--- /dev/null
+From 59abe7bc7e7c70e9066b3e46874d1b7e6a13de14 Mon Sep 17 00:00:00 2001
+From: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Date: Thu, 2 Oct 2025 10:31:25 +0300
+Subject: ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+
+commit 59abe7bc7e7c70e9066b3e46874d1b7e6a13de14 upstream.
+
+In the case of static pipelines, freeing the widgets in the pipelines
+that were not suspended after freeing the scheduler widgets results in
+errors because the secondary cores are powered off when the scheduler
+widgets are freed. Fix this by tearing down the leftover pipelines before
+powering off the secondary cores.
+
+Cc: stable@vger.kernel.org
+Fixes: d7332c4a4f1a ("ASoC: SOF: ipc3-topology: Fix pipeline tear down logic")
+Signed-off-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://patch.msgid.link/20251002073125.32471-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/sof/ipc3-topology.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/sound/soc/sof/ipc3-topology.c
++++ b/sound/soc/sof/ipc3-topology.c
+@@ -2394,11 +2394,6 @@ static int sof_ipc3_tear_down_all_pipeli
+ if (ret < 0)
+ return ret;
+
+- /* free all the scheduler widgets now */
+- ret = sof_ipc3_free_widgets_in_list(sdev, true, &dyn_widgets, verify);
+- if (ret < 0)
+- return ret;
+-
+ /*
+ * Tear down all pipelines associated with PCMs that did not get suspended
+ * and unset the prepare flag so that they can be set up again during resume.
+@@ -2414,6 +2409,11 @@ static int sof_ipc3_tear_down_all_pipeli
+ }
+ }
+
++ /* free all the scheduler widgets now. This will also power down the secondary cores */
++ ret = sof_ipc3_free_widgets_in_list(sdev, true, &dyn_widgets, verify);
++ if (ret < 0)
++ return ret;
++
+ list_for_each_entry(sroute, &sdev->route_list, list)
+ sroute->setup = false;
+
--- /dev/null
+From 4e65bda8273c938039403144730923e77916a3d7 Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Tue, 23 Sep 2025 14:52:12 +0800
+Subject: ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit 4e65bda8273c938039403144730923e77916a3d7 upstream.
+
+wcd934x_codec_parse_data() contains a device reference count leak in
+of_slim_get_device() where device_find_child() increases the reference
+count of the device but this reference is not properly decreased in
+the success path. Add put_device() in wcd934x_codec_parse_data() and
+add devm_add_action_or_reset() in the probe function, which ensures
+that the reference count of the device is correctly managed.
+
+Memory leak in regmap_init_slimbus() as the allocated regmap is not
+released when the device is removed. Using devm_regmap_init_slimbus()
+instead of regmap_init_slimbus() to ensure automatic regmap cleanup on
+device removal.
+
+Calling path: of_slim_get_device() -> of_find_slim_device() ->
+device_find_child(). As comment of device_find_child() says, 'NOTE:
+you will need to drop the reference with put_device() after use.'.
+
+Found by code review.
+
+Cc: stable@vger.kernel.org
+Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250923065212.26660-1-make24@iscas.ac.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/wcd934x.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/codecs/wcd934x.c
++++ b/sound/soc/codecs/wcd934x.c
+@@ -5858,6 +5858,13 @@ static const struct snd_soc_component_dr
+ .endianness = 1,
+ };
+
++static void wcd934x_put_device_action(void *data)
++{
++ struct device *dev = data;
++
++ put_device(dev);
++}
++
+ static int wcd934x_codec_parse_data(struct wcd934x_codec *wcd)
+ {
+ struct device *dev = &wcd->sdev->dev;
+@@ -5878,11 +5885,13 @@ static int wcd934x_codec_parse_data(stru
+ }
+
+ slim_get_logical_addr(wcd->sidev);
+- wcd->if_regmap = regmap_init_slimbus(wcd->sidev,
++ wcd->if_regmap = devm_regmap_init_slimbus(wcd->sidev,
+ &wcd934x_ifc_regmap_config);
+- if (IS_ERR(wcd->if_regmap))
++ if (IS_ERR(wcd->if_regmap)) {
++ put_device(&wcd->sidev->dev);
+ return dev_err_probe(dev, PTR_ERR(wcd->if_regmap),
+ "Failed to allocate ifc register map\n");
++ }
+
+ of_property_read_u32(dev->parent->of_node, "qcom,dmic-sample-rate",
+ &wcd->dmic_sample_rate);
+@@ -5926,6 +5935,10 @@ static int wcd934x_codec_probe(struct pl
+ return ret;
+ }
+
++ ret = devm_add_action_or_reset(dev, wcd934x_put_device_action, &wcd->sidev->dev);
++ if (ret)
++ return ret;
++
+ /* set default rate 9P6MHz */
+ regmap_update_bits(wcd->regmap, WCD934X_CODEC_RPM_CLK_MCLK_CFG,
+ WCD934X_CODEC_RPM_CLK_MCLK_CFG_MCLK_MASK,
--- /dev/null
+From 3bd5e45c2ce30e239d596becd5db720f7eb83c99 Mon Sep 17 00:00:00 2001
+From: Larshin Sergey <Sergey.Larshin@kaspersky.com>
+Date: Mon, 22 Sep 2025 16:13:58 +0300
+Subject: fs: udf: fix OOB read in lengthAllocDescs handling
+
+From: Larshin Sergey <Sergey.Larshin@kaspersky.com>
+
+commit 3bd5e45c2ce30e239d596becd5db720f7eb83c99 upstream.
+
+When parsing Allocation Extent Descriptor, lengthAllocDescs comes from
+on-disk data and must be validated against the block size. Crafted or
+corrupted images may set lengthAllocDescs so that the total descriptor
+length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,
+leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and
+trigger a KASAN use-after-free read.
+
+BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
+Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309
+
+CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:488
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
+ udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261
+ udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179
+ extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46
+ udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106
+ udf_release_file+0xc1/0x120 fs/udf/file.c:185
+ __fput+0x23f/0x880 fs/file_table.c:431
+ task_work_run+0x24f/0x310 kernel/task_work.c:239
+ exit_task_work include/linux/task_work.h:43 [inline]
+ do_exit+0xa2f/0x28e0 kernel/exit.c:939
+ do_group_exit+0x207/0x2c0 kernel/exit.c:1088
+ __do_sys_exit_group kernel/exit.c:1099 [inline]
+ __se_sys_exit_group kernel/exit.c:1097 [inline]
+ __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
+ x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+Validate the computed total length against epos->bh->b_size.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Reported-by: syzbot+8743fca924afed42f93e@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=8743fca924afed42f93e
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Larshin Sergey <Sergey.Larshin@kaspersky.com>
+Link: https://patch.msgid.link/20250922131358.745579-1-Sergey.Larshin@kaspersky.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/udf/inode.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -2265,6 +2265,9 @@ int udf_current_aext(struct inode *inode
+ if (check_add_overflow(sizeof(struct allocExtDesc),
+ le32_to_cpu(header->lengthAllocDescs), &alen))
+ return -1;
++
++ if (alen > epos->bh->b_size)
++ return -1;
+ }
+
+ switch (iinfo->i_alloc_type) {
--- /dev/null
+From da32b0e82c523b76265ba1ad25d7ea74f0ece402 Mon Sep 17 00:00:00 2001
+From: Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
+Date: Wed, 10 Sep 2025 20:59:06 +0300
+Subject: mfd: rz-mtu3: Fix MTU5 NFCR register offset
+
+From: Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
+
+commit da32b0e82c523b76265ba1ad25d7ea74f0ece402 upstream.
