<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/net/core/skbuff.c, branch v7.2-rc1</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-06-17T07:17:00+00:00</updated>
<entry>
<title>Merge tag 'net-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next</title>
<updated>2026-06-17T07:17:00+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-17T07:17:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=b85966adbf5de0668a815c6e3527f87e0c387fb4'/>
<id>urn:sha1:b85966adbf5de0668a815c6e3527f87e0c387fb4</id>
<content type='text'>
Pull networking updates from Jakub Kicinski:
 "Core &amp; protocols:

   - Work on removing rtnl_lock protection throughout the stack
     continues. In this chapter:
       - don't use rtnl_lock for IPv6 multicast routing configuration
       - don't take rtnl_lock in ethtool for modern drivers
       - prepare Qdisc dump callbacks for rtnl_lock removal

   - Support dumping just ifindex + name of all interfaces, under RCU.
     It's a common operation for Netlink CLI tools (when translating
     names to ifindexes) and previously required full rtnl_lock.

   - Support dumping qdiscs and page pools for a specific netdev. Even
     tho user space wants a dump of all netdevs, most of the time, the
     OOO programming model results in repeating the dump for each
     netdev. Which, in absence of a cache, leads to a O(n^2) behavior.

   - Flush nexthops once on multi-nexthop removal (e.g. when device goes
     down), another O(n^2) -&gt; O(n) improvement.

   - Rehash locally generated traffic to a different nexthop on
     retransmit timeout.

   - Honor oif when choosing nexthop for locally generated IPv6 traffic.

   - Convert TCP Auth Option to crypto library, and drop non-RFC algos.

   - Increase subflow limits in MPTCP to 64 and endpoint limit to 256.

   - Support MPTCP signaling of IPv6 address + port (ADD_ADDR). We need
     to selectively skip reporting of the standard TCP Timestamp option,
     because they won't fit into the header space together (12 + 30 &gt;
     40).

   - Support using bridge neighbor suppression, Duplicate Address
     Detection, Gratuitous ARP and unsolicited NA forwarding - in EVPN
     deployments, e.g. VXLAN fabrics (IPv4 and IPv6).

   - Improve link state reporting for upper netdevs (e.g. macvlan) over
     tunnel devices (again, mostly for EVPN deployments).

   - Support binding GENEVE tunnels to a local address.

   - Speed up UDP tunnel destruction (remove one synchronize_rcu()).

   - Support exponential field encoding in multicast (IGMPv3 and MLDv2).

   - Support attaching PSP crypto offload to containers (veth, netkit).

   - Add a new IPSec Netlink message XFRM_MSG_MIGRATE_STATE that allows
     migrating individual IPsec SAs independently of their policies.

     The existing XFRM_MSG_MIGRATE is tightly coupled to policy+SA
     migration, lacks SPI for unique SA identification, and cannot
     express reqid changes or migrate Transport mode selectors.

     The new interface identifies the SA via SPI and mark, supports
     reqid changes, address family changes, encap removal, and uses an
     atomic create+install flow under x-&gt;lock to prevent SN/IV reuse
     during AEAD SA migration.

   - Implement GRO/GSO support for PPPoE.

   - Convert sockopt callbacks in a number of protocols to iov_iter.

  Cross-tree stuff:

   - Remove support for Crypto TFM cloning (unblocked after the TCP Auth
     Option rework). This feature regressed performance for all crypto
     API users, since it changed crypto transformation objects into
     reference-counted objects.

   - Add FCrypt-PCBC implementation to rxrpc and remove it from the
     global crypto API as obsolete and insecure.

  Wireless:

   - Major rework of station bandwidth handling, fixing issues with
     lower capability than AP.

   - Cleanups for EMLSR spec issues (drafts differed).

   - More Neighbor Awareness Networking (Wi-Fi Aware) work (multicast,
     schedule improvements, multi-station etc.)

   - Some Ultra High Reliability (UHR) / IEEE 802.11bn (D1.4) work
     (e.g. non-primary channel access, UHR DBE support).

   - Fine Timing Measurement ranging (i.e. distance measurement) APIs.

  Netfilter:

   - Use per-rule hash initval in nf_conncount. This avoids unnecessary
     lock contention with short keys (e.g. conntrack zones) in different
     namespaces.

   - Various safety improvements, both in packet parsing and object
     lifetimes. Notably add refcounts to conntrack timeout policy.

  Deletions:

   - Remove TLS + sockmap integration. TLS wants to pin user pages to
     avoid a copy, and sockmap wants to write to the input stream. More
     work on this integration is clearly needed, and we can't find any
     users (original author admitted that they never deployed it).

   - Remove support for TLS offload with TCP Offload Engine (the far
     more common opportunistic offload is retained). The locking looks
     unfixable (driver sleeps under TCP spin locks) and people from the
     vendor that added this are AWOL.

   - Remove more ATM code, trying to leave behind only what PPPoATM
     needs, AAL5 and br2684 with permanent circuits.

   - Remove AppleTalk. Let it join hamradio in our out of tree protocol
     graveyard, I mean, repository.

   - Disable 32-bit x_tables compatibility (32bit binaries on 64bit
     kernel) interface in user namespaces. To be deleted completely,
     soon.

   - Remove 5/10 MHz support from cfg80211/mac80211.

  Drivers:

   - Software:
       - Support DEVMEM/DMABUF Tx over NETMEM_TX_NO_DMA devices (netkit)
       - bonding: add knob to strictly follow 802.3ad for link state

   - New drivers:
       - Alibaba Elastic Ethernet Adaptor (cloud vNIC).
       - NXP NETC switch within i.MX94.

   - DPLL:
       - Add operational state to pins (implement in zl3073x).
       - Add generic DPLL type, for daisy-chaining DPLLs (implement in ice).

   - Ethernet high-speed NICs:
       - Huawei (hinic3):
           - enhance tc flow offload support with queue selection,
             tunnels
       - nVidia/Mellanox:
           - avoid over-copying payload to the skb's linear part (up to
             60% win for LRO on slow CPUs like ARM64 V2)
           - expose more per-queue stats over the standard API
           - support additional, unprivileged PFs in the DPU
             configuration
           - support Socket Direct (multi-PF) with switchdev offloads
           - add a pool / frag allocator for DMA mapped buffers for
             control objects, save memory on systems with 64kB page size
           - take advantage of the ability to dynamically change RSS
             table size, even when table is configured by the user
           - increase the max RSS table size for even traffic
             distribution

   - Ethernet NICs:
       - Marvell/Aquantia:
           - AQC113 PTP support
       - Realtek USB (r8152):
           - support 10Gbit Link Speeds and Energy-Efficient Ethernet
             (EEE)
           - support firmware loaded (for RTL8157/RTL8159)
           - support for the RTL8159
       - Intel (ixgbe):
           - support Energy-Efficient Ethernet (EEE) on E610 devices

   - Ethernet switches:
       - Airoha:
           - support multiple netdevs on a single GDM block / port
       - Marvell (mv88e6xxx):
           - support SERDES of mv88e6321
       - Microchip (ksz8/9):
           - rework the driver callbacks to remove one indirection layer
       - Motorcomm (yt921x):
           - support port rate policing
           - support TBF qdisc offload
           - support ACL/flower offload
       - nVidia/Mellanox:
           - expose per-PG rx_discards
       - Realtek:
           - rtl8365mb: bridge offloading and VLAN support

   - Ethernet PHYs:
       - Airoha:
           - support Airoha AN8801R Gigabit PHYs.
       - Micrel:
           - implement 3 low-loss cable tunables
       - Realtek:
           - support MDI swapping for RTL8226-CG
           - support MDIO for RTL931x
       - Qualcomm:
           - at803x: Rx and Tx clock management for IPQ5018 PHY
       - Motorcomm:
           - support YT8522 100M RMII PHY
           - set drive strength in YT8531s RGMII
       - TI:
           - dp83822: add optional external PHY clock

   - Bluetooth:
       - hci_sync: add support for HCI_LE_Set_Host_Feature [v2]
       - SMP: use AES-CMAC library API
       - Intel:
           - support Product level reset
           - support smart trigger dump
       - Mediatek:
           - add event filter to filter specific event
       - Realtek:
           - fix RTL8761B/BU broken LE extended scan

   - WiFi:
       - Broadcom (b43):
           - new support for a 11n device
       - MediaTek (mt76):
           - support mt7927
           - mt792x: broken usb transport detection
           - mt7921: regulatory improvements
       - Qualcomm (ath9k):
           - GPIO interface improvements
       - Qualcomm (ath12k):
           - WDS support
           - replace dynamic memory allocation in WMI Rx path
           - thermal throttling/cooling device support
           - 6 GHz incumbent interference detection
           - channel 177 in 5 GHz
       - Realtek (rt89):
           - RTL8922AU support
           - USB 3 mode switch for performance
           - better monitor radiotap support
           - RTL8922DE preparations"

* tag 'net-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next: (1778 commits)
  ipv4: fib_rule: Move fib4_rules_exit() to -&gt;exit().
  net: serialize netif_running() check in enqueue_to_backlog()
  net: skmsg: preserve sg.copy across SG transforms
  appletalk: move the protocol out of tree
  appletalk: stop storing per-interface state in struct net_device
  selftests/bpf: test that TLS crypto is rejected on a sockmap socket
  selftests/bpf: drop the unused kTLS program from test_sockmap
  selftests/bpf: remove sockmap + ktls tests
  tls: remove dead sockmap (psock) handling from the SW path
  tls: reject the combination of TLS and sockmap
  atm: remove orphaned uAPI for deleted drivers, protocols and SVCs
  atm: remove unused ATM PHY operations
  atm: remove the unused pre_send and send_bh device operations
  atm: remove the unused change_qos device operation
  atm: remove SVC socket support and the signaling daemon interface
  atm: remove the local ATM (NSAP) address registry
  atm: remove dead SONET PHY ioctls
  atm: remove the unused send_oam / push_oam callbacks
  atm: remove AAL3/4 transport support
  net: dsa: sja1105: fix lastused timestamp in flower stats
  ...
</content>
</entry>
<entry>
<title>Merge tag 'slab-for-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab</title>
<updated>2026-06-16T03:14:43+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-16T03:14:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f8115f0e8a0585ef1c03d07a68b989023097d16c'/>
<id>urn:sha1:f8115f0e8a0585ef1c03d07a68b989023097d16c</id>
<content type='text'>
Pull slab updates from Vlastimil Babka:

 - Support for "allocation tokens" (currently available in Clang 22+)
   for smarter partitioning of kmalloc caches based on the allocated
   object type, which can be enabled instead of the "random"
   per-caller-address-hash partitioning.

   It should be able to deterministically separate types containing a
   pointer from those that do not (Marco Elver)

 - Improvements and simplification of the kmem_cache_alloc_bulk() and
   mempool_alloc_bulk() API. This includes adaptation of callers
   (Christoph Hellwig)

 - Performance improvements and cleanups related mostly to sheaves
   refill (Hao Li, Shengming Hu, Vlastimil Babka)

 - Several fixups for the slabinfo tool (Xuewen Wang)

* tag 'slab-for-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab:
  mm/slab: do not limit zeroing to orig_size when only red zoning is enabled
  mm/slub: preserve original size in _kmalloc_nolock_noprof retry path
  mm: simplify the mempool_alloc_bulk API
  mm/slab: improve kmem_cache_alloc_bulk
  mm/slub: detach and reattach partial slabs in batch
  mm/slub: introduce helpers for node partial slab state
  mm/slub: use empty sheaf helpers for oversized sheaves
  tools/mm/slabinfo: remove redundant slab-&gt;partial assignment
  tools/mm/slabinfo: remove dead assignment in get_obj_and_str()
  tools/mm/slabinfo: Fix trace disable logic inversion
  MAINTAINERS: add slab-related scripts and tools to SLAB ALLOCATOR
  mm/slub: fix typo in sheaves comment
  mm, slab: simplify returning slab in __refill_objects_node()
  mm, slab: add an optimistic __slab_try_return_freelist()
  slab: fix kernel-docs for mm-api
  slab: improve KMALLOC_PARTITION_RANDOM randomness
  slab: support for compiler-assisted type-based slab cache partitioning
  mm/slub: defer freelist construction until after bulk allocation from a new slab
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net</title>
<updated>2026-06-11T21:33:35+00:00</updated>
<author>
<name>Jakub Kicinski</name>
<email>kuba@kernel.org</email>
</author>
<published>2026-06-11T21:29:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=dad4d4b92a9b9f0edb8c66deda049da1b62f6089'/>
<id>urn:sha1:dad4d4b92a9b9f0edb8c66deda049da1b62f6089</id>
<content type='text'>
Cross-merge networking fixes after downstream PR (net-7.1-rc8).

Conflicts:

drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c
  f67aead16e85 ("net: txgbe: rework service event handling")
  57d39faed4c9 ("net: txgbe: improve functions of AML 40G devices")

net/rds/info.c
  512db8267b73 ("rds: mark snapshot pages dirty in rds_info_getsockopt()")
  6e94eeb2a2a6 ("rds: convert to getsockopt_iter")

Adjacent changes:

include/net/sock.h
  1ee90b77b727 ("net: guard timestamp cmsgs to real error queue skbs")
  f0de88303d5e ("net: make is_skb_wmem() available to modules")

Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>net: guard timestamp cmsgs to real error queue skbs</title>
<updated>2026-06-10T01:32:08+00:00</updated>
<author>
<name>Kyle Zeng</name>
<email>kylebot@openai.com</email>
</author>
<published>2026-06-07T02:18:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=1ee90b77b727df903033db873c75caac5c27ec98'/>
<id>urn:sha1:1ee90b77b727df903033db873c75caac5c27ec98</id>
<content type='text'>
skb_is_err_queue() treats PACKET_OUTGOING as the sole marker for an skb
from sk_error_queue. That assumption is not true for AF_PACKET sockets:
outgoing packet taps are also delivered to packet sockets with
skb-&gt;pkt_type == PACKET_OUTGOING, but their skb-&gt;cb is owned by AF_PACKET
instead of struct sock_exterr_skb.

If such an skb is received with timestamping enabled, the generic
timestamp cmsg path can read AF_PACKET control-buffer state as
sock_exterr_skb::opt_stats. With SO_RXQ_OVFL enabled, the packet drop
counter overlaps opt_stats. An odd drop count makes the path emit
SCM_TIMESTAMPING_OPT_STATS with skb-&gt;len and skb-&gt;data. For non-linear
skbs this copies past the linear head and can trigger hardened usercopy or
disclose adjacent heap contents.

Keep skb_is_err_queue() local to net/socket.c, but make it verify that
the PACKET_OUTGOING marker is paired with the sock_rmem_free destructor
installed by sock_queue_err_skb(). AF_PACKET receive skbs use normal
receive ownership and no longer pass as error-queue skbs, while legitimate
sk_error_queue entries keep the PACKET_OUTGOING marker and sock_rmem_free
ownership.

Fixes: 8605330aac5a ("tcp: fix SCM_TIMESTAMPING_OPT_STATS for normal skbs")
Signed-off-by: Kyle Zeng &lt;kylebot@openai.com&gt;
Reviewed-by: Kuniyuki Iwashima &lt;kuniyu@google.com&gt;
Reviewed-by: Willem de Bruijn &lt;willemb@google.com&gt;
Link: https://patch.msgid.link/20260607021819.49698-1-kylebot@openai.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>mm/slab: improve kmem_cache_alloc_bulk</title>
<updated>2026-06-03T16:20:43+00:00</updated>
<author>
<name>Christoph Hellwig</name>
<email>hch@lst.de</email>
</author>
<published>2026-05-28T09:34:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6bb0009862c5f0e89a6e4afc09b499a02576c7da'/>
<id>urn:sha1:6bb0009862c5f0e89a6e4afc09b499a02576c7da</id>
<content type='text'>
The kmem_cache_alloc_bulk return value is weird.  It returns the number
of allocated objects, but that must always be 0 or the requested number
based on the implementations and the handling in the callers, but that
assumption is not actually documented anywhere, which confuses automated
review tools.

Fix this by returning a bool if the allocation succeeded and adding a
kerneldoc comment explaining the API.

[rob.clark@oss.qualcomm.com: fixups in
 msm_iommu_pagetable_prealloc_allocate() ]

Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
Reviewed-by: Alexander Lobakin &lt;aleksander.lobakin@intel.com&gt; # skbuff
Link: https://patch.msgid.link/20260528093437.2519248-2-hch@lst.de
Signed-off-by: Vlastimil Babka (SUSE) &lt;vbabka@kernel.org&gt;
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net</title>
<updated>2026-06-01T11:42:12+00:00</updated>
<author>
<name>Paolo Abeni</name>
<email>pabeni@redhat.com</email>
</author>
<published>2026-06-01T11:35:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=c2c0486c56800ce276e79c40a6e576ffd672f2a9'/>
<id>urn:sha1:c2c0486c56800ce276e79c40a6e576ffd672f2a9</id>
<content type='text'>
Conflicts:

drivers/net/ethernet/microsoft/mana/mana_en.c:
  17bfe0a8c014e ("net: mana: Add NULL guards in teardown path to prevent panic on attach failure")
  d07efe5a6e641 ("net: mana: Use per-queue allocation for tx_qp to reduce allocation size")

Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</content>
</entry>
<entry>
<title>net: skbuff: fix pskb_carve leaking zcopy pages</title>
<updated>2026-05-29T19:55:27+00:00</updated>
<author>
<name>Pavel Begunkov</name>
<email>asml.silence@gmail.com</email>
</author>
<published>2026-05-28T18:43:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=ff6e798c2eac3ebd0501ad7e796f583fab928de8'/>
<id>urn:sha1:ff6e798c2eac3ebd0501ad7e796f583fab928de8</id>
<content type='text'>
When SKBFL_MANAGED_FRAG_REFS is set, frag pages are not refcounted but
their lifetime is controlled by the attached ubuf_info. To make a copy
of the skb_shared_info, we either should clear the flag and reference
the frags, or keep the flag and have frags unreferenced.

pskb_carve_inside_header() and pskb_carve_inside_nonlinear() don't
follow the rule and thus can leak page references. Let's clear
SKBFL_MANAGED_FRAG_REFS from the original skb to fix it. It's the
simplest way to address it, but there are more performant ways to do
that if it ever becomes a problem.

Link: https://lore.kernel.org/all/20260523085809.26331-1-nvminh232@clc.fitus.edu.vn/
Fixes: 753f1ca4e1e50 ("net: introduce managed frags infrastructure")
Reported-by: Minh Nguyen &lt;minhnguyen.080505@gmail.com&gt;
Reported-by: Willem de Bruijn &lt;willemdebruijn.kernel@gmail.com&gt;
Signed-off-by: Pavel Begunkov &lt;asml.silence@gmail.com&gt;
Reviewed-by: Willem de Bruijn &lt;willemb@google.com&gt;
Link: https://patch.msgid.link/1e2086aa69217d7f9c8da3d38f5be7160f1b4cd1.1779993185.git.asml.silence@gmail.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net</title>
<updated>2026-05-28T21:02:21+00:00</updated>
<author>
<name>Jakub Kicinski</name>
<email>kuba@kernel.org</email>
</author>
<published>2026-05-21T22:02:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=d44646fc9eeb423ad50f3043f11f66f491d908a7'/>
<id>urn:sha1:d44646fc9eeb423ad50f3043f11f66f491d908a7</id>
<content type='text'>
Cross-merge networking fixes after downstream PR (net-7.1-rc6).

Conflicts:

drivers/net/phy/air_en8811h.c
  d895767c33781 ("net: phy: air_en8811h: add AN8811HB MCU assert/deassert support")
  dddfadd75197e ("net: phy: Add Airoha phy library for shared code")
  5226bb6634cdf ("net: phy: air_phy_lib: Factorize BuckPBus register accessors")
  e08f0ea6daf2e ("net: phy: Rename Airoha common BuckPBus register accessors")

net/sched/sch_netem.c
  a2f6ed7b4873 ("net/sched: netem: add per-impairment extended statistics")
  9552b11e3eda ("net/sched: fix packet loop on netem when duplicate is on")

Adjacent changes:

drivers/dpll/zl3073x/core.c
  c1224569cef0 ("dpll: zl3073x: make frequency monitor a per-device attribute")
  54e65df8cf18 ("dpll: zl3073x: report FFO as DPLL vs input reference offset")

net/iucv/af_iucv.c
  347fdd4df85f ("af_iucv: convert to getsockopt_iter")
  3589d20a666c ("net/iucv: fix locking in .getsockopt")

Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>net: skbuff: fix missing zerocopy reference in pskb_carve helpers</title>
<updated>2026-05-28T11:26:56+00:00</updated>
<author>
<name>Minh Nguyen</name>
<email>minhnguyen.080505@gmail.com</email>
</author>
<published>2026-05-26T04:12:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=98d0912e9f841e5529a5b89a972805f34cb1c69d'/>
<id>urn:sha1:98d0912e9f841e5529a5b89a972805f34cb1c69d</id>
<content type='text'>
pskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy
the old skb_shared_info header into a new buffer via memcpy(), which
includes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs.
Neither function calls net_zcopy_get() for the new shinfo, creating an
unaccounted holder: every skb_shared_info with destructor_arg set will
call skb_zcopy_clear() once when freed, but the corresponding
net_zcopy_get() was never called for the new copy. Repeated calls
drive uarg-&gt;refcnt to zero prematurely, freeing ubuf_info_msgzc while
TX skbs still hold live destructor_arg pointers.

KASAN reports use-after-free on a freed ubuf_info_msgzc:

  BUG: KASAN: slab-use-after-free in skb_release_data+0x77b/0x810
  Read of size 8 at addr ffff88801574d3e8 by task poc/220

  Call Trace:
   skb_release_data+0x77b/0x810
   kfree_skb_list_reason+0x13e/0x610
   skb_release_data+0x4cd/0x810
   sk_skb_reason_drop+0xf3/0x340
   skb_queue_purge_reason+0x282/0x440
   rds_tcp_inc_free+0x1e/0x30
   rds_recvmsg+0x354/0x1780
   __sys_recvmsg+0xdf/0x180

  Allocated by task 219:
   msg_zerocopy_realloc+0x157/0x7b0
   tcp_sendmsg_locked+0x2892/0x3ba0

  Freed by task 219:
   ip_recv_error+0x74a/0xb10
   tcp_recvmsg+0x475/0x530

The skb consuming the late access still referenced the same uarg via
shinfo-&gt;destructor_arg copied by pskb_carve_inside_nonlinear() without
a refcount bump. This has been verified to be reliably exploitable: a
working proof-of-concept achieves full root privilege escalation from
an unprivileged local user on a default kernel configuration.

The fix follows the pattern of pskb_expand_head() which has the same
memcpy/cloned structure. For pskb_carve_inside_header(), net_zcopy_get()
is placed after skb_orphan_frags() succeeds, so the orphan error path
needs no cleanup. For pskb_carve_inside_nonlinear(), net_zcopy_get() is
placed after all failure points and just before skb_release_data(), so
no error path needs cleanup at all -- matching pskb_expand_head() more
closely and avoiding the need for a balancing net_zcopy_put().

Fixes: 6fa01ccd8830 ("skbuff: Add pskb_extract() helper function")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-sonnet-4-6
Signed-off-by: Minh Nguyen &lt;minhnguyen.080505@gmail.com&gt;
Reviewed-by: Willem de Bruijn &lt;willemb@google.com&gt;
Link: https://patch.msgid.link/20260526041240.329462-1-minhnguyen.080505@gmail.com
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</content>
</entry>
<entry>
<title>net: Avoid checksumming unreadable skb tail on trim</title>
<updated>2026-05-26T13:21:27+00:00</updated>
<author>
<name>Björn Töpel</name>
<email>bjorn@kernel.org</email>
</author>
<published>2026-05-22T12:06:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=2e357f002c61fd76fd8f12468744a06a5ec48eaa'/>
<id>urn:sha1:2e357f002c61fd76fd8f12468744a06a5ec48eaa</id>
<content type='text'>
pskb_trim_rcsum_slow() keeps CHECKSUM_COMPLETE valid by subtracting
the checksum of the bytes removed from the skb tail. That assumes the
removed bytes can be read.

io_uring zcrx skbs may contain unreadable net_iov frags. With fbnic
header/data split, small TCP/IPv4 packets can carry Ethernet padding
in such a frag. ip_rcv_core() trims the skb to iph-&gt;tot_len before TCP
sees it, and the CHECKSUM_COMPLETE adjustment then calls
skb_checksum() on the padding.

This is exposed by IPv4 because small TCP/IPv4 frames can be shorter
than the Ethernet minimum payload. TCP/IPv6 frames are large enough in
the normal zcrx path, so they do not hit the same padding trim.

Keep the existing checksum adjustment for readable skbs. If the
remaining packet is fully linear, drop CHECKSUM_COMPLETE and let the
stack validate the packet after trimming. If unreadable payload would
remain, fail the trim; the checksum cannot be adjusted without reading
the trimmed tail.

Also clear skb-&gt;unreadable when trimming removes all frags.

Fixes: 65249feb6b3d ("net: add support for skbs with unreadable frags")
Signed-off-by: Björn Töpel &lt;bjorn@kernel.org&gt;
Reviewed-by: Breno Leitao &lt;leitao@debian.org&gt;
Link: https://patch.msgid.link/20260522120643.242974-1-bjorn@kernel.org
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</content>
</entry>
</feed>
