Netdev List
 help / color / mirror / Atom feed
* Re: [PATCH net v8 0/4] macsec: Add support for VLAN filtering in offload mode
From: patchwork-bot+netdevbpf @ 2026-04-10  3:10 UTC (permalink / raw)
  To: Cosmin Ratiu
  Cc: netdev, sd, andrew+netdev, davem, edumazet, kuba, pabeni, horms,
	sdf, dw, shuah, linux-kselftest, dtatulea
In-Reply-To: <20260408115240.1636047-1-cratiu@nvidia.com>

Hello:

This series was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 8 Apr 2026 14:52:36 +0300 you wrote:
> This short series adds support for VLANs in MACsec devices when offload
> mode is enabled. This allows VLAN netdevs on top of MACsec netdevs to
> function, which accidentally used to be the case in the past, but was
> broken. This series adds back proper support.
> 
> As part of this, the existing nsim-only MACsec offload tests were
> translated to Python so they can run against real HW and new
> traffic-based tests were added for VLAN filter propagation, since
> there's currently no uAPI to check VLAN filters.
> 
> [...]

Here is the summary with links:
  - [net,v8,1/4] selftests: Migrate nsim-only MACsec tests to Python
    https://git.kernel.org/netdev/net/c/e1ab601bb230
  - [net,v8,2/4] nsim: Add support for VLAN filters
    https://git.kernel.org/netdev/net/c/c89f194b6b8e
  - [net,v8,3/4] selftests: Add MACsec VLAN propagation traffic test
    https://git.kernel.org/netdev/net/c/26555673bc78
  - [net,v8,4/4] macsec: Support VLAN-filtering lower devices
    https://git.kernel.org/netdev/net/c/a363b1c8be87

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* Re: [net-next,PATCH v6 1/3] dt-bindings: net: realtek,rtl82xx: Keep property list sorted
From: patchwork-bot+netdevbpf @ 2026-04-10  3:10 UTC (permalink / raw)
  To: Marek Vasut
  Cc: netdev, robh, davem, olek2, andrew, conor+dt, edumazet,
	f.fainelli, hkallweit1, ivan.galkin, kuba, krzk+dt, michael,
	pabeni, linux, vladimir.oltean, devicetree
In-Reply-To: <20260405233008.148974-1-marek.vasut@mailbox.org>

Hello:

This series was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Mon,  6 Apr 2026 01:29:56 +0200 you wrote:
> Sort the documented properties alphabetically, no functional change.
> 
> Acked-by: Rob Herring (Arm) <robh@kernel.org>
> Signed-off-by: Marek Vasut <marek.vasut@mailbox.org>
> ---
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Aleksander Jan Bajkowski <olek2@wp.pl>
> Cc: Andrew Lunn <andrew@lunn.ch>
> Cc: Conor Dooley <conor+dt@kernel.org>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Florian Fainelli <f.fainelli@gmail.com>
> Cc: Heiner Kallweit <hkallweit1@gmail.com>
> Cc: Ivan Galkin <ivan.galkin@axis.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Krzysztof Kozlowski <krzk+dt@kernel.org>
> Cc: Michael Klein <michael@fossekall.de>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: Rob Herring <robh@kernel.org>
> Cc: Russell King <linux@armlinux.org.uk>
> Cc: Vladimir Oltean <vladimir.oltean@nxp.com>
> Cc: devicetree@vger.kernel.org
> Cc: netdev@vger.kernel.org
> 
> [...]

Here is the summary with links:
  - [net-next,v6,1/3] dt-bindings: net: realtek,rtl82xx: Keep property list sorted
    https://git.kernel.org/netdev/net-next/c/4de7a8acd18e
  - [net-next,v6,2/3] dt-bindings: net: realtek,rtl82xx: Document realtek,*-ssc-enable property
    https://git.kernel.org/netdev/net-next/c/bfb859a5cb49
  - [net-next,v6,3/3] net: phy: realtek: Add property to enable SSC
    https://git.kernel.org/netdev/net-next/c/84c5a3f00084

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* Re: [PATCH net-next] ppp: consolidate refcount decrements
From: patchwork-bot+netdevbpf @ 2026-04-10  3:10 UTC (permalink / raw)
  To: Qingfang Deng
  Cc: andrew+netdev, davem, edumazet, kuba, pabeni, bigeasy, kees,
	kuniyu, linux-ppp, netdev, linux-kernel
In-Reply-To: <20260407094058.257246-1-qingfang.deng@linux.dev>

Hello:

This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Tue,  7 Apr 2026 17:40:56 +0800 you wrote:
> ppp_destroy_{channel,interface} are always called after
> refcount_dec_and_test().
> 
> To reduce boilerplate code, consolidate the decrements by moving them
> into the two functions. To reflect this change in semantics, rename the
> functions to ppp_release_*.
> 
> [...]

Here is the summary with links:
  - [net-next] ppp: consolidate refcount decrements
    https://git.kernel.org/netdev/net-next/c/5ecbebc9483c

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* Re: [PATCH net-next v2] ipv6: move IFA_F_PERMANENT percpu allocation in process scope
From: patchwork-bot+netdevbpf @ 2026-04-10  3:10 UTC (permalink / raw)
  To: Paolo Abeni; +Cc: netdev, davem, dsahern, edumazet, kuba, horms
In-Reply-To: <46a7a030727e236af2dc7752994cd4f04f4a91d2.1775658924.git.pabeni@redhat.com>

Hello:

This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed,  8 Apr 2026 16:36:49 +0200 you wrote:
> Observed at boot time:
> 
>  CPU: 43 UID: 0 PID: 3595 Comm: (t-daemon) Not tainted 6.12.0 #1
>  Call Trace:
>   <TASK>
>   dump_stack_lvl+0x4e/0x70
>   pcpu_alloc_noprof.cold+0x1f/0x4b
>   fib_nh_common_init+0x4c/0x110
>   fib6_nh_init+0x387/0x740
>   ip6_route_info_create+0x46d/0x640
>   addrconf_f6i_alloc+0x13b/0x180
>   addrconf_permanent_addr+0xd0/0x220
>   addrconf_notify+0x93/0x540
>   notifier_call_chain+0x5a/0xd0
>   __dev_notify_flags+0x5c/0xf0
>   dev_change_flags+0x54/0x70
>   do_setlink+0x36c/0xce0
>   rtnl_setlink+0x11f/0x1d0
>   rtnetlink_rcv_msg+0x142/0x3f0
>   netlink_rcv_skb+0x50/0x100
>   netlink_unicast+0x242/0x390
>   netlink_sendmsg+0x21b/0x470
>   __sys_sendto+0x1dc/0x1f0
>   __x64_sys_sendto+0x24/0x30
>   do_syscall_64+0x7d/0x160
>   entry_SYSCALL_64_after_hwframe+0x76/0x7e
>  RIP: 0033:0x7f5c3852f127
>  Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 85 ef 0c 00 00 41 89 ca 74 10 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 71 c3 55 48 83 ec 30 44 89 4c 24 2c 4c 89 44
>  RSP: 002b:00007ffe86caf4c8 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
>  RAX: ffffffffffffffda RBX: 0000556c5cd93210 RCX: 00007f5c3852f127
>  RDX: 0000000000000020 RSI: 0000556c5cd938b0 RDI: 0000000000000003
>  RBP: 00007ffe86caf5a0 R08: 00007ffe86caf4e0 R09: 0000000000000080
>  R10: 0000000000000000 R11: 0000000000000202 R12: 0000556c5cd932d0
>  R13: 00000000021d05d1 R14: 00000000021d05d1 R15: 0000000000000001
> 
> [...]

