5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 13 Apr 2026 13:47:35 +0000 (15:47 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 13 Apr 2026 13:47:35 +0000 (15:47 +0200)
added patches:
netlink-add-nla-be16-32-types-to-minlen-array.patch
xen-privcmd-unregister-xenstore-notifier-on-module-exit.patch

queue-5.15/netlink-add-nla-be16-32-types-to-minlen-array.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/xen-privcmd-unregister-xenstore-notifier-on-module-exit.patch [new file with mode: 0644]

diff --git a/queue-5.15/netlink-add-nla-be16-32-types-to-minlen-array.patch b/queue-5.15/netlink-add-nla-be16-32-types-to-minlen-array.patch
new file mode 100644 (file)
index 0000000..789af66
--- /dev/null
@@ -0,0 +1,60 @@
+From 9a0d18853c280f6a0ee99f91619f2442a17a323a Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 21 Feb 2024 18:27:33 +0100
+Subject: netlink: add nla be16/32 types to minlen array
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 9a0d18853c280f6a0ee99f91619f2442a17a323a upstream.
+
+BUG: KMSAN: uninit-value in nla_validate_range_unsigned lib/nlattr.c:222 [inline]
+BUG: KMSAN: uninit-value in nla_validate_int_range lib/nlattr.c:336 [inline]
+BUG: KMSAN: uninit-value in validate_nla lib/nlattr.c:575 [inline]
+BUG: KMSAN: uninit-value in __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631
+ nla_validate_range_unsigned lib/nlattr.c:222 [inline]
+ nla_validate_int_range lib/nlattr.c:336 [inline]
+ validate_nla lib/nlattr.c:575 [inline]
+...
+
+The message in question matches this policy:
+
+ [NFTA_TARGET_REV]       = NLA_POLICY_MAX(NLA_BE32, 255),
+
+but because NLA_BE32 size in minlen array is 0, the validation
+code will read past the malformed (too small) attribute.
+
+Note: Other attributes, e.g. BITFIELD32, SINT, UINT.. are also missing:
+those likely should be added too.
+
+Reported-by: syzbot+3f497b07aa3baf2fb4d0@syzkaller.appspotmail.com
+Reported-by: xingwei lee <xrivendell7@gmail.com>
+Closes: https://lore.kernel.org/all/CABOYnLzFYHSnvTyS6zGa-udNX55+izqkOt2sB9WDqUcEGW6n8w@mail.gmail.com/raw
+Fixes: ecaf75ffd5f5 ("netlink: introduce bigendian integer types")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Link: https://lore.kernel.org/r/20240221172740.5092-1-fw@strlen.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/nlattr.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/lib/nlattr.c
++++ b/lib/nlattr.c
+@@ -30,6 +30,8 @@ static const u8 nla_attr_len[NLA_TYPE_MA
+       [NLA_S16]       = sizeof(s16),
+       [NLA_S32]       = sizeof(s32),
+       [NLA_S64]       = sizeof(s64),
++      [NLA_BE16]      = sizeof(__be16),
++      [NLA_BE32]      = sizeof(__be32),
+ };
+ static const u8 nla_attr_minlen[NLA_TYPE_MAX+1] = {
+@@ -43,6 +45,8 @@ static const u8 nla_attr_minlen[NLA_TYPE
+       [NLA_S16]       = sizeof(s16),
+       [NLA_S32]       = sizeof(s32),
+       [NLA_S64]       = sizeof(s64),
++      [NLA_BE16]      = sizeof(__be16),
++      [NLA_BE32]      = sizeof(__be32),
+ };
+ /*
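Review bot: `nla_attr_minlen` has no comment recording the invariant this fix depends on: a type that can carry a range policy needs a non-zero minimum length here, otherwise the range check reads the value of an attribute that is too short, as the KMSAN trace in the description shows. The description itself says other types are still missing from the table; which of those exist in the 5.15 tree is not visible on this page, so it is worth checking them against `validate_nla` rather than treating BE16/BE32 as the complete set. I would add above the table something like `/* Every type usable with NLA_POLICY_MIN/MAX/RANGE needs an entry here; 0 lets range validation read a short attribute. */`. The `nla_attr_minlen` initializer begins outside the second inner hunk, so its other entries cannot be checked from here.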
index abcf0e4feed402ca43637a97081db133ee11d106..690e8ed5c528a8e8c7626d7f919e8b69e0aa4a27 100644 (file)
@@ -538,3 +538,5 @@ net-qualcomm-qca_uart-report-the-consumed-byte-on-rx-skb-allocation-failure.patc
 net-stmmac-fix-integer-underflow-in-chain-mode.patch
 rxrpc-fix-reference-count-leak-in-rxrpc_server_keyring.patch
 rxrpc-fix-key-keyring-checks-in-setsockopt-rxrpc_security_key-keyring.patch
+netlink-add-nla-be16-32-types-to-minlen-array.patch
+xen-privcmd-unregister-xenstore-notifier-on-module-exit.patch
diff --git a/queue-5.15/xen-privcmd-unregister-xenstore-notifier-on-module-exit.patch b/queue-5.15/xen-privcmd-unregister-xenstore-notifier-on-module-exit.patch
new file mode 100644 (file)
index 0000000..d56891f
--- /dev/null
@@ -0,0 +1,42 @@
+From cd7e1fef5a1ca1c4fcd232211962ac2395601636 Mon Sep 17 00:00:00 2001
+From: GuoHan Zhao <zhaoguohan@kylinos.cn>
+Date: Wed, 25 Mar 2026 20:02:46 +0800
+Subject: xen/privcmd: unregister xenstore notifier on module exit
+
+From: GuoHan Zhao <zhaoguohan@kylinos.cn>
+
+commit cd7e1fef5a1ca1c4fcd232211962ac2395601636 upstream.
+
+Commit 453b8fb68f36 ("xen/privcmd: restrict usage in
+unprivileged domU") added a xenstore notifier to defer setting the
+restriction target until Xenstore is ready.
+
+XEN_PRIVCMD can be built as a module, but privcmd_exit() leaves that
+notifier behind. Balance the notifier lifecycle by unregistering it on
+module exit.
+
+This is harmless even if xenstore was already ready at registration
+time and the notifier was never queued on the chain.
+
+Fixes: 453b8fb68f3641fe ("xen/privcmd: restrict usage in unprivileged domU")
+Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Message-ID: <20260325120246.252899-1-zhaoguohan@kylinos.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/privcmd.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/xen/privcmd.c
++++ b/drivers/xen/privcmd.c
+@@ -1068,6 +1068,9 @@ static int __init privcmd_init(void)
+ static void __exit privcmd_exit(void)
+ {
++      if (!xen_initial_domain())
++              unregister_xenstore_notifier(&xenstore_notifier);
++
+       misc_deregister(&privcmd_dev);
+       misc_deregister(&xen_privcmdbuf_dev);
+ }
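Review bot: The `!xen_initial_domain()` guard added to privcmd_exit() must stay identical to the condition under which privcmd_init() registers `xenstore_notifier`, and privcmd_init() lies outside this hunk, so the pairing cannot be confirmed from the lines shown. If the two conditions ever diverge, the module can again unload with its notifier still on the chain, which is the state this patch is meant to end. A short comment would keep them in step, for example `/* Must mirror the register_xenstore_notifier() condition in privcmd_init(). */` above the `if`. The backport also presumes the 5.15 queue already carries 453b8fb68f36, since that is where the description says the notifier was introduced.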