From eeea7eb61b9a077ee3500fb0ebc6689d676acd59 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 8 Dec 2025 12:31:07 +0900 Subject: [PATCH] 6.6-stable patches added patches: comedi-pcl818-fix-null-ptr-deref-in-pcl818_ai_cancel.patch documentation-process-also-mention-sasha-levin-as-stable-tree-maintainer.patch ext4-add-i_data_sem-protection-in-ext4_destroy_inline_data_nolock.patch ext4-refresh-inline-data-size-before-write-operations.patch jbd2-avoid-bug_on-in-jbd2_journal_get_create_access-when-file-system-corrupted.patch ksmbd-ipc-fix-use-after-free-in-ipc_msg_send_request.patch kvm-svm-don-t-skip-unrelated-instruction-if-int3-into-is-replaced.patch locking-spinlock-debug-fix-data-race-in-do_raw_write_lock.patch serial-add-support-of-cpci-cards.patch usb-serial-belkin_sa-fix-tiocmbis-and-tiocmbic.patch usb-serial-ftdi_sio-match-on-interface-number-for-jtag.patch usb-serial-kobil_sct-fix-tiocmbis-and-tiocmbic.patch usb-serial-option-add-foxconn-t99w760.patch usb-serial-option-add-telit-cinterion-fe910c04-new-compositions.patch usb-serial-option-move-telit-0x10c7-composition-in-the-right-place.patch --- ...x-null-ptr-deref-in-pcl818_ai_cancel.patch | 68 ++++++ ...asha-levin-as-stable-tree-maintainer.patch | 39 +++ ...n-in-ext4_destroy_inline_data_nolock.patch | 88 +++++++ ...ne-data-size-before-write-operations.patch | 67 ++++++ ...te_access-when-file-system-corrupted.patch | 95 ++++++++ ...e-after-free-in-ipc_msg_send_request.patch | 80 +++++++ ...instruction-if-int3-into-is-replaced.patch | 198 ++++++++++++++++ ...g-fix-data-race-in-do_raw_write_lock.patch | 65 +++++ .../serial-add-support-of-cpci-cards.patch | 74 ++++++ queue-6.6/series | 15 ++ ...-belkin_sa-fix-tiocmbis-and-tiocmbic.patch | 78 ++++++ ...o-match-on-interface-number-for-jtag.patch | 176 ++++++++++++++ ...-kobil_sct-fix-tiocmbis-and-tiocmbic.patch | 78 ++++++ ...sb-serial-option-add-foxconn-t99w760.patch | 60 +++++ ...-cinterion-fe910c04-new-compositions.patch | 223 ++++++++++++++++++ ...x10c7-composition-in-the-right-place.patch | 42 ++++ 16 files changed, 1446 insertions(+) create mode 100644 queue-6.6/comedi-pcl818-fix-null-ptr-deref-in-pcl818_ai_cancel.patch create mode 100644 queue-6.6/documentation-process-also-mention-sasha-levin-as-stable-tree-maintainer.patch create mode 100644 queue-6.6/ext4-add-i_data_sem-protection-in-ext4_destroy_inline_data_nolock.patch create mode 100644 queue-6.6/ext4-refresh-inline-data-size-before-write-operations.patch create mode 100644 queue-6.6/jbd2-avoid-bug_on-in-jbd2_journal_get_create_access-when-file-system-corrupted.patch create mode 100644 queue-6.6/ksmbd-ipc-fix-use-after-free-in-ipc_msg_send_request.patch create mode 100644 queue-6.6/kvm-svm-don-t-skip-unrelated-instruction-if-int3-into-is-replaced.patch create mode 100644 queue-6.6/locking-spinlock-debug-fix-data-race-in-do_raw_write_lock.patch create mode 100644 queue-6.6/serial-add-support-of-cpci-cards.patch create mode 100644 queue-6.6/usb-serial-belkin_sa-fix-tiocmbis-and-tiocmbic.patch create mode 100644 queue-6.6/usb-serial-ftdi_sio-match-on-interface-number-for-jtag.patch create mode 100644 queue-6.6/usb-serial-kobil_sct-fix-tiocmbis-and-tiocmbic.patch create mode 100644 queue-6.6/usb-serial-option-add-foxconn-t99w760.patch create mode 100644 queue-6.6/usb-serial-option-add-telit-cinterion-fe910c04-new-compositions.patch create mode 100644 queue-6.6/usb-serial-option-move-telit-0x10c7-composition-in-the-right-place.patch diff --git a/queue-6.6/comedi-pcl818-fix-null-ptr-deref-in-pcl818_ai_cancel.patch b/queue-6.6/comedi-pcl818-fix-null-ptr-deref-in-pcl818_ai_cancel.patch new file mode 100644 index 0000000000..6afa022737 --- /dev/null +++ b/queue-6.6/comedi-pcl818-fix-null-ptr-deref-in-pcl818_ai_cancel.patch @@ -0,0 +1,68 @@ +From a51f025b5038abd3d22eed2ede4cd46793d89565 Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Thu, 23 Oct 2025 17:14:56 +0300 +Subject: comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() + +From: Nikita Zhandarovich + +commit a51f025b5038abd3d22eed2ede4cd46793d89565 upstream. + +Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from +the fact that in case of early device detach via pcl818_detach(), +subdevice dev->read_subdev may not have initialized its pointer to +&struct comedi_async as intended. Thus, any such dereferencing of +&s->async->cmd will lead to general protection fault and kernel crash. + +Mitigate this problem by removing a call to pcl818_ai_cancel() from +pcl818_detach() altogether. This way, if the subdevice setups its +support for async commands, everything async-related will be +handled via subdevice's own ->cancel() function in +comedi_device_detach_locked() even before pcl818_detach(). If no +support for asynchronous commands is provided, there is no need +to cancel anything either. + +[1] Syzbot crash: +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI +KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] +CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 +RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762 +... +Call Trace: + + pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115 + comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207 + do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline] + comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] +... + +Reported-by: syzbot+fce5d9d5bd067d6fbe9b@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=fce5d9d5bd067d6fbe9b +Fixes: 00aba6e7b565 ("staging: comedi: pcl818: remove 'neverending_ai' from private data") +Cc: stable +Signed-off-by: Nikita Zhandarovich +Reviewed-by: Ian Abbott +Link: https://patch.msgid.link/20251023141457.398685-1-n.zhandarovich@fintech.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers/pcl818.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/comedi/drivers/pcl818.c ++++ b/drivers/comedi/drivers/pcl818.c +@@ -1111,10 +1111,9 @@ static void pcl818_detach(struct comedi_ + { + struct pcl818_private *devpriv = dev->private; + +- if (devpriv) { +- pcl818_ai_cancel(dev, dev->read_subdev); ++ if (devpriv) + pcl818_reset(dev); +- } ++ + pcl818_free_dma(dev); + comedi_legacy_detach(dev); + } diff --git a/queue-6.6/documentation-process-also-mention-sasha-levin-as-stable-tree-maintainer.patch b/queue-6.6/documentation-process-also-mention-sasha-levin-as-stable-tree-maintainer.patch new file mode 100644 index 0000000000..1068d97fce --- /dev/null +++ b/queue-6.6/documentation-process-also-mention-sasha-levin-as-stable-tree-maintainer.patch @@ -0,0 +1,39 @@ +From ba2457109d5b47a90fe565b39524f7225fc23e60 Mon Sep 17 00:00:00 2001 +From: Bagas Sanjaya +Date: Wed, 22 Oct 2025 10:43:35 +0700 +Subject: Documentation: process: Also mention Sasha Levin as stable tree maintainer + +From: Bagas Sanjaya + +commit ba2457109d5b47a90fe565b39524f7225fc23e60 upstream. + +Sasha has also maintaining stable branch in conjunction with Greg +since cb5d21946d2a2f ("MAINTAINERS: Add Sasha as a stable branch +maintainer"). Mention him in 2.Process.rst. + +Cc: stable@vger.kernel.org +Signed-off-by: Bagas Sanjaya +Reviewed-by: Randy Dunlap +Acked-by: Greg Kroah-Hartman +Signed-off-by: Jonathan Corbet +Message-ID: <20251022034336.22839-1-bagasdotme@gmail.com> +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/process/2.Process.rst | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/Documentation/process/2.Process.rst ++++ b/Documentation/process/2.Process.rst +@@ -104,8 +104,10 @@ kernels go out with a handful of known r + of them are serious. + + Once a stable release is made, its ongoing maintenance is passed off to the +-"stable team," currently Greg Kroah-Hartman. The stable team will release +-occasional updates to the stable release using the 5.x.y numbering scheme. ++"stable team," currently consists of Greg Kroah-Hartman and Sasha Levin. The ++stable team will release occasional updates to the stable release using the ++5.x.y numbering scheme. ++ + To be considered for an update release, a patch must (1) fix a significant + bug, and (2) already be merged into the mainline for the next development + kernel. Kernels will typically receive stable updates for a little more diff --git a/queue-6.6/ext4-add-i_data_sem-protection-in-ext4_destroy_inline_data_nolock.patch b/queue-6.6/ext4-add-i_data_sem-protection-in-ext4_destroy_inline_data_nolock.patch new file mode 100644 index 0000000000..5890b96625 --- /dev/null +++ b/queue-6.6/ext4-add-i_data_sem-protection-in-ext4_destroy_inline_data_nolock.patch @@ -0,0 +1,88 @@ +From 0cd8feea8777f8d9b9a862b89c688b049a5c8475 Mon Sep 17 00:00:00 2001 +From: Alexey Nepomnyashih +Date: Tue, 4 Nov 2025 09:33:25 +0000 +Subject: ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() + +From: Alexey Nepomnyashih + +commit 0cd8feea8777f8d9b9a862b89c688b049a5c8475 upstream. + +Fix a race between inline data destruction and block mapping. + +The function ext4_destroy_inline_data_nolock() changes the inode data +layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS. +At the same time, another thread may execute ext4_map_blocks(), which +tests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks() +or ext4_ind_map_blocks(). + +Without i_data_sem protection, ext4_ind_map_blocks() may receive inode +with EXT4_INODE_EXTENTS flag and triggering assert. + +kernel BUG at fs/ext4/indirect.c:546! +EXT4-fs (loop2): unmounting filesystem. +invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +RIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546 + +Call Trace: + + ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681 + _ext4_get_block+0x242/0x590 fs/ext4/inode.c:822 + ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124 + ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255 + ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000 + generic_perform_write+0x259/0x5d0 mm/filemap.c:3846 + ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285 + ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679 + call_write_iter include/linux/fs.h:2271 [inline] + do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735 + do_iter_write+0x186/0x710 fs/read_write.c:861 + vfs_iter_write+0x70/0xa0 fs/read_write.c:902 + iter_file_splice_write+0x73b/0xc90 fs/splice.c:685 + do_splice_from fs/splice.c:763 [inline] + direct_splice_actor+0x10f/0x170 fs/splice.c:950 + splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896 + do_splice_direct+0x1a9/0x280 fs/splice.c:1002 + do_sendfile+0xb13/0x12c0 fs/read_write.c:1255 + __do_sys_sendfile64 fs/read_write.c:1323 [inline] + __se_sys_sendfile64 fs/read_write.c:1309 [inline] + __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +Fixes: c755e251357a ("ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()") +Cc: stable@vger.kernel.org # v4.11+ +Signed-off-by: Alexey Nepomnyashih +Message-ID: <20251104093326.697381-1-sdl@nppct.ru> +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inline.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -446,9 +446,13 @@ static int ext4_destroy_inline_data_nolo + if (!ei->i_inline_off) + return 0; + ++ down_write(&ei->i_data_sem); ++ + error = ext4_get_inode_loc(inode, &is.iloc); +- if (error) ++ if (error) { ++ up_write(&ei->i_data_sem); + return error; ++ } + + error = ext4_xattr_ibody_find(inode, &i, &is); + if (error) +@@ -487,6 +491,7 @@ out: + brelse(is.iloc.bh); + if (error == -ENODATA) + error = 0; ++ up_write(&ei->i_data_sem); + return error; + } + diff --git a/queue-6.6/ext4-refresh-inline-data-size-before-write-operations.patch b/queue-6.6/ext4-refresh-inline-data-size-before-write-operations.patch new file mode 100644 index 0000000000..92abc1be8a --- /dev/null +++ b/queue-6.6/ext4-refresh-inline-data-size-before-write-operations.patch @@ -0,0 +1,67 @@ +From 892e1cf17555735e9d021ab036c36bc7b58b0e3b Mon Sep 17 00:00:00 2001 +From: Deepanshu Kartikey +Date: Mon, 20 Oct 2025 11:39:36 +0530 +Subject: ext4: refresh inline data size before write operations + +From: Deepanshu Kartikey + +commit 892e1cf17555735e9d021ab036c36bc7b58b0e3b upstream. + +The cached ei->i_inline_size can become stale between the initial size +check and when ext4_update_inline_data()/ext4_create_inline_data() use +it. Although ext4_get_max_inline_size() reads the correct value at the +time of the check, concurrent xattr operations can modify i_inline_size +before ext4_write_lock_xattr() is acquired. + +This causes ext4_update_inline_data() and ext4_create_inline_data() to +work with stale capacity values, leading to a BUG_ON() crash in +ext4_write_inline_data(): + + kernel BUG at fs/ext4/inline.c:1331! + BUG_ON(pos + len > EXT4_I(inode)->i_inline_size); + +The race window: +1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct) +2. Size check passes for 50-byte write +3. [Another thread adds xattr, i_inline_size changes to 40] +4. ext4_write_lock_xattr() acquires lock +5. ext4_update_inline_data() uses stale i_inline_size = 60 +6. Attempts to write 50 bytes but only 40 bytes actually available +7. BUG_ON() triggers + +Fix this by recalculating i_inline_size via ext4_find_inline_data_nolock() +immediately after acquiring xattr_sem. This ensures ext4_update_inline_data() +and ext4_create_inline_data() work with current values that are protected +from concurrent modifications. + +This is similar to commit a54c4613dac1 ("ext4: fix race writing to an +inline_data file while its xattrs are changing") which fixed i_inline_off +staleness. This patch addresses the related i_inline_size staleness issue. + +Reported-by: syzbot+f3185be57d7e8dda32b8@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=f3185be57d7e8dda32b8 +Cc: stable@kernel.org +Signed-off-by: Deepanshu Kartikey +Message-ID: <20251020060936.474314-1-kartikey406@gmail.com> +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inline.