otherwise unused by this driver) to serialize access to the +miscellaneous control register and paged registers. + +Fixes: 3c501880ac44 ("Staging: comedi: add dmm32at driver") +Cc: stable@vger.kernel.org +Signed-off-by: Ian Abbott +Link: https://patch.msgid.link/20260112162835.91688-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers/dmm32at.c | 32 ++++++++++++++++++++++++++++++-- + 1 file changed, 30 insertions(+), 2 deletions(-) + +--- a/drivers/comedi/drivers/dmm32at.c ++++ b/drivers/comedi/drivers/dmm32at.c +@@ -330,6 +330,7 @@ static int dmm32at_ai_cmdtest(struct com + + static void dmm32at_setaitimer(struct comedi_device *dev, unsigned int nansec) + { ++ unsigned long irq_flags; + unsigned char lo1, lo2, hi2; + unsigned short both2; + +@@ -342,6 +343,9 @@ static void dmm32at_setaitimer(struct co + /* set counter clocks to 10MHz, disable all aux dio */ + outb(0, dev->iobase + DMM32AT_CTRDIO_CFG_REG); + ++ /* serialize access to control register and paged registers */ ++ spin_lock_irqsave(&dev->spinlock, irq_flags); ++ + /* get access to the clock regs */ + outb(DMM32AT_CTRL_PAGE_8254, dev->iobase + DMM32AT_CTRL_REG); + +@@ -354,6 +358,8 @@ static void dmm32at_setaitimer(struct co + outb(lo2, dev->iobase + DMM32AT_CLK2); + outb(hi2, dev->iobase + DMM32AT_CLK2); + ++ spin_unlock_irqrestore(&dev->spinlock, irq_flags); ++ + /* enable the ai conversion interrupt and the clock to start scans */ + outb(DMM32AT_INTCLK_ADINT | + DMM32AT_INTCLK_CLKEN | DMM32AT_INTCLK_CLKSEL, +@@ -363,13 +369,19 @@ static void dmm32at_setaitimer(struct co + static int dmm32at_ai_cmd(struct comedi_device *dev, struct comedi_subdevice *s) + { + struct comedi_cmd *cmd = &s->async->cmd; ++ unsigned long irq_flags; + int ret; + + dmm32at_ai_set_chanspec(dev, s, cmd->chanlist[0], cmd->chanlist_len); + ++ /* serialize access to control register and paged registers */ ++ spin_lock_irqsave(&dev->spinlock, irq_flags); ++ + /* reset the interrupt just in case */ + outb(DMM32AT_CTRL_INTRST, dev->iobase + DMM32AT_CTRL_REG); + ++ spin_unlock_irqrestore(&dev->spinlock, irq_flags); ++ + /* + * wait for circuit to settle + * we don't have the 'insn' here but it's not needed +@@ -429,8 +441,13 @@ static irqreturn_t dmm32at_isr(int irq, + comedi_handle_events(dev, s); + } + ++ /* serialize access to control register and paged registers */ ++ spin_lock(&dev->spinlock); ++ + /* reset the interrupt */ + outb(DMM32AT_CTRL_INTRST, dev->iobase + DMM32AT_CTRL_REG); ++ ++ spin_unlock(&dev->spinlock); + return IRQ_HANDLED; + } + +@@ -481,14 +498,25 @@ static int dmm32at_ao_insn_write(struct + static int dmm32at_8255_io(struct comedi_device *dev, + int dir, int port, int data, unsigned long regbase) + { ++ unsigned long irq_flags; ++ int ret; ++ ++ /* serialize access to control register and paged registers */ ++ spin_lock_irqsave(&dev->spinlock, irq_flags); ++ + /* get access to the DIO regs */ + outb(DMM32AT_CTRL_PAGE_8255, dev->iobase + DMM32AT_CTRL_REG); + + if (dir) { + outb(data, dev->iobase + regbase + port); +- return 0; ++ ret = 0; ++ } else { ++ ret = inb(dev->iobase + regbase + port); + } +- return inb(dev->iobase + regbase + port); ++ ++ spin_unlock_irqrestore(&dev->spinlock, irq_flags); ++ ++ return ret; + } + + /* Make sure the board is there and put it to a known state */ diff --git a/queue-6.1/serial-8250_pci-fix-broken-rs485-for-f81504-508-512.patch b/queue-6.1/serial-8250_pci-fix-broken-rs485-for-f81504-508-512.patch new file mode 100644 index 0000000000..da7aa507bf --- /dev/null +++ b/queue-6.1/serial-8250_pci-fix-broken-rs485-for-f81504-508-512.patch @@ -0,0 +1,40 @@ +From 27aff0a56b3c77ea1a73641c9b3c4172a8f7238f Mon Sep 17 00:00:00 2001 +From: Marnix Rijnart +Date: Mon, 12 Jan 2026 01:08:23 +0100 +Subject: serial: 8250_pci: Fix broken RS485 for F81504/508/512 + +From: Marnix Rijnart + +commit 27aff0a56b3c77ea1a73641c9b3c4172a8f7238f upstream. + +Fintek F81504/508/512 can support both RTS_ON_SEND and RTS_AFTER_SEND, +but pci_fintek_rs485_supported only announces the former. + +This makes it impossible to unset SER_RS485_RTS_ON_SEND from +userspace because of uart_sanitize_serial_rs485(). Some devices +with these chips need RTS low on TX, so they are effectively broken. + +Fix this by announcing the support for SER_RS485_RTS_AFTER_SEND, +similar to commit 068d35a7be65 ("serial: sc16is7xx: announce support +for SER_RS485_RTS_ON_SEND"). + +Fixes: 4afeced55baa ("serial: core: fix sanitizing check for RTS settings") +Cc: stable +Signed-off-by: Marnix Rijnart +Link: https://patch.msgid.link/20260112000931.61703-1-marnix.rijnart@iwell.eu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -1583,7 +1583,7 @@ static int pci_fintek_rs485_config(struc + } + + static const struct serial_rs485 pci_fintek_rs485_supported = { +- .flags = SER_RS485_ENABLED | SER_RS485_RTS_ON_SEND, ++ .flags = SER_RS485_ENABLED | SER_RS485_RTS_ON_SEND | SER_RS485_RTS_AFTER_SEND, + /* F81504/508/512 does not support RTS delay before or after send */ + }; + diff --git a/queue-6.1/series b/queue-6.1/series index 8d2ab3b8b2..a3e5635adf 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -112,3 +112,7 @@ octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch net-sched-enforce-that-teql-can-only-be-used-as-root.patch net-sched-qfq-use-cl_is_active-to-determine-whether-.patch crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch +serial-8250_pci-fix-broken-rs485-for-f81504-508-512.patch +comedi-dmm32at-serialize-use-of-paged-registers.patch +w1-therm-fix-off-by-one-buffer-overflow-in-alarms_store.patch +w1-fix-redundant-counter-decrement-in-w1_attach_slave_device.patch diff --git a/queue-6.1/w1-fix-redundant-counter-decrement-in-w1_attach_slave_device.patch b/queue-6.1/w1-fix-redundant-counter-decrement-in-w1_attach_slave_device.patch new file mode 100644 index 0000000000..484efc2aa7 --- /dev/null +++ b/queue-6.1/w1-fix-redundant-counter-decrement-in-w1_attach_slave_device.patch @@ -0,0 +1,36 @@ +From cc8f92e41eb76f450f05234fef2054afc3633100 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Thu, 18 Dec 2025 19:14:14 +0800 +Subject: w1: fix redundant counter decrement in w1_attach_slave_device() + +From: Haoxiang Li + +commit cc8f92e41eb76f450f05234fef2054afc3633100 upstream. + +In w1_attach_slave_device(), if __w1_attach_slave_device() fails, +put_device() -> w1_slave_release() is called to do the cleanup job. +In w1_slave_release(), sl->family->refcnt and sl->master->slave_count +have already been decremented. There is no need to decrement twice +in w1_attach_slave_device(). + +Fixes: 2c927c0c73fd ("w1: Fix slave count on 1-Wire bus (resend)") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Link: https://patch.msgid.link/20251218111414.564403-1-lihaoxiang@isrc.iscas.ac.cn +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/w1/w1.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/w1/w1.c ++++ b/drivers/w1/w1.c +@@ -767,8 +767,6 @@ int w1_attach_slave_device(struct w1_mas + if (err < 0) { + dev_err(&dev->dev, "%s: Attaching %s failed.