From 3f5025593bf44c3cf9906bdc8791243f21bda9fe Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 13 Oct 2025 10:42:30 +0200 Subject: [PATCH] 6.6-stable patches added patches: asoc-sof-ipc3-topology-fix-multi-core-and-static-pipelines-tear-down.patch asoc-wcd934x-fix-error-handling-in-wcd934x_codec_parse_data.patch fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch mfd-rz-mtu3-fix-mtu5-nfcr-register-offset.patch mfd-vexpress-sysreg-check-the-return-value-of-devm_gpiochip_add_data.patch net-nfc-nci-add-parameter-validation-for-packet-data.patch uio_hv_generic-let-userspace-take-care-of-interrupt-mask.patch --- ...-core-and-static-pipelines-tear-down.patch | 57 +++ ...handling-in-wcd934x_codec_parse_data.patch | 81 +++++ ...ob-read-in-lengthallocdescs-handling.patch | 76 ++++ ...z-mtu3-fix-mtu5-nfcr-register-offset.patch | 40 ++ ...turn-value-of-devm_gpiochip_add_data.patch | 48 +++ ...parameter-validation-for-packet-data.patch | 342 ++++++++++++++++++ queue-6.6/series | 7 + ...serspace-take-care-of-interrupt-mask.patch | 97 +++++ 8 files changed, 748 insertions(+) create mode 100644 queue-6.6/asoc-sof-ipc3-topology-fix-multi-core-and-static-pipelines-tear-down.patch create mode 100644 queue-6.6/asoc-wcd934x-fix-error-handling-in-wcd934x_codec_parse_data.patch create mode 100644 queue-6.6/fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch create mode 100644 queue-6.6/mfd-rz-mtu3-fix-mtu5-nfcr-register-offset.patch create mode 100644 queue-6.6/mfd-vexpress-sysreg-check-the-return-value-of-devm_gpiochip_add_data.patch create mode 100644 queue-6.6/net-nfc-nci-add-parameter-validation-for-packet-data.patch create mode 100644 queue-6.6/uio_hv_generic-let-userspace-take-care-of-interrupt-mask.patch diff --git a/queue-6.6/asoc-sof-ipc3-topology-fix-multi-core-and-static-pipelines-tear-down.patch b/queue-6.6/asoc-sof-ipc3-topology-fix-multi-core-and-static-pipelines-tear-down.patch new file mode 100644 index 0000000000..adbe818416 --- /dev/null +++ b/queue-6.6/asoc-sof-ipc3-topology-fix-multi-core-and-static-pipelines-tear-down.patch @@ -0,0 +1,57 @@ +From 59abe7bc7e7c70e9066b3e46874d1b7e6a13de14 Mon Sep 17 00:00:00 2001 +From: Ranjani Sridharan +Date: Thu, 2 Oct 2025 10:31:25 +0300 +Subject: ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ranjani Sridharan + +commit 59abe7bc7e7c70e9066b3e46874d1b7e6a13de14 upstream. + +In the case of static pipelines, freeing the widgets in the pipelines +that were not suspended after freeing the scheduler widgets results in +errors because the secondary cores are powered off when the scheduler +widgets are freed. Fix this by tearing down the leftover pipelines before +powering off the secondary cores. + +Cc: stable@vger.kernel.org +Fixes: d7332c4a4f1a ("ASoC: SOF: ipc3-topology: Fix pipeline tear down logic") +Signed-off-by: Ranjani Sridharan +Reviewed-by: Péter Ujfalusi +Reviewed-by: Kai Vehmanen +Signed-off-by: Peter Ujfalusi +Link: https://patch.msgid.link/20251002073125.32471-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/sof/ipc3-topology.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/sound/soc/sof/ipc3-topology.c ++++ b/sound/soc/sof/ipc3-topology.c +@@ -2394,11 +2394,6 @@ static int sof_ipc3_tear_down_all_pipeli + if (ret < 0) + return ret; + +- /* free all the scheduler widgets now */ +- ret = sof_ipc3_free_widgets_in_list(sdev, true, &dyn_widgets, verify); +- if (ret < 0) +- return ret; +- + /* + * Tear down all pipelines associated with PCMs that did not get suspended + * and unset the prepare flag so that they can be set up again during resume. +@@ -2414,6 +2409,11 @@ static int sof_ipc3_tear_down_all_pipeli + } + } + ++ /* free all the scheduler widgets now. This will also power down the secondary cores */ ++ ret = sof_ipc3_free_widgets_in_list(sdev, true, &dyn_widgets, verify); ++ if (ret < 0) ++ return ret; ++ + list_for_each_entry(sroute, &sdev->route_list, list) + sroute->setup = false; + diff --git a/queue-6.6/asoc-wcd934x-fix-error-handling-in-wcd934x_codec_parse_data.patch b/queue-6.6/asoc-wcd934x-fix-error-handling-in-wcd934x_codec_parse_data.patch new file mode 100644 index 0000000000..37db659208 --- /dev/null +++ b/queue-6.6/asoc-wcd934x-fix-error-handling-in-wcd934x_codec_parse_data.patch @@ -0,0 +1,81 @@ +From 4e65bda8273c938039403144730923e77916a3d7 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Tue, 23 Sep 2025 14:52:12 +0800 +Subject: ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data() + +From: Ma Ke + +commit 4e65bda8273c938039403144730923e77916a3d7 upstream. + +wcd934x_codec_parse_data() contains a device reference count leak in +of_slim_get_device() where device_find_child() increases the reference +count of the device but this reference is not properly decreased in +the success path. Add put_device() in wcd934x_codec_parse_data() and +add devm_add_action_or_reset() in the probe function, which ensures +that the reference count of the device is correctly managed. + +Memory leak in regmap_init_slimbus() as the allocated regmap is not +released when the device is removed. Using devm_regmap_init_slimbus() +instead of regmap_init_slimbus() to ensure automatic regmap cleanup on +device removal. + +Calling path: of_slim_get_device() -> of_find_slim_device() -> +device_find_child(). As comment of device_find_child() says, 'NOTE: +you will need to drop the reference with put_device() after use.'. + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec") +Signed-off-by: Ma Ke +Reviewed-by: Dmitry Baryshkov +Link: https://patch.msgid.link/20250923065212.26660-1-make24@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd934x.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/sound/soc/codecs/wcd934x.c ++++ b/sound/soc/codecs/wcd934x.c +@@ -5858,6 +5858,13 @@ static const struct snd_soc_component_dr + .endianness = 1, + }; + ++static void wcd934x_put_device_action(void *data) ++{ ++ struct device *dev = data; ++ ++ put_device(dev); ++} ++ + static int wcd934x_codec_parse_data(struct wcd934x_codec *wcd) + { + struct device *dev = &wcd->sdev->dev; +@@ -5878,11 +5885,13 @@ static int wcd934x_codec_parse_data(stru + } + + slim_get_logical_addr(wcd->sidev); +- wcd->if_regmap = regmap_init_slimbus(wcd->sidev, ++ wcd->if_regmap = devm_regmap_init_slimbus(wcd->sidev, + &wcd934x_ifc_regmap_config); +- if (IS_ERR(wcd->if_regmap)) ++ if (IS_ERR(wcd->if_regmap)) { ++ put_device(&wcd->sidev->dev); + return dev_err_probe(dev, PTR_ERR(wcd->if_regmap), + "Failed to allocate ifc register map\n"); ++ } + + of_property_read_u32(dev->parent->of_node, "qcom,dmic-sample-rate", + &wcd->dmic_sample_rate); +@@ -5926,6 +5935,10 @@ static int wcd934x_codec_probe(struct pl + return ret; + } + ++ ret = devm_add_action_or_reset(dev, wcd934x_put_device_action, &wcd->sidev->dev); ++ if (ret) ++ return ret; ++ + /* set default rate 9P6MHz */ + regmap_update_bits(wcd->regmap, WCD934X_CODEC_RPM_CLK_MCLK_CFG, + WCD934X_CODEC_RPM_CLK_MCLK_CFG_MCLK_MASK, diff --git a/queue-6.6/fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch b/queue-6.6/fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch new file mode 100644 index 0000000000..1fac802eec --- /dev/null +++ b/queue-6.6/fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch @@ -0,0 +1,76 @@ +From 3bd5e45c2ce30e239d596becd5db720f7eb83c99 Mon Sep 17 00:00:00 2001 +From: Larshin Sergey +Date: Mon, 22 Sep 2025 16:13:58 +0300 +Subject: fs: udf: fix OOB read in lengthAllocDescs handling + +From: Larshin Sergey + +commit 3bd5e45c2ce30e239d596becd5db720f7eb83c99 upstream. + +When parsing Allocation Extent Descriptor, lengthAllocDescs comes from +on-disk data and must be validated against the block size. Crafted or +corrupted images may set lengthAllocDescs so that the total descriptor +length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, +leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and +trigger a KASAN use-after-free read. + +BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 +Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309 + +CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0x169/0x550 mm/kasan/report.c:488 + kasan_report+0x143/0x180 mm/kasan/report.c:601 + crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 + udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261 + udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179 + extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46 + udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106 + udf_release_file+0xc1/0x120 fs/udf/file.c:185 + __fput+0x23f/0x880 fs/file_table.c:431 + task_work_run+0x24f/0x310 kernel/task_work.c:239 + exit_task_work include/linux/task_work.h:43 [inline] + do_exit+0xa2f/0x28e0 kernel/exit.c:939 + do_group_exit+0x207/0x2c0 kernel/exit.c:1088 + __do_sys_exit_group kernel/exit.c:1099 [inline] + __se_sys_exit_group kernel/exit.c:1097 [inline] + __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097 + x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +Validate the computed total length against epos->bh->b_size. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Reported-by: syzbot+8743fca924afed42f93e@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=8743fca924afed42f93e +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Larshin Sergey +Link: https://patch.msgid.link/20250922131358.745579-1-Sergey.Larshin@kaspersky.com +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/udf/inode.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -2265,6 +2265,9 @@ int udf_current_aext(struct inode *inode + if (check_add_overflow(sizeof(struct allocExtDesc), + le32_to_cpu(header->lengthAllocDescs), &alen)) + return -1; ++ ++ if (alen > epos->bh->b_size) ++ return -1; + } + + switch (iinfo->i_alloc_type) { diff --git a/queue-6.6/mfd-rz-mtu3-fix-mtu5-nfcr-register-offset.patch b/queue-6.6/mfd-rz-mtu3-fix-mtu5-nfcr-register-offset.patch new file mode 100644 index 0000000000..5985832448 --- /dev/null +++ b/queue-6.6/mfd-rz-mtu3-fix-mtu5-nfcr-register-offset.patch @@ -0,0 +1,40 @@ +From da32b0e82c523b76265ba1ad25d7ea74f0ece402 Mon Sep 17 00:00:00 2001 +From: Cosmin Tanislav +Date: Wed, 10 Sep 2025 20:59:06 +0300 +Subject: mfd: rz-mtu3: Fix MTU5 NFCR register offset + +From: Cosmin Tanislav + +commit da32b0e82c523b76265ba1ad25d7ea74f0ece402 upstream. + +The NFCR register for MTU5 is at 0x1a95 offset according to Datasheet +Page 725, Table 16.4. The address of all registers is offset by 0x1200, +making the proper address of MTU5 NFCR register be 0x895. + +Cc: stable@vger.kernel.org +Fixes: 654c293e1687 ("mfd: Add Renesas RZ/G2L MTU3a core driver") +Signed-off-by: Cosmin Tanislav +Reviewed-by: Biju Das +Link: https://lore.kernel.org/r/20250910175914.12956-1-cosmin-gabriel.tanislav.xa@renesas.com +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mfd/rz-mtu3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mfd/rz-mtu3.c b/drivers/mfd/rz-mtu3.c +index f3dac4a29a83..9cdfef610398 100644 +--- a/drivers/mfd/rz-mtu3.c ++++ b/drivers/mfd/rz-mtu3.c +@@ -32,7 +32,7 @@ static const unsigned long rz_mtu3_8bit_ch_reg_offs[][13] = { + [RZ_MTU3_CHAN_2] = MTU_8BIT_CH_1_2(0x204, 0x092, 0x205, 0x200, 0x20c, 0x201, 0x202), + [RZ_MTU3_CHAN_3] = MTU_8BIT_CH_3_4_6_7(0x008, 0x093, 0x02c, 0x000, 0x04c, 0x002, 0x004, 0x005, 0x038), + [RZ_MTU3_CHAN_4] = MTU_8BIT_CH_3_4_6_7(0x009, 0x094, 0x02d, 0x001, 0x04d, 0x003, 0x006, 0x007, 0x039), +- [RZ_MTU3_CHAN_5] = MTU_8BIT_CH_5(0xab2, 0x1eb, 0xab4, 0xab6, 0xa84, 0xa85, 0xa86, 0xa94, 0xa95, 0xa96, 0xaa4, 0xaa5, 0xaa6), ++ [RZ_MTU3_CHAN_5] = MTU_8BIT_CH_5(0xab2, 0x895, 0xab4, 0xab6, 0xa84, 0xa85, 0xa86, 0xa94, 0xa95, 0xa96, 0xaa4, 0xaa5, 0xaa6), + [RZ_MTU3_CHAN_6] = MTU_8BIT_CH_3_4_6_7(0x808, 0x893, 0x82c, 0x800, 0x84c, 0x802, 0x804, 0x805, 0x838), + [RZ_MTU3_CHAN_7] = MTU_8BIT_CH_3_4_6_7(0x809, 0x894, 0x82d, 0x801, 0x84d, 0x803, 0x806, 0x807, 0x839), + [RZ_MTU3_CHAN_8] = MTU_8BIT_CH_8(0x404, 0x098, 0x400, 0x406, 0x401, 0x402, 0x403) +-- +2.51.0 + diff --git a/queue-6.6/mfd-vexpress-sysreg-check-the-return-value-of-devm_gpiochip_add_data.patch b/queue-6.6/mfd-vexpress-sysreg-check-the-return-value-of-devm_gpiochip_add_data.patch new file mode 100644 index 0000000000..59ea380d68 --- /dev/null +++ b/queue-6.6/mfd-vexpress-sysreg-check-the-return-value-of-devm_gpiochip_add_data.patch @@ -0,0 +1,48 @@ +From 1efbee6852f1ff698a9981bd731308dd027189fb Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Mon, 11 Aug 2025 15:36:16 +0200 +Subject: mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data() + +From: Bartosz Golaszewski + +commit 1efbee6852f1ff698a9981bd731308dd027189fb upstream. + +Commit 974cc7b93441 ("mfd: vexpress: Define the device as MFD cells") +removed the return value check from the call to gpiochip_add_data() (or +rather gpiochip_add() back then and later converted to devres) with no +explanation. This function however can still fail, so check the return +value and bail-out if it does. + +Cc: stable@vger.kernel.org +Fixes: 974cc7b93441 ("mfd: vexpress: Define the device as MFD cells") +Signed-off-by: Bartosz Golaszewski +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20250811-gpio-mmio-mfd-conv-v1-1-68c5c958cf80@linaro.org +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mfd/vexpress-sysreg.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/mfd/vexpress-sysreg.c ++++ b/drivers/mfd/vexpress-sysreg.c +@@ -90,6 +90,7 @@ static int vexpress_sysreg_probe(struct + struct resource *mem; + void __iomem *base; + struct gpio_chip *mmc_gpio_chip; ++ int ret; + + mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); + if (!mem) +@@ -110,7 +111,10 @@ static int vexpress_sysreg_probe(struct + bgpio_init(mmc_gpio_chip, &pdev->dev, 0x4, base + SYS_MCI, + NULL, NULL, NULL, NULL, 0); + mmc_gpio_chip->ngpio = 2; +- devm_gpiochip_add_data(&pdev->dev, mmc_gpio_chip, NULL); ++ ++ ret = devm_gpiochip_add_data(&pdev->dev, mmc_gpio_chip, NULL); ++ if (ret) ++ return ret; + + return devm_mfd_add_devices(&pdev->dev, PLATFORM_DEVID_AUTO, + vexpress_sysreg_cells, diff --git a/queue-6.6/net-nfc-nci-add-parameter-validation-for-packet-data.patch b/queue-6.6/net-nfc-nci-add-parameter-validation-for-packet-data.patch new file mode 100644 index 0000000000..d79e70d6df --- /dev/null +++ b/queue-6.6/net-nfc-nci-add-parameter-validation-for-packet-data.patch @@ -0,0 +1,342 @@ +From 9c328f54741bd5465ca1dc717c84c04242fac2e1 Mon Sep 17 00:00:00 2001 +From: Deepak Sharma +Date: Thu, 25 Sep 2025 18:58:46 +0530 +Subject: net: nfc: nci: Add parameter validation for packet data + +From: Deepak Sharma + +commit 9c328f54741bd5465ca1dc717c84c04242fac2e1 upstream. + +Syzbot reported an uninitialized value bug in nci_init_req, which was +introduced by commit 5aca7966d2a7 ("Merge tag +'perf-tools-fixes-for-v6.17-2025-09-16' of +git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools"). + +This bug arises due to very limited and poor input validation +that was done at nic_valid_size(). This validation only +validates the skb->len (directly reflects size provided at the +userspace interface) with the length provided in the buffer +itself (interpreted as NCI_HEADER). This leads to the processing +of memory content at the address assuming the correct layout +per what opcode requires there. This leads to the accesses to +buffer of `skb_buff->data` which is not assigned anything yet. + +Following the same silent drop of packets of invalid sizes at +`nic_valid_size()`, add validation of the data in the respective +handlers and return error values in case of failure. Release +the skb if error values are returned from handlers in +`nci_nft_packet` and effectively do a silent drop + +Possible TODO: because we silently drop the packets, the +call to `nci_request` will be waiting for completion of request +and will face timeouts. These timeouts can get excessively logged +in the dmesg. A proper handling of them may require to export +`nci_request_cancel` (or propagate error handling from the +nft packets handlers). + +Reported-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8 +Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") +Tested-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Deepak Sharma +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20250925132846.213425-1-deepak.sharma.472935@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/nci/ntf.c | 135 +++++++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 99 insertions(+), 36 deletions(-) + +--- a/net/nfc/nci/ntf.c ++++ b/net/nfc/nci/ntf.c +@@ -27,11 +27,16 @@ + + /* Handle NCI Notification packets */ + +-static void nci_core_reset_ntf_packet(struct nci_dev *ndev, +- const struct sk_buff *skb) ++static int nci_core_reset_ntf_packet(struct nci_dev *ndev, ++ const struct sk_buff *skb) + { + /* Handle NCI 2.x core reset notification */ +- const struct nci_core_reset_ntf *ntf = (void *)skb->data; ++ const struct nci_core_reset_ntf *ntf; ++ ++ if (skb->len < sizeof(struct nci_core_reset_ntf)) ++ return -EINVAL; ++ ++ ntf = (struct nci_core_reset_ntf *)skb->data; + + ndev->nci_ver = ntf->nci_ver; + pr_debug("nci_ver 0x%x, config_status 0x%x\n", +@@ -42,15 +47,22 @@ static void nci_core_reset_ntf_packet(st + __le32_to_cpu(ntf->manufact_specific_info); + + nci_req_complete(ndev, NCI_STATUS_OK); ++ ++ return 0; + } + +-static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, +- struct sk_buff *skb) ++static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, ++ struct sk_buff *skb) + { +- struct nci_core_conn_credit_ntf *ntf = (void *) skb->data; ++ struct nci_core_conn_credit_ntf *ntf; + struct nci_conn_info *conn_info; + int i; + ++ if (skb->len < sizeof(struct nci_core_conn_credit_ntf)) ++ return -EINVAL; ++ ++ ntf = (struct nci_core_conn_credit_ntf *)skb->data; ++ + pr_debug("num_entries %d\n", ntf->num_entries); + + if (ntf->num_entries > NCI_MAX_NUM_CONN) +@@ -68,7 +80,7 @@ static void nci_core_conn_credits_ntf_pa + conn_info = nci_get_conn_info_by_conn_id(ndev, + ntf->conn_entries[i].conn_id); + if (!conn_info) +- return; ++ return 0; + + atomic_add(ntf->conn_entries[i].credits, + &conn_info->credits_cnt); +@@ -77,12 +89,19 @@ static void nci_core_conn_credits_ntf_pa + /* trigger the next tx */ + if (!skb_queue_empty(&ndev->tx_q)) + queue_work(ndev->tx_wq, &ndev->tx_work); ++ ++ return 0; + } + +-static void nci_core_generic_error_ntf_packet(struct nci_dev *ndev, +- const struct sk_buff *skb) ++static int nci_core_generic_error_ntf_packet(struct nci_dev *ndev, ++ const struct sk_buff *skb) + { +- __u8 status = skb->data[0]; ++ __u8 status; ++ ++ if (skb->len < 1) ++ return -EINVAL; ++ ++ status = skb->data[0]; + + pr_debug("status 0x%x\n", status); + +@@ -91,12 +110,19 @@ static void nci_core_generic_error_ntf_p + (the state remains the same) */ + nci_req_complete(ndev, status); + } ++ ++ return 0; + } + +-static void nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, +- struct sk_buff *skb) ++static int nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, ++ struct sk_buff *skb) + { +- struct nci_core_intf_error_ntf *ntf = (void *) skb->data; ++ struct nci_core_intf_error_ntf *ntf; ++ ++ if (skb->len < sizeof(struct nci_core_intf_error_ntf)) ++ return -EINVAL; ++ ++ ntf = (struct nci_core_intf_error_ntf *)skb->data; + + ntf->conn_id = nci_conn_id(&ntf->conn_id); + +@@ -105,6 +131,8 @@ static void nci_core_conn_intf_error_ntf + /* complete the data exchange transaction, if exists */ + if (test_bit(NCI_DATA_EXCHANGE, &ndev->flags)) + nci_data_exchange_complete(ndev, NULL, ntf->conn_id, -EIO); ++ ++ return 0; + } + + static const __u8 * +@@ -329,13 +357,18 @@ void nci_clear_target_list(struct nci_de + ndev->n_targets = 0; + } + +-static void nci_rf_discover_ntf_packet(struct nci_dev *ndev, +- const struct sk_buff *skb) ++static int nci_rf_discover_ntf_packet(struct nci_dev *ndev, ++ const struct sk_buff *skb) + { + struct nci_rf_discover_ntf ntf; +- const __u8 *data = skb->data; ++ const __u8 *data; + bool add_target = true; + ++ if (skb->len < sizeof(struct nci_rf_discover_ntf)) ++ return -EINVAL; ++ ++ data = skb->data; ++ + ntf.rf_discovery_id = *data++; + ntf.rf_protocol = *data++; + ntf.rf_tech_and_mode = *data++; +@@ -390,6 +423,8 @@ static void nci_rf_discover_ntf_packet(s + nfc_targets_found(ndev->nfc_dev, ndev->targets, + ndev->n_targets); + } ++ ++ return 0; + } + + static int nci_extract_activation_params_iso_dep(struct nci_dev *ndev, +@@ -531,14 +566,19 @@ static int nci_store_general_bytes_nfc_d + return NCI_STATUS_OK; + } + +-static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, +- const struct sk_buff *skb) ++static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, ++ const struct sk_buff *skb) + { + struct nci_conn_info *conn_info; + struct nci_rf_intf_activated_ntf ntf; +- const __u8 *data = skb->data; ++ const __u8 *data; + int err = NCI_STATUS_OK; + ++ if (skb->len < sizeof(struct nci_rf_intf_activated_ntf)) ++ return -EINVAL; ++ ++ data = skb->data; ++ + ntf.rf_discovery_id = *data++; + ntf.rf_interface = *data++; + ntf.rf_protocol = *data++; +@@ -645,7 +685,7 @@ exit: + if (err == NCI_STATUS_OK) { + conn_info = ndev->rf_conn_info; + if (!conn_info) +- return; ++ return 0; + + conn_info->max_pkt_payload_len = ntf.max_data_pkt_payload_size; + conn_info->initial_num_credits = ntf.initial_num_credits; +@@ -691,19 +731,26 @@ listen: + pr_err("error when signaling tm activation\n"); + } + } ++ ++ return 0; + } + +-static void nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, +- const struct sk_buff *skb) ++static int nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, ++ const struct sk_buff *skb) + { + const struct nci_conn_info *conn_info; +- const struct nci_rf_deactivate_ntf *ntf = (void *)skb->data; ++ const struct nci_rf_deactivate_ntf *ntf; ++ ++ if (skb->len < sizeof(struct nci_rf_deactivate_ntf)) ++ return -EINVAL; ++ ++ ntf = (struct nci_rf_deactivate_ntf *)skb->data; + + pr_debug("entry, type 0x%x, reason 0x%x\n", ntf->type, ntf->reason); + + conn_info = ndev->rf_conn_info; + if (!conn_info) +- return; ++ return 0; + + /* drop tx data queue */ + skb_queue_purge(&ndev->tx_q); +@@ -735,14 +782,20 @@ static void nci_rf_deactivate_ntf_packet + } + + nci_req_complete(ndev, NCI_STATUS_OK); ++ ++ return 0; + } + +-static void nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, +- const struct sk_buff *skb) ++static int nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, ++ const struct sk_buff *skb) + { + u8 status = NCI_STATUS_OK; +- const struct nci_nfcee_discover_ntf *nfcee_ntf = +- (struct nci_nfcee_discover_ntf *)skb->data; ++ const struct nci_nfcee_discover_ntf *nfcee_ntf; ++ ++ if (skb->len < sizeof(struct nci_nfcee_discover_ntf)) ++ return -EINVAL; ++ ++ nfcee_ntf = (struct nci_nfcee_discover_ntf *)skb->data; + + /* NFCForum NCI 9.2.1 HCI Network Specific Handling + * If the NFCC supports the HCI Network, it SHALL return one, +@@ -753,6 +806,8 @@ static void nci_nfcee_discover_ntf_packe + ndev->cur_params.id = nfcee_ntf->nfcee_id; + + nci_req_complete(ndev, status); ++ ++ return 0; + } + + void nci_ntf_packet(struct nci_dev *ndev, struct sk_buff *skb) +@@ -779,35 +834,43 @@ void nci_ntf_packet(struct nci_dev *ndev + + switch (ntf_opcode) { + case NCI_OP_CORE_RESET_NTF: +- nci_core_reset_ntf_packet(ndev, skb); ++ if (nci_core_reset_ntf_packet(ndev, skb)) ++ goto end; + break; + + case NCI_OP_CORE_CONN_CREDITS_NTF: +- nci_core_conn_credits_ntf_packet(ndev, skb); ++ if (nci_core_conn_credits_ntf_packet(ndev, skb)) ++ goto end; + break; + + case NCI_OP_CORE_GENERIC_ERROR_NTF: +- nci_core_generic_error_ntf_packet(ndev, skb); ++ if (nci_core_generic_error_ntf_packet(ndev, skb)) ++ goto end; + break; + + case NCI_OP_CORE_INTF_ERROR_NTF: +- nci_core_conn_intf_error_ntf_packet(ndev, skb); ++ if (nci_core_conn_intf_error_ntf_packet(ndev, skb)) ++ goto end; + break; + + case NCI_OP_RF_DISCOVER_NTF: +- nci_rf_discover_ntf_packet(ndev, skb); ++ if (nci_rf_discover_ntf_packet(ndev, skb)) ++ goto end; + break; + + case NCI_OP_RF_INTF_ACTIVATED_NTF: +- nci_rf_intf_activated_ntf_packet(ndev, skb); ++ if (nci_rf_intf_activated_ntf_packet(ndev, skb)) ++ goto end; + break; + + case NCI_OP_RF_DEACTIVATE_NTF: +- nci_rf_deactivate_ntf_packet(ndev, skb); ++ if (nci_rf_deactivate_ntf_packet(ndev, skb)) ++ goto end; + break; + + case NCI_OP_NFCEE_DISCOVER_NTF: +- nci_nfcee_discover_ntf_packet(ndev, skb); ++ if (nci_nfcee_discover_ntf_packet(ndev, skb)) ++ goto end; + break; + + case NCI_OP_RF_NFCEE_ACTION_NTF: diff --git a/queue-6.6/series b/queue-6.6/series index 443f46f86a..0f7957aca3 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -168,3 +168,10 @@ revert-net-mlx5e-update-and-set-xon-xoff-upon-mtu-se.patch vhost-vringh-modify-the-return-value-check.patch bpf-reject-negative-offsets-for-alu-ops.patch squashfs-fix-uninit-value-in-squashfs_get_parent.patch +uio_hv_generic-let-userspace-take-care-of-interrupt-mask.patch +asoc-wcd934x-fix-error-handling-in-wcd934x_codec_parse_data.patch +asoc-sof-ipc3-topology-fix-multi-core-and-static-pipelines-tear-down.patch +fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch +net-nfc-nci-add-parameter-validation-for-packet-data.patch +mfd-rz-mtu3-fix-mtu5-nfcr-register-offset.patch +mfd-vexpress-sysreg-check-the-return-value-of-devm_gpiochip_add_data.patch diff --git a/queue-6.6/uio_hv_generic-let-userspace-take-care-of-interrupt-mask.patch b/queue-6.6/uio_hv_generic-let-userspace-take-care-of-interrupt-mask.patch new file mode 100644 index 0000000000..2ffd512ddb --- /dev/null +++ b/queue-6.6/uio_hv_generic-let-userspace-take-care-of-interrupt-mask.patch @@ -0,0 +1,97 @@ +From b15b7d2a1b09ef5428a8db260251897405a19496 Mon Sep 17 00:00:00 2001 +From: Naman Jain +Date: Thu, 28 Aug 2025 10:12:00 +0530 +Subject: uio_hv_generic: Let userspace take care of interrupt mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Naman Jain + +commit b15b7d2a1b09ef5428a8db260251897405a19496 upstream. + +Remove the logic to set interrupt mask by default in uio_hv_generic +driver as the interrupt mask value is supposed to be controlled +completely by the user space. If the mask bit gets changed +by the driver, concurrently with user mode operating on the ring, +the mask bit may be set when it is supposed to be clear, and the +user-mode driver will miss an interrupt which will cause a hang. + +For eg- when the driver sets inbound ring buffer interrupt mask to 1, +the host does not interrupt the guest on the UIO VMBus channel. +However, setting the mask does not prevent the host from putting a +message in the inbound ring buffer. So let’s assume that happens, +the host puts a message into the ring buffer but does not interrupt. + +Subsequently, the user space code in the guest sets the inbound ring +buffer interrupt mask to 0, saying “Hey, I’m ready for interrupts”. +User space code then calls pread() to wait for an interrupt. +Then one of two things happens: + +* The host never sends another message. So the pread() waits forever. +* The host does send another message. But because there’s already a + message in the ring buffer, it doesn’t generate an interrupt. + This is the correct behavior, because the host should only send an + interrupt when the inbound ring buffer transitions from empty to + not-empty. Adding an additional message to a ring buffer that is not + empty is not supposed to generate an interrupt on the guest. + Since the guest is waiting in pread() and not removing messages from + the ring buffer, the pread() waits forever. + +This could be easily reproduced in hv_fcopy_uio_daemon if we delay +setting interrupt mask to 0. + +Similarly if hv_uio_channel_cb() sets the interrupt_mask to 1, +there’s a race condition. Once user space empties the inbound ring +buffer, but before user space sets interrupt_mask to 0, the host could +put another message in the ring buffer but it wouldn’t interrupt. +Then the next pread() would hang. + +Fix these by removing all instances where interrupt_mask is changed, +while keeping the one in set_event() unchanged to enable userspace +control the interrupt mask by writing 0/1 to /dev/uioX. + +Fixes: 95096f2fbd10 ("uio-hv-generic: new userspace i/o driver for VMBus") +Suggested-by: John Starks +Signed-off-by: Naman Jain +Cc: stable@vger.kernel.org +Reviewed-by: Michael Kelley +Reviewed-by: Long Li +Reviewed-by: Tianyu Lan +Tested-by: Tianyu Lan +Link: https://lore.kernel.org/r/20250828044200.492030-1-namjain@linux.microsoft.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/uio/uio_hv_generic.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/drivers/uio/uio_hv_generic.c ++++ b/drivers/uio/uio_hv_generic.c +@@ -96,7 +96,6 @@ static void hv_uio_channel_cb(void *cont + struct hv_device *hv_dev = chan->device_obj; + struct hv_uio_private_data *pdata = hv_get_drvdata(hv_dev); + +- chan->inbound.ring_buffer->interrupt_mask = 1; + virt_mb(); + + uio_event_notify(&pdata->info); +@@ -173,8 +172,6 @@ hv_uio_new_channel(struct vmbus_channel + return; + } + +- /* Disable interrupts on sub channel */ +- new_sc->inbound.ring_buffer->interrupt_mask = 1; + set_channel_read_mode(new_sc, HV_CALL_ISR); + + ret = sysfs_create_bin_file(&new_sc->kobj, &ring_buffer_bin_attr); +@@ -218,9 +215,7 @@ hv_uio_open(struct uio_info *info, struc + + ret = vmbus_connect_ring(dev->channel, + hv_uio_channel_cb, dev->channel); +- if (ret == 0) +- dev->channel->inbound.ring_buffer->interrupt_mask = 1; +- else ++ if (ret) + atomic_dec(&pdata->refcnt); + + return ret; -- 2.47.3