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -413,7 +413,12 @@ static int ext4_prepare_inline_data(hand + return -ENOSPC; + + ext4_write_lock_xattr(inode, &no_expand); +- ++ /* ++ * ei->i_inline_size may have changed since the initial check ++ * if other xattrs were added. Recalculate to ensure ++ * ext4_update_inline_data() validates against current capacity. ++ */ ++ (void) ext4_find_inline_data_nolock(inode); + if (ei->i_inline_off) + ret = ext4_update_inline_data(handle, inode, len); + else diff --git a/queue-6.6/jbd2-avoid-bug_on-in-jbd2_journal_get_create_access-when-file-system-corrupted.patch b/queue-6.6/jbd2-avoid-bug_on-in-jbd2_journal_get_create_access-when-file-system-corrupted.patch new file mode 100644 index 0000000000..ec64889c76 --- /dev/null +++ b/queue-6.6/jbd2-avoid-bug_on-in-jbd2_journal_get_create_access-when-file-system-corrupted.patch @@ -0,0 +1,95 @@ +From 986835bf4d11032bba4ab8414d18fce038c61bb4 Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Sat, 25 Oct 2025 15:26:57 +0800 +Subject: jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted + +From: Ye Bin + +commit 986835bf4d11032bba4ab8414d18fce038c61bb4 upstream. + +There's issue when file system corrupted: +------------[ cut here ]------------ +kernel BUG at fs/jbd2/transaction.c:1289! +Oops: invalid opcode: 0000 [#1] SMP KASAN PTI +CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next +RIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0 +RSP: 0018:ffff888117aafa30 EFLAGS: 00010202 +RAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534 +RDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010 +RBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028 +R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000 +R13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0 +Call Trace: + + __ext4_journal_get_create_access+0x42/0x170 + ext4_getblk+0x319/0x6f0 + ext4_bread+0x11/0x100 + ext4_append+0x1e6/0x4a0 + ext4_init_new_dir+0x145/0x1d0 + ext4_mkdir+0x326/0x920 + vfs_mkdir+0x45c/0x740 + do_mkdirat+0x234/0x2f0 + __x64_sys_mkdir+0xd6/0x120 + do_syscall_64+0x5f/0xfa0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +The above issue occurs with us in errors=continue mode when accompanied by +storage failures. There have been many inconsistencies in the file system +data. +In the case of file system data inconsistency, for example, if the block +bitmap of a referenced block is not set, it can lead to the situation where +a block being committed is allocated and used again. As a result, the +following condition will not be satisfied then trigger BUG_ON. Of course, +it is entirely possible to construct a problematic image that can trigger +this BUG_ON through specific operations. In fact, I have constructed such +an image and easily reproduced this issue. +Therefore, J_ASSERT() holds true only under ideal conditions, but it may +not necessarily be satisfied in exceptional scenarios. Using J_ASSERT() +directly in abnormal situations would cause the system to crash, which is +clearly not what we want. So here we directly trigger a JBD abort instead +of immediately invoking BUG_ON. + +Fixes: 470decc613ab ("[PATCH] jbd2: initial copy of files from jbd") +Signed-off-by: Ye Bin +Reviewed-by: Jan Kara +Message-ID: <20251025072657.307851-1-yebin@huaweicloud.com> +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/transaction.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -1274,14 +1274,23 @@ int jbd2_journal_get_create_access(handl + * committing transaction's lists, but it HAS to be in Forget state in + * that case: the transaction must have deleted the buffer for it to be + * reused here. ++ * In the case of file system data inconsistency, for example, if the ++ * block bitmap of a referenced block is not set, it can lead to the ++ * situation where a block being committed is allocated and used again. ++ * As a result, the following condition will not be satisfied, so here ++ * we directly trigger a JBD abort instead of immediately invoking ++ * bugon. + */ + spin_lock(&jh->b_state_lock); +- J_ASSERT_JH(jh, (jh->b_transaction == transaction || +- jh->b_transaction == NULL || +- (jh->b_transaction == journal->j_committing_transaction && +- jh->b_jlist == BJ_Forget))); ++ if (!(jh->b_transaction == transaction || jh->b_transaction == NULL || ++ (jh->b_transaction == journal->j_committing_transaction && ++ jh->b_jlist == BJ_Forget)) || jh->b_next_transaction != NULL) { ++ err = -EROFS; ++ spin_unlock(&jh->b_state_lock); ++ jbd2_journal_abort(journal, err); ++ goto out; ++ } + +- J_ASSERT_JH(jh, jh->b_next_transaction == NULL); + J_ASSERT_JH(jh, buffer_locked(jh2bh(jh))); + + if (jh->b_transaction == NULL) { diff --git a/queue-6.6/ksmbd-ipc-fix-use-after-free-in-ipc_msg_send_request.patch b/queue-6.6/ksmbd-ipc-fix-use-after-free-in-ipc_msg_send_request.patch new file mode 100644 index 0000000000..762bd0c4b8 --- /dev/null +++ b/queue-6.6/ksmbd-ipc-fix-use-after-free-in-ipc_msg_send_request.patch @@ -0,0 +1,80 @@ +From 1fab1fa091f5aa97265648b53ea031deedd26235 Mon Sep 17 00:00:00 2001 +From: Qianchang Zhao +Date: Wed, 26 Nov 2025 12:24:18 +0900 +Subject: ksmbd: ipc: fix use-after-free in ipc_msg_send_request + +From: Qianchang Zhao + +commit 1fab1fa091f5aa97265648b53ea031deedd26235 upstream. + +ipc_msg_send_request() waits for a generic netlink reply using an +ipc_msg_table_entry on the stack. The generic netlink handler +(handle_generic_event()/handle_response()) fills entry->response under +ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free +entry->response without holding the same lock. + +Under high concurrency this allows a race where handle_response() is +copying data into entry->response while ipc_msg_send_request() has just +freed it, leading to a slab-use-after-free reported by KASAN in +handle_generic_event(): + + BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd] + Write of size 12 at addr ffff888198ee6e20 by task pool/109349 + ... + Freed by task: + kvfree + ipc_msg_send_request [ksmbd] + ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd] + +Fix by: +- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating + entry->response, freeing it when invalid, and removing the entry from + ipc_msg_table. +- Returning the final entry->response pointer to the caller only after + the hash entry is removed under the lock. +- Returning NULL in the error path, preserving the original API + semantics. + +This makes all accesses to entry->response consistent with +handle_response(), which already updates and fills the response buffer +under ipc_msg_table_lock, and closes the race that allowed the UAF. + +Cc: stable@vger.kernel.org +Reported-by: Qianchang Zhao +Reported-by: Zhitong Liu +Signed-off-by: Qianchang Zhao +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/transport_ipc.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/smb/server/transport_ipc.c ++++ b/fs/smb/server/transport_ipc.c +@@ -520,12 +520,16 @@ static void *ipc_msg_send_request(struct + up_write(&ipc_msg_table_lock); + + ret = ipc_msg_send(msg); +- if (ret) ++ if (ret) { ++ down_write(&ipc_msg_table_lock); + goto out; ++ } + + ret = wait_event_interruptible_timeout(entry.wait, + entry.response != NULL, + IPC_WAIT_TIMEOUT); ++ ++ down_write(&ipc_msg_table_lock); + if (entry.response) { + ret = ipc_validate_msg(&entry); + if (ret) { +@@ -534,7 +538,6 @@ static void *ipc_msg_send_request(struct + } + } + out: +- down_write(&ipc_msg_table_lock); + hash_del(&entry.ipc_table_hlist); + up_write(&ipc_msg_table_lock); + return entry.response; diff --git a/queue-6.6/kvm-svm-don-t-skip-unrelated-instruction-if-int3-into-is-replaced.patch b/queue-6.6/kvm-svm-don-t-skip-unrelated-instruction-if-int3-into-is-replaced.patch new file mode 100644 index 0000000000..9c74132eb9 --- /dev/null +++ b/queue-6.6/kvm-svm-don-t-skip-unrelated-instruction-if-int3-into-is-replaced.patch @@ -0,0 +1,198 @@ +From 4da3768e1820cf15cced390242d8789aed34f54d Mon Sep 17 00:00:00 2001 +From: Omar Sandoval +Date: Tue, 4 Nov 2025 09:55:26 -0800 +Subject: KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced + +From: Omar Sandoval + +commit 4da3768e1820cf15cced390242d8789aed34f54d upstream. + +When re-injecting a soft interrupt from an INT3, INT0, or (select) INTn +instruction, discard the exception and retry the instruction if the code +stream is changed (e.g. by a different vCPU) between when the CPU +executes the instruction and when KVM decodes the instruction to get the +next RIP. + +As effectively predicted by commit 6ef88d6e36c2 ("KVM: SVM: Re-inject +INT3/INTO instead of retrying the instruction"), failure to verify that +the correct INTn instruction was decoded can effectively clobber guest +state due to decoding the wrong instruction and thus specifying the +wrong next RIP. + +The bug most often manifests as "Oops: int3" panics on static branch +checks in Linux guests. Enabling or disabling a static branch in Linux +uses the kernel's "text poke" code patching mechanism. To modify code +while other CPUs may be executing that code, Linux (temporarily) +replaces the first byte of the original instruction with an int3 (opcode +0xcc), then patches in the new code stream except for the first byte, +and finally replaces the int3 with the first byte of the new code +stream. If a CPU hits the int3, i.e. executes the code while it's being +modified, then the guest kernel must look up the RIP to determine how to +handle the #BP, e.g. by emulating the new instruction. If the RIP is +incorrect, then this lookup fails and the guest kernel panics. + +The bug reproduces almost instantly by hacking the guest kernel to +repeatedly check a static branch[1] while running a drgn script[2] on +the host to constantly swap out the memory containing the guest's TSS. + +[1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a +[2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b + +Fixes: 6ef88d6e36c2 ("KVM: SVM: Re-inject INT3/INTO instead of retrying the instruction") +Cc: stable@vger.kernel.org +Co-developed-by: Sean Christopherson +Signed-off-by: Omar Sandoval +Link: https://patch.msgid.link/1cc6dcdf36e3add7ee7c8d90ad58414eeb6c3d34.1762278762.git.osandov@fb.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/kvm_host.h | 9 +++++++++ + arch/x86/kvm/svm/svm.c | 24 +++++++++++++----------- + arch/x86/kvm/x86.c | 21 +++++++++++++++++++++ + 3 files changed, 43 insertions(+), 11 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1950,6 +1950,11 @@ u64 vcpu_tsc_khz(struct kvm_vcpu *vcpu); + * the gfn, i.e. retrying the instruction will hit a + * !PRESENT fault, which results in a new shadow page + * and sends KVM back to square one. ++ * ++ * EMULTYPE_SKIP_SOFT_INT - Set in combination with EMULTYPE_SKIP to only skip ++ * an instruction if it could generate a given software ++ * interrupt, which must be encoded via ++ * EMULTYPE_SET_SOFT_INT_VECTOR(). + */ + #define EMULTYPE_NO_DECODE (1 << 0) + #define EMULTYPE_TRAP_UD (1 << 1) +@@ -1960,6 +1965,10 @@ u64 vcpu_tsc_khz(struct kvm_vcpu *vcpu); + #define EMULTYPE_PF (1 << 6) + #define EMULTYPE_COMPLETE_USER_EXIT (1 << 7) + #define EMULTYPE_WRITE_PF_TO_SP (1 << 8) ++#define EMULTYPE_SKIP_SOFT_INT (1 << 9) ++ ++#define EMULTYPE_SET_SOFT_INT_VECTOR(v) ((u32)((v) & 0xff) << 16) ++#define EMULTYPE_GET_SOFT_INT_VECTOR(e) (((e) >> 16) & 0xff) + + int kvm_emulate_instruction(struct kvm_vcpu *vcpu, int emulation_type); + int kvm_emulate_instruction_from_buffer(struct kvm_vcpu *vcpu, +--- a/arch/x86/kvm/svm/svm.c ++++ b/arch/x86/kvm/svm/svm.c +@@ -370,6 +370,7 @@ static bool svm_can_emulate_instruction( + void *insn, int insn_len); + + static int __svm_skip_emulated_instruction(struct kvm_vcpu *vcpu, ++ int emul_type, + bool commit_side_effects) + { + struct vcpu_svm *svm = to_svm(vcpu); +@@ -399,7 +400,7 @@ static int __svm_skip_emulated_instructi + if (unlikely(!commit_side_effects)) + old_rflags = svm->vmcb->save.rflags; + +- if (!kvm_emulate_instruction(vcpu, EMULTYPE_SKIP)) ++ if (!kvm_emulate_instruction(vcpu, emul_type)) + return 0; + + if (unlikely(!commit_side_effects)) +@@ -417,11 +418,13 @@ done: + + static int svm_skip_emulated_instruction(struct kvm_vcpu *vcpu) + { +- return __svm_skip_emulated_instruction(vcpu, true); ++ return __svm_skip_emulated_instruction(vcpu, EMULTYPE_SKIP, true); + } + +-static int svm_update_soft_interrupt_rip(struct kvm_vcpu *vcpu) ++static int svm_update_soft_interrupt_rip(struct kvm_vcpu *vcpu, u8 vector) + { ++ const int emul_type = EMULTYPE_SKIP | EMULTYPE_SKIP_SOFT_INT | ++ EMULTYPE_SET_SOFT_INT_VECTOR(vector); + unsigned long rip, old_rip = kvm_rip_read(vcpu); + struct vcpu_svm *svm = to_svm(vcpu); + +@@ -437,7 +440,7 @@ static int svm_update_soft_interrupt_rip + * in use, the skip must not commit any side effects such as clearing + * the interrupt shadow or RFLAGS.RF. + */ +- if (!__svm_skip_emulated_instruction(vcpu, !nrips)) ++ if (!__svm_skip_emulated_instruction(vcpu, emul_type, !nrips)) + return -EIO; + + rip = kvm_rip_read(vcpu); +@@ -473,7 +476,7 @@ static void svm_inject_exception(struct + kvm_deliver_exception_payload(vcpu, ex); + + if (kvm_exception_is_soft(ex->vector) && +- svm_update_soft_interrupt_rip(vcpu)) ++ svm_update_soft_interrupt_rip(vcpu, ex->vector)) + return; + + svm->vmcb->control.event_inj = ex->vector +@@ -3668,11 +3671,12 @@ static bool svm_set_vnmi_pending(struct + + static void svm_inject_irq(struct kvm_vcpu *vcpu, bool reinjected) + { ++ struct kvm_queued_interrupt *intr = &vcpu->arch.interrupt; + struct vcpu_svm *svm = to_svm(vcpu); + u32 type; + +- if (vcpu->arch.interrupt.soft) { +- if (svm_update_soft_interrupt_rip(vcpu)) ++ if (intr->soft) { ++ if (svm_update_soft_interrupt_rip(vcpu, intr->nr)) + return; + + type = SVM_EVTINJ_TYPE_SOFT; +@@ -3680,12 +3684,10 @@ static void svm_inject_irq(struct kvm_vc + type = SVM_EVTINJ_TYPE_INTR; + } + +- trace_kvm_inj_virq(vcpu->arch.interrupt.nr, +- vcpu->arch.interrupt.soft, reinjected); ++ trace_kvm_inj_virq(intr->nr, intr->soft, reinjected); + ++vcpu->stat.irq_injections; + +- svm->vmcb->control.event_inj = vcpu->arch.interrupt.nr | +- SVM_EVTINJ_VALID | type; ++ svm->vmcb->control.event_inj = intr->nr | SVM_EVTINJ_VALID | type; + } + + void svm_complete_interrupt_delivery(struct kvm_vcpu *vcpu, int delivery_mode, +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -8864,6 +8864,23 @@ static bool is_vmware_backdoor_opcode(st + return false; + } + ++static bool is_soft_int_instruction(struct x86_emulate_ctxt *ctxt, ++ int emulation_type) ++{ ++ u8 vector = EMULTYPE_GET_SOFT_INT_VECTOR(emulation_type); ++ ++ switch (ctxt->b) { ++ case 0xcc: ++ return vector == BP_VECTOR; ++ case 0xcd: ++ return vector == ctxt->src.val; ++ case 0xce: ++ return vector == OF_VECTOR; ++ default: ++ return false; ++ } ++} ++ + /* + * Decode an instruction for emulation. The caller is responsible for handling + * code breakpoints. Note, manually detecting code breakpoints is unnecessary +@@ -8954,6 +8971,10 @@ int x86_emulate_instruction(struct kvm_v + * injecting single-step #DBs. + */ + if (emulation_type & EMULTYPE_SKIP) { ++ if (emulation_type & EMULTYPE_SKIP_SOFT_INT && ++ !is_soft_int_instruction(ctxt, emulation_type)) ++ return 0; ++ + if (ctxt->mode != X86EMUL_MODE_PROT64) + ctxt->eip = (u32)ctxt->_eip; + else diff --git a/queue-6.6/locking-spinlock-debug-fix-data-race-in-do_raw_write_lock.patch b/queue-6.6/locking-spinlock-debug-fix-data-race-in-do_raw_write_lock.patch new file mode 100644 index 0000000000..f8f4b00095 --- /dev/null +++ b/queue-6.6/locking-spinlock-debug-fix-data-race-in-do_raw_write_lock.patch @@ -0,0 +1,65 @@ +From c14ecb555c3ee80eeb030a4e46d00e679537f03a Mon Sep 17 00:00:00 2001 +From: Alexander Sverdlin +Date: Fri, 19 Sep 2025 11:12:38 +0200 +Subject: locking/spinlock/debug: Fix data-race in do_raw_write_lock + +From: Alexander Sverdlin + +commit c14ecb555c3ee80eeb030a4e46d00e679537f03a upstream. + +KCSAN reports: + +BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock + +write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1: + do_raw_write_lock+0x120/0x204 + _raw_write_lock_irq + do_exit + call_usermodehelper_exec_async + ret_from_fork + +read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0: + do_raw_write_lock+0x88/0x204 + _raw_write_lock_irq + do_exit + call_usermodehelper_exec_async + ret_from_fork + +value changed: 0xffffffff -> 0x00000001 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111 + +Commit 1a365e822372 ("locking/spinlock/debug: Fix various data races") has +adressed most of these races, but seems to be not consistent/not complete. + +>From do_raw_write_lock() only debug_write_lock_after() part has been +converted to WRITE_ONCE(), but not debug_write_lock_before() part. +Do it now. + +Fixes: 1a365e822372 ("locking/spinlock/debug: Fix various data races") +Reported-by: Adrian Freihofer +Signed-off-by: Alexander Sverdlin +Signed-off-by: Boqun Feng +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Paul E. McKenney +Acked-by: Waiman Long +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/locking/spinlock_debug.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/locking/spinlock_debug.c ++++ b/kernel/locking/spinlock_debug.c +@@ -183,8 +183,8 @@ void do_raw_read_unlock(rwlock_t *lock) + static inline void debug_write_lock_before(rwlock_t *lock) + { + RWLOCK_BUG_ON(lock->magic != RWLOCK_MAGIC, lock, "bad magic"); +- RWLOCK_BUG_ON(lock->owner == current, lock, "recursion"); +- RWLOCK_BUG_ON(lock->owner_cpu == raw_smp_processor_id(), ++ RWLOCK_BUG_ON(READ_ONCE(lock->owner) == current, lock, "recursion"); ++ RWLOCK_BUG_ON(READ_ONCE(lock->owner_cpu) == raw_smp_processor_id(), + lock, "cpu recursion"); + } + diff --git a/queue-6.6/serial-add-support-of-cpci-cards.patch b/queue-6.6/serial-add-support-of-cpci-cards.patch new file mode 100644 index 0000000000..255d104402 --- /dev/null +++ b/queue-6.6/serial-add-support-of-cpci-cards.patch @@ -0,0 +1,74 @@ +From 0e5a99e0e5f50353b86939ff6e424800d769c818 Mon Sep 17 00:00:00 2001 +From: Magne Bruno +Date: Mon, 10 Nov 2025 17:24:56 +0100 +Subject: serial: add support of CPCI cards + +From: Magne Bruno + +commit 0e5a99e0e5f50353b86939ff6e424800d769c818 upstream. + +Addi-Data GmbH is manufacturing multi-serial ports cards supporting CompactPCI (known as CPCI). +Those cards are identified with different DeviceIds. Those cards integrating standard UARTs +work the same way as PCI/PCIe models already supported in the serial driver. + +Signed-off-by: Magne Bruno +Link: https://patch.msgid.link/20251110162456.341029-1-magne.bruno@addi-data.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_pci.c | 37 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 37 insertions(+) + +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -1971,6 +1971,11 @@ pci_moxa_setup(struct serial_private *pr + #define PCI_DEVICE_ID_MOXA_CP138E_A 0x1381 + #define PCI_DEVICE_ID_MOXA_CP168EL_A 0x1683 + ++#define PCI_DEVICE_ID_ADDIDATA_CPCI7500 0x7003 ++#define PCI_DEVICE_ID_ADDIDATA_CPCI7500_NG 0x7024 ++#define PCI_DEVICE_ID_ADDIDATA_CPCI7420_NG 0x7025 ++#define PCI_DEVICE_ID_ADDIDATA_CPCI7300_NG 0x7026 ++ + /* Unknown vendors/cards - this should not be in linux/pci_ids.h */ + #define PCI_SUBDEVICE_ID_UNKNOWN_0x1584 0x1584 + #define PCI_SUBDEVICE_ID_UNKNOWN_0x1588 0x1588 +@@ -5868,6 +5873,38 @@ static const struct pci_device_id serial + 0, + pbn_ADDIDATA_PCIe_8_3906250 }, + ++ { PCI_VENDOR_ID_ADDIDATA, ++ PCI_DEVICE_ID_ADDIDATA_CPCI7500, ++ PCI_ANY_ID, ++ PCI_ANY_ID, ++ 0, ++ 0, ++ pbn_b0_4_115200 }, ++ ++ { PCI_VENDOR_ID_ADDIDATA, ++ PCI_DEVICE_ID_ADDIDATA_CPCI7500_NG, ++ PCI_ANY_ID, ++ PCI_ANY_ID, ++ 0, ++ 0, ++ pbn_b0_4_115200 }, ++ ++ { PCI_VENDOR_ID_ADDIDATA, ++ PCI_DEVICE_ID_ADDIDATA_CPCI7420_NG, ++ PCI_ANY_ID, ++ PCI_ANY_ID, ++ 0, ++ 0, ++ pbn_b0_2_115200 }, ++ ++ { PCI_VENDOR_ID_ADDIDATA, ++ PCI_DEVICE_ID_ADDIDATA_CPCI7300_NG, ++ PCI_ANY_ID, ++ PCI_ANY_ID, ++ 0, ++ 0, ++ pbn_b0_1_115200 }, ++ + { PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9835, + PCI_VENDOR_ID_IBM, 0x0299, + 0, 0, pbn_b0_bt_2_115200 }, diff --git a/queue-6.6/series b/queue-6.6/series index 244f90a9d3..9fd52f900a 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -3,3 +3,18 @@ revert-xfrm-destroy-xfrm_state-synchronously-on-net-.patch xfrm-also-call-xfrm_state_delete_tunnel-at-destroy-t.patch xfrm-flush-all-states-in-xfrm_state_fini.patch leds-spi-byte-use-devm_led_classdev_register_ext.patch +documentation-process-also-mention-sasha-levin-as-stable-tree-maintainer.patch +jbd2-avoid-bug_on-in-jbd2_journal_get_create_access-when-file-system-corrupted.patch +ext4-refresh-inline-data-size-before-write-operations.patch +ksmbd-ipc-fix-use-after-free-in-ipc_msg_send_request.patch +locking-spinlock-debug-fix-data-race-in-do_raw_write_lock.patch +ext4-add-i_data_sem-protection-in-ext4_destroy_inline_data_nolock.patch +comedi-pcl818-fix-null-ptr-deref-in-pcl818_ai_cancel.patch +kvm-svm-don-t-skip-unrelated-instruction-if-int3-into-is-replaced.patch +usb-serial-option-add-foxconn-t99w760.patch +usb-serial-option-add-telit-cinterion-fe910c04-new-compositions.patch +usb-serial-option-move-telit-0x10c7-composition-in-the-right-place.patch +usb-serial-ftdi_sio-match-on-interface-number-for-jtag.patch +serial-add-support-of-cpci-cards.patch +usb-serial-belkin_sa-fix-tiocmbis-and-tiocmbic.patch +usb-serial-kobil_sct-fix-tiocmbis-and-tiocmbic.patch diff --git a/queue-6.6/usb-serial-belkin_sa-fix-tiocmbis-and-tiocmbic.patch b/queue-6.6/usb-serial-belkin_sa-fix-tiocmbis-and-tiocmbic.patch new file mode 100644 index 0000000000..5a4277b212 --- /dev/null +++ b/queue-6.6/usb-serial-belkin_sa-fix-tiocmbis-and-tiocmbic.patch @@ -0,0 +1,78 @@ +From b6e0b3016187446ddef9edac03cd9d544ac63f11 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 22 Oct 2025 17:26:33 +0200 +Subject: USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC + +From: Johan Hovold + +commit b6e0b3016187446ddef9edac03cd9d544ac63f11 upstream. + +Asserting or deasserting a modem control line using TIOCMBIS or TIOCMBIC +should not deassert any lines that are not in the mask. + +Fix this long-standing regression dating back to 2003 when the +tiocmset() callback was introduced. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/belkin_sa.c | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +--- a/drivers/usb/serial/belkin_sa.c ++++ b/drivers/usb/serial/belkin_sa.c +@@ -436,7 +436,7 @@ static int belkin_sa_tiocmset(struct tty + struct belkin_sa_private *priv = usb_get_serial_port_data(port); + unsigned long control_state; + unsigned long flags; +- int retval; ++ int retval = 0; + int rts = 0; + int dtr = 0; + +@@ -453,26 +453,32 @@ static int belkin_sa_tiocmset(struct tty + } + if (clear & TIOCM_RTS) { + control_state &= ~TIOCM_RTS; +- rts = 0; ++ rts = 1; + } + if (clear & TIOCM_DTR) { + control_state &= ~TIOCM_DTR; +- dtr = 0; ++ dtr = 1; + } + + priv->control_state = control_state; + spin_unlock_irqrestore(&priv->lock, flags); + +- retval = BSA_USB_CMD(BELKIN_SA_SET_RTS_REQUEST, rts); +- if (retval < 0) { +- dev_err(&port->dev, "Set RTS error %d\n", retval); +- goto exit; ++ if (rts) { ++ retval = BSA_USB_CMD(BELKIN_SA_SET_RTS_REQUEST, ++ !!(control_state & TIOCM_RTS)); ++ if (retval < 0) { ++ dev_err(&port->dev, "Set RTS error %d\n", retval); ++ goto exit; ++ } + } + +- retval = BSA_USB_CMD(BELKIN_SA_SET_DTR_REQUEST, dtr); +- if (retval < 0) { +- dev_err(&port->dev, "Set DTR error %d\n", retval); +- goto exit; ++ if (dtr) { ++ retval = BSA_USB_CMD(BELKIN_SA_SET_DTR_REQUEST, ++ !!(control_state & TIOCM_DTR)); ++ if (retval < 0) { ++ dev_err(&port->dev, "Set DTR error %d\n", retval); ++ goto exit; ++ } + } + exit: + return retval; diff --git a/queue-6.6/usb-serial-ftdi_sio-match-on-interface-number-for-jtag.patch b/queue-6.6/usb-serial-ftdi_sio-match-on-interface-number-for-jtag.patch new file mode 100644 index 0000000000..108dd0822c --- /dev/null +++ b/queue-6.6/usb-serial-ftdi_sio-match-on-interface-number-for-jtag.patch @@ -0,0 +1,176 @@ +From 4e31a5d0a9ee672f708fc993c1d5520643f769fd Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 10 Nov 2025 12:12:05 +0100 +Subject: USB: serial: ftdi_sio: match on interface number for jtag + +From: Johan Hovold + +commit 4e31a5d0a9ee672f708fc993c1d5520643f769fd upstream. + +Some FTDI devices have the first port reserved for JTAG and have been +using a dedicated quirk to prevent binding to it. + +As can be inferred directly or indirectly from the commit messages, +almost all of these devices are dual port devices which means that the +more recently added macro for matching on interface number can be used +instead (and some such devices do so already). + +This avoids probing interfaces that will never be bound and cleans up +the match table somewhat. + +Note that the JTAG quirk is kept for quad port devices, which would +otherwise require three match entries. + +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/ftdi_sio.c | 72 ++++++++++++++---------------------------- + 1 file changed, 24 insertions(+), 48 deletions(-) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -628,10 +628,8 @@ static const struct usb_device_id id_tab + { USB_DEVICE(FTDI_VID, FTDI_IBS_PEDO_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_IBS_PROD_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_TAVIR_STK500_PID) }, +- { USB_DEVICE(FTDI_VID, FTDI_TIAO_UMPA_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +- { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLXM_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_TIAO_UMPA_PID, 1) }, ++ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_NT_ORIONLXM_PID, 1) }, + { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLX_PLUS_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_NT_ORION_IO_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONMX_PID) }, +@@ -842,24 +840,17 @@ static const struct usb_device_id id_tab + { USB_DEVICE(FTDI_VID, FTDI_ELSTER_UNICOM_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_PROPOX_JTAGCABLEII_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_PROPOX_ISPCABLEIII_PID) }, +- { USB_DEVICE(FTDI_VID, CYBER_CORTEX_AV_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, CYBER_CORTEX_AV_PID, 1) }, + { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_OCD_PID, 1) }, + { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_OCD_H_PID, 1) }, + { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_TINY_PID, 1) }, + { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_TINY_H_PID, 1) }, +- { USB_DEVICE(FIC_VID, FIC_NEO1973_DEBUG_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +- { USB_DEVICE(FTDI_VID, FTDI_OOCDLINK_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +- { USB_DEVICE(FTDI_VID, LMI_LM3S_DEVEL_BOARD_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +- { USB_DEVICE(FTDI_VID, LMI_LM3S_EVAL_BOARD_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +- { USB_DEVICE(FTDI_VID, LMI_LM3S_ICDI_BOARD_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +- { USB_DEVICE(FTDI_VID, FTDI_TURTELIZER_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE_INTERFACE_NUMBER(FIC_VID, FIC_NEO1973_DEBUG_PID, 1) }, ++ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_OOCDLINK_PID, 1) }, ++ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, LMI_LM3S_DEVEL_BOARD_PID, 1) }, ++ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, LMI_LM3S_EVAL_BOARD_PID, 1) }, ++ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, LMI_LM3S_ICDI_BOARD_PID, 1) }, ++ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_TURTELIZER_PID, 1) }, + { USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_USB60F) }, + { USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_SCU18) }, + { USB_DEVICE(FTDI_VID, FTDI_REU_TINY_PID) }, +@@ -901,17 +892,14 @@ static const struct usb_device_id id_tab + { USB_DEVICE(ATMEL_VID, STK541_PID) }, + { USB_DEVICE(DE_VID, STB_PID) }, + { USB_DEVICE(DE_VID, WHT_PID) }, +- { USB_DEVICE(ADI_VID, ADI_GNICE_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +- { USB_DEVICE(ADI_VID, ADI_GNICEPLUS_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE_INTERFACE_NUMBER(ADI_VID, ADI_GNICE_PID, 1) }, ++ { USB_DEVICE_INTERFACE_NUMBER(ADI_VID, ADI_GNICEPLUS_PID, 1) }, + { USB_DEVICE_AND_INTERFACE_INFO(MICROCHIP_VID, MICROCHIP_USB_BOARD_PID, + USB_CLASS_VENDOR_SPEC, + USB_SUBCLASS_VENDOR_SPEC, 0x00) }, + { USB_DEVICE_INTERFACE_NUMBER(ACTEL_VID, MICROSEMI_ARROW_SF2PLUS_BOARD_PID, 2) }, + { USB_DEVICE(JETI_VID, JETI_SPC1201_PID) }, +- { USB_DEVICE(MARVELL_VID, MARVELL_SHEEVAPLUG_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE_INTERFACE_NUMBER(MARVELL_VID, MARVELL_SHEEVAPLUG_PID, 1) }, + { USB_DEVICE(LARSENBRUSGAARD_VID, LB_ALTITRACK_PID) }, + { USB_DEVICE(GN_OTOMETRICS_VID, AURICAL_USB_PID) }, + { USB_DEVICE(FTDI_VID, PI_C865_PID) }, +@@ -934,10 +922,8 @@ static const struct usb_device_id id_tab + { USB_DEVICE(PI_VID, PI_1016_PID) }, + { USB_DEVICE(KONDO_VID, KONDO_USB_SERIAL_PID) }, + { USB_DEVICE(BAYER_VID, BAYER_CONTOUR_CABLE_PID) }, +- { USB_DEVICE(FTDI_VID, MARVELL_OPENRD_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +- { USB_DEVICE(FTDI_VID, TI_XDS100V2_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, MARVELL_OPENRD_PID, 1) }, ++ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, TI_XDS100V2_PID, 1) }, + { USB_DEVICE(FTDI_VID, HAMEG_HO820_PID) }, + { USB_DEVICE(FTDI_VID, HAMEG_HO720_PID) }, + { USB_DEVICE(FTDI_VID, HAMEG_HO730_PID) }, +@@ -946,18 +932,14 @@ static const struct usb_device_id id_tab + { USB_DEVICE(FTDI_VID, MJSG_SR_RADIO_PID) }, + { USB_DEVICE(FTDI_VID, MJSG_HD_RADIO_PID) }, + { USB_DEVICE(FTDI_VID, MJSG_XM_RADIO_PID) }, +- { USB_DEVICE(FTDI_VID, XVERVE_SIGNALYZER_ST_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +- { USB_DEVICE(FTDI_VID, XVERVE_SIGNALYZER_SLITE_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +- { USB_DEVICE(FTDI_VID, XVERVE_SIGNALYZER_SH2_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, XVERVE_SIGNALYZER_ST_PID, 1) }, ++ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, XVERVE_SIGNALYZER_SLITE_PID, 1) }, ++ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, XVERVE_SIGNALYZER_SH2_PID, 1) }, + { USB_DEVICE(FTDI_VID, XVERVE_SIGNALYZER_SH4_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(FTDI_VID, SEGWAY_RMP200_PID) }, + { USB_DEVICE(FTDI_VID, ACCESIO_COM4SM_PID) }, +- { USB_DEVICE(IONICS_VID, IONICS_PLUGCOMPUTER_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE_INTERFACE_NUMBER(IONICS_VID, IONICS_PLUGCOMPUTER_PID, 1) }, + { USB_DEVICE(FTDI_VID, FTDI_CHAMSYS_24_MASTER_WING_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CHAMSYS_PC_WING_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CHAMSYS_USB_DMX_PID) }, +@@ -972,15 +954,12 @@ static const struct usb_device_id id_tab + { USB_DEVICE(FTDI_VID, FTDI_CINTERION_MC55I_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_FHE_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_DOTEC_PID) }, +- { USB_DEVICE(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +- { USB_DEVICE(ST_VID, ST_STMCLT_2232_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE_INTERFACE_NUMBER(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID, 1) }, ++ { USB_DEVICE_INTERFACE_NUMBER(ST_VID, ST_STMCLT_2232_PID, 1) }, + { USB_DEVICE(ST_VID, ST_STMCLT_4232_PID), + .driver_info = (kernel_ulong_t)&ftdi_stmclite_quirk }, + { USB_DEVICE(FTDI_VID, FTDI_RF_R106) }, +- { USB_DEVICE(FTDI_VID, FTDI_DISTORTEC_JTAG_LOCK_PICK_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_DISTORTEC_JTAG_LOCK_PICK_PID, 1) }, + { USB_DEVICE(FTDI_VID, FTDI_LUMEL_PD12_PID) }, + /* Crucible Devices */ + { USB_DEVICE(FTDI_VID, FTDI_CT_COMET_PID) }, +@@ -1055,8 +1034,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) }, + { USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) }, + { USB_DEVICE(WICED_VID, WICED_USB20706V2_PID) }, +- { USB_DEVICE(TI_VID, TI_CC3200_LAUNCHPAD_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE_INTERFACE_NUMBER(TI_VID, TI_CC3200_LAUNCHPAD_PID, 1) }, + { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_BT_USB_PID) }, + { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_WL_USB_PID) }, + { USB_DEVICE(AIRBUS_DS_VID, AIRBUS_DS_P8GR) }, +@@ -1076,10 +1054,8 @@ static const struct usb_device_id id_tab + { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ODIN_PID) }, + { USB_DEVICE_INTERFACE_NUMBER(UBLOX_VID, UBLOX_EVK_M101_PID, 2) }, + /* FreeCalypso USB adapters */ +- { USB_DEVICE(FTDI_VID, FTDI_FALCONIA_JTAG_BUF_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +- { USB_DEVICE(FTDI_VID, FTDI_FALCONIA_JTAG_UNBUF_PID), +- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_FALCONIA_JTAG_BUF_PID, 1) }, ++ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_FALCONIA_JTAG_UNBUF_PID, 1) }, + /* GMC devices */ + { USB_DEVICE(GMC_VID, GMC_Z216C_PID) }, + /* Altera USB Blaster 3 */ diff --git a/queue-6.6/usb-serial-kobil_sct-fix-tiocmbis-and-tiocmbic.patch b/queue-6.6/usb-serial-kobil_sct-fix-tiocmbis-and-tiocmbic.patch new file mode 100644 index 0000000000..f32ae66b15 --- /dev/null +++ b/queue-6.6/usb-serial-kobil_sct-fix-tiocmbis-and-tiocmbic.patch @@ -0,0 +1,78 @@ +From d432df758f92c4c28aac409bc807fd1716167577 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 22 Oct 2025 17:26:34 +0200 +Subject: USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC + +From: Johan Hovold + +commit d432df758f92c4c28aac409bc807fd1716167577 upstream. + +Asserting or deasserting a modem control line using TIOCMBIS or TIOCMBIC +should not deassert any lines that are not in the mask. + +Fix this long-standing issue dating back to 2003 when the support for +these ioctls was added with the introduction of the tiocmset() callback. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/kobil_sct.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/usb/serial/kobil_sct.c ++++ b/drivers/usb/serial/kobil_sct.c +@@ -420,7 +420,7 @@ static int kobil_tiocmset(struct tty_str + struct usb_serial_port *port = tty->driver_data; + struct device *dev = &port->dev; + struct kobil_private *priv; +- int result; ++ int result = 0; + int dtr = 0; + int rts = 0; + +@@ -437,12 +437,12 @@ static int kobil_tiocmset(struct tty_str + if (set & TIOCM_DTR) + dtr = 1; + if (clear & TIOCM_RTS) +- rts = 0; ++ rts = 1; + if (clear & TIOCM_DTR) +- dtr = 0; ++ dtr = 1; + +- if (priv->device_type == KOBIL_ADAPTER_B_PRODUCT_ID) { +- if (dtr != 0) ++ if (dtr && priv->device_type == KOBIL_ADAPTER_B_PRODUCT_ID) { ++ if (set & TIOCM_DTR) + dev_dbg(dev, "%s - Setting DTR\n", __func__); + else + dev_dbg(dev, "%s - Clearing DTR\n", __func__); +@@ -450,13 +450,13 @@ static int kobil_tiocmset(struct tty_str + usb_sndctrlpipe(port->serial->dev, 0), + SUSBCRequest_SetStatusLinesOrQueues, + USB_TYPE_VENDOR | USB_RECIP_ENDPOINT | USB_DIR_OUT, +- ((dtr != 0) ? SUSBCR_SSL_SETDTR : SUSBCR_SSL_CLRDTR), ++ ((set & TIOCM_DTR) ? SUSBCR_SSL_SETDTR : SUSBCR_SSL_CLRDTR), + 0, + NULL, + 0, + KOBIL_TIMEOUT); +- } else { +- if (rts != 0) ++ } else if (rts) { ++ if (set & TIOCM_RTS) + dev_dbg(dev, "%s - Setting RTS\n", __func__); + else + dev_dbg(dev, "%s - Clearing RTS\n", __func__); +@@ -464,7 +464,7 @@ static int kobil_tiocmset(struct tty_str + usb_sndctrlpipe(port->serial->dev, 0), + SUSBCRequest_SetStatusLinesOrQueues, + USB_TYPE_VENDOR | USB_RECIP_ENDPOINT | USB_DIR_OUT, +- ((rts != 0) ? SUSBCR_SSL_SETRTS : SUSBCR_SSL_CLRRTS), ++ ((set & TIOCM_RTS) ? SUSBCR_SSL_SETRTS : SUSBCR_SSL_CLRRTS), + 0, + NULL, + 0, diff --git a/queue-6.6/usb-serial-option-add-foxconn-t99w760.patch b/queue-6.6/usb-serial-option-add-foxconn-t99w760.patch new file mode 100644 index 0000000000..c20f882523 --- /dev/null +++ b/queue-6.6/usb-serial-option-add-foxconn-t99w760.patch @@ -0,0 +1,60 @@ +From 7970b4969c4c99bcdaf105f9f39c6d2021f6d244 Mon Sep 17 00:00:00 2001 +From: Slark Xiao +Date: Tue, 18 Nov 2025 14:45:28 +0800 +Subject: USB: serial: option: add Foxconn T99W760 + +From: Slark Xiao + +commit 7970b4969c4c99bcdaf105f9f39c6d2021f6d244 upstream. + +T99W760 is designed based on Qualcomm SDX35 (5G redcap) chip. There are +three serial ports to be enumerated: Modem, NMEA and Diag. + +test evidence as below: +T: Bus=03 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 4 Spd=5000 MxCh= 0 +D: Ver= 3.20 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0489 ProdID=e123 Rev=05.15 +S: Manufacturer=QCOM +S: Product=SDXBAAGHA-IDP _SN:39A8D3E4 +S: SerialNumber=39a8d3e4 +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=896mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=85(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=88(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms + +0&1: MBIM, 2:Modem, 