--- /dev/null
+From 542f5248cb481073203e0dadab5bcbd28aeae308 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 22 Apr 2026 17:21:19 +0100
+Subject: comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest()
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 542f5248cb481073203e0dadab5bcbd28aeae308 upstream.
+
+Commit 783ddaebd397 ("staging: comedi: comedi_test: support
+scan_begin_src == TRIG_FOLLOW") neglected to add a test that
+`scan_begin_src` has only one bit set. The allowed values are
+`TRIG_FOLLOW` and `TRIG_TIMER`, but the code incorrectly also allows
+`TRIG_FOLLOW | TRIG_TIMER`. Add a call to
+`comedi_check_trigger_is_unique()` to check that only one trigger source
+bit is set.
+
+Fixes: 783ddaebd397 ("staging: comedi: comedi_test: support scan_begin_src == TRIG_FOLLOW")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20260422162138.36003-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/comedi_test.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/comedi/drivers/comedi_test.c
++++ b/drivers/staging/comedi/drivers/comedi_test.c
+@@ -273,6 +273,7 @@ static int waveform_ai_cmdtest(struct co
+ /* Step 2a : make sure trigger sources are unique */
+
+ err |= comedi_check_trigger_is_unique(cmd->convert_src);
++ err |= comedi_check_trigger_is_unique(cmd->scan_begin_src);
+ err |= comedi_check_trigger_is_unique(cmd->stop_src);
+
+ /* Step 2b : and mutually compatible */
--- /dev/null
+From 8a3bee801d420be8a7a0bae4a26547b353b8fe22 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 22 Apr 2026 15:46:37 +0100
+Subject: comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest()
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 8a3bee801d420be8a7a0bae4a26547b353b8fe22 upstream.
+
+The function checks and possibly modifies the description of an
+asynchronous command to be run on the analog input subdevice of a comedi
+device attached to the "comedi_test" driver, returning 0 if no
+modifications were required, or a positive value that indicates which
+step of the checking process it failed on. Step 4 fixes up various
+argument values for various trigger sources.
+
+There are two bugs in the fixing up of the `convert_arg` value to keep
+the `scan_begin_arg` value within the range of `unsigned int` when
+`scan_begin_src` and `convert_src` both have the value `TRIG_TIMER`,
+which indicates that the corresponding `_arg` values hold a time period
+in nanoseconds. The code also uses `scan_end_arg` which hold the number
+of "conversions" within each "scan". The goal is to end up with the
+scan period being less than or equal to the convert period multiplied by
+the number of conversions per scan. It intends to do that by clamping
+the `convert_arg` value to a maximum value of `UINT_MAX / scan_end_arg`
+rounded down to a multiple of 1000 (`NSEC_PER_USEC`).
+
+(The rounding from nanoseconds to microseconds is because the driver is
+modelling a device that uses a 1 MHz clock for timing. This is partly
+because that is a more typical timing base for real hardware devices
+driven by comedi, and partly because the driver used to use `struct
+timeval` internally.)
+
+The first bug is that the code checks if `scan_begin_arg == TRIG_TIMER`
+when it should be checking if `scan_begin_src == TRIG_TIMER`. The
+bugged check will always fail because if `scan_begin_src == TRIG_TIMER`,
+then `scan_begin_arg` will be at least 1000 (`NSEC_PER_USEC`), otherwise
+`scan_begin_src == TRIG_FOLLOW` and `scan_begin_arg` will be 0. (N.B
+`TRIG_TIMER` is defined as `0x10`.) The second bug is that is rounding
+the maximum value down to a multiple of 1000000000 (`NSEC_PER_SEC`)
+instead of 1000 (`NSEC_PER_USEC`), however this bug is not reached due
+to the first bug. This patch fixes both bugs.
+
+Fixes: 783ddaebd397 ("staging: comedi: comedi_test: support scan_begin_src == TRIG_FOLLOW")
+Fixes: 5afdcad2f818 ("staging: comedi: comedi_test: limit maximum convert_arg")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20260422144637.27692-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/comedi_test.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/comedi_test.c
++++ b/drivers/staging/comedi/drivers/comedi_test.c
+@@ -324,10 +324,10 @@ static int waveform_ai_cmdtest(struct co
+ arg = min(arg,
+ rounddown(UINT_MAX, (unsigned int)NSEC_PER_USEC));
+ arg = NSEC_PER_USEC * DIV_ROUND_CLOSEST(arg, NSEC_PER_USEC);
+- if (cmd->scan_begin_arg == TRIG_TIMER) {
++ if (cmd->scan_begin_src == TRIG_TIMER) {
+ /* limit convert_arg to keep scan_begin_arg in range */
+ limit = UINT_MAX / cmd->scan_end_arg;
+- limit = rounddown(limit, (unsigned int)NSEC_PER_SEC);
++ limit = rounddown(limit, (unsigned int)NSEC_PER_USEC);
+ arg = min(arg, limit);
+ }
+ err |= comedi_check_trigger_arg_is(&cmd->convert_arg, arg);
--- /dev/null
+From baa0210fb6a9dc3882509a9411b6d284d88fe30e Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 4 May 2026 11:54:45 -0700
+Subject: Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit baa0210fb6a9dc3882509a9411b6d284d88fe30e upstream.
+
+When a configuration file provides an object size that is larger than the
+driver's known mxt_obj_size(object), the driver intends to discard the
+extra bytes.
+
+The loop iterates using for (i = 0; i < size; i++). Inside the loop, the
+condition to skip processing extra bytes is:
+
+ if (i > mxt_obj_size(object))
+ continue;
+
+Since i is a 0-based index, the valid indices for the object are 0 through
+mxt_obj_size(object) - 1.
+
+When i == mxt_obj_size(object), the condition evaluates to false, and the
+code processes the byte instead of discarding it.
+
+This causes the code to calculate byte_offset = reg + i - cfg->start_ofs
+and writes the byte there, overwriting exactly one byte of the adjacent
+instance or object.
+
+Update the boundary check to skip extra bytes correctly by using >=.
+
+Fixes: 50a77c658b80 ("Input: atmel_mxt_ts - download device config using firmware loader")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Link: https://patch.msgid.link/20260504185448.4055973-1-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/atmel_mxt_ts.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/atmel_mxt_ts.c
++++ b/drivers/input/touchscreen/atmel_mxt_ts.c
+@@ -1400,7 +1400,7 @@ static int mxt_prepare_cfg_mem(struct mx
+ }
+ cfg->raw_pos += offset;
+
+- if (i > mxt_obj_size(object))
++ if (i >= mxt_obj_size(object))
+ continue;
+
+ byte_offset = reg + i - cfg->start_ofs;
--- /dev/null
+From 16ca52bc209fa4bf9239cd9e5643e95533476b58 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nicol=C3=A1s=20Bazaes?= <contacto@bazaes.cl>
+Date: Wed, 13 May 2026 21:35:49 -0400
+Subject: Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nicolás Bazaes <contacto@bazaes.cl>
+
+commit 16ca52bc209fa4bf9239cd9e5643e95533476b58 upstream.
+
+The Lenovo ThinkPad E490 (PNP ID: LEN2058) has a Synaptics TM3471-020
+touchpad that supports SMBus/RMI4 mode but is not listed in
+smbus_pnp_ids[]. Without this entry, RMI4 over SMBus is not enabled
+by default, and the touchpad falls back to PS/2 mode.
+
+Adding LEN2058 to the passlist enables automatic RMI4 detection without
+requiring the psmouse.synaptics_intertouch parameter, and matches
+the behavior of similar ThinkPad models already in the list
+(E480/LEN2054, E580/LEN2055).
+
+Tested on ThinkPad E490 with kernel 7.0.5-zen1 and Arch Linux.
+RMI4 over SMBus is confirmed working without any kernel parameters.
+
+Signed-off-by: Nicolás Bazaes <contacto@bazaes.cl>
+Assisted-by: Claude:claude-sonnet-4-6
+Link: https://patch.msgid.link/20260514013552.14234-1-contacto@bazaes.cl
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/mouse/synaptics.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -187,6 +187,7 @@ static const char * const smbus_pnp_ids[
+ "LEN2044", /* L470 */
+ "LEN2054", /* E480 */
+ "LEN2055", /* E580 */
++ "LEN2058", /* E490 */
+ "LEN2068", /* T14 Gen 1 */
+ "SYN1221", /* TUXEDO InfinityBook Pro 14 v5 */
+ "SYN3003", /* HP EliteBook 850 G1 */
--- /dev/null
+From 9eed1bd59937e6828b00d2f2dfef631d964f3636 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Mon, 18 May 2026 10:43:07 -0400
+Subject: scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 9eed1bd59937e6828b00d2f2dfef631d964f3636 upstream.
+
+drivers/scsi/fcoe/fcoe_ctlr.c::fcoe_ctlr_recv_clr_vlink() advanced the
+descriptor cursor by an attacker-supplied fip_dlen without ever
+requiring dlen >= sizeof(struct fip_desc) in the default branch. The
+named descriptor cases (FIP_DT_MAC, FIP_DT_NAME, FIP_DT_VN_ID) checked
+their per-type minimum lengths, but a FIP_DT_NON_CRITICAL descriptor
+(fip_dtype >= 128, which the standard requires receivers to silently
+ignore) skipped that check entirely.
+
+An unauthenticated L2 peer on the FCoE control VLAN could hang
+fcoe_ctlr_recv_work on an fcoe, qedf, or bnx2fc initiator indefinitely
+by emitting one FIP CVL frame whose single descriptor had fip_dtype ==
+FIP_DT_NON_CRITICAL and fip_dlen == 0: the cursor advanced zero bytes
+per iteration and the loop condition rlen >= sizeof(*desc) stayed true
+forever, blocking every subsequent FIP frame on that controller.
