<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/net/6lowpan, branch v7.2-rc1</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-06-11T22:27:07+00:00</updated>
<entry>
<title>6lowpan: fix NHC entry use-after-free on error path</title>
<updated>2026-06-11T22:27:07+00:00</updated>
<author>
<name>Yizhou Zhao</name>
<email>zhaoyz24@mails.tsinghua.edu.cn</email>
</author>
<published>2026-06-09T08:00:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=1720db928e5a58ca7d75ac1d514c3b73fd7061a7'/>
<id>urn:sha1:1720db928e5a58ca7d75ac1d514c3b73fd7061a7</id>
<content type='text'>
lowpan_nhc_do_uncompression() looks up an NHC descriptor while holding
lowpan_nhc_lock.  If the descriptor has no uncompress callback, the error
path drops the lock before printing nhc-&gt;name.

lowpan_nhc_del() removes descriptors under the same lock and then relies
on synchronize_net() before the owning module can be unloaded.  That only
waits for net RX RCU readers.  lowpan_header_decompress() is also exported
and can be reached from callers that are not necessarily covered by the net
core RX critical section, for example the Bluetooth 6LoWPAN L2CAP receive
path.

This leaves a race where one task drops lowpan_nhc_lock in the error path,
another task unregisters and frees the matching descriptor after
synchronize_net() returns, and the first task then dereferences nhc-&gt;name
for the warning.

With the post-unlock window widened, KASAN reports:

  BUG: KASAN: slab-use-after-free in lowpan_nhc_do_uncompression+0x1f4/0x220
  Read of size 8
  lowpan_nhc_do_uncompression
  lowpan_header_decompress

Fix this by printing the warning before dropping lowpan_nhc_lock, so the
descriptor name is read while unregister is still excluded.  The malformed
packet is still rejected with -ENOTSUPP.

Fixes: 92aa7c65d295 ("6lowpan: add generic nhc layer interface")
Cc: stable@vger.kernel.org
Reported-by: Yizhou Zhao &lt;zhaoyz24@mails.tsinghua.edu.cn&gt;
Reported-by: Yuxiang Yang &lt;yangyx22@mails.tsinghua.edu.cn&gt;
Reported-by: Ao Wang &lt;wangao@seu.edu.cn&gt;
Reported-by: Xuewei Feng &lt;fengxw06@126.com&gt;
Reported-by: Qi Li &lt;qli01@tsinghua.edu.cn&gt;
Reported-by: Ke Xu &lt;xuke@tsinghua.edu.cn&gt;
Signed-off-by: Yizhou Zhao &lt;zhaoyz24@mails.tsinghua.edu.cn&gt;
Acked-by: Alexander Aring &lt;aahringo@redhat.com&gt;
Link: https://patch.msgid.link/20260609080054.4541-1-zhaoyz24@mails.tsinghua.edu.cn
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>6lowpan: fix off-by-one in multicast context address compression</title>
<updated>2026-06-02T02:10:16+00:00</updated>
<author>
<name>Yizhou Zhao</name>
<email>zhaoyz24@mails.tsinghua.edu.cn</email>
</author>
<published>2026-05-27T08:18:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=2a58899d11009bffc7b4b32a571858f381121837'/>
<id>urn:sha1:2a58899d11009bffc7b4b32a571858f381121837</id>
<content type='text'>
The second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses
&amp;data[1] as destination and &amp;ipaddr-&gt;s6_addr[11] as source, but
both should be offset by one: &amp;data[2] and &amp;ipaddr-&gt;s6_addr[12]
respectively.

This off-by-one has two consequences:
1. data[1] is overwritten with s6_addr[11], corrupting the RIID
   field in the compressed multicast address
2. data[5] is never written, so uninitialized kernel stack memory
   is transmitted over the network via lowpan_push_hc_data(),
   leaking kernel stack contents

The correct inline data layout must match what the decompression
function lowpan_uncompress_multicast_ctx_daddr() expects:
  data[0..1] = s6_addr[1..2]  (flags/scope + RIID)
  data[2..5] = s6_addr[12..15] (group ID)

Also zero-initialize the data array as a defensive measure against
similar bugs in the future.

Fixes: 5609c185f24d ("6lowpan: iphc: add support for stateful compression")
Reported-by: Yizhou Zhao &lt;zhaoyz24@mails.tsinghua.edu.cn&gt;
Reported-by: Yuxiang Yang &lt;yangyx22@mails.tsinghua.edu.cn&gt;
Reported-by: Ao Wang &lt;wangao@seu.edu.cn&gt;
Reported-by: Xuewei Feng &lt;fengxw06@126.com&gt;
Reported-by: Qi Li &lt;qli01@tsinghua.edu.cn&gt;
Reported-by: Ke Xu &lt;xuke@tsinghua.edu.cn&gt;
Signed-off-by: Yizhou Zhao &lt;zhaoyz24@mails.tsinghua.edu.cn&gt;
Acked-by: Alexander Aring &lt;aahringo@redhat.com&gt;
Link: https://patch.msgid.link/20260527081806.42747-1-zhaoyz24@mails.tsinghua.edu.cn
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>net: replace ND_PRINTK with dynamic debug</title>
<updated>2025-07-10T22:27:32+00:00</updated>
<author>
<name>Wang Liang</name>
<email>wangliang74@huawei.com</email>
</author>
<published>2025-07-08T03:33:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=96698d1898bc79c783990ac7d5458b7c8f8e0b69'/>
<id>urn:sha1:96698d1898bc79c783990ac7d5458b7c8f8e0b69</id>
<content type='text'>
ND_PRINTK with val &gt; 1 only works when the ND_DEBUG was set in compilation
phase. Replace it with dynamic debug. Convert ND_PRINTK with val &lt;= 1 to
net_{err,warn}_ratelimited, and convert the rest to net_dbg_ratelimited.

Suggested-by: Ido Schimmel &lt;idosch@idosch.org&gt;
Signed-off-by: Wang Liang &lt;wangliang74@huawei.com&gt;
Reviewed-by: Ido Schimmel &lt;idosch@nvidia.com&gt;
Link: https://patch.msgid.link/20250708033342.1627636-1-wangliang74@huawei.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>ipv6: eliminate ndisc_ops_is_useropt()</title>
<updated>2024-08-13T00:23:57+00:00</updated>
<author>
<name>Maciej Żenczykowski</name>
<email>maze@google.com</email>
</author>
<published>2024-07-30T00:30:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=246ef40670b71fef0c3e2cd11404279bc6d6468e'/>
<id>urn:sha1:246ef40670b71fef0c3e2cd11404279bc6d6468e</id>
<content type='text'>
as it doesn't seem to offer anything of value.

There's only 1 trivial user:
  int lowpan_ndisc_is_useropt(u8 nd_opt_type) {
    return nd_opt_type == ND_OPT_6CO;
  }

but there's no harm to always treating that as
a useropt...

Cc: David Ahern &lt;dsahern@kernel.org&gt;
Cc: YOSHIFUJI Hideaki / 吉藤英明 &lt;yoshfuji@linux-ipv6.org&gt;
Signed-off-by: Maciej Żenczykowski &lt;maze@google.com&gt;
Link: https://patch.msgid.link/20240730003010.156977-1-maze@google.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>net: fill in MODULE_DESCRIPTION()s for 6LoWPAN</title>
<updated>2024-02-09T22:12:01+00:00</updated>
<author>
<name>Breno Leitao</name>
<email>leitao@debian.org</email>
</author>
<published>2024-02-08T16:42:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=2898f3075e6a0b0584781272aac88377e5ced0a0'/>
<id>urn:sha1:2898f3075e6a0b0584781272aac88377e5ced0a0</id>
<content type='text'>
W=1 builds now warn if module is built without a MODULE_DESCRIPTION().
Add descriptions to IPv6 over Low power Wireless Personal Area Network.

Signed-off-by: Breno Leitao &lt;leitao@debian.org&gt;
Acked-by: Alexander Aring &lt;aahringo@redhat.com&gt;
Reviewed-by: Simon Horman &lt;horms@kernel.org&gt;
Link: https://lore.kernel.org/r/20240208164244.3818498-5-leitao@debian.org
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>6lowpan: Remove redundant initialisation.</title>
<updated>2023-03-29T07:22:52+00:00</updated>
<author>
<name>Kuniyuki Iwashima</name>
<email>kuniyu@amazon.com</email>
</author>
<published>2023-03-27T23:54:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=be689c719eb6153b0fbd83536ae656dca8981f12'/>
<id>urn:sha1:be689c719eb6153b0fbd83536ae656dca8981f12</id>
<content type='text'>
We'll call memset(&amp;tmp, 0, sizeof(tmp)) later.

Signed-off-by: Kuniyuki Iwashima &lt;kuniyu@amazon.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net: 6lowpan: constify lowpan_nhc structures</title>
<updated>2022-06-09T19:53:28+00:00</updated>
<author>
<name>Alexander Aring</name>
<email>aahringo@redhat.com</email>
</author>
<published>2022-04-28T03:05:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f3de6f4eccddfcaf3f8b3674ab57a0646b572650'/>
<id>urn:sha1:f3de6f4eccddfcaf3f8b3674ab57a0646b572650</id>
<content type='text'>
This patch constify the lowpan_nhc declarations. Since we drop the rb
node datastructure there is no need for runtime manipulation of this
structure.

Signed-off-by: Alexander Aring &lt;aahringo@redhat.com&gt;
Reviewed-by: Stefan Schmidt &lt;stefan@datenfreihafen.org&gt;
Acked-by: Jukka Rissanen &lt;jukka.rissanen@linux.intel.com&gt;
Link: https://lore.kernel.org/r/20220428030534.3220410-4-aahringo@redhat.com
Signed-off-by: Stefan Schmidt &lt;stefan@datenfreihafen.org&gt;
</content>
</entry>
<entry>
<title>net: 6lowpan: use array for find nhc id</title>
<updated>2022-06-09T19:53:28+00:00</updated>
<author>
<name>Alexander Aring</name>
<email>aahringo@redhat.com</email>
</author>
<published>2022-04-28T03:05:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=31264f9563e6c2b2f895582e0632881cbc197af9'/>
<id>urn:sha1:31264f9563e6c2b2f895582e0632881cbc197af9</id>
<content type='text'>
This patch will remove the complete overengineered and overthinking rb data
structure for looking up the nhc by nhcid. Instead we using the existing
nhc next header array and iterate over it. It works now for 1 byte values
only. However there are only 1 byte nhc id values currently
supported and IANA also does not specify large than 1 byte values yet.
If there are 2 byte values for nhc ids specified we can revisit this
data structure and add support for it.

Signed-off-by: Alexander Aring &lt;aahringo@redhat.com&gt;
Reviewed-by: Stefan Schmidt &lt;stefan@datenfreihafen.org&gt;
Acked-by: Jukka Rissanen &lt;jukka.rissanen@linux.intel.com&gt;
Link: https://lore.kernel.org/r/20220428030534.3220410-3-aahringo@redhat.com
Signed-off-by: Stefan Schmidt &lt;stefan@datenfreihafen.org&gt;
</content>
</entry>
<entry>
<title>net: 6lowpan: remove const from scalars</title>
<updated>2022-06-09T19:53:28+00:00</updated>
<author>
<name>Alexander Aring</name>
<email>aahringo@redhat.com</email>
</author>
<published>2022-04-28T03:05:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=eb9edf4366a2364b626c000b9ac720b0c13a551c'/>
<id>urn:sha1:eb9edf4366a2364b626c000b9ac720b0c13a551c</id>
<content type='text'>
The keyword const makes no sense for scalar types inside the lowpan_nhc
structure. Most compilers will ignore it so we remove the keyword from
the scalar types.

Signed-off-by: Alexander Aring &lt;aahringo@redhat.com&gt;
Reviewed-by: Stefan Schmidt &lt;stefan@datenfreihafen.org&gt;
Acked-by: Jukka Rissanen &lt;jukka.rissanen@linux.intel.com&gt;
Link: https://lore.kernel.org/r/20220428030534.3220410-2-aahringo@redhat.com
Signed-off-by: Stefan Schmidt &lt;stefan@datenfreihafen.org&gt;
</content>
</entry>
<entry>
<title>net: don't include ndisc.h from ipv6.h</title>
<updated>2022-02-04T22:15:11+00:00</updated>
<author>
<name>Jakub Kicinski</name>
<email>kuba@kernel.org</email>
</author>
<published>2022-02-03T23:12:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=c78b8b20e34920231eda02fb40c7aca7d88be837'/>
<id>urn:sha1:c78b8b20e34920231eda02fb40c7aca7d88be837</id>
<content type='text'>
Nothing in ipv6.h needs ndisc.h, drop it.

Link: https://lore.kernel.org/r/20220203043457.2222388-1-kuba@kernel.org
Acked-by: Jeremy Kerr &lt;jk@codeconstruct.com.au&gt;
Acked-by: Stefan Schmidt &lt;stefan@datenfreihafen.org&gt;
Link: https://lore.kernel.org/r/20220203231240.2297588-1-kuba@kernel.org
Reviewed-by: David Ahern &lt;dsahern@kernel.org&gt;
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
</feed>