+
+The NFCR register for MTU5 is at 0x1a95 offset according to Datasheet
+Page 725, Table 16.4. The address of all registers is offset by 0x1200,
+making the proper address of MTU5 NFCR register be 0x895.
+
+Cc: stable@vger.kernel.org
+Fixes: 654c293e1687 ("mfd: Add Renesas RZ/G2L MTU3a core driver")
+Signed-off-by: Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
+Reviewed-by: Biju Das <biju.das.jz@bp.renesas.com>
+Link: https://lore.kernel.org/r/20250910175914.12956-1-cosmin-gabriel.tanislav.xa@renesas.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mfd/rz-mtu3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/rz-mtu3.c b/drivers/mfd/rz-mtu3.c
+index f3dac4a29a83..9cdfef610398 100644
+--- a/drivers/mfd/rz-mtu3.c
++++ b/drivers/mfd/rz-mtu3.c
+@@ -32,7 +32,7 @@ static const unsigned long rz_mtu3_8bit_ch_reg_offs[][13] = {
+ [RZ_MTU3_CHAN_2] = MTU_8BIT_CH_1_2(0x204, 0x092, 0x205, 0x200, 0x20c, 0x201, 0x202),
+ [RZ_MTU3_CHAN_3] = MTU_8BIT_CH_3_4_6_7(0x008, 0x093, 0x02c, 0x000, 0x04c, 0x002, 0x004, 0x005, 0x038),
+ [RZ_MTU3_CHAN_4] = MTU_8BIT_CH_3_4_6_7(0x009, 0x094, 0x02d, 0x001, 0x04d, 0x003, 0x006, 0x007, 0x039),
+- [RZ_MTU3_CHAN_5] = MTU_8BIT_CH_5(0xab2, 0x1eb, 0xab4, 0xab6, 0xa84, 0xa85, 0xa86, 0xa94, 0xa95, 0xa96, 0xaa4, 0xaa5, 0xaa6),
++ [RZ_MTU3_CHAN_5] = MTU_8BIT_CH_5(0xab2, 0x895, 0xab4, 0xab6, 0xa84, 0xa85, 0xa86, 0xa94, 0xa95, 0xa96, 0xaa4, 0xaa5, 0xaa6),
+ [RZ_MTU3_CHAN_6] = MTU_8BIT_CH_3_4_6_7(0x808, 0x893, 0x82c, 0x800, 0x84c, 0x802, 0x804, 0x805, 0x838),
+ [RZ_MTU3_CHAN_7] = MTU_8BIT_CH_3_4_6_7(0x809, 0x894, 0x82d, 0x801, 0x84d, 0x803, 0x806, 0x807, 0x839),
+ [RZ_MTU3_CHAN_8] = MTU_8BIT_CH_8(0x404, 0x098, 0x400, 0x406, 0x401, 0x402, 0x403)
+--
+2.51.0
+
--- /dev/null
+From 1efbee6852f1ff698a9981bd731308dd027189fb Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Mon, 11 Aug 2025 15:36:16 +0200
+Subject: mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit 1efbee6852f1ff698a9981bd731308dd027189fb upstream.
+
+Commit 974cc7b93441 ("mfd: vexpress: Define the device as MFD cells")
+removed the return value check from the call to gpiochip_add_data() (or
+rather gpiochip_add() back then and later converted to devres) with no
+explanation. This function however can still fail, so check the return
+value and bail-out if it does.