Here is the summary with links:
  - [net-next,v2] ipv6: move IFA_F_PERMANENT percpu allocation in process scope
    https://git.kernel.org/netdev/net-next/c/8e6405f8218b

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* Re: [PATCH v4 net-next] net: use get_random_u{16,32,64}() where appropriate
From: patchwork-bot+netdevbpf @ 2026-04-10  3:10 UTC (permalink / raw)
  To: David CARLIER
  Cc: kuba, davem, edumazet, pabeni, andrew+netdev, horms, idryomov,
	johannes, matttbe, martineau, geliang, aconole, i.maximets,
	marcelo.leitner, lucien.xin, jmaloy, netdev, linux-wireless,
	mptcp, dev, linux-sctp, tipc-discussion, linux-kernel
In-Reply-To: <20260407150758.5889-1-devnexen@gmail.com>

Hello:

This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Tue,  7 Apr 2026 16:07:58 +0100 you wrote:
> Use the typed random integer helpers instead of
> get_random_bytes() when filling a single integer variable.
> The helpers return the value directly, require no pointer
> or size argument, and better express intent.
> 
> Skipped sites writing into __be16 (netdevsim) and __le64
> (ceph) fields where a direct assignment would trigger
> sparse endianness warnings.
> 
> [...]

Here is the summary with links:
  - [v4,net-next] net: use get_random_u{16,32,64}() where appropriate
    https://git.kernel.org/netdev/net-next/c/9addea5d44b6

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* Re: [PATCH net-next v4 3/3] gve: implement PTP gettimex64
From: Jakub Kicinski @ 2026-04-10  3:16 UTC (permalink / raw)
  To: Harshitha Ramamurthy
  Cc: netdev, joshwash, andrew+netdev, davem, edumazet, pabeni,
	richardcochran, willemb, nktgrg, jfraker, ziweixiao, maolson,
	thostet, jordanrhee, jefrogers, alok.a.tiwari, yyd,
	jacob.e.keller, linux-kernel, Naman Gulati
In-Reply-To: <20260406234002.3610542-4-hramamurthy@google.com>

On Mon,  6 Apr 2026 23:40:02 +0000 Harshitha Ramamurthy wrote:
> From: Jordan Rhee <jordanrhee@google.com>
> 
> Enable chrony and phc2sys to synchronize system clock to NIC clock.
> 
> The system cycle counters are sampled by the device to minimize the
> uncertainty window. If the system times are sampled in the host, the
> delta between pre and post readings is 100us or more due to AQ command
> latency. The system times returned by the device have a delta of ~1us,
> which enables significantly more accurate clock synchronization.

Interesting. I'd like this looked over by David Woodhouse and tglx.
Please repost after the merge window or send them an RFC.

> +static int gve_ptp_read_timestamp(struct gve_ptp *ptp, cycles_t *pre_cycles,
> +				  cycles_t *post_cycles,
> +				  struct system_time_snapshot *snap)
> +{
> +	unsigned long delay_us = 1000;
> +	int retry_count = 0;
> +	int err;
> +
> +	lockdep_assert_held(&ptp->nic_ts_read_lock);
> +
> +	do {

This can't be a for () loop with 5 iterations?

> +		if (snap)
> +			ktime_get_snapshot(snap);
> +
> +		*pre_cycles = get_cycles();
> +		err = gve_adminq_report_nic_ts(ptp->priv,
> +					       ptp->nic_ts_report_bus);
> +
> +		/* Prevent get_cycles() from being speculatively executed
> +		 * before the AdminQ command
> +		 */
> +		rmb();
> +		*post_cycles = get_cycles();
> +		if (likely(err != -EAGAIN))
> +			return err;
> +
> +		fsleep(delay_us);
> +
> +		/* Exponential backoff */
> +		delay_us *= 2;
> +		retry_count++;
> +	} while (retry_count < 5);
> +
> +	return -ETIMEDOUT;
> +}
> +
>  /* Read the nic timestamp from hardware via the admin queue. */
> -static int gve_clock_nic_ts_read(struct gve_ptp *ptp, u64 *nic_raw)
> +static int gve_clock_nic_ts_read(struct gve_ptp *ptp, u64 *nic_raw,
> +				 struct gve_sysclock_sample *sysclock)
>  {
> +	cycles_t host_pre_cycles, host_post_cycles;
> +	struct gve_nic_ts_report *ts_report;
>  	int err;
>  
>  	mutex_lock(&ptp->nic_ts_read_lock);
> -	err = gve_adminq_report_nic_ts(ptp->priv, ptp->nic_ts_report_bus);
> -	if (err)
> +	err = gve_ptp_read_timestamp(ptp, &host_pre_cycles, &host_post_cycles,
> +				     sysclock ? &sysclock->snapshot : NULL);
> +	if (err) {
> +		dev_err_ratelimited(&ptp->priv->pdev->dev,
> +				    "AdminQ timestamp read failed: %d\n", err);
>  		goto out;
> +	}
>  
> -	*nic_raw = be64_to_cpu(ptp->nic_ts_report->nic_timestamp);
> +	ts_report = ptp->nic_ts_report;
> +	*nic_raw = be64_to_cpu(ts_report->nic_timestamp);
> +
> +	if (sysclock) {
> +		sysclock->nic_pre_cycles = be64_to_cpu(ts_report->pre_cycles);
> +		sysclock->nic_post_cycles = be64_to_cpu(ts_report->post_cycles);
> +		sysclock->host_pre_cycles = host_pre_cycles;
> +		sysclock->host_post_cycles = host_post_cycles;
> +	}
>  
>  out:
>  	mutex_unlock(&ptp->nic_ts_read_lock);
>  	return err;
>  }
>  
> +struct gve_cycles_to_clock_callback_ctx {
> +	u64 cycles;
> +};
> +
> +static int gve_cycles_to_clock_fn(ktime_t *device_time,
> +				  struct system_counterval_t *system_counterval,
> +				  void *ctx)

Does this do anything GVE specific??

> +{
> +	struct gve_cycles_to_clock_callback_ctx *context = ctx;
> +
> +	*device_time = 0;
> +
> +	system_counterval->cycles = context->cycles;
> +	system_counterval->use_nsecs = false;
> +
> +	if (IS_ENABLED(CONFIG_X86))
> +		system_counterval->cs_id = CSID_X86_TSC;
> +	else if (IS_ENABLED(CONFIG_ARM64))
> +		system_counterval->cs_id = CSID_ARM_ARCH_COUNTER;
> +	else
> +		return -EOPNOTSUPP;
> +
> +	return 0;
> +}
-- 
pw-bot: cr

^ permalink raw reply

* Re: [net-next v38] mctp pcc: Implement MCTP over PCC Transport
From: Jakub Kicinski @ 2026-04-10  3:24 UTC (permalink / raw)
  To: admiyo
  Cc: Jakub Kicinski, jk, matt, andrew+netdev, davem, edumazet, pabeni,
	netdev, linux-kernel, sudeep.holla, Jonathan.Cameron, lihuisong
In-Reply-To: <20260405180741.1496198-1-admiyo@os.amperecomputing.com>

This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
---
mctp pcc: Implement MCTP over PCC Transport

This commit implements a network driver for the Management Component
Transport Protocol (MCTP) over the Platform Communication Channel (PCC).

Link: https://www.dmtf.org/sites/default/files/standards/documents/DSP0292_1.0.0WIP50.pdf
Link: https://uefi.org/htmlspecs/ACPI_Spec_6_4_html/14_Platform_Communications_Channel/Platform_Comm_Channel.html

> diff --git a/drivers/net/mctp/mctp-pcc.c b/drivers/net/mctp/mctp-pcc.c
> new file mode 100644
> --- /dev/null
> +++ b/drivers/net/mctp/mctp-pcc.c

[ ... ]

> +static void mctp_pcc_client_rx_callback(struct mbox_client *cl, void *mssg)
> +{

[ ... ]

> +	// The message must at least have the PCC command indicating it is an MCTP
> +	// message followed by the MCTP header, or we have a malformed message.
> +	if (pcc_header.length < sizeof(pcc_header.command) + sizeof(struct mctp_hdr)) {
> +		dev_dstats_rx_dropped(mctp_pcc_ndev->ndev);
> +		return;
> +	}
> +
> +	size = pcc_header.length - sizeof(pcc_header.command) + sizeof(pcc_header);

Can this size calculation wrap around? Because pcc_header.length is read from
shared memory, a maliciously large value (e.g. 0xFFFFFFF8) could wrap around
the unsigned 32-bit addition, resulting in a small positive size.

