From patchwork Fri Jul 14 12:06:53 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [01/22] kbuild: disable -Wformat-truncation warnings by default X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 107780 Message-Id: <20170714120720.906842-2-arnd@arndb.de> To: linux-kernel@vger.kernel.org, Masahiro Yamada , Michal Marek Cc: Greg Kroah-Hartman , Linus Torvalds , Guenter Roeck , akpm@linux-foundation.org, netdev@vger.kernel.org, "David S . Miller" , "James E . J . Bottomley" , "Martin K . Petersen" , linux-scsi@vger.kernel.org, x86@kernel.org, Arnd Bergmann , linux-kbuild@vger.kernel.org Date: Fri, 14 Jul 2017 14:06:53 +0200 From: Arnd Bergmann List-Id: With x86 allmodconfig, we currently get 233 -Wformat-truncation warnings, which makes the entire warnings rather useless. This turns off the warning by default, unless we specify W=1 or higher Signed-off-by: Arnd Bergmann --- scripts/Makefile.extrawarn | 3 +++ 1 file changed, 3 insertions(+) -- 2.9.0 diff --git a/scripts/Makefile.extrawarn b/scripts/Makefile.extrawarn index fb3522fd8702..4b63c2f71adb 100644 --- a/scripts/Makefile.extrawarn +++ b/scripts/Makefile.extrawarn @@ -67,5 +67,8 @@ KBUILD_CFLAGS += $(call cc-disable-warning, format) KBUILD_CFLAGS += $(call cc-disable-warning, sign-compare) KBUILD_CFLAGS += $(call cc-disable-warning, format-zero-length) KBUILD_CFLAGS += $(call cc-disable-warning, uninitialized) +else +# noisy gcc-7 warnings +KBUILD_CFLAGS += $(call cc-option,-Wformat-truncation=0) endif endif From patchwork Fri Jul 14 12:06:54 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [02/22] scsi: megaraid: fix format-overflow warning X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 107781 Message-Id: <20170714120720.906842-3-arnd@arndb.de> To: linux-kernel@vger.kernel.org, Kashyap Desai , Sumit Saxena , Shivasharan S , "James E.J. Bottomley" , "Martin K. Petersen" Cc: Greg Kroah-Hartman , Linus Torvalds , Guenter Roeck , akpm@linux-foundation.org, netdev@vger.kernel.org, "David S . Miller" , linux-scsi@vger.kernel.org, x86@kernel.org, Arnd Bergmann , megaraidlinux.pdl@broadcom.com Date: Fri, 14 Jul 2017 14:06:54 +0200 From: Arnd Bergmann List-Id: gcc-7 complains that the firmware version strings might overflow for some values: drivers/scsi/megaraid.c: In function 'megaraid_probe_one': drivers/scsi/megaraid.c:314:33: error: '%d' directive writing between 1 and 2 bytes into a region of size between 1 and 2 [-Werror=format-overflow=] drivers/scsi/megaraid.c:314:33: note: directive argument in the range [0, 15] drivers/scsi/megaraid.c:314:3: note: 'sprintf' output between 7 and 9 bytes into a destination of size 7 drivers/scsi/megaraid.c:320:35: error: '%d' directive writing between 1 and 2 bytes into a region of size between 1 and 2 [-Werror=format-overflow=] drivers/scsi/megaraid.c:320:35: note: directive argument in the range [0, 15] drivers/scsi/megaraid.c:320:3: note: 'sprintf' output between 7 and 9 bytes into a destination of size 7 This makes the code use a truncating snprintf() instead, which shuts up that warning. Signed-off-by: Arnd Bergmann --- drivers/scsi/megaraid.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) -- 2.9.0 diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c index 3c63c292cb92..7195cff51d4c 100644 --- a/drivers/scsi/megaraid.c +++ b/drivers/scsi/megaraid.c @@ -311,13 +311,15 @@ mega_query_adapter(adapter_t *adapter) right 8 bits making them zero. This 0 value was hardcoded to fix sparse warnings. */ if (adapter->product_info.subsysvid == PCI_VENDOR_ID_HP) { - sprintf (adapter->fw_version, "%c%d%d.%d%d", + snprintf(adapter->fw_version, sizeof(adapter->fw_version), + "%c%d%d.%d%d", adapter->product_info.fw_version[2], 0, adapter->product_info.fw_version[1] & 0x0f, 0, adapter->product_info.fw_version[0] & 0x0f); - sprintf (adapter->bios_version, "%c%d%d.%d%d", + snprintf(adapter->bios_version, sizeof(adapter->fw_version), + "%c%d%d.