)]}' { "log": [ { "commit": "0aa05daef7848a5ac11158949dc73cd741995dc1", "tree": "f43b5a45703e3216ad34832b6bba3654ab32bb31", "parents": [ "004e9ecfe6c5384f9e0b2f6f6389d42ec22789af", "881a3113b74964918cdd72747e3bc119c02b0c0c" ], "author": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 09 15:23:15 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 09 15:23:15 2026 +0200" }, "message": "Merge branch \u0027net-mctp-usb-minor-fixes-for-mctp-over-usb-transport-driver\u0027\n\nJeremy Kerr says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnet: mctp: usb: minor fixes for MCTP over USB transport driver\n\nThis series adds a couple of fixes in the ndo_open / ndo_stop path for\nthe MCTP over USB transport, where we are incorrectly sequencing two\nerror cases.\n\nSigned-off-by: Jeremy Kerr \u003cjk@codeconstruct.com.au\u003e\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260608-dev-mctp-usb-rx-requeue-v2-0-29a3aa507609@codeconstruct.com.au\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "881a3113b74964918cdd72747e3bc119c02b0c0c", "tree": "f43b5a45703e3216ad34832b6bba3654ab32bb31", "parents": [ "54665dce982689e2fd99b32e9a0dcc204fda8a51" ], "author": { "name": "Jeremy Kerr", "email": "jk@codeconstruct.com.au", "time": "Mon Jun 08 09:25:41 2026 +0800" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 09 15:23:13 2026 +0200" }, "message": "net: mctp: usb: don\u0027t fail mctp_usb_rx_queue on a deferred submission\n\nIn the ndo_open path, a deferred queue open will report a failure, and\nso the netdev will not be ndo_stop()ed, leaving us with the rx_retry\nwork potentially pending.\n\nDon\u0027t report a deferred queue as an error, as we are still operational.\nThis means we use the ndo_stop() path for future cleanup, which handles\nrx_retry_work cancellation.\n\nFixes: 0791c0327a6e (\"net: mctp: Add MCTP USB transport driver\")\nSigned-off-by: Jeremy Kerr \u003cjk@codeconstruct.com.au\u003e\nLink: https://patch.msgid.link/20260608-dev-mctp-usb-rx-requeue-v2-2-29a3aa507609@codeconstruct.com.au\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "54665dce982689e2fd99b32e9a0dcc204fda8a51", "tree": "7670d788fe22a6c7836a475494a28ba117ce7e17", "parents": [ "004e9ecfe6c5384f9e0b2f6f6389d42ec22789af" ], "author": { "name": "Jeremy Kerr", "email": "jk@codeconstruct.com.au", "time": "Mon Jun 08 09:25:40 2026 +0800" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 09 15:23:13 2026 +0200" }, "message": "net: mctp: usb: fix race between urb completion and rx_retry cancellation\n\nIt\u0027s possible that sequencing between setting -\u003estopped and cancelling\nthe rx_retry work (in ndo_stop) could leave us with an urb queued:\n\n T1: ndo_stop T2: rx_retry_work\n ------------ ----------------\n LD: -\u003estopped \u003d\u003e false\n ST: -\u003estopped \u003c\u003d true\n usb_kill_urb()\n mctp_usb_rx_queue()\n usb_submit_urb()\n cancel_delayed_work_sync()\n\nThat urb completion can then re-schedule rx_retry_work.\n\nStrenghen the sequencing between the stop (preventing another requeue)\nand the cancel by updating both atomically under a new rx lock. After\nsetting -\u003erx_stopped, and cancelling pending work, we know that the\nrequeue cannot occur, so all that\u0027s left is killing any pending urb.\n\nFixes: 0791c0327a6e (\"net: mctp: Add MCTP USB transport driver\")\nSigned-off-by: Jeremy Kerr \u003cjk@codeconstruct.com.au\u003e\nLink: https://patch.msgid.link/20260608-dev-mctp-usb-rx-requeue-v2-1-29a3aa507609@codeconstruct.com.au\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "004e9ecfe6c5384f9e0b2f6f6389d42ec22789af", "tree": "6a28a8eccb1a11b23baf8d60a64e5cf40bf0b7fe", "parents": [ "09a5bf856aa759513afc4afd233d15bcc711b84e" ], "author": { "name": "Anton Leontev", "email": "leontyevantony@gmail.com", "time": "Thu Jun 04 19:59:38 2026 +0300" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 09 13:16:30 2026 +0200" }, "message": "hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf\n\nnetvsc_copy_to_send_buf() copies page buffer entries into the VMBus\nsend buffer using phys_to_virt() on the entry PFN. Entries for the\nRNDIS header and the skb linear data come from kmalloc\u0027d memory and\nare always in the kernel direct map, but entries for skb fragments\nreference page cache or user pages, which on 32-bit x86 with\nCONFIG_HIGHMEM\u003dy can live above the LOWMEM boundary. For such a page\nphys_to_virt() returns an address outside the direct map and the\nsubsequent memcpy() faults on the transmit softirq path, which is\nfatal.\n\nMap the pages with kmap_local_page() instead, handling two properties\nof the page buffer entries:\n\n - pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity,\n not a native PFN. Reconstruct the physical address first and derive\n the native page from it, so the mapping stays correct where\n PAGE_SIZE \u003e HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages).\n\n - Since commit 41a6328b2c55 (\"hv_netvsc: Preserve contiguous PFN\n grouping in the page buffer array\"), an entry describes a full\n physically contiguous fragment and pb[i].len can exceed PAGE_SIZE,\n while kmap_local_page() maps a single page. Copy page by page,\n splitting at native page boundaries.\n\nThe copy path only handles packets smaller than the send section size\n(6144 bytes by default); larger packets take the cp_partial path where\nonly the RNDIS header is copied. So entries here are bounded by the\nsection size and a copy is split at most once on 4K-page systems. On\n!CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and\nno mapping work is added.\n\nFixes: c25aaf814a63 (\"hyperv: Enable sendbuf mechanism on the send path\")\nCc: stable@vger.kernel.org\nSigned-off-by: Anton Leontev \u003cleontyevantony@gmail.com\u003e\nLink: https://patch.msgid.link/20260604165938.32033-1-leontyevantony@gmail.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "09a5bf856aa759513afc4afd233d15bcc711b84e", "tree": "84ad7159664bb8d9825cf9fe802495045a9a678e", "parents": [ "333b6d5bb9f87827ac2639c737bf9613dbae7253" ], "author": { "name": "Dawei Feng", "email": "dawei.feng@seu.edu.cn", "time": "Thu Jun 04 22:37:56 2026 +0800" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 09 12:30:41 2026 +0200" }, "message": "octeontx2-af: fix memory leak in rvu_setup_hw_resources()\n\nIf rvu_npc_exact_init() fails in rvu_setup_hw_resources(), the function\nreturns directly instead of jumping to the error handling path. This\ncauses a resource leak for the previously initialized CGX, NPC, fwdata,\nand MSI-X states.\n\nFix this by replacing the direct return with goto cgx_err to ensure\nproper cleanup.\n\nThe bug was first flagged by an experimental analysis tool we are\ndeveloping for kernel memory-management bugs while analyzing\nv6.13-rc1. The tool is still under development and is not yet publicly\navailable. Manual inspection confirms that the bug is still present in\nv7.1-rc6.\n\nAn x86_64 allyesconfig build showed no new warnings. As we do not have\naccess to Marvell OcteonTX2 RVU AF hardware to test with, no runtime\ntesting was able to be performed.\n\nFixes: 3571fe07a090 (\"octeontx2-af: Drop rules for NPC MCAM\")\nCc: stable@vger.kernel.org\nSigned-off-by: Dawei Feng \u003cdawei.feng@seu.edu.cn\u003e\nSigned-off-by: Zilin Guan \u003czilin@seu.edu.cn\u003e\nLink: https://patch.msgid.link/20260604143756.1524482-1-dawei.feng@seu.edu.cn\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "333b6d5bb9f87827ac2639c737bf9613dbae7253", "tree": "5e37bc8cd9386ca8d934dac18bfd9bcbbafdc189", "parents": [ "19440600e729d4f74a42591a872099cf25c7d28a" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jun 04 12:46:00 2026 +0100" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 09 11:28:17 2026 +0200" }, "message": "rxrpc: Fix the ACK parser to extract the SACK table for parsing\n\nFix modification of the received skbuff in rxrpc_input_soft_acks() and a\npotential incorrect access of the buffer in a fragmented UDP packet (the\npacket would probably have to be deliberately pre-generated as fragmented)\nwhen AF_RXRPC tries to extract the contents of the SACK table by copying\nout the contents of the SACK table into a buffer before attempting to parse\n\nAF_RXRPC assumes that it can just call skb_condense() and then validly\naccess the SACK table from skb-\u003edata and that it will be a flat buffer -\nbut skb_condense() can silently fail to do anything under some\ncircumstances.\n\nNote that whilst rxrpc_input_soft_acks() should be able to parse extended\nACKs, the rest of AF_RXRPC doesn\u0027t currently support that.\n\nFurther, there\u0027s then no need to call skb_condense() in rxrpc_input_ack(),\nso don\u0027t.\n\nFixes: d57a3a151660 (\"rxrpc: Save last ACK\u0027s SACK table rather than marking txbufs\")\nReported-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260513180907.2061972-1-michael.bommarito@gmail.com\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\ncc: Marc Dionne \u003cmarc.dionne@auristor.com\u003e\ncc: Jeffrey Altman \u003cjaltman@auristor.com\u003e\ncc: Eric Dumazet \u003cedumazet@google.com\u003e\ncc: \"David S. Miller\" \u003cdavem@davemloft.net\u003e\ncc: Jakub Kicinski \u003ckuba@kernel.org\u003e\ncc: Paolo Abeni \u003cpabeni@redhat.com\u003e\ncc: Simon Horman \u003chorms@kernel.org\u003e\ncc: linux-afs@lists.infradead.org\ncc: netdev@vger.kernel.org\ncc: stable@kernel.org\nLink: https://patch.msgid.link/105362.1780573560@warthog.procyon.org.uk\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "19440600e729d4f74a42591a872099cf25c7d28a", "tree": "aa88453485536e8804e0a736557f89fb6d04f019", "parents": [ "ee30dd2909d8b98619f4341c70ec8dc8e155ab02" ], "author": { "name": "Chih Kai Hsu", "email": "hsu.chih.kai@realtek.com", "time": "Thu Jun 04 17:22:47 2026 +0800" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 09 11:05:35 2026 +0200" }, "message": "r8152: handle the return value of usb_reset_device()\n\nIf usb_reset_device() returns a negative error code, stop the\nprocess of probing.\n\nFixes: 10c3271712f5 (\"r8152: disable the ECM mode\")\nSigned-off-by: Chih Kai Hsu \u003chsu.chih.kai@realtek.com\u003e\nReviewed-by: Hayes Wang \u003chayeswang@realtek.com\u003e\nReviewed-by: Andrew Lunn \u003candrew@lunn.ch\u003e\nLink: https://patch.msgid.link/20260604092247.27158-450-nic_swsd@realtek.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "ee30dd2909d8b98619f4341c70ec8dc8e155ab02", "tree": "b85be7a21a6a37c9e7fe657b8422ec0da670a7bd", "parents": [ "f0e42f0c4337b1f220de1ddd63f47197c7dee4de" ], "author": { "name": "Adrian Moreno", "email": "amorenoz@redhat.com", "time": "Thu Jun 04 14:19:46 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 20:13:02 2026 -0700" }, "message": "net: openvswitch: fix possible kfree_skb of ERR_PTR\n\nAfter the patch in the \"Fixes\" tag, the allocation of the \"reply\" skb\ncan happen either before or after locking the ovs_mutex.\n\nHowever, error cleanups still follow the classical reversed order,\nassuming \"reply\" is allocated before locking: it is freed after unlocking.\n\nIf \"reply\" allocation happens after locking the mutex and it fails,\n\"reply\" is left with an ERR_PTR, and execution jumps to the correspondent\ncleanup stage which will try to free an invalid pointer.\n\nFix this by setting the pointer to NULL after having saved its error\nvalue.\n\nFixes: 893f139b9a6c (\"openvswitch: Minimize ovs_flow_cmd_new|set critical sections.\")\nSigned-off-by: Adrian Moreno \u003camorenoz@redhat.com\u003e\nReviewed-by: Aaron Conole \u003caconole@redhat.com\u003e\nAcked-by: Eelco Chaudron \u003cechaudro@redhat.com\u003e\nLink: https://patch.msgid.link/20260604121946.942164-1-amorenoz@redhat.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "f0e42f0c4337b1f220de1ddd63f47197c7dee4de", "tree": "95305c9b67d101fff9c973eb792e218b965b1ffc", "parents": [ "a7767290e77ca2e926b49f8bfa29daa12262c612" ], "author": { "name": "Kyle Zeng", "email": "kylebot@openai.com", "time": "Fri Jun 05 00:34:48 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 19:03:56 2026 -0700" }, "message": "ipv6: sit: reload inner IPv6 header after GSO offloads\n\nipip6_tunnel_xmit() caches the inner IPv6 header pointer at function\nentry and continues using it after iptunnel_handle_offloads().\n\nFor GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone().\nWhen the skb header is cloned, skb_header_unclone() can call\npskb_expand_head(), which may move the skb head. The pskb_expand_head()\ncontract requires pointers into the skb header to be reloaded after the\ncall.\n\nIf the later skb_realloc_headroom() branch is not taken, SIT uses the\nstale iph6 pointer to read the inner hop limit and DS field. That can\nread from a freed skb head after the old head\u0027s remaining clone is\nreleased.\n\nReload iph6 after the offload helper succeeds and before subsequent\nreads from the inner IPv6 header. Keep the existing reload after\nskb_realloc_headroom(), since that branch can also replace the skb.\n\nFixes: 14909664e4e1 (\"sit: Setup and TX path for sit/UDP foo-over-udp encapsulation\")\nSigned-off-by: Kyle Zeng \u003ckylebot@openai.com\u003e\nReviewed-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReported-by: syzbot+6eb9ca986d80f6f88cf9@syzkaller.appspotmail.com\nLink: https://patch.msgid.link/20260605073448.6524-1-kylebot@openai.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "a7767290e77ca2e926b49f8bfa29daa12262c612", "tree": "9bd124d5be3b39ecc4c0c96ad0b6b8e80d183c36", "parents": [ "b69004f5a6ad32da84d8aa5b23b9c0caafe6252e" ], "author": { "name": "Fushuai Wang", "email": "wangfushuai@baidu.com", "time": "Fri Jun 05 18:21:12 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 19:00:36 2026 -0700" }, "message": "net/mlx5: Use effective affinity mask for IRQ selection\n\nWhen a sf is created after a CPU has been taken offline, the IRQ pool may\ncontain IRQs with affinity masks that include the offline CPU. Since only\nonline CPUs should be considered for IRQ placement, cpumask_subset() check\nwould fail because the iter_mask contains offline CPUs that are not present\nin req_mask, causing sf creation to fail.\n\nThis is an example:\n 1. When mlx5 driver loads, it initializes the IRQ pools.\n For sf_ctrl_pool with ≤64 sf:\n - xa_num_irqs \u003d {N, N} (There is only one slot)\n 2. When the first SF is created:\n - The ctrl IRQ is allocated with mask\u003dcpu_online_mask\u003d{0-191}\n 2. We take CPU 20 offline\n 3. Existing ctl irq still have mask\u003d{0-191}\n 4. Create a new SF:\n - req_mask\u003d{0-19,21-191}\n - iter_mask\u003d{0-191}\n - {0-191} is NOT a subset of {0-19,21-191}\n - least_loaded_irq\u003dNULL\n 5. Try to allocate a new irq via irq_pool_request_irq()\n 6. xa_alloc() fails because the pool is full(There is only one slot)\n 7. sf creation fails with error\n\nUse irq_get_effective_affinity_mask() instead, which returns the IRQ\u0027s\nactual effective affinity that already excludes offline CPUs.\n\nFixes: 061f5b23588a (\"net/mlx5: SF, Use all available cpu for setting cpu affinity\")\nSuggested-by: Shay Drory \u003cshayd@nvidia.com\u003e\nSigned-off-by: Fushuai Wang \u003cwangfushuai@baidu.com\u003e\nReviewed-by: Shay Drory \u003cshayd@nvidia.com\u003e\nReviewed-by: Tariq Toukan \u003ctariqt@nvidia.com\u003e\nLink: https://patch.msgid.link/20260605102112.91772-1-fushuai.wang@linux.dev\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "b69004f5a6ad32da84d8aa5b23b9c0caafe6252e", "tree": "d5685db5bb86dc67b39f17dc09caf5b856f1759d", "parents": [ "894e036a24a26a6dd7b17d8d3fb5c53ab48a6074" ], "author": { "name": "Dragos Tatulea", "email": "dtatulea@nvidia.com", "time": "Thu Jun 04 16:54:46 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 18:56:30 2026 -0700" }, "message": "net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure\n\nIn the XSK branch of mlx5e_xmit_xdp_buff(), when sq-\u003exmit_xdp_frame()\nreturns false (e.g. XDPSQ is full), the function returns without\nunmapping the DMA address or freeing the xdp_frame allocated by\nxdp_convert_zc_to_xdp_frame(). The xdpi_fifo push only happens on\nsuccess, so the completion path cannot recover these entries.\n\nWith CONFIG_DMA_API_DEBUG\u003dy, the leak surfaces on driver unbind:\n\n DMA-API: pci 0000:08:00.0: device driver has pending DMA\n allocations while released from device [count\u003d1116]\n One of leaked entries details: [device address\u003d0x000000010ffd7028]\n [size\u003d1534 bytes] [mapped with DMA_TO_DEVICE] [mapped as phy]\n WARNING: kernel/dma/debug.c:881 at dma_debug_device_change+0x127/0x180\n ...\n DMA-API: Mapped at:\n debug_dma_map_phys+0x4b/0xd0\n dma_map_phys+0xfd/0x2d0\n mlx5e_xdp_handle+0x5ae/0xac0 [mlx5_core]\n mlx5e_xsk_skb_from_cqe_mpwrq_linear+0xc4/0x170 [mlx5_core]\n mlx5e_handle_rx_cqe_mpwrq+0xc1/0x290 [mlx5_core]\n\nAdd the missing unmap + xdp_return_frame, matching the cleanup already\ndone in mlx5e_xdp_xmit(). has_frags is rejected earlier in this branch,\nso no per-frag unmap is needed.\n\nFixes: 84a0a2310d6d (\"net/mlx5e: XDP_TX from UMEM support\")\nSigned-off-by: Dragos Tatulea \u003cdtatulea@nvidia.com\u003e\nSigned-off-by: Tariq Toukan \u003ctariqt@nvidia.com\u003e\nLink: https://patch.msgid.link/20260604135446.456119-1-tariqt@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "894e036a24a26a6dd7b17d8d3fb5c53ab48a6074", "tree": "ae65289297e59d38c043e2040356238dd3665676", "parents": [ "a2171131ecda1ed61a594a1eb715e75fdad0fef5" ], "author": { "name": "Dragos Tatulea", "email": "dtatulea@nvidia.com", "time": "Thu Jun 04 16:58:49 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 18:56:18 2026 -0700" }, "message": "net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list\n\nmlx5_query_nic_vport_mac_list() sizes its firmware command buffer using\nthe PF\u0027s log_max_current_uc/mc_list capabilities. When querying a VF\nvport with a larger configured max (via devlink), the firmware response\ncan overflow this buffer:\n\n BUG: KASAN: slab-out-of-bounds in mlx5_query_nic_vport_mac_list+0x453/0x4c0 [mlx5_core]\n Read of size 4 at addr ff1100013ffc8a12 by task kworker/u96:2/385\n\n CPU: 12 UID: 0 PID: 385 Comm: kworker/u96:2 Not tainted 7.0.0-rc6+ #1 PREEMPT\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)\n Workqueue: mlx5_esw_wq esw_vport_change_handler [mlx5_core]\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x69/0xa0\n print_report+0x176/0x4e4\n kasan_report+0xc8/0x100\n mlx5_query_nic_vport_mac_list+0x453/0x4c0 [mlx5_core]\n esw_update_vport_addr_list+0x2e3/0xda0 [mlx5_core]\n esw_vport_change_handle_locked+0xa1f/0x1060 [mlx5_core]\n esw_vport_change_handler+0x6a/0x90 [mlx5_core]\n process_one_work+0x87f/0x15e0\n worker_thread+0x62b/0x1020\n kthread+0x375/0x490\n ret_from_fork+0x4dc/0x810\n ret_from_fork_asm+0x11/0x20\n \u003c/TASK\u003e\n\nFix by querying the vport\u0027s own HCA caps to size the buffer correctly.\nRefactor the function to allocate and return the MAC list internally,\nremoving the caller\u0027s dependency on knowing the correct max.\n\nFixes: e16aea2744ab (\"net/mlx5: Introduce access functions to modify/query vport mac lists\")\nSigned-off-by: Dragos Tatulea \u003cdtatulea@nvidia.com\u003e\nReviewed-by: Carolina Jubran \u003ccjubran@nvidia.com\u003e\nSigned-off-by: Tariq Toukan \u003ctariqt@nvidia.com\u003e\nLink: https://patch.msgid.link/20260604135849.458060-1-tariqt@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "a2171131ecda1ed61a594a1eb715e75fdad0fef5", "tree": "e8bba0e5fbcc81caa276f433164d6d3d32a77197", "parents": [ "83fc67ccbd2339e1beb21c361a92c45b177cf9d7" ], "author": { "name": "Mingyu Wang", "email": "25181214217@stu.xidian.edu.cn", "time": "Thu Jun 04 14:48:01 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 18:45:38 2026 -0700" }, "message": "net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove\n\nIn qrtr_port_remove(), the socket reference count is decremented via\n__sock_put() before the port is removed from the qrtr_ports XArray and\nbefore the RCU grace period elapses.\n\nThis breaks the fundamental RCU update paradigm. It exposes a race\nwindow where a concurrent RCU reader (such as qrtr_reset_ports() or\nqrtr_port_lookup()) can obtain a pointer to the socket from the XArray,\nand attempt to call sock_hold() on a socket whose reference count has\nalready dropped to zero.\n\nThis exact race condition was hit during syzkaller fuzzing, leading to\nthe following refcount saturation warning and a potential Use-After-Free:\n\n refcount_t: saturated; leaking memory.\n WARNING: CPU: 3 PID: 1273 at lib/refcount.c:22 refcount_warn_saturate+0xae/0x1d0\n Modules linked in: qrtr(+) bochs drm_shmem_helper ...\n Call Trace:\n \u003cTASK\u003e\n qrtr_reset_ports net/qrtr/af_qrtr.c:768 [inline] [qrtr]\n __qrtr_bind.isra.0+0x48b/0x570 net/qrtr/af_qrtr.c:805 [qrtr]\n qrtr_bind+0x17d/0x210 net/qrtr/af_qrtr.c:901 [qrtr]\n kernel_bind+0xe4/0x120 net/socket.c:3592\n qrtr_ns_init+0x1a6/0x380 net/qrtr/ns.c:715 [qrtr]\n qrtr_proto_init+0x3b/0xff0 net/qrtr/af_qrtr.c:169 [qrtr]\n do_one_initcall+0xf5/0x5e0 init/main.c:1283\n ...\n \u003c/TASK\u003e\n\nFix this by deferring the reference count decrement until after the\nxa_erase() and the synchronize_rcu() complete.\n\n(Note: The v1 of this patch incorrectly replaced __sock_put() with\nsock_put(). As Simon Horman pointed out, the callers of qrtr_port_remove()\nstill hold a reference to the socket, so freeing the socket memory here\nwould lead to a subsequent UAF in the caller. Thus, the __sock_put() is\nkept, but only repositioned to close the RCU race.)\n\nFixes: bdabad3e363d (\"net: Add Qualcomm IPC router\")\nSigned-off-by: Mingyu Wang \u003c25181214217@stu.xidian.edu.cn\u003e\nReviewed-by: Simon Horman \u003chorms@kernel.org\u003e\nLink: https://patch.msgid.link/20260604064801.1180388-1-w15303746062@163.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "83fc67ccbd2339e1beb21c361a92c45b177cf9d7", "tree": "b0414a2c41d4c6a3aa525b8a5ab52abc6c365fa5", "parents": [ "c849de7d8757a7af801fc4a4058f71d481d367f2", "5a0082ec20a05ef2378410323a5089a8f1786f4a" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 17:43:29 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 17:43:29 2026 -0700" }, "message": "Merge branch \u0027net-phy-some-cleanups-following-phy_port-sfp\u0027\n\nMaxime Chevallier says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnet: phy: some cleanups following phy_port SFP\n\nWhile posting the v11 of phy_port netlink, sashiko found some\npre-existing issues, and following the tentative fix, Nicolai found\nsome more :)\n\nThis is V3, with a re-ordering of the port/sfp cleanup, as well as a new\npatch (patch 3) that also reorders the phy_remove() path.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260604092819.723505-1-maxime.chevallier@bootlin.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "5a0082ec20a05ef2378410323a5089a8f1786f4a", "tree": "b0414a2c41d4c6a3aa525b8a5ab52abc6c365fa5", "parents": [ "4497f5028675b7e51c4aa59c3f4df01f29424277" ], "author": { "name": "Maxime Chevallier", "email": "maxime.chevallier@bootlin.com", "time": "Thu Jun 04 11:28:18 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 17:43:27 2026 -0700" }, "message": "net: phy: don\u0027t try to setup PHY-driven SFP cages when using genphy\n\nWe don\u0027t have support for PHY-driver SFP cages with the genphy code.\n\nOn top of that, it was found by sashiko that running\nsfp_bus_add_upstream() for genphy deadlocks, as for genphy the PHY\nprobing runs under RTNL, which isn\u0027t the case for non-genphy drivers.\n\nThis problem was reproduced, and does lead to a deadlock on RTNL.\n\nBefore the blamed commit, the phy_sfp_probe() call was made by\nindividual PHY drivers, so there was no way to get to the SFP probing\npath when using genphy.\n\nLet\u0027s therefore only run phy_sfp_probe when not using genphy.\n\nReviewed-by: Nicolai Buchwitz \u003cnb@tipi-net.de\u003e\nFixes: bad869b5e41a (\"net: phy: Only rely on phy_port for PHY-driven SFP\")\nSigned-off-by: Maxime Chevallier \u003cmaxime.chevallier@bootlin.com\u003e\nLink: https://patch.msgid.link/20260604092819.723505-5-maxime.chevallier@bootlin.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "4497f5028675b7e51c4aa59c3f4df01f29424277", "tree": "3e30857ffcb3b2dbc5d9fc7db96442604a42185d", "parents": [ "b1e780bb37c641d8291c51d7b4bde33450d18fb4" ], "author": { "name": "Maxime Chevallier", "email": "maxime.chevallier@bootlin.com", "time": "Thu Jun 04 11:28:17 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 17:43:27 2026 -0700" }, "message": "net: phy: Clean the phy_ports after unregistering the downstream SFP bus\n\nAs reported by sashiko when looking a other patches, we need to ensure\nthat the downstream SFP bus gets unregistered prior to destroying the\nphy_ports attached to a phy_device, as the SFP code may reference these\nports. Let\u0027s make sure we follow that ordering in phy_remove().\n\nFixes: 589e934d2735 (\"net: phy: Introduce PHY ports representation\")\nSigned-off-by: Maxime Chevallier \u003cmaxime.chevallier@bootlin.com\u003e\nReviewed-by: Nicolai Buchwitz \u003cnb@tipi-net.de\u003e\nLink: https://patch.msgid.link/20260604092819.723505-4-maxime.chevallier@bootlin.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "b1e780bb37c641d8291c51d7b4bde33450d18fb4", "tree": "0149de970ea9c28269d73273c8a65c41a71a0290", "parents": [ "48774e87bbaa0056819d4b52301e4692e50e3252" ], "author": { "name": "Maxime Chevallier", "email": "maxime.chevallier@bootlin.com", "time": "Thu Jun 04 11:28:16 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 17:43:27 2026 -0700" }, "message": "net: phy: remove phy ports upon probe failure\n\nWhen phy_probe fails, let\u0027s clean the phy_ports that were successfully\nadded already.\n\nSuggested-by: Nicolai Buchwitz \u003cnb@tipi-net.de\u003e\nReviewed-by: Nicolai Buchwitz \u003cnb@tipi-net.de\u003e\nFixes: 589e934d2735 (\"net: phy: Introduce PHY ports representation\")\nSigned-off-by: Maxime Chevallier \u003cmaxime.chevallier@bootlin.com\u003e\nLink: https://patch.msgid.link/20260604092819.723505-3-maxime.chevallier@bootlin.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "48774e87bbaa0056819d4b52301e4692e50e3252", "tree": "2e9cc959ebec4764928cc5492c27e6f443d65794", "parents": [ "c849de7d8757a7af801fc4a4058f71d481d367f2" ], "author": { "name": "Maxime Chevallier", "email": "maxime.chevallier@bootlin.com", "time": "Thu Jun 04 11:28:15 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 17:43:27 2026 -0700" }, "message": "net: phy: clean the sfp upstream if phy probing fails\n\nSashiko reported that we don\u0027t call sfp_bus_del_upstream() in the probe\nfailure path, so let\u0027s add it, otherwise the sfp-bus is left with a\ndangling \u0027upstream\u0027 field, that may be used later on during SFP events.\n\nThis issue existed before the generic phylib sfp support, back when\ndrivers were calling phy_sfp_probe themselves.\n\nReviewed-by: Nicolai Buchwitz \u003cnb@tipi-net.de\u003e\nFixes: 298e54fa810e (\"net: phy: add core phylib sfp support\")\nSigned-off-by: Maxime Chevallier \u003cmaxime.chevallier@bootlin.com\u003e\nLink: https://patch.msgid.link/20260604092819.723505-2-maxime.chevallier@bootlin.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "c849de7d8757a7af801fc4a4058f71d481d367f2", "tree": "78b57e6acb055bae16559984441371c4b7f42457", "parents": [ "71de0177b28da751f407581a4515cf4d762f6296" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 05 18:21:24 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 17:40:20 2026 -0700" }, "message": "netdev: fix double-free in netdev_nl_bind_rx_doit()\n\nSashiko flags that genlmsg_reply() always consumes the skb.\nThe error path calls nlmsg_free(rsp) so we can\u0027t jump directly\nto it. Let\u0027s not unbind, just propagate the error to the user.\nThis is the typical way of handling genlmsg_reply() failures.\nThey shouldn\u0027t happen unless user does something silly like\ncalling the kernel with an already-full rcvbuf.\n\nReported-by: Sashiko \u003csashiko-bot@kernel.org\u003e\nFixes: 170aafe35cb9 (\"netdev: support binding dma-buf to netdevice\")\nReviewed-by: Bobby Eshleman \u003cbobbyeshleman@meta.com\u003e\nAcked-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nReviewed-by: Nikolay Aleksandrov \u003crazor@blackwall.org\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "71de0177b28da751f407581a4515cf4d762f6296", "tree": "7317d8d764878e8f1676d36a7028a69fe703c059", "parents": [ "a0130d682222ae21afc395aead7cd2d87e1a8358" ], "author": { "name": "Santosh Kalluri", "email": "santosh.kalluri129@gmail.com", "time": "Wed Jun 03 17:08:43 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 17:37:07 2026 -0700" }, "message": "net: phonet: free phonet_device after RCU grace period\n\nphonet_device_destroy() removes a phonet_device from the per-net device\nlist with list_del_rcu(), but frees it immediately. RCU readers walking\nthe same list can still hold a pointer to the object after it has been\nremoved, leading to a slab-use-after-free.\n\nUse kfree_rcu(), matching the lifetime rule already used by\nphonet_address_del() for the same object type.\n\nFixes: eeb74a9d45f7 (\"Phonet: convert devices list to RCU\")\nCc: stable@vger.kernel.org\nSigned-off-by: Santosh Kalluri \u003csantosh.kalluri129@gmail.com\u003e\nAcked-by: Rémi Denis-Courmont \u003cremi@remlab.net\u003e\nReviewed-by: Simon Horman \u003chorms@kernel.org\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "a0130d682222ae21afc395aead7cd2d87e1a8358", "tree": "26b487cc31706c5140fedf7634b729ee77123ed2", "parents": [ "2365343f4aad3e1b1e7a2e87e98cf66d5e590589" ], "author": { "name": "Rosen Penev", "email": "rosenp@gmail.com", "time": "Wed Jun 03 15:12:17 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 17:24:58 2026 -0700" }, "message": "net: ibm: emac: Fix use-after-free during device removal\n\nThe driver was using devm_register_netdev() which causes unregister_netdev()\nto be deferred until the devres cleanup phase, which runs after emac_remove()\nreturns. This creates a use-after-free window where:\n\n1. emac_remove() is called, which tears down hardware (cancels work, detaches\n modules, unregisters from MAL)\n2. emac_remove() returns\n3. devres cleanup runs and finally calls unregister_netdev()\n\nDuring step 3, the network stack might still process packets, triggering\nemac_irq(), emac_poll(), or other handlers that access now-freed hardware\nresources (dev-\u003eemacp, dev-\u003emal, etc.).\n\nFix this by replacing devm_register_netdev() with manual register_netdev()\nand calling unregister_netdev() at the beginning of emac_remove(), before\nany hardware teardown. This ensures the network device is fully stopped and\nunregistered before hardware resources are released.\n\nThe change is safe because:\n- dev-\u003endev is assigned very early in probe (before any error paths that\n could bypass emac_remove)\n- platform_set_drvdata() is only called after successful registration, so\n emac_remove() only runs for fully registered devices\n- unregister_netdev() is idempotent and safe to call on any registered device\n\nFixes: a4dd8535a527 (\"net: ibm: emac: use devm for register_netdev\")\nSigned-off-by: Rosen Penev \u003crosenp@gmail.com\u003e\nReviewed-by: Jacob Keller \u003cjacob.e.keller@intel.com\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "2365343f4aad3e1b1e7a2e87e98cf66d5e590589", "tree": "183752eb04b3b2782d245ea32d9971028d33c3bc", "parents": [ "f2bb3434544454099a5b6dec213567267b05d79d" ], "author": { "name": "Yao Sang", "email": "sangyao@kylinos.cn", "time": "Wed Jun 03 14:10:44 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 17:22:24 2026 -0700" }, "message": "net/mlx4: avoid GCC 10 __bad_copy_from() false positive\n\nmlx4_init_user_cqes() fills a scratch buffer with the CQE\ninitialization pattern and then copies from that buffer to userspace.\n\nIn the single-copy path, the copy length is array_size(entries,\ncqe_size), but the scratch buffer is allocated with PAGE_SIZE. GCC 10\ndoes not carry the branch invariant strongly enough through the object\nsize checks and falsely triggers __bad_copy_from().\n\nSize the scratch buffer to the actual copy length for the active path,\nkeep array_size() for the single-copy case, and retain a WARN_ON_ONCE()\nguard for the PAGE_SIZE invariant before allocating the buffer.\n\nFixes: f69bf5dee7ef (\"net/mlx4: Use array_size() helper in copy_to_user()\")\nSigned-off-by: Yao Sang \u003csangyao@kylinos.cn\u003e\nReviewed-by: Jacob Keller \u003cjacob.e.keller@intel.com\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "f2bb3434544454099a5b6dec213567267b05d79d", "tree": "5bfbc6b1c20b67c16c74ac98098efb69507aaab2", "parents": [ "5d39580f68e6ddeedd15e587282207489dfb3da2" ], "author": { "name": "HanQuan", "email": "eilaimemedsnaimel@gmail.com", "time": "Thu Jun 04 14:46:25 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 17:20:23 2026 -0700" }, "message": "net: add pskb_may_pull() to skb_gro_receive_list()\n\nskb_gro_receive_list() calls skb_pull(skb, skb_gro_offset(skb)) without\nfirst ensuring the data is in the linear area via pskb_may_pull(). When\nthe skb arrives via napi_gro_frags(), skb_headlen can be 0 (all data in\npage fragments) while skb_gro_offset is non-zero (after IP+TCP header\nparsing). The skb_pull() then decrements skb-\u003elen by skb_gro_offset\nbut skb-\u003edata_len stays unchanged, hitting BUG_ON(skb-\u003elen \u003c skb-\u003edata_len)\nin __skb_pull().\n\nThe UDP fraglist GRO path already contains this guard at\nudp_offload.c:749. Adding it to skb_gro_receive_list() itself provides\ncentralized protection for all callers (TCP, UDP, and any future\nprotocols), and ensures the precondition of skb_pull() is satisfied\nbefore it is called.\n\nOn pskb_may_pull() failure, set NAPI_GRO_CB(skb)-\u003eflush \u003d 1 so the\nskb is not held as a new GRO head and is instead delivered through the\nnormal receive path, matching the UDP handling.\n\nFixes: 8d95dc474f85 (\"net: add code for TCP fraglist GRO\")\nReported-by: HanQuan \u003ceilaimemedsnaimel@gmail.com\u003e\nReported-by: MingXuan \u003cbwnie0730@outlook.com\u003e\nSigned-off-by: HanQuan \u003ceilaimemedsnaimel@gmail.com\u003e\nReviewed-by: Eric Dumazet \u003cedumazet@google.com\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "5d39580f68e6ddeedd15e587282207489dfb3da2", "tree": "84053803c7ec09af0bcfa7d8bd21441ddb11bf85", "parents": [ "9772589b57e44aedc240211c5c3f7a684a034d3a" ], "author": { "name": "Eric Dumazet", "email": "edumazet@google.com", "time": "Fri Jun 05 11:21:34 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Mon Jun 08 15:37:10 2026 -0700" }, "message": "tcp: restrict SO_ATTACH_FILTER to priv users\n\nThis patch restricts the use of SO_ATTACH_FILTER (cBPF) on TCP sockets\nto users with CAP_NET_ADMIN capability.\n\nThis blocks potential side-channel attack where an unprivileged application\nattaches a filter to leak TCP sequence/acknowledgment numbers.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReported-by: Tamir Shahar \u003ctamirthesis@gmail.com\u003e\nReported-by: Amit Klein \u003caksecurity@gmail.com\u003e\nCc: Willem de Bruijn \u003cwillemb@google.com\u003e\nCc: Alexei Starovoitov \u003cast@kernel.org\u003e\nCc: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nCc: Andrii Nakryiko \u003candrii@kernel.org\u003e\nCc: Martin KaFai Lau \u003cmartin.lau@linux.dev\u003e\nCc: Eduard Zingerman \u003ceddyz87@gmail.com\u003e\nCc: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nCc: Song Liu \u003csong@kernel.org\u003e\nCc: Yonghong Song \u003cyonghong.song@linux.dev\u003e\nCc: Jiri Olsa \u003cjolsa@kernel.org\u003e\nCc: John Fastabend \u003cjohn.fastabend@gmail.com\u003e\nCc: Stanislav Fomichev \u003csdf@fomichev.me\u003e\nAcked-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nReviewed-by: Willem de Bruijn \u003cwillemb@google.com\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "9772589b57e44aedc240211c5c3f7a684a034d3a", "tree": "c9dc6992140681df03a277d7955f44dacb77036a", "parents": [ "3847d94783c0b893c27ff0b26a3325796d9444c6" ], "author": { "name": "Chenguang Zhao", "email": "zhaochenguang@kylinos.cn", "time": "Wed Jun 03 09:13:53 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 05 19:05:06 2026 -0700" }, "message": "netlabel: validate unlabeled address and mask attribute lengths\n\nnetlbl_unlabel_addrinfo_get() used the address attribute length to\ndetermine whether the attribute data could be read as an IPv4 or IPv6\naddress, but did not independently validate the corresponding mask\nattribute length. A crafted Generic Netlink request could therefore\nprovide a valid IPv4/IPv6 address attribute with a shorter mask\nattribute, which would later be read as a full struct in_addr or\nstruct in6_addr.\n\nNLA_BINARY policy lengths are maximum lengths by default, so use\nNLA_POLICY_EXACT_LEN() for the unlabeled IPv4/IPv6 address and mask\nattributes. This rejects short attributes during policy validation and\nalso exposes the exact length requirements through policy introspection.\n\nFixes: 8cc44579d1bd (\"NetLabel: Introduce static network labels for unlabeled connections\")\nSigned-off-by: Chenguang Zhao \u003czhaochenguang@kylinos.cn\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "3847d94783c0b893c27ff0b26a3325796d9444c6", "tree": "4985379fdb11c8fbed1b8ca41fd8bd8958a961c7", "parents": [ "954981dbbfbd78f21d2fbac1ac0742dbf38b4e69" ], "author": { "name": "Vikas Gupta", "email": "vikas.gupta@broadcom.com", "time": "Thu Jun 04 22:07:09 2026 +0530" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 05 18:35:50 2026 -0700" }, "message": "bnge: fix context mem iteration\n\nThe firmware advertises context memory (backing store) types\nthrough a linked list, with BNGE_CTX_INV serving as the\nend-of-list sentinel.