April 2022 - Linux-stable-mirror

[PATCH 5.10] ubsan: remove CONFIG_UBSAN_OBJECT_SIZE

by Tadeusz Struk

From: Kees Cook <keescook(a)chromium.org> Upstream commit: 69d0db01e210 ("ubsan: remove CONFIG_UBSAN_OBJECT_SIZE") The object-size sanitizer is redundant to -Warray-bounds, and inappropriately performs its checks at run-time when all information needed for the evaluation is available at compile-time, making it quite difficult to use: https://bugzilla.kernel.org/show_bug.cgi?id=214861 This run-time object-size checks also trigger false-positive errors, like the below, that make it quite difficult to test stable kernels in test automations like syzkaller: https://syzkaller.appspot.com/text?tag=Error&x=12b3aac3700000 With -Warray-bounds almost enabled globally, it doesn't make sense to keep this around. Link: https://lkml.kernel.org/r/20211203235346.110809-1-keescook@chromium.org Signed-off-by: Kees Cook <keescook(a)chromium.org> Reviewed-by: Marco Elver <elver(a)google.com> Cc: Masahiro Yamada <masahiroy(a)kernel.org> Cc: Michal Marek <michal.lkml(a)markovi.net> Cc: Nick Desaulniers <ndesaulniers(a)google.com> Cc: Nathan Chancellor <nathan(a)kernel.org> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: "Peter Zijlstra (Intel)" <peterz(a)infradead.org> Cc: Stephen Rothwell <sfr(a)canb.auug.org.au> Cc: Arnd Bergmann <arnd(a)arndb.de> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Tadeusz Struk <tadeusz.struk(a)linaro.org> --- lib/test_ubsan.c | 11 ----------- scripts/Makefile.ubsan | 1 - 2 files changed, 12 deletions(-) diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c index 9ea10adf7a66..b1d0a6ecfe1b 100644 --- a/lib/test_ubsan.c +++ b/lib/test_ubsan.c @@ -89,16 +89,6 @@ static void test_ubsan_misaligned_access(void) *ptr = val; } -static void test_ubsan_object_size_mismatch(void) -{ - /* "((aligned(8)))" helps this not into be misaligned for ptr-access. */ - volatile int val __aligned(8) = 4; - volatile long long *ptr, val2; - - ptr = (long long *)&val; - val2 = *ptr; -} - static const test_ubsan_fp test_ubsan_array[] = { test_ubsan_add_overflow, test_ubsan_sub_overflow, @@ -110,7 +100,6 @@ static const test_ubsan_fp test_ubsan_array[] = { test_ubsan_load_invalid_value, //test_ubsan_null_ptr_deref, /* exclude it because there is a crash */ test_ubsan_misaligned_access, - test_ubsan_object_size_mismatch, }; static int __init test_ubsan_init(void) diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index 9716dab06bc7..2156e18391a3 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan @@ -23,7 +23,6 @@ ifdef CONFIG_UBSAN_MISC CFLAGS_UBSAN += $(call cc-option, -fsanitize=integer-divide-by-zero) CFLAGS_UBSAN += $(call cc-option, -fsanitize=unreachable) CFLAGS_UBSAN += $(call cc-option, -fsanitize=signed-integer-overflow) - CFLAGS_UBSAN += $(call cc-option, -fsanitize=object-size) CFLAGS_UBSAN += $(call cc-option, -fsanitize=bool) CFLAGS_UBSAN += $(call cc-option, -fsanitize=enum) endif -- 2.35.1

3 years, 8 months

2
2
0 0

[PATCH 5.15.y] Revert "net/mlx5: Accept devlink user input after driver initialization complete"

by dann frazier

This reverts commit 9cc25e8529d567e08da98d11f092b21449763144. This patch was shown to introduce a regression: # devlink dev param show pci/0000:24:00.0 name flow_steering_mode pci/0000:24:00.0: name flow_steering_mode type driver-specific values: (flow steering mode description is missing beneath "values:") # devlink dev param set pci/0000:24:00.0 name flow_steering_mode value smfs cmode runtime Segmentation fault (core dumped) and also with upstream iproute # ./iproute2/devlink/devlink dev param set pci/0000:24:00.0 name flow_steering_mode value smfs cmode runtime Configuration mode not supported Note: Instead of reverting, we could instead also backport commit cf530217408e ("devlink: Notify users when objects are accessible"). However, that makes changes to core devlink code that I'm not sure are suitable for a stable backport. Signed-off-by: dann frazier <dann.frazier(a)canonical.com> --- drivers/net/ethernet/mellanox/mlx5/core/devlink.c | 12 ++++++++++-- drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 -- .../net/ethernet/mellanox/mlx5/core/sf/dev/driver.c | 2 -- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/devlink.c b/drivers/net/ethernet/mellanox/mlx5/core/devlink.c index d7576b6fa43b..7d56a927081d 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/devlink.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/devlink.c @@ -793,11 +793,14 @@ int mlx5_devlink_register(struct devlink *devlink) { int err; - err = devlink_params_register(devlink, mlx5_devlink_params, - ARRAY_SIZE(mlx5_devlink_params)); + err = devlink_register(devlink); if (err) return err; + err = devlink_params_register(devlink, mlx5_devlink_params, + ARRAY_SIZE(mlx5_devlink_params)); + if (err) + goto params_reg_err; mlx5_devlink_set_params_init_values(devlink); err = mlx5_devlink_auxdev_params_register(devlink); @@ -808,6 +811,7 @@ int mlx5_devlink_register(struct devlink *devlink) if (err) goto traps_reg_err; + devlink_params_publish(devlink); return 0; traps_reg_err: @@ -815,13 +819,17 @@ int mlx5_devlink_register(struct devlink *devlink) auxdev_reg_err: devlink_params_unregister(devlink, mlx5_devlink_params, ARRAY_SIZE(mlx5_devlink_params)); +params_reg_err: + devlink_unregister(devlink); return err; } void mlx5_devlink_unregister(struct devlink *devlink) { + devlink_params_unpublish(devlink); mlx5_devlink_traps_unregister(devlink); mlx5_devlink_auxdev_params_unregister(devlink); devlink_params_unregister(devlink, mlx5_devlink_params, ARRAY_SIZE(mlx5_devlink_params)); + devlink_unregister(devlink); } diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c index 097ab6fe371c..4ed740994279 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/main.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c @@ -1541,7 +1541,6 @@ static int probe_one(struct pci_dev *pdev, const struct pci_device_id *id) dev_err(&pdev->dev, "mlx5_crdump_enable failed with error code %d\n", err); pci_save_state(pdev); - devlink_register(devlink); if (!mlx5_core_is_mp_slave(dev)) devlink_reload_enable(devlink); return 0; @@ -1564,7 +1563,6 @@ static void remove_one(struct pci_dev *pdev) struct devlink *devlink = priv_to_devlink(dev); devlink_reload_disable(devlink); - devlink_unregister(devlink); mlx5_crdump_disable(dev); mlx5_drain_health_wq(dev); mlx5_uninit_one(dev); diff --git a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c index 3cf272fa2164..052f48068dc1 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c @@ -46,7 +46,6 @@ static int mlx5_sf_dev_probe(struct auxiliary_device *adev, const struct auxilia mlx5_core_warn(mdev, "mlx5_init_one err=%d\n", err); goto init_one_err; } - devlink_register(devlink); devlink_reload_enable(devlink); return 0; @@ -66,7 +65,6 @@ static void mlx5_sf_dev_remove(struct auxiliary_device *adev) devlink = priv_to_devlink(sf_dev->mdev); devlink_reload_disable(devlink); - devlink_unregister(devlink); mlx5_uninit_one(sf_dev->mdev); iounmap(sf_dev->mdev->iseg); mlx5_mdev_uninit(sf_dev->mdev); -- 2.35.1

