6.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 8 Apr 2026 06:56:43 +0000 (08:56 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 8 Apr 2026 06:56:43 +0000 (08:56 +0200)
added patches:
bridge-br_nd_send-validate-nd-option-lengths.patch
cdc-acm-new-quirk-for-epson-hmd.patch
comedi-dt2815-add-hardware-detection-to-prevent-crash.patch
comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch
comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch
comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch
comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch
dt-bindings-connector-add-pd-disable-dependency.patch
firmware-microchip-fail-auto-update-probe-if-no-flash-found.patch
netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch
nvmem-imx-assign-nvmem_cell_info-raw_len.patch
nvmem-zynqmp_nvmem-fix-buffer-size-in-dma-and-memcpy.patch

13 files changed:
queue-6.12/bridge-br_nd_send-validate-nd-option-lengths.patch [new file with mode: 0644]
queue-6.12/cdc-acm-new-quirk-for-epson-hmd.patch [new file with mode: 0644]
queue-6.12/comedi-dt2815-add-hardware-detection-to-prevent-crash.patch [new file with mode: 0644]
queue-6.12/comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch [new file with mode: 0644]
queue-6.12/comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch [new file with mode: 0644]
queue-6.12/comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch [new file with mode: 0644]
queue-6.12/comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch [new file with mode: 0644]
queue-6.12/dt-bindings-connector-add-pd-disable-dependency.patch [new file with mode: 0644]
queue-6.12/firmware-microchip-fail-auto-update-probe-if-no-flash-found.patch [new file with mode: 0644]
queue-6.12/netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch [new file with mode: 0644]
queue-6.12/nvmem-imx-assign-nvmem_cell_info-raw_len.patch [new file with mode: 0644]
queue-6.12/nvmem-zynqmp_nvmem-fix-buffer-size-in-dma-and-memcpy.patch [new file with mode: 0644]
queue-6.12/series

diff --git a/queue-6.12/bridge-br_nd_send-validate-nd-option-lengths.patch b/queue-6.12/bridge-br_nd_send-validate-nd-option-lengths.patch
new file mode 100644 (file)
index 0000000..36442bf
--- /dev/null
@@ -0,0 +1,54 @@
+From 850837965af15707fd3142c1cf3c5bfaf022299b Mon Sep 17 00:00:00 2001
+From: Yang Yang <n05ec@lzu.edu.cn>
+Date: Thu, 26 Mar 2026 03:44:40 +0000
+Subject: bridge: br_nd_send: validate ND option lengths
+
+From: Yang Yang <n05ec@lzu.edu.cn>
+
+commit 850837965af15707fd3142c1cf3c5bfaf022299b upstream.
+
+br_nd_send() walks ND options according to option-provided lengths.
+A malformed option can make the parser advance beyond the computed
+option span or use a too-short source LLADDR option payload.
+
+Validate option lengths against the remaining NS option area before
+advancing, and only read source LLADDR when the option is large enough
+for an Ethernet address.
+
+Fixes: ed842faeb2bd ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports")
+Cc: stable@vger.kernel.org
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Tested-by: Ao Zhou <n05ec@lzu.edu.cn>
+Co-developed-by: Yuan Tan <tanyuan98@outlook.com>
+Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Yang Yang <n05ec@lzu.edu.cn>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20260326034441.2037420-3-n05ec@lzu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_arp_nd_proxy.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/bridge/br_arp_nd_proxy.c
++++ b/net/bridge/br_arp_nd_proxy.c
+@@ -285,12 +285,14 @@ static void br_nd_send(struct net_bridge
+       ns_olen = request->len - (skb_network_offset(request) +
+                                 sizeof(struct ipv6hdr)) - sizeof(*ns);
+       for (i = 0; i < ns_olen - 1; i += (ns->opt[i + 1] << 3)) {
+-              if (!ns->opt[i + 1]) {
++              if (!ns->opt[i + 1] || i + (ns->opt[i + 1] << 3) > ns_olen) {
+                       kfree_skb(reply);
+                       return;
+               }
+               if (ns->opt[i] == ND_OPT_SOURCE_LL_ADDR) {
+-                      daddr = ns->opt + i + sizeof(struct nd_opt_hdr);
++                      if ((ns->opt[i + 1] << 3) >=
++                          sizeof(struct nd_opt_hdr) + ETH_ALEN)
++                              daddr = ns->opt + i + sizeof(struct nd_opt_hdr);
+                       break;
+               }
+       }
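Review bot: The new bound `i + (ns->opt[i + 1] << 3) > ns_olen` limits the walk to `ns_olen`, which is derived from `request->len`, so it protects the `ns->opt[]` reads only if the whole option area sits in the skb's linear data. Nothing in this hunk shows a linearize or `pskb_may_pull()` step, and br_nd_send() starts and ends outside the hunk, so confirm that the 6.12 tree guarantees this before relying on the check. The declarations of `i` and `ns_olen` are also outside the hunk; if `ns_olen` can go negative and is compared as unsigned, `i < ns_olen - 1` no longer bounds the loop. For the too-short source LLADDR case I would add a comment such as `/* SLLA option too short for an Ethernet address: leave daddr unchanged */`.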
diff --git a/queue-6.12/cdc-acm-new-quirk-for-epson-hmd.patch b/queue-6.12/cdc-acm-new-quirk-for-epson-hmd.patch
new file mode 100644 (file)
index 0000000..98b39f1
--- /dev/null
@@ -0,0 +1,60 @@
+From f97e96c303d689708f7f713d8f3afcc31f1237e9 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 17 Mar 2026 09:41:10 +0100
+Subject: cdc-acm: new quirk for EPSON HMD
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit f97e96c303d689708f7f713d8f3afcc31f1237e9 upstream.
+
+This device has a union descriptor that is just garbage
+and needs a custom descriptor.
+In principle this could be done with a (conditionally
+activated) heuristic. That would match more devices
+without a need for defining a new quirk. However,
+this always carries the risk that the heuristics
+does the wrong thing and leads to more breakage.
+Defining the quirk and telling it exactly what to do
+is the safe and conservative approach.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/20260317084139.1461008-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-acm.c |    9 +++++++++
+ drivers/usb/class/cdc-acm.h |    1 +
+ 2 files changed, 10 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1225,6 +1225,12 @@ static int acm_probe(struct usb_interfac
+               if (!data_interface || !control_interface)
+                       return -ENODEV;
+               goto skip_normal_probe;
++      } else if (quirks == NO_UNION_12) {
++              data_interface = usb_ifnum_to_if(usb_dev, 2);
++              control_interface = usb_ifnum_to_if(usb_dev, 1);
++              if (!data_interface || !control_interface)
++                       return -ENODEV;
++              goto skip_normal_probe;
+       }
+       /* normal probing*/
+@@ -1748,6 +1754,9 @@ static const struct usb_device_id acm_id
+       { USB_DEVICE(0x045b, 0x024D),   /* Renesas R-Car E3 USB Download mode */
+       .driver_info = DISABLE_ECHO,    /* Don't echo banner */
+       },
++      { USB_DEVICE(0x04b8, 0x0d12),   /* EPSON HMD Com&Sens */
++      .driver_info = NO_UNION_12,     /* union descriptor is garbage */
++      },
+       { USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@gmail.com */
+       .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+       },
+--- a/drivers/usb/class/cdc-acm.h
++++ b/drivers/usb/class/cdc-acm.h
+@@ -114,3 +114,4 @@ struct acm {
+ #define SEND_ZERO_PACKET              BIT(6)
+ #define DISABLE_ECHO                  BIT(7)
+ #define MISSING_CAP_BRK                       BIT(8)
++#define NO_UNION_12                   BIT(9)
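Review bot: `NO_UNION_12` is added to cdc-acm.h without a comment, and the name alone does not say that it means control interface 1 and data interface 2, which the new branch in acm_probe() hard-codes through `usb_ifnum_to_if()`. I would document it at the define, e.g. `#define NO_UNION_12 BIT(9) /* union descriptor unusable: control = interface 1, data = interface 2 */`. The branch tests `quirks == NO_UNION_12`, so the quirk stops matching if another quirk bit is ever set on the same device-table entry; the comment should mention that too. The added `return -ENODEV;` also appears to carry one more space of indentation than the same line in the branch above it.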
diff --git a/queue-6.12/comedi-dt2815-add-hardware-detection-to-prevent-crash.patch b/queue-6.12/comedi-dt2815-add-hardware-detection-to-prevent-crash.patch
new file mode 100644 (file)
index 0000000..aad3a49
--- /dev/null
@@ -0,0 +1,63 @@
+From 93853512f565e625df2397f0d8050d6aafd7c3ad Mon Sep 17 00:00:00 2001
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+Date: Mon, 9 Mar 2026 16:18:59 +0530
+Subject: comedi: dt2815: add hardware detection to prevent crash
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+commit 93853512f565e625df2397f0d8050d6aafd7c3ad upstream.
+
+The dt2815 driver crashes when attached to I/O ports without actual
+hardware present. This occurs because syzkaller or users can attach
+the driver to arbitrary I/O addresses via COMEDI_DEVCONFIG ioctl.
+
+When no hardware exists at the specified port, inb() operations return
+0xff (floating bus), but outb() operations can trigger page faults due
+to undefined behavior, especially under race conditions:
+
+  BUG: unable to handle page fault for address: 000000007fffff90
+  #PF: supervisor write access in kernel mode
+  #PF: error_code(0x0002) - not-present page
+  RIP: 0010:dt2815_attach+0x6e0/0x1110
+
+Add hardware detection by reading the status register before attempting
+any write operations. If the read returns 0xff, assume no hardware is
+present and fail the attach with -ENODEV. This prevents crashes from
+outb() operations on non-existent hardware.
+
+Reported-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com
+Cc: stable <stable@kernel.org>
+Closes: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc
+Tested-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com
+Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Link: [https://lore.kernel.org/all/20260126070458.10974-1-kartikey406@gmail.com/T/]
+Link: [https://lore.kernel.org/all/20260126070458.10974-1-kartikey406@gmail.com/T/
+Link: https://patch.msgid.link/20260309104859.503529-1-kartikey406@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/dt2815.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/comedi/drivers/dt2815.c
++++ b/drivers/comedi/drivers/dt2815.c
+@@ -175,6 +175,18 @@ static int dt2815_attach(struct comedi_d
+                   ? current_range_type : voltage_range_type;
+       }
++      /*
++       * Check if hardware is present before attempting any I/O operations.
++       * Reading 0xff from status register typically indicates no hardware
++       * on the bus (floating bus reads as all 1s).
++       */
++      if (inb(dev->iobase + DT2815_STATUS) == 0xff) {
++              dev_err(dev->class_dev,
++                      "No hardware detected at I/O base 0x%lx\n",
++                      dev->iobase);
++              return -ENODEV;
++      }
++
+       /* Init the 2815 */
+       outb(0x00, dev->iobase + DT2815_STATUS);
+       for (i = 0; i < 100; i++) {
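Review bot: The `inb(dev->iobase + DT2815_STATUS) == 0xff` test in dt2815_attach() is a heuristic for an empty bus, not an identification of a DT2815. Any other device that answers at the configured I/O base with a value other than 0xff passes it and then receives the `outb()` initialisation sequence that follows. The added comment should say so, for example `/* Heuristic only: rejects a floating bus, does not prove a DT2815 is present */`, so that nobody later treats it as validation of the address supplied through COMEDI_DEVCONFIG. Because the failure path is reachable from that ioctl, `dev_err()` may be louder than needed, and `dev_dbg()` or a rate-limited message is worth considering. The function body continues outside the hunk.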
diff --git a/queue-6.12/comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch b/queue-6.12/comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch
new file mode 100644 (file)
index 0000000..6f2187e
--- /dev/null
@@ -0,0 +1,65 @@
+From 3fb43a7a5b44713f892c58ead2e5f3a1bc9f4ee7 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Thu, 5 Feb 2026 13:39:49 +0000
+Subject: comedi: me4000: Fix potential overrun of firmware buffer
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 3fb43a7a5b44713f892c58ead2e5f3a1bc9f4ee7 upstream.
+
+`me4000_xilinx_download()` loads the firmware that was requested by
+`request_firmware()`.  It is possible for it to overrun the source
+buffer because it blindly trusts the file format.  It reads a data
+stream length from the first 4 bytes into variable `file_length` and
+reads the data stream contents of length `file_length` from offset 16
+onwards.
+
+Add a test to ensure that the supplied firmware is long enough to
+contain the header and the data stream.  On failure, log an error and
+return `-EINVAL`.
+
+Note: The firmware loading was totally broken before commit ac584af59945
+("staging: comedi: me4000: fix firmware downloading"), but that is the
+most sensible target for this fix.
+
+Fixes: ac584af59945 ("staging: comedi: me4000: fix firmware downloading")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20260205133949.71722-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/me4000.c |   16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/comedi/drivers/me4000.c
++++ b/drivers/comedi/drivers/me4000.c
+@@ -315,6 +315,18 @@ static int me4000_xilinx_download(struct
+       unsigned int val;
+       unsigned int i;
++      /* Get data stream length from header. */
++      if (size >= 4) {
++              file_length = (((unsigned int)data[0] & 0xff) << 24) +
++                            (((unsigned int)data[1] & 0xff) << 16) +
++                            (((unsigned int)data[2] & 0xff) << 8) +
++                            ((unsigned int)data[3] & 0xff);
++      }
++      if (size < 16 || file_length > size - 16) {
++              dev_err(dev->class_dev, "Firmware length inconsistency\n");
++              return -EINVAL;
++      }
++
+       if (!xilinx_iobase)
+               return -ENODEV;
+@@ -346,10 +358,6 @@ static int me4000_xilinx_download(struct
+       outl(val, devpriv->plx_regbase + PLX9052_CNTRL);
+       /* Download Xilinx firmware */
+-      file_length = (((unsigned int)data[0] & 0xff) << 24) +
+-                    (((unsigned int)data[1] & 0xff) << 16) +
+-                    (((unsigned int)data[2] & 0xff) << 8) +
+-                    ((unsigned int)data[3] & 0xff);
+       usleep_range(10, 1000);
+       for (i = 0; i < file_length; i++) {
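Review bot: `file_length` is assigned only inside `if (size >= 4)` and then read in `file_length > size - 16`, which is safe solely because `size < 16` short-circuits first. That ordering is easy to break in a later edit and can draw a maybe-uninitialized warning. Testing `size < 16` on its own first, then decoding the four header bytes unconditionally and testing `file_length > size - 16`, gives the same result without the conditional assignment. The subtraction form of the bound is the right one to keep, since `file_length + 16` could wrap. The same pattern is added to me2600_xilinx_download() in the me_daq patch that follows; both functions continue outside their hunks.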
diff --git a/queue-6.12/comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch b/queue-6.12/comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch
new file mode 100644 (file)
index 0000000..f0dc9e9
--- /dev/null
@@ -0,0 +1,82 @@
+From cc797d4821c754c701d9714b58bea947e31dbbe0 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Thu, 5 Feb 2026 14:01:30 +0000
+Subject: comedi: me_daq: Fix potential overrun of firmware buffer
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit cc797d4821c754c701d9714b58bea947e31dbbe0 upstream.
+
+`me2600_xilinx_download()` loads the firmware that was requested by
+`request_firmware()`.  It is possible for it to overrun the source
+buffer because it blindly trusts the file format.  It reads a data
+stream length from the first 4 bytes into variable `file_length` and
+reads the data stream contents of length `file_length` from offset 16
+onwards.  Although it checks that the supplied firmware is at least 16
+bytes long, it does not check that it is long enough to contain the data
+stream.
+
+Add a test to ensure that the supplied firmware is long enough to
+contain the header and the data stream.  On failure, log an error and
+return `-EINVAL`.
+
+Fixes: 85acac61096f9 ("Staging: comedi: add me_daq driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20260205140130.76697-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/me_daq.c |   35 +++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+--- a/drivers/comedi/drivers/me_daq.c
++++ b/drivers/comedi/drivers/me_daq.c
+@@ -344,6 +344,25 @@ static int me2600_xilinx_download(struct
+       unsigned int file_length;
+       unsigned int i;
++      /*
++       * Format of the firmware
++       * Build longs from the byte-wise coded header
++       * Byte 1-3:   length of the array
++       * Byte 4-7:   version
++       * Byte 8-11:  date
++       * Byte 12-15: reserved
++       */
++      if (size >= 4) {
++              file_length = (((unsigned int)data[0] & 0xff) << 24) +
++                            (((unsigned int)data[1] & 0xff) << 16) +
++                            (((unsigned int)data[2] & 0xff) << 8) +
++                            ((unsigned int)data[3] & 0xff);
++      }
++      if (size < 16 || file_length > size - 16) {
++              dev_err(dev->class_dev, "Firmware length inconsistency\n");
++              return -EINVAL;
++      }
++
+       /* disable irq's on PLX */
+       writel(0x00, devpriv->plx_regbase + PLX9052_INTCSR);
+@@ -358,22 +377,6 @@ static int me2600_xilinx_download(struct
+       sleep(1);
+       /*
+-       * Format of the firmware
+-       * Build longs from the byte-wise coded header
+-       * Byte 1-3:   length of the array
+-       * Byte 4-7:   version
+-       * Byte 8-11:  date
+-       * Byte 12-15: reserved
+-       */
+-      if (size < 16)
+-              return -EINVAL;
+-
+-      file_length = (((unsigned int)data[0] & 0xff) << 24) +
+-          (((unsigned int)data[1] & 0xff) << 16) +
+-          (((unsigned int)data[2] & 0xff) << 8) +
+-          ((unsigned int)data[3] & 0xff);
+-
+-      /*
+        * Loop for writing firmware byte by byte to xilinx
+        * Firmware data start at offset 16
+        */
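Review bot: The header-format comment moved up next to the new bounds check still says `Byte 1-3:   length of the array`, while the code directly below it decodes the length from `data[0]` through `data[3]`. With the version field at bytes 4-7, the length field is bytes 0-3. Since this comment now documents the check that guards the firmware buffer, I would correct it while it is being moved, e.g. `Byte 0-3:   length of the data stream`. me2600_xilinx_download() starts and ends outside the hunks shown.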
diff --git a/queue-6.12/comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch b/queue-6.12/comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch
new file mode 100644 (file)
index 0000000..3c9992f
--- /dev/null
@@ -0,0 +1,47 @@
+From 101ab946b79ad83b36d5cfd47de587492a80acf0 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 28 Jan 2026 15:00:10 +0000
+Subject: comedi: ni_atmio16d: Fix invalid clean-up after failed attach
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 101ab946b79ad83b36d5cfd47de587492a80acf0 upstream.
+
+If the driver's COMEDI "attach" handler function (`atmio16d_attach()`)
+returns an error, the COMEDI core will call the driver's "detach"
+handler function (`atmio16d_detach()`) to clean up.  This calls
+`reset_atmio16d()` unconditionally, but depending on where the error
+occurred in the attach handler, the device may not have been
+sufficiently initialized to call `reset_atmio16d()`.  It uses
+`dev->iobase` as the I/O port base address and `dev->private` as the
+pointer to the COMEDI device's private data structure.  `dev->iobase`
+may still be set to its initial value of 0, which would result in
+undesired writes to low I/O port addresses.  `dev->private` may still be
+`NULL`, which would result in null pointer dereferences.
+
+Fix `atmio16d_detach()` by checking that `dev->private` is valid
+(non-null) before calling `reset_atmio16d()`.  This implies that
+`dev->iobase` was set correctly since that is set up before
+`dev->private`.
+
+Fixes: 2323b276308a ("Staging: comedi: add ni_at_atmio16d driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20260128150011.5006-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/ni_atmio16d.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/comedi/drivers/ni_atmio16d.c
++++ b/drivers/comedi/drivers/ni_atmio16d.c
+@@ -698,7 +698,8 @@ static int atmio16d_attach(struct comedi
+ static void atmio16d_detach(struct comedi_device *dev)
+ {
+-      reset_atmio16d(dev);
++      if (dev->private)
++              reset_atmio16d(dev);
+       comedi_legacy_detach(dev);
+ }
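Review bot: The `if (dev->private)` guard in atmio16d_detach() stands in for two conditions, private data allocated and `dev->iobase` valid, but only the commit message explains that; the code has no comment. A later reordering of atmio16d_attach() (outside this hunk) that allocates the private data before the I/O base is set would silently bring back the writes to low I/O port addresses. I would add `/* dev->private is allocated after dev->iobase is set in attach, so non-NULL implies both are valid */` above the test.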
diff --git a/queue-6.12/comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch b/queue-6.12/comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch
new file mode 100644 (file)
index 0000000..8d9f746
--- /dev/null
@@ -0,0 +1,54 @@
+From 4b9a9a6d71e3e252032f959fb3895a33acb5865c Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 25 Feb 2026 13:24:27 +0000
+Subject: comedi: Reinit dev->spinlock between attachments to low-level drivers
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 4b9a9a6d71e3e252032f959fb3895a33acb5865c upstream.
+
+`struct comedi_device` is the main controlling structure for a COMEDI
+device created by the COMEDI subsystem.  It contains a member `spinlock`
+containing a spin-lock that is initialized by the COMEDI subsystem, but
+is reserved for use by a low-level driver attached to the COMEDI device
+(at least since commit 25436dc9d84f ("Staging: comedi: remove RT
+code")).
+
+Some COMEDI devices (those created on initialization of the COMEDI
+subsystem when the "comedi.comedi_num_legacy_minors" parameter is
+non-zero) can be attached to different low-level drivers over their
+lifetime using the `COMEDI_DEVCONFIG` ioctl command.  This can result in
+inconsistent lock states being reported when there is a mismatch in the
+spin-lock locking levels used by each low-level driver to which the
+COMEDI device has been attached.  Fix it by reinitializing
+`dev->spinlock` before calling the low-level driver's `attach` function
+pointer if `CONFIG_LOCKDEP` is enabled.
+
+Reported-by: syzbot+cc9f7f4a7df09f53c4a4@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=cc9f7f4a7df09f53c4a4
+Fixes: ed9eccbe8970 ("Staging: add comedi core")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20260225132427.86578-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/comedi/drivers.c
++++ b/drivers/comedi/drivers.c
+@@ -1001,6 +1001,14 @@ int comedi_device_attach(struct comedi_d
+               ret = -EIO;
+               goto out;
+       }
++      if (IS_ENABLED(CONFIG_LOCKDEP)) {
++              /*
++               * dev->spinlock is for private use by the attached low-level
++               * driver.  Reinitialize it to stop lock-dependency tracking
++               * between attachments to different low-level drivers.
++               */
++              spin_lock_init(&dev->spinlock);
++      }
+       dev->driver = driv;
+       dev->board_name = dev->board_ptr ? *(const char **)dev->board_ptr
+                                        : dev->driver->driver_name;
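Review bot: `spin_lock_init(&dev->spinlock)` on a lock that may have been used by a previous attachment is safe only if nothing can hold or spin on it at this point, and the new comment does not state that precondition. Presumably no low-level driver is attached here and the caller serialises attach, but neither is visible in the hunk; comedi_device_attach() starts and ends outside it. Once confirmed, I would extend the comment with a sentence such as `No low-level driver is attached at this point, so the lock cannot be held.`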
diff --git a/queue-6.12/dt-bindings-connector-add-pd-disable-dependency.patch b/queue-6.12/dt-bindings-connector-add-pd-disable-dependency.patch
new file mode 100644 (file)
index 0000000..9b9149a
--- /dev/null
@@ -0,0 +1,32 @@
+From 269c26464dcf8b54b0dd9c333721c30ee44ae297 Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Mon, 30 Mar 2026 14:35:18 +0800
+Subject: dt-bindings: connector: add pd-disable dependency
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit 269c26464dcf8b54b0dd9c333721c30ee44ae297 upstream.
+
+When Power Delivery is not supported, the source is unable to obtain the
+current capability from the Source PDO. As a result, typec-power-opmode
+needs to be added to advertise such capability.
+
+Acked-by: Conor Dooley <conor.dooley@microchip.com>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Link: https://patch.msgid.link/20260330063518.719345-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/connector/usb-connector.yaml |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/Documentation/devicetree/bindings/connector/usb-connector.yaml
++++ b/Documentation/devicetree/bindings/connector/usb-connector.yaml
+@@ -254,6 +254,7 @@ properties:
+     additionalProperties: false
+ dependencies:
++  pd-disable: [typec-power-opmode]
+   sink-vdos-v1: [ sink-vdos ]
+   sink-vdos: [ sink-vdos-v1 ]
diff --git a/queue-6.12/firmware-microchip-fail-auto-update-probe-if-no-flash-found.patch b/queue-6.12/firmware-microchip-fail-auto-update-probe-if-no-flash-found.patch
new file mode 100644 (file)
index 0000000..ab18736
--- /dev/null
@@ -0,0 +1,53 @@
+From c7596f9001e2b83293e3658e4e1addde69bb335d Mon Sep 17 00:00:00 2001
+From: Conor Dooley <conor.dooley@microchip.com>
+Date: Tue, 3 Mar 2026 11:24:06 +0000
+Subject: firmware: microchip: fail auto-update probe if no flash found
+
+From: Conor Dooley <conor.dooley@microchip.com>
+
+commit c7596f9001e2b83293e3658e4e1addde69bb335d upstream.
+
+There's no point letting the driver probe if there is no flash, as
+trying to do a firmware upload will fail. Move the code that attempts
+to get the flash from firmware upload to probe, and let it emit a
+message to users stating why auto-update is not supported.
+The code currently could have a problem if there's a flash in
+devicetree, but the system controller driver fails to get a pointer to
+it from the mtd subsystem, which will cause
+mpfs_sys_controller_get_flash() to return an error. Check for errors and
+null, instead of just null, in the new clause.
+
+CC: stable@vger.kernel.org
+Fixes: ec5b0f1193ad4 ("firmware: microchip: add PolarFire SoC Auto Update support")
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/microchip/mpfs-auto-update.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/firmware/microchip/mpfs-auto-update.c
++++ b/drivers/firmware/microchip/mpfs-auto-update.c
+@@ -113,10 +113,6 @@ static enum fw_upload_err mpfs_auto_upda
+        * be added here.
+        */
+-      priv->flash = mpfs_sys_controller_get_flash(priv->sys_controller);
+-      if (!priv->flash)
+-              return FW_UPLOAD_ERR_HW_ERROR;
+-
+       erase_size = round_up(erase_size, (u64)priv->flash->erasesize);
+       /*
+@@ -427,6 +423,12 @@ static int mpfs_auto_update_probe(struct
+               return dev_err_probe(dev, PTR_ERR(priv->sys_controller),
+                                    "Could not register as a sub device of the system controller\n");
++      priv->flash = mpfs_sys_controller_get_flash(priv->sys_controller);
++      if (IS_ERR_OR_NULL(priv->flash)) {
++              dev_dbg(dev, "No flash connected to the system controller, auto-update not supported\n");
++              return -ENODEV;
++      }
++
+       priv->dev = dev;
+       platform_set_drvdata(pdev, priv);
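Review bot: In mpfs_auto_update_probe() the new `IS_ERR_OR_NULL(priv->flash)` branch maps every failure to `-ENODEV`, so an error pointer from mpfs_sys_controller_get_flash() loses its code. If that helper can return a deferral, the probe would no longer be retried, though this cannot be verified from the hunk. Splitting the cases keeps the code, e.g. `if (IS_ERR(priv->flash)) return dev_err_probe(dev, PTR_ERR(priv->flash), "Could not get flash\n");` (message wording is only an example), with `-ENODEV` for NULL alone. The message is emitted with `dev_dbg()`, which is usually disabled, whereas the commit text says users should be told why auto-update is unsupported; `dev_info()` would match that intent. With the check removed from the upload path, the `priv->flash->erasesize` dereference there depends entirely on this probe-time check.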
diff --git a/queue-6.12/netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch b/queue-6.12/netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch
new file mode 100644 (file)
index 0000000..3570357
--- /dev/null
@@ -0,0 +1,41 @@
+From 9862ef9ab0a116c6dca98842aab7de13a252ae02 Mon Sep 17 00:00:00 2001
+From: Yifan Wu <yifanwucs@gmail.com>
+Date: Mon, 30 Mar 2026 14:39:24 -0700
+Subject: netfilter: ipset: drop logically empty buckets in mtype_del
+
+From: Yifan Wu <yifanwucs@gmail.com>
+
+commit 9862ef9ab0a116c6dca98842aab7de13a252ae02 upstream.
+
+mtype_del() counts empty slots below n->pos in k, but it only drops the
+bucket when both n->pos and k are zero. This misses buckets whose live
+entries have all been removed while n->pos still points past deleted slots.
+
+Treat a bucket as empty when all positions below n->pos are unused and
+release it directly instead of shrinking it further.
+
+Fixes: 8af1c6fbd923 ("netfilter: ipset: Fix forceadd evaluation path")
+Cc: stable@vger.kernel.org
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <dstsmallbird@foxmail.com>
+Signed-off-by: Yifan Wu <yifanwucs@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Reviewed-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipset/ip_set_hash_gen.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_hash_gen.h
++++ b/net/netfilter/ipset/ip_set_hash_gen.h
+@@ -1099,7 +1099,7 @@ mtype_del(struct ip_set *set, void *valu
+                       if (!test_bit(i, n->used))
+                               k++;
+               }
+-              if (n->pos == 0 && k == 0) {
++              if (k == n->pos) {
+                       t->hregion[r].ext_size -= ext_size(n->size, dsize);
+                       rcu_assign_pointer(hbucket(t, key), NULL);
+                       kfree_rcu(n, rcu);
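Review bot: The new test `k == n->pos` in mtype_del() has no comment, and its meaning depends on the loop above it, which is only partly visible here: `k` counts the slots below `n->pos` whose `used` bit is clear. A one-line comment such as `/* every slot below n->pos is unused: the bucket is logically empty */` would make the invariant explicit and explain why the bucket is released rather than shrunk. The test is now an equality between `k` and `n->pos`, so it is worth confirming that the two have the same signedness and width; their declarations are outside the hunk.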
diff --git a/queue-6.12/nvmem-imx-assign-nvmem_cell_info-raw_len.patch b/queue-6.12/nvmem-imx-assign-nvmem_cell_info-raw_len.patch
new file mode 100644 (file)
index 0000000..5d063b1
--- /dev/null
@@ -0,0 +1,50 @@
+From 48b5163c957548f5854f14c90bfdedc33afbea3c Mon Sep 17 00:00:00 2001
+From: Christian Eggers <ceggers@arri.de>
+Date: Fri, 27 Mar 2026 13:16:44 +0000
+Subject: nvmem: imx: assign nvmem_cell_info::raw_len
+
+From: Christian Eggers <ceggers@arri.de>
+
+commit 48b5163c957548f5854f14c90bfdedc33afbea3c upstream.
+
+Avoid getting error messages at startup like the following on i.MX6ULL:
+
+nvmem imx-ocotp0: cell mac-addr raw len 6 unaligned to nvmem word size 4
+nvmem imx-ocotp0: cell mac-addr raw len 6 unaligned to nvmem word size 4
+
+This shouldn't cause any functional change as this alignment would
+otherwise be done in nvmem_cell_info_to_nvmem_cell_entry_nodup().
+
+Cc: stable@vger.kernel.org
+Fixes: 13bcd440f2ff ("nvmem: core: verify cell's raw_len")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260327131645.3025781-2-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/imx-ocotp-ele.c |    1 +
+ drivers/nvmem/imx-ocotp.c     |    1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/nvmem/imx-ocotp-ele.c
++++ b/drivers/nvmem/imx-ocotp-ele.c
+@@ -131,6 +131,7 @@ static int imx_ocotp_cell_pp(void *conte
+ static void imx_ocotp_fixup_dt_cell_info(struct nvmem_device *nvmem,
+                                        struct nvmem_cell_info *cell)
+ {
++      cell->raw_len = round_up(cell->bytes, 4);
+       cell->read_post_process = imx_ocotp_cell_pp;
+ }
+--- a/drivers/nvmem/imx-ocotp.c
++++ b/drivers/nvmem/imx-ocotp.c
+@@ -589,6 +589,7 @@ MODULE_DEVICE_TABLE(of, imx_ocotp_dt_ids
+ static void imx_ocotp_fixup_dt_cell_info(struct nvmem_device *nvmem,
+                                        struct nvmem_cell_info *cell)
+ {
++      cell->raw_len = round_up(cell->bytes, 4);
+       cell->read_post_process = imx_ocotp_cell_pp;
+ }
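Review bot: `round_up(cell->bytes, 4)` hard-codes the word size in imx_ocotp_fixup_dt_cell_info() in both imx-ocotp-ele.c and imx-ocotp.c. No comment ties the `4` to the nvmem word size named in the warning quoted in the commit message. A comment on each line such as `/* raw_len must be a multiple of the 4-byte nvmem word size */`, or a named constant if the drivers already define one, would keep the two copies from drifting apart.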
diff --git a/queue-6.12/nvmem-zynqmp_nvmem-fix-buffer-size-in-dma-and-memcpy.patch b/queue-6.12/nvmem-zynqmp_nvmem-fix-buffer-size-in-dma-and-memcpy.patch
new file mode 100644 (file)
index 0000000..d149cf0
--- /dev/null
@@ -0,0 +1,64 @@
+From f9b88613ff402aa6fe8fd020573cb95867ae947e Mon Sep 17 00:00:00 2001
+From: Ivan Vera <ivanverasantos@gmail.com>
+Date: Fri, 27 Mar 2026 13:16:45 +0000
+Subject: nvmem: zynqmp_nvmem: Fix buffer size in DMA and memcpy
+
+From: Ivan Vera <ivanverasantos@gmail.com>
+
+commit f9b88613ff402aa6fe8fd020573cb95867ae947e upstream.
+
+Buffer size used in dma allocation and memcpy is wrong.
+It can lead to undersized DMA buffer access and possible
+memory corruption. use correct buffer size in dma_alloc_coherent
+and memcpy.
+
+Fixes: 737c0c8d07b5 ("nvmem: zynqmp_nvmem: Add support to access efuse")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Vera <ivanverasantos@gmail.com>
+Signed-off-by: Harish Ediga <harish.ediga@amd.com>
+Signed-off-by: Harsh Jain <h.jain@amd.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260327131645.3025781-3-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/zynqmp_nvmem.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/nvmem/zynqmp_nvmem.c
++++ b/drivers/nvmem/zynqmp_nvmem.c
+@@ -66,7 +66,7 @@ static int zynqmp_efuse_access(void *con
+       dma_addr_t dma_buf;
+       size_t words = bytes / WORD_INBYTES;
+       int ret;
+-      int value;
++      unsigned int value;
+       char *data;
+       if (bytes % WORD_INBYTES != 0) {
+@@ -80,7 +80,7 @@ static int zynqmp_efuse_access(void *con
+       }
+       if (pufflag == 1 && flag == EFUSE_WRITE) {
+-              memcpy(&value, val, bytes);
++              memcpy(&value, val, sizeof(value));
+               if ((offset == EFUSE_PUF_START_OFFSET ||
+                    offset == EFUSE_PUF_MID_OFFSET) &&
+                   value & P_USER_0_64_UPPER_MASK) {
+@@ -100,7 +100,7 @@ static int zynqmp_efuse_access(void *con
+       if (!efuse)
+               return -ENOMEM;
+-      data = dma_alloc_coherent(dev, sizeof(bytes),
++      data = dma_alloc_coherent(dev, bytes,
+                                 &dma_buf, GFP_KERNEL);
+       if (!data) {
+               ret = -ENOMEM;
+@@ -134,7 +134,7 @@ static int zynqmp_efuse_access(void *con
+       if (flag == EFUSE_READ)
+               memcpy(val, data, bytes);
+ efuse_access_err:
+-      dma_free_coherent(dev, sizeof(bytes),
++      dma_free_coherent(dev, bytes,
+                         data, dma_buf);
+ efuse_data_fail:
+       dma_free_coherent(dev, sizeof(struct xilinx_efuse),
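Review bot: `memcpy(&value, val, sizeof(value))` in zynqmp_efuse_access() now always reads `sizeof(value)` bytes from `val`, but the only length check visible in these hunks is `bytes % WORD_INBYTES != 0`, which `bytes == 0` passes. Unless the nvmem core or a line outside the hunks rejects a zero-length request, the copy reads past the caller's buffer and `dma_alloc_coherent()` is handed a zero size. Extending the guard to `if (!bytes || bytes % WORD_INBYTES != 0)` would close that case. The function starts and ends outside the hunks, so the existing checks should be confirmed first.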
index 916ff290930ccf5951af9d683bb8fae86f7a4ab9..052b01da0eb37b35612f87d483c935d73bcc9ef3 100644 (file)
@@ -174,3 +174,15 @@ x86-platform-geode-fix-on-stack-property-data-use-after-return-bug.patch
 revert-loongarch-handle-percpu-handler-address-for-o.patch
 revert-loongarch-remove-unnecessary-checks-for-orc-u.patch
 revert-loongarch-orc-use-rcu-in-all-users-of-__modul.patch
+bridge-br_nd_send-validate-nd-option-lengths.patch
+cdc-acm-new-quirk-for-epson-hmd.patch
+comedi-dt2815-add-hardware-detection-to-prevent-crash.patch
+comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch
+comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch
+comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch
+comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch
+firmware-microchip-fail-auto-update-probe-if-no-flash-found.patch
+dt-bindings-connector-add-pd-disable-dependency.patch
+nvmem-imx-assign-nvmem_cell_info-raw_len.patch
+nvmem-zynqmp_nvmem-fix-buffer-size-in-dma-and-memcpy.patch
+netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch