--- /dev/null
+From 850837965af15707fd3142c1cf3c5bfaf022299b Mon Sep 17 00:00:00 2001
+From: Yang Yang <n05ec@lzu.edu.cn>
+Date: Thu, 26 Mar 2026 03:44:40 +0000
+Subject: bridge: br_nd_send: validate ND option lengths
+
+From: Yang Yang <n05ec@lzu.edu.cn>
+
+commit 850837965af15707fd3142c1cf3c5bfaf022299b upstream.
+
+br_nd_send() walks ND options according to option-provided lengths.
+A malformed option can make the parser advance beyond the computed
+option span or use a too-short source LLADDR option payload.
+
+Validate option lengths against the remaining NS option area before
+advancing, and only read source LLADDR when the option is large enough
+for an Ethernet address.
+
+Fixes: ed842faeb2bd ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports")
+Cc: stable@vger.kernel.org
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Tested-by: Ao Zhou <n05ec@lzu.edu.cn>
+Co-developed-by: Yuan Tan <tanyuan98@outlook.com>
+Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Yang Yang <n05ec@lzu.edu.cn>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20260326034441.2037420-3-n05ec@lzu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_arp_nd_proxy.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/bridge/br_arp_nd_proxy.c
++++ b/net/bridge/br_arp_nd_proxy.c
+@@ -285,12 +285,14 @@ static void br_nd_send(struct net_bridge
+ ns_olen = request->len - (skb_network_offset(request) +
+ sizeof(struct ipv6hdr)) - sizeof(*ns);
+ for (i = 0; i < ns_olen - 1; i += (ns->opt[i + 1] << 3)) {
+- if (!ns->opt[i + 1]) {
++ if (!ns->opt[i + 1] || i + (ns->opt[i + 1] << 3) > ns_olen) {
+ kfree_skb(reply);
+ return;
+ }
+ if (ns->opt[i] == ND_OPT_SOURCE_LL_ADDR) {
+- daddr = ns->opt + i + sizeof(struct nd_opt_hdr);
++ if ((ns->opt[i + 1] << 3) >=
++ sizeof(struct nd_opt_hdr) + ETH_ALEN)
++ daddr = ns->opt + i + sizeof(struct nd_opt_hdr);
+ break;
+ }
+ }
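Review bot: When the source LLADDR option is shorter than `sizeof(struct nd_opt_hdr) + ETH_ALEN`, the new inner `if` skips the assignment but the `break` still ends the walk, and nothing in the code says that this fallback is intended. The reply is then built with whatever `daddr` held before the loop (presumably a default assigned earlier, which is not visible here). A comment on the inner check would record it, e.g. `/* too-short SLLAO: ignore it and keep the daddr chosen before the loop */`. The new bound `i + (ns->opt[i + 1] << 3) > ns_olen` also relies on the types of `i` and `ns_olen` and on `ns_olen` not being negative, none of which can be confirmed from this hunk; br_nd_send() begins and ends outside it.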
--- /dev/null
+From f97e96c303d689708f7f713d8f3afcc31f1237e9 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 17 Mar 2026 09:41:10 +0100
+Subject: cdc-acm: new quirk for EPSON HMD
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit f97e96c303d689708f7f713d8f3afcc31f1237e9 upstream.
+
+This device has a union descriptor that is just garbage
+and needs a custom descriptor.
+In principle this could be done with a (conditionally
+activated) heuristic. That would match more devices
+without a need for defining a new quirk. However,
+this always carries the risk that the heuristics
+does the wrong thing and leads to more breakage.
+Defining the quirk and telling it exactly what to do
+is the safe and conservative approach.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/20260317084139.1461008-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-acm.c | 9 +++++++++
+ drivers/usb/class/cdc-acm.h | 1 +
+ 2 files changed, 10 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1205,6 +1205,12 @@ static int acm_probe(struct usb_interfac
+ if (!data_interface || !control_interface)
+ return -ENODEV;
+ goto skip_normal_probe;
++ } else if (quirks == NO_UNION_12) {
++ data_interface = usb_ifnum_to_if(usb_dev, 2);
++ control_interface = usb_ifnum_to_if(usb_dev, 1);
++ if (!data_interface || !control_interface)
++ return -ENODEV;
++ goto skip_normal_probe;
+ }
+
+ /* normal probing*/
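Review bot: The new branch in acm_probe() tests `quirks == NO_UNION_12`, an equality compare against a value the header hunk defines as `BIT(9)` among flag-style quirks, so a table entry that combines it with another quirk bit would silently fall through to normal probing. If the exact match is deliberate (the branch above appears to follow the same pattern, though its condition is outside the hunk), a comment should say so and name the layout the quirk hard-codes, e.g. `/* EPSON HMD: control is interface 1, data is interface 2; must be the only quirk bit set */`. Both usb_ifnum_to_if() results are NULL-checked, but the interface numbers come from a fixed assumption about the device rather than from its descriptors. Any further validation of those interfaces therefore depends on the code after `skip_normal_probe`, which is not visible here.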
+@@ -1733,6 +1739,9 @@ static const struct usb_device_id acm_id
+ { USB_DEVICE(0x045b, 0x024D), /* Renesas R-Car E3 USB Download mode */
+ .driver_info = DISABLE_ECHO, /* Don't echo banner */
+ },
++ { USB_DEVICE(0x04b8, 0x0d12), /* EPSON HMD Com&Sens */
++ .driver_info = NO_UNION_12, /* union descriptor is garbage */
++ },
+ { USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@gmail.com */
+ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+ },
+--- a/drivers/usb/class/cdc-acm.h
++++ b/drivers/usb/class/cdc-acm.h
+@@ -142,3 +142,4 @@ struct acm {
+ #define SEND_ZERO_PACKET BIT(6)
+ #define DISABLE_ECHO BIT(7)
+ #define MISSING_CAP_BRK BIT(8)
++#define NO_UNION_12 BIT(9)
--- /dev/null
+From 93853512f565e625df2397f0d8050d6aafd7c3ad Mon Sep 17 00:00:00 2001
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+Date: Mon, 9 Mar 2026 16:18:59 +0530
+Subject: comedi: dt2815: add hardware detection to prevent crash
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+commit 93853512f565e625df2397f0d8050d6aafd7c3ad upstream.
+
+The dt2815 driver crashes when attached to I/O ports without actual
+hardware present. This occurs because syzkaller or users can attach
+the driver to arbitrary I/O addresses via COMEDI_DEVCONFIG ioctl.
+
+When no hardware exists at the specified port, inb() operations return
+0xff (floating bus), but outb() operations can trigger page faults due
+to undefined behavior, especially under race conditions:
+
+ BUG: unable to handle page fault for address: 000000007fffff90
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ RIP: 0010:dt2815_attach+0x6e0/0x1110
+
+Add hardware detection by reading the status register before attempting
+any write operations. If the read returns 0xff, assume no hardware is
+present and fail the attach with -ENODEV. This prevents crashes from
+outb() operations on non-existent hardware.
+
+Reported-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com
+Cc: stable <stable@kernel.org>
+Closes: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc
+Tested-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com
+Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Link: [https://lore.kernel.org/all/20260126070458.10974-1-kartikey406@gmail.com/T/]
+Link: [https://lore.kernel.org/all/20260126070458.10974-1-kartikey406@gmail.com/T/
+Link: https://patch.msgid.link/20260309104859.503529-1-kartikey406@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/dt2815.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/comedi/drivers/dt2815.c
++++ b/drivers/comedi/drivers/dt2815.c
+@@ -176,6 +176,18 @@ static int dt2815_attach(struct comedi_d
+ ? current_range_type : voltage_range_type;
+ }
+
++ /*
++ * Check if hardware is present before attempting any I/O operations.
++ * Reading 0xff from status register typically indicates no hardware
++ * on the bus (floating bus reads as all 1s).
++ */
++ if (inb(dev->iobase + DT2815_STATUS) == 0xff) {
++ dev_err(dev->class_dev,
++ "No hardware detected at I/O base 0x%lx\n",
++ dev->iobase);
++ return -ENODEV;
++ }
++
+ /* Init the 2815 */
+ outb(0x00, dev->iobase + DT2815_STATUS);
+ for (i = 0; i < 100; i++) {
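Review bot: The presence test `inb(dev->iobase + DT2815_STATUS) == 0xff` only filters the floating-bus case, and the comment above it should state that it is a heuristic which does not confirm that the device at `dev->iobase` is a DT2815. Any other hardware decoded at that address will pass, and the `outb(0x00, ...)` that follows still writes to a port chosen by whoever issued the attach. I would extend the comment with a line such as `This is a heuristic only: a non-0xff read does not prove a DT2815 is at iobase.` dt2815_attach() begins and ends outside the hunk.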
--- /dev/null
+From 3fb43a7a5b44713f892c58ead2e5f3a1bc9f4ee7 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Thu, 5 Feb 2026 13:39:49 +0000
+Subject: comedi: me4000: Fix potential overrun of firmware buffer
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 3fb43a7a5b44713f892c58ead2e5f3a1bc9f4ee7 upstream.
+
+`me4000_xilinx_download()` loads the firmware that was requested by
+`request_firmware()`. It is possible for it to overrun the source
+buffer because it blindly trusts the file format. It reads a data
+stream length from the first 4 bytes into variable `file_length` and
+reads the data stream contents of length `file_length` from offset 16
+onwards.
+
+Add a test to ensure that the supplied firmware is long enough to
+contain the header and the data stream. On failure, log an error and
+return `-EINVAL`.
+
+Note: The firmware loading was totally broken before commit ac584af59945
+("staging: comedi: me4000: fix firmware downloading"), but that is the
+most sensible target for this fix.
+
+Fixes: ac584af59945 ("staging: comedi: me4000: fix firmware downloading")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20260205133949.71722-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/me4000.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/comedi/drivers/me4000.c
++++ b/drivers/comedi/drivers/me4000.c
+@@ -316,6 +316,18 @@ static int me4000_xilinx_download(struct
+ unsigned int val;
+ unsigned int i;
+
++ /* Get data stream length from header. */
++ if (size >= 4) {
++ file_length = (((unsigned int)data[0] & 0xff) << 24) +
++ (((unsigned int)data[1] & 0xff) << 16) +
++ (((unsigned int)data[2] & 0xff) << 8) +
++ ((unsigned int)data[3] & 0xff);
++ }
++ if (size < 16 || file_length > size - 16) {
++ dev_err(dev->class_dev, "Firmware length inconsistency\n");
++ return -EINVAL;
++ }
++
+ if (!xilinx_iobase)
+ return -ENODEV;
+
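Review bot: The length check added to me4000_xilinx_download() depends on short-circuit evaluation to stay correct: `file_length` is assigned only under `if (size >= 4)`, and `file_length > size - 16` is safe to evaluate only because `size < 16` is tested first in the same `||`. Testing `size < 16` on its own before decoding the header would remove the conditionally initialised variable and the separate `size >= 4` guard, and would make it obvious that `size - 16` cannot wrap. At minimum the check should carry a comment such as `/* size < 16 is tested first, so file_length is read only once set and size - 16 cannot wrap */`. The same construct is added to me2600_xilinx_download() in the me_daq.c patch. The function continues outside the hunk.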
+@@ -347,10 +359,6 @@ static int me4000_xilinx_download(struct
+ outl(val, devpriv->plx_regbase + PLX9052_CNTRL);
+
+ /* Download Xilinx firmware */
+- file_length = (((unsigned int)data[0] & 0xff) << 24) +
+- (((unsigned int)data[1] & 0xff) << 16) +
+- (((unsigned int)data[2] & 0xff) << 8) +
+- ((unsigned int)data[3] & 0xff);
+ usleep_range(10, 1000);
+
+ for (i = 0; i < file_length; i++) {
--- /dev/null
+From cc797d4821c754c701d9714b58bea947e31dbbe0 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Thu, 5 Feb 2026 14:01:30 +0000
+Subject: comedi: me_daq: Fix potential overrun of firmware buffer
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit cc797d4821c754c701d9714b58bea947e31dbbe0 upstream.
+
+`me2600_xilinx_download()` loads the firmware that was requested by
+`request_firmware()`. It is possible for it to overrun the source
+buffer because it blindly trusts the file format. It reads a data
+stream length from the first 4 bytes into variable `file_length` and
+reads the data stream contents of length `file_length` from offset 16
+onwards. Although it checks that the supplied firmware is at least 16
+bytes long, it does not check that it is long enough to contain the data
+stream.
+
+Add a test to ensure that the supplied firmware is long enough to
+contain the header and the data stream. On failure, log an error and
+return `-EINVAL`.
+
+Fixes: 85acac61096f9 ("Staging: comedi: add me_daq driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20260205140130.76697-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/me_daq.c | 35 +++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+--- a/drivers/comedi/drivers/me_daq.c
++++ b/drivers/comedi/drivers/me_daq.c
+@@ -345,6 +345,25 @@ static int me2600_xilinx_download(struct
+ unsigned int file_length;
+ unsigned int i;
+
++ /*
++ * Format of the firmware
++ * Build longs from the byte-wise coded header
++ * Byte 1-3: length of the array
++ * Byte 4-7: version
++ * Byte 8-11: date
++ * Byte 12-15: reserved
++ */
++ if (size >= 4) {
++ file_length = (((unsigned int)data[0] & 0xff) << 24) +
++ (((unsigned int)data[1] & 0xff) << 16) +
++ (((unsigned int)data[2] & 0xff) << 8) +
++ ((unsigned int)data[3] & 0xff);
++ }
++ if (size < 16 || file_length > size - 16) {
++ dev_err(dev->class_dev, "Firmware length inconsistency\n");
++ return -EINVAL;
++ }
++
+ /* disable irq's on PLX */
+ writel(0x00, devpriv->plx_regbase + PLX9052_INTCSR);
+
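Review bot: The header-format comment moved to the top of me2600_xilinx_download() still reads `Byte 1-3: length of the array`, while the code directly below it decodes the length from `data[0]` through `data[3]`. Since this comment now documents the bounds check, it should match the code, e.g. `Byte 0-3: length of the array (big-endian)`. It would also help to say there that the data stream starts at offset 16, which is what the `size - 16` in the check relies on. The function continues outside the hunk.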
+@@ -359,22 +378,6 @@ static int me2600_xilinx_download(struct
+ sleep(1);
+
+ /*
+- * Format of the firmware
+- * Build longs from the byte-wise coded header
+- * Byte 1-3: length of the array
+- * Byte 4-7: version
+- * Byte 8-11: date
+- * Byte 12-15: reserved
+- */
+- if (size < 16)
+- return -EINVAL;
+-
+- file_length = (((unsigned int)data[0] & 0xff) << 24) +
+- (((unsigned int)data[1] & 0xff) << 16) +
+- (((unsigned int)data[2] & 0xff) << 8) +
+- ((unsigned int)data[3] & 0xff);
+-
+- /*
+ * Loop for writing firmware byte by byte to xilinx
+ * Firmware data start at offset 16
+ */
--- /dev/null
+From 101ab946b79ad83b36d5cfd47de587492a80acf0 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 28 Jan 2026 15:00:10 +0000
+Subject: comedi: ni_atmio16d: Fix invalid clean-up after failed attach
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 101ab946b79ad83b36d5cfd47de587492a80acf0 upstream.
+
+If the driver's COMEDI "attach" handler function (`atmio16d_attach()`)
+returns an error, the COMEDI core will call the driver's "detach"
+handler function (`atmio16d_detach()`) to clean up. This calls
+`reset_atmio16d()` unconditionally, but depending on where the error
+occurred in the attach handler, the device may not have been
+sufficiently initialized to call `reset_atmio16d()`. It uses
+`dev->iobase` as the I/O port base address and `dev->private` as the
+pointer to the COMEDI device's private data structure. `dev->iobase`
+may still be set to its initial value of 0, which would result in
+undesired writes to low I/O port addresses. `dev->private` may still be
+`NULL`, which would result in null pointer dereferences.
+
+Fix `atmio16d_detach()` by checking that `dev->private` is valid
+(non-null) before calling `reset_atmio16d()`. This implies that
+`dev->iobase` was set correctly since that is set up before
+`dev->private`.
+
+Fixes: 2323b276308a ("Staging: comedi: add ni_at_atmio16d driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20260128150011.5006-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/ni_atmio16d.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/comedi/drivers/ni_atmio16d.c
++++ b/drivers/comedi/drivers/ni_atmio16d.c
+@@ -699,7 +699,8 @@ static int atmio16d_attach(struct comedi
+
+ static void atmio16d_detach(struct comedi_device *dev)
+ {
+- reset_atmio16d(dev);
++ if (dev->private)
++ reset_atmio16d(dev);
+ comedi_legacy_detach(dev);
+ }
+
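Review bot: The guard `if (dev->private)` in atmio16d_detach() stands in for two conditions, that the private data exists and that `dev->iobase` has been set, and the second holds only because of the order of assignments in atmio16d_attach(), which is outside this hunk. That ordering dependency is stated in the commit message but not in the code, so a later reordering of the attach path could bring back writes to low I/O port addresses without touching this function. A comment would pin it: `/* dev->private is set up after dev->iobase, so non-NULL implies both are valid */`.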
--- /dev/null
+From 4b9a9a6d71e3e252032f959fb3895a33acb5865c Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 25 Feb 2026 13:24:27 +0000
+Subject: comedi: Reinit dev->spinlock between attachments to low-level drivers
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 4b9a9a6d71e3e252032f959fb3895a33acb5865c upstream.
+
+`struct comedi_device` is the main controlling structure for a COMEDI
+device created by the COMEDI subsystem. It contains a member `spinlock`
+containing a spin-lock that is initialized by the COMEDI subsystem, but
+is reserved for use by a low-level driver attached to the COMEDI device
+(at least since commit 25436dc9d84f ("Staging: comedi: remove RT
+code")).
+
+Some COMEDI devices (those created on initialization of the COMEDI
+subsystem when the "comedi.comedi_num_legacy_minors" parameter is
+non-zero) can be attached to different low-level drivers over their
+lifetime using the `COMEDI_DEVCONFIG` ioctl command. This can result in
+inconsistent lock states being reported when there is a mismatch in the
+spin-lock locking levels used by each low-level driver to which the
+COMEDI device has been attached. Fix it by reinitializing
+`dev->spinlock` before calling the low-level driver's `attach` function
+pointer if `CONFIG_LOCKDEP` is enabled.
+
+Reported-by: syzbot+cc9f7f4a7df09f53c4a4@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=cc9f7f4a7df09f53c4a4
+Fixes: ed9eccbe8970 ("Staging: add comedi core")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20260225132427.86578-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/comedi/drivers.c
++++ b/drivers/comedi/drivers.c
+@@ -1001,6 +1001,14 @@ int comedi_device_attach(struct comedi_d
+ ret = -EIO;
+ goto out;
+ }
++ if (IS_ENABLED(CONFIG_LOCKDEP)) {
++ /*
++ * dev->spinlock is for private use by the attached low-level
++ * driver. Reinitialize it to stop lock-dependency tracking
++ * between attachments to different low-level drivers.
++ */
++ spin_lock_init(&dev->spinlock);
++ }
+ dev->driver = driv;
+ dev->board_name = dev->board_ptr ? *(const char **)dev->board_ptr
+ : dev->driver->driver_name;
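Review bot: Calling `spin_lock_init(&dev->spinlock)` in comedi_device_attach() is only sound if nothing can hold or be waiting on that lock at this point, and the new comment explains why the reinit is wanted but not why it is safe. If the invariant is that no low-level driver is attached here (likely, since this is the attach path, but the surrounding checks are outside the hunk), the comment should say so, for example by appending `No driver is attached at this point, so the lock cannot be held.` The function begins and ends outside the hunk.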
--- /dev/null
+From 9862ef9ab0a116c6dca98842aab7de13a252ae02 Mon Sep 17 00:00:00 2001
+From: Yifan Wu <yifanwucs@gmail.com>
+Date: Mon, 30 Mar 2026 14:39:24 -0700
+Subject: netfilter: ipset: drop logically empty buckets in mtype_del
+
+From: Yifan Wu <yifanwucs@gmail.com>
+
+commit 9862ef9ab0a116c6dca98842aab7de13a252ae02 upstream.
+
+mtype_del() counts empty slots below n->pos in k, but it only drops the
+bucket when both n->pos and k are zero. This misses buckets whose live
+entries have all been removed while n->pos still points past deleted slots.
+
+Treat a bucket as empty when all positions below n->pos are unused and
+release it directly instead of shrinking it further.
+
+Fixes: 8af1c6fbd923 ("netfilter: ipset: Fix forceadd evaluation path")
+Cc: stable@vger.kernel.org
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <dstsmallbird@foxmail.com>
+Signed-off-by: Yifan Wu <yifanwucs@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Reviewed-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipset/ip_set_hash_gen.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_hash_gen.h
++++ b/net/netfilter/ipset/ip_set_hash_gen.h
+@@ -1086,7 +1086,7 @@ mtype_del(struct ip_set *set, void *valu
+ if (!test_bit(i, n->used))
+ k++;
+ }
+- if (n->pos == 0 && k == 0) {
++ if (k == n->pos) {
+ t->hregion[r].ext_size -= ext_size(n->size, dsize);
+ rcu_assign_pointer(hbucket(t, key), NULL);
+ kfree_rcu(n, rcu);
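Review bot: The new condition `k == n->pos` in mtype_del() replaces a two-part test with a single comparison whose meaning depends on the counting loop above it, and no comment states that it means every slot below `n->pos` is unused. I would add `/* all slots below n->pos are unused: the bucket is logically empty, free it */` above the `if`. The comparison also covers the old `n->pos == 0` case, since `k` is then presumably still 0, though its initialisation is outside the hunk. The rest of mtype_del(), including the shrink path the commit message refers to, is not visible here.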
phy-renesas-rcar-gen3-usb2-move-irq-request-in-probe.patch
phy-renesas-rcar-gen3-usb2-lock-around-hardware-regi.patch
phy-renesas-rcar-gen3-usb2-assert-pll-reset-on-phy-p.patch
+bridge-br_nd_send-validate-nd-option-lengths.patch
+cdc-acm-new-quirk-for-epson-hmd.patch
+comedi-dt2815-add-hardware-detection-to-prevent-crash.patch
+comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch
+comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch
+comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch
+comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch
+netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch