Kernel

kernel@openeuler.org

  • 51 participants
  • 18725 discussions
[openeuler:openEuler-1.0-LTS 16810/23403] drivers/misc/uacce/uacce.o: warning: objtool: missing symbol for section .init.text
by kernel test robot 01 Aug '24

tree:   https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head:   39e859c5836c18cb021d3435101c4066536caa81
commit: 451823febcb610969f048556cedc41b5e08fafb1 [16810/23403] UACCE backport from mainline
config: x86_64-buildonly-randconfig-002-20240731 (https://download.01.org/0day-ci/archive/20240801/202408012317.Ocvc77l4-lkp@…)
compiler: gcc-13 (Ubuntu 13.2.0-4ubuntu3) 13.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240801/202408012317.Ocvc77l4-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202408012317.Ocvc77l4-lkp@intel.com/

All warnings (new ones prefixed by >>):

   drivers/misc/uacce/uacce.c: In function 'numa_distance_show':
   drivers/misc/uacce/uacce.c:1032:23: warning: unused variable 'uacce' [-Wunused-variable]
    1032 |         struct uacce *uacce = UACCE_FROM_CDEV_ATTR(dev);
         |                       ^~~~~
   drivers/misc/uacce/uacce.c: In function 'node_id_show':
   drivers/misc/uacce/uacce.c:1046:23: warning: unused variable 'uacce' [-Wunused-variable]
    1046 |         struct uacce *uacce = UACCE_FROM_CDEV_ATTR(dev);
         |                       ^~~~~
   drivers/misc/uacce/uacce.c:60: warning: Function parameter or member 'dev' not described in 'dev_to_uacce'
   drivers/misc/uacce/uacce.c:81: warning: Function parameter or member 'uacce' not described in 'uacce_hw_err_isolate'
   drivers/misc/uacce/uacce.c:140: warning: Function parameter or member 'q' not described in 'uacce_wake_up'
>> drivers/misc/uacce/uacce.o: warning: objtool: missing symbol for section .init.text

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-22.03-LTS-SP1] powerpc/eeh: avoid possible crash when edev->pdev changes
by Li Zetao 01 Aug '24

From: Ganesh Goudar <ganeshgr(a)linux.ibm.com> stable inclusion from stable-v5.10.223 commit 033c51dfdbb6b79ab43fb3587276fa82d0a329e1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGELJ CVE: CVE-2024-41020 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit a1216e62d039bf63a539bbe718536ec789a853dd ] If a PCI device is removed during eeh_pe_report_edev(), edev->pdev will change and can cause a crash, hold the PCI rescan/remove lock while taking a copy of edev->pdev->bus. Signed-off-by: Ganesh Goudar <ganeshgr(a)linux.ibm.com> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://msgid.link/20240617140240.580453-1-ganeshgr@linux.ibm.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Li Zetao <lizetao1(a)huawei.com> --- arch/powerpc/kernel/eeh_pe.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c index 845e024321d4..a856d9ba42d2 100644 --- a/arch/powerpc/kernel/eeh_pe.c +++ b/arch/powerpc/kernel/eeh_pe.c @@ -849,6 +849,7 @@ struct pci_bus *eeh_pe_bus_get(struct eeh_pe *pe) { struct eeh_dev *edev; struct pci_dev *pdev; + struct pci_bus *bus = NULL; if (pe->type & EEH_PE_PHB) return pe->phb->bus; @@ -859,9 +860,11 @@ struct pci_bus *eeh_pe_bus_get(struct eeh_pe *pe) /* Retrieve the parent PCI bus of first (top) PCI device */ edev = list_first_entry_or_null(&pe->edevs, struct eeh_dev, entry); + pci_lock_rescan_remove(); pdev = eeh_dev_to_pci_dev(edev); if (pdev) - return pdev->bus; + bus = pdev->bus; + pci_unlock_rescan_remove(); - return NULL; + return bus; } -- 2.34.1
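Review bot: this posting and the OLK-5.10 one tag the backport as CVE-2024-41020, while the OLK-6.6 posting of the same upstream commit a1216e62d039 carries CVE-2024-41064; the vulnerability tracker keys on that tag, so please confirm which ID belongs to this fix before any of the three is merged. On the hunk itself: the lock is dropped before `return bus;`, so the returned pci_bus pointer carries no reference and is only as stable as the caller's own serialisation against hot-remove. pci_lock_rescan_remove() here protects the read of edev->pdev and pdev->bus, not the lifetime of what is returned, and a sentence saying so in the backport description would stop a reader from assuming eeh_pe_bus_get() is now safe to use unlocked.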
[PATCH OLK-5.10] powerpc/eeh: avoid possible crash when edev->pdev changes
by Li Zetao 01 Aug '24

From: Ganesh Goudar <ganeshgr(a)linux.ibm.com> stable inclusion from stable-v5.10.223 commit 033c51dfdbb6b79ab43fb3587276fa82d0a329e1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGELJ CVE: CVE-2024-41020 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit a1216e62d039bf63a539bbe718536ec789a853dd ] If a PCI device is removed during eeh_pe_report_edev(), edev->pdev will change and can cause a crash, hold the PCI rescan/remove lock while taking a copy of edev->pdev->bus. Signed-off-by: Ganesh Goudar <ganeshgr(a)linux.ibm.com> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://msgid.link/20240617140240.580453-1-ganeshgr@linux.ibm.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Li Zetao <lizetao1(a)huawei.com> --- arch/powerpc/kernel/eeh_pe.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c index 845e024321d4..a856d9ba42d2 100644 --- a/arch/powerpc/kernel/eeh_pe.c +++ b/arch/powerpc/kernel/eeh_pe.c @@ -849,6 +849,7 @@ struct pci_bus *eeh_pe_bus_get(struct eeh_pe *pe) { struct eeh_dev *edev; struct pci_dev *pdev; + struct pci_bus *bus = NULL; if (pe->type & EEH_PE_PHB) return pe->phb->bus; @@ -859,9 +860,11 @@ struct pci_bus *eeh_pe_bus_get(struct eeh_pe *pe) /* Retrieve the parent PCI bus of first (top) PCI device */ edev = list_first_entry_or_null(&pe->edevs, struct eeh_dev, entry); + pci_lock_rescan_remove(); pdev = eeh_dev_to_pci_dev(edev); if (pdev) - return pdev->bus; + bus = pdev->bus; + pci_unlock_rescan_remove(); - return NULL; + return bus; } -- 2.34.1
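Review bot: pci_lock_rescan_remove() takes a mutex, so after this hunk eeh_pe_bus_get() can sleep; please confirm every caller in OLK-5.10 reaches it from process context (the EEH recovery paths normally do, but a backport tree can differ from upstream here). Note also the CVE tag: this posting and the 22.03-LTS-SP1 one say CVE-2024-41020, while the OLK-6.6 posting of the identical upstream commit says CVE-2024-41064; only one can be right, and the bugzilla entry IAGELJ shared by all three should settle it.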
[PATCH OLK-6.6] powerpc/eeh: avoid possible crash when edev->pdev changes
by Li Zetao 01 Aug '24

From: Ganesh Goudar <ganeshgr(a)linux.ibm.com> stable inclusion from stable-v6.6.42 commit f23c3d1ca9c4b2d626242a4e7e1ec1770447f7b5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGELJ CVE: CVE-2024-41064 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit a1216e62d039bf63a539bbe718536ec789a853dd ] If a PCI device is removed during eeh_pe_report_edev(), edev->pdev will change and can cause a crash, hold the PCI rescan/remove lock while taking a copy of edev->pdev->bus. Signed-off-by: Ganesh Goudar <ganeshgr(a)linux.ibm.com> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://msgid.link/20240617140240.580453-1-ganeshgr@linux.ibm.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Li Zetao <lizetao1(a)huawei.com> --- arch/powerpc/kernel/eeh_pe.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c index e0ce81279624..7d1b50599dd6 100644 --- a/arch/powerpc/kernel/eeh_pe.c +++ b/arch/powerpc/kernel/eeh_pe.c @@ -849,6 +849,7 @@ struct pci_bus *eeh_pe_bus_get(struct eeh_pe *pe) { struct eeh_dev *edev; struct pci_dev *pdev; + struct pci_bus *bus = NULL; if (pe->type & EEH_PE_PHB) return pe->phb->bus; @@ -859,9 +860,11 @@ struct pci_bus *eeh_pe_bus_get(struct eeh_pe *pe) /* Retrieve the parent PCI bus of first (top) PCI device */ edev = list_first_entry_or_null(&pe->edevs, struct eeh_dev, entry); + pci_lock_rescan_remove(); pdev = eeh_dev_to_pci_dev(edev); if (pdev) - return pdev->bus; + bus = pdev->bus; + pci_unlock_rescan_remove(); - return NULL; + return bus; } -- 2.34.1
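Review bot: the CVE tag here (CVE-2024-41064) differs from the two 5.10-based postings of the same upstream commit a1216e62d039 (CVE-2024-41020); please reconcile before merge, since one diff cannot fix two different CVEs. The hunk is otherwise the right shape: `bus` is copied under the rescan/remove lock and the early `return pdev->bus;` is replaced by `bus = pdev->bus;` so the unlock can never be skipped. What it does not do is pin the returned bus, so callers of eeh_pe_bus_get() that dereference `bus` after a device could have been removed still need their own protection; a short comment above `pci_lock_rescan_remove();` stating that the lock covers the read, not the returned pointer, would save the next reader from assuming otherwise.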
[openeuler:openEuler-1.0-LTS 22383/23403] drivers/gpu/drm/nouveau/nvkm/core/object.o: warning: objtool: nvkm_object_del()+0xd1: unreachable instruction
by kernel test robot 01 Aug '24

tree:   https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head:   12dcab98264cb7d9ede69cf67e579aa585d6e4b6
commit: 901dbb48d8a4f60af427f1ec67ac1247ff219f39 [22383/23403] nouveau: lock the client object tree.
config: x86_64-buildonly-randconfig-002-20240801 (https://download.01.org/0day-ci/archive/20240801/202408012245.IRmWDQQn-lkp@…)
compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240801/202408012245.IRmWDQQn-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202408012245.IRmWDQQn-lkp@intel.com/

All warnings (new ones prefixed by >>):

   drivers/gpu/drm/nouveau/nvkm/core/object.c:37:19: warning: mixing declarations and code is a C99 extension [-Wdeclaration-after-statement]
      37 |         struct rb_node *node = client->objroot.rb_node;
         |                         ^
   1 warning generated.
>> drivers/gpu/drm/nouveau/nvkm/core/object.o: warning: objtool: nvkm_object_del()+0xd1: unreachable instruction

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-22.03-LTS-SP1 0/2] bpf: Two bugfix for bpf prog
by Tengda Wu 01 Aug '24

This patch set backports two bugfixes from upstream for bpf prog.

Christophe Leroy (1):
  bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()

Krister Johansen (1):
  bpf: ensure main program has an extable

 include/linux/filter.h |  5 +++--
 kernel/bpf/core.c      |  4 +++-
 kernel/bpf/verifier.c  | 15 +++++++++++----
 3 files changed, 17 insertions(+), 7 deletions(-)

--
2.34.1
[PATCH OLK-6.6] bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()
by Tengda Wu 01 Aug '24

From: Christophe Leroy <christophe.leroy(a)csgroup.eu> stable inclusion from stable-v6.6.37 commit fdd411af8178edc6b7bf260f8fa4fba1bedd0a6d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEOM CVE: CVE-2024-42068 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 7d2cc63eca0c993c99d18893214abf8f85d566d8 ] set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: https://github.com/KSPP/linux/issues/7 Signed-off-by: Christophe Leroy <christophe.leroy(a)csgroup.eu> Cc: linux-hardening(a)vger.kernel.org <linux-hardening(a)vger.kernel.org> Reviewed-by: Kees Cook <keescook(a)chromium.org> Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy(a)csgroup.eu> Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Fixes: 85782e037f8a ("bpf: undo prog rejection on read-only lock failure") Signed-off-by: Tengda Wu <wutengda2(a)huawei.com> --- include/linux/filter.h | 5 +++-- kernel/bpf/core.c | 4 +++- kernel/bpf/verifier.c | 8 ++++++-- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/include/linux/filter.h b/include/linux/filter.h index 26487fa86cb8..20b777ef5531 100644 --- a/include/linux/filter.h +++ b/include/linux/filter.h @@ -842,14 +842,15 @@ bpf_ctx_narrow_access_offset(u32 off, u32 size, u32 size_default) #define bpf_classic_proglen(fprog) (fprog->len * sizeof(fprog->filter[0])) -static inline void bpf_prog_lock_ro(struct bpf_prog *fp) +static inline int __must_check bpf_prog_lock_ro(struct bpf_prog *fp) { #ifndef CONFIG_BPF_JIT_ALWAYS_ON if (!fp->jited) { set_vm_flush_reset_perms(fp); - set_memory_ro((unsigned long)fp, fp->pages); + return set_memory_ro((unsigned long)fp, fp->pages); } #endif + return 0; } static inline void bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr) 
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index a722f41e4f4a..d568244f5ae8 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -2375,7 +2375,9 @@ struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err) } finalize: - bpf_prog_lock_ro(fp); + *err = bpf_prog_lock_ro(fp); + if (*err) + return fp; /* The tail call compatibility check can only be done at * this late stage as we need to determine, if we deal diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 08a33b2a2021..e02ed203e90b 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -18627,10 +18627,14 @@ static int jit_subprogs(struct bpf_verifier_env *env) * bpf_prog_load will add the kallsyms for the main program. */ for (i = 1; i < env->subprog_cnt; i++) { - bpf_prog_lock_ro(func[i]); - bpf_prog_kallsyms_add(func[i]); + err = bpf_prog_lock_ro(func[i]); + if (err) + goto out_free; } + for (i = 1; i < env->subprog_cnt; i++) + bpf_prog_kallsyms_add(func[i]); + /* Last step: make now unused interpreter insns from main * prog consistent for later dump requests, so they can * later look the same as if they were interpreted only. -- 2.34.1
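Review bot: the filter.h hunk's trailing context still shows `static inline void bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr)`, so for JIT-ed programs (fp->jited) a failure of the set_memory_* calls inside that helper is still ignored and the JIT image can be left writable; this patch only closes the interpreter path (`!fp->jited`). Upstream followed 7d2cc63eca0c with a companion change by the same author that makes bpf_jit_binary_lock_ro() return the set_memory result and has its callers fail the load; that one should be backported together with this under the same CVE, otherwise the CVE tag overstates what is fixed. In the verifier.c hunk, splitting the lock loop from the kallsyms loop is right: a subprogram should not be registered in kallsyms if a later one fails to lock and the whole set is torn down via `goto out_free`.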
[PATCH OLK-5.10] bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()
by Tengda Wu 01 Aug '24

From: Christophe Leroy <christophe.leroy(a)csgroup.eu> mainline inclusion from mainline-v6.10-rc1 commit 7d2cc63eca0c993c99d18893214abf8f85d566d8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEOM CVE: CVE-2024-42068 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- set_memory_ro() can fail, leaving memory unprotected. Check its return and take it into account as an error. Link: https://github.com/KSPP/linux/issues/7 Signed-off-by: Christophe Leroy <christophe.leroy(a)csgroup.eu> Cc: linux-hardening(a)vger.kernel.org <linux-hardening(a)vger.kernel.org> Reviewed-by: Kees Cook <keescook(a)chromium.org> Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy(a)csgroup.eu> Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Fixes: 85782e037f8a ("bpf: undo prog rejection on read-only lock failure") Signed-off-by: Tengda Wu <wutengda2(a)huawei.com> --- include/linux/filter.h | 5 +++-- kernel/bpf/core.c | 4 +++- kernel/bpf/verifier.c | 8 ++++++-- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/include/linux/filter.h b/include/linux/filter.h index 273f69057384..1d6ffa60b468 100644 --- a/include/linux/filter.h +++ b/include/linux/filter.h @@ -835,14 +835,15 @@ bpf_ctx_narrow_access_offset(u32 off, u32 size, u32 size_default) #define bpf_classic_proglen(fprog) (fprog->len * sizeof(fprog->filter[0])) -static inline void bpf_prog_lock_ro(struct bpf_prog *fp) +static inline int __must_check bpf_prog_lock_ro(struct bpf_prog *fp) { #ifndef CONFIG_BPF_JIT_ALWAYS_ON if (!fp->jited) { set_vm_flush_reset_perms(fp); - set_memory_ro((unsigned long)fp, fp->pages); + return set_memory_ro((unsigned long)fp, fp->pages); } #endif + return 0; } static inline void bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr) diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index 33ea6ab12f47..6fd3f8d0dda3 100644 --- a/kernel/bpf/core.c 
+++ b/kernel/bpf/core.c @@ -1882,7 +1882,9 @@ struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err) } finalize: - bpf_prog_lock_ro(fp); + *err = bpf_prog_lock_ro(fp); + if (*err) + return fp; /* The tail call compatibility check can only be done at * this late stage as we need to determine, if we deal diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 386b5d6b564c..a266ae4b8c3b 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -11547,10 +11547,14 @@ static int jit_subprogs(struct bpf_verifier_env *env) * bpf_prog_load will add the kallsyms for the main program. */ for (i = 1; i < env->subprog_cnt; i++) { - bpf_prog_lock_ro(func[i]); - bpf_prog_kallsyms_add(func[i]); + err = bpf_prog_lock_ro(func[i]); + if (err) + goto out_free; } + for (i = 1; i < env->subprog_cnt; i++) + bpf_prog_kallsyms_add(func[i]); + /* Last step: make now unused interpreter insns from main * prog consistent for later dump requests, so they can * later look the same as if they were interpreted only. -- 2.34.1
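Review bot: in the core.c hunk `*err = bpf_prog_lock_ro(fp); if (*err) return fp;` hands the program back with the error set and relies on the caller to unwind and free fp; that matches upstream, but the backport description should state that bpf_prog_select_runtime()'s callers in OLK-5.10 check *err on this path, because the Fixes tag (85782e037f8a, "undo prog rejection on read-only lock failure") deliberately made a lock failure non-fatal in the past and this reverses that decision. As in the OLK-6.6 version, `bpf_jit_binary_lock_ro()` in the hunk's trailing context is still `void`, so JIT-ed programs are unaffected by this fix and keep ignoring a failed set_memory_* call; the upstream companion change for that helper belongs with this backport.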
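The two bpf postings above change bpf_prog_lock_ro() from silently ignoring a set_memory_ro() failure to propagating it. The C program below is an added user-space illustration of that pattern and is not openEuler or upstream kernel code: the "program" is a mmap()ed page holding two constructed BPF instruction encodings, mprotect() stands in for set_memory_ro(), a hypothetical fault-injection hook (inject_lock_failure) stands in for whatever makes set_memory_ro() fail, and a SIGSEGV probe reports whether the memory really ended up read-only. All function and type names (prog_lock_ro, select_runtime_before, select_runtime_after, run_scenario, struct outcome) are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example, not kernel code: a user-space model of the
 * bpf_prog_lock_ro() change, with mprotect() standing in for set_memory_ro(). */

/* 0 on success, -errno on failure, like the fixed bpf_prog_lock_ro(). */
static int prog_lock_ro(uint8_t *mem, size_t len)
{
    return mprotect(mem, len, PROT_READ) == 0 ? 0 : -errno;
}

/* Hypothetical fault injection: pretend the page-table update failed. */
static int inject_lock_failure(uint8_t *mem, size_t len)
{
    (void)mem; (void)len;
    return -ENOMEM;
}

/* The lock operation the finalize step calls; run_scenario() swaps it. */
static int (*lock_ro_op)(uint8_t *, size_t) = prog_lock_ro;

/* Finalize step before the fix (bpf_prog_select_runtime() dropping the
 * return value): the program is handed out whether or not it got locked. */
static int select_runtime_before(uint8_t *mem, size_t len)
{
    lock_ro_op(mem, len);
    return 0;
}

/* The same step after the fix: the lock result is the error. */
static int select_runtime_after(uint8_t *mem, size_t len)
{
    return lock_ro_op(mem, len);
}

/* Probe whether the byte at addr is writable by catching the fault. */
static sigjmp_buf probe_env;
static void probe_segv(int sig) { (void)sig; siglongjmp(probe_env, 1); }

static int probe_writable(volatile uint8_t *addr)
{
    struct sigaction sa, old;
    volatile int writable = 0;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = probe_segv;
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(probe_env, 1) == 0) {
        *addr = *addr;          /* faults on a read-only page */
        writable = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    return writable;
}

/* Constructed sample bytes: BPF_MOV64_IMM(r0, 0); BPF_EXIT. */
static const uint8_t sample_code[16] = {
    0xb7, 0, 0, 0, 0, 0, 0, 0,  0x95, 0, 0, 0, 0, 0, 0, 0,
};

struct outcome {
    int err;        /* error the loader reports */
    int got_prog;   /* 1 if the program was exposed for use */
    int writable;   /* 1 if its memory was still writable at that point */
};

/* inject_failure selects the fault hook; checked selects the fixed path. */
struct outcome run_scenario(int inject_failure, int checked)
{
    struct outcome o = { 0, 0, 0 };
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

    if (mem == MAP_FAILED) {
        o.err = -ENOMEM;
        return o;
    }
    memcpy(mem, sample_code, sizeof(sample_code));
    lock_ro_op = inject_failure ? inject_lock_failure : prog_lock_ro;
    o.err = checked ? select_runtime_after(mem, len)
                    : select_runtime_before(mem, len);
    if (o.err == 0) {           /* the loader exposes the program only on success */
        o.got_prog = 1;
        o.writable = probe_writable(mem);
    }
    munmap(mem, len);           /* on error this is bpf_prog_load()'s unwind */
    return o;
}
```

Calling run_scenario(1, 0) (lock fails, unchecked path) returns got_prog=1 with writable=1: the program is in use while its memory can still be modified, which is the state the fix removes. run_scenario(1, 1) returns err=-ENOMEM and got_prog=0, and run_scenario(0, 1) returns got_prog=1 with writable=0. The kernel differs from this model in one detail: it returns fp with *err set and leaves freeing to bpf_prog_load(), whereas the model unmaps in run_scenario().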
[PATCH openEuler-22.03-LTS-SP1] tap: add missing verification for short frame
by Liu Jian 01 Aug '24

From: Si-Wei Liu <si-wei.liu(a)oracle.com> stable inclusion from stable-v5.10.223 commit 7431144b406ae82807eb87d8c98e518475b0450f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAG8ZG CVE: CVE-2024-41090 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- commit ed7f2afdd0e043a397677e597ced0830b83ba0b3 upstream. The cited commit missed to check against the validity of the frame length in the tap_get_user_xdp() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tap_get_user_xdp()-->skb_set_network_header() may assume the size is more than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tap_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted. This is to drop any frame shorter than the Ethernet header size just like how tap_get_user() does. CVE: CVE-2024-41090 Link: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu… Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()") Cc: stable(a)vger.kernel.org Signed-off-by: Si-Wei Liu <si-wei.liu(a)oracle.com> Signed-off-by: Dongli Zhang <dongli.zhang(a)oracle.com> Reviewed-by: Willem de Bruijn <willemb(a)google.com> Reviewed-by: Paolo Abeni <pabeni(a)redhat.com> Reviewed-by: Jason Wang <jasowang(a)redhat.com> Link: https://patch.msgid.link/20240724170452.16837-2-dongli.zhang@oracle.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- drivers/net/tap.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/tap.c b/drivers/net/tap.c index 2c9ae02ada3e..4bef62fc9460 100644 
--- a/drivers/net/tap.c +++ b/drivers/net/tap.c @@ -1142,6 +1142,11 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp) struct sk_buff *skb; int err, depth; + if (unlikely(xdp->data_end - xdp->data < ETH_HLEN)) { + err = -EINVAL; + goto err; + } + if (q->flags & IFF_VNET_HDR) vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz); -- 2.34.1
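Review bot: the new check jumps to the existing `err:` label with `skb` still uninitialised (declared in the visible context, not yet assigned), so that label must not touch `skb`. In upstream `err:` only accounts the drop in rx_dropped and returns, with kfree_skb() living under a separate `err_kfree:`; please confirm the labels in this branch are laid out the same way, because a backport that had merged the two would now kfree_skb() garbage. It is also worth making sure the drop is counted somewhere an operator can see (rx_dropped or a tracepoint): a guest or userspace that starts pushing sub-14-byte frames through the XDP path is exactly the signal worth surfacing, and -EINVAL on the sendmsg() side alone is easy to miss.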
[PATCH OLK-5.10] tap: add missing verification for short frame
by Liu Jian 01 Aug '24

From: Si-Wei Liu <si-wei.liu(a)oracle.com> stable inclusion from stable-v5.10.223 commit 7431144b406ae82807eb87d8c98e518475b0450f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAG8ZG CVE: CVE-2024-41090 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- commit ed7f2afdd0e043a397677e597ced0830b83ba0b3 upstream. The cited commit missed to check against the validity of the frame length in the tap_get_user_xdp() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tap_get_user_xdp()-->skb_set_network_header() may assume the size is more than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tap_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted. This is to drop any frame shorter than the Ethernet header size just like how tap_get_user() does. CVE: CVE-2024-41090 Link: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu… Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()") Cc: stable(a)vger.kernel.org Signed-off-by: Si-Wei Liu <si-wei.liu(a)oracle.com> Signed-off-by: Dongli Zhang <dongli.zhang(a)oracle.com> Reviewed-by: Willem de Bruijn <willemb(a)google.com> Reviewed-by: Paolo Abeni <pabeni(a)redhat.com> Reviewed-by: Jason Wang <jasowang(a)redhat.com> Link: https://patch.msgid.link/20240724170452.16837-2-dongli.zhang@oracle.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- drivers/net/tap.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/tap.c b/drivers/net/tap.c index 41ee56015a45..16fa0e3e752a 100644 
--- a/drivers/net/tap.c +++ b/drivers/net/tap.c @@ -1141,6 +1141,11 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp) struct sk_buff *skb; int err, depth; + if (unlikely(xdp->data_end - xdp->data < ETH_HLEN)) { + err = -EINVAL; + goto err; + } + if (q->flags & IFF_VNET_HDR) vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz); -- 2.34.1
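Review bot: the length being checked is `xdp->data_end - xdp->data`, the raw XDP data region, and the check sits before `vnet_hdr_len` is read from the queue; that is correct only if the virtio-net header is not part of the data region on this path (upstream carries it in the tun_xdp_hdr at data_hard_start, which is why tap_get_user() subtracts vnet_hdr_len before its own ETH_HLEN check but this path does not). Please confirm OLK-5.10's tap_get_user_xdp() lays the buffer out the same way; otherwise the check would need to move to after the header is accounted for. One small plus worth a comment: the ptrdiff_t difference is compared against the int ETH_HLEN as a signed value, so a corrupted `data_end < data` also fails the check, and that property would be lost if someone later "tidied" it into an unsigned compare.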
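The two tap postings above (22.03-LTS-SP1 and OLK-5.10) add a single length check before any header offset is derived. The C program below is an added user-space model of that fix and is not openEuler or upstream code: `struct xdp_frame` stands in for xdp_buff's data/data_end, `struct skb_meta` for the skb header offsets that later layers trust, and the two frames at the bottom (a 10-byte runt and a minimal Ethernet/IPv4 frame) are sample input constructed for this example. It shows what the commit message calls "inconsistent header length in the skb metadata": on the unchecked path a runt frame yields a wrapped network_len that sails through a downstream bounds check with no bytes behind it, while the checked path rejects the frame with -EINVAL.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not kernel code: a user-space model of the
 * tap_get_user_xdp() short-frame fix. A frame is [data, data_end) like an
 * xdp_buff; "building the skb" means deriving the offsets later code trusts. */

#define ETH_HLEN        14
#define ETH_P_IP        0x0800
#define IPV4_MIN_HLEN   20

struct xdp_frame {              /* stands in for xdp_buff's data/data_end */
    const uint8_t *data;
    const uint8_t *data_end;
};

struct skb_meta {               /* the metadata downstream layers rely on */
    size_t len;                 /* bytes of frame data */
    size_t network_header;      /* offset of the L3 header */
    size_t network_len;         /* len - network_header, as the stack sees it */
    uint16_t proto;             /* EtherType, when the frame is long enough */
};

/* Before the fix: offsets are derived without checking that the frame even
 * holds an Ethernet header. For len < ETH_HLEN the network header lands past
 * the end of the data and network_len wraps around, which is the
 * "inconsistent header length in the skb metadata" from the report. */
static int build_meta_unchecked(const struct xdp_frame *f, struct skb_meta *m)
{
    memset(m, 0, sizeof(*m));
    m->len = (size_t)(f->data_end - f->data);
    m->network_header = ETH_HLEN;                 /* skb_set_network_header(skb, ETH_HLEN) */
    m->network_len = m->len - m->network_header;  /* unsigned wrap when len < 14 */
    /* A real driver reads bytes 12..13 here unconditionally; the guard only
     * keeps this model itself free of out-of-bounds reads. */
    if (m->len >= ETH_HLEN)
        m->proto = (uint16_t)((f->data[12] << 8) | f->data[13]);
    return 0;
}

/* After the fix: the added check, same expression as the patch, runs first. */
static int build_meta_checked(const struct xdp_frame *f, struct skb_meta *m)
{
    if (f->data_end - f->data < ETH_HLEN)
        return -EINVAL;
    return build_meta_unchecked(f, m);
}

struct result {
    int rc;                 /* 0, or -EINVAL from the build step */
    int l3_check_passed;    /* downstream "network_len >= IPv4 header" check */
    uint8_t l4proto;        /* IPv4 protocol byte, if it was really readable */
};

/* Push one frame through the old or new path and report what a downstream
 * consumer that trusts network_len concludes. The byte read is only done
 * when the offset is genuinely inside the frame, so a wrapped network_len
 * shows up as a passed check with no data behind it. */
struct result run_frame(const uint8_t *buf, size_t n, int checked)
{
    struct xdp_frame f = { buf, buf + n };
    struct skb_meta m;
    struct result r = { 0, 0, 0 };

    r.rc = checked ? build_meta_checked(&f, &m) : build_meta_unchecked(&f, &m);
    if (r.rc)
        return r;
    r.l3_check_passed = m.network_len >= IPV4_MIN_HLEN;
    if (r.l3_check_passed && m.proto == ETH_P_IP &&
        m.network_header + IPV4_MIN_HLEN <= m.len)
        r.l4proto = buf[m.network_header + 9];     /* IPv4 protocol field */
    return r;
}

/* Constructed samples: a 10-byte runt, and a minimal Ethernet+IPv4 (TCP) frame. */
static const uint8_t short_frame[10] = {
    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
};
static const uint8_t ipv4_frame[ETH_HLEN + IPV4_MIN_HLEN] = {
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x02, /* dst, src MAC */
    0x08, 0x00,                                                             /* EtherType IPv4 */
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00, /* v4, ihl 5, proto 6 */
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02                          /* 10.0.0.1 -> 10.0.0.2 */
};
```

run_frame(short_frame, 10, 0) returns rc=0 with l3_check_passed=1 even though the frame is four bytes shorter than an Ethernet header: network_len has wrapped to a huge value and the consumer's check is satisfied. run_frame(short_frame, 10, 1) returns rc=-EINVAL, and the well-formed ipv4_frame passes both paths with l4proto=6.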