5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 4 Jun 2026 08:15:29 +0000 (10:15 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 4 Jun 2026 08:15:29 +0000 (10:15 +0200)
added patches:
bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch
iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch
input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch
input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch
usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch
usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch
usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch
usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch
usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch

queue-5.15/bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch [new file with mode: 0644]
queue-5.15/iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch [new file with mode: 0644]
queue-5.15/input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch [new file with mode: 0644]
queue-5.15/input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch [new file with mode: 0644]
queue-5.15/usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch [new file with mode: 0644]
queue-5.15/usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch [new file with mode: 0644]
queue-5.15/usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch [new file with mode: 0644]
queue-5.15/usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch [new file with mode: 0644]

diff --git a/queue-5.15/bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch b/queue-5.15/bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch
new file mode 100644 (file)
index 0000000..08fa9c6
--- /dev/null
@@ -0,0 +1,57 @@
+From 82855073c1081732656734b74d7d1d5e4cfd0da7 Mon Sep 17 00:00:00 2001
+From: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
+Date: Thu, 21 May 2026 13:25:47 +0800
+Subject: Bluetooth: btusb: Allow firmware re-download when version matches
+
+From: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
+
+commit 82855073c1081732656734b74d7d1d5e4cfd0da7 upstream.
+
+The Bluetooth host decides whether to download firmware by reading the
+controller firmware download completion flag and firmware version
+information.
+
+If a USB error occurs during the firmware download process (for example
+due to a USB disconnect), the download is aborted immediately. An
+incomplete firmware transfer does not cause the controller to set the
+download completion flag, but the firmware version information may be
+updated at an early stage of the download process.
+
+In this case, after USB reconnection, the host attempts to re-download
+the firmware because the download completion flag is not set. However,
+since the controller reports the same firmware version as the target
+firmware, the download is skipped. This ultimately results in the
+firmware not being properly updated on the controller.
+
+This change removes the restriction that skips firmware download when
+the versions are equal. It covers scenarios where the USB connection
+can be disconnected at any time and ensures that firmware download can
+be retriggered after USB reconnection, allowing the Bluetooth firmware
+to be correctly and completely updated.
+
+Fixes: 3267c884cefa ("Bluetooth: btusb: Add support for QCA ROME chipset family")
+Cc: stable@vger.kernel.org
+Signed-off-by: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btusb.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -3448,7 +3448,13 @@ static int btusb_setup_qca_load_rampatch
+                   "firmware rome 0x%x build 0x%x",
+                   rver_rom, rver_patch, ver_rom, ver_patch);
+-      if (rver_rom != ver_rom || rver_patch <= ver_patch) {
++      /* Allow rampatch when the patch version equals the firmware version.
++       * A firmware download may be aborted by a transient USB error (e.g.
++       * disconnect) after the controller updates version info but before
++       * completion.
++       * Allowing equal versions enables re-flashing during recovery.
++       */
++      if (rver_rom != ver_rom || rver_patch < ver_patch) {
+               bt_dev_err(hdev, "rampatch file version did not match with firmware");
+               err = -EINVAL;
+               goto done;
diff --git a/queue-5.15/iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch b/queue-5.15/iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch
new file mode 100644 (file)
index 0000000..043b0c1
--- /dev/null
@@ -0,0 +1,52 @@
+From c9d8e9adaa63150ef7e833480b799d0bab83a276 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 9 Apr 2026 15:40:48 +0200
+Subject: iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit c9d8e9adaa63150ef7e833480b799d0bab83a276 upstream.
+
+The tagged FIFO path declares iio_buff on the stack with __aligned(8)
+but no initializer, but there is a hole in the structure, which will
+then leak to userspace as ST_LSM6DSX_SAMPLE_SIZE bytes (6) will be
+copied, but the space between that and the timestamp are not
+initialized.
+
+Commit c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak
+issues") moved the untagged FIFO path to a kzalloc'd buffer in hw->scan,
+but for the tagged path it only added the alignment qualifier and not
+the initializer :(
+
+Fix this by just zero-initializing the structure on the stack.
+
+Cc: Lorenzo Bianconi <lorenzo@kernel.org>
+Cc: Jonathan Cameron <jic23@kernel.org>
+Cc: David Lechner <dlechner@baylibre.com>
+Cc: "Nuno Sá" <nuno.sa@analog.com>
+Cc: Andy Shevchenko <andy@kernel.org>
+Fixes: c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak issues")
+Cc: stable <stable@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
+@@ -585,7 +585,7 @@ int st_lsm6dsx_read_tagged_fifo(struct s
+        * must be passed a buffer that is aligned to 8 bytes so
+        * as to allow insertion of a naturally aligned timestamp.
+        */
+-      u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8);
++      u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8) = { };
+       u8 tag;
+       bool reset_ts = false;
+       int i, err, read_len;
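Review bot: The `= { }` on `iio_buff` is doing security work that the comment above it does not mention: per the commit message only ST_LSM6DSX_SAMPLE_SIZE bytes are filled before the buffer is pushed, so the bytes between the sample and the 8-byte-aligned timestamp slot would otherwise carry stack contents into userspace. Without that being written down, a later cleanup could drop the initialiser as redundant. Extend the existing alignment comment with a line such as `* Zero-initialised: only ST_LSM6DSX_SAMPLE_SIZE bytes are written per sample, so the padding before the timestamp must not leak stack data.` `st_lsm6dsx_read_tagged_fifo()` begins and ends outside this hunk.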
diff --git a/queue-5.15/input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch b/queue-5.15/input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch
new file mode 100644 (file)
index 0000000..33b71d4
--- /dev/null
@@ -0,0 +1,35 @@
+From dab48a7e74e6a394f3aa0461a2b1fb0c7b38fcb8 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Fri, 22 May 2026 10:54:04 +0200
+Subject: Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit dab48a7e74e6a394f3aa0461a2b1fb0c7b38fcb8 upstream.
+
+The input buffer size is pcu->max_in_size, but pcu->max_out_size is
+passed to usb_free_coherent().
+
+Change size to match the allocation size.
+
+Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20260522085412.45430-2-fourier.thomas@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/ims-pcu.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/misc/ims-pcu.c
++++ b/drivers/input/misc/ims-pcu.c
+@@ -1598,7 +1598,7 @@ static void ims_pcu_buffers_free(struct
+       usb_kill_urb(pcu->urb_in);
+       usb_free_urb(pcu->urb_in);
+-      usb_free_coherent(pcu->udev, pcu->max_out_size,
++      usb_free_coherent(pcu->udev, pcu->max_in_size,
+                         pcu->urb_in_buf, pcu->read_dma);
+       kfree(pcu->urb_out_buf);
diff --git a/queue-5.15/input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch b/queue-5.15/input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch
new file mode 100644 (file)
index 0000000..9736098
--- /dev/null
@@ -0,0 +1,61 @@
+From 2905281cbda52ec9df540113b35b835feb5fafd3 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 20 Apr 2026 18:00:27 +0200
+Subject: Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 2905281cbda52ec9df540113b35b835feb5fafd3 upstream.
+
+nexio_read_data() pulls data_len and x_len from a packed __be16 header
+in the device's interrupt packet and then walks packet->data[0..x_len)
+and packet->data[x_len..data_len) comparing each byte against a
+threshold.
+
+Both fields are 16-bit on the wire (max 65535).  The existing
+adjustments shave at most 0x100 / 0x80 off, so the loop bound can still
+reach roughly 0xfeff.  The URB transfer buffer for NEXIO is rept_size
+(1024) bytes from usb_alloc_coherent(), with the first 7 occupied by the
+packed header — so packet->data[] has 1017 valid bytes.  read_data()
+callbacks are not given urb->actual_length, and nothing else bounds the
+walk.
+
+A device that lies about its length can get a ~64 KiB out-of-bounds read
+past the coherent DMA allocation.  The first index whose byte exceeds
+NEXIO_THRESHOLD lands in begin_x / begin_y and from there into the
+reported touch coordinates, so adjacent kernel memory contents leak to
+userspace as ABS_X / ABS_Y events.  Far enough out, the read can also
+hit an unmapped page and fault.
+
+Fix this all by clamping data_len to the buffer's data[] capacity and
+x_len to data_len.
+
+Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Fixes: 5197424cdccc ("Input: usbtouchscreen - add NEXIO (or iNexio) support")
+Cc: stable <stable@kernel.org>
+Assisted-by: gkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://patch.msgid.link/2026042026-chlorine-epidermis-fd6d@gregkh
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/usbtouchscreen.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/input/touchscreen/usbtouchscreen.c
++++ b/drivers/input/touchscreen/usbtouchscreen.c
+@@ -1061,6 +1061,11 @@ static int nexio_read_data(struct usbtou
+       if (x_len > 0xff)
+               x_len -= 0x80;
++      if (data_len > usbtouch->data_size - sizeof(*packet))
++              data_len = usbtouch->data_size - sizeof(*packet);
++      if (x_len > data_len)
++              x_len = data_len;
++
+       /* send ACK */
+       ret = usb_submit_urb(priv->ack, GFP_ATOMIC);
+       if (ret)
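Review bot: The new clamp compares `data_len` with `usbtouch->data_size - sizeof(*packet)`, an unsigned `size_t` expression, so if `data_size` were ever smaller than the header the subtraction would wrap and the bound would silently become huge; the commit message says the NEXIO buffer is 1024 bytes, so this holds today, but that assumption is not stated at the clamp. A comment would pin it: `/* data_len/x_len are device-supplied; bound them by the data[] capacity of the rept_size URB buffer (assumed >= sizeof(*packet)). */`. If `data_len` is a signed int (its declaration is outside the hunk), the `>` is also evaluated unsigned, which is harmless after the 0x100/0x80 adjustments above but worth a `-Wsign-compare` look when this is backported further. `nexio_read_data()` begins and ends outside this hunk.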
index 94164aa04a705e6b6c4932cc75113006fe97e538..c614cc65a7c36ce7ad589126237825a8e59876cc 100644 (file)
@@ -1,3 +1,4 @@
+input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch
 net-sched-cls_fw-fix-null-dereference-of-old-filters.patch
 net-mctp-ensure-our-nlmsg-responses-are-initialised.patch
 net-sched-sch_sfb-replace-direct-dequeue-call-with-p.patch
@@ -52,3 +53,11 @@ rdma-rxe-fix-double-free-in-rxe_srq_from_init.patch-82
 phy-mscc-use-phy_id_match_vendor-to-minimize-phy-id-.patch
 phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch
 smb-client-fix-smbdirect_recv_io-leak-in-smbd_negoti.patch
+iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch
+usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch
+usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch
+usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch
+usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch
+usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch
+input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch
+bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch
diff --git a/queue-5.15/usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch b/queue-5.15/usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch
new file mode 100644 (file)
index 0000000..915d230
--- /dev/null
@@ -0,0 +1,49 @@
+From 438061ed1ad85e6743e2dce826671772d81089ec Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 22 May 2026 16:22:18 +0200
+Subject: USB: serial: safe_serial: fix memory corruption with small endpoint
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 438061ed1ad85e6743e2dce826671772d81089ec upstream.
+
+Make sure that the bulk-out buffer size is at least eight bytes to avoid
+user-controlled slab corruption in "safe" mode should a malicious device
+report a smaller size.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/safe_serial.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/usb/serial/safe_serial.c
++++ b/drivers/usb/serial/safe_serial.c
+@@ -259,6 +259,7 @@ static int safe_prepare_write_buffer(str
+ static int safe_startup(struct usb_serial *serial)
+ {
+       struct usb_interface_descriptor *desc;
++      int bulk_out_size;
+       if (serial->dev->descriptor.bDeviceClass != CDC_DEVICE_CLASS)
+               return -ENODEV;
+@@ -279,6 +280,16 @@ static int safe_startup(struct usb_seria
+       default:
+               return -EINVAL;
+       }
++
++      /*
++       * The bulk-out buffer needs to be large enough for the two-byte
++       * trailer in safe mode, but assume anything smaller than eight bytes
++       * is broken.
++       */
++      bulk_out_size = serial->port[0]->bulk_out_size;
++      if (bulk_out_size > 0 && bulk_out_size < 8)
++              return -EINVAL;
++
+       return 0;
+ }
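Review bot: The new `return -EINVAL` for an undersized bulk-out endpoint is silent, so a user whose device is refused sees only a failed probe with no hint that the descriptor is the reason. The earlier rejections in `safe_startup()` are silent too, but this one guards a memory-safety condition and is exactly the case a fuzzed or malicious descriptor would hit, so a log line is worth the cost: `dev_err(&serial->interface->dev, "bulk-out endpoint too small: %d bytes\n", bulk_out_size);` just before the return. The `bulk_out_size > 0 &&` clause presumably leaves the no-bulk-out case to the core's endpoint requirements; a short comment saying so would stop a reader from tightening it to `< 8` alone.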
diff --git a/queue-5.15/usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch b/queue-5.15/usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch
new file mode 100644 (file)
index 0000000..aa50e67
--- /dev/null
@@ -0,0 +1,35 @@
+From 8a18f896e667df491331371b55d4ad644dc51d60 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 13 May 2026 17:52:49 +0200
+Subject: usb: typec: altmodes/displayport: validate count before reading Status Update VDO
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 8a18f896e667df491331371b55d4ad644dc51d60 upstream.
+
+A broken/malicious device can send the incorrect count for a status
+update VDO, which will cause the kernel to read uninitialized stack data
+and send it off elsewhere.
+
+Fix this up by correctly verifying the count for the update object.
+
+Assisted-by: gkh_clanker_t1000
+Cc: stable <stable@kernel.org>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://patch.msgid.link/2026051350-reacquire-sculpture-4244@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/altmodes/displayport.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/typec/altmodes/displayport.c
++++ b/drivers/usb/typec/altmodes/displayport.c
+@@ -286,6 +286,8 @@ static int dp_altmode_vdm(struct typec_a
+                       dp->data.conf = 0;
+                       break;
+               case DP_CMD_STATUS_UPDATE:
++                      if (count < 2)
++                              break;
+                       dp->data.status = *vdo;
+                       ret = dp_altmode_status_update(dp);
+                       break;
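Review bot: The bare `2` in `if (count < 2)` is a magic number standing for "VDM header plus one Status Update VDO", and the same unexplained constant is used by the `DP_CMD_CONFIGURE` guard in the ucsi displayport patch later in this commit; neither hunk documents it. A one-line comment such as `/* Need the header plus one Status Update VDO */` would keep the intent from being lost when the bound is next edited. This path also drops the short VDM without a trace, unlike the UCSI variant which NAKs; a `dev_dbg()` noting the short message would help when debugging a misbehaving partner, though the handler's device pointer is not visible in the hunk. `dp_altmode_vdm()` begins and ends outside this hunk.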
diff --git a/queue-5.15/usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch b/queue-5.15/usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch
new file mode 100644 (file)
index 0000000..3a9235e
--- /dev/null
@@ -0,0 +1,54 @@
+From d7486952bf74e546ee3748fb14b2d07881fa6273 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 14 May 2026 19:10:06 +0200
+Subject: usb: typec: ucsi: ccg: reject firmware images without a ':' record header
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit d7486952bf74e546ee3748fb14b2d07881fa6273 upstream.
+
+do_flash() locates the first .cyacd record with
+
+       p = strnchr(fw->data, fw->size, ':');
+       while (p < eof) {
+               s = strnchr(p + 1, eof - p - 1, ':');
+               ...
+       }
+
+If the firmware image contains no ':' byte,  strnchr() returns NULL.
+NULL compares less than the valid kernel pointer eof, so the loop body
+runs and strnchr() is called with p + 1 == (void *)1 and a length of
+roughly (unsigned long)eof, causing a wonderful crash.
+
+The not_signed_fw fallthrough earlier in do_flash() and the chip-state
+branches in ccg_fw_update_needed() allow an unsigned blob to reach this
+loop, so a root user who can place a crafted file under /lib/firmware
+and write the do_flash sysfs attribute can trigger the oops.
+
+Bail out with -EINVAL when the initial strnchr() returns NULL.
+
+Assisted-by: gkh_clanker_t1000
+Cc: stable <stable@kernel.org>
+Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://patch.msgid.link/2026051405-posture-shrill-7884@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/ucsi_ccg.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/typec/ucsi/ucsi_ccg.c
++++ b/drivers/usb/typec/ucsi/ucsi_ccg.c
+@@ -1156,6 +1156,11 @@ not_signed_fw:
+        *****************************************************************/
+       p = strnchr(fw->data, fw->size, ':');
++      if (!p) {
++              dev_err(dev, "Bad FW format: no ':' record header found\n");
++              err = -EINVAL;
++              goto release_mem;
++      }
+       while (p < eof) {
+               s = strnchr(p + 1, eof - p - 1, ':');
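Review bot: The guard covers only the initial lookup; inside the loop `s = strnchr(p + 1, eof - p - 1, ':')` can likewise return NULL once the last record has no following ':', and if the body (outside this hunk) compares or subtracts `s` against `eof` the same NULL-ordering hazard reappears. If the loop does not already map a NULL `s` to `eof`, add `if (!s) s = eof;` directly after that call, or state at the loop head why NULL cannot occur there. Consider including `fw->size` in the new `dev_err()` so a truncated or wrong-type image is distinguishable from a malformed one in the log. `do_flash()` begins and ends outside this hunk.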
diff --git a/queue-5.15/usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch b/queue-5.15/usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch
new file mode 100644 (file)
index 0000000..bb164da
--- /dev/null
@@ -0,0 +1,43 @@
+From 167dd8d12226587ee554f520aed0256b7769cd5d Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 13 May 2026 17:52:54 +0200
+Subject: usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 167dd8d12226587ee554f520aed0256b7769cd5d upstream.
+
+ucsi_displayport_vdm() handles a DP_CMD_CONFIGURE by copying the first
+payload VDO from data[], but unlike the equivalent handler in
+altmodes/displayport.c it does not check that count covers a VDO beyond
+the header.  A header-only Configure VDM (count == 1) would read one u32
+past the caller's array.
+
+In the normal UCSI path the caller controls count, so this is hardening
+for non-standard delivery paths.  NAK and bail when no configuration VDO
+is present, matching the generic DP altmode driver's existing guard.
+
+Assisted-by: gkh_clanker_t1000
+Cc: Pooja Katiyar <pooja.katiyar@intel.com>
+Cc: Johan Hovold <johan@kernel.org>
+Cc: stable <stable@kernel.org>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://patch.msgid.link/2026051351-vividly-flattered-eb3d@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/displayport.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/typec/ucsi/displayport.c
++++ b/drivers/usb/typec/ucsi/displayport.c
+@@ -240,6 +240,10 @@ static int ucsi_displayport_vdm(struct t
+                               dp->header |= VDO_CMDT(CMDT_RSP_ACK);
+                       break;
+               case DP_CMD_CONFIGURE:
++                      if (count < 2) {
++                              dp->header |= VDO_CMDT(CMDT_RSP_NAK);
++                              break;
++                      }
+                       dp->data.conf = *data;
+                       if (ucsi_displayport_configure(dp)) {
+                               dp->header |= VDO_CMDT(CMDT_RSP_NAK);
diff --git a/queue-5.15/usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch b/queue-5.15/usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch
new file mode 100644 (file)
index 0000000..06ddc8f
--- /dev/null
@@ -0,0 +1,79 @@
+From 4af7ad0e6d7aa4403dbb1dac7b9659b0421efcaa Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 13 May 2026 17:52:48 +0200
+Subject: usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 4af7ad0e6d7aa4403dbb1dac7b9659b0421efcaa upstream.
+
+wcove_read_rx_buffer() copies the PD RX FIFO into the caller's
+struct pd_message with
+
+       for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++)
+               regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i);
+
+which has two problems:
+
+USBC_RXINFO_RXBYTES() is a 5-bit field (max 31) while struct pd_message
+is 30 bytes (__le16 header + __le32 payload[PD_MAX_PAYLOAD], packed).
+The byte count latched in RXINFO is the number of bytes the port partner
+put on the wire, so a malicious partner that transmits a 31-byte frame
+can drive the loop one byte past the destination if the WCOVE BMC
+receiver does not enforce the PD object-count limit in hardware. The
+existing FIXME flagged this as unverified.
+
+Independently, regmap_read() takes an unsigned int * and stores a full
+unsigned int at the destination. Passing the byte pointer msg + i means
+each iteration writes four bytes; the high three are zero (val_bits is
+8) and are normally overwritten by the next iteration, but the final
+iteration's high bytes are not. With RXBYTES == 30 the i == 29 iteration
+already writes three zero bytes past msg, which sits on the IRQ thread's
+stack in wcove_typec_irq().
+
+Clamp the loop to sizeof(struct pd_message) and read each register into
+a local before storing only its low byte, so the copy can never exceed
+the destination regardless of what RXINFO reports.
+
+Assisted-by: gkh_clanker_t1000
+Cc: stable <stable@kernel.org>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://patch.msgid.link/2026051347-clustered-deflected-9543@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/wcove.c |   13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/wcove.c
++++ b/drivers/usb/typec/tcpm/wcove.c
+@@ -444,9 +444,11 @@ static int wcove_start_toggling(struct t
+       return regmap_write(wcove->regmap, USBC_CONTROL1, usbc_ctrl);
+ }
+-static int wcove_read_rx_buffer(struct wcove_typec *wcove, void *msg)
++static int wcove_read_rx_buffer(struct wcove_typec *wcove,
++                              struct pd_message *msg)
+ {
+-      unsigned int info;
++      unsigned int info, val, len;
++      u8 *buf = (u8 *)msg;
+       int ret;
+       int i;
+@@ -454,12 +456,13 @@ static int wcove_read_rx_buffer(struct w
+       if (ret)
+               return ret;
+-      /* FIXME: Check that USBC_RXINFO_RXBYTES(info) matches the header */
++      len = min(USBC_RXINFO_RXBYTES(info), sizeof(*msg));
+-      for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++) {
+-              ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i);
++      for (i = 0; i < len; i++) {
++              ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, &val);
+               if (ret)
+                       return ret;
++              buf[i] = val;
+       }
+       return regmap_write(wcove->regmap, USBC_RXSTATUS,