From 320247ab15afff0ad8f099d0500d2dc112623d4f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 20 Jan 2026 12:07:34 +0100
Subject: [PATCH] 5.15-stable patches

added patches:
	hid-usbhid-paper-over-wrong-bnumdescriptor-field.patch
---
 ...aper-over-wrong-bnumdescriptor-field.patch | 55 +++++++++++++++++++
 queue-5.15/series                             |  1 +
 2 files changed, 56 insertions(+)
 create mode 100644 queue-5.15/hid-usbhid-paper-over-wrong-bnumdescriptor-field.patch

diff --git a/queue-5.15/hid-usbhid-paper-over-wrong-bnumdescriptor-field.patch b/queue-5.15/hid-usbhid-paper-over-wrong-bnumdescriptor-field.patch
new file mode 100644
index 0000000000..3a8218d6a0
--- /dev/null
+++ b/queue-5.15/hid-usbhid-paper-over-wrong-bnumdescriptor-field.patch
@@ -0,0 +1,55 @@
+From f28beb69c51517aec7067dfb2074e7c751542384 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <bentiss@kernel.org>
+Date: Mon, 15 Dec 2025 12:57:21 +0100
+Subject: HID: usbhid: paper over wrong bNumDescriptor field
+
+From: Benjamin Tissoires <bentiss@kernel.org>
+
+commit f28beb69c51517aec7067dfb2074e7c751542384 upstream.
+
+Some faulty devices (ZWO EFWmini) have a wrong optional HID class
+descriptor count compared to the provided length.
+
+Given that we plainly ignore those optional descriptor, we can attempt
+to fix the provided number so we do not lock out those devices.
+
+Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
+Cc: Salvatore Bonaccorso <carnil@debian.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/usbhid/hid-core.c |   17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/usbhid/hid-core.c
++++ b/drivers/hid/usbhid/hid-core.c
+@@ -983,6 +983,7 @@ static int usbhid_parse(struct hid_devic
+ 	struct usb_device *dev = interface_to_usbdev (intf);
+ 	struct hid_descriptor *hdesc;
+ 	struct hid_class_descriptor *hcdesc;
++	__u8 fixed_opt_descriptors_size;
+ 	u32 quirks = 0;
+ 	unsigned int rsize = 0;
+ 	char *rdesc;
+@@ -1013,7 +1014,21 @@ static int usbhid_parse(struct hid_devic
+ 			      (hdesc->bNumDescriptors - 1) * sizeof(*hcdesc)) {
+ 		dbg_hid("hid descriptor invalid, bLen=%hhu bNum=%hhu\n",
+ 			hdesc->bLength, hdesc->bNumDescriptors);
+-		return -EINVAL;
++
++		/*
++		 * Some devices may expose a wrong number of descriptors compared
++		 * to the provided length.
++		 * However, we ignore the optional hid class descriptors entirely
++		 * so we can safely recompute the proper field.
++		 */
++		if (hdesc->bLength >= sizeof(*hdesc)) {
++			fixed_opt_descriptors_size = hdesc->bLength - sizeof(*hdesc);
++
++			hid_warn(intf, "fixing wrong optional hid class descriptors count\n");
++			hdesc->bNumDescriptors = fixed_opt_descriptors_size / sizeof(*hcdesc) + 1;
++		} else {
++			return -EINVAL;
++		}
+ 	}
+ 
+ 	hid->version = le16_to_cpu(hdesc->bcdHID);
diff --git a/queue-5.15/series b/queue-5.15/series
index 791c5a5089..bce1c6f3da 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -19,3 +19,4 @@ dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch
 phy-stm32-usphyc-fix-off-by-one-in-probe.patch
 phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch
 dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch
+hid-usbhid-paper-over-wrong-bnumdescriptor-field.patch
-- 
2.47.3