* [PATCH net] mac802154: wait for RCU readers when removing interfaces
From: Yousef Alhouseen @ 2026-06-30 21:18 UTC (permalink / raw)
To: Alexander Aring, Stefan Schmidt, Miquel Raynal
Cc: David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Marcel Holtmann, linux-wpan, netdev, linux-kernel,
stable, syzbot+36256deb69a588e9290e, Yousef Alhouseen
Queue wake, stop, and disable paths walk local->interfaces under RCU.
The bulk hardware teardown path removes entries with list_del() and
immediately unregisters their netdevices, so an asynchronous transmit
completion can follow a poisoned list node in ieee802154_wake_queue().
Match ieee802154_if_remove(): use list_del_rcu() and wait for existing
readers before unregistering each interface.
Fixes: 592dfbfc72f5 ("mac820154: move interface unregistration into iface")
Reported-by: syzbot+36256deb69a588e9290e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=36256deb69a588e9290e
Cc: stable@vger.kernel.org
Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
---
net/mac802154/iface.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index 000be60d9580..73d82a015184 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -703,7 +703,8 @@ void ieee802154_remove_interfaces(struct ieee802154_local *local)
mutex_lock(&local->iflist_mtx);
list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
- list_del(&sdata->list);
+ list_del_rcu(&sdata->list);
+ synchronize_rcu();
unregister_netdevice(sdata->dev);
}
--
2.55.0
^ permalink raw reply related
* Re: [PATCH net-next v2] ipv4: igmp: remove multicast group from hash table on device destruction
From: Kuniyuki Iwashima @ 2026-06-30 21:13 UTC (permalink / raw)
To: idosch
Cc: davem, dsahern, edumazet, horms, jedrzej.jagielski, kuba,
linux-kernel, netdev, pabeni, xiyou.wangcong, yuyanghuang
In-Reply-To: <20260630165934.GA1227354@shredder>
From: Ido Schimmel <idosch@nvidia.com>
Date: Tue, 30 Jun 2026 19:59:34 +0300
> On Tue, Jun 30, 2026 at 04:55:22PM +0900, Yuyang Huang wrote:
> > > Hi,
> > >
> > > why sending this to net-next not to net if that's a bug fix?
> > >
> > > In the v1 thread it was said
> > > >This is a long-standing bug, not a recent regression.
> > >
> > > so why do not cc stable kernel to get rid of this bug from
> > > stable kernels in such case?
> >
> > Thanks for the advise, will send this patch to stable kernel.
>
> Please target v3 at net and add a trace given you're claiming for a
> use-after-free. That way we know that the problem is real and not a
> false-positive from some tool. You can reproduce it by adding enough
> delay in inetdev_destroy():
I guess delay was added between ip_mc_destroy_dev() and
RCU_INIT_POINTER(dev->ip_ptr, NULL) ?
I feel like we should clear it first and destroy everything
as done in IPv6 addrconf_ifdown().
>
> BUG: KASAN: slab-use-after-free in ip_check_mc_rcu+0x2cc/0x500
> Read of size 4 at addr ffff88810c571208 by task mausezahn/419
>
> CPU: 2 UID: 0 PID: 419 Comm: mausezahn Not tainted 7.1.0-virtme-g15d4a7c23bf6 #17 PREEMPT(lazy)
> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
> Call Trace:
> <IRQ>
> dump_stack_lvl+0x4d/0x70
> print_report+0x153/0x4c2
> kasan_report+0xda/0x110
> ip_check_mc_rcu+0x2cc/0x500
> ip_route_input_rcu.part.0+0x13d/0xbc0
> ip_route_input_noref+0xb6/0x110
> ip_rcv_finish_core+0x41b/0x1d90
> ip_rcv_finish+0xea/0x1b0
> ip_rcv+0xb7/0x1b0
> __netif_receive_skb_one_core+0xfc/0x180
> process_backlog+0x1ea/0x5e0
> __napi_poll+0x97/0x480
> net_rx_action+0x97c/0xfa0
> handle_softirqs+0x18c/0x4f0
> do_softirq+0x42/0x60
> </IRQ>
>
^ permalink raw reply
* [PATCH bpf 2/2] selftests/bpf: test sockmap strparser recover with undelivered ingress
From: Sechang Lim @ 2026-06-30 20:50 UTC (permalink / raw)
To: Eric Dumazet, Neal Cardwell, John Fastabend, Jakub Sitnicki,
Jiayuan Chen, David S. Miller, Jakub Kicinski, Paolo Abeni,
Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Eduard Zingerman, Kumar Kartikeya Dwivedi, Shuah Khan
Cc: Kuniyuki Iwashima, Simon Horman, Martin KaFai Lau, Song Liu,
Yonghong Song, Jiri Olsa, Emil Tsalapatis, Ihor Solodrai, netdev,
bpf, linux-kernel, linux-kselftest
In-Reply-To: <20260630205043.184894-1-rhkrqnwk98@gmail.com>
Park SK_PASS data on a stream-parser socket's ingress_msg queue, drop the
socket from the sockmap without reading it, then check the native stack
still delivers data queued afterwards. Without the fix copied_seq is left
behind sk_receive_queue and tcp_recvmsg_locked() warns instead of
delivering.
Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com>
---
.../selftests/bpf/prog_tests/sockmap_basic.c | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
diff --git a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
index cb3229711f93..86b584f5491e 100644
--- a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
+++ b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
@@ -1292,6 +1292,63 @@ static int wait_for_fionread(int fd, int expected, unsigned int timeout_ms)
return avail;
}
+static void test_sockmap_strp_recover_undelivered(void)
+{
+ struct test_sockmap_pass_prog *skel = NULL;
+ int c0 = -1, p0 = -1, c1 = -1, p1 = -1;
+ char buf[10] = "0123456789", rcv[11];
+ int err, map, verdict, parser, sent, recvd, avail, zero = 0;
+
+ skel = test_sockmap_pass_prog__open_and_load();
+ if (!ASSERT_OK_PTR(skel, "open_and_load"))
+ return;
+
+ if (create_socket_pairs(AF_INET, SOCK_STREAM, &c0, &c1, &p0, &p1))
+ goto out;
+
+ map = bpf_map__fd(skel->maps.sock_map_rx);
+
+ verdict = bpf_program__fd(skel->progs.prog_skb_verdict);
+ err = bpf_prog_attach(verdict, map, BPF_SK_SKB_STREAM_VERDICT, 0);
+ if (!ASSERT_OK(err, "bpf_prog_attach"))
+ goto out;
+
+ parser = bpf_program__fd(skel->progs.prog_skb_verdict_ingress_strp);
+ err = bpf_prog_attach(parser, map, BPF_SK_SKB_STREAM_PARSER, 0);
+ if (!ASSERT_OK(err, "bpf_prog_attach"))
+ goto out;
+
+ err = bpf_map_update_elem(map, &zero, &p1, BPF_ANY);
+ if (!ASSERT_OK(err, "bpf_map_update(p1)"))
+ goto out;
+
+ sent = xsend(c1, buf, sizeof(buf), 0);
+ if (!ASSERT_EQ(sent, sizeof(buf), "xsend(c1) bpf"))
+ goto out;
+
+ avail = wait_for_fionread(p1, sizeof(buf), 1000);
+ if (!ASSERT_EQ(avail, sizeof(buf), "fionread"))
+ goto out;
+
+ err = bpf_map_delete_elem(map, &zero);
+ if (!ASSERT_OK(err, "map_delete(p1)"))
+ goto out;
+
+ sent = xsend(c1, buf, sizeof(buf), 0);
+ if (!ASSERT_EQ(sent, sizeof(buf), "xsend(c1) native"))
+ goto out;
+ recvd = recv_timeout(p1, rcv, sizeof(buf), MSG_DONTWAIT, 1);
+ ASSERT_EQ(recvd, sent, "recv(p1) native after drop");
+
+out:
+ close(c0);
+ close(p0);
+ close(c1);
+ close(p1);
+
+ test_sockmap_pass_prog__destroy(skel);
+}
+
/* it is used to send data to via native stack and BPF redirecting */
static void test_sockmap_multi_channels(int sotype)
{
@@ -1447,6 +1504,8 @@ void test_sockmap_basic(void)
test_sockmap_copied_seq(false);
if (test__start_subtest("sockmap recover with strp"))
test_sockmap_copied_seq(true);
+ if (test__start_subtest("sockmap strp recover undelivered"))
+ test_sockmap_strp_recover_undelivered();
if (test__start_subtest("sockmap tcp multi channels"))
test_sockmap_multi_channels(SOCK_STREAM);
if (test__start_subtest("sockmap udp multi channels"))
--
2.43.0
^ permalink raw reply related
* [PATCH bpf 1/2] bpf, sockmap: settle copied_seq when a stream parser is removed
From: Sechang Lim @ 2026-06-30 20:50 UTC (permalink / raw)
To: Eric Dumazet, Neal Cardwell, John Fastabend, Jakub Sitnicki,
Jiayuan Chen, David S. Miller, Jakub Kicinski, Paolo Abeni,
Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Eduard Zingerman, Kumar Kartikeya Dwivedi, Shuah Khan
Cc: Kuniyuki Iwashima, Simon Horman, Martin KaFai Lau, Song Liu,
Yonghong Song, Jiri Olsa, Emil Tsalapatis, Ihor Solodrai, netdev,
bpf, linux-kernel, linux-kselftest
In-Reply-To: <20260630205043.184894-1-rhkrqnwk98@gmail.com>
tcp_bpf_strp_read_sock() rolls tp->copied_seq back by the SK_PASS bytes
parked on the psock ingress_msg queue; tcp_bpf_recvmsg_parser() repays it
as those bytes are delivered. When the socket leaves the sockmap they are
purged undelivered and nothing repays the rollback, so copied_seq is left
behind sk_receive_queue and the native tcp_recvmsg() warns:
TCP recvmsg seq # bug: copied 66913561, seq 6691356A, rcvnxt 66913572, fl 40
WARNING: net/ipv4/tcp.c:2733 at tcp_recvmsg_locked+0x2d0/0x1270
tcp_recvmsg+0xba/0x340
inet_recvmsg+0x7a/0x370
sock_recvmsg+0xef/0x110
__sys_recvfrom+0x132/0x1e0
Settle copied_seq to the parser's consume point as the socket leaves the
sockmap so it cannot trail the receive queue.
Fixes: 36b62df5683c ("bpf: Fix wrong copied_seq calculation")
Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com>
---
net/ipv4/tcp_bpf.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
index cc0bd73f36b6..918f8da02c39 100644
--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -715,6 +715,15 @@ int tcp_bpf_update_proto(struct sock *sk, struct sk_psock *psock, bool restore)
}
if (restore) {
+#if IS_ENABLED(CONFIG_BPF_STREAM_PARSER)
+ /*
+ * Settle the copied_seq rollback for the now-discarded
+ * ingress_msg data so it cannot trail the receive queue
+ */
+ if (sk_psock_test_state(psock, SK_PSOCK_RX_STRP_ENABLED) &&
+ before(tcp_sk(sk)->copied_seq, psock->copied_seq))
+ WRITE_ONCE(tcp_sk(sk)->copied_seq, psock->copied_seq);
+#endif
if (inet_csk_has_ulp(sk)) {
/* TLS does not have an unhash proto in SW cases,
* but we need to ensure we stop using the sock_map
--
2.43.0
^ permalink raw reply related
* [PATCH bpf 0/2] bpf, sockmap: fix copied_seq left behind when a stream parser is removed
From: Sechang Lim @ 2026-06-30 20:50 UTC (permalink / raw)
To: Eric Dumazet, Neal Cardwell, John Fastabend, Jakub Sitnicki,
Jiayuan Chen, David S. Miller, Jakub Kicinski, Paolo Abeni,
Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Eduard Zingerman, Kumar Kartikeya Dwivedi, Shuah Khan
Cc: Kuniyuki Iwashima, Simon Horman, Martin KaFai Lau, Song Liu,
Yonghong Song, Jiri Olsa, Emil Tsalapatis, Ihor Solodrai, netdev,
bpf, linux-kernel, linux-kselftest
A stream-parser sockmap socket can be removed with SK_PASS data still
parked on its ingress_msg queue. The copied_seq rollback for that data is
never repaid, leaving copied_seq behind sk_receive_queue, so the native
tcp_recvmsg() warns. Patch 1 settles copied_seq on removal. Patch 2 adds a
selftest.
Sechang Lim (2):
bpf, sockmap: settle copied_seq when a stream parser is removed
selftests/bpf: test sockmap strparser recover with undelivered ingress
net/ipv4/tcp_bpf.c | 9 +++
.../selftests/bpf/prog_tests/sockmap_basic.c | 59 +++++++++++++++++++
2 files changed, 68 insertions(+)
--
2.43.0
^ permalink raw reply
* Re: [PATCH net-next v4] vsock/virtio: rewrite MSG_ZEROCOPY flag handling
From: patchwork-bot+netdevbpf @ 2026-06-30 20:32 UTC (permalink / raw)
To: Arseniy Krasnov
Cc: stefanha, sgarzare, davem, edumazet, kuba, pabeni, mst, jasowang,
bobbyeshleman, xuanzhuo, eperezma, horms, kvm, virtualization,
netdev, linux-kernel, oxffffaa, rulkc
In-Reply-To: <20260628182052.951760-1-avkrasnov@rulkc.org>
Hello:
This patch was applied to netdev/net-next.git (main)
by Paolo Abeni <pabeni@redhat.com>:
On Sun, 28 Jun 2026 21:20:52 +0300 you wrote:
> Logically it was based on TCP implementation, so to make further support
> easier, rewrite it in the TCP way (like in 'tcp_sendmsg_locked()'). By
> this way, patch also adds handling case when 'msg_ubuf' is already set.
>
> Signed-off-by: Arseniy Krasnov <avkrasnov@rulkc.org>
> ---
> Changelog v1->v2:
> * Rebase on last 'net-next'. Don't need 'skb_zcopy_set()' now - it was
> already added.
> Changelog v2->v3:
> * Update commit message.
> * Remove one empty line.
> Changelog v3->v4:
> * Update commit message.
>
> [...]
Here is the summary with links:
- [net-next,v4] vsock/virtio: rewrite MSG_ZEROCOPY flag handling
https://git.kernel.org/netdev/net-next/c/f456c1922c49
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply
* Re: [PATCH V2] MAINTAINERS: Update Jason Wang's email address
From: patchwork-bot+netdevbpf @ 2026-06-30 20:32 UTC (permalink / raw)
To: Jason Wang; +Cc: mst, virtualization, netdev, eperezma, kvm, linux-kernel
In-Reply-To: <20260629014525.16297-1-jasowang@redhat.com>
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Mon, 29 Jun 2026 09:45:24 +0800 you wrote:
> I will use jasowangio@gmail.com for future review and discussion.
>
> Signed-off-by: Jason Wang <jasowang@redhat.com>
> ---
> Changes since V1:
> - Add mailmap entry
>
> [...]
Here is the summary with links:
- [V2] MAINTAINERS: Update Jason Wang's email address
https://git.kernel.org/netdev/net/c/1398b1014909
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply
* Re: Please backport bridge multicast exponential field encoding fix series to stable kernels
From: Greg KH @ 2026-06-30 20:29 UTC (permalink / raw)
To: Ujjal Roy
Cc: Sasha Levin, David S . Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Simon Horman, Nikolay Aleksandrov, Ido Schimmel,
David Ahern, Shuah Khan, Andy Roulin, Yong Wang, Petr Machata,
stable, Ujjal Roy, bridge, Kernel, Kernel, linux-kselftest
In-Reply-To: <CAE2MWkkON7HuB+Szc1VhaPL8ZTYMAyfzmPM_7FkXvOPnjnF5rQ@mail.gmail.com>
On Wed, Jul 01, 2026 at 01:33:07AM +0530, Ujjal Roy wrote:
> On Thu, Jun 25, 2026 at 8:20 PM Ujjal Roy <royujjal@gmail.com> wrote:
> >
> > On Thu, Jun 25, 2026 at 4:12 PM Sasha Levin <sashal@kernel.org> wrote:
> > >
> > > > Please backport the 5-patch bridge multicast exponential field
> > > > encoding series (726fa7da2d8c, 12cfb4ecc471, 95bfd196f0dc,
> > > > e51560f4220a, 529dbe762de0) to the stable kernels.
> > >
> > > I tried, but it doesn't apply to 7.1. Could you provide a backport please?
> > >
> > > --
> > > Thanks,
> > > Sasha
> >
> > I will create patches on top of 7.1. But tell me what about all other
> > stable releases? I have to create patches to all stables and how to
> > share the patches to you? Via this email or any other process? I am a
> > fresh on backporting my changes to all stables.
>
> I have prepared the patches for stable releases mentioned in kernel.org.
>
> And I am waiting for your response so that I can send you the patchset.
Please just send the patches :)
^ permalink raw reply
* Re: [PATCH v2 7/7] pci: fix UAF when probe runs concurrent to dyn ID removal
From: Danilo Krummrich @ 2026-06-30 20:25 UTC (permalink / raw)
To: Gary Guo
Cc: Bjorn Helgaas, Zhenzhong Duan, Greg Kroah-Hartman,
Rafael J. Wysocki, Damien Le Moal, Niklas Cassel, GOTO Masanori,
YOKOTA Hiroshi, James E.J. Bottomley, Martin K. Petersen,
Vaibhav Gupta, Jens Taprogge, Ido Schimmel, Petr Machata,
Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, linux-pci, driver-core, linux-kernel, linux-ide,
linux-scsi, industrypack-devel, netdev, Sashiko
In-Reply-To: <20260630-pci_id_fix-v2-7-b834a98c0af2@garyguo.net>
On Tue Jun 30, 2026 at 1:09 PM CEST, Gary Guo wrote:
> -static const struct pci_device_id *pci_match_device(struct pci_driver *drv,
> - struct pci_dev *dev)
> +static bool pci_match_device(struct pci_driver *drv,
> + struct pci_dev *dev,
> + struct pci_device_id *id)
> {
> struct pci_dynid *dynid;
> const struct pci_device_id *found_id = NULL;
> @@ -196,30 +198,33 @@ static const struct pci_device_id *pci_match_device(struct pci_driver *drv,
> /* When driver_override is set, only bind to the matching driver */
> ret = device_match_driver_override(&dev->dev, &drv->driver);
> if (ret == 0)
> - return NULL;
> + return false;
>
> dev_id = pci_id_from_device(dev);
> /* Look at the dynamic ids first, before the static ones */
> - spin_lock(&drv->dynids.lock);
> - list_for_each_entry(dynid, &drv->dynids.list, node) {
> - if (pci_match_one_id(&dynid->id, &dev_id)) {
> - found_id = &dynid->id;
> - break;
> + {
> + guard(spinlock)(&drv->dynids.lock);
> + list_for_each_entry(dynid, &drv->dynids.list, node) {
> + if (pci_match_one_id(&dynid->id, &dev_id)) {
> + *id = dynid->id;
> + return true;
> + }
> }
> }
Should be scoped_guard(spinlock, &drv->dynids.lock). It also looks like dynid
could be moved into the scoped_guard().
^ permalink raw reply
* Re: [RFC] connectat()/bindat() or an alternative design
From: John Ericson @ 2026-06-30 20:22 UTC (permalink / raw)
To: Cong Wang
Cc: Li Chen, Andy Lutomirski, Christian Brauner, Jens Axboe,
network dev, linux-fsdevel
In-Reply-To: <66eb8227-85b6-4684-a4fa-e3e17ac2fa45@app.fastmail.com>
I'm bumping this and adding new recipients again in light of the
discussion happening elsewhere in
<https://lore.kernel.org/all/a49ce818-f38d-41b0-bbf7-80b8aad998b1@app.fastmail.com/>.
I don't want to count my chickens before they are hatched, but it is
looking to me like a consensus in that thread is building around the
ability to opt into intentionally empty/unusable root and working
directories (at least with nullfs, maybe but less likely with other
mechanisms instead).
That new functionality concretizes the motivation for what I am
proposing in this thread: in such a world, there is little to no point
binding listening sockets in the file system, because the containing
directory would have to be conveyed by file descriptor anyways --- might
as well just directly convey the socket to connect to by file
descriptor. Likewise, abstract sockets are not appealing, because the
abstract socket namespace is either too coarse-grained (leaking info in
the same way root/cwd would), or too cumbersome to keep it from leaking.
To recap (with some slight changes, like renames), my latest proposal (a
new version, not either of the two variations in the original email) is
new syscalls `bind_unix_anon` and `connectat`, supporting a workflow
like this:
/* server */
int lfd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
int addrfd = bind_unix_anon(
lfd,
/*flags, for the future*/0);
listen(lfd, 64);
/* client, handed `addrfd` */
int cfd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
connectat(addrfd, cfd, AT_EMPTY_PATH);
Or, more radically, `bind_unix_anon` and `connectat` could let one skip
the initial `socket` calls by returning those new sockets directly:
/* server */
int fds[2];
bind_unix_anon(
SOCK_STREAM | SOCK_CLOEXEC,
/*flags, for the future*/0,
fds);
int lfd = fds[0], addrfd = fds[1];
listen(lfd, 64);
/* client, handed `addrfd` */
int cfd = connectat(
addrfd,
SOCK_STREAM | SOCK_CLOEXEC,
AT_EMPTY_PATH);
(Note that in this variation `bind_unix_anon` would return *two* file
descriptors: one for the server, with the permission to listen, and the
other for clients, with just the privilege to `connectat`.) (Maybe
`bind_unix_anon` should furthermore `listen` right away on `lfd` too?)
Of course, it would be nice to have io_uring versions of these too. But
I don't know what the usual process is for that (regular first? io_uring
first? both at the same time?)
