Netdev List
* Re: [PATCH 1/1] tipc: fix double-free in tipc_buf_append()
From: Lee Jones @ 2026-04-21 12:28 UTC (permalink / raw)
  To: Tung Quang Nguyen
  Cc: Jon Maloy, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, Simon Horman, netdev@vger.kernel.org,
	tipc-discussion@lists.sourceforge.net,
	linux-kernel@vger.kernel.org
In-Reply-To: <GV1P189MB198888D44169106BFB04359BC62C2@GV1P189MB1988.EURP189.PROD.OUTLOOK.COM>

On Tue, 21 Apr 2026, Tung Quang Nguyen wrote:

> >Subject: Re: [PATCH 1/1] tipc: fix double-free in tipc_buf_append()
> >
> >On Mon, 20 Apr 2026, Lee Jones wrote:
> >
> >> On Mon, 20 Apr 2026, Tung Quang Nguyen wrote:
> >>
> >> > >> Subject: [PATCH 1/1] tipc: fix double-free in tipc_buf_append()
> >> > >> >
> >> > >> >The tipc_msg_validate() function can potentially reallocate the
> >> > >> >skb it is validating, freeing the old one.  In
> >> > >> >tipc_buf_append(), it was being called with a pointer to a local
> >> > >> >variable which was a copy of the caller's skb pointer.
> >> > >> >
> >> > >> >If the skb was reallocated and validation subsequently failed,
> >> > >> >the error handling path would free the original skb pointer,
> >> > >> >which had already been freed, leading to double-free.
> >> > >> >
> >> > >> >Fix this by passing the caller's skb pointer-pointer directly to
> >> > >> >tipc_msg_validate(), ensuring any modification is reflected correctly.
> >> > >> >The local skb pointer is then updated from the (possibly
> >> > >> >modified) caller's pointer.
> >> > >> >
> >> > >> >Fixes: d618d09a68e4 ("tipc: enforce valid ratio between skb truesize and contents")
> >> > >> >Assisted-by: Gemini:gemini-3.1-pro-preview
> >> > >> >Signed-off-by: Lee Jones <lee@kernel.org>
> >> > >> >---
> >> > >> > net/tipc/msg.c | 3 ++-
> >> > >> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >> > >> >
> >> > >> >diff --git a/net/tipc/msg.c b/net/tipc/msg.c index
> >> > >> >76284fc538eb..9f4f612ee027
> >> > >> >100644
> >> > >> >--- a/net/tipc/msg.c
> >> > >> >+++ b/net/tipc/msg.c
> >> > >> >@@ -177,8 +177,9 @@ int tipc_buf_append(struct sk_buff
> >> > >> >**headbuf, struct sk_buff **buf)
> >> > >> >
> >> > >> > 	if (fragid == LAST_FRAGMENT) {
> >> > >> > 		TIPC_SKB_CB(head)->validated = 0;
> >> > >> >-		if (unlikely(!tipc_msg_validate(&head)))
> >> > >> >+		if (unlikely(!tipc_msg_validate(headbuf)))
> >> > >> > 			goto err;
> >> > >> >+		head = *headbuf;
> >> > >> This is a known issue and was reported via
> >> > >> https://patchwork.kernel.org/project/netdevbpf/patch/20260330205313.2433372-1-nicholas@carlini.com/
> >> > >> The author did not respond to my comment.
> >> > >> Can you improve the fix by applying my patch?
> >> > >
> >> > >I'd be happy to make any required changes.
> >> > >
> >> > >However, is this approach superior to simply passing a reference?
> >> > >
> >> > >v1 appears to be simpler, easier to read and avoids the explanation.
> >> > >
> >> > As I explained, your fix adds extra overhead to normal path while the error
> >> > path is corner case and it rarely happens.
> >> > Whatever approach is applied, we need to add explanation to understand
> >> > more easily the logic and hidden trick in tipc_msg_validate().
> >>
> >> Very well.  I have made the recommended changes.
> >>
> >> The patch is currently in my build-test environment.
> >>
> >> I will post v2, when everything has been satisfied.
> >
> >Okay, I genuinely tried to apply your patch.  It builds just fine, but Gemini (the
> >AI I use to pre-review patches before submission) has some doubts that this is
> >the correct approach:
> >
> >> @@ -177,8 +177,20 @@ int tipc_buf_append(struct sk_buff **headbuf,
> >> struct sk_buff **buf)
> >>
> >>       if (fragid == LAST_FRAGMENT) {
> >>               TIPC_SKB_CB(head)->validated = 0;
> >> -             if (unlikely(!tipc_msg_validate(&head)))
> >> +
> >> +             /* If the reassembled skb has been freed in
> >> +              * tipc_msg_validate() because of an invalid truesize,
> >> +              * then head will point to a newly allocated reassembled
> >> +              * skb, while *headbuf points to freed reassembled skb.
> >> +              * In such cases, correct *headbuf for freeing the newly
> >> +              * allocated reassembled skb later.
> >> +              *
> >> +              * Note: It's done this way instead of passing &head          // I added
> >this part to give
> >> +              * to avoid slowing down the happy path since this failure    // the
> >reviewer some additoinal
> >> +              * is a rare event.                                           // context
> >> +              */
> >> +             if (unlikely(!tipc_msg_validate(headbuf))) {
> You did NOT apply my patch correctly. I did not suggest passing headbuf to tipc_msg_validate().

Ah, you're right.  I missed that line change.

Let me revisit.  Bear with.

> My patch is very simple:
> +               if (unlikely(!tipc_msg_validate(&head))) {
> +                       /* reassembled skb has been freed in
> +                        * tipc_msg_validate() because of invalid truesize.
> +                        * head now points to newly-allocated reassembled skb
> +                        * while *headbuf points to freed reassembled skb.
> +                        * So, correct *headbuf for freeing newly-allocated
> +                        * reassembled skb later.
> +                        */
> +                       if (head != *headbuf)
> +                               *headbuf = head;
> +
>                         goto err;
> +               }
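
Review bot: the comment inside the failure branch reads as if every
validation failure means the skb was reallocated, while the
`if (head != *headbuf)` test below it exists because that is only
sometimes the case. Word it conditionally ("If tipc_msg_validate()
reallocated the skb, head points to the new one and *headbuf to the
freed one"). The guard itself can go: an unconditional
`*headbuf = head;` has the same effect on both paths.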

-- 
Lee Jones [李琼斯]

^ permalink raw reply
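
Added example, not part of the thread or of the kernel source: a userspace C model of the pointer handling discussed above, covering the original call, the v1 fix (pass headbuf), the fix-up-on-error variant, and the mixed form that combines both. struct buf, buf_validate() and append_last() are constructed stand-ins for the skb, tipc_msg_validate() and the last-fragment step of tipc_buf_append(); that the error path frees *headbuf is an assumption taken from the commit message.

```c
/* Userspace model of the ownership bug in this thread (constructed example,
 * not kernel code). struct buf stands in for an skb, buf_validate() for
 * tipc_msg_validate(), append_last() for the LAST_FRAGMENT step. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct buf {
	int  frees;       /* times buf_free() hit this slot; more than 1 is a double free */
	bool in_use;
	bool oversized;   /* forces buf_validate() to reallocate */
	bool bad_header;  /* makes validation fail */
};

static struct buf pool[4];    /* static slots: a double free is counted, not UB */
static size_t pool_next;

static struct buf *buf_alloc(bool oversized, bool bad_header)
{
	struct buf *b = &pool[pool_next++];
	b->frees = 0;
	b->in_use = true;
	b->oversized = oversized;
	b->bad_header = bad_header;
	return b;
}

static void buf_free(struct buf *b)
{
	if (b) {
		b->frees++;
		b->in_use = false;
	}
}

/* May free *pb and replace it with a copy before validating the header. */
static bool buf_validate(struct buf **pb)
{
	if ((*pb)->oversized) {
		struct buf *copy = buf_alloc(false, (*pb)->bad_header);
		buf_free(*pb);
		*pb = copy;
	}
	return !(*pb)->bad_header;
}

enum variant { ORIGINAL, PASS_HEADBUF, FIXUP_ON_ERROR, MIXED };

/* Assumption from the commit message: the error path frees *headbuf.
 * Returns the delivered buffer, or NULL when validation failed. */
static struct buf *append_last(struct buf **headbuf, enum variant v)
{
	struct buf *head = *headbuf;
	bool ok;
	if (v == ORIGINAL || v == FIXUP_ON_ERROR)
		ok = buf_validate(&head);    /* only the local copy is updated */
	else
		ok = buf_validate(headbuf);  /* the caller's pointer is updated */

	if (!ok) {
		if ((v == FIXUP_ON_ERROR || v == MIXED) && head != *headbuf)
			*headbuf = head;     /* right after &head, stale after headbuf */
		buf_free(*headbuf);
		*headbuf = NULL;
		return NULL;
	}
	if (v == PASS_HEADBUF || v == MIXED)
		head = *headbuf;             /* for MIXED this reload is an assumption */
	*headbuf = NULL;
	return head;
}

struct outcome { int double_frees; int leaked; };

static struct outcome run_case(enum variant v, bool oversized, bool bad_header)
{
	struct outcome o = { 0, 0 };
	struct buf *caller_head;
	memset(pool, 0, sizeof(pool));
	pool_next = 0;
	caller_head = buf_alloc(oversized, bad_header);
	buf_free(append_last(&caller_head, v));  /* consumer frees what it is handed */
	for (size_t i = 0; i < pool_next; i++) {
		o.double_frees += pool[i].frees > 1;
		o.leaked += pool[i].in_use;
	}
	return o;
}

int main(void)
{
	for (int v = ORIGINAL; v <= MIXED; v++) {
		struct outcome o = run_case((enum variant)v, true, true);
		printf("variant %d: double_frees=%d leaked=%d\n", v, o.double_frees, o.leaked);
	}
	return 0;
}
```

In the model, the original and mixed variants both free the old buffer twice and never free the replacement; the two single-approach fixes free each buffer exactly once.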

* Re: [PATCH v4 net] net: ax25: fix integer overflow in ax25_rx_fragment()
From: Andrew Lunn @ 2026-04-21 12:25 UTC (permalink / raw)
  To: hugh
  Cc: Paolo Abeni, Mashiro Chen, netdev, linux-hams, kuba, horms, davem,
	edumazet, Greg KH
In-Reply-To: <e2a47378-9008-45a2-92e3-d1f374b5e766@blemings.org>

On Tue, Apr 21, 2026 at 06:45:39PM +1000, Hugh Blemings wrote:
> Hi Paolo, All,
> 
> On 21/4/2026 17:29, Paolo Abeni wrote:
> > On 4/13/26 10:49 PM, Mashiro Chen wrote:
> > > ax25_rx_fragment() accumulates fragment lengths into ax25_cb->fraglen,
> > > which is an unsigned short. When the total exceeds 65535, fraglen wraps
> > > around to a small value. The subsequent alloc_skb(fraglen) allocates a
> > > too-small buffer, and skb_put() in the copy loop triggers skb_over_panic().
> > > 
> > > Add pskb_may_pull(skb, 1) at function entry to ensure the segmentation
> > > header byte is in the linear data area before dereferencing skb->data.
> > > This also rejects zero-length skbs, which the original code did not
> > > check for.
> > > 
> > > Two issues in the overflow error path are also fixed:
> > > First, the current skb, after skb_pull(skb, 1), is neither enqueued
> > > nor freed before returning 1, leaking it. Add kfree_skb(skb) before
> > > the return.
> > > Second, ax25->fraglen is not reset after skb_queue_purge(). Add
> > > ax25->fraglen = 0 to restore a consistent state.
> > > 
> > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > > Signed-off-by: Mashiro Chen <mashiro.chen@mailbox.org>
> > we are moving ax25 out of tree:
> > 
> > https://lore.kernel.org/netdev/20260421021824.1293976-1-kuba@kernel.org/
> > 
> > please hold off until Thursday (after that our net PR will land into
> > mainline), and eventually resend if the code still exists in Linus's
> > tree at that point.
> 
> Is there any flexibility here ?
> 
> Jakub's (CC'd) patches to remove unfortunately weren't cross posted to
> linux-hams and so I'm not able to directly reply in netdev
> 
> We've had a thread ongoing in linux-hams around the future of
> AX25/ROSE/NETROM for the last week or so and believe we've a path towards an
> orderly exit from the mainline tree, probably towards a userspace
> implementation. This includes a couple of folks who have indicated they
> would be open to overseeing the maintenance of the code in the meantime.
> 
> We'd hoped to have a period of a few months to do an orderly exit from the
> tree to minimise the impact on the (admittedly small, but non-zero) users
> that build trees/make use of the in kernel support.
> 
> Apologies for my lack of familiarity with the process here to deprecate etc.

I know it is short notice, but there is a conference call today. Jakub
sent this yesterday:

  The bi-weekly call is scheduled for tomorrow at 8:30 am (PT) /
  5:30 pm (~EU), at https://bbb.lwn.net/rooms/ldm-chf-zxx-we7/join

  I'd like to discuss evolution of the process which would prepare
  us for the "AI age" (read: influx of plausibly looking yet entirely
  computer generated patches).

	Andrew

^ permalink raw reply
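
Added example, not code from the patch or the kernel: a C model of the 16-bit fragment-length accumulation described in the quoted commit message, showing the wrapped allocation size next to a checked add that rejects the fragment and resets state. struct reasm and the fragment counts and sizes are constructed for illustration.

```c
/* Model of a 16-bit reassembly length counter (constructed example,
 * not the ax25 code). Fragment counts and sizes used with it are made up. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct reasm {
	uint16_t fraglen;   /* running total, 16 bits wide as in the commit message */
	size_t   queued;    /* bytes really held in the fragment queue */
};

/* Unchecked accumulation: the total silently wraps modulo 65536. */
static void frag_add_unchecked(struct reasm *r, uint16_t len)
{
	r->fraglen = (uint16_t)(r->fraglen + len);
	r->queued += len;
}

/* Checked accumulation: refuse a fragment that would not fit and leave the
 * state consistent (queue dropped, counter reset), which is what the patch
 * description asks of the error path. */
static bool frag_add_checked(struct reasm *r, uint16_t len)
{
	if (len > UINT16_MAX - r->fraglen) {
		r->queued = 0;    /* models purging the queue and freeing the skb */
		r->fraglen = 0;
		return false;
	}
	r->fraglen = (uint16_t)(r->fraglen + len);
	r->queued += len;
	return true;
}

static struct reasm feed_unchecked(size_t n, uint16_t len)
{
	struct reasm r = { 0, 0 };

	for (size_t i = 0; i < n; i++)
		frag_add_unchecked(&r, len);
	return r;
}

/* Size the reassembly buffer would be allocated with after n fragments. */
static size_t alloc_size_unchecked(size_t n, uint16_t len)
{
	return feed_unchecked(n, len).fraglen;
}

/* Bytes the copy loop would try to place beyond that allocation. */
static size_t overrun_unchecked(size_t n, uint16_t len)
{
	struct reasm r = feed_unchecked(n, len);

	return r.queued - r.fraglen;
}

/* Index of the first fragment the checked add rejects, or -1 if all fit. */
static long first_rejected(size_t n, uint16_t len)
{
	struct reasm r = { 0, 0 };

	for (size_t i = 0; i < n; i++)
		if (!frag_add_checked(&r, len))
			return (long)i;
	return -1;
}

int main(void)
{
	printf("unchecked: alloc=%zu overrun=%zu\n",
	       alloc_size_unchecked(70, 1000), overrun_unchecked(70, 1000));
	printf("checked: first rejected fragment index=%ld\n", first_rejected(70, 1000));
	return 0;
}
```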

* Re: [PATCH v3 00/15] firmware: qcom: Add OP-TEE PAS service support
From: Sumit Garg @ 2026-04-21 12:22 UTC (permalink / raw)
  To: Bjorn Andersson
  Cc: linux-arm-msm, devicetree, dri-devel, freedreno, linux-media,
	netdev, linux-wireless, ath12k, linux-remoteproc, konradybcio,
	robh, krzk+dt, conor+dt, robin.clark, sean, akhilpo, lumag,
	abhinav.kumar, jesszhan0024, marijn.suijten, airlied, simona,
	vikash.garodia, dikshita.agarwal, bod, mchehab, elder,
	andrew+netdev, davem, edumazet, kuba, pabeni, jjohnson,
	mathieu.poirier, trilokkumar.soni, mukesh.ojha, pavan.kondeti,
	jorge.ramirez, tonyh, vignesh.viswanathan, srinivas.kandagatla,
	amirreza.zarrabi, jens.wiklander, op-tee, apurupa, skare,
	harshal.dev, linux-kernel, Sumit Garg
In-Reply-To: <adSOFCL26y5qt1Cu@sumit-xelite>

On Tue, Apr 07, 2026 at 10:24:44AM +0530, Sumit Garg wrote:
> Hi Bjorn,
> 
> On Mon, Apr 06, 2026 at 10:09:27AM -0500, Bjorn Andersson wrote:
> > On Fri, Mar 27, 2026 at 06:40:28PM +0530, Sumit Garg wrote:
> > > From: Sumit Garg <sumit.garg@oss.qualcomm.com>
> > > 
> > > Qcom platforms have the legacy of using non-standard SCM calls
> > > splintered over the various kernel drivers. These SCM calls aren't
> > > compliant with the standard SMC calling conventions which is a
> > > prerequisite to enable migration to the FF-A specifications from Arm.
> > > 
> > 
> > Please get our colleagues involved in this discussion, because this
> > non-SCM interface does not match the direction we are taking.
> 
> I thought I have already involved folks from QTEE perspective (Apurupa
> and Sree) actively working on FF-A implementation aligned to this
> interface. It would have been better if you could let me know where is
> the direction mismatch here. In case there is a better alternative
> design proposal for PAS service with FF-A, I would be happy to hear
> that.
> 
> Anyhow for the legacy SoCs like KLMT, we really don't have any
> alternative but have to stick to existing QTEE PAS design with OP-TEE
> providing as an alternative backend. Surely we want to support loading
> of existing signed firmware present in linux-firmware repo for KLMT with
> OP-TEE being the TZ.

After further offline internal Qcom discussions, the teams are aligned
on the vision to use and extend generic Qcom PAS layer for all the TZ
backends whether it's legacy SCM backend based on QTEE, OP-TEE backend
as proposed by this patch-set or future object invoke (based on
SMCInvoke) for QTEE.

I hope with that we can progress to get this patch-set merged in next
merge window. I will send v4 shortly after merge window closes to
address misc. comments from Harshal on patch 04/15.

-Sumit

^ permalink raw reply

* RE: [PATCH 1/1] tipc: fix double-free in tipc_buf_append()
From: Tung Quang Nguyen @ 2026-04-21 12:10 UTC (permalink / raw)
  To: Lee Jones
  Cc: Jon Maloy, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, Simon Horman, netdev@vger.kernel.org,
	tipc-discussion@lists.sourceforge.net,
	linux-kernel@vger.kernel.org
In-Reply-To: <20260421103543.GH3202366@google.com>

>Subject: Re: [PATCH 1/1] tipc: fix double-free in tipc_buf_append()
>
>On Mon, 20 Apr 2026, Lee Jones wrote:
>
>> On Mon, 20 Apr 2026, Tung Quang Nguyen wrote:
>>
>> > >> Subject: [PATCH 1/1] tipc: fix double-free in tipc_buf_append()
>> > >> >
>> > >> >The tipc_msg_validate() function can potentially reallocate the
>> > >> >skb it is validating, freeing the old one.  In
>> > >> >tipc_buf_append(), it was being called with a pointer to a local
>> > >> >variable which was a copy of the caller's skb pointer.
>> > >> >
>> > >> >If the skb was reallocated and validation subsequently failed,
>> > >> >the error handling path would free the original skb pointer,
>> > >> >which had already been freed, leading to double-free.
>> > >> >
>> > >> >Fix this by passing the caller's skb pointer-pointer directly to
>> > >> >tipc_msg_validate(), ensuring any modification is reflected correctly.
>> > >> >The local skb pointer is then updated from the (possibly
>> > >> >modified) caller's pointer.
>> > >> >
>> > >> >Fixes: d618d09a68e4 ("tipc: enforce valid ratio between skb truesize and contents")
>> > >> >Assisted-by: Gemini:gemini-3.1-pro-preview
>> > >> >Signed-off-by: Lee Jones <lee@kernel.org>
>> > >> >---
>> > >> > net/tipc/msg.c | 3 ++-
>> > >> > 1 file changed, 2 insertions(+), 1 deletion(-)
>> > >> >
>> > >> >diff --git a/net/tipc/msg.c b/net/tipc/msg.c index
>> > >> >76284fc538eb..9f4f612ee027
>> > >> >100644
>> > >> >--- a/net/tipc/msg.c
>> > >> >+++ b/net/tipc/msg.c
>> > >> >@@ -177,8 +177,9 @@ int tipc_buf_append(struct sk_buff
>> > >> >**headbuf, struct sk_buff **buf)
>> > >> >
>> > >> > 	if (fragid == LAST_FRAGMENT) {
>> > >> > 		TIPC_SKB_CB(head)->validated = 0;
>> > >> >-		if (unlikely(!tipc_msg_validate(&head)))
>> > >> >+		if (unlikely(!tipc_msg_validate(headbuf)))
>> > >> > 			goto err;
>> > >> >+		head = *headbuf;
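
Review bot: nothing at the `tipc_msg_validate(headbuf)` call says that the
callee may free and replace the skb, so the added `head = *headbuf;`
reads as redundant to anyone who does not already know that. Add a
short comment above the call saying the skb can be reallocated and that
`head` has to be reloaded afterwards; this is the explanation asked for
in the review. The commit message should also state that the err path
frees through `*headbuf`, since that is what makes the stale copy
harmful.
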
>> > >> This is a known issue and was reported via
>> > >> https://patchwork.kernel.org/project/netdevbpf/patch/20260330205313.2433372-1-nicholas@carlini.com/
>> > >> The author did not respond to my comment.
>> > >> Can you improve the fix by applying my patch?
>> > >
>> > >I'd be happy to make any required changes.
>> > >
>> > >However, is this approach superior to simply passing a reference?
>> > >
>> > >v1 appears to be simpler, easier to read and avoids the explanation.
>> > >
>> > As I explained, your fix adds extra overhead to normal path while the error
>> > path is corner case and it rarely happens.
>> > Whatever approach is applied, we need to add explanation to understand
>> > more easily the logic and hidden trick in tipc_msg_validate().
>>
>> Very well.  I have made the recommended changes.
>>
>> The patch is currently in my build-test environment.
>>
>> I will post v2, when everything has been satisfied.
>
>Okay, I genuinely tried to apply your patch.  It builds just fine, but Gemini (the
>AI I use to pre-review patches before submission) has some doubts that this is
>the correct approach:
>
>> @@ -177,8 +177,20 @@ int tipc_buf_append(struct sk_buff **headbuf,
>> struct sk_buff **buf)
>>
>>       if (fragid == LAST_FRAGMENT) {
>>               TIPC_SKB_CB(head)->validated = 0;
>> -             if (unlikely(!tipc_msg_validate(&head)))
>> +
>> +             /* If the reassembled skb has been freed in
>> +              * tipc_msg_validate() because of an invalid truesize,
>> +              * then head will point to a newly allocated reassembled
>> +              * skb, while *headbuf points to freed reassembled skb.
>> +              * In such cases, correct *headbuf for freeing the newly
>> +              * allocated reassembled skb later.
>> +              *
>> +              * Note: It's done this way instead of passing &head          // I added
>this part to give
>> +              * to avoid slowing down the happy path since this failure    // the
>reviewer some additoinal
>> +              * is a rare event.                                           // context
>> +              */
>> +             if (unlikely(!tipc_msg_validate(headbuf))) {
You did NOT apply my patch correctly. I did not suggest passing headbuf to tipc_msg_validate().
My patch is very simple:
+               if (unlikely(!tipc_msg_validate(&head))) {
+                       /* reassembled skb has been freed in
+                        * tipc_msg_validate() because of invalid truesize.
+                        * head now points to newly-allocated reassembled skb
+                        * while *headbuf points to freed reassembled skb.
+                        * So, correct *headbuf for freeing newly-allocated
+                        * reassembled skb later.
+                        */
+                       if (head != *headbuf)
+                               *headbuf = head;
+
                        goto err;
+               }

>> +                     if (head != *headbuf)
>> +                             *headbuf = head;
>>                       goto err;
>> +             }
>> +
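
Review bot: with `tipc_msg_validate(headbuf)` the callee updates
`*headbuf` and the local `head` is the one left stale, so
`if (head != *headbuf) *headbuf = head;` writes the freed pointer back
just before `goto err`. Keep one approach only: pass `headbuf` and drop
the fix-up, or pass `&head` and keep it. The new comment describes the
`&head` case and its note says "instead of passing &head", neither of
which matches the call as written, and the `// I added ...` annotations
need to come out before this is posted.
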
>
>  "It looks like this logic might re-introduce the double-free bug.
>   The call to `tipc_msg_validate(headbuf)` is correct, as it passes the
>   pointer-to-pointer and allows the callee to update `*headbuf` if the skb
>   is reallocated.
>
>   However, the subsequent check seems to undo this. If a reallocation
>   happens, `head` will hold the pointer to the old, freed skb, while
>   `*headbuf` will hold the new one. The condition `head != *headbuf` will
>   be true, and the assignment `*headbuf = head` will restore the stale
>   pointer, leading to a double-free on the `err` path.
>
>   The preceding comment also appears to have the pointer roles reversed.
>
>   Would it be simpler and more correct to remove the `if (head != *headbuf)`
>   check and the large comment block? The change from `&head` to `headbuf`
>   in the function call seems to be the only change required to fix the bug.
>   Also, please update the commit message to reflect the corrected logic."
>
>I suggest that we go with the original patch.  Although I find it admirable that
>you are thinking about and attempting to protect the more common happy-
>path, I think the resultant single additional variable assignment is negligible
>and that the simplicity of the previous fix has greater benefits in terms of code
>readability and maintainability.
>
>If you like, I can add a small comment, but I doubt even that is necessary.
>
>--
>Lee Jones [李琼斯]

^ permalink raw reply

* Re: Discuss: Future of AX25, NETROM and ROSE in the kernel ?
From: Dan Cross @ 2026-04-21 12:06 UTC (permalink / raw)
  To: hugh; +Cc: Steve Conklin, Stuart Longland VK4MSL, linux-hams, netdev
In-Reply-To: <5549733f-c9d6-4bae-84e3-285a317ee334@blemings.org>

On Tue, Apr 21, 2026 at 2:28 AM Hugh Blemings <hugh@blemings.org> wrote:
> Hi All,
>
> Just to note in this thread (top posting as it's a bit orthogonal to the
> rest of this discussion) that events have preceded us somewhat here
>
> A patch just recently submitted removes the AX25, NETROM and ROSE code
> from the kernel moving it to the mod-orphan sub tree of netdev
>
> https://lore.kernel.org/netdev/20260421021824.1293976-1-kuba@kernel.org/T/#u

Wow, that happened much faster than I had anticipated.

> A shame but perhaps inevitable - but I think we have a good plan
> unfolding to both take care of medium term maintenance of the kernel
> code (in tree or out as it may be) as well as a move to userspace in the
> longer term.
>
> For the benefit of the netdev readership - we had a thread over in
> linux-hams on this but that may not have been visible to folks in
> netdev.  TL;DR: we think we have a way forward but appreciate this may
> not be quick enough to meet the requirements/concerns put forward
>
> If we can delay removal, that'd be grand, but appreciate that moment may
> have passed.

Personally, I think this may actually turn out to be a good thing.  If
nothing else, it's a forcing function for the ham community to get
serious about providing an implementation that works well, and in the
short term, an out-of-tree module can keep things working for folks
while alternatives are investigated and prepared.

I appreciate that folks want to discuss timing, but it doesn't appear
that there is much else to be done at this point. It would make sense
to continue discussion of alternatives over on linux-hams, sparing the
already-overloaded readers of the netdev list from the sordid details.

        - Dan C.
          (KZ2X)

^ permalink raw reply

* Re: [PATCH net-deletions] net: remove unused ATM protocols and legacy ATM device drivers
From: David Woodhouse @ 2026-04-21 12:06 UTC (permalink / raw)
  To: Geert Uytterhoeven, Herbert Xu
  Cc: Jakub Kicinski, davem, netdev, edumazet, pabeni, andrew+netdev,
	horms, corbet, skhan, linux, tsbogend, maddy, mpe, npiggin,
	chleroy, 3chas3, razor, idosch, jani.nikula, mchehab+huawei,
	tytso, ebiggers, johannes.berg, jonathan.cameron, kees, kuniyu,
	fourier.thomas, andriy.shevchenko, rdunlap, akpm, linux-doc,
	linux-mips, linuxppc-dev, bridge
In-Reply-To: <CAMuHMdU96F_42faeqNzDwaXks7mFrLrkPSJB_QTwxEn9HmVWpQ@mail.gmail.com>

On Tue, 2026-04-21 at 13:57 +0200, Geert Uytterhoeven wrote:
> Hi Herbert,
> 
> On Tue, 21 Apr 2026 at 13:51, Herbert Xu <herbert@gondor.apana.org.au> wrote:
> > On Tue, Apr 21, 2026 at 10:26:18AM +0100, David Woodhouse wrote:
> > > I suspect they don't have a huge amount of interest in the Solos any
> > > more, or the Geode-based SBC they sold with two of them on-board. But
> > > OpenWrt does still support them, and I even have one here (although no
> > > ADSL line to test it with). They were briefly popular as fully Linux-
> > > supported ADSL routers.
> > 
> > ADSL is history, it only ever made sense in rich countries where
> > physical copper cables were pre-installed in homes.  While rich
> > countries have moved to fibre, the rest of the world won't use
> > ADSL either because there is no copper cable to begin with.  So
> > it's actually cheaper to just lay a fibre cable for a new install.
> 
> I am afraid the move to fibre hasn't been completed yet.
> ADSL (VDSL2?) is still being used.

VDSL is different, and isn't ATM-based. But even ADSL is still in use;
in the UK some rural areas haven't got fibre yet.


^ permalink raw reply

* Re: [PATCH] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
From: Petko Manolov @ 2026-04-21 11:54 UTC (permalink / raw)
  To: Morduan Zang
  Cc: Andrew Lunn, David S . Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, linux-usb, netdev, linux-kernel
In-Reply-To: <678BC10BB9E39322+20260421111025.15833-1-zhangdandan@uniontech.com>

On 26-04-21 19:10:25, Morduan Zang wrote:
> When rtl8150_start_xmit() fails to submit the tx URB, the URB is never
> handed to the USB core and write_bulk_callback() will not run.  The
> driver returns NETDEV_TX_OK, which tells the networking stack that the
> skb has been consumed, but nothing actually frees the skb on this
> error path:
> 
>   dev->tx_skb = skb;
>   ...
>   if ((res = usb_submit_urb(dev->tx_urb, GFP_ATOMIC))) {
>           ...
>           /* no kfree_skb here */
>   }
>   return NETDEV_TX_OK;
> 
> This leaks the skb on every submit failure and also leaves dev->tx_skb
> pointing at memory that the driver itself may later free, which is
> fragile.
> 
> Free the skb with dev_kfree_skb_any() in the error path and clear
> dev->tx_skb so no stale pointer is left behind.

Another approach would be to use skb_copy_from_linear_data() to a static buffer
and free the skb right away.  Take a look at pegasus_start_xmit() in
drivers/net/usb/pegasus.c.  This comes at the cost of yet another memcpy,
though.

The above is not to say I don't like your current approach, just FYI.


		Petko

^ permalink raw reply

* Re: [PATCH net-deletions] net: remove unused ATM protocols and legacy ATM device drivers
From: Geert Uytterhoeven @ 2026-04-21 11:57 UTC (permalink / raw)
  To: Herbert Xu
  Cc: David Woodhouse, Jakub Kicinski, davem, netdev, edumazet, pabeni,
	andrew+netdev, horms, corbet, skhan, linux, tsbogend, maddy, mpe,
	npiggin, chleroy, 3chas3, razor, idosch, jani.nikula,
	mchehab+huawei, tytso, ebiggers, johannes.berg, jonathan.cameron,
	kees, kuniyu, fourier.thomas, andriy.shevchenko, rdunlap, akpm,
	linux-doc, linux-mips, linuxppc-dev, bridge
In-Reply-To: <aedkZ5bizasuBPI8@gondor.apana.org.au>

Hi Herbert,

On Tue, 21 Apr 2026 at 13:51, Herbert Xu <herbert@gondor.apana.org.au> wrote:
> On Tue, Apr 21, 2026 at 10:26:18AM +0100, David Woodhouse wrote:
> > I suspect they don't have a huge amount of interest in the Solos any
> > more, or the Geode-based SBC they sold with two of them on-board. But
> > OpenWrt does still support them, and I even have one here (although no
> > ADSL line to test it with). They were briefly popular as fully Linux-
> > supported ADSL routers.
>
> ADSL is history, it only ever made sense in rich countries where
> physical copper cables were pre-installed in homes.  While rich
> countries have moved to fibre, the rest of the world won't use
> ADSL either because there is no copper cable to begin with.  So
> it's actually cheaper to just lay a fibre cable for a new install.

I am afraid the move to fibre hasn't been completed yet.
ADSL (VDSL2?) is still being used.

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

^ permalink raw reply

* Re: [PATCH v3] netfilter: xt_HL: add pr_fmt and checkentry validation
From: Pablo Neira Ayuso @ 2026-04-21 11:56 UTC (permalink / raw)
  To: Marino Dzalto
  Cc: fw, jacob.e.keller, netfilter-devel, coreteam, netdev,
	linux-kernel
In-Reply-To: <20260403205907.92749-1-marino.dzalto@gmail.com>

On Fri, Apr 03, 2026 at 10:59:07PM +0200, Marino Dzalto wrote:
> Add pr_fmt to prefix log messages with the module name for
> easier debugging in dmesg.
> 
> Add checkentry functions for IPv4 (ttl_mt_check) and IPv6
> (hl_mt6_check) to validate the match mode at rule registration
> time, rejecting invalid modes with -EINVAL.
> 
> Signed-off-by: Marino Dzalto <marino.dzalto@gmail.com>
> ---

BTW, please use "nf-next" as target tree for this.

And use _ratelimited as suggested by the AI reviewer.

Send us a v4, thanks

> v3: Remove mention of NULL checks from commit message, as they
>     were never part of the original code.
> v2: Remove NULL checks for skb as suggested by Florian Westphal
>     (skb is guaranteed non-NULL by netfilter core). Move mode
>     validation to checkentry functions instead of match function,
>     also as suggested by Florian Westphal.
> ---
>  net/netfilter/xt_hl.c | 27 +++++++++++++++++++++++++++
>  1 file changed, 27 insertions(+)
> 
> diff --git a/net/netfilter/xt_hl.c b/net/netfilter/xt_hl.c
> index c1a70f8f0441..4a12a757ecbf 100644
> --- a/net/netfilter/xt_hl.c
> +++ b/net/netfilter/xt_hl.c
> @@ -6,6 +6,7 @@
>   * Hop Limit matching module
>   * (C) 2001-2002 Maciej Soltysiak <solt@dns.toxicfilms.tv>
>   */
> +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
>  
>  #include <linux/ip.h>
>  #include <linux/ipv6.h>
> @@ -22,6 +23,18 @@ MODULE_LICENSE("GPL");
>  MODULE_ALIAS("ipt_ttl");
>  MODULE_ALIAS("ip6t_hl");
>  
> +static int ttl_mt_check(const struct xt_mtchk_param *par)
> +{
> +	const struct ipt_ttl_info *info = par->matchinfo;
> +
> +	if (info->mode > IPT_TTL_GT) {
> +		pr_err("Unknown TTL match mode: %d\n", info->mode);
> +		return -EINVAL;
> +	}
> +
> +	return 0;
> +}
> +
>  static bool ttl_mt(const struct sk_buff *skb, struct xt_action_param *par)
>  {
>  	const struct ipt_ttl_info *info = par->matchinfo;
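
Review bot: the `pr_err()` in ttl_mt_check() runs on every rejected rule
insertion, so whoever is allowed to load rules can fill the kernel log
by submitting an invalid mode over and over. Use the rate-limited form,
`pr_err_ratelimited("Unknown TTL match mode: %d\n", info->mode);`, as
already requested in this reply.
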
> @@ -41,6 +54,18 @@ static bool ttl_mt(const struct sk_buff *skb, struct xt_action_param *par)
>  	return false;
>  }
>  
> +static int hl_mt6_check(const struct xt_mtchk_param *par)
> +{
> +	const struct ip6t_hl_info *info = par->matchinfo;
> +
> +	if (info->mode > IP6T_HL_GT) {
> +		pr_err("Unknown Hop Limit match mode: %d\n", info->mode);
> +		return -EINVAL;
> +	}
> +
> +	return 0;
> +}
> +
>  static bool hl_mt6(const struct sk_buff *skb, struct xt_action_param *par)
>  {
>  	const struct ip6t_hl_info *info = par->matchinfo;
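
Review bot: the `pr_err()` in hl_mt6_check() has the same unbounded
logging problem as the IPv4 checker and should become
`pr_err_ratelimited()` too. Separately, the subject prefix says xt_HL
while the file changed is net/netfilter/xt_hl.c; name the prefix after
the file being touched.
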
> @@ -65,6 +90,7 @@ static struct xt_match hl_mt_reg[] __read_mostly = {
>  		.name       = "ttl",
>  		.revision   = 0,
>  		.family     = NFPROTO_IPV4,
> +		.checkentry = ttl_mt_check,
>  		.match      = ttl_mt,
>  		.matchsize  = sizeof(struct ipt_ttl_info),
>  		.me         = THIS_MODULE,
> @@ -73,6 +99,7 @@ static struct xt_match hl_mt_reg[] __read_mostly = {
>  		.name       = "hl",
>  		.revision   = 0,
>  		.family     = NFPROTO_IPV6,
> +		.checkentry = hl_mt6_check,
>  		.match      = hl_mt6,
>  		.matchsize  = sizeof(struct ip6t_hl_info),
>  		.me         = THIS_MODULE,
> -- 
> 2.50.1 (Apple Git-155)
> 

^ permalink raw reply

* Re: [PATCH net-deletions] net: remove unused ATM protocols and legacy ATM device drivers
From: Herbert Xu @ 2026-04-21 11:49 UTC (permalink / raw)
  To: David Woodhouse
  Cc: Jakub Kicinski, davem, netdev, edumazet, pabeni, andrew+netdev,
	horms, corbet, skhan, linux, tsbogend, maddy, mpe, npiggin,
	chleroy, 3chas3, razor, idosch, jani.nikula, mchehab+huawei,
	tytso, geert, ebiggers, johannes.berg, jonathan.cameron, kees,
	kuniyu, fourier.thomas, andriy.shevchenko, rdunlap, akpm,
	linux-doc, linux-mips, linuxppc-dev, bridge
In-Reply-To: <c7506c225ce22a71c03abc2673823cf84bbb5b0d.camel@infradead.org>

On Tue, Apr 21, 2026 at 10:26:18AM +0100, David Woodhouse wrote:
>
> I suspect they don't have a huge amount of interest in the Solos any
> more, or the Geode-based SBC they sold with two of them on-board. But
> OpenWrt does still support them, and I even have one here (although no
> ADSL line to test it with). They were briefly popular as fully Linux-
> supported ADSL routers.

ADSL is history, it only ever made sense in rich countries where
physical copper cables were pre-installed in homes.  While rich
countries have moved to fibre, the rest of the world won't use
ADSL either because there is no copper cable to begin with.  So
it's actually cheaper to just lay a fibre cable for a new install.

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply

* [PATCH] net/stmmac: Fix typos: 'tx_undeflow_irq' -> 'tx_underflow_irq'
From: Jakub Raczynski @ 2026-04-21 11:50 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, kuba, davem, andrew+netdev, kernel-janitors,
	linux-arm-kernel, linux-stm32, Jakub Raczynski
In-Reply-To: <CGME20260421115052eucas1p103281c5b25719a44c0875d6b0860bfa6@eucas1p1.samsung.com>

All references to tx_underflow_irq are misspelled as 'undeflow'. Fix them.

Signed-off-by: Jakub Raczynski <j.raczynski@samsung.com>
---
 drivers/net/ethernet/stmicro/stmmac/common.h         | 2 +-
 drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c | 2 +-
 drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c    | 2 +-
 drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c      | 2 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ethernet/stmicro/stmmac/common.h b/drivers/net/ethernet/stmicro/stmmac/common.h
index d26e8a063022..e7da9964854d 100644
--- a/drivers/net/ethernet/stmicro/stmmac/common.h
+++ b/drivers/net/ethernet/stmicro/stmmac/common.h
@@ -147,7 +147,7 @@ struct stmmac_extra_stats {
 	unsigned long rx_vlan;
 	unsigned long rx_split_hdr_pkt_n;
 	/* Tx/Rx IRQ error info */
-	unsigned long tx_undeflow_irq;
+	unsigned long tx_underflow_irq;
 	unsigned long tx_process_stopped_irq;
 	unsigned long tx_jabber_irq;
 	unsigned long rx_overflow_irq;
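
Review bot: the field renamed here in struct stmmac_extra_stats is also
listed in stmmac_gstrings_stats[] (stmmac_ethtool.c in the diffstat), so
if STMMAC_STAT() derives the reported string from the field name, the
counter name userspace sees in the ethtool statistics changes from
tx_undeflow_irq to tx_underflow_irq. Say so in the commit message so
that anyone matching on the old name knows about it.
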
diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
index 815213223583..068c21f37c29 100644
--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
@@ -247,7 +247,7 @@ static int loongson_dwmac_dma_interrupt(struct stmmac_priv *priv,
 	if (unlikely(abnor_intr_status)) {
 		if (unlikely(intr_status & DMA_STATUS_UNF)) {
 			ret = tx_hard_error_bump_tc;
-			x->tx_undeflow_irq++;
+			x->tx_underflow_irq++;
 		}
 		if (unlikely(intr_status & DMA_STATUS_TJT))
 			x->tx_jabber_irq++;
diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
index c01b86fd64da..a73720811791 100644
--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
@@ -459,7 +459,7 @@ static int sun8i_dwmac_dma_interrupt(struct stmmac_priv *priv,
 
 	if (v & EMAC_TX_UNDERFLOW_INT) {
 		ret |= tx_hard_error;
-		x->tx_undeflow_irq++;
+		x->tx_underflow_irq++;
 	}
 
 	if (v & EMAC_TX_EARLY_INT)
diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c b/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c
index a0383f9486c2..79fe50ad33d1 100644
--- a/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c
@@ -182,7 +182,7 @@ int dwmac_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr,
 	if (unlikely(intr_status & DMA_STATUS_AIS)) {
 		if (unlikely(intr_status & DMA_STATUS_UNF)) {
 			ret = tx_hard_error_bump_tc;
-			x->tx_undeflow_irq++;
+			x->tx_underflow_irq++;
 		}
 		if (unlikely(intr_status & DMA_STATUS_TJT))
 			x->tx_jabber_irq++;
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
index c1e26965d9b5..df092fb354ed 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
@@ -78,7 +78,7 @@ static const struct stmmac_stats stmmac_gstrings_stats[] = {
 	STMMAC_STAT(rx_vlan),
 	STMMAC_STAT(rx_split_hdr_pkt_n),
 	/* Tx/Rx IRQ error info */
-	STMMAC_STAT(tx_undeflow_irq),
+	STMMAC_STAT(tx_underflow_irq),
 	STMMAC_STAT(tx_process_stopped_irq),
 	STMMAC_STAT(tx_jabber_irq),
 	STMMAC_STAT(rx_overflow_irq),
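Review bot: In stmmac_gstrings_stats[], the renamed STMMAC_STAT(tx_underflow_irq) entry changes more than an internal identifier if the macro derives the statistic's string from its argument, as the table name suggests: the counter reported by `ethtool -S` would then change name from tx_undeflow_irq to tx_underflow_irq. The commit message describes this only as a typo fix; it should say that a user-visible statistic name changes, so that monitoring scripts matching the old string can be updated.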
-- 
2.34.1


^ permalink raw reply related

* Re: [PATCH] netfilter: xt_HL: add pr_fmt, default case and NULL checks
From: kernel test robot @ 2026-04-21 11:48 UTC (permalink / raw)
  To: Marino Dzalto, pablo, fw
  Cc: oe-kbuild-all, netfilter-devel, coreteam, netdev, linux-kernel,
	Marino Dzalto
In-Reply-To: <20260403193929.89449-1-marino.dzalto@gmail.com>

Hi Marino,

kernel test robot noticed the following build errors:

[auto build test ERROR on netfilter-nf/main]
[also build test ERROR on nf-next/master horms-ipvs/master linus/master v7.0 next-20260420]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Marino-Dzalto/netfilter-xt_HL-add-pr_fmt-default-case-and-NULL-checks/20260420-185652
base:   https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git main
patch link:    https://lore.kernel.org/r/20260403193929.89449-1-marino.dzalto%40gmail.com
patch subject: [PATCH] netfilter: xt_HL: add pr_fmt, default case and NULL checks
config: m68k-allmodconfig (https://download.01.org/0day-ci/archive/20260421/202604211905.6ZPE3dFs-lkp@intel.com/config)
compiler: m68k-linux-gcc (GCC) 15.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260421/202604211905.6ZPE3dFs-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202604211905.6ZPE3dFs-lkp@intel.com/

All errors (new ones prefixed by >>):

   net/netfilter/xt_hl.c: In function 'ttl_mt':
>> net/netfilter/xt_hl.c:34:13: error: assignment of read-only variable 'ttl'
      34 |         ttl = ip_hdr(skb)->ttl;
         |             ^


vim +/ttl +34 net/netfilter/xt_hl.c

    25	
    26	static bool ttl_mt(const struct sk_buff *skb, struct xt_action_param *par)
    27	{
    28		const struct ipt_ttl_info *info = par->matchinfo;
    29		const u8 ttl;
    30	
    31		if (!skb)
    32			return false;
    33	
  > 34		ttl = ip_hdr(skb)->ttl;
    35	
    36		switch (info->mode) {
    37		case IPT_TTL_EQ:
    38			return ttl == info->ttl;
    39		case IPT_TTL_NE:
    40			return ttl != info->ttl;
    41		case IPT_TTL_LT:
    42			return ttl < info->ttl;
    43		case IPT_TTL_GT:
    44			return ttl > info->ttl;
    45		default:
    46			pr_warn("Unknown TTL match mode: %d\n", info->mode);
    47			return false;
    48		}
    49	}
    50	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

^ permalink raw reply

* [PATCH] net/intel: Replace manual array size calculation with ARRAY_SIZE
From: Jakub Raczynski @ 2026-04-21 11:40 UTC (permalink / raw)
  To: netdev
  Cc: kuba, przemyslaw.kitszel, anthony.l.nguyen, kernel-janitors,
	Jakub Raczynski
In-Reply-To: <CGME20260421114034eucas1p1d746ffe32b49aeb57f10e729d1331124@eucas1p1.samsung.com>

There are still places in the code where manual calculation of array size
exists, but it is good to enforce usage of a single macro throughout the
code, as it makes the code a bit more readable.

Signed-off-by: Jakub Raczynski <j.raczynski@samsung.com>
---
 drivers/net/ethernet/intel/i40e/i40e_adminq.h | 2 +-
 drivers/net/ethernet/intel/iavf/iavf_adminq.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/intel/i40e/i40e_adminq.h b/drivers/net/ethernet/intel/i40e/i40e_adminq.h
index 1be97a3a86ce..0e7cecd00169 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_adminq.h
+++ b/drivers/net/ethernet/intel/i40e/i40e_adminq.h
@@ -109,7 +109,7 @@ static inline int i40e_aq_rc_to_posix(int aq_ret, int aq_rc)
 		-EFBIG,      /* I40E_AQ_RC_EFBIG */
 	};
 
-	if (!((u32)aq_rc < (sizeof(aq_to_posix) / sizeof((aq_to_posix)[0]))))
+	if (!((u32)aq_rc < ARRAY_SIZE(aq_to_posix)))
 		return -ERANGE;
 
 	return aq_to_posix[aq_rc];
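Review bot: The converted check in i40e_aq_rc_to_posix() keeps the double negation `!((u32)aq_rc < ARRAY_SIZE(aq_to_posix))`; since the line is being touched for readability anyway, `(u32)aq_rc >= ARRAY_SIZE(aq_to_posix)` states the same condition directly. Keep the (u32) cast: it is what makes a negative aq_rc fail the bounds check before it is used to index aq_to_posix[].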
diff --git a/drivers/net/ethernet/intel/iavf/iavf_adminq.h b/drivers/net/ethernet/intel/iavf/iavf_adminq.h
index bbf5c4b3a2ae..eb0257c86058 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_adminq.h
+++ b/drivers/net/ethernet/intel/iavf/iavf_adminq.h
@@ -113,7 +113,7 @@ static inline int iavf_aq_rc_to_posix(int aq_ret, int aq_rc)
 	if (aq_ret == IAVF_ERR_ADMIN_QUEUE_TIMEOUT)
 		return -EAGAIN;
 
-	if (!((u32)aq_rc < (sizeof(aq_to_posix) / sizeof((aq_to_posix)[0]))))
+	if (!((u32)aq_rc < ARRAY_SIZE(aq_to_posix)))
 		return -ERANGE;
 
 	return aq_to_posix[aq_rc];
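Review bot: iavf_adminq.h is a header, and this hunk makes its inline iavf_aq_rc_to_posix() depend on ARRAY_SIZE without adding an include (the diffstat shows one changed line per file), so the header now builds only where the includer has already pulled the macro in. Consider an explicit `#include <linux/array_size.h>` here and in i40e_adminq.h; the headers' existing includes are not visible in the diff, so please confirm.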
-- 
2.34.1


^ permalink raw reply related

* [PATCH] net/sun: Fix multiple typos in comments
From: Jakub Raczynski @ 2026-04-21 11:45 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, kuba, davem, andrew+netdev, kernel-janitors,
	Jakub Raczynski
In-Reply-To: <CGME20260421114526eucas1p29a73b6c60123beb164975e931347f1a4@eucas1p2.samsung.com>

There are some typos in comments and while they are harmless and not visible,
there is no reason not to fix them. Fix the ones that are not register related,
which might have intentional naming convention.

Signed-off-by: Jakub Raczynski <j.raczynski@samsung.com>
---
 drivers/net/ethernet/sun/cassini.c |  8 ++++----
 drivers/net/ethernet/sun/cassini.h | 16 ++++++++--------
 drivers/net/ethernet/sun/sunbmac.h |  2 +-
 drivers/net/ethernet/sun/sungem.c  |  4 ++--
 drivers/net/ethernet/sun/sungem.h  |  4 ++--
 drivers/net/ethernet/sun/sunhme.c  |  2 +-
 6 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/drivers/net/ethernet/sun/cassini.c b/drivers/net/ethernet/sun/cassini.c
index fe00e7dd3fe4..74fb0de12d21 100644
--- a/drivers/net/ethernet/sun/cassini.c
+++ b/drivers/net/ethernet/sun/cassini.c
@@ -1029,7 +1029,7 @@ static int cas_pcs_link_check(struct cas *cp)
 			 * point a bit earlier in the sequence. If we had
 			 * generated a reset a short time ago, we'll wait for
 			 * the link timer to check the status until a
-			 * timer expires (link_transistion_jiffies_valid is
+			 * timer expires (link_transition_jiffies_valid is
 			 * true when the timer is running.)  Instead of using
 			 * a system timer, we just do a check whenever the
 			 * link timer is running - this clears the flag after
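Review bot: The word corrected in the cas_pcs_link_check() comment is an identifier, link_transition_jiffies_valid, not prose. The commit message says names that might be intentional are left alone, so please confirm that the field is really spelled this way in the driver; if the field itself carries the old spelling, the comment should keep matching it so that grep finds both.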
@@ -4547,7 +4547,7 @@ static int cas_get_link_ksettings(struct net_device *dev,
 	}
 	if (linkstate != link_up) {
 		/* Force these to "unknown" if the link is not up and
-		 * autonogotiation in enabled. We can set the link
+		 * autonegotiation in enabled. We can set the link
 		 * speed to 0, but not cmd->duplex,
 		 * because its legal values are 0 and 1.  Ethtool will
 		 * print the value reported in parentheses after the
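Review bot: The fixed line in the cas_get_link_ksettings() comment still reads "autonegotiation in enabled"; "in" should be "is". Since the line is already being rewritten, correct both words in the same pass.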
@@ -4799,7 +4799,7 @@ static void cas_program_bridge(struct pci_dev *cas_pdev)
 	 */
 	pci_write_config_word(pdev, 0x50, (5 << 10) | 0x3ff);
 
-	/* The Read Prefecth Policy register is 16-bit and sits at
+	/* The Read Prefetch Policy register is 16-bit and sits at
 	 * offset 0x52.  It enables a "smart" pre-fetch policy.  We
 	 * enable it and max out all of the settings since only one
 	 * device is sitting underneath and thus bandwidth sharing is
@@ -4906,7 +4906,7 @@ static int cas_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
 
 	/*
 	 * On some architectures, the default cache line size set
-	 * by pci_try_set_mwi reduces perforamnce.  We have to increase
+	 * by pci_try_set_mwi reduces performance.  We have to increase
 	 * it for this case.  To start, we'll print some configuration
 	 * data.
 	 */
diff --git a/drivers/net/ethernet/sun/cassini.h b/drivers/net/ethernet/sun/cassini.h
index 2d91f4936d52..0c24547a4534 100644
--- a/drivers/net/ethernet/sun/cassini.h
+++ b/drivers/net/ethernet/sun/cassini.h
@@ -259,7 +259,7 @@
 
 /* output enables are provided for each device's chip select and for the rest
  * of the outputs from cassini to its local bus devices. two sw programmable
- * bits are connected to general purpus control/status bits.
+ * bits are connected to general purpose control/status bits.
  * DEFAULT: 0x7
  */
 #define  REG_BIM_LOCAL_DEV_EN          0x1020  /* BIM local device
@@ -404,7 +404,7 @@
 						    GMII on SERDES pins for
 						    monitoring. */
 #define   SATURN_PCFG_FSI             0x00000200 /* 1 = freeze serdes/gmii. all
-						    pins configed as outputs.
+						    pins configured as outputs.
 						    for power saving when using
 						    internal phy. */
 #define   SATURN_PCFG_LAD             0x00000800 /* 0 = mac core led ctrl
@@ -622,7 +622,7 @@
 						      enabled */
 #define    RX_CFG_SWIVEL_MASK           0x00001C00 /* byte offset of the 1st
 						      data byte of the packet
-						      w/in 8 byte boundares.
+						      w/in 8 byte boundaries.
 						      this swivels the data
 						      DMA'ed to header
 						      buffers, jumbo buffers
@@ -1248,7 +1248,7 @@
  */
 #define  REG_MAC_TX_STATUS                 0x6010  /* TX MAC status reg */
 #define    MAC_TX_FRAME_XMIT               0x0001  /* successful frame
-						      transmision */
+						      transmission */
 #define    MAC_TX_UNDERRUN                 0x0002  /* terminated frame
 						      transmission due to
 						      data starvation in the
@@ -1414,7 +1414,7 @@
  * when passed to the host. to ensure proper operation, need to wait 3.2ms
  * after clearing RX_CFG_EN before writing to any other RX MAC registers
  * or other MAC parameters. alternatively, poll RX_CFG_EN until it clears
- * to 0. similary, HASH_FILTER_EN and ADDR_FILTER_EN have the same
+ * to 0. Similarly, HASH_FILTER_EN and ADDR_FILTER_EN have the same
  * restrictions as CFG_EN.
  */
 #define  REG_MAC_RX_CFG                 0x6034  /* RX MAC config reg */
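Review bot: In the comment above REG_MAC_RX_CFG, "similary" becomes "Similarly" with a capital S, while the other sentences in that block start in lower case ("to ensure proper operation", "alternatively, poll"). Use "similarly" to match the surrounding style, or keep capitalisation changes out of a typo patch.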
@@ -1670,7 +1670,7 @@
  * programmed in frame mode. load this register w/ a valid instruction
  * (as per IEEE 802.3u MII spec). poll this register to check for instruction
  * execution completion. during a read operation, this register will also
- * contain the 16-bit data returned by the tranceiver. unless specified
+ * contain the 16-bit data returned by the transceiver. unless specified
  * otherwise, fields are considered "don't care" when polling for
  * completion.
  */
@@ -1734,7 +1734,7 @@
 #define    MIF_CFG_POLL_REG_SHIFT       3
 #define    MIF_CFG_MDIO_0               0x0100 /* (ro) dual purpose.
 						  when MDIO_0 is idle,
-						  1 -> tranceiver is
+						  1 -> transceiver is
 						  connected to MDIO_0.
 						  when MIF is communicating
 						  w/ MDIO_0 in bit-bang
@@ -1750,7 +1750,7 @@
 						  mode, this bit indicates
 						  the incoming bit stream
 						  during a read op */
-#define    MIF_CFG_POLL_PHY_MASK        0x7C00 /* tranceiver address to
+#define    MIF_CFG_POLL_PHY_MASK        0x7C00 /* transceiver address to
 						  be polled */
 #define    MIF_CFG_POLL_PHY_SHIFT       10
 
diff --git a/drivers/net/ethernet/sun/sunbmac.h b/drivers/net/ethernet/sun/sunbmac.h
index d379bd407eca..85778edcf8dc 100644
--- a/drivers/net/ethernet/sun/sunbmac.h
+++ b/drivers/net/ethernet/sun/sunbmac.h
@@ -205,7 +205,7 @@
 #define FRAME_WRITE           0x50020000
 #define FRAME_READ            0x60020000
 
-/* Tranceiver registers. */
+/* Transceiver registers. */
 #define TCVR_PAL_SERIAL       0x00000001 /* Enable serial mode              */
 #define TCVR_PAL_EXTLBACK     0x00000002 /* Enable external loopback        */
 #define TCVR_PAL_MSENSE       0x00000004 /* Media sense                     */
diff --git a/drivers/net/ethernet/sun/sungem.c b/drivers/net/ethernet/sun/sungem.c
index 8e69d917d827..35c3226ce719 100644
--- a/drivers/net/ethernet/sun/sungem.c
+++ b/drivers/net/ethernet/sun/sungem.c
@@ -2187,7 +2187,7 @@ static void gem_do_stop(struct net_device *dev, int wol)
 	 * if we did. This is not an issue however as the reset
 	 * task is synchronized vs. us (rtnl_lock) and will do
 	 * nothing if the device is down or suspended. We do
-	 * still clear reset_task_pending to avoid a spurrious
+	 * still clear reset_task_pending to avoid a spurious
 	 * reset later on in case we do resume before it gets
 	 * scheduled.
 	 */
@@ -2370,7 +2370,7 @@ static int __maybe_unused gem_resume(struct device *dev_d)
 	gem_do_start(dev);
 
 	/* If we had WOL enabled, the cell clock was never turned off during
-	 * sleep, so we end up beeing unbalanced. Fix that here
+	 * sleep, so we end up being unbalanced. Fix that here
 	 */
 	if (gp->asleep_wol)
 		gem_put_cell(gp);
diff --git a/drivers/net/ethernet/sun/sungem.h b/drivers/net/ethernet/sun/sungem.h
index 626302a9bc89..b921d3074017 100644
--- a/drivers/net/ethernet/sun/sungem.h
+++ b/drivers/net/ethernet/sun/sungem.h
@@ -352,7 +352,7 @@
 #define MAC_HASH14	0x60F8UL	/* Hash Table 14 Register	*/
 #define MAC_HASH15	0x60FCUL	/* Hash Table 15 Register	*/
 #define MAC_NCOLL	0x6100UL	/* Normal Collision Counter	*/
-#define MAC_FASUCC	0x6104UL	/* First Attmpt. Succ Coll Ctr.	*/
+#define MAC_FASUCC	0x6104UL	/* First Attempt. Succ Coll Ctr.*/
 #define MAC_ECOLL	0x6108UL	/* Excessive Collision Counter	*/
 #define MAC_LCOLL	0x610CUL	/* Late Collision Counter	*/
 #define MAC_DTIMER	0x6110UL	/* Defer Timer			*/
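Review bot: The new MAC_FASUCC comment, "First Attempt. Succ Coll Ctr.*/", keeps the full stop that marked "Attmpt." as an abbreviation and loses the whitespace before the closing "*/" that the neighbouring lines have. Writing "First Attempt Succ Coll Ctr." has the same width as the original text, so the tab and the aligned "*/" can stay.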
@@ -657,7 +657,7 @@
 
 /* MIF Frame/Output Register.  This 32-bit register allows the host to
  * communicate with a transceiver in frame mode (as opposed to big-bang
- * mode).  Writes by the host specify an instrution.  After being issued
+ * mode).  Writes by the host specify an instruction.  After being issued
  * the host must poll this register for completion.  Also, after
  * completion this register holds the data returned by the transceiver
  * if applicable.
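Review bot: The line just above the corrected "instruction" in the MIF Frame/Output Register comment still says "big-bang mode", which is almost certainly meant to be "bit-bang" (the cassini.h hunk in this same patch has "bit-bang" for the MDIO mode). It is an unchanged context line here, so the typo survives the patch; please fix it as well.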
diff --git a/drivers/net/ethernet/sun/sunhme.c b/drivers/net/ethernet/sun/sunhme.c
index 4c9d5d4dd8a0..efbf042e9352 100644
--- a/drivers/net/ethernet/sun/sunhme.c
+++ b/drivers/net/ethernet/sun/sunhme.c
@@ -1118,7 +1118,7 @@ static void happy_meal_transceiver_check(struct happy_meal *hp, void __iomem *tr
  *
  * We use skb_reserve() to align the data block we get in the skb.  We
  * also program the etxregs->cfg register to use an offset of 2.  This
- * imperical constant plus the ethernet header size will always leave
+ * emperical constant plus the ethernet header size will always leave
  * us with a nicely aligned ip header once we pass things up to the
  * protocol layers.
  *
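Review bot: The replacement in this sunhme.c comment trades one misspelling for another: "imperical" becomes "emperical", but the word is "empirical".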
-- 
2.34.1


^ permalink raw reply related

* Re: [PATCH net] netdevsim: Initialize all fields of ip header when building dummy sk_buff
From: Nikola Z. Ivanov @ 2026-04-21 11:44 UTC (permalink / raw)
  To: Breno Leitao
  Cc: kuba, andrew+netdev, davem, edumazet, pabeni, netdev,
	linux-kernel
In-Reply-To: <aec-UcPm5pRZjcSL@gmail.com>



On 4/21/26 12:12 PM, Breno Leitao wrote:
> On Tue, Apr 21, 2026 at 11:54:19AM +0300, Nikola Z. Ivanov wrote:
>> On 4/21/26 11:19 AM, Breno Leitao wrote:
>>> On Tue, Apr 21, 2026 at 10:37:38AM +0300, Nikola Z. Ivanov wrote:
>>>> Closes: https://syzkaller.appspot.com/bug?extid=23d7fcd204e3837866ff
>>> How do you check in the report above that the missing un-initialized
>>> fields are "tos" and "id"?
>> I don't think it is visible here, my guess would
>> be because the checksum calculator walks the
>> header in small chunks instead of referencing
>> its fields.
>>
>> The whole "KMSAN: uninit-value in irqentry_exit_to_kernel_mode_preempt"
>> doesn't really sound quite right.
> That's precisely my question - how does this fix relate to that specific
> report?
The fact that the 2 call traces from the allocation and usage
have a common origin in nsim_dev_trap_skb_build sort of gives it away.
Just to be clear, I saw the syzbot report and started investigating from
there, not the other way around.
> Were you able to reproduce the KMSAN report?
>
> Thanks for the quick answer,
> --breno
Yes, but it is a bit inconsistent.

Just booting the disk from the report and adding a device
is enough to trigger it, but we have to wait for some time:

syzkaller
syzkaller login: root
# echo "1 1" > /sys/bus/netdevsim/new_device
# [  726.477183][ T5462] 8021q: adding VLAN 0 to HW filter on device eth1

# [ 1845.100611][   T80] 
=====================================================
[ 1845.102363][   T80] BUG: KMSAN: uninit-value in 
irqentry_exit_to_kernel_mode_preempt+0x8f/0xa0
[ 1845.104209][   T80] irqentry_exit_to_kernel_mode_preempt+0x8f/0xa0
[ 1845.105594][   T80]  irqentry_exit+0x7c/0x7b0
[ 1845.106629][   T80]  sysvec_apic_timer_interrupt+0x52/0x90
[ 1845.107829][   T80]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 1845.108959][   T80]  srso_alias_safe_ret+0x0/0x7
[ 1845.108959][   T80]  __msan_metadata_ptr_for_load_4+0x24/0x40
[ 1845.108959][   T80]  ip_fast_csum+0x1e6/0x3f0
[ 1845.108959][   T80]  nsim_dev_trap_report_work+0x8c0/0x1430
[ 1845.108959][   T80]  process_scheduled_works+0xbdb/0x1e20
[ 1845.108959][   T80]  worker_thread+0xee5/0x1590
[ 1845.108959][   T80]  kthread+0x540/0x600
[ 1845.108959][   T80]  ret_from_fork+0x210/0x8f0
[ 1845.108959][   T80]  ret_from_fork_asm+0x1a/0x30
[ 1845.108959][   T80]
[ 1845.108959][   T80] Uninit was created at:
[ 1845.108959][   T80] __kmalloc_node_track_caller_noprof+0x4fb/0x1770
[ 1845.108959][   T80]  __alloc_skb+0x90d/0x1190
[ 1845.108959][   T80]  nsim_dev_trap_report_work+0x3f2/0x1430
[ 1845.108959][   T80]  process_scheduled_works+0xbdb/0x1e20
[ 1845.108959][   T80]  worker_thread+0xee5/0x1590
[ 1845.108959][   T80]  kthread+0x540/0x600
[ 1845.108959][   T80]  ret_from_fork+0x210/0x8f0
[ 1845.108959][   T80]  ret_from_fork_asm+0x1a/0x30
[ 1845.108959][   T80]


Thank you,
Nikola

^ permalink raw reply
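
The reply above attributes the report to the checksum routine walking the whole header rather than individual fields. As an added userspace model of that point (not code from the patch or from netdevsim): a builder that skips "tos" and "id", the two fields named in the thread, still yields a header whose checksum verifies, but the checksum value depends on whatever bytes were in the buffer beforehand. The header values, function names and the two-pattern fill used to count unwritten bytes are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPH_LEN 20	/* IPv4 header without options */

/* RFC 1071 checksum. It walks the header as 16-bit words, so every byte
 * of the buffer feeds the result, whether or not a field was ever set. */
static uint16_t ip_csum(const uint8_t *h, size_t len)
{
	uint32_t sum = 0;

	for (size_t i = 0; i + 1 < len; i += 2)
		sum += ((uint32_t)h[i] << 8) | h[i + 1];
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Fill the header fields. With init_all == 0 the tos byte (offset 1) and
 * the id field (offsets 4-5) are skipped, modelling the bug discussed in
 * the thread. All field values are constructed sample data. */
static void fill_fields(uint8_t *h, int init_all)
{
	static const uint8_t saddr[4] = { 192, 0, 2, 1 };
	static const uint8_t daddr[4] = { 192, 0, 2, 2 };

	h[0] = 0x45;			/* version 4, ihl 5 */
	if (init_all)
		h[1] = 0;		/* tos */
	h[2] = 0; h[3] = 64;		/* tot_len = 64 */
	if (init_all) {
		h[4] = 0; h[5] = 0;	/* id */
	}
	h[6] = 0; h[7] = 0;		/* frag_off */
	h[8] = 100;			/* ttl */
	h[9] = 17;			/* protocol: UDP */
	h[10] = 0; h[11] = 0;		/* check, filled in by build() */
	memcpy(h + 12, saddr, 4);
	memcpy(h + 16, daddr, 4);
}

/* Build a header in a buffer pre-filled with 'stale', which stands in for
 * whatever the allocator left behind, and return the stored checksum. */
static uint16_t build(uint8_t *h, uint8_t stale, int init_all)
{
	uint16_t c;

	memset(h, stale, IPH_LEN);
	fill_fields(h, init_all);
	c = ip_csum(h, IPH_LEN);
	h[10] = c >> 8;
	h[11] = c & 0xff;
	return c;
}

/* Checksum the builder stores for a given stale-memory pattern. */
static uint16_t stored_csum(uint8_t stale, int init_all)
{
	uint8_t h[IPH_LEN];

	return build(h, stale, init_all);
}

/* A receiver's view: the finished header sums to zero, even when it
 * contains stale bytes, so the packet itself looks well formed. */
static int header_verifies(uint8_t stale, int init_all)
{
	uint8_t h[IPH_LEN];

	build(h, stale, init_all);
	return ip_csum(h, IPH_LEN) == 0;
}

/* Count header bytes the builder never wrote: fill two buffers with
 * different patterns, run the builder on both, and count the bytes that
 * still differ afterwards. */
static int unwritten_bytes(int init_all)
{
	uint8_t a[IPH_LEN], b[IPH_LEN];
	int n = 0;

	memset(a, 0xAA, sizeof(a));
	memset(b, 0x55, sizeof(b));
	fill_fields(a, init_all);
	fill_fields(b, init_all);
	for (size_t i = 0; i < IPH_LEN; i++)
		n += a[i] != b[i];
	return n;
}

int main(void)
{
	int buggy_varies = stored_csum(0x00, 0) != stored_csum(0xAA, 0);
	int fixed_varies = stored_csum(0x00, 1) != stored_csum(0xAA, 1);

	/* Exit status 0 when the model behaves as described. */
	return !(buggy_varies && !fixed_varies && header_verifies(0xAA, 0) &&
		 unwritten_bytes(0) == 3 && unwritten_bytes(1) == 0);
}
```

Because the incomplete header still verifies, nothing on the receive side flags it; only a tool that tracks initialisation state, such as KMSAN in the trace above, sees the stale bytes being read.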

* Re: [PATCH net v4 2/2] net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()
From: Lorenzo Bianconi @ 2026-04-21 11:42 UTC (permalink / raw)
  To: Paolo Abeni
  Cc: Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Simon Horman, linux-arm-kernel, linux-mediatek, netdev
In-Reply-To: <210f5d0b-6232-4c0f-adff-3a97d54159b3@redhat.com>

On Apr 21, Paolo Abeni wrote:
> On 4/17/26 8:36 AM, Lorenzo Bianconi wrote:
> > @@ -1055,8 +1058,33 @@ static void airoha_qdma_cleanup_tx_queue(struct airoha_queue *q)
> >  		e->dma_addr = 0;
> >  		e->skb = NULL;
> >  		list_add_tail(&e->list, &q->tx_list);
> > +
> > +		/* Reset DMA descriptor */
> > +		WRITE_ONCE(desc->ctrl, 0);
> > +		WRITE_ONCE(desc->addr, 0);
> > +		WRITE_ONCE(desc->data, 0);
> > +		WRITE_ONCE(desc->msg0, 0);
> > +		WRITE_ONCE(desc->msg1, 0);
> > +		WRITE_ONCE(desc->msg2, 0);
> 
> Sashiko has some complaints on this patch that look legit to me.

Hi Paolo,

I looked at the issue reported by Sashiko for patch 2/2 and I will send
a dedicated patch to address it but I guess this problem is not strictly
related to this patch since we already have the reported issue upstream
even without this patch (please consider dma_unmap_single() in
airoha_qdma_cleanup_tx_queue()).
Moreover, in this patch I want to just add missing bits in
airoha_qdma_cleanup_tx_queue().

> 
> Also the pre-existing issues mentioned WRT patch 1/2 make such patch
> IMHO almost ineffective, I think you should address them in the same series.

The issues reported by Sashiko for patch 1/2 are already addressed in the
following upstream series:
https://patchwork.kernel.org/project/netdevbpf/cover/20260420-airoha_qdma_init_rx_queue-fix-v2-0-d99347e5c18d@kernel.org/

> 
> Note that you should have commented on sashiko review on the ML, it
> would have saved a significant amount of time on us.

I guess the main issue here is Sashiko is not currently sending the feedback
on the ML, right?

Regards,
Lorenzo

> 
> /P
> 

^ permalink raw reply

* [PATCH] net/intel/e100: Make read-only param_range struct static const
From: Jakub Raczynski @ 2026-04-21 11:41 UTC (permalink / raw)
  To: netdev
  Cc: kuba, przemyslaw.kitszel, anthony.l.nguyen, kernel-janitors,
	Jakub Raczynski
In-Reply-To: <CGME20260421114124eucas1p1198b3e8dd272702a5f717b818729a978@eucas1p1.samsung.com>

No need to use stack for single use read-only struct,
just make it static const.

Signed-off-by: Jakub Raczynski <j.raczynski@samsung.com>
---
 drivers/net/ethernet/intel/e100.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c
index 9074b558de35..6bce22e15a97 100644
--- a/drivers/net/ethernet/intel/e100.c
+++ b/drivers/net/ethernet/intel/e100.c
@@ -1034,8 +1034,8 @@ static inline int e100_phy_supports_mii(struct nic *nic)
 
 static void e100_get_defaults(struct nic *nic)
 {
-	struct param_range rfds = { .min = 16, .max = 256, .count = 256 };
-	struct param_range cbs  = { .min = 64, .max = 256, .count = 128 };
+	static const struct param_range rfds = { .min = 16, .max = 256, .count = 256 };
+	static const struct param_range cbs  = { .min = 64, .max = 256, .count = 128 };
 
 	/* MAC type is encoded as rev ID; exception: ICH is treated as 82559 */
 	nic->mac = (nic->flags & ich) ? mac_82559_D101M : nic->pdev->revision;
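Review bot: Both new declarations in e100_get_defaults() run past 80 columns once `static const` is prepended (about 87 with the leading tab), and netdev still prefers the 80-column limit. Break each initializer after the `=` or put the members on their own lines.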
-- 
2.34.1


^ permalink raw reply related

* Re: [PATCH net 1/1] net/rose: hold listener socket during call request handling
From: Paolo Abeni @ 2026-04-21 11:23 UTC (permalink / raw)
  To: Ren Wei, linux-hams, netdev
  Cc: davem, edumazet, kuba, horms, kees, takamitz, kuniyu,
	jiayuan.chen, mingo, stanksal, jlayton, yifanwucs, tomapufckgml,
	bird, yuantan098, tonanli66
In-Reply-To: <52776256bf0fc38de92fe3edf39434538b672b69.1776327338.git.tonanli66@gmail.com>

On 4/17/26 1:01 PM, Ren Wei wrote:
> From: Nan Li <tonanli66@gmail.com>
> 
> The call request receive path keeps using the listener socket after the
> lookup lock has been dropped. Keep the listener alive across the
> remaining validation and child socket setup by taking a reference in the
> lookup path and releasing it once request handling is finished.
> 
> This makes listener lifetime handling explicit and avoids races with
> concurrent socket teardown.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@kernel.org
> Reported-by: Yifan Wu <yifanwucs@gmail.com>
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Reported-by: Xin Liu <bird@lzu.edu.cn>
> Co-developed-by: Yuan Tan <yuantan098@gmail.com>
> Signed-off-by: Yuan Tan <yuantan098@gmail.com>
> Signed-off-by: Nan Li <tonanli66@gmail.com>
> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>

we are moving rose out of tree:

https://lore.kernel.org/netdev/20260421021824.1293976-1-kuba@kernel.org/

please hold off until Thursday (after that our net PR will land into
mainline), and eventually resend if the code still exists in Linus's
tree at that point.

Thanks,

Paolo


^ permalink raw reply

* Re: [patch 33/38] powerpc: Select ARCH_HAS_RANDOM_ENTROPY
From: Mukesh Kumar Chaurasiya @ 2026-04-21 11:22 UTC (permalink / raw)
  To: Thomas Gleixner
  Cc: LKML, Michael Ellerman, linuxppc-dev, Arnd Bergmann, x86,
	Lu Baolu, iommu, Michael Grzeschik, netdev, linux-wireless,
	Herbert Xu, linux-crypto, Vlastimil Babka, linux-mm,
	David Woodhouse, Bernie Thompson, linux-fbdev, Theodore Tso,
	linux-ext4, Andrew Morton, Uladzislau Rezki, Marco Elver,
	Dmitry Vyukov, kasan-dev, Andrey Ryabinin, Thomas Sailer,
	linux-hams, Jason A. Donenfeld, Richard Henderson, linux-alpha,
	Russell King, linux-arm-kernel, Catalin Marinas, Huacai Chen,
	loongarch, Geert Uytterhoeven, linux-m68k, Dinh Nguyen,
	Jonas Bonn, linux-openrisc, Helge Deller, linux-parisc,
	Paul Walmsley, linux-riscv, Heiko Carstens, linux-s390,
	David S. Miller, sparclinux
In-Reply-To: <20260410120319.789114053@kernel.org>

On Fri, Apr 10, 2026 at 02:21:09PM +0200, Thomas Gleixner wrote:
> The only remaining usage of get_cycles() is to provide random_get_entropy().
> 
> Switch powerpc over to the new scheme of selecting ARCH_HAS_RANDOM_ENTROPY
> and providing random_get_entropy() in asm/random.h.
> 
> Remove asm/timex.h as it has no functionality anymore.
> 
> Signed-off-by: Thomas Gleixner <tglx@kernel.org>
> Cc: Michael Ellerman <mpe@ellerman.id.au>
> Cc: linuxppc-dev@lists.ozlabs.org
> ---
>  arch/powerpc/Kconfig              |    1 +
>  arch/powerpc/include/asm/random.h |   13 +++++++++++++
>  arch/powerpc/include/asm/timex.h  |   21 ---------------------
>  3 files changed, 14 insertions(+), 21 deletions(-)
> 
> --- a/arch/powerpc/Kconfig
> +++ b/arch/powerpc/Kconfig
> @@ -150,6 +150,7 @@ config PPC
>  	select ARCH_HAS_PREEMPT_LAZY
>  	select ARCH_HAS_PTDUMP
>  	select ARCH_HAS_PTE_SPECIAL
> +	select ARCH_HAS_RANDOM_ENTROPY
>  	select ARCH_HAS_SCALED_CPUTIME		if VIRT_CPU_ACCOUNTING_NATIVE && PPC_BOOK3S_64
>  	select ARCH_HAS_SET_MEMORY
>  	select ARCH_HAS_STRICT_KERNEL_RWX	if (PPC_BOOK3S || PPC_8xx) && !HIBERNATION
> --- /dev/null
> +++ b/arch/powerpc/include/asm/random.h
> @@ -0,0 +1,13 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +#ifndef _ASM_POWERPC_RANDOM_H
> +#define _ASM_POWERPC_RANDOM_H
> +
> +#include <asm/cputable.h>
> +#include <asm/vdso/timebase.h>
> +
> +static inline unsigned long random_get_entropy(void)
> +{
> +	return mftb();
> +}
> +
> +#endif	/* _ASM_POWERPC_RANDOM_H */
> --- a/arch/powerpc/include/asm/timex.h
> +++ b/arch/powerpc/include/asm/timex.h
> @@ -1,21 +0,0 @@
> -/* SPDX-License-Identifier: GPL-2.0 */
> -#ifndef _ASM_POWERPC_TIMEX_H
> -#define _ASM_POWERPC_TIMEX_H
> -
> -#ifdef __KERNEL__
> -
> -/*
> - * PowerPC architecture timex specifications
> - */
> -
> -#include <asm/cputable.h>
> -#include <asm/vdso/timebase.h>
> -
> -ostatic inline cycles_t get_cycles(void)
> -{
R> -	return mftb();
> -}
> -#define get_cycles get_cycles
> -
> -#endif	/* __KERNEL__ */
> -#endif	/* _ASM_POWERPC_TIMEX_H */
> 
Build tested for this series with allmodconfig and allyesconfig on ppc64le
machine for ppc64le.
tree: git://git.kernel.org/pub/scm/linux/kernel/git/tglx/devel.git getcycles-v1

Boot tested for this series on powernv9 qemu, powernv10 qemu and pSeries
power11 hardware.

Tested-by: Mukesh Kumar Chaurasiya (IBM) <mkchauras@gmail.com>
Reviewed-by: Mukesh Kumar Chaurasiya (IBM) <mkchauras@gmail.com>


^ permalink raw reply

* Re: [PATCH net v4 2/2] net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()
From: Paolo Abeni @ 2026-04-21 11:20 UTC (permalink / raw)
  To: Lorenzo Bianconi, Andrew Lunn, David S. Miller, Eric Dumazet,
	Jakub Kicinski, Simon Horman
  Cc: linux-arm-kernel, linux-mediatek, netdev
In-Reply-To: <20260417-airoha_qdma_cleanup_tx_queue-fix-net-v4-2-e04bcc2c9642@kernel.org>

On 4/17/26 8:36 AM, Lorenzo Bianconi wrote:
> @@ -1055,8 +1058,33 @@ static void airoha_qdma_cleanup_tx_queue(struct airoha_queue *q)
>  		e->dma_addr = 0;
>  		e->skb = NULL;
>  		list_add_tail(&e->list, &q->tx_list);
> +
> +		/* Reset DMA descriptor */
> +		WRITE_ONCE(desc->ctrl, 0);
> +		WRITE_ONCE(desc->addr, 0);
> +		WRITE_ONCE(desc->data, 0);
> +		WRITE_ONCE(desc->msg0, 0);
> +		WRITE_ONCE(desc->msg1, 0);
> +		WRITE_ONCE(desc->msg2, 0);

Sashiko has some complaints on this patch that look legit to me.

Also the pre-existing issues mentioned WRT patch 1/2 make such patch
IMHO almost ineffective, I think you should address them in the same series.

Note that you should have commented on sashiko review on the ML, it
would have saved a significant amount of time on us.

/P


^ permalink raw reply

* Re: [PATCH net v2 2/2] selftests/bpf: check epoll readiness after reuseport migration
From: Zhenzhong Wu @ 2026-04-21 11:16 UTC (permalink / raw)
  To: Kuniyuki Iwashima
  Cc: davem, dsahern, edumazet, horms, kuba, linux-kernel,
	linux-kselftest, ncardwell, netdev, pabeni, shuah, tamird
In-Reply-To: <20260421072017.1653163-1-kuniyu@google.com>

Thanks Kuniyuki, will fold this into v3.

Your approach of checking epoll right around shutdown() is much
better. I didn't think to put the check inside migrate_dance(). With
my original placement, the test still passed without patch 1 — I
should have called this out in the cover letter instead of settling
for what was effectively just a smoke test.




On Tue, Apr 21, 2026 at 3:20 PM Kuniyuki Iwashima <kuniyu@google.com> wrote:
>
> From: Zhenzhong Wu <jt26wzz@gmail.com>
> Date: Sun, 19 Apr 2026 02:13:33 +0800
> > After migrate_dance() moves established children to the target
> > listener, add it to an epoll set and verify that epoll_wait(..., 0)
> > reports it ready before accept().
> >
> > This adds epoll coverage for the TCP_ESTABLISHED reuseport migration
> > case in migrate_reuseport.
> >
> > Keep the check limited to TCP_ESTABLISHED cases. TCP_SYN_RECV and
> > TCP_NEW_SYN_RECV still depend on asynchronous handshake completion,
> > so a zero-timeout epoll_wait() would race there.
> >
> > Signed-off-by: Zhenzhong Wu <jt26wzz@gmail.com>
> > ---
> >  .../bpf/prog_tests/migrate_reuseport.c        | 32 ++++++++++++++++++-
> >  1 file changed, 31 insertions(+), 1 deletion(-)
> >
> > diff --git a/tools/testing/selftests/bpf/prog_tests/migrate_reuseport.c b/tools/testing/selftests/bpf/prog_tests/migrate_reuseport.c
> > index 653b0a20f..580a53424 100644
> > --- a/tools/testing/selftests/bpf/prog_tests/migrate_reuseport.c
> > +++ b/tools/testing/selftests/bpf/prog_tests/migrate_reuseport.c
> > @@ -18,13 +18,16 @@
> >   *   9. call shutdown() for the second server
> >   *        and migrate the requests in the accept queue
> >   *        to the last server socket.
> > - *  10. call accept() for the last server socket.
> > + *  10. for TCP_ESTABLISHED cases, call epoll_wait(..., 0)
> > + *        for the last server socket.
> > + *  11. call accept() for the last server socket.
> >   *
> >   * Author: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
> >   */
> >
> >  #include <bpf/bpf.h>
> >  #include <bpf/libbpf.h>
> > +#include <sys/epoll.h>
> >
> >  #include "test_progs.h"
> >  #include "test_migrate_reuseport.skel.h"
> > @@ -522,6 +525,33 @@ static void run_test(struct migrate_reuseport_test_case *test_case,
> >                       goto close_clients;
> >       }
> >
> > +     /* Only TCP_ESTABLISHED has already-migrated accept-queue entries
> > +      * here.  Later states still depend on follow-up handshake work.
> > +      */
> > +     if (test_case->state == BPF_TCP_ESTABLISHED) {
> > +             struct epoll_event ev = {
> > +                     .events = EPOLLIN,
> > +             };
> > +             int epfd;
> > +             int nfds;
> > +
> > +             epfd = epoll_create1(EPOLL_CLOEXEC);
> > +             if (!ASSERT_NEQ(epfd, -1, "epoll_create1"))
> > +                     goto close_clients;
> > +
> > +             ev.data.fd = test_case->servers[MIGRATED_TO];
> > +             if (!ASSERT_OK(epoll_ctl(epfd, EPOLL_CTL_ADD,
> > +                                      test_case->servers[MIGRATED_TO], &ev),
> > +                            "epoll_ctl"))
> > +                     goto close_epfd;
> > +
> > +             nfds = epoll_wait(epfd, &ev, 1, 0);
> > +             ASSERT_EQ(nfds, 1, "epoll_wait");
>
> Thanks for the update, but the test passes without patch 1.
>
> I think it would be best to test just after shutdown()
> where migration happens.
>
> Also, TCP_SYN_RECV should be covered in the same way.
>
> ---8<---
> diff --git a/tools/testing/selftests/bpf/prog_tests/migrate_reuseport.c b/tools/testing/selftests/bpf/prog_tests/migrate_reuseport.c
> index 580a534249a7..66fea936649e 100644
> --- a/tools/testing/selftests/bpf/prog_tests/migrate_reuseport.c
> +++ b/tools/testing/selftests/bpf/prog_tests/migrate_reuseport.c
> @@ -353,8 +353,29 @@ static int update_maps(struct migrate_reuseport_test_case *test_case,
>
>  static int migrate_dance(struct migrate_reuseport_test_case *test_case)
>  {
> +       struct epoll_event ev = {
> +               .events = EPOLLIN,
> +       };
> +       int epoll, nfds;
>         int i, err;
>
> +       if (test_case->state != BPF_TCP_NEW_SYN_RECV) {
> +               epoll = epoll_create1(0);
> +               if (!ASSERT_NEQ(epoll, -1, "epoll_create1"))
> +                       return -1;
> +
> +               ev.data.fd = test_case->servers[MIGRATED_TO];
> +               if (!ASSERT_OK(epoll_ctl(epoll, EPOLL_CTL_ADD,
> +                                        test_case->servers[MIGRATED_TO], &ev),
> +                              "epoll_ctl")) {
> +                       goto close_epoll;
> +               }
> +
> +               nfds = epoll_wait(epoll, &ev, 1, 0);
> +               if (!ASSERT_EQ(nfds, 0, "epoll_wait 1"))
> +                       goto close_epoll;
> +       }
> +
>         /* Migrate TCP_ESTABLISHED and TCP_SYN_RECV requests
>          * to the last listener based on eBPF.
>          */
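
Review bot: the guard at the top of migrate_dance() is
state != BPF_TCP_NEW_SYN_RECV, so TCP_SYN_RECV is now subject to the
zero-timeout epoll_wait() checks, while the quoted commit message says
a zero-timeout epoll_wait() would race for that state. Add a short
comment here saying why the listener is expected to be readable
synchronously for TCP_SYN_RECV once shutdown() has migrated the
requests; without that reasoning "epoll_wait 2" risks being flaky.
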
> @@ -368,6 +389,15 @@ static int migrate_dance(struct migrate_reuseport_test_case *test_case)
>         if (test_case->state == BPF_TCP_NEW_SYN_RECV)
>                 return 0;
>
> +       nfds = epoll_wait(epoll, &ev, 1, 0);
> +       if (!ASSERT_EQ(nfds, 1, "epoll_wait 2")) {
> +close_epoll:
> +               close(epoll);
> +               return -1;
> +       }
> +
> +       close(epoll);
> +
>         /* Note that we use the second listener instead of the
>          * first one here.
>          *
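
Review bot: the close_epoll label sits inside the body of the
"epoll_wait 2" if, and the first block jumps into it with goto; a label
at a conventional cleanup tail would read better. Also, epoll is
assigned only when state != BPF_TCP_NEW_SYN_RECV and is safe here only
because of the early return 0 just above, and any return between
epoll_create1() and this point that bypasses close_epoll leaks the
descriptor. Initialising epoll to -1 and closing it on every exit path
would make both explicit.
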
> @@ -525,33 +555,6 @@ static void run_test(struct migrate_reuseport_test_case *test_case,
>                         goto close_clients;
>         }
>
> -       /* Only TCP_ESTABLISHED has already-migrated accept-queue entries
> -        * here.  Later states still depend on follow-up handshake work.
> -        */
> -       if (test_case->state == BPF_TCP_ESTABLISHED) {
> -               struct epoll_event ev = {
> -                       .events = EPOLLIN,
> -               };
> -               int epfd;
> -               int nfds;
> -
> -               epfd = epoll_create1(EPOLL_CLOEXEC);
> -               if (!ASSERT_NEQ(epfd, -1, "epoll_create1"))
> -                       goto close_clients;
> -
> -               ev.data.fd = test_case->servers[MIGRATED_TO];
> -               if (!ASSERT_OK(epoll_ctl(epfd, EPOLL_CTL_ADD,
> -                                        test_case->servers[MIGRATED_TO], &ev),
> -                              "epoll_ctl"))
> -                       goto close_epfd;
> -
> -               nfds = epoll_wait(epfd, &ev, 1, 0);
> -               ASSERT_EQ(nfds, 1, "epoll_wait");
> -
> -close_epfd:
> -               close(epfd);
> -       }
> -
>         count_requests(test_case, skel);
>
>  close_clients:
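
Review bot: with the check removed from run_test(), the file header
comment added by the original patch (step 10, "for TCP_ESTABLISHED
cases, call epoll_wait(..., 0) for the last server socket", ahead of
accept()) no longer matches the code, and this diff has no hunk for it.
Update the step list to say that the readiness check now brackets
shutdown() in migrate_dance() and covers every state except
TCP_NEW_SYN_RECV.
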
> ---8<---


* [PATCH net] iavf: iavf_virtchnl_completion: drop duplicate ether_addr_equal() test
From: Corinna Vinschen @ 2026-04-21 11:12 UTC (permalink / raw)
  To: intel-wired-lan, netdev
  Cc: Jose Ignacio Tornos Martinez, Michal Schmidt, Corinna Vinschen,
	stable
In-Reply-To: <IA3PR11MB898664A49E614F197D4FED6EE52C2@IA3PR11MB8986.namprd11.prod.outlook.com>

This is just a simple cleanup fix.  Commit 35a2443d0910f ("iavf: Add
waiting for response from PF in set mac") introduced a duplicate
ether_addr_equal() check, so the current code tests the new MAC twice
against the former MAC.

Remove the outer ether_addr_equal() test, a remnant of commit c5c922b3e09b
("iavf: fix MAC address setting for VFs when filter is rejected").

Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
Fixes: 35a2443d0910f ("iavf: Add waiting for response from PF in set mac")
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
---
Added CC: stable@vger.kernel.org

 drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
index a52c100dcbc5..9b8e7e4376c2 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
@@ -2579,13 +2579,11 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
 	case VIRTCHNL_OP_ADD_ETH_ADDR:
 		if (!v_retval)
 			iavf_mac_add_ok(adapter);
-		if (!ether_addr_equal(netdev->dev_addr, adapter->hw.mac.addr))
-			if (!ether_addr_equal(netdev->dev_addr,
-					      adapter->hw.mac.addr)) {
-				netif_addr_lock_bh(netdev);
-				eth_hw_addr_set(netdev, adapter->hw.mac.addr);
-				netif_addr_unlock_bh(netdev);
-			}
+		if (!ether_addr_equal(netdev->dev_addr, adapter->hw.mac.addr)) {
+			netif_addr_lock_bh(netdev);
+			eth_hw_addr_set(netdev, adapter->hw.mac.addr);
+			netif_addr_unlock_bh(netdev);
+		}
 		wake_up(&adapter->vc_waitqueue);
 		break;
 	case VIRTCHNL_OP_GET_STATS: {
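
Review bot: the Fixes: tag, the stable CC and the net target are not
warranted by this hunk: the nested ether_addr_equal() tests it
collapses at the top of the VIRTCHNL_OP_ADD_ETH_ADDR case were
identical, so behaviour is unchanged. Consider sending it to net-next
without the tag and the CC.
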
-- 
2.53.0



* [PATCH] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
From: Morduan Zang @ 2026-04-21 11:10 UTC (permalink / raw)
  To: Petko Manolov
  Cc: Andrew Lunn, David S . Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, linux-usb, netdev, linux-kernel, Morduan Zang

When rtl8150_start_xmit() fails to submit the tx URB, the URB is never
handed to the USB core and write_bulk_callback() will not run.  The
driver returns NETDEV_TX_OK, which tells the networking stack that the
skb has been consumed, but nothing actually frees the skb on this
error path:

  dev->tx_skb = skb;
  ...
  if ((res = usb_submit_urb(dev->tx_urb, GFP_ATOMIC))) {
          ...
          /* no kfree_skb here */
  }
  return NETDEV_TX_OK;

This leaks the skb on every submit failure and also leaves dev->tx_skb
pointing at memory that the driver itself may later free, which is
fragile.

Free the skb with dev_kfree_skb_any() in the error path and clear
dev->tx_skb so no stale pointer is left behind.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Morduan Zang <zhangdandan@uniontech.com>
---
 drivers/net/usb/rtl8150.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index a0f790a368ba..d358b6d41a53 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -716,6 +716,13 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
 			netdev->stats.tx_errors++;
 			netif_start_queue(netdev);
 		}
+		/*
+		 * The URB was not submitted, so write_bulk_callback() will
+		 * never run to free dev->tx_skb.  Drop the skb here and
+		 * clear tx_skb to avoid leaving a stale pointer.
+		 */
+		dev->tx_skb = NULL;
+		dev_kfree_skb_any(skb);
 	} else {
 		netdev->stats.tx_packets++;
 		netdev->stats.tx_bytes += skb_len;
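
Review bot: the trailing context line
"netdev->stats.tx_bytes += skb_len;" relies on a local skb_len, which
the separate use-after-free patch for rtl8150_start_xmit() on this list
adds, and the index lines of the two patches do not chain
(6fc6be0cced6 there, a0f790a368ba here). Send the two as one series, or
state the base tree and the dependency below the --- line, so the patch
can be applied and reviewed in order.
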
-- 
2.50.1



* [PATCH] net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
From: Morduan Zang @ 2026-04-21 11:04 UTC (permalink / raw)
  To: petkan
  Cc: davem, edumazet, kuba, pabeni, andrew+netdev, linux-usb, netdev,
	linux-kernel, syzkaller-bugs, Zhan Jun,
	syzbot+3f46c095ac0ca048cb71

From: Zhan Jun <zhanjun@uniontech.com>

syzbot reported a KASAN slab-use-after-free read in rtl8150_start_xmit()
when accessing skb->len for tx statistics after usb_submit_urb() has
been called:

  BUG: KASAN: slab-use-after-free in rtl8150_start_xmit+0x71f/0x760
    drivers/net/usb/rtl8150.c:712
  Read of size 4 at addr ffff88810eb7a930 by task kworker/0:4/5226

The URB completion handler write_bulk_callback() frees the skb via
dev_kfree_skb_irq(dev->tx_skb). The URB may complete on another CPU
in softirq context before usb_submit_urb() returns in the submitter,
so by the time the submitter reads skb->len the skb has already been
queued to the per-CPU completion_queue and freed by net_tx_action():

  CPU A (xmit)                      CPU B (USB completion softirq)
  ------------                      ------------------------------
  dev->tx_skb = skb;
  usb_submit_urb()      --+
                          |-------> write_bulk_callback()
                          |           dev_kfree_skb_irq(dev->tx_skb)
                          |         net_tx_action()
                          |           napi_skb_cache_put()   <-- free
  netdev->stats.tx_bytes  |
    += skb->len;          <-- UAF read

Fix it by caching skb->len before submitting the URB and using the
cached value when updating the tx_bytes counter. This mirrors the
fix pattern used by other USB network drivers.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+3f46c095ac0ca048cb71@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69e69ee7.050a0220.24bfd3.002b.GAE@google.com/
Closes: https://syzkaller.appspot.com/bug?extid=3f46c095ac0ca048cb71
Signed-off-by: Zhan Jun <zhanjun@uniontech.com>
---
 drivers/net/usb/rtl8150.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index 4cda0643afb6..6fc6be0cced6 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -683,6 +683,7 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
 					    struct net_device *netdev)
 {
 	rtl8150_t *dev = netdev_priv(netdev);
+	unsigned int skb_len;
 	int count, res;
 
 	/* pad the frame and ensure terminating USB packet, datasheet 9.2.3 */
@@ -694,6 +695,14 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
 		return NETDEV_TX_OK;
 	}
 
+	/*
+	 * Cache skb->len before submitting the URB: the URB completion
+	 * handler (write_bulk_callback) frees the skb, and it may run
+	 * on another CPU before usb_submit_urb() returns, which would
+	 * leave skb dangling here.
+	 */
+	skb_len = skb->len;
+
 	netif_stop_queue(netdev);
 	dev->tx_skb = skb;
 	usb_fill_bulk_urb(dev->tx_urb, dev->udev, usb_sndbulkpipe(dev->udev, 2),
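
Review bot: the new comment above "skb_len = skb->len;" documents the
hazard only at the caching site, but the rule it protects covers the
rest of the function: once usb_submit_urb() has been called, skb may
already have been freed by write_bulk_callback(). Word the comment as
that ownership rule (skb must not be dereferenced after
usb_submit_urb()) so a later edit to the success or error branch does
not reintroduce the read, and it can be shortened at the same time.
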
@@ -709,7 +718,7 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
 		}
 	} else {
 		netdev->stats.tx_packets++;
-		netdev->stats.tx_bytes += skb->len;
+		netdev->stats.tx_bytes += skb_len;
 		netif_trans_update(netdev);
 	}
 
-- 
2.51.0



* Re: [PATCH net v8 00/15] net: sleepable ndo_set_rx_mode
From: patchwork-bot+netdevbpf @ 2026-04-21 11:00 UTC (permalink / raw)
  To: Stanislav Fomichev; +Cc: netdev, davem, edumazet, kuba, pabeni
In-Reply-To: <20260416185712.2155425-1-sdf@fomichev.me>

Hello:

This series was applied to netdev/net.git (main)
by Paolo Abeni <pabeni@redhat.com>:

On Thu, 16 Apr 2026 11:56:57 -0700 you wrote:
> This series adds a new ndo_set_rx_mode_async callback that enables
> drivers to handle address list updates in a sleepable context. The
> current ndo_set_rx_mode is called under the netif_addr_lock spinlock
> with BHs disabled, which prevents drivers from sleeping. This is
> problematic for ops-locked drivers that need to sleep.
> 
> The approach:
> 1. Add snapshot/reconcile infrastructure for address lists
> 2. Introduce dev_rx_mode_work that takes snapshots under the lock,
>    drops the lock, calls the driver, then reconciles changes back
> 3. Move promiscuity handling into the scheduled work as well
> 4. Convert existing ops-locked drivers to ndo_set_rx_mode_async
> 5. Add a warning for ops-locked drivers still using ndo_set_rx_mode
> 6. Add a selftest exercising the team+bridge+macvlan topology that
>    triggers the addr_lock -> ops_lock ordering issue
> 
> [...]

Here is the summary with links:
  - [net,v8,01/15] net: add address list snapshot and reconciliation infrastructure
    https://git.kernel.org/netdev/net/c/db9e726525e4
  - [net,v8,02/15] net: introduce ndo_set_rx_mode_async and netdev_rx_mode_work
    https://git.kernel.org/netdev/net/c/3554b4345d85
  - [net,v8,03/15] net: cache snapshot entries for ndo_set_rx_mode_async
    https://git.kernel.org/netdev/net/c/a4c833278144
  - [net,v8,04/15] net: move promiscuity handling into netdev_rx_mode_work
    https://git.kernel.org/netdev/net/c/7ef83bf1712b
  - [net,v8,05/15] fbnic: convert to ndo_set_rx_mode_async
    https://git.kernel.org/netdev/net/c/60dd9781e9b8
  - [net,v8,06/15] mlx5: convert to ndo_set_rx_mode_async
    https://git.kernel.org/netdev/net/c/5cf06fbdaf02
  - [net,v8,07/15] bnxt: convert to ndo_set_rx_mode_async
    https://git.kernel.org/netdev/net/c/f6c53cfa1217
  - [net,v8,08/15] bnxt: use snapshot in bnxt_cfg_rx_mode
    https://git.kernel.org/netdev/net/c/a453b5d9b3ed
  - [net,v8,09/15] iavf: convert to ndo_set_rx_mode_async
    https://git.kernel.org/netdev/net/c/d071c15b43e9
  - [net,v8,10/15] netdevsim: convert to ndo_set_rx_mode_async
    https://git.kernel.org/netdev/net/c/8a5df09e70c2
  - [net,v8,11/15] dummy: convert to ndo_set_rx_mode_async
    https://git.kernel.org/netdev/net/c/4d157e89bde4
  - [net,v8,12/15] netkit: convert to ndo_set_rx_mode_async
    https://git.kernel.org/netdev/net/c/754b7e1169a7
  - [net,v8,13/15] net: warn ops-locked drivers still using ndo_set_rx_mode
    https://git.kernel.org/netdev/net/c/3cbd22938877
  - [net,v8,14/15] selftests: net: add team_bridge_macvlan rx_mode test
    https://git.kernel.org/netdev/net/c/ee514cdb07b3
  - [net,v8,15/15] selftests: net: use ip commands instead of teamd in team rx_mode test
    https://git.kernel.org/netdev/net/c/c4dde411bc36

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html


