)]}' { "log": [ { "commit": "bc0151c59e639c1311ee573434af74b4e2c81de4", "tree": "0837c4c5d41aa6cbb7bca30dcff3c05eaa9854a6", "parents": [ "7a4fc5ca79656955b88b6483f505321e1a683f0d", "27dfe9030acbc601c260b42ecdbb4e5858a97b53" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Mar 20 19:07:33 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Mar 20 19:07:33 2026 -0700" }, "message": "Merge branch \u0027net-bcmasp-fix-issues-during-driver-unbind\u0027\n\nJustin Chen says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnet: bcmasp: Fix issues during driver unbind\n\nFix two issues when we unbind the driver. We hit a double free of the\nWoL irq and a double disable of the clk.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260319234813.1937315-1-justin.chen@broadcom.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "27dfe9030acbc601c260b42ecdbb4e5858a97b53", "tree": "0837c4c5d41aa6cbb7bca30dcff3c05eaa9854a6", "parents": [ "cbfa5be2bf64511d49b854a0f9fd6d0b5118621f" ], "author": { "name": "Justin Chen", "email": "justin.chen@broadcom.com", "time": "Thu Mar 19 16:48:13 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Mar 20 19:07:28 2026 -0700" }, "message": "net: bcmasp: fix double disable of clk\n\nSwitch to devm_clk_get_optional() so we can manage the clock ourselves.\nWe dynamically control the clocks depending on the state of the interface\nfor power savings. The default state is clock disabled, so unbinding the\ndriver causes a double disable.\n\nFixes: 490cb412007d (\"net: bcmasp: Add support for ASP2.0 Ethernet controller\")\nSigned-off-by: Justin Chen \u003cjustin.chen@broadcom.com\u003e\nReviewed-by: Florian Fainelli \u003cflorian.fainelli@broadcom.com\u003e\nLink: https://patch.msgid.link/20260319234813.1937315-3-justin.chen@broadcom.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "cbfa5be2bf64511d49b854a0f9fd6d0b5118621f", "tree": "fad2fa92922a9e31ad3ae435f11c474b8e89bf78", "parents": [ "7a4fc5ca79656955b88b6483f505321e1a683f0d" ], "author": { "name": "Justin Chen", "email": "justin.chen@broadcom.com", "time": "Thu Mar 19 16:48:12 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Mar 20 19:07:28 2026 -0700" }, "message": "net: bcmasp: fix double free of WoL irq\n\nWe do not need to free wol_irq since it was instantiated with\ndevm_request_irq(). So devres will free for us.\n\nFixes: a2f0751206b0 (\"net: bcmasp: Add support for WoL magic packet\")\nSigned-off-by: Justin Chen \u003cjustin.chen@broadcom.com\u003e\nReviewed-by: Florian Fainelli \u003cflorian.fainelli@broadcom.com\u003e\nLink: https://patch.msgid.link/20260319234813.1937315-2-justin.chen@broadcom.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "7a4fc5ca79656955b88b6483f505321e1a683f0d", "tree": "63fdd98b3e4f7ef9fcb7ed564863647676753917", "parents": [ "24dd586bb4cbba1889a50abe74143817a095c1c9", "ee00a12593ffb69db4dd1a1c00ecb0253376874a" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Mar 20 19:05:14 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Mar 20 19:05:15 2026 -0700" }, "message": "Merge branch \u0027rtnetlink-add-missing-attributes-in-if_nlmsg_size\u0027\n\nSabrina Dubroca says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nrtnetlink: add missing attributes in if_nlmsg_size\n\nOnce again we have some attributes added by rtnl_fill_ifinfo() that\naren\u0027t counted in if_nlmsg_size().\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/cover.1773919462.git.sd@queasysnail.net\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "ee00a12593ffb69db4dd1a1c00ecb0253376874a", "tree": "63fdd98b3e4f7ef9fcb7ed564863647676753917", "parents": [ "52501989c76206462d9b11a8485beef40ef41821" ], "author": { "name": "Sabrina Dubroca", "email": "sd@queasysnail.net", "time": "Fri Mar 20 00:02:53 2026 +0100" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Mar 20 19:05:12 2026 -0700" }, "message": "rtnetlink: count IFLA_INFO_SLAVE_KIND in if_nlmsg_size\n\nrtnl_link_get_slave_info_data_size counts IFLA_INFO_SLAVE_DATA, but\nrtnl_link_slave_info_fill adds both IFLA_INFO_SLAVE_DATA and\nIFLA_INFO_SLAVE_KIND.\n\nFixes: ba7d49b1f0f8 (\"rtnetlink: provide api for getting and setting slave info\")\nReviewed-by: Jiri Pirko \u003cjiri@nvidia.com\u003e\nSigned-off-by: Sabrina Dubroca \u003csd@queasysnail.net\u003e\nLink: https://patch.msgid.link/049843b532e23cde7ddba263c0bbe35ba6f0d26d.1773919462.git.sd@queasysnail.net\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "52501989c76206462d9b11a8485beef40ef41821", "tree": "72d9eaf805b050cde39c101bb0faefed27445112", "parents": [ "24dd586bb4cbba1889a50abe74143817a095c1c9" ], "author": { "name": "Sabrina Dubroca", "email": "sd@queasysnail.net", "time": "Fri Mar 20 00:02:52 2026 +0100" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Mar 20 19:05:11 2026 -0700" }, "message": "rtnetlink: count IFLA_PARENT_DEV_{NAME,BUS_NAME} in if_nlmsg_size\n\nCommit 00e77ed8e64d (\"rtnetlink: add IFLA_PARENT_[DEV|DEV_BUS]_NAME\")\nadded those attributes to rtnl_fill_ifinfo, but forgot to extend\nif_nlmsg_size.\n\nFixes: 00e77ed8e64d (\"rtnetlink: add IFLA_PARENT_[DEV|DEV_BUS]_NAME\")\nSigned-off-by: Sabrina Dubroca \u003csd@queasysnail.net\u003e\nLink: https://patch.msgid.link/0b849da95562af45487080528d60f578636aba5c.1773919462.git.sd@queasysnail.net\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "24dd586bb4cbba1889a50abe74143817a095c1c9", "tree": "2a165576a9e8ba355999f1d11aa618a637379692", "parents": [ "546b68ac893595877ffbd7751e5c55fd1c43ede6" ], "author": { "name": "Qi Tang", "email": "tpluszz77@gmail.com", "time": "Wed Mar 18 14:48:47 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Mar 20 18:59:30 2026 -0700" }, "message": "net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer\n\nsmc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores\nthe pointer in pipe_buffer.private. The pipe_buf_operations for these\nbuffers used .get \u003d generic_pipe_buf_get, which only increments the page\nreference count when tee(2) duplicates a pipe buffer. The smc_spd_priv\npointer itself was not handled, so after tee() both the original and the\ncloned pipe_buffer share the same smc_spd_priv *.\n\nWhen both pipes are subsequently released, smc_rx_pipe_buf_release() is\ncalled twice against the same object:\n\n 1st call: kfree(priv) sock_put(sk) smc_rx_update_cons() [correct]\n 2nd call: kfree(priv) sock_put(sk) smc_rx_update_cons() [UAF]\n\nKASAN reports a slab-use-after-free in smc_rx_pipe_buf_release(), which\nthen escalates to a NULL-pointer dereference and kernel panic via\nsmc_rx_update_consumer() when it chases the freed priv-\u003esmc pointer:\n\n BUG: KASAN: slab-use-after-free in smc_rx_pipe_buf_release+0x78/0x2a0\n Read of size 8 at addr ffff888004a45740 by task smc_splice_tee_/74\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x53/0x70\n print_report+0xce/0x650\n kasan_report+0xc6/0x100\n smc_rx_pipe_buf_release+0x78/0x2a0\n free_pipe_info+0xd4/0x130\n pipe_release+0x142/0x160\n __fput+0x1c6/0x490\n __x64_sys_close+0x4f/0x90\n do_syscall_64+0xa6/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\n BUG: kernel NULL pointer dereference, address: 0000000000000020\n RIP: 0010:smc_rx_update_consumer+0x8d/0x350\n Call Trace:\n \u003cTASK\u003e\n smc_rx_pipe_buf_release+0x121/0x2a0\n free_pipe_info+0xd4/0x130\n pipe_release+0x142/0x160\n __fput+0x1c6/0x490\n __x64_sys_close+0x4f/0x90\n do_syscall_64+0xa6/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n Kernel panic - not syncing: Fatal exception\n\nBeyond the memory-safety problem, duplicating an SMC splice buffer is\nsemantically questionable: smc_rx_update_cons() would advance the\nconsumer cursor twice for the same data, corrupting receive-window\naccounting. A refcount on smc_spd_priv could fix the double-free, but\nthe cursor-accounting issue would still need to be addressed separately.\n\nThe .get callback is invoked by both tee(2) and splice_pipe_to_pipe()\nfor partial transfers; both will now return -EFAULT. Users who need\nto duplicate SMC socket data must use a copy-based read path.\n\nFixes: 9014db202cb7 (\"smc: add support for splice()\")\nSigned-off-by: Qi Tang \u003ctpluszz77@gmail.com\u003e\nLink: https://patch.msgid.link/20260318064847.23341-1-tpluszz77@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "546b68ac893595877ffbd7751e5c55fd1c43ede6", "tree": "2a4f4ab3d5daf63afee21560f4858d30d1f58a76", "parents": [ "6931d21f87bc6d657f145798fad0bf077b82486c" ], "author": { "name": "Yang Yang", "email": "n05ec@lzu.edu.cn", "time": "Thu Mar 19 08:02:27 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Mar 20 18:37:31 2026 -0700" }, "message": "openvswitch: validate MPLS set/set_masked payload length\n\nvalidate_set() accepted OVS_KEY_ATTR_MPLS as variable-sized payload for\nSET/SET_MASKED actions. In action handling, OVS expects fixed-size\nMPLS key data (struct ovs_key_mpls).\n\nUse the already normalized key_len (masked case included) and reject\nnon-matching MPLS action key sizes.\n\nReject invalid MPLS action payload lengths early.\n\nFixes: fbdcdd78da7c (\"Change in Openvswitch to support MPLS label depth of 3 in ingress direction\")\nReported-by: Yifan Wu \u003cyifanwucs@gmail.com\u003e\nReported-by: Juefei Pu \u003ctomapufckgml@gmail.com\u003e\nTested-by: Ao Zhou \u003cn05ec@lzu.edu.cn\u003e\nCo-developed-by: Yuan Tan \u003ctanyuan98@outlook.com\u003e\nSigned-off-by: Yuan Tan \u003ctanyuan98@outlook.com\u003e\nSuggested-by: Xin Liu \u003cbird@lzu.edu.cn\u003e\nSigned-off-by: Yang Yang \u003cn05ec@lzu.edu.cn\u003e\nReviewed-by: Ilya Maximets \u003ci.maximets@ovn.org\u003e\nLink: https://patch.msgid.link/20260319080228.3423307-1-n05ec@lzu.edu.cn\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "6931d21f87bc6d657f145798fad0bf077b82486c", "tree": "a556c22b6ffda33b82fbf86196a02fdfa99c3342", "parents": [ "e069034bd660c7dff408f5906d89c5b396e96838" ], "author": { "name": "Yang Yang", "email": "n05ec@lzu.edu.cn", "time": "Thu Mar 19 07:42:41 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Mar 20 18:36:29 2026 -0700" }, "message": "openvswitch: defer tunnel netdev_put to RCU release\n\novs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already\ndetached the device. Dropping the netdev reference in destroy can race\nwith concurrent readers that still observe vport-\u003edev.\n\nDo not release vport-\u003edev in ovs_netdev_tunnel_destroy(). Instead, let\nvport_netdev_free() drop the reference from the RCU callback, matching\nthe non-tunnel destroy path and avoiding additional synchronization\nunder RTNL.\n\nFixes: a9020fde67a6 (\"openvswitch: Move tunnel destroy function to oppenvswitch module.\")\nReported-by: Yifan Wu \u003cyifanwucs@gmail.com\u003e\nReported-by: Juefei Pu \u003ctomapufckgml@gmail.com\u003e\nTested-by: Ao Zhou \u003cn05ec@lzu.edu.cn\u003e\nCo-developed-by: Yuan Tan \u003ctanyuan98@outlook.com\u003e\nSigned-off-by: Yuan Tan \u003ctanyuan98@outlook.com\u003e\nSuggested-by: Xin Liu \u003cbird@lzu.edu.cn\u003e\nSigned-off-by: Yang Yang \u003cn05ec@lzu.edu.cn\u003e\nReviewed-by: Ilya Maximets \u003ci.maximets@ovn.org\u003e\nLink: https://patch.msgid.link/20260319074241.3405262-1-n05ec@lzu.edu.cn\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "e069034bd660c7dff408f5906d89c5b396e96838", "tree": "ac4ee0635da6b729f464705ecd04f2779857f374", "parents": [ "7c770dadfda5cbbde6aa3c4363ed513f1d212bf8", "baa35a698cea26930679a20a7550bbb4c8319725" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Mar 20 18:25:03 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Mar 20 18:25:03 2026 -0700" }, "message": "Merge branch \u0027net-macb-fix-two-lock-warnings-when-wol-is-used\u0027\n\nKevin Hao says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnet: macb: Fix two lock warnings when WOL is used\n\nThis patch series addresses two lock warnings that occur when using WOL as a\nwakeup source on my AMD ZynqMP board.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260318-macb-irq-v2-0-f1179768ab24@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "baa35a698cea26930679a20a7550bbb4c8319725", "tree": "ac4ee0635da6b729f464705ecd04f2779857f374", "parents": [ "317e49358ebbf6390fa439ef3c142f9239dd25fb" ], "author": { "name": "Kevin Hao", "email": "haokexin@gmail.com", "time": "Wed Mar 18 14:36:59 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Mar 20 18:25:01 2026 -0700" }, "message": "net: macb: Protect access to net_device::ip_ptr with RCU lock\n\nAccess to net_device::ip_ptr and its associated members must be\nprotected by an RCU lock. Since we are modifying this piece of code,\nlet\u0027s also move it to execute only when WAKE_ARP is enabled.\n\nTo minimize the duration of the RCU lock, a local variable is used to\ntemporarily store the IP address. This change resolves the following\nRCU check warning:\n WARNING: suspicious RCU usage\n 7.0.0-rc3-next-20260310-yocto-standard+ #122 Not tainted\n -----------------------------\n drivers/net/ethernet/cadence/macb_main.c:5944 suspicious rcu_dereference_check() usage!\n\n other info that might help us debug this:\n\n rcu_scheduler_active \u003d 2, debug_locks \u003d 1\n 5 locks held by rtcwake/518:\n #0: ffff000803ab1408 (sb_writers#5){.+.+}-{0:0}, at: vfs_write+0xf8/0x368\n #1: ffff0008090bf088 (\u0026of-\u003emutex#2){+.+.}-{4:4}, at: kernfs_fop_write_iter+0xbc/0x1c8\n #2: ffff00080098d588 (kn-\u003eactive#70){.+.+}-{0:0}, at: kernfs_fop_write_iter+0xcc/0x1c8\n #3: ffff800081c84888 (system_transition_mutex){+.+.}-{4:4}, at: pm_suspend+0x1ec/0x290\n #4: ffff0008009ba0f8 (\u0026dev-\u003emutex){....}-{4:4}, at: device_suspend+0x118/0x4f0\n\n stack backtrace:\n CPU: 3 UID: 0 PID: 518 Comm: rtcwake Not tainted 7.0.0-rc3-next-20260310-yocto-standard+ #122 PREEMPT\n Hardware name: ZynqMP ZCU102 Rev1.1 (DT)\n Call trace:\n show_stack+0x24/0x38 (C)\n __dump_stack+0x28/0x38\n dump_stack_lvl+0x64/0x88\n dump_stack+0x18/0x24\n lockdep_rcu_suspicious+0x134/0x1d8\n macb_suspend+0xd8/0x4c0\n device_suspend+0x218/0x4f0\n dpm_suspend+0x244/0x3a0\n dpm_suspend_start+0x50/0x78\n suspend_devices_and_enter+0xec/0x560\n pm_suspend+0x194/0x290\n state_store+0x110/0x158\n kobj_attr_store+0x1c/0x30\n sysfs_kf_write+0xa8/0xd0\n kernfs_fop_write_iter+0x11c/0x1c8\n vfs_write+0x248/0x368\n ksys_write+0x7c/0xf8\n __arm64_sys_write+0x28/0x40\n invoke_syscall+0x4c/0xe8\n el0_svc_common+0x98/0xf0\n do_el0_svc+0x28/0x40\n el0_svc+0x54/0x1e0\n el0t_64_sync_handler+0x84/0x130\n el0t_64_sync+0x198/0x1a0\n\nFixes: 0cb8de39a776 (\"net: macb: Add ARP support to WOL\")\nSigned-off-by: Kevin Hao \u003chaokexin@gmail.com\u003e\nCc: stable@vger.kernel.org\nReviewed-by: Théo Lebrun \u003ctheo.lebrun@bootlin.com\u003e\nLink: https://patch.msgid.link/20260318-macb-irq-v2-2-f1179768ab24@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "317e49358ebbf6390fa439ef3c142f9239dd25fb", "tree": "04b0df85fcbb815af6c6f01347073d245fc702f8", "parents": [ "7c770dadfda5cbbde6aa3c4363ed513f1d212bf8" ], "author": { "name": "Kevin Hao", "email": "haokexin@gmail.com", "time": "Wed Mar 18 14:36:58 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Mar 20 18:25:01 2026 -0700" }, "message": "net: macb: Move devm_{free,request}_irq() out of spin lock area\n\nThe devm_free_irq() and devm_request_irq() functions should not be\nexecuted in an atomic context.\n\nDuring device suspend, all userspace processes and most kernel threads\nare frozen. Additionally, we flush all tx/rx status, disable all macb\ninterrupts, and halt rx operations. Therefore, it is safe to split the\nregion protected by bp-\u003elock into two independent sections, allowing\ndevm_free_irq() and devm_request_irq() to run in a non-atomic context.\nThis modification resolves the following lockdep warning:\n BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591\n in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 501, name: rtcwake\n preempt_count: 1, expected: 0\n RCU nest depth: 1, expected: 0\n 7 locks held by rtcwake/501:\n #0: ffff0008038c3408 (sb_writers#5){.+.+}-{0:0}, at: vfs_write+0xf8/0x368\n #1: ffff0008049a5e88 (\u0026of-\u003emutex#2){+.+.}-{4:4}, at: kernfs_fop_write_iter+0xbc/0x1c8\n #2: ffff00080098d588 (kn-\u003eactive#70){.+.+}-{0:0}, at: kernfs_fop_write_iter+0xcc/0x1c8\n #3: ffff800081c84888 (system_transition_mutex){+.+.}-{4:4}, at: pm_suspend+0x1ec/0x290\n #4: ffff0008009ba0f8 (\u0026dev-\u003emutex){....}-{4:4}, at: device_suspend+0x118/0x4f0\n #5: ffff800081d00458 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x4/0x48\n #6: ffff0008031fb9e0 (\u0026bp-\u003elock){-.-.}-{3:3}, at: macb_suspend+0x144/0x558\n irq event stamp: 8682\n hardirqs last enabled at (8681): [\u003cffff8000813c7d7c\u003e] _raw_spin_unlock_irqrestore+0x44/0x88\n hardirqs last disabled at (8682): [\u003cffff8000813c7b58\u003e] _raw_spin_lock_irqsave+0x38/0x98\n softirqs last enabled at (7322): [\u003cffff8000800f1b4c\u003e] handle_softirqs+0x52c/0x588\n softirqs last disabled at (7317): [\u003cffff800080010310\u003e] __do_softirq+0x20/0x2c\n CPU: 1 UID: 0 PID: 501 Comm: rtcwake Not tainted 7.0.0-rc3-next-20260310-yocto-standard+ #125 PREEMPT\n Hardware name: ZynqMP ZCU102 Rev1.1 (DT)\n Call trace:\n show_stack+0x24/0x38 (C)\n __dump_stack+0x28/0x38\n dump_stack_lvl+0x64/0x88\n dump_stack+0x18/0x24\n __might_resched+0x200/0x218\n __might_sleep+0x38/0x98\n __mutex_lock_common+0x7c/0x1378\n mutex_lock_nested+0x38/0x50\n free_irq+0x68/0x2b0\n devm_irq_release+0x24/0x38\n devres_release+0x40/0x80\n devm_free_irq+0x48/0x88\n macb_suspend+0x298/0x558\n device_suspend+0x218/0x4f0\n dpm_suspend+0x244/0x3a0\n dpm_suspend_start+0x50/0x78\n suspend_devices_and_enter+0xec/0x560\n pm_suspend+0x194/0x290\n state_store+0x110/0x158\n kobj_attr_store+0x1c/0x30\n sysfs_kf_write+0xa8/0xd0\n kernfs_fop_write_iter+0x11c/0x1c8\n vfs_write+0x248/0x368\n ksys_write+0x7c/0xf8\n __arm64_sys_write+0x28/0x40\n invoke_syscall+0x4c/0xe8\n el0_svc_common+0x98/0xf0\n do_el0_svc+0x28/0x40\n el0_svc+0x54/0x1e0\n el0t_64_sync_handler+0x84/0x130\n el0t_64_sync+0x198/0x1a0\n\nFixes: 558e35ccfe95 (\"net: macb: WoL support for GEM type of Ethernet controller\")\nCc: stable@vger.kernel.org\nReviewed-by: Théo Lebrun \u003ctheo.lebrun@bootlin.com\u003e\nSigned-off-by: Kevin Hao \u003chaokexin@gmail.com\u003e\nLink: https://patch.msgid.link/20260318-macb-irq-v2-1-f1179768ab24@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "7c770dadfda5cbbde6aa3c4363ed513f1d212bf8", "tree": "f875d4b6792e3fece8685f43154ff6b5b5a3745e", "parents": [ "4527025d440ce84bf56e75ce1df2e84cb8178616" ], "author": { "name": "Toke Høiland-Jørgensen", "email": "toke@redhat.com", "time": "Wed Mar 18 16:55:51 2026 +0100" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Mar 19 17:15:37 2026 -0700" }, "message": "net: openvswitch: Avoid releasing netdev before teardown completes\n\nThe patch cited in the Fixes tag below changed the teardown code for\nOVS ports to no longer unconditionally take the RTNL. After this change,\nthe netdev_destroy() callback can proceed immediately to the call_rcu()\ninvocation if the IFF_OVS_DATAPATH flag is already cleared on the\nnetdev.\n\nThe ovs_netdev_detach_dev() function clears the flag before completing\nthe unregistration, and if it gets preempted after clearing the flag (as\ncan happen on an -rt kernel), netdev_destroy() can complete and the\ndevice can be freed before the unregistration completes. This leads to a\nsplat like:\n\n[ 998.393867] Oops: general protection fault, probably for non-canonical address 0xff00000001000239: 0000 [#1] SMP PTI\n[ 998.393877] CPU: 42 UID: 0 PID: 55177 Comm: ip Kdump: loaded Not tainted 6.12.0-211.1.1.el10_2.x86_64+rt #1 PREEMPT_RT\n[ 998.393886] Hardware name: Dell Inc. PowerEdge R740/0JMK61, BIOS 2.24.0 03/27/2025\n[ 998.393889] RIP: 0010:dev_set_promiscuity+0x8d/0xa0\n[ 998.393901] Code: 00 00 75 d8 48 8b 53 08 48 83 ba b0 02 00 00 00 75 ca 48 83 c4 08 5b c3 cc cc cc cc 48 83 bf 48 09 00 00 00 75 91 48 8b 47 08 \u003c48\u003e 83 b8 b0 02 00 00 00 74 97 eb 81 0f 1f 80 00 00 00 00 90 90 90\n[ 998.393906] RSP: 0018:ffffce5864a5f6a0 EFLAGS: 00010246\n[ 998.393912] RAX: ff00000000ffff89 RBX: ffff894d0adf5a05 RCX: 0000000000000000\n[ 998.393917] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffff894d0adf5a05\n[ 998.393921] RBP: ffff894d19252000 R08: ffff894d19252000 R09: 0000000000000000\n[ 998.393924] R10: ffff894d19252000 R11: ffff894d192521b8 R12: 0000000000000006\n[ 998.393927] R13: ffffce5864a5f738 R14: 00000000ffffffe2 R15: 0000000000000000\n[ 998.393931] FS: 00007fad61971800(0000) GS:ffff894cc0140000(0000) knlGS:0000000000000000\n[ 998.393936] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 998.393940] CR2: 000055df0a2a6e40 CR3: 000000011c7fe003 CR4: 00000000007726f0\n[ 998.393944] PKRU: 55555554\n[ 998.393946] Call Trace:\n[ 998.393949] \u003cTASK\u003e\n[ 998.393952] ? show_trace_log_lvl+0x1b0/0x2f0\n[ 998.393961] ? show_trace_log_lvl+0x1b0/0x2f0\n[ 998.393975] ? dp_device_event+0x41/0x80 [openvswitch]\n[ 998.394009] ? __die_body.cold+0x8/0x12\n[ 998.394016] ? die_addr+0x3c/0x60\n[ 998.394027] ? exc_general_protection+0x16d/0x390\n[ 998.394042] ? asm_exc_general_protection+0x26/0x30\n[ 998.394058] ? dev_set_promiscuity+0x8d/0xa0\n[ 998.394066] ? ovs_netdev_detach_dev+0x3a/0x80 [openvswitch]\n[ 998.394092] dp_device_event+0x41/0x80 [openvswitch]\n[ 998.394102] notifier_call_chain+0x5a/0xd0\n[ 998.394106] unregister_netdevice_many_notify+0x51b/0xa60\n[ 998.394110] rtnl_dellink+0x169/0x3e0\n[ 998.394121] ? rt_mutex_slowlock.constprop.0+0x95/0xd0\n[ 998.394125] rtnetlink_rcv_msg+0x142/0x3f0\n[ 998.394128] ? avc_has_perm_noaudit+0x69/0xf0\n[ 998.394130] ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n[ 998.394132] netlink_rcv_skb+0x50/0x100\n[ 998.394138] netlink_unicast+0x292/0x3f0\n[ 998.394141] netlink_sendmsg+0x21b/0x470\n[ 998.394145] ____sys_sendmsg+0x39d/0x3d0\n[ 998.394149] ___sys_sendmsg+0x9a/0xe0\n[ 998.394156] __sys_sendmsg+0x7a/0xd0\n[ 998.394160] do_syscall_64+0x7f/0x170\n[ 998.394162] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 998.394165] RIP: 0033:0x7fad61bf4724\n[ 998.394188] Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d c5 e9 0c 00 00 74 13 b8 2e 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89\n[ 998.394189] RSP: 002b:00007ffd7e2f7cb8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n[ 998.394191] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fad61bf4724\n[ 998.394193] RDX: 0000000000000000 RSI: 00007ffd7e2f7d20 RDI: 0000000000000003\n[ 998.394194] RBP: 00007ffd7e2f7d90 R08: 0000000000000010 R09: 000000000000003f\n[ 998.394195] R10: 000055df11558010 R11: 0000000000000202 R12: 00007ffd7e2f8380\n[ 998.394196] R13: 0000000069b233d7 R14: 000055df0a256040 R15: 0000000000000000\n[ 998.394200] \u003c/TASK\u003e\n\nTo fix this, reorder the operations in ovs_netdev_detach_dev() to only\nclear the flag after completing the other operations, and introduce an\nsmp_wmb() to make the ordering requirement explicit. The smp_wmb() is\npaired with a full smp_mb() in netdev_destroy() to make sure the\ncall_rcu() invocation does not happen before the unregister operations\nare visible.\n\nReported-by: Minxi Hou \u003cmhou@redhat.com\u003e\nTested-by: Minxi Hou \u003cmhou@redhat.com\u003e\nFixes: 549822767630 (\"net: openvswitch: Avoid needlessly taking the RTNL on vport destroy\")\nSigned-off-by: Toke Høiland-Jørgensen \u003ctoke@redhat.com\u003e\nLink: https://patch.msgid.link/20260318155554.1133405-1-toke@redhat.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "4527025d440ce84bf56e75ce1df2e84cb8178616", "tree": "4db6f55aeb815d818046869d809a997a2de74113", "parents": [ "57ce3b2e9cdabcbc4d5a10f0e97a1399058c7417" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue Mar 17 12:33:34 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Mar 19 16:56:18 2026 -0700" }, "message": "nfc: nci: fix circular locking dependency in nci_close_device\n\nnci_close_device() flushes rx_wq and tx_wq while holding req_lock.\nThis causes a circular locking dependency because nci_rx_work()\nrunning on rx_wq can end up taking req_lock too:\n\n nci_rx_work -\u003e nci_rx_data_packet -\u003e nci_data_exchange_complete\n -\u003e __sk_destruct -\u003e rawsock_destruct -\u003e nfc_deactivate_target\n -\u003e nci_deactivate_target -\u003e nci_request -\u003e mutex_lock(\u0026ndev-\u003ereq_lock)\n\nMove the flush of rx_wq after req_lock has been released.\nThis should safe (I think) because NCI_UP has already been cleared\nand the transport is closed, so the work will see it and return\n-ENETDOWN.\n\nNIPA has been hitting this running the nci selftest with a debug\nkernel on roughly 4% of the runs.\n\nFixes: 6a2968aaf50c (\"NFC: basic NCI protocol implementation\")\nReviewed-by: Ian Ray \u003cian.ray@gehealthcare.com\u003e\nLink: https://patch.msgid.link/20260317193334.988609-1-kuba@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "57ce3b2e9cdabcbc4d5a10f0e97a1399058c7417", "tree": "91375155b0354483e73e300429659ea73ebaed83", "parents": [ "cbcb3cfcdc436d6f91a3d95ecfa9c831abe14aed", "761fb8ec8778f0caf2bba5a41e3cff1ea86974f3" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Mar 19 16:49:38 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Mar 19 16:49:38 2026 -0700" }, "message": "Merge tag \u0027for-net-2026-03-19\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth\n\nLuiz Augusto von Dentz says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbluetooth pull request for net:\n\n - hci_ll: Fix firmware leak on error path\n - hci_sync: annotate data-races around hdev-\u003ereq_status\n - L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb\n - L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()\n - L2CAP: Fix regressions caused by reusing ident\n - L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req\n - MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete\n - SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold\n\n* tag \u0027for-net-2026-03-19\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:\n Bluetooth: L2CAP: Fix regressions caused by reusing ident\n Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb\n Bluetooth: hci_ll: Fix firmware leak on error path\n Bluetooth: hci_sync: annotate data-races around hdev-\u003ereq_status\n Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete\n Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold\n Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()\n Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260319190455.135302-1-luiz.dentz@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "cbcb3cfcdc436d6f91a3d95ecfa9c831abe14aed", "tree": "0a6e40dc950427fbab497cfb05879cfdf7e4d327", "parents": [ "a1d9d8e833781c44ab688708804ce35f20f3cbbd" ], "author": { "name": "Mohammad Heib", "email": "mheib@redhat.com", "time": "Tue Mar 17 19:08:06 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Mar 19 15:45:30 2026 -0700" }, "message": "ionic: fix persistent MAC address override on PF\n\nThe use of IONIC_CMD_LIF_SETATTR in the MAC address update path causes\nthe ionic firmware to update the LIF\u0027s identity in its persistent state.\nSince the firmware state is maintained across host warm boots and driver\nreloads, any MAC change on the Physical Function (PF) becomes \"sticky.\n\nThis is problematic because it causes ethtool -P to report the\nuser-configured MAC as the permanent factory address, which breaks\nsystem management tools that rely on a stable hardware identity.\n\nWhile Virtual Functions (VFs) need this hardware-level programming to\nproperly handle MAC assignments in guest environments, the PF should\nmaintain standard transient behavior. This patch gates the\nionic_program_mac call using is_virtfn so that PF MAC changes remain\nlocal to the netdev filters and do not overwrite the firmware\u0027s\npermanent identity block.\n\nFixes: 19058be7c48c (\"ionic: VF initial random MAC address if no assigned mac\")\nSigned-off-by: Mohammad Heib \u003cmheib@redhat.com\u003e\nReviewed-by: Simon Horman \u003chorms@kernel.org\u003e\nReviewed-by: Brett Creeley \u003cbrett.creeley@amd.com\u003e\nLink: https://patch.msgid.link/20260317170806.35390-1-mheib@redhat.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "761fb8ec8778f0caf2bba5a41e3cff1ea86974f3", "tree": "c637735494a965e1143dcc75cd36c487d4a6b631", "parents": [ "b6552e0503973daf6f23bd6ed9273ef131ee364f" ], "author": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Mar 17 11:54:01 2026 -0400" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 19 14:44:25 2026 -0400" }, "message": "Bluetooth: L2CAP: Fix regressions caused by reusing ident\n\nThis attempt to fix regressions caused by reusing ident which apparently\nis not handled well on certain stacks causing the stack to not respond to\nrequests, so instead of simple returning the first unallocated id this\nstores the last used tx_ident and then attempt to use the next until all\navailable ids are exausted and then cycle starting over to 1.\n\nLink: https://bugzilla.kernel.org/show_bug.cgi?id\u003d221120\nLink: https://bugzilla.kernel.org/show_bug.cgi?id\u003d221177\nFixes: 6c3ea155e5ee (\"Bluetooth: L2CAP: Fix not tracking outstanding TX ident\")\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\nTested-by: Christian Eggers \u003cceggers@arri.de\u003e\n" }, { "commit": "b6552e0503973daf6f23bd6ed9273ef131ee364f", "tree": "914bfd44e9175f42357b4101f99620ea12071ee3", "parents": [ "31148a7be723aa9f2e8fbd62424825ab8d577973" ], "author": { "name": "Helen Koike", "email": "koike@igalia.com", "time": "Thu Mar 19 08:58:01 2026 -0300" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 19 14:44:04 2026 -0400" }, "message": "Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb\n\nBefore using sk pointer, check if it is null.\n\nFix the following:\n\n KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267]\n CPU: 0 UID: 0 PID: 5985 Comm: kworker/0:5 Not tainted 7.0.0-rc4-00029-ga989fde763f4 #1 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-9.fc43 06/10/2025\n Workqueue: events l2cap_info_timeout\n RIP: 0010:kasan_byte_accessible+0x12/0x30\n Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df \u003c0f\u003e b6 04 07 3c 08 0f 92 c0 c3 cc cce\n veth0_macvtap: entered promiscuous mode\n RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001\n RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c\n RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000\n R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001\n FS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005582615a5008 CR3: 000000007007e000 CR4: 0000000000752ef0\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n __kasan_check_byte+0x12/0x40\n lock_acquire+0x79/0x2e0\n lock_sock_nested+0x48/0x100\n ? l2cap_sock_ready_cb+0x46/0x160\n l2cap_sock_ready_cb+0x46/0x160\n l2cap_conn_start+0x779/0xff0\n ? __pfx_l2cap_conn_start+0x10/0x10\n ? l2cap_info_timeout+0x60/0xa0\n ? __pfx___mutex_lock+0x10/0x10\n l2cap_info_timeout+0x68/0xa0\n ? process_scheduled_works+0xa8d/0x18c0\n process_scheduled_works+0xb6e/0x18c0\n ? __pfx_process_scheduled_works+0x10/0x10\n ? assign_work+0x3d5/0x5e0\n worker_thread+0xa53/0xfc0\n kthread+0x388/0x470\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x51e/0xb90\n ? __pfx_ret_from_fork+0x10/0x10\n veth1_macvtap: entered promiscuous mode\n ? __switch_to+0xc7d/0x1450\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n Modules linked in:\n ---[ end trace 0000000000000000 ]---\n batman_adv: batadv0: Interface activated: batadv_slave_0\n batman_adv: batadv0: Interface activated: batadv_slave_1\n netdevsim netdevsim7 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0\n netdevsim netdevsim7 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0\n netdevsim netdevsim7 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0\n netdevsim netdevsim7 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0\n RIP: 0010:kasan_byte_accessible+0x12/0x30\n Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df \u003c0f\u003e b6 04 07 3c 08 0f 92 c0 c3 cc cce\n ieee80211 phy39: Selected rate control algorithm \u0027minstrel_ht\u0027\n RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001\n RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c\n RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000\n R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001\n FS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f7e16139e9c CR3: 000000000e74e000 CR4: 0000000000752ef0\n PKRU: 55555554\n Kernel panic - not syncing: Fatal exception\n\nFixes: 54a59aa2b562 (\"Bluetooth: Add l2cap_chan-\u003eops-\u003eready()\")\nSigned-off-by: Helen Koike \u003ckoike@igalia.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "31148a7be723aa9f2e8fbd62424825ab8d577973", "tree": "1c3db5707bd1f94b1869bd1c1bd3d3c0efeb3cdf", "parents": [ "b6807cfc195ef99e1ac37b2e1e60df40295daa8c" ], "author": { "name": "Anas Iqbal", "email": "mohd.abd.6602@gmail.com", "time": "Sun Mar 15 10:51:37 2026 +0000" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 19 14:43:43 2026 -0400" }, "message": "Bluetooth: hci_ll: Fix firmware leak on error path\n\nSmatch reports:\n\ndrivers/bluetooth/hci_ll.c:587 download_firmware() warn:\n\u0027fw\u0027 from request_firmware() not released on lines: 544.\n\nIn download_firmware(), if request_firmware() succeeds but the returned\nfirmware content is invalid (no data or zero size), the function returns\nwithout releasing the firmware, resulting in a resource leak.\n\nFix this by calling release_firmware() before returning when\nrequest_firmware() succeeded but the firmware content is invalid.\n\nFixes: 371805522f87 (\"bluetooth: hci_uart: add LL protocol serdev driver support\")\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nSigned-off-by: Anas Iqbal \u003cmohd.abd.6602@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "b6807cfc195ef99e1ac37b2e1e60df40295daa8c", "tree": "58a47a756fdc95b9f07b4fcfde36f0c57cdae562", "parents": [ "5f5fa4cd35f707344f65ce9e225b6528691dbbaa" ], "author": { "name": "Cen Zhang", "email": "zzzccc427@gmail.com", "time": "Sun Mar 15 20:07:26 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 19 14:43:20 2026 -0400" }, "message": "Bluetooth: hci_sync: annotate data-races around hdev-\u003ereq_status\n\n__hci_cmd_sync_sk() sets hdev-\u003ereq_status under hdev-\u003ereq_lock:\n\n hdev-\u003ereq_status \u003d HCI_REQ_PEND;\n\nHowever, several other functions read or write hdev-\u003ereq_status without\nholding any lock:\n\n - hci_send_cmd_sync() reads req_status in hci_cmd_work (workqueue)\n - hci_cmd_sync_complete() reads/writes from HCI event completion\n - hci_cmd_sync_cancel() / hci_cmd_sync_cancel_sync() read/write\n - hci_abort_conn() reads in connection abort path\n\nSince __hci_cmd_sync_sk() runs on hdev-\u003ereq_workqueue while\nhci_send_cmd_sync() runs on hdev-\u003eworkqueue, these are different\nworkqueues that can execute concurrently on different CPUs. The plain\nC accesses constitute a data race.\n\nAdd READ_ONCE()/WRITE_ONCE() annotations on all concurrent accesses\nto hdev-\u003ereq_status to prevent potential compiler optimizations that\ncould affect correctness (e.g., load fusing in the wait_event\ncondition or store reordering).\n\nSigned-off-by: Cen Zhang \u003czzzccc427@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "5f5fa4cd35f707344f65ce9e225b6528691dbbaa", "tree": "85a39e4c6b5db47768fea5749c9838d7549b33bb", "parents": [ "598dbba9919c5e36c54fe1709b557d64120cb94b" ], "author": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Mon Mar 16 15:03:27 2026 -0400" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 19 14:42:57 2026 -0400" }, "message": "Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete\n\nThis fixes the condition checking so mgmt_pending_valid is executed\nwhenever status !\u003d -ECANCELED otherwise calling mgmt_pending_free(cmd)\nwould kfree(cmd) without unlinking it from the list first, leaving a\ndangling pointer. Any subsequent list traversal (e.g.,\nmgmt_pending_foreach during __mgmt_power_off, or another\nmgmt_pending_valid call) would dereference freed memory.\n\nLink: https://lore.kernel.org/linux-bluetooth/20260315132013.75ab40c5@kernel.org/T/#m1418f9c82eeff8510c1beaa21cf53af20db96c06\nFixes: 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\")\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\n" }, { "commit": "598dbba9919c5e36c54fe1709b557d64120cb94b", "tree": "2e739ce1b226211858532ab5f7ebccbc8aaf8b4d", "parents": [ "c65bd945d1c08c3db756821b6bf9f1c4a77b29c6" ], "author": { "name": "Hyunwoo Kim", "email": "imv4bel@gmail.com", "time": "Fri Mar 13 05:26:16 2026 +0900" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 19 14:42:35 2026 -0400" }, "message": "Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold\n\nsco_recv_frame() reads conn-\u003esk under sco_conn_lock() but immediately\nreleases the lock without holding a reference to the socket. A concurrent\nclose() can free the socket between the lock release and the subsequent\nsk-\u003esk_state access, resulting in a use-after-free.\n\nOther functions in the same file (sco_sock_timeout(), sco_conn_del())\ncorrectly use sco_sock_hold() to safely hold a reference under the lock.\n\nFix by using sco_sock_hold() to take a reference before releasing the\nlock, and adding sock_put() on all exit paths.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Hyunwoo Kim \u003cimv4bel@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "c65bd945d1c08c3db756821b6bf9f1c4a77b29c6", "tree": "b7489ed6c82c4e8c3bb6b3d86b80c83da91b4b96", "parents": [ "9d87cb22195b2c67405f5485d525190747ad5493" ], "author": { "name": "Hyunwoo Kim", "email": "imv4bel@gmail.com", "time": "Fri Mar 13 05:22:39 2026 +0900" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 19 14:42:12 2026 -0400" }, "message": "Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()\n\nl2cap_ecred_data_rcv() reads the SDU length field from skb-\u003edata using\nget_unaligned_le16() without first verifying that skb contains at least\nL2CAP_SDULEN_SIZE (2) bytes. When skb-\u003elen is less than 2, this reads\npast the valid data in the skb.\n\nThe ERTM reassembly path correctly calls pskb_may_pull() before reading\nthe SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the\nsame validation to the Enhanced Credit Based Flow Control data path.\n\nFixes: aac23bf63659 (\"Bluetooth: Implement LE L2CAP reassembly\")\nSigned-off-by: Hyunwoo Kim \u003cimv4bel@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "9d87cb22195b2c67405f5485d525190747ad5493", "tree": "5812c527cc805533b92008c9db8ec9940b955ea6", "parents": [ "7ab4a7c5d969642782b8a5b608da0dd02aa9f229" ], "author": { "name": "Minseo Park", "email": "jacob.park.9436@gmail.com", "time": "Sun Mar 15 22:14:37 2026 +0900" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 19 14:38:07 2026 -0400" }, "message": "Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req\n\nSyzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd()\nthat is triggered by a malformed Enhanced Credit Based Connection Request.\n\nThe vulnerability stems from l2cap_ecred_conn_req(). The function allocates\na local stack buffer (`pdu`) designed to hold a maximum of 5 Source Channel\nIDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more\nthan 5 SCIDs, the function calculates `rsp_len` based on this unvalidated\n`cmd_len` before checking if the number of SCIDs exceeds\nL2CAP_ECRED_MAX_CID.\n\nIf the SCID count is too high, the function correctly jumps to the\n`response` label to reject the packet, but `rsp_len` retains the\nattacker\u0027s oversized value. Consequently, l2cap_send_cmd() is instructed\nto read past the end of the 18-byte `pdu` buffer, triggering a\nKASAN panic.\n\nFix this by moving the assignment of `rsp_len` to after the `num_scid`\nboundary check. If the packet is rejected, `rsp_len` will safely\nremain 0, and the error response will only read the 8-byte base header\nfrom the stack.\n\nFixes: c28d2bff7044 (\"Bluetooth: L2CAP: Fix result of L2CAP_ECRED_CONN_RSP when MTU is too short\")\nReported-by: syzbot+b7f3e7d9a596bf6a63e3@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid\u003db7f3e7d9a596bf6a63e3\nTested-by: syzbot+b7f3e7d9a596bf6a63e3@syzkaller.appspotmail.com\nSigned-off-by: Minseo Park \u003cjacob.park.9436@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "a1d9d8e833781c44ab688708804ce35f20f3cbbd", "tree": "2b1ef43c69d3b4e9d978b508a45b1fac4ee2629e", "parents": [ "e9825d1c79570b4c11259e826b3f7c1511544a85", "7ab4a7c5d969642782b8a5b608da0dd02aa9f229" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Mar 19 11:25:40 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Mar 19 11:25:40 2026 -0700" }, "message": "Merge tag \u0027net-7.0-rc5\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net\n\nPull networking fixes from Jakub Kicinski:\n \"Including fixes from wireless, Bluetooth and netfilter.\n\n Nothing too exciting here, mostly fixes for corner cases.\n\n Current release - fix to a fix:\n\n - bonding: prevent potential infinite loop in bond_header_parse()\n\n Current release - new code bugs:\n\n - wifi: mac80211: check tdls flag in ieee80211_tdls_oper\n\n Previous releases - regressions:\n\n - af_unix: give up GC if MSG_PEEK intervened\n\n - netfilter: conntrack: add missing netlink policy validations\n\n - NFC: nxp-nci: allow GPIOs to sleep\"\n\n* tag \u0027net-7.0-rc5\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (78 commits)\n MPTCP: fix lock class name family in pm_nl_create_listen_socket\n icmp: fix NULL pointer dereference in icmp_tag_validation()\n net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths\n net: shaper: protect from late creation of hierarchy\n net: shaper: protect late read accesses to the hierarchy\n net: mvpp2: guard flow control update with global_tx_fc in buffer switching\n nfnetlink_osf: validate individual option lengths in fingerprints\n netfilter: nf_tables: release flowtable after rcu grace period on error\n netfilter: bpf: defer hook memory release until rcu readers are done\n net: bonding: fix NULL deref in bond_debug_rlb_hash_show\n udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6\u003dn\n net/mlx5e: Fix race condition during IPSec ESN update\n net/mlx5e: Prevent concurrent access to IPSec ASO context\n net/mlx5: qos: Restrict RTNL area to avoid a lock cycle\n ipv6: add NULL checks for idev in SRv6 paths\n NFC: nxp-nci: allow GPIOs to sleep\n net: macb: fix uninitialized rx_fs_lock\n net: macb: fix use-after-free access to PTP clock\n netdevsim: drop PSP ext ref on forward failure\n wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure\n ...\n" }, { "commit": "7ab4a7c5d969642782b8a5b608da0dd02aa9f229", "tree": "e81b01f34043a820153bd1ed3f0e32e73517c0fe", "parents": [ "614aefe56af8e13331e50220c936fc0689cf5675" ], "author": { "name": "Li Xiasong", "email": "lixiasong1@huawei.com", "time": "Thu Mar 19 19:21:59 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Mar 19 09:37:48 2026 -0700" }, "message": "MPTCP: fix lock class name family in pm_nl_create_listen_socket\n\nIn mptcp_pm_nl_create_listen_socket(), use entry-\u003eaddr.family\ninstead of sk-\u003esk_family for lock class setup. The \u0027sk\u0027 parameter\nis a netlink socket, not the MPTCP subflow socket being created.\n\nFixes: cee4034a3db1 (\"mptcp: fix lockdep false positive in mptcp_pm_nl_create_listen_socket()\")\nSigned-off-by: Li Xiasong \u003clixiasong1@huawei.com\u003e\nReviewed-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260319112159.3118874-1-lixiasong1@huawei.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "614aefe56af8e13331e50220c936fc0689cf5675", "tree": "6f241f1eaab46bcd903df6c5f1a040fdf929f260", "parents": [ "b48731849609cbd8c53785a48976850b443153fd" ], "author": { "name": "Weiming Shi", "email": "bestswngs@gmail.com", "time": "Wed Mar 18 21:06:01 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Mar 19 09:27:36 2026 -0700" }, "message": "icmp: fix NULL pointer dereference in icmp_tag_validation()\n\nicmp_tag_validation() unconditionally dereferences the result of\nrcu_dereference(inet_protos[proto]) without checking for NULL.\nThe inet_protos[] array is sparse -- only about 15 of 256 protocol\nnumbers have registered handlers. When ip_no_pmtu_disc is set to 3\n(hardened PMTU mode) and the kernel receives an ICMP Fragmentation\nNeeded error with a quoted inner IP header containing an unregistered\nprotocol number, the NULL dereference causes a kernel panic in\nsoftirq context.\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)\n Call Trace:\n \u003cIRQ\u003e\n icmp_rcv (net/ipv4/icmp.c:1527)\n ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)\n ip_local_deliver_finish (net/ipv4/ip_input.c:242)\n ip_local_deliver (net/ipv4/ip_input.c:262)\n ip_rcv (net/ipv4/ip_input.c:573)\n __netif_receive_skb_one_core (net/core/dev.c:6164)\n process_backlog (net/core/dev.c:6628)\n handle_softirqs (kernel/softirq.c:561)\n \u003c/IRQ\u003e\n\nAdd a NULL check before accessing icmp_strict_tag_validation. If the\nprotocol has no registered handler, return false since it cannot\nperform strict tag validation.\n\nFixes: 8ed1dc44d3e9 (\"ipv4: introduce hardened ip_no_pmtu_disc mode\")\nReported-by: Xiang Mei \u003cxmei5@asu.edu\u003e\nSigned-off-by: Weiming Shi \u003cbestswngs@gmail.com\u003e\nLink: https://patch.msgid.link/20260318130558.1050247-4-bestswngs@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "b48731849609cbd8c53785a48976850b443153fd", "tree": "3e838bdd4df42ef90793ff61e54e741095d3f942", "parents": [ "e7577a06ae28287ca415aec5c12277e3a80ee372" ], "author": { "name": "Anas Iqbal", "email": "mohd.abd.6602@gmail.com", "time": "Wed Mar 18 08:42:12 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Mar 19 09:26:40 2026 -0700" }, "message": "net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths\n\nSmatch reports:\ndrivers/net/dsa/bcm_sf2.c:997 bcm_sf2_sw_resume() warn:\n\u0027priv-\u003eclk\u0027 from clk_prepare_enable() not released on lines: 983,990.\n\nThe clock enabled by clk_prepare_enable() in bcm_sf2_sw_resume()\nis not released if bcm_sf2_sw_rst() or bcm_sf2_cfp_resume() fails.\n\nAdd the missing clk_disable_unprepare() calls in the error paths\nto properly release the clock resource.\n\nFixes: e9ec5c3bd238 (\"net: dsa: bcm_sf2: request and handle clocks\")\nReviewed-by: Jonas Gorski \u003cjonas.gorski@gmail.com\u003e\nReviewed-by: Florian Fainelli \u003cflorian.fainelli@broadcom.com\u003e\nSigned-off-by: Anas Iqbal \u003cmohd.abd.6602@gmail.com\u003e\nLink: https://patch.msgid.link/20260318084212.1287-1-mohd.abd.6602@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "e9825d1c79570b4c11259e826b3f7c1511544a85", "tree": "f66082fd270f4381a0f4412c6b8e6a5991795605", "parents": [ "d107dc8c9c6a9f9e4bb213f5a6398fc5c33a00a9", "9633370653151a0d5637634d1887d2f32511e69f" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Mar 19 08:45:34 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Mar 19 08:45:34 2026 -0700" }, "message": "Merge tag \u0027pm-7.0-rc5\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm\n\nPull power management fixes from Rafael Wysocki:\n \"These fix an idle loop issue exposed by recent changes and a race\n condition related to device removal in the runtime PM core code:\n\n - Consolidate the handling of two special cases in the idle loop that\n occur when only one CPU idle state is present (Rafael Wysocki)\n\n - Fix a race condition related to device removal in the runtime PM\n core code that may cause a stale device object pointer to be\n dereferenced (Bart Van Assche)\"\n\n* tag \u0027pm-7.0-rc5\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:\n PM: runtime: Fix a race condition related to device removal\n sched: idle: Consolidate the handling of two special cases\n" }, { "commit": "d107dc8c9c6a9f9e4bb213f5a6398fc5c33a00a9", "tree": "cc16550ccad2de368154cbf9942f7c10cfa83dc2", "parents": [ "1863b4055b7902de43a1dcc7396805eb631682e5", "5cbcd6c0742a2986782a9e2c92aa250d8f5c137d" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Mar 19 08:42:59 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Mar 19 08:42:59 2026 -0700" }, "message": "Merge tag \u0027acpi-7.0-rc5\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm\n\nPull ACPI support fixes from Rafael Wysocki:\n \"These fix an MFD child automatic modprobe issue introduced recently,\n an ACPI processor driver issue introduced by a previous fix and an\n ACPICA issue causing confusing messages regarding _DSM arguments to be\n printed:\n\n - Update the format of the last argument of _DSM to avoid printing\n confusing error messages in some cases (Saket Dumbre)\n\n - Fix MFD child automatic modprobe issue by removing a stale check\n from acpi_companion_match() (Pratap Nirujogi)\n\n - Prevent possible use-after-free in acpi_processor_errata_piix4()\n from occurring by rearranging the code to print debug messages\n while holding references to relevant device objects (Rafael\n Wysocki)\"\n\n* tag \u0027acpi-7.0-rc5\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:\n ACPI: bus: Fix MFD child automatic modprobe issue\n ACPI: processor: Fix previous acpi_processor_errata_piix4() fix\n ACPICA: Update the format of Arg3 of _DSM\n" }, { "commit": "e7577a06ae28287ca415aec5c12277e3a80ee372", "tree": "7af84ba5d5237a2e248b26c25e83e66de1349bae", "parents": [ "d75ec7e8ba1979a1eb0b9211d94d749cdce849c8", "dbdfaae9609629a9569362e3b8f33d0a20fd783c" ], "author": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Mar 19 15:39:33 2026 +0100" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Mar 19 15:39:33 2026 +0100" }, "message": "Merge tag \u0027nf-26-03-19\u0027 of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf\n\nFlorian Westphal says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnetfilter: updates for net\n\nThe following patchset contains Netfilter fixes for *net*:\n\n1) Fix UaF when netfilter bpf link goes away while nfnetlink dumps\n current hook list, we have to wait until rcu readers are gone.\n\n2) Fix UaF when flowtable fails to register all devices, similar\n bug as 1). From Pablo Neira Ayuso.\n\n3) nfnetlink_osf fails to properly validate option length fields.\n From Weiming Shi.\n\nnetfilter pull request nf-26-03-19\n\n* tag \u0027nf-26-03-19\u0027 of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:\n nfnetlink_osf: validate individual option lengths in fingerprints\n netfilter: nf_tables: release flowtable after rcu grace period on error\n netfilter: bpf: defer hook memory release until rcu readers are done\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260319093834.19933-1-fw@strlen.de\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "5cbcd6c0742a2986782a9e2c92aa250d8f5c137d", "tree": "efb7e1f964fc19317ce802b3348e5c6cd5e2dc74", "parents": [ "bf504b229cb8d534eccbaeaa23eba34c05131e25", "ab93d7eee94205430fc3b0532557cb0494bf2faf", "e7648ffecb7fcb7400e123bb6ea989633a104fc3" ], "author": { "name": "Rafael J. Wysocki", "email": "rafael.j.wysocki@intel.com", "time": "Thu Mar 19 14:57:06 2026 +0100" }, "committer": { "name": "Rafael J. Wysocki", "email": "rafael.j.wysocki@intel.com", "time": "Thu Mar 19 14:57:06 2026 +0100" }, "message": "Merge branches \u0027acpica\u0027 and \u0027acpi-bus\u0027\n\nMerge an ACPICA fix and a core ACPI support code fix for 7.0-rc5:\n\n - Update the format of the last argument of _DSM to avoid printing\n confusing error messages in some cases (Saket Dumbre)\n\n - Fix MFD child automatic modprobe issue by removing a stale check\n from acpi_companion_match() (Pratap Nirujogi)\n\n* acpica:\n ACPICA: Update the format of Arg3 of _DSM\n\n* acpi-bus:\n ACPI: bus: Fix MFD child automatic modprobe issue\n" }, { "commit": "9633370653151a0d5637634d1887d2f32511e69f", "tree": "5d080218dadd228de99d089e5902015e02b37fbf", "parents": [ "f4c31b07b136839e0fb3026f8a5b6543e3b14d2f", "29ab768277617452d88c0607c9299cdc63b6e9ff" ], "author": { "name": "Rafael J. Wysocki", "email": "rafael.j.wysocki@intel.com", "time": "Thu Mar 19 14:49:44 2026 +0100" }, "committer": { "name": "Rafael J. Wysocki", "email": "rafael.j.wysocki@intel.com", "time": "Thu Mar 19 14:49:44 2026 +0100" }, "message": "Merge branch \u0027pm-runtime\u0027\n\nMerge a fix for a race condition related to device removal (Bart Van\nAssche) for 7.0-rc5.\n\n* pm-runtime:\n PM: runtime: Fix a race condition related to device removal\n" }, { "commit": "d75ec7e8ba1979a1eb0b9211d94d749cdce849c8", "tree": "60b2a6484b46408356c34ed15d8f9a15085df9bd", "parents": [ "0f9ea7141f365b4f27226898e62220fb98ef8dc6" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue Mar 17 09:10:14 2026 -0700" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Mar 19 13:47:15 2026 +0100" }, "message": "net: shaper: protect from late creation of hierarchy\n\nWe look up a netdev during prep of Netlink ops (pre- callbacks)\nand take a ref to it. Then later in the body of the callback\nwe take its lock or RCU which are the actual protections.\n\nThe netdev may get unregistered in between the time we take\nthe ref and the time we lock it. We may allocate the hierarchy\nafter flush has already run, which would lead to a leak.\n\nTake the instance lock in pre- already, this saves us from the race\nand removes the need for dedicated lock/unlock callbacks completely.\nAfter all, if there\u0027s any chance of write happening concurrently\nwith the flush - we\u0027re back to leaking the hierarchy.\n\nWe may take the lock for devices which don\u0027t support shapers but\nwe\u0027re only dealing with SET operations here, not taking the lock\nwould be optimizing for an error case.\n\nFixes: 93954b40f6a4 (\"net-shapers: implement NL set and delete operations\")\nLink: https://lore.kernel.org/20260309173450.538026-1-p@1g4.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nLink: https://patch.msgid.link/20260317161014.779569-2-kuba@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "0f9ea7141f365b4f27226898e62220fb98ef8dc6", "tree": "937487a70af1af2d07e1a2ff1cac8af7501139e1", "parents": [ "8a63baadf08453f66eb582fdb6dd234f72024723" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue Mar 17 09:10:13 2026 -0700" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Mar 19 13:47:15 2026 +0100" }, "message": "net: shaper: protect late read accesses to the hierarchy\n\nWe look up a netdev during prep of Netlink ops (pre- callbacks)\nand take a ref to it. Then later in the body of the callback\nwe take its lock or RCU which are the actual protections.\n\nThis is not proper, a conversion from a ref to a locked netdev\nmust include a liveness check (a check if the netdev hasn\u0027t been\nunregistered already). Fix the read cases (those under RCU).\nWrites needs a separate change to protect from creating the\nhierarchy after flush has already run.\n\nFixes: 4b623f9f0f59 (\"net-shapers: implement NL get operation\")\nReported-by: Paul Moses \u003cp@1g4.org\u003e\nLink: https://lore.kernel.org/20260309173450.538026-1-p@1g4.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nLink: https://patch.msgid.link/20260317161014.779569-1-kuba@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "8a63baadf08453f66eb582fdb6dd234f72024723", "tree": "a19152d06caadb46501c503b86fc6e99a15bdcfe", "parents": [ "7c46bd845d89ad4772573cfe0f2a56b93db75cc7" ], "author": { "name": "Muhammad Hammad Ijaz", "email": "mhijaz@amazon.com", "time": "Mon Mar 16 12:31:01 2026 -0700" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Mar 19 10:31:19 2026 +0100" }, "message": "net: mvpp2: guard flow control update with global_tx_fc in buffer switching\n\nmvpp2_bm_switch_buffers() unconditionally calls\nmvpp2_bm_pool_update_priv_fc() when switching between per-cpu and\nshared buffer pool modes. This function programs CM3 flow control\nregisters via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference\npriv-\u003ecm3_base without any NULL check.\n\nWhen the CM3 SRAM resource is not present in the device tree (the\nthird reg entry added by commit 60523583b07c (\"dts: marvell: add CM3\nSRAM memory to cp11x ethernet device tree\")), priv-\u003ecm3_base remains\nNULL and priv-\u003eglobal_tx_fc is false. Any operation that triggers\nmvpp2_bm_switch_buffers(), for example an MTU change that crosses\nthe jumbo frame threshold, will crash:\n\n Unable to handle kernel NULL pointer dereference at\n virtual address 0000000000000000\n Mem abort info:\n ESR \u003d 0x0000000096000006\n EC \u003d 0x25: DABT (current EL), IL \u003d 32 bits\n pc : readl+0x0/0x18\n lr : mvpp2_cm3_read.isra.0+0x14/0x20\n Call trace:\n readl+0x0/0x18\n mvpp2_bm_pool_update_fc+0x40/0x12c\n mvpp2_bm_pool_update_priv_fc+0x94/0xd8\n mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0\n mvpp2_change_mtu+0x140/0x380\n __dev_set_mtu+0x1c/0x38\n dev_set_mtu_ext+0x78/0x118\n dev_set_mtu+0x48/0xa8\n dev_ifsioc+0x21c/0x43c\n dev_ioctl+0x2d8/0x42c\n sock_ioctl+0x314/0x378\n\nEvery other flow control call site in the driver already guards\nhardware access with either priv-\u003eglobal_tx_fc or port-\u003etx_fc.\nmvpp2_bm_switch_buffers() is the only place that omits this check.\n\nAdd the missing priv-\u003eglobal_tx_fc guard to both the disable and\nre-enable calls in mvpp2_bm_switch_buffers(), consistent with the\nrest of the driver.\n\nFixes: 3a616b92a9d1 (\"net: mvpp2: Add TX flow control support for jumbo frames\")\nSigned-off-by: Muhammad Hammad Ijaz \u003cmhijaz@amazon.com\u003e\nReviewed-by: Gunnar Kudrjavets \u003cgunnarku@amazon.com\u003e\nLink: https://patch.msgid.link/20260316193157.65748-1-mhijaz@amazon.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "dbdfaae9609629a9569362e3b8f33d0a20fd783c", "tree": "45a230030cbe436d526569a14406d0884c5ae052", "parents": [ "d73f4b53aaaea4c95f245e491aa5eeb8a21874ce" ], "author": { "name": "Weiming Shi", "email": "bestswngs@gmail.com", "time": "Thu Mar 19 15:32:44 2026 +0800" }, "committer": { "name": "Florian Westphal", "email": "fw@strlen.de", "time": "Thu Mar 19 10:27:07 2026 +0100" }, "message": "nfnetlink_osf: validate individual option lengths in fingerprints\n\nnfnl_osf_add_callback() validates opt_num bounds and string\nNUL-termination but does not check individual option length fields.\nA zero-length option causes nf_osf_match_one() to enter the option\nmatching loop even when foptsize sums to zero, which matches packets\nwith no TCP options where ctx-\u003eoptp is NULL:\n\n Oops: general protection fault\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)\n Call Trace:\n nf_osf_match (net/netfilter/nfnetlink_osf.c:227)\n xt_osf_match_packet (net/netfilter/xt_osf.c:32)\n ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)\n nf_hook_slow (net/netfilter/core.c:623)\n ip_local_deliver (net/ipv4/ip_input.c:262)\n ip_rcv (net/ipv4/ip_input.c:573)\n\nAdditionally, an MSS option (kind\u003d2) with length \u003c 4 causes\nout-of-bounds reads when nf_osf_match_one() unconditionally accesses\noptp[2] and optp[3] for MSS value extraction. While RFC 9293\nsection 3.2 specifies that the MSS option is always exactly 4\nbytes (Kind\u003d2, Length\u003d4), the check uses \"\u003c 4\" rather than\n\"!\u003d 4\" because lengths greater than 4 do not cause memory\nsafety issues -- the buffer is guaranteed to be at least\nfoptsize bytes by the ctx-\u003eoptsize \u003d\u003d foptsize check.\n\nReject fingerprints where any option has zero length, or where an MSS\noption has length less than 4, at add time rather than trusting these\nvalues in the packet matching hot path.\n\nFixes: 11eeef41d5f6 (\"netfilter: passive OS fingerprint xtables match\")\nReported-by: Xiang Mei \u003cxmei5@asu.edu\u003e\nSigned-off-by: Weiming Shi \u003cbestswngs@gmail.com\u003e\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\n" }, { "commit": "d73f4b53aaaea4c95f245e491aa5eeb8a21874ce", "tree": "46515e290da0dde27a142b7bec6e4958c5a807f9", "parents": [ "24f90fa3994b992d1a09003a3db2599330a5232a" ], "author": { "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org", "time": "Tue Mar 17 20:00:26 2026 +0100" }, "committer": { "name": "Florian Westphal", "email": "fw@strlen.de", "time": "Thu Mar 19 10:26:31 2026 +0100" }, "message": "netfilter: nf_tables: release flowtable after rcu grace period on error\n\nCall synchronize_rcu() after unregistering the hooks from error path,\nsince a hook that already refers to this flowtable can be already\nregistered, exposing this flowtable to packet path and nfnetlink_hook\ncontrol plane.\n\nThis error path is rare, it should only happen by reaching the maximum\nnumber hooks or by failing to set up to hardware offload, just call\nsynchronize_rcu().\n\nThere is a check for already used device hooks by different flowtable\nthat could result in EEXIST at this late stage. The hook parser can be\nupdated to perform this check earlier to this error path really becomes\nrarely exercised.\n\nUncovered by KASAN reported as use-after-free from nfnetlink_hook path\nwhen dumping hooks.\n\nFixes: 3b49e2e94e6e (\"netfilter: nf_tables: add flow table netlink frontend\")\nReported-by: Yiming Qian \u003cyimingqian591@gmail.com\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\n" }, { "commit": "24f90fa3994b992d1a09003a3db2599330a5232a", "tree": "e5e94aa247da295d063a5618aaa33cd945a7d5d3", "parents": [ "7c46bd845d89ad4772573cfe0f2a56b93db75cc7" ], "author": { "name": "Florian Westphal", "email": "fw@strlen.de", "time": "Tue Mar 17 12:23:08 2026 +0100" }, "committer": { "name": "Florian Westphal", "email": "fw@strlen.de", "time": "Thu Mar 19 10:26:31 2026 +0100" }, "message": "netfilter: bpf: defer hook memory release until rcu readers are done\n\nYiming Qian reports UaF when concurrent process is dumping hooks via\nnfnetlink_hooks:\n\nBUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0\nRead of size 8 at addr ffff888003edbf88 by task poc/79\nCall Trace:\n \u003cTASK\u003e\n nfnl_hook_dump_one.isra.0+0xe71/0x10f0\n netlink_dump+0x554/0x12b0\n nfnl_hook_get+0x176/0x230\n [..]\n\nDefer release until after concurrent readers have completed.\n\nReported-by: Yiming Qian \u003cyimingqian591@gmail.com\u003e\nFixes: 84601d6ee68a (\"bpf: add bpf_link support for BPF_NETFILTER programs\")\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\n" }, { "commit": "7c46bd845d89ad4772573cfe0f2a56b93db75cc7", "tree": "2c25c3e6c5e00038829a91b7385c640cfd98f19d", "parents": [ "605b52497bf89b3b154674deb135da98f916e390", "d5ad6ab61cbd89afdb60881f6274f74328af3ee9" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Mar 18 19:25:40 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Mar 18 19:25:41 2026 -0700" }, "message": "Merge tag \u0027wireless-2026-03-18\u0027 of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless\n\nJohannes Berg says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nJust a few updates:\n - cfg80211:\n - guarantee pmsr work is cancelled\n - mac80211:\n - reject TDLS operations on non-TDLS stations\n - fix crash in AP_VLAN bandwidth change\n - fix leak or double-free on some TX preparation\n failures\n - remove keys needed for beacons _after_ stopping\n those\n - fix debugfs static branch race\n - avoid underflow in inactive time\n - fix another NULL dereference in mesh on invalid\n frames\n - ti/wlcore: avoid infinite realloc loop\n\n* tag \u0027wireless-2026-03-18\u0027 of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:\n wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure\n wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom\n wifi: mac80211: fix NULL deref in mesh_matches_local()\n wifi: mac80211: check tdls flag in ieee80211_tdls_oper\n wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down\n wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.\n mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations\n wifi: mac80211: use jiffies_delta_to_msecs() for sta_info inactive times\n wifi: mac80211: remove keys after disabling beaconing\n wifi: mac80211_hwsim: fully initialise PMSR capabilities\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260318172515.381148-3-johannes@sipsolutions.net\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "605b52497bf89b3b154674deb135da98f916e390", "tree": "dd9f0393dc72c362c0e12f72f9a8aceb4a664f02", "parents": [ "b3a6df291fecf5f8a308953b65ca72b7fc9e015d" ], "author": { "name": "Xiang Mei", "email": "xmei5@asu.edu", "time": "Mon Mar 16 17:50:34 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Mar 18 18:05:40 2026 -0700" }, "message": "net: bonding: fix NULL deref in bond_debug_rlb_hash_show\n\nrlb_clear_slave intentionally keeps RLB hash-table entries on\nthe rx_hashtbl_used_head list with slave set to NULL when no\nreplacement slave is available. However, bond_debug_rlb_hash_show\nvisites client_info-\u003eslave without checking if it\u0027s NULL.\n\nOther used-list iterators in bond_alb.c already handle this NULL-slave\nstate safely:\n\n- rlb_update_client returns early on !client_info-\u003eslave\n- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance\ncompare slave values before visiting\n- lb_req_update_subnet_clients continues if slave is NULL\n\nThe following NULL deref crash can be trigger in\nbond_debug_rlb_hash_show:\n\n[ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41)\n[ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286\n[ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204\n[ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078\n[ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000\n[ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0\n[ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8\n[ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000\n[ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0\n[ 1.295897] Call Trace:\n[ 1.296134] seq_read_iter (fs/seq_file.c:231)\n[ 1.296341] seq_read (fs/seq_file.c:164)\n[ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1))\n[ 1.296658] vfs_read (fs/read_write.c:572)\n[ 1.296981] ksys_read (fs/read_write.c:717)\n[ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n[ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nAdd a NULL check and print \"(none)\" for entries with no assigned slave.\n\nFixes: caafa84251b88 (\"bonding: add the debugfs interface to see RLB hash table\")\nReported-by: Weiming Shi \u003cbestswngs@gmail.com\u003e\nSigned-off-by: Xiang Mei \u003cxmei5@asu.edu\u003e\nLink: https://patch.msgid.link/20260317005034.1888794-1-xmei5@asu.edu\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "b3a6df291fecf5f8a308953b65ca72b7fc9e015d", "tree": "e6a692664a235dccf9b5c9958d4390876f907d90", "parents": [ "6d43a9f6a1727f45fbc5b518a20250ebfec707f3" ], "author": { "name": "Xiang Mei", "email": "xmei5@asu.edu", "time": "Mon Mar 16 18:02:41 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Mar 18 18:00:07 2026 -0700" }, "message": "udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6\u003dn\n\nWhen CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0\n(success) without actually creating a socket. Callers such as\nfou_create() then proceed to dereference the uninitialized socket\npointer, resulting in a NULL pointer dereference.\n\nThe captured NULL deref crash:\n BUG: kernel NULL pointer dereference, address: 0000000000000018\n RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)\n [...]\n Call Trace:\n \u003cTASK\u003e\n genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)\n genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)\n [...]\n netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n genl_rcv (net/netlink/genetlink.c:1219)\n netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\n netlink_sendmsg (net/netlink/af_netlink.c:1894)\n __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))\n __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))\n __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)\n\nThis patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so\ncallers correctly take their error paths. There is only one caller of\nthe vulnerable function and only privileged users can trigger it.\n\nFixes: fd384412e199b (\"udp_tunnel: Seperate ipv6 functions into its own file.\")\nReported-by: Weiming Shi \u003cbestswngs@gmail.com\u003e\nSigned-off-by: Xiang Mei \u003cxmei5@asu.edu\u003e\nLink: https://patch.msgid.link/20260317010241.1893893-1-xmei5@asu.edu\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "6d43a9f6a1727f45fbc5b518a20250ebfec707f3", "tree": "b84b86f9ba5839b9ad0c739c4c57443bcdb56aa1", "parents": [ "d0f9eca219e6e46f1cf76fc28ae3f753b2b3ecd4", "beb6e2e5976a128b0cccf10d158124422210c5ef" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Mar 18 17:54:58 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Mar 18 17:54:59 2026 -0700" }, "message": "Merge branch \u0027mlx5-misc-fixes-2026-03-16\u0027\n\nTariq Toukan says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nmlx5 misc fixes 2026-03-16\n\nThis patchset provides misc bug fixes from the team to the mlx5\ncore and Eth drivers.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260316094603.6999-1-tariqt@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "beb6e2e5976a128b0cccf10d158124422210c5ef", "tree": "b84b86f9ba5839b9ad0c739c4c57443bcdb56aa1", "parents": [ "99b36850d881e2d65912b2520a1c80d0fcc9429a" ], "author": { "name": "Jianbo Liu", "email": "jianbol@nvidia.com", "time": "Mon Mar 16 11:46:03 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Mar 18 17:54:53 2026 -0700" }, "message": "net/mlx5e: Fix race condition during IPSec ESN update\n\nIn IPSec full offload mode, the device reports an ESN (Extended\nSequence Number) wrap event to the driver. The driver validates this\nevent by querying the IPSec ASO and checking that the esn_event_arm\nfield is 0x0, which indicates an event has occurred. After handling\nthe event, the driver must re-arm the context by setting esn_event_arm\nback to 0x1.\n\nA race condition exists in this handling path. After validating the\nevent, the driver calls mlx5_accel_esp_modify_xfrm() to update the\nkernel\u0027s xfrm state. This function temporarily releases and\nre-acquires the xfrm state lock.\n\nSo, need to acknowledge the event first by setting esn_event_arm to\n0x1. This prevents the driver from reprocessing the same ESN update if\nthe hardware sends events for other reason. Since the next ESN update\nonly occurs after nearly 2^31 packets are received, there\u0027s no risk of\nmissing an update, as it will happen long after this handling has\nfinished.\n\nProcessing the event twice causes the ESN high-order bits (esn_msb) to\nbe incremented incorrectly. The driver then programs the hardware with\nthis invalid ESN state, which leads to anti-replay failures and a\ncomplete halt of IPSec traffic.\n\nFix this by re-arming the ESN event immediately after it is validated,\nbefore calling mlx5_accel_esp_modify_xfrm(). This ensures that any\nspurious, duplicate events are correctly ignored, closing the race\nwindow.\n\nFixes: fef06678931f (\"net/mlx5e: Fix ESN update kernel panic\")\nSigned-off-by: Jianbo Liu \u003cjianbol@nvidia.com\u003e\nReviewed-by: Leon Romanovsky \u003cleonro@nvidia.com\u003e\nSigned-off-by: Tariq Toukan \u003ctariqt@nvidia.com\u003e\nLink: https://patch.msgid.link/20260316094603.6999-4-tariqt@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "99b36850d881e2d65912b2520a1c80d0fcc9429a", "tree": "e6e42f29042078d6567bcb11e7f52e53dde6e6d0", "parents": [ "b7e3a5d9c0d66b7fb44f63aef3bd734821afa0c8" ], "author": { "name": "Jianbo Liu", "email": "jianbol@nvidia.com", "time": "Mon Mar 16 11:46:02 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Mar 18 17:54:53 2026 -0700" }, "message": "net/mlx5e: Prevent concurrent access to IPSec ASO context\n\nThe query or updating IPSec offload object is through Access ASO WQE.\nThe driver uses a single mlx5e_ipsec_aso struct for each PF, which\ncontains a shared DMA-mapped context for all ASO operations.\n\nA race condition exists because the ASO spinlock is released before\nthe hardware has finished processing WQE. If a second operation is\ninitiated immediately after, it overwrites the shared context in the\nDMA area.\n\nWhen the first operation\u0027s completion is processed later, it reads\nthis corrupted context, leading to unexpected behavior and incorrect\nresults.\n\nThis commit fixes the race by introducing a private context within\neach IPSec offload object. The shared ASO context is now copied to\nthis private context while the ASO spinlock is held. Subsequent\nprocessing uses this saved, per-object context, ensuring its integrity\nis maintained.\n\nFixes: 1ed78fc03307 (\"net/mlx5e: Update IPsec soft and hard limits\")\nSigned-off-by: Jianbo Liu \u003cjianbol@nvidia.com\u003e\nReviewed-by: Leon Romanovsky \u003cleonro@nvidia.com\u003e\nSigned-off-by: Tariq Toukan \u003ctariqt@nvidia.com\u003e\nLink: https://patch.msgid.link/20260316094603.6999-3-tariqt@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "b7e3a5d9c0d66b7fb44f63aef3bd734821afa0c8", "tree": "692f22f8bbbca54fa9576d7fa0acfe86c20da24c", "parents": [ "d0f9eca219e6e46f1cf76fc28ae3f753b2b3ecd4" ], "author": { "name": "Cosmin Ratiu", "email": "cratiu@nvidia.com", "time": "Mon Mar 16 11:46:01 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Mar 18 17:54:53 2026 -0700" }, "message": "net/mlx5: qos: Restrict RTNL area to avoid a lock cycle\n\nA lock dependency cycle exists where:\n1. mlx5_ib_roce_init -\u003e mlx5_core_uplink_netdev_event_replay -\u003e\nmlx5_blocking_notifier_call_chain (takes notifier_rwsem) -\u003e\nmlx5e_mdev_notifier_event -\u003e mlx5_netdev_notifier_register -\u003e\nregister_netdevice_notifier_dev_net (takes rtnl)\n\u003d\u003e notifier_rwsem -\u003e rtnl\n\n2. mlx5e_probe -\u003e _mlx5e_probe -\u003e\nmlx5_core_uplink_netdev_set (takes uplink_netdev_lock) -\u003e\nmlx5_blocking_notifier_call_chain (takes notifier_rwsem)\n\u003d\u003e uplink_netdev_lock -\u003e notifier_rwsem\n\n3: devlink_nl_rate_set_doit -\u003e devlink_nl_rate_set -\u003e\nmlx5_esw_devlink_rate_leaf_tx_max_set -\u003e esw_qos_devlink_rate_to_mbps -\u003e\nmlx5_esw_qos_max_link_speed_get (takes rtnl) -\u003e\nmlx5_esw_qos_lag_link_speed_get_locked -\u003e\nmlx5_uplink_netdev_get (takes uplink_netdev_lock)\n\u003d\u003e rtnl -\u003e uplink_netdev_lock\n\u003d\u003e BOOM! (lock cycle)\n\nFix that by restricting the rtnl-protected section to just the necessary\npart, the call to netdev_master_upper_dev_get and speed querying, so\nthat the last lock dependency is avoided and the cycle doesn\u0027t close.\nThis is safe because mlx5_uplink_netdev_get uses netdev_hold to keep the\nuplink netdev alive while its master device is queried.\n\nUse this opportunity to rename the ambiguously-named \"hold_rtnl_lock\"\nargument to \"take_rtnl\" and remove the \"_locked\" suffix from\nmlx5_esw_qos_lag_link_speed_get_locked.\n\nFixes: 6b4be64fd9fe (\"net/mlx5e: Harden uplink netdev access against device unbind\")\nSigned-off-by: Cosmin Ratiu \u003ccratiu@nvidia.com\u003e\nReviewed-by: Dragos Tatulea \u003cdtatulea@nvidia.com\u003e\nSigned-off-by: Tariq Toukan \u003ctariqt@nvidia.com\u003e\nLink: https://patch.msgid.link/20260316094603.6999-2-tariqt@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "d0f9eca219e6e46f1cf76fc28ae3f753b2b3ecd4", "tree": "bbefb346b7ba075d98715440dd452bff15022662", "parents": [ "cf2ce96c7150f9997fc87281600c3de7f20311bd", "0d4aef630be9d5f9c1227d07669c26c4383b5ad0" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Mar 18 17:41:00 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Mar 18 17:41:00 2026 -0700" }, "message": "Merge tag \u0027batadv-net-pullrequest-20260317\u0027 of https://git.open-mesh.org/linux-merge\n\nSimon Wunderlich says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nHere is a batman-adv bugfix:\n\n- avoid OGM aggregation when skb tailroom is insufficient, by Yang Yang\n\n* tag \u0027batadv-net-pullrequest-20260317\u0027 of https://git.open-mesh.org/linux-merge:\n batman-adv: avoid OGM aggregation when skb tailroom is insufficient\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260317160002.1869478-1-sw@simonwunderlich.de\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "cf2ce96c7150f9997fc87281600c3de7f20311bd", "tree": "e03acc484df925ba3934f5aa36135196bcd3617b", "parents": [ "06413793526251870e20402c39930804f14d59c0", "6850deb61118345996f03b87817b4ae0f2f25c38" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Mar 18 17:38:15 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Mar 18 17:38:15 2026 -0700" }, "message": "Merge branch \u00271GbE\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue\n\nTony Nguyen says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nIntel Wired LAN Driver Updates 2026-03-17 (igc, iavf, libie)\n\nKohei Enju adds use of helper function to add missing update of\nskb-\u003etail when padding is needed for igc.\n\nZdenek Bouska clears stale XSK timestamps when taking down Tx rings on\nigc.\n\nPetr Oros changes handling of iavf VLAN filter handling when an added\nVLAN is also on the delete list to which can race and cause the VLAN\nfilter to not be added.\n\nMichal frees cmd_buf for libie firmware logging to stop memory leaks.\n\n* \u00271GbE\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:\n libie: prevent memleak in fwlog code\n iavf: fix VLAN filter lost on add/delete race\n igc: fix page fault in XDP TX timestamps handling\n igc: fix missing update of skb-\u003etail in igc_xmit_frame()\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260317211906.115505-1-anthony.l.nguyen@intel.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "06413793526251870e20402c39930804f14d59c0", "tree": "04e1c1801e36c52fb304929f3321f879f0b8d7d1", "parents": [ "55dc632ab2ac2889b15995a9eef56c753d48ebc7" ], "author": { "name": "Minhong He", "email": "heminhong@kylinos.cn", "time": "Mon Mar 16 15:33:01 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Mar 18 17:23:43 2026 -0700" }, "message": "ipv6: add NULL checks for idev in SRv6 paths\n\n__in6_dev_get() can return NULL when the device has no IPv6 configuration\n(e.g. MTU \u003c IPV6_MIN_MTU or after NETDEV_UNREGISTER).\n\nAdd NULL checks for idev returned by __in6_dev_get() in both\nseg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL\npointer dereferences.\n\nFixes: 1ababeba4a21 (\"ipv6: implement dataplane support for rthdr type 4 (Segment Routing Header)\")\nFixes: bf355b8d2c30 (\"ipv6: sr: add core files for SR HMAC support\")\nSigned-off-by: Minhong He \u003cheminhong@kylinos.cn\u003e\nReviewed-by: Andrea Mayer \u003candrea.mayer@uniroma2.it\u003e\nLink: https://patch.msgid.link/20260316073301.106643-1-heminhong@kylinos.cn\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "55dc632ab2ac2889b15995a9eef56c753d48ebc7", "tree": "4fe42211a8d08e8cf7d1e9f27eecf2196215d057", "parents": [ "34b11cc56e4369bc08b1f4c4a04222d75ed596ce" ], "author": { "name": "Ian Ray", "email": "ian.ray@gehealthcare.com", "time": "Tue Mar 17 10:53:36 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Mar 18 17:20:51 2026 -0700" }, "message": "NFC: nxp-nci: allow GPIOs to sleep\n\nAllow the firmware and enable GPIOs to sleep.\n\nThis fixes a `WARN_ON\u0027 and allows the driver to operate GPIOs which are\nconnected to I2C GPIO expanders.\n\n-- \u003e8 --\nkernel: WARNING: CPU: 3 PID: 2636 at drivers/gpio/gpiolib.c:3880 gpiod_set_value+0x88/0x98\n-- \u003e8 --\n\nFixes: 43201767b44c (\"NFC: nxp-nci: Convert to use GPIO descriptor\")\nCc: stable@vger.kernel.org\nSigned-off-by: Ian Ray \u003cian.ray@gehealthcare.com\u003e\nLink: https://patch.msgid.link/20260317085337.146545-1-ian.ray@gehealthcare.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "34b11cc56e4369bc08b1f4c4a04222d75ed596ce", "tree": "96674e5e337723f435d611696d904d41aa091678", "parents": [ "8da13e6d63c1a97f7302d342c89c4a56a55c7015" ], "author": { "name": "Fedor Pchelkin", "email": "pchelkin@ispras.ru", "time": "Mon Mar 16 13:38:25 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Mar 18 17:18:53 2026 -0700" }, "message": "net: macb: fix uninitialized rx_fs_lock\n\nIf hardware doesn\u0027t support RX Flow Filters, rx_fs_lock spinlock is not\ninitialized leading to the following assertion splat triggerable via\nset_rxnfc callback.\n\nINFO: trying to register non-static key.\nThe code is fine but needs lockdep annotation, or maybe\nyou didn\u0027t initialize this object before use?\nturning off the locking correctness validator.\nCPU: 1 PID: 949 Comm: syz.0.6 Not tainted 6.1.164+ #113\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106\n assign_lock_key kernel/locking/lockdep.c:974 [inline]\n register_lock_class+0x141b/0x17f0 kernel/locking/lockdep.c:1287\n __lock_acquire+0x74f/0x6c40 kernel/locking/lockdep.c:4928\n lock_acquire kernel/locking/lockdep.c:5662 [inline]\n lock_acquire+0x190/0x4b0 kernel/locking/lockdep.c:5627\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:162\n gem_del_flow_filter drivers/net/ethernet/cadence/macb_main.c:3562 [inline]\n gem_set_rxnfc+0x533/0xac0 drivers/net/ethernet/cadence/macb_main.c:3667\n ethtool_set_rxnfc+0x18c/0x280 net/ethtool/ioctl.c:961\n __dev_ethtool net/ethtool/ioctl.c:2956 [inline]\n dev_ethtool+0x229c/0x6290 net/ethtool/ioctl.c:3095\n dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510\n sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215\n sock_ioctl+0x577/0x6d0 net/socket.c:1320\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:46 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nA more straightforward solution would be to always initialize rx_fs_lock,\njust like rx_fs_list. However, in this case the driver set_rxnfc callback\nwould return with a rather confusing error code, e.g. -EINVAL. So deny\nset_rxnfc attempts directly if the RX filtering feature is not supported\nby hardware.\n\nFixes: ae8223de3df5 (\"net: macb: Added support for RX filtering\")\nSigned-off-by: Fedor Pchelkin \u003cpchelkin@ispras.ru\u003e\nLink: https://patch.msgid.link/20260316103826.74506-2-pchelkin@ispras.ru\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "8da13e6d63c1a97f7302d342c89c4a56a55c7015", "tree": "2aedae0f0e346ee25f6079b717aa369175ae73e0", "parents": [ "7d9351435ebba08bbb60f42793175c9dc714d2fb" ], "author": { "name": "Fedor Pchelkin", "email": "pchelkin@ispras.ru", "time": "Mon Mar 16 13:38:24 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Mar 18 17:18:47 2026 -0700" }, "message": "net: macb: fix use-after-free access to PTP clock\n\nPTP clock is registered on every opening of the interface and destroyed on\nevery closing. However it may be accessed via get_ts_info ethtool call\nwhich is possible while the interface is just present in the kernel.\n\nBUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426\nRead of size 4 at addr ffff8880194345cc by task syz.0.6/948\n\nCPU: 1 PID: 948 Comm: syz.0.6 Not tainted 6.1.164+ #109\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:316 [inline]\n print_report+0x17f/0x496 mm/kasan/report.c:420\n kasan_report+0xd9/0x180 mm/kasan/report.c:524\n ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426\n gem_get_ts_info+0x138/0x1e0 drivers/net/ethernet/cadence/macb_main.c:3349\n macb_get_ts_info+0x68/0xb0 drivers/net/ethernet/cadence/macb_main.c:3371\n __ethtool_get_ts_info+0x17c/0x260 net/ethtool/common.c:558\n ethtool_get_ts_info net/ethtool/ioctl.c:2367 [inline]\n __dev_ethtool net/ethtool/ioctl.c:3017 [inline]\n dev_ethtool+0x2b05/0x6290 net/ethtool/ioctl.c:3095\n dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510\n sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215\n sock_ioctl+0x577/0x6d0 net/socket.c:1320\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:46 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n \u003c/TASK\u003e\n\nAllocated by task 457:\n kmalloc include/linux/slab.h:563 [inline]\n kzalloc include/linux/slab.h:699 [inline]\n ptp_clock_register+0x144/0x10e0 drivers/ptp/ptp_clock.c:235\n gem_ptp_init+0x46f/0x930 drivers/net/ethernet/cadence/macb_ptp.c:375\n macb_open+0x901/0xd10 drivers/net/ethernet/cadence/macb_main.c:2920\n __dev_open+0x2ce/0x500 net/core/dev.c:1501\n __dev_change_flags+0x56a/0x740 net/core/dev.c:8651\n dev_change_flags+0x92/0x170 net/core/dev.c:8722\n do_setlink+0xaf8/0x3a80 net/core/rtnetlink.c:2833\n __rtnl_newlink+0xbf4/0x1940 net/core/rtnetlink.c:3608\n rtnl_newlink+0x63/0xa0 net/core/rtnetlink.c:3655\n rtnetlink_rcv_msg+0x3c6/0xed0 net/core/rtnetlink.c:6150\n netlink_rcv_skb+0x15d/0x430 net/netlink/af_netlink.c:2511\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x6d7/0xa30 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x97e/0xeb0 net/netlink/af_netlink.c:1872\n sock_sendmsg_nosec net/socket.c:718 [inline]\n __sock_sendmsg+0x14b/0x180 net/socket.c:730\n __sys_sendto+0x320/0x3b0 net/socket.c:2152\n __do_sys_sendto net/socket.c:2164 [inline]\n __se_sys_sendto net/socket.c:2160 [inline]\n __x64_sys_sendto+0xdc/0x1b0 net/socket.c:2160\n do_syscall_x64 arch/x86/entry/common.c:46 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nFreed by task 938:\n kasan_slab_free include/linux/kasan.h:177 [inline]\n slab_free_hook mm/slub.c:1729 [inline]\n slab_free_freelist_hook mm/slub.c:1755 [inline]\n slab_free mm/slub.c:3687 [inline]\n __kmem_cache_free+0xbc/0x320 mm/slub.c:3700\n device_release+0xa0/0x240 drivers/base/core.c:2507\n kobject_cleanup lib/kobject.c:681 [inline]\n kobject_release lib/kobject.c:712 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x1cd/0x350 lib/kobject.c:729\n put_device+0x1b/0x30 drivers/base/core.c:3805\n ptp_clock_unregister+0x171/0x270 drivers/ptp/ptp_clock.c:391\n gem_ptp_remove+0x4e/0x1f0 drivers/net/ethernet/cadence/macb_ptp.c:404\n macb_close+0x1c8/0x270 drivers/net/ethernet/cadence/macb_main.c:2966\n __dev_close_many+0x1b9/0x310 net/core/dev.c:1585\n __dev_close net/core/dev.c:1597 [inline]\n __dev_change_flags+0x2bb/0x740 net/core/dev.c:8649\n dev_change_flags+0x92/0x170 net/core/dev.c:8722\n dev_ifsioc+0x151/0xe00 net/core/dev_ioctl.c:326\n dev_ioctl+0x33e/0x1070 net/core/dev_ioctl.c:572\n sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215\n sock_ioctl+0x577/0x6d0 net/socket.c:1320\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:46 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nSet the PTP clock pointer to NULL after unregistering.\n\nFixes: c2594d804d5c (\"macb: Common code to enable ptp support for MACB/GEM\")\nCc: stable@vger.kernel.org\nSigned-off-by: Fedor Pchelkin \u003cpchelkin@ispras.ru\u003e\nLink: https://patch.msgid.link/20260316103826.74506-1-pchelkin@ispras.ru\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "7d9351435ebba08bbb60f42793175c9dc714d2fb", "tree": "c3ab9dbd0f656c93c87d68ac453b3c376053f7c1", "parents": [ "64dcbde7f8f870a4f2d9daf24ffb06f9748b5dd3" ], "author": { "name": "Wesley Atwell", "email": "atwellwea@gmail.com", "time": "Tue Mar 17 00:14:31 2026 -0600" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Mar 18 17:13:34 2026 -0700" }, "message": "netdevsim: drop PSP ext ref on forward failure\n\nnsim_do_psp() takes an extra reference to the PSP skb extension so the\nextension survives __dev_forward_skb(). That forward path scrubs the skb\nand drops attached skb extensions before nsim_psp_handle_ext() can\nreattach the PSP metadata.\n\nIf __dev_forward_skb() fails in nsim_forward_skb(), the function returns\nbefore nsim_psp_handle_ext() can attach that extension to the skb, leaving\nthe extra reference leaked.\n\nDrop the saved PSP extension reference before returning from the\nforward-failure path. Guard the put because plain or non-decapsulated\ntraffic can also fail forwarding without ever taking the extra PSP\nreference.\n\nFixes: f857478d6206 (\"netdevsim: a basic test PSP implementation\")\nSigned-off-by: Wesley Atwell \u003catwellwea@gmail.com\u003e\nReviewed-by: Daniel Zahka \u003cdaniel.zahka@gmail.com\u003e\nLink: https://patch.msgid.link/20260317061431.1482716-1-atwellwea@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "1863b4055b7902de43a1dcc7396805eb631682e5", "tree": "7ea64ca6855fa0add866b3916e966b62f4796a60", "parents": [ "8a30aeb0d1b4e4aaf7f7bae72f20f2ae75385ccb", "d5b66179b0e27c14a9033c4356937506577485e3" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 18 15:50:29 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 18 15:50:29 2026 -0700" }, "message": "Merge tag \u0027libcrypto-for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux\n\nPull crypto library fixes from Eric Biggers:\n\n - Disable the \"padlock\" SHA-1 and SHA-256 driver on Zhaoxin\n processors, since it does not compute hash values correctly\n\n - Make a generated file be removed by \u0027make clean\u0027\n\n - Fix excessive stack usage in some of the arm64 AES code\n\n* tag \u0027libcrypto-for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux:\n lib/crypto: powerpc: Add powerpc/aesp8-ppc.S to clean-files\n crypto: padlock-sha - Disable for Zhaoxin processor\n crypto: arm64/aes-neonbs - Move key expansion off the stack\n" }, { "commit": "8a30aeb0d1b4e4aaf7f7bae72f20f2ae75385ccb", "tree": "172b3674cd1563edf6f437aca9b6d09007c04879", "parents": [ "04a9f1766954687f0a1b7a0f7184dc4f86edcb30", "5133b61aaf437e5f25b1b396b14242a6bb0508e2" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 18 14:27:11 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 18 14:27:11 2026 -0700" }, "message": "Merge tag \u0027nfsd-7.0-2\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux\n\nPull nfsd fixes from Chuck Lever:\n\n - Fix cache_request leak in cache_release()\n\n - Fix heap overflow in the NFSv4.0 LOCK replay cache\n\n - Hold net reference for the lifetime of /proc/fs/nfs/exports fd\n\n - Defer sub-object cleanup in export \"put\" callbacks\n\n* tag \u0027nfsd-7.0-2\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux:\n nfsd: fix heap overflow in NFSv4.0 LOCK replay cache\n sunrpc: fix cache_request leak in cache_release\n NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd\n NFSD: Defer sub-object cleanup in export put callbacks\n" }, { "commit": "04a9f1766954687f0a1b7a0f7184dc4f86edcb30", "tree": "9ceea0d20c4b117b1f1f6fb56dadd57ca1e4637e", "parents": [ "c5cb126c48e728aaf7f2ac209ef5506e47c2ad6a", "df3ef89d7ef8185fa719812e2d175b83112aa315" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 18 08:28:54 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 18 08:28:54 2026 -0700" }, "message": "Merge tag \u0027soc-fixes-7.0\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc\n\nPull SoC fixes from Arnd Bergmann:\n \"The firmware drivers for ARM SCMI, FF-A and the Tee subsystem, as\n well as the reset controller and cache controller subsystem all see\n small bugfixes for reference ounting errors, ABI correctness, and\n NULL pointer dereferences.\n\n Similarly, there are multiple reference counting fixes in drivers/soc/\n for vendor specific drivers (rockchips, microchip), while the\n freescale drivers get a fix for a race condition and error handling.\n\n The devicetree fixes for Rockchips and NXP got held up, so for\n the moment there is only Renesas fixing problesm with SD card\n initialization, a boot hang on one board and incorrect descriptions\n for interrupts and clock registers on some SoCs. The Microchip\n polarfire gets a dts fix for a boot time warning.\n\n A defconfig fix avoids a warning about a conflicting assignment\"\n\n* tag \u0027soc-fixes-7.0\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (21 commits)\n ARM: multi_v7_defconfig: Drop duplicate CONFIG_TI_PRUSS\u003dm\n firmware: arm_scmi: Spelling s/mulit/multi/, s/currenly/currently/\n firmware: arm_scmi: Fix NULL dereference on notify error path\n firmware: arm_scpi: Fix device_node reference leak in probe path\n firmware: arm_ffa: Remove vm_id argument in ffa_rxtx_unmap()\n arm64: dts: renesas: r8a78000: Fix out-of-range SPI interrupt numbers\n arm64: dts: renesas: rzg3s-smarc-som: Set bypass for Versa3 PLL2\n arm64: dts: renesas: r9a09g087: Fix CPG register region sizes\n arm64: dts: renesas: r9a09g077: Fix CPG register region sizes\n arm64: dts: renesas: r9a09g057: Remove wdt{0,2,3} nodes\n arm64: dts: renesas: rzv2-evk-cn15-sd: Add ramp delay for SD0 regulator\n arm64: dts: renesas: rzt2h-n2h-evk: Add ramp delay for SD0 card regulator\n tee: shm: Remove refcounting of kernel pages\n reset: rzg2l-usbphy-ctrl: Check pwrrdy is valid before using it\n soc: fsl: cpm1: qmc: Fix error check for devm_ioremap_resource() in qmc_qe_init_resources()\n soc: fsl: qbman: fix race condition in qman_destroy_fq\n soc: rockchip: grf: Add missing of_node_put() when returning\n cache: ax45mp: Fix device node reference leak in ax45mp_cache_init()\n cache: starfive: fix device node leak in starlink_cache_init()\n riscv: dts: microchip: add can resets to mpfs\n ...\n" }, { "commit": "c5cb126c48e728aaf7f2ac209ef5506e47c2ad6a", "tree": "75b5f5f662ef07c69c1281d32899dd467a4d2bfc", "parents": [ "efa0adb5041591a3bf63e30b36239e4537211222", "5c52607c43c397b79a9852ce33fc61de58c3645c" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 18 08:11:46 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 18 08:11:46 2026 -0700" }, "message": "Merge tag \u0027v7.0-p3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6\n\nPull crypto fix from Herbert Xu:\n\n - Remove duplicate snp_leak_pages call in ccp\n\n* tag \u0027v7.0-p3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:\n crypto: ccp - Fix leaking the same page twice\n" }, { "commit": "efa0adb5041591a3bf63e30b36239e4537211222", "tree": "6661e768d6f450ce0d3a42593206847136367f9a", "parents": [ "a989fde763f4f24209e4702f50a45be572340e68", "c252c12d1f55bd5737e3b8e7839914ccdc7a701c" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 18 08:06:30 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 18 08:06:30 2026 -0700" }, "message": "Merge tag \u0027loongarch-fixes-7.0-1\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson\n\nPull LoongArch fixes from Huacai Chen:\n\n - only use SC.Q when supported by the assembler to fix a build failure\n\n - fix calling smp_processor_id() in preemptible code\n\n - make a BPF helper arch_protect_bpf_trampoline() return 0 to fix a\n kernel memory access failure\n\n - fix a typo issue in kvm_vm_init_features()\n\n* tag \u0027loongarch-fixes-7.0-1\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson:\n LoongArch: KVM: Fix typo issue in kvm_vm_init_features()\n LoongArch: BPF: Make arch_protect_bpf_trampoline() return 0\n LoongArch: No need to flush icache if text copy failed\n LoongArch: Check return values for set_memory_{rw,rox}\n LoongArch: Give more information if kmem access failed\n LoongArch: Fix calling smp_processor_id() in preemptible code\n LoongArch: Only use SC.Q when supported by the assembler\n" }, { "commit": "df3ef89d7ef8185fa719812e2d175b83112aa315", "tree": "337a94515cdbf5668babbf3c17e1eaee6462a42a", "parents": [ "dfc80d650be7f9ccbe2173fe2c53a803e9da93a6", "4e701b47c3ba8f4eaf51d676732b11204bc75b35" ], "author": { "name": "Arnd Bergmann", "email": "arnd@arndb.de", "time": "Wed Mar 18 14:06:34 2026 +0100" }, "committer": { "name": "Arnd Bergmann", "email": "arnd@arndb.de", "time": "Wed Mar 18 14:06:34 2026 +0100" }, "message": "Merge tag \u0027scmi-fixes-7.0\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux into arm/fixes\n\nArm SCMI fixes for v7.0\n\nFew fixes to:\n1. Address a NULL dereference in the SCMI notify error path by ensurin\n __scmi_event_handler_get_ops() consistently returns an ERR_PTR on\n failure, as expected by callers.\n2. Fix a device_node reference leak in the SCPI probe path by introducing\n scope-based cleanup for acquired DT nodes.\n3. Correct minor spelling errors.\n\n* tag \u0027scmi-fixes-7.0\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux:\n firmware: arm_scmi: Spelling s/mulit/multi/, s/currenly/currently/\n firmware: arm_scmi: Fix NULL dereference on notify error path\n firmware: arm_scpi: Fix device_node reference leak in probe path\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\n" }, { "commit": "dfc80d650be7f9ccbe2173fe2c53a803e9da93a6", "tree": "8b71d9323ec87e88c99a23340f93468295e1ec67", "parents": [ "b3315ba042f2c8d3bc66502ada4555c11363cdeb", "a4e8473b775160f3ce978f621cf8dea2c7250433" ], "author": { "name": "Arnd Bergmann", "email": "arnd@arndb.de", "time": "Wed Mar 18 14:05:30 2026 +0100" }, "committer": { "name": "Arnd Bergmann", "email": "arnd@arndb.de", "time": "Wed Mar 18 14:05:31 2026 +0100" }, "message": "Merge tag \u0027ffa-fix-7.0\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux into arm/fixes\n\nArm FF-A fix for v7.0\n\nFix removing the vm_id argument from ffa_rxtx_unmap(), as the FF-A\nspecification mandates this field be zero in all contexts except a\nnon-secure physical FF-A instance, where the ID is inherently 0.\n\n* tag \u0027ffa-fix-7.0\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux:\n firmware: arm_ffa: Remove vm_id argument in ffa_rxtx_unmap()\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\n" }, { "commit": "b3315ba042f2c8d3bc66502ada4555c11363cdeb", "tree": "c36813676513fc8c879027f945543cfa8c519241", "parents": [ "ffe6989c73b31f92a22cab1132e86545f8306d69", "08d9a4580f71120be3c5b221af32dca00a48ceb0" ], "author": { "name": "Arnd Bergmann", "email": "arnd@arndb.de", "time": "Wed Mar 18 13:28:45 2026 +0100" }, "committer": { "name": "Arnd Bergmann", "email": "arnd@arndb.de", "time": "Wed Mar 18 13:29:06 2026 +0100" }, "message": "Merge tag \u0027tee-fix-for-v7.0\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee into arm/fixes\n\nTEE shared memory update for 7.0\n\nRemove refcounting of kernel pages in register_shm_helper() to support\nslab allocations.\n\n* tag \u0027tee-fix-for-v7.0\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee:\n tee: shm: Remove refcounting of kernel pages\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\n" }, { "commit": "e7648ffecb7fcb7400e123bb6ea989633a104fc3", "tree": "77b78006ea357e001a2506cd95100282ba4e2328", "parents": [ "f338e77383789c0cae23ca3d48adcc5e9e137e3c" ], "author": { "name": "Pratap Nirujogi", "email": "pratap.nirujogi@amd.com", "time": "Tue Mar 17 23:47:57 2026 -0400" }, "committer": { "name": "Rafael J. Wysocki", "email": "rafael.j.wysocki@intel.com", "time": "Wed Mar 18 11:57:22 2026 +0100" }, "message": "ACPI: bus: Fix MFD child automatic modprobe issue\n\nMFD child devices sharing parent\u0027s ACPI Companion fails to probe as\nacpi_companion_match() returns incompatible ACPI Companion handle for\nbinding with the check for pnp.type.backlight added recently. Remove this\npnp.type.backlight check in acpi_companion_match() to fix the automatic\nmodprobe issue.\n\nFixes: 7a7a7ed5f8bdb (\"ACPI: scan: Register platform devices for backlight device objects\")\nSigned-off-by: Pratap Nirujogi \u003cpratap.nirujogi@amd.com\u003e\nLink: https://patch.msgid.link/20260318034842.1216536-1-pratap.nirujogi@amd.com\nSigned-off-by: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\n" }, { "commit": "bf504b229cb8d534eccbaeaa23eba34c05131e25", "tree": "712c139445b120a871dca41d7422c921bfb8f98e", "parents": [ "f338e77383789c0cae23ca3d48adcc5e9e137e3c" ], "author": { "name": "Rafael J. Wysocki", "email": "rafael.j.wysocki@intel.com", "time": "Tue Mar 17 21:39:05 2026 +0100" }, "committer": { "name": "Rafael J. Wysocki", "email": "rafael.j.wysocki@intel.com", "time": "Wed Mar 18 11:53:07 2026 +0100" }, "message": "ACPI: processor: Fix previous acpi_processor_errata_piix4() fix\n\nAfter commi f132e089fe89 (\"ACPI: processor: Fix NULL-pointer dereference\nin acpi_processor_errata_piix4()\"), device pointers may be dereferenced\nafter dropping references to the device objects pointed to by them,\nwhich may cause a use-after-free to occur.\n\nMoreover, debug messages about enabling the errata may be printed\nif the errata flags corresponding to them are unset.\n\nAddress all of these issues by moving message printing to the points\nin the code where the errata flags are set.\n\nFixes: f132e089fe89 (\"ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()\")\nReported-by: Guenter Roeck \u003clinux@roeck-us.net\u003e\nCloses: https://lore.kernel.org/linux-acpi/938e2206-def5-4b7a-9b2c-d1fd37681d8a@roeck-us.net/\nReviewed-by: Guenter Roeck \u003clinux@roeck-us.net\u003e\nSigned-off-by: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\nLink: https://patch.msgid.link/5975693.DvuYhMxLoT@rafael.j.wysocki\n" }, { "commit": "d5ad6ab61cbd89afdb60881f6274f74328af3ee9", "tree": "22de5814a918b183cf4d9014f73547ce41ccc5be", "parents": [ "deb353d9bb009638b7762cae2d0b6e8fdbb41a69" ], "author": { "name": "Felix Fietkau", "email": "nbd@nbd.name", "time": "Sat Mar 14 06:54:55 2026 +0000" }, "committer": { "name": "Johannes Berg", "email": "johannes.berg@intel.com", "time": "Wed Mar 18 09:09:58 2026 +0100" }, "message": "wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure\n\nieee80211_tx_prepare_skb() has three error paths, but only two of them\nfree the skb. The first error path (ieee80211_tx_prepare() returning\nTX_DROP) does not free it, while invoke_tx_handlers() failure and the\nfragmentation check both do.\n\nAdd kfree_skb() to the first error path so all three are consistent,\nand remove the now-redundant frees in callers (ath9k, mt76,\nmac80211_hwsim) to avoid double-free.\n\nDocument the skb ownership guarantee in the function\u0027s kdoc.\n\nSigned-off-by: Felix Fietkau \u003cnbd@nbd.name\u003e\nLink: https://patch.msgid.link/20260314065455.2462900-1-nbd@nbd.name\nFixes: 06be6b149f7e (\"mac80211: add ieee80211_tx_prepare_skb() helper function\")\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\n" }, { "commit": "deb353d9bb009638b7762cae2d0b6e8fdbb41a69", "tree": "6aa857cb764a4b6f0981eb74f0b871d79d7c625a", "parents": [ "c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd" ], "author": { "name": "Guenter Roeck", "email": "linux@roeck-us.net", "time": "Tue Mar 17 23:46:36 2026 -0700" }, "committer": { "name": "Johannes Berg", "email": "johannes.berg@intel.com", "time": "Wed Mar 18 09:05:06 2026 +0100" }, "message": "wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom\n\nSince upstream commit e75665dd0968 (\"wifi: wlcore: ensure skb headroom\nbefore skb_push\"), wl1271_tx_allocate() and with it\nwl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails.\nHowever, in wlcore_tx_work_locked(), a return value of -EAGAIN from\nwl1271_prepare_tx_frame() is interpreted as the aggregation buffer being\nfull. This causes the code to flush the buffer, put the skb back at the\nhead of the queue, and immediately retry the same skb in a tight while\nloop.\n\nBecause wlcore_tx_work_locked() holds wl-\u003emutex, and the retry happens\nimmediately with GFP_ATOMIC, this will result in an infinite loop and a\nCPU soft lockup. Return -ENOMEM instead so the packet is dropped and\nthe loop terminates.\n\nThe problem was found by an experimental code review agent based on\ngemini-3.1-pro while reviewing backports into v6.18.y.\n\nAssisted-by: Gemini:gemini-3.1-pro\nFixes: e75665dd0968 (\"wifi: wlcore: ensure skb headroom before skb_push\")\nCc: Peter Astrand \u003castrand@lysator.liu.se\u003e\nSigned-off-by: Guenter Roeck \u003clinux@roeck-us.net\u003e\nLink: https://patch.msgid.link/20260318064636.3065925-1-linux@roeck-us.net\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\n" }, { "commit": "c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd", "tree": "b5cafb7a304d9c38ce1de70507dba6be65d6b27b", "parents": [ "7d73872d949c488a1d7c308031d6a9d89b5e0a8b" ], "author": { "name": "Xiang Mei", "email": "xmei5@asu.edu", "time": "Tue Mar 17 20:42:44 2026 -0700" }, "committer": { "name": "Johannes Berg", "email": "johannes.berg@intel.com", "time": "Wed Mar 18 09:01:16 2026 +0100" }, "message": "wifi: mac80211: fix NULL deref in mesh_matches_local()\n\nmesh_matches_local() unconditionally dereferences ie-\u003emesh_config to\ncompare mesh configuration parameters. When called from\nmesh_rx_csa_frame(), the parsed action-frame elements may not contain a\nMesh Configuration IE, leaving ie-\u003emesh_config NULL and triggering a\nkernel NULL pointer dereference.\n\nThe other two callers are already safe:\n - ieee80211_mesh_rx_bcn_presp() checks !elems-\u003emesh_config before\n calling mesh_matches_local()\n - mesh_plink_get_event() is only reached through\n mesh_process_plink_frame(), which checks !elems-\u003emesh_config, too\n\nmesh_rx_csa_frame() is the only caller that passes raw parsed elements\nto mesh_matches_local() without guarding mesh_config. An adjacent\nattacker can exploit this by sending a crafted CSA action frame that\nincludes a valid Mesh ID IE but omits the Mesh Configuration IE,\ncrashing the kernel.\n\nThe captured crash log:\n\nOops: general protection fault, probably for non-canonical address ...\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nWorkqueue: events_unbound cfg80211_wiphy_work\n[...]\nCall Trace:\n \u003cTASK\u003e\n ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)\n ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)\n [...]\n ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)\n [...]\n cfg80211_wiphy_work (net/wireless/core.c:426)\n process_one_work (net/kernel/workqueue.c:3280)\n ? assign_work (net/kernel/workqueue.c:1219)\n worker_thread (net/kernel/workqueue.c:3352)\n ? __pfx_worker_thread (net/kernel/workqueue.c:3385)\n kthread (net/kernel/kthread.c:436)\n [...]\n ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)\n \u003c/TASK\u003e\n\nThis patch adds a NULL check for ie-\u003emesh_config at the top of\nmesh_matches_local() to return false early when the Mesh Configuration\nIE is absent.\n\nFixes: 2e3c8736820b (\"mac80211: support functions for mesh\")\nReported-by: Weiming Shi \u003cbestswngs@gmail.com\u003e\nSigned-off-by: Xiang Mei \u003cxmei5@asu.edu\u003e\nLink: https://patch.msgid.link/20260318034244.2595020-1-xmei5@asu.edu\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\n" }, { "commit": "64dcbde7f8f870a4f2d9daf24ffb06f9748b5dd3", "tree": "e93d3479c94c23b45fc22240401a5c65fd8ced75", "parents": [ "069c8f5aebe4d5224cf62acc7d4b3486091c658a" ], "author": { "name": "Junrui Luo", "email": "moonafterrain@outlook.com", "time": "Sat Mar 14 17:41:04 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue Mar 17 15:57:57 2026 -0700" }, "message": "bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler\n\nThe ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in\nbnxt_async_event_process() uses a firmware-supplied \u0027type\u0027 field\ndirectly as an index into bp-\u003ebs_trace[] without bounds validation.\n\nThe \u0027type\u0027 field is a 16-bit value extracted from DMA-mapped completion\nring memory that the NIC writes directly to host RAM. A malicious or\ncompromised NIC can supply any value from 0 to 65535, causing an\nout-of-bounds access into kernel heap memory.\n\nThe bnxt_bs_trace_check_wrap() call then dereferences bs_trace-\u003emagic_byte\nand writes to bs_trace-\u003elast_offset and bs_trace-\u003ewrapped, leading to\nkernel memory corruption or a crash.\n\nFix by adding a bounds check and defining BNXT_TRACE_MAX as\nDBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently\ndefined firmware trace types (0x0 through 0xc).\n\nFixes: 84fcd9449fd7 (\"bnxt_en: Manage the FW trace context memory\")\nReported-by: Yuhao Jiang \u003cdanisjiang@gmail.com\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Junrui Luo \u003cmoonafterrain@outlook.com\u003e\nReviewed-by: Michael Chan \u003cmichael.chan@broadcom.com\u003e\nLink: https://patch.msgid.link/SYBPR01MB7881A253A1C9775D277F30E9AF42A@SYBPR01MB7881.ausprd01.prod.outlook.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "a989fde763f4f24209e4702f50a45be572340e68", "tree": "13a3ed749e4be8a321aa16d006ea4fbd822cd707", "parents": [ "9e22d8e18f37059678c2f34ab3b447b8c964c6bf", "a8aec14230322ed8f1e8042b6d656c1631d41163" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Mar 17 15:19:58 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Mar 17 15:19:58 2026 -0700" }, "message": "Merge tag \u0027libnvdimm-fixes-7.0-rc5\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm\n\nPull libnvdimm fix from Ira Weiny:\n\n - Fix old potential use after free bug\n\n* tag \u0027libnvdimm-fixes-7.0-rc5\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:\n nvdimm/bus: Fix potential use after free in asynchronous initialization\n" }, { "commit": "9e22d8e18f37059678c2f34ab3b447b8c964c6bf", "tree": "8dec43e0721696dcfc7b3f3791197d950fe5a539", "parents": [ "f0caa1d49cc07b30a7e2f104d3853ec6dc1c3cad", "8b8f1d5e350acdf972b6b02e225d9e14c600f7ad" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Mar 17 15:00:53 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Mar 17 15:00:53 2026 -0700" }, "message": "Merge tag \u0027linux_kselftest-kunit-fixes-7.0-rc5\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest\n\nPull kunit fix from Shuah Khan:\n\n - Add documentation for --list_suites feature\n\n* tag \u0027linux_kselftest-kunit-fixes-7.0-rc5\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:\n kunit: Add documentation of --list_suites\n" }, { "commit": "6850deb61118345996f03b87817b4ae0f2f25c38", "tree": "fbb23b3b0bcb646558eaca512464a104b322774d", "parents": [ "fc9c69be594756b81b54c6bc40803fa6052f35ae" ], "author": { "name": "Michal Swiatkowski", "email": "michal.swiatkowski@linux.intel.com", "time": "Wed Feb 11 10:10:08 2026 +0100" }, "committer": { "name": "Tony Nguyen", "email": "anthony.l.nguyen@intel.com", "time": "Tue Mar 17 14:12:36 2026 -0700" }, "message": "libie: prevent memleak in fwlog code\n\nAll cmd_buf buffers are allocated and need to be freed after usage.\nAdd an error unwinding path that properly frees these buffers.\n\nThe memory leak happens whenever fwlog configuration is changed. For\nexample:\n\n$echo 256K \u003e /sys/kernel/debug/ixgbe/0000\\:32\\:00.0/fwlog/log_size\n\nFixes: 96a9a9341cda (\"ice: configure FW logging\")\nReviewed-by: Aleksandr Loktionov \u003caleksandr.loktionov@intel.com\u003e\nSigned-off-by: Michal Swiatkowski \u003cmichal.swiatkowski@linux.intel.com\u003e\nReviewed-by: Simon Horman \u003chorms@kernel.org\u003e\nTested-by: Rinitha S \u003csx.rinitha@intel.com\u003e (A Contingent worker at Intel)\nSigned-off-by: Tony Nguyen \u003canthony.l.nguyen@intel.com\u003e\n" }, { "commit": "f0caa1d49cc07b30a7e2f104d3853ec6dc1c3cad", "tree": "4805247acc224d42a845f87e52985e847e1d7f43", "parents": [ "8a91ebb337fa68e01339a8c1c411a38d66eac80e", "e716edafedad4952fe3a4a273d2e039a84e8681a" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Mar 17 13:55:51 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Mar 17 13:55:51 2026 -0700" }, "message": "Merge tag \u0027hid-for-linus-2026031701\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid\n\nPull HID fixes from Jiri Kosina:\n\n - various fixes dealing with (intentionally) broken devices in HID\n core, logitech-hidpp and multitouch drivers (Lee Jones)\n\n - fix for OOB in wacom driver (Benoît Sevens)\n\n - fix for potentialy HID-bpf-induced buffer overflow in () (Benjamin\n Tissoires)\n\n - various other small fixes and device ID / quirk additions\n\n* tag \u0027hid-for-linus-2026031701\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:\n HID: multitouch: Check to ensure report responses match the request\n HID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure\n HID: bpf: prevent buffer overflow in hid_hw_request\n selftests/hid: fix compilation when bpf_wq and hid_device are not exported\n HID: core: Mitigate potential OOB by removing bogus memset()\n HID: intel-thc-hid: Set HID_PHYS with PCI BDF\n HID: appletb-kbd: add .resume method in PM\n HID: logitech-hidpp: Enable MX Master 4 over bluetooth\n HID: input: Add HID_BATTERY_QUIRK_DYNAMIC for Elan touchscreens\n HID: input: Drop Asus UX550* touchscreen ignore battery quirks\n HID: asus: add xg mobile 2022 external hardware support\n HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq\n" }, { "commit": "fc9c69be594756b81b54c6bc40803fa6052f35ae", "tree": "6019c6899c355e2fb7e3eb38843bd8db8bca579b", "parents": [ "45b33e805bd39f615d9353a7194b2da5281332df" ], "author": { "name": "Petr Oros", "email": "poros@redhat.com", "time": "Wed Feb 25 11:01:37 2026 +0100" }, "committer": { "name": "Tony Nguyen", "email": "anthony.l.nguyen@intel.com", "time": "Tue Mar 17 13:48:02 2026 -0700" }, "message": "iavf: fix VLAN filter lost on add/delete race\n\nWhen iavf_add_vlan() finds an existing filter in IAVF_VLAN_REMOVE\nstate, it transitions the filter to IAVF_VLAN_ACTIVE assuming the\npending delete can simply be cancelled. However, there is no guarantee\nthat iavf_del_vlans() has not already processed the delete AQ request\nand removed the filter from the PF. In that case the filter remains in\nthe driver\u0027s list as IAVF_VLAN_ACTIVE but is no longer programmed on\nthe NIC. Since iavf_add_vlans() only picks up filters in\nIAVF_VLAN_ADD state, the filter is never re-added, and spoof checking\ndrops all traffic for that VLAN.\n\n CPU0 CPU1 Workqueue\n ---- ---- ---------\n iavf_del_vlan(vlan 100)\n f-\u003estate \u003d REMOVE\n schedule AQ_DEL_VLAN\n iavf_add_vlan(vlan 100)\n f-\u003estate \u003d ACTIVE\n iavf_del_vlans()\n f is ACTIVE, skip\n iavf_add_vlans()\n f is ACTIVE, skip\n\n Filter is ACTIVE in driver but absent from NIC.\n\nTransition to IAVF_VLAN_ADD instead and schedule\nIAVF_FLAG_AQ_ADD_VLAN_FILTER so iavf_add_vlans() re-programs the\nfilter. A duplicate add is idempotent on the PF.\n\nFixes: 0c0da0e95105 (\"iavf: refactor VLAN filter states\")\nSigned-off-by: Petr Oros \u003cporos@redhat.com\u003e\nTested-by: Rafal Romanowski \u003crafal.romanowski@intel.com\u003e\nSigned-off-by: Tony Nguyen \u003canthony.l.nguyen@intel.com\u003e\n" }, { "commit": "45b33e805bd39f615d9353a7194b2da5281332df", "tree": "d6495af404425581608266d97e14b3876fc414e7", "parents": [ "0ffba246652faf4a36aedc66059c2f94e4c83ea5" ], "author": { "name": "Zdenek Bouska", "email": "zdenek.bouska@siemens.com", "time": "Wed Feb 25 10:58:29 2026 +0100" }, "committer": { "name": "Tony Nguyen", "email": "anthony.l.nguyen@intel.com", "time": "Tue Mar 17 13:28:55 2026 -0700" }, "message": "igc: fix page fault in XDP TX timestamps handling\n\nIf an XDP application that requested TX timestamping is shutting down\nwhile the link of the interface in use is still up the following kernel\nsplat is reported:\n\n[ 883.803618] [ T1554] BUG: unable to handle page fault for address: ffffcfb6200fd008\n...\n[ 883.803650] [ T1554] Call Trace:\n[ 883.803652] [ T1554] \u003cTASK\u003e\n[ 883.803654] [ T1554] igc_ptp_tx_tstamp_event+0xdf/0x160 [igc]\n[ 883.803660] [ T1554] igc_tsync_interrupt+0x2d5/0x300 [igc]\n...\n\nDuring shutdown of the TX ring the xsk_meta pointers are left behind, so\nthat the IRQ handler is trying to touch them.\n\nThis issue is now being fixed by cleaning up the stale xsk meta data on\nTX shutdown. TX timestamps on other queues remain unaffected.\n\nFixes: 15fd021bc427 (\"igc: Add Tx hardware timestamp request for AF_XDP zero-copy packet\")\nSigned-off-by: Zdenek Bouska \u003czdenek.bouska@siemens.com\u003e\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nReviewed-by: Florian Bezdeka \u003cflorian.bezdeka@siemens.com\u003e\nTested-by: Avigail Dahan \u003cavigailx.dahan@intel.com\u003e\nSigned-off-by: Tony Nguyen \u003canthony.l.nguyen@intel.com\u003e\n" }, { "commit": "0ffba246652faf4a36aedc66059c2f94e4c83ea5", "tree": "af303aac5f96fff775b013d845d241193e6f1c85", "parents": [ "069c8f5aebe4d5224cf62acc7d4b3486091c658a" ], "author": { "name": "Kohei Enju", "email": "kohei@enjuk.jp", "time": "Sat Feb 14 19:46:32 2026 +0000" }, "committer": { "name": "Tony Nguyen", "email": "anthony.l.nguyen@intel.com", "time": "Tue Mar 17 13:28:55 2026 -0700" }, "message": "igc: fix missing update of skb-\u003etail in igc_xmit_frame()\n\nigc_xmit_frame() misses updating skb-\u003etail when the packet size is\nshorter than the minimum one.\nUse skb_put_padto() in alignment with other Intel Ethernet drivers.\n\nFixes: 0507ef8a0372 (\"igc: Add transmit and receive fastpath and interrupt handlers\")\nSigned-off-by: Kohei Enju \u003ckohei@enjuk.jp\u003e\nReviewed-by: Simon Horman \u003chorms@kernel.org\u003e\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nTested-by: Avigail Dahan \u003cavigailx.dahan@intel.com\u003e\nSigned-off-by: Tony Nguyen \u003canthony.l.nguyen@intel.com\u003e\n" }, { "commit": "ab93d7eee94205430fc3b0532557cb0494bf2faf", "tree": "55cf7bd5f24ee0c76c4af80f1d94964f08064beb", "parents": [ "f338e77383789c0cae23ca3d48adcc5e9e137e3c" ], "author": { "name": "Saket Dumbre", "email": "saket.dumbre@intel.com", "time": "Tue Mar 17 20:34:49 2026 +0100" }, "committer": { "name": "Rafael J. Wysocki", "email": "rafael.j.wysocki@intel.com", "time": "Tue Mar 17 20:51:13 2026 +0100" }, "message": "ACPICA: Update the format of Arg3 of _DSM\n\nTo get rid of type incompatibility warnings in Linux.\n\nFixes: 81f92cff6d42 (\"ACPICA: ACPI_TYPE_ANY does not include the package type\")\nLink: https://github.com/acpica/acpica/commit/4fb74872dcec\nSigned-off-by: Saket Dumbre \u003csaket.dumbre@intel.com\u003e\nSigned-off-by: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\nLink: https://patch.msgid.link/12856643.O9o76ZdvQC@rafael.j.wysocki\n" }, { "commit": "d5b66179b0e27c14a9033c4356937506577485e3", "tree": "2f9aae7099afb7c166ce1e97563dbf68bbadbe76", "parents": [ "ebba09f198078b7a2565004104ef762d1148e7f0" ], "author": { "name": "Eric Biggers", "email": "ebiggers@kernel.org", "time": "Mon Mar 16 21:49:25 2026 -0700" }, "committer": { "name": "Eric Biggers", "email": "ebiggers@kernel.org", "time": "Tue Mar 17 09:27:11 2026 -0700" }, "message": "lib/crypto: powerpc: Add powerpc/aesp8-ppc.S to clean-files\n\nMake the generated file powerpc/aesp8-ppc.S be removed by \u0027make clean\u0027.\n\nFixes: 7cf2082e74ce (\"lib/crypto: powerpc/aes: Migrate POWER8 optimized code into library\")\nAcked-by: Ard Biesheuvel \u003cardb@kernel.org\u003e\nLink: https://lore.kernel.org/r/20260317044925.104184-1-ebiggers@kernel.org\nSigned-off-by: Eric Biggers \u003cebiggers@kernel.org\u003e\n" }, { "commit": "069c8f5aebe4d5224cf62acc7d4b3486091c658a", "tree": "6d4bd6fadbe0d69d8af21661404a44bc4fd29a7b", "parents": [ "a0671125d4f55e1e98d9bde8a0b671941987e208" ], "author": { "name": "Nikola Z. Ivanov", "email": "zlatistiv@gmail.com", "time": "Fri Mar 13 16:16:43 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Mar 17 13:36:12 2026 +0100" }, "message": "net: usb: aqc111: Do not perform PM inside suspend callback\n\nsyzbot reports \"task hung in rpm_resume\"\n\nThis is caused by aqc111_suspend calling\nthe PM variant of its write_cmd routine.\n\nThe simplified call trace looks like this:\n\nrpm_suspend()\n usb_suspend_both() - here udev-\u003edev.power.runtime_status \u003d\u003d RPM_SUSPENDING\n aqc111_suspend() - called for the usb device interface\n aqc111_write32_cmd()\n usb_autopm_get_interface()\n pm_runtime_resume_and_get()\n rpm_resume() - here we call rpm_resume() on our parent\n rpm_resume() - Here we wait for a status change that will never happen.\n\nAt this point we block another task which holds\nrtnl_lock and locks up the whole networking stack.\n\nFix this by replacing the write_cmd calls with their _nopm variants\n\nReported-by: syzbot+48dc1e8dfc92faf1124c@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid\u003d48dc1e8dfc92faf1124c\nFixes: e58ba4544c77 (\"net: usb: aqc111: Add support for wake on LAN by MAGIC packet\")\nSigned-off-by: Nikola Z. Ivanov \u003czlatistiv@gmail.com\u003e\nLink: https://patch.msgid.link/20260313141643.1181386-1-zlatistiv@gmail.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "a0671125d4f55e1e98d9bde8a0b671941987e208", "tree": "c9ea686a84db62e56df305eedf917f5e565a4625", "parents": [ "e4c00ba7274b613e3ab19e27eb009f0ec2e28379" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Fri Mar 13 07:55:31 2026 +0100" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Mar 17 12:09:16 2026 +0100" }, "message": "clsact: Fix use-after-free in init/destroy rollback asymmetry\n\nFix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry.\nThe latter is achieved by first fully initializing a clsact instance, and\nthen in a second step having a replacement failure for the new clsact qdisc\ninstance. clsact_init() initializes ingress first and then takes care of the\negress part. This can fail midway, for example, via tcf_block_get_ext(). Upon\nfailure, the kernel will trigger the clsact_destroy() callback.\n\nCommit 1cb6f0bae504 (\"bpf: Fix too early release of tcx_entry\") details the\nway how the transition is happening. If tcf_block_get_ext on the q-\u003eingress_block\nends up failing, we took the tcx_miniq_inc reference count on the ingress\nside, but not yet on the egress side. clsact_destroy() tests whether the\n{ingress,egress}_entry was non-NULL. However, even in midway failure on the\nreplacement, both are in fact non-NULL with a valid egress_entry from the\nprevious clsact instance.\n\nWhat we really need to test for is whether the qdisc instance-specific ingress\nor egress side previously got initialized. This adds a small helper for checking\nthe miniq initialization called mini_qdisc_pair_inited, and utilizes that upon\nclsact_destroy() in order to fix the use-after-free scenario. Convert the\ningress_destroy() side as well so both are consistent to each other.\n\nFixes: 1cb6f0bae504 (\"bpf: Fix too early release of tcx_entry\")\nReported-by: Keenan Dong \u003ckeenanat2000@gmail.com\u003e\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nCc: Martin KaFai Lau \u003cmartin.lau@kernel.org\u003e\nAcked-by: Martin KaFai Lau \u003cmartin.lau@kernel.org\u003e\nLink: https://patch.msgid.link/20260313065531.98639-1-daniel@iogearbox.net\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "e716edafedad4952fe3a4a273d2e039a84e8681a", "tree": "0cdcea7537049f1fe7240da4e6575273748cbba3", "parents": [ "f7a4c78bfeb320299c1b641500fe7761eadbd101" ], "author": { "name": "Lee Jones", "email": "lee@kernel.org", "time": "Fri Feb 27 16:30:25 2026 +0000" }, "committer": { "name": "Benjamin Tissoires", "email": "bentiss@kernel.org", "time": "Tue Mar 17 11:36:16 2026 +0100" }, "message": "HID: multitouch: Check to ensure report responses match the request\n\nIt is possible for a malicious (or clumsy) device to respond to a\nspecific report\u0027s feature request using a completely different report\nID. This can cause confusion in the HID core resulting in nasty\nside-effects such as OOB writes.\n\nAdd a check to ensure that the report ID in the response, matches the\none that was requested. If it doesn\u0027t, omit reporting the raw event and\nreturn early.\n\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\nSigned-off-by: Benjamin Tissoires \u003cbentiss@kernel.org\u003e\n" }, { "commit": "ffe6989c73b31f92a22cab1132e86545f8306d69", "tree": "2e7807ea7b7a81519c2090e642b1eb746cb3f7f8", "parents": [ "9e22e9c4a5bd208a2d17f0b1a8414c170b4e5939", "24ed11ee5bacf9a9aca18fc6b47667c7f38d578b" ], "author": { "name": "Krzysztof Kozlowski", "email": "krzk@kernel.org", "time": "Tue Mar 17 09:35:40 2026 +0100" }, "committer": { "name": "Krzysztof Kozlowski", "email": "krzk@kernel.org", "time": "Tue Mar 17 09:35:40 2026 +0100" }, "message": "Merge tag \u0027v7.0-rockchip-drvfixes1\u0027 of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into arm/fixes\n\nFixing a missing of_node_put() call.\n\n* tag \u0027v7.0-rockchip-drvfixes1\u0027 of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip:\n soc: rockchip: grf: Add missing of_node_put() when returning\n\nSigned-off-by: Krzysztof Kozlowski \u003ckrzk@kernel.org\u003e\n" }, { "commit": "e4c00ba7274b613e3ab19e27eb009f0ec2e28379", "tree": "4e467c43c7dee65a1976626139a50806c80243a1", "parents": [ "b9ba668296ffd6143b01b0545a52bcda44f94837" ], "author": { "name": "Paul SAGE", "email": "paul.sage@42.fr", "time": "Sun Mar 15 03:24:30 2026 +0530" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Mar 16 20:22:29 2026 -0700" }, "message": "tg3: replace placeholder MAC address with device property\n\nOn some systems (e.g. iMac 20,1 with BCM57766), the tg3 driver reads\na default placeholder mac address (00:10:18:00:00:00) from the\nmailbox. The correct value on those systems are stored in the\n\u0027local-mac-address\u0027 property.\n\nThis patch, detect the default value and tries to retrieve\nthe correct address from the device_get_mac_address\nfunction instead.\n\nThe patch has been tested on two different systems:\n- iMac 20,1 (BCM57766) model which use the local-mac-address property\n- iMac 13,2 (BCM57766) model which can use the mailbox,\n NVRAM or MAC control registers\n\nTested-by: Rishon Jonathan R \u003cmithicalaviator85@gmail.com\u003e\n\nCo-developed-by: Vincent MORVAN \u003cvinc@42.fr\u003e\nSigned-off-by: Vincent MORVAN \u003cvinc@42.fr\u003e\nSigned-off-by: Paul SAGE \u003cpaul.sage@42.fr\u003e\nSigned-off-by: Atharva Tiwari \u003catharvatiwarilinuxdev@gmail.com\u003e\nReviewed-by: Michael Chan \u003cmichael.chan@broadcom.com\u003e\nLink: https://patch.msgid.link/20260314215432.3589-1-atharvatiwarilinuxdev@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "b9ba668296ffd6143b01b0545a52bcda44f94837", "tree": "9cf3795ce1622db170ef44043cc39ee3de55e13d", "parents": [ "d4a533ad249e9fbdc2d0633f2ddd60a5b3a9a4ca", "77914255155e68a20aa41175edeecf8121dac391" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Mar 16 20:14:50 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Mar 16 20:14:50 2026 -0700" }, "message": "Merge branch \u0027net-usb-cdc_ncm-add-ndpoffset-to-ndp-nframes-bounds-check\u0027\n\ntobgaertner says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnet: usb: cdc_ncm: add ndpoffset to NDP nframes bounds check\n\nThe nframes bounds check in cdc_ncm_rx_verify_ndp16() and\ncdc_ncm_rx_verify_ndp32() does not account for ndpoffset,\nallowing out-of-bounds reads when the NDP is placed near the\nend of the NTB.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260314054640.2895026-1-tob.gaertner@me.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "77914255155e68a20aa41175edeecf8121dac391", "tree": "9cf3795ce1622db170ef44043cc39ee3de55e13d", "parents": [ "2aa8a4fa8d5b7d0e1ebcec100e1a4d80a1f4b21a" ], "author": { "name": "Tobi Gaertner", "email": "tob.gaertner@me.com", "time": "Fri Mar 13 22:46:40 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Mar 16 20:14:48 2026 -0700" }, "message": "net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check\n\nThe same bounds-check bug fixed for NDP16 in the previous patch also\nexists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated\nagainst the total skb length without accounting for ndpoffset, allowing\nout-of-bounds reads when the NDP32 is placed near the end of the NTB.\n\nAdd ndpoffset to the nframes bounds check and use struct_size_t() to\nexpress the NDP-plus-DPE-array size more clearly.\n\nCompile-tested only.\n\nFixes: 0fa81b304a79 (\"cdc_ncm: Implement the 32-bit version of NCM Transfer Block\")\nSigned-off-by: Tobi Gaertner \u003ctob.gaertner@me.com\u003e\nLink: https://patch.msgid.link/20260314054640.2895026-3-tob.gaertner@me.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "2aa8a4fa8d5b7d0e1ebcec100e1a4d80a1f4b21a", "tree": "ddadd6095f2286cb5ae543ae81f2ce84261d9332", "parents": [ "d4a533ad249e9fbdc2d0633f2ddd60a5b3a9a4ca" ], "author": { "name": "Tobi Gaertner", "email": "tob.gaertner@me.com", "time": "Fri Mar 13 22:46:39 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Mar 16 20:14:48 2026 -0700" }, "message": "net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check\n\ncdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE\nentries fit within the skb. The first check correctly accounts for\nndpoffset:\n\n if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) \u003e skb_in-\u003elen)\n\nbut the second check omits it:\n\n if ((sizeof(struct usb_cdc_ncm_ndp16) +\n ret * (sizeof(struct usb_cdc_ncm_dpe16))) \u003e skb_in-\u003elen)\n\nThis validates the DPE array size against the total skb length as if\nthe NDP were at offset 0, rather than at ndpoffset. When the NDP is\nplaced near the end of the NTB (large wNdpIndex), the DPE entries can\nextend past the skb data buffer even though the check passes.\ncdc_ncm_rx_fixup() then reads out-of-bounds memory when iterating\nthe DPE array.\n\nAdd ndpoffset to the nframes bounds check and use struct_size_t() to\nexpress the NDP-plus-DPE-array size more clearly.\n\nFixes: ff06ab13a4cc (\"net: cdc_ncm: splitting rx_fixup for code reuse\")\nSigned-off-by: Tobi Gaertner \u003ctob.gaertner@me.com\u003e\nLink: https://patch.msgid.link/20260314054640.2895026-2-tob.gaertner@me.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "d4a533ad249e9fbdc2d0633f2ddd60a5b3a9a4ca", "tree": "84faa86857cf52ab27790b3b8b89946faa590982", "parents": [ "66360460cab63c248ca5b1070a01c0c29133b960" ], "author": { "name": "Lorenzo Bianconi", "email": "lorenzo@kernel.org", "time": "Fri Mar 13 12:27:00 2026 +0100" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Mar 16 20:06:05 2026 -0700" }, "message": "net: airoha: Remove airoha_dev_stop() in airoha_remove()\n\nDo not run airoha_dev_stop routine explicitly in airoha_remove()\nsince ndo_stop() callback is already executed by unregister_netdev() in\n__dev_close_many routine if necessary and, doing so, we will end up causing\nan underflow in the qdma users atomic counters. Rely on networking subsystem\nto stop the device removing the airoha_eth module.\n\nFixes: 23020f0493270 (\"net: airoha: Introduce ethernet support for EN7581 SoC\")\nSigned-off-by: Lorenzo Bianconi \u003clorenzo@kernel.org\u003e\nReviewed-by: Simon Horman \u003chorms@kernel.org\u003e\nLink: https://patch.msgid.link/20260313-airoha-remove-ndo_stop-remove-net-v2-1-67542c3ceeca@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "66360460cab63c248ca5b1070a01c0c29133b960", "tree": "08169e51a45c9173644997d6b0e6fbbeb52ca775", "parents": [ "6d5e4538364b9ceb1ac2941a4deb86650afb3538" ], "author": { "name": "Jamal Hadi Salim", "email": "jhs@mojatatu.com", "time": "Sun Mar 15 11:54:22 2026 -0400" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Mar 16 19:40:32 2026 -0700" }, "message": "net/sched: teql: Fix double-free in teql_master_xmit\n\nWhenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should\nbe called using the seq_lock to avoid racing with the datapath. Failure\nto do so may cause crashes like the following:\n\n[ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)\n[ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318\n[ 238.029749][ T318]\n[ 238.029900][ T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)\n[ 238.029906][ T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[ 238.029910][ T318] Call Trace:\n[ 238.029913][ T318] \u003cTASK\u003e\n[ 238.029916][ T318] dump_stack_lvl (lib/dump_stack.c:122)\n[ 238.029928][ T318] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n[ 238.029940][ T318] ? skb_release_data (net/core/skbuff.c:1139)\n[ 238.029944][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n...\n[ 238.029957][ T318] ? skb_release_data (net/core/skbuff.c:1139)\n[ 238.029969][ T318] kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563)\n[ 238.029979][ T318] ? skb_release_data (net/core/skbuff.c:1139)\n[ 238.029989][ T318] check_slab_allocation (mm/kasan/common.c:231)\n[ 238.029995][ T318] kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1))\n[ 238.030004][ T318] skb_release_data (net/core/skbuff.c:1139)\n...\n[ 238.030025][ T318] sk_skb_reason_drop (net/core/skbuff.c:1256)\n[ 238.030032][ T318] pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827)\n[ 238.030039][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n...\n[ 238.030054][ T318] qdisc_reset (net/sched/sch_generic.c:1034)\n[ 238.030062][ T318] teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157)\n[ 238.030071][ T318] __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077)\n[ 238.030077][ T318] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)\n[ 238.030089][ T318] ? __pfx_qdisc_graft (net/sched/sch_api.c:1091)\n[ 238.030095][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 238.030102][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 238.030106][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 238.030114][ T318] tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)\n...\n[ 238.072958][ T318] Allocated by task 303 on cpu 5 at 238.026275s:\n[ 238.073392][ T318] kasan_save_stack (mm/kasan/common.c:58)\n[ 238.073884][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))\n[ 238.074230][ T318] __kasan_slab_alloc (mm/kasan/common.c:369)\n[ 238.074578][ T318] kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921)\n[ 238.076091][ T318] kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107))\n[ 238.076450][ T318] __alloc_skb (net/core/skbuff.c:713)\n[ 238.076834][ T318] alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763)\n[ 238.077178][ T318] sock_alloc_send_pskb (net/core/sock.c:2997)\n[ 238.077520][ T318] packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108)\n[ 238.081469][ T318]\n[ 238.081870][ T318] Freed by task 299 on cpu 1 at 238.028496s:\n[ 238.082761][ T318] kasan_save_stack (mm/kasan/common.c:58)\n[ 238.083481][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))\n[ 238.085348][ T318] kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1))\n[ 238.085900][ T318] __kasan_slab_free (mm/kasan/common.c:287)\n[ 238.086439][ T318] kmem_cache_free (mm/slub.c:6168 (discriminator 3) mm/slub.c:6298 (discriminator 3))\n[ 238.087007][ T318] skb_release_data (net/core/skbuff.c:1139)\n[ 238.087491][ T318] consume_skb (net/core/skbuff.c:1451)\n[ 238.087757][ T318] teql_master_xmit (net/sched/sch_teql.c:358)\n[ 238.088116][ T318] dev_hard_start_xmit (./include/linux/netdevice.h:5324 ./include/linux/netdevice.h:5333 net/core/dev.c:3871 net/core/dev.c:3887)\n[ 238.088468][ T318] sch_direct_xmit (net/sched/sch_generic.c:347)\n[ 238.088820][ T318] __qdisc_run (net/sched/sch_generic.c:420 (discriminator 1))\n[ 238.089166][ T318] __dev_queue_xmit (./include/net/sch_generic.h:229 ./include/net/pkt_sched.h:121 ./include/net/pkt_sched.h:117 net/core/dev.c:4196 net/core/dev.c:4802)\n\nWorkflow to reproduce:\n1. Initialize a TEQL topology (dummy0 and ifb0 as slaves, teql0 up).\n2. Start multiple sender workers continuously transmitting packets\n through teql0 to drive teql_master_xmit().\n3. In parallel, repeatedly delete and re-add the root qdisc on\n dummy0 and ifb0 via RTNETLINK, forcing frequent teardown and reset activity\n (teql_destroy() / qdisc_reset()).\n4. After running both workloads concurrently for several iterations,\n KASAN reports slab-use-after-free or double-free in the skb free path.\n\nFix this by moving dev_reset_queue to sch_generic.h and calling it, instead\nof qdisc_reset, in teql_destroy since it handles both the lock and lockless\ncases correctly for root qdiscs.\n\nFixes: 96009c7d500e (\"sched: replace __QDISC_STATE_RUNNING bit with a spin lock\")\nReported-by: Xianrui Dong \u003ckeenanat2000@gmail.com\u003e\nTested-by: Xianrui Dong \u003ckeenanat2000@gmail.com\u003e\nCo-developed-by: Victor Nogueira \u003cvictor@mojatatu.com\u003e\nSigned-off-by: Victor Nogueira \u003cvictor@mojatatu.com\u003e\nSigned-off-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nLink: https://patch.msgid.link/20260315155422.147256-1-jhs@mojatatu.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "6d5e4538364b9ceb1ac2941a4deb86650afb3538", "tree": "9ad8c7568071cb7c9396eb33e48897a1c28fbac0", "parents": [ "b7405dcf7385445e10821777143f18c3ce20fa04" ], "author": { "name": "Jiayuan Chen", "email": "jiayuan.chen@shopee.com", "time": "Thu Mar 12 17:29:07 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Mar 16 19:31:28 2026 -0700" }, "message": "net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()\n\nSyzkaller reported a panic in smc_tcp_syn_recv_sock() [1].\n\nsmc_tcp_syn_recv_sock() is called in the TCP receive path\n(softirq) via icsk_af_ops-\u003esyn_recv_sock on the clcsock (TCP\nlistening socket). It reads sk_user_data to get the smc_sock\npointer. However, when the SMC listen socket is being closed\nconcurrently, smc_close_active() sets clcsock-\u003esk_user_data\nto NULL under sk_callback_lock, and then the smc_sock itself\ncan be freed via sock_put() in smc_release().\n\nThis leads to two issues:\n\n1) NULL pointer dereference: sk_user_data is NULL when\n accessed.\n2) Use-after-free: sk_user_data is read as non-NULL, but the\n smc_sock is freed before its fields (e.g., queued_smc_hs,\n ori_af_ops) are accessed.\n\nThe race window looks like this (the syzkaller crash [1]\ntriggers via the SYN cookie path: tcp_get_cookie_sock() -\u003e\nsmc_tcp_syn_recv_sock(), but the normal tcp_check_req() path\nhas the same race):\n\n CPU A (softirq) CPU B (process ctx)\n\n tcp_v4_rcv()\n TCP_NEW_SYN_RECV:\n sk \u003d req-\u003ersk_listener\n sock_hold(sk)\n /* No lock on listener */\n smc_close_active():\n write_lock_bh(cb_lock)\n sk_user_data \u003d NULL\n write_unlock_bh(cb_lock)\n ...\n smc_clcsock_release()\n sock_put(smc-\u003esk) x2\n -\u003e smc_sock freed!\n tcp_check_req()\n smc_tcp_syn_recv_sock():\n smc \u003d user_data(sk)\n -\u003e NULL or dangling\n smc-\u003equeued_smc_hs\n -\u003e crash!\n\nNote that the clcsock and smc_sock are two independent objects\nwith separate refcounts. TCP stack holds a reference on the\nclcsock, which keeps it alive, but this does NOT prevent the\nsmc_sock from being freed.\n\nFix this by using RCU and refcount_inc_not_zero() to safely\naccess smc_sock. Since smc_tcp_syn_recv_sock() is called in\nthe TCP three-way handshake path, taking read_lock_bh on\nsk_callback_lock is too heavy and would not survive a SYN\nflood attack. Using rcu_read_lock() is much more lightweight.\n\n- Set SOCK_RCU_FREE on the SMC listen socket so that\n smc_sock freeing is deferred until after the RCU grace\n period. This guarantees the memory is still valid when\n accessed inside rcu_read_lock().\n- Use rcu_read_lock() to protect reading sk_user_data.\n- Use refcount_inc_not_zero(\u0026smc-\u003esk.sk_refcnt) to pin the\n smc_sock. If the refcount has already reached zero (close\n path completed), it returns false and we bail out safely.\n\nNote: smc_hs_congested() has a similar lockless read of\nsk_user_data without rcu_read_lock(), but it only checks for\nNULL and accesses the global smc_hs_wq, never dereferencing\nany smc_sock field, so it is not affected.\n\nReproducer was verified with mdelay injection and smc_run,\nthe issue no longer occurs with this patch applied.\n\n[1] https://syzkaller.appspot.com/bug?extid\u003d827ae2bfb3a3529333e9\n\nFixes: 8270d9c21041 (\"net/smc: Limit backlog connections\")\nReported-by: syzbot+827ae2bfb3a3529333e9@syzkaller.appspotmail.com\nCloses: https://lore.kernel.org/all/67eaf9b8.050a0220.3c3d88.004a.GAE@google.com/T/\nSuggested-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReviewed-by: Eric Dumazet \u003cedumazet@google.com\u003e\nSigned-off-by: Jiayuan Chen \u003cjiayuan.chen@shopee.com\u003e\nLink: https://patch.msgid.link/20260312092909.48325-1-jiayuan.chen@linux.dev\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "b7405dcf7385445e10821777143f18c3ce20fa04", "tree": "3eb6579409018c3cd699b6c521201a4e6dfb5d7d", "parents": [ "43d222fbcdff9a715dbe63a0c9e5902f1c9ddd10" ], "author": { "name": "Eric Dumazet", "email": "edumazet@google.com", "time": "Sun Mar 15 10:41:52 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Mar 16 19:29:45 2026 -0700" }, "message": "bonding: prevent potential infinite loop in bond_header_parse()\n\nbond_header_parse() can loop if a stack of two bonding devices is setup,\nbecause skb-\u003edev always points to the hierarchy top.\n\nAdd new \"const struct net_device *dev\" parameter to\n(struct header_ops)-\u003eparse() method to make sure the recursion\nis bounded, and that the final leaf parse method is called.\n\nFixes: 950803f72547 (\"bonding: fix type confusion in bond_setup_by_slave()\")\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReviewed-by: Jiayuan Chen \u003cjiayuan.chen@shopee.com\u003e\nTested-by: Jiayuan Chen \u003cjiayuan.chen@shopee.com\u003e\nCc: Jay Vosburgh \u003cjv@jvosburgh.net\u003e\nCc: Andrew Lunn \u003candrew+netdev@lunn.ch\u003e\nLink: https://patch.msgid.link/20260315104152.1436867-1-edumazet@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "5133b61aaf437e5f25b1b396b14242a6bb0508e2", "tree": "b0bd92bd8e36074c49202033d181a2ce8e0dcd40", "parents": [ "17ad31b3a43b72aec3a3d83605891e1397d0d065" ], "author": { "name": "Jeff Layton", "email": "jlayton@kernel.org", "time": "Tue Feb 24 11:33:35 2026 -0500" }, "committer": { "name": "Chuck Lever", "email": "chuck.lever@oracle.com", "time": "Mon Mar 16 16:58:01 2026 -0400" }, "message": "nfsd: fix heap overflow in NFSv4.0 LOCK replay cache\n\nThe NFSv4.0 replay cache uses a fixed 112-byte inline buffer\n(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.\nThis size was calculated based on OPEN responses and does not account\nfor LOCK denied responses, which include the conflicting lock owner as\na variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).\n\nWhen a LOCK operation is denied due to a conflict with an existing lock\nthat has a large owner, nfsd4_encode_operation() copies the full encoded\nresponse into the undersized replay buffer via read_bytes_from_xdr_buf()\nwith no bounds check. This results in a slab-out-of-bounds write of up\nto 944 bytes past the end of the buffer, corrupting adjacent heap memory.\n\nThis can be triggered remotely by an unauthenticated attacker with two\ncooperating NFSv4.0 clients: one sets a lock with a large owner string,\nthen the other requests a conflicting lock to provoke the denial.\n\nWe could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full\nopaque, but that would increase the size of every stateowner, when most\nlockowners are not that large.\n\nInstead, fix this by checking the encoded response length against\nNFSD4_REPLAY_ISIZE before copying into the replay buffer. If the\nresponse is too large, set rp_buflen to 0 to skip caching the replay\npayload. The status is still cached, and the client already received the\ncorrect response on the original request.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nCc: stable@kernel.org\nReported-by: Nicholas Carlini \u003cnpc@anthropic.com\u003e\nTested-by: Nicholas Carlini \u003cnpc@anthropic.com\u003e\nSigned-off-by: Jeff Layton \u003cjlayton@kernel.org\u003e\nSigned-off-by: Chuck Lever \u003cchuck.lever@oracle.com\u003e\n" }, { "commit": "29ab768277617452d88c0607c9299cdc63b6e9ff", "tree": "9ec7d050a7434642d2cf5c986dac1280907cb3a0", "parents": [ "f338e77383789c0cae23ca3d48adcc5e9e137e3c" ], "author": { "name": "Bart Van Assche", "email": "bvanassche@acm.org", "time": "Thu Mar 12 11:27:20 2026 -0700" }, "committer": { "name": "Rafael J. Wysocki", "email": "rafael.j.wysocki@intel.com", "time": "Mon Mar 16 20:33:09 2026 +0100" }, "message": "PM: runtime: Fix a race condition related to device removal\n\nThe following code in pm_runtime_work() may dereference the dev-\u003eparent\npointer after the parent device has been freed:\n\n\t/* Maybe the parent is now able to suspend. */\n\tif (parent \u0026\u0026 !parent-\u003epower.ignore_children) {\n\t\tspin_unlock(\u0026dev-\u003epower.lock);\n\n\t\tspin_lock(\u0026parent-\u003epower.lock);\n\t\trpm_idle(parent, RPM_ASYNC);\n\t\tspin_unlock(\u0026parent-\u003epower.lock);\n\n\t\tspin_lock(\u0026dev-\u003epower.lock);\n\t}\n\nFix this by inserting a flush_work() call in pm_runtime_remove().\n\nWithout this patch blktest block/001 triggers the following complaint\nsporadically:\n\nBUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160\nRead of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081\nWorkqueue: pm pm_runtime_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x61/0x80\n print_address_description.constprop.0+0x8b/0x310\n print_report+0xfd/0x1d7\n kasan_report+0xd8/0x1d0\n __kasan_check_byte+0x42/0x60\n lock_acquire.part.0+0x38/0x230\n lock_acquire+0x70/0x160\n _raw_spin_lock+0x36/0x50\n rpm_suspend+0xc6a/0xfe0\n rpm_idle+0x578/0x770\n pm_runtime_work+0xee/0x120\n process_one_work+0xde3/0x1410\n worker_thread+0x5eb/0xfe0\n kthread+0x37b/0x480\n ret_from_fork+0x6cb/0x920\n ret_from_fork_asm+0x11/0x20\n \u003c/TASK\u003e\n\nAllocated by task 4314:\n kasan_save_stack+0x2a/0x50\n kasan_save_track+0x18/0x40\n kasan_save_alloc_info+0x3d/0x50\n __kasan_kmalloc+0xa0/0xb0\n __kmalloc_noprof+0x311/0x990\n scsi_alloc_target+0x122/0xb60 [scsi_mod]\n __scsi_scan_target+0x101/0x460 [scsi_mod]\n scsi_scan_channel+0x179/0x1c0 [scsi_mod]\n scsi_scan_host_selected+0x259/0x2d0 [scsi_mod]\n store_scan+0x2d2/0x390 [scsi_mod]\n dev_attr_store+0x43/0x80\n sysfs_kf_write+0xde/0x140\n kernfs_fop_write_iter+0x3ef/0x670\n vfs_write+0x506/0x1470\n ksys_write+0xfd/0x230\n __x64_sys_write+0x76/0xc0\n x64_sys_call+0x213/0x1810\n do_syscall_64+0xee/0xfc0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nFreed by task 4314:\n kasan_save_stack+0x2a/0x50\n kasan_save_track+0x18/0x40\n kasan_save_free_info+0x3f/0x50\n __kasan_slab_free+0x67/0x80\n kfree+0x225/0x6c0\n scsi_target_dev_release+0x3d/0x60 [scsi_mod]\n device_release+0xa3/0x220\n kobject_cleanup+0x105/0x3a0\n kobject_put+0x72/0xd0\n put_device+0x17/0x20\n scsi_device_dev_release+0xacf/0x12c0 [scsi_mod]\n device_release+0xa3/0x220\n kobject_cleanup+0x105/0x3a0\n kobject_put+0x72/0xd0\n put_device+0x17/0x20\n scsi_device_put+0x7f/0xc0 [scsi_mod]\n sdev_store_delete+0xa5/0x120 [scsi_mod]\n dev_attr_store+0x43/0x80\n sysfs_kf_write+0xde/0x140\n kernfs_fop_write_iter+0x3ef/0x670\n vfs_write+0x506/0x1470\n ksys_write+0xfd/0x230\n __x64_sys_write+0x76/0xc0\n x64_sys_call+0x213/0x1810\n\nReported-by: Ming Lei \u003cming.lei@redhat.com\u003e\nCloses: https://lore.kernel.org/all/ZxdNvLNI8QaOfD2d@fedora/\nReported-by: syzbot+6c905ab800f20cf4086c@syzkaller.appspotmail.com\nCloses: https://lore.kernel.org/all/68c13942.050a0220.2ff435.000b.GAE@google.com/\nFixes: 5e928f77a09a (\"PM: Introduce core framework for run-time PM of I/O devices (rev. 17)\")\nSigned-off-by: Bart Van Assche \u003cbvanassche@acm.org\u003e\nLink: https://patch.msgid.link/20260312182720.2776083-1-bvanassche@acm.org\nSigned-off-by: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\n" }, { "commit": "f4c31b07b136839e0fb3026f8a5b6543e3b14d2f", "tree": "14b9bbb9313a64e71964ad6a647cdba988daaae5", "parents": [ "f338e77383789c0cae23ca3d48adcc5e9e137e3c" ], "author": { "name": "Rafael J. Wysocki", "email": "rafael.j.wysocki@intel.com", "time": "Fri Mar 13 13:25:41 2026 +0100" }, "committer": { "name": "Rafael J. Wysocki", "email": "rafael.j.wysocki@intel.com", "time": "Mon Mar 16 20:29:47 2026 +0100" }, "message": "sched: idle: Consolidate the handling of two special cases\n\nThere are two special cases in the idle loop that are handled\ninconsistently even though they are analogous.\n\nThe first one is when a cpuidle driver is absent and the default CPU\nidle time power management implemented by the architecture code is used.\nIn that case, the scheduler tick is stopped every time before invoking\ndefault_idle_call().\n\nThe second one is when a cpuidle driver is present, but there is only\none idle state in its table. In that case, the scheduler tick is never\nstopped at all.\n\nSince each of these approaches has its drawbacks, reconcile them with\nthe help of one simple heuristic. Namely, stop the tick if the CPU has\nbeen woken up by it in the previous iteration of the idle loop, or let\nit tick otherwise.\n\nSigned-off-by: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\nReviewed-by: Christian Loehle \u003cchristian.loehle@arm.com\u003e\nReviewed-by: Frederic Weisbecker \u003cfrederic@kernel.org\u003e\nReviewed-by: Qais Yousef \u003cqyousef@layalina.io\u003e\nReviewed-by: Aboorva Devarajan \u003caboorvad@linux.ibm.com\u003e\nFixes: ed98c3491998 (\"sched: idle: Do not stop the tick before cpuidle_idle_call()\")\n[ rjw: Added Fixes tag, changelog edits ]\nLink: https://patch.msgid.link/4741364.LvFx2qVVIh@rafael.j.wysocki\nSigned-off-by: Rafael J. Wysocki \u003crafael.j.wysocki@intel.com\u003e\n" }, { "commit": "8a91ebb337fa68e01339a8c1c411a38d66eac80e", "tree": "730e172117d8e38c109ca01ef42f657fee1b0401", "parents": [ "2d1373e4246da3b58e1df058374ed6b101804e07", "182b9b3d8d1d36500f58e4f3dc82b144d6487bdf" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Mar 16 12:21:00 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Mar 16 12:21:00 2026 -0700" }, "message": "Merge tag \u0027mm-hotfixes-stable-2026-03-16-12-15\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm\n\nPull misc fixes from Andrew Morton:\n \"6 hotfixes. 4 are cc:stable. 3 are for MM.\n\n All are singletons - please see the changelogs for details\"\n\n* tag \u0027mm-hotfixes-stable-2026-03-16-12-15\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:\n MAINTAINERS: update email address for Ignat Korchagin\n mm/huge_memory: fix early failure try_to_migrate() when split huge pmd for shared THP\n mm/rmap: fix incorrect pte restoration for lazyfree folios\n mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd()\n build_bug.h: correct function parameters names in kernel-doc\n crash_dump: don\u0027t log dm-crypt key bytes in read_key_from_user_keying\n" }, { "commit": "2d1373e4246da3b58e1df058374ed6b101804e07", "tree": "e92a024951e516e12c233bed382fce1f88034c2a", "parents": [ "f338e77383789c0cae23ca3d48adcc5e9e137e3c", "fc1cd1f18c34f91e78362f9629ab9fd43b9dcab9" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Mar 16 08:53:06 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Mar 16 08:53:06 2026 -0700" }, "message": "Merge tag \u0027for-7.0-rc4-tag\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux\n\nPull btrfs fixes from David Sterba:\n\n - fix logging of new dentries when logging parent directory and there\n are conflicting inodes (e.g. deleted directory)\n\n - avoid taking big device lock for zone setup, this is not necessary\n during mount\n\n - tune message verbosity when auto-reclaiming zones when low on space\n\n - fix slightly misleading message of root item check\n\n* tag \u0027for-7.0-rc4-tag\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:\n btrfs: tree-checker: fix misleading root drop_level error message\n btrfs: log new dentries when logging parent dir of a conflicting inode\n btrfs: don\u0027t take device_list_mutex when querying zone info\n btrfs: pass \u0027verbose\u0027 parameter to btrfs_relocate_block_group\n" }, { "commit": "f7a4c78bfeb320299c1b641500fe7761eadbd101", "tree": "0f25b3ef4b247763e17f1b4f2fc25c044d1c5444", "parents": [ "2b658c1c442ec1cd9eec5ead98d68662c40fe645" ], "author": { "name": "Lee Jones", "email": "lee@kernel.org", "time": "Fri Feb 27 10:09:38 2026 +0000" }, "committer": { "name": "Benjamin Tissoires", "email": "bentiss@kernel.org", "time": "Mon Mar 16 16:21:48 2026 +0100" }, "message": "HID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure\n\nPresently, if the force feedback initialisation fails when probing the\nLogitech G920 Driving Force Racing Wheel for Xbox One, an error number\nwill be returned and propagated before the userspace infrastructure\n(sysfs and /dev/input) has been torn down. If userspace ignores the\nerrors and continues to use its references to these dangling entities, a\nUAF will promptly follow.\n\nWe have 2 options; continue to return the error, but ensure that all of\nthe infrastructure is torn down accordingly or continue to treat this\ncondition as a warning by emitting the message but returning success.\nIt is thought that the original author\u0027s intention was to emit the\nwarning but keep the device functional, less the force feedback feature,\nso let\u0027s go with that.\n\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\nReviewed-by: Günther Noack \u003cgnoack@google.com\u003e\nSigned-off-by: Benjamin Tissoires \u003cbentiss@kernel.org\u003e\n" }, { "commit": "2b658c1c442ec1cd9eec5ead98d68662c40fe645", "tree": "127b0f24350f5b370ad30a2ddae4a55eb303fdee", "parents": [ "5d4c6c132ea9a967d48890dd03e6a786c060e968" ], "author": { "name": "Benjamin Tissoires", "email": "bentiss@kernel.org", "time": "Fri Mar 13 08:40:25 2026 +0100" }, "committer": { "name": "Benjamin Tissoires", "email": "bentiss@kernel.org", "time": "Mon Mar 16 16:21:06 2026 +0100" }, "message": "HID: bpf: prevent buffer overflow in hid_hw_request\n\nright now the returned value is considered to be always valid. However,\nwhen playing with HID-BPF, the return value can be arbitrary big,\nbecause it\u0027s the return value of dispatch_hid_bpf_raw_requests(), which\ncalls the struct_ops and we have no guarantees that the value makes\nsense.\n\nFixes: 8bd0488b5ea5 (\"HID: bpf: add HID-BPF hooks for hid_hw_raw_requests\")\nCc: stable@vger.kernel.org\nAcked-by: Jiri Kosina \u003cjkosina@suse.com\u003e\nSigned-off-by: Benjamin Tissoires \u003cbentiss@kernel.org\u003e\n" }, { "commit": "5d4c6c132ea9a967d48890dd03e6a786c060e968", "tree": "da2b51f5ef27b467489570a00820f7ae44344af0", "parents": [ "0a3fe972a7cb1404f693d6f1711f32bc1d244b1c" ], "author": { "name": "Benjamin Tissoires", "email": "bentiss@kernel.org", "time": "Fri Mar 13 08:40:24 2026 +0100" }, "committer": { "name": "Benjamin Tissoires", "email": "bentiss@kernel.org", "time": "Mon Mar 16 16:21:06 2026 +0100" }, "message": "selftests/hid: fix compilation when bpf_wq and hid_device are not exported\n\nThis can happen in situations when CONFIG_HID_SUPPORT is set to no, or\nsome complex situations where struct bpf_wq is not exported.\n\nSo do the usual dance of hiding them before including vmlinux.h, and\nthen redefining them and make use of CO-RE to have the correct offsets.\n\nReported-by: kernel test robot \u003clkp@intel.com\u003e\nCloses: https://lore.kernel.org/oe-kbuild-all/202603111558.KLCIxsZB-lkp@intel.com/\nFixes: fe8d561db3e8 (\"selftests/hid: add wq test for hid_bpf_input_report()\")\nCc: stable@vger.kernel.org\nAcked-by: Jiri Kosina \u003cjkosina@suse.com\u003e\nReviewed-by: Thomas Weißschuh \u003cthomas.weissschuh@linutronix.de\u003e\nSigned-off-by: Benjamin Tissoires \u003cbentiss@kernel.org\u003e\n" }, { "commit": "0a3fe972a7cb1404f693d6f1711f32bc1d244b1c", "tree": "75618fe0ca043efaf4f1984d913e4bed2d7732a6", "parents": [ "4bc7bc457922742d38915458e630195e761c1efd" ], "author": { "name": "Lee Jones", "email": "lee@kernel.org", "time": "Mon Mar 09 14:59:29 2026 +0000" }, "committer": { "name": "Benjamin Tissoires", "email": "bentiss@kernel.org", "time": "Mon Mar 16 16:21:06 2026 +0100" }, "message": "HID: core: Mitigate potential OOB by removing bogus memset()\n\nThe memset() in hid_report_raw_event() has the good intention of\nclearing out bogus data by zeroing the area from the end of the incoming\ndata string to the assumed end of the buffer. However, as we have\npreviously seen, doing so can easily result in OOB reads and writes in\nthe subsequent thread of execution.\n\nThe current suggestion from one of the HID maintainers is to remove the\nmemset() and simply return if the incoming event buffer size is not\nlarge enough to fill the associated report.\n\nSuggested-by Benjamin Tissoires \u003cbentiss@kernel.org\u003e\n\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n[bentiss: changed the return value]\nSigned-off-by: Benjamin Tissoires \u003cbentiss@kernel.org\u003e\n" }, { "commit": "4bc7bc457922742d38915458e630195e761c1efd", "tree": "aec6d60e1ae9597f0d5c6fe01f7dda5f935371a0", "parents": [ "1965445e13c09b79932ca8154977b4408cb9610c" ], "author": { "name": "Daniel Schaefer", "email": "git@danielschaefer.me", "time": "Fri Mar 13 21:39:25 2026 +0800" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.com", "time": "Mon Mar 16 11:25:07 2026 +0100" }, "message": "HID: intel-thc-hid: Set HID_PHYS with PCI BDF\n\nCurrently HID_PHYS is empty, which means userspace tools (e.g. fwupd)\nthat depend on it for distinguishing the devices, are unable to do so.\nOther drivers like i2c-hid, usbhid, surface-hid, all populate it.\n\nWith this change it\u0027s set to, for example: HID_PHYS\u003d0000:00:10.0\n\nEach function has just a single HID device, as far as I can tell, so\nthere is no need to add a suffix.\n\nTested with fwupd 2.1.1, can avoid https://github.com/fwupd/fwupd/pull/9995\n\nCc: Even Xu \u003ceven.xu@intel.com\u003e\nCc: Xinpeng Sun \u003cxinpeng.sun@intel.com\u003e\nCc: Jiri Kosina \u003cjikos@kernel.org\u003e\nCc: Benjamin Tissoires \u003cbentiss@kernel.org\u003e\nCc: Sakari Ailus \u003csakari.ailus@linux.intel.com\u003e\nSigned-off-by: Daniel Schaefer \u003cgit@danielschaefer.me\u003e\nReviewed-by: Even Xu \u003ceven.xu@intel.com\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.com\u003e\n" }, { "commit": "c252c12d1f55bd5737e3b8e7839914ccdc7a701c", "tree": "0a90a565265b7204536b0f6d0274b3896dfef311", "parents": [ "b254c629a963f0b9d635902f3f979bddbc65f90f" ], "author": { "name": "Bibo Mao", "email": "maobibo@loongson.cn", "time": "Mon Mar 16 10:36:02 2026 +0800" }, "committer": { "name": "Huacai Chen", "email": "chenhuacai@loongson.cn", "time": "Mon Mar 16 10:36:02 2026 +0800" }, "message": "LoongArch: KVM: Fix typo issue in kvm_vm_init_features()\n\nMost of VM feature detections are integer OR operations, and integer\nassignment operation will clear previous integer OR operation. So here\nchange all integer assignment operations to integer OR operations.\n\nFixes: 82db90bf461b (\"LoongArch: KVM: Move feature detection in kvm_vm_init_features()\")\nSigned-off-by: Bibo Mao \u003cmaobibo@loongson.cn\u003e\nSigned-off-by: Huacai Chen \u003cchenhuacai@loongson.cn\u003e\n" }, { "commit": "b254c629a963f0b9d635902f3f979bddbc65f90f", "tree": "cb3ead64fdd0b95e318d0cfa225a186396e9d396", "parents": [ "d3b8491961207ac967795c34375890407fd51a45" ], "author": { "name": "Tiezhu Yang", "email": "yangtiezhu@loongson.cn", "time": "Mon Mar 16 10:36:01 2026 +0800" }, "committer": { "name": "Huacai Chen", "email": "chenhuacai@loongson.cn", "time": "Mon Mar 16 10:36:01 2026 +0800" }, "message": "LoongArch: BPF: Make arch_protect_bpf_trampoline() return 0\n\nOccasionally there exist \"text_copy_cb: operation failed\" when executing\nthe bpf selftests, the reason is copy_to_kernel_nofault() failed and the\necode of ESTAT register is 0x4 (PME: Page Modification Exception) due to\nthe pte is not writeable. The root cause is that there is another place\nto set the pte entry as readonly which is in the generic weak version of\narch_protect_bpf_trampoline().\n\nThere are two ways to fix this race condition issue: the direct way is\nto modify the generic weak arch_protect_bpf_trampoline() to add a mutex\nlock for set_memory_rox(), but the other simple and proper way is to\njust make arch_protect_bpf_trampoline() return 0 in the arch-specific\ncode because LoongArch has already use the BPF prog pack allocator for\ntrampoline.\n\nHere are the trimmed kernel log messages:\n\n copy_to_kernel_nofault: memory access failed, ecode 0x4\n copy_to_kernel_nofault: the caller is text_copy_cb+0x50/0xa0\n text_copy_cb: operation failed\n ------------[ cut here ]------------\n bpf_prog_pack bug: missing bpf_arch_text_invalidate?\n WARNING: kernel/bpf/core.c:1008 at bpf_prog_pack_free+0x200/0x228\n ...\n Call Trace:\n [\u003c9000000000248914\u003e] show_stack+0x64/0x188\n [\u003c9000000000241308\u003e] dump_stack_lvl+0x6c/0x9c\n [\u003c90000000002705bc\u003e] __warn+0x9c/0x200\n [\u003c9000000001c428c0\u003e] __report_bug+0xa8/0x1c0\n [\u003c9000000001c42b5c\u003e] report_bug+0x64/0x120\n [\u003c9000000001c7dcd0\u003e] do_bp+0x270/0x3c0\n [\u003c9000000000246f40\u003e] handle_bp+0x120/0x1c0\n [\u003c900000000047b030\u003e] bpf_prog_pack_free+0x200/0x228\n [\u003c900000000047b2ec\u003e] bpf_jit_binary_pack_free+0x24/0x60\n [\u003c900000000026989c\u003e] bpf_jit_free+0x54/0xb0\n [\u003c900000000029e10c\u003e] process_one_work+0x184/0x610\n [\u003c900000000029ef8c\u003e] worker_thread+0x24c/0x388\n [\u003c90000000002a902c\u003e] kthread+0x13c/0x170\n [\u003c9000000001c7dfe8\u003e] ret_from_kernel_thread+0x28/0x1c0\n [\u003c9000000000246624\u003e] ret_from_kernel_thread_asm+0xc/0x88\n\n ---[ end trace 0000000000000000 ]---\n\nHere is a simple shell script to reproduce:\n\n #!/bin/bash\n\n for ((i\u003d1; i\u003c\u003d1000; i++))\n do\n echo \"Under testing $i ...\"\n dmesg -c \u003e /dev/null\n ./test_progs -t fentry_attach_stress \u003e /dev/null\n dmesg -t | grep \"text_copy_cb: operation failed\"\n if [ $? -eq 0 ]; then\n break\n fi\n done\n\nCc: stable@vger.kernel.org\nFixes: 4ab17e762b34 (\"LoongArch: BPF: Use BPF prog pack allocator\")\nAcked-by: Hengqi Chen \u003chengqi.chen@gmail.com\u003e\nSigned-off-by: Tiezhu Yang \u003cyangtiezhu@loongson.cn\u003e\nSigned-off-by: Huacai Chen \u003cchenhuacai@loongson.cn\u003e\n" } ], "next": "d3b8491961207ac967795c34375890407fd51a45" }