Thanks,
John
P.S. For anyone just getting CC'd now, the first message in this thread
is
<https://lore.kernel.org/all/b1af80fc-a57c-408d-bdfe-fa6bae26eaca@app.fastmail.com/>.
Hope that might save people a few keypresses :).
^ permalink raw reply
* Re: [PATCH v2 6/7] pci: fix dyn_id add TOCTOU
From: Danilo Krummrich @ 2026-06-30 20:16 UTC (permalink / raw)
To: Gary Guo
Cc: Bjorn Helgaas, Zhenzhong Duan, Greg Kroah-Hartman,
Rafael J. Wysocki, Damien Le Moal, Niklas Cassel, GOTO Masanori,
YOKOTA Hiroshi, James E.J. Bottomley, Martin K. Petersen,
Vaibhav Gupta, Jens Taprogge, Ido Schimmel, Petr Machata,
Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, linux-pci, driver-core, linux-kernel, linux-ide,
linux-scsi, industrypack-devel, netdev
In-Reply-To: <20260630-pci_id_fix-v2-6-b834a98c0af2@garyguo.net>
On Tue Jun 30, 2026 at 1:09 PM CEST, Gary Guo wrote:
> +static int do_pci_add_dynid(struct pci_driver *drv, const struct pci_device_id *id, bool check_dup)
> +{
> + struct pci_dynid *dynid, *existing_dynid;
> +
> + dynid = kzalloc_obj(*dynid);
> + if (!dynid)
> + return -ENOMEM;
> +
> + dynid->id = *id;
> +
> + {
> + guard(spinlock)(&drv->dynids.lock);
> + if (check_dup) {
> + list_for_each_entry(existing_dynid, &drv->dynids.list, node) {
> + if (pci_match_one_id(&existing_dynid->id, id)) {
> + kfree(dynid);
> + return -EEXIST;
> + }
> + }
> + }
> + list_add_tail(&dynid->node, &drv->dynids.list);
> + }
This should use scoped_guard(spinlock, &drv->dynids.lock) instead.
> static const struct pci_device_id *do_pci_match_id(const struct pci_device_id *ids,
> - const struct pci_device_id *dev_id)
> + const struct pci_device_id *dev_id,
> + bool match_override_only)
Maybe something along the lines of include_override_only? At a quick glance
match_override_only could be read as "match override-only entries exclusively".
^ permalink raw reply
* [PATCH 5.10] net: cpsw_new: Fix potential unregister of netdev that has not been registered yet
From: Elizaveta Tereshkina @ 2026-06-30 20:07 UTC (permalink / raw)
To: stable, Greg Kroah-Hartman
Cc: Elizaveta Tereshkina, Grygorii Strashko, David S. Miller,
Jakub Kicinski, Sasha Levin, Kevin Hao, Alexander Sverdlin,
Wenshan Lan, Ilias Apalodimas, Murali Karicheri, linux-omap,
netdev, linux-kernel, lvc-project
From: Kevin Hao <haokexin@gmail.com>
commit 9d724b34fbe13b71865ad0906a4be97571f19cf5 upstream.
If an error occurs during register_netdev() for the first MAC in
cpsw_register_ports(), even though cpsw->slaves[0].ndev is set to NULL,
cpsw->slaves[1].ndev would remain unchanged. This could later cause
cpsw_unregister_ports() to attempt unregistering the second MAC.
To address this, add a check for ndev->reg_state before calling
unregister_netdev(). With this change, setting cpsw->slaves[i].ndev
to NULL becomes unnecessary and can be removed accordingly.
Fixes: ed3525eda4c4 ("net: ethernet: ti: introduce cpsw switchdev based driver part 1 - dual-emac")
Signed-off-by: Kevin Hao <haokexin@gmail.com>
Cc: stable@vger.kernel.org
Reviewed-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
Link: https://patch.msgid.link/20260205-cpsw-error-path-v1-2-6e58bae6b299@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Wenshan Lan <jetlan9@163.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Elizaveta Tereshkina <etereshkina@astralinux.ru>
---
Backport fix for CVE-2026-43219
drivers/net/ethernet/ti/cpsw_new.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/ti/cpsw_new.c b/drivers/net/ethernet/ti/cpsw_new.c
index 66b1620b6f5b..cc276241f391 100644
--- a/drivers/net/ethernet/ti/cpsw_new.c
+++ b/drivers/net/ethernet/ti/cpsw_new.c
@@ -1456,7 +1456,8 @@ static void cpsw_unregister_ports(struct cpsw_common *cpsw)
int i = 0;
for (i = 0; i < cpsw->data.slaves; i++) {
- if (!cpsw->slaves[i].ndev)
+ if (!cpsw->slaves[i].ndev ||
+ cpsw->slaves[i].ndev->reg_state != NETREG_REGISTERED)
continue;
unregister_netdev(cpsw->slaves[i].ndev);
@@ -1476,7 +1477,6 @@ static int cpsw_register_ports(struct cpsw_common *cpsw)
if (ret) {
dev_err(cpsw->dev,
"cpsw: err registering net device%d\n", i);
- cpsw->slaves[i].ndev = NULL;
break;
}
}
--
2.39.2
^ permalink raw reply related
* Re: [PATCH v2 5/7] pci: make pci_match_one_device match on ID instead of device
From: Danilo Krummrich @ 2026-06-30 20:04 UTC (permalink / raw)
To: Gary Guo
Cc: Bjorn Helgaas, Zhenzhong Duan, Greg Kroah-Hartman,
Rafael J. Wysocki, Damien Le Moal, Niklas Cassel, GOTO Masanori,
YOKOTA Hiroshi, James E.J. Bottomley, Martin K. Petersen,
Vaibhav Gupta, Jens Taprogge, Ido Schimmel, Petr Machata,
Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, linux-pci, driver-core, linux-kernel, linux-ide,
linux-scsi, industrypack-devel, netdev
In-Reply-To: <20260630-pci_id_fix-v2-5-b834a98c0af2@garyguo.net>
On Tue Jun 30, 2026 at 1:09 PM CEST, Gary Guo wrote:
> There is a need to match just IDs instead of against devices. Thus rename
> this function to pci_match_one_id, and add a pci_id_from_device helper to
> make it easy to convert users.
>
> Similar convert pci_match_id to do_pci_match_id, however the existing API
> is kept due to quite a few users.
>
> Signed-off-by: Gary Guo <gary@garyguo.net>
Reviewed-by: Danilo Krummrich <dakr@kernel.org>
^ permalink raw reply
* Re: Please backport bridge multicast exponential field encoding fix series to stable kernels
From: Ujjal Roy @ 2026-06-30 20:03 UTC (permalink / raw)
To: Sasha Levin
Cc: David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Nikolay Aleksandrov, Ido Schimmel, David Ahern,
Shuah Khan, Andy Roulin, Yong Wang, Petr Machata, stable, Greg KH,
Greg Kroah-Hartman, Ujjal Roy, bridge, Kernel, Kernel,
linux-kselftest
In-Reply-To: <CAE2MWkn=azz3gUKGBYc1jjvVnLxDHuHk9M7wAJHdAW8v=dP5GA@mail.gmail.com>
On Thu, Jun 25, 2026 at 8:20 PM Ujjal Roy <royujjal@gmail.com> wrote:
>
> On Thu, Jun 25, 2026 at 4:12 PM Sasha Levin <sashal@kernel.org> wrote:
> >
> > > Please backport the 5-patch bridge multicast exponential field
> > > encoding series (726fa7da2d8c, 12cfb4ecc471, 95bfd196f0dc,
> > > e51560f4220a, 529dbe762de0) to the stable kernels.
> >
> > I tried, but it doesn't apply to 7.1. Could you provide a backport please?
> >
> > --
> > Thanks,
> > Sasha
>
> I will create patches on top of 7.1. But tell me what about all other
> stable releases? I have to create patches to all stables and how to
> share the patches to you? Via this email or any other process? I am a
> fresh on backporting my changes to all stables.
I have prepared the patches for stable releases mentioned in kernel.org.
And I am waiting for your response so that I can send you the patchset.
^ permalink raw reply
* Re: [PATCH net] selftests: net: bump default cmd() timeout to 20 seconds
From: Nimrod Oren @ 2026-06-30 19:59 UTC (permalink / raw)
To: Jakub Kicinski
Cc: davem, netdev, edumazet, pabeni, andrew+netdev, horms, shuah,
petrm, leitao, dw, gal, linux-kselftest
In-Reply-To: <20260629233348.2145841-1-kuba@kernel.org>
On 30/06/2026 2:33, Jakub Kicinski wrote:
> We always used 5 sec as the default command timeout. But soon after
> it was introduced, David effectively made us ignore the timeout
> (it was passed to process.communicate() as the wrong argument).
> Gal recently fixed that, but turns out the 5 sec is not enough
> for a lot of tests and setups. The fix regressed regressions.
>
> In particular running reconfig commands (e.g. XDP attach) on mlx5
> with 32 rings and 9k MTU, on a heavily-debug-enabled kernel takes
> more than 5 sec. The XDP installation command will time out after
> 5 sec but since the sleeps in the kernel are non interruptible
> the command finishes anyway, leaving the XDP program attached,
> but with non-zero exit code. defer()ed cleanups are not installed,
> breaking the environment for subsequent tests.
>
> Since "install XDP" is a pretty normal command a "point fix"
> does not seem appropriate. 32 rings is a fairly reasonable
> config, too, so we should just increase the timeout to 20 sec.
>
> There's no real reason behind the value of 20.
>
> Fixes: 1cf270424218 ("net: selftest: add test for netdev netlink queue-get API")
> Fixes: f0bd19316663 ("selftests: net: fix timeout passed as positional argument to communicate()")
> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
> ---
> CC: shuah@kernel.org
> CC: petrm@nvidia.com
> CC: leitao@debian.org
> CC: dw@davidwei.uk
> CC: noren@nvidia.com
> CC: gal@nvidia.com
> CC: linux-kselftest@vger.kernel.org
> ---
> tools/testing/selftests/net/lib/py/utils.py | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
Reviewed-by: Nimrod Oren <noren@nvidia.com>
> diff --git a/tools/testing/selftests/net/lib/py/utils.py b/tools/testing/selftests/net/lib/py/utils.py
> index 308c91833239..9b40049e2dbb 100644
> --- a/tools/testing/selftests/net/lib/py/utils.py
> +++ b/tools/testing/selftests/net/lib/py/utils.py
> @@ -44,7 +44,7 @@ import time
> Use bkg() instead to run a command in the background.
> """
> def __init__(self, comm, shell=None, fail=True, expect_fail=False, ns=None,
> - background=False, host=None, timeout=5, ksft_ready=None,
> + background=False, host=None, timeout=20, ksft_ready=None,
> ksft_wait=None):
> if ns:
> if hasattr(ns, 'user_ns_path'):
> @@ -113,7 +113,7 @@ import time
>
> return stdout, stderr
>
> - def process(self, terminate=True, fail=None, expect_fail=False, timeout=5):
> + def process(self, terminate=True, fail=None, expect_fail=False, timeout=20):
> if fail is None:
> fail = not terminate
>
^ permalink raw reply
* Re: [PATCH v6 1/9] block: partitions: of: Skip child nodes without reg property
From: Loic Poulain @ 2026-06-30 19:59 UTC (permalink / raw)
To: Rob Herring
Cc: Ulf Hansson, Krzysztof Kozlowski, Conor Dooley, Bjorn Andersson,
Konrad Dybcio, Jens Axboe, Johannes Berg, Jeff Johnson,
Bartosz Golaszewski, Marcel Holtmann, Luiz Augusto von Dentz,
Balakrishna Godavarthi, Rocky Liao, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simon Horman, Srinivas Kandagatla,
Andrew Lunn, Heiner Kallweit, Russell King, Saravana Kannan,
Christian Marangi, linux-mmc, devicetree, linux-kernel,
linux-arm-msm, linux-block, linux-wireless, ath10k,
linux-bluetooth, netdev, daniel, stable, Bartosz Golaszewski
In-Reply-To: <20260630180219.GA4139943-robh@kernel.org>
Hi Rob,
On Tue, Jun 30, 2026 at 8:02 PM Rob Herring <robh@kernel.org> wrote:
>
> On Mon, Jun 29, 2026 at 10:55:20AM +0200, Loic Poulain wrote:
> > Child nodes of a fixed-partitions node are not necessarily partition
> > entries, for example an nvmem-layout node has no reg property. The
> > current code passes a NULL reg pointer and uninitialized len to the
> > length check, which can result in a kernel panic or silent failure to
> > register any partitions.
>
> That does not sound right to me. A fixed-partitions node should only be
> defining partitions with address ranges. I would expect a partition node
> could be nvmem-layout, but not the whole address range. If you wanted
> the latter, then just do:
>
> partitions {
> ...
> };
>
> nvmem-layout {
> ...
> };
In our case, the nvmem-layout needs to be associated with a specific
eMMC hardware partition, nvmem cells can be a simple sub-range within
the global eMMC, each hardware partition (boot0, boot1, user...)
having its own address spaces.
That said, your point about not abusing fixed-partitions is valid. I
initially dropped the compatible = "fixed-partitions" from the
partitions-boot1 node when it only carries an nvmem-layout and no
actual partition entries, making it a plain named container node. But
it's a bit fragile if we want to support both nvmem-layout and
fixed-partitions.
Regarding your expectation of a partition node being a nvmem-layout,
do you mean that the nvmem-layout should live under a fixed-partitions
node? Something along these lines:
partitions-boot1 {
compatible = "fixed-partitions";
#address-cells = <1>;
#size-cells = <1>;
nvmem@4400 {
reg = <0x4400 0x1000>;
nvmem-layout {
compatible = "fixed-layout";
#address-cells = <1>;
#size-cells = <1>;
wifi_mac_addr: mac-addr@0 {
compatible = "mac-base";
reg = <0x0 0x6>;
#nvmem-cell-cells = <1>;
};
[...]
That makes some sense, this would require extra work for the
emmc/block layer to also associate fwnodes with logical partitions,
not just the whole disk/hw (hw part), Is that the direction you'd like
us to go?
Also, Note that regardless of which approach we settle on, this
specific fix/patch remains necessary to validate the partition node
and prevent NULL-deref.
Regards,
Loic
^ permalink raw reply
* Re: [PATCH v1 net-next 10/10] ipv6: fib_rules: Convert fib6_rules_net_exit_rtnl() to ->exit().
From: Kuniyuki Iwashima @ 2026-06-30 19:56 UTC (permalink / raw)
To: David Ahern, Ido Schimmel, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Kuniyuki Iwashima, netdev
In-Reply-To: <20260629181226.1929658-11-kuniyu@google.com>
Replying to Sashiko review
On Mon, Jun 29, 2026 at 11:12 AM Kuniyuki Iwashima <kuniyu@google.com> wrote:
>
> Now fib_rule is protected by per-ops mutex.
