Fixes for 5.4

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.4/atm-clip-fix-infinite-recursive-call-of-clip_push.patch b/queue-5.4/atm-clip-fix-infinite-recursive-call-of-clip_push.patch
new file mode 100644 (file)
index 0000000..c88d0a7
--- /dev/null
+++ b/queue-5.4/atm-clip-fix-infinite-recursive-call-of-clip_push.patch
@@ -0,0 +1,102 @@
+From 10fd84c82b47df13341e9130240f16fc5f209e02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 06:23:53 +0000
+Subject: atm: clip: Fix infinite recursive call of clip_push().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit c489f3283dbfc0f3c00c312149cae90d27552c45 ]
+
+syzbot reported the splat below. [0]
+
+This happens if we call ioctl(ATMARP_MKIP) more than once.
+
+During the first call, clip_mkip() sets clip_push() to vcc->push(),
+and the second call copies it to clip_vcc->old_push().
+
+Later, when the socket is close()d, vcc_destroy_socket() passes
+NULL skb to clip_push(), which calls clip_vcc->old_push(),
+triggering the infinite recursion.
+
+Let's prevent the second ioctl(ATMARP_MKIP) by checking
+vcc->user_back, which is allocated by the first call as clip_vcc.
+
+Note also that we use lock_sock() to prevent racy calls.
+
+[0]:
+BUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000)
+Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI
+CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191
+Code: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00
+RSP: 0018:ffffc9000d670000 EFLAGS: 00010246
+RAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000
+RBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e
+R10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300
+R13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578
+FS:  000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0
+Call Trace:
+ <TASK>
+ clip_push+0x6dc/0x720 net/atm/clip.c:200
+ clip_push+0x6dc/0x720 net/atm/clip.c:200
+ clip_push+0x6dc/0x720 net/atm/clip.c:200
+...
+ clip_push+0x6dc/0x720 net/atm/clip.c:200
+ clip_push+0x6dc/0x720 net/atm/clip.c:200
+ clip_push+0x6dc/0x720 net/atm/clip.c:200
+ vcc_destroy_socket net/atm/common.c:183 [inline]
+ vcc_release+0x157/0x460 net/atm/common.c:205
+ __sock_release net/socket.c:647 [inline]
+ sock_close+0xc0/0x240 net/socket.c:1391
+ __fput+0x449/0xa70 fs/file_table.c:465
+ task_work_run+0x1d1/0x260 kernel/task_work.c:227
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114
+ exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
+ do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7ff31c98e929
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
+RAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929
+RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
+RBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f
+R10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c
+R13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090
+ </TASK>
+Modules linked in:
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+0c77cccd6b7cd917b35a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2371d94d248d126c1eb1
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250704062416.1613927-4-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/clip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/atm/clip.c b/net/atm/clip.c
+index 8415ac2805474..bf62d94554d9f 100644
+--- a/net/atm/clip.c
++++ b/net/atm/clip.c
+@@ -430,6 +430,8 @@ static int clip_mkip(struct atm_vcc *vcc, int timeout)
+ 
+       if (!vcc->push)
+               return -EBADFD;
++      if (vcc->user_back)
++              return -EINVAL;
+       clip_vcc = kmalloc(sizeof(struct clip_vcc), GFP_KERNEL);
+       if (!clip_vcc)
+               return -ENOMEM;
+-- 
+2.39.5
+

diff --git a/queue-5.4/atm-clip-fix-memory-leak-of-struct-clip_vcc.patch b/queue-5.4/atm-clip-fix-memory-leak-of-struct-clip_vcc.patch
new file mode 100644 (file)
index 0000000..a494b4e
--- /dev/null
+++ b/queue-5.4/atm-clip-fix-memory-leak-of-struct-clip_vcc.patch
@@ -0,0 +1,76 @@
+From 98490daabbd8777abd6f5f4e43014845115a646c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 06:23:52 +0000
+Subject: atm: clip: Fix memory leak of struct clip_vcc.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 62dba28275a9a3104d4e33595c7b3328d4032d8d ]
+
+ioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to
+vcc->user_back.
+
+The code assumes that vcc_destroy_socket() passes NULL skb
+to vcc->push() when the socket is close()d, and then clip_push()
+frees clip_vcc.
+
+However, ioctl(ATMARPD_CTRL) sets NULL to vcc->push() in
+atm_init_atmarp(), resulting in memory leak.
+
+Let's serialise two ioctl() by lock_sock() and check vcc->push()
+in atm_init_atmarp() to prevent memleak.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250704062416.1613927-3-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/clip.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/atm/clip.c b/net/atm/clip.c
+index d5363ae5296ad..8415ac2805474 100644
+--- a/net/atm/clip.c
++++ b/net/atm/clip.c
+@@ -646,6 +646,9 @@ static struct atm_dev atmarpd_dev = {
+ 
+ static int atm_init_atmarp(struct atm_vcc *vcc)
+ {
++      if (vcc->push == clip_push)
++              return -EINVAL;
++
+       mutex_lock(&atmarpd_lock);
+       if (atmarpd) {
+               mutex_unlock(&atmarpd_lock);
+@@ -670,6 +673,7 @@ static int atm_init_atmarp(struct atm_vcc *vcc)
+ static int clip_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
+ {
+       struct atm_vcc *vcc = ATM_SD(sock);
++      struct sock *sk = sock->sk;
+       int err = 0;
+ 
+       switch (cmd) {
+@@ -690,14 +694,18 @@ static int clip_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
+               err = clip_create(arg);
+               break;
+       case ATMARPD_CTRL:
++              lock_sock(sk);
+               err = atm_init_atmarp(vcc);
+               if (!err) {
+                       sock->state = SS_CONNECTED;
+                       __module_get(THIS_MODULE);
+               }
++              release_sock(sk);
+               break;
+       case ATMARP_MKIP:
++              lock_sock(sk);
+               err = clip_mkip(vcc, arg);
++              release_sock(sk);
+               break;
+       case ATMARP_SETENTRY:
+               err = clip_setentry(vcc, (__force __be32)arg);
+-- 
+2.39.5
+

diff --git a/queue-5.4/atm-clip-fix-null-pointer-dereference-in-vcc_sendmsg.patch b/queue-5.4/atm-clip-fix-null-pointer-dereference-in-vcc_sendmsg.patch
new file mode 100644 (file)
index 0000000..57960b1
--- /dev/null
+++ b/queue-5.4/atm-clip-fix-null-pointer-dereference-in-vcc_sendmsg.patch
@@ -0,0 +1,82 @@
+From 4eba949b8c2179d36d2f83bd39cc437e7c5ac68d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Jul 2025 16:52:28 +0800
+Subject: atm: clip: Fix NULL pointer dereference in vcc_sendmsg()
+
+From: Yue Haibing <yuehaibing@huawei.com>
+
+[ Upstream commit 22fc46cea91df3dce140a7dc6847c6fcf0354505 ]
+
+atmarpd_dev_ops does not implement the send method, which may cause crash
+as bellow.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+PGD 0 P4D 0
+Oops: Oops: 0010 [#1] SMP KASAN NOPTI
+CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:0x0
+Code: Unable to access opcode bytes at 0xffffffffffffffd6.
+RSP: 0018:ffffc9000d3cf778 EFLAGS: 00010246
+RAX: 1ffffffff1910dd1 RBX: 00000000000000c0 RCX: dffffc0000000000
+RDX: ffffc9000dc82000 RSI: ffff88803e4c4640 RDI: ffff888052cd0000
+RBP: ffffc9000d3cf8d0 R08: ffff888052c9143f R09: 1ffff1100a592287
+R10: dffffc0000000000 R11: 0000000000000000 R12: 1ffff92001a79f00
+R13: ffff888052cd0000 R14: ffff88803e4c4640 R15: ffffffff8c886e88
+FS:  00007fbc762566c0(0000) GS:ffff88808d6c2000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffffffffd6 CR3: 0000000041f1b000 CR4: 0000000000352ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ vcc_sendmsg+0xa10/0xc50 net/atm/common.c:644
+ sock_sendmsg_nosec net/socket.c:712 [inline]
+ __sock_sendmsg+0x219/0x270 net/socket.c:727
+ ____sys_sendmsg+0x52d/0x830 net/socket.c:2566
+ ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
+ __sys_sendmmsg+0x227/0x430 net/socket.c:2709
+ __do_sys_sendmmsg net/socket.c:2736 [inline]
+ __se_sys_sendmmsg net/socket.c:2733 [inline]
+ __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2733
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+e34e5e6b5eddb0014def@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/682f82d5.a70a0220.1765ec.0143.GAE@google.com/T
+Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250705085228.329202-1-yuehaibing@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/clip.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/atm/clip.c b/net/atm/clip.c
+index bf62d94554d9f..0caed86736582 100644
+--- a/net/atm/clip.c
++++ b/net/atm/clip.c
+@@ -633,8 +633,16 @@ static void atmarpd_close(struct atm_vcc *vcc)
+       module_put(THIS_MODULE);
+ }
+ 
++static int atmarpd_send(struct atm_vcc *vcc, struct sk_buff *skb)
++{
++      atm_return_tx(vcc, skb);
++      dev_kfree_skb_any(skb);
++      return 0;
++}
++
+ static const struct atmdev_ops atmarpd_dev_ops = {
+-      .close = atmarpd_close
++      .close = atmarpd_close,
++      .send = atmarpd_send
+ };
+ 
+ 
+-- 
+2.39.5
+

diff --git a/queue-5.4/atm-clip-fix-potential-null-ptr-deref-in-to_atmarpd.patch b/queue-5.4/atm-clip-fix-potential-null-ptr-deref-in-to_atmarpd.patch
new file mode 100644 (file)
index 0000000..a341259
--- /dev/null
+++ b/queue-5.4/atm-clip-fix-potential-null-ptr-deref-in-to_atmarpd.patch
@@ -0,0 +1,134 @@
+From 54122099b82c0974c80b53536ea9f4527c1f0f73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 06:23:51 +0000
+Subject: atm: clip: Fix potential null-ptr-deref in to_atmarpd().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 706cc36477139c1616a9b2b96610a8bb520b7119 ]
+
+atmarpd is protected by RTNL since commit f3a0592b37b8 ("[ATM]: clip
+causes unregister hang").
+
+However, it is not enough because to_atmarpd() is called without RTNL,
+especially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable.
+
+Also, there is no RTNL dependency around atmarpd.
+
+Let's use a private mutex and RCU to protect access to atmarpd in
+to_atmarpd().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250704062416.1613927-2-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/clip.c | 44 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 29 insertions(+), 15 deletions(-)
+
+diff --git a/net/atm/clip.c b/net/atm/clip.c
+index 294cb9efe3d38..d5363ae5296ad 100644
+--- a/net/atm/clip.c
++++ b/net/atm/clip.c
+@@ -45,7 +45,8 @@
+ #include <net/atmclip.h>
+ 
+ static struct net_device *clip_devs;
+-static struct atm_vcc *atmarpd;
++static struct atm_vcc __rcu *atmarpd;
++static DEFINE_MUTEX(atmarpd_lock);
+ static struct timer_list idle_timer;
+ static const struct neigh_ops clip_neigh_ops;
+ 
+@@ -53,24 +54,35 @@ static int to_atmarpd(enum atmarp_ctrl_type type, int itf, __be32 ip)
+ {
+       struct sock *sk;
+       struct atmarp_ctrl *ctrl;
++      struct atm_vcc *vcc;
+       struct sk_buff *skb;
++      int err = 0;
+ 
+       pr_debug("(%d)\n", type);
+-      if (!atmarpd)
+-              return -EUNATCH;
++
++      rcu_read_lock();
++      vcc = rcu_dereference(atmarpd);
++      if (!vcc) {
++              err = -EUNATCH;
++              goto unlock;
++      }
+       skb = alloc_skb(sizeof(struct atmarp_ctrl), GFP_ATOMIC);
+-      if (!skb)
+-              return -ENOMEM;
++      if (!skb) {
++              err = -ENOMEM;
++              goto unlock;
++      }
+       ctrl = skb_put(skb, sizeof(struct atmarp_ctrl));
+       ctrl->type = type;
+       ctrl->itf_num = itf;
+       ctrl->ip = ip;
+-      atm_force_charge(atmarpd, skb->truesize);
++      atm_force_charge(vcc, skb->truesize);
+ 
+-      sk = sk_atm(atmarpd);
++      sk = sk_atm(vcc);
+       skb_queue_tail(&sk->sk_receive_queue, skb);
+       sk->sk_data_ready(sk);
+-      return 0;
++unlock:
++      rcu_read_unlock();
++      return err;
+ }
+ 
+ static void link_vcc(struct clip_vcc *clip_vcc, struct atmarp_entry *entry)
+@@ -608,10 +620,12 @@ static void atmarpd_close(struct atm_vcc *vcc)
+ {
+       pr_debug("\n");
+ 
+-      rtnl_lock();
+-      atmarpd = NULL;
++      mutex_lock(&atmarpd_lock);
++      RCU_INIT_POINTER(atmarpd, NULL);
++      mutex_unlock(&atmarpd_lock);
++
++      synchronize_rcu();
+       skb_queue_purge(&sk_atm(vcc)->sk_receive_queue);
+-      rtnl_unlock();
+ 
+       pr_debug("(done)\n");
+       module_put(THIS_MODULE);
+@@ -632,15 +646,15 @@ static struct atm_dev atmarpd_dev = {
+ 
+ static int atm_init_atmarp(struct atm_vcc *vcc)
+ {
+-      rtnl_lock();
++      mutex_lock(&atmarpd_lock);
+       if (atmarpd) {
+-              rtnl_unlock();
++              mutex_unlock(&atmarpd_lock);
+               return -EADDRINUSE;
+       }
+ 
+       mod_timer(&idle_timer, jiffies + CLIP_CHECK_INTERVAL * HZ);
+ 
+-      atmarpd = vcc;
++      rcu_assign_pointer(atmarpd, vcc);
+       set_bit(ATM_VF_META, &vcc->flags);
+       set_bit(ATM_VF_READY, &vcc->flags);
+           /* allow replies and avoid getting closed if signaling dies */
+@@ -649,7 +663,7 @@ static int atm_init_atmarp(struct atm_vcc *vcc)
+       vcc->push = NULL;
+       vcc->pop = NULL; /* crash */
+       vcc->push_oam = NULL; /* crash */
+-      rtnl_unlock();
++      mutex_unlock(&atmarpd_lock);
+       return 0;
+ }
+ 
+-- 
+2.39.5
+

diff --git a/queue-5.4/fix-proc_sys_compare-handling-of-in-lookup-dentries.patch b/queue-5.4/fix-proc_sys_compare-handling-of-in-lookup-dentries.patch
new file mode 100644 (file)
index 0000000..f4e48e7
--- /dev/null
+++ b/queue-5.4/fix-proc_sys_compare-handling-of-in-lookup-dentries.patch
@@ -0,0 +1,96 @@
+From c7794ac12ea589c1069d6f29f072994cfbc384b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 02:52:13 -0400
+Subject: fix proc_sys_compare() handling of in-lookup dentries
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit b969f9614885c20f903e1d1f9445611daf161d6d ]
+
+There's one case where ->d_compare() can be called for an in-lookup
+dentry; usually that's nothing special from ->d_compare() point of
+view, but... proc_sys_compare() is weird.
+
+The thing is, /proc/sys subdirectories can look differently for
+different processes.  Up to and including having the same name
+resolve to different dentries - all of them hashed.
+
+The way it's done is ->d_compare() refusing to admit a match unless
+this dentry is supposed to be visible to this caller.  The information
+needed to discriminate between them is stored in inode; it is set
+during proc_sys_lookup() and until it's done d_splice_alias() we really
+can't tell who should that dentry be visible for.
+
+Normally there's no negative dentries in /proc/sys; we can run into
+a dying dentry in RCU dcache lookup, but those can be safely rejected.
+
+However, ->d_compare() is also called for in-lookup dentries, before
+they get positive - or hashed, for that matter.  In case of match
+we will wait until dentry leaves in-lookup state and repeat ->d_compare()
+afterwards.  In other words, the right behaviour is to treat the
+name match as sufficient for in-lookup dentries; if dentry is not
+for us, we'll see that when we recheck once proc_sys_lookup() is
+done with it.
+
+While we are at it, fix the misspelled READ_ONCE and WRITE_ONCE there.
+
+Fixes: d9171b934526 ("parallel lookups machinery, part 4 (and last)")
+Reported-by: NeilBrown <neilb@brown.name>
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Reviewed-by: NeilBrown <neil@brown.name>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/proc/inode.c       |  2 +-
+ fs/proc/proc_sysctl.c | 18 +++++++++++-------
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/fs/proc/inode.c b/fs/proc/inode.c
+index a6bb1b5c903e6..86175a8c04b3f 100644
+--- a/fs/proc/inode.c
++++ b/fs/proc/inode.c
+@@ -53,7 +53,7 @@ static void proc_evict_inode(struct inode *inode)
+ 
+       head = ei->sysctl;
+       if (head) {
+-              RCU_INIT_POINTER(ei->sysctl, NULL);
++              WRITE_ONCE(ei->sysctl, NULL);
+               proc_sys_evict_inode(inode, head);
+       }
+ }
+diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
+index f4264dd4ea31b..c8dad20069803 100644
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -928,17 +928,21 @@ static int proc_sys_compare(const struct dentry *dentry,
+       struct ctl_table_header *head;
+       struct inode *inode;
+ 
+-      /* Although proc doesn't have negative dentries, rcu-walk means
+-       * that inode here can be NULL */
+-      /* AV: can it, indeed? */
+-      inode = d_inode_rcu(dentry);
+-      if (!inode)
+-              return 1;
+       if (name->len != len)
+               return 1;
+       if (memcmp(name->name, str, len))
+               return 1;
+-      head = rcu_dereference(PROC_I(inode)->sysctl);
++
++      // false positive is fine here - we'll recheck anyway
++      if (d_in_lookup(dentry))
++              return 0;
++
++      inode = d_inode_rcu(dentry);
++      // we just might have run into dentry in the middle of __dentry_kill()
++      if (!inode)
++              return 1;
++
++      head = READ_ONCE(PROC_I(inode)->sysctl);
+       return !head || !sysctl_is_seen(head);
+ }
+ 
+-- 
+2.39.5
+

diff --git a/queue-5.4/net-sched-abort-__tc_modify_qdisc-if-parent-class-do.patch b/queue-5.4/net-sched-abort-__tc_modify_qdisc-if-parent-class-do.patch
new file mode 100644 (file)
index 0000000..5454122
--- /dev/null
+++ b/queue-5.4/net-sched-abort-__tc_modify_qdisc-if-parent-class-do.patch
@@ -0,0 +1,121 @@
+From 98de995d534361f8f450b7567685a56bf5a8e7b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 18:08:01 -0300
+Subject: net/sched: Abort __tc_modify_qdisc if parent class does not exist
+
+From: Victor Nogueira <victor@mojatatu.com>
+
+[ Upstream commit ffdde7bf5a439aaa1955ebd581f5c64ab1533963 ]
+
+Lion's patch [1] revealed an ancient bug in the qdisc API.
+Whenever a user creates/modifies a qdisc specifying as a parent another
+qdisc, the qdisc API will, during grafting, detect that the user is
+not trying to attach to a class and reject. However grafting is
+performed after qdisc_create (and thus the qdiscs' init callback) is
+executed. In qdiscs that eventually call qdisc_tree_reduce_backlog
+during init or change (such as fq, hhf, choke, etc), an issue
+arises. For example, executing the following commands:
+
+sudo tc qdisc add dev lo root handle a: htb default 2
+sudo tc qdisc add dev lo parent a: handle beef fq
+
+Qdiscs such as fq, hhf, choke, etc unconditionally invoke
+qdisc_tree_reduce_backlog() in their control path init() or change() which
+then causes a failure to find the child class; however, that does not stop
+the unconditional invocation of the assumed child qdisc's qlen_notify with
+a null class. All these qdiscs make the assumption that class is non-null.
+
+The solution is ensure that qdisc_leaf() which looks up the parent
+class, and is invoked prior to qdisc_create(), should return failure on
+not finding the class.
+In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the
+parentid doesn't correspond to a class, so that we can detect it
+earlier on and abort before qdisc_create is called.
+
+[1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/
+
+Fixes: 5e50da01d0ce ("[NET_SCHED]: Fix endless loops (part 2): "simple" qdiscs")
+Reported-by: syzbot+d8b58d7b0ad89a678a16@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/68663c93.a70a0220.5d25f.0857.GAE@google.com/
+Reported-by: syzbot+5eccb463fa89309d8bdc@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/68663c94.a70a0220.5d25f.0858.GAE@google.com/
+Reported-by: syzbot+1261670bbdefc5485a06@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/686764a5.a00a0220.c7b3.0013.GAE@google.com/
+Reported-by: syzbot+15b96fc3aac35468fe77@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/686764a5.a00a0220.c7b3.0014.GAE@google.com/
+Reported-by: syzbot+4dadc5aecf80324d5a51@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/68679e81.a70a0220.29cf51.0016.GAE@google.com/
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Victor Nogueira <victor@mojatatu.com>
+Link: https://patch.msgid.link/20250707210801.372995-1-victor@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_api.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index fe3808cc6eb82..7c91f29f69c1d 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -328,17 +328,22 @@ struct Qdisc *qdisc_lookup_rcu(struct net_device *dev, u32 handle)
+       return q;
+ }
+ 
+-static struct Qdisc *qdisc_leaf(struct Qdisc *p, u32 classid)
++static struct Qdisc *qdisc_leaf(struct Qdisc *p, u32 classid,
++                              struct netlink_ext_ack *extack)
+ {
+       unsigned long cl;
+       const struct Qdisc_class_ops *cops = p->ops->cl_ops;
+ 
+-      if (cops == NULL)
+-              return NULL;
++      if (cops == NULL) {
++              NL_SET_ERR_MSG(extack, "Parent qdisc is not classful");
++              return ERR_PTR(-EOPNOTSUPP);
++      }
+       cl = cops->find(p, classid);
+ 
+-      if (cl == 0)
+-              return NULL;
++      if (cl == 0) {
++              NL_SET_ERR_MSG(extack, "Specified class not found");
++              return ERR_PTR(-ENOENT);
++      }
+       return cops->leaf(p, cl);
+ }
+ 
+@@ -1452,7 +1457,7 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n,
+                                       NL_SET_ERR_MSG(extack, "Failed to find qdisc with specified classid");
+                                       return -ENOENT;
+                               }
+-                              q = qdisc_leaf(p, clid);
++                              q = qdisc_leaf(p, clid, extack);
+                       } else if (dev_ingress_queue(dev)) {
+                               q = dev_ingress_queue(dev)->qdisc_sleeping;
+                       }
+@@ -1463,6 +1468,8 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n,
+                       NL_SET_ERR_MSG(extack, "Cannot find specified qdisc on specified device");
+                       return -ENOENT;
+               }
++              if (IS_ERR(q))
++                      return PTR_ERR(q);
+ 
+               if (tcm->tcm_handle && q->handle != tcm->tcm_handle) {
+                       NL_SET_ERR_MSG(extack, "Invalid handle");
+@@ -1559,7 +1566,9 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n,
+                                       NL_SET_ERR_MSG(extack, "Failed to find specified qdisc");
+                                       return -ENOENT;
+                               }
+-                              q = qdisc_leaf(p, clid);
++                              q = qdisc_leaf(p, clid, extack);
++                              if (IS_ERR(q))
++                                      return PTR_ERR(q);
+                       } else if (dev_ingress_queue_create(dev)) {
+                               q = dev_ingress_queue(dev)->qdisc_sleeping;
+                       }
+-- 
+2.39.5
+

diff --git a/queue-5.4/netlink-fix-wraparounds-of-sk-sk_rmem_alloc.patch b/queue-5.4/netlink-fix-wraparounds-of-sk-sk_rmem_alloc.patch
new file mode 100644 (file)
index 0000000..2fbac4c
--- /dev/null
+++ b/queue-5.4/netlink-fix-wraparounds-of-sk-sk_rmem_alloc.patch
@@ -0,0 +1,200 @@
+From b8cad071e722b1def54d161bc61100c1b8b5c7b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 05:48:18 +0000
+Subject: netlink: Fix wraparounds of sk->sk_rmem_alloc.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc ]
+
+Netlink has this pattern in some places
+
+  if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)
+       atomic_add(skb->truesize, &sk->sk_rmem_alloc);
+
+, which has the same problem fixed by commit 5a465a0da13e ("udp:
+Fix multiple wraparounds of sk->sk_rmem_alloc.").
+
+For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition
+is always false as the two operands are of int.
+
+Then, a single socket can eat as many skb as possible until OOM
+happens, and we can see multiple wraparounds of sk->sk_rmem_alloc.
+
+Let's fix it by using atomic_add_return() and comparing the two
+variables as unsigned int.
+
+Before:
+  [root@fedora ~]# ss -f netlink
+  Recv-Q      Send-Q Local Address:Port                Peer Address:Port
+  -1668710080 0               rtnl:nl_wraparound/293               *
+
+After:
+  [root@fedora ~]# ss -f netlink
+  Recv-Q     Send-Q Local Address:Port                Peer Address:Port
+  2147483072 0               rtnl:nl_wraparound/290               *
+  ^
+  `--- INT_MAX - 576
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Jason Baron <jbaron@akamai.com>
+Closes: https://lore.kernel.org/netdev/cover.1750285100.git.jbaron@akamai.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250704054824.1580222-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlink/af_netlink.c | 81 ++++++++++++++++++++++++----------------
+ 1 file changed, 49 insertions(+), 32 deletions(-)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 17d86eee8bd8b..4c7af7f5117ae 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -378,7 +378,6 @@ static void netlink_skb_set_owner_r(struct sk_buff *skb, struct sock *sk)
+       WARN_ON(skb->sk != NULL);
+       skb->sk = sk;
+       skb->destructor = netlink_skb_destructor;
+-      atomic_add(skb->truesize, &sk->sk_rmem_alloc);
+       sk_mem_charge(sk, skb->truesize);
+ }
+ 
+@@ -1206,41 +1205,48 @@ static struct sk_buff *netlink_alloc_large_skb(unsigned int size,
+ int netlink_attachskb(struct sock *sk, struct sk_buff *skb,
+                     long *timeo, struct sock *ssk)
+ {
++      DECLARE_WAITQUEUE(wait, current);
+       struct netlink_sock *nlk;
++      unsigned int rmem;
+ 
+       nlk = nlk_sk(sk);
++      rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc);
+ 
+-      if ((atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf ||
+-           test_bit(NETLINK_S_CONGESTED, &nlk->state))) {
+-              DECLARE_WAITQUEUE(wait, current);
+-              if (!*timeo) {
+-                      if (!ssk || netlink_is_kernel(ssk))
+-                              netlink_overrun(sk);
+-                      sock_put(sk);
+-                      kfree_skb(skb);
+-                      return -EAGAIN;
+-              }
+-
+-              __set_current_state(TASK_INTERRUPTIBLE);
+-              add_wait_queue(&nlk->wait, &wait);
++      if ((rmem == skb->truesize || rmem < READ_ONCE(sk->sk_rcvbuf)) &&
++          !test_bit(NETLINK_S_CONGESTED, &nlk->state)) {
++              netlink_skb_set_owner_r(skb, sk);
++              return 0;
++      }
+ 
+-              if ((atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf ||
+-                   test_bit(NETLINK_S_CONGESTED, &nlk->state)) &&
+-                  !sock_flag(sk, SOCK_DEAD))
+-                      *timeo = schedule_timeout(*timeo);
++      atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
+ 
+-              __set_current_state(TASK_RUNNING);
+-              remove_wait_queue(&nlk->wait, &wait);
++      if (!*timeo) {
++              if (!ssk || netlink_is_kernel(ssk))
++                      netlink_overrun(sk);
+               sock_put(sk);
++              kfree_skb(skb);
++              return -EAGAIN;
++      }
+ 
+-              if (signal_pending(current)) {
+-                      kfree_skb(skb);
+-                      return sock_intr_errno(*timeo);
+-              }
+-              return 1;
++      __set_current_state(TASK_INTERRUPTIBLE);
++      add_wait_queue(&nlk->wait, &wait);
++      rmem = atomic_read(&sk->sk_rmem_alloc);
++
++      if (((rmem && rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)) ||
++           test_bit(NETLINK_S_CONGESTED, &nlk->state)) &&
++          !sock_flag(sk, SOCK_DEAD))
++              *timeo = schedule_timeout(*timeo);
++
++      __set_current_state(TASK_RUNNING);
++      remove_wait_queue(&nlk->wait, &wait);
++      sock_put(sk);
++
++      if (signal_pending(current)) {
++              kfree_skb(skb);
++              return sock_intr_errno(*timeo);
+       }
+-      netlink_skb_set_owner_r(skb, sk);
+-      return 0;
++
++      return 1;
+ }
+ 
+ static int __netlink_sendskb(struct sock *sk, struct sk_buff *skb)
+@@ -1300,6 +1306,7 @@ static int netlink_unicast_kernel(struct sock *sk, struct sk_buff *skb,
+       ret = -ECONNREFUSED;
+       if (nlk->netlink_rcv != NULL) {
+               ret = skb->len;
++              atomic_add(skb->truesize, &sk->sk_rmem_alloc);
+               netlink_skb_set_owner_r(skb, sk);
+               NETLINK_CB(skb).sk = ssk;
+               netlink_deliver_tap_kernel(sk, ssk, skb);
+@@ -1378,13 +1385,19 @@ EXPORT_SYMBOL_GPL(netlink_strict_get_check);
+ static int netlink_broadcast_deliver(struct sock *sk, struct sk_buff *skb)
+ {
+       struct netlink_sock *nlk = nlk_sk(sk);
++      unsigned int rmem, rcvbuf;
+ 
+-      if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf &&
++      rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc);
++      rcvbuf = READ_ONCE(sk->sk_rcvbuf);
++
++      if ((rmem != skb->truesize || rmem <= rcvbuf) &&
+           !test_bit(NETLINK_S_CONGESTED, &nlk->state)) {
+               netlink_skb_set_owner_r(skb, sk);
+               __netlink_sendskb(sk, skb);
+-              return atomic_read(&sk->sk_rmem_alloc) > (sk->sk_rcvbuf >> 1);
++              return rmem > (rcvbuf >> 1);
+       }
++
++      atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
+       return -1;
+ }
+ 
+@@ -2177,6 +2190,7 @@ static int netlink_dump(struct sock *sk)
+       struct module *module;
+       int err = -ENOBUFS;
+       int alloc_min_size;
++      unsigned int rmem;
+       int alloc_size;
+ 
+       mutex_lock(nlk->cb_mutex);
+@@ -2185,9 +2199,6 @@ static int netlink_dump(struct sock *sk)
+               goto errout_skb;
+       }
+ 
+-      if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
+-              goto errout_skb;
+-
+       /* NLMSG_GOODSIZE is small to avoid high order allocations being
+        * required, but it makes sense to _attempt_ a 16K bytes allocation
+        * to reduce number of system calls on dump operations, if user
+@@ -2209,6 +2220,12 @@ static int netlink_dump(struct sock *sk)
+       if (!skb)
+               goto errout_skb;
+ 
++      rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc);
++      if (rmem >= READ_ONCE(sk->sk_rcvbuf)) {
++              atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
++              goto errout_skb;
++      }
++
+       /* Trim skb to allocated size. User is expected to provide buffer as
+        * large as max(min_dump_alloc, 16KiB (mac_recvmsg_len capped at
+        * netlink_recvmsg())). dump will pack as many smaller messages as
+-- 
+2.39.5
+

diff --git a/queue-5.4/proc-clear-the-pieces-of-proc_inode-that-proc_evict_.patch b/queue-5.4/proc-clear-the-pieces-of-proc_inode-that-proc_evict_.patch
new file mode 100644 (file)
index 0000000..02652e3
--- /dev/null
+++ b/queue-5.4/proc-clear-the-pieces-of-proc_inode-that-proc_evict_.patch
@@ -0,0 +1,66 @@
+From 7b1eb9aaa158f044eb96efd9a5c4a7a1bfa7c172 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2020 11:17:28 -0600
+Subject: proc: Clear the pieces of proc_inode that proc_evict_inode cares
+ about
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+[ Upstream commit 71448011ea2a1cd36d8f5cbdab0ed716c454d565 ]
+
+This just keeps everything tidier, and allows for using flags like
+SLAB_TYPESAFE_BY_RCU where slabs are not always cleared before reuse.
+I don't see reuse without reinitializing happening with the proc_inode
+but I had a false alarm while reworking flushing of proc dentries and
+indoes when a process dies that caused me to tidy this up.
+
+The code is a little easier to follow and reason about this
+way so I figured the changes might as well be kept.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Stable-dep-of: b969f9614885 ("fix proc_sys_compare() handling of in-lookup dentries")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/proc/inode.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/fs/proc/inode.c b/fs/proc/inode.c
+index 3f0c89001fcff..a6bb1b5c903e6 100644
+--- a/fs/proc/inode.c
++++ b/fs/proc/inode.c
+@@ -33,21 +33,27 @@ static void proc_evict_inode(struct inode *inode)
+ {
+       struct proc_dir_entry *de;
+       struct ctl_table_header *head;
++      struct proc_inode *ei = PROC_I(inode);
+ 
+       truncate_inode_pages_final(&inode->i_data);
+       clear_inode(inode);
+ 
+       /* Stop tracking associated processes */
+-      put_pid(PROC_I(inode)->pid);
++      if (ei->pid) {
++              put_pid(ei->pid);
++              ei->pid = NULL;
++      }
+ 
+       /* Let go of any associated proc directory entry */
+-      de = PDE(inode);
+-      if (de)
++      de = ei->pde;
++      if (de) {
+               pde_put(de);
++              ei->pde = NULL;
++      }
+ 
+-      head = PROC_I(inode)->sysctl;
++      head = ei->sysctl;
+       if (head) {
+-              RCU_INIT_POINTER(PROC_I(inode)->sysctl, NULL);
++              RCU_INIT_POINTER(ei->sysctl, NULL);
+               proc_sys_evict_inode(inode, head);
+       }
+ }
+-- 
+2.39.5
+

diff --git a/queue-5.4/series b/queue-5.4/series
index 09c8dafa3629967b6436fe579cba101760bb2869..eb09099cb47df98e8ca293ada2e5cb6f532e9cf7 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -110,3 +110,12 @@ media-uvcvideo-send-control-events-for-partial-succeeds.patch
 media-uvcvideo-rollback-non-processed-entities-on-error.patch
 staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch
 drm-exynos-exynos7_drm_decon-add-vblank-check-in-irq-handling.patch
 media-uvcvideo-rollback-non-processed-entities-on-error.patch
 staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch
 drm-exynos-exynos7_drm_decon-add-vblank-check-in-irq-handling.patch

+proc-clear-the-pieces-of-proc_inode-that-proc_evict_.patch
+fix-proc_sys_compare-handling-of-in-lookup-dentries.patch
+netlink-fix-wraparounds-of-sk-sk_rmem_alloc.patch
+tipc-fix-use-after-free-in-tipc_conn_close.patch
+atm-clip-fix-potential-null-ptr-deref-in-to_atmarpd.patch
+atm-clip-fix-memory-leak-of-struct-clip_vcc.patch
+atm-clip-fix-infinite-recursive-call-of-clip_push.patch
+atm-clip-fix-null-pointer-dereference-in-vcc_sendmsg.patch
+net-sched-abort-__tc_modify_qdisc-if-parent-class-do.patch

diff --git a/queue-5.4/tipc-fix-use-after-free-in-tipc_conn_close.patch b/queue-5.4/tipc-fix-use-after-free-in-tipc_conn_close.patch
new file mode 100644 (file)
index 0000000..0d77ef7
--- /dev/null
+++ b/queue-5.4/tipc-fix-use-after-free-in-tipc_conn_close.patch
@@ -0,0 +1,123 @@
+From 464d32ca680ad8891948882008f37571f07d94b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 01:43:40 +0000
+Subject: tipc: Fix use-after-free in tipc_conn_close().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 667eeab4999e981c96b447a4df5f20bdf5c26f13 ]
+
+syzbot reported a null-ptr-deref in tipc_conn_close() during netns
+dismantle. [0]
+
+tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls
+tipc_conn_close() for each tipc_conn.
+
+The problem is that tipc_conn_close() is called after releasing the
+IDR lock.
+
+At the same time, there might be tipc_conn_recv_work() running and it
+could call tipc_conn_close() for the same tipc_conn and release its
+last ->kref.
+
+Once we release the IDR lock in tipc_topsrv_stop(), there is no
+guarantee that the tipc_conn is alive.
+
+Let's hold the ref before releasing the lock and put the ref after
+tipc_conn_close() in tipc_topsrv_stop().
+
+[0]:
+BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165
+Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435
+
+CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: netns cleanup_net
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
+ print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
+ kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
+ kasan_report mm/kasan/report.c:412 [inline]
+ __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
+ tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165
+ tipc_topsrv_stop net/tipc/topsrv.c:701 [inline]
+ tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722
+ ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153
+ cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553
+ process_one_work+0x864/0x1570 kernel/workqueue.c:2153
+ worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
+ kthread+0x33f/0x460 kernel/kthread.c:259
+ ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
+
+Allocated by task 23:
+ kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
+ kmalloc include/linux/slab.h:515 [inline]
+ kzalloc include/linux/slab.h:709 [inline]
+ tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192
+ tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470
+ process_one_work+0x864/0x1570 kernel/workqueue.c:2153
+ worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
+ kthread+0x33f/0x460 kernel/kthread.c:259
+ ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
+
+Freed by task 23:
+ __cache_free mm/slab.c:3503 [inline]
+ kfree+0xcc/0x210 mm/slab.c:3822
+ tipc_conn_kref_release net/tipc/topsrv.c:150 [inline]
+ kref_put include/linux/kref.h:70 [inline]
+ conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155
+ process_one_work+0x864/0x1570 kernel/workqueue.c:2153
+ worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
+ kthread+0x33f/0x460 kernel/kthread.c:259
+ ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
+
+The buggy address belongs to the object at ffff888099305a00
+ which belongs to the cache kmalloc-512 of size 512
+The buggy address is located 8 bytes inside of
+ 512-byte region [ffff888099305a00, ffff888099305c00)
+The buggy address belongs to the page:
+page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
+flags: 0xfff00000000100(slab)
+raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940
+raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                      ^
+ ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure")
+Reported-by: syzbot+d333febcf8f4bc5f6110@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=27169a847a70550d17be
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
+Link: https://patch.msgid.link/20250702014350.692213-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/topsrv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
+index 88e8e8d69b60e..820bed3b9cc51 100644
+--- a/net/tipc/topsrv.c
++++ b/net/tipc/topsrv.c
+@@ -699,8 +699,10 @@ static void tipc_topsrv_stop(struct net *net)
+       for (id = 0; srv->idr_in_use; id++) {
+               con = idr_find(&srv->conn_idr, id);
+               if (con) {
++                      conn_get(con);
+                       spin_unlock_bh(&srv->idr_lock);
+                       tipc_conn_close(con);
++                      conn_put(con);
+                       spin_lock_bh(&srv->idr_lock);
+               }
+       }
+-- 
+2.39.5
+