From nobody Wed Jun 17 06:27:58 2026 Received: from stravinsky.debian.org (stravinsky.debian.org [82.195.75.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 71C272777F3; Mon, 27 Apr 2026 14:30:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=82.195.75.108 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777300257; cv=none; b=CtysA6JEHrbZYTqxGTEmAEGH90pLiCYNy55pXjfkkvCnp/t2BmnCZLSZ6ss91PUH4c2aL5PdlPWGdLdgVywRMGHHKw3+EiHLxzPEDu7rJrWgmRVg5DSHp5WO2u+cVRbBZQ0iwgy0cNljWNdmw7qqLw3mZqPXdxCh9vZ13s8IBLQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777300257; c=relaxed/simple; bh=rT7wv1OJRw4kOZrgDt+N6diYoUEjWWzAzeRJgzAKsNg=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=PjPrrdForSZj0E68AYRpqMp1LKH5A2vdRV6LW/xw5isP6/Rmo1q+YtpjkBRs0LasZqNjIodTInze/cxZ703tvgcZrkSaVWwgyGMZe8xy7H5UnAlRYjuw9r0VjxgJn7imEGJN9qd0o3MMfMvoLt5LhrVExiBd5UHjvylzAgO7CyU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=debian.org; spf=none smtp.mailfrom=debian.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b=dOTuTZc1; arc=none smtp.client-ip=82.195.75.108 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=debian.org Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=debian.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b="dOTuTZc1" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.stravinsky; h=X-Debian-User:Cc:To:In-Reply-To:References: Message-Id:Content-Transfer-Encoding:Content-Type:MIME-Version:Subject:Date: From:Reply-To:Content-ID:Content-Description; bh=hkq35yjTpGqW8KKdFdXwyAd3IzepkaLH2TT1IS7RR0g=; b=dOTuTZc1AM4+HhYVQBaKascq5W 3rN6KLP2/ViwAmHoyjhLYLiypncptspdgJ5/xAAov0eAKujGZUYsf3vFn4vxAPPPnhL1va2yCP4KF LNJa68AMJ1/I7ft7o1CbjaUt7ERXT6eyEH2jyQO7Z2yan55n4+VXAs8M3+J2l1PwjRL3wDONgYnGD wjxzW0hJhmWXcgL2EMOi30NQcezR/pq4ci0iUVaUEHKyAGm0ui0ZtkJDG0N9t/HyvNSbJWPNUppLM WJDhdSfrZAXsXNCvw1mvsy9vlsEHszDf6HA6nPoX8HvnpFNyp+pCKR/lYg1F6tfbxNhr2gZcoPyv8 JYHb00sw==; Received: from authenticated user by stravinsky.debian.org with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from ) id 1wHMz7-005Xwj-1o; Mon, 27 Apr 2026 14:30:53 +0000 From: Breno Leitao Date: Mon, 27 Apr 2026 07:30:35 -0700 Subject: [PATCH net v2 1/4] netconsole: return count instead of strnlen(buf, count) from store callbacks Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260427-netconsole_ai_fixes-v2-1-59965f29d9cc@debian.org> References: <20260427-netconsole_ai_fixes-v2-0-59965f29d9cc@debian.org> In-Reply-To: <20260427-netconsole_ai_fixes-v2-0-59965f29d9cc@debian.org> To: Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Keiichi Kii , Satyam Sharma , Andrew Morton , Matthew Wood , asantostc@gmail.com, gustavold@gmail.com Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Breno Leitao , kernel-team@meta.com, Simon Horman X-Mailer: b4 0.16-dev-453a6 X-Developer-Signature: v=1; a=openpgp-sha256; l=5298; i=leitao@debian.org; h=from:subject:message-id; bh=rT7wv1OJRw4kOZrgDt+N6diYoUEjWWzAzeRJgzAKsNg=; b=owEBbQKS/ZANAwAIATWjk5/8eHdtAcsmYgBp73MSX3XfBkpiWAN/78kZDKbMhaq0dVxPxuNI0 WOCIbaNodWJAjMEAAEIAB0WIQSshTmm6PRnAspKQ5s1o5Of/Hh3bQUCae9zEgAKCRA1o5Of/Hh3 bYDmD/9IKn+rqV33g7Ipr7hvsCvlOpetrCc3Rq0q6n+4JSBv+noyF0ZRyZML8NuYn2qYjEgE7eg Z+hbogsUmq4h6qqyOzgYWcvYN3TWWNtSKWUPyOemMkz4T9Ny8kGBs5LD7e5+EnY21Ia33tHxa9Z euZ5xElm0aFdYq12jofcRbCKrghBnKDv+K0FD5RyU/L9WxYUEEYXZR1iO5IZFPChahhclFoCCIr