<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net, branch v7.2-rc3</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>Merge tag 'nfs-for-7.2-2' of git://git.linux-nfs.org/projects/anna/linux-nfs</title>
<updated>2026-07-11T01:15:26+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-11T01:15:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=58d9f84279a86b1b24239107a3d1c4d8dccb41e6'/>
<id>58d9f84279a86b1b24239107a3d1c4d8dccb41e6</id>
<content type='text'>
Pull NFS client fixes from Anna Schumaker:

 - SUNRPC:
    - Release lower rpc_clnt if killed waiting for XPRT_LOCKED
    - Pin upper rpc_clnt across the TLS connect_worker

 - NFS:
    - Include MAY_WRITE in open permission mask for O_TRUNC
    - Charge unstable writes by request size, not folio size

* tag 'nfs-for-7.2-2' of git://git.linux-nfs.org/projects/anna/linux-nfs:
  NFS: Charge unstable writes by request size, not folio size
  NFSv4: include MAY_WRITE in open permission mask for O_TRUNC
  SUNRPC: pin upper rpc_clnt across the TLS connect_worker
  SUNRPC: release lower rpc_clnt if killed waiting for XPRT_LOCKED
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull NFS client fixes from Anna Schumaker:

 - SUNRPC:
    - Release lower rpc_clnt if killed waiting for XPRT_LOCKED
    - Pin upper rpc_clnt across the TLS connect_worker

 - NFS:
    - Include MAY_WRITE in open permission mask for O_TRUNC
    - Charge unstable writes by request size, not folio size

* tag 'nfs-for-7.2-2' of git://git.linux-nfs.org/projects/anna/linux-nfs:
  NFS: Charge unstable writes by request size, not folio size
  NFSv4: include MAY_WRITE in open permission mask for O_TRUNC
  SUNRPC: pin upper rpc_clnt across the TLS connect_worker
  SUNRPC: release lower rpc_clnt if killed waiting for XPRT_LOCKED
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'net-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net</title>
<updated>2026-07-09T15:26:51+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-07-09T15:26:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2c7c88a412aa6d09cd04b414211b4ef8553b5309'/>
<id>2c7c88a412aa6d09cd04b414211b4ef8553b5309</id>
<content type='text'>
Pull networking fixes from Paolo Abeni:
 "Including fixes from netfilter, Bluetooth and batman-adv.

  Current release - regressions:

   - bluetooth: fix using chan-&gt;conn as indication to no remote netdev

  Current release - new code bugs:

   - netfilter: cap to maximum number of expectation per master on
     updates

  Previous releases - regressions:

   - bluetooth:
      - fix UAF of hci_conn_params in add_device_complete
      - fix null ptr deref in hci_abort_conn()

   - igmp: remove multicast group from hash table on device destruction

   - batman-adv: prevent TVLV OOB check overflow

   - eth: mlx5/mlx5e:
      - fix off-by-one in single-FDB error rollback
      - skip peer flow cleanup when LAG seq is unavailable
      - fix crashes in dynamic per-channel stats and HV VHCA agent

   - eth: mana: Sync page pool RX frags for CPU

  Previous releases - always broken:

   - netfilter:
      - mark malformed IPv6 extension headers for hotdrop
      - terminate table name before find_table_lock()
      - ipvs: use parsed transport offset in TCP state lookup

   - sched: act_pedit: fix TOCTOU heap OOB write in tc offload

   - ethtool: rss: fix hfunc and input_xfrm parsing on big endian

   - ipv4/ipv6: fix UAF and memory leak in IGMP/MLD

   - tls: consume empty data records in tls_sw_read_sock()

   - eth:
      - octeontx2-af: fix VF bringup affecting PF promiscuous state
      - gue: validate REMCSUM private option length"

* tag 'net-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (94 commits)
  macsec: don't read an unset MAC header in macsec_encrypt()
  dibs: loopback: validate offset and size in move_data()
  octeontx2-af: fix VF bringup affecting PF promiscuous state
  ethtool: rss: Fix hfunc and input_xfrm parsing on big endian
  net/mlx5: Fix L3 tunnel entropy refcount leak
  net: macb: drop in-flight Tx SKBs on close
  net: mana: Sync page pool RX frags for CPU
  net: mana: Validate the packet length reported by the NIC
  selftests/net: fix EVP_MD_CTX leak in tcp_mmap
  ipvs: ensure inner headers in ICMP errors are in headroom
  ipvs: use parsed transport offset in SCTP state lookup
  ipvs: use parsed transport offset in TCP state lookup
  ipvs: pass parsed transport offset to state handlers
  netfilter: handle unreadable frags
  netfilter: flowtable: support IPIP tunnel with direct xmit
  netfilter: flowtable: IPIP tunnel hardware offload is not yet support
  netfilter: flowtable: use dst in this direction when pushing IPIP header
  netfilter: ipset: allocate the proper memory for the generic hash structure
  netfilter: ipset: cleanup the add/del backlog when resize failed
  netfilter: ipset: exclude gc when resize is in progress
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull networking fixes from Paolo Abeni:
 "Including fixes from netfilter, Bluetooth and batman-adv.

  Current release - regressions:

   - bluetooth: fix using chan-&gt;conn as indication to no remote netdev

  Current release - new code bugs:

   - netfilter: cap to maximum number of expectation per master on
     updates

  Previous releases - regressions:

   - bluetooth:
      - fix UAF of hci_conn_params in add_device_complete
      - fix null ptr deref in hci_abort_conn()

   - igmp: remove multicast group from hash table on device destruction

   - batman-adv: prevent TVLV OOB check overflow

   - eth: mlx5/mlx5e:
      - fix off-by-one in single-FDB error rollback
      - skip peer flow cleanup when LAG seq is unavailable
      - fix crashes in dynamic per-channel stats and HV VHCA agent

   - eth: mana: Sync page pool RX frags for CPU

  Previous releases - always broken:

   - netfilter:
      - mark malformed IPv6 extension headers for hotdrop
      - terminate table name before find_table_lock()
      - ipvs: use parsed transport offset in TCP state lookup

   - sched: act_pedit: fix TOCTOU heap OOB write in tc offload

   - ethtool: rss: fix hfunc and input_xfrm parsing on big endian

   - ipv4/ipv6: fix UAF and memory leak in IGMP/MLD

   - tls: consume empty data records in tls_sw_read_sock()

   - eth:
      - octeontx2-af: fix VF bringup affecting PF promiscuous state
      - gue: validate REMCSUM private option length"

* tag 'net-7.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (94 commits)
  macsec: don't read an unset MAC header in macsec_encrypt()
  dibs: loopback: validate offset and size in move_data()
  octeontx2-af: fix VF bringup affecting PF promiscuous state
  ethtool: rss: Fix hfunc and input_xfrm parsing on big endian
  net/mlx5: Fix L3 tunnel entropy refcount leak
  net: macb: drop in-flight Tx SKBs on close
  net: mana: Sync page pool RX frags for CPU
  net: mana: Validate the packet length reported by the NIC
  selftests/net: fix EVP_MD_CTX leak in tcp_mmap
  ipvs: ensure inner headers in ICMP errors are in headroom
  ipvs: use parsed transport offset in SCTP state lookup
  ipvs: use parsed transport offset in TCP state lookup
  ipvs: pass parsed transport offset to state handlers
  netfilter: handle unreadable frags
  netfilter: flowtable: support IPIP tunnel with direct xmit
  netfilter: flowtable: IPIP tunnel hardware offload is not yet support
  netfilter: flowtable: use dst in this direction when pushing IPIP header
  netfilter: ipset: allocate the proper memory for the generic hash structure
  netfilter: ipset: cleanup the add/del backlog when resize failed
  netfilter: ipset: exclude gc when resize is in progress
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'nf-26-07-08' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf</title>
<updated>2026-07-09T09:42:57+00:00</updated>
<author>
<name>Paolo Abeni</name>
<email>pabeni@redhat.com</email>
</author>
<published>2026-07-09T09:42:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=24c4c88259464d38b35c3fbaecb68675de64137d'/>
<id>24c4c88259464d38b35c3fbaecb68675de64137d</id>
<content type='text'>
Florian Westphal says:

====================
netfilter: updates for net

The following patchset contains Netfilter fixes for *net*.

Most of these are LLM fixes for old issues flagged by sashiko/LLMs.

Many of these trigger drive-by-findings in sashiko. In particular:

- many load/store tearing and missing memory barriers, races
  etc. in ipset, esp. with GC and resizing.
  Keeping the proposed patches spinning for yet-another-iteration
  keeps legit fixes back, so I prefer to add these now and follow
  up with other reports later.
- flowtable work queue still has possible races with teardown,
  but same rationale as with ipset: drive-by findings, not
  problems coming with the flowtable IPIP changeset in this PR.
- ever since unreadable frag skb support was added in 6.12, we can no
  longer do: BUG_ON(skb_copy_bits( ...): it will fire with such skbs.
  Mina Almasry is looking at similar patterns elsewhere in the stack.

1) Guard skb-&gt;mac_header adjustment after IPv6 defragmentation in
nf_conntrack_reasm.  From Xiang Mei.

2) NUL-terminate ebtables table names before calling find_table_lock() to
prevent stack-out-of-bounds reads.  Also from Xiang Mei.

3) Zero the ebtables chainstack array, else error unwind may free bogus
pointer when CPU mask is sparse.  All three issues date from 2.6 days.

4) Ensure ebtables module names are c-strings, same bug pattern as 2).
Bug added in 4.6.

5) Fix catchall element handling for inverted lookups in nft_lookup. Fold the
catchall lookup into ext before computing the match status.  Was like
this ever since catchall elements got introduced in 5.13.
From Tamaki Yanagawa.

6-9) ipset updates from Jozsef Kadlecsik:
- mark rcu protected areas correctly
- address gc and resize clash in the comment extension
- add/del backlog cleanup in the error path
- allocate right size for the generic hash structure

10-12): IPIP flowtable updates from Pablo Neira Ayuso:
 - Use the current direction's route when pushing IPIP headers
   Fix incorrect headroom and fragmentation offset calculations.
 - Avoid hardware offload for IPIP tunnels due to lack of driver support.
 - Support IPIP tunnels with direct xmit in netfilter flowtable.
   dst_cache and dst_cookie are moved outside the union to share route
   state across flows.  This is a followup to work done in 6.19 cycle.

13) Don't BUG() on skb_copy_bits error. Handle unreadable fragments by
either returning an error or restricting the copy operations to linear area,
This became an issue when unreable frag support was merged in 6.12.

14-16): IPVS updates from Yizhou Zhao:
 - Pass parsed transport offset to IPVS state handlers.
   update callback signatures.
 - use correct transport header offset on state lookp in TCP.
   As-is it was possible for ipv6 extension header data to be
   treated as L4 header.
 - same for SCTP.  This was also broken since 2.6 days.

17) Ensure inner IP headers in ICMP errors are in the skb headroom after
stripping outer headers. Add more checks for the length of inner headers.
This was broken since 3.7 days.
From Julian Anastasov.

netfilter pull request nf-26-07-08

* tag 'nf-26-07-08' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  ipvs: ensure inner headers in ICMP errors are in headroom
  ipvs: use parsed transport offset in SCTP state lookup
  ipvs: use parsed transport offset in TCP state lookup
  ipvs: pass parsed transport offset to state handlers
  netfilter: handle unreadable frags
  netfilter: flowtable: support IPIP tunnel with direct xmit
  netfilter: flowtable: IPIP tunnel hardware offload is not yet support
  netfilter: flowtable: use dst in this direction when pushing IPIP header
  netfilter: ipset: allocate the proper memory for the generic hash structure
  netfilter: ipset: cleanup the add/del backlog when resize failed
  netfilter: ipset: exclude gc when resize is in progress
  netfilter: ipset: mark the rcu locked areas properly
  netfilter: nft_lookup: fix catchall element handling with inverted lookups
  netfilter: ebtables: module names must be null-terminated
  netfilter: ebtables: zero chainstack array
  netfilter: ebtables: terminate table name before find_table_lock()
  netfilter: nf_conntrack_reasm: guard mac_header adjustment after IPv6 defrag
====================

Link: https://patch.msgid.link/20260708140309.19633-1-fw@strlen.de
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Florian Westphal says:

====================
netfilter: updates for net

The following patchset contains Netfilter fixes for *net*.

Most of these are LLM fixes for old issues flagged by sashiko/LLMs.

Many of these trigger drive-by-findings in sashiko. In particular:

- many load/store tearing and missing memory barriers, races
  etc. in ipset, esp. with GC and resizing.
  Keeping the proposed patches spinning for yet-another-iteration
  keeps legit fixes back, so I prefer to add these now and follow
  up with other reports later.
- flowtable work queue still has possible races with teardown,
  but same rationale as with ipset: drive-by findings, not
  problems coming with the flowtable IPIP changeset in this PR.
- ever since unreadable frag skb support was added in 6.12, we can no
  longer do: BUG_ON(skb_copy_bits( ...): it will fire with such skbs.
  Mina Almasry is looking at similar patterns elsewhere in the stack.

1) Guard skb-&gt;mac_header adjustment after IPv6 defragmentation in
nf_conntrack_reasm.  From Xiang Mei.

2) NUL-terminate ebtables table names before calling find_table_lock() to
prevent stack-out-of-bounds reads.  Also from Xiang Mei.

3) Zero the ebtables chainstack array, else error unwind may free bogus
pointer when CPU mask is sparse.  All three issues date from 2.6 days.

4) Ensure ebtables module names are c-strings, same bug pattern as 2).
Bug added in 4.6.

5) Fix catchall element handling for inverted lookups in nft_lookup. Fold the
catchall lookup into ext before computing the match status.  Was like
this ever since catchall elements got introduced in 5.13.
From Tamaki Yanagawa.

6-9) ipset updates from Jozsef Kadlecsik:
- mark rcu protected areas correctly
- address gc and resize clash in the comment extension
- add/del backlog cleanup in the error path
- allocate right size for the generic hash structure

10-12): IPIP flowtable updates from Pablo Neira Ayuso:
 - Use the current direction's route when pushing IPIP headers
   Fix incorrect headroom and fragmentation offset calculations.
 - Avoid hardware offload for IPIP tunnels due to lack of driver support.
 - Support IPIP tunnels with direct xmit in netfilter flowtable.
   dst_cache and dst_cookie are moved outside the union to share route
   state across flows.  This is a followup to work done in 6.19 cycle.

13) Don't BUG() on skb_copy_bits error. Handle unreadable fragments by
either returning an error or restricting the copy operations to linear area,
This became an issue when unreable frag support was merged in 6.12.

14-16): IPVS updates from Yizhou Zhao:
 - Pass parsed transport offset to IPVS state handlers.
   update callback signatures.
 - use correct transport header offset on state lookp in TCP.
   As-is it was possible for ipv6 extension header data to be
   treated as L4 header.
 - same for SCTP.  This was also broken since 2.6 days.

17) Ensure inner IP headers in ICMP errors are in the skb headroom after
stripping outer headers. Add more checks for the length of inner headers.
This was broken since 3.7 days.
From Julian Anastasov.

netfilter pull request nf-26-07-08

* tag 'nf-26-07-08' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  ipvs: ensure inner headers in ICMP errors are in headroom
  ipvs: use parsed transport offset in SCTP state lookup
  ipvs: use parsed transport offset in TCP state lookup
  ipvs: pass parsed transport offset to state handlers
  netfilter: handle unreadable frags
  netfilter: flowtable: support IPIP tunnel with direct xmit
  netfilter: flowtable: IPIP tunnel hardware offload is not yet support
  netfilter: flowtable: use dst in this direction when pushing IPIP header
  netfilter: ipset: allocate the proper memory for the generic hash structure
  netfilter: ipset: cleanup the add/del backlog when resize failed
  netfilter: ipset: exclude gc when resize is in progress
  netfilter: ipset: mark the rcu locked areas properly
  netfilter: nft_lookup: fix catchall element handling with inverted lookups
  netfilter: ebtables: module names must be null-terminated
  netfilter: ebtables: zero chainstack array
  netfilter: ebtables: terminate table name before find_table_lock()
  netfilter: nf_conntrack_reasm: guard mac_header adjustment after IPv6 defrag
====================

Link: https://patch.msgid.link/20260708140309.19633-1-fw@strlen.de
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ethtool: rss: Fix hfunc and input_xfrm parsing on big endian</title>
<updated>2026-07-09T09:38:30+00:00</updated>
<author>
<name>Gal Pressman</name>
<email>gal@nvidia.com</email>
</author>
<published>2026-07-06T05:50:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b62869a81a7ce388d1fbb0fac5fa8300ea614d81'/>
<id>b62869a81a7ce388d1fbb0fac5fa8300ea614d81</id>
<content type='text'>
ETHTOOL_A_RSS_HFUNC and ETHTOOL_A_RSS_INPUT_XFRM are NLA_U32 attributes,
but ethnl_rss_set() and ethnl_rss_create_doit() parse them with
ethnl_update_u8(), which reads a single byte.

On little endian this happens to read the least significant byte and
works as long as the value fits in a byte. On big endian it reads the
most significant byte, so the requested value is parsed incorrectly.

The destination fields in struct ethtool_rxfh_param are u8, so the
attribute can't be read directly with ethnl_update_u32().
Cap the hfunc policy at U8_MAX so an out of range value is rejected
instead of being silently truncated into the u8 field, and add
ethnl_update_u8_u32() to read the full u32 and narrow it into the u8
destination.

Fixes: 82ae67cbc423 ("ethtool: rss: support setting hfunc via Netlink")
Fixes: d3e2c7bab124 ("ethtool: rss: support setting input-xfrm via Netlink")
Fixes: a166ab7816c5 ("ethtool: rss: support creating contexts via Netlink")
Reviewed-by: Dragos Tatulea &lt;dtatulea@nvidia.com&gt;
Reviewed-by: Nimrod Oren &lt;noren@nvidia.com&gt;
Signed-off-by: Gal Pressman &lt;gal@nvidia.com&gt;
Link: https://patch.msgid.link/20260706055017.3355806-1-gal@nvidia.com
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
ETHTOOL_A_RSS_HFUNC and ETHTOOL_A_RSS_INPUT_XFRM are NLA_U32 attributes,
but ethnl_rss_set() and ethnl_rss_create_doit() parse them with
ethnl_update_u8(), which reads a single byte.

On little endian this happens to read the least significant byte and
works as long as the value fits in a byte. On big endian it reads the
most significant byte, so the requested value is parsed incorrectly.

The destination fields in struct ethtool_rxfh_param are u8, so the
attribute can't be read directly with ethnl_update_u32().
Cap the hfunc policy at U8_MAX so an out of range value is rejected
instead of being silently truncated into the u8 field, and add
ethnl_update_u8_u32() to read the full u32 and narrow it into the u8
destination.

Fixes: 82ae67cbc423 ("ethtool: rss: support setting hfunc via Netlink")
Fixes: d3e2c7bab124 ("ethtool: rss: support setting input-xfrm via Netlink")
Fixes: a166ab7816c5 ("ethtool: rss: support creating contexts via Netlink")
Reviewed-by: Dragos Tatulea &lt;dtatulea@nvidia.com&gt;
Reviewed-by: Nimrod Oren &lt;noren@nvidia.com&gt;
Signed-off-by: Gal Pressman &lt;gal@nvidia.com&gt;
Link: https://patch.msgid.link/20260706055017.3355806-1-gal@nvidia.com
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'batadv-net-pullrequest-20260708' of https://git.open-mesh.org/batadv</title>
<updated>2026-07-09T09:09:06+00:00</updated>
<author>
<name>Paolo Abeni</name>
<email>pabeni@redhat.com</email>
</author>
<published>2026-07-09T09:09:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=604e9594449b9907181f4285d0cd6a398bfc9d08'/>
<id>604e9594449b9907181f4285d0cd6a398bfc9d08</id>
<content type='text'>
Simon Wunderlich says:

====================
Here are some batman-adv bugfixes, all by Sven Eckelmann:

 - ensure minimal ethernet header on TX

 - fix VLAN priority offset

 - clean untagged VLAN on netdev registration failure

 - tt: avoid request storms during pending request

 - tt: prevent TVLV OOB check overflow

 - frag: free unfragmentable packet

 - frag: fix primary_if leak on failed linearization

 - mcast: avoid OOB read of num_dests header

 - dat: fix tie-break for candidate selection

* tag 'batadv-net-pullrequest-20260708' of https://git.open-mesh.org/batadv:
  batman-adv: dat: fix tie-break for candidate selection
  batman-adv: mcast: avoid OOB read of num_dests header
  batman-adv: frag: fix primary_if leak on failed linearization
  batman-adv: frag: free unfragmentable packet
  batman-adv: tt: prevent TVLV OOB check overflow
  batman-adv: tt: avoid request storms during pending request
  batman-adv: clean untagged VLAN on netdev registration failure
  batman-adv: fix VLAN priority offset
  batman-adv: ensure minimal ethernet header on TX
====================

Link: https://patch.msgid.link/20260708091821.314516-1-sw@simonwunderlich.de
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Simon Wunderlich says:

====================
Here are some batman-adv bugfixes, all by Sven Eckelmann:

 - ensure minimal ethernet header on TX

 - fix VLAN priority offset

 - clean untagged VLAN on netdev registration failure

 - tt: avoid request storms during pending request

 - tt: prevent TVLV OOB check overflow

 - frag: free unfragmentable packet

 - frag: fix primary_if leak on failed linearization

 - mcast: avoid OOB read of num_dests header

 - dat: fix tie-break for candidate selection

* tag 'batadv-net-pullrequest-20260708' of https://git.open-mesh.org/batadv:
  batman-adv: dat: fix tie-break for candidate selection
  batman-adv: mcast: avoid OOB read of num_dests header
  batman-adv: frag: fix primary_if leak on failed linearization
  batman-adv: frag: free unfragmentable packet
  batman-adv: tt: prevent TVLV OOB check overflow
  batman-adv: tt: avoid request storms during pending request
  batman-adv: clean untagged VLAN on netdev registration failure
  batman-adv: fix VLAN priority offset
  batman-adv: ensure minimal ethernet header on TX
====================

Link: https://patch.msgid.link/20260708091821.314516-1-sw@simonwunderlich.de
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>SUNRPC: pin upper rpc_clnt across the TLS connect_worker</title>
<updated>2026-07-08T18:07:19+00:00</updated>
<author>
<name>Chuck Lever</name>
<email>chuck.lever@oracle.com</email>
</author>
<published>2026-05-04T10:28:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=46bc86c833956219bbfd246c1ffd832a479c5199'/>
<id>46bc86c833956219bbfd246c1ffd832a479c5199</id>
<content type='text'>
The TLS connect path has a use-after-free: nothing pins the
upper rpc_clnt across the delayed connect_worker. xs_connect()
stores task-&gt;tk_client in sock_xprt::clnt as a raw pointer
and queues the worker; for TLS-secured transports that worker
is xs_tcp_tls_setup_socket(), which reads several fields out
of the saved pointer (cl_timeout, cl_program, cl_prog,
cl_vers, cl_cred, cl_stats) to construct the args for the
inner handshake rpc_clnt.

The xprt does not reference the rpc_clnt; the rpc_clnt
references the xprt. xs_destroy() does cancel the
connect_worker, but it runs only when the xprt's refcount
drops to zero, which cannot happen until the rpc_clnt
releases its cl_xprt reference in rpc_free_client_work().
When a TLS handshake fails fatally (for example, an mTLS
mount whose client cert does not match the server), the
connecting task is woken with -EACCES and exits, the mount
caller invokes rpc_shutdown_client(), and the upper rpc_clnt
is freed before the queued connect_worker fires.
xs_tcp_tls_setup_socket() then dereferences the freed clnt,
producing the refcount_t underflow Michael Nemanov reported.

Take a reference on the upper rpc_clnt in xs_connect() for
TLS transports via a new rpc_hold_client() helper, and drop
it in the connect_worker's exit path with rpc_release_client().
The xprt_lock_connect() / xprt_unlock_connect() pairing
already serialises xs_connect() with xs_tcp_tls_setup_socket(),
so the take and release are balanced one-for-one.

The non-TLS connect worker (xs_tcp_setup_socket) never reads
sock_xprt::clnt, so leave that path alone and avoid the
clnt-holds-xprt-holds-clnt cycle that would otherwise prevent
xprt destruction.

Reported-by: Michael Nemanov &lt;michael.nemanov@vastdata.com&gt;
Closes: https://lore.kernel.org/linux-nfs/40e3d522-dfcf-4fc1-9c55-b5e81f1536d5@vastdata.com/
Fixes: 75eb6af7acdf ("SUNRPC: Add a TCP-with-TLS RPC transport class")
Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Tested-by: Michael Nemanov &lt;michael.nemanov@vastdata.com&gt;
Reviewed-by: Michael Nemanov &lt;michael.nemanov@vastdata.com&gt;
Signed-off-by: Anna Schumaker &lt;anna.schumaker@hammerspace.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The TLS connect path has a use-after-free: nothing pins the
upper rpc_clnt across the delayed connect_worker. xs_connect()
stores task-&gt;tk_client in sock_xprt::clnt as a raw pointer
and queues the worker; for TLS-secured transports that worker
is xs_tcp_tls_setup_socket(), which reads several fields out
of the saved pointer (cl_timeout, cl_program, cl_prog,
cl_vers, cl_cred, cl_stats) to construct the args for the
inner handshake rpc_clnt.

The xprt does not reference the rpc_clnt; the rpc_clnt
references the xprt. xs_destroy() does cancel the
connect_worker, but it runs only when the xprt's refcount
drops to zero, which cannot happen until the rpc_clnt
releases its cl_xprt reference in rpc_free_client_work().
When a TLS handshake fails fatally (for example, an mTLS
mount whose client cert does not match the server), the
connecting task is woken with -EACCES and exits, the mount
caller invokes rpc_shutdown_client(), and the upper rpc_clnt
is freed before the queued connect_worker fires.
xs_tcp_tls_setup_socket() then dereferences the freed clnt,
producing the refcount_t underflow Michael Nemanov reported.

Take a reference on the upper rpc_clnt in xs_connect() for
TLS transports via a new rpc_hold_client() helper, and drop
it in the connect_worker's exit path with rpc_release_client().
The xprt_lock_connect() / xprt_unlock_connect() pairing
already serialises xs_connect() with xs_tcp_tls_setup_socket(),
so the take and release are balanced one-for-one.

The non-TLS connect worker (xs_tcp_setup_socket) never reads
sock_xprt::clnt, so leave that path alone and avoid the
clnt-holds-xprt-holds-clnt cycle that would otherwise prevent
xprt destruction.

Reported-by: Michael Nemanov &lt;michael.nemanov@vastdata.com&gt;
Closes: https://lore.kernel.org/linux-nfs/40e3d522-dfcf-4fc1-9c55-b5e81f1536d5@vastdata.com/
Fixes: 75eb6af7acdf ("SUNRPC: Add a TCP-with-TLS RPC transport class")
Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Tested-by: Michael Nemanov &lt;michael.nemanov@vastdata.com&gt;
Reviewed-by: Michael Nemanov &lt;michael.nemanov@vastdata.com&gt;
Signed-off-by: Anna Schumaker &lt;anna.schumaker@hammerspace.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>SUNRPC: release lower rpc_clnt if killed waiting for XPRT_LOCKED</title>
<updated>2026-07-08T18:07:19+00:00</updated>
<author>
<name>Chuck Lever</name>
<email>chuck.lever@oracle.com</email>
</author>
<published>2026-05-04T10:28:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=29bacb096d43bd04062f6655e50ceeed27fe6d2f'/>
<id>29bacb096d43bd04062f6655e50ceeed27fe6d2f</id>
<content type='text'>
xs_tcp_tls_setup_socket() creates a temporary "lower" rpc_clnt with
rpc_create() to drive the inner TLS handshake, then waits for
XPRT_LOCKED on its xprt with TASK_KILLABLE so a stuck handshake can
be aborted by signal. When the wait is interrupted, the function
jumps to out_unlock without releasing lower_clnt. The success path
and the out_close error path both call
rpc_shutdown_client(lower_clnt); only the killed-wait path skips it,
leaking the clnt and its underlying xprt.

Call rpc_shutdown_client() on this path before joining out_unlock.
xprt_release_write() is not needed here because XPRT_LOCKED was
never acquired.

Fixes: 26e8bfa30dac ("SUNRPC/TLS: Lock the lower_xprt during the tls handshake")
Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Tested-by: Michael Nemanov &lt;michael.nemanov@vastdata.com&gt;
Reviewed-by: Michael Nemanov &lt;michael.nemanov@vastdata.com&gt;
Signed-off-by: Anna Schumaker &lt;anna.schumaker@hammerspace.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
xs_tcp_tls_setup_socket() creates a temporary "lower" rpc_clnt with
rpc_create() to drive the inner TLS handshake, then waits for
XPRT_LOCKED on its xprt with TASK_KILLABLE so a stuck handshake can
be aborted by signal. When the wait is interrupted, the function
jumps to out_unlock without releasing lower_clnt. The success path
and the out_close error path both call
rpc_shutdown_client(lower_clnt); only the killed-wait path skips it,
leaking the clnt and its underlying xprt.

Call rpc_shutdown_client() on this path before joining out_unlock.
xprt_release_write() is not needed here because XPRT_LOCKED was
never acquired.

Fixes: 26e8bfa30dac ("SUNRPC/TLS: Lock the lower_xprt during the tls handshake")
Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Tested-by: Michael Nemanov &lt;michael.nemanov@vastdata.com&gt;
Reviewed-by: Michael Nemanov &lt;michael.nemanov@vastdata.com&gt;
Signed-off-by: Anna Schumaker &lt;anna.schumaker@hammerspace.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipvs: ensure inner headers in ICMP errors are in headroom</title>
<updated>2026-07-08T13:33:44+00:00</updated>
<author>
<name>Julian Anastasov</name>
<email>ja@ssi.bg</email>
</author>
<published>2026-07-07T18:25:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3f7a535ff0fa627a0132803e4c2f903ceffcbc1c'/>
<id>3f7a535ff0fa627a0132803e4c2f903ceffcbc1c</id>
<content type='text'>
Sashiko points out that after stripping the outer headers
with pskb_pull() we should ensure the inner IP headers
in ICMP errors from tunnels are present in the skb headroom
for functions like ipv4_update_pmtu(), icmp_send() and
IP_VS_DBG().

Also, add more checks for the length of the inner headers.

Fixes: f2edb9f7706d ("ipvs: implement passive PMTUD for IPIP packets")
Link: https://sashiko.dev/#/patchset/20260702073430.67680-1-zhaoyz24%40mails.tsinghua.edu.cn
Signed-off-by: Julian Anastasov &lt;ja@ssi.bg&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Sashiko points out that after stripping the outer headers
with pskb_pull() we should ensure the inner IP headers
in ICMP errors from tunnels are present in the skb headroom
for functions like ipv4_update_pmtu(), icmp_send() and
IP_VS_DBG().

Also, add more checks for the length of the inner headers.

Fixes: f2edb9f7706d ("ipvs: implement passive PMTUD for IPIP packets")
Link: https://sashiko.dev/#/patchset/20260702073430.67680-1-zhaoyz24%40mails.tsinghua.edu.cn
Signed-off-by: Julian Anastasov &lt;ja@ssi.bg&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipvs: use parsed transport offset in SCTP state lookup</title>
<updated>2026-07-08T13:33:44+00:00</updated>
<author>
<name>Yizhou Zhao</name>
<email>zhaoyz24@mails.tsinghua.edu.cn</email>
</author>
<published>2026-07-06T10:16:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2f75c0faa3361b28e36cc0512b3299e163e25789'/>
<id>2f75c0faa3361b28e36cc0512b3299e163e25789</id>
<content type='text'>
set_sctp_state() reads the SCTP chunk header again in order to drive the
IPVS SCTP state table. For IPv6 it computes the offset with
sizeof(struct ipv6hdr), while the surrounding IPVS code uses iph.len from
ip_vs_fill_iph_skb(), where ipv6_find_hdr() has already skipped
extension headers and found the real transport header.

This makes the state machine read from the wrong offset for IPv6 SCTP
packets that carry extension headers. For example, an INIT packet with an
8-byte destination options header can be scheduled correctly by
sctp_conn_schedule(), but set_sctp_state() reads the first byte of the
SCTP verification tag as a DATA chunk type. The connection then moves
from NONE to ESTABLISHED instead of INIT1, gets the longer established
timeout, and updates the active/inactive destination counters
incorrectly. This happens even though the SCTP handshake has not
completed.

Use the parsed transport offset passed down from ip_vs_set_state() for
the SCTP chunk-header lookup. For IPv4 and IPv6 packets without
extension headers this preserves the existing offset.

Fixes: 2906f66a5682 ("ipvs: SCTP Trasport Loadbalancing Support")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/netdev/20260705123040.35755-1-zhaoyz24@mails.tsinghua.edu.cn/
Reported-by: Yizhou Zhao &lt;zhaoyz24@mails.tsinghua.edu.cn&gt;
Reported-by: Yuxiang Yang &lt;yangyx22@mails.tsinghua.edu.cn&gt;
Reported-by: Ao Wang &lt;wangao@seu.edu.cn&gt;
Reported-by: Xuewei Feng &lt;fengxw06@126.com&gt;
Reported-by: Qi Li &lt;qli01@tsinghua.edu.cn&gt;
Reported-by: Ke Xu &lt;xuke@tsinghua.edu.cn&gt;
Assisted-by: Claude Code:GLM-5.2
Signed-off-by: Yizhou Zhao &lt;zhaoyz24@mails.tsinghua.edu.cn&gt;
Acked-by: Julian Anastasov &lt;ja@ssi.bg&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
set_sctp_state() reads the SCTP chunk header again in order to drive the
IPVS SCTP state table. For IPv6 it computes the offset with
sizeof(struct ipv6hdr), while the surrounding IPVS code uses iph.len from
ip_vs_fill_iph_skb(), where ipv6_find_hdr() has already skipped
extension headers and found the real transport header.

This makes the state machine read from the wrong offset for IPv6 SCTP
packets that carry extension headers. For example, an INIT packet with an
8-byte destination options header can be scheduled correctly by
sctp_conn_schedule(), but set_sctp_state() reads the first byte of the
SCTP verification tag as a DATA chunk type. The connection then moves
from NONE to ESTABLISHED instead of INIT1, gets the longer established
timeout, and updates the active/inactive destination counters
incorrectly. This happens even though the SCTP handshake has not
completed.

Use the parsed transport offset passed down from ip_vs_set_state() for
the SCTP chunk-header lookup. For IPv4 and IPv6 packets without
extension headers this preserves the existing offset.

Fixes: 2906f66a5682 ("ipvs: SCTP Trasport Loadbalancing Support")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/netdev/20260705123040.35755-1-zhaoyz24@mails.tsinghua.edu.cn/
Reported-by: Yizhou Zhao &lt;zhaoyz24@mails.tsinghua.edu.cn&gt;
Reported-by: Yuxiang Yang &lt;yangyx22@mails.tsinghua.edu.cn&gt;
Reported-by: Ao Wang &lt;wangao@seu.edu.cn&gt;
Reported-by: Xuewei Feng &lt;fengxw06@126.com&gt;
Reported-by: Qi Li &lt;qli01@tsinghua.edu.cn&gt;
Reported-by: Ke Xu &lt;xuke@tsinghua.edu.cn&gt;
Assisted-by: Claude Code:GLM-5.2
Signed-off-by: Yizhou Zhao &lt;zhaoyz24@mails.tsinghua.edu.cn&gt;
Acked-by: Julian Anastasov &lt;ja@ssi.bg&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipvs: use parsed transport offset in TCP state lookup</title>
<updated>2026-07-08T13:33:44+00:00</updated>
<author>
<name>Yizhou Zhao</name>
<email>zhaoyz24@mails.tsinghua.edu.cn</email>
</author>
<published>2026-07-06T10:16:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2500fa3958b1ba51c2b065e39db1b04dfa7e23a2'/>
<id>2500fa3958b1ba51c2b065e39db1b04dfa7e23a2</id>
<content type='text'>
TCP state handling reparses the skb to find the TCP header. For IPv6 it
uses sizeof(struct ipv6hdr), while the surrounding IPVS code already
parsed the packet with ip_vs_fill_iph_skb() and has the real
transport-header offset in iph.len.

This makes TCP state handling look at the wrong bytes when an IPv6
packet carries extension headers. Use the parsed transport offset passed
down from ip_vs_set_state() when reading the TCP header.

For IPv4 and for IPv6 packets without extension headers, the passed
offset matches the previous value.

Fixes: 0bbdd42b7efa6 ("IPVS: Extend protocol DNAT/SNAT and state handlers")
Link: https://lore.kernel.org/netdev/20260705125659.37744-1-zhaoyz24@mails.tsinghua.edu.cn/
Reported-by: Yizhou Zhao &lt;zhaoyz24@mails.tsinghua.edu.cn&gt;
Reported-by: Yuxiang Yang &lt;yangyx22@mails.tsinghua.edu.cn&gt;
Reported-by: Ao Wang &lt;wangao@seu.edu.cn&gt;
Reported-by: Xuewei Feng &lt;fengxw06@126.com&gt;
Reported-by: Qi Li &lt;qli01@tsinghua.edu.cn&gt;
Reported-by: Ke Xu &lt;xuke@tsinghua.edu.cn&gt;
Assisted-by: Claude Code:GLM-5.2
Signed-off-by: Yizhou Zhao &lt;zhaoyz24@mails.tsinghua.edu.cn&gt;
Acked-by: Julian Anastasov &lt;ja@ssi.bg&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
TCP state handling reparses the skb to find the TCP header. For IPv6 it
uses sizeof(struct ipv6hdr), while the surrounding IPVS code already
parsed the packet with ip_vs_fill_iph_skb() and has the real
transport-header offset in iph.len.

This makes TCP state handling look at the wrong bytes when an IPv6
packet carries extension headers. Use the parsed transport offset passed
down from ip_vs_set_state() when reading the TCP header.

For IPv4 and for IPv6 packets without extension headers, the passed
offset matches the previous value.

Fixes: 0bbdd42b7efa6 ("IPVS: Extend protocol DNAT/SNAT and state handlers")
Link: https://lore.kernel.org/netdev/20260705125659.37744-1-zhaoyz24@mails.tsinghua.edu.cn/
Reported-by: Yizhou Zhao &lt;zhaoyz24@mails.tsinghua.edu.cn&gt;
Reported-by: Yuxiang Yang &lt;yangyx22@mails.tsinghua.edu.cn&gt;
Reported-by: Ao Wang &lt;wangao@seu.edu.cn&gt;
Reported-by: Xuewei Feng &lt;fengxw06@126.com&gt;
Reported-by: Qi Li &lt;qli01@tsinghua.edu.cn&gt;
Reported-by: Ke Xu &lt;xuke@tsinghua.edu.cn&gt;
Assisted-by: Claude Code:GLM-5.2
Signed-off-by: Yizhou Zhao &lt;zhaoyz24@mails.tsinghua.edu.cn&gt;
Acked-by: Julian Anastasov &lt;ja@ssi.bg&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
</pre>
</div>
</content>
</entry>
</feed>
