linux.git/include/linux/atmdev.h, branch v7.2-rc1 Linux kernel source tree atm: remove unused ATM PHY operations 2026-06-16T15:53:53+00:00 Jakub Kicinski kuba@kernel.org 2026-06-15T19:44:15+00:00 e44e224e2f44c9ad3ab422b513d5ee2f0f45e416 The PHY operations are vestiges of the SAR/framer split used by the removed PCI/SBUS ATM adapters: - atmdev_ops::phy_put / ::phy_get (register accessors) are never called by the core and solos-pci only listed them as NULL - struct atmphy_ops and atm_dev::phy have no users at all - nothing assigns or dereferences them Remove all of them. atm_dev::phy_data is kept: solos-pci repurposes it to stash its per-port channel index. Link: https://patch.msgid.link/20260615194416.752559-9-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> 
The PHY operations are vestiges of the SAR/framer split used by the
removed PCI/SBUS ATM adapters:

 - atmdev_ops::phy_put / ::phy_get (register accessors) are never called
   by the core and solos-pci only listed them as NULL
 - struct atmphy_ops and atm_dev::phy have no users at all - nothing
   assigns or dereferences them

Remove all of them. atm_dev::phy_data is kept: solos-pci repurposes it
to stash its per-port channel index.

Link: https://patch.msgid.link/20260615194416.752559-9-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
atm: remove the unused pre_send and send_bh device operations 2026-06-16T15:53:52+00:00 Jakub Kicinski kuba@kernel.org 2026-06-15T19:44:14+00:00 ae6e653514d156f0cc2327fe9e7db731ecb35a76 atmdev_ops::pre_send (a TX pre-processing hook) and ::send_bh (a bottom-half capable send variant) have no implementation behind them: no remaining ATM driver sets either, so vcc_sendmsg() always skipped pre_send and the raw AAL0/AAL5 paths always fell back to ->send(). The drivers that used these hooks were removed with the legacy ATM adapters. Drop both operations and the dead branches that tested for them. Link: https://patch.msgid.link/20260615194416.752559-8-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> 
atmdev_ops::pre_send (a TX pre-processing hook) and ::send_bh (a
bottom-half capable send variant) have no implementation behind them:
no remaining ATM driver sets either, so vcc_sendmsg() always skipped
pre_send and the raw AAL0/AAL5 paths always fell back to ->send().
The drivers that used these hooks were removed with the legacy ATM
adapters.

Drop both operations and the dead branches that tested for them.

Link: https://patch.msgid.link/20260615194416.752559-8-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
atm: remove the unused change_qos device operation 2026-06-16T15:53:52+00:00 Jakub Kicinski kuba@kernel.org 2026-06-15T19:44:13+00:00 6719d57ee047cba211e8684eef46d5486a3295bb atmdev_ops::change_qos() was the hook for renegotiating the traffic parameters of an already-connected VCC, driven from SO_ATMQOS on a connected socket (and previously from the SVC as_modify path, now gone). None of the ATM drivers left in tree implement it - solos-pci only listed change_qos = NULL - so atm_change_qos() always returned -EOPNOTSUPP. Drop the operation and return -EOPNOTSUPP directly. Link: https://patch.msgid.link/20260615194416.752559-7-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> 
atmdev_ops::change_qos() was the hook for renegotiating the traffic
parameters of an already-connected VCC, driven from SO_ATMQOS on a
connected socket (and previously from the SVC as_modify path, now gone).
None of the ATM drivers left in tree implement it - solos-pci only listed
change_qos = NULL - so atm_change_qos() always returned -EOPNOTSUPP.

Drop the operation and return -EOPNOTSUPP directly.

Link: https://patch.msgid.link/20260615194416.752559-7-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
atm: remove SVC socket support and the signaling daemon interface 2026-06-16T15:53:52+00:00 Jakub Kicinski kuba@kernel.org 2026-06-15T19:44:12+00:00 aa582dc25ace8951ad595c71fb93d21ed2ec4624 ATM switched virtual circuits (SVCs) are set up and torn down by a user-space signaling daemon (atmsigd) which the kernel talks to over a dedicated "sigd" socket: the kernel marshals Q.2931-style requests (as_connect, as_listen, as_accept, as_close, ...) to the daemon and applies the results to PF_ATMSVC sockets. This is the machinery behind classical SVC use and was the foundation for LANE / MPOA, all of which have been removed. DSL deployments do not use any of this. PPPoATM and BR2684 run over permanent virtual circuits (PF_ATMPVC) with a statically configured VPI/VCI; no atmsigd, no Q.2931. Neither remaining ATM driver (solos-pci, the USB DSL modems) is reachable through the SVC path. Remove the SVC socket family and the signaling interface: - delete net/atm/svc.c, net/atm/signaling.c and signaling.h - drop atmsvc_init()/atmsvc_exit() and the PF_ATMSVC registration and module alias - drop the ATMSIGD_CTRL ioctl (sigd_attach) and the /proc/net/atm/svc file - fold the SVC branch out of atm_change_qos(); all sockets are PVCs now The obsolete ATM_SETSC ioctl stub is left in place (it already just warns and returns 0), as is the struct atm_vcc SVC bookkeeping shared with the queueing layer. Link: https://patch.msgid.link/20260615194416.752559-6-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> 
ATM switched virtual circuits (SVCs) are set up and torn down by a
user-space signaling daemon (atmsigd) which the kernel talks to over
a dedicated "sigd" socket: the kernel marshals Q.2931-style requests
(as_connect, as_listen, as_accept, as_close, ...) to the daemon and
applies the results to PF_ATMSVC sockets. This is the machinery behind
classical SVC use and was the foundation for LANE / MPOA, all of which
have been removed.

DSL deployments do not use any of this. PPPoATM and BR2684 run over
permanent virtual circuits (PF_ATMPVC) with a statically configured
VPI/VCI; no atmsigd, no Q.2931. Neither remaining ATM driver
(solos-pci, the USB DSL modems) is reachable through the SVC path.

Remove the SVC socket family and the signaling interface:

 - delete net/atm/svc.c, net/atm/signaling.c and signaling.h
 - drop atmsvc_init()/atmsvc_exit() and the PF_ATMSVC registration and
   module alias
 - drop the ATMSIGD_CTRL ioctl (sigd_attach) and the /proc/net/atm/svc
   file
 - fold the SVC branch out of atm_change_qos(); all sockets are PVCs now

The obsolete ATM_SETSC ioctl stub is left in place (it already just
warns and returns 0), as is the struct atm_vcc SVC bookkeeping shared
with the queueing layer.

Link: https://patch.msgid.link/20260615194416.752559-6-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
atm: remove the local ATM (NSAP) address registry 2026-06-16T15:53:52+00:00 Jakub Kicinski kuba@kernel.org 2026-06-15T19:44:11+00:00 a5a12d76d2cb23b3f2150ed3a5d674b0eba6a8b7 net/atm/addr.c maintained the per-device lists of local NSAP addresses (dev->local) and ILMI-learned LECS addresses (dev->lecs). These exist solely to serve SVC signaling: the lists are populated through the ATM_{ADD,DEL,RST}ADDR / ATM_{ADD,DEL,GET}LECSADDR ioctls used by the atmsigd / ILMI daemons, and consumed when registering addresses with the signaling daemon. The LECS list belonged to LAN Emulation, which has been removed. With no SVC users in a DSL-only configuration these lists are always empty, so drop the registry entirely: - remove the ADDR/LECSADDR/RSTADDR ioctls - drop the now-always-empty "atmaddress" sysfs attribute - remove the dev->local / dev->lecs lists, structs and enums - delete net/atm/addr.c and net/atm/addr.h The device ESI ("MAC" address) and its ATM_{G,S}ETESI ioctls and "address" sysfs attribute are retained - the USB DSL modems populate the ESI. Link: https://patch.msgid.link/20260615194416.752559-5-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> 
net/atm/addr.c maintained the per-device lists of local NSAP addresses
(dev->local) and ILMI-learned LECS addresses (dev->lecs). These exist
solely to serve SVC signaling: the lists are populated through the
ATM_{ADD,DEL,RST}ADDR / ATM_{ADD,DEL,GET}LECSADDR ioctls used by the
atmsigd / ILMI daemons, and consumed when registering addresses with the
signaling daemon. The LECS list belonged to LAN Emulation, which has
been removed.

With no SVC users in a DSL-only configuration these lists are always
empty, so drop the registry entirely:

 - remove the ADDR/LECSADDR/RSTADDR ioctls
 - drop the now-always-empty "atmaddress" sysfs attribute
 - remove the dev->local / dev->lecs lists, structs and enums
 - delete net/atm/addr.c and net/atm/addr.h

The device ESI ("MAC" address) and its ATM_{G,S}ETESI ioctls and
"address" sysfs attribute are retained - the USB DSL modems populate
the ESI.

Link: https://patch.msgid.link/20260615194416.752559-5-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
atm: remove the unused send_oam / push_oam callbacks 2026-06-16T15:53:52+00:00 Jakub Kicinski kuba@kernel.org 2026-06-15T19:44:09+00:00 b20aa9eded107bc78b7e54e64ccf79fbaeda9ecd The atmdev_ops::send_oam device operation and the atm_vcc::push_oam callback were the kernel's interface for raw F4/F5 OAM cell exchange. Nothing assigns them a non-NULL value and nothing ever invokes them: the core only ever initialises push_oam to NULL (in vcc_create() and the AAL init helpers) and the Solos driver only lists send_oam = NULL for documentation. The drivers that actually drove OAM through these hooks were removed along with the legacy ATM adapters. Drop both callbacks and the NULL initialisers. Link: https://patch.msgid.link/20260615194416.752559-3-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> 
The atmdev_ops::send_oam device operation and the atm_vcc::push_oam
callback were the kernel's interface for raw F4/F5 OAM cell exchange.
Nothing assigns them a non-NULL value and nothing ever invokes them:
the core only ever initialises push_oam to NULL (in vcc_create() and the
AAL init helpers) and the Solos driver only lists send_oam = NULL for
documentation. The drivers that actually drove OAM through these hooks
were removed along with the legacy ATM adapters.

Drop both callbacks and the NULL initialisers.

Link: https://patch.msgid.link/20260615194416.752559-3-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
atm: atmdev: add function parameter names and description 2026-03-03T02:55:21+00:00 Randy Dunlap rdunlap@infradead.org 2026-02-28T22:08:45+00:00 c69855ada28656fdd7e197b6e24cd40a04fe14d3 kernel-doc reports function parameters not described for parameters that are not named. Add parameter names for these functions and then describe the function parameters in kernel-doc format. Fixes these warnings: Warning: include/linux/atmdev.h:316 function parameter '' not described in 'register_atm_ioctl' Warning: include/linux/atmdev.h:321 function parameter '' not described in 'deregister_atm_ioctl' Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Link: https://patch.msgid.link/20260228220845.2978547-1-rdunlap@infradead.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> 
kernel-doc reports function parameters not described for parameters
that are not named. Add parameter names for these functions and then
describe the function parameters in kernel-doc format.

Fixes these warnings:
Warning: include/linux/atmdev.h:316 function parameter '' not described
 in 'register_atm_ioctl'
Warning: include/linux/atmdev.h:321 function parameter '' not described
 in 'deregister_atm_ioctl'

Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Link: https://patch.msgid.link/20260228220845.2978547-1-rdunlap@infradead.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control(). 2025-08-23T00:23:15+00:00 Kuniyuki Iwashima kuniyu@google.com 2025-08-21T02:18:24+00:00 ec79003c5f9d2c7f9576fc69b8dbda80305cbe3a syzbot reported the splat below. [0] When atmtcp_v_open() or atmtcp_v_close() is called via connect() or close(), atmtcp_send_control() is called to send an in-kernel special message. The message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length. Also, a pointer of struct atm_vcc is set to atmtcp_control.vcc. The notable thing is struct atmtcp_control is uAPI but has a space for an in-kernel pointer. struct atmtcp_control { struct atmtcp_hdr hdr; /* must be first */ ... atm_kptr_t vcc; /* both directions */ ... } __ATM_API_ALIGN; typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t; The special message is processed in atmtcp_recv_control() called from atmtcp_c_send(). atmtcp_c_send() is vcc->dev->ops->send() and called from 2 paths: 1. .ndo_start_xmit() (vcc->send() == atm_send_aal0()) 2. vcc_sendmsg() The problem is sendmsg() does not validate the message length and userspace can abuse atmtcp_recv_control() to overwrite any kptr by atmtcp_control. Let's add a new ->pre_send() hook to validate messages from sendmsg(). [0]: Oops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN PTI KASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f] CPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline] RIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297 Code: 4d 8d 75 1a 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 15 06 00 00 41 0f b7 1e 4d 8d b7 60 05 00 00 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 13 06 00 00 66 41 89 1e 4d 8d 75 1c 4c RSP: 0018:ffffc90003f5f810 EFLAGS: 00010203 RAX: 00000000200000ab RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff88802a510000 RSI: 00000000ffffffff RDI: ffff888030a6068c RBP: ffff88802699fb40 R08: ffff888030a606eb R09: 1ffff1100614c0dd R10: dffffc0000000000 R11: ffffffff8718fc40 R12: dffffc0000000000 R13: ffff888030a60680 R14: 000000010000055f R15: 00000000ffffffff FS: 00007f8d7e9236c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000045ad50 CR3: 0000000075bde000 CR4: 00000000003526f0 Call Trace: <TASK> vcc_sendmsg+0xa10/0xc60 net/atm/common.c:645 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:729 ____sys_sendmsg+0x505/0x830 net/socket.c:2614 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668 __sys_sendmsg net/socket.c:2700 [inline] __do_sys_sendmsg net/socket.c:2705 [inline] __se_sys_sendmsg net/socket.c:2703 [inline] __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f8d7e96a4a9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f8d7e923198 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f8d7e9f4308 RCX: 00007f8d7e96a4a9 RDX: 0000000000000000 RSI: 0000200000000240 RDI: 0000000000000005 RBP: 00007f8d7e9f4300 R08: 65732f636f72702f R09: 65732f636f72702f R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f8d7e9c10ac R13: 00007f8d7e9231a0 R14: 0000200000000200 R15: 0000200000000250 </TASK> Modules linked in: Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot+1741b56d54536f4ec349@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/68a6767c.050a0220.3d78fd.0011.GAE@google.com/ Tested-by: syzbot+1741b56d54536f4ec349@syzkaller.appspotmail.com Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20250821021901.2814721-1-kuniyu@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 
syzbot reported the splat below. [0]

When atmtcp_v_open() or atmtcp_v_close() is called via connect()
or close(), atmtcp_send_control() is called to send an in-kernel
special message.

The message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length.
Also, a pointer of struct atm_vcc is set to atmtcp_control.vcc.

The notable thing is struct atmtcp_control is uAPI but has a
space for an in-kernel pointer.

  struct atmtcp_control {
  	struct atmtcp_hdr hdr;	/* must be first */
  ...
  	atm_kptr_t vcc;		/* both directions */
  ...
  } __ATM_API_ALIGN;

  typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t;

The special message is processed in atmtcp_recv_control() called
from atmtcp_c_send().

atmtcp_c_send() is vcc->dev->ops->send() and called from 2 paths:

  1. .ndo_start_xmit() (vcc->send() == atm_send_aal0())
  2. vcc_sendmsg()

The problem is sendmsg() does not validate the message length and
userspace can abuse atmtcp_recv_control() to overwrite any kptr
by atmtcp_control.

Let's add a new ->pre_send() hook to validate messages from sendmsg().

[0]:
Oops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f]
CPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline]
RIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297
Code: 4d 8d 75 1a 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 15 06 00 00 41 0f b7 1e 4d 8d b7 60 05 00 00 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 13 06 00 00 66 41 89 1e 4d 8d 75 1c 4c
RSP: 0018:ffffc90003f5f810 EFLAGS: 00010203
RAX: 00000000200000ab RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88802a510000 RSI: 00000000ffffffff RDI: ffff888030a6068c
RBP: ffff88802699fb40 R08: ffff888030a606eb R09: 1ffff1100614c0dd
R10: dffffc0000000000 R11: ffffffff8718fc40 R12: dffffc0000000000
R13: ffff888030a60680 R14: 000000010000055f R15: 00000000ffffffff
FS:  00007f8d7e9236c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000045ad50 CR3: 0000000075bde000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 vcc_sendmsg+0xa10/0xc60 net/atm/common.c:645
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x219/0x270 net/socket.c:729
 ____sys_sendmsg+0x505/0x830 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8d7e96a4a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8d7e923198 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f8d7e9f4308 RCX: 00007f8d7e96a4a9
RDX: 0000000000000000 RSI: 0000200000000240 RDI: 0000000000000005
RBP: 00007f8d7e9f4300 R08: 65732f636f72702f R09: 65732f636f72702f
R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f8d7e9c10ac
R13: 00007f8d7e9231a0 R14: 0000200000000200 R15: 0000200000000250
 </TASK>
Modules linked in:

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+1741b56d54536f4ec349@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/68a6767c.050a0220.3d78fd.0011.GAE@google.com/
Tested-by: syzbot+1741b56d54536f4ec349@syzkaller.appspotmail.com
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250821021901.2814721-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
atm: Revert atm_account_tx() if copy_from_iter_full() fails. 2025-06-18T01:42:44+00:00 Kuniyuki Iwashima kuniyu@google.com 2025-06-16T18:21:15+00:00 7851263998d4269125fd6cb3fdbfc7c6db853859 In vcc_sendmsg(), we account skb->truesize to sk->sk_wmem_alloc by atm_account_tx(). It is expected to be reverted by atm_pop_raw() later called by vcc->dev->ops->send(vcc, skb). However, vcc_sendmsg() misses the same revert when copy_from_iter_full() fails, and then we will leak a socket. Let's factorise the revert part as atm_return_tx() and call it in the failure path. Note that the corresponding sk_wmem_alloc operation can be found in alloc_tx() as of the blamed commit. $ git blame -L:alloc_tx net/atm/common.c c55fa3cccbc2c~ Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Simon Horman <horms@kernel.org> Closes: https://lore.kernel.org/netdev/20250614161959.GR414686@horms.kernel.org/ Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20250616182147.963333-3-kuni1840@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 
In vcc_sendmsg(), we account skb->truesize to sk->sk_wmem_alloc by
atm_account_tx().

It is expected to be reverted by atm_pop_raw() later called by
vcc->dev->ops->send(vcc, skb).

However, vcc_sendmsg() misses the same revert when copy_from_iter_full()
fails, and then we will leak a socket.

Let's factorise the revert part as atm_return_tx() and call it in
the failure path.

Note that the corresponding sk_wmem_alloc operation can be found in
alloc_tx() as of the blamed commit.

  $ git blame -L:alloc_tx net/atm/common.c c55fa3cccbc2c~

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Simon Horman <horms@kernel.org>
Closes: https://lore.kernel.org/netdev/20250614161959.GR414686@horms.kernel.org/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250616182147.963333-3-kuni1840@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
atm: fix a typo in the struct description 2021-03-08T23:16:30+00:00 Tong Zhang ztong0001@gmail.com 2021-03-08T03:25:28+00:00 1019d7923d9d4cc878a1a85d4fc2d6619cfe1a6a phy_data means private PHY data not date Signed-off-by: Tong Zhang <ztong0001@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
phy_data means private PHY data not date

Signed-off-by: Tong Zhang <ztong0001@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>