Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.12.92 2026-05-07T04:09:27+00:00 2026-05-07T04:09:27+00:00 Zhengchuan Liang zcliangcn@gmail.com 2026-04-11T15:10:26+00:00 urn:sha1:3ac6db584d9d420267bb8413115707eeec76d9cf commit f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8 upstream. `caif_connect()` can tear down an existing client after remote shutdown by calling `caif_disconnect_client()` followed by `caif_free_client()`. `caif_free_client()` releases the service layer referenced by `adap_layer->dn`, but leaves that pointer stale. When the socket is later destroyed, `caif_sock_destructor()` calls `caif_free_client()` again and dereferences the freed service pointer. Clear the client/service links before releasing the service object so repeated teardown becomes harmless. Fixes: 43e369210108 ("caif: Move refcount from service layer to sock and dev.") Cc: stable@kernel.org Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Co-developed-by: Yuan Tan <yuantan098@gmail.com> Signed-off-by: Yuan Tan <yuantan098@gmail.com> Suggested-by: Xin Liu <bird@lzu.edu.cn> Tested-by: Ren Wei <enjou1224z@gmail.com> Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Link: https://patch.msgid.link/9f3d37847c0037568aae698ca23cd47c6691acb0.1775897577.git.zcliangcn@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-01-08T09:14:01+00:00 Junrui Luo moonafterrain@outlook.com 2025-12-04T13:30:47+00:00 urn:sha1:4ec29714aa4e0601ea29d2f02b461fc0ac92c2c3 [ Upstream commit 8a11ff0948b5ad09b71896b7ccc850625f9878d1 ] The cffrml_receive() function extracts a length field from the packet header and, when FCS is disabled, subtracts 2 from this length without validating that len >= 2. If an attacker sends a malicious packet with a length field of 0 or 1 to an interface with FCS disabled, the subtraction causes an integer underflow. This can lead to memory exhaustion and kernel instability, potential information disclosure if padding contains uninitialized kernel memory. Fix this by validating that len >= 2 before performing the subtraction. Reported-by: Yuhao Jiang <danisjiang@gmail.com> Reported-by: Junrui Luo <moonafterrain@outlook.com> Fixes: b482cd2053e3 ("net-caif: add CAIF core protocol stack") Signed-off-by: Junrui Luo <moonafterrain@outlook.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/SYBPR01MB7881511122BAFEA8212A1608AFA6A@SYBPR01MB7881.ausprd01.prod.outlook.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2025-08-15T10:13:40+00:00 Arnd Bergmann arnd@arndb.de 2025-06-20T11:22:39+00:00 urn:sha1:1b8397c2d14e84f4a05b981ae75c556ac8d5ad17 [ Upstream commit b630c781bcf6ff87657146661816d0d30a902139 ] I tried to fix the stack usage in this function a couple of years ago, but there is still a problem with the latest gcc versions in some configurations: net/caif/cfctrl.c:553:1: error: the frame size of 1296 bytes is larger than 1280 bytes [-Werror=frame-larger-than=] Reduce this once again, with a separate cfctrl_link_setup() function that holds the bulk of all the local variables. It also turns out that the param[] array that takes up a large portion of the stack is write-only and can be left out here. Fixes: ce6289661b14 ("caif: reduce stack size with KASAN") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Link: https://patch.msgid.link/20250620112244.3425554-1-arnd@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-10-02T21:23:23+00:00 Al Viro viro@zeniv.linux.org.uk 2024-10-01T19:35:57+00:00 urn:sha1:5f60d5f6bbc12e782fac78110b0ee62698f3b576 asm/unaligned.h is always an include of asm-generic/unaligned.h; might as well move that thing to linux/unaligned.h and include that - there's nothing arch-specific in that header. auto-generated by the following: for i in `git grep -l -w asm/unaligned.h`; do sed -i -e "s/asm\/unaligned.h/linux\/unaligned.h/" $i done for i in `git grep -l -w asm-generic/unaligned.h`; do sed -i -e "s/asm-generic\/unaligned.h/linux\/unaligned.h/" $i done git mv include/asm-generic/unaligned.h include/linux/unaligned.h git mv tools/include/asm-generic/unaligned.h tools/include/linux/unaligned.h sed -i -e "/unaligned.h/d" include/asm-generic/Kbuild sed -i -e "s/__ASM_GENERIC/__LINUX/" include/linux/unaligned.h tools/include/linux/unaligned.h 2024-09-13T03:29:04+00:00 Jakub Kicinski kuba@kernel.org 2024-09-11T01:52:28+00:00 urn:sha1:5905c024a776c7f592581551993817aaf0cd1f36 Justin sent a patch to use strscpy_pad() instead of strncpy() on the name field. Simon rightly asked why the _pad() version is used, and looking closer name seems completely unused, the last code which referred to it was removed in commit 8391c4aab1aa ("caif: Bugfixes in CAIF netdevice for close and flow control") Link: https://lore.kernel.org/20240909-strncpy-net-caif-chnl_net-c-v1-1-438eb870c155@google.com Reviewed-by: Simon Horman <horms@kernel.org> Acked-by: Justin Stitt <justinstitt@google.com> Link: https://patch.msgid.link/20240911015228.1555779-1-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2024-08-26T16:48:53+00:00 Li Zetao lizetao1@huawei.com 2024-08-22T13:39:03+00:00 urn:sha1:b4985aa8e312fd40fbbce0fe44ce677368fdee43 When processing the tail append of sk buffer, the final length needs to be determined based on expectlen and addlen. Using max() here can increase the readability of the code. Signed-off-by: Li Zetao <lizetao1@huawei.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20240822133908.1042240-4-lizetao1@huawei.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2024-06-05T09:18:06+00:00 Dr. David Alan Gilbert linux@treblig.org 2024-05-31T23:29:17+00:00 urn:sha1:6f49c3fb563c0a95a838216eaf7d9b02ece44bf5 'cfpktq' has been unused since commit 73d6ac633c6c ("caif: code cleanup"). 'caif_packet_funcs' is declared but never defined. Remove both of them. Signed-off-by: Dr. David Alan Gilbert <linux@treblig.org> Reviewed-by: Jacob Keller <jacob.e.keller@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2024-04-03T01:20:00+00:00 Christophe JAILLET christophe.jaillet@wanadoo.fr 2024-03-30T08:32:12+00:00 urn:sha1:f9a4506438a1068d9ff613319bc64dcaa65f681d UTILITY_NAME_LENGTH is 16. So better use the former when defining the 'utility_name' array. This makes the intent clearer when it is used around line 260. While at it, declare variable in reverse xmas tree style. Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://lore.kernel.org/r/8c1160501f69b64bb2d45ce9f26f746eec80ac77.1711787352.git.christophe.jaillet@wanadoo.fr Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2024-01-05T16:06:35+00:00 Jakub Kicinski kuba@kernel.org 2024-01-04T14:48:55+00:00 urn:sha1:cb420106901ad038ea8b3c58fe26a5a465c40080 W=1 builds now warn if module is built without a MODULE_DESCRIPTION(). Add descriptions to all the CAIF sub-modules. Link: https://lore.kernel.org/r/20240104144855.1320993-1-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2023-06-24T22:50:13+00:00 David Howells dhowells@redhat.com 2023-06-23T22:55:12+00:00 urn:sha1:dc97391e661009eab46783030d2404c9b6e6f2e7 Remove ->sendpage() and ->sendpage_locked(). sendmsg() with MSG_SPLICE_PAGES should be used instead. This allows multiple pages and multipage folios to be passed through. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Marc Kleine-Budde <mkl@pengutronix.de> # for net/can cc: Jens Axboe <axboe@kernel.dk> cc: Matthew Wilcox <willy@infradead.org> cc: linux-afs@lists.infradead.org cc: mptcp@lists.linux.dev cc: rds-devel@oss.oracle.com cc: tipc-discussion@lists.sourceforge.net cc: virtualization@lists.linux-foundation.org Link: https://lore.kernel.org/r/20230623225513.2732256-16-dhowells@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>