3 years, 8 months

2
1
0 0

[PATCH 5.10 000/105] 5.10.104-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.104 release. There are 105 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 09 Mar 2022 09:16:25 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.104-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.104-rc1 Jiri Bohac <jbohac(a)suse.cz> Revert "xfrm: xfrm_state_mtu should return at least 1280 for ipv6" Filipe Manana <fdmanana(a)suse.com> btrfs: add missing run of delayed items after unlink during log replay Sidong Yang <realwakka(a)gmail.com> btrfs: qgroup: fix deadlock between rescan worker and remove qgroup Filipe Manana <fdmanana(a)suse.com> btrfs: fix lost prealloc extents beyond eof after full fsync Randy Dunlap <rdunlap(a)infradead.org> tracing: Fix return value of __setup handlers Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing/histogram: Fix sorting on old "cpu" value William Mahon <wmahon(a)chromium.org> HID: add mapping for KEY_ALL_APPLICATIONS William Mahon <wmahon(a)chromium.org> HID: add mapping for KEY_DICTATE David Gow <davidgow(a)google.com> Input: samsung-keypad - properly state IOMEM dependency Hans de Goede <hdegoede(a)redhat.com> Input: elan_i2c - fix regulator enable count imbalance after suspend/resume Hans de Goede <hdegoede(a)redhat.com> Input: elan_i2c - move regulator_[en|dis]able() out of elan_[en|dis]able_power() Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dcb: disable softirqs in dcbnl_flush_dev() Qiang Yu <qiang.yu(a)amd.com> drm/amdgpu: fix suspend/resume hang regression Jiasheng Jiang <jiasheng(a)iscas.ac.cn> nl80211: Handle nla_memdup failures in handle_nan_filter Mateusz Palczewski <mateusz.palczewski(a)intel.com> iavf: Refactor iavf state machine tracking Jia-Ju Bai <baijiaju1990(a)gmail.com> net: chelsio: cxgb3: check the return value of pci_find_capability() Sukadev Bhattiprolu <sukadev(a)linux.ibm.com> ibmvnic: complete init_done on transport events Sukadev Bhattiprolu <sukadev(a)linux.ibm.com> ibmvnic: define flush_reset_queue helper Thierry Reding <treding(a)nvidia.com> ARM: tegra: Move panels to AUX bus Jiasheng Jiang <jiasheng(a)iscas.ac.cn> soc: fsl: qe: Check of ioremap return value Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> soc: fsl: guts: Add a missing memory allocation failure check Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> soc: fsl: guts: Revert commit 3c0d64e867ed Anthoine Bourgeois <anthoine.bourgeois(a)gmail.com> ARM: dts: Use 32KiHz oscillator on devkit8000 Anthoine Bourgeois <anthoine.bourgeois(a)gmail.com> ARM: dts: switch timer config to common devkit8000 devicetree Heiko Carstens <hca(a)linux.ibm.com> s390/extable: fix exception table sorting Hugh Dickins <hughd(a)google.com> memfd: fix F_SEAL_WRITE after shmem huge page allocated Sukadev Bhattiprolu <sukadev(a)linux.ibm.com> ibmvnic: free reset-work-item when flushing Sasha Neftin <sasha.neftin(a)intel.com> igc: igc_write_phy_reg_gpy: drop premature return Samuel Holland <samuel(a)sholland.org> pinctrl: sunxi: Use unique lockdep classes for IRQs Amit Cohen <amcohen(a)nvidia.com> selftests: mlxsw: tc_police_scale: Make test more robust Randy Dunlap <rdunlap(a)infradead.org> ARM: 9182/1: mmu: fix returns from early_param() and __setup() functions Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> ARM: Fix kgdb breakpoint for Thumb2 Corinna Vinschen <vinschen(a)redhat.com> igc: igc_read_phy_reg_gpy: drop premature return Brian Norris <briannorris(a)chromium.org> arm64: dts: rockchip: Switch RK3399-Gru DP to SPDIF output Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> can: gs_usb: change active_channels's type from atomic_t to u8 Fabio Estevam <festevam(a)denx.de> ASoC: cs4265: Fix the duplicated control name Alyssa Ross <hi(a)alyssa.is> firmware: arm_scmi: Remove space in MODULE_ALIAS name Jann Horn <jannh(a)google.com> efivars: Respect "block" flag in efivar_entry_set_safe() Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> ixgbe: xsk: change !netif_carrier_ok() handling in ixgbe_xmit_zc() Zheyu Ma <zheyuma97(a)gmail.com> net: arcnet: com20020: Fix null-ptr-deref in com20020pci_probe() Sukadev Bhattiprolu <sukadev(a)linux.ibm.com> ibmvnic: register netdev after init of adapter Randy Dunlap <rdunlap(a)infradead.org> net: sxgbe: fix return value of __setup handler Slawomir Laba <slawomirx.laba(a)intel.com> iavf: Fix missing check for running netdev Johannes Berg <johannes.berg(a)intel.com> mac80211: treat some SAE auth steps as final Randy Dunlap <rdunlap(a)infradead.org> net: stmmac: fix return value of __setup handler Nicolas Escande <nico.escande(a)gmail.com> mac80211: fix forwarded mesh frames AC & queue selection Valentin Schneider <valentin.schneider(a)arm.com> ia64: ensure proper NUMA distance and possible map initialization Dietmar Eggemann <dietmar.eggemann(a)arm.com> sched/topology: Fix sched_domain_topology_level alloc in sched_init_numa() Valentin Schneider <valentin.schneider(a)arm.com> sched/topology: Make sched_init_numa() use a set for the deduplicating sort Jacob Keller <jacob.e.keller(a)intel.com> ice: fix concurrent reset and removal of VFs Brett Creeley <brett.creeley(a)intel.com> ice: Fix race conditions between virtchnl handling and VF ndo ops Frederic Weisbecker <frederic(a)kernel.org> rcu/nocb: Fix missed nocb_timer requeue D. Wythe <alibuda(a)linux.alibaba.com> net/smc: fix unexpected SMC_CLC_DECL_ERR_REGRMB error cause by server D. Wythe <alibuda(a)linux.alibaba.com> net/smc: fix unexpected SMC_CLC_DECL_ERR_REGRMB error generated by client D. Wythe <alibuda(a)linux.alibaba.com> net/smc: fix connection leak Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dcb: flush lingering app table entries for unregistered devices j.nixdorf(a)avm.de <j.nixdorf(a)avm.de> net: ipv6: ensure we call ipv6_mc_down() at most once Sven Eckelmann <sven(a)narfation.org> batman-adv: Don't expect inter-netns unique iflink indices Sven Eckelmann <sven(a)narfation.org> batman-adv: Request iflink once in batadv_get_real_netdevice Sven Eckelmann <sven(a)narfation.org> batman-adv: Request iflink once in batadv-on-batadv check Florian Westphal <fw(a)strlen.de> netfilter: nf_queue: handle socket prefetch Florian Westphal <fw(a)strlen.de> netfilter: nf_queue: fix possible use-after-free Florian Westphal <fw(a)strlen.de> netfilter: nf_queue: don't assume sk is full socket lena wang <lena.wang(a)mediatek.com> net: fix up skbs delta_truesize in UDP GRO frag_list Sasha Neftin <sasha.neftin(a)intel.com> e1000e: Correct NVM checksum verification flow Leon Romanovsky <leon(a)kernel.org> xfrm: enforce validity of offload input flags Antony Antony <antony.antony(a)secunet.com> xfrm: fix the if_id check in changelink Eric Dumazet <edumazet(a)google.com> bpf, sockmap: Do not ignore orig_len parameter Eric Dumazet <edumazet(a)google.com> netfilter: fix use-after-free in __nf_register_net_hook() Jiri Bohac <jbohac(a)suse.cz> xfrm: fix MTU regression Daniel Borkmann <daniel(a)iogearbox.net> mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls Dave Jiang <dave.jiang(a)intel.com> ntb: intel: fix port config status offset for SPR Nicolas Cavallari <nicolas.cavallari(a)green-communications.fr> thermal: core: Fix TZ_GET_TRIP NULL pointer dereference Marek Marczykowski-Górecki <marmarek(a)invisiblethingslab.com> xen/netfront: destroy queues before real_num_tx_queues is zeroed Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915: s/JSP2/ICP2/ PCH Lennert Buytenhek <buytenh(a)wantstofly.org> iommu/amd: Recover from event log overflow Marek Vasut <marex(a)denx.de> ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min Alexandre Ghiti <alexandre.ghiti(a)canonical.com> riscv: Fix config KASAN && DEBUG_VIRTUAL Alexandre Ghiti <alexandre.ghiti(a)canonical.com> riscv: Fix config KASAN && SPARSEMEM && !SPARSE_VMEMMAP Sunil V L <sunilvl(a)ventanamicro.com> riscv/efi_stub: Fix get_boot_hartid_from_fdt() return value Zhen Ni <nizhen(a)uniontech.com> ALSA: intel_hdmi: Fix reference to PCM buffer address Steven Rostedt <rostedt(a)goodmis.org> tracing: Add ustring operation to filtering string pointers Qiang Yu <qiang.yu(a)amd.com> drm/amdgpu: check vm ready by amdgpu_vm->evicting flag Sergey Shtylyov <s.shtylyov(a)omp.ru> ata: pata_hpt37x: fix PCI clock detection Valentin Caron <valentin.caron(a)foss.st.com> serial: stm32: prevent TDR register overwrite when sending x_char Steven Rostedt <rostedt(a)goodmis.org> tracing: Add test for user space strings when filtering on string pointers Christophe Vu-Brugier <christophe.vu-brugier(a)seagate.com> exfat: fix i_blocks for files truncated over 4 GiB Christophe Vu-Brugier <christophe.vu-brugier(a)seagate.com> exfat: reuse exfat_inode_info variable instead of calling EXFAT_I() Hangyu Hua <hbh25y(a)gmail.com> usb: gadget: clear related members when goto fail Hangyu Hua <hbh25y(a)gmail.com> usb: gadget: don't release an existing dev->buf Daniele Palmas <dnlplm(a)gmail.com> net: usb: cdc_mbim: avoid altsetting toggling for Telit FN990 Wolfram Sang <wsa(a)kernel.org> i2c: qup: allow COMPILE_TEST Wolfram Sang <wsa(a)kernel.org> i2c: cadence: allow COMPILE_TEST Yongzhi Liu <lyz_cs(a)pku.edu.cn> dmaengine: shdma: Fix runtime PM imbalance on error Sherry Yang <sherry.yang(a)oracle.com> selftests/seccomp: Fix seccomp failure by adding missing headers Ronnie Sahlberg <lsahlber(a)redhat.com> cifs: fix double free race when mount fails in cifs_get_root() Hangyu Hua <hbh25y(a)gmail.com> tipc: fix a bit overflow in tipc_crypto_key_rcv() Marc Zyngier <maz(a)kernel.org> KVM: arm64: vgic: Read HW interrupt pending state from the HW José Expósito <jose.exposito89(a)gmail.com> Input: clear BTN_RIGHT/MIDDLE on buttonpads Oliver Barta <oliver.barta(a)aptiv.com> regulator: core: fix false positive in regulator_late_cleanup() Kai Vehmanen <kai.vehmanen(a)linux.intel.com> ASoC: rt5682: do not block workqueue if card is unbound Kai Vehmanen <kai.vehmanen(a)linux.intel.com> ASoC: rt5668: do not block workqueue if card is unbound Eric Anholt <eric(a)anholt.net> i2c: bcm2835: Avoid clock stretching timeouts JaeMan Park <jaeman(a)google.com> mac80211_hwsim: initialize ieee80211_tx_info at hw_scan_work Benjamin Beichler <benjamin.beichler(a)uni-rostock.de> mac80211_hwsim: report NOACK frames in tx_status ------------- Diffstat: Documentation/trace/events.rst | 19 ++++ Makefile | 4 +- arch/arm/boot/dts/omap3-devkit8000-common.dtsi | 18 ++++ arch/arm/boot/dts/omap3-devkit8000.dts | 33 ------- arch/arm/boot/dts/tegra124-nyan-big.dts | 15 +-- arch/arm/boot/dts/tegra124-nyan-blaze.dts | 15 +-- arch/arm/boot/dts/tegra124-venice2.dts | 14 +-- arch/arm/kernel/kgdb.c | 36 +++++-- arch/arm/mm/mmu.c | 2 + arch/arm64/boot/dts/rockchip/rk3399-gru.dtsi | 17 +++- arch/arm64/kvm/vgic/vgic-mmio.c | 2 + arch/ia64/kernel/acpi.c | 7 +- arch/riscv/mm/Makefile | 3 + arch/riscv/mm/kasan_init.c | 3 +- arch/s390/include/asm/extable.h | 9 +- drivers/ata/pata_hpt37x.c | 4 +- drivers/clocksource/timer-ti-dm-systimer.c | 3 +- drivers/dma/sh/shdma-base.c | 4 +- drivers/firmware/arm_scmi/driver.c | 2 +- drivers/firmware/efi/libstub/riscv-stub.c | 17 ++-- drivers/firmware/efi/vars.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 10 +- drivers/gpu/drm/i915/intel_pch.c | 2 +- drivers/gpu/drm/i915/intel_pch.h | 2 +- drivers/hid/hid-debug.c | 5 +- drivers/hid/hid-input.c | 3 + drivers/i2c/busses/Kconfig | 4 +- drivers/i2c/busses/i2c-bcm2835.c | 11 +++ drivers/input/input.c | 6 ++ drivers/input/keyboard/Kconfig | 2 +- drivers/input/mouse/elan_i2c_core.c | 64 +++++------- drivers/iommu/amd/amd_iommu.h | 1 + drivers/iommu/amd/amd_iommu_types.h | 1 + drivers/iommu/amd/init.c | 10 ++ drivers/iommu/amd/iommu.c | 10 +- drivers/net/arcnet/com20020-pci.c | 3 + drivers/net/can/usb/gs_usb.c | 10 +- drivers/net/ethernet/chelsio/cxgb3/t3_hw.c | 2 + drivers/net/ethernet/ibm/ibmvnic.c | 39 ++++++-- drivers/net/ethernet/intel/e1000e/ich8lan.c | 4 +- drivers/net/ethernet/intel/iavf/iavf.h | 10 ++ drivers/net/ethernet/intel/iavf/iavf_main.c | 44 +++++---- drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 2 +- drivers/net/ethernet/intel/ice/ice_main.c | 2 + drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 58 +++++++++-- drivers/net/ethernet/intel/ice/ice_virtchnl_pf.h | 5 + drivers/net/ethernet/intel/igc/igc_phy.c | 4 - drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c | 6 +- drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c | 6 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 6 +- drivers/net/usb/cdc_mbim.c | 5 + drivers/net/wireless/mac80211_hwsim.c | 13 +++ drivers/net/xen-netfront.c | 39 +++++--- drivers/ntb/hw/intel/ntb_hw_gen4.c | 17 +++- drivers/ntb/hw/intel/ntb_hw_gen4.h | 16 +++ drivers/pinctrl/sunxi/pinctrl-sunxi.c | 9 ++ drivers/regulator/core.c | 13 +-- drivers/soc/fsl/guts.c | 14 ++- drivers/soc/fsl/qe/qe_io.c | 2 + drivers/thermal/thermal_netlink.c | 5 +- drivers/tty/serial/stm32-usart.c | 12 +++ drivers/usb/gadget/legacy/inode.c | 10 +- fs/btrfs/qgroup.c | 9 +- fs/btrfs/tree-log.c | 61 +++++++++--- fs/cifs/cifsfs.c | 1 + fs/exfat/file.c | 18 ++-- fs/exfat/inode.c | 13 ++- fs/exfat/namei.c | 6 +- fs/exfat/super.c | 10 +- include/linux/topology.h | 1 + include/net/netfilter/nf_queue.h | 2 +- include/net/xfrm.h | 1 - include/uapi/linux/input-event-codes.h | 4 +- include/uapi/linux/xfrm.h | 6 ++ kernel/rcu/tree_plugin.h | 7 +- kernel/sched/topology.c | 99 +++++++++---------- kernel/trace/trace.c | 4 +- kernel/trace/trace_events_filter.c | 107 +++++++++++++++++++-- kernel/trace/trace_events_hist.c | 6 +- kernel/trace/trace_kprobe.c | 2 +- mm/memfd.c | 40 +++++--- mm/util.c | 4 +- net/batman-adv/hard-interface.c | 29 ++++-- net/core/skbuff.c | 2 +- net/core/skmsg.c | 2 +- net/dcb/dcbnl.c | 44 +++++++++ net/ipv4/esp4.c | 2 +- net/ipv6/addrconf.c | 8 +- net/ipv6/esp6.c | 2 +- net/ipv6/ip6_output.c | 11 ++- net/mac80211/ieee80211_i.h | 2 +- net/mac80211/mlme.c | 16 ++- net/mac80211/rx.c | 4 +- net/netfilter/core.c | 5 +- net/netfilter/nf_queue.c | 36 ++++++- net/netfilter/nfnetlink_queue.c | 12 ++- net/smc/af_smc.c | 10 +- net/smc/smc_core.c | 5 +- net/tipc/crypto.c | 2 +- net/wireless/nl80211.c | 12 +++ net/xfrm/xfrm_device.c | 6 +- net/xfrm/xfrm_interface.c | 2 +- net/xfrm/xfrm_state.c | 14 +-- sound/soc/codecs/cs4265.c | 3 +- sound/soc/codecs/rt5668.c | 12 ++- sound/soc/codecs/rt5682.c | 12 ++- sound/soc/soc-ops.c | 4 +- sound/x86/intel_hdmi_audio.c | 2 +- .../selftests/drivers/net/mlxsw/tc_police_scale.sh | 3 +- tools/testing/selftests/seccomp/Makefile | 2 +- 110 files changed, 960 insertions(+), 424 deletions(-)

3 years, 8 months

6
118
0 0

FAILED: patch "[PATCH] bpf: Treat bpf_sk_lookup remote_port as a 2-byte field" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 058ec4a7d9cf77238c73ad9f1e1a3ed9a29afcab Mon Sep 17 00:00:00 2001 From: Jakub Sitnicki <jakub(a)cloudflare.com> Date: Sat, 19 Mar 2022 19:33:54 +0100 Subject: [PATCH] bpf: Treat bpf_sk_lookup remote_port as a 2-byte field In commit 9a69e2b385f4 ("bpf: Make remote_port field in struct bpf_sk_lookup 16-bit wide") the remote_port field has been split up and re-declared from u32 to be16. However, the accompanying changes to the context access converter have not been well thought through when it comes big-endian platforms. Today 2-byte wide loads from offsetof(struct bpf_sk_lookup, remote_port) are handled as narrow loads from a 4-byte wide field. This by itself is not enough to create a problem, but when we combine 1. 32-bit wide access to ->remote_port backed by a 16-wide wide load, with 2. inherent difference between litte- and big-endian in how narrow loads need have to be handled (see bpf_ctx_narrow_access_offset), we get inconsistent results for a 2-byte loads from &ctx->remote_port on LE and BE architectures. This in turn makes BPF C code for the common case of 2-byte load from ctx->remote_port not portable. To rectify it, inform the context access converter that remote_port is 2-byte wide field, and only 1-byte loads need to be treated as narrow loads. At the same time, we special-case the 4-byte load from &ctx->remote_port to continue handling it the same way as do today, in order to keep the existing BPF programs working. Fixes: 9a69e2b385f4 ("bpf: Make remote_port field in struct bpf_sk_lookup 16-bit wide") Signed-off-by: Jakub Sitnicki <jakub(a)cloudflare.com> Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Acked-by: Martin KaFai Lau <kafai(a)fb.com> Link: https://lore.kernel.org/bpf/20220319183356.233666-2-jakub@cloudflare.com diff --git a/net/core/filter.c b/net/core/filter.c index 03655f2074ae..a7044e98765e 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -10989,13 +10989,24 @@ static bool sk_lookup_is_valid_access(int off, int size, case bpf_ctx_range(struct bpf_sk_lookup, local_ip4): case bpf_ctx_range_till(struct bpf_sk_lookup, remote_ip6[0], remote_ip6[3]): case bpf_ctx_range_till(struct bpf_sk_lookup, local_ip6[0], local_ip6[3]): - case offsetof(struct bpf_sk_lookup, remote_port) ... - offsetof(struct bpf_sk_lookup, local_ip4) - 1: case bpf_ctx_range(struct bpf_sk_lookup, local_port): case bpf_ctx_range(struct bpf_sk_lookup, ingress_ifindex): bpf_ctx_record_field_size(info, sizeof(__u32)); return bpf_ctx_narrow_access_ok(off, size, sizeof(__u32)); + case bpf_ctx_range(struct bpf_sk_lookup, remote_port): + /* Allow 4-byte access to 2-byte field for backward compatibility */ + if (size == sizeof(__u32)) + return true; + bpf_ctx_record_field_size(info, sizeof(__be16)); + return bpf_ctx_narrow_access_ok(off, size, sizeof(__be16)); + + case offsetofend(struct bpf_sk_lookup, remote_port) ... + offsetof(struct bpf_sk_lookup, local_ip4) - 1: + /* Allow access to zero padding for backward compatibility */ + bpf_ctx_record_field_size(info, sizeof(__u16)); + return bpf_ctx_narrow_access_ok(off, size, sizeof(__u16)); + default: return false; } @@ -11077,6 +11088,11 @@ static u32 sk_lookup_convert_ctx_access(enum bpf_access_type type, sport, 2, target_size)); break; + case offsetofend(struct bpf_sk_lookup, remote_port): + *target_size = 2; + *insn++ = BPF_MOV32_IMM(si->dst_reg, 0); + break; + case offsetof(struct bpf_sk_lookup, local_port): *insn++ = BPF_LDX_MEM(BPF_H, si->dst_reg, si->src_reg, bpf_target_off(struct bpf_sk_lookup_kern,

3 years, 8 months

1
0
0 0

FAILED: patch "[PATCH] bpf: Treat bpf_sk_lookup remote_port as a 2-byte field" failed to apply to 5.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 058ec4a7d9cf77238c73ad9f1e1a3ed9a29afcab Mon Sep 17 00:00:00 2001 From: Jakub Sitnicki <jakub(a)cloudflare.com> Date: Sat, 19 Mar 2022 19:33:54 +0100 Subject: [PATCH] bpf: Treat bpf_sk_lookup remote_port as a 2-byte field In commit 9a69e2b385f4 ("bpf: Make remote_port field in struct bpf_sk_lookup 16-bit wide") the remote_port field has been split up and re-declared from u32 to be16. However, the accompanying changes to the context access converter have not been well thought through when it comes big-endian platforms. Today 2-byte wide loads from offsetof(struct bpf_sk_lookup, remote_port) are handled as narrow loads from a 4-byte wide field. This by itself is not enough to create a problem, but when we combine 1. 32-bit wide access to ->remote_port backed by a 16-wide wide load, with 2. inherent difference between litte- and big-endian in how narrow loads need have to be handled (see bpf_ctx_narrow_access_offset), we get inconsistent results for a 2-byte loads from &ctx->remote_port on LE and BE architectures. This in turn makes BPF C code for the common case of 2-byte load from ctx->remote_port not portable. To rectify it, inform the context access converter that remote_port is 2-byte wide field, and only 1-byte loads need to be treated as narrow loads. At the same time, we special-case the 4-byte load from &ctx->remote_port to continue handling it the same way as do today, in order to keep the existing BPF programs working. Fixes: 9a69e2b385f4 ("bpf: Make remote_port field in struct bpf_sk_lookup 16-bit wide") Signed-off-by: Jakub Sitnicki <jakub(a)cloudflare.com> Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Acked-by: Martin KaFai Lau <kafai(a)fb.com> Link: https://lore.kernel.org/bpf/20220319183356.233666-2-jakub@cloudflare.com diff --git a/net/core/filter.c b/net/core/filter.c index 03655f2074ae..a7044e98765e 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -10989,13 +10989,24 @@ static bool sk_lookup_is_valid_access(int off, int size, case bpf_ctx_range(struct bpf_sk_lookup, local_ip4): case bpf_ctx_range_till(struct bpf_sk_lookup, remote_ip6[0], remote_ip6[3]): case bpf_ctx_range_till(struct bpf_sk_lookup, local_ip6[0], local_ip6[3]): - case offsetof(struct bpf_sk_lookup, remote_port) ... - offsetof(struct bpf_sk_lookup, local_ip4) - 1: case bpf_ctx_range(struct bpf_sk_lookup, local_port): case bpf_ctx_range(struct bpf_sk_lookup, ingress_ifindex): bpf_ctx_record_field_size(info, sizeof(__u32)); return bpf_ctx_narrow_access_ok(off, size, sizeof(__u32)); + case bpf_ctx_range(struct bpf_sk_lookup, remote_port): + /* Allow 4-byte access to 2-byte field for backward compatibility */ + if (size == sizeof(__u32)) + return true; + bpf_ctx_record_field_size(info, sizeof(__be16)); + return bpf_ctx_narrow_access_ok(off, size, sizeof(__be16)); + + case offsetofend(struct bpf_sk_lookup, remote_port) ... + offsetof(struct bpf_sk_lookup, local_ip4) - 1: + /* Allow access to zero padding for backward compatibility */ + bpf_ctx_record_field_size(info, sizeof(__u16)); + return bpf_ctx_narrow_access_ok(off, size, sizeof(__u16)); + default: return false; } @@ -11077,6 +11088,11 @@ static u32 sk_lookup_convert_ctx_access(enum bpf_access_type type, sport, 2, target_size)); break; + case offsetofend(struct bpf_sk_lookup, remote_port): + *target_size = 2; + *insn++ = BPF_MOV32_IMM(si->dst_reg, 0); + break; + case offsetof(struct bpf_sk_lookup, local_port): *insn++ = BPF_LDX_MEM(BPF_H, si->dst_reg, si->src_reg, bpf_target_off(struct bpf_sk_lookup_kern,

3 years, 8 months

1
0
0 0

[PATCH net] ipv6: fix panic when forwarding a pkt with no in6 dev

by Nicolas Dichtel

kongweibin reported a kernel panic in ip6_forward() when input interface has no in6 dev associated. The following tc commands were used to reproduce this panic: tc qdisc del dev vxlan100 root tc qdisc add dev vxlan100 root netem corrupt 5% CC: stable(a)vger.kernel.org Fixes: ccd27f05ae7b ("ipv6: fix 'disable_policy' for fwd packets") Reported-by: kongweibin <kongweibin2(a)huawei.com> Signed-off-by: Nicolas Dichtel <nicolas.dichtel(a)6wind.com> --- kongweibin, could you test this patch with your setup? Thanks, Nicolas net/ipv6/ip6_output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index e23f058166af..fa63ef2bd99c 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -485,7 +485,7 @@ int ip6_forward(struct sk_buff *skb) goto drop; if (!net->ipv6.devconf_all->disable_policy && - !idev->cnf.disable_policy && + (!idev || !idev->cnf.disable_policy) && !xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) { __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS); goto drop; -- 2.33.0

3 years, 8 months

5
4
0 0

FAILED: patch "[PATCH] bpf: Make remote_port field in struct bpf_sk_lookup 16-bit" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a69e2b385f443f244a7e8b8bcafe5ccfb0866b4 Mon Sep 17 00:00:00 2001 From: Jakub Sitnicki <jakub(a)cloudflare.com> Date: Wed, 9 Feb 2022 19:43:32 +0100 Subject: [PATCH] bpf: Make remote_port field in struct bpf_sk_lookup 16-bit wide remote_port is another case of a BPF context field documented as a 32-bit value in network byte order for which the BPF context access converter generates a load of a zero-padded 16-bit integer in network byte order. First such case was dst_port in bpf_sock which got addressed in commit 4421a582718a ("bpf: Make dst_port field in struct bpf_sock 16-bit wide"). Loading 4-bytes from the remote_port offset and converting the value with bpf_ntohl() leads to surprising results, as the expected value is shifted by 16 bits. Reduce the confusion by splitting the field in two - a 16-bit field holding a big-endian integer, and a 16-bit zero-padding anonymous field that follows it. Suggested-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Jakub Sitnicki <jakub(a)cloudflare.com> Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Link: https://lore.kernel.org/bpf/20220209184333.654927-2-jakub@cloudflare.com diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index a7f0ddedac1f..afe3d0d7f5f2 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -6453,7 +6453,8 @@ struct bpf_sk_lookup { __u32 protocol; /* IP protocol (IPPROTO_TCP, IPPROTO_UDP) */ __u32 remote_ip4; /* Network byte order */ __u32 remote_ip6[4]; /* Network byte order */ - __u32 remote_port; /* Network byte order */ + __be16 remote_port; /* Network byte order */ + __u16 :16; /* Zero padding */ __u32 local_ip4; /* Network byte order */ __u32 local_ip6[4]; /* Network byte order */ __u32 local_port; /* Host byte order */ diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c index cb150f756f3d..f08034500813 100644 --- a/net/bpf/test_run.c +++ b/net/bpf/test_run.c @@ -1147,7 +1147,7 @@ int bpf_prog_test_run_sk_lookup(struct bpf_prog *prog, const union bpf_attr *kat if (!range_is_zero(user_ctx, offsetofend(typeof(*user_ctx), local_port), sizeof(*user_ctx))) goto out; - if (user_ctx->local_port > U16_MAX || user_ctx->remote_port > U16_MAX) { + if (user_ctx->local_port > U16_MAX) { ret = -ERANGE; goto out; } @@ -1155,7 +1155,7 @@ int bpf_prog_test_run_sk_lookup(struct bpf_prog *prog, const union bpf_attr *kat ctx.family = (u16)user_ctx->family; ctx.protocol = (u16)user_ctx->protocol; ctx.dport = (u16)user_ctx->local_port; - ctx.sport = (__force __be16)user_ctx->remote_port; + ctx.sport = user_ctx->remote_port; switch (ctx.family) { case AF_INET: diff --git a/net/core/filter.c b/net/core/filter.c index 99a05199a806..83f06d3b2c52 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -10843,7 +10843,8 @@ static bool sk_lookup_is_valid_access(int off, int size, case bpf_ctx_range(struct bpf_sk_lookup, local_ip4): case bpf_ctx_range_till(struct bpf_sk_lookup, remote_ip6[0], remote_ip6[3]): case bpf_ctx_range_till(struct bpf_sk_lookup, local_ip6[0], local_ip6[3]): - case bpf_ctx_range(struct bpf_sk_lookup, remote_port): + case offsetof(struct bpf_sk_lookup, remote_port) ... + offsetof(struct bpf_sk_lookup, local_ip4) - 1: case bpf_ctx_range(struct bpf_sk_lookup, local_port): case bpf_ctx_range(struct bpf_sk_lookup, ingress_ifindex): bpf_ctx_record_field_size(info, sizeof(__u32));