This small positive size would then bypass the check below, and eventually
fail in skb_pull(), leaving the malformed skb to be passed to the network
stack.

> +	// If the reported size is larger than the shared memory, something is wrong
> +	// and the best we can do is treat it as corrupted data.
> +	if (size > inbox->chan->shmem_size) {
> +		dev_dstats_rx_dropped(mctp_pcc_ndev->ndev);
> +		return;
> +	}

[ ... ]

> +static netdev_tx_t mctp_pcc_tx(struct sk_buff *skb, struct net_device *ndev)
> +{

[ ... ]

> +	pcc_header = skb_push(skb, sizeof(*pcc_header));
> +	pcc_header->signature = PCC_SIGNATURE | mpnd->outbox.index;
> +	pcc_header->flags = PCC_CMD_COMPLETION_NOTIFY;
> +	memcpy(&pcc_header->command, MCTP_SIGNATURE, MCTP_SIGNATURE_LENGTH);
> +	pcc_header->length = len + MCTP_SIGNATURE_LENGTH;

Are these assignments writing native endian values into shared memory?

The ACPI Platform Communications Channel specification defines the shared
memory region as strictly little-endian. Writing without cpu_to_le32() will
cause big endian architectures to write byte-swapped metadata, resulting in
dropped packets.

> +
> +	rc = mbox_send_message(mpnd->outbox.chan->mchan, skb);
> +	if (rc < 0) {

[ ... ]

> +static void mctp_pcc_tx_prepare(struct mbox_client *cl, void *mssg)
> +{

[ ... ]

> +	if (skb->len > outbox->chan->shmem_size) {
> +		dev_dstats_tx_dropped(mctp_pcc_ndev->ndev);
> +		return;
> +	}

If the skb is oversized, this skips the copy and returns, but does it abort
the transmission?

Since mctp_pcc_tx() already submitted the message and tx_prepare() returns
void, the hardware doorbell will still be rung. The remote endpoint would
process the unmodified shared memory, replaying the previous packet's data.

> +	memcpy_toio(outbox->chan->shmem,  skb->data, skb->len);

Is it possible to read out of bounds here if the skb is fragmented?

The skb->data pointer only points to the linear portion of the packet, while
skb->len represents the total packet length including page fragments.
skb_cow_head() does not linearize the packet, so a call to skb_linearize()
might be needed before copying.

> +}
> +
> +static void mctp_pcc_tx_done(struct mbox_client *c, void *mssg, int r)
> +{
> +	struct mctp_pcc_ndev *mctp_pcc_ndev;
> +	struct sk_buff *skb = mssg;
> +
> +	mctp_pcc_ndev = container_of(c, struct mctp_pcc_ndev, outbox.client);
> +	dev_dstats_tx_add(mctp_pcc_ndev->ndev, skb->len);

Could this lead to sequence counter corruption and deadlock?

mctp_pcc_tx() runs in process or softirq context and calls
dev_dstats_tx_dropped(). mctp_pcc_tx_done() runs in the controller's hardirq
context and calls dev_dstats_tx_add().

The generic dev_dstats_* macros use u64_stats_update_begin(), which does not
disable interrupts. If a hardware interrupt fires while the softirq path is
inside u64_stats_update_begin(), the hardirq path will re-enter the lock.

> +	dev_consume_skb_any(skb);
> +	netif_wake_queue(mctp_pcc_ndev->ndev);
> +}

[ ... ]

> +static int mctp_pcc_ndo_stop(struct net_device *ndev)
> +{
> +	struct mctp_pcc_ndev *mctp_pcc_ndev;
> +	unsigned int count, idx;
> +	struct mbox_chan *chan;
> +	struct sk_buff *skb;
> +
> +	mctp_pcc_ndev = netdev_priv(ndev);
> +	chan = mctp_pcc_ndev->outbox.chan->mchan;
> +
> +	scoped_guard(spinlock_irqsave, &chan->lock) {
> +		chan->active_req = NULL;

Does this bypass the mailbox API and cause a memory leak?

By explicitly setting active_req to NULL without freeing the in-flight skb,
the skb is leaked.

Additionally, when the hardware completion interrupt fires, mbox_chan_txdone()
will pass NULL as the mssg parameter to mctp_pcc_tx_done(). Since
mctp_pcc_tx_done() dereferences skb->len, this will result in a NULL pointer
dereference.

> +		while (chan->msg_count > 0) {
> +			count = chan->msg_count;
> +			idx = chan->msg_free;
> +			if (idx >= count)
> +				idx -= count;
> +			else
> +				idx += MBOX_TX_QUEUE_LEN - count;

Is this index calculation accurate?

Since msg_free is incremented and msg_count is decremented in each iteration
below, the calculated idx jumps by 2. This skips alternate skbs, leaking
them, and reads uninitialized memory, which is then passed to
dev_consume_skb_any(), causing a use-after-free or double free.

> +			skb = chan->msg_data[idx];
> +			dev_dstats_tx_dropped(ndev);
> +			dev_consume_skb_any(skb);
> +			chan->msg_count--;
> +			chan->msg_free++;
> +		}
> +	}

[ ... ]

> +static int mctp_pcc_driver_add(struct acpi_device *acpi_dev)
> +{
> +	struct mctp_pcc_lookup_context context = {0};
> +	struct mctp_pcc_ndev *mctp_pcc_ndev;

[ ... ]

> +	status = acpi_walk_resources(dev_handle, "_CRS", lookup_pcct_indices,
> +				     &context);
> +	if (!ACPI_SUCCESS(status)) {
> +		dev_err(dev, "FAILED to lookup PCC indexes from CRS\n");
> +		return -EINVAL;
> +	}

What happens if the _CRS table contains fewer than two PCC_DWORD_TYPE
resources?

If context.index is not verified to be at least 2 here, context.inbox_index
and context.outbox_index might remain uninitialized or at their default zero
values. This could cause the driver to blindly request PCC channel 0, which
may belong to another hardware subsystem.

> +
> +	snprintf(name, sizeof(name), "mctppcc%d", context.inbox_index);
> +	ndev = alloc_netdev(sizeof(*mctp_pcc_ndev), name, NET_NAME_PREDICTABLE,
> +			    mctp_pcc_setup);
-- 
pw-bot: cr

^ permalink raw reply

* Re: [net-next v38] mctp pcc: Implement MCTP over PCC Transport
From: Jakub Kicinski @ 2026-04-10  3:29 UTC (permalink / raw)
  To: Adam Young
  Cc: Jeremy Kerr, Matt Johnston, Andrew Lunn, David S. Miller,
	Eric Dumazet, Paolo Abeni, netdev, linux-kernel, Sudeep Holla,
	Jonathan Cameron, Huisong Li
In-Reply-To: <20260405180741.1496198-1-admiyo@os.amperecomputing.com>

On Sun,  5 Apr 2026 14:07:40 -0400 Adam Young wrote:
> +	rc = mbox_send_message(mpnd->outbox.chan->mchan, skb);
> +	if (rc < 0) {
> +		//Remove the header in case it gets sent again

space after //

> +		skb_pull(skb, sizeof(*pcc_header));
> +		netif_stop_queue(ndev);
> +		return NETDEV_TX_BUSY;
> +	}
> +
> +	return NETDEV_TX_OK;
> +}
> +
> +static void mctp_pcc_tx_prepare(struct mbox_client *cl, void *mssg)
> +{
> +	struct mctp_pcc_ndev *mctp_pcc_ndev;
> +	struct mctp_pcc_mailbox *outbox;
> +	struct sk_buff *skb = mssg;
> +
> +	mctp_pcc_ndev = container_of(cl, struct mctp_pcc_ndev, outbox.client);
> +	outbox = &mctp_pcc_ndev->outbox;
> +
> +	if (!skb)
> +		return;

Is this really ever called with a NULL pointer?