+
+Tighten the outer dlen guard to also reject dlen < sizeof(struct
+fip_desc), so a malformed descriptor whose length cannot even cover the
+descriptor header is rejected before the switch. This is the same
+lower-bound the named cases already apply and is the minimum scope that
+closes the loop.
+
+Fixes: 97c8389d54b9 ("[SCSI] fcoe, libfcoe: Add support for FIP. FCoE discovery and keep-alive.")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Reviewed-by: Hannes Reinecke <hare@kernel.org>
+Link: https://patch.msgid.link/20260518144307.2820961-1-michael.bommarito@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/fcoe/fcoe_ctlr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/fcoe/fcoe_ctlr.c
++++ b/drivers/scsi/fcoe/fcoe_ctlr.c
+@@ -1391,7 +1391,7 @@ static void fcoe_ctlr_recv_clr_vlink(str
+
+ while (rlen >= sizeof(*desc)) {
+ dlen = desc->fip_dlen * FIP_BPW;
+- if (dlen > rlen)
++ if (dlen < sizeof(*desc) || dlen > rlen)
+ goto err;
+ /* Drop CVL if there are duplicate critical descriptors */
+ if ((desc->fip_dtype < 32) &&
--- /dev/null
+From ca904f4b42355287bc5ce8b7550ebe909cda4c2c Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Wed, 6 May 2026 23:42:31 +0100
+Subject: serial: dz: Fix bootconsole message clobbering at chip reset
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit ca904f4b42355287bc5ce8b7550ebe909cda4c2c upstream.
+
+In the DZ interface as implemented by the DC7085 gate array the serial
+transmitters are double buffered, meaning that at the time a transmitter
+is ready to accept the next character there is one in the transmit shift
+register still being sent to the line. Issuing a master clear at this
+time causes this character to be lost, so wait an extra amount of time
+sufficient for the transmit shift register to drain at 9600bps, which is
+the baud rate setting used by the firmware console.
+
+Mind the specified 1.4us TRDY recovery time in the course and continue
+using iob() as the completion barrier, since the platforms involved use
+a write buffer that can delay and combine writes, and reorder them with
+respect to reads regardless of the MMIO locations accessed and we still
+lack a platform-independent handler for that.
+
+When called from dz_serial_console_init() this is too early for fsleep()
+to work and even before lpj has been calculated and therefore the delay
+is actually not sufficient for the transmitter to drain and is merely a
+placeholder now. This will be addressed in a follow-up change.
+
+Fixes: e6ee512f5a77 ("dz.c: Resource management")
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Cc: stable@vger.kernel.org # v2.6.25+
+Link: https://patch.msgid.link/alpine.DEB.2.21.2605062259080.46195@angie.orcam.me.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/dz.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/drivers/tty/serial/dz.c
++++ b/drivers/tty/serial/dz.c
+@@ -544,10 +544,31 @@ static int dz_encode_baud_rate(unsigned
+ static void dz_reset(struct dz_port *dport)
+ {
+ struct dz_mux *mux = dport->mux;
++ unsigned short tcr;
++ int loops = 10000;
+
+ if (mux->initialised)
+ return;
+
++ tcr = dz_in(dport, DZ_TCR);
++
++ /* Do not disturb any ongoing transmissions. */
++ if (dz_in(dport, DZ_CSR) & DZ_MSE) {
++ unsigned short csr, mask;
++
++ mask = tcr;
++ while ((mask & DZ_LNENB) && loops--) {
++ csr = dz_in(dport, DZ_CSR);
++ if (!(csr & DZ_TRDY))
++ continue;
++ mask &= ~(1 << ((csr & DZ_TLINE) >> 8));
++ dz_out(dport, DZ_TCR, mask);
++ iob();
++ udelay(2); /* 1.4us TRDY recovery. */
++ }
++ udelay(1200); /* Transmitter drain. */
++ }
++
+ dz_out(dport, DZ_CSR, DZ_CLR);
+ while (dz_in(dport, DZ_CSR) & DZ_CLR);
+ iob();
--- /dev/null
+From 9a9254c4a2a3ca2b3da16d173f3b0dd01f397ff6 Mon Sep 17 00:00:00 2001
+From: Shitalkumar Gandhi <shital.gandhi45@gmail.com>
+Date: Mon, 20 Apr 2026 19:29:03 +0530
+Subject: serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma
+
+From: Shitalkumar Gandhi <shital.gandhi45@gmail.com>
+
+commit 9a9254c4a2a3ca2b3da16d173f3b0dd01f397ff6 upstream.
+
+lpuart_start_rx_dma() allocates sport->rx_ring.buf with kzalloc() and
+then maps a scatterlist via dma_map_sg(). On three subsequent error
+paths the function returns directly without releasing those resources:
+
+ - when dma_map_sg() returns 0 (-EINVAL):
+ ring->buf is leaked.
+ - when dmaengine_slave_config() fails:
+ ring->buf and the DMA mapping are leaked.
+ - when dmaengine_prep_dma_cyclic() returns NULL:
+ ring->buf and the DMA mapping are leaked.
+
+The sole cleanup path, lpuart_dma_rx_free(), is only reached when
+lpuart_dma_rx_use is set, and the caller lpuart_rx_dma_startup() clears
+that flag on failure of lpuart_start_rx_dma(). So these resources are
+permanently leaked on every failure in this function. Repeated port
+open/close or termios changes under error conditions will slowly consume
+memory and leave stale streaming DMA mappings behind.
+
+Fix it by introducing two error labels that unmap the scatterlist and
+free the ring buffer as appropriate. While here, replace the misleading
+-EFAULT (bad userspace pointer) returned when dmaengine_prep_dma_cyclic()
+fails with the more accurate -ENOMEM, matching how other dmaengine users
+in the tree treat this failure.
+
+No functional change on the success path.
+
+Fixes: 5887ad43ee02 ("tty: serial: fsl_lpuart: Use cyclic DMA for Rx")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Shitalkumar Gandhi <shitalkumar.gandhi@cambiumnetworks.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://patch.msgid.link/20260420135903.2062024-1-shitalkumar.gandhi@cambiumnetworks.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/fsl_lpuart.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -1234,7 +1234,8 @@ static inline int lpuart_start_rx_dma(st
+
+ if (!nent) {
+ dev_err(sport->port.dev, "DMA Rx mapping error\n");
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_free_buf;
+ }
+
+ dma_rx_sconfig.src_addr = lpuart_dma_datareg_addr(sport);
+@@ -1246,7 +1247,7 @@ static inline int lpuart_start_rx_dma(st
+ if (ret < 0) {
+ dev_err(sport->port.dev,
+ "DMA Rx slave config failed, err = %d\n", ret);
+- return ret;
++ goto err_unmap_sg;
+ }
+
+ sport->dma_rx_desc = dmaengine_prep_dma_cyclic(chan,
+@@ -1257,7 +1258,8 @@ static inline int lpuart_start_rx_dma(st
+ DMA_PREP_INTERRUPT);
+ if (!sport->dma_rx_desc) {
+ dev_err(sport->port.dev, "Cannot prepare cyclic DMA\n");
+- return -EFAULT;
++ ret = -ENOMEM;
++ goto err_unmap_sg;
+ }
+
+ sport->dma_rx_desc->callback = lpuart_dma_rx_complete;
+@@ -1275,6 +1277,13 @@ static inline int lpuart_start_rx_dma(st
+ }
+
+ return 0;
++
++err_unmap_sg:
++ dma_unmap_sg(chan->device->dev, &sport->rx_sgl, 1, DMA_FROM_DEVICE);
++err_free_buf:
++ kfree(ring->buf);
++ ring->buf = NULL;
++ return ret;
+ }
+
+ static void lpuart_dma_rx_free(struct uart_port *port)
--- /dev/null
+From 92b1ea22454b08a39baef3a7290fb3ec50366616 Mon Sep 17 00:00:00 2001
+From: Hongling Zeng <zenghongling@kylinos.cn>
+Date: Tue, 21 Apr 2026 14:57:37 +0800
+Subject: serial: sh-sci: fix memory region release in error path
+
+From: Hongling Zeng <zenghongling@kylinos.cn>
+
+commit 92b1ea22454b08a39baef3a7290fb3ec50366616 upstream.
+
+The sci_request_port() function uses request_mem_region() to reserve
+I/O memory, but in the error path when sci_remap_port() fails, it
+incorrectly calls release_resource() instead of release_mem_region().
+
+This mismatch can cause resource accounting issues. Fix it by using
+the correct release function, consistent with sci_release_port().
+
+Fixes: e2651647080930a1 ("serial: sh-sci: Handle port memory region reservations.")
+Cc: stable <stable@kernel.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <error27@gmail.com>
+Closes: https://lore.kernel.org/r/202604032356.SzEjYkBC-lkp@intel.com/
+Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/20260421065737.724187-1-zenghongling@kylinos.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/sh-sci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -2781,7 +2781,7 @@ static int sci_request_port(struct uart_
+
+ ret = sci_remap_port(port);
+ if (unlikely(ret != 0)) {
+- release_resource(res);
++ release_mem_region(port->mapbase, sport->reg_size);
+ return ret;
+ }
+
--- /dev/null
+From 6c05cf72e13314ce9b770b5951695dc5a2152920 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Wed, 6 May 2026 23:42:39 +0100
+Subject: serial: zs: Fix bootconsole handover lockup
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit 6c05cf72e13314ce9b770b5951695dc5a2152920 upstream.
