summaryrefslogtreecommitdiff
path: root/include/net
AgeCommit message (Collapse)Author
2026-05-05wifi: cfg80211: add LTF keyseed support for secure rangingPeddolla Harshavardhan Reddy
Currently there is no way to install an LTF key seed that can be used in non-trigger-based (NTB) and trigger-based (TB) FTM ranging to protect NDP frames. Without this, drivers cannot enable PHY-layer security for peer measurement sessions, leaving ranging measurements vulnerable to eavesdropping and manipulation. Introduce NL80211_KEY_LTF_SEED attribute and the dedicated extended feature flag NL80211_EXT_FEATURE_SET_KEY_LTF_SEED to allow drivers to advertise and install LTF key seeds via nl80211. The key seed must be configured beforehand to ensure the peer measurement session is secure. The driver must advertise both NL80211_EXT_FEATURE_SECURE_LTF and NL80211_EXT_FEATURE_SET_KEY_LTF_SEED for the key seed installation to be permitted. The LTF key seed is pairwise key material and must only be used with pairwise key type. Reject attempts to use it with other key types. Signed-off-by: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com> Link: https://patch.msgid.link/20260420090856.2152905-13-peddolla.reddy@oss.qualcomm.com [fix policy coding style] Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-05-05wifi: cfg80211: allow suppressing FTM result reporting for PD requestsPeddolla Harshavardhan Reddy
Proximity detection often does not require detailed ranging measurements, yet userspace currently receives full FTM results for every request, causing unnecessary data transfer, host wakeups, and processing overhead. Add an optional control to suppress ranging result reporting for peer-to-peer PD requests. Introduce the NL80211_PMSR_FTM_REQ_ATTR_PD_SUPPRESS_RESULTS flag; when set with a PD request, the device may perform the measurements (e.g. when acting as RSTA) but must not report the measurement results to userspace. Validate that the flag is only accepted when request_type is set to NL80211_PMSR_FTM_REQ_TYPE_PD, reject otherwise. Signed-off-by: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com> Link: https://patch.msgid.link/20260420090856.2152905-12-peddolla.reddy@oss.qualcomm.com Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-05-05wifi: cfg80211: add PD-specific preamble and bandwidth capabilitiesPeddolla Harshavardhan Reddy
Devices may support different preamble and bandwidth configurations for proximity detection (PD) ranging versus standard ranging. Add separate pd_preambles and pd_bandwidths fields to cfg80211_pmsr_capabilities to allow drivers to advertise PD-specific capabilities. Expose these over nl80211 using new attributes NL80211_PMSR_FTM_CAPA_ATTR_PD_PREAMBLES and NL80211_PMSR_FTM_CAPA_ATTR_PD_BANDWIDTHS, advertised only when pd_support is set. For PD requests, validate bandwidth and preamble against pd_bandwidths and pd_preambles. For non-PD requests, validate against the existing bandwidths and preambles fields. Signed-off-by: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com> Link: https://patch.msgid.link/20260420090856.2152905-11-peddolla.reddy@oss.qualcomm.com Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-05-05wifi: cfg80211: add ingress/egress distance thresholds for FTMPeddolla Harshavardhan Reddy
Proximity detection applications need to receive measurement results only when devices cross specific distance boundaries to avoid unnecessary host wakeups and reduce power consumption. Introduce configurable distance-based reporting thresholds that drivers can use to implement selective result reporting. Add ingress and egress distance parameters allowing applications to specify when results should be reported as peers cross these boundaries. Signed-off-by: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com> Link: https://patch.msgid.link/20260420090856.2152905-10-peddolla.reddy@oss.qualcomm.com [remove mm units from variables] Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-05-05wifi: cfg80211: add role-based peer limits to FTM capabilitiesPeddolla Harshavardhan Reddy
Peer measurement capabilities currently advertise a single maximum peer count regardless of device role. Some devices support different peer limits when operating as initiator versus responder. Add max_peers fields inside the ftm.ista and ftm.rsta sub-structs of cfg80211_pmsr_capabilities to allow drivers to advertise per-role peer limits. These limits are generic and not restricted to any specific ranging type. Expose these over nl80211 using new NL80211_PMSR_ATTR_MAX_PEER_ISTA_ROLE and NL80211_PMSR_ATTR_MAX_PEER_RSTA_ROLE attributes inside the ISTA_CAPS and RSTA_CAPS nested attributes respectively. When a role limit is advertised, validate the number of peers in the request separately for each role using the existing rsta flag in the FTM request, and reject the request if the limit is exceeded. Signed-off-by: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com> Link: https://patch.msgid.link/20260420090856.2152905-9-peddolla.reddy@oss.qualcomm.com Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-05-05wifi: cfg80211: extend PMSR FTM response for proximity rangingPeddolla Harshavardhan Reddy
Applications need negotiated session parameters to interpret proximity ranging results and perform post-processing. Currently, the FTM response lacks LTF repetition counts, time constraints, spatial stream configuration, and availability window parameters. Extend the FTM response structure to report these negotiated parameters, enabling applications to track session configuration and use them in post-processing to increase ranging precision. Signed-off-by: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com> Link: https://patch.msgid.link/20260420090856.2152905-8-peddolla.reddy@oss.qualcomm.com Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-05-05wifi: cfg80211: add NTB continuous ranging and FTM request type supportPeddolla Harshavardhan Reddy
Enable NTB continuous ranging with configurable timing and measurement parameters as per the Wi-Fi Alliance specification "Proximity Ranging (PR) Implementation Consideration Draft 1.9 Rev 1, section 5.3". Add new FTM request attributes for min/max time between measurements, nominal time (mandatory for NTB), AW duration, and total measurement count. Add NL80211_PMSR_PEER_ATTR_REQ_TYPE attribute using the new nl80211_peer_measurement_ftm_req_type enum to allow userspace to specify the ranging request type per peer: - NL80211_PMSR_FTM_REQ_TYPE_INFRA: STA-to-AP or AP-to-STA ranging (default if attribute is absent) - NL80211_PMSR_FTM_REQ_TYPE_PD: peer-to-peer ranging Validate the request type against the device TYPE_CAPS capabilities advertised via NL80211_PMSR_FTM_CAPA_ATTR_TYPE_CAPS. Reject PD requests if the device does not advertise PD support. Reject PD requests that set trigger-based ranging, as TB ranging is not compatible with peer-to-peer proximity detection. Add ftms_per_burst limit of 4 for PD NTB ranging requests. Signed-off-by: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com> Link: https://patch.msgid.link/20260420090856.2152905-7-peddolla.reddy@oss.qualcomm.com Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-05-05wifi: cfg80211: add proximity detection capabilities to PMSRPeddolla Harshavardhan Reddy
Introduce Proximity Detection (PD) capabilities in Peer Measurement Service (PMSR) as defined in the Wi-Fi Alliance specification "Proximity Ranging (PR) Implementation Consideration Draft 1.9 Rev 1 section 3.3". This enables devices to advertise peer to peer ranging support. Restructure FTM capabilities in cfg80211_pmsr_capabilities to replace the single support_rsta flag with nested ista and rsta sub-structs, each carrying per-mode flags for Non-Trigger Based (NTB), Trigger Based (TB), and EDCA based ranging. This allows drivers to advertise detailed role and protocol support for both initiator and responder roles. Add support to pass additional ISTA and RSTA role capabilities to userspace using new nested ISTA_CAPS and RSTA_CAPS attributes. The legacy RSTA_SUPPORT flag is retained for backward compatibility. Add NL80211_PMSR_FTM_CAPA_ATTR_TYPE_CAPS nested attribute using the nl80211_peer_measurement_ftm_type_capa enum with two sub-flags: NL80211_PMSR_FTM_TYPE_CAPA_ATTR_INFRA_SUPPORT for STA-to-AP or AP-to-STA ranging, and NL80211_PMSR_FTM_TYPE_CAPA_ATTR_PD_SUPPORT for peer-to-peer ranging. Add CONCURRENT_ISTA_RSTA_SUPPORT as a FTM capability flag indicating the device can simultaneously act as initiator and responder in a multi-peer measurement request. Extend FTM capabilities with antenna configuration fields (max_no_of_tx_antennas, max_no_of_rx_antennas) for the PR Element during PASN negotiation, and ranging interval limits (min_allowed_ranging_interval_edca, min_allowed_ranging_interval_ntb) to advertise device timing constraints for EDCA and NTB-based ranging. Update the FTM request validation path in pmsr.c to check RSTA requests against the per-mode rsta capabilities (NTB, TB, EDCA), rejecting requests for modes the device does not support. Co-developed-by: Kavita Kavita <kavita.kavita@oss.qualcomm.com> Signed-off-by: Kavita Kavita <kavita.kavita@oss.qualcomm.com> Signed-off-by: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com> Link: https://patch.msgid.link/20260420090856.2152905-6-peddolla.reddy@oss.qualcomm.com Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-05-05wifi: cfg80211: add start/stop proximity detection commandsPeddolla Harshavardhan Reddy
Currently, the proximity detection (PD) interface type has no start/stop commands defined, preventing user space from controlling PD operations through the nl80211 interface. Add NL80211_CMD_START_PD and NL80211_CMD_STOP_PD commands to allow user space to start and stop a PD interface. Add the corresponding start_pd and stop_pd operations to cfg80211_ops and ieee80211_ops, along with nl80211 command handlers, rdev wrappers, and tracing support. Validate that drivers advertising PD interface support implement the required operations. Handle PD interface teardown during device unregistration and when the interface leaves the network. Signed-off-by: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com> Link: https://patch.msgid.link/20260420090856.2152905-5-peddolla.reddy@oss.qualcomm.com Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-05-05wifi: cfg80211: Add MAC address filter to remain_on_channelPeddolla Harshavardhan Reddy
Currently the remain_on_channel operation does not support filtering incoming frames by destination MAC address. This prevents use cases such as PASN authentication in the responder side that need to receive frames addressed to a specific MAC during the off-channel period. Add an rx_addr parameter to the remain_on_channel operation callback and propagate it through the call chain from nl80211 to driver implementations. Introduce the extended feature NL80211_EXT_FEATURE_ROC_ADDR_FILTER as a capability gate so that cfg80211 rejects the request if the driver does not advertise support for address filtering. Extract the address from the NL80211_ATTR_MAC attribute when provided in the netlink message and update the tracing infrastructure to include the address in remain_on_channel trace events. The rx_addr parameter is optional and can be NULL, maintaining backward compatibility with existing drivers. Signed-off-by: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com> Link: https://patch.msgid.link/20260420090856.2152905-3-peddolla.reddy@oss.qualcomm.com Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-05-05wifi: mac80211: add NAN channel evacuation supportMiri Korenblit
A NAN channel can be evacuated, i.e. detached from its chanctx, if all chanctxs are used by NAN and a chanctx is needed for something else. For example if the STA interface needs to perform a channel switch. Implement the evacuation: detach the NAN channel from its chanctx, remove all the peer NAN channels that were using this chanctx, and update the driver. Internally, the NAN channel evacuation will be triggered in the scenario described above, and API is provided for the driver to also trigger it. The driver/device is assumed to publish a ULW to notify the peers about the fact that we won't be present on this NAN channel anymore. Also export this as an API for the drivers: if a driver has other resources per channel, it might want to trigger channel evacuation in order to free up such internal resources for other usages. Reviewed-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com> Link: https://patch.msgid.link/20260504101829.1e1dc40d2f3e.I003fe84dc6373bb9ad55abd7824b9fc21c51203f@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-05-05wifi: mac80211: track the id of the NAN cluster we joinedMiri Korenblit
Currently, we store in nan.conf the cluster id that was configured from upper layer to be used when the device opens a cluster. But after we joined a cluster, the configured cluster id is no longer relevant. Particularly, in reconfig we will give the driver the (possibly) wrong cluster id. Add an API to be called by the driver when joined a cluster in which the cluster id will be updated. Use the locally stored cluster id instead of cfg80211's copy. Ignore cluster id updates from cfg80211 if we already have one configured. Adjust the drivers that use the cfg80211 API (cfg80211_nan_cluster_joined) directly, otherwise we break functionality (i.e. accept frame check won't evaluate to true). Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com> Link: https://patch.msgid.link/20260504101829.5dada1b756a4.I0f1060215267fd8aef31afd99f8f42e6fde7f234@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-05-05wifi: cfg80211: indicate (Re)Association frame encryption to userspaceKavita Kavita
In SME-in-driver mode, the driver handles the entire (re)association exchange. Userspace (e.g., wpa_supplicant) currently has no explicit indication of whether the (re)association exchange was encrypted, making it difficult to distinguish EPP (Enhanced Privacy Protection, IEEE 802.11bi) associations from non-EPP associations. When (Re)Association frame encryption is used, the (Re)Association Response frame must contain a Key Delivery element as specified in IEEE P802.11bi/D4.0, Table 9-65. Userspace must process this element only when the (Re)Association Response frame is actually encrypted. Processing it unconditionally for unencrypted frames leads to incorrect behavior. Without an explicit indication from the driver, userspace cannot determine whether encryption was used and whether the Key Delivery element is valid. Add a new flag attribute NL80211_ATTR_ASSOC_ENCRYPTED and a corresponding field "assoc_encrypted" in cfg80211_connect_resp_params to indicate that both the (Re)Association Request and Response frames are transmitted encrypted over the air. For mac80211-based drivers, extend cfg80211_rx_assoc_resp_data with the assoc_encrypted field as well, which is then propagated to cfg80211_connect_resp_params. Pass the flag to userspace via NL80211_CMD_CONNECT event. Signed-off-by: Kavita Kavita <kavita.kavita@oss.qualcomm.com> Link: https://patch.msgid.link/20260504123624.529218-2-kavita.kavita@oss.qualcomm.com Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-05-05wifi: cfg80211: fix max_channel_switch_time documentation unitIsrael Kozitz
The max_channel_switch_time field in struct wiphy_nan_capa was documented as being in milliseconds, but it is actually in microseconds as defined in the Wi-Fi Aware specification and as indicated in the nl80211 NL80211_NAN_CAPA_MAX_CHANNEL_SWITCH_TIME attribute. Fix the documentation to say microseconds. Signed-off-by: Israel Kozitz <israel.kozitz@intel.com> Reviewed-by: Ilan Peer <ilan.peer@intel.com> Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com> Link: https://patch.msgid.link/20260504121734.d0a0152f7d8c.I47e5c91f7ead4f8006fb13f9194d95a55cf9c398@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-05-04ipmr: Add __rcu to netns_ipv4.mrt.Kuniyuki Iwashima
kernel test robot reported this Sparse warning: $ make C=1 net/ipv4/ipmr.o net/ipv4/ipmr.c:312:24: error: incompatible types in comparison expression (different address spaces): net/ipv4/ipmr.c:312:24: struct mr_table [noderef] __rcu * net/ipv4/ipmr.c:312:24: struct mr_table * Let's add __rcu annotation to netns_ipv4.mrt. Fixes: b3b6babf4751 ("ipmr: Free mr_table after RCU grace period.") Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202605030032.glNApko7-lkp@intel.com/ Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20260502180755.359554-1-kuniyu@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-04ipv6: mld: encode multicast exponential fieldsUjjal Roy
In MLD, MRC and QQIC fields are not correctly encoded when generating query packets. Since the receiver of the query interprets these fields using the MLDv2 floating-point decoding logic, any value that exceeds the linear threshold is incorrectly parsed as an exponential value, leading to an incorrect interval calculation. Encode and assign the corresponding protocol fields during query generation. Introduce the logic to dynamically calculate the exponent and mantissa using bit-scan (fls). This ensures MRC (16-bit) and QQIC (8-bit) fields are properly encoded when transmitting query packets with intervals that exceed their respective linear thresholds (32768 for MRD; 128 for QQI). RFC3810: If Maximum Response Code >= 32768, the Maximum Response Code field represents a floating-point value as follows: 0 1 2 3 4 5 6 7 8 9 A B C D E F +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| exp | mant | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ RFC3810: If QQIC >= 128, the QQIC field represents a floating-point value as follows: 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ |1| exp | mant | +-+-+-+-+-+-+-+-+ Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org> Reviewed-by: Ido Schimmel <idosch@nvidia.com> Signed-off-by: Ujjal Roy <royujjal@gmail.com> Link: https://patch.msgid.link/20260502131907.987-5-royujjal@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-04ipv6: mld: rename mldv2_mrc() and add mldv2_qqi()Ujjal Roy
Rename mldv2_mrc() to mldv2_mrd() as it is used to calculate the Maximum Response Delay from the Maximum Response Code. Introduce a new API mldv2_qqi() to define the existing calculation logic of QQI from QQIC. This also organizes the existing mld_update_qi() API. Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org> Reviewed-by: Ido Schimmel <idosch@nvidia.com> Signed-off-by: Ujjal Roy <royujjal@gmail.com> Link: https://patch.msgid.link/20260502131907.987-3-royujjal@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-04net/sched: add qstats_cpu_drop_inc() helperEric Dumazet
1) Using this_cpu_inc() is better than going through this_cpu_ptr(): - Single instruction on x86. - Store tearing prevention. 2) Change tcf_action_update_stats() to use this_cpu_add(). 3) Add WRITE_ONCE() to __qdisc_qstats_drop() and qstats_drop_inc() in preparation for lockless "tc qdisc show". $ scripts/bloat-o-meter -t vmlinux.old vmlinux.new add/remove: 0/0 grow/shrink: 3/17 up/down: 72/-216 (-144) Function old new delta dualpi2_enqueue_skb 462 511 +49 tcf_ife_act 1061 1077 +16 taprio_enqueue 613 620 +7 codel_qdisc_enqueue 149 143 -6 tcf_vlan_act 684 676 -8 tcf_skbedit_act 626 618 -8 tcf_police_act 725 717 -8 tcf_mpls_act 1297 1289 -8 tcf_gate_act 310 302 -8 tcf_gact_act 222 214 -8 tcf_csum_act 2438 2430 -8 tcf_bpf_act 709 701 -8 tcf_action_update_stats 124 115 -9 pie_qdisc_enqueue 865 856 -9 pfifo_enqueue 116 107 -9 choke_enqueue 2069 2059 -10 plug_enqueue 139 128 -11 bfifo_enqueue 121 110 -11 tcf_nat_act 1501 1489 -12 gred_enqueue 1743 1668 -75 Total: Before=24388609, After=24388465, chg -0.00% Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com> Link: https://patch.msgid.link/20260501135916.2566766-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-05ipvs: Guard access of HK_TYPE_KTHREAD cpumask with RCUWaiman Long
The ip_vs_ctl.c file and the associated ip_vs.h file are the only places in the kernel where HK_TYPE_KTHREAD cpumask is being retrieved and used. Now that HK_TYPE_KTHREAD/HK_TYPE_DOMAIN cpumask can be changed at run time. We need to use RCU to guard access to this cpumask to avoid a potential UAF problem as the returned cpumask may be freed before it is being used. We can replace HK_TYPE_KTHREAD by HK_TYPE_DOMAIN as they are aliases of each other, but keeping the HK_TYPE_KTHREAD name can highlight the fact that it is the kthread initiated by ipvs that is being controlled. Fixes: 03ff73510169 ("cpuset: Update HK_TYPE_DOMAIN cpumask from cpuset") Signed-off-by: Waiman Long <longman@redhat.com> Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-05-05ipvs: fix races around est_mutex and est_cpulistJulian Anastasov
Sashiko reports for races and possible crash around the usage of est_cpulist_valid and sysctl_est_cpulist. The problem is that we do not lock est_mutex in some places which can lead to wrong write ordering and as result problems when calling cpumask_weight() and cpumask_empty(). Fix them by moving the est_max_threads read/write under locked est_mutex. Do the same for one ip_vs_est_reload_start() call to protect the cpumask_empty() usage of sysctl_est_cpulist. To remove the chance of deadlock while stopping the estimation kthreads, keep the data structure for kthread 0 even after last estimator is removed and do not hold mutexes while stopping this task. Now we will use a new flag 'needed' to know when kthread 0 should run. The kthreads above 0 do not use mutexes, so stop them under est_mutex because their kthread data still can be destroyed if they do not serve estimators. Now all kthreads will be started by the est_reload_work to properly serialize the stop/start for kthread 0. Reduce the use of service_mutex in ip_vs_est_calc_phase() because under est_mutex we can safely walk est_kt_arr to stop the kthreads above slot 0. As ip_vs_stop_estimator() for tot_stats should be called under service_mutex, do it early in the netns exit path in ip_vs_flush() to avoid locking the mutex again later. It still should be called in ip_vs_control_net_cleanup_sysctl() when we are called during netns init error. Use -2 for ktid as indicator if estimator was already stopped. Finally, fix use-after-free for kd->est_row in ip_vs_est_calc_phase(). est->ktrow should simply switch to a delay value while estimator is linked to est_temp_list. Link: https://sashiko.dev/#/patchset/20260331165015.2777765-1-longman%40redhat.com Link: https://sashiko.dev/#/patchset/20260420171308.87192-1-ja%40ssi.bg Link: https://sashiko.dev/#/patchset/20260422125123.40658-1-ja%40ssi.bg Link: https://sashiko.dev/#/patchset/20260424175858.54752-1-ja%40ssi.bg Link: https://sashiko.dev/#/patchset/20260425103918.7447-1-ja%40ssi.bg Fixes: f0be83d54217 ("ipvs: add est_cpulist and est_nice sysctl vars") Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-05-02net: dsa: pass extack to dsa_switch_ops :: port_policer_add()David Yang
Drivers might have error messages to propagate to user space. Propagate the netlink extack so that they can inform user space in a verbal way of their limitations. Make the according transformations to the two users (sja1105 and felix). Signed-off-by: David Yang <mmyangfl@gmail.com> Reviewed-by: Andrew Lunn <andrew@lunn.ch> Link: https://patch.msgid.link/20260430114529.3536911-2-mmyangfl@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-01ne2k: fold drivers/net/Space.c into ne.cArnd Bergmann
drivers/net/Space.c is the last remnant of the linux-2.4.x driver model that required each subsystem and device driver init function to be called from init/main.c explicitly, before the introduction of initcall levels. In linux-7.0, this was only used for a handful of ISA network drivers, with the ne2000 driver being the last one. Fold the code into ne.c directly, with minimal changes to preserve the existing command line parsing. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Geert Uytterhoeven <geert@linux-m68k.org> # m68k Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260429145624.2948432-2-arnd@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-01net: cs89x0: remove ISA bus probingArnd Bergmann
The cs89x0 driver is really two in one, and they are mutually exclusive: - the ISA driver was used on 486-era PCs. It likely has no remaining users, like the other ethernet drivers that got removed in linux-7.1. The DMA support in here is the last device driver use of the deprecated isa_bus_to_virt() interface, all other users are either x86 specific or or got converted to the normal dma-mapping interface. The driver was maintained by Andrew Morton at the time, based on the linux-2.2 vendor driver from Cirrus Logic. - the platform_driver instance was used on some embedded Arm boards around the same time, such as the EP7211 Development Kit. This is the same chip, but uses modern devicetree based probing and no DMA. This was added by Alexander Shiyan. Remove the ISA driver as a cleanup, including all of the outdated documentation referring to its configuration. Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Arnd Bergmann <arnd@arndb.de> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260429145624.2948432-1-arnd@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-01Merge tag 'nf-26-05-01' of ↵Jakub Kicinski
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following batch contains Netfilter fixes for net: 1) Replace skb_try_make_writable() by skb_ensure_writable() in nft_fwd_netdev and the flowtable to deal with uncloned packets having their network header in paged fragments. 2) Drop packet if output device does not exist and ensure sufficient headroom in nft_fwd_netdev before transmitting the skb. 3) Use the existing dup recursion counter in nft_fwd_netdev for the neigh_xmit variant, from Weiming Shi. 4) Add .check_hooks interface to x_tables to detach the control plane hook check based on the match/target configuration. Then, update nft_compat to use .check_hooks from .validate path, this fixes a lack of hook validation for several match/targets. 5) Fix incorrect .usersize in xt_CT, from Florian Westphal. 6) Fix a memleak with netdev tables in dormant state, from Florian Westphal. 7) Several patches to check if the packet is a fragment, then skip layer 4 inspection, for x_tables and nf_tables; as well as common nf_socket infrastructure. The xt_hashlimit match drops fragments to stay consistent with the existing approach when failing to parse the layer 4 protocol header. 8) Ensure sufficient headroom in the flowtable before transmitting the skb. 9) Fix the flowtable inline vlan approach for double-tagged vlan: Reverse the iteration over .encap[] since it represents the encapsulation as seen from the ingress path. Postpone pushing layer 2 header so output device is available to calculate needed headroom. Finally, add and use nf_flow_vlan_push() to fix it. 10) Fix flowtable inline pppoe with GSO packets. Moreover, use FLOW_OFFLOAD_XMIT_DIRECT to fill up destination hardware address since neighbour cache does not exist in pppoe. 11) Use skb_pull_rcsum() to decapsulate vlan and pppoe headers, for double-tagged vlan in particular this should provide some benefits in certain scenarios. More notes regarding 9-11): - sashiko is also signalling to use it for IPIP headers, but that needs more adjustments such setting skb->protocol after removing the IPIP header, will follow up in a separated patch. - I plan to submit selftests to cover double-tagged-vlan. As for pppoe, it should be possible but that would mandate a few userspace dependencies. This has been semi-automatically tested by me and reporters describing broken double-vlan-tagged and pppoe currently in the flowtable. * tag 'nf-26-05-01' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: flowtable: use skb_pull_rcsum() to pop vlan/pppoe header netfilter: flowtable: fix inline pppoe encapsulation in xmit path netfilter: flowtable: fix inline vlan encapsulation in xmit path netfilter: flowtable: ensure sufficient headroom in xmit path netfilter: xtables: fix L4 header parsing for non-first fragments netfilter: nf_tables: skip L4 header parsing for non-first fragments netfilter: nf_socket: skip socket lookup for non-first fragments netfilter: nf_tables: fix netdev hook allocation memleak with dormant tables netfilter: xt_CT: fix usersize for v1 and v2 revision netfilter: nft_compat: run xt_check_hooks_{match,target}() from .validate netfilter: x_tables: add .check_hooks to matches and targets netfilter: nft_fwd_netdev: use recursion counter in neigh egress path netfilter: nft_fwd_netdev: add device and headroom validate with neigh forwarding netfilter: replace skb_try_make_writable() by skb_ensure_writable() ==================== Link: https://patch.msgid.link/20260501122237.296262-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-30ipv6: Implement limits on extension header parsingDaniel Borkmann
