)]}' { "log": [ { "commit": "05f5368cf3e9922c2459d5f08b90b5b0e4b8d289", "tree": "fcd8d546529f5b011c237b09bcaff2628cb5f984", "parents": [ "f9cd6fabe0e7c7f6fc30c6c192c7ed72aba37232", "38b7a274cf84af9b1f4b602b8e2741565b81947b" ], "author": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Sat Jun 13 11:50:31 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Sat Jun 13 11:51:52 2026 +0200" }, "message": "Merge branch \u0027200GbE\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue\n\nTony Nguyen says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nIntel Wired LAN Driver Updates 2026-06-09 (idpf, ixgbe, igc)\n\nPrzemyslaw adds needed padding to idpf PTP structures to match firmware\nexpectations.\n\nLarysa bypasses XPS configuration on XDP queues for ixgbe.\n\nKhai Wen corrects offset into packet buffer when handling for frame\npreemption on igc.\n\n* \u0027200GbE\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:\n igc: skip RX timestamp header for frame preemption verification\n ixgbe: do not configure xps for XDP queues\n idpf: add padding to PTP virtchnl structures\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "f9cd6fabe0e7c7f6fc30c6c192c7ed72aba37232", "tree": "d1196431bb9cc064c6d9aa65c7c9674fc14b667d", "parents": [ "20054869770c7df060c5ecee3e8bbf9029c47191" ], "author": { "name": "Ratheesh Kannoth", "email": "rkannoth@marvell.com", "time": "Wed Jun 10 07:53:44 2026 +0530" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Sat Jun 13 10:48:13 2026 +0200" }, "message": "octeontx2-af: npc: Fix size of entry2cntr_map\n\nKASAN prints below splat. This is caused by allocating counter for\nreserved mcam entry for cpt 2nd pass entry. But mcam-\u003eentry2cntr_map\nis not allocated for reserved entries.\n\nBUG: KASAN: slab-out-of-bounds in npc_map_mcam_entry_and_cntr+0xb0/0x1a0\nWrite of size 2 at addr ffff0001033e7ffe by task kworker/0:1/14\n\nCPU: 0 PID: 14 Comm: kworker/0:1 Not tainted 6.1.67 #1\nHardware name: Marvell CN106XX board (DT)\nWorkqueue: events work_for_cpu_fn\nCall trace:\n dump_backtrace.part.0+0xe4/0xf0\n show_stack+0x18/0x30\n dump_stack_lvl+0x88/0xb4\n print_report+0x154/0x458\n kasan_report+0xb8/0x194\n __asan_store2+0x7c/0xa0\n npc_map_mcam_entry_and_cntr+0xb0/0x1a0\n rvu_mbox_handler_npc_mcam_write_entry+0x268/0x280\n npc_install_flow+0x840/0xfe0\n rvu_npc_install_cpt_pass2_entry+0x138/0x190\n rvu_nix_init+0x148c/0x2880\n rvu_probe+0x1800/0x30b0\n local_pci_probe+0x78/0xe0\n work_for_cpu_fn+0x30/0x50\n process_one_work+0x4cc/0x97c\n worker_thread+0x360/0x630\n kthread+0x1a0/0x1b0\n ret_from_fork+0x10/0x20\n\nFixes: 55307fcb9258 (\"octeontx2-af: Add mbox messages to install and delete MCAM rules\")\nCc: Subbaraya Sundeep \u003csbhatta@marvell.com\u003e\nSigned-off-by: Ratheesh Kannoth \u003crkannoth@marvell.com\u003e\nLink: https://patch.msgid.link/20260610022344.969774-1-rkannoth@marvell.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "20054869770c7df060c5ecee3e8bbf9029c47191", "tree": "a0d94d705a0ee4cafebcf50670a80a02be10cbe6", "parents": [ "d7b0413b35715d7b32cb12d4d424613eff85ed2b" ], "author": { "name": "Michael Bommarito", "email": "michael.bommarito@gmail.com", "time": "Thu Jun 11 08:54:55 2026 -0400" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 18:42:53 2026 -0700" }, "message": "net: qrtr: fix 32-bit integer overflow in qrtr_endpoint_post()\n\nqrtr_endpoint_post() validates an incoming packet with\n\n\tif (!size || len !\u003d ALIGN(size, 4) + hdrlen)\n\t\tgoto err;\n\nwhere size comes from the wire. On 32-bit, size_t is 32 bits and\nALIGN(size, 4) wraps to 0 for size \u003e\u003d 0xfffffffd, so the check\npasses and skb_put_data(skb, data + hdrlen, size) writes past the\nhdrlen-sized skb and oopses the kernel. 64-bit is unaffected.\n\nThis is the 32-bit residual of ad9d24c9429e2 (\"net: qrtr: fix OOB\nRead in qrtr_endpoint_post\"), which fixed only the 64-bit case.\n\nReject any size that cannot fit the buffer before the ALIGN.\n\nFixes: ad9d24c9429e2 (\"net: qrtr: fix OOB Read in qrtr_endpoint_post\")\nCc: stable@vger.kernel.org\nSigned-off-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nReviewed-by: Simon Horman \u003chorms@kernel.org\u003e\nLink: https://patch.msgid.link/20260611125455.2352279-1-michael.bommarito@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "d7b0413b35715d7b32cb12d4d424613eff85ed2b", "tree": "a952e8a2ccda671f5da8b20adb8654c8be01ef0e", "parents": [ "ee1ba0add3fbd5a28fa5423be373acd147f1e344" ], "author": { "name": "Dragos Tatulea", "email": "dtatulea@nvidia.com", "time": "Thu Jun 11 16:52:30 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 18:38:07 2026 -0700" }, "message": "net/mlx5: Check max_macs devlink param value against max capability\n\nThe max_macs devlink param is checked against the FW max value only at\nparam register time (driver load) and inside the validate callback\n(devlink param set). The stored DRIVERINIT value persists across FW\nresets and devlink reloads without any further checks against the max.\n\nIf the FW link type changes from Ethernet to IB and a FW reset happens,\nthe MAX cap for log_max_current_uc_list will become zero, but the\npreviously stored max_macs value remains and is unconditionally\nprogrammed into the HCA caps in handle_hca_cap(). FW will then return a\nsyndrome during SET_HCA_CAP:\n\n mlx5_cmd_out_err:839:(pid 3831): SET_HCA_CAP(0x109) op_mod(0x0) failed,\n status bad parameter(0x3), syndrome (0x537801), err(-22)\n set_hca_cap:907:(pid 3831): handle_hca_cap failed\n\nThis results in a failure to register the RDMA device.\n\nThis patch skips programming log_max_current_uc_list when the MAX\ncapability is 0 (in case of IB).\n\nFixes: 8680a60fc1fc (\"net/mlx5: Let user configure max_macs generic param\")\nSigned-off-by: Dragos Tatulea \u003cdtatulea@nvidia.com\u003e\nReviewed-by: Yael Chemla \u003cychemla@nvidia.com\u003e\nReviewed-by: Carolina Jubran \u003ccjubran@nvidia.com\u003e\nSigned-off-by: Tariq Toukan \u003ctariqt@nvidia.com\u003e\nReviewed-by: Alexander Lobakin \u003caleksander.lobakin@intel.com\u003e\nLink: https://patch.msgid.link/20260611135230.534513-1-tariqt@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "ee1ba0add3fbd5a28fa5423be373acd147f1e344", "tree": "252d1b4f18c3aa1edb07d5b6c432334e8911a6d7", "parents": [ "9192a18f6de2f5e3eb3813ecd2895ac0f5c008a9" ], "author": { "name": "Victor Nogueira", "email": "victor@mojatatu.com", "time": "Thu Jun 11 17:58:49 2026 -0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 17:59:32 2026 -0700" }, "message": "net/sched: sch_dualpi2: Add missing module alias\n\nWhen a qdisc is added by name, the kernel tries to autoload its module\nvia request_qdisc_module(), which calls:\n\nrequest_module(NET_SCH_ALIAS_PREFIX \"%s\", name);\n\ni.e. it asks modprobe to resolve the \"net-sch-\u003ckind\u003e\" alias (e.g.\n\"net-sch-dualpi2\") rather than the module\u0027s file name. Since dualpi2\nwas shipped without this alias, the autoload fails:\n\ntc qdisc add dev lo root handle 1: dualpi2\nError: Specified qdisc kind is unknown.\n\nFix this by adding the missing alias so the qdisc is autoloaded on demand\nlike the others.\n\nFixes: 320d031ad6e4 (\"sched: Struct definition and parsing of dualpi2 qdisc\")\nSigned-off-by: Victor Nogueira \u003cvictor@mojatatu.com\u003e\nReviewed-by: Pedro Tammela \u003cpctammela@mojatatu.com\u003e\nLink: https://patch.msgid.link/20260611205849.3287640-1-victor@mojatatu.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "9192a18f6de2f5e3eb3813ecd2895ac0f5c008a9", "tree": "1cbee9d508d26e1558a0765036f088018e5362da", "parents": [ "8eed5519e496b7a07f441a0f579cb228a33189f7" ], "author": { "name": "Zhi-Jun You", "email": "hujy652@gmail.com", "time": "Thu Jun 11 23:00:51 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 17:37:49 2026 -0700" }, "message": "net: ethernet: mtk_wed: fix loading WO firmware for MT7986\n\nMT7986 requires a different mask for second WO firmware.\nWithout this, WO would timeout after loading FW.\n\nThe correct mask was removed when adding WED for MT7988.\nAdd it back and add a WED version check to fix it.\n\nThis can be reproduced with a MT7986 + MT7916 board.\n\nFixes: e2f64db13aa1 (\"net: ethernet: mtk_wed: introduce WED support for MT7988\")\nSigned-off-by: Zhi-Jun You \u003chujy652@gmail.com\u003e\nLink: https://patch.msgid.link/20260611150051.586-1-hujy652@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "8eed5519e496b7a07f441a0f579cb228a33189f7", "tree": "588f97f0dc25427605c64cecde305f60123002e7", "parents": [ "56a0b00c5a04cb270f66e20d365526c9ac34a1fe" ], "author": { "name": "Eric Dumazet", "email": "edumazet@google.com", "time": "Thu Jun 11 15:27:37 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 17:34:57 2026 -0700" }, "message": "net: watchdog: fix refcount tracking races\n\nBlamed commit converted the untracked dev_hold()/dev_put() calls\nin the watchdog code to use the tracked dev_hold_track()/dev_put_track()\n(which were later renamed/interfaced to netdev_hold() and netdev_put()).\n\nBy introducing dev-\u003ewatchdog_dev_tracker to store the\nreference tracking information without adding synchronization\nbetween netdev_watchdog_up() and dev_watchdog(), it enabled the\nrace condition where this pointer could be overwritten or freed\nconcurrently, leading to the list corruption crash syzbot reported:\n\nlist_del corruption, ffff888114a18c00-\u003enext is NULL\n kernel BUG at lib/list_debug.c:52 !\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 1 UID: 0 PID: 91 Comm: kworker/u8:5 Not tainted syzkaller #0 PREEMPT(lazy)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026\nWorkqueue: events_unbound linkwatch_event\n RIP: 0010:__list_del_entry_valid_or_report.cold+0x22/0x2a lib/list_debug.c:52\nCall Trace:\n \u003cTASK\u003e\n __list_del_entry_valid include/linux/list.h:132 [inline]\n __list_del_entry include/linux/list.h:246 [inline]\n list_move_tail include/linux/list.h:341 [inline]\n ref_tracker_free+0x1a7/0x6c0 lib/ref_tracker.c:329\n netdev_tracker_free include/linux/netdevice.h:4491 [inline]\n netdev_put include/linux/netdevice.h:4508 [inline]\n netdev_put include/linux/netdevice.h:4504 [inline]\n netdev_watchdog_down net/sched/sch_generic.c:600 [inline]\n dev_deactivate_many+0x28c/0xfe0 net/sched/sch_generic.c:1363\n dev_deactivate+0x109/0x1d0 net/sched/sch_generic.c:1397\n linkwatch_do_dev net/core/link_watch.c:184 [inline]\n linkwatch_do_dev+0xd3/0x120 net/core/link_watch.c:166\n __linkwatch_run_queue+0x3a5/0x810 net/core/link_watch.c:240\n linkwatch_event+0x8f/0xc0 net/core/link_watch.c:314\n process_one_work+0xa0e/0x1980 kernel/workqueue.c:3314\n process_scheduled_works kernel/workqueue.c:3397 [inline]\n worker_thread+0x5ef/0xe50 kernel/workqueue.c:3478\n kthread+0x370/0x450 kernel/kthread.c:436\n ret_from_fork+0x69a/0xc80 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n\nThis patch has three coordinated parts:\n\n1) Add dev-\u003ewatchdog_lock and dev-\u003ewatchdog_ref_held to serialize watchdog operations.\n\n2) Remove netdev_watchdog_up() call from netif_carrier_on():\n This ensures netdev_watchdog_up() is only called from process/BH context\n (via linkwatch workqueue dev_activate()), allowing us to use\n spin_lock_bh() for synchronization.\n\n3) Synchronize watchdog up and watchdog timer:\n Protect netdev_watchdog_up() with tx_global_lock and watchdog_lock.\n Only allocate a new tracker in netdev_watchdog_up() if one is\n not already present.\n In dev_watchdog(), ensure we don\u0027t release the tracker if the\n timer was rescheduled either by dev_watchdog() itself or concurrently\n by netdev_watchdog_up().\n\nFixes: f12bf6f3f942 (\"net: watchdog: add net device refcount tracker\")\nReported-by: syzbot+381d82bbf0253710b35d@syzkaller.appspotmail.com\nCloses: https://lore.kernel.org/netdev/6a26b751.c25708ab.1b19ef.0013.GAE@google.com/T/#u\nTested-by: syzbot+3479efbc2821cb2a79f2@syzkaller.appspotmail.com\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nLink: https://patch.msgid.link/20260611152737.2580480-1-edumazet@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "56a0b00c5a04cb270f66e20d365526c9ac34a1fe", "tree": "9233729f46d57e227cfa27e68dcc2d771e079e86", "parents": [ "592b792026eaab89efb84bed71b05994645fa790", "f8fd56977eeea3d6939b1a9cd8bd36f1779b3ad0" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 17:26:16 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 17:26:17 2026 -0700" }, "message": "Merge branch \u0027net-mana-fix-error-path-issues-in-queue-setup\u0027\n\nAditya Garg says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnet: mana: fix error-path issues in queue setup\n\nTwo error-path fixes in MANA queue setup, both surfaced during Sashiko\nAI review of a recently upstreamed patch series.\n\nPatch 1 initializes queue-\u003eid to INVALID_QUEUE_ID in\nmana_gd_create_mana_wq_cq() so that a CQ creation failure before the\nfirmware id is assigned does not NULL gc-\u003ecq_table[0] and silently\nbreak whichever real CQ owns that slot. This mirrors the existing\npattern in mana_gd_create_eq().\n\nPatch 2 guards mana_destroy_txq()\u0027s call to mana_destroy_wq_obj() with\nan INVALID_MANA_HANDLE check, mirroring mana_destroy_rxq(). Without\nit, TX setup failures lead to a firmware-rejected destroy of (u64)-1\nand a spurious error in dmesg.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260608101345.2267320-1-gargaditya@linux.microsoft.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "f8fd56977eeea3d6939b1a9cd8bd36f1779b3ad0", "tree": "9233729f46d57e227cfa27e68dcc2d771e079e86", "parents": [ "5985474e1cb4034680fac2145497a94b0860be50" ], "author": { "name": "Aditya Garg", "email": "gargaditya@linux.microsoft.com", "time": "Mon Jun 08 03:13:41 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 17:26:05 2026 -0700" }, "message": "net: mana: guard TX wq object destroy with INVALID_MANA_HANDLE check\n\nmana_create_txq() has several error paths (after mana_alloc_queues() or\nmana_create_wq_obj() failure) where tx_qp[i].tx_object stays as the\nINVALID_MANA_HANDLE sentinel set at allocation. mana_destroy_txq() then\nunconditionally calls mana_destroy_wq_obj() with (u64)-1, which firmware\nrejects and logs an error.\n\nMirror the RX-side pattern in mana_destroy_rxq() and skip the destroy\nwhen the handle is still INVALID_MANA_HANDLE.\n\nFixes: ca9c54d2d6a5 (\"net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)\")\nSigned-off-by: Aditya Garg \u003cgargaditya@linux.microsoft.com\u003e\nReviewed-by: Dipayaan Roy \u003cdipayanroy@linux.microsoft.com\u003e\nReviewed-by: Haiyang Zhang \u003chaiyangz@microsoft.com\u003e\nLink: https://patch.msgid.link/20260608101345.2267320-3-gargaditya@linux.microsoft.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "5985474e1cb4034680fac2145497a94b0860be50", "tree": "7abb44ac9aae89491b4abf5310726acdd0b32d12", "parents": [ "592b792026eaab89efb84bed71b05994645fa790" ], "author": { "name": "Aditya Garg", "email": "gargaditya@linux.microsoft.com", "time": "Mon Jun 08 03:13:40 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 17:26:05 2026 -0700" }, "message": "net: mana: initialize gdma queue id to INVALID_QUEUE_ID\n\nmana_gd_create_mana_wq_cq() leaves queue-\u003eid as 0 (from kzalloc_obj())\nuntil mana_create_wq_obj() assigns the firmware-returned id. If creation\nfails before that, cleanup calls mana_gd_destroy_cq() with id 0, NULLing\ngc-\u003ecq_table[0] and silently breaking whichever real CQ owns that slot.\n\nInitialize queue-\u003eid to INVALID_QUEUE_ID right after allocation, matching\nmana_gd_create_eq(). The existing (id \u003e\u003d max_num_cqs) guard then\nshort-circuits cleanly.\n\nFixes: ca9c54d2d6a5 (\"net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)\")\nSigned-off-by: Aditya Garg \u003cgargaditya@linux.microsoft.com\u003e\nReviewed-by: Dipayaan Roy \u003cdipayanroy@linux.microsoft.com\u003e\nReviewed-by: Haiyang Zhang \u003chaiyangz@microsoft.com\u003e\nLink: https://patch.msgid.link/20260608101345.2267320-2-gargaditya@linux.microsoft.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "592b792026eaab89efb84bed71b05994645fa790", "tree": "07d421ce66a74971b35299515136e5e573cd148a", "parents": [ "344873108ca7f342f1a7ffeb81ffca2347fe9535", "101f1047c2f6261d252d68ca3f77e52ed05a8402" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 17:20:55 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 17:20:56 2026 -0700" }, "message": "Merge branch \u0027avoid-mistaken-parent-class-deactivation-during-peek\u0027\n\nVictor Nogueira says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nAvoid mistaken parent class deactivation during peek\n\nSeveral qdiscs (fq_codel, codel and dualpi2) may drop packets while\npeeking at their queue. When that happens they call\nqdisc_tree_reduce_backlog() to notify the parent of the backlog/qlen\nchange. The problem is that they do so *before* reincrementing the qlen\nthat peek had temporarily decremented.\n\nIf the qlen momentarily drops to zero while peek still has an skb to\nreturn, qdisc_tree_reduce_backlog() ends up invoking the parent\u0027s\nqlen_notify() callback even though the child is not actually empty. The\nparent then deactivates the class, while the child still holds a packet.\nFor parents such as QFQ this desync corrupts the active class list and\nleads to wild memory accesses and NULL pointer dereferences (see the\nper-patch splats). For HFSC it might lead to stalls [1].\n\nFix all three qdiscs the same way: only call qdisc_tree_reduce_backlog()\nonce the qlen has been restored, so the parent never observes a\ntransient empty child during peek.\n\nPatch 1 fixes this for fq_codel, patch 2 for codel, patch 3 for dualpi2\nand patch 4 adds test cases for these 3 setups.\n\nNote: Patch 1 is one of two fixes for the stall reported in [1]; the\ncompanion fix is \"net/sched: sch_hfsc: Don\u0027t make class passive twice\",\nsent separately.\n\nNote2: A possible cleaner fix is to create a new helper function for peek\nthat only calls qdisc_tree_reduce_backlog after reincrementing the qlen.\nThis would be called from the 3 vulnerable qdiscs, however we thought this\nmight make it harder for backporting so, if people agree, we can submit\nthis cleaner version to net-next after this one is merged.\n\n[1] https://lore.kernel.org/netdev/CAN2cbVe79oj0O9\u003d\u003dm4+4x3v+O+qzRagA\u003d2\u003dwkrp9i9\u003dCqYvyZA@mail.gmail.com/\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260610192855.3121513-1-victor@mojatatu.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "101f1047c2f6261d252d68ca3f77e52ed05a8402", "tree": "07d421ce66a74971b35299515136e5e573cd148a", "parents": [ "15cd0c93bf4f892d66bc7a93667e2357b5673365" ], "author": { "name": "Victor Nogueira", "email": "victor@mojatatu.com", "time": "Wed Jun 10 16:28:55 2026 -0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 17:20:54 2026 -0700" }, "message": "selftests/tc-testing: Verify child qdisc will not mistakenly deactivate QFQ parent\n\nCreate 3 test cases:\n- Verify fq_codel won\u0027t mistakenly deactivate QFQ parent class during peek\n- Verify codel won\u0027t mistakenly deactivate QFQ parent class during peek\n- Verify dualpi2 won\u0027t mistakenly deactivate QFQ parent class during peek\n\nVerify that these 3 qdiscs (fq_codel, codel, dualpi2) will not call\nqdisc_tree_reduce_backlog with an incorrect qlen (0) during peek and\nmistakenly deactivate a parent class.\n\nAcked-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nSigned-off-by: Victor Nogueira \u003cvictor@mojatatu.com\u003e\nLink: https://patch.msgid.link/20260610192855.3121513-5-victor@mojatatu.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "15cd0c93bf4f892d66bc7a93667e2357b5673365", "tree": "1199a4545ceb33391c677eca8d0a4c7a2f8b73c8", "parents": [ "52f1da34c9f4d5bdc1e8b44242da5c7ba8db85f3" ], "author": { "name": "Victor Nogueira", "email": "victor@mojatatu.com", "time": "Wed Jun 10 16:28:54 2026 -0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 17:20:53 2026 -0700" }, "message": "net/sched: sch_dualpi2: Do not call qdisc_tree_reduce_backlog during peek before restoring qlen\n\nWhenever dualpi2 drops packets during peek, it calls\nqdisc_tree_reduce_backlog. An issue arises because it calls\nqdisc_tree_reduce_backlog before it reincrements the qlen. If qlen drops\nto zero, but peek returns an skb, the parent\u0027s qlen_notify callback will be\nexecuted even though dualpi2 still has 1 packet on the queue and, thus,\nmistakenly deactivates the parent\u0027s class which leads to a null-ptr-deref:\n\n[ 101.427314][ T599] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000009: 0000 [#1] SMP KASAN NOPTI\n[ 101.427755][ T599] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]\n[ 101.428048][ T599] CPU: 2 UID: 0 PID: 599 Comm: ping Not tainted 7.1.0-rc5-00284-gbce53c430ed7 #102 PREEMPT(full)\n[ 101.428400][ T599] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[ 101.428608][ T599] RIP: 0010:qfq_dequeue (net/sched/sch_qfq.c:1150) sch_qfq\n[ 101.428821][ T599] Code: 00 fc ff df 80 3c 02 00 0f 85 46 0c 00 00 4c 8d 73 48 48 89 9d b8 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 2d 0c 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b\nAll code\n[ 101.429348][ T599] RSP: 0018:ffff8881110df4f0 EFLAGS: 00010216\n[ 101.429541][ T599] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: dffffc0000000000\n[ 101.429763][ T599] RDX: 0000000000000009 RSI: 00000024c0000000 RDI: ffff88811436c2b0\n[ 101.429985][ T599] RBP: ffff88811436c000 R08: ffff88811436c280 R09: 1ffff11021277523\n[ 101.430206][ T599] R10: 1ffff11021277526 R11: 1ffff11021277527 R12: 00000024c0000000\n[ 101.430423][ T599] R13: ffff88811436c2b8 R14: 0000000000000048 R15: 0000000020000000\n[ 101.430642][ T599] FS: 00007f61813e1c40(0000) GS:ffff8881691ef000(0000) knlGS:0000000000000000\n[ 101.430913][ T599] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 101.431100][ T599] CR2: 00005651650850a8 CR3: 000000010ca0b000 CR4: 0000000000750ef0\n[ 101.431320][ T599] PKRU: 55555554\n[ 101.431433][ T599] Call Trace:\n[ 101.431544][ T599] \u003cTASK\u003e\n[ 101.431628][ T599] __qdisc_run (net/sched/sch_generic.c:322 net/sched/sch_generic.c:427 net/sched/sch_generic.c:445)\n[ 101.431792][ T599] ? dev_qdisc_enqueue (./include/trace/events/qdisc.h:49 (discriminator 22) net/core/dev.c:4176 (discriminator 22))\n[ 101.431941][ T599] __dev_queue_xmit (./include/net/pkt_sched.h:120 ./include/net/pkt_sched.h:117 net/core/dev.c:4292 net/core/dev.c:4831)\n\nFix this by only calling qdisc_tree_reduce_backlog in peek after the\nqlen is restored.