<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-next.git/net/socket.c, branch master</title>
<subtitle>Linux kernel latest source</subtitle>
<id>http://mirrors.hust.edu.cn/git/linux-next.git/atom?h=master</id>
<link rel='self' href='http://mirrors.hust.edu.cn/git/linux-next.git/atom?h=master'/>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/'/>
<updated>2026-07-03T15:21:11+00:00</updated>
<entry>
<title>Merge branch 'master' of git://git.code.sf.net/p/tomoyo/tomoyo.git</title>
<updated>2026-07-03T15:21:11+00:00</updated>
<author>
<name>Mark Brown</name>
<email>broonie@kernel.org</email>
</author>
<published>2026-07-03T15:21:11+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=e1c68a43919d23be3c16bd28e080b381f769eadf'/>
<id>urn:sha1:e1c68a43919d23be3c16bd28e080b381f769eadf</id>
<content type='text'>
</content>
</entry>
<entry>
<title>net: update dev_put()/dev_hold() debugging</title>
<updated>2026-06-29T11:26:36+00:00</updated>
<author>
<name>Tetsuo Handa</name>
<email>penguin-kernel@I-love.SAKURA.ne.jp</email>
</author>
<published>2026-06-29T11:26:36+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=bfe347a0819f2fb26d0c6d2fecc3b92c09a97ea0'/>
<id>urn:sha1:bfe347a0819f2fb26d0c6d2fecc3b92c09a97ea0</id>
<content type='text'>
This change is not for upstream. This change is for linux-next only.

syzbot is still reporting

  unregister_netdevice: waiting for DEV to become free

problem. Since commit 4c6c11ea0f7b ("net: refine dev_put()/dev_hold()
debugging") is not sufficient for me, let's try to report all locations
which called dev_put()/dev_hold(), with a hope that we can find some hints
for locations where dev_put() is missing.

Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
</content>
</entry>
<entry>
<title>fs: Add bpf_sock_read_xattr() kfunc to read socket xattrs</title>
<updated>2026-06-29T08:31:14+00:00</updated>
<author>
<name>Christian Brauner</name>
<email>brauner@kernel.org</email>
</author>
<published>2026-06-17T11:18:27+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=b4e124d16855213409f5dfa6aa18b81cd00fdbba'/>
<id>urn:sha1:b4e124d16855213409f5dfa6aa18b81cd00fdbba</id>
<content type='text'>
In c8db08110cbe ("Merge tag 'vfs-7.1-rc1.xattr' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs")
we added support for extended attributes for sockets. This comes in two
flavors: sockfs and non-sockfs/filesystem sockets. Filesystem sockets
are actual filesystem objects so reading xattrs must use dedicated fs
helpers such as bpf_get_dentry_xattr() and bpf_get_file_xattr(). Those
are inherently sleeping operations. Sockfs sockets on the other hand
don't need to use sleeping operations as the underlying data structure
is lockless. In addition, retrieval of sockfs extended attributes often
happens from LSM hooks that only provide struct socket and it's
completely nonsensical to grab a reference to a file, then force a
sleeping operation to retrieve the xattr and drop the reference. We know
that the sockfs file cannot go away while the LSM hook runs.

This series adds a bpf_sock_read_xattr() kfunc that, given a struct
socket, reads a user.* extended attribute from the socket's sockfs inode
into a bpf_dynptr. Together with fsetxattr() from userspace this lets a
process label a socket with a user.* xattr and have a BPF LSM program
retrieve that label locklessly. The kfunc mirrors the existing
bpf_cgroup_read_xattr(), including the restriction to the user.*
namespace.

systemd uses user.* xattrs on sockets to implement socket rate limiting
and to tag sockets for other purposes [1] such as implementing a varlink
registry. There is currently no efficient way for a BPF program to read
those labels back. The new helper allows a listening socket marked with
an extended attribute to be read back during bind/connect and then act
on the connect()ing socket. Extended attributes make it possible to
allow an unprivileged user manager such as systemd --user to mark
sockets from userspace and then rediscover them or implement policies.

The kfunc is registered KF_RCU and only for BPF LSM programs. A struct
socket is only guaranteed to live in sockfs when an LSM socket hook hands
it out, which is what keeps SOCK_INODE() valid. Sockets that embed struct
socket outside sockfs (tun, tap) are only reachable from tracing programs
and are excluded by the registration. (Btw, for consistency it would
be nice to force allocation of struct socket from sockfs instead of
simply embedding it in e.g., struct tun_file which makes the SOCKFS_I()
pattern a hazard - at least outside of sockfs functions.)

The read never sleeps and takes no lock. For sockfs the value lives in
the inode's in-memory xattr store and simple_xattr_get() resolves it
with an RCU-protected rhashtable lookup, taking neither the inode lock
nor any xattr lock. The kfunc is therefore usable from both sleepable
and non-sleepable LSM hooks.

Link: https://github.com/systemd/systemd/pull/40559 [1]
Link: https://patch.msgid.link/20260617-work-bpf-sock-xattr-v1-1-a1276f7c9da3@kernel.org
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</content>
</entry>
<entry>
<title>Merge tag 'net-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next</title>
<updated>2026-06-17T07:17:00+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-17T07:17:00+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=b85966adbf5de0668a815c6e3527f87e0c387fb4'/>
<id>urn:sha1:b85966adbf5de0668a815c6e3527f87e0c387fb4</id>
<content type='text'>
Pull networking updates from Jakub Kicinski:
 "Core &amp; protocols:

   - Work on removing rtnl_lock protection throughout the stack
     continues. In this chapter:
       - don't use rtnl_lock for IPv6 multicast routing configuration
       - don't take rtnl_lock in ethtool for modern drivers
       - prepare Qdisc dump callbacks for rtnl_lock removal

   - Support dumping just ifindex + name of all interfaces, under RCU.
     It's a common operation for Netlink CLI tools (when translating
     names to ifindexes) and previously required full rtnl_lock.

   - Support dumping qdiscs and page pools for a specific netdev. Even
     tho user space wants a dump of all netdevs, most of the time, the
     OOO programming model results in repeating the dump for each
     netdev. Which, in absence of a cache, leads to a O(n^2) behavior.

   - Flush nexthops once on multi-nexthop removal (e.g. when device goes
     down), another O(n^2) -&gt; O(n) improvement.

   - Rehash locally generated traffic to a different nexthop on
     retransmit timeout.

   - Honor oif when choosing nexthop for locally generated IPv6 traffic.

   - Convert TCP Auth Option to crypto library, and drop non-RFC algos.

   - Increase subflow limits in MPTCP to 64 and endpoint limit to 256.

   - Support MPTCP signaling of IPv6 address + port (ADD_ADDR). We need
     to selectively skip reporting of the standard TCP Timestamp option,
     because they won't fit into the header space together (12 + 30 &gt;
     40).

   - Support using bridge neighbor suppression, Duplicate Address
     Detection, Gratuitous ARP and unsolicited NA forwarding - in EVPN
     deployments, e.g. VXLAN fabrics (IPv4 and IPv6).

   - Improve link state reporting for upper netdevs (e.g. macvlan) over
     tunnel devices (again, mostly for EVPN deployments).

   - Support binding GENEVE tunnels to a local address.

   - Speed up UDP tunnel destruction (remove one synchronize_rcu()).

   - Support exponential field encoding in multicast (IGMPv3 and MLDv2).

   - Support attaching PSP crypto offload to containers (veth, netkit).

   - Add a new IPSec Netlink message XFRM_MSG_MIGRATE_STATE that allows
     migrating individual IPsec SAs independently of their policies.

     The existing XFRM_MSG_MIGRATE is tightly coupled to policy+SA
     migration, lacks SPI for unique SA identification, and cannot
     express reqid changes or migrate Transport mode selectors.

     The new interface identifies the SA via SPI and mark, supports
     reqid changes, address family changes, encap removal, and uses an
     atomic create+install flow under x-&gt;lock to prevent SN/IV reuse
     during AEAD SA migration.

   - Implement GRO/GSO support for PPPoE.

   - Convert sockopt callbacks in a number of protocols to iov_iter.

  Cross-tree stuff:

   - Remove support for Crypto TFM cloning (unblocked after the TCP Auth
     Option rework). This feature regressed performance for all crypto
     API users, since it changed crypto transformation objects into
     reference-counted objects.

   - Add FCrypt-PCBC implementation to rxrpc and remove it from the
     global crypto API as obsolete and insecure.

  Wireless:

   - Major rework of station bandwidth handling, fixing issues with
     lower capability than AP.

   - Cleanups for EMLSR spec issues (drafts differed).

   - More Neighbor Awareness Networking (Wi-Fi Aware) work (multicast,
     schedule improvements, multi-station etc.)

   - Some Ultra High Reliability (UHR) / IEEE 802.11bn (D1.4) work
     (e.g. non-primary channel access, UHR DBE support).

   - Fine Timing Measurement ranging (i.e. distance measurement) APIs.

  Netfilter:

   - Use per-rule hash initval in nf_conncount. This avoids unnecessary
     lock contention with short keys (e.g. conntrack zones) in different
     namespaces.

   - Various safety improvements, both in packet parsing and object
     lifetimes. Notably add refcounts to conntrack timeout policy.

  Deletions:

   - Remove TLS + sockmap integration. TLS wants to pin user pages to
     avoid a copy, and sockmap wants to write to the input stream. More
     work on this integration is clearly needed, and we can't find any
     users (original author admitted that they never deployed it).

   - Remove support for TLS offload with TCP Offload Engine (the far
     more common opportunistic offload is retained). The locking looks
     unfixable (driver sleeps under TCP spin locks) and people from the
     vendor that added this are AWOL.

   - Remove more ATM code, trying to leave behind only what PPPoATM
     needs, AAL5 and br2684 with permanent circuits.

   - Remove AppleTalk. Let it join hamradio in our out of tree protocol
     graveyard, I mean, repository.

   - Disable 32-bit x_tables compatibility (32bit binaries on 64bit
     kernel) interface in user namespaces. To be deleted completely,
     soon.

   - Remove 5/10 MHz support from cfg80211/mac80211.

  Drivers:

   - Software:
       - Support DEVMEM/DMABUF Tx over NETMEM_TX_NO_DMA devices (netkit)
       - bonding: add knob to strictly follow 802.3ad for link state

   - New drivers:
       - Alibaba Elastic Ethernet Adaptor (cloud vNIC).
       - NXP NETC switch within i.MX94.

   - DPLL:
       - Add operational state to pins (implement in zl3073x).
       - Add generic DPLL type, for daisy-chaining DPLLs (implement in ice).

   - Ethernet high-speed NICs:
       - Huawei (hinic3):
           - enhance tc flow offload support with queue selection,
             tunnels
       - nVidia/Mellanox:
           - avoid over-copying payload to the skb's linear part (up to
             60% win for LRO on slow CPUs like ARM64 V2)
           - expose more per-queue stats over the standard API
           - support additional, unprivileged PFs in the DPU
             configuration
           - support Socket Direct (multi-PF) with switchdev offloads
           - add a pool / frag allocator for DMA mapped buffers for
             control objects, save memory on systems with 64kB page size
           - take advantage of the ability to dynamically change RSS
             table size, even when table is configured by the user
           - increase the max RSS table size for even traffic
             distribution

   - Ethernet NICs:
       - Marvell/Aquantia:
           - AQC113 PTP support
       - Realtek USB (r8152):
           - support 10Gbit Link Speeds and Energy-Efficient Ethernet
             (EEE)
           - support firmware loaded (for RTL8157/RTL8159)
           - support for the RTL8159
       - Intel (ixgbe):
           - support Energy-Efficient Ethernet (EEE) on E610 devices

   - Ethernet switches:
       - Airoha:
           - support multiple netdevs on a single GDM block / port
       - Marvell (mv88e6xxx):
           - support SERDES of mv88e6321
       - Microchip (ksz8/9):
           - rework the driver callbacks to remove one indirection layer
       - Motorcomm (yt921x):
           - support port rate policing
           - support TBF qdisc offload
           - support ACL/flower offload
       - nVidia/Mellanox:
           - expose per-PG rx_discards
       - Realtek:
           - rtl8365mb: bridge offloading and VLAN support

   - Ethernet PHYs:
       - Airoha:
           - support Airoha AN8801R Gigabit PHYs.
       - Micrel:
           - implement 3 low-loss cable tunables
       - Realtek:
           - support MDI swapping for RTL8226-CG
           - support MDIO for RTL931x
       - Qualcomm:
           - at803x: Rx and Tx clock management for IPQ5018 PHY
       - Motorcomm:
           - support YT8522 100M RMII PHY
           - set drive strength in YT8531s RGMII
       - TI:
           - dp83822: add optional external PHY clock

   - Bluetooth:
       - hci_sync: add support for HCI_LE_Set_Host_Feature [v2]
       - SMP: use AES-CMAC library API
       - Intel:
           - support Product level reset
           - support smart trigger dump
       - Mediatek:
           - add event filter to filter specific event
       - Realtek:
           - fix RTL8761B/BU broken LE extended scan

   - WiFi:
       - Broadcom (b43):
           - new support for a 11n device
       - MediaTek (mt76):
           - support mt7927
           - mt792x: broken usb transport detection
           - mt7921: regulatory improvements
       - Qualcomm (ath9k):
           - GPIO interface improvements
       - Qualcomm (ath12k):
           - WDS support
           - replace dynamic memory allocation in WMI Rx path
           - thermal throttling/cooling device support
           - 6 GHz incumbent interference detection
           - channel 177 in 5 GHz
       - Realtek (rt89):
           - RTL8922AU support
           - USB 3 mode switch for performance
           - better monitor radiotap support
           - RTL8922DE preparations"

* tag 'net-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next: (1778 commits)
  ipv4: fib_rule: Move fib4_rules_exit() to -&gt;exit().
  net: serialize netif_running() check in enqueue_to_backlog()
  net: skmsg: preserve sg.copy across SG transforms
  appletalk: move the protocol out of tree
  appletalk: stop storing per-interface state in struct net_device
  selftests/bpf: test that TLS crypto is rejected on a sockmap socket
  selftests/bpf: drop the unused kTLS program from test_sockmap
  selftests/bpf: remove sockmap + ktls tests
  tls: remove dead sockmap (psock) handling from the SW path
  tls: reject the combination of TLS and sockmap
  atm: remove orphaned uAPI for deleted drivers, protocols and SVCs
  atm: remove unused ATM PHY operations
  atm: remove the unused pre_send and send_bh device operations
  atm: remove the unused change_qos device operation
  atm: remove SVC socket support and the signaling daemon interface
  atm: remove the local ATM (NSAP) address registry
  atm: remove dead SONET PHY ioctls
  atm: remove the unused send_oam / push_oam callbacks
  atm: remove AAL3/4 transport support
  net: dsa: sja1105: fix lastused timestamp in flower stats
  ...
</content>
</entry>
<entry>
<title>Merge tag 'v7.2-p1' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6</title>
<updated>2026-06-16T03:31:23+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-16T03:31:23+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=0d8c1134936f1fb6678156ab4248ac740d274525'/>
<id>urn:sha1:0d8c1134936f1fb6678156ab4248ac740d274525</id>
<content type='text'>
Pull crypto updates from Herbert Xu:
 "API:
   - Drop support for off-CPU cryptography in af_alg
   - Document that af_alg is *always* slower
   - Document the deprecation of af_alg
   - Remove zero-copy support from skcipher and aead in af_alg
   - Cap AEAD AD length to 0x80000000 in af_alg
   - Free default RNG on module exit

  Algorithms:
   - Fix vli multiplication carry overflow in ecc
   - Drop unused cipher_null crypto_alg
   - Remove unused variants of drbg
   - Use lib/crypto in drbg
   - Use memcpy_from/to_sglist in authencesn
   - Allow authenc(hmac(sha{256,384}),cts(cbc(aes))) in FIPS mode
   - Disallow RSA PKCS#1 SHA-1 sig algs in FIPS mode
   - Filter out async aead implementations at alloc in krb5
   - Fix non-parallel fallback by rstoring callback in pcrypt
   - Validate poly1305 template argument in chacha20poly1305

  Drivers:
   - Add sysfs PCI reset support to qat
   - Add KPT support for GEN6 devices to qat
   - Remove unused character device and ioctls from qat
   - Add support for hw access via SMCC to mtk
   - Remove prng support from crypto4xx
   - Remove prng support from hisi-trng
   - Remove prng support from sun4i-ss
   - Remove prng support from xilinx-trng
   - Remove loongson-rng
   - Remove exynos-rng

  Others:
   - Remove support for AIO on sockets"

* tag 'v7.2-p1' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (196 commits)
  crypto: tegra - fix refcount leak in tegra_se_host1x_submit()
  crypto: rng - Free default RNG on module exit
  crypto: testmgr - allow authenc(hmac(sha{256,384}),cts(cbc(aes))) in FIPS mode
  hwrng: jh7110 - fix refcount leak in starfive_trng_read()
  crypto: atmel-ecc - drop dead code in atmel_ecdh_max_size
  crypto: cavium/cpt - fix DMA cleanup using wrong loop index
  crypto: marvell/octeontx - fix DMA cleanup using wrong loop index
  MAINTAINERS: make myself the maintainer of the Qualcomm QCE driver
  crypto: amcc - convert irq_of_parse_and_map to platform_get_irq
  crypto: sun4i-ss - Remove insecure and unused rng_alg
  hwrng: xilinx - Move xilinx-rng into drivers/char/hw_random/
  crypto: xilinx-trng - Replace crypto_drbg_ctr_df() with HMAC-SHA512
  crypto: xilinx-trng - Fix return value of xtrng_hwrng_trng_read()
  crypto: xilinx-trng - Remove crypto_rng interface
  crypto: exynos-rng - Remove exynos-rng driver
  hwrng: hisi-trng - Move hisi-trng into drivers/char/hw_random/
  crypto: hisi-trng - Remove crypto_rng interface
  crypto: loongson - Remove broken and unused loongson-rng
  crypto: crypto4xx - Remove insecure and unused rng_alg
  crypto: qat - validate RSA CRT component lengths
  ...
</content>
</entry>
<entry>
<title>Merge tag 'vfs-7.2-rc1.xattr' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs</title>
<updated>2026-06-14T22:24:54+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-14T22:24:54+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=ff8747aacaff8266dd751b8a8648fb728dcc3b21'/>
<id>urn:sha1:ff8747aacaff8266dd751b8a8648fb728dcc3b21</id>
<content type='text'>
Pull simple_xattr updates from Christian Brauner:
 "This reworks the simple xattr api to make it more efficient and easier
  to use for all consumers.

  The simple_xattr hash table moves from the inode into a per-superblock
  cache, removing the per-inode overhead for the common case of few or
  no xattrs. The interface now passes struct simple_xattrs ** so lazy
  allocation is handled internally instead of by every caller, kernfs
  xattr operations on kernfs nodes shared between multiple superblocks
  are properly serialized, and tmpfs constructs "security.foo" xattr
  names with kasprintf() instead of kmalloc() plus two memcpy()s.

  A follow-up fix links kernfs nodes to their parent before the LSM init
  hook runs: with the per-sb cache kernfs_xattr_set() computes the cache
  via kernfs_root(kn), which faulted on a freshly allocated node when
  selinux_kernfs_init_security() called into it - reproducible as a NULL
  pointer dereference on the first cgroup mkdir on SELinux-enabled
  systems.

  On top of this bpffs gains support for trusted.* and security.* xattrs
  so that user space and BPF LSM programs can attach metadata - for
  example a content hash or a security label - to pinned objects and
  directories and inspect it uniformly like on other filesystems. The
  store is in-memory and non-persistent, living only for the lifetime of
  the mount like everything else in bpffs"

* tag 'vfs-7.2-rc1.xattr' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
  bpf: Add simple xattr support to bpffs
  kernfs: link kn to its parent before the LSM init hook
  simpe_xattr: use per-sb cache
  simple_xattr: change interface to pass struct simple_xattrs **
  tmpfs: simplify constructing "security.foo" xattr names
  kernfs: fix xattr race condition with multiple superblocks
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net</title>
<updated>2026-06-11T21:33:35+00:00</updated>
<author>
<name>Jakub Kicinski</name>
<email>kuba@kernel.org</email>
</author>
<published>2026-06-11T21:29:53+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=dad4d4b92a9b9f0edb8c66deda049da1b62f6089'/>
<id>urn:sha1:dad4d4b92a9b9f0edb8c66deda049da1b62f6089</id>
<content type='text'>
Cross-merge networking fixes after downstream PR (net-7.1-rc8).

Conflicts:

drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c
  f67aead16e85 ("net: txgbe: rework service event handling")
  57d39faed4c9 ("net: txgbe: improve functions of AML 40G devices")

net/rds/info.c
  512db8267b73 ("rds: mark snapshot pages dirty in rds_info_getsockopt()")
  6e94eeb2a2a6 ("rds: convert to getsockopt_iter")

Adjacent changes:

include/net/sock.h
  1ee90b77b727 ("net: guard timestamp cmsgs to real error queue skbs")
  f0de88303d5e ("net: make is_skb_wmem() available to modules")

Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>net: guard timestamp cmsgs to real error queue skbs</title>
<updated>2026-06-10T01:32:08+00:00</updated>
<author>
<name>Kyle Zeng</name>
<email>kylebot@openai.com</email>
</author>
<published>2026-06-07T02:18:19+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=1ee90b77b727df903033db873c75caac5c27ec98'/>
<id>urn:sha1:1ee90b77b727df903033db873c75caac5c27ec98</id>
<content type='text'>
skb_is_err_queue() treats PACKET_OUTGOING as the sole marker for an skb
from sk_error_queue. That assumption is not true for AF_PACKET sockets:
outgoing packet taps are also delivered to packet sockets with
skb-&gt;pkt_type == PACKET_OUTGOING, but their skb-&gt;cb is owned by AF_PACKET
instead of struct sock_exterr_skb.

If such an skb is received with timestamping enabled, the generic
timestamp cmsg path can read AF_PACKET control-buffer state as
sock_exterr_skb::opt_stats. With SO_RXQ_OVFL enabled, the packet drop
counter overlaps opt_stats. An odd drop count makes the path emit
SCM_TIMESTAMPING_OPT_STATS with skb-&gt;len and skb-&gt;data. For non-linear
skbs this copies past the linear head and can trigger hardened usercopy or
disclose adjacent heap contents.

Keep skb_is_err_queue() local to net/socket.c, but make it verify that
the PACKET_OUTGOING marker is paired with the sock_rmem_free destructor
installed by sock_queue_err_skb(). AF_PACKET receive skbs use normal
receive ownership and no longer pass as error-queue skbs, while legitimate
sk_error_queue entries keep the PACKET_OUTGOING marker and sock_rmem_free
ownership.

Fixes: 8605330aac5a ("tcp: fix SCM_TIMESTAMPING_OPT_STATS for normal skbs")
Signed-off-by: Kyle Zeng &lt;kylebot@openai.com&gt;
Reviewed-by: Kuniyuki Iwashima &lt;kuniyu@google.com&gt;
Reviewed-by: Willem de Bruijn &lt;willemb@google.com&gt;
Link: https://patch.msgid.link/20260607021819.49698-1-kylebot@openai.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>simpe_xattr: use per-sb cache</title>
<updated>2026-06-06T13:21:41+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2026-06-05T13:53:19+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=1e7cd8a53b72a58a44c4d282aed95f6ce0e76db0'/>
<id>urn:sha1:1e7cd8a53b72a58a44c4d282aed95f6ce0e76db0</id>
<content type='text'>
Move the hash table to the super block to remove excessive overhead in case
of small number of xattrs per inode.

Add linked list to the inode, used for listxattr and eviction.  Listxattr
uses rcu protection to iterate the list of xattrs.

Before being made per-sb, lazy allocation was protected by inode lock.  Now
inode lock no longer provides sufficient exclusion, so use cmpxchg() to
ensure atomicity.

Though I haven't found a description of this pattern, after some research
it seems that cmpxchg_release() and READ_ONCE() should provide the
necessary memory barriers.

Use simple_xattr_free_rcu() in simple_xattrs_free(). This is needed because
the hash table is now shared between inodes and lookup on a different inode
might be running the compare function on the just freed element within the
RCU grace period.

Following stats are based on slabinfo diff, after creating 100k empty
files, then adding a "user.test=foo" xattr to each:

v7.0 (no rhashtable):
  File creation: 993.40 bytes/file
  Xattr addition: 79.99 bytes/file

v7.1-rc2 (per-inode rhashtable):
  File creation: 939.73 bytes/file
  Xattr addition: 1296.08 bytes/file

v7.1-rc2 + this patch (per-sb rhashtable)
  File creation: 946.84 bytes/file
  Xattr addition: 111.86 bytes/file

The overhead of a single xattr is reduced to nearly v7.0 levels.  The per
xattr overhead is slightly larger due to the addition of three pointers to
struct simple_xattr.

Fixes: b32c4a213698 ("xattr: add rhashtable-based simple_xattr infrastructure")
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Link: https://patch.msgid.link/20260605135322.2632068-5-mszeredi@redhat.com
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</content>
</entry>
<entry>
<title>simple_xattr: change interface to pass struct simple_xattrs **</title>
<updated>2026-06-06T13:21:41+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2026-06-05T13:53:18+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=076e5cef28e27febfc09b5f72544d2b857c75201'/>
<id>urn:sha1:076e5cef28e27febfc09b5f72544d2b857c75201</id>
<content type='text'>
Change the simple_xattr API to accept pointer-to-pointer (struct
simple_xattrs **) instead of pointer.  This allows the functions to handle
lazy allocation internally without requiring callers to use
simple_xattrs_lazy_alloc().

The simple_xattr_set(), simple_xattr_set_limited() and simple_xattr_add()
functions now handle allocation when xattrs is NULL.  simple_xattrs_free()
now also frees the xattrs structure itself and sets the pointer to NULL.

This simplifies callers and removes the need for most callers to explicitly
manage xattrs allocation and lifetime.

In shmem_initxattrs(), the total required space for all initial xattrs
(ispace) is pre-calculated and deducted from sbinfo-&gt;free_ispace.

Since this patch modifies the function to add new xattrs directly to the
inode's &amp;info-&gt;xattrs list rather than using a local temporary variable, a
failure means that the partially populated info-&gt;xattrs list remains
attached to the inode.

When the VFS caller handles the -ENOMEM error, it drops the newly created
inode via iput(), shmem_free_inode() adds freed to sbinfo-&gt;free_ispace a
second time, permanently inflating the tmpfs free space quota.

Fix by substracting already added xattrs from ispace.

Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Link: https://patch.msgid.link/20260605135322.2632068-4-mszeredi@redhat.com
Signed-off-by: Christian Brauner (Amutable) &lt;brauner@kernel.org&gt;
</content>
</entry>
</feed>
