--- /dev/null
+From 3bd5e45c2ce30e239d596becd5db720f7eb83c99 Mon Sep 17 00:00:00 2001
+From: Larshin Sergey <Sergey.Larshin@kaspersky.com>
+Date: Mon, 22 Sep 2025 16:13:58 +0300
+Subject: fs: udf: fix OOB read in lengthAllocDescs handling
+
+From: Larshin Sergey <Sergey.Larshin@kaspersky.com>
+
+commit 3bd5e45c2ce30e239d596becd5db720f7eb83c99 upstream.
+
+When parsing Allocation Extent Descriptor, lengthAllocDescs comes from
+on-disk data and must be validated against the block size. Crafted or
+corrupted images may set lengthAllocDescs so that the total descriptor
+length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,
+leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and
+trigger a KASAN use-after-free read.
+
+BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
+Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309
+
+CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:488
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
+ udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261
+ udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179
+ extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46
+ udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106
+ udf_release_file+0xc1/0x120 fs/udf/file.c:185
+ __fput+0x23f/0x880 fs/file_table.c:431
+ task_work_run+0x24f/0x310 kernel/task_work.c:239
+ exit_task_work include/linux/task_work.h:43 [inline]
+ do_exit+0xa2f/0x28e0 kernel/exit.c:939
+ do_group_exit+0x207/0x2c0 kernel/exit.c:1088
+ __do_sys_exit_group kernel/exit.c:1099 [inline]
+ __se_sys_exit_group kernel/exit.c:1097 [inline]
+ __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
+ x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+Validate the computed total length against epos->bh->b_size.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Reported-by: syzbot+8743fca924afed42f93e@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=8743fca924afed42f93e
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Larshin Sergey <Sergey.Larshin@kaspersky.com>
+Link: https://patch.msgid.link/20250922131358.745579-1-Sergey.Larshin@kaspersky.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/udf/inode.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -2109,6 +2109,9 @@ int8_t udf_current_aext(struct inode *in
+ if (check_add_overflow(sizeof(struct allocExtDesc),
+ le32_to_cpu(header->lengthAllocDescs), &alen))
+ return -1;
++
++ if (alen > epos->bh->b_size)
++ return -1;
+ }
+
+ switch (iinfo->i_alloc_type) {
--- /dev/null
+From 9c328f54741bd5465ca1dc717c84c04242fac2e1 Mon Sep 17 00:00:00 2001
+From: Deepak Sharma <deepak.sharma.472935@gmail.com>
+Date: Thu, 25 Sep 2025 18:58:46 +0530
+Subject: net: nfc: nci: Add parameter validation for packet data
+
+From: Deepak Sharma <deepak.sharma.472935@gmail.com>
+
+commit 9c328f54741bd5465ca1dc717c84c04242fac2e1 upstream.
+
+Syzbot reported an uninitialized value bug in nci_init_req, which was
+introduced by commit 5aca7966d2a7 ("Merge tag
+'perf-tools-fixes-for-v6.17-2025-09-16' of
+git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools").
+
+This bug arises due to very limited and poor input validation
+that was done at nic_valid_size(). This validation only
+validates the skb->len (directly reflects size provided at the
+userspace interface) with the length provided in the buffer
+itself (interpreted as NCI_HEADER). This leads to the processing
+of memory content at the address assuming the correct layout
+per what opcode requires there. This leads to the accesses to
+buffer of `skb_buff->data` which is not assigned anything yet.
+
+Following the same silent drop of packets of invalid sizes at
+`nic_valid_size()`, add validation of the data in the respective
+handlers and return error values in case of failure. Release
+the skb if error values are returned from handlers in
+`nci_nft_packet` and effectively do a silent drop
+
+Possible TODO: because we silently drop the packets, the
+call to `nci_request` will be waiting for completion of request
+and will face timeouts. These timeouts can get excessively logged
+in the dmesg. A proper handling of them may require to export
+`nci_request_cancel` (or propagate error handling from the
+nft packets handlers).
+
+Reported-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8
+Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
+Tested-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Deepak Sharma <deepak.sharma.472935@gmail.com>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Link: https://patch.msgid.link/20250925132846.213425-1-deepak.sharma.472935@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/nci/ntf.c | 135 +++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 99 insertions(+), 36 deletions(-)
+
+--- a/net/nfc/nci/ntf.c
++++ b/net/nfc/nci/ntf.c
+@@ -27,11 +27,16 @@
+
+ /* Handle NCI Notification packets */
+
+-static void nci_core_reset_ntf_packet(struct nci_dev *ndev,
+- const struct sk_buff *skb)
++static int nci_core_reset_ntf_packet(struct nci_dev *ndev,
++ const struct sk_buff *skb)
+ {
+ /* Handle NCI 2.x core reset notification */
+- const struct nci_core_reset_ntf *ntf = (void *)skb->data;
++ const struct nci_core_reset_ntf *ntf;
++
++ if (skb->len < sizeof(struct nci_core_reset_ntf))
++ return -EINVAL;
++
++ ntf = (struct nci_core_reset_ntf *)skb->data;
+
+ ndev->nci_ver = ntf->nci_ver;
+ pr_debug("nci_ver 0x%x, config_status 0x%x\n",
+@@ -42,15 +47,22 @@ static void nci_core_reset_ntf_packet(st
+ __le32_to_cpu(ntf->manufact_specific_info);
+
+ nci_req_complete(ndev, NCI_STATUS_OK);
++
++ return 0;
+ }
+
+-static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev,
+- struct sk_buff *skb)
++static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev,
++ struct sk_buff *skb)
+ {
+- struct nci_core_conn_credit_ntf *ntf = (void *) skb->data;
++ struct nci_core_conn_credit_ntf *ntf;
+ struct nci_conn_info *conn_info;
+ int i;
+
++ if (skb->len < sizeof(struct nci_core_conn_credit_ntf))
++ return -EINVAL;
++
++ ntf = (struct nci_core_conn_credit_ntf *)skb->data;
++
+ pr_debug("num_entries %d\n", ntf->num_entries);
+
+ if (ntf->num_entries > NCI_MAX_NUM_CONN)
+@@ -68,7 +80,7 @@ static void nci_core_conn_credits_ntf_pa
+ conn_info = nci_get_conn_info_by_conn_id(ndev,
+ ntf->conn_entries[i].conn_id);
+ if (!conn_info)
+- return;
++ return 0;
+
+ atomic_add(ntf->conn_entries[i].credits,
+ &conn_info->credits_cnt);
+@@ -77,12 +89,19 @@ static void nci_core_conn_credits_ntf_pa
+ /* trigger the next tx */
+ if (!skb_queue_empty(&ndev->tx_q))
+ queue_work(ndev->tx_wq, &ndev->tx_work);
++
++ return 0;
+ }
+
+-static void nci_core_generic_error_ntf_packet(struct nci_dev *ndev,
+- const struct sk_buff *skb)
++static int nci_core_generic_error_ntf_packet(struct nci_dev *ndev,
++ const struct sk_buff *skb)
+ {
+- __u8 status = skb->data[0];
++ __u8 status;
++
++ if (skb->len < 1)
++ return -EINVAL;
++
++ status = skb->data[0];
+
+ pr_debug("status 0x%x\n", status);
+
+@@ -91,12 +110,19 @@ static void nci_core_generic_error_ntf_p
+ (the state remains the same) */
+ nci_req_complete(ndev, status);
+ }
++
++ return 0;
+ }
+
+-static void nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev,
+- struct sk_buff *skb)
++static int nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev,
++ struct sk_buff *skb)
+ {
+- struct nci_core_intf_error_ntf *ntf = (void *) skb->data;
++ struct nci_core_intf_error_ntf *ntf;
++
++ if (skb->len < sizeof(struct nci_core_intf_error_ntf))
++ return -EINVAL;
++
++ ntf = (struct nci_core_intf_error_ntf *)skb->data;
+
+ ntf->conn_id = nci_conn_id(&ntf->conn_id);
+
+@@ -105,6 +131,8 @@ static void nci_core_conn_intf_error_ntf
+ /* complete the data exchange transaction, if exists */
+ if (test_bit(NCI_DATA_EXCHANGE, &ndev->flags))
+ nci_data_exchange_complete(ndev, NULL, ntf->conn_id, -EIO);
++
++ return 0;
+ }
+
+ static const __u8 *
+@@ -329,13 +357,18 @@ void nci_clear_target_list(struct nci_de
+ ndev->n_targets = 0;
+ }
+
+-static void nci_rf_discover_ntf_packet(struct nci_dev *ndev,
+- const struct sk_buff *skb)
++static int nci_rf_discover_ntf_packet(struct nci_dev *ndev,
++ const struct sk_buff *skb)
+ {
+ struct nci_rf_discover_ntf ntf;
+- const __u8 *data = skb->data;
++ const __u8 *data;
+ bool add_target = true;
+
++ if (skb->len < sizeof(struct nci_rf_discover_ntf))
++ return -EINVAL;
++
++ data = skb->data;
++
+ ntf.rf_discovery_id = *data++;
+ ntf.rf_protocol = *data++;
+ ntf.rf_tech_and_mode = *data++;
+@@ -390,6 +423,8 @@ static void nci_rf_discover_ntf_packet(s
+ nfc_targets_found(ndev->nfc_dev, ndev->targets,
+ ndev->n_targets);
+ }
++
++ return 0;
+ }
+
+ static int nci_extract_activation_params_iso_dep(struct nci_dev *ndev,
+@@ -531,14 +566,19 @@ static int nci_store_general_bytes_nfc_d
+ return NCI_STATUS_OK;
+ }
+
+-static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
+- const struct sk_buff *skb)
++static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
++ const struct sk_buff *skb)
+ {
+ struct nci_conn_info *conn_info;
+ struct nci_rf_intf_activated_ntf ntf;
+- const __u8 *data = skb->data;
++ const __u8 *data;
+ int err = NCI_STATUS_OK;
+
++ if (skb->len < sizeof(struct nci_rf_intf_activated_ntf))
++ return -EINVAL;
++
++ data = skb->data;
++
+ ntf.rf_discovery_id = *data++;
+ ntf.rf_interface = *data++;
+ ntf.rf_protocol = *data++;
+@@ -645,7 +685,7 @@ exit:
+ if (err == NCI_STATUS_OK) {
+ conn_info = ndev->rf_conn_info;
+ if (!conn_info)
+- return;
++ return 0;
+
+ conn_info->max_pkt_payload_len = ntf.max_data_pkt_payload_size;
+ conn_info->initial_num_credits = ntf.initial_num_credits;
+@@ -691,19 +731,26 @@ listen:
+ pr_err("error when signaling tm activation\n");
+ }
+ }
++
++ return 0;
+ }
+
+-static void nci_rf_deactivate_ntf_packet(struct nci_dev *ndev,
+- const struct sk_buff *skb)
++static int nci_rf_deactivate_ntf_packet(struct nci_dev *ndev,
++ const struct sk_buff *skb)
+ {
+ const struct nci_conn_info *conn_info;
+- const struct nci_rf_deactivate_ntf *ntf = (void *)skb->data;
++ const struct nci_rf_deactivate_ntf *ntf;
++
++ if (skb->len < sizeof(struct nci_rf_deactivate_ntf))
++ return -EINVAL;
++
++ ntf = (struct nci_rf_deactivate_ntf *)skb->data;
+
+ pr_debug("entry, type 0x%x, reason 0x%x\n", ntf->type, ntf->reason);
+
+ conn_info = ndev->rf_conn_info;
+ if (!conn_info)
+- return;
++ return 0;
+
+ /* drop tx data queue */
+ skb_queue_purge(&ndev->tx_q);
+@@ -735,14 +782,20 @@ static void nci_rf_deactivate_ntf_packet
+ }
+
+ nci_req_complete(ndev, NCI_STATUS_OK);
++
++ return 0;
+ }
+
+-static void nci_nfcee_discover_ntf_packet(struct nci_dev *ndev,
+- const struct sk_buff *skb)
++static int nci_nfcee_discover_ntf_packet(struct nci_dev *ndev,
++ const struct sk_buff *skb)
+ {
+ u8 status = NCI_STATUS_OK;
+- const struct nci_nfcee_discover_ntf *nfcee_ntf =
+- (struct nci_nfcee_discover_ntf *)skb->data;
++ const struct nci_nfcee_discover_ntf *nfcee_ntf;
++
++ if (skb->len < sizeof(struct nci_nfcee_discover_ntf))
++ return -EINVAL;
++
++ nfcee_ntf = (struct nci_nfcee_discover_ntf *)skb->data;
+
+ pr_debug("\n");
+
+@@ -755,6 +808,8 @@ static void nci_nfcee_discover_ntf_packe
+ ndev->cur_params.id = nfcee_ntf->nfcee_id;
+
+ nci_req_complete(ndev, status);
++
++ return 0;
+ }
+
+ static void nci_nfcee_action_ntf_packet(struct nci_dev *ndev,
+@@ -787,35 +842,43 @@ void nci_ntf_packet(struct nci_dev *ndev
+
+ switch (ntf_opcode) {
+ case NCI_OP_CORE_RESET_NTF:
+- nci_core_reset_ntf_packet(ndev, skb);
++ if (nci_core_reset_ntf_packet(ndev, skb))
++ goto end;
+ break;
+
+ case NCI_OP_CORE_CONN_CREDITS_NTF:
+- nci_core_conn_credits_ntf_packet(ndev, skb);
++ if (nci_core_conn_credits_ntf_packet(ndev, skb))
++ goto end;
+ break;
+
+ case NCI_OP_CORE_GENERIC_ERROR_NTF:
+- nci_core_generic_error_ntf_packet(ndev, skb);
++ if (nci_core_generic_error_ntf_packet(ndev, skb))
++ goto end;
+ break;
+
+ case NCI_OP_CORE_INTF_ERROR_NTF:
+- nci_core_conn_intf_error_ntf_packet(ndev, skb);
++ if (nci_core_conn_intf_error_ntf_packet(ndev, skb))
++ goto end;
+ break;
+
+ case NCI_OP_RF_DISCOVER_NTF:
+- nci_rf_discover_ntf_packet(ndev, skb);
++ if (nci_rf_discover_ntf_packet(ndev, skb))
++ goto end;
+ break;
+
+ case NCI_OP_RF_INTF_ACTIVATED_NTF:
+- nci_rf_intf_activated_ntf_packet(ndev, skb);
++ if (nci_rf_intf_activated_ntf_packet(ndev, skb))
++ goto end;
+ break;
+
+ case NCI_OP_RF_DEACTIVATE_NTF:
+- nci_rf_deactivate_ntf_packet(ndev, skb);
++ if (nci_rf_deactivate_ntf_packet(ndev, skb))
++ goto end;
+ break;
+
+ case NCI_OP_NFCEE_DISCOVER_NTF:
+- nci_nfcee_discover_ntf_packet(ndev, skb);
++ if (nci_nfcee_discover_ntf_packet(ndev, skb))
++ goto end;
+ break;
+
+ case NCI_OP_RF_NFCEE_ACTION_NTF:
--- /dev/null
+From b15b7d2a1b09ef5428a8db260251897405a19496 Mon Sep 17 00:00:00 2001
+From: Naman Jain <namjain@linux.microsoft.com>
+Date: Thu, 28 Aug 2025 10:12:00 +0530
+Subject: uio_hv_generic: Let userspace take care of interrupt mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Naman Jain <namjain@linux.microsoft.com>
+
+commit b15b7d2a1b09ef5428a8db260251897405a19496 upstream.
+
+Remove the logic to set interrupt mask by default in uio_hv_generic
+driver as the interrupt mask value is supposed to be controlled
+completely by the user space. If the mask bit gets changed
+by the driver, concurrently with user mode operating on the ring,
+the mask bit may be set when it is supposed to be clear, and the
+user-mode driver will miss an interrupt which will cause a hang.
+
+For eg- when the driver sets inbound ring buffer interrupt mask to 1,
+the host does not interrupt the guest on the UIO VMBus channel.
+However, setting the mask does not prevent the host from putting a
+message in the inbound ring buffer. So let’s assume that happens,
+the host puts a message into the ring buffer but does not interrupt.
+
+Subsequently, the user space code in the guest sets the inbound ring
+buffer interrupt mask to 0, saying “Hey, I’m ready for interrupts”.
+User space code then calls pread() to wait for an interrupt.
+Then one of two things happens:
+
+* The host never sends another message. So the pread() waits forever.
+* The host does send another message. But because there’s already a
+ message in the ring buffer, it doesn’t generate an interrupt.
+ This is the correct behavior, because the host should only send an
+ interrupt when the inbound ring buffer transitions from empty to
+ not-empty. Adding an additional message to a ring buffer that is not
+ empty is not supposed to generate an interrupt on the guest.
+ Since the guest is waiting in pread() and not removing messages from
+ the ring buffer, the pread() waits forever.
+
+This could be easily reproduced in hv_fcopy_uio_daemon if we delay
+setting interrupt mask to 0.
+
+Similarly if hv_uio_channel_cb() sets the interrupt_mask to 1,
+there’s a race condition. Once user space empties the inbound ring
+buffer, but before user space sets interrupt_mask to 0, the host could
+put another message in the ring buffer but it wouldn’t interrupt.
+Then the next pread() would hang.
+
+Fix these by removing all instances where interrupt_mask is changed,
+while keeping the one in set_event() unchanged to enable userspace
+control the interrupt mask by writing 0/1 to /dev/uioX.
+
+Fixes: 95096f2fbd10 ("uio-hv-generic: new userspace i/o driver for VMBus")
+Suggested-by: John Starks <jostarks@microsoft.com>
+Signed-off-by: Naman Jain <namjain@linux.microsoft.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Reviewed-by: Long Li <longli@microsoft.com>
+Reviewed-by: Tianyu Lan <tiala@microsoft.com>
+Tested-by: Tianyu Lan <tiala@microsoft.com>
+Link: https://lore.kernel.org/r/20250828044200.492030-1-namjain@linux.microsoft.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/uio/uio_hv_generic.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/uio/uio_hv_generic.c
++++ b/drivers/uio/uio_hv_generic.c
+@@ -96,7 +96,6 @@ static void hv_uio_channel_cb(void *cont
+ struct hv_device *hv_dev = chan->device_obj;
+ struct hv_uio_private_data *pdata = hv_get_drvdata(hv_dev);
+
+- chan->inbound.ring_buffer->interrupt_mask = 1;
+ virt_mb();
+
+ uio_event_notify(&pdata->info);
+@@ -173,8 +172,6 @@ hv_uio_new_channel(struct vmbus_channel
+ return;
+ }
+
+- /* Disable interrupts on sub channel */
+- new_sc->inbound.ring_buffer->interrupt_mask = 1;
+ set_channel_read_mode(new_sc, HV_CALL_ISR);
+
+ ret = sysfs_create_bin_file(&new_sc->kobj, &ring_buffer_bin_attr);
+@@ -218,9 +215,7 @@ hv_uio_open(struct uio_info *info, struc
+
+ ret = vmbus_connect_ring(dev->channel,
+ hv_uio_channel_cb, dev->channel);
+- if (ret == 0)
+- dev->channel->inbound.ring_buffer->interrupt_mask = 1;
+- else
++ if (ret)
+ atomic_dec(&pdata->refcnt);
+
+ return ret;
projects / thirdparty / kernel / stable-queue.git / commitdiff
