<feed xmlns='http://www.w3.org/2005/Atom'>
<title>wireguard-linux/tools, branch devel</title>
<subtitle>WireGuard for the Linux kernel</subtitle>
<id>https://git.zx2c4.com/wireguard-linux/atom/tools?h=devel</id>
<link rel='self' href='https://git.zx2c4.com/wireguard-linux/atom/tools?h=devel'/>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux/'/>
<updated>2026-05-05T02:09:42Z</updated>
<entry>
<title>selftests: net: bridge: add MRC and QQIC field encoding tests</title>
<updated>2026-05-05T02:09:42Z</updated>
<author>
<name>Ujjal Roy</name>
<email>royujjal@gmail.com</email>
</author>
<published>2026-05-02T13:19:06Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux/commit/?id=529dbe762de03dc9bea343a9b5313bd9c8c3a697'/>
<id>urn:sha1:529dbe762de03dc9bea343a9b5313bd9c8c3a697</id>
<content type='text'>
Enhance vlmc_query_intvl_test and vlmc_query_response_intvl_test in
bridge_vlan_mcast.sh to validate IGMPv3/MLDv2 protocol compliance for
MRC and QQIC field encoding across both linear and exponential ranges.

TEST: Vlan multicast snooping enable                                [ OK ]
TEST: Vlan mcast_query_interval global option default value         [ OK ]
TEST: Number of tagged IGMPv2 general query                         [ OK ]
TEST: IGMPv3 QQIC linear value 60(s)                                [ OK ]
TEST: MLDv2 QQIC linear value 60(s)                                 [ OK ]
TEST: IGMPv3 QQIC non linear value 160(s)                           [ OK ]
TEST: MLDv2 QQIC non linear value 160(s)                            [ OK ]
TEST: Vlan mcast_query_response_interval global option default value   [ OK ]
TEST: IGMPv3 MRC linear value of 60(x0.1s)                          [ OK ]
TEST: MLDv2 MRC linear value of 24000(ms)                           [ OK ]
TEST: IGMPv3 MRC non linear value of 240(x0.1s)                     [ OK ]
TEST: MLDv2 MRC non linear value of 48000(ms)                       [ OK ]

Reviewed-by: Nikolay Aleksandrov &lt;razor@blackwall.org&gt;
Reviewed-by: Ido Schimmel &lt;idosch@nvidia.com&gt;
Signed-off-by: Ujjal Roy &lt;royujjal@gmail.com&gt;
Link: https://patch.msgid.link/20260502131907.987-6-royujjal@gmail.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>net: selftests: add getsockopt_iter regression tests</title>
<updated>2026-05-05T02:02:30Z</updated>
<author>
<name>Breno Leitao</name>
<email>leitao@debian.org</email>
</author>
<published>2026-05-01T15:52:53Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux/commit/?id=d39887f55d8edaacdb4fbc4cbfecff31dec1dc6a'/>
<id>urn:sha1:d39887f55d8edaacdb4fbc4cbfecff31dec1dc6a</id>
<content type='text'>
Add a single kselftest covering the proto_ops getsockopt_iter
conversions for AF_NETLINK and AF_VSOCK, using one fixture per protocol:

netlink:

NETLINK_PKTINFO covers the flag-style int path (exact size, oversize
clamp, undersize -EINVAL); NETLINK_LIST_MEMBERSHIPS covers the
size-discovery path that always reports the required buffer length back
via optlen, even when the user buffer is too small to receive any group
bits.

vsock:
SO_VM_SOCKETS_BUFFER_SIZE covers the u64 path (exact size, oversize
clamp, undersize -EINVAL).

Each fixture also exercises an unknown optname and a bogus level so
the returned-length / errno semantics preserved by the sockopt_t
conversion are pinned down.

Signed-off-by: Breno Leitao &lt;leitao@debian.org&gt;
Reviewed-by: Bobby Eshleman &lt;bobbyeshleman@meta.com&gt;
Acked-by: Stanislav Fomichev &lt;sdf@fomichev.me&gt;
Link: https://patch.msgid.link/20260501-getsock_one-v1-3-810ce23ea70e@debian.org
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>selftests: drv-net: Enable ntuple-filters if supported</title>
<updated>2026-05-02T00:10:06Z</updated>
<author>
<name>Dimitri Daskalakis</name>
<email>daskald@meta.com</email>
</author>
<published>2026-04-30T16:52:17Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux/commit/?id=c301658dfe08880a6a864fe192ca5967994c2e54'/>
<id>urn:sha1:c301658dfe08880a6a864fe192ca5967994c2e54</id>
<content type='text'>
Certain devices which support ntuple-filters do not enable the feature
by default. The existing tests will skip (if they check for the feature),
or fail if they blindly attempt to install rules. Therefore, attempt to turn
on ntuple-filters if the device supports them.

Signed-off-by: Dimitri Daskalakis &lt;daskald@meta.com&gt;
Reviewed-by: Joe Damato &lt;joe@dama.to&gt;
Link: https://patch.msgid.link/20260430165217.3700469-1-dimitri.daskalakis1@gmail.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>selftests/net: packetdrill: add tcp_syncookies_ip[46]_9k</title>
<updated>2026-05-01T03:54:09Z</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2026-04-30T02:14:44Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux/commit/?id=bc6a9b667f9ff66789c6c66b3bfe0ce5df972b67'/>
<id>urn:sha1:bc6a9b667f9ff66789c6c66b3bfe0ce5df972b67</id>
<content type='text'>
These tests check syncookie mode is able to reconstruct some
client options when TCP TS are used:

- wscale option.
- sackOK.
- MSS (in a limited way, especially for IPv4).
- ECN: not enabled.

Note that IPv4 and IPv6 have different msstab[] values:

IPv4 msstab[4] = { 536, 1300, 1440, 1460 }
IPv6 msstab[4] = { 1280 - 60, 1480 - 60, 1500 - 60, 9000 - 60 }

IPv4 is currently capping SND_MSS to 1460, even on a 9K MTU network.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reviewed-by: Neal Cardwell &lt;ncardwell@google.com&gt;
Link: https://patch.msgid.link/20260430021444.2929534-1-edumazet@google.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>selftests: net: Add tests for ARP probe and DAD NS handling</title>
<updated>2026-05-01T00:35:17Z</updated>
<author>
<name>Danielle Ratson</name>
<email>danieller@nvidia.com</email>
</author>
<published>2026-04-29T06:24:05Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux/commit/?id=a3f88d89f698743a8cd91fb43f997e2d292a168d'/>
<id>urn:sha1:a3f88d89f698743a8cd91fb43f997e2d292a168d</id>
<content type='text'>
Add test cases to verify that ARP probes and DAD Neighbor Solicitations
are handled correctly by the bridge neighbor suppression feature.

When neighbor suppression is enabled on a bridge VXLAN port, the bridge
should reply to ARP/NS messages on behalf of remote hosts when both FDB
and neighbor entries exist, and the answer is known. However, when
either the FDB or the neighbor exists, ARP probes / DAD NS should be
treated like regular ARP requests / NS and flood to VXLAN.

Add two new test functions:

neigh_suppress_arp_probe(): Tests ARP probe handling by triggering
duplicate address detection using arping -D. Verifies that probes are
flooded when the bridge doesn't know the answer, and suppressed when FDB
and neighbor entries exist.

neigh_suppress_dad_ns(): Tests DAD NS handling by constructing DAD NS
packets using mausezahn and verifies correct flooding/suppression
behavior.

Before the previous patch:

$ ./test_bridge_neigh_suppress.sh -t "neigh_suppress_arp_probe neigh_suppress_dad_ns"

Per-port ARP probe suppression
------------------------------
TEST: ARP probe suppression                                         [ OK ]
TEST: "neigh_suppress" is on                                        [ OK ]
TEST: ARP probe suppression                                         [FAIL]
TEST: FDB and neighbor entry installation                           [ OK ]
TEST: arping                                                        [FAIL]
TEST: ARP probe suppression                                         [FAIL]
TEST: neighbor removal                                              [ OK ]
TEST: ARP probe suppression                                         [FAIL]
TEST: "neigh_suppress" is off                                       [ OK ]
TEST: ARP probe suppression                                         [FAIL]

Per-port DAD NS suppression
---------------------------
TEST: DAD NS suppression                                            [ OK ]
TEST: "neigh_suppress" is on                                        [ OK ]
TEST: DAD NS suppression                                            [FAIL]
TEST: FDB and neighbor entry installation                           [ OK ]
TEST: DAD NS suppression                                            [FAIL]
TEST: neighbor removal                                              [ OK ]
TEST: DAD NS suppression                                            [FAIL]
TEST: DAD NS proxy NA reply                                         [FAIL]
TEST: "neigh_suppress" is off                                       [ OK ]
TEST: DAD NS suppression                                            [FAIL]

Tests passed:   10
Tests failed:   10

After the previous patch:

$ ./test_bridge_neigh_suppress.sh -t "neigh_suppress_arp_probe neigh_suppress_dad_ns"

Per-port ARP probe suppression
------------------------------
TEST: ARP probe suppression                                         [ OK ]
TEST: "neigh_suppress" is on                                        [ OK ]
TEST: ARP probe suppression                                         [ OK ]
TEST: FDB and neighbor entry installation                           [ OK ]
TEST: arping                                                        [ OK ]
TEST: ARP probe suppression                                         [ OK ]
TEST: neighbor removal                                              [ OK ]
TEST: ARP probe suppression                                         [ OK ]
TEST: "neigh_suppress" is off                                       [ OK ]
TEST: ARP probe suppression                                         [ OK ]

Per-port DAD NS suppression
---------------------------
TEST: DAD NS suppression                                            [ OK ]
TEST: "neigh_suppress" is on                                        [ OK ]
TEST: DAD NS suppression                                            [ OK ]
TEST: FDB and neighbor entry installation                           [ OK ]
TEST: DAD NS suppression                                            [ OK ]
TEST: neighbor removal                                              [ OK ]
TEST: DAD NS suppression                                            [ OK ]
TEST: DAD NS proxy NA reply                                         [ OK ]
TEST: "neigh_suppress" is off                                       [ OK ]
TEST: DAD NS suppression                                            [ OK ]

Tests passed:  20
Tests failed:   0

Signed-off-by: Danielle Ratson &lt;danieller@nvidia.com&gt;
Acked-by: Nikolay Aleksandrov &lt;razor@blackwall.org&gt;
Link: https://patch.msgid.link/20260429062405.1386417-3-danieller@nvidia.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net</title>
<updated>2026-04-30T19:51:05Z</updated>
<author>
<name>Jakub Kicinski</name>
<email>kuba@kernel.org</email>
</author>
<published>2026-04-30T19:49:56Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux/commit/?id=7c04aa3b2f3751f3eb2370f280eeb8557962ad96'/>
<id>urn:sha1:7c04aa3b2f3751f3eb2370f280eeb8557962ad96</id>
<content type='text'>
Cross-merge networking fixes after downstream PR (net-7.1-rc2).

No conflicts, or adjacent changes.

Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>Merge tag 'net-7.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net</title>
<updated>2026-04-30T15:45:43Z</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-04-30T15:45:43Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux/commit/?id=08d0d3466664000ba0670e0ef0d447f23459e0d4'/>
<id>urn:sha1:08d0d3466664000ba0670e0ef0d447f23459e0d4</id>
<content type='text'>
Pull networking fixes from Paolo Abeni:
 "Including fixes from netfilter.

  Current release - regressions:

   - ipmr: free mr_table after RCU grace period.

  Previous releases - regressions:

   - core: add net_iov_init() and use it to initialize -&gt;page_type

   - sched: taprio: fix NULL pointer dereference in class dump

   - netfilter: nf_tables:
      - use list_del_rcu for netlink hooks
      - fix strict mode inbound policy matching

   - tcp: make probe0 timer handle expired user timeout

   - vrf: fix a potential NPD when removing a port from a VRF

   - eth: ice:
      - fix NULL pointer dereference in ice_reset_all_vfs()
      - fix infinite recursion in ice_cfg_tx_topo via ice_init_dev_hw

  Previous releases - always broken:

   - page_pool: fix memory-provider leak in error path

   - sched: sch_cake: annotate data-races in cake_dump_stats()

   - mptcp: fix scheduling with atomic in timestamp sockopt

   - psp: check for device unregister when creating assoc

   - tls: fix strparser anchor skb leak on offload RX setup failure

   - eth:
      - stmmac: prevent NULL deref when RX memory exhausted
      - airoha: do not read uninitialized fragment address
      - rtl8150: fix use-after-free in rtl8150_start_xmit()

  Misc:

   - add Ido Schimmel as IPv4/IPv6 maintainer

   - add David Heidelberg as NFC subsystem maintainer"

* tag 'net-7.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (79 commits)
  net/sched: cls_flower: revert unintended changes
  sfc: fix error code in efx_devlink_info_running_versions()
  net: tls: fix strparser anchor skb leak on offload RX setup failure
  ice: add dpll peer notification for paired SMA and U.FL pins
  ice: fix missing dpll notifications for SW pins
  dpll: export __dpll_pin_change_ntf() for use under dpll_lock
  ice: fix SMA and U.FL pin state changes affecting paired pin
  ice: fix missing SMA pin initialization in DPLL subsystem
  ice: fix infinite recursion in ice_cfg_tx_topo via ice_init_dev_hw
  ice: fix NULL pointer dereference in ice_reset_all_vfs()
  iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler
  iavf: wait for PF confirmation before removing VLAN filters
  iavf: stop removing VLAN filters from PF on interface down
  iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING
  page_pool: fix memory-provider leak in page_pool_create_percpu() error path
  bonding: 3ad: implement proper RCU rules for port-&gt;aggregator
  net: airoha: Do not return err in ndo_stop() callback
  hv_sock: fix ARM64 support
  MAINTAINERS: update the IPv4/IPv6 entry and add Ido Schimmel
  selftests: drv-net: clarify linters and frameworks in README
  ...
</content>
</entry>
<entry>
<title>net/tcp-ao: Use crypto library API instead of crypto_ahash</title>
<updated>2026-04-30T07:38:56Z</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-04-27T17:27:24Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux/commit/?id=068f5a00955675f10348986d4809edc4dbc0cae0'/>
<id>urn:sha1:068f5a00955675f10348986d4809edc4dbc0cae0</id>
<content type='text'>
Currently the kernel's TCP-AO implementation does the MAC and KDF
computations using the crypto_ahash API.  This API is inefficient and
difficult to use, and it has required extensive workarounds in the form
of per-CPU preallocated objects (tcp_sigpool) to work at all.

Let's use lib/crypto/ instead.  This means switching to straightforward
stack-allocated structures, virtually addressed buffers, and direct
function calls.  It also means removing quite a bit of error handling.
This makes TCP-AO quite a bit faster.

This also enables many additional cleanups, which later commits will
handle: removing tcp-sigpool, removing support for crypto_tfm cloning,
removing more error handling, and replacing more dynamically-allocated
buffers with stack buffers based on the now-statically-known limits.

Reviewed-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Link: https://patch.msgid.link/20260427172727.9310-3-ebiggers@kernel.org
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</content>
</entry>
<entry>
<title>net/tcp-ao: Drop support for most non-RFC-specified algorithms</title>
<updated>2026-04-30T07:38:56Z</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-04-27T17:27:23Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux/commit/?id=5eb0cfedb2588650b63f0a65963ad64272df938d'/>
<id>urn:sha1:5eb0cfedb2588650b63f0a65963ad64272df938d</id>
<content type='text'>
RFC 5926 (https://datatracker.ietf.org/doc/html/rfc5926) specifies the
use of AES-128-CMAC and HMAC-SHA1 with TCP-AO.  This includes a
specification for how traffic keys shall be derived for each algorithm.

Support for any other algorithms with TCP-AO isn't standardized, though
an expired Internet Draft (a work-in-progress document, not a standard)
from 2019 does propose adding HMAC-SHA256 support:
https://datatracker.ietf.org/doc/html/draft-nayak-tcp-sha2-03

Since both documents specify the KDF for each algorithm individually, it
isn't necessarily clear how any other algorithm should be integrated.

Nevertheless, the Linux implementation of TCP-AO allows userspace to
specify the MAC algorithm as a string tcp_ao_add::alg_name naming either
"cmac(aes128)" or an arbitrary algorithm in the crypto_ahash API.  The
set of valid strings is undocumented.  The implementation assumes that
"cmac(aes128)" is the only algorithm that requires an entropy extraction
step and that all algorithms accept keys with length equal to the
untruncated MAC; thus, arbitrary HMAC algorithms probably do work, but
some other MAC algorithms like AES-256-CMAC have never actually worked.

Unfortunately, this undocumented string allows many obsolete, insecure,
or redundant algorithms.  For example, "hmac(md5)" and the
non-cryptographic "crc32" are accepted.  It also ties the implementation
to crypto_ahash and requires that most memory be dynamically allocated,
making the implementation unnecessarily complex and inefficient.  Still
furthermore, this implementation requires the crypto API to support
"transformation cloning", whose only user is this feature.

Fortunately, it's very likely that only a few algorithms are actually
used in practice.  Let's restrict the set of allowed algorithms to
"cmac(aes128)" (or "cmac(aes)" with keylen=16), "hmac(sha1)", and
"hmac(sha256)".  The first two are the actually standard ones, while
HMAC-SHA256 seems like a reasonable algorithm to continue supporting as
a Linux extension, considering the Internet Draft for it and the fact
that SHA-256 is the usual choice of upgrade from the outdated SHA-1.

If any other algorithm ever turns out to be needed, e.g. HMAC-SHA512, it
can of course be (re-)added in library form.  However, note that the TCP
options space limits TCP-AO MACs to 20 bytes (160 bits) anyway, which
limits the potential benefit of any further upgrade to the algorithm.

Reviewed-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Link: https://patch.msgid.link/20260427172727.9310-2-ebiggers@kernel.org
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</content>
</entry>
<entry>
<title>selftests: drv-net: rss: add case for field config on RSS context</title>
<updated>2026-04-29T23:53:41Z</updated>
<author>
<name>Jakub Kicinski</name>
<email>kuba@kernel.org</email>
</author>
<published>2026-04-28T20:36:24Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux/commit/?id=1656f1788342a05eb9c8fc30ebfb1f9f674fcce7'/>
<id>urn:sha1:1656f1788342a05eb9c8fc30ebfb1f9f674fcce7</id>
<content type='text'>
We had some issues with a suspected traffic imbalance on an RSS
context. Make sure the tests cover the RXFH field selection
vs additional contexts.

Tested-by: Pavan Chebbi &lt;pavan.chebbi@broadcom.com&gt;
Link: https://patch.msgid.link/20260428203624.1224387-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
</feed>
