From: Luigi Leonardi
Date: Mon, 30 Jun 2025 18:33:03 +0200
Subject: [PATCH net-next v5 1/2] vsock/test: Add macros to identify transports
Message-Id: <20250630-test_vsock-v5-1-2492e141e80b@redhat.com>
References: <20250630-test_vsock-v5-0-2492e141e80b@redhat.com>
In-Reply-To: <20250630-test_vsock-v5-0-2492e141e80b@redhat.com>
To: Stefano Garzarella, Michal Luczaj
Cc: virtualization@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Luigi Leonardi

Add three new macros: TRANSPORTS_G2H, TRANSPORTS_H2G and TRANSPORTS_LOCAL.
They can be used to identify the type of the transport(s) loaded when using
the `get_transports()` function.

Suggested-by: Stefano Garzarella
Signed-off-by: Luigi Leonardi
Reviewed-by: Stefano Garzarella
---
 tools/testing/vsock/util.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tools/testing/vsock/util.h b/tools/testing/vsock/util.h index 71895192cc02313bf52784e2f77aa3b0c28a0c94..fdd4649fe2d49f57c93c4aa5dfb= b37b710c65918 100644 --- a/tools/testing/vsock/util.h +++ b/tools/testing/vsock/util.h 
@@ -33,6 +33,10 @@ static const char * const transport_ksyms[] =3D { static_assert(ARRAY_SIZE(transport_ksyms) =3D=3D TRANSPORT_NUM); static_assert(BITS_PER_TYPE(int) >=3D TRANSPORT_NUM); =20 +#define TRANSPORTS_G2H (TRANSPORT_VIRTIO | TRANSPORT_VMCI | TRANSPORT_HY= PERV) +#define TRANSPORTS_H2G (TRANSPORT_VHOST | TRANSPORT_VMCI) +#define TRANSPORTS_LOCAL (TRANSPORT_LOOPBACK) + /* Tests can either run as the client or the server */ enum test_mode { TEST_MODE_UNSET, --=20 2.50.0
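
Review bot: TRANSPORT_VMCI is part of both TRANSPORTS_G2H and TRANSPORTS_H2G in the util.h hunk above, so the two masks overlap and a check such as `tr & TRANSPORTS_G2H` is also true on a system where VMCI is only acting as H2G. A short comment above the three defines saying that VMCI can serve either direction, and that the masks are therefore a best-effort classification, would keep callers from treating them as disjoint. The parentheses around the single value in TRANSPORTS_LOCAL are not needed.
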
From: Luigi Leonardi
Date: Mon, 30 Jun 2025 18:33:04 +0200
Subject: [PATCH net-next v5 2/2] vsock/test: Add test for null ptr deref when transport changes
Message-Id: <20250630-test_vsock-v5-2-2492e141e80b@redhat.com>
References: <20250630-test_vsock-v5-0-2492e141e80b@redhat.com>
In-Reply-To: <20250630-test_vsock-v5-0-2492e141e80b@redhat.com>
To: Stefano Garzarella, Michal Luczaj
Cc: virtualization@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Luigi Leonardi, Hyunwoo Kim

Add a new test to ensure that when the transport changes a null pointer
dereference does not occur. The bug was reported upstream [1] and fixed
with commit 2cb7c756f605 ("vsock/virtio: discard packets if the
transport changes").

KASAN: null-ptr-deref in range [0x0000000000000060-0x0000000000000067]
CPU: 2 UID: 0 PID: 463 Comm: kworker/2:3 Not tainted
Workqueue: vsock-loopback vsock_loopback_work
RIP: 0010:vsock_stream_has_data+0x44/0x70
Call Trace:
 virtio_transport_do_close+0x68/0x1a0
 virtio_transport_recv_pkt+0x1045/0x2ae4
 vsock_loopback_work+0x27d/0x3f0
 process_one_work+0x846/0x1420
 worker_thread+0x5b3/0xf80
 kthread+0x35a/0x700
 ret_from_fork+0x2d/0x70
 ret_from_fork_asm+0x1a/0x30

Note that this test may not fail in a kernel without the fix, but it may
hang on the client side if it triggers a kernel oops.

This works by creating a socket, trying to connect to a server, and then
executing a second connect operation on the same socket but to a
different CID (0). This triggers a transport change. If the connect
operation is interrupted by a signal, this could cause a null-ptr-deref.

Since this bug is non-deterministic, we need to try several times. It
is reasonable to assume that the bug will show up within the timeout
period.

If there is a G2H transport loaded in the system, the bug is not
triggered and this test will always pass. This is because
`vsock_assign_transport`, when using CID 0, like in this case, sets
vsk->transport to `transport_g2h` that is not NULL if a G2H transport is
available.

[1] https://lore.kernel.org/netdev/Z2LvdTTQR7dBmPb5@v4bel-B760M-AORUS-ELITE-AX/

Suggested-by: Hyunwoo Kim
Suggested-by: Michal Luczaj
Signed-off-by: Luigi Leonardi
Reviewed-by: Stefano Garzarella
---
 tools/testing/vsock/Makefile     |   1 +
 tools/testing/vsock/vsock_test.c | 170 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 171 insertions(+)

diff --git a/tools/testing/vsock/Makefile b/tools/testing/vsock/Makefile index 6e0b4e95e230500f99bb9c74350701a037ecd198..88211fd132d23ecdfd56ab08155= 80a237889e7f2 100644 --- a/tools/testing/vsock/Makefile +++ b/tools/testing/vsock/Makefile @@ -5,6 +5,7 @@ vsock_test: vsock_test.o vsock_test_zerocopy.o timeout.o co= ntrol.o util.o msg_ze vsock_diag_test: vsock_diag_test.o timeout.o control.o util.o vsock_perf: vsock_perf.o msg_zerocopy_common.o =20 +vsock_test: LDLIBS =3D -lpthread vsock_uring_test: LDLIBS =3D -luring vsock_uring_test: control.o util.o vsock_uring_test.o timeout.o msg_zeroco= py_common.o =20 diff --git a/tools/testing/vsock/vsock_test.c b/tools/testing/vsock/vsock_t= est.c index eb6f54378667ac7ed324f4823e988ec9846e41a3..be6ce764f69480c0f9c3e2288fc= 19cd2e74be148 100644 --- a/tools/testing/vsock/vsock_test.c +++ b/tools/testing/vsock/vsock_test.c @@ -22,6 +22,8 @@ #include #include #include +#include +#include =20 #include "vsock_test_zerocopy.h" #include "timeout.h" 
@@ -1867,6 +1869,169 @@ static void test_stream_connect_retry_server(const = struct test_opts *opts) close(fd); } =20 +#define TRANSPORT_CHANGE_TIMEOUT 2 /* seconds */ + +static void *test_stream_transport_change_thread(void *vargp) +{ + pid_t *pid =3D (pid_t *)vargp; + int ret; + + ret =3D pthread_setcanceltype(PTHREAD_CANCEL_ASYNCHRONOUS, NULL); + if (ret) { + fprintf(stderr, "pthread_setcanceltype: %d\n", ret); + exit(EXIT_FAILURE); + } + + while (true) { + if (kill(*pid, SIGUSR1) < 0) { + perror("kill"); + exit(EXIT_FAILURE); + } + } + return NULL; +} + +static void test_transport_change_signal_handler(int signal) +{ + /* We need a custom handler for SIGUSR1 as the default one terminates the= process. */ +} + +static void test_stream_transport_change_client(const struct test_opts *op= ts) +{ + __sighandler_t old_handler; + pid_t pid =3D getpid(); + pthread_t thread_id; + time_t tout; + int ret, tr; + + tr =3D get_transports(); + + /* Print a warning if there is a G2H transport loaded. + * This is on a best effort basis because VMCI can be either G2H and H2G,= and there is + * no easy way to understand it. + * The bug we are testing only appears when G2H transports are not loaded. + * This is because `vsock_assign_transport`, when using CID 0, assigns a = G2H transport + * to vsk->transport. If none is available it is set to NULL, causing the= null-ptr-deref. + */ + if (tr & TRANSPORTS_G2H) + fprintf(stderr, "G2H Transport detected. 
This test will not fail.\n"); + + old_handler =3D signal(SIGUSR1, test_transport_change_signal_handler); + if (old_handler =3D=3D SIG_ERR) { + perror("signal"); + exit(EXIT_FAILURE); + } + + ret =3D pthread_create(&thread_id, NULL, test_stream_transport_change_thr= ead, &pid); + if (ret) { + fprintf(stderr, "pthread_create: %d\n", ret); + exit(EXIT_FAILURE); + } + + control_expectln("LISTENING"); + + tout =3D current_nsec() + TRANSPORT_CHANGE_TIMEOUT * NSEC_PER_SEC; + do { + struct sockaddr_vm sa =3D { + .svm_family =3D AF_VSOCK, + .svm_cid =3D opts->peer_cid, + .svm_port =3D opts->peer_port, + }; + int s; + + s =3D socket(AF_VSOCK, SOCK_STREAM, 0); + if (s < 0) { + perror("socket"); + exit(EXIT_FAILURE); + } + + ret =3D connect(s, (struct sockaddr *)&sa, sizeof(sa)); + /* The connect can fail due to signals coming from the thread, + * or because the receiver connection queue is full. + * Ignoring also the latter case because there is no way + * of synchronizing client's connect and server's accept when + * connect(s) are constantly being interrupted by signals. + */ + if (ret =3D=3D -1 && (errno !=3D EINTR && errno !=3D ECONNRESET)) { + perror("connect"); + exit(EXIT_FAILURE); + } + + /* Set CID to 0 cause a transport change. */ + sa.svm_cid =3D 0; + + /* Ignore return value since it can fail or not. + * If the previous connect is interrupted while the + * connection request is already sent, the second + * connect() will wait for the response. 
+ */ + connect(s, (struct sockaddr *)&sa, sizeof(sa)); + + close(s); + + control_writeulong(CONTROL_CONTINUE); + + } while (current_nsec() < tout); + + control_writeulong(CONTROL_DONE); + + ret =3D pthread_cancel(thread_id); + if (ret) { + fprintf(stderr, "pthread_cancel: %d\n", ret); + exit(EXIT_FAILURE); + } + + ret =3D pthread_join(thread_id, NULL); + if (ret) { + fprintf(stderr, "pthread_join: %d\n", ret); + exit(EXIT_FAILURE); + } + + if (signal(SIGUSR1, old_handler) =3D=3D SIG_ERR) { + perror("signal"); + exit(EXIT_FAILURE); + } +} + +static void test_stream_transport_change_server(const struct test_opts *op= ts) +{ + int s =3D vsock_stream_listen(VMADDR_CID_ANY, opts->peer_port); + + /* Set the socket to be nonblocking because connects that have been inter= rupted + * (EINTR) can fill the receiver's accept queue anyway, leading to connec= t failure. + * As of today (6.15) in such situation there is no way to understand, fr= om the + * client side, if the connection has been queued in the server or not. + */ + if (fcntl(s, F_SETFL, fcntl(s, F_GETFL, 0) | O_NONBLOCK) < 0) { + perror("fcntl"); + exit(EXIT_FAILURE); + } + control_writeln("LISTENING"); + + while (control_readulong() =3D=3D CONTROL_CONTINUE) { + /* Must accept the connection, otherwise the `listen` + * queue will fill up and new connections will fail. + * There can be more than one queued connection, + * clear them all. + */ + while (true) { + int client =3D accept(s, NULL, NULL); + + if (client < 0) { + if (errno =3D=3D EAGAIN) + break; + + perror("accept"); + exit(EXIT_FAILURE); + } + + close(client); + } + } + + close(s); +} + static void test_stream_linger_client(const struct test_opts *opts) { int fd; 
@@ -2106,6 +2271,11 @@ static struct test_case test_cases[] =3D { .run_client =3D test_stream_nolinger_client, .run_server =3D test_stream_nolinger_server, }, + { + .name =3D "SOCK_STREAM transport change null-ptr-deref", + .run_client =3D test_stream_transport_change_client, + .run_server =3D test_stream_transport_change_server, + }, {}, }; =20 --=20 2.50.0
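
Review bot: In test_stream_transport_change_client() (the large vsock_test.c hunk), the SIGUSR1 handler is installed with signal(), yet the loop depends on connect() really being interrupted, as the `errno != EINTR && errno != ECONNRESET` check shows. Whether a handler installed through signal() restarts interrupted system calls is left to the C library; glibc's default gives BSD semantics, which include SA_RESTART. Installing the handler with sigaction() and sa_flags set to 0, and restoring the saved struct sigaction at the end, would make the interruption the test relies on explicit, and it would also drop the double-underscore __sighandler_t type, which is not a portable name.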