From: Greg Kroah-Hartman Date: Wed, 8 Apr 2026 06:56:16 +0000 (+0200) Subject: 5.15-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=04e1adc173601090ccb23da52780fa5a75d46d82;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: bridge-br_nd_send-validate-nd-option-lengths.patch cdc-acm-new-quirk-for-epson-hmd.patch comedi-dt2815-add-hardware-detection-to-prevent-crash.patch comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch --- diff --git a/queue-5.15/bridge-br_nd_send-validate-nd-option-lengths.patch b/queue-5.15/bridge-br_nd_send-validate-nd-option-lengths.patch new file mode 100644 index 0000000000..36442bf36a --- /dev/null +++ b/queue-5.15/bridge-br_nd_send-validate-nd-option-lengths.patch @@ -0,0 +1,54 @@ +From 850837965af15707fd3142c1cf3c5bfaf022299b Mon Sep 17 00:00:00 2001 +From: Yang Yang +Date: Thu, 26 Mar 2026 03:44:40 +0000 +Subject: bridge: br_nd_send: validate ND option lengths + +From: Yang Yang + +commit 850837965af15707fd3142c1cf3c5bfaf022299b upstream. + +br_nd_send() walks ND options according to option-provided lengths. +A malformed option can make the parser advance beyond the computed +option span or use a too-short source LLADDR option payload. + +Validate option lengths against the remaining NS option area before +advancing, and only read source LLADDR when the option is large enough +for an Ethernet address. + +Fixes: ed842faeb2bd ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports") +Cc: stable@vger.kernel.org +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Tested-by: Ao Zhou +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Signed-off-by: Yang Yang +Reviewed-by: Ido Schimmel +Acked-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20260326034441.2037420-3-n05ec@lzu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_arp_nd_proxy.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/bridge/br_arp_nd_proxy.c ++++ b/net/bridge/br_arp_nd_proxy.c +@@ -285,12 +285,14 @@ static void br_nd_send(struct net_bridge + ns_olen = request->len - (skb_network_offset(request) + + sizeof(struct ipv6hdr)) - sizeof(*ns); + for (i = 0; i < ns_olen - 1; i += (ns->opt[i + 1] << 3)) { +- if (!ns->opt[i + 1]) { ++ if (!ns->opt[i + 1] || i + (ns->opt[i + 1] << 3) > ns_olen) { + kfree_skb(reply); + return; + } + if (ns->opt[i] == ND_OPT_SOURCE_LL_ADDR) { +- daddr = ns->opt + i + sizeof(struct nd_opt_hdr); ++ if ((ns->opt[i + 1] << 3) >= ++ sizeof(struct nd_opt_hdr) + ETH_ALEN) ++ daddr = ns->opt + i + sizeof(struct nd_opt_hdr); + break; + } + } diff --git a/queue-5.15/cdc-acm-new-quirk-for-epson-hmd.patch b/queue-5.15/cdc-acm-new-quirk-for-epson-hmd.patch new file mode 100644 index 0000000000..fe54ef8750 --- /dev/null +++ b/queue-5.15/cdc-acm-new-quirk-for-epson-hmd.patch @@ -0,0 +1,60 @@ +From f97e96c303d689708f7f713d8f3afcc31f1237e9 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 17 Mar 2026 09:41:10 +0100 +Subject: cdc-acm: new quirk for EPSON HMD + +From: Oliver Neukum + +commit f97e96c303d689708f7f713d8f3afcc31f1237e9 upstream. + +This device has a union descriptor that is just garbage +and needs a custom descriptor. +In principle this could be done with a (conditionally +activated) heuristic. That would match more devices +without a need for defining a new quirk. However, +this always carries the risk that the heuristics +does the wrong thing and leads to more breakage. +Defining the quirk and telling it exactly what to do +is the safe and conservative approach. + +Signed-off-by: Oliver Neukum +Cc: stable +Link: https://patch.msgid.link/20260317084139.1461008-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-acm.c | 9 +++++++++ + drivers/usb/class/cdc-acm.h | 1 + + 2 files changed, 10 insertions(+) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1205,6 +1205,12 @@ static int acm_probe(struct usb_interfac + if (!data_interface || !control_interface) + return -ENODEV; + goto skip_normal_probe; ++ } else if (quirks == NO_UNION_12) { ++ data_interface = usb_ifnum_to_if(usb_dev, 2); ++ control_interface = usb_ifnum_to_if(usb_dev, 1); ++ if (!data_interface || !control_interface) ++ return -ENODEV; ++ goto skip_normal_probe; + } + + /* normal probing*/ +@@ -1733,6 +1739,9 @@ static const struct usb_device_id acm_id + { USB_DEVICE(0x045b, 0x024D), /* Renesas R-Car E3 USB Download mode */ + .driver_info = DISABLE_ECHO, /* Don't echo banner */ + }, ++ { USB_DEVICE(0x04b8, 0x0d12), /* EPSON HMD Com&Sens */ ++ .driver_info = NO_UNION_12, /* union descriptor is garbage */ ++ }, + { USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@gmail.com */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, +--- a/drivers/usb/class/cdc-acm.h ++++ b/drivers/usb/class/cdc-acm.h +@@ -142,3 +142,4 @@ struct acm { + #define SEND_ZERO_PACKET BIT(6) + #define DISABLE_ECHO BIT(7) + #define MISSING_CAP_BRK BIT(8) ++#define NO_UNION_12 BIT(9) diff --git a/queue-5.15/comedi-dt2815-add-hardware-detection-to-prevent-crash.patch b/queue-5.15/comedi-dt2815-add-hardware-detection-to-prevent-crash.patch new file mode 100644 index 0000000000..85e99a4bbe --- /dev/null +++ b/queue-5.15/comedi-dt2815-add-hardware-detection-to-prevent-crash.patch @@ -0,0 +1,63 @@ +From 93853512f565e625df2397f0d8050d6aafd7c3ad Mon Sep 17 00:00:00 2001 +From: Deepanshu Kartikey +Date: Mon, 9 Mar 2026 16:18:59 +0530 +Subject: comedi: dt2815: add hardware detection to prevent crash + +From: Deepanshu Kartikey + +commit 93853512f565e625df2397f0d8050d6aafd7c3ad upstream. + +The dt2815 driver crashes when attached to I/O ports without actual +hardware present. This occurs because syzkaller or users can attach +the driver to arbitrary I/O addresses via COMEDI_DEVCONFIG ioctl. + +When no hardware exists at the specified port, inb() operations return +0xff (floating bus), but outb() operations can trigger page faults due +to undefined behavior, especially under race conditions: + + BUG: unable to handle page fault for address: 000000007fffff90 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + RIP: 0010:dt2815_attach+0x6e0/0x1110 + +Add hardware detection by reading the status register before attempting +any write operations. If the read returns 0xff, assume no hardware is +present and fail the attach with -ENODEV. This prevents crashes from +outb() operations on non-existent hardware. + +Reported-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com +Cc: stable +Closes: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc +Tested-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com +Reviewed-by: Ian Abbott +Signed-off-by: Deepanshu Kartikey +Link: [https://lore.kernel.org/all/20260126070458.10974-1-kartikey406@gmail.com/T/] +Link: [https://lore.kernel.org/all/20260126070458.10974-1-kartikey406@gmail.com/T/ +Link: https://patch.msgid.link/20260309104859.503529-1-kartikey406@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers/dt2815.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/comedi/drivers/dt2815.c ++++ b/drivers/comedi/drivers/dt2815.c +@@ -176,6 +176,18 @@ static int dt2815_attach(struct comedi_d + ? current_range_type : voltage_range_type; + } + ++ /* ++ * Check if hardware is present before attempting any I/O operations. ++ * Reading 0xff from status register typically indicates no hardware ++ * on the bus (floating bus reads as all 1s). ++ */ ++ if (inb(dev->iobase + DT2815_STATUS) == 0xff) { ++ dev_err(dev->class_dev, ++ "No hardware detected at I/O base 0x%lx\n", ++ dev->iobase); ++ return -ENODEV; ++ } ++ + /* Init the 2815 */ + outb(0x00, dev->iobase + DT2815_STATUS); + for (i = 0; i < 100; i++) { diff --git a/queue-5.15/comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch b/queue-5.15/comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch new file mode 100644 index 0000000000..177b528b57 --- /dev/null +++ b/queue-5.15/comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch @@ -0,0 +1,65 @@ +From 3fb43a7a5b44713f892c58ead2e5f3a1bc9f4ee7 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Thu, 5 Feb 2026 13:39:49 +0000 +Subject: comedi: me4000: Fix potential overrun