From ddc4c170f05952418a7eae296ddf890e381bb552 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 27 Oct 2025 12:49:33 +0100
Subject: [PATCH] 6.6-stable patches

added patches:
	gpio-ljca-initialize-num-before-accessing-item-in-ljca_gpio_config.patch
---
 ...e-accessing-item-in-ljca_gpio_config.patch | 37 +++++++++++++++++++
 queue-6.6/series                              |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 queue-6.6/gpio-ljca-initialize-num-before-accessing-item-in-ljca_gpio_config.patch

diff --git a/queue-6.6/gpio-ljca-initialize-num-before-accessing-item-in-ljca_gpio_config.patch b/queue-6.6/gpio-ljca-initialize-num-before-accessing-item-in-ljca_gpio_config.patch
new file mode 100644
index 0000000000..998999a9fa
--- /dev/null
+++ b/queue-6.6/gpio-ljca-initialize-num-before-accessing-item-in-ljca_gpio_config.patch
@@ -0,0 +1,37 @@
+From 3396995f9fb6bcbe0004a68118a22f98bab6e2b9 Mon Sep 17 00:00:00 2001
+From: Haoyu Li <lihaoyu499@gmail.com>
+Date: Tue, 3 Dec 2024 22:14:51 +0800
+Subject: gpio: ljca: Initialize num before accessing item in ljca_gpio_config
+
+From: Haoyu Li <lihaoyu499@gmail.com>
+
+commit 3396995f9fb6bcbe0004a68118a22f98bab6e2b9 upstream.
+
+With the new __counted_by annocation in ljca_gpio_packet, the "num"
+struct member must be set before accessing the "item" array. Failing to
+do so will trigger a runtime warning when enabling CONFIG_UBSAN_BOUNDS
+and CONFIG_FORTIFY_SOURCE.
+
+Fixes: 1034cc423f1b ("gpio: update Intel LJCA USB GPIO driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoyu Li <lihaoyu499@gmail.com>
+Link: https://lore.kernel.org/stable/20241203141451.342316-1-lihaoyu499%40gmail.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-ljca.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-ljca.c
++++ b/drivers/gpio/gpio-ljca.c
+@@ -82,9 +82,9 @@ static int ljca_gpio_config(struct ljca_
+ 	int ret;
+ 
+ 	mutex_lock(&ljca_gpio->trans_lock);
++	packet->num = 1;
+ 	packet->item[0].index = gpio_id;
+ 	packet->item[0].value = config | ljca_gpio->connect_mode[gpio_id];
+-	packet->num = 1;
+ 
+ 	ret = ljca_transfer(ljca_gpio->ljca, LJCA_GPIO_CONFIG, (u8 *)packet,
+ 			    struct_size(packet, item, packet->num), NULL, 0);
diff --git a/queue-6.6/series b/queue-6.6/series
index d293453b1b..061b544ee7 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -81,3 +81,4 @@ x86-resctrl-fix-miscount-of-bandwidth-event-when-reactivating-previously-unavail
 s390-cio-update-purge-function-to-unregister-the-unused-subchannels.patch
 fuse-allocate-ff-release_args-only-if-release-is-needed.patch
 fuse-fix-livelock-in-synchronous-file-put-from-fuseblk-workers.patch
+gpio-ljca-initialize-num-before-accessing-item-in-ljca_gpio_config.patch
-- 
2.47.3