\n\nFixes: 8f9516daedd6 (\"sched: Add enqueue/dequeue of dualpi2 qdisc\")\nAcked-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nSigned-off-by: Victor Nogueira \u003cvictor@mojatatu.com\u003e\nLink: https://patch.msgid.link/20260610192855.3121513-4-victor@mojatatu.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "52f1da34c9f4d5bdc1e8b44242da5c7ba8db85f3", "tree": "81b4a2615e1769f4325f71a18ab1ff27c55d1cac", "parents": [ "097f6fc7b1ae362dd7a9444b2572162fda73b284" ], "author": { "name": "Victor Nogueira", "email": "victor@mojatatu.com", "time": "Wed Jun 10 16:28:53 2026 -0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 17:20:53 2026 -0700" }, "message": "net/sched: sch_codel: Do not call qdisc_tree_reduce_backlog during peek before restoring qlen\n\nWhenever codel drops packets during peek, it calls\nqdisc_tree_reduce_backlog. An issue arises because it calls\nqdisc_tree_reduce_backlog before it reincrements the qlen. If qlen drops\nto zero, but peek returns an skb, the parent\u0027s qlen_notify callback will\nbe executed even though codel still has 1 packet on the queue and, thus,\nwill mistakenly deactivate the parent\u0027s class causing issues like a wild\nmemory access when qfq has codel as a child:\n\n[ 36.339843][ T370] Oops: general protection fault, probably for non-canonical address 0xfbd59c0000000024: 0000 [#1] SMP KASAN NOPTI\n[ 36.340408][ T370] KASAN: maybe wild-memory-access in range [0xdead000000000120-0xdead000000000127]\n[ 36.340737][ T370] CPU: 2 UID: 0 PID: 370 Comm: tc Not tainted 7.1.0-rc5-00287-g66e13b626592 #87 PREEMPT(full)\n[ 36.341113][ T370] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[ 36.341357][ T370] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:1029 (discriminator 2) include/linux/list.h:1043 (discriminator 2) net/sched/sch_qfq.c:1369 (discriminator 2) net/sched/sch_qfq.c:1395 (discriminator 2)) sch_qfq\n[ 36.342221][ T370] RSP: 0018:ffff8881100ef370 EFLAGS: 00010216\n[ 36.342422][ T370] RAX: 0000000000000000 RBX: ffff8881058a9568 RCX: dffffc0000000000\n[ 36.342664][ T370] RDX: 1ffff11021064dc3 RSI: ffff888108326e00 RDI: dffffc0000000000\n[ 36.342905][ T370] RBP: ffff8881058a8280 R08: dead000000000122 R09: 1bd5a00000000024\n[ 36.343140][ T370] R10: fffffbfff2940329 R11: fffffbfff2940329 R12: 0000000000000000\n[ 36.343383][ T370] R13: dead000000000100 R14: ffff8881058a9580 R15: ffff8881058a9578\n[ 36.343631][ T370] FS: 00007fc04b0ca780(0000) GS:ffff888184fef000(0000) knlGS:0000000000000000\n[ 36.343911][ T370] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 36.344116][ T370] CR2: 0000557c02c02000 CR3: 000000010e0ba000 CR4: 0000000000750ef0\n[ 36.344359][ T370] PKRU: 55555554\n[ 36.344481][ T370] Call Trace:\n...\n[ 36.345054][ T370] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1487) sch_qfq\n[ 36.345222][ T370] qdisc_reset (net/sched/sch_generic.c:1057)\n[ 36.345503][ T370] __qdisc_destroy (net/sched/sch_generic.c:1096)\n[ 36.345677][ T370] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)\n[ 36.346335][ T370] tc_get_qdisc (net/sched/sch_api.c:1528 net/sched/sch_api.c:1556)\n\nFix this by only calling qdisc_tree_reduce_backlog in peek after the\nqlen is restored.\n\nFixes: 342debc12183 (\"codel: remove sch-\u003eq.qlen check before qdisc_tree_reduce_backlog()\")\nAcked-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nSigned-off-by: Victor Nogueira \u003cvictor@mojatatu.com\u003e\nLink: https://patch.msgid.link/20260610192855.3121513-3-victor@mojatatu.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "097f6fc7b1ae362dd7a9444b2572162fda73b284", "tree": "1642f75a7831684307f0003c2eb326e88c19ea5d", "parents": [ "344873108ca7f342f1a7ffeb81ffca2347fe9535" ], "author": { "name": "Victor Nogueira", "email": "victor@mojatatu.com", "time": "Wed Jun 10 16:28:52 2026 -0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 17:20:53 2026 -0700" }, "message": "net/sched: sch_fq_codel: Do not call qdisc_tree_reduce_backlog during peek before restoring qlen\n\nWhenever fq_codel drops packets during peek, it calls\nqdisc_tree_reduce_backlog. An issue arises because it calls\nqdisc_tree_reduce_backlog before it reincrements the qlen. If qlen drops\nto zero, but peek returns an skb, the parent\u0027s qlen_notify callback will be\nexecuted even though fq_codel still has 1 packet on the queue and, thus,\nwill mistakenly deactivate the parent\u0027s class causing issues like a recent\nreport [1] and a wild memory access in qfq:\n\n[ 29.371146][ T360] Oops: general protection fault, probably for non-canonical address 0xfbd59c0000000024: 0000 [#1] SMP KASAN NOPTI\n[ 29.371666][ T360] KASAN: maybe wild-memory-access in range [0xdead000000000120-0xdead000000000127]\n[ 29.371987][ T360] CPU: 6 UID: 0 PID: 360 Comm: tc Not tainted 7.1.0-rc5-00285-gc530e5b2dbc6-dirty #82 PREEMPT(full)\n[ 29.372384][ T360] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[ 29.372620][ T360] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:1029 (discriminator 2) include/linux/list.h:1043 (discriminator 2) net/sched/sch_qfq.c:1369 (discriminator 2) net/sched/sch_qfq.c:1395 (discriminator 2)) sch_qfq\n[ 29.373544][ T360] RSP: 0018:ffff888102417370 EFLAGS: 00010216\n[ 29.373800][ T360] RAX: 0000000000000000 RBX: ffff88811224d568 RCX: dffffc0000000000\n[ 29.374079][ T360] RDX: 1ffff11021fe1543 RSI: ffff88810ff0aa00 RDI: dffffc0000000000\n[ 29.374368][ T360] RBP: ffff88811224c280 R08: dead000000000122 R09: 1bd5a00000000024\n[ 29.374649][ T360] R10: fffffbfff7940329 R11: fffffbfff7940329 R12: 0000000000000000\n[ 29.374926][ T360] R13: dead000000000100 R14: ffff88811224d580 R15: ffff88811224d578\n[ 29.375207][ T360] FS: 00007f5b794e5780(0000) GS:ffff88815d1e9000(0000) knlGS:0000000000000000\n[ 29.375545][ T360] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 29.375823][ T360] CR2: 000055ffb091f000 CR3: 000000010a305000 CR4: 0000000000750ef0\n[ 29.376103][ T360] PKRU: 55555554\n[ 29.376258][ T360] Call Trace:\n[ 29.376401][ T360] \u003cTASK\u003e\n...\n[ 29.376885][ T360] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1487) sch_qfq\n[ 29.377074][ T360] qdisc_reset (net/sched/sch_generic.c:1057)\n[ 29.377414][ T360] __qdisc_destroy (net/sched/sch_generic.c:1096)\n[ 29.377600][ T360] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)\n[ 29.378593][ T360] tc_get_qdisc (net/sched/sch_api.c:1528 net/sched/sch_api.c:1556)\n\nFix this by only calling qdisc_tree_reduce_backlog in peek after the\nqlen is restored.\n\n[1] http://lore.kernel.org/netdev/CAN2cbVe79oj0O9\u003d\u003dm4+4x3v+O+qzRagA\u003d2\u003dwkrp9i9\u003dCqYvyZA@mail.gmail.com/\n\nFixes: 342debc12183 (\"codel: remove sch-\u003eq.qlen check before qdisc_tree_reduce_backlog()\")\nReported-by: Anirudh Gupta \u003canirudhrudr@gmail.com\u003e\nCloses: https://lore.kernel.org/netdev/CAN2cbVe79oj0O9\u003d\u003dm4+4x3v+O+qzRagA\u003d2\u003dwkrp9i9\u003dCqYvyZA@mail.gmail.com/\nTested-by: Anirudh Gupta \u003canirudhrudr@gmail.com\u003e\nAcked-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nSigned-off-by: Victor Nogueira \u003cvictor@mojatatu.com\u003e\nLink: https://patch.msgid.link/20260610192855.3121513-2-victor@mojatatu.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "344873108ca7f342f1a7ffeb81ffca2347fe9535", "tree": "884cdede7a62a374a8ca17e654611046944ec32c", "parents": [ "86c51f0f23136ea5ef5541f607287e07150cd23f", "dc175389b18c29a5303ee83169ec653adfae3e17" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 16:48:57 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 16:49:37 2026 -0700" }, "message": "Merge branch \u0027rxrpc-miscellaneous-fixes\u0027\n\nDavid Howells says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nrxrpc: Miscellaneous fixes\n\nHere are some miscellaneous AF_RXRPC fixes:\n\n (1) Make sure rxrpc_verify_data() allocates a buffer, even if the DATA\n packet being looked at is zero length to avoid potential NULL-pointer\n exceptions.\n\n (2) Don\u0027t move an OOB message (e.g. an RxGK CHALLENGE) off the receive\n queue onto the pending queue in recvmsg() if MSG_PEEK is specified.\n\n (3) Fix a potential UAF in rxgk_issue_challenge() in which a tracepoint\n refers to memory just freed by a different pointer.\n\n (4) Fix afs net namespace teardown to cancel the incoming call\n preallocation charger before we disable listening (which will delete\n the preallocation queue).\n\n (5) Fix rxrpc_kernel_charge_accept() to use the socket mutex to defend\n against listen(0)/shutdown simultaneously deleting the preallocation\n queue.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260609140911.838677-1-dhowells@redhat.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "dc175389b18c29a5303ee83169ec653adfae3e17", "tree": "884cdede7a62a374a8ca17e654611046944ec32c", "parents": [ "47694fbc9d24ab6bf210f91e8efe06a10a478064" ], "author": { "name": "Li Daming", "email": "d4n.for.sec@gmail.com", "time": "Tue Jun 09 15:09:09 2026 +0100" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 16:48:55 2026 -0700" }, "message": "rxrpc: serialize kernel accept preallocation with socket teardown\n\nrxrpc_kernel_charge_accept() reads rx-\u003ebacklog without any\nsocket/backlog synchronization and passes that raw pointer into\nrxrpc_service_prealloc_one(). A concurrent rxrpc_discard_prealloc()\nsets rx-\u003ebacklog \u003d NULL and frees the backlog rings, so a kernel\npreallocation worker can keep using a freed struct rxrpc_backlog\nwhile updating *_backlog_head/tail and array slots.\n\nSerialize the state check and backlog lookup with the socket lock,\nand reject kernel preallocation once teardown has disabled\nlistening or discarded the service backlog.\n\nFixes: 00e907127e6f (\"rxrpc: Preallocate peers, conns and calls for incoming service requests\")\nReported-by: Yuan Tan \u003cyuantan098@gmail.com\u003e\nReported-by: Yifan Wu \u003cyifanwucs@gmail.com\u003e\nReported-by: Juefei Pu \u003ctomapufckgml@gmail.com\u003e\nReported-by: Xin Liu \u003cbird@lzu.edu.cn\u003e\nSigned-off-by: Li Daming \u003cd4n.for.sec@gmail.com\u003e\nSigned-off-by: Ren Wei \u003cn05ec@lzu.edu.cn\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\ncc: Marc Dionne \u003cmarc.dionne@auristor.com\u003e\ncc: Jeffrey Altman \u003cjaltman@auristor.com\u003e\ncc: Simon Horman \u003chorms@kernel.org\u003e\ncc: linux-afs@lists.infradead.org\ncc: stable@kernel.org\nLink: https://patch.msgid.link/20260609140911.838677-6-dhowells@redhat.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "47694fbc9d24ab6bf210f91e8efe06a10a478064", "tree": "32ce404f78fdd19e4b4532de2c453a0e309b1200", "parents": [ "107a4cb0d47e735830f852d83970d5c81f8e1e08" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Jun 09 15:09:08 2026 +0100" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 16:48:55 2026 -0700" }, "message": "afs: Fix netns teardown to cancel the preallocation charger\n\nFix the teardown of an afs network namespace to make sure it cancels the\nwork item that keeps the preallocated rxrpc call/conn/peer queue charged\nbefore incoming calls are disabled (i.e. listen 0).\n\nAlso, if net-\u003elive is false because the afs netns is being deleted, make\nafs_charge_preallocation() skip charging and make afs_rx_new_call() avoid\nrequeuing the charger.\n\n(This was found by AI review).\n\nFixes: 00e907127e6f (\"rxrpc: Preallocate peers, conns and calls for incoming service requests\")\nReported-by: Simon Horman \u003chorms@kernel.org\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\ncc: Li Daming \u003cd4n.for.sec@gmail.com\u003e\ncc: Ren Wei \u003cn05ec@lzu.edu.cn\u003e\ncc: Marc Dionne \u003cmarc.dionne@auristor.com\u003e\ncc: Jeffrey Altman \u003cjaltman@auristor.com\u003e\ncc: linux-afs@lists.infradead.org\ncc: stable@kernel.org\nLink: https://patch.msgid.link/20260609140911.838677-5-dhowells@redhat.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "107a4cb0d47e735830f852d83970d5c81f8e1e08", "tree": "889f58cf60de7849e19bea1e7cb47b688d03d6b7", "parents": [ "5801cff7d5d7b4e9d877dfb627b23eb63167f02c" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Tue Jun 09 15:09:07 2026 +0100" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 16:48:54 2026 -0700" }, "message": "rxrpc: Fix UAF in rxgk_issue_challenge()\n\nFix rxgk_issue_challenge() to free the page containing the challenge\ncontent after invoking the tracepoint as the whdr passed to the tracepoint\npoints into the page just freed.\n\nFixes: 9d1d2b59341f (\"rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)\")\nReported-by: Marc Dionne \u003cmarc.dionne@auristor.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\ncc: Simon Horman \u003chorms@kernel.org\u003e\ncc: linux-afs@lists.infradead.org\ncc: stable@kernel.org\nLink: https://patch.msgid.link/20260609140911.838677-4-dhowells@redhat.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "5801cff7d5d7b4e9d877dfb627b23eb63167f02c", "tree": "8f6d3e620687376d674ce715f3ed18301f924d67", "parents": [ "16c8ae9735c5bd7e54dd7478d6348e0fc860842d" ], "author": { "name": "Hyunwoo Kim", "email": "imv4bel@gmail.com", "time": "Tue Jun 09 15:09:06 2026 +0100" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 16:48:54 2026 -0700" }, "message": "rxrpc: Don\u0027t move a peeked OOB message onto the pending queue\n\nrxrpc_recvmsg_oob() takes a received oob message off recvmsg_oobq and,\nif a response is needed, moves it onto the pending_oobq tree. However,\nonly the unlink from recvmsg_oobq is guarded by MSG_PEEK; the move onto\npending_oobq always runs.\n\nAs a result, reading a challenge with MSG_PEEK leaves the skb on\nrecvmsg_oobq while also adding it to pending_oobq. Since struct\nsk_buff\u0027s rbnode shares storage with its next and prev pointers,\nrb_insert_color() overwrites the list linkage, and the skb, which holds\na single reference, becomes reachable from both queues at once.\n\nWhen the socket is closed both queues are drained in turn. While\ndraining recvmsg_oobq, __skb_unlink() follows the next and prev\npointers that rbnode has overwritten and writes to a bad address. Also,\nas the skb holds a single reference but is freed from each queue, both\nthe skb and the connection reference it holds are released twice. This\nleads to memory corruption and to a use-after-free caused by the\nconnection refcount underflow.\n\nMSG_PEEK does not consume the message from the queue, so only unlink it\nfrom recvmsg_oobq and then move it onto pending_oobq or free it when\nthe message is actually consumed.\n\nFixes: 5800b1cf3fd8 (\"rxrpc: Allow CHALLENGEs to the passed to the app for a RESPONSE\")\nSigned-off-by: Hyunwoo Kim \u003cimv4bel@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\ncc: Marc Dionne \u003cmarc.dionne@auristor.com\u003e\ncc: Simon Horman \u003chorms@kernel.org\u003e\ncc: linux-afs@lists.infradead.org\ncc: stable@kernel.org\nLink: https://patch.msgid.link/20260609140911.838677-3-dhowells@redhat.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "16c8ae9735c5bd7e54dd7478d6348e0fc860842d", "tree": "671f2cbc3d46a1a1012462c66a6fa1a052730304", "parents": [ "86c51f0f23136ea5ef5541f607287e07150cd23f" ], "author": { "name": "Jeffrey Altman", "email": "jaltman@auristor.com", "time": "Tue Jun 09 15:09:05 2026 +0100" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 16:48:54 2026 -0700" }, "message": "rxrpc: rxrpc_verify_data ensure rx_dec_buffer alloc\n\nrxrpc_recvmsg_data() calls rxrpc_verify_data() whenever the\nrxrpc_call.rx_dec_buffer is unallocated and assumes that upon\nsuccessful return that rx_dec_buffer must be allocated.\nHowever, rxrpc_verify_data() does not request an allocation if\nthe rxrpc_skb_priv.len is zero.\n\nIn addition, failure to allocate rx_dec_buffer will result in a\ncall to skb_copy_bits() with a NULL destination which can\ntrigger a NULL pointer dereference.\n\nTo prevent these issues rxrpc_verify_data() is modified to\nalways attempt to allocate the rxrpc_call.rx_dec_buffer if it\nis NULL.\n\nThis issue was identified with assistance of a private\nsashiko instance.\n\nFixes: d2bc90cf6c75cb (\"rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg\")\nReported-by: Simon Horman \u003csimon.horman@redhat.com\u003e\nSigned-off-by: Jeffrey Altman \u003cjaltman@auristor.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\ncc: Jiayuan Chen \u003cjiayuan.chen@linux.dev\u003e\ncc: Marc Dionne \u003cmarc.dionne@auristor.com\u003e\ncc: linux-afs@lists.infradead.org\ncc: stable@kernel.org\nLink: https://patch.msgid.link/20260609140911.838677-2-dhowells@redhat.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "86c51f0f23136ea5ef5541f607287e07150cd23f", "tree": "7e6583ab53badc4e53e98b550c98591bbbdddf51", "parents": [ "cdf19f380e46192e7084be559638aab1f6ed86a2" ], "author": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 11 18:36:48 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 16:38:32 2026 -0700" }, "message": "virtio_net: do not allow tunnel csum offload for non GSO packets\n\nFiona reports broken connectivity for virtio net setup using UDP tunnel\ninside the guest and NIC with not UDP tunnel TSO support in the host.\n\nCurrently the virtio_net driver exposes csum offload for UDP-tunneled,\nTCP non GSO packets. Such packet reach the host as CSUM_PARTIAL ones\nwith the \u0027encapsulation\u0027 flag cleared, as the virtio specification do\nnot support this specific kind of offload.\n\nHW NICs with UDP tunnel TSO support - and those drivers directly\naccessing skb-\u003ecsum_start/csum_offset - are still capable of computing\nthe needed csum correctly, but otherwise the packets reach the wire with\nbad csum on both the inner and outer transport header.\n\nAddress the issue explicitly disabling csum offload for UDP tunneled,\nnon GSO packets via the ndo_features_check op.\n\nFixes: 56a06bd40fab (\"virtio_net: enable gso over UDP tunnel support.\")\nReported-by: Fiona Ebner \u003cf.ebner@proxmox.com\u003e\nCloses: https://bugzilla.proxmox.com/show_bug.cgi?id\u003d7627\nTested-by: Fiona Ebner \u003cf.ebner@proxmox.com\u003e\nTested-by: Gabriel Goller \u003cg.goller@proxmox.com\u003e\nAcked-by: Michael S. Tsirkin \u003cmst@redhat.com\u003e\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\nReviewed-by: Gabriel Goller \u003cg.goller@proxmox.com\u003e\nTested-by: Gabriel Goller \u003cg.goller@proxmox.com\u003e\nLink: https://patch.msgid.link/6c3b6c47fb05c100f384630dc48f3975cf37b67a.1781195144.git.pabeni@redhat.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "cdf19f380e46192e7084be559638aab1f6ed86a2", "tree": "d7f21f0ad6b93c6daa50194bb942c87c692c7298", "parents": [ "990348e5bb457697c2f1f7f7b65154a3334d9d2b" ], "author": { "name": "Zhengchuan Liang", "email": "zcliangcn@gmail.com", "time": "Tue Jun 09 16:34:37 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 16:33:36 2026 -0700" }, "message": "net: atm: reject out-of-range traffic classes in QoS validation\n\nReject ATM traffic classes above ATM_ANYCLASS in check_tp().\nSO_ATMQOS stores the supplied QoS after check_qos() succeeds, so\naccepting larger values leaves invalid traffic_class values in\nvcc-\u003eqos.\n\nThat bad state later reaches pvc_info(), which indexes class_name[]\nwith vcc-\u003eqos.{rx,tp}.traffic_class. Values above ATM_ANYCLASS cause\nan out-of-bounds read when /proc/net/atm/pvc is read.\n\nTighten the existing QoS validation so invalid traffic_class values\nare rejected at the point where user supplied QoS is accepted.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nCc: stable@vger.kernel.org\nReported-by: Yuan Tan \u003cyuantan098@gmail.com\u003e\nReported-by: Xin Liu \u003cbird@lzu.edu.cn\u003e\nSigned-off-by: Zhengchuan Liang \u003czcliangcn@gmail.com\u003e\nSigned-off-by: Ren Wei \u003cn05ec@lzu.edu.cn\u003e\nReviewed-by: Simon Horman \u003chorms@kernel.org\u003e\nLink: https://patch.msgid.link/58f02c6f73d9818fd5d2022e1116759fdde6116b.1780965530.git.zcliangcn@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "990348e5bb457697c2f1f7f7b65154a3334d9d2b", "tree": "91513936806986a8ed15dd7f954a3c43ef3a8f43", "parents": [ "e26657fe3b85c068b01f42bb0c602f242d643ba9" ], "author": { "name": "Sechang Lim", "email": "rhkrqnwk98@gmail.com", "time": "Thu Jun 11 09:29:18 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 16:18:39 2026 -0700" }, "message": "tcp: clear sock_ops cb flags before force-closing a child socket\n\nA child socket inherits the listener\u0027s bpf_sock_ops_cb_flags via\nsk_clone_lock(). If its setup fails in tcp_v4_syn_recv_sock() /\ntcp_v6_syn_recv_sock(), the child is freed through put_and_exit, where\ninet_csk_prepare_forced_close() drops the socket lock and tcp_done() runs\nwithout it.