of firmware buffer + +From: Ian Abbott + +commit 3fb43a7a5b44713f892c58ead2e5f3a1bc9f4ee7 upstream. + +`me4000_xilinx_download()` loads the firmware that was requested by +`request_firmware()`. It is possible for it to overrun the source +buffer because it blindly trusts the file format. It reads a data +stream length from the first 4 bytes into variable `file_length` and +reads the data stream contents of length `file_length` from offset 16 +onwards. + +Add a test to ensure that the supplied firmware is long enough to +contain the header and the data stream. On failure, log an error and +return `-EINVAL`. + +Note: The firmware loading was totally broken before commit ac584af59945 +("staging: comedi: me4000: fix firmware downloading"), but that is the +most sensible target for this fix. + +Fixes: ac584af59945 ("staging: comedi: me4000: fix firmware downloading") +Cc: stable +Signed-off-by: Ian Abbott +Link: https://patch.msgid.link/20260205133949.71722-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers/me4000.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/comedi/drivers/me4000.c ++++ b/drivers/comedi/drivers/me4000.c +@@ -316,6 +316,18 @@ static int me4000_xilinx_download(struct + unsigned int val; + unsigned int i; + ++ /* Get data stream length from header. */ ++ if (size >= 4) { ++ file_length = (((unsigned int)data[0] & 0xff) << 24) + ++ (((unsigned int)data[1] & 0xff) << 16) + ++ (((unsigned int)data[2] & 0xff) << 8) + ++ ((unsigned int)data[3] & 0xff); ++ } ++ if (size < 16 || file_length > size - 16) { ++ dev_err(dev->class_dev, "Firmware length inconsistency\n"); ++ return -EINVAL; ++ } ++ + if (!xilinx_iobase) + return -ENODEV; + +@@ -347,10 +359,6 @@ static int me4000_xilinx_download(struct + outl(val, devpriv->plx_regbase + PLX9052_CNTRL); + + /* Download Xilinx firmware */ +- file_length = (((unsigned int)data[0] & 0xff) << 24) + +- (((unsigned int)data[1] & 0xff) << 16) + +- (((unsigned int)data[2] & 0xff) << 8) + +- ((unsigned int)data[3] & 0xff); + usleep_range(10, 1000); + + for (i = 0; i < file_length; i++) { diff --git a/queue-5.15/comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch b/queue-5.15/comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch new file mode 100644 index 0000000000..0956549843 --- /dev/null +++ b/queue-5.15/comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch @@ -0,0 +1,82 @@ +From cc797d4821c754c701d9714b58bea947e31dbbe0 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Thu, 5 Feb 2026 14:01:30 +0000 +Subject: comedi: me_daq: Fix potential overrun of firmware buffer + +From: Ian Abbott + +commit cc797d4821c754c701d9714b58bea947e31dbbe0 upstream. + +`me2600_xilinx_download()` loads the firmware that was requested by +`request_firmware()`. It is possible for it to overrun the source +buffer because it blindly trusts the file format. It reads a data +stream length from the first 4 bytes into variable `file_length` and +reads the data stream contents of length `file_length` from offset 16 +onwards. Although it checks that the supplied firmware is at least 16 +bytes long, it does not check that it is long enough to contain the data +stream. + +Add a test to ensure that the supplied firmware is long enough to +contain the header and the data stream. On failure, log an error and +return `-EINVAL`. + +Fixes: 85acac61096f9 ("Staging: comedi: add me_daq driver") +Cc: stable +Signed-off-by: Ian Abbott +Link: https://patch.msgid.link/20260205140130.76697-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers/me_daq.c | 35 +++++++++++++++++++---------------- + 1 file changed, 19 insertions(+), 16 deletions(-) + +--- a/drivers/comedi/drivers/me_daq.c ++++ b/drivers/comedi/drivers/me_daq.c +@@ -345,6 +345,25 @@ static int me2600_xilinx_download(struct + unsigned int file_length; + unsigned int i; + ++ /* ++ * Format of the firmware ++ * Build longs from the byte-wise coded header ++ * Byte 1-3: length of the array ++ * Byte 4-7: version ++ * Byte 8-11: date ++ * Byte 12-15: reserved ++ */ ++ if (size >= 4) { ++ file_length = (((unsigned int)data[0] & 0xff) << 24) + ++ (((unsigned int)data[1] & 0xff) << 16) + ++ (((unsigned int)data[2] & 0xff) << 8) + ++ ((unsigned int)data[3] & 0xff); ++ } ++ if (size < 16 || file_length > size - 16) { ++ dev_err(dev->class_dev, "Firmware length inconsistency\n"); ++ return -EINVAL; ++ } ++ + /* disable irq's on PLX */ + writel(0x00, devpriv->plx_regbase + PLX9052_INTCSR); + +@@ -359,22 +378,6 @@ static int me2600_xilinx_download(struct + sleep(1); + + /* +- * Format of the firmware +- * Build longs from the byte-wise coded header +- * Byte 1-3: length of the array +- * Byte 4-7: version +- * Byte 8-11: date +- * Byte 12-15: reserved +- */ +- if (size < 16) +- return -EINVAL; +- +- file_length = (((unsigned int)data[0] & 0xff) << 24) + +- (((unsigned int)data[1] & 0xff) << 16) + +- (((unsigned int)data[2] & 0xff) << 8) + +- ((unsigned int)data[3] & 0xff); +- +- /* + * Loop for writing firmware byte by byte to xilinx + * Firmware data start at offset 16 + */ diff --git a/queue-5.15/comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch b/queue-5.15/comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch new file mode 100644 index 0000000000..01006fa9f5 --- /dev/null +++ b/queue-5.15/comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch @@ -0,0 +1,47 @@ +From 101ab946b79ad83b36d5cfd47de587492a80acf0 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Wed, 28 Jan 2026 15:00:10 +0000 +Subject: comedi: ni_atmio16d: Fix invalid clean-up after failed attach + +From: Ian Abbott + +commit 101ab946b79ad83b36d5cfd47de587492a80acf0 upstream. + +If the driver's COMEDI "attach" handler function (`atmio16d_attach()`) +returns an error, the COMEDI core will call the driver's "detach" +handler function (`atmio16d_detach()`) to clean up. This calls +`reset_atmio16d()` unconditionally, but depending on where the error +occurred in the attach handler, the device may not have been +sufficiently initialized to call `reset_atmio16d()`. It uses +`dev->iobase` as the I/O port base address and `dev->private` as the +pointer to the COMEDI device's private data structure. `dev->iobase` +may still be set to its initial value of 0, which would result in +undesired writes to low I/O port addresses. `dev->private` may still be +`NULL`, which would result in null pointer dereferences. + +Fix `atmio16d_detach()` by checking that `dev->private` is valid +(non-null) before calling `reset_atmio16d()`. This implies that +`dev->iobase` was set correctly since that is set up before +`dev->private`. + +Fixes: 2323b276308a ("Staging: comedi: add ni_at_atmio16d driver") +Cc: stable +Signed-off-by: Ian Abbott +Link: https://patch.msgid.link/20260128150011.5006-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers/ni_atmio16d.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/comedi/drivers/ni_atmio16d.c ++++ b/drivers/comedi/drivers/ni_atmio16d.c +@@ -699,7 +699,8 @@ static int atmio16d_attach(struct comedi + + static void atmio16d_detach(struct comedi_device *dev) + { +- reset_atmio16d(dev); ++ if (dev->private) ++ reset_atmio16d(dev); + comedi_legacy_detach(dev); + } + diff --git a/queue-5.15/comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch b/queue-5.15/comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch new file mode 100644 index 0000000000..8d9f746828 --- /dev/null +++ b/queue-5.15/comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch @@ -0,0 +1,54 @@ +From 4b9a9a6d71e3e252032f959fb3895a33acb5865c Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Wed, 25 Feb 2026 13:24:27 +0000 +Subject: comedi: Reinit dev->spinlock between attachments to low-level drivers + +From: Ian Abbott + +commit 4b9a9a6d71e3e252032f959fb3895a33acb5865c upstream. + +`struct comedi_device` is the main controlling structure for a COMEDI +device created by the COMEDI subsystem. It contains a member `spinlock` +containing a spin-lock that is initialized by the COMEDI subsystem, but +is reserved for use by a low-level driver attached to the COMEDI device +(at least since commit 25436dc9d84f ("Staging: comedi: remove RT +code")). + +Some COMEDI devices (those created on initialization of the COMEDI +subsystem when the "comedi.comedi_num_legacy_minors" parameter is +non-zero) can be attached to different low-level drivers over their +lifetime using the `COMEDI_DEVCONFIG` ioctl command. This can result in +inconsistent lock states being reported when there is a mismatch in the +spin-lock locking levels used by each low-level driver to which the +COMEDI device has been attached. Fix it by reinitializing +`dev->spinlock` before calling the low-level driver's `attach` function +pointer if `CONFIG_LOCKDEP` is enabled. + +Reported-by: syzbot+cc9f7f4a7df09f53c4a4@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=cc9f7f4a7df09f53c4a4 +Fixes: ed9eccbe8970 ("Staging: add comedi core") +Cc: stable +Signed-off-by: Ian Abbott +Link: https://patch.msgid.link/20260225132427.86578-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/comedi/drivers.c ++++ b/drivers/comedi/drivers.c +@@ -1001,6 +1001,14 @@ int comedi_device_attach(struct comedi_d + ret = -EIO; + goto out; + } ++ if (IS_ENABLED(CONFIG_LOCKDEP)) { ++ /* ++ * dev->spinlock is for private use by the attached low-level ++ * driver. Reinitialize it to stop lock-dependency tracking ++ * between attachments to different low-level drivers. ++ */ ++ spin_lock_init(&dev->spinlock); ++ } + dev->driver = driv; + dev->board_name = dev->board_ptr ? *(const char **)dev->board_ptr + : dev->driver->driver_name; diff --git a/queue-5.15/netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch b/queue-5.15/netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch new file mode 100644 index 0000000000..c06340f3ad --- /dev/null +++ b/queue-5.15/netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch @@ -0,0 +1,41 @@ +From 9862ef9ab0a116c6dca98842aab7de13a252ae02 Mon Sep 17 00:00:00 2001 +From: Yifan Wu +Date: Mon, 30 Mar 2026 14:39:24 -0700 +Subject: netfilter: ipset: drop logically empty buckets in mtype_del + +From: Yifan Wu + +commit 9862ef9ab0a116c6dca98842aab7de13a252ae02 upstream. + +mtype_del() counts empty slots below n->pos in k, but it only drops the +bucket when both n->pos and k are zero. This misses buckets whose live +entries have all been removed while n->pos still points past deleted slots. + +Treat a bucket as empty when all positions below n->pos are unused and +release it directly instead of shrinking it further. + +Fixes: 8af1c6fbd923 ("netfilter: ipset: Fix forceadd evaluation path") +Cc: stable@vger.kernel.org +Reported-by: Juefei Pu +Reported-by: Xin Liu +Signed-off-by: Yifan Wu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Reviewed-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/ipset/ip_set_hash_gen.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/ipset/ip_set_hash_gen.h ++++ b/net/netfilter/ipset/ip_set_hash_gen.h +@@ -1086,7 +1086,7 @@ mtype_del(struct ip_set *set, void *valu + if (!test_bit(i, n->used)) + k++; + } +- if (n->pos == 0 && k == 0) { ++ if (k == n->pos) { + t->hregion[r].ext_size -= ext_size(n->size, dsize); + rcu_assign_pointer(hbucket(t, key), NULL); + kfree_rcu(n, rcu); diff --git a/queue-5.15/series b/queue-5.15/series index 2e9892b2d7..534ff10287 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -475,3 +475,11 @@ phy-renesas-rcar-gen3-usb2-fix-role-detection-on-unb.patch phy-renesas-rcar-gen3-usb2-move-irq-request-in-probe.patch phy-renesas-rcar-gen3-usb2-lock-around-hardware-regi.patch phy-renesas-rcar-gen3-usb2-assert-pll-reset-on-phy-p.patch +bridge-br_nd_send-validate-nd-option-lengths.patch +cdc-acm-new-quirk-for-epson-hmd.patch +comedi-dt2815-add-hardware-detection-to-prevent-crash.patch +comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch +comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch +comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch +comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch +netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch