<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/net/smc, branch v7.2-rc1</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-05-28T21:02:21+00:00</updated>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net</title>
<updated>2026-05-28T21:02:21+00:00</updated>
<author>
<name>Jakub Kicinski</name>
<email>kuba@kernel.org</email>
</author>
<published>2026-05-21T22:02:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=d44646fc9eeb423ad50f3043f11f66f491d908a7'/>
<id>urn:sha1:d44646fc9eeb423ad50f3043f11f66f491d908a7</id>
<content type='text'>
Cross-merge networking fixes after downstream PR (net-7.1-rc6).

Conflicts:

drivers/net/phy/air_en8811h.c
  d895767c33781 ("net: phy: air_en8811h: add AN8811HB MCU assert/deassert support")
  dddfadd75197e ("net: phy: Add Airoha phy library for shared code")
  5226bb6634cdf ("net: phy: air_phy_lib: Factorize BuckPBus register accessors")
  e08f0ea6daf2e ("net: phy: Rename Airoha common BuckPBus register accessors")

net/sched/sch_netem.c
  a2f6ed7b4873 ("net/sched: netem: add per-impairment extended statistics")
  9552b11e3eda ("net/sched: fix packet loop on netem when duplicate is on")

Adjacent changes:

drivers/dpll/zl3073x/core.c
  c1224569cef0 ("dpll: zl3073x: make frequency monitor a per-device attribute")
  54e65df8cf18 ("dpll: zl3073x: report FFO as DPLL vs input reference offset")

net/iucv/af_iucv.c
  347fdd4df85f ("af_iucv: convert to getsockopt_iter")
  3589d20a666c ("net/iucv: fix locking in .getsockopt")

Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>net/smc: Do not re-initialize smc hashtables</title>
<updated>2026-05-23T00:38:02+00:00</updated>
<author>
<name>Alexandra Winter</name>
<email>wintera@linux.ibm.com</email>
</author>
<published>2026-05-21T14:56:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=9e4389b0038781f19f97895186ed941ff8ac1678'/>
<id>urn:sha1:9e4389b0038781f19f97895186ed941ff8ac1678</id>
<content type='text'>
INIT_HLIST_HEAD(&amp;smc_v*_hashinfo.ht) are called after smc_nl_init(),
proto_register() and sock_register(). This can lead to smc_v*_hashinfo.ht
being reset even though hash entries already exist and are being used,
possibly resulting in a corrupted list.

Remove unnecessary and dangerous re-initialisation of smc_v*_hashinfo.ht in
smc_init(); it is implicitly initialised to zero anyhow. Add
HLIST_HEAD_INIT to the definitions for clarity.

Fixes: f16a7dd5cf27 ("smc: netlink interface for SMC sockets")
Suggested-by: Halil Pasic &lt;pasic@linux.ibm.com&gt;
Signed-off-by: Alexandra Winter &lt;wintera@linux.ibm.com&gt;
Acked-by: Halil Pasic &lt;pasic@linux.ibm.com&gt;
Reviewed-by: Mahanta Jambigi &lt;mjambigi@linux.ibm.com&gt;
Link: https://patch.msgid.link/20260521145639.10317-1-wintera@linux.ibm.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>smc: Use flexible array for SMCD connections</title>
<updated>2026-05-21T00:13:18+00:00</updated>
<author>
<name>Rosen Penev</name>
<email>rosenp@gmail.com</email>
</author>
<published>2026-05-19T00:52:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=5026c42d7f147fb6bc4e063abfa5b52bfd52ca35'/>
<id>urn:sha1:5026c42d7f147fb6bc4e063abfa5b52bfd52ca35</id>
<content type='text'>
Store the per-DMB connection pointers in the SMCD device allocation
instead of allocating a separate connection array.

This keeps the connection table tied to the SMCD device lifetime and
simplifies the allocation and cleanup paths.

Signed-off-by: Rosen Penev &lt;rosenp@gmail.com&gt;
Reviewed-by: Sidraya Jayagond &lt;sidraya@linux.ibm.com&gt;
Link: https://patch.msgid.link/20260519005206.628071-1-rosenp@gmail.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net</title>
<updated>2026-05-14T17:08:06+00:00</updated>
<author>
<name>Jakub Kicinski</name>
<email>kuba@kernel.org</email>
</author>
<published>2026-04-30T19:49:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=878492af7d503f4b093ea903173500be00e9cbe7'/>
<id>urn:sha1:878492af7d503f4b093ea903173500be00e9cbe7</id>
<content type='text'>
Cross-merge networking fixes after downstream PR (net-7.1-rc4).

No conflicts, or adjacent changes.

Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot</title>
<updated>2026-05-14T10:20:06+00:00</updated>
<author>
<name>Xiang Mei</name>
<email>xmei5@asu.edu</email>
</author>
<published>2026-05-11T06:21:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=277740023def559a4a2ddc3e8e784ee37a0f16a9'/>
<id>urn:sha1:277740023def559a4a2ddc3e8e784ee37a0f16a9</id>
<content type='text'>
On the SMC-D client, slot 0 of ini-&gt;ism_dev[]/ini-&gt;ism_chid[] is
reserved for an SMC-Dv1 device. smc_find_ism_v2_device_clnt()
populates V2 entries starting at index 1, so when no V1 device is
selected slot 0 is left in its kzalloc()'ed state with ism_dev[0] ==
NULL and ism_chid[0] == 0.

smc_v2_determine_accepted_chid() then matches the peer's CHID against
the array starting from index 0 using the CHID alone. A malicious
peer replying to a SMC-Dv2-only proposal with d1.chid == 0 matches
the empty slot, ini-&gt;ism_selected becomes 0, and the subsequent
ism_dev[0]-&gt;lgr_lock dereference in smc_conn_create() faults at
offsetof(struct smcd_dev, lgr_lock) == 0x68:

  BUG: KASAN: null-ptr-deref in _raw_spin_lock_bh+0x79/0xe0
  Write of size 4 at addr 0000000000000068 by task exploit/144
  Call Trace:
   _raw_spin_lock_bh
   smc_conn_create (net/smc/smc_core.c:1997)
   __smc_connect (net/smc/af_smc.c:1447)
   smc_connect (net/smc/af_smc.c:1720)
   __sys_connect
   __x64_sys_connect
   do_syscall_64

Require ism_dev[i] to be non-NULL before accepting a CHID match.

Fixes: a7c9c5f4af7f ("net/smc: CLC accept / confirm V2")
Reported-by: Weiming Shi &lt;bestswngs@gmail.com&gt;
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Xiang Mei &lt;xmei5@asu.edu&gt;
Link: https://patch.msgid.link/20260511062138.2839584-1-xmei5@asu.edu
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</content>
</entry>
<entry>
<title>net/smc: avoid NULL deref of conn-&gt;lnk in smc_msg_event tracepoint</title>
<updated>2026-05-13T01:44:36+00:00</updated>
<author>
<name>Xiang Mei</name>
<email>xmei5@asu.edu</email>
</author>
<published>2026-05-10T22:26:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=7bf563badd37cb796df5477d2b78bb64148a1268'/>
<id>urn:sha1:7bf563badd37cb796df5477d2b78bb64148a1268</id>
<content type='text'>
The smc_msg_event tracepoint class, shared by smc_tx_sendmsg and
smc_rx_recvmsg, unconditionally dereferences smc-&gt;conn.lnk:

	__string(name, smc-&gt;conn.lnk-&gt;ibname)

conn-&gt;lnk is only set for SMC-R; for SMC-D it is NULL. Other code on
these paths already handles this (e.g. !conn-&gt;lnk in
SMC_STAT_RMB_TX_SIZE_SMALL()). With the tracepoint enabled, the first
sendmsg()/recvmsg() on an SMC-D socket crashes:

  Oops: general protection fault, probably for non-canonical address
  KASAN: null-ptr-deref in range [...]
  RIP: 0010:strlen+0x1e/0xa0
  Call Trace:
   trace_event_raw_event_smc_msg_event (net/smc/smc_tracepoint.h:44)
   smc_rx_recvmsg (net/smc/smc_rx.c:515)
   smc_recvmsg (net/smc/af_smc.c:2859)
   __sys_recvfrom (net/socket.c:2315)
   __x64_sys_recvfrom (net/socket.c:2326)
   do_syscall_64

The faulting address 0x3e0 is offsetof(struct smc_link, ibname),
confirming the NULL -&gt;lnk deref. Enabling the tracepoint requires
root, but the trigger itself is unprivileged: socket(AF_SMC, ...) has
no capability check, and SMC-D negotiation needs no admin step on
s390 or on x86 with the loopback ISM device loaded.

Log an empty device name for SMC-D instead of dereferencing NULL.

Fixes: aff3083f10bf ("net/smc: Introduce tracepoints for tx and rx msg")
Reported-by: Weiming Shi &lt;bestswngs@gmail.com&gt;
Signed-off-by: Xiang Mei &lt;xmei5@asu.edu&gt;
Reviewed-by: Dust Li &lt;dust.li@linux.alibaba.com&gt;
Reviewed-by: Sidraya Jayagond &lt;sidraya@linux.ibm.com&gt;
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS</title>
<updated>2026-05-13T01:43:40+00:00</updated>
<author>
<name>Nicolò Coccia</name>
<email>n.coccia96@gmail.com</email>
</author>
<published>2026-05-10T16:34:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=a3fdd924d88c30b9f488636ce0e4696012cf5511'/>
<id>urn:sha1:a3fdd924d88c30b9f488636ce0e4696012cf5511</id>
<content type='text'>
A logic flaw in __smc_setsockopt() allows a local unprivileged user to
cause a Denial of Service (DoS) by holding the socket lock indefinitely.

The function __smc_setsockopt() calls copy_from_sockptr() while holding
lock_sock(sk). By passing a userfaultfd-monitored memory page (or
FUSE-backed memory on systems where unprivileged userfaultfd is disabled)
as the optval, an attacker can halt execution during the copy operation,
keeping the lock held.

Combined with asynchronous tear-down operations like shutdown(), this
exhausts the kernel wq (kworkers) and triggers the hung task watchdog.

[  240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
[  240.123489] Call Trace:
[  240.123501]  smc_shutdown+...
[  240.123512]  lock_sock_nested+...

This patch moves the user-space copy outside the lock_sock() critical
section to prevent the issue.

Fixes: a6a6fe27bab4 ("net/smc: Dynamic control handshake limitation by socket options")
Signed-off-by: Nicolò Coccia &lt;n.coccia96@gmail.com&gt;
Reviewed-by: Dust Li &lt;dust.li@linux.alibaba.com&gt;
Tested-by: Dust Li &lt;dust.li@linux.alibaba.com&gt;
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net</title>
<updated>2026-05-07T18:19:07+00:00</updated>
<author>
<name>Jakub Kicinski</name>
<email>kuba@kernel.org</email>
</author>
<published>2026-04-30T19:49:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6a4c4656b0d2d4056a1f0c35442db4e8a5cf8021'/>
<id>urn:sha1:6a4c4656b0d2d4056a1f0c35442db4e8a5cf8021</id>
<content type='text'>
Cross-merge networking fixes after downstream PR (net-7.1-rc3).

Conflicts:

net/ipv4/igmp.c
  726fa7da2d8c ("ipv4: igmp: get rid of IGMPV3_{QQIC,MRC} and simplify calculation")
  c6bebaa744f7 ("ipv4: igmp: annotate data-races in igmp_heard_query()")
https://lore.kernel.org/a7365e4873340f7a5e30411207de3bf9@kernel.org

Adjacent changes:

net/psp/psp_main.c
  30cb24f97d44 ("psp: strip variable-length PSP header in psp_dev_rcv()")
  c2b22277ad89 ("psp: validate IPv4 header fields in psp_dev_rcv()")

net/sched/sch_fq_codel.c
  f83e07b29246 ("net/sched: sch_fq_codel: annotate data-races from fq_codel_dump_class_stats()")
  3f3aa77ff1c8 ("net/sched: add qstats_cpu_drop_inc() helper")

net/wireless/pmsr.c
  0f3c0a197309 ("wifi: nl80211: fix NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST usage")
  410aa47fd9d3 ("wifi: cfg80211: allow suppressing FTM result reporting for PD requests")

Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>net/smc: fix missing sk_err when TCP handshake fails</title>
<updated>2026-05-07T15:36:34+00:00</updated>
<author>
<name>D. Wythe</name>
<email>alibuda@linux.alibaba.com</email>
</author>
<published>2026-05-06T01:41:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=9032f7676935a13fd402608223d326c5f62da9c0'/>
<id>urn:sha1:9032f7676935a13fd402608223d326c5f62da9c0</id>
<content type='text'>
In smc_connect_work(), when the underlying TCP handshake fails, the error
code (rc) must be propagated to sk_err to ensure userspace can correctly
retrieve the error status via SO_ERROR. Currently, the code only handles
a restricted set of error codes (e.g., EPIPE, ECONNREFUSED). If other
errors occurs, such as EHOSTUNREACH, sk_err remains unset (zero).

This affects applications that rely on SO_ERROR to determine connect
outcome. For example, higher versions of Go's netpoller treats
SO_ERROR == 0 combined with a failed getpeername() as a spurious wakeup
and re-enters epoll_wait(). Under ET mode, no further edge will be
generated since the socket is already in a terminal state, causing the
connect to hang indefinitely or until a user-specified timeout, if one
is set.

Fixes: 50717a37db03 ("net/smc: nonblocking connect rework")
Signed-off-by: D. Wythe &lt;alibuda@linux.alibaba.com&gt;
Reviewed-by: Dust Li &lt;dust.li@linux.alibaba.com&gt;
Link: https://patch.msgid.link/20260506014105.27093-1-alibuda@linux.alibaba.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>net/smc: cap allocation order for SMC-R physically contiguous buffers</title>
<updated>2026-05-01T00:33:11+00:00</updated>
<author>
<name>D. Wythe</name>
<email>alibuda@linux.alibaba.com</email>
</author>
<published>2026-04-29T02:16:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=4cc5130ee84adcc8904772df44d64e59727c72bd'/>
<id>urn:sha1:4cc5130ee84adcc8904772df44d64e59727c72bd</id>
<content type='text'>
The alloc_pages() cannot satisfy requests exceeding MAX_PAGE_ORDER,
and attempting such allocations will lead to guaranteed failures
and potential kernel warnings.

For SMCR_PHYS_CONT_BUFS, cap the allocation order to MAX_PAGE_ORDER.
This ensures the attempts to allocate the largest possible physically
contiguous chunk succeed, instead of failing with an invalid order.
This also avoids redundant "try-fail-degrade" cycles in
__smc_buf_create().

For SMCR_MIXED_BUFS, no cap is needed: if the order exceeds
MAX_PAGE_ORDER, alloc_pages() will silently fail (__GFP_NOWARN)
and automatically fall back to virtual memory.

Signed-off-by: D. Wythe &lt;alibuda@linux.alibaba.com&gt;
Reviewed-by: Dust Li &lt;dust.li@linux.alibaba.com&gt;
Reviewed-by: Simon Horman &lt;horms@kernel.org&gt;
Reviewed-by: Sidraya Jayagond &lt;sidraya@linux.ibm.com&gt;
Link: https://patch.msgid.link/20260429021637.21815-1-alibuda@linux.alibaba.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
</feed>