> +	if (skb->len > outbox->chan->shmem_size) {
> +		dev_dstats_tx_dropped(mctp_pcc_ndev->ndev);
> +		return;
> +	}
> +	memcpy_toio(outbox->chan->shmem,  skb->data, skb->len);
> +}

> +static int mctp_pcc_ndo_open(struct net_device *ndev)

dont say ndo in function names

> +{
> +	struct mctp_pcc_ndev *mctp_pcc_ndev = netdev_priv(ndev);
> +	struct mctp_pcc_mailbox *outbox, *inbox;
> +
> +	outbox = &mctp_pcc_ndev->outbox;
> +	inbox = &mctp_pcc_ndev->inbox;
> +
> +	outbox->chan = pcc_mbox_request_channel(&outbox->client, outbox->index);
> +	if (IS_ERR(outbox->chan))
> +		return PTR_ERR(outbox->chan);
> +
> +	inbox->client.rx_callback = mctp_pcc_client_rx_callback;
> +	inbox->chan = pcc_mbox_request_channel(&inbox->client, inbox->index);
> +	if (IS_ERR(inbox->chan)) {
> +		pcc_mbox_free_channel(outbox->chan);
> +		return PTR_ERR(inbox->chan);
> +	}
> +	return 0;

> +static int initialize_MTU(struct net_device *ndev)

don't use capital letter in function names for no good reason

> +{
> +	struct mctp_pcc_ndev *mctp_pcc_ndev;
> +	struct mctp_pcc_mailbox *outbox;
> +	struct pcc_mbox_chan *pchan;
> +	int mctp_pcc_max_mtu;
> +
> +	mctp_pcc_ndev = netdev_priv(ndev);
> +	outbox = &mctp_pcc_ndev->outbox;
> +	pchan = pcc_mbox_request_channel(&outbox->client, outbox->index);
> +	if (IS_ERR(pchan))
> +		return -1;

why not return PTR_ERR(pchan) ?

> +	if (pchan->shmem_size < MCTP_MIN_MTU + sizeof(struct acpi_pcct_ext_pcc_shared_memory)) {
> +		pcc_mbox_free_channel(pchan);
> +		return -1;

EINVAL


We are about to close for the merge window please wait until.. Apr 27th
I think with the next version.
> +	}

^ permalink raw reply

* Re: [PATCH net] netrom: do some basic forms of validation on incoming frames
From: Jakub Kicinski @ 2026-04-10  3:32 UTC (permalink / raw)
  To: Simon Horman
  Cc: Greg Kroah-Hartman, netdev, linux-kernel, David S. Miller,
	Eric Dumazet, Paolo Abeni, linux-hams, Yizhe Zhuang, stable
In-Reply-To: <20260409190328.GS469338@kernel.org>

On Thu, 9 Apr 2026 20:03:28 +0100 Simon Horman wrote:
> I expect that checking skb->len isn't sufficient here
> and pskb_may_pull needs to be used to ensure that
> the data is also available in the linear section of the skb.

Or for simplicity we could also be testing against skb_headlen()
since we don't expect any legit non-linear frames here? Dunno.

^ permalink raw reply

* Re: [PATCH net v3] net: airoha: Add dma_rmb() and READ_ONCE() in airoha_qdma_rx_process()
From: Jakub Kicinski @ 2026-04-10  3:35 UTC (permalink / raw)
  To: Lorenzo Bianconi
  Cc: Andrew Lunn, David S. Miller, Eric Dumazet, Paolo Abeni,
	Xuegang Lu, Simon Horman, linux-arm-kernel, linux-mediatek,
	netdev
In-Reply-To: <20260407-airoha_qdma_rx_process-fix-reordering-v3-1-91c36e9da31f@kernel.org>

On Tue, 07 Apr 2026 08:48:04 +0200 Lorenzo Bianconi wrote:
> Add missing dma_rmb() in airoha_qdma_rx_process routine to make sure the
> DMA read operations are completed when the NIC reports the processing on
> the current descriptor is done. Moreover, add missing READ_ONCE() in
> airoha_qdma_rx_process() for DMA descriptor control fields in order to
> avoid any compiler reordering.

Sashiko seems to have more orthogonal complaints FWIW

^ permalink raw reply

* [PATCH net v4 2/2] pppoe: drop PFC frames
From: Qingfang Deng @ 2026-04-10  3:36 UTC (permalink / raw)
  To: linux-ppp, Andrew Lunn, David S. Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Qingfang Deng, Guillaume Nault,
	Breno Leitao, Kuniyuki Iwashima, Kees Cook,
	Sebastian Andrzej Siewior, Eric Woudstra, Sam Protsenko, netdev,
	linux-kernel
  Cc: Paul Mackerras, Jaco Kroon, James Carlson, Wojciech Drewek,
	Marcin Szycik
In-Reply-To: <20260410033627.93786-1-qingfang.deng@linux.dev>

RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
PFC for PPPoE sessions, and the current PPPoE driver assumes an
uncompressed (2-byte) protocol field. However, the generic PPP layer
function ppp_input() is not aware of the negotiation result, and still
accepts PFC frames.

If a peer with a broken implementation or an attacker sends a frame with
a compressed (1-byte) protocol field, the subsequent PPP payload is
shifted by one byte. This causes the network header to be 4-byte
misaligned, which may trigger unaligned access exceptions on some
architectures.

To reduce the attack surface, drop PPPoE PFC frames. Introduce
ppp_skb_is_compressed_proto() helper function to be used in both
ppp_generic.c and pppoe.c to avoid open-coding.

Fixes: 7fb1b8ca8fa1 ("ppp: Move PFC decompression to PPP generic layer")
Signed-off-by: Qingfang Deng <qingfang.deng@linux.dev>
---
Changes in v4:
 Update Fixes tag as suggested by AI review
 Link to v3: https://lore.kernel.org/r/20260409031107.616630-2-qingfang.deng@linux.dev
Changes in v3:
 Fix kdoc warning
 Link to v2: https://lore.kernel.org/r/20260408024245.312732-1-qingfang.deng@linux.dev

 drivers/net/ppp/ppp_generic.c |  2 +-
 drivers/net/ppp/pppoe.c       |  8 +++++++-
 include/linux/ppp_defs.h      | 16 ++++++++++++++++
 3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index b097d1b38ac9..853da966ad46 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -2242,7 +2242,7 @@ ppp_do_recv(struct ppp *ppp, struct sk_buff *skb, struct channel *pch)
  */
 static void __ppp_decompress_proto(struct sk_buff *skb)
 {
-	if (skb->data[0] & 0x01)
+	if (ppp_skb_is_compressed_proto(skb))
 		*(u8 *)skb_push(skb, 1) = 0x00;
 }
 
diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
index 1ac61c273b28..4cd10c908711 100644
--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -393,7 +393,7 @@ static int pppoe_rcv(struct sk_buff *skb, struct net_device *dev,
 	if (skb_mac_header_len(skb) < ETH_HLEN)
 		goto drop;
 
-	if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr)))
+	if (!pskb_may_pull(skb, PPPOE_SES_HLEN))
 		goto drop;
 
 	ph = pppoe_hdr(skb);
@@ -403,6 +403,12 @@ static int pppoe_rcv(struct sk_buff *skb, struct net_device *dev,
 	if (skb->len < len)
 		goto drop;
 
+	/* skb->data points to the PPP protocol header after skb_pull_rcsum.
+	 * Drop PFC frames.
+	 */
+	if (ppp_skb_is_compressed_proto(skb))
+		goto drop;
+
 	if (pskb_trim_rcsum(skb, len))
 		goto drop;
 
diff --git a/include/linux/ppp_defs.h b/include/linux/ppp_defs.h
index 45c0947fa404..6e9587ce651c 100644
--- a/include/linux/ppp_defs.h
+++ b/include/linux/ppp_defs.h
@@ -8,8 +8,24 @@
 #define _PPP_DEFS_H_
 