y/RfjmwReVDyJg8CaRTjfZvQOsvPLlQnpydlY4mGT/vx678+iyCi9qQLoqtu+E3IbRuMSswYcRN 5ptLSMziv6yMlD26IDBbyEmZts2pvCpr/0XAcnqjeoloWoJX008pe/xPWu0VDNaTV0+jdybceKW z12MzdSUoVP9vA87u82/6JZTxt/J6u6oe9joI0jNTiyCz3HcMX84LppJ5BRvVYMchCQyZ2xkHPB ZgIfz+rrH6KVb5iEQ02gc1oC1qB9xtrKuDxJb6NuejdsUp1dRrP3ltmacbcI1XepqzRKCz+NGr1 /U8rH3QdGjAOnfVncyvH2Qo0gW9ymgFAlgCmCjfTpfRXIcUfHxN06hIDxjGdgy4P1B4E2gAKQNm jamVqKeDcdSHFMTFpr7MGxnwTFlNq00KMsGdJGjxx+/ppFHqyKX4I4r4QOuD8GOJwERwUg3ihz+ giDHEp2OC0MK+4Q== X-Developer-Key: i=leitao@debian.org; a=openpgp; fpr=AC8539A6E8F46702CA4A439B35A3939FFC78776D X-Debian-User: leitao Several configfs store callbacks in netconsole end with: ret =3D strnlen(buf, count); This under-reports the number of bytes consumed when the input contains an embedded NUL within count, telling the VFS that fewer bytes were written than userspace actually handed in. A conformant partial-write loop would then retry the trailing bytes against a callback that has already accepted them. Every other configfs driver in the tree returns count directly from its store callbacks once parsing has succeeded, including drivers/nvme/target/configfs.c, drivers/gpio/gpio-sim.c, drivers/most/configfs.c, drivers/block/null_blk/main.c, drivers/pci/endpoint/pci-ep-cfs.c, and the rest of the configfs users. netconsole was the outlier (along with drivers/infiniband/core/cma_configfs.c, which has the same latent issue). Align netconsole with the rest of the configfs ecosystem: return count once the parser/validator has accepted the input. The numeric and boolean parsers (kstrtobool, kstrtou16, mac_pton, netpoll_parse_ip_addr) have already validated the meaningful prefix; any trailing bytes are padding and should simply be reported as consumed. Fixes: 0bcc1816188e ("[NET] netconsole: Support dynamic reconfiguration usi= ng configfs") Reviewed-by: Simon Horman Signed-off-by: Breno Leitao --- drivers/net/netconsole.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c index 205384dab89a6..76d7fbf9e1883 100644 --- a/drivers/net/netconsole.c +++ b/drivers/net/netconsole.c @@ -752,7 +752,7 @@ static ssize_t enabled_store(struct config_item *item, unregister_netcons_consoles(); } =20 - ret =3D strnlen(buf, count); + ret =3D count; /* Deferred cleanup */ netconsole_process_cleanups(); out_unlock: @@ -781,7 +781,7 @@ static ssize_t release_store(struct config_item *item, = const char *buf, =20 nt->release =3D release; =20 - ret =3D strnlen(buf, count); + ret =3D count; out_unlock: dynamic_netconsole_mutex_unlock(); return ret; @@ -807,7 +807,7 @@ static ssize_t extended_store(struct config_item *item,= const char *buf, goto out_unlock; =20 nt->extended =3D extended; - ret =3D strnlen(buf, count); + ret =3D count; out_unlock: dynamic_netconsole_mutex_unlock(); return ret; @@ -830,7 +830,7 @@ static ssize_t dev_name_store(struct config_item *item,= const char *buf, trim_newline(nt->np.dev_name, IFNAMSIZ); =20 dynamic_netconsole_mutex_unlock(); - return strnlen(buf, count); + return count; } =20 static ssize_t local_port_store(struct config_item *item, const char *buf, @@ -849,7 +849,7 @@ static ssize_t local_port_store(struct config_item *ite= m, const char *buf, ret =3D kstrtou16(buf, 10, &nt->np.local_port); if (ret < 0) goto out_unlock; - ret =3D strnlen(buf, count); + ret =3D count; out_unlock: dynamic_netconsole_mutex_unlock(); return ret; @@ -871,7 +871,7 @@ static ssize_t remote_port_store(struct config_item *it= em, ret =3D kstrtou16(buf, 10, &nt->np.remote_port); if (ret < 0) goto out_unlock; - ret =3D strnlen(buf, count); + ret =3D count; out_unlock: dynamic_netconsole_mutex_unlock(); return ret; @@ -896,7 +896,7 @@ static ssize_t local_ip_store(struct config_item *item,= const char *buf, goto out_unlock; nt->np.ipv6 =3D !!ipv6; =20 - ret =3D strnlen(buf, count); + ret =3D count; out_unlock: dynamic_netconsole_mutex_unlock(); return ret; @@ -921,7 +921,7 @@ static ssize_t remote_ip_store(struct config_item *item= , const char *buf, goto out_unlock; nt->np.ipv6 =3D !!ipv6; =20 - ret =3D strnlen(buf, count); + ret =3D count; out_unlock: dynamic_netconsole_mutex_unlock(); return ret; @@ -957,7 +957,7 @@ static ssize_t remote_mac_store(struct config_item *ite= m, const char *buf, goto out_unlock; memcpy(nt->np.remote_mac, remote_mac, ETH_ALEN); =20 - ret =3D strnlen(buf, count); + ret =3D count; out_unlock: dynamic_netconsole_mutex_unlock(); return ret; @@ -1133,7 +1133,7 @@ static ssize_t sysdata_msgid_enabled_store(struct con= fig_item *item, disable_sysdata_feature(nt, SYSDATA_MSGID); =20 unlock_ok: - ret =3D strnlen(buf, count); + ret =3D count; dynamic_netconsole_mutex_unlock(); mutex_unlock(&netconsole_subsys.su_mutex); return ret; @@ -1162,7 +1162,7 @@ static ssize_t sysdata_release_enabled_store(struct c= onfig_item *item, disable_sysdata_feature(nt, SYSDATA_RELEASE); =20 unlock_ok: - ret =3D strnlen(buf, count); + ret =3D count; dynamic_netconsole_mutex_unlock(); mutex_unlock(&netconsole_subsys.su_mutex); return ret; @@ -1191,7 +1191,7 @@ static ssize_t sysdata_taskname_enabled_store(struct = config_item *item, disable_sysdata_feature(nt, SYSDATA_TASKNAME); =20 unlock_ok: - ret =3D strnlen(buf, count); + ret =3D count; dynamic_netconsole_mutex_unlock(); mutex_unlock(&netconsole_subsys.su_mutex); return ret; @@ -1225,7 +1225,7 @@ static ssize_t sysdata_cpu_nr_enabled_store(struct co= nfig_item *item, disable_sysdata_feature(nt, SYSDATA_CPU_NR); =20 unlock_ok: - ret =3D strnlen(buf, count); + ret =3D count; dynamic_netconsole_mutex_unlock(); mutex_unlock(&netconsole_subsys.su_mutex); return ret; --=20 2.52.0 From nobody Wed Jun 17 06:27:58 2026 Received: from stravinsky.debian.org (stravinsky.debian.org [82.195.75.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 27757282F1F; Mon, 27 Apr 2026 14:31:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=82.195.75.108 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777300262; cv=none; b=nARkeze7xahyDKATOGAFBXQHsteqnpL8JS2geLVRLIp3XEDD2Ij01O0UYDDBByOBA0nYy1nrTIvHjHA5K0i3+5iMV2xf8+179qCH3wLMXQrGj3jkf4BE4PpGCLh/crYR4pSWfqURKaMQFw1q4IncyBA0CVzrA+sozT942V4Hm0w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777300262; c=relaxed/simple; bh=KodAU0o/aW0JCiBZcsROyi5m2eOF+XjRMGBypL+/zD0=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=Pm6iwuAvwQcZgh5p6GRkOTLl1EEXDQZQ7aDnSNzxWvkQ97la38GqbpXh/M01mLm/A6mnrqtbxqXz+y+EuWJddzSpxjdloQNBmPHwBbl+nBWHfqJIJoqomCK7p31qlk011tv9pl5zWDRXcKu2ZMAL30LPl74LvQBD6zvN9QJC8CE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=debian.org; spf=none smtp.mailfrom=debian.