summaryrefslogtreecommitdiff
path: root/net
AgeCommit message (Collapse)Author
2026-06-05xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state()Tristan Madani
iptfs_destroy_state() calls hrtimer_cancel() while holding a spinlock that the timer callback also acquires, leading to an ABBA deadlock on SMP systems. For the output timer (iptfs_timer): - iptfs_destroy_state() holds x->lock, calls hrtimer_cancel() - iptfs_delay_timer() callback takes x->lock For the drop timer (drop_timer): - iptfs_destroy_state() holds drop_lock, calls hrtimer_cancel() - iptfs_drop_timer() callback takes drop_lock Both timers use HRTIMER_MODE_REL_SOFT, so their callbacks run in softirq context. When hrtimer_cancel() is called for a soft timer that is currently executing on another CPU, hrtimer_cancel_wait_running() spins on softirq_expiry_lock -- the same lock held by the softirq running the callback. If the callback is blocked waiting for the spinlock held by the caller of hrtimer_cancel(), a circular dependency forms: CPU 0: holds lock_A -> waits for softirq_expiry_lock CPU 1: holds softirq_expiry_lock -> waits for lock_A Fix by calling hrtimer_cancel() before acquiring the respective locks. hrtimer_cancel() is safe to call without holding any lock and will wait for any in-progress callback to complete. For the output timer, the lock is still acquired afterwards to drain the packet queue. For the drop timer, the lock/unlock pair is removed entirely since it only existed to serialize with the timer callback, which hrtimer_cancel() already guarantees. Found by source code audit. Fixes: 4b3faf610cc6 ("xfrm: iptfs: add new iptfs xfrm mode impl") Cc: Christian Hopps <chopps@labn.net> Cc: Steffen Klassert <steffen.klassert@secunet.com> Cc: stable@vger.kernel.org Signed-off-by: Tristan Madani <tristan@talencesecurity.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2026-06-05wifi: nl80211: Increase ie_len size to prevent truncated IEs in new peer ↵Thiyagarajan Pandiyan
notifications Currently, ie_len in cfg80211_notify_new_peer_candidate is defined as 1-byte field, capping the maximum IE list size at 255 bytes. When a large beacon is received, the IE list is truncated, passing incomplete data to wpa_supplicant. This causes supplicant to fail parsing the IEs. Increasing the size of ie_len to allow the full length of the IE list to be forwarded properly. Signed-off-by: Thiyagarajan Pandiyan <thiyagarajan@aerlync.com> Link: https://patch.msgid.link/20260605054307.427874-1-thiyagarajan@aerlync.com Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-06-05wifi: mac80211: fold tid_ampdu_rx allocations into a flexible arrayRosen Penev
Convert the separately-allocated reorder_buf pointer to a C99 flexible array member at the end of struct tid_ampdu_rx, with both the sk_buff_head and the jiffies timestamp in each array element. This collapses three allocations into one and removes the corresponding kfree() pairs from the error and free paths. Assisted-by: opencode:big-pickle Signed-off-by: Rosen Penev <rosenp@gmail.com> Link: https://patch.msgid.link/20260605005627.317194-1-rosenp@gmail.com [fix kernel-doc] Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-06-05wifi: mac80211: Fix -Wc23-extensions in hwmp_route_info_get()Nathan Chancellor
When building with a version of clang that supports '-fms-anonymous-structs' (which will be used by the kernel instead of the wider '-fms-extensions'), there are a couple warnings after some recent mesg_hwmp.c changes: net/mac80211/mesh_hwmp.c:373:3: error: label followed by a declaration is a C23 extension [-Werror,-Wc23-extensions] 373 | struct ieee80211_mesh_hwmp_preq_top *preq_elem_top = | ^ net/mac80211/mesh_hwmp.c:390:3: error: label followed by a declaration is a C23 extension [-Werror,-Wc23-extensions] 390 | struct ieee80211_mesh_hwmp_prep_top *prep_elem_top = | ^ 2 errors generated. Enclose the switch case blocks in braces to clear up the warning. Fixes: a91c65cb99d1 ("wifi: mac80211: Use struct instead of macro for PREP frame") Fixes: 4ac20bd40b7d ("wifi: mac80211: Use struct instead of macro for PREQ frame") Signed-off-by: Nathan Chancellor <nathan@kernel.org> Link: https://patch.msgid.link/20260604-mac80211-mesh_hwmp-fix-c23-extensions-v1-1-25a64d6ce541@kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-06-05batman-adv: fix kernel-doc typos and grammar errorsSven Eckelmann
Various minor errors were gathered over the time in batman-adv's kernel-doc comments. Get rid of many of them before they are copied (again) to new functions. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-05batman-adv: fix batadv_v_ogm_packet_recv error handling kernel-docSven Eckelmann
All receive handlers in batman-adv are consuming the skbuff independent of the result of the handler. The "(without freeing the skb) on failure" is therefore not corrrect anymore for the current implementation. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-05batman-adv: bla: update stale kernel-docSven Eckelmann
The bridge-loop-avoidance code was changed recently to avoid inconsistent state and race condition problems. The kernel-doc addded in these commits (and related code) has various minor deficits which are now resolved. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-05batman-adv: tp_meter: update stale kernel-doc after refactoringSven Eckelmann
The tp_meter codebase was recently refactored: * throughput meter sender and receiver variables were split into two different structures * the congestion control variables were extracted in a separate structure But the kernel-doc was not updated everywhere to reflect these changes. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-05batman-adv: correct batadv_wifi_* kernel-docSven Eckelmann
The original kernel documentation for the batadv_wifi_* functions contained copy+paste errors. Correct them to make it easier understandable. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-05batman-adv: document cleanup of batadv_wifi_net_devices entriesSven Eckelmann
It doesn't seem to be obvious how the entries from the batadv_wifi_net_devices rhashtable are getting removed before the actual rhashtable is destroyed. Document the idea behind the process and which steps are involved. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-05batman-adv: use GFP_KERNEL allocations for the wifi detection cacheSven Eckelmann
The batadv_wifi_net_device_insert() is called with ASSERT_RTNL() held, but not inside a spinlock or another context which prevents "might_sleep" functions. To relax the requirements for the allocator, use GFP_KERNEL. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-05batman-adv: drop duplicated wifi_flags assignmentsSven Eckelmann
During the initialization of the batadv_wifi_net_device_state, it is enough to write the wifi_flags once before the batadv_wifi_net_device_state is added to the batadv_wifi_net_devices rhashtable. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-05batman-adv: convert cancellation of work items to disable helperSven Eckelmann
With commit 86898fa6b8cd ("workqueue: Implement disable/enable for (delayed) work items"), work queues gained the ability to permanently disallow re-queuing of work items. This is particularly important during object teardown, where a work item must not be re-armed after shutdown begins. Convert all cancel_work_sync() and cancel_delayed_work_sync() call sites to their disable_* equivalents to clarify the intent to prevent re-arming after teardown. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-05batman-adv: tp_meter: initialize last_recv_time during initSven Eckelmann
The last_recv_time is the most important indicator for a receiver session to figure out whether a session timed out or not. But this information was only initialized after the session was added to the tp_receiver_list and after the timer was started. In the worst case, the timer (function) could have tried to access this information before the actual initialization was reached. Like rest of the variables of the tp_meter receiver session, this field has to be filled out before any other (parallel running) context has the chance to access it. Cc: stable@kernel.org Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation") Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-04Merge tag 'batadv-next-pullrequest-20260603' of https://git.open-mesh.org/batadvJakub Kicinski
Simon Wunderlich says: ==================== This cleanup patchset includes the following patches, all by Sven Eckelmann: - tp_meter: fix various minor issues (8 patches) - tp_meter: split generic session type in sender and receiver type - tp_meter: consolidate locking for congestion control (2 patches) - bla: annotate lasttime access with READ/WRITE_ONCE - elp: prevent transmission interval underflow - tt: sync local and global tvlv preparation return values - tt: directly retrieve wifi flags of net_device * tag 'batadv-next-pullrequest-20260603' of https://git.open-mesh.org/batadv: batman-adv: tt: directly retrieve wifi flags of net_device batman-adv: tt: sync local and global tvlv preparation return values batman-adv: prevent ELP transmission interval underflow batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE batman-adv: tp_meter: consolidate congestion control variables batman-adv: tp_meter: use locking for all congestion control variables batman-adv: tp_meter: split vars into sender and receiver types batman-adv: tp_meter: add only finished tp_vars to lists batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection batman-adv: tp_meter: fix fast recovery precondition batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd batman-adv: tp_meter: avoid window underflow batman-adv: tp_meter: initialize dec_cwnd explicitly batman-adv: tp_meter: initialize dup_acks explicitly batman-adv: tp_meter: keep unacked list in ascending ordered ==================== Link: https://patch.msgid.link/20260603072527.174487-1-sw@simonwunderlich.de Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04net/dns_resolver: use kasprintf + kmemdup_nul to simplify dns_queryThorsten Blum
Use kasprintf() for descriptions with a query type and kmemdup_nul() otherwise to simplify dns_query(). Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260602071343.962830-2-thorsten.blum@linux.dev Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04ipv6: use READ_ONCE() in ipv6_flowlabel_get()Runyu Xiao
ipv6_flowlabel_get() reads flowlabel_consistency and flowlabel_state_ranges locklessly. Use READ_ONCE() for these sysctl accesses. Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn> Reviewed-by: Ido Schimmel <idosch@nvidia.com> Link: https://patch.msgid.link/20260602002506.1519901-1-runyu.xiao@seu.edu.cn Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04ipv6: use READ_ONCE() for bindv6only default in inet6_create()Runyu Xiao
inet6_create() reads net->ipv6.sysctl.bindv6only locklessly. Use READ_ONCE() for this sysctl access. Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn> Reviewed-by: Ido Schimmel <idosch@nvidia.com> Link: https://patch.msgid.link/20260602002414.1504106-1-runyu.xiao@seu.edu.cn Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04inet: frags: remove redundant assignment in inet_frag_reasm_prepare()yuan.gao
The assignment is redundant because skb_clone() already copies skb->cb. Remove the unnecessary code. Signed-off-by: yuan.gao <yuan.gao@ucloud.cn> Link: https://patch.msgid.link/20260603065323.2736839-1-yuan.gao@ucloud.cn Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04rtnetlink: use dev_isalive() in rtnl_getlink()Eric Dumazet
rtnl_getlink() uses an RCU lookup to get the netdevice pointer. When/If rtnl_lock() is used, we should check if the netdevice is not being dismantled before potentially perform illegal actions. Move dev_isalive() out of net/core/net-sysfs.c and make it available in net/core/dev.h. Return -ENODEV if rtnl_getlink() finds a device which is currently being dismantled and RTNL is requested. Fixes: e896e5c0734b ("rtnetlink: do not acquire RTNL in rtnl_getlink() with RTEXT_FILTER_NAME_ONLY") Signed-off-by: Eric Dumazet <edumazet@google.com> Suggested-by: Jakub Kicinski <kuba@kernel.org> Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Link: https://patch.msgid.link/20260603180831.1024716-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04bridge: mcast: Synchronously shutdown port multicast timersIdo Schimmel
Currently, while four timers are set up during port multicast context initialization, only two are synchronously deleted when the context is de-initialized, just before being deleted. This is fine because the structure containing the multicast context (either a bridge port or a VLAN) is only deleted after an RCU grace period and it will not pass as long as the timers are executing. These timers are also not supposed to do any work at this stage. They acquire the bridge multicast lock, see that the multicast context was disabled and exit. Make the code more explicit and symmetric and synchronously shutdown all four timers when the multicast context is de-initialized. Use timer_shutdown_sync() to guarantee that the timers will not be re-armed given that the containing structure is being deleted. Acked-by: Nikolay Aleksandrov <nikolay@nvidia.com> Signed-off-by: Ido Schimmel <idosch@nvidia.com> Link: https://patch.msgid.link/20260603103522.622411-1-idosch@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04inet: frags: fix use-after-free caused by the fqdir_pre_exit() flushHyunwoo Kim
On netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and flushes every fragment queue that is not yet complete using inet_frag_queue_flush(). That helper frees all the skbs queued on the fragment queue but does not set INET_FRAG_COMPLETE, and leaves q->fragments_tail and q->last_run_head pointing at the freed skbs. The queue itself stays in the rhashtable. fqdir_pre_exit() first lowers high_thresh to 0 to stop new queue lookups, but it cannot stop a fragment that already obtained the queue through inet_frag_find() earlier and stalled just before taking the queue lock. Once that fragment resumes after the flush and takes the queue lock, it passes the INET_FRAG_COMPLETE check and then dereferences the freed fragments_tail. inet_frag_queue_insert() reads FRAG_CB() and ->len of that pointer and, on the append path, writes ->next_frag, causing a slab use-after-free. IPv6, nf_conntrack_reasm6 and 6lowpan reassembly share the same flush path and are affected as well. Reset rb_fragments, fragments_tail and last_run_head in inet_frag_queue_flush() so a flushed queue no longer points at the freed skbs. A fragment that resumes after the flush and takes the queue lock then finds an empty queue and starts a new run instead of dereferencing the freed fragments_tail. ip_frag_reinit() already performed this reset after its own flush, so drop the now duplicate code there. Cc: stable@vger.kernel.org Fixes: 006a5035b495 ("inet: frags: flush pending skbs in fqdir_pre_exit()") Suggested-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com> Link: https://patch.msgid.link/ah6ukYq5G98LshdA@v4bel Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/netJakub Kicinski
Cross-merge networking fixes after downstream PR (net-7.1-rc7). Silent conflicts: net/wireless/nl80211.c cb9959ab5f99 ("wifi: cfg80211: enforce HE/EHT cap/oper consistency") a384ae969902 ("wifi: cfg80211: move AP HT/VHT/... operation to beacon info") https://lore.kernel.org/aiGJDaHV4UlCexIQ@sirena.org.uk Conflicts: drivers/net/wireless/intel/iwlwifi/mld/ap.c a342c99cb70d ("wifi: iwlwifi: mld: honor BSS_CHANGED_BEACON_ENABLED") 9bf1b409afc7 ("wifi: iwlwifi: mld: send tx power constraints before link activation") https://lore.kernel.org/ah2bfedhV45ZxMO8@sirena.org.uk drivers/net/wireless/intel/iwlwifi/pcie/drv.c 093305d801fa ("wifi: iwlwifi: pcie: simplify the resume flow if fast resume is not used") e2323929a68a ("wifi: iwlwifi: pcie: add debug print for resume flow if powered off") https://lore.kernel.org/ah2bfedhV45ZxMO8@sirena.org.uk Adjacent changes: drivers/net/ethernet/airoha/airoha_eth.c b38cae85d1c4 ("net: airoha: Fix use-after-free in metadata dst teardown") ec6c391bcca7 ("net: airoha: Introduce airoha_gdm_dev struct") drivers/net/ethernet/microchip/lan743x_main.c 8173d22b211f ("net: lan743x: permit VLAN-tagged packets up to configured MTU") e3c6508a46f5 ("net: lan743x: avoid netdev-based logging before netdev registration") Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04net: ethtool: make sure __ethtool_get_link_ksettings() is ops-lockedJakub Kicinski
All drivers which may call *_get_link_ksettings() on ops-locked devices from paths already holding the ops lock are ready now. Make __ethtool_get_link_ksettings() take the ops lock, and assert that it's held in netif_get_link_ksettings(). Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de> Acked-by: Stanislav Fomichev <sdf@fomichev.me> Link: https://patch.msgid.link/20260603012840.2254293-12-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04net: sched: don't recurse on the netdev ops lock in qdiscsJakub Kicinski
cbs_set_port_rate() and taprio_set_picos_per_byte() are reached from two paths and both already hold the device's ops lock: *_change(), via tc_modify_qdisc() which calls netdev_lock_ops(dev) before dispatching to the qdisc ops. *_dev_notifier() on NETDEV_UP / NETDEV_CHANGE, where caller holds the ops lock across the notifier chain. Switch to netif_get_link_ksettings() to avoid deadlock once __ethtool_get_link_ksettings() starts taking the netdev lock. Link: https://patch.msgid.link/20260603012840.2254293-9-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04net: bridge: don't recurse on the port's netdev ops lockJakub Kicinski
port_cost() calls __ethtool_get_link_ksettings() on the port device, which will soon take the port's ops lock. br_port_carrier_check() is reached via the NETDEV_CHANGE notifier from linkwatch, which already holds the port's ops lock, so the call would deadlock. Make port_cost() expect the port's ops lock held and switch to netif_get_link_ksettings(). The only other caller is new_nbp(), make sure it takes the lock explicitly. Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de> Acked-by: Nikolay Aleksandrov <razor@blackwall.org> Reviewed-by: Ido Schimmel <idosch@nvidia.com> Link: https://patch.msgid.link/20260603012840.2254293-8-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04net: ethtool: add netif_get_link_ksettings() for correct ops-locked useJakub Kicinski
__ethtool_get_link_ksettings() is exported and called from sysfs and many drivers. It invokes ethtool_ops->get_link_ksettings so by our own docs it should be holding netdev lock for ops locked devices. Looks like commit 2bcf4772e45a ("net: ethtool: try to protect all callback with netdev instance lock") missed adding the ops lock here. There's a number of callers we need to fix up so let's add the netif_get_link_ksettings() helper first, without any actual locking changes (this commit is a nop). Not treating this as a fix because I don't think any driver cares at this point, but if we want to remove the rtnl_lock protection this will become critical. Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com> Acked-by: Stanislav Fomichev <sdf@fomichev.me> Link: https://patch.msgid.link/20260603012840.2254293-5-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04net: document NETDEV_CHANGENAME as ops lockedJakub Kicinski
NETDEV_CHANGENAME is only emitted from netif_change_name(). netif_change_name() has two callers both of which hold netdev_lock_ops() around the call site: - dev_change_name() - do_setlink() Document NETDEV_CHANGENAME as always ops locked. Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com> Acked-by: Stanislav Fomichev <sdf@fomichev.me> Link: https://patch.msgid.link/20260603012840.2254293-4-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04net: ethtool: cmis_cdb: hold instance lock for ops locked devicesJakub Kicinski
FW module flashing was written so that the flashing happens without holding rtnl_lock. This allows flashing multiple modules at once. Current drivers can handle that well, but we should let drivers depend on the netdev instance lock. Instance lock is per netdev, and so is the module so we won't break parallel updates. Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com> Acked-by: Stanislav Fomichev <sdf@fomichev.me> Link: https://patch.msgid.link/20260603012840.2254293-3-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04net: rename netdev_ops_assert_locked()Jakub Kicinski
Jakub suggests renaming the existing assert to match the netdev_lock_ops_compat() semantics. We want netdev_assert_locked_ops() to mean - if the driver is ops locked - check that it's holding the device lock. The existing helper check for either ops lock or rtnl_lock, which is the locking behavior of netdev_lock_ops_compat(). The reason for naming divergence is likely that netdev_ops_assert_locked() predated the _compat() helpers. Suggested-by: Jakub Sitnicki <jakub@cloudflare.com> Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de> Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com> Acked-by: Stanislav Fomichev <sdf@fomichev.me> Link: https://patch.msgid.link/20260603012840.2254293-2-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04udp: clear skb->dev before running a sockmap verdictSechang Lim
On the UDP receive path skb->dev is repurposed as dev_scratch (the truesize/state cache set by udp_set_dev_scratch()), through the union { struct net_device *dev; unsigned long dev_scratch; } in sk_buff. When a UDP socket is in a sockmap, sk_data_ready is sk_psock_verdict_data_ready(), which calls udp_read_skb() -> recv_actor() (sk_psock_verdict_recv) to run the attached SK_SKB verdict program in softirq. If that program calls a socket-lookup helper (bpf_sk_lookup_tcp/udp, bpf_skc_lookup_tcp), bpf_skc_lookup() does: if (skb->dev) caller_net = dev_net(skb->dev); skb->dev still holds the dev_scratch value (a non-NULL integer), so dev_net() dereferences it as a struct net_device * and the kernel takes a general protection fault on a non-canonical address in softirq: Oops: general protection fault, probably for non-canonical address 0x1010000800004a0 CPU: 1 UID: 0 PID: 1406 Comm: syz.2.19 Not tainted 7.1.0-rc6 #1 PREEMPT(full) RIP: 0010:bpf_skc_lookup net/core/filter.c:7033 [inline] RIP: 0010:bpf_sk_lookup+0x45/0x160 net/core/filter.c:7047 Call Trace: <IRQ> bpf_prog_4675cb904b7071f8+0x12e/0x14e bpf_prog_run_pin_on_cpu+0xc6/0x1f0 sk_psock_verdict_recv+0x1ba/0x350 udp_read_skb+0x31a/0x370 sk_psock_verdict_data_ready+0x2e3/0x600 __udp_enqueue_schedule_skb+0x4c8/0x650 udpv6_queue_rcv_one_skb+0x3ec/0x740 udp6_unicast_rcv_skb+0x11d/0x140 ip6_protocol_deliver_rcu+0x61e/0x950 ip6_input_finish+0xa9/0x150 NF_HOOK+0x286/0x2f0 ip6_input+0x117/0x220 NF_HOOK+0x286/0x2f0 __netif_receive_skb+0x85/0x200 process_backlog+0x374/0x9a0 __napi_poll+0x4f/0x1c0 net_rx_action+0x3b0/0x770 handle_softirqs+0x15a/0x460 do_softirq+0x57/0x80 </IRQ> The rmem charge that dev_scratch accounted for is released by skb_recv_udp() on dequeue, just above, so the scratch is dead by the time recv_actor() runs. Clear skb->dev so bpf_skc_lookup() falls back to sock_net(skb->sk), which skb_set_owner_sk_safe() set just above. Fixes: 965b57b469a5 ("net: Introduce a new proto_ops ->read_skb()") Cc: stable@vger.kernel.org Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com> Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20260603162737.697215-1-rhkrqnwk98@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04sctp: purge outqueue on stale COOKIE-ECHO handlingXin Long
sctp_stream_update() is only invoked when the association is moved into COOKIE_WAIT during association setup/reconfiguration. In this path, the outbound stream scheduler state (stream->out_curr) is expected to be clean, since no user data should have been transmitted yet unless the state machine has already partially progressed. However, a corner case exists in sctp_sf_do_5_2_6_stale(): when a Stale Cookie ERROR is received, the association is rolled back from COOKIE_ECHOED to COOKIE_WAIT. In this scenario, user data may already have been queued and even bundled with the COOKIE-ECHO chunk. During the rollback, sctp_stream_update() frees the old stream table and installs a new one, but it does not invalidate stream->out_curr. As a result, out_curr may still point to a freed sctp_stream_out entry from the previous stream state. Later, SCTP scheduler dequeue paths (FCFS, RR, PRIO, etc.) rely on stream->out_curr->ext, which can lead to use-after-free once the old stream state has been released via sctp_stream_free(). This results in crashes such as (reported by Yuqi): BUG: KASAN: slab-use-after-free in sctp_sched_fcfs_dequeue+0x13a/0x140 Read of size 8 at addr ff1100004d4d3208 by task mini_poc/9312 CPU: 1 UID: 1001 PID: 9312 Comm: mini_poc Not tainted 7.1.0-rc1-00305-gbd3a4795d574 #5 PREEMPT(full) sctp_sched_fcfs_dequeue+0x13a/0x140 sctp_outq_flush+0x1603/0x33e0 sctp_do_sm+0x31c9/0x5d30 sctp_assoc_bh_rcv+0x392/0x6f0 sctp_inq_push+0x1db/0x270 sctp_rcv+0x138d/0x3c10 Fix this by fully purging the association outqueue when handling the Stale Cookie case. This ensures all pending transmit and retransmit state is dropped, and any scheduler cached pointers are invalidated, making it safe to rebuild stream state during COOKIE_WAIT restart. Updating only stream->out_curr would be insufficient, since queued and retransmittable data would still reference the old stream state and trigger later use-after-free in dequeue paths. Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations") Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Zhengchuan Liang <zcliangcn@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Reported-by: Yuqi Xu <xuyq21@lenovo.com> Reported-by: Ren Wei <n05ec@lzu.edu.cn> Signed-off-by: Xin Long <lucien.xin@gmail.com> Link: https://patch.msgid.link/94318159b9052907a6cbb7256aee8b5f8dfbfccb.1780510304.git.lucien.xin@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattrYizhou Zhao
In mrp_pdu_parse_vecattr(), vector attribute events are encoded three per byte and valen tracks the number of events left to process. The parser decrements valen after processing the first and second events from each event byte, but not after processing the third one. When valen is exactly a multiple of three, the loop continues after the last valid event and consumes the next byte as a new event byte, applying a spurious event to the MRP applicant state. Additionally, when valen is zero the parser unconditionally consumes attrlen bytes as FirstValue and advances the offset, even though per IEEE 802.1ak a VectorAttribute with only a LeaveAllEvent has valen of zero and no FirstValue or Vector fields. This corrupts the offset for subsequent PDU parsing. Also, when valen exceeds three the loop crosses byte boundaries but the attribute value is not incremented between the last event of one byte and the first event of the next. This causes the first event of the next byte to use the same attribute value as the third event rather than the next consecutive value. Decrement valen after processing the third event, skip FirstValue consumption when valen is zero, and increment the attribute value at the end of each loop iteration. Fixes: febf018d2234 ("net/802: Implement Multiple Registration Protocol (MRP)") Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn> Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn> Reported-by: Ao Wang <wangao@seu.edu.cn> Reported-by: Xuewei Feng <fengxw06@126.com> Reported-by: Qi Li <qli01@tsinghua.edu.cn> Reported-by: Ke Xu <xuke@tsinghua.edu.cn> Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn> Link: https://patch.msgid.link/20260603060016.21522-1-zhaoyz24@mails.tsinghua.edu.cn Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit()Eric Dumazet
The aoe driver (or similar) generates a non-IPv6 packet (e.g., ETH_P_AOE) and queues it for transmission via dev_queue_xmit() on a 6LoWPAN interface (configured by the user or test case). Since the packet is not IPv6, the 6LoWPAN header_ops->create function (lowpan_header_create or header_create) returns early without initializing the lowpan_addr_info structure in the skb headroom. In the transmit function (lowpan_xmit), the driver calls lowpan_header (or setup_header) which unconditionally copies and uses the lowpan_addr_info from the headroom, which contains uninitialized data. Fix this by dropping non IPv6 packets. A similar fix is needed in net/bluetooth/6lowpan.c bt_xmit(). Fixes: 4dc315e267fe ("ieee802154: 6lowpan: move transmit functionality") Reported-by: syzbot+f13c19f75e1097abd116@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6a1fd763.278b5b03.2bcf39.0049.GAE@google.com/T/#u Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> Link: https://patch.msgid.link/20260603072955.4032221-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04ipv6: mcast: Fix use-after-free when processing MLD queriesIdo Schimmel
When processing an MLD query, a pointer to the multicast group address is retrieved when initially parsing the packet. This pointer is later dereferenced without being reloaded despite the fact that the skb header might have been reallocated following the pskb_may_pull() calls, leading to a use-after-free [1]. Fix by copying the multicast group address when the packet is initially parsed. [1] BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512) Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118 Workqueue: mld mld_query_work Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120) print_address_description.constprop.0 (mm/kasan/report.c:378) print_report (mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:595) __mld_query_work (net/ipv6/mcast.c:1512) mld_query_work (net/ipv6/mcast.c:1563) process_one_work (kernel/workqueue.c:3314) worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478) kthread (kernel/kthread.c:436) ret_from_fork (arch/x86/kernel/process.c:158) ret_from_fork_asm (arch/x86/entry/entry_64.S:245) </TASK> [...] Freed by task 118: kasan_save_stack (mm/kasan/common.c:57) kasan_save_track (mm/kasan/common.c:78) kasan_save_free_info (mm/kasan/generic.c:584) __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285) kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566) pskb_expand_head (net/core/skbuff.c:2335) __pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4)) __mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1)) mld_query_work (net/ipv6/mcast.c:1563) process_one_work (kernel/workqueue.c:3314) worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478) kthread (kernel/kthread.c:436) ret_from_fork (arch/x86/kernel/process.c:158) ret_from_fork_asm (arch/x86/entry/entry_64.S:245) Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast") Reported-by: Leo Lin <leo@depthfirst.com> Reviewed-by: David Ahern <dahern@nvidia.com> Signed-off-by: Ido Schimmel <idosch@nvidia.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev> Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04sctp: validate cached peer INIT chunk length in COOKIE_ECHO processingXin Long
When a listening SCTP server processes a COOKIE_ECHO chunk, the cached peer INIT chunk embedded after the cookie is parsed and its parameters are later walked by sctp_process_init() using sctp_walk_params(). However, the chunk header length of this cached INIT chunk was not validated against the remaining buffer in the COOKIE_ECHO payload. If the length field is inflated, the parameter walk can run beyond the actual received data, leading to out-of-bounds reads and potential memory corruption during later parameter handling (e.g. STATE_COOKIE processing and kmemdup() copies). Add a bounds check in sctp_unpack_cookie() to ensure the cached INIT chunk length does not exceed the available data in the COOKIE_ECHO buffer before it is used. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Brian Geffon <bgeffon@google.com> Signed-off-by: Xin Long <lucien.xin@gmail.com> Link: https://patch.msgid.link/eb60825fa22d6f9e663c7d4dbb69f397b5d34d42.1780362366.git.lucien.xin@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04net/sched: fix pedit partial COW leading to page cache corruptionRajat Gupta
tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd. Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined. Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable") Reported-by: Yiming Qian <yimingqian591@gmail.com> Reported-by: Keenan Dong <keenanat2000@gmail.com> Reported-by: Han Guidong <2045gemini@gmail.com> Reported-by: Zhang Cen <rollkingzzc@gmail.com> Reviewed-by: Han Guidong <2045gemini@gmail.com> Tested-by: Han Guidong <2045gemini@gmail.com> Reviewed-by: Davide Caratti <dcaratti@redhat.com> Tested-by: Davide Caratti <dcaratti@redhat.com> Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com> Tested-by: Toke Høiland-Jørgensen <toke@redhat.com> Reviewed-by: Victor Nogueira <victor@mojatatu.com> Tested-by: Victor Nogueira <victor@mojatatu.com> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: Rajat Gupta <rajat.gupta@oss.qualcomm.com> Link: https://patch.msgid.link/20260531123221.48732-1-jhs@mojatatu.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-04vsock/vmci: fix sk_ack_backlog leak on failed handshakeRaf Dickson
When vmci_transport_recv_connecting_server() returns an error, vmci_transport_recv_listen() calls vsock_remove_pending() but never calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented permanently. Repeated handshake failures (malformed packets, queue pair alloc failure, event subscribe failure) cause sk_ack_backlog to climb toward sk_max_ack_backlog. Once it reaches the limit the listener permanently refuses all new connections with -ECONNREFUSED, a silent denial of service requiring a process restart to recover. The two existing sk_acceptq_removed() calls in af_vsock.c do not cover this path: line 764 checks vsock_is_pending() which returns false after vsock_remove_pending(), and line 1889 is only reached on successful accept(). Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on the error path. Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") Cc: stable@vger.kernel.org Signed-off-by: Raf Dickson <rafdog35@gmail.com> Acked-by: Stefano Garzarella <sgarzare@redhat.com> Link: https://patch.msgid.link/20260526104356.469928-1-rafdog35@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-06-04wifi: mac80211: fix monitor mode frame capture for real chanctx drivers傅继晗
Commit d594cc6f2c58 ("wifi: mac80211: restore non-chanctx injection behaviour") restored the monitor injection fallback for drivers using chanctx emulation but explicitly deferred drivers that transitioned to real chanctx ops. mt76 falls in that category and still drops every injected frame when monitor coexists with another interface. When the monitor has no chanctx of its own, fall back to the only chanctx in flight if there is exactly one. Refuse if multiple are present: picking arbitrarily would inject on an unrelated channel. Emulated and real chanctx drivers both flow through this fallback, since emulation always presents zero or one chanctx in local->chanctx_list. Reran the airgeddon evil-twin flow (hostapd AP + coexisting monitor VIF on the same phy + aireplay-ng deauth from the monitor) on mt7921e PCIe and mt7921u USB across 2.4 GHz and 5 GHz, and on a Kali VM with MT7921U passthrough as the closest match to the original reporter's setup. None reproduced the hang seen against the earlier attempt at this fix (<20251216111909.25076-2-johannes@sipsolutions.net>) or against v1 on lore in March. Cc: <stable+noautosel@kernel.org> # causes some older drivers to crash Reported-by: Oscar Alfonso Diaz <oscar.alfonso.diaz@gmail.com> Closes: https://github.com/morrownr/USB-WiFi/issues/682 Tested-by: Devin Wittmayer <lucid_duck@justthetip.ca> Fixes: 0a44dfc07074 ("wifi: mac80211: simplify non-chanctx drivers") Signed-off-by: 傅继晗 <fjhhz1997@gmail.com> Signed-off-by: Devin Wittmayer <lucid_duck@justthetip.ca> Link: https://patch.msgid.link/5c2760bd9bc34616bf7892848872522254dd1ce5.1780513445.git.lucid_duck@justthetip.ca Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-06-04wifi: mac80211: Free keys associated with NAN DeviceIlan Peer
A NAN Device interface can have keys associated with it, e.g., IGTK and BIGTK used for Tx. When a NAN Device interface is stopped, we need to clear these keys. Signed-off-by: Ilan Peer <ilan.peer@intel.com> Link: https://patch.msgid.link/20260603143624.c6c771885383.I929410cb8efec4fab2d42ead396bfefaf9f803f1@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-06-04xfrm: restrict netlink attributes for XFRM_MSG_MIGRATE_STATEAntony Antony
Only accept XFRMA used in this method, reject the rest. Signed-off-by: Antony Antony <antony.antony@secunet.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2026-06-04xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migrationAntony Antony
Add a new netlink method to migrate a single xfrm_state. Unlike the existing migration mechanism (SA + policy), this supports migrating only the SA and allows changing the reqid. The SA is looked up via xfrm_usersa_id, which uniquely identifies it, so old_saddr is not needed. old_daddr is carried in xfrm_usersa_id.daddr. The reqid is invariant in the old migration. Signed-off-by: Antony Antony <antony.antony@secunet.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2026-06-04xfrm: make xfrm_dev_state_add xuo parameter constAntony Antony
The xuo pointer is not modified by xfrm_dev_state_add(); make it const. Signed-off-by: Antony Antony <antony.antony@secunet.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2026-06-04xfrm: extract address family and selector validation helpersAntony Antony
Extract verify_xfrm_family() and verify_selector_prefixlen() from verify_newsa_info() to allow reuse by other netlink handlers. verify_xfrm_family() validates that a given address family is AF_INET or AF_INET6 (with CONFIG_IPV6 guard). verify_selector_prefixlen() validates that the selector prefix lengths are within the bounds for the given address family. No functional change. Signed-off-by: Antony Antony <antony.antony@secunet.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2026-06-04xfrm: refactor XFRMA_MTIMER_THRESH validation into a helperAntony Antony
Extract verify_mtimer_thresh() to consolidate the XFRMA_MTIMER_THRESH validation logic shared between the add_sa and upcoming patch. Signed-off-by: Antony Antony <antony.antony@secunet.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2026-06-04xfrm: move encap and xuo into struct xfrm_migrateAntony Antony
In preparation for an upcoming patch, move the xfrm_encap_tmpl and xfrm_user_offload pointers from separate parameters into struct xfrm_migrate, reducing the parameter count of xfrm_state_migrate_create(), xfrm_state_migrate_install() and xfrm_state_migrate() The fields are placed after the four xfrm_address_t members where the struct is naturally 8-byte aligned, avoiding padding. No functional change. Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Antony Antony <antony.antony@secunet.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2026-06-04xfrm: add error messages to state migrationAntony Antony
Add descriptive(extack) error messages for all error paths in state migration. This improves diagnostics by providing clear feedback when migration fails. After xfrm_init_state() use NL_SET_ERR_MSG_WEAK() as fallback for error paths not yet propagating extack e.g. mode_cbs->init_state() No functional change. Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Antony Antony <antony.antony@secunet.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2026-06-04xfrm: add state synchronization after migrationAntony Antony
Add xfrm_migrate_sync() to copy curlft and replay state from the old SA to the new one before installation. The function allocates no memory, so it can be called under a spinlock. In preparation for a subsequent patch in this series. A subsequent patch calls this under x->lock, atomically capturing the latest lifetime counters and replay state from the original SA and deleting it in the same critical section to prevent SN/IV reuse for XFRM_MSG_MIGRATE_STATE method. No functional change. Signed-off-by: Antony Antony <antony.antony@secunet.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2026-06-04xfrm: check family before comparing addresses in migrateAntony Antony
When migrating between different address families, xfrm_addr_equal() cannot meaningfully compare addresses, different lengths. Only call xfrm_addr_equal() when families match, and take the xfrm_state_insert() path when addresses are equal. Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)") Signed-off-by: Antony Antony <antony.antony@secunet.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2026-06-04xfrm: split xfrm_state_migrate into create and install functionsAntony Antony
To prepare for subsequent patches, split xfrm_state_migrate() into two functions: - xfrm_state_migrate_create(): creates the migrated state - xfrm_state_migrate_install(): installs it into the state table splitting will help to avoid SN/IV reuse when migrating AEAD SA. And add const whenever possible. No functional change. Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Antony Antony <antony.antony@secunet.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>