<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-toradex.git, branch toradex_6.18-2.0.x-imx</title>
<subtitle>Linux kernel for Apalis and Colibri modules</subtitle>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/'/>
<entry>
<title>LF-18465: firmware: imx: se_ctrl: raise MAX_DATA_SIZE_PER_USER to 128 KiB</title>
<updated>2026-06-09T02:25:20+00:00</updated>
<author>
<name>Pankaj Gupta</name>
<email>pankaj.gupta@nxp.com</email>
</author>
<published>2026-06-08T14:52:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=b096ce610e956cc2596006343df8a2a26ed6e019'/>
<id>b096ce610e956cc2596006343df8a2a26ed6e019</id>
<content type='text'>
MAX_DATA_SIZE_PER_USER is currently defined as 65 KiB. However, the
kernel does not back this request with an exact 65 KiB physically
contiguous allocation.

For DMA-capable buffers, Linux allocates memory in page-based,
power-of-two orders. With a 4 KiB page size, a 65 KiB request spans
17 pages, which cannot be satisfied as-is by the buddy allocator.
The allocator therefore rounds the request up to the next supported
order, i.e. 32 pages = 128 KiB. In other words, requesting 65 KiB
already results in a 128 KiB allocation in practice.

Keeping the software-visible limit at 65 KiB while the kernel allocates
128 KiB creates an unnecessary mismatch between:
  - the constant used in the driver,
  - the actual backing allocation size, and
  - the memory/reserved-memory expectations communicated to users.

This mismatch is confusing during code review, debug, memory sizing,
and user-guide documentation, because the code suggests a 65 KiB limit
while the real allocation footprint is 128 KiB. The existing value also
artificially hides the fact that the kernel already reserves 128 KiB for
this buffer due to allocator granularity.

Update MAX_DATA_SIZE_PER_USER to 128 KiB so that the driver constant
matches the real allocation behaviour of the kernel. This makes the
limit explicit, removes ambiguity, and keeps the implementation aligned
with reserved-memory guidance and buffer sizing expectations. The
underlying allocator behaviour does not change; this patch simply makes
the driver reflect what the kernel already allocates.

Signed-off-by: Pankaj Gupta &lt;pankaj.gupta@nxp.com&gt;
Reviewed-by: Meenakshi Aggarwal &lt;meenakshi.aggarwal@nxp.com&gt;
Reviewed-by: Rahul Kumar Yadav &lt;rahulkumar.yadav@nxp.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
MAX_DATA_SIZE_PER_USER is currently defined as 65 KiB. However, the
kernel does not back this request with an exact 65 KiB physically
contiguous allocation.

For DMA-capable buffers, Linux allocates memory in page-based,
power-of-two orders. With a 4 KiB page size, a 65 KiB request spans
17 pages, which cannot be satisfied as-is by the buddy allocator.
The allocator therefore rounds the request up to the next supported
order, i.e. 32 pages = 128 KiB. In other words, requesting 65 KiB
already results in a 128 KiB allocation in practice.

Keeping the software-visible limit at 65 KiB while the kernel allocates
128 KiB creates an unnecessary mismatch between:
  - the constant used in the driver,
  - the actual backing allocation size, and
  - the memory/reserved-memory expectations communicated to users.

This mismatch is confusing during code review, debug, memory sizing,
and user-guide documentation, because the code suggests a 65 KiB limit
while the real allocation footprint is 128 KiB. The existing value also
artificially hides the fact that the kernel already reserves 128 KiB for
this buffer due to allocator granularity.

Update MAX_DATA_SIZE_PER_USER to 128 KiB so that the driver constant
matches the real allocation behaviour of the kernel. This makes the
limit explicit, removes ambiguity, and keeps the implementation aligned
with reserved-memory guidance and buffer sizing expectations. The
underlying allocator behaviour does not change; this patch simply makes
the driver reflect what the kernel already allocates.

Signed-off-by: Pankaj Gupta &lt;pankaj.gupta@nxp.com&gt;
Reviewed-by: Meenakshi Aggarwal &lt;meenakshi.aggarwal@nxp.com&gt;
Reviewed-by: Rahul Kumar Yadav &lt;rahulkumar.yadav@nxp.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>LF-18461: firmware: imx: ele get info update for soc_id</title>
<updated>2026-06-09T02:25:20+00:00</updated>
<author>
<name>Pankaj Gupta</name>
<email>pankaj.gupta@nxp.com</email>
</author>
<published>2026-06-08T12:39:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=b754c49ff391320b2ad8ff0df039af3c2443e1b1'/>
<id>b754c49ff391320b2ad8ff0df039af3c2443e1b1</id>
<content type='text'>
Changes to accommodate the changes in the soc_id values
returned from ELE FW via get_info (0xda) message exchange.

Signed-off-by: Pankaj Gupta &lt;pankaj.gupta@nxp.com&gt;
Reviewed-by: Meenakshi Aggarwal &lt;meenakshi.aggarwal@nxp.com&gt;
Reviewed-by: Rahul Kumar Yadav &lt;rahulkumar.yadav@nxp.com&gt;
Acked-by: Jason Liu &lt;jason.hui.liu@nxp.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Changes to accommodate the changes in the soc_id values
returned from ELE FW via get_info (0xda) message exchange.

Signed-off-by: Pankaj Gupta &lt;pankaj.gupta@nxp.com&gt;
Reviewed-by: Meenakshi Aggarwal &lt;meenakshi.aggarwal@nxp.com&gt;
Reviewed-by: Rahul Kumar Yadav &lt;rahulkumar.yadav@nxp.com&gt;
Acked-by: Jason Liu &lt;jason.hui.liu@nxp.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>LF-18417-02: pmdomain: imx93-blk-ctrl: Extract PHY as shared domain for DSI/CSI</title>
<updated>2026-06-08T09:38:12+00:00</updated>
<author>
<name>Guoniu Zhou</name>
<email>guoniu.zhou@nxp.com</email>
</author>
<published>2026-06-08T07:23:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=b87ebbb083d0530a230b43efbcf2ff31cd56c66d'/>
<id>b87ebbb083d0530a230b43efbcf2ff31cd56c66d</id>
<content type='text'>
The MIPI DSI and CSI domains share control bits for clock and reset, which
can lead to incorrect behavior if one domain disables the shared resource
while the other is still active.

To fix the issue, introduce a shared MIPI PHY power domain to own the
common resources and make DSI and CSI its subdomains. This ensures the
shared bits are properly managed and not disabled while still in use.

Fixes: e9aa77d413c9 ("soc: imx: add i.MX93 media blk ctrl driver")
Reviewed-by: Robby Cai &lt;robby.cai@nxp.com&gt;
Signed-off-by: Guoniu Zhou &lt;guoniu.zhou@nxp.com&gt;
Acked-by: Jason Liu &lt;jason.hui.liu@nxp.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The MIPI DSI and CSI domains share control bits for clock and reset, which
can lead to incorrect behavior if one domain disables the shared resource
while the other is still active.

To fix the issue, introduce a shared MIPI PHY power domain to own the
common resources and make DSI and CSI its subdomains. This ensures the
shared bits are properly managed and not disabled while still in use.

Fixes: e9aa77d413c9 ("soc: imx: add i.MX93 media blk ctrl driver")
Reviewed-by: Robby Cai &lt;robby.cai@nxp.com&gt;
Signed-off-by: Guoniu Zhou &lt;guoniu.zhou@nxp.com&gt;
Acked-by: Jason Liu &lt;jason.hui.liu@nxp.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>LF-18417-01: dt-bindings: power: imx93: Add MIPI PHY power domain</title>
<updated>2026-06-08T09:38:12+00:00</updated>
<author>
<name>Guoniu Zhou</name>
<email>guoniu.zhou@nxp.com</email>
</author>
<published>2026-06-08T07:23:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=244ddb6d0cc73c0c6bb4a31a22abb0b58cd12864'/>
<id>244ddb6d0cc73c0c6bb4a31a22abb0b58cd12864</id>
<content type='text'>
Add MIPI PHY power domain for shared PHY resources used by both
MIPI DSI and CSI blocks.

Reviewed-by: Robby Cai &lt;robby.cai@nxp.com&gt;
Signed-off-by: Guoniu Zhou &lt;guoniu.zhou@nxp.com&gt;
Acked-by: Jason Liu &lt;jason.hui.liu@nxp.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add MIPI PHY power domain for shared PHY resources used by both
MIPI DSI and CSI blocks.

Reviewed-by: Robby Cai &lt;robby.cai@nxp.com&gt;
Signed-off-by: Guoniu Zhou &lt;guoniu.zhou@nxp.com&gt;
Acked-by: Jason Liu &lt;jason.hui.liu@nxp.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>smb/client: fix out-of-bounds read in smb2_compound_op()</title>
<updated>2026-06-08T02:53:17+00:00</updated>
<author>
<name>Zisen Ye</name>
<email>zisenye@stu.xidian.edu.cn</email>
</author>
<published>2026-05-06T03:49:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=e250ba241bf3ec9f59f3e273e30732214ff9d3dc'/>
<id>e250ba241bf3ec9f59f3e273e30732214ff9d3dc</id>
<content type='text'>
commit 8d09328dfda089675e4c049f3f256064a1d1996b upstream.

If a server sends a truncated response but a large OutputBufferLength, and
terminates the EA list early, check_wsl_eas() returns success without
validating that the entire OutputBufferLength fits within iov_len.

Then smb2_compound_op() does:
    memcpy(idata-&gt;wsl.eas, data[0], size[0]);

Where size[0] is OutputBufferLength. If iov_len is smaller than size[0],
memcpy can read beyond the end of the rsp_iov allocation and leak adjacent
kernel heap memory.

Link: https://lore.kernel.org/linux-cifs/d998240c-aca9-420d-9dbd-f5ba24af19e0@chenxiaosong.com/
Fixes: ea41367b2a60 ("smb: client: introduce SMB2_OP_QUERY_WSL_EA")
Cc: stable@vger.kernel.org
Signed-off-by: Zisen Ye &lt;zisenye@stu.xidian.edu.cn&gt;
Reviewed-by: ChenXiaoSong &lt;chenxiaosong@kylinos.cn&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
(cherry picked from commit 512d33bc8ea4ea5c19728ee118715f4b1f4d1926)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 8d09328dfda089675e4c049f3f256064a1d1996b upstream.

If a server sends a truncated response but a large OutputBufferLength, and
terminates the EA list early, check_wsl_eas() returns success without
validating that the entire OutputBufferLength fits within iov_len.

Then smb2_compound_op() does:
    memcpy(idata-&gt;wsl.eas, data[0], size[0]);

Where size[0] is OutputBufferLength. If iov_len is smaller than size[0],
memcpy can read beyond the end of the rsp_iov allocation and leak adjacent
kernel heap memory.

Link: https://lore.kernel.org/linux-cifs/d998240c-aca9-420d-9dbd-f5ba24af19e0@chenxiaosong.com/
Fixes: ea41367b2a60 ("smb: client: introduce SMB2_OP_QUERY_WSL_EA")
Cc: stable@vger.kernel.org
Signed-off-by: Zisen Ye &lt;zisenye@stu.xidian.edu.cn&gt;
Reviewed-by: ChenXiaoSong &lt;chenxiaosong@kylinos.cn&gt;
Signed-off-by: Steve French &lt;stfrench@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
(cherry picked from commit 512d33bc8ea4ea5c19728ee118715f4b1f4d1926)
</pre>
</div>
</content>
</entry>
<entry>
<title>mptcp: pm: ADD_ADDR rtx: fix potential data-race</title>
<updated>2026-06-08T02:53:02+00:00</updated>
<author>
<name>Matthieu Baerts (NGI0)</name>
<email>matttbe@kernel.org</email>
</author>
<published>2026-05-05T15:00:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=8ca49f82c1abe07ef6b87b028c07dced197267ae'/>
<id>8ca49f82c1abe07ef6b87b028c07dced197267ae</id>
<content type='text'>
commit 5cd6e0ad79d2615264f63929f8b457ad97ae550d upstream.

This mptcp_pm_add_timer() helper is executed as a timer callback in
softirq context. To avoid any data races, the socket lock needs to be
held with bh_lock_sock().

If the socket is in use, retry again soon after, similar to what is done
with the keepalive timer.

Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau &lt;martineau@kernel.org&gt;
Signed-off-by: Matthieu Baerts (NGI0) &lt;matttbe@kernel.org&gt;
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-3-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
(cherry picked from commit 2ad56e434199ca24a812bb353667aa1c3860f513)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5cd6e0ad79d2615264f63929f8b457ad97ae550d upstream.

This mptcp_pm_add_timer() helper is executed as a timer callback in
softirq context. To avoid any data races, the socket lock needs to be
held with bh_lock_sock().

If the socket is in use, retry again soon after, similar to what is done
with the keepalive timer.

Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau &lt;martineau@kernel.org&gt;
Signed-off-by: Matthieu Baerts (NGI0) &lt;matttbe@kernel.org&gt;
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-3-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
(cherry picked from commit 2ad56e434199ca24a812bb353667aa1c3860f513)
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: nf_conntrack_expect: use expect-&gt;helper</title>
<updated>2026-06-08T02:52:17+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2026-03-25T13:11:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=1a8c4def48baa1d536e3f2aba6a9e413225019b2'/>
<id>1a8c4def48baa1d536e3f2aba6a9e413225019b2</id>
<content type='text'>
[ Upstream commit f01794106042ee27e54af6fdf5b319a2fe3df94d ]

Use expect-&gt;helper in ctnetlink and /proc to dump the helper name.
Using nfct_help() without holding a reference to the master conntrack
is unsafe.

Use exp-&gt;master-&gt;helper in ctnetlink path if userspace does not provide
an explicit helper when creating an expectation to retain the existing
behaviour. The ctnetlink expectation path holds the reference on the
master conntrack and nf_conntrack_expect lock and the nfnetlink glue
path refers to the master ct that is attached to the skb.

Reported-by: Hyunwoo Kim &lt;imv4bel@gmail.com&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Stable-dep-of: 917b61fa2042 ("netfilter: ctnetlink: ignore explicit helper on new expectations")
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
(cherry picked from commit b53294bff19e56ada2f230ceb8b1ffde61cc3817)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit f01794106042ee27e54af6fdf5b319a2fe3df94d ]

Use expect-&gt;helper in ctnetlink and /proc to dump the helper name.
Using nfct_help() without holding a reference to the master conntrack
is unsafe.

Use exp-&gt;master-&gt;helper in ctnetlink path if userspace does not provide
an explicit helper when creating an expectation to retain the existing
behaviour. The ctnetlink expectation path holds the reference on the
master conntrack and nf_conntrack_expect lock and the nfnetlink glue
path refers to the master ct that is attached to the skb.

Reported-by: Hyunwoo Kim &lt;imv4bel@gmail.com&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Stable-dep-of: 917b61fa2042 ("netfilter: ctnetlink: ignore explicit helper on new expectations")
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
(cherry picked from commit b53294bff19e56ada2f230ceb8b1ffde61cc3817)
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: nf_conntrack_expect: honor expectation helper field</title>
<updated>2026-06-08T02:51:41+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2026-03-25T13:11:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=984a17bc8a06fa5861534f5258b5454dfcf8873b'/>
<id>984a17bc8a06fa5861534f5258b5454dfcf8873b</id>
<content type='text'>
[ Upstream commit 9c42bc9db90a154bc61ae337a070465f3393485a ]

The expectation helper field is mostly unused. As a result, the
netfilter codebase relies on accessing the helper through exp-&gt;master.

Always set on the expectation helper field so it can be used to reach
the helper.

nf_ct_expect_init() is called from packet path where the skb owns
the ct object, therefore accessing exp-&gt;master for the newly created
expectation is safe. This saves a lot of updates in all callsites
to pass the ct object as parameter to nf_ct_expect_init().

This is a preparation patches for follow up fixes.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Stable-dep-of: 917b61fa2042 ("netfilter: ctnetlink: ignore explicit helper on new expectations")
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
(cherry picked from commit 54cb3500e8af5fb0c34e639ab51145f4c2a1f9ef)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 9c42bc9db90a154bc61ae337a070465f3393485a ]

The expectation helper field is mostly unused. As a result, the
netfilter codebase relies on accessing the helper through exp-&gt;master.

Always set on the expectation helper field so it can be used to reach
the helper.

nf_ct_expect_init() is called from packet path where the skb owns
the ct object, therefore accessing exp-&gt;master for the newly created
expectation is safe. This saves a lot of updates in all callsites
to pass the ct object as parameter to nf_ct_expect_init().

This is a preparation patches for follow up fixes.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Stable-dep-of: 917b61fa2042 ("netfilter: ctnetlink: ignore explicit helper on new expectations")
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
(cherry picked from commit 54cb3500e8af5fb0c34e639ab51145f4c2a1f9ef)
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: nf_conntrack_helper: pass helper to expect cleanup</title>
<updated>2026-06-08T02:51:25+00:00</updated>
<author>
<name>Qi Tang</name>
<email>tpluszz77@gmail.com</email>
</author>
<published>2026-03-29T16:50:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=dafc569e44f1a42d8ec58c29cf50771a5e0a7d0d'/>
<id>dafc569e44f1a42d8ec58c29cf50771a5e0a7d0d</id>
<content type='text'>
[ Upstream commit a242a9ae58aa46ff7dae51ce64150a93957abe65 ]

nf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy()
to remove expectations belonging to the helper being unregistered.
However, it passes NULL instead of the helper pointer as the data
argument, so expect_iter_me() never matches any expectation and all
of them survive the cleanup.

After unregister returns, nfnl_cthelper_del() frees the helper
object immediately.  Subsequent expectation dumps or packet-driven
init_conntrack() calls then dereference the freed exp-&gt;helper,
causing a use-after-free.

Pass the actual helper pointer so expectations referencing it are
properly destroyed before the helper object is freed.

  BUG: KASAN: slab-use-after-free in string+0x38f/0x430
  Read of size 1 at addr ffff888003b14d20 by task poc/103
  Call Trace:
   string+0x38f/0x430
   vsnprintf+0x3cc/0x1170
   seq_printf+0x17a/0x240
   exp_seq_show+0x2e5/0x560
   seq_read_iter+0x419/0x1280
   proc_reg_read+0x1ac/0x270
   vfs_read+0x179/0x930
   ksys_read+0xef/0x1c0
  Freed by task 103:
  The buggy address is located 32 bytes inside of
   freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)

Fixes: ac7b84839003 ("netfilter: expect: add and use nf_ct_expect_iterate helpers")
Signed-off-by: Qi Tang &lt;tpluszz77@gmail.com&gt;
Reviewed-by: Phil Sutter &lt;phil@nwl.cc&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
(cherry picked from commit 620f3d14c1ef51d425060a3056ad8dbae8f998a3)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit a242a9ae58aa46ff7dae51ce64150a93957abe65 ]

nf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy()
to remove expectations belonging to the helper being unregistered.
However, it passes NULL instead of the helper pointer as the data
argument, so expect_iter_me() never matches any expectation and all
of them survive the cleanup.

After unregister returns, nfnl_cthelper_del() frees the helper
object immediately.  Subsequent expectation dumps or packet-driven
init_conntrack() calls then dereference the freed exp-&gt;helper,
causing a use-after-free.

Pass the actual helper pointer so expectations referencing it are
properly destroyed before the helper object is freed.

  BUG: KASAN: slab-use-after-free in string+0x38f/0x430
  Read of size 1 at addr ffff888003b14d20 by task poc/103
  Call Trace:
   string+0x38f/0x430
   vsnprintf+0x3cc/0x1170
   seq_printf+0x17a/0x240
   exp_seq_show+0x2e5/0x560
   seq_read_iter+0x419/0x1280
   proc_reg_read+0x1ac/0x270
   vfs_read+0x179/0x930
   ksys_read+0xef/0x1c0
  Freed by task 103:
  The buggy address is located 32 bytes inside of
   freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)

Fixes: ac7b84839003 ("netfilter: expect: add and use nf_ct_expect_iterate helpers")
Signed-off-by: Qi Tang &lt;tpluszz77@gmail.com&gt;
Reviewed-by: Phil Sutter &lt;phil@nwl.cc&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
(cherry picked from commit 620f3d14c1ef51d425060a3056ad8dbae8f998a3)
</pre>
</div>
</content>
</entry>
<entry>
<title>mptcp: pm: ADD_ADDR rtx: allow ID 0</title>
<updated>2026-06-08T02:49:40+00:00</updated>
<author>
<name>Matthieu Baerts (NGI0)</name>
<email>matttbe@kernel.org</email>
</author>
<published>2026-05-05T15:00:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=bde4ed7d4f2e66abd69d14a43fcd09df41970678'/>
<id>bde4ed7d4f2e66abd69d14a43fcd09df41970678</id>
<content type='text'>
commit 03f324f3f1f7619a47b9c91282cb12775ab0a2f1 upstream.

ADD_ADDR can be sent for the ID 0, which corresponds to the local
address and port linked to the initial subflow.

Indeed, this address could be removed, and re-added later on, e.g. what
is done in the "delete re-add signal" MPTCP Join selftests. So no reason
to ignore it.

Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau &lt;martineau@kernel.org&gt;
Signed-off-by: Matthieu Baerts (NGI0) &lt;matttbe@kernel.org&gt;
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-2-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
(cherry picked from commit cffc6fc446a27f3eb35779b6285089e6849259b7)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 03f324f3f1f7619a47b9c91282cb12775ab0a2f1 upstream.

ADD_ADDR can be sent for the ID 0, which corresponds to the local
address and port linked to the initial subflow.

Indeed, this address could be removed, and re-added later on, e.g. what
is done in the "delete re-add signal" MPTCP Join selftests. So no reason
to ignore it.

Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau &lt;martineau@kernel.org&gt;
Signed-off-by: Matthieu Baerts (NGI0) &lt;matttbe@kernel.org&gt;
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-2-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
(cherry picked from commit cffc6fc446a27f3eb35779b6285089e6849259b7)
</pre>
</div>
</content>
</entry>
</feed>