\nHowever, the driver incorrectly assumes that the list is strictly\nordered and prematurely terminates traversal when it encounters\nan unrecognized type (\u003e\u003dBNGE_CTX_V2_MAX). As a result, any valid\ncontext types that appear later in the chain are silently skipped,\nleading to incomplete memory configuration and eventual driver load\nfailure.\n\nFix this by traversing the entire list until the BNGE_CTX_INV sentinel\nis reached, while safely ignoring only those context types that fall\noutside the supported range.\n\nFixes: 29c5b358f385 (\"bng_en: Add backing store support\")\nSigned-off-by: Vikas Gupta \u003cvikas.gupta@broadcom.com\u003e\nReviewed-by: Dharmender Garg \u003cdharmender.garg@broadcom.com\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "954981dbbfbd78f21d2fbac1ac0742dbf38b4e69", "tree": "24581f962878e5f9911e99519e112dc92f7c7841", "parents": [ "f9f25118faa4dd2b6e3d14a03d123bbdbd59925d" ], "author": { "name": "Arthur Kiyanovski", "email": "akiyano@amazon.com", "time": "Thu Jun 04 08:07:04 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 05 18:28:21 2026 -0700" }, "message": "net: ena: PHC: Add missing barrier\n\nAdd dma_rmb() barrier after req_id completion check in\nena_com_phc_get_timestamp(). On weakly-ordered architectures,\npayload fields may be read before req_id is observed as updated.\n\nFixes: e0ea34158ee8 (\"net: ena: Add PHC support in the ENA driver\")\nCloses: https://sashiko.dev/#/patchset/20260430032507.11586-1-akiyano%40amazon.com\nSigned-off-by: Arthur Kiyanovski \u003cakiyano@amazon.com\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "f9f25118faa4dd2b6e3d14a03d123bbdbd59925d", "tree": "38e1a3e80a19781c88874c567a62a575465cd1c3", "parents": [ "c93952cc0034dc491cf082d1df11e996513a53ed" ], "author": { "name": "ZhaoJinming", "email": "zhaojinming@uniontech.com", "time": "Thu Jun 04 15:03:52 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 05 18:25:14 2026 -0700" }, "message": "net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues()\n\nof_reserved_mem_lookup() may return NULL if the reserved memory region\nreferenced by the \"memory-region\" phandle is not found in the reserved\nmemory table (e.g. due to a misconfigured DTS or a removed\nmemory-region node). The current code dereferences the returned\npointer without checking for NULL, leading to a kernel NULL pointer\ndereference at the following lines:\n\n dma_addr \u003d rmem-\u003ebase; // line 1156\n num_desc \u003d div_u64(rmem-\u003esize, buf_size); // line 1160\n\nAdd a NULL check after of_reserved_mem_lookup() and return -ENODEV if\nthe lookup fails, which is consistent with the existing error handling\nfor of_parse_phandle() failure in the same code block.\n\nFixes: 3a1ce9e3d01b (\"net: airoha: Add the capability to allocate hwfd buffers via reserved-memory\")\nCc: stable@vger.kernel.org\nSigned-off-by: ZhaoJinming \u003czhaojinming@uniontech.com\u003e\nAcked-by: Lorenzo Bianconi \u003clorenzo@kernel.org\u003e\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "c93952cc0034dc491cf082d1df11e996513a53ed", "tree": "0254e4a8ccb8b99a75c1e7e746e5a53246b5b8e6", "parents": [ "4aacf509e537a711fa71bca9f234e5eb6968850e", "85b0cbc1f38bc1e38956a9e6d7b04d309b435697" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 05 16:41:19 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 05 16:41:20 2026 -0700" }, "message": "Merge branch \u0027intel-wired-lan-driver-updates-2026-06-02-i40e-ice-idpf\u0027\n\nTony Nguyen says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nIntel Wired LAN Driver Updates 2026-06-02 (ice, idpf)\n\nPetr Oros adds missing callbacks for U.FL DPLL pins on ice.\n\nAlok Tiwari corrects copy/paste error causing incorrect reporting of PTP\nmailbox capability for idpf.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260602225513.393338-1-anthony.l.nguyen@intel.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "85b0cbc1f38bc1e38956a9e6d7b04d309b435697", "tree": "0254e4a8ccb8b99a75c1e7e746e5a53246b5b8e6", "parents": [ "f1fa677e428e8873486938086bd934dc18169b47" ], "author": { "name": "Alok Tiwari", "email": "alok.a.tiwari@oracle.com", "time": "Tue Jun 02 15:55:11 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 05 16:41:19 2026 -0700" }, "message": "idpf: fix mailbox capability for set device clock time\n\nThe current code incorrectly uses VIRTCHNL2_CAP_PTP_SET_DEVICE_CLK_TIME\nfor both direct and mailbox capabilities, causing mailbox-only support\nto be ignored and potentially reporting IDPF_PTP_NONE.\n\nFixes: d5dba8f7206da (\"idpf: add PTP clock configuration\")\nSigned-off-by: Alok Tiwari \u003calok.a.tiwari@oracle.com\u003e\nTested-by: Samuel Salin \u003cSamuel.salin@intel.com\u003e\nReviewed-by: Aleksandr Loktionov \u003caleksandr.loktionov@intel.com\u003e\nSigned-off-by: Tony Nguyen \u003canthony.l.nguyen@intel.com\u003e\nLink: https://patch.msgid.link/20260602225513.393338-4-anthony.l.nguyen@intel.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "f1fa677e428e8873486938086bd934dc18169b47", "tree": "cba5de3ab3a5d626614cb36e2fd430f435822ddd", "parents": [ "4aacf509e537a711fa71bca9f234e5eb6968850e" ], "author": { "name": "Petr Oros", "email": "poros@redhat.com", "time": "Tue Jun 02 15:55:10 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Fri Jun 05 16:41:19 2026 -0700" }, "message": "ice: fix missing priority callbacks for U.FL DPLL pins\n\nThe U.FL2 input pin advertises DPLL_PIN_CAPABILITIES_PRIORITY_CAN_CHANGE\nin its capability mask, but ice_dpll_pin_ufl_ops does not provide\n.prio_get and .prio_set callbacks. As a result the DPLL subsystem\ncannot report or accept priority for U.FL pins: pin-get omits the prio\nfield on U.FL2 and pin-set with prio is rejected as invalid, even\nthough the capability is present. This prevents user space from using\npriority to select or disable U.FL2 as a DPLL input source.\n\nReproducer with iproute2 (dpll command):\n\n # dpll pin show board-label U.FL2\n pin id 16:\n module-name ice\n board-label U.FL2\n type ext\n capabilities priority-can-change|state-can-change\n parent-device:\n id 0 direction input state selectable phase-offset 0\n /* note: no \"prio\" between \"direction\" and \"state\",\n even though priority-can-change is advertised */\n\n # dpll pin set id 16 parent-device 0 prio 5\n RTNETLINK answers: Operation not supported\n\nAfter the fix the prio field is reported by pin show and pin set with\nprio is accepted on U.FL2.\n\nAdd the missing .prio_get and .prio_set callbacks to\nice_dpll_pin_ufl_ops, reusing ice_dpll_sw_input_prio_{get,set}. The\nsame ops struct is shared by U.FL1 and U.FL2: U.FL2 (input) delegates\nto the backing hardware input pin, while U.FL1 (output) does not\nadvertise DPLL_PIN_CAPABILITIES_PRIORITY_CAN_CHANGE so the dpll core\ncapability gate never invokes prio_set for it, and prio_get reports\nthe OUTPUT sentinel (ICE_DPLL_PIN_PRIO_OUTPUT) on the output side\nexactly like the SMA path does today.\n\nFixes: 2dd5d03c77e2 (\"ice: redesign dpll sma/u.fl pins control\")\nReviewed-by: Aleksandr Loktionov \u003caleksandr.loktionov@intel.com\u003e\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nSigned-off-by: Petr Oros \u003cporos@redhat.com\u003e\nTested-by: Rinitha S \u003csx.rinitha@intel.com\u003e (A Contingent worker at Intel)\nSigned-off-by: Tony Nguyen \u003canthony.l.nguyen@intel.com\u003e\nLink: https://patch.msgid.link/20260602225513.393338-3-anthony.l.nguyen@intel.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "4aacf509e537a711fa71bca9f234e5eb6968850e", "tree": "f55574501e11b9e97fceff5547a962571b8b1d73", "parents": [ "32594b09854970d7ba83eb2dc8c69a2edd158c8e" ], "author": { "name": "Bartosz Golaszewski", "email": "bartosz.golaszewski@oss.qualcomm.com", "time": "Tue Jun 02 09:34:14 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 18:40:31 2026 -0700" }, "message": "net: mv643xx: fix OF node refcount\n\nPlatform devices created with platform_device_alloc() call\nplatform_device_release() when the last reference to the device\u0027s\nkobject is dropped. This function calls of_node_put() unconditionally.\nThis works fine for devices created with platform_device_register_full()\nbut users of the split approach (platform_device_alloc() +\nplatform_device_add()) must bump the reference of the of_node they\nassign manually. Add the missing call to of_node_get().\n\nCc: stable@vger.kernel.org\nFixes: 76723bca2802 (\"net: mv643xx_eth: add DT parsing support\")\nSigned-off-by: Bartosz Golaszewski \u003cbartosz.golaszewski@oss.qualcomm.com\u003e\nLink: https://patch.msgid.link/20260602073414.22500-1-bartosz.golaszewski@oss.qualcomm.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "32594b09854970d7ba83eb2dc8c69a2edd158c8e", "tree": "a81164804f586179f6e3de615302c7fcea686a74", "parents": [ "ddd664bbff63e09e7a7f9acae9c43605d4cf185f" ], "author": { "name": "Hyunwoo Kim", "email": "imv4bel@gmail.com", "time": "Tue Jun 02 19:21:05 2026 +0900" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 18:05:23 2026 -0700" }, "message": "inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush\n\nOn netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and\nflushes every fragment queue that is not yet complete using\ninet_frag_queue_flush(). That helper frees all the skbs queued on the\nfragment queue but does not set INET_FRAG_COMPLETE, and leaves\nq-\u003efragments_tail and q-\u003elast_run_head pointing at the freed skbs.\nThe queue itself stays in the rhashtable.\n\nfqdir_pre_exit() first lowers high_thresh to 0 to stop new queue lookups,\nbut it cannot stop a fragment that already obtained the queue through\ninet_frag_find() earlier and stalled just before taking the queue lock.\nOnce that fragment resumes after the flush and takes the queue lock,\nit passes the INET_FRAG_COMPLETE check and then dereferences the freed\nfragments_tail. inet_frag_queue_insert() reads FRAG_CB() and -\u003elen of\nthat pointer and, on the append path, writes -\u003enext_frag, causing a\nslab use-after-free. IPv6, nf_conntrack_reasm6 and 6lowpan reassembly\nshare the same flush path and are affected as well.\n\nReset rb_fragments, fragments_tail and last_run_head in\ninet_frag_queue_flush() so a flushed queue no longer points at the\nfreed skbs. A fragment that resumes after the flush and takes the\nqueue lock then finds an empty queue and starts a new run instead of\ndereferencing the freed fragments_tail. ip_frag_reinit() already\nperformed this reset after its own flush, so drop the now duplicate\ncode there.\n\nCc: stable@vger.kernel.org\nFixes: 006a5035b495 (\"inet: frags: flush pending skbs in fqdir_pre_exit()\")\nSuggested-by: Eric Dumazet \u003cedumazet@google.com\u003e\nSigned-off-by: Hyunwoo Kim \u003cimv4bel@gmail.com\u003e\nLink: https://patch.msgid.link/ah6ukYq5G98LshdA@v4bel\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "ddd664bbff63e09e7a7f9acae9c43605d4cf185f", "tree": "e679c38664049eb79787147fdfadaf20f9cf171c", "parents": [ "44ed32d16c9d0e0f3a4b594982a2bb168d2f56ea", "b6197b386677ae5268d4702e23849d9ad53051ad" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jun 04 14:35:55 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jun 04 14:35:55 2026 -0700" }, "message": "Merge tag \u0027net-7.1-rc7\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net\n\nPull networking fixes from Jakub Kicinski:\n \"Including fixes from Netfilter, wireless and Bluetooth.\n\n Current release - fix to a fix:\n\n - Bluetooth: MGMT: fix backward compatibility with bluetoothd\n which adds stray bytes to MGMT_OP_ADD_EXT_ADV_DATA\n\n Previous releases - regressions:\n\n - af_unix: fix inq_len update inaccuracy on partial read\n\n - eth: fec: fix pinctrl default state restore order on resume\n\n - wifi: iwlwifi:\n - mvm: don\u0027t support the reset handshake for old firmwares\n - pcie: simplify the resume flow if fast resume is not used,\n work around NIC access failures\n\n Previous releases - always broken:\n\n - Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig\n\n - sctp: fix a couple of bugs in COOKIE_ECHO processing\n\n - sched: fix pedit partial COW leading to page cache corruption\n\n - wifi: nl80211: reject oversized EMA RNR lists\n\n - netfilter:\n - conntrack_irc: fix possible out-of-bounds read\n - bridge: make ebt_snat ARP rewrite writable\n\n - appletalk: zero-initialize aarp_entry to prevent heap info leak\n\n - ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options\n\n - mptcp: fix number of bugs reported by AI scans and discovered\n during NVMe over MPTCP testing\"\n\n* tag \u0027net-7.1-rc7\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (85 commits)\n Reapply \"bnxt_en: bring back rtnl_lock() in the bnxt_open() path\"\n udp: clear skb-\u003edev before running a sockmap verdict\n sctp: purge outqueue on stale COOKIE-ECHO handling\n bonding: annotate data-races arcound churn variables\n net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr\n rtase: Avoid sleeping in get_stats64()\n ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit()\n ipv6: mcast: Fix use-after-free when processing MLD queries\n selftests: net: add vxlan vnifilter notification test\n vxlan: vnifilter: fix spurious notification on VNI update\n vxlan: vnifilter: send notification on VNI add\n rtase: Reset TX subqueue when clearing TX ring\n octeontx2-af: npc: Fix CPT channel mask in npc_install_flow\n dt-bindings: ethernet: eswin: fix hsp-sp-csr backward compatibility\n sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing\n net/sched: fix pedit partial COW leading to page cache corruption\n vsock/vmci: fix sk_ack_backlog leak on failed handshake\n net: bonding: fix NULL pointer dereference in bond_do_ioctl()\n geneve: fix length used in GRO hint UDP checksum adjustment\n net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown\n ...\n" }, { "commit": "44ed32d16c9d0e0f3a4b594982a2bb168d2f56ea", "tree": "78b862ffdaa6e0f882064ee05575754385707322", "parents": [ "6a08076f009e3d9460bebae9f209c1dc1d8a46b7", "0652a3daa78723f955b1ebeb621665ce72bec53e" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jun 04 13:38:42 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jun 04 13:38:42 2026 -0700" }, "message": "Merge tag \u0027trace-v7.1-rc6\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace\n\nPull tracing fix from Steven Rostedt:\n\n - Fix CFI violation in probestub function\n\n The probestub is a function to allow tprobes to hook to a tracepoint\n to gain access to its parameters.\n\n The function itself is only referenced by the tracepoint structure\n which lives in the __tracepoint section. objtool explicitly ignores\n that section and when processing functions in the kernel, if it\n detects one that has no references it will seal it to have its ENDBR\n stripped on boot up.\n\n This means the probstub function will have its ENDBR stripped and if\n a tprobe is attached to it with IBT enabled, it will go *boom*.\n\n* tag \u0027trace-v7.1-rc6\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:\n tracing: Fix CFI violation in probestub being called by tprobes\n" }, { "commit": "6a08076f009e3d9460bebae9f209c1dc1d8a46b7", "tree": "cd9f599772f850b3e43821eb97283321cbf2fe0e", "parents": [ "9154c4af7829b6f82712b4d1a2a720adddacdb8d", "7c6535c37dbc03c1c35926b7420d66fb122b513a" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jun 04 12:31:20 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Jun 04 12:31:20 2026 -0700" }, "message": "Merge tag \u0027s390-7.1-4\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux\n\nPull s390 fixes from Alexander Gordeev:\n\n - Enable IOMMUFD and VFIO cdev such that PCI pass-through to\n QEMU/KVM can optionally utilize native IOMMUFD\n\n - With HAVE_ARCH_BUG_FORMAT enabled the BUG infrastructure might\n misinterpret flags or fault. Fix this by moving the \"format\"\n field emission into __BUG_ENTRY()\n\n - The generic version of _THIS_IP_ is known to be brittle and may\n break with current and future GCC and Clang optimizations. Fix\n it by overriding _THIS_IP_\n\n* tag \u0027s390-7.1-4\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:\n s390: Implement _THIS_IP_ using inline asm\n s390/bug: Always emit format word in __BUG_ENTRY\n s390/configs: Enable IOMMUFD and VFIO cdev in defconfigs\n" }, { "commit": "b6197b386677ae5268d4702e23849d9ad53051ad", "tree": "7763c40a6482720e27c3a5727ecb040fce27b7ce", "parents": [ "3c94f241f776562c489876ff506f366224565c21" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 12:58:45 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 09:02:37 2026 -0700" }, "message": "Reapply \"bnxt_en: bring back rtnl_lock() in the bnxt_open() path\"\n\nThis reverts commit 850d9248d2eac662f869c766a598c877690c74e5.\nThis reapplies commit 325eb217e41f (\"bnxt_en: bring back rtnl_lock()\nin the bnxt_open() path\").\n\nBreno reports a lockdep warning in bnxt. During FW reset the driver\nmay end up calling netif_set_real_num_tx_queues() (if queue count\nchanges), so calls to bnxt_open() still require rtnl_lock.\n\n net/sched/sch_generic.c:1416 suspicious rcu_dereference_protected() usage!\n\n dev_qdisc_change_real_num_tx+0x54/0xe0\n netif_set_real_num_tx_queues+0x4ed/0xa80\n __bnxt_open_nic+0x9cb/0x3490\n bnxt_open+0x1cb/0x370\n bnxt_fw_reset_task+0x80d/0x1e80\n process_scheduled_works+0x9c1/0x13b0\n\nThe reverted commit was just an optimization / experiment\nso let\u0027s go back to taking the lock.\n\nReported-by: Breno Leitao \u003cleitao@debian.org\u003e\nLink: https://lore.kernel.org/ah726OtFX-Qw3U-R@gmail.com\nFixes: 850d9248d2ea (\"Revert \"bnxt_en: bring back rtnl_lock() in the bnxt_open() path\"\")\nAcked-by: Stanislav Fomichev \u003csdf@fomichev.me\u003e\nReviewed-by: Michael Chan \u003cmichael.chan@broadcom.com\u003e\nReviewed-by: Breno Leitao \u003cleitao@debian.org\u003e\nLink: https://patch.msgid.link/20260603195845.2574426-1-kuba@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "3c94f241f776562c489876ff506f366224565c21", "tree": "689c3855ef03894700de847840f97b568a62eb92", "parents": [ "e374b22e9b07b72a25909621464ff74096151bfb" ], "author": { "name": "Sechang Lim", "email": "rhkrqnwk98@gmail.com", "time": "Wed Jun 03 16:27:33 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 09:01:51 2026 -0700" }, "message": "udp: clear skb-\u003edev before running a sockmap verdict\n\nOn the UDP receive path skb-\u003edev is repurposed as dev_scratch (the\ntruesize/state cache set by udp_set_dev_scratch()), through the\nunion { struct net_device *dev; unsigned long dev_scratch; } in sk_buff.\n\nWhen a UDP socket is in a sockmap, sk_data_ready is\nsk_psock_verdict_data_ready(), which calls udp_read_skb() -\u003e recv_actor()\n(sk_psock_verdict_recv) to run the attached SK_SKB verdict program in softirq.\nIf that program calls a socket-lookup helper (bpf_sk_lookup_tcp/udp,\nbpf_skc_lookup_tcp), bpf_skc_lookup() does:\n\n\tif (skb-\u003edev)\n\t\tcaller_net \u003d dev_net(skb-\u003edev);\n\nskb-\u003edev still holds the dev_scratch value (a non-NULL integer), so dev_net()\ndereferences it as a struct net_device * and the kernel takes a general\nprotection fault on a non-canonical address in softirq:\n\n Oops: general protection fault, probably for non-canonical address 0x1010000800004a0\n CPU: 1 UID: 0 PID: 1406 Comm: syz.2.19 Not tainted 7.1.0-rc6 #1 PREEMPT(full)\n RIP: 0010:bpf_skc_lookup net/core/filter.c:7033 [inline]\n RIP: 0010:bpf_sk_lookup+0x45/0x160 net/core/filter.c:7047\n Call Trace:\n \u003cIRQ\u003e\n bpf_prog_4675cb904b7071f8+0x12e/0x14e\n bpf_prog_run_pin_on_cpu+0xc6/0x1f0\n sk_psock_verdict_recv+0x1ba/0x350\n udp_read_skb+0x31a/0x370\n sk_psock_verdict_data_ready+0x2e3/0x600\n __udp_enqueue_schedule_skb+0x4c8/0x650\n udpv6_queue_rcv_one_skb+0x3ec/0x740\n udp6_unicast_rcv_skb+0x11d/0x140\n ip6_protocol_deliver_rcu+0x61e/0x950\n ip6_input_finish+0xa9/0x150\n NF_HOOK+0x286/0x2f0\n ip6_input+0x117/0x220\n NF_HOOK+0x286/0x2f0\n __netif_receive_skb+0x85/0x200\n process_backlog+0x374/0x9a0\n __napi_poll+0x4f/0x1c0\n net_rx_action+0x3b0/0x770\n handle_softirqs+0x15a/0x460\n do_softirq+0x57/0x80\n \u003c/IRQ\u003e\n\nThe rmem charge that dev_scratch accounted for is released by skb_recv_udp() on\ndequeue, just above, so the scratch is dead by the time recv_actor() runs. Clear\nskb-\u003edev so bpf_skc_lookup() falls back to sock_net(skb-\u003esk), which\nskb_set_owner_sk_safe() set just above.\n\nFixes: 965b57b469a5 (\"net: Introduce a new proto_ops -\u003eread_skb()\")\nCc: stable@vger.kernel.org\nSigned-off-by: Sechang Lim \u003crhkrqnwk98@gmail.com\u003e\nReviewed-by: Jiayuan Chen \u003cjiayuan.chen@linux.dev\u003e\nReviewed-by: Eric Dumazet \u003cedumazet@google.com\u003e\nLink: https://patch.msgid.link/20260603162737.697215-1-rhkrqnwk98@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "e374b22e9b07b72a25909621464ff74096151bfb", "tree": "891e41366a7929c25e7e43b6f1b0d7110a2e1f6f", "parents": [ "b47ff80f280e18ad2310f44293cc057d9b64ff11" ], "author": { "name": "Xin Long", "email": "lucien.xin@gmail.com", "time": "Wed Jun 03 14:11:44 2026 -0400" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 09:01:25 2026 -0700" }, "message": "sctp: purge outqueue on stale COOKIE-ECHO handling\n\nsctp_stream_update() is only invoked when the association is moved into\nCOOKIE_WAIT during association setup/reconfiguration. In this path, the\noutbound stream scheduler state (stream-\u003eout_curr) is expected to be\nclean, since no user data should have been transmitted yet unless the\nstate machine has already partially progressed.\n\nHowever, a corner case exists in sctp_sf_do_5_2_6_stale(): when a\nStale Cookie ERROR is received, the association is rolled back from\nCOOKIE_ECHOED to COOKIE_WAIT. In this scenario, user data may already\nhave been queued and even bundled with the COOKIE-ECHO chunk.\n\nDuring the rollback, sctp_stream_update() frees the old stream table\nand installs a new one, but it does not invalidate stream-\u003eout_curr.\nAs a result, out_curr may still point to a freed sctp_stream_out\nentry from the previous stream state.\n\nLater, SCTP scheduler dequeue paths (FCFS, RR, PRIO, etc.) rely on\nstream-\u003eout_curr-\u003eext, which can lead to use-after-free once the old\nstream state has been released via sctp_stream_free().\n\nThis results in crashes such as (reported by Yuqi):\n\n BUG: KASAN: slab-use-after-free in sctp_sched_fcfs_dequeue+0x13a/0x140\n Read of size 8 at addr ff1100004d4d3208 by task mini_poc/9312\n CPU: 1 UID: 1001 PID: 9312 Comm: mini_poc Not tainted\n 7.1.0-rc1-00305-gbd3a4795d574 #5 PREEMPT(full)\n sctp_sched_fcfs_dequeue+0x13a/0x140\n sctp_outq_flush+0x1603/0x33e0\n sctp_do_sm+0x31c9/0x5d30\n sctp_assoc_bh_rcv+0x392/0x6f0\n sctp_inq_push+0x1db/0x270\n sctp_rcv+0x138d/0x3c10\n\nFix this by fully purging the association outqueue when handling the\nStale Cookie case. This ensures all pending transmit and retransmit\nstate is dropped, and any scheduler cached pointers are invalidated,\nmaking it safe to rebuild stream state during COOKIE_WAIT restart.\n\nUpdating only stream-\u003eout_curr would be insufficient, since queued\nand retransmittable data would still reference the old stream state and\ntrigger later use-after-free in dequeue paths.\n\nFixes: 5bbbbe32a431 (\"sctp: introduce stream scheduler foundations\")\nReported-by: Yuan Tan \u003cyuantan098@gmail.com\u003e\nReported-by: Yifan Wu \u003cyifanwucs@gmail.com\u003e\nReported-by: Juefei Pu \u003ctomapufckgml@gmail.com\u003e\nReported-by: Zhengchuan Liang \u003czcliangcn@gmail.com\u003e\nReported-by: Xin Liu \u003cbird@lzu.edu.cn\u003e\nReported-by: Yuqi Xu \u003cxuyq21@lenovo.com\u003e\nReported-by: Ren Wei \u003cn05ec@lzu.edu.cn\u003e\nSigned-off-by: Xin Long \u003clucien.xin@gmail.com\u003e\nLink: https://patch.msgid.link/94318159b9052907a6cbb7256aee8b5f8dfbfccb.1780510304.git.lucien.xin@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "b47ff80f280e18ad2310f44293cc057d9b64ff11", "tree": "e9752f48578ae1b7513ea5a1f43607b6e525b7bc", "parents": [ "7561c7fbc694308da73300f036719e63e42bf0b4" ], "author": { "name": "Eric Dumazet", "email": "edumazet@google.com", "time": "Wed Jun 03 12:35:14 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 08:58:18 2026 -0700" }, "message": "bonding: annotate data-races arcound churn variables\n\nThese fields are updated asynchronously by the bonding state machine\nin ad_churn_machine() while holding bond-\u003emode_lock.\n\nbond_info_show_slave() and bond_fill_slave_info() read them without\nbond-\u003emode_lock being held, we need to add READ_ONCE() and\nWRITE_ONCE() annotations.\n\nNote that AD_CHURN_MONITOR, AD_CHURN, and AD_NO_CHURN are defined\nexclusively in (kernel private) include/net/bond_3ad.h header.\n\nThey should be moved to include/uapi/linux/if_bonding.h or userspace\ntools will have to hardcode their values.\n\nFixes: 4916f2e2f3fc (\"bonding: print churn state via netlink\")\nFixes: 14c9551a32eb (\"bonding: Implement port churn-machine (AD standard 43.4.17).\")\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nLink: https://patch.msgid.link/20260603123514.388226-1-edumazet@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "7561c7fbc694308da73300f036719e63e42bf0b4", "tree": "dc18277075afdc04993fb6afc75b825153319f36", "parents": [ "9fc237f8d49f06d05f0f8e80361047b718894e81" ], "author": { "name": "Yizhou Zhao", "email": "zhaoyz24@mails.tsinghua.edu.cn", "time": "Wed Jun 03 14:00:13 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 08:52:41 2026 -0700" }, "message": "net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr\n\nIn mrp_pdu_parse_vecattr(), vector attribute events are encoded three\nper byte and valen tracks the number of events left to process.\n\nThe parser decrements valen after processing the first and second events\nfrom each event byte, but not after processing the third one. When valen\nis exactly a multiple of three, the loop continues after the last valid\nevent and consumes the next byte as a new event byte, applying a\nspurious event to the MRP applicant state.\n\nAdditionally, when valen is zero the parser unconditionally consumes\nattrlen bytes as FirstValue and advances the offset, even though per\nIEEE 802.1ak a VectorAttribute with only a LeaveAllEvent has valen of\nzero and no FirstValue or Vector fields. This corrupts the offset for\nsubsequent PDU parsing.\n\nAlso, when valen exceeds three the loop crosses byte boundaries but\nthe attribute value is not incremented between the last event of one\nbyte and the first event of the next. This causes the first event of\nthe next byte to use the same attribute value as the third event\nrather than the next consecutive value.\n\nDecrement valen after processing the third event, skip FirstValue\nconsumption when valen is zero, and increment the attribute value at\nthe end of each loop iteration.\n\nFixes: febf018d2234 (\"net/802: Implement Multiple Registration Protocol (MRP)\")\nReported-by: Yizhou Zhao \u003czhaoyz24@mails.tsinghua.edu.cn\u003e\nReported-by: Yuxiang Yang \u003cyangyx22@mails.tsinghua.edu.cn\u003e\nReported-by: Ao Wang \u003cwangao@seu.edu.cn\u003e\nReported-by: Xuewei Feng \u003cfengxw06@126.com\u003e\nReported-by: Qi Li \u003cqli01@tsinghua.edu.cn\u003e\nReported-by: Ke Xu \u003cxuke@tsinghua.edu.cn\u003e\nSigned-off-by: Yizhou Zhao \u003czhaoyz24@mails.tsinghua.edu.cn\u003e\nLink: https://patch.msgid.link/20260603060016.21522-1-zhaoyz24@mails.tsinghua.edu.cn\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "9fc237f8d49f06d05f0f8e80361047b718894e81", "tree": "ab50391bb55c0f30956fffb9c55b680a71df4640", "parents": [ "3a5f3f7aff18bcc36a57839cf50cf0cc8de707f3" ], "author": { "name": "Justin Lai", "email": "justinlai0215@realtek.com", "time": "Wed Jun 03 14:18:16 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 08:52:24 2026 -0700" }, "message": "rtase: Avoid sleeping in get_stats64()\n\nThe .ndo_get_stats64 callback must not sleep because it can be\ncalled when reading /proc/net/dev.\n\nrtase_get_stats64() calls rtase_dump_tally_counter(), which polls\nthe tally counter dump bit with read_poll_timeout(). This may\nsleep while waiting for the hardware counter dump to complete.\n\nUse read_poll_timeout_atomic() instead to avoid sleeping in the\nget_stats64() path.\n\nFixes: 079600489960 (\"rtase: Implement net_device_ops\")\nCc: stable@vger.kernel.org\nSigned-off-by: Justin Lai \u003cjustinlai0215@realtek.com\u003e\nLink: https://patch.msgid.link/20260603061816.31356-1-justinlai0215@realtek.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "3a5f3f7aff18bcc36a57839cf50cf0cc8de707f3", "tree": "89b3ec6a668e5b39e87ae933afcd3a3a6f8a5896", "parents": [ "791c91dc7a9dfb2457d5e29b8216a6484b9c4b40" ], "author": { "name": "Eric Dumazet", "email": "edumazet@google.com", "time": "Wed Jun 03 07:29:55 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 08:51:32 2026 -0700" }, "message": "ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit()\n\nThe aoe driver (or similar) generates a non-IPv6 packet\n(e.g., ETH_P_AOE) and queues it for transmission via dev_queue_xmit()\non a 6LoWPAN interface (configured by the user or test case).\n\nSince the packet is not IPv6, the 6LoWPAN header_ops-\u003ecreate function\n(lowpan_header_create or header_create) returns early without initializing\nthe lowpan_addr_info structure in the skb headroom.\n\nIn the transmit function (lowpan_xmit), the driver calls lowpan_header\n(or setup_header) which unconditionally copies and uses the lowpan_addr_info\nfrom the headroom, which contains uninitialized data.\n\nFix this by dropping non IPv6 packets.\n\nA similar fix is needed in net/bluetooth/6lowpan.c bt_xmit().\n\nFixes: 4dc315e267fe (\"ieee802154: 6lowpan: move transmit functionality\")\nReported-by: syzbot+f13c19f75e1097abd116@syzkaller.appspotmail.com\nCloses: https://lore.kernel.org/netdev/6a1fd763.278b5b03.2bcf39.0049.GAE@google.com/T/#u\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReviewed-by: Miquel Raynal \u003cmiquel.raynal@bootlin.com\u003e\nLink: https://patch.msgid.link/20260603072955.4032221-1-edumazet@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "791c91dc7a9dfb2457d5e29b8216a6484b9c4b40", "tree": "b7c81b6dce0748d25916c490912d79204532b207", "parents": [ "05ef0afa1bd63ae36a594e9b8e92057660e3b3a2" ], "author": { "name": "Ido Schimmel", "email": "idosch@nvidia.com", "time": "Wed Jun 03 13:18:11 2026 +0300" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 08:50:33 2026 -0700" }, "message": "ipv6: mcast: Fix use-after-free when processing MLD queries\n\nWhen processing an MLD query, a pointer to the multicast group address\nis retrieved when initially parsing the packet. This pointer is later\ndereferenced without being reloaded despite the fact that the skb header\nmight have been reallocated following the pskb_may_pull() calls, leading\nto a use-after-free [1].\n\nFix by copying the multicast group address when the packet is initially\nparsed.\n\n[1]\nBUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)\nRead of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118\n\nWorkqueue: mld mld_query_work\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)\nprint_address_description.constprop.0 (mm/kasan/report.c:378)\nprint_report (mm/kasan/report.c:482)\nkasan_report (mm/kasan/report.c:595)\n__mld_query_work (net/ipv6/mcast.c:1512)\nmld_query_work (net/ipv6/mcast.c:1563)\nprocess_one_work (kernel/workqueue.c:3314)\nworker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)\nkthread (kernel/kthread.c:436)\nret_from_fork (arch/x86/kernel/process.c:158)\nret_from_fork_asm (arch/x86/entry/entry_64.S:245)\n\u003c/TASK\u003e\n\n[...]\n\nFreed by task 118:\nkasan_save_stack (mm/kasan/common.c:57)\nkasan_save_track (mm/kasan/common.c:78)\nkasan_save_free_info (mm/kasan/generic.c:584)\n__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)\nkfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)\npskb_expand_head (net/core/skbuff.c:2335)\n__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))\n__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))\nmld_query_work (net/ipv6/mcast.c:1563)\nprocess_one_work (kernel/workqueue.c:3314)\nworker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)\nkthread (kernel/kthread.c:436)\nret_from_fork (arch/x86/kernel/process.c:158)\nret_from_fork_asm (arch/x86/entry/entry_64.S:245)\n\nFixes: 97300b5fdfe2 (\"[MCAST] IPv6: Check packet size when process Multicast\")\nReported-by: Leo Lin \u003cleo@depthfirst.com\u003e\nReviewed-by: David Ahern \u003cdahern@nvidia.com\u003e\nSigned-off-by: Ido Schimmel \u003cidosch@nvidia.com\u003e\nReviewed-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReviewed-by: Jiayuan Chen \u003cjiayuan.chen@linux.dev\u003e\nLink: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "05ef0afa1bd63ae36a594e9b8e92057660e3b3a2", "tree": "c785e68b6c90a0006d56789889efcfa3d866d889", "parents": [ "ab1ecaabe74b7d86c38ab2ab44bd56cdcc33645a", "8df1c84e7272a5e24b563df7e50111dc81014d4a" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 08:47:48 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 08:47:48 2026 -0700" }, "message": "Merge branch \u0027vxlan-vnifilter-fix-vni-add-update-notifications\u0027\n\nAndy Roulin says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nvxlan: vnifilter: fix VNI add/update notifications\n\nWhen a vxlan device has vnifilter enabled, userspace observers\n(e.g., bridge monitor vni) miss VNI add events and see spurious\nnotifications on no-op VNI re-adds.\n\nPatch 1 fixes the missing notification on VNI add: vxlan_vni_add()\nguarded the notification on a \u0027changed\u0027 flag that vxlan_vni_update_group()\nonly sets when a multicast group or remote is supplied, so VNIs added\nwithout a group (e.g., L3 VXLAN) were silently created.\n\nPatch 2 fixes the spurious notification on VNI update: vxlan_vni_update()\ntested \u0027if (changed)\u0027 against a bool pointer instead of dereferencing it,\nso every re-add produced a notification regardless of whether anything\nactually changed.\n\nPatch 3 adds a selftest covering both bugs along with a few related\ncases (add with remote, remote update, delete-nonexistent).\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260602185138.253265-1-aroulin@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "8df1c84e7272a5e24b563df7e50111dc81014d4a", "tree": "c785e68b6c90a0006d56789889efcfa3d866d889", "parents": [ "84683b5b60c7274e2c8f7f413d39d78d3db5540f" ], "author": { "name": "Andy Roulin", "email": "aroulin@nvidia.com", "time": "Tue Jun 02 11:51:38 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 08:47:45 2026 -0700" }, "message": "selftests: net: add vxlan vnifilter notification test\n\nAdd a selftest for VXLAN vnifilter netlink notifications that verifies\nRTM_NEWTUNNEL and RTM_DELTUNNEL are sent correctly when VNIs are added,\ndeleted, or updated, and that no spurious notifications are sent when\na VNI is re-added with the same attributes.\n\nSigned-off-by: Andy Roulin \u003caroulin@nvidia.com\u003e\nAcked-by: Petr Machata \u003cpetrm@nvidia.com\u003e\nLink: https://patch.msgid.link/20260602185138.253265-4-aroulin@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "84683b5b60c7274e2c8f7f413d39d78d3db5540f", "tree": "9a747be88694409c7ca040991cce01d46c784fd3", "parents": [ "aa6ca1c5c338907817374b59f7551fd855a88754" ], "author": { "name": "Andy Roulin", "email": "aroulin@nvidia.com", "time": "Tue Jun 02 11:51:37 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 08:47:45 2026 -0700" }, "message": "vxlan: vnifilter: fix spurious notification on VNI update\n\nWhen a VNI is re-added with the same attributes (e.g. same group or no\ngroup), vxlan_vni_update() sends a spurious RTM_NEWTUNNEL notification\neven though nothing changed.\n\nThe bug is that \u0027if (changed)\u0027 tests whether the pointer is non-NULL,\nnot the bool value it points to. Since every caller passes a valid\npointer, the condition is always true and the notification fires\nunconditionally.\n\nFix by dereferencing the pointer: \u0027if (*changed)\u0027.\n\nReproducer:\n\n # ip link add vxlan100 type vxlan dstport 4789 local 10.0.0.1 \\\n nolearning external vnifilter\n # ip link set vxlan100 up\n # bridge monitor vni \u0026\n # bridge vni add vni 1000 dev vxlan100\n # bridge vni add vni 1000 dev vxlan100 # spurious notification\n\nFixes: f9c4bb0b245c (\"vxlan: vni filtering support on collect metadata device\")\nSigned-off-by: Andy Roulin \u003caroulin@nvidia.com\u003e\nReviewed-by: Petr Machata \u003cpetrm@nvidia.com\u003e\nLink: https://patch.msgid.link/20260602185138.253265-3-aroulin@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "aa6ca1c5c338907817374b59f7551fd855a88754", "tree": "118ba2b0e60695f7d4600062fbab8ce8143dcb3d", "parents": [ "ab1ecaabe74b7d86c38ab2ab44bd56cdcc33645a" ], "author": { "name": "Andy Roulin", "email": "aroulin@nvidia.com", "time": "Tue Jun 02 11:51:36 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 08:47:45 2026 -0700" }, "message": "vxlan: vnifilter: send notification on VNI add\n\nWhen a new VNI is added to a vxlan device with vnifilter enabled,\nno RTM_NEWTUNNEL notification is sent to userspace. This means\n\u0027bridge monitor vni\u0027 never shows VNI add events, even though\nVNI delete events are reported correctly.\n\nThe bug is in vxlan_vni_add(), where the notification is guarded by\n\u0027if (changed)\u0027. The \u0027changed\u0027 flag is set by vxlan_vni_update_group()\nonly when the multicast group or remote IP is modified, but for a\nnew VNI added without a group (e.g. in L3 VxLAN interface scenarios),\nthe function returns early without setting changed\u003dtrue. Since this\nis a new VNI, the notification should be sent unconditionally.\n\nThe notification is not guarded by the return value of\nvxlan_vni_update_group() because, at this point, the VNI has already\nbeen inserted into the hash table and list with no rollback on error.\nThe VNI will be visible in \u0027bridge vni show\u0027 regardless, so userspace\nshould be informed. This is consistent with vxlan_vni_del() which also\nnotifies unconditionally.\n\nThe \u0027if (changed)\u0027 guard remains correct in vxlan_vni_update(), which\nhandles the case where a VNI already exists and is being re-added --\nthere, we only want to notify if the group/remote actually changed.\n\nReproducer:\n\n # ip link add vxlan100 type vxlan dstport 4789 local 10.0.0.1 \\\n nolearning external vnifilter\n # ip link set vxlan100 up\n # bridge monitor vni \u0026\n # bridge vni add vni 1000 dev vxlan100 # no notification\n # bridge vni delete vni 1000 dev vxlan100 # notification received\n\nFixes: f9c4bb0b245c (\"vxlan: vni filtering support on collect metadata device\")\nReported-by: Chirag Shah \u003cchirag@nvidia.com\u003e\nSigned-off-by: Andy Roulin \u003caroulin@nvidia.com\u003e\nReviewed-by: Petr Machata \u003cpetrm@nvidia.com\u003e\nLink: https://patch.msgid.link/20260602185138.253265-2-aroulin@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "ab1ecaabe74b7d86c38ab2ab44bd56cdcc33645a", "tree": "82de85759ada47d11f6500d6c26839cf3c75f224", "parents": [ "1d31eb27e570daa04f5373345f9ac98c95863be9" ], "author": { "name": "Justin Lai", "email": "justinlai0215@realtek.com", "time": "Tue Jun 02 19:46:59 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 08:35:30 2026 -0700" }, "message": "rtase: Reset TX subqueue when clearing TX ring\n\nrtase_tx_clear() clears the TX ring and resets the ring indexes.\nHowever, the TX queue state and BQL accounting are not reset at\nthe same time.\n\nThis may leave __QUEUE_STATE_STACK_XOFF asserted after\nrtase_sw_reset(), preventing new TX packets from being scheduled.\n\nReset the TX subqueue when clearing the TX ring so the TX queue\nstate and BQL accounting are restored together.\n\nFixes: 5a2a2f15244c (\"rtase: Implement the rtase_down function\")\nCc: stable@vger.kernel.org\nSigned-off-by: Justin Lai \u003cjustinlai0215@realtek.com\u003e\nReviewed-by: Alexander Lobakin \u003caleksander.lobakin@intel.com\u003e\nLink: https://patch.msgid.link/20260602114659.12335-1-justinlai0215@realtek.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "1d31eb27e570daa04f5373345f9ac98c95863be9", "tree": "cab775bd28e2978461bd8b44e1f3f0460348a568", "parents": [ "1232b3104b4b2c0267f31608fe0f8a8758428f28" ], "author": { "name": "Nithin Dabilpuram", "email": "ndabilpuram@marvell.com", "time": "Tue Jun 02 10:28:53 2026 +0530" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 08:32:06 2026 -0700" }, "message": "octeontx2-af: npc: Fix CPT channel mask in npc_install_flow\n\nUse the CPT-aware NIX channel mask in the npc_install_flow path so that\nwhen the host PF installs steering rules in kernel for a VF used from\nuserspace (e.g. DPDK), MCAM entries see the same channel mask semantics as\nother RX paths.\n\nFixes: 56bcef528bd8 (\"octeontx2-af: Use npc_install_flow API for promisc and broadcast entries\")\nCc: Naveen Mamindlapalli \u003cnaveenm@marvell.com\u003e\nSigned-off-by: Nithin Dabilpuram \u003cndabilpuram@marvell.com\u003e\nSigned-off-by: Ratheesh Kannoth \u003crkannoth@marvell.com\u003e\nLink: https://patch.msgid.link/20260602045853.1558530-1-rkannoth@marvell.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "1232b3104b4b2c0267f31608fe0f8a8758428f28", "tree": "3d70f4a4abc88100ad5d886e75831ddb62d15b6b", "parents": [ "0861615c28de668669d748ef4eb913ea9262d13b" ], "author": { "name": "Zhi Li", "email": "lizhi2@eswincomputing.com", "time": "Tue Jun 02 09:45:28 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 08:30:37 2026 -0700" }, "message": "dt-bindings: ethernet: eswin: fix hsp-sp-csr backward compatibility\n\nCommit c36069c6f46c (\"dt-bindings: ethernet: eswin: add optional TXD and\nRXD delay register offsets\") added two optional cells to eswin,hsp-sp-csr\nbut omitted minItems: 4.\n\nAs a result, dt-schema implicitly required all 6 cells, which broke\nbackward compatibility with existing 4-cell device trees.\n\nAdd minItems: 4 to preserve backward compatibility.\n\nFixes: c36069c6f46c (\"dt-bindings: ethernet: eswin: add optional TXD and RXD delay register offsets\")\nReported-by: Sashiko AI \u003csashiko-bot@kernel.org\u003e\nCloses: https://lore.kernel.org/all/20260519022334.35742C2BCB7@smtp.kernel.org/\nReviewed-by: Krzysztof Kozlowski \u003ckrzysztof.kozlowski@oss.qualcomm.com\u003e\nSigned-off-by: Zhi Li \u003clizhi2@eswincomputing.com\u003e\nLink: https://patch.msgid.link/20260602014528.2076-1-lizhi2@eswincomputing.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "0861615c28de668669d748ef4eb913ea9262d13b", "tree": "b165fa098021ca0474b5d7d0ee46db43ef2bad14", "parents": [ "899ee91156e57784090c5565e4f31bd7dbffbc5a" ], "author": { "name": "Xin Long", "email": "lucien.xin@gmail.com", "time": "Mon Jun 01 21:06:06 2026 -0400" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 08:30:07 2026 -0700" }, "message": "sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing\n\nWhen a listening SCTP server processes a COOKIE_ECHO chunk, the cached\npeer INIT chunk embedded after the cookie is parsed and its parameters\nare later walked by sctp_process_init() using sctp_walk_params().\n\nHowever, the chunk header length of this cached INIT chunk was not\nvalidated against the remaining buffer in the COOKIE_ECHO payload. If\nthe length field is inflated, the parameter walk can run beyond the\nactual received data, leading to out-of-bounds reads and potential\nmemory corruption during later parameter handling (e.g. STATE_COOKIE\nprocessing and kmemdup() copies).\n\nAdd a bounds check in sctp_unpack_cookie() to ensure the cached INIT\nchunk length does not exceed the available data in the COOKIE_ECHO\nbuffer before it is used.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nReported-by: Brian Geffon \u003cbgeffon@google.com\u003e\nSigned-off-by: Xin Long \u003clucien.xin@gmail.com\u003e\nLink: https://patch.msgid.link/eb60825fa22d6f9e663c7d4dbb69f397b5d34d42.1780362366.git.lucien.xin@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "899ee91156e57784090c5565e4f31bd7dbffbc5a", "tree": "2b86ddaf944d4fa41b32636415608f27264ccf3f", "parents": [ "c05fa14db43ebef3bd862ca9d073981c0358b3f0" ], "author": { "name": "Rajat Gupta", "email": "rajat.gupta@oss.qualcomm.com", "time": "Sun May 31 08:32:21 2026 -0400" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Thu Jun 04 08:29:02 2026 -0700" }, "message": "net/sched: fix pedit partial COW leading to page cache corruption\n\ntcf_pedit_act() computes the COW range for skb_ensure_writable()\nonce before the key loop using tcfp_off_max_hint, but the hint does\nnot account for the runtime header offset added by typed keys. This\ncan leave part of the write region un-COW\u0027d.\n\nFix by moving skb_ensure_writable() inside the per-key loop where\nthe actual write offset is known, and add overflow checking on the\noffset arithmetic. For negative offsets (e.g. Ethernet header edits\nat ingress), use skb_cow() to COW the headroom instead. Guard\noffset_valid() against INT_MIN, where negation is undefined.\n\nFixes: 8b796475fd78 (\"net/sched: act_pedit: really ensure the skb is writable\")\nReported-by: Yiming Qian \u003cyimingqian591@gmail.com\u003e\nReported-by: Keenan Dong \u003ckeenanat2000@gmail.com\u003e\nReported-by: Han Guidong \u003c2045gemini@gmail.com\u003e\nReported-by: Zhang Cen \u003crollkingzzc@gmail.com\u003e\nReviewed-by: Han Guidong \u003c2045gemini@gmail.com\u003e\nTested-by: Han Guidong \u003c2045gemini@gmail.com\u003e\nReviewed-by: Davide Caratti \u003cdcaratti@redhat.com\u003e\nTested-by: Davide Caratti \u003cdcaratti@redhat.com\u003e\nReviewed-by: Toke Høiland-Jørgensen \u003ctoke@redhat.com\u003e\nTested-by: Toke Høiland-Jørgensen \u003ctoke@redhat.com\u003e\nReviewed-by: Victor Nogueira \u003cvictor@mojatatu.com\u003e\nTested-by: Victor Nogueira \u003cvictor@mojatatu.com\u003e\nAcked-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nSigned-off-by: Rajat Gupta \u003crajat.gupta@oss.qualcomm.com\u003e\nLink: https://patch.msgid.link/20260531123221.48732-1-jhs@mojatatu.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "c05fa14db43ebef3bd862ca9d073981c0358b3f0", "tree": "0841759ebe77ba5a89f490ea1ee9ed85aec3c035", "parents": [ "a764b0e8317a863006e05732e1aefe821b9d8c2d" ], "author": { "name": "Raf Dickson", "email": "rafdog35@gmail.com", "time": "Tue May 26 10:43:56 2026 +0000" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 04 13:08:02 2026 +0200" }, "message": "vsock/vmci: fix sk_ack_backlog leak on failed handshake\n\nWhen vmci_transport_recv_connecting_server() returns an error,\nvmci_transport_recv_listen() calls vsock_remove_pending() but never\ncalls sk_acceptq_removed(). This leaves sk_ack_backlog incremented\npermanently.\n\nRepeated handshake failures (malformed packets, queue pair alloc\nfailure, event subscribe failure) cause sk_ack_backlog to climb\ntoward sk_max_ack_backlog. Once it reaches the limit the listener\npermanently refuses all new connections with -ECONNREFUSED, a\nsilent denial of service requiring a process restart to recover.\n\nThe two existing sk_acceptq_removed() calls in af_vsock.c do not\ncover this path: line 764 checks vsock_is_pending() which returns\nfalse after vsock_remove_pending(), and line 1889 is only reached\non successful accept().\n\nFix by balancing sk_acceptq_added() with sk_acceptq_removed() on\nthe error path.\n\nFixes: d021c344051a (\"VSOCK: Introduce VM Sockets\")\nCc: stable@vger.kernel.org\nSigned-off-by: Raf Dickson \u003crafdog35@gmail.com\u003e\nAcked-by: Stefano Garzarella \u003csgarzare@redhat.com\u003e\nLink: https://patch.msgid.link/20260526104356.469928-1-rafdog35@gmail.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "a764b0e8317a863006e05732e1aefe821b9d8c2d", "tree": "0d01eb8cd7e5a747649024ed6336eb63c61a7bbf", "parents": [ "1231623fd3b5aa6b41cce799ffb0d82e10914be4" ], "author": { "name": "ZhaoJinming", "email": "zhaojinming@uniontech.com", "time": "Mon Jun 01 16:56:49 2026 +0800" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 04 11:38:51 2026 +0200" }, "message": "net: bonding: fix NULL pointer dereference in bond_do_ioctl()\n\nIn bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which\ncan return NULL if the requested interface name does not exist. However,\nthe subsequent slave_dbg() call is placed before the NULL check:\n\n slave_dev \u003d __dev_get_by_name(net, ifr-\u003eifr_slave);\n slave_dbg(bond_dev, slave_dev, \"slave_dev\u003d%p:\\n\", slave_dev); //here\n if (!slave_dev)\n return -ENODEV;\n\nThe slave_dbg() macro expands to netdev_dbg(bond_dev, \"(slave %s): \" fmt,\n(slave_dev)-\u003ename, ...) which unconditionally dereferences slave_dev-\u003ename\nbefore the NULL check is performed. This results in a NULL pointer\ndereference kernel oops when a user calls bonding ioctl (e.g.\nSIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave\ninterface name.\n\nThis is reachable from userspace via the bonding ioctl interface with\nCAP_NET_ADMIN capability, making it a potential local denial-of-service\nvector.\n\nFix by moving the slave_dbg() call after the NULL check.\n\nFixes: e2a7420df2e0 (\"bonding/main: convert to using slave printk macros\")\nCc: stable@vger.kernel.org # v5.2+\nSigned-off-by: ZhaoJinming \u003czhaojinming@uniontech.com\u003e\nLink: https://patch.msgid.link/20260601085649.4029067-1-zhaojinming@uniontech.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "0652a3daa78723f955b1ebeb621665ce72bec53e", "tree": "aca0bd8b26a5c6361fa1537431c3b337888e895f", "parents": [ "e43ffb69e0438cddd72aaa30898b4dc446f664f8" ], "author": { "name": "Eva Kurchatova", "email": "eva.kurchatova@virtuozzo.com", "time": "Wed Jun 03 18:31:42 2026 +0300" }, "committer": { "name": "Steven Rostedt", "email": "rostedt@goodmis.org", "time": "Thu Jun 04 05:03:56 2026 -0400" }, "message": "tracing: Fix CFI violation in probestub being called by tprobes\n\nThe probestub is a function to allow tprobes to hook to a tracepoint to\ngain access to its parameters. The function itself is only referenced by\nthe tracepoint structure which lives in the __tracepoint section. objtool\nexplicitly ignores that section and when processing functions in the\nkernel, if it detects one that has no references it will seal it to have\nits ENDBR stripped on boot up.\n\nThis means when a tprobe is attached to the sched_wakeup tracepoint, when it\nis triggered it will call __probestub_sched_wakeup and due to the missing\nENDBR on a CFI-enabled machine it will take a #CP exception.\n\nFix this by adding CFI_NOSEAL annotation to probestub declaration.\n\nCc: stable@vger.kernel.org\nAcked-by: Masami Hiramatsu (Google) \u003cmhiramat@kernel.org\u003e\nLink: https://patch.msgid.link/20260603153147.573589-1-eva.kurchatova@virtuozzo.com\nFixes: d5173f753750 (\"objtool: Exclude __tracepoints data from ENDBR checks\")\nSigned-off-by: Eva Kurchatova \u003ceva.kurchatova@virtuozzo.com\u003e\n[ Updated change log ]\nSigned-off-by: Steven Rostedt \u003crostedt@goodmis.org\u003e\n" }, { "commit": "1231623fd3b5aa6b41cce799ffb0d82e10914be4", "tree": "5f86172c294050a66e9d71055504e1c6b14a7b8c", "parents": [ "060c1daac7e0d01651cff326c8e0326b3787b272" ], "author": { "name": "Antoine Tenart", "email": "atenart@kernel.org", "time": "Fri May 29 16:47:00 2026 +0200" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Jun 04 10:48:46 2026 +0200" }, "message": "geneve: fix length used in GRO hint UDP checksum adjustment\n\nIn geneve_post_decap_hint the length used for adjusting the UDP checksum\nshould be \u0027skb-\u003elen - gro_hint-\u003enested_tp_offset\u0027 (UDP length) instead\nof \u0027skb-\u003elen - gro_hint-\u003enested_nh_offset\u0027 (IP length).\n\nFixes: fd0dd796576e (\"geneve: use GRO hint option in the RX path\")\nCc: Paolo Abeni \u003cpabeni@redhat.com\u003e\nReported-by: Sashiko \u003csashiko-bot@kernel.org\u003e\nCloses: https://sashiko.dev/#/patchset/20260521131436.748832-1-jhs%40mojatatu.com\nSigned-off-by: Antoine Tenart \u003catenart@kernel.org\u003e\nReviewed-by: Simon Horman \u003chorms@kernel.org\u003e\nLink: https://patch.msgid.link/20260529144713.780938-1-atenart@kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "060c1daac7e0d01651cff326c8e0326b3787b272", "tree": "c407a812995141d8817a12eec0b7fa2419209a7f", "parents": [ "d20da913083042203221c16bc19bd2f3c12d171f", "80df409e1a483676826a6c66e693dba6ac507751" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:15:34 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:15:34 2026 -0700" }, "message": "Merge branch \u0027fix-use-after-free-in-metadata-dst-teardown-in-airoha_eth-and-mtk_eth_soc-drivers\u0027\n\nLorenzo Bianconi says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nFix use-after-free in metadata dst teardown in airoha_eth and mtk_eth_soc drivers\n\nairoha_metadata_dst_free() and mtk_free_dev() call metadata_dst_free()\nwhich frees the metadata_dst with kfree() immediately, bypassing the RCU\ngrace period.\nReplace metadata_dst_free() with dst_release() which properly goes\nthrough the refcount path and runs call_rcu_hurry() if refcount goes to\nzero.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260602-airoha-mtk-metadata-uaf-fix-v1-0-3aaa99d83351@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "80df409e1a483676826a6c66e693dba6ac507751", "tree": "c407a812995141d8817a12eec0b7fa2419209a7f", "parents": [ "b38cae85d1c45ff189d7ecb6ac36f41cdc3d84d0" ], "author": { "name": "Lorenzo Bianconi", "email": "lorenzo@kernel.org", "time": "Tue Jun 02 11:21:05 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:15:32 2026 -0700" }, "message": "net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown\n\nmtk_free_dev() calls metadata_dst_free() which frees the metadata_dst\nwith kfree() immediately, bypassing the RCU grace period.\nIn the RX path, skb_dst_set_noref() sets a non-refcounted pointer from\nthe skb to the metadata_dst. This function requires RCU read-side\nprotection and the dst must remain valid until all RCU readers complete.\nSince metadata_dst_free() calls kfree() directly, a use-after-free can\noccur if any skb still holds a noref pointer to the dst when the driver\ntears it down.\nReplace metadata_dst_free() with dst_release() which properly goes\nthrough the refcount path: when the refcount drops to zero, it schedules\nthe actual free via call_rcu_hurry(), ensuring all RCU readers have\ncompleted before the memory is freed.\n\nFixes: 2d7605a72906 (\"net: ethernet: mtk_eth_soc: enable hardware DSA untagging\")\nSigned-off-by: Lorenzo Bianconi \u003clorenzo@kernel.org\u003e\nLink: https://patch.msgid.link/20260602-airoha-mtk-metadata-uaf-fix-v1-2-3aaa99d83351@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "b38cae85d1c45ff189d7ecb6ac36f41cdc3d84d0", "tree": "8e57ae1de56965c96ae99239162a0513479f6fbc", "parents": [ "d20da913083042203221c16bc19bd2f3c12d171f" ], "author": { "name": "Lorenzo Bianconi", "email": "lorenzo@kernel.org", "time": "Tue Jun 02 11:21:04 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:15:32 2026 -0700" }, "message": "net: airoha: Fix use-after-free in metadata dst teardown\n\nairoha_metadata_dst_free() runs metadata_dst_free() which frees the\nmetadata_dst with kfree() immediately, bypassing the RCU grace period.\nIn the RX path, skb_dst_set_noref() sets a non-refcounted pointer from\nthe skb to the metadata_dst. This function requires RCU read-side\nprotection and the dst must remain valid until all RCU readers complete.\nSince metadata_dst_free() calls kfree() directly, an use-after-free can\noccur if any skb still holds a noref pointer to the dst when the driver\ntears it down.\nReplace metadata_dst_free() with dst_release() which properly goes\nthrough the refcount path: when the refcount drops to zero, it schedules\nthe actual free via call_rcu_hurry(), ensuring all RCU readers have\ncompleted before the memory is freed.