Netdev List
* Re: [PATCH net-deletions] net: remove ax25 and amateur radio (hamradio) subsystem
From: Jiri Slaby @ 2026-06-27 19:04 UTC (permalink / raw)
  To: Jakub Kicinski, davem
  Cc: netdev, edumazet, pabeni, andrew+netdev, horms, corbet, skhan,
	federico.vaga, carlos.bilbao, avadhut.naik, alexs, si.yanteng,
	dzm91, 2023002089, tsbogend, dsahern, jani.nikula, mchehab+huawei,
	gregkh, tytso, herbert, ebiggers, johannes.berg, geert, pablo,
	tglx, mashiro.chen, mingo, dqfext, jreuter, sdf, pkshih,
	enelsonmoore, mkl, toke, kees, crossd, jlayton, wangliang74,
	aha310510, takamitz, kuniyu, linux-doc, linux-mips
In-Reply-To: <20260421021824.1293976-1-kuba@kernel.org>

On 21. 04. 26, 4:18, Jakub Kicinski wrote:
> Remove the amateur radio (AX.25, NET/ROM, ROSE) protocol implementation
> and all associated hamradio device drivers from the kernel tree.
> This set of protocols has long been a huge bug/syzbot magnet,
> and since nobody stepped up to help us deal with the influx
> of the AI-generated bug reports we need to move it out of tree
> to protect our sanity.
> 
> The code is moved to an out-of-tree repo:
> https://github.com/linux-netdev/mod-orphan
> if it's cleaned up and reworked there we can accept it back.
> 
> Minimal stub headers are kept for include/net/ax25.h (AX25_P_IP,
> AX25_ADDR_LEN, ax25_address) and include/net/rose.h (ROSE_ADDR_LEN)
> so that the conditional integration code in arp.c and tun.c continues
> to compile and work when the out-of-tree modules are loaded.
...
>   delete mode 100644 include/uapi/linux/scc.h
Unfortunately, this broke builds of LLVM -- compiler-rt in particular 
(and GCC builds allegedly too). They dropped the include and its use 
[1], but IMO we should keep the uapi header with those two structs 
(scc_modem + scc_stat) for some time.

[1] 
https://github.com/llvm/llvm-project/commit/3dc4fd6dd41100f051a63642f449b16324389c96

thanks,
-- 
js
suse labs

^ permalink raw reply

* [PATCH net] usbnet: gl620a: fix out-of-bounds read in genelink_rx_fixup()
From: Xiang Mei @ 2026-06-27 20:53 UTC (permalink / raw)
  To: Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, netdev
  Cc: linux-usb, linux-kernel, Weiming Shi, Xiang Mei

genelink_rx_fixup() splits an aggregated RX frame into its individual
packets, using a per-packet length taken from device-supplied data. That
length is only bounded by GL_MAX_PACKET_LEN (1514); it is never compared
against how many bytes were actually received.

A malicious GeneLink (GL620A) device can therefore send a short URB whose
header claims packet_count > 1 and a first packet of up to 1514 bytes.

	skb_put_data(gl_skb, packet->packet_data, size);

then copies past the end of the receive buffer and hands the adjacent slab
contents up the network stack, an out-of-bounds read that leaks kernel heap.
No privilege is required: the path runs in the usbnet RX softirq as soon as
the interface is up.

  BUG: KASAN: slab-out-of-bounds in genelink_rx_fixup (drivers/net/usb/gl620a.c:112)
  Read of size 1514 at addr ffff888011309708 by task ksoftirqd/0/14
  Call Trace:
    ...
    __asan_memcpy (mm/kasan/shadow.c:105)
    genelink_rx_fixup (include/linux/skbuff.h:2814 drivers/net/usb/gl620a.c:112)
    usbnet_bh (drivers/net/usb/usbnet.c:572 drivers/net/usb/usbnet.c:1589)
    process_one_work (kernel/workqueue.c:3322)
    bh_worker (kernel/workqueue.c:3405)
    tasklet_action (kernel/softirq.c:965)
    handle_softirqs (kernel/softirq.c:622)
    run_ksoftirqd (kernel/softirq.c:1076)
    ...

skb_pull() already verifies that the requested length fits the buffer and
returns NULL otherwise. Move it ahead of the copy and check its result, so
a packet that overruns the received data is rejected before it is read.
Well-formed frames, whose packets are fully present, are unaffected.

Fixes: 47ee3051c856 ("[PATCH] USB: usbnet (5/9) module for genesys gl620a cables")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Xiang Mei <xmei5@asu.edu>
---
 drivers/net/usb/gl620a.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/usb/gl620a.c b/drivers/net/usb/gl620a.c
index 0bfa37c14059..09afd137b64e 100644
--- a/drivers/net/usb/gl620a.c
+++ b/drivers/net/usb/gl620a.c
@@ -104,6 +104,9 @@ static int genelink_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
 			return 0;
 		}
 
+		if (!skb_pull(skb, size + 4))
+			return 0;
+
 		// allocate the skb for the individual packet
 		gl_skb = alloc_skb(size, GFP_ATOMIC);
 		if (gl_skb) {
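
Review bot: the new "if (!skb_pull(skb, size + 4)) return 0;" path drops
the frame silently. A frame whose claimed length exceeds what was received
is the case worth seeing in the field, so consider a netdev_dbg() and an
rx error counter increment before the return, plus a one-line comment
saying that the pull now serves as the bounds check as well as advancing
skb->data. The literal 4 is the packet length field; a sizeof() on that
field would make the arithmetic self-documenting.
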
@@ -116,9 +119,6 @@ static int genelink_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
 		// advance to the next packet
 		packet = (struct gl_packet *)&packet->packet_data[size];
 		count--;
-
-		// shift the data pointer to the next gl_packet
-		skb_pull(skb, size + 4);
 	}
 
 	// skip the packet length field 4 bytes
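
Review bot: the comment "shift the data pointer to the next gl_packet" is
deleted together with the call at the bottom of the loop, and the relocated
skb_pull() carries no comment of its own. packet is still advanced here by
pointer arithmetic while skb->data is now advanced earlier, so a short
comment at the new call site noting that the two must stay in step would
help the next reader.
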
-- 
2.43.0


^ permalink raw reply related

* Re: [PATCH net v2 1/1] net/sched: sch_teql: Introduce slaves_lock to avoid race condition and UAF
From: Jamal Hadi Salim @ 2026-06-27 21:03 UTC (permalink / raw)
  To: Simon Horman
  Cc: netdev, davem, edumazet, kuba, pabeni, jiri, victor, security,
	zdi-disclosures, stable, kernel test robot
In-Reply-To: <20260627163602.GG1310988@horms.kernel.org>

On Sat, Jun 27, 2026 at 12:36 PM Simon Horman <horms@kernel.org> wrote:
>
> On Fri, Jun 26, 2026 at 12:11:47PM -0400, Jamal Hadi Salim wrote:
> > Hi Simon,
> >
> > On Fri, Jun 26, 2026 at 10:15 AM Simon Horman <horms@kernel.org> wrote:
> > >
> > > On Fri, Jun 26, 2026 at 06:16:43AM -0400, Jamal Hadi Salim wrote:
> > > > "
> > > >
> > > > On Wed, Jun 24, 2026 at 6:40 PM Jamal Hadi Salim <jhs@mojatatu.com> wrote:
> > > > >
> > > > > The teql master->slaves singly linked list is not protected against
> > > > > > multiple writes. It can be mod'ed concurrently from teql_master_xmit(),
> > > > > teql_dequeue(), teql_init() and teql_destroy() without holding any list
> > > > > lock or RCU protection.
> > > > >
> > > > > zdi-disclosures@trendmicro.com has demonstrated that the qdisc is freed
> > > > > after an RCU grace period, but teql_master_xmit() running on another
> > > > > CPU can still hold a stale pointer into the list, resulting in a
> > > > > slab-use-after-free:
> > > > >
> > > > > BUG: KASAN: slab-use-after-free in teql_destroy+0x3ca/0x440 linux/net/sched/sch_teql.c:142
> > > > > Read of size 8 at addr ffff88802923aa80 by task ip/10024
> > > > >
> > > > > The zdi-disclosures@trendmicro.com repro created concurrent AF_PACKET
> > > > > senders on a teql device against a thread that repeatedly adds/deletes the
> > > > > slave qdisc, together with a SLUB spray that reclaims the freed slot; the
> > > > > resulting UAF is controllable enough to be turned into a read/write
> > > > > primitive against the freed qdisc object.
> > > > >
> > > > > The fix?
> > > > > Add a per-master slaves_lock spinlock that serializes all mutations of
> > > > > master->slaves and the NEXT_SLAVE() links in teql_destroy() and
> > > > > teql_qdisc_init(). teql_master_xmit() also takes the same slaves_lock
> > > > > around those updates.
> > > > > Annotate master->slaves and the per-slave ->next pointer with __rcu and
> > > > > use the appropriate RCU accessors everywhere they are touched:
> > > > > rcu_assign_pointer() on the writer side (under slaves_lock),
> > > > > rcu_dereference_protected() for the writer-side loads (also under
> > > > > slaves_lock), rcu_dereference_bh() for the loads in teql_master_xmit() and
> > > > > rtnl_dereference() for the loads in teql_master_open()/teql_master_mtu(),
> > > > > which run under RTNL.
> > > > > Pair this with rcu_read_lock_bh()/rcu_read_unlock_bh() around the list
> > > > > traversal in teql_master_xmit(), so that readers either observe a fully
> > > > > linked list or are deferred until the in-flight mutation completes. The two
> > > > > early-return paths in teql_master_xmit() are updated to release the RCU-bh
> > > > > read-side critical section before returning, since leaving it held would
> > > > > disable BH on that CPU for good.
> > > > >
> > > >
> > > > sashiko-gemini's complaints:
> > > > https://sashiko.dev/#/patchset/20260624224016.24018-1-jhs%40mojatatu.com
> > > > seem bogus to me (someone correct me if i am wrong). I am only going
> > > > to address the first claim of "TOCTOU / "resurrection" race in
> > > > teql_master_xmit()"
> > > > teql_master_xmit() holds rcu_read_lock_bh() across the entire
> > > > traversal. teql_destroy() freeing can only proceed once the qdisc's
> > > > RCU grace period has elapsed - so where is this TOCTOU? Let's say this
> > > > were true: both calls hold the slaves_lock.
> > > > The other issues are of similar nature.
> > >
> > > Hi Jamal,
> > >
> > > I think the central question here is about the protection offered by RCU
> > > in these code paths. And while I agree it protects the use of elements
> > > of the list, I think the problem flagged relates to the management of
> > > the list itself.
> > >
> > > The example AI gave me when I asked is like this:
> > >
> > >     Assume a TEQL master has one slave, `q`.
> > >     The list is circular: `q->next == q`.
> > >
> > >     1. CPU A (Transmitting): Enters `teql_master_xmit()`.
> > >        It reads `master->slaves` and gets a local pointer to `q`.
> > >
> > >     2.  CPU B (Destroying): Calls `teql_destroy(q)`.
> > >         It takes the lock, unlinks `q`, and sets `master->slaves = NULL`.
> > >         The list is now logically empty.
> > >
> > >     3.  CPU A: Finishes its work and prepares to rotate the list head
> > >         to the next slave.
> > >         It takes the lock.
> > >
> > >     4.  CPU A (The "Use" / The Resurrection):
> > >         It executes: `rcu_assign_pointer(master->slaves, NEXT_SLAVE(q));`
> > >         Because `q` was circular, `NEXT_SLAVE(q)` is still `q`.
> > >
> > >     5.  CPU A: Releases the lock.
> > >         **The global `master->slaves` is now `q` again.**
> > >
> > >     6.  The System: The RCU grace period expires. CPU B finishes
> > >         `teql_destroy()` and the memory for `q` is freed.
> > >
> > >     The global `master->slaves` pointer is now a **dangling pointer**
> > >     pointing to freed memory.
> > >
> >
> >
> > Yeah, that's the same earlier claim of TOCTOU (what sashiko-gemini
> > claimed was "resurrecting the freed q")
> > My view is rcu read lock blocks the subsequent call_rcu free - and
> > destroy() and xmit() already serialize on slaves_lock.
>
> The read of master->slaves is outside of the slaves_lock critical
> section(s) in teql_master_xmit(). This is possibly the nub of this issue.
>

Yes, i think this could cause an issue on a second run of xmit() ;->
Let me ponder on it. I will probably have something tomorrow..

cheers,
jamal
> > I could be totally wrong, but it's almost like sashiko-gemini thinks
> > that the list-mutation lock _alone_ governs the object lifetime.
> > The rcu read-side critical section prevents the UAF, not just the
> > slaves_lock alone
> > Only reason i added slaves_lock was to prevent corrupting the list
> > state (whereas the RCU read lock prevents premature free).
> >
> > In step #4 above this thing somehow leaves out any mention of the rcu
> > read lock entirely and places the free in step 6 as if it was
> > independent of CPU A's critical section.
>
> I see what you are saying regarding the free not occurring at step 4
> because CPU A is in an RCU read-side critical section.
>
> But once CPU A has assigned master->slaves as q (again) it exits
> the RCU read-side critical section. Then the free of q can occur.
> And master->slaves will point to memory that has been freed.
>
> So the access to q is safe when teql_master_xmit is invoked, due to RCU
> protecting object lifetime.  But it is unsafe when teql_master_xmit is
> invoked again because by then master->slaves is a dangling pointer.
>
> >
> > I am not sure how to improve it.
> >
> > > > OTOH, sashiko-claude
> > > > (https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260624224016.24018-1-jhs%40mojatatu.com)
> > > > does make some valid claims which are low value, so not sure a resend
> > > > is worth it.
> > > > For example in claim 1 it says "Should the changelog mention this
> > > > teql_dequeue() site too?" Sure I can - but just because I provided
> > > > extra information in the commit log, which I could have omitted, now I
> > > > have to add more info? ;->
> > >
> > > FWIIW, I think there is a value in tightening up the commit message.
> > > E.g. so it's accurate when we look at it again in two years' time.
> > > But I also lean towards it not being necessary to post an update
> > > only to address this.
> > >
> > >
> > > > The second claim is "rcu_dereference_bh()
> > > > should be rcu_dereference_protected() on writer side". Sparse didn't
> > > > complain and i don't see this as breakage rather a consistency measure.
> > >
> > > I think it would be good to address in the long run.  But as per my comment
> > > immediately above, I also lean towards it not being necessary to post an
> > > update only to address this.
> >
> > I can resend with these two taken care of - but i am skeptical of what
> > sashiko-gemini is claiming (and i admit as a human the AI may see
> > something i am totally missing).
> >
> > cheers,
> > jamal
> > >
> > > > Unless I am missing something ..
> > > >
> > > > cheers,
> > > > jamal

^ permalink raw reply

* Re: [PATCH net-next v14 0/9] tls: Add TLS 1.3 hardware offload support
From: Nils Juenemann @ 2026-06-27 21:06 UTC (permalink / raw)
  To: rjethwani
  Cc: borisp, davem, edumazet, john.fastabend, kuba, leon, mbloch,
	netdev, pabeni, saeedm, sd, tariqt
In-Reply-To: <20260515212715.3151307-1-rjethwani@purestorage.com>

Hi Rishikesh, all,

thanks for picking up the sendfile/EOF fix in tls_device_splice_eof().

Separate issue we hit while testing, looks pre-existing in mlx5e
rather than v14: a NULL deref on the RX offload path. Trigger is
ethtool -L <dev> combined 32 (down from 64) under HW-kTLS load,
then a TLS_RX offload setup:

BUG: unable to handle page fault for address: 00000000000031c0
RIP: mlx5e_ktls_add_rx+0x268 [mlx5_core]
Call Trace:
mlx5e_ktls_add
tls_device_dev_add_rx
tls_set_device_offload_rx
tls_setsockopt

sk_rx_queue_get(sk) returns a stale rxq (62 here) after the
reduction; mlx5e_ktls_sk_get_rxq() only guards rxq == -1, so
mlx5e_ktls_add_rx() dereferences priv->channels.c[62], which
appears to be NULL. The resync paths index
priv->channels.c[priv_rx->rxq] the same way. This path is not
TLS 1.3 specific.

I do not have a proposed fix yet. Happy to share the full
decoded oops / additional kdump details or test patches.

Thanks again,
Nils Juenemann

^ permalink raw reply

* Re: [PATCH] netfilter: x_tables: replace strlcat() with snprintf()
From: David Laight @ 2026-06-27 21:16 UTC (permalink / raw)
  To: Ian Bridges
  Cc: Pablo Neira Ayuso, Florian Westphal, Phil Sutter, David S. Miller,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman,
	netfilter-devel, coreteam, netdev, linux-kernel, linux-hardening
In-Reply-To: <aj78X4Cjqcpbb8Co@dev>

On Fri, 26 Jun 2026 17:25:35 -0500
Ian Bridges <icb@fastmail.org> wrote:

> In preparation for removing the deprecated strlcat() API[1], replace the
> strscpy()/strlcat() pairs in xt_proto_init() and xt_proto_fini() with
> snprintf(), which builds each /proc file name in a single call.
> 
> Each name is "<prefix><suffix>", where <prefix> is the address-family
> string xt_prefix[af] and <suffix> is one of the FORMAT_TABLES,
> FORMAT_MATCHES or FORMAT_TARGETS literals. snprintf() with a "%s%s"
> format produces the same NUL-terminated, length-bounded string as the
> strscpy()/strlcat() chain it replaces, so the proc entry names are
> unchanged.
> 
> Link: https://github.com/KSPP/linux/issues/370 [1]
> Signed-off-by: Ian Bridges <icb@fastmail.org>
> ---
>  net/netfilter/x_tables.c | 24 ++++++++----------------
>  1 file changed, 8 insertions(+), 16 deletions(-)
> 
> diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
> index 4e6708c23922..56f4546be336 100644
> --- a/net/netfilter/x_tables.c
> +++ b/net/netfilter/x_tables.c
> @@ -2033,8 +2033,7 @@ int xt_proto_init(struct net *net, u_int8_t af)
>  	root_uid = make_kuid(net->user_ns, 0);
>  	root_gid = make_kgid(net->user_ns, 0);
>  
> -	strscpy(buf, xt_prefix[af], sizeof(buf));
> -	strlcat(buf, FORMAT_TABLES, sizeof(buf));
> +	snprintf(buf, sizeof(buf), "%s%s", xt_prefix[af], FORMAT_TABLES);

If you are going to use snprintf either paste the strings together:
	snprintf(buf, sizeof(buf), "%s" FORMAT_TABLES, xt_prefix[af]);
or prepend the "%s" onto the #define of FORMAT_TABLES itself:
	snprintf(buf, sizeof(buf), FORMAT_TABLES, xt_prefix[af]);

FORMAT_TABLES should also be FORMAT_NAMES.

-- David

>  	proc = proc_create_net_data(buf, 0440, net->proc_net, &xt_table_seq_ops,
>  			sizeof(struct seq_net_private),
>  			(void *)(unsigned long)af);
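
Review bot: in this first snprintf() call the return value is ignored, so
a prefix plus suffix longer than sizeof(buf) would be truncated silently
and proc_create_net_data() would register the shortened name. The
strscpy()/strlcat() pair had the same property, so this is not a
regression, but since the line is being rewritten anyway a WARN_ON_ONCE()
on a return value >= sizeof(buf) would make the length assumption explicit.
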
> @@ -2043,8 +2042,7 @@ int xt_proto_init(struct net *net, u_int8_t af)
>  	if (uid_valid(root_uid) && gid_valid(root_gid))
>  		proc_set_user(proc, root_uid, root_gid);
>  
> -	strscpy(buf, xt_prefix[af], sizeof(buf));
> -	strlcat(buf, FORMAT_MATCHES, sizeof(buf));
> +	snprintf(buf, sizeof(buf), "%s%s", xt_prefix[af], FORMAT_MATCHES);
>  	proc = proc_create_seq_private(buf, 0440, net->proc_net,
>  			&xt_match_seq_ops, sizeof(struct nf_mttg_trav),
>  			(void *)(unsigned long)af);
> @@ -2053,8 +2051,7 @@ int xt_proto_init(struct net *net, u_int8_t af)
>  	if (uid_valid(root_uid) && gid_valid(root_gid))
>  		proc_set_user(proc, root_uid, root_gid);
>  
> -	strscpy(buf, xt_prefix[af], sizeof(buf));
> -	strlcat(buf, FORMAT_TARGETS, sizeof(buf));
> +	snprintf(buf, sizeof(buf), "%s%s", xt_prefix[af], FORMAT_TARGETS);
>  	proc = proc_create_seq_private(buf, 0440, net->proc_net,
>  			 &xt_target_seq_ops, sizeof(struct nf_mttg_trav),
>  			 (void *)(unsigned long)af);
> @@ -2068,13 +2065,11 @@ int xt_proto_init(struct net *net, u_int8_t af)
>  
>  #ifdef CONFIG_PROC_FS
>  out_remove_matches:
> -	strscpy(buf, xt_prefix[af], sizeof(buf));
> -	strlcat(buf, FORMAT_MATCHES, sizeof(buf));
> +	snprintf(buf, sizeof(buf), "%s%s", xt_prefix[af], FORMAT_MATCHES);
>  	remove_proc_entry(buf, net->proc_net);
>  
>  out_remove_tables:
> -	strscpy(buf, xt_prefix[af], sizeof(buf));
> -	strlcat(buf, FORMAT_TABLES, sizeof(buf));
> +	snprintf(buf, sizeof(buf), "%s%s", xt_prefix[af], FORMAT_TABLES);
>  	remove_proc_entry(buf, net->proc_net);
>  out:
>  	return -1;
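
Review bot: the out_remove_matches and out_remove_tables labels rebuild
the same names that were built for creation above, now as two more copies
of the same snprintf() line. A small helper taking af and the FORMAT_*
suffix would keep the create and remove paths from drifting apart, and
would leave a single place to apply the format-string change suggested
earlier in this reply.
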
> @@ -2087,16 +2082,13 @@ void xt_proto_fini(struct net *net, u_int8_t af)
>  #ifdef CONFIG_PROC_FS
>  	char buf[XT_FUNCTION_MAXNAMELEN];
>  
> -	strscpy(buf, xt_prefix[af], sizeof(buf));
> -	strlcat(buf, FORMAT_TABLES, sizeof(buf));
> +	snprintf(buf, sizeof(buf), "%s%s", xt_prefix[af], FORMAT_TABLES);
>  	remove_proc_entry(buf, net->proc_net);
>  
> -	strscpy(buf, xt_prefix[af], sizeof(buf));
> -	strlcat(buf, FORMAT_TARGETS, sizeof(buf));
> +	snprintf(buf, sizeof(buf), "%s%s", xt_prefix[af], FORMAT_TARGETS);
>  	remove_proc_entry(buf, net->proc_net);
>  
> -	strscpy(buf, xt_prefix[af], sizeof(buf));
> -	strlcat(buf, FORMAT_MATCHES, sizeof(buf));
> +	snprintf(buf, sizeof(buf), "%s%s", xt_prefix[af], FORMAT_MATCHES);
>  	remove_proc_entry(buf, net->proc_net);
>  #endif /*CONFIG_PROC_FS*/
>  }


^ permalink raw reply

* Re: [RFC PATCH net-next] netpoll: hold RCU while walking napi_list
From: Jakub Kicinski @ 2026-06-27 21:21 UTC (permalink / raw)
  To: Runyu Xiao
  Cc: davem, edumazet, pabeni, horms, leitao, sashal, bigeasy, netdev,
	linux-kernel, jianhao.xu
In-Reply-To: <20260627101228.1191586-1-runyu.xiao@seu.edu.cn>

On Sat, 27 Jun 2026 18:12:28 +0800 Runyu Xiao wrote:
> CONFIG_PROVE_RCU_LIST reports the poll_napi() traversal when the helper
> is exercised directly from netpoll_poll_dev(). The current source has
> important lifetime defenses around NAPI deletion and netpoll device
> close, so this is not presented as a proven use-after-free. The issue is
> that the RCU-list reader contract is implicit at the helper boundary.

Please provide the stack trace from the report, rather than just saying
that you can trigger it.
-- 
pw-bot: rfc

^ permalink raw reply

* Re: [PATCH] netdevsim: remove debugfs files before freeing net_device
From: Jakub Kicinski @ 2026-06-27 21:21 UTC (permalink / raw)
  To: syzbot
  Cc: syzkaller-bugs, Andrew Lunn, David S. Miller, Eric Dumazet,
	netdev, Paolo Abeni, linux-kernel, syzbot
In-Reply-To: <f15205c4-30e1-454f-97e6-92067a74f98f@mail.kernel.org>

On Sat, 27 Jun 2026 11:20:11 +0000 (UTC) syzbot wrote:
> A KASAN slab-use-after-free was detected in debugfs_u32_get() when reading
> a debugfs file associated with a netdevsim port.

Please read the replies to previous submissions:
https://lore.kernel.org/all/20260626184856.4b7f5228@kernel.org/
-- 
pw-bot: cr

^ permalink raw reply

* Re: [PATCH net-next v2] r8169: migrate Rx path to page_pool
From: Jakub Kicinski @ 2026-06-27 21:24 UTC (permalink / raw)
  To: atharva-potdar
  Cc: Heiner Kallweit, nic_swsd, Andrew Lunn, David S . Miller,
	Eric Dumazet, Paolo Abeni, Francois Romieu, netdev
In-Reply-To: <20260627035241.59689-1-atharvapotdar07@gmail.com>

On Sat, 27 Jun 2026 09:22:41 +0530 atharva-potdar wrote:
> Signed-off-by: atharva-potdar <atharvapotdar07@gmail.com>

net-next is closed see the process documentation

Please also spell our name in a more usual way.

^ permalink raw reply

* [PATCH net] net: usb: net1080: validate packet_len before pad-byte access in rx_fixup
From: Xiang Mei @ 2026-06-27 21:28 UTC (permalink / raw)
  To: Andrew Lunn, David S . Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, netdev, linux-usb
  Cc: linux-kernel, Weiming Shi, Xiang Mei

net1080_rx_fixup() only bounds the device-supplied packet_len against
NC_MAX_PACKET. When packet_len is even it reads skb->data[packet_len] to
check the pad byte, before the skb->len != packet_len check further down.

A malicious NetChip 1080 device can send a short frame advertising a
large even packet_len (e.g. 0x4000), so the pad-byte read lands past the
end of the skb:

  BUG: KASAN: slab-out-of-bounds in net1080_rx_fixup
  Read of size 1 at addr ffff8880106c83c6 by task ksoftirqd/0/14
   ...
   net1080_rx_fixup (drivers/net/usb/net1080.c:384)
   usbnet_bh (drivers/net/usb/usbnet.c:1589)
   process_one_work (kernel/workqueue.c:3322)
   bh_worker (kernel/workqueue.c:3708)
   tasklet_action (kernel/softirq.c:965)
   handle_softirqs (kernel/softirq.c:622)
   ...

Reject the frame if packet_len leaves no room for the pad byte. Valid
even-length frames carry one pad byte (skb->len == packet_len + 1), so
legitimate traffic is unaffected.

Fixes: 904813cd8a0b ("[PATCH] USB: usbnet (4/9) module for net1080 cables")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Xiang Mei <xmei5@asu.edu>
---
 drivers/net/usb/net1080.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/net/usb/net1080.c b/drivers/net/usb/net1080.c
index 5d4a1fd2b524..364c19bd822f 100644
--- a/drivers/net/usb/net1080.c
+++ b/drivers/net/usb/net1080.c
@@ -381,6 +381,13 @@ static int net1080_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
 	skb_trim(skb, skb->len - sizeof *trailer);
 
 	if ((packet_len & 0x01) == 0) {
+		if (packet_len >= skb->len) {
+			dev->net->stats.rx_frame_errors++;
+			netdev_dbg(dev->net, "bad packet len %d (expected %d)\n",
+				   skb->len, packet_len);
+			nc_ensure_sync(dev);
+			return 0;
+		}
 		if (skb->data [packet_len] != PAD_BYTE) {
 			dev->net->stats.rx_frame_errors++;
 			netdev_dbg(dev->net, "bad pad\n");
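
Review bot: the netdev_dbg() in the added block prints skb->len as the
"bad packet len" and packet_len as "expected", but on this path it is the
device-supplied packet_len that is out of range, and skb->len is unsigned
so %d is the wrong conversion for it. A message along the lines of
"packet_len leaves no room for pad byte" with %u for skb->len would
describe the failure accurately. The placement of the check, after
skb_trim() and before the skb->data[packet_len] read, looks right.
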
-- 
2.43.0


^ permalink raw reply related
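
The length checks from the two usbnet fixes (gl620a earlier on this page and net1080 in the message above), as a userspace C model added here for illustration; it is not code from either patch or from the kernel. The frame layout (le32 packet count, then le32 length plus data per packet), the PAD_BYTE value, the sample frames and all helper names are assumptions of the model, and the gl620a last-packet special case is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GL_MAX_PACKET_LEN 1514	/* bound named in the gl620a commit message */
#define PAD_BYTE 0xAC		/* constructed value for this model */

/* Constructed frames (assumed layout: le32 count, then le32 length + data). */
static const uint8_t GL_GOOD[] = { 2,0,0,0, 3,0,0,0, 'a','b','c', 2,0,0,0, 'd','e' };
/* Claims 2 packets, the first 1514 (0x05ea) bytes long; only 4 bytes follow. */
static const uint8_t GL_SHORT[] = { 2,0,0,0, 0xea,0x05,0,0, 1,2,3,4 };
static const uint8_t NC_EVEN[] = { 1, 2, 3, 4, PAD_BYTE };	/* packet_len 4 + pad */
static const uint8_t NC_SHORT[] = { 1, 2, 3, 4 };		/* will claim 0x4000 */
static uint8_t OUT[64];

struct view { const uint8_t *data; size_t len; };

/* Like skb_pull(): advance only if n bytes are really present. */
static const uint8_t *view_pull(struct view *v, size_t n)
{
	if (n > v->len)
		return NULL;
	v->data += n;
	v->len -= n;
	return v->data;
}

static uint32_t le32(const uint8_t *p)
{
	return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Bytes beyond the frame that copying the first packet would touch when its
 * length is bounded only by GL_MAX_PACKET_LEN. Computed, never read. */
size_t gl_first_packet_overread(const uint8_t *frame, size_t len)
{
	size_t size;

	if (len < 8)
		return 0;
	size = le32(frame + 4);
	if (size > GL_MAX_PACKET_LEN || 8 + size <= len)
		return 0;
	return 8 + size - len;
}

/* Split an aggregated frame; returns payload bytes copied, or -1 on reject. */
int gl_split(const uint8_t *frame, size_t len, uint8_t *out, size_t cap)
{
	struct view v = { frame, len };
	size_t copied = 0, size;
	uint32_t count;

	if (v.len < 4)
		return -1;
	count = le32(v.data);
	view_pull(&v, 4);
	while (count--) {
		const uint8_t *pkt = v.data;

		if (v.len < 4 || (size = le32(pkt)) > GL_MAX_PACKET_LEN)
			return -1;
		/* Order from the fix: prove size + 4 bytes arrived, then copy. */
		if (!view_pull(&v, size + 4) || size > cap - copied)
			return -1;
		memcpy(out + copied, pkt + 4, size);
		copied += size;
	}
	return (int)copied;
}

/* net1080-style check on the payload left after header and trailer removal. */
int nc_check(const uint8_t *payload, size_t len, uint16_t packet_len)
{
	if ((packet_len & 1) == 0) {
		if (packet_len >= len)		/* no room for the pad byte */
			return -1;
		if (payload[packet_len] != PAD_BYTE)
			return -1;
		len--;				/* drop the pad byte */
	}
	return len == packet_len ? 0 : -1;
}

int main(void)
{
	printf("gl good:  %d bytes\n", gl_split(GL_GOOD, sizeof GL_GOOD, OUT, sizeof OUT));
	printf("gl short: %d (unchecked copy would over-read %zu bytes)\n",
	       gl_split(GL_SHORT, sizeof GL_SHORT, OUT, sizeof OUT),
	       gl_first_packet_overread(GL_SHORT, sizeof GL_SHORT));
	printf("nc even:  %d\n", nc_check(NC_EVEN, sizeof NC_EVEN, 4));
	printf("nc short: %d\n", nc_check(NC_SHORT, sizeof NC_SHORT, 0x4000));
	return 0;
}
```
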

* Re: [PATCH net-next] Documentation: networking: Add a test plan for ethtool pause validation
From: Jakub Kicinski @ 2026-06-27 21:30 UTC (permalink / raw)
  To: Maxime Chevallier
  Cc: Andrew Lunn, davem, Eric Dumazet, Paolo Abeni, Simon Horman,
	Russell King, Heiner Kallweit, Jonathan Corbet, Shuah Khan,
	Oleksij Rempel, Vladimir Oltean, Florian Fainelli,
	thomas.petazzoni, netdev, linux-kernel, linux-doc
In-Reply-To: <12b66ea3-42df-4ecb-8eb7-44471407b83f@bootlin.com>

On Sat, 27 Jun 2026 07:34:31 +0200 Maxime Chevallier wrote:
> > This is very far from what existing python tests do in netdev.  
> 
> We can probably drop the class, as it is with this discussion, it's merely a way
> to regroup doc common to similar tests. The rest really is the usual set of
> ksft funcs you can feed to the run function, with a set of ksft_ethtool_*
> annotators for generic checks.

The common way of checking prereqs in the tests is to call a function
called require_xyz() which then raises a skip. At a quick glance - the
rss_api and xdp_metadata are good tests to get a sense of the usual format.

^ permalink raw reply

* Re: [PATCH net v2 1/1] net: sched: ets: avoid deficit wrap and bound empty dequeue rounds
From: Jakub Kicinski @ 2026-06-27 22:14 UTC (permalink / raw)
  To: Ren Wei
  Cc: netdev, jhs, jiri, davem, petrm, yuantan098, yifanwucs,
	tomapufckgml, zcliangcn, bird, bronzed_45_vested
In-Reply-To: <0e17a0309061300d31036a6a4c139919192f6373.1782379460.git.bronzed_45_vested@icloud.com>

On Fri, 26 Jun 2026 16:32:00 +0800 Ren Wei wrote:
> From: Wyatt Feng <bronzed_45_vested@icloud.com>
> 
> ETS keeps each DRR-style deficit in a u32 and replenishes it with
> the configured quantum whenever the head packet is too large. Both
> the quantum and qdisc_pkt_len() are user-controlled inputs: a large
> quantum can wrap the deficit counter, while a tiny quantum combined
> with an inflated qdisc_pkt_len() can force billions of iterations in
> softirq context before any packet becomes eligible.

Do you mean when packet is gigabytes in size?
Where do such packets originate?

> Store the deficit in u64 so replenishment cannot wrap the counter.
> This keeps the existing dequeue logic unchanged while fixing the
> overflow condition.
> 
> Bound one dequeue attempt to at most nbands * 2 ETS rotations, as
> suggested in review. This avoids the livelock without adding heavier
> logic to the fast path.
> 
> Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc")
> Cc: stable@vger.kernel.org
> Reported-by: Yuan Tan <yuantan098@gmail.com>
> Reported-by: Yifan Wu <yifanwucs@gmail.com>
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
> Reported-by: Xin Liu <bird@lzu.edu.cn>
> Suggested-by: Jamal Hadi Salim <jhs@mojatatu.com>
> Assisted-by: Codex:GPT-5.4
> Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
> ---
> changes in v2:
>   - Instead of doing a div() in the fast path, simply bound the loop per
>     dequeue
>   - v1 Link: https://lore.kernel.org/all/20260615103759.2404228-2-n05ec@lzu.edu.cn/
> 
> 
>  net/sched/sch_ets.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c
> index cb8cf437ce87..12a156ccb0a6 100644
> --- a/net/sched/sch_ets.c
> +++ b/net/sched/sch_ets.c
> @@ -40,7 +40,7 @@ struct ets_class {
>  	struct list_head alist; /* In struct ets_sched.active. */
>  	struct Qdisc *qdisc;
>  	u32 quantum;
> -	u32 deficit;
> +	u64 deficit;
>  	struct gnet_stats_basic_sync bstats;
>  	struct gnet_stats_queue qstats;
>  };
> @@ -463,6 +463,8 @@ ets_qdisc_dequeue_skb(struct Qdisc *sch, struct sk_buff *skb)
>  static struct sk_buff *ets_qdisc_dequeue(struct Qdisc *sch)
>  {
>  	struct ets_sched *q = qdisc_priv(sch);
> +	unsigned int max_loops = READ_ONCE(q->nbands) * 2;
> +	unsigned int loops = 0;
>  	struct ets_class *cl;
>  	struct sk_buff *skb;
>  	unsigned int band;
> @@ -499,6 +501,8 @@ static struct sk_buff *ets_qdisc_dequeue(struct Qdisc *sch)
>  
>  		cl->deficit += READ_ONCE(cl->quantum);
>  		list_move_tail(&cl->alist, &q->active);
> +		if (++loops > max_loops)
> +			goto out;
>  	}
>  out:
>  	return NULL;
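
Review bot: when ++loops exceeds max_loops in this last hunk the function
jumps to out and returns NULL, yet every class the loop touched has just
been moved back onto q->active with its head packet still queued. Nothing
in the hunk arranges for dequeue to run again, so a caller that reads NULL
as "nothing to send" can leave that backlog sitting until some later
enqueue. Please either show where a retry is guaranteed or schedule one
before the goto, and add a comment on why nbands * 2 is the right bound.
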


^ permalink raw reply

* Re: [PATCH net v2 1/1] net: sched: ets: avoid deficit wrap and bound empty dequeue rounds
From: Jakub Kicinski @ 2026-06-27 22:15 UTC (permalink / raw)
  To: Ren Wei
  Cc: netdev, jhs, jiri, davem, petrm, yuantan098, yifanwucs,
	tomapufckgml, zcliangcn, bird, bronzed_45_vested
In-Reply-To: <0e17a0309061300d31036a6a4c139919192f6373.1782379460.git.bronzed_45_vested@icloud.com>

On Fri, 26 Jun 2026 16:32:00 +0800 Ren Wei wrote:
> @@ -499,6 +501,8 @@ static struct sk_buff *ets_qdisc_dequeue(struct Qdisc *sch)
>  
>  		cl->deficit += READ_ONCE(cl->quantum);
>  		list_move_tail(&cl->alist, &q->active);
> +		if (++loops > max_loops)
> +			goto out;

BTW sashiko says that this will permanently stall the qdisc.
-- 
pw-bot: cr

^ permalink raw reply
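
A userspace C model of the deficit loop in the quoted sch_ets patch, added here as an illustration and not taken from the thread or the kernel: it shows a 32-bit deficit wrapping on replenish, and how many dequeue attempts come back empty once rotations are capped at nbands * 2. The struct and function names, the two scenarios and their numbers are constructed; what the qdisc layer does after an empty return is outside the model.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_BANDS 4

struct ets_class { uint32_t quantum; uint64_t deficit; uint32_t head_len; };

struct ets_model {
	struct ets_class cl[MAX_BANDS];
	unsigned int n;			/* number of active DRR bands */
	unsigned int head;		/* band at the front of the active list */
	int wide;			/* 0: deficit kept in 32 bits, 1: 64 bits */
	unsigned long rotations;	/* replenish-and-rotate steps so far */
};

/* One dequeue attempt; max_loops == 0 means no bound (the loop before the
 * patch). Returns the band whose head packet was sent, or -1 for none. */
int ets_model_dequeue(struct ets_model *q, unsigned int max_loops)
{
	unsigned int loops = 0;

	for (;;) {
		struct ets_class *cl = &q->cl[q->head];

		if (cl->head_len <= cl->deficit) {
			cl->deficit -= cl->head_len;
			return (int)q->head;
		}
		cl->deficit += cl->quantum;
		if (!q->wide)
			cl->deficit &= UINT32_MAX;	/* u32 arithmetic wraps */
		q->head = (q->head + 1) % q->n;		/* list_move_tail() */
		q->rotations++;
		if (max_loops && ++loops > max_loops)
			return -1;			/* the patch's "goto out" */
	}
}

/* Number of attempts that return no packet before one succeeds. */
unsigned int empty_calls_before_packet(struct ets_model *q,
				       unsigned int max_loops,
				       unsigned int limit)
{
	unsigned int empty = 0;

	while (empty < limit && ets_model_dequeue(q, max_loops) < 0)
		empty++;
	return empty;
}

/* Constructed: one band, maximal quantum, 1000 bytes of deficit left over. */
struct ets_model wrap_case(int wide)
{
	struct ets_model q = { .n = 1, .wide = wide };

	q.cl[0] = (struct ets_class){ .quantum = UINT32_MAX, .deficit = 1000,
				      .head_len = 1500 };
	return q;
}

/* Constructed: two bands, quantum 1, a 1500-byte packet at each head. */
struct ets_model tiny_quantum_case(void)
{
	struct ets_model q = { .n = 2, .wide = 1 };

	q.cl[0] = (struct ets_class){ .quantum = 1, .head_len = 1500 };
	q.cl[1] = (struct ets_class){ .quantum = 1, .head_len = 1500 };
	return q;
}

int main(void)
{
	struct ets_model narrow = wrap_case(0), wide = wrap_case(1);
	struct ets_model tiny = tiny_quantum_case();
	unsigned int empty;

	printf("u32 deficit: band %d, deficit now %llu\n",
	       ets_model_dequeue(&narrow, 2),
	       (unsigned long long)narrow.cl[0].deficit);
	printf("u64 deficit: band %d\n", ets_model_dequeue(&wide, 2));
	empty = empty_calls_before_packet(&tiny, 2 * tiny.n, 10000);
	printf("bounded loop: %u empty attempts, %lu rotations\n",
	       empty, tiny.rotations);
	return 0;
}
```
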

* [PATCH net v4] net/mlx5e: macsec: fix use-after-free of metadata_dst on RX SC delete
From: Doruk Tan Ozturk @ 2026-06-27 22:30 UTC (permalink / raw)
  To: saeedm, leon, tariqt, mbloch, sd, andrew+netdev, davem, edumazet,
	kuba, pabeni
  Cc: horms, borisp, raeds, ehakim, netdev, linux-rdma, linux-kernel,
	stable, Doruk Tan Ozturk

When an offloaded MACsec RX SC is deleted, macsec_del_rxsc_ctx() freed
the per-SC metadata_dst with metadata_dst_free(), which kfree()s the
object unconditionally and ignores the dst reference count. The RX
datapath in mlx5e_macsec_offload_handle_rx_skb() looks up the SC under
rcu_read_lock() via xa_load(), takes a reference with dst_hold() and
attaches the dst to the skb with skb_dst_set(). A reader that already
obtained the rx_sc pointer can race with the delete path and operate on
freed memory.

Fix the owner side by dropping the reference with dst_release() instead
of freeing unconditionally, and convert the RX datapath to
dst_hold_safe() so a reader racing the SC delete cannot attach a dst
whose last reference was just dropped; only attach it when a reference
was actually taken.

mlx5e_macsec_add_rxsc() also published sc_xarray_element via xa_alloc()
before rx_sc->md_dst was allocated and initialised, so a datapath reader
that looked the SC up by fs_id could observe rx_sc with md_dst still
NULL or, on weakly-ordered architectures, a non-NULL md_dst pointer
whose contents were not yet visible. NULL-check the xa_load() result and
md_dst on the datapath, and reorder add_rxsc() so the xa_alloc() publish
happens only after md_dst is fully initialised; the xarray RCU publish
then pairs with the rcu_read_lock()/xa_load() in the datapath.

Note: macsec_del_rxsc_ctx() also kfree()s rx_sc->sc_xarray_element
without an RCU grace period while the same datapath reads it under
rcu_read_lock(); that is a separate pre-existing issue left to a
follow-up patch.

Found by 0sec automated security-research tooling (https://0sec.ai).

Fixes: b7c9400cbc48 ("net/mlx5e: Implement MACsec Rx data path using MACsec skb_metadata_dst")
Cc: stable@vger.kernel.org
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
---
v4:
 - Reorder mlx5e_macsec_add_rxsc() so xa_alloc() publishes the SC only
   after rx_sc->md_dst is allocated and initialised; a datapath reader
   could otherwise observe a non-NULL md_dst with uninitialised contents
   (raised by the automated review forwarded by Simon Horman). Error
   paths adjusted (no xa_erase before the publish).
v3: NULL-check the xa_load() result and rx_sc->md_dst on the datapath.
v2: convert the datapath dst_hold() to dst_hold_safe().
v1: https://lore.kernel.org/netdev/20260615140534.52691-1-doruk@0sec.ai/
 .../mellanox/mlx5/core/en_accel/macsec.c      | 47 +++++++++++--------
 1 file changed, 28 insertions(+), 19 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
index 71b3a059c..daff53ba7 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
@@ -714,34 +714,43 @@ static int mlx5e_macsec_add_rxsc(struct macsec_context *ctx)
 	}
 
 	sc_xarray_element->rx_sc = rx_sc;
-	err = xa_alloc(&macsec->sc_xarray, &sc_xarray_element->fs_id, sc_xarray_element,
-		       XA_LIMIT(1, MLX5_MACEC_RX_FS_ID_MAX), GFP_KERNEL);
-	if (err) {
-		if (err == -EBUSY)
-			netdev_err(ctx->netdev,
-				   "MACsec offload: unable to create entry for RX SC (%d Rx SCs already allocated)\n",
-				   MLX5_MACEC_RX_FS_ID_MAX);
-		goto destroy_sc_xarray_elemenet;
-	}
 
 	rx_sc->md_dst = metadata_dst_alloc(0, METADATA_MACSEC, GFP_KERNEL);
 	if (!rx_sc->md_dst) {
 		err = -ENOMEM;
-		goto erase_xa_alloc;
+		goto destroy_sc_xarray_elemenet;
 	}
 
 	rx_sc->sci = ctx_rx_sc->sci;
 	rx_sc->active = ctx_rx_sc->active;
-	list_add_rcu(&rx_sc->rx_sc_list_element, rx_sc_list);
-
 	rx_sc->sc_xarray_element = sc_xarray_element;
 	rx_sc->md_dst->u.macsec_info.sci = rx_sc->sci;
+
+	/*
+	 * Publish the fully-initialised SC last: xa_alloc() makes
+	 * sc_xarray_element->rx_sc (and rx_sc->md_dst) reachable from the RX
+	 * datapath via xa_load().  Doing it only after md_dst is allocated and
+	 * initialised pairs with the rcu_read_lock()/xa_load() in
+	 * mlx5e_macsec_offload_handle_rx_skb(), so a reader can never observe
+	 * a non-NULL md_dst with uninitialised contents.
+	 */
+	err = xa_alloc(&macsec->sc_xarray, &sc_xarray_element->fs_id, sc_xarray_element,
+		       XA_LIMIT(1, MLX5_MACEC_RX_FS_ID_MAX), GFP_KERNEL);
+	if (err) {
+		if (err == -EBUSY)
+			netdev_err(ctx->netdev,
+				   "MACsec offload: unable to create entry for RX SC (%d Rx SCs already allocated)\n",
+				   MLX5_MACEC_RX_FS_ID_MAX);
+		goto destroy_md_dst;
+	}
+
+	list_add_rcu(&rx_sc->rx_sc_list_element, rx_sc_list);
 	mutex_unlock(&macsec->lock);
 
 	return 0;
 
-erase_xa_alloc:
-	xa_erase(&macsec->sc_xarray, sc_xarray_element->fs_id);
+destroy_md_dst:
+	dst_release(&rx_sc->md_dst->dst);
 destroy_sc_xarray_elemenet:
 	kfree(sc_xarray_element);
 destroy_rx_sc:
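Review bot: the comment added above the moved xa_alloc() says the publish "pairs with" rcu_read_lock()/xa_load(), but it does not say what provides the ordering for the plain stores to rx_sc->sci, rx_sc->active and rx_sc->md_dst->u.macsec_info.sci that now precede it. Please state in the comment that the guarantee comes from the xarray store itself, so a later reshuffle of these assignments does not silently reintroduce the window. In the new destroy_md_dst path, a one-line remark that no reader can hold a reference yet (the SC was never published) would explain why a plain dst_release() is sufficient there and why no xa_erase() is needed.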
@@ -829,7 +838,7 @@ static void macsec_del_rxsc_ctx(struct mlx5e_macsec *macsec, struct mlx5e_macsec
 	 */
 	list_del_rcu(&rx_sc->rx_sc_list_element);
 	xa_erase(&macsec->sc_xarray, rx_sc->sc_xarray_element->fs_id);
-	metadata_dst_free(rx_sc->md_dst);
+	dst_release(&rx_sc->md_dst->dst);
 	kfree(rx_sc->sc_xarray_element);
 	kfree_rcu_mightsleep(rx_sc);
 }
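Review bot: the line after the changed one still kfree()s rx_sc->sc_xarray_element right after xa_erase() with no grace period, while the RX path dereferences sc_xarray_element->rx_sc under rcu_read_lock(). The commit message defers this to a follow-up, but the NULL check added on the xa_load() result cannot catch a stale, already-freed element, so the datapath fix is incomplete for stable without it. Consider deferring that free through RCU in the same series, as is already done for rx_sc via kfree_rcu_mightsleep(). A short comment on why dst_release() replaces metadata_dst_free() here (skbs may still hold references taken on the datapath) would also help.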
@@ -1695,10 +1704,10 @@ void mlx5e_macsec_offload_handle_rx_skb(struct net_device *netdev,
 
 	rcu_read_lock();
 	sc_xarray_element = xa_load(&macsec->sc_xarray, fs_id);
-	rx_sc = sc_xarray_element->rx_sc;
-	if (rx_sc) {
-		dst_hold(&rx_sc->md_dst->dst);
-		skb_dst_set(skb, &rx_sc->md_dst->dst);
+	rx_sc = sc_xarray_element ? sc_xarray_element->rx_sc : NULL;
+	if (rx_sc && rx_sc->md_dst) {
+		if (dst_hold_safe(&rx_sc->md_dst->dst))
+			skb_dst_set(skb, &rx_sc->md_dst->dst);
 	}
 
 	rcu_read_unlock();
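Review bot: when dst_hold_safe() fails in the new inner branch, the skb continues up the stack without a MACsec metadata dst and nothing records that it happened. Please say in a comment whether delivering the packet without the dst is the intended behaviour for an SC that is being torn down, or whether it should be counted or dropped. The two nested ifs can also fold into a single condition, `if (rx_sc && rx_sc->md_dst && dst_hold_safe(&rx_sc->md_dst->dst))`, which drops one level of indentation.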
-- 
2.43.0


^ permalink raw reply related

* Re: [PATCH v2 net-next] selftests/xsk: Preserve UMEM view in BIDIRECTIONAL test
From: Jakub Kicinski @ 2026-06-27 22:42 UTC (permalink / raw)
  To: Maciej Fijalkowski
  Cc: netdev, bpf, magnus.karlsson, stfomichev, pabeni, horms,
	tushar.vyavahare, kerneljasonxing
In-Reply-To: <20260625115215.1101928-1-maciej.fijalkowski@intel.com>

On Thu, 25 Jun 2026 13:52:15 +0200 Maciej Fijalkowski wrote:
> Subject: [PATCH v2 net-next] selftests/xsk: Preserve UMEM view in BIDIRECTIONAL test
> 
> Fixes: b17631032769 ("selftests/xsk: Move UMEM state from ifobject to xsk_socket_info")

Yup, doesn't apply, conflicts with the patches that went via net
but are now in both trees.
-- 
pw-bot: cr

^ permalink raw reply

* Re: [PATCH net v5] net: dsa: Fix skb ownership in taggers
From: Jakub Kicinski @ 2026-06-27 22:49 UTC (permalink / raw)
  To: Linus Walleij
  Cc: Andrew Lunn, Vladimir Oltean, David S. Miller, Eric Dumazet,
	Paolo Abeni, Simon Horman, Florian Fainelli, Jonas Gorski,
	Hauke Mehrtens, Kurt Kanzenbach, Woojung Huh, UNGLinuxDriver,
	Chester A. Unal, Daniel Golle, Matthias Brugger,
	AngeloGioacchino Del Regno, Wei Fang, Clark Wang,
	Clément Léger, George McCollister, David Yang, netdev,
	Sashiko AI Review
In-Reply-To: <20260625-dsa-fix-free-skb-v5-1-b5931e4cbdb0@kernel.org>

On Thu, 25 Jun 2026 09:47:01 +0200 Linus Walleij wrote:
> NOTICE: Backporting patches to taggers (e.g. for stable kernels) after
> this point cannot be mechanical or they will introduce double
> kfree_skb().

Sorry for the backporting pain but since the DSA reviews have been 
a bit sparse lately - I think we need to keep this code base free
of tribal knowledge, to the extent possible.

^ permalink raw reply

* Re: [PATCH net] net: enetc: check the number of BDs needed for xdp_frame
From: patchwork-bot+netdevbpf @ 2026-06-27 22:50 UTC (permalink / raw)
  To: Wei Fang
  Cc: claudiu.manoil, vladimir.oltean, xiaoning.wang, andrew+netdev,
	davem, edumazet, kuba, pabeni, ast, daniel, hawk, john.fastabend,
	sdf, wei.fang, imx, netdev, linux-kernel, bpf
In-Reply-To: <20260626073244.2168214-1-wei.fang@oss.nxp.com>

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Fri, 26 Jun 2026 15:32:44 +0800 you wrote:
> From: Wei Fang <wei.fang@nxp.com>
> 
> The size of xdp_redirect_arr array is ENETC_MAX_SKB_FRAGS. However, the
> number of fragments contained in xdp_frame may be greater than or equal
> to ENETC_MAX_SKB_FRAGS, which will cause the access to xdp_redirect_arr
> to be out of bounds.
> 
> [...]

Here is the summary with links:
  - [net] net: enetc: check the number of BDs needed for xdp_frame
    https://git.kernel.org/netdev/net/c/555c5475e787

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* Re: [PATCH net v5] net: dsa: Fix skb ownership in taggers
From: patchwork-bot+netdevbpf @ 2026-06-27 22:50 UTC (permalink / raw)
  To: Linus Walleij
  Cc: andrew, olteanv, davem, edumazet, kuba, pabeni, horms,
	florian.fainelli, jonas.gorski, hauke, kurt, woojung.huh,
	UNGLinuxDriver, chester.a.unal, daniel, matthias.bgg,
	angelogioacchino.delregno, wei.fang, xiaoning.wang, clement.leger,
	george.mccollister, mmyangfl, netdev, sashiko-bot
In-Reply-To: <20260625-dsa-fix-free-skb-v5-1-b5931e4cbdb0@kernel.org>

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Thu, 25 Jun 2026 09:47:01 +0200 you wrote:
> The tag_8021q.c tagger calls vlan_insert_tag() in dsa_8021q_xmit().
> vlan_insert_tag() will consume the skb with kfree_skb() on failure
> and return NULL.
> 
> When NULL is returned as error code to ->xmit() in dsa_user_xmit()
> it will free the same skb again leading to a double-free.
> 
> [...]

Here is the summary with links:
  - [net,v5] net: dsa: Fix skb ownership in taggers
    https://git.kernel.org/netdev/net/c/d4be5f6f9094

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* Re: [PATCH net v2] sctp: fix SCTP_RESET_STREAMS stream list length limit
From: patchwork-bot+netdevbpf @ 2026-06-27 22:50 UTC (permalink / raw)
  To: Yousef Alhouseen
  Cc: marcelo.leitner, lucien.xin, davem, edumazet, kuba, pabeni, horms,
	linux-sctp, netdev, linux-kernel
In-Reply-To: <20260625142354.2600-1-alhouseenyousef@gmail.com>

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Thu, 25 Jun 2026 16:23:54 +0200 you wrote:
> SCTP_RESET_STREAMS carries a flexible array of u16 stream IDs, but the
> optlen clamps treat USHRT_MAX as a byte count and then multiply
> sizeof(__u16) by the fixed header size.
> 
> That caps the copied and validated option buffer at about 64 KiB, which
> rejects valid requests containing more than about half of the u16 stream
> ID range.
> 
> [...]

Here is the summary with links:
  - [net,v2] sctp: fix SCTP_RESET_STREAMS stream list length limit
    https://git.kernel.org/netdev/net/c/2b9f5ef53418

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* Re: [PATCH net v2] netpoll: fix a use-after-free on shutdown path
From: patchwork-bot+netdevbpf @ 2026-06-27 22:50 UTC (permalink / raw)
  To: Breno Leitao
  Cc: davem, edumazet, kuba, pabeni, horms, amwang, netdev,
	linux-kernel, vlad.wing, asantostc, paulmck, kernel-team, stable,
	pavan.chebbi
In-Reply-To: <20260625-netpoll_rcu_fix-v2-1-0748ffac1e98@debian.org>

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Thu, 25 Jun 2026 05:03:18 -0700 you wrote:
> There is a use-after-free error on netpoll, which is clearly detected by
> KASAN.
> 
>       BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0x3b/0x80
>       Read of size 1 at addr ... by task kworker/9:1
>       Workqueue: events queue_process
>       Call Trace:
>        skb_dequeue+0x1e/0xb0
>        queue_process+0x2c/0x600
>        process_scheduled_works+0x4b6/0x850
>        worker_thread+0x414/0x5a0
>       Allocated by task 242:
>        __netpoll_setup+0x201/0x4a0
>        netpoll_setup+0x249/0x550
>        enabled_store+0x32f/0x380
>       Freed by task 0:
>        kfree+0x1b7/0x540
>        rcu_core+0x3f8/0x7a0
> 
> [...]

Here is the summary with links:
  - [net,v2] netpoll: fix a use-after-free on shutdown path
    https://git.kernel.org/netdev/net/c/45f1458a8501

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* Re: [PATCH net] MAINTAINERS: Update Marvell octeontx2 driver maintainers
From: patchwork-bot+netdevbpf @ 2026-06-27 22:50 UTC (permalink / raw)
  To: Ratheesh Kannoth
  Cc: netdev, linux-kernel, sgoutham, davem, edumazet, kuba, pabeni,
	andrew+netdev
In-Reply-To: <20260626044819.3004811-1-rkannoth@marvell.com>

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Fri, 26 Jun 2026 10:18:19 +0530 you wrote:
> Update the maintainer entries for the Marvell OcteonTX (RVU) drivers to
> reflect recent organizational changes.
> 
> Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
> ---
>  MAINTAINERS | 7 +++----
>  1 file changed, 3 insertions(+), 4 deletions(-)

Here is the summary with links:
  - [net] MAINTAINERS: Update Marvell octeontx2 driver maintainers
    https://git.kernel.org/netdev/net/c/56114690ff3c

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* Re: [PATCH net v3] sctp: add INIT verification after cookie unpacking
From: patchwork-bot+netdevbpf @ 2026-06-27 22:50 UTC (permalink / raw)
  To: Xin Long
  Cc: netdev, linux-sctp, davem, kuba, edumazet, pabeni, horms,
	marcelo.leitner
In-Reply-To: <ebcbbac574815b0850f371b4bdb02f2e602b94d3.1782341592.git.lucien.xin@gmail.com>

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 24 Jun 2026 18:53:12 -0400 you wrote:
> In SCTP handshake, the INIT chunk is initially processed by the server
> and embedded into the cookie carried in INIT-ACK. The client then
> returns this cookie via COOKIE-ECHO, where the server unpacks it and
> reconstructs the original INIT chunk.
> 
> When cookie authentication is enabled, the cookie contents are protected
> against tampering, so reusing the unpacked INIT without re-verification
> is safe.
> 
> [...]

Here is the summary with links:
  - [net,v3] sctp: add INIT verification after cookie unpacking
    https://git.kernel.org/netdev/net/c/414c5447fe6a

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* Re: [PATCH net] net: airoha: dma map xmit frags with skb_frag_dma_map()
From: patchwork-bot+netdevbpf @ 2026-06-27 22:50 UTC (permalink / raw)
  To: Lorenzo Bianconi
  Cc: andrew+netdev, davem, edumazet, kuba, pabeni, linux-arm-kernel,
	linux-mediatek, netdev
In-Reply-To: <20260625-airoha-eth-skb_frag_dma_map-v1-1-31d9e460aae6@kernel.org>

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Thu, 25 Jun 2026 11:42:46 +0200 you wrote:
> Map xmit skb fragments using skb_frag_dma_map() instead of
> dma_map_single(skb_frag_address()). skb_frag_address() relies on
> page_address() to obtain a kernel virtual address, which is not
> guaranteed to work for all page types (e.g. highmem pages or
> user-pinned pages from MSG_ZEROCOPY).
> skb_frag_dma_map() maps the fragment directly via its struct page and
> offset through dma_map_page(), avoiding the need for a kernel virtual
> address entirely.
> Introduce an enum airoha_dma_map_type to track how each queue entry was
> mapped (single vs page), so that the matching unmap function is called
> on completion and in error paths.
> 
> [...]

Here is the summary with links:
  - [net] net: airoha: dma map xmit frags with skb_frag_dma_map()
    https://git.kernel.org/netdev/net/c/32f1c2bbb26a

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply

* Re: [PATCH net-next] Documentation: networking: Add a test plan for ethtool pause validation
From: Andrew Lunn @ 2026-06-27 23:46 UTC (permalink / raw)
  To: Jakub Kicinski
  Cc: Maxime Chevallier, davem, Eric Dumazet, Paolo Abeni, Simon Horman,
	Russell King, Heiner Kallweit, Jonathan Corbet, Shuah Khan,
	Oleksij Rempel, Vladimir Oltean, Florian Fainelli,
	thomas.petazzoni, netdev, linux-kernel, linux-doc
In-Reply-To: <20260627143028.5afed23a@kernel.org>

On Sat, Jun 27, 2026 at 02:30:28PM -0700, Jakub Kicinski wrote:
> On Sat, 27 Jun 2026 07:34:31 +0200 Maxime Chevallier wrote:
> > > This is very far from what existing python tests do in netdev.  
> > 
> > We can probably drop the class, as it is with this discussion, it's merely a way
> > to regroup doc common to similar tests. The rest really is the usual set of
> > ksft funcs you can feed to the run function, with a set of ksft_ethtool_*
> > annotators for generic checks.
> 
> The common way of checking prereqs in the tests is to call a function
> called require_xyz() which then raises a skip. At a quick glance - the
> rss_api and xdp_metadata are good tests to get a sense of the usual format.

The counter example is the ksft_disruptive() decorator.

Python's own unittest framework makes use of decorators to skip
tests. It's the Pythonic way.

	Andrew

^ permalink raw reply

* [PATCH net] ieee802154: hwsim: free PIB after unregistering hardware
From: Yousef Alhouseen @ 2026-06-27 23:58 UTC (permalink / raw)
  To: Alexander Aring, Stefan Schmidt
  Cc: Miquel Raynal, Andrew Lunn, David S . Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, linux-wpan, netdev, linux-kernel,
	stable, syzbot+4707bb8a43a42fca2b97, Yousef Alhouseen

hwsim_del() queues the currently published PIB for RCU freeing before
unregistering the hardware. The unregister path can still invoke driver
callbacks, including set_promiscuous_mode(), after that grace period has
started. A callback can consequently dereference the freed PIB.

Unregister the hardware first, then fetch and free the final PIB. This also
handles a PIB replacement performed by a callback during unregister.

Fixes: 1c9f4a3fce77 ("ieee802154: hwsim: fix rcu handling")
Reported-by: syzbot+4707bb8a43a42fca2b97@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4707bb8a43a42fca2b97
Cc: stable@vger.kernel.org
Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
---
 drivers/net/ieee802154/mac802154_hwsim.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
index 6daa0f198..2a2d8a9eb 100644
--- a/drivers/net/ieee802154/mac802154_hwsim.c
+++ b/drivers/net/ieee802154/mac802154_hwsim.c
@@ -1004,12 +1004,11 @@ static void hwsim_del(struct hwsim_phy *phy)
 		list_del_rcu(&e->list);
 		hwsim_free_edge(e);
 	}
-	pib = rcu_dereference(phy->pib);
 	rcu_read_unlock();
 
-	kfree_rcu(pib, rcu);
-
 	ieee802154_unregister_hw(phy->hw);
+	pib = rcu_dereference_protected(phy->pib, 1);
+	kfree_rcu(pib, rcu);
 	ieee802154_free_hw(phy->hw);
 }
 
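Review bot: rcu_dereference_protected(phy->pib, 1) passes a constant-true condition, so lockdep cannot check the claim that no updater can run at this point. The commit message itself notes that a callback may replace the PIB during unregister, so the safety of this read rests entirely on ieee802154_unregister_hw() having returned. Please add a comment saying that no driver callback can run after that call, or pass a real lock condition if one is held here, so the reasoning is visible at the call site.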
-- 
2.54.0


^ permalink raw reply related

* [PATCH] netdevsim: remove ethtool debugfs files before freeing netdev
From: Yousef Alhouseen @ 2026-06-28  0:28 UTC (permalink / raw)
  To: Jakub Kicinski, Andrew Lunn
  Cc: davem, Eric Dumazet, Paolo Abeni, netdev, linux-kernel, stable,
	syzbot+6c25f4750230faf70be9, Yousef Alhouseen

The ethtool debugfs files point directly into struct netdevsim, which is
allocated as net_device private data. Their containing port directory is
removed only after nsim_destroy() calls free_netdev().

An open simple-attribute file can consequently dereference the freed
private data before the directory is removed. KASAN observed this in
debugfs_u32_get() during network namespace teardown.

Track and remove the ethtool subtree before free_netdev() on both the
normal and registration-failure paths. debugfs removal drains active
file users before returning.

Fixes: ff1f7c17fb20 ("netdevsim: add pause frame stats")
Reported-by: syzbot+6c25f4750230faf70be9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6c25f4750230faf70be9
Cc: stable@vger.kernel.org
Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
---
 drivers/net/netdevsim/ethtool.c   | 6 ++++++
 drivers/net/netdevsim/netdev.c    | 2 ++
 drivers/net/netdevsim/netdevsim.h | 2 ++
 3 files changed, 10 insertions(+)

diff --git a/drivers/net/netdevsim/ethtool.c b/drivers/net/netdevsim/ethtool.c
index 9350ba48eb81..025ea79879f3 100644
--- a/drivers/net/netdevsim/ethtool.c
+++ b/drivers/net/netdevsim/ethtool.c
@@ -252,6 +252,7 @@ void nsim_ethtool_init(struct netdevsim *ns)
 	ns->ethtool.channels = ns->nsim_bus_dev->num_queues;
 
 	ethtool = debugfs_create_dir("ethtool", ns->nsim_dev_port->ddir);
+	ns->ethtool_ddir = ethtool;
 
 	debugfs_create_u32("get_err", 0600, ethtool, &ns->ethtool.get_err);
 	debugfs_create_u32("set_err", 0600, ethtool, &ns->ethtool.set_err);
@@ -272,3 +273,8 @@ void nsim_ethtool_init(struct netdevsim *ns)
 	debugfs_create_u32("tx_max_pending", 0600, dir,
 			   &ns->ethtool.ring.tx_max_pending);
 }
+
+void nsim_ethtool_fini(struct netdevsim *ns)
+{
+	debugfs_remove(ns->ethtool_ddir);
+}
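Review bot: nsim_ethtool_fini() carries no comment stating the ordering constraint it exists to enforce, namely that it must run before free_netdev() because the debugfs files point into the netdev private data. Without that, a later cleanup could move the call after free_netdev() and bring the use-after-free back. It would also be safer to clear ns->ethtool_ddir after debugfs_remove() so a second call from another teardown path does not operate on a stale dentry.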
diff --git a/drivers/net/netdevsim/netdev.c b/drivers/net/netdevsim/netdev.c
index 27e5f109f933..4e9d7e10b527 100644
--- a/drivers/net/netdevsim/netdev.c
+++ b/drivers/net/netdevsim/netdev.c
@@ -1165,6 +1165,7 @@ struct netdevsim *nsim_create(struct nsim_dev *nsim_dev,
 	return ns;
 
 err_free_netdev:
+	nsim_ethtool_fini(ns);
 	free_netdev(dev);
 	return ERR_PTR(err);
 }
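Review bot: err_free_netdev now calls nsim_ethtool_fini(ns) unconditionally, which is only correct if every goto that reaches this label runs after nsim_ethtool_init() has set ns->ethtool_ddir, or if the field is guaranteed to be NULL before then. The hunk shows neither. Please confirm this in the commit message or add a comment at the label, since an uninitialised ethtool_ddir here would be handed straight to debugfs_remove().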
@@ -1178,6 +1179,7 @@ void nsim_destroy(struct netdevsim *ns)
 	debugfs_remove(ns->vlan_dfs);
 	debugfs_remove(ns->qr_dfs);
 	debugfs_remove(ns->pp_dfs);
+	nsim_ethtool_fini(ns);
 
 	if (ns->nb.notifier_call)
 		unregister_netdevice_notifier_dev_net(ns->netdev, &ns->nb,
diff --git a/drivers/net/netdevsim/netdevsim.h b/drivers/net/netdevsim/netdevsim.h
index 4c9cc96dcec3..64f77f93d937 100644
--- a/drivers/net/netdevsim/netdevsim.h
+++ b/drivers/net/netdevsim/netdevsim.h
@@ -154,6 +154,7 @@ struct netdevsim {
 	struct dentry *pp_dfs;
 	struct dentry *qr_dfs;
 	struct dentry *vlan_dfs;
+	struct dentry *ethtool_ddir;
 
 	struct nsim_ethtool ethtool;
 	struct netdevsim __rcu *peer;
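Review bot: the new field is named ethtool_ddir while the three dentry pointers directly above it use the _dfs suffix (pp_dfs, qr_dfs, vlan_dfs). Naming it ethtool_dfs would keep the struct consistent and make it obvious in nsim_destroy() that it belongs with the other debugfs_remove() calls.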
@@ -169,6 +170,7 @@ void nsim_destroy(struct netdevsim *ns);
 bool netdev_is_nsim(struct net_device *dev);
 
 void nsim_ethtool_init(struct netdevsim *ns);
+void nsim_ethtool_fini(struct netdevsim *ns);
 
 void nsim_udp_tunnels_debugfs_create(struct nsim_dev *nsim_dev);
 int nsim_udp_tunnels_info_create(struct nsim_dev *nsim_dev,
-- 
2.54.0


^ permalink raw reply related