\n\nIf BPF_SOCK_OPS_STATE_CB_FLAG was inherited, tcp_done() -\u003e tcp_set_state()\ncalls tcp_call_bpf(), which expects the lock and trips sock_owned_by_me():\n\n WARNING: include/net/sock.h:1799 at tcp_set_state+0x433/0x550\n RIP: 0010:tcp_set_state+0x433/0x550 include/net/sock.h:1799\n Call Trace:\n \u003cIRQ\u003e\n tcp_done+0xba/0x250 net/ipv4/tcp.c:5095\n tcp_v4_syn_recv_sock+0x850/0xa50 net/ipv4/tcp_ipv4.c:1787\n tcp_check_req+0xf30/0x1360 net/ipv4/tcp_minisocks.c:926\n tcp_v4_rcv+0x1047/0x1b50 net/ipv4/tcp_ipv4.c:2164\n \u003c/IRQ\u003e\n\nThe child is freed before it is ever established, so it should run no\nsock_ops callback. Clear its cb flags in inet_csk_prepare_for_destroy_sock(),\nthe common point for the IPv4, IPv6 and chtls forced-close paths and for the\nMPTCP -\u003esyn_recv_sock() failure path (dispose_child), which reaches tcp_done()\non a child that was never established too.\n\nSuggested-by: Jiayuan Chen \u003cjiayuan.chen@linux.dev\u003e\nFixes: d44874910a26 (\"bpf: Add BPF_SOCK_OPS_STATE_CB\")\nSigned-off-by: Sechang Lim \u003crhkrqnwk98@gmail.com\u003e\nReviewed-by: Jiayuan Chen \u003cjiayuan.chen@linux.dev\u003e\nReviewed-by: Kuniyuki Iwashima \u003ckuniyu@google.com\u003e\nReviewed-by: Eric Dumazet \u003cedumazet@google.com\u003e\nLink: https://patch.msgid.link/20260611092923.1895982-1-rhkrqnwk98@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "e26657fe3b85c068b01f42bb0c602f242d643ba9", "tree": "bb5bdc22174d71abb2acf9e70db9680404a10d70", "parents": [ "9bf10032894f429b3e221de63cf95a8544511a90" ], "author": { "name": "Joe Damato", "email": "joe@dama.to", "time": "Tue Jun 09 13:44:58 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 12 15:57:23 2026 -0700" }, "message": "bnxt: fix head underflow on XDP head-grow\n\nThe xdp.py test test_xdp_native_adjst_head_grow_data crashes when run on\na bnxt machine (and also crashes in NIPA).\n\nIt seems that the bug is an underflow in bnxt_rx_multi_page_skb, which\nbuilds the skb head:\n\n napi_build_skb(data_ptr - bp-\u003erx_offset, rxr-\u003erx_page_size);\n\nThe problem with this expression is that in page mode, rx_offset is:\n\n bp-\u003erx_offset \u003d NET_IP_ALIGN + XDP_PACKET_HEADROOM;\n\nWhich evaluates (at least on x86_64) to 258.\n\nThe test test_xdp_native_adjst_head_grow_data tests a case where the\nhead is adjusted by -256.\n\nWhen this test runs, data_ptr is shifted to frag_start + 2 (where\nfrag_start \u003d page_address(page) + offset).\n\nThen, bnxt_rx_multi_page_skb is invoked and the napi_build_skb\nexpression subtracts 258, landing at an address before frag_start. This\ncould be either the previous fragment or the previous physical page when\nthe offset is \u003c 256 (e.g. if the fragment started at offset 0).\n\nWhen the skb is freed, the page pool fragment reference is dropped on\neither the wrong page or the wrong frag of the right page. In either\ncase, the corrupted reference count can lead to the page being\nprematurely recycled while still in use. Once (incorrectly) recycled, it\ncan be handed out again and on driver teardown this would result in a\ndouble free.\n\nThe commit under fixes updated this code to handle the case where the\nnative page size is \u003e\u003d 64k, but it unintentionally broke the head grow\ncase.\n\nTo fix this, add an offset field to struct bnxt_sw_rx_bd, mirroring the\nexisting offset field in struct bnxt_sw_rx_agg_bd. Populate it on\nallocation and preserve it on reuse.\n\nIn bnxt_rx_multi_page_skb, use the newly added offset field to compute\nthe fragment start and pass that to napi_build_skb. Adjust the layout\nwith skb_reserve.\n\nThere are two cases, the non-adjustment case and the adjustment case.\n\nIn both cases, the skb is built at page_address(page) + offset to\naccount for the case where the native page size \u003e\u003d 64K and skb_reserve\nis called with data_ptr - (page_address(page) + offset). That\ndifference equals bp-\u003erx_offset when data_ptr was not moved, or\nbp-\u003erx_offset + xdp_adjust when XDP adjusted the head.\n\nRe-running the failing test with this commit applied causes the test to\nrun successfully to completion.\n\nThe other rx_skb_func implementations don\u0027t have this issue.\n\nFixes: f6974b4c2d8e (\"bnxt_en: Fix page pool logic for page size \u003e\u003d 64K\")\nSigned-off-by: Joe Damato \u003cjoe@dama.to\u003e\nReviewed-by: Michael Chan \u003cmichael.chan@broadcom.com\u003e\nLink: https://patch.msgid.link/20260609204458.2237787-2-joe@dama.to\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "9bf10032894f429b3e221de63cf95a8544511a90", "tree": "b1510fc2ff89bf8281022ecbd01247f18232625c", "parents": [ "90b662ea25f5e83bb3b8ccec5b93ced810b92fb8", "2afb648f7b99216c687db1f89739c995e1144153" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 11 16:01:18 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 11 16:01:19 2026 -0700" }, "message": "Merge branch \u0027tipc-fix-netlink-gate-and-receive-path-bugs\u0027\n\nMichael Bommarito says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\ntipc: fix netlink gate and receive-path bugs\n\nThis is v4 of the public TIPC series. The only change from v3 is in\npatch 1: TIPC_NL_MEDIA_SET now uses GENL_UNS_ADMIN_PERM like the other\nmutators, instead of GENL_ADMIN_PERM, so the whole series uses the\nnamespace-aware CAP_NET_ADMIN check that matches the legacy TIPC netlink\npath. Patches 2 and 3 are unchanged.\n\nPatch 1 gives the TIPCv2 mutating generic-netlink operations the admin\ngate the legacy API already has, so a local unprivileged process can no\nlonger change TIPC state. Patch 2 drops CONN_ACK messages that\nacknowledge more outstanding sends than exist, preventing the\nsnt_unacked underflow. Patch 3 rejects peer bindings with lower \u003e upper,\nwhich would otherwise leak binding-table memory.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260610124003.3831170-1-michael.bommarito@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "2afb648f7b99216c687db1f89739c995e1144153", "tree": "b1510fc2ff89bf8281022ecbd01247f18232625c", "parents": [ "ab3e10b44ba5411779aac7afd2477917dd77750f" ], "author": { "name": "Michael Bommarito", "email": "michael.bommarito@gmail.com", "time": "Wed Jun 10 08:40:03 2026 -0400" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 11 16:01:16 2026 -0700" }, "message": "tipc: reject inverted service ranges from peer bindings\n\ntipc_update_nametbl() inserts a binding advertised by a peer node using\nthe lower and upper service-range bounds taken directly from the wire,\nwithout checking that lower \u003c\u003d upper. The local bind path validates the\nordering (tipc_uaddr_valid()), but the name-distribution path does not.\n\nA binding with lower \u003e upper is inserted at the far end of the\nservice-range rbtree (keyed on lower) where no lookup or withdrawal can\never match it (service_range_foreach_match() requires sr-\u003elower \u003c\u003d end).\nThe publication, its service_range node and the augmented rbtree entry\nare then leaked for the lifetime of the namespace, and there is no\nper-peer cap equivalent to TIPC_MAX_PUBL on locally created bindings.\n\nReject inverted ranges in the network path as well. A peer node can\notherwise leak unbounded binding-table memory by sending PUBLICATION\nitems with lower \u003e upper.\n\nFixes: 37922ea4a310 (\"tipc: permit overlapping service ranges in name table\")\nSigned-off-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nReviewed-by: Tung Nguyen \u003ctung.quang.nguyen@est.tech\u003e\nLink: https://patch.msgid.link/20260610124003.3831170-4-michael.bommarito@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "ab3e10b44ba5411779aac7afd2477917dd77750f", "tree": "517e112e86ba8c90bc8fe5e25f1e7b45f40b0d9c", "parents": [ "86b0c540e2ea397cde021eecd24145f7c16a3d4e" ], "author": { "name": "Michael Bommarito", "email": "michael.bommarito@gmail.com", "time": "Wed Jun 10 08:40:02 2026 -0400" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 11 16:01:16 2026 -0700" }, "message": "tipc: prevent snt_unacked underflow on CONN_ACK\n\ntipc_sk_conn_proto_rcv() subtracts the peer-supplied connection ack count\nfrom the unsigned 16-bit send counter snt_unacked without checking that it\ndoes not exceed the number of messages actually outstanding:\n\n\ttsk-\u003esnt_unacked -\u003d msg_conn_ack(hdr);\n\nmsg_conn_ack() is read straight from a received CONN_MANAGER/CONN_ACK\nmessage. If the ack count is larger than snt_unacked, the subtraction\nwraps to a near-maximum value, leaving tsk_conn_cong() permanently true\nand starving the connection of further transmits.\n\nValidate the ACK count at the start of the CONN_ACK block and drop the\nmessage if it acknowledges more messages than are outstanding. A peer (or,\nfor a local connection, the connected peer socket) can otherwise wedge a\nTIPC connection\u0027s send side by sending an oversized connection ack.\n\nFixes: 10724cc7bb78 (\"tipc: redesign connection-level flow control\")\nSigned-off-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nReviewed-by: Tung Nguyen \u003ctung.quang.nguyen@est.tech\u003e\nLink: https://patch.msgid.link/20260610124003.3831170-3-michael.bommarito@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "86b0c540e2ea397cde021eecd24145f7c16a3d4e", "tree": "8ad926550626de449c5ea4a4b23b93667776a1fd", "parents": [ "90b662ea25f5e83bb3b8ccec5b93ced810b92fb8" ], "author": { "name": "Michael Bommarito", "email": "michael.bommarito@gmail.com", "time": "Wed Jun 10 08:40:01 2026 -0400" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 11 16:01:16 2026 -0700" }, "message": "tipc: require net admin for TIPCv2 netlink mutators\n\nTIPCv2 registers mutating generic-netlink operations without admin\npermission flags. Generic netlink only checks CAP_NET_ADMIN when an\noperation sets GENL_ADMIN_PERM or GENL_UNS_ADMIN_PERM, so a local\nunprivileged process can currently change TIPC state through commands\nsuch as TIPC_NL_NET_SET, TIPC_NL_KEY_SET, TIPC_NL_KEY_FLUSH, and\nbearer enable/disable.\n\nThe legacy TIPC netlink API already checks netlink_net_capable(...,\nCAP_NET_ADMIN) for administrative commands. Give the TIPCv2 mutators\nthe equivalent generic-netlink gate. Use GENL_UNS_ADMIN_PERM, which\nmaps to the same namespace-aware CAP_NET_ADMIN check that\nnetlink_net_capable() performs, so the behaviour matches the legacy\npath and keeps working for CAP_NET_ADMIN holders in a non-initial user\nnamespace (containers).\n\nA QEMU/KASAN repro run as uid/gid 65534 with zero effective\ncapabilities previously succeeded in changing the network id and node\nidentity, setting and flushing key material, and enabling/disabling a\nUDP bearer. With this patch applied the same operations fail with\n-EPERM.\n\nFixes: 0655f6a8635b (\"tipc: add bearer disable/enable to new netlink api\")\nLink: https://lore.kernel.org/all/20260604163102.2658553-1-dominik.czarnota@trailofbits.com/\nSigned-off-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nReviewed-by: Tung Nguyen \u003ctung.quang.nguyen@est.tech\u003e\nLink: https://patch.msgid.link/20260610124003.3831170-2-michael.bommarito@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "90b662ea25f5e83bb3b8ccec5b93ced810b92fb8", "tree": "4e98adc2a8894348ead8f7332b5eb11572c18989", "parents": [ "37314c9dbe95b4d924c7b61aaf563cec4f4e4133" ], "author": { "name": "Victor Nogueira", "email": "victor@mojatatu.com", "time": "Wed Jun 10 10:28:24 2026 -0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 11 15:59:40 2026 -0700" }, "message": "net/sched: sch_hfsc: Don\u0027t make class passive twice\n\nupdate_vf() is called from two places for the same class during a single\ndequeue when the class\u0027s child qdisc (e.g. codel/fq_codel) drops its last\npackets while dequeuing:\n\n1. The child calls qdisc_tree_reduce_backlog(), which, now that the child\n is empty, invokes hfsc_qlen_notify() -\u003e update_vf(cl, 0, 0) and turns\n the class passive (cl_nactive is decremented up the hierarchy).\n\n2. hfsc_dequeue() then calls update_vf(cl, qdisc_pkt_len(skb), cur_time)\n to charge the dequeued bytes.\n\nOn the second call the class is already passive, but its child qdisc is\nstill empty, so update_vf() arms go_passive again:\n\n if (cl-\u003eqdisc-\u003eq.qlen \u003d\u003d 0 \u0026\u0026 cl-\u003ecl_flags \u0026 HFSC_FSC)\n go_passive \u003d 1;\n\nThe leaf is then skipped by the cl_nactive \u003d\u003d 0 check inside the loop,\nwhich does not clear go_passive, so the stale go_passive propagates to the\nparent and decrements its cl_nactive a second time. A parent that still\nhas other active children is driven to cl_nactive \u003d\u003d 0 and removed from\nthe vttree, even though those siblings are still backlogged. They are\nnever dequeued again and the qdisc stalls.\n\nFix this by only arming go_passive when the class is actually active, so an\nalready-passive class no longer triggers a second passive transition. The\nbyte accounting (cl-\u003ecl_total +\u003d len) still runs for every ancestor, so\ndequeued bytes continue to be counted exactly once.\n\nFixes: 51eb3b65544c (\"sch_hfsc: make hfsc_qlen_notify() idempotent\")\nReported-by: Anirudh Gupta \u003canirudhrudr@gmail.com\u003e\nCloses: https://lore.kernel.org/netdev/CAN2cbVe79oj0O9\u003d\u003dm4+4x3v+O+qzRagA\u003d2\u003dwkrp9i9\u003dCqYvyZA@mail.gmail.com/\nTested-by: Anirudh Gupta \u003canirudhrudr@gmail.com\u003e\nAcked-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nSigned-off-by: Victor Nogueira \u003cvictor@mojatatu.com\u003e\nLink: https://patch.msgid.link/20260610132824.3027549-1-victor@mojatatu.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "37314c9dbe95b4d924c7b61aaf563cec4f4e4133", "tree": "70fe08c52ed637b392ca63f778e991be4740cd7f", "parents": [ "1720db928e5a58ca7d75ac1d514c3b73fd7061a7" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Tue Jun 09 23:22:40 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 11 15:57:39 2026 -0700" }, "message": "net: Stop leased rxq before uninstalling its memory provider\n\nnetif_rxq_cleanup_unlease() tears down the memory provider that was\ninstalled on a physical RX queue through a netkit queue lease. It\ncurrently revokes the provider\u0027s DMA mappings before stopping the\nphysical queue:\n\n __netif_mp_uninstall_rxq(virt_rxq, p); /* DMA unmap */\n __netif_mp_close_rxq(phys_rxq-\u003edev, rxq_idx, p); /* queue stop */\n\nThis inverts the ordering used by the regular teardown paths (normal\ndevice unregister and the io_uring zcrx close path), which stop the\nqueue before revoking the provider\u0027s mappings.\n\nWith the physical queue still live, its NAPI can keep consuming\nnet_iov entries from the page_pool alloc cache after the\n__netif_mp_uninstall_rxq() has already cleared their dma_addr,\nopening a window for the device to DMA to a stale or zero address.\n\nFix it by swapping the two calls so the queue is stopped (and its\nNAPI quiesced) before the provider is uninstalled. No functional\nregression was observed across repeated runs of the nk_qlease.py\nHW selftest, which exercises the lease teardown path; this was\ntested against fbnic QEMU emulation.\n\nFixes: 5602ad61ebee (\"net: Proxy netif_mp_{open,close}_rxq for leased queues\")\nReported-by: Ahmed Abdelmoemen \u003cahmedabdelmoumen05@gmail.com\u003e\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nCc: David Wei \u003cdw@davidwei.uk\u003e\nReviewed-by: Bobby Eshleman \u003cbobbyeshleman@meta.com\u003e\nReviewed-by: Nikolay Aleksandrov \u003crazor@blackwall.org\u003e\nLink: https://patch.msgid.link/20260609212240.677889-1-daniel@iogearbox.net\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "1720db928e5a58ca7d75ac1d514c3b73fd7061a7", "tree": "c314093aeb24c0793b502d49e02ce00e765d806a", "parents": [ "24041543da8cd84eb5d8ae738c534372fff54820" ], "author": { "name": "Yizhou Zhao", "email": "zhaoyz24@mails.tsinghua.edu.cn", "time": "Tue Jun 09 16:00:52 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 11 15:27:07 2026 -0700" }, "message": "6lowpan: fix NHC entry use-after-free on error path\n\nlowpan_nhc_do_uncompression() looks up an NHC descriptor while holding\nlowpan_nhc_lock. If the descriptor has no uncompress callback, the error\npath drops the lock before printing nhc-\u003ename.\n\nlowpan_nhc_del() removes descriptors under the same lock and then relies\non synchronize_net() before the owning module can be unloaded. That only\nwaits for net RX RCU readers. lowpan_header_decompress() is also exported\nand can be reached from callers that are not necessarily covered by the net\ncore RX critical section, for example the Bluetooth 6LoWPAN L2CAP receive\npath.\n\nThis leaves a race where one task drops lowpan_nhc_lock in the error path,\nanother task unregisters and frees the matching descriptor after\nsynchronize_net() returns, and the first task then dereferences nhc-\u003ename\nfor the warning.\n\nWith the post-unlock window widened, KASAN reports:\n\n BUG: KASAN: slab-use-after-free in lowpan_nhc_do_uncompression+0x1f4/0x220\n Read of size 8\n lowpan_nhc_do_uncompression\n lowpan_header_decompress\n\nFix this by printing the warning before dropping lowpan_nhc_lock, so the\ndescriptor name is read while unregister is still excluded. The malformed\npacket is still rejected with -ENOTSUPP.\n\nFixes: 92aa7c65d295 (\"6lowpan: add generic nhc layer interface\")\nCc: stable@vger.kernel.org\nReported-by: Yizhou Zhao \u003czhaoyz24@mails.tsinghua.edu.cn\u003e\nReported-by: Yuxiang Yang \u003cyangyx22@mails.tsinghua.edu.cn\u003e\nReported-by: Ao Wang \u003cwangao@seu.edu.cn\u003e\nReported-by: Xuewei Feng \u003cfengxw06@126.com\u003e\nReported-by: Qi Li \u003cqli01@tsinghua.edu.cn\u003e\nReported-by: Ke Xu \u003cxuke@tsinghua.edu.cn\u003e\nSigned-off-by: Yizhou Zhao \u003czhaoyz24@mails.tsinghua.edu.cn\u003e\nAcked-by: Alexander Aring \u003caahringo@redhat.com\u003e\nLink: https://patch.msgid.link/20260609080054.4541-1-zhaoyz24@mails.tsinghua.edu.cn\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "24041543da8cd84eb5d8ae738c534372fff54820", "tree": "2894a701fbacaf5303d160817657d4b713bd57a3", "parents": [ "e9361d0ca55c4af12aac09e2572852fa91046229" ], "author": { "name": "Samuel Moelius", "email": "sam.moelius@trailofbits.com", "time": "Tue Jun 09 23:22:45 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 11 15:19:17 2026 -0700" }, "message": "net: pfcp: allocate per-cpu tstats for PFCP netdevs\n\nPFCP uses dev_get_tstats64() as its ndo_get_stats64 callback, but\npfcp_link_setup() does not request NETDEV_PCPU_STAT_TSTATS. The net\ncore therefore leaves dev-\u003etstats NULL for PFCP devices.\n\nCreating a PFCP rtnetlink device can immediately ask the new netdev for\nstats while building the RTM_NEWLINK notification. That reaches\ndev_get_tstats64() and dereferences the NULL dev-\u003etstats pointer.\n\nSet pcpu_stat_type to NETDEV_PCPU_STAT_TSTATS during PFCP link setup so\nthe net core allocates the storage expected by dev_get_tstats64().\n\nFixes: 76c8764ef36a (\"pfcp: add PFCP module\")\nSigned-off-by: Samuel Moelius \u003csam.moelius@trailofbits.com\u003e\nReviewed-by: Alexander Lobakin \u003caleksander.lobakin@intel.com\u003e\nLink: https://patch.msgid.link/20260609232244.1602027.c569f6c530f6.pfcp-missing-tstats-link-create-oops@trailofbits.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "e9361d0ca55c4af12aac09e2572852fa91046229", "tree": "858a3e36e65954f8dffd96639b1ef6b30e8d2042", "parents": [ "f3e02edd8322b31b8e6517faa6ba053bf29d1e26" ], "author": { "name": "Xin Long", "email": "lucien.xin@gmail.com", "time": "Tue Jun 09 18:14:28 2026 -0400" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 11 15:18:08 2026 -0700" }, "message": "sctp: validate embedded address parameter length\n\nsctp_verify_asconf() and sctp_verify_param() only validate ADD_IP, DEL_IP,\nand SET_PRIMARY parameters against a fixed minimum size of sizeof(struct\nsctp_addip_param) + sizeof(struct sctp_paramhdr). This ensures the outer\nparameter is large enough to contain an embedded address parameter header,\nbut does not verify that the embedded address parameter\u0027s declared length\nfits within the bounds of the outer parameter.\n\nLater, sctp_process_param() and sctp_process_asconf_param() extract the\nembedded address parameter and pass it to af-\u003efrom_addr_param(), which uses\nthe address parameter length to parse the variable-length address payload.\nA malformed peer can therefore advertise an embedded address parameter\nlength that exceeds the remaining bytes in the enclosing parameter.\n\nValidate that addr_param-\u003ep.length does not exceed the space available\nafter the sctp_addip_param header before processing the embedded address\nparameter. Reject malformed parameters when the embedded address length\nextends beyond the enclosing parameter bounds.