* [PATCH] wifi: mac80211: validate S1G beacon length before RX
From: Zhao Li @ 2026-06-10 16:27 UTC (permalink / raw)
To: Johannes Berg
Cc: Thomas Pedersen, linux-wireless, linux-kernel, Zhao Li, stable
S1G beacons are extension frames, so ieee80211_hdrlen() only guarantees
the extension header before the generic RX path starts dispatching the
frame.
The RX path can then reach helpers and interface handling code that read
regular 802.11 header address fields, which are not present at those
offsets in an S1G beacon.
Pull the complete S1G beacon fixed header, including optional fixed
fields indicated by frame control, before generic RX dispatch.
Also make ieee80211_get_bssid() length-safe for S1G beacons and avoid
regular-header address reads for S1G frames in accept/interface/MLO
address handling. Skip extension frames in duplicate detection for the
same reason, since that path consumes the regular sequence-control field.
Fixes: 09a740ce352e ("mac80211: receive and process S1G beacons")
Cc: stable@vger.kernel.org
Signed-off-by: Zhao Li <enderaoelyther@gmail.com>
---
include/linux/ieee80211.h | 13 +++++++++++++
net/mac80211/rx.c | 33 ++++++++++++++++++++++++++++-----
net/mac80211/util.c | 3 +++
3 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index 23f9df9be8372..baee81fbb4a79 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -2855,6 +2855,19 @@ struct ieee80211_tbtt_info_ge_11 {
#include "ieee80211-p2p.h"
#include "ieee80211-nan.h"
+/**
+ * ieee80211_s1g_beacon_min_len - minimum length of an S1G beacon frame
+ * @fc: frame control bytes in little-endian byteorder
+ *
+ * Return: the minimum frame length containing the fixed S1G beacon fields and
+ * optional fixed fields indicated in the S1G beacon frame control.
+ */
+static inline size_t ieee80211_s1g_beacon_min_len(__le16 fc)
+{
+ return offsetof(struct ieee80211_ext, u.s1g_beacon.variable) +
+ ieee80211_s1g_optional_len(fc);
+}
+
/**
* ieee80211_check_tim - check if AID bit is set in TIM
* @tim: the TIM IE
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 3fb40449c6c5c..2e6d0ce8509e4 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1526,6 +1526,9 @@ ieee80211_rx_h_check_dup(struct ieee80211_rx_data *rx)
if (status->flag & RX_FLAG_DUP_VALIDATED)
return RX_CONTINUE;
+ if (ieee80211_is_ext(hdr->frame_control))
+ return RX_CONTINUE;
+
/*
* Drop duplicate 802.11 retransmissions
* (IEEE 802.11-2012: 9.3.2.10 "Duplicate detection and recovery")
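Review bot: The new early return in ieee80211_rx_h_check_dup() has no comment saying why extension frames bypass duplicate detection, and it applies to every extension subtype, not only S1G beacons. I would add `/* extension frames carry no seq_ctrl at the regular header offset, so there is nothing to de-duplicate on */` above the check. The function body continues outside the hunk, so whether a later check would also have returned early for these frames cannot be seen here. The v2 1/2 patch on this page carries the same hunk and the same remark applies there.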
@@ -4487,12 +4490,17 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
struct ieee80211_hdr *hdr = (void *)skb->data;
struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
u8 *bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type);
- bool multicast = is_multicast_ether_addr(hdr->addr1) ||
- ieee80211_is_s1g_beacon(hdr->frame_control);
+ bool s1g = ieee80211_is_s1g_beacon(hdr->frame_control);
+ bool multicast;
static const u8 nan_network_id[ETH_ALEN] __aligned(2) = {
0x51, 0x6F, 0x9A, 0x01, 0x00, 0x00
};
+ if (s1g)
+ return sdata->vif.type == NL80211_IFTYPE_STATION && bssid;
+
+ multicast = is_multicast_ether_addr(hdr->addr1);
+
switch (sdata->vif.type) {
case NL80211_IFTYPE_STATION:
if (!bssid && !sdata->u.mgd.use_4addr)
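Review bot: The S1G early return in ieee80211_accept_frame() narrows acceptance to NL80211_IFTYPE_STATION, whereas before the change an S1G beacon was only marked multicast and still went through the per-interface-type `switch`. That may be intended, but it changes behaviour for every other interface type and neither the commit message nor the code says so; a comment such as `/* S1G beacons are only consumed by station interfaces; there is no addr1 to match on */` would make the policy explicit. `bssid` is still computed from `skb->len` in the declaration above, so this return relies on the ieee80211_get_bssid() length check added in util.c by the same patch. The same hunk appears in v2 1/2 with the `s1g` local dropped.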
@@ -5175,11 +5183,13 @@ static bool ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data *rx,
}
/* Store a copy of the pre-translated link addresses for SW crypto */
- if (unlikely(is_unicast_ether_addr(hdr->addr1) &&
+ if (unlikely(!ieee80211_is_s1g_beacon(hdr->frame_control) &&
+ is_unicast_ether_addr(hdr->addr1) &&
!ieee80211_is_data(hdr->frame_control)))
memcpy(rx->link_addrs, &hdr->addrs, 3 * ETH_ALEN);
if (unlikely(rx->sta && rx->sta->sta.mlo) &&
+ !ieee80211_is_s1g_beacon(hdr->frame_control) &&
is_unicast_ether_addr(hdr->addr1) &&
!ieee80211_is_probe_resp(hdr->frame_control) &&
!ieee80211_is_beacon(hdr->frame_control)) {
@@ -5260,23 +5270,30 @@ static bool ieee80211_rx_for_interface(struct ieee80211_rx_data *rx,
{
struct link_sta_info *link_sta;
struct ieee80211_hdr *hdr = (void *)skb->data;
+ u8 *sta_addr = hdr->addr2;
struct sta_info *sta;
int link_id = -1;
+ if (ieee80211_is_s1g_beacon(hdr->frame_control)) {
+ sta_addr = ieee80211_get_bssid(hdr, skb->len, rx->sdata->vif.type);
+ if (!sta_addr)
+ return false;
+ }
+
/*
* Look up link station first, in case there's a
* chance that they might have a link address that
* is identical to the MLD address, that way we'll
* have the link information if needed.
*/
- link_sta = link_sta_info_get_bss(rx->sdata, hdr->addr2);
+ link_sta = link_sta_info_get_bss(rx->sdata, sta_addr);
if (link_sta) {
sta = link_sta->sta;
link_id = link_sta->link_id;
} else {
struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
- sta = sta_info_get_bss(rx->sdata, hdr->addr2);
+ sta = sta_info_get_bss(rx->sdata, sta_addr);
if (status->link_valid) {
link_id = status->link_id;
} else if (ieee80211_vif_is_mld(&rx->sdata->vif) &&
@@ -5347,6 +5364,12 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
return;
}
+ if (ieee80211_is_s1g_beacon(fc) &&
+ !pskb_may_pull(skb, ieee80211_s1g_beacon_min_len(fc))) {
+ dev_kfree_skb(skb);
+ return;
+ }
+
hdr = (struct ieee80211_hdr *)skb->data;
ieee80211_parse_qos(&rx);
ieee80211_verify_alignment(&rx);
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 2529b01e2cd55..5bc719222a87d 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -73,6 +73,9 @@ u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len,
if (ieee80211_is_s1g_beacon(fc)) {
struct ieee80211_ext *ext = (void *) hdr;
+ if (len < offsetofend(struct ieee80211_ext, u.s1g_beacon.sa))
+ return NULL;
+
return ext->u.s1g_beacon.sa;
}
--
2.50.1 (Apple Git-155)
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [PATCH] wifi: mac80211: validate S1G beacon length before RX
From: Johannes Berg @ 2026-06-11 12:03 UTC (permalink / raw)
To: Zhao Li; +Cc: Thomas Pedersen, linux-wireless, linux-kernel, stable
On Thu, 2026-06-11 at 00:27 +0800, Zhao Li wrote:
> S1G beacons are extension frames, so ieee80211_hdrlen() only guarantees
> the extension header before the generic RX path starts dispatching the
> frame.
>
> The RX path can then reach helpers and interface handling code that read
> regular 802.11 header address fields, which are not present at those
> offsets in an S1G beacon.
>
> Pull the complete S1G beacon fixed header, including optional fixed
> fields indicated by frame control, before generic RX dispatch.
>
> Also make ieee80211_get_bssid() length-safe for S1G beacons and avoid
> regular-header address reads for S1G frames in accept/interface/MLO
> address handling. Skip extension frames in duplicate detection for the
> same reason, since that path consumes the regular sequence-control field.
This is all true, but all of the below seems far too complicated a fix?
Also seems like you should probably disclose some LLM usage, unless
you're going to tell me you wrote all this code yourself?
> @@ -4487,12 +4490,17 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
> struct ieee80211_hdr *hdr = (void *)skb->data;
> struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
> u8 *bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type);
> - bool multicast = is_multicast_ether_addr(hdr->addr1) ||
> - ieee80211_is_s1g_beacon(hdr->frame_control);
> + bool s1g = ieee80211_is_s1g_beacon(hdr->frame_control);
> + bool multicast;
> static const u8 nan_network_id[ETH_ALEN] __aligned(2) = {
> 0x51, 0x6F, 0x9A, 0x01, 0x00, 0x00
> };
>
> + if (s1g)
no need to introduce the 's1g' variable, and it sounds weird anyway
because s1g uses other frames too, not just beacons
> @@ -5175,11 +5183,13 @@ static bool ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data *rx,
> }
>
> /* Store a copy of the pre-translated link addresses for SW crypto */
> - if (unlikely(is_unicast_ether_addr(hdr->addr1) &&
> + if (unlikely(!ieee80211_is_s1g_beacon(hdr->frame_control) &&
> + is_unicast_ether_addr(hdr->addr1) &&
> !ieee80211_is_data(hdr->frame_control)))
> memcpy(rx->link_addrs, &hdr->addrs, 3 * ETH_ALEN);
>
> if (unlikely(rx->sta && rx->sta->sta.mlo) &&
> + !ieee80211_is_s1g_beacon(hdr->frame_control) &&
> is_unicast_ether_addr(hdr->addr1) &&
> !ieee80211_is_probe_resp(hdr->frame_control) &&
> !ieee80211_is_beacon(hdr->frame_control)) {
This seems very ... specific, and doing the same thing twice also seems
odd. While not great, I'd probably advocate for a goto or just doing the
invoke() separately for s1g beacons.
> @@ -5260,23 +5270,30 @@ static bool ieee80211_rx_for_interface(struct ieee80211_rx_data *rx,
> {
> struct link_sta_info *link_sta;
> struct ieee80211_hdr *hdr = (void *)skb->data;
> + u8 *sta_addr = hdr->addr2;
> struct sta_info *sta;
> int link_id = -1;
>
> + if (ieee80211_is_s1g_beacon(hdr->frame_control)) {
> + sta_addr = ieee80211_get_bssid(hdr, skb->len, rx->sdata->vif.type);
> + if (!sta_addr)
> + return false;
> + }
That one seems even weirder - especially in the face of your *other*
changes that attempt to never access hdr-> without making sure it's
actually the right format ... you still create a pointer to addr2 here.
It's valid since you never use it, but it's also weird because it pretty
much looks like hdr->addr2 _is_ OK at the whole function level.
> +
> /*
> * Look up link station first, in case there's a
> * chance that they might have a link address that
> * is identical to the MLD address, that way we'll
> * have the link information if needed.
> */
> - link_sta = link_sta_info_get_bss(rx->sdata, hdr->addr2);
> + link_sta = link_sta_info_get_bss(rx->sdata, sta_addr);
Obviously, if things work today, we didn't really need the link_sta for
these frames, and that makes some sense since there's no MLO and it's
just ieee80211_rx_mgmt_beacon() basically. Probably better to just skip
this entirely and handle s1g beacons separately.
> if (link_sta) {
> sta = link_sta->sta;
> link_id = link_sta->link_id;
> } else {
> struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
>
> - sta = sta_info_get_bss(rx->sdata, hdr->addr2);
> + sta = sta_info_get_bss(rx->sdata, sta_addr);
> if (status->link_valid) {
> link_id = status->link_id;
> } else if (ieee80211_vif_is_mld(&rx->sdata->vif) &&
> @@ -5347,6 +5364,12 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
> return;
> }
>
> + if (ieee80211_is_s1g_beacon(fc) &&
> + !pskb_may_pull(skb, ieee80211_s1g_beacon_min_len(fc))) {
> + dev_kfree_skb(skb);
> + return;
> + }
I'm fairly certain this still leaves things (e.g.
ieee80211_rx_mgmt_beacon()) wrong if the driver ever reports an s1g
beacon as a frag skb.
I think much better to just treat this frame like mgmt frames and
linearize it earlier in the function along with mgmt frames etc. Still
need to check the length, but we could even do that there as well,
rather than this late.
johannes
^ permalink raw reply [flat|nested] 7+ messages in thread* [PATCH v2 0/2] wifi: handle S1G and extension-frame RX layout
From: Zhao Li @ 2026-06-11 16:19 UTC (permalink / raw)
To: Johannes Berg; +Cc: Thomas Pedersen, linux-wireless, linux-kernel, Zhao Li
Hi,
v2 keeps the mac80211 RX fix focused on the extension-frame layout and
adds a small cfg80211 companion fix for S1G scan-result TSF handling.
The first patch changes the RX entry path to validate and linearize S1G
beacons before generic RX dispatch, route S1G beacons without regular
addr2 station lookup, and drop unsupported extension frames before they
can reach regular-header address handling.
The second patch keeps cfg80211's regular management-frame TSF read out
of the S1G path and derives the S1G BSS TSF from the S1G beacon timestamp
and the S1G Beacon Compatibility element.
For process clarity: I used AI-assisted tooling for data-flow tracing,
state-machine analysis, code review, security checks, side-effect review,
and patch drafting. I reviewed the result and take responsibility for the
submission.
Changes since v1:
- Linearize S1G beacon SKBs together with management frames instead of
using a later pskb_may_pull() check.
- Keep the management-frame and S1G beacon minimum-length checks tied to
their respective frame layouts.
- Route S1G beacons through the station/default-link RX path without
regular addr2 station lookup.
- Avoid repeated per-sink S1G guards in the address-copy and MLO
translation paths by invoking RX handlers directly for S1G beacons.
- Drop unsupported non-S1G extension frames before generic RX dispatch.
- Add the cfg80211 S1G TSF companion fix.
Zhao Li (2):
wifi: mac80211: validate extension-frame layout before RX
wifi: cfg80211: derive S1G beacon TSF from S1G fields
net/mac80211/rx.c | 34 ++++++++++++++++++++++++++++++++--
net/mac80211/util.c | 3 +++
net/wireless/scan.c | 5 +++--
3 files changed, 38 insertions(+), 4 deletions(-)
--
2.50.1 (Apple Git-155)
^ permalink raw reply [flat|nested] 7+ messages in thread* [PATCH v2 1/2] wifi: mac80211: validate extension-frame layout before RX
From: Zhao Li @ 2026-06-11 16:19 UTC (permalink / raw)
To: Johannes Berg
Cc: Thomas Pedersen, linux-wireless, linux-kernel, Zhao Li, stable
Extension frames only have the extension header at the regular 802.11
header offset. The generic RX path can still reach helpers and interface
dispatch code that read regular header address fields before unsupported
extension subtypes are dropped.
mac80211 currently only handles S1G beacon extension frames. Drop other
extension subtypes before they can reach regular-header RX processing.
For S1G beacons, linearize the SKB with the management-frame path and
require the fixed S1G beacon header, including optional fixed fields
indicated by frame control, before generic RX dispatch.
Route S1G beacons through the station/default-link RX path without
regular-header station lookup. Avoid regular-header address reads in the
mac80211 RX paths that process S1G extension beacons, including
accept-frame, duplicate-detection, address-copy, and MLO
address-translation paths.
Also make ieee80211_get_bssid() length-safe before returning the S1G
source-address pointer.
Fixes: 09a740ce352e ("mac80211: receive and process S1G beacons")
Cc: stable@vger.kernel.org
Signed-off-by: Zhao Li <enderaoelyther@gmail.com>
---
net/mac80211/rx.c | 34 ++++++++++++++++++++++++++++++++--
net/mac80211/util.c | 3 +++
2 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 3fb40449c6c5c..3ddde3e808364 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1526,6 +1526,9 @@ ieee80211_rx_h_check_dup(struct ieee80211_rx_data *rx)
if (status->flag & RX_FLAG_DUP_VALIDATED)
return RX_CONTINUE;
+ if (ieee80211_is_ext(hdr->frame_control))
+ return RX_CONTINUE;
+
/*
* Drop duplicate 802.11 retransmissions
* (IEEE 802.11-2012: 9.3.2.10 "Duplicate detection and recovery")
@@ -4487,12 +4490,16 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
struct ieee80211_hdr *hdr = (void *)skb->data;
struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
u8 *bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type);
- bool multicast = is_multicast_ether_addr(hdr->addr1) ||
- ieee80211_is_s1g_beacon(hdr->frame_control);
+ bool multicast;
static const u8 nan_network_id[ETH_ALEN] __aligned(2) = {
0x51, 0x6F, 0x9A, 0x01, 0x00, 0x00
};
+ if (ieee80211_is_s1g_beacon(hdr->frame_control))
+ return sdata->vif.type == NL80211_IFTYPE_STATION && bssid;
+
+ multicast = is_multicast_ether_addr(hdr->addr1);
+
switch (sdata->vif.type) {
case NL80211_IFTYPE_STATION:
if (!bssid && !sdata->u.mgd.use_4addr)
@@ -5174,6 +5181,11 @@ static bool ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data *rx,
hdr = (struct ieee80211_hdr *)rx->skb->data;
}
+ if (ieee80211_is_s1g_beacon(hdr->frame_control)) {
+ ieee80211_invoke_rx_handlers(rx);
+ return true;
+ }
+
/* Store a copy of the pre-translated link addresses for SW crypto */
if (unlikely(is_unicast_ether_addr(hdr->addr1) &&
!ieee80211_is_data(hdr->frame_control)))
@@ -5263,6 +5275,13 @@ static bool ieee80211_rx_for_interface(struct ieee80211_rx_data *rx,
struct sta_info *sta;
int link_id = -1;
+ if (ieee80211_is_s1g_beacon(hdr->frame_control)) {
+ if (!ieee80211_rx_data_set_sta(rx, NULL, -1))
+ return false;
+
+ return ieee80211_prepare_and_rx_handle(rx, skb, consume);
+ }
+
/*
* Look up link station first, in case there's a
* chance that they might have a link address that
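Review bot: S1G beacons are now dispatched with `ieee80211_rx_data_set_sta(rx, NULL, -1)`, so the RX handlers run with no station and no link id for these frames, and the driver-reported link information that the regular path consults is skipped. That looks deliberate, since the commit message says the regular address fields are not present in this layout, but it deserves a comment, for example `/* S1G beacons have no addr2; process them without station context */`. The rest of ieee80211_rx_for_interface() lies outside the hunk, so whether any later handler expects `rx->sta` for beacons from the associated AP should be confirmed.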
@@ -5338,6 +5357,17 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
err = -ENOBUFS;
else
err = skb_linearize(skb);
+ } else if (ieee80211_is_s1g_beacon(fc)) {
+ size_t s1g_hdr_len = offsetof(struct ieee80211_ext,
+ u.s1g_beacon.variable) +
+ ieee80211_s1g_optional_len(fc);
+
+ if (skb->len < s1g_hdr_len)
+ err = -ENOBUFS;
+ else
+ err = skb_linearize(skb);
+ } else if (ieee80211_is_ext(fc)) {
+ err = -EINVAL;
} else {
err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
}
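Review bot: The new `else if (ieee80211_is_ext(fc))` branch drops every extension frame other than an S1G beacon, yet nothing in the code records that this is a policy decision and not a length failure. I would add a comment such as `/* only S1G beacons are handled; drop other extension subtypes before any regular-header parsing */`. The minimum-length expression `offsetof(struct ieee80211_ext, u.s1g_beacon.variable) + ieee80211_s1g_optional_len(fc)` is also open-coded here, where v1 of this patch wrapped it in a helper; a shared helper would keep this check from drifting away from any other S1G length check. The surrounding function, including how `err` is consumed, is outside the hunk.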
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 2529b01e2cd55..5bc719222a87d 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -73,6 +73,9 @@ u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len,
if (ieee80211_is_s1g_beacon(fc)) {
struct ieee80211_ext *ext = (void *) hdr;
+ if (len < offsetofend(struct ieee80211_ext, u.s1g_beacon.sa))
+ return NULL;
+
return ext->u.s1g_beacon.sa;
}
--
2.50.1 (Apple Git-155)
^ permalink raw reply related [flat|nested] 7+ messages in thread* [PATCH v2 2/2] wifi: cfg80211: derive S1G beacon TSF from S1G fields
From: Zhao Li @ 2026-06-11 16:19 UTC (permalink / raw)
To: Johannes Berg
Cc: Thomas Pedersen, linux-wireless, linux-kernel, Zhao Li, stable
cfg80211_inform_bss_frame_data() parses S1G beacons with the extension
frame layout, but still reads the TSF from the regular probe response
layout after the S1G branch. For S1G beacons that reads bytes at the
regular management-frame timestamp offset instead of the S1G timestamp.
Use the 32-bit S1G beacon timestamp and the S1G Beacon Compatibility
element's TSF completion field when informing an S1G BSS. Keep the
regular management-frame timestamp read in the non-S1G branch.
Fixes: 9eaffe5078ca ("cfg80211: convert S1G beacon to scan results")
Cc: stable@vger.kernel.org
Signed-off-by: Zhao Li <enderaoelyther@gmail.com>
---
net/wireless/scan.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 27a56ee2e8f0b..c90619eeb03b1 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -3309,14 +3309,15 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy,
bssid = ext->u.s1g_beacon.sa;
capability = le16_to_cpu(compat->compat_info);
beacon_interval = le16_to_cpu(compat->beacon_int);
+ tsf = le32_to_cpu(ext->u.s1g_beacon.timestamp);
+ tsf |= (u64)le32_to_cpu(compat->tsf_completion) << 32;
} else {
bssid = mgmt->bssid;
beacon_interval = le16_to_cpu(mgmt->u.probe_resp.beacon_int);
capability = le16_to_cpu(mgmt->u.probe_resp.capab_info);
+ tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp);
}
- tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp);
-
if (ieee80211_is_probe_resp(mgmt->frame_control))
ftype = CFG80211_BSS_FTYPE_PRESP;
else if (ext)
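Review bot: The added `compat->tsf_completion` read depends on the S1G Beacon Compatibility element being long enough to hold that field, and the length check on `compat` is not visible in this hunk. If `compat_info` and `beacon_int` precede `tsf_completion` in the element, a check sized for those two alone would not cover the new access, so please confirm the element is validated against the whole structure (for instance `sizeof(*compat)`) before this branch. The same question applies to `ext->u.s1g_beacon.timestamp` and the frame length. The function body starts and ends outside the hunk.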
--
2.50.1 (Apple Git-155)
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [PATCH v2 2/2] wifi: cfg80211: derive S1G beacon TSF from S1G fields
From: Lachlan Hodges @ 2026-06-12 2:28 UTC (permalink / raw)
To: Zhao Li
Cc: Johannes Berg, Thomas Pedersen, linux-wireless, linux-kernel,
stable
On Fri, Jun 12, 2026 at 12:19:46AM +0800, Zhao Li wrote:
> cfg80211_inform_bss_frame_data() parses S1G beacons with the extension
> frame layout, but still reads the TSF from the regular probe response
> layout after the S1G branch. For S1G beacons that reads bytes at the
> regular management-frame timestamp offset instead of the S1G timestamp.
>
> Use the 32-bit S1G beacon timestamp and the S1G Beacon Compatibility
> element's TSF completion field when informing an S1G BSS. Keep the
> regular management-frame timestamp read in the non-S1G branch.
>
> Fixes: 9eaffe5078ca ("cfg80211: convert S1G beacon to scan results")
> Cc: stable@vger.kernel.org
> Signed-off-by: Zhao Li <enderaoelyther@gmail.com>
Looks much better now when passive scanning, thanks :)
Tested-by: Lachlan Hodges <lachlan.hodges@morsemicro.com>
Reviewed-by: Lachlan Hodges <lachlan.hodges@morsemicro.com>
* Re: [PATCH v2 0/2] wifi: handle S1G and extension-frame RX layout
From: Lachlan Hodges @ 2026-06-12 0:54 UTC (permalink / raw)
To: Zhao Li; +Cc: Johannes Berg, Thomas Pedersen, linux-wireless, linux-kernel
> For process clarity: I used AI-assisted tooling for data-flow tracing,
> state-machine analysis, code review, security checks, side-effect review,
> and patch drafting. I reviewed the result and take responsibility for the
> submission.
FWIW I believe Johannes was saying you need to disclose via the
assisted-by tags [1] on each individual patch, not the cover letter
(since that is not applied)
Thanks for these fixes though :)
lachlan
[1] https://docs.kernel.org/process/coding-assistants.html#attribution