%d%d", adapter->product_info.bios_version[2], 0, adapter->product_info.bios_version[1] & 0x0f, From patchwork Fri Jul 14 12:06:55 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [03/22] scsi: mpt3sas: fix format overflow warning X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 107782 Message-Id: <20170714120720.906842-4-arnd@arndb.de> To: linux-kernel@vger.kernel.org, Sathya Prakash , Chaitra P B , Suganath Prabu Subramani , "James E.J. Bottomley" , "Martin K. Petersen" Cc: Greg Kroah-Hartman , Linus Torvalds , Guenter Roeck , akpm@linux-foundation.org, netdev@vger.kernel.org, "David S . Miller" , linux-scsi@vger.kernel.org, x86@kernel.org, Arnd Bergmann , Hannes Reinecke , Calvin Owens , Adam Manzanares , Bart Van Assche , James Bottomley , MPT-FusionLinux.pdl@broadcom.com Date: Fri, 14 Jul 2017 14:06:55 +0200 From: Arnd Bergmann List-Id: We print the driver name into one string and then add and ID and copy it into a second string of the same length, at which point gcc complains about a possible overflow: drivers/scsi/mpt3sas/mpt3sas_scsih.c: In function '_scsih_probe': drivers/scsi/mpt3sas/mpt3sas_scsih.c:8884:21: error: '_cm' directive writing 3 bytes into a region of size between 1 and 32 [-Werror=format-overflow=] printf(ioc->name, "%s_cm%d", ioc->driver_name, ioc->id); ^~~~~~~~~ drivers/scsi/mpt3sas/mpt3sas_scsih.c:8884:21: note: directive argument in the range [0, 255] drivers/scsi/mpt3sas/mpt3sas_scsih.c:8884:2: note: 'sprintf' output between 5 and 38 bytes into a destination of size 32 sprintf(ioc->name, "%s_cm%d", ioc->driver_name, ioc->id); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Making the first string shorter is sufficient to avoid the warning here, as we know it can only contain either "mpt2sas" or "mpt3sas". Signed-off-by: Arnd Bergmann --- drivers/scsi/mpt3sas/mpt3sas_base.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.9.0 diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.h b/drivers/scsi/mpt3sas/mpt3sas_base.h index 099ab4ca7edf..a77bb7dc12b1 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_base.h +++ b/drivers/scsi/mpt3sas/mpt3sas_base.h @@ -970,7 +970,7 @@ struct MPT3SAS_ADAPTER { u8 id; int cpu_count; char name[MPT_NAME_LENGTH]; - char driver_name[MPT_NAME_LENGTH]; + char driver_name[MPT_NAME_LENGTH - 8]; char tmp_string[MPT_STRING_LENGTH]; struct pci_dev *pdev; Mpi2SystemInterfaceRegs_t __iomem *chip; From patchwork Fri Jul 14 12:06:56 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [04/22] scsi: fusion: fix string overflow warning X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 107783 Message-Id: <20170714120720.906842-5-arnd@arndb.de> To: linux-kernel@vger.kernel.org, Sathya Prakash , Chaitra P B , Suganath Prabu Subramani Cc: Greg Kroah-Hartman , Linus Torvalds , Guenter Roeck , akpm@linux-foundation.org, netdev@vger.kernel.org, "David S . Miller" , "James E . J . Bottomley" , "Martin K . Petersen" , linux-scsi@vger.kernel.org, x86@kernel.org, Arnd Bergmann , Helge Deller , MPT-FusionLinux.pdl@broadcom.com Date: Fri, 14 Jul 2017 14:06:56 +0200 From: Arnd Bergmann List-Id: gcc points out a theorerical string overflow: drivers/message/fusion/mptbase.c: In function 'mpt_detach': drivers/message/fusion/mptbase.c:2103:17: error: '%s' directive writing up to 31 bytes into a region of size 28 [-Werror=format-overflow=] sprintf(pname, MPT_PROCFS_MPTBASEDIR "/%s/summary", ioc->name); ^~~~~ drivers/message/fusion/mptbase.c:2103:2: note: 'sprintf' output between 13 and 44 bytes into a destination of size 32 We can simply double the size of the local buffer here to be on the safe side. Signed-off-by: Arnd Bergmann --- drivers/message/fusion/mptbase.