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b=RL9hFqx5; arc=none smtp.client-ip=82.195.75.108 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=debian.org Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=debian.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b="RL9hFqx5" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.stravinsky; h=X-Debian-User:Cc:To:In-Reply-To:References: Message-Id:Content-Transfer-Encoding:Content-Type:MIME-Version:Subject:Date: From:Reply-To:Content-ID:Content-Description; bh=j0xnknkesHHx8SV+c+ZI5NY+iZi0FGFf3mY5i0W0UW4=; b=RL9hFqx5piroLnJXixEK2PB7YO uceTmWSu5wvamHi4+tnkiWS5mSUmT/BgfhLhMK7P9t7lI8qG2FBmvPj5h25klLhumJKhdWkoDRPLN kZZ7BfIZIY0ZVMl+73smVv6RObS2D660PfWyFcVXMJtkyN+T9Ox652nxxyzjw2EanRPPS+K2KXQQ0 BVhIfI3X579885kq5CbB4UjDFc6PMiPVNHaPbQXnyqJpq/9+Fm3vqAPI+fMopQrEeTLwjPwBfs7lv QrZWVlr1cONSCxWxZSq9XRiBzJvhGjXLWxnZfNE88c/wzVXjVUQZJM+RsqhJJN3ZADYZiVqjellIj RO3d6FMA==; Received: from authenticated user by stravinsky.debian.org with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from ) id 1wHMzC-005Xwx-0m; Mon, 27 Apr 2026 14:30:58 +0000 From: Breno Leitao Date: Mon, 27 Apr 2026 07:30:36 -0700 Subject: [PATCH net v2 2/4] netconsole: avoid clobbering userdatum value on truncated write Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260427-netconsole_ai_fixes-v2-2-59965f29d9cc@debian.org> References: <20260427-netconsole_ai_fixes-v2-0-59965f29d9cc@debian.org> In-Reply-To: <20260427-netconsole_ai_fixes-v2-0-59965f29d9cc@debian.org> To: Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Keiichi Kii , Satyam Sharma , Andrew Morton , Matthew Wood , asantostc@gmail.com, gustavold@gmail.com Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Breno Leitao , kernel-team@meta.com X-Mailer: b4 0.16-dev-453a6 X-Developer-Signature: v=1; a=openpgp-sha256; l=2347; i=leitao@debian.org; h=from:subject:message-id; bh=KodAU0o/aW0JCiBZcsROyi5m2eOF+XjRMGBypL+/zD0=; b=owEBbQKS/ZANAwAIATWjk5/8eHdtAcsmYgBp73MS1rz3v3CK0J4q7uWpLFO0EIiyB72ZJ4yyL RtswfSIWZqJAjMEAAEIAB0WIQSshTmm6PRnAspKQ5s1o5Of/Hh3bQUCae9zEgAKCRA1o5Of/Hh3 berLD/94YtC0AXkMBmRO4Adv1No23X90jb3eDdVmgExuTXjsCI0MiQePRoqyxQA5NjbI2jEwSyf Z59wKpU54dJ9WYWyXuVwse74PMzF+T7a6mOsB50GPFb4FJngPWgYSW21rZl/87qRvfmqaTSnO7f VbsUzp/raE4/JcCb96Vy69uMF1qeF8TB4IPyF0LSRT4sevSKzwq6AMR1nKOgNkSH/Zyg3SlTj4+ tP1IvJzaQhJNNRfZDDZePlJXaPxNa7pJr5oa4/0NDqS7VakUZyl4zfRPSoET8xc2kTLDCMFs/wg F1WTm8KcDx6jWLCL/0xqtHHFpINfI5cbtfX9djVD8obBaWttv0yQUudXcGlVPTMH8Omz2Y5aQRE e7If274l2DNf9z/WuQIF3CX9Rw1mxBSBYlFmwZxWruwg5oQWOliakpAMHIi68NZFb4fRB9pm2nU GCCpFG38GWC/roCOW62bMMy2qKNddyOZzRSybUUMIh6pXfNx7z8rkgvvRekrOj/LaJmPxfXxnIQ HDmKbsKRen4Frv9YQrrZ7YI0/dzLaiUTL0W9AUc3ayOsWaUCJCKXGOLALINrG/gBsc8RaAOvIek h2UwmneTgKBsxU1EwEJDkhWTz0YvhP1Dzb10p+J6D8F8NyRZPotx9k5TNkeZNHKadAxVmD84roD YJYjZJLo5xqkq+g== X-Developer-Key: i=leitao@debian.org; a=openpgp; fpr=AC8539A6E8F46702CA4A439B35A3939FFC78776D X-Debian-User: leitao userdatum_value_store() bounds count by MAX_EXTRADATA_VALUE_LEN (200) and then copies straight into udm->value, which is itself 200 bytes: if (count > MAX_EXTRADATA_VALUE_LEN) return -EMSGSIZE; ... ret =3D strscpy(udm->value, buf, sizeof(udm->value)); if (ret < 0) goto out_unlock; If userspace writes exactly MAX_EXTRADATA_VALUE_LEN bytes with no NUL within them, strscpy() copies 199 bytes plus a NUL into udm->value and returns -E2BIG. The function jumps to out_unlock and reports the error to userspace, but udm->value has already been overwritten with the truncated string and update_userdata() is skipped, so the corruption is not yet visible on the wire. The next successful write to any userdatum entry under the same target calls update_userdata(), which packs udm->value into the active netconsole payload. From that point on, every netconsole message carries the silently truncated value, and userspace has no indication that a previous, error-returning write left state behind. Tighten the entry check from "count > MAX_EXTRADATA_VALUE_LEN" to "count >=3D MAX_EXTRADATA_VALUE_LEN". With count strictly less than sizeof(udm->value), strscpy() can no longer return -E2BIG here, so the corrupting truncation path is removed entirely. Fixes: 8a6d5fec6c7f ("net: netconsole: add a userdata config_group member t= o netconsole_target") Signed-off-by: Breno Leitao --- drivers/net/netconsole.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c index 76d7fbf9e1883..595e09bd1ccfc 100644 --- a/drivers/net/netconsole.c +++ b/drivers/net/netconsole.c @@ -1076,15 +1076,13 @@ static ssize_t userdatum_value_store(struct config_= item *item, const char *buf, struct userdata *ud; ssize_t ret; =20 - if (count > MAX_EXTRADATA_VALUE_LEN) + if (count >=3D MAX_EXTRADATA_VALUE_LEN) return -EMSGSIZE; =20 mutex_lock(&netconsole_subsys.su_mutex); dynamic_netconsole_mutex_lock(); - - ret =3D strscpy(udm->value, buf, sizeof(udm->value)); - if (ret < 0) - goto out_unlock; + /* count is bounded above, so strscpy() cannot truncate here */ + strscpy(udm->value, buf, sizeof(udm->value)); trim_newline(udm->value, sizeof(udm->value)); =20 ud =3D to_userdata(item->ci_parent); --=20 2.52.0 From nobody Wed Jun 17 06:27:58 2026 Received: from stravinsky.debian.org (stravinsky.debian.org [82.195.75.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2936428CF6F; Mon, 27 Apr 2026 14:31:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=82.195.75.108 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777300266; cv=none; b=nlD45PR9uQ1zxXPUcpXF6/rRtLIAZDQnYyQpOiXSbGh+Mk/l06TdpHlJzduWkQsz9gzbpkIpURWYst6XTq9LMj/LuBDSNwXh7W9Lb6IUqoD5ofqnizQ8Ju3cjtkppEsAWJUj9XWz/w7ExVWDHajto7v9ddnD4MWRMCLE80395D0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777300266; c=relaxed/simple; bh=bLVkfGlE+4YnYdZzUHD5T0aMLExjNa75wtaMKlYgH+E=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=SZuSgMBs91NjHP6KzsUqJ66WEpkvbHp4imjG8l9jACqg1zQPr9vvJuPCsbvFMfwdpAj22Ghk7lW/gLvQtfd4+XC5PEz1A+NEGwyIbixeWHVTeOY/qksHE9fpJ1j3Ro+0ve0ByBABMT9uEjkbyqi21Uy7tAPyHXq5k3GaZKTgcgI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=debian.org; spf=none smtp.mailfrom=debian.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b=uKVhUxMT; arc=none smtp.client-ip=82.195.75.108 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=debian.org Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=debian.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b="uKVhUxMT" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.stravinsky; h=X-Debian-User:Cc:To:In-Reply-To:References: Message-Id:Content-Transfer-Encoding:Content-Type:MIME-Version:Subject:Date: From:Reply-To:Content-ID:Content-Description; bh=Y9dLqnTcJyOaORD2CtNejwcCJpl079ntYSyxySX/GqQ=; b=uKVhUxMTYsG0kPf0o/8N5nor6s qegt1xD8XSE6FxOQqKKJ57yc75104LjuC4NJCjzW8q8sXV7lEdygGXdiHSupYfuoPqfRTTyuEchDe 3zcul+vP/1TDY7IEseegSJhj0mwzpMxN3+Zfhl/Y8xBvR3cbEqpBLXg7ZGHvFCDQYexnbVwMa5waP amyGyafelY377gWqZrKVdN2iRcr+C2JaJeVaczjca8M+T9ilXoysVMcPbZeIqEL1D6KjjVKghVUrE GY0ZqRrrXm08hTc5H+Z40Uskkni17g1ZIZIPVhcQyKMkHQKCqabAVfH7YU1/TmRr9k1MGpH0S/YRe hpqRzv6g==; Received: from authenticated user by stravinsky.debian.org with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from ) id 1wHMzG-005Xx9-2f; Mon, 27 Apr 2026 14:31:03 +0000 From: Breno Leitao Date: Mon, 27 Apr 2026 07:30:37 -0700 Subject: [PATCH net v2 3/4] netconsole: propagate device name truncation in dev_name_store() Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260427-netconsole_ai_fixes-v2-3-59965f29d9cc@debian.org> References: <20260427-netconsole_ai_fixes-v2-0-59965f29d9cc@debian.org> In-Reply-To: <20260427-netconsole_ai_fixes-v2-0-59965f29d9cc@debian.org> To: Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Keiichi Kii , Satyam Sharma , Andrew Morton , Matthew Wood , asantostc@gmail.com, gustavold@gmail.com Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Breno Leitao , kernel-team@meta.com X-Mailer: b4 0.16-dev-453a6 X-Developer-Signature: v=1; a=openpgp-sha256; l=1603; i=leitao@debian.org; h=from:subject:message-id; bh=bLVkfGlE+4YnYdZzUHD5T0aMLExjNa75wtaMKlYgH+E=; b=owEBbQKS/ZANAwAIATWjk5/8eHdtAcsmYgBp73MSFszut1Lpo2zCapNDG9M3iQndsKrCygjbK PScv+xJwJyJAjMEAAEIAB0WIQSshTmm6PRnAspKQ5s1o5Of/Hh3bQUCae9zEgAKCRA1o5Of/Hh3 bQXBD/451tess8Xs1KHdYImSlyuZAJQFvQPOIcGoVYUJv5MSrgjzEWhmt5zpUStCCTeAMm1c0/D LArN4l71soNakDgGcWcz20Hbpv5SKjnRlahxl+rnGkM1p3LSEK1w7yMxar/OFiSirEFUlFkgbMF qlOFCTuY24b60Pc3ftcZm8Z+z2VRcdDrOuIdo5uYjuJamrDb+5rMvOEjD+L1SpMCpekjd6JU0r6 /nTXvWwWJAos2OUABm+OIC3OFH+sFFCLlTfMT98qU5ev+v7aQJom0MmFtrGrw8I7tBqovbuVHqf Vy9UvtagRjM2Diz1kzLMHjGkax7/ObBjr6myHOeycRadAvWBgrpH8qW6kPNpt9nwdD533EAsBhd O3olWn+MthXcir4JgOvWSTZSiHiU46mFy3UD4/JTIFEnSzqVb7dummAVqwQJCuOrIS3puVwOMgn 1d85A72e7B2Yt4lnpIh1qIfdAUE2FtjjX8tB5Nx7nKqMXMTuowFKx6yk92KQ73wcKJAJttphIN3 coNGdBhyGgCrJEhrbHUxgAkS/a/jgudEJldu4opNr4LeY3TIx/7vI5igHXoEt0OixeQDeXcZc0f s2uynD1a7VuJiPpkR9I58VmJhR6bEn2Sakcp6BfDoPl2/92QHvBDxSyjPleivGbGl1O0990Usmk hX3jznfCWYR9Zaw== X-Developer-Key: i=leitao@debian.org; a=openpgp; fpr=AC8539A6E8F46702CA4A439B35A3939FFC78776D X-Debian-User: leitao dev_name_store() calls strscpy(nt->np.dev_name, buf, IFNAMSIZ) without checking the return value. If userspace writes an interface name longer than IFNAMSIZ - 1, strscpy() silently truncates and returns -E2BIG, but the function ignores it and reports a fully successful write back to userspace. If a real interface happens to match the truncated name, netconsole will bind to the wrong device on the next enable, sending kernel logs and panic output to an unintended network segment with no indication to userspace that anything was rewritten. Reject writes whose length cannot fit in nt->np.dev_name up front: if (count >=3D IFNAMSIZ) return -ENAMETOOLONG; This is not a big deal of a problem, but, it is still the correct approach. Fixes: 0bcc1816188e57 ("[NET] netconsole: Support dynamic reconfiguration u= sing configfs") Signed-off-by: Breno Leitao --- drivers/net/netconsole.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c index 595e09bd1ccfc..b3b36e3ddd03d 100644 --- a/drivers/net/netconsole.c +++ b/drivers/net/netconsole.c @@ -817,6 +817,13 @@ static ssize_t dev_name_store(struct config_item *item= , const char *buf, size_t count) { struct netconsole_target *nt =3D to_target(item); + size_t len =3D count; + + /* Account for a trailing newline appended by tools like echo */ + if (len && buf[len - 1] =3D=3D '\n') + len--; + if (len >=3D IFNAMSIZ) + return -ENAMETOOLONG; =20 dynamic_netconsole_mutex_lock(); if (nt->state =3D=3D STATE_ENABLED) { --=20 2.52.0 From nobody Wed Jun 17 06:27:58 2026 Received: from stravinsky.debian.org (stravinsky.debian.org [82.195.75.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9FEC62C0F75; Mon, 27 Apr 2026 14:31:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=82.195.75.108 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777300270; cv=none; b=MoU6rpxDNd1jpvSfxwMtfvglOy8rxmqaPEVuGd1vAw/YQcZbjWeZLn1nOLmgL7r9tVyzva+59jNiUmsv9x7Bul9JtB1mI1LSuiOWHBWwAroOEqIt6yksC6UZeEfKRaSmWW9zpRzpm/Z7hkqwtwTss7DkqEQj0Lu/Ob8PJJHsag0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777300270; c=relaxed/simple; bh=EQtgOJ5IHiKp+IAO11NZ8ST4+IXE+twkle0BsyIVcWU=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=Kiq5rAfvKb4ogI/CoT+X5J6vMgy9jP4olqE0pdgoi0mSEIg1zk1HWs/6VVqz9tPDJ3WyMFO5NQVdcYGVSvrfbfOuwmMeLq1RgvStieY1Xzd92Z/XkYLzGXZcfxdujosFwTxHOpV8A61arduv961ZmWFpmXIgBEWe+1OcC1ALCkU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=debian.org; spf=none smtp.mailfrom=debian.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b=eEIHxUV8; arc=none smtp.client-ip=82.195.75.108 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=debian.org Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=debian.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b="eEIHxUV8" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.stravinsky; h=X-Debian-User:Cc:To:In-Reply-To:References: Message-Id:Content-Transfer-Encoding:Content-Type:MIME-Version:Subject:Date: From:Reply-To:Content-ID:Content-Description; bh=hWVr3gs672tukeyy0Zsxw/jNhU8JNzM+TBCpGKY/YI8=; b=eEIHxUV8MtYAhhzOxMH2Fw2S21 4ou1wxlcmeGH7RiBSt7YArf8NRh3Xv8+NBL9mRN2LvgPomDVqXbyE9/ddheqMftj1kDMGiiPoLfqJ j4p9DBHiWTM2LMcFEuF7dLedAXlz8HW7Wm+hEV2Six+WK11r4ki85KP2wL0bdTW0pcUVj8wbregGw fskaFw19lZcktai6zQ969+Jcr3uGrmisU/FEiGlrKhpKVKumcw6WtZqZbQGdHlMsLBecu0HnfRbrq e0tzV3jlo9Sj3b/3idZUiYFhMpqq0GaLnOesIsU+oF1VZHpQudlW20CDf3G0Nwm9E72wX2TnzY0c0 ep++J3mw==; Received: from authenticated user by stravinsky.debian.org with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from ) id 1wHMzL-005XxP-15; Mon, 27 Apr 2026 14:31:07 +0000 From: Breno Leitao Date: Mon, 27 Apr 2026 07:30:38 -0700 Subject: [PATCH net v2 4/4] netconsole: restore userdatum value on update_userdata() failure Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260427-netconsole_ai_fixes-v2-4-59965f29d9cc@debian.org> References: <20260427-netconsole_ai_fixes-v2-0-59965f29d9cc@debian.org> In-Reply-To: <20260427-netconsole_ai_fixes-v2-0-59965f29d9cc@debian.org> To: Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Keiichi Kii , Satyam Sharma , Andrew Morton , Matthew Wood , asantostc@gmail.com, gustavold@gmail.com Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Breno Leitao , kernel-team@meta.com X-Mailer: b4 0.16-dev-453a6 X-Developer-Signature: v=1; a=openpgp-sha256; l=2450; i=leitao@debian.org; h=from:subject:message-id; bh=EQtgOJ5IHiKp+IAO11NZ8ST4+IXE+twkle0BsyIVcWU=; b=owEBbQKS/ZANAwAIATWjk5/8eHdtAcsmYgBp73MS9mmTIYHP8vc5QV5Voz0rA5K4AfRwDpbfP d2hUob1rEeJAjMEAAEIAB0WIQSshTmm6PRnAspKQ5s1o5Of/Hh3bQUCae9zEgAKCRA1o5Of/Hh3 bQ4QEACNKjzMdA48Sy9nzothEqkBmSdmG705YUP6JBnogkO+Excb+BOfO8C5iWU3AzlbZ5946Wj hbAt+QN1efNAPgY9aQNJ4aoCXUgUYv+3YpR3DiOYD7sMlfzRaInuPNIiGuldTQvWeksEyP2t8Xa jFx5drMFN13al9LmWxtHeAOBkbo9caV/nwaDTSdD6MN1KK/qzUd8aESHLmoyd9f5zJBsDXRHK3I ffnbC8Facbm0hrfsAhKjHsmJAYPwZnnF/ziXNQXYhpI8bmJNfov9uJsz6ISfgvio5Bgrz+UulFl sClETnBZRwR0iOPq6UT6ZD7OmfR9iSrf2rxWd8o14mXLDZoNZFPZoah+SVGqT5Of55q0Bdc8Ejp BAF4huJgfyzB0kUPoq+kojigVuUakva7lx+J1DAtBHVPOvtEhhXLRzVDdE35OjegqtzNkfLAS9l wSjKEudcvYgNRt/7LNUpb2kSB5oJe3siFoJpDnZzZGlGC04cECH0YXM6IJImcug5w8Sy4yrNgZn y8gTfXOpUaJ+k8ZqCysjd9L3oUtoTZjUDHnSIiFEWsN3s5bKaYSFkx65atCfeYPj2Wq7lX+x/s9 N6vMvPLkPQqaYFp8idwWn5sHT2M/MdBDQaaByv0apEh4+FRgVIKST9IuS7hazHlXse4fRgoH3dF +Pw0tslNfZM9kww== X-Developer-Key: i=leitao@debian.org; a=openpgp; fpr=AC8539A6E8F46702CA4A439B35A3939FFC78776D X-Debian-User: leitao userdatum_value_store() updates udm->value first and only then calls update_userdata() to rebuild the on-the-wire payload. If update_userdata() fails (e.g. -ENOMEM from kmalloc), the function returns the error to userspace, but udm->value already holds the new string while the live nt->userdata buffer still reflects the old one. The next successful write to any sibling userdatum on the same target will call update_userdata() again, which walks every entry and packs the now-stale udm->value into the payload. The failed write is thus silently activated later, with no indication to userspace that the value it tried to set was rejected. Snapshot the previous value before overwriting udm->value and restore it if update_userdata() fails so the visible state and the active payload stay consistent. Fixes: eb83801af2dc ("netconsole: Dynamic allocation of userdata buffer") Signed-off-by: Breno Leitao --- drivers/net/netconsole.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c index b3b36e3ddd03d..57dd6821a8aa9 100644 --- a/drivers/net/netconsole.c +++ b/drivers/net/netconsole.c @@ -1079,6 +1079,7 @@ static ssize_t userdatum_value_store(struct config_it= em *item, const char *buf, size_t count) { struct userdatum *udm =3D to_userdatum(item); + char old_value[MAX_EXTRADATA_VALUE_LEN]; struct netconsole_target *nt; struct userdata *ud; ssize_t ret; @@ -1088,6 +1089,8 @@ static ssize_t userdatum_value_store(struct config_it= em *item, const char *buf, =20 mutex_lock(&netconsole_subsys.su_mutex); dynamic_netconsole_mutex_lock(); + /* Snapshot for rollback if update_userdata() fails below */ + strscpy(old_value, udm->value, sizeof(old_value)); /* count is bounded above, so strscpy() cannot truncate here */ strscpy(udm->value, buf, sizeof(udm->value)); trim_newline(udm->value, sizeof(udm->value)); @@ -1095,8 +1098,11 @@ static ssize_t userdatum_value_store(struct config_i= tem *item, const char *buf, ud =3D to_userdata(item->ci_parent); nt =3D userdata_to_target(ud); ret =3D update_userdata(nt); - if (ret < 0) + if (ret < 0) { + /* Restore the previous value so it matches the live payload */ + strscpy(udm->value, old_value, sizeof(udm->value)); goto out_unlock; + } ret =3D count; out_unlock: dynamic_netconsole_mutex_unlock(); --=20 2.52.0