--- /dev/null
+From 07704bbf36f57e4379e4cadf96410dab14621e3b Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 9 Apr 2026 16:05:54 +0200
+Subject: ALSA: fireworks: bound device-supplied status before string array lookup
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 07704bbf36f57e4379e4cadf96410dab14621e3b upstream.
+
+The status field in an EFW response is a 32-bit value supplied by the
+firewire device. efr_status_names[] has 17 entries so a status value
+outside that range goes off into the weeds when looking at the %s value.
+
+Even worse, the status could return EFR_STATUS_INCOMPLETE which is
+0x80000000, and is obviously not in that array of potential strings.
+
+Fix this up by properly bounding the index against the array size and
+printing "unknown" if it's not recognized.
+
+Cc: Clemens Ladisch <clemens@ladisch.de>
+Cc: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Fixes: bde8a8f23bbe ("ALSA: fireworks: Add transaction and some commands")
+Cc: stable <stable@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Link: https://patch.msgid.link/2026040953-astute-camera-1aa1@gregkh
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/firewire/fireworks/fireworks_command.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/sound/firewire/fireworks/fireworks_command.c
++++ b/sound/firewire/fireworks/fireworks_command.c
+@@ -151,10 +151,13 @@ efw_transaction(struct snd_efw *efw, uns
+ (be32_to_cpu(header->category) != category) ||
+ (be32_to_cpu(header->command) != command) ||
+ (be32_to_cpu(header->status) != EFR_STATUS_OK)) {
++ u32 st = be32_to_cpu(header->status);
++
+ dev_err(&efw->unit->device, "EFW command failed [%u/%u]: %s\n",
+ be32_to_cpu(header->category),
+ be32_to_cpu(header->command),
+- efr_status_names[be32_to_cpu(header->status)]);
++ st < ARRAY_SIZE(efr_status_names) ?
++ efr_status_names[st] : "unknown");
+ err = -EIO;
+ goto end;
+ }
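Review bot: The new `"unknown"` fallback discards the one value a maintainer needs to diagnose an unrecognized device status, the raw 32-bit number itself (the EFR_STATUS_INCOMPLETE case from the commit message is exactly such a value). Consider printing it next to the name, e.g. `"EFW command failed [%u/%u]: %s (0x%08x)\n"` with `st` appended to the argument list after the ternary. Since the message is only emitted on a failed command it costs nothing on the hot path. The enclosing efw_transaction() starts and ends outside the hunk.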
--- /dev/null
+From a535a9217ca3f2fccedaafb2fddb4c48f27d36dc Mon Sep 17 00:00:00 2001
+From: Samuel Page <sam@bynar.io>
+Date: Wed, 8 Apr 2026 15:30:13 +0100
+Subject: can: raw: fix ro->uniq use-after-free in raw_rcv()
+
+From: Samuel Page <sam@bynar.io>
+
+commit a535a9217ca3f2fccedaafb2fddb4c48f27d36dc upstream.
+
+raw_release() unregisters raw CAN receive filters via can_rx_unregister(),
+but receiver deletion is deferred with call_rcu(). This leaves a window
+where raw_rcv() may still be running in an RCU read-side critical section
+after raw_release() frees ro->uniq, leading to a use-after-free of the
+percpu uniq storage.
+
+Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific
+socket destructor. can_rx_unregister() takes an extra reference to the
+socket and only drops it from the RCU callback, so freeing uniq from
+sk_destruct ensures the percpu area is not released until the relevant
+callbacks have drained.
+
+Fixes: 514ac99c64b2 ("can: fix multiple delivery of a single CAN frame for overlapping CAN filters")
+Cc: stable@vger.kernel.org # v4.1+
+Assisted-by: Bynario AI
+Signed-off-by: Samuel Page <sam@bynar.io>
+Link: https://patch.msgid.link/26ec626d-cae7-4418-9782-7198864d070c@bynar.io
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+[mkl: applied manually]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/raw.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -336,6 +336,14 @@ static int raw_notifier(struct notifier_
+ return NOTIFY_DONE;
+ }
+
++static void raw_sock_destruct(struct sock *sk)
++{
++ struct raw_sock *ro = raw_sk(sk);
++
++ free_percpu(ro->uniq);
++ can_sock_destruct(sk);
++}
++
+ static int raw_init(struct sock *sk)
+ {
+ struct raw_sock *ro = raw_sk(sk);
+@@ -362,6 +370,8 @@ static int raw_init(struct sock *sk)
+ if (unlikely(!ro->uniq))
+ return -ENOMEM;
+
++ sk->sk_destruct = raw_sock_destruct;
++
+ /* set notifier */
+ spin_lock(&raw_notifier_lock);
+ list_add_tail(&ro->notifier, &raw_notifier_list);
+@@ -409,7 +419,6 @@ static int raw_release(struct socket *so
+ ro->bound = 0;
+ ro->dev = NULL;
+ ro->count = 0;
+- free_percpu(ro->uniq);
+
+ sock_orphan(sk);
+ sock->sk = NULL;
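Review bot: raw_sock_destruct() in the first hunk carries no comment, and the reason uniq must be freed from the destructor rather than from raw_release() is the whole point of the change; suggest `/* ro->uniq is freed here, not in raw_release(): raw_rcv() may still run under RCU until the can_rx_unregister() callback drops its socket reference. */` above it. One thing to confirm in raw_init(), whose body continues outside the second hunk: sk->sk_destruct is installed right after the uniq allocation, so any later failure path in raw_init() that frees ro->uniq itself would now double-free once the destructor runs, and should leave it to the destructor or clear ro->uniq. The early -ENOMEM return before the assignment is fine, since free_percpu() is not reached by the previously installed destructor.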
--- /dev/null
+From e597a809a2b97e927060ba182f58eb3e6101bc70 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 23 Feb 2026 16:53:39 +0100
+Subject: drm/vc4: platform_get_irq_byname() returns an int
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit e597a809a2b97e927060ba182f58eb3e6101bc70 upstream.
+
+platform_get_irq_byname() will return a negative value if an error
+happens, so it should be checked and not just passed directly into
+devm_request_threaded_irq() hoping all will be ok.
+
+Cc: Maxime Ripard <mripard@kernel.org>
+Cc: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Cc: Maíra Canal <mcanal@igalia.com>
+Cc: Raspberry Pi Kernel Maintenance <kernel-list@raspberrypi.com>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: David Airlie <airlied@gmail.com>
+Cc: Simona Vetter <simona@ffwll.ch>
+Cc: stable <stable@kernel.org>
+Assisted-by: gkh_clanker_2000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://patch.msgid.link/2026022339-cornflake-t-shirt-2471@gregkh
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -2614,17 +2614,23 @@ static int vc4_hdmi_hotplug_init(struct
+ int ret;
+
+ if (vc4_hdmi->variant->external_irq_controller) {
+- unsigned int hpd_con = platform_get_irq_byname(pdev, "hpd-connected");
+- unsigned int hpd_rm = platform_get_irq_byname(pdev, "hpd-removed");
++ int hpd = platform_get_irq_byname(pdev, "hpd-connected");
+
+- ret = devm_request_threaded_irq(&pdev->dev, hpd_con,
++ if (hpd < 0)
++ return hpd;
++
++ ret = devm_request_threaded_irq(&pdev->dev, hpd,
+ NULL,
+ vc4_hdmi_hpd_irq_thread, IRQF_ONESHOT,
+ "vc4 hdmi hpd connected", vc4_hdmi);
+ if (ret)
+ return ret;
+
+- ret = devm_request_threaded_irq(&pdev->dev, hpd_rm,
++ hpd = platform_get_irq_byname(pdev, "hpd-removed");
++ if (hpd < 0)
++ return hpd;
++
++ ret = devm_request_threaded_irq(&pdev->dev, hpd,
+ NULL,
+ vc4_hdmi_hpd_irq_thread, IRQF_ONESHOT,
+ "vc4 hdmi hpd disconnected", vc4_hdmi);
--- /dev/null
+From 8f98b81fe011e1879e6a7b1247e69e06a5e17af2 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 9 Apr 2026 15:23:14 +0200
+Subject: fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 8f98b81fe011e1879e6a7b1247e69e06a5e17af2 upstream.
+
+Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide
+by zero error"), we also need to prevent that same crash from happening
+in the udlfb driver as it uses pixclock directly when dividing, which
+will crash.
+
+Cc: Helge Deller <deller@gmx.de>
+Assisted-by: gregkh_clanker_t1000
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/tdfxfb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/video/fbdev/tdfxfb.c
++++ b/drivers/video/fbdev/tdfxfb.c
+@@ -496,6 +496,9 @@ static int tdfxfb_check_var(struct fb_va
+ }
+ }
+
++ if (!var->pixclock)
++ return -EINVAL;
++
+ if (PICOS2KHZ(var->pixclock) > par->max_pixclock) {
+ DPRINTK("pixclock too high (%ldKHz)\n",
+ PICOS2KHZ(var->pixclock));
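Review bot: The new zero check has no comment saying why it is needed, and the motivation is not visible in the surrounding lines; suggest `/* PICOS2KHZ() divides by pixclock; 0 from FBIOPUT_VSCREENINFO would trap here */` above it. The commit message describes the crash as being in the udlfb driver while the patch changes tdfxfb_check_var(), so the changelog should name the driver actually touched. tdfxfb_check_var() starts and continues outside the hunk.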
--- /dev/null
+From 1badfc4319224820d5d890f8eab6aa52e4e83339 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 6 Apr 2026 16:03:25 +0200
+Subject: HID: alps: fix NULL pointer dereference in alps_raw_event()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 1badfc4319224820d5d890f8eab6aa52e4e83339 upstream.
+
+Commit ecfa6f34492c ("HID: Add HID_CLAIMED_INPUT guards in raw_event
+callbacks missing them") attempted to fix up the HID drivers that had
+missed the previous fix that was done in 2ff5baa9b527 ("HID: appleir:
+Fix potential NULL dereference at raw event handle"), but the alps
+driver was missed.
+
+Fix this up by properly checking in the hid-alps driver that it had been
+claimed correctly before attempting to process the raw event.
+
+Fixes: 73196ebe134d ("HID: alps: add support for Alps T4 Touchpad device")
+Cc: stable <stable@kernel.org>
+Cc: Jiri Kosina <jikos@kernel.org>
+Cc: Benjamin Tissoires <bentiss@kernel.org>
+Cc: Masaki Ota <masaki.ota@jp.alps.com>
+Cc: linux-input@vger.kernel.org
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-alps.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/hid/hid-alps.c
++++ b/drivers/hid/hid-alps.c
+@@ -437,6 +437,9 @@ static int alps_raw_event(struct hid_dev
+ int ret = 0;
+ struct alps_dev *hdata = hid_get_drvdata(hdev);
+
++ if (!(hdev->claimed & HID_CLAIMED_INPUT) || !hdata->input)
++ return 0;
++
+ switch (hdev->product) {
+ case HID_PRODUCT_ID_T4_BTNLESS:
+ ret = t4_raw_event(hdata, data, size);
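Review bot: The new guard returns 0 silently with no comment, so a reader of alps_raw_event() cannot tell whether dropping the report is deliberate; suggest `/* input not claimed or not yet registered: nothing to deliver */` above it. The guard also dereferences `hdata` from hid_get_drvdata() before checking it, which is presumably safe because probe sets drvdata before hid_hw_start(), but that is worth confirming since the rest of the function is outside the hunk.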
--- /dev/null
+From 69c02ffde6ed4d535fa4e693a9e572729cad3d0d Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 6 Apr 2026 16:04:10 +0200
+Subject: HID: core: clamp report_size in s32ton() to avoid undefined shift
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 69c02ffde6ed4d535fa4e693a9e572729cad3d0d upstream.
+
+s32ton() shifts by n-1 where n is the field's report_size, a value that
+comes directly from a HID device. The HID parser bounds report_size
+only to <= 256, so a broken HID device can supply a report descriptor
+with a wide field that triggers shift exponents up to 256 on a 32-bit
+type when an output report is built via hid_output_field() or
+hid_set_field().
+
+Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds in
+hid_report_raw_event") added the same n > 32 clamp to the function
+snto32(), but s32ton() was never given the same fix as I guess syzbot
+hadn't figured out how to fuzz a device the same way.
+
+Fix this up by just clamping the max value of n, just like snto32()
+does.
+
+Cc: stable <stable@kernel.org>
+Cc: Jiri Kosina <jikos@kernel.org>
+Cc: Benjamin Tissoires <bentiss@kernel.org>
+Cc: linux-input@vger.kernel.org
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1358,6 +1358,9 @@ static u32 s32ton(__s32 value, unsigned
+ if (!value || !n)
+ return 0;
+
++ if (n > 32)
++ n = 32;
++
+ a = value >> (n - 1);
+
+ if (a && a != -1)
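Review bot: The clamp keeps `n - 1` in range for the shift at the bottom of the hunk, but the rest of s32ton() is outside the hunk and, if it still builds the result mask as `(1 << n) - 1`, n == 32 now shifts an int by its full width, which is just as undefined as the case being fixed. snto32() sidesteps this by special-casing n == 32; the same special case, or a mask computed as `~0U >> (32 - n)` for n in 1..32, would close it. A comment on the clamp would also help, e.g. `/* report_size is device-controlled; the parser only bounds it to 256 */`.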
--- /dev/null
+From c0128c7157d639a931353ea344fb44aad6d6e17a Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 23 Feb 2026 18:05:15 +0100
+Subject: i2c: s3c24xx: check the size of the SMBUS message before using it
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit c0128c7157d639a931353ea344fb44aad6d6e17a upstream.
+
+The first byte of an i2c SMBUS message is the size, and it should be
+verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX
+before processing it.
+
+This is the same logic that was added in commit a6e04f05ce0b ("i2c:
+tegra: check msg length in SMBUS block read") to the i2c tegra driver.
+
+Cc: Krzysztof Kozlowski <krzk@kernel.org>
+Cc: Alim Akhtar <alim.akhtar@samsung.com>
+Cc: Andi Shyti <andi.shyti@kernel.org>
+Cc: stable <stable@kernel.org>
+Assisted-by: gkh_clanker_2000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/2026022314-rely-scrubbed-4839@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-s3c2410.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-s3c2410.c
++++ b/drivers/i2c/busses/i2c-s3c2410.c
+@@ -508,8 +508,13 @@ static int i2c_s3c_irq_nextbyte(struct s
+ i2c->msg->buf[i2c->msg_ptr++] = byte;
+
+ /* Add actual length to read for smbus block read */
+- if (i2c->msg->flags & I2C_M_RECV_LEN && i2c->msg->len == 1)
++ if (i2c->msg->flags & I2C_M_RECV_LEN && i2c->msg->len == 1) {
++ if (byte == 0 || byte > I2C_SMBUS_BLOCK_MAX) {
++ s3c24xx_i2c_stop(i2c, -EPROTO);
++ break;
++ }
+ i2c->msg->len += byte;
++ }
+ prepare_read:
+ if (is_msglast(i2c)) {
+ /* last byte of buffer */
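Review bot: The new length check aborts the transfer with -EPROTO but leaves no trace, so a misbehaving slave that reports a bad block length is hard to diagnose; a dev_dbg() naming the rejected `byte` before the s3c24xx_i2c_stop() call would help. Note that the byte was already stored into `i2c->msg->buf` on the first line of the hunk before being validated, which is fine only because the I2C_M_RECV_LEN contract guarantees room for it; a one-line comment to that effect would save the next reader a trip to the i2c core. i2c_s3c_irq_nextbyte() continues outside the hunk.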
--- /dev/null
+From 53370cf9090777774e07fd9a8ebce67c6cc333ab Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 6 Apr 2026 15:46:47 +0200
+Subject: ksmbd: require 3 sub-authorities before reading sub_auth[2]
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 53370cf9090777774e07fd9a8ebce67c6cc333ab upstream.
+
+parse_dacl() compares each ACE SID against sid_unix_NFS_mode and on
+match reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is
+the prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() compares
+only min(num_subauth, 2) sub-authorities so a client SID with
+num_subauth = 2 and sub_auth = {88, 3} will match.
+
+If num_subauth = 2 and the ACE is placed at the very end of the security
+descriptor, sub_auth[2] will be 4 bytes past end_of_acl. The
+out-of-band bytes will then be masked to the low 9 bits and applied as
+the file's POSIX mode, probably not something that is good to have
+happen.
+
+Fix this up by forcing the SID to actually carry a third sub-authority
+before reading it at all.
+
+Cc: Namjae Jeon <linkinjeon@kernel.org>
+Cc: Steve French <smfrench@gmail.com>
+Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
+Cc: Tom Talpey <tom@talpey.com>
+Cc: linux-cifs@vger.kernel.org
+Cc: <stable@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smbacl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/smbacl.c
++++ b/fs/smb/server/smbacl.c
+@@ -451,7 +451,8 @@ static void parse_dacl(struct user_names
+ ppace[i]->access_req =
+ smb_map_generic_desired_access(ppace[i]->access_req);
+
+- if (!(compare_sids(&ppace[i]->sid, &sid_unix_NFS_mode))) {
++ if (ppace[i]->sid.num_subauth >= 3 &&
++ !(compare_sids(&ppace[i]->sid, &sid_unix_NFS_mode))) {
+ fattr->cf_mode =
+ le32_to_cpu(ppace[i]->sid.sub_auth[2]);
+ break;
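Review bot: `num_subauth >= 3` ensures the SID claims a third sub-authority, but the scenario in the commit message is an ACE at the very end of the descriptor, so what also matters is that a SID declaring three sub-authorities actually has those bytes before end_of_acl. If parse_dacl()'s earlier ACE size validation (outside the hunk) bounds only the ACE header and not the variable-length SID, the read of `sub_auth[2]` is still reachable past end_of_acl; worth confirming, or adding an explicit check that the address one past `sub_auth[2]` does not exceed end_of_acl. A short comment on the new condition, e.g. `/* compare_sids() only checks min(num_subauth, 2) entries; sub_auth[2] must exist before we read it */`, would record why the count check is needed at all.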
--- /dev/null
+From 66751841212c2cc196577453c37f7774ff363f02 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 6 Apr 2026 15:46:46 +0200
+Subject: ksmbd: validate EaNameLength in smb2_get_ea()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 66751841212c2cc196577453c37f7774ff363f02 upstream.
+
+smb2_get_ea() reads ea_req->EaNameLength from the client request and
+passes it directly to strncmp() as the comparison length without
+verifying that the length of the name really is the size of the input
+buffer received.
+
+Fix this up by properly checking the size of the name based on the value
+received and the overall size of the request, to prevent a later
+strncmp() call to use the length as a "trusted" size of the buffer.
+Without this check, uninitialized heap values might be slowly leaked to
+the client.
+
+Cc: Namjae Jeon <linkinjeon@kernel.org>
+Cc: Steve French <smfrench@gmail.com>
+Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
+Cc: Tom Talpey <tom@talpey.com>
+Cc: linux-cifs@vger.kernel.org
+Cc: <stable@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -4390,6 +4390,11 @@ static int smb2_get_ea(struct ksmbd_work
+
+ ea_req = (struct smb2_ea_info_req *)((char *)req +
+ le16_to_cpu(req->InputBufferOffset));
++
++ if (le32_to_cpu(req->InputBufferLength) <
++ offsetof(struct smb2_ea_info_req, name) +
++ ea_req->EaNameLength)
++ return -EINVAL;
+ } else {
+ /* need to send all EAs, if no specific EA is requested*/
+ if (le32_to_cpu(req->Flags) & SL_RETURN_SINGLE_ENTRY)
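Review bot: The new bound reads `ea_req->EaNameLength` to compute the limit before anything has established that InputBufferLength covers even the fixed part of struct smb2_ea_info_req, so if InputBufferOffset/InputBufferLength are not validated against the received PDU earlier in smb2_get_ea() (outside the hunk), that one-byte read is itself unchecked. A two-step check settles it: first `if (le32_to_cpu(req->InputBufferLength) < offsetof(struct smb2_ea_info_req, name)) return -EINVAL;`, then the existing comparison. Either way a comment such as `/* EaNameLength is client-supplied and later used as a strncmp() bound */` would explain the check to the next reader.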
--- /dev/null
+From 600dc40554dc5ad1e6f3af51f700228033f43ea7 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sat, 11 Apr 2026 13:01:35 +0200
+Subject: net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 600dc40554dc5ad1e6f3af51f700228033f43ea7 upstream.
+
+A malicious USB device claiming to be a CDC Phonet modem can overflow
+the skb_shared_info->frags[] array by sending an unbounded sequence of
+full-page bulk transfers.
+
+Drop the skb and increment the length error when the frag limit is
+reached. This matches the same fix that commit f0813bcd2d9d ("net:
+wwan: t7xx: fix potential skb->frags overflow in RX path") did for the
+t7xx driver.
+
+Cc: Andrew Lunn <andrew+netdev@lunn.ch>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: stable <stable@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://patch.msgid.link/2026041134-dreamboat-buddhism-d1ec@gregkh
+Fixes: 87cf65601e17 ("USB host CDC Phonet network interface driver")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/cdc-phonet.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/cdc-phonet.c
++++ b/drivers/net/usb/cdc-phonet.c
+@@ -157,11 +157,16 @@ static void rx_complete(struct urb *req)
+ PAGE_SIZE);
+ page = NULL;
+ }
+- } else {
++ } else if (skb_shinfo(skb)->nr_frags < MAX_SKB_FRAGS) {
+ skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
+ page, 0, req->actual_length,
+ PAGE_SIZE);
+ page = NULL;
++ } else {
++ dev_kfree_skb_any(skb);
++ pnd->rx_skb = NULL;
++ skb = NULL;
++ dev->stats.rx_length_errors++;
+ }
+ if (req->actual_length < PAGE_SIZE)
+ pnd->rx_skb = NULL; /* Last fragment */
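Review bot: Once the new else branch drops the oversized skb and clears pnd->rx_skb, the next full-page transfer of the same frame will take the `!skb` allocation path above the hunk and be delivered as the start of a fresh packet, so one over-long frame becomes one counted error plus one bogus packet made of its tail. If that is not acceptable, a per-device "discard until a short transfer ends the frame" flag set in the new branch and consulted where the skb is allocated would swallow the remainder. The code after the hunk that finalizes the last fragment must also tolerate skb == NULL now, which is presumably why it is cleared; worth confirming since it is outside the hunk.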
--- /dev/null
+From 46ce8be2ced389bccd84bcc04a12cf2f4d0c22d1 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 9 Apr 2026 17:18:14 +0200
+Subject: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 46ce8be2ced389bccd84bcc04a12cf2f4d0c22d1 upstream.
+
+The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3
+or 4 bytes to target->nfcid1 on each round, but the number of cascade
+rounds is controlled entirely by the peer device. The peer sets the
+cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the
+cascade-incomplete bit in the SEL_RES (deciding whether another round
+follows).
+
+ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is
+sized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver
+actually enforces this. This means a malicious peer can keep the
+cascade running, writing past the heap-allocated nfc_target with each
+round.
+
+Fix this by rejecting the response when the accumulated UID would exceed
+the buffer.
+
+Commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays")
+fixed similar missing checks against the same field on the NCI path.
+
+Cc: Simon Horman <horms@kernel.org>
+Cc: Kees Cook <kees@kernel.org>
+Cc: Thierry Escande <thierry.escande@linux.intel.com>
+Cc: Samuel Ortiz <sameo@linux.intel.com>
+Fixes: 2c66daecc409 ("NFC Digital: Add NFC-A technology support")
+Cc: stable <stable@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://patch.msgid.link/2026040913-figure-seducing-bd3f@gregkh
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/digital_technology.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/nfc/digital_technology.c
++++ b/net/nfc/digital_technology.c
+@@ -424,6 +424,12 @@ static void digital_in_recv_sdd_res(stru
+ size = 4;
+ }
+
++ if (target->nfcid1_len + size > NFC_NFCID1_MAXSIZE) {
++ PROTOCOL_ERR("4.7.2.1");
++ rc = -EPROTO;
++ goto exit;
++ }
++
+ memcpy(target->nfcid1 + target->nfcid1_len, sdd_res->nfcid1 + offset,
+ size);
+ target->nfcid1_len += size;
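Review bot: The new bound carries only the PROTOCOL_ERR spec reference; a one-line comment stating what is enforced would help, e.g. `/* ISO 14443-3 allows at most three cascade levels (NFC_NFCID1_MAXSIZE bytes); the peer controls both the level count and the 3/4-byte tag */`. The same peer-controlled fields decide `offset` and `size` just above the hunk, so presumably those are already checked against the received SDD_RES length; that part of digital_in_recv_sdd_res() is outside the hunk.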
--- /dev/null
+From 2b5dd4632966c39da6ba74dbc8689b309065e82c Mon Sep 17 00:00:00 2001
+From: Junxi Qian <qjx1298677004@gmail.com>
+Date: Wed, 8 Apr 2026 16:10:06 +0800
+Subject: nfc: llcp: add missing return after LLCP_CLOSED checks
+
+From: Junxi Qian <qjx1298677004@gmail.com>
+
+commit 2b5dd4632966c39da6ba74dbc8689b309065e82c upstream.
+
+In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket
+state is LLCP_CLOSED, the code correctly calls release_sock() and
+nfc_llcp_sock_put() but fails to return. Execution falls through to
+the remainder of the function, which calls release_sock() and
+nfc_llcp_sock_put() again. This results in a double release_sock()
+and a refcount underflow via double nfc_llcp_sock_put(), leading to
+a use-after-free.
+
+Add the missing return statements after the LLCP_CLOSED branches
+in both functions to prevent the fall-through.
+
+Fixes: d646960f7986 ("NFC: Initial LLCP support")
+Signed-off-by: Junxi Qian <qjx1298677004@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260408081006.3723-1-qjx1298677004@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/llcp_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -1089,6 +1089,7 @@ static void nfc_llcp_recv_hdlc(struct nf
+ if (sk->sk_state == LLCP_CLOSED) {
+ release_sock(sk);
+ nfc_llcp_sock_put(llcp_sock);
++ return;
+ }
+
+ /* Pass the payload upstream */
+@@ -1180,6 +1181,7 @@ static void nfc_llcp_recv_disc(struct nf
+ if (sk->sk_state == LLCP_CLOSED) {
+ release_sock(sk);
+ nfc_llcp_sock_put(llcp_sock);
++ return;
+ }
+
+ if (sk->sk_state == LLCP_CONNECTED) {
netfilter-conntrack-add-missing-netlink-policy-valid.patch
alsa-usb-audio-improve-focusrite-sample-rate-filteri.patch
drm-i915-psr-do-not-use-pipe_src-as-borders-for-su-a.patch
+nfc-llcp-add-missing-return-after-llcp_closed-checks.patch
+can-raw-fix-ro-uniq-use-after-free-in-raw_rcv.patch
+i2c-s3c24xx-check-the-size-of-the-smbus-message-before-using-it.patch
+staging-rtl8723bs-initialize-le_tmp64-in-rtw_bip_verify.patch
+hid-alps-fix-null-pointer-dereference-in-alps_raw_event.patch
+hid-core-clamp-report_size-in-s32ton-to-avoid-undefined-shift.patch
+net-usb-cdc-phonet-fix-skb-frags-overflow-in-rx_complete.patch
+nfc-digital-bounds-check-nfc-a-cascade-depth-in-sdd-response-handler.patch
+drm-vc4-platform_get_irq_byname-returns-an-int.patch
+alsa-fireworks-bound-device-supplied-status-before-string-array-lookup.patch
+fbdev-tdfxfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch
+usb-gadget-f_ncm-validate-minimum-block_len-in-ncm_unwrap_ntb.patch
+usb-gadget-f_phonet-fix-skb-frags-overflow-in-pn_rx_complete.patch
+usb-gadget-renesas_usb3-validate-endpoint-index-in-standard-request-handlers.patch
+ksmbd-validate-eanamelength-in-smb2_get_ea.patch
+ksmbd-require-3-sub-authorities-before-reading-sub_auth.patch
+usbip-validate-number_of_packets-in-usbip_pack_ret_submit.patch
+usb-storage-expand-range-of-matched-versions-for-vl817-quirks-entry.patch
+usb-cdc-acm-add-quirks-for-yoga-book-9-14iah10-ingenic-touchscreen.patch
+usb-port-add-delay-after-usb_hub_set_port_power.patch
--- /dev/null
+From 8c964b82a4e97ec7f25e17b803ee196009b38a57 Mon Sep 17 00:00:00 2001
+From: Lin YuChen <starpt.official@gmail.com>
+Date: Sat, 21 Mar 2026 01:25:02 +0800
+Subject: staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
+
+From: Lin YuChen <starpt.official@gmail.com>
+
+commit 8c964b82a4e97ec7f25e17b803ee196009b38a57 upstream.
+
+Initialize le_tmp64 to zero in rtw_BIP_verify() to prevent using
+uninitialized data.
+
+Smatch warns that only 6 bytes are copied to this 8-byte (u64)
+variable, leaving the last two bytes uninitialized:
+
+drivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify()
+warn: not copying enough bytes for '&le_tmp64' (8 vs 6 bytes)
+
+Initializing the variable at the start of the function fixes this
+warning and ensures predictable behavior.
+
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Cc: stable <stable@kernel.org>
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/linux-staging/abvwIQh0CHTp4wNJ@stanley.mountain/
+Signed-off-by: Lin YuChen <starpt.official@gmail.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/20260320172502.167332-1-starpt.official@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/core/rtw_security.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_security.c
++++ b/drivers/staging/rtl8723bs/core/rtw_security.c
+@@ -1364,7 +1364,7 @@ u32 rtw_BIP_verify(struct adapter *padap
+ u8 mic[16];
+ struct mlme_ext_priv *pmlmeext = &padapter->mlmeextpriv;
+ __le16 le_tmp;
+- __le64 le_tmp64;
++ __le64 le_tmp64 = 0;
+
+ ori_len = pattrib->pkt_len-WLAN_HDR_A3_LEN+BIP_AAD_SIZE;
+ BIP_AAD = rtw_zmalloc(ori_len);
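Review bot: Zero-initializing le_tmp64 makes the 6-byte copy well-defined, but its correctness rests on the copy filling the low-order bytes of a little-endian value so that the two remaining bytes act as the zero high bytes of the packet number; that reasoning lives at the memcpy site, which is outside the hunk, and deserves a comment there such as `/* IPN is 6 bytes; the upper 2 bytes of le_tmp64 stay zero */`. Without it the `= 0` reads as a mere warning silencer. rtw_BIP_verify() continues outside the hunk.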
--- /dev/null
+From f58752ebcb35e156c85cd1a82d6579c7af3b9023 Mon Sep 17 00:00:00 2001
+From: Dave Carey <carvsdriver@gmail.com>
+Date: Thu, 2 Apr 2026 14:29:50 -0400
+Subject: USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen
+
+From: Dave Carey <carvsdriver@gmail.com>
+
+commit f58752ebcb35e156c85cd1a82d6579c7af3b9023 upstream.
+
+The Lenovo Yoga Book 9 14IAH10 (83KJ) has a composite USB device
+(17EF:6161) that controls both touchscreens via a CDC ACM interface.
+Interface 0 is a standard CDC ACM control interface, but interface 1
+(the data interface) incorrectly declares vendor-specific class (0xFF)
+instead of USB_CLASS_CDC_DATA. cdc-acm rejects the device at probe with
+-EINVAL, leaving interface 0 unbound and EP 0x82 never polled.
+
+With no consumer polling EP 0x82, the firmware's watchdog fires every
+~20 seconds and resets the USB bus, producing a continuous disconnect/
+reconnect loop that prevents the touchscreens from ever initialising.
+
+Add two new quirk flags:
+
+VENDOR_CLASS_DATA_IFACE: Bypasses the bInterfaceClass check in
+acm_probe() that would otherwise reject the vendor-class data
+interface with -EINVAL.
+
+ALWAYS_POLL_CTRL: Submits the notification URB at probe() rather than
+waiting for a TTY open. This keeps EP 0x82 polled at all times,
+permanently suppressing the firmware watchdog. The URB is resubmitted
+after port_shutdown() and on system resume. SET_CONTROL_LINE_STATE
+(DTR|RTS) is sent at probe and after port_shutdown() to complete
+firmware handshake.
+
+Note: the firmware performs exactly 4 USB connect/disconnect cycles
+(~19 s each) on every cold boot before stabilising. This is a fixed
+firmware property; touch is available ~75-80 s after power-on.
+
+Signed-off-by: Dave Carey <carvsdriver@gmail.com>
+Cc: stable <stable@kernel.org>
+Tested-by: Dave Carey <carvsdriver@gmail.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Link: https://patch.msgid.link/20260402182950.389016-1-carvsdriver@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-acm.c | 53 ++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 46 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -113,6 +113,8 @@ static int acm_ctrl_msg(struct acm *acm,
+ int retval;
+
+ retval = usb_autopm_get_interface(acm->control);
++#define VENDOR_CLASS_DATA_IFACE BIT(9) /* data interface uses vendor-specific class */
++#define ALWAYS_POLL_CTRL BIT(10) /* keep ctrl URB active even without an open TTY */
+ if (retval)
+ return retval;
+
+@@ -699,12 +701,14 @@ static int acm_port_activate(struct tty_
+ set_bit(TTY_NO_WRITE_SPLIT, &tty->flags);
+ acm->control->needs_remote_wakeup = 1;
+
+- acm->ctrlurb->dev = acm->dev;
+- retval = usb_submit_urb(acm->ctrlurb, GFP_KERNEL);
+- if (retval) {
+- dev_err(&acm->control->dev,
+- "%s - usb_submit_urb(ctrl irq) failed\n", __func__);
+- goto error_submit_urb;
++ if (!(acm->quirks & ALWAYS_POLL_CTRL)) {
++ acm->ctrlurb->dev = acm->dev;
++ retval = usb_submit_urb(acm->ctrlurb, GFP_KERNEL);
++ if (retval) {
++ dev_err(&acm->control->dev,
++ "%s - usb_submit_urb(ctrl irq) failed\n", __func__);
++ goto error_submit_urb;
++ }
+ }
+
+ acm_tty_set_termios(tty, NULL);
+@@ -777,6 +781,14 @@ static void acm_port_shutdown(struct tty
+
+ acm_unpoison_urbs(acm);
+
++ if (acm->quirks & ALWAYS_POLL_CTRL) {
++ acm->ctrlurb->dev = acm->dev;
++ if (usb_submit_urb(acm->ctrlurb, GFP_KERNEL))
++ dev_dbg(&acm->control->dev,
++ "ctrl polling restart failed after port close\n");
++ /* port_shutdown() cleared DTR/RTS; restore them */
++ acm_set_control(acm, USB_CDC_CTRL_DTR | USB_CDC_CTRL_RTS);
++ }
+ }
+
+ static void acm_tty_cleanup(struct tty_struct *tty)
+@@ -1304,6 +1316,9 @@ skip_normal_probe:
+ dev_dbg(&intf->dev,
+ "Your device has switched interfaces.\n");
+ swap(control_interface, data_interface);
++ } else if (quirks & VENDOR_CLASS_DATA_IFACE) {
++ dev_dbg(&intf->dev,
++ "Vendor-specific data interface class, continuing.\n");
+ } else {
+ return -EINVAL;
+ }
+@@ -1498,6 +1513,9 @@ skip_countries:
+ acm->line.bDataBits = 8;
+ acm_set_line(acm, &acm->line);
+
++ if (quirks & ALWAYS_POLL_CTRL)
++ acm_set_control(acm, USB_CDC_CTRL_DTR | USB_CDC_CTRL_RTS);
++
+ if (!acm->combined_interfaces) {
+ rv = usb_driver_claim_interface(&acm_driver, data_interface, acm);
+ if (rv)
+@@ -1519,6 +1537,13 @@ skip_countries:
+
+ dev_info(&intf->dev, "ttyACM%d: USB ACM device\n", minor);
+
++ if (acm->quirks & ALWAYS_POLL_CTRL) {
++ acm->ctrlurb->dev = acm->dev;
++ if (usb_submit_urb(acm->ctrlurb, GFP_KERNEL))
++ dev_warn(&intf->dev,
++ "failed to start persistent ctrl polling\n");
++ }
++
+ return 0;
+
+ err_release_data_interface:
+@@ -1645,7 +1670,7 @@ static int acm_resume(struct usb_interfa
+
+ acm_unpoison_urbs(acm);
+
+- if (tty_port_initialized(&acm->port)) {
++ if (tty_port_initialized(&acm->port) || (acm->quirks & ALWAYS_POLL_CTRL)) {
+ rv = usb_submit_urb(acm->ctrlurb, GFP_ATOMIC);
+
+ for (;;) {
+@@ -1992,6 +2017,20 @@ static const struct usb_device_id acm_id
+ /* CH343 supports CAP_BRK, but doesn't advertise it */
+ { USB_DEVICE(0x1a86, 0x55d3), .driver_info = MISSING_CAP_BRK, },
+
++ /*
++ * Lenovo Yoga Book 9 14IAH10 (83KJ) — INGENIC 17EF:6161 touchscreen
++ * composite device. The CDC ACM control interface (0) uses a standard
++ * Union descriptor, but the data interface (1) is declared as vendor-
++ * specific class (0xff) with no CDC data descriptors, so cdc-acm would
++ * normally reject it. The firmware also requires continuous polling of
++ * the notification endpoint (EP 0x82) to suppress a 20-second watchdog
++ * reset; ALWAYS_POLL_CTRL keeps the ctrlurb active even when no TTY is
++ * open. Match only the control interface by class to avoid probing the
++ * vendor-specific data interface.
++ */
++ { USB_DEVICE_INTERFACE_CLASS(0x17ef, 0x6161, USB_CLASS_COMM),
++ .driver_info = VENDOR_CLASS_DATA_IFACE | ALWAYS_POLL_CTRL },
++
+ /* control interfaces without any protocol set */
+ { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
+ USB_CDC_PROTO_NONE) },
--- /dev/null
+From 8f993d30b95dc9557a8a96ceca11abed674c8acb Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 7 Apr 2026 11:02:54 +0200
+Subject: usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 8f993d30b95dc9557a8a96ceca11abed674c8acb upstream.
+
+The block_len read from the host-supplied NTB header is checked against
+ntb_max but has no lower bound. When block_len is smaller than
+opts->ndp_size, the bounds check of:
+ ndp_index > (block_len - opts->ndp_size)
+will underflow producing a huge unsigned value that ndp_index can never
+exceed, defeating the check entirely.
+
+The same underflow occurs in the datagram index checks against block_len
+- opts->dpe_size. With those checks neutered, a malicious USB host can
+choose ndp_index and datagram offsets that point past the actual
+transfer, and the skb_put_data() copies adjacent kernel memory into the
+network skb.
+
+Fix this by rejecting block lengths that cannot hold at least the NTB
+header plus one NDP. This will make block_len - opts->ndp_size and
+block_len - opts->dpe_size both well-defined.
+
+Commit 8d2b1a1ec9f5 ("CDC-NCM: avoid overflow in sanity checking") fixed
+a related class of issues on the host side of NCM.
+
+Fixes: 2b74b0a04d3e ("USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb()")
+Cc: stable <stable@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Link: https://patch.msgid.link/2026040753-baffle-handheld-624d@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_ncm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_ncm.c
++++ b/drivers/usb/gadget/function/f_ncm.c
+@@ -1211,8 +1211,8 @@ parse_ntb:
+
+ block_len = get_ncm(&tmp, opts->block_length);
+ /* (d)wBlockLength */
+- if (block_len > ntb_max) {
+- INFO(port->func.config->cdev, "OUT size exceeded\n");
++ if ((block_len < opts->nth_size + opts->ndp_size) || (block_len > ntb_max)) {
++ INFO(port->func.config->cdev, "Bad block length: %#X\n", block_len);
+ goto err;
+ }
+
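Review bot: The new lower bound makes `block_len - opts->ndp_size` and `block_len - opts->dpe_size` well-defined, but both remain relative to the host-supplied block_len rather than to the bytes actually received; unless a check outside this hunk already enforces block_len against the received length (ncm_unwrap_ntb() starts before the hunk, so I could not verify), an NTB that declares a block_len up to ntb_max on a shorter transfer still lets the datagram index/length checks pass against data the skb does not hold. If no such check exists, adding a `block_len > <received length>` term to this condition (whichever of skb->len or a local like to_process the function uses) closes that gap with the same single-line change. The enclosing function continues outside this hunk.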
--- /dev/null
+From c088d5dd2fffb4de1fb8e7f57751c8b82942180a Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 7 Apr 2026 10:55:05 +0200
+Subject: usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit c088d5dd2fffb4de1fb8e7f57751c8b82942180a upstream.
+
+A broken/bored/mean USB host can overflow the skb_shared_info->frags[]
+array on a Linux gadget exposing a Phonet function by sending an
+unbounded sequence of full-page OUT transfers.
+
+pn_rx_complete() finalizes the skb only when req->actual < req->length,
+where req->length is set to PAGE_SIZE by the gadget. If the host always
+sends exactly PAGE_SIZE bytes per transfer, fp->rx.skb will never be
+reset and each completion will add another fragment via
+skb_add_rx_frag(). Once nr_frags exceeds MAX_SKB_FRAGS (default 17),
+subsequent frag stores overwrite memory adjacent to the shinfo on the
+heap.
+
+Drop the skb and account a length error when the frag limit is reached,
+matching the fix applied in t7xx by commit f0813bcd2d9d ("net: wwan:
+t7xx: fix potential skb->frags overflow in RX path").
+
+Cc: stable <stable@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Link: https://patch.msgid.link/2026040705-fruit-unloved-0701@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_phonet.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/gadget/function/f_phonet.c
++++ b/drivers/usb/gadget/function/f_phonet.c
+@@ -333,6 +333,15 @@ static void pn_rx_complete(struct usb_ep
+ if (unlikely(!skb))
+ break;
+
++ if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) {
++ /* Frame count from host exceeds frags[] capacity */
++ dev_kfree_skb_any(skb);
++ if (fp->rx.skb == skb)
++ fp->rx.skb = NULL;
++ dev->stats.rx_length_errors++;
++ break;
++ }
++
+ if (skb->len == 0) { /* First fragment */
+ skb->protocol = htons(ETH_P_PHONET);
+ skb_reset_mac_header(skb);
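Review bot: When the new guard fires it skips `skb_add_rx_frag()`, so the page backing this request is never attached to the skb; pn_rx_complete() starts outside this hunk, so please confirm the common cleanup after the switch still releases `page` on this path (the `break` lands there rather than in a `return`), otherwise each oversize sequence leaks one page. The `if (fp->rx.skb == skb)` comparison looks always true if `skb` was just taken from `fp->rx.skb` above the hunk; if it is intended as defensive, a short comment saying so would save the next reader a search for another source of `skb`. The comment could also name the condition rather than the symptom, e.g. `/* host kept sending full-length transfers; no room left in frags[] */`.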
--- /dev/null
+From f880aac8a57ebd92abfa685d45424b2998ac1059 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 6 Apr 2026 17:09:48 +0200
+Subject: usb: gadget: renesas_usb3: validate endpoint index in standard request handlers
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit f880aac8a57ebd92abfa685d45424b2998ac1059 upstream.
+
+The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint
+number from the host-supplied wIndex without any sort of validation.
+Fix this up by validating the number of endpoints actually match up with
+the number the device has before attempting to dereference a pointer
+based on this math.
+
+This is just like what was done in commit ee0d382feb44 ("usb: gadget:
+aspeed_udc: validate endpoint index for ast udc") for the aspeed driver.
+
+Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller")
+Cc: stable <stable@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Link: https://patch.msgid.link/2026040647-sincerity-untidy-b104@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/renesas_usb3.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/renesas_usb3.c
++++ b/drivers/usb/gadget/udc/renesas_usb3.c
+@@ -1628,6 +1628,10 @@ static bool usb3_std_req_get_status(stru
+ break;
+ case USB_RECIP_ENDPOINT:
+ num = le16_to_cpu(ctrl->wIndex) & USB_ENDPOINT_NUMBER_MASK;
++ if (num >= usb3->num_usb3_eps) {
++ stall = true;
++ break;
++ }
+ usb3_ep = usb3_get_ep(usb3, num);
+ if (usb3_ep->halt)
+ status |= 1 << USB_ENDPOINT_HALT;
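Review bot: The bound `num >= usb3->num_usb3_eps` is duplicated verbatim between this hunk and the SET/CLEAR_FEATURE hunk at @@ -1740; a tiny helper such as `static bool usb3_ep_num_valid(struct renesas_usb3 *usb3, u8 num) { return num < usb3->num_usb3_eps; }` gives the invariant one home and makes it harder for a future request handler to omit it. `num` is masked with USB_ENDPOINT_NUMBER_MASK, so the direction bit of wIndex is dropped before the lookup; if usb3_get_ep() indexes a single array by endpoint number that is correct, but a one-line comment on the check, `/* wIndex is host-controlled; usb3_ep[] has num_usb3_eps entries */`, would record why the bound is what it is. The rest of the get-status handler is outside the hunk, so I am assuming `stall` is acted on after the switch as for the other recipients.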
+@@ -1740,7 +1744,8 @@ static bool usb3_std_req_feature_endpoin
+ struct renesas_usb3_ep *usb3_ep;
+ struct renesas_usb3_request *usb3_req;
+
+- if (le16_to_cpu(ctrl->wValue) != USB_ENDPOINT_HALT)
++ if ((le16_to_cpu(ctrl->wValue) != USB_ENDPOINT_HALT) ||
++ (num >= usb3->num_usb3_eps))
+ return true; /* stall */
+
+ usb3_ep = usb3_get_ep(usb3, num);
--- /dev/null
+From b84cc80610a8ce036deb987f056ce3196ead7f1e Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Mon, 16 Mar 2026 17:50:42 +0800
+Subject: usb: port: add delay after usb_hub_set_port_power()
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit b84cc80610a8ce036deb987f056ce3196ead7f1e upstream.
+
+When a port is disabled, an attached device will be disconnected. This
+causes a port-status-change event, which will race with hub autosuspend
+(if the disabled port was the only connected port on its hub), causing
+an immediate resume and a second autosuspend. Both of these can be
+avoided by adding a short delay after the call to
+usb_hub_set_port_power().
+
+Below log shows what is happening:
+
+$ echo 1 > usb1-port1/disable
+[ 37.958239] usb 1-1: USB disconnect, device number 2
+[ 37.964101] usb 1-1: unregistering device
+[ 37.970070] hub 1-0:1.0: hub_suspend
+[ 37.971305] hub 1-0:1.0: state 7 ports 1 chg 0000 evt 0002
+[ 37.974412] usb usb1: bus auto-suspend, wakeup 1
+[ 37.988175] usb usb1: suspend raced with wakeup event <---
+[ 37.993947] usb usb1: usb auto-resume
+[ 37.998401] hub 1-0:1.0: hub_resume
+[ 38.105688] usb usb1-port1: status 0000, change 0000, 12 Mb/s
+[ 38.112399] hub 1-0:1.0: state 7 ports 1 chg 0000 evt 0000
+[ 38.118645] hub 1-0:1.0: hub_suspend
+[ 38.122963] usb usb1: bus auto-suspend, wakeup 1
+[ 38.200368] usb usb1: usb wakeup-resume
+[ 38.204982] usb usb1: usb auto-resume
+[ 38.209376] hub 1-0:1.0: hub_resume
+[ 38.213676] usb usb1-port1: status 0101 change 0001
+[ 38.321552] hub 1-0:1.0: state 7 ports 1 chg 0002 evt 0000
+[ 38.327978] usb usb1-port1: status 0101, change 0000, 12 Mb/s
+[ 38.457429] usb 1-1: new high-speed USB device number 3 using ci_hdrc
+
+Then, port change bit will be fixed to the final state and
+usb_clear_port_feature() can correctly clear it after this period. This
+will also avoid usb runtime suspend routine to run because
+usb_autopm_put_interface() not run yet.
+
+Fixes: f061f43d7418 ("usb: hub: port: add sysfs entry to switch port power")
+Cc: stable@kernel.org
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Link: https://patch.msgid.link/20260316095042.1559882-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/port.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/core/port.c
++++ b/drivers/usb/core/port.c
+@@ -111,6 +111,7 @@ static ssize_t disable_store(struct devi
+ usb_disconnect(&port_dev->child);
+
+ rc = usb_hub_set_port_power(hdev, hub, port1, !disabled);
++ msleep(2 * hub_power_on_good_delay(hub));
+
+ if (disabled) {
+ usb_clear_port_feature(hdev, port1, USB_PORT_FEAT_C_CONNECTION);
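Review bot: The new `msleep()` runs unconditionally, including when `usb_hub_set_port_power()` has just failed (rc is only consulted later, outside this hunk) and on the enable path that the commit message does not discuss; guarding it as `if (!rc) msleep(2 * hub_power_on_good_delay(hub));` avoids sleeping for nothing on failure. A one-line comment, `/* let the resulting connect change settle before it is cleared; avoids racing hub autosuspend */`, would also help, since the factor of 2 otherwise looks arbitrary. disable_store() begins outside the hunk, so I could not check which locks are held across the sleep.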
--- /dev/null
+From 609865ab3d5d803556f628e221ecd3d06aed9f30 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20Br=C3=A1t?= <danek.brat@gmail.com>
+Date: Thu, 2 Apr 2026 19:24:33 +0200
+Subject: usb: storage: Expand range of matched versions for VL817 quirks entry
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Brát <danek.brat@gmail.com>
+
+commit 609865ab3d5d803556f628e221ecd3d06aed9f30 upstream.
+
+Expands range of matched bcdDevice values for the VL817 quirk entry.
+This is based on experience with Axagon EE35-GTR rev1 3.5" HDD
+enclosure, which reports its bcdDevice as 0x0843, but presumably other
+vendors using this IC in their products may set it to any other value.
+
+Signed-off-by: Daniel Brát <danek.brat@gmail.com>
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/20260402172433.5227-1-danek.brat@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/unusual_devs.h | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -2350,10 +2350,11 @@ UNUSUAL_DEV( 0x2027, 0xa001, 0x0000, 0x
+ US_FL_SCM_MULT_TARG ),
+
+ /*
+- * Reported by DocMAX <mail@vacharakis.de>
+- * and Thomas Weißschuh <linux@weissschuh.net>
++ * Reported by DocMAX <mail@vacharakis.de>,
++ * Thomas Weißschuh <linux@weissschuh.net>
++ * and Daniel Brát <danek.brat@gmail.com>
+ */
+-UNUSUAL_DEV( 0x2109, 0x0715, 0x9999, 0x9999,
++UNUSUAL_DEV( 0x2109, 0x0715, 0x0000, 0x9999,
+ "VIA Labs, Inc.",
+ "VL817 SATA Bridge",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
--- /dev/null
+From 2ab833a16a825373aad2ba7d54b572b277e95b71 Mon Sep 17 00:00:00 2001
+From: Nathan Rebello <nathan.c.rebello@gmail.com>
+Date: Thu, 2 Apr 2026 04:52:59 -0400
+Subject: usbip: validate number_of_packets in usbip_pack_ret_submit()
+
+From: Nathan Rebello <nathan.c.rebello@gmail.com>
+
+commit 2ab833a16a825373aad2ba7d54b572b277e95b71 upstream.
+
+When a USB/IP client receives a RET_SUBMIT response,
+usbip_pack_ret_submit() unconditionally overwrites
+urb->number_of_packets from the network PDU. This value is
+subsequently used as the loop bound in usbip_recv_iso() and
+usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible
+array whose size was fixed at URB allocation time based on the
+*original* number_of_packets from the CMD_SUBMIT.
+
+A malicious USB/IP server can set number_of_packets in the response
+to a value larger than what was originally submitted, causing a heap
+out-of-bounds write when usbip_recv_iso() writes to
+urb->iso_frame_desc[i] beyond the allocated region.
+
+KASAN confirmed this with kernel 7.0.0-rc5:
+
+ BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640
+ Write of size 4 at addr ffff888106351d40 by task vhci_rx/69
+
+ The buggy address is located 0 bytes to the right of
+ allocated 320-byte region [ffff888106351c00, ffff888106351d40)
+
+The server side (stub_rx.c) and gadget side (vudc_rx.c) already
+validate number_of_packets in the CMD_SUBMIT path since commits
+c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle
+malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden
+CMD_SUBMIT path to handle malicious input"). The server side validates
+against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point.
+On the client side we have the original URB, so we can use the tighter
+bound: the response must not exceed the original number_of_packets.
+
+This mirrors the existing validation of actual_length against
+transfer_buffer_length in usbip_recv_xbuff(), which checks the
+response value against the original allocation size.
+
+Kelvin Mbogo's series ("usb: usbip: fix integer overflow in
+usbip_recv_iso()", v2) hardens the receive-side functions themselves;
+this patch complements that work by catching the bad value at its
+source -- in usbip_pack_ret_submit() before the overwrite -- and
+using the tighter per-URB allocation bound rather than the global
+USBIP_MAX_ISO_PACKETS limit.
+
+Fix this by checking rpdu->number_of_packets against
+urb->number_of_packets in usbip_pack_ret_submit() before the
+overwrite. On violation, clamp to zero so that usbip_recv_iso() and
+usbip_pad_iso() safely return early.
+
+Fixes: 1325f85fa49f ("staging: usbip: bugfix add number of packets for isochronous frames")
+Cc: stable <stable@kernel.org>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Nathan Rebello <nathan.c.rebello@gmail.com>
+Link: https://patch.msgid.link/20260402085259.234-1-nathan.c.rebello@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/usbip_common.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/usb/usbip/usbip_common.c
++++ b/drivers/usb/usbip/usbip_common.c
+@@ -469,6 +469,18 @@ static void usbip_pack_ret_submit(struct
+ urb->status = rpdu->status;
+ urb->actual_length = rpdu->actual_length;
+ urb->start_frame = rpdu->start_frame;
++ /*
++ * The number_of_packets field determines the length of
++ * iso_frame_desc[], which is a flexible array allocated
++ * at URB creation time. A response must never claim more
++ * packets than originally submitted; doing so would cause
++ * an out-of-bounds write in usbip_recv_iso() and
++ * usbip_pad_iso(). Clamp to zero on violation so both
++ * functions safely return early.
++ */
++ if (rpdu->number_of_packets < 0 ||
++ rpdu->number_of_packets > urb->number_of_packets)
++ rpdu->number_of_packets = 0;
+ urb->number_of_packets = rpdu->number_of_packets;
+ urb->error_count = rpdu->error_count;
+ }
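Review bot: A response that fails the new check is silently clamped to zero packets, whereas the actual_length check the commit message cites as its model in usbip_recv_xbuff() reports the violation (as far as I recall, via dev_err and a usbip event); a malformed RET_SUBMIT from the server is exactly the event a client operator wants in the log, so at least `dev_err(&urb->dev->dev, "number_of_packets %d > %d\n", rpdu->number_of_packets, urb->number_of_packets);` before the clamp would make the condition observable, assuming urb->dev is populated at this point (not visible in the hunk). Whether it should also raise an error event like the xbuff path is a maintainer call, but it should be a deliberate one. The comment block is good; it could add that the `< 0` half exists because the PDU field is signed, so a negative value cannot slip past the upper-bound comparison. usbip_pack_ret_submit() starts outside the hunk.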