3 years, 8 months

1
0
0 0

FAILED: patch "[PATCH] bpf: Make remote_port field in struct bpf_sk_lookup 16-bit" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9a69e2b385f443f244a7e8b8bcafe5ccfb0866b4 Mon Sep 17 00:00:00 2001 From: Jakub Sitnicki <jakub(a)cloudflare.com> Date: Wed, 9 Feb 2022 19:43:32 +0100 Subject: [PATCH] bpf: Make remote_port field in struct bpf_sk_lookup 16-bit wide remote_port is another case of a BPF context field documented as a 32-bit value in network byte order for which the BPF context access converter generates a load of a zero-padded 16-bit integer in network byte order. First such case was dst_port in bpf_sock which got addressed in commit 4421a582718a ("bpf: Make dst_port field in struct bpf_sock 16-bit wide"). Loading 4-bytes from the remote_port offset and converting the value with bpf_ntohl() leads to surprising results, as the expected value is shifted by 16 bits. Reduce the confusion by splitting the field in two - a 16-bit field holding a big-endian integer, and a 16-bit zero-padding anonymous field that follows it. Suggested-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Jakub Sitnicki <jakub(a)cloudflare.com> Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Link: https://lore.kernel.org/bpf/20220209184333.654927-2-jakub@cloudflare.com diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index a7f0ddedac1f..afe3d0d7f5f2 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -6453,7 +6453,8 @@ struct bpf_sk_lookup { __u32 protocol; /* IP protocol (IPPROTO_TCP, IPPROTO_UDP) */ __u32 remote_ip4; /* Network byte order */ __u32 remote_ip6[4]; /* Network byte order */ - __u32 remote_port; /* Network byte order */ + __be16 remote_port; /* Network byte order */ + __u16 :16; /* Zero padding */ __u32 local_ip4; /* Network byte order */ __u32 local_ip6[4]; /* Network byte order */ __u32 local_port; /* Host byte order */ diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c index cb150f756f3d..f08034500813 100644 --- a/net/bpf/test_run.c +++ b/net/bpf/test_run.c @@ -1147,7 +1147,7 @@ int bpf_prog_test_run_sk_lookup(struct bpf_prog *prog, const union bpf_attr *kat if (!range_is_zero(user_ctx, offsetofend(typeof(*user_ctx), local_port), sizeof(*user_ctx))) goto out; - if (user_ctx->local_port > U16_MAX || user_ctx->remote_port > U16_MAX) { + if (user_ctx->local_port > U16_MAX) { ret = -ERANGE; goto out; } @@ -1155,7 +1155,7 @@ int bpf_prog_test_run_sk_lookup(struct bpf_prog *prog, const union bpf_attr *kat ctx.family = (u16)user_ctx->family; ctx.protocol = (u16)user_ctx->protocol; ctx.dport = (u16)user_ctx->local_port; - ctx.sport = (__force __be16)user_ctx->remote_port; + ctx.sport = user_ctx->remote_port; switch (ctx.family) { case AF_INET: diff --git a/net/core/filter.c b/net/core/filter.c index 99a05199a806..83f06d3b2c52 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -10843,7 +10843,8 @@ static bool sk_lookup_is_valid_access(int off, int size, case bpf_ctx_range(struct bpf_sk_lookup, local_ip4): case bpf_ctx_range_till(struct bpf_sk_lookup, remote_ip6[0], remote_ip6[3]): case bpf_ctx_range_till(struct bpf_sk_lookup, local_ip6[0], local_ip6[3]): - case bpf_ctx_range(struct bpf_sk_lookup, remote_port): + case offsetof(struct bpf_sk_lookup, remote_port) ... + offsetof(struct bpf_sk_lookup, local_ip4) - 1: case bpf_ctx_range(struct bpf_sk_lookup, local_port): case bpf_ctx_range(struct bpf_sk_lookup, ingress_ifindex): bpf_ctx_record_field_size(info, sizeof(__u32));

3 years, 8 months

1
0
0 0

Re: KASAN: use-after-free Read in tc_chain_fill_node

by syzbot

This bug is marked as fixed by commit: net: core: netlink: add helper refcount dec and lock function net: sched: add helper function to take reference to Qdisc net: sched: extend Qdisc with rcu net: sched: rename qdisc_destroy() to qdisc_put() net: sched: use Qdisc rcu API instead of relying on rtnl lock But I can't find it in any tested tree for more than 90 days. Is it a correct commit? Please update it by replying: #syz fix: exact-commit-title Until then the bug is still considered open and new crashes with the same signature are ignored.

3 years, 8 months

1
0
0 0

[PATCH] nl80211: correctly check NL80211_ATTR_REG_ALPHA2 size

by Johannes Berg

From: Johannes Berg <johannes.berg(a)intel.com> We need this to be at least two bytes, so we can access alpha2[0] and alpha2[1]. It may be three in case some userspace used NUL-termination since it was NLA_STRING (and we also push it out with NUL-termination). Cc: stable(a)vger.kernel.org Reported-by: Lee Jones <lee.jones(a)linaro.org> Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> --- net/wireless/nl80211.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index ee1c2b6b6971..21e808fcb676 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -528,7 +528,8 @@ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = { .len = IEEE80211_MAX_MESH_ID_LEN }, [NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT, - [NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 }, + /* allow 3 for NUL-termination, we used to declare this NLA_STRING */ + [NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3), [NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED }, [NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 }, -- 2.35.1

3 years, 8 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror April 2022