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.9.0 diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c index 62cff5afc6bd..46b67a67edc8 100644 --- a/drivers/message/fusion/mptbase.c +++ b/drivers/message/fusion/mptbase.c @@ -2079,7 +2079,7 @@ void mpt_detach(struct pci_dev *pdev) { MPT_ADAPTER *ioc = pci_get_drvdata(pdev); - char pname[32]; + char pname[64]; u8 cb_idx; unsigned long flags; struct workqueue_struct *wq; From patchwork Fri Jul 14 12:06:57 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [05/22] scsi: gdth: avoid buffer overflow warning X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 107785 Message-Id: <20170714120720.906842-6-arnd@arndb.de> To: linux-kernel@vger.kernel.org, Achim Leubner , "James E.J. Bottomley" , "Martin K. Petersen" Cc: Greg Kroah-Hartman , Linus Torvalds , Guenter Roeck , akpm@linux-foundation.org, netdev@vger.kernel.org, "David S . Miller" , linux-scsi@vger.kernel.org, x86@kernel.org, Arnd Bergmann , David Howells Date: Fri, 14 Jul 2017 14:06:57 +0200 From: Arnd Bergmann List-Id: gcc notices that we would overflow the buffer for the inquiry of the product name if we have too many adapters: drivers/scsi/gdth.c: In function 'gdth_next': drivers/scsi/gdth.c:2357:29: warning: 'sprintf' may write a terminating nul past the end of the destination [-Wformat-overflow=] sprintf(inq.product,"Host Drive #%02d",t); ^~~~~~~~~~~~~~~~~~~ drivers/scsi/gdth.c:2357:9: note: 'sprintf' output between 16 and 17 bytes into a destination of size 16 sprintf(inq.product,"Host Drive #%02d",t); This won't happen in practice, so just use snprintf to truncate the string. Signed-off-by: Arnd Bergmann --- drivers/scsi/gdth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.9.0 diff --git a/drivers/scsi/gdth.c b/drivers/scsi/gdth.c index facc7271f932..a4473356a9dc 100644 --- a/drivers/scsi/gdth.c +++ b/drivers/scsi/gdth.c @@ -2354,7 +2354,7 @@ static int gdth_internal_cache_cmd(gdth_ha_str *ha, Scsi_Cmnd *scp) inq.resp_aenc = 2; inq.add_length= 32; strcpy(inq.vendor,ha->oem_name); - sprintf(inq.product,"Host Drive #%02d",t); + snprintf(inq.product, sizeof(inq.product), "Host Drive #%02d",t); strcpy(inq.revision," "); gdth_copy_internal_data(ha, scp, (char*)&inq, sizeof(gdth_inq_data)); break; From patchwork Fri Jul 14 12:06:58 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [06/22] scsi: fnic: fix format string overflow warning X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 107784 Message-Id: <20170714120720.906842-7-arnd@arndb.de> To: linux-kernel@vger.kernel.org, Satish Kharat , Sesidhar Baddela , Karan Tilak Kumar , "James E.J. Bottomley" , "Martin K. Petersen" Cc: Greg Kroah-Hartman , Linus Torvalds , Guenter Roeck , akpm@linux-foundation.org, netdev@vger.kernel.org, "David S . Miller" , linux-scsi@vger.kernel.org, x86@kernel.org, Arnd Bergmann Date: Fri, 14 Jul 2017 14:06:58 +0200 From: Arnd Bergmann List-Id: The MSI interrupt name can require 11 bytes in addition to the device name, for a total of 23 bytes: drivers/scsi/fnic/fnic_isr.c: In function 'fnic_request_intr': drivers/scsi/fnic/fnic_isr.c:192:4: error: '-fcs-rq' directive writing 7 bytes into a region of size between 5 and 16 [-Werror=format-overflow=] "%.11s-fcs-rq", fnic->name); drivers/scsi/fnic/fnic_isr.c:206:3: note: 'sprintf' output between 12 and 23 bytes into a destination of size 16 sprintf(fnic->msix[FNIC_MSIX_ERR_NOTIFY].devname, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "%.11s-err-notify", fnic->name); This extends the buffer to fit any possible value. Signed-off-by: Arnd Bergmann --- drivers/scsi/fnic/fnic.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.9.0 diff --git a/drivers/scsi/fnic/fnic.h b/drivers/scsi/fnic/fnic.h index 67aab965c0f4..d094ba59ed15 100644 --- a/drivers/scsi/fnic/fnic.h +++ b/drivers/scsi/fnic/fnic.h @@ -180,7 +180,7 @@ enum fnic_msix_intr_index { struct fnic_msix_entry { int requested; - char devname[IFNAMSIZ]; + char devname[IFNAMSIZ + 11]; irqreturn_t (*isr)(int, void *); void *devid; }; From patchwork Fri Jul 14 12:06:59 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [07/22] scsi: gdth: increase the procfs event buffer size X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 107801 Message-Id: <20170714120720.906842-8-arnd@arndb.de> To: linux-kernel@vger.kernel.org, Achim Leubner , "James E.J. Bottomley" , "Martin K. Petersen" Cc: Greg Kroah-Hartman , Linus Torvalds , Guenter Roeck , akpm@linux-foundation.org, netdev@vger.kernel.org, "David S . Miller" , linux-scsi@vger.kernel.org, x86@kernel.org, Arnd Bergmann Date: Fri, 14 Jul 2017 14:06:59 +0200 From: Arnd Bergmann List-Id: We print a 256 byte event string into a buffer that is only 161 bytes long, this is clearly wrong: drivers/scsi/gdth_proc.c: In function 'gdth_show_info': drivers/scsi/gdth.c:3660:41: error: '%s' directive writing up to 255 bytes into a region of size between 141 and 150 [-Werror=format-overflow=] sprintf(buffer,"Adapter %d: %s\n", ^~ /git/arm-soc/drivers/scsi/gdth.c:3660:13: note: 'sprintf' output between 13 and 277 bytes into a destination of size 161 sprintf(buffer,"Adapter %d: %s\n", ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ dvr->eu.async.ionode,dvr->event_string); ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ gcc calculates that the worst case buffer size would be 277 bytes, so we can use that. Signed-off-by: Arnd Bergmann --- drivers/scsi/gdth_proc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.9.0 diff --git a/drivers/scsi/gdth_proc.c b/drivers/scsi/gdth_proc.c index be609db66807..d08b2716752c 100644 --- a/drivers/scsi/gdth_proc.c +++ b/drivers/scsi/gdth_proc.c @@ -147,7 +147,7 @@ int gdth_show_info(struct seq_file *m, struct Scsi_Host *host) gdth_cmd_str *gdtcmd; gdth_evt_str *estr; - char hrec[161]; + char hrec[277]; char *buf; gdth_dskstat_str *pds; From patchwork Fri Jul 14 12:07:00 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [08/22] isdn: divert: fix sprintf buffer overflow warning X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 107786 Message-Id: <20170714120720.906842-9-arnd@arndb.de> To: linux-kernel@vger.kernel.org, Karsten Keil , Geliang Tang , "David S. Miller" , Arnd Bergmann Cc: Greg Kroah-Hartman , Linus Torvalds , Guenter Roeck , akpm@linux-foundation.org, netdev@vger.kernel.org, "James E . J . Bottomley" , "Martin K . Petersen" , linux-scsi@vger.kernel.org, x86@kernel.org Date: Fri, 14 Jul 2017 14:07:00 +0200 From: Arnd Bergmann List-Id: One string we pass into the cs->info buffer might be too long, as pointed out by gcc: drivers/isdn/divert/isdn_divert.c: In function 'll_callback': drivers/isdn/divert/isdn_divert.c:488:22: error: '%d' directive writing between 1 and 3 bytes into a region of size between 1 and 69 [-Werror=format-overflow=] sprintf(cs->info, "%d 0x%lx %s %s %s %s 0x%x 0x%x %d %d %s\n", ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/isdn/divert/isdn_divert.c:488:22: note: directive argument in the range [0, 255] drivers/isdn/divert/isdn_divert.c:488:4: note: 'sprintf' output 25 or more bytes (assuming 129) into a destination of size 90 This is unlikely to actually cause problems, so let's use snprintf as a simple workaround to shut up the warning and truncate the buffer instead. Signed-off-by: Arnd Bergmann --- drivers/isdn/divert/isdn_divert.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) -- 2.9.0 diff --git a/drivers/isdn/divert/isdn_divert.c b/drivers/isdn/divert/isdn_divert.c index 060d357f107f..6f423bc49d0d 100644 --- a/drivers/isdn/divert/isdn_divert.c +++ b/drivers/isdn/divert/isdn_divert.c @@ -485,18 +485,19 @@ static int isdn_divert_icall(isdn_ctrl *ic) cs->deflect_dest[0] = '\0'; retval = 4; /* only proceed */ } - sprintf(cs->info, "%d 0x%lx %s %s %s %s 0x%x 0x%x %d %d %s\n", - cs->akt_state, - cs->divert_id, - divert_if.drv_to_name(cs->ics.driver), - (ic->command == ISDN_STAT_ICALLW) ? "1" : "0", - cs->ics.parm.setup.phone, - cs->ics.parm.setup.eazmsn, - cs->ics.parm.setup.si1, - cs->ics.parm.setup.si2, - cs->ics.parm.setup.screen, - dv->rule.waittime, - cs->deflect_dest); + snprintf(cs->info, