--- /dev/null
+From 542f5248cb481073203e0dadab5bcbd28aeae308 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 22 Apr 2026 17:21:19 +0100
+Subject: comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest()
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 542f5248cb481073203e0dadab5bcbd28aeae308 upstream.
+
+Commit 783ddaebd397 ("staging: comedi: comedi_test: support
+scan_begin_src == TRIG_FOLLOW") neglected to add a test that
+`scan_begin_src` has only one bit set. The allowed values are
+`TRIG_FOLLOW` and `TRIG_TIMER`, but the code incorrectly also allows
+`TRIG_FOLLOW | TRIG_TIMER`. Add a call to
+`comedi_check_trigger_is_unique()` to check that only one trigger source
+bit is set.
+
+Fixes: 783ddaebd397 ("staging: comedi: comedi_test: support scan_begin_src == TRIG_FOLLOW")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20260422162138.36003-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/comedi_test.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/comedi/drivers/comedi_test.c
++++ b/drivers/comedi/drivers/comedi_test.c
+@@ -273,6 +273,7 @@ static int waveform_ai_cmdtest(struct co
+ /* Step 2a : make sure trigger sources are unique */
+
+ err |= comedi_check_trigger_is_unique(cmd->convert_src);
++ err |= comedi_check_trigger_is_unique(cmd->scan_begin_src);
+ err |= comedi_check_trigger_is_unique(cmd->stop_src);
+
+ /* Step 2b : and mutually compatible */
--- /dev/null
+From 8a3bee801d420be8a7a0bae4a26547b353b8fe22 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 22 Apr 2026 15:46:37 +0100
+Subject: comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest()
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 8a3bee801d420be8a7a0bae4a26547b353b8fe22 upstream.
+
+The function checks and possibly modifies the description of an
+asynchronous command to be run on the analog input subdevice of a comedi
+device attached to the "comedi_test" driver, returning 0 if no
+modifications were required, or a positive value that indicates which
+step of the checking process it failed on. Step 4 fixes up various
+argument values for various trigger sources.
+
+There are two bugs in the fixing up of the `convert_arg` value to keep
+the `scan_begin_arg` value within the range of `unsigned int` when
+`scan_begin_src` and `convert_src` both have the value `TRIG_TIMER`,
+which indicates that the corresponding `_arg` values hold a time period
+in nanoseconds. The code also uses `scan_end_arg` which hold the number
+of "conversions" within each "scan". The goal is to end up with the
+scan period being less than or equal to the convert period multiplied by
+the number of conversions per scan. It intends to do that by clamping
+the `convert_arg` value to a maximum value of `UINT_MAX / scan_end_arg`
+rounded down to a multiple of 1000 (`NSEC_PER_USEC`).
+
+(The rounding from nanoseconds to microseconds is because the driver is
+modelling a device that uses a 1 MHz clock for timing. This is partly
+because that is a more typical timing base for real hardware devices
+driven by comedi, and partly because the driver used to use `struct
+timeval` internally.)
+
+The first bug is that the code checks if `scan_begin_arg == TRIG_TIMER`
+when it should be checking if `scan_begin_src == TRIG_TIMER`. The
+bugged check will always fail because if `scan_begin_src == TRIG_TIMER`,
+then `scan_begin_arg` will be at least 1000 (`NSEC_PER_USEC`), otherwise
+`scan_begin_src == TRIG_FOLLOW` and `scan_begin_arg` will be 0. (N.B
+`TRIG_TIMER` is defined as `0x10`.) The second bug is that is rounding
+the maximum value down to a multiple of 1000000000 (`NSEC_PER_SEC`)
+instead of 1000 (`NSEC_PER_USEC`), however this bug is not reached due
+to the first bug. This patch fixes both bugs.
+
+Fixes: 783ddaebd397 ("staging: comedi: comedi_test: support scan_begin_src == TRIG_FOLLOW")
+Fixes: 5afdcad2f818 ("staging: comedi: comedi_test: limit maximum convert_arg")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20260422144637.27692-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/comedi_test.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/comedi/drivers/comedi_test.c
++++ b/drivers/comedi/drivers/comedi_test.c
+@@ -324,10 +324,10 @@ static int waveform_ai_cmdtest(struct co
+ arg = min(arg,
+ rounddown(UINT_MAX, (unsigned int)NSEC_PER_USEC));
+ arg = NSEC_PER_USEC * DIV_ROUND_CLOSEST(arg, NSEC_PER_USEC);
+- if (cmd->scan_begin_arg == TRIG_TIMER) {
++ if (cmd->scan_begin_src == TRIG_TIMER) {
+ /* limit convert_arg to keep scan_begin_arg in range */
+ limit = UINT_MAX / cmd->scan_end_arg;
+- limit = rounddown(limit, (unsigned int)NSEC_PER_SEC);
++ limit = rounddown(limit, (unsigned int)NSEC_PER_USEC);
+ arg = min(arg, limit);
+ }
+ err |= comedi_check_trigger_arg_is(&cmd->convert_arg, arg);
--- /dev/null
+From d9eeb0ea0d2de658663bfaa9c26eccdd8fd64440 Mon Sep 17 00:00:00 2001
+From: Guangshuo Li <lgs201920130244@gmail.com>
+Date: Mon, 13 Apr 2026 21:46:04 +0800
+Subject: counter: Fix refcount leak in counter_alloc() error path
+
+From: Guangshuo Li <lgs201920130244@gmail.com>
+
+commit d9eeb0ea0d2de658663bfaa9c26eccdd8fd64440 upstream.
+
+After device_initialize(), the lifetime of the embedded struct device
+is expected to be managed through the device core reference counting.
+
+In counter_alloc(), if dev_set_name() fails after device_initialize(),
+the error path removes the chrdev, frees the ID, and frees the backing
+allocation directly instead of releasing the device reference with
+put_device(). This bypasses the normal device lifetime rules and may
+leave the reference count of the embedded struct device unbalanced,
+resulting in a refcount leak.
+
+The issue was identified by a static analysis tool I developed and
+confirmed by manual review.
+
+Fix this by using put_device() in the dev_set_name() failure path and
+let counter_device_release() handle the final cleanup.
+
+Fixes: 4da08477ea1f ("counter: Set counter device name")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
+Link: https://lore.kernel.org/r/20260413134604.2861772-1-lgs201920130244@gmail.com
+Signed-off-by: William Breathitt Gray <wbg@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/counter/counter-core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/counter/counter-core.c
++++ b/drivers/counter/counter-core.c
+@@ -123,7 +123,8 @@ struct counter_device *counter_alloc(siz
+
+ err_dev_set_name:
+
+- counter_chrdev_remove(counter);
++ put_device(dev);
++ return NULL;
+ err_chrdev_add:
+
+ ida_free(&counter_ida, dev->id);
--- /dev/null
+From dd4f3ee535b3b0ac027f75dbf9dc5fc88733c765 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timur=20Krist=C3=B3f?= <timur.kristof@gmail.com>
+Date: Tue, 19 May 2026 10:41:54 +0200
+Subject: drm/amd/pm/si: Disregard vblank time when no displays are connected
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Timur Kristóf <timur.kristof@gmail.com>
+
+commit dd4f3ee535b3b0ac027f75dbf9dc5fc88733c765 upstream.
+
+When no displays are connected, there is no vblank
+happening so the power management code shouldn't
+worry about it.
+
+This fixes a regression that caused the memory clock
+to be stuck at maximum when there were no displays
+connected to a SI GPU.
+
+Fixes: 9003a0746864 ("drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3)")
+Fixes: 9d73b107a61b ("drm/amd/pm: Use pm_display_cfg in legacy DPM (v2)")
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Tested-by: Jeremy Klarenbeek <jeremy.klarenbeek99@gmail.com>
+Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 6d87e0199f7b83735b56e422d59f170a201897a8)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
++++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
+@@ -3062,6 +3062,10 @@ static bool si_dpm_vblank_too_short(void
+ /* we never hit the non-gddr5 limit so disable it */
+ u32 switch_limit = adev->gmc.vram_type == AMDGPU_VRAM_TYPE_GDDR5 ? 450 : 0;
+
++ /* Disregard vblank time when there are no displays connected */
++ if (!adev->pm.pm_display_cfg.num_display)
++ return false;
++
+ /* Consider zero vblank time too short and disable MCLK switching.
+ * Note that the vblank time is set to maximum when no displays are attached,
+ * so we'll still enable MCLK switching in that case.
--- /dev/null
+From 6842b6a4b72da9b2906ffc5ca9d846ace2c54c14 Mon Sep 17 00:00:00 2001
+From: David Francis <David.Francis@amd.com>
+Date: Thu, 14 May 2026 10:31:20 -0400
+Subject: drm/amdkfd: Check for pdd drm file first in CRIU restore path
+
+From: David Francis <David.Francis@amd.com>
+
+commit 6842b6a4b72da9b2906ffc5ca9d846ace2c54c14 upstream.
+
+CRIU restore ioctls are meant to be called by CRIU with no
+existing drm file. There's an error path
+for if the drm file unexpectedly exists. It was positioned so
+it was missing a fput(drm_file).
+
+Do that check earlier, as soon as we have the pdd.
+
+Signed-off-by: David Francis <David.Francis@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 2bab781dac78916c5cc8de76345a4102449267d7)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+@@ -2265,6 +2265,11 @@ static int criu_restore_devices(struct k
+ ret = -EINVAL;
+ goto exit;
+ }
++
++ if (pdd->drm_file) {
++ ret = -EINVAL;
++ goto exit;
++ }
+ pdd->user_gpu_id = device_buckets[i].user_gpu_id;
+
+ drm_file = fget(device_buckets[i].drm_fd);
+@@ -2274,11 +2279,6 @@ static int criu_restore_devices(struct k
+ ret = -EINVAL;
+ goto exit;
+ }
+-
+- if (pdd->drm_file) {
+- ret = -EINVAL;
+- goto exit;
+- }
+
+ /* create the vm using render nodes for kfd pdd */
+ if (kfd_process_device_init_vm(pdd, drm_file)) {
--- /dev/null
+From 93f5534b35a05ef8a0109c1eefa800062fee810a Mon Sep 17 00:00:00 2001
+From: Eric Huang <jinhuieric.huang@amd.com>
+Date: Tue, 12 May 2026 10:19:52 -0400
+Subject: drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger
+
+From: Eric Huang <jinhuieric.huang@amd.com>
+
+commit 93f5534b35a05ef8a0109c1eefa800062fee810a upstream.
+
+get_queue_ids() computes array_size = num_queues * sizeof(uint32_t),
+which could overflow on 32-bit size_t build. using array_size()
+instead, it saturates to SIZE_MAX on overflow.
+
+Signed-off-by: Eric Huang <jinhuieric.huang@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 2d57a0475f085c08b49312dfd8edcb461845f285)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+@@ -2786,12 +2786,14 @@ static void copy_context_work_handler (s
+
+ static uint32_t *get_queue_ids(uint32_t num_queues, uint32_t *usr_queue_id_array)
+ {
+- size_t array_size = num_queues * sizeof(uint32_t);
+-
+ if (!usr_queue_id_array)
+ return NULL;
+
+- return memdup_user(usr_queue_id_array, array_size);
++ if (num_queues > KFD_MAX_NUM_OF_QUEUES_PER_PROCESS)
++ return ERR_PTR(-EINVAL);
++
++ return memdup_user(usr_queue_id_array,
++ array_size(num_queues, sizeof(uint32_t)));
+ }
+
+ int resume_queues(struct kfd_process *p,
--- /dev/null
+From e984d61d92e702096058f0f828f4b2b8563b88ce Mon Sep 17 00:00:00 2001
+From: Eric Huang <jinhuieric.huang@amd.com>
+Date: Thu, 7 May 2026 15:51:49 -0400
+Subject: drm/amdkfd: fix NULL pointer bug in svm_range_set_attr
+
+From: Eric Huang <jinhuieric.huang@amd.com>
+
+commit e984d61d92e702096058f0f828f4b2b8563b88ce upstream.
+
+The process_info could be NULL if user doesn't call kfd_ioctl_acquire_vm
+before calling kfd_ioctl_svm.
+
+Signed-off-by: Eric Huang <jinhuieric.huang@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 83a26c812e0529eb040d31a76f73e33e637243d4)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
+@@ -3567,6 +3567,9 @@ svm_range_set_attr(struct kfd_process *p
+
+ svms = &p->svms;
+
++ if (!process_info)
++ return -EINVAL;
++
+ mutex_lock(&process_info->lock);
+
+ svm_range_list_lock_and_flush_work(svms, mm);
--- /dev/null
+From 13d33b9ef67066c77c84273fac5a1d3fde3533d1 Mon Sep 17 00:00:00 2001
+From: Berkant Koc <me@berkoc.com>
+Date: Tue, 19 May 2026 22:08:17 +0200
+Subject: drm/hyperv: validate resolution_count and fix WIN8 fallback
+
+From: Berkant Koc <me@berkoc.com>
+
+commit 13d33b9ef67066c77c84273fac5a1d3fde3533d1 upstream.
+
+A SYNTHVID_RESOLUTION_RESPONSE with resolution_count > 64 walks past
+the supported_resolution[SYNTHVID_MAX_RESOLUTION_COUNT] array in the
+parse loop. Bound resolution_count against the array size, folded
+into the existing zero-check.
+
+When the WIN10 resolution probe fails, the caller in
+hyperv_connect_vsp() left hv->screen_*_max / preferred_* unpopulated,
+which sets mode_config.max_width / max_height to 0 and makes
+drm_internal_framebuffer_create() reject every userspace framebuffer
+with -EINVAL. The pre-WIN10 branch had the same gap for
+preferred_width / preferred_height. Use a single post-probe fallback
+guarded by screen_width_max == 0 so both paths converge on the WIN8
+defaults.
+
+Signed-off-by: Berkant Koc <me@berkoc.com>
+Assisted-by: Claude:claude-opus-4-7 berkoc-pipeline
+Fixes: 76c56a5affeb ("drm/hyperv: Add DRM driver for hyperv synthetic video device")
+Cc: stable@vger.kernel.org # 5.14+
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Tested-by: Michael Kelley <mhklinux@outlook.com>
+Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+Link: https://patch.msgid.link/6945b22419c7d404b4954a113de2ac9c900dba93.1779542874.git.me@berkoc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/hyperv/hyperv_drm_proto.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
++++ b/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
+@@ -396,8 +396,11 @@ static int hyperv_get_supported_resoluti
+ return -ETIMEDOUT;
+ }
+
+- if (msg->resolution_resp.resolution_count == 0) {
+- drm_err(dev, "No supported resolutions\n");
++ if (msg->resolution_resp.resolution_count == 0 ||
++ msg->resolution_resp.resolution_count >
++ SYNTHVID_MAX_RESOLUTION_COUNT) {
++ drm_err(dev, "Invalid resolution count: %d\n",
++ msg->resolution_resp.resolution_count);
+ return -ENODEV;
+ }
+
+@@ -513,9 +516,13 @@ int hyperv_connect_vsp(struct hv_device
+ ret = hyperv_get_supported_resolution(hdev);
+ if (ret)
+ drm_err(dev, "Failed to get supported resolution from host, use default\n");
+- } else {
++ }
++
++ if (!hv->screen_width_max) {
+ hv->screen_width_max = SYNTHVID_WIDTH_WIN8;
+ hv->screen_height_max = SYNTHVID_HEIGHT_WIN8;
++ hv->preferred_width = SYNTHVID_WIDTH_WIN8;
++ hv->preferred_height = SYNTHVID_HEIGHT_WIN8;
+ }
+
+ hv->mmio_megabytes = hdev->channel->offermsg.offer.mmio_megabytes;
--- /dev/null
+From 7f87763f47a3c22fb50265a00619ef10f2394b18 Mon Sep 17 00:00:00 2001
+From: Berkant Koc <me@berkoc.com>
+Date: Sat, 23 May 2026 15:27:47 +0200
+Subject: drm/hyperv: validate VMBus packet size in receive callback
+
+From: Berkant Koc <me@berkoc.com>
+
+commit 7f87763f47a3c22fb50265a00619ef10f2394b18 upstream.
+
+hyperv_receive_sub() reads msg->vid_hdr.type and dispatches into one
+of four message-type branches without knowing how many bytes the host
+wrote into hv->recv_buf. The completion path then runs
+memcpy(hv->init_buf, msg, VMBUS_MAX_PACKET_SIZE), so the consumer that
+wakes on wait_for_completion_timeout() can read up to 16 KiB of
+residue from a prior message as if it were the response payload.
+
+Pass bytes_recvd into hyperv_receive_sub() and reject any packet that
+does not cover the pipe + synthvid header. A single switch on
+msg->vid_hdr.type then computes the type-specific payload size: the
+three completion-driving types (SYNTHVID_VERSION_RESPONSE,
+SYNTHVID_RESOLUTION_RESPONSE, SYNTHVID_VRAM_LOCATION_ACK) fall through
+to a shared exit that requires that size before memcpy/complete, while
+SYNTHVID_FEATURE_CHANGE validates its own payload and returns before
+reading is_dirt_needed. Unknown types are dropped.
+
+SYNTHVID_RESOLUTION_RESPONSE is variable length: the host fills
+resolution_count entries, not the full SYNTHVID_MAX_RESOLUTION_COUNT
+array. Validate the fixed prefix first so resolution_count can be
+read, bound it against the array, then require only the count-sized
+array, so the shorter responses the host actually sends are accepted.
+
+Only run the sub-handler when vmbus_recvpacket() returned success. The
+memcpy length is bytes_recvd, which is bounded by VMBUS_MAX_PACKET_SIZE
+only on a successful receive; on -ENOBUFS vmbus_recvpacket() instead
+reports the required length, which can exceed hv->recv_buf, so copying
+bytes_recvd would read and write past the 16 KiB buffers. Gating on the
+success return keeps the copy bounded. The nonzero-return path is itself
+a malformed-message case and is now logged rather than silently skipped;
+channel recovery is not attempted.
+
+Rejected packets are reported via drm_err_ratelimited() rather than
+silently dropped, matching the CoCo-hardened pattern in
+hv_kvp_onchannelcallback().
+
+Fixes: 76c56a5affeb ("drm/hyperv: Add DRM driver for hyperv synthetic video device")
+Cc: stable@vger.kernel.org # 5.14+
+Signed-off-by: Berkant Koc <me@berkoc.com>
+Assisted-by: Claude:claude-opus-4-7 berkoc-pipeline
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Tested-by: Michael Kelley <mhklinux@outlook.com>
+Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
+Link: https://patch.msgid.link/8200dbc199c7a9b75ac7e8af6c748d2189b5ebd5.1779542874.git.me@berkoc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/hyperv/hyperv_drm_proto.c | 100 ++++++++++++++++++++++++++----
+ 1 file changed, 87 insertions(+), 13 deletions(-)
+
+--- a/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
++++ b/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
+@@ -425,30 +425,92 @@ static int hyperv_get_supported_resoluti
+ return 0;
+ }
+
+-static void hyperv_receive_sub(struct hv_device *hdev)
++static void hyperv_receive_sub(struct hv_device *hdev, u32 bytes_recvd)
+ {
+ struct hyperv_drm_device *hv = hv_get_drvdata(hdev);
+ struct synthvid_msg *msg;
++ size_t hdr_size;
++ size_t need;
+
+ if (!hv)
+ return;
+
+- msg = (struct synthvid_msg *)hv->recv_buf;
+-
+- /* Complete the wait event */
+- if (msg->vid_hdr.type == SYNTHVID_VERSION_RESPONSE ||
+- msg->vid_hdr.type == SYNTHVID_RESOLUTION_RESPONSE ||
+- msg->vid_hdr.type == SYNTHVID_VRAM_LOCATION_ACK) {
+- memcpy(hv->init_buf, msg, VMBUS_MAX_PACKET_SIZE);
+- complete(&hv->wait);
++ hdr_size = sizeof(struct pipe_msg_hdr) +
++ sizeof(struct synthvid_msg_hdr);
++ if (bytes_recvd < hdr_size) {
++ drm_err_ratelimited(&hv->dev,
++ "synthvid packet too small for header: %u\n",
++ bytes_recvd);
+ return;
+ }
+
+- if (msg->vid_hdr.type == SYNTHVID_FEATURE_CHANGE) {
++ msg = (struct synthvid_msg *)hv->recv_buf;
++ need = hdr_size;
++
++ switch (msg->vid_hdr.type) {
++ case SYNTHVID_VERSION_RESPONSE:
++ need += sizeof(struct synthvid_version_resp);
++ break;
++ case SYNTHVID_RESOLUTION_RESPONSE:
++ /*
++ * The resolution response is variable length: the host
++ * fills resolution_count entries, not the full
++ * SYNTHVID_MAX_RESOLUTION_COUNT array. Require the fixed
++ * prefix first so resolution_count can be read, then
++ * demand exactly the count-sized array.
++ */
++ need += offsetof(struct synthvid_supported_resolution_resp,
++ supported_resolution);
++ if (bytes_recvd < need)
++ break;
++ if (msg->resolution_resp.resolution_count >
++ SYNTHVID_MAX_RESOLUTION_COUNT) {
++ drm_err_ratelimited(&hv->dev,
++ "synthvid resolution count too large: %u\n",
++ msg->resolution_resp.resolution_count);
++ return;
++ }
++ need += msg->resolution_resp.resolution_count *
++ sizeof(struct hvd_screen_info);
++ break;
++ case SYNTHVID_VRAM_LOCATION_ACK:
++ need += sizeof(struct synthvid_vram_location_ack);
++ break;
++ case SYNTHVID_FEATURE_CHANGE:
++ /*
++ * Not a completion-driving message: validate its own payload
++ * and consume it here rather than falling through to the
++ * memcpy/complete shared by the wait-event responses.
++ */
++ if (bytes_recvd < need +
++ sizeof(struct synthvid_feature_change)) {
++ drm_err_ratelimited(&hv->dev,
++ "synthvid feature change packet too small: %u\n",
++ bytes_recvd);
++ return;
++ }
+ hv->dirt_needed = msg->feature_chg.is_dirt_needed;
+ if (hv->dirt_needed)
+ hyperv_hide_hw_ptr(hv->hdev);
++ return;
++ default:
++ return;
++ }
++
++ /*
++ * Shared completion path for the wait-event responses
++ * (VERSION_RESPONSE, RESOLUTION_RESPONSE, VRAM_LOCATION_ACK):
++ * require the type-specific payload before handing the buffer to
++ * the waiter.
++ */
++ if (bytes_recvd < need) {
++ drm_err_ratelimited(&hv->dev,
++ "synthvid packet too small for type %u: %u < %zu\n",
++ msg->vid_hdr.type, bytes_recvd, need);
++ return;
+ }
++ memcpy(hv->init_buf, msg, bytes_recvd);
++ complete(&hv->wait);
+ }
+
+ static void hyperv_receive(void *ctx)
+@@ -469,9 +531,21 @@ static void hyperv_receive(void *ctx)
+ ret = vmbus_recvpacket(hdev->channel, recv_buf,
+ VMBUS_MAX_PACKET_SIZE,
+ &bytes_recvd, &req_id);
+- if (bytes_recvd > 0 &&
+- recv_buf->pipe_hdr.type == PIPE_MSG_DATA)
+- hyperv_receive_sub(hdev);
++ if (ret) {
++ /*
++ * A nonzero return (e.g. -ENOBUFS for an oversized
++ * packet) is itself a malformed message: bytes_recvd
++ * then reports the required length rather than a copied
++ * payload, so it must not be forwarded to the
++ * sub-handler. Channel recovery is not attempted.
++ */
++ drm_err_ratelimited(&hv->dev,
++ "vmbus_recvpacket failed: %d (need %u)\n",
++ ret, bytes_recvd);
++ } else if (bytes_recvd > 0 &&
++ recv_buf->pipe_hdr.type == PIPE_MSG_DATA) {
++ hyperv_receive_sub(hdev, bytes_recvd);
++ }
+ } while (bytes_recvd > 0 && ret == 0);
+ }
+
--- /dev/null
+From 5c4063c87a619e4df954c179d24628636f5db15f Mon Sep 17 00:00:00 2001
+From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+Date: Fri, 8 May 2026 14:23:51 +0200
+Subject: drm/i915: Fix potential UAF in TTM object purge
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+
+commit 5c4063c87a619e4df954c179d24628636f5db15f upstream.
+
+TLDR: The bo->ttm object might be changed by calling ttm_bo_validate(),
+ move casting it to an i915_tt object later to actually get the right
+ pointer.
+
+A user reported hitting the following bug under heavy use on DG2:
+
+[26620.095550] Oops: general protection fault, probably for non-canonical address 0xa56b6b6b6b6b6b8b: 0000 1 SMP NOPTI
+[26620.095556] CPU: 2 UID: 0 PID: 631 Comm: Xorg Not tainted 6.18.8 #1 PREEMPT(lazy)
+[26620.095558] Hardware name: ASRock B850M Steel Legend WiFi/B850M Steel Legend WiFi, BIOS 3.50 09/18/2025
+[26620.095559] RIP: 0010:i915_ttm_purge+0x84/0x100 [i915]
+[26620.095604] Code: 00 00 00 48 8d 54 24 10 48 89 e6 48 89 fb e8 83 aa ae ff 85 c0 75 6f 48 83 bb a8 01 00 00 00 74 2c 48 8b 45 78 48 85 c0 74 23 <48> 8b 78 20 48 c7 c2 ff ff ff ff 31 f6 e8 7a 73 e3 e0 48 8b 7d 78
+[26620.095605] RSP: 0018:ffffc90005fd7430 EFLAGS: 00010282
+[26620.095607] RAX: a56b6b6b6b6b6b6b RBX: ffff8881f46c3dc0 RCX: 0000000000000000
+[26620.095608] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 00000000ffffffff
+[26620.095609] RBP: ffff888289610f00 R08: 0000000000000001 R09: ffff88823b022000
+[26620.095609] R10: ffff888103029b28 R11: ffff8881fc7f3800 R12: ffff88810b6150d0
+[26620.095609] R13: ffff888289610f00 R14: 0000000000000000 R15: ffff8881f46c3dc0
+[26620.095610] FS: 00007f1004d86900(0000) GS:ffff88901c858000(0000) knlGS:0000000000000000
+[26620.095611] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[26620.095611] CR2: 00007f0fdf489000 CR3: 000000035b0c1000 CR4: 0000000000750ef0
+[26620.095612] PKRU: 55555554
+[26620.095612] Call Trace:
+[26620.095615] <TASK>
+[26620.095615] i915_ttm_move+0x2b9/0x420 [i915]
+[26620.095642] ? ttm_tt_init+0x65/0x80 [ttm]
+[26620.095644] ? i915_ttm_tt_create+0xc6/0x150 [i915]
+[26620.095667] ttm_bo_handle_move_mem+0xb6/0x160 [ttm]
+[26620.095669] ttm_bo_evict+0x100/0x150 [ttm]
+[26620.095671] ? preempt_count_add+0x64/0xa0
+[26620.095673] ? _raw_spin_lock+0xe/0x30
+[26620.095675] ? _raw_spin_unlock+0xd/0x30
+[26620.095675] ? i915_gem_object_evictable+0xb7/0xd0 [i915]
+[26620.095704] ttm_bo_evict_cb+0x6e/0xd0 [ttm]
+[26620.095705] ttm_lru_walk_for_evict+0xa6/0x200 [ttm]
+[26620.095708] ttm_bo_alloc_resource+0x185/0x4f0 [ttm]
+[26620.095709] ? init_object+0x62/0xd0
+[26620.095712] ttm_bo_validate+0x7a/0x180 [ttm]
+[26620.095713] ? _raw_spin_unlock_irqrestore+0x16/0x30
+[26620.095714] __i915_ttm_get_pages+0xb0/0x170 [i915]
+[26620.095737] i915_ttm_get_pages+0x9f/0x150 [i915]
+[26620.095759] ? i915_gem_do_execbuffer+0xedc/0x2b40 [i915]
+[26620.095786] ? alloc_debug_processing+0xd0/0x100
+[26620.095787] ? _raw_spin_unlock_irqrestore+0x16/0x30
+[26620.095788] ? i915_vma_instance+0xa0/0x4e0 [i915]
+[26620.095822] __i915_gem_object_get_pages+0x2f/0x40 [i915]
+[26620.095848] i915_vma_pin_ww+0x706/0x980 [i915]
+[26620.095875] ? i915_gem_do_execbuffer+0xedc/0x2b40 [i915]
+[26620.095904] eb_validate_vmas+0x170/0xa00 [i915]
+[26620.095930] i915_gem_do_execbuffer+0x1201/0x2b40 [i915]
+[26620.095953] ? alloc_debug_processing+0xd0/0x100
+[26620.095954] ? _raw_spin_unlock_irqrestore+0x16/0x30
+[26620.095955] ? i915_gem_execbuffer2_ioctl+0xc9/0x240 [i915]
+[26620.095977] ? __wake_up_sync_key+0x32/0x50
+[26620.095979] ? i915_gem_execbuffer2_ioctl+0xc9/0x240 [i915]
+[26620.096001] ? __slab_alloc.isra.0+0x67/0xc0
+[26620.096003] i915_gem_execbuffer2_ioctl+0x11a/0x240 [i915]
+
+Results from decode_stacktrace.sh pointed to dereference of a file pointer
+field of a i915 TTM page vector container associated with an object being
+purged on eviction. That path is taken when the object is marked as no
+longer needed.
+
+Code analysis revealed a possibility of the i915 TTM page vector container
+being replaced with a new instance inside a function that purges content
+of the object, should it be still busy. That function is called,
+indirectly via a more general function that changes the object's placement
+and caching policy, before the problematic dereference, but still after
+a pointer to the container is captured, rendering the pointer no longer
+valid.
+
+Fix the issue by capturing the pointer to the container only after its
+potential replacement.
+
+v2: Move the container_of() inside the if block (Sebastian),
+ - a simplified version of the commit description that explains briefly
+ why the change is necessary (Christian).
+
+Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/work_items/14882
+Fixes: 7ae034590ceae ("drm/i915/ttm: add tt shmem backend")
+Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+Cc: stable@vger.kernel.org # v5.17+
+Cc: Matthew Auld <matthew.auld@intel.com>
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Cc: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
+Cc: Christian König <christian.koenig@amd.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://lore.kernel.org/r/20260508122612.469227-2-janusz.krzysztofik@linux.intel.com
+(cherry picked from commit 4462966a93eb185849b7f174f0d0de53476d00a4)
+Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 28 ++++++++++++++++------------
+ 1 file changed, 16 insertions(+), 12 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
+@@ -423,8 +423,6 @@ void i915_ttm_free_cached_io_rsgt(struct
+ int i915_ttm_purge(struct drm_i915_gem_object *obj)
+ {
+ struct ttm_buffer_object *bo = i915_gem_to_ttm(obj);
+- struct i915_ttm_tt *i915_tt =
+- container_of(bo->ttm, typeof(*i915_tt), ttm);
+ struct ttm_operation_ctx ctx = {
+ .interruptible = true,
+ .no_wait_gpu = false,
+@@ -439,16 +437,22 @@ int i915_ttm_purge(struct drm_i915_gem_o
+ if (ret)
+ return ret;
+
+- if (bo->ttm && i915_tt->filp) {
+- /*
+- * The below fput(which eventually calls shmem_truncate) might
+- * be delayed by worker, so when directly called to purge the
+- * pages(like by the shrinker) we should try to be more
+- * aggressive and release the pages immediately.
+- */
+- shmem_truncate_range(file_inode(i915_tt->filp),
+- 0, (loff_t)-1);
+- fput(fetch_and_zero(&i915_tt->filp));
++ if (bo->ttm) {
++ struct i915_ttm_tt *i915_tt =
++ container_of(bo->ttm, typeof(*i915_tt), ttm);
++
++ if (i915_tt->filp) {
++ /*
++ * The below fput(which eventually calls shmem_truncate)
++ * might be delayed by worker, so when directly called
++ * to purge the pages(like by the shrinker) we should
++ * try to be more aggressive and release the pages
++ * immediately.
++ */
++ shmem_truncate_range(file_inode(i915_tt->filp),
++ 0, (loff_t)-1);
++ fput(fetch_and_zero(&i915_tt->filp));
++ }
+ }
+
+ obj->write_domain = 0;
--- /dev/null
+From baa0210fb6a9dc3882509a9411b6d284d88fe30e Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 11:54:45 -0700
+Subject: Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit baa0210fb6a9dc3882509a9411b6d284d88fe30e upstream.
+
+When a configuration file provides an object size that is larger than the
+driver's known mxt_obj_size(object), the driver intends to discard the
+extra bytes.
+
+The loop iterates using for (i = 0; i < size; i++). Inside the loop, the
+condition to skip processing extra bytes is:
+
+ if (i > mxt_obj_size(object))
+ continue;
+
+Since i is a 0-based index, the valid indices for the object are 0 through
+mxt_obj_size(object) - 1.
+
+When i == mxt_obj_size(object), the condition evaluates to false, and the
+code processes the byte instead of discarding it.
+
+This causes the code to calculate byte_offset = reg + i - cfg->start_ofs
+and writes the byte there, overwriting exactly one byte of the adjacent
+instance or object.
+
+Update the boundary check to skip extra bytes correctly by using >=.
+
+Fixes: 50a77c658b80 ("Input: atmel_mxt_ts - download device config using firmware loader")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Link: https://patch.msgid.link/20260504185448.4055973-1-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/atmel_mxt_ts.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/atmel_mxt_ts.c
++++ b/drivers/input/touchscreen/atmel_mxt_ts.c
+@@ -1476,7 +1476,7 @@ static int mxt_prepare_cfg_mem(struct mx
+ }
+ cfg->raw_pos += offset;
+
+- if (i > mxt_obj_size(object))
++ if (i >= mxt_obj_size(object))
+ continue;
+
+ byte_offset = reg + i - cfg->start_ofs;
--- /dev/null
+From 16ca52bc209fa4bf9239cd9e5643e95533476b58 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nicol=C3=A1s=20Bazaes?= <contacto@bazaes.cl>
+Date: Wed, 13 May 2026 21:35:49 -0400
+Subject: Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nicolás Bazaes <contacto@bazaes.cl>
+
+commit 16ca52bc209fa4bf9239cd9e5643e95533476b58 upstream.
+
+The Lenovo ThinkPad E490 (PNP ID: LEN2058) has a Synaptics TM3471-020
+touchpad that supports SMBus/RMI4 mode but is not listed in
+smbus_pnp_ids[]. Without this entry, RMI4 over SMBus is not enabled
+by default, and the touchpad falls back to PS/2 mode.
+
+Adding LEN2058 to the passlist enables automatic RMI4 detection without
+requiring the psmouse.synaptics_intertouch parameter, and matches
+the behavior of similar ThinkPad models already in the list
+(E480/LEN2054, E580/LEN2055).
+
+Tested on ThinkPad E490 with kernel 7.0.5-zen1 and Arch Linux.
+RMI4 over SMBus is confirmed working without any kernel parameters.