\n\nThis prevents out-of-bounds reads when parsing malformed parameters carried\nin INIT or ASCONF processing paths.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nReported-by: sashiko \u003csashiko-bot@kernel.org\u003e\nSigned-off-by: Xin Long \u003clucien.xin@gmail.com\u003e\nLink: https://patch.msgid.link/7838b86b69f52add28808fb59034c8f992e97b2d.1781043268.git.lucien.xin@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "f3e02edd8322b31b8e6517faa6ba053bf29d1e26", "tree": "37adcb320a808d270ce3f9321660f8f3d37a2874", "parents": [ "c33da0eeca927add8045e16015ace1ec66a297a5" ], "author": { "name": "Xiang Mei", "email": "xmei5@asu.edu", "time": "Mon Jun 08 23:51:16 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 11 15:16:12 2026 -0700" }, "message": "bridge: cfm: reject invalid CCM interval at configuration time\n\nccm_tx_work_expired() re-arms itself via queue_delayed_work() using\nthe configured exp_interval converted by interval_to_us(). When\nexp_interval is BR_CFM_CCM_INTERVAL_NONE or out of range,\ninterval_to_us() returns 0, causing the worker to fire immediately in\na tight loop that allocates skbs until OOM.\n\nFix this by validating exp_interval at configuration time:\n\n - Constrain IFLA_BRIDGE_CFM_CC_CONFIG_EXP_INTERVAL to the valid range\n [BR_CFM_CCM_INTERVAL_3_3_MS, BR_CFM_CCM_INTERVAL_10_MIN] in the\n netlink policy so userspace cannot set an invalid value.\n\n - Reject starting CCM TX in br_cfm_cc_ccm_tx() when exp_interval has\n not yet been configured (defaults to 0 from kzalloc).\n\nFixes: 2be665c3940d (\"bridge: cfm: Netlink SET configuration Interface.\")\nReported-by: Weiming Shi \u003cbestswngs@gmail.com\u003e\nSigned-off-by: Xiang Mei \u003cxmei5@asu.edu\u003e\nAcked-by: Nikolay Aleksandrov \u003crazor@blackwall.org\u003e\nReviewed-by: Ido Schimmel \u003cidosch@nvidia.com\u003e\nLink: https://patch.msgid.link/20260609065116.2818837-1-xmei5@asu.edu\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "c33da0eeca927add8045e16015ace1ec66a297a5", "tree": "68e9ded362f704151cbdb8eb43b68cfb78a7eff8", "parents": [ "f294fc71c4a0fa4964f6428a1b4e7929c1d83125", "2821e85c058f81c9948a2fb1a634f7b47457d51c" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 11 15:14:04 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 11 15:14:05 2026 -0700" }, "message": "Merge branch \u0027net-fib-fix-two-use-after-free-in-drivers-during-rcu-dump\u0027\n\nKuniyuki Iwashima says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnet: fib: Fix two use-after-free in drivers during RCU dump.\n\nsyzbot reported fib_info UAF in netdevsim, and the same bug\nexists in rocker and mlxsw.\n\nPatch 1 fixes it, and Patch 2 fixes the same type of bug of\nfib_rule.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260610061744.2030996-1-kuniyu@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "2821e85c058f81c9948a2fb1a634f7b47457d51c", "tree": "68e9ded362f704151cbdb8eb43b68cfb78a7eff8", "parents": [ "06b693d2eb6651a63ad85bad8673de3b7d4edd6d" ], "author": { "name": "Kuniyuki Iwashima", "email": "kuniyu@google.com", "time": "Wed Jun 10 06:17:19 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 11 15:14:03 2026 -0700" }, "message": "net: fib_rules: Don\u0027t dump dying fib_rule in fib_rules_dump().\n\nrocker_router_fib_event() calls fib_rule_get() during RCU dump.\n\nIf the fib_rule is dying, refcount_inc() will complain about it.\n\nLet\u0027s call refcount_inc_not_zero() in fib_rules_dump().\n\nFixes: 5d7bfd141924 (\"ipv4: fib_rules: Dump FIB rules when registering FIB notifier\")\nSigned-off-by: Kuniyuki Iwashima \u003ckuniyu@google.com\u003e\nReviewed-by: Ido Schimmel \u003cidosch@nvidia.com\u003e\nReviewed-by: David Ahern \u003cdsahern@kernel.org\u003e\nLink: https://patch.msgid.link/20260610061744.2030996-3-kuniyu@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "06b693d2eb6651a63ad85bad8673de3b7d4edd6d", "tree": "8169897fd8d173166101c32d6c2667e39a2ed5bc", "parents": [ "f294fc71c4a0fa4964f6428a1b4e7929c1d83125" ], "author": { "name": "Kuniyuki Iwashima", "email": "kuniyu@google.com", "time": "Wed Jun 10 06:17:18 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 11 15:14:03 2026 -0700" }, "message": "ipv4: fib: Don\u0027t dump dying fib_info in fib_leaf_notify().\n\nsyzbot reported use-after-free in nsim_fib4_prepare_event(). [0]\n\nThe problem is that the following functions call fib_info_hold() /\nrefcount_inc() while dumping fib_info under RCU, which is unsafe.\n\n * mlxsw_sp_router_fib4_event()\n * rocker_router_fib_event()\n * nsim_fib4_prepare_event()\n\nrefcount_inc_not_zero() must be used, but it would be too late\nthere.\n\nLet\u0027s guarantee the lifetime of fib_info in fib_leaf_notify().\n\nNote that IPv6 does not need the corresponding change since\nfib6_table_dump() holds fib6_table.tb6_lock.\n\n[0]:\nrefcount_t: addition on 0; use-after-free.\nWARNING: lib/refcount.c:25 at refcount_warn_saturate+0x9f/0x110 lib/refcount.c:25, CPU#0: kworker/u8:15/3420\nModules linked in:\nCPU: 0 UID: 0 PID: 3420 Comm: kworker/u8:15 Not tainted syzkaller #0 PREEMPT_{RT,(full)}\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026\nWorkqueue: netns cleanup_net\nRIP: 0010:refcount_warn_saturate+0x9f/0x110 lib/refcount.c:25\nCode: eb 66 85 db 74 3e 83 fb 01 75 4c e8 1b f1 22 fd 48 8d 3d 84 cb f1 0a 67 48 0f b9 3a eb 4a e8 08 f1 22 fd 48 8d 3d 81 cb f1 0a \u003c67\u003e 48 0f b9 3a eb 37 e8 f5 f0 22 fd 48 8d 3d 7e cb f1 0a 67 48 0f\nRSP: 0018:ffffc9000f2c7270 EFLAGS: 00010293\nRAX: ffffffff84a18858 RBX: 0000000000000002 RCX: ffff888032ff9ec0\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8f9353e0\nRBP: 0000000000000000 R08: ffff888032ff9ec0 R09: 0000000000000005\nR10: 0000000000000100 R11: 0000000000000004 R12: ffff8880570cc000\nR13: dffffc0000000000 R14: ffff88802b40563c R15: ffff8880570cc000\nFS: 0000000000000000(0000) GS:ffff888126173000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fb1f4d5d000 CR3: 000000006072a000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n __refcount_add include/linux/refcount.h:-1 [inline]\n __refcount_inc include/linux/refcount.h:366 [inline]\n refcount_inc include/linux/refcount.h:383 [inline]\n fib_info_hold include/net/ip_fib.h:629 [inline]\n nsim_fib4_prepare_event drivers/net/netdevsim/fib.c:930 [inline]\n nsim_fib_event_schedule_work drivers/net/netdevsim/fib.c:1000 [inline]\n nsim_fib_event_nb+0x1055/0x1240 drivers/net/netdevsim/fib.c:1043\n call_fib_notifier+0x45/0x80 net/core/fib_notifier.c:25\n call_fib_entry_notifier net/ipv4/fib_trie.c:90 [inline]\n fib_leaf_notify net/ipv4/fib_trie.c:2176 [inline]\n fib_table_notify net/ipv4/fib_trie.c:2194 [inline]\n fib_notify+0x36b/0x5e0 net/ipv4/fib_trie.c:2217\n fib_net_dump net/core/fib_notifier.c:70 [inline]\n register_fib_notifier+0x184/0x360 net/core/fib_notifier.c:108\n nsim_fib_create+0x85d/0x9f0 drivers/net/netdevsim/fib.c:1596\n nsim_dev_reload_create drivers/net/netdevsim/dev.c:1604 [inline]\n nsim_dev_reload_up+0x374/0x7c0 drivers/net/netdevsim/dev.c:1058\n devlink_reload+0x501/0x8d0 net/devlink/dev.c:475\n devlink_pernet_pre_exit+0x1ff/0x420 net/devlink/core.c:558\n ops_pre_exit_list net/core/net_namespace.c:161 [inline]\n ops_undo_list+0x187/0x940 net/core/net_namespace.c:234\n cleanup_net+0x56e/0x800 net/core/net_namespace.c:702\n process_one_work kernel/workqueue.c:3314 [inline]\n process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397\n worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478\n kthread+0x388/0x470 kernel/kthread.c:436\n ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nFixes: 0ae3eb7b4611 (\"netdevsim: fib: Perform the route programming in a non-atomic context\")\nFixes: c3852ef7f2f8 (\"ipv4: fib: Replay events when registering FIB notifier\")\nReported-by: syzbot+cb2aa2390ac024e25f5c@syzkaller.appspotmail.com\nCloses: https://lore.kernel.org/netdev/6a290011.39669fcc.33b062.00b1.GAE@google.com/\nSigned-off-by: Kuniyuki Iwashima \u003ckuniyu@google.com\u003e\nReviewed-by: Ido Schimmel \u003cidosch@nvidia.com\u003e\nReviewed-by: David Ahern \u003cdsahern@kernel.org\u003e\nLink: https://patch.msgid.link/20260610061744.2030996-2-kuniyu@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "f294fc71c4a0fa4964f6428a1b4e7929c1d83125", "tree": "968982d191fcdd9649ced35fa613e7c981af777a", "parents": [ "0b7b378ce6cafbb948786cb6f17f406d94016c8c" ], "author": { "name": "Jamal Hadi Salim", "email": "jhs@mojatatu.com", "time": "Wed Jun 10 06:18:39 2026 -0400" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 11 15:04:56 2026 -0700" }, "message": "net/sched: cls_flow: Dont expose folded kernel pointers\n\nThe flow classifier falls back to addr_fold() for fields that are missing\nfrom packet headers. In map mode, userspace controls mask, xor, rshift,\naddend and divisor, and can observe the resulting classid through class\nstatistics. This allows a tc classifier in a user/network namespace to\nrecover the 32-bit folded value of skb-\u003esk, skb_dst() or skb_nfct().\n\nAlign with standard kernel practices for pointer hashing and replace the\nXOR folding with a keyed siphash (which is cryptographically secure)\n\nFixes: e5dfb815181f (\"[NET_SCHED]: Add flow classifier\")\nReported-by: Kyle Zeng \u003ckylebot@openai.com\u003e\nTested-by: Kyle Zeng \u003ckylebot@openai.com\u003e\nTested-by: Victor Nogueira \u003cvictor@mojatatu.com\u003e\nSigned-off-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nReviewed-by: Eric Dumazet \u003cedumazet@google.com\u003e\nLink: https://patch.msgid.link/20260610101839.14135-1-jhs@mojatatu.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "0b7b378ce6cafbb948786cb6f17f406d94016c8c", "tree": "ab3c11719245d050c91012e7a2c65af5926373d8", "parents": [ "22e2036479cb77df6281ebbd376ae6c330774790" ], "author": { "name": "George Moussalem", "email": "george.moussalem@outlook.com", "time": "Mon Jun 08 11:22:08 2026 +0400" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 11 15:02:52 2026 -0700" }, "message": "net: dsa: qca8k: fix led devicename when using external mdio bus\n\nThe qca8k dsa switch can use either an external or internal mdio bus.\nThis depends on whether the mdio node is defined under the switch node\nitself. Upon registering the internal mdio bus, the internal_mdio_bus\nof the dsa switch is assigned to this bus. When an external mdio bus is\nused, the driver still uses the internal_mdio_bus id which is used to\ncreate the device names of the leds.\nThis leads to the leds being prefixed with \u0027(efault)\u0027 as the\ninternal_mii_bus is null. So let\u0027s fix this by adding a null check and\nuse the devicename of the external bus instead when an external bus is\nconfigured.\n\nFixes: 1e264f9d2918 (\"net: dsa: qca8k: add LEDs basic support\")\nSigned-off-by: George Moussalem \u003cgeorge.moussalem@outlook.com\u003e\nReviewed-by: Andrew Lunn \u003candrew@lunn.ch\u003e\nLink: https://patch.msgid.link/20260608-qca8k-leds-fix-v3-1-a915bb2f37ae@outlook.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "22e2036479cb77df6281ebbd376ae6c330774790", "tree": "d872b0d89bf987fe6abf5897d6034baea0b5608f", "parents": [ "79f2670da86722d075633d20fa57418994ee6940", "7360b96099806396f4ce15233f6dddcb69248d34" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jun 11 10:17:49 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jun 11 10:17:49 2026 -0700" }, "message": "Merge tag \u0027net-7.1-rc8\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net\n\nPull networking fixes from Paolo Abeni:\n \"Including fixes from IPsec and netfilter.\n\n This is relatively small, mostly because we are a bit behind our PW\n queue. I\u0027m not aware of any pending regression.\n\n Current release - regressions:\n\n - netfilter: nf_tables_offload: drop device refcount on error\n\n Previous releases - regressions:\n\n - core: add pskb_may_pull() to skb_gro_receive_list()\n\n - xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags()\n\n - ipv6: fix a potential NPD in cleanup_prefix_route()\n\n - ipv4: fix use-after-free caused by the fqdir_pre_exit() flush\n\n - eth:\n - bnxt_en: fix NULL pointer dereference\n - emac: fix use-after-free during device removal\n - octeontx2-af: fix memory leak in rvu_setup_hw_resources()\n - tun: zero the whole vnet header in tun_put_user()\n - sit: reload inner IPv6 header after GSO offloads\n\n Previous releases - always broken:\n\n - core: fix double-free in netdev_nl_bind_rx_doit()\n\n - netfilter: nf_log: validate MAC header was set before dumping it\n\n - xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state()\n\n - tcp: restrict SO_ATTACH_FILTER to priv users\n\n - mctp: usb: fix race between urb completion and rx_retry\n cancellation\n\n - eth:\n - mlx5: fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list\n - mvpp2: sync RX data at the hardware packet offset\"\n\n* tag \u0027net-7.1-rc8\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (64 commits)\n octeontx2-af: fix IP fragment flag corruption on custom KPU profile load\n ipv6: Fix a potential NPD in cleanup_prefix_route()\n net: txgbe: initialize PHY interface to 0\n net: txgbe: distinguish module types by checking identifier\n net: txgbe: initialize module info buffer\n net: mvpp2: build skb from XDP-adjusted data on XDP_PASS\n net: mvpp2: refill RX buffers before XDP or skb use\n net: mvpp2: limit XDP frame size to the RX buffer\n net: mvpp2: sync RX data at the hardware packet offset\n netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register\n netfilter: nft_fib: fix stale stack leak via the OIFNAME register\n netfilter: nft_exthdr: fix register tracking for F_PRESENT flag\n netfilter: nf_log: validate MAC header was set before dumping it\n netfilter: x_tables: avoid leaking percpu counter pointers\n netfilter: nf_conntrack: destroy stale expectfn expectations on unregister\n netfilter: nf_tables_offload: drop device refcount on error\n netfilter: revalidate bridge ports\n rds: mark snapshot pages dirty in rds_info_getsockopt()\n ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()\n ptp: ocp: fix resource freeing order\n ...\n" }, { "commit": "79f2670da86722d075633d20fa57418994ee6940", "tree": "0d2f43a8115f545204ab0fb32e800718516f4bab", "parents": [ "6e9e0dfc7f2e34627a4280b8e168479018d95732", "fba0510cd62666951dcc0221527edc0c47ae6599" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jun 11 09:54:51 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jun 11 09:54:51 2026 -0700" }, "message": "Merge tag \u0027pmdomain-v7.1-rc3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm\n\nPull pmdomain fixes from Ulf Hansson:\n\n - imx: Fix OF node refcount\n\n - ti: Fix wakeup configuration for parent devices of wakeup sources\n\n* tag \u0027pmdomain-v7.1-rc3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm:\n pmdomain: imx: fix OF node refcount\n pmdomain: ti_sci: add wakeup constraint to parent devices of wakeup source\n" }, { "commit": "6e9e0dfc7f2e34627a4280b8e168479018d95732", "tree": "ea9e9c32d46105105c8aff10deab06aa3f7cfda0", "parents": [ "9716c086c8e8b141d35aa61f2e96a2e83de212a7", "a23226b7c1f69eafd9ced4e037fb51c9758c0501" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jun 11 09:15:57 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jun 11 09:15:57 2026 -0700" }, "message": "Merge tag \u0027gpio-fixes-for-v7.1\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux\n\nPull gpio fixes from Bartosz Golaszewski:\n\n - fix NULL pointer dereference in gpio-mvebu\n\n - fix runtime PM leak in remove path in gpio-zynq\n\n - reject invalid module params in gpio-mockup\n\n - fix generic IRQ chip leak in remove parh in gpio-rockchip\n\n - fix resource leaks in GPIO chip cleanup path on hog failure\n\n - fix a regression in how GPIO hogging code handles multiple GPIO chips\n reusing the same OF node\n\n* tag \u0027gpio-fixes-for-v7.1\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:\n gpiolib: handle gpio-hogs only once\n gpio: fix cleanup path on hog failure\n gpio: rockchip: fix generic IRQ chip leak on remove\n gpio: mockup: reject invalid gpio_mockup_ranges widths\n gpio: zynq: fix runtime PM leak on remove\n gpio: mvebu: fix NULL pointer dereference in suspend/resume\n" }, { "commit": "7360b96099806396f4ce15233f6dddcb69248d34", "tree": "0d26fe1f8292949f5da3727d3500f37b5f22046f", "parents": [ "64ced6c0882756db52cbedf50bc66338de4a4045" ], "author": { "name": "Kiran Kumar K", "email": "kirankumark@marvell.com", "time": "Mon Jun 08 15:24:55 2026 +0530" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 11 12:59:34 2026 +0200" }, "message": "octeontx2-af: fix IP fragment flag corruption on custom KPU profile load\n\nnpc_cn20k_apply_custom_kpu() overwrites KPU profile entries with custom\nfirmware values and then calls npc_cn20k_update_action_entries_n_flags()\nover all entries. Since the same function already ran during default\nprofile initialisation, entries not overridden by the custom firmware\nget their flags translated twice, corrupting the CN20K-specific values.\n\nFix this by extracting the per-entry translation into a helper\nnpc_cn20k_translate_action_flags() and calling it as each custom entry\nis loaded, removing the redundant batch call at the end.\n\nFixes: ef992a0f12e8 (\"octeontx2-af: npc: cn20k: MKEX profile support\")\nCc: Suman Ghosh \u003csumang@marvell.com\u003e\nSigned-off-by: Kiran Kumar K \u003ckirankumark@marvell.com\u003e\nSigned-off-by: Nitin Shetty J \u003cnshettyj@marvell.com\u003e\nReviewed-by: Simon Horman \u003chorms@kernel.org\u003e\nLink: https://patch.msgid.link/20260608095455.1499203-1-nshettyj@marvell.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "64ced6c0882756db52cbedf50bc66338de4a4045", "tree": "e367659ac44fc0518a60896bec81e60840fa6755", "parents": [ "29899ec61ac6fcc9d46f5f8d0b72117d9a676c2e", "c7d573551f9286100a055ef696cde6af54549677" ], "author": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 11 12:29:59 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 11 12:30:00 2026 +0200" }, "message": "Merge tag \u0027nf-26-06-10\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf\n\nPablo Neira Ayuso says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nNetfilter fixes for net\n\nThe following patchset contains Netfilter fixes for net:\n\n1) Revalidate bridge ports, add missing NULL checks to fetch the bridge\n device by the port. From Florian Westphal.\n\n2) Fix netdevice refcount leak in the error path of nft_fwd hardware\n offload function, also from Florian.\n\n3) Unregister helper expectfn callback on conntrack helper module\n removal, otherwise dangling pointer remains in place,\n from Weiming Shi.\n\n4) Fix possible pointer infoleak in getsockopt() IPT_SO_GET_ENTRIES,\n From Kyle Zeng.\n\n5) Validate that device MAC header is present before nf_syslog\n accesses it. From Xiang Mei.\n\n6-8) Three patches to address a possible infoleak of stale stack\n data in three nf_tables expressions, due to mismatch in the\n _init() and _eval() function which is possible since 14fb07130c7d.\n From Davide Ornaghi and Florian Westphal.\n\nnetfilter pull request 26-06-10\n\n* tag \u0027nf-26-06-10\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:\n netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register\n netfilter: nft_fib: fix stale stack leak via the OIFNAME register\n netfilter: nft_exthdr: fix register tracking for F_PRESENT flag\n netfilter: nf_log: validate MAC header was set before dumping it\n netfilter: x_tables: avoid leaking percpu counter pointers\n netfilter: nf_conntrack: destroy stale expectfn expectations on unregister\n netfilter: nf_tables_offload: drop device refcount on error\n netfilter: revalidate bridge ports\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260610161629.214092-1-pablo@netfilter.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "29899ec61ac6fcc9d46f5f8d0b72117d9a676c2e", "tree": "ab82359e5c0d7089f7fceaa8a065b7736927e3b1", "parents": [ "b70c687b7cf267fb08586667a3946c8851cad672", "26aad08a928901296aabfbc7a33ecb951656bb98" ], "author": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 11 12:00:49 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 11 12:00:49 2026 +0200" }, "message": "Merge tag \u0027ipsec-2026-06-10\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec\n\nSteffen Klassert says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\npull request (net): ipsec 2026-06-10\n\n1) xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags()\n Propagate SKBFL_SHARED_FRAG when paged fragments are moved between\n skbs so ESP can decide whether in-place crypto is safe.\n\n2) xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload\n Replace the unlocked read of xtfs-\u003era_newskb with a local flag so a\n concurrent reassembly can no longer free first_skb between\n spin_unlock and the post-loop check.\n\n3) xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()\n Prune the inexact bin under xfrm_policy_lock so a concurrent\n xfrm_hash_rebuild() can no longer free it before xfrm_policy_kill()\n dereferences it.\n\n4) xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state()\n Move hrtimer_cancel() for the output and drop timers ahead of their\n spinlocks, breaking the softirq/lock cycle that could deadlock\n against the timer callbacks on SMP.\n\n5) xfrm: espintcp: do not reuse an in-progress partial send\n Fail a new send when espintcp_push_msgs() returns with emsg-\u003elen\n still set, so a blocking caller can no longer overwrite ctx-\u003epartial\n while a previous transfer still owns it.\n\n6) esp: fix page frag reference leak on skb_to_sgvec failure\n Add a flag to esp_ssg_unref() to unconditionally unref the source\n scatterlist, releasing the old page references that are otherwise\n leaked when the second skb_to_sgvec() in esp_output_tail() fails.\n\nPlease pull or let me know if there are problems.\n\nipsec-2026-06-10\n\n* tag \u0027ipsec-2026-06-10\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:\n esp: fix page frag reference leak on skb_to_sgvec failure\n xfrm: espintcp: do not reuse an in-progress partial send\n xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state()\n xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()\n xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload\n xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags()\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260610140800.2562818-1-steffen.klassert@secunet.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "b70c687b7cf267fb08586667a3946c8851cad672", "tree": "39c7bed2d853db117c8467e216891b644ea9ee62", "parents": [ "0068940907d33217ae01217f84910a5cde606c17" ], "author": { "name": "Ido Schimmel", "email": "idosch@nvidia.com", "time": "Tue Jun 09 17:54:48 2026 +0300" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 11 11:57:11 2026 +0200" }, "message": "ipv6: Fix a potential NPD in cleanup_prefix_route()\n\naddrconf_get_prefix_route() can return the fib6_null_entry sentinel\nentry which has a NULL fib6_table pointer. Therefore, before setting the\nroute\u0027s expiration time, check that we are not working with this entry,\nas otherwise a NPD will be triggered [1].\n\nNote that the other callers of addrconf_get_prefix_route() are not\nsusceptible to this bug:\n\n1. addrconf_prefix_rcv(): Requests a route with the \u0027RTF_ADDRCONF |\n RTF_PREFIX_RT\u0027 flags which are not set on fib6_null_entry.\n\n2. modify_prefix_route(): Fixed by commit a747e02430df (\"ipv6: avoid\n possible NULL deref in modify_prefix_route()\").\n\n3. __ipv6_ifa_notify(): Calls ip6_del_rt() which specifically checks for\n fib6_null_entry and returns an error.\n\n[1]\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\n[...]\nCall Trace:\n\u003cTASK\u003e\n__kasan_check_byte (mm/kasan/common.c:573)\nlock_acquire.part.0 (kernel/locking/lockdep.c:5842 (discriminator 1))\n_raw_spin_lock_bh (kernel/locking/spinlock.c:182 (discriminator 1))\ncleanup_prefix_route (net/ipv6/addrconf.c:1280)\nipv6_del_addr (net/ipv6/addrconf.c:1342)\ninet6_addr_del.isra.0 (net/ipv6/addrconf.c:3119)\ninet6_rtm_deladdr (net/ipv6/addrconf.c:4812)\nrtnetlink_rcv_msg (net/core/rtnetlink.c:6997)\nnetlink_rcv_skb (net/netlink/af_netlink.c:2555)\nnetlink_unicast (net/netlink/af_netlink.c:1344)\nnetlink_sendmsg (net/netlink/af_netlink.c:1899)\n__sock_sendmsg (net/socket.c:802 (discriminator 4))\n____sys_sendmsg (net/socket.c:2698)\n___sys_sendmsg (net/socket.c:2752)\n__sys_sendmsg (net/socket.c:2784)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)\n\nFixes: 5eb902b8e719 (\"net/ipv6: Remove expired routes with a separated list of routes.\")\nReported-by: Ji\u0027an Zhou \u003ceilaimemedsnaimel@gmail.com\u003e\nReviewed-by: David Ahern \u003cdahern@nvidia.com\u003e\nSigned-off-by: Ido Schimmel \u003cidosch@nvidia.com\u003e\nLink: https://patch.msgid.link/20260609145448.768318-1-idosch@nvidia.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "0068940907d33217ae01217f84910a5cde606c17", "tree": "aa2ce14e471e9d7d586d306e7e1cad4466719489", "parents": [ "b59873c9c40d0cbc16df86cf6cb5430330a0ac74", "47f848aac4e79bdb197f849fa86e71fff1ad36ef" ], "author": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 11 10:55:15 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 11 10:55:16 2026 +0200" }, "message": "Merge branch \u0027net-txgbe-fix-module-identification\u0027\n\nJiawen Wu says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnet: txgbe: fix module identification\n\nFor AML devices, there are some issues where the wrong module\nindentified then configure PHY failed.\n\nThe module info buffers should be initialized to 0 before the firmware\nreturns information. And DECLARE_PHY_INTERFACE_MASK() does not guarantee\nzeroed contents, so explicitly clear the temporary interface masks before\nsetting supported interfaces.\n\nRework txgbe_identify_module() to validate module identifiers through\nexplicit type checks instead of relying on transceiver_type heuristics.\nWhen using the SFP module, transceiver_type could be a random value,\nbecause it was read from an invalid register.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260608070842.36504-1-jiawenwu@trustnetic.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "47f848aac4e79bdb197f849fa86e71fff1ad36ef", "tree": "aa2ce14e471e9d7d586d306e7e1cad4466719489", "parents": [ "f2df54ddbfb04a006ee326a5d8270434a414e0af" ], "author": { "name": "Jiawen Wu", "email": "jiawenwu@trustnetic.com", "time": "Mon Jun 08 15:08:42 2026 +0800" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 11 10:55:14 2026 +0200" }, "message": "net: txgbe: initialize PHY interface to 0\n\nDECLARE_PHY_INTERFACE_MASK() does not guarantee zeroed contents. Add a\nnew macro DECLARE_PHY_INTERFACE_MASK_ZERO(), make the stack variable to\nbe zeroed before setting supported interfaces.\n\nFixes: 57d39faed4c9 (\"net: txgbe: improve functions of AML 40G devices\")\nSigned-off-by: Jiawen Wu \u003cjiawenwu@trustnetic.com\u003e\nLink: https://patch.msgid.link/20260608070842.36504-4-jiawenwu@trustnetic.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "f2df54ddbfb04a006ee326a5d8270434a414e0af", "tree": "c324685962425d4260e8e82d6284466bf54d671f", "parents": [ "0487cfca46517ff6699c72dc1a8872b0af3c31a9" ], "author": { "name": "Jiawen Wu", "email": "jiawenwu@trustnetic.com", "time": "Mon Jun 08 15:08:41 2026 +0800" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 11 10:55:14 2026 +0200" }, "message": "net: txgbe: distinguish module types by checking identifier\n\nRework txgbe_identify_module() to validate module identifiers through\nexplicit type checks instead of relying on transceiver_type heuristics.\nWhen using the SFP module, transceiver_type could be a random value,\nbecause it was read from an invalid register.\n\nFixes: 57d39faed4c9 (\"net: txgbe: improve functions of AML 40G devices\")\nSigned-off-by: Jiawen Wu \u003cjiawenwu@trustnetic.com\u003e\nLink: https://patch.msgid.link/20260608070842.36504-3-jiawenwu@trustnetic.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "0487cfca46517ff6699c72dc1a8872b0af3c31a9", "tree": "d6b994cf0f085cd66054d5fd0265b8c54bd4c7b5", "parents": [ "b59873c9c40d0cbc16df86cf6cb5430330a0ac74" ], "author": { "name": "Jiawen Wu", "email": "jiawenwu@trustnetic.com", "time": "Mon Jun 08 15:08:40 2026 +0800" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 11 10:55:14 2026 +0200" }, "message": "net: txgbe: initialize module info buffer\n\nThe module info buffer should be initialized to 0 before the firmware\nreturns information. Otherwise, there is a risk that the buffer field\nnot filled by the firmware is random value.\n\nFixes: 343929799ace (\"net: txgbe: Support to handle GPIO IRQs for AML devices\")\nSigned-off-by: Jiawen Wu \u003cjiawenwu@trustnetic.com\u003e\nLink: https://patch.msgid.link/20260608070842.36504-2-jiawenwu@trustnetic.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "b59873c9c40d0cbc16df86cf6cb5430330a0ac74", "tree": "b0eb340983a1a9528d273b170e237255f038c236", "parents": [ "512db8267b73a220a64180d95ab5eebe7c4964a8", "77a6b90ce56bc982dcfa94229b8e28e6abb16e95" ], "author": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 11 09:57:33 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 11 09:57:33 2026 +0200" }, "message": "Merge branch \u0027net-mvpp2-fix-xdp-rx-buffer-handling\u0027\n\nTil Kaiser says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnet: mvpp2: fix XDP RX buffer handling\n\nThis is v5 of the earlier XDP_PASS fix. The XDP_PASS change is\nretained, and the series also fixes related RX/XDP buffer handling\nissues found during review.\n\nTested with tools/testing/selftests/drivers/net/xdp.py on mvpp2\nhardware.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260607134943.21996-1-mail@tk154.de\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "77a6b90ce56bc982dcfa94229b8e28e6abb16e95", "tree": "b0eb340983a1a9528d273b170e237255f038c236", "parents": [ "5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6" ], "author": { "name": "Til Kaiser", "email": "mail@tk154.de", "time": "Sun Jun 07 15:49:43 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 11 09:57:31 2026 +0200" }, "message": "net: mvpp2: build skb from XDP-adjusted data on XDP_PASS\n\nWhen an XDP program uses bpf_xdp_adjust_head() or bpf_xdp_adjust_tail()\nand then returns XDP_PASS, mvpp2 still builds the skb from fixed offsets\nderived from the original RX descriptor. Packet geometry changes made by\nthe XDP program are therefore discarded before the skb reaches the stack.\n\nUpdate rx_offset and rx_bytes from xdp.data and xdp.data_end for\nXDP_PASS. This makes skb_reserve() and skb_put() reflect the packet seen\nby XDP, and makes RX byte accounting for XDP_PASS follow the length of the\nskb passed to the network stack.\n\nKeep a separate rx_sync_size for page-pool recycling on skb allocation\nfailure, which must stay tied to the received buffer range.\n\nNon-PASS verdicts continue to account the descriptor length because no skb\nis passed up in those cases.\n\nFixes: 07dd0a7aae7f (\"mvpp2: add basic XDP support\")\nSigned-off-by: Til Kaiser \u003cmail@tk154.de\u003e\nLink: https://patch.msgid.link/20260607134943.21996-5-mail@tk154.de\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6", "tree": "adb0381ccb32e0e21023ba87db46fa17078dfb79", "parents": [ "f3c6aa078927e6fe8121c9c591ddee8716c5305a" ], "author": { "name": "Til Kaiser", "email": "mail@tk154.de", "time": "Sun Jun 07 15:49:42 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 11 09:57:31 2026 +0200" }, "message": "net: mvpp2: refill RX buffers before XDP or skb use\n\nThe RX error path returns the current descriptor buffer to the hardware\nBM pool. That is only valid while the driver still owns the buffer.\n\nmvpp2_rx_refill() can fail after the current buffer has been handed to\nXDP or attached to an skb. In those cases mvpp2_run_xdp() may have\nrecycled, redirected, or queued the page for XDP_TX, and an skb free also\nretires the data buffer. Returning such a buffer to BM lets hardware DMA\ninto memory that is no longer owned by the RX ring.\n\nRefill the BM pool before handing the current buffer to XDP or to the\nskb. If the allocation fails there, drop the packet and return the\nstill-owned current buffer to BM, preserving the pool depth. Once the\nrefill succeeds, later local drops retire/free the current buffer instead\nof returning it to BM.\n\nFixes: 07dd0a7aae7f (\"mvpp2: add basic XDP support\")\nFixes: d6526926de73 (\"net: mvpp2: fix memory leak in mvpp2_rx\")\nSigned-off-by: Til Kaiser \u003cmail@tk154.de\u003e\nLink: https://patch.msgid.link/20260607134943.21996-4-mail@tk154.de\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "f3c6aa078927e6fe8121c9c591ddee8716c5305a", "tree": "1c280e4029f2d969be34e95055b03c9791b4492e", "parents": [ "180235600934bef6add3be637c296d6cf3272e67" ], "author": { "name": "Til Kaiser", "email": "mail@tk154.de", "time": "Sun Jun 07 15:49:41 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 11 09:57:31 2026 +0200" }, "message": "net: mvpp2: limit XDP frame size to the RX buffer\n\nmvpp2 has short and long BM pools, and short pool buffers can be smaller\nthan PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with\nPAGE_SIZE as frame size.\n\nXDP helpers use frame_sz to validate tail growth and to derive the hard\nend of the data area. Advertising PAGE_SIZE for short buffers can let\nbpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting\nmemory or later tripping skb tailroom checks.\n\nInitialize the XDP buffer with bm_pool-\u003efrag_size so XDP tailroom matches\nthe actual buffer backing the packet.\n\nFixes: 07dd0a7aae7f (\"mvpp2: add basic XDP support\")\nSigned-off-by: Til Kaiser \u003cmail@tk154.de\u003e\nLink: https://patch.msgid.link/20260607134943.21996-3-mail@tk154.de\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "180235600934bef6add3be637c296d6cf3272e67", "tree": "ecb9855b324d5a209827608ae91fc302d3d85901", "parents": [ "512db8267b73a220a64180d95ab5eebe7c4964a8" ], "author": { "name": "Til Kaiser", "email": "mail@tk154.de", "time": "Sun Jun 07 15:49:40 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 11 09:57:31 2026 +0200" }, "message": "net: mvpp2: sync RX data at the hardware packet offset\n\nmvpp2 programs the RX queue packet offset, so hardware writes received\ndata at dma_addr + MVPP2_SKB_HEADROOM. The current CPU sync starts at\ndma_addr and only covers rx_bytes + MVPP2_MH_SIZE bytes, which syncs the\nunused headroom and misses the same number of bytes at the packet tail.\n\nOn non-coherent DMA systems this can leave the CPU reading stale cache\ncontents for the end of the received frame.\n\nUse dma_sync_single_range_for_cpu() with MVPP2_SKB_HEADROOM as the range\noffset so the sync covers the Marvell header and packet data actually\nwritten by hardware.\n\nFixes: e1921168bbd4 (\"mvpp2: sync only the received frame\")\nSigned-off-by: Til Kaiser \u003cmail@tk154.de\u003e\nLink: https://patch.msgid.link/20260607134943.21996-2-mail@tk154.de\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "9716c086c8e8b141d35aa61f2e96a2e83de212a7", "tree": "918331b178b771fa02019c3fc60c8da519c22ddf", "parents": [ "767622308a1d8b111038fca0059b964da1f6d9c4", "6100a82e34cb75571feba920a9c18f60698d598a" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jun 10 11:53:55 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jun 10 11:53:55 2026 -0700" }, "message": "Merge tag \u0027pm-7.1-rc8\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm\n\nPull power management fixes from Rafael Wysocki:\n \"These address some remaining fallout after introducing dynamic EPP\n support in the amd-pstate driver during the current development cycle:\n\n - Restore allowing writing EPP of 0 when in performance mode in the\n amd-pstate driver which was unnecessarily disallowed by one of the\n recent updates (Mario Limonciello)\n\n - Remove stale documentation of the epp_cached field in struct\n amd_cpudata that has been dropped recently (Zhan Xusheng)\"\n\n* tag \u0027pm-7.1-rc8\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:\n cpufreq/amd-pstate: Fix setting EPP in performance mode\n cpufreq/amd-pstate: drop stale @epp_cached kdoc\n" }, { "commit": "c7d573551f9286100a055ef696cde6af54549677", "tree": "3b55982a657bd6eaadfa6632b3acc0ec7c1f8dc4", "parents": [ "ab185e0c4fb82dfba6fb86f8271e06f931d9c64c" ], "author": { "name": "Davide Ornaghi", "email": "d.ornaghi97@gmail.com", "time": "Wed Jun 10 12:39:13 2026 +0200" }, "committer": { "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org", "time": "Wed Jun 10 18:00:32 2026 +0200" }, "message": "netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register\n\nNFT_META_BRI_IIFHWADDR declares its destination register with\nlen \u003d ETH_ALEN (6 bytes), which the register-init tracking rounds up to\ntwo 32-bit registers (8 bytes). nft_meta_bridge_get_eval() then does\nmemcpy(dest, br_dev-\u003edev_addr, ETH_ALEN), writing only 6 bytes and\nleaving the upper 2 bytes of the second register as uninitialised\nnft_do_chain() stack. A downstream load of that register span leaks\nthose stale bytes to userspace.\n\nZero the second register before the memcpy so the full declared span is\nwritten.\n\nFixes: cbd2257dc96e (\"netfilter: nft_meta_bridge: introduce NFT_META_BRI_IIFHWADDR support\")\nCc: stable@vger.kernel.org\nSigned-off-by: Davide Ornaghi \u003cd.ornaghi97@gmail.com\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\n" }, { "commit": "ab185e0c4fb82dfba6fb86f8271e06f931d9c64c", "tree": "fe4753675107e422020c0706b4ef3453286bef14", "parents": [ "772cecf198da732faebb5dcfc46d66a505be8495" ], "author": { "name": "Davide Ornaghi", "email": "d.ornaghi97@gmail.com", "time": "Wed Jun 10 12:39:12 2026 +0200" }, "committer": { "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org", "time": "Wed Jun 10 18:00:19 2026 +0200" }, "message": "netfilter: nft_fib: fix stale stack leak via the OIFNAME register\n\nFor NFT_FIB_RESULT_OIFNAME the destination register is declared with\nlen \u003d IFNAMSIZ (four 32-bit registers), but on the lookup-fail,\nRTN_LOCAL and oif-mismatch paths nft_fib{4,6}_eval() only writes one\nregister via \"*dest \u003d 0\". The remaining three registers are left as\nwhatever was on the stack in nft_do_chain()\u0027s struct nft_regs, and a\ndownstream expression that loads the register span can leak that\nuninitialised kernel stack to userspace.\n\nThe NFTA_FIB_F_PRESENT existence check has the same shape: it is only\nmeaningful for NFT_FIB_RESULT_OIF, yet it was accepted for any result type\nwhile the eval stores a single byte via nft_reg_store8(), leaving the rest\nof the declared span stale.\n\nFix both:\n\n - replace the bare \"*dest \u003d 0\" in the eval with nft_fib_store_result(),\n which strscpy_pad()s the whole IFNAMSIZ for OIFNAME (and is already\n used on the other early-return path), and\n\n - restrict NFTA_FIB_F_PRESENT to NFT_FIB_RESULT_OIF and declare its\n destination as a single u8, so the marked span matches the one byte\n the eval writes.\n\nFixes: f6d0cbcf09c5 (\"netfilter: nf_tables: add fib expression\")\nSuggested-by: Florian Westphal \u003cfw@strlen.de\u003e\nCc: stable@vger.kernel.org\nSigned-off-by: Davide Ornaghi \u003cd.ornaghi97@gmail.com\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\n" }, { "commit": "772cecf198da732faebb5dcfc46d66a505be8495", "tree": "477ccc145bc5973aa7d806445cd8e4f6b38a0b4c", "parents": [ "a84b6fedbc97078788be78dbdd7517d143ad1a77" ], "author": { "name": "Florian Westphal", "email": "fw@strlen.de", "time": "Tue Jun 09 21:28:09 2026 +0200" }, "committer": { "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org", "time": "Wed Jun 10 18:00:12 2026 +0200" }, "message": "netfilter: nft_exthdr: fix register tracking for F_PRESENT flag\n\nnft_exthdr_init() passes user-controlled priv-\u003elen to\nnft_parse_register_store(), which marks that many bytes in the\nregister bitmap as initialized. However, when NFT_EXTHDR_F_PRESENT\nis set, the eval paths write only 1 byte (nft_reg_store8) or\n4 bytes (*dest \u003d 0 on TCP/DCCP error path). When len \u003e 4,\nregisters beyond the first are never written, retaining\nuninitialized stack data from nft_regs.\n\nBail out if userspace requests too much data when F_PRESENT is set.\n\nReported-by: Ji\u0027an Zhou \u003ceilaimemedsnaimel@gmail.com\u003e\nFixes: c078ca3b0c5b (\"netfilter: nft_exthdr: Add support for existence check\")\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\n" }, { "commit": "a84b6fedbc97078788be78dbdd7517d143ad1a77", "tree": "b949480e102f10fa258f524b96b607699c7151c6", "parents": [ "f7f2fbb0e893a0238dc464f8d8c0f5609bec584f" ], "author": { "name": "Xiang Mei", "email": "xmei5@asu.edu", "time": "Tue Jun 09 15:55:02 2026 -0700" }, "committer": { "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org", "time": "Wed Jun 10 18:00:01 2026 +0200" }, "message": "netfilter: nf_log: validate MAC header was set before dumping it\n\nThe fallback path of dump_mac_header() guards the MAC header access\nonly with \"skb-\u003emac_header !\u003d skb-\u003enetwork_header\", without checking\nskb_mac_header_was_set(). When the MAC header is unset, mac_header is\n0xffff, so the test passes and skb_mac_header(skb) returns\nskb-\u003ehead + 0xffff, ~64 KiB past the buffer; the loop then reads\ndev-\u003ehard_header_len bytes out of bounds into the kernel log.\n\nThis is reachable via the netdev logger: nf_log_unknown_packet() calls\ndump_mac_header() unconditionally, and an skb sent through AF_PACKET\nwith PACKET_QDISC_BYPASS reaches the egress hook with mac_header still\nunset (__dev_queue_xmit(), which would reset it, is bypassed).\n\nAdd the skb_mac_header_was_set() check the ARPHRD_ETHER path already\nuses, and replace the open-coded MAC header length test with\nskb_mac_header_len(). Only skbs with an unset MAC header are affected;\nvalid ones are dumped as before.\n\n BUG: KASAN: slab-out-of-bounds in dump_mac_header (net/netfilter/nf_log_syslog.c:831)\n Read of size 1 at addr ffff88800ea49d3f by task exploit/148\n Call Trace:\n kasan_report (mm/kasan/report.c:595)\n dump_mac_header (net/netfilter/nf_log_syslog.c:831)\n nf_log_netdev_packet (net/netfilter/nf_log_syslog.c:938 net/netfilter/nf_log_syslog.c:963)\n nf_log_packet (net/netfilter/nf_log.c:260)\n nft_log_eval (net/netfilter/nft_log.c:60)\n nft_do_chain (net/netfilter/nf_tables_core.c:285)\n nft_do_chain_netdev (net/netfilter/nft_chain_filter.c:307)\n nf_hook_slow (net/netfilter/core.c:619)\n nf_hook_direct_egress (net/packet/af_packet.c:257)\n packet_xmit (net/packet/af_packet.c:280)\n packet_sendmsg (net/packet/af_packet.c:3114)\n __sys_sendto (net/socket.c:2265)\n\nFixes: 7eb9282cd0ef (\"netfilter: ipt_LOG/ip6t_LOG: add option to print decoded MAC header\")\nReported-by: Weiming Shi \u003cbestswngs@gmail.com\u003e\nAssisted-by: Claude:claude-opus-4-8\nSigned-off-by: Xiang Mei \u003cxmei5@asu.edu\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\n" }, { "commit": "f7f2fbb0e893a0238dc464f8d8c0f5609bec584f", "tree": "e2886b33a6821900694c7e4fc017a6a89c360de1", "parents": [ "c3009418f9fa1dcb3eb86f4d8c92583537b5faa3" ], "author": { "name": "Kyle Zeng", "email": "kylebot@openai.com", "time": "Sat Jun 06 01:10:31 2026 -0700" }, "committer": { "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org", "time": "Wed Jun 10 17:59:01 2026 +0200" }, "message": "netfilter: x_tables: avoid leaking percpu counter pointers\n\nThe native and compat get-entries paths copy the fixed rule entry header\nfrom the kernelized rule blob to userspace before overwriting the entry\u0027s\ncounter fields with a sanitized counter snapshot.\n\nOn SMP kernels, entry-\u003ecounters.pcnt contains the percpu allocation\naddress used by x_tables rule counters. A caller can provide a userspace\nbuffer that faults during the initial fixed-header copy after pcnt has\nbeen copied but before the later sanitized counter copy runs. The syscall\nthen returns -EFAULT while leaving the raw percpu pointer in userspace.\n\nCopy only the fixed entry prefix before counters from the kernelized rule\nblob, then copy the sanitized counter snapshot into the counter field.\nApply this ordering to the IPv4, IPv6, and ARP native and compat\nget-entries implementations so a fault cannot expose the internal percpu\ncounter pointer.\n\nFixes: 71ae0dff02d7 (\"netfilter: xtables: use percpu rule counters\")\nSigned-off-by: Kyle Zeng \u003ckylebot@openai.com\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\n" }, { "commit": "c3009418f9fa1dcb3eb86f4d8c92583537b5faa3", "tree": "8ab258ae3560c0e20835e1745b54c9a9aa886bf3", "parents": [ "efc542561729a2859397dad51bda1fe41262beb1" ], "author": { "name": "Weiming Shi", "email": "bestswngs@gmail.com", "time": "Wed Jun 03 00:38:17 2026 -0700" }, "committer": { "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org", "time": "Wed Jun 10 17:58:39 2026 +0200" }, "message": "netfilter: nf_conntrack: destroy stale expectfn expectations on unregister\n\nNAT helpers such as nf_nat_h323 store a raw pointer to module text in\nexp-\u003eexpectfn (e.g. ip_nat_q931_expect). nf_ct_helper_expectfn_unregister()\nonly unlinks the callback descriptor and never walks the expectation table,\nso an expectation pending at module removal survives with a dangling\nexp-\u003eexpectfn into freed module text.\n\nWhen the expected connection arrives, init_conntrack() invokes\nexp-\u003eexpectfn(), now a stale pointer into the unloaded module. Reproduced\non a KASAN build by loading the H.323 helpers, creating a Q.931\nexpectation, unloading nf_nat_h323, then connecting to the expected port:\n\n Oops: int3: 0000 [#1] SMP KASAN NOPTI\n RIP: 0010:0xffffffffa06102d1\n init_conntrack.isra.0 (net/netfilter/nf_conntrack_core.c:1862)\n nf_conntrack_in (net/netfilter/nf_conntrack_core.c:2049)\n ipv4_conntrack_local (net/netfilter/nf_conntrack_proto.c:223)\n nf_hook_slow (net/netfilter/core.c:619)\n __ip_local_out (net/ipv4/ip_output.c:120)\n __tcp_transmit_skb (net/ipv4/tcp_output.c:1715)\n tcp_connect (net/ipv4/tcp_output.c:4374)\n tcp_v4_connect (net/ipv4/tcp_ipv4.c:345)\n __sys_connect (net/socket.c:2167)\n Modules linked in: nf_conntrack_h323 [last unloaded: nf_nat_h323]\n\nReaching the dangling state requires CAP_SYS_MODULE in the initial user\nnamespace to remove a NAT helper that still has live expectations, so this\nis a robustness fix; leaving an expectation pointing at freed text is wrong\nregardless.\n\nAdd nf_ct_helper_expectfn_destroy(), which walks the expectation table and\ndrops every expectation whose -\u003eexpectfn matches the descriptor being torn\ndown. Call it from each NAT helper\u0027s exit path after the existing RCU grace\nperiod, so no expectation outlives the code it points at and no extra\nsynchronize_rcu() is introduced. With the fix, the same reproducer runs to\ncompletion without the Oops.\n\nFixes: f587de0e2feb (\"[NETFILTER]: nf_conntrack/nf_nat: add H.323 helper port\")\nReported-by: Xiang Mei \u003cxmei5@asu.edu\u003e\nAssisted-by: Claude:claude-opus-4-8\nSigned-off-by: Weiming Shi \u003cbestswngs@gmail.com\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\n" }, { "commit": "efc542561729a2859397dad51bda1fe41262beb1", "tree": "2bb16a7ee4276bb9c7d2905291e42b5cee73b3c6", "parents": [ "ccb9fd4b87538ccf19ccff78ee26700526d94867" ], "author": { "name": "Florian Westphal", "email": "fw@strlen.de", "time": "Fri Jun 05 13:47:12 2026 +0200" }, "committer": { "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org", "time": "Wed Jun 10 17:58:29 2026 +0200" }, "message": "netfilter: nf_tables_offload: drop device refcount on error\n\nReported by sashiko:\nIf nft_flow_action_entry_next() returns NULL, dev reference leaks.\n\nFixes: c6f85577584b (\"netfilter: nf_tables_offload: add nft_flow_action_entry_next() and use it\")\nReported-by: Juri Lelli \u003cjuri.lelli@redhat.com\u003e\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\n" }, { "commit": "ccb9fd4b87538ccf19ccff78ee26700526d94867", "tree": "85002bc68f328b5d7c414d4157689881fa3d000f", "parents": [ "4aacf509e537a711fa71bca9f234e5eb6968850e" ], "author": { "name": "Florian Westphal", "email": "fw@strlen.de", "time": "Tue Jun 02 17:04:25 2026 +0200" }, "committer": { "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org", "time": "Wed Jun 10 17:58:20 2026 +0200" }, "message": "netfilter: revalidate bridge ports\n\nebt_redirect_tg() dereferences br_port_get_rcu() return without a\nNULL check, causing a kernel panic when the bridge port has been\nremoved between the original hook invocation and an NFQUEUE\nreinject.\n\nA mere NULL check isn\u0027t sufficient, however. As sashiko review\npoints out userspace can not only remove the port from the bridge,\nit could also place the device in a different virtual device, e.g.\nmacvlan.\n\nIf this happens, we must drop the packet, there is no way for us to\nreinject it into the bridge path.\n\nSwitch to _upper API, we don\u0027t need the bridge port structure.\nAlso, this fix keeps another bug intact:\n\nBoth nfnetlink_log and nfnetlink_queue use CONFIG_BRIDGE_NETFILTER\ntoo aggressive, which prevents certain logging features when queueing\nin bridge family: NETFILTER_FAMILY_BRIDGE can be enabled while the old\nCONFIG_BRIDGE_NETFILTER cruft is off.\n\nFixes tag is a common ancestor, this was always broken.\n\nFixes: f350a0a87374 (\"bridge: use rx_handler_data pointer to store net_bridge_port pointer\")\nReported-by: Ji\u0027an Zhou \u003ceilaimemedsnaimel@gmail.com\u003e\nAssisted-by: Claude:claude-sonnet-4-6\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\n" }, { "commit": "512db8267b73a220a64180d95ab5eebe7c4964a8", "tree": "3b8a0b6a7ed0b5cf632cf6eef72cf7ff1924f0e3", "parents": [ "a5c0359f5cbc51a2e2b114d6041e0f3c73f903e9" ], "author": { "name": "Breno Leitao", "email": "leitao@debian.org", "time": "Mon Jun 08 02:32:05 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 10 08:18:16 2026 -0700" }, "message": "rds: mark snapshot pages dirty in rds_info_getsockopt()\n\nrds_info_getsockopt() pins the destination user pages with FOLL_WRITE and\nthe RDS_INFO_* producers memcpy the snapshot into them through\nkmap_atomic(). Because that copy goes through the kernel direct map, the\ndirty bit on the user PTE is never set, so unpin_user_pages() releases the\npages without marking them dirty. A file-backed destination page can then\nbe reclaimed without writeback, silently discarding the copied data.\n\nUse unpin_user_pages_dirty_lock() with make_dirty\u003dtrue so the modified\npages are marked dirty before they are unpinned.\n\nFixes: a8c879a7ee98 (\"RDS: Info and stats\")\nSigned-off-by: Breno Leitao \u003cleitao@debian.org\u003e\nReviewed-by: Allison Henderson \u003cachender@kernel.org\u003e\nLink: https://patch.msgid.link/20260608-rds_fix-v1-1-006c88543408@debian.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "a5c0359f5cbc51a2e2b114d6041e0f3c73f903e9", "tree": "df7e012789b2152c7b475522d48e3d05cc4fe710", "parents": [ "627366c51145a07f675b1800fb5ea2ec960bd900" ], "author": { "name": "Eric Dumazet", "email": "edumazet@google.com", "time": "Mon Jun 08 16:46:13 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 10 08:16:07 2026 -0700" }, "message": "ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()\n\nIn vti6_tnl_lookup(), when an exact match for a tunnel fails,\nthe code falls back to searching for wildcard tunnels:\n\n- Tunnels matching the packet\u0027s local address, with any remote address\n wildcard remote).\n\n- Tunnels matching the packet\u0027s remote address, with any local address\n (wildcard local).\n\nHowever, vti6 stores all these different types of tunnels in the same\nhash table (ip6n-\u003etnls_r_l) prone to hash collisions.\n\nThe bug is that the fallback search loops in vti6_tnl_lookup() were\nmissing checks to ensure that the candidate tunnel actually has\na wildcard address.\n\nFixes: fbe68ee87522 (\"vti6: Add a lookup method for tunnels with wildcard endpoints.\")\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nCc: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nReviewed-by: Nicolas Dichtel \u003cnicolas.dichtel@6wind.com\u003e\nLink: https://patch.msgid.link/20260608164613.933023-1-edumazet@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "767622308a1d8b111038fca0059b964da1f6d9c4", "tree": "567c86cdc36bf13a566c93f28a0d38f5e0a87a4f", "parents": [ "805d5a2b792819171be100c50c9ddafa0f8c2231", "15b4155138505669d3d43d7692459ee8ea2a86e7" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jun 10 07:18:32 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jun 10 07:18:32 2026 -0700" }, "message": "Merge tag \u0027riscv-for-linux-7.1-rc8\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux\n\nPull RISC-V fixes from Paul Walmsley:\n\n - Fix the implementation of the CFI branch landing pad control prctl()s\n to return -EINVAL if unknown control bits are set, rather than\n silently ignoring the request; and add a kselftest for this case\n\n - Fix unaligned access performance testing to happen earlier in boot,\n which fixes a performance regression in the lib/checksum code\n\n - Fix a binfmt_elf warning when dumping core (due to missing\n .core_note_name for CFI registers)\n\n* tag \u0027riscv-for-linux-7.1-rc8\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:\n riscv: cfi: reject unknown flags in PR_SET_CFI\n riscv: Fix fast_unaligned_access_speed_key not getting initialized\n riscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI\n" }, { "commit": "805d5a2b792819171be100c50c9ddafa0f8c2231", "tree": "cd654c208c02a858c590003e3e05039c430facf3", "parents": [ "acb7500801e98639f6d8c2d796ed9f64cba83d3a" ], "author": { "name": "Jann Horn", "email": "jannh@google.com", "time": "Fri Jun 05 22:27:33 2026 +0200" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jun 10 07:09:20 2026 -0700" }, "message": "namespace: restrict OPEN_TREE_NAMESPACE/FSMOUNT_NAMESPACE to directories\n\nopen_tree(..., OPEN_TREE_NAMESPACE) and\nfsmount(..., FSMOUNT_NAMESPACE, ...) currently work on non-directories,\nlike regular files. That\u0027s bad for two reasons:\n\n - It ends up mounting a regular file over the inherited namespace root,\n which is a directory; mounting a non-directory over a directory is\n normally explicitly forbidden, see for example do_move_mount()\n\n - It causes setns() on the new namespace to set the cwd to a regular\n file, which the rest of VFS does not expect\n\nFix it by restricting create_new_namespace() (which is used by both of\nthese flags) to directories.\n\nLeave the behavior for OPEN_TREE_CLONE as-is, that seems unproblematic.\n\nFixes: 9b8a0ba68246 (\"mount: add OPEN_TREE_NAMESPACE\")\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: Christian Brauner \u003cbrauner@kernel.org\u003e\nCc: Jan Kara \u003cjack@suse.cz\u003e\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \u003cjannh@google.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "a23226b7c1f69eafd9ced4e037fb51c9758c0501", "tree": "bdb1249e86f117d266f43007e12e8a20d577d87f", "parents": [ "64911f5aac534191e6b9a52ca1d50ba870a12d86" ], "author": { "name": "Daniel Drake", "email": "dan@reactivated.net", "time": "Mon Jun 08 22:01:08 2026 +0100" }, "committer": { "name": "Bartosz Golaszewski", "email": "bartosz.golaszewski@oss.qualcomm.com", "time": "Wed Jun 10 10:12:57 2026 +0200" }, "message": "gpiolib: handle gpio-hogs only once\n\nCommit d1d564ec49929 (\"gpio: move hogs into GPIO core\") introduced a\nbehaviour change that breaks boot on Raspberry Pi 5 when using the\nfirmware-supplied device tree:\n\n gpiochip_add_data_with_key: GPIOs 544..575\n (/soc@107c000000/gpio@7d517c00) failed to register, -22\n brcmstb-gpio 107d517c00.gpio: Could not add gpiochip for bank 1\n brcmstb-gpio 107d517c00.gpio: probe with driver brcmstb-gpio failed\n with error -22\n\ngpio-brcmstb registers two gpio_chips against the device tree\nnode gpio@7d517c00, one for each bank. The firmware-supplied DT includes\na gpio-hog on RP1 RUN, and this gpio-hog is attempted to be applied to\n*both* gpio_chips. This succeeds against bank 0 (which hosts the GPIO)\nand fails for bank 1 (which does not).\n\nIn the previous implementation, failures to apply gpio-hogs were\nquietly ignored. In the new code, the error code propagates and causes\nprobe to fail.\n\nClosely approximate the previous behaviour by using the OF_POPULATED flag\nto ensure that each gpio-hog is processed only once. The flag was\npreviously being set before the gpio-hogs were processed, so as part\nof this change, the flag now gets set only after the gpio-hog is actioned.\nThe handling of gpio-hogs on a DT node with multiple gpio_chips remains a\nbit incomplete/unclear, but this at least retains the ability to apply\nhogs to the first gpio_chip per node.\n\nFixes: d1d564ec49929 (\"gpio: move hogs into GPIO core\")\nSigned-off-by: Daniel Drake \u003cdan@reactivated.net\u003e\nLink: https://patch.msgid.link/20260608210108.36248-1-dan@reactivated.net\nSigned-off-by: Bartosz Golaszewski \u003cbartosz.golaszewski@oss.qualcomm.com\u003e\n" }, { "commit": "64911f5aac534191e6b9a52ca1d50ba870a12d86", "tree": "0c1f69b8aac45264830b5a5b0d898425842077fe", "parents": [ "1c1e0fc88d6ef65bf15d517853251f75ab9d18c3" ], "author": { "name": "Bartosz Golaszewski", "email": "bartosz.golaszewski@oss.qualcomm.com", "time": "Tue Jun 09 14:17:50 2026 +0200" }, "committer": { "name": "Bartosz Golaszewski", "email": "bartosz.golaszewski@oss.qualcomm.com", "time": "Wed Jun 10 09:29:19 2026 +0200" }, "message": "gpio: fix cleanup path on hog failure\n\nIf gpiochip_hog_lines() successfully processes some hogs but fails on\na later one, the error handling path in gpiochip_add_data_with_key()\njumps directly to err_remove_of_chip. This leaks resources allocated\nearlier for ACPI, interrupts and hogs that were successfully processed.\nUse the right label in error path.\n\nCloses: https://sashiko.dev/#/patchset/20260608210108.36248-1-dan%40reactivated.net\nFixes: d1d564ec4992 (\"gpio: move hogs into GPIO core\")\nReviewed-by: Andy Shevchenko \u003candriy.shevchenko@linux.intel.com\u003e\nReviewed-by: Mika Westerberg \u003cmika.westerberg@linux.intel.com\u003e\nLink: https://patch.msgid.link/20260609-gpio-hogs-fixes-v1-2-b4064f8070e7@oss.qualcomm.com\nSigned-off-by: Bartosz Golaszewski \u003cbartosz.golaszewski@oss.qualcomm.com\u003e\n" }, { "commit": "627366c51145a07f675b1800fb5ea2ec960bd900", "tree": "990be156d92cb46ee485603636a17cde5e1fb1c9", "parents": [ "7f2fcff15e99bb852f6967396ed12b38376e2c8d" ], "author": { "name": "Vadim Fedorenko", "email": "vadim.fedorenko@linux.dev", "time": "Mon Jun 08 15:59:52 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue Jun 09 19:26:56 2026 -0700" }, "message": "ptp: ocp: fix resource freeing order\n\nCommit a60fc3294a37 (\"ptp: rework ptp_clock_unregister() to disable\nevents\") added a call to ptp_disable_all_events() which changes the\nconfiguration of pins if they support EXTTS events. In ptp_ocp_detach()\npins resources are freed before ptp_clock_unregister() and it leads to\nuse-after-free during driver removal. Fix it by changing the order of\nfree/unregister calls. To avoid irq handler running on the other core\nwhile ptp device unregistering, call synchronize_irq() after HW is\nconfigured to stop producing irqs and no irqs are in-flight.\n\nFixes: a60fc3294a37 (\"ptp: rework ptp_clock_unregister() to disable events\")\nSigned-off-by: Vadim Fedorenko \u003cvadim.fedorenko@linux.dev\u003e\nLink: https://patch.msgid.link/20260608155952.240304-1-vadim.fedorenko@linux.dev\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "7f2fcff15e99bb852f6967396ed12b38376e2c8d", "tree": "9e55df43af361295d6b49d09c03eed3bba79fab5", "parents": [ "34080db3e70ddf94c38512ad2331e3c3afca6cc1" ], "author": { "name": "Xiang Mei", "email": "xmei5@asu.edu", "time": "Sat Jun 06 22:44:28 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue Jun 09 18:33:18 2026 -0700" }, "message": "tun: zero the whole vnet header in tun_put_user()\n\ntun_put_user() declares an on-stack struct virtio_net_hdr_v1_hash_tunnel\nwithout zeroing it. For a non-tunnel skb, virtio_net_hdr_tnl_from_skb()\nonly initializes the first 10 bytes (sizeof(struct virtio_net_hdr)),\nleaving bytes 10..23 (num_buffers and the hash/tunnel fields) as stack\ngarbage.\n\nAn unprivileged user can set the vnet header size to 24 with\nTUNSETVNETHDRSZ, so __tun_vnet_hdr_put() copies all 24 bytes of the\npartially-initialized struct to userspace, leaking 14 bytes of kernel\nstack on every read of a non-tunnel packet.\n\nFix it the same way tun_get_user() already does by zeroing the whole\nheader right after declaration.\n\nFixes: 288f30435132 (\"tun: enable gso over UDP tunnel support.\")\nReported-by: Weiming Shi \u003cbestswngs@gmail.com\u003e\nSigned-off-by: Xiang Mei \u003cxmei5@asu.edu\u003e\nReviewed-by: Willem de Bruijn \u003cwillemb@google.com\u003e\nLink: https://patch.msgid.link/20260607054428.3050243-1-xmei5@asu.edu\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "34080db3e70ddf94c38512ad2331e3c3afca6cc1", "tree": "4c2f6bc5d976a1095a47e92e9fd9bd7a44caef19", "parents": [ "1ee90b77b727df903033db873c75caac5c27ec98" ], "author": { "name": "Weiming Shi", "email": "bestswngs@gmail.com", "time": "Sat Jun 06 12:24:48 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue Jun 09 18:32:54 2026 -0700" }, "message": "net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion\n\nrds_ib_xmit_atomic() always programs a masked atomic opcode\n(IB_WR_MASKED_ATOMIC_CMP_AND_SWP or IB_WR_MASKED_ATOMIC_FETCH_AND_ADD)\nfor every RDS atomic cmsg. But the completion-side switch in\nrds_ib_send_unmap_op() only handles the non-masked opcodes, so a masked\natomic completion falls through to default and returns rm \u003d\u003d NULL while\nsend-\u003es_op is left set. rds_ib_send_cqe_handler() then dereferences the\nNULL rm via rm-\u003em_final_op, oopsing in softirq context. An unprivileged\nAF_RDS sendmsg() of an atomic cmsg over an active RDS/IB connection\ntriggers it; on hardware that natively accepts masked atomics (mlx4,\nmlx5) no extra setup is needed.\n\n RDS/IB: rds_ib_send_unmap_op: unexpected opcode 0xd in WR!\n Oops: general protection fault [#1] SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000190-0x0000000000000197]\n RIP: rds_ib_send_cqe_handler+0x25c/0xb10 (net/rds/ib_send.c:282)\n Call Trace:\n \u003cIRQ\u003e\n rds_ib_send_cqe_handler (net/rds/ib_send.c:282)\n poll_scq (net/rds/ib_cm.c:274)\n rds_ib_tasklet_fn_send (net/rds/ib_cm.c:294)\n tasklet_action_common (kernel/softirq.c:943)\n handle_softirqs (kernel/softirq.c:573)\n run_ksoftirqd (kernel/softirq.c:479)\n \u003c/IRQ\u003e\n Kernel panic - not syncing: Fatal exception in interrupt\n\nHandle the masked atomic opcodes in the same case as the non-masked\nones: they map to the same struct rds_message.atomic union member, so\nthe existing container_of()/rds_ib_send_unmap_atomic() body is correct\nfor them.\n\nFixes: 20c72bd5f5f9 (\"RDS: Implement masked atomic operations\")\nReported-by: Xiang Mei \u003cxmei5@asu.edu\u003e\nSigned-off-by: Weiming Shi \u003cbestswngs@gmail.com\u003e\nReviewed-by: Allison Henderson \u003cachender@kernel.org\u003e\nLink: https://patch.msgid.link/20260606192447.1179255-2-bestswngs@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "1ee90b77b727df903033db873c75caac5c27ec98", "tree": "fa75c2bd3b0ed9cffc4194f8bff69d673a1718c9", "parents": [ "6f4c80a2a7e6d06753b89a578b710a2499a5e62b" ], "author": { "name": "Kyle Zeng", "email": "kylebot@openai.com", "time": "Sat Jun 06 19:18:19 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue Jun 09 18:32:08 2026 -0700" }, "message": "net: guard timestamp cmsgs to real error queue skbs\n\nskb_is_err_queue() treats PACKET_OUTGOING as the sole marker for an skb\nfrom sk_error_queue. That assumption is not true for AF_PACKET sockets:\noutgoing packet taps are also delivered to packet sockets with\nskb-\u003epkt_type \u003d\u003d PACKET_OUTGOING, but their skb-\u003ecb is owned by AF_PACKET\ninstead of struct sock_exterr_skb.\n\nIf such an skb is received with timestamping enabled, the generic\ntimestamp cmsg path can read AF_PACKET control-buffer state as\nsock_exterr_skb::opt_stats. With SO_RXQ_OVFL enabled, the packet drop\ncounter overlaps opt_stats. An odd drop count makes the path emit\nSCM_TIMESTAMPING_OPT_STATS with skb-\u003elen and skb-\u003edata. For non-linear\nskbs this copies past the linear head and can trigger hardened usercopy or\ndisclose adjacent heap contents.\n\nKeep skb_is_err_queue() local to net/socket.c, but make it verify that\nthe PACKET_OUTGOING marker is paired with the sock_rmem_free destructor\ninstalled by sock_queue_err_skb(). AF_PACKET receive skbs use normal\nreceive ownership and no longer pass as error-queue skbs, while legitimate\nsk_error_queue entries keep the PACKET_OUTGOING marker and sock_rmem_free\nownership.\n\nFixes: 8605330aac5a (\"tcp: fix SCM_TIMESTAMPING_OPT_STATS for normal skbs\")\nSigned-off-by: Kyle Zeng \u003ckylebot@openai.com\u003e\nReviewed-by: Kuniyuki Iwashima \u003ckuniyu@google.com\u003e\nReviewed-by: Willem de Bruijn \u003cwillemb@google.com\u003e\nLink: https://patch.msgid.link/20260607021819.49698-1-kylebot@openai.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "6f4c80a2a7e6d06753b89a578b710a2499a5e62b", "tree": "2b6aaf21646e46bbab6f4801c2c31236c3a27457", "parents": [ "d289d5307762d1838aaece22c6b6fcad9e8865f9" ], "author": { "name": "Xin Long", "email": "lucien.xin@gmail.com", "time": "Sun Jun 07 19:03:47 2026 -0400" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue Jun 09 18:16:51 2026 -0700" }, "message": "sctp: validate embedded INIT chunk and address list lengths in cookie\n\nsctp_unpack_cookie() only checked that the embedded INIT chunk length\ndid not exceed the remaining cookie payload, but did not ensure that the\nINIT chunk is large enough to contain a complete INIT header.\n\nA malformed COOKIE_ECHO can therefore carry a truncated INIT chunk whose\nlength field is smaller than sizeof(struct sctp_init_chunk). Later,\nsctp_process_init() accesses INIT parameters unconditionally, which may\nlead to out-of-bounds reads.\n\nIn addition, raw_addr_list_len is not fully validated against the\nremaining cookie payload. When cookie authentication is disabled, an\nattacker can supply an oversized raw_addr_list_len and cause\nsctp_raw_to_bind_addrs() to read beyond the end of the cookie. The\naddress parser also lacks sufficient bounds checks for parameter headers\nand lengths, allowing malformed address parameters to trigger\nout-of-bounds reads.\n\nFix this by:\n\n- requiring the embedded INIT chunk length to be at least sizeof(struct\n sctp_init_chunk);\n- validating that the INIT chunk and raw address list together fit\n within the cookie payload;\n- verifying sufficient data exists for each address parameter header and\n payload before parsing it.\n\nNote that sctp_verify_init() must be called after sctp_unpack_cookie()\nand before sctp_process_init() when cookie authentication is disabled.\nThis will be addressed in a separate patch.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nReported-by: Sashiko \u003csashiko-bot@kernel.org\u003e\nSigned-off-by: Xin Long \u003clucien.xin@gmail.com\u003e\nLink: https://patch.msgid.link/75af23a89adf881a0895d511775e4770da367cbf.1780873427.git.lucien.xin@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "d289d5307762d1838aaece22c6b6fcad9e8865f9", "tree": "2c008ad8dcfc38cd1c966da1512feb37083df696", "parents": [ "f8373d7090b745728de66308deeecc67e8d319ce" ], "author": { "name": "Eric Dumazet", "email": "edumazet@google.com", "time": "Mon Jun 08 15:59:18 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue Jun 09 18:15:47 2026 -0700" }, "message": "ip6_vti: set netns_immutable on the fallback device.\n\njohn1988 and Noam Rathaus reported that vti6_init_net() does not set the\nnetns_immutable flag on the per-netns fallback tunnel device (ip6_vti0).\n\nOther similar tunnel drivers (like ip6_tunnel, sit, ip6_gre, and ip_tunnel)\ncorrectly set this flag during their fallback device initialization to\nprevent them from being moved to another network namespace.\n\nFixes: 61220ab34948 (\"vti6: Enable namespace changing\")\nReported-by: Noam Rathaus \u003cnoamr@ssd-disclosure.com\u003e\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nCc: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nReviewed-by: Nicolas Dichtel \u003cnicolas.dichtel@6wind.com\u003e\nLink: https://patch.msgid.link/20260608155918.787644-1-edumazet@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "f8373d7090b745728de66308deeecc67e8d319ce", "tree": "5af795adee2dd851c0090a2115ffa86d3e76e92c", "parents": [ "d930276f2cddd0b7294cac7a8fe7b877f6d9e08d" ], "author": { "name": "Michael Bommarito", "email": "michael.bommarito@gmail.com", "time": "Mon Jun 08 08:22:34 2026 -0400" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue Jun 09 18:12:30 2026 -0700" }, "message": "sctp: fix uninit-value in __sctp_rcv_asconf_lookup()\n\n__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF\nchunk can hold the ADDIP header and a parameter header, then calls\naf-\u003efrom_addr_param(), which reads the full address (16 bytes for IPv6)\ntrusting the parameter\u0027s declared length.\n\nAn unauthenticated peer can send a truncated trailing ASCONF chunk that\ndeclares an IPv6 address parameter but stops after the 4-byte parameter\nheader; reached from the no-association lookup path, from_addr_param() then\nreads uninitialized bytes past the parameter.\n\nImpact: an unauthenticated SCTP peer makes the receive path read up to 16\nbytes of uninitialized memory past a truncated ASCONF address parameter.\n\nThe sibling __sctp_rcv_init_lookup() bounds parameters with\nsctp_walk_params(); this path open-codes the fetch and omits the bound.\nVerify the whole address parameter lies within the chunk before\nfrom_addr_param() reads it, the same class of fix as commit 51e5ad549c43\n(\"net: sctp: fix KMSAN uninit-value in sctp_inq_pop\").\n\nFixes: df2185771439 (\"[SCTP]: Update association lookup to look at ASCONF chunks as well\")\nSigned-off-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nAcked-by: Xin Long \u003clucien.xin@gmail.com\u003e\nLink: https://patch.msgid.link/20260608122234.459098-1-michael.bommarito@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "d930276f2cddd0b7294cac7a8fe7b877f6d9e08d", "tree": "85fd60da08cdd488a2863a90dc68603f0436cf36", "parents": [ "a5f8a90ac9f77c678a9781c0a464b635e0d63e49" ], "author": { "name": "Kyle Meyer", "email": "kyle.meyer@hpe.com", "time": "Fri Jun 05 17:25:24 2026 -0500" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue Jun 09 17:52:46 2026 -0700" }, "message": "bnxt_en: Fix NULL pointer dereference\n\nPCIe errors detected by a Root Port or Downstream Port cause error\nrecovery services to run on all subordinate devices regardless of\nadministrative state.\n\nThe .error_detected() callback, bnxt_io_error_detected(), disables\nand synchronizes IRQs via bnxt_disable_int_sync(), which calls\nbnxt_cp_num_to_irq_num() to map completion rings to IRQs using\nbp-\u003ebnapi.\n\nSince bp-\u003ebnapi is allocated on NIC open and freed on NIC close, PCIe\nerror recovery on a closed NIC can dereference a NULL pointer.\n\nCheck if bp-\u003ebnapi is NULL before disabling and synchronizing IRQs.\n\nFixes: e5811b8c09df (\"bnxt_en: Add IRQ remapping logic.\")\nCc: stable@vger.kernel.org\nSigned-off-by: Kyle Meyer \u003ckyle.meyer@hpe.com\u003e\nReviewed-by: Pavan Chebbi \u003cpavan.chebbi@broadcom.com\u003e\nLink: https://patch.msgid.link/aiNM1CY2-StPilxW@hpe.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "a5f8a90ac9f77c678a9781c0a464b635e0d63e49", "tree": "1a686298be8be6edcbbca8365866f197865a337e", "parents": [ "0aa05daef7848a5ac11158949dc73cd741995dc1" ], "author": { "name": "Wyatt Feng", "email": "bronzed_45_vested@icloud.com", "time": "Fri Jun 05 13:53:42 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Tue Jun 09 17:26:25 2026 -0700" }, "message": "sctp: stream: fully roll back denied add-stream state\n\nWhen ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and\nthen lowers outcnt. That leaves removed stream metadata behind, so a\nlater re-add can reuse a stale ext and hit a null-pointer dereference in\nthe scheduler get path.\n\nFix the rollback by tearing down the removed stream state the same way\nother stream resizes do. Unschedule the current scheduler state, drop\nthe removed stream ext state with sctp_stream_outq_migrate(), and then\nreschedule the remaining streams.\n\nThis keeps scheduler-private RR/FC/PRIO lists consistent while fully\nrolling back denied outgoing stream additions.\n\nFixes: 637784ade221 (\"sctp: introduce priority based stream scheduler\")\nCc: stable@kernel.org\nReported-by: Yuan Tan \u003cyuantan098@gmail.com\u003e\nReported-by: Yifan Wu \u003cyifanwucs@gmail.com\u003e\nReported-by: Juefei Pu \u003ctomapufckgml@gmail.com\u003e\nReported-by: Zhengchuan Liang \u003czcliangcn@gmail.com\u003e\nReported-by: Xin Liu \u003cbird@lzu.edu.cn\u003e\nSigned-off-by: Wyatt Feng \u003cbronzed_45_vested@icloud.com\u003e\nSigned-off-by: Ren Wei \u003cn05ec@lzu.edu.cn\u003e\nAcked-by: Xin Long \u003clucien.xin@gmail.com\u003e\nLink: https://patch.msgid.link/d78954ecd94954653ee299400e98d74a03a6f7d3.1780603399.git.bronzed_45_vested@icloud.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "acb7500801e98639f6d8c2d796ed9f64cba83d3a", "tree": "1d142242540514e6af00a31ace858acb79fdebf8", "parents": [ "06f4462d05bdfb6f1fb7b1f263f5a3425ab210f7", "df996599cc69a9b74ff437c67751cf8a61f62e39" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Jun 09 17:20:00 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Jun 09 17:20:00 2026 -0700" }, "message": "Merge tag \u0027trace-rv-v7.1-rc6-2\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace\n\nPull runtime verifier fixes from Steven Rostedt:\n\n - Fix reset ordering on per-task destruction\n\n Reset the task before dropping the slot instead of after, which was\n causing out-of-bound memory accesses.\n\n - Fix HA monitor synchronization and cleanup\n\n Ensure synchronous cleanup for HA monitors by running timer callbacks\n in RCU read-side critical sections and using synchronize_rcu() during\n destruction.\n\n - Avoid armed timers after tasks exit\n\n Add automatic cleanup for per-task HA monitors to prevent timers from\n firing after task exit.\n\n - Fix memory ordering for DA/HA monitors\n\n Fix race conditions during monitor start by using release-acquire\n semantics for the monitoring flag.\n\n - Fix initialization for DA/HA monitors\n\n Ensure monitors are not initialized relying on potentially corrupted\n state like the monitoring flag, that is not reset by all monitors\n type and may have an unknown state in monitors reusing the storage\n (per-task).\n\n - Fix memory safety in per-task and per-object monitors\n\n Prevent use-after-free and out-of-bounds access by synchronizing with\n in-flight tracepoint probes using tracepoint_synchronize_unregister()\n before freeing monitor storage or releasing task slots.\n\n - Adjust monitors for preemptible tracepoints\n\n Fix monitors that relied on tracepoints disabling preemption.\n Explicitly disable task migration when per-CPU monitors handle events\n to avoid accessing the wrong state and update the opid monitor logic.\n\n - Fix incorrect __user specifier usage\n\n Remove __user from a non-pointer variable in the extract_params()\n helper.\n\n - Fix bugs in the rv tool\n\n Ensure strings are NUL-terminated, fix substring matching in monitor\n searches, and improve cleanup and exit status handling.\n\n - Fix several bugs in rvgen\n\n Fix LTL literal stringification, subparsers\u0027 options handling, and\n suffix stripping in dot2k.\n\n* tag \u0027trace-rv-v7.1-rc6-2\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:\n verification/rvgen: Fix ltl2k writing True as a literal\n verification/rvgen: Fix options shared among commands\n verification/rvgen: Fix suffix strip in dot2k\n tools/rv: Fix cleanup after failed trace setup\n tools/rv: Fix substring match when listing container monitors\n tools/rv: Fix substring match bug in monitor name search\n tools/rv: Ensure monitor name and desc are NUL-terminated\n rv: Use 0 to check preemption enabled in opid\n rv: Prevent task migration while handling per-CPU events\n rv: Ensure synchronous cleanup for HA monitors\n rv: Add automatic cleanup handlers for per-task HA monitors\n rv: Do not rely on clean monitor when initialising HA\n rv: Fix monitor start ordering and memory ordering for monitoring flag\n rv: Ensure all pending probes terminate on per-obj monitor destroy\n rv: Prevent in-flight per-task handlers from using invalid slots\n rv: Reset per-task DA monitors before releasing the slot\n rv: Fix __user specifier usage in extract_params()\n" }, { "commit": "06f4462d05bdfb6f1fb7b1f263f5a3425ab210f7", "tree": "cab4ce06dafc836671a351b487912c3fa25e9710", "parents": [ "685441a6d3f17404b47087d051963bc7fb665ef0", "e9e41d3035032ed6053d8bad7b7077e1cb3a6540" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Jun 09 17:05:19 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Jun 09 17:05:19 2026 -0700" }, "message": "Merge tag \u0027trace-tools-v7.1-rc7\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace\n\nPull RTLA fix from Steven Rostedt:\n\n - Fix multi-character short option parsing\n\n Fix regression in parsing of multiple-character short options\n (eg -p100 /\u003d -p 100/, -un /\u003d -u -n/) caused by getopt_long()\n internal state corruption after a refactoring.\n\n* tag \u0027trace-tools-v7.1-rc7\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:\n rtla: Fix parsing of multi-character short options\n" }, { "commit": "38b7a274cf84af9b1f4b602b8e2741565b81947b", "tree": "2829d2760e4d98056c226f3ca6272a95ea7d71ec", "parents": [ "7bd4355272de34c2e90e34b72c5613736d03c32b" ], "author": { "name": "KhaiWenTan", "email": "khai.wen.tan@linux.intel.com", "time": "Fri Apr 24 15:59:07 2026 +0800" }, "committer": { "name": "Tony Nguyen", "email": "anthony.l.nguyen@intel.com", "time": "Tue Jun 09 10:01:07 2026 -0700" }, "message": "igc: skip RX timestamp header for frame preemption verification\n\nWhen RX hardware timestamping is enabled, a 16-byte inline timestamp header\nis added to the start of the packet buffer, causing FPE handshake\nverification to fail.\n\nBecause an incorrect packet buffer is passed to igc_fpe_handle_mpacket(),\nthe mem_is_zero() check inspects the timestamp metadata instead of the\nactual mPacket payload. As a result, valid Verify/Response mPackets can be\nmissed when inline RX timestamps are present.\n\nPass pktbuf + pkt_offset to igc_fpe_handle_mpacket() so it inspects the\nactual mPacket payload instead of the timestamp header.\n\nFixes: 5422570c0010 (\"igc: add support for frame preemption verification\")\nCo-developed-by: Faizal Rahim \u003cfaizal.abdul.rahim@linux.intel.com\u003e\nSigned-off-by: Faizal Rahim \u003cfaizal.abdul.rahim@linux.intel.com\u003e\nSigned-off-by: KhaiWenTan \u003ckhai.wen.tan@linux.intel.com\u003e\nReviewed-by: Aleksandr Loktionov \u003caleksandr.loktionov@intel.com\u003e\nSigned-off-by: Tony Nguyen \u003canthony.l.nguyen@intel.com\u003e\n" }, { "commit": "7bd4355272de34c2e90e34b72c5613736d03c32b", "tree": "a260e951bf70931378778dbe40a023ddbd160a81", "parents": [ "d1e8f9fd6b98307bc8d2863c7baa465d8a5a43be" ], "author": { "name": "Larysa Zaremba", "email": "larysa.zaremba@intel.com", "time": "Mon May 18 13:15:04 2026 +0200" }, "committer": { "name": "Tony Nguyen", "email": "anthony.l.nguyen@intel.com", "time": "Tue Jun 09 10:01:07 2026 -0700" }, "message": "ixgbe: do not configure xps for XDP queues\n\nnetif_set_xps_queue() should not be called for an XDP Tx queue, since such\nqueues are not netdev-exposed. On systems with number of CPUs \u003e\u003d64, on E610\nadapter, netdev is configured with maximum number queue pairs being 63\n(due to MSI-X assignment), but configuring XDP results in 64 XDP queues.\n\nSo, during XDP program load, when netif_set_xps_queue() is called for the\nlast XDP queue, we get a WARNING with a call trace and KASAN report\nafterwards (if enabled).\n\n[ 2012.699800] WARNING: net/core/dev.c:2854 at __netif_set_xps_queue+0x116a/0x1e40, CPU#36: xdpsock/103668\n[...]\n[ 2012.700029] RIP: 0010:__netif_set_xps_queue+0x116a/0x1e40\n[ 2012.700035] Code: b6 34 06 48 89 f8 83 e0 07 83 c0 01 40 38 f0 7c 09 40 84 f6 0f 85 03 0a 00 00 0f b7 44 24 40 66 43 89 44 6a 18 e9 01 fb ff ff \u003c0f\u003e 0b e9 f2 ee ff ff 44 8b 44 24 44 45 85 c0 74 50 4d 85 e4 0f 84\n[ 2012.700040] RSP: 0018:ffff8882369aeb28 EFLAGS: 00010246\n[ 2012.700046] RAX: 0000000000000000 RBX: 000000000000003f RCX: 0000000000000000\n[ 2012.700050] RDX: 1ffff1111da3d891 RSI: ffff888120e34250 RDI: ffff8888ed1ec488\n[ 2012.700054] RBP: ffff888913281560 R08: 0000000000000000 R09: ffff8888ed1ec000\n[ 2012.700058] R10: ffff8888a2e83180 R11: 0000000000000000 R12: 0000000000007fa8\n[ 2012.700061] R13: 000000000000003f R14: ffff888120e34854 R15: ffff8889132817c8\n[ 2012.700065] FS: 00007fc8ea9ff740(0000) GS:ffff88884cefe000(0000) knlGS:0000000000000000\n[ 2012.700069] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 2012.700073] CR2: 00007f81c8000020 CR3: 00000002299f8006 CR4: 00000000007726f0\n[ 2012.700077] PKRU: 55555554\n[ 2012.700080] Call Trace:\n[ 2012.700084] \u003cTASK\u003e\n[ 2012.700087] ? ktime_get+0x61/0x150\n[ 2012.700097] ? usleep_range_state+0x133/0x1b0\n[ 2012.700108] ? __pfx_usleep_range_state+0x10/0x10\n[ 2012.700114] netif_set_xps_queue+0x31/0x50\n[ 2012.700119] ixgbe_configure_tx_ring+0x472/0x920 [ixgbe]\n[...]\n[ 2012.700486] ixgbe_xdp+0x38f/0x750 [ixgbe]\n\n[...]\n\n[ 2012.701094] BUG: KASAN: slab-out-of-bounds in __netif_set_xps_queue+0x1ac5/0x1e40\n[ 2012.701100] Write of size 4 at addr ffff88888d43cff8 by task xdpsock/103668\n\nSkip XPS configuration for XDP Tx queues.\n\nFixes: 33fdc82f0883 (\"ixgbe: add support for XDP_TX action\")\nReviewed-by: Alexander Lobakin \u003caleksander.lobakin@intel.com\u003e\nReviewed-by: Aleksandr Loktionov \u003caleksandr.loktionov@intel.com\u003e\nSigned-off-by: Larysa Zaremba \u003clarysa.zaremba@intel.com\u003e\nReviewed-by: Simon Horman \u003chorms@kernel.org\u003e\nTested-by: Patryk Holda \u003cpatryk.holda@intel.com\u003e\nSigned-off-by: Tony Nguyen \u003canthony.l.nguyen@intel.com\u003e\n" }, { "commit": "d1e8f9fd6b98307bc8d2863c7baa465d8a5a43be", "tree": "7fda63a2700794981ef9525fc1a23bf89e1ca600", "parents": [ "0aa05daef7848a5ac11158949dc73cd741995dc1" ], "author": { "name": "Przemyslaw Korba", "email": "przemyslaw.korba@intel.com", "time": "Mon May 25 10:38:03 2026 +0200" }, "committer": { "name": "Tony Nguyen", "email": "anthony.l.nguyen@intel.com", "time": "Tue Jun 09 10:01:07 2026 -0700" }, "message": "idpf: add padding to PTP virtchnl structures\n\nAdd padding to virtchnl2 PTP structures to match the Control Plane\nexpected message sizes:\n* virtchnl2_ptp_get_dev_clk_time: 8 -\u003e 16 bytes\n* virtchnl2_ptp_set_dev_clk_time: 8 -\u003e 16 bytes\n* virtchnl2_ptp_get_cross_time: 16 -\u003e 24 bytes\n\nThe FW expects the above sizes and PTP negotiation fails due to the\nmismatch. Previously neither the FW nor the driver checked message/reply\nsizes strictly, so the problem appeared only after recent validation\nimprovements.\n\nreproduction steps:\nptp4l -i \u003cpf\u003e -m\nObserve: failed to open /dev/ptp0: Permission denied\n\nFixes: bf27283ba594 (\"virtchnl: add PTP virtchnl definitions\")\nCc: stable@vger.kernel.org\nReviewed-by: Aleksandr Loktionov \u003caleksandr.loktionov@intel.com\u003e\nReviewed-by: Alexander Lobakin \u003caleksander.lobakin@intel.com\u003e\nSigned-off-by: Przemyslaw Korba \u003cprzemyslaw.korba@intel.com\u003e\nTested-by: Samuel Salin \u003cSamuel.salin@intel.com\u003e\nSigned-off-by: Tony Nguyen \u003canthony.l.nguyen@intel.com\u003e\n" }, { "commit": "685441a6d3f17404b47087d051963bc7fb665ef0", "tree": "c7266fb3f79a0e9fd6c4ae7feba2206afd5ca535", "parents": [ "fed2efe803e014e5c419bc7592caa8633683603e", "0c25b8734367574e21aeb8468c2e522713134da7" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Jun 09 08:24:25 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Jun 09 08:24:25 2026 -0700" }, "message": "Merge tag \u0027mm-hotfixes-stable-2026-06-08-20-51\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm\n\nPull misc fixes from Andrew Morton:\n \"11 hotfixes. 9 are for MM. 8 are cc:stable and the remaining 3 address\n post-7.1 issues or aren\u0027t considered suitable for backporting.\n\n Thre\u0027s a two-patch series \"mm/damon/{reclaim,lru_sort}: handle ctx\n allocation failures\" from SeongJae Park which fixes a couple of DAMON\n -ENOMEM bloopers. The rest are singletons - please see the individual\n changelogs for details\"\n\n* tag \u0027mm-hotfixes-stable-2026-06-08-20-51\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:\n mm/mincore: handle non-swap entries before !CONFIG_SWAP guard\n arm64: mm: call pagetable dtor when freeing hot-removed page tables\n mm/list_lru: drain before clearing xarray entry on reparent\n mm/huge_memory: use correct flags for device private PMD entry\n mm/damon/lru_sort: handle ctx allocation failure\n mm/damon/reclaim: handle ctx allocation failure\n zram: fix use-after-free in zram_bvec_write_partial()\n MAINTAINERS: update Baoquan He\u0027s email address\n tools headers UAPI: sync linux/taskstats.h for procacct.c\n mm/cma_sysfs: skip inactive CMA areas in sysfs\n ipc/shm: serialize orphan cleanup with shm_nattch updates\n" }, { "commit": "fed2efe803e014e5c419bc7592caa8633683603e", "tree": "8bfe7ac9f7e96aa8a7f135fb149c17abaae4faf2", "parents": [ "2d3090a8aeb596a26935db0955d46c9a5db5c6ce", "13e91fd076306f5d0cdfa14f53d69e37274723c4" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Jun 09 08:19:48 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Jun 09 08:19:48 2026 -0700" }, "message": "Merge tag \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma\n\nPull rdma fixes from Jason Gunthorpe:\n \"Several significant bug fixes of pre-existing issues:\n\n - Missing validation on ucap fd types passed from userspace\n\n - Missing validation of HW DMA space vs userpace expected sizes in\n EFA queue setup\n\n - DMA corruption when using DMA block sizes \u003e\u003d 4G when setting up MRs\n in all drivers\n\n - Missing validation of CPU IDs when setting up dma handles\n\n - Missing validation of IB_MR_REREG_ACCESS when changing writability\n of a MR\n\n - Missing validation of received message/packet size in ISER and SRP\"\n\n* tag \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:\n RDMA/srp: bound SRP_RSP sense copy by the received length\n IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN\n RDMA: During rereg_mr ensure that REREG_ACCESS is compatible\n RDMA/core: Validate cpu_id against nr_cpu_ids in DMAH alloc\n RDMA/umem: Fix truncation for block sizes \u003e\u003d 4G\n RDMA/efa: Validate SQ ring size against max LLQ size\n RDMA/core: Validate the passed in fops for ib_get_ucaps()\n" }, { "commit": "26aad08a928901296aabfbc7a33ecb951656bb98", "tree": "594f0c022bba117c9af59d6d44858bfd1b4b2480", "parents": [ "c381039ade2e161ab08c0eda73c4f8b9a7115928" ], "author": { "name": "Alessandro Schino", "email": "7991aleschino@gmail.com", "time": "Fri Jun 05 14:22:15 2026 +0200" }, "committer": { "name": "Steffen Klassert", "email": "steffen.klassert@secunet.com", "time": "Tue Jun 09 15:58:17 2026 +0200" }, "message": "esp: fix page frag reference leak on skb_to_sgvec failure\n\nIn esp_output_tail(), when esp-\u003einplace is false, the old skb page frags\nare replaced with a new page from the xfrm page_frag cache The source\nscatterlist (sg) is built from the old frags before the replacement, and\nesp_ssg_unref() is responsible for releasing the old page references\nafter the crypto operation completes\n\nHowever, if the second skb_to_sgvec() call (which builds the destination\nscatterlist from the new page) fails, the code jumps to error_free which\nonly calls kfree(tmp). The old page frag references captured in the\nsource scatterlist are never released:\n\n 1 sg[] is built from old frags via skb_to_sgvec() (no extra get_page)\n 2 nr_frags is set to 1 and frag[0] is replaced with the new page\n 3 Second skb_to_sgvec() fails -\u003e goto error_free\n\nFix this by adding a bool parameter to esp_ssg_unref() that, when true,\nunconditionally unrefs the source scatterlist frags. Since req-\u003esrc is\nnot yet initialized by aead_request_set_crypt() at the point of the\nerror, the source scatterlist is obtained directly via esp_req_sg()\nExisting callers pass false to preserve the original behavior\n\nThe same issue exists in both esp4 and esp6 as the code is identical\n\nFixes: cac2661c53f3 (\"esp4: Avoid skb_cow_data whenever possible\")\nFixes: 03e2a30f6a27 (\"esp6: Avoid skb_cow_data whenever possible\")\nSigned-off-by: Alessandro Schino \u003c7991aleschino@gmail.com\u003e\nSigned-off-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\n" }, { "commit": "0aa05daef7848a5ac11158949dc73cd741995dc1", "tree": "f43b5a45703e3216ad34832b6bba3654ab32bb31", "parents": [ "004e9ecfe6c5384f9e0b2f6f6389d42ec22789af", "881a3113b74964918cdd72747e3bc119c02b0c0c" ], "author": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 09 15:23:15 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 09 15:23:15 2026 +0200" }, "message": "Merge branch \u0027net-mctp-usb-minor-fixes-for-mctp-over-usb-transport-driver\u0027\n\nJeremy Kerr says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnet: mctp: usb: minor fixes for MCTP over USB transport driver\n\nThis series adds a couple of fixes in the ndo_open / ndo_stop path for\nthe MCTP over USB transport, where we are incorrectly sequencing two\nerror cases.\n\nSigned-off-by: Jeremy Kerr \u003cjk@codeconstruct.com.au\u003e\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260608-dev-mctp-usb-rx-requeue-v2-0-29a3aa507609@codeconstruct.com.au\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "881a3113b74964918cdd72747e3bc119c02b0c0c", "tree": "f43b5a45703e3216ad34832b6bba3654ab32bb31", "parents": [ "54665dce982689e2fd99b32e9a0dcc204fda8a51" ], "author": { "name": "Jeremy Kerr", "email": "jk@codeconstruct.com.au", "time": "Mon Jun 08 09:25:41 2026 +0800" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 09 15:23:13 2026 +0200" }, "message": "net: mctp: usb: don\u0027t fail mctp_usb_rx_queue on a deferred submission\n\nIn the ndo_open path, a deferred queue open will report a failure, and\nso the netdev will not be ndo_stop()ed, leaving us with the rx_retry\nwork potentially pending.\n\nDon\u0027t report a deferred queue as an error, as we are still operational.\nThis means we use the ndo_stop() path for future cleanup, which handles\nrx_retry_work cancellation.\n\nFixes: 0791c0327a6e (\"net: mctp: Add MCTP USB transport driver\")\nSigned-off-by: Jeremy Kerr \u003cjk@codeconstruct.com.au\u003e\nLink: https://patch.msgid.link/20260608-dev-mctp-usb-rx-requeue-v2-2-29a3aa507609@codeconstruct.com.au\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "54665dce982689e2fd99b32e9a0dcc204fda8a51", "tree": "7670d788fe22a6c7836a475494a28ba117ce7e17", "parents": [ "004e9ecfe6c5384f9e0b2f6f6389d42ec22789af" ], "author": { "name": "Jeremy Kerr", "email": "jk@codeconstruct.com.au", "time": "Mon Jun 08 09:25:40 2026 +0800" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 09 15:23:13 2026 +0200" }, "message": "net: mctp: usb: fix race between urb completion and rx_retry cancellation\n\nIt\u0027s possible that sequencing between setting -\u003estopped and cancelling\nthe rx_retry work (in ndo_stop) could leave us with an urb queued:\n\n T1: ndo_stop T2: rx_retry_work\n ------------ ----------------\n LD: -\u003estopped \u003d\u003e false\n ST: -\u003estopped \u003c\u003d true\n usb_kill_urb()\n mctp_usb_rx_queue()\n usb_submit_urb()\n cancel_delayed_work_sync()\n\nThat urb completion can then re-schedule rx_retry_work.\n\nStrenghen the sequencing between the stop (preventing another requeue)\nand the cancel by updating both atomically under a new rx lock. After\nsetting -\u003erx_stopped, and cancelling pending work, we know that the\nrequeue cannot occur, so all that\u0027s left is killing any pending urb.\n\nFixes: 0791c0327a6e (\"net: mctp: Add MCTP USB transport driver\")\nSigned-off-by: Jeremy Kerr \u003cjk@codeconstruct.com.au\u003e\nLink: https://patch.msgid.link/20260608-dev-mctp-usb-rx-requeue-v2-1-29a3aa507609@codeconstruct.com.au\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "1c1e0fc88d6ef65bf15d517853251f75ab9d18c3", "tree": "adf34faa4f14178dc807b1ee176a0a21eceabce1", "parents": [ "446e8c31d0fc7f1d92c06c2d2f7e7ed27f55f0c6" ], "author": { "name": "Marco Scardovi", "email": "scardracs@disroot.org", "time": "Mon Jun 08 01:05:02 2026 +0200" }, "committer": { "name": "Bartosz Golaszewski", "email": "bartosz.golaszewski@oss.qualcomm.com", "time": "Tue Jun 09 13:24:20 2026 +0200" }, "message": "gpio: rockchip: fix generic IRQ chip leak on remove\n\nThe driver allocates domain generic chips using\nirq_alloc_domain_generic_chips() during probe. However, on driver\nremove/teardown, the generic chips are not automatically freed when the\nIRQ domain is removed because the domain flags do not include\nIRQ_DOMAIN_FLAG_DESTROY_GC.\n\nThis causes both the domain generic chips structure and the associated\ngeneric chips to be leaked. Additionally, the generic chips remain on\nthe global gc_list and may later be visited by generic IRQ chip suspend,\nresume, or shutdown callbacks after the GPIO bank has been removed,\npotentially resulting in a use-after-free and kernel crash.\n\nFix the resource leak by explicitly calling\nirq_domain_remove_generic_chips() before removing the IRQ domain in\nrockchip_gpio_remove().\n\nFixes: 936ee2675eee (\"gpio/rockchip: add driver for rockchip gpio\")\nAssisted-by: Antigravity:gemini-3.5-flash\nSigned-off-by: Marco Scardovi \u003cscardracs@disroot.org\u003e\nLink: https://patch.msgid.link/20260607230504.35392-2-scardracs@disroot.org\nSigned-off-by: Bartosz Golaszewski \u003cbartosz.golaszewski@oss.qualcomm.com\u003e\n" }, { "commit": "446e8c31d0fc7f1d92c06c2d2f7e7ed27f55f0c6", "tree": "37d6a8410f1214db8279640beecb35aa423aaac8", "parents": [ "6edb934de9bda3b7abcec856eaee6fc8b4278dd1" ], "author": { "name": "Samuel Moelius", "email": "sam.moelius@trailofbits.com", "time": "Tue Jun 09 00:45:38 2026 +0000" }, "committer": { "name": "Bartosz Golaszewski", "email": "bartosz.golaszewski@oss.qualcomm.com", "time": "Tue Jun 09 13:19:56 2026 +0200" }, "message": "gpio: mockup: reject invalid gpio_mockup_ranges widths\n\ngpio-mockup validates only that each second gpio_mockup_ranges value is\nnon-negative before creating the mock chips. The fixed-base form uses\nthe second value as the first GPIO number after the range, while the\ndynamic-base form uses it as the number of GPIOs.\n\ngpio_mockup_register_chip() stores the resulting number of GPIOs in a\nu16 and passes it through a PROPERTY_ENTRY_U16(\"nr-gpios\", ...). Values\ngreater than U16_MAX therefore truncate silently. For example,\ngpio_mockup_ranges\u003d-1,65537 creates a one-line mock GPIO chip instead of\nrejecting the invalid request.\n\nReject zero-width, reversed, and over-U16 ranges before registering any\nmock chip.\n\nAssisted-by: Codex:gpt-5.5-cyber-preview\nSigned-off-by: Samuel Moelius \u003csam.moelius@trailofbits.com\u003e\nLink: https://patch.msgid.link/20260609004538.1240091.3fba33a20b88.gpio-mockup-ngpio-u16-truncation@trailofbits.com\nSigned-off-by: Bartosz Golaszewski \u003cbartosz.golaszewski@oss.qualcomm.com\u003e\n" }, { "commit": "6edb934de9bda3b7abcec856eaee6fc8b4278dd1", "tree": "ace584cea97c1379a1bd19e312c5fbe3d7e6f11f", "parents": [ "b9ad50d7505ebd48282ec3630258dc820fc85c81" ], "author": { "name": "Ruoyu Wang", "email": "ruoyuw560@gmail.com", "time": "Tue Jun 09 15:33:13 2026 +0800" }, "committer": { "name": "Bartosz Golaszewski", "email": "bartosz.golaszewski@oss.qualcomm.com", "time": "Tue Jun 09 13:19:13 2026 +0200" }, "message": "gpio: zynq: fix runtime PM leak on remove\n\npm_runtime_get_sync() increments the runtime PM usage counter even when it\nreturns an error. zynq_gpio_remove() uses it to keep the controller active\nwhile removing the GPIO chip, but never drops the usage counter again.\n\nBalance the get with pm_runtime_put_noidle() after disabling runtime PM.\n\nFixes: 3242ba117e9b (\"gpio: Add driver for Zynq GPIO controller\")\nSigned-off-by: Ruoyu Wang \u003cruoyuw560@gmail.com\u003e\nLink: https://patch.msgid.link/20260609073313.5-1-ruoyuw560@gmail.com\nSigned-off-by: Bartosz Golaszewski \u003cbartosz.golaszewski@oss.qualcomm.com\u003e\n" }, { "commit": "004e9ecfe6c5384f9e0b2f6f6389d42ec22789af", "tree": "6a28a8eccb1a11b23baf8d60a64e5cf40bf0b7fe", "parents": [ "09a5bf856aa759513afc4afd233d15bcc711b84e" ], "author": { "name": "Anton Leontev", "email": "leontyevantony@gmail.com", "time": "Thu Jun 04 19:59:38 2026 +0300" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 09 13:16:30 2026 +0200" }, "message": "hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf\n\nnetvsc_copy_to_send_buf() copies page buffer entries into the VMBus\nsend buffer using phys_to_virt() on the entry PFN. Entries for the\nRNDIS header and the skb linear data come from kmalloc\u0027d memory and\nare always in the kernel direct map, but entries for skb fragments\nreference page cache or user pages, which on 32-bit x86 with\nCONFIG_HIGHMEM\u003dy can live above the LOWMEM boundary. For such a page\nphys_to_virt() returns an address outside the direct map and the\nsubsequent memcpy() faults on the transmit softirq path, which is\nfatal.\n\nMap the pages with kmap_local_page() instead, handling two properties\nof the page buffer entries:\n\n - pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity,\n not a native PFN. Reconstruct the physical address first and derive\n the native page from it, so the mapping stays correct where\n PAGE_SIZE \u003e HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages).\n\n - Since commit 41a6328b2c55 (\"hv_netvsc: Preserve contiguous PFN\n grouping in the page buffer array\"), an entry describes a full\n physically contiguous fragment and pb[i].len can exceed PAGE_SIZE,\n while kmap_local_page() maps a single page. Copy page by page,\n splitting at native page boundaries.\n\nThe copy path only handles packets smaller than the send section size\n(6144 bytes by default); larger packets take the cp_partial path where\nonly the RNDIS header is copied. So entries here are bounded by the\nsection size and a copy is split at most once on 4K-page systems. On\n!CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and\nno mapping work is added.\n\nFixes: c25aaf814a63 (\"hyperv: Enable sendbuf mechanism on the send path\")\nCc: stable@vger.kernel.org\nSigned-off-by: Anton Leontev \u003cleontyevantony@gmail.com\u003e\nLink: https://patch.msgid.link/20260604165938.32033-1-leontyevantony@gmail.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "09a5bf856aa759513afc4afd233d15bcc711b84e", "tree": "84ad7159664bb8d9825cf9fe802495045a9a678e", "parents": [ "333b6d5bb9f87827ac2639c737bf9613dbae7253" ], "author": { "name": "Dawei Feng", "email": "dawei.feng@seu.edu.cn", "time": "Thu Jun 04 22:37:56 2026 +0800" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 09 12:30:41 2026 +0200" }, "message": "octeontx2-af: fix memory leak in rvu_setup_hw_resources()\n\nIf rvu_npc_exact_init() fails in rvu_setup_hw_resources(), the function\nreturns directly instead of jumping to the error handling path. This\ncauses a resource leak for the previously initialized CGX, NPC, fwdata,\nand MSI-X states.\n\nFix this by replacing the direct return with goto cgx_err to ensure\nproper cleanup.\n\nThe bug was first flagged by an experimental analysis tool we are\ndeveloping for kernel memory-management bugs while analyzing\nv6.13-rc1. The tool is still under development and is not yet publicly\navailable. Manual inspection confirms that the bug is still present in\nv7.1-rc6.\n\nAn x86_64 allyesconfig build showed no new warnings. As we do not have\naccess to Marvell OcteonTX2 RVU AF hardware to test with, no runtime\ntesting was able to be performed.\n\nFixes: 3571fe07a090 (\"octeontx2-af: Drop rules for NPC MCAM\")\nCc: stable@vger.kernel.org\nSigned-off-by: Dawei Feng \u003cdawei.feng@seu.edu.cn\u003e\nSigned-off-by: Zilin Guan \u003czilin@seu.edu.cn\u003e\nLink: https://patch.msgid.link/20260604143756.1524482-1-dawei.feng@seu.edu.cn\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "333b6d5bb9f87827ac2639c737bf9613dbae7253", "tree": "5e37bc8cd9386ca8d934dac18bfd9bcbbafdc189", "parents": [ "19440600e729d4f74a42591a872099cf25c7d28a" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jun 04 12:46:00 2026 +0100" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 09 11:28:17 2026 +0200" }, "message": "rxrpc: Fix the ACK parser to extract the SACK table for parsing\n\nFix modification of the received skbuff in rxrpc_input_soft_acks() and a\npotential incorrect access of the buffer in a fragmented UDP packet (the\npacket would probably have to be deliberately pre-generated as fragmented)\nwhen AF_RXRPC tries to extract the contents of the SACK table by copying\nout the contents of the SACK table into a buffer before attempting to parse\n\nAF_RXRPC assumes that it can just call skb_condense() and then validly\naccess the SACK table from skb-\u003edata and that it will be a flat buffer -\nbut skb_condense() can silently fail to do anything under some\ncircumstances.\n\nNote that whilst rxrpc_input_soft_acks() should be able to parse extended\nACKs, the rest of AF_RXRPC doesn\u0027t currently support that.\n\nFurther, there\u0027s then no need to call skb_condense() in rxrpc_input_ack(),\nso don\u0027t.\n\nFixes: d57a3a151660 (\"rxrpc: Save last ACK\u0027s SACK table rather than marking txbufs\")\nReported-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260513180907.2061972-1-michael.bommarito@gmail.com\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\ncc: Marc Dionne \u003cmarc.dionne@auristor.com\u003e\ncc: Jeffrey Altman \u003cjaltman@auristor.com\u003e\ncc: Eric Dumazet \u003cedumazet@google.com\u003e\ncc: \"David S. Miller\" \u003cdavem@davemloft.net\u003e\ncc: Jakub Kicinski \u003ckuba@kernel.org\u003e\ncc: Paolo Abeni \u003cpabeni@redhat.com\u003e\ncc: Simon Horman \u003chorms@kernel.org\u003e\ncc: linux-afs@lists.infradead.org\ncc: netdev@vger.kernel.org\ncc: stable@kernel.org\nLink: https://patch.msgid.link/105362.1780573560@warthog.procyon.org.uk\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "19440600e729d4f74a42591a872099cf25c7d28a", "tree": "aa88453485536e8804e0a736557f89fb6d04f019", "parents": [ "ee30dd2909d8b98619f4341c70ec8dc8e155ab02" ], "author": { "name": "Chih Kai Hsu", "email": "hsu.chih.kai@realtek.com", "time": "Thu Jun 04 17:22:47 2026 +0800" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 09 11:05:35 2026 +0200" }, "message": "r8152: handle the return value of usb_reset_device()\n\nIf usb_reset_device() returns a negative error code, stop the\nprocess of probing.\n\nFixes: 10c3271712f5 (\"r8152: disable the ECM mode\")\nSigned-off-by: Chih Kai Hsu \u003chsu.chih.kai@realtek.com\u003e\nReviewed-by: Hayes Wang \u003chayeswang@realtek.com\u003e\nReviewed-by: Andrew Lunn \u003candrew@lunn.ch\u003e\nLink: https://patch.msgid.link/20260604092247.27158-450-nic_swsd@realtek.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "ee30dd2909d8b98619f4341c70ec8dc8e155ab02", "tree": "b85be7a21a6a37c9e7fe657b8422ec0da670a7bd", "parents": [ "f0e42f0c4337b1f220de1ddd63f47197c7dee4de" ], "author": { "name": "Adrian Moreno", "email": "amorenoz@redhat.com", "time": "Thu Jun 04 14:19:46 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 20:13:02 2026 -0700" }, "message": "net: openvswitch: fix possible kfree_skb of ERR_PTR\n\nAfter the patch in the \"Fixes\" tag, the allocation of the \"reply\" skb\ncan happen either before or after locking the ovs_mutex.\n\nHowever, error cleanups still follow the classical reversed order,\nassuming \"reply\" is allocated before locking: it is freed after unlocking.\n\nIf \"reply\" allocation happens after locking the mutex and it fails,\n\"reply\" is left with an ERR_PTR, and execution jumps to the correspondent\ncleanup stage which will try to free an invalid pointer.\n\nFix this by setting the pointer to NULL after having saved its error\nvalue.\n\nFixes: 893f139b9a6c (\"openvswitch: Minimize ovs_flow_cmd_new|set critical sections.\")\nSigned-off-by: Adrian Moreno \u003camorenoz@redhat.com\u003e\nReviewed-by: Aaron Conole \u003caconole@redhat.com\u003e\nAcked-by: Eelco Chaudron \u003cechaudro@redhat.com\u003e\nLink: https://patch.msgid.link/20260604121946.942164-1-amorenoz@redhat.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "f0e42f0c4337b1f220de1ddd63f47197c7dee4de", "tree": "95305c9b67d101fff9c973eb792e218b965b1ffc", "parents": [ "a7767290e77ca2e926b49f8bfa29daa12262c612" ], "author": { "name": "Kyle Zeng", "email": "kylebot@openai.com", "time": "Fri Jun 05 00:34:48 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 19:03:56 2026 -0700" }, "message": "ipv6: sit: reload inner IPv6 header after GSO offloads\n\nipip6_tunnel_xmit() caches the inner IPv6 header pointer at function\nentry and continues using it after iptunnel_handle_offloads().\n\nFor GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone().\nWhen the skb header is cloned, skb_header_unclone() can call\npskb_expand_head(), which may move the skb head. The pskb_expand_head()\ncontract requires pointers into the skb header to be reloaded after the\ncall.\n\nIf the later skb_realloc_headroom() branch is not taken, SIT uses the\nstale iph6 pointer to read the inner hop limit and DS field. That can\nread from a freed skb head after the old head\u0027s remaining clone is\nreleased.\n\nReload iph6 after the offload helper succeeds and before subsequent\nreads from the inner IPv6 header. Keep the existing reload after\nskb_realloc_headroom(), since that branch can also replace the skb.\n\nFixes: 14909664e4e1 (\"sit: Setup and TX path for sit/UDP foo-over-udp encapsulation\")\nSigned-off-by: Kyle Zeng \u003ckylebot@openai.com\u003e\nReviewed-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReported-by: syzbot+6eb9ca986d80f6f88cf9@syzkaller.appspotmail.com\nLink: https://patch.msgid.link/20260605073448.6524-1-kylebot@openai.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" } ], "next": "a7767290e77ca2e926b49f8bfa29daa12262c612" }