 #include <linux/crc-ccitt.h>
+#include <linux/skbuff.h>
 #include <uapi/linux/ppp_defs.h>
 
 #define PPP_FCS(fcs, c) crc_ccitt_byte(fcs, c)
 
+/**
+ * ppp_skb_is_compressed_proto - checks if PPP protocol in a skb is compressed
+ * @skb: skb to check
+ *
+ * Check if the PPP protocol field is compressed (the least significant
+ * bit of the most significant octet is 1). skb->data must point to the PPP
+ * protocol header.
+ *
+ * Return: Whether the PPP protocol field is compressed.
+ */
+static inline bool ppp_skb_is_compressed_proto(const struct sk_buff *skb)
+{
+	return unlikely(skb->data[0] & 0x01);
+}
+
 #endif /* _PPP_DEFS_H_ */
-- 
2.43.0


^ permalink raw reply related

* [PATCH net v4 1/2] flow_dissector: do not dissect PPPoE PFC frames
From: Qingfang Deng @ 2026-04-10  3:36 UTC (permalink / raw)
  To: linux-ppp, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, Simon Horman, Qingfang Deng, Guillaume Nault,
	Wojciech Drewek, Tony Nguyen, linux-kernel, netdev
  Cc: Paul Mackerras, Jaco Kroon, James Carlson, Marcin Szycik

RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
PFC for PPPoE sessions, and the flow dissector driver has assumed an
uncompressed frame until the blamed commit.

During the review process of that commit [1], support for PFC is
suggested. However, having a compressed (1-byte) protocol field means
the subsequent PPP payload is shifted by one byte, causing 4-byte
misalignment for the network header and an unaligned access exception
on some architectures.

The exception can be reproduced by sending a PPPoE PFC frame to an
ethernet interface of a MIPS board, with RPS enabled, even if no PPPoE
session is active on that interface:

$ 0   : 00000000 80c40000 00000000 85144817
$ 4   : 00000008 00000100 80a75758 81dc9bb8
$ 8   : 00000010 8087ae2c 0000003d 00000000
$12   : 000000e0 00000039 00000000 00000000
$16   : 85043240 80a75758 81dc9bb8 00006488
$20   : 0000002f 00000007 85144810 80a70000
$24   : 81d1bda0 00000000
$28   : 81dc8000 81dc9aa8 00000000 805ead08
Hi    : 00009d51
Lo    : 2163358a
epc   : 805e91f0 __skb_flow_dissect+0x1b0/0x1b50
ra    : 805ead08 __skb_get_hash_net+0x74/0x12c
Status: 11000403        KERNEL EXL IE
Cause : 40800010 (ExcCode 04)
BadVA : 85144817
PrId  : 0001992f (MIPS 1004Kc)
Call Trace:
[<805e91f0>] __skb_flow_dissect+0x1b0/0x1b50
[<805ead08>] __skb_get_hash_net+0x74/0x12c
[<805ef330>] get_rps_cpu+0x1b8/0x3fc
[<805fca70>] netif_receive_skb_list_internal+0x324/0x364
[<805fd120>] napi_complete_done+0x68/0x2a4
[<8058de5c>] mtk_napi_rx+0x228/0xfec
[<805fd398>] __napi_poll+0x3c/0x1c4
[<805fd754>] napi_threaded_poll_loop+0x234/0x29c
[<805fd848>] napi_threaded_poll+0x8c/0xb0
[<80053544>] kthread+0x104/0x12c
[<80002bd8>] ret_from_kernel_thread+0x14/0x1c

Code: 02d51821  1060045b  00000000 <8c640000> 3084000f  2c820005  144001a2  00042080  8e220000

To reduce the attack surface and maintain performance, do not process
PPPoE PFC frames. While at it, avoid byte-swapping at runtime, restoring
the original behavior.

[1] https://patch.msgid.link/20220630231016.GA392@debian.home
Fixes: 46126db9c861 ("flow_dissector: Add PPPoE dissectors")
Signed-off-by: Qingfang Deng <qingfang.deng@linux.dev>
---
Changes in v4: no new changes
 Link to v3: https://lore.kernel.org/r/20260409031107.616630-1-qingfang.deng@linux.dev
Changes in v3:
 Make ppp_proto_is_valid() private and fix kdoc warning, avoiding
 gotchas if some out-of-tree modules use this function.
 Link to v1: https://lore.kernel.org/r/20260407045743.174446-1-qingfang.deng@linux.dev

 include/linux/ppp_defs.h  | 13 -------------
 net/core/flow_dissector.c | 39 +++++++++++++++++++++++----------------
 2 files changed, 23 insertions(+), 29 deletions(-)

diff --git a/include/linux/ppp_defs.h b/include/linux/ppp_defs.h
index b7e57fdbd413..45c0947fa404 100644
--- a/include/linux/ppp_defs.h
+++ b/include/linux/ppp_defs.h
@@ -12,17 +12,4 @@
 
 #define PPP_FCS(fcs, c) crc_ccitt_byte(fcs, c)
 
-/**
- * ppp_proto_is_valid - checks if PPP protocol is valid
- * @proto: PPP protocol
- *
- * Assumes proto is not compressed.
- * Protocol is valid if the value is odd and the least significant bit of the
- * most significant octet is 0 (see RFC 1661, section 2).
- */
-static inline bool ppp_proto_is_valid(u16 proto)
-{
-	return !!((proto & 0x0101) == 0x0001);
-}
-
 #endif /* _PPP_DEFS_H_ */
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 1b61bb25ba0e..64b843800370 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -1035,6 +1035,21 @@ static bool is_pppoe_ses_hdr_valid(const struct pppoe_hdr *hdr)
 	return hdr->ver == 1 && hdr->type == 1 && hdr->code == 0;
 }
 
+/**
+ * ppp_proto_is_valid - checks if PPP protocol is valid
+ * @proto: PPP protocol
+ *
+ * Assumes proto is not compressed.
+ * Protocol is valid if the value is odd and the least significant bit of the
+ * most significant octet is 0 (see RFC 1661, section 2).
+ *
+ * Return: Whether the PPP protocol is valid.
+ */
+static bool ppp_proto_is_valid(__be16 proto)
+{
+	return (proto & htons(0x0101)) == htons(0x0001);
+}
+
 /**
  * __skb_flow_dissect - extract the flow_keys struct and return it
  * @net: associated network namespace, derived from @skb if NULL
@@ -1361,7 +1376,7 @@ bool __skb_flow_dissect(const struct net *net,
 			struct pppoe_hdr hdr;
 			__be16 proto;
 		} *hdr, _hdr;
-		u16 ppp_proto;
+		__be16 ppp_proto;
 
 		hdr = __skb_header_pointer(skb, nhoff, sizeof(_hdr), data, hlen, &_hdr);
 		if (!hdr) {
@@ -1374,27 +1389,19 @@ bool __skb_flow_dissect(const struct net *net,
 			break;
 		}
 
-		/* least significant bit of the most significant octet
-		 * indicates if protocol field was compressed
-		 */
-		ppp_proto = ntohs(hdr->proto);
-		if (ppp_proto & 0x0100) {
-			ppp_proto = ppp_proto >> 8;
-			nhoff += PPPOE_SES_HLEN - 1;
-		} else {
-			nhoff += PPPOE_SES_HLEN;
-		}
+		ppp_proto = hdr->proto;
+		nhoff += PPPOE_SES_HLEN;
 