\n\nFixes: af3cf757d5c9 (\"net: airoha: Move DSA tag in DMA descriptor\")\nSigned-off-by: Lorenzo Bianconi \u003clorenzo@kernel.org\u003e\nLink: https://patch.msgid.link/20260602-airoha-mtk-metadata-uaf-fix-v1-1-3aaa99d83351@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "d20da913083042203221c16bc19bd2f3c12d171f", "tree": "47e3d4cf34a9a67c6277e8b983acbac18d4b3ec7", "parents": [ "ac056099822eb6ffba2ad5d793348bc5a8d7552f", "149324fc762c2a7acef9c26790566f81f475e51f" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:07:46 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:07:47 2026 -0700" }, "message": "Merge tag \u0027for-net-2026-06-03\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth\n\nLuiz Augusto von Dentz says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbluetooth pull request for net:\n\n - hci_core: fix memory leak in error path of hci_alloc_dev()\n - hci_sync: reject oversized Broadcast Announcement prepend\n - MGMT: Fix backward compatibility with userspace\n - MGMT: validate advertising TLV before type checks\n - L2CAP: reject BR/EDR signaling packets over MTUsig\n - RFCOMM: validate skb length in MCC handlers\n - RFCOMM: hold listener socket in rfcomm_connect_ind()\n - ISO: Fix not releasing hdev reference on iso_conn_big_sync\n - ISO: Fix a use-after-free of the hci_conn pointer\n - ISO: Fix data-race on iso_pi fields in hci_get_route calls\n - SCO: Fix data-race on sco_pi fields in sco_connect\n - BNEP: reject short frames before parsing\n\n* tag \u0027for-net-2026-06-03\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:\n Bluetooth: MGMT: Fix backward compatibility with userspace\n Bluetooth: SCO: Fix data-race on sco_pi fields in sco_connect\n Bluetooth: ISO: Fix data-race on iso_pi fields in hci_get_route calls\n Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer\n Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync\n Bluetooth: fix memory leak in error path of hci_alloc_dev()\n Bluetooth: bnep: reject short frames before parsing\n Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend\n Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig\n Bluetooth: RFCOMM: validate skb length in MCC handlers\n Bluetooth: MGMT: validate advertising TLV before type checks\n Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260603162714.342496-1-luiz.dentz@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "ac056099822eb6ffba2ad5d793348bc5a8d7552f", "tree": "82435a55d4db5d0987abbe0a77d13ad6ea24d7ca", "parents": [ "11c31f8ee9fb650e3ed6968d4c65c79afb3b9935", "cb9959ab5f99611d27a06586add84811fe8102dc" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:07:34 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:07:35 2026 -0700" }, "message": "Merge tag \u0027wireless-2026-06-03\u0027 of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless\n\nJohannes Berg says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nThings are finally quieting down:\n - iwlwifi:\n - FW reset handshake removal for older devices\n - NIC access fix in fast resume\n - avoid too large command for some BIOSes\n - fix TX power constraints in AP mode\n - cfg80211:\n - fix netlink parse overflow\n - fix potential 6 GHz scan memory leak\n - enforce HE/EHT consistency to avoid mac80211 crash\n - mac80211: guard radiotap antenna parsing\n\n* tag \u0027wireless-2026-06-03\u0027 of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:\n wifi: cfg80211: enforce HE/EHT cap/oper consistency\n wifi: fix leak if split 6 GHz scanning fails\n wifi: mac80211: limit injected antenna index in ieee80211_parse_tx_radiotap\n wifi: nl80211: reject oversized EMA RNR lists\n wifi: iwlwifi: pcie: simplify the resume flow if fast resume is not used\n wifi: iwlwifi: mvm: avoid oversized UATS command copy\n wifi: iwlwifi: mld: send tx power constraints before link activation\n wifi: iwlwifi: mvm: don\u0027t support the reset handshake for old firmwares\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260603113208.171874-3-johannes@sipsolutions.net\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "11c31f8ee9fb650e3ed6968d4c65c79afb3b9935", "tree": "1ca95857982b1625955885cb6fe1140a8d2d3df9", "parents": [ "672bd0519e27c357c43b7f8c0d653fce3817d06e", "bd34fa0257261b76964df1c98f44b3cb4ee14620" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:04:46 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:04:47 2026 -0700" }, "message": "Merge branch \u0027mptcp-misc-fixes-for-v7-1-rc7\u0027\n\nMatthieu Baerts says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nmptcp: misc fixes for v7.1-rc7\n\nHere are various unrelated fixes:\n\n- Patch 1: fix missing wakeups when multiple threads are reading from\n the same fd. A fix for v5.7.\n\n- Patch 2: fix retransmission loop when MPTCP checksum is enabled. A fix\n for v5.14.\n\n- Patch 3: fix a TOCTOU race while computing rcv_wnd. A fix for v5.11.\n\n- Patch 4: allow subflows receive window to shrink if needed. A fix for\n v5.19.\n\n- Patches 5-6: avoid \u0027extra_subflows\u0027 to underflow with the userspace\n PM. A fix for v5.19.\n\n- Patch 7: report errors if one subflow cannot set SO_TIMESTAMPING. A\n fix for v5.14.\n\n- Patch 8: try to set TCP_MAXSEG on all subflows, before reporting\n errors, if any. A fix for v6.17.\n\n- Patch 9: check desc-\u003ecount in read_sock, to act as expected. A fix\n for v7.0.\n\n- Patch 10: fix an uninit value in mptcp_established_options, reported\n by syzbot. A fix for v7.1-rc1.\n\n- Patch 11: fix a similar issue than the previous patch, exposed by the\n same modification from v7.1-rc1, but was already causing issues since\n v5.15.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-0-856831229976@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "bd34fa0257261b76964df1c98f44b3cb4ee14620", "tree": "1ca95857982b1625955885cb6fe1140a8d2d3df9", "parents": [ "5e939544f9d2b4d5c052a07cfcde97de44263946" ], "author": { "name": "Matthieu Baerts (NGI0)", "email": "matttbe@kernel.org", "time": "Tue Jun 02 22:14:18 2026 +1000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:04:27 2026 -0700" }, "message": "mptcp: add-addr: always drop other suboptions\n\nWhen an ADD_ADDR needs to be sent, it could be prepared if there is\nenough remaining space and even if the packet is not a pure ACK. But it\nwould be dropped soon after.\n\nIndeed, in mptcp_pm_add_addr_signal(), there is enough space to fit a\nDSS of 20 octets and an ADD_ADDR echo containing an IPv4 address on 8\noctets for example. In this case, the packet would be prepared, the\nMPTCP_ADD_ADDR_ECHO bit would be removed from pm-\u003eaddr_signal, but the\noption would be silently dropped in mptcp_established_options_add_addr()\nnot to override DSS info in the union from \u0027struct mptcp_out_options\u0027,\nand also because mptcp_write_options() will enforce mutually exclusion\nwith DSS.\n\nInstead, don\u0027t even try to send an ADD_ADDR if it is not a pure ACK.\nRetry for each new packet until a pure-ACK is emitted. That\u0027s fine to do\nthat, because each time an ADD_ADDR (echo) is scheduled, a pure ACK is\nqueued.\n\nThis also simplifies the code, and the skb checks can be done earlier,\nbefore the lock.\n\nNote: also, since commit 6d0060f600ad (\"mptcp: Write MPTCP DSS headers\nto outgoing data packets\"), opts-\u003eahmac would not have been set to 0\nwhen other suboptions were not dropped, and when sending an ADD_ADDR\necho. That would have resulted in sending an ADD_ADDR using garbage\ninfo, where there was not enough space, instead of an echo one without\nthe ADD_ADDR HMAC.\n\nFixes: 1bff1e43a30e (\"mptcp: optimize out option generation\")\nCc: stable@vger.kernel.org\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-11-856831229976@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "5e939544f9d2b4d5c052a07cfcde97de44263946", "tree": "55de690c25b4650d761af8132ac44b4b56504d40", "parents": [ "c378b1a6f8dd3e02eb08661f4d5d50f236eead03" ], "author": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 02 22:14:17 2026 +1000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:04:27 2026 -0700" }, "message": "mptcp: fix uninit-value in mptcp_established_options\n\nsyzbot reported the following uninit splat:\n\n BUG: KMSAN: uninit-value in mptcp_write_data_fin net/mptcp/options.c:542 [inline]\n BUG: KMSAN: uninit-value in mptcp_established_options_dss net/mptcp/options.c:590 [inline]\n BUG: KMSAN: uninit-value in mptcp_established_options+0x112f/0x3530 net/mptcp/options.c:874\n mptcp_write_data_fin net/mptcp/options.c:542 [inline]\n mptcp_established_options_dss net/mptcp/options.c:590 [inline]\n mptcp_established_options+0x112f/0x3530 net/mptcp/options.c:874\n tcp_established_options+0x312/0xcc0 net/ipv4/tcp_output.c:1192\n __tcp_transmit_skb+0x5dc/0x5fe0 net/ipv4/tcp_output.c:1575\n __tcp_send_ack+0x967/0xad0 net/ipv4/tcp_output.c:4499\n tcp_send_ack+0x3d/0x60 net/ipv4/tcp_output.c:4505\n mptcp_subflow_shutdown+0x164/0x690 net/mptcp/protocol.c:3137\n mptcp_check_send_data_fin+0x31b/0x3d0 net/mptcp/protocol.c:3218\n __mptcp_wr_shutdown net/mptcp/protocol.c:3234 [inline]\n __mptcp_close+0x860/0x1360 net/mptcp/protocol.c:3313\n mptcp_close+0x42/0x260 net/mptcp/protocol.c:3367\n inet_release+0x1ee/0x2a0 net/ipv4/af_inet.c:442\n __sock_release net/socket.c:722 [inline]\n sock_close+0xd6/0x2f0 net/socket.c:1514\n __fput+0x60e/0x1010 fs/file_table.c:510\n ____fput+0x25/0x30 fs/file_table.c:538\n task_work_run+0x208/0x2b0 kernel/task_work.c:233\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]\n exit_to_user_mode_loop+0x306/0x1b60 kernel/entry/common.c:98\n __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]\n syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]\n __do_fast_syscall_32+0x2c7/0x460 arch/x86/entry/syscall_32.c:310\n do_fast_syscall_32+0x37/0x80 arch/x86/entry/syscall_32.c:332\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:370\n entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n\n Local variable opts created at:\n __tcp_transmit_skb+0x4d/0x5fe0 net/ipv4/tcp_output.c:1536\n __tcp_send_ack+0x967/0xad0 net/ipv4/tcp_output.c:4499\n\nThe output path currently omits initializing the mptcp extension\n`use_map` flag in a few corner cases.\n\nAddress the issue always zeroing all the extensions flags before\neventually initializing the individual bits. To that extent, introduce\nand use a struct_group to avoid multiple bitwise operations.\n\nFixes: cfcceb7a39fc (\"tcp: shrink per-packet memset in __tcp_transmit_skb()\")\nCc: stable@vger.kernel.org\nReported-by: syzbot+ff020673c5e3d94d9478@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid\u003dff020673c5e3d94d9478\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\nReviewed-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-10-856831229976@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "c378b1a6f8dd3e02eb08661f4d5d50f236eead03", "tree": "e5f78e704186d471de8765d19facf192e3b35fab", "parents": [ "7690137e70ab0fb1f8b5a30e6f087f8ee908b680" ], "author": { "name": "Gang Yan", "email": "yangang@kylinos.cn", "time": "Tue Jun 02 22:14:16 2026 +1000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:04:26 2026 -0700" }, "message": "mptcp: check desc-\u003ecount in read_sock\n\n__tcp_read_sock() checks desc-\u003ecount after each skb is consumed and\nbreaks the loop when it reaches 0. The MPTCP variant lacks this check.\n\nThis is a functional bug, other subsystems also rely on this check:\nTLS strparser sets desc-\u003ecount to 0 once a full TLS record is assembled\nand depends on this break to stop reading.\n\nAdd the same desc-\u003ecount check to __mptcp_read_sock(), mirroring\n__tcp_read_sock().\n\nFixes: 250d9766a984 (\"mptcp: implement .read_sock\")\nCc: stable@vger.kernel.org\nCo-developed-by: Geliang Tang \u003cgeliang@kernel.org\u003e\nSigned-off-by: Geliang Tang \u003cgeliang@kernel.org\u003e\nSigned-off-by: Gang Yan \u003cyangang@kylinos.cn\u003e\nReviewed-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-9-856831229976@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "7690137e70ab0fb1f8b5a30e6f087f8ee908b680", "tree": "cc221719cb221820fc3fab3788a36d4da90ba203", "parents": [ "57132affbc89c02e1bf73fdf5724311bdc9a29da" ], "author": { "name": "Matthieu Baerts (NGI0)", "email": "matttbe@kernel.org", "time": "Tue Jun 02 22:14:15 2026 +1000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:04:26 2026 -0700" }, "message": "mptcp: sockopt: set sockopt on all subflows\n\nThe mptcp_setsockopt_all_sf(), currently used only with TCP_MAXSEG,\nstopped when one subflow returned an error.\n\nEven if it is not wrong, this is different from the other helpers trying\nto set the option on all subflows, and then returning an error if at\nleast one of them had an issue.\n\nFollow this behaviour, for a question of uniformity.\n\nFixes: 51c5fd09e1b4 (\"mptcp: add TCP_MAXSEG sockopt support\")\nCc: stable@vger.kernel.org\nReviewed-by: Mat Martineau \u003cmartineau@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-8-856831229976@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "57132affbc89c02e1bf73fdf5724311bdc9a29da", "tree": "b3ee65f7b128916ef8815c28e467425dd5d2c46c", "parents": [ "06fd2bec7aebf393288e4b78924482fe170caabc" ], "author": { "name": "Matthieu Baerts (NGI0)", "email": "matttbe@kernel.org", "time": "Tue Jun 02 22:14:14 2026 +1000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:04:26 2026 -0700" }, "message": "mptcp: sockopt: check timestamping ret value\n\nsock_set_timestamping() can fail for different reasons. The returned\nvalue should then be checked.\n\nIf sock_set_timestamping() fails for at least one subflow, the first\nerror is now reported to the userspace, similar to what is done with\nother socket options.\n\nFixes: 9061f24bf82e (\"mptcp: sockopt: propagate timestamp request to subflows\")\nCc: stable@vger.kernel.org\nReported-by: Willem de Bruijn \u003cwillemdebruijn.kernel@gmail.com\u003e\nCloses: https://lore.kernel.org/willemdebruijn.kernel.178a41a53d041@gmail.com\nReviewed-by: Mat Martineau \u003cmartineau@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-7-856831229976@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "06fd2bec7aebf393288e4b78924482fe170caabc", "tree": "5352ee7515b4a77e14e01e0ccdd0a068cb15aa42", "parents": [ "14e9fea30b68fc75b2b3d97396a7e6adb544bd2a" ], "author": { "name": "Tao Cui", "email": "cuitao@kylinos.cn", "time": "Tue Jun 02 22:14:13 2026 +1000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:04:26 2026 -0700" }, "message": "selftests: mptcp: add test for extra_subflows underflow on userspace PM\n\nAdd a test to verify that when userspace PM fails to create a subflow\n(e.g. using an unreachable address), the extra_subflows counter is not\ndecremented below zero.\n\nFixes: 77e4b94a3de6 (\"mptcp: update userspace pm infos\")\nCc: stable@vger.kernel.org\nSigned-off-by: Tao Cui \u003ccuitao@kylinos.cn\u003e\nReviewed-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-6-856831229976@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "14e9fea30b68fc75b2b3d97396a7e6adb544bd2a", "tree": "91a01a8dfe7cc58ba824527c3ac42704f4bfa186", "parents": [ "da23be77e1292cd611e736c3aa17da633d7ddce7" ], "author": { "name": "Tao Cui", "email": "cuitao@kylinos.cn", "time": "Tue Jun 02 22:14:12 2026 +1000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:04:26 2026 -0700" }, "message": "mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation\n\nThe userspace PM increments extra_subflows after __mptcp_subflow_connect()\nsucceeds, but __mptcp_subflow_connect() calls mptcp_pm_close_subflow()\non failure to roll back the pre-increment done by the kernel PM\u0027s fill_*()\nhelpers. Because the userspace PM hasn\u0027t incremented yet at that point,\nthis decrement is spurious and causes extra_subflows to underflow.\n\nFix it by aligning the userspace PM with the kernel PM: increment\nextra_subflows before calling __mptcp_subflow_connect(), so the existing\nerror path in subflow.c correctly rolls it back on failure. Also simplify\nthe error handling by taking pm.lock only when needed for cleanup.\n\nFixes: 77e4b94a3de6 (\"mptcp: update userspace pm infos\")\nCc: stable@vger.kernel.org\nSigned-off-by: Tao Cui \u003ccuitao@kylinos.cn\u003e\nReviewed-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-5-856831229976@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "da23be77e1292cd611e736c3aa17da633d7ddce7", "tree": "8b45701448bb6d7c5f6562e3be993670b8eed843", "parents": [ "8ab24fdebc369c0dfb90f82c1650b1e66662bb45" ], "author": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 02 22:14:11 2026 +1000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:04:26 2026 -0700" }, "message": "mptcp: allow subflow rcv wnd to shrink\n\nIn MPTCP connection, the `window` field in the TCP header refers to the\nMPTCP-level rcv_nxt and it\u0027s right edge should not move backward. Such\nconstraint is enforced at DSS option generation time.\n\nAt the same time, the TCP stack ensures independently that the TCP-level\nrcv wnd right\u0027s edge does not move backward. That in turn causes artificial\ninflating of the MPTCP rcv window when the incoming data is acked at the\nTCP level and is OoO in the MPTCP sequence space (or lands in the backlog).\n\nAs a consequence, the incoming traffic can exceed the receiver rcvbuf size\neven when the sender is not misbehaving.\n\nPrevent such scenario forcibly allowing the TCP subflow to shrink the\nTCP-level rcv wnd regardless of the current netns setting.\n\nFixes: f3589be0c420 (\"mptcp: never shrink offered window\")\nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\nReviewed-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-4-856831229976@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "8ab24fdebc369c0dfb90f82c1650b1e66662bb45", "tree": "9ced6f920f4b79e73519968054ae4a68886c3670", "parents": [ "d1918b36edcaed0ec4ef6888b2358c6b1ddcff47" ], "author": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 02 22:14:10 2026 +1000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:04:25 2026 -0700" }, "message": "mptcp: close TOCTOU race while computing rcv_wnd\n\nThe MPTCP output path access locklessly the MPTCP-level ack_seq\nin multiple times, using possibly different values for the data_ack\nin the DSS option and to compute the announced rcv wnd for the same\npacket.\n\nRefactor the cote to avoid inconsistencies which may confuse the\npeer. Also ensure that the MPTCP level rcv wnd is updated only when\nthe egress packet actually contains a DSS ack.\n\nFixes: fa3fe2b15031 (\"mptcp: track window announced to peer\")\nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\nReviewed-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-3-856831229976@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "d1918b36edcaed0ec4ef6888b2358c6b1ddcff47", "tree": "da8c2655fca3d861f9bea20e6ba3c8a0a395980a", "parents": [ "9d8d28738f24b75616d6ca7a27cb4aed88520343" ], "author": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 02 22:14:09 2026 +1000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:04:25 2026 -0700" }, "message": "mptcp: fix retransmission loop when csum is enabled\n\nSashiko noted that retransmission with csum enabled can actually\ntransmit new data, but currently the relevant code does not update\naccordingly snd_nxt.\n\nThe may cause incoming ack drop and an endless retransmission loop.\n\nAddress the issue incrementing snd_nxt as needed.\n\nFixes: 4e14867d5e91 (\"mptcp: tune re-injections for csum enabled mode\")\nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\nReviewed-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-2-856831229976@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "9d8d28738f24b75616d6ca7a27cb4aed88520343", "tree": "6f8b1c05f45a06c3f90c6a286c73339cc2fb0f7f", "parents": [ "672bd0519e27c357c43b7f8c0d653fce3817d06e" ], "author": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Tue Jun 02 22:14:08 2026 +1000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 19:04:25 2026 -0700" }, "message": "mptcp: fix missing wakeups in edge scenarios\n\nThe mptcp_recvmsg() can fill MPTCP socket receive queue via\nmptcp_move_skbs(), but currently does not try to wakeup any listener,\nbecause the same process is going to check the receive queue soon.\n\nWhen multiple threads are reading from the same fd, the above can\ncause stall. Add the missing wakeup.\n\nFixes: 6771bfd9ee24 (\"mptcp: update mptcp ack sequence from work queue\")\nCc: stable@vger.kernel.org\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\nReviewed-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nSigned-off-by: Matthieu Baerts (NGI0) \u003cmatttbe@kernel.org\u003e\nLink: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-1-856831229976@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "672bd0519e27c357c43b7f8c0d653fce3817d06e", "tree": "1846fe3f96a8d59ad4a3e32cb8e5abf00458ea96", "parents": [ "d3915a1f5a4bc0ac911032903c3c6ab8df9fcc7c" ], "author": { "name": "Kurt Kanzenbach", "email": "kurt@linutronix.de", "time": "Fri May 29 19:11:47 2026 +0200" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 18:58:54 2026 -0700" }, "message": "ptp: vclock: Switch from RCU to SRCU\n\nThe usage of PTP vClocks leads immediately to the following issues with\nptp4l with LOCKDEP and DEBUG_ATOMIC_SLEEP enabled: \"BUG: sleeping function\ncalled from invalid context\".\n\nptp_convert_timestamp() acquires a mutex_t within a RCU read section. This\nis illegal, because acquiring a mutex_t can result in voluntary scheduling\nrequest which is not allowed within a RCU read section.\n\nReplace the RCU usage with SRCU where sleeping is allowed.\n\nReported-by: Florian Zeitz \u003cflorian.zeitz@schettke.com\u003e\nCloses: https://lore.kernel.org/all/00a8cce8-410e-4038-98af-49be6d93d7bd@schettke.com/\nFixes: 67d93ffc0f3c (\"ptp: vclock: use mutex to fix \"sleep on atomic\" bug\")\nSigned-off-by: Kurt Kanzenbach \u003ckurt@linutronix.de\u003e\nReviewed-by: Sebastian Andrzej Siewior \u003cbigeasy@linutronix.de\u003e\nLink: https://patch.msgid.link/20260529-vclock_rcu-v2-1-02a5531fab92@linutronix.de\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "d3915a1f5a4bc0ac911032903c3c6ab8df9fcc7c", "tree": "177165bb241519138849933d95bdf99ebbddd845", "parents": [ "c8e14cc9ccf999336d65bd3f638329e8bb7800ef" ], "author": { "name": "Eric Dumazet", "email": "edumazet@google.com", "time": "Tue Jun 02 16:15:47 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 18:53:14 2026 -0700" }, "message": "ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options\n\nThis patch restricts setting Loose Source and Record Route (LSRR)\nand Strict Source and Record Route (SSRR) IP options to users\nwith CAP_NET_RAW capability.\n\nThis prevents unprivileged applications from forcing packets to route\nthrough attacker-controlled nodes to leak TCP ISN and possibly other\nprotocol information.\n\nWhile LSRR and SSRR are commonly filtered in many network environments,\nthey may still be supported and forwarded along some network paths.\n\nRFC 7126 (Recommendations on Filtering of IPv4 Packets Containing\nIPv4 Options) recommend to drop these options in 4.3 and 4.4.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nReported-by: Tamir Shahar \u003ctamirthesis@gmail.com\u003e\nReported-by: Amit Klein \u003caksecurity@gmail.com\u003e\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReviewed-by: David Ahern \u003cdsahern@kernel.org\u003e\nReviewed-by: Ido Schimmel \u003cidosch@nvidia.com\u003e\nLink: https://patch.msgid.link/20260602161547.2642155-1-edumazet@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "c8e14cc9ccf999336d65bd3f638329e8bb7800ef", "tree": "9dbbd2b8dd8e1dad1675e68f5aa0fef199fe5896", "parents": [ "9a85ec3dc28b6df246801c19e4d9bae6297a25b0", "dd8975ad710ea1f3d7c7a36295072fd5ee59ca0a" ], "author": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 18:52:28 2026 -0700" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 18:52:29 2026 -0700" }, "message": "Merge branch \u0027af_unix-fix-inq_len-update-issue\u0027\n\nJianyu Li says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\naf_unix: Fix inq_len update issue\n\nFrom: Jianyu Li \u003cjianyu.li@mediatek.com\u003e\n\nThis series fix the problem that inq_len is inconsistent with\nactual remaining byte count when only part of a skb is consumed.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260601113640.231897-1-jianyu.li@mediatek.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "dd8975ad710ea1f3d7c7a36295072fd5ee59ca0a", "tree": "9dbbd2b8dd8e1dad1675e68f5aa0fef199fe5896", "parents": [ "c1f07a7f2d47aeb9878301e7bb36bc1c2bc2be8e" ], "author": { "name": "Jianyu Li", "email": "jianyu.li@mediatek.com", "time": "Mon Jun 01 19:36:40 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 18:52:25 2026 -0700" }, "message": "af_unix: Add test for SCM_INQ on partial read\n\nAdd test to verify that when a skb is partially consumed,\nunix_inq_len() return correct remaining byte count.\n\nBefore:\n\n # RUN scm_inq.stream.partial_read ...\n # scm_inq.c:165:partial_read:Expected remain (512) \u003d\u003d *(int *)CMSG_DATA(cmsg) (768)\n # partial_read: Test terminated by assertion\n # FAIL scm_inq.stream.partial_read\n not ok 2 scm_inq.stream.partial_read\n\nAfter:\n\n # RUN scm_inq.stream.partial_read ...\n # OK scm_inq.stream.partial_read\n ok 2 scm_inq.stream.partial_read\n\nSigned-off-by: Jianyu Li \u003cjianyu.li@mediatek.com\u003e\nReviewed-by: Kuniyuki Iwashima \u003ckuniyu@google.com\u003e\nLink: https://patch.msgid.link/20260601113640.231897-3-jianyu.li@mediatek.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "c1f07a7f2d47aeb9878301e7bb36bc1c2bc2be8e", "tree": "6e62c19b5a0bf1e877e46467bfeddefec0d173a4", "parents": [ "9a85ec3dc28b6df246801c19e4d9bae6297a25b0" ], "author": { "name": "Jianyu Li", "email": "jianyu.li@mediatek.com", "time": "Mon Jun 01 19:36:39 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 18:52:25 2026 -0700" }, "message": "af_unix: Fix inq_len update problem in partial read\n\nCurrently inq_len is updated only when the whole skb is consumed.\nIf only part of the data is read, following SIOCINQ query would\nget value greater than what actually left.\n\nThis change update inq_len timely in unix_stream_read_generic(),\nand adjust unix_stream_read_skb() accordingly to prevent\nrepetitive update.\n\nFixes: f4e1fb04c123 (\"af_unix: Use cached value for SOCK_STREAM in unix_inq_len().\")\nSigned-off-by: Jianyu Li \u003cjianyu.li@mediatek.com\u003e\nReviewed-by: Kuniyuki Iwashima \u003ckuniyu@google.com\u003e\nLink: https://patch.msgid.link/20260601113640.231897-2-jianyu.li@mediatek.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "9a85ec3dc28b6df246801c19e4d9bae6297a25b0", "tree": "5df474986ca676b19690f5cd844b9bdea27ad4ec", "parents": [ "a910fb8f7b9e4c566db363e6c2ec378dc7153995" ], "author": { "name": "Suman Ghosh", "email": "sumang@marvell.com", "time": "Fri May 29 17:07:05 2026 +0530" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 18:12:02 2026 -0700" }, "message": "octeontx2-af: Fix initialization of mcam\u0027s entry2target_pffunc field\n\nNPC mcam entry stores a mapping between mcam entry and target pcifunc.\nDuring initialization of this field, API kmalloc_array has been used which\ncaused some junk values to array. Whereas, the array is expected to be\ninitialized by 0. This patch fixes the same by using kcalloc instead of\nkmalloc_array.\n\nFixes: 55307fcb9258 (\"octeontx2-af: Add mbox messages to install and delete MCAM rules\")\nSigned-off-by: Suman Ghosh \u003csumang@marvell.com\u003e\nSigned-off-by: Subbaraya Sundeep \u003csbhatta@marvell.com\u003e\nReviewed-by: Simon Horman \u003chorms@kernel.org\u003e\nLink: https://patch.msgid.link/1780054625-17090-1-git-send-email-sbhatta@marvell.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "a910fb8f7b9e4c566db363e6c2ec378dc7153995", "tree": "524fa25b95b3b4dd5c93ca566e1bc18eca8cad18", "parents": [ "2cdeaba5a1087f0f83e56729ea5c730b498639d9" ], "author": { "name": "Geetha sowjanya", "email": "gakula@marvell.com", "time": "Fri May 29 17:07:57 2026 +0530" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 18:11:08 2026 -0700" }, "message": "octeontx2-pf: Fix NDC sync operation errors\n\nOn system reboot \"rvu_nicpf 0002:03:00.0: NDC sync operation failed\"\nerror messages are shown, even if the operations is successful.\nThis is due to wrong if error check in ndc_syc() function.\n\nFixes: 42c45ac1419c (\"octeontx2-af: Sync NIX and NPA contexts from NDC to LLC/DRAM\")\nSigned-off-by: Geetha sowjanya \u003cgakula@marvell.com\u003e\nSigned-off-by: Subbaraya Sundeep \u003csbhatta@marvell.com\u003e\nReviewed-by: Simon Horman \u003chorms@kernel.org\u003e\nLink: https://patch.msgid.link/1780054677-17249-1-git-send-email-sbhatta@marvell.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "2cdeaba5a1087f0f83e56729ea5c730b498639d9", "tree": "5033a799153cb7c5a70ff49c1e1df4a65bb90a54", "parents": [ "56d0885514491e5ed8f7593400879ab77c52504c" ], "author": { "name": "Yizhou Zhao", "email": "zhaoyz24@mails.tsinghua.edu.cn", "time": "Fri May 29 18:50:16 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 18:08:58 2026 -0700" }, "message": "appletalk: aarp: zero-initialize aarp_entry to prevent heap info leak\n\naarp_alloc() allocates struct aarp_entry without zeroing it, but only\ninitializes refcnt and packet_queue. When an unresolved AARP entry is\ncreated, hwaddr[ETH_ALEN] is left uninitialized.\n\naarp_seq_show() later prints this field with %pM when users read\n/proc/net/atalk/arp. This can expose 6 bytes of stale heap data for\neach unresolved entry.\n\nFix this by zero-initializing struct aarp_entry at allocation time.\n\nReported-by: Yizhou Zhao \u003czhaoyz24@mails.tsinghua.edu.cn\u003e\nReported-by: Yuxiang Yang \u003cyangyx22@mails.tsinghua.edu.cn\u003e\nReported-by: Ao Wang \u003cwangao@seu.edu.cn\u003e\nReported-by: Xuewei Feng \u003cfengxw06@126.com\u003e\nReported-by: Qi Li \u003cqli01@tsinghua.edu.cn\u003e\nReported-by: Ke Xu \u003cxuke@tsinghua.edu.cn\u003e\nSigned-off-by: Yizhou Zhao \u003czhaoyz24@mails.tsinghua.edu.cn\u003e\nReviewed-by: Simon Horman \u003chorms@kernel.org\u003e\nLink: https://patch.msgid.link/20260529105017.81531-1-zhaoyz24@mails.tsinghua.edu.cn\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "56d0885514491e5ed8f7593400879ab77c52504c", "tree": "bc297b7f89226f2afc94c65a48d935481707bd46", "parents": [ "22ba97ea9cc1f63a0d0244fae38057ed452b6ac7" ], "author": { "name": "Jonas Jelonek", "email": "jelonek.jonas@gmail.com", "time": "Thu May 28 20:52:40 2026 +0000" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 17:57:31 2026 -0700" }, "message": "net: sfp: initialize i2c_block_size at adapter configure time\n\nsfp-\u003ei2c_block_size is only assigned in sfp_sm_mod_probe(), which runs\nfrom the state machine timer after SFP_F_PRESENT has been set. Between\nthose two points, sfp_module_eeprom() (the ethtool -m callback) gates\nonly on SFP_F_PRESENT and can be entered with i2c_block_size still at\nits kzalloc\u0027d value of 0.\n\nOn a pure-I2C adapter, sfp_i2c_read() then issues an i2c_transfer()\nwith msgs[1].len \u003d 0 inside a loop that subtracts this_len from len\neach iteration; on adapters that succeed a zero-length read the loop\nnever advances, spinning while holding rtnl_lock.\n\nThis was previously addressed by initializing i2c_block_size in\nsfp_alloc() (commit 813c2dd78618), but the initialization was dropped\nwhen i2c_block_size was split from i2c_max_block_size.\n\nInitialize sfp-\u003ei2c_block_size from sfp-\u003ei2c_max_block_size in\nsfp_i2c_configure(), so the field is valid as soon as the adapter is\nknown. sfp_sm_mod_probe() still reassigns it on each module insertion\nto recover from a per-module clamp to 1 (sfp_id_needs_byte_io).\n\nFixes: 7662abf4db94 (\"net: phy: sfp: Add support for SMBus module access\")\nCc: stable@vger.kernel.org\nSigned-off-by: Jonas Jelonek \u003cjelonek.jonas@gmail.com\u003e\nLink: https://patch.msgid.link/20260528205242.971410-2-jelonek.jonas@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "22ba97ea9cc1f63a0d0244fae38057ed452b6ac7", "tree": "c7d445b0846859b18775661600e1ef193e2440a1", "parents": [ "f723ccaff2fb72b71ae8a9fd283f0dee4d9ae7a3" ], "author": { "name": "Jason Xing", "email": "kernelxing@tencent.com", "time": "Sat May 30 12:26:30 2026 +0800" }, "committer": { "name": "Jakub Kicinski", "email": "kuba@kernel.org", "time": "Wed Jun 03 17:45:42 2026 -0700" }, "message": "xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata()\n\nThe TX metadata area resides in the UMEM buffer which is memory-mapped\nand concurrently writable by userspace. In xsk_skb_metadata(),\ncsum_start and csum_offset are read from shared memory for bounds\nvalidation, then read again for skb assignment. A malicious userspace\napplication can race to overwrite these values between the two reads,\nbypassing the bounds check and causing out-of-bounds memory access\nduring checksum computation in the transmit path.\n\nFix this by reading csum_start and csum_offset into local variables\nonce, then using the local copies for both validation and assignment.\n\nNote that other metadata fields (flags, launch_time) and the cached\ncsum fields may be mutually inconsistent due to concurrent userspace\nwrites, but this is benign: the only security-critical invariant is\nthat each field\u0027s validated value is the same one used, which local\ncaching guarantees.\n\nCloses: https://lore.kernel.org/all/20260503200927.73EA1C2BCB4@smtp.kernel.org/\nReviewed-by: Maciej Fijalkowski \u003cmaciej.fijalkowski@intel.com\u003e\nSigned-off-by: Jason Xing \u003ckernelxing@tencent.com\u003e\nAcked-by: Stanislav Fomichev \u003csdf@fomichev.me\u003e\nFixes: 48eb03dd2630 (\"xsk: Add TX timestamp and TX checksum offload support\")\nLink: https://patch.msgid.link/20260530042630.80626-1-kerneljasonxing@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n" }, { "commit": "9154c4af7829b6f82712b4d1a2a720adddacdb8d", "tree": "f430ffea5bb32061d70e7f848376861f232c81b9", "parents": [ "e7524845cda3c0713c0e61681dcd5263f0270fbe", "f595e8e77a51eee35e331f69321766593a845ef2" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jun 03 09:09:24 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jun 03 09:09:24 2026 -0700" }, "message": "Merge tag \u0027mmc-v7.1-rc3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc\n\nPull MMC fixes from Ulf Hansson:\n \"MMC core:\n - Fix host controller programming for eMMC fixed driver type\n\n MMC host:\n - dw_mmc-rockchip: Add missing private data for very old controllers\n - litex_mmc: Fix clock management\n - renesas_sdhi: Add OF entry for RZ/G2H SoC\n - sdhci: Manage signal voltage switch during system resume for some hosts\n - sdhci-of-dwcmshc: Fix reset, clk and SDIO support for Eswin EIC7700\"\n\n* tag \u0027mmc-v7.1-rc3\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:\n mmc: sdhci: add signal voltage switch in sdhci_resume_host\n mmc: dw_mmc-rockchip: Add missing private data for very old controllers\n mmc: litex_mmc: Set mandatory idle clocks before CMD0\n mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation\n mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC\n mmc: sdhci-of-dwcmshc: Fix reset, clk, and SDIO support for Eswin EIC7700\n mmc: core: Fix host controller programming for fixed driver type\n" }, { "commit": "e7524845cda3c0713c0e61681dcd5263f0270fbe", "tree": "381e2b34e3fff340dcab173751d9f3c66bc9bfdc", "parents": [ "ac5c3716c699f7eb6f84fc7931fdf74f0b4ceaee", "57aff991119693e09b414aff3267c0eae5e81da0" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jun 03 08:59:24 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jun 03 08:59:24 2026 -0700" }, "message": "Merge tag \u0027cgroup-for-7.1-rc6-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup\n\nPull cgroup fixes from Tejun Heo:\n \"One cpuset fix and a maintenance update, both low-risk:\n\n - Fix cpuset partition CPU accounting under sibling CPU exclusion\n that could produce wrong CPU assignments and trigger\n scheduling-domain warnings. Includes selftests.\n\n - Update an email address in MAINTAINERS\"\n\n* tag \u0027cgroup-for-7.1-rc6-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:\n cgroup/cpuset: Change Ridong\u0027s email\n cgroup/cpuset: Add test cases for sibling CPU exclusion on partition update\n cgroup/cpuset: Use effective_xcpus in partcmd_update add/del mask calculation\n" }, { "commit": "ac5c3716c699f7eb6f84fc7931fdf74f0b4ceaee", "tree": "4c799383bd5bf81c8fe7005cd5e90c593b77c1db", "parents": [ "ba3e43a9e601636f5edb54e259a74f96ca3b8fd8", "02e545c4297a26dbbc41df81b831e7f605bcd306" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jun 03 08:52:26 2026 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jun 03 08:52:26 2026 -0700" }, "message": "Merge tag \u0027sched_ext-for-7.1-rc6-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext\n\nPull sched_ext fixes from Tejun Heo:\n \"Two low-risk fixes:\n\n - Drop a spurious warning that can fire during cgroup migration while\n a sched_ext scheduler is loaded\n\n - Fix a drgn-based debug script that broke after scheduler state\n moved into a per-scheduler struct\"\n\n* tag \u0027sched_ext-for-7.1-rc6-fixes\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext:\n sched_ext: Don\u0027t warn on NULL cgrp_moving_from in scx_cgroup_move_task()\n tools/sched_ext: Fix scx_show_state per-scheduler state reads\n" }, { "commit": "149324fc762c2a7acef9c26790566f81f475e51f", "tree": "ede5ce1896656f2153b969aaab4ff9f424e85af0", "parents": [ "4847c5bca22227100ae69e96af86618b6fd2671f" ], "author": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Jun 02 16:48:34 2026 -0400" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed Jun 03 11:24:12 2026 -0400" }, "message": "Bluetooth: MGMT: Fix backward compatibility with userspace\n\nbluetoothd has a bug with makes it send extra bytes as part of\nMGMT_OP_ADD_EXT_ADV_DATA which are now being checked to be the\nexact the expected length, relax this so only when the expected\nlength is greater than the data length to cause an error since\nthat would result in accessing invalid memory, otherwise just\nignore the extra bytes.\n\nLink: https://lore.kernel.org/linux-bluetooth/20260602204749.210857-1-luiz.dentz@gmail.com/T/#u\nFixes: d3f7d17960ed (\"Bluetooth: MGMT: validate Add Extended Advertising Data length\")\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "4847c5bca22227100ae69e96af86618b6fd2671f", "tree": "e96a7688c0301f88f68a4579d05adc989a92f999", "parents": [ "9ca7053d6215d89c33f28893bfd1625a32919d3f" ], "author": { "name": "SeungJu Cheon", "email": "suunj1331@gmail.com", "time": "Mon Jun 01 20:19:08 2026 +0900" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed Jun 03 11:23:52 2026 -0400" }, "message": "Bluetooth: SCO: Fix data-race on sco_pi fields in sco_connect\n\nsco_sock_connect() copies the destination address into sco_pi(sk)-\u003edst\nunder lock_sock(), then releases the lock and calls sco_connect(),\nwhich reads dst, src, setting, and codec without holding lock_sock() in\nhci_get_route() and hci_connect_sco().\n\nThese fields may be modified concurrently by connect(), bind(), or\nsetsockopt() on the same socket, resulting in data-races reported by\nKCSAN.\n\nFix this by snapshotting dst, src, setting, and codec under lock_sock()\nat the start of sco_connect() before passing them to hci_get_route()\nand hci_connect_sco().\n\nBUG: KCSAN: data-race in memcmp+0x45/0xb0\n\nrace at unknown origin, with read to 0xffff88800e6b0dd0 of 1 bytes\nby task 315 on cpu 0:\n memcmp+0x45/0xb0\n hci_connect_acl+0x1b7/0x6b0\n hci_connect_sco+0x4d/0xb30\n sco_sock_connect+0x27b/0xd60\n __sys_connect_file+0xbd/0xe0\n __sys_connect+0xe0/0x110\n __x64_sys_connect+0x40/0x50\n x64_sys_call+0xcad/0x1c60\n do_syscall_64+0x133/0x590\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFixes: 9a8ec9e8ebb5 (\"Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm\")\nSigned-off-by: SeungJu Cheon \u003csuunj1331@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "9ca7053d6215d89c33f28893bfd1625a32919d3f", "tree": "59e4ce1d44cb9a23051ecf84d1dade19802cf23c", "parents": [ "f50331f2a1441ec49988832c3a95f2edacc47322" ], "author": { "name": "SeungJu Cheon", "email": "suunj1331@gmail.com", "time": "Mon Jun 01 20:19:07 2026 +0900" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed Jun 03 11:23:30 2026 -0400" }, "message": "Bluetooth: ISO: Fix data-race on iso_pi fields in hci_get_route calls\n\niso_connect_bis(), iso_connect_cis(), iso_listen_bis(), and\niso_conn_big_sync() call hci_get_route() using iso_pi(sk)-\u003edst,\niso_pi(sk)-\u003esrc, and iso_pi(sk)-\u003esrc_type without holding lock_sock().\n\nThese fields may be modified concurrently by connect() or setsockopt()\non the same socket, resulting in data-races reported by KCSAN.\n\nFix this by snapshotting the required fields under lock_sock() before\ncalling hci_get_route().\n\nBUG: KCSAN: data-race in memcmp+0x45/0xb0\n\nrace at unknown origin, with read to 0xffff8880122135cf of 1 bytes\nby task 333 on cpu 1:\n memcmp+0x45/0xb0\n hci_get_route+0x27e/0x490\n iso_connect_cis+0x4c/0xa10\n iso_sock_connect+0x60e/0xb30\n __sys_connect_file+0xbd/0xe0\n __sys_connect+0xe0/0x110\n __x64_sys_connect+0x40/0x50\n x64_sys_call+0xcad/0x1c60\n do_syscall_64+0x133/0x590\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFixes: 241f51931c35 (\"Bluetooth: ISO: Avoid circular locking dependency\")\nSigned-off-by: SeungJu Cheon \u003csuunj1331@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "f50331f2a1441ec49988832c3a95f2edacc47322", "tree": "7426afd1acd32b6a01e87755270c82954d893793", "parents": [ "5cbf290b79351971f20c7a533247e8d58a3f970c" ], "author": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Mon Jun 01 14:52:09 2026 -0400" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed Jun 03 11:23:09 2026 -0400" }, "message": "Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer\n\nIn iso_sock_rebind_bc(), the bis pointer is cached, then the socket lock is\ndropped:\n\tbis \u003d iso_pi(sk)-\u003econn-\u003ehcon;\n\t/* Release the socket before lookups since that requires hci_dev_lock\n\t * which shall not be acquired while holding sock_lock for proper\n\t * ordering.\n\t */\n\trelease_sock(sk);\n\thci_dev_lock(bis-\u003ehdev);\n\nDuring the unlocked window, could a concurrent close() destroy the connection\nand free the bis structure, causing hci_dev_lock(bis-\u003ehdev) to access memory\nafter it is freed, fix this by using the hdev reference which was safely\nacquired via iso_conn_get_hdev().\n\nFixes: d3413703d5f8 (\"Bluetooth: ISO: Add support to bind to trigger PAST\")\nReported-by: Sashiko \u003csashiko-bot@kernel.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "5cbf290b79351971f20c7a533247e8d58a3f970c", "tree": "f5e87f4bacedd40c9e964198fe1a6d7a881668c3", "parents": [ "37b3009bf5976e8ab77c8b9a9bc3bbd7ff49e37f" ], "author": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Mon Jun 01 14:45:42 2026 -0400" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed Jun 03 11:22:48 2026 -0400" }, "message": "Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync\n\nhci_get_route() returns a reference-counted hci_dev pointer via\nhci_dev_hold(). The function exits normally or with an error without ever\nreleasing it.\n\nFixes: 07a9342b94a9 (\"Bluetooth: ISO: Send BIG Create Sync via hci_sync\")\nReported-by: Sashiko \u003csashiko-bot@kernel.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "37b3009bf5976e8ab77c8b9a9bc3bbd7ff49e37f", "tree": "8fdf8fdf4bfbdf7f1c82458ddb66cb1e6b1ab9f2", "parents": [ "6770d3a8acdf9151769180cc3710346c4cfbe6f0" ], "author": { "name": "Bharath Reddy", "email": "kbreddy.rpbc@gmail.com", "time": "Mon Jun 01 08:54:26 2026 +0530" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed Jun 03 11:22:28 2026 -0400" }, "message": "Bluetooth: fix memory leak in error path of hci_alloc_dev()\n\nEarly failures in Bluetooth HCI UART configuration leak SRCU percpu\nmemory.\n\nWhen device initialization fails before hci_register_dev() completes,\nthe HCI_UNREGISTER flag is never set. As a result, when the device\nreference count reaches zero, bt_host_release() evaluates this flag as\nfalse and falls back to a direct kfree(hdev).\n\nBecause hci_release_dev() is bypassed, the SRCU struct initialized\nearly in hci_alloc_dev() is never cleaned up, resulting in a leak of\npercpu memory.\n\nFix the leak by explicitly calling cleanup_srcu_struct() in the\nfallback (unregistered) branch of bt_host_release() before freeing\nthe device.\n\nReported-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid\u003d535ecc844591e50588a5\nTested-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com\nFixes: 1d6123102e9f (\"Bluetooth: hci_core: Fix use-after-free in vhci_flush()\")\nSigned-off-by: Bharath Reddy \u003ckbreddy.rpbc@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "6770d3a8acdf9151769180cc3710346c4cfbe6f0", "tree": "acc52fd7c30d01e9739ae0dbc65d7079157998fc", "parents": [ "5c65b96b549ea2dcfde497436bf9e048deb87758" ], "author": { "name": "Zhang Cen", "email": "rollkingzzc@gmail.com", "time": "Fri May 29 11:22:09 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed Jun 03 11:22:10 2026 -0400" }, "message": "Bluetooth: bnep: reject short frames before parsing\n\nA BNEP peer can send a short BNEP SDU. bnep_rx_frame() reads the\npacket type byte immediately and, for control packets, reads the control\nopcode and setup UUID-size byte before proving that those bytes are\npresent. bnep_rx_control() also dereferences the control opcode without\nrejecting an empty control payload.\n\nUse skb_pull_data() for the fixed fields in bnep_rx_frame() so a NULL\nreturn gates each dereference. Split the control handler so the frame\npath can pass an opcode that has already been pulled, and keep the\nbyte-buffer wrapper for extension control payloads.\n\nFor BNEP_SETUP_CONN_REQ, name the UUID-size byte before pulling the\nsetup payload. struct bnep_setup_conn_req carries destination and source\nservice UUIDs after that byte, each uuid_size bytes, so the parser now\ndocuments that tuple explicitly instead of leaving the pull length as an\nopaque multiplication.\n\nValidation reproduced this kernel report:\nKASAN slab-out-of-bounds in bnep_rx_frame.isra.0+0x130c/0x1790\nThe buggy address belongs to the object at ffff88800c0f7908 which belongs\nto the cache kmalloc-8 of size 8\nThe buggy address is located 0 bytes to the right of allocated 1-byte\nregion [ffff88800c0f7908, ffff88800c0f7909)\nRead of size 1\nCall trace:\n dump_stack_lvl+0xb3/0x140 (?:?)\n print_address_description+0x57/0x3a0 (?:?)\n bnep_rx_frame+0x130c/0x1790 (net/bluetooth/bnep/core.c:306)\n print_report+0xb9/0x2b0 (?:?)\n __virt_addr_valid+0x1ba/0x3a0 (?:?)\n srso_alias_return_thunk+0x5/0xfbef5 (?:?)\n kasan_addr_to_slab+0x21/0x60 (?:?)\n kasan_report+0xe0/0x110 (?:?)\n process_one_work+0xfce/0x17e0 (kernel/workqueue.c:3200)\n worker_thread+0x65c/0xe40 (?:?)\n __kthread_parkme+0x184/0x230 (?:?)\n kthread+0x35e/0x470 (?:?)\n _raw_spin_unlock_irq+0x28/0x50 (?:?)\n ret_from_fork+0x586/0x870 (?:?)\n __switch_to+0x74f/0xdc0 (?:?)\n ret_from_fork_asm+0x1a/0x30 (?:?)\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nAssisted-by: Codex:gpt-5.5\nSigned-off-by: Zhang Cen \u003crollkingzzc@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "5c65b96b549ea2dcfde497436bf9e048deb87758", "tree": "d919a63c5f0ff820f2d9932c6f354928deb19b66", "parents": [ "dd214733544427587a95f66dbf3adff072568990" ], "author": { "name": "Yuqi Xu", "email": "xuyq21@lenovo.com", "time": "Fri May 29 16:54:23 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed Jun 03 11:21:48 2026 -0400" }, "message": "Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend\n\nExisting advertising instances can already hold the maximum extended\nadvertising payload. When hci_adv_bcast_annoucement() prepends the\nBroadcast Announcement service data to that payload, the combined data\nmay no longer fit in the temporary buffer used to rebuild the\nadvertising data.\n\nReject that case before copying the existing payload and report the\nfailure through the device log. This keeps the existing advertising\ndata intact and avoids overrunning the temporary buffer.\n\nFixes: 5725bc608252 (\"Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance\")\nCc: stable@kernel.org\nReported-by: Yuan Tan \u003cyuantan098@gmail.com\u003e\nReported-by: Zhengchuan Liang \u003czcliangcn@gmail.com\u003e\nReported-by: Xin Liu \u003cbird@lzu.edu.cn\u003e\nAssisted-by: Codex:GPT-5.4\nSigned-off-by: Yuqi Xu \u003cxuyq21@lenovo.com\u003e\nSigned-off-by: Ren Wei \u003cn05ec@lzu.edu.cn\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "dd214733544427587a95f66dbf3adff072568990", "tree": "82426beb7787facf80c09ddb9fc6218f94c57d76", "parents": [ "23882b828c3c8c51d0c946446a396b10abb3b16b" ], "author": { "name": "Michael Bommarito", "email": "michael.bommarito@gmail.com", "time": "Thu May 21 10:45:17 2026 -0400" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed Jun 03 11:21:24 2026 -0400" }, "message": "Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig\n\nnet/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR\nsignaling packets up to the channel MTU and dispatches each command\nwithout enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer\nwithin radio range can send a fixed-channel CID 0x0001 packet that is\nlarger than MTUsig and contains many L2CAP_ECHO_REQ commands before\npairing. In a real-radio stock-kernel run, one 681-byte signaling\npacket containing 168 zero-length ECHO_REQ commands made the target\ntransmit 168 ECHO_RSP frames over about 220 ms.\n\nImpact: a Bluetooth BR/EDR peer within radio range, before pairing, can\nforce 168 ECHO_RSP frames from one 681-byte fixed-channel signaling\npacket containing packed ECHO_REQ commands.\n\nDefine Linux\u0027s BR/EDR signaling MTU as the spec minimum of 48 bytes and\nreject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP\ncarrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched.\n\nThe Bluetooth Core spec wording for MTUExceeded says the reject\nidentifier shall match the first request command in the packet, and\nthat packets containing only responses shall be silently discarded.\nLinux intentionally deviates from that prescription: silently\ndiscarding desynchronizes the peer because the remote stack never\nlearns its responses were dropped, and locating the first request\ncommand requires walking command headers past MTUsig, i.e. processing\nbytes from a packet we have already decided is too large to process.\nWe therefore always emit one reject and use the identifier from the\nfirst command header, a single fixed-offset byte read.\n\nThe unrestricted BR/EDR signaling parser and ECHO_REQ response path both\ntrace to the initial git import; no later introducing commit is\navailable for a Fixes tag.\n\nCc: stable@vger.kernel.org\nSuggested-by: Luiz Augusto von Dentz \u003cluiz.dentz@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260518002800.1361430-1-michael.bommarito@gmail.com\nLink: https://lore.kernel.org/r/20260520135034.1060859-1-michael.bommarito@gmail.com\nLink: https://lore.kernel.org/r/20260521000555.3712030-1-michael.bommarito@gmail.com\nAssisted-by: Claude:claude-opus-4-7\nAssisted-by: Codex:gpt-5-5-xhigh\nSigned-off-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "23882b828c3c8c51d0c946446a396b10abb3b16b", "tree": "52a3222e637bf0d918d71008f111c1c65a4ac3d5", "parents": [ "de23fb62259aa01d294f77238ae3b835eb674413" ], "author": { "name": "SeungJu Cheon", "email": "suunj1331@gmail.com", "time": "Mon May 25 20:04:43 2026 +0900" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed Jun 03 11:21:03 2026 -0400" }, "message": "Bluetooth: RFCOMM: validate skb length in MCC handlers\n\nThe RFCOMM MCC handlers cast skb-\u003edata to protocol-specific structs\nwithout validating skb-\u003elen first. A malicious remote device can send\ntruncated MCC frames and trigger out-of-bounds reads in these handlers.\n\nFix this by using skb_pull_data() to validate and access the required\ndata before dereferencing it.\n\nrfcomm_recv_rpn() requires special handling since ETSI TS 07.10 allows\n1-byte RPN requests. Handle this by validating only the DLCI byte first,\nand validating the full struct only when len \u003e 1.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSuggested-by: Muhammad Bilal \u003cmeatuni001@gmail.com\u003e\nSigned-off-by: SeungJu Cheon \u003csuunj1331@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "de23fb62259aa01d294f77238ae3b835eb674413", "tree": "8b7089895c5a510aed0f92c3e48076842266451d", "parents": [ "43c441edacf953b39517a44f5e5e10a93618b226" ], "author": { "name": "Zhang Cen", "email": "rollkingzzc@gmail.com", "time": "Thu May 28 17:45:06 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed Jun 03 11:20:41 2026 -0400" }, "message": "Bluetooth: MGMT: validate advertising TLV before type checks\n\ntlv_data_is_valid() reads each advertising data field length from\ndata[i], then inspects data[i + 1] for managed EIR types before\nchecking that the current field still fits inside the supplied buffer.\n\nA malformed field whose length byte is the last byte of the buffer can\ntherefore make the parser read one byte past the advertising data.\n\nKASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING\nrequest reached that path:\n\n BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid()\n Read of size 1\n Call trace:\n tlv_data_is_valid()\n add_advertising()\n hci_mgmt_cmd()\n hci_sock_sendmsg()\n\nMove the existing element-length check before any type-octet inspection\nso each non-empty element is proven to contain its type byte before the\nparser looks at data[i + 1].\n\nFixes: 2bb36870e8cb (\"Bluetooth: Unify advertising instance flags check\")\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nSigned-off-by: Zhang Cen \u003crollkingzzc@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "43c441edacf953b39517a44f5e5e10a93618b226", "tree": "c7f091f511238a1c3db12c2c17a8f37499ed94c3", "parents": [ "cdf88b35e06f1b385f7f6228060ae541d44fbb72" ], "author": { "name": "Zhang Cen", "email": "rollkingzzc@gmail.com", "time": "Thu May 28 15:56:41 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed Jun 03 11:20:03 2026 -0400" }, "message": "Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()\n\nrfcomm_get_sock_by_channel() scans rfcomm_sk_list under the list lock,\nbut returns the selected listener after dropping that lock without\ntaking a reference. rfcomm_connect_ind() then locks the listener,\nqueues a child socket on it, and may notify it after unlocking it.\n\nThe buggy scenario involves two paths, with each column showing the\norder within that path:\n\nrfcomm_connect_ind(): listener close:\n 1. Find parent in 1. close() enters\n rfcomm_get_sock_by_channel() rfcomm_sock_release().\n 2. Drop rfcomm_sk_list.lock 2. rfcomm_sock_shutdown()\n without pinning parent. closes the listener.\n 3. Call lock_sock(parent) and 3. rfcomm_sock_kill()\n bt_accept_enqueue(parent, unlinks and puts parent.\n sk, true).\n 4. Read parent flags and may 4. parent can be freed.\n call sk_state_change().\n\nIf close wins the race, parent can be freed before\nrfcomm_connect_ind() reaches lock_sock(), bt_accept_enqueue(), or the\ndeferred-setup callback.\n\nTake a reference on the listener before leaving rfcomm_sk_list.lock.\nAfter lock_sock() succeeds, recheck that it is still in BT_LISTEN\nbefore queueing a child, cache the deferred-setup bit while the parent\nis locked, and drop the reference after the last parent use.\n\nKASAN reported a slab-use-after-free in lock_sock_nested() from\nrfcomm_connect_ind(), with the freeing stack going through\nrfcomm_sock_kill() and rfcomm_sock_release().\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Zhang Cen \u003crollkingzzc@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "cb9959ab5f99611d27a06586add84811fe8102dc", "tree": "146def2d0cfd9c8af39118994d20d2d4189d0f89", "parents": [ "7752c543536d614bfad7ada731bcee90bd214a52" ], "author": { "name": "Johannes Berg", "email": "johannes.berg@intel.com", "time": "Wed Jun 03 11:18:11 2026 +0200" }, "committer": { "name": "Johannes Berg", "email": "johannes.berg@intel.com", "time": "Wed Jun 03 13:25:19 2026 +0200" }, "message": "wifi: cfg80211: enforce HE/EHT cap/oper consistency\n\nXiang Mei reports that mac80211 could crash if eht_cap is set\nbut eht_oper isn\u0027t. Rather than fixing that for the individual\nuser(s), enforce that both HE/EHT have consistent elements.\n\nReported-by: Xiang Mei \u003cxmei5@asu.edu\u003e\nFixes: 22c64f37e1d4 (\"wifi: mac80211: Update MCS15 support in link_conf\")\nLink: https://patch.msgid.link/20260603091812.101894-2-johannes@sipsolutions.net\nSigned-off-by: Johannes Berg \u003cjohannes.berg@intel.com\u003e\n" } ], "next": "7752c543536d614bfad7ada731bcee90bd214a52" }