6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 4 Jun 2026 08:52:30 +0000 (10:52 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 4 Jun 2026 08:52:30 +0000 (10:52 +0200)
added patches:
auxdisplay-line-display-fix-oob-read-on-zero-length-message_store.patch
bluetooth-hidp-fix-missing-length-checks-in-hidp_input_report.patch
bluetooth-iso-fix-uaf-in-iso_recv_frame.patch
bluetooth-iso-serialize-iso_sock_clear_timer-with-socket-lock.patch
bluetooth-l2cap-fix-chan-ref-leak-in-l2cap_chan_timeout-on-conn.patch
bluetooth-l2cap-use-chan-timer-to-close-channels-in-cleanup_listen.patch
hpfs-fix-a-crash-if-hpfs_map_dnode_bitmap-fails.patch
iio-adc-viperboard-fix-error-handling-in-vprbrd_iio_read_raw.patch
iio-adc-xilinx-xadc-fix-sequencer-mode-in-postdisable-for-dual-mux.patch
iio-buffer-hw-consumer-fix-use-after-free-in-error-path.patch
iio-dac-ad5686-acquire-lock-when-doing-powerdown-control.patch
iio-dac-ad5686-fix-input-raw-value-check.patch
iio-dac-max5821-fix-return-value-check-in-powerdown-sync.patch
iio-gyro-itg3200-fix-i2c-read-into-the-wrong-stack-location.patch
iio-light-cm3323-fix-reg_conf-not-being-initialized-correctly.patch
iio-magnetometer-st_magn-fix-default-drdy-pin-selection-for-lis2mdl.patch
iio-ssp_sensors-cancel-delayed-work_refresh-on-remove.patch
iio-temperature-tsys01-fix-broken-prom-checksum-validation.patch
input-elan_i2c-validate-firmware-size-before-use.patch
ipc-limit-next_id-allocation-to-the-valid-id-range.patch
kvm-sev-warn-if-kvm-attempts-to-setup-scratch-area-with-min_len-0.patch
parport-fix-race-between-port-and-client-registration.patch
usb-cdc-acm-fix-bit-overlap-and-move-quirk-definitions-to-header.patch
usb-cdns3-gadget-fix-request-skipping-after-clearing-halt.patch
usb-cdns3-plat-fix-unbalanced-pm_runtime_forbid-call-permanently-leaks-the-runtime-pm-usage-counter-across-bind-unbind-cycles.patch
usb-dwc2-fix-use-after-free-in-debug-code.patch
usb-serial-omninet-fix-memory-corruption-with-small-endpoint.patch

28 files changed:
queue-6.1/auxdisplay-line-display-fix-oob-read-on-zero-length-message_store.patch [new file with mode: 0644]
queue-6.1/bluetooth-hidp-fix-missing-length-checks-in-hidp_input_report.patch [new file with mode: 0644]
queue-6.1/bluetooth-iso-fix-uaf-in-iso_recv_frame.patch [new file with mode: 0644]
queue-6.1/bluetooth-iso-serialize-iso_sock_clear_timer-with-socket-lock.patch [new file with mode: 0644]
queue-6.1/bluetooth-l2cap-fix-chan-ref-leak-in-l2cap_chan_timeout-on-conn.patch [new file with mode: 0644]
queue-6.1/bluetooth-l2cap-use-chan-timer-to-close-channels-in-cleanup_listen.patch [new file with mode: 0644]
queue-6.1/hpfs-fix-a-crash-if-hpfs_map_dnode_bitmap-fails.patch [new file with mode: 0644]
queue-6.1/iio-adc-viperboard-fix-error-handling-in-vprbrd_iio_read_raw.patch [new file with mode: 0644]
queue-6.1/iio-adc-xilinx-xadc-fix-sequencer-mode-in-postdisable-for-dual-mux.patch [new file with mode: 0644]
queue-6.1/iio-buffer-hw-consumer-fix-use-after-free-in-error-path.patch [new file with mode: 0644]
queue-6.1/iio-dac-ad5686-acquire-lock-when-doing-powerdown-control.patch [new file with mode: 0644]
queue-6.1/iio-dac-ad5686-fix-input-raw-value-check.patch [new file with mode: 0644]
queue-6.1/iio-dac-max5821-fix-return-value-check-in-powerdown-sync.patch [new file with mode: 0644]
queue-6.1/iio-gyro-itg3200-fix-i2c-read-into-the-wrong-stack-location.patch [new file with mode: 0644]
queue-6.1/iio-light-cm3323-fix-reg_conf-not-being-initialized-correctly.patch [new file with mode: 0644]
queue-6.1/iio-magnetometer-st_magn-fix-default-drdy-pin-selection-for-lis2mdl.patch [new file with mode: 0644]
queue-6.1/iio-ssp_sensors-cancel-delayed-work_refresh-on-remove.patch [new file with mode: 0644]
queue-6.1/iio-temperature-tsys01-fix-broken-prom-checksum-validation.patch [new file with mode: 0644]
queue-6.1/input-elan_i2c-validate-firmware-size-before-use.patch [new file with mode: 0644]
queue-6.1/ipc-limit-next_id-allocation-to-the-valid-id-range.patch [new file with mode: 0644]
queue-6.1/kvm-sev-warn-if-kvm-attempts-to-setup-scratch-area-with-min_len-0.patch [new file with mode: 0644]
queue-6.1/parport-fix-race-between-port-and-client-registration.patch [new file with mode: 0644]
queue-6.1/series
queue-6.1/usb-cdc-acm-fix-bit-overlap-and-move-quirk-definitions-to-header.patch [new file with mode: 0644]
queue-6.1/usb-cdns3-gadget-fix-request-skipping-after-clearing-halt.patch [new file with mode: 0644]
queue-6.1/usb-cdns3-plat-fix-unbalanced-pm_runtime_forbid-call-permanently-leaks-the-runtime-pm-usage-counter-across-bind-unbind-cycles.patch [new file with mode: 0644]
queue-6.1/usb-dwc2-fix-use-after-free-in-debug-code.patch [new file with mode: 0644]
queue-6.1/usb-serial-omninet-fix-memory-corruption-with-small-endpoint.patch [new file with mode: 0644]

diff --git a/queue-6.1/auxdisplay-line-display-fix-oob-read-on-zero-length-message_store.patch b/queue-6.1/auxdisplay-line-display-fix-oob-read-on-zero-length-message_store.patch
new file mode 100644 (file)
index 0000000..4d82248
--- /dev/null
@@ -0,0 +1,62 @@
+From a7511dcd9dd4bc55d123f9b800c8a4ed2662e5c6 Mon Sep 17 00:00:00 2001
+From: Stepan Ionichev <sozdayvek@gmail.com>
+Date: Thu, 14 May 2026 22:43:42 +0500
+Subject: auxdisplay: line-display: fix OOB read on zero-length message_store()
+
+From: Stepan Ionichev <sozdayvek@gmail.com>
+
+commit a7511dcd9dd4bc55d123f9b800c8a4ed2662e5c6 upstream.
+
+linedisp_display() unconditionally reads msg[count - 1] before
+checking whether count is zero, so a write of zero bytes to the
+message sysfs attribute hits msg[-1]:
+
+       write(fd, "", 0);
+
+       -> message_store(..., buf, count=0)
+          -> linedisp_display(linedisp, buf, count=0)
+             -> msg[count - 1] == '\n'  ; OOB read
+
+The kernfs write buffer for that store is a 1-byte allocation
+(kernfs_fop_write_iter() does kmalloc(len + 1) with len == 0),
+so msg[-1] is a 1-byte read before the slab object. On a
+KASAN-enabled kernel this trips an out-of-bounds report and
+panics; on stock kernels it silently reads adjacent slab data
+and, if that byte happens to be '\n', the following count--
+wraps ssize_t 0 to -1 and is then passed to kmemdup_nul().
+
+linedisp_display() is reached from the message_store() sysfs
+callback (drivers/auxdisplay/line-display.c message attribute,
+mode 0644) and from the in-tree initial-message setup with
+count == -1, so the OOB path is only userspace-triggerable via
+zero-byte writes; vfs_write() does not short-circuit on
+count == 0 and kernfs_fop_write_iter() dispatches the store
+callback regardless.
+
+Guard the trailing-newline trim with a count check. The
+existing if (!count) block then takes the clear-display path
+unchanged.
+
+Affects every auxdisplay driver that registers via
+linedisp_register() / linedisp_attach(): ht16k33, max6959,
+img-ascii-lcd, seg-led-gpio.
+
+Fixes: 7e76aece6f03 ("auxdisplay: Extract character line display core support")
+Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/auxdisplay/line-display.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/auxdisplay/line-display.c
++++ b/drivers/auxdisplay/line-display.c
+@@ -80,7 +80,7 @@ static int linedisp_display(struct lined
+               count = strlen(msg);
+       /* if the string ends with a newline, trim it */
+-      if (msg[count - 1] == '\n')
++      if (count && msg[count - 1] == '\n')
+               count--;
+       if (!count) {
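Review bot: The new guard `if (count && msg[count - 1] == '\n')` only excludes zero; count is an ssize_t (the commit message describes the 0 to -1 wrap) and the in-tree caller passes -1, which the `count = strlen(msg);` branch above converts, so any other negative value would still index before the buffer. Writing the trim as `if (count > 0 && msg[count - 1] == '\n')` costs nothing and makes it safe regardless of what a future caller passes. Whether any other negative count can reach this point is not visible in the hunk, so treat this as hardening rather than a defect in the fix. linedisp_display() starts and ends outside the hunk.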
diff --git a/queue-6.1/bluetooth-hidp-fix-missing-length-checks-in-hidp_input_report.patch b/queue-6.1/bluetooth-hidp-fix-missing-length-checks-in-hidp_input_report.patch
new file mode 100644 (file)
index 0000000..22b9ac5
--- /dev/null
@@ -0,0 +1,80 @@
+From 2a3ac9ee11dbb9845f3947cef4a79dba658cf6f6 Mon Sep 17 00:00:00 2001
+From: Muhammad Bilal <meatuni001@gmail.com>
+Date: Wed, 20 May 2026 18:56:43 -0400
+Subject: Bluetooth: HIDP: fix missing length checks in hidp_input_report()
+
+From: Muhammad Bilal <meatuni001@gmail.com>
+
+commit 2a3ac9ee11dbb9845f3947cef4a79dba658cf6f6 upstream.
+
+hidp_input_report() reads keyboard and mouse payload data from an skb
+without first verifying that skb->len contains enough data.
+
+hidp_recv_intr_frame() pulls the 1-byte HIDP header before dispatching
+to hidp_input_report(). If a paired device sends a truncated packet,
+the handler reads beyond the valid skb data, resulting in an
+out-of-bounds read of skb data. The OOB bytes may be interpreted as
+phantom key presses or spurious mouse movement.
+
+Replace the open-coded length tracking and pointer arithmetic with
+skb_pull_data() calls. skb_pull_data() returns NULL if the requested
+bytes are not present, eliminating the need for a manual size variable
+and the separate skb->len guard.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hidp/core.c |   23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -179,12 +179,21 @@ static void hidp_input_report(struct hid
+ {
+       struct input_dev *dev = session->input;
+       unsigned char *keys = session->keys;
+-      unsigned char *udata = skb->data + 1;
+-      signed char *sdata = skb->data + 1;
+-      int i, size = skb->len - 1;
++      unsigned char *udata;
++      signed char *sdata;
++      u8 *hdr;
++      int i;
++
++      hdr = skb_pull_data(skb, 1);
++      if (!hdr)
++              return;
+-      switch (skb->data[0]) {
++      switch (*hdr) {
+       case 0x01:      /* Keyboard report */
++              udata = skb_pull_data(skb, 8);
++              if (!udata)
++                      break;
++
+               for (i = 0; i < 8; i++)
+                       input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1);
+@@ -213,6 +222,10 @@ static void hidp_input_report(struct hid
+               break;
+       case 0x02:      /* Mouse report */
++              sdata = skb_pull_data(skb, 3);
++              if (!sdata)
++                      break;
++
+               input_report_key(dev, BTN_LEFT,   sdata[0] & 0x01);
+               input_report_key(dev, BTN_RIGHT,  sdata[0] & 0x02);
+               input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04);
+@@ -222,7 +235,7 @@ static void hidp_input_report(struct hid
+               input_report_rel(dev, REL_X, sdata[1]);
+               input_report_rel(dev, REL_Y, sdata[2]);
+-              if (size > 3)
++              if (skb->len > 0)
+                       input_report_rel(dev, REL_WHEEL, sdata[3]);
+               break;
+       }
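Review bot: The optional wheel byte in the mouse case is still read by peeking past the pulled region, `if (skb->len > 0) input_report_rel(dev, REL_WHEEL, sdata[3]);`, while every other field now goes through skb_pull_data(); pulling that byte the same way would keep the bounds reasoning in one place instead of relying on sdata[3] coinciding with the current skb->data. For instance `wheel = skb_pull_data(skb, 1); if (wheel) input_report_rel(dev, REL_WHEEL, *wheel);` with a `signed char *wheel;` declaration alongside sdata. As written the check is equivalent (three bytes were pulled, so skb->len > 0 means a fourth byte exists), so this is a style point, not a correctness one. hidp_input_report() continues outside the hunk.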
diff --git a/queue-6.1/bluetooth-iso-fix-uaf-in-iso_recv_frame.patch b/queue-6.1/bluetooth-iso-fix-uaf-in-iso_recv_frame.patch
new file mode 100644 (file)
index 0000000..b1e481f
--- /dev/null
@@ -0,0 +1,57 @@
+From 47f23a259517abbdb8032c057a1e8a6bf3734878 Mon Sep 17 00:00:00 2001
+From: Muhammad Bilal <meatuni001@gmail.com>
+Date: Wed, 27 May 2026 04:59:17 +0000
+Subject: Bluetooth: ISO: fix UAF in iso_recv_frame
+
+From: Muhammad Bilal <meatuni001@gmail.com>
+
+commit 47f23a259517abbdb8032c057a1e8a6bf3734878 upstream.
+
+iso_recv_frame reads conn->sk under iso_conn_lock but releases the lock
+before using sk, with no reference held. A concurrent iso_sock_kill()
+can free sk in that window, causing use-after-free on sk->sk_state and
+sock_queue_rcv_skb().
+
+Fix by replacing the bare pointer read with iso_sock_hold(conn), which
+calls sock_hold() while the spinlock is held, atomically elevating the
+refcount before the lock drops. Add a drop_put label so sock_put() is
+called on all exit paths where the hold succeeded.
+
+Fixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a ("Bluetooth: Add BTPROTO_ISO socket type")
+Cc: stable@vger.kernel.org
+Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/iso.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -445,7 +445,7 @@ static void iso_recv_frame(struct iso_co
+       struct sock *sk;
+       iso_conn_lock(conn);
+-      sk = conn->sk;
++      sk = iso_sock_hold(conn);
+       iso_conn_unlock(conn);
+       if (!sk)
+@@ -454,11 +454,15 @@ static void iso_recv_frame(struct iso_co
+       BT_DBG("sk %p len %d", sk, skb->len);
+       if (sk->sk_state != BT_CONNECTED)
+-              goto drop;
++              goto drop_put;
+-      if (!sock_queue_rcv_skb(sk, skb))
++      if (!sock_queue_rcv_skb(sk, skb)) {
++              sock_put(sk);
+               return;
++      }
++drop_put:
++      sock_put(sk);
+ drop:
+       kfree_skb(skb);
+ }
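Review bot: The reason the hold has to happen inside iso_conn_lock() is explained only in the commit message; the line `sk = iso_sock_hold(conn);` deserves a comment such as `/* take a ref under the conn lock so sk survives the unlock below */`, because the next reader will see the unlocked `sk->sk_state != BT_CONNECTED` test a few lines later and wonder what keeps sk alive. That reference protects the memory, not the state, so the sk_state comparison remains a benign race; noting that inline would also help. iso_recv_frame() starts before the first hunk.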
diff --git a/queue-6.1/bluetooth-iso-serialize-iso_sock_clear_timer-with-socket-lock.patch b/queue-6.1/bluetooth-iso-serialize-iso_sock_clear_timer-with-socket-lock.patch
new file mode 100644 (file)
index 0000000..9767dc4
--- /dev/null
@@ -0,0 +1,59 @@
+From 4b5f8e608749b7e8fa386c6e4301cf9272595859 Mon Sep 17 00:00:00 2001
+From: Muhammad Bilal <meatuni001@gmail.com>
+Date: Wed, 27 May 2026 04:59:18 +0000
+Subject: Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock
+
+From: Muhammad Bilal <meatuni001@gmail.com>
+
+commit 4b5f8e608749b7e8fa386c6e4301cf9272595859 upstream.
+
+iso_sock_close() calls iso_sock_clear_timer() before acquiring
+lock_sock(sk).
+
+iso_sock_clear_timer() reads iso_pi(sk)->conn twice without the
+socket lock held:
+
+    if (!iso_pi(sk)->conn)
+        return;
+    cancel_delayed_work(&iso_pi(sk)->conn->timeout_work);
+
+Concurrently, iso_conn_del() executes under lock_sock(sk) and calls
+iso_chan_del(), which sets iso_pi(sk)->conn to NULL and may result in
+the final reference to the connection being dropped:
+
+    CPU0                         CPU1
+    ----                         ----
+    iso_sock_clear_timer()
+      if (conn != NULL) ...      lock_sock(sk)
+                                   iso_chan_del()
+                                   iso_pi(sk)->conn = NULL
+      cancel_delayed_work(conn)  /* NULL deref or UAF */
+
+iso_pi(sk)->conn is not stable across the unlock window, causing a
+NULL pointer dereference or use-after-free.
+
+Serialize iso_sock_clear_timer() with the socket lock by moving it
+inside lock_sock()/release_sock(), matching the pattern used in
+iso_conn_del() and all other call sites.
+
+Fixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a ("Bluetooth: Add BTPROTO_ISO socket type")
+Cc: stable@vger.kernel.org
+Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/iso.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -666,8 +666,8 @@ static void __iso_sock_close(struct sock
+ /* Must be called on unlocked socket. */
+ static void iso_sock_close(struct sock *sk)
+ {
+-      iso_sock_clear_timer(sk);
+       lock_sock(sk);
++      iso_sock_clear_timer(sk);
+       __iso_sock_close(sk);
+       release_sock(sk);
+       iso_sock_kill(sk);
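Review bot: Moving `iso_sock_clear_timer(sk);` under lock_sock() fixes the race but leaves no hint that the ordering is deliberate; a one-line comment on the moved call, `/* iso_pi(sk)->conn is only stable under the socket lock */`, would keep a later refactor from hoisting it back above the lock. The `Must be called on unlocked socket.` comment above iso_sock_close() remains accurate. Since the helper uses cancel_delayed_work() rather than the _sync variant (as quoted in the commit message), calling it with the socket lock held should not wait on a work item that itself takes the lock, though that is inferred rather than visible here.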
diff --git a/queue-6.1/bluetooth-l2cap-fix-chan-ref-leak-in-l2cap_chan_timeout-on-conn.patch b/queue-6.1/bluetooth-l2cap-fix-chan-ref-leak-in-l2cap_chan_timeout-on-conn.patch
new file mode 100644 (file)
index 0000000..93138b1
--- /dev/null
@@ -0,0 +1,40 @@
+From 9dbd84990394c51f5cee1e8871bb5ff8af5ed939 Mon Sep 17 00:00:00 2001
+From: Siwei Zhang <oss@fourdim.xyz>
+Date: Wed, 20 May 2026 22:30:36 -0400
+Subject: Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn
+
+From: Siwei Zhang <oss@fourdim.xyz>
+
+commit 9dbd84990394c51f5cee1e8871bb5ff8af5ed939 upstream.
+
+__set_chan_timer() takes a l2cap_chan reference via l2cap_chan_hold()
+before scheduling the delayed work.  The normal path in
+l2cap_chan_timeout() drops this reference with l2cap_chan_put() at the
+end, but the early return when chan->conn is NULL skips the put,
+leaking the reference.
+
+Add the missing l2cap_chan_put() before the early return.
+
+Fixes: adf0398cee86 ("Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout")
+Cc: stable@vger.kernel.org
+Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_core.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -435,8 +435,10 @@ static void l2cap_chan_timeout(struct wo
+       BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
+-      if (!conn)
++      if (!conn) {
++              l2cap_chan_put(chan);
+               return;
++      }
+       mutex_lock(&conn->chan_lock);
+       /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling
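Review bot: The added `l2cap_chan_put(chan);` in the `!conn` early return is correct but uncommented, while the balancing put at the end of the function is explained by the `__set_chan_timer() calls l2cap_chan_hold(chan)` comment visible at the bottom of the hunk. A short comment on the new line, `/* drop the reference taken by __set_chan_timer() */`, would make the pairing explicit for whoever next touches the early-exit path. l2cap_chan_timeout() starts and ends outside the hunk.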
diff --git a/queue-6.1/bluetooth-l2cap-use-chan-timer-to-close-channels-in-cleanup_listen.patch b/queue-6.1/bluetooth-l2cap-use-chan-timer-to-close-channels-in-cleanup_listen.patch
new file mode 100644 (file)
index 0000000..23d6835
--- /dev/null
@@ -0,0 +1,69 @@
+From 8c8e620467a7b51562dbcefbd1f09f288d7d710d Mon Sep 17 00:00:00 2001
+From: Siwei Zhang <oss@fourdim.xyz>
+Date: Wed, 20 May 2026 22:12:20 -0400
+Subject: Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
+
+From: Siwei Zhang <oss@fourdim.xyz>
+
+commit 8c8e620467a7b51562dbcefbd1f09f288d7d710d upstream.
+
+l2cap_chan_close() removes the channel from conn->chan_l, which
+must be done under conn->lock.  cleanup_listen() runs under the
+parent sk_lock, so acquiring conn->lock would invert the
+established conn->lock -> chan->lock -> sk_lock order.
+
+Instead of calling l2cap_chan_close() directly, schedule
+l2cap_chan_timeout with delay 0 to close the channel
+asynchronously.  The timeout handler already acquires conn->lock
+and chan->lock in the correct order.
+
+The timer is only armed when chan->conn is still set: if it is
+already NULL, l2cap_conn_del() has already processed this channel
+(l2cap_chan_del + l2cap_sock_teardown_cb + l2cap_sock_close_cb),
+so there is nothing left to do.  If l2cap_conn_del() races in
+after the timer is armed, __clear_chan_timer() inside
+l2cap_chan_del() cancels it; if the timer has already fired, the
+handler returns harmlessly because chan->conn was cleared.
+
+Fixes: 3df91ea20e74 ("Bluetooth: Revert to mutexes from RCU list")
+Cc: <stable@vger.kernel.org> # 0b58004: Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
+Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_sock.c |   16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1501,6 +1501,10 @@ static void l2cap_sock_cleanup_listen(st
+        * pin it (hold_unless_zero() additionally skips a chan already past
+        * its last reference).  We then drop the sk lock before taking
+        * chan->lock, so sk and chan locks are never held together.
++       *
++       * Since we cannot call l2cap_chan_close() without conn->lock,
++       * schedule l2cap_chan_timeout to close the channel; it already
++       * acquires conn->lock -> chan->lock in the correct order.
+        */
+       while ((sk = bt_accept_dequeue(parent, NULL))) {
+               struct l2cap_chan *chan;
+@@ -1518,14 +1522,12 @@ static void l2cap_sock_cleanup_listen(st
+                      state_to_string(chan->state));
+               l2cap_chan_lock(chan);
+-              __clear_chan_timer(chan);
+-              l2cap_chan_close(chan, ECONNRESET);
+-              /* l2cap_conn_del() may already have killed this socket
+-               * (it sets SOCK_DEAD); skip the duplicate to avoid a
+-               * double sock_put()/l2cap_chan_put().
++              /* Since we cannot call l2cap_chan_close() without
++               * conn->lock, schedule its timer to trigger the close
++               * and cleanup of this channel.
+                */
+-              if (!sock_flag(sk, SOCK_DEAD))
+-                      l2cap_sock_kill(sk);
++              if (chan->conn)
++                      __set_chan_timer(chan, 0);
+               l2cap_chan_unlock(chan);
+               l2cap_chan_put(chan);
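Review bot: The same rationale is now written twice: the loop-head block comment gains `Since we cannot call l2cap_chan_close() without conn->lock, schedule l2cap_chan_timeout ...` and the inline comment just before `if (chan->conn)` repeats it almost word for word. One copy should go, and the inline one is the better place to state the fact that only the commit message currently explains, e.g. `/* conn == NULL means l2cap_conn_del() already tore this chan down */`, since that is what the condition on `if (chan->conn)` actually encodes. Keeping both risks the two drifting apart on the next change. l2cap_sock_cleanup_listen() starts before and ends after the hunk.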
diff --git a/queue-6.1/hpfs-fix-a-crash-if-hpfs_map_dnode_bitmap-fails.patch b/queue-6.1/hpfs-fix-a-crash-if-hpfs_map_dnode_bitmap-fails.patch
new file mode 100644 (file)
index 0000000..772c2de
--- /dev/null
@@ -0,0 +1,32 @@
+From 974820a59efde7c1a7e1260bcfe9bb81f833cc9f Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Mon, 25 May 2026 14:48:58 +0200
+Subject: hpfs: fix a crash if hpfs_map_dnode_bitmap fails
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 974820a59efde7c1a7e1260bcfe9bb81f833cc9f upstream.
+
+If hpfs_map_dnode_bitmap fails, the code would call hpfs_brelse4 on
+uninitialized quad buffer head, causing a crash.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Reported-by: Farhad Alemi <farhad.alemi@berkeley.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/hpfs/alloc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/hpfs/alloc.c
++++ b/fs/hpfs/alloc.c
+@@ -372,8 +372,8 @@ int hpfs_check_free_dnodes(struct super_
+                               return 0;
+                       }
+               }
++              hpfs_brelse4(&qbh);
+       }
+-      hpfs_brelse4(&qbh);
+       i = 0;
+       if (hpfs_sb(s)->sb_c_bitmap != -1) {
+               bmp = hpfs_map_bitmap(s, b, &qbh, "chkdn1");
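Review bot: The relocated `hpfs_brelse4(&qbh);` is now reached only when the dnode bitmap was mapped, but nothing at the call site says why it must stay inside the block; a comment such as `/* qbh is only initialised when hpfs_map_dnode_bitmap() succeeded */` would stop someone hoisting it back out. The closing braces in the hunk suggest this is the tail of the `hpfs_map_dnode_bitmap(s, &qbh)` block, but its head and the rest of hpfs_check_free_dnodes() are outside the hunk. The hpfs_map_bitmap() path that starts at the last line of the hunk presumably follows the same release-on-success pattern; worth confirming while here.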
diff --git a/queue-6.1/iio-adc-viperboard-fix-error-handling-in-vprbrd_iio_read_raw.patch b/queue-6.1/iio-adc-viperboard-fix-error-handling-in-vprbrd_iio_read_raw.patch
new file mode 100644 (file)
index 0000000..4621c00
--- /dev/null
@@ -0,0 +1,44 @@
+From 422b5bbf333f75fb486855ad0eedc23cf21f3277 Mon Sep 17 00:00:00 2001
+From: Salah Triki <salah.triki@gmail.com>
+Date: Thu, 7 May 2026 20:07:51 +0100
+Subject: iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Salah Triki <salah.triki@gmail.com>
+
+commit 422b5bbf333f75fb486855ad0eedc23cf21f3277 upstream.
+
+The driver proceeds to the reception phase even if the preceding
+transmission fails.
+
+This uses a goto error label for an early bail out and ensures the mutex is
+properly unlocked in case of failure.
+
+Fixes: ffd8a6e7a778 ("iio: adc: Add viperboard adc driver")
+Signed-off-by: Salah Triki <salah.triki@gmail.com>
+Reviewed-by: Joshua Crofts <joshua.crofts1@gmail.com>
+Reviewed-by: Maxwell Doose <m32285159@gmail.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/viperboard_adc.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/viperboard_adc.c
++++ b/drivers/iio/adc/viperboard_adc.c
+@@ -70,8 +70,10 @@ static int vprbrd_iio_read_raw(struct ii
+                       VPRBRD_USB_TYPE_OUT, 0x0000, 0x0000, admsg,
+                       sizeof(struct vprbrd_adc_msg), VPRBRD_USB_TIMEOUT_MS);
+               if (ret != sizeof(struct vprbrd_adc_msg)) {
+-                      dev_err(&iio_dev->dev, "usb send error on adc read\n");
++                      mutex_unlock(&vb->lock);
+                       error = -EREMOTEIO;
++                      dev_err(&iio_dev->dev, "usb send error on adc read\n");
++                      goto error;
+               }
+               ret = usb_control_msg(vb->usb_dev,
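Review bot: The new bail-out unlocks inline, `mutex_unlock(&vb->lock);` followed by `goto error;`, rather than jumping to a label that unlocks, so the send-error path and the receive path that follows (outside the hunk) presumably release the lock at two different sites. An `err_unlock:` label ahead of `error:` holding the single `mutex_unlock(&vb->lock);` is the usual kernel shape for a function that takes a lock early in the case and would keep one unlock site. The statement order is also a little surprising, with `error = -EREMOTEIO;` and the dev_err() placed after the unlock; leaving the existing dev_err() where it was and adding only the unlock and goto reads more naturally. vprbrd_iio_read_raw() continues outside the hunk.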
diff --git a/queue-6.1/iio-adc-xilinx-xadc-fix-sequencer-mode-in-postdisable-for-dual-mux.patch b/queue-6.1/iio-adc-xilinx-xadc-fix-sequencer-mode-in-postdisable-for-dual-mux.patch
new file mode 100644 (file)
index 0000000..019e138
--- /dev/null
@@ -0,0 +1,75 @@
+From 852534744c2d35626a604f128ff0b8ec12805591 Mon Sep 17 00:00:00 2001
+From: Christofer Jonason <christofer.jonason@guidelinegeo.com>
+Date: Wed, 4 Mar 2026 10:07:27 +0100
+Subject: iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christofer Jonason <christofer.jonason@guidelinegeo.com>
+
+commit 852534744c2d35626a604f128ff0b8ec12805591 upstream.
+
+xadc_postdisable() unconditionally sets the sequencer to continuous
+mode. For dual external multiplexer configurations this is incorrect:
+simultaneous sampling mode is required so that ADC-A samples through
+the mux on VAUX[0-7] while ADC-B simultaneously samples through the
+mux on VAUX[8-15]. In continuous mode only ADC-A is active, so
+VAUX[8-15] channels return incorrect data.
+
+Since postdisable is also called from xadc_probe() to set the initial
+idle state, the wrong sequencer mode is active from the moment the
+driver loads.
+
+The preenable path already uses xadc_get_seq_mode() which returns
+SIMULTANEOUS for dual mux. Fix postdisable to do the same.
+
+Fixes: bdc8cda1d010 ("iio:adc: Add Xilinx XADC driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christofer Jonason <christofer.jonason@guidelinegeo.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Reviewed-by: Salih Erim <salih.erim@amd.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/xilinx-xadc-core.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/adc/xilinx-xadc-core.c
++++ b/drivers/iio/adc/xilinx-xadc-core.c
+@@ -821,6 +821,7 @@ static int xadc_postdisable(struct iio_d
+ {
+       struct xadc *xadc = iio_priv(indio_dev);
+       unsigned long scan_mask;
++      int seq_mode;
+       int ret;
+       int i;
+@@ -828,6 +829,12 @@ static int xadc_postdisable(struct iio_d
+       for (i = 0; i < indio_dev->num_channels; i++)
+               scan_mask |= BIT(indio_dev->channels[i].scan_index);
++      /*
++       * Use the correct sequencer mode for the idle state: simultaneous
++       * mode for dual external mux configurations, continuous otherwise.
++       */
++      seq_mode = xadc_get_seq_mode(xadc, scan_mask);
++
+       /* Enable all channels and calibration */
+       ret = xadc_write_adc_reg(xadc, XADC_REG_SEQ(0), scan_mask & 0xffff);
+       if (ret)
+@@ -838,11 +845,11 @@ static int xadc_postdisable(struct iio_d
+               return ret;
+       ret = xadc_update_adc_reg(xadc, XADC_REG_CONF1, XADC_CONF1_SEQ_MASK,
+-              XADC_CONF1_SEQ_CONTINUOUS);
++                                seq_mode);
+       if (ret)
+               return ret;
+-      return xadc_power_adc_b(xadc, XADC_CONF1_SEQ_CONTINUOUS);
++      return xadc_power_adc_b(xadc, seq_mode);
+ }
+ static int xadc_preenable(struct iio_dev *indio_dev)
diff --git a/queue-6.1/iio-buffer-hw-consumer-fix-use-after-free-in-error-path.patch b/queue-6.1/iio-buffer-hw-consumer-fix-use-after-free-in-error-path.patch
new file mode 100644 (file)
index 0000000..5f811ee
--- /dev/null
@@ -0,0 +1,54 @@
+From 6f5ed4f2c7c83f33344e0ba179f72a12e5dad4a4 Mon Sep 17 00:00:00 2001
+From: Felix Gu <ustc.gu@gmail.com>
+Date: Thu, 30 Apr 2026 21:29:06 +0800
+Subject: iio: buffer: hw-consumer: fix use-after-free in error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Felix Gu <ustc.gu@gmail.com>
+
+commit 6f5ed4f2c7c83f33344e0ba179f72a12e5dad4a4 upstream.
+
+In the err_put_buffers cleanup path of iio_hw_consumer_alloc(), the code
+was using list_for_each_entry() to iterate through buffers while calling
+iio_buffer_put() which can free the current buffer if refcount drops to 0.
+The list_for_each_entry() loop macro then evaluates buf->head.next to
+continue iteration, accessing the freed buffer.
+
+Fix this by using list_for_each_entry_safe().
+
+Fixes: 48b66f8f936f ("iio: Add hardware consumer buffer support")
+Reported-by: sashiko <sashiko-bot@kernel.org>
+Closes: https://sashiko.dev/#/patchset/20260427-iio_buf-v1-1-2bbdac844647%40gmail.com
+Signed-off-by: Felix Gu <ustc.gu@gmail.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Reviewed-by: Maxwell Doose <m32285159@gmail.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/buffer/industrialio-hw-consumer.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/buffer/industrialio-hw-consumer.c
++++ b/drivers/iio/buffer/industrialio-hw-consumer.c
+@@ -82,7 +82,7 @@ static struct hw_consumer_buffer *iio_hw
+  */
+ struct iio_hw_consumer *iio_hw_consumer_alloc(struct device *dev)
+ {
+-      struct hw_consumer_buffer *buf;
++      struct hw_consumer_buffer *buf, *tmp;
+       struct iio_hw_consumer *hwc;
+       struct iio_channel *chan;
+       int ret;
+@@ -113,7 +113,7 @@ struct iio_hw_consumer *iio_hw_consumer_
+       return hwc;
+ err_put_buffers:
+-      list_for_each_entry(buf, &hwc->buffers, head)
++      list_for_each_entry_safe(buf, tmp, &hwc->buffers, head)
+               iio_buffer_put(&buf->buffer);
+       iio_channel_release_all(hwc->channels);
+ err_free_hwc:
diff --git a/queue-6.1/iio-dac-ad5686-acquire-lock-when-doing-powerdown-control.patch b/queue-6.1/iio-dac-ad5686-acquire-lock-when-doing-powerdown-control.patch
new file mode 100644 (file)
index 0000000..2bf6678
--- /dev/null
@@ -0,0 +1,63 @@
+From 5237c3175cae5ab05f18878cec3301a04403859e Mon Sep 17 00:00:00 2001
+From: Rodrigo Alencar <rodrigo.alencar@analog.com>
+Date: Tue, 5 May 2026 13:35:04 +0100
+Subject: iio: dac: ad5686: acquire lock when doing powerdown control
+
+From: Rodrigo Alencar <rodrigo.alencar@analog.com>
+
+commit 5237c3175cae5ab05f18878cec3301a04403859e upstream.
+
+Protect access of pwr_down_mode and pwr_down_mask fields with existing
+mutex lock. Each channel exposes their own attributes for controlling
+powerdown modes and powerdown state. This fixes potential race conditions
+as those the write functions perform non-atomic read-modify-write
+operations to those pwr_down_* fields. This issue exists since the ad5686
+driver was first introduced.
+
+Fixes: c2f37c8dcadc ("iio: dac: New driver for AD5686R, AD5685R, AD5684R Digital to analog converters")
+Signed-off-by: Rodrigo Alencar <rodrigo.alencar@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/dac/ad5686.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/iio/dac/ad5686.c
++++ b/drivers/iio/dac/ad5686.c
+@@ -30,6 +30,8 @@ static int ad5686_get_powerdown_mode(str
+ {
+       struct ad5686_state *st = iio_priv(indio_dev);
++      guard(mutex)(&st->lock);
++
+       return ((st->pwr_down_mode >> (chan->channel * 2)) & 0x3) - 1;
+ }
+@@ -39,6 +41,8 @@ static int ad5686_set_powerdown_mode(str
+ {
+       struct ad5686_state *st = iio_priv(indio_dev);
++      guard(mutex)(&st->lock);
++
+       st->pwr_down_mode &= ~(0x3 << (chan->channel * 2));
+       st->pwr_down_mode |= ((mode + 1) << (chan->channel * 2));
+@@ -57,6 +61,8 @@ static ssize_t ad5686_read_dac_powerdown
+ {
+       struct ad5686_state *st = iio_priv(indio_dev);
++      guard(mutex)(&st->lock);
++
+       return sysfs_emit(buf, "%d\n", !!(st->pwr_down_mask &
+                                      (0x3 << (chan->channel * 2))));
+ }
+@@ -77,6 +83,8 @@ static ssize_t ad5686_write_dac_powerdow
+       if (ret)
+               return ret;
++      guard(mutex)(&st->lock);
++
+       if (readin)
+               st->pwr_down_mask |= (0x3 << (chan->channel * 2));
+       else
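Review bot: All four hunks rely on `guard(mutex)(&st->lock);` from linux/cleanup.h, which reached mainline after 6.1; before queuing this for 6.1 confirm the helper exists in that tree, otherwise the backport needs explicit mutex_lock()/mutex_unlock() pairs (the sibling ad5686 patch in this commit still uses `mutex_lock(&st->lock);` in ad5686_write_raw, which suggests open-coded locking is what this file uses in 6.1). In ad5686_write_dac_powerdown the guard is taken after the kstrtobool() early return, which is fine, but it then also covers whatever register write follows outside the hunk, so that path should be checked for lock ordering against any other lock it takes. The `0x3 << (chan->channel * 2)` mask is now repeated in all four functions; a small helper would cut the repetition but is not a blocker.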
diff --git a/queue-6.1/iio-dac-ad5686-fix-input-raw-value-check.patch b/queue-6.1/iio-dac-ad5686-fix-input-raw-value-check.patch
new file mode 100644 (file)
index 0000000..eb1037e
--- /dev/null
@@ -0,0 +1,35 @@
+From d01220ee5e43c65a206df827b39bf5cf5f7b9dce Mon Sep 17 00:00:00 2001
+From: Rodrigo Alencar <rodrigo.alencar@analog.com>
+Date: Fri, 1 May 2026 10:14:55 +0100
+Subject: iio: dac: ad5686: fix input raw value check
+
+From: Rodrigo Alencar <rodrigo.alencar@analog.com>
+
+commit d01220ee5e43c65a206df827b39bf5cf5f7b9dce upstream.
+
+Fix range check for input raw value, which is off by one, i.e., for a
+10-bit DAC the max valid value is 1023, but 1 << 10 equals 1024, which
+passes the previous check, allowing an out-of-range write. The issue
+exists since the ad5686 driver was first introduced.
+
+Fixes: c2f37c8dcadc ("iio: dac: New driver for AD5686R, AD5685R, AD5684R Digital to analog converters")
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Signed-off-by: Rodrigo Alencar <rodrigo.alencar@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/dac/ad5686.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/dac/ad5686.c
++++ b/drivers/iio/dac/ad5686.c
+@@ -154,7 +154,7 @@ static int ad5686_write_raw(struct iio_d
+       switch (mask) {
+       case IIO_CHAN_INFO_RAW:
+-              if (val > (1 << chan->scan_type.realbits) || val < 0)
++              if (val >= (1 << chan->scan_type.realbits) || val < 0)
+                       return -EINVAL;
+               mutex_lock(&st->lock);
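Review bot: The corrected comparison is right but reads as a bare magic bound, which is how the original off-by-one crept in; a one-line comment above the `if`, e.g. `/* valid DAC codes are 0 .. (1 << realbits) - 1 */`, records why `>=` rather than `>` is the correct operator. ad5686_write_raw's body continues outside the hunk, so the `mutex_lock` that follows is not reviewed here.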
diff --git a/queue-6.1/iio-dac-max5821-fix-return-value-check-in-powerdown-sync.patch b/queue-6.1/iio-dac-max5821-fix-return-value-check-in-powerdown-sync.patch
new file mode 100644 (file)
index 0000000..b167f53
--- /dev/null
@@ -0,0 +1,54 @@
+From d0a228d903425e653f18a4341e60c0538afb6d41 Mon Sep 17 00:00:00 2001
+From: Salah Triki <salah.triki@gmail.com>
+Date: Mon, 27 Apr 2026 22:33:19 +0100
+Subject: iio: dac: max5821: fix return value check in powerdown sync
+
+From: Salah Triki <salah.triki@gmail.com>
+
+commit d0a228d903425e653f18a4341e60c0538afb6d41 upstream.
+
+The function max5821_sync_powerdown_mode() returned the result of
+i2c_master_send() directly. If a partial transfer occurred, it would
+be incorrectly treated as a success by the caller.
+
+While the caller currently handles the positive return value of 2 as
+success, this patch refactors the function to return 0 on full success
+and -EIO on short writes. This ensures robust error handling for
+incomplete transfers and improves code maintainability by using
+sizeof(outbuf).
+
+Fixes: 472988972737 ("iio: add support of the max5821")
+Signed-off-by: Salah Triki <salah.triki@gmail.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/dac/max5821.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/dac/max5821.c
++++ b/drivers/iio/dac/max5821.c
+@@ -91,6 +91,7 @@ static int max5821_sync_powerdown_mode(s
+                                      const struct iio_chan_spec *chan)
+ {
+       u8 outbuf[2];
++      int ret;
+       outbuf[0] = MAX5821_EXTENDED_COMMAND_MODE;
+@@ -104,7 +105,13 @@ static int max5821_sync_powerdown_mode(s
+       else
+               outbuf[1] |= MAX5821_EXTENDED_POWER_UP;
+-      return i2c_master_send(data->client, outbuf, 2);
++      ret = i2c_master_send(data->client, outbuf, sizeof(outbuf));
++      if (ret < 0)
++              return ret;
++      if (ret != sizeof(outbuf))
++              return -EIO;
++
++      return 0;
+ }
+ static ssize_t max5821_write_dac_powerdown(struct iio_dev *indio_dev,
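Review bot: The return contract changed from "bytes transferred" to "0 or -errno", so the caller `max5821_write_dac_powerdown` (its signature is the hunk's last context line and its body lies outside it) must not still compare the result against 2; the commit message says it already treats a positive 2 as success, which suggests an `if (ret < 0)` style check that keeps working, but that should be confirmed in the same patch. A short comment at the definition, e.g. `/* Returns 0 on a complete 2-byte transfer, -EIO on a short one, -errno on I2C failure */`, would document the new contract; the function's signature line is outside the hunk. The `ret != sizeof(outbuf)` comparison mixes `int` and `size_t`, which is safe only because the negative case is rejected first, so keep those two checks in that order.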
diff --git a/queue-6.1/iio-gyro-itg3200-fix-i2c-read-into-the-wrong-stack-location.patch b/queue-6.1/iio-gyro-itg3200-fix-i2c-read-into-the-wrong-stack-location.patch
new file mode 100644 (file)
index 0000000..b9a66a4
--- /dev/null
@@ -0,0 +1,53 @@
+From 6bdc3023d62ed5c7d591f0eb27a5adb37fb892ae Mon Sep 17 00:00:00 2001
+From: David Carlier <devnexen@gmail.com>
+Date: Tue, 5 May 2026 14:37:48 +0100
+Subject: iio: gyro: itg3200: fix i2c read into the wrong stack location
+
+From: David Carlier <devnexen@gmail.com>
+
+commit 6bdc3023d62ed5c7d591f0eb27a5adb37fb892ae upstream.
+
+itg3200_read_all_channels() takes `__be16 *buf' as a parameter and
+fills the i2c_msg destination as `(char *)&buf'. Since `buf' is the
+parameter (a pointer), `&buf' is the address of the local pointer
+slot on the stack of itg3200_read_all_channels(), not the address
+of the caller's scan buffer. The (char *) cast hides the type
+mismatch.
+
+i2c_transfer() therefore writes ITG3200_SCAN_ELEMENTS * sizeof(s16)
+= 8 bytes into the parameter's stack slot, which is discarded when
+the function returns. The caller's scan buffer in
+itg3200_trigger_handler() is never written to, so
+iio_push_to_buffers_with_timestamp() pushes uninitialised stack
+contents to userspace via /dev/iio:deviceX every scan -- both a
+functional bug (no actual gyroscope or temperature data is
+delivered through the triggered buffer) and an information leak.
+
+The non-buffered read_raw() path is unaffected: it goes through
+itg3200_read_reg_s16() which uses `&out' on a local s16 value,
+where that is correct.
+
+Drop the spurious `&' so the i2c read writes into the caller's
+buffer.
+
+Fixes: 9dbf091da080 ("iio: gyro: Add itg3200")
+Cc: stable@vger.kernel.org
+Signed-off-by: David Carlier <devnexen@gmail.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/gyro/itg3200_buffer.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/gyro/itg3200_buffer.c
++++ b/drivers/iio/gyro/itg3200_buffer.c
+@@ -34,7 +34,7 @@ static int itg3200_read_all_channels(str
+                       .addr = i2c->addr,
+                       .flags = i2c->flags | I2C_M_RD,
+                       .len = ITG3200_SCAN_ELEMENTS * sizeof(s16),
+-                      .buf = (char *)&buf,
++                      .buf = (char *)buf,
+               },
+       };
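Review bot: The message length is still hard-coded as `ITG3200_SCAN_ELEMENTS * sizeof(s16)` while the destination is now the caller's `__be16 *buf`; tying the length to the pointee, `.len = ITG3200_SCAN_ELEMENTS * sizeof(*buf),`, keeps the two from drifting apart the way the type and address did here. The `(char *)` cast that masked the original bug is still needed because `i2c_msg.buf` is `__u8 *`, so a comment such as `/* buf is the caller's scan buffer; pass the pointer itself, never &buf */` is the cheapest guard against reintroduction. itg3200_read_all_channels starts before the hunk.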
diff --git a/queue-6.1/iio-light-cm3323-fix-reg_conf-not-being-initialized-correctly.patch b/queue-6.1/iio-light-cm3323-fix-reg_conf-not-being-initialized-correctly.patch
new file mode 100644 (file)
index 0000000..5395af0
--- /dev/null
@@ -0,0 +1,66 @@
+From 1f4f0bcc5255dec5c4c3a1551bf49d8c33b69b20 Mon Sep 17 00:00:00 2001
+From: Aldo Conte <aldocontelk@gmail.com>
+Date: Tue, 7 Apr 2026 17:17:01 +0200
+Subject: iio: light: cm3323: fix reg_conf not being initialized correctly
+
+From: Aldo Conte <aldocontelk@gmail.com>
+
+commit 1f4f0bcc5255dec5c4c3a1551bf49d8c33b69b20 upstream.
+
+The code stores the return value of i2c_smbus_write_word_data()
+in data->reg_conf; however, this value represents the result
+of the write operation and not the value actually written to
+the configuration register. This meant that the contents of
+data->reg_conf did not truly reflect the contents
+of the hardware register.
+
+Instead, save the value of the register before the write
+and use this value in the I2C write.
+
+The bug was found by code inspection: i2c_smbus_write_word_data()
+returns 0 on success, not the value written to the register.
+
+Tested using i2c-stub on a Raspberry Pi 3B running a custom 6.19.10
+kernel. Before loading the driver, the configuration register 0x00
+CM3323_CMD_CONF was populated with 0x0030 using
+`i2cset -y 11 0x10 0x00 0x0030 w`, encoding an integration time of 320ms
+in bits[6:4].
+
+Due to incorrect initialization of data->reg_conf in
+cm3323_init(), the print of integration_time returns 0.040000
+instead of the expected 0.320000. This happens because the read of the
+integration_time depends on cm3323_get_it_bits() that is based on the
+value of data->reg_conf, which is erroneously set to 0.
+
+With this fix applied, data->reg_conf correctly saves 0x0030 after init
+and the successive integration_time reports 0.320000 as expected.
+
+Fixes: 8b0544263761 ("iio: light: Add support for Capella CM3323 color sensor")
+Cc: stable@vger.kernel.org
+Signed-off-by: Aldo Conte <aldocontelk@gmail.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/cm3323.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/light/cm3323.c
++++ b/drivers/iio/light/cm3323.c
+@@ -89,15 +89,14 @@ static int cm3323_init(struct iio_dev *i
+       /* enable sensor and set auto force mode */
+       ret &= ~(CM3323_CONF_SD_BIT | CM3323_CONF_AF_BIT);
++      data->reg_conf = ret;
+-      ret = i2c_smbus_write_word_data(data->client, CM3323_CMD_CONF, ret);
++      ret = i2c_smbus_write_word_data(data->client, CM3323_CMD_CONF, data->reg_conf);
+       if (ret < 0) {
+               dev_err(&data->client->dev, "Error writing reg_conf\n");
+               return ret;
+       }
+-      data->reg_conf = ret;
+-
+       return 0;
+ }
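Review bot: `data->reg_conf = ret;` now runs before the write is known to have succeeded, so on a failed `i2c_smbus_write_word_data()` the cached copy diverges from the hardware register — the opposite of the commit's stated goal, though only on an error path that presumably aborts probe. Keeping the computed value in a local, passing that local to the write, and assigning `data->reg_conf = conf;` only after the `if (ret < 0)` block avoids the stale cache. Whether an `int` `ret` fits `reg_conf` without truncation depends on the field's declared type, which is outside the hunk; cm3323_init's body also starts before the hunk.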
diff --git a/queue-6.1/iio-magnetometer-st_magn-fix-default-drdy-pin-selection-for-lis2mdl.patch b/queue-6.1/iio-magnetometer-st_magn-fix-default-drdy-pin-selection-for-lis2mdl.patch
new file mode 100644 (file)
index 0000000..7650404
--- /dev/null
@@ -0,0 +1,60 @@
+From 49f79cd28f1e3333cbe0d616ce59ead0b24bf34e Mon Sep 17 00:00:00 2001
+From: Advait Dhamorikar <advaitd@mechasystems.com>
+Date: Tue, 7 Apr 2026 12:50:59 +0530
+Subject: iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL
+
+From: Advait Dhamorikar <advaitd@mechasystems.com>
+
+commit 49f79cd28f1e3333cbe0d616ce59ead0b24bf34e upstream.
+
+The device tree binding for st,lis2mdl does not support
+st,drdy-int-pin property. However, when no platform data is provided
+and the property is absent, the driver falls back to default_magn_pdata
+which hardcodes drdy_int_pin = 2. This causes
+`st_sensors_set_drdy_int_pin` to fail with -EINVAL because the LIS2MDL
+sensor settings have no INT2 DRDY mask defined.
+
+Fix this by checking the sensor's INT2 DRDY mask availability at
+probe time and selecting the appropriate default pin. Sensors that
+do not support INT2 DRDY will default to INT1, while all others
+retain the existing default of INT2.
+
+Fixes: 38934daf7b5c ("iio: magnetometer: st_magn: Provide default platform data")
+Signed-off-by: Advait Dhamorikar <advaitd@mechasystems.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/magnetometer/st_magn_core.c |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/magnetometer/st_magn_core.c
++++ b/drivers/iio/magnetometer/st_magn_core.c
+@@ -504,6 +504,11 @@ static const struct st_sensors_platform_
+       .drdy_int_pin = 2,
+ };
++/* LIS2MDL only supports DRDY on INT1 */
++static const struct st_sensors_platform_data alt_magn_pdata = {
++      .drdy_int_pin = 1,
++};
++
+ static int st_magn_read_raw(struct iio_dev *indio_dev,
+                       struct iio_chan_spec const *ch, int *val,
+                                                       int *val2, long mask)
+@@ -626,8 +631,12 @@ int st_magn_common_probe(struct iio_dev
+       mdata->current_fullscale = &mdata->sensor_settings->fs.fs_avl[0];
+       mdata->odr = mdata->sensor_settings->odr.odr_avl[0].hz;
+-      if (!pdata)
+-              pdata = (struct st_sensors_platform_data *)&default_magn_pdata;
++      if (!pdata) {
++              if (mdata->sensor_settings->drdy_irq.int2.mask)
++                      pdata = (struct st_sensors_platform_data *)&default_magn_pdata;
++              else
++                      pdata = (struct st_sensors_platform_data *)&alt_magn_pdata;
++      }
+       err = st_sensors_init_sensor(indio_dev, pdata);
+       if (err < 0)
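Review bot: The comment on `alt_magn_pdata` names only LIS2MDL, but the selection keys on `drdy_irq.int2.mask` being zero, so any sensor without an INT2 DRDY line takes this default; `/* Default for sensors with no INT2 DRDY line (e.g. LIS2MDL) */` matches what the code does. The new branch repeats the existing cast that discards `const` from a `static const` object; if `st_sensors_init_sensor()` never writes through `pdata` (not visible here), making its parameter `const` would let both casts go. st_magn_common_probe continues outside the hunk.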
diff --git a/queue-6.1/iio-ssp_sensors-cancel-delayed-work_refresh-on-remove.patch b/queue-6.1/iio-ssp_sensors-cancel-delayed-work_refresh-on-remove.patch
new file mode 100644 (file)
index 0000000..3104533
--- /dev/null
@@ -0,0 +1,31 @@
+From eedf7602fbd929e97e0c480da501dc7a34beb2a8 Mon Sep 17 00:00:00 2001
+From: Sanjay Chitroda <sanjayembeddedse@gmail.com>
+Date: Sun, 26 Apr 2026 14:47:04 +0530
+Subject: iio: ssp_sensors: cancel delayed work_refresh on remove
+
+From: Sanjay Chitroda <sanjayembeddedse@gmail.com>
+
+commit eedf7602fbd929e97e0c480da501dc7a34beb2a8 upstream.
+
+The work_refresh may still be pending or running when the device is
+removed, cancel the delayed work_refresh in remove path.
+
+Fixes: 50dd64d57eee ("iio: common: ssp_sensors: Add sensorhub driver")
+Signed-off-by: Sanjay Chitroda <sanjayembeddedse@gmail.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/common/ssp_sensors/ssp_dev.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/common/ssp_sensors/ssp_dev.c
++++ b/drivers/iio/common/ssp_sensors/ssp_dev.c
+@@ -590,6 +590,7 @@ static void ssp_remove(struct spi_device
+       ssp_clean_pending_list(data);
+       free_irq(data->spi->irq, data);
++      cancel_delayed_work_sync(&data->work_refresh);
+       del_timer_sync(&data->wdt_timer);
+       cancel_work_sync(&data->work_wdt);
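Review bot: `cancel_delayed_work_sync(&data->work_refresh)` is placed before `del_timer_sync(&data->wdt_timer)` and `cancel_work_sync(&data->work_wdt)`, so if either the watchdog timer or work_wdt can re-arm work_refresh (their bodies are not visible here), the refresh work can be queued again after it has been cancelled; if so, the new line belongs after those two. A work_refresh that only rearms itself is fine as ordered, since the sync cancel rejects requeues from within the running callback. ssp_remove's body starts before the hunk.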
diff --git a/queue-6.1/iio-temperature-tsys01-fix-broken-prom-checksum-validation.patch b/queue-6.1/iio-temperature-tsys01-fix-broken-prom-checksum-validation.patch
new file mode 100644 (file)
index 0000000..c105712
--- /dev/null
@@ -0,0 +1,41 @@
+From 4701e471c16866e7aa8f5e6a3a6b0d31e097e2c9 Mon Sep 17 00:00:00 2001
+From: Salah Triki <salah.triki@gmail.com>
+Date: Tue, 5 May 2026 08:10:24 +0100
+Subject: iio: temperature: tsys01: fix broken PROM checksum validation
+
+From: Salah Triki <salah.triki@gmail.com>
+
+commit 4701e471c16866e7aa8f5e6a3a6b0d31e097e2c9 upstream.
+
+The current implementation of tsys01_crc_valid() incorrectly sums the
+first word (n_prom[0]) repeatedly instead of iterating over the 8 words
+retrieved from the PROM. This leads to a checksum mismatch and probe
+failure on hardware.
+
+According to the TSYS01 datasheet, the PROM consists of 8 words. A valid
+check must iterate through all 8 words to verify the integrity of the
+calibration data. The current driver only checks the first word 8 times.
+
+Note: This fix was identified during a code audit and is based on
+datasheet specifications. It has not been tested on real hardware.
+
+Fixes: 43e53407f680 ("Add tsys01 meas-spec driver support")
+Signed-off-by: Salah Triki <salah.triki@gmail.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/temperature/tsys01.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/temperature/tsys01.c
++++ b/drivers/iio/temperature/tsys01.c
+@@ -119,7 +119,7 @@ static bool tsys01_crc_valid(u16 *n_prom
+       u8 sum = 0;
+       for (cnt = 0; cnt < TSYS01_PROM_WORDS_NB; cnt++)
+-              sum += ((n_prom[0] >> 8) + (n_prom[0] & 0xFF));
++              sum += ((n_prom[cnt] >> 8) + (n_prom[cnt] & 0xFF));
+       return (sum == 0);
+ }
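Review bot: The checksum semantics are implicit — `sum` is a `u8`, so the byte-wise total of all words is expected to wrap to zero — and the commit message says the rule comes from the datasheet rather than hardware testing; a comment above the loop, e.g. `/* datasheet: byte sum of all TSYS01_PROM_WORDS_NB words must be 0 mod 256 */`, would record that for whoever does test it. Since the loop only reads the PROM, the parameter could be `const u16 *n_prom`, but its declaration sits outside the hunk.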
diff --git a/queue-6.1/input-elan_i2c-validate-firmware-size-before-use.patch b/queue-6.1/input-elan_i2c-validate-firmware-size-before-use.patch
new file mode 100644 (file)
index 0000000..5d67849
--- /dev/null
@@ -0,0 +1,36 @@
+From 76b0d0baa9ae9c60e726bbe1b6ff0bec2c993634 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Sat, 25 Apr 2026 22:07:06 -0700
+Subject: Input: elan_i2c - validate firmware size before use
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 76b0d0baa9ae9c60e726bbe1b6ff0bec2c993634 upstream.
+
+Ensure that the firmware file is large enough to contain the expected
+number of pages and the signature (which resides at the end of the
+firmware blob) before accessing them to prevent potential out-of-bounds
+reads.
+
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/ae2dOgiFvXRm4BHo@google.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/mouse/elan_i2c_core.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -646,6 +646,11 @@ static ssize_t elan_sysfs_update_fw(stru
+               return error;
+       }
++      if (fw->size < data->fw_signature_address + sizeof(signature)) {
++              dev_err(dev, "firmware file too small\n");
++              return -EBADF;
++      }
++
+       /* Firmware file must match signature data */
+       fw_signature = &fw->data[data->fw_signature_address];
+       if (memcmp(fw_signature, signature, sizeof(signature)) != 0) {
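Review bot: The new early `return -EBADF` exits without releasing the firmware that appears to have been obtained just above (the `return error;` context line looks like a failed-request path), so if the existing signature-mismatch branch below unwinds through a `release_firmware()` label, this path must take the same route or the blob leaks; the rest of elan_sysfs_update_fw is outside the hunk, so I cannot confirm which it is. `-EBADF` is also an unusual code for a malformed file — `-EINVAL` or `-EBADMSG` is conventional — though reusing whatever the mismatch branch already returns keeps the sysfs error behaviour consistent. The size check itself is sound: with the signature at the end of the blob, `fw_signature_address + sizeof(signature)` bounds every earlier access too.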
diff --git a/queue-6.1/ipc-limit-next_id-allocation-to-the-valid-id-range.patch b/queue-6.1/ipc-limit-next_id-allocation-to-the-valid-id-range.patch
new file mode 100644 (file)
index 0000000..adf55d3
--- /dev/null
@@ -0,0 +1,81 @@
+From fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139 Mon Sep 17 00:00:00 2001
+From: Linpu Yu <linpu5433@gmail.com>
+Date: Sun, 10 May 2026 13:43:30 +0800
+Subject: ipc: limit next_id allocation to the valid ID range
+
+From: Linpu Yu <linpu5433@gmail.com>
+
+commit fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139 upstream.
+
+The checkpoint/restore sysctl path can request the next SysV IPC id
+through ids->next_id.  ipc_idr_alloc() currently forwards that request to
+idr_alloc() with an open-ended upper bound.
+
+If the valid tail of the SysV IPC id space is full, the allocation can
+spill beyond ipc_mni.  The returned SysV IPC id still uses the normal
+index encoding, so later lookup and removal can target the wrong slot.
+This leaves the real IDR entry behind and breaks the IDR state for the
+object.
+
+The bug is in ipc_idr_alloc() in the checkpoint/restore path.
+
+1. ids->next_id is passed to:
+
+       idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id), 0, ...)
+
+2. The zero upper bound makes the allocation effectively open-ended.
+   Once the valid SysV IPC tail is occupied, idr_alloc() can spill past
+   ipc_mni and allocate an entry beyond the valid IPC id range.
+
+3. The new object id is still encoded with the narrower SysV IPC index
+   width:
+
+       new->id = (new->seq << ipcmni_seq_shift()) + idx
+
+4. Later removal goes through ipc_rmid(), which uses:
+
+       ipcid_to_idx(ipcp->id)
+
+   That truncates the real IDR index. An object actually stored at a
+   high index can then be removed as if it lived at a low in-range
+   index.
+
+5. For shared memory, shm_destroy() frees the current object anyway, but
+   the real high IDR slot is left behind as a dangling pointer.
+
+6. A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry
+   and dereferences freed memory.
+
+Prevent this by bounding the requested allocation to ipc_mni so the
+checkpoint/restore path fails once the valid range is exhausted.
+
+Link: https://lore.kernel.org/cover.1778336914.git.linpu5433@gmail.com
+Link: https://lore.kernel.org/2eebe949bfa7d1f6e13b5be6a92c64c850ce9d45.1778336914.git.linpu5433@gmail.com
+Fixes: 03f595668017 ("ipc: add sysctl to specify desired next object id")
+Signed-off-by: Linpu Yu <linpu5433@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Cc: Kees Cook <kees@kernel.org>
+Cc: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ ipc/util.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/ipc/util.c
++++ b/ipc/util.c
+@@ -253,7 +253,7 @@ static inline int ipc_idr_alloc(struct i
+       } else {
+               new->seq = ipcid_to_seqx(next_id);
+               idx = idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id),
+-                              0, GFP_NOWAIT);
++                              ipc_mni, GFP_NOWAIT);
+       }
+       if (idx >= 0)
+               new->id = (new->seq << ipcmni_seq_shift()) + idx;
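Review bot: `idr_alloc()` treats `end` as exclusive, so `ipc_mni` restricts the checkpoint/restore branch to indices 0..ipc_mni-1 — presumably the same bound the non-next_id branch above the hunk uses; the two should be checked to agree, since an index one path can allocate but `ipcid_to_idx()` cannot encode is exactly the bug being fixed. A comment on the new argument, e.g. `/* bound to the encodable index range; ipcid_to_idx() truncates anything beyond ipc_mni */`, would keep the next reader from restoring the open-ended 0. ipc_idr_alloc's body starts before the hunk.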
diff --git a/queue-6.1/kvm-sev-warn-if-kvm-attempts-to-setup-scratch-area-with-min_len-0.patch b/queue-6.1/kvm-sev-warn-if-kvm-attempts-to-setup-scratch-area-with-min_len-0.patch
new file mode 100644 (file)
index 0000000..fbb989c
--- /dev/null
@@ -0,0 +1,37 @@
+From f185e05dce6f170f83c4ba602e969b1c3c7a22e6 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 1 May 2026 13:22:32 -0700
+Subject: KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit f185e05dce6f170f83c4ba602e969b1c3c7a22e6 upstream.
+
+Now that all paths in KVM properly validate the length needed for the
+scratch area, and are guaranteed to pass in a non-zero length, WARN if KVM
+attempts to configured the scratch area with min_len==0 to guard against
+future bugs.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Reviewed-by: Michael Roth <michael.roth@amd.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-ID: <20260501202250.2115252-8-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/sev.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kvm/svm/sev.c
++++ b/arch/x86/kvm/svm/sev.c
+@@ -2658,6 +2658,9 @@ static int setup_vmgexit_scratch(struct
+       u64 scratch_gpa_beg, scratch_gpa_end;
+       void *scratch_va;
++      if (WARN_ON_ONCE(!min_len))
++              goto e_scratch;
++
+       scratch_gpa_beg = svm->sev_es.sw_scratch;
+       if (!scratch_gpa_beg) {
+               pr_err("vmgexit: scratch gpa not provided\n");
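Review bot: The guard carries no explanation of the invariant it enforces; a comment above it, e.g. `/* Callers validate the length; min_len == 0 is a KVM bug, not a guest error */`, records what the commit message states. The `e_scratch` label and what it returns are outside the hunk, so whether the guest sees this as a vmgexit failure or KVM treats it as an internal error is not visible here; setup_vmgexit_scratch's body starts before the hunk.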
diff --git a/queue-6.1/parport-fix-race-between-port-and-client-registration.patch b/queue-6.1/parport-fix-race-between-port-and-client-registration.patch
new file mode 100644 (file)
index 0000000..b625cf2
--- /dev/null
@@ -0,0 +1,109 @@
+From ef15ccbb3e8640a723c42ad90eaf81d66ae02017 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <benh@debian.org>
+Date: Tue, 5 May 2026 20:45:12 +0200
+Subject: parport: Fix race between port and client registration
+
+From: Ben Hutchings <benh@debian.org>
+
+commit ef15ccbb3e8640a723c42ad90eaf81d66ae02017 upstream.
+
+The parport subsystem registers port devices before they are fully
+initialised, resulting in a race condition where client drivers such
+as lp can attach to ports that are not completely initialised or even
+being torn down.
+
+When the port and client drivers are built as modules and loaded
+around the same time during boot, this occasionally results in a
+crash.  I was able to make this happen reliably in a VM with a
+PC-style parallel port by patching parport_pc to fail probing:
+
+> --- a/drivers/parport/parport_pc.c
+> +++ b/drivers/parport/parport_pc.c
+> @@ -2069,7 +2069,7 @@ static struct parport *__parport_pc_probe_port(unsigned long int base,
+>      if (!p)
+>              goto out3;
+>
+> -    base_res = request_region(base, 3, p->name);
+> +    base_res = NULL;
+>      if (!base_res)
+>              goto out4;
+>
+
+and then running:
+
+    while true; do
+        modprobe lp & modprobe parport_pc
+       wait
+       rmmod lp parport_pc
+    done
+
+for a few seconds.
+
+In the long term I think port registration should be changed to put
+the call to device_add() inside parport_announce_port(), but since the
+latter currently cannot fail this will require changing all port
+drivers.
+
+For now, add a flag to indicate whether a port has been "announced"
+and only try to attach client drivers to ports when the flag is set.
+
+Fixes: 6fa45a226897 ("parport: add device-model to parport subsystem")
+Closes: https://bugs.debian.org/1130365
+Closes: https://lore.kernel.org/all/6ba903ad-9897-42bb-8c2d-337385cc3746@molgen.mpg.de/
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ben Hutchings <benh@debian.org>
+Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Link: https://patch.msgid.link/afo6uBv68GDevbMD@decadent.org.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/parport/share.c |   11 +++++++++--
+ include/linux/parport.h |    1 +
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/parport/share.c
++++ b/drivers/parport/share.c
+@@ -223,10 +223,14 @@ static void get_lowlevel_driver(void)
+ static int port_check(struct device *dev, void *dev_drv)
+ {
+       struct parport_driver *drv = dev_drv;
++      struct parport *port;
+       /* only send ports, do not send other devices connected to bus */
+-      if (is_parport(dev))
+-              drv->match_port(to_parport_dev(dev));
++      if (is_parport(dev)) {
++              port = to_parport_dev(dev);
++              if (test_bit(PARPORT_ANNOUNCED, &port->devflags))
++                      drv->match_port(port);
++      }
+       return 0;
+ }
+@@ -553,6 +557,7 @@ void parport_announce_port(struct parpor
+               if (slave)
+                       attach_driver_chain(slave);
+       }
++      set_bit(PARPORT_ANNOUNCED, &port->devflags);
+       mutex_unlock(&registration_lock);
+ }
+ EXPORT_SYMBOL(parport_announce_port);
+@@ -582,6 +587,8 @@ void parport_remove_port(struct parport
+       mutex_lock(&registration_lock);
++      clear_bit(PARPORT_ANNOUNCED, &port->devflags);
++
+       /* Spread the word. */
+       detach_driver_chain(port);
+--- a/include/linux/parport.h
++++ b/include/linux/parport.h
+@@ -245,6 +245,7 @@ struct parport {
+       unsigned long devflags;
+ #define PARPORT_DEVPROC_REGISTERED    0
++#define PARPORT_ANNOUNCED             1
+       struct pardevice *proc_device;  /* Currently register proc device */
+       struct list_head full_list;
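Review bot: `test_bit(PARPORT_ANNOUNCED, ...)` in `port_check()` only closes the race if the driver-attach walk that calls it runs under `registration_lock`, the lock that guards the `set_bit` in `parport_announce_port()` and the `clear_bit` in `parport_remove_port()`; if `port_check` is reached via `bus_for_each_dev()` without that lock (not visible in the hunk), a port can still be torn down between the test and `drv->match_port()`. The `port` local could be declared inside the `if (is_parport(dev))` block where it is used. A comment on the new flag in `parport.h`, e.g. `/* set once parport_announce_port() has run; clients may attach only then */`, would document its meaning next to `PARPORT_DEVPROC_REGISTERED`.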
index eead4034bbc02973bb6a93930c10389a4e76101b..166246ed554beab84f0b7e4db971c3aa0dcc9e4d 100644 (file)
@@ -90,3 +90,30 @@ usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch
 input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch
 hid-quirks-add-always_poll-quirk-for-sigmachip-usb-mouse.patch
 bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch
+hpfs-fix-a-crash-if-hpfs_map_dnode_bitmap-fails.patch
+ipc-limit-next_id-allocation-to-the-valid-id-range.patch
+auxdisplay-line-display-fix-oob-read-on-zero-length-message_store.patch
+bluetooth-l2cap-use-chan-timer-to-close-channels-in-cleanup_listen.patch
+bluetooth-l2cap-fix-chan-ref-leak-in-l2cap_chan_timeout-on-conn.patch
+bluetooth-hidp-fix-missing-length-checks-in-hidp_input_report.patch
+bluetooth-iso-fix-uaf-in-iso_recv_frame.patch
+bluetooth-iso-serialize-iso_sock_clear_timer-with-socket-lock.patch
+parport-fix-race-between-port-and-client-registration.patch
+usb-cdc-acm-fix-bit-overlap-and-move-quirk-definitions-to-header.patch
+kvm-sev-warn-if-kvm-attempts-to-setup-scratch-area-with-min_len-0.patch
+iio-adc-xilinx-xadc-fix-sequencer-mode-in-postdisable-for-dual-mux.patch
+iio-dac-max5821-fix-return-value-check-in-powerdown-sync.patch
+iio-dac-ad5686-fix-input-raw-value-check.patch
+iio-dac-ad5686-acquire-lock-when-doing-powerdown-control.patch
+iio-adc-viperboard-fix-error-handling-in-vprbrd_iio_read_raw.patch
+iio-gyro-itg3200-fix-i2c-read-into-the-wrong-stack-location.patch
+iio-ssp_sensors-cancel-delayed-work_refresh-on-remove.patch
+iio-temperature-tsys01-fix-broken-prom-checksum-validation.patch
+iio-magnetometer-st_magn-fix-default-drdy-pin-selection-for-lis2mdl.patch
+iio-light-cm3323-fix-reg_conf-not-being-initialized-correctly.patch
+iio-buffer-hw-consumer-fix-use-after-free-in-error-path.patch
+usb-serial-omninet-fix-memory-corruption-with-small-endpoint.patch
+usb-cdns3-gadget-fix-request-skipping-after-clearing-halt.patch
+usb-cdns3-plat-fix-unbalanced-pm_runtime_forbid-call-permanently-leaks-the-runtime-pm-usage-counter-across-bind-unbind-cycles.patch
+usb-dwc2-fix-use-after-free-in-debug-code.patch
+input-elan_i2c-validate-firmware-size-before-use.patch
diff --git a/queue-6.1/usb-cdc-acm-fix-bit-overlap-and-move-quirk-definitions-to-header.patch b/queue-6.1/usb-cdc-acm-fix-bit-overlap-and-move-quirk-definitions-to-header.patch
new file mode 100644 (file)
index 0000000..9184cfc
--- /dev/null
@@ -0,0 +1,49 @@
+From 5eb070769ea5e18405535609d1d3f6886f3755bd Mon Sep 17 00:00:00 2001
+From: Wentao Guan <guanwentao@uniontech.com>
+Date: Fri, 22 May 2026 17:13:58 +0800
+Subject: USB: cdc-acm: Fix bit overlap and move quirk definitions to header
+
+From: Wentao Guan <guanwentao@uniontech.com>
+
+commit 5eb070769ea5e18405535609d1d3f6886f3755bd upstream.
+
+The VENDOR_CLASS_DATA_IFACE and ALWAYS_POLL_CTRL quirk flags added in
+commit f58752ebcb35 ("USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10
+INGENIC touchscreen") were placed inside the acm_ctrl_msg() function
+rather than in the header with the other quirk flags.  Then, their
+values (BIT(9) and BIT(10)) collided with NO_UNION_12 which is already
+BIT(9).
+
+Move the definitions to drivers/usb/class/cdc-acm.h where they belong
+and shift them to BIT(10) and BIT(11) to avoid the overlap.
+
+Fixes: f58752ebcb35 ("USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
+Link: https://patch.msgid.link/20260522091357.1301196-1-guanwentao@uniontech.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-acm.c |    2 --
+ drivers/usb/class/cdc-acm.h |    2 ++
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -113,8 +113,6 @@ static int acm_ctrl_msg(struct acm *acm,
+       int retval;
+       retval = usb_autopm_get_interface(acm->control);
+-#define VENDOR_CLASS_DATA_IFACE               BIT(9)  /* data interface uses vendor-specific class */
+-#define ALWAYS_POLL_CTRL              BIT(10) /* keep ctrl URB active even without an open TTY */
+       if (retval)
+               return retval;
+--- a/drivers/usb/class/cdc-acm.h
++++ b/drivers/usb/class/cdc-acm.h
+@@ -115,3 +115,5 @@ struct acm {
+ #define DISABLE_ECHO                  BIT(7)
+ #define MISSING_CAP_BRK                       BIT(8)
+ #define NO_UNION_12                   BIT(9)
++#define VENDOR_CLASS_DATA_IFACE               BIT(10)  /* data interface uses vendor-specific class */
++#define ALWAYS_POLL_CTRL              BIT(11) /* keep ctrl URB active even without an open TTY */
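Review bot: The two moved definitions are aligned inconsistently with the existing quirk block — `BIT(10)  /*` has two spaces before its comment while `BIT(11) /*` and the surrounding lines have one — so a reformat of those two header lines would keep the table uniform. A comment on the block, e.g. `/* quirk bits: keep unique, they are OR-ed into the same quirks mask */`, would make the overlap this fix repairs less likely to recur.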
diff --git a/queue-6.1/usb-cdns3-gadget-fix-request-skipping-after-clearing-halt.patch b/queue-6.1/usb-cdns3-gadget-fix-request-skipping-after-clearing-halt.patch
new file mode 100644 (file)
index 0000000..d319c76
--- /dev/null
@@ -0,0 +1,67 @@
+From c8778ff817a7047d6848fefba99dcb27b1bf01fe Mon Sep 17 00:00:00 2001
+From: Yongchao Wu <yongchao.wu@autochips.com>
+Date: Thu, 14 May 2026 00:00:12 +0800
+Subject: usb: cdns3: gadget: fix request skipping after clearing halt
+
+From: Yongchao Wu <yongchao.wu@autochips.com>
+
+commit c8778ff817a7047d6848fefba99dcb27b1bf01fe upstream.
+
+According to the cdns3 datasheet, the EPRST (Endpoint Reset) command
+causes the DMA engine to reposition its internal pointer to the next
+Transfer Descriptor (TD) if it was already processing one.
+
+This issue is consistently observed during the ADB identification
+process on macOS hosts, where the host issues a Clear_Halt. Although
+commit 4bf2dd65135a ("usb: cdns3: gadget: toggle cycle bit before reset
+endpoint") attempted to avoid DMA advance by toggling the cycle bit,
+trace logs show that on certain hosts like macOS, the DMA pointer
+(EP_TRADDR) still shifts after EPRST:
+
+  cdns3_ctrl_req: Clear Endpoint Feature(Halt ep1out)
+  cdns3_doorbell_epx: ep1out, ep_trbaddr f9c04030  <-- Should be f9c04000
+  cdns3_gadget_giveback: ep1out: req: ... length: 16384/16384
+
+As shown above, the DMA pointer jumped to the next TD, causing
+the controller to skip the initial TRBs of the request. This leads to
+data misalignment and ADB protocol hangs on macOS.
+
+Fix this by manually restoring the EP_TRADDR register to the starting
+physical address of the current request after the EPRST operation is
+complete.
+
+Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
+Cc: stable <stable@kernel.org>
+Cc: Peter Chen <peter.chen@kernel.org>
+Signed-off-by: Yongchao Wu <yongchao.wu@autochips.com>
+Acked-by: Peter Chen <peter.chen@kernel.org>
+Link: https://patch.msgid.link/20260513160012.2547894-1-yongchao.wu@autochips.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdns3-gadget.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/cdns3/cdns3-gadget.c
++++ b/drivers/usb/cdns3/cdns3-gadget.c
+@@ -2812,9 +2812,19 @@ int __cdns3_gadget_ep_clear_halt(struct
+       priv_ep->flags &= ~(EP_STALLED | EP_STALL_PENDING);
+       if (request) {
+-              if (trb)
++              if (trb) {
+                       *trb = trb_tmp;
++                      /*
++                       * Per datasheet, EPRST causes DMA to reposition to the next TD.
++                       * Manually reset EP_TRADDR to the current TRB to prevent
++                       * the hardware from skipping the interrupted request.
++                       */
++                      writel(EP_TRADDR_TRADDR(priv_ep->trb_pool_dma +
++                                              priv_req->start_trb * TRB_SIZE),
++                                              &priv_dev->regs->ep_traddr);
++              }
++
+               cdns3_rearm_transfer(priv_ep, 1);
+       }
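Review bot: The third line of the added `writel()` call is indented to the same column as `priv_ep->trb_pool_dma`, so `&priv_dev->regs->ep_traddr` reads as an argument of `EP_TRADDR_TRADDR()` rather than of `writel()`; computing the address in a local first makes the two-argument call obvious: `dma_addr_t traddr = priv_ep->trb_pool_dma + priv_req->start_trb * TRB_SIZE;` followed by `writel(EP_TRADDR_TRADDR(traddr), &priv_dev->regs->ep_traddr);` (the declaration at the top of the `if (trb)` block). `priv_req` is not assigned anywhere in the hunk; presumably it is derived from `request` earlier in the function, so this restore relies on that earlier branch having run under the same `request`/`trb` conditions, which is worth confirming. The register write also assumes the caller has already selected this endpoint in the controller, since no endpoint selection is visible here. `__cdns3_gadget_ep_clear_halt` starts and ends outside the hunk.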
diff --git a/queue-6.1/usb-cdns3-plat-fix-unbalanced-pm_runtime_forbid-call-permanently-leaks-the-runtime-pm-usage-counter-across-bind-unbind-cycles.patch b/queue-6.1/usb-cdns3-plat-fix-unbalanced-pm_runtime_forbid-call-permanently-leaks-the-runtime-pm-usage-counter-across-bind-unbind-cycles.patch
new file mode 100644 (file)
index 0000000..e304b61
--- /dev/null
@@ -0,0 +1,35 @@
+From ae6f3b82324e4f39ad8443c9020787e6fc889637 Mon Sep 17 00:00:00 2001
+From: Peter Chen <peter.chen@cixtech.com>
+Date: Wed, 13 May 2026 16:53:10 +0800
+Subject: usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles
+
+From: Peter Chen <peter.chen@cixtech.com>
+
+commit ae6f3b82324e4f39ad8443c9020787e6fc889637 upstream.
+
+Call pm_runtime_allow(dev) conditionally at cdns3_plat_remove.
+
+Fixes: f738957277ba ("usb: cdns3: Split core.c into cdns3-plat and core.c file")
+Cc: stable <stable@kernel.org>
+Reported-by: sashiko-bot <sashiko-bot@kernel.org>
+Closes: https://lore.kernel.org/linux-devicetree/agKaEePSFknhDBg2@nchen-desktop/T/#m21e1d9c1574eb127ce03c0c2a1a49002ce435b52
+Signed-off-by: Peter Chen <peter.chen@cixtech.com>
+Link: https://patch.msgid.link/20260513085310.2217547-3-peter.chen@cixtech.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdns3-plat.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/cdns3/cdns3-plat.c
++++ b/drivers/usb/cdns3/cdns3-plat.c
+@@ -181,6 +181,9 @@ static int cdns3_plat_remove(struct plat
+       struct device *dev = cdns->dev;
+       pm_runtime_get_sync(dev);
++      if (!(cdns->pdata && (cdns->pdata->quirks & CDNS3_DEFAULT_PM_RUNTIME_ALLOW)))
++              pm_runtime_allow(dev);
++
+       pm_runtime_disable(dev);
+       pm_runtime_put_noidle(dev);
+       cdns_remove(cdns);
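Review bot: The new condition encodes the inverse of whatever decides the `pm_runtime_forbid()` on the bind side, but nothing in the hunk ties the two together, so a later change to one is easy to miss in the other; a one-line comment above the `if` would anchor it: `/* Undo the pm_runtime_forbid() done at probe; keep this condition in sync with it */`. The double negation `!(cdns->pdata && (… & CDNS3_DEFAULT_PM_RUNTIME_ALLOW))` is also harder to read than the equivalent `if (!cdns->pdata || !(cdns->pdata->quirks & CDNS3_DEFAULT_PM_RUNTIME_ALLOW))`. Which side forbids is inferred from the commit title rather than visible in the hunk, and `cdns3_plat_remove` starts and ends outside it.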
diff --git a/queue-6.1/usb-dwc2-fix-use-after-free-in-debug-code.patch b/queue-6.1/usb-dwc2-fix-use-after-free-in-debug-code.patch
new file mode 100644 (file)
index 0000000..400695d
--- /dev/null
@@ -0,0 +1,46 @@
+From 9ea06a3fbf9f16e0d98c52cb3b99642be15ec281 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <error27@gmail.com>
+Date: Wed, 20 May 2026 08:59:28 +0300
+Subject: usb: dwc2: Fix use after free in debug code
+
+From: Dan Carpenter <error27@gmail.com>
+
+commit 9ea06a3fbf9f16e0d98c52cb3b99642be15ec281 upstream.
+
+We're not allowed to dereference "urb" after calling
+usb_hcd_giveback_urb() so save the urb->status ahead of time.
+
+Fixes: 7359d482eb4d ("staging: HCD files for the DWC2 driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Link: https://patch.msgid.link/ag1NwBpqT4IEQcdJ@stanley.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/hcd.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc2/hcd.c
++++ b/drivers/usb/dwc2/hcd.c
+@@ -4804,6 +4804,7 @@ static int _dwc2_hcd_urb_dequeue(struct
+       struct dwc2_hsotg *hsotg = dwc2_hcd_to_hsotg(hcd);
+       int rc;
+       unsigned long flags;
++      int urb_status;
+       dev_dbg(hsotg->dev, "DWC OTG HCD URB Dequeue\n");
+       dwc2_dump_urb_info(hcd, urb, "urb_dequeue");
+@@ -4828,11 +4829,12 @@ static int _dwc2_hcd_urb_dequeue(struct
+       /* Higher layer software sets URB status */
+       spin_unlock(&hsotg->lock);
++      urb_status = urb->status;
+       usb_hcd_giveback_urb(hcd, urb, status);
+       spin_lock(&hsotg->lock);
+       dev_dbg(hsotg->dev, "Called usb_hcd_giveback_urb()\n");
+-      dev_dbg(hsotg->dev, "  urb->status = %d\n", urb->status);
++      dev_dbg(hsotg->dev, "  urb->status = %d\n", urb_status);
+ out:
+       spin_unlock_irqrestore(&hsotg->lock, flags);
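Review bot: The value printed by the debug line changes meaning with this fix: `urb_status` is captured on the line before `usb_hcd_giveback_urb()`, so the log now shows the status as it was before giveback, whereas the old line (unsafely) read it afterwards. If the intent is to log what was handed to the core, the `status` already passed to `usb_hcd_giveback_urb()` is in scope and would avoid the extra local: `dev_dbg(hsotg->dev, "  status = %d\n", status);`. Either way the literal text `urb->status` in the message is now misleading because the URB is no longer dereferenced there; labelling it `saved urb->status` or `status` stops a reader from looking for a dereference that no longer exists. Whether the two values can differ at this point depends on code outside the hunk; `_dwc2_hcd_urb_dequeue` starts and ends outside it.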
diff --git a/queue-6.1/usb-serial-omninet-fix-memory-corruption-with-small-endpoint.patch b/queue-6.1/usb-serial-omninet-fix-memory-corruption-with-small-endpoint.patch
new file mode 100644 (file)
index 0000000..576fb62
--- /dev/null
@@ -0,0 +1,55 @@
+From 60df93d30f9bdd27db17c4d80ed80ef718d7226b Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 22 May 2026 16:20:58 +0200
+Subject: USB: serial: omninet: fix memory corruption with small endpoint
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 60df93d30f9bdd27db17c4d80ed80ef718d7226b upstream.
+
+Make sure that the bulk-out buffers are at least as large as the
+hardcoded transfer size to avoid user-controlled slab corruption should
+a malicious device report a smaller endpoint max packet size than
+expected.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/omninet.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/omninet.c
++++ b/drivers/usb/serial/omninet.c
+@@ -30,6 +30,10 @@
+ /* This one seems to be a re-branded ZyXEL device */
+ #define BT_IGNITIONPRO_ID     0x2000
++#define OMNINET_HEADERLEN     4
++#define OMNINET_BULKOUTSIZE   64
++#define OMNINET_PAYLOADSIZE   (OMNINET_BULKOUTSIZE - OMNINET_HEADERLEN)
++
+ /* function prototypes */
+ static void omninet_process_read_urb(struct urb *urb);
+ static int omninet_prepare_write_buffer(struct usb_serial_port *port,
+@@ -55,6 +59,7 @@ static struct usb_serial_driver zyxel_om
+       .description =          "ZyXEL - omni.net usb",
+       .id_table =             id_table,
+       .num_bulk_out =         2,
++      .bulk_out_size =        OMNINET_BULKOUTSIZE,
+       .calc_num_ports =       omninet_calc_num_ports,
+       .port_probe =           omninet_port_probe,
+       .port_remove =          omninet_port_remove,
+@@ -131,10 +136,6 @@ static void omninet_port_remove(struct u
+       kfree(od);
+ }
+-#define OMNINET_HEADERLEN     4
+-#define OMNINET_BULKOUTSIZE   64
+-#define OMNINET_PAYLOADSIZE   (OMNINET_BULKOUTSIZE - OMNINET_HEADERLEN)
+-
+ static void omninet_process_read_urb(struct urb *urb)
+ {
+       struct usb_serial_port *port = urb->context;