+
+Calling zs_reset() in the course of setting up the serial device causes
+line parameters to be reset and the transmitter disabled. We've been
+lucky in that no message is usually produced to the kernel log between
+this call and the later call to uart_set_options() in the course of
+console setup done by zs_serial_console_init(), or the system would hang
+as the console output handler in the firmware tried to access a port the
+transmitter of which has been disabled and line parameters messed up.
+
+This will change with the next change to the driver, so fix zs_reset()
+such that line parameters are set for 9600n8 console operation as with
+the system firmware and the transmitter re-enabled after reset. This
+also means zs_pm() serves no purpose anymore, so drop it.
+
+Fixes: 8b4a40809e53 ("zs: move to the serial subsystem")
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Cc: stable@vger.kernel.org # v2.6.23+
+Link: https://patch.msgid.link/alpine.DEB.2.21.2605062308040.46195@angie.orcam.me.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/zs.c | 29 ++++++++---------------------
+ 1 file changed, 8 insertions(+), 21 deletions(-)
+
+--- a/drivers/tty/serial/zs.c
++++ b/drivers/tty/serial/zs.c
+@@ -105,18 +105,24 @@ struct zs_parms {
+
+ static struct zs_scc zs_sccs[ZS_NUM_SCCS];
+
++/*
++ * Set parameters in WR5, WR12, WR13 such as not to interfere
++ * with the initial PROM-based console. Otherwise any output
++ * produced before the console handover would cause the system
++ * firmware to hang (TxENAB) or produce rubbish (Tx8, B9600).
++ */
+ static u8 zs_init_regs[ZS_NUM_REGS] __initdata = {
+ 0, /* write 0 */
+ PAR_SPEC, /* write 1 */
+ 0, /* write 2 */
+ 0, /* write 3 */
+ X16CLK | SB1, /* write 4 */
+- 0, /* write 5 */
++ Tx8 | TxENAB, /* write 5 */
+ 0, 0, 0, /* write 6, 7, 8 */
+ MIE | DLC | NV, /* write 9 */
+ NRZ, /* write 10 */
+ TCBR | RCBR, /* write 11 */
+- 0, 0, /* BRG time constant, write 12 + 13 */
++ 0x16, 0x00, /* BRG time constant, write 12 + 13 */
+ BRSRC | BRENABL, /* write 14 */
+ 0, /* write 15 */
+ };
+@@ -955,23 +961,6 @@ static void zs_set_termios(struct uart_p
+ spin_unlock_irqrestore(&scc->zlock, flags);
+ }
+
+-/*
+- * Hack alert!
+- * Required solely so that the initial PROM-based console
+- * works undisturbed in parallel with this one.
+- */
+-static void zs_pm(struct uart_port *uport, unsigned int state,
+- unsigned int oldstate)
+-{
+- struct zs_port *zport = to_zport(uport);
+-
+- if (state < 3)
+- zport->regs[5] |= TxENAB;
+- else
+- zport->regs[5] &= ~TxENAB;
+- write_zsreg(zport, R5, zport->regs[5]);
+-}
+-
+
+ static const char *zs_type(struct uart_port *uport)
+ {
+@@ -1054,7 +1043,6 @@ static const struct uart_ops zs_ops = {
+ .startup = zs_startup,
+ .shutdown = zs_shutdown,
+ .set_termios = zs_set_termios,
+- .pm = zs_pm,
+ .type = zs_type,
+ .release_port = zs_release_port,
+ .request_port = zs_request_port,
+@@ -1209,7 +1197,6 @@ static int __init zs_console_setup(struc
+ return ret;
+
+ zs_reset(zport);
+- zs_pm(uport, 0, -1);
+
+ if (options)
+ uart_parse_options(options, &baud, &parity, &bits, &flow);
--- /dev/null
+From d15cd40cb1858f75846eaafa9a6bca841b790a92 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Fri, 10 Apr 2026 18:19:31 +0100
+Subject: serial: zs: Fix swapped RI/DSR modem line transition counting
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit d15cd40cb1858f75846eaafa9a6bca841b790a92 upstream.
+
+Fix a thinko in the status interrupt handler that has caused counters
+for the RI and DSR modem line transitions to be used for the other line
+each.
+
+Fixes: 8b4a40809e53 ("zs: move to the serial subsystem")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Link: https://patch.msgid.link/alpine.DEB.2.21.2604101747110.29980@angie.orcam.me.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/zs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/zs.c
++++ b/drivers/tty/serial/zs.c
+@@ -679,9 +679,9 @@ static void zs_status_handle(struct zs_p
+ uart_handle_dcd_change(uport,
+ zport->mctrl & TIOCM_CAR);
+ if (delta & TIOCM_RNG)
+- uport->icount.dsr++;
+- if (delta & TIOCM_DSR)
+ uport->icount.rng++;
++ if (delta & TIOCM_DSR)
++ uport->icount.dsr++;
+
+ if (delta)
+ wake_up_interruptible(&uport->state->port.delta_msr_wait);
--- /dev/null
+From 8572955630f30948837088aa98bcbe0532d1ceac Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Wed, 6 May 2026 23:42:43 +0100
+Subject: serial: zs: Switch to using channel reset
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit 8572955630f30948837088aa98bcbe0532d1ceac upstream.
+
+Switch the driver to using the channel reset rather than hardware reset,
+simplifying handling by removing an interference between channels that
+causes the other channel to become uninitialised afterwards.
+
+There is little difference between the two kinds of reset in terms of
+register settings that result, and we initialise the whole register set
+right away anyway. However this prevents a hang from happening should
+the console output handler in the firmware try to access the other port
+whose transmitter has been disabled and line parameters messed up.
+
+For example this will happen if the keyboard port (port A) is chosen for
+the system console, unusually but not insanely for a headless system, as
+the port is wired to a standard DA-15 connector and an adapter can be
+easily made. Or with the next change in place this would happen for the
+regular console port (port B), since the keyboard port (port A) will be
+initialised first.
+
+Just remove the unnecessary complication then, a channel reset is good
+enough. We still need the initialisation marker, now per channel rather
+than per SCC, as for the console port zs_reset() will be called twice:
+once early on via zs_serial_console_init() for the console setup only,
+and then again via zs_config_port() as the port is associated with a TTY
+device.
+
+Fixes: 8b4a40809e53 ("zs: move to the serial subsystem")
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Cc: stable@vger.kernel.org # v2.6.23+
+Link: https://patch.msgid.link/alpine.DEB.2.21.2605062323430.46195@angie.orcam.me.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/zs.c | 7 ++++---
+ drivers/tty/serial/zs.h | 2 +-
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/serial/zs.c
++++ b/drivers/tty/serial/zs.c
+@@ -831,21 +831,22 @@ static void zs_shutdown(struct uart_port
+
+ static void zs_reset(struct zs_port *zport)
+ {
++ struct zs_port *zport_a = &zport->scc->zport[ZS_CHAN_A];
+ struct zs_scc *scc = zport->scc;
+ int irq;
+ unsigned long flags;
+
+ spin_lock_irqsave(&scc->zlock, flags);
+ irq = !irqs_disabled_flags(flags);
+- if (!scc->initialised) {
++ if (!zport->initialised) {
+ /* Reset the pointer first, just in case... */
+ read_zsreg(zport, R0);
+ /* And let the current transmission finish. */
+ zs_line_drain(zport, irq);
+- write_zsreg(zport, R9, FHWRES);
++ write_zsreg(zport, R9, zport == zport_a ? CHRA : CHRB);
+ udelay(10);
+ write_zsreg(zport, R9, 0);
+- scc->initialised = 1;
++ zport->initialised = 1;
+ }
+ load_zsregs(zport, zport->regs, irq);
+ spin_unlock_irqrestore(&scc->zlock, flags);
+--- a/drivers/tty/serial/zs.h
++++ b/drivers/tty/serial/zs.h
+@@ -22,6 +22,7 @@
+ struct zs_port {
+ struct zs_scc *scc; /* Containing SCC. */
+ struct uart_port port; /* Underlying UART. */
++ int initialised; /* For the console port. */
+
+ int clk_mode; /* May be 1, 16, 32, or 64. */
+
+@@ -41,7 +42,6 @@ struct zs_scc {
+ struct zs_port zport[2];
+ spinlock_t zlock;
+ atomic_t irq_guard;
+- int initialised;
+ };
+
+ #endif /* __KERNEL__ */
asoc-qcom-q6asm-dai-close-stream-only-when-running.patch
asoc-qcom-q6asm-dai-do-not-set-stream-state-in-event-and-trigger-callbacks.patch
xfrm-esp-restore-combined-single-frag-length-gate.patch
+input-atmel_mxt_ts-fix-boundary-check-in-mxt_prepare_cfg_mem.patch
+input-synaptics-add-len2058-to-smbus-passlist-for-thinkpad-e490.patch
+comedi-comedi_test-fix-check-for-valid-scan_begin_src-in-waveform_ai_cmdtest.patch
+comedi-comedi_test-fix-limiting-of-convert_arg-in-waveform_ai_cmdtest.patch
+tty-serial-pch_uart-add-check-for-dma_alloc_coherent.patch
+usb-chipidea-core-convert-ci_role_switch-to-local-variable.patch
+usb-core-fix-up-interrupt-in-endpoints-with-bogus-wbytesperinterval.patch
+usb-quirks-add-no_lpm-for-lenovo-thinkpad-usb-c-dock-gen2-hub-controllers.patch
+usb-storage-add-quirks-for-pny-elite-portable-ssd.patch
+usbip-vudc-fix-use-after-free-bug-in-vudc_remove-due-to-race-condition.patch
+usb-usbtmc-check-urb-actual_length-for-interrupt-in-notifications.patch
+usb-usbtmc-reject-interrupt-endpoints-with-small-wmaxpacketsize.patch
+usb-typec-ucsi-don-t-update-power_supply-on-power-role-change-if-not-connected.patch
+usb-serial-option-add-meig-srm813q.patch
+usb-serial-option-add-missing-rsvd-5-flag-for-rolling-rw135r-gl.patch
+usb-serial-belkin_sa-validate-interrupt-status-length.patch
+usb-serial-cypress_m8-validate-interrupt-packet-headers.patch
+usb-serial-keyspan-fix-missing-indat-transfer-sanity-check.patch
+usb-serial-mxuport-fix-memory-corruption-with-small-endpoint.patch
+usb-serial-mct_u232-fix-missing-interrupt-in-transfer-sanity-check.patch
+usb-gadget-net2280-fix-double-free-in-probe-error-path.patch
+usb-gadget-dummy_hcd-reject-hub-port-requests-for-non-existent-ports.patch
+thunderbolt-property-reject-u32-wrap-in-tb_property_entry_valid.patch
+thunderbolt-property-reject-dir_len-4-to-prevent-size_t-underflow.patch
+scsi-fcoe-reject-fip-descriptors-with-zero-fip_dlen-in-cvl-walker.patch
+serial-sh-sci-fix-memory-region-release-in-error-path.patch
+serial-zs-fix-swapped-ri-dsr-modem-line-transition-counting.patch
+serial-fsl_lpuart-fix-rx-buffer-and-dma-map-leaks-in-start_rx_dma.patch
+serial-dz-fix-bootconsole-message-clobbering-at-chip-reset.patch
+serial-zs-fix-bootconsole-handover-lockup.patch
+serial-zs-switch-to-using-channel-reset.patch
--- /dev/null
+From de21b59c29e31c5108ddc04210631bbfab81b997 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Sun, 10 May 2026 19:16:57 -0400
+Subject: thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit de21b59c29e31c5108ddc04210631bbfab81b997 upstream.
+
+On the non-root path, __tb_property_parse_dir() takes dir_len from
+entry->length (u16 widened to size_t). Two distinct OOB conditions
+follow when entry->length < 4:
+
+1. The non-root path begins with kmemdup(&block[dir_offset],
+ sizeof(*dir->uuid), ...) which always reads 4 dwords from
+ dir_offset. tb_property_entry_valid() only enforces
+ dir_offset + entry->length <= block_len, so a crafted entry
+ with dir_offset close to the end of the property block and
+ entry->length in 0..3 passes that gate but lets the UUID copy
+ run off the block (e.g. dir_offset = 497, dir_len = 3 in a
+ 500-dword block reads block[497..501]).
+
+2. After the kmemdup, content_len = dir_len - 4 underflows size_t
+ to ~SIZE_MAX, nentries becomes SIZE_MAX / 4, and the entry
+ walk runs OOB on each iteration until an entry fails
+ validation or the kernel oopses on an unmapped page.
+
+Reject dir_len < 4 on the non-root path *before* the UUID kmemdup,
+which closes both holes.
+
+Also move INIT_LIST_HEAD(&dir->properties) up to immediately after
+the dir allocation so the new error-return path (and the existing
+uuid-alloc failure path) calling tb_property_free_dir() sees a
+walkable list rather than the zero-initialized NULL next/prev that
+list_for_each_entry_safe() would oops on.
+
+Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-6
+Assisted-by: Codex:gpt-5-4
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thunderbolt/property.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/thunderbolt/property.c
++++ b/drivers/thunderbolt/property.c
+@@ -174,10 +174,16 @@ static struct tb_property_dir *__tb_prop
+ if (!dir)
+ return NULL;
+
++ INIT_LIST_HEAD(&dir->properties);
++
+ if (is_root) {
+ content_offset = dir_offset + 2;
+ content_len = dir_len;
+ } else {
++ if (dir_len < 4) {
++ tb_property_free_dir(dir);
++ return NULL;
++ }
+ dir->uuid = kmemdup(&block[dir_offset], sizeof(*dir->uuid),
+ GFP_KERNEL);
+ if (!dir->uuid) {
+@@ -191,8 +197,6 @@ static struct tb_property_dir *__tb_prop
+ entries = (const struct tb_property_entry *)&block[content_offset];
+ nentries = content_len / (sizeof(*entries) / 4);
+
+- INIT_LIST_HEAD(&dir->properties);
+-
+ for (i = 0; i < nentries; i++) {
+ struct tb_property *property;
+
--- /dev/null
+From 01deda0152066c6c955f0619114ea6afa070aaec Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Sun, 10 May 2026 19:16:56 -0400
+Subject: thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 01deda0152066c6c955f0619114ea6afa070aaec upstream.
+
+entry->value is u32 and entry->length is u16; the sum is performed in
+u32 and wraps. A malicious XDomain peer can pick
+value = 0xffffff00, length = 0x100 so the sum 0x100000000 wraps to 0
+and passes the > block_len check. tb_property_parse() then passes
+entry->value to parse_dwdata() as a dword offset into the property
+block, reading attacker-directed memory far past the allocation.
+
+For TEXT-typed entries with the "deviceid" or "vendorid" keys this
+lands in xd->device_name / xd->vendor_name and is readable back via
+the per-XDomain device_name / vendor_name sysfs attributes; the leak
+is NUL-bounded (kstrdup() stops at the first zero byte) and
+untargeted (the attacker picks a delta, not an absolute address).
+DATA-typed entries are parsed into property->value.data but not
+generically surfaced to userspace.
+
+Use check_add_overflow() so a wrapped sum is rejected.
+
+Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-6
+Assisted-by: Codex:gpt-5-4
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thunderbolt/property.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/thunderbolt/property.c
++++ b/drivers/thunderbolt/property.c
+@@ -8,6 +8,7 @@
+ */
+
+ #include <linux/err.h>
++#include <linux/overflow.h>
+ #include <linux/slab.h>
+ #include <linux/string.h>
+ #include <linux/uuid.h>
+@@ -52,13 +53,16 @@ static inline void format_dwdata(void *d
+ static bool tb_property_entry_valid(const struct tb_property_entry *entry,
+ size_t block_len)
+ {
++ u32 end;
++
+ switch (entry->type) {
+ case TB_PROPERTY_TYPE_DIRECTORY:
+ case TB_PROPERTY_TYPE_DATA:
+ case TB_PROPERTY_TYPE_TEXT:
+ if (entry->length > block_len)
+ return false;
+- if (entry->value + entry->length > block_len)
++ if (check_add_overflow(entry->value, entry->length, &end) ||
++ end > block_len)
+ return false;
+ break;
+
--- /dev/null
+From 6fe472c1bbbe238e91141f7cabc1226e96a60d43 Mon Sep 17 00:00:00 2001
+From: Zhaoyang Yu <2426767509@qq.com>
+Date: Thu, 9 Apr 2026 13:41:58 +0800
+Subject: tty: serial: pch_uart: add check for dma_alloc_coherent()
+
+From: Zhaoyang Yu <2426767509@qq.com>
+
+commit 6fe472c1bbbe238e91141f7cabc1226e96a60d43 upstream.
+
+Add a check for dma_alloc_coherent() failure to prevent a potential
+NULL pointer dereference in dma_handle_rx(). Properly release DMA
+channels and the PCI device reference using a goto ladder if the
+allocation fails.
+
+Fixes: 3c6a483275f4 ("Serial: EG20T: add PCH_UART driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Zhaoyang Yu <2426767509@qq.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://patch.msgid.link/tencent_E328416B7CFD436F6029F2DF02AD7ED89C08@qq.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/pch_uart.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/serial/pch_uart.c
++++ b/drivers/tty/serial/pch_uart.c
+@@ -711,8 +711,7 @@ static void pch_request_dma(struct uart_
+ if (!chan) {
+ dev_err(priv->port.dev, "%s:dma_request_channel FAILS(Tx)\n",
+ __func__);
+- pci_dev_put(dma_dev);
+- return;
++ goto err_pci_get;
+ }
+ priv->chan_tx = chan;
+
+@@ -726,18 +725,26 @@ static void pch_request_dma(struct uart_
+ if (!chan) {
+ dev_err(priv->port.dev, "%s:dma_request_channel FAILS(Rx)\n",
+ __func__);
+- dma_release_channel(priv->chan_tx);
+- priv->chan_tx = NULL;
+- pci_dev_put(dma_dev);
+- return;
++ goto err_req_tx;
+ }
+
+ /* Get Consistent memory for DMA */
+ priv->rx_buf_virt = dma_alloc_coherent(port->dev, port->fifosize,
+ &priv->rx_buf_dma, GFP_KERNEL);
++ if (!priv->rx_buf_virt)
++ goto err_req_rx;
+ priv->chan_rx = chan;
+
+ pci_dev_put(dma_dev);
++ return;
++
++err_req_rx:
++ dma_release_channel(chan);
++err_req_tx:
++ dma_release_channel(priv->chan_tx);
++ priv->chan_tx = NULL;
++err_pci_get:
++ pci_dev_put(dma_dev);
+ }
+
+ static void pch_dma_rx_complete(void *arg)
--- /dev/null
+From 8f6aa392653e52a45858cff5c063df550028836b Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Mon, 27 Apr 2026 15:57:55 +0800
+Subject: usb: chipidea: core: convert ci_role_switch to local variable
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit 8f6aa392653e52a45858cff5c063df550028836b upstream.
