CVE-2026-22983

In the Linux kernel, the following vulnerability has been resolved:

net: do not write to msggetinq in callee

NULL pointer dereference fix.

msggetinq is an input field from caller to callee. Don't set it in the callee, as the caller may not clear it on struct reuse.

This is a kernel-internal variant of msghdr only, and the only user does reinitialize the field. So this is not critical for that reason. But it is more robust to avoid the write, and slightly simpler code. And it fixes a bug, see below.

Callers set msggetinq to request the input queue length to be returned in msginq. This is equivalent to but independent from the SOINQ request to return that same info as a cmsg (tp->recvmsginq). To reduce branching in the hot path the second also sets the msginq. That is WAI.

This is a fix to commit 4d1442979e4a ("afunix: don't post cmsg for SOINQ unless explicitly asked for"), which fixed the inverse.

Also avoid NULL pointer dereference in unixstreamreadgeneric if state->msg is NULL and msg->msggetinq is written. A NULL state->msg can happen when splicing as of commit 2b514574f7e8 ("net: afunix: implement splice for stream af_unix sockets").

Also collapse two branches using a bitwise or.