-		if (ppp_proto == PPP_IP) {
+		if (ppp_proto == htons(PPP_IP)) {
 			proto = htons(ETH_P_IP);
 			fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
-		} else if (ppp_proto == PPP_IPV6) {
+		} else if (ppp_proto == htons(PPP_IPV6)) {
 			proto = htons(ETH_P_IPV6);
 			fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
-		} else if (ppp_proto == PPP_MPLS_UC) {
+		} else if (ppp_proto == htons(PPP_MPLS_UC)) {
 			proto = htons(ETH_P_MPLS_UC);
 			fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
-		} else if (ppp_proto == PPP_MPLS_MC) {
+		} else if (ppp_proto == htons(PPP_MPLS_MC)) {
 			proto = htons(ETH_P_MPLS_MC);
 			fdret = FLOW_DISSECT_RET_PROTO_AGAIN;
 		} else if (ppp_proto_is_valid(ppp_proto)) {
@@ -1412,7 +1419,7 @@ bool __skb_flow_dissect(const struct net *net,
 							      FLOW_DISSECTOR_KEY_PPPOE,
 							      target_container);
 			key_pppoe->session_id = hdr->hdr.sid;
-			key_pppoe->ppp_proto = htons(ppp_proto);
+			key_pppoe->ppp_proto = ppp_proto;
 			key_pppoe->type = htons(ETH_P_PPP_SES);
 		}
 		break;
-- 
2.43.0


^ permalink raw reply related

* Re: [PATCH net v3 0/3] net: bcmgenet: fix queue lock up
From: patchwork-bot+netdevbpf @ 2026-04-10  3:40 UTC (permalink / raw)
  To: Justin Chen
  Cc: netdev, pabeni, kuba, edumazet, davem, andrew+netdev,
	bcm-kernel-feedback-list, florian.fainelli, opendmb, nb
In-Reply-To: <20260406175756.134567-1-justin.chen@broadcom.com>

Hello:

This series was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Mon,  6 Apr 2026 10:57:53 -0700 you wrote:
> We have been seeing reports of logs like this.
> # [   39.713199] bcmgenet 1001300000.ethernet eth0: NETDEV WATCHDOG: CPU: 0: transmit queue 2 timed out 7991 ms
> [   41.761198] bcmgenet 1001300000.ethernet eth0: NETDEV WATCHDOG: CPU: 0: transmit queue 2 timed out 10039 ms
> [   43.745198] bcmgenet 1001300000.ethernet eth0: NETDEV WATCHDOG: CPU: 0: transmit queue 2 timed out 12023 ms
> [   45.729198] bcmgenet 1001300000.ethernet eth0: NETDEV WATCHDOG: CPU: 0: transmit queue 2 timed out 14007 ms
> 
> We have two issues. The persistent queue timeouts and the eventual lock up of the entire transmit.
> 
> [...]

Here is the summary with links:
  - [net,v3,1/3] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
    https://git.kernel.org/netdev/net/c/57f3f53d2c9c
  - [net,v3,2/3] net: bcmgenet: fix leaking free_bds
    https://git.kernel.org/netdev/net/c/3f3168300efb
  - [net,v3,3/3] net: bcmgenet: fix racing timeout handler
    https://git.kernel.org/netdev/net/c/5393b2b5bee2

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* Re: [PATCH net v3] net: airoha: Add dma_rmb() and READ_ONCE() in airoha_qdma_rx_process()
From: patchwork-bot+netdevbpf @ 2026-04-10  3:40 UTC (permalink / raw)
  To: Lorenzo Bianconi
  Cc: andrew+netdev, davem, edumazet, kuba, pabeni, xuegang.lu, horms,
	linux-arm-kernel, linux-mediatek, netdev
In-Reply-To: <20260407-airoha_qdma_rx_process-fix-reordering-v3-1-91c36e9da31f@kernel.org>

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Tue, 07 Apr 2026 08:48:04 +0200 you wrote:
> Add missing dma_rmb() in airoha_qdma_rx_process routine to make sure the
> DMA read operations are completed when the NIC reports the processing on
> the current descriptor is done. Moreover, add missing READ_ONCE() in
> airoha_qdma_rx_process() for DMA descriptor control fields in order to
> avoid any compiler reordering.
> 
> Fixes: 23020f0493270 ("net: airoha: Introduce ethernet support for EN7581 SoC")
> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
> 
> [...]

Here is the summary with links:
  - [net,v3] net: airoha: Add dma_rmb() and READ_ONCE() in airoha_qdma_rx_process()
    https://git.kernel.org/netdev/net/c/4ae0604a0673

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* Re: [PATCH net] eth: fbnic: Use wake instead of start
From: patchwork-bot+netdevbpf @ 2026-04-10  3:40 UTC (permalink / raw)
  To: Mohsin Bashir
  Cc: netdev, alexanderduyck, alok.a.tiwari, andrew+netdev, davem,
	dg573847474, edumazet, horms, jacob.e.keller, kernel-team, kuba,
	lee, linux-kernel, pabeni
In-Reply-To: <20260408002415.2963915-1-mohsin.bashr@gmail.com>

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Tue,  7 Apr 2026 17:24:15 -0700 you wrote:
> From: Mohsin Bashir <hmohsin@meta.com>
> 
> fbnic_up() calls netif_tx_start_all_queues(), which only clears
> __QUEUE_STATE_DRV_XOFF.  If qdisc backlog has accumulated on any TX
> queue before the reconfiguration (e.g. ring resize via ethtool -G),
> start does not call __netif_schedule() to kick the qdisc, so the
> pending backlog is never drained and the queue stalls.
> 
> [...]

Here is the summary with links:
  - [net] eth: fbnic: Use wake instead of start
    https://git.kernel.org/netdev/net/c/12ff2a4aee6c

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* Re: [PATCH net v2] net: txgbe: fix RTNL assertion warning when remove module
From: patchwork-bot+netdevbpf @ 2026-04-10  3:40 UTC (permalink / raw)
  To: Jiawen Wu
  Cc: netdev, linux, andrew+netdev, davem, edumazet, kuba, pabeni,
	horms, mengyuanlou, stable
In-Reply-To: <8B47A5872884147D+20260407094041.4646-1-jiawenwu@trustnetic.com>

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Tue,  7 Apr 2026 17:40:41 +0800 you wrote:
> For the copper NIC with external PHY, the driver called
> phylink_connect_phy() during probe and phylink_disconnect_phy() during
> remove. It caused an RTNL assertion warning in phylink_disconnect_phy()
> upon module remove.
> 
> To fix this, add rtnl_lock() and rtnl_unlock() around the
> phylink_disconnect_phy() in remove function.
> 
> [...]

Here is the summary with links:
  - [net,v2] net: txgbe: fix RTNL assertion warning when remove module
    https://git.kernel.org/netdev/net/c/e159f05e12cc

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* Re: [PATCH net-next] net: macb: Use napi_schedule_irqoff() in IRQ handler
From: patchwork-bot+netdevbpf @ 2026-04-10  3:40 UTC (permalink / raw)
  To: Kevin Hao
  Cc: nicolas.ferre, claudiu.beznea, andrew+netdev, davem, edumazet,
	kuba, pabeni, bigeasy, clrkwllms, rostedt, netdev, linux-rt-devel
In-Reply-To: <20260407-macb-napi-irqoff-v1-1-61bec60047d7@gmail.com>

Hello:

This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Tue, 07 Apr 2026 08:45:39 +0800 you wrote:
> For non-PREEMPT_RT kernels, the IRQ handler runs with interrupts
> disabled, allowing the use of napi_schedule_irqoff() to save a pair of
> local_irq_{save,restore} operations. For PREEMPT_RT kernels,
> napi_schedule_irqoff() behaves identically to napi_schedule().
> 
> Signed-off-by: Kevin Hao <haokexin@gmail.com>
> 
> [...]

Here is the summary with links:
  - [net-next] net: macb: Use napi_schedule_irqoff() in IRQ handler
    https://git.kernel.org/netdev/net-next/c/a17d3c3d0cb2

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* Re: [PATCH v2 net-next] ipv6: sit: remove redundant ret = 0 assignment
From: patchwork-bot+netdevbpf @ 2026-04-10  3:40 UTC (permalink / raw)
  To: Yue Haibing
  Cc: davem, dsahern, edumazet, kuba, pabeni, horms, netdev,
	linux-kernel
In-Reply-To: <20260408032051.3096449-1-yuehaibing@huawei.com>

Hello:

This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 8 Apr 2026 11:20:51 +0800 you wrote:
> The variable ret is assigned a value at all places where it is used;
> There is no need to assign a value when it is initially defined.
> 
> Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
> ---
> v2: Remove redundant init during definition instead of init before copy_to_user
> 
> [...]

Here is the summary with links:
  - [v2,net-next] ipv6: sit: remove redundant ret = 0 assignment
    https://git.kernel.org/netdev/net-next/c/3c6132ccc58e

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* Re: [PATCH net-next] selftests: net: py: explicitly forbid multiple ksft_run() calls
From: patchwork-bot+netdevbpf @ 2026-04-10  3:40 UTC (permalink / raw)
  To: Jakub Kicinski
  Cc: davem, netdev, edumazet, pabeni, andrew+netdev, horms, shuah,
	petrm, willemb, linux-kselftest
In-Reply-To: <20260408221952.819822-1-kuba@kernel.org>

Hello:

This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed,  8 Apr 2026 15:19:52 -0700 you wrote:
> People (do people still write code or is it all AI?) seem to not
> get that ksft_run() can only be called once. If we call it
> multiple times KTAP parsers will likely cut off after the first
> batch has finished.
> 
> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
> 
> [...]

Here is the summary with links:
  - [net-next] selftests: net: py: explicitly forbid multiple ksft_run() calls
    https://git.kernel.org/netdev/net-next/c/3d2c3d2eea9a

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* Re: [PATCH net-next v6 00/14] net: sleepable ndo_set_rx_mode
From: Jakub Kicinski @ 2026-04-10  3:44 UTC (permalink / raw)
  To: Stanislav Fomichev; +Cc: netdev, davem, edumazet, pabeni
In-Reply-To: <20260407153101.3694714-1-sdf@fomichev.me>

On Tue,  7 Apr 2026 08:30:47 -0700 Stanislav Fomichev wrote:
> This series adds a new ndo_set_rx_mode_async callback that enables
> drivers to handle address list updates in a sleepable context. The
> current ndo_set_rx_mode is called under the netif_addr_lock spinlock
> with BHs disabled, which prevents drivers from sleeping. This is
> problematic for ops-locked drivers that need to sleep.

I merged the queue leasing, now netkit warns :(

^ permalink raw reply

* [PATCH net-next] net: skb: clean up dead code after skb_kfree_head() simplification
From: Jiayuan Chen @ 2026-04-10  3:47 UTC (permalink / raw)
  To: netdev
  Cc: Jiayuan Chen, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, Simon Horman, Jason Xing, Kuniyuki Iwashima,
	Michal Luczaj, Mina Almasry, Eric Biggers,
	Toke Høiland-Jørgensen, linux-kernel

Since commit 0f42e3f4fe2a ("net: skb: fix cross-cache free of
KFENCE-allocated skb head"), skb_kfree_head() always calls kfree()
and no longer uses end_offset to distinguish between skb_small_head_cache
and generic kmalloc caches.

Clean up the leftovers:

- Remove the unused end_offset parameter from skb_kfree_head() and
  update all callers.
- Remove the SKB_SMALL_HEAD_HEADROOM guard in __skb_unclone_keeptruesize()
  which was protecting the old skb_kfree_head() logic.
- Update the SKB_SMALL_HEAD_CACHE_SIZE comment to reflect that the
  non-power-of-2 sizing is no longer used for free-path disambiguation.

No functional change.

Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
---
 net/core/skbuff.c | 33 +++++++++------------------------
 1 file changed, 9 insertions(+), 24 deletions(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index e50f2d4867c1..c5441154795c 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -106,10 +106,9 @@ static struct kmem_cache *skbuff_ext_cache __ro_after_init;
 #define SKB_SMALL_HEAD_SIZE SKB_HEAD_ALIGN(max(MAX_TCP_HEADER, \
 					       GRO_MAX_HEAD_PAD))
 
-/* We want SKB_SMALL_HEAD_CACHE_SIZE to not be a power of two.
- * This should ensure that SKB_SMALL_HEAD_HEADROOM is a unique
- * size, and we can differentiate heads from skb_small_head_cache
- * vs system slabs by looking at their size (skb_end_offset()).
+/* SKB_SMALL_HEAD_CACHE_SIZE is the size used for the skbuff_small_head
+ * kmem_cache. The non-power-of-2 padding is kept for historical reasons and
+ * to avoid potential collisions with generic kmalloc bucket sizes.
  */
 #define SKB_SMALL_HEAD_CACHE_SIZE					\
 	(is_power_of_2(SKB_SMALL_HEAD_SIZE) ?			\
@@ -1071,7 +1070,7 @@ static int skb_pp_frag_ref(struct sk_buff *skb)
 	return 0;
 }
 
-static void skb_kfree_head(void *head, unsigned int end_offset)
+static void skb_kfree_head(void *head)
 {
 	kfree(head);
 }
@@ -1085,7 +1084,7 @@ static void skb_free_head(struct sk_buff *skb)
 			return;
 		skb_free_frag(head);
 	} else {
-		skb_kfree_head(head, skb_end_offset(skb));
+		skb_kfree_head(head);
 	}
 }
 
@@ -2361,7 +2360,7 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
 	return 0;
 
 nofrags:
-	skb_kfree_head(data, size);
+	skb_kfree_head(data);
 nodata:
 	return -ENOMEM;
 }
@@ -2407,20 +2406,6 @@ int __skb_unclone_keeptruesize(struct sk_buff *skb, gfp_t pri)
 	if (likely(skb_end_offset(skb) == saved_end_offset))
 		return 0;
 
-	/* We can not change skb->end if the original or new value
-	 * is SKB_SMALL_HEAD_HEADROOM, as it might break skb_kfree_head().
-	 */
-	if (saved_end_offset == SKB_SMALL_HEAD_HEADROOM ||
-	    skb_end_offset(skb) == SKB_SMALL_HEAD_HEADROOM) {
-		/* We think this path should not be taken.
-		 * Add a temporary trace to warn us just in case.
-		 */
-		pr_err_once("__skb_unclone_keeptruesize() skb_end_offset() %u -> %u\n",
-			    saved_end_offset, skb_end_offset(skb));
-		WARN_ON_ONCE(1);
-		return 0;
-	}
-
 	shinfo = skb_shinfo(skb);
 
 	/* We are about to change back skb->end,
@@ -6815,7 +6800,7 @@ static int pskb_carve_inside_header(struct sk_buff *skb, const u32 off,
 	if (skb_cloned(skb)) {
 		/* drop the old head gracefully */
 		if (skb_orphan_frags(skb, gfp_mask)) {
-			skb_kfree_head(data, size);
+			skb_kfree_head(data);
 			return -ENOMEM;
 		}
 		for (i = 0; i < skb_shinfo(skb)->nr_frags; i++)
@@ -6922,7 +6907,7 @@ static int pskb_carve_inside_nonlinear(struct sk_buff *skb, const u32 off,
 	memcpy((struct skb_shared_info *)(data + size),
 	       skb_shinfo(skb), offsetof(struct skb_shared_info, frags[0]));
 	if (skb_orphan_frags(skb, gfp_mask)) {
-		skb_kfree_head(data, size);
+		skb_kfree_head(data);
 		return -ENOMEM;
 	}
 	shinfo = (struct skb_shared_info *)(data + size);
@@ -6958,7 +6943,7 @@ static int pskb_carve_inside_nonlinear(struct sk_buff *skb, const u32 off,
 		/* skb_frag_unref() is not needed here as shinfo->nr_frags = 0. */
 		if (skb_has_frag_list(skb))
 			kfree_skb_list(skb_shinfo(skb)->frag_list);
-		skb_kfree_head(data, size);
+		skb_kfree_head(data);
 		return -ENOMEM;
 	}
 	skb_release_data(skb, SKB_CONSUMED);
-- 
2.43.0


^ permalink raw reply related

* Re: [PATCH net-next] tools: ynl: tests: fix leading space on Makefile target
From: patchwork-bot+netdevbpf @ 2026-04-10  3:50 UTC (permalink / raw)
  To: Hangbin Liu
  Cc: donald.hunter, kuba, davem, edumazet, pabeni, horms, netdev,
	linux-kernel
In-Reply-To: <20260408-ynl_makefile-v1-1-f9624acc2ad9@gmail.com>

Hello:

This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 08 Apr 2026 15:19:05 +0800 you wrote:
> The ../generated/protos.a rule had a spurious leading space before the
> target name. In make, target rules must start at column 0; only recipe
> lines are indented with a tab. The extra space caused make to misparse
> the rule.
> 
> Remove the leading space to match the style of the adjacent
> ../lib/ynl.a rule.
> 
> [...]

Here is the summary with links:
  - [net-next] tools: ynl: tests: fix leading space on Makefile target
    https://git.kernel.org/netdev/net-next/c/42f9b4c6ef19

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* [PATCH v2] selftests: vsock: avoid races creating Unix socket paths
From: Cao Ruichuang @ 2026-04-10  3:52 UTC (permalink / raw)
  To: stefano.garzarella
  Cc: sgarzare, shuah, virtualization, netdev, linux-kselftest,
	linux-kernel, horms, Cao Ruichuang
In-Reply-To: <20260405195733.86043-1-create0818@163.com>

Signed-off-by: Cao Ruichuang <create0818@163.com>
---
v2:
- retitle the patch to describe the race being fixed
- replace rm -rf with explicit rm and rmdir cleanup

 tools/testing/selftests/vsock/vmtest.sh | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/tools/testing/selftests/vsock/vmtest.sh b/tools/testing/selftests/vsock/vmtest.sh
index 86e338886b3..c345fa539d3 100755
--- a/tools/testing/selftests/vsock/vmtest.sh
+++ b/tools/testing/selftests/vsock/vmtest.sh
@@ -718,6 +718,7 @@ test_ns_diff_global_host_connect_to_global_vm_ok() {
 	local pids pid pidfile
 	local ns0 ns1 port
 	declare -a pids
+	local unixdir
 	local unixfile
 	ns0="global0"
 	ns1="global1"
@@ -736,7 +737,8 @@ test_ns_diff_global_host_connect_to_global_vm_ok() {
 	oops_before=$(vm_dmesg_oops_count "${ns0}")
 	warn_before=$(vm_dmesg_warn_count "${ns0}")
 
-	unixfile=$(mktemp -u /tmp/XXXX.sock)
+	unixdir=$(mktemp -d /tmp/vsock_vmtest_XXXXXX)
+	unixfile="${unixdir}/sock"
 	ip netns exec "${ns1}" \
 		socat TCP-LISTEN:"${TEST_HOST_PORT}",fork \
 			UNIX-CONNECT:"${unixfile}" &
@@ -758,6 +760,8 @@ test_ns_diff_global_host_connect_to_global_vm_ok() {
 
 	terminate_pids "${pids[@]}"
 	terminate_pidfiles "${pidfile}"
+	rm "${unixfile}"
+	rmdir "${unixdir}"
 
 	if [[ "${rc}" -ne 0 ]] || [[ "${dmesg_rc}" -ne 0 ]]; then
 		return "${KSFT_FAIL}"
@@ -814,6 +818,7 @@ test_ns_diff_global_vm_connect_to_global_host_ok() {
 	local ns0="global0"
 	local ns1="global1"
 	local port=12345
+	local unixdir
 	local unixfile
 	local dmesg_rc
 	local pidfile
@@ -826,7 +831,8 @@ test_ns_diff_global_vm_connect_to_global_host_ok() {
 
 	log_host "Setup socat bridge from ns ${ns0} to ns ${ns1} over port ${port}"
 
-	unixfile=$(mktemp -u /tmp/XXXX.sock)
+	unixdir=$(mktemp -d /tmp/vsock_vmtest_XXXXXX)
+	unixfile="${unixdir}/sock"
 
 	ip netns exec "${ns0}" \
 		socat TCP-LISTEN:"${port}" UNIX-CONNECT:"${unixfile}" &
@@ -845,7 +851,8 @@ test_ns_diff_global_vm_connect_to_global_host_ok() {
 	if ! vm_start "${pidfile}" "${ns0}"; then
 		log_host "failed to start vm (cid=${cid}, ns=${ns0})"
 		terminate_pids "${pids[@]}"
-		rm -f "${unixfile}"
+		rm "${unixfile}"
+		rmdir "${unixdir}"
 		return "${KSFT_FAIL}"
 	fi
 
@@ -862,7 +869,8 @@ test_ns_diff_global_vm_connect_to_global_host_ok() {
 
 	terminate_pidfiles "${pidfile}"
 	terminate_pids "${pids[@]}"
-	rm -f "${unixfile}"
+	rm "${unixfile}"
+	rmdir "${unixdir}"
 
 	if [[ "${rc}" -ne 0 ]] || [[ "${dmesg_rc}" -ne 0 ]]; then
 		return "${KSFT_FAIL}"
-- 
2.39.5 (Apple Git-154)


^ permalink raw reply related

* Re: [PATCH net v2] net: netrom: fix lock order inversion in nr_add_node, nr_del_node and nr_dec_obs
From: Mashiro Chen @ 2026-04-10  5:04 UTC (permalink / raw)
  To: Jakub Kicinski
  Cc: netdev, linux-hams, davem, edumazet, pabeni, horms, linux-kernel,
	syzbot+6eb7834837cf6a8db75b
In-Reply-To: <20260409195436.3d021e7f@kernel.org>

On Mon, 6 Apr 2026 Jakub Kicinski wrote:
 > Can we please merge nr_node_list_lock and nr_neigh_list_lock
 > into one instead?

This makes more sense, thanks for the suggestion.
I'll rework the patch to merge the two locks into one and
repost next week.

On 4/10/26 10:54, Jakub Kicinski wrote:
> On Mon,  6 Apr 2026 19:49:04 +0800 Mashiro Chen wrote:
>> nr_del_node() and nr_dec_obs() acquire nr_node_list_lock first, then
>> call nr_remove_neigh() which internally acquires nr_neigh_list_lock.
>> nr_add_node() acquires node_lock first, then calls nr_remove_neigh()
>> which acquires nr_neigh_list_lock.
> Can we please merge nr_node_list_lock and nr_neigh_list_lock
> into one instead?
>
> Lets try to simplify this code as much as possible.
> It's a maintenance nightmare and has fewer users than syzbot reports
> (i'm not joking).

^ permalink raw reply

* Re: [PATCH net v3] net: rose: defer rose_neigh cleanup to workqueue to fix UAF
From: Mashiro Chen @ 2026-04-10  5:08 UTC (permalink / raw)
  To: Jakub Kicinski
  Cc: netdev, linux-hams, davem, edumazet, pabeni, horms, linux-kernel,
	syzbot+abd2b69348e2d9b107a1
In-Reply-To: <20260409194957.5465e98b@kernel.org>

On Tue, 7 Apr 2026 Jakub Kicinski wrote:
 > What if ROSE is built as a module and gets unloaded?
 > Please don't post the next version until next week

Got it, I will not post any patches until next week.

I've never thought about the module unload path, this is
the point I missed in my previous patch. I will deep analysis
if the timers are properly stopped before the module is
removed. I will address this in v4 next week.

Sorry for low quality and  simple analysis without auditing.

73s,
Mashiro Chen

On 4/10/26 10:49, Jakub Kicinski wrote:
> On Tue,  7 Apr 2026 01:01:25 +0800 Mashiro Chen wrote:
>> rose_neigh_put() frees the rose_neigh object when the reference count
>> reaches zero, but does not stop the t0timer and ftimer beforehand.
>> If a timer has been scheduled and fires after the object is freed,
>> the callback will access already-freed memory, leading to a
>> use-after-free.
> What if ROSE is built as a module and gets unloaded?
>
> Please don't post the next version until next week, we're drowning in
> these AI generated patches.

^ permalink raw reply


This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox