5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 12 May 2026 12:37:02 +0000 (14:37 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 12 May 2026 12:37:02 +0000 (14:37 +0200)
added patches:
alsa-firewire-tascam-do-not-drop-unread-control-events.patch
alsa-usb-audio-avoid-potential-endless-loop-in-convert_chmap_v3.patch
alsa-usb-audio-fix-uac3-cluster-descriptor-size-check.patch
usb-omap_udc-dma-don-t-enable-burst-4-mode.patch
usb-serial-option-add-telit-cinterion-le910cx-compositions.patch
usb-ulpi-fix-memory-leak-on-ulpi_register-error-paths.patch
usb-usblp-fix-heap-leak-in-ieee-1284-device-id-via-short-response.patch
usb-usblp-fix-uninitialized-heap-leak-via-lpgetstatus-ioctl.patch
wifi-ath5k-do-not-access-array-oob.patch
wifi-b43-enforce-bounds-check-on-firmware-key-index-in-b43_rx.patch
wifi-b43legacy-enforce-bounds-check-on-firmware-key-index-in-rx-path.patch
wifi-rsi-fix-kthread-lifetime-race-between-self-exit-and-external-stop.patch

13 files changed:
queue-5.15/alsa-firewire-tascam-do-not-drop-unread-control-events.patch [new file with mode: 0644]
queue-5.15/alsa-usb-audio-avoid-potential-endless-loop-in-convert_chmap_v3.patch [new file with mode: 0644]
queue-5.15/alsa-usb-audio-fix-uac3-cluster-descriptor-size-check.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/usb-omap_udc-dma-don-t-enable-burst-4-mode.patch [new file with mode: 0644]
queue-5.15/usb-serial-option-add-telit-cinterion-le910cx-compositions.patch [new file with mode: 0644]
queue-5.15/usb-ulpi-fix-memory-leak-on-ulpi_register-error-paths.patch [new file with mode: 0644]
queue-5.15/usb-usblp-fix-heap-leak-in-ieee-1284-device-id-via-short-response.patch [new file with mode: 0644]
queue-5.15/usb-usblp-fix-uninitialized-heap-leak-via-lpgetstatus-ioctl.patch [new file with mode: 0644]
queue-5.15/wifi-ath5k-do-not-access-array-oob.patch [new file with mode: 0644]
queue-5.15/wifi-b43-enforce-bounds-check-on-firmware-key-index-in-b43_rx.patch [new file with mode: 0644]
queue-5.15/wifi-b43legacy-enforce-bounds-check-on-firmware-key-index-in-rx-path.patch [new file with mode: 0644]
queue-5.15/wifi-rsi-fix-kthread-lifetime-race-between-self-exit-and-external-stop.patch [new file with mode: 0644]

diff --git a/queue-5.15/alsa-firewire-tascam-do-not-drop-unread-control-events.patch b/queue-5.15/alsa-firewire-tascam-do-not-drop-unread-control-events.patch
new file mode 100644 (file)
index 0000000..b2bd0f8
--- /dev/null
@@ -0,0 +1,50 @@
+From 0749daa8eb5ab90334aaad3b0671efd7150d43b1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A1ssio=20Gabriel?= <cassiogabrielcontato@gmail.com>
+Date: Sun, 3 May 2026 21:55:52 -0300
+Subject: ALSA: firewire-tascam: Do not drop unread control events
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+
+commit 0749daa8eb5ab90334aaad3b0671efd7150d43b1 upstream.
+
+tscm_hwdep_read_queue() copies as many queued control events as fit in
+the userspace buffer. When the buffer is smaller than the current
+contiguous queue segment, length is rounded down to the number of bytes
+that can be copied.
+
+However, after copying that shortened length, the code advances pull_pos
+to the original tail_pos, marking the whole contiguous segment as
+consumed. Any events between the copied portion and tail_pos are lost.
+
+Limit tail_pos to the position after the entries actually copied before
+updating pull_pos. When the whole segment fits, this is equivalent to the
+old tail_pos update; when the buffer is smaller, the remaining events
+stay queued for the next read.
+
+Fixes: a8c0d13267a4 ("ALSA: firewire-tascam: notify events of change of state for userspace applications")
+Cc: stable@vger.kernel.org
+Suggested-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Co-developed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20260503-alsa-firewire-tascam-read-queue-v2-1-126c6efd7642@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/firewire/tascam/tascam-hwdep.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/firewire/tascam/tascam-hwdep.c
++++ b/sound/firewire/tascam/tascam-hwdep.c
+@@ -73,6 +73,7 @@ static long tscm_hwdep_read_queue(struct
+                       length = rounddown(remained, sizeof(*entries));
+               if (length == 0)
+                       break;
++              tail_pos = head_pos + length / sizeof(*entries);
+               spin_unlock_irq(&tscm->lock);
+               if (copy_to_user(pos, &entries[head_pos], length))
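Review bot: The added `tail_pos = head_pos + length / sizeof(*entries);` carries no comment, and on its own it reads like a redundant recomputation of a value set earlier in the loop. A one-line comment above it, such as `/* Consume only the entries that fit in the user buffer. */`, would record why `tail_pos` is narrowed before the lock is dropped for `copy_to_user()`. The division is exact only because `length` is a multiple of the entry size; the short-buffer branch shows that via `rounddown()`, while the full-segment branch lies outside this hunk. The body of tscm_hwdep_read_queue() starts and ends outside the hunk.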
diff --git a/queue-5.15/alsa-usb-audio-avoid-potential-endless-loop-in-convert_chmap_v3.patch b/queue-5.15/alsa-usb-audio-avoid-potential-endless-loop-in-convert_chmap_v3.patch
new file mode 100644 (file)
index 0000000..a564e90
--- /dev/null
@@ -0,0 +1,35 @@
+From 6e7247d8f5fefeceb0bb9cc80a5388a636b219cd Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 27 Apr 2026 17:22:15 +0200
+Subject: ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 6e7247d8f5fefeceb0bb9cc80a5388a636b219cd upstream.
+
+The convert_chmap_v3() has a loop with its increment size of
+cs_desc->wLength, but we forgot to validate cs_desc->wLength itself,
+which may lead to potential endless loop by a malformed descriptor.
+
+Add a proper size check to abort the loop for plugging the hole.
+
+Fixes: ecfd41166b72 ("ALSA: usb-audio: Validate UAC3 cluster segment descriptors")
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20260427152224.15276-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/stream.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -352,6 +352,8 @@ snd_pcm_chmap_elem *convert_chmap_v3(str
+               if (len < sizeof(*cs_desc))
+                       break;
+               cs_len = le16_to_cpu(cs_desc->wLength);
++              if (cs_len < sizeof(*cs_desc))
++                      break;
+               if (len < cs_len)
+                       break;
+               cs_type = cs_desc->bSegmentType;
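Review bot: `cs_len` comes straight from the device-supplied `wLength`, and the new lower bound guarantees only that a segment covers the generic header `*cs_desc`. Any per-type structure read later in the loop needs its own comparison against `cs_len`; that code is outside this hunk, so it is worth confirming in the 5.15 tree. A short comment above the new check, e.g. `/* wLength is device-controlled; reject segments shorter than their own header */`, would make the intent explicit. convert_chmap_v3() continues outside the hunk.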
diff --git a/queue-5.15/alsa-usb-audio-fix-uac3-cluster-descriptor-size-check.patch b/queue-5.15/alsa-usb-audio-fix-uac3-cluster-descriptor-size-check.patch
new file mode 100644 (file)
index 0000000..fa24fef
--- /dev/null
@@ -0,0 +1,46 @@
+From 26265dd69da32d88a88d21987853cec899d9e21f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A1ssio=20Gabriel?= <cassiogabrielcontato@gmail.com>
+Date: Fri, 24 Apr 2026 18:50:10 -0300
+Subject: ALSA: usb-audio: Fix UAC3 cluster descriptor size check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+
+commit 26265dd69da32d88a88d21987853cec899d9e21f upstream.
+
+The UAC3 cluster descriptor length check in
+snd_usb_get_audioformat_uac3()was added to
+make sure that the buffer is large enough for
+a struct uac3_cluster_header_descriptor before the
+returned data is cast and used.
+
+However, the check uses sizeof(cluster), where cluster
+is a pointer, not the size of the descriptor header.
+This makes the validation depend on the architecture
+pointer size and does not match the intended object size.
+
+Check against sizeof(*cluster) instead.
+
+Fixes: fb4e2a6e8f28 ("ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+Link: https://patch.msgid.link/20260424-alsa-usb-uac3-cluster-size-v1-1-99a5808898a3@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/stream.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -993,7 +993,7 @@ snd_usb_get_audioformat_uac3(struct snd_
+        * and request Cluster Descriptor
+        */
+       wLength = le16_to_cpu(hc_header.wLength);
+-      if (wLength < sizeof(cluster))
++      if (wLength < sizeof(*cluster))
+               return NULL;
+       cluster = kzalloc(wLength, GFP_KERNEL);
+       if (!cluster)
index cd633700826214a1436fb330977b1f1057d1b314..b00a6c739754aa46b398e2df02a397c0611e9bfc 100644 (file)
@@ -294,3 +294,15 @@ ipmi-ssif-fix-a-shutdown-race.patch
 ipmi-ssif-clean-up-kthread-on-errors.patch
 ipmi-ssif-remove-unnecessary-indention.patch
 ipmi-ssif-null-thread-on-error.patch
+wifi-b43legacy-enforce-bounds-check-on-firmware-key-index-in-rx-path.patch
+wifi-rsi-fix-kthread-lifetime-race-between-self-exit-and-external-stop.patch
+wifi-ath5k-do-not-access-array-oob.patch
+wifi-b43-enforce-bounds-check-on-firmware-key-index-in-b43_rx.patch
+usb-usblp-fix-heap-leak-in-ieee-1284-device-id-via-short-response.patch
+usb-usblp-fix-uninitialized-heap-leak-via-lpgetstatus-ioctl.patch
+alsa-usb-audio-avoid-potential-endless-loop-in-convert_chmap_v3.patch
+alsa-usb-audio-fix-uac3-cluster-descriptor-size-check.patch
+usb-omap_udc-dma-don-t-enable-burst-4-mode.patch
+usb-serial-option-add-telit-cinterion-le910cx-compositions.patch
+usb-ulpi-fix-memory-leak-on-ulpi_register-error-paths.patch
+alsa-firewire-tascam-do-not-drop-unread-control-events.patch
diff --git a/queue-5.15/usb-omap_udc-dma-don-t-enable-burst-4-mode.patch b/queue-5.15/usb-omap_udc-dma-don-t-enable-burst-4-mode.patch
new file mode 100644 (file)
index 0000000..a25c023
--- /dev/null
@@ -0,0 +1,60 @@
+From 3f91484f6c13c434bd573ca6b6779c26adb0ddab Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Mon, 13 Apr 2026 21:49:12 +0300
+Subject: USB: omap_udc: DMA: Don't enable burst 4 mode
+
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+
+commit 3f91484f6c13c434bd573ca6b6779c26adb0ddab upstream.
+
+Commit 65111084c63d7 ("USB: more omap_udc updates (dma and omap1710)")
+added setting for DMA burst 4 mode. But I think this should be undone for
+two reasons:
+
+- It breaks DMA on 15xx boards - transfers just silently stall.
+
+- On newer OMAP1 boards, like Nokia 770 (omap1710), there is no measurable
+performance impact when testing TCP throughput with g_ether with large
+15000 byte MTU size.
+
+It's also worth noting that when the original change was made, the
+OMAP_DMA_DATA_BURST_4 handling in arch/arm/plat-omap/dma.c was broken, and
+actually resulted in the same as the OMAP_DMA_DATA_BURST_DIS i.e. burst
+disabled. This was fixed not until a couple kernel releases later in an
+unrelated commit 1a8bfa1eb998a ("[ARM] 3142/1: OMAP 2/5: Update files
+common to omap1 and omap2").
+
+So based on this it seems there was never really a very good reason to
+enable this burst mode in omap_udc, so remove it now to allow 15xx DMA
+to work again (it provides 2x throughput compared to PIO mode).
+
+Fixes: 65111084c63d ("[PATCH] USB: more omap_udc updates (dma and omap1710)")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Link: https://patch.msgid.link/ad06qHLclWHeSGnV@darkstar.musicnaut.iki.fi
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/omap_udc.c |    4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/usb/gadget/udc/omap_udc.c
++++ b/drivers/usb/gadget/udc/omap_udc.c
+@@ -731,8 +731,6 @@ static void dma_channel_claim(struct oma
+               if (status == 0) {
+                       omap_writew(reg, UDC_TXDMA_CFG);
+                       /* EMIFF or SDRC */
+-                      omap_set_dma_src_burst_mode(ep->lch,
+-                                              OMAP_DMA_DATA_BURST_4);
+                       omap_set_dma_src_data_pack(ep->lch, 1);
+                       /* TIPB */
+                       omap_set_dma_dest_params(ep->lch,
+@@ -754,8 +752,6 @@ static void dma_channel_claim(struct oma
+                               UDC_DATA_DMA,
+                               0, 0);
+                       /* EMIFF or SDRC */
+-                      omap_set_dma_dest_burst_mode(ep->lch,
+-                                              OMAP_DMA_DATA_BURST_4);
+                       omap_set_dma_dest_data_pack(ep->lch, 1);
+               }
+       }
diff --git a/queue-5.15/usb-serial-option-add-telit-cinterion-le910cx-compositions.patch b/queue-5.15/usb-serial-option-add-telit-cinterion-le910cx-compositions.patch
new file mode 100644 (file)
index 0000000..4c59ad6
--- /dev/null
@@ -0,0 +1,135 @@
+From 100201d349edd226ca3470c894c92dccc67ee7a8 Mon Sep 17 00:00:00 2001
+From: Fabio Porcedda <fabio.porcedda@gmail.com>
+Date: Mon, 27 Apr 2026 11:17:46 +0200
+Subject: USB: serial: option: add Telit Cinterion LE910Cx compositions
+
+From: Fabio Porcedda <fabio.porcedda@gmail.com>
+
+commit 100201d349edd226ca3470c894c92dccc67ee7a8 upstream.
+
+Add the following Telit Cinterion LE910Cx compositions:
+
+0x1251: RNDIS + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP)
+T:  Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=108 Spd=480  MxCh= 0
+D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
+P:  Vendor=1bc7 ProdID=1251 Rev=03.18
+S:  Manufacturer=Android
+S:  Product=LE910C1-EU
+S:  SerialNumber=0123456789ABCDEF
+C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=02 Prot=ff Driver=rndis_host
+E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
+I:  If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
+E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=88(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=8a(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+
+0x1253: ECM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP)
+T:  Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=121 Spd=480  MxCh= 0
+D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
+P:  Vendor=1bc7 ProdID=1253 Rev=03.18
+S:  Manufacturer=Android
+S:  Product=LE910C1-EU
+S:  SerialNumber=0123456789ABCDEF
+C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
+E:  Ad=82(I) Atr=03(Int.) MxPS=  16 Ivl=32ms
+I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
+E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=88(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=8a(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+
+0x1254: tty (AT) + tty (AT)
+T:  Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=122 Spd=480  MxCh= 0
+D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
+P:  Vendor=1bc7 ProdID=1254 Rev=03.18
+S:  Manufacturer=Android
+S:  Product=LE910C1-EU
+S:  SerialNumber=0123456789ABCDEF
+C:  #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
+I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=82(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+
+0x1255: tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP)
+T:  Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=123 Spd=480  MxCh= 0
+D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
+P:  Vendor=1bc7 ProdID=1255 Rev=03.18
+S:  Manufacturer=Android
+S:  Product=LE910C1-EU
+S:  SerialNumber=0123456789ABCDEF
+C:  #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA
+I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=82(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=88(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1513,7 +1513,11 @@ static const struct usb_device_id option
+       { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1231, 0xff),    /* Telit LE910Cx (RNDIS) */
+         .driver_info = NCTRL(2) | RSVD(3) },
+       { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x1250, 0xff, 0x00, 0x00) },   /* Telit LE910Cx (rmnet) */
++      { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1251, 0xff) },  /* Telit LE910Cx (RNDIS) */
+       { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1252, 0xff) },  /* Telit LE910Cx (MBIM) */
++      { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1253, 0xff) },  /* Telit LE910Cx (ECM) */
++      { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1254, 0xff) },  /* Telit LE910Cx */
++      { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1255, 0xff) },  /* Telit LE910Cx */
+       { USB_DEVICE(TELIT_VENDOR_ID, 0x1260),
+         .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
+       { USB_DEVICE(TELIT_VENDOR_ID, 0x1261),
diff --git a/queue-5.15/usb-ulpi-fix-memory-leak-on-ulpi_register-error-paths.patch b/queue-5.15/usb-ulpi-fix-memory-leak-on-ulpi_register-error-paths.patch
new file mode 100644 (file)
index 0000000..de17940
--- /dev/null
@@ -0,0 +1,48 @@
+From 0b9fcab1b8608d429e5f239afb197de928d4de7d Mon Sep 17 00:00:00 2001
+From: Felix Gu <ustc.gu@gmail.com>
+Date: Tue, 7 Apr 2026 21:21:22 +0800
+Subject: usb: ulpi: fix memory leak on ulpi_register() error paths
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+commit 0b9fcab1b8608d429e5f239afb197de928d4de7d upstream.
+
+Commit 01af542392b5 ("usb: ulpi: fix double free in
+ulpi_register_interface() error path") removed kfree(ulpi) from
+ulpi_register_interface() to fix a double-free when device_register()
+fails.
+
+But when ulpi_of_register() or ulpi_read_id() fail before
+device_register() is called, the ulpi allocation is leaked.
+
+Add kfree(ulpi) on both error paths to properly clean up the allocation.
+
+Fixes: 01af542392b5 ("usb: ulpi: fix double free in ulpi_register_interface() error path")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://patch.msgid.link/20260407-ulpi-v1-1-f3fafe53f7b2@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/common/ulpi.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/common/ulpi.c
++++ b/drivers/usb/common/ulpi.c
+@@ -244,12 +244,15 @@ static int ulpi_register(struct device *
+       ACPI_COMPANION_SET(&ulpi->dev, ACPI_COMPANION(dev));
+       ret = ulpi_of_register(ulpi);
+-      if (ret)
++      if (ret) {
++              kfree(ulpi);
+               return ret;
++      }
+       ret = ulpi_read_id(ulpi);
+       if (ret) {
+               of_node_put(ulpi->dev.of_node);
++              kfree(ulpi);
+               return ret;
+       }
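Review bot: The two added `kfree(ulpi);` calls are safe only if the caller no longer frees `ulpi` when ulpi_register() fails. The commit message ties that to 01af542392b5, which removed `kfree(ulpi)` from ulpi_register_interface(); if that change is not already in the 5.15 tree, this backport would turn the leak into a double free on both error paths. The caller is not visible in this hunk, so the dependency should be checked before the patch is queued. ulpi_register() continues outside the hunk.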
diff --git a/queue-5.15/usb-usblp-fix-heap-leak-in-ieee-1284-device-id-via-short-response.patch b/queue-5.15/usb-usblp-fix-heap-leak-in-ieee-1284-device-id-via-short-response.patch
new file mode 100644 (file)
index 0000000..e34f7dc
--- /dev/null
@@ -0,0 +1,49 @@
+From 7a400c6fe3617e31e690e3f7ca37bb335e0498f3 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 20 Apr 2026 18:11:03 +0200
+Subject: usb: usblp: fix heap leak in IEEE 1284 device ID via short response
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 7a400c6fe3617e31e690e3f7ca37bb335e0498f3 upstream.
+
+usblp_ctrl_msg() collapses the usb_control_msg() return value to
+0/-errno, discarding the actual number of bytes transferred.  A broken
+printer can complete the GET_DEVICE_ID control transfer short and the
+driver has no way to know.
+
+usblp_cache_device_id_string() reads the 2-byte big-endian length prefix
+from the response and trusts it (clamped only to the buffer bounds).
+The buffer is kmalloc(1024) at probe time. A device that sends exactly
+two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves
+device_id_string[2..1022] holding stale kmalloc heap.
+
+That stale data is then exposed:
+  - via the ieee1284_id sysfs attribute (sprintf("%s", buf+2), truncated
+    at the first NUL in the stale heap), and
+  - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full
+    claimed length regardless of NULs, up to 1021 bytes of uninitialized
+    heap, with the leak size chosen by the device.
+
+Fix this up by just zapping the buffer with zeros before each request
+sent to the device.
+
+Cc: Pete Zaitcev <zaitcev@redhat.com>
+Assisted-by: gkh_clanker_t1000
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/2026042002-unicorn-greedily-3c63@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/usblp.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/class/usblp.c
++++ b/drivers/usb/class/usblp.c
+@@ -1365,6 +1365,7 @@ static int usblp_cache_device_id_string(
+ {
+       int err, length;
++      memset(usblp->device_id_string, 0, USBLP_DEVICE_ID_SIZE);
+       err = usblp_get_id(usblp, 0, usblp->device_id_string, USBLP_DEVICE_ID_SIZE - 1);
+       if (err < 0) {
+               dev_dbg(&usblp->intf->dev,
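Review bot: The new `memset()` in usblp_cache_device_id_string() has no comment, and without one it looks like dead work that a later cleanup could drop, silently bringing the disclosure back. A comment such as `/* A short reply leaves the tail unwritten; clear it so stale heap never reaches sysfs or the ioctl. */` would record the reason. The same applies to the `kzalloc()` for `statusbuf` in the LPGETSTATUS patch, where the existing comment `/* Allocate buffer for printer status */` could say that the buffer must start zeroed. The device-claimed length is still trusted after this change; only the content behind it is now defined. The function body continues outside the hunk.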
diff --git a/queue-5.15/usb-usblp-fix-uninitialized-heap-leak-via-lpgetstatus-ioctl.patch b/queue-5.15/usb-usblp-fix-uninitialized-heap-leak-via-lpgetstatus-ioctl.patch
new file mode 100644 (file)
index 0000000..8c816ac
--- /dev/null
@@ -0,0 +1,50 @@
+From b38e53cbfb9d84732e5984fbd73e128d592415c5 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 20 Apr 2026 18:11:04 +0200
+Subject: usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit b38e53cbfb9d84732e5984fbd73e128d592415c5 upstream.
+
+Just like in a previous problem in this driver, usblp_ctrl_msg() will
+collapse the usb_control_msg() return value to 0/-errno, discarding the
+actual number of bytes transferred.
+
+Ideally that short command should be detected and error out, but many
+printers are known to send "incorrect" responses back so we can't just
+do that.
+
+statusbuf is kmalloc(8) at probe time and never filled before the first
+LPGETSTATUS ioctl.
+
+usblp_read_status() requests 1 byte. If a malicious printer responds
+with zero bytes, *statusbuf is one byte of stale kmalloc heap,
+sign-extended into the local int status, which the LPGETSTATUS path then
+copy_to_user()s directly to the ioctl caller.
+
+Fix this all by just zapping out the memory buffer when allocated at
+probe time.  If a later call does a short read, the data will be
+identical to what the device sent it the last time, so there is no
+"leak" of information happening.
+
+Cc: Pete Zaitcev <zaitcev@redhat.com>
+Assisted-by: gkh_clanker_t1000
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/2026042011-shredder-savage-48c6@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/usblp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/class/usblp.c
++++ b/drivers/usb/class/usblp.c
+@@ -1166,7 +1166,7 @@ static int usblp_probe(struct usb_interf
+       }
+       /* Allocate buffer for printer status */
+-      usblp->statusbuf = kmalloc(STATUS_BUF_SIZE, GFP_KERNEL);
++      usblp->statusbuf = kzalloc(STATUS_BUF_SIZE, GFP_KERNEL);
+       if (!usblp->statusbuf) {
+               retval = -ENOMEM;
+               goto abort;
diff --git a/queue-5.15/wifi-ath5k-do-not-access-array-oob.patch b/queue-5.15/wifi-ath5k-do-not-access-array-oob.patch
new file mode 100644 (file)
index 0000000..6c99c1a
--- /dev/null
@@ -0,0 +1,63 @@
+From d748603f12baff112caa3ab7d39f50100f010dbd Mon Sep 17 00:00:00 2001
+From: "Jiri Slaby (SUSE)" <jirislaby@kernel.org>
+Date: Tue, 9 Dec 2025 11:04:59 +0100
+Subject: wifi: ath5k: do not access array OOB
+
+From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+
+commit d748603f12baff112caa3ab7d39f50100f010dbd upstream.
+
+Vincent reports:
+> The ath5k driver seems to do an array-index-out-of-bounds access as
+> shown by the UBSAN kernel message:
+> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20
+> index 4 is out of range for type 'ieee80211_tx_rate [4]'
+> ...
+> Call Trace:
+>  <TASK>
+>  dump_stack_lvl+0x5d/0x80
+>  ubsan_epilogue+0x5/0x2b
+>  __ubsan_handle_out_of_bounds.cold+0x46/0x4b
+>  ath5k_tasklet_tx+0x4e0/0x560 [ath5k]
+>  tasklet_action_common+0xb5/0x1c0
+
+It is real. 'ts->ts_final_idx' can be 3 on 5212, so:
+   info->status.rates[ts->ts_final_idx + 1].idx = -1;
+with the array defined as:
+   struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];
+while the size is:
+   #define IEEE80211_TX_MAX_RATES  4
+is indeed bogus.
+
+Set this 'idx = -1' sentinel only if the array index is less than the
+array size. As mac80211 will not look at rates beyond the size
+(IEEE80211_TX_MAX_RATES).
+
+Note: The effect of the OOB write is negligible. It just overwrites the
+next member of info->status, i.e. ack_signal.
+
+Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+Reported-by: Vincent Danjean <vdanjean@debian.org>
+Link: https://lore.kernel.org/all/aQYUkIaT87ccDCin@eldamar.lan
+Closes: https://bugs.debian.org/1119093
+Fixes: 6d7b97b23e11 ("ath5k: fix tx status reporting issues")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251209100459.2253198-1-jirislaby@kernel.org
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath5k/base.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath5k/base.c
++++ b/drivers/net/wireless/ath/ath5k/base.c
+@@ -1692,7 +1692,8 @@ ath5k_tx_frame_completed(struct ath5k_hw
+       }
+       info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry;
+-      info->status.rates[ts->ts_final_idx + 1].idx = -1;
++      if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES)
++              info->status.rates[ts->ts_final_idx + 1].idx = -1;
+       if (unlikely(ts->ts_status)) {
+               ah->stats.ack_fail++;
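Review bot: The new guard covers only the `+ 1` sentinel write; the context line just above still indexes `info->status.rates[ts->ts_final_idx]` with no check. That is in bounds only as long as the hardware-reported `ts_final_idx` never exceeds `IEEE80211_TX_MAX_RATES - 1`, which the commit message implies (a maximum of 3 on 5212) but this hunk does not show. If the field can be wider, the count write needs the same bound; otherwise a comment like `/* ts_final_idx is at most IEEE80211_TX_MAX_RATES - 1 */` would document the assumption. ath5k_tx_frame_completed() continues outside the hunk.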
diff --git a/queue-5.15/wifi-b43-enforce-bounds-check-on-firmware-key-index-in-b43_rx.patch b/queue-5.15/wifi-b43-enforce-bounds-check-on-firmware-key-index-in-b43_rx.patch
new file mode 100644 (file)
index 0000000..f66feb2
--- /dev/null
@@ -0,0 +1,43 @@
+From 1f4f78bf8549e6ac4f04fba4176854f3a6e0c332 Mon Sep 17 00:00:00 2001
+From: Tristan Madani <tristan@talencesecurity.com>
+Date: Fri, 17 Apr 2026 11:11:44 +0000
+Subject: wifi: b43: enforce bounds check on firmware key index in b43_rx()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tristan Madani <tristan@talencesecurity.com>
+
+commit 1f4f78bf8549e6ac4f04fba4176854f3a6e0c332 upstream.
+
+The firmware-controlled key index in b43_rx() can exceed the dev->key[]
+array size (58 entries). The existing B43_WARN_ON is non-enforcing in
+production builds, allowing an out-of-bounds read.
+
+Make the B43_WARN_ON check enforcing by dropping the frame when the
+firmware returns an invalid key index.
+
+Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
+Acked-by: Michael Büsch <m@bues.ch>
+Fixes: e4d6b7951812 ("[B43]: add mac80211-based driver for modern BCM43xx devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
+Link: https://patch.msgid.link/20260417111145.2694196-1-tristmd@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/b43/xmit.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/b43/xmit.c
++++ b/drivers/net/wireless/broadcom/b43/xmit.c
+@@ -702,7 +702,8 @@ void b43_rx(struct b43_wldev *dev, struc
+                * key index, but the ucode passed it slightly different.
+                */
+               keyidx = b43_kidx_to_raw(dev, keyidx);
+-              B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
++              if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key)))
++                      goto drop;
+               if (dev->key[keyidx].algorithm != B43_SEC_ALGO_NONE) {
+                       wlhdr_len = ieee80211_hdrlen(fctl);
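Review bot: The bounds check on the firmware-supplied `keyidx` is still expressed through `B43_WARN_ON()`, so correctness depends on that macro returning its condition in every build configuration; its definition is outside this hunk and should be confirmed for 5.15. In builds where it expands to a real `WARN_ON()`, a device-controlled value can trigger a kernel warning on every bad frame, which matters on systems running with panic_on_warn. A plain test, `if (keyidx >= ARRAY_SIZE(dev->key)) goto drop;`, optionally with a rate-limited log, avoids both concerns. The b43legacy patch uses the same construct with `B43legacy_WARN_ON()`. b43_rx() continues outside the hunk.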
diff --git a/queue-5.15/wifi-b43legacy-enforce-bounds-check-on-firmware-key-index-in-rx-path.patch b/queue-5.15/wifi-b43legacy-enforce-bounds-check-on-firmware-key-index-in-rx-path.patch
new file mode 100644 (file)
index 0000000..2acd847
--- /dev/null
@@ -0,0 +1,38 @@
+From a035766f970bde2d4298346a31a80685be5c0205 Mon Sep 17 00:00:00 2001
+From: Tristan Madani <tristan@talencesecurity.com>
+Date: Fri, 17 Apr 2026 11:11:45 +0000
+Subject: wifi: b43legacy: enforce bounds check on firmware key index in RX path
+
+From: Tristan Madani <tristan@talencesecurity.com>
+
+commit a035766f970bde2d4298346a31a80685be5c0205 upstream.
+
+Same fix as b43: the firmware-controlled key index in b43legacy_rx()
+can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is
+non-enforcing in production builds, allowing an out-of-bounds read of
+dev->key[].
+
+Make the check enforcing by dropping the frame for invalid indices.
+
+Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
+Link: https://patch.msgid.link/20260417111145.2694196-2-tristmd@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/b43legacy/xmit.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/b43legacy/xmit.c
++++ b/drivers/net/wireless/broadcom/b43legacy/xmit.c
+@@ -476,7 +476,8 @@ void b43legacy_rx(struct b43legacy_wldev
+                * key index, but the ucode passed it slightly different.
+                */
+               keyidx = b43legacy_kidx_to_raw(dev, keyidx);
+-              B43legacy_WARN_ON(keyidx >= dev->max_nr_keys);
++              if (B43legacy_WARN_ON(keyidx >= dev->max_nr_keys))
++                      goto drop;
+               if (dev->key[keyidx].algorithm != B43legacy_SEC_ALGO_NONE) {
+                       /* Remove PROTECTED flag to mark it as decrypted. */
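Review bot: The bound here is `dev->max_nr_keys`, not the size of `dev->key[]` as in the b43 patch, so the check prevents the out-of-bounds read only if `max_nr_keys` can never exceed the array length. Where `max_nr_keys` is set is outside this hunk; if it can be influenced by device data, also comparing against the array size, `if (keyidx >= dev->max_nr_keys || keyidx >= ARRAY_SIZE(dev->key)) goto drop;`, would close that gap. b43legacy_rx() continues outside the hunk.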
diff --git a/queue-5.15/wifi-rsi-fix-kthread-lifetime-race-between-self-exit-and-external-stop.patch b/queue-5.15/wifi-rsi-fix-kthread-lifetime-race-between-self-exit-and-external-stop.patch
new file mode 100644 (file)
index 0000000..64412eb
--- /dev/null
@@ -0,0 +1,50 @@
+From db57a1aa54ff68669781976e4edb045e09e2b65b Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Thu, 23 Apr 2026 02:38:46 +0900
+Subject: wifi: rsi: fix kthread lifetime race between self-exit and external-stop
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit db57a1aa54ff68669781976e4edb045e09e2b65b upstream.
+
+RSI driver use both self-exit(kthread_complete_and_exit) and external-stop
+(kthread_stop) when killing a kthread. Generally, kthread_stop() is called
+first, and in this case, no particular issues occur.
+
+However, in rare instances where kthread_complete_and_exit() is called
+first and then kthread_stop() is called, a UAF occurs because the kthread
+object, which has already exited and been freed, is accessed again.
+
+Therefore, to prevent this with minimal modification, you must remove
+kthread_stop() and change the code to wait until the self-exit operation
+is completed.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: syzbot+5de83f57cd8531f55596@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69e5d03b.a00a0220.1bd0ca.0064.GAE@google.com/
+Fixes: 4c62764d0fc2 ("rsi: improve kernel thread handling to fix kernel panic")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Link: https://patch.msgid.link/20260422173846.37640-1-aha310510@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/rsi/rsi_common.h |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/rsi/rsi_common.h
++++ b/drivers/net/wireless/rsi/rsi_common.h
+@@ -70,12 +70,11 @@ static inline int rsi_create_kthread(str
+       return 0;
+ }
+-static inline int rsi_kill_thread(struct rsi_thread *handle)
++static inline void rsi_kill_thread(struct rsi_thread *handle)
+ {
+       atomic_inc(&handle->thread_done);
+       rsi_set_event(&handle->event);
+-
+-      return kthread_stop(handle->task);
++      wait_for_completion(&handle->completion);
+ }
+ void rsi_mac80211_detach(struct rsi_hw *hw);
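Review bot: rsi_kill_thread() now blocks in `wait_for_completion(&handle->completion)` with no timeout, so it returns only if the thread function signals that completion on every exit path. As far as this hunk shows, calling it for a handle whose thread was never started, or calling it twice for the same handle, would leave the caller waiting uninterruptibly. A comment above the function stating that contract would help, e.g. `/* Caller must have a running thread; waits for its self-exit. */`. The return type also changes from `int` to `void`, so any caller in 5.15 that uses the result must be adjusted in the same backport; the callers are not visible here.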