)]}' { "log": [ { "commit": "fcee7d82f27d6a8b1ddc5bbefda59b4e441e9bc0", "tree": "fc6254372916832b89cb60f94464d41a48b2f045", "parents": [ "19cbc75c56c0ed4fa3f637e3c41a98895a68dfae", "41ae14071cd7f6a7770e2fe1f8a0859d4c2c6ba4" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 07 10:32:03 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 07 10:32:03 2026 -0700" }, "message": "Merge tag \u0027net-7.1-rc3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net\n\nPull networking fixes from Jakub Kicinski:\n \"Including fixes from Netfilter, IPsec, Bluetooth and WiFi.\n\n Current release - fix to a fix:\n\n - ipmr: add __rcu to netns_ipv4.mrt, make sure we hold the RCU lock\n in all relevant places\n\n Current release - new code bugs:\n\n - fixes for the recently added resizable hash tables\n\n - ipv6: make sure we default IPv6 tunnel drivers to \u003dm now that IPv6\n itself is built in\n\n - drv: octeontx2-af: fixes for parser/CAM fixes\n\n Previous releases - regressions:\n\n - phy: micrel: fix LAN8814 QSGMII soft reset\n\n - wifi:\n - cw1200: revert \"Fix locking in error paths\"\n - ath12k: fix crash on WCN7850, due to adding the same queue\n buffer to a list multiple times\n\n Previous releases - always broken:\n\n - number of info leak fixes\n\n - ipv6: implement limits on extension header parsing\n\n - wifi: number of fixes for missing bound checks in the drivers\n\n - Bluetooth: fixes for races and locking issues\n\n - af_unix:\n - fix an issue between garbage collection and PEEK\n - fix yet another issue with OOB data\n\n - xfrm: esp: avoid in-place decrypt on shared skb frags\n\n - netfilter: replace skb_try_make_writable() by skb_ensure_writable()\n\n - openvswitch: vport: fix race between tunnel creation and linking\n leading to invalid memory accesses (type confusion)\n\n - drv: amd-xgbe: fix PTP addend overflow causing frozen clock\n\n Misc:\n\n - sched/isolation: make HK_TYPE_KTHREAD an alias of HK_TYPE_DOMAIN\n (for relevant IPVS change)\"\n\n* tag \u0027net-7.1-rc3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (190 commits)\n net: sparx5: configure serdes for 1000BASE-X in sparx5_port_init()\n net: sparx5: fix wrong chip ids for TSN SKUs\n net: stmmac: dwmac-nuvoton: fix NULL pointer dereference in nvt_set_phy_intf_sel()\n tcp: Fix dst leak in tcp_v6_connect().\n ipmr: Call ipmr_fib_lookup() under RCU.\n net: phy: broadcom: Save PHY counters during suspend\n net/smc: fix missing sk_err when TCP handshake fails\n af_unix: Reject SIOCATMARK on non-stream sockets\n veth: fix OOB txq access in veth_poll() with asymmetric queue counts\n eth: fbnic: fix double-free of PCS on phylink creation failure\n net: ethernet: cortina: Drop half-assembled SKB\n selftests: mptcp: pm: restrict \u0027unknown\u0027 check to pm_nl_ctl\n selftests: mptcp: check output: catch cmd errors\n mptcp: pm: prio: skip closed subflows\n mptcp: pm: ADD_ADDR rtx: return early if no retrans\n mptcp: pm: ADD_ADDR rtx: skip inactive subflows\n mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker\n mptcp: pm: ADD_ADDR rtx: free sk if last\n mptcp: pm: ADD_ADDR rtx: always decrease sk refcount\n mptcp: pm: ADD_ADDR rtx: fix potential data-race\n ...\n" }, { "commit": "41ae14071cd7f6a7770e2fe1f8a0859d4c2c6ba4", "tree": "baf3da55b33fee0456b680154bd3a952c6d450f3", "parents": [ "b131dc93f7bf1b1461f5bde0c06c4c2384aa5b58" ], "author": { "name": "Daniel Machon", "email": "daniel.machon@microchip.com", "time": "Wed May 06 09:25:39 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu May 07 09:08:47 2026 -0700" }, "message": "net: sparx5: configure serdes for 1000BASE-X in sparx5_port_init()\n\nsparx5_port_init() only invokes sparx5_serdes_set() and the associated\nshadow-device enable and low-speed device switch for SGMII and QSGMII.\nOn any port with a high-speed primary device (DEV5G/DEV10G/DEV25G)\nconfigured for 1000BASE-X the serdes is therefore left uninitialized,\nthe DEV2G5 shadow is never enabled, and the port stays pointed at its\nhigh-speed device rather than the DEV2G5. The PCS1G block looks\nhealthy in isolation, but no frames reach the link partner.\n\nAdd 1000BASE-X to the check so the same three steps run.\n\nNote: the same issue might apply to 2500BASE-X, but that will,\neventually, be addressed in a separate commit.\n\nReported-by: Andrew Lunn \u003candrew@lunn.ch\u003e\nFixes: 946e7fd5053a (\"net: sparx5: add port module support\")\nSigned-off-by: Daniel Machon \u003cdaniel.machon@microchip.com\u003e\nLink: https://patch.msgid.link/20260506-misc-fixes-sparx5-lan969x-v2-4-fb236aa96908@microchip.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "b131dc93f7bf1b1461f5bde0c06c4c2384aa5b58", "tree": "64c5ef73c89dbb589355cd1cdcba3e6a4e9cc40e", "parents": [ "dedf6c90386d99b878763c183a08b61d3ce4824e" ], "author": { "name": "Daniel Machon", "email": "daniel.machon@microchip.com", "time": "Wed May 06 09:25:38 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu May 07 09:08:46 2026 -0700" }, "message": "net: sparx5: fix wrong chip ids for TSN SKUs\n\nThe TSN SKUs in enum spx5_target_chiptype have incorrect IDs:\n\n SPX5_TARGET_CT_7546TSN \u003d 0x47546,\n SPX5_TARGET_CT_7549TSN \u003d 0x47549,\n SPX5_TARGET_CT_7552TSN \u003d 0x47552,\n SPX5_TARGET_CT_7556TSN \u003d 0x47556,\n SPX5_TARGET_CT_7558TSN \u003d 0x47558,\n\nThe value read back from the chip is GCB_CHIP_ID_PART_ID, which is a\nGENMASK(27, 12) field, i.e. at most 16 bits wide. It can never match\nthese IDs, so probing a TSN part fails with a \"Target not supported\"\nerror.\n\nFix the enum to use the actual 16-bit part IDs returned by the\nhardware: 0x0546, 0x0549, 0x0552, 0x0556 and 0x0558.\n\nReported-by: Andrew Lunn \u003candrew@lunn.ch\u003e\nFixes: 3cfa11bac9bb (\"net: sparx5: add the basic sparx5 driver\")\nSigned-off-by: Daniel Machon \u003cdaniel.machon@microchip.com\u003e\nLink: https://patch.msgid.link/20260506-misc-fixes-sparx5-lan969x-v2-3-fb236aa96908@microchip.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "19cbc75c56c0ed4fa3f637e3c41a98895a68dfae", "tree": "5dbb8e9287d0494e4fb67bbd636fc259a91c1dfa", "parents": [ "1e38f888f9f070591e54c690e78f2ff8affa8881", "06bc7ff0a1e0f2b0102e1314e3527a7ec0997851" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 07 08:55:15 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 07 08:55:15 2026 -0700" }, "message": "Merge tag \u0027sound-7.1-rc3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound\n\nPull sound fixes from Takashi Iwai:\n \"Again a collection of small fixes, mostly for device-specific ones.\n\n The only big LOC is about the removal of pretty old dead code in\n ab8500 codec driver, while the rest all nice small changes.\n\n Core / API:\n - Fix race in deferred fasync state checks\n - Fix UMP group filtering in sequencer\n\n ASoC:\n - cs35l56: fixes for driver cleanup and error paths\n - tas2764/2770: workaround for bogus temperature readings\n - wm_adsp: fixes for firmware unit tests\n - amd-yc: more DMI quirks for laptops\n - Minor fixes for fsl_xcvr and spacemit\n\n HD-Audio:\n - Mute LED and speaker quirks for HP, Lenovo, and Xiaomi laptops\n\n USB-audio:\n - New device-specific quirks (Motu, JBL, AlphaTheta, Razer)\n - Fix of MIDI2 playback on resume\n\n Others:\n - Firewire-tascam control event fix\n - Minor cleanups and fixes for sparc/dbri and pcmtest\"\n\n* tag \u0027sound-7.1-rc3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (28 commits)\n ASoC: cs35l56: Destroy workqueue in probe error path\n ASoC: cs35l56: Don\u0027t use devres to unregister component\n ALSA: sparc/dbri: add missing fallthrough\n ALSA: core: Serialize deferred fasync state checks\n ALSA: hda/realtek: Add mute LED fixup for HP Pavilion 15-cs1xxx\n ALSA: seq: Fix UMP group 16 filtering\n ASoC: wm_adsp_fw_find_test: Clear searched_fw_files in find-by-index test\n ASoC: wm_adsp_fw_find_test: Redirect wm_adsp_release_firmware_files()\n ASoC: tas2770: Deal with bogus initial temperature value\n ASoC: tas2764: Deal with bogus initial temperature register value\n ALSA: usb-audio: add clock quirk for Motu 1248\n ALSA: usb-audio: midi2: Restart output URBs on resume\n ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP Envy X360 15-fh0xxx\n ALSA: usb-audio: Add quirk flags for JBL Pebbles\n ALSA: firewire-tascam: Do not drop unread control events\n ALSA: usb-audio: Add quirk flags for AlphaTheta EUPHONIA\n ASoC: fsl_xcvr: Fix event generation for cached controls\n ASoC: sdw_utils: avoid the SDCA companion function not supported failure\n ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table\n ASoC: cs35l56: Fix out-of-bounds in dev_err() in cs35l56_read_onchip_spkid()\n ...\n" }, { "commit": "1e38f888f9f070591e54c690e78f2ff8affa8881", "tree": "4245c06c44aa6772b5d10008607d7c4177d35064", "parents": [ "b3737eac0a0f70b2a6b6a872213f0f235624e487", "863810d4985ad214f70c1623f24384ccc850f2a2" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 07 08:46:27 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 07 08:46:27 2026 -0700" }, "message": "Merge tag \u0027platform-drivers-x86-v7.1-2\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86\n\nPull x86 platform driver fixes from Ilpo Järvinen:\n\n - Silence unknown board warning for 8D41 (hp-wmi)\n\n - Fix uninitialized variable in fan RPM handling (lenovo/wmi-other)\n\n - Check min_size also when ACPI does not return an out object (wmi)\n\n* tag \u0027platform-drivers-x86-v7.1-2\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:\n platform/x86: lenovo: wmi-other: Fix uninitialized variable in lwmi_om_hwmon_write()\n platform/x86: hp-wmi: silence unknown board warning for 8D41\n platform/wmi: Fix unchecked min_size in wmidev_invoke_method()\n" }, { "commit": "b3737eac0a0f70b2a6b6a872213f0f235624e487", "tree": "95b2e7c3b82566b33cd3bfab80ec9dcc5470a977", "parents": [ "8ab992f815d6736b5c7a6f5fd7bfe7bc106bb3dc", "ec1fcddb3117d9452210e838fd37389ee61e10e8" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 07 08:43:25 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 07 08:43:25 2026 -0700" }, "message": "Merge tag \u0027pmdomain-v7.1-rc1\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm\n\nPull pmdomain fixes from Ulf Hansson:\n\n - Fix detach procedure for virtual devices in genpd\n\n - mediatek: Fix use-after-free in scpsys_get_bus_protection_legacy()\n\n* tag \u0027pmdomain-v7.1-rc1\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm:\n pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy()\n pmdomain: core: Fix detach procedure for virtual devices in genpd\n" }, { "commit": "dedf6c90386d99b878763c183a08b61d3ce4824e", "tree": "e8b26e8dc2337596a4b3d4d6b06890bda83cba06", "parents": [ "ecddc523cfdb85b3e132f13e293224ebfdfab564" ], "author": { "name": "Joey Lu", "email": "a0987203069@gmail.com", "time": "Wed May 06 16:46:13 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu May 07 08:41:30 2026 -0700" }, "message": "net: stmmac: dwmac-nuvoton: fix NULL pointer dereference in nvt_set_phy_intf_sel()\n\npriv-\u003edev was never initialized after devm_kzalloc() allocates the\nprivate data structure. When nvt_set_phy_intf_sel() is later invoked\nvia the phylink interface_select callback, it calls\nnvt_gmac_get_delay(priv-\u003edev, ...) which dereferences the NULL pointer.\n\nFix this by assigning priv-\u003edev \u003d dev immediately after allocation.\n\nFixes: 4d7c557f58ef (\"net: stmmac: dwmac-nuvoton: Add dwmac glue for Nuvoton MA35 family\")\nSigned-off-by: Joey Lu \u003ca0987203069@gmail.com\u003e\nLink: https://patch.msgid.link/20260506084614.192894-2-a0987203069@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "ecddc523cfdb85b3e132f13e293224ebfdfab564", "tree": "c53ebfe64284fc4e9e5249f6a82c38ed76005901", "parents": [ "019c892e46544af0ae94ec833f79aa903c837666" ], "author": { "name": "Kuniyuki Iwashima", "email": "kuniyu@google.com", "time": "Wed May 06 07:04:42 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu May 07 08:39:15 2026 -0700" }, "message": "tcp: Fix dst leak in tcp_v6_connect().\n\nIf a socket is bound to a wildcard address, tcp_v[46]_connect()\nupdates it with a non-wildcard address based on the route lookup.\n\nAfter bhash2 was introduced in the cited commit, we must call\ninet_bhash2_update_saddr() to update the bhash2 entry as well.\n\nIf inet_bhash2_update_saddr() fails, we must release the refcount\nfor dst by ip_route_connect() or ip6_dst_lookup_flow().\n\nWhile tcp_v4_connect() calls ip_rt_put() in the error path,\ntcp_v6_connect() does not call dst_release().\n\nLet\u0027s call dst_release() when inet_bhash2_update_saddr() fails\nin tcp_v6_connect().\n\nFixes: 28044fc1d495 (\"net: Add a bhash2 table hashed by port and address\")\nReported-by: Damiano Melotti \u003cmelotti@google.com\u003e\nSigned-off-by: Kuniyuki Iwashima \u003ckuniyu@google.com\u003e\nReviewed-by: Eric Dumazet \u003cedumazet@google.com\u003e\nLink: https://patch.msgid.link/20260506070443.1699879-1-kuniyu@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "019c892e46544af0ae94ec833f79aa903c837666", "tree": "5c997721e6c4594f0614677e21225fb3e11c9f35", "parents": [ "32cd651d14fc72a93703ea2384cb5cd8998523a8" ], "author": { "name": "Kuniyuki Iwashima", "email": "kuniyu@google.com", "time": "Wed May 06 06:59:53 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu May 07 08:38:37 2026 -0700" }, "message": "ipmr: Call ipmr_fib_lookup() under RCU.\n\nYi Lai reported RCU splat in reg_vif_xmit() below. [0]\n\nWhen CONFIG_IP_MROUTE_MULTIPLE_TABLES\u003dn, ipmr_fib_lookup()\nuses rcu_dereference() without explicit rcu_read_lock().\n\nAlthough rcu_read_lock_bh() is already held by the caller\n__dev_queue_xmit(), lockdep requires explicit rcu_read_lock()\nfor rcu_dereference().\n\nLet\u0027s move up rcu_read_lock() in reg_vif_xmit() to\ncover ipmr_fib_lookup().\n\n[0]:\nWARNING: suspicious RCU usage\n7.1.0-rc2-next-20260504-9d0d467c3572 #1 Not tainted\n -----------------------------\nnet/ipv4/ipmr.c:329 suspicious rcu_dereference_check() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active \u003d 2, debug_locks \u003d 1\n2 locks held by syz.2.17/1779:\n #0: ffffffff87896440 (rcu_read_lock_bh){....}-{1:3}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]\n #0: ffffffff87896440 (rcu_read_lock_bh){....}-{1:3}, at: rcu_read_lock_bh include/linux/rcupdate.h:891 [inline]\n #0: ffffffff87896440 (rcu_read_lock_bh){....}-{1:3}, at: __dev_queue_xmit+0x239/0x4140 net/core/dev.c:4792\n #1: ffff88801a199d18 (_xmit_PIMREG#2){+...}-{3:3}, at: spin_lock include/linux/spinlock.h:342 [inline]\n #1: ffff88801a199d18 (_xmit_PIMREG#2){+...}-{3:3}, at: __netif_tx_lock include/linux/netdevice.h:4795 [inline]\n #1: ffff88801a199d18 (_xmit_PIMREG#2){+...}-{3:3}, at: __dev_queue_xmit+0x1d5d/0x4140 net/core/dev.c:4865\n\nstack backtrace:\nCPU: 1 UID: 0 PID: 1779 Comm: syz.2.17 Not tainted 7.1.0-rc2-next-20260504-9d0d467c3572 #1 PREEMPT(lazy)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x121/0x150 lib/dump_stack.c:120\n dump_stack+0x19/0x20 lib/dump_stack.c:129\n lockdep_rcu_suspicious+0x15b/0x1f0 kernel/locking/lockdep.c:6878\n ipmr_fib_lookup net/ipv4/ipmr.c:329 [inline]\n reg_vif_xmit+0x2ee/0x3c0 net/ipv4/ipmr.c:540\n __netdev_start_xmit include/linux/netdevice.h:5382 [inline]\n netdev_start_xmit include/linux/netdevice.h:5391 [inline]\n xmit_one net/core/dev.c:3889 [inline]\n dev_hard_start_xmit+0x170/0x700 net/core/dev.c:3905\n __dev_queue_xmit+0x1df1/0x4140 net/core/dev.c:4871\n dev_queue_xmit include/linux/netdevice.h:3423 [inline]\n packet_xmit+0x252/0x370 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3082 [inline]\n packet_sendmsg+0x39ad/0x5650 net/packet/af_packet.c:3114\n sock_sendmsg_nosec net/socket.c:797 [inline]\n __sock_sendmsg net/socket.c:812 [inline]\n ____sys_sendmsg+0xa21/0xba0 net/socket.c:2716\n ___sys_sendmsg+0x121/0x1c0 net/socket.c:2770\n __sys_sendmsg+0x177/0x220 net/socket.c:2802\n __do_sys_sendmsg net/socket.c:2807 [inline]\n __se_sys_sendmsg net/socket.c:2805 [inline]\n __x64_sys_sendmsg+0x80/0xc0 net/socket.c:2805\n x64_sys_call+0x1d9c/0x21c0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xc1/0x1020 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f37e563ee5d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d 93 af 1b 00 f7 d8 64 89 01 48\nRSP: 002b:00007ffe5caa7fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00000000005c5fa0 RCX: 00007f37e563ee5d\nRDX: 0000000000000000 RSI: 00002000000012c0 RDI: 0000000000000004\nRBP: 00000000005c5fa0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00000000005c5fac R15: 00000000005c5fa0\n \u003c/TASK\u003e\n\nFixes: b3b6babf4751 (\"ipmr: Free mr_table after RCU grace period.\")\nReported-by: syzkaller \u003csyzkaller@googlegroups.com\u003e\nReported-by: Yi Lai \u003cyi1.lai@intel.com\u003e\nCloses: https://lore.kernel.org/netdev/afrY34dLXNUboevf@ly-workstation/\nSigned-off-by: Kuniyuki Iwashima \u003ckuniyu@google.com\u003e\nReviewed-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReviewed-by: Ido Schimmel \u003cidosch@nvidia.com\u003e\nLink: https://patch.msgid.link/20260506065955.1695753-1-kuniyu@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "32cd651d14fc72a93703ea2384cb5cd8998523a8", "tree": "041c5e83ffbe44bf298d0907759f2b33d7653fbe", "parents": [ "9032f7676935a13fd402608223d326c5f62da9c0" ], "author": { "name": "Justin Chen", "email": "justin.chen@broadcom.com", "time": "Tue May 05 10:39:26 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu May 07 08:36:47 2026 -0700" }, "message": "net: phy: broadcom: Save PHY counters during suspend\n\nThe PHY counters can be lost if the PHY is reset during suspend. We\nneed to save the values into the shadow counters or the accounting\nwill be incorrect over multiple suspend and resume cycles.\n\nFixes: 820ee17b8d3b (\"net: phy: broadcom: Add support code for reading PHY counters\")\nSigned-off-by: Justin Chen \u003cjustin.chen@broadcom.com\u003e\nReviewed-by: Florian Fainelli \u003cflorian.fainelli@broadcom.com\u003e\nLink: https://patch.msgid.link/20260505173926.2870069-1-justin.chen@broadcom.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "9032f7676935a13fd402608223d326c5f62da9c0", "tree": "f77ab2af6c01765f231cd8402fdbf19b6f79a2bc", "parents": [ "d119775f2bad827edc28071c061fdd4a91f889a5" ], "author": { "name": "D. Wythe", "email": "alibuda@linux.alibaba.com", "time": "Wed May 06 09:41:05 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu May 07 08:36:34 2026 -0700" }, "message": "net/smc: fix missing sk_err when TCP handshake fails\n\nIn smc_connect_work(), when the underlying TCP handshake fails, the error\ncode (rc) must be propagated to sk_err to ensure userspace can correctly\nretrieve the error status via SO_ERROR. Currently, the code only handles\na restricted set of error codes (e.g., EPIPE, ECONNREFUSED). If other\nerrors occurs, such as EHOSTUNREACH, sk_err remains unset (zero).\n\nThis affects applications that rely on SO_ERROR to determine connect\noutcome. For example, higher versions of Go\u0027s netpoller treats\nSO_ERROR \u003d\u003d 0 combined with a failed getpeername() as a spurious wakeup\nand re-enters epoll_wait(). Under ET mode, no further edge will be\ngenerated since the socket is already in a terminal state, causing the\nconnect to hang indefinitely or until a user-specified timeout, if one\nis set.\n\nFixes: 50717a37db03 (\"net/smc: nonblocking connect rework\")\nSigned-off-by: D. Wythe \u003calibuda@linux.alibaba.com\u003e\nReviewed-by: Dust Li \u003cdust.li@linux.alibaba.com\u003e\nLink: https://patch.msgid.link/20260506014105.27093-1-alibuda@linux.alibaba.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "d119775f2bad827edc28071c061fdd4a91f889a5", "tree": "a8307d50171cc273deb9c6c7afa514c15aab5b32", "parents": [ "08f566e8f83bb70f04ad5aba5be352c490a01c8a" ], "author": { "name": "Jiexun Wang", "email": "wangjiexun2025@gmail.com", "time": "Wed May 06 22:08:23 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu May 07 08:36:02 2026 -0700" }, "message": "af_unix: Reject SIOCATMARK on non-stream sockets\n\nSIOCATMARK reports whether the receive queue is at the urgent mark for\nMSG_OOB.\n\nIn AF_UNIX, MSG_OOB is supported only for SOCK_STREAM sockets.\nSOCK_DGRAM and SOCK_SEQPACKET reject MSG_OOB in sendmsg() and recvmsg(),\nso they should not support SIOCATMARK either.\n\nReturn -EOPNOTSUPP for non-stream sockets before checking the receive\nqueue.\n\nFixes: 314001f0bf92 (\"af_unix: Add OOB support\")\nCc: stable@kernel.org\nReported-by: Yuan Tan \u003cyuantan098@gmail.com\u003e\nReported-by: Yifan Wu \u003cyifanwucs@gmail.com\u003e\nReported-by: Juefei Pu \u003ctomapufckgml@gmail.com\u003e\nReported-by: Xin Liu \u003cbird@lzu.edu.cn\u003e\nSuggested-by: Kuniyuki Iwashima \u003ckuniyu@google.com\u003e\nSigned-off-by: Jiexun Wang \u003cwangjiexun2025@gmail.com\u003e\nSigned-off-by: Ren Wei \u003cn05ec@lzu.edu.cn\u003e\nReviewed-by: Kuniyuki Iwashima \u003ckuniyu@google.com\u003e\nLink: https://patch.msgid.link/20260506140825.2987635-1-n05ec@lzu.edu.cn\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "08f566e8f83bb70f04ad5aba5be352c490a01c8a", "tree": "675eeeb44f57a5c54254b4f8550b9872906bb99a", "parents": [ "593dfd40a94ca0ab20297ea4629d94268deed0ed" ], "author": { "name": "Jesper Dangaard Brouer", "email": "hawk@kernel.org", "time": "Tue May 05 15:21:53 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu May 07 16:24:07 2026 +0200" }, "message": "veth: fix OOB txq access in veth_poll() with asymmetric queue counts\n\nXDP redirect into a veth device (via bpf_redirect()) calls\nveth_xdp_xmit(), which enqueues frames into the peer\u0027s ptr_ring using\n smp_processor_id() % peer-\u003ereal_num_rx_queues\nas the ring index. With an asymmetric veth pair where the peer has\nfewer TX queues than RX queues, that index can exceed\npeer-\u003ereal_num_tx_queues.\n\nveth_poll() then resolves peer_txq for the ring via:\n\n peer_txq \u003d peer_dev ? netdev_get_tx_queue(peer_dev, queue_idx) : NULL;\n\nwhere queue_idx \u003d rq-\u003exdp_rxq.queue_index. When queue_idx exceeds\npeer_dev-\u003ereal_num_tx_queues this is an out-of-bounds (OOB) access\ninto the peer\u0027s netdev_queue array, triggering DEBUG_NET_WARN_ON_ONCE\nin netdev_get_tx_queue().\n\nThe normal ndo_start_xmit path is not affected: the stack clamps\nskb-\u003equeue_mapping via netdev_cap_txqueue() before invoking\nndo_start_xmit, so rxq in veth_xmit() never exceeds real_num_tx_queues.\n\nFix veth_poll() by clamping: only dereference peer_txq when queue_idx is\nwithin bounds, otherwise set it to NULL. The out-of-range rings are fed\nexclusively via XDP redirect (veth_xdp_xmit), never via ndo_start_xmit\n(veth_xmit), so the peer txq was never stopped and there is nothing to\nwake; NULL is the correct fallback.\n\nReported-by: Sashiko \u003csashiko-bot@kernel.org\u003e\nCloses: https://lore.kernel.org/all/20260502071828.616C3C19425@smtp.kernel.org/\nFixes: dc82a33297fc (\"veth: apply qdisc backpressure on full ptr_ring to reduce TX drops\")\nSigned-off-by: Jesper Dangaard Brouer \u003chawk@kernel.org\u003e\nLink: https://patch.msgid.link/20260505132159.241305-2-hawk@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "593dfd40a94ca0ab20297ea4629d94268deed0ed", "tree": "43fe426f1d05fcdbec0353de83d9c24059304755", "parents": [ "b266bacba796ff5c4dcd2ae2fc08aacf7ab39153" ], "author": { "name": "Bobby Eshleman", "email": "bobbyeshleman@meta.com", "time": "Mon May 04 18:42:11 2026 -0700" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu May 07 12:34:42 2026 +0200" }, "message": "eth: fbnic: fix double-free of PCS on phylink creation failure\n\nfbnic_phylink_create() stores the newly allocated PCS in fbn-\u003epcs and\nthen calls phylink_create(). When phylink_create() fails, the error path\ncorrectly destroys the PCS via xpcs_destroy_pcs(), but the caller,\nfbnic_netdev_alloc(), responds by invoking fbnic_netdev_free() which\ncalls fbnic_phylink_destroy(). That function finds fbn-\u003epcs non-NULL and\ncalls xpcs_destroy_pcs() a second time on the already-freed object,\ntriggering a refcount underflow use-after-free:\n\n[ 1.934973] fbnic 0000:01:00.0: Failed to create Phylink interface, err: -22\n[ 1.935103] ------------[ cut here ]------------\n[ 1.935179] refcount_t: underflow; use-after-free.\n[ 1.935252] WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x59/0x90, CPU#0: swapper/0/1\n[ 1.935389] Modules linked in:\n[ 1.935484] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 7.0.0-virtme-04244-g1f5ffc672165-dirty #1 PREEMPT(lazy)\n[ 1.935661] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[ 1.935826] RIP: 0010:refcount_warn_saturate+0x59/0x90\n[ 1.935931] Code: 44 48 8d 3d 49 f9 a7 01 67 48 0f b9 3a e9 bf 1e 96 00 48 8d 3d 48 f9 a7 01 67 48 0f b9 3a c3 cc cc cc cc 48 8d 3d 47 f9 a7 01 \u003c67\u003e 48 0f b9 3a c3 cc cc cc cc 48 8d 3d 46 f9 a7 01 67 48 0f b9 3a\n[ 1.936274] RSP: 0000:ffffd0d440013c58 EFLAGS: 00010246\n[ 1.936376] RAX: 0000000000000000 RBX: ffff8f39c188c278 RCX: 000000000000002b\n[ 1.936524] RDX: ffff8f39c004f000 RSI: 0000000000000003 RDI: ffffffff96abab00\n[ 1.936692] RBP: ffff8f39c188c240 R08: ffffffff96988e88 R09: 00000000ffffdfff\n[ 1.936835] R10: ffffffff96878ea0 R11: 0000000000000187 R12: 0000000000000000\n[ 1.936970] R13: ffff8f39c0cef0c8 R14: ffff8f39c1ac01c0 R15: 0000000000000000\n[ 1.937114] FS: 0000000000000000(0000) GS:ffff8f3ba08b4000(0000) knlGS:0000000000000000\n[ 1.937273] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1.937382] CR2: ffff8f3b3ffff000 CR3: 0000000172642001 CR4: 0000000000372ef0\n[ 1.937540] Call Trace:\n[ 1.937619] \u003cTASK\u003e\n[ 1.937698] xpcs_destroy_pcs+0x25/0x40\n[ 1.937783] fbnic_netdev_alloc+0x1e5/0x200\n[ 1.937859] fbnic_probe+0x230/0x370\n[ 1.937939] local_pci_probe+0x3e/0x90\n[ 1.938013] pci_device_probe+0xbb/0x1e0\n[ 1.938091] ? sysfs_do_create_link_sd+0x6d/0xe0\n[ 1.938188] really_probe+0xc1/0x2b0\n[ 1.938282] __driver_probe_device+0x73/0x120\n[ 1.938371] driver_probe_device+0x1e/0xe0\n[ 1.938466] __driver_attach+0x8d/0x190\n[ 1.938560] ? __pfx___driver_attach+0x10/0x10\n[ 1.938663] bus_for_each_dev+0x7b/0xd0\n[ 1.938758] bus_add_driver+0xe8/0x210\n[ 1.938854] driver_register+0x60/0x120\n[ 1.938929] ? __pfx_fbnic_init_module+0x10/0x10\n[ 1.939026] fbnic_init_module+0x25/0x60\n[ 1.939109] do_one_initcall+0x49/0x220\n[ 1.939202] ? rdinit_setup+0x20/0x40\n[ 1.939304] kernel_init_freeable+0x1b0/0x310\n[ 1.939449] ? __pfx_kernel_init+0x10/0x10\n[ 1.939560] kernel_init+0x1a/0x1c0\n[ 1.939640] ret_from_fork+0x1ed/0x240\n[ 1.939730] ? __pfx_kernel_init+0x10/0x10\n[ 1.939805] ret_from_fork_asm+0x1a/0x30\n[ 1.939886] \u003c/TASK\u003e\n[ 1.939927] ---[ end trace 0000000000000000 ]---\n[ 1.940184] fbnic 0000:01:00.0: Netdev allocation failed\n\nInstead of calling fbnic_phylink_destroy(), the prior initialization of\nnetdev should just be unrolled with free_netdev() and clearing\nfbd-\u003enetdev.\n\nClearing fbd-\u003enetdev to NULL avoids UAF in init_failure_mode where\ncallers guard by checking !fbd-\u003enetdev, such as fbnic_mdio_read_pmd().\nThese callers remain active even after a failed probe, so fdb-\u003enetdev\nstill needs to be cleared.\n\nFixes: d0fe7104c795 (\"fbnic: Replace use of internal PCS w/ Designware XPCS\")\nSigned-off-by: Bobby Eshleman \u003cbobbyeshleman@meta.com\u003e\nLink: https://patch.msgid.link/20260504-fbnic-pcs-fix-v2-1-de45192821d9@meta.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "8ab992f815d6736b5c7a6f5fd7bfe7bc106bb3dc", "tree": "52c66a9d4530ea90af3e1a5fdc1e219f2e48b9c8", "parents": [ "b625e47f04274538e32e99fe6d3dc01edc93d280", "996454bc0da84d5a1dedb1a7861823087e01a7ae" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 06 22:02:28 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 06 22:02:28 2026 -0700" }, "message": "Merge tag \u0027v7.1-rc3-ksmbd-server-fixes\u0027 of git://git.samba.org/ksmbd\n\nPull smb server fixes from Steve French:\n\n - Fix memory leak in connection free\n\n - Fix inherited ACL ACE validation\n\n - Minor cleanup\n\n - Fix for share config\n\n - Fix durable handle cleanup race\n\n - Fix close_file_table_ids in session teardown\n\n - smbdirect fixes:\n - Fix memory region registration\n - Two fixes for out-of-tree builds\n\n* tag \u0027v7.1-rc3-ksmbd-server-fixes\u0027 of git://git.samba.org/ksmbd:\n ksmbd: validate inherited ACE SID length\n ksmbd: fix kernel-doc warnings from ksmbd_conn_get/put()\n ksmbd: fail share config requests when path allocation fails\n ksmbd: close durable scavenger races against m_fp_list lookups\n ksmbd: harden file lifetime during session teardown\n ksmbd: centralize ksmbd_conn final release to plug transport leak\n smb: smbdirect: fix MR registration for coalesced SG lists\n smb: smbdirect: introduce and use include/linux/smbdirect.h\n smb: smbdirect: make use of DEFAULT_SYMBOL_NAMESPACE and EXPORT_SYMBOL_GPL\n" }, { "commit": "b625e47f04274538e32e99fe6d3dc01edc93d280", "tree": "191d8d8bb209685ab792053cfe3e2f30282902e5", "parents": [ "5862221fddede6bb15566ab3c1f23a3c353da5e1", "525cb7ba6661074c1c5cc3772bccc6afab6791ef" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 06 20:44:03 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 06 20:44:03 2026 -0700" }, "message": "Merge tag \u0027chrome-platform-fixes-v7.1-rc3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux\n\nPull chrome-platform fix from Tzung-Bi Shih:\n\n - Fix a NULL dereference in cros_ec_typec\n\n* tag \u0027chrome-platform-fixes-v7.1-rc3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux:\n platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration\n" }, { "commit": "b266bacba796ff5c4dcd2ae2fc08aacf7ab39153", "tree": "81d8b06d4509d00465b01170b2daaae6b22f173c", "parents": [ "2b1f48cc0f31abd1115a8c4b74b6425aba46eae4" ], "author": { "name": "Andreas Haarmann-Thiemann", "email": "eitschman@nebelreich.de", "time": "Tue May 05 23:52:17 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 18:43:41 2026 -0700" }, "message": "net: ethernet: cortina: Drop half-assembled SKB\n\nIn gmac_rx() (drivers/net/ethernet/cortina/gemini.c), when\ngmac_get_queue_page() returns NULL for the second page of a multi-page\nfragment, the driver logs an error and continues — but does not free the\npartially assembled skb that was being assembled via napi_build_skb() /\nnapi_get_frags().\n\nFree the in-progress partially assembled skb via napi_free_frags()\nand increase the number of dropped frames appropriately\nand assign the skb pointer NULL to make sure it is not lingering\naround, matching the pattern already used elsewhere in the driver.\n\nFixes: 4d5ae32f5e1e (\"net: ethernet: Add a driver for Gemini gigabit ethernet\")\nSigned-off-by: Andreas Haarmann-Thiemann \u003ceitschman@nebelreich.de\u003e\nSigned-off-by: Linus Walleij \u003clinusw@kernel.org\u003e\nReviewed-by: Alexander Lobakin \u003caleksander.lobakin@intel.com\u003e\nLink: https://patch.msgid.link/20260505-gemini-ethernet-fix-v2-1-997c31d06079@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "2b1f48cc0f31abd1115a8c4b74b6425aba46eae4", "tree": "5aa3af72025501df785192808a303899c3f9db99", "parents": [ "c8f7244c8cccaaed4e6c9fe4b8a07e101d0423e5", "53705ddfa18408f8e1f064331b6387509fa19f7f" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 18:16:49 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 18:16:50 2026 -0700" }, "message": "Merge branch \u0027mptcp-pm-misc-fixes-for-v7-1-rc3\u0027\n\nMatthieu Baerts says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nmptcp: pm: misc. fixes for v7.1-rc3\n\nHere are various fixes, mainly related to ADD_ADDRs:\n\n- Patch 1: save ADD_ADDR for rtx with ID0 when needed. A fix for v6.1.\n\n- Patch 2: remove unneeded exception for ID 0. A fix for v5.10.\n\n- Patches 3-5: fix potential data-race and leaks during ADD_ADDR rtx. A\n fix for v5.10.\n\n- Patch 6: resched blocked ADD_ADDR rtx after a more appropriated\n timeout, not after 15 seconds. A fix for v5.10.\n\n- Patch 7: skip inactive subflows when when looking at the max RTO. A\n fix for v6.18.\n\n- Patch 8: avoid iterating over all subflows when there is no need to. A\n fix for v6.18.\n\n- Patch 9: skip closed subflows when looking at sending MP_PRIO. A fix\n for v5.17.\n\n- Patch 10: properly catch errors when using check_output() in the\n selftests. A fix for v6.9.\n\n- Patch 11: skip the \u0027unknown\u0027 flag test when \u0027ip mptcp\u0027 is used. A fix\n for v6.10.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-0-fca8091060a4@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "53705ddfa18408f8e1f064331b6387509fa19f7f", "tree": "5aa3af72025501df785192808a303899c3f9db99", "parents": [ "65db7b27b90e2ea8d4966935aa9a50b6a60c31ac" ], "author": { "name": "Matthieu Baerts (NGI0)", "email": "matttbe@kernel.org", "time": "Tue May 05 17:00:59 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 18:16:45 2026 -0700" }, "message": "selftests: mptcp: pm: restrict \u0027unknown\u0027 check to pm_nl_ctl\n\nWhen pm_netlink.sh is executed with \u0027-i\u0027, \u0027ip mptcp\u0027 is used instead of\n\u0027pm_nl_ctl\u0027. IPRoute2 doesn\u0027t support the \u0027unknown\u0027 flag, which has only\nbeen added to \u0027pm_nl_ctl\u0027 for this specific check: to ensure that the\nkernel ignores such unsupported flag.\n\nNo reason to add this flag to \u0027ip mptcp\u0027. Then, this check should be\nskipped when \u0027ip mptcp\u0027 is used.\n\nFixes: 0cef6fcac24d (\"selftests: mptcp: ip_mptcp option for more scripts\")\nCc: stable@vger.kernel.org\nReviewed-by: Mat Martineau \u003cmartineau@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-11-fca8091060a4@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "65db7b27b90e2ea8d4966935aa9a50b6a60c31ac", "tree": "a8dd2ff2e188abbecb8a2dffaa0709da5b511a08", "parents": [ "166b78344031bf7ac9f55cb5282776cfd85f220e" ], "author": { "name": "Matthieu Baerts (NGI0)", "email": "matttbe@kernel.org", "time": "Tue May 05 17:00:58 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 18:16:45 2026 -0700" }, "message": "selftests: mptcp: check output: catch cmd errors\n\nUsing \u0027${?}\u0027 inside the if-statement to check the returned value from\nthe command that was evaluated as part of the if-statement is not\ncorrect: here, \u0027${?}\u0027 will be linked to the previous instruction, not\nthe one that is expected here (${cmd}).\n\nInstead, simply mark the error, except if an error is expected. If\nthat\u0027s the case, 1 can be passed as the 4th argument of this helper.\nThree checks from pm_netlink.sh expect an error.\n\nWhile at it, improve the error message when the command unexpectedly\nfails or succeeds.\n\nNote that we could expect a specific returned value, but the checks\ncurrently expecting an error can be used with \u0027ip mptcp\u0027 or \u0027pm_nl_ctl\u0027,\nand these two tools don\u0027t return the same error code.\n\nFixes: 2d0c1d27ea4e (\"selftests: mptcp: add mptcp_lib_check_output helper\")\nCc: stable@vger.kernel.org\nReviewed-by: Mat Martineau \u003cmartineau@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-10-fca8091060a4@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "166b78344031bf7ac9f55cb5282776cfd85f220e", "tree": "a7e938e19f4b039c4959103e80680a8be597b44b", "parents": [ "62a9b19dce77e72426f049fb99b9d1d032b9a8ea" ], "author": { "name": "Matthieu Baerts (NGI0)", "email": "matttbe@kernel.org", "time": "Tue May 05 17:00:57 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 18:16:45 2026 -0700" }, "message": "mptcp: pm: prio: skip closed subflows\n\nWhen sending an MP_PRIO, closed subflows need to be skipped.\n\nThis fixes the case where the initial subflow got closed, re-opened\nlater, then an MP_PRIO is needed for the same local address.\n\nNote that explicit MP_PRIO cannot be sent during the 3WHS, so it is fine\nto use __mptcp_subflow_active().\n\nFixes: 067065422fcd (\"mptcp: add the outgoing MP_PRIO support\")\nCc: stable@vger.kernel.org\nFixes: b29fcfb54cd7 (\"mptcp: full disconnect implementation\")\nReviewed-by: Mat Martineau \u003cmartineau@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-9-fca8091060a4@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "62a9b19dce77e72426f049fb99b9d1d032b9a8ea", "tree": "2451d51f9f35a6715bb2ffb6bf210d6b84d1d2f9", "parents": [ "c6d395e2de1306b5fef0344a3c3835fbbfaa18be" ], "author": { "name": "Matthieu Baerts (NGI0)", "email": "matttbe@kernel.org", "time": "Tue May 05 17:00:56 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 18:16:45 2026 -0700" }, "message": "mptcp: pm: ADD_ADDR rtx: return early if no retrans\n\nNo need to iterate over all subflows if there is no retransmission\nneeded.\n\nExit early in this case then.\n\nFixes: 30549eebc4d8 (\"mptcp: make ADD_ADDR retransmission timeout adaptive\")\nCc: stable@vger.kernel.org\nReviewed-by: Mat Martineau \u003cmartineau@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-8-fca8091060a4@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "c6d395e2de1306b5fef0344a3c3835fbbfaa18be", "tree": "018c6723e3b0a22c0b5753c67d808eebd09b4b14", "parents": [ "3cf12492891c4b5ff54dda404a2de4ec54c9e1b5" ], "author": { "name": "Matthieu Baerts (NGI0)", "email": "matttbe@kernel.org", "time": "Tue May 05 17:00:55 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 18:16:45 2026 -0700" }, "message": "mptcp: pm: ADD_ADDR rtx: skip inactive subflows\n\nWhen looking at the maximum RTO amongst the subflows, inactive subflows\nwere taken into account: that includes stale ones, and the initial one\nif it has been already been closed.\n\nUnusable subflows are now simply skipped. Stale ones are used as an\nalternative: if there are only stale ones, to take their maximum RTO and\navoid to eventually fallback to net.mptcp.add_addr_timeout, which is set\nto 2 minutes by default.\n\nFixes: 30549eebc4d8 (\"mptcp: make ADD_ADDR retransmission timeout adaptive\")\nCc: stable@vger.kernel.org\nReviewed-by: Mat Martineau \u003cmartineau@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-7-fca8091060a4@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "3cf12492891c4b5ff54dda404a2de4ec54c9e1b5", "tree": "491e4a06ac34538778a0fb3b704f569fb6d1a82d", "parents": [ "b7b9a461569734d33d3259d58d2507adfac107ed" ], "author": { "name": "Matthieu Baerts (NGI0)", "email": "matttbe@kernel.org", "time": "Tue May 05 17:00:54 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 18:16:45 2026 -0700" }, "message": "mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker\n\nWhen an ADD_ADDR needs to be retransmitted and another one has already\nbeen prepared -- e.g. multiple ADD_ADDRs have been sent in a row and\nneed to be retransmitted later -- this additional retransmission will\nneed to wait.\n\nIn this case, the timer was reset to TCP_RTO_MAX / 8, which is ~15\nseconds. This delay is unnecessary long: it should just be rescheduled\nat the next opportunity, e.g. after the retransmission timeout.\n\nWithout this modification, some issues can be seen from time to time in\nthe selftests when multiple ADD_ADDRs are sent, and the host takes time\nto process them, e.g. the \"signal addresses, ADD_ADDR timeout\" MPTCP\nJoin selftest, especially with a debug kernel config.\n\nNote that on older kernels, \u0027timeout\u0027 is not available. It should be\nenough to replace it by one second (HZ).\n\nFixes: 00cfd77b9063 (\"mptcp: retransmit ADD_ADDR when timeout\")\nCc: stable@vger.kernel.org\nReviewed-by: Mat Martineau \u003cmartineau@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-6-fca8091060a4@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "b7b9a461569734d33d3259d58d2507adfac107ed", "tree": "64a46f9b0c0787c4c5a7a41f64fab2ad0ba8b7ca", "parents": [ "9634cb35af17019baec21ca648516ce376fa10e6" ], "author": { "name": "Matthieu Baerts (NGI0)", "email": "matttbe@kernel.org", "time": "Tue May 05 17:00:53 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 18:16:44 2026 -0700" }, "message": "mptcp: pm: ADD_ADDR rtx: free sk if last\n\nWhen an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(),\nand released at the end.\n\nIf at that moment, it was the last reference being held, the sk would\nnot be freed. sock_put() should then be called instead of __sock_put().\n\nBut that\u0027s not enough: if it is the last reference, sock_put() will call\nsk_free(), which will end up calling sk_stop_timer_sync() on the same\ntimer, and waiting indefinitely to finish. So it is needed to mark that\nthe timer is done at the end of the timer handler when it has not been\nrescheduled, not to call sk_stop_timer_sync() on \"itself\".\n\nFixes: 00cfd77b9063 (\"mptcp: retransmit ADD_ADDR when timeout\")\nCc: stable@vger.kernel.org\nReviewed-by: Mat Martineau \u003cmartineau@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-5-fca8091060a4@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "9634cb35af17019baec21ca648516ce376fa10e6", "tree": "550d609a82ffe93c7776ab55392d4607cc52a33f", "parents": [ "5cd6e0ad79d2615264f63929f8b457ad97ae550d" ], "author": { "name": "Matthieu Baerts (NGI0)", "email": "matttbe@kernel.org", "time": "Tue May 05 17:00:52 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 18:16:44 2026 -0700" }, "message": "mptcp: pm: ADD_ADDR rtx: always decrease sk refcount\n\nWhen an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer().\nIt should then be released in all cases at the end.\n\nSome (unlikely) checks were returning directly instead of calling\nsock_put() to decrease the refcount. Jump to a new \u0027exit\u0027 label to call\n__sock_put() (which will become sock_put() in the next commit) to fix\nthis potential leak.\n\nWhile at it, drop the \u0027!msk\u0027 check which cannot happen because it is\nnever reset, and explicitly mark the remaining one as \"unlikely\".\n\nFixes: 00cfd77b9063 (\"mptcp: retransmit ADD_ADDR when timeout\")\nCc: stable@vger.kernel.org\nReviewed-by: Mat Martineau \u003cmartineau@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-4-fca8091060a4@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "5cd6e0ad79d2615264f63929f8b457ad97ae550d", "tree": "2377b3a62992b0e5e779e012e8f7f893090931f6", "parents": [ "03f324f3f1f7619a47b9c91282cb12775ab0a2f1" ], "author": { "name": "Matthieu Baerts (NGI0)", "email": "matttbe@kernel.org", "time": "Tue May 05 17:00:51 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 18:16:44 2026 -0700" }, "message": "mptcp: pm: ADD_ADDR rtx: fix potential data-race\n\nThis mptcp_pm_add_timer() helper is executed as a timer callback in\nsoftirq context. To avoid any data races, the socket lock needs to be\nheld with bh_lock_sock().\n\nIf the socket is in use, retry again soon after, similar to what is done\nwith the keepalive timer.\n\nFixes: 00cfd77b9063 (\"mptcp: retransmit ADD_ADDR when timeout\")\nCc: stable@vger.kernel.org\nReviewed-by: Mat Martineau \u003cmartineau@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-3-fca8091060a4@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "03f324f3f1f7619a47b9c91282cb12775ab0a2f1", "tree": "225eda8e8e24dc7f53dc9118dd816c1b042965dd", "parents": [ "b12014d2d36eaed4e4bec5f1ac7e91110eeb100d" ], "author": { "name": "Matthieu Baerts (NGI0)", "email": "matttbe@kernel.org", "time": "Tue May 05 17:00:50 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 18:16:44 2026 -0700" }, "message": "mptcp: pm: ADD_ADDR rtx: allow ID 0\n\nADD_ADDR can be sent for the ID 0, which corresponds to the local\naddress and port linked to the initial subflow.\n\nIndeed, this address could be removed, and re-added later on, e.g. what\nis done in the \"delete re-add signal\" MPTCP Join selftests. So no reason\nto ignore it.\n\nFixes: 00cfd77b9063 (\"mptcp: retransmit ADD_ADDR when timeout\")\nCc: stable@vger.kernel.org\nReviewed-by: Mat Martineau \u003cmartineau@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-2-fca8091060a4@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "b12014d2d36eaed4e4bec5f1ac7e91110eeb100d", "tree": "dec7b7d2d8b8e2e1c02d87d0d9807237c1dcb05d", "parents": [ "c8f7244c8cccaaed4e6c9fe4b8a07e101d0423e5" ], "author": { "name": "Matthieu Baerts (NGI0)", "email": "matttbe@kernel.org", "time": "Tue May 05 17:00:49 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 18:16:44 2026 -0700" }, "message": "mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0\n\nWhen adding the ADD_ADDR to the list, the address including the IP, port\nand ID are copied. On the other hand, when the endpoint corresponds to\nthe one from the initial subflow, the ID is set to 0, as specified by\nthe MPTCP protocol.\n\nThe issue is that the ID was reset after having copied the ID in the\nADD_ADDR entry. So the retransmission was done, but using a different ID\nthan the initial one.\n\nFixes: 8b8ed1b429f8 (\"mptcp: pm: reuse ID 0 after delete and re-add\")\nCc: stable@vger.kernel.org\nReviewed-by: Mat Martineau \u003cmartineau@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-1-fca8091060a4@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "c8f7244c8cccaaed4e6c9fe4b8a07e101d0423e5", "tree": "410de56141b25893ef9a03f0c23982d512c9eabd", "parents": [ "770b136ff9bf3e319d19875da59c4f7f4853da3a" ], "author": { "name": "Eric Dumazet", "email": "edumazet@google.com", "time": "Tue May 05 15:39:27 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 18:11:33 2026 -0700" }, "message": "tcp: tcp_child_process() related UAF\n\ntcp_child_process( .. child ...) currently calls sock_put(child).\n\nUnfortunately @child (named @nsk in callers) can be used after\nthis point to send a RST packet.\n\nTo fix this UAF, I remove the sock_put() from tcp_child_process()\nand let the callers handle this after it is safe.\n\nRemove @rsk variable in tcp_v4_do_rcv() and change tcp_v6_do_rcv()\nso that both functions look the same.\n\nFixes: cfb6eeb4c860 (\"[TCP]: MD5 Signature Option (RFC2385) support.\")\nReported-by: Damiano Melotti \u003cmelotti@google.com\u003e\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReviewed-by: Kuniyuki Iwashima \u003ckuniyu@google.com\u003e\nLink: https://patch.msgid.link/20260505153927.3435532-1-edumazet@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "770b136ff9bf3e319d19875da59c4f7f4853da3a", "tree": "a6b1b39ef131d5b234aba3d9245c469e913cd64a", "parents": [ "67ef49047d312be692c8c439145f4514174e517f" ], "author": { "name": "Eric Dumazet", "email": "edumazet@google.com", "time": "Tue May 05 09:11:33 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 17:46:05 2026 -0700" }, "message": "net/sched: sch_sfq: annotate data-races from sfq_dump_class_stats()\n\nsfq_dump_class_stats() runs locklessly, add needed READ_ONCE()\nand WRITE_ONCE() annotations.\n\nFixes: edb09eb17ed8 (\"net: sched: do not acquire qdisc spinlock in qdisc/class stats dump\")\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nLink: https://patch.msgid.link/20260505091133.2452510-1-edumazet@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "67ef49047d312be692c8c439145f4514174e517f", "tree": "a65655486018a571d0e1345b0986ac1693f3538c", "parents": [ "701ea57feaabdea403cf299ee5cd0445083bc0ac" ], "author": { "name": "Eric Dumazet", "email": "edumazet@google.com", "time": "Tue May 05 13:32:33 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 17:44:13 2026 -0700" }, "message": "inetpeer: add a missing read_seqretry() in inet_getpeer()\n\nWhen performing a lockless lookup over the inet_peer rbtree,\nif a matching node is found, inet_getpeer() returns it immediately\nwithout validating the seqlock sequence.\n\nThis missing check introduces a race condition:\n\nTrigger Path: When a host receives an incoming fragmented IPv4 packet,\nip4_frag_init() (in net/ipv4/ip_fragment.c) calls inet_getpeer_v4()\nto track the peer.\n\nThe Race: If the packet is from a new source IP, CPU A acquires the\nwrite_seqlock, allocates a new inet_peer node (p), sets its IP address\n(daddr), and links it to the rbtree (rb_link_node).\n\nUninitialized Access: Due to the lack of memory barriers between\nrb_link_node and the initialization of the rest of the struct\n(like refcount_set(\u0026p-\u003erefcnt, 1)), CPU A can make the node visible\nto readers before its refcnt is initialized.\nThis is especially true on weakly-ordered architectures like ARM64\nwhere the CPU can reorder the memory stores.\n\nLockless Reader: Concurrently, CPU B processes a second fragmented packet\nfrom the same source IP. CPU B does a lockless lookup, finds the newly\ninserted node, and returns it immediately.\n\nUse-After-Free (UAF): CPU B reads p-\u003erefcnt as uninitialized garbage\n(left over from previous kmalloc-128/192 allocations).\nIf the garbage is \u003e 0, refcount_inc_not_zero(\u0026p-\u003erefcnt) succeeds.\nCPU A then executes refcount_set(\u0026p-\u003erefcnt, 1), overwriting CPU B\u0027s increment.\nWhen CPU B finishes with the fragment queue, it calls inet_putpeer(),\nwhich drops the refcount to 0 and frees the node via RCU.\nThe node is now freed but remains linked in the rbtree,\nresulting in a Use-After-Free in the rbtree.\n\nFixes: b145425f269a (\"inetpeer: remove AVL implementation in favor of RB tree\")\nReported-by: Damiano Melotti \u003cmelotti@google.com\u003e\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nLink: https://patch.msgid.link/20260505133233.3039575-1-edumazet@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "701ea57feaabdea403cf299ee5cd0445083bc0ac", "tree": "603afe28b3c73cb4adbe3ed3d98e82b243abdc12", "parents": [ "e4182739363b32c33012daf3b77a8cab3cd160be" ], "author": { "name": "Shitalkumar Gandhi", "email": "shital.gandhi45@gmail.com", "time": "Tue May 05 18:02:36 2026 +0530" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 17:42:50 2026 -0700" }, "message": "net: rtsn: fix mdio_node leak in rtsn_mdio_alloc()\n\nof_get_child_by_name() takes a reference. The rtsn_reset() and\nrtsn_change_mode() failure paths jump to out_free_bus and leak\nmdio_node.\n\nAdd out_put_node to drop it before falling through.\n\nFixes: b0d3969d2b4d (\"net: ethernet: rtsn: Add support for Renesas Ethernet-TSN\")\nSigned-off-by: Shitalkumar Gandhi \u003cshitalkumar.gandhi@cambiumnetworks.com\u003e\nReviewed-by: Geert Uytterhoeven \u003cgeert+renesas@glider.be\u003e\nReviewed-by: Andrew Lunn \u003candrew@lunn.ch\u003e\nReviewed-by: Niklas Söderlund \u003cniklas.soderlund+renesas@ragnatech.se\u003e\nLink: https://patch.msgid.link/20260505123236.406000-1-shitalkumar.gandhi@cambiumnetworks.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "e4182739363b32c33012daf3b77a8cab3cd160be", "tree": "a256a46bc8fc92a5ee81952c40f6582e8c61a09d", "parents": [ "7aaa8f5e45a92678256c1e17f1fa2c2f45c61dd1", "07bdec3fc737aac7f4c273aafa803d353174c43e" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 17:39:22 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 17:39:22 2026 -0700" }, "message": "Merge branch \u0027netdevsim-psp-fix-init-and-uninit-bugs\u0027\n\nDaniel Zahka says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnetdevsim: psp: fix init and uninit bugs\n\nThis series has three fixes. The first is a straightforward NULL\npointer dereference that is reachable by creating and destroying some\nvfs on a kernel with INET_PSP enabled.\n\nThe last two patches deal with nsim_psp_rereg_write(), which is a\ndebugfs handler that reregisters netdevsim\u0027s psp_dev without\naquiescing and disabling tx/rx processing. This was added to enable\nsome tests in psp.py where a psp device is unregistered while it still\nreferenced by tcp socket state.\n\nThere are two issues with this code:\n1. Calls to nsim_psp_uninit() are not properly serialized\n2. netdevsim\u0027s psp_dev refcount can be released while nsim_do_psp() is\n reading from it.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260505-psd-rcu-v1-0-a8f69ec1ab96@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "07bdec3fc737aac7f4c273aafa803d353174c43e", "tree": "a256a46bc8fc92a5ee81952c40f6582e8c61a09d", "parents": [ "24c96a42006ee27a078ec8c631c906dea8a3ca6d" ], "author": { "name": "Daniel Zahka", "email": "daniel.zahka@gmail.com", "time": "Tue May 05 03:42:25 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 17:39:20 2026 -0700" }, "message": "netdevsim: psp: rcu protect psp_dev reference\n\nThere are two issues with the way psp_dev is used in nsim_do_psp():\n\n1. There is no check for IS_ERR() on the peers psp_dev, before\n dereferencing.\n2. The refcount on this psp_dev can be dropped by\n nsim_psp_rereg_write()\n\nTo fix this, we can make netdevsim\u0027s reference to its psp_dev an rcu\nreference, and then nsim_do_psp() can read the fields it needs from an\nrcu critical section.\n\nFixes: f857478d6206 (\"netdevsim: a basic test PSP implementation\")\nSigned-off-by: Daniel Zahka \u003cdaniel.zahka@gmail.com\u003e\nReviewed-by: Willem de Bruijn \u003cwillemb@google.com\u003e\nLink: https://patch.msgid.link/20260505-psd-rcu-v1-3-a8f69ec1ab96@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "24c96a42006ee27a078ec8c631c906dea8a3ca6d", "tree": "249ea6ab2da44c302fef8073e406377688543070", "parents": [ "7ce3f1bedaac88880594720ba0f687da3bd7fc8a" ], "author": { "name": "Daniel Zahka", "email": "daniel.zahka@gmail.com", "time": "Tue May 05 03:42:24 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 17:39:20 2026 -0700" }, "message": "netdevsim: psp: serialize calls to nsim_psp_uninit()\n\nThe debugfs write handler, nsim_psp_rereg_write(), can race against\nnsim_destroy() and against itself, causing nsim_psp_uninit() to run\nmore than once concurrently. Two complementary changes serialize all\ncallers:\n\n1. Delete the psp_rereg debugfs file from nsim_psp_uninit() before\n doing the actual teardown. debugfs_remove() drains any in-flight\n writers and prevents new ones from starting.\n\n2. Add a mutex around the body of nsim_psp_rereg_write() so that two\n concurrent userspace writers cannot both enter the teardown path\n at once.\n\nThe teardown work itself is moved into a new __nsim_psp_uninit() that\nthe rereg handler calls under the mutex, while the public\nnsim_psp_uninit() wraps it with the debugfs_remove()/mutex_destroy()\npair so nsim_destroy() doesn\u0027t have to know about the psp internals.\n\nFixes: f857478d6206 (\"netdevsim: a basic test PSP implementation\")\nSigned-off-by: Daniel Zahka \u003cdaniel.zahka@gmail.com\u003e\nReviewed-by: Willem de Bruijn \u003cwillemb@google.com\u003e\nLink: https://patch.msgid.link/20260505-psd-rcu-v1-2-a8f69ec1ab96@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "7ce3f1bedaac88880594720ba0f687da3bd7fc8a", "tree": "6ac156d24a69336812d79baf1f065b5aa1b99a90", "parents": [ "7aaa8f5e45a92678256c1e17f1fa2c2f45c61dd1" ], "author": { "name": "Daniel Zahka", "email": "daniel.zahka@gmail.com", "time": "Tue May 05 03:42:23 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 17:39:20 2026 -0700" }, "message": "netdevsim: psp: only call nsim_psp_uninit() on PFs\n\nVFs go through nsim_init_netdevsim_vf() which never calls\nnsim_psp_init(), so ns-\u003epsp.dev stays NULL. nsim_psp_uninit() guards\nwith !IS_ERR(ns-\u003epsp.dev), so destroying a VF reaches\npsp_dev_unregister(NULL) and dereferences NULL on the first\nmutex_lock(\u0026psd-\u003elock):\n\n BUG: kernel NULL pointer dereference, address: 0000000000000020\n RIP: 0010:mutex_lock+0x1c/0x30\n Call Trace:\n psp_dev_unregister+0x2a/0x1a0\n nsim_psp_uninit+0x1f/0x40 [netdevsim]\n nsim_destroy+0x61/0x1e0 [netdevsim]\n __nsim_dev_port_del+0x47/0x90 [netdevsim]\n nsim_drv_configure_vfs+0xc9/0x130 [netdevsim]\n nsim_bus_dev_numvfs_store+0x79/0xb0 [netdevsim]\n\nGate nsim_psp_uninit() on nsim_dev_port_is_pf(), matching the pattern\nalready used for nsim_exit_netdevsim() and the bpf/ipsec/macsec/queue\nteardowns.\n\nReproducer:\n modprobe netdevsim\n echo \"10 1\" \u003e /sys/bus/netdevsim/new_device\n echo 1 \u003e /sys/bus/netdevsim/devices/netdevsim10/sriov_numvfs\n devlink dev eswitch set netdevsim/netdevsim10 mode switchdev\n echo 0 \u003e /sys/bus/netdevsim/devices/netdevsim10/sriov_numvfs\n\nFixes: f857478d6206 (\"netdevsim: a basic test PSP implementation\")\nSigned-off-by: Daniel Zahka \u003cdaniel.zahka@gmail.com\u003e\nReviewed-by: Willem de Bruijn \u003cwillemb@google.com\u003e\nLink: https://patch.msgid.link/20260505-psd-rcu-v1-1-a8f69ec1ab96@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "7aaa8f5e45a92678256c1e17f1fa2c2f45c61dd1", "tree": "a32967d41a88fefdc7f1694b3d5ed4b6f636dbc5", "parents": [ "0e1368a28dd5231ae0dbe240dfe0ff2657de5647" ], "author": { "name": "Eric Dumazet", "email": "edumazet@google.com", "time": "Tue May 05 13:00:56 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 17:29:23 2026 -0700" }, "message": "ipv6: fix potential UAF caused by ip6_forward_proxy_check()\n\nip6_forward_proxy_check() calls pskb_may_pull() which might re-allocate\nskb-\u003ehead.\n\nReload ipv6_hdr() after the pskb_may_pull() call to avoid using\nthe freed memory.\n\nFixes: e21e0b5f19ac (\"[IPV6] NDISC: Handle NDP messages to proxied addresses.\")\nReported-by: Damiano Melotti \u003cmelotti@google.com\u003e\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReviewed-by: David Ahern \u003cdsahern@kernel.org\u003e\nReviewed-by: Ido Schimmel \u003cidosch@nvidia.com\u003e\nLink: https://patch.msgid.link/20260505130056.2927197-1-edumazet@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "0e1368a28dd5231ae0dbe240dfe0ff2657de5647", "tree": "09f8c9c799205299a8ba45b01507bee96c663f95", "parents": [ "dc61989e37726e0ff3d669e6ad94e62b97149329" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 17:22:05 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 17:22:24 2026 -0700" }, "message": "selftests: drv-net: fix sort order of makefile and config\n\nRecent changes added configs and tests in the wrong spot.\n\nLink: https://lore.kernel.org/20260506170435.34984dfc@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "dc61989e37726e0ff3d669e6ad94e62b97149329", "tree": "3c3f92340762c577852554e4a50960c598cc28f3", "parents": [ "f4eac70d1e0c1fb6b3b4743ff12753c9fedb88e4", "f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 16:49:41 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 16:49:42 2026 -0700" }, "message": "Merge tag \u0027ipsec-2026-05-05\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec\n\nSteffen Klassert says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\npull request (net): ipsec 2026-05-05\n\n1. Fix an IPv6 encapsulation error path that leaked route references\n when UDPv6 ESP decapsulation resolved to an error route.\n From Yilin Zhu.\n\n2. Fix AH with ESN on async crypto paths by accounting for the extra\n high-order sequence number when reconstructing the temporary\n authentication layout in the completion callbacks.\n From Michael Bomarito.\n\n3. Fix XFRM output so it does not overwrite already-correct inner header\n pointers when a tunnel layer such as VXLAN has already saved them.\n The fix comes with new selftests. From Cosmin Ratiu.\n\n4. Add the missing native payload size entry for XFRM_MSG_MAPPING in the\n compat translation path. From Ruijie Li.\n\n5. Harden __xfrm_state_delete() against repeated or inconsistent unhashing\n of state list nodes by keying the removal on actual list membership and\n using delete-and-init helpers. From Michal Kosiorek.\n\n6. Prevent ESP from decrypting shared splice-backed skb fragments in place\n by marking UDP splice frags as shared and forcing copy-on-write in ESP\n input when needed. From Kuan-Ting Chen.\n\n* tag \u0027ipsec-2026-05-05\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:\n xfrm: esp: avoid in-place decrypt on shared skb frags\n xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete\n xfrm: provide message size for XFRM_MSG_MAPPING\n xfrm: Don\u0027t clobber inner headers when already set\n tools/selftests: Add a VXLAN+IPsec traffic test\n tools/selftests: Use a sensible timeout value for iperf3 client\n xfrm: ah: account for ESN high bits in async callbacks\n ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260505132326.1362733-1-steffen.klassert@secunet.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "f4eac70d1e0c1fb6b3b4743ff12753c9fedb88e4", "tree": "1a7fa6e7f81cdb0dc46d7415dae36f6601c3b512", "parents": [ "bd75e1003d3ec295fcadca62ee5a4280a22c7e29", "201ba706318d460a2ea660e3652610be62532a70" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 16:10:02 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 16:10:03 2026 -0700" }, "message": "Merge tag \u0027ovpn-net-20260504\u0027 of https://github.com/OpenVPN/ovpn-net-next\n\nAntonio Quartulli says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nIncludes changes:\n\n* ensure MAC header offset is reset before delivering packet\n* ensure gro_cells_receive() and dstats_dev_add() are called\n with BH disabled\n* reduce ping count in selftest to ensure it completes within\n timeout\n\n* tag \u0027ovpn-net-20260504\u0027 of https://github.com/OpenVPN/ovpn-net-next:\n selftests: ovpn: reduce ping count in test.sh\n ovpn: ensure packet delivery happens with BH disabled\n ovpn: reset MAC header before passing skb up\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260504230305.2681646-1-antonio@openvpn.net\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "bd75e1003d3ec295fcadca62ee5a4280a22c7e29", "tree": "80688a0a862f6a446ef6d6cd0117a46ffb8aeb22", "parents": [ "b89e0100a5f6885f9748bbacc3f4e3bcff654e4c", "c5d415596cb6fbdf6334b06cc87a1a5a268d8725" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 15:43:33 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 15:43:34 2026 -0700" }, "message": "Merge tag \u0027for-net-2026-05-06\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth\n\nLuiz Augusto von Dentz says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbluetooth pull request for net:\n\n - hci_conn: fix potential UAF in create_big_sync\n - hci_event: fix memset typo\n - hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt\n - L2CAP: fix MPS check in l2cap_ecred_reconf_req\n - L2CAP: defer conn param update to avoid conn-\u003elock/hdev-\u003elock inversion\n - L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()\n - L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()\n - L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()\n - RFCOMM: pull credit byte with skb_pull_data()\n - SCO: fix sleeping under spinlock in sco_conn_ready\n - SCO: hold sk properly in sco_conn_ready\n - ISO: Fix data-race on dst in iso_sock_connect()\n - ISO: Fix data-race on iso_pi(sk) in socket and HCI event paths\n - bnep: fix incorrect length parsing in bnep_rx_frame() extension handling\n - hci_uart: Fix NULL deref in recv callbacks when priv is uninitialized\n - virtio_bt: clamp rx length before skb_put\n - virtio_bt: validate rx pkt_type header length\n - HIDP: serialise l2cap_unregister_user via hidp_session_sem\n - btintel_pcie: treat boot stage bit 12 as warning\n - btmtk: validate WMT event SKB length before struct access\n\n* tag \u0027for-net-2026-05-06\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:\n Bluetooth: HIDP: serialise l2cap_unregister_user via hidp_session_sem\n Bluetooth: hci_event: fix memset typo\n Bluetooth: RFCOMM: pull credit byte with skb_pull_data()\n Bluetooth: virtio_bt: validate rx pkt_type header length\n Bluetooth: virtio_bt: clamp rx length before skb_put\n Bluetooth: btmtk: validate WMT event SKB length before struct access\n Bluetooth: ISO: Fix data-race on iso_pi(sk) in socket and HCI event paths\n Bluetooth: ISO: Fix data-race on dst in iso_sock_connect()\n Bluetooth: hci_uart: Fix NULL deref in recv callbacks when priv is uninitialized\n Bluetooth: btintel_pcie: treat boot stage bit 12 as warning\n Bluetooth: SCO: hold sk properly in sco_conn_ready\n Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()\n Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()\n Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()\n Bluetooth: l2cap: defer conn param update to avoid conn-\u003elock/hdev-\u003elock inversion\n Bluetooth: l2cap: fix MPS check in l2cap_ecred_reconf_req\n Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling\n Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt\n Bluetooth: hci_conn: fix potential UAF in create_big_sync\n Bluetooth: SCO: fix sleeping under spinlock in sco_conn_ready\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260506204553.58686-1-luiz.dentz@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "c5d415596cb6fbdf6334b06cc87a1a5a268d8725", "tree": "80688a0a862f6a446ef6d6cd0117a46ffb8aeb22", "parents": [ "72d97cae2a83cecf6f47208646675ecd066d0a3e" ], "author": { "name": "Michael Bommarito", "email": "michael.bommarito@gmail.com", "time": "Sat May 02 12:43:03 2026 -0400" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 16:27:53 2026 -0400" }, "message": "Bluetooth: HIDP: serialise l2cap_unregister_user via hidp_session_sem\n\nCommit dbf666e4fc9b (\"Bluetooth: HIDP: Fix possible UAF\") made\nhidp_session_remove() drop the L2CAP reference and set\nsession-\u003econn \u003d NULL once the session is considered removed, and\nadded a bare if (session-\u003econn) guard around the kthread-exit\nl2cap_unregister_user() call in hidp_session_thread(). The sibling\nioctl site in hidp_connection_del() still reads session-\u003econn\nunlocked and unguarded, and the kthread-exit guard itself is a\nlockless double-read.\n\nhidp_session_find() drops hidp_session_sem before returning, so\nhidp_session_remove() can null session-\u003econn between the lookup and\nthe call in hidp_connection_del(). Worse, since commit 752a6c9596dd\n(\"Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user\")\ntakes mutex_lock(\u0026conn-\u003elock) inside l2cap_unregister_user(), a\nstale non-NULL snapshot also UAFs on conn-\u003elock. v1 only added an\nif (session-\u003econn) guard at the ioctl site, which doesn\u0027t address\neither race; Luiz suggested snapshotting session-\u003econn under the\nsem and clearing it before the call.\n\nTaking hidp_session_sem across l2cap_unregister_user() would be\nwrong: l2cap_conn_del() already establishes the lock order\n\n conn-\u003elock -\u003e hidp_session_sem\n\nvia l2cap_unregister_all_users() -\u003e user-\u003eremove \u003d\u003d\nhidp_session_remove(), so taking hidp_session_sem before conn-\u003elock\nwould AB/BA deadlock.\n\nFactor a helper hidp_session_unregister_conn() that under\ndown_write(\u0026hidp_session_sem) snapshots session-\u003econn and clears\nthe member, then outside the sem calls l2cap_unregister_user() and\nl2cap_conn_put() on the snapshot. Call it from both\nhidp_connection_del() and hidp_session_thread()\u0027s exit path. At\nmost one consumer wins the write-sem; later callers observe\nsession-\u003econn \u003d\u003d NULL and skip the unregister and put, so the\nreference hidp_session_new() took via l2cap_conn_get() is consumed\nexactly once. session_free() already tolerates a NULL session-\u003econn.\n\nFixes: dbf666e4fc9b (\"Bluetooth: HIDP: Fix possible UAF\")\nSuggested-by: Luiz Augusto von Dentz \u003cluiz.dentz@gmail.com\u003e\nLink: https://lore.kernel.org/all/20260422011437.176643-1-michael.bommarito@gmail.com/\nSigned-off-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nAssisted-by: Claude:claude-opus-4-7\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "72d97cae2a83cecf6f47208646675ecd066d0a3e", "tree": "acb47f0120d3b9315816038c506489de334ca53b", "parents": [ "8f59d17b18a78fdfdbb67d693b3d3eb03db184e0" ], "author": { "name": "Jann Horn", "email": "jannh@google.com", "time": "Wed Apr 29 15:40:46 2026 +0200" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 16:27:29 2026 -0400" }, "message": "Bluetooth: hci_event: fix memset typo\n\nhci_le_big_sync_established_evt() currently does:\n\n conn-\u003enum_bis \u003d 0;\n memset(conn-\u003ebis, 0, sizeof(conn-\u003enum_bis));\n\nsizeof(conn-\u003enum_bis) is wrong - it would make sense to either use\nconn-\u003enum_bis (before setting that to 0) or sizeof(conn-\u003ebis).\nFix it by using sizeof(conn-\u003ebis), the least intrusive change.\n\nLuckily, nothing actually depends on this memset() working properly:\nNothing seems to ever read from conn-\u003ebis beyond conn-\u003enum_bis, and when\nconn-\u003enum_bis is increased, the corresponding elements of conn-\u003ebis are\ninitialized. So I think this line could also just be removed.\n\nThis is a purely theoretical fix and should have no impact on actual\nbehavior.\n\nFixes: 42ecf1947135 (\"Bluetooth: ISO: Do not emit LE BIG Create Sync if previous is pending\")\nSigned-off-by: Jann Horn \u003cjannh@google.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "8f59d17b18a78fdfdbb67d693b3d3eb03db184e0", "tree": "6fdf0b512a4182b84e91c2f1f95eaeaa25b617c4", "parents": [ "daf23014e5d975e72ea9c02b5160d3fcf070ea47" ], "author": { "name": "Pengpeng Hou", "email": "pengpeng@iscas.ac.cn", "time": "Thu Apr 23 23:31:00 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 16:23:20 2026 -0400" }, "message": "Bluetooth: RFCOMM: pull credit byte with skb_pull_data()\n\nrfcomm_recv_data() treats the first payload byte as a credit field when\nthe UIH frame carries PF and credit-based flow control is enabled.\n\nAfter the header has been stripped, the PF/CFC path consumes that byte\nwith a direct skb-\u003edata dereference followed by skb_pull(). A malformed\nshort frame can reach this path without a byte available.\n\nUse skb_pull_data() so the length check and pull happen together before\nthe returned credit byte is consumed.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Pengpeng Hou \u003cpengpeng@iscas.ac.cn\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "daf23014e5d975e72ea9c02b5160d3fcf070ea47", "tree": "83e06248e1d3b9adc9c15d5f95983cc274a7855a", "parents": [ "21bd244b6de5d2fe1063c23acc93fbdd2b20d112" ], "author": { "name": "Michael Bommarito", "email": "michael.bommarito@gmail.com", "time": "Tue Apr 21 13:08:45 2026 -0400" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 16:22:33 2026 -0400" }, "message": "Bluetooth: virtio_bt: validate rx pkt_type header length\n\nvirtbt_rx_handle() reads the leading pkt_type byte from the RX skb\nand forwards the remainder to hci_recv_frame() for every\nevent/ACL/SCO/ISO type, without checking that the remaining payload\nis at least the fixed HCI header for that type.\n\nAfter the preceding patch bounds the backend-supplied used.len to\n[1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches\nhci_recv_frame() with skb-\u003elen already pulled to 0. If the byte\nhappened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification\nfast-path in hci_dev_classify_pkt_type() dereferences\nhci_acl_hdr(skb)-\u003ehandle whenever the HCI device has an active\nCIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of\nuninitialized RX-buffer data. The same hazard exists for every\npacket type the driver accepts because none of the switch cases in\nvirtbt_rx_handle() check skb-\u003elen against the per-type minimum HCI\nheader size before handing the frame to the core.\n\nAfter stripping pkt_type, require skb-\u003elen to cover the fixed\nheader size for the selected type (event 2, ACL 4, SCO 3, ISO 4)\nbefore calling hci_recv_frame(); drop ratelimited otherwise.\nUnknown pkt_type values still take the original kfree_skb() default\npath.\n\nUse bt_dev_err_ratelimited() because both the length and pkt_type\nvalues come from an untrusted backend that can otherwise flood the\nkernel log.\n\nFixes: 160fbcf3bfb9 (\"Bluetooth: virtio_bt: Use skb_put to set length\")\nCc: stable@vger.kernel.org\nCc: Soenke Huster \u003csoenke.huster@eknoes.de\u003e\nSigned-off-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nAssisted-by: Claude:claude-opus-4-7\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "21bd244b6de5d2fe1063c23acc93fbdd2b20d112", "tree": "a161811179d1a13cc0654294f82297d698c9cc6d", "parents": [ "634a4408c0615c523cf7531790f4f14a422b9206" ], "author": { "name": "Michael Bommarito", "email": "michael.bommarito@gmail.com", "time": "Tue Apr 21 13:08:44 2026 -0400" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 16:22:25 2026 -0400" }, "message": "Bluetooth: virtio_bt: clamp rx length before skb_put\n\nvirtbt_rx_work() calls skb_put(skb, len) where len comes directly\nfrom virtqueue_get_buf() with no validation against the buffer we\nposted to the device. The RX skb is allocated in virtbt_add_inbuf()\nand exposed to virtio as exactly 1000 bytes via sg_init_one().\n\nChecking len against skb_tailroom(skb) is not sufficient because\nalloc_skb() can leave more tailroom than the 1000 bytes actually\nhanded to the device. A malicious or buggy backend can therefore\nreport used.len between 1001 and skb_tailroom(skb), causing skb_put()\nto include uninitialized kernel heap bytes that were never written by\nthe device.\n\nThe same path also accepts len \u003d\u003d 0, in which case skb_put(skb, 0)\nleaves the skb empty but virtbt_rx_handle() still reads the pkt_type\nbyte from skb-\u003edata, consuming uninitialized memory.\n\nDefine VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and\nsg_init_one(), and gate virtbt_rx_work() on that same constant so\nthe bound checked matches the buffer actually exposed to the device.\nReject used.len \u003d\u003d 0 in the same gate so an empty completion can\nno longer reach virtbt_rx_handle().\n\nUse bt_dev_err_ratelimited() because the length value comes from an\nuntrusted backend that can otherwise flood the kernel log.\n\nSame class of bug as commit c04db81cd028 (\"net/9p: Fix buffer\noverflow in USB transport layer\"), which hardened the USB 9p\ntransport against unchecked device-reported length.\n\nFixes: 160fbcf3bfb9 (\"Bluetooth: virtio_bt: Use skb_put to set length\")\nCc: stable@vger.kernel.org\nCc: Soenke Huster \u003csoenke.huster@eknoes.de\u003e\nSigned-off-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nAssisted-by: Claude:claude-opus-4-7\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "634a4408c0615c523cf7531790f4f14a422b9206", "tree": "a0c3529588fea3d1f5469b501e3ae11636504b2b", "parents": [ "f958c7805b18e9d69f6b322b231ecee46ec6f331" ], "author": { "name": "Tristan Madani", "email": "tristan@talencesecurity.com", "time": "Tue Apr 21 11:14:54 2026 +0000" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 16:22:19 2026 -0400" }, "message": "Bluetooth: btmtk: validate WMT event SKB length before struct access\n\nbtmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to\nstruct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc\n(9 bytes) without first checking that the SKB contains enough data.\nA short firmware response causes out-of-bounds reads from SKB tailroom.\n\nUse skb_pull_data() to validate and advance past the base WMT event\nheader. For the FUNC_CTRL case, pull the additional status field bytes\nbefore accessing them.\n\nFixes: d019930b0049 (\"Bluetooth: btmtk: move btusb_mtk_hci_wmt_sync to btmtk.c\")\nCc: stable@vger.kernel.org\nSigned-off-by: Tristan Madani \u003ctristan@talencesecurity.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "f958c7805b18e9d69f6b322b231ecee46ec6f331", "tree": "0b90dd95276ffa11b3a3ece4194a0697a2c44ddf", "parents": [ "ca40d481079c05c6891a14a798c79596fd2d5f0c" ], "author": { "name": "SeungJu Cheon", "email": "suunj1331@gmail.com", "time": "Tue Apr 21 11:51:22 2026 +0900" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 16:22:05 2026 -0400" }, "message": "Bluetooth: ISO: Fix data-race on iso_pi(sk) in socket and HCI event paths\n\nSeveral iso_pi(sk) fields (qos, qos_user_set, bc_sid, base, base_len,\nsync_handle, bc_num_bis) are written under lock_sock in\niso_sock_setsockopt() and iso_sock_bind(), but read and written under\nhci_dev_lock only in two other paths:\n\n - iso_connect_bis() / iso_connect_cis(), invoked from connect(2),\n read qos/base/bc_sid and reset qos to default_qos on the\n qos_user_set validation failure -- all without lock_sock.\n\n - iso_connect_ind(), invoked from hci_rx_work, writes sync_handle,\n bc_sid, qos.bcast.encryption, bc_num_bis, base and base_len on\n PA_SYNC_ESTABLISHED / PAST_RECEIVED / BIG_INFO_ADV_REPORT /\n PER_ADV_REPORT events. The BIG_INFO handler additionally passes\n \u0026iso_pi(sk)-\u003eqos together with sync_handle / bc_num_bis / bc_bis\n to hci_conn_big_create_sync() while setsockopt may be mutating\n them.\n\nAcquire lock_sock around the affected accesses in both paths.\n\nThe locking order hci_dev_lock -\u003e lock_sock matches the existing\niso_conn_big_sync() precedent, whose comment documents the same\nrequirement for hci_conn_big_create_sync(). The HCI connect/bind\nhelpers do not wait for command completion -- they enqueue work via\nhci_cmd_sync_queue{,_once}() / hci_le_create_cis_pending() and\nreturn -- so the added hold time is comparable to iso_conn_big_sync().\n\nKCSAN report:\n\nBUG: KCSAN: data-race in iso_connect_cis / iso_sock_setsockopt\n\nread to 0xffffa3ae8ce3cdc8 of 1 bytes by task 335 on cpu 0:\n iso_connect_cis+0x49f/0xa20\n iso_sock_connect+0x60e/0xb40\n __sys_connect_file+0xbd/0xe0\n __sys_connect+0xe0/0x110\n __x64_sys_connect+0x40/0x50\n x64_sys_call+0xcad/0x1c60\n do_syscall_64+0x133/0x590\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nwrite to 0xffffa3ae8ce3cdc8 of 60 bytes by task 334 on cpu 1:\n iso_sock_setsockopt+0x69a/0x930\n do_sock_setsockopt+0xc3/0x170\n __sys_setsockopt+0xd1/0x130\n __x64_sys_setsockopt+0x64/0x80\n x64_sys_call+0x1547/0x1c60\n do_syscall_64+0x133/0x590\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 UID: 0 PID: 334 Comm: iso_setup_race Not tainted 7.0.0-10949-g8541d8f725c6 #44 PREEMPT(lazy)\n\nThe iso_connect_ind() races were found by inspection.\n\nFixes: ccf74f2390d6 (\"Bluetooth: Add BTPROTO_ISO socket type\")\nSigned-off-by: SeungJu Cheon \u003csuunj1331@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "ca40d481079c05c6891a14a798c79596fd2d5f0c", "tree": "f187dff0bae48fcaf61918fd06ea757a39c42610", "parents": [ "902fe40bce7059722f7ffa1c378e577675cf1918" ], "author": { "name": "SeungJu Cheon", "email": "suunj1331@gmail.com", "time": "Tue Apr 21 11:51:21 2026 +0900" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 16:21:58 2026 -0400" }, "message": "Bluetooth: ISO: Fix data-race on dst in iso_sock_connect()\n\niso_sock_connect() copies the destination address into\niso_pi(sk)-\u003edst under lock_sock, then releases the lock and reads\nit back with bacmp() to decide between the CIS and BIS connect\npaths:\n\n lock_sock(sk);\n bacpy(\u0026iso_pi(sk)-\u003edst, \u0026sa-\u003eiso_bdaddr);\n iso_pi(sk)-\u003edst_type \u003d sa-\u003eiso_bdaddr_type;\n release_sock(sk);\n\n if (bacmp(\u0026iso_pi(sk)-\u003edst, BDADDR_ANY)) // \u003c- no lock held\n\nThis read after release_sock() races with any concurrent write to\niso_pi(sk)-\u003edst on the same socket.\n\nFix by reading the destination address directly from the local\nsockaddr argument (sa-\u003eiso_bdaddr) instead of iso_pi(sk)-\u003edst.\nSince sa is a function-local argument, reading it requires no\nlocking and avoids the race.\n\nThis patch addresses only the bacmp() race in iso_sock_connect();\nother unprotected iso_pi(sk) accesses are fixed separately in the\nnext patch.\n\nKCSAN report:\n\nBUG: KCSAN: data-race in memcmp+0x39/0xb0\n\nrace at unknown origin, with read to 0xffff8f96ea66dde3 of 1 bytes by task 549 on cpu 1:\n memcmp+0x39/0xb0\n iso_sock_connect+0x275/0xb40\n __sys_connect_file+0xbd/0xe0\n __sys_connect+0xe0/0x110\n __x64_sys_connect+0x40/0x50\n x64_sys_call+0xcad/0x1c60\n do_syscall_64+0x133/0x590\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nvalue changed: 0x00 -\u003e 0xee\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 UID: 0 PID: 549 Comm: iso_race_combin Not tainted 7.0.0-08391-g1d51b370a0f8 #40 PREEMPT(lazy)\n\nFixes: ccf74f2390d6 (\"Bluetooth: Add BTPROTO_ISO socket type\")\nSigned-off-by: SeungJu Cheon \u003csuunj1331@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "902fe40bce7059722f7ffa1c378e577675cf1918", "tree": "2061022d61838d5efa946ef0aa3596c9df67a1fa", "parents": [ "5917dd39db2bfc8b1b4c6ea8ed99adb4badef707" ], "author": { "name": "Aurelien DESBRIERES", "email": "aurelien@hackers.camp", "time": "Tue Apr 21 15:53:31 2026 +0200" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 16:21:43 2026 -0400" }, "message": "Bluetooth: hci_uart: Fix NULL deref in recv callbacks when priv is uninitialized\n\nWhen a fault is injected during hci_uart line discipline setup, the\nproto open() callback may fail leaving hu-\u003epriv as NULL. A subsequent\nTIOCSTI ioctl can trigger the recv() callback before priv is\ninitialized, causing a NULL pointer dereference.\n\nFix all four affected HCI UART protocol drivers by adding a NULL check\non hu-\u003epriv at the start of their recv() callbacks: h4, h5, ath and\nbcsp.\n\nReported-by: syzbot+ff30eeab8e07b37d524e@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid\u003dff30eeab8e07b37d524e\nSigned-off-by: Aurelien DESBRIERES \u003caurelien@hackers.camp\u003e\nAssisted-by: Claude:claude-sonnet-4-6\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "5917dd39db2bfc8b1b4c6ea8ed99adb4badef707", "tree": "9de8a837577e32372f757c278d565a4a0bab2da3", "parents": [ "4e37f6452d586b95c346a9abdd2fb80b67794f39" ], "author": { "name": "Sai Teja Aluvala", "email": "aluvala.sai.teja@intel.com", "time": "Mon Apr 20 23:07:35 2026 +0530" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 16:21:34 2026 -0400" }, "message": "Bluetooth: btintel_pcie: treat boot stage bit 12 as warning\n\nCSR boot stage register bit 12 is documented as a device warning,\nnot a fatal error. Rename the bit definition accordingly and stop\nincluding it in btintel_pcie_in_error().\n\nThis keeps warning-only boot stage values from being classified as\nerrors while preserving abort-handler state as the actual error\ncondition.\n\nFixes: 190377500fde (\"Bluetooth: btintel_pcie: Dump debug registers on error\")\nSigned-off-by: Kiran K \u003ckiran.k@intel.com\u003e\nSigned-off-by: Sai Teja Aluvala \u003caluvala.sai.teja@intel.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "4e37f6452d586b95c346a9abdd2fb80b67794f39", "tree": "132ad649148c0e11b69a5de91082f05f46244dcd", "parents": [ "0a120d96166301d7a95be75b52f843837dbd1219" ], "author": { "name": "Pauli Virtanen", "email": "pav@iki.fi", "time": "Sat Apr 18 18:41:12 2026 +0300" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 16:21:25 2026 -0400" }, "message": "Bluetooth: SCO: hold sk properly in sco_conn_ready\n\nsk deref in sco_conn_ready must be done either under conn-\u003elock, or\nholding a refcount, to avoid concurrent close. conn-\u003esk and parent sk is\ncurrently accessed without either, and without checking parent-\u003esk_state:\n\n [Task 1] [Task 2]\n sco_sock_release\n sco_conn_ready\n sk \u003d conn-\u003esk\n lock_sock(sk)\n conn-\u003esk \u003d NULL\n lock_sock(sk)\n release_sock(sk)\n sco_sock_kill(sk)\n UAF on sk deref\n\nand similarly for access to sco_get_sock_listen() return value.\n\nFix possible UAF by holding sk refcount in sco_conn_ready() and making\nsco_get_sock_listen() increase refcount. Also recheck after lock_sock\nthat the socket is still valid. Adjust conn-\u003esk locking so it\u0027s\nprotected also by lock_sock() of the associated socket if any.\n\nFixes: 27c24fda62b60 (\"Bluetooth: switch to lock_sock in SCO\")\nSigned-off-by: Pauli Virtanen \u003cpav@iki.fi\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "0a120d96166301d7a95be75b52f843837dbd1219", "tree": "bf22aa3447538d499049cdf2e00c5aa381a4cc31", "parents": [ "78a88d43dab8d23aeef934ed8ce34d40e6b3d613" ], "author": { "name": "Siwei Zhang", "email": "oss@fourdim.xyz", "time": "Wed Apr 15 16:49:59 2026 -0400" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 16:21:09 2026 -0400" }, "message": "Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()\n\nAdd the same NULL guard already present in\nl2cap_sock_resume_cb() and l2cap_sock_ready_cb().\n\nFixes: 80808e431e1e (\"Bluetooth: Add l2cap_chan_ops abstraction\")\nCc: stable@kernel.org\nSigned-off-by: Siwei Zhang \u003coss@fourdim.xyz\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "78a88d43dab8d23aeef934ed8ce34d40e6b3d613", "tree": "dd7a6422dcff4a895fba1fabd5a96a2272f527f7", "parents": [ "2ff1a41a912de8517b4482e946dd951b7d80edbf" ], "author": { "name": "Siwei Zhang", "email": "oss@fourdim.xyz", "time": "Wed Apr 15 16:53:36 2026 -0400" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 16:21:07 2026 -0400" }, "message": "Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()\n\nAdd the same NULL guard already present in\nl2cap_sock_resume_cb() and l2cap_sock_ready_cb().\n\nFixes: 8d836d71e222 (\"Bluetooth: Access sk_sndtimeo indirectly in l2cap_core.c\")\nCc: stable@kernel.org\nSigned-off-by: Siwei Zhang \u003coss@fourdim.xyz\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "2ff1a41a912de8517b4482e946dd951b7d80edbf", "tree": "41868e40fe3a72da58372d0787fe1d71dc47ee60", "parents": [ "91b5a598b5285da794b72619f31777b62dd336f8" ], "author": { "name": "Siwei Zhang", "email": "oss@fourdim.xyz", "time": "Wed Apr 15 16:51:36 2026 -0400" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 16:21:04 2026 -0400" }, "message": "Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()\n\nAdd the same NULL guard already present in\nl2cap_sock_resume_cb() and l2cap_sock_ready_cb().\n\nFixes: 89bc500e41fc (\"Bluetooth: Add state tracking to struct l2cap_chan\")\nCc: stable@kernel.org\nSigned-off-by: Siwei Zhang \u003coss@fourdim.xyz\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "91b5a598b5285da794b72619f31777b62dd336f8", "tree": "0b384f03e6f10d96e47a551c96faabdf1ae21d54", "parents": [ "4f42363c814f28fe3f59847c35acf1ed033bedd4" ], "author": { "name": "Mikhail Gavrilov", "email": "mikhail.v.gavrilov@gmail.com", "time": "Wed Apr 15 02:52:37 2026 +0500" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 16:20:51 2026 -0400" }, "message": "Bluetooth: l2cap: defer conn param update to avoid conn-\u003elock/hdev-\u003elock inversion\n\nWhen a BLE peripheral sends an L2CAP Connection Parameter Update Request\nthe processing path is:\n\n process_pending_rx() [takes conn-\u003elock]\n l2cap_le_sig_channel()\n l2cap_conn_param_update_req()\n hci_le_conn_update() [takes hdev-\u003elock]\n\nMeanwhile other code paths take the locks in the opposite order:\n\n l2cap_chan_connect() [takes hdev-\u003elock]\n ...\n mutex_lock(\u0026conn-\u003elock)\n\n l2cap_conn_ready() [hdev-\u003elock via hci_cb_list_lock]\n ...\n mutex_lock(\u0026conn-\u003elock)\n\nThis is a classic AB/BA deadlock which lockdep reports as a circular\nlocking dependency when connecting a BLE MIDI keyboard (Carry-On FC-49).\n\nFix this by making hci_le_conn_update() defer the HCI command through\nhci_cmd_sync_queue() so it no longer needs to take hdev-\u003elock in the\ncaller context. The sync callback uses __hci_cmd_sync_status_sk() to\nwait for the HCI_EV_LE_CONN_UPDATE_COMPLETE event, then updates the\nstored connection parameters (hci_conn_params) and notifies userspace\n(mgmt_new_conn_param) only after the controller has confirmed the update.\n\nA reference on hci_conn is held via hci_conn_get()/hci_conn_put() for\nthe lifetime of the queued work to prevent use-after-free, and\nhci_conn_valid() is checked before proceeding in case the connection was\nremoved while the work was pending. The hci_dev_lock is held across\nhci_conn_valid() and all conn field accesses to prevent a concurrent\ndisconnect from invalidating the connection mid-use.\n\nFixes: f044eb0524a0 (\"Bluetooth: Store latency and supervision timeout in connection params\")\nSigned-off-by: Mikhail Gavrilov \u003cmikhail.v.gavrilov@gmail.com\u003e\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "4f42363c814f28fe3f59847c35acf1ed033bedd4", "tree": "026032f05fbae0e4b6af9dd9c70b9b008ad0ca5e", "parents": [ "72b8deccff17a7644e0367e1aaf1a36cfb014324" ], "author": { "name": "Dudu Lu", "email": "phx0fer@gmail.com", "time": "Wed Apr 15 18:43:55 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 16:20:38 2026 -0400" }, "message": "Bluetooth: l2cap: fix MPS check in l2cap_ecred_reconf_req\n\nThe L2CAP specification states that if more than one channel is being\nreconfigured, the MPS shall not be decreased. The current check has\ntwo issues:\n\n1) The comparison uses \u003e\u003d (greater-than-or-equal), which incorrectly\n rejects reconfiguration requests where the MPS stays the same.\n Since the spec says MPS \"shall be greater than or equal to the\n current MPS\", only a strict decrease (remote_mps \u003e mps) should be\n rejected. Keeping the same MPS is valid.\n\n2) The multi-channel guard uses `\u0026\u0026 i` (loop index) to approximate\n \"more than one channel\", but this incorrectly allows MPS decrease\n for the first channel (i\u003d\u003d0) even when multiple channels are being\n reconfigured. Replace with `\u0026\u0026 num_scid \u003e 1` which correctly\n checks whether the request covers more than one channel.\n\nFixes: 7accb1c4321a (\"Bluetooth: L2CAP: Fix invalid response to L2CAP_ECRED_RECONF_REQ\")\nSigned-off-by: Dudu Lu \u003cphx0fer@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "72b8deccff17a7644e0367e1aaf1a36cfb014324", "tree": "c916dcd5d16fe2ac26989d260152bee0d92da32a", "parents": [ "5ddb8014261137cadaf83ab5617a588d80a22586" ], "author": { "name": "Dudu Lu", "email": "phx0fer@gmail.com", "time": "Wed Apr 15 17:39:53 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 16:19:09 2026 -0400" }, "message": "Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling\n\nIn bnep_rx_frame(), the BNEP_FILTER_NET_TYPE_SET and\nBNEP_FILTER_MULTI_ADDR_SET extension header parsing has two bugs:\n\n1) The 2-byte length field is read with *(u16 *)(skb-\u003edata + 1), which\n performs a native-endian read. The BNEP protocol specifies this field\n in big-endian (network byte order), and the same file correctly uses\n get_unaligned_be16() for the identical fields in\n bnep_ctrl_set_netfilter() and bnep_ctrl_set_mcfilter().\n\n2) The length is multiplied by 2, but unlike BNEP_SETUP_CONN_REQ where\n the length byte counts UUID pairs (requiring * 2 for two UUIDs per\n entry), the filter extension length field already represents the total\n data size in bytes. This is confirmed by bnep_ctrl_set_netfilter()\n which reads the same field as a byte count and divides by 4 to get\n the number of filter entries.\n\n The bogus * 2 means skb_pull advances twice as far as it should,\n either dropping valid data from the next header or causing the pull\n to fail entirely when the doubled length exceeds the remaining skb.\n\nFix by splitting the pull into two steps: first use skb_pull_data() to\nsafely pull and validate the 3-byte fixed header (ctrl type + length),\nthen pull the variable-length data using the properly decoded length.\n\nFixes: bf8b9a9cb77b (\"Bluetooth: bnep: Add support to extended headers of control frames\")\nSigned-off-by: Dudu Lu \u003cphx0fer@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "5ddb8014261137cadaf83ab5617a588d80a22586", "tree": "3055535bb754f9b38827814d2b463860ee38ad17", "parents": [ "0beddb0c380bed5f5b8e61ddbe14635bb73d0b41" ], "author": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Fri Apr 10 15:29:52 2026 -0400" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 16:18:22 2026 -0400" }, "message": "Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt\n\nhci_le_create_big_complete_evt() iterates over BT_BOUND connections for\na BIG handle using a while loop, accessing ev-\u003ebis_handle[i++] on each\niteration. However, there is no check that i stays within ev-\u003enum_bis\nbefore the array access.\n\nWhen a controller sends a LE_Create_BIG_Complete event with fewer\nbis_handle entries than there are BT_BOUND connections for that BIG,\nor with num_bis\u003d0, the loop reads beyond the valid bis_handle[] flex\narray into adjacent heap memory. Since the out-of-bounds values\ntypically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle()\nrejects them and the connection remains in BT_BOUND state. The same\nconnection is then found again by hci_conn_hash_lookup_big_state(),\ncreating an infinite loop with hci_dev_lock held.\n\nFix this by terminating the BIG if in case not all BIS could be setup\nproperly.\n\nFixes: a0bfde167b50 (\"Bluetooth: ISO: Add support for connecting multiple BISes\")\nCc: stable@vger.kernel.org\nSigned-off-by: ZhiTao Ou \u003chkbinbinbin@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "0beddb0c380bed5f5b8e61ddbe14635bb73d0b41", "tree": "45e09636320185b480c45465e990f68b05e129ac", "parents": [ "b819db93d73f4593636299e229914052b89e3ef2" ], "author": { "name": "David Carlier", "email": "devnexen@gmail.com", "time": "Sun Apr 12 21:29:16 2026 +0100" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 15:58:40 2026 -0400" }, "message": "Bluetooth: hci_conn: fix potential UAF in create_big_sync\n\nAdd hci_conn_valid() check in create_big_sync() to detect stale\nconnections before proceeding with BIG creation. Handle the\nresulting -ECANCELED in create_big_complete() and re-validate the\nconnection under hci_dev_lock() before dereferencing, matching the\npattern used by create_le_conn_complete() and create_pa_complete().\n\nKeep the hci_conn object alive across the async boundary by taking\na reference via hci_conn_get() when queueing create_big_sync(), and\ndropping it in the completion callback. The refcount and the lock\nare complementary: the refcount keeps the object allocated, while\nhci_dev_lock() serializes hci_conn_hash_del()\u0027s list_del_rcu() on\nhdev-\u003econn_hash, as required by hci_conn_del().\n\nhci_conn_put() is called outside hci_dev_unlock() so the final put\n(which resolves to kfree() via bt_link_release) does not run under\nhdev-\u003elock, though the release path would be safe either way.\n\nWithout this, create_big_complete() would unconditionally\ndereference the conn pointer on error, causing a use-after-free\nvia hci_connect_cfm() and hci_conn_del().\n\nFixes: eca0ae4aea66 (\"Bluetooth: Add initial implementation of BIS connections\")\nCc: stable@vger.kernel.org\nCo-developed-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\nSigned-off-by: David Carlier \u003cdevnexen@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "b819db93d73f4593636299e229914052b89e3ef2", "tree": "0fabf2cbbcbcf88da9db872b7f365e7bc773b8ea", "parents": [ "b89e0100a5f6885f9748bbacc3f4e3bcff654e4c" ], "author": { "name": "Pauli Virtanen", "email": "pav@iki.fi", "time": "Sun Apr 12 21:47:42 2026 +0300" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed May 06 15:58:29 2026 -0400" }, "message": "Bluetooth: SCO: fix sleeping under spinlock in sco_conn_ready\n\nsco_conn_ready calls sleeping functions under conn-\u003elock spinlock.\n\nThe critical section can be reduced: conn-\u003ehcon is modified only with\nhdev-\u003elock held. It is guaranteed to be held in sco_conn_ready, so\nconn-\u003elock is not needed to guard it.\n\nMove taking conn-\u003elock after lock_sock(parent). This also follows the\nlock ordering lock_sock() \u003e conn-\u003elock elsewhere in the file.\n\nFixes: 27c24fda62b60 (\"Bluetooth: switch to lock_sock in SCO\")\nSigned-off-by: Pauli Virtanen \u003cpav@iki.fi\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "5862221fddede6bb15566ab3c1f23a3c353da5e1", "tree": "b1b4f9a5694d431af89279c3c066a7bb08518def", "parents": [ "adc1e5c6203cf13fe05a1ead08edcb3d3a3baae8", "37b0dc5e279f35036fb638d1e187197b6c05a76d" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 06 12:51:07 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 06 12:51:07 2026 -0700" }, "message": "Merge tag \u0027parisc-for-7.1-rc3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux\n\nPull parisc fixes from Helge Deller:\n\n - Revert \"parisc: led: fix reference leak on failed device\n registration\"\n\n - Fix build failures introduced when allowing to build 32-/64-bit only\n VDSO\n\n - Switch to dynamic parisc root device to avoid upcoming warnings\n\n - Fix IRQ leak in LASI driver\n\n* tag \u0027parisc-for-7.1-rc3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:\n parisc: Fix IRQ leak in LASI driver\n parisc: Fix 64-bit kernel build when CONFIG_COMPAT\u003dn\n parisc: Fix build failure for 32-bit kernel with PA2.0 instruction set\n parisc: drivers: switch to dynamic root device\n Revert \"parisc: led: fix reference leak on failed device registration\"\n" }, { "commit": "b89e0100a5f6885f9748bbacc3f4e3bcff654e4c", "tree": "996105fec4d54f46aed04d26ef6d58955d7f9f28", "parents": [ "3e8ec3440b3731576f0e71a01121445e66c26bfd", "79240f3f6d766b342b57c32397d643e1cfa26b81" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 07:29:31 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed May 06 07:29:31 2026 -0700" }, "message": "Merge tag \u0027wireless-2026-05-06\u0027 of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless\n\nJohannes Berg says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nQuite a number of fixes now:\n - mac80211\n - remove HT NSS validation to work with broken APs\n (with a kunit fix now)\n - remove \u0027static\u0027 that could cause races\n - check station link lookup before further processing\n - fix use-after-free due to delete in list iteration\n - remove AP station on assoc failures to fix crashes\n - ath12k\n - fix OF node refcount imbalance\n - fix queue flush (\"REO update\") in MLO\n - fix RCU assert\n - ath12k:\n - fix Kconfig with POWER_SEQUENCING\n - fix WMI buffer leaks on error conditions\n - don\u0027t use uninitialized stack data when processing RSSI events\n - fix logic for determining the peer ID in the RX path\n - ath5k: fix a potential stack buffer overwrite\n - rsi: fix thread lifetime race\n - brcmfmac: fix potential UAF\n - nl80211:\n - stricter permissions/checks for PMK and netns\n - fix netlink policy vs. code type confusion\n - cw1200: revert a broken locking change\n - various fixes to not trust values from firmware\n\n* tag \u0027wireless-2026-05-06\u0027 of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless: (25 commits)\n wifi: nl80211: re-check wiphy netns in nl80211_prepare_wdev_dump() continuation\n wifi: nl80211: require CAP_NET_ADMIN over the target netns in SET_WIPHY_NETNS\n wifi: nl80211: fix NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST usage\n wifi: mac80211: remove station if connection prep fails\n wifi: mac80211: use safe list iteration in radar detect work\n wifi: libertas: notify firmware load wait on disconnect\n wifi: ath5k: do not access array OOB\n wifi: ath12k: fix peer_id usage in normal RX path\n wifi: ath12k: initialize RSSI dBm conversion event state\n wifi: ath12k: fix leak in some ath12k_wmi_xxx() functions\n wifi: cw1200: Revert \"Fix locking in error paths\"\n wifi: mac80211: tests: mark HT check strict\n wifi: rsi: fix kthread lifetime race between self-exit and external-stop\n wifi: mac80211: drop stray \u0027static\u0027 from fast-RX rx_result\n wifi: mac80211: check ieee80211_rx_data_set_link return in pubsta MLO path\n wifi: nl80211: require admin perm on SET_PMK / DEL_PMK\n wifi: libertas: fix integer underflow in process_cmdrequest()\n wifi: b43legacy: enforce bounds check on firmware key index in RX path\n wifi: b43: enforce bounds check on firmware key index in b43_rx()\n wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task\n ...\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260506110325.219675-3-johannes@sipsolutions.net\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "adc1e5c6203cf13fe05a1ead08edcb3d3a3baae8", "tree": "0b918c5cc258211873baf58bd4be3a79080c1920", "parents": [ "e80948062dcfff0543c5c60ba8654e825bf73b5a", "2c340aab5485ebe9e33c01437dd4815ef33c8df5" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 06 07:27:30 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed May 06 07:27:30 2026 -0700" }, "message": "Merge tag \u0027efi-fixes-for-v7.1-1\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi\n\nPull EFI fixes from Ard Biesheuvel:\n\n - Fix issues in EFI graceful recovery on x86 introduced by changes to\n the kernel mode FPU APIs\n\n - I-cache coherency fixes for the LoongArch EFI stub\n\n - Locking fix for EFI pstore\n\n - Code tweak for efivarfs\n\n* tag \u0027efi-fixes-for-v7.1-1\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi:\n x86/efi: Restore IRQ state in EFI page fault handler\n x86/efi: Fix graceful fault handling after FPU softirq changes\n efi/libstub: Synchronize instruction cache after kernel relocation\n efi/loongarch: Implement efi_cache_sync_image()\n efi/libstub: Move efi_relocate_kernel() into its only remaining user\n efi: pstore: Drop efivar lock when efi_pstore_open() returns with an error\n efivarfs: use QSTR() in efivarfs_alloc_dentry\n" }, { "commit": "06bc7ff0a1e0f2b0102e1314e3527a7ec0997851", "tree": "fc0fe1da457a988a463e8c883940e445873a28c4", "parents": [ "2bcbb163162789d3488562073dbb99d9bd71a762", "5776bcdf4dccac8edc1160482792b512da5c08b4" ], "author": { "name": "Takashi Iwai", "email": "tiwai@suse.de", "time": "Wed May 06 16:10:00 2026 +0200" }, "committer": { "name": "Takashi Iwai", "email": "tiwai@suse.de", "time": "Wed May 06 16:10:00 2026 +0200" }, "message": "Merge tag \u0027asoc-fix-v7.1-rc2\u0027 of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus\n\nASoC: Fixes for v7.1\n\nAnother batch of fixes, plus a couple of quirks (mostly AMD ones, as has\nbeen the case recently). All driver changes, including fixes for the\nKUnit tests for the Cirrus drivers that could cause memory corruption.\n" }, { "commit": "5776bcdf4dccac8edc1160482792b512da5c08b4", "tree": "68e1174a85d2abb0775aec4a025d813ebf37005b", "parents": [ "027ef9a9297c6ae8be11681e0fa485c1829d0572", "fd4d83e1437d6395021b21531e187c8a67ac21b0" ], "author": { "name": "Mark Brown", "email": "broonie@kernel.org", "time": "Wed May 06 21:22:53 2026 +0900" }, "committer": { "name": "Mark Brown", "email": "broonie@kernel.org", "time": "Wed May 06 21:22:53 2026 +0900" }, "message": "ASoC: cs35l56: Fixes for driver cleanup\n\nRichard Fitzgerald \u003crf@opensource.cirrus.com\u003e says:\n\nTwo patches to fix cleanup during driver remove() and the error path\nof probe().\n\nThe main purpose is to fix cleanup of the workqueue.\n" }, { "commit": "fd4d83e1437d6395021b21531e187c8a67ac21b0", "tree": "fb065345ee921af09d0111740d9a1667776135c6", "parents": [ "bee87cf0f1248c0f20710d7a79df41fe892d9f88" ], "author": { "name": "Richard Fitzgerald", "email": "rf@opensource.cirrus.com", "time": "Tue May 05 17:11:24 2026 +0100" }, "committer": { "name": "Mark Brown", "email": "broonie@kernel.org", "time": "Wed May 06 21:22:51 2026 +0900" }, "message": "ASoC: cs35l56: Destroy workqueue in probe error path\n\nThe error path in cs35l56_common_probe() should call destroy_workqueue()\non the workqueue that was created by cs35l56_dsp_init().\n\nFixes: e49611252900 (\"ASoC: cs35l56: Add driver for Cirrus Logic CS35L56\")\nSigned-off-by: Richard Fitzgerald \u003crf@opensource.cirrus.com\u003e\nLink: https://patch.msgid.link/20260505161124.3621000-3-rf@opensource.cirrus.com\nSigned-off-by: Mark Brown \u003cbroonie@kernel.org\u003e\n" }, { "commit": "bee87cf0f1248c0f20710d7a79df41fe892d9f88", "tree": "5c36ea063834c15889b7da6ac5bac59bc5d2ba94", "parents": [ "7fd2df204f342fc17d1a0bfcd474b24232fb0f32" ], "author": { "name": "Richard Fitzgerald", "email": "rf@opensource.cirrus.com", "time": "Tue May 05 17:11:23 2026 +0100" }, "committer": { "name": "Mark Brown", "email": "broonie@kernel.org", "time": "Wed May 06 21:22:50 2026 +0900" }, "message": "ASoC: cs35l56: Don\u0027t use devres to unregister component\n\nManually call snd_soc_unregister_component() from cs35l56_remove()\ninstead of using devres cleanup. This ensures that the component is\ndestroyed before cs35l56_remove() starts cleanup of anything the\ncomponent code could be using.\n\nDevres cleanup happens after the driver remove() callback, so if\nsnd_soc_register_component() is used, it will not be destroyed until\nafter cs35l56_remove() has returned. But there is some cleanup that\nmust be done in cs35l56_remove(), or wrapped in a custom devres\ncleanup handler to ensure correct ordering. The simplest option is\nto call snd_soc_unregister_component() at the start of cs35l56_remove().\n\nFixes: e49611252900 (\"ASoC: cs35l56: Add driver for Cirrus Logic CS35L56\")\nCloses: https://sashiko.dev/#/patchset/20260501103002.2843735-1-rf%40opensource.cirrus.com\nSigned-off-by: Richard Fitzgerald \u003crf@opensource.cirrus.com\u003e\nLink: https://patch.msgid.link/20260505161124.3621000-2-rf@opensource.cirrus.com\nSigned-off-by: Mark Brown \u003cbroonie@kernel.org\u003e\n" }, { "commit": "79240f3f6d766b342b57c32397d643e1cfa26b81", "tree": "4c8b6a50859545d9573fb2f741fc037a63873bd1", "parents": [ "15994bb0cbb8fc4879da7552ddd08c1896261c39" ], "author": { "name": "Maoyi Xie", "email": "maoyi.xie@ntu.edu.sg", "time": "Wed May 06 14:48:54 2026 +0800" }, "committer": { "name": "Johannes Berg", "email": "johannes.berg@intel.com", "time": "Wed May 06 11:08:41 2026 +0200" }, "message": "wifi: nl80211: re-check wiphy netns in nl80211_prepare_wdev_dump() continuation\n\nNL80211_CMD_GET_SCAN is implemented as a multi-call dumpit. The first\ninvocation of nl80211_prepare_wdev_dump() validates the requested wdev\nagainst the caller\u0027s netns via __cfg80211_wdev_from_attrs(). Subsequent\ninvocations look up the same wiphy by its global index and do not check\nthat the wiphy is still in the caller\u0027s netns.\n\nAdd the same filter to the continuation path. If the wiphy\u0027s netns no\nlonger matches the caller\u0027s, return -ENODEV and the netlink dump\nmachinery terminates the walk cleanly.\n\nSigned-off-by: Maoyi Xie \u003cmaoyi.xie@ntu.edu.sg\u003e\nLink: https://patch.msgid.link/20260506064854.2207105-3-maoyixie.tju@gmail.com\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\n" }, { "commit": "15994bb0cbb8fc4879da7552ddd08c1896261c39", "tree": "53d7783826dccdbe9f890066d9658928f037b93b", "parents": [ "0f3c0a197309717d74729568f88957d448847937" ], "author": { "name": "Maoyi Xie", "email": "maoyi.xie@ntu.edu.sg", "time": "Wed May 06 14:48:53 2026 +0800" }, "committer": { "name": "Johannes Berg", "email": "johannes.berg@intel.com", "time": "Wed May 06 11:05:52 2026 +0200" }, "message": "wifi: nl80211: require CAP_NET_ADMIN over the target netns in SET_WIPHY_NETNS\n\nNL80211_CMD_SET_WIPHY_NETNS dispatches with GENL_UNS_ADMIN_PERM, which\nverifies that the caller has CAP_NET_ADMIN for the source netns. It\ndoesn\u0027t verify that the caller has CAP_NET_ADMIN over the target netns\nselected by NL80211_ATTR_NETNS_FD or NL80211_ATTR_PID.\n\nThis diverges from the convention enforced in\nnet/core/rtnetlink.c::rtnl_get_net_ns_capable():\n\n /* For now, the caller is required to have CAP_NET_ADMIN in\n * the user namespace owning the target net ns.\n */\n if (!sk_ns_capable(sk, net-\u003euser_ns, CAP_NET_ADMIN))\n return ERR_PTR(-EACCES);\n\nA user with CAP_NET_ADMIN in their own user namespace can therefore\npush a wiphy into an arbitrary netns (including init_net) over which\nthey have no privilege.\n\nMirror the rtnetlink convention by requiring CAP_NET_ADMIN in the\ntarget netns before calling cfg80211_switch_netns().\n\nSigned-off-by: Maoyi Xie \u003cmaoyi.xie@ntu.edu.sg\u003e\nLink: https://patch.msgid.link/20260506064854.2207105-2-maoyixie.tju@gmail.com\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\n" }, { "commit": "0f3c0a197309717d74729568f88957d448847937", "tree": "e5dbea0843604ad6e89936a961ac59211c1d2bba", "parents": [ "283fc9e44ff5b5ac967439b4951b80bd4299f4e4" ], "author": { "name": "Johannes Berg", "email": "johannes.berg@intel.com", "time": "Tue May 05 13:38:37 2026 +0200" }, "committer": { "name": "Johannes Berg", "email": "johannes.berg@intel.com", "time": "Wed May 06 11:03:21 2026 +0200" }, "message": "wifi: nl80211: fix NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST usage\n\nThis is documented as a u8 and has a policy of NLA_U8, but uses\nnla_get_u32() which means it\u0027s completely broken on big-endian.\nFix it to use nla_get_u8().\n\nFixes: 9bb7e0f24e7e (\"cfg80211: add peer measurement with FTM initiator API\")\nLink: https://patch.msgid.link/20260505113837.260159-2-johannes@sipsolutions.net\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\n" }, { "commit": "283fc9e44ff5b5ac967439b4951b80bd4299f4e4", "tree": "a4d82037ea1cf8c1ddc41d30a5d36bc029ced933", "parents": [ "ac8eb3e18f41e2cc8492cc1d358bcb786c850270" ], "author": { "name": "Johannes Berg", "email": "johannes.berg@intel.com", "time": "Tue May 05 15:15:34 2026 +0200" }, "committer": { "name": "Johannes Berg", "email": "johannes.berg@intel.com", "time": "Wed May 06 11:02:57 2026 +0200" }, "message": "wifi: mac80211: remove station if connection prep fails\n\nIf connection preparation fails for MLO connections, then the\ninterface is completely reset to non-MLD. In this case, we must\nnot keep the station since it\u0027s related to the link of the vif\nbeing removed. Delete an existing station. Any \"new_sta\" is\nalready being removed, so that doesn\u0027t need changes.\n\nThis fixes a use-after-free/double-free in debugfs if that\u0027s\nenabled, because a vif going from MLD (and to MLD, but that\u0027s\nnot relevant here) recreates its entire debugfs.\n\nCc: stable@vger.kernel.org\nFixes: 81151ce462e5 (\"wifi: mac80211: support MLO authentication/association with one link\")\nReviewed-by: Miriam Rachel Korenblit \u003cmiriam.rachel.korenblit@intel.com\u003e\nLink: https://patch.msgid.link/20260505151533.c4e52deb06ad.Iafe56cec7de8512626169496b134bce3a6c17010@changeid\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\n" }, { "commit": "2bcbb163162789d3488562073dbb99d9bd71a762", "tree": "3d7d4ac19b6b481f05743fde08c8482da87a899e", "parents": [ "5337213381df578058e2e41da93cbd0e4639935f" ], "author": { "name": "Rosen Penev", "email": "rosenp@gmail.com", "time": "Tue May 05 20:18:54 2026 -0700" }, "committer": { "name": "Takashi Iwai", "email": "tiwai@suse.de", "time": "Wed May 06 10:09:17 2026 +0200" }, "message": "ALSA: sparc/dbri: add missing fallthrough\n\nFixes compiler error with probably newer compilers:\n\nsound/sparc/dbri.c:595:2: error: unannotated fall-through between switch labels [-Werror,-Wimplicit-fallthrough]\n 595 | case 1:\n | ^\nsound/sparc/dbri.c:595:2: note: insert \u0027break;\u0027 to avoid fall-through\n 595 | case 1:\n | ^\n | break;\n\nSigned-off-by: Rosen Penev \u003crosenp@gmail.com\u003e\nLink: https://patch.msgid.link/20260506031854.780411-1-rosenp@gmail.com\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\n" }, { "commit": "5337213381df578058e2e41da93cbd0e4639935f", "tree": "60dbe636cc177f2cff2faed68d3f631250c36027", "parents": [ "01801e20d69346e1e6cec0d908f1cea3a49e51b5" ], "author": { "name": "Cássio Gabriel", "email": "cassiogabrielcontato@gmail.com", "time": "Wed May 06 00:34:47 2026 -0300" }, "committer": { "name": "Takashi Iwai", "email": "tiwai@suse.de", "time": "Wed May 06 10:07:36 2026 +0200" }, "message": "ALSA: core: Serialize deferred fasync state checks\n\nsnd_fasync_helper() updates fasync-\u003eon under snd_fasync_lock, and\nsnd_fasync_work_fn() now also evaluates fasync-\u003eon under the same\nlock. snd_kill_fasync() still tests the flag before taking the lock,\nleaving an unsynchronized read against FASYNC enable/disable updates.\n\nMove the enabled-state check into the locked section.\n\nAlso clear fasync-\u003eon under snd_fasync_lock in snd_fasync_free()\nbefore unlinking the pending entry. Together with the locked sender-side\ncheck, this publishes teardown before flushing the deferred work and\nprevents a racing sender from requeueing the entry after free has\nstarted.\n\nFixes: ef34a0ae7a26 (\"ALSA: core: Add async signal helpers\")\nFixes: 8146cd333d23 (\"ALSA: core: Fix potential data race at fasync handling\")\nCc: stable@vger.kernel.org\nSigned-off-by: Cássio Gabriel \u003ccassiogabrielcontato@gmail.com\u003e\nLink: https://patch.msgid.link/20260506-alsa-core-fasync-on-lock-v1-1-ea48c77d6ca4@gmail.com\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\n" }, { "commit": "01801e20d69346e1e6cec0d908f1cea3a49e51b5", "tree": "9c138b9a3d739868437b7f5aa80f5bffe053b9fd", "parents": [ "92429ca999db99febced82f23362a71b2ba4c1d8" ], "author": { "name": "Rodrigo Faria", "email": "rodrigofilipefaria@gmail.com", "time": "Tue May 05 19:55:18 2026 +0100" }, "committer": { "name": "Takashi Iwai", "email": "tiwai@suse.de", "time": "Wed May 06 09:57:43 2026 +0200" }, "message": "ALSA: hda/realtek: Add mute LED fixup for HP Pavilion 15-cs1xxx\n\nAdd a new fixup for the mute LED on the HP Pavilion 15-cs1xxx series\nusing the VREF on NID 0x1b.\n\nThe BIOS on these models (tested up to F.32) incorrectly reports\nthe mute LED on NID 0x18 via DMI OEM strings, which lacks VREF\ncapabilities. This fixup overrides the LED pin to the correct\nNID 0x1b.\n\nSigned-off-by: Rodrigo Faria \u003crodrigofilipefaria@gmail.com\u003e\nLink: https://patch.msgid.link/20260505185518.23625-1-rodrigofilipefaria@gmail.com\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\n" }, { "commit": "92429ca999db99febced82f23362a71b2ba4c1d8", "tree": "93e8a64e7d4c0db104f0c796aec0cd07160789bd", "parents": [ "320e55722ca466a7d40dd69e1aea982cb6189006" ], "author": { "name": "Cássio Gabriel", "email": "cassiogabrielcontato@gmail.com", "time": "Wed May 06 00:15:48 2026 -0300" }, "committer": { "name": "Takashi Iwai", "email": "tiwai@suse.de", "time": "Wed May 06 09:56:54 2026 +0200" }, "message": "ALSA: seq: Fix UMP group 16 filtering\n\nThe sequencer UAPI defines group_filter as an unsigned int bitmap.\nBit 0 filters groupless messages and bits 1-16 filter UMP groups 1-16.\n\nThe internal snd_seq_client storage is only unsigned short, so bit 16\nis truncated when userspace sets the filter. The same truncation affects\nthe automatic UMP client filter used to avoid delivery to inactive\ngroups, so events for group 16 cannot be filtered.\n\nStore the internal bitmap as unsigned int and keep both userspace-provided\nand automatically generated values limited to the defined UAPI bits.\n\nFixes: d2b706077792 (\"ALSA: seq: Add UMP group filter\")\nCc: stable@vger.kernel.org\nSigned-off-by: Cássio Gabriel \u003ccassiogabrielcontato@gmail.com\u003e\nLink: https://patch.msgid.link/20260506-alsa-seq-ump-group16-filter-v1-1-b75160bf6993@gmail.com\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\n" }, { "commit": "e80948062dcfff0543c5c60ba8654e825bf73b5a", "tree": "d16c0c5f98a9b726bbdd054c9f20eeb985f45bf1", "parents": [ "74fe02ce122a6103f207d29fafc8b3a53de6abaf", "5a873d77ba792410a796595a917be6a440f9b7d2" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue May 05 19:44:46 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue May 05 19:44:46 2026 -0700" }, "message": "Merge tag \u0027loongarch-fixes-7.1-1\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson\n\nPull LoongArch fixes from Huacai Chen:\n \"Fix some build and runtime issues after 32BIT Kconfig option enabled,\n improve the platform-specific PCI controller compatibility, drop\n custom __arch_vdso_hres_capable(), and fix a lot of KVM bugs\"\n\n* tag \u0027loongarch-fixes-7.1-1\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson:\n LoongArch: KVM: Move unconditional delay into timer clear scenery\n LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by software\n LoongArch: KVM: Move AVEC interrupt injection into switch loop\n LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte()\n LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()\n LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS\n LoongArch: KVM: Fix \"unreliable stack\" for kvm_exc_entry\n LoongArch: KVM: Compile switch.S directly into the kernel\n LoongArch: vDSO: Drop custom __arch_vdso_hres_capable()\n LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()\n LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup\n LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT\n LoongArch: Specify -m32/-m64 explicitly for 32BIT/64BIT\n LoongArch: Make CONFIG_64BIT as the default option\n" }, { "commit": "3e8ec3440b3731576f0e71a01121445e66c26bfd", "tree": "e5a45083eb2049055b5ae4a675fac831b49b42a5", "parents": [ "22675f07260ca26423851a42b553b0ea669228d1", "203cee647f551abc87b992045cd920b117ff990a" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:27:54 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:27:55 2026 -0700" }, "message": "Merge branch \u0027xsk-fix-bugs-around-xsk-skb-allocation\u0027\n\nJason Xing says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nxsk: fix bugs around xsk skb allocation\n\nThere are rare issues around xsk_build_skb(). Some of them\nwere founded by Sashiko[1][2].\n\n[1]: https://lore.kernel.org/all/20260415082654.21026-1-kerneljasonxing@gmail.com/\n[2]: https://lore.kernel.org/all/20260418045644.28612-1-kerneljasonxing@gmail.com/\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260502200722.53960-1-kerneljasonxing@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "203cee647f551abc87b992045cd920b117ff990a", "tree": "e5a45083eb2049055b5ae4a675fac831b49b42a5", "parents": [ "e0f229025a8e774a695017a376c4a01279c0e66e" ], "author": { "name": "Jason Xing", "email": "kernelxing@tencent.com", "time": "Sat May 02 23:07:22 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:27:51 2026 -0700" }, "message": "xsk: fix u64 descriptor address truncation on 32-bit architectures\n\nIn copy mode TX, xsk_skb_destructor_set_addr() stores the 64-bit\ndescriptor address into skb_shinfo(skb)-\u003edestructor_arg (void *) via a\nuintptr_t cast:\n\n skb_shinfo(skb)-\u003edestructor_arg \u003d (void *)((uintptr_t)addr | 0x1UL);\n\nOn 32-bit architectures uintptr_t is 32 bits, so the upper 32 bits of\nthe descriptor address are silently dropped. In XDP_ZEROCOPY unaligned\nmode the chunk offset is encoded in bits 48-63 of the descriptor\naddress (XSK_UNALIGNED_BUF_OFFSET_SHIFT \u003d 48), meaning the offset is\nlost entirely. The completion queue then returns a truncated address to\nuserspace, making buffer recycling impossible.\n\nFix this by handling the 32-bit case directly in\nxsk_skb_destructor_set_addr(): when !CONFIG_64BIT, allocate an\nxsk_addrs struct (the same path already used for multi-descriptor\nSKBs) to store the full u64 address. The existing tagged-pointer logic\nin xsk_skb_destructor_is_addr() stays unchanged: slab pointers returned\nfrom kmem_cache_zalloc() are always word-aligned and therefore have\nbit 0 clear, which correctly identifies them as a struct pointer\nrather than an inline tagged address on every architecture.\n\nFactor the shared kmem_cache_zalloc + destructor_arg assignment into\n__xsk_addrs_alloc() and add a wrapper xsk_addrs_alloc() that handles\nthe inline-to-list upgrade (is_addr check + get_addr + num_descs \u003d 1).\nThe three former open-coded kmem_cache_zalloc call sites now reduce to\na single call each.\n\nPropagate the -ENOMEM from xsk_skb_destructor_set_addr() through\nxsk_skb_init_misc() so the caller can clean up the skb via kfree_skb()\nbefore skb-\u003edestructor is installed.\n\nThe overhead is one extra kmem_cache_zalloc per first descriptor on\n32-bit only; 64-bit builds are completely unchanged.\n\nCloses: https://lore.kernel.org/all/20260419045824.D9E5EC2BCAF@smtp.kernel.org/\nFixes: 0ebc27a4c67d (\"xsk: avoid data corruption on cq descriptor number\")\nSigned-off-by: Jason Xing \u003ckernelxing@tencent.com\u003e\nAcked-by: Stanislav Fomichev \u003csdf@fomichev.me\u003e\nReviewed-by: Alexander Lobakin \u003caleksander.lobakin@intel.com\u003e\nLink: https://patch.msgid.link/20260502200722.53960-9-kerneljasonxing@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "e0f229025a8e774a695017a376c4a01279c0e66e", "tree": "e2350b37c607e6c71b1dd8efcf5f6d5ecbc123d9", "parents": [ "8c2cff50afdd2b53c7cc2ca2297301c0ffd3e802" ], "author": { "name": "Jason Xing", "email": "kernelxing@tencent.com", "time": "Sat May 02 23:07:21 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:27:51 2026 -0700" }, "message": "xsk: fix xsk_addrs slab leak on multi-buffer error path\n\nWhen xsk_build_skb() / xsk_build_skb_zerocopy() sees the first\ncontinuation descriptor, it promotes destructor_arg from an inlined\naddress to a freshly allocated xsk_addrs (num_descs \u003d 1). The counter\nis bumped to \u003e\u003d 2 only at the very end of a successful build (by calling\nxsk_inc_num_desc()).\n\nIf the build fails in between (e.g. alloc_page() returns NULL with\n-EAGAIN, or the MAX_SKB_FRAGS overflow hits), we jump to free_err, skip\ncalling xsk_inc_num_desc() to increment num_descs and leave the half-built\nskb attached to xs-\u003eskb for the app to retry. The skb now has\n1) destructor_arg \u003d a real xsk_addrs pointer,\n2) num_descs \u003d 1\n\nIf the app never retries and just close()s the socket, xsk_release()\ncalls xsk_drop_skb() -\u003e xsk_consume_skb(), which decides whether to\nfree xsk_addrs by testing num_descs \u003e 1:\n\n if (unlikely(num_descs \u003e 1))\n kmem_cache_free(xsk_tx_generic_cache, destructor_arg);\n\nBecause num_descs is exactly 1 the branch is skipped and the\nxsk_addrs object is leaked to the xsk_tx_generic_cache slab.\n\nFix it by directly testing if destructor_arg is still addr. Or else it\nis modified and used to store the newly allocated memory from\nxsk_tx_generic_cache regardless of increment of num_desc, which we\nneed to handle.\n\nCloses: https://lore.kernel.org/all/20260419045824.D9E5EC2BCAF@smtp.kernel.org/\nFixes: 0ebc27a4c67d (\"xsk: avoid data corruption on cq descriptor number\")\nAcked-by: Stanislav Fomichev \u003csdf@fomichev.me\u003e\nSigned-off-by: Jason Xing \u003ckernelxing@tencent.com\u003e\nReviewed-by: Alexander Lobakin \u003caleksander.lobakin@intel.com\u003e\nLink: https://patch.msgid.link/20260502200722.53960-8-kerneljasonxing@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "8c2cff50afdd2b53c7cc2ca2297301c0ffd3e802", "tree": "be02987c00f1fd7c7a7737dc6f7da6c470dbf5d7", "parents": [ "3dec153ae484e3b2ddac841156e197ba54c8df94" ], "author": { "name": "Jason Xing", "email": "kernelxing@tencent.com", "time": "Sat May 02 23:07:20 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:27:50 2026 -0700" }, "message": "xsk: avoid skb leak in XDP_TX_METADATA case\n\nFix it by explicitly adding kfree_skb() before returning back to its\ncaller.\n\nHow to reproduce it in virtio_net:\n1. the current skb is the first one (which means no frag and xs-\u003eskb is\n NULL) and users enable metadata feature.\n2. xsk_skb_metadata() returns a error code.\n3. the caller xsk_build_skb() clears skb by using \u0027skb \u003d NULL;\u0027.\n4. there is no chance to free this skb anymore.\n\nCloses: https://lore.kernel.org/all/20260415085204.3F87AC19424@smtp.kernel.org/\nFixes: 30c3055f9c0d (\"xsk: wrap generic metadata handling onto separate function\")\nAcked-by: Stanislav Fomichev \u003csdf@fomichev.me\u003e\nSigned-off-by: Jason Xing \u003ckernelxing@tencent.com\u003e\nReviewed-by: Alexander Lobakin \u003caleksander.lobakin@intel.com\u003e\nLink: https://patch.msgid.link/20260502200722.53960-7-kerneljasonxing@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "3dec153ae484e3b2ddac841156e197ba54c8df94", "tree": "39f1736e97855cd758ea24f6fffd70b02505dbff", "parents": [ "0f3776583d282550dbafe6082a914efcf9094d59" ], "author": { "name": "Jason Xing", "email": "kernelxing@tencent.com", "time": "Sat May 02 23:07:19 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:27:50 2026 -0700" }, "message": "xsk: prevent CQ desync when freeing half-built skbs in xsk_build_skb()\n\nOnce xsk_skb_init_misc() has been called on an skb, its destructor is\nset to xsk_destruct_skb(), which submits the descriptor address(es) to\nthe completion queue and advances the CQ producer. If such an skb is\nsubsequently freed via kfree_skb() along an error path - before the\nskb has ever been handed to the driver - the destructor still runs and\nsubmits a bogus, half-initialized address to the CQ.\n\nPostpone the init phase when we believe the allocation of first frag is\nsuccessfully completed. Before this init, skb can be safely freed by\nkfree_skb().\n\nCloses: https://lore.kernel.org/all/20260419045822.843BFC2BCAF@smtp.kernel.org/\nFixes: c30d084960cf (\"xsk: avoid overwriting skb fields for multi-buffer traffic\")\nAcked-by: Stanislav Fomichev \u003csdf@fomichev.me\u003e\nSigned-off-by: Jason Xing \u003ckernelxing@tencent.com\u003e\nReviewed-by: Alexander Lobakin \u003caleksander.lobakin@intel.com\u003e\nLink: https://patch.msgid.link/20260502200722.53960-6-kerneljasonxing@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "0f3776583d282550dbafe6082a914efcf9094d59", "tree": "08154a6a2d30bd881d1ac749d4ac4454fcc4609f", "parents": [ "8cd3c1c6e7d9a1f0954159ec5f2fdaa7f6a48bd8" ], "author": { "name": "Jason Xing", "email": "kernelxing@tencent.com", "time": "Sat May 02 23:07:18 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:27:50 2026 -0700" }, "message": "xsk: fix use-after-free of xs-\u003eskb in xsk_build_skb() free_err path\n\nWhen xsk_build_skb() processes multi-buffer packets in copy mode, the\nfirst descriptor stores data into the skb linear area without adding\nany frags, so nr_frags stays at 0. The caller then sets xs-\u003eskb \u003d skb\nto accumulate subsequent descriptors.\n\nIf a continuation descriptor fails (e.g. alloc_page returns NULL with\n-EAGAIN), we jump to free_err where the condition:\n\n if (skb \u0026\u0026 !skb_shinfo(skb)-\u003enr_frags)\n kfree_skb(skb);\n\nevaluates to true because nr_frags is still 0 (the first descriptor\nused the linear area, not frags). This frees the skb while xs-\u003eskb\nstill points to it, creating a dangling pointer. On the next transmit\nattempt or socket close, xs-\u003eskb is dereferenced, causing a\nuse-after-free or double-free.\n\nFix by using a !xs-\u003eskb check to handle first frag situation, ensuring\nwe only free skbs that were freshly allocated in this call\n(xs-\u003eskb is NULL) and never free an in-progress multi-buffer skb that\nthe caller still references.\n\nCloses: https://lore.kernel.org/all/20260415082654.21026-4-kerneljasonxing@gmail.com/\nFixes: 6b9c129c2f93 (\"xsk: remove @first_frag from xsk_build_skb()\")\nAcked-by: Stanislav Fomichev \u003csdf@fomichev.me\u003e\nSigned-off-by: Jason Xing \u003ckernelxing@tencent.com\u003e\nReviewed-by: Alexander Lobakin \u003caleksander.lobakin@intel.com\u003e\nLink: https://patch.msgid.link/20260502200722.53960-5-kerneljasonxing@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "8cd3c1c6e7d9a1f0954159ec5f2fdaa7f6a48bd8", "tree": "a78e7f9775e61c70cde03b0170afe794d7bfdb99", "parents": [ "0bb7a9caf5c1d6e25ba376ea6b39261ad28550f4" ], "author": { "name": "Jason Xing", "email": "kernelxing@tencent.com", "time": "Sat May 02 23:07:17 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:27:50 2026 -0700" }, "message": "xsk: handle NULL dereference of the skb without frags issue\n\nWhen a first descriptor (xs-\u003eskb \u003d\u003d NULL) triggers -EOVERFLOW in\nxsk_build_skb_zerocopy() (e.g., MAX_SKB_FRAGS exceeded), the\nfree_err -EOVERFLOW handler unconditionally dereferences xs-\u003eskb\nvia xsk_inc_num_desc(xs-\u003eskb) and xsk_drop_skb(xs-\u003eskb), causing\na NULL pointer dereference.\n\nFix this by guarding the existing xsk_inc_num_desc()/xsk_drop_skb()\ncalls with an xs-\u003eskb check (for the continuation case), and add\nan else branch for the first-descriptor case that manually cancels\nthe one reserved CQ slot and increments invalid_descs by one to\naccount for the single invalid descriptor.\n\nFixes: cf24f5a5feea (\"xsk: add support for AF_XDP multi-buffer on Tx path\")\nAcked-by: Stanislav Fomichev \u003csdf@fomichev.me\u003e\nSigned-off-by: Jason Xing \u003ckernelxing@tencent.com\u003e\nReviewed-by: Alexander Lobakin \u003caleksander.lobakin@intel.com\u003e\nLink: https://patch.msgid.link/20260502200722.53960-4-kerneljasonxing@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "0bb7a9caf5c1d6e25ba376ea6b39261ad28550f4", "tree": "dab2ccc4aa86aa3cc5e20f43baeebd31a72dd88c", "parents": [ "d73a9a63f9f7f7c17637731fd28daf3665992d1e" ], "author": { "name": "Jason Xing", "email": "kernelxing@tencent.com", "time": "Sat May 02 23:07:16 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:27:50 2026 -0700" }, "message": "xsk: free the skb when hitting the upper bound MAX_SKB_FRAGS\n\nFix it by explicitly adding kfree_skb() before returning back to its\ncaller.\n\nHow to reproduce it in virtio_net:\n1. the current skb is the first one (which means xs-\u003eskb is NULL) and\n hit the limit MAX_SKB_FRAGS.\n2. xsk_build_skb_zerocopy() returns -EOVERFLOW.\n3. the caller xsk_build_skb() clears skb by using \u0027skb \u003d NULL;\u0027. This\n is why bug can be triggered.\n4. there is no chance to free this skb anymore.\n\nNote that if in this case the xs-\u003eskb is not NULL, xsk_build_skb() will\ncall xsk_drop_skb(xs-\u003eskb) to do the right thing.\n\nFixes: cf24f5a5feea (\"xsk: add support for AF_XDP multi-buffer on Tx path\")\nAcked-by: Stanislav Fomichev \u003csdf@fomichev.me\u003e\nSigned-off-by: Jason Xing \u003ckernelxing@tencent.com\u003e\nReviewed-by: Alexander Lobakin \u003caleksander.lobakin@intel.com\u003e\nLink: https://patch.msgid.link/20260502200722.53960-3-kerneljasonxing@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "d73a9a63f9f7f7c17637731fd28daf3665992d1e", "tree": "662e600178e6ff9cf74406663371b2b182f5563a", "parents": [ "22675f07260ca26423851a42b553b0ea669228d1" ], "author": { "name": "Jason Xing", "email": "kernelxing@tencent.com", "time": "Sat May 02 23:07:15 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:27:49 2026 -0700" }, "message": "xsk: reject sw-csum UMEM binding to IFF_TX_SKB_NO_LINEAR devices\n\nskb_checksum_help() is a common helper that writes the folded\n16-bit checksum back via skb-\u003edata + csum_start + csum_offset,\ni.e. it relies on the skb\u0027s linear head and fails (with WARN_ONCE\nand -EINVAL) when skb_headlen() is 0.\n\nAF_XDP generic xmit takes two very different paths depending on the\nnetdev. Drivers that advertise IFF_TX_SKB_NO_LINEAR (e.g. virtio_net)\nskip the \"copy payload into a linear head\" step on purpose as a\nperformance optimisation: xsk_build_skb_zerocopy() only attaches UMEM\npages as frags and never calls skb_put(), so skb_headlen() stays 0\nfor the whole skb. For these skbs there is simply no linear area for\nskb_checksum_help() to write the csum into - the sw-csum fallback is\nstructurally inapplicable.\n\nThe patch tries to catch this and reject the combination with error at\nsetup time. Rejecting at bind() converts this silent per-packet failure\ninto a synchronous, actionable -EOPNOTSUPP at setup time. HW csum and\nlaunch_time metadata on IFF_TX_SKB_NO_LINEAR drivers are unaffected\nbecause they do not call skb_checksum_help().\n\nWithout the patch, every descriptor carrying \u0027XDP_TX_METADATA |\nXDP_TXMD_FLAGS_CHECKSUM\u0027 produces:\n1) a WARN_ONCE \"offset (N) \u003e\u003d skb_headlen() (0)\" from skb_checksum_help(),\n2) sendmsg() returning -EINVAL without consuming the descriptor\n (invalid_descs is not incremented),\n3) a wedged TX ring: __xsk_generic_xmit() does not advance the\n consumer on non-EOVERFLOW errors, so the next sendmsg() re-reads\n the same descriptor and re-hits the same WARN until the socket\n is closed.\n\nCloses: https://lore.kernel.org/all/20260419045822.843BFC2BCAF@smtp.kernel.org/#t\nAcked-by: Stanislav Fomichev \u003csdf@fomichev.me\u003e\nSigned-off-by: Jason Xing \u003ckernelxing@tencent.com\u003e\nAcked-by: Stanislav Fomichev \u003csdf@fomichev.me\u003e\nSigned-off-by: Jason Xing \u003ckernelxing@tencent.com\u003e\nReviewed-by: Alexander Lobakin \u003caleksander.lobakin@intel.com\u003e\nFixes: 30c3055f9c0d (\"xsk: wrap generic metadata handling onto separate function\")\nLink: https://patch.msgid.link/20260502200722.53960-2-kerneljasonxing@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "525cb7ba6661074c1c5cc3772bccc6afab6791ef", "tree": "bae345d5a4c614c7b536aec7897190a656a5f8fc", "parents": [ "168e4b208ca8c2e04de20cc6cb7e2fb035dc1ec8" ], "author": { "name": "Tzung-Bi Shih", "email": "tzungbi@kernel.org", "time": "Tue May 05 05:34:03 2026 +0000" }, "committer": { "name": "Tzung-Bi Shih", "email": "tzungbi@kernel.org", "time": "Wed May 06 02:14:33 2026 +0000" }, "message": "platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration\n\ncros_typec_register_thunderbolt() missed initializing the `adata-\u003elock`\nmutex. This leads to a NULL dereference when the mutex is later\nacquired (e.g. in cros_typec_altmode_work()).\n\nInitialize the mutex in cros_typec_register_thunderbolt() to fix the\nissue.\n\nCc: stable@vger.kernel.org\nFixes: 3b00be26b16a (\"platform/chrome: cros_ec_typec: Thunderbolt support\")\nReviewed-by: Benson Leung \u003cbleung@chromium.org\u003e\nReviewed-by: Abhishek Pandit-Subedi \u003cabhishekpandit@chromium.org\u003e\nLink: https://lore.kernel.org/r/20260505053403.3335740-1-tzungbi@kernel.org\nSigned-off-by: Tzung-Bi Shih \u003ctzungbi@kernel.org\u003e\n" }, { "commit": "22675f07260ca26423851a42b553b0ea669228d1", "tree": "6351ced2b9eef23d33d4375867da6c529e0dfe31", "parents": [ "af0e9b26b9667d765d71a7f53b7ed242eb1ba671", "d466ddda5500b6b8ae060909d2317811f2c32a6a" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:13:12 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:13:12 2026 -0700" }, "message": "Merge branch \u0027net-mlx5-fixes-for-socket-direct\u0027\n\nTariq Toukan says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnet/mlx5: Fixes for Socket-Direct\n\nThis series fixes several race conditions and bugs in the mlx5\nSocket-Direct (SD) single netdev flow.\n\nPatch 1 serializes mlx5_sd_init()/mlx5_sd_cleanup() with\nmlx5_devcom_comp_lock() and tracks the SD group state on the primary\ndevice, preventing concurrent or duplicate bring-up/tear-down.\n\nPatch 2 fixes the debugfs \"multi-pf\" directory being stored on the\ncalling device\u0027s sd struct instead of the primary\u0027s, which caused\nmemory leaks and recreation errors when cleanup ran from a different PF.\n\nPatch 3 fixes a race where a secondary PF could access the primary\u0027s\nauxiliary device after it had been unbound, by holding the primary\u0027s\ndevice lock while operating on its auxiliary device.\n\nPatch 4 fixes missing cleanup on ETH probe errors. The analogous gap on\nthe resume path requires introducing sd_suspend/resume APIs that only\ndestroy FW resources and is left for a follow-up series.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260504180206.268568-1-tariqt@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "d466ddda5500b6b8ae060909d2317811f2c32a6a", "tree": "6351ced2b9eef23d33d4375867da6c529e0dfe31", "parents": [ "3564222cfdde83a2d760b80192155a3ada1c9bdd" ], "author": { "name": "Shay Drory", "email": "shayd@nvidia.com", "time": "Mon May 04 21:02:06 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:13:09 2026 -0700" }, "message": "net/mlx5e: SD, Fix race condition in secondary device probe/remove\n\nWhen utilizing Socket-Direct single netdev functionality the driver\nresolves the actual auxiliary device using mlx5_sd_get_adev(). However,\nthe current implementation returns the primary ETH auxiliary device\nwithout holding the device lock, leading to a potential race condition\nwhere the ETH device could be unbound or removed concurrently during\nprobe, suspend, resume, or remove operations.[1]\n\nFix this by introducing mlx5_sd_put_adev() and updating\nmlx5_sd_get_adev() so that secondaries devices would get a ref and\nacquire the device lock of the returned auxiliary device. After the lock\nis acquired, a second devcom check is needed[2].\nIn addition, update The callers to pair the get operation with the new\nput operation, ensuring the lock is held while the auxiliary device is\nbeing operated on and released afterwards.\n\nThe \"primary\" designation is determined once in sd_register(). It\u0027s set\nbefore devcom is marked ready, and it never changes after that.\nIn Addition, The primary path never locks a secondary: When the primary\ndevice invoke mlx5_sd_get_adev(), it sees dev \u003d\u003d primary and returns.\nno additional lock is taken.\nTherefore lock ordering is always: secondary_lock -\u003e primary_lock. The\nreverse never happens, so ABBA deadlock is impossible.\n\n[1]\nfor example:\nBUG: kernel NULL pointer dereference, address: 0000000000000370\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP\nCPU: 4 UID: 0 PID: 3945 Comm: bash Not tainted 6.19.0-rc3+ #1 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:mlx5e_dcbnl_dscp_app+0x23/0x100 [mlx5_core]\nCall Trace:\n \u003cTASK\u003e\n mlx5e_remove+0x82/0x12a [mlx5_core]\n device_release_driver_internal+0x194/0x1f0\n bus_remove_device+0xc6/0x140\n device_del+0x159/0x3c0\n ? devl_param_driverinit_value_get+0x29/0x80\n mlx5_rescan_drivers_locked+0x92/0x160 [mlx5_core]\n mlx5_unregister_device+0x34/0x50 [mlx5_core]\n mlx5_uninit_one+0x43/0xb0 [mlx5_core]\n remove_one+0x4e/0xc0 [mlx5_core]\n pci_device_remove+0x39/0xa0\n device_release_driver_internal+0x194/0x1f0\n unbind_store+0x99/0xa0\n kernfs_fop_write_iter+0x12e/0x1e0\n vfs_write+0x215/0x3d0\n ksys_write+0x5f/0xd0\n do_syscall_64+0x55/0xe90\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n[2]\n CPU0 (primary) CPU1 (secondary)\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nmlx5e_remove() (device_lock held)\n mlx5e_remove() (2nd device_lock held)\n mlx5_sd_get_adev()\n mlx5_devcom_comp_is_ready() \u003d\u003e true\n device_lock(primary)\n mlx5_sd_get_adev() \u003d\u003d\u003e ret adev\n _mlx5e_remove()\n mlx5_sd_cleanup()\n // mlx5e_remove finished\n // releasing device_lock\n //need another check here...\n mlx5_devcom_comp_is_ready() \u003d\u003e false\n\nFixes: 381978d28317 (\"net/mlx5e: Create single netdev per SD group\")\nSigned-off-by: Shay Drory \u003cshayd@nvidia.com\u003e\nSigned-off-by: Tariq Toukan \u003ctariqt@nvidia.com\u003e\nLink: https://patch.msgid.link/20260504180206.268568-5-tariqt@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "3564222cfdde83a2d760b80192155a3ada1c9bdd", "tree": "23bff06c8d92823b2cdc465ede49318c7e1843c2", "parents": [ "05217e4ffbb229e7218cf318e0033780abadb624" ], "author": { "name": "Shay Drory", "email": "shayd@nvidia.com", "time": "Mon May 04 21:02:05 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:13:09 2026 -0700" }, "message": "net/mlx5e: SD, Fix missing cleanup on probe error\n\nWhen _mlx5e_probe() fails, the preceding successful mlx5_sd_init() is\nnot undone. Auxiliary bus probe failure skips binding, so mlx5e_remove()\nis never called for that adev and the matching mlx5_sd_cleanup() never\nruns - leaking the per-dev SD struct.\n\nCall mlx5_sd_cleanup() on the probe error path to balance\nmlx5_sd_init().\n\nA similar gap exists on the resume path: mlx5_sd_init() and\nmlx5_sd_cleanup() are currently bundled with both probe/remove and\nsuspend/resume, even though only the FW alias state actually needs to\nfollow the suspend/resume lifecycle - the sd struct allocation and\ndevcom membership are software state that should track the full bound\nlifetime. As a result, a failed resume can leave a still-bound device\nwith sd \u003d\u003d NULL, which mlx5_sd_get_adev() can\u0027t distinguish from a\nnon-SD device. Fixing this requires sd_suspend/resume APIs which will\nonly destroy FW resources and is left for a follow-up series.\n\nFixes: 381978d28317 (\"net/mlx5e: Create single netdev per SD group\")\nSigned-off-by: Shay Drory \u003cshayd@nvidia.com\u003e\nSigned-off-by: Tariq Toukan \u003ctariqt@nvidia.com\u003e\nLink: https://patch.msgid.link/20260504180206.268568-4-tariqt@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "05217e4ffbb229e7218cf318e0033780abadb624", "tree": "d8156e1856a93d6c83466be84d9a3acd924e06d3", "parents": [ "3abcedfdfd3125431ed404fa75724118beac630b" ], "author": { "name": "Shay Drory", "email": "shayd@nvidia.com", "time": "Mon May 04 21:02:04 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:13:09 2026 -0700" }, "message": "net/mlx5: SD, Keep multi-pf debugfs entries on primary\n\nmlx5_sd_init() creates the \"multi-pf\" debugfs directory under the\nprimary device debugfs root, but stored the dentry in the calling\ndevice\u0027s sd struct. When sd_cleanup() run on a different PF,\nthis leads to using the wrong sd-\u003edfs for removing entries, which\nresults in memory leak and an error in when re-creating the SD.[1]\n\nFix it by explicitly storing the debugfs dentry in the primary\ndevice sd struct and use it for all per-group files.\n\n[1]\ndebugfs: \u0027multi-pf\u0027 already exists in \u00270000:08:00.1\u0027\n\nFixes: 4375130bf527 (\"net/mlx5: SD, Add debugfs\")\nSigned-off-by: Shay Drory \u003cshayd@nvidia.com\u003e\nSigned-off-by: Tariq Toukan \u003ctariqt@nvidia.com\u003e\nLink: https://patch.msgid.link/20260504180206.268568-3-tariqt@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "3abcedfdfd3125431ed404fa75724118beac630b", "tree": "c540b2ab57d386cf0da45428dadc5f44a5230c18", "parents": [ "af0e9b26b9667d765d71a7f53b7ed242eb1ba671" ], "author": { "name": "Shay Drory", "email": "shayd@nvidia.com", "time": "Mon May 04 21:02:03 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:13:09 2026 -0700" }, "message": "net/mlx5: SD: Serialize init/cleanup\n\nmlx5_sd_init() / mlx5_sd_cleanup() may run from multiple PFs in the same\nSocket-Direct group. This can cause the SD bring-up/tear-down sequence\nto be executed more than once or interleaved across PFs.\n\nProtect SD init/cleanup with mlx5_devcom_comp_lock() and track the SD\ngroup state on the primary device. Skip init if the primary is already\nUP, and skip cleanup unless the primary is UP.\n\nThe state check on cleanup is needed because sd_register() drops the\ndevcom comp lock between marking the comp ready and assigning\nprimary_dev on each peer. A concurrent cleanup that acquires the lock\nin this window would observe devcom_is_ready\u003d\u003dtrue while primary_dev\nis still NULL (causing mlx5_sd_get_primary() to return NULL) or while\nthe FW alias setup performed by mlx5_sd_init()\u0027s body has not yet run\n(causing sd_cmd_unset_primary() to dereference a NULL tx_ft). Gate the\ncleanup body on primary_sd-\u003estate \u003d\u003d MLX5_SD_STATE_UP, which is set\nonly at the very end of mlx5_sd_init() under the same comp lock - so\nobserving UP guarantees primary_dev, secondaries[], tx_ft, and dfs are\nall populated. Also bail explicitly if mlx5_sd_get_primary() returns\nNULL, in case state is checked on a peer whose primary_dev hasn\u0027t been\nassigned yet.\n\nIn addition, move mlx5_devcom_comp_set_ready(false) from sd_unregister()\ninto the cleanup\u0027s locked section, including the !primary and\nstate !\u003d UP early-exit paths, so the device cannot unregister and free\nits struct mlx5_sd while devcom is still marked ready. A concurrent\ninit acquiring the devcom lock will now observe devcom is no longer\nready and bail out immediately.\n\nFixes: 381978d28317 (\"net/mlx5e: Create single netdev per SD group\")\nSigned-off-by: Shay Drory \u003cshayd@nvidia.com\u003e\nSigned-off-by: Tariq Toukan \u003ctariqt@nvidia.com\u003e\nLink: https://patch.msgid.link/20260504180206.268568-2-tariqt@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "af0e9b26b9667d765d71a7f53b7ed242eb1ba671", "tree": "5ba083020053adffbadb965750594c90bf1e00b5", "parents": [ "0e7c074cfcd9bd93765505f9eb8b42f03ed2a744", "c4a5c46199b5addf0157934da3aa89c33eb02a6d" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:09:07 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:09:07 2026 -0700" }, "message": "Merge branch \u0027net-mlx5e-psp-fixes\u0027\n\nTariq Toukan says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnet/mlx5e: PSP fixes\n\nThis patchset provides bug fixes from Cosmin to the mlx5e PSP feature.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260504181100.269334-1-tariqt@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "c4a5c46199b5addf0157934da3aa89c33eb02a6d", "tree": "5ba083020053adffbadb965750594c90bf1e00b5", "parents": [ "50690733db59fbb3de9fa811b606af324eeb4e37" ], "author": { "name": "Cosmin Ratiu", "email": "cratiu@nvidia.com", "time": "Mon May 04 21:11:00 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:09:04 2026 -0700" }, "message": "net/mlx5e: psp: Hook PSP dev reg/unreg to profile enable/disable\n\ndevlink reload while PSP connections are active does:\n\nmlx5_unload_one_devl_locked() -\u003e mlx5_detach_device()\n-\u003e _mlx5e_suspend()\n -\u003e mlx5e_detach_netdev()\n -\u003e profile-\u003ecleanup_rx\n -\u003e profile-\u003ecleanup_tx\n -\u003e mlx5e_destroy_mdev_resources() -\u003e mlx5_core_dealloc_pd() fails:\n...\nmlx5_core 0000:08:00.0: mlx5_cmd_out_err:821:(pid 19722):\nDEALLOC_PD(0x801) op_mod(0x0) failed, status bad resource state(0x9),\nsyndrome (0xef0c8a), err(-22)\n...\n\nThe reason for failure is the existence of TX keys, which are removed by\nthe PSP dev unregistration happening in:\nprofile-\u003ecleanup() -\u003e mlx5e_psp_unregister() -\u003e mlx5e_psp_cleanup()\n -\u003e psp_dev_unregister()\n...but this isn\u0027t invoked in the devlink reload flow, only when changing\nthe NIC profile (e.g. when transitioning to switchdev mode) or on dev\nteardown.\n\nMove PSP device registration into mlx5e_nic_enable(), and unregistration\ninto the corresponding mlx5e_nic_disable(). These functions are called\nduring netdev attach/detach after RX \u0026 TX are set up.\nThis ensures that the keys will be gone by the time the PD is destroyed.\n\nFixes: 89ee2d92f66c (\"net/mlx5e: Support PSP offload functionality\")\nSigned-off-by: Cosmin Ratiu \u003ccratiu@nvidia.com\u003e\nReviewed-by: Dragos Tatulea \u003cdtatulea@nvidia.com\u003e\nSigned-off-by: Tariq Toukan \u003ctariqt@nvidia.com\u003e\nLink: https://patch.msgid.link/20260504181100.269334-4-tariqt@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "50690733db59fbb3de9fa811b606af324eeb4e37", "tree": "c6df2a41af2c2016652059e752fd9907c2b57db6", "parents": [ "ae9582cd0b9ccc4a121af300df68fd27f72e9822" ], "author": { "name": "Cosmin Ratiu", "email": "cratiu@nvidia.com", "time": "Mon May 04 21:10:59 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:09:04 2026 -0700" }, "message": "net/mlx5e: psp: Expose only a fully initialized priv-\u003epsp\n\nCurrently, during PSP init, priv-\u003epsp is initialized to an incompletely\nbuilt psp struct. Additionally, on fs init failure priv-\u003epsp is reset to\nNULL.\n\nChange this so that only a fully initialized priv-\u003epsp is set, which\nmakes the code easier to reason about in failure scenarios.\n\nFixes: af2196f49480 (\"net/mlx5e: Implement PSP operations .assoc_add and .assoc_del\")\nSigned-off-by: Cosmin Ratiu \u003ccratiu@nvidia.com\u003e\nReviewed-by: Dragos Tatulea \u003cdtatulea@nvidia.com\u003e\nSigned-off-by: Tariq Toukan \u003ctariqt@nvidia.com\u003e\nLink: https://patch.msgid.link/20260504181100.269334-3-tariqt@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "ae9582cd0b9ccc4a121af300df68fd27f72e9822", "tree": "6e16ef323585c1e2ebbc982b288c1a75af3ac872", "parents": [ "0e7c074cfcd9bd93765505f9eb8b42f03ed2a744" ], "author": { "name": "Cosmin Ratiu", "email": "cratiu@nvidia.com", "time": "Mon May 04 21:10:58 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:09:04 2026 -0700" }, "message": "net/mlx5e: psp: Fix invalid access on PSP dev registration fail\n\npriv-\u003epsp-\u003epsp is initialized with the PSP device as returned by\npsp_dev_create(). This could also return an error, in which case a\nfuture psp_dev_unregister() will result in unpleasantness.\n\nAvoid that by using a local variable and only saving the PSP device when\nregistration succeeds.\n\nIn case psp_dev_create() fails, priv-\u003epsp and steering structs are left\nin place, but they will be inert. The unchecked access of priv-\u003epsp in\nmlx5e_psp_offload_handle_rx_skb() won\u0027t happen because without a PSP\ndevice, there can be no SAs added and therefore no packets will be\nsuccessfully decrypted and be handed off to the SW handler.\n\nFixes: 89ee2d92f66c (\"net/mlx5e: Support PSP offload functionality\")\nSigned-off-by: Cosmin Ratiu \u003ccratiu@nvidia.com\u003e\nReviewed-by: Dragos Tatulea \u003cdtatulea@nvidia.com\u003e\nSigned-off-by: Tariq Toukan \u003ctariqt@nvidia.com\u003e\nLink: https://patch.msgid.link/20260504181100.269334-2-tariqt@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "0e7c074cfcd9bd93765505f9eb8b42f03ed2a744", "tree": "db6792d984d12515470957bca8d107ba5dc13e63", "parents": [ "f83e07b29246f468bc7c99f98ca1897843fa8167" ], "author": { "name": "Pavitra Jha", "email": "jhapavitra98@gmail.com", "time": "Fri May 01 07:07:12 2026 -0400" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 19:05:11 2026 -0700" }, "message": "net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler\n\nt7xx_port_enum_msg_handler() uses the modem-supplied port_count field as\na loop bound over port_msg-\u003edata[] without checking that the message buffer\ncontains sufficient data. A modem sending port_count\u003d65535 in a 12-byte\nbuffer triggers a slab-out-of-bounds read of up to 262140 bytes.\n\nAdd a sizeof(*port_msg) check before accessing the port message header\nfields to guard against undersized messages.\n\nAdd a struct_size() check after extracting port_count and before the loop.\n\nIn t7xx_parse_host_rt_data(), guard the rt_feature header read with a\nremaining-buffer check before accessing data_len, validate feat_data_len\nagainst the actual remaining buffer to prevent OOB reads and signed\ninteger overflow on offset.\n\nPass msg_len from both call sites: skb-\u003elen at the DPMAIF path after\nskb_pull(), and the validated feat_data_len at the handshake path.\n\nFixes: da45d2566a1d (\"net: wwan: t7xx: Add control port\")\nCc: stable@vger.kernel.org\nSigned-off-by: Pavitra Jha \u003cjhapavitra98@gmail.com\u003e\nLink: https://patch.msgid.link/20260501110713.145563-1-jhapavitra98@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "f83e07b29246f468bc7c99f98ca1897843fa8167", "tree": "32c4a95fe703b917ae27622e07b0fc3b75701b45", "parents": [ "40aa9fcea0721f5b885eec2fb9aa526145e83797" ], "author": { "name": "Eric Dumazet", "email": "edumazet@google.com", "time": "Mon May 04 16:38:42 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 18:01:28 2026 -0700" }, "message": "net/sched: sch_fq_codel: annotate data-races from fq_codel_dump_class_stats()\n\nfq_codel_dump_class_stats() acquires qdisc spinlock only when requested\nto follow flow-\u003ehead chain.\n\nAs we did in sch_cake recently, add the missing READ_ONCE()/WRITE_ONCE()\nannotations.\n\nFixes: edb09eb17ed8 (\"net: sched: do not acquire qdisc spinlock in qdisc/class stats dump\")\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReviewed-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nLink: https://patch.msgid.link/20260504163842.1162001-1-edumazet@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "40aa9fcea0721f5b885eec2fb9aa526145e83797", "tree": "c576e0c39e3e503c0a69468859ba72588217ce39", "parents": [ "561a22d979a42f8c58f7757145e06d30bc2fa4ae", "8f78b749f3da0f43990490b4c1193b5ede3eec0a" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 17:55:25 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue May 05 17:55:25 2026 -0700" }, "message": "Merge tag \u0027nf-26-05-05\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf\n\nPablo Neira Ayuso says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nIPVS fixes for net\n\nThe following batch contains IPVS fixes for net to address issues\nfrom the latest net-next pull request.\n\nJulian Anastasov made the following summary:\n\n1-3) Fixes for the recently added resizable hash tables\n\n4) dest from trash can be leaked if ip_vs_start_estimator() fails\n\n5) fixed races and locking for the estimation kthreads\n\n6) fix for wrong roundup_pow_of_two() usage in the resizable hash\n tables\n\n7-8) v2 of the changes from Waiman Long to properly guard against\n the housekeeping_cpumask() updates:\n\n https://lore.kernel.org/netfilter-devel/20260331165015.2777765-1-longman@redhat.com/\n\n I added missing Fixes tag. The original description:\n\n Since commit 041ee6f3727a (\"kthread: Rely on HK_TYPE_DOMAIN for preferred\n affinity management\"), the HK_TYPE_KTHREAD housekeeping cpumask may no\n longer be correct in showing the actual CPU affinity of kthreads that\n have no predefined CPU affinity. As the ipvs networking code is still\n using HK_TYPE_KTHREAD, we need to make HK_TYPE_KTHREAD reflect the\n reality.\n\n This patch series makes HK_TYPE_KTHREAD an alias of HK_TYPE_DOMAIN\n and uses RCU to protect access to the HK_TYPE_KTHREAD housekeeping\n cpumask.\n\nJulian plans to post a nf-next patch to limit the connections by using\n\"conn_max\" sysctl. With Simon Horman, they agreed that this is an old\nproblem that we do not have a limit of connections and it is not a\nstopper for this patchset.\n\n* tag \u0027nf-26-05-05\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:\n sched/isolation: Make HK_TYPE_KTHREAD an alias of HK_TYPE_DOMAIN\n ipvs: Guard access of HK_TYPE_KTHREAD cpumask with RCU\n ipvs: fix shift-out-of-bounds in ip_vs_rht_desired_size\n ipvs: fix races around est_mutex and est_cpulist\n ipvs: do not leak dest after get from dest trash\n ipvs: fix the spin_lock usage for RT build\n ipvs: fix races around the conn_lfactor and svc_lfactor sysctl vars\n ipvs: fixes for the new ip_vs_status info\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260505001648.360569-1-pablo@netfilter.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" } ], "next": "561a22d979a42f8c58f7757145e06d30bc2fa4ae" }