>
> fib6_rules_net_exit_batch() no longer needs RTNL.
>
> Let's convert it to ->exit() and drop RTNL.
>
> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
> ---
> net/ipv6/fib6_rules.c | 13 +++----------
> 1 file changed, 3 insertions(+), 10 deletions(-)
>
> diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
> index 5ab4dde07225..04dab9329d0c 100644
> --- a/net/ipv6/fib6_rules.c
> +++ b/net/ipv6/fib6_rules.c
> @@ -635,21 +635,14 @@ static int __net_init fib6_rules_net_init(struct net *net)
> goto out;
> }
>
> -static void __net_exit fib6_rules_net_exit_batch(struct list_head *net_list)
> +static void __net_exit fib6_rules_net_exit(struct net *net)
> {
> - struct net *net;
> -
> - rtnl_lock();
> - list_for_each_entry(net, net_list, exit_list) {
> - fib_rules_unregister(net->ipv6.fib6_rules_ops);
> - cond_resched();
> - }
> - rtnl_unlock();
> + fib_rules_unregister(net->ipv6.fib6_rules_ops);
> }
---8<---
Does removing the rtnl_lock() here introduce a use-after-free and list
corruption regression with the netdev notifier fib_rules_event()?
When a veth interface is deleted while its peer is in a network namespace
undergoing teardown, the cleanup_net workqueue can execute this locklessly.
---8<---
Again, Sashiko misunderstands that a veth device can be removed
while the netns of its paired veth is being destroyed, which cannot
happen.
Even if it's possible, the concerned net->rules_ops is namespacified,
so no race can happen.
>
> static struct pernet_operations fib6_rules_net_ops = {
> .init = fib6_rules_net_init,
> - .exit_batch = fib6_rules_net_exit_batch,
> + .exit = fib6_rules_net_exit,
> };
>
> int __init fib6_rules_init(void)
> --
> 2.55.0.rc0.799.gd6f94ed593-goog
>
^ permalink raw reply
* Re: [PATCH v1 net-next 07/10] net: fib_rules: Drop RTNL assertions.
From: Kuniyuki Iwashima @ 2026-06-30 19:52 UTC (permalink / raw)
To: David Ahern, Ido Schimmel, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Kuniyuki Iwashima, netdev
In-Reply-To: <20260629181226.1929658-8-kuniyu@google.com>
Replying to Sashiko review.
On Mon, Jun 29, 2026 at 11:12 AM Kuniyuki Iwashima <kuniyu@google.com> wrote:
>
> Now, fib_rule structs are protected by per-fib_rules_ops mutex.
>
> Let's drop ASSERT_RTNL_NET() and rtnl_dereference().
>
> Note that fib_rules_event() iterates over net->rules_ops without
> net->rules_mod_lock, but this is fine because all fib_rule users
> are built-in and concurrent fib_rules_unregister() does not happen.
---8<---
Is this description accurate?
---8<---
Yes.
---8<---
It appears that unprivileged users can trigger a race here via user
namespaces. If a user creates two network namespaces with a veth pair, moving
one interface to each, and then triggers netns destruction on one namespace
while concurrently deleting the veth interface from the other namespace:
...
---8<---
Sashiko somehow thinks it's possible to remove a netdev and dismantle
another netns, both of which require RTNL, so false-positive.
>
> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
> ---
> net/core/fib_rules.c | 9 +++------
> 1 file changed, 3 insertions(+), 6 deletions(-)
>
> diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
> index 25a3fd997782..5eef5d6ace82 100644
> --- a/net/core/fib_rules.c
> +++ b/net/core/fib_rules.c
> @@ -387,7 +387,6 @@ static int call_fib_rule_notifiers(struct net *net,
> .rule = rule,
> };
>
> - ASSERT_RTNL_NET(net);
> lockdep_assert_held(&ops->lock);
>
> /* Paired with READ_ONCE() in fib_rules_seq() */
> @@ -955,7 +954,7 @@ int fib_newrule(struct net *net, struct sk_buff *skb, struct nlmsghdr *nlh,
> list_for_each_entry(r, &ops->rules_list, list) {
> if (r->action == FR_ACT_GOTO &&
> r->target == rule->pref &&
> - rtnl_dereference(r->ctarget) == NULL) {
> + !rcu_access_pointer(r->ctarget)) {
> rcu_assign_pointer(r->ctarget, rule);
> if (--ops->unresolved_rules == 0)
> break;
> @@ -1064,7 +1063,7 @@ int fib_delrule(struct net *net, struct sk_buff *skb, struct nlmsghdr *nlh,
>
> if (rule->action == FR_ACT_GOTO) {
> ops->nr_goto_rules--;
> - if (rtnl_dereference(rule->ctarget) == NULL)
> + if (!rcu_access_pointer(rule->ctarget))
> ops->unresolved_rules--;
> }
>
> @@ -1082,7 +1081,7 @@ int fib_delrule(struct net *net, struct sk_buff *skb, struct nlmsghdr *nlh,
> if (&n->list == &ops->rules_list || n->pref != rule->pref)
> n = NULL;
> list_for_each_entry(r, &ops->rules_list, list) {
> - if (rtnl_dereference(r->ctarget) != rule)
> + if (rcu_access_pointer(r->ctarget) != rule)
> continue;
> rcu_assign_pointer(r->ctarget, n);
> if (!n)
> @@ -1400,8 +1399,6 @@ static int fib_rules_event(struct notifier_block *this, unsigned long event,
> struct net *net = dev_net(dev);
> struct fib_rules_ops *ops;
>
> - ASSERT_RTNL();
> -
> switch (event) {
> case NETDEV_REGISTER:
> list_for_each_entry(ops, &net->rules_ops, list) {
> --
> 2.55.0.rc0.799.gd6f94ed593-goog
>
^ permalink raw reply
* [PATCH net] llc: fix SAP refcount leak in llc_ui_autobind()
From: Shuangpeng Bai @ 2026-06-30 19:48 UTC (permalink / raw)
To: netdev
Cc: davem, edumazet, kuba, pabeni, horms, linux-kernel,
Shuangpeng Bai, stable
llc_ui_autobind() opens a SAP after choosing a dynamic LSAP.
llc_sap_open() returns a reference owned by the caller, and
llc_sap_add_socket() takes a second reference for the socket's
membership in the SAP hash tables.
llc_ui_bind() drops the caller's reference after adding the socket,
but llc_ui_autobind() keeps it. When the socket is closed,
llc_sap_remove_socket() releases only the socket reference, leaving
the SAP on llc_sap_list with sk_count == 0.
This is user-visible because repeated autobind and close cycles can consume
all dynamic SAP values and make later autobinds fail with -EUSERS.
Drop the caller's reference after a successful autobind, matching
llc_ui_bind()'s ownership model.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
---
net/llc/af_llc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 8ed1be1ecccc..b0447c33dbf0 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -312,6 +312,7 @@ static int llc_ui_autobind(struct socket *sock, struct sockaddr_llc *addr)
/* assign new connection to its SAP */
llc_sap_add_socket(sap, sk);
sock_reset_flag(sk, SOCK_ZAPPED);
+ llc_sap_put(sap);
rc = 0;
out:
dev_put(dev);
--
2.43.0
^ permalink raw reply related
* Re: [PATCH v2 4/7] mlxsw: don't keep pci_device_id
From: Danilo Krummrich @ 2026-06-30 19:48 UTC (permalink / raw)
To: Gary Guo
Cc: Bjorn Helgaas, Zhenzhong Duan, Greg Kroah-Hartman,
Rafael J. Wysocki, Damien Le Moal, Niklas Cassel, GOTO Masanori,
YOKOTA Hiroshi, James E.J. Bottomley, Martin K. Petersen,
Vaibhav Gupta, Jens Taprogge, Ido Schimmel, Petr Machata,
Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, linux-pci, driver-core, linux-kernel, linux-ide,
linux-scsi, industrypack-devel, netdev
In-Reply-To: <20260630-pci_id_fix-v2-4-b834a98c0af2@garyguo.net>
On Tue Jun 30, 2026 at 1:09 PM CEST, Gary Guo wrote:
> pci_device_id is not guaranteed to live longer than probe due to presence
> of dynamic ID. This stored ID is unused so remove it.
>
> Signed-off-by: Gary Guo <gary@garyguo.net>
Reviewed-by: Danilo Krummrich <dakr@kernel.org>
^ permalink raw reply
* Re: [PATCH v2 3/7] ipack: tpci200: don't keep pci_device_id
From: Danilo Krummrich @ 2026-06-30 19:47 UTC (permalink / raw)
To: Gary Guo
Cc: Bjorn Helgaas, Zhenzhong Duan, Greg Kroah-Hartman,
Rafael J. Wysocki, Damien Le Moal, Niklas Cassel, GOTO Masanori,
YOKOTA Hiroshi, James E.J. Bottomley, Martin K. Petersen,
Vaibhav Gupta, Jens Taprogge, Ido Schimmel, Petr Machata,
Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, linux-pci, driver-core, linux-kernel, linux-ide,
linux-scsi, industrypack-devel, netdev
In-Reply-To: <20260630-pci_id_fix-v2-3-b834a98c0af2@garyguo.net>
On Tue Jun 30, 2026 at 1:09 PM CEST, Gary Guo wrote:
> pci_device_id is not guaranteed to live longer than probe due to presence
> of dynamic ID. This stored ID is unused so remove it.
>
> Signed-off-by: Gary Guo <gary@garyguo.net>
Reviewed-by: Danilo Krummrich <dakr@kernel.org>
^ permalink raw reply
* Re: [PATCH v2 2/7] nsp32: don't keep pci_device_id
From: Danilo Krummrich @ 2026-06-30 19:46 UTC (permalink / raw)
To: Gary Guo
Cc: Bjorn Helgaas, Zhenzhong Duan, Greg Kroah-Hartman,
Rafael J. Wysocki, Damien Le Moal, Niklas Cassel, GOTO Masanori,
YOKOTA Hiroshi, James E.J. Bottomley, Martin K. Petersen,
Vaibhav Gupta, Jens Taprogge, Ido Schimmel, Petr Machata,
Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, linux-pci, driver-core, linux-kernel, linux-ide,
linux-scsi, industrypack-devel, netdev
In-Reply-To: <20260630-pci_id_fix-v2-2-b834a98c0af2@garyguo.net>
On Tue Jun 30, 2026 at 1:09 PM CEST, Gary Guo wrote:
> pci_device_id is not guaranteed to live longer than probe due to presence
> of dynamic ID. All information apart from driver_data can be easily
> retrieved from pci_dev, so just store driver_data.
>
> Signed-off-by: Gary Guo <gary@garyguo.net>
Reviewed-by: Danilo Krummrich <dakr@kernel.org>
^ permalink raw reply
* Re: [PATCH v2 1/7] ata: don't keep pci_device_id
From: Danilo Krummrich @ 2026-06-30 19:46 UTC (permalink / raw)
To: Gary Guo
Cc: Bjorn Helgaas, Zhenzhong Duan, Greg Kroah-Hartman,
Rafael J. Wysocki, Damien Le Moal, Niklas Cassel, GOTO Masanori,
YOKOTA Hiroshi, James E.J. Bottomley, Martin K. Petersen,
Vaibhav Gupta, Jens Taprogge, Ido Schimmel, Petr Machata,
Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, linux-pci, driver-core, linux-kernel, linux-ide,
linux-scsi, industrypack-devel, netdev
In-Reply-To: <20260630-pci_id_fix-v2-1-b834a98c0af2@garyguo.net>
On Tue Jun 30, 2026 at 1:09 PM CEST, Gary Guo wrote:
> pci_device_id is not guaranteed to live longer than probe due to presence
> of dynamic ID. All information apart from driver_data can be easily
> retrieved from pci_dev, so just store driver_data.
>
> Signed-off-by: Gary Guo <gary@garyguo.net>
Reviewed-by: Danilo Krummrich <dakr@kernel.org>
^ permalink raw reply
* Re: [syzbot] [wireless?] WARNING in mac80211_hwsim_tx (2)
From: syzbot @ 2026-06-30 19:33 UTC (permalink / raw)
To: johannes, linux-kernel, linux-wireless, netdev, syzkaller-bugs
In-Reply-To: <6a00f268.170a0220.1c0296.021c.GAE@google.com>
syzbot has found a reproducer for the following issue on:
HEAD commit: dc59e4fea9d8 Linux 7.2-rc1
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12f58032580000
kernel config: https://syzkaller.appspot.com/x/.config?x=3c3d59be33cf7e9a
dashboard link: https://syzkaller.appspot.com/bug?extid=435fdb053cf98bfa5778
compiler: Debian clang version 22.1.8 (++20260613092233+e80beda6e255-1~exp1~20260613092250.77), Debian LLD 22.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13a73289580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=135db61e580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-dc59e4fe.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9ee1f0ea24f2/vmlinux-dc59e4fe.xz
kernel image: https://storage.googleapis.com/syzbot-assets/729e963a1370/bzImage-dc59e4fe.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+435fdb053cf98bfa5778@syzkaller.appspotmail.com
mac80211_hwsim hwsim5 wlan1: entered allmulticast mode
------------[ cut here ]------------
hwsim_get_chanwidth(bw) > hwsim_get_chanwidth(confbw)
WARNING: drivers/net/wireless/virtual/mac80211_hwsim_main.c:2248 at mac80211_hwsim_tx+0x1ab4/0x2500 drivers/net/wireless/virtual/mac80211_hwsim_main.c:2248, CPU#0: syz.0.17/5510
Modules linked in:
CPU: 0 UID: 0 PID: 5510 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:mac80211_hwsim_tx+0x1ab4/0x2500 drivers/net/wireless/virtual/mac80211_hwsim_main.c:2248