ipv6_{skip_exthdr,find_hdr}() and ip6_{tnl_parse_tlv_enc_lim, protocol_deliver_rcu}() iterate over IPv6 extension headers until they find a non-extension-header protocol or run out of packet data. The loops have no iteration counter, relying solely on the packet length to bound them. For a crafted packet with 8-byte extension headers filling a 64KB jumbogram, this means a worst case of up to ~8k iterations with a skb_header_pointer call each. ipv6_skip_exthdr(), for example, is used where it parses the inner quoted packet inside an incoming ICMPv6 error: - icmpv6_rcv - checksum validation - case ICMPV6_DEST_UNREACH - icmpv6_notify - pskb_may_pull() <- pull inner IPv6 header - ipv6_skip_exthdr() <- iterates here - pskb_may_pull() - ipprot->err_handler() <- sk lookup The per-iteration cost of ipv6_skip_exthdr itself is generally light, but skb_header_pointer becomes more costly on reassembled packets: the first ~1232 bytes of the inner packet are in the skb's linear area, but the remaining ~63KB are in the frag_list where skb_copy_bits is needed to read data. Initially, the idea was to add a configurable limit via a new sysctl knob with default 8, in line with knobs from commit 47d3d7ac656a ("ipv6: Implement limits on Hop-by-Hop and Destination options"), but two reasons eventually argued against it: - It adds to UAPI that needs to be maintained forever, and upcoming work is restricting extension header ordering anyway, leaving little reason for another sysctl knob - exthdrs_core.c is always built-in even when CONFIG_IPV6=n, where struct net has no .ipv6 member, so the read site would need an ifdef'd fallback to a constant anyway Therefore, just use a constant (IP6_MAX_EXT_HDRS_CNT). All four extension header walking functions are now bound by this limit. Note that the check in ip6_protocol_deliver_rcu() happens right before the goto resubmit, such that we don't have to have a test for ipv6_ext_hdr() in the fast-path. There's an ongoing IETF draft-iurman-6man-eh-occurrences to enforce IPv6 extension headers ordering and occurrence. The latter also discusses security implications. As per RFC8200 section 4.1, the occurrence rules for extension headers provide a practical upper bound which is 8. In order to be conservative, let's define IP6_MAX_EXT_HDRS_CNT as 12 to leave enough room for quirky setups. In the unlikely event that this is still not enough, then we might need to reconsider a sysctl. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Ido Schimmel <idosch@nvidia.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Justin Iurman <justin.iurman@gmail.com> Link: https://patch.msgid.link/20260429154648.809751-1-daniel@iogearbox.net Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-30Merge tag 'wireless-next-2026-04-30' of ↵Jakub Kicinski
https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next Johannes Berg says: ==================== Some new content already, notably: - mac80211: major rework of station bandwidth handling, fixing issues with lower capability than AP - general: cleanups for EMLSR spec issues (drafts differed) - ath9k: GPIO interface improvements - ath12k: replace dynamic memory allocation in WMI RX path * tag 'wireless-next-2026-04-30' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next: (39 commits) wifi: brcmsmac: phy_lcn: Remove dead code in wlc_lcnphy_radio_2064_channel_tune_4313() wifi: mac80211: always allow transmitting null-data on TXQs wifi: mac80211: use kstrtobool_from_user() in debugfs callbacks wifi: cfg80211: validate cipher suite for NAN Data keys wifi: nl80211: check link is beaconing for color change wifi: mac80211: clarify an 802.11 VHT spec reference wifi: mac80211: fix per-station PHY capability bandwidth wifi: mac80211: clarify per-STA bandwidth handling wifi: nl80211: always validate AP operation/PHY regulatory wifi: cfg80211: provide HT/VHT operation for AP beacon wifi: nl80211: reject too short HT/VHT/HE/EHT capability/operation wifi: cfg80211: move AP HT/VHT/... operation to beacon info wifi: nl80211: reject beacons with bad HE operation wifi: cfg80211: remove HE/SAE H2E required fields wifi: mac80211: remove ieee80211_sta_cur_vht_bw() wifi: mac80211: clean up ieee80211_sta_cap_rx_bw() wifi: mac80211: clean up initial STA NSS/bandwidth handling wifi: mac80211: clean up STA NSS handling wifi: mac80211: simplify ieee80211_sta_rx_bw_to_chan_width() wifi: nl80211: document channel opmode change channel width ... ==================== Link: https://patch.msgid.link/20260430120304.249081-3-johannes@sipsolutions.net Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-01netfilter: flowtable: fix inline pppoe encapsulation in xmit pathPablo Neira Ayuso
Address two issues in the inline pppoe encapsulation: - Add needs_gso_segment flag to segment PPPoE packets in software given that there is no GSO support for this. - Use FLOW_OFFLOAD_XMIT_DIRECT since neighbour cache is not available in point-to-point device, use the hardware address that is obtained via flowtable path discovery (ie. fill_forward_path). Fixes: 18d27bed0880 ("netfilter: flowtable: inline pppoe encapsulation in xmit path") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-04-30Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/netJakub Kicinski
Cross-merge networking fixes after downstream PR (net-7.1-rc2). No conflicts, or adjacent changes. Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-30net/tcp: Remove tcp_sigpoolEric Biggers
tcp_sigpool is no longer used. It existed only as a workaround for issues in the design of the crypto_ahash API, which have been avoided by switching to the much easier-to-use library APIs instead. Remove it. Reviewed-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Eric Biggers <ebiggers@kernel.org> Link: https://patch.msgid.link/20260427172727.9310-6-ebiggers@kernel.org Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-04-30net/tcp-ao: Return void from functions that can no longer failEric Biggers
Since tcp-ao now uses the crypto library API instead of crypto_ahash, and MACs and keys now have a statically-known maximum size, many tcp-ao functions can no longer fail. Propagate this change up into the return types of various functions. Reviewed-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Eric Biggers <ebiggers@kernel.org> Link: https://patch.msgid.link/20260427172727.9310-5-ebiggers@kernel.org Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-04-30net/tcp-ao: Use crypto library API instead of crypto_ahashEric Biggers
Currently the kernel's TCP-AO implementation does the MAC and KDF computations using the crypto_ahash API. This API is inefficient and difficult to use, and it has required extensive workarounds in the form of per-CPU preallocated objects (tcp_sigpool) to work at all. Let's use lib/crypto/ instead. This means switching to straightforward stack-allocated structures, virtually addressed buffers, and direct function calls. It also means removing quite a bit of error handling. This makes TCP-AO quite a bit faster. This also enables many additional cleanups, which later commits will handle: removing tcp-sigpool, removing support for crypto_tfm cloning, removing more error handling, and replacing more dynamically-allocated buffers with stack buffers based on the now-statically-known limits. Reviewed-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Eric Biggers <ebiggers@kernel.org> Link: https://patch.msgid.link/20260427172727.9310-3-ebiggers@kernel.org Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-04-29tcp: add tcp_mstamp_refresh_inline()Eric Dumazet
We want to inline tcp_mstamp_refresh() in fast path only: - tcp_rcv_established() - tcp_write_xmit() Add tcp_mstamp_refresh_inline() for this purpose. Add noinline qualifier on tcp_mstamp_refresh() for the other paths, to reduce bloat. $ scripts/bloat-o-meter -t vmlinux.old vmlinux.new add/remove: 0/0 grow/shrink: 1/4 up/down: 26/-123 (-97) Function old new delta tcp_rcv_established 2238 2264 +26 tcp_connect 4027 4003 -24 tcp_tsq_write 152 120 -32 tcp_send_active_reset 476 444 -32 tcp_send_window_probe 235 200 -35 Total: Before=25316710, After=25316613, chg -0.00% Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Neal Cardwell <ncardwell@google.com> Link: https://patch.msgid.link/20260429010809.784315-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-29bonding: 3ad: implement proper RCU rules for port->aggregatorEric Dumazet
syzbot found a data-race in bond_3ad_get_active_agg_info / bond_3ad_state_machine_handler [1] which hints at lack of proper RCU implementation. Add __rcu qualifier to port->aggregator, and add proper RCU API. [1] BUG: KCSAN: data-race in bond_3ad_get_active_agg_info / bond_3ad_state_machine_handler write to 0xffff88813cf5c4b0 of 8 bytes by task 36 on cpu 0: ad_port_selection_logic drivers/net/bonding/bond_3ad.c:1659 [inline] bond_3ad_state_machine_handler+0x9d5/0x2d60 drivers/net/bonding/bond_3ad.c:2569 process_one_work kernel/workqueue.c:3302 [inline] process_scheduled_works+0x4f0/0x9c0 kernel/workqueue.c:3385 worker_thread+0x58a/0x780 kernel/workqueue.c:3466 kthread+0x22a/0x280 kernel/kthread.c:436 ret_from_fork+0x146/0x330 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 read to 0xffff88813cf5c4b0 of 8 bytes by task 22063 on cpu 1: __bond_3ad_get_active_agg_info drivers/net/bonding/bond_3ad.c:2858 [inline] bond_3ad_get_active_agg_info+0x8c/0x230 drivers/net/bonding/bond_3ad.c:2881 bond_fill_info+0xe0f/0x10f0 drivers/net/bonding/bond_netlink.c:853 rtnl_link_info_fill net/core/rtnetlink.c:906 [inline] rtnl_link_fill+0x1d7/0x4e0 net/core/rtnetlink.c:927 rtnl_fill_ifinfo+0xf8e/0x1380 net/core/rtnetlink.c:2168 rtmsg_ifinfo_build_skb+0x11c/0x1b0 net/core/rtnetlink.c:4453 rtmsg_ifinfo_event net/core/rtnetlink.c:4486 [inline] rtmsg_ifinfo+0x6d/0x110 net/core/rtnetlink.c:4495 __dev_notify_flags+0x76/0x390 net/core/dev.c:9790 netif_change_flags+0xac/0xd0 net/core/dev.c:9823 do_setlink+0x905/0x2950 net/core/rtnetlink.c:3180 rtnl_group_changelink net/core/rtnetlink.c:3813 [inline] __rtnl_newlink net/core/rtnetlink.c:3981 [inline] rtnl_newlink+0xf55/0x1400 net/core/rtnetlink.c:4109 rtnetlink_rcv_msg+0x64b/0x720 net/core/rtnetlink.c:6995 netlink_rcv_skb+0x123/0x220 net/netlink/af_netlink.c:2550 rtnetlink_rcv+0x1c/0x30 net/core/rtnetlink.c:7022 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x5a8/0x680 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x5c8/0x6f0 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:787 [inline] __sock_sendmsg net/socket.c:802 [inline] ____sys_sendmsg+0x563/0x5b0 net/socket.c:2698 ___sys_sendmsg+0x195/0x1e0 net/socket.c:2752 __sys_sendmsg net/socket.c:2784 [inline] __do_sys_sendmsg net/socket.c:2789 [inline] __se_sys_sendmsg net/socket.c:2787 [inline] __x64_sys_sendmsg+0xd4/0x160 net/socket.c:2787 x64_sys_call+0x194c/0x3020 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f value changed: 0x0000000000000000 -> 0xffff88813cf5c400 Reported by Kernel Concurrency Sanitizer on: CPU: 1 UID: 0 PID: 22063 Comm: syz.0.31122 Tainted: G W syzkaller #0 PREEMPT(full) Tainted: [W]=WARN Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026 Fixes: 47e91f56008b ("bonding: use RCU protection for 3ad xmit path") Reported-by: syzbot+9bb2ff2a4ab9e17307e1@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/69f0a82f.050a0220.3aadc4.0000.GAE@google.com/ Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Jay Vosburgh <jv@jvosburgh.net> Cc: Andrew Lunn <andrew+netdev@lunn.ch> Link: https://patch.msgid.link/20260428123207.3809211-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-29net/sched: rename qstats_overlimit_inc() to qstats_cpu_overlimit_inc()Eric Dumazet
qstats_overlimit_inc() is only used to increment per cpu overlimits. It can use this_cpu_inc() to avoid this_cpu_ptr() extra cost and avoid potential store tearing. Change qstats_overlimit_inc() name and its argument type. Also add a WRITE_ONCE() in qdisc_qstats_overlimit() to prevent store tearing. $ scripts/bloat-o-meter -t vmlinux.0 vmlinux.1 add/remove: 0/0 grow/shrink: 0/7 up/down: 0/-91 (-91) Function old new delta tcf_skbmod_act 772 764 -8 tcf_police_act 733 725 -8 tcf_gate_act 318 310 -8 tcf_pedit_act 1295 1284 -11 tcf_mirred_to_dev 1126 1114 -12 tcf_ife_act 1077 1061 -16 tcf_mirred_act 1324 1296 -28 Total: Before=24274627, After=24274536, chg -0.00% Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com> Link: https://patch.msgid.link/20260428070919.3109557-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-29net: add net_iov_init() and use it to initialize ->page_typeJakub Kicinski
Commit db359fccf212 ("mm: introduce a new page type for page pool in page type") added a page_type field to struct net_iov at the same offset as struct page::page_type, so that page_pool_set_pp_info() can call __SetPageNetpp() uniformly on both pages and net_iovs. The page-type API requires the field to hold the UINT_MAX "no type" sentinel before a type can be set; for real struct page that invariant is established by the page allocator on free. struct net_iov is not allocated through the page allocator, so the field is left as zero (io_uring zcrx, which uses __GFP_ZERO) or as slab garbage (devmem, which uses kvmalloc_objs() without zeroing). When the page pool then calls page_pool_set_pp_info() on a freshly-bound niov, __SetPageNetpp()'s VM_BUG_ON_PAGE(page->page_type != UINT_MAX) fires and the kernel BUGs. Triggered in selftests by io_uring zcrx setup through the fbnic queue restart path: kernel BUG at ./include/linux/page-flags.h:1062! RIP: 0010:page_pool_set_pp_info (./include/linux/page-flags.h:1062 net/core/page_pool.c:716) Call Trace: <TASK> net_mp_niov_set_page_pool (net/core/page_pool.c:1360) io_pp_zc_alloc_netmems (io_uring/zcrx.c:1089 io_uring/zcrx.c:1110) fbnic_fill_bdq (./include/net/page_pool/helpers.h:160 drivers/net/ethernet/meta/fbnic/fbnic_txrx.c:906) __fbnic_nv_restart (drivers/net/ethernet/meta/fbnic/fbnic_txrx.c:2470 drivers/net/ethernet/meta/fbnic/fbnic_txrx.c:2874) fbnic_queue_start (drivers/net/ethernet/meta/fbnic/fbnic_txrx.c:2903) netdev_rx_queue_reconfig (net/core/netdev_rx_queue.c:137) __netif_mp_open_rxq (net/core/netdev_rx_queue.c:234) io_register_zcrx (io_uring/zcrx.c:818 io_uring/zcrx.c:903) __io_uring_register (io_uring/register.c:931) __do_sys_io_uring_register (io_uring/register.c:1029) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) </TASK> The same path is reachable through devmem dmabuf binding via netdev_nl_bind_rx_doit() -> net_devmem_bind_dmabuf_to_queue(). Add a net_iov_init() helper that stamps ->owner, ->type and the ->page_type sentinel, and use it from both the devmem and io_uring zcrx niov init loops. Fixes: db359fccf212 ("mm: introduce a new page type for page pool in page type") Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org> Acked-by: Byungchul Park <byungchul@sk.com> Reviewed-by: Jens Axboe <axboe@kernel.dk> Acked-by: Pavel Begunkov <asml.silence@gmail.com> Link: https://patch.msgid.link/20260428025320.853452-1-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-30netfilter: nft_fwd_netdev: use recursion counter in neigh egress pathWeiming Shi
nft_fwd_neigh can be used in egress chains (NF_NETDEV_EGRESS). When the forwarding rule targets the same device or two devices forward to each other, neigh_xmit() triggers dev_queue_xmit() which re-enters nf_hook_egress(), causing infinite recursion and stack overflow. Move the nf_get_nf_dup_skb_recursion() accessor and NF_RECURSION_LIMIT to the shared header nf_dup_netdev.h as a static inline, so that nft_fwd_netdev can use the recursion counter directly without exported function call overhead. Guard neigh_xmit() with the same recursion limit already used in nf_do_netdev_egress(). [ Updated to cache the nf_get_nf_dup_skb_recursion pointer. --pablo ] Fixes: f87b9464d152 ("netfilter: nft_fwd_netdev: Support egress hook") Reported-by: Xiang Mei <xmei5@asu.edu> Signed-off-by: Weiming Shi <bestswngs@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-04-28Merge tag 'nf-26-04-28' of ↵Jakub Kicinski
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) IEEE1394 ARP payload contains no target hardware address in the ARP packet. Apparently, arp_tables was never updated to deal with IEEE1394 ARP properly. To deal with this, return no match in case the target hardware address selector is used, either for inverse or normal match. Moreover, arpt_mangle disallows mangling of the target hardware and IP address because, it is not worth to adjust the offset calculation to fix this, we suspect no users of arp_tables for this family. 2) Use list_del_rcu() to delete device hooks in nf_tables, this hook list is RCU protected, concurrent netlink dump readers can be walking on this list, fix it by adding a helper function and use it for consistency. From Florian Westphal. 3) Add list_splice_rcu(), this is useful for joining the local list of new device hooks to the RCU protected hook list in chain and flowtable. Reviewed by Paul E. McKenney. 4) Use list_splice_rcu() to publish the new device hooks in chain and flowtable to fix concurrent netlink dump traversal. 5) Add a new hook transaction object to track device hook deletions. The current approach moves device hooks to be deleted around during the preparation phase, this breaks concurrent RCU reader via netlink dump. This new hook transaction is combined with NFT_HOOK_REMOVE flag to annotate hooks for removal in the preparation phase. 6) xt_policy inbound policy check in strict mode can lead to out-of-bound access of the secpath array due to incorrect. The iteration over the secpath needs to be reversed in the inbound to check for the human readable policy, expecting inner in first position and outer in second position, the secpath from inbound actually stores outer in first position then in second position. From Jiexun Wang. 7) Fix possible zero shift in nft_bitwise triggering UBSAN splat, reject zero shift from control plane, from Kai Ma. 8) Replace simple_strtoul() in the conntrack SIP helper since it relies on nul-terminated strings. From Florian Westphal. * tag 'nf-26-04-28' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nf_conntrack_sip: don't use simple_strtoul netfilter: reject zero shift in nft_bitwise netfilter: xt_policy: fix strict mode inbound policy matching netfilter: nf_tables: add hook transactions for device deletions netfilter: nf_tables: join hook list via splice_list_rcu() in commit phase rculist: add list_splice_rcu() for private lists netfilter: nf_tables: use list_del_rcu for netlink hooks netfilter: arp_tables: fix IEEE1394 ARP payload parsing ==================== Link: https://patch.msgid.link/20260428095840.51961-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-28wifi: cfg80211: provide HT/VHT operation for AP beaconJohannes Berg
In addition to providing HE/EHT/UHR operation, also check and provide HT/VHT operation, so that drivers have it and can use it, e.g. to correctly calculate station bandwidth. Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com> Link: https://patch.msgid.link/20260415144514.32ad98454543.Ia9692671b699164edcc0bdaf4fdbdbefc50b18f8@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-04-28wifi: cfg80211: move AP HT/VHT/... operation to beacon infoJohannes Berg
The HT/VHT/HE/EHT/UHR operation can change, and might thus be updated on each beacon update. Move them to the beacon struct and parse them out of the beacon also on updates, not just on starting the AP. This also fixes checks in two ways: - Regulatory checks in nl80211_validate_ap_phy_operation() are now done also on updates, disallowing enabling HE/EHT/UHR on channels that don't allow that after start. This checks only operation now, but clients can't use it without operation. - NL80211_ATTR_UHR_OPERATION is now required whenever UHR is present in the beacon, and rejected otherwise. Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com> Link: https://patch.msgid.link/20260415144514.f70758a46904.I0d21120b41eed661eefc61d5417dadaae7145845@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-04-28wifi: cfg80211: remove HE/SAE H2E required fieldsJohannes Berg
These are not used by any drivers, even the HT/VHT ones are only used by the qtnfmac driver. Remove the fields. Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com> Link: https://patch.msgid.link/20260415144514.a4a3ebb0f95a.Ifadd953e13133e7a45ee3318fb04b2ff9dde62e4@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-04-28wifi: mac80211: add __packed to union members of struct ieee80211_rx_statusPing-Ke Shih
The arm-linux-gnueabi-gcc compiler, align the field followed by union members, causing size of struct ieee80211_rx_status over skb->cb (48 bytes). By investigation, the union member starts at offset 32, and the offset of next field rate_idx is 36 instead of expected 33, and the total size is (unexpected) 52. When compiling rtw88 driver, it throws: In file included from /work/linux-src/linux-stable/include/linux/string.h:386, from /work/linux-src/linux-stable/include/linux/bitmap.h:13, from /work/linux-src/linux-stable/include/linux/cpumask.h:11, from /work/linux-src/linux-stable/include/linux/smp.h:13, from /work/linux-src/linux-stable/include/linux/lockdep.h:14, from /work/linux-src/linux-stable/include/linux/mutex.h:17, from /work/linux-src/linux-stable/include/linux/kernfs.h:11, from /work/linux-src/linux-stable/include/linux/sysfs.h:16, from /work/linux-src/linux-stable/include/linux/kobject.h:20, from /work/linux-src/linux-stable/include/linux/dmi.h:6, from pci.c:5: In function 'fortify_memcpy_chk', inlined from 'rtw_pci_rx_napi.constprop' at pci.c:1095:4: /work/linux-src/linux-stable/include/linux/fortify-string.h:569:25: warning: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning] 569 | __write_overflow_field(p_size_field, size); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ After this patch, the size of struct ieee80211_rx_status is 48. Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> Link: https://patch.msgid.link/20260411072509.1556635-1-pkshih@realtek.com Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-04-24Merge tag '9p-for-7.1-rc1' of https://github.com/martinetd/linuxLinus Torvalds
Pull 9p updates from Dominique Martinet: - 9p access flag fix (cannot change access flag since new mount API implem) - some minor cleanup * tag '9p-for-7.1-rc1' of https://github.com/martinetd/linux: 9p/trans_xen: replace simple_strto* with kstrtouint 9p/trans_xen: make cleanup idempotent after dataring alloc errors 9p: document missing enum values in kernel-doc comments 9p: fix access mode flags being ORed instead of replaced 9p: fix memory leak in v9fs_init_fs_context error path
2026-04-24Merge tag 'net-deletions' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next Pull networking deletions from Jakub Kicinski: "Delete some obsolete networking code Old code like amateur radio and NFC have long been a burden to core networking developers. syzbot loves to find bugs in BKL-era code, and noobs try to fix them. If we want to have a fighting chance of surviving the LLM-pocalypse this code needs to find a dedicated owner or get deleted. We've talked about these deletions multiple times in the past and every time someone wanted the code to stay. It is never very clear to me how many of those people actually use the code vs are just nostalgic to see it go. Amateur radio did have occasional users (or so I think) but most users switched to user space implementations since its all super slow stuff. Nobody stepped up to maintain the kernel code. We were lucky enough to find someone who wants to help with NFC so we're giving that a chance. Let's try to put the rest of this code behind us" * tag 'net-deletions' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next: drivers: net: 8390: wd80x3: Remove this driver drivers: net: 8390: ultra: Remove this driver drivers: net: 8390: AX88190: Remove this driver drivers: net: fujitsu: fmvj18x: Remove this driver drivers: net: smsc: smc91c92: Remove this driver drivers: net: smsc: smc9194: Remove this driver drivers: net: amd: nmclan: Remove this driver drivers: net: amd: lance: Remove this driver drivers: net: 3com: 3c589: Remove this driver drivers: net: 3com: 3c574: Remove this driver drivers: net: 3com: 3c515: Remove this driver drivers: net: 3com: 3c509: Remove this driver net: packetengines: remove obsolete yellowfin driver and vendor dir net: packetengines: remove obsolete hamachi driver net: remove unused ATM protocols and legacy ATM device drivers net: remove ax25 and amateur radio (hamradio) subsystem net: remove ISDN subsystem and Bluetooth CMTP caif: remove CAIF NETWORK LAYER
2026-04-23Merge tag 'net-7.1-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Including fixes from Netfilter. Steady stream of fixes. Last two weeks feel comparable to the two weeks before the merge window. Lots of AI-aided bug discovery. A newer big source is Sashiko/Gemini (Roman Gushchin's system), which points out issues in existing code during patch review (maybe 25% of fixes here likely originating from Sashiko). Nice thing is these are often fixed by the respective maintainers, not drive-bys. Current release - new code bugs: - kconfig: MDIO_PIC64HPSC should depend on ARCH_MICROCHIP Previous releases - regressions: - add async ndo_set_rx_mode and switch drivers which we promised to be called under the per-netdev mutex to it - dsa: remove duplicate netdev_lock_ops() for conduit ethtool ops - hv_sock: report EOF instead of -EIO for FIN - vsock/virtio: fix MSG_PEEK calculation on bytes to copy Previous releases - always broken: - ipv6: fix possible UAF in icmpv6_rcv() - icmp: validate reply type before using icmp_pointers - af_unix: drop all SCM attributes for SOCKMAP - netfilter: fix a number of bugs in the osf (OS fingerprinting) - eth: intel: fix timestamp interrupt configuration for E825C Misc: - bunch of data-race annotations" * tag 'net-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (148 commits) rxrpc: Fix error handling in rxgk_extract_token() rxrpc: Fix re-decryption of RESPONSE packets rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets rxrpc: Fix missing validation of ticket length in non-XDR key preparsing rxgk: Fix potential integer overflow in length check rxrpc: Fix conn-level packet handling to unshare RESPONSE packets rxrpc: Fix potential UAF after skb_unshare() failure rxrpc: Fix rxkad crypto unalignment handling rxrpc: Fix memory leaks in rxkad_verify_response() net: rds: fix MR cleanup on copy error m68k: mvme147: Make me the maintainer net: txgbe: fix firmware version check selftests/bpf: check epoll readiness during reuseport migration tcp: call sk_data_ready() after listener migration vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll() ipv6: Cap TLV scan in ip6_tnl_parse_tlv_enc_lim tipc: fix double-free in tipc_buf_append() llc: Return -EINPROGRESS from llc_ui_connect() ipv4: icmp: validate reply type before using icmp_pointers selftests/net: packetdrill: cover RFC 5961 5.2 challenge ACK on both edges ...
2026-04-23drivers: net: 8390: wd80x3: Remove this driverAndrew Lunn
The wd80x3 was written by Donald Becker 1993 to 1994. It is an ISA device, so unlikely to be used with modern kernels. Acked-by: Dominik Brodowski <linux@dominikbrodowski.net> Signed-off-by: Andrew Lunn <andrew@lunn.ch> Link: https://patch.msgid.link/20260422-v7-0-0-net-next-driver-removal-v1-v2-15-08a5b59784d5@lunn.ch Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-23drivers: net: 8390: ultra: Remove this driverAndrew Lunn
The ultra was written by Donald Becker 1993 to 1998. It is an ISA device, so unlikely to be used with modern kernels. Acked-by: Dominik Brodowski <linux@dominikbrodowski.net> Signed-off-by: Andrew Lunn <andrew@lunn.ch> Link: https://patch.msgid.link/20260422-v7-0-0-net-next-driver-removal-v1-v2-14-08a5b59784d5@lunn.ch Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-23drivers: net: smsc: smc9194: Remove this driverAndrew Lunn
The smc9194 was written by Erik Stahlman in 1996. It is an ISA device, so unlikely to be used with modern kernels. Signed-off-by: Andrew Lunn <andrew@lunn.ch> Link: https://patch.msgid.link/20260422-v7-0-0-net-next-driver-removal-v1-v2-7-08a5b59784d5@lunn.ch Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-23drivers: net: amd: lance: Remove this driverAndrew Lunn
The lance was written by Donald Becker between 1993-1998. It is an ISA device, so unlikely to be used with modern kernels. Signed-off-by: Andrew Lunn <andrew@lunn.ch> Link: https://patch.msgid.link/20260422-v7-0-0-net-next-driver-removal-v1-v2-5-08a5b59784d5@lunn.ch Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-23drivers: net: 3com: 3c515: Remove this driverAndrew Lunn
The 3c515 was written by Donald Becker between 1997-1998. It is an ISA device, so unlikely to be used with modern kernels. Signed-off-by: Andrew Lunn <andrew@lunn.ch> Link: https://patch.msgid.link/20260422-v7-0-0-net-next-driver-removal-v1-v2-2-08a5b59784d5@lunn.ch Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-23net: remove unused ATM protocols and legacy ATM device driversJakub Kicinski
Remove the ATM protocol modules and PCI/SBUS ATM device drivers that are no longer in active use. The ATM core protocol stack, PPPoATM, BR2684, and USB DSL modem drivers (drivers/usb/atm/) are retained in-tree to maintain PPP over ATM (PPPoA) and PPPoE-over-BR2684 support for DSL connections. The Solos ADSL2+ PCI driver is also retained. Removed ATM protocol modules: - net/atm/clip.c - Classical IP over ATM (RFC 2225) - net/atm/lec.c - LAN Emulation Client (LANE) - net/atm/mpc.c, mpoa_caches.c, mpoa_proc.c - Multi-Protocol Over ATM Removed PCI/SBUS ATM device drivers (drivers/atm/): - adummy, atmtcp - software/testing ATM devices - eni - Efficient Networks ENI155P (OC-3, ~1995) - fore200e - FORE Systems 200E PCI/SBUS (OC-3, ~1999) - he - ForeRunner HE (OC-3/OC-12, ~2000) - idt77105 - IDT 77105 25 Mbps ATM PHY - idt77252 - IDT 77252 NICStAR II (OC-3, ~2000) - iphase - Interphase ATM PCI (OC-3/DS3/E3) - lanai - Efficient Networks Speedstream 3010 - nicstar - IDT 77201 NICStAR (155/25 Mbps, ~1999) - suni - PMC S/UNI SONET PHY library Also clean up references in: - net/bridge/ - remove ATM LANE hook (br_fdb_test_addr_hook, br_fdb_test_addr) - net/core/dev.c - remove br_fdb_test_addr_hook export - defconfig files - remove ATM driver config options The removed code is moved to an out-of-tree module package (mod-orphan). Acked-by: Andy Shevchenko <andriy.shevchenko@intel.com> Reviewed-by: Simon Horman <horms@kernel.org> Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org> Link: https://patch.msgid.link/20260422041846.2035118-1-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>