From 145412ada25d33d331fee43df048fc822acbc6eb Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 12 Aug 2025 12:55:25 +0200
Subject: [PATCH] 6.6-stable patches
added patches:
 net-packet-fix-a-race-in-packet_set_ring-and-packet_notifier.patch
 vsock-do-not-allow-binding-to-vmaddr_port_any.patch
---
 ...-packet_set_ring-and-packet_notifier.patch | 64 +++++++++++++++++++
 queue-6.6/series | 2 +
 ...not-allow-binding-to-vmaddr_port_any.patch | 42 ++++++++++++
 3 files changed, 108 insertions(+)
 create mode 100644 queue-6.6/net-packet-fix-a-race-in-packet_set_ring-and-packet_notifier.patch
 create mode 100644 queue-6.6/vsock-do-not-allow-binding-to-vmaddr_port_any.patch
diff --git a/queue-6.6/net-packet-fix-a-race-in-packet_set_ring-and-packet_notifier.patch b/queue-6.6/net-packet-fix-a-race-in-packet_set_ring-and-packet_notifier.patch
new file mode 100644
index 0000000000..2cde7f0bff
--- /dev/null
+++ b/queue-6.6/net-packet-fix-a-race-in-packet_set_ring-and-packet_notifier.patch
@@ -0,0 +1,64 @@
+From 01d3c8417b9c1b884a8a981a3b886da556512f36 Mon Sep 17 00:00:00 2001
+From: Quang Le
+Date: Fri, 1 Aug 2025 13:54:16 -0400
+Subject: net/packet: fix a race in packet_set_ring() and packet_notifier()
+
+From: Quang Le
+
+commit 01d3c8417b9c1b884a8a981a3b886da556512f36 upstream.
+
+When packet_set_ring() releases po->bind_lock, another thread can
+run packet_notifier() and process an NETDEV_UP event.
+
+This race and the fix are both similar to that of commit 15fe076edea7
+("net/packet: fix a race in packet_bind() and packet_notifier()").
+
+There too the packet_notifier NETDEV_UP event managed to run while a
+po->bind_lock critical section had to be temporarily released. And
+the fix was similarly to temporarily set po->num to zero to keep
+the socket unhooked until the lock is retaken.
+
+The po->bind_lock in packet_set_ring and packet_notifier precede the
+introduction of git history.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Quang Le
+Signed-off-by: Willem de Bruijn
+Link: https://patch.msgid.link/20250801175423.2970334-1-willemdebruijn.kernel@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/packet/af_packet.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4566,10 +4566,10 @@ static int packet_set_ring(struct sock *
+ spin_lock(&po->bind_lock);
+ was_running = packet_sock_flag(po, PACKET_SOCK_RUNNING);
+ num = po->num;
+- if (was_running) {
+- WRITE_ONCE(po->num, 0);
++ WRITE_ONCE(po->num, 0);
++ if (was_running)
+ __unregister_prot_hook(sk, false);
+- }
++
+ spin_unlock(&po->bind_lock);
+
+ synchronize_net();
+@@ -4601,10 +4601,10 @@ static int packet_set_ring(struct sock *
+ mutex_unlock(&po->pg_vec_lock);
+
+ spin_lock(&po->bind_lock);
+- if (was_running) {
+- WRITE_ONCE(po->num, num);
++ WRITE_ONCE(po->num, num);
++ if (was_running)
+ register_prot_hook(sk);
+- }
++
+ spin_unlock(&po->bind_lock);
+ if (pg_vec && (po->tp_version > TPACKET_V2)) {
+ /* Because we don't support block-based V3 on tx-ring */
diff --git a/queue-6.6/series b/queue-6.6/series
index 3c6e31f2e3..a60ed43e2b 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -232,3 +232,5 @@ perf-core-don-t-leak-aux-buffer-refcount-on-allocation-failure.patch
 perf-core-exit-early-on-perf_mmap-fail.patch
 perf-core-prevent-vma-split-of-buffer-mappings.patch
 selftests-perf_events-add-a-mmap-correctness-test.patch
+net-packet-fix-a-race-in-packet_set_ring-and-packet_notifier.patch
+vsock-do-not-allow-binding-to-vmaddr_port_any.patch
diff --git a/queue-6.6/vsock-do-not-allow-binding-to-vmaddr_port_any.patch b/queue-6.6/vsock-do-not-allow-binding-to-vmaddr_port_any.patch
new file mode 100644
index 0000000000..a08aecb52d
--- /dev/null
+++ b/queue-6.6/vsock-do-not-allow-binding-to-vmaddr_port_any.patch
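Review bot: The two now-unconditional `WRITE_ONCE(po->num, ...)` stores in packet_set_ring() (net/packet/af_packet.c, inner hunks at 4566 and 4601 of the queued net-packet patch) carry no comment, so the reason a socket that was not running also has po->num zeroed while po->bind_lock is dropped can only be recovered from the commit message. I would add above the first store `/* Keep po->num zero while bind_lock is dropped so a NETDEV_UP in packet_notifier() cannot hook the socket before the ring swap completes. */` and a one-line counterpart at the restore. The use of WRITE_ONCE suggests there are lockless readers of po->num; for the 6.6 tree it is worth confirming that each of them tolerates briefly seeing 0 on a bound but not running socket, which this function did not produce before the change. packet_set_ring() begins and ends outside both hunks, so the error paths between the unlock and the re-lock are not visible here.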
@@ -0,0 +1,42 @@
+From aba0c94f61ec05315fa7815d21aefa4c87f6a9f4 Mon Sep 17 00:00:00 2001
+From: Budimir Markovic
+Date: Thu, 7 Aug 2025 04:18:11 +0000
+Subject: vsock: Do not allow binding to VMADDR_PORT_ANY
+
+From: Budimir Markovic
+
+commit aba0c94f61ec05315fa7815d21aefa4c87f6a9f4 upstream.
+
+It is possible for a vsock to autobind to VMADDR_PORT_ANY. This can
+cause a use-after-free when a connection is made to the bound socket.
+The socket returned by accept() also has port VMADDR_PORT_ANY but is not
+on the list of unbound sockets. Binding it will result in an extra
+refcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep
+the binding until socket destruction).
+
+Modify the check in __vsock_bind_connectible() to also prevent binding
+to VMADDR_PORT_ANY.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Reported-by: Budimir Markovic
+Signed-off-by: Budimir Markovic
+Reviewed-by: Stefano Garzarella
+Link: https://patch.msgid.link/20250807041811.678-1-markovicbudimir@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/af_vsock.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -688,7 +688,8 @@ static int __vsock_bind_connectible(stru
+ unsigned int i;
+
+ for (i = 0; i < MAX_PORT_RETRIES; i++) {
+- if (port <= LAST_RESERVED_PORT)
++ if (port == VMADDR_PORT_ANY ||
++ port <= LAST_RESERVED_PORT)
+ port = LAST_RESERVED_PORT + 1;
+
+ new_addr.svm_port = port++;
--
2.47.3
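Review bot: The added `port == VMADDR_PORT_ANY` test in the retry loop of __vsock_bind_connectible() (net/vmw_vsock/af_vsock.c) has no comment saying that the wildcard value must never be handed out as a real port, so the memory-safety reason given in the commit message is easy to lose in a later cleanup of the condition. I would add `/* VMADDR_PORT_ANY means "not bound"; never assign it as a real port. */` directly above the `if`. Only the auto-assign loop is visible in this hunk and the function continues outside it, so whether any other path in the 6.6 tree can store that value into `svm_port` has to be checked against the full file.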