\n", __func__, + sl->name); +- dev->slave_count--; +- w1_family_put(sl->family); + atomic_dec(&sl->master->refcnt); + kfree(sl); + return err; diff --git a/queue-6.1/w1-therm-fix-off-by-one-buffer-overflow-in-alarms_store.patch b/queue-6.1/w1-therm-fix-off-by-one-buffer-overflow-in-alarms_store.patch new file mode 100644 index 0000000000..07e365f409 --- /dev/null +++ b/queue-6.1/w1-therm-fix-off-by-one-buffer-overflow-in-alarms_store.patch @@ -0,0 +1,132 @@ +From 761fcf46a1bd797bd32d23f3ea0141ffd437668a Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Tue, 16 Dec 2025 15:50:03 +0100 +Subject: w1: therm: Fix off-by-one buffer overflow in alarms_store + +From: Thorsten Blum + +commit 761fcf46a1bd797bd32d23f3ea0141ffd437668a upstream. + +The sysfs buffer passed to alarms_store() is allocated with 'size + 1' +bytes and a NUL terminator is appended. However, the 'size' argument +does not account for this extra byte. The original code then allocated +'size' bytes and used strcpy() to copy 'buf', which always writes one +byte past the allocated buffer since strcpy() copies until the NUL +terminator at index 'size'. + +Fix this by parsing the 'buf' parameter directly using simple_strtoll() +without allocating any intermediate memory or string copying. This +removes the overflow while simplifying the code. + +Cc: stable@vger.kernel.org +Fixes: e2c94d6f5720 ("w1_therm: adding alarm sysfs entry") +Signed-off-by: Thorsten Blum +Link: https://patch.msgid.link/20251216145007.44328-2-thorsten.blum@linux.dev +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/w1/slaves/w1_therm.c | 60 +++++++++++++------------------------------ + 1 file changed, 19 insertions(+), 41 deletions(-) + +--- a/drivers/w1/slaves/w1_therm.c ++++ b/drivers/w1/slaves/w1_therm.c +@@ -1846,53 +1846,35 @@ static ssize_t alarms_store(struct devic + struct w1_slave *sl = dev_to_w1_slave(device); + struct therm_info info; + u8 new_config_register[3]; /* array of data to be written */ +- int temp, ret; +- char *token = NULL; ++ long long temp; ++ int ret = 0; + s8 tl, th; /* 1 byte per value + temp ring order */ +- char *p_args, *orig; ++ const char *p = buf; ++ char *endp; + +- p_args = orig = kmalloc(size, GFP_KERNEL); +- /* Safe string copys as buf is const */ +- if (!p_args) { +- dev_warn(device, +- "%s: error unable to allocate memory %d\n", +- __func__, -ENOMEM); +- return size; +- } +- strcpy(p_args, buf); +- +- /* Split string using space char */ +- token = strsep(&p_args, " "); +- +- if (!token) { +- dev_info(device, +- "%s: error parsing args %d\n", __func__, -EINVAL); +- goto free_m; +- } +- +- /* Convert 1st entry to int */ +- ret = kstrtoint (token, 10, &temp); ++ temp = simple_strtoll(p, &endp, 10); ++ if (p == endp || *endp != ' ') ++ ret = -EINVAL; ++ else if (temp < INT_MIN || temp > INT_MAX) ++ ret = -ERANGE; + if (ret) { + dev_info(device, + "%s: error parsing args %d\n", __func__, ret); +- goto free_m; ++ return size; + } + + tl = int_to_short(temp); + +- /* Split string using space char */ +- token = strsep(&p_args, " "); +- if (!token) { +- dev_info(device, +- "%s: error parsing args %d\n", __func__, -EINVAL); +- goto free_m; +- } +- /* Convert 2nd entry to int */ +- ret = kstrtoint (token, 10, &temp); ++ p = endp + 1; ++ temp = simple_strtoll(p, &endp, 10); ++ if (p == endp) ++ ret = -EINVAL; ++ else if (temp < INT_MIN || temp > INT_MAX) ++ ret = -ERANGE; + if (ret) { + dev_info(device, + "%s: error parsing args %d\n", __func__, ret); +- goto free_m; ++ return size; + } + + /* Prepare to cast to short by eliminating out of range values */ +@@ -1915,7 +1897,7 @@ static ssize_t alarms_store(struct devic + dev_info(device, + "%s: error reading from the slave device %d\n", + __func__, ret); +- goto free_m; ++ return size; + } + + /* Write data in the device RAM */ +@@ -1923,7 +1905,7 @@ static ssize_t alarms_store(struct devic + dev_info(device, + "%s: Device not supported by the driver %d\n", + __func__, -ENODEV); +- goto free_m; ++ return size; + } + + ret = SLAVE_SPECIFIC_FUNC(sl)->write_data(sl, new_config_register); +@@ -1932,10 +1914,6 @@ static ssize_t alarms_store(struct devic + "%s: error writing to the slave device %d\n", + __func__, ret); + +-free_m: +- /* free allocated memory */ +- kfree(orig); +- + return size; + } +