From: Greg Kroah-Hartman
Date: Mon, 26 Jan 2026 12:58:14 +0000 (+0100)
Subject: 6.18-stable patches
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d16c8783c9324c513bccb21a1eefa2bcd0c3fd0b;p=thirdparty%2Fkernel%2Fstable-queue.git
6.18-stable patches added patches: comedi-dmm32at-serialize-use-of-paged-registers.patch serial-8250_pci-fix-broken-rs485-for-f81504-508-512.patch serial-fix-not-set-tty-port-race-condition.patch w1-fix-redundant-counter-decrement-in-w1_attach_slave_device.patch w1-therm-fix-off-by-one-buffer-overflow-in-alarms_store.patch
---
diff --git a/queue-6.18/comedi-dmm32at-serialize-use-of-paged-registers.patch b/queue-6.18/comedi-dmm32at-serialize-use-of-paged-registers.patch
new file mode 100644
index 0000000000..4e58bc59bd
--- /dev/null
+++ b/queue-6.18/comedi-dmm32at-serialize-use-of-paged-registers.patch
@@ -0,0 +1,127 @@
+From e03b29b55f2b7c345a919a6ee36633b06bf3fb56 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Mon, 12 Jan 2026 16:28:35 +0000
+Subject: comedi: dmm32at: serialize use of paged registers
+
+From: Ian Abbott
+
+commit e03b29b55f2b7c345a919a6ee36633b06bf3fb56 upstream.
+
+Some of the hardware registers of the DMM-32-AT board are multiplexed,
+using the least significant two bits of the Miscellaneous Control
+register to select the function of registers at offsets 12 to 15:
+
+ 00 => 8254 timer/counter registers are accessible
+ 01 => 8255 digital I/O registers are accessible
+ 10 => Reserved
+ 11 => Calibration registers are accessible
+
+The interrupt service routine (`dmm32at_isr()`) clobbers the bottom two
+bits of the register with value 00, which would interfere with access to
+the 8255 registers by the `dm32at_8255_io()` function (used for Comedi
+instruction handling on the digital I/O subdevice).
+
+Make use of the generic Comedi device spin-lock `dev->spinlock` (which
+is otherwise unused by this driver) to serialize access to the
+miscellaneous control register and paged registers.
+
+Fixes: 3c501880ac44 ("Staging: comedi: add dmm32at driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ian Abbott
+Link: https://patch.msgid.link/20260112162835.91688-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/comedi/drivers/dmm32at.c | 32 ++++++++++++++++++++++++++++++--
+ 1 file changed, 30 insertions(+), 2 deletions(-)
+
+--- a/drivers/comedi/drivers/dmm32at.c
++++ b/drivers/comedi/drivers/dmm32at.c
+@@ -330,6 +330,7 @@ static int dmm32at_ai_cmdtest(struct com
+
+ static void dmm32at_setaitimer(struct comedi_device *dev, unsigned int nansec)
+ {
++ unsigned long irq_flags;
+ unsigned char lo1, lo2, hi2;
+ unsigned short both2;
+
+@@ -342,6 +343,9 @@ static void dmm32at_setaitimer(struct co
+ /* set counter clocks to 10MHz, disable all aux dio */
+ outb(0, dev->iobase + DMM32AT_CTRDIO_CFG_REG);
+
++ /* serialize access to control register and paged registers */
++ spin_lock_irqsave(&dev->spinlock, irq_flags);
++
+ /* get access to the clock regs */
+ outb(DMM32AT_CTRL_PAGE_8254, dev->iobase + DMM32AT_CTRL_REG);
+
+@@ -354,6 +358,8 @@ static void dmm32at_setaitimer(struct co
+ outb(lo2, dev->iobase + DMM32AT_CLK2);
+ outb(hi2, dev->iobase + DMM32AT_CLK2);
+
++ spin_unlock_irqrestore(&dev->spinlock, irq_flags);
++
+ /* enable the ai conversion interrupt and the clock to start scans */
+ outb(DMM32AT_INTCLK_ADINT |
+ DMM32AT_INTCLK_CLKEN | DMM32AT_INTCLK_CLKSEL,
+@@ -363,13 +369,19 @@ static void dmm32at_setaitimer(struct co
+ static int dmm32at_ai_cmd(struct comedi_device *dev, struct comedi_subdevice *s)
+ {
+ struct comedi_cmd *cmd = &s->async->cmd;
++ unsigned long irq_flags;
+ int ret;
+
+ dmm32at_ai_set_chanspec(dev, s, cmd->chanlist[0], cmd->chanlist_len);
+
++ /* serialize access to control register and paged registers */
++ spin_lock_irqsave(&dev->spinlock, irq_flags);
++
+ /* reset the interrupt just in case */
+ outb(DMM32AT_CTRL_INTRST, dev->iobase + DMM32AT_CTRL_REG);
+
++ spin_unlock_irqrestore(&dev->spinlock, irq_flags);
++
+ /*
+ * wait for circuit to settle
+ * we don't have the 'insn' here but it's not needed
+@@ -429,8 +441,13 @@ static irqreturn_t dmm32at_isr(int irq,
+ comedi_handle_events(dev, s);
+ }
+
++ /* serialize access to control register and paged registers */
++ spin_lock(&dev->spinlock);
++
+ /* reset the interrupt */
+ outb(DMM32AT_CTRL_INTRST, dev->iobase + DMM32AT_CTRL_REG);
++
++ spin_unlock(&dev->spinlock);
+ return IRQ_HANDLED;
+ }
+
+@@ -481,14 +498,25 @@ static int dmm32at_ao_insn_write(struct
+ static int dmm32at_8255_io(struct comedi_device *dev,
+ int dir, int port, int data, unsigned long regbase)
+ {
++ unsigned long irq_flags;
++ int ret;
++
++ /* serialize access to control register and paged registers */
++ spin_lock_irqsave(&dev->spinlock, irq_flags);
++
+ /* get access to the DIO regs */
+ outb(DMM32AT_CTRL_PAGE_8255, dev->iobase + DMM32AT_CTRL_REG);
+
+ if (dir) {
+ outb(data, dev->iobase + regbase + port);
+- return 0;
++ ret = 0;
++ } else {
++ ret = inb(dev->iobase + regbase + port);
+ }
+- return inb(dev->iobase + regbase + port);
++
++ spin_unlock_irqrestore(&dev->spinlock, irq_flags);
++
++ return ret;
+ }
+
+ /* Make sure the board is there and put it to a known state */
diff --git a/queue-6.18/serial-8250_pci-fix-broken-rs485-for-f81504-508-512.patch b/queue-6.18/serial-8250_pci-fix-broken-rs485-for-f81504-508-512.patch
new file mode 100644
index 0000000000..f1ecddc95b
--- /dev/null
+++ b/queue-6.18/serial-8250_pci-fix-broken-rs485-for-f81504-508-512.patch
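Review bot: In `dmm32at_isr()` the lock is taken with plain `spin_lock()` while the three process-context sites use `spin_lock_irqsave()`, and nothing in the hunk records why the two forms may differ. That is correct only while the handler runs with local interrupts disabled, so I would add a comment above the call such as `/* interrupt handler: IRQs are already off, so plain spin_lock() pairs with the irqsave users */`. The lock also helps only if every writer of `DMM32AT_CTRL_REG` takes it; any writer outside these hunks (not visible here) should be checked, because an unlocked write would reopen the page-select race the commit message describes. The bodies of `dmm32at_isr()` and `dmm32at_ai_cmd()` extend beyond the hunks shown.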
@@ -0,0 +1,40 @@
+From 27aff0a56b3c77ea1a73641c9b3c4172a8f7238f Mon Sep 17 00:00:00 2001
+From: Marnix Rijnart
+Date: Mon, 12 Jan 2026 01:08:23 +0100
+Subject: serial: 8250_pci: Fix broken RS485 for F81504/508/512
+
+From: Marnix Rijnart
+
+commit 27aff0a56b3c77ea1a73641c9b3c4172a8f7238f upstream.
+
+Fintek F81504/508/512 can support both RTS_ON_SEND and RTS_AFTER_SEND,
+but pci_fintek_rs485_supported only announces the former.
+
+This makes it impossible to unset SER_RS485_RTS_ON_SEND from
+userspace because of uart_sanitize_serial_rs485(). Some devices
+with these chips need RTS low on TX, so they are effectively broken.
+
+Fix this by announcing the support for SER_RS485_RTS_AFTER_SEND,
+similar to commit 068d35a7be65 ("serial: sc16is7xx: announce support
+for SER_RS485_RTS_ON_SEND").
+
+Fixes: 4afeced55baa ("serial: core: fix sanitizing check for RTS settings")
+Cc: stable
+Signed-off-by: Marnix Rijnart
+Link: https://patch.msgid.link/20260112000931.61703-1-marnix.rijnart@iwell.eu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/8250/8250_pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -1650,7 +1650,7 @@ static int pci_fintek_rs485_config(struc
+ }
+
+ static const struct serial_rs485 pci_fintek_rs485_supported = {
+- .flags = SER_RS485_ENABLED | SER_RS485_RTS_ON_SEND,
++ .flags = SER_RS485_ENABLED | SER_RS485_RTS_ON_SEND | SER_RS485_RTS_AFTER_SEND,
+ /* F81504/508/512 does not support RTS delay before or after send */
+ };
+
diff --git a/queue-6.18/serial-fix-not-set-tty-port-race-condition.patch b/queue-6.18/serial-fix-not-set-tty-port-race-condition.patch
new file mode 100644
index 0000000000..ed8f37d126
--- /dev/null
+++ b/queue-6.18/serial-fix-not-set-tty-port-race-condition.patch
@@ -0,0 +1,93 @@
+From 32f37e57583f869140cff445feedeea8a5fea986 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Fri, 23 Jan 2026 08:21:40 +0100
+Subject: serial: Fix not set tty->port race condition
+
+From: Krzysztof Kozlowski
+
+commit 32f37e57583f869140cff445feedeea8a5fea986 upstream.
+
+Revert commit bfc467db60b7 ("serial: remove redundant
+tty_port_link_device()") because the tty_port_link_device() is not
+redundant: the tty->port has to be confured before we call
+uart_configure_port(), otherwise user-space can open console without TTY
+linked to the driver.
+
+This tty_port_link_device() was added explicitly to avoid this exact
+issue in commit fb2b90014d78 ("tty: link tty and port before configuring
+it as console"), so offending commit basically reverted the fix saying
+it is redundant without addressing the actual race condition presented
+there.
+
+Reproducible always as tty->port warning on Qualcomm SoC with most of
+devices disabled, so with very fast boot, and one serial device being
+the console:
+
+ printk: legacy console [ttyMSM0] enabled
+ printk: legacy console [ttyMSM0] enabled
+ printk: legacy bootconsole [qcom_geni0] disabled
+ printk: legacy bootconsole [qcom_geni0] disabled
+ ------------[ cut here ]------------
+ tty_init_dev: ttyMSM driver does not set tty->port. This would crash the kernel. Fix the driver!
+ WARNING: drivers/tty/tty_io.c:1414 at tty_init_dev.part.0+0x228/0x25c, CPU#2: systemd/1
+ Modules linked in: socinfo tcsrcc_eliza gcc_eliza sm3_ce fuse ipv6
+ CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G S 6.19.0-rc4-next-20260108-00024-g2202f4d30aa8 #73 PREEMPT
+ Tainted: [S]=CPU_OUT_OF_SPEC
+ Hardware name: Qualcomm Technologies, Inc. Eliza (DT)
+ ...
+ tty_init_dev.part.0 (drivers/tty/tty_io.c:1414 (discriminator 11)) (P)
+ tty_open (arch/arm64/include/asm/atomic_ll_sc.h:95 (discriminator 3) drivers/tty/tty_io.c:2073 (discriminator 3) drivers/tty/tty_io.c:2120 (discriminator 3))
+ chrdev_open (fs/char_dev.c:411)
+ do_dentry_open (fs/open.c:962)
+ vfs_open (fs/open.c:1094)
+ do_open (fs/namei.c:4634)
+ path_openat (fs/namei.c:4793)
+ do_filp_open (fs/namei.c:4820)
+ do_sys_openat2 (fs/open.c:1391 (discriminator 3))
+ ...
+ Starting Network Name Resolution...
+
+Apparently the flow with this small Yocto-based ramdisk user-space is:
+
+driver (qcom_geni_serial.c): user-space:
+============================ ===========
+qcom_geni_serial_probe()
+ uart_add_one_port()
+ serial_core_register_port()
+ serial_core_add_one_port()
+ uart_configure_port()
+ register_console()
+ |
+ | open console
+ | ...
+ | tty_init_dev()
+ | driver->ports[idx] is NULL
+ |
+ tty_port_register_device_attr_serdev()
+ tty_port_link_device() <- set driver->ports[idx]
+
+Fixes: bfc467db60b7 ("serial: remove redundant tty_port_link_device()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski
+Reviewed-by: Jiri Slaby
+Link: https://patch.msgid.link/20260123072139.53293-2-krzysztof.kozlowski@oss.qualcomm.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/serial_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -3102,6 +3102,12 @@ static int serial_core_add_one_port(stru
+ if (uport->cons && uport->dev)
+ of_console_check(uport->dev->of_node, uport->cons->name, uport->line);
+
++ /*
++ * TTY port has to be linked with the driver before register_console()
++ * in uart_configure_port(), because user-space could open the console
++ * immediately after.
++ */
++ tty_port_link_device(port, drv->tty_driver, uport->line);
+ uart_configure_port(drv, state, uport);
+
+ port->console = uart_console(uport);
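Review bot: The new comment in `serial_core_add_one_port()` explains the ordering but not that this call deliberately duplicates a later one. The commit message shows `tty_port_register_device_attr_serdev()` linking the port again afterwards, and says an earlier cleanup removed this very call as redundant for that reason. I would add one line to the comment block, for example ` * Not redundant with the link done when the tty device is registered; do not remove.`, so the race is not reintroduced by the next tidy-up. The rest of the function lies outside the hunk.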
diff --git a/queue-6.18/series b/queue-6.18/series
index b885a52ddb..54037e6233 100644
--- a/queue-6.18/series
+++ b/queue-6.18/series
@@ -46,3 +46,8 @@ net-sched-enforce-that-teql-can-only-be-used-as-root.patch
 net-sched-qfq-use-cl_is_active-to-determine-whether-.patch
 crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch
 wifi-mac80211-don-t-perform-da-check-on-s1g-beacon.patch
+serial-8250_pci-fix-broken-rs485-for-f81504-508-512.patch
+serial-fix-not-set-tty-port-race-condition.patch
+comedi-dmm32at-serialize-use-of-paged-registers.patch
+w1-therm-fix-off-by-one-buffer-overflow-in-alarms_store.patch
+w1-fix-redundant-counter-decrement-in-w1_attach_slave_device.patch
diff --git a/queue-6.18/w1-fix-redundant-counter-decrement-in-w1_attach_slave_device.patch b/queue-6.18/w1-fix-redundant-counter-decrement-in-w1_attach_slave_device.patch
new file mode 100644
index 0000000000..28c906151a
--- /dev/null
+++ b/queue-6.18/w1-fix-redundant-counter-decrement-in-w1_attach_slave_device.patch
@@ -0,0 +1,36 @@
+From cc8f92e41eb76f450f05234fef2054afc3633100 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li
+Date: Thu, 18 Dec 2025 19:14:14 +0800
+Subject: w1: fix redundant counter decrement in w1_attach_slave_device()
+
+From: Haoxiang Li
+
+commit cc8f92e41eb76f450f05234fef2054afc3633100 upstream.
+
+In w1_attach_slave_device(), if __w1_attach_slave_device() fails,
+put_device() -> w1_slave_release() is called to do the cleanup job.
+In w1_slave_release(), sl->family->refcnt and sl->master->slave_count
+have already been decremented. There is no need to decrement twice
+in w1_attach_slave_device().
+
+Fixes: 2c927c0c73fd ("w1: Fix slave count on 1-Wire bus (resend)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li
+Link: https://patch.msgid.link/20251218111414.564403-1-lihaoxiang@isrc.iscas.ac.cn
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/w1/w1.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/w1/w1.c
++++ b/drivers/w1/w1.c
+@@ -758,8 +758,6 @@ int w1_attach_slave_device(struct w1_mas
+ if (err < 0) {
+ dev_err(&dev->dev, "%s: Attaching %s failed.\n", __func__,
+ sl->name);
+- dev->slave_count--;
+- w1_family_put(sl->family);
+ atomic_dec(&sl->master->refcnt);
+ kfree(sl);
+ return err;
diff --git a/queue-6.18/w1-therm-fix-off-by-one-buffer-overflow-in-alarms_store.patch b/queue-6.18/w1-therm-fix-off-by-one-buffer-overflow-in-alarms_store.patch
new file mode 100644
index 0000000000..f6ff47e529
--- /dev/null
+++ b/queue-6.18/w1-therm-fix-off-by-one-buffer-overflow-in-alarms_store.patch
@@ -0,0 +1,132 @@
+From 761fcf46a1bd797bd32d23f3ea0141ffd437668a Mon Sep 17 00:00:00 2001
+From: Thorsten Blum
+Date: Tue, 16 Dec 2025 15:50:03 +0100
+Subject: w1: therm: Fix off-by-one buffer overflow in alarms_store
+
+From: Thorsten Blum
+
+commit 761fcf46a1bd797bd32d23f3ea0141ffd437668a upstream.
+
+The sysfs buffer passed to alarms_store() is allocated with 'size + 1'
+bytes and a NUL terminator is appended. However, the 'size' argument
+does not account for this extra byte. The original code then allocated
+'size' bytes and used strcpy() to copy 'buf', which always writes one
+byte past the allocated buffer since strcpy() copies until the NUL
+terminator at index 'size'.
+
+Fix this by parsing the 'buf' parameter directly using simple_strtoll()
+without allocating any intermediate memory or string copying. This
+removes the overflow while simplifying the code.
+
+Cc: stable@vger.kernel.org
+Fixes: e2c94d6f5720 ("w1_therm: adding alarm sysfs entry")
+Signed-off-by: Thorsten Blum
+Link: https://patch.msgid.link/20251216145007.44328-2-thorsten.blum@linux.dev
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/w1/slaves/w1_therm.c | 60 +++++++++++++------------------------------
+ 1 file changed, 19 insertions(+), 41 deletions(-)
+
+--- a/drivers/w1/slaves/w1_therm.c
++++ b/drivers/w1/slaves/w1_therm.c
+@@ -1836,53 +1836,35 @@ static ssize_t alarms_store(struct devic
+ struct w1_slave *sl = dev_to_w1_slave(device);
+ struct therm_info info;
+ u8 new_config_register[3]; /* array of data to be written */
+- int temp, ret;
+- char *token = NULL;
++ long long temp;
++ int ret = 0;
+ s8 tl, th; /* 1 byte per value + temp ring order */
+- char *p_args, *orig;
++ const char *p = buf;
++ char *endp;
+
+- p_args = orig = kmalloc(size, GFP_KERNEL);
+- /* Safe string copys as buf is const */
+- if (!p_args) {
+- dev_warn(device,
+- "%s: error unable to allocate memory %d\n",
+- __func__, -ENOMEM);
+- return size;
+- }
+- strcpy(p_args,
buf);
+-
+- /* Split string using space char */
+- token = strsep(&p_args, " ");
+-
+- if (!token) {
+- dev_info(device,
+- "%s: error parsing args %d\n", __func__, -EINVAL);
+- goto free_m;
+- }
+-
+- /* Convert 1st entry to int */
+- ret = kstrtoint (token, 10, &temp);
++ temp = simple_strtoll(p, &endp, 10);
++ if (p == endp || *endp != ' ')
++ ret = -EINVAL;
++ else if (temp < INT_MIN || temp > INT_MAX)
++ ret = -ERANGE;
+ if (ret) {
+ dev_info(device,
+ "%s: error parsing args %d\n", __func__, ret);
+- goto free_m;
++ return size;
+ }
+
+ tl = int_to_short(temp);
+
+- /* Split string using space char */
+- token = strsep(&p_args, " ");
+- if (!token) {
+- dev_info(device,
+- "%s: error parsing args %d\n", __func__, -EINVAL);
+- goto free_m;
+- }
+- /* Convert 2nd entry to int */
+- ret = kstrtoint (token, 10, &temp);
++ p = endp + 1;
++ temp = simple_strtoll(p, &endp, 10);
++ if (p == endp)
++ ret = -EINVAL;
++ else if (temp < INT_MIN || temp > INT_MAX)
++ ret = -ERANGE;
+ if (ret) {
+ dev_info(device,
+ "%s: error parsing args %d\n", __func__, ret);
+- goto free_m;
++ return size;
+ }
+
+ /* Prepare to cast to short by eliminating out of range values */
+@@ -1905,7 +1887,7 @@ static ssize_t alarms_store(struct devic
+ dev_info(device,
+ "%s: error reading from the slave device %d\n",
+ __func__, ret);
+- goto free_m;
++ return size;
+ }
+
+ /* Write data in the device RAM */
+@@ -1913,7 +1895,7 @@ static ssize_t alarms_store(struct devic
+ dev_info(device,
+ "%s: Device not supported by the driver %d\n",
+ __func__, -ENODEV);
+- goto free_m;
++ return size;
+ }
+
+ ret = SLAVE_SPECIFIC_FUNC(sl)->write_data(sl, new_config_register);
+@@ -1922,10 +1904,6 @@ static ssize_t alarms_store(struct devic
+ "%s: error writing to the slave device %d\n",
+ __func__, ret);
+
+-free_m:
+- /* free allocated memory */
+- kfree(orig);
+-
+ return size;
+ }
+
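Review bot: The second `simple_strtoll()` call in `alarms_store()` is validated only with `p == endp`, so any text after the second number is accepted, whereas the removed `kstrtoint()` rejected a token with trailing characters. I would check the terminator as well: `if (p == endp || (*endp != '\0' && *endp != '\n' && *endp != ' '))`. As far as I know `simple_strtoll()` does not report overflow, so an over-long digit string can wrap to a value that passes the `INT_MIN`/`INT_MAX` test; a comment noting that the later range clamp is the safety net would make that explicit. Every failure path still does `return size`, so a rejected write looks successful to user space; that predates this change but deserves a comment. The body of `alarms_store()` extends beyond these hunks.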