Code: c6 05 da 65 07 09 01 48 c7 c7 e0 74 7a 8c be 6b 08 00 00 48 c7 c2 20 76 7a 8c e8 a7 d6 8c fa e9 ff ee ff ff e8 7d eb b0 fa 90 <0f> 0b 90 49 bc 00 00 00 00 00 fc ff df e9 dd fe ff ff e8 65 eb b0
RSP: 0018:ffffc9000278efe0 EFLAGS: 00010293
RAX: ffffffff87158693 RBX: 0000000000000000 RCX: ffff888000ad8000
RDX: 0000000000000000 RSI: 0000000000000014 RDI: 00000000000000a0
RBP: ffffc9000278f170 R08: ffff888000ad8000 R09: 000000000000000e
R10: 000000000000000d R11: 0000000000000000 R12: 0000000000000014
R13: ffff8880120b3cb0 R14: 00000000000000a0 R15: 0000000000000030
FS: 000055559073c500(0000) GS:ffff88808c815000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005562391e0138 CR3: 0000000012ea1000 CR4: 0000000000352ef0
Call Trace:
<TASK>
drv_tx net/mac80211/driver-ops.h:38 [inline]
ieee80211_tx_frags+0x3df/0x890 net/mac80211/tx.c:1746
__ieee80211_tx+0x267/0x580 net/mac80211/tx.c:1801
ieee80211_tx+0x312/0x4b0 net/mac80211/tx.c:1984
ieee80211_monitor_start_xmit+0xb33/0x1280 net/mac80211/tx.c:2479
__netdev_start_xmit include/linux/netdevice.h:5400 [inline]
netdev_start_xmit include/linux/netdevice.h:5409 [inline]
xmit_one net/core/dev.c:3889 [inline]
dev_hard_start_xmit+0x2cd/0x830 net/core/dev.c:3905
__dev_queue_xmit+0x1435/0x37f0 net/core/dev.c:4872
packet_snd net/packet/af_packet.c:3082 [inline]
packet_sendmsg+0x3d95/0x5040 net/packet/af_packet.c:3114
sock_sendmsg_nosec+0x13a/0x180 net/socket.c:775
__sock_sendmsg net/socket.c:790 [inline]
__sys_sendto+0x408/0x5a0 net/socket.c:2252
__do_sys_sendto net/socket.c:2259 [inline]
__se_sys_sendto net/socket.c:2255 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2255
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc04219ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcb766be38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc042415fa0 RCX: 00007fc04219ce59
RDX: 0000000000000030 RSI: 0000200000000640 RDI: 0000000000000008
RBP: 00007fc042232e6f R08: 0000200000000380 R09: 0000000000000014
R10: 0000000004000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc042415fac R14: 00007fc042415fa0 R15: 00007fc042415fa0
</TASK>
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
^ permalink raw reply
* [RFC PATCH bpf-next v1 7/7] selftests/bpf: cover bpf_xdp_metadata_rx_csum in xdp_metadata
From: Vladimir Vdovin @ 2026-06-30 19:15 UTC (permalink / raw)
To: bpf, netdev
Cc: ast, daniel, andrii, martin.lau, sdf, hawk, john.fastabend, kuba,
Vladimir Vdovin
In-Reply-To: <20260630191510.81402-1-deliran@verdict.gg>
Call bpf_xdp_metadata_rx_csum() in the xdp_metadata program and export the
status to userspace. veth surfaces skb->ip_summed: a frame injected via
AF_XDP carries no checksum context (XDP_CSUM_NONE), while one sent through
the stack is CHECKSUM_PARTIAL (XDP_CSUM_VERIFIED). Assert each.
Signed-off-by: Vladimir Vdovin <deliran@verdict.gg>
---
tools/testing/selftests/bpf/prog_tests/xdp_metadata.c | 10 ++++++++++
tools/testing/selftests/bpf/progs/xdp_metadata.c | 9 +++++++++
tools/testing/selftests/bpf/xdp_metadata.h | 8 ++++++++
3 files changed, 27 insertions(+)
diff --git a/tools/testing/selftests/bpf/prog_tests/xdp_metadata.c b/tools/testing/selftests/bpf/prog_tests/xdp_metadata.c
index 5c31054ad4a4..77f55696eb78 100644
--- a/tools/testing/selftests/bpf/prog_tests/xdp_metadata.c
+++ b/tools/testing/selftests/bpf/prog_tests/xdp_metadata.c
@@ -310,6 +310,16 @@ static int verify_xsk_metadata(struct xsk *xsk, bool sent_from_af_xdp)
if (!ASSERT_NEQ(meta->rx_hash, 0, "rx_hash"))
return -1;
+ /* veth surfaces the checksum verdict from skb->ip_summed. A packet
+ * injected via AF_XDP carries no checksum context and is CHECKSUM_NONE,
+ * while one sent through the stack is CHECKSUM_PARTIAL and reads back as
+ * verified.
+ */
+ if (!ASSERT_EQ(meta->rx_csum_status,
+ sent_from_af_xdp ? XDP_META_CSUM_NONE : XDP_META_CSUM_VERIFIED,
+ "rx_csum_status"))
+ return -1;
+
if (!sent_from_af_xdp) {
if (!ASSERT_NEQ(meta->rx_hash_type & XDP_RSS_TYPE_L4, 0, "rx_hash_type"))
return -1;
diff --git a/tools/testing/selftests/bpf/progs/xdp_metadata.c b/tools/testing/selftests/bpf/progs/xdp_metadata.c
index 09bb8a038d52..0089c6c5a2e4 100644
--- a/tools/testing/selftests/bpf/progs/xdp_metadata.c
+++ b/tools/testing/selftests/bpf/progs/xdp_metadata.c
@@ -33,6 +33,8 @@ extern int bpf_xdp_metadata_rx_hash(const struct xdp_md *ctx, __u32 *hash,
extern int bpf_xdp_metadata_rx_vlan_tag(const struct xdp_md *ctx,
__be16 *vlan_proto,
__u16 *vlan_tci) __ksym;
+extern int bpf_xdp_metadata_rx_csum(const struct xdp_md *ctx,
+ enum xdp_csum_status *csum_status) __ksym;
SEC("xdp")
int rx(struct xdp_md *ctx)
@@ -43,6 +45,7 @@ int rx(struct xdp_md *ctx)
struct udphdr *udp = NULL;
struct iphdr *iph = NULL;
struct xdp_meta *meta;
+ enum xdp_csum_status csum_status;
u64 timestamp = -1;
int ret;
@@ -99,6 +102,12 @@ int rx(struct xdp_md *ctx)
bpf_xdp_metadata_rx_vlan_tag(ctx, &meta->rx_vlan_proto,
&meta->rx_vlan_tci);
+ ret = bpf_xdp_metadata_rx_csum(ctx, &csum_status);
+ if (ret < 0)
+ meta->rx_csum_err = ret;
+ else
+ meta->rx_csum_status = csum_status;
+
return bpf_redirect_map(&xsk, ctx->rx_queue_index, XDP_PASS);
}
diff --git a/tools/testing/selftests/bpf/xdp_metadata.h b/tools/testing/selftests/bpf/xdp_metadata.h
index 87318ad1117a..ba1b2902b371 100644
--- a/tools/testing/selftests/bpf/xdp_metadata.h
+++ b/tools/testing/selftests/bpf/xdp_metadata.h
@@ -30,6 +30,10 @@ enum xdp_meta_field {
XDP_META_FIELD_VLAN_TAG = BIT(2),
};
+/* Mirror of enum xdp_csum_status (include/net/xdp.h) for userspace asserts. */
+#define XDP_META_CSUM_NONE 0
+#define XDP_META_CSUM_VERIFIED 1
+
struct xdp_meta {
union {
__u64 rx_timestamp;
@@ -48,5 +52,9 @@ struct xdp_meta {
};
__s32 rx_vlan_tag_err;
};
+ union {
+ __u32 rx_csum_status;
+ __s32 rx_csum_err;
+ };
enum xdp_meta_field hint_valid;
};
--
2.47.0
^ permalink raw reply related
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox