6.18-stable patches

added patches:
	comedi-pcl818-fix-null-ptr-deref-in-pcl818_ai_cancel.patch
	crypto-zstd-fix-double-free-in-per-cpu-stream-cleanup.patch
	documentation-process-also-mention-sasha-levin-as-stable-tree-maintainer.patch
	dt-bindings-serial-rsci-drop-uart-has-rtscts-false.patch
	ext4-add-i_data_sem-protection-in-ext4_destroy_inline_data_nolock.patch
	ext4-refresh-inline-data-size-before-write-operations.patch
	jbd2-avoid-bug_on-in-jbd2_journal_get_create_access-when-file-system-corrupted.patch
	ksmbd-ipc-fix-use-after-free-in-ipc_msg_send_request.patch
	kvm-svm-don-t-skip-unrelated-instruction-if-int3-into-is-replaced.patch
	locking-spinlock-debug-fix-data-race-in-do_raw_write_lock.patch
	rust_binder-fix-race-condition-on-death_list.patch
	serial-add-support-of-cpci-cards.patch
	serial-sh-sci-fix-deadlock-during-rsci-fifo-overrun-error.patch
	series
	usb-serial-belkin_sa-fix-tiocmbis-and-tiocmbic.patch
	usb-serial-ftdi_sio-match-on-interface-number-for-jtag.patch
	usb-serial-kobil_sct-fix-tiocmbis-and-tiocmbic.patch
	usb-serial-option-add-foxconn-t99w760.patch
	usb-serial-option-add-telit-cinterion-fe910c04-new-compositions.patch
	usb-serial-option-move-telit-0x10c7-composition-in-the-right-place.patch

diff --git a/queue-6.18/comedi-pcl818-fix-null-ptr-deref-in-pcl818_ai_cancel.patch b/queue-6.18/comedi-pcl818-fix-null-ptr-deref-in-pcl818_ai_cancel.patch
new file mode 100644 (file)
index 0000000..6afa022
--- /dev/null
+++ b/queue-6.18/comedi-pcl818-fix-null-ptr-deref-in-pcl818_ai_cancel.patch
@@ -0,0 +1,68 @@
+From a51f025b5038abd3d22eed2ede4cd46793d89565 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Thu, 23 Oct 2025 17:14:56 +0300
+Subject: comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+commit a51f025b5038abd3d22eed2ede4cd46793d89565 upstream.
+
+Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from
+the fact that in case of early device detach via pcl818_detach(),
+subdevice dev->read_subdev may not have initialized its pointer to
+&struct comedi_async as intended. Thus, any such dereferencing of
+&s->async->cmd will lead to general protection fault and kernel crash.
+
+Mitigate this problem by removing a call to pcl818_ai_cancel() from
+pcl818_detach() altogether. This way, if the subdevice setups its
+support for async commands, everything async-related will be
+handled via subdevice's own ->cancel() function in
+comedi_device_detach_locked() even before pcl818_detach(). If no
+support for asynchronous commands is provided, there is no need
+to cancel anything either.
+
+[1] Syzbot crash:
+Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
+CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
+RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
+...
+Call Trace:
+ <TASK>
+ pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115
+ comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207
+ do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]
+ comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:597 [inline]
+...
+
+Reported-by: syzbot+fce5d9d5bd067d6fbe9b@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=fce5d9d5bd067d6fbe9b
+Fixes: 00aba6e7b565 ("staging: comedi: pcl818: remove 'neverending_ai' from private data")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20251023141457.398685-1-n.zhandarovich@fintech.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/pcl818.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/comedi/drivers/pcl818.c
++++ b/drivers/comedi/drivers/pcl818.c
+@@ -1111,10 +1111,9 @@ static void pcl818_detach(struct comedi_
+ {
+       struct pcl818_private *devpriv = dev->private;
+ 
+-      if (devpriv) {
+-              pcl818_ai_cancel(dev, dev->read_subdev);
++      if (devpriv)
+               pcl818_reset(dev);
+-      }
++
+       pcl818_free_dma(dev);
+       comedi_legacy_detach(dev);
+ }

diff --git a/queue-6.18/crypto-zstd-fix-double-free-in-per-cpu-stream-cleanup.patch b/queue-6.18/crypto-zstd-fix-double-free-in-per-cpu-stream-cleanup.patch
new file mode 100644 (file)
index 0000000..7c944c5
--- /dev/null
+++ b/queue-6.18/crypto-zstd-fix-double-free-in-per-cpu-stream-cleanup.patch
@@ -0,0 +1,84 @@
+From 48bc9da3c97c15f1ea24934bcb3b736acd30163d Mon Sep 17 00:00:00 2001
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Date: Thu, 20 Nov 2025 16:26:09 +0000
+Subject: crypto: zstd - fix double-free in per-CPU stream cleanup
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+commit 48bc9da3c97c15f1ea24934bcb3b736acd30163d upstream.
+
+The crypto/zstd module has a double-free bug that occurs when multiple
+tfms are allocated and freed.
+
+The issue happens because zstd_streams (per-CPU contexts) are freed in
+zstd_exit() during every tfm destruction, rather than being managed at
+the module level.  When multiple tfms exist, each tfm exit attempts to
+free the same shared per-CPU streams, resulting in a double-free.
+
+This leads to a stack trace similar to:
+
+  BUG: Bad page state in process kworker/u16:1  pfn:106fd93
+  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fd93
+  flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
+  page_type: 0xffffffff()
+  raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000
+  raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+  page dumped because: nonzero entire_mapcount
+  Modules linked in: ...
+  CPU: 3 UID: 0 PID: 2506 Comm: kworker/u16:1 Kdump: loaded Tainted: G    B
+  Hardware name: ...
+  Workqueue: btrfs-delalloc btrfs_work_helper
+  Call Trace:
+   <TASK>
+   dump_stack_lvl+0x5d/0x80
+   bad_page+0x71/0xd0
+   free_unref_page_prepare+0x24e/0x490
+   free_unref_page+0x60/0x170
+   crypto_acomp_free_streams+0x5d/0xc0
+   crypto_acomp_exit_tfm+0x23/0x50
+   crypto_destroy_tfm+0x60/0xc0
+   ...
+
+Change the lifecycle management of zstd_streams to free the streams only
+once during module cleanup.
+
+Fixes: f5ad93ffb541 ("crypto: zstd - convert to acomp")
+Cc: stable@vger.kernel.org
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/zstd.c |    7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/crypto/zstd.c
++++ b/crypto/zstd.c
+@@ -75,11 +75,6 @@ static int zstd_init(struct crypto_acomp
+       return ret;
+ }
+ 
+-static void zstd_exit(struct crypto_acomp *acomp_tfm)
+-{
+-      crypto_acomp_free_streams(&zstd_streams);
+-}
+-
+ static int zstd_compress_one(struct acomp_req *req, struct zstd_ctx *ctx,
+                            const void *src, void *dst, unsigned int *dlen)
+ {
+@@ -297,7 +292,6 @@ static struct acomp_alg zstd_acomp = {
+               .cra_module = THIS_MODULE,
+       },
+       .init = zstd_init,
+-      .exit = zstd_exit,
+       .compress = zstd_compress,
+       .decompress = zstd_decompress,
+ };
+@@ -310,6 +304,7 @@ static int __init zstd_mod_init(void)
+ static void __exit zstd_mod_fini(void)
+ {
+       crypto_unregister_acomp(&zstd_acomp);
++      crypto_acomp_free_streams(&zstd_streams);
+ }
+ 
+ module_init(zstd_mod_init);

diff --git a/queue-6.18/documentation-process-also-mention-sasha-levin-as-stable-tree-maintainer.patch b/queue-6.18/documentation-process-also-mention-sasha-levin-as-stable-tree-maintainer.patch
new file mode 100644 (file)
index 0000000..1068d97
--- /dev/null
+++ b/queue-6.18/documentation-process-also-mention-sasha-levin-as-stable-tree-maintainer.patch
@@ -0,0 +1,39 @@
+From ba2457109d5b47a90fe565b39524f7225fc23e60 Mon Sep 17 00:00:00 2001
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+Date: Wed, 22 Oct 2025 10:43:35 +0700
+Subject: Documentation: process: Also mention Sasha Levin as stable tree maintainer
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+commit ba2457109d5b47a90fe565b39524f7225fc23e60 upstream.
+
+Sasha has also maintaining stable branch in conjunction with Greg
+since cb5d21946d2a2f ("MAINTAINERS: Add Sasha as a stable branch
+maintainer"). Mention him in 2.Process.rst.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Message-ID: <20251022034336.22839-1-bagasdotme@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/process/2.Process.rst |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/Documentation/process/2.Process.rst
++++ b/Documentation/process/2.Process.rst
+@@ -104,8 +104,10 @@ kernels go out with a handful of known r
+ of them are serious.
+ 
+ Once a stable release is made, its ongoing maintenance is passed off to the
+-"stable team," currently Greg Kroah-Hartman. The stable team will release
+-occasional updates to the stable release using the 5.x.y numbering scheme.
++"stable team," currently consists of Greg Kroah-Hartman and Sasha Levin. The
++stable team will release occasional updates to the stable release using the
++5.x.y numbering scheme.
++
+ To be considered for an update release, a patch must (1) fix a significant
+ bug, and (2) already be merged into the mainline for the next development
+ kernel. Kernels will typically receive stable updates for a little more

diff --git a/queue-6.18/dt-bindings-serial-rsci-drop-uart-has-rtscts-false.patch b/queue-6.18/dt-bindings-serial-rsci-drop-uart-has-rtscts-false.patch
new file mode 100644 (file)
index 0000000..e141a99
--- /dev/null
+++ b/queue-6.18/dt-bindings-serial-rsci-drop-uart-has-rtscts-false.patch
@@ -0,0 +1,34 @@
+From a6cdfd69ad38997108b862f9aafc547891506701 Mon Sep 17 00:00:00 2001
+From: Biju Das <biju.das.jz@bp.renesas.com>
+Date: Fri, 14 Nov 2025 10:13:46 +0000
+Subject: dt-bindings: serial: rsci: Drop "uart-has-rtscts: false"
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+commit a6cdfd69ad38997108b862f9aafc547891506701 upstream.
+
+Drop "uart-has-rtscts: false" from binding as the IP supports hardware
+flow control on all SoCs.
+
+Cc: stable@kernel.org
+Fixes: 25422e8f46c1 ("dt-bindings: serial: Add compatible for Renesas RZ/T2H SoC in sci")
+Acked-by: Conor Dooley <conor.dooley@microchip.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Link: https://patch.msgid.link/20251114101350.106699-2-biju.das.jz@bp.renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/serial/renesas,rsci.yaml |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/Documentation/devicetree/bindings/serial/renesas,rsci.yaml
++++ b/Documentation/devicetree/bindings/serial/renesas,rsci.yaml
+@@ -54,8 +54,6 @@ properties:
+   power-domains:
+     maxItems: 1
+ 
+-  uart-has-rtscts: false
+-
+ required:
+   - compatible
+   - reg

diff --git a/queue-6.18/ext4-add-i_data_sem-protection-in-ext4_destroy_inline_data_nolock.patch b/queue-6.18/ext4-add-i_data_sem-protection-in-ext4_destroy_inline_data_nolock.patch
new file mode 100644 (file)
index 0000000..83cba44
--- /dev/null
+++ b/queue-6.18/ext4-add-i_data_sem-protection-in-ext4_destroy_inline_data_nolock.patch
@@ -0,0 +1,88 @@
+From 0cd8feea8777f8d9b9a862b89c688b049a5c8475 Mon Sep 17 00:00:00 2001
+From: Alexey Nepomnyashih <sdl@nppct.ru>
+Date: Tue, 4 Nov 2025 09:33:25 +0000
+Subject: ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()
+
+From: Alexey Nepomnyashih <sdl@nppct.ru>
+
+commit 0cd8feea8777f8d9b9a862b89c688b049a5c8475 upstream.
+
+Fix a race between inline data destruction and block mapping.
+
+The function ext4_destroy_inline_data_nolock() changes the inode data
+layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS.
+At the same time, another thread may execute ext4_map_blocks(), which
+tests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks()
+or ext4_ind_map_blocks().
+
+Without i_data_sem protection, ext4_ind_map_blocks() may receive inode
+with EXT4_INODE_EXTENTS flag and triggering assert.
+
+kernel BUG at fs/ext4/indirect.c:546!
+EXT4-fs (loop2): unmounting filesystem.
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+RIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546
+
+Call Trace:
+ <TASK>
+ ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681
+ _ext4_get_block+0x242/0x590 fs/ext4/inode.c:822
+ ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124
+ ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255
+ ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000
+ generic_perform_write+0x259/0x5d0 mm/filemap.c:3846
+ ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285
+ ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679
+ call_write_iter include/linux/fs.h:2271 [inline]
+ do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735
+ do_iter_write+0x186/0x710 fs/read_write.c:861
+ vfs_iter_write+0x70/0xa0 fs/read_write.c:902
+ iter_file_splice_write+0x73b/0xc90 fs/splice.c:685
+ do_splice_from fs/splice.c:763 [inline]
+ direct_splice_actor+0x10f/0x170 fs/splice.c:950
+ splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896
+ do_splice_direct+0x1a9/0x280 fs/splice.c:1002
+ do_sendfile+0xb13/0x12c0 fs/read_write.c:1255
+ __do_sys_sendfile64 fs/read_write.c:1323 [inline]
+ __se_sys_sendfile64 fs/read_write.c:1309 [inline]
+ __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+Fixes: c755e251357a ("ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()")
+Cc: stable@vger.kernel.org # v4.11+
+Signed-off-by: Alexey Nepomnyashih <sdl@nppct.ru>
+Message-ID: <20251104093326.697381-1-sdl@nppct.ru>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/inline.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -451,9 +451,13 @@ static int ext4_destroy_inline_data_nolo
+       if (!ei->i_inline_off)
+               return 0;
+ 
++      down_write(&ei->i_data_sem);
++
+       error = ext4_get_inode_loc(inode, &is.iloc);
+-      if (error)
++      if (error) {
++              up_write(&ei->i_data_sem);
+               return error;
++      }
+ 
+       error = ext4_xattr_ibody_find(inode, &i, &is);
+       if (error)
+@@ -492,6 +496,7 @@ out:
+       brelse(is.iloc.bh);
+       if (error == -ENODATA)
+               error = 0;
++      up_write(&ei->i_data_sem);
+       return error;
+ }
+ 

diff --git a/queue-6.18/ext4-refresh-inline-data-size-before-write-operations.patch b/queue-6.18/ext4-refresh-inline-data-size-before-write-operations.patch
new file mode 100644 (file)
index 0000000..61a450d
--- /dev/null
+++ b/queue-6.18/ext4-refresh-inline-data-size-before-write-operations.patch
@@ -0,0 +1,67 @@
+From 892e1cf17555735e9d021ab036c36bc7b58b0e3b Mon Sep 17 00:00:00 2001
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+Date: Mon, 20 Oct 2025 11:39:36 +0530
+Subject: ext4: refresh inline data size before write operations
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+commit 892e1cf17555735e9d021ab036c36bc7b58b0e3b upstream.
+
+The cached ei->i_inline_size can become stale between the initial size
+check and when ext4_update_inline_data()/ext4_create_inline_data() use
+it. Although ext4_get_max_inline_size() reads the correct value at the
+time of the check, concurrent xattr operations can modify i_inline_size
+before ext4_write_lock_xattr() is acquired.
+
+This causes ext4_update_inline_data() and ext4_create_inline_data() to
+work with stale capacity values, leading to a BUG_ON() crash in
+ext4_write_inline_data():
+
+  kernel BUG at fs/ext4/inline.c:1331!
+  BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
+
+The race window:
+1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct)
+2. Size check passes for 50-byte write
+3. [Another thread adds xattr, i_inline_size changes to 40]
+4. ext4_write_lock_xattr() acquires lock
+5. ext4_update_inline_data() uses stale i_inline_size = 60
+6. Attempts to write 50 bytes but only 40 bytes actually available
+7. BUG_ON() triggers
+
+Fix this by recalculating i_inline_size via ext4_find_inline_data_nolock()
+immediately after acquiring xattr_sem. This ensures ext4_update_inline_data()
+and ext4_create_inline_data() work with current values that are protected
+from concurrent modifications.
+
+This is similar to commit a54c4613dac1 ("ext4: fix race writing to an
+inline_data file while its xattrs are changing") which fixed i_inline_off
+staleness. This patch addresses the related i_inline_size staleness issue.
+
+Reported-by: syzbot+f3185be57d7e8dda32b8@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=f3185be57d7e8dda32b8
+Cc: stable@kernel.org
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Message-ID: <20251020060936.474314-1-kartikey406@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/inline.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -418,7 +418,12 @@ static int ext4_prepare_inline_data(hand
+               return -ENOSPC;
+ 
+       ext4_write_lock_xattr(inode, &no_expand);
+-
++      /*
++       * ei->i_inline_size may have changed since the initial check
++       * if other xattrs were added. Recalculate to ensure
++       * ext4_update_inline_data() validates against current capacity.
++       */
++      (void) ext4_find_inline_data_nolock(inode);
+       if (ei->i_inline_off)
+               ret = ext4_update_inline_data(handle, inode, len);
+       else

diff --git a/queue-6.18/jbd2-avoid-bug_on-in-jbd2_journal_get_create_access-when-file-system-corrupted.patch b/queue-6.18/jbd2-avoid-bug_on-in-jbd2_journal_get_create_access-when-file-system-corrupted.patch
new file mode 100644 (file)
index 0000000..80e2ea9
--- /dev/null
+++ b/queue-6.18/jbd2-avoid-bug_on-in-jbd2_journal_get_create_access-when-file-system-corrupted.patch
@@ -0,0 +1,95 @@
+From 986835bf4d11032bba4ab8414d18fce038c61bb4 Mon Sep 17 00:00:00 2001
+From: Ye Bin <yebin10@huawei.com>
+Date: Sat, 25 Oct 2025 15:26:57 +0800
+Subject: jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
+
+From: Ye Bin <yebin10@huawei.com>
+
+commit 986835bf4d11032bba4ab8414d18fce038c61bb4 upstream.
+
+There's issue when file system corrupted:
+------------[ cut here ]------------
+kernel BUG at fs/jbd2/transaction.c:1289!
+Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
+CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next
+RIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0
+RSP: 0018:ffff888117aafa30 EFLAGS: 00010202
+RAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534
+RDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010
+RBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028
+R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000
+R13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0
+Call Trace:
+ <TASK>
+ __ext4_journal_get_create_access+0x42/0x170
+ ext4_getblk+0x319/0x6f0
+ ext4_bread+0x11/0x100
+ ext4_append+0x1e6/0x4a0
+ ext4_init_new_dir+0x145/0x1d0
+ ext4_mkdir+0x326/0x920
+ vfs_mkdir+0x45c/0x740
+ do_mkdirat+0x234/0x2f0
+ __x64_sys_mkdir+0xd6/0x120
+ do_syscall_64+0x5f/0xfa0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+The above issue occurs with us in errors=continue mode when accompanied by
+storage failures. There have been many inconsistencies in the file system
+data.
+In the case of file system data inconsistency, for example, if the block
+bitmap of a referenced block is not set, it can lead to the situation where
+a block being committed is allocated and used again. As a result, the
+following condition will not be satisfied then trigger BUG_ON. Of course,
+it is entirely possible to construct a problematic image that can trigger
+this BUG_ON through specific operations. In fact, I have constructed such
+an image and easily reproduced this issue.
+Therefore, J_ASSERT() holds true only under ideal conditions, but it may
+not necessarily be satisfied in exceptional scenarios. Using J_ASSERT()
+directly in abnormal situations would cause the system to crash, which is
+clearly not what we want. So here we directly trigger a JBD abort instead
+of immediately invoking BUG_ON.
+
+Fixes: 470decc613ab ("[PATCH] jbd2: initial copy of files from jbd")
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Message-ID: <20251025072657.307851-1-yebin@huaweicloud.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jbd2/transaction.c |   19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -1284,14 +1284,23 @@ int jbd2_journal_get_create_access(handl
+        * committing transaction's lists, but it HAS to be in Forget state in
+        * that case: the transaction must have deleted the buffer for it to be
+        * reused here.
++       * In the case of file system data inconsistency, for example, if the
++       * block bitmap of a referenced block is not set, it can lead to the
++       * situation where a block being committed is allocated and used again.
++       * As a result, the following condition will not be satisfied, so here
++       * we directly trigger a JBD abort instead of immediately invoking
++       * bugon.
+        */
+       spin_lock(&jh->b_state_lock);
+-      J_ASSERT_JH(jh, (jh->b_transaction == transaction ||
+-              jh->b_transaction == NULL ||
+-              (jh->b_transaction == journal->j_committing_transaction &&
+-                        jh->b_jlist == BJ_Forget)));
++      if (!(jh->b_transaction == transaction || jh->b_transaction == NULL ||
++            (jh->b_transaction == journal->j_committing_transaction &&
++             jh->b_jlist == BJ_Forget)) || jh->b_next_transaction != NULL) {
++              err = -EROFS;
++              spin_unlock(&jh->b_state_lock);
++              jbd2_journal_abort(journal, err);
++              goto out;
++      }
+ 
+-      J_ASSERT_JH(jh, jh->b_next_transaction == NULL);
+       J_ASSERT_JH(jh, buffer_locked(jh2bh(jh)));
+ 
+       if (jh->b_transaction == NULL) {

diff --git a/queue-6.18/ksmbd-ipc-fix-use-after-free-in-ipc_msg_send_request.patch b/queue-6.18/ksmbd-ipc-fix-use-after-free-in-ipc_msg_send_request.patch
new file mode 100644 (file)
index 0000000..3fa8877
--- /dev/null
+++ b/queue-6.18/ksmbd-ipc-fix-use-after-free-in-ipc_msg_send_request.patch
@@ -0,0 +1,80 @@
+From 1fab1fa091f5aa97265648b53ea031deedd26235 Mon Sep 17 00:00:00 2001
+From: Qianchang Zhao <pioooooooooip@gmail.com>
+Date: Wed, 26 Nov 2025 12:24:18 +0900
+Subject: ksmbd: ipc: fix use-after-free in ipc_msg_send_request
+
+From: Qianchang Zhao <pioooooooooip@gmail.com>
+
+commit 1fab1fa091f5aa97265648b53ea031deedd26235 upstream.
+
+ipc_msg_send_request() waits for a generic netlink reply using an
+ipc_msg_table_entry on the stack. The generic netlink handler
+(handle_generic_event()/handle_response()) fills entry->response under
+ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free
+entry->response without holding the same lock.
+
+Under high concurrency this allows a race where handle_response() is
+copying data into entry->response while ipc_msg_send_request() has just
+freed it, leading to a slab-use-after-free reported by KASAN in
+handle_generic_event():
+
+  BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]
+  Write of size 12 at addr ffff888198ee6e20 by task pool/109349
+  ...
+  Freed by task:
+    kvfree
+    ipc_msg_send_request [ksmbd]
+    ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd]
+
+Fix by:
+- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating
+  entry->response, freeing it when invalid, and removing the entry from
+  ipc_msg_table.
+- Returning the final entry->response pointer to the caller only after
+  the hash entry is removed under the lock.
+- Returning NULL in the error path, preserving the original API
+  semantics.
+
+This makes all accesses to entry->response consistent with
+handle_response(), which already updates and fills the response buffer
+under ipc_msg_table_lock, and closes the race that allowed the UAF.
+
+Cc: stable@vger.kernel.org
+Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
+Reported-by: Zhitong Liu <liuzhitong1993@gmail.com>
+Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/transport_ipc.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/transport_ipc.c
++++ b/fs/smb/server/transport_ipc.c
+@@ -553,12 +553,16 @@ static void *ipc_msg_send_request(struct
+       up_write(&ipc_msg_table_lock);
+ 
+       ret = ipc_msg_send(msg);
+-      if (ret)
++      if (ret) {
++              down_write(&ipc_msg_table_lock);
+               goto out;
++      }
+ 
+       ret = wait_event_interruptible_timeout(entry.wait,
+                                              entry.response != NULL,
+                                              IPC_WAIT_TIMEOUT);
++
++      down_write(&ipc_msg_table_lock);
+       if (entry.response) {
+               ret = ipc_validate_msg(&entry);
+               if (ret) {
+@@ -567,7 +571,6 @@ static void *ipc_msg_send_request(struct
+               }
+       }
+ out:
+-      down_write(&ipc_msg_table_lock);
+       hash_del(&entry.ipc_table_hlist);
+       up_write(&ipc_msg_table_lock);
+       return entry.response;

diff --git a/queue-6.18/kvm-svm-don-t-skip-unrelated-instruction-if-int3-into-is-replaced.patch b/queue-6.18/kvm-svm-don-t-skip-unrelated-instruction-if-int3-into-is-replaced.patch
new file mode 100644 (file)
index 0000000..c1f0502
--- /dev/null
+++ b/queue-6.18/kvm-svm-don-t-skip-unrelated-instruction-if-int3-into-is-replaced.patch
@@ -0,0 +1,198 @@
+From 4da3768e1820cf15cced390242d8789aed34f54d Mon Sep 17 00:00:00 2001
+From: Omar Sandoval <osandov@fb.com>
+Date: Tue, 4 Nov 2025 09:55:26 -0800
+Subject: KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced
+
+From: Omar Sandoval <osandov@fb.com>
+
+commit 4da3768e1820cf15cced390242d8789aed34f54d upstream.
+
+When re-injecting a soft interrupt from an INT3, INT0, or (select) INTn
+instruction, discard the exception and retry the instruction if the code
+stream is changed (e.g. by a different vCPU) between when the CPU
+executes the instruction and when KVM decodes the instruction to get the
+next RIP.
+
+As effectively predicted by commit 6ef88d6e36c2 ("KVM: SVM: Re-inject
+INT3/INTO instead of retrying the instruction"), failure to verify that
+the correct INTn instruction was decoded can effectively clobber guest
+state due to decoding the wrong instruction and thus specifying the
+wrong next RIP.
+
+The bug most often manifests as "Oops: int3" panics on static branch
+checks in Linux guests.  Enabling or disabling a static branch in Linux
+uses the kernel's "text poke" code patching mechanism.  To modify code
+while other CPUs may be executing that code, Linux (temporarily)
+replaces the first byte of the original instruction with an int3 (opcode
+0xcc), then patches in the new code stream except for the first byte,
+and finally replaces the int3 with the first byte of the new code
+stream.  If a CPU hits the int3, i.e. executes the code while it's being
+modified, then the guest kernel must look up the RIP to determine how to
+handle the #BP, e.g. by emulating the new instruction.  If the RIP is
+incorrect, then this lookup fails and the guest kernel panics.
+
+The bug reproduces almost instantly by hacking the guest kernel to
+repeatedly check a static branch[1] while running a drgn script[2] on
+the host to constantly swap out the memory containing the guest's TSS.
+
+[1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a
+[2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b
+
+Fixes: 6ef88d6e36c2 ("KVM: SVM: Re-inject INT3/INTO instead of retrying the instruction")
+Cc: stable@vger.kernel.org
+Co-developed-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Link: https://patch.msgid.link/1cc6dcdf36e3add7ee7c8d90ad58414eeb6c3d34.1762278762.git.osandov@fb.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/kvm_host.h |    9 +++++++++
+ arch/x86/kvm/svm/svm.c          |   24 +++++++++++++-----------
+ arch/x86/kvm/x86.c              |   21 +++++++++++++++++++++
+ 3 files changed, 43 insertions(+), 11 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -2143,6 +2143,11 @@ u64 vcpu_tsc_khz(struct kvm_vcpu *vcpu);
+  *                         the gfn, i.e. retrying the instruction will hit a
+  *                         !PRESENT fault, which results in a new shadow page
+  *                         and sends KVM back to square one.
++ *
++ * EMULTYPE_SKIP_SOFT_INT - Set in combination with EMULTYPE_SKIP to only skip
++ *                          an instruction if it could generate a given software
++ *                          interrupt, which must be encoded via
++ *                          EMULTYPE_SET_SOFT_INT_VECTOR().
+  */
+ #define EMULTYPE_NO_DECODE        (1 << 0)
+ #define EMULTYPE_TRAP_UD          (1 << 1)
+@@ -2153,6 +2158,10 @@ u64 vcpu_tsc_khz(struct kvm_vcpu *vcpu);
+ #define EMULTYPE_PF               (1 << 6)
+ #define EMULTYPE_COMPLETE_USER_EXIT (1 << 7)
+ #define EMULTYPE_WRITE_PF_TO_SP           (1 << 8)
++#define EMULTYPE_SKIP_SOFT_INT            (1 << 9)
++
++#define EMULTYPE_SET_SOFT_INT_VECTOR(v)       ((u32)((v) & 0xff) << 16)
++#define EMULTYPE_GET_SOFT_INT_VECTOR(e)       (((e) >> 16) & 0xff)
+ 
+ static inline bool kvm_can_emulate_event_vectoring(int emul_type)
+ {
+--- a/arch/x86/kvm/svm/svm.c
++++ b/arch/x86/kvm/svm/svm.c
+@@ -272,6 +272,7 @@ static void svm_set_interrupt_shadow(str
+ }
+ 
+ static int __svm_skip_emulated_instruction(struct kvm_vcpu *vcpu,
++                                         int emul_type,
+                                          bool commit_side_effects)
+ {
+       struct vcpu_svm *svm = to_svm(vcpu);
+@@ -293,7 +294,7 @@ static int __svm_skip_emulated_instructi
+               if (unlikely(!commit_side_effects))
+                       old_rflags = svm->vmcb->save.rflags;
+ 
+-              if (!kvm_emulate_instruction(vcpu, EMULTYPE_SKIP))
++              if (!kvm_emulate_instruction(vcpu, emul_type))
+                       return 0;
+ 
+               if (unlikely(!commit_side_effects))
+@@ -311,11 +312,13 @@ done:
+ 
+ static int svm_skip_emulated_instruction(struct kvm_vcpu *vcpu)
+ {
+-      return __svm_skip_emulated_instruction(vcpu, true);
++      return __svm_skip_emulated_instruction(vcpu, EMULTYPE_SKIP, true);
+ }
+ 
+-static int svm_update_soft_interrupt_rip(struct kvm_vcpu *vcpu)
++static int svm_update_soft_interrupt_rip(struct kvm_vcpu *vcpu, u8 vector)
+ {
++      const int emul_type = EMULTYPE_SKIP | EMULTYPE_SKIP_SOFT_INT |
++                            EMULTYPE_SET_SOFT_INT_VECTOR(vector);
+       unsigned long rip, old_rip = kvm_rip_read(vcpu);
+       struct vcpu_svm *svm = to_svm(vcpu);
+ 
+@@ -331,7 +334,7 @@ static int svm_update_soft_interrupt_rip
+        * in use, the skip must not commit any side effects such as clearing
+        * the interrupt shadow or RFLAGS.RF.
+        */
+-      if (!__svm_skip_emulated_instruction(vcpu, !nrips))
++      if (!__svm_skip_emulated_instruction(vcpu, emul_type, !nrips))
+               return -EIO;
+ 
+       rip = kvm_rip_read(vcpu);
+@@ -367,7 +370,7 @@ static void svm_inject_exception(struct
+       kvm_deliver_exception_payload(vcpu, ex);
+ 
+       if (kvm_exception_is_soft(ex->vector) &&
+-          svm_update_soft_interrupt_rip(vcpu))
++          svm_update_soft_interrupt_rip(vcpu, ex->vector))
+               return;
+ 
+       svm->vmcb->control.event_inj = ex->vector
+@@ -3633,11 +3636,12 @@ static bool svm_set_vnmi_pending(struct
+ 
+ static void svm_inject_irq(struct kvm_vcpu *vcpu, bool reinjected)
+ {
++      struct kvm_queued_interrupt *intr = &vcpu->arch.interrupt;
+       struct vcpu_svm *svm = to_svm(vcpu);
+       u32 type;
+ 
+-      if (vcpu->arch.interrupt.soft) {
+-              if (svm_update_soft_interrupt_rip(vcpu))
++      if (intr->soft) {
++              if (svm_update_soft_interrupt_rip(vcpu, intr->nr))
+                       return;
+ 
+               type = SVM_EVTINJ_TYPE_SOFT;
+@@ -3645,12 +3649,10 @@ static void svm_inject_irq(struct kvm_vc
+               type = SVM_EVTINJ_TYPE_INTR;
+       }
+ 
+-      trace_kvm_inj_virq(vcpu->arch.interrupt.nr,
+-                         vcpu->arch.interrupt.soft, reinjected);
++      trace_kvm_inj_virq(intr->nr, intr->soft, reinjected);
+       ++vcpu->stat.irq_injections;
+ 
+-      svm->vmcb->control.event_inj = vcpu->arch.interrupt.nr |
+-                                     SVM_EVTINJ_VALID | type;
++      svm->vmcb->control.event_inj = intr->nr | SVM_EVTINJ_VALID | type;
+ }
+ 
+ void svm_complete_interrupt_delivery(struct kvm_vcpu *vcpu, int delivery_mode,
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -9337,6 +9337,23 @@ static bool is_vmware_backdoor_opcode(st
+       return false;
+ }
+ 
++static bool is_soft_int_instruction(struct x86_emulate_ctxt *ctxt,
++                                  int emulation_type)
++{
++      u8 vector = EMULTYPE_GET_SOFT_INT_VECTOR(emulation_type);
++
++      switch (ctxt->b) {
++      case 0xcc:
++              return vector == BP_VECTOR;
++      case 0xcd:
++              return vector == ctxt->src.val;
++      case 0xce:
++              return vector == OF_VECTOR;
++      default:
++              return false;
++      }
++}
++
+ /*
+  * Decode an instruction for emulation.  The caller is responsible for handling
+  * code breakpoints.  Note, manually detecting code breakpoints is unnecessary
+@@ -9447,6 +9464,10 @@ int x86_emulate_instruction(struct kvm_v
+        * injecting single-step #DBs.
+        */
+       if (emulation_type & EMULTYPE_SKIP) {
++              if (emulation_type & EMULTYPE_SKIP_SOFT_INT &&
++                  !is_soft_int_instruction(ctxt, emulation_type))
++                      return 0;
++
+               if (ctxt->mode != X86EMUL_MODE_PROT64)
+                       ctxt->eip = (u32)ctxt->_eip;
+               else

diff --git a/queue-6.18/locking-spinlock-debug-fix-data-race-in-do_raw_write_lock.patch b/queue-6.18/locking-spinlock-debug-fix-data-race-in-do_raw_write_lock.patch
new file mode 100644 (file)
index 0000000..35369f3
--- /dev/null
+++ b/queue-6.18/locking-spinlock-debug-fix-data-race-in-do_raw_write_lock.patch
@@ -0,0 +1,65 @@
+From c14ecb555c3ee80eeb030a4e46d00e679537f03a Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Date: Fri, 19 Sep 2025 11:12:38 +0200
+Subject: locking/spinlock/debug: Fix data-race in do_raw_write_lock
+
+From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+
+commit c14ecb555c3ee80eeb030a4e46d00e679537f03a upstream.
+
+KCSAN reports:
+
+BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock
+
+write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1:
+ do_raw_write_lock+0x120/0x204
+ _raw_write_lock_irq
+ do_exit
+ call_usermodehelper_exec_async
+ ret_from_fork
+
+read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0:
+ do_raw_write_lock+0x88/0x204
+ _raw_write_lock_irq
+ do_exit
+ call_usermodehelper_exec_async
+ ret_from_fork
+
+value changed: 0xffffffff -> 0x00000001
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111
+
+Commit 1a365e822372 ("locking/spinlock/debug: Fix various data races") has
+adressed most of these races, but seems to be not consistent/not complete.
+
+>From do_raw_write_lock() only debug_write_lock_after() part has been
+converted to WRITE_ONCE(), but not debug_write_lock_before() part.
+Do it now.
+
+Fixes: 1a365e822372 ("locking/spinlock/debug: Fix various data races")
+Reported-by: Adrian Freihofer <adrian.freihofer@siemens.com>
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
+Acked-by: Waiman Long <longman@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/locking/spinlock_debug.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/locking/spinlock_debug.c
++++ b/kernel/locking/spinlock_debug.c
+@@ -184,8 +184,8 @@ void do_raw_read_unlock(rwlock_t *lock)
+ static inline void debug_write_lock_before(rwlock_t *lock)
+ {
+       RWLOCK_BUG_ON(lock->magic != RWLOCK_MAGIC, lock, "bad magic");
+-      RWLOCK_BUG_ON(lock->owner == current, lock, "recursion");
+-      RWLOCK_BUG_ON(lock->owner_cpu == raw_smp_processor_id(),
++      RWLOCK_BUG_ON(READ_ONCE(lock->owner) == current, lock, "recursion");
++      RWLOCK_BUG_ON(READ_ONCE(lock->owner_cpu) == raw_smp_processor_id(),
+                                                       lock, "cpu recursion");
+ }
+ 

diff --git a/queue-6.18/rust_binder-fix-race-condition-on-death_list.patch b/queue-6.18/rust_binder-fix-race-condition-on-death_list.patch
new file mode 100644 (file)
index 0000000..2c6c38c
--- /dev/null
+++ b/queue-6.18/rust_binder-fix-race-condition-on-death_list.patch
@@ -0,0 +1,113 @@
+From 3e0ae02ba831da2b707905f4e602e43f8507b8cc Mon Sep 17 00:00:00 2001
+From: Alice Ryhl <aliceryhl@google.com>
+Date: Tue, 11 Nov 2025 14:23:32 +0000
+Subject: rust_binder: fix race condition on death_list
+
+From: Alice Ryhl <aliceryhl@google.com>
+
+commit 3e0ae02ba831da2b707905f4e602e43f8507b8cc upstream.
+
+Rust Binder contains the following unsafe operation:
+
+       // SAFETY: A `NodeDeath` is never inserted into the death list
+       // of any node other than its owner, so it is either in this
+       // death list or in no death list.
+       unsafe { node_inner.death_list.remove(self) };
+
+This operation is unsafe because when touching the prev/next pointers of
+a list element, we have to ensure that no other thread is also touching
+them in parallel. If the node is present in the list that `remove` is
+called on, then that is fine because we have exclusive access to that
+list. If the node is not in any list, then it's also ok. But if it's
+present in a different list that may be accessed in parallel, then that
+may be a data race on the prev/next pointers.
+
+And unfortunately that is exactly what is happening here. In
+Node::release, we:
+
+ 1. Take the lock.
+ 2. Move all items to a local list on the stack.
+ 3. Drop the lock.
+ 4. Iterate the local list on the stack.
+
+Combined with threads using the unsafe remove method on the original
+list, this leads to memory corruption of the prev/next pointers. This
+leads to crashes like this one:
+
+       Unable to handle kernel paging request at virtual address 000bb9841bcac70e
+       Mem abort info:
+         ESR = 0x0000000096000044
+         EC = 0x25: DABT (current EL), IL = 32 bits
+         SET = 0, FnV = 0
+         EA = 0, S1PTW = 0
+         FSC = 0x04: level 0 translation fault
+       Data abort info:
+         ISV = 0, ISS = 0x00000044, ISS2 = 0x00000000
+         CM = 0, WnR = 1, TnD = 0, TagAccess = 0
+         GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+       [000bb9841bcac70e] address between user and kernel address ranges
+       Internal error: Oops: 0000000096000044 [#1] PREEMPT SMP
+       google-cdd 538c004.gcdd: context saved(CPU:1)
+       item - log_kevents is disabled
+       Modules linked in: ... rust_binder
+       CPU: 1 UID: 0 PID: 2092 Comm: kworker/1:178 Tainted: G S      W  OE      6.12.52-android16-5-g98debd5df505-4k #1 f94a6367396c5488d635708e43ee0c888d230b0b
+       Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
+       Hardware name: MUSTANG PVT 1.0 based on LGA (DT)
+       Workqueue: events _RNvXs6_NtCsdfZWD8DztAw_6kernel9workqueueINtNtNtB7_4sync3arc3ArcNtNtCs8QPsHWIn21X_16rust_binder_main7process7ProcessEINtB5_15WorkItemPointerKy0_E3runB13_ [rust_binder]
+       pstate: 23400005 (nzCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
+       pc : _RNvXs3_NtCs8QPsHWIn21X_16rust_binder_main7processNtB5_7ProcessNtNtCsdfZWD8DztAw_6kernel9workqueue8WorkItem3run+0x450/0x11f8 [rust_binder]
+       lr : _RNvXs3_NtCs8QPsHWIn21X_16rust_binder_main7processNtB5_7ProcessNtNtCsdfZWD8DztAw_6kernel9workqueue8WorkItem3run+0x464/0x11f8 [rust_binder]
+       sp : ffffffc09b433ac0
+       x29: ffffffc09b433d30 x28: ffffff8821690000 x27: ffffffd40cbaa448
+       x26: ffffff8821690000 x25: 00000000ffffffff x24: ffffff88d0376578
+       x23: 0000000000000001 x22: ffffffc09b433c78 x21: ffffff88e8f9bf40
+       x20: ffffff88e8f9bf40 x19: ffffff882692b000 x18: ffffffd40f10bf00
+       x17: 00000000c006287d x16: 00000000c006287d x15: 00000000000003b0
+       x14: 0000000000000100 x13: 000000201cb79ae0 x12: fffffffffffffff0
+       x11: 0000000000000000 x10: 0000000000000001 x9 : 0000000000000000
+       x8 : b80bb9841bcac706 x7 : 0000000000000001 x6 : fffffffebee63f30
+       x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
+       x2 : 0000000000004c31 x1 : ffffff88216900c0 x0 : ffffff88e8f9bf00
+       Call trace:
+        _RNvXs3_NtCs8QPsHWIn21X_16rust_binder_main7processNtB5_7ProcessNtNtCsdfZWD8DztAw_6kernel9workqueue8WorkItem3run+0x450/0x11f8 [rust_binder bbc172b53665bbc815363b22e97e3f7e3fe971fc]
+        process_scheduled_works+0x1c4/0x45c
+        worker_thread+0x32c/0x3e8
+        kthread+0x11c/0x1c8
+        ret_from_fork+0x10/0x20
+       Code: 94218d85 b4000155 a94026a8 d10102a0 (f9000509)
+       ---[ end trace 0000000000000000 ]---
+
+Thus, modify Node::release to pop items directly off the original list.
+
+Cc: stable@vger.kernel.org
+Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
+Signed-off-by: Alice Ryhl <aliceryhl@google.com>
+Acked-by: Miguel Ojeda <ojeda@kernel.org>
+Link: https://patch.msgid.link/20251111-binder-fix-list-remove-v1-1-8ed14a0da63d@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder/node.rs | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/android/binder/node.rs b/drivers/android/binder/node.rs
+index 08d362deaf61..c26d113ede96 100644
+--- a/drivers/android/binder/node.rs
++++ b/drivers/android/binder/node.rs
+@@ -541,10 +541,10 @@ pub(crate) fn release(&self) {
+             guard = self.owner.inner.lock();
+         }
+ 
+-        let death_list = core::mem::take(&mut self.inner.access_mut(&mut guard).death_list);
+-        drop(guard);
+-        for death in death_list {
++        while let Some(death) = self.inner.access_mut(&mut guard).death_list.pop_front() {
++            drop(guard);
+             death.into_arc().set_dead();
++            guard = self.owner.inner.lock();
+         }
+     }
+ 
+-- 
+2.52.0
+

diff --git a/queue-6.18/serial-add-support-of-cpci-cards.patch b/queue-6.18/serial-add-support-of-cpci-cards.patch
new file mode 100644 (file)
index 0000000..ca57e81
--- /dev/null
+++ b/queue-6.18/serial-add-support-of-cpci-cards.patch
@@ -0,0 +1,74 @@
+From 0e5a99e0e5f50353b86939ff6e424800d769c818 Mon Sep 17 00:00:00 2001
+From: Magne Bruno <magne.bruno@addi-data.com>
+Date: Mon, 10 Nov 2025 17:24:56 +0100
+Subject: serial: add support of CPCI cards
+
+From: Magne Bruno <magne.bruno@addi-data.com>
+
+commit 0e5a99e0e5f50353b86939ff6e424800d769c818 upstream.
+
+Addi-Data GmbH is manufacturing multi-serial ports cards supporting CompactPCI (known as CPCI).
+Those cards are identified with different DeviceIds. Those cards integrating standard UARTs
+work the same way as PCI/PCIe models already supported in the serial driver.
+
+Signed-off-by: Magne Bruno <magne.bruno@addi-data.com>
+Link: https://patch.msgid.link/20251110162456.341029-1-magne.bruno@addi-data.com
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_pci.c |   37 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -95,6 +95,11 @@
+ #define PCI_DEVICE_ID_MOXA_CP138E_A   0x1381
+ #define PCI_DEVICE_ID_MOXA_CP168EL_A  0x1683
+ 
++#define PCI_DEVICE_ID_ADDIDATA_CPCI7500        0x7003
++#define PCI_DEVICE_ID_ADDIDATA_CPCI7500_NG     0x7024
++#define PCI_DEVICE_ID_ADDIDATA_CPCI7420_NG     0x7025
++#define PCI_DEVICE_ID_ADDIDATA_CPCI7300_NG     0x7026
++
+ /* Unknown vendors/cards - this should not be in linux/pci_ids.h */
+ #define PCI_SUBDEVICE_ID_UNKNOWN_0x1584       0x1584
+ #define PCI_SUBDEVICE_ID_UNKNOWN_0x1588       0x1588
+@@ -5996,6 +6001,38 @@ static const struct pci_device_id serial
+               0,
+               pbn_ADDIDATA_PCIe_8_3906250 },
+ 
++      {       PCI_VENDOR_ID_ADDIDATA,
++              PCI_DEVICE_ID_ADDIDATA_CPCI7500,
++              PCI_ANY_ID,
++              PCI_ANY_ID,
++              0,
++              0,
++              pbn_b0_4_115200 },
++
++      {       PCI_VENDOR_ID_ADDIDATA,
++              PCI_DEVICE_ID_ADDIDATA_CPCI7500_NG,
++              PCI_ANY_ID,
++              PCI_ANY_ID,
++              0,
++              0,
++              pbn_b0_4_115200 },
++
++      {       PCI_VENDOR_ID_ADDIDATA,
++              PCI_DEVICE_ID_ADDIDATA_CPCI7420_NG,
++              PCI_ANY_ID,
++              PCI_ANY_ID,
++              0,
++              0,
++              pbn_b0_2_115200 },
++
++      {       PCI_VENDOR_ID_ADDIDATA,
++              PCI_DEVICE_ID_ADDIDATA_CPCI7300_NG,
++              PCI_ANY_ID,
++              PCI_ANY_ID,
++              0,
++              0,
++              pbn_b0_1_115200 },
++
+       {       PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9835,
+               PCI_VENDOR_ID_IBM, 0x0299,
+               0, 0, pbn_b0_bt_2_115200 },

diff --git a/queue-6.18/serial-sh-sci-fix-deadlock-during-rsci-fifo-overrun-error.patch b/queue-6.18/serial-sh-sci-fix-deadlock-during-rsci-fifo-overrun-error.patch
new file mode 100644 (file)
index 0000000..7449f4f
--- /dev/null
+++ b/queue-6.18/serial-sh-sci-fix-deadlock-during-rsci-fifo-overrun-error.patch
@@ -0,0 +1,43 @@
+From 75a9f4c54770f062f4b3813a83667452b326dda3 Mon Sep 17 00:00:00 2001
+From: Biju Das <biju.das.jz@bp.renesas.com>
+Date: Fri, 14 Nov 2025 10:13:47 +0000
+Subject: serial: sh-sci: Fix deadlock during RSCI FIFO overrun error
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+commit 75a9f4c54770f062f4b3813a83667452b326dda3 upstream.
+
+On RSCI IP, a deadlock occurs during a FIFO overrun error, as it uses a
+different register to clear the FIFO overrun error status.
+
+Cc: stable@kernel.org
+Fixes: 0666e3fe95ab ("serial: sh-sci: Add support for RZ/T2H SCI")
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/20251114101350.106699-3-biju.das.jz@bp.renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/sh-sci.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -1024,8 +1024,16 @@ static int sci_handle_fifo_overrun(struc
+ 
+       status = s->ops->read_reg(port, s->params->overrun_reg);
+       if (status & s->params->overrun_mask) {
+-              status &= ~s->params->overrun_mask;
+-              s->ops->write_reg(port, s->params->overrun_reg, status);
++              if (s->type == SCI_PORT_RSCI) {
++                      /*
++                       * All of the CFCLR_*C clearing bits match the corresponding
++                       * CSR_*status bits. So, reuse the overrun mask for clearing.
++                       */
++                      s->ops->clear_SCxSR(port, s->params->overrun_mask);
++              } else {
++                      status &= ~s->params->overrun_mask;
++                      s->ops->write_reg(port, s->params->overrun_reg, status);
++              }
+ 
+               port->icount.overrun++;
+ 

diff --git a/queue-6.18/series b/queue-6.18/series
new file mode 100644 (file)
index 0000000..6f51004
--- /dev/null
+++ b/queue-6.18/series
@@ -0,0 +1,19 @@
+documentation-process-also-mention-sasha-levin-as-stable-tree-maintainer.patch
+jbd2-avoid-bug_on-in-jbd2_journal_get_create_access-when-file-system-corrupted.patch
+ext4-refresh-inline-data-size-before-write-operations.patch
+ksmbd-ipc-fix-use-after-free-in-ipc_msg_send_request.patch
+locking-spinlock-debug-fix-data-race-in-do_raw_write_lock.patch
+crypto-zstd-fix-double-free-in-per-cpu-stream-cleanup.patch
+ext4-add-i_data_sem-protection-in-ext4_destroy_inline_data_nolock.patch
+rust_binder-fix-race-condition-on-death_list.patch
+comedi-pcl818-fix-null-ptr-deref-in-pcl818_ai_cancel.patch
+kvm-svm-don-t-skip-unrelated-instruction-if-int3-into-is-replaced.patch
+usb-serial-option-add-foxconn-t99w760.patch
+usb-serial-option-add-telit-cinterion-fe910c04-new-compositions.patch
+usb-serial-option-move-telit-0x10c7-composition-in-the-right-place.patch
+usb-serial-ftdi_sio-match-on-interface-number-for-jtag.patch
+serial-add-support-of-cpci-cards.patch
+dt-bindings-serial-rsci-drop-uart-has-rtscts-false.patch
+serial-sh-sci-fix-deadlock-during-rsci-fifo-overrun-error.patch
+usb-serial-belkin_sa-fix-tiocmbis-and-tiocmbic.patch
+usb-serial-kobil_sct-fix-tiocmbis-and-tiocmbic.patch

diff --git a/queue-6.18/usb-serial-belkin_sa-fix-tiocmbis-and-tiocmbic.patch b/queue-6.18/usb-serial-belkin_sa-fix-tiocmbis-and-tiocmbic.patch
new file mode 100644 (file)
index 0000000..e873c84
--- /dev/null
+++ b/queue-6.18/usb-serial-belkin_sa-fix-tiocmbis-and-tiocmbic.patch
@@ -0,0 +1,78 @@
+From b6e0b3016187446ddef9edac03cd9d544ac63f11 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 22 Oct 2025 17:26:33 +0200
+Subject: USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b6e0b3016187446ddef9edac03cd9d544ac63f11 upstream.
+
+Asserting or deasserting a modem control line using TIOCMBIS or TIOCMBIC
+should not deassert any lines that are not in the mask.
+
+Fix this long-standing regression dating back to 2003 when the
+tiocmset() callback was introduced.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/belkin_sa.c |   28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/serial/belkin_sa.c
++++ b/drivers/usb/serial/belkin_sa.c
+@@ -435,7 +435,7 @@ static int belkin_sa_tiocmset(struct tty
+       struct belkin_sa_private *priv = usb_get_serial_port_data(port);
+       unsigned long control_state;
+       unsigned long flags;
+-      int retval;
++      int retval = 0;
+       int rts = 0;
+       int dtr = 0;
+ 
+@@ -452,26 +452,32 @@ static int belkin_sa_tiocmset(struct tty
+       }
+       if (clear & TIOCM_RTS) {
+               control_state &= ~TIOCM_RTS;
+-              rts = 0;
++              rts = 1;
+       }
+       if (clear & TIOCM_DTR) {
+               control_state &= ~TIOCM_DTR;
+-              dtr = 0;
++              dtr = 1;
+       }
+ 
+       priv->control_state = control_state;
+       spin_unlock_irqrestore(&priv->lock, flags);
+ 
+-      retval = BSA_USB_CMD(BELKIN_SA_SET_RTS_REQUEST, rts);
+-      if (retval < 0) {
+-              dev_err(&port->dev, "Set RTS error %d\n", retval);
+-              goto exit;
++      if (rts) {
++              retval = BSA_USB_CMD(BELKIN_SA_SET_RTS_REQUEST,
++                                      !!(control_state & TIOCM_RTS));
++              if (retval < 0) {
++                      dev_err(&port->dev, "Set RTS error %d\n", retval);
++                      goto exit;
++              }
+       }
+ 
+-      retval = BSA_USB_CMD(BELKIN_SA_SET_DTR_REQUEST, dtr);
+-      if (retval < 0) {
+-              dev_err(&port->dev, "Set DTR error %d\n", retval);
+-              goto exit;
++      if (dtr) {
++              retval = BSA_USB_CMD(BELKIN_SA_SET_DTR_REQUEST,
++                                      !!(control_state & TIOCM_DTR));
++              if (retval < 0) {
++                      dev_err(&port->dev, "Set DTR error %d\n", retval);
++                      goto exit;
++              }
+       }
+ exit:
+       return retval;

diff --git a/queue-6.18/usb-serial-ftdi_sio-match-on-interface-number-for-jtag.patch b/queue-6.18/usb-serial-ftdi_sio-match-on-interface-number-for-jtag.patch
new file mode 100644 (file)
index 0000000..108dd08
--- /dev/null
+++ b/queue-6.18/usb-serial-ftdi_sio-match-on-interface-number-for-jtag.patch
@@ -0,0 +1,176 @@
+From 4e31a5d0a9ee672f708fc993c1d5520643f769fd Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 10 Nov 2025 12:12:05 +0100
+Subject: USB: serial: ftdi_sio: match on interface number for jtag
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 4e31a5d0a9ee672f708fc993c1d5520643f769fd upstream.
+
+Some FTDI devices have the first port reserved for JTAG and have been
+using a dedicated quirk to prevent binding to it.
+
+As can be inferred directly or indirectly from the commit messages,
+almost all of these devices are dual port devices which means that the
+more recently added macro for matching on interface number can be used
+instead (and some such devices do so already).
+
+This avoids probing interfaces that will never be bound and cleans up
+the match table somewhat.
+
+Note that the JTAG quirk is kept for quad port devices, which would
+otherwise require three match entries.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/ftdi_sio.c |   72 ++++++++++++++----------------------------
+ 1 file changed, 24 insertions(+), 48 deletions(-)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -628,10 +628,8 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(FTDI_VID, FTDI_IBS_PEDO_PID) },
+       { USB_DEVICE(FTDI_VID, FTDI_IBS_PROD_PID) },
+       { USB_DEVICE(FTDI_VID, FTDI_TAVIR_STK500_PID) },
+-      { USB_DEVICE(FTDI_VID, FTDI_TIAO_UMPA_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+-      { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLXM_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++      { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_TIAO_UMPA_PID, 1) },
++      { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_NT_ORIONLXM_PID, 1) },
+       { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLX_PLUS_PID) },
+       { USB_DEVICE(FTDI_VID, FTDI_NT_ORION_IO_PID) },
+       { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONMX_PID) },
+@@ -842,24 +840,17 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(FTDI_VID, FTDI_ELSTER_UNICOM_PID) },
+       { USB_DEVICE(FTDI_VID, FTDI_PROPOX_JTAGCABLEII_PID) },
+       { USB_DEVICE(FTDI_VID, FTDI_PROPOX_ISPCABLEIII_PID) },
+-      { USB_DEVICE(FTDI_VID, CYBER_CORTEX_AV_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++      { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, CYBER_CORTEX_AV_PID, 1) },
+       { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_OCD_PID, 1) },
+       { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_OCD_H_PID, 1) },
+       { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_TINY_PID, 1) },
+       { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_TINY_H_PID, 1) },
+-      { USB_DEVICE(FIC_VID, FIC_NEO1973_DEBUG_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+-      { USB_DEVICE(FTDI_VID, FTDI_OOCDLINK_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+-      { USB_DEVICE(FTDI_VID, LMI_LM3S_DEVEL_BOARD_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+-      { USB_DEVICE(FTDI_VID, LMI_LM3S_EVAL_BOARD_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+-      { USB_DEVICE(FTDI_VID, LMI_LM3S_ICDI_BOARD_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+-      { USB_DEVICE(FTDI_VID, FTDI_TURTELIZER_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++      { USB_DEVICE_INTERFACE_NUMBER(FIC_VID, FIC_NEO1973_DEBUG_PID, 1) },
++      { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_OOCDLINK_PID, 1) },
++      { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, LMI_LM3S_DEVEL_BOARD_PID, 1) },
++      { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, LMI_LM3S_EVAL_BOARD_PID, 1) },
++      { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, LMI_LM3S_ICDI_BOARD_PID, 1) },
++      { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_TURTELIZER_PID, 1) },
+       { USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_USB60F) },
+       { USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_SCU18) },
+       { USB_DEVICE(FTDI_VID, FTDI_REU_TINY_PID) },
+@@ -901,17 +892,14 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(ATMEL_VID, STK541_PID) },
+       { USB_DEVICE(DE_VID, STB_PID) },
+       { USB_DEVICE(DE_VID, WHT_PID) },
+-      { USB_DEVICE(ADI_VID, ADI_GNICE_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+-      { USB_DEVICE(ADI_VID, ADI_GNICEPLUS_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++      { USB_DEVICE_INTERFACE_NUMBER(ADI_VID, ADI_GNICE_PID, 1) },
++      { USB_DEVICE_INTERFACE_NUMBER(ADI_VID, ADI_GNICEPLUS_PID, 1) },
+       { USB_DEVICE_AND_INTERFACE_INFO(MICROCHIP_VID, MICROCHIP_USB_BOARD_PID,
+                                       USB_CLASS_VENDOR_SPEC,
+                                       USB_SUBCLASS_VENDOR_SPEC, 0x00) },
+       { USB_DEVICE_INTERFACE_NUMBER(ACTEL_VID, MICROSEMI_ARROW_SF2PLUS_BOARD_PID, 2) },
+       { USB_DEVICE(JETI_VID, JETI_SPC1201_PID) },
+-      { USB_DEVICE(MARVELL_VID, MARVELL_SHEEVAPLUG_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++      { USB_DEVICE_INTERFACE_NUMBER(MARVELL_VID, MARVELL_SHEEVAPLUG_PID, 1) },
+       { USB_DEVICE(LARSENBRUSGAARD_VID, LB_ALTITRACK_PID) },
+       { USB_DEVICE(GN_OTOMETRICS_VID, AURICAL_USB_PID) },
+       { USB_DEVICE(FTDI_VID, PI_C865_PID) },
+@@ -934,10 +922,8 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(PI_VID, PI_1016_PID) },
+       { USB_DEVICE(KONDO_VID, KONDO_USB_SERIAL_PID) },
+       { USB_DEVICE(BAYER_VID, BAYER_CONTOUR_CABLE_PID) },
+-      { USB_DEVICE(FTDI_VID, MARVELL_OPENRD_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+-      { USB_DEVICE(FTDI_VID, TI_XDS100V2_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++      { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, MARVELL_OPENRD_PID, 1) },
++      { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, TI_XDS100V2_PID, 1) },
+       { USB_DEVICE(FTDI_VID, HAMEG_HO820_PID) },
+       { USB_DEVICE(FTDI_VID, HAMEG_HO720_PID) },
+       { USB_DEVICE(FTDI_VID, HAMEG_HO730_PID) },
+@@ -946,18 +932,14 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(FTDI_VID, MJSG_SR_RADIO_PID) },
+       { USB_DEVICE(FTDI_VID, MJSG_HD_RADIO_PID) },
+       { USB_DEVICE(FTDI_VID, MJSG_XM_RADIO_PID) },
+-      { USB_DEVICE(FTDI_VID, XVERVE_SIGNALYZER_ST_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+-      { USB_DEVICE(FTDI_VID, XVERVE_SIGNALYZER_SLITE_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+-      { USB_DEVICE(FTDI_VID, XVERVE_SIGNALYZER_SH2_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++      { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, XVERVE_SIGNALYZER_ST_PID, 1) },
++      { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, XVERVE_SIGNALYZER_SLITE_PID, 1) },
++      { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, XVERVE_SIGNALYZER_SH2_PID, 1) },
+       { USB_DEVICE(FTDI_VID, XVERVE_SIGNALYZER_SH4_PID),
+               .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+       { USB_DEVICE(FTDI_VID, SEGWAY_RMP200_PID) },
+       { USB_DEVICE(FTDI_VID, ACCESIO_COM4SM_PID) },
+-      { USB_DEVICE(IONICS_VID, IONICS_PLUGCOMPUTER_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++      { USB_DEVICE_INTERFACE_NUMBER(IONICS_VID, IONICS_PLUGCOMPUTER_PID, 1) },
+       { USB_DEVICE(FTDI_VID, FTDI_CHAMSYS_24_MASTER_WING_PID) },
+       { USB_DEVICE(FTDI_VID, FTDI_CHAMSYS_PC_WING_PID) },
+       { USB_DEVICE(FTDI_VID, FTDI_CHAMSYS_USB_DMX_PID) },
+@@ -972,15 +954,12 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(FTDI_VID, FTDI_CINTERION_MC55I_PID) },
+       { USB_DEVICE(FTDI_VID, FTDI_FHE_PID) },
+       { USB_DEVICE(FTDI_VID, FTDI_DOTEC_PID) },
+-      { USB_DEVICE(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+-      { USB_DEVICE(ST_VID, ST_STMCLT_2232_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++      { USB_DEVICE_INTERFACE_NUMBER(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID, 1) },
++      { USB_DEVICE_INTERFACE_NUMBER(ST_VID, ST_STMCLT_2232_PID, 1) },
+       { USB_DEVICE(ST_VID, ST_STMCLT_4232_PID),
+               .driver_info = (kernel_ulong_t)&ftdi_stmclite_quirk },
+       { USB_DEVICE(FTDI_VID, FTDI_RF_R106) },
+-      { USB_DEVICE(FTDI_VID, FTDI_DISTORTEC_JTAG_LOCK_PICK_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++      { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_DISTORTEC_JTAG_LOCK_PICK_PID, 1) },
+       { USB_DEVICE(FTDI_VID, FTDI_LUMEL_PD12_PID) },
+       /* Crucible Devices */
+       { USB_DEVICE(FTDI_VID, FTDI_CT_COMET_PID) },
+@@ -1055,8 +1034,7 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) },
+       { USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) },
+       { USB_DEVICE(WICED_VID, WICED_USB20706V2_PID) },
+-      { USB_DEVICE(TI_VID, TI_CC3200_LAUNCHPAD_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++      { USB_DEVICE_INTERFACE_NUMBER(TI_VID, TI_CC3200_LAUNCHPAD_PID, 1) },
+       { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_BT_USB_PID) },
+       { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_WL_USB_PID) },
+       { USB_DEVICE(AIRBUS_DS_VID, AIRBUS_DS_P8GR) },
+@@ -1076,10 +1054,8 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ODIN_PID) },
+       { USB_DEVICE_INTERFACE_NUMBER(UBLOX_VID, UBLOX_EVK_M101_PID, 2) },
+       /* FreeCalypso USB adapters */
+-      { USB_DEVICE(FTDI_VID, FTDI_FALCONIA_JTAG_BUF_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+-      { USB_DEVICE(FTDI_VID, FTDI_FALCONIA_JTAG_UNBUF_PID),
+-              .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++      { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_FALCONIA_JTAG_BUF_PID, 1) },
++      { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_FALCONIA_JTAG_UNBUF_PID, 1) },
+       /* GMC devices */
+       { USB_DEVICE(GMC_VID, GMC_Z216C_PID) },
+       /* Altera USB Blaster 3 */

diff --git a/queue-6.18/usb-serial-kobil_sct-fix-tiocmbis-and-tiocmbic.patch b/queue-6.18/usb-serial-kobil_sct-fix-tiocmbis-and-tiocmbic.patch
new file mode 100644 (file)
index 0000000..cdf2371
--- /dev/null
+++ b/queue-6.18/usb-serial-kobil_sct-fix-tiocmbis-and-tiocmbic.patch
@@ -0,0 +1,78 @@
+From d432df758f92c4c28aac409bc807fd1716167577 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 22 Oct 2025 17:26:34 +0200
+Subject: USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC
+
+From: Johan Hovold <johan@kernel.org>
+
+commit d432df758f92c4c28aac409bc807fd1716167577 upstream.
+
+Asserting or deasserting a modem control line using TIOCMBIS or TIOCMBIC
+should not deassert any lines that are not in the mask.
+
+Fix this long-standing issue dating back to 2003 when the support for
+these ioctls was added with the introduction of the tiocmset() callback.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/kobil_sct.c |   18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/usb/serial/kobil_sct.c
++++ b/drivers/usb/serial/kobil_sct.c
+@@ -418,7 +418,7 @@ static int kobil_tiocmset(struct tty_str
+       struct usb_serial_port *port = tty->driver_data;
+       struct device *dev = &port->dev;
+       struct kobil_private *priv;
+-      int result;
++      int result = 0;
+       int dtr = 0;
+       int rts = 0;
+ 
+@@ -435,12 +435,12 @@ static int kobil_tiocmset(struct tty_str
+       if (set & TIOCM_DTR)
+               dtr = 1;
+       if (clear & TIOCM_RTS)
+-              rts = 0;
++              rts = 1;
+       if (clear & TIOCM_DTR)
+-              dtr = 0;
++              dtr = 1;
+ 
+-      if (priv->device_type == KOBIL_ADAPTER_B_PRODUCT_ID) {
+-              if (dtr != 0)
++      if (dtr && priv->device_type == KOBIL_ADAPTER_B_PRODUCT_ID) {
++              if (set & TIOCM_DTR)
+                       dev_dbg(dev, "%s - Setting DTR\n", __func__);
+               else
+                       dev_dbg(dev, "%s - Clearing DTR\n", __func__);
+@@ -448,13 +448,13 @@ static int kobil_tiocmset(struct tty_str
+                         usb_sndctrlpipe(port->serial->dev, 0),
+                         SUSBCRequest_SetStatusLinesOrQueues,
+                         USB_TYPE_VENDOR | USB_RECIP_ENDPOINT | USB_DIR_OUT,
+-                        ((dtr != 0) ? SUSBCR_SSL_SETDTR : SUSBCR_SSL_CLRDTR),
++                        ((set & TIOCM_DTR) ? SUSBCR_SSL_SETDTR : SUSBCR_SSL_CLRDTR),
+                         0,
+                         NULL,
+                         0,
+                         KOBIL_TIMEOUT);
+-      } else {
+-              if (rts != 0)
++      } else if (rts) {
++              if (set & TIOCM_RTS)
+                       dev_dbg(dev, "%s - Setting RTS\n", __func__);
+               else
+                       dev_dbg(dev, "%s - Clearing RTS\n", __func__);
+@@ -462,7 +462,7 @@ static int kobil_tiocmset(struct tty_str
+                       usb_sndctrlpipe(port->serial->dev, 0),
+                       SUSBCRequest_SetStatusLinesOrQueues,
+                       USB_TYPE_VENDOR | USB_RECIP_ENDPOINT | USB_DIR_OUT,
+-                      ((rts != 0) ? SUSBCR_SSL_SETRTS : SUSBCR_SSL_CLRRTS),
++                      ((set & TIOCM_RTS) ? SUSBCR_SSL_SETRTS : SUSBCR_SSL_CLRRTS),
+                       0,
+                       NULL,
+                       0,

diff --git a/queue-6.18/usb-serial-option-add-foxconn-t99w760.patch b/queue-6.18/usb-serial-option-add-foxconn-t99w760.patch
new file mode 100644 (file)
index 0000000..c20f882
--- /dev/null
+++ b/queue-6.18/usb-serial-option-add-foxconn-t99w760.patch
@@ -0,0 +1,60 @@
+From 7970b4969c4c99bcdaf105f9f39c6d2021f6d244 Mon Sep 17 00:00:00 2001
+From: Slark Xiao <slark_xiao@163.com>
+Date: Tue, 18 Nov 2025 14:45:28 +0800
+Subject: USB: serial: option: add Foxconn T99W760
+
+From: Slark Xiao <slark_xiao@163.com>
+
+commit 7970b4969c4c99bcdaf105f9f39c6d2021f6d244 upstream.
+
+T99W760 is designed based on Qualcomm SDX35 (5G redcap) chip. There are
+three serial ports to be enumerated: Modem, NMEA and Diag.
+
+test evidence as below:
+T:  Bus=03 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=5000  MxCh= 0
+D:  Ver= 3.20 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
+P:  Vendor=0489 ProdID=e123 Rev=05.15
+S:  Manufacturer=QCOM
+S:  Product=SDXBAAGHA-IDP _SN:39A8D3E4
+S:  SerialNumber=39a8d3e4
+C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=896mA
+I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
+E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
+I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+E:  Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E:  Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+E:  Ad=85(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
+I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E:  Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E:  Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=88(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+
+0&1: MBIM, 2:Modem, 3:GNSS(non-serial port), 4: NMEA, 5:Diag
+
+Signed-off-by: Slark Xiao <slark_xiao@163.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -2376,6 +2376,8 @@ static const struct usb_device_id option
+         .driver_info = RSVD(3) },
+       { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe0f0, 0xff),                     /* Foxconn T99W373 MBIM */
+         .driver_info = RSVD(3) },
++      { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe123, 0xff),                     /* Foxconn T99W760 MBIM */
++        .driver_info = RSVD(3) },
+       { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe145, 0xff),                     /* Foxconn T99W651 RNDIS */
+         .driver_info = RSVD(5) | RSVD(6) },
+       { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe15f, 0xff),                     /* Foxconn T99W709 */

diff --git a/queue-6.18/usb-serial-option-add-telit-cinterion-fe910c04-new-compositions.patch b/queue-6.18/usb-serial-option-add-telit-cinterion-fe910c04-new-compositions.patch
new file mode 100644 (file)
index 0000000..5d26e36
--- /dev/null
+++ b/queue-6.18/usb-serial-option-add-telit-cinterion-fe910c04-new-compositions.patch
@@ -0,0 +1,223 @@
+From c908039a29aa70870871f4848125b3d743f929bf Mon Sep 17 00:00:00 2001
+From: Fabio Porcedda <fabio.porcedda@gmail.com>
+Date: Wed, 26 Nov 2025 15:26:39 +0100
+Subject: USB: serial: option: add Telit Cinterion FE910C04 new compositions
+
+From: Fabio Porcedda <fabio.porcedda@gmail.com>
+
+commit c908039a29aa70870871f4848125b3d743f929bf upstream.
+
+Add the following Telit Cinterion new compositions:
+
+0x10c1: RNDIS + tty (AT/NMEA) + tty (AT) + tty (diag)
+T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480 MxCh= 0
+D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
+P:  Vendor=1bc7 ProdID=10c1 Rev=05.15
+S:  Manufacturer=Telit Cinterion
+S:  Product=FE910
+S:  SerialNumber=f71b8b32
+C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
+I:  If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host
+E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
+I:  If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
+E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
+E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+0x10c2: MBIM + tty (AT/NMEA) + tty (AT) + tty (diag)
+T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  8 Spd=480 MxCh= 0
+D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
+P:  Vendor=1bc7 ProdID=10c2 Rev=05.15
+S:  Manufacturer=Telit Cinterion
+S:  Product=FE910
+S:  SerialNumber=f71b8b32
+C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
+I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
+E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
+I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
+E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+0x10c3: ECM + tty (AT/NMEA) + tty (AT) + tty (diag)
+T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  9 Spd=480 MxCh= 0
+D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
+P:  Vendor=1bc7 ProdID=10c3 Rev=05.15
+S:  Manufacturer=Telit Cinterion
+S:  Product=FE910
+S:  SerialNumber=f71b8b32
+C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
+I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
+E:  Ad=82(I) Atr=03(Int.) MxPS=  16 Ivl=32ms
+I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
+E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
+E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+0x10c5: RNDIS + tty (AT) + tty (AT) + tty (diag)
+T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 10 Spd=480 MxCh= 0
+D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
+P:  Vendor=1bc7 ProdID=10c5 Rev=05.15
+S:  Manufacturer=Telit Cinterion
+S:  Product=FE910
+S:  SerialNumber=f71b8b32
+C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
+I:  If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host
+E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
+I:  If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
+E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+0x10c6: MBIM + tty (AT) + tty (AT) + tty (diag)
+T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 11 Spd=480 MxCh= 0
+D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
+P:  Vendor=1bc7 ProdID=10c6 Rev=05.15
+S:  Manufacturer=Telit Cinterion
+S:  Product=FE910
+S:  SerialNumber=f71b8b32
+C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
+I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
+E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
+I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+0x10c9: MBIM + tty (AT) + tty (diag) + DPL (Data Packet Logging) + adb
+T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 13 Spd=480 MxCh= 0
+D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
+P:  Vendor=1bc7 ProdID=10c9 Rev=05.15
+S:  Manufacturer=Telit Cinterion
+S:  Product=FE910
+S:  SerialNumber=f71b8b32
+C:  #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=500mA
+I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
+E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
+I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:  If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
+E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
+E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+0x10cb: RNDIS + tty (AT) + tty (diag) + DPL (Data Packet Logging) + adb
+T:  Bus=01 Lev=01 Prnt=01 Port=09 Cnt=01 Dev#=  9 Spd=480 MxCh= 0
+D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
+P:  Vendor=1bc7 ProdID=10cb Rev=05.15
+S:  Manufacturer=Telit Cinterion
+S:  Product=FE910
+S:  SerialNumber=f71b8b32
+C:  #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=500mA
+I:  If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host
+E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
+I:  If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
+E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:  If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
+E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1433,10 +1433,24 @@ static const struct usb_device_id option
+       { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10b3, 0xff, 0xff, 0x60) },
+       { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c0, 0xff),    /* Telit FE910C04 (rmnet) */
+         .driver_info = RSVD(0) | NCTRL(3) },
++      { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c1, 0xff),    /* Telit FE910C04 (RNDIS) */
++        .driver_info = NCTRL(4) },
++      { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c2, 0xff),    /* Telit FE910C04 (MBIM) */
++        .driver_info = NCTRL(4) },
++      { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c3, 0xff),    /* Telit FE910C04 (ECM) */
++        .driver_info = NCTRL(4) },
+       { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c4, 0xff),    /* Telit FE910C04 (rmnet) */
+         .driver_info = RSVD(0) | NCTRL(3) },
++      { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c5, 0xff),    /* Telit FE910C04 (RNDIS) */
++        .driver_info = NCTRL(4) },
++      { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c6, 0xff),    /* Telit FE910C04 (MBIM) */
++        .driver_info = NCTRL(4) },
+       { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c8, 0xff),    /* Telit FE910C04 (rmnet) */
+         .driver_info = RSVD(0) | NCTRL(2) | RSVD(3) | RSVD(4) },
++      { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c9, 0xff),    /* Telit FE910C04 (MBIM) */
++        .driver_info = NCTRL(3) | RSVD(4) | RSVD(5) },
++      { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10cb, 0xff),    /* Telit FE910C04 (RNDIS) */
++        .driver_info = NCTRL(3) | RSVD(4) | RSVD(5) },
+       { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x30),     /* Telit FN990B (rmnet) */
+         .driver_info = NCTRL(5) },
+       { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x40) },

diff --git a/queue-6.18/usb-serial-option-move-telit-0x10c7-composition-in-the-right-place.patch b/queue-6.18/usb-serial-option-move-telit-0x10c7-composition-in-the-right-place.patch
new file mode 100644 (file)
index 0000000..11529d2
--- /dev/null
+++ b/queue-6.18/usb-serial-option-move-telit-0x10c7-composition-in-the-right-place.patch
@@ -0,0 +1,42 @@
+From 072f2c49572547f4b0776fe2da6b8f61e4b34699 Mon Sep 17 00:00:00 2001
+From: Fabio Porcedda <fabio.porcedda@gmail.com>
+Date: Wed, 26 Nov 2025 15:26:40 +0100
+Subject: USB: serial: option: move Telit 0x10c7 composition in the right place
+
+From: Fabio Porcedda <fabio.porcedda@gmail.com>
+
+commit 072f2c49572547f4b0776fe2da6b8f61e4b34699 upstream.
+
+Move Telit 0x10c7 composition right after 0x10c6 composition and
+before 0x10c8 composition.
+
+Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1445,6 +1445,9 @@ static const struct usb_device_id option
+         .driver_info = NCTRL(4) },
+       { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c6, 0xff),    /* Telit FE910C04 (MBIM) */
+         .driver_info = NCTRL(4) },
++      { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x30),     /* Telit FE910C04 (ECM) */
++        .driver_info = NCTRL(4) },
++      { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x40) },
+       { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c8, 0xff),    /* Telit FE910C04 (rmnet) */
+         .driver_info = RSVD(0) | NCTRL(2) | RSVD(3) | RSVD(4) },
+       { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c9, 0xff),    /* Telit FE910C04 (MBIM) */
+@@ -1455,9 +1458,6 @@ static const struct usb_device_id option
+         .driver_info = NCTRL(5) },
+       { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x40) },
+       { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x60) },
+-      { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x30),     /* Telit FE910C04 (ECM) */
+-        .driver_info = NCTRL(4) },
+-      { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x40) },
+       { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d1, 0xff, 0xff, 0x30),     /* Telit FN990B (MBIM) */
+         .driver_info = NCTRL(6) },
+       { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d1, 0xff, 0xff, 0x40) },