+
+Cc: stable@vger.kernel.org
+Fixes: 974cc7b93441 ("mfd: vexpress: Define the device as MFD cells")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20250811-gpio-mmio-mfd-conv-v1-1-68c5c958cf80@linaro.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mfd/vexpress-sysreg.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/mfd/vexpress-sysreg.c
++++ b/drivers/mfd/vexpress-sysreg.c
+@@ -90,6 +90,7 @@ static int vexpress_sysreg_probe(struct
+ struct resource *mem;
+ void __iomem *base;
+ struct gpio_chip *mmc_gpio_chip;
++ int ret;
+
+ mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ if (!mem)
+@@ -110,7 +111,10 @@ static int vexpress_sysreg_probe(struct
+ bgpio_init(mmc_gpio_chip, &pdev->dev, 0x4, base + SYS_MCI,
+ NULL, NULL, NULL, NULL, 0);
+ mmc_gpio_chip->ngpio = 2;
+- devm_gpiochip_add_data(&pdev->dev, mmc_gpio_chip, NULL);
++
++ ret = devm_gpiochip_add_data(&pdev->dev, mmc_gpio_chip, NULL);
++ if (ret)
++ return ret;
+
+ return devm_mfd_add_devices(&pdev->dev, PLATFORM_DEVID_AUTO,
+ vexpress_sysreg_cells,
--- /dev/null
+From 9c328f54741bd5465ca1dc717c84c04242fac2e1 Mon Sep 17 00:00:00 2001
+From: Deepak Sharma <deepak.sharma.472935@gmail.com>
+Date: Thu, 25 Sep 2025 18:58:46 +0530
+Subject: net: nfc: nci: Add parameter validation for packet data
+
+From: Deepak Sharma <deepak.sharma.472935@gmail.com>
+
+commit 9c328f54741bd5465ca1dc717c84c04242fac2e1 upstream.
+
+Syzbot reported an uninitialized value bug in nci_init_req, which was
+introduced by commit 5aca7966d2a7 ("Merge tag
+'perf-tools-fixes-for-v6.17-2025-09-16' of
+git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools").
+
+This bug arises due to very limited and poor input validation
+that was done at nic_valid_size(). This validation only
+validates the skb->len (directly reflects size provided at the
+userspace interface) with the length provided in the buffer
+itself (interpreted as NCI_HEADER). This leads to the processing
+of memory content at the address assuming the correct layout
+per what opcode requires there. This leads to the accesses to
+buffer of `skb_buff->data` which is not assigned anything yet.
+
+Following the same silent drop of packets of invalid sizes at
+`nic_valid_size()`, add validation of the data in the respective
+handlers and return error values in case of failure. Release
+the skb if error values are returned from handlers in
+`nci_nft_packet` and effectively do a silent drop
+
+Possible TODO: because we silently drop the packets, the
+call to `nci_request` will be waiting for completion of request
+and will face timeouts. These timeouts can get excessively logged
+in the dmesg. A proper handling of them may require to export
+`nci_request_cancel` (or propagate error handling from the
+nft packets handlers).
+
+Reported-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8
+Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
+Tested-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Deepak Sharma <deepak.sharma.472935@gmail.com>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Link: https://patch.msgid.link/20250925132846.213425-1-deepak.sharma.472935@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/nci/ntf.c | 135 +++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 99 insertions(+), 36 deletions(-)
+
+--- a/net/nfc/nci/ntf.c
++++ b/net/nfc/nci/ntf.c
+@@ -27,11 +27,16 @@
+
+ /* Handle NCI Notification packets */
+
+-static void nci_core_reset_ntf_packet(struct nci_dev *ndev,
+- const struct sk_buff *skb)
++static int nci_core_reset_ntf_packet(struct nci_dev *ndev,
++ const struct sk_buff *skb)
+ {
+ /* Handle NCI 2.x core reset notification */
+- const struct nci_core_reset_ntf *ntf = (void *)skb->data;
++ const struct nci_core_reset_ntf *ntf;
++
++ if (skb->len < sizeof(struct nci_core_reset_ntf))
++ return -EINVAL;
++
++ ntf = (struct nci_core_reset_ntf *)skb->data;
+
+ ndev->nci_ver = ntf->nci_ver;
+ pr_debug("nci_ver 0x%x, config_status 0x%x\n",
+@@ -42,15 +47,22 @@ static void nci_core_reset_ntf_packet(st
+ __le32_to_cpu(ntf->manufact_specific_info);
+
+ nci_req_complete(ndev, NCI_STATUS_OK);
++
++ return 0;
+ }
+
+-static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev,
+- struct sk_buff *skb)
++static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev,
++ struct sk_buff *skb)
+ {
+- struct nci_core_conn_credit_ntf *ntf = (void *) skb->data;
++ struct nci_core_conn_credit_ntf *ntf;
+ struct nci_conn_info *conn_info;
+ int i;
+
++ if (skb->len < sizeof(struct nci_core_conn_credit_ntf))
++ return -EINVAL;
++
++ ntf = (struct nci_core_conn_credit_ntf *)skb->data;
++
+ pr_debug("num_entries %d\n", ntf->num_entries);
+
+ if (ntf->num_entries > NCI_MAX_NUM_CONN)
+@@ -68,7 +80,7 @@ static void nci_core_conn_credits_ntf_pa
+ conn_info = nci_get_conn_info_by_conn_id(ndev,
+ ntf->conn_entries[i].conn_id);
+ if (!conn_info)
+- return;
++ return 0;
+
+ atomic_add(ntf->conn_entries[i].credits,
+ &conn_info->credits_cnt);
+@@ -77,12 +89,19 @@ static void nci_core_conn_credits_ntf_pa
+ /* trigger the next tx */
+ if (!skb_queue_empty(&ndev->tx_q))
+ queue_work(ndev->tx_wq, &ndev->tx_work);
++
++ return 0;
+ }
+
+-static void nci_core_generic_error_ntf_packet(struct nci_dev *ndev,
+- const struct sk_buff *skb)
++static int nci_core_generic_error_ntf_packet(struct nci_dev *ndev,
++ const struct sk_buff *skb)
+ {
+- __u8 status = skb->data[0];
++ __u8 status;
++
++ if (skb->len < 1)
++ return -EINVAL;
++
++ status = skb->data[0];
+
+ pr_debug("status 0x%x\n", status);
+
+@@ -91,12 +110,19 @@ static void nci_core_generic_error_ntf_p
+ (the state remains the same) */
+ nci_req_complete(ndev, status);
+ }
++
++ return 0;
+ }
+
+-static void nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev,
+- struct sk_buff *skb)
++static int nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev,
++ struct sk_buff *skb)
+ {
+- struct nci_core_intf_error_ntf *ntf = (void *) skb->data;
++ struct nci_core_intf_error_ntf *ntf;
++
++ if (skb->len < sizeof(struct nci_core_intf_error_ntf))
++ return -EINVAL;
++
++ ntf = (struct nci_core_intf_error_ntf *)skb->data;
+
+ ntf->conn_id = nci_conn_id(&ntf->conn_id);
+
+@@ -105,6 +131,8 @@ static void nci_core_conn_intf_error_ntf
+ /* complete the data exchange transaction, if exists */
+ if (test_bit(NCI_DATA_EXCHANGE, &ndev->flags))
+ nci_data_exchange_complete(ndev, NULL, ntf->conn_id, -EIO);
++
++ return 0;
+ }
+
+ static const __u8 *
+@@ -329,13 +357,18 @@ void nci_clear_target_list(struct nci_de
+ ndev->n_targets = 0;
+ }
+
+-static void nci_rf_discover_ntf_packet(struct nci_dev *ndev,
+- const struct sk_buff *skb)
++static int nci_rf_discover_ntf_packet(struct nci_dev *ndev,
++ const struct sk_buff *skb)
+ {
+ struct nci_rf_discover_ntf ntf;
+- const __u8 *data = skb->data;
++ const __u8 *data;
+ bool add_target = true;
+
++ if (skb->len < sizeof(struct nci_rf_discover_ntf))
++ return -EINVAL;
++
++ data = skb->data;
++
+ ntf.rf_discovery_id = *data++;
+ ntf.rf_protocol = *data++;
+ ntf.rf_tech_and_mode = *data++;
+@@ -390,6 +423,8 @@ static void nci_rf_discover_ntf_packet(s
+ nfc_targets_found(ndev->nfc_dev, ndev->targets,
+ ndev->n_targets);
+ }
++
++ return 0;
+ }
+
+ static int nci_extract_activation_params_iso_dep(struct nci_dev *ndev,
+@@ -531,14 +566,19 @@ static int nci_store_general_bytes_nfc_d
+ return NCI_STATUS_OK;
+ }
+
+-static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
+- const struct sk_buff *skb)
++static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
++ const struct sk_buff *skb)
+ {
+ struct nci_conn_info *conn_info;
+ struct nci_rf_intf_activated_ntf ntf;
+- const __u8 *data = skb->data;
++ const __u8 *data;
+ int err = NCI_STATUS_OK;
+
++ if (skb->len < sizeof(struct nci_rf_intf_activated_ntf))
++ return -EINVAL;
++
++ data = skb->data;
++
+ ntf.rf_discovery_id = *data++;
+ ntf.rf_interface = *data++;
+ ntf.rf_protocol = *data++;
+@@ -645,7 +685,7 @@ exit:
+ if (err == NCI_STATUS_OK) {
+ conn_info = ndev->rf_conn_info;
+ if (!conn_info)
+- return;
++ return 0;
+
+ conn_info->max_pkt_payload_len = ntf.max_data_pkt_payload_size;
+ conn_info->initial_num_credits = ntf.initial_num_credits;
+@@ -691,19 +731,26 @@ listen:
+ pr_err("error when signaling tm activation\n");
+ }
+ }
++
++ return 0;
+ }
+
+-static void nci_rf_deactivate_ntf_packet(struct nci_dev *ndev,
+- const struct sk_buff *skb)
++static int nci_rf_deactivate_ntf_packet(struct nci_dev *ndev,
++ const struct sk_buff *skb)
+ {
+ const struct nci_conn_info *conn_info;
+- const struct nci_rf_deactivate_ntf *ntf = (void *)skb->data;
++ const struct nci_rf_deactivate_ntf *ntf;
++
++ if (skb->len < sizeof(struct nci_rf_deactivate_ntf))
++ return -EINVAL;
++
++ ntf = (struct nci_rf_deactivate_ntf *)skb->data;
+
+ pr_debug("entry, type 0x%x, reason 0x%x\n", ntf->type, ntf->reason);
+
+ conn_info = ndev->rf_conn_info;
+ if (!conn_info)
+- return;
++ return 0;
+
+ /* drop tx data queue */
+ skb_queue_purge(&ndev->tx_q);
+@@ -735,14 +782,20 @@ static void nci_rf_deactivate_ntf_packet
+ }
+
+ nci_req_complete(ndev, NCI_STATUS_OK);
++
++ return 0;
+ }
+
+-static void nci_nfcee_discover_ntf_packet(struct nci_dev *ndev,
+- const struct sk_buff *skb)
++static int nci_nfcee_discover_ntf_packet(struct nci_dev *ndev,
++ const struct sk_buff *skb)
+ {
+ u8 status = NCI_STATUS_OK;
+- const struct nci_nfcee_discover_ntf *nfcee_ntf =
+- (struct nci_nfcee_discover_ntf *)skb->data;
++ const struct nci_nfcee_discover_ntf *nfcee_ntf;
++
++ if (skb->len < sizeof(struct nci_nfcee_discover_ntf))
++ return -EINVAL;
++
++ nfcee_ntf = (struct nci_nfcee_discover_ntf *)skb->data;
+
+ /* NFCForum NCI 9.2.1 HCI Network Specific Handling
+ * If the NFCC supports the HCI Network, it SHALL return one,
+@@ -753,6 +806,8 @@ static void nci_nfcee_discover_ntf_packe
+ ndev->cur_params.id = nfcee_ntf->nfcee_id;
+
+ nci_req_complete(ndev, status);
++
++ return 0;
+ }
+
+ void nci_ntf_packet(struct nci_dev *ndev, struct sk_buff *skb)
+@@ -779,35 +834,43 @@ void nci_ntf_packet(struct nci_dev *ndev
+
+ switch (ntf_opcode) {
+ case NCI_OP_CORE_RESET_NTF:
+- nci_core_reset_ntf_packet(ndev, skb);
++ if (nci_core_reset_ntf_packet(ndev, skb))
++ goto end;
+ break;
+
+ case NCI_OP_CORE_CONN_CREDITS_NTF:
+- nci_core_conn_credits_ntf_packet(ndev, skb);
++ if (nci_core_conn_credits_ntf_packet(ndev, skb))
++ goto end;
+ break;
+
+ case NCI_OP_CORE_GENERIC_ERROR_NTF:
+- nci_core_generic_error_ntf_packet(ndev, skb);
++ if (nci_core_generic_error_ntf_packet(ndev, skb))
++ goto end;
+ break;
+
+ case NCI_OP_CORE_INTF_ERROR_NTF:
+- nci_core_conn_intf_error_ntf_packet(ndev, skb);
++ if (nci_core_conn_intf_error_ntf_packet(ndev, skb))
++ goto end;
+ break;
+
+ case NCI_OP_RF_DISCOVER_NTF:
+- nci_rf_discover_ntf_packet(ndev, skb);
++ if (nci_rf_discover_ntf_packet(ndev, skb))
++ goto end;
+ break;
+
+ case NCI_OP_RF_INTF_ACTIVATED_NTF:
+- nci_rf_intf_activated_ntf_packet(ndev, skb);
++ if (nci_rf_intf_activated_ntf_packet(ndev, skb))
++ goto end;
+ break;
+
+ case NCI_OP_RF_DEACTIVATE_NTF:
+- nci_rf_deactivate_ntf_packet(ndev, skb);
++ if (nci_rf_deactivate_ntf_packet(ndev, skb))
++ goto end;
+ break;
+
+ case NCI_OP_NFCEE_DISCOVER_NTF:
+- nci_nfcee_discover_ntf_packet(ndev, skb);
++ if (nci_nfcee_discover_ntf_packet(ndev, skb))
++ goto end;
+ break;
+
+ case NCI_OP_RF_NFCEE_ACTION_NTF:
vhost-vringh-modify-the-return-value-check.patch
bpf-reject-negative-offsets-for-alu-ops.patch
squashfs-fix-uninit-value-in-squashfs_get_parent.patch
+uio_hv_generic-let-userspace-take-care-of-interrupt-mask.patch
+asoc-wcd934x-fix-error-handling-in-wcd934x_codec_parse_data.patch
+asoc-sof-ipc3-topology-fix-multi-core-and-static-pipelines-tear-down.patch
+fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch
+net-nfc-nci-add-parameter-validation-for-packet-data.patch
+mfd-rz-mtu3-fix-mtu5-nfcr-register-offset.patch
+mfd-vexpress-sysreg-check-the-return-value-of-devm_gpiochip_add_data.patch
--- /dev/null
+From b15b7d2a1b09ef5428a8db260251897405a19496 Mon Sep 17 00:00:00 2001
+From: Naman Jain <namjain@linux.microsoft.com>
+Date: Thu, 28 Aug 2025 10:12:00 +0530
+Subject: uio_hv_generic: Let userspace take care of interrupt mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Naman Jain <namjain@linux.microsoft.com>
+
+commit b15b7d2a1b09ef5428a8db260251897405a19496 upstream.
+
+Remove the logic to set interrupt mask by default in uio_hv_generic
+driver as the interrupt mask value is supposed to be controlled
+completely by the user space. If the mask bit gets changed
+by the driver, concurrently with user mode operating on the ring,
+the mask bit may be set when it is supposed to be clear, and the
+user-mode driver will miss an interrupt which will cause a hang.
+
+For eg- when the driver sets inbound ring buffer interrupt mask to 1,
+the host does not interrupt the guest on the UIO VMBus channel.
+However, setting the mask does not prevent the host from putting a
+message in the inbound ring buffer. So let’s assume that happens,
+the host puts a message into the ring buffer but does not interrupt.
+
+Subsequently, the user space code in the guest sets the inbound ring
+buffer interrupt mask to 0, saying “Hey, I’m ready for interrupts”.
+User space code then calls pread() to wait for an interrupt.
+Then one of two things happens:
+
+* The host never sends another message. So the pread() waits forever.
+* The host does send another message. But because there’s already a
+ message in the ring buffer, it doesn’t generate an interrupt.
+ This is the correct behavior, because the host should only send an
+ interrupt when the inbound ring buffer transitions from empty to
+ not-empty. Adding an additional message to a ring buffer that is not
+ empty is not supposed to generate an interrupt on the guest.
+ Since the guest is waiting in pread() and not removing messages from
+ the ring buffer, the pread() waits forever.
+
+This could be easily reproduced in hv_fcopy_uio_daemon if we delay
+setting interrupt mask to 0.
+
+Similarly if hv_uio_channel_cb() sets the interrupt_mask to 1,
+there’s a race condition. Once user space empties the inbound ring
+buffer, but before user space sets interrupt_mask to 0, the host could
+put another message in the ring buffer but it wouldn’t interrupt.
+Then the next pread() would hang.
+
+Fix these by removing all instances where interrupt_mask is changed,
+while keeping the one in set_event() unchanged to enable userspace
+control the interrupt mask by writing 0/1 to /dev/uioX.
+
+Fixes: 95096f2fbd10 ("uio-hv-generic: new userspace i/o driver for VMBus")
+Suggested-by: John Starks <jostarks@microsoft.com>
+Signed-off-by: Naman Jain <namjain@linux.microsoft.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Reviewed-by: Long Li <longli@microsoft.com>
+Reviewed-by: Tianyu Lan <tiala@microsoft.com>
+Tested-by: Tianyu Lan <tiala@microsoft.com>
+Link: https://lore.kernel.org/r/20250828044200.492030-1-namjain@linux.microsoft.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/uio/uio_hv_generic.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/uio/uio_hv_generic.c
++++ b/drivers/uio/uio_hv_generic.c
+@@ -96,7 +96,6 @@ static void hv_uio_channel_cb(void *cont
+ struct hv_device *hv_dev = chan->device_obj;
+ struct hv_uio_private_data *pdata = hv_get_drvdata(hv_dev);
+
+- chan->inbound.ring_buffer->interrupt_mask = 1;
+ virt_mb();
+
+ uio_event_notify(&pdata->info);
+@@ -173,8 +172,6 @@ hv_uio_new_channel(struct vmbus_channel
+ return;
+ }
+
+- /* Disable interrupts on sub channel */
+- new_sc->inbound.ring_buffer->interrupt_mask = 1;
+ set_channel_read_mode(new_sc, HV_CALL_ISR);
+
+ ret = sysfs_create_bin_file(&new_sc->kobj, &ring_buffer_bin_attr);
+@@ -218,9 +215,7 @@ hv_uio_open(struct uio_info *info, struc
+
+ ret = vmbus_connect_ring(dev->channel,
+ hv_uio_channel_cb, dev->channel);
+- if (ret == 0)
+- dev->channel->inbound.ring_buffer->interrupt_mask = 1;
+- else
++ if (ret)
+ atomic_dec(&pdata->refcnt);
+
+ return ret;
projects / thirdparty / kernel / stable-queue.git / commitdiff
