From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 12 Jan 2026 11:15:31 +0000 (+0100)
Subject: 6.6-stable patches
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d0a8ce2e7db5ecec79451983b501198f232e71ae;p=thirdparty%2Fkernel%2Fstable-queue.git

6.6-stable patches

added patches:
	tls-use-__sk_dst_get-and-dst_dev_rcu-in-get_netdev_for_sock.patch
---

diff --git a/queue-6.6/series b/queue-6.6/series
index 17ac6ceee3..d10c8410f9 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -24,3 +24,4 @@ nfsd-convert-to-new-timestamp-accessors.patch
 nfsd-fix-nfsv3-atomicity-bugs-in-nfsd_setattr.patch
 nfsd-set-security-label-during-create-operations.patch
 nfsd-nfsv4-file-creation-neglects-setting-acl.patch
+tls-use-__sk_dst_get-and-dst_dev_rcu-in-get_netdev_for_sock.patch
diff --git a/queue-6.6/tls-use-__sk_dst_get-and-dst_dev_rcu-in-get_netdev_for_sock.patch b/queue-6.6/tls-use-__sk_dst_get-and-dst_dev_rcu-in-get_netdev_for_sock.patch
new file mode 100644
index 0000000000..53cf8abaee
--- /dev/null
+++ b/queue-6.6/tls-use-__sk_dst_get-and-dst_dev_rcu-in-get_netdev_for_sock.patch
@@ -0,0 +1,62 @@
+From c65f27b9c3be2269918e1cbad6d8884741f835c5 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@google.com>
+Date: Tue, 16 Sep 2025 21:47:23 +0000
+Subject: tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+commit c65f27b9c3be2269918e1cbad6d8884741f835c5 upstream.
+
+get_netdev_for_sock() is called during setsockopt(),
+so not under RCU.
+
+Using sk_dst_get(sk)->dev could trigger UAF.
+
+Let's use __sk_dst_get() and dst_dev_rcu().
+
+Note that the only ->ndo_sk_get_lower_dev() user is
+bond_sk_get_lower_dev(), which uses RCU.
+
+Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://patch.msgid.link/20250916214758.650211-6-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Keerthana: Backport to v6.6.y ]
+Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_device.c |   18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -125,17 +125,19 @@ static void tls_device_queue_ctx_destruc
+ /* We assume that the socket is already connected */
+ static struct net_device *get_netdev_for_sock(struct sock *sk)
+ {
+-	struct dst_entry *dst = sk_dst_get(sk);
+-	struct net_device *netdev = NULL;
++	struct net_device *dev, *lowest_dev = NULL;
++	struct dst_entry *dst;
+ 
+-	if (likely(dst)) {
+-		netdev = netdev_sk_get_lowest_dev(dst->dev, sk);
+-		dev_hold(netdev);
++	rcu_read_lock();
++	dst = __sk_dst_get(sk);
++	dev = dst ? dst_dev_rcu(dst) : NULL;
++	if (likely(dev)) {
++		lowest_dev = netdev_sk_get_lowest_dev(dev, sk);
++		dev_hold(lowest_dev);
+ 	}
++	rcu_read_unlock();
+ 
+-	dst_release(dst);
+-
+-	return netdev;
++	return lowest_dev;
+ }
+ 
+ static void destroy_record(struct tls_record_info *record)