--- /dev/null
+From 01d3c8417b9c1b884a8a981a3b886da556512f36 Mon Sep 17 00:00:00 2001
+From: Quang Le <quanglex97@gmail.com>
+Date: Fri, 1 Aug 2025 13:54:16 -0400
+Subject: net/packet: fix a race in packet_set_ring() and packet_notifier()
+
+From: Quang Le <quanglex97@gmail.com>
+
+commit 01d3c8417b9c1b884a8a981a3b886da556512f36 upstream.
+
+When packet_set_ring() releases po->bind_lock, another thread can
+run packet_notifier() and process an NETDEV_UP event.
+
+This race and the fix are both similar to that of commit 15fe076edea7
+("net/packet: fix a race in packet_bind() and packet_notifier()").
+
+There too the packet_notifier NETDEV_UP event managed to run while a
+po->bind_lock critical section had to be temporarily released. And
+the fix was similarly to temporarily set po->num to zero to keep
+the socket unhooked until the lock is retaken.
+
+The po->bind_lock in packet_set_ring and packet_notifier precede the
+introduction of git history.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Quang Le <quanglex97@gmail.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20250801175423.2970334-1-willemdebruijn.kernel@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4541,10 +4541,10 @@ static int packet_set_ring(struct sock *
+ spin_lock(&po->bind_lock);
+ was_running = po->running;
+ num = po->num;
+- if (was_running) {
+- WRITE_ONCE(po->num, 0);
++ WRITE_ONCE(po->num, 0);
++ if (was_running)
+ __unregister_prot_hook(sk, false);
+- }
++
+ spin_unlock(&po->bind_lock);
+
+ synchronize_net();
+@@ -4576,10 +4576,10 @@ static int packet_set_ring(struct sock *
+ mutex_unlock(&po->pg_vec_lock);
+
+ spin_lock(&po->bind_lock);
+- if (was_running) {
+- WRITE_ONCE(po->num, num);
++ WRITE_ONCE(po->num, num);
++ if (was_running)
+ register_prot_hook(sk);
+- }
++
+ spin_unlock(&po->bind_lock);
+ if (pg_vec && (po->tp_version > TPACKET_V2)) {
+ /* Because we don't support block-based V3 on tx-ring */
--- /dev/null
+From aba0c94f61ec05315fa7815d21aefa4c87f6a9f4 Mon Sep 17 00:00:00 2001
+From: Budimir Markovic <markovicbudimir@gmail.com>
+Date: Thu, 7 Aug 2025 04:18:11 +0000
+Subject: vsock: Do not allow binding to VMADDR_PORT_ANY
+
+From: Budimir Markovic <markovicbudimir@gmail.com>
+
+commit aba0c94f61ec05315fa7815d21aefa4c87f6a9f4 upstream.
+
+It is possible for a vsock to autobind to VMADDR_PORT_ANY. This can
+cause a use-after-free when a connection is made to the bound socket.
+The socket returned by accept() also has port VMADDR_PORT_ANY but is not
+on the list of unbound sockets. Binding it will result in an extra
+refcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep
+the binding until socket destruction).
+
+Modify the check in __vsock_bind_connectible() to also prevent binding
+to VMADDR_PORT_ANY.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
+Signed-off-by: Budimir Markovic <markovicbudimir@gmail.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20250807041811.678-1-markovicbudimir@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -686,7 +686,8 @@ static int __vsock_bind_connectible(stru
+ unsigned int i;
+
+ for (i = 0; i < MAX_PORT_RETRIES; i++) {
+- if (port <= LAST_RESERVED_PORT)
++ if (port == VMADDR_PORT_ANY ||
++ port <= LAST_RESERVED_PORT)
+ port = LAST_RESERVED_PORT + 1;
+
+ new_addr.svm_port = port++;
projects / thirdparty / kernel / stable-queue.git / commitdiff
