)]}'
{
  "log": [
    {
      "commit": "78ef59e7a6459b16f8102e0ee1c718443323d1af",
      "tree": "f0fbbe0162be13360b5e09262b90a2fcf5d0389b",
      "parents": [
        "072aa0f5c3d8f11f3159037418ec45edce7440b8",
        "f75e3eb08fe31d30a9af6ed80cdd22e6772837e2"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Fri May 29 13:01:31 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Fri May 29 13:01:31 2026 -0700"
      },
      "message": "Merge branch \u0027wireguard-fixes-for-7-1-rc6\u0027\n\nJason A. Donenfeld says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nWireGuard fixes for 7.1-rc6\n\nPlease find one small patch, fixing the order of adding padding onto a\npacket, to ensure padding bytes get zeroed properly.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260529173134.3080773-1-Jason@zx2c4.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "f75e3eb08fe31d30a9af6ed80cdd22e6772837e2",
      "tree": "f0fbbe0162be13360b5e09262b90a2fcf5d0389b",
      "parents": [
        "072aa0f5c3d8f11f3159037418ec45edce7440b8"
      ],
      "author": {
        "name": "Jason A. Donenfeld",
        "email": "Jason@zx2c4.com",
        "time": "Fri May 29 19:31:34 2026 +0200"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Fri May 29 13:01:27 2026 -0700"
      },
      "message": "wireguard: send: append trailer after expanding head\n\nWith how this is currently written, we add the trailer, zero it out, and\nthen add the header space on. If that header space requires a\nreallocation + copy, the zeros in the trailer aren\u0027t copied, because the\nskb len hasn\u0027t actually been yet expanded to cover that. Instead add the\npadding at the end of the process rather than at the beginning.\n\nFixes: e7096c131e51 (\"net: WireGuard secure network tunnel\")\nCc: stable@vger.kernel.org\nSigned-off-by: Jason A. Donenfeld \u003cJason@zx2c4.com\u003e\nLink: https://patch.msgid.link/20260529173134.3080773-2-Jason@zx2c4.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "072aa0f5c3d8f11f3159037418ec45edce7440b8",
      "tree": "9a5d7dc6df6c5c76679fe5b676c7a1c994ca0a01",
      "parents": [
        "c84ff04def255edb51e57c9f969efdfade0da16a"
      ],
      "author": {
        "name": "Fernando Fernandez Mancera",
        "email": "fmancera@suse.de",
        "time": "Fri May 29 13:23:57 2026 +0200"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Fri May 29 13:00:54 2026 -0700"
      },
      "message": "Revert \"ipv6: preserve insertion order for same-scope addresses\"\n\nChris Adams reported that preserving insertion order for same-scope\naddresses is causing SSH connections to be dropped after stopping a VM\nwhile running NetworkManager.\n\nNetworkManager caches the IPv6 address configuration, when a RA arrives,\nit determines the list of addresses to configure and checks if the\naddresses are already in the right order in the kernel. If they aren\u0027t,\nNetworkManager removes and re-adds them to achieve the desired order.\n\nAs the order changes, NetworkManager is confused and reconfigures the\naddresses on every update. In addition, this would also affect to cloud\ntooling that relies on IPv6 addresses order to identify primary and\nsecondaries addresses.\n\nThis reverts commit cb3de96eea66f5e4a580086c6a1be46e765f97f4.\n\nFixes: cb3de96eea66 (\"ipv6: preserve insertion order for same-scope addresses\")\nReported-by: Chris Adams \u003clinux@cmadams.net\u003e\nCloses: https://lore.kernel.org/netdev/20260521135310.GC977@cmadams.net/\nSigned-off-by: Fernando Fernandez Mancera \u003cfmancera@suse.de\u003e\nLink: https://patch.msgid.link/20260529112357.5079-1-fmancera@suse.de\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "c84ff04def255edb51e57c9f969efdfade0da16a",
      "tree": "d9d91746256c5170bf2ac70b129abcfc3c887c2e",
      "parents": [
        "ff6e798c2eac3ebd0501ad7e796f583fab928de8",
        "6851161feb01cea41358c9ec304bd2f981fc8505"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Fri May 29 12:57:22 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Fri May 29 12:57:23 2026 -0700"
      },
      "message": "Merge tag \u0027ipsec-2026-05-29\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec\n\nSteffen Klassert says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\npull request (net): ipsec 2026-05-29\n\n1) xfrm: route MIGRATE notifications to caller\u0027s netns\n   Thread the caller\u0027s netns through km_migrate() so that\n   MIGRATE notifications go to the issuing netns, fixing both the\n   init_net listener leak and MOBIKE notifications inside\n   non-init netns. From Maoyi Xie.\n\n2) xfrm: ipcomp: Free destination pages on acomp errors\n   Move the out_free_req label up so that allocated destination\n   pages are released on decompression errors, not only on success.\n   From Herbert Xu.\n\n3) xfrm: Check for underflow in xfrm_state_mtu\n   Reject configurations that cause xfrm_state_mtu() to underflow,\n   preventing a negative TFCPAD value from becoming a memset size\n   that triggers an out-of-bounds write of several terabytes.\n   From David Ahern.\n\n4) xfrm: ah: use skb_to_full_sk in async output callbacks\n   Convert the possibly-incomplete skb-\u003esk to a full socket pointer\n   in async AH callbacks so that a request_sock or timewait_sock\n   never reaches xfrm_output_resume() downstream consumers.\n   From Michael Bommarito.\n\n5) Add and revert: esp: fix page frag reference leak on skb_to_sgvec failure\n   The patch does not fix te issue completely.\n\n6) xfrm: esp: restore combined single-frag length gate\n   Check the aligned post-trailer combined length against a page limit\n   in the fast path, preventing skb_page_frag_refill() from falling\n   back to a page too small for the destination scatterlist.\n   From Jingguo Tan.\n\n7) xfrm: iptfs: reset runtime state when cloning SAs\n   Reinitialise the clone\u0027s mode_data runtime objects before\n   publishing it, preventing queued skbs from being freed with\n   list state copied from 
the original SA when migration fails.\n   From Shaomin Chen.\n\n8) xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit\n   Flush policy tables and drain the workqueue in a .pre_exit handler\n   so that cleanup_net() pays one RCU grace period per batch instead\n   of one per namespace, fixing stalls at high CLONE_NEWNET rates.\n   From Usama Arif.\n\n9) xfrm: input: hold netns during deferred transport reinjection\n   Take a netns reference when queueing deferred transport reinjection\n   work and drop it after the callback completes, keeping the skb-\u003ecb\n   net pointer valid until the deferred work runs.\n   From Zhengchuan Liang.\n\n* tag \u0027ipsec-2026-05-29\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:\n  Revert \"esp: fix page frag reference leak on skb_to_sgvec failure\"\n  xfrm: input: hold netns during deferred transport reinjection\n  xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit\n  xfrm: iptfs: reset runtime state when cloning SAs\n  xfrm: esp: restore combined single-frag length gate\n  esp: fix page frag reference leak on skb_to_sgvec failure\n  xfrm: ah: use skb_to_full_sk in async output callbacks\n  xfrm: Check for underflow in xfrm_state_mtu\n  xfrm: ipcomp: Free destination pages on acomp errors\n  xfrm: route MIGRATE notifications to caller\u0027s netns\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260529092648.3878973-1-steffen.klassert@secunet.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "ff6e798c2eac3ebd0501ad7e796f583fab928de8",
      "tree": "d3a7c5c004e21d60fe354db604d20e7d1e3f4f32",
      "parents": [
        "9c7da87c2dc860bb17ca1ece942495d28b1ce3b9"
      ],
      "author": {
        "name": "Pavel Begunkov",
        "email": "asml.silence@gmail.com",
        "time": "Thu May 28 19:43:53 2026 +0100"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Fri May 29 12:55:27 2026 -0700"
      },
      "message": "net: skbuff: fix pskb_carve leaking zcopy pages\n\nWhen SKBFL_MANAGED_FRAG_REFS is set, frag pages are not refcounted but\ntheir lifetime is controlled by the attached ubuf_info. To make a copy\nof the skb_shared_info, we either should clear the flag and reference\nthe frags, or keep the flag and have frags unreferenced.\n\npskb_carve_inside_header() and pskb_carve_inside_nonlinear() don\u0027t\nfollow the rule and thus can leak page references. Let\u0027s clear\nSKBFL_MANAGED_FRAG_REFS from the original skb to fix it. It\u0027s the\nsimplest way to address it, but there are more performant ways to do\nthat if it ever becomes a problem.\n\nLink: https://lore.kernel.org/all/20260523085809.26331-1-nvminh232@clc.fitus.edu.vn/\nFixes: 753f1ca4e1e50 (\"net: introduce managed frags infrastructure\")\nReported-by: Minh Nguyen \u003cminhnguyen.080505@gmail.com\u003e\nReported-by: Willem de Bruijn \u003cwillemdebruijn.kernel@gmail.com\u003e\nSigned-off-by: Pavel Begunkov \u003casml.silence@gmail.com\u003e\nReviewed-by: Willem de Bruijn \u003cwillemb@google.com\u003e\nLink: https://patch.msgid.link/1e2086aa69217d7f9c8da3d38f5be7160f1b4cd1.1779993185.git.asml.silence@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "9c7da87c2dc860bb17ca1ece942495d28b1ce3b9",
      "tree": "d7fd1bb4dd324a79e403e40f5aff59fd1cd252ea",
      "parents": [
        "9f72412bcf60144f252b0d6205106abf14344abc"
      ],
      "author": {
        "name": "Jiayuan Chen",
        "email": "jiayuan.chen@linux.dev",
        "time": "Wed May 27 13:31:31 2026 +0800"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Fri May 29 12:41:00 2026 -0700"
      },
      "message": "ipv6: fix possible infinite loop in fib6_select_path()\n\nFound while auditing the same pattern Sashiko reported in\nrt6_fill_node() [1]. Apply the same fix as\ncommit f8d8ce1b515a (\"ipv6: fix possible infinite loop in fib6_info_uses_dev()\").\n\nWriters holding tb6_lock can list_del_rcu(\u0026first-\u003efib6_siblings)\nwithout waiting for RCU readers; first-\u003efib6_siblings.next then\nstill points into the old ring and this softirq-side walker never\nreaches \u0026first-\u003efib6_siblings as its terminator. fib6_purge_rt()\nalways WRITE_ONCE()s first-\u003efib6_nsiblings to 0 before\nlist_del_rcu(), so an inside-loop check is a reliable detach signal.\n\n[1] https://sashiko.dev/#/patchset/20260526020227.4857-1-jiayuan.chen%40linux.dev\n\nFixes: d9ccb18f83ea (\"ipv6: Fix soft lockups in fib6_select_path under high next hop churn\")\nSigned-off-by: Jiayuan Chen \u003cjiayuan.chen@linux.dev\u003e\nReviewed-by: Ido Schimmel \u003cidosch@nvidia.com\u003e\nLink: https://patch.msgid.link/20260527053133.180695-2-jiayuan.chen@linux.dev\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "9f72412bcf60144f252b0d6205106abf14344abc",
      "tree": "26562abafb4ba54a411c99602262599da37caafc",
      "parents": [
        "f72eed9b84fb771019a955908132410a9ba9ea3f"
      ],
      "author": {
        "name": "Jiayuan Chen",
        "email": "jiayuan.chen@linux.dev",
        "time": "Wed May 27 13:31:30 2026 +0800"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Fri May 29 12:40:05 2026 -0700"
      },
      "message": "ipv6: fix possible infinite loop in rt6_fill_node()\n\nSashiko reported this issue [1]. Apply the same fix as\ncommit f8d8ce1b515a (\"ipv6: fix possible infinite loop in fib6_info_uses_dev()\").\n\nWriters holding tb6_lock can list_del_rcu(\u0026rt-\u003efib6_siblings)\nwithout waiting for RCU readers; rt-\u003efib6_siblings.next then still\npoints into the old ring and this softirq-side walker never reaches\n\u0026rt-\u003efib6_siblings, causing a CPU stall. fib6_del_route() always\nWRITE_ONCE()s rt-\u003efib6_nsiblings to 0 before list_del_rcu(), so an\ninside-loop check is a reliable detach signal.\n\n[1] https://sashiko.dev/#/patchset/20260526020227.4857-1-jiayuan.chen%40linux.dev\n\nFixes: d9ccb18f83ea (\"ipv6: Fix soft lockups in fib6_select_path under high next hop churn\")\nSigned-off-by: Jiayuan Chen \u003cjiayuan.chen@linux.dev\u003e\nReviewed-by: Ido Schimmel \u003cidosch@nvidia.com\u003e\nLink: https://patch.msgid.link/20260527053133.180695-1-jiayuan.chen@linux.dev\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "f72eed9b84fb771019a955908132410a9ba9ea3f",
      "tree": "701c7e23794f92bcea58473b9e5cee30c21bd893",
      "parents": [
        "1e584c304cfb94a759417130b1fc6d30b30c4cce"
      ],
      "author": {
        "name": "Yuqi Xu",
        "email": "xuyq21@lenovo.com",
        "time": "Wed May 27 11:48:15 2026 +0800"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Fri May 29 12:38:35 2026 -0700"
      },
      "message": "bpf: sockmap: fix tail fragment offset in bpf_msg_push_data\n\nWhen bpf_msg_push_data() inserts data in the middle of a scatterlist\nentry, it splits the original entry into a left fragment and a right\nfragment.\n\nThe right fragment offset is page-local, but the code advances it with\n`start`, which is the message-global insertion point. For inserts into a\nnon-first SG entry, this over-advances the offset and leaves the split\nlayout inconsistent.\n\nAdvance the right fragment offset by the fragment-local delta,\n`start - offset`, which matches the length removed from the front of the\noriginal entry.\n\nFixes: 6fff607e2f14 (\"bpf: sk_msg program helper bpf_msg_push_data\")\nCc: stable@kernel.org\nReported-by: Yuan Tan \u003cyuantan098@gmail.com\u003e\nReported-by: Zhengchuan Liang \u003czcliangcn@gmail.com\u003e\nReported-by: Xin Liu \u003cbird@lzu.edu.cn\u003e\nSigned-off-by: Yuqi Xu \u003cxuyq21@lenovo.com\u003e\nSigned-off-by: Ren Wei \u003cn05ec@lzu.edu.cn\u003e\nLink: https://patch.msgid.link/8b129d10566aa3eb43f61a8f9757bcf51707d324.1779636774.git.xuyq21@lenovo.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "1e584c304cfb94a759417130b1fc6d30b30c4cce",
      "tree": "c84d7da6bbb99fc4e97994cbb68b7efea2c5d6f2",
      "parents": [
        "422b5233b607476ac7176bfa2a101b9a103d7653"
      ],
      "author": {
        "name": "Jingguo Tan",
        "email": "tanjingguo@huawei.com",
        "time": "Wed May 27 10:33:01 2026 +0800"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Fri May 29 12:38:00 2026 -0700"
      },
      "message": "vsock/virtio: bind uarg before filling zerocopy skb\n\nvirtio_transport_send_pkt_info() allocates or reuses the zerocopy uarg\nbefore entering the send loop, but virtio_transport_alloc_skb() still\nfills the skb before it inherits that uarg. When fixed-buffer vectored\nzerocopy hits MAX_SKB_FRAGS, io_sg_from_iter() may partially attach\nmanaged frags and return -EMSGSIZE. The rollback path call kfree_skb()\nto free an skb that carries SKBFL_MANAGED_FRAG_REFS but no uarg, so\nskb_release_data() falls through to ordinary frag unref.\n\nPass the uarg into virtio_transport_alloc_skb() and bind it immediately\nbefore virtio_transport_fill_skb(). This keeps control or no-payload skbs\nuntouched while ensuring success and rollback share one lifetime rule.\n\nFixes: 581512a6dc93 (\"vsock/virtio: MSG_ZEROCOPY flag support\")\nSigned-off-by: Lin Ma \u003cmalin89@huawei.com\u003e\nSigned-off-by: Rongzhen Cui \u003ccuirongzhen@huawei.com\u003e\nSigned-off-by: Jingguo Tan \u003ctanjingguo@huawei.com\u003e\nAcked-by: Arseniy Krasnov \u003cavkrasnov@salutedevices.com\u003e\nAcked-by: Michael S. Tsirkin \u003cmst@redhat.com\u003e\nReviewed-by: Stefano Garzarella \u003csgarzare@redhat.com\u003e\nLink: https://patch.msgid.link/20260527023301.1075581-1-malin89@huawei.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "6851161feb01cea41358c9ec304bd2f981fc8505",
      "tree": "b9dc80ff7b6975bd80415718f48f608957e5a905",
      "parents": [
        "c16f74dc1d75d0e2e7670076d5375deda110ebeb"
      ],
      "author": {
        "name": "Steffen Klassert",
        "email": "steffen.klassert@secunet.com",
        "time": "Fri May 29 10:23:25 2026 +0200"
      },
      "committer": {
        "name": "Steffen Klassert",
        "email": "steffen.klassert@secunet.com",
        "time": "Fri May 29 10:23:25 2026 +0200"
      },
      "message": "Revert \"esp: fix page frag reference leak on skb_to_sgvec failure\"\n\nThis reverts commit 2982e599fff6faa21c8df147d96fc7af6c1a2f24.\n\nThe patch does not fully fix the issue and the Author does\nnot match the \u0027Signed-off-by:\u0027 tag, so revert it for now.\n\nSigned-off-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\n"
    },
    {
      "commit": "422b5233b607476ac7176bfa2a101b9a103d7653",
      "tree": "770a91964972cfd04ad25d6ea27ea0cb84cb5687",
      "parents": [
        "2412591cfe66e681374c5265e691695cd913d099"
      ],
      "author": {
        "name": "Frank Wunderlich",
        "email": "frank-w@public-files.de",
        "time": "Tue May 26 17:32:38 2026 +0200"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Thu May 28 18:09:03 2026 -0700"
      },
      "message": "net: pcs: pcs-mtk-lynxi: fix bpi-r3 serdes configuration\n\nCommit 8871389da151 introduces common pcs dts properties which writes\nrx\u003dnormal,tx\u003dnormal polarity to register SGMSYS_QPHY_WRAP_CTRL of switch.\nThis is initialized with tx-bit set and so change inverts polarity\ncompared to before.\n\nIt looks like mt7531 has tx polarity inverted in hardware and set tx-bit\nby default to restore the normal polarity.\n\nThe MT7531 datasheet quite clearly states:\nRegister 000050EC QPHY_WRAP_CTRL -- QPHY wrapper control\nReset value: 0x00000501\n\nBIT 1 RX_BIT_POLARITY -- RX bit polarity control\n 1\u0027b0: normal\n 1\u0027b1: inverted\n\nBIT 0 TX_BIT_POLARITY -- TX bit polarity control (TX default inversed\nin MT7531)\n 1\u0027b0: normal\n 1\u0027b1: inverted\n\nTill this patch the register write was only called when mediatek,pnswap\nproperty was set which cannot be done for switch because the fw-node param\nwas always NULL from switch driver in the mtk_pcs_lynxi_create call.\n\nDo not configure switch side like it\u0027s done before.\n\nFixes: 8871389da151 (\"net: pcs: pcs-mtk-lynxi: deprecate \"mediatek,pnswap\"\")\nSigned-off-by: Frank Wunderlich \u003cfrank-w@public-files.de\u003e\nReviewed-by: Vladimir Oltean \u003cvladimir.oltean@nxp.com\u003e\nLink: https://patch.msgid.link/20260526153239.30194-1-linux@fw-web.de\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "2412591cfe66e681374c5265e691695cd913d099",
      "tree": "1f91903eb3be142e4c54b77f098dbbbd55d5e5d3",
      "parents": [
        "f14fe6395a8b3d961a61e138ad7b36ba3626dd4e",
        "cdf88b35e06f1b385f7f6228060ae541d44fbb72"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Thu May 28 17:02:54 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Thu May 28 17:02:55 2026 -0700"
      },
      "message": "Merge tag \u0027for-net-2026-05-28\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth\n\nLuiz Augusto von Dentz says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbluetooth pull request for net:\n\n - hci_core: Rework hci_dev_do_reset() to use hci_sync functions\n - hci_conn: Fix memory leak in hci_le_big_terminate()\n - hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close\n - hci_sync: Reset device counters in hci_dev_close_sync()\n - hci_sync: fix UAF in hci_le_create_cis_sync\n - L2CAP: Fix possible crash on l2cap_ecred_conn_rsp\n - L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn\n - L2CAP: use chan timer to close channels in cleanup_listen()\n - L2CAP: clear chan-\u003eident on ECRED reconfiguration success\n - ISO: fix UAF in iso_recv_frame\n - ISO: serialize iso_sock_clear_timer with socket lock\n - HIDP: fix missing length checks in hidp_input_report()\n - 6lowpan: check skb_clone() return value in send_mcast_pkt()\n - btusb: Allow firmware re-download when version matches\n - hci_qca: Use 100 ms SSR delay for rampatch and NVM loading\n\n* tag \u0027for-net-2026-05-28\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:\n  Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()\n  Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close\n  Bluetooth: hci_core: Rework hci_dev_do_reset() to use hci_sync functions\n  Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock\n  Bluetooth: ISO: fix UAF in iso_recv_frame\n  Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp\n  Bluetooth: l2cap: clear chan-\u003eident on ECRED reconfiguration success\n  Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading\n  Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync\n  Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()\n  Bluetooth: 
btusb: Allow firmware re-download when version matches\n  Bluetooth: HIDP: fix missing length checks in hidp_input_report()\n  Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()\n  Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn\n  Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260528131839.462344-1-luiz.dentz@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "f14fe6395a8b3d961a61e138ad7b36ba3626dd4e",
      "tree": "8ceb3246932a734cb62b7c0d2d2aef8dcfe42270",
      "parents": [
        "ab4ac5a93b1b76aa6b12cadcba30450868d21a6f"
      ],
      "author": {
        "name": "Zhenghang Xiao",
        "email": "kipreyyy@gmail.com",
        "time": "Wed May 27 11:24:11 2026 +0800"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Thu May 28 16:36:08 2026 -0700"
      },
      "message": "sctp: fix race between sctp_wait_for_connect and peeloff\n\nsctp_wait_for_connect() drops and re-acquires the socket lock while\nwaiting for the association to reach ESTABLISHED state. During this\nwindow, another thread can peeloff the association to a new socket via\ngetsockopt(SCTP_SOCKOPT_PEELOFF), changing asoc-\u003ebase.sk. After\nre-acquiring the old socket lock, sctp_wait_for_connect() returns\nsuccess without noticing the migration — the caller then accesses\nthe association under the wrong lock in sctp_datamsg_from_user().\n\nAdd the same sk !\u003d asoc-\u003ebase.sk check that sctp_wait_for_sndbuf()\nalready has, returning an error if the association was migrated while\nwe slept.\n\nFixes: 668c9beb9020 (\"sctp: implement assign_number for sctp_stream_interleave\")\nSigned-off-by: Zhenghang Xiao \u003ckipreyyy@gmail.com\u003e\nAcked-by: Xin Long \u003clucien.xin@gmail.com\u003e\nLink: https://patch.msgid.link/20260527032411.60959-1-kipreyyy@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "ab4ac5a93b1b76aa6b12cadcba30450868d21a6f",
      "tree": "b19f7f767091dc36ff861907752ada81a3c8a841",
      "parents": [
        "3e20009988e2470063824c58b19d1c80816cc46d",
        "5b05aa36ee24297d7296ca58dfd8c448d0e4cda3"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Thu May 28 16:33:45 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Thu May 28 16:33:45 2026 -0700"
      },
      "message": "Merge branch \u0027net-mana-fix-null-dereferences-during-teardown-after-attach-failure\u0027\n\nDipayaan Roy says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnet: mana: Fix NULL dereferences during teardown after attach failure\n\nWhen mana_attach() fails (e.g. during queue allocation), the error\ncleanup frees apc-\u003etx_qp and apc-\u003erxqs and sets them to NULL. Multiple\nsubsequent teardown paths can then dereference these NULL pointers,\ncausing kernel panics.\n\nPatch 1 adds NULL guards in the low-level teardown functions\n(mana_fence_rqs, mana_destroy_vport, mana_dealloc_queues) so they are\nsafe to call regardless of queue initialization state. This covers all\ncallers: mana_remove(), mana_change_mtu() recovery, and internal error\npaths in mana_alloc_queues().\n\nPatch 2 adds an early exit in mana_detach() for already-detached ports,\nmaking it safe for non-close callers. This allows the queue reset\nhandler to safely retry mana_attach() without redundant teardown.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260525081129.1230035-1-dipayanroy@linux.microsoft.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "5b05aa36ee24297d7296ca58dfd8c448d0e4cda3",
      "tree": "b19f7f767091dc36ff861907752ada81a3c8a841",
      "parents": [
        "17bfe0a8c014ee1d542ad352cd6a0a505361664a"
      ],
      "author": {
        "name": "Dipayaan Roy",
        "email": "dipayanroy@linux.microsoft.com",
        "time": "Mon May 25 01:08:25 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Thu May 28 16:33:42 2026 -0700"
      },
      "message": "net: mana: Skip redundant detach on already-detached port\n\nWhen mana_per_port_queue_reset_work_handler() runs after a previous\ndetach succeeded but attach failed, the port is left in a detached\nstate with apc-\u003etx_qp and apc-\u003erxqs already freed. Calling\nmana_detach() again unconditionally leads to NULL pointer dereferences\nduring queue teardown.\n\nAdd an early exit in mana_detach() when the port is already in\ndetached state (!netif_device_present) for non-close callers, making\nit safe to call idempotently. This allows the queue reset handler and\nother recovery paths to simply retry mana_attach() without redundant\nteardown.\n\nFixes: 3b194343c250 (\"net: mana: Implement ndo_tx_timeout and serialize queue resets per port.\")\nReviewed-by: Haiyang Zhang \u003chaiyangz@microsoft.com\u003e\nSigned-off-by: Dipayaan Roy \u003cdipayanroy@linux.microsoft.com\u003e\nLink: https://patch.msgid.link/20260525081129.1230035-3-dipayanroy@linux.microsoft.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "17bfe0a8c014ee1d542ad352cd6a0a505361664a",
      "tree": "1e6f9954f5ea87257f48a1f5a0ddbd1b5689f98b",
      "parents": [
        "3e20009988e2470063824c58b19d1c80816cc46d"
      ],
      "author": {
        "name": "Dipayaan Roy",
        "email": "dipayanroy@linux.microsoft.com",
        "time": "Mon May 25 01:08:24 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Thu May 28 16:33:42 2026 -0700"
      },
      "message": "net: mana: Add NULL guards in teardown path to prevent panic on attach failure\n\nWhen queue allocation fails partway through, the error cleanup frees\nand NULLs apc-\u003etx_qp and apc-\u003erxqs. Multiple teardown paths such as\nmana_remove(), mana_change_mtu() recovery, and internal error handling\nin mana_alloc_queues() can subsequently call into functions that\ndereference these pointers without NULL checks:\n\n- mana_chn_setxdp() dereferences apc-\u003erxqs[0], causing a NULL pointer\n  dereference panic (CR2: 0000000000000000 at mana_chn_setxdp+0x26).\n- mana_destroy_vport() iterates apc-\u003erxqs without a NULL check.\n- mana_fence_rqs() iterates apc-\u003erxqs without a NULL check.\n- mana_dealloc_queues() iterates apc-\u003etx_qp without a NULL check.\n\nAdd NULL guards for apc-\u003erxqs in mana_fence_rqs(),\nmana_destroy_vport(), and before the mana_chn_setxdp() call. Add a\nNULL guard for apc-\u003etx_qp in mana_dealloc_queues() to skip TX queue\ndraining when TX queues were never allocated or already freed.\n\nFixes: ca9c54d2d6a5 (\"net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)\")\nReviewed-by: Haiyang Zhang \u003chaiyangz@microsoft.com\u003e\nSigned-off-by: Dipayaan Roy \u003cdipayanroy@linux.microsoft.com\u003e\nLink: https://patch.msgid.link/20260525081129.1230035-2-dipayanroy@linux.microsoft.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "3e20009988e2470063824c58b19d1c80816cc46d",
      "tree": "6a5f11ee6ca53470424990c29832bf4e31df18f5",
      "parents": [
        "b0f908d785e19d53f0c41cb5d83639b038d2e489",
        "8d26955ea5a4697c1e21a3869ceb36b90389b051"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu May 28 13:13:48 2026 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu May 28 13:13:48 2026 -0700"
      },
      "message": "Merge tag \u0027net-7.1-rc6\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net\n\nPull networking fixes from Paolo Abeni:\n \"This is again significantly bigger than the same point into the\n  previous cycle, but at least smaller than last week.\n\n  I\u0027m not aware of any pending regression for the current cycle.\n\n  Including fixes from netfilter.\n\n  Current release - regressions:\n\n    - netfilter: walk fib6_siblings under RCU\n\n  Previous releases - regressions:\n\n    - netlink: fix sending unassigned nsid after assigned one\n\n    - bridge: fix sleep in atomic context in netlink path\n\n    - sched: fix ethx:ingress -\u003e ethy:egress -\u003e ethx:ingress mirred loop\n\n    - ipv4: fix net-\u003eipv4.sysctl_local_reserved_ports UaF\n\n    - eth: tun: free page on short-frame rejection in tun_xdp_one()\n\n  Previous releases - always broken:\n\n    - skbuff: fix missing zerocopy reference in pskb_carve helpers\n\n    - handshake: drain pending requests at net namespace exit\n\n    - ethtool:\n       - rss: avoid modifying the RSS context response\n       - module: avoid leaking a netdev ref on module flash errors\n       - coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES\n\n    - netfilter: fix dst corruption in same register operation\n\n    - nfc: hci: fix out-of-bounds read in HCP header parsing\n\n    - ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()\n\n    - eth:\n       - vti: use ip6_tnl.net in vti6_changelink().\n       - vxlan: do not reuse cached ip_hdr() value after\n         skb_tunnel_check_pmtu()\"\n\n* tag \u0027net-7.1-rc6\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (94 commits)\n  dpll: zl3073x: make frequency monitor a per-device attribute\n  dpll: zl3073x: use __dpll_device_change_ntf() and remove change_work\n  dpll: export __dpll_device_change_ntf() for use under dpll_lock\n  net/handshake: Drain pending requests at net namespace exit\n  net/handshake: 
Verify file-reference balance in submit paths\n  net/handshake: Close the submit-side sock_hold race\n  net/handshake: hand off the pinned file reference to accept_doit\n  net/handshake: Take a long-lived file reference at submit\n  net/handshake: Pass negative errno through handshake_complete()\n  nvme-tcp: store negative errno in queue-\u003etls_err\n  net/handshake: Use spin_lock_bh for hn_lock\n  net: skbuff: fix missing zerocopy reference in pskb_carve helpers\n  net: hibmcge: move dma_rmb() after dma_sync_single_for_cpu() in RX path\n  net: hibmcge: disable Relaxed Ordering to fix RX packet corruption\n  selftests/tc-testing: Add netem test case exercising loops\n  selftests/tc-testing: Add mirred test cases exercising loops\n  net/sched: act_mirred: Fix return code in early mirred redirect error paths\n  net/sched: act_mirred: Fix blockcast recursion bypass leading to stack overflow\n  net/sched: Fix ethx:ingress -\u003e ethy:egress -\u003e ethx:ingress mirred loop\n  net/sched: fix packet loop on netem when duplicate is on\n  ...\n"
    },
    {
      "commit": "b0f908d785e19d53f0c41cb5d83639b038d2e489",
      "tree": "09e93b11d2387899a2cbc1e166d65cfa1dbadfc5",
      "parents": [
        "43a1e3744548e6fd85873e6fb43e293eb4010694",
        "9500077678230e36d22bf16d2b9539c13e59a801"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu May 28 12:36:39 2026 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu May 28 12:36:39 2026 -0700"
      },
      "message": "Merge tag \u0027gpio-fixes-for-v7.1-rc6\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux\n\nPull gpio fixes from Bartosz Golaszewski:\n\n - fix interrupt handling in gpio-mxc\n\n - fix scoped_guard() usage in gpio-adnp\n\n - don\u0027t accept partial writes in gpio-virtuser debugfs interface as\n   they can\u0027t really work correctly\n\n - fix resource leaks in gpio-rockchip\n\n - fix locking issues in remove path in shared GPIO management\n\n - undo the vote of a GPIO shared proxy virtual device on GPIO release\n\n* tag \u0027gpio-fixes-for-v7.1-rc6\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:\n  gpio: rockchip: teardown bugs and resource leaks\n  gpio: rockchip: convert bank-\u003eclk to devm_clk_get_enabled()\n  gpio: virtuser: Fix uninitialized data bug in gpio_virtuser_direction_do_write()\n  gpio: shared: fix lockdep false positive by removing unneeded lock\n  gpio: shared: fix deadlock on shared proxy\u0027s parent removal\n  gpio: adnp: fix flow control regression caused by scoped_guard()\n  gpio: shared: undo the vote of the proxy on GPIO free\n  gpio: mxc: fix irq_high handling\n"
    },
    {
      "commit": "43a1e3744548e6fd85873e6fb43e293eb4010694",
      "tree": "1718e70a9e68a7b3a3ba412f238df2365ffa6cb8",
      "parents": [
        "eb3f4b7426cfd2b79d65b7d37155480b32259a11"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu May 28 11:45:41 2026 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu May 28 11:45:41 2026 -0700"
      },
      "message": "security/keys: fix missed RCU read section on lookup\n\nNicholas Carlini reports that the keyring code calls assoc_array_find()\nin find_key_to_update() without holding the RCU read lock, while the\nassoc_array_gc() code really is designed around removing the node from\nthe tree and then freeing it after an RCU grace-period.\n\nThe regular key handling doesn\u0027t see this because holding the keyring\nsemaphore hides any lifetime issues, but the persistent key handling\nuses a different model.\n\nInstead of extending the keyring locking, just do the simple RCU locking\nthat the assoc_array was designed for.\n\nReported-by: Nicholas Carlini \u003cnpc@anthropic.com\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nCc: Jarkko Sakkinen \u003cjarkko@kernel.org\u003e\nCc: Paul Moore \u003cpaul@paul-moore.com\u003e\nCc: James Morris James Morris \u003cjmorris@namei.org\u003e\nCc: Serge E. Hallyn \u003cserge@hallyn.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "9500077678230e36d22bf16d2b9539c13e59a801",
      "tree": "0578b17e20bc9d2212ccd7a9671d1e4fd4756905",
      "parents": [
        "3e46c18d5d87f063a93ae0fe7662fbf6660459d5"
      ],
      "author": {
        "name": "Marco Scardovi",
        "email": "scardracs@disroot.org",
        "time": "Tue May 26 19:02:46 2026 +0200"
      },
      "committer": {
        "name": "Bartosz Golaszewski",
        "email": "bartosz.golaszewski@oss.qualcomm.com",
        "time": "Thu May 28 15:23:40 2026 +0200"
      },
      "message": "gpio: rockchip: teardown bugs and resource leaks\n\nAddress several teardown issues and resource leaks in the driver\u0027s remove\npath and error handling:\n\n1. Debounce clock reference leak: The debounce clock (bank-\u003edb_clk) is\n   obtained using of_clk_get() which increments the clock\u0027s reference\n   count, but clk_put() is never called. Register a devm action to\n   cleanly release it on unbind. Note that of_clk_get(..., 1) remains\n   necessary over devm_clk_get() because the DT binding does not define\n   clock-names, precluding name-based lookup.\n\n2. Unregistered chained IRQ handler: The chained IRQ handler is not\n   disconnected in remove(). If a stray interrupt fires after the driver\n   is removed, the kernel attempts to execute a stale handler, leading\n   to a panic. Fix this by clearing the handler in remove().\n\n3. IRQ domain leak: The linear IRQ domain and its generic chips are\n   allocated manually during probe but never removed. Remove the IRQ\n   domain during driver teardown to free the associated generic chips\n   and mappings.\n\nFixes: 936ee2675eee (\"gpio/rockchip: add driver for rockchip gpio\")\nAssisted-by: Antigravity:gemini-3.5-flash\nSigned-off-by: Marco Scardovi \u003cscardracs@disroot.org\u003e\nLink: https://patch.msgid.link/20260526171050.12785-3-scardracs@disroot.org\n[Bartosz: don\u0027t emit an error message on devres allocation failure]\nSigned-off-by: Bartosz Golaszewski \u003cbartosz.golaszewski@oss.qualcomm.com\u003e\n"
    },
    {
      "commit": "3e46c18d5d87f063a93ae0fe7662fbf6660459d5",
      "tree": "aea6d6ee7211112545004c6edbc555313b83aa9f",
      "parents": [
        "8a122b5e72cc0043705f0d524bcd15f0c0b3ec15"
      ],
      "author": {
        "name": "Marco Scardovi",
        "email": "scardracs@disroot.org",
        "time": "Tue May 26 19:02:45 2026 +0200"
      },
      "committer": {
        "name": "Bartosz Golaszewski",
        "email": "bartosz.golaszewski@oss.qualcomm.com",
        "time": "Thu May 28 15:23:40 2026 +0200"
      },
      "message": "gpio: rockchip: convert bank-\u003eclk to devm_clk_get_enabled()\n\nThe bank-\u003eclk was previously obtained via of_clk_get() and manually\nprepared/enabled. However, it was missing a corresponding clk_put() in\nboth the error paths and the remove function, leading to a reference leak.\n\nConvert the allocation to devm_clk_get_enabled(), which also properly\npropagates failures from clk_prepare_enable() that were previously ignored.\n\nThe GPIO bank device uses the same OF node as the previous of_clk_get()\ncall, so devm_clk_get_enabled(dev, NULL) correctly resolves the same\nclock provider entry.\n\nFix the reference leak and simplify the code by removing the manual\nclk_disable_unprepare() calls in the probe error paths and in the\nremove function.\n\nFixes: 936ee2675eee (\"gpio/rockchip: add driver for rockchip gpio\")\nAssisted-by: Antigravity:gemini-3.5-flash\nSigned-off-by: Marco Scardovi \u003cscardracs@disroot.org\u003e\nLink: https://patch.msgid.link/20260526171050.12785-2-scardracs@disroot.org\nSigned-off-by: Bartosz Golaszewski \u003cbartosz.golaszewski@oss.qualcomm.com\u003e\n"
    },
    {
      "commit": "8a122b5e72cc0043705f0d524bcd15f0c0b3ec15",
      "tree": "648a44d6abc1142c1afdc427b779dd4358a88900",
      "parents": [
        "9d7697fabbc72428f981c01ddbe0a6be0ce8b6fa"
      ],
      "author": {
        "name": "Dan Carpenter",
        "email": "error27@gmail.com",
        "time": "Mon May 25 10:15:16 2026 +0300"
      },
      "committer": {
        "name": "Bartosz Golaszewski",
        "email": "bartosz.golaszewski@oss.qualcomm.com",
        "time": "Thu May 28 15:23:40 2026 +0200"
      },
      "message": "gpio: virtuser: Fix uninitialized data bug in gpio_virtuser_direction_do_write()\n\nIf *ppos is non-zero (user-space write split over multiple calls to\nwrite()) then simple_write_to_buffer() won\u0027t initialize the start of the\nbuffer. Really, non-zero values for *ppos aren\u0027t going to work at all.\nCheck for that and return -EINVAL at the start of the function.\n\nFixes: 91581c4b3f29 (\"gpio: virtuser: new virtual testing driver for the GPIO API\")\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nLink: https://patch.msgid.link/ahP3BJWWy-m_qI0X@stanley.mountain\nSigned-off-by: Bartosz Golaszewski \u003cbartosz.golaszewski@oss.qualcomm.com\u003e\n"
    },
    {
      "commit": "9d7697fabbc72428f981c01ddbe0a6be0ce8b6fa",
      "tree": "493fe2323a5bb8d48157d86eb8f8750437c9b785",
      "parents": [
        "a1b836607304f71051f9f9dcccf8b5097b86a1fb"
      ],
      "author": {
        "name": "Bartosz Golaszewski",
        "email": "bartosz.golaszewski@oss.qualcomm.com",
        "time": "Fri May 22 11:12:37 2026 +0200"
      },
      "committer": {
        "name": "Bartosz Golaszewski",
        "email": "bartosz.golaszewski@oss.qualcomm.com",
        "time": "Thu May 28 15:23:40 2026 +0200"
      },
      "message": "gpio: shared: fix lockdep false positive by removing unneeded lock\n\nBy the time gpio_device_teardown_shared() is called, the parent device\nis gone from the global list of GPIO devices and all outstanding SRCU\nread-side critical sections have completed. That means that no\nconcurrent gpio_find_and_request() can call\ngpio_shared_add_proxy_lookup() for this device at this time. There\u0027s\nalso no risk of the parent device being re-bound to the driver before\nthe unbinding completes (including the child devices).\n\nLockdep produces a false-positive report about a possible circular\ndependency as it doesn\u0027t know the ordering guarantee. Not taking the\nref-\u003elock in gpio_device_teardown_shared() silences it and is safe to do.\n\nCc: stable@vger.kernel.org\nFixes: ea513dd3c066 (\"gpio: shared: make locking more fine-grained\")\nReviewed-by: Linus Walleij \u003clinusw@kernel.org\u003e\nLink: https://patch.msgid.link/20260522-gpio-shared-deadlock-v1-2-76bca088f8c0@oss.qualcomm.com\nSigned-off-by: Bartosz Golaszewski \u003cbartosz.golaszewski@oss.qualcomm.com\u003e\n"
    },
    {
      "commit": "a1b836607304f71051f9f9dcccf8b5097b86a1fb",
      "tree": "eacaa15e6b3bf0c42c5a56a64428a1a28ef9ee57",
      "parents": [
        "a5c627d90809b793fc053849b3a00609db305776"
      ],
      "author": {
        "name": "Bartosz Golaszewski",
        "email": "bartosz.golaszewski@oss.qualcomm.com",
        "time": "Fri May 22 11:12:36 2026 +0200"
      },
      "committer": {
        "name": "Bartosz Golaszewski",
        "email": "bartosz.golaszewski@oss.qualcomm.com",
        "time": "Thu May 28 15:23:39 2026 +0200"
      },
      "message": "gpio: shared: fix deadlock on shared proxy\u0027s parent removal\n\nCommit 710abda58055 (\"gpio: shared: call gpio_chip::of_xlate() if set\")\nused the mutex embedded in struct gpio_shared_entry to protect the\noffset field which now can be modified after assignment. The critical\nsection however is too wide and introduced a potential deadlock on the\nremoval of the shared GPIO proxy\u0027s parent.\n\nMake the critical section shorter - only protect the offset when it\u0027s\nbeing read.\n\nWhile at it: mention the fact that the entry lock is now also used to\nprotect against concurrent access to the offset field in the structure\u0027s\ndocumentation.\n\nCc: stable@vger.kernel.org\nFixes: 710abda58055 (\"gpio: shared: call gpio_chip::of_xlate() if set\")\nReviewed-by: Linus Walleij \u003clinusw@kernel.org\u003e\nLink: https://patch.msgid.link/20260522-gpio-shared-deadlock-v1-1-76bca088f8c0@oss.qualcomm.com\nSigned-off-by: Bartosz Golaszewski \u003cbartosz.golaszewski@oss.qualcomm.com\u003e\n"
    },
    {
      "commit": "a5c627d90809b793fc053849b3a00609db305776",
      "tree": "6264ce9cd19dc1db0ea6b0ab5dde52231011155b",
      "parents": [
        "bbec30f7e19d9a1c604da7164b8057ccee590e72"
      ],
      "author": {
        "name": "Bartosz Golaszewski",
        "email": "bartosz.golaszewski@oss.qualcomm.com",
        "time": "Fri May 22 09:35:27 2026 +0200"
      },
      "committer": {
        "name": "Bartosz Golaszewski",
        "email": "bartosz.golaszewski@oss.qualcomm.com",
        "time": "Thu May 28 15:23:39 2026 +0200"
      },
      "message": "gpio: adnp: fix flow control regression caused by scoped_guard()\n\nscoped_guard() is implemented as a for loop. Using it to protect code\nusing the continue statement changes the flow as we now only break out\nof the hidden loop inside scoped_guard(), not the original for loop. Use\na regular code block instead.\n\nFixes: c7fe19ed3973 (\"gpio: adnp: use lock guards for the I2C lock\")\nReported-by: David Lechner \u003cdlechner@baylibre.com\u003e\nCloses: https://lore.kernel.org/all/cde2abb2-4cc8-4fc9-b34a-0c5d2b95779f@baylibre.com/\nReviewed-by: Linus Walleij \u003clinusw@kernel.org\u003e\nLink: https://patch.msgid.link/20260522073527.9812-1-bartosz.golaszewski@oss.qualcomm.com\nSigned-off-by: Bartosz Golaszewski \u003cbartosz.golaszewski@oss.qualcomm.com\u003e\n"
    },
    {
      "commit": "bbec30f7e19d9a1c604da7164b8057ccee590e72",
      "tree": "01dabc0c8d4a742a7d9a0266579dc91cd1e3eec7",
      "parents": [
        "dac917ed5aead741004db8d0d5151dd577802df8"
      ],
      "author": {
        "name": "Bartosz Golaszewski",
        "email": "bartosz.golaszewski@oss.qualcomm.com",
        "time": "Fri May 22 09:49:35 2026 +0200"
      },
      "committer": {
        "name": "Bartosz Golaszewski",
        "email": "bartosz.golaszewski@oss.qualcomm.com",
        "time": "Thu May 28 15:23:39 2026 +0200"
      },
      "message": "gpio: shared: undo the vote of the proxy on GPIO free\n\nWhen the user of a shared GPIO managed by gpio-shared-proxy calls\ngpiod_put() to release it, we never undo the potential \"vote\" for\ndriving the shared line \"high\". In the free() callback, check if this\nproxy voted for \"high\" and - if so - decrease the number of votes and\npotentially revert the value to low if this is the last user.\n\nCc: stable@vger.kernel.org\nFixes: e992d54c6f97 (\"gpio: shared-proxy: implement the shared GPIO proxy driver\")\nCloses: https://sashiko.dev/#/patchset/20260513-gpio-shared-dynamic-voting-v1-1-8e1c49961b7d%40oss.qualcomm.com\nReviewed-by: Linus Walleij \u003clinusw@kernel.org\u003e\nLink: https://patch.msgid.link/20260522-gpio-shared-free-vote-v3-1-8a4fddc6bedb@oss.qualcomm.com\nSigned-off-by: Bartosz Golaszewski \u003cbartosz.golaszewski@oss.qualcomm.com\u003e\n"
    },
    {
      "commit": "cdf88b35e06f1b385f7f6228060ae541d44fbb72",
      "tree": "a50b271f0435e9194ba1d2fd4e1d416e5225d55d",
      "parents": [
        "525daaea459fc215f432de1b8debbd9144bf97b0"
      ],
      "author": {
        "name": "Heitor Alves de Siqueira",
        "email": "halves@igalia.com",
        "time": "Tue May 26 10:50:59 2026 -0300"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu May 28 08:52:21 2026 -0400"
      },
      "message": "Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()\n\nBefore resetting or closing the device, protocol counters should also be\nzeroed.\n\nFixes: d0b137062b2d (\"Bluetooth: hci_sync: Rework init stages\")\nSigned-off-by: Heitor Alves de Siqueira \u003chalves@igalia.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "525daaea459fc215f432de1b8debbd9144bf97b0",
      "tree": "8d69068986506793426f55e5901ca6b7ba46cca0",
      "parents": [
        "40b87657200cfae93e48904fd9c9c8fc3e192cae"
      ],
      "author": {
        "name": "Heitor Alves de Siqueira",
        "email": "halves@igalia.com",
        "time": "Tue May 26 10:50:58 2026 -0300"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu May 28 08:52:21 2026 -0400"
      },
      "message": "Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close\n\nSince hci_dev_close_sync() can now be called during the reset path, we\nshould also set HCI_CMD_DRAIN_WORKQUEUE. This avoids queuing timeouts\nwhile the hdev workqueue is being drained.\n\nFixes: 877afadad2dc (\"Bluetooth: When HCI work queue is drained, only queue chained work\")\nSigned-off-by: Heitor Alves de Siqueira \u003chalves@igalia.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "40b87657200cfae93e48904fd9c9c8fc3e192cae",
      "tree": "8490949f76f27d1b5edddda0edbbdbe59d9733a3",
      "parents": [
        "4b5f8e608749b7e8fa386c6e4301cf9272595859"
      ],
      "author": {
        "name": "Heitor Alves de Siqueira",
        "email": "halves@igalia.com",
        "time": "Tue May 26 10:50:57 2026 -0300"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu May 28 08:52:21 2026 -0400"
      },
      "message": "Bluetooth: hci_core: Rework hci_dev_do_reset() to use hci_sync functions\n\nThe current HCI reset function in hci_core.c duplicates most of the work\ndone by hci_dev_close_sync(), and doesn\u0027t handle LE, advertising or\ndiscovery.\n\nInstead of porting these to hci_dev_do_reset(), directly call the\nclose/open functions from hci_sync to reset the hdev. MGMT now notifies\nwhen a user performs a reset.\n\nSuggested-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\nSigned-off-by: Heitor Alves de Siqueira \u003chalves@igalia.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "4b5f8e608749b7e8fa386c6e4301cf9272595859",
      "tree": "964d6e9ea14ac8437efa2d3924b63b1f8aeff92b",
      "parents": [
        "47f23a259517abbdb8032c057a1e8a6bf3734878"
      ],
      "author": {
        "name": "Muhammad Bilal",
        "email": "meatuni001@gmail.com",
        "time": "Wed May 27 04:59:18 2026 +0000"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu May 28 08:52:21 2026 -0400"
      },
      "message": "Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock\n\niso_sock_close() calls iso_sock_clear_timer() before acquiring\nlock_sock(sk).\n\niso_sock_clear_timer() reads iso_pi(sk)-\u003econn twice without the\nsocket lock held:\n\n    if (!iso_pi(sk)-\u003econn)\n        return;\n    cancel_delayed_work(\u0026iso_pi(sk)-\u003econn-\u003etimeout_work);\n\nConcurrently, iso_conn_del() executes under lock_sock(sk) and calls\niso_chan_del(), which sets iso_pi(sk)-\u003econn to NULL and may result in\nthe final reference to the connection being dropped:\n\n    CPU0                         CPU1\n    ----                         ----\n    iso_sock_clear_timer()\n      if (conn !\u003d NULL) ...      lock_sock(sk)\n                                   iso_chan_del()\n                                   iso_pi(sk)-\u003econn \u003d NULL\n      cancel_delayed_work(conn)  /* NULL deref or UAF */\n\niso_pi(sk)-\u003econn is not stable across the unlock window, causing a\nNULL pointer dereference or use-after-free.\n\nSerialize iso_sock_clear_timer() with the socket lock by moving it\ninside lock_sock()/release_sock(), matching the pattern used in\niso_conn_del() and all other call sites.\n\nFixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a (\"Bluetooth: Add BTPROTO_ISO socket type\")\nCc: stable@vger.kernel.org\nSigned-off-by: Muhammad Bilal \u003cmeatuni001@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "47f23a259517abbdb8032c057a1e8a6bf3734878",
      "tree": "fb80ad20f4ea11865777bd03fc7b36f7c17f4120",
      "parents": [
        "41c2713b204e6cb6a94587bc6bf6935107df5479"
      ],
      "author": {
        "name": "Muhammad Bilal",
        "email": "meatuni001@gmail.com",
        "time": "Wed May 27 04:59:17 2026 +0000"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu May 28 08:52:21 2026 -0400"
      },
      "message": "Bluetooth: ISO: fix UAF in iso_recv_frame\n\niso_recv_frame reads conn-\u003esk under iso_conn_lock but releases the lock\nbefore using sk, with no reference held. A concurrent iso_sock_kill()\ncan free sk in that window, causing use-after-free on sk-\u003esk_state and\nsock_queue_rcv_skb().\n\nFix by replacing the bare pointer read with iso_sock_hold(conn), which\ncalls sock_hold() while the spinlock is held, atomically elevating the\nrefcount before the lock drops. Add a drop_put label so sock_put() is\ncalled on all exit paths where the hold succeeded.\n\nFixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a (\"Bluetooth: Add BTPROTO_ISO socket type\")\nCc: stable@vger.kernel.org\nSigned-off-by: Muhammad Bilal \u003cmeatuni001@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "41c2713b204e6cb6a94587bc6bf6935107df5479",
      "tree": "cbbc609498b8b4ea5d94157276bc52455b85029c",
      "parents": [
        "00e1950716c6ed67d74777b2db286b0fa23b4be9"
      ],
      "author": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Mon May 11 12:09:42 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu May 28 08:52:20 2026 -0400"
      },
      "message": "Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp\n\nIf dcid is received for an already-assigned destination CID the spec\nrequires that both channels be discarded, but calling l2cap_chan_del\nmay invalidate the tmp cursor created by list_for_each_entry_safe and\nin fact it is the wrong procedure as the chan-\u003edcid may be assigned\npreviously it really needs to be disconnected.\n\nCalling l2cap_chan_clone directly may still lead to l2cap_chan_del so\ninstead schedule l2cap_chan_timeout with delay 0 to close the channel\nasynchronously.\n\nFixes: 15f02b910562 (\"Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode\")\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "00e1950716c6ed67d74777b2db286b0fa23b4be9",
      "tree": "3a85cdcfc974bba5649c7f9e7c0bfc41cc98a36a",
      "parents": [
        "fa21e86caba2347e89eb65af926205a36a097c53"
      ],
      "author": {
        "name": "Zhenghang Xiao",
        "email": "kipreyyy@gmail.com",
        "time": "Tue May 26 18:51:52 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu May 28 08:52:13 2026 -0400"
      },
      "message": "Bluetooth: l2cap: clear chan-\u003eident on ECRED reconfiguration success\n\nl2cap_ecred_reconf_rsp() returns early on success without clearing\nchan-\u003eident. Every other L2CAP response handler (l2cap_ecred_conn_rsp,\nl2cap_le_connect_rsp, l2cap_config_rsp) clears chan-\u003eident after a\nsuccessful transaction to prevent the channel from matching subsequent\nresponses with the recycled ident value.\n\nA remote attacker that completed a reconfiguration as the peer can\nreplay a failure response with the stale ident, causing the kernel to\nmatch and destroy the already-established channel via\nl2cap_chan_del(chan, ECONNRESET).\n\nClear chan-\u003eident for all matching channels on success, and harden the\nfailure path by using l2cap_chan_hold_unless_zero() consistent with\nother L2CAP handlers (l2cap_le_command_rej, __l2cap_get_chan_by_ident).\n\nFixes: 15f02b910562 (\"Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode\")\nSigned-off-by: Zhenghang Xiao \u003ckipreyyy@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "8d26955ea5a4697c1e21a3869ceb36b90389b051",
      "tree": "73e9886a6a81b34fdaad06db622cfaff62948c3a",
      "parents": [
        "1af2af707f772f7f7ae7853ebe6d2695354fe85e",
        "c1224569cef038b040db0459510cd7948ecd467b"
      ],
      "author": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 14:05:31 2026 +0200"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 14:05:31 2026 +0200"
      },
      "message": "Merge branch \u0027dpll-zl3073x-various-fixes\u0027\n\nIvan Vecera says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\ndpll: zl3073x: various fixes\n\nThree fixes for the zl3073x DPLL driver.\n\nPatch 1 exports __dpll_device_change_ntf() for use by drivers that\nneed to send device change notifications from within callbacks\nalready running under dpll_lock.\n\nPatch 2 replaces the change_work workqueue mechanism with direct\ncalls to __dpll_device_change_ntf(), eliminating a race condition\nwhere the work handler could dereference a freed dpll_dev pointer\nduring device teardown.\n\nPatch 3 moves the freq_monitor flag from per-DPLL to per-device\nscope to match the hardware behavior where frequency measurement\nregisters are shared across all DPLL channels.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260526074525.1451008-1-ivecera@redhat.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "c1224569cef038b040db0459510cd7948ecd467b",
      "tree": "73e9886a6a81b34fdaad06db622cfaff62948c3a",
      "parents": [
        "d733f519f6443540f8359461a34e3b0042099bbe"
      ],
      "author": {
        "name": "Ivan Vecera",
        "email": "ivecera@redhat.com",
        "time": "Tue May 26 09:45:25 2026 +0200"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 14:05:29 2026 +0200"
      },
      "message": "dpll: zl3073x: make frequency monitor a per-device attribute\n\nThe frequency monitoring feature uses shared hardware registers\nthat measure input reference frequencies independently of\nindividual DPLL channels. However, the freq_monitor flag was\nincorrectly placed in the per-DPLL structure, causing each\nchannel to track its own enable/disable state independently.\n\nSince the DPLL core calls measured_freq_get() only for the first\npin registration, the measured_freq_check() in the periodic worker\nwas gated by the per-DPLL freq_monitor flag of whichever channel\nhappens to be checked. If the first DPLL channel had frequency\nmonitoring disabled while another had it enabled, measurements\nwere never reported.\n\nMove freq_monitor from struct zl3073x_dpll to struct zl3073x_dev\nso all DPLL channels share a single flag, matching the hardware\nbehavior. Update freq_monitor_set() to notify other DPLL devices\nabout the change (like phase_offset_avg_factor_set() already does)\nand remove the mode-dependent guard in zl3073x_dpll_changes_check()\nsince all input pin monitoring (pin state, phase offset, FFO, and\nmeasured frequency) works correctly in all DPLL modes.\n\nFixes: bfc923b642874 (\"dpll: zl3073x: implement frequency monitoring\")\nSigned-off-by: Ivan Vecera \u003civecera@redhat.com\u003e\nLink: https://patch.msgid.link/20260526074525.1451008-4-ivecera@redhat.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "d733f519f6443540f8359461a34e3b0042099bbe",
      "tree": "c351ece34456fd0d2e3301203b44d73d02020e1f",
      "parents": [
        "20040b2a3cb992f84d3db4c086b909eb9b906b31"
      ],
      "author": {
        "name": "Ivan Vecera",
        "email": "ivecera@redhat.com",
        "time": "Tue May 26 09:45:24 2026 +0200"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 14:05:29 2026 +0200"
      },
      "message": "dpll: zl3073x: use __dpll_device_change_ntf() and remove change_work\n\nThe change_work was introduced to send device change notifications\nfrom DPLL device callbacks without deadlocking on dpll_lock, since\nthe callbacks are already invoked under that lock. Now that\n__dpll_device_change_ntf() is exported for callers that already\nhold dpll_lock, use it directly and remove the change_work\ninfrastructure entirely.\n\nThis eliminates a race condition where change_work could be\nre-scheduled after cancel_work_sync() during device teardown,\npotentially causing the handler to dereference a freed or NULL\ndpll_dev pointer.\n\nFixes: 9363b4837659 (\"dpll: zl3073x: Allow to configure phase offset averaging factor\")\nSigned-off-by: Ivan Vecera \u003civecera@redhat.com\u003e\nLink: https://patch.msgid.link/20260526074525.1451008-3-ivecera@redhat.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "20040b2a3cb992f84d3db4c086b909eb9b906b31",
      "tree": "bbdd2f13f00d2ea4f637d1bcb70892e703ba6828",
      "parents": [
        "1af2af707f772f7f7ae7853ebe6d2695354fe85e"
      ],
      "author": {
        "name": "Ivan Vecera",
        "email": "ivecera@redhat.com",
        "time": "Tue May 26 09:45:23 2026 +0200"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 14:05:29 2026 +0200"
      },
      "message": "dpll: export __dpll_device_change_ntf() for use under dpll_lock\n\nExport __dpll_device_change_ntf() so that drivers can send device\nchange notifications from within device callbacks, which are already\ncalled under dpll_lock. Using dpll_device_change_ntf() in that\ncontext would deadlock.\n\nAdd lockdep_assert_held() to catch misuse without the lock held.\n\nSigned-off-by: Ivan Vecera \u003civecera@redhat.com\u003e\nReviewed-by: Jiri Pirko \u003cjiri@nvidia.com\u003e\nLink: https://patch.msgid.link/20260526074525.1451008-2-ivecera@redhat.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "1af2af707f772f7f7ae7853ebe6d2695354fe85e",
      "tree": "f4a1f3a0b6f1292240edfa6921793afa3621a964",
      "parents": [
        "98d0912e9f841e5529a5b89a972805f34cb1c69d",
        "ea5fe6a73ca57e5150b8a38b341aef2636eb72f0"
      ],
      "author": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 13:35:47 2026 +0200"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 13:47:27 2026 +0200"
      },
      "message": "Merge branch \u0027net-handshake-anchor-request-lifetime-to-a-pinned-file-reference\u0027\n\nChuck Lever says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnet/handshake: anchor request lifetime to a pinned file reference\n\nhandshake_nl_accept_doit() has accumulated four follow-on fixes\nsince 3b3009ea8abb (\"net/handshake: Create a NETLINK service for\nhandling handshake requests\"): 7ea9c1ec66bc, 7798b59409c3,\nfe67b063f687, and dabac51b8102.  Each was a local refcount or\nNULL-check correction; none moved where the file reference is\nowned, and the same code keeps producing the same class of bug.\nReworking the ownership is what breaks the pattern.\n\nFor the duration of a request, sock-\u003efile has no single owner.\nSubmit publishes the request without taking a file reference;\naccept_doit acquires one inside the handler, after the request\nhas already left the pending list.  The consumer can drop its\nown reference at any time, including the moment between\nhandshake_req_next() popping the request and accept_doit\nreaching get_file().  The submit-side sock_hold() pins only\nstruct sock; struct socket and sock-\u003efile remain under the\nconsumer\u0027s control via the file descriptor.\n\nThis series places the file reference under unambiguous\nownership.  handshake_req_submit() pins it on the request and\ncompletion or cancel drops it (patches 4-5); the submit-side\nsock_hold() then becomes redundant, and dropping it also closes\na publish-before-pin race the late sock_hold itself opened\n(patch 6).  The handshake_complete() API and its consumers move\nto a uniform negative-errno sign convention (patch 3), with the\nmatching sign correction in nvme-tcp (patch 2).  
Patch 1\nhardens hn_lock for BH context, the netns-exit drain fix\nbuilds on the new file-pin infrastructure (patch 8), and new\nKUnit file-count assertions verify the refcount contract\n(patch 7).\n\nThree things in this restructuring want a careful look.  In\nhandshake_complete(), the fput() of the request\u0027s file\nreference has to come after hp_done() -- fput() can transitively\nrun handshake_sk_destruct() and free the request, so the patch\nstashes hr_file in a local first.  handshake_sk_destruct()\nitself is kept on purpose: it owns rhashtable removal and\nkfree, and remains the backstop if a consumer path bypasses\nhandshake_complete() entirely.  Third, handshake_req_next() now\nreturns its request with an extra get_file() held under\nhn_lock; accept_doit must consume that reference (FD_PREPARE on\nsuccess, explicit fput on the fdf.err path), and any future\ncaller has to honor the same contract.\n\nv2: https://patch.msgid.link/20260521-handshake-file-pin-v2-0-b9dadc472840@oracle.com\nv1: https://patch.msgid.link/20260518-handshake-file-pin-v1-0-4bbcb7e62fda@oracle.com\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260525-handshake-file-pin-v3-0-66c616906ead@oracle.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "ea5fe6a73ca57e5150b8a38b341aef2636eb72f0",
      "tree": "f4a1f3a0b6f1292240edfa6921793afa3621a964",
      "parents": [
        "204a5efde5ed52932840ee1d15d3b581cfda48e2"
      ],
      "author": {
        "name": "Chuck Lever",
        "email": "chuck.lever@oracle.com",
        "time": "Mon May 25 12:51:22 2026 -0400"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 13:35:32 2026 +0200"
      },
      "message": "net/handshake: Drain pending requests at net namespace exit\n\nThe arguments to list_splice_init() in handshake_net_exit() are\nreversed. The call moves the local empty \"requests\" list onto\nhn-\u003ehn_requests, leaving the local list empty, so the subsequent\ndrain loop runs zero iterations. Pending handshake requests that\nhad not yet been accepted are not torn down when the net namespace\nis destroyed; each one keeps a reference on a socket file and on\nthe handshake_req allocation.\n\nPass the source and destination in the documented order\n(list_splice_init(list, head) moves list onto head) so the pending\nlist is transferred to the local scratch list and drained through\nhandshake_complete().\n\nFixing the splice direction exposes a list-corruption race. After\nthe splice each req-\u003ehr_list still has non-empty link pointers,\nthreading the stack-local scratch list rather than hn_requests.\nA concurrent handshake_req_cancel() -- for example, from sunrpc\u0027s\nTLS timeout on a kernel socket whose netns reference was not\ntaken -- finds the request through the rhashtable, calls\nremove_pending(), and sees !list_empty(\u0026req-\u003ehr_list).\n__remove_pending_locked() then list_del_init()s an entry off the\nscratch list while the drain iterates, corrupting it. The same\ncall arriving after the drain loop has run list_del() on an\nentry hits LIST_POISON instead.\n\nHave remove_pending() check HANDSHAKE_F_NET_DRAINING under\nhn_lock and report not-found when drain is in progress. The\ndrain has already taken ownership; handshake_complete()\u0027s existing\ntest_and_set on HANDSHAKE_F_REQ_COMPLETED still arbitrates\nbetween drain and cancel for who calls the consumer\u0027s hp_done. 
Use\nlist_del_init() rather than list_del() in the drain so req-\u003ehr_list\ndoes not carry LIST_POISON after drain releases the entry.\n\nThe DRAINING guard in remove_pending() makes cancel return false,\nbut cancel still falls through to test_and_set_bit on\nHANDSHAKE_F_REQ_COMPLETED and drops the request\u0027s hr_file reference.\nWithout another pin, if that is the last reference, sk_destruct frees\nthe request while it is still linked on the drain loop\u0027s local list.\nPin each request\u0027s hr_file under hn_lock before releasing the list,\nand drop that drain pin after the loop finishes with the request.\n\nFixes: 3b3009ea8abb (\"net/handshake: Create a NETLINK service for handling handshake requests\")\nSigned-off-by: Chuck Lever \u003cchuck.lever@oracle.com\u003e\nReviewed-by: Hannes Reinecke \u003chare@kernel.org\u003e\nLink: https://patch.msgid.link/20260525-handshake-file-pin-v3-8-66c616906ead@oracle.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "204a5efde5ed52932840ee1d15d3b581cfda48e2",
      "tree": "a29c53a814cae5340e110dc1a48de301dff20e48",
      "parents": [
        "5da98f55b13173c08f003011b76531b25c821c07"
      ],
      "author": {
        "name": "Chuck Lever",
        "email": "chuck.lever@oracle.com",
        "time": "Mon May 25 12:51:21 2026 -0400"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 13:35:31 2026 +0200"
      },
      "message": "net/handshake: Verify file-reference balance in submit paths\n\nThe new file-reference contract on struct handshake_req is silently\nbreakable: a missing get_file() at submit or a missing fput() on an\nerror path leaves the file leaked but does not crash the test, so\nthe existing absence-of-crash checks pass either way.\n\nSnapshot file_count(filp) before each handshake_req_submit() in\nthe submit-success, EAGAIN, EBUSY, and cancel tests, and assert\nthe expected balance after submit and again after cancel. The\nalready-completed cancel test also asserts the post-complete\nbalance, which pins down that handshake_complete() drops the\nreference and that the subsequent cancel does not double-fput.\nThe destroy test gets the same treatment before __fput_sync(),\nwhich double-checks that cancel\u0027s fput() ran and the only\nremaining reference is the one sock_alloc_file() established.\n\nSigned-off-by: Chuck Lever \u003cchuck.lever@oracle.com\u003e\nReviewed-by: Hannes Reinecke \u003chare@kernel.org\u003e\nLink: https://patch.msgid.link/20260525-handshake-file-pin-v3-7-66c616906ead@oracle.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "5da98f55b13173c08f003011b76531b25c821c07",
      "tree": "2a4967fb561bafae936e540797e967309b8d7f8d",
      "parents": [
        "f4251190e58b209999c1ba9e6d2976136a1be055"
      ],
      "author": {
        "name": "Chuck Lever",
        "email": "chuck.lever@oracle.com",
        "time": "Mon May 25 12:51:20 2026 -0400"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 13:35:31 2026 +0200"
      },
      "message": "net/handshake: Close the submit-side sock_hold race\n\nhandshake_req_submit() publishes the request via\nhandshake_req_hash_add() and __add_pending_locked(), drops\nhn_lock, and calls handshake_genl_notify() (which can sleep)\nbefore taking sock_hold() on req-\u003ehr_sk. A fast tlshd ACCEPT\nfollowed by DONE can drive handshake_complete()\u0027s sock_put()\ninto the window between the spin_unlock and the late\nsock_hold(); on a system where the consumer\u0027s fd held the\nonly sk reference, the late sock_hold() then operates on an\nsk whose refcount has reached zero.\n\nThe preceding two patches install an explicit file reference\non struct handshake_req. That file pins sock-\u003efile, which\npins the embedded struct socket, which defers inet_release()\u0027s\nsock_put(). As long as hr_file is held, sk cannot reach refcount\nzero from the consumer side, and the submit-side sock_hold()\nwith its matching sock_put() calls in handshake_complete() and\nhandshake_req_cancel() is now redundant.\n\nDrop all three. The file reference already keeps each request\u0027s\nsocket alive, and the lifetime story is contained in a single\nget_file()/fput() pair.\n\nFixes: 3b3009ea8abb (\"net/handshake: Create a NETLINK service for handling handshake requests\")\nSigned-off-by: Chuck Lever \u003cchuck.lever@oracle.com\u003e\nReviewed-by: Hannes Reinecke \u003chare@kernel.org\u003e\nLink: https://patch.msgid.link/20260525-handshake-file-pin-v3-6-66c616906ead@oracle.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "f4251190e58b209999c1ba9e6d2976136a1be055",
      "tree": "b07511e8a9abde5560a2bc7dd5df4881b755020b",
      "parents": [
        "09dba37eee70d0596e26645015f1aa95a9848e9d"
      ],
      "author": {
        "name": "Chuck Lever",
        "email": "chuck.lever@oracle.com",
        "time": "Mon May 25 12:51:19 2026 -0400"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 13:35:31 2026 +0200"
      },
      "message": "net/handshake: hand off the pinned file reference to accept_doit\n\nhandshake_req_next() removes the request from the per-net\npending list and drops hn_lock before handshake_nl_accept_doit()\nreads req-\u003ehr_sk-\u003esk_socket and dereferences sock-\u003efile (once in\nFD_PREPARE() and again in get_file()).  In that window a\nconsumer running tls_handshake_cancel() followed by sockfd_put()\n(svc_sock_free) or __fput_sync() (xs_reset_transport) releases\nsock-\u003efile.  sock_release() then runs sock_orphan(), zeroing\nsk_socket, and frees the struct socket.  The accept-side code\neither reads NULL through sk_socket or chases freed memory.\n\nThe submit-side sock_hold() does not prevent this.  sk_refcnt\nprotects struct sock, but struct socket and sock-\u003efile are\nindependently refcounted via the file descriptor the consumer\nowns.  Pinning sk leaves sock and sock-\u003efile unprotected.\n\nRetarget the accept-side dereferences at req-\u003ehr_file, which was\npinned at submit time, instead of req-\u003ehr_sk-\u003esk_socket-\u003efile.\nPinning on its own is not sufficient: a consumer that cancels\nbetween handshake_req_next() returning and accept_doit reaching\nFD_PREPARE() takes the !remove_pending() branch in\nhandshake_req_cancel() and drops hr_file before the accept side\ntakes its own reference.  Hand off an additional file reference\ninside handshake_req_next(), under hn_lock, so the accept side\noperates on a reference that no concurrent handshake_req_cancel()\ncan revoke.  
FD_PREPARE() consumes that handed-off reference,\neither by transferring it to the new fd in fd_publish() or by\ndropping it in the cleanup destructor on error; the explicit\nget_file() that previously balanced FD_PREPARE() is therefore\nredundant and goes away.\n\nUpdate handshake_req_cancel_test2 and _test3 to simulate the\nFD_PREPARE() consumption with an fput() so the kunit file-count\nassertions stay balanced.\n\nReported-by: Chris Mason \u003cclm@meta.com\u003e\nFixes: 3b3009ea8abb (\"net/handshake: Create a NETLINK service for handling handshake requests\")\nSigned-off-by: Chuck Lever \u003cchuck.lever@oracle.com\u003e\nReviewed-by: Hannes Reinecke \u003chare@kernel.org\u003e\nLink: https://patch.msgid.link/20260525-handshake-file-pin-v3-5-66c616906ead@oracle.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "09dba37eee70d0596e26645015f1aa95a9848e9d",
      "tree": "b54ea39d12dcbbbf2e25231af0df732842373ffc",
      "parents": [
        "6b22d433aa13f68e3cd9534ca9a5f4277bfa01c2"
      ],
      "author": {
        "name": "Chuck Lever",
        "email": "chuck.lever@oracle.com",
        "time": "Mon May 25 12:51:18 2026 -0400"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 13:35:31 2026 +0200"
      },
      "message": "net/handshake: Take a long-lived file reference at submit\n\nhandshake_nl_accept_doit() needs the file pointer backing\nreq-\u003ehr_sk-\u003esk_socket to survive the window between\nhandshake_req_next() and the subsequent FD_PREPARE() and get_file().\nThe submit-side sock_hold() does not provide that.  sk_refcnt keeps\nstruct sock alive, but struct socket is owned by sock-\u003efile: when\nthe consumer fputs the last file reference, sock_release() tears\nthe socket down regardless of any sock_hold.\n\nAdd an hr_file pointer to struct handshake_req and acquire an\nexplicit reference on sock-\u003efile during handshake_req_submit().\nhandshake_complete() and handshake_req_cancel() release the\nreference on the completion-bit-winning path.\n\nThe submit error path must also release the file reference, but\nafter rhashtable insertion a concurrent handshake_req_cancel() can\ndiscover the request and race the error path.  Gate the error-path\ncleanup -- sk_destruct restoration, fput, and request destruction\n-- with test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED), the same\nserialization handshake_complete() and handshake_req_cancel()\nalready use.  When cancel has already claimed ownership, the submit\nerror path returns without touching the request; socket teardown\nhandles final destruction.\n\nThe accept-side dereferences are not yet retargeted; that change\ncomes in the next patch.\n\nSigned-off-by: Chuck Lever \u003cchuck.lever@oracle.com\u003e\nLink: https://patch.msgid.link/20260525-handshake-file-pin-v3-4-66c616906ead@oracle.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "6b22d433aa13f68e3cd9534ca9a5f4277bfa01c2",
      "tree": "e8e926a1c27f5312ef13eb3c86a60b44817c95ab",
      "parents": [
        "9015985b5eb1a90eb86caf5bce1dfcf1aa38f8ad"
      ],
      "author": {
        "name": "Chuck Lever",
        "email": "chuck.lever@oracle.com",
        "time": "Mon May 25 12:51:17 2026 -0400"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 13:35:31 2026 +0200"
      },
      "message": "net/handshake: Pass negative errno through handshake_complete()\n\nhandshake_complete() declares status as unsigned int and\ntls_handshake_done() negates that value (-status) before handing\nit to the TLS consumer. Consumers match on negative errno\nconstants -- xs_tls_handshake_done() has\n\n\tswitch (status) {\n\tcase 0:\n\tcase -EACCES:\n\tcase -ETIMEDOUT:\n\t\tlower_transport-\u003exprt_err \u003d status;\n\t\tbreak;\n\tdefault:\n\t\tlower_transport-\u003exprt_err \u003d -EACCES;\n\t}\n\nso the API as designed expects callers to pass positive errno\nvalues that the tlshd shim then negates.\n\nThree internal callers in handshake_nl_accept_doit(), the\nnet-exit drain, and a kunit test follow kernel convention and\npass negative errnos -- -EIO, -ETIMEDOUT, -ETIMEDOUT. The\nimplicit conversion to unsigned int turns -ETIMEDOUT into\n0xFFFFFF92; the subsequent -status in tls_handshake_done()\nwraps back to 110, the consumer\u0027s switch falls through, and\nthe xprt reports -EACCES on what should be -ETIMEDOUT or -EIO.\n\nFix the API rather than the call sites. The natural kernel\nconvention is negative errno in, negative errno out. Change\nhandshake_complete() and hp_done to take int status, drop the\nnegation in tls_handshake_done(), and negate once in\nhandshake_nl_done_doit() where status arrives from the wire\nas an unsigned netlink attribute. The three internal callers\nwere already correct under that convention and need no change.\n\nAt the same wire boundary, declare MAX_ERRNO as the netlink\npolicy upper bound for HANDSHAKE_A_DONE_STATUS. 
Attribute\nvalidation rejects out-of-range values before\nhandshake_nl_done_doit() runs, and negating a bounded u32 there\nstays within int range -- closing the UBSAN-visible signed-\ninteger overflow that an unconstrained u32 would invoke.\n\nFixes: 3b3009ea8abb (\"net/handshake: Create a NETLINK service for handling handshake requests\")\nSigned-off-by: Chuck Lever \u003cchuck.lever@oracle.com\u003e\nReviewed-by: Hannes Reinecke \u003chare@kernel.org\u003e\nLink: https://patch.msgid.link/20260525-handshake-file-pin-v3-3-66c616906ead@oracle.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "9015985b5eb1a90eb86caf5bce1dfcf1aa38f8ad",
      "tree": "b6fdbe27a929c7497f61f3b9bd0ae85c2b709d0a",
      "parents": [
        "cc993e0927ec8bd98ea33377ada03295fcda0f24"
      ],
      "author": {
        "name": "Chuck Lever",
        "email": "chuck.lever@oracle.com",
        "time": "Mon May 25 12:51:16 2026 -0400"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 13:35:31 2026 +0200"
      },
      "message": "nvme-tcp: store negative errno in queue-\u003etls_err\n\nnvme_tcp_tls_done() assigns queue-\u003etls_err in three branches.  The\nENOKEY lookup failure and the EOPNOTSUPP initializer both store\nnegative errnos.  The third branch, reached when the handshake\nlayer reports a non-zero status, stores -status.\n\nThe handshake layer delivers status to the consumer callback as a\nnegative errno; the other in-tree consumers --\nxs_tls_handshake_done() and the nvmet target callback -- treat\ntheir status argument that way.  The extra negation in\nnvme_tcp_tls_done() flips the sign, leaving tls_err as a positive\nvalue (for instance, +EIO), which nvme_tcp_start_tls() then\nreturns to its caller.\n\nDrop the extra negation so queue-\u003etls_err uniformly carries a\nnegative errno on failure.\n\nFixes: be8e82caa685 (\"nvme-tcp: enable TLS handshake upcall\")\nSigned-off-by: Chuck Lever \u003cchuck.lever@oracle.com\u003e\nReviewed-by: Hannes Reinecke \u003chare@kernel.org\u003e\nReviewed-by: Alistair Francis \u003calistair.francis@wdc.com\u003e\nLink: https://patch.msgid.link/20260525-handshake-file-pin-v3-2-66c616906ead@oracle.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "cc993e0927ec8bd98ea33377ada03295fcda0f24",
      "tree": "ef9508726d04cb2d21d40db919b6ca633e191bbd",
      "parents": [
        "98d0912e9f841e5529a5b89a972805f34cb1c69d"
      ],
      "author": {
        "name": "Chuck Lever",
        "email": "chuck.lever@oracle.com",
        "time": "Mon May 25 12:51:15 2026 -0400"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 13:35:31 2026 +0200"
      },
      "message": "net/handshake: Use spin_lock_bh for hn_lock\n\nnvmet_tcp_state_change(), a socket callback that runs in BH context,\ncan reach handshake_req_cancel() via nvmet_tcp_schedule_release_queue()\nand tls_handshake_cancel().  handshake_req_cancel() acquires\nhn-\u003ehn_lock with plain spin_lock().  If a process-context thread on\nthe same CPU holds hn-\u003ehn_lock when a softirq invokes the cancel path,\nthe lock attempt deadlocks.  This is the only caller that invokes\ntls_handshake_cancel() from BH context; every other consumer calls it\nfrom process context.\n\nDeferring the cancel to process context in the NVMe target is not\nstraightforward: nvmet_tcp_schedule_release_queue() must call\ntls_handshake_cancel() atomically with its state transition to\nDISCONNECTING.  If the cancel were deferred, the handshake completion\ncallback could fire in the window before the cancel runs, observe the\nunexpected state, and return without dropping its kref on the queue.\nReworking that interlock is considerably more invasive than hardening\nthe handshake lock.  Convert all hn-\u003ehn_lock acquisitions from\nspin_lock/spin_unlock to spin_lock_bh/spin_unlock_bh so the lock is\nnever taken with softirqs enabled.\n\nFixes: 675b453e0241 (\"nvmet-tcp: enable TLS handshake upcall\")\nSigned-off-by: Chuck Lever \u003cchuck.lever@oracle.com\u003e\nReviewed-by: Hannes Reinecke \u003chare@kernel.org\u003e\nLink: https://patch.msgid.link/20260525-handshake-file-pin-v3-1-66c616906ead@oracle.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "98d0912e9f841e5529a5b89a972805f34cb1c69d",
      "tree": "ecb548d7163cb7c420a6132cf469df843c89f2eb",
      "parents": [
        "85576d7a489a9fcbc2c6fd4364564921f69259ab"
      ],
      "author": {
        "name": "Minh Nguyen",
        "email": "minhnguyen.080505@gmail.com",
        "time": "Tue May 26 11:12:39 2026 +0700"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 13:26:56 2026 +0200"
      },
      "message": "net: skbuff: fix missing zerocopy reference in pskb_carve helpers\n\npskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy\nthe old skb_shared_info header into a new buffer via memcpy(), which\nincludes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs.\nNeither function calls net_zcopy_get() for the new shinfo, creating an\nunaccounted holder: every skb_shared_info with destructor_arg set will\ncall skb_zcopy_clear() once when freed, but the corresponding\nnet_zcopy_get() was never called for the new copy. Repeated calls\ndrive uarg-\u003erefcnt to zero prematurely, freeing ubuf_info_msgzc while\nTX skbs still hold live destructor_arg pointers.\n\nKASAN reports use-after-free on a freed ubuf_info_msgzc:\n\n  BUG: KASAN: slab-use-after-free in skb_release_data+0x77b/0x810\n  Read of size 8 at addr ffff88801574d3e8 by task poc/220\n\n  Call Trace:\n   skb_release_data+0x77b/0x810\n   kfree_skb_list_reason+0x13e/0x610\n   skb_release_data+0x4cd/0x810\n   sk_skb_reason_drop+0xf3/0x340\n   skb_queue_purge_reason+0x282/0x440\n   rds_tcp_inc_free+0x1e/0x30\n   rds_recvmsg+0x354/0x1780\n   __sys_recvmsg+0xdf/0x180\n\n  Allocated by task 219:\n   msg_zerocopy_realloc+0x157/0x7b0\n   tcp_sendmsg_locked+0x2892/0x3ba0\n\n  Freed by task 219:\n   ip_recv_error+0x74a/0xb10\n   tcp_recvmsg+0x475/0x530\n\nThe skb consuming the late access still referenced the same uarg via\nshinfo-\u003edestructor_arg copied by pskb_carve_inside_nonlinear() without\na refcount bump. This has been verified to be reliably exploitable: a\nworking proof-of-concept achieves full root privilege escalation from\nan unprivileged local user on a default kernel configuration.\n\nThe fix follows the pattern of pskb_expand_head() which has the same\nmemcpy/cloned structure. For pskb_carve_inside_header(), net_zcopy_get()\nis placed after skb_orphan_frags() succeeds, so the orphan error path\nneeds no cleanup. 
For pskb_carve_inside_nonlinear(), net_zcopy_get() is\nplaced after all failure points and just before skb_release_data(), so\nno error path needs cleanup at all -- matching pskb_expand_head() more\nclosely and avoiding the need for a balancing net_zcopy_put().\n\nFixes: 6fa01ccd8830 (\"skbuff: Add pskb_extract() helper function\")\nCc: stable@vger.kernel.org\nAssisted-by: Claude:claude-sonnet-4-6\nSigned-off-by: Minh Nguyen \u003cminhnguyen.080505@gmail.com\u003e\nReviewed-by: Willem de Bruijn \u003cwillemb@google.com\u003e\nLink: https://patch.msgid.link/20260526041240.329462-1-minhnguyen.080505@gmail.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "85576d7a489a9fcbc2c6fd4364564921f69259ab",
      "tree": "00bf4fd33507a8ec871b68663500c0218495f8e1",
      "parents": [
        "031f1592e592e333a25d5e2ba9edd4e8c6821fdc",
        "b545b6ea1802b32436fa97f1d2918718212cc831"
      ],
      "author": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 13:02:59 2026 +0200"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 13:02:59 2026 +0200"
      },
      "message": "Merge branch \u0027hibmcge-fix-rx-packet-corruption-issue\u0027\n\nJijie Shao says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nhibmcge: fix RX packet corruption issue\n\nThis series fixes an RX packet corruption issue observed when SMMU is\ndisabled on the hibmcge driver. The fixes include disabling PCI Relaxed\nOrdering and correcting the order of DMA barrier operations in the RX\ndata sync path.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260525144525.94884-1-shaojijie@huawei.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "b545b6ea1802b32436fa97f1d2918718212cc831",
      "tree": "00bf4fd33507a8ec871b68663500c0218495f8e1",
      "parents": [
        "463a1271aa26eac992851b9d98cc75bc3cd4a1ed"
      ],
      "author": {
        "name": "Jijie Shao",
        "email": "shaojijie@huawei.com",
        "time": "Mon May 25 22:45:25 2026 +0800"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 12:59:36 2026 +0200"
      },
      "message": "net: hibmcge: move dma_rmb() after dma_sync_single_for_cpu() in RX path\n\nThe dma_rmb() barrier was placed before dma_sync_single_for_cpu(), which\nis incorrect. DMA sync must complete first to make the buffer accessible\nto the CPU, then the rmb barrier ensures subsequent descriptor reads\nobserve the latest data written by the hardware.\n\nReorder the operations so dma_sync_single_for_cpu() is called before\ndma_rmb() to guarantee the driver reads consistent data from the DMA\nbuffer.\n\nFixes: f72e25594061 (\"net: hibmcge: Implement rx_poll function to receive packets\")\nSigned-off-by: Jijie Shao \u003cshaojijie@huawei.com\u003e\nLink: https://patch.msgid.link/20260525144525.94884-3-shaojijie@huawei.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "463a1271aa26eac992851b9d98cc75bc3cd4a1ed",
      "tree": "e3a580a78448c165b26f417890a94e7125fb79e2",
      "parents": [
        "031f1592e592e333a25d5e2ba9edd4e8c6821fdc"
      ],
      "author": {
        "name": "Jijie Shao",
        "email": "shaojijie@huawei.com",
        "time": "Mon May 25 22:45:24 2026 +0800"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 12:59:36 2026 +0200"
      },
      "message": "net: hibmcge: disable Relaxed Ordering to fix RX packet corruption\n\nWhen SMMU is disabled, the hibmcge driver may receive corrupted packets.\nThe hardware writes packet data and descriptors to the same page, but\nwith Relaxed Ordering enabled, PCI write transactions may not be\nstrictly ordered. This can cause the driver to observe a valid\ndescriptor before the corresponding packet data is fully written.\n\nFix this by clearing PCI_EXP_DEVCTL_RELAX_EN in the PCI bridge control\nregister to ensure strict write ordering between packet data and\ndescriptors.\n\nFixes: f72e25594061 (\"net: hibmcge: Implement rx_poll function to receive packets\")\nSigned-off-by: Jijie Shao \u003cshaojijie@huawei.com\u003e\nLink: https://patch.msgid.link/20260525144525.94884-2-shaojijie@huawei.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "031f1592e592e333a25d5e2ba9edd4e8c6821fdc",
      "tree": "bb9ecd4c7a85ef4335b0d2c72e2e1fe8a8eec23c",
      "parents": [
        "9d5e7a46a9f6d8f503b41bfefef70659845f1679",
        "0f6e00aa5f652f5653e0039b9c9a8835f4b4174b"
      ],
      "author": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 12:26:38 2026 +0200"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 12:26:39 2026 +0200"
      },
      "message": "Merge branch \u0027net-sched-fix-packet-loops-in-mirred-and-netem\u0027\n\nJamal Hadi Salim says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnet/sched: Fix packet loops in mirred and netem\n\nThis patchset adds a 2-bit per-skb tc_depth counter that travels with\nthe packet. The existing per-CPU mirred nest tracking loses state\nwhen a packet is deferred through the backlog or moves between CPUs\nvia XPS/RPS. A per-skb field covers both cases.\n\nPatch 1 adds the tc_depth field in a padding hole in sk_buff.\nPatches 2-3 revert the check_netem_in_tree() fix and its tests,\nwhich broke legitimate multi-netem configurations.\nPatch 4 uses tc_depth to stop netem duplicate recursion.\nPatch 5 uses tc_depth to catch mirred ingress redirect loops.\nPatch 6 fixes the infinite loop in the mirred egress blockcast case.\nPatch 7 fixes drop stats in early return error scenarios in tcf_mirred_act\nfor redirect (caught by Sashiko [1]).\nPatches 8-9 add mirred and netem test cases.\n\n[1] https://sashiko.dev/#/patchset/20260413082027.2244884-1-hxzene%40gmail.com\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260525122556.973584-1-jhs@mojatatu.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "0f6e00aa5f652f5653e0039b9c9a8835f4b4174b",
      "tree": "bb9ecd4c7a85ef4335b0d2c72e2e1fe8a8eec23c",
      "parents": [
        "d38dc56a0225664e494221b5b251931b35d125ef"
      ],
      "author": {
        "name": "Victor Nogueira",
        "email": "victor@mojatatu.com",
        "time": "Mon May 25 08:25:56 2026 -0400"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 12:26:37 2026 +0200"
      },
      "message": "selftests/tc-testing: Add netem test case exercising loops\n\nAdd a netem nested duplicate test case to validate that it won\u0027t\ncause an infinite loop.\n\nAcked-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nAcked-by: Stephen Hemminger \u003cstephen@networkplumber.org\u003e\nSigned-off-by: Victor Nogueira \u003cvictor@mojatatu.com\u003e\nLink: https://patch.msgid.link/20260525122556.973584-10-jhs@mojatatu.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "d38dc56a0225664e494221b5b251931b35d125ef",
      "tree": "b2a45f9418b702b73f93a047c5381e466ff0ab63",
      "parents": [
        "e80ad525fc7e8c933ad78478c5dda286cfd55c60"
      ],
      "author": {
        "name": "Victor Nogueira",
        "email": "victor@mojatatu.com",
        "time": "Mon May 25 08:25:55 2026 -0400"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 12:26:36 2026 +0200"
      },
      "message": "selftests/tc-testing: Add mirred test cases exercising loops\n\nAdd mirred loop test cases to validate that those will be caught and other\ntest cases that were previously misinterpreted as loops by mirred.\n\nThis commit adds 12 test cases:\n\n- Redirect multiport: dummy egress -\u003e dev1 ingress -\u003e dummy egress (Loop)\n- Redirect singleport: dev1 ingress -\u003e dev1 egress -\u003e dev1 ingress (Loop)\n- Redirect multiport: dev1 ingress -\u003e dummy ingress -\u003e dev1 egress (No Loop)\n- Redirect multiport: dev1 ingress -\u003e dummy ingress -\u003e dev1 ingress (Loop)\n- Redirect multiport: dev1 ingress -\u003e dummy egress -\u003e dev1 ingress (Loop)\n- Redirect multiport: dummy egress -\u003e dev1 ingress -\u003e dummy egress, different prios (Loop)\n- Redirect multiport: dev1 ingress -\u003e dummy ingress -\u003e dummy egress -\u003e dev1 egress (No Loop)\n- Redirect multiport: dev1 ingress -\u003e dummy egress -\u003e dev1 egress (No Loop)\n- Redirect multiport: dev1 ingress -\u003e dummy egress -\u003e dummy ingress (No Loop)\n- Redirect singleport: dev1 ingress -\u003e dev1 ingress (Loop)\n- Redirect singleport: dummy egress -\u003e dummy ingress (No Loop)\n- Redirect multiport: dev1 ingress -\u003e dummy ingress -\u003e dummy egress (No Loop)\n\nAcked-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nAcked-by: Stephen Hemminger \u003cstephen@networkplumber.org\u003e\nSigned-off-by: Victor Nogueira \u003cvictor@mojatatu.com\u003e\nLink: https://patch.msgid.link/20260525122556.973584-9-jhs@mojatatu.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "e80ad525fc7e8c933ad78478c5dda286cfd55c60",
      "tree": "1859b77b938fb2f4b84405eda68d39e6c6e51ba3",
      "parents": [
        "a005fa5d7502eefec7ee6e1c01adadc06de2f9ad"
      ],
      "author": {
        "name": "Victor Nogueira",
        "email": "victor@mojatatu.com",
        "time": "Mon May 25 08:25:54 2026 -0400"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 12:26:36 2026 +0200"
      },
      "message": "net/sched: act_mirred: Fix return code in early mirred redirect error paths\n\nSince retval is set as TC_ACT_STOLEN in the mirred redirect case, returning\nretval in cases where redirect failed will make the callers not register\nthe skb as being dropped.\n\nFix this by returning TC_ACT_SHOT instead in such scenarios.\n\nFixes: 16085e48cb48 (\"net/sched: act_mirred: Create function tcf_mirred_to_dev and improve readability\")\nReported-by: Sashiko \u003csashiko-bot@kernel.org\u003e\nCloses: https://sashiko.dev/#/patchset/20260413082027.2244884-1-hxzene%40gmail.com\nSigned-off-by: Victor Nogueira \u003cvictor@mojatatu.com\u003e\nLink: https://patch.msgid.link/20260525122556.973584-8-jhs@mojatatu.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "a005fa5d7502eefec7ee6e1c01adadc06de2f9ad",
      "tree": "674521b5f5a031a989be43b46790d1500ddf727d",
      "parents": [
        "db875221ab08d213a83bf30196ae8b64d55a3403"
      ],
      "author": {
        "name": "Kito Xu (veritas501)",
        "email": "hxzene@gmail.com",
        "time": "Mon May 25 08:25:53 2026 -0400"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 12:26:36 2026 +0200"
      },
      "message": "net/sched: act_mirred: Fix blockcast recursion bypass leading to stack overflow\n\ntcf_mirred_act() checks sched_mirred_nest against MIRRED_NEST_LIMIT (4)\nto prevent deep recursion.  However, when the action uses blockcast\n(tcfm_blockid !\u003d 0), the function returns at the tcf_blockcast() call\nBEFORE reaching the counter increment.  As a result, the recursion\ncounter never advances and the limit check is entirely bypassed.\n\nWhen two devices share a TC egress block with a mirred blockcast rule,\na packet egressing on device A is mirrored to device B via blockcast;\ndevice B\u0027s egress TC re-enters tcf_mirred_act() via blockcast and\nmirrors back to A, creating an unbounded recursion loop:\n\n  tcf_mirred_act -\u003e tcf_blockcast -\u003e tcf_mirred_to_dev -\u003e dev_queue_xmit\n  -\u003e sch_handle_egress -\u003e tcf_classify -\u003e tcf_mirred_act -\u003e (repeat)\n\nThis recursion continues until the kernel stack overflows.\n\nThe bug is reachable from an unprivileged user via\nunshare(CLONE_NEWUSER | CLONE_NEWNET): user namespaces grant\nCAP_NET_ADMIN in the new network namespace, which is sufficient to\ncreate dummy devices, attach clsact qdiscs with shared blocks, and\ninstall mirred blockcast filters.\n\n BUG: TASK stack guard page was hit at ffffc90000b7fff8\n Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI\n CPU: 2 UID: 1000 PID: 169 Comm: poc Not tainted 7.0.0-rc7-next-20260410\n RIP: 0010:xas_find+0x17/0x480\n Call Trace:\n  xa_find+0x17b/0x1d0\n  tcf_mirred_act+0x640/0x1060\n  tcf_action_exec+0x400/0x530\n  basic_classify+0x128/0x1d0\n  tcf_classify+0xd83/0x1150\n  tc_run+0x328/0x620\n  __dev_queue_xmit+0x797/0x3100\n  tcf_mirred_to_dev+0x7b1/0xf70\n  tcf_mirred_act+0x68a/0x1060\n  [repeating ~30+ times until stack overflow]\n Kernel panic - not syncing: Fatal exception in interrupt\n\nFix this by incrementing sched_mirred_nest before calling\ntcf_blockcast() and decrementing it on return, mirroring the\nnon-blockcast path.  This ensures subsequent recursive entries see the\nupdated counter and are correctly limited by MIRRED_NEST_LIMIT.\n\nFixes: fe946a751d9b (\"net/sched: act_mirred: add loop detection\")\nSigned-off-by: Kito Xu (veritas501) \u003chxzene@gmail.com\u003e\nLink: https://patch.msgid.link/20260525122556.973584-7-jhs@mojatatu.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "db875221ab08d213a83bf30196ae8b64d55a3403",
      "tree": "1f3ae7de53efd7f9d9ab7457d5c4921973451a4f",
      "parents": [
        "9552b11e3edabc97cfcd9f29103d5afbce7ae183"
      ],
      "author": {
        "name": "Jamal Hadi Salim",
        "email": "jhs@mojatatu.com",
        "time": "Mon May 25 08:25:52 2026 -0400"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 12:26:36 2026 +0200"
      },
      "message": "net/sched: Fix ethx:ingress -\u003e ethy:egress -\u003e ethx:ingress mirred loop\n\nWhen mirred redirects to ingress (from either ingress or egress) the loop\nstate from sched_mirred_dev array dev is lost because of 1) the packet\ndeferral into the backlog and 2) the fact the sched_mirred_dev array is\ncleared. In such cases, if there was a loop we won\u0027t discover it.\n\nHere\u0027s a simple test to reproduce:\nip a add dev port0 10.10.10.11/24\n\ntc qdisc add dev port0 clsact\ntc filter add dev port0 egress protocol ip \\\n   prio 10 matchall action mirred ingress redirect dev port1\n\ntc qdisc add dev port1 clsact\ntc filter add dev port1 ingress protocol ip \\\n   prio 10 matchall action mirred egress redirect dev port0\n\nping -c 1 -W0.01 10.10.10.10\n\nFixes: fe946a751d9b (\"net/sched: act_mirred: add loop detection\")\nTested-by: Victor Nogueira \u003cvictor@mojatatu.com\u003e\nReviewed-by: Stephen Hemminger \u003cstephen@networkplumber.org\u003e\nSigned-off-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nLink: https://patch.msgid.link/20260525122556.973584-6-jhs@mojatatu.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "9552b11e3edabc97cfcd9f29103d5afbce7ae183",
      "tree": "37acf6f3c7c023cb7c073bd0b40677227e527e30",
      "parents": [
        "b213a4c6074fc4ee4f1cdef9a73b34732606b637"
      ],
      "author": {
        "name": "Jamal Hadi Salim",
        "email": "jhs@mojatatu.com",
        "time": "Mon May 25 08:25:51 2026 -0400"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 12:26:36 2026 +0200"
      },
      "message": "net/sched: fix packet loop on netem when duplicate is on\n\nWhen netem duplicates a packet it re-enqueues the copy at the root qdisc.\nIf another netem sits in the tree the copy can be duplicated\nagain, recursing until the stack or memory is exhausted.\n\nThe original duplication guard temporarily zeroed q-\u003eduplicate around\nthe re-enqueue, but that does not cover all cases because it is\nper-qdisc state shared across all concurrent enqueue paths\nand is not safe without additional locking.\n\nUse the skb tc_depth field introduced in an earlier patch:\n - increment it on the duplicate before re-enqueue\n - skip duplication for any skb whose tc_depth is already non-zero.\n\nThis marks the packet itself rather than mutating qdisc state,\ntherefore it is safe regardless of tree topology or concurrency.\n\nFixes: 0afb51e72855 (\"[PKT_SCHED]: netem: reinsert for duplication\")\nReported-by: William Liu \u003cwill@willsroot.io\u003e\nReported-by: Savino Dicanosa \u003csavy@syst3mfailure.io\u003e\nCloses: https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk\u003d@willsroot.io/\nCo-developed-by: Victor Nogueira \u003cvictor@mojatatu.com\u003e\nSigned-off-by: Victor Nogueira \u003cvictor@mojatatu.com\u003e\nReviewed-by: William Liu \u003cwill@willsroot.io\u003e\nReviewed-by: Stephen Hemminger \u003cstephen@networkplumber.org\u003e\nSigned-off-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nLink: https://patch.msgid.link/20260525122556.973584-5-jhs@mojatatu.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "b213a4c6074fc4ee4f1cdef9a73b34732606b637",
      "tree": "e33dca41d8c6667a572509af3ffbed0c3ee365e2",
      "parents": [
        "eda0b7f203bb166c98d1418b204135bd566ac83b"
      ],
      "author": {
        "name": "Jamal Hadi Salim",
        "email": "jhs@mojatatu.com",
        "time": "Mon May 25 08:25:50 2026 -0400"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 12:26:36 2026 +0200"
      },
      "message": "Revert \"selftests/tc-testing: Add tests for restrictions on netem duplication\"\n\nThis reverts commit ecdec65ec78d67d3ebd17edc88b88312054abe0d.\n\nThe tests added were related to check_netem_in_tree() which was\njust reverted in the previous patch.\n\nReviewed-by: Stephen Hemminger \u003cstephen@networkplumber.org\u003e\nSigned-off-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nLink: https://patch.msgid.link/20260525122556.973584-4-jhs@mojatatu.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "eda0b7f203bb166c98d1418b204135bd566ac83b",
      "tree": "7807fb19971e269aca2ebfa04ad08c5a591488d2",
      "parents": [
        "98b34f3e8c3492cfc89ff943c9d92b4d52863d1d"
      ],
      "author": {
        "name": "Jamal Hadi Salim",
        "email": "jhs@mojatatu.com",
        "time": "Mon May 25 08:25:49 2026 -0400"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 12:26:36 2026 +0200"
      },
      "message": "net/sched: Revert \"net/sched: Restrict conditions for adding duplicating netems to qdisc tree\"\n\nThis reverts commit ec8e0e3d7adef940cdf9475e2352c0680189d14e.\n\nThe original patch rejects any tree containing two netems when\neither has duplication set, even when they sit on unrelated classes\nof the same classful parent. That broke configurations that have\nworked since netem was introduced.\n\nThe re-entrancy problem the original commit was trying to solve is\nhandled by later patch using tc_depth flag.\n\nDoing this revert will (re)expose the original bug with multiple\nnetem duplication. When this patch is backported make sure\nand get the full series.\n\nFixes: ec8e0e3d7ade (\"net/sched: Restrict conditions for adding duplicating netems to qdisc tree\")\nReported-by: Ji-Soo Chung \u003cjschung2@proton.me\u003e\nReported-by: Gerlinde \u003clrGerlinde@mailfence.com\u003e\nCloses: https://bugzilla.kernel.org/show_bug.cgi?id\u003d220774\nReported-by: zyc zyc \u003czyc199902@zohomail.cn\u003e\nCloses: https://lore.kernel.org/all/19adda5a1e2.12410b78222774.9191120410578703463@zohomail.cn/\nReported-by: Manas Ghandat \u003cghandatmanas@gmail.com\u003e\nCloses: https://lore.kernel.org/netdev/f69b2c8f-8325-4c2e-a011-6dbc089f30e4@gmail.com/\nReviewed-by: Stephen Hemminger \u003cstephen@networkplumber.org\u003e\nSigned-off-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nLink: https://patch.msgid.link/20260525122556.973584-3-jhs@mojatatu.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "98b34f3e8c3492cfc89ff943c9d92b4d52863d1d",
      "tree": "3f26246f535acf5c965c2356e109a4e7bd0d4b0c",
      "parents": [
        "9d5e7a46a9f6d8f503b41bfefef70659845f1679"
      ],
      "author": {
        "name": "Jamal Hadi Salim",
        "email": "jhs@mojatatu.com",
        "time": "Mon May 25 08:25:48 2026 -0400"
      },
      "committer": {
        "name": "Paolo Abeni",
        "email": "pabeni@redhat.com",
        "time": "Thu May 28 12:26:36 2026 +0200"
      },
      "message": "net: Introduce skb tc depth field to track packet loops\n\nAdd a 2-bit per-skb tc depth field to track packet loops across the stack.\n\nThe previous per-CPU loop counters like MIRRED_NEST_LIMIT\nassume a single call stack and lose state in two cases:\n1) When a packet is queued and reprocessed later (e.g., egress-\u003eingress\n   via backlog), the per-cpu state is gone by the time it is dequeued.\n2) With XPS/RPS a packet may arrive on one CPU and be processed on\n   another.\n\nA per-skb field solves both by travelling with the packet itself.\n\nThe field fits in existing padding, using 2 bits that were previously a\nhole:\n\npahole before(-) and after (+) diff looks like:\n   __u8       slow_gro:1;           /*   132: 3  1 */\n   __u8       csum_not_inet:1;      /*   132: 4  1 */\n   __u8       unreadable:1;         /*   132: 5  1 */\n + __u8       tc_depth:2;           /*   132: 6  1 */\n\n - /* XXX 2 bits hole, try to pack */\n   /* XXX 1 byte hole, try to pack */\n\n   __u16      tc_index;             /*   134     2 */\n\nThere used to be a ttl field which was removed as part of tc_verd in commit\naec745e2c520 (\"net-tc: remove unused tc_verd fields\").  It was already\nunused by that time, due to removal earlier in commit c19ae86a510c (\"tc: remove\nunused redirect ttl\").\n\nThe first user of this field is netem, which increments tc_depth on\nduplicated packets before re-enqueueing them at the root qdisc.  On\nre-entry, netem skips duplication for any skb with tc_depth already set,\nbounding recursion to a single level regardless of tree topology.\n\nThe other user is mirred which increments it on each pass\nand limits the depth to MIRRED_DEFER_LIMIT (3).\n\nThe new field was called ttl in earlier versions of this patch\nbut renamed to tc_depth to avoid confusion with IP ttl.\n\nNote (looking at you Sashiko! Don\u0027t ignore me and continue bringing this up):\n1. Since both mirred and netem utilize the same 2-bit tc_depth field it is\n   possible when netem and mirred are used together for the netem qdisc to skip\n   the duplication step. This is a known trade-off, as a 2-bit field cannot\n   independently track both features\u0027 recursion depths and it is not considered\n   sane to have a setup that addresses both features on at the same time.\n\n2. skb_scrub_packet does not clear tc_depth. This means a packet\u0027s loop history\n  is preserved even across namespaces. While this might be restrictive for\n  some topologies, it is also design intent to provide robustness against loops\n  across namespaces.\n\nReviewed-by: Stephen Hemminger \u003cstephen@networkplumber.org\u003e\nSigned-off-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nLink: https://patch.msgid.link/20260525122556.973584-2-jhs@mojatatu.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n"
    },
    {
      "commit": "9d5e7a46a9f6d8f503b41bfefef70659845f1679",
      "tree": "5d74fe7000befdc742c7b7e849c65c43ca79ed95",
      "parents": [
        "d07e5b20f1c81f53d6e99a666b1944c6edf5be71"
      ],
      "author": {
        "name": "Rahul Chandelkar",
        "email": "rc@rexion.ai",
        "time": "Mon May 25 21:10:31 2026 +0530"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Wed May 27 19:05:53 2026 -0700"
      },
      "message": "ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()\n\nipv6_rpl_srh_decompress() computes:\n\n    outhdr-\u003ehdrlen \u003d (((n + 1) * sizeof(struct in6_addr)) \u003e\u003e 3);\n\nhdrlen is __u8. For n \u003e\u003d 127 the result exceeds 255 and silently\ntruncates. With n\u003d127 (cmpri\u003d15, cmpre\u003d15, pad\u003d0, hdrlen\u003d16):\n\n    (128 * 16) \u003e\u003e 3 \u003d 256, truncated to 0 as __u8\n\nThe caller in ipv6_rpl_srh_rcv() then places the compressed header\nat buf + ((ohdr-\u003ehdrlen + 1) \u003c\u003c 3). With hdrlen\u003d0 this is buf + 8,\nbut the decompressed region occupies buf[0..2055] (8-byte header\nplus 128 full addresses). The compressed header overlaps the\ndecompressed data, and ipv6_rpl_srh_compress() writes into this\noverlap, corrupting the routing header of the forwarded packet.\n\nThe existing guard at exthdrs.c:546 checks (n + 1) \u003e 255, which\nprevents n+1 from overflowing unsigned char (the segments_left\nfield), but does not prevent the computed hdrlen from overflowing\n__u8. n\u003d127 passes because 128 \u003c\u003d 255, yet hdrlen\u003d256 does not\nfit.\n\nTighten the bound to (n + 1) \u003e 127. This caps n at 126, giving\nhdrlen \u003d (127 * 16) \u003e\u003e 3 \u003d 254, which fits in __u8. The compressed\nheader then lands at buf + ((254 + 1) \u003c\u003c 3) \u003d buf + 2040, exactly\npast the decompressed region (buf[0..2039]). No overlap. 127\nsegments is well beyond any realistic RPL deployment.\n\nFixes: 8610c7c6e3bd (\"net: ipv6: add support for rpl sr exthdr\")\nSigned-off-by: Rahul Chandelkar \u003crc@rexion.ai\u003e\nLink: https://patch.msgid.link/20260525154031.2290876-1-rc@rexion.ai\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "d07e5b20f1c81f53d6e99a666b1944c6edf5be71",
      "tree": "5e68dab613ef2f1d5a977c6760f3e474f7be0ce2",
      "parents": [
        "ce1e33020a5f365823e9a0bfd18d6b3f20e206c6",
        "67cfdd9210b99f260b3e0afeb9525e0acc7be31e"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Wed May 27 17:42:18 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Wed May 27 17:42:19 2026 -0700"
      },
      "message": "Merge branch \u0027ethtool-more-bug-fixes\u0027\n\nJakub Kicinski says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nethtool: more bug fixes\n\nLast week I sent two patch sets - one fixing bugs in RSS handling,\nand one fixing CMIS / module handling. This set contains the remaining\nfixes. There\u0027s a concentration of fixes around PHY and timestamp config\nhandling but not enough to break those out as separate sets.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260526153533.2779187-1-kuba@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "67cfdd9210b99f260b3e0afeb9525e0acc7be31e",
      "tree": "5e68dab613ef2f1d5a977c6760f3e474f7be0ce2",
      "parents": [
        "2376586f85f972fefe701f095bb37dcfe7405d21"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 08:35:33 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Wed May 27 17:42:09 2026 -0700"
      },
      "message": "ethtool: eeprom: add more safeties to EEPROM Netlink fallback\n\nThe Netlink fallback path for reading module EEPROM\n(fallback_set_params()) validates that offset \u003c eeprom_len,\nbut does not check that offset + length stays within eeprom_len.\nThe ioctl equivalent (ethtool_get_any_eeprom() in ioctl.c) has\nalways enforced both bounds:\n\n  if (eeprom.offset + eeprom.len \u003e total_len)\n      return -EINVAL;\n\nThis could lead to surprises in both drivers and device FW.\nAdd the missing offset + length validation to fallback_set_params(),\nmirroring the ioctl.\n\nSimilarly - ethtool core in general, and ethtool_get_any_eeprom()\nin particular tries to zero-init all buffers passed to the drivers\nto avoid any extra work of zeroing things out. eeprom_fallback()\nuses a plain kmalloc(), change it to zalloc.\n\nFixes: 96d971e307cc (\"ethtool: Add fallback to get_module_eeprom from netlink command\")\nReviewed-by: Maxime Chevallier \u003cmaxime.chevallier@bootlin.com\u003e\nLink: https://patch.msgid.link/20260526153533.2779187-11-kuba@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "2376586f85f972fefe701f095bb37dcfe7405d21",
      "tree": "c51c60d60ffe3dd06f64c0f5b679596d6e9db52f",
      "parents": [
        "a8d8bef6b45bf7cc0b1f6110c5cd8d0160a9bad7"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 08:35:32 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Wed May 27 17:42:09 2026 -0700"
      },
      "message": "ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during fallback\n\nAll ethtool driver op calls should be sandwiched between\nethnl_ops_begin() / ethnl_ops_complete(). In Netlink eeprom code,\nif the paged access failed we fall back to old API, but we\nfirst call _complete() and the fallback never does its own\nethnl_ops_begin(). Move the fallback into the _begin() / _complete()\nsection.\n\nFixes: 96d971e307cc (\"ethtool: Add fallback to get_module_eeprom from netlink command\")\nReviewed-by: Maxime Chevallier \u003cmaxime.chevallier@bootlin.com\u003e\nLink: https://patch.msgid.link/20260526153533.2779187-10-kuba@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "a8d8bef6b45bf7cc0b1f6110c5cd8d0160a9bad7",
      "tree": "090df3464d4ada4901df9812cbbe99ceea2624a8",
      "parents": [
        "c3fc9976f686f9a95baf87db9d387f218fd65394"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 08:35:31 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Wed May 27 17:42:09 2026 -0700"
      },
      "message": "ethtool: strset: fix header attribute index in ethnl_req_get_phydev()\n\nstrset_prepare_data() passes ETHTOOL_A_HEADER_FLAGS (3) as the header\nattribute to ethnl_req_get_phydev(). This is incorrect, in the main\nattr space 3 is ETHTOOL_A_STRSET_COUNTS_ONLY, not the request\nheader attr. The correct constant is ETHTOOL_A_STRSET_HEADER (1).\n\nethnl_req_get_phydev() only uses this value for the extack,\nso this is not a \"functionally visible\"(?) bug.\n\nFixes: e96c93aa4be9 (\"net: ethtool: strset: Allow querying phy stats by index\")\nReviewed-by: Maxime Chevallier \u003cmaxime.chevallier@bootlin.com\u003e\nLink: https://patch.msgid.link/20260526153533.2779187-9-kuba@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "c3fc9976f686f9a95baf87db9d387f218fd65394",
      "tree": "711c0076de4a13997b51cb31227a305c6c1b5565",
      "parents": [
        "1de405699c62c3a9544bcdcfb9eff8a01cfc7582"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 08:35:30 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Wed May 27 17:42:08 2026 -0700"
      },
      "message": "ethtool: tsinfo: don\u0027t pass ERR_PTR to genlmsg_cancel on prepare failure\n\nThe goto err label leads to:\n\n\tgenlmsg_cancel(skb, ehdr);\n\treturn ret;\n\nIf ethnl_tsinfo_prepare_dump() failed, it has not started a genlmsg.\nThere\u0027s nothing to cancel, and passing an error pointer to\ngenlmsg_cancel() would cause a crash.\n\nFixes: b9e3f7dc9ed9 (\"net: ethtool: tsinfo: Enhance tsinfo to support several hwtstamp by net topology\")\nReviewed-by: Maxime Chevallier \u003cmaxime.chevallier@bootlin.com\u003e\nReviewed-by: Kory Maincent \u003ckory.maincent@bootlin.com\u003e\nLink: https://patch.msgid.link/20260526153533.2779187-8-kuba@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "1de405699c62c3a9544bcdcfb9eff8a01cfc7582",
      "tree": "cd8de49f02389f4eef87e2c315e4312d4c5d1ca6",
      "parents": [
        "6386bd772de64e6760306eb91c7e86163af6c22f"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 08:35:29 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Wed May 27 17:42:08 2026 -0700"
      },
      "message": "ethtool: tsinfo: fix uninitialized stats on the by-PHC path\n\ntsinfo_prepare_data() has two code paths: a \"by-PHC\" path for\nuser-specified hardware timestamping providers, and the old path.\nCommit 89e281ebff72 (\"ethtool: init tsinfo stats if requested\") added\nethtool_stats_init() to mark stat slots as ETHTOOL_STAT_NOT_SET before\nthe driver callback populates them, but placed the call inside the\nold-path block.\n\nWhen commit b9e3f7dc9ed9 (\"net: ethtool: tsinfo: Enhance tsinfo to\nsupport several hwtstamp by net topology\") added the by-PHC early\nreturn, it landed above the stats initialization. On that path\nthe stats array retains the zero-fill from ethnl_init_reply_data()\u0027s\nzalloc. This leads to the reply including a stats nest with four\nzero-valued attributes that should have been absent.\n\nReject GET requests for stats with HWTSTAMP_PROVIDER or dump.\n\nFixes: b9e3f7dc9ed9 (\"net: ethtool: tsinfo: Enhance tsinfo to support several hwtstamp by net topology\")\nReviewed-by: Maxime Chevallier \u003cmaxime.chevallier@bootlin.com\u003e\nLink: https://patch.msgid.link/20260526153533.2779187-7-kuba@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "6386bd772de64e6760306eb91c7e86163af6c22f",
      "tree": "d3ab6596df8948de02b8dc6f49171c3f625c141d",
      "parents": [
        "ab5bf428fb6bd361163c7247b92750d1d24ca2ed"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 08:35:28 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Wed May 27 17:42:08 2026 -0700"
      },
      "message": "ethtool: tsconfig: fix missing ethnl_ops_complete()\n\ntsconfig_prepare_data() calls ethnl_ops_begin(), we need to call\nethnl_ops_complete() before returning the error.\n\nFixes: 6e9e2eed4f39 (\"net: ethtool: Add support for tsconfig command to get/set hwtstamp config\")\nReviewed-by: Vadim Fedorenko \u003cvadim.fedorenko@linux.dev\u003e\nReviewed-by: Kory Maincent \u003ckory.maincent@bootlin.com\u003e\nLink: https://patch.msgid.link/20260526153533.2779187-6-kuba@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "ab5bf428fb6bd361163c7247b92750d1d24ca2ed",
      "tree": "0e73343e3c16ab6b28e2223ca33a0d846283e07c",
      "parents": [
        "596c51ed9e125b12c4d85b4530dfd4c7847634b7"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 08:35:27 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Wed May 27 17:42:08 2026 -0700"
      },
      "message": "ethtool: pse-pd: fix missing ethnl_ops_complete()\n\npse_prepare_data() is missing ethnl_ops_complete() if\nethnl_req_get_phydev() returned an error. Move getting\nphydev up so that we don\u0027t have to worry about this\n(similar order to linkstate_prepare_data()).\n\nNote that phydev may still be NULL (this is checked in\npse_get_pse_attributes()), the goal isn\u0027t really to avoid\nthe _begin() / _complete() calls, only to simplify the error\nhandling.\n\nWhile at it propagate the original error. Why this code\noverrides the error with -ENODEV but !phydev generates\n-EOPNOTSUPP is unclear to me...\n\nFixes: 31748765bed3 (\"net: ethtool: pse-pd: Target the command to the requested PHY\")\nReviewed-by: Maxime Chevallier \u003cmaxime.chevallier@bootlin.com\u003e\nLink: https://patch.msgid.link/20260526153533.2779187-5-kuba@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "596c51ed9e125b12c4d85b4530dfd4c7847634b7",
      "tree": "e155e9b929f152a51270ac37adc16af61f353a57",
      "parents": [
        "a888bbd43940cada72f7686337741ce86d1cf869"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 08:35:26 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Wed May 27 17:42:08 2026 -0700"
      },
      "message": "ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup error\n\nlinkstate_prepare_data() calls ethnl_req_get_phydev() before\nethnl_ops_begin(), but routes its error path through \"goto out\"\nwhich calls ethnl_ops_complete().\n\nFixes: fe55b1d401c6 (\"ethtool: linkstate: migrate linkstate functions to support multi-PHY setups\")\nReviewed-by: Maxime Chevallier \u003cmaxime.chevallier@bootlin.com\u003e\nLink: https://patch.msgid.link/20260526153533.2779187-4-kuba@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "a888bbd43940cada72f7686337741ce86d1cf869",
      "tree": "aa38db33a443ede9528d13d08fd5b803b3cee311",
      "parents": [
        "7281b096b072f6c6e30420e3467d738f2e4c4b57"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 08:35:25 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Wed May 27 17:42:08 2026 -0700"
      },
      "message": "ethtool: tsconfig: fix reply error handling\n\nA couple of trivial bugs in error handling in tsconfig_send_reply().\nIf we failed to allocate rskb we need to set the error.\nIf we did allocate it but failed to send it - we need to remember\nto free it.\n\nFixes: 6e9e2eed4f39 (\"net: ethtool: Add support for tsconfig command to get/set hwtstamp config\")\nReviewed-by: Vadim Fedorenko \u003cvadim.fedorenko@linux.dev\u003e\nReviewed-by: Kory Maincent \u003ckory.maincent@bootlin.com\u003e\nLink: https://patch.msgid.link/20260526153533.2779187-3-kuba@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "7281b096b072f6c6e30420e3467d738f2e4c4b57",
      "tree": "8641050652940b18fa79dd26ce890bb769416876",
      "parents": [
        "ce1e33020a5f365823e9a0bfd18d6b3f20e206c6"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 08:35:24 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Wed May 27 17:42:07 2026 -0700"
      },
      "message": "ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES\n\nethnl_update_profile() walks the ETHTOOL_A_PROFILE_IRQ_MODERATION\nnest list with an index \u0027i\u0027 and writes new_profile[i++] without\nbounding i. The destination is kmemdup()\u0027d at NET_DIM_PARAMS_NUM_PROFILES\nentries (5), but the Netlink nest count is entirely user-controlled.\nNetlink policies do not have support for constraining the number\nof nested entries (or number of multi-attr entries).\n\nFixes: f750dfe825b9 (\"ethtool: provide customized dim profile management\")\nReviewed-by: Maxime Chevallier \u003cmaxime.chevallier@bootlin.com\u003e\nLink: https://patch.msgid.link/20260526153533.2779187-2-kuba@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "ce1e33020a5f365823e9a0bfd18d6b3f20e206c6",
      "tree": "5f0a8a122f3365db7a86d97c1fb79f9f2b470b92",
      "parents": [
        "8ba68464e4787b6a7ec938826e16124df20fd23d",
        "147f3b1f23cbd74f1022cc5689570a06f6bc47c8"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Wed May 27 17:23:07 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Wed May 27 17:23:07 2026 -0700"
      },
      "message": "Merge branch \u0027bridge-fix-sleep-in-atomic-context\u0027\n\nIdo Schimmel says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nbridge: Fix sleep in atomic context\n\nUnder certain circumstances the bridge driver can call\ndev_set_promiscuity() while holding the bridge spin lock. This is a\nproblem as dev_set_promiscuity() might sleep.\n\nPatches #1-#2 fix the problem in the netlink and sysfs configuration\npaths by only taking the lock where it is actually needed, thereby\navoiding calling dev_set_promiscuity() from an atomic context.\n\nPatch #3 adds test cases for both configuration paths in rtnetlink.sh\nwhich already includes test cases for similar issues.\n\nNote that dev_set_promiscuity() can sleep either when it takes the net\ndevice mutex or when calling netif_rx_mode_sync(). I encountered the\nproblem with the latter, but blamed the former since it came earlier.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260526064818.272516-1-idosch@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "147f3b1f23cbd74f1022cc5689570a06f6bc47c8",
      "tree": "5f0a8a122f3365db7a86d97c1fb79f9f2b470b92",
      "parents": [
        "6d34594cc619d0d4b07d5afcad8b5984f3526dcf"
      ],
      "author": {
        "name": "Ido Schimmel",
        "email": "idosch@nvidia.com",
        "time": "Tue May 26 09:48:18 2026 +0300"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Wed May 27 17:23:05 2026 -0700"
      },
      "message": "selftests: rtnetlink: Add bridge promiscuity tests\n\nAdd two test cases that always pass, but trigger sleeping in atomic\ncontext BUGs without \"bridge: Fix sleep in atomic context in netlink\npath\" and \"bridge: Fix sleep in atomic context in sysfs path\".\n\nReviewed-by: Nikolay Aleksandrov \u003cnikolay@nvidia.com\u003e\nSigned-off-by: Ido Schimmel \u003cidosch@nvidia.com\u003e\nLink: https://patch.msgid.link/20260526064818.272516-4-idosch@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "6d34594cc619d0d4b07d5afcad8b5984f3526dcf",
      "tree": "a519034f474b30ef4c350405e48187dc40176980",
      "parents": [
        "5eec4427b89c2fb2beac54920101e55a2f1c0c21"
      ],
      "author": {
        "name": "Ido Schimmel",
        "email": "idosch@nvidia.com",
        "time": "Tue May 26 09:48:17 2026 +0300"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Wed May 27 17:23:05 2026 -0700"
      },
      "message": "bridge: Fix sleep in atomic context in sysfs path\n\nSince the start of the git history, brport_store() always acquired the\nbridge lock. Back then this decision made sense: The bridge lock\nprotects the STP state of the bridge and its ports and at that time the\nfunction was only used by two STP related attributes (cost and\npriority).\n\nNowadays, brport_store() processes a lot more attributes and most of\nthem do not need the bridge lock:\n\n* Bridge flags: Only require RTNL. Read locklessly by the data path.\n  Annotations can be added in net-next.\n\n* FDB port flushing: Only requires the FDB lock.\n\n* Multicast attributes: Only require the multicast lock.\n\n* Group forward mask: Only requires RTNL. Read locklessly by the data\n  path. Annotations can be added in net-next.\n\n* Backup port: Only requires RTNL. Read locklessly by the data path.\n\nThis is a problem as the bridge calls dev_set_promiscuity() when certain\nbridge port flags change and this function can sleep since the commit\ncited below, resulting in a splat such as [1].\n\nFix this by reducing the scope of the bridge lock and only take it when\nprocessing the two STP related attributes that require it. Remove the\nnow stale comment from br_switchdev_set_port_flag(). 