+
+Signed-off-by: Nicolás Bazaes <contacto@bazaes.cl>
+Assisted-by: Claude:claude-sonnet-4-6
+Link: https://patch.msgid.link/20260514013552.14234-1-contacto@bazaes.cl
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/mouse/synaptics.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -189,6 +189,7 @@ static const char * const smbus_pnp_ids[
+ "LEN2044", /* L470 */
+ "LEN2054", /* E480 */
+ "LEN2055", /* E580 */
++ "LEN2058", /* E490 */
+ "LEN2068", /* T14 Gen 1 */
+ "SYN1221", /* TUXEDO InfinityBook Pro 14 v5 */
+ "SYN3003", /* HP EliteBook 850 G1 */
--- /dev/null
+From 1f6ac0f8441c48c4cc250141e1da8486c13512ba Mon Sep 17 00:00:00 2001
+From: Qbeliw Tanaka <q.tanaka@gmx.com>
+Date: Thu, 30 Apr 2026 21:44:12 -0700
+Subject: Input: xpad - add "Nova 2 Lite" from GameSir
+
+From: Qbeliw Tanaka <q.tanaka@gmx.com>
+
+commit 1f6ac0f8441c48c4cc250141e1da8486c13512ba upstream.
+
+Add support for the gamepad "Nova 2 Lite" from GameSir, compatible with
+the Xbox 360 gamepad.
+
+Signed-off-by: Qbeliw Tanaka <q.tanaka@gmx.com>
+Link: https://patch.msgid.link/20260429.162040.930225048583399359.q.tanaka@gmx.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/joystick/xpad.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -414,6 +414,7 @@ static const struct xpad_device {
+ { 0x3285, 0x0662, "Nacon Revolution5 Pro", 0, XTYPE_XBOX360 },
+ { 0x3285, 0x0663, "Nacon Evol-X", 0, XTYPE_XBOXONE },
+ { 0x3537, 0x1004, "GameSir T4 Kaleid", 0, XTYPE_XBOX360 },
++ { 0x3537, 0x100f, "GameSir Nova 2 Lite", 0, XTYPE_XBOX360 },
+ { 0x3537, 0x1010, "GameSir G7 SE", 0, XTYPE_XBOXONE },
+ { 0x3767, 0x0101, "Fanatec Speedster 3 Forceshock Wheel", 0, XTYPE_XBOX },
+ { 0x413d, 0x2104, "Black Shark Green Ghost Gamepad", 0, XTYPE_XBOX360 },
--- /dev/null
+From c897cf120696b94f56ed0f3197ba9a77071a59ec Mon Sep 17 00:00:00 2001
+From: Dmitriy Zharov <contact@zharov.dev>
+Date: Thu, 30 Apr 2026 22:35:22 +0400
+Subject: Input: xpad - add support for ASUS ROG RAIKIRI II
+
+From: Dmitriy Zharov <contact@zharov.dev>
+
+commit c897cf120696b94f56ed0f3197ba9a77071a59ec upstream.
+
+Add the VID/PIDs for the ASUS ROG RAIKIRI II controller to xpad_device
+and the VID to xpad_table. The controller has a physical PC/XBOX toggle
+which switches between XBOX360 and XBOXONE protocols.
+
+Signed-off-by: Dmitriy Zharov <contact@zharov.dev>
+Link: https://patch.msgid.link/20260430183522.122151-1-contact@zharov.dev
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/joystick/xpad.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -215,6 +215,10 @@ static const struct xpad_device {
+ { 0x07ff, 0xffff, "Mad Catz GamePad", 0, XTYPE_XBOX360 },
+ { 0x0b05, 0x1a38, "ASUS ROG RAIKIRI", MAP_SHARE_BUTTON, XTYPE_XBOXONE },
+ { 0x0b05, 0x1abb, "ASUS ROG RAIKIRI PRO", 0, XTYPE_XBOXONE },
++ { 0x0b05, 0x1c91, "ASUS ROG RAIKIRI II", 0, XTYPE_XBOX360 },
++ { 0x0b05, 0x1c92, "ASUS ROG RAIKIRI II WIRELESS", 0, XTYPE_XBOX360 },
++ { 0x0b05, 0x1c96, "ASUS ROG RAIKIRI II XBOX", MAP_SHARE_BUTTON, XTYPE_XBOXONE },
++ { 0x0b05, 0x1d04, "ASUS ROG RAIKIRI II XBOX WIRELESS", MAP_SHARE_BUTTON, XTYPE_XBOXONE },
+ { 0x0c12, 0x0005, "Intec wireless", 0, XTYPE_XBOX },
+ { 0x0c12, 0x8801, "Nyko Xbox Controller", 0, XTYPE_XBOX },
+ { 0x0c12, 0x8802, "Zeroplus Xbox Controller", 0, XTYPE_XBOX },
+@@ -527,6 +531,7 @@ static const struct usb_device_id xpad_t
+ { USB_DEVICE(0x0738, 0x4540) }, /* Mad Catz Beat Pad */
+ XPAD_XBOXONE_VENDOR(0x0738), /* Mad Catz FightStick TE 2 */
+ XPAD_XBOX360_VENDOR(0x07ff), /* Mad Catz Gamepad */
++ XPAD_XBOX360_VENDOR(0x0b05), /* ASUS controllers */
+ XPAD_XBOXONE_VENDOR(0x0b05), /* ASUS controllers */
+ XPAD_XBOX360_VENDOR(0x0c12), /* Zeroplus X-Box 360 controllers */
+ XPAD_XBOX360_VENDOR(0x0db0), /* Micro Star International X-Box 360 controllers */
--- /dev/null
+From 0e60dafe97eca61721f3db456f97d97a80c6c8ae Mon Sep 17 00:00:00 2001
+From: Ali Ganiyev <ali.qaniyev@gmail.com>
+Date: Mon, 25 May 2026 10:23:47 +0900
+Subject: ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops
+
+From: Ali Ganiyev <ali.qaniyev@gmail.com>
+
+commit 0e60dafe97eca61721f3db456f97d97a80c6c8ae upstream.
+
+Commit d07b26f39246 ("ksmbd: require minimum ACE size in
+smb_check_perm_dacl()") introduced a transposed bounds check:
+
+ if (offsetof(struct smb_ace, sid) + aces_size < CIFS_SID_BASE_SIZE)
+
+Since offsetof(..sid) is 8 and CIFS_SID_BASE_SIZE is 8, this evaluates
+to `aces_size < 0`. Because `aces_size` is always non-negative, this
+check becomes dead code and never breaks the loop.
+
+Worse, that commit removed the old 4-byte guard, meaning the loop now
+reads `ace->size` (offset 2) even when `aces_size` is 0-3 bytes. This
+re-opens a 2-byte heap out-of-bounds (OOB) read past the pntsd allocation
+during subsequent SMB2_CREATE operations.
+
+Fix this by properly transposing the comparison to require at least
+16 bytes (8-byte offset + 8-byte SID base), matching the correct form
+used in smb_inherit_dacl().
+
+Fixes: d07b26f39246 ("ksmbd: require minimum ACE size in smb_check_perm_dacl()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ali Ganiyev <ali.qaniyev@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smbacl.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/smb/server/smbacl.c
++++ b/fs/smb/server/smbacl.c
+@@ -1342,8 +1342,8 @@ int smb_check_perm_dacl(struct ksmbd_con
+ ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
+ aces_size = acl_size - sizeof(struct smb_acl);
+ for (i = 0; i < le16_to_cpu(pdacl->num_aces); i++) {
+- if (offsetof(struct smb_ace, sid) +
+- aces_size < CIFS_SID_BASE_SIZE)
++ if (aces_size < offsetof(struct smb_ace, sid) +
++ CIFS_SID_BASE_SIZE)
+ break;
+ ace_size = le16_to_cpu(ace->size);
+ if (ace_size > aces_size ||
+@@ -1366,8 +1366,8 @@ int smb_check_perm_dacl(struct ksmbd_con
+ ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
+ aces_size = acl_size - sizeof(struct smb_acl);
+ for (i = 0; i < le16_to_cpu(pdacl->num_aces); i++) {
+- if (offsetof(struct smb_ace, sid) +
+- aces_size < CIFS_SID_BASE_SIZE)
++ if (aces_size < offsetof(struct smb_ace, sid) +
++ CIFS_SID_BASE_SIZE)
+ break;
+ ace_size = le16_to_cpu(ace->size);
+ if (ace_size > aces_size ||
--- /dev/null
+From 9eed1bd59937e6828b00d2f2dfef631d964f3636 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Mon, 18 May 2026 10:43:07 -0400
+Subject: scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 9eed1bd59937e6828b00d2f2dfef631d964f3636 upstream.
+
+drivers/scsi/fcoe/fcoe_ctlr.c::fcoe_ctlr_recv_clr_vlink() advanced the
+descriptor cursor by an attacker-supplied fip_dlen without ever
+requiring dlen >= sizeof(struct fip_desc) in the default branch. The
+named descriptor cases (FIP_DT_MAC, FIP_DT_NAME, FIP_DT_VN_ID) checked
+their per-type minimum lengths, but a FIP_DT_NON_CRITICAL descriptor
+(fip_dtype >= 128, which the standard requires receivers to silently
+ignore) skipped that check entirely.
+
+An unauthenticated L2 peer on the FCoE control VLAN could hang
+fcoe_ctlr_recv_work on an fcoe, qedf, or bnx2fc initiator indefinitely
+by emitting one FIP CVL frame whose single descriptor had fip_dtype ==
+FIP_DT_NON_CRITICAL and fip_dlen == 0: the cursor advanced zero bytes
+per iteration and the loop condition rlen >= sizeof(*desc) stayed true
+forever, blocking every subsequent FIP frame on that controller.
+
+Tighten the outer dlen guard to also reject dlen < sizeof(struct
+fip_desc), so a malformed descriptor whose length cannot even cover the
+descriptor header is rejected before the switch. This is the same
+lower-bound the named cases already apply and is the minimum scope that
+closes the loop.
+
+Fixes: 97c8389d54b9 ("[SCSI] fcoe, libfcoe: Add support for FIP. FCoE discovery and keep-alive.")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Reviewed-by: Hannes Reinecke <hare@kernel.org>
+Link: https://patch.msgid.link/20260518144307.2820961-1-michael.bommarito@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/fcoe/fcoe_ctlr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/fcoe/fcoe_ctlr.c
++++ b/drivers/scsi/fcoe/fcoe_ctlr.c
+@@ -1386,7 +1386,7 @@ static void fcoe_ctlr_recv_clr_vlink(str
+
+ while (rlen >= sizeof(*desc)) {
+ dlen = desc->fip_dlen * FIP_BPW;
+- if (dlen > rlen)
++ if (dlen < sizeof(*desc) || dlen > rlen)
+ goto err;
+ /* Drop CVL if there are duplicate critical descriptors */
+ if ((desc->fip_dtype < 32) &&
--- /dev/null
+From a9a39233ec1fc9f97ea1340a4d09bb7ec2be5153 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Wed, 20 May 2026 09:30:15 -0400
+Subject: scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit a9a39233ec1fc9f97ea1340a4d09bb7ec2be5153 upstream.
+
+An adjacent Fibre Channel fabric actor that can deliver an FPIN ELS
+frame to an lpfc or qla2xxx Linux initiator can trigger a non-return in
+the generic FC transport. This is not a local userspace or IP network
+path; the attacker must be able to inject fabric traffic, for example as
+a compromised switch or fabric controller, or as a same-zone N_Port on a
+fabric that permits source spoofing.
+
+The Link-Integrity and Peer-Congestion FPIN walkers used a u8 loop
+counter against the 32-bit on-wire pname_count field, and did not bound
+pname_count by the descriptor body already validated by the TLV walker.
+A pname_count of 256 therefore wraps the counter and keeps the loop
+condition true indefinitely.
+
+Factor the shared pname_list[] walk into one helper, widen the counter
+to u32, and clamp pname_count against the entries that fit in the
+descriptor body before iterating.
+
+Fixes: 3dcfe0de5a97 ("scsi: fc: Parse FPIN packets and update statistics")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: John Garry <john.g.garry@oracle.com>
+Link: https://patch.msgid.link/20260520133015.1018937-1-michael.bommarito@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_transport_fc.c | 77 ++++++++++++++++++++-------------------
+ 1 file changed, 41 insertions(+), 36 deletions(-)
+
+--- a/drivers/scsi/scsi_transport_fc.c
++++ b/drivers/scsi/scsi_transport_fc.c
+@@ -747,6 +747,37 @@ fc_cn_stats_update(u16 event_type, struc
+ }
+ }
+
++static void
++fc_fpin_pname_stats_update(struct Scsi_Host *shost,
++ struct fc_rport *attach_rport, u16 event_type,
++ u32 desc_len, u32 fixed_len, u32 pname_count,
++ __be64 *pname_list,
++ void (*stats_update)(u16 event_type,
++ struct fc_fpin_stats *stats))
++{
++ u32 i;
++ struct fc_rport *rport;
++ u64 wwpn;
++
++ if (desc_len < fixed_len)
++ pname_count = 0;
++ else
++ pname_count = min(pname_count, (desc_len - fixed_len) /
++ sizeof(pname_list[0]));
++
++ for (i = 0; i < pname_count; i++) {
++ wwpn = be64_to_cpu(pname_list[i]);
++ rport = fc_find_rport_by_wwpn(shost, wwpn);
++ if (rport &&
++ (rport->roles & FC_PORT_ROLE_FCP_TARGET ||
++ rport->roles & FC_PORT_ROLE_NVME_TARGET)) {
++ if (rport == attach_rport)
++ continue;
++ stats_update(event_type, &rport->fpin_stats);
++ }
++ }
++}
++
+ /*
+ * fc_fpin_li_stats_update - routine to update Link Integrity
+ * event statistics.
+@@ -757,13 +788,11 @@ fc_cn_stats_update(u16 event_type, struc
+ static void
+ fc_fpin_li_stats_update(struct Scsi_Host *shost, struct fc_tlv_desc *tlv)
+ {
+- u8 i;
+ struct fc_rport *rport = NULL;
+ struct fc_rport *attach_rport = NULL;
+ struct fc_host_attrs *fc_host = shost_to_fc_host(shost);
+ struct fc_fn_li_desc *li_desc = (struct fc_fn_li_desc *)tlv;
+ u16 event_type = be16_to_cpu(li_desc->event_type);
+- u64 wwpn;
+
+ rport = fc_find_rport_by_wwpn(shost,
+ be64_to_cpu(li_desc->attached_wwpn));
+@@ -774,22 +803,11 @@ fc_fpin_li_stats_update(struct Scsi_Host
+ fc_li_stats_update(event_type, &attach_rport->fpin_stats);
+ }
+
+- if (be32_to_cpu(li_desc->pname_count) > 0) {
+- for (i = 0;
+- i < be32_to_cpu(li_desc->pname_count);
+- i++) {
+- wwpn = be64_to_cpu(li_desc->pname_list[i]);
+- rport = fc_find_rport_by_wwpn(shost, wwpn);
+- if (rport &&
+- (rport->roles & FC_PORT_ROLE_FCP_TARGET ||
+- rport->roles & FC_PORT_ROLE_NVME_TARGET)) {
+- if (rport == attach_rport)
+- continue;
+- fc_li_stats_update(event_type,
+- &rport->fpin_stats);
+- }
+- }
+- }
++ fc_fpin_pname_stats_update(shost, attach_rport, event_type,
++ be32_to_cpu(li_desc->desc_len),
++ FC_TLV_DESC_LENGTH_FROM_SZ(*li_desc),
++ be32_to_cpu(li_desc->pname_count),
++ li_desc->pname_list, fc_li_stats_update);
+
+ if (fc_host->port_name == be64_to_cpu(li_desc->attached_wwpn))
+ fc_li_stats_update(event_type, &fc_host->fpin_stats);
+@@ -837,13 +855,11 @@ static void
+ fc_fpin_peer_congn_stats_update(struct Scsi_Host *shost,
+ struct fc_tlv_desc *tlv)
+ {
+- u8 i;
+ struct fc_rport *rport = NULL;
+ struct fc_rport *attach_rport = NULL;
+ struct fc_fn_peer_congn_desc *pc_desc =
+ (struct fc_fn_peer_congn_desc *)tlv;
+ u16 event_type = be16_to_cpu(pc_desc->event_type);
+- u64 wwpn;
+
+ rport = fc_find_rport_by_wwpn(shost,
+ be64_to_cpu(pc_desc->attached_wwpn));
+@@ -854,22 +870,11 @@ fc_fpin_peer_congn_stats_update(struct S
+ fc_cn_stats_update(event_type, &attach_rport->fpin_stats);
+ }
+
+- if (be32_to_cpu(pc_desc->pname_count) > 0) {
+- for (i = 0;
+- i < be32_to_cpu(pc_desc->pname_count);
+- i++) {
+- wwpn = be64_to_cpu(pc_desc->pname_list[i]);
+- rport = fc_find_rport_by_wwpn(shost, wwpn);
+- if (rport &&
+- (rport->roles & FC_PORT_ROLE_FCP_TARGET ||
+- rport->roles & FC_PORT_ROLE_NVME_TARGET)) {
+- if (rport == attach_rport)
+- continue;
+- fc_cn_stats_update(event_type,
+- &rport->fpin_stats);
+- }
+- }
+- }
++ fc_fpin_pname_stats_update(shost, attach_rport, event_type,
++ be32_to_cpu(pc_desc->desc_len),
++ FC_TLV_DESC_LENGTH_FROM_SZ(*pc_desc),
++ be32_to_cpu(pc_desc->pname_count),
++ pc_desc->pname_list, fc_cn_stats_update);
+ }
+
+ /*
--- /dev/null
+From bf33e01f88388c43e285492a63e539df6ffed64c Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Mon, 11 May 2026 14:49:14 -0400
+Subject: scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit bf33e01f88388c43e285492a63e539df6ffed64c upstream.
+
+iscsi_encode_text_output() concatenates "key=value\0" records into
+login->rsp_buf, an 8192-byte kzalloc(MAX_KEY_VALUE_PAIRS) buffer
+allocated in iscsit_alloc_login_setup_buffer(). The three sprintf() call
+sites in this function (lines 1398, 1411, 1424 in v7.1-rc2) never check
+the remaining buffer capacity:
+
+ *length += sprintf(output_buf, "%s=%s", er->key, er->value);
+ *length += 1;
+ output_buf = textbuf + *length;
+
+The 8192-byte ceiling at iscsi_target_check_login_request() bounds the
+*input* Login PDU payload, but a single PDU can carry up to 2048 minimal
+four-byte "a=b\0" pairs, each unknown key expanding to a 16-byte
+"a=NotUnderstood\0" output record via iscsi_add_notunderstood_response().
+2048 * 16 = 32 KiB of output into an 8 KiB buffer, producing a ~24 KiB
+heap overrun in the kmalloc-8k slab.
+
+The fix introduces a static iscsi_encode_text_record() helper that uses
+snprintf() with a per-call bounds check against the remaining buffer,
+and threads a u32 textbuf_size parameter through
+iscsi_encode_text_output(). Both call sites in
+iscsi_target_handle_csg_zero() (PHASE_SECURITY) and
+iscsi_target_handle_csg_one() (PHASE_OPERATIONAL) pass
+MAX_KEY_VALUE_PAIRS. On overflow the encoder logs the condition, calls
+iscsi_release_extra_responses() to drop queued records, and returns -1;
+both caller sites now emit ISCSI_STATUS_CLS_INITIATOR_ERR /
+ISCSI_LOGIN_STATUS_INIT_ERR via iscsit_tx_login_rsp() before returning,
+so the initiator sees an explicit failed-login response rather than a
+silent connection drop. (Prior to this patch only the PHASE_OPERATIONAL
+caller did that; the PHASE_SECURITY caller is converted to the same
+shape.)
+
+Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Tested-by: John Garry <john.g.garry@oracle.com>
+Reviewed-by: John Garry <john.g.garry@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/iscsi/iscsi_target_nego.c | 7 ++
+ drivers/target/iscsi/iscsi_target_parameters.c | 62 +++++++++++++++++++------
+ drivers/target/iscsi/iscsi_target_parameters.h | 2
+ 3 files changed, 55 insertions(+), 16 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_nego.c
++++ b/drivers/target/iscsi/iscsi_target_nego.c
+@@ -899,10 +899,14 @@ static int iscsi_target_handle_csg_zero(
+ SENDER_TARGET,
+ login->rsp_buf,
+ &login->rsp_length,
++ MAX_KEY_VALUE_PAIRS,
+ conn->param_list,
+ conn->tpg->tpg_attrib.login_keys_workaround);
+- if (ret < 0)
++ if (ret < 0) {
++ iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_INITIATOR_ERR,
++ ISCSI_LOGIN_STATUS_INIT_ERR);
+ return -1;
++ }
+
+ if (!iscsi_check_negotiated_keys(conn->param_list)) {
+ bool auth_required = iscsi_conn_auth_required(conn);
+@@ -986,6 +990,7 @@ static int iscsi_target_handle_csg_one(s
+ SENDER_TARGET,
+ login->rsp_buf,
+ &login->rsp_length,
++ MAX_KEY_VALUE_PAIRS,
+ conn->param_list,
+ conn->tpg->tpg_attrib.login_keys_workaround);
+ if (ret < 0) {
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -1419,19 +1419,42 @@ free_buffer:
+ return -1;
+ }
+
++/*
++ * Append "key=value" plus a trailing NUL into @textbuf at *@length.
++ * Returns 0 on success and advances *@length, or -EMSGSIZE if the
++ * record (including the NUL) would not fit in the remaining buffer.
++ */
++static int iscsi_encode_text_record(char *textbuf, u32 *length,
++ u32 textbuf_size,
++ const char *key, const char *value)
++{
++ int n;
++ u32 avail;
++
++ if (*length >= textbuf_size)
++ return -EMSGSIZE;
++
++ avail = textbuf_size - *length;
++ n = snprintf(textbuf + *length, avail, "%s=%s", key, value);
++ if (n < 0 || (u32)n + 1 > avail)
++ return -EMSGSIZE;
++
++ *length += n + 1;
++ return 0;
++}
++
+ int iscsi_encode_text_output(
+ u8 phase,
+ u8 sender,
+ char *textbuf,
+ u32 *length,
++ u32 textbuf_size,
+ struct iscsi_param_list *param_list,
+ bool keys_workaround)
+ {
+- char *output_buf = NULL;
+ struct iscsi_extra_response *er;
+ struct iscsi_param *param;
+-
+- output_buf = textbuf + *length;
++ int ret;
+
+ if (iscsi_enforce_integrity_rules(phase, param_list) < 0)
+ return -1;
+@@ -1443,10 +1466,12 @@ int iscsi_encode_text_output(
+ !IS_PSTATE_RESPONSE_SENT(param) &&
+ !IS_PSTATE_REPLY_OPTIONAL(param) &&
+ (param->phase & phase)) {
+- *length += sprintf(output_buf, "%s=%s",
+- param->name, param->value);
+- *length += 1;
+- output_buf = textbuf + *length;
++ ret = iscsi_encode_text_record(textbuf, length,
++ textbuf_size,
++ param->name,
++ param->value);
++ if (ret < 0)
++ goto err_overflow;
+ SET_PSTATE_RESPONSE_SENT(param);
+ pr_debug("Sending key: %s=%s\n",
+ param->name, param->value);
+@@ -1456,10 +1481,12 @@ int iscsi_encode_text_output(
+ !IS_PSTATE_ACCEPTOR(param) &&
+ !IS_PSTATE_PROPOSER(param) &&
+ (param->phase & phase)) {
+- *length += sprintf(output_buf, "%s=%s",
+- param->name, param->value);
+- *length += 1;
+- output_buf = textbuf + *length;
++ ret = iscsi_encode_text_record(textbuf, length,
++ textbuf_size,
++ param->name,
++ param->value);
++ if (ret < 0)
++ goto err_overflow;
+ SET_PSTATE_PROPOSER(param);
+ iscsi_check_proposer_for_optional_reply(param,
+ keys_workaround);
+@@ -1469,14 +1496,21 @@ int iscsi_encode_text_output(
+ }
+
+ list_for_each_entry(er, ¶m_list->extra_response_list, er_list) {
+- *length += sprintf(output_buf, "%s=%s", er->key, er->value);
+- *length += 1;
+- output_buf = textbuf + *length;
++ ret = iscsi_encode_text_record(textbuf, length, textbuf_size,
++ er->key, er->value);
++ if (ret < 0)
++ goto err_overflow;
+ pr_debug("Sending key: %s=%s\n", er->key, er->value);
+ }
+ iscsi_release_extra_responses(param_list);
+
+ return 0;
++
++err_overflow:
++ pr_err("iSCSI login response buffer (%u bytes) exhausted, dropping login.\n",
++ textbuf_size);
++ iscsi_release_extra_responses(param_list);
++ return -1;
+ }
+
+ int iscsi_check_negotiated_keys(struct iscsi_param_list *param_list)
+--- a/drivers/target/iscsi/iscsi_target_parameters.h
++++ b/drivers/target/iscsi/iscsi_target_parameters.h
+@@ -46,7 +46,7 @@ extern struct iscsi_param *iscsi_find_pa
+ extern int iscsi_extract_key_value(char *, char **, char **);
+ extern int iscsi_update_param_value(struct iscsi_param *, char *);
+ extern int iscsi_decode_text_input(u8, u8, char *, u32, struct iscsit_conn *);
+-extern int iscsi_encode_text_output(u8, u8, char *, u32 *,
++extern int iscsi_encode_text_output(u8, u8, char *, u32 *, u32,
+ struct iscsi_param_list *, bool);
+ extern int iscsi_check_negotiated_keys(struct iscsi_param_list *);
+ extern void iscsi_set_connection_parameters(struct iscsi_conn_ops *,
--- /dev/null
+From 85db7391310b1304d2dc8ae3b0b12105a9567147 Mon Sep 17 00:00:00 2001
+From: Alexandru Hossu <hossu.alexandru@gmail.com>
+Date: Thu, 21 May 2026 17:11:21 +0200
+Subject: scsi: target: iscsi: Validate CHAP_R length before base64 decode
+
+From: Alexandru Hossu <hossu.alexandru@gmail.com>
+
+commit 85db7391310b1304d2dc8ae3b0b12105a9567147 upstream.
+
+chap_server_compute_hash() allocates client_digest as
+kzalloc(chap->digest_size) and then, for BASE64-encoded responses,
+passes chap_r directly to chap_base64_decode() without checking whether
+the input length could produce more than digest_size bytes of output.
+
+chap_base64_decode() writes to the destination unconditionally as long
+as there is input to consume. With MAX_RESPONSE_LENGTH set to 128 and
+the "0b" prefix stripped by extract_param(), up to 127 base64 characters
+can reach the decoder. 127 characters decode to 95 bytes. For SHA-256
+(digest_size=32) this overflows client_digest by 63 bytes; for MD5
+(digest_size=16) the overflow is 79 bytes.
+
+The length check at line 344 fires after the write has already happened.
+
+The HEX branch in the same switch statement already validates the length
+up front. Apply the same approach to the BASE64 branch: strip trailing
+base64 padding characters, then reject any input whose data length
+exceeds DIV_ROUND_UP(digest_size * 4, 3) before calling the decoder.
+
+Stripping trailing '=' before the comparison handles both padded and
+unpadded encodings. chap_base64_decode() already returns early on '=',
+so the full original string is still passed to the decoder unchanged.
+
+The mutual CHAP path decodes CHAP_C into initiatorchg_binhex, which is
+kzalloc(CHAP_CHALLENGE_STR_LEN). extract_param() caps initiatorchg at
+CHAP_CHALLENGE_STR_LEN characters, so at most CHAP_CHALLENGE_STR_LEN-1
+base64 characters reach the decoder. The maximum decoded size,
+DIV_ROUND_UP((CHAP_CHALLENGE_STR_LEN-1) * 3, 4), is less than
+CHAP_CHALLENGE_STR_LEN, so no overflow is possible there. A comment is
+added at the call site to document this.
+
+Fixes: 1e5733883421 ("scsi: target: iscsi: Support base64 in CHAP")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
+Reviewed-by: David Disseldorp <ddiss@suse.de>
+Link: https://patch.msgid.link/20260521151121.808477-1-hossu.alexandru@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/iscsi/iscsi_target_auth.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target_auth.c
++++ b/drivers/target/iscsi/iscsi_target_auth.c
+@@ -339,13 +339,22 @@ static int chap_server_compute_hash(
+ goto out;
+ }
+ break;
+- case BASE64:
++ case BASE64: {
++ size_t r_len = strlen(chap_r);
++
++ while (r_len > 0 && chap_r[r_len - 1] == '=')
++ r_len--;
++ if (r_len > DIV_ROUND_UP(chap->digest_size * 4, 3)) {
++ pr_err("Malformed CHAP_R: base64 payload too long\n");
++ goto out;
++ }
+ if (chap_base64_decode(client_digest, chap_r, strlen(chap_r)) !=
+ chap->digest_size) {
+ pr_err("Malformed CHAP_R: invalid BASE64\n");
+ goto out;
+ }
+ break;
++ }
+ default:
+ pr_err("Could not find CHAP_R\n");
+ goto out;
+@@ -472,6 +481,14 @@ static int chap_server_compute_hash(
+ }
+ break;
+ case BASE64:
++ /*
++ * No overflow check needed: initiatorchg_binhex is
++ * CHAP_CHALLENGE_STR_LEN bytes and extract_param() caps
++ * initiatorchg at CHAP_CHALLENGE_STR_LEN characters, so
++ * the decoded output is at most DIV_ROUND_UP(
++ * (CHAP_CHALLENGE_STR_LEN - 1) * 3, 4) bytes, which is
++ * less than CHAP_CHALLENGE_STR_LEN.
++ */
+ initiatorchg_len = chap_base64_decode(initiatorchg_binhex,
+ initiatorchg,
+ strlen(initiatorchg));
--- /dev/null
+From ea66be25f0e934f49d24cd0c5845d13cdba3520b Mon Sep 17 00:00:00 2001
+From: Myeonghun Pak <mhun512@gmail.com>
+Date: Tue, 12 May 2026 15:56:57 +0900
+Subject: serial: altera_jtaguart: handle uart_add_one_port() failures
+
+From: Myeonghun Pak <mhun512@gmail.com>
+
+commit ea66be25f0e934f49d24cd0c5845d13cdba3520b upstream.
+
+altera_jtaguart_probe() maps the register window before registering the
+UART port, but it ignores failures from uart_add_one_port(). If port
+registration fails, probe still returns success and the mapping remains
+live until a later remove path that is not part of probe failure cleanup.
+
+Return the uart_add_one_port() error and unmap the register window on
+that failure path.
+
+This issue was identified during our ongoing static-analysis research while
+reviewing kernel code.
+
+Fixes: 5bcd601049c6 ("serial: Add driver for the Altera JTAG UART")
+Cc: stable <stable@kernel.org>
+Co-developed-by: Ijae Kim <ae878000@gmail.com>
+Signed-off-by: Ijae Kim <ae878000@gmail.com>
+Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
+Link: https://patch.msgid.link/20260512065837.79528-1-mhun512@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/altera_jtaguart.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/altera_jtaguart.c
++++ b/drivers/tty/serial/altera_jtaguart.c
+@@ -381,6 +381,7 @@ static int altera_jtaguart_probe(struct
+ struct resource *res_mem;
+ int i = pdev->id;
+ int irq;
++ int ret;
+
+ /* -1 emphasizes that the platform must have one port, no .N suffix */
+ if (i == -1)
+@@ -420,7 +421,11 @@ static int altera_jtaguart_probe(struct
+ port->flags = UPF_BOOT_AUTOCONF;
+ port->dev = &pdev->dev;
+
+- uart_add_one_port(&altera_jtaguart_driver, port);
++ ret = uart_add_one_port(&altera_jtaguart_driver, port);
++ if (ret) {
++ iounmap(port->membase);
++ return ret;
++ }
+
+ return 0;
+ }
--- /dev/null
+From ca904f4b42355287bc5ce8b7550ebe909cda4c2c Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Wed, 6 May 2026 23:42:31 +0100
+Subject: serial: dz: Fix bootconsole message clobbering at chip reset
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit ca904f4b42355287bc5ce8b7550ebe909cda4c2c upstream.
+
+In the DZ interface as implemented by the DC7085 gate array the serial
+transmitters are double buffered, meaning that at the time a transmitter
+is ready to accept the next character there is one in the transmit shift
+register still being sent to the line. Issuing a master clear at this
+time causes this character to be lost, so wait an extra amount of time
+sufficient for the transmit shift register to drain at 9600bps, which is
+the baud rate setting used by the firmware console.
+
+Mind the specified 1.4us TRDY recovery time in the course and continue
+using iob() as the completion barrier, since the platforms involved use
+a write buffer that can delay and combine writes, and reorder them with
+respect to reads regardless of the MMIO locations accessed and we still
+lack a platform-independent handler for that.
+
+When called from dz_serial_console_init() this is too early for fsleep()
+to work and even before lpj has been calculated and therefore the delay
+is actually not sufficient for the transmitter to drain and is merely a
+placeholder now. This will be addressed in a follow-up change.
+
+Fixes: e6ee512f5a77 ("dz.c: Resource management")
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Cc: stable@vger.kernel.org # v2.6.25+
+Link: https://patch.msgid.link/alpine.DEB.2.21.2605062259080.46195@angie.orcam.me.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/dz.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/drivers/tty/serial/dz.c
++++ b/drivers/tty/serial/dz.c
+@@ -543,10 +543,31 @@ static int dz_encode_baud_rate(unsigned
+ static void dz_reset(struct dz_port *dport)
+ {
+ struct dz_mux *mux = dport->mux;
++ unsigned short tcr;
++ int loops = 10000;
+
+ if (mux->initialised)
+ return;
+
++ tcr = dz_in(dport, DZ_TCR);
++
++ /* Do not disturb any ongoing transmissions. */
++ if (dz_in(dport, DZ_CSR) & DZ_MSE) {
++ unsigned short csr, mask;
++
++ mask = tcr;
++ while ((mask & DZ_LNENB) && loops--) {
++ csr = dz_in(dport, DZ_CSR);
++ if (!(csr & DZ_TRDY))
++ continue;
++ mask &= ~(1 << ((csr & DZ_TLINE) >> 8));
++ dz_out(dport, DZ_TCR, mask);
++ iob();
++ udelay(2); /* 1.4us TRDY recovery. */
++ }
++ udelay(1200); /* Transmitter drain. */
++ }
++
+ dz_out(dport, DZ_CSR, DZ_CLR);
+ while (dz_in(dport, DZ_CSR) & DZ_CLR);
+ iob();
--- /dev/null
+From 9a9254c4a2a3ca2b3da16d173f3b0dd01f397ff6 Mon Sep 17 00:00:00 2001
+From: Shitalkumar Gandhi <shital.gandhi45@gmail.com>
+Date: Mon, 20 Apr 2026 19:29:03 +0530
+Subject: serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma
+
+From: Shitalkumar Gandhi <shital.gandhi45@gmail.com>
+
+commit 9a9254c4a2a3ca2b3da16d173f3b0dd01f397ff6 upstream.
+
+lpuart_start_rx_dma() allocates sport->rx_ring.buf with kzalloc() and
+then maps a scatterlist via dma_map_sg(). On three subsequent error
+paths the function returns directly without releasing those resources:
+
+ - when dma_map_sg() returns 0 (-EINVAL):
+ ring->buf is leaked.
+ - when dmaengine_slave_config() fails:
+ ring->buf and the DMA mapping are leaked.
+ - when dmaengine_prep_dma_cyclic() returns NULL:
+ ring->buf and the DMA mapping are leaked.
+
+The sole cleanup path, lpuart_dma_rx_free(), is only reached when
+lpuart_dma_rx_use is set, and the caller lpuart_rx_dma_startup() clears
+that flag on failure of lpuart_start_rx_dma(). So these resources are
+permanently leaked on every failure in this function. Repeated port
+open/close or termios changes under error conditions will slowly consume
+memory and leave stale streaming DMA mappings behind.
+
+Fix it by introducing two error labels that unmap the scatterlist and
+free the ring buffer as appropriate. While here, replace the misleading
+-EFAULT (bad userspace pointer) returned when dmaengine_prep_dma_cyclic()
+fails with the more accurate -ENOMEM, matching how other dmaengine users
+in the tree treat this failure.
+
+No functional change on the success path.
+
+Fixes: 5887ad43ee02 ("tty: serial: fsl_lpuart: Use cyclic DMA for Rx")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Shitalkumar Gandhi <shitalkumar.gandhi@cambiumnetworks.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://patch.msgid.link/20260420135903.2062024-1-shitalkumar.gandhi@cambiumnetworks.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/fsl_lpuart.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -1383,7 +1383,8 @@ static inline int lpuart_start_rx_dma(st
+
+ if (!nent) {
+ dev_err(sport->port.dev, "DMA Rx mapping error\n");
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_free_buf;
+ }
+
+ dma_rx_sconfig.src_addr = lpuart_dma_datareg_addr(sport);
+@@ -1395,7 +1396,7 @@ static inline int lpuart_start_rx_dma(st
+ if (ret < 0) {
+ dev_err(sport->port.dev,
+ "DMA Rx slave config failed, err = %d\n", ret);
+- return ret;
++ goto err_unmap_sg;
+ }
+
+ sport->dma_rx_desc = dmaengine_prep_dma_cyclic(chan,
+@@ -1406,7 +1407,8 @@ static inline int lpuart_start_rx_dma(st
+ DMA_PREP_INTERRUPT);
+ if (!sport->dma_rx_desc) {
+ dev_err(sport->port.dev, "Cannot prepare cyclic DMA\n");
+- return -EFAULT;
++ ret = -ENOMEM;
++ goto err_unmap_sg;
+ }
+
+ sport->dma_rx_desc->callback = lpuart_dma_rx_complete;
+@@ -1430,6 +1432,13 @@ static inline int lpuart_start_rx_dma(st
+ }
+
+ return 0;
++
++err_unmap_sg:
++ dma_unmap_sg(chan->device->dev, &sport->rx_sgl, 1, DMA_FROM_DEVICE);
++err_free_buf:
++ kfree(ring->buf);
++ ring->buf = NULL;
++ return ret;
+ }
+
+ static void lpuart_dma_rx_free(struct uart_port *port)
--- /dev/null
+From ca2584d841b69391ffc4144840563d2e1a0018df Mon Sep 17 00:00:00 2001
+From: Prasanna S <prasanna.s@oss.qualcomm.com>
+Date: Tue, 28 Apr 2026 09:56:13 +0530
+Subject: serial: qcom-geni: fix UART_RX_PAR_EN bit position
+
+From: Prasanna S <prasanna.s@oss.qualcomm.com>
+
+commit ca2584d841b69391ffc4144840563d2e1a0018df upstream.
+
+UART_RX_PAR_EN is incorrectly defined as bit 3, which triggers false
+framing errors (S_GP_IRQ_1_EN) and causes received data to be dropped
+when parity is enabled and the parity bit is 0.
+
+Define UART_RX_PAR_EN as bit 4 of the SE_UART_RX_TRANS_CFG register, as
+specified in the reference manual.
+
+Fixes: c4f528795d1a ("tty: serial: msm_geni_serial: Add serial driver support for GENI based QUP")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Prasanna S <prasanna.s@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260428-serial-bit-correct-v1-1-9131ad5b97d8@oss.qualcomm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/qcom_geni_serial.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/qcom_geni_serial.c
++++ b/drivers/tty/serial/qcom_geni_serial.c
+@@ -46,7 +46,7 @@
+ #define TX_STOP_BIT_LEN_2 2
+
+ /* SE_UART_RX_TRANS_CFG */
+-#define UART_RX_PAR_EN BIT(3)
++#define UART_RX_PAR_EN BIT(4)
+
+ /* SE_UART_RX_WORD_LEN */
+ #define RX_WORD_LEN_MASK GENMASK(9, 0)
--- /dev/null
+From 92b1ea22454b08a39baef3a7290fb3ec50366616 Mon Sep 17 00:00:00 2001
+From: Hongling Zeng <zenghongling@kylinos.cn>
+Date: Tue, 21 Apr 2026 14:57:37 +0800
+Subject: serial: sh-sci: fix memory region release in error path
+
+From: Hongling Zeng <zenghongling@kylinos.cn>
+
+commit 92b1ea22454b08a39baef3a7290fb3ec50366616 upstream.
+
+The sci_request_port() function uses request_mem_region() to reserve
+I/O memory, but in the error path when sci_remap_port() fails, it
+incorrectly calls release_resource() instead of release_mem_region().
+
+This mismatch can cause resource accounting issues. Fix it by using
+the correct release function, consistent with sci_release_port().
+
+Fixes: e2651647080930a1 ("serial: sh-sci: Handle port memory region reservations.")
+Cc: stable <stable@kernel.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <error27@gmail.com>
+Closes: https://lore.kernel.org/r/202604032356.SzEjYkBC-lkp@intel.com/
+Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/20260421065737.724187-1-zenghongling@kylinos.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/sh-sci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -2818,7 +2818,7 @@ static int sci_request_port(struct uart_
+
+ ret = sci_remap_port(port);
+ if (unlikely(ret != 0)) {
+- release_resource(res);
++ release_mem_region(port->mapbase, sport->reg_size);
+ return ret;
+ }
+
--- /dev/null
+From 6c05cf72e13314ce9b770b5951695dc5a2152920 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Wed, 6 May 2026 23:42:39 +0100
+Subject: serial: zs: Fix bootconsole handover lockup
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit 6c05cf72e13314ce9b770b5951695dc5a2152920 upstream.
+
+Calling zs_reset() in the course of setting up the serial device causes
+line parameters to be reset and the transmitter disabled. We've been
+lucky in that no message is usually produced to the kernel log between
+this call and the later call to uart_set_options() in the course of
+console setup done by zs_serial_console_init(), or the system would hang
+as the console output handler in the firmware tried to access a port the
+transmitter of which has been disabled and line parameters messed up.
+
+This will change with the next change to the driver, so fix zs_reset()
+such that line parameters are set for 9600n8 console operation as with
+the system firmware and the transmitter re-enabled after reset. This
+also means zs_pm() serves no purpose anymore, so drop it.
+
+Fixes: 8b4a40809e53 ("zs: move to the serial subsystem")
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Cc: stable@vger.kernel.org # v2.6.23+
+Link: https://patch.msgid.link/alpine.DEB.2.21.2605062308040.46195@angie.orcam.me.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/zs.c | 29 ++++++++---------------------
+ 1 file changed, 8 insertions(+), 21 deletions(-)
+
+--- a/drivers/tty/serial/zs.c
++++ b/drivers/tty/serial/zs.c
+@@ -105,18 +105,24 @@ struct zs_parms {
+
+ static struct zs_scc zs_sccs[ZS_NUM_SCCS];
+
++/*
++ * Set parameters in WR5, WR12, WR13 such as not to interfere
++ * with the initial PROM-based console. Otherwise any output
++ * produced before the console handover would cause the system
++ * firmware to hang (TxENAB) or produce rubbish (Tx8, B9600).
++ */
+ static u8 zs_init_regs[ZS_NUM_REGS] __initdata = {
+ 0, /* write 0 */
+ PAR_SPEC, /* write 1 */
+ 0, /* write 2 */
+ 0, /* write 3 */
+ X16CLK | SB1, /* write 4 */
+- 0, /* write 5 */
++ Tx8 | TxENAB, /* write 5 */
+ 0, 0, 0, /* write 6, 7, 8 */
+ MIE | DLC | NV, /* write 9 */
+ NRZ, /* write 10 */
+ TCBR | RCBR, /* write 11 */
+- 0, 0, /* BRG time constant, write 12 + 13 */
++ 0x16, 0x00, /* BRG time constant, write 12 + 13 */
+ BRSRC | BRENABL, /* write 14 */
+ 0, /* write 15 */
+ };
+@@ -955,23 +961,6 @@ static void zs_set_termios(struct uart_p
+ spin_unlock_irqrestore(&scc->zlock, flags);
+ }
+
+-/*
+- * Hack alert!
+- * Required solely so that the initial PROM-based console
+- * works undisturbed in parallel with this one.
+- */
+-static void zs_pm(struct uart_port *uport, unsigned int state,
+- unsigned int oldstate)
+-{
+- struct zs_port *zport = to_zport(uport);
+-
+- if (state < 3)
+- zport->regs[5] |= TxENAB;
+- else
+- zport->regs[5] &= ~TxENAB;
+- write_zsreg(zport, R5, zport->regs[5]);
+-}
+-
+
+ static const char *zs_type(struct uart_port *uport)
+ {
+@@ -1054,7 +1043,6 @@ static const struct uart_ops zs_ops = {
+ .startup = zs_startup,
+ .shutdown = zs_shutdown,
+ .set_termios = zs_set_termios,
+- .pm = zs_pm,
+ .type = zs_type,
+ .release_port = zs_release_port,
+ .request_port = zs_request_port,
+@@ -1209,7 +1197,6 @@ static int __init zs_console_setup(struc
+ return ret;
+
+ zs_reset(zport);
+- zs_pm(uport, 0, -1);
+
+ if (options)
+ uart_parse_options(options, &baud, &parity, &bits, &flow);
--- /dev/null
+From d15cd40cb1858f75846eaafa9a6bca841b790a92 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Fri, 10 Apr 2026 18:19:31 +0100
+Subject: serial: zs: Fix swapped RI/DSR modem line transition counting
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit d15cd40cb1858f75846eaafa9a6bca841b790a92 upstream.
+
+Fix a thinko in the status interrupt handler that has caused counters
+for the RI and DSR modem line transitions to be used for the other line
+each.
+
+Fixes: 8b4a40809e53 ("zs: move to the serial subsystem")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Link: https://patch.msgid.link/alpine.DEB.2.21.2604101747110.29980@angie.orcam.me.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/zs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/zs.c
++++ b/drivers/tty/serial/zs.c
+@@ -679,9 +679,9 @@ static void zs_status_handle(struct zs_p
+ uart_handle_dcd_change(uport,
+ zport->mctrl & TIOCM_CAR);
+ if (delta & TIOCM_RNG)
+- uport->icount.dsr++;
+- if (delta & TIOCM_DSR)
+ uport->icount.rng++;
++ if (delta & TIOCM_DSR)
++ uport->icount.dsr++;
+
+ if (delta)
+ wake_up_interruptible(&uport->state->port.delta_msr_wait);
--- /dev/null
+From 8572955630f30948837088aa98bcbe0532d1ceac Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Wed, 6 May 2026 23:42:43 +0100
+Subject: serial: zs: Switch to using channel reset
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit 8572955630f30948837088aa98bcbe0532d1ceac upstream.
+
+Switch the driver to using the channel reset rather than hardware reset,
+simplifying handling by removing an interference between channels that
+causes the other channel to become uninitialised afterwards.
+
+There is little difference between the two kinds of reset in terms of
+register settings that result, and we initialise the whole register set
+right away anyway. However this prevents a hang from happening should
+the console output handler in the firmware try to access the other port
+whose transmitter has been disabled and line parameters messed up.
+
+For example this will happen if the keyboard port (port A) is chosen for
+the system console, unusually but not insanely for a headless system, as
+the port is wired to a standard DA-15 connector and an adapter can be
+easily made. Or with the next change in place this would happen for the
+regular console port (port B), since the keyboard port (port A) will be
+initialised first.
+
+Just remove the unnecessary complication then, a channel reset is good
+enough. We still need the initialisation marker, now per channel rather
+than per SCC, as for the console port zs_reset() will be called twice:
+once early on via zs_serial_console_init() for the console setup only,
+and then again via zs_config_port() as the port is associated with a TTY
+device.
+
+Fixes: 8b4a40809e53 ("zs: move to the serial subsystem")
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Cc: stable@vger.kernel.org # v2.6.23+
+Link: https://patch.msgid.link/alpine.DEB.2.21.2605062323430.46195@angie.orcam.me.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/zs.c | 7 ++++---
+ drivers/tty/serial/zs.h | 2 +-
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/serial/zs.c
++++ b/drivers/tty/serial/zs.c
+@@ -831,21 +831,22 @@ static void zs_shutdown(struct uart_port
+
+ static void zs_reset(struct zs_port *zport)
+ {
++ struct zs_port *zport_a = &zport->scc->zport[ZS_CHAN_A];
+ struct zs_scc *scc = zport->scc;
+ int irq;
+ unsigned long flags;
+
+ spin_lock_irqsave(&scc->zlock, flags);
+ irq = !irqs_disabled_flags(flags);
+- if (!scc->initialised) {
++ if (!zport->initialised) {
+ /* Reset the pointer first, just in case... */
+ read_zsreg(zport, R0);
+ /* And let the current transmission finish. */
+ zs_line_drain(zport, irq);
+- write_zsreg(zport, R9, FHWRES);
++ write_zsreg(zport, R9, zport == zport_a ? CHRA : CHRB);
+ udelay(10);
+ write_zsreg(zport, R9, 0);
+- scc->initialised = 1;
++ zport->initialised = 1;
+ }
+ load_zsregs(zport, zport->regs, irq);
+ spin_unlock_irqrestore(&scc->zlock, flags);
+--- a/drivers/tty/serial/zs.h
++++ b/drivers/tty/serial/zs.h
+@@ -22,6 +22,7 @@
+ struct zs_port {
+ struct zs_scc *scc; /* Containing SCC. */
+ struct uart_port port; /* Underlying UART. */
++ int initialised; /* For the console port. */
+
+ int clk_mode; /* May be 1, 16, 32, or 64. */
+
+@@ -41,7 +42,6 @@ struct zs_scc {
+ struct zs_port zport[2];
+ spinlock_t zlock;
+ atomic_t irq_guard;
+- int initialised;
+ };
+
+ #endif /* __KERNEL__ */
asoc-qcom-q6asm-dai-close-stream-only-when-running.patch
asoc-qcom-q6asm-dai-do-not-set-stream-state-in-event-and-trigger-callbacks.patch
xfrm-esp-restore-combined-single-frag-length-gate.patch
+input-xpad-add-nova-2-lite-from-gamesir.patch
+input-xpad-add-support-for-asus-rog-raikiri-ii.patch
+ksmbd-oob-read-regression-in-smb_check_perm_dacl-ace-walk-loops.patch
+input-atmel_mxt_ts-fix-boundary-check-in-mxt_prepare_cfg_mem.patch
+input-synaptics-add-len2058-to-smbus-passlist-for-thinkpad-e490.patch
+comedi-comedi_test-fix-check-for-valid-scan_begin_src-in-waveform_ai_cmdtest.patch
+comedi-comedi_test-fix-limiting-of-convert_arg-in-waveform_ai_cmdtest.patch
+counter-fix-refcount-leak-in-counter_alloc-error-path.patch
+tty-serial-pch_uart-add-check-for-dma_alloc_coherent.patch
+usb-chipidea-core-convert-ci_role_switch-to-local-variable.patch
+usb-core-fix-up-interrupt-in-endpoints-with-bogus-wbytesperinterval.patch
+usb-quirks-add-no_lpm-for-lenovo-thinkpad-usb-c-dock-gen2-hub-controllers.patch
+usb-storage-add-quirks-for-pny-elite-portable-ssd.patch
+usbip-vudc-fix-use-after-free-bug-in-vudc_remove-due-to-race-condition.patch
+usb-usbtmc-check-urb-actual_length-for-interrupt-in-notifications.patch
+usb-usbtmc-reject-interrupt-endpoints-with-small-wmaxpacketsize.patch
+usb-typec-ucsi-don-t-update-power_supply-on-power-role-change-if-not-connected.patch
+usb-serial-option-add-meig-srm813q.patch
+usb-serial-option-add-missing-rsvd-5-flag-for-rolling-rw135r-gl.patch
+usb-serial-belkin_sa-validate-interrupt-status-length.patch
+usb-serial-cypress_m8-validate-interrupt-packet-headers.patch
+usb-serial-keyspan-fix-missing-indat-transfer-sanity-check.patch
+usb-serial-mxuport-fix-memory-corruption-with-small-endpoint.patch
+usb-serial-mct_u232-fix-missing-interrupt-in-transfer-sanity-check.patch
+usb-gadget-net2280-fix-double-free-in-probe-error-path.patch
+usb-gadget-f_hid-fix-device-reference-leak-in-hidg_alloc.patch
+usb-gadget-composite-fix-integer-underflow-in-webusb-get_url-handling.patch
+usb-gadget-dummy_hcd-reject-hub-port-requests-for-non-existent-ports.patch
+usb-gadget-f_fs-copy-only-received-bytes-on-short-ep0-read.patch
+thunderbolt-property-reject-u32-wrap-in-tb_property_entry_valid.patch
+thunderbolt-property-reject-dir_len-4-to-prevent-size_t-underflow.patch
+scsi-fcoe-reject-fip-descriptors-with-zero-fip_dlen-in-cvl-walker.patch
+scsi-scsi_transport_fc-widen-fpin-pname-walker-counter-to-u32.patch
+scsi-target-iscsi-bound-iscsi_encode_text_output-appends-to-rsp_buf.patch
+scsi-target-iscsi-validate-chap_r-length-before-base64-decode.patch
+drm-hyperv-validate-resolution_count-and-fix-win8-fallback.patch
+drm-hyperv-validate-vmbus-packet-size-in-receive-callback.patch
+drm-i915-fix-potential-uaf-in-ttm-object-purge.patch
+drm-amd-pm-si-disregard-vblank-time-when-no-displays-are-connected.patch
+serial-altera_jtaguart-handle-uart_add_one_port-failures.patch
+serial-qcom-geni-fix-uart_rx_par_en-bit-position.patch
+serial-sh-sci-fix-memory-region-release-in-error-path.patch
+serial-zs-fix-swapped-ri-dsr-modem-line-transition-counting.patch
+serial-fsl_lpuart-fix-rx-buffer-and-dma-map-leaks-in-start_rx_dma.patch
+drm-amdkfd-fix-null-pointer-bug-in-svm_range_set_attr.patch
+drm-amdkfd-fix-a-vulnerability-of-integer-overflow-in-kfd-debugger.patch
+drm-amdkfd-check-for-pdd-drm-file-first-in-criu-restore-path.patch
+serial-dz-fix-bootconsole-message-clobbering-at-chip-reset.patch
+serial-zs-fix-bootconsole-handover-lockup.patch
+serial-zs-switch-to-using-channel-reset.patch
--- /dev/null
+From de21b59c29e31c5108ddc04210631bbfab81b997 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Sun, 10 May 2026 19:16:57 -0400
+Subject: thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit de21b59c29e31c5108ddc04210631bbfab81b997 upstream.
+
+On the non-root path, __tb_property_parse_dir() takes dir_len from
+entry->length (u16 widened to size_t). Two distinct OOB conditions
+follow when entry->length < 4:
+
+1. The non-root path begins with kmemdup(&block[dir_offset],
+ sizeof(*dir->uuid), ...) which always reads 4 dwords from
+ dir_offset. tb_property_entry_valid() only enforces
+ dir_offset + entry->length <= block_len, so a crafted entry
+ with dir_offset close to the end of the property block and
+ entry->length in 0..3 passes that gate but lets the UUID copy
+ run off the block (e.g. dir_offset = 497, dir_len = 3 in a
+ 500-dword block reads block[497..501]).
+
+2. After the kmemdup, content_len = dir_len - 4 underflows size_t
+ to ~SIZE_MAX, nentries becomes SIZE_MAX / 4, and the entry
+ walk runs OOB on each iteration until an entry fails
+ validation or the kernel oopses on an unmapped page.
+
+Reject dir_len < 4 on the non-root path *before* the UUID kmemdup,
+which closes both holes.
+
+Also move INIT_LIST_HEAD(&dir->properties) up to immediately after
+the dir allocation so the new error-return path (and the existing
+uuid-alloc failure path) calling tb_property_free_dir() sees a
+walkable list rather than the zero-initialized NULL next/prev that
+list_for_each_entry_safe() would oops on.
+
+Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-6
+Assisted-by: Codex:gpt-5-4
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thunderbolt/property.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/thunderbolt/property.c
++++ b/drivers/thunderbolt/property.c
+@@ -174,10 +174,16 @@ static struct tb_property_dir *__tb_prop
+ if (!dir)
+ return NULL;
+
++ INIT_LIST_HEAD(&dir->properties);
++
+ if (is_root) {
+ content_offset = dir_offset + 2;
+ content_len = dir_len;
+ } else {
++ if (dir_len < 4) {
++ tb_property_free_dir(dir);
++ return NULL;
++ }
+ dir->uuid = kmemdup(&block[dir_offset], sizeof(*dir->uuid),
+ GFP_KERNEL);
+ if (!dir->uuid) {
+@@ -191,8 +197,6 @@ static struct tb_property_dir *__tb_prop
+ entries = (const struct tb_property_entry *)&block[content_offset];
+ nentries = content_len / (sizeof(*entries) / 4);
+
+- INIT_LIST_HEAD(&dir->properties);
+-
+ for (i = 0; i < nentries; i++) {
+ struct tb_property *property;
+
--- /dev/null
+From 01deda0152066c6c955f0619114ea6afa070aaec Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Sun, 10 May 2026 19:16:56 -0400
+Subject: thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 01deda0152066c6c955f0619114ea6afa070aaec upstream.
+
+entry->value is u32 and entry->length is u16; the sum is performed in
+u32 and wraps. A malicious XDomain peer can pick
+value = 0xffffff00, length = 0x100 so the sum 0x100000000 wraps to 0
+and passes the > block_len check. tb_property_parse() then passes
+entry->value to parse_dwdata() as a dword offset into the property
+block, reading attacker-directed memory far past the allocation.
+
+For TEXT-typed entries with the "deviceid" or "vendorid" keys this
+lands in xd->device_name / xd->vendor_name and is readable back via
+the per-XDomain device_name / vendor_name sysfs attributes; the leak
+is NUL-bounded (kstrdup() stops at the first zero byte) and
+untargeted (the attacker picks a delta, not an absolute address).
+DATA-typed entries are parsed into property->value.data but not
+generically surfaced to userspace.
+
+Use check_add_overflow() so a wrapped sum is rejected.
+
+Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-6
+Assisted-by: Codex:gpt-5-4
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thunderbolt/property.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/thunderbolt/property.c
++++ b/drivers/thunderbolt/property.c
+@@ -8,6 +8,7 @@
+ */
+
+ #include <linux/err.h>
++#include <linux/overflow.h>
+ #include <linux/slab.h>
+ #include <linux/string.h>
+ #include <linux/uuid.h>
+@@ -52,13 +53,16 @@ static inline void format_dwdata(void *d
+ static bool tb_property_entry_valid(const struct tb_property_entry *entry,
+ size_t block_len)
+ {
++ u32 end;
++
+ switch (entry->type) {
+ case TB_PROPERTY_TYPE_DIRECTORY:
+ case TB_PROPERTY_TYPE_DATA:
+ case TB_PROPERTY_TYPE_TEXT:
+ if (entry->length > block_len)
+ return false;
+- if (entry->value + entry->length > block_len)
++ if (check_add_overflow(entry->value, entry->length, &end) ||
++ end > block_len)
+ return false;
+ break;
+
--- /dev/null
+From 6fe472c1bbbe238e91141f7cabc1226e96a60d43 Mon Sep 17 00:00:00 2001
+From: Zhaoyang Yu <2426767509@qq.com>
+Date: Thu, 9 Apr 2026 13:41:58 +0800
+Subject: tty: serial: pch_uart: add check for dma_alloc_coherent()
+
+From: Zhaoyang Yu <2426767509@qq.com>
+
+commit 6fe472c1bbbe238e91141f7cabc1226e96a60d43 upstream.
+
+Add a check for dma_alloc_coherent() failure to prevent a potential
+NULL pointer dereference in dma_handle_rx(). Properly release DMA
+channels and the PCI device reference using a goto ladder if the
+allocation fails.
+
+Fixes: 3c6a483275f4 ("Serial: EG20T: add PCH_UART driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Zhaoyang Yu <2426767509@qq.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://patch.msgid.link/tencent_E328416B7CFD436F6029F2DF02AD7ED89C08@qq.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/pch_uart.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/serial/pch_uart.c
++++ b/drivers/tty/serial/pch_uart.c
+@@ -694,8 +694,7 @@ static void pch_request_dma(struct uart_
+ if (!chan) {
+ dev_err(priv->port.dev, "%s:dma_request_channel FAILS(Tx)\n",
+ __func__);
+- pci_dev_put(dma_dev);
+- return;
++ goto err_pci_get;
+ }
+ priv->chan_tx = chan;
+
+@@ -709,18 +708,26 @@ static void pch_request_dma(struct uart_
+ if (!chan) {
+ dev_err(priv->port.dev, "%s:dma_request_channel FAILS(Rx)\n",
+ __func__);
+- dma_release_channel(priv->chan_tx);
+- priv->chan_tx = NULL;
+- pci_dev_put(dma_dev);
+- return;
++ goto err_req_tx;
+ }
+
+ /* Get Consistent memory for DMA */
+ priv->rx_buf_virt = dma_alloc_coherent(port->dev, port->fifosize,
+ &priv->rx_buf_dma, GFP_KERNEL);
++ if (!priv->rx_buf_virt)
++ goto err_req_rx;
+ priv->chan_rx = chan;
+
+ pci_dev_put(dma_dev);
++ return;
++
++err_req_rx:
++ dma_release_channel(chan);
++err_req_tx:
++ dma_release_channel(priv->chan_tx);
++ priv->chan_tx = NULL;
++err_pci_get:
++ pci_dev_put(dma_dev);
+ }
+
+ static void pch_dma_rx_complete(void *arg)
--- /dev/null
+From 8f6aa392653e52a45858cff5c063df550028836b Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Mon, 27 Apr 2026 15:57:55 +0800
+Subject: usb: chipidea: core: convert ci_role_switch to local variable
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit 8f6aa392653e52a45858cff5c063df550028836b upstream.
+
+When a system contains multiple USB controllers, the global ci_role_switch
+variable may be overwritten by subsequent driver initialization code.
+
+This can cause issues in the following cases:
+ - The 2nd ci_hdrc_probe() sees ci_role_switch.fwnode as non-NULL even
+ though the "usb-role-switch" property is not present for the controller.
+ - When the ci_hdrc device is unbound and bound again, ci_role_switch
+ fwnode will not be reassigned, and the old value will be used instead.
+
+Convert ci_role_switch to a local variable to fix these issues.
+
+Fixes: 05559f10ed79 ("usb: chipidea: add role switch class support")
+Cc: stable <stable@kernel.org>
+Acked-by: Peter Chen <peter.chen@kernel.org>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Link: https://patch.msgid.link/20260427075755.3611217-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/chipidea/core.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -669,12 +669,6 @@ static enum ci_role ci_get_role(struct c
+ return role;
+ }
+
+-static struct usb_role_switch_desc ci_role_switch = {
+- .set = ci_usb_role_switch_set,
+- .get = ci_usb_role_switch_get,
+- .allow_userspace_control = true,
+-};
+-
+ static int ci_get_platdata(struct device *dev,
+ struct ci_hdrc_platform_data *platdata)
+ {
+@@ -801,9 +795,6 @@ static int ci_get_platdata(struct device
+ cable->connected = false;
+ }
+
+- if (device_property_read_bool(dev, "usb-role-switch"))
+- ci_role_switch.fwnode = dev->fwnode;
+-
+ platdata->pctl = devm_pinctrl_get(dev);
+ if (!IS_ERR(platdata->pctl)) {
+ struct pinctrl_state *p;
+@@ -1045,6 +1036,7 @@ ATTRIBUTE_GROUPS(ci);
+
+ static int ci_hdrc_probe(struct platform_device *pdev)
+ {
++ struct usb_role_switch_desc ci_role_switch = {};
+ struct device *dev = &pdev->dev;
+ struct ci_hdrc *ci;
+ struct resource *res;
+@@ -1191,7 +1183,11 @@ static int ci_hdrc_probe(struct platform
+ }
+ }
+
+- if (ci_role_switch.fwnode) {
++ if (device_property_read_bool(dev, "usb-role-switch")) {
++ ci_role_switch.set = ci_usb_role_switch_set;
++ ci_role_switch.get = ci_usb_role_switch_get;
++ ci_role_switch.allow_userspace_control = true;
++ ci_role_switch.fwnode = dev_fwnode(dev);
+ ci_role_switch.driver_data = ci;
+ ci->role_switch = usb_role_switch_register(dev,
+ &ci_role_switch);
--- /dev/null
+From 727d045d064b7c9a24db3bce9c0485a382cb768b Mon Sep 17 00:00:00 2001
+From: Michal Pecio <michal.pecio@gmail.com>
+Date: Mon, 18 May 2026 07:32:07 +0200
+Subject: usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval
+
+From: Michal Pecio <michal.pecio@gmail.com>
+
+commit 727d045d064b7c9a24db3bce9c0485a382cb768b upstream.
+
+Tao Xue found that some common devices violate USB 3.x section 9.6.7
+by reporting wBytesPerInterval lower than the size of packets they
+actually send. I confirmed that AX88179 may set it to 0 and RTL8153
+CDC configuration sets it to 8 but sends both 8 and 16 byte packets:
+
+S Ii:11:007:3 -115:128 16 <
+C Ii:11:007:3 0:128 8 = a1000000 01000000
+S Ii:11:007:3 -115:128 16 <
+C Ii:11:007:3 0:128 16 = a12a0000 01000800 00000000 00000000
+
+Most xHCI host controllers neglect interrupt bandwidth reservations
+and let such devices exceed theirs, some fail the URB with EOVERFLOW.
+
+Assume that wBytesPerInterval lower than wMaxPacketSize is bogus and
+increase it to the worst case maximum on interrupt IN endpoints. This
+solves xHCI problems and appears to have no other effect. Interrupt
+transfers are not limited to one interval and drivers submit URBs of
+class defined size without looking at wBytesPerInterval. Any multi-
+interval transfer is considered terminated by a packet shorter than
+wMaxPacketSize regardless of wBytesPerInterval - see USB3 8.10.3.
+
+Stay in spec on OUT endpoints and isochronous. No buggy devices are
+known and we don't want to risk sending more data than the device
+is prepared to handle or confusing isoc drivers regarding altsetting
+capacities guaranteed by the device itself. And don't complain when
+wMaxPacketSize <= wBytesPerInterval < wMaxPacketSize * (bMaxBurst+1)
+because enabling this seems to be the exact goal of the spec.
+
+Reported-and-tested-by: Tao Xue <xuetao09@huawei.com>
+Closes: https://lore.kernel.org/linux-usb/20260402021400.28853-1-xuetao09@huawei.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
+Link: https://patch.msgid.link/20260518073207.5b7d26e7.michal.pecio@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/config.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -165,7 +165,14 @@ static void usb_parse_ss_endpoint_compan
+ (desc->bMaxBurst + 1);
+ else
+ max_tx = 999999;
+- if (le16_to_cpu(desc->wBytesPerInterval) > max_tx) {
++ /*
++ * wBytesPerInterval > max_tx is bogus, but USB3 spec doesn't forbid the opposite.
++ * Experience shows that wBytesPerInterval < wMaxPacketSize on common interrupt IN
++ * endpoints is usually bogus too, and recent HCs enforce interrupt BW limits.
++ */
++ if (le16_to_cpu(desc->wBytesPerInterval) > max_tx ||
++ (le16_to_cpu(desc->wBytesPerInterval) < usb_endpoint_maxp(&ep->desc) &&
++ usb_endpoint_is_int_in(&ep->desc))) {
+ dev_notice(ddev, "%s endpoint with wBytesPerInterval of %d in "
+ "config %d interface %d altsetting %d ep %d: "
+ "setting to %d\n",
--- /dev/null
+From 6c5dbc104dadd79fc2923497c20bae759a18758c Mon Sep 17 00:00:00 2001
+From: Jeremy Erazo <mendozayt13@gmail.com>
+Date: Tue, 12 May 2026 16:05:30 +0000
+Subject: usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling
+
+From: Jeremy Erazo <mendozayt13@gmail.com>
+
+commit 6c5dbc104dadd79fc2923497c20bae759a18758c upstream.
+
+The WebUSB GET_URL handler in composite_setup() narrows
+landing_page_length to fit the host-supplied wLength using
+
+ landing_page_length = w_length
+ - WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_offset;
+
+If wLength is smaller than WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH the
+unsigned subtraction wraps, and the subsequent
+
+ memcpy(url_descriptor->URL,
+ cdev->landing_page + landing_page_offset,
+ landing_page_length - landing_page_offset);
+
+ends up copying close to UINT_MAX bytes from cdev->landing_page into
+cdev->req->buf. KASAN reports a slab-out-of-bounds in composite_setup
+on the kmalloc-2k gadget_info allocation, and FORTIFY_SOURCE traps the
+memcpy as a 4294967293-byte field-spanning write into
+url_descriptor->URL (size 252).
+
+A USB host can reach this from a single SETUP packet against any
+gadget that has webusb/use=1 and a landingPage configured.
+
+Handle the small-wLength case before the math: when the host requested
+fewer bytes than the URL descriptor header, only the header is
+meaningful and no URL bytes need to be copied. Setting
+landing_page_length to landing_page_offset makes the existing memcpy a
+no-op and leaves the descriptor returned to the host unchanged for all
+larger wLength values.
+
+Fixes: 93c473948c58 ("usb: gadget: add WebUSB landing page support")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Jeremy Erazo <mendozayt13@gmail.com>
+Link: https://patch.msgid.link/20260512160530.352318-1-mendozayt13@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/composite.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -2196,7 +2196,10 @@ unknown:
+ sizeof(url_descriptor->URL)
+ - WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_offset);
+
+- if (w_length < WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_length)
++ if (w_length < WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH)
++ landing_page_length = landing_page_offset;
++ else if (w_length <
++ WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_length)
+ landing_page_length = w_length
+ - WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_offset;
+
--- /dev/null
+From 7d9633528dd40e33964d2dc74a5abbf5c4d116ce Mon Sep 17 00:00:00 2001
+From: Seungjin Bae <eeodqql09@gmail.com>
+Date: Mon, 18 May 2026 19:43:14 -0400
+Subject: usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports
+
+From: Seungjin Bae <eeodqql09@gmail.com>
+
+commit 7d9633528dd40e33964d2dc74a5abbf5c4d116ce upstream.
+
+The `dummy_hub_control()` function handles USB hub class requests
+to the virtual root hub. The `GetPortStatus` case returns -EPIPE for
+requests with `wIndex != 1`, since the virtual root hub has only a
+single port. However, the `ClearPortFeature` and `SetPortFeature`
+cases lack the same check.
+
+Fix this by extending the `wIndex != 1` rejection to both cases,
+matching the existing behavior of `GetPortStatus`.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable <stable@kernel.org>
+Suggested-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
+Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://patch.msgid.link/20260518234314.1889396-1-eeodqql09@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/dummy_hcd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/gadget/udc/dummy_hcd.c
++++ b/drivers/usb/gadget/udc/dummy_hcd.c
+@@ -2132,6 +2132,8 @@ static int dummy_hub_control(
+ case ClearHubFeature:
+ break;
+ case ClearPortFeature:
++ if (wIndex != 1)
++ goto error;
+ switch (wValue) {
+ case USB_PORT_FEAT_SUSPEND:
+ if (hcd->speed == HCD_USB3) {
+@@ -2246,6 +2248,8 @@ static int dummy_hub_control(
+ retval = -EPIPE;
+ break;
+ case SetPortFeature:
++ if (wIndex != 1)
++ goto error;
+ switch (wValue) {
+ case USB_PORT_FEAT_LINK_STATE:
+ if (hcd->speed != HCD_USB3) {
--- /dev/null
+From 4e036c10e7f4df5d951c69cc3697bc8e209c6d02 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Sun, 19 Apr 2026 12:03:59 -0400
+Subject: usb: gadget: f_fs: copy only received bytes on short ep0 read
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 4e036c10e7f4df5d951c69cc3697bc8e209c6d02 upstream.
+
+ffs_ep0_read() allocates its control-OUT data buffer with
+kmalloc() (not kzalloc) at the Length value from the Setup
+packet, then copies that full len to userspace regardless of
+how many bytes were actually received:
+
+ data = kmalloc(len, GFP_KERNEL);
+ ...
+ ret = __ffs_ep0_queue_wait(ffs, data, len);
+ if ((ret > 0) && (copy_to_user(buf, data, len)))
+ ret = -EFAULT;
+
+__ffs_ep0_queue_wait() returns req->actual, which on a short
+control OUT transfer is strictly less than len. The
+copy_to_user() call still copies len bytes, so on a short OUT
+the last (len - ret) bytes of the kmalloc() buffer --
+uninitialised slab residue -- are delivered to the FunctionFS
+daemon.
+
+Short ep0 OUT completions are specified USB control-transfer
+behavior and are produced by in-tree UDCs:
+
+ * dwc2 continues on req->actual < req->length for ep0 DATA OUT
+ (short-not-ok is the only ep0-OUT stall path).
+ * aspeed_udc ends ep0 OUT on rx_len < ep->ep.maxpacket.
+ * renesas_usbf logs "ep0 short packet" and completes the
+ request.
+ * dwc3 stalls on short IN but not on short OUT.
+
+A short ep0 OUT is therefore not evidence of a broken UDC; it is
+a normal condition f_fs has to cope with. The sibling gadgetfs
+implementation in drivers/usb/gadget/legacy/inode.c already does
+this correctly via min(len, dev->req->actual) before
+copy_to_user(). This patch brings f_fs.c to the same safe
+pattern rather than trimming at a defensive layer.
+
+The bug is reached from the FunctionFS device node, which in
+real deployments is owned by the privileged gadget daemon
+(adbd, UMS, composite gadget services, etc.); it is not
+reachable from unprivileged userspace. Linux host stacks
+normally reject short-wLength control OUTs before they reach
+the gadget, so reproducing this required a build that
+bypasses that host-side check. With the bypass in place, a
+1-byte payload on a 64-byte Setup produces 63 bytes of
+non-canary slab residue in the daemon's read buffer.
+
+Fix by copying only ret (actually received) bytes to
+userspace.
+
+Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
+Cc: stable <stable@kernel.org>
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Link: https://patch.msgid.link/20260419160359.1577270-1-michael.bommarito@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -588,7 +588,7 @@ static ssize_t ffs_ep0_read(struct file
+
+ /* unlocks spinlock */
+ ret = __ffs_ep0_queue_wait(ffs, data, len);
+- if ((ret > 0) && (copy_to_user(buf, data, len)))
++ if ((ret > 0) && (copy_to_user(buf, data, ret)))
+ ret = -EFAULT;
+ goto done_mutex;
+
--- /dev/null
+From 4f88d65def6f3c90121601b4f62a4c967f3063a6 Mon Sep 17 00:00:00 2001
+From: Guangshuo Li <lgs201920130244@gmail.com>
+Date: Mon, 13 Apr 2026 22:21:19 +0800
+Subject: usb: gadget: f_hid: fix device reference leak in hidg_alloc()
+
+From: Guangshuo Li <lgs201920130244@gmail.com>
+
+commit 4f88d65def6f3c90121601b4f62a4c967f3063a6 upstream.
+
+hidg_alloc() initializes hidg->dev with device_initialize() before
+calling dev_set_name(). If dev_set_name() fails, the function currently
+jumps to err_unlock and returns without calling put_device().
+
+This leaves the device reference unbalanced and prevents hidg_release()
+from being called. Calling put_device() here is also safe, since
+hidg_release() only frees resources owned by hidg.
+
+The issue was identified by a static analysis tool I developed and
+confirmed by manual review.
+
+Route the dev_set_name() failure path through err_put_device so the
+device reference is dropped properly.
+
+Fixes: 89ff3dfac604 ("usb: gadget: f_hid: fix f_hidg lifetime vs cdev")
+Cc: stable <stable@kernel.org>
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
+Reviewed-by: Johan Hovold johan@kernel.org
+Link: https://patch.msgid.link/20260413142119.2977716-1-lgs201920130244@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_hid.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_hid.c
++++ b/drivers/usb/gadget/function/f_hid.c
+@@ -1282,7 +1282,7 @@ static struct usb_function *hidg_alloc(s
+ hidg->dev.devt = MKDEV(major, opts->minor);
+ ret = dev_set_name(&hidg->dev, "hidg%d", opts->minor);
+ if (ret)
+- goto err_unlock;
++ goto err_put_device;
+
+ hidg->bInterfaceSubClass = opts->subclass;
+ hidg->bInterfaceProtocol = opts->protocol;
+@@ -1317,7 +1317,6 @@ static struct usb_function *hidg_alloc(s
+
+ err_put_device:
+ put_device(&hidg->dev);
+-err_unlock:
+ mutex_unlock(&opts->lock);
+ return ERR_PTR(ret);
+ }
--- /dev/null
+From c8547c74988e0b5f4cbb1b895e2a57aae084f070 Mon Sep 17 00:00:00 2001
+From: Guangshuo Li <lgs201920130244@gmail.com>
+Date: Mon, 27 Apr 2026 23:36:51 +0800
+Subject: usb: gadget: net2280: Fix double free in probe error path
+
+From: Guangshuo Li <lgs201920130244@gmail.com>
+
+commit c8547c74988e0b5f4cbb1b895e2a57aae084f070 upstream.
+
+usb_initialize_gadget() installs gadget_release() as the release
+callback for the embedded gadget device. The struct net2280 instance is
+therefore released through gadget_release() when the gadget device's last
+reference is dropped.
+
+The probe error path calls net2280_remove(), which tears down the
+partially initialized device and drops the gadget reference with
+usb_put_gadget(). Calling kfree(dev) afterwards can free the same object
+again.
+
+Drop the explicit kfree() and let the gadget device release callback
+handle the final free. This issue was found by a static analysis tool
+I am developing.
+
+Fixes: f770fbec4165 ("USB: UDC: net2280: Fix memory leaks")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
+Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://patch.msgid.link/20260427153651.337846-1-lgs201920130244@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/net2280.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/udc/net2280.c
++++ b/drivers/usb/gadget/udc/net2280.c
+@@ -3790,10 +3790,8 @@ static int net2280_probe(struct pci_dev
+ return 0;
+
+ done:
+- if (dev) {
++ if (dev)
+ net2280_remove(pdev);
+- kfree(dev);
+- }
+ return retval;
+ }
+
--- /dev/null
+From 9ddb9c0deca48d2c2a22ebf4d2f35c925a520328 Mon Sep 17 00:00:00 2001
+From: "Stephen J. Fuhry" <fuhrysteve@gmail.com>
+Date: Wed, 13 May 2026 13:14:19 -0400
+Subject: USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers
+
+From: Stephen J. Fuhry <fuhrysteve@gmail.com>
+
+commit 9ddb9c0deca48d2c2a22ebf4d2f35c925a520328 upstream.
+
+The Lenovo ThinkPad USB-C Dock Gen2 (17ef:a391, 17ef:a392) hub
+controllers exhibit link instability when USB Link Power Management
+is enabled, similar to the dock's Ethernet adapter (17ef:a387) which
+already carries USB_QUIRK_NO_LPM.
+
+When the dock reconnects after a transient disconnect, the hub
+controllers enter LPM states between re-enumeration retries, causing
+repeated disconnect/reconnect cycles lasting up to two minutes.
+Disabling LPM for these devices restores stable enumeration.
+
+Signed-off-by: Stephen J. Fuhry <fuhrysteve@gmail.com>
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/20260513171419.44849-1-fuhrysteve@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/quirks.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -511,6 +511,10 @@ static const struct usb_device_id usb_qu
+ /* Lenovo ThinkPad USB-C Dock Gen2 Ethernet (RTL8153 GigE) */
+ { USB_DEVICE(0x17ef, 0xa387), .driver_info = USB_QUIRK_NO_LPM },
+
++ /* Lenovo ThinkPad USB-C Dock Gen2 USB 3.1 and USB 2.0 hub controllers */
++ { USB_DEVICE(0x17ef, 0xa391), .driver_info = USB_QUIRK_NO_LPM },
++ { USB_DEVICE(0x17ef, 0xa392), .driver_info = USB_QUIRK_NO_LPM },
++
+ /* BUILDWIN Photo Frame */
+ { USB_DEVICE(0x1908, 0x1315), .driver_info =
+ USB_QUIRK_HONOR_BNUMINTERFACES },
--- /dev/null
+From 4ce058df2ee02cc2a0f0fd5cd64ce6f1482a0b65 Mon Sep 17 00:00:00 2001
+From: Zhang Cen <rollkingzzc@gmail.com>
+Date: Tue, 19 May 2026 19:11:50 +0800
+Subject: USB: serial: belkin_sa: validate interrupt status length
+
+From: Zhang Cen <rollkingzzc@gmail.com>
+
+commit 4ce058df2ee02cc2a0f0fd5cd64ce6f1482a0b65 upstream.
+
+The Belkin interrupt callback treats interrupt data as a four-byte
+status report and reads LSR/MSR fields at offsets 2 and 3. The
+interrupt-in buffer length is derived from endpoint wMaxPacketSize, and
+short interrupt transfers may complete successfully with a smaller
+actual_length.
+
+Check the completed interrupt packet length before parsing status
+fields so short interrupt endpoints and short successful packets are
+ignored instead of causing out-of-bounds or stale status-byte reads.
+
+KASAN report as below:
+
+BUG: KASAN: slab-out-of-bounds in belkin_sa_read_int_callback()
+Read of size 1
+Call trace:
+ belkin_sa_read_int_callback() (drivers/usb/serial/belkin_sa.c:202)
+ __usb_hcd_giveback_urb() (drivers/usb/core/hcd.c:1630)
+ dummy_timer() (?:?)
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Assisted-by: Codex:gpt-5.5
+Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/belkin_sa.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/belkin_sa.c
++++ b/drivers/usb/serial/belkin_sa.c
+@@ -195,6 +195,9 @@ static void belkin_sa_read_int_callback(
+
+ usb_serial_debug_data(&port->dev, __func__, urb->actual_length, data);
+
++ if (urb->actual_length < BELKIN_SA_MSR_INDEX + 1)
++ goto exit;
++
+ /* Handle known interrupt data */
+ /* ignore data[0] and data[1] */
+
--- /dev/null
+From 9f9bfc80c67f35a275820da7e83a35dface08281 Mon Sep 17 00:00:00 2001
+From: Zhang Cen <rollkingzzc@gmail.com>
+Date: Fri, 22 May 2026 22:54:42 +0800
+Subject: USB: serial: cypress_m8: validate interrupt packet headers
+
+From: Zhang Cen <rollkingzzc@gmail.com>
+
+commit 9f9bfc80c67f35a275820da7e83a35dface08281 upstream.
+
+cypress_read_int_callback() parses the interrupt-in buffer according to
+the selected Cypress packet format. Format 1 has a two-byte status/count
+header and format 2 has a one-byte combined status/count header. The
+usb-serial core sizes the interrupt-in buffer from the endpoint
+descriptor's wMaxPacketSize, and successful interrupt transfers can
+complete short when URB_SHORT_NOT_OK is not set.
+
+Check that the completed packet contains the selected header before
+reading it. Malformed short reports are ignored and the interrupt URB is
+resubmitted through the existing retry path, preventing out-of-bounds
+header-byte reads.
+
+KASAN report as below:
+KASAN slab-out-of-bounds in cypress_read_int_callback+0x240/0x7f0
+Read of size 1
+Call trace:
+ cypress_read_int_callback() (drivers/usb/serial/cypress_m8.c:1009)
+ __usb_hcd_giveback_urb()
+ dummy_timer()
+
+Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
+Assisted-by: Codex:gpt-5.5
+Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
+Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
+Cc: stable@vger.kernel.org # 2.6.26
+[ johan: use constants in header length sanity checks ]
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/cypress_m8.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/cypress_m8.c
++++ b/drivers/usb/serial/cypress_m8.c
+@@ -1020,8 +1020,8 @@ static void cypress_read_int_callback(st
+ char tty_flag = TTY_NORMAL;
+ int bytes = 0;
+ int result;
+- int i = 0;
+ int status = urb->status;
++ int i;
+
+ switch (status) {
+ case 0: /* success */
+@@ -1059,22 +1059,32 @@ static void cypress_read_int_callback(st
+
+ spin_lock_irqsave(&priv->lock, flags);
+ result = urb->actual_length;
++ i = 0;
+ switch (priv->pkt_fmt) {
+ default:
+ case packet_format_1:
+ /* This is for the CY7C64013... */
++ if (result < 2)
++ break;
+ priv->current_status = data[0] & 0xF8;
+ bytes = data[1] + 2;
+ i = 2;
+ break;
+ case packet_format_2:
+ /* This is for the CY7C63743... */
++ if (result < 1)
++ break;
+ priv->current_status = data[0] & 0xF8;
+ bytes = (data[0] & 0x07) + 1;
+ i = 1;
+ break;
+ }
+ spin_unlock_irqrestore(&priv->lock, flags);
++ if (i == 0) {
++ dev_dbg(dev, "%s - short packet received: %d bytes\n",
++ __func__, result);
++ goto continue_read;
++ }
+ if (result < bytes) {
+ dev_dbg(dev,
+ "%s - wrong packet size - received %d bytes but packet said %d bytes\n",
--- /dev/null
+From ab8336a7e414f018430aa1af3a46944032f7ff96 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 20 May 2026 16:26:48 +0200
+Subject: USB: serial: keyspan: fix missing indat transfer sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ab8336a7e414f018430aa1af3a46944032f7ff96 upstream.
+
+Add the missing sanity check on the size of usa49wg indat transfers to
+avoid parsing stale or uninitialised slab data.
+
+Fixes: 0ca1268e109a ("USB Serial Keyspan: add support for USA-49WG & USA-28XG")
+Cc: stable@vger.kernel.org # 2.6.23
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/keyspan.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/keyspan.c
++++ b/drivers/usb/serial/keyspan.c
+@@ -1188,6 +1188,10 @@ static void usa49wg_indat_callback(struc
+ len = 0;
+
+ while (i < urb->actual_length) {
++ if (urb->actual_length - i < 3) {
++ dev_warn_ratelimited(&urb->dev->dev, "malformed indat packet\n");
++ break;
++ }
+
+ /* Check port number from message */
+ if (data[i] >= serial->num_ports) {
--- /dev/null
+From 245aba83e3c288e176ed037a1f6b618b09e92ed8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 20 May 2026 16:27:10 +0200
+Subject: USB: serial: mct_u232: fix missing interrupt-in transfer sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 245aba83e3c288e176ed037a1f6b618b09e92ed8 upstream.
+
+Add the missing sanity check on the size of interrupt-in transfers to
+avoid parsing stale or uninitialised slab data (and leaking it to user
+space).
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/mct_u232.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/serial/mct_u232.c
++++ b/drivers/usb/serial/mct_u232.c
+@@ -544,6 +544,11 @@ static void mct_u232_read_int_callback(s
+ goto exit;
+ }
+
++ if (urb->actual_length < 2) {
++ dev_warn_ratelimited(&port->dev, "short interrupt-in packet\n");
++ goto exit;
++ }
++
+ /*
+ * The interrupt-in pipe signals exceptional conditions (modem line
+ * signal changes and errors). data[0] holds MSR, data[1] holds LSR.
--- /dev/null
+From 4085f0dbb1ce2251c9a5938d693de6593f0ab2bd Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 22 May 2026 16:19:50 +0200
+Subject: USB: serial: mxuport: fix memory corruption with small endpoint
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 4085f0dbb1ce2251c9a5938d693de6593f0ab2bd upstream.
+
+Make sure that the bulk-out endpoint max packet size is at least eight
+bytes to avoid user-controlled slab corruption should a malicious device
+report a smaller size.
+
+Fixes: ee467a1f2066 ("USB: serial: add Moxa UPORT 12XX/14XX/16XX driver")
+Cc: stable@vger.kernel.org # 3.14
+Cc: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/mxuport.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/mxuport.c
++++ b/drivers/usb/serial/mxuport.c
+@@ -962,6 +962,14 @@ static int mxuport_calc_num_ports(struct
+ */
+ BUILD_BUG_ON(ARRAY_SIZE(epds->bulk_out) < 16);
+
++ /*
++ * The bulk-out buffers must be large enough for the four-byte header
++ * (and following data), but assume anything smaller than eight bytes
++ * is broken.
++ */
++ if (usb_endpoint_maxp(epds->bulk_out[0]) < 8)
++ return -EINVAL;
++
+ for (i = 1; i < num_ports; ++i)
+ epds->bulk_out[i] = epds->bulk_out[0];
+
--- /dev/null
+From 7d2b37d3e42d19071b62f4ddbee6e16e905efbf1 Mon Sep 17 00:00:00 2001
+From: Jan Volckaert <janvolck@gmail.com>
+Date: Sun, 17 May 2026 17:32:37 +0200
+Subject: USB: serial: option: add MeiG SRM813Q
+
+From: Jan Volckaert <janvolck@gmail.com>
+
+commit 7d2b37d3e42d19071b62f4ddbee6e16e905efbf1 upstream.
+
+Add support for the Qualcomm Technology Snapdragon X35-based MeiG
+SRM813Q module.
+
+The module can be put in different modes via AT commands to
+enable/disable GPS functionality:
+
+MODEM - PPP mode(2dee:4d63): AT+SER=1,1
+
+If#= 0: RMNET
+If#= 1: DIAG/ADB
+If#= 2: MODEM
+If#= 3: AT
+
+P: Vendor=2dee ProdID=4d63 Rev=05.15
+S: Manufacturer=MEIG
+S: Product=LTE-A Module
+S: SerialNumber=1bd51f0e
+C: #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+
+NMEA mode(2dee:4d64): AT+SER=51,1
+
+If#= 0: RMNET
+If#= 1: DIAG/ADB
+If#= 2: NMEA
+If#= 3: AT
+
+P: Vendor=2dee ProdID=4d64 Rev=05.15
+S: Manufacturer=MEIG
+S: Product=LTE-A Module
+S: SerialNumber=1bd51f0e
+C: #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+
+Signed-off-by: Jan Volckaert <janvolck@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -2450,6 +2450,12 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x30) }, /* MeiG Smart SRM825WN (Diag) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x40) }, /* MeiG Smart SRM825WN (AT) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x60) }, /* MeiG Smart SRM825WN (NMEA) */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d63, 0xff, 0xff, 0x30) }, /* MeiG SRM813Q (Diag) */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d63, 0xff, 0xff, 0x40) }, /* MeiG SRM813Q (AT) */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d64, 0xff, 0xff, 0x30) }, /* MeiG SRM813Q (Diag) */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d64, 0xff, 0xff, 0x40) }, /* MeiG SRM813Q (AT) */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d64, 0xff, 0xff, 0x60) }, /* MeiG SRM813Q (NMEA) */
++
+ { USB_DEVICE_INTERFACE_CLASS(0x2df3, 0x9d03, 0xff) }, /* LongSung M5710 */
+ { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1404, 0xff) }, /* GosunCn GM500 RNDIS */
+ { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1405, 0xff) }, /* GosunCn GM500 MBIM */
--- /dev/null
+From 689f2facc689c8add11d7ff69fbbad17d65ee596 Mon Sep 17 00:00:00 2001
+From: Wanquan Zhong <wanquan.zhong@fibocom.com>
+Date: Wed, 20 May 2026 19:32:45 +0800
+Subject: USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL
+
+From: Wanquan Zhong <wanquan.zhong@fibocom.com>
+
+commit 689f2facc689c8add11d7ff69fbbad17d65ee596 upstream.
+
+The RW135R-GL entry added in commit 01e8d0f74222 ("USB: serial: option:
+add support for Rolling Wireless RW135R-GL") was missing the
+.driver_info = RSVD(5) flag used by other Rolling Wireless MBIM laptop
+modules (e.g. RW135-GL and RW350-GL).
+
+Without this flag, the option driver incorrectly binds to the reserved
+ADB interface (If#5) in multi-interface USB modes, causing AT/MBIM
+communication failures after mode switching. This matches the handling
+of other Rolling Wireless MBIM devices.
+
+- VID:PID 33f8:1003, RW135R-GL for laptop debug M.2 cards (with MBIM
+ interface for Linux/Chrome OS)
+
+ 0x1003: mbim, diag, AT, pipe
+
+ Here are the outputs of usb-devices:
+
+T: Bus=03 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#= 8 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=33f8 ProdID=1003 Rev= 5.15
+S: Manufacturer=Rolling Wireless S.a.r.l.
+S: Product=Rolling RW135R-GL Module
+S: SerialNumber=12345678
+C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
+A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
+I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
+E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+- VID:PID 33f8:1003, RW135R-GL for laptop debug M.2 cards (with MBIM
+ interface for Linux/Chrome OS)
+
+ 0x1003: mbim, diag, AT, ADB, pipe
+
+ Here are the outputs of usb-devices:
+
+T: Bus=03 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#= 7 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=33f8 ProdID=1003 Rev= 5.15
+S: Manufacturer=Rolling Wireless S.a.r.l.
+S: Product=Rolling RW135R-GL Module
+S: SerialNumber=12345678
+C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
+I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
+E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+- VID:PID 33f8:1003, RW135R-GL for laptop debug M.2 cards (with MBIM
+ interface for Linux/Chrome OS)
+
+ 0x1003: mbim, pipe
+
+ Here are the outputs of usb-devices:
+
+T: Bus=03 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#= 9 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=33f8 ProdID=1003 Rev= 5.15
+S: Manufacturer=Rolling Wireless S.a.r.l.
+S: Product=Rolling RW135R-GL Module
+S: SerialNumber=12345678
+C:* #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=500mA
+A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
+I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
+E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Fixes: 01e8d0f74222 ("USB: serial: option: add support for Rolling Wireless RW135R-GL")
+Signed-off-by: Wanquan Zhong <wanquan.zhong@fibocom.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -2476,7 +2476,8 @@ static const struct usb_device_id option
+ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0302, 0xff) }, /* Rolling RW101R-GL (laptop MBIM) */
+ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0802, 0xff), /* Rolling RW350-GL (laptop MBIM) */
+ .driver_info = RSVD(5) },
+- { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x1003, 0xff) }, /* Rolling RW135R-GL (laptop MBIM) */
++ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x1003, 0xff), /* Rolling RW135R-GL (laptop MBIM) */
++ .driver_info = RSVD(5) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x30) }, /* NetPrisma LCUK54-WWD for Global */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0x00, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x40) },
--- /dev/null
+From b53ebb811e00be50a779ce4e7aee604178b4a825 Mon Sep 17 00:00:00 2001
+From: Sam Burkels <sam@1a38.nl>
+Date: Fri, 1 May 2026 15:23:46 +0200
+Subject: usb: storage: Add quirks for PNY Elite Portable SSD
+
+From: Sam Burkels <sam@1a38.nl>
+
+commit b53ebb811e00be50a779ce4e7aee604178b4a825 upstream.
+
+The PNY Elite Portable SSD (USB ID 154b:f009) is a sibling of the
+already-quirked PNY Pro Elite SSDs (154b:f00b and 154b:f00d). Like its
+siblings, it uses a Phison-based USB-SATA bridge that exhibits
+firmware bugs when bound to the uas driver.
+
+Without quirks, the device fails to complete READ CAPACITY commands
+when accessed over UAS on a SuperSpeed (USB 3) port. The device
+enumerates and reports as a SCSI direct-access device, but reports
+zero logical blocks and never finishes spin-up:
+
+ usb 2-3: new SuperSpeed USB device number 8 using xhci_hcd
+ usb 2-3: New USB device found, idVendor=154b, idProduct=f009
+ usb 2-3: Product: PNY ELITE PSSD
+ usb 2-3: Manufacturer: PNY
+ scsi host0: uas
+ scsi 0:0:0:0: Direct-Access PNY PNY ELITE PSSD 0
+ sd 0:0:0:0: [sda] Spinning up disk...
+ [...10+ seconds of polling, no progress...]
+ sd 0:0:0:0: [sda] Read Capacity(16) failed: hostbyte=DID_ERROR
+ sd 0:0:0:0: [sda] Read Capacity(10) failed: hostbyte=DID_ERROR
+ sd 0:0:0:0: [sda] 0 512-byte logical blocks: (0 B/0 B)
+
+Tested each individual quirk to find the minimum that fixes this:
+ - US_FL_NO_ATA_1X alone: device hangs on spin-up
+ - US_FL_NO_REPORT_OPCODES alone: works on USB 2.0, hangs on USB 3.0
+ - US_FL_NO_ATA_1X | US_FL_NO_REPORT_OPCODES: works on both
+
+With both quirks the device enumerates correctly while still using
+the uas driver, and delivers full UAS throughput (~281 MB/s
+sequential read on a USB 3.0 Gen 1 port).
+
+The existing PNY Pro Elite entries (f00b, f00d) only set NO_ATA_1X,
+but this device additionally chokes on REPORT OPCODES under
+SuperSpeed.
+
+Signed-off-by: Sam Burkels <sam@1a38.nl>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/20260501132346.86572-1-sam@1a38.nl
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/unusual_uas.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -132,6 +132,13 @@ UNUSUAL_DEV(0x152d, 0x0583, 0x0000, 0x99
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_NO_REPORT_OPCODES),
+
++/* Reported-by: Sam Burkels <sam@1a38.nl> */
++UNUSUAL_DEV(0x154b, 0xf009, 0x0000, 0x9999,
++ "PNY",
++ "PNY ELITE PSSD",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_NO_ATA_1X | US_FL_NO_REPORT_OPCODES),
++
+ /* Reported-by: Thinh Nguyen <thinhn@synopsys.com> */
+ UNUSUAL_DEV(0x154b, 0xf00b, 0x0000, 0x9999,
+ "PNY",
--- /dev/null
+From d98d413ca65d0790a8f3695d0a5845538958ab84 Mon Sep 17 00:00:00 2001
+From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
+Date: Tue, 19 May 2026 18:41:40 +0700
+Subject: usb: typec: ucsi: Don't update power_supply on power role change if not connected
+
+From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
+
+commit d98d413ca65d0790a8f3695d0a5845538958ab84 upstream.
+
+We only need to update the power_supply on power role change if the port
+is connected, because otherwise the online status should be the same for
+both cases.
+
+Cc: stable <stable@kernel.org>
+Fixes: 7616f006db07 ("usb: typec: ucsi: Update power_supply on power role change")
+Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
+Reported-and-tested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Link: https://patch.msgid.link/20260519-ucsi-fix-2-v1-2-6f1239535187@qtmlabs.xyz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/ucsi.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/ucsi/ucsi.c
++++ b/drivers/usb/typec/ucsi/ucsi.c
+@@ -910,7 +910,12 @@ static void ucsi_handle_connector_change
+
+ if (con->status.change & UCSI_CONSTAT_POWER_DIR_CHANGE) {
+ typec_set_pwr_role(con->port, role);
+- ucsi_port_psy_changed(con);
++
++ /* Some power_supply properties vary depending on the power direction when
++ * connected
++ */
++ if (UCSI_CONSTAT(con, CONNECTED))
++ ucsi_port_psy_changed(con);
+
+ /* Complete pending power role swap */
+ if (!completion_done(&con->complete))
--- /dev/null
+From 52f2ad3f7e5eb3b5908e1d685d4342519dc9cfcd Mon Sep 17 00:00:00 2001
+From: Heitor Alves de Siqueira <halves@igalia.com>
+Date: Tue, 5 May 2026 15:56:03 -0300
+Subject: usb: usbtmc: check URB actual_length for interrupt-IN notifications
+
+From: Heitor Alves de Siqueira <halves@igalia.com>
+
+commit 52f2ad3f7e5eb3b5908e1d685d4342519dc9cfcd upstream.
+
+USBTMC devices can use an optional interrupt endpoint for notification
+messages. These typically contain two-byte headers indicating the
+payload format, but the driver does not check if these headers are
+present before accessing the data buffers. In cases where the URB
+actual_length is not enough to fit these headers, the driver will either
+cause an out-of-bounds read, or consume stale leftover data from a
+previous notification.
+
+Fix by checking if actual_data contains enough bytes for the headers,
+otherwise resubmit URB to the interrupt endpoint.
+
+Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
+Reported-by: syzbot+abbfd103085885cf16a2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
+Cc: stable <stable@kernel.org>
+Suggested-by: Michal Pecio <michal.pecio@gmail.com>
+Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
+Link: https://patch.msgid.link/20260505-usbtmc-iin-size-v3-1-a36113f62db7@igalia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/usbtmc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/class/usbtmc.c
++++ b/drivers/usb/class/usbtmc.c
+@@ -2310,6 +2310,14 @@ static void usbtmc_interrupt(struct urb
+
+ switch (status) {
+ case 0: /* SUCCESS */
++ /* ensure at least two bytes of headers were transferred */
++ if (urb->actual_length < 2) {
++ dev_warn(dev,
++ "actual length %d not sufficient for interrupt headers\n",
++ urb->actual_length);
++ goto exit;
++ }
++
+ /* check for valid STB notification */
+ if (data->iin_buffer[0] > 0x81) {
+ data->bNotify1 = data->iin_buffer[0];
--- /dev/null
+From 121d2f682ba912b1427cddca7cf84840f41cc620 Mon Sep 17 00:00:00 2001
+From: Heitor Alves de Siqueira <halves@igalia.com>
+Date: Tue, 5 May 2026 15:56:04 -0300
+Subject: usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize
+
+From: Heitor Alves de Siqueira <halves@igalia.com>
+
+commit 121d2f682ba912b1427cddca7cf84840f41cc620 upstream.
+
+The USB488 subclass specification requires interrupt wMaxPacketSize to
+be 0x02, unless the device sends vendor-specific notifications.
+Endpoints that advertise less than 2 bytes for wMaxPacketSize are
+unlikely to work with the current driver, as URBs will not have enough
+space for interrupt headers. Considering that any notification URBs will
+be ignored by the driver, reject these endpoints early during probe.
+
+Fixes: 041370cce889 ("USB: usbtmc: refactor endpoint retrieval")
+Cc: stable <stable@kernel.org>
+Suggested-by: Michal Pecio <michal.pecio@gmail.com>
+Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
+Link: https://patch.msgid.link/20260505-usbtmc-iin-size-v3-2-a36113f62db7@igalia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/usbtmc.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/class/usbtmc.c
++++ b/drivers/usb/class/usbtmc.c
+@@ -2444,6 +2444,12 @@ static int usbtmc_probe(struct usb_inter
+ data->iin_ep = int_in->bEndpointAddress;
+ data->iin_wMaxPacketSize = usb_endpoint_maxp(int_in);
+ data->iin_interval = int_in->bInterval;
++ /* wMaxPacketSize should be 0x02 or more as per USB488 Table 22 */
++ if (iface_desc->desc.bInterfaceProtocol == 1 &&
++ data->iin_wMaxPacketSize < 2) {
++ retcode = -EINVAL;
++ goto err_put;
++ }
+ dev_dbg(&intf->dev, "Found Int in endpoint at %u\n",
+ data->iin_ep);
+ }
--- /dev/null
+From d96209626a29ea64666be98c30b30ac82e5f1be6 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Fri, 17 Apr 2026 12:35:52 -0400
+Subject: usbip: vudc: Fix use after free bug in vudc_remove due to race condition
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit d96209626a29ea64666be98c30b30ac82e5f1be6 upstream.
+
+This patch follows up Zheng Wang's 2023 report of a use-after-free in
+vudc_remove(). The original thread stalled on Shuah Khan's request for
+runtime testing of the unplug/unbind path. This patch supplies that
+testing and keeps Zheng's original fix shape.
+
+In vudc_probe(), v_init_timer() binds udc->tr_timer.timer to v_timer().
+usbip_sockfd_store() starts the timer via v_start_timer()/v_kick_timer().
+vudc_remove() can then free the containing struct vudc while the timer is
+still pending or executing.
+
+KASAN confirms the race on an unpatched x86_64 QEMU guest with
+CONFIG_KASAN=y, CONFIG_USBIP_VUDC=y, CONFIG_USB_ZERO=y, and a tight loop
+that repeatedly writes a socket fd to usbip_sockfd, closes the socket
+pair, and unbinds/rebinds usbip-vudc.0:
+
+ BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x8ba/0x8e0
+ Write of size 8 at addr ffff888001b80740 by task trigger_and_unb/239
+ Allocated by task 239:
+ vudc_probe+0x4d/0xaa0
+ Freed by task 239:
+ kfree+0x18f/0x520
+ device_release_driver_internal+0x388/0x540
+ unbind_store+0xd9/0x100
+
+This lands in the timer core rather than v_timer() itself because the
+embedded timer_list is being walked after its containing struct vudc has
+already been freed. The underlying lifetime bug is the same one Zheng
+reported.
+
+With v_stop_timer() called from vudc_remove() and the timer deleted
+synchronously, the same harness completed 5000 bind/unbind iterations
+with no KASAN report.
+
+Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
+Cc: stable <stable@kernel.org>
+Reported-by: Zheng Wang <zyytlz.wz@163.com>
+Closes: https://lore.kernel.org/linux-usb/20230317100954.2626573-1-zyytlz.wz@163.com/
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://patch.msgid.link/20260417163552.807548-1-michael.bommarito@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/vudc_dev.c | 1 +
+ drivers/usb/usbip/vudc_transfer.c | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/usbip/vudc_dev.c
++++ b/drivers/usb/usbip/vudc_dev.c
+@@ -632,6 +632,7 @@ int vudc_remove(struct platform_device *
+ {
+ struct vudc *udc = platform_get_drvdata(pdev);
+
++ v_stop_timer(udc);
+ usb_del_gadget_udc(&udc->gadget);
+ cleanup_vudc_hw(udc);
+ kfree(udc);
+--- a/drivers/usb/usbip/vudc_transfer.c
++++ b/drivers/usb/usbip/vudc_transfer.c
+@@ -490,7 +490,8 @@ void v_stop_timer(struct vudc *udc)
+ {
+ struct transfer_timer *t = &udc->tr_timer;
+
+- /* timer itself will take care of stopping */
++ /* Delete the timer synchronously before teardown frees udc. */
+ dev_dbg(&udc->pdev->dev, "timer stop");
++ timer_delete_sync(&t->timer);
+ t->state = VUDC_TR_STOPPED;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