3:GNSS(non-serial port), 4: NMEA, 5:Diag + +Signed-off-by: Slark Xiao +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -2376,6 +2376,8 @@ static const struct usb_device_id option + .driver_info = RSVD(3) }, + { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe0f0, 0xff), /* Foxconn T99W373 MBIM */ + .driver_info = RSVD(3) }, ++ { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe123, 0xff), /* Foxconn T99W760 MBIM */ ++ .driver_info = RSVD(3) }, + { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe145, 0xff), /* Foxconn T99W651 RNDIS */ + .driver_info = RSVD(5) | RSVD(6) }, + { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe15f, 0xff), /* Foxconn T99W709 */ diff --git a/queue-6.6/usb-serial-option-add-telit-cinterion-fe910c04-new-compositions.patch b/queue-6.6/usb-serial-option-add-telit-cinterion-fe910c04-new-compositions.patch new file mode 100644 index 0000000000..5d26e36bcd --- /dev/null +++ b/queue-6.6/usb-serial-option-add-telit-cinterion-fe910c04-new-compositions.patch @@ -0,0 +1,223 @@ +From c908039a29aa70870871f4848125b3d743f929bf Mon Sep 17 00:00:00 2001 +From: Fabio Porcedda +Date: Wed, 26 Nov 2025 15:26:39 +0100 +Subject: USB: serial: option: add Telit Cinterion FE910C04 new compositions + +From: Fabio Porcedda + +commit c908039a29aa70870871f4848125b3d743f929bf upstream. + +Add the following Telit Cinterion new compositions: + +0x10c1: RNDIS + tty (AT/NMEA) + tty (AT) + tty (diag) +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10c1 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FE910 +S: SerialNumber=f71b8b32 +C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10c2: MBIM + tty (AT/NMEA) + tty (AT) + tty (diag) +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 8 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10c2 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FE910 +S: SerialNumber=f71b8b32 +C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10c3: ECM + tty (AT/NMEA) + tty (AT) + tty (diag) +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 9 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10c3 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FE910 +S: SerialNumber=f71b8b32 +C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether +E: Ad=82(I) Atr=03(Int.) MxPS= 16 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10c5: RNDIS + tty (AT) + tty (AT) + tty (diag) +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 10 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10c5 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FE910 +S: SerialNumber=f71b8b32 +C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10c6: MBIM + tty (AT) + tty (AT) + tty (diag) +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 11 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10c6 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FE910 +S: SerialNumber=f71b8b32 +C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10c9: MBIM + tty (AT) + tty (diag) + DPL (Data Packet Logging) + adb +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 13 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10c9 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FE910 +S: SerialNumber=f71b8b32 +C: #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10cb: RNDIS + tty (AT) + tty (diag) + DPL (Data Packet Logging) + adb +T: Bus=01 Lev=01 Prnt=01 Port=09 Cnt=01 Dev#= 9 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10cb Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FE910 +S: SerialNumber=f71b8b32 +C: #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Cc: stable@vger.kernel.org +Signed-off-by: Fabio Porcedda +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1433,10 +1433,24 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10b3, 0xff, 0xff, 0x60) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c0, 0xff), /* Telit FE910C04 (rmnet) */ + .driver_info = RSVD(0) | NCTRL(3) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c1, 0xff), /* Telit FE910C04 (RNDIS) */ ++ .driver_info = NCTRL(4) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c2, 0xff), /* Telit FE910C04 (MBIM) */ ++ .driver_info = NCTRL(4) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c3, 0xff), /* Telit FE910C04 (ECM) */ ++ .driver_info = NCTRL(4) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c4, 0xff), /* Telit FE910C04 (rmnet) */ + .driver_info = RSVD(0) | NCTRL(3) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c5, 0xff), /* Telit FE910C04 (RNDIS) */ ++ .driver_info = NCTRL(4) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c6, 0xff), /* Telit FE910C04 (MBIM) */ ++ .driver_info = NCTRL(4) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c8, 0xff), /* Telit FE910C04 (rmnet) */ + .driver_info = RSVD(0) | NCTRL(2) | RSVD(3) | RSVD(4) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c9, 0xff), /* Telit FE910C04 (MBIM) */ ++ .driver_info = NCTRL(3) | RSVD(4) | RSVD(5) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10cb, 0xff), /* Telit FE910C04 (RNDIS) */ ++ .driver_info = NCTRL(3) | RSVD(4) | RSVD(5) }, + { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x30), /* Telit FN990B (rmnet) */ + .driver_info = NCTRL(5) }, + { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x40) }, diff --git a/queue-6.6/usb-serial-option-move-telit-0x10c7-composition-in-the-right-place.patch b/queue-6.6/usb-serial-option-move-telit-0x10c7-composition-in-the-right-place.patch new file mode 100644 index 0000000000..11529d2eb7 --- /dev/null +++ b/queue-6.6/usb-serial-option-move-telit-0x10c7-composition-in-the-right-place.patch @@ -0,0 +1,42 @@ +From 072f2c49572547f4b0776fe2da6b8f61e4b34699 Mon Sep 17 00:00:00 2001 +From: Fabio Porcedda +Date: Wed, 26 Nov 2025 15:26:40 +0100 +Subject: USB: serial: option: move Telit 0x10c7 composition in the right place + +From: Fabio Porcedda + +commit 072f2c49572547f4b0776fe2da6b8f61e4b34699 upstream. + +Move Telit 0x10c7 composition right after 0x10c6 composition and +before 0x10c8 composition. + +Signed-off-by: Fabio Porcedda +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1445,6 +1445,9 @@ static const struct usb_device_id option + .driver_info = NCTRL(4) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c6, 0xff), /* Telit FE910C04 (MBIM) */ + .driver_info = NCTRL(4) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x30), /* Telit FE910C04 (ECM) */ ++ .driver_info = NCTRL(4) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x40) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c8, 0xff), /* Telit FE910C04 (rmnet) */ + .driver_info = RSVD(0) | NCTRL(2) | RSVD(3) | RSVD(4) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c9, 0xff), /* Telit FE910C04 (MBIM) */ +@@ -1455,9 +1458,6 @@ static const struct usb_device_id option + .driver_info = NCTRL(5) }, + { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x60) }, +- { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x30), /* Telit FE910C04 (ECM) */ +- .driver_info = NCTRL(4) }, +- { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d1, 0xff, 0xff, 0x30), /* Telit FN990B (MBIM) */ + .driver_info = NCTRL(6) }, + { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d1, 0xff, 0xff, 0x40) }, -- 2.47.3