summaryrefslogtreecommitdiff
path: root/net
AgeCommit message (Collapse)Author
2026-06-01batman-adv: use neigh_node's orig_node only as idSven Eckelmann
The orig_node member of struct batadv_neigh_node is no longer used in B.A.T.M.A.N. IV. But batadv_neigh_node_create() is still storing it. Only batadv_v_ogm_route_update() uses it to check if we route toward it - not needing the data stored in the batadv_orig_node object itself, but merely a pointer to identify the originator. The field cannot hold a proper reference because that would create a reference cycle, so it must never be dereferenced. Rename it to orig_node_id and mark it __private to make any future attempt to dereference it immediately noticeable. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-01batman-adv: tvlv: avoid unnecessary OGM buffer reallocationsSven Eckelmann
Both OGMv1 (on the primary interface) and OGM2 unconditionally reallocated their packet buffer on every transmission cycle, regardless of whether the required size had changed. This meant a kfree/kmalloc pair even when the TVLV payload size was identical to the previous send. Introduce struct batadv_ogm_buf to encapsulate the OGM packet buffer together with its current length, allocated capacity, and fixed header length. This consolidates the separate buf/len arguments that were previously threaded through each call site. In batadv_tvlv_realloc_packet_buff(), the capacity is rounded up to the next power of two so that small growth or shrinkage in TVLV data does not trigger a reallocation. When kmalloc fails but the existing buffer is large enough to hold the new data, the oversized buffer is reused rather than returning an error. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-01batman-adv: tt: replace open-coded overflow check with helperSven Eckelmann
The commit 6043a632dd06 ("batman-adv: reject oversized global TT response buffers") introduced an open-coded check to ensure that the allocated buffer size can be stored in a u16. The check_add_overflow() helper can perform the addition and overflow check in one step, so use that instead. Acked-by: Antonio Quartulli <antonio@mandelbit.com> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-01batman-adv: replace non-atomic last_ttvn with (READ|WRITE)_ONCESven Eckelmann
The last TT version number of an meshif is only accessed as plain loads/stores and does not require full atomic_t semantics. Convert to an native integer and replace its users with READ_ONCE()/WRITE_ONCE() to avoid load/store tearing. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-01batman-adv: replace non-atomic packet_size_max with (READ|WRITE)_ONCESven Eckelmann
The maximum packet size of an meshif is only accessed as plain loads/stores and does not require full atomic_t semantics. Convert to a native integer and replace its users with READ_ONCE()/WRITE_ONCE() to avoid load/store tearing. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-01batman-adv: replace non-atomic mesh state with (READ|WRITE)_ONCESven Eckelmann
The mesh state is only accessed as plain loads/stores and does not require full atomic_t semantics. Convert to an enum and replace its users with READ_ONCE()/WRITE_ONCE() to avoid load/store tearing. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-01batman-adv: replace non-atomic vlan config fields with (READ|WRITE)_ONCESven Eckelmann
The vlan configuration values are only accessed as plain loads/stores and do not require full atomic_t semantics. Convert these fields to native integer types and replace their users with READ_ONCE()/WRITE_ONCE() to avoid load/store tearing. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-01batman-adv: replace non-atomic hardif config fields with (READ|WRITE)_ONCESven Eckelmann
The hardif configuration values are only accessed as plain loads/stores and do not require full atomic_t semantics. Convert these fields to native integer types and replace their users with READ_ONCE()/WRITE_ONCE() to avoid load/store tearing. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-01batman-adv: replace non-atomic meshif config fields with (READ|WRITE)_ONCESven Eckelmann
The meshif configuration values are only accessed as plain loads/stores and do not require full atomic_t semantics. Convert these fields to native integer types and replace their users with READ_ONCE()/WRITE_ONCE() to avoid load/store tearing. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-01batman-adv: extract netdev wifi detection information objectSven Eckelmann
Previously, wifi_flags were stored directly in batadv_hard_iface, which is created for every network interface on the system (including those never attached to a mesh interface). This wastes memory and complicates the long-term goal of lazily allocating batadv_hard_iface only for interfaces that actually join a mesh. The problem is that several batman-adv features need wifi detection for net_devices (and their underlying devices) regardless of whether a batadv_hard_iface exists for them: * B.A.T.M.A.N. IV TQ hop penalty calculation * B.A.T.M.A.N. V ELP probing / throughput estimation * AP isolation To decouple wifi detection from batadv_hard_iface lifetime, introduce a global rhashtable (batadv_wifi_net_devices) mapping net_device pointers to batadv_wifi_net_device_state objects. Only net_devices that are actually detected as (indirect) wifi interfaces occupy an entry, keeping the common (non-wifi) case allocation-free. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-06-01netfilter: nft_byteorder: remove multi-register supportFlorian Westphal
64bit byteorder conversion is broken when several registers need to be converted because the source register array advances in steps for 4 bytes instead of 8: for (i = ... src64 = nft_reg_load64(&src[i]); ~~~~~ u32 *src nft_reg_store64(&dst64[i], Remove the multi-register support, it has other issues as well: Pablo points out that commit caf3ef7468f7 ("netfilter: nf_tables: prevent OOB access in nft_byteorder_eval") alters semantics: before the loop operated on registers, i.e. for ( ... ) dst32[i] = htons((u16)src32[i]) .. but after the patch it will operate on bytes, which makes this useless to convert e.g. concatenations, which store each compound in its own register. Multi-convert of u32 has one theoretical application: ct mark . meta mark . tcp dport @intervalset Because ct mark and meta mark are host byte order, use with intervals has to convert the byteorder for ct/meta mark value to network byte order (bigendian). nftables emits this: [ meta load mark => reg 1 ] [ byteorder reg 1 = hton(reg 1, 4, 4) ] [ ct load mark => reg 9 ] [ byteorder reg 9 = hton(reg 9, 4, 4) ] ... I.e. two separate calls. Theoretically it could be changed to do: [ meta load mark => reg 1 ] [ ct load mark => reg 9 ] [ byteorder reg 1 = htonl(reg 1, 4, 8) ] ... But then all it would take to change the set to meta mark . tcp dport . ct mark ... and we'd be back to two "byteorder" calls. IOW, support to convert a range of registers is both dysfunctional and dubious. Simplify this: remove the feature. Pablo Neira Ayuso points out that nftables before 1.1.0 can generate incorrect byteorder conversions, see 9fe58952c45a, "evaluate: skip byteorder conversion for selector smaller than 2 bytes" in nftables.git). Affected rulesets fail to load with this change and old userspace due to 'len != size' check. Fixes: c301f0981fdd ("netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()") Cc: <stable+noautosel@kernel.org> # may break rule load with old nftables versions Reported-by: Michal Kubecek <mkubecek@suse.cz> Link: https://lore.kernel.org/netfilter-devel/20240206104336.ctigqpkunom2ufmn@lion.mk-sys.cz/ Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-01netfilter: bridge: make ebt_snat ARP rewrite writableYiming Qian
The ebtables SNAT target keeps the Ethernet source address rewrite behind skb_ensure_writable(skb, 0). This is intentional: at the bridge ebtables hooks the Ethernet header is addressed through skb_mac_header()/eth_hdr(), while skb->data points at the Ethernet payload. Asking skb_ensure_writable() for ETH_HLEN bytes would check the payload, not the Ethernet header, and would reintroduce the small packet regression fixed by commit 63137bc5882a. However, the optional ARP sender hardware address rewrite is different. It writes through skb_store_bits() at an offset relative to skb->data: skb_store_bits(skb, sizeof(struct arphdr), info->mac, ETH_ALEN) skb_header_pointer() only safely reads the ARP header; it does not make the later sender hardware address range writable. If that range is still held in a nonlinear skb fragment backed by a splice-imported file page, skb_store_bits() maps the frag page and copies the new MAC address directly into it. Ensure the ARP SHA range is writable before reading the ARP header and before calling skb_store_bits(). Fixes: 63137bc5882a ("netfilter: ebtables: Fixes dropping of small packets in bridge nat") Reported-by: Yiming Qian <yimingqian591@gmail.com> Signed-off-by: Yiming Qian <yimingqian591@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-01netfilter: nft_ct: bail out on template ct in get evalJiayuan Chen
I noticed this issue while looking at a historic syzbot report [1]. A rule like the one below is enough to trigger the bug: table ip t { chain pre { type filter hook prerouting priority raw; ct zone set 1 ct original saddr 1.2.3.4 accept } } The first expression attaches a per-cpu template ct via nft_ct_set_zone_eval() (nf_ct_tmpl_alloc -> kzalloc, tuple is all zero, nf_ct_l3num(ct) == 0). The next expression then calls nft_ct_get_eval() on the same skb, treats the template as a real ct and hits the 16-byte memcpy path. With dreg at NFT_REG32_15 this overflows past struct nft_regs on the kernel stack; with smaller dreg values it silently clobbers adjacent registers. Reject template ct at the eval entry and in nft_ct_get_fast_eval(), mirroring the check nft_ct_set_eval() already has. Additionally, bound the address copy in NFT_CT_SRC / NFT_CT_DST by priv->len instead of by nf_ct_l3num(ct): nf_ct_get_tuple() zeroes the tuple before pkt_to_tuple() fills in only the protocol-relevant leading bytes, so the trailing bytes of tuple->{src,dst}.u3.all are well-defined zero. priv->len is validated at rule load, so the copy size is now bounded by the destination register rather than by an untrusted field on the conntrack. [1]: https://syzkaller.appspot.com/bug?id=389cf09cb72926114fce90dc85a2c3231dcb647c Fixes: 45d9bcda21f4 ("netfilter: nf_tables: validate len in nft_validate_data_load()") Suggested-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-01netfilter: nft_tunnel: fix use-after-free on object destroyTristan Madani
nft_tunnel_obj_destroy() calls metadata_dst_free() which directly kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets that took a reference via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g. in a netem qdisc) are left with a dangling pointer. When these packets are eventually dequeued, dst_release() operates on freed memory. Replace metadata_dst_free() with dst_release() so the metadata_dst is freed only after all references are dropped. The dst subsystem already handles metadata_dst cleanup in dst_destroy() when DST_METADATA is set. Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support") Cc: stable@vger.kernel.org Signed-off-by: Tristan Madani <tristan@talencesecurity.com> Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-01netfilter: conntrack_irc: fix possible out-of-bounds readFlorian Westphal
When parsing fails after we've matched the command string we should bail out instead of trying to match a different command. This helper should be deprecated, given prevalence of TLS I doubt it has any relevance in 2026. Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port") Closes: https://sashiko.dev/#/patchset/20260525182924.28456-1-fw%40strlen.de Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-01netfilter: synproxy: add mutex to guard hook reference countingFernando Fernandez Mancera
As the synproxy infrastructure register netfilter hooks on-demand when a user adds the first iptables target or nftables expression, if done concurrently they can race each other. Introduce a mutex to serialize the refcount control blocks access from both frontends. While a per namespace mutex might be more efficient, it is not needed for target/expression like SYNPROXY. Fixes: ad49d86e07a4 ("netfilter: nf_tables: Add synproxy support") Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-01netfilter: nft_fib_ipv6: bail out of sibling walk if rt got unlinkedJiayuan Chen
This was reported by Sashiko [1]. The RCU walk over rt->fib6_siblings can spin forever if rt is unlinked mid-iteration: rt->fib6_siblings.next still points into the old ring, so the loop never meets &rt->fib6_siblings as its terminator. fib6_purge_rt() always does WRITE_ONCE(rt->fib6_nsiblings, 0) before list_del_rcu(), so readers can use rt->fib6_nsiblings == 0 as the detach signal. The same pattern is used in fib6_info_uses_dev() and rt6_nlmsg_size(). [1]: https://sashiko.dev/#/patchset/20260520023411.391233-1-jiayuan.chen%40linux.dev Suggested-by: Florian Westphal <fw@strlen.de> Fixes: 1c32b24c234b ("netfilter: nft_fib_ipv6: switch to fib6_lookup") Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-01ipvs: clear the svc scheduler ptr early on editJulian Anastasov
ip_vs_edit_service() while unbinding the old scheduler clears the svc->scheduler ptr after the scheduler module initiates RCU callbacks. This can cause packets to use the old scheduler at the time when svc->sched_data is already freed after RCU grace period. Fix it by clearing the ptr early in ip_vs_unbind_scheduler(), before the done_service method schedules any RCU callbacks. Also, if the new scheduler fails to initialize when replacing the old scheduler, try to restore the old scheduler while still returning the error code. Link: https://sashiko.dev/#/patchset/20260519015506.634185-1-rosenp%40gmail.com Fixes: 05f00505a89a ("ipvs: fix crash if scheduler is changed") Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-01netfilter: xt_NFQUEUE: prefer raw_smp_processor_idFernando Fernandez Mancera
With PREEMPT_RCU this triggers a splat because smp_processor_id() can be preempted while inside a RCU critical section. If xt_NFQUEUE target is invoked via nft_compat_eval() path, we are inside a RCU critical section. Just use the raw version instead. Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables") Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-06-01Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/netPaolo Abeni
Conflicts: drivers/net/ethernet/microsoft/mana/mana_en.c: 17bfe0a8c014e ("net: mana: Add NULL guards in teardown path to prevent panic on attach failure") d07efe5a6e641 ("net: mana: Use per-queue allocation for tx_qp to reduce allocation size") Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-06-01xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags()Takao Sato
iptfs_consume_frags() transfers paged fragments from one socket buffer to another but fails to propagate the SKBFL_SHARED_FRAG flag. This is the same class of bug that was fixed in skb_try_coalesce() for CVE-2026-46300: when fragments backed by read-only page-cache pages are merged, the marker indicating their shared nature must be preserved so that ESP can decide correctly whether in-place encryption is safe. Apply the same two-line fix used in skb_try_coalesce() to iptfs_consume_frags(). Fixes: b96ba312e21c ("xfrm: iptfs: share page fragments of inner packets") Cc: stable@vger.kernel.org # 6.14+ Signed-off-by: Takao Sato <takaosato1997@gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2026-05-29Revert "ipv6: preserve insertion order for same-scope addresses"Fernando Fernandez Mancera
Chris Adams reported that preserving insertion order for same-scope addresses is causing SSH connections to be dropped after stopping a VM while running NetworkManager. NetworkManager caches the IPv6 address configuration, when a RA arrives, it determines the list of addresses to configure and checks if the addresses are already in the right order in the kernel. If they aren't, NetworkManager removes and re-adds them to achieve the desired order. As the order changes, NetworkManager is confused and reconfigures the addresses on every update. In addition, this would also affect to cloud tooling that relies on IPv6 addresses order to identify primary and secondaries addresses. This reverts commit cb3de96eea66f5e4a580086c6a1be46e765f97f4. Fixes: cb3de96eea66 ("ipv6: preserve insertion order for same-scope addresses") Reported-by: Chris Adams <linux@cmadams.net> Closes: https://lore.kernel.org/netdev/20260521135310.GC977@cmadams.net/ Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de> Link: https://patch.msgid.link/20260529112357.5079-1-fmancera@suse.de Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-29Merge tag 'ipsec-2026-05-29' of ↵Jakub Kicinski
git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec Steffen Klassert says: ==================== pull request (net): ipsec 2026-05-29 1) xfrm: route MIGRATE notifications to caller's netns Thread the caller's netns through km_migrate() so that MIGRATE notifications go to the issuing netns, fixing both the init_net listener leak and MOBIKE notifications inside non-init netns. From Maoyi Xie. 2) xfrm: ipcomp: Free destination pages on acomp errors Move the out_free_req label up so that allocated destination pages are released on decompression errors, not only on success. From Herbert Xu. 3) xfrm: Check for underflow in xfrm_state_mtu Reject configurations that cause xfrm_state_mtu() to underflow, preventing a negative TFCPAD value from becoming a memset size that triggers an out-of-bounds write of several terabytes. From David Ahern. 4) xfrm: ah: use skb_to_full_sk in async output callbacks Convert the possibly-incomplete skb->sk to a full socket pointer in async AH callbacks so that a request_sock or timewait_sock never reaches xfrm_output_resume() downstream consumers. From Michael Bommarito. 5) Add and revert: esp: fix page frag reference leak on skb_to_sgvec failure The patch does not fix te issue completely. 6) xfrm: esp: restore combined single-frag length gate Check the aligned post-trailer combined length against a page limit in the fast path, preventing skb_page_frag_refill() from falling back to a page too small for the destination scatterlist. From Jingguo Tan. 7) xfrm: iptfs: reset runtime state when cloning SAs Reinitialise the clone's mode_data runtime objects before publishing it, preventing queued skbs from being freed with list state copied from the original SA when migration fails. From Shaomin Chen. 8) xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit Flush policy tables and drain the workqueue in a .pre_exit handler so that cleanup_net() pays one RCU grace period per batch instead of one per namespace, fixing stalls at high CLONE_NEWNET rates. From Usama Arif. 9) xfrm: input: hold netns during deferred transport reinjection Take a netns reference when queueing deferred transport reinjection work and drop it after the callback completes, keeping the skb->cb net pointer valid until the deferred work runs. From Zhengchuan Liang. * tag 'ipsec-2026-05-29' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec: Revert "esp: fix page frag reference leak on skb_to_sgvec failure" xfrm: input: hold netns during deferred transport reinjection xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit xfrm: iptfs: reset runtime state when cloning SAs xfrm: esp: restore combined single-frag length gate esp: fix page frag reference leak on skb_to_sgvec failure xfrm: ah: use skb_to_full_sk in async output callbacks xfrm: Check for underflow in xfrm_state_mtu xfrm: ipcomp: Free destination pages on acomp errors xfrm: route MIGRATE notifications to caller's netns ==================== Link: https://patch.msgid.link/20260529092648.3878973-1-steffen.klassert@secunet.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-29net: skbuff: fix pskb_carve leaking zcopy pagesPavel Begunkov
When SKBFL_MANAGED_FRAG_REFS is set, frag pages are not refcounted but their lifetime is controlled by the attached ubuf_info. To make a copy of the skb_shared_info, we either should clear the flag and reference the frags, or keep the flag and have frags unreferenced. pskb_carve_inside_header() and pskb_carve_inside_nonlinear() don't follow the rule and thus can leak page references. Let's clear SKBFL_MANAGED_FRAG_REFS from the original skb to fix it. It's the simplest way to address it, but there are more performant ways to do that if it ever becomes a problem. Link: https://lore.kernel.org/all/20260523085809.26331-1-nvminh232@clc.fitus.edu.vn/ Fixes: 753f1ca4e1e50 ("net: introduce managed frags infrastructure") Reported-by: Minh Nguyen <minhnguyen.080505@gmail.com> Reported-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Link: https://patch.msgid.link/1e2086aa69217d7f9c8da3d38f5be7160f1b4cd1.1779993185.git.asml.silence@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-29ipv6: fix possible infinite loop in fib6_select_path()Jiayuan Chen
Found while auditing the same pattern Sashiko reported in rt6_fill_node() [1]. Apply the same fix as commit f8d8ce1b515a ("ipv6: fix possible infinite loop in fib6_info_uses_dev()"). Writers holding tb6_lock can list_del_rcu(&first->fib6_siblings) without waiting for RCU readers; first->fib6_siblings.next then still points into the old ring and this softirq-side walker never reaches &first->fib6_siblings as its terminator. fib6_purge_rt() always WRITE_ONCE()s first->fib6_nsiblings to 0 before list_del_rcu(), so an inside-loop check is a reliable detach signal. [1] https://sashiko.dev/#/patchset/20260526020227.4857-1-jiayuan.chen%40linux.dev Fixes: d9ccb18f83ea ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn") Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev> Reviewed-by: Ido Schimmel <idosch@nvidia.com> Link: https://patch.msgid.link/20260527053133.180695-2-jiayuan.chen@linux.dev Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-29ipv6: fix possible infinite loop in rt6_fill_node()Jiayuan Chen
Sashiko reported this issue [1]. Apply the same fix as commit f8d8ce1b515a ("ipv6: fix possible infinite loop in fib6_info_uses_dev()"). Writers holding tb6_lock can list_del_rcu(&rt->fib6_siblings) without waiting for RCU readers; rt->fib6_siblings.next then still points into the old ring and this softirq-side walker never reaches &rt->fib6_siblings, causing a CPU stall. fib6_del_route() always WRITE_ONCE()s rt->fib6_nsiblings to 0 before list_del_rcu(), so an inside-loop check is a reliable detach signal. [1] https://sashiko.dev/#/patchset/20260526020227.4857-1-jiayuan.chen%40linux.dev Fixes: d9ccb18f83ea ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn") Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev> Reviewed-by: Ido Schimmel <idosch@nvidia.com> Link: https://patch.msgid.link/20260527053133.180695-1-jiayuan.chen@linux.dev Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-29bpf: sockmap: fix tail fragment offset in bpf_msg_push_dataYuqi Xu
When bpf_msg_push_data() inserts data in the middle of a scatterlist entry, it splits the original entry into a left fragment and a right fragment. The right fragment offset is page-local, but the code advances it with `start`, which is the message-global insertion point. For inserts into a non-first SG entry, this over-advances the offset and leaves the split layout inconsistent. Advance the right fragment offset by the fragment-local delta, `start - offset`, which matches the length removed from the front of the original entry. Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data") Cc: stable@kernel.org Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Zhengchuan Liang <zcliangcn@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Signed-off-by: Yuqi Xu <xuyq21@lenovo.com> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Link: https://patch.msgid.link/8b129d10566aa3eb43f61a8f9757bcf51707d324.1779636774.git.xuyq21@lenovo.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-29vsock/virtio: bind uarg before filling zerocopy skbJingguo Tan
virtio_transport_send_pkt_info() allocates or reuses the zerocopy uarg before entering the send loop, but virtio_transport_alloc_skb() still fills the skb before it inherits that uarg. When fixed-buffer vectored zerocopy hits MAX_SKB_FRAGS, io_sg_from_iter() may partially attach managed frags and return -EMSGSIZE. The rollback path call kfree_skb() to free an skb that carries SKBFL_MANAGED_FRAG_REFS but no uarg, so skb_release_data() falls through to ordinary frag unref. Pass the uarg into virtio_transport_alloc_skb() and bind it immediately before virtio_transport_fill_skb(). This keeps control or no-payload skbs untouched while ensuring success and rollback share one lifetime rule. Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support") Signed-off-by: Lin Ma <malin89@huawei.com> Signed-off-by: Rongzhen Cui <cuirongzhen@huawei.com> Signed-off-by: Jingguo Tan <tanjingguo@huawei.com> Acked-by: Arseniy Krasnov <avkrasnov@salutedevices.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Link: https://patch.msgid.link/20260527023301.1075581-1-malin89@huawei.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-29batman-adv: use atomic_xchg() for gw.reselect checkSven Eckelmann
batadv_gw_election() only needs to test whether gw.reselect was set and clear it afterwards. Replace the batadv_atomic_dec_not_zero() [atomic_add_unless(..., -1, 0)] call with atomic_xchg(..., 0) to simplify the logic and make the intent more explicit. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-05-29batman-adv: add missing includesSven Eckelmann
Some of the recent fixes required features from new header files. There is currently no build problem because transitive includes take care of it. But the batman-adv source code tries to avoid the dependency to transitive/implicite includes because it has no control over them and they might get removed at some point. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-05-29batman-adv: drop batman-adv specific versionSven Eckelmann
Bumping the version number on the first pull request after each merge window was deemed inappropriate for an in-tree component. The version number carries little meaningful information in the context of the Linux kernel release model, where stable and distribution might all carry slightly different patches (without any change to the batman-adv version). Instead, expose a UTS_RELEASE-based string to consumers of the netlink and ethtool interfaces. To avoid recompilation for each (re)generate of generated/utsrelease.h, init_utsname()->release is used in code which can dynamically retrieve the version string. The MODULE_VERSION is moved to a separate file because it doesn't support dynamic retrieval of the version string (but constant "at compile time" string) and it is required for the /sys/module/batman_adv/version. The latter is unfortunately still required by userspace tools. Link: https://lore.kernel.org/r/20210203163302.13e8a2a7@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com Link: https://lore.kernel.org/r/YnfjtpuAaH+Zkf9S@unreal Link: https://lore.kernel.org/r/Y9faTA0rNSXg%2FsLD@nanopsycho Signed-off-by: Sven Eckelmann <sven@narfation.org>
2026-05-29Revert "esp: fix page frag reference leak on skb_to_sgvec failure"Steffen Klassert
This reverts commit 2982e599fff6faa21c8df147d96fc7af6c1a2f24. The patch does not fully fix the issue and the Author does not match the 'Signed-off-by:' tag, so revert it for now. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2026-05-29net: Remove support for AIO on socketsDemi Marie Obenour
The only user of msg->msg_iocb was AF_ALG, but that's deprecated. It can be removed entirely at the cost of only supporting synchronous operations. This doesn't break userspace, which will silently block (for a bounded amount of time) in io_submit instead of operating asynchronously. This also makes struct msghdr smaller, helping every other caller of sendmsg(). Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> Acked-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2026-05-28net/rds: use special gfp_t format specifierBrendan Jackman
%pGg produces nice readable output and decouples the format string from the size of gfp_t. Link: https://lore.kernel.org/20260326-gfp64-v2-4-d916021cecdf@google.com Signed-off-by: Brendan Jackman <jackmanb@google.com> Acked-by: Allison Henderson <achender@kernel.org> Cc: Alexander Potapenko <glider@google.com> Cc: Allison Collins <allison.henderson@oracle.com> Cc: Dave Airlie <airlied@gmail.com> Cc: David S. Miller <davem@davemloft.net> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Eric Dumazet <edumazet@google.com> Cc: Jakub Kacinski <kuba@kernel.org> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> Cc: Marco Elver <elver@google.com> Cc: Maxime Ripard <mripard@kernel.org> Cc: Paolo Abeni <pabeni@redhat.com> Cc: Simon Horman <horms@kernel.org> Cc: Stanislaw Gruszka <stf_xl@wp.pl> Cc: Thomas Zimemrmann <tzimmermann@suse.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-05-29net/9p: fix infinite loop in p9_client_rpc on fatal signalVasiliy Kovalev
When p9_client_rpc() is called with type P9_TFLUSH and the transport has no peer (e.g. fd transport backed by pipes with no 9p server), a fatal signal causes an infinite loop: again: err = io_wait_event_killable(req->wq, ...) /* SIGKILL wakes the task, returns -ERESTARTSYS */ if (err == -ERESTARTSYS && c->status == Connected && type == P9_TFLUSH) { sigpending = 1; clear_thread_flag(TIF_SIGPENDING); goto again; } clear_thread_flag() clears TIF_SIGPENDING before jumping back to io_wait_event_killable(). signal_pending_state() checks TIF_SIGPENDING, finds it zero, and the task goes to sleep again. The task can only wake on the next signal delivery that calls signal_wake_up() and sets TIF_SIGPENDING again. When that happens the loop repeats, clears TIF_SIGPENDING, and sleeps again indefinitely. This is triggered in practice by coredump_wait(): when a thread in a multi-threaded process causes a coredump (e.g. via SIGSYS from Syscall User Dispatch), coredump_wait() sends SIGKILL to all other threads and waits for them to call mm_release(). If one of those threads is blocked in p9_client_rpc() over an fd transport with no peer, it enters the P9_TFLUSH loop and never calls mm_release(), so coredump_wait() stalls forever: INFO: task syz.0.18:676 blocked for more than 143 seconds. Not tainted 6.12.77+ #1 task:syz.0.18 state:D stack:27600 pid:676 tgid:673 ppid:630 flags:0x00000004 Call Trace: <TASK> context_switch kernel/sched/core.c:5344 [inline] __schedule+0xcb4/0x5d50 kernel/sched/core.c:6724 __schedule_loop kernel/sched/core.c:6801 [inline] schedule+0xe5/0x350 kernel/sched/core.c:6816 schedule_timeout+0x253/0x290 kernel/time/timer.c:2593 do_wait_for_common kernel/sched/completion.c:95 [inline] __wait_for_common+0x409/0x600 kernel/sched/completion.c:116 wait_for_common kernel/sched/completion.c:127 [inline] wait_for_completion_state+0x1d/0x40 kernel/sched/completion.c:264 coredump_wait fs/coredump.c:448 [inline] do_coredump+0x854/0x4350 fs/coredump.c:629 get_signal+0x1425/0x2730 kernel/signal.c:2903 arch_do_signal_or_restart+0x81/0x880 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0xf9/0x160 kernel/entry/common.c:218 do_syscall_64+0x102/0x220 arch/x86/entry/common.c:84 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Fix: check fatal_signal_pending() before clearing TIF_SIGPENDING in the P9_TFLUSH retry loop. At that point TIF_SIGPENDING is still set, so fatal_signal_pending() works correctly. If a fatal signal is pending, jump to recalc_sigpending to restore TIF_SIGPENDING and return -ERESTARTSYS to the caller. The same defect is present in stable kernels back to 5.4. On those kernels the infinite loop is broken earlier by a second SIGKILL from the parent process (e.g. kill_and_wait() retrying after a timeout), resulting in a zombie process and a shutdown delay rather than a permanent D-state hang, but the underlying flaw is the same. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 91b8534fa8f5 ("9p: make rpc code common and rework flush code") Closes: https://syzkaller.appspot.com/bug?extid=3ce7863f8fc836a427e7 Cc: stable@vger.kernel.org Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org> Message-ID: <20260415155237.182891-1-kovalev@altlinux.org> Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
2026-05-28net: make page_pool_get_stats() voidJakub Kicinski
The kdoc for page_pool_get_stats() is missing a Returns: statement. Looking at this function, I have no idea what is the purpose of the bool it returns. My guess was that maybe the static inline stub returns false if CONFIG_PAGE_POOL_STATS=n but such static inline helper doesn't exist at all. All callers pass a pointer to a struct on the stack. Make this function void. Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de> Reviewed-by: Tariq Toukan <tariqt@nvidia.com> Link: https://patch.msgid.link/20260526155722.2790742-5-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-28docs: page_pool: drop the mention of the legacy stats APIJakub Kicinski
The Netlink support for querying page pool stats has been proven out in production, let's remove the mention of the helper meant for dumping page pool stats into ethtool -S from the docs. Call out in the kdoc that this API is deprecated. Some drivers may not be able to use the Netlink API (if page pool is shared across netdevs). So the old API is not _completely_ dead. But we shouldn't advertise it. Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de> Reviewed-by: Tariq Toukan <tariqt@nvidia.com> Link: https://patch.msgid.link/20260526155722.2790742-4-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-28Merge tag 'wireless-next-2026-05-28' of ↵Jakub Kicinski
https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next Johannes Berg says: ==================== Mostly driver updates: - iwlwifi - more UHR support - NAN (multicast, schedule improvements, multi-station) - cleanups, etc. - ath12k - thermal throttling/cooling device support - 6 GHz incumbent interference detection - channel 177 in 5 GHz - hwsim: S1G fixes - mac80211: NAN channel handling improvements * tag 'wireless-next-2026-05-28' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next: (143 commits) wifi: cfg80211: use strscpy in cfg80211_wext_giwname wifi: mac80211: fix channel evacuation logic wifi: mac80211: refactor ieee80211_nan_try_evacuate wifi: mac80211: add an option to filter out a channel in combinations check wifi: mac80211_hwsim: add debug messages for link changes wifi: nl80211: re-check wiphy netns in testmode and vendor dump continuations wifi: mac80211_hwsim: modernise S1G channel list wifi: mac80211_hwsim: don't run RC update on new STA on S1G vif wifi: mwifiex: remove an unnecessary check wifi: mac80211: add KUnit coverage for negotiated TTLM parser wifi: ath12k: fix error unwind on arch_init() failure in PCI probe wifi: iwlwifi: mld: fix indentation in iwl_mld_fill_supp_rates() wifi: iwlwifi: transport: add memory read under NIC access wifi: iwlwifi: dbg: remove unused 'range_len' arg from dump wifi: iwlwifi: fw: separate out old-style dump code wifi: iwlwifi: fw: dbg: always use non-tracing PRPH access wifi: iwlwifi: fw: separate ini dump allocation wifi: iwlwifi: fw: move struct iwl_fw_ini_dump_entry to dbg.c wifi: iwlwifi: clean up location format/BW encoding wifi: iwlwifi: Add names for Killer BE1735x and BE1730x ... ==================== Link: https://patch.msgid.link/20260528123911.284536-26-johannes@sipsolutions.net Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-28Merge tag 'for-net-2026-05-28' of ↵Jakub Kicinski
git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth Luiz Augusto von Dentz says: ==================== bluetooth pull request for net: - hci_core: Rework hci_dev_do_reset() to use hci_sync functions - hci_conn: Fix memory leak in hci_le_big_terminate() - hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close - hci_sync: Reset device counters in hci_dev_close_sync() - hci_sync: fix UAF in hci_le_create_cis_sync - L2CAP: Fix possible crash on l2cap_ecred_conn_rsp - L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn - L2CAP: use chan timer to close channels in cleanup_listen() - L2CAP: clear chan->ident on ECRED reconfiguration success - ISO: fix UAF in iso_recv_frame - ISO: serialize iso_sock_clear_timer with socket lock - HIDP: fix missing length checks in hidp_input_report() - 6lowpan: check skb_clone() return value in send_mcast_pkt() - btusb: Allow firmware re-download when version matches - hci_qca: Use 100 ms SSR delay for rampatch and NVM loading * tag 'for-net-2026-05-28' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth: Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync() Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close Bluetooth: hci_core: Rework hci_dev_do_reset() to use hci_sync functions Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock Bluetooth: ISO: fix UAF in iso_recv_frame Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() Bluetooth: btusb: Allow firmware re-download when version matches Bluetooth: HIDP: fix missing length checks in hidp_input_report() Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate() ==================== Link: https://patch.msgid.link/20260528131839.462344-1-luiz.dentz@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-28sctp: fix race between sctp_wait_for_connect and peeloffZhenghang Xiao
sctp_wait_for_connect() drops and re-acquires the socket lock while waiting for the association to reach ESTABLISHED state. During this window, another thread can peeloff the association to a new socket via getsockopt(SCTP_SOCKOPT_PEELOFF), changing asoc->base.sk. After re-acquiring the old socket lock, sctp_wait_for_connect() returns success without noticing the migration — the caller then accesses the association under the wrong lock in sctp_datamsg_from_user(). Add the same sk != asoc->base.sk check that sctp_wait_for_sndbuf() already has, returning an error if the association was migrated while we slept. Fixes: 668c9beb9020 ("sctp: implement assign_number for sctp_stream_interleave") Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com> Acked-by: Xin Long <lucien.xin@gmail.com> Link: https://patch.msgid.link/20260527032411.60959-1-kipreyyy@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-28net: ethtool: don't take rtnl_lock for global string dumpJakub Kicinski
ETHTOOL_MSG_STRSET_GET is the only op which sets allow_nodev_do. When no device is provided it dumps static tables, there's no need to hold rtnl_lock for this. Not taking rtnl_lock is a minor win in itself so I think this patch stands on its own merits. Later on it will be useful to do locking only in paths which have access to a netdev, so that we can decide which locks to take per-netdev. Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev> Link: https://patch.msgid.link/20260527162522.3344231-1-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-28Revert "vsock/virtio: fix skb overhead overflow on 32-bit builds"Stefano Garzarella
This reverts commit 4157501b9a8f ("vsock/virtio: fix skb overhead overflow on 32-bit builds"). The fix was semantically correct (although it would have been better to use mul_u32_u32(), as David pointed out), but in practice we are estimating the memory used to allocate the SKBs, and this will never cause a 32-bit variable to overflow on a 32-bit system, since the memory would have run out long before that. On 64-bit, SKB_TRUESIZE() already evaluates to size_t, so the multiplication is already in 64-bit arithmetic without the cast. Let's revert this to avoid unnecessary 64-bit multiplies on the per-packet receive path on 32-bit systems. Reported-by: David Laight <david.laight.linux@gmail.com> Closes: https://lore.kernel.org/netdev/20260523173557.5cc4f4f6@pumpkin Suggested-by: "Michael S. Tsirkin" <mst@redhat.com> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: David Laight <david.laight.linux@gmail.com> Link: https://patch.msgid.link/20260527171046.130211-1-sgarzare@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-28Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/netJakub Kicinski
Cross-merge networking fixes after downstream PR (net-7.1-rc6). Conflicts: drivers/net/phy/air_en8811h.c d895767c33781 ("net: phy: air_en8811h: add AN8811HB MCU assert/deassert support") dddfadd75197e ("net: phy: Add Airoha phy library for shared code") 5226bb6634cdf ("net: phy: air_phy_lib: Factorize BuckPBus register accessors") e08f0ea6daf2e ("net: phy: Rename Airoha common BuckPBus register accessors") net/sched/sch_netem.c a2f6ed7b4873 ("net/sched: netem: add per-impairment extended statistics") 9552b11e3eda ("net/sched: fix packet loop on netem when duplicate is on") Adjacent changes: drivers/dpll/zl3073x/core.c c1224569cef0 ("dpll: zl3073x: make frequency monitor a per-device attribute") 54e65df8cf18 ("dpll: zl3073x: report FFO as DPLL vs input reference offset") net/iucv/af_iucv.c 347fdd4df85f ("af_iucv: convert to getsockopt_iter") 3589d20a666c ("net/iucv: fix locking in .getsockopt") Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-28Merge tag 'net-7.1-rc6' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Paolo Abeni: "This is again significantly bigger than the same point into the previous cycle, but at least smaller than last week. I'm not aware of any pending regression for the current cycle. Including fixes from netfilter. Current release - regressions: - netfilter: walk fib6_siblings under RCU Previous releases - regressions: - netlink: fix sending unassigned nsid after assigned one - bridge: fix sleep in atomic context in netlink path - sched: fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop - ipv4: fix net->ipv4.sysctl_local_reserved_ports UaF - eth: tun: free page on short-frame rejection in tun_xdp_one() Previous releases - always broken: - skbuff: fix missing zerocopy reference in pskb_carve helpers - handshake: drain pending requests at net namespace exit - ethtool: - rss: avoid modifying the RSS context response - module: avoid leaking a netdev ref on module flash errors - coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES - netfilter: fix dst corruption in same register operation - nfc: hci: fix out-of-bounds read in HCP header parsing - ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo() - eth: - vti: use ip6_tnl.net in vti6_changelink(). - vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()" * tag 'net-7.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (94 commits) dpll: zl3073x: make frequency monitor a per-device attribute dpll: zl3073x: use __dpll_device_change_ntf() and remove change_work dpll: export __dpll_device_change_ntf() for use under dpll_lock net/handshake: Drain pending requests at net namespace exit net/handshake: Verify file-reference balance in submit paths net/handshake: Close the submit-side sock_hold race net/handshake: hand off the pinned file reference to accept_doit net/handshake: Take a long-lived file reference at submit net/handshake: Pass negative errno through handshake_complete() nvme-tcp: store negative errno in queue->tls_err net/handshake: Use spin_lock_bh for hn_lock net: skbuff: fix missing zerocopy reference in pskb_carve helpers net: hibmcge: move dma_rmb() after dma_sync_single_for_cpu() in RX path net: hibmcge: disable Relaxed Ordering to fix RX packet corruption selftests/tc-testing: Add netem test case exercising loops selftests/tc-testing: Add mirred test cases exercising loops net/sched: act_mirred: Fix return code in early mirred redirect error paths net/sched: act_mirred: Fix blockcast recursion bypass leading to stack overflow net/sched: Fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop net/sched: fix packet loop on netem when duplicate is on ...
2026-05-28Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()Heitor Alves de Siqueira
Before resetting or closing the device, protocol counters should also be zeroed. Fixes: d0b137062b2d ("Bluetooth: hci_sync: Rework init stages") Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2026-05-28Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device closeHeitor Alves de Siqueira
Since hci_dev_close_sync() can now be called during the reset path, we should also set HCI_CMD_DRAIN_WORKQUEUE. This avoids queuing timeouts while the hdev workqueue is being drained. Fixes: 877afadad2dc ("Bluetooth: When HCI work queue is drained, only queue chained work") Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2026-05-28Bluetooth: hci_core: Rework hci_dev_do_reset() to use hci_sync functionsHeitor Alves de Siqueira
The current HCI reset function in hci_core.c duplicates most of the work done by hci_dev_close_sync(), and doesn't handle LE, advertising or discovery. Instead of porting these to hci_dev_do_reset(), directly call the close/open functions from hci_sync to reset the hdev. MGMT now notifies when a user performs a reset. Suggested-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2026-05-28Bluetooth: ISO: serialize iso_sock_clear_timer with socket lockMuhammad Bilal
iso_sock_close() calls iso_sock_clear_timer() before acquiring lock_sock(sk). iso_sock_clear_timer() reads iso_pi(sk)->conn twice without the socket lock held: if (!iso_pi(sk)->conn) return; cancel_delayed_work(&iso_pi(sk)->conn->timeout_work); Concurrently, iso_conn_del() executes under lock_sock(sk) and calls iso_chan_del(), which sets iso_pi(sk)->conn to NULL and may result in the final reference to the connection being dropped: CPU0 CPU1 ---- ---- iso_sock_clear_timer() if (conn != NULL) ... lock_sock(sk) iso_chan_del() iso_pi(sk)->conn = NULL cancel_delayed_work(conn) /* NULL deref or UAF */ iso_pi(sk)->conn is not stable across the unlock window, causing a NULL pointer dereference or use-after-free. Serialize iso_sock_clear_timer() with the socket lock by moving it inside lock_sock()/release_sock(), matching the pattern used in iso_conn_del() and all other call sites. Fixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a ("Bluetooth: Add BTPROTO_ISO socket type") Cc: stable@vger.kernel.org Signed-off-by: Muhammad Bilal <meatuni001@gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2026-05-28Bluetooth: ISO: fix UAF in iso_recv_frameMuhammad Bilal
iso_recv_frame reads conn->sk under iso_conn_lock but releases the lock before using sk, with no reference held. A concurrent iso_sock_kill() can free sk in that window, causing use-after-free on sk->sk_state and sock_queue_rcv_skb(). Fix by replacing the bare pointer read with iso_sock_hold(conn), which calls sock_hold() while the spinlock is held, atomically elevating the refcount before the lock drops. Add a drop_put label so sock_put() is called on all exit paths where the hold succeeded. Fixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a ("Bluetooth: Add BTPROTO_ISO socket type") Cc: stable@vger.kernel.org Signed-off-by: Muhammad Bilal <meatuni001@gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2026-05-28Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rspLuiz Augusto von Dentz
If dcid is received for an already-assigned destination CID the spec requires that both channels to be discarded, but calling l2cap_chan_del may invalidate the tmp cursor created by list_for_each_entry_safe and in fact it is the wrong procedure as the chan->dcid may be assigned previously it really needs to be disconnected. Calling l2cap_chan_clone directly may still lead to l2cap_chan_del so instead schedule l2cap_chan_timeout with delay 0 to close the channel asynchronously. Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>