+
+When a system contains multiple USB controllers, the global ci_role_switch
+variable may be overwritten by subsequent driver initialization code.
+
+This can cause issues in the following cases:
+ - The 2nd ci_hdrc_probe() sees ci_role_switch.fwnode as non-NULL even
+ though the "usb-role-switch" property is not present for the controller.
+ - When the ci_hdrc device is unbound and bound again, ci_role_switch
+ fwnode will not be reassigned, and the old value will be used instead.
+
+Convert ci_role_switch to a local variable to fix these issues.
+
+Fixes: 05559f10ed79 ("usb: chipidea: add role switch class support")
+Cc: stable <stable@kernel.org>
+Acked-by: Peter Chen <peter.chen@kernel.org>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Link: https://patch.msgid.link/20260427075755.3611217-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/chipidea/core.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -654,12 +654,6 @@ static int ci_usb_role_switch_set(struct
+ return 0;
+ }
+
+-static struct usb_role_switch_desc ci_role_switch = {
+- .set = ci_usb_role_switch_set,
+- .get = ci_usb_role_switch_get,
+- .allow_userspace_control = true,
+-};
+-
+ static int ci_get_platdata(struct device *dev,
+ struct ci_hdrc_platform_data *platdata)
+ {
+@@ -786,9 +780,6 @@ static int ci_get_platdata(struct device
+ cable->connected = false;
+ }
+
+- if (device_property_read_bool(dev, "usb-role-switch"))
+- ci_role_switch.fwnode = dev->fwnode;
+-
+ platdata->pctl = devm_pinctrl_get(dev);
+ if (!IS_ERR(platdata->pctl)) {
+ struct pinctrl_state *p;
+@@ -1005,6 +996,7 @@ ATTRIBUTE_GROUPS(ci);
+
+ static int ci_hdrc_probe(struct platform_device *pdev)
+ {
++ struct usb_role_switch_desc ci_role_switch = {};
+ struct device *dev = &pdev->dev;
+ struct ci_hdrc *ci;
+ struct resource *res;
+@@ -1146,7 +1138,11 @@ static int ci_hdrc_probe(struct platform
+ }
+ }
+
+- if (ci_role_switch.fwnode) {
++ if (device_property_read_bool(dev, "usb-role-switch")) {
++ ci_role_switch.set = ci_usb_role_switch_set;
++ ci_role_switch.get = ci_usb_role_switch_get;
++ ci_role_switch.allow_userspace_control = true;
++ ci_role_switch.fwnode = dev_fwnode(dev);
+ ci_role_switch.driver_data = ci;
+ ci->role_switch = usb_role_switch_register(dev,
+ &ci_role_switch);
--- /dev/null
+From 727d045d064b7c9a24db3bce9c0485a382cb768b Mon Sep 17 00:00:00 2001
+From: Michal Pecio <michal.pecio@gmail.com>
+Date: Mon, 18 May 2026 07:32:07 +0200
+Subject: usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval
+
+From: Michal Pecio <michal.pecio@gmail.com>
+
+commit 727d045d064b7c9a24db3bce9c0485a382cb768b upstream.
+
+Tao Xue found that some common devices violate USB 3.x section 9.6.7
+by reporting wBytesPerInterval lower than the size of packets they
+actually send. I confirmed that AX88179 may set it to 0 and RTL8153
+CDC configuration sets it to 8 but sends both 8 and 16 byte packets:
+
+S Ii:11:007:3 -115:128 16 <
+C Ii:11:007:3 0:128 8 = a1000000 01000000
+S Ii:11:007:3 -115:128 16 <
+C Ii:11:007:3 0:128 16 = a12a0000 01000800 00000000 00000000
+
+Most xHCI host controllers neglect interrupt bandwidth reservations
+and let such devices exceed theirs, some fail the URB with EOVERFLOW.
+
+Assume that wBytesPerInterval lower than wMaxPacketSize is bogus and
+increase it to the worst case maximum on interrupt IN endpoints. This
+solves xHCI problems and appears to have no other effect. Interrupt
+transfers are not limited to one interval and drivers submit URBs of
+class defined size without looking at wBytesPerInterval. Any multi-
+interval transfer is considered terminated by a packet shorter than
+wMaxPacketSize regardless of wBytesPerInterval - see USB3 8.10.3.
+
+Stay in spec on OUT endpoints and isochronous. No buggy devices are
+known and we don't want to risk sending more data than the device
+is prepared to handle or confusing isoc drivers regarding altsetting
+capacities guaranteed by the device itself. And don't complain when
+wMaxPacketSize <= wBytesPerInterval < wMaxPacketSize * (bMaxBurst+1)
+because enabling this seems to be the exact goal of the spec.
+
+Reported-and-tested-by: Tao Xue <xuetao09@huawei.com>
+Closes: https://lore.kernel.org/linux-usb/20260402021400.28853-1-xuetao09@huawei.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
+Link: https://patch.msgid.link/20260518073207.5b7d26e7.michal.pecio@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/config.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -165,7 +165,14 @@ static void usb_parse_ss_endpoint_compan
+ (desc->bMaxBurst + 1);
+ else
+ max_tx = 999999;
+- if (le16_to_cpu(desc->wBytesPerInterval) > max_tx) {
++ /*
++ * wBytesPerInterval > max_tx is bogus, but USB3 spec doesn't forbid the opposite.
++ * Experience shows that wBytesPerInterval < wMaxPacketSize on common interrupt IN
++ * endpoints is usually bogus too, and recent HCs enforce interrupt BW limits.
++ */
++ if (le16_to_cpu(desc->wBytesPerInterval) > max_tx ||
++ (le16_to_cpu(desc->wBytesPerInterval) < usb_endpoint_maxp(&ep->desc) &&
++ usb_endpoint_is_int_in(&ep->desc))) {
+ dev_notice(ddev, "%s endpoint with wBytesPerInterval of %d in "
+ "config %d interface %d altsetting %d ep %d: "
+ "setting to %d\n",
--- /dev/null
+From 7d9633528dd40e33964d2dc74a5abbf5c4d116ce Mon Sep 17 00:00:00 2001
+From: Seungjin Bae <eeodqql09@gmail.com>
+Date: Mon, 18 May 2026 19:43:14 -0400
+Subject: usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports
+
+From: Seungjin Bae <eeodqql09@gmail.com>
+
+commit 7d9633528dd40e33964d2dc74a5abbf5c4d116ce upstream.
+
+The `dummy_hub_control()` function handles USB hub class requests
+to the virtual root hub. The `GetPortStatus` case returns -EPIPE for
+requests with `wIndex != 1`, since the virtual root hub has only a
+single port. However, the `ClearPortFeature` and `SetPortFeature`
+cases lack the same check.
+
+Fix this by extending the `wIndex != 1` rejection to both cases,
+matching the existing behavior of `GetPortStatus`.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable <stable@kernel.org>
+Suggested-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
+Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://patch.msgid.link/20260518234314.1889396-1-eeodqql09@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/dummy_hcd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/gadget/udc/dummy_hcd.c
++++ b/drivers/usb/gadget/udc/dummy_hcd.c
+@@ -2110,6 +2110,8 @@ static int dummy_hub_control(
+ case ClearHubFeature:
+ break;
+ case ClearPortFeature:
++ if (wIndex != 1)
++ goto error;
+ switch (wValue) {
+ case USB_PORT_FEAT_SUSPEND:
+ if (hcd->speed == HCD_USB3) {
+@@ -2224,6 +2226,8 @@ static int dummy_hub_control(
+ retval = -EPIPE;
+ break;
+ case SetPortFeature:
++ if (wIndex != 1)
++ goto error;
+ switch (wValue) {
+ case USB_PORT_FEAT_LINK_STATE:
+ if (hcd->speed != HCD_USB3) {
--- /dev/null
+From c8547c74988e0b5f4cbb1b895e2a57aae084f070 Mon Sep 17 00:00:00 2001
+From: Guangshuo Li <lgs201920130244@gmail.com>
+Date: Mon, 27 Apr 2026 23:36:51 +0800
+Subject: usb: gadget: net2280: Fix double free in probe error path
+
+From: Guangshuo Li <lgs201920130244@gmail.com>
+
+commit c8547c74988e0b5f4cbb1b895e2a57aae084f070 upstream.
+
+usb_initialize_gadget() installs gadget_release() as the release
+callback for the embedded gadget device. The struct net2280 instance is
+therefore released through gadget_release() when the gadget device's last
+reference is dropped.
+
+The probe error path calls net2280_remove(), which tears down the
+partially initialized device and drops the gadget reference with
+usb_put_gadget(). Calling kfree(dev) afterwards can free the same object
+again.
+
+Drop the explicit kfree() and let the gadget device release callback
+handle the final free. This issue was found by a static analysis tool
+I am developing.
+
+Fixes: f770fbec4165 ("USB: UDC: net2280: Fix memory leaks")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
+Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://patch.msgid.link/20260427153651.337846-1-lgs201920130244@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/net2280.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/udc/net2280.c
++++ b/drivers/usb/gadget/udc/net2280.c
+@@ -3783,10 +3783,8 @@ static int net2280_probe(struct pci_dev
+ return 0;
+
+ done:
+- if (dev) {
++ if (dev)
+ net2280_remove(pdev);
+- kfree(dev);
+- }
+ return retval;
+ }
+
--- /dev/null
+From 9ddb9c0deca48d2c2a22ebf4d2f35c925a520328 Mon Sep 17 00:00:00 2001
+From: "Stephen J. Fuhry" <fuhrysteve@gmail.com>
+Date: Wed, 13 May 2026 13:14:19 -0400
+Subject: USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers
+
+From: Stephen J. Fuhry <fuhrysteve@gmail.com>
+
+commit 9ddb9c0deca48d2c2a22ebf4d2f35c925a520328 upstream.
+
+The Lenovo ThinkPad USB-C Dock Gen2 (17ef:a391, 17ef:a392) hub
+controllers exhibit link instability when USB Link Power Management
+is enabled, similar to the dock's Ethernet adapter (17ef:a387) which
+already carries USB_QUIRK_NO_LPM.
+
+When the dock reconnects after a transient disconnect, the hub
+controllers enter LPM states between re-enumeration retries, causing
+repeated disconnect/reconnect cycles lasting up to two minutes.
+Disabling LPM for these devices restores stable enumeration.
+
+Signed-off-by: Stephen J. Fuhry <fuhrysteve@gmail.com>
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/20260513171419.44849-1-fuhrysteve@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/quirks.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -498,6 +498,10 @@ static const struct usb_device_id usb_qu
+ /* Lenovo ThinkPad USB-C Dock Gen2 Ethernet (RTL8153 GigE) */
+ { USB_DEVICE(0x17ef, 0xa387), .driver_info = USB_QUIRK_NO_LPM },
+
++ /* Lenovo ThinkPad USB-C Dock Gen2 USB 3.1 and USB 2.0 hub controllers */
++ { USB_DEVICE(0x17ef, 0xa391), .driver_info = USB_QUIRK_NO_LPM },
++ { USB_DEVICE(0x17ef, 0xa392), .driver_info = USB_QUIRK_NO_LPM },
++
+ /* BUILDWIN Photo Frame */
+ { USB_DEVICE(0x1908, 0x1315), .driver_info =
+ USB_QUIRK_HONOR_BNUMINTERFACES },
--- /dev/null
+From 4ce058df2ee02cc2a0f0fd5cd64ce6f1482a0b65 Mon Sep 17 00:00:00 2001
+From: Zhang Cen <rollkingzzc@gmail.com>
+Date: Tue, 19 May 2026 19:11:50 +0800
+Subject: USB: serial: belkin_sa: validate interrupt status length
+
+From: Zhang Cen <rollkingzzc@gmail.com>
+
+commit 4ce058df2ee02cc2a0f0fd5cd64ce6f1482a0b65 upstream.
+
+The Belkin interrupt callback treats interrupt data as a four-byte
+status report and reads LSR/MSR fields at offsets 2 and 3. The
+interrupt-in buffer length is derived from endpoint wMaxPacketSize, and
+short interrupt transfers may complete successfully with a smaller
+actual_length.
+
+Check the completed interrupt packet length before parsing status
+fields so short interrupt endpoints and short successful packets are
+ignored instead of causing out-of-bounds or stale status-byte reads.
+
+KASAN report as below:
+
+BUG: KASAN: slab-out-of-bounds in belkin_sa_read_int_callback()
+Read of size 1
+Call trace:
+ belkin_sa_read_int_callback() (drivers/usb/serial/belkin_sa.c:202)
+ __usb_hcd_giveback_urb() (drivers/usb/core/hcd.c:1630)
+ dummy_timer() (?:?)
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Assisted-by: Codex:gpt-5.5
+Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/belkin_sa.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/belkin_sa.c
++++ b/drivers/usb/serial/belkin_sa.c
+@@ -196,6 +196,9 @@ static void belkin_sa_read_int_callback(
+
+ usb_serial_debug_data(&port->dev, __func__, urb->actual_length, data);
+
++ if (urb->actual_length < BELKIN_SA_MSR_INDEX + 1)
++ goto exit;
++
+ /* Handle known interrupt data */
+ /* ignore data[0] and data[1] */
+
--- /dev/null
+From 9f9bfc80c67f35a275820da7e83a35dface08281 Mon Sep 17 00:00:00 2001
+From: Zhang Cen <rollkingzzc@gmail.com>
+Date: Fri, 22 May 2026 22:54:42 +0800
+Subject: USB: serial: cypress_m8: validate interrupt packet headers
+
+From: Zhang Cen <rollkingzzc@gmail.com>
+
+commit 9f9bfc80c67f35a275820da7e83a35dface08281 upstream.
+
+cypress_read_int_callback() parses the interrupt-in buffer according to
+the selected Cypress packet format. Format 1 has a two-byte status/count
+header and format 2 has a one-byte combined status/count header. The
+usb-serial core sizes the interrupt-in buffer from the endpoint
+descriptor's wMaxPacketSize, and successful interrupt transfers can
+complete short when URB_SHORT_NOT_OK is not set.
+
+Check that the completed packet contains the selected header before
+reading it. Malformed short reports are ignored and the interrupt URB is
+resubmitted through the existing retry path, preventing out-of-bounds
+header-byte reads.
+
+KASAN report as below:
+KASAN slab-out-of-bounds in cypress_read_int_callback+0x240/0x7f0
+Read of size 1
+Call trace:
+ cypress_read_int_callback() (drivers/usb/serial/cypress_m8.c:1009)
+ __usb_hcd_giveback_urb()
+ dummy_timer()
+
+Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
+Assisted-by: Codex:gpt-5.5
+Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
+Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
+Cc: stable@vger.kernel.org # 2.6.26
+[ johan: use constants in header length sanity checks ]
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/cypress_m8.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/cypress_m8.c
++++ b/drivers/usb/serial/cypress_m8.c
+@@ -1035,8 +1035,8 @@ static void cypress_read_int_callback(st
+ char tty_flag = TTY_NORMAL;
+ int bytes = 0;
+ int result;
+- int i = 0;
+ int status = urb->status;
++ int i;
+
+ switch (status) {
+ case 0: /* success */
+@@ -1074,22 +1074,32 @@ static void cypress_read_int_callback(st
+
+ spin_lock_irqsave(&priv->lock, flags);
+ result = urb->actual_length;
++ i = 0;
+ switch (priv->pkt_fmt) {
+ default:
+ case packet_format_1:
+ /* This is for the CY7C64013... */
++ if (result < 2)
++ break;
+ priv->current_status = data[0] & 0xF8;
+ bytes = data[1] + 2;
+ i = 2;
+ break;
+ case packet_format_2:
+ /* This is for the CY7C63743... */
++ if (result < 1)
++ break;
+ priv->current_status = data[0] & 0xF8;
+ bytes = (data[0] & 0x07) + 1;
+ i = 1;
+ break;
+ }
+ spin_unlock_irqrestore(&priv->lock, flags);
++ if (i == 0) {
++ dev_dbg(dev, "%s - short packet received: %d bytes\n",
++ __func__, result);
++ goto continue_read;
++ }
+ if (result < bytes) {
+ dev_dbg(dev,
+ "%s - wrong packet size - received %d bytes but packet said %d bytes\n",
--- /dev/null
+From ab8336a7e414f018430aa1af3a46944032f7ff96 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 20 May 2026 16:26:48 +0200
+Subject: USB: serial: keyspan: fix missing indat transfer sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ab8336a7e414f018430aa1af3a46944032f7ff96 upstream.
+
+Add the missing sanity check on the size of usa49wg indat transfers to
+avoid parsing stale or uninitialised slab data.
+
+Fixes: 0ca1268e109a ("USB Serial Keyspan: add support for USA-49WG & USA-28XG")
+Cc: stable@vger.kernel.org # 2.6.23
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/keyspan.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/keyspan.c
++++ b/drivers/usb/serial/keyspan.c
+@@ -1204,6 +1204,10 @@ static void usa49wg_indat_callback(struc
+ len = 0;
+
+ while (i < urb->actual_length) {
++ if (urb->actual_length - i < 3) {
++ dev_warn_ratelimited(&urb->dev->dev, "malformed indat packet\n");
++ break;
++ }
+
+ /* Check port number from message */
+ if (data[i] >= serial->num_ports) {
--- /dev/null
+From 245aba83e3c288e176ed037a1f6b618b09e92ed8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 20 May 2026 16:27:10 +0200
+Subject: USB: serial: mct_u232: fix missing interrupt-in transfer sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 245aba83e3c288e176ed037a1f6b618b09e92ed8 upstream.
+
+Add the missing sanity check on the size of interrupt-in transfers to
+avoid parsing stale or uninitialised slab data (and leaking it to user
+space).
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/mct_u232.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/serial/mct_u232.c
++++ b/drivers/usb/serial/mct_u232.c
+@@ -545,6 +545,11 @@ static void mct_u232_read_int_callback(s
+ goto exit;
+ }
+
++ if (urb->actual_length < 2) {
++ dev_warn_ratelimited(&port->dev, "short interrupt-in packet\n");
++ goto exit;
++ }
++
+ /*
+ * The interrupt-in pipe signals exceptional conditions (modem line
+ * signal changes and errors). data[0] holds MSR, data[1] holds LSR.
--- /dev/null
+From 4085f0dbb1ce2251c9a5938d693de6593f0ab2bd Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 22 May 2026 16:19:50 +0200
+Subject: USB: serial: mxuport: fix memory corruption with small endpoint
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 4085f0dbb1ce2251c9a5938d693de6593f0ab2bd upstream.
+
+Make sure that the bulk-out endpoint max packet size is at least eight
+bytes to avoid user-controlled slab corruption should a malicious device
+report a smaller size.