The\nSWITCHDEV_F_DEFER flag can be removed in net-next.\n\n[1]\nBUG: sleeping function called from invalid context at net/core/dev_addr_lists.c:1262\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 372, name: bash\npreempt_count: 201, expected: 0\nRCU nest depth: 0, expected: 0\n5 locks held by bash/372:\n#0: ffff88810c51c3f0 (sb_writers#7){.+.+}-{0:0}, at: ksys_write (fs/read_write.c:740)\n#1: ffff888115ce9480 (\u0026of-\u003emutex){+.+.}-{4:4}, at: kernfs_fop_write_iter (fs/kernfs/file.c:343)\n#2: ffff88810b9fd330 (kn-\u003eactive#37){.+.+}-{0:0}, at: kernfs_fop_write_iter (fs/kernfs/file.c:80 fs/kernfs/file.c:344)\n#3: ffffffffa59473a0 (rtnl_mutex){+.+.}-{4:4}, at: brport_store (net/bridge/br_sysfs_if.c:326)\n#4: ffff8881099d2d58 (\u0026br-\u003elock){+...}-{3:3}, at: brport_store (./include/linux/spinlock.h:348 net/bridge/br_sysfs_if.c:345)\nPreemption disabled at:\n 0x0\nHardware name: Bochs Bochs, BIOS Bochs 01/01/2011\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)\n__might_resched.cold (kernel/sched/core.c:9163)\nnetif_rx_mode_run (net/core/dev_addr_lists.c:1262)\nnetif_rx_mode_sync (net/core/dev_addr_lists.c:1428)\ndev_set_promiscuity (net/core/dev_api.c:289)\nbr_manage_promisc (net/bridge/br_if.c:135 net/bridge/br_if.c:172)\nbr_port_flags_change (net/bridge/br_if.c:242 net/bridge/br_if.c:747)\nstore_learning (net/bridge/br_sysfs_if.c:79 net/bridge/br_sysfs_if.c:235)\nbrport_store (net/bridge/br_sysfs_if.c:346)\nkernfs_fop_write_iter (fs/kernfs/file.c:352)\nnew_sync_write (fs/read_write.c:595)\nvfs_write (fs/read_write.c:688)\nksys_write (fs/read_write.c:740)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)\n\nFixes: 78cd408356fe (\"net: add missing instance lock to dev_set_promiscuity\")\nReviewed-by: Nikolay Aleksandrov \u003cnikolay@nvidia.com\u003e\nSigned-off-by: Ido Schimmel 
\u003cidosch@nvidia.com\u003e\nLink: https://patch.msgid.link/20260526064818.272516-3-idosch@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "5eec4427b89c2fb2beac54920101e55a2f1c0c21",
      "tree": "fb2abdee457a04e99ed2cbbbf54d5e4869dbdd31",
      "parents": [
        "8ba68464e4787b6a7ec938826e16124df20fd23d"
      ],
      "author": {
        "name": "Ido Schimmel",
        "email": "idosch@nvidia.com",
        "time": "Tue May 26 09:48:16 2026 +0300"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Wed May 27 17:23:05 2026 -0700"
      },
      "message": "bridge: Fix sleep in atomic context in netlink path\n\nSince the introduction of the netlink configuration path for bridge\nports in commit 25c71c75ac87 (\"bridge: bridge port parameters over\nnetlink\"), br_setport() was always called with the bridge lock held\naround it. Back then this decision made sense: The bridge lock protects\nthe STP state of the bridge and its ports and at that time the function\nonly processed three STP related netlink attributes (cost, priority and\nstate).\n\nNowadays, br_setport() processes a lot more attributes and most of them\ndo not need the bridge lock:\n\n* Bridge flags: Only require RTNL. Read locklessly by the data path.\n  Annotations can be added in net-next.\n\n* FDB port flushing: Only requires the FDB lock.\n\n* Multicast attributes: Only require the multicast lock.\n\n* Group forward mask: Only requires RTNL. Read locklessly by the data\n  path. Annotations can be added in net-next.\n\n* Backup port and NHID: Only require RTNL. Read locklessly by the data\n  path.\n\nThis is a problem as the bridge calls dev_set_promiscuity() when certain\nbridge port flags change and this function can sleep since the commit\ncited below, resulting in a splat such as [1].\n\nFix this by reducing the scope of the bridge lock and only take it when\nprocessing the three STP related attributes that require it. 
This is\nconsistent with the multicast attributes where each attribute acquires\nthe multicast lock instead of having one critical section for all\nrelevant attributes.\n\n[1]\nBUG: sleeping function called from invalid context at net/core/dev_addr_lists.c:1262\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 356, name: bridge\npreempt_count: 201, expected: 0\nRCU nest depth: 0, expected: 0\n2 locks held by bridge/356:\n#0: ffffffff919473a0 (rtnl_mutex){+.+.}-{4:4}, at: rtnetlink_rcv_msg (net/core/rtnetlink.c:80 net/core/rtnetlink.c:7002)\n#1: ffff888115072d58 (\u0026br-\u003elock){+...}-{3:3}, at: br_setlink (./include/linux/spinlock.h:348 net/bridge/br_netlink.c:1117)\nPreemption disabled at:\n 0x0\nHardware name: Bochs Bochs, BIOS Bochs 01/01/2011\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)\n__might_resched.cold (kernel/sched/core.c:9163)\nnetif_rx_mode_run (net/core/dev_addr_lists.c:1262)\nnetif_rx_mode_sync (net/core/dev_addr_lists.c:1428)\ndev_set_promiscuity (net/core/dev_api.c:289)\nbr_manage_promisc (net/bridge/br_if.c:135 net/bridge/br_if.c:172)\nbr_port_flags_change (net/bridge/br_if.c:242 net/bridge/br_if.c:747)\nbr_setport (net/bridge/br_netlink.c:1000)\nbr_setlink (net/bridge/br_netlink.c:1118)\nrtnl_bridge_setlink (net/core/rtnetlink.c:5572)\nrtnetlink_rcv_msg (net/core/rtnetlink.c:7005)\nnetlink_rcv_skb (net/netlink/af_netlink.c:2550)\nnetlink_unicast (net/netlink/af_netlink.c:1318 net/netlink/af_netlink.c:1344)\nnetlink_sendmsg (net/netlink/af_netlink.c:1894)\n__sock_sendmsg (net/socket.c:787 (discriminator 4) net/socket.c:802 (discriminator 4))\n____sys_sendmsg (net/socket.c:2698)\n___sys_sendmsg (net/socket.c:2752)\n__sys_sendmsg (net/socket.c:2784)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)\n\nFixes: 78cd408356fe (\"net: add missing instance lock to dev_set_promiscuity\")\nReviewed-by: Nikolay 
Aleksandrov \u003cnikolay@nvidia.com\u003e\nSigned-off-by: Ido Schimmel \u003cidosch@nvidia.com\u003e\nLink: https://patch.msgid.link/20260526064818.272516-2-idosch@nvidia.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "8ba68464e4787b6a7ec938826e16124df20fd23d",
      "tree": "2dc6f852d220c305e2dad41840540f6c9235d64b",
      "parents": [
        "dd433671fef381fdaf7b530c631e6b782d66e224"
      ],
      "author": {
        "name": "Oliver Hartkopp",
        "email": "socketcan@hartkopp.net",
        "time": "Tue May 26 21:33:19 2026 +0200"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Wed May 27 16:58:28 2026 -0700"
      },
      "message": "bonding: refuse to enslave CAN devices\n\nsyzbot reported a kernel paging request crash in\ncan_rx_unregister() inside net/can/af_can.c. The crash occurs\nbecause a virtual CAN device (vxcan) is being enslaved to a\nbonding master.\n\nDuring the enslavement process, the bonding driver mutates\nand modifies the network device states to fit an Ethernet-like\naggregation model. However, CAN devices operate on a completely\ndifferent Layer 2 architecture, relying on the CAN mid-layer\nprivate data structure (can_ml_priv) instead of standard\nEthernet structures. Since bonding does not initialize or\nmaintain these CAN structures, subsequent operations on the\nhalf-enslaved interface (such as closing associated sockets\nvia isotp_release) lead to a null-pointer dereference when\naccessing the CAN receiver lists.\n\nBonding CAN interfaces is architecturally invalid as CAN lacks\nMAC addresses, ARP capabilities, and standard Ethernet\nlink-layer mechanisms. While generic loopback devices are\nblocked globally in net/core/dev.c, virtual CAN devices\nbypass this check because they do not carry the IFF_LOOPBACK\nflag, despite acting as local software-loopbacks.\n\nFix this by explicitly blocking network devices of type\nARPHRD_CAN from being enslaved at the very beginning of\nbond_enslave(). 
This prevents illegal state mutations,\neliminates the resulting KASAN crashes, and avoids potential\nmemory leaks from incomplete socket cleanups.\n\nAs the CAN support has been added a long time after bonding\nthe Fixes-tag points to the introduction of ARPHRD_CAN that\nwould have needed a specific handling in bonding_main.c.\n\nFixes: cd05acfe65ed (\"[CAN]: Allocate protocol numbers for PF_CAN\")\nReported-by: syzbot+8ed98cbd0161632bce95@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid\u003d8ed98cbd0161632bce95\nSigned-off-by: Oliver Hartkopp \u003csocketcan@hartkopp.net\u003e\nAcked-by: Jay Vosburgh \u003cjv@jvosburgh.net\u003e\nLink: https://patch.msgid.link/20260526-bonding-candev-v1-1-ba1df400918a@hartkopp.net\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "fa21e86caba2347e89eb65af926205a36a097c53",
      "tree": "e9572066041368996cce56a12a6960b8252be3d6",
      "parents": [
        "bfea6091e0fffb270c20e74384b660910277eb6c"
      ],
      "author": {
        "name": "Shuai Zhang",
        "email": "shuai.zhang@oss.qualcomm.com",
        "time": "Mon May 25 14:51:56 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 16:44:02 2026 -0400"
      },
      "message": "Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading\n\nWhen bt_en is pulled high by hardware, the host does not re-download\nthe firmware after SSR. The controller loads the rampatch and NVM\ninternally.\n\nOn HMT chip, the rampatch is ~264 KB and the NVM is ~9.4 KB. The\nloading process takes approximately 70 ms. The previous 50 ms delay is\ntoo short, causing the controller to not respond to the reset command\nsent by the host, which leads to BT initialization failure:\n\n Bluetooth: hci0: QCA memdump Done, received 458752, total 458752\n Bluetooth: hci0: mem_dump_status: 2\n Bluetooth: hci0: Opcode 0x0c03 failed: -110\n\nIncrease the delay to 100 ms, which was confirmed as a safe value by\nthe controller, to ensure the controller has finished loading the\nfirmware before the host sends commands.\n\nSteps to reproduce:\n1. Trigger SSR and wait for SSR to complete:\n   hcitool cmd 0x3f 0c 26\n2. Run \"bluetoothctl power on\" and observe that BT fails to start.\n\nFixes: fce1a9244a0f (\"Bluetooth: hci_qca: Fix SSR (SubSystem Restart) fail when BT_EN is pulled up by hw\")\nCc: stable@vger.kernel.org\nReviewed-by: Dmitry Baryshkov \u003cdmitry.baryshkov@oss.qualcomm.com\u003e\nSigned-off-by: Shuai Zhang \u003cshuai.zhang@oss.qualcomm.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "bfea6091e0fffb270c20e74384b660910277eb6c",
      "tree": "4882a7d2820e2b4064c859341f69e4fdeeee7dc1",
      "parents": [
        "3c40d381ce04f9575a5d8b542898183c3b4b38dc"
      ],
      "author": {
        "name": "Doruk Tan Ozturk",
        "email": "doruk@0sec.ai",
        "time": "Mon May 25 18:24:38 2026 +0200"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 16:44:02 2026 -0400"
      },
      "message": "Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync\n\nhci_le_create_cis_sync() dereferences conn-\u003econn_timeout after releasing\nboth rcu_read_lock() and hci_dev_lock(hdev).  The conn pointer was\nobtained from an RCU-protected iteration over hdev-\u003econn_hash.list and\nis not valid once these locks are dropped.  A concurrent disconnect can\nfree the hci_conn between the unlock and the dereference, causing a\nuse-after-free read.\n\nThe cancellation mechanism in hci_conn_del() cannot prevent this because\nhci_le_create_cis_pending() queues hci_create_cis_sync with data\u003dNULL:\n\n    hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL);\n\nWhile hci_conn_del() dequeues with data\u003dconn:\n\n    hci_cmd_sync_dequeue(hdev, NULL, conn, NULL);\n\nSince NULL !\u003d conn, the lookup in _hci_cmd_sync_lookup_entry() never\nmatches, and the pending work item is not cancelled.\n\nFix this by saving conn-\u003econn_timeout into a local variable while the\nlocks are still held, so the stale conn pointer is never dereferenced\nafter unlock.\n\nThis is the same class of bug as the one fixed by commit 035c25007c9e\n(\"Bluetooth: hci_sync: Fix UAF on le_read_features_complete\") which\naddressed the identical pattern in a different function.\n\nThis vulnerability was identified using 0sec.ai, an open-source\nautomated security auditing platform (https://github.com/0sec-labs).\n\nFixes: c09b80be6ffc (\"Bluetooth: hci_conn: Fix not waiting for HCI_EVT_LE_CIS_ESTABLISHED\")\nCc: stable@vger.kernel.org\nReported-by: Doruk Tan Ozturk \u003cdoruk@0sec.ai\u003e\nSigned-off-by: Doruk Tan Ozturk \u003cdoruk@0sec.ai\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "3c40d381ce04f9575a5d8b542898183c3b4b38dc",
      "tree": "0a8fd859ef2298f657365e4bc5d135bdf4b4cf3c",
      "parents": [
        "82855073c1081732656734b74d7d1d5e4cfd0da7"
      ],
      "author": {
        "name": "Zhao Dongdong",
        "email": "zhaodongdong@kylinos.cn",
        "time": "Tue May 26 11:21:39 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 16:44:02 2026 -0400"
      },
      "message": "Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()\n\nThe skb_clone() function can return NULL if memory allocation fails.\nsend_mcast_pkt() calls skb_clone() without checking the return value, which\ncan lead to a NULL pointer dereference in send_pkt() when it dereferences\nskb-\u003edata.\nAdd a NULL check after skb_clone() and skip the peer if the clone fails.\n\nFixes: 18722c247023 (\"Bluetooth: Enable 6LoWPAN support for BT LE devices\")\nSigned-off-by: Zhao Dongdong \u003czhaodongdong@kylinos.cn\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "82855073c1081732656734b74d7d1d5e4cfd0da7",
      "tree": "911e879139be96bf88fe93006da091920e113edb",
      "parents": [
        "2a3ac9ee11dbb9845f3947cef4a79dba658cf6f6"
      ],
      "author": {
        "name": "Shuai Zhang",
        "email": "shuai.zhang@oss.qualcomm.com",
        "time": "Thu May 21 13:25:47 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 16:44:02 2026 -0400"
      },
      "message": "Bluetooth: btusb: Allow firmware re-download when version matches\n\nThe Bluetooth host decides whether to download firmware by reading the\ncontroller firmware download completion flag and firmware version\ninformation.\n\nIf a USB error occurs during the firmware download process (for example\ndue to a USB disconnect), the download is aborted immediately. An\nincomplete firmware transfer does not cause the controller to set the\ndownload completion flag, but the firmware version information may be\nupdated at an early stage of the download process.\n\nIn this case, after USB reconnection, the host attempts to re-download\nthe firmware because the download completion flag is not set. However,\nsince the controller reports the same firmware version as the target\nfirmware, the download is skipped. This ultimately results in the\nfirmware not being properly updated on the controller.\n\nThis change removes the restriction that skips firmware download when\nthe versions are equal. It covers scenarios where the USB connection\ncan be disconnected at any time and ensures that firmware download can\nbe retriggered after USB reconnection, allowing the Bluetooth firmware\nto be correctly and completely updated.\n\nFixes: 3267c884cefa (\"Bluetooth: btusb: Add support for QCA ROME chipset family\")\nCc: stable@vger.kernel.org\nSigned-off-by: Shuai Zhang \u003cshuai.zhang@oss.qualcomm.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "2a3ac9ee11dbb9845f3947cef4a79dba658cf6f6",
      "tree": "55564e488966e12b685920a91789a2df88f027d7",
      "parents": [
        "8c8e620467a7b51562dbcefbd1f09f288d7d710d"
      ],
      "author": {
        "name": "Muhammad Bilal",
        "email": "meatuni001@gmail.com",
        "time": "Wed May 20 18:56:43 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 16:44:02 2026 -0400"
      },
      "message": "Bluetooth: HIDP: fix missing length checks in hidp_input_report()\n\nhidp_input_report() reads keyboard and mouse payload data from an skb\nwithout first verifying that skb-\u003elen contains enough data.\n\nhidp_recv_intr_frame() pulls the 1-byte HIDP header before dispatching\nto hidp_input_report(). If a paired device sends a truncated packet,\nthe handler reads beyond the valid skb data, resulting in an\nout-of-bounds read of skb data. The OOB bytes may be interpreted as\nphantom key presses or spurious mouse movement.\n\nReplace the open-coded length tracking and pointer arithmetic with\nskb_pull_data() calls. skb_pull_data() returns NULL if the requested\nbytes are not present, eliminating the need for a manual size variable\nand the separate skb-\u003elen guard.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nCc: stable@vger.kernel.org\nSigned-off-by: Muhammad Bilal \u003cmeatuni001@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "8c8e620467a7b51562dbcefbd1f09f288d7d710d",
      "tree": "947a53eadbec7a1cc42ce1498e01b7fc9e373e64",
      "parents": [
        "9dbd84990394c51f5cee1e8871bb5ff8af5ed939"
      ],
      "author": {
        "name": "Siwei Zhang",
        "email": "oss@fourdim.xyz",
        "time": "Wed May 20 22:12:20 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 16:44:01 2026 -0400"
      },
      "message": "Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()\n\nl2cap_chan_close() removes the channel from conn-\u003echan_l, which\nmust be done under conn-\u003elock.  cleanup_listen() runs under the\nparent sk_lock, so acquiring conn-\u003elock would invert the\nestablished conn-\u003elock -\u003e chan-\u003elock -\u003e sk_lock order.\n\nInstead of calling l2cap_chan_close() directly, schedule\nl2cap_chan_timeout with delay 0 to close the channel\nasynchronously.  The timeout handler already acquires conn-\u003elock\nand chan-\u003elock in the correct order.\n\nThe timer is only armed when chan-\u003econn is still set: if it is\nalready NULL, l2cap_conn_del() has already processed this channel\n(l2cap_chan_del + l2cap_sock_teardown_cb + l2cap_sock_close_cb),\nso there is nothing left to do.  If l2cap_conn_del() races in\nafter the timer is armed, __clear_chan_timer() inside\nl2cap_chan_del() cancels it; if the timer has already fired, the\nhandler returns harmlessly because chan-\u003econn was cleared.\n\nFixes: 3df91ea20e74 (\"Bluetooth: Revert to mutexes from RCU list\")\nCc: \u003cstable@vger.kernel.org\u003e # 0b58004: Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()\nSigned-off-by: Siwei Zhang \u003coss@fourdim.xyz\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "9dbd84990394c51f5cee1e8871bb5ff8af5ed939",
      "tree": "d1fa891eaea2eae104486d6a2e4e10cadfcf0cbe",
      "parents": [
        "bfa9d28960ed677d556bdf097073bc3129686229"
      ],
      "author": {
        "name": "Siwei Zhang",
        "email": "oss@fourdim.xyz",
        "time": "Wed May 20 22:30:36 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 16:44:01 2026 -0400"
      },
      "message": "Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn\n\n__set_chan_timer() takes a l2cap_chan reference via l2cap_chan_hold()\nbefore scheduling the delayed work.  The normal path in\nl2cap_chan_timeout() drops this reference with l2cap_chan_put() at the\nend, but the early return when chan-\u003econn is NULL skips the put,\nleaking the reference.\n\nAdd the missing l2cap_chan_put() before the early return.\n\nFixes: adf0398cee86 (\"Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout\")\nCc: stable@vger.kernel.org\nSigned-off-by: Siwei Zhang \u003coss@fourdim.xyz\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "bfa9d28960ed677d556bdf097073bc3129686229",
      "tree": "a738d6bf14482f60a067f16d8246be2243310424",
      "parents": [
        "ab1513597c6cf17cd1ad2a21e3b045421b48e022"
      ],
      "author": {
        "name": "Pavitra Jha",
        "email": "jhapavitra98@gmail.com",
        "time": "Thu May 21 04:04:14 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 16:44:01 2026 -0400"
      },
      "message": "Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()\n\nhci_le_big_terminate() allocates iso_list_data via kzalloc_obj but\nreturns 0 without freeing it when neither pa_sync_term nor big_sync_term\nflags are set after evaluating the PA and BIG sync connection state.\n\nThis early-return path was introduced when hci_le_big_terminate() was\nrefactored to take struct hci_conn instead of raw u8 parameters, adding\nPA/BIG flag evaluation logic. The existing kfree() on hci_cmd_sync_queue\nfailure does not cover this path.\n\nFixes: a7bcffc673de (\"Bluetooth: Add PA_LINK to distinguish BIG sync and PA sync connections\")\nCc: stable@vger.kernel.org\nSigned-off-by: Pavitra Jha \u003cjhapavitra98@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "dd433671fef381fdaf7b530c631e6b782d66e224",
      "tree": "36163bcea4a5f6c1778b110ef967f8d724629ce2",
      "parents": [
        "e66c456f7ce45f2b6c267e5a77bb6e049378dd86"
      ],
      "author": {
        "name": "Qi Tang",
        "email": "tpluszz77@gmail.com",
        "time": "Sat May 23 22:32:45 2026 +0800"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 18:53:10 2026 -0700"
      },
      "message": "ipv6: validate extension header length before copying to cmsg\n\nip6_datagram_recv_specific_ctl() builds IPV6_{HOPOPTS,DSTOPTS,RTHDR}\ncmsgs (and their IPV6_2292* legacy counterparts) by trusting the\non-wire hdrlen byte (ptr[1]) when computing the put_cmsg() length.\nThe length was validated only at parse time (ipv6_parse_hopopts(),\netc.).  An nftables payload-write expression can rewrite hdrlen after\nparsing and before the skb reaches recvmsg; the write itself is\nin-bounds but put_cmsg() then reads up to ((hdrlen+1) \u003c\u003c 3) \u003d 2040\nbytes from an 8-byte header.  nftables is reachable from an\nunprivileged user namespace, so this is an unprivileged\nslab-out-of-bounds read:\n\n  BUG: KASAN: slab-out-of-bounds in put_cmsg+0x3ac/0x540\n   put_cmsg+0x3ac/0x540\n   udpv6_recvmsg+0xca0/0x1250\n   sock_recvmsg+0xdf/0x190\n   ____sys_recvmsg+0x1b1/0x620\n\nAdd ipv6_get_exthdr_len() which validates that at least two bytes\nare accessible before reading the hdrlen field, then checks the\ncomputed length against skb_tail_pointer(skb), returning 0 on\nfailure.  Extension headers are kept in the linear skb area by\npskb_may_pull() during input, so skb_tail_pointer() is the correct\nbound.\n\nUse ipv6_get_exthdr_len() at all non-AH call sites: the five\nstandalone cmsg blocks (HbH, 2292HbH, 2292DSTOPTS x2, 2292RTHDR)\nand the three standard cases in the extension-header walk loop\n(DSTOPTS, ROUTING, default).  
AH retains an inline bounds check\nbecause its length formula differs ((ptr[1]+2)\u003c\u003c2).\n\nThe walk loop also gets a pre-read bounds check at the top to\nvalidate ptr before any case accesses ptr[0] or ptr[1].\n\nWhen the walk loop detects a corrupted header, return from the\nfunction instead of continuing to process later socket options.\n\nCc: stable@vger.kernel.org\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Qi Tang \u003ctpluszz77@gmail.com\u003e\nReviewed-by: Willem de Bruijn \u003cwillemb@google.com\u003e\nLink: https://patch.msgid.link/20260523143245.2281415-1-tpluszz77@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "e66c456f7ce45f2b6c267e5a77bb6e049378dd86",
      "tree": "4896bca547182b51c033a20746d57bf667c57ef5",
      "parents": [
        "509323077ef79a26ba0c60bb556e45c12c398b2d",
        "f23bf992d65a42007c517b060ca35cebdea3525a"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 18:32:34 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 18:32:34 2026 -0700"
      },
      "message": "Merge tag \u0027nfc-7.1-rc6\u0027 of https://codeberg.org/linux-nfc/linux\n\nDavid Heidelberg says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnfc pull request for net:\n\nCode improvements\n - llcp: Fix use-after-free in llcp_sock_release()\n - llcp: Fix use-after-free race in nfc_llcp_recv_cc()\n - hci: fix out-of-bounds read in HCP header parsing\nRegression fixes:\n - nxp-nci: i2c: use rising-edge IRQ on ACPI systems\n\nSigned-off-by: David Heidelberg \u003cdavid@ixit.cz\u003e\n\n* tag \u0027nfc-7.1-rc6\u0027 of https://codeberg.org/linux-nfc/linux:\n  nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems\n  nfc: hci: fix out-of-bounds read in HCP header parsing\n  nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()\n  nfc: llcp: Fix use-after-free in llcp_sock_release()\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/217c0646-8a30-4037-b613-580c2b189729@ixit.cz\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "509323077ef79a26ba0c60bb556e45c12c398b2d",
      "tree": "ac3694890fbdf6e9dec6ada642aa6c4223a00f5f",
      "parents": [
        "7d9ef0cb271555d8cf39fefe6c981e1493b25ecf"
      ],
      "author": {
        "name": "Eric Dumazet",
        "email": "edumazet@google.com",
        "time": "Fri May 22 11:55:12 2026 +0000"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 18:11:47 2026 -0700"
      },
      "message": "tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()\n\nIn some cases, iptunnel_pmtud_check_icmp() can be called while\nskb transport header is not set.\n\nThis triggers an out-of-bound access, because\n(typeof(skb-\u003etransport_header))~0U is 65535.\n\nAccess the icmp header based on IPv4 network header,\nafter making sure icmp-\u003etype is present in skb linear part.\n\nNote that iptunnel_pmtud_check_icmpv6() is fine.\n\nFixes: 4cb47a8644cc (\"tunnels: PMTU discovery support for directly bridged IP packets\")\nReported-by: Damiano Melotti \u003cmelotti@google.com\u003e\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReviewed-by: Kuniyuki Iwashima \u003ckuniyu@google.com\u003e\nLink: https://patch.msgid.link/20260522115512.1519110-1-edumazet@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "7d9ef0cb271555d8cf39fefe6c981e1493b25ecf",
      "tree": "8eb447e2c4b9aa1abf729a7a39fa12b62637c37a",
      "parents": [
        "b4bc94353050b1fa7b702bd4c6600710dd926cff"
      ],
      "author": {
        "name": "Eric Dumazet",
        "email": "edumazet@google.com",
        "time": "Mon May 25 20:36:42 2026 +0000"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 18:10:55 2026 -0700"
      },
      "message": "vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()\n\nskb_tunnel_check_pmtu() can change skb-\u003ehead.\n\nReusing old_iph after skb_tunnel_check_pmtu() can cause an UAF.\n\nUse instead ip_hdr(skb) as done in drivers/net/bareudp.c\nand drivers/net/geneve.c.\n\nFound by Sashiko.\n\nFixes: 4cb47a8644cc (\"tunnels: PMTU discovery support for directly bridged IP packets\")\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReviewed-by: Stefano Brivio \u003csbrivio@redhat.com\u003e\nLink: https://patch.msgid.link/20260525203642.2389723-1-edumazet@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "b4bc94353050b1fa7b702bd4c6600710dd926cff",
      "tree": "733ca2ad2496f37626eda800456268b2067cfc5a",
      "parents": [
        "d895767c337814cf4b97d5ad5375e5ed7e12018d"
      ],
      "author": {
        "name": "Eric Dumazet",
        "email": "edumazet@google.com",
        "time": "Mon May 25 20:13:35 2026 +0000"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 18:10:25 2026 -0700"
      },
      "message": "tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]()\n\nSashiko found that iptunnel_pmtud_build_icmp() and\niptunnel_pmtud_build_icmpv6() were caching ip_hdr() and ipv6_hdr()\nbefore an skb_cow() call which can reallocate skb-\u003ehead.\n\nFix this possible UAF by initializing the local variables\nafter the skb_cow() call.\n\nRemove skb_reset_network_header() calls which were not needed.\n\nFixes: 4cb47a8644cc (\"tunnels: PMTU discovery support for directly bridged IP packets\")\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReviewed-by: Stefano Brivio \u003csbrivio@redhat.com\u003e\nLink: https://patch.msgid.link/20260525201335.2361845-1-edumazet@google.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "d895767c337814cf4b97d5ad5375e5ed7e12018d",
      "tree": "386a4372d37fefcd1b274e123bf8e8409c638f4d",
      "parents": [
        "05f95729ca844704d15e49ce14868af4b403b32b"
      ],
      "author": {
        "name": "Lucien.Jheng",
        "email": "lucienzx159@gmail.com",
        "time": "Sun May 24 14:39:15 2026 +0800"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 17:59:47 2026 -0700"
      },
      "message": "net: phy: air_en8811h: add AN8811HB MCU assert/deassert support\n\nAN8811HB needs a MCU soft-reset cycle before firmware loading begins.\nAssert the MCU (hold it in reset) and immediately deassert (release)\nvia a dedicated PBUS register pair (0x5cf9f8 / 0x5cf9fc), accessed\nthrough a registered mdio_device at PHY-addr+8.\n\nAdd __air_pbus_reg_write() as a low-level helper taking a struct\nmdio_device *, create and register the PBUS mdio_device in\nan8811hb_probe() and store it in priv-\u003epbusdev, then implement\nan8811hb_mcu_assert() / _deassert() on top of it. Add\nan8811hb_remove() to unregister the PBUS device on teardown. Wire\nboth calls into an8811hb_load_firmware() and en8811h_restart_mcu()\nso every firmware load or MCU restart on AN8811HB correctly sequences\nthe reset control registers.\n\nFixes: 5afda1d734ed (\"net: phy: air_en8811h: add Airoha AN8811HB support\")\nSigned-off-by: Lucien Jheng \u003clucienzx159@gmail.com\u003e\nReviewed-by: Andrew Lunn \u003candrew@lunn.ch\u003e\nLink: https://patch.msgid.link/20260524063915.47961-1-lucienzx159@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "05f95729ca844704d15e49ce14868af4b403b32b",
      "tree": "a6b3771f45c2a3d4a67f5281daf00c23548c22d1",
      "parents": [
        "c66d7c3c1f173cf73a2a2f8302666d86beafff22"
      ],
      "author": {
        "name": "Michael Bommarito",
        "email": "michael.bommarito@gmail.com",
        "time": "Fri May 22 22:34:23 2026 -0400"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 17:35:12 2026 -0700"
      },
      "message": "l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname\n\nA reader in l2tp_session_get_by_ifname() can return a pointer to a\nsession whose refcount has reached zero. The getter takes its\nreference with plain refcount_inc(), but every other session getter\nin the same file (l2tp_v2_session_get, l2tp_v3_session_get, and the\ncorresponding _get_next variants) uses refcount_inc_not_zero()\nbecause the IDR/RCU lookup can race with refcount_dec_and_test() -\u003e\nl2tp_session_free() -\u003e kfree_rcu(). The ifname getter is the only\noutlier; the inconsistency was raised on-list after 979c017803c4\n(\"l2tp: use list_del_rcu in l2tp_session_unhash\").\n\nA reader inside rcu_read_lock_bh() that matches session-\u003eifname can\nbe preempted between the strcmp() and the refcount_inc(). If the\nlast reference drops on another CPU in that window, the reader\u0027s\nrefcount_inc() runs on a counter that has reached zero. refcount_t\ncatches the addition-on-zero, prints \"refcount_t: addition on 0;\nuse-after-free\", saturates the counter, and returns the saturated\npointer to the caller. Session memory is held live by the in-flight\nRCU read section, but the kfree_rcu() callback queued from\nl2tp_session_free() will free it once the grace period closes; a\ncaller that dereferences the returned session past that point hits\na slab-use-after-free. On PREEMPT_RT local_bh_disable() is a per-CPU\nsleeping lock and the preemption window is real; on stock PREEMPT\nkernels local_bh_disable() is a preempt_count increment that closes\nthe cross-CPU race in practice (see below).\n\nUse refcount_inc_not_zero() and continue the list walk on failure,\nmatching the other session getters in the file. The ifname getter\nis the only session getter in net/l2tp/ that still uses the bare\nrefcount_inc() pattern; this change restores file-internal\nconsistency. The success path is unchanged.\n\nFixes: abe7a1a7d0b6 (\"l2tp: improve tunnel/session refcount helpers\")\nCc: stable@vger.kernel.org\nSigned-off-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nReviewed-by: James Chapman \u003cjchapman@katalix.com\u003e\nReviewed-by: Simon Horman \u003chorms@kernel.org\u003e\nLink: https://patch.msgid.link/20260523023423.2568972-1-michael.bommarito@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "eb3f4b7426cfd2b79d65b7d37155480b32259a11",
      "tree": "adb9ed5b086c5c501915884cb8a26247b2c4f1c5",
      "parents": [
        "e909cedf6800ef493063f18a089f3632817a8c2d",
        "0b474240327cebeff08ad429e8ed3cfc6c8ee816"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue May 26 13:49:13 2026 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue May 26 13:49:13 2026 -0700"
      },
      "message": "Merge tag \u0027nfsd-7.1-2\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux\n\nPull nfsd fixes from Chuck Lever:\n \"Regressions:\n\n   - Tighten bounds checking for sunrpc cache hash tables\n\n   - Don\u0027t report key material in the ftrace log\n\n  Stable fix:\n\n   - Fix lockd\u0027s implementation of the NLM TEST procedure\"\n\n* tag \u0027nfsd-7.1-2\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux:\n  lockd: fix TEST handling when not all permissions are available.\n  NFSD: Report whether fh_key was actually updated\n  sunrpc: prevent out-of-bounds read in __cache_seq_start()\n"
    },
    {
      "commit": "e909cedf6800ef493063f18a089f3632817a8c2d",
      "tree": "d1ff437b168fefda1e63465ef8e1b4a14074250d",
      "parents": [
        "d60ec36cab338dfe2ae40d73e9c8d6c4af70d2b8",
        "fb6988b83b4cafe8db63999c1ddff1b7c66d2ff5"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue May 26 13:37:26 2026 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue May 26 13:37:26 2026 -0700"
      },
      "message": "Merge tag \u0027linux_kselftest-kunit-fixes-7.1-rc6\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest\n\nPull kunit fix from Shuah Khan:\n \"Fix a use-after-free in kunit debugfs when using kunit.filter when the\n  executor frees dynamically allocated resources after running boot-time\n  tests. This resulted in fatal hardware exception due to invalidation\n  of capability flags on the reclaimed memory on some architectures such\n  as CHERI RISC-V that support the feature, and silent memory corruption\n  on others.\n\n  The fix for this couples the lifetime of the filtered suite memory\n  allocation to the lifetime of the kunit subsystem and its associated\n  VFS nodes. Ownership of the boot-time suite_set is now transferred to\n  a global tracker (\u0027kunit_boot_suites\u0027), and the memory is cleanly\n  released in kunit_exit() during module teardown\"\n\n* tag \u0027linux_kselftest-kunit-fixes-7.1-rc6\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:\n  kunit: fix use-after-free in debugfs when using kunit.filter\n"
    },
    {
      "commit": "d60ec36cab338dfe2ae40d73e9c8d6c4af70d2b8",
      "tree": "e9a0c763a92a7f4a33c956c4d1ad6a6026e583dc",
      "parents": [
        "e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7",
        "54cf41c969da6637cce790b7400da1451609db9b"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue May 26 08:23:19 2026 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue May 26 08:23:19 2026 -0700"
      },
      "message": "Merge tag \u0027mm-hotfixes-stable-2026-05-25-16-22\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm\n\nPull misc fixes from Andrew Morton:\n \"13 hotfixes. 9 are for MM. 9 are cc:stable and the remaining 4 address\n  post-7.1 issues or aren\u0027t considered suitable for backporting.\n\n  All patches are singletons - please see the individual changelogs for\n  details\"\n\n* tag \u0027mm-hotfixes-stable-2026-05-25-16-22\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:\n  Revert \"mm: introduce a new page type for page pool in page type\"\n  mm/vmalloc: do not trigger BUG() on BH disabled context\n  MAINTAINERS, mailmap: change email for Eugen Hristev\n  mm/migrate_device: fix pgtable leak in migrate_vma_insert_huge_pmd_page\n  kernel/fork: validate exit_signal in kernel_clone()\n  mm: memcontrol: propagate NMI slab stats to memcg vmstats\n  mm/damon/sysfs-schemes: delete tried region in regions_rmdirs()\n  mm/rmap: initialize nr_pages to 1 at loop start in try_to_unmap_one\n  zram: fix use-after-free in zram_writeback_endio\n  memfd: deny writeable mappings when implying SEAL_WRITE\n  ipc: limit next_id allocation to the valid ID range\n  Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"\n  MAINTAINERS: .mailmap: update after GEHC spin-off\n"
    },
    {
      "commit": "c66d7c3c1f173cf73a2a2f8302666d86beafff22",
      "tree": "1286df8c0b8ebfa80822f625cb198c469b14d802",
      "parents": [
        "a0bfd64397b819c8ad0c4ac7fd948702e78193e0",
        "d5551f4c1800dc714cec86647bdd651ae0de923e"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 08:19:36 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 08:19:36 2026 -0700"
      },
      "message": "Merge branch \u0027ethtool-module-fix-a-handful-of-small-bugs\u0027\n\nJakub Kicinski says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nethtool: module: fix a handful of small bugs\n\nI\u0027ve been poking at the locking in ethtool and it appears\nthat the FW flashing is not currently taking the ops lock.\nExisting drivers which implement module FW flashing seem\nto have their own locking, so this series doesn\u0027t actually\nadd the ops lock (I\u0027ll add it in net-next). But a number\nof other errors have been surfaced in the process.\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/20260522231312.1710836-1-kuba@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "d5551f4c1800dc714cec86647bdd651ae0de923e",
      "tree": "1286df8c0b8ebfa80822f625cb198c469b14d802",
      "parents": [
        "12c2496a71f82f63617971ca9b730dffa05cf58b"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Fri May 22 16:13:12 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 08:19:33 2026 -0700"
      },
      "message": "ethtool: cmis: validate fw-\u003esize against start_cmd_payload_size\n\ncmis_fw_update_start_download() copies start_cmd_payload_size bytes\nfrom the firmware blob into the CDB LPL vendor_data[] payload without\nvalidating that the FW has enough data.\n\nSince the start_cmd_payload_size can only be ~120B an image too short\nis most likely corrupted, so reject it.\n\nFixes: c4f78134d45c (\"ethtool: cmis_fw_update: add a layer for supporting firmware update using CDB\")\nReviewed-by: Maxime Chevallier \u003cmaxime.chevallier@bootlin.com\u003e\nReviewed-by: Danielle Ratson \u003cdanieller@nvidia.com\u003e\nLink: https://patch.msgid.link/20260522231312.1710836-10-kuba@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "12c2496a71f82f63617971ca9b730dffa05cf58b",
      "tree": "e443df210e5d2e8b311e285022e6864452faba18",
      "parents": [
        "3e8c3d464c36bb342fe377b026577c7ec27fdbb4"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Fri May 22 16:13:11 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 08:19:33 2026 -0700"
      },
      "message": "ethtool: cmis: validate start_cmd_payload_size from module\n\nThe CMIS firmware update code reads start_cmd_payload_size from\nthe module\u0027s FW Management Features CDB reply and uses it directly\nas the byte count for memcpy. The destination buffer is 112 bytes\n(ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH - 8). So a malicious\nmodule (or corrupted response) can cause an OOB write later on in\ncmis_fw_update_start_download().\n\nLet\u0027s error out. If modules that expect longer LPL writes actually\nexist we should revisit.\n\nstruct cmis_cdb_start_fw_download_pl\u0027s definition has to move,\nno change there.\n\nFixes: c4f78134d45c (\"ethtool: cmis_fw_update: add a layer for supporting firmware update using CDB\")\nReviewed-by: Maxime Chevallier \u003cmaxime.chevallier@bootlin.com\u003e\nReviewed-by: Danielle Ratson \u003cdanieller@nvidia.com\u003e\nLink: https://patch.msgid.link/20260522231312.1710836-9-kuba@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "3e8c3d464c36bb342fe377b026577c7ec27fdbb4",
      "tree": "802a556a9f53276f2943fd53aee9f5e401d8cdec",
      "parents": [
        "6c3f999a9d1338c6c89a9ff4549eafe72bc2e7b1"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Fri May 22 16:13:10 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 08:19:33 2026 -0700"
      },
      "message": "ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl\n\nethtool_cmis_cdb_compose_args() accepts msleep_pre_rpl as u16 but stores\nit into the u8 field ethtool_cmis_cdb_cmd_args::msleep_pre_rpl, silently\ntruncating values \u003e\u003d 256. Seven of the nine call sites pass 1000 ms\n(it\u0027s the third argument from the end).\n\nFixes: a39c84d79625 (\"ethtool: cmis_cdb: Add a layer for supporting CDB commands\")\nReviewed-by: Maxime Chevallier \u003cmaxime.chevallier@bootlin.com\u003e\nReviewed-by: Danielle Ratson \u003cdanieller@nvidia.com\u003e\nLink: https://patch.msgid.link/20260522231312.1710836-8-kuba@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    },
    {
      "commit": "6c3f999a9d1338c6c89a9ff4549eafe72bc2e7b1",
      "tree": "13187b02076cca373e34aff99ffbba21aa927ed5",
      "parents": [
        "760d04ebad5c4304f22c0d2251c9623b87a117c8"
      ],
      "author": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Fri May 22 16:13:09 2026 -0700"
      },
      "committer": {
        "name": "Jakub Kicinski",
        "email": "kuba@kernel.org",
        "time": "Tue May 26 08:19:33 2026 -0700"
      },
      "message": "ethtool: cmis: require exact CDB reply length\n\nA malicious SFP module could respond with rpl_len longer than\nwhat cmis_cdb_process_reply() expected, leading to OOB writes.\nMalicious HW is a bit theoretical but some modules may just\nbe buggy and/or the reads may occasionally get corrupted,\nso let\u0027s protect the kernel.\n\nThe existing check protects from short replies. We need to\nprotect from long ones, too. All callers that pass a non-zero\nrpl_exp_len cast the reply payload to a fixed-layout struct\nand read fields at fixed offsets, with no version negotiation\nor short-reply handling:\n\n  - cmis_cdb_validate_password()\n  - cmis_cdb_module_features_get()\n  - cmis_fw_update_fw_mng_features_get()\n\nso let\u0027s assume that responses longer than expected do not\nhave to be handled gracefully here. Add a warning message\nto make the debug easier in case my understanding is wrong...\n\nNote that page_data-\u003elength (argument of kmalloc) comes from\nlast arg to ethtool_cmis_page_init() which is rpl_exp_len.\n\nNote2 that AIs also like to point out overflows in args-\u003ereq.payload\nitself (which is a fixed-size 120 B buffer, on the stack),\nbut callers should be reading structs defined by the standard,\nso protecting from requests for more data than max seems like\ndefensive programming.\n\nFixes: a39c84d79625 (\"ethtool: cmis_cdb: Add a layer for supporting CDB commands\")\nReviewed-by: Danielle Ratson \u003cdanieller@nvidia.com\u003e\nLink: https://patch.msgid.link/20260522231312.1710836-7-kuba@kernel.org\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n"
    }
  ],
  "next": "760d04ebad5c4304f22c0d2251c9623b87a117c8"
}
