Commit 54e08dbe8f for qemu.org

commit 54e08dbe8f2aeca57e3b1a5eab09a9fec88c1c67
Author: Matt Turner <mattst88@gmail.com>
Date:   Thu Jun 18 09:33:53 2026 -0400

    linux-user/xtensa: fix unlock of uninitialized frame pointer on sigreturn

    If lock_user_struct fails, frame is uninitialized but the badframe
    label unconditionally calls unlock_user_struct on it. Handle the
    lock failure inline so badframe is only reached with a valid lock.

    Signed-off-by: Matt Turner <mattst88@gmail.com>
    Cc: qemu-stable@nongnu.org
    Reviewed-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Helge Deller <deller@gmx.de>

diff --git a/linux-user/xtensa/signal.c b/linux-user/xtensa/signal.c
index e3f9da322b..4990c50045 100644
--- a/linux-user/xtensa/signal.c
+++ b/linux-user/xtensa/signal.c
@@ -355,7 +355,8 @@ long do_rt_sigreturn(CPUXtensaState *env)

     trace_user_do_rt_sigreturn(env, frame_addr);
     if (!lock_user_struct(VERIFY_READ, frame, frame_addr, 1)) {
-        goto badframe;
+        force_sig(TARGET_SIGSEGV);
+        return -QEMU_ESIGRETURN;
     }
     target_to_host_sigset(&set, &frame->uc.tuc_sigmask);
     set_sigmask(&set);