Fixes for 5.10
authorSasha Levin <sashal@kernel.org>
Sat, 12 Jul 2025 02:28:16 +0000 (22:28 -0400)
committerSasha Levin <sashal@kernel.org>
Sat, 12 Jul 2025 02:28:16 +0000 (22:28 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
20 files changed:
queue-5.10/af_vsock-assign-the-vsock-transport-considering-the-.patch [new file with mode: 0644]
queue-5.10/af_vsock-set-vmaddr_flag_to_host-flag-on-the-receive.patch [new file with mode: 0644]
queue-5.10/asoc-fsl_asrc-use-internal-measured-ratio-for-non-id.patch [new file with mode: 0644]
queue-5.10/atm-clip-fix-infinite-recursive-call-of-clip_push.patch [new file with mode: 0644]
queue-5.10/atm-clip-fix-memory-leak-of-struct-clip_vcc.patch [new file with mode: 0644]
queue-5.10/atm-clip-fix-null-pointer-dereference-in-vcc_sendmsg.patch [new file with mode: 0644]
queue-5.10/atm-clip-fix-potential-null-ptr-deref-in-to_atmarpd.patch [new file with mode: 0644]
queue-5.10/fix-proc_sys_compare-handling-of-in-lookup-dentries.patch [new file with mode: 0644]
queue-5.10/net-phy-smsc-fix-auto-mdix-configuration-when-disabl.patch [new file with mode: 0644]
queue-5.10/net-phy-smsc-fix-link-failure-in-forced-mode-with-au.patch [new file with mode: 0644]
queue-5.10/net-sched-abort-__tc_modify_qdisc-if-parent-class-do.patch [new file with mode: 0644]
queue-5.10/netlink-fix-wraparounds-of-sk-sk_rmem_alloc.patch [new file with mode: 0644]
queue-5.10/perf-revert-to-requiring-cap_sys_admin-for-uprobes.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/tipc-fix-use-after-free-in-tipc_conn_close.patch [new file with mode: 0644]
queue-5.10/vm_sockets-add-flags-field-in-the-vsock-address-data.patch [new file with mode: 0644]
queue-5.10/vm_sockets-add-vmaddr_flag_to_host-vsock-flag.patch [new file with mode: 0644]
queue-5.10/vsock-fix-ioctl_vm_sockets_get_local_cid-to-check-al.patch [new file with mode: 0644]
queue-5.10/vsock-fix-transport_-g2h-h2g-toctou.patch [new file with mode: 0644]
queue-5.10/vsock-fix-transport_-toctou.patch [new file with mode: 0644]

diff --git a/queue-5.10/af_vsock-assign-the-vsock-transport-considering-the-.patch b/queue-5.10/af_vsock-assign-the-vsock-transport-considering-the-.patch
new file mode 100644 (file)
index 0000000..67cfd29
--- /dev/null
@@ -0,0 +1,93 @@
+From 0aaa7238333084956b2ad5359f5af765381d9de6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Dec 2020 18:11:22 +0200
+Subject: af_vsock: Assign the vsock transport considering the vsock address
+ flags
+
+From: Andra Paraschiv <andraprs@amazon.com>
+
+[ Upstream commit 7f816984f439dfe24da25032254cb10512900346 ]
+
+The vsock flags field can be set in the connect path (user space app)
+and the (listen) receive path (kernel space logic).
+
+When the vsock transport is assigned, the remote CID is used to
+distinguish between types of connection.
+
+Use the vsock flags value (in addition to the CID) from the remote
+address to decide which vsock transport to assign. For the sibling VMs
+use case, all the vsock packets need to be forwarded to the host, so
+always assign the guest->host transport if the VMADDR_FLAG_TO_HOST flag
+is set. For the other use cases, the vsock transport assignment logic is
+not changed.
+
+Changelog
+
+v3 -> v4
+
+* Update the "remote_flags" local variable type to reflect the change of
+  the "svm_flags" field to be 1 byte in size.
+
+v2 -> v3
+
+* Update bitwise check logic to not compare result to the flag value.
+
+v1 -> v2
+
+* Use bitwise operator to check the vsock flag.
+* Use the updated "VMADDR_FLAG_TO_HOST" flag naming.
+* Merge the checks for the g2h transport assignment in one "if" block.
+
+Signed-off-by: Andra Paraschiv <andraprs@amazon.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 687aa0c5581b ("vsock: Fix transport_* TOCTOU")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 8a6af90f2ff2c..beacbe957594a 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -431,7 +431,8 @@ static void vsock_deassign_transport(struct vsock_sock *vsk)
+  * The vsk->remote_addr is used to decide which transport to use:
+  *  - remote CID == VMADDR_CID_LOCAL or g2h->local_cid or VMADDR_CID_HOST if
+  *    g2h is not loaded, will use local transport;
+- *  - remote CID <= VMADDR_CID_HOST will use guest->host transport;
++ *  - remote CID <= VMADDR_CID_HOST or h2g is not loaded or remote flags field
++ *    includes VMADDR_FLAG_TO_HOST flag value, will use guest->host transport;
+  *  - remote CID > VMADDR_CID_HOST will use host->guest transport;
+  */
+ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
+@@ -439,6 +440,7 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
+       const struct vsock_transport *new_transport;
+       struct sock *sk = sk_vsock(vsk);
+       unsigned int remote_cid = vsk->remote_addr.svm_cid;
++      __u8 remote_flags;
+       int ret;
+       /* If the packet is coming with the source and destination CIDs higher
+@@ -453,6 +455,8 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
+           vsk->remote_addr.svm_cid > VMADDR_CID_HOST)
+               vsk->remote_addr.svm_flags |= VMADDR_FLAG_TO_HOST;
++      remote_flags = vsk->remote_addr.svm_flags;
++
+       switch (sk->sk_type) {
+       case SOCK_DGRAM:
+               new_transport = transport_dgram;
+@@ -460,7 +464,8 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
+       case SOCK_STREAM:
+               if (vsock_use_local_transport(remote_cid))
+                       new_transport = transport_local;
+-              else if (remote_cid <= VMADDR_CID_HOST || !transport_h2g)
++              else if (remote_cid <= VMADDR_CID_HOST || !transport_h2g ||
++                       (remote_flags & VMADDR_FLAG_TO_HOST))
+                       new_transport = transport_g2h;
+               else
+                       new_transport = transport_h2g;
+-- 
+2.39.5
+
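Review bot: The new `remote_flags & VMADDR_FLAG_TO_HOST` test makes transport selection depend on `svm_flags`, a byte the patch description says userspace can set on the connect() path, and nothing in this hunk rejects unknown bits in it — presumably that is done at address-validation time by the companion `vm_sockets-add-flags-field` patch queued here (L24), which together with `vm_sockets-add-vmaddr_flag_to_host` (L25) must precede this patch in the series for it to build. A comment at the `remote_flags` assignment would make that dependency explicit: `/* svm_flags is user-controlled on connect(); only VMADDR_FLAG_TO_HOST is consulted here, unknown bits must be rejected earlier */`. Note also that when the flag is set but `transport_g2h` is NULL, `new_transport` ends up NULL; the NULL check is presumably in the remainder of vsock_assign_transport(), which continues outside the hunk.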
diff --git a/queue-5.10/af_vsock-set-vmaddr_flag_to_host-flag-on-the-receive.patch b/queue-5.10/af_vsock-set-vmaddr_flag_to_host-flag-on-the-receive.patch
new file mode 100644 (file)
index 0000000..5927c7e
--- /dev/null
@@ -0,0 +1,75 @@
+From b4686c232f2638802d875aa43aa7ca9f8d2ad5b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Dec 2020 18:11:21 +0200
+Subject: af_vsock: Set VMADDR_FLAG_TO_HOST flag on the receive path
+
+From: Andra Paraschiv <andraprs@amazon.com>
+
+[ Upstream commit 1b5f2ab98e7f99f1a83960b17c5596012a7c5e88 ]
+
+The vsock flags can be set during the connect() setup logic, when
+initializing the vsock address data structure variable. Then the vsock
+transport is assigned, also considering this flags field.
+
+The vsock transport is also assigned on the (listen) receive path. The
+flags field needs to be set considering the use case.
+
+Set the value of the vsock flags of the remote address to the one
+targeted for packets forwarding to the host, if the following conditions
+are met:
+
+* The source CID of the packet is higher than VMADDR_CID_HOST.
+* The destination CID of the packet is higher than VMADDR_CID_HOST.
+
+Changelog
+
+v3 -> v4
+
+* No changes.
+
+v2 -> v3
+
+* No changes.
+
+v1 -> v2
+
+* Set the vsock flag on the receive path in the vsock transport
+  assignment logic.
+* Use bitwise operator for the vsock flag setup.
+* Use the updated "VMADDR_FLAG_TO_HOST" flag naming.
+
+Signed-off-by: Andra Paraschiv <andraprs@amazon.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 687aa0c5581b ("vsock: Fix transport_* TOCTOU")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 5f82dfe50c123..8a6af90f2ff2c 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -441,6 +441,18 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
+       unsigned int remote_cid = vsk->remote_addr.svm_cid;
+       int ret;
++      /* If the packet is coming with the source and destination CIDs higher
++       * than VMADDR_CID_HOST, then a vsock channel where all the packets are
++       * forwarded to the host should be established. Then the host will
++       * need to forward the packets to the guest.
++       *
++       * The flag is set on the (listen) receive path (psk is not NULL). On
++       * the connect path the flag can be set by the user space application.
++       */
++      if (psk && vsk->local_addr.svm_cid > VMADDR_CID_HOST &&
++          vsk->remote_addr.svm_cid > VMADDR_CID_HOST)
++              vsk->remote_addr.svm_flags |= VMADDR_FLAG_TO_HOST;
++
+       switch (sk->sk_type) {
+       case SOCK_DGRAM:
+               new_transport = transport_dgram;
+-- 
+2.39.5
+
diff --git a/queue-5.10/asoc-fsl_asrc-use-internal-measured-ratio-for-non-id.patch b/queue-5.10/asoc-fsl_asrc-use-internal-measured-ratio-for-non-id.patch
new file mode 100644 (file)
index 0000000..7e3d5e7
--- /dev/null
@@ -0,0 +1,40 @@
+From 2227bae5883add39aac2f0254699a476e831b5a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 10:05:04 +0800
+Subject: ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit cbe876121633dadb2b0ce52711985328638e9aab ]
+
+When USRC=0, there is underrun issue for the non-ideal ratio mode;
+according to the reference mannual, the internal measured ratio can be
+used with USRC=1 and IDRC=0.
+
+Fixes: d0250cf4f2ab ("ASoC: fsl_asrc: Add an option to select internal ratio mode")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
+Link: https://patch.msgid.link/20250625020504.2728161-1-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_asrc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/fsl/fsl_asrc.c b/sound/soc/fsl/fsl_asrc.c
+index 5e3c71f025f45..cf6d3c549707b 100644
+--- a/sound/soc/fsl/fsl_asrc.c
++++ b/sound/soc/fsl/fsl_asrc.c
+@@ -513,7 +513,8 @@ static int fsl_asrc_config_pair(struct fsl_asrc_pair *pair, bool use_ideal_rate)
+       regmap_update_bits(asrc->regmap, REG_ASRCTR,
+                          ASRCTR_ATSi_MASK(index), ASRCTR_ATS(index));
+       regmap_update_bits(asrc->regmap, REG_ASRCTR,
+-                         ASRCTR_USRi_MASK(index), 0);
++                         ASRCTR_IDRi_MASK(index) | ASRCTR_USRi_MASK(index),
++                         ASRCTR_USR(index));
+       /* Set the input and output clock sources */
+       regmap_update_bits(asrc->regmap, REG_ASRCSR,
+-- 
+2.39.5
+
diff --git a/queue-5.10/atm-clip-fix-infinite-recursive-call-of-clip_push.patch b/queue-5.10/atm-clip-fix-infinite-recursive-call-of-clip_push.patch
new file mode 100644 (file)
index 0000000..185bddf
--- /dev/null
@@ -0,0 +1,102 @@
+From e93227dfcdfdbbbce29bca973036a03242ee1ae9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 06:23:53 +0000
+Subject: atm: clip: Fix infinite recursive call of clip_push().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit c489f3283dbfc0f3c00c312149cae90d27552c45 ]
+
+syzbot reported the splat below. [0]
+
+This happens if we call ioctl(ATMARP_MKIP) more than once.
+
+During the first call, clip_mkip() sets clip_push() to vcc->push(),
+and the second call copies it to clip_vcc->old_push().
+
+Later, when the socket is close()d, vcc_destroy_socket() passes
+NULL skb to clip_push(), which calls clip_vcc->old_push(),
+triggering the infinite recursion.
+
+Let's prevent the second ioctl(ATMARP_MKIP) by checking
+vcc->user_back, which is allocated by the first call as clip_vcc.
+
+Note also that we use lock_sock() to prevent racy calls.
+
+[0]:
+BUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000)
+Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI
+CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191
+Code: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00
+RSP: 0018:ffffc9000d670000 EFLAGS: 00010246
+RAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000
+RBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e
+R10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300
+R13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578
+FS:  000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0
+Call Trace:
+ <TASK>
+ clip_push+0x6dc/0x720 net/atm/clip.c:200
+ clip_push+0x6dc/0x720 net/atm/clip.c:200
+ clip_push+0x6dc/0x720 net/atm/clip.c:200
+...
+ clip_push+0x6dc/0x720 net/atm/clip.c:200
+ clip_push+0x6dc/0x720 net/atm/clip.c:200
+ clip_push+0x6dc/0x720 net/atm/clip.c:200
+ vcc_destroy_socket net/atm/common.c:183 [inline]
+ vcc_release+0x157/0x460 net/atm/common.c:205
+ __sock_release net/socket.c:647 [inline]
+ sock_close+0xc0/0x240 net/socket.c:1391
+ __fput+0x449/0xa70 fs/file_table.c:465
+ task_work_run+0x1d1/0x260 kernel/task_work.c:227
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114
+ exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
+ do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7ff31c98e929
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
+RAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929
+RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
+RBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f
+R10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c
+R13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090
+ </TASK>
+Modules linked in:
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+0c77cccd6b7cd917b35a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2371d94d248d126c1eb1
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250704062416.1613927-4-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/clip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/atm/clip.c b/net/atm/clip.c
+index 14b485f725d0c..936b9558be4b9 100644
+--- a/net/atm/clip.c
++++ b/net/atm/clip.c
+@@ -429,6 +429,8 @@ static int clip_mkip(struct atm_vcc *vcc, int timeout)
+       if (!vcc->push)
+               return -EBADFD;
++      if (vcc->user_back)
++              return -EINVAL;
+       clip_vcc = kmalloc(sizeof(struct clip_vcc), GFP_KERNEL);
+       if (!clip_vcc)
+               return -ENOMEM;
+-- 
+2.39.5
+
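Review bot: The new `if (vcc->user_back) return -EINVAL;` treats any non-NULL `user_back` as "ATMARP_MKIP already done", but `user_back` is a generic per-vcc slot, so a vcc that another ATM protocol has already attached to is now refused as well — a safe outcome, but worth stating: `/* user_back is already owned (a clip_vcc from a prior MKIP, or another protocol); never re-wrap ->push */`. The description relies on lock_sock() to make this check race-free, yet the locking is not added by this patch but by the companion `atm-clip-fix-memory-leak` patch in this queue, so the two must stay ordered as they are. clip_mkip() continues outside the hunk.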
diff --git a/queue-5.10/atm-clip-fix-memory-leak-of-struct-clip_vcc.patch b/queue-5.10/atm-clip-fix-memory-leak-of-struct-clip_vcc.patch
new file mode 100644 (file)
index 0000000..5324e79
--- /dev/null
@@ -0,0 +1,76 @@
+From 016eeaa767a57c01298a98d90d3f379f34247654 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 06:23:52 +0000
+Subject: atm: clip: Fix memory leak of struct clip_vcc.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 62dba28275a9a3104d4e33595c7b3328d4032d8d ]
+
+ioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to
+vcc->user_back.
+
+The code assumes that vcc_destroy_socket() passes NULL skb
+to vcc->push() when the socket is close()d, and then clip_push()
+frees clip_vcc.
+
+However, ioctl(ATMARPD_CTRL) sets NULL to vcc->push() in
+atm_init_atmarp(), resulting in memory leak.
+
+Let's serialise two ioctl() by lock_sock() and check vcc->push()
+in atm_init_atmarp() to prevent memleak.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250704062416.1613927-3-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/clip.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/atm/clip.c b/net/atm/clip.c
+index 8059b7d1fb931..14b485f725d0c 100644
+--- a/net/atm/clip.c
++++ b/net/atm/clip.c
+@@ -645,6 +645,9 @@ static struct atm_dev atmarpd_dev = {
+ static int atm_init_atmarp(struct atm_vcc *vcc)
+ {
++      if (vcc->push == clip_push)
++              return -EINVAL;
++
+       mutex_lock(&atmarpd_lock);
+       if (atmarpd) {
+               mutex_unlock(&atmarpd_lock);
+@@ -669,6 +672,7 @@ static int atm_init_atmarp(struct atm_vcc *vcc)
+ static int clip_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
+ {
+       struct atm_vcc *vcc = ATM_SD(sock);
++      struct sock *sk = sock->sk;
+       int err = 0;
+       switch (cmd) {
+@@ -689,14 +693,18 @@ static int clip_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
+               err = clip_create(arg);
+               break;
+       case ATMARPD_CTRL:
++              lock_sock(sk);
+               err = atm_init_atmarp(vcc);
+               if (!err) {
+                       sock->state = SS_CONNECTED;
+                       __module_get(THIS_MODULE);
+               }
++              release_sock(sk);
+               break;
+       case ATMARP_MKIP:
++              lock_sock(sk);
+               err = clip_mkip(vcc, arg);
++              release_sock(sk);
+               break;
+       case ATMARP_SETENTRY:
+               err = clip_setentry(vcc, (__force __be32)arg);
+-- 
+2.39.5
+
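Review bot: The `vcc->push == clip_push` guard added at the top of atm_init_atmarp() is only race-free because clip_ioctl() now takes `lock_sock(sk)` around both ATMARPD_CTRL and ATMARP_MKIP; the function itself takes no lock before that test, so a future caller that skips the socket lock would reintroduce the problem. Spell the precondition out at the guard: `/* Caller holds lock_sock(); a vcc already converted by ATMARP_MKIP must not become atmarpd, or its clip_vcc is never freed */`. The socket lock is also now held across `__module_get()` and the `sock->state` update, which looks intentional since both belong to the same state transition, but a reader of clip_ioctl() alone cannot tell.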
diff --git a/queue-5.10/atm-clip-fix-null-pointer-dereference-in-vcc_sendmsg.patch b/queue-5.10/atm-clip-fix-null-pointer-dereference-in-vcc_sendmsg.patch
new file mode 100644 (file)
index 0000000..d6ab183
--- /dev/null
@@ -0,0 +1,82 @@
+From 97e39198018ba733944f8be169c32ed57f6016c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Jul 2025 16:52:28 +0800
+Subject: atm: clip: Fix NULL pointer dereference in vcc_sendmsg()
+
+From: Yue Haibing <yuehaibing@huawei.com>
+
+[ Upstream commit 22fc46cea91df3dce140a7dc6847c6fcf0354505 ]
+
+atmarpd_dev_ops does not implement the send method, which may cause crash
+as bellow.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+PGD 0 P4D 0
+Oops: Oops: 0010 [#1] SMP KASAN NOPTI
+CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:0x0
+Code: Unable to access opcode bytes at 0xffffffffffffffd6.
+RSP: 0018:ffffc9000d3cf778 EFLAGS: 00010246
+RAX: 1ffffffff1910dd1 RBX: 00000000000000c0 RCX: dffffc0000000000
+RDX: ffffc9000dc82000 RSI: ffff88803e4c4640 RDI: ffff888052cd0000
+RBP: ffffc9000d3cf8d0 R08: ffff888052c9143f R09: 1ffff1100a592287
+R10: dffffc0000000000 R11: 0000000000000000 R12: 1ffff92001a79f00
+R13: ffff888052cd0000 R14: ffff88803e4c4640 R15: ffffffff8c886e88
+FS:  00007fbc762566c0(0000) GS:ffff88808d6c2000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffffffffd6 CR3: 0000000041f1b000 CR4: 0000000000352ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ vcc_sendmsg+0xa10/0xc50 net/atm/common.c:644
+ sock_sendmsg_nosec net/socket.c:712 [inline]
+ __sock_sendmsg+0x219/0x270 net/socket.c:727
+ ____sys_sendmsg+0x52d/0x830 net/socket.c:2566
+ ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
+ __sys_sendmmsg+0x227/0x430 net/socket.c:2709
+ __do_sys_sendmmsg net/socket.c:2736 [inline]
+ __se_sys_sendmmsg net/socket.c:2733 [inline]
+ __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2733
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+e34e5e6b5eddb0014def@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/682f82d5.a70a0220.1765ec.0143.GAE@google.com/T
+Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250705085228.329202-1-yuehaibing@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/clip.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/atm/clip.c b/net/atm/clip.c
+index 936b9558be4b9..53d62361ae460 100644
+--- a/net/atm/clip.c
++++ b/net/atm/clip.c
+@@ -632,8 +632,16 @@ static void atmarpd_close(struct atm_vcc *vcc)
+       module_put(THIS_MODULE);
+ }
++static int atmarpd_send(struct atm_vcc *vcc, struct sk_buff *skb)
++{
++      atm_return_tx(vcc, skb);
++      dev_kfree_skb_any(skb);
++      return 0;
++}
++
+ static const struct atmdev_ops atmarpd_dev_ops = {
+-      .close = atmarpd_close
++      .close = atmarpd_close,
++      .send = atmarpd_send
+ };
+-- 
+2.39.5
+
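Review bot: `atmarpd_send()` frees the skb and returns 0, so a write to the atmarpd control vcc is reported to userspace as fully sent while the bytes are silently discarded (assuming vcc_sendmsg() follows the usual `error ? error : size` convention, which is outside this hunk). If writes on this vcc are never meaningful that is acceptable, but say so, since a NULL `.send` was the previous — crashing — way of expressing it: `/* atmarpd is a kernel->daemon notification channel; drop, rather than fail, anything written to it */`. `dev_kfree_skb_any()` is only required if this can run from IRQ context; from sendmsg process context `dev_kfree_skb()` suffices, though the `_any` form is harmless.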
diff --git a/queue-5.10/atm-clip-fix-potential-null-ptr-deref-in-to_atmarpd.patch b/queue-5.10/atm-clip-fix-potential-null-ptr-deref-in-to_atmarpd.patch
new file mode 100644 (file)
index 0000000..041bfa1
--- /dev/null
@@ -0,0 +1,134 @@
+From 89d9f2bb67ec6695027565fab4f4f065345fb5e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 06:23:51 +0000
+Subject: atm: clip: Fix potential null-ptr-deref in to_atmarpd().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 706cc36477139c1616a9b2b96610a8bb520b7119 ]
+
+atmarpd is protected by RTNL since commit f3a0592b37b8 ("[ATM]: clip
+causes unregister hang").
+
+However, it is not enough because to_atmarpd() is called without RTNL,
+especially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable.
+
+Also, there is no RTNL dependency around atmarpd.
+
+Let's use a private mutex and RCU to protect access to atmarpd in
+to_atmarpd().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250704062416.1613927-2-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/clip.c | 44 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 29 insertions(+), 15 deletions(-)
+
+diff --git a/net/atm/clip.c b/net/atm/clip.c
+index 511467bb7fe40..8059b7d1fb931 100644
+--- a/net/atm/clip.c
++++ b/net/atm/clip.c
+@@ -45,7 +45,8 @@
+ #include <net/atmclip.h>
+ static struct net_device *clip_devs;
+-static struct atm_vcc *atmarpd;
++static struct atm_vcc __rcu *atmarpd;
++static DEFINE_MUTEX(atmarpd_lock);
+ static struct timer_list idle_timer;
+ static const struct neigh_ops clip_neigh_ops;
+@@ -53,24 +54,35 @@ static int to_atmarpd(enum atmarp_ctrl_type type, int itf, __be32 ip)
+ {
+       struct sock *sk;
+       struct atmarp_ctrl *ctrl;
++      struct atm_vcc *vcc;
+       struct sk_buff *skb;
++      int err = 0;
+       pr_debug("(%d)\n", type);
+-      if (!atmarpd)
+-              return -EUNATCH;
++
++      rcu_read_lock();
++      vcc = rcu_dereference(atmarpd);
++      if (!vcc) {
++              err = -EUNATCH;
++              goto unlock;
++      }
+       skb = alloc_skb(sizeof(struct atmarp_ctrl), GFP_ATOMIC);
+-      if (!skb)
+-              return -ENOMEM;
++      if (!skb) {
++              err = -ENOMEM;
++              goto unlock;
++      }
+       ctrl = skb_put(skb, sizeof(struct atmarp_ctrl));
+       ctrl->type = type;
+       ctrl->itf_num = itf;
+       ctrl->ip = ip;
+-      atm_force_charge(atmarpd, skb->truesize);
++      atm_force_charge(vcc, skb->truesize);
+-      sk = sk_atm(atmarpd);
++      sk = sk_atm(vcc);
+       skb_queue_tail(&sk->sk_receive_queue, skb);
+       sk->sk_data_ready(sk);
+-      return 0;
++unlock:
++      rcu_read_unlock();
++      return err;
+ }
+ static void link_vcc(struct clip_vcc *clip_vcc, struct atmarp_entry *entry)
+@@ -607,10 +619,12 @@ static void atmarpd_close(struct atm_vcc *vcc)
+ {
+       pr_debug("\n");
+-      rtnl_lock();
+-      atmarpd = NULL;
++      mutex_lock(&atmarpd_lock);
++      RCU_INIT_POINTER(atmarpd, NULL);
++      mutex_unlock(&atmarpd_lock);
++
++      synchronize_rcu();
+       skb_queue_purge(&sk_atm(vcc)->sk_receive_queue);
+-      rtnl_unlock();
+       pr_debug("(done)\n");
+       module_put(THIS_MODULE);
+@@ -631,15 +645,15 @@ static struct atm_dev atmarpd_dev = {
+ static int atm_init_atmarp(struct atm_vcc *vcc)
+ {
+-      rtnl_lock();
++      mutex_lock(&atmarpd_lock);
+       if (atmarpd) {
+-              rtnl_unlock();
++              mutex_unlock(&atmarpd_lock);
+               return -EADDRINUSE;
+       }
+       mod_timer(&idle_timer, jiffies + CLIP_CHECK_INTERVAL * HZ);
+-      atmarpd = vcc;
++      rcu_assign_pointer(atmarpd, vcc);
+       set_bit(ATM_VF_META, &vcc->flags);
+       set_bit(ATM_VF_READY, &vcc->flags);
+           /* allow replies and avoid getting closed if signaling dies */
+@@ -648,7 +662,7 @@ static int atm_init_atmarp(struct atm_vcc *vcc)
+       vcc->push = NULL;
+       vcc->pop = NULL; /* crash */
+       vcc->push_oam = NULL; /* crash */
+-      rtnl_unlock();
++      mutex_unlock(&atmarpd_lock);
+       return 0;
+ }
+-- 
+2.39.5
+
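Review bot: `if (atmarpd)` in atm_init_atmarp() tests the now `__rcu`-annotated pointer directly; that is safe under `atmarpd_lock`, but `if (rcu_access_pointer(atmarpd))` is the documented way to test an RCU-protected pointer without a read-side critical section and makes the intent explicit. In atmarpd_close(), the `synchronize_rcu()` between clearing the pointer and `skb_queue_purge()` is the heart of the fix — it guarantees no in-flight to_atmarpd() still queues onto this socket's receive queue — and deserves a one-line comment: `/* wait for to_atmarpd() readers before purging the receive queue */`. The `mutex_lock()`/`mutex_unlock()` pair around a single `RCU_INIT_POINTER()` there is presumably to order the clear against a concurrent atm_init_atmarp(); stating that would help too.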
diff --git a/queue-5.10/fix-proc_sys_compare-handling-of-in-lookup-dentries.patch b/queue-5.10/fix-proc_sys_compare-handling-of-in-lookup-dentries.patch
new file mode 100644 (file)
index 0000000..a4c338f
--- /dev/null
@@ -0,0 +1,96 @@
+From 8ff7e19d028d2f62bbe56a2436bff395a7c47407 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 02:52:13 -0400
+Subject: fix proc_sys_compare() handling of in-lookup dentries
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit b969f9614885c20f903e1d1f9445611daf161d6d ]
+
+There's one case where ->d_compare() can be called for an in-lookup
+dentry; usually that's nothing special from ->d_compare() point of
+view, but... proc_sys_compare() is weird.
+
+The thing is, /proc/sys subdirectories can look differently for
+different processes.  Up to and including having the same name
+resolve to different dentries - all of them hashed.
+
+The way it's done is ->d_compare() refusing to admit a match unless
+this dentry is supposed to be visible to this caller.  The information
+needed to discriminate between them is stored in inode; it is set
+during proc_sys_lookup() and until it's done d_splice_alias() we really
+can't tell who should that dentry be visible for.
+
+Normally there's no negative dentries in /proc/sys; we can run into
+a dying dentry in RCU dcache lookup, but those can be safely rejected.
+
+However, ->d_compare() is also called for in-lookup dentries, before
+they get positive - or hashed, for that matter.  In case of match
+we will wait until dentry leaves in-lookup state and repeat ->d_compare()
+afterwards.  In other words, the right behaviour is to treat the
+name match as sufficient for in-lookup dentries; if dentry is not
+for us, we'll see that when we recheck once proc_sys_lookup() is
+done with it.
+
+While we are at it, fix the misspelled READ_ONCE and WRITE_ONCE there.
+
+Fixes: d9171b934526 ("parallel lookups machinery, part 4 (and last)")
+Reported-by: NeilBrown <neilb@brown.name>
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Reviewed-by: NeilBrown <neil@brown.name>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/proc/inode.c       |  2 +-
+ fs/proc/proc_sysctl.c | 18 +++++++++++-------
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/fs/proc/inode.c b/fs/proc/inode.c
+index ba35ffc426eac..269a14a50d8b0 100644
+--- a/fs/proc/inode.c
++++ b/fs/proc/inode.c
+@@ -54,7 +54,7 @@ static void proc_evict_inode(struct inode *inode)
+       head = ei->sysctl;
+       if (head) {
+-              RCU_INIT_POINTER(ei->sysctl, NULL);
++              WRITE_ONCE(ei->sysctl, NULL);
+               proc_sys_evict_inode(inode, head);
+       }
+ }
+diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
+index f5c9677353354..78bd606314281 100644
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -909,17 +909,21 @@ static int proc_sys_compare(const struct dentry *dentry,
+       struct ctl_table_header *head;
+       struct inode *inode;
+-      /* Although proc doesn't have negative dentries, rcu-walk means
+-       * that inode here can be NULL */
+-      /* AV: can it, indeed? */
+-      inode = d_inode_rcu(dentry);
+-      if (!inode)
+-              return 1;
+       if (name->len != len)
+               return 1;
+       if (memcmp(name->name, str, len))
+               return 1;
+-      head = rcu_dereference(PROC_I(inode)->sysctl);
++
++      // false positive is fine here - we'll recheck anyway
++      if (d_in_lookup(dentry))
++              return 0;
++
++      inode = d_inode_rcu(dentry);
++      // we just might have run into dentry in the middle of __dentry_kill()
++      if (!inode)
++              return 1;
++
++      head = READ_ONCE(PROC_I(inode)->sysctl);
+       return !head || !sysctl_is_seen(head);
+ }
+-- 
+2.39.5
+
diff --git a/queue-5.10/net-phy-smsc-fix-auto-mdix-configuration-when-disabl.patch b/queue-5.10/net-phy-smsc-fix-auto-mdix-configuration-when-disabl.patch
new file mode 100644 (file)
index 0000000..2b6d092
--- /dev/null
@@ -0,0 +1,54 @@
+From 24941121fc9a2f9be8203b5438607f7d76ea8ac7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 13:49:39 +0200
+Subject: net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit a141af8eb2272ab0f677a7f2653874840bc9b214 ]
+
+Correct the Auto-MDIX configuration to ensure userspace settings are
+respected when the feature is disabled by the AUTOMDIX_EN hardware strap.
+
+The LAN9500 PHY allows its default MDI-X mode to be configured via a
+hardware strap. If this strap sets the default to "MDI-X off", the
+driver was previously unable to enable Auto-MDIX from userspace.
+
+When handling the ETH_TP_MDI_AUTO case, the driver would set the
+SPECIAL_CTRL_STS_AMDIX_ENABLE_ bit but neglected to set the required
+SPECIAL_CTRL_STS_OVRRD_AMDIX_ bit. Without the override flag, the PHY
+falls back to its hardware strap default, ignoring the software request.
+
+This patch corrects the behavior by also setting the override bit when
+enabling Auto-MDIX. This ensures that the userspace configuration takes
+precedence over the hardware strap, allowing Auto-MDIX to be enabled
+correctly in all scenarios.
+
+Fixes: 05b35e7eb9a1 ("smsc95xx: add phylib support")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Cc: Andre Edich <andre.edich@microchip.com>
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20250703114941.3243890-2-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/smsc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c
+index b67de3f9ef186..9ec2485df645e 100644
+--- a/drivers/net/phy/smsc.c
++++ b/drivers/net/phy/smsc.c
+@@ -132,7 +132,8 @@ static int lan87xx_config_aneg(struct phy_device *phydev)
+                       SPECIAL_CTRL_STS_AMDIX_STATE_;
+               break;
+       case ETH_TP_MDI_AUTO:
+-              val = SPECIAL_CTRL_STS_AMDIX_ENABLE_;
++              val = SPECIAL_CTRL_STS_OVRRD_AMDIX_ |
++                      SPECIAL_CTRL_STS_AMDIX_ENABLE_;
+               break;
+       default:
+               return genphy_config_aneg(phydev);
+-- 
+2.39.5
+
diff --git a/queue-5.10/net-phy-smsc-fix-link-failure-in-forced-mode-with-au.patch b/queue-5.10/net-phy-smsc-fix-link-failure-in-forced-mode-with-au.patch
new file mode 100644 (file)
index 0000000..a347e51
--- /dev/null
@@ -0,0 +1,86 @@
+From f0299ea83e5249d5a80b30b6de26198a28e8ff41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 13:49:41 +0200
+Subject: net: phy: smsc: Fix link failure in forced mode with Auto-MDIX
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 9dfe110cc0f6ef42af8e81ce52aef34a647d0b8a ]
+
+Force a fixed MDI-X mode when auto-negotiation is disabled to prevent
+link instability.
+
+When forcing the link speed and duplex on a LAN9500 PHY (e.g., with
+`ethtool -s eth0 autoneg off ...`) while leaving MDI-X control in auto
+mode, the PHY fails to establish a stable link. This occurs because the
+PHY's Auto-MDIX algorithm is not designed to operate when
+auto-negotiation is disabled. In this state, the PHY continuously
+toggles the TX/RX signal pairs, which prevents the link partner from
+synchronizing.
+
+This patch resolves the issue by detecting when auto-negotiation is
+disabled. If the MDI-X control mode is set to 'auto', the driver now
+forces a specific, stable mode (ETH_TP_MDI) to prevent the pair
+toggling. This choice of a fixed MDI mode mirrors the behavior the
+hardware would exhibit if the AUTOMDIX_EN strap were configured for a
+fixed MDI connection.
+
+Fixes: 05b35e7eb9a1 ("smsc95xx: add phylib support")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Cc: Andre Edich <andre.edich@microchip.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20250703114941.3243890-4-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/smsc.c | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c
+index 9ec2485df645e..d860a2626b13b 100644
+--- a/drivers/net/phy/smsc.c
++++ b/drivers/net/phy/smsc.c
+@@ -120,10 +120,29 @@ static int lan911x_config_init(struct phy_device *phydev)
+ static int lan87xx_config_aneg(struct phy_device *phydev)
+ {
+-      int rc;
++      u8 mdix_ctrl;
+       int val;
++      int rc;
++
++      /* When auto-negotiation is disabled (forced mode), the PHY's
++       * Auto-MDIX will continue toggling the TX/RX pairs.
++       *
++       * To establish a stable link, we must select a fixed MDI mode.
++       * If the user has not specified a fixed MDI mode (i.e., mdix_ctrl is
++       * 'auto'), we default to ETH_TP_MDI. This choice of a ETH_TP_MDI mode
++       * mirrors the behavior the hardware would exhibit if the AUTOMDIX_EN
++       * strap were configured for a fixed MDI connection.
++       */
++      if (phydev->autoneg == AUTONEG_DISABLE) {
++              if (phydev->mdix_ctrl == ETH_TP_MDI_AUTO)
++                      mdix_ctrl = ETH_TP_MDI;
++              else
++                      mdix_ctrl = phydev->mdix_ctrl;
++      } else {
++              mdix_ctrl = phydev->mdix_ctrl;
++      }
+-      switch (phydev->mdix_ctrl) {
++      switch (mdix_ctrl) {
+       case ETH_TP_MDI:
+               val = SPECIAL_CTRL_STS_OVRRD_AMDIX_;
+               break;
+@@ -149,7 +168,7 @@ static int lan87xx_config_aneg(struct phy_device *phydev)
+       rc |= val;
+       phy_write(phydev, SPECIAL_CTRL_STS, rc);
+-      phydev->mdix = phydev->mdix_ctrl;
++      phydev->mdix = mdix_ctrl;
+       return genphy_config_aneg(phydev);
+ }
+-- 
+2.39.5
+
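Review bot: The new fallback block in lan87xx_config_aneg assigns `mdix_ctrl = phydev->mdix_ctrl;` in both the inner `else` and the outer `else`, which reads better as a default followed by one override: `mdix_ctrl = phydev->mdix_ctrl;` then `if (phydev->autoneg == AUTONEG_DISABLE && mdix_ctrl == ETH_TP_MDI_AUTO) mdix_ctrl = ETH_TP_MDI;`. The comment above it already carries the rationale, so the shorter form loses nothing. The middle of the function (the remaining switch cases and the register read that produces `rc`) lies between the two hunks, so whether `u8` matches the declared type of `phydev->mdix_ctrl` cannot be confirmed from this view.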
diff --git a/queue-5.10/net-sched-abort-__tc_modify_qdisc-if-parent-class-do.patch b/queue-5.10/net-sched-abort-__tc_modify_qdisc-if-parent-class-do.patch
new file mode 100644 (file)
index 0000000..d38cb70
--- /dev/null
@@ -0,0 +1,121 @@
+From 649a240a2d095698c7b74f390abfa400c5bde6bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 18:08:01 -0300
+Subject: net/sched: Abort __tc_modify_qdisc if parent class does not exist
+
+From: Victor Nogueira <victor@mojatatu.com>
+
+[ Upstream commit ffdde7bf5a439aaa1955ebd581f5c64ab1533963 ]
+
+Lion's patch [1] revealed an ancient bug in the qdisc API.
+Whenever a user creates/modifies a qdisc specifying as a parent another
+qdisc, the qdisc API will, during grafting, detect that the user is
+not trying to attach to a class and reject. However grafting is
+performed after qdisc_create (and thus the qdiscs' init callback) is
+executed. In qdiscs that eventually call qdisc_tree_reduce_backlog
+during init or change (such as fq, hhf, choke, etc), an issue
+arises. For example, executing the following commands:
+
+sudo tc qdisc add dev lo root handle a: htb default 2
+sudo tc qdisc add dev lo parent a: handle beef fq
+
+Qdiscs such as fq, hhf, choke, etc unconditionally invoke
+qdisc_tree_reduce_backlog() in their control path init() or change() which
+then causes a failure to find the child class; however, that does not stop
+the unconditional invocation of the assumed child qdisc's qlen_notify with
+a null class. All these qdiscs make the assumption that class is non-null.
+
+The solution is ensure that qdisc_leaf() which looks up the parent
+class, and is invoked prior to qdisc_create(), should return failure on
+not finding the class.
+In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the
+parentid doesn't correspond to a class, so that we can detect it
+earlier on and abort before qdisc_create is called.
+
+[1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/
+
+Fixes: 5e50da01d0ce ("[NET_SCHED]: Fix endless loops (part 2): "simple" qdiscs")
+Reported-by: syzbot+d8b58d7b0ad89a678a16@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/68663c93.a70a0220.5d25f.0857.GAE@google.com/
+Reported-by: syzbot+5eccb463fa89309d8bdc@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/68663c94.a70a0220.5d25f.0858.GAE@google.com/
+Reported-by: syzbot+1261670bbdefc5485a06@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/686764a5.a00a0220.c7b3.0013.GAE@google.com/
+Reported-by: syzbot+15b96fc3aac35468fe77@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/686764a5.a00a0220.c7b3.0014.GAE@google.com/
+Reported-by: syzbot+4dadc5aecf80324d5a51@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/68679e81.a70a0220.29cf51.0016.GAE@google.com/
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Victor Nogueira <victor@mojatatu.com>
+Link: https://patch.msgid.link/20250707210801.372995-1-victor@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_api.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index 7fd4c94d6f464..a325036f3ae02 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -331,17 +331,22 @@ struct Qdisc *qdisc_lookup_rcu(struct net_device *dev, u32 handle)
+       return q;
+ }
+-static struct Qdisc *qdisc_leaf(struct Qdisc *p, u32 classid)
++static struct Qdisc *qdisc_leaf(struct Qdisc *p, u32 classid,
++                              struct netlink_ext_ack *extack)
+ {
+       unsigned long cl;
+       const struct Qdisc_class_ops *cops = p->ops->cl_ops;
+-      if (cops == NULL)
+-              return NULL;
++      if (cops == NULL) {
++              NL_SET_ERR_MSG(extack, "Parent qdisc is not classful");
++              return ERR_PTR(-EOPNOTSUPP);
++      }
+       cl = cops->find(p, classid);
+-      if (cl == 0)
+-              return NULL;
++      if (cl == 0) {
++              NL_SET_ERR_MSG(extack, "Specified class not found");
++              return ERR_PTR(-ENOENT);
++      }
+       return cops->leaf(p, cl);
+ }
+@@ -1462,7 +1467,7 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n,
+                                       NL_SET_ERR_MSG(extack, "Failed to find qdisc with specified classid");
+                                       return -ENOENT;
+                               }
+-                              q = qdisc_leaf(p, clid);
++                              q = qdisc_leaf(p, clid, extack);
+                       } else if (dev_ingress_queue(dev)) {
+                               q = dev_ingress_queue(dev)->qdisc_sleeping;
+                       }
+@@ -1473,6 +1478,8 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n,
+                       NL_SET_ERR_MSG(extack, "Cannot find specified qdisc on specified device");
+                       return -ENOENT;
+               }
++              if (IS_ERR(q))
++                      return PTR_ERR(q);
+               if (tcm->tcm_handle && q->handle != tcm->tcm_handle) {
+                       NL_SET_ERR_MSG(extack, "Invalid handle");
+@@ -1569,7 +1576,9 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n,
+                                       NL_SET_ERR_MSG(extack, "Failed to find specified qdisc");
+                                       return -ENOENT;
+                               }
+-                              q = qdisc_leaf(p, clid);
++                              q = qdisc_leaf(p, clid, extack);
++                              if (IS_ERR(q))
++                                      return PTR_ERR(q);
+                       } else if (dev_ingress_queue_create(dev)) {
+                               q = dev_ingress_queue(dev)->qdisc_sleeping;
+                       }
+-- 
+2.39.5
+
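Review bot: The two callers handle qdisc_leaf's new ERR_PTR return differently: tc_modify_qdisc tests `IS_ERR(q)` right after the call, whereas tc_get_qdisc lets an error pointer flow through the `dev_ingress_queue` branch and the `if (!q)` block before `if (IS_ERR(q)) return PTR_ERR(q);` at the end of its hunk. That is correct because an ERR_PTR is non-NULL, but it is easier to audit if both sites test the result at the call site, and a comment on qdisc_leaf such as `/* Returns the class's leaf qdisc, NULL if the class has none, or an ERR_PTR (extack set) when the parent is not classful or the class is missing */` would record that callers must now distinguish NULL from IS_ERR. The diffstat suggests these are the only two callers; any other qdisc_leaf() caller outside these hunks would need the same treatment.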
diff --git a/queue-5.10/netlink-fix-wraparounds-of-sk-sk_rmem_alloc.patch b/queue-5.10/netlink-fix-wraparounds-of-sk-sk_rmem_alloc.patch
new file mode 100644 (file)
index 0000000..5252a55
--- /dev/null
@@ -0,0 +1,200 @@
+From d640c036aeafa08bc7f93c0bbca9b372763e4cfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 05:48:18 +0000
+Subject: netlink: Fix wraparounds of sk->sk_rmem_alloc.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc ]
+
+Netlink has this pattern in some places
+
+  if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)
+       atomic_add(skb->truesize, &sk->sk_rmem_alloc);
+
+, which has the same problem fixed by commit 5a465a0da13e ("udp:
+Fix multiple wraparounds of sk->sk_rmem_alloc.").
+
+For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition
+is always false as the two operands are of int.
+
+Then, a single socket can eat as many skb as possible until OOM
+happens, and we can see multiple wraparounds of sk->sk_rmem_alloc.
+
+Let's fix it by using atomic_add_return() and comparing the two
+variables as unsigned int.
+
+Before:
+  [root@fedora ~]# ss -f netlink
+  Recv-Q      Send-Q Local Address:Port                Peer Address:Port
+  -1668710080 0               rtnl:nl_wraparound/293               *
+
+After:
+  [root@fedora ~]# ss -f netlink
+  Recv-Q     Send-Q Local Address:Port                Peer Address:Port
+  2147483072 0               rtnl:nl_wraparound/290               *
+  ^
+  `--- INT_MAX - 576
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Jason Baron <jbaron@akamai.com>
+Closes: https://lore.kernel.org/netdev/cover.1750285100.git.jbaron@akamai.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250704054824.1580222-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlink/af_netlink.c | 81 ++++++++++++++++++++++++----------------
+ 1 file changed, 49 insertions(+), 32 deletions(-)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 4da043d9f2c7a..6f71b4c84d1d2 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -379,7 +379,6 @@ static void netlink_skb_set_owner_r(struct sk_buff *skb, struct sock *sk)
+       WARN_ON(skb->sk != NULL);
+       skb->sk = sk;
+       skb->destructor = netlink_skb_destructor;
+-      atomic_add(skb->truesize, &sk->sk_rmem_alloc);
+       sk_mem_charge(sk, skb->truesize);
+ }
+@@ -1207,41 +1206,48 @@ static struct sk_buff *netlink_alloc_large_skb(unsigned int size,
+ int netlink_attachskb(struct sock *sk, struct sk_buff *skb,
+                     long *timeo, struct sock *ssk)
+ {
++      DECLARE_WAITQUEUE(wait, current);
+       struct netlink_sock *nlk;
++      unsigned int rmem;
+       nlk = nlk_sk(sk);
++      rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc);
+-      if ((atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf ||
+-           test_bit(NETLINK_S_CONGESTED, &nlk->state))) {
+-              DECLARE_WAITQUEUE(wait, current);
+-              if (!*timeo) {
+-                      if (!ssk || netlink_is_kernel(ssk))
+-                              netlink_overrun(sk);
+-                      sock_put(sk);
+-                      kfree_skb(skb);
+-                      return -EAGAIN;
+-              }
+-
+-              __set_current_state(TASK_INTERRUPTIBLE);
+-              add_wait_queue(&nlk->wait, &wait);
++      if ((rmem == skb->truesize || rmem < READ_ONCE(sk->sk_rcvbuf)) &&
++          !test_bit(NETLINK_S_CONGESTED, &nlk->state)) {
++              netlink_skb_set_owner_r(skb, sk);
++              return 0;
++      }
+-              if ((atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf ||
+-                   test_bit(NETLINK_S_CONGESTED, &nlk->state)) &&
+-                  !sock_flag(sk, SOCK_DEAD))
+-                      *timeo = schedule_timeout(*timeo);
++      atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
+-              __set_current_state(TASK_RUNNING);
+-              remove_wait_queue(&nlk->wait, &wait);
++      if (!*timeo) {
++              if (!ssk || netlink_is_kernel(ssk))
++                      netlink_overrun(sk);
+               sock_put(sk);
++              kfree_skb(skb);
++              return -EAGAIN;
++      }
+-              if (signal_pending(current)) {
+-                      kfree_skb(skb);
+-                      return sock_intr_errno(*timeo);
+-              }
+-              return 1;
++      __set_current_state(TASK_INTERRUPTIBLE);
++      add_wait_queue(&nlk->wait, &wait);
++      rmem = atomic_read(&sk->sk_rmem_alloc);
++
++      if (((rmem && rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)) ||
++           test_bit(NETLINK_S_CONGESTED, &nlk->state)) &&
++          !sock_flag(sk, SOCK_DEAD))
++              *timeo = schedule_timeout(*timeo);
++
++      __set_current_state(TASK_RUNNING);
++      remove_wait_queue(&nlk->wait, &wait);
++      sock_put(sk);
++
++      if (signal_pending(current)) {
++              kfree_skb(skb);
++              return sock_intr_errno(*timeo);
+       }
+-      netlink_skb_set_owner_r(skb, sk);
+-      return 0;
++
++      return 1;
+ }
+ static int __netlink_sendskb(struct sock *sk, struct sk_buff *skb)
+@@ -1301,6 +1307,7 @@ static int netlink_unicast_kernel(struct sock *sk, struct sk_buff *skb,
+       ret = -ECONNREFUSED;
+       if (nlk->netlink_rcv != NULL) {
+               ret = skb->len;
++              atomic_add(skb->truesize, &sk->sk_rmem_alloc);
+               netlink_skb_set_owner_r(skb, sk);
+               NETLINK_CB(skb).sk = ssk;
+               netlink_deliver_tap_kernel(sk, ssk, skb);
+@@ -1379,13 +1386,19 @@ EXPORT_SYMBOL_GPL(netlink_strict_get_check);
+ static int netlink_broadcast_deliver(struct sock *sk, struct sk_buff *skb)
+ {
+       struct netlink_sock *nlk = nlk_sk(sk);
++      unsigned int rmem, rcvbuf;
+-      if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf &&
++      rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc);
++      rcvbuf = READ_ONCE(sk->sk_rcvbuf);
++
++      if ((rmem != skb->truesize || rmem <= rcvbuf) &&
+           !test_bit(NETLINK_S_CONGESTED, &nlk->state)) {
+               netlink_skb_set_owner_r(skb, sk);
+               __netlink_sendskb(sk, skb);
+-              return atomic_read(&sk->sk_rmem_alloc) > (sk->sk_rcvbuf >> 1);
++              return rmem > (rcvbuf >> 1);
+       }
++
++      atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
+       return -1;
+ }
+@@ -2202,6 +2215,7 @@ static int netlink_dump(struct sock *sk, bool lock_taken)
+       struct module *module;
+       int err = -ENOBUFS;
+       int alloc_min_size;
++      unsigned int rmem;
+       int alloc_size;
+       if (!lock_taken)
+@@ -2211,9 +2225,6 @@ static int netlink_dump(struct sock *sk, bool lock_taken)
+               goto errout_skb;
+       }
+-      if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
+-              goto errout_skb;
+-
+       /* NLMSG_GOODSIZE is small to avoid high order allocations being
+        * required, but it makes sense to _attempt_ a 16K bytes allocation
+        * to reduce number of system calls on dump operations, if user
+@@ -2236,6 +2247,12 @@ static int netlink_dump(struct sock *sk, bool lock_taken)
+       if (!skb)
+               goto errout_skb;
++      rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc);
++      if (rmem >= READ_ONCE(sk->sk_rcvbuf)) {
++              atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
++              goto errout_skb;
++      }
++
+       /* Trim skb to allocated size. User is expected to provide buffer as
+        * large as max(min_dump_alloc, 16KiB (mac_recvmsg_len capped at
+        * netlink_recvmsg())). dump will pack as many smaller messages as
+-- 
+2.39.5
+
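Review bot: Removing `atomic_add(skb->truesize, &sk->sk_rmem_alloc)` from netlink_skb_set_owner_r changes that helper's contract — each caller must now charge sk_rmem_alloc itself, as netlink_unicast_kernel does in its hunk — but nothing at the helper says so; a comment such as `/* Caller must already have charged skb->truesize to sk->sk_rmem_alloc */` above `netlink_skb_set_owner_r` would catch a future caller that forgets. In netlink_attachskb and netlink_dump the fix relies on `rmem` being `unsigned int` so that `rmem < READ_ONCE(sk->sk_rcvbuf)` promotes the int rcvbuf to unsigned, while netlink_broadcast_deliver makes that explicit with its `rcvbuf` local; using the same explicit local (or a one-line comment) at the other two sites would keep a later `int rmem` edit from silently reintroducing the wraparound. The `rmem == skb->truesize` clause that admits a first skb regardless of sk_rcvbuf also deserves a short why-comment, since the old condition had no such exception.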
diff --git a/queue-5.10/perf-revert-to-requiring-cap_sys_admin-for-uprobes.patch b/queue-5.10/perf-revert-to-requiring-cap_sys_admin-for-uprobes.patch
new file mode 100644 (file)
index 0000000..b6fc9af
--- /dev/null
@@ -0,0 +1,46 @@
+From e6149926bd7f131c7da6f9c17121a596ac74f23a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 18:21:44 +0200
+Subject: perf: Revert to requiring CAP_SYS_ADMIN for uprobes
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit ba677dbe77af5ffe6204e0f3f547f3ba059c6302 ]
+
+Jann reports that uprobes can be used destructively when used in the
+middle of an instruction. The kernel only verifies there is a valid
+instruction at the requested offset, but due to variable instruction
+length cannot determine if this is an instruction as seen by the
+intended execution stream.
+
+Additionally, Mark Rutland notes that on architectures that mix data
+in the text segment (like arm64), a similar things can be done if the
+data word is 'mistaken' for an instruction.
+
+As such, require CAP_SYS_ADMIN for uprobes.
+
+Fixes: c9e0924e5c2b ("perf/core: open access to probes for CAP_PERFMON privileged process")
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/CAG48ez1n4520sq0XrWYDHKiKxE_+WCfAK+qt9qkY4ZiBGmL-5g@mail.gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index b133abe23a4b1..bf9f9eab6f67f 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -9823,7 +9823,7 @@ static int perf_uprobe_event_init(struct perf_event *event)
+       if (event->attr.type != perf_uprobe.type)
+               return -ENOENT;
+-      if (!perfmon_capable())
++      if (!capable(CAP_SYS_ADMIN))
+               return -EACCES;
+       /*
+-- 
+2.39.5
+
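Review bot: The comment block that begins at `/*` on the line after the changed check is cut off by the hunk; if it still explains the CAP_PERFMON-based access that c9e0924e5c2b introduced, it now contradicts `capable(CAP_SYS_ADMIN)` and should be reviewed together with this change. The user-facing documentation describing which capability uprobe-based perf events require (Documentation/admin-guide/perf-security.rst in the upstream tree, if present in this branch) would need the same update for the tightened requirement to be discoverable. The rest of perf_uprobe_event_init lies outside the hunk.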
index 75b05cf068ea52e5a6d31d457cc3e5de86dcc208..1115787d634b0985451e4a94eddb71f862dfe4fc 100644 (file)
@@ -143,3 +143,22 @@ media-uvcvideo-send-control-events-for-partial-succeeds.patch
 media-uvcvideo-rollback-non-processed-entities-on-error.patch
 staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch
 drm-exynos-exynos7_drm_decon-add-vblank-check-in-irq-handling.patch
+asoc-fsl_asrc-use-internal-measured-ratio-for-non-id.patch
+perf-revert-to-requiring-cap_sys_admin-for-uprobes.patch
+fix-proc_sys_compare-handling-of-in-lookup-dentries.patch
+netlink-fix-wraparounds-of-sk-sk_rmem_alloc.patch
+tipc-fix-use-after-free-in-tipc_conn_close.patch
+vsock-fix-transport_-g2h-h2g-toctou.patch
+vm_sockets-add-flags-field-in-the-vsock-address-data.patch
+vm_sockets-add-vmaddr_flag_to_host-vsock-flag.patch
+af_vsock-set-vmaddr_flag_to_host-flag-on-the-receive.patch
+af_vsock-assign-the-vsock-transport-considering-the-.patch
+vsock-fix-transport_-toctou.patch
+vsock-fix-ioctl_vm_sockets_get_local_cid-to-check-al.patch
+net-phy-smsc-fix-auto-mdix-configuration-when-disabl.patch
+net-phy-smsc-fix-link-failure-in-forced-mode-with-au.patch
+atm-clip-fix-potential-null-ptr-deref-in-to_atmarpd.patch
+atm-clip-fix-memory-leak-of-struct-clip_vcc.patch
+atm-clip-fix-infinite-recursive-call-of-clip_push.patch
+atm-clip-fix-null-pointer-dereference-in-vcc_sendmsg.patch
+net-sched-abort-__tc_modify_qdisc-if-parent-class-do.patch
diff --git a/queue-5.10/tipc-fix-use-after-free-in-tipc_conn_close.patch b/queue-5.10/tipc-fix-use-after-free-in-tipc_conn_close.patch
new file mode 100644 (file)
index 0000000..f3a539f
--- /dev/null
@@ -0,0 +1,123 @@
+From 1e272c76020dc8a7a442c1687cac41c9a5424298 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 01:43:40 +0000
+Subject: tipc: Fix use-after-free in tipc_conn_close().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 667eeab4999e981c96b447a4df5f20bdf5c26f13 ]
+
+syzbot reported a null-ptr-deref in tipc_conn_close() during netns
+dismantle. [0]
+
+tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls
+tipc_conn_close() for each tipc_conn.
+
+The problem is that tipc_conn_close() is called after releasing the
+IDR lock.
+
+At the same time, there might be tipc_conn_recv_work() running and it
+could call tipc_conn_close() for the same tipc_conn and release its
+last ->kref.
+
+Once we release the IDR lock in tipc_topsrv_stop(), there is no
+guarantee that the tipc_conn is alive.
+
+Let's hold the ref before releasing the lock and put the ref after
+tipc_conn_close() in tipc_topsrv_stop().
+
+[0]:
+BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165
+Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435
+
+CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: netns cleanup_net
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
+ print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
+ kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
+ kasan_report mm/kasan/report.c:412 [inline]
+ __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
+ tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165
+ tipc_topsrv_stop net/tipc/topsrv.c:701 [inline]
+ tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722
+ ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153
+ cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553
+ process_one_work+0x864/0x1570 kernel/workqueue.c:2153
+ worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
+ kthread+0x33f/0x460 kernel/kthread.c:259
+ ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
+
+Allocated by task 23:
+ kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
+ kmalloc include/linux/slab.h:515 [inline]
+ kzalloc include/linux/slab.h:709 [inline]
+ tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192
+ tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470
+ process_one_work+0x864/0x1570 kernel/workqueue.c:2153
+ worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
+ kthread+0x33f/0x460 kernel/kthread.c:259
+ ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
+
+Freed by task 23:
+ __cache_free mm/slab.c:3503 [inline]
+ kfree+0xcc/0x210 mm/slab.c:3822
+ tipc_conn_kref_release net/tipc/topsrv.c:150 [inline]
+ kref_put include/linux/kref.h:70 [inline]
+ conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155
+ process_one_work+0x864/0x1570 kernel/workqueue.c:2153
+ worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
+ kthread+0x33f/0x460 kernel/kthread.c:259
+ ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
+
+The buggy address belongs to the object at ffff888099305a00
+ which belongs to the cache kmalloc-512 of size 512
+The buggy address is located 8 bytes inside of
+ 512-byte region [ffff888099305a00, ffff888099305c00)
+The buggy address belongs to the page:
+page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
+flags: 0xfff00000000100(slab)
+raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940
+raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                      ^
+ ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure")
+Reported-by: syzbot+d333febcf8f4bc5f6110@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=27169a847a70550d17be
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
+Link: https://patch.msgid.link/20250702014350.692213-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/topsrv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
+index 89d8a2bd30cd0..d914c5eb25178 100644
+--- a/net/tipc/topsrv.c
++++ b/net/tipc/topsrv.c
+@@ -699,8 +699,10 @@ static void tipc_topsrv_stop(struct net *net)
+       for (id = 0; srv->idr_in_use; id++) {
+               con = idr_find(&srv->conn_idr, id);
+               if (con) {
++                      conn_get(con);
+                       spin_unlock_bh(&srv->idr_lock);
+                       tipc_conn_close(con);
++                      conn_put(con);
+                       spin_lock_bh(&srv->idr_lock);
+               }
+       }
+-- 
+2.39.5
+
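Review bot: The new `conn_get(con)` / `conn_put(con)` pair carries no explanation in the code, and the reason is non-local — the reference keeps `con` alive across the window where idr_lock is dropped and tipc_conn_recv_work() may drop the last kref, as the commit message describes. A one-line comment above `conn_get(con);`, e.g. `/* hold con across the unlock: tipc_conn_recv_work() may put the last ref */`, keeps the next reader from "simplifying" the pair away. tipc_topsrv_stop's loop header and the surrounding lock acquisition sit outside the hunk.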
diff --git a/queue-5.10/vm_sockets-add-flags-field-in-the-vsock-address-data.patch b/queue-5.10/vm_sockets-add-flags-field-in-the-vsock-address-data.patch
new file mode 100644 (file)
index 0000000..ca70981
--- /dev/null
@@ -0,0 +1,79 @@
+From 49d0afbd593ee669c2eedb53f126015b6da141fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Dec 2020 18:11:18 +0200
+Subject: vm_sockets: Add flags field in the vsock address data structure
+
+From: Andra Paraschiv <andraprs@amazon.com>
+
+[ Upstream commit dc8eeef73b63ed8988224ba6b5ed19a615163a7f ]
+
+vsock enables communication between virtual machines and the host they
+are running on. With the multi transport support (guest->host and
+host->guest), nested VMs can also use vsock channels for communication.
+
+In addition to this, by default, all the vsock packets are forwarded to
+the host, if no host->guest transport is loaded. This behavior can be
+implicitly used for enabling vsock communication between sibling VMs.
+
+Add a flags field in the vsock address data structure that can be used
+to explicitly mark the vsock connection as being targeted for a certain
+type of communication. This way, can distinguish between different use
+cases such as nested VMs and sibling VMs.
+
+This field can be set when initializing the vsock address variable used
+for the connect() call.
+
+Changelog
+
+v3 -> v4
+
+* Update the size of "svm_flags" field to be 1 byte instead of 2 bytes.
+
+v2 -> v3
+
+* Add "svm_flags" as a new field, not reusing "svm_reserved1".
+
+v1 -> v2
+
+* Update the field name to "svm_flags".
+* Split the current patch in 2 patches.
+
+Signed-off-by: Andra Paraschiv <andraprs@amazon.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 687aa0c5581b ("vsock: Fix transport_* TOCTOU")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/vm_sockets.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/vm_sockets.h b/include/uapi/linux/vm_sockets.h
+index 67e3938e86bd0..490ca99dcada1 100644
+--- a/include/uapi/linux/vm_sockets.h
++++ b/include/uapi/linux/vm_sockets.h
+@@ -22,6 +22,7 @@
+ #endif
+ #include <linux/socket.h>
++#include <linux/types.h>
+ /* Option name for STREAM socket buffer size.  Use as the option name in
+  * setsockopt(3) or getsockopt(3) to set or get an unsigned long long that
+@@ -152,10 +153,13 @@ struct sockaddr_vm {
+       unsigned short svm_reserved1;
+       unsigned int svm_port;
+       unsigned int svm_cid;
++      __u8 svm_flags;
+       unsigned char svm_zero[sizeof(struct sockaddr) -
+                              sizeof(sa_family_t) -
+                              sizeof(unsigned short) -
+-                             sizeof(unsigned int) - sizeof(unsigned int)];
++                             sizeof(unsigned int) -
++                             sizeof(unsigned int) -
++                             sizeof(__u8)];
+ };
+ #define IOCTL_VM_SOCKETS_GET_LOCAL_CID                _IO(7, 0xb9)
+-- 
+2.39.5
+
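Review bot: The new `__u8 svm_flags` member has no comment in this UAPI header saying what values it accepts, while the layout change relies on the invariant that `svm_zero` shrinks by exactly `sizeof(__u8)` so the struct stays `sizeof(struct sockaddr)`. A short comment on the field, e.g. `/* VMADDR_FLAG_* bits; zero when no flag applies */`, would document it; whether the kernel's address validation rejects non-zero bytes in the shortened `svm_zero` is outside this hunk. Because the byte was previously part of `svm_zero`, binaries built against the old header that clear the whole struct keep a zero flags value — worth stating in the header for ABI reviewers.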
diff --git a/queue-5.10/vm_sockets-add-vmaddr_flag_to_host-vsock-flag.patch b/queue-5.10/vm_sockets-add-vmaddr_flag_to_host-vsock-flag.patch
new file mode 100644 (file)
index 0000000..46ec8e4
--- /dev/null
@@ -0,0 +1,76 @@
+From 4b9f18ef5e13a22a787b56655306beb0ae5be5f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Dec 2020 18:11:19 +0200
+Subject: vm_sockets: Add VMADDR_FLAG_TO_HOST vsock flag
+
+From: Andra Paraschiv <andraprs@amazon.com>
+
+[ Upstream commit caaf95e0f23f9ed240b02251aab0f6fdb652b33d ]
+
+Add VMADDR_FLAG_TO_HOST vsock flag that is used to setup a vsock
+connection where all the packets are forwarded to the host.
+
+Then, using this type of vsock channel, vsock communication between
+sibling VMs can be built on top of it.
+
+Changelog
+
+v3 -> v4
+
+* Update the "VMADDR_FLAG_TO_HOST" value, as the size of the field has
+  been updated to 1 byte.
+
+v2 -> v3
+
+* Update comments to mention when the flag is set in the connect and
+  listen paths.
+
+v1 -> v2
+
+* New patch in v2, it was split from the first patch in the series.
+* Remove the default value for the vsock flags field.
+* Update the naming for the vsock flag to "VMADDR_FLAG_TO_HOST".
+
+Signed-off-by: Andra Paraschiv <andraprs@amazon.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 687aa0c5581b ("vsock: Fix transport_* TOCTOU")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/vm_sockets.h | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/include/uapi/linux/vm_sockets.h b/include/uapi/linux/vm_sockets.h
+index 490ca99dcada1..4263c85593fa0 100644
+--- a/include/uapi/linux/vm_sockets.h
++++ b/include/uapi/linux/vm_sockets.h
+@@ -119,6 +119,26 @@
+ #define VMADDR_CID_HOST 2
++/* The current default use case for the vsock channel is the following:
++ * local vsock communication between guest and host and nested VMs setup.
++ * In addition to this, implicitly, the vsock packets are forwarded to the host
++ * if no host->guest vsock transport is set.
++ *
++ * Set this flag value in the sockaddr_vm corresponding field if the vsock
++ * packets need to be always forwarded to the host. Using this behavior,
++ * vsock communication between sibling VMs can be setup.
++ *
++ * This way can explicitly distinguish between vsock channels created for
++ * different use cases, such as nested VMs (or local communication between
++ * guest and host) and sibling VMs.
++ *
++ * The flag can be set in the connect logic in the user space application flow.
++ * In the listen logic (from kernel space) the flag is set on the remote peer
++ * address. This happens for an incoming connection when it is routed from the
++ * host and comes from the guest (local CID and remote CID > VMADDR_CID_HOST).
++ */
++#define VMADDR_FLAG_TO_HOST 0x01
++
+ /* Invalid vSockets version. */
+ #define VM_SOCKETS_INVALID_VERSION -1U
+-- 
+2.39.5
+
diff --git a/queue-5.10/vsock-fix-ioctl_vm_sockets_get_local_cid-to-check-al.patch b/queue-5.10/vsock-fix-ioctl_vm_sockets_get_local_cid-to-check-al.patch
new file mode 100644 (file)
index 0000000..89b9368
--- /dev/null
@@ -0,0 +1,40 @@
+From b665c3d31ca5af7f937c3c6526a4f9eb813822df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 17:18:20 +0200
+Subject: vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also
+ `transport_local`
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 1e7d9df379a04ccd0c2f82f39fbb69d482e864cc ]
+
+Support returning VMADDR_CID_LOCAL in case no other vsock transport is
+available.
+
+Fixes: 0e12190578d0 ("vsock: add local transport support in the vsock core")
+Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Link: https://patch.msgid.link/20250703-vsock-transports-toctou-v4-3-98f0eb530747@rbox.co
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index f65868d2e82c3..56bbc2970ffef 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -2186,6 +2186,8 @@ static long vsock_dev_do_ioctl(struct file *filp,
+               cid = vsock_registered_transport_cid(&transport_g2h);
+               if (cid == VMADDR_CID_ANY)
+                       cid = vsock_registered_transport_cid(&transport_h2g);
++              if (cid == VMADDR_CID_ANY)
++                      cid = vsock_registered_transport_cid(&transport_local);
+               if (put_user(cid, p) != 0)
+                       retval = -EFAULT;
+-- 
+2.39.5
+
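Review bot: The new fallback to `transport_local` is undocumented: the only comment in this chain (visible as context in the companion g2h/h2g patch, "we prioritize the guest CID instead of well-know host CID") explains the g2h-before-h2g order and nothing about why VMADDR_CID_LOCAL is the last resort. A line appended to that comment such as `* Fall back to the loopback transport's CID when neither g2h nor h2g is registered.` would make the precedence explicit for the next reader. That comment and the rest of vsock_dev_do_ioctl's body lie outside this hunk.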
diff --git a/queue-5.10/vsock-fix-transport_-g2h-h2g-toctou.patch b/queue-5.10/vsock-fix-transport_-g2h-h2g-toctou.patch
new file mode 100644 (file)
index 0000000..1ebd52d
--- /dev/null
@@ -0,0 +1,100 @@
+From c4be5c1235be29e7677a1b80372c901ede5ee4a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 17:18:18 +0200
+Subject: vsock: Fix transport_{g2h,h2g} TOCTOU
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 209fd720838aaf1420416494c5505096478156b4 ]
+
+vsock_find_cid() and vsock_dev_do_ioctl() may race with module unload.
+transport_{g2h,h2g} may become NULL after the NULL check.
+
+Introduce vsock_transport_local_cid() to protect from a potential
+null-ptr-deref.
+
+KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
+RIP: 0010:vsock_find_cid+0x47/0x90
+Call Trace:
+ __vsock_bind+0x4b2/0x720
+ vsock_bind+0x90/0xe0
+ __sys_bind+0x14d/0x1e0
+ __x64_sys_bind+0x6e/0xc0
+ do_syscall_64+0x92/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
+RIP: 0010:vsock_dev_do_ioctl.isra.0+0x58/0xf0
+Call Trace:
+ __x64_sys_ioctl+0x12d/0x190
+ do_syscall_64+0x92/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Link: https://patch.msgid.link/20250703-vsock-transports-toctou-v4-1-98f0eb530747@rbox.co
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index fc0306ba2d43e..5f82dfe50c123 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -498,9 +498,25 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
+ }
+ EXPORT_SYMBOL_GPL(vsock_assign_transport);
++/*
++ * Provide safe access to static transport_{h2g,g2h,dgram,local} callbacks.
++ * Otherwise we may race with module removal. Do not use on `vsk->transport`.
++ */
++static u32 vsock_registered_transport_cid(const struct vsock_transport **transport)
++{
++      u32 cid = VMADDR_CID_ANY;
++
++      mutex_lock(&vsock_register_mutex);
++      if (*transport)
++              cid = (*transport)->get_local_cid();
++      mutex_unlock(&vsock_register_mutex);
++
++      return cid;
++}
++
+ bool vsock_find_cid(unsigned int cid)
+ {
+-      if (transport_g2h && cid == transport_g2h->get_local_cid())
++      if (cid == vsock_registered_transport_cid(&transport_g2h))
+               return true;
+       if (transport_h2g && cid == VMADDR_CID_HOST)
+@@ -2124,18 +2140,17 @@ static long vsock_dev_do_ioctl(struct file *filp,
+                              unsigned int cmd, void __user *ptr)
+ {
+       u32 __user *p = ptr;
+-      u32 cid = VMADDR_CID_ANY;
+       int retval = 0;
++      u32 cid;
+       switch (cmd) {
+       case IOCTL_VM_SOCKETS_GET_LOCAL_CID:
+               /* To be compatible with the VMCI behavior, we prioritize the
+                * guest CID instead of well-know host CID (VMADDR_CID_HOST).
+                */
+-              if (transport_g2h)
+-                      cid = transport_g2h->get_local_cid();
+-              else if (transport_h2g)
+-                      cid = transport_h2g->get_local_cid();
++              cid = vsock_registered_transport_cid(&transport_g2h);
++              if (cid == VMADDR_CID_ANY)
++                      cid = vsock_registered_transport_cid(&transport_h2g);
+               if (put_user(cid, p) != 0)
+                       retval = -EFAULT;
+-- 
+2.39.5
+
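Review bot: vsock_find_cid still reads `transport_h2g` without vsock_register_mutex on the line right after the rewritten g2h check (`if (transport_h2g && cid == VMADDR_CID_HOST)`); it is only a NULL test with no dereference, so the reported null-ptr-deref is closed, but it remains an unsynchronized read that deserves a comment such as `/* Unlocked NULL test only, never dereferenced; racing with unload is harmless here. */`. A second subtlety: vsock_registered_transport_cid() returns VMADDR_CID_ANY for an unregistered transport, so vsock_find_cid(VMADDR_CID_ANY) now returns true whenever no g2h transport is registered, where the old `transport_g2h && ...` test returned false; presumably callers exclude VMADDR_CID_ANY before calling, but the helper's header comment should say that the sentinel doubles as "not registered". The bodies of vsock_find_cid and vsock_dev_do_ioctl continue outside their inner hunks.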
diff --git a/queue-5.10/vsock-fix-transport_-toctou.patch b/queue-5.10/vsock-fix-transport_-toctou.patch
new file mode 100644 (file)
index 0000000..7799fe8
--- /dev/null
@@ -0,0 +1,108 @@
+From 6ef9c5fb0e1f07861c1d7a36c31b992b249f548a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 17:18:19 +0200
+Subject: vsock: Fix transport_* TOCTOU
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 687aa0c5581b8d4aa87fd92973e4ee576b550cdf ]
+
+Transport assignment may race with module unload. Protect new_transport
+from becoming a stale pointer.
+
+This also takes care of an insecure call in vsock_use_local_transport();
+add a lockdep assert.
+
+BUG: unable to handle page fault for address: fffffbfff8056000
+Oops: Oops: 0000 [#1] SMP KASAN
+RIP: 0010:vsock_assign_transport+0x366/0x600
+Call Trace:
+ vsock_connect+0x59c/0xc40
+ __sys_connect+0xe8/0x100
+ __x64_sys_connect+0x6e/0xc0
+ do_syscall_64+0x92/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Link: https://patch.msgid.link/20250703-vsock-transports-toctou-v4-2-98f0eb530747@rbox.co
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index beacbe957594a..f65868d2e82c3 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -400,6 +400,8 @@ EXPORT_SYMBOL_GPL(vsock_enqueue_accept);
+ static bool vsock_use_local_transport(unsigned int remote_cid)
+ {
++      lockdep_assert_held(&vsock_register_mutex);
++
+       if (!transport_local)
+               return false;
+@@ -457,6 +459,8 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
+       remote_flags = vsk->remote_addr.svm_flags;
++      mutex_lock(&vsock_register_mutex);
++
+       switch (sk->sk_type) {
+       case SOCK_DGRAM:
+               new_transport = transport_dgram;
+@@ -471,12 +475,15 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
+                       new_transport = transport_h2g;
+               break;
+       default:
+-              return -ESOCKTNOSUPPORT;
++              ret = -ESOCKTNOSUPPORT;
++              goto err;
+       }
+       if (vsk->transport) {
+-              if (vsk->transport == new_transport)
+-                      return 0;
++              if (vsk->transport == new_transport) {
++                      ret = 0;
++                      goto err;
++              }
+               /* transport->release() must be called with sock lock acquired.
+                * This path can only be taken during vsock_stream_connect(),
+@@ -500,8 +507,16 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
+       /* We increase the module refcnt to prevent the transport unloading
+        * while there are open sockets assigned to it.
+        */
+-      if (!new_transport || !try_module_get(new_transport->module))
+-              return -ENODEV;
++      if (!new_transport || !try_module_get(new_transport->module)) {
++              ret = -ENODEV;
++              goto err;
++      }
++
++      /* It's safe to release the mutex after a successful try_module_get().
++       * Whichever transport `new_transport` points at, it won't go away until
++       * the last module_put() below or in vsock_deassign_transport().
++       */
++      mutex_unlock(&vsock_register_mutex);
+       ret = new_transport->init(vsk, psk);
+       if (ret) {
+@@ -512,6 +527,9 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
+       vsk->transport = new_transport;
+       return 0;
++err:
++      mutex_unlock(&vsock_register_mutex);
++      return ret;
+ }
+ EXPORT_SYMBOL_GPL(vsock_assign_transport);
+-- 
+2.39.5
+
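Review bot: The `err:` label added at the end of vsock_assign_transport is also the target of the success path (`ret = 0; goto err;` when `vsk->transport == new_transport`), so the name misstates what the label does; renaming it `out_unlock:` and updating the three `goto err;` sites would make the "single exit that drops the mutex" intent obvious. Separately, the `if (vsk->transport)` branch now executes with vsock_register_mutex held, and its context comment says transport->release() must be called with the sock lock acquired; presumably no lock-ordering problem results, but stating that next to the new `mutex_lock(&vsock_register_mutex);` would spare the next reader the same question. The lockdep_assert_held() added to vsock_use_local_transport documents the new locking contract well. Both functions' bodies extend outside the inner hunks shown here.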