+
+Fixes: ee467a1f2066 ("USB: serial: add Moxa UPORT 12XX/14XX/16XX driver")
+Cc: stable@vger.kernel.org # 3.14
+Cc: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/mxuport.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/mxuport.c
++++ b/drivers/usb/serial/mxuport.c
+@@ -969,6 +969,14 @@ static int mxuport_calc_num_ports(struct
+ */
+ BUILD_BUG_ON(ARRAY_SIZE(epds->bulk_out) < 16);
+
++ /*
++ * The bulk-out buffers must be large enough for the four-byte header
++ * (and following data), but assume anything smaller than eight bytes
++ * is broken.
++ */
++ if (usb_endpoint_maxp(epds->bulk_out[0]) < 8)
++ return -EINVAL;
++
+ for (i = 1; i < num_ports; ++i)
+ epds->bulk_out[i] = epds->bulk_out[0];
+
--- /dev/null
+From 7d2b37d3e42d19071b62f4ddbee6e16e905efbf1 Mon Sep 17 00:00:00 2001
+From: Jan Volckaert <janvolck@gmail.com>
+Date: Sun, 17 May 2026 17:32:37 +0200
+Subject: USB: serial: option: add MeiG SRM813Q
+
+From: Jan Volckaert <janvolck@gmail.com>
+
+commit 7d2b37d3e42d19071b62f4ddbee6e16e905efbf1 upstream.
+
+Add support for the Qualcomm Technology Snapdragon X35-based MeiG
+SRM813Q module.
+
+The module can be put in different modes via AT commands to
+enable/disable GPS functionality:
+
+MODEM - PPP mode(2dee:4d63): AT+SER=1,1
+
+If#= 0: RMNET
+If#= 1: DIAG/ADB
+If#= 2: MODEM
+If#= 3: AT
+
+P: Vendor=2dee ProdID=4d63 Rev=05.15
+S: Manufacturer=MEIG
+S: Product=LTE-A Module
+S: SerialNumber=1bd51f0e
+C: #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+
+NMEA mode(2dee:4d64): AT+SER=51,1
+
+If#= 0: RMNET
+If#= 1: DIAG/ADB
+If#= 2: NMEA
+If#= 3: AT
+
+P: Vendor=2dee ProdID=4d64 Rev=05.15
+S: Manufacturer=MEIG
+S: Product=LTE-A Module
+S: SerialNumber=1bd51f0e
+C: #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+
+Signed-off-by: Jan Volckaert <janvolck@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -2450,6 +2450,12 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x30) }, /* MeiG Smart SRM825WN (Diag) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x40) }, /* MeiG Smart SRM825WN (AT) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x60) }, /* MeiG Smart SRM825WN (NMEA) */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d63, 0xff, 0xff, 0x30) }, /* MeiG SRM813Q (Diag) */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d63, 0xff, 0xff, 0x40) }, /* MeiG SRM813Q (AT) */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d64, 0xff, 0xff, 0x30) }, /* MeiG SRM813Q (Diag) */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d64, 0xff, 0xff, 0x40) }, /* MeiG SRM813Q (AT) */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d64, 0xff, 0xff, 0x60) }, /* MeiG SRM813Q (NMEA) */
++
+ { USB_DEVICE_INTERFACE_CLASS(0x2df3, 0x9d03, 0xff) }, /* LongSung M5710 */
+ { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1404, 0xff) }, /* GosunCn GM500 RNDIS */
+ { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1405, 0xff) }, /* GosunCn GM500 MBIM */
--- /dev/null
+From 689f2facc689c8add11d7ff69fbbad17d65ee596 Mon Sep 17 00:00:00 2001
+From: Wanquan Zhong <wanquan.zhong@fibocom.com>
+Date: Wed, 20 May 2026 19:32:45 +0800
+Subject: USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL
+
+From: Wanquan Zhong <wanquan.zhong@fibocom.com>
+
+commit 689f2facc689c8add11d7ff69fbbad17d65ee596 upstream.
+
+The RW135R-GL entry added in commit 01e8d0f74222 ("USB: serial: option:
+add support for Rolling Wireless RW135R-GL") was missing the
+.driver_info = RSVD(5) flag used by other Rolling Wireless MBIM laptop
+modules (e.g. RW135-GL and RW350-GL).
+
+Without this flag, the option driver incorrectly binds to the reserved
+ADB interface (If#5) in multi-interface USB modes, causing AT/MBIM
+communication failures after mode switching. This matches the handling
+of other Rolling Wireless MBIM devices.
+
+- VID:PID 33f8:1003, RW135R-GL for laptop debug M.2 cards (with MBIM
+ interface for Linux/Chrome OS)
+
+ 0x1003: mbim, diag, AT, pipe
+
+ Here are the outputs of usb-devices:
+
+T: Bus=03 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#= 8 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=33f8 ProdID=1003 Rev= 5.15
+S: Manufacturer=Rolling Wireless S.a.r.l.
+S: Product=Rolling RW135R-GL Module
+S: SerialNumber=12345678
+C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
+A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
+I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
+E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+- VID:PID 33f8:1003, RW135R-GL for laptop debug M.2 cards (with MBIM
+ interface for Linux/Chrome OS)
+
+ 0x1003: mbim, diag, AT, ADB, pipe
+
+ Here are the outputs of usb-devices:
+
+T: Bus=03 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#= 7 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=33f8 ProdID=1003 Rev= 5.15
+S: Manufacturer=Rolling Wireless S.a.r.l.
+S: Product=Rolling RW135R-GL Module
+S: SerialNumber=12345678
+C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
+I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
+E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+- VID:PID 33f8:1003, RW135R-GL for laptop debug M.2 cards (with MBIM
+ interface for Linux/Chrome OS)
+
+ 0x1003: mbim, pipe
+
+ Here are the outputs of usb-devices:
+
+T: Bus=03 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#= 9 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=33f8 ProdID=1003 Rev= 5.15
+S: Manufacturer=Rolling Wireless S.a.r.l.
+S: Product=Rolling RW135R-GL Module
+S: SerialNumber=12345678
+C:* #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=500mA
+A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
+I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
+E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Fixes: 01e8d0f74222 ("USB: serial: option: add support for Rolling Wireless RW135R-GL")
+Signed-off-by: Wanquan Zhong <wanquan.zhong@fibocom.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -2476,7 +2476,8 @@ static const struct usb_device_id option
+ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0302, 0xff) }, /* Rolling RW101R-GL (laptop MBIM) */
+ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0802, 0xff), /* Rolling RW350-GL (laptop MBIM) */
+ .driver_info = RSVD(5) },
+- { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x1003, 0xff) }, /* Rolling RW135R-GL (laptop MBIM) */
++ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x1003, 0xff), /* Rolling RW135R-GL (laptop MBIM) */
++ .driver_info = RSVD(5) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x30) }, /* NetPrisma LCUK54-WWD for Global */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0x00, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x40) },
--- /dev/null
+From b53ebb811e00be50a779ce4e7aee604178b4a825 Mon Sep 17 00:00:00 2001
+From: Sam Burkels <sam@1a38.nl>
+Date: Fri, 1 May 2026 15:23:46 +0200
+Subject: usb: storage: Add quirks for PNY Elite Portable SSD
+
+From: Sam Burkels <sam@1a38.nl>
+
+commit b53ebb811e00be50a779ce4e7aee604178b4a825 upstream.
+
+The PNY Elite Portable SSD (USB ID 154b:f009) is a sibling of the
+already-quirked PNY Pro Elite SSDs (154b:f00b and 154b:f00d). Like its
+siblings, it uses a Phison-based USB-SATA bridge that exhibits
+firmware bugs when bound to the uas driver.
+
+Without quirks, the device fails to complete READ CAPACITY commands
+when accessed over UAS on a SuperSpeed (USB 3) port. The device
+enumerates and reports as a SCSI direct-access device, but reports
+zero logical blocks and never finishes spin-up:
+
+ usb 2-3: new SuperSpeed USB device number 8 using xhci_hcd
+ usb 2-3: New USB device found, idVendor=154b, idProduct=f009
+ usb 2-3: Product: PNY ELITE PSSD
+ usb 2-3: Manufacturer: PNY
+ scsi host0: uas
+ scsi 0:0:0:0: Direct-Access PNY PNY ELITE PSSD 0
+ sd 0:0:0:0: [sda] Spinning up disk...
+ [...10+ seconds of polling, no progress...]
+ sd 0:0:0:0: [sda] Read Capacity(16) failed: hostbyte=DID_ERROR
+ sd 0:0:0:0: [sda] Read Capacity(10) failed: hostbyte=DID_ERROR
+ sd 0:0:0:0: [sda] 0 512-byte logical blocks: (0 B/0 B)
+
+Tested each individual quirk to find the minimum that fixes this:
+ - US_FL_NO_ATA_1X alone: device hangs on spin-up
+ - US_FL_NO_REPORT_OPCODES alone: works on USB 2.0, hangs on USB 3.0
+ - US_FL_NO_ATA_1X | US_FL_NO_REPORT_OPCODES: works on both
+
+With both quirks the device enumerates correctly while still using
+the uas driver, and delivers full UAS throughput (~281 MB/s
+sequential read on a USB 3.0 Gen 1 port).
+
+The existing PNY Pro Elite entries (f00b, f00d) only set NO_ATA_1X,
+but this device additionally chokes on REPORT OPCODES under
+SuperSpeed.
+
+Signed-off-by: Sam Burkels <sam@1a38.nl>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/20260501132346.86572-1-sam@1a38.nl
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/unusual_uas.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -132,6 +132,13 @@ UNUSUAL_DEV(0x152d, 0x0583, 0x0000, 0x99
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_NO_REPORT_OPCODES),
+
++/* Reported-by: Sam Burkels <sam@1a38.nl> */
++UNUSUAL_DEV(0x154b, 0xf009, 0x0000, 0x9999,
++ "PNY",
++ "PNY ELITE PSSD",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_NO_ATA_1X | US_FL_NO_REPORT_OPCODES),
++
+ /* Reported-by: Thinh Nguyen <thinhn@synopsys.com> */
+ UNUSUAL_DEV(0x154b, 0xf00b, 0x0000, 0x9999,
+ "PNY",
--- /dev/null
+From d98d413ca65d0790a8f3695d0a5845538958ab84 Mon Sep 17 00:00:00 2001
+From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
+Date: Tue, 19 May 2026 18:41:40 +0700
+Subject: usb: typec: ucsi: Don't update power_supply on power role change if not connected
+
+From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
+
+commit d98d413ca65d0790a8f3695d0a5845538958ab84 upstream.
+
+We only need to update the power_supply on power role change if the port
+is connected, because otherwise the online status should be the same for
+both cases.
+
+Cc: stable <stable@kernel.org>
+Fixes: 7616f006db07 ("usb: typec: ucsi: Update power_supply on power role change")
+Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
+Reported-and-tested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Link: https://patch.msgid.link/20260519-ucsi-fix-2-v1-2-6f1239535187@qtmlabs.xyz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/ucsi.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/ucsi/ucsi.c
++++ b/drivers/usb/typec/ucsi/ucsi.c
+@@ -779,7 +779,12 @@ static void ucsi_handle_connector_change
+
+ if (con->status.change & UCSI_CONSTAT_CONNECT_CHANGE) {
+ typec_set_pwr_role(con->port, role);
+- ucsi_port_psy_changed(con);
++
++ /* Some power_supply properties vary depending on the power direction when
++ * connected
++ */
++ if (UCSI_CONSTAT(con, CONNECTED))
++ ucsi_port_psy_changed(con);
+
+ switch (UCSI_CONSTAT_PARTNER_TYPE(con->status.flags)) {
+ case UCSI_CONSTAT_PARTNER_TYPE_UFP:
--- /dev/null
+From 52f2ad3f7e5eb3b5908e1d685d4342519dc9cfcd Mon Sep 17 00:00:00 2001
+From: Heitor Alves de Siqueira <halves@igalia.com>
+Date: Tue, 5 May 2026 15:56:03 -0300
+Subject: usb: usbtmc: check URB actual_length for interrupt-IN notifications
+
+From: Heitor Alves de Siqueira <halves@igalia.com>
+
+commit 52f2ad3f7e5eb3b5908e1d685d4342519dc9cfcd upstream.
+
+USBTMC devices can use an optional interrupt endpoint for notification
+messages. These typically contain two-byte headers indicating the
+payload format, but the driver does not check if these headers are
+present before accessing the data buffers. In cases where the URB
+actual_length is not enough to fit these headers, the driver will either
+cause an out-of-bounds read, or consume stale leftover data from a
+previous notification.
+
+Fix by checking if actual_data contains enough bytes for the headers,
+otherwise resubmit URB to the interrupt endpoint.
+
+Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
+Reported-by: syzbot+abbfd103085885cf16a2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
+Cc: stable <stable@kernel.org>
+Suggested-by: Michal Pecio <michal.pecio@gmail.com>
+Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
+Link: https://patch.msgid.link/20260505-usbtmc-iin-size-v3-1-a36113f62db7@igalia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/usbtmc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/class/usbtmc.c
++++ b/drivers/usb/class/usbtmc.c
+@@ -2268,6 +2268,14 @@ static void usbtmc_interrupt(struct urb
+
+ switch (status) {
+ case 0: /* SUCCESS */
++ /* ensure at least two bytes of headers were transferred */
++ if (urb->actual_length < 2) {
++ dev_warn(dev,
++ "actual length %d not sufficient for interrupt headers\n",
++ urb->actual_length);
++ goto exit;
++ }
++
+ /* check for valid STB notification */
+ if (data->iin_buffer[0] > 0x81) {
+ data->bNotify1 = data->iin_buffer[0];
--- /dev/null
+From 121d2f682ba912b1427cddca7cf84840f41cc620 Mon Sep 17 00:00:00 2001
+From: Heitor Alves de Siqueira <halves@igalia.com>
+Date: Tue, 5 May 2026 15:56:04 -0300
+Subject: usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize
+
+From: Heitor Alves de Siqueira <halves@igalia.com>
+
+commit 121d2f682ba912b1427cddca7cf84840f41cc620 upstream.
+
+The USB488 subclass specification requires interrupt wMaxPacketSize to
+be 0x02, unless the device sends vendor-specific notifications.
+Endpoints that advertise less than 2 bytes for wMaxPacketSize are
+unlikely to work with the current driver, as URBs will not have enough
+space for interrupt headers. Considering that any notification URBs will
+be ignored by the driver, reject these endpoints early during probe.
+
+Fixes: 041370cce889 ("USB: usbtmc: refactor endpoint retrieval")
+Cc: stable <stable@kernel.org>
+Suggested-by: Michal Pecio <michal.pecio@gmail.com>
+Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
+Link: https://patch.msgid.link/20260505-usbtmc-iin-size-v3-2-a36113f62db7@igalia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/usbtmc.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/class/usbtmc.c
++++ b/drivers/usb/class/usbtmc.c
+@@ -2402,6 +2402,12 @@ static int usbtmc_probe(struct usb_inter
+ data->iin_ep = int_in->bEndpointAddress;
+ data->iin_wMaxPacketSize = usb_endpoint_maxp(int_in);
+ data->iin_interval = int_in->bInterval;
++ /* wMaxPacketSize should be 0x02 or more as per USB488 Table 22 */
++ if (iface_desc->desc.bInterfaceProtocol == 1 &&
++ data->iin_wMaxPacketSize < 2) {
++ retcode = -EINVAL;
++ goto err_put;
++ }
+ dev_dbg(&intf->dev, "Found Int in endpoint at %u\n",
+ data->iin_ep);
+ }
--- /dev/null
+From d96209626a29ea64666be98c30b30ac82e5f1be6 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Fri, 17 Apr 2026 12:35:52 -0400
+Subject: usbip: vudc: Fix use after free bug in vudc_remove due to race condition
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit d96209626a29ea64666be98c30b30ac82e5f1be6 upstream.
+
+This patch follows up Zheng Wang's 2023 report of a use-after-free in
+vudc_remove(). The original thread stalled on Shuah Khan's request for
+runtime testing of the unplug/unbind path. This patch supplies that
+testing and keeps Zheng's original fix shape.
+
+In vudc_probe(), v_init_timer() binds udc->tr_timer.timer to v_timer().
+usbip_sockfd_store() starts the timer via v_start_timer()/v_kick_timer().
+vudc_remove() can then free the containing struct vudc while the timer is
+still pending or executing.
+
+KASAN confirms the race on an unpatched x86_64 QEMU guest with
+CONFIG_KASAN=y, CONFIG_USBIP_VUDC=y, CONFIG_USB_ZERO=y, and a tight loop
+that repeatedly writes a socket fd to usbip_sockfd, closes the socket
+pair, and unbinds/rebinds usbip-vudc.0:
+
+ BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x8ba/0x8e0
+ Write of size 8 at addr ffff888001b80740 by task trigger_and_unb/239
+ Allocated by task 239:
+ vudc_probe+0x4d/0xaa0
+ Freed by task 239:
+ kfree+0x18f/0x520
+ device_release_driver_internal+0x388/0x540
+ unbind_store+0xd9/0x100
+
+This lands in the timer core rather than v_timer() itself because the
+embedded timer_list is being walked after its containing struct vudc has
+already been freed. The underlying lifetime bug is the same one Zheng
+reported.
+
+With v_stop_timer() called from vudc_remove() and the timer deleted
+synchronously, the same harness completed 5000 bind/unbind iterations
+with no KASAN report.
+
+Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
+Cc: stable <stable@kernel.org>
+Reported-by: Zheng Wang <zyytlz.wz@163.com>
+Closes: https://lore.kernel.org/linux-usb/20230317100954.2626573-1-zyytlz.wz@163.com/
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://patch.msgid.link/20260417163552.807548-1-michael.bommarito@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/vudc_dev.c | 1 +
+ drivers/usb/usbip/vudc_transfer.c | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/usbip/vudc_dev.c
++++ b/drivers/usb/usbip/vudc_dev.c
+@@ -633,6 +633,7 @@ int vudc_remove(struct platform_device *
+ {
+ struct vudc *udc = platform_get_drvdata(pdev);
+
++ v_stop_timer(udc);
+ usb_del_gadget_udc(&udc->gadget);
+ cleanup_vudc_hw(udc);
+ kfree(udc);
+--- a/drivers/usb/usbip/vudc_transfer.c
++++ b/drivers/usb/usbip/vudc_transfer.c
+@@ -490,7 +490,8 @@ void v_stop_timer(struct vudc *udc)
+ {
+ struct transfer_timer *t = &udc->tr_timer;
+
+- /* timer itself will take care of stopping */
++ /* Delete the timer synchronously before teardown frees udc. */
+ dev_dbg(&udc->pdev->dev, "timer stop");
++ timer_delete_sync(&t->timer);
+ t->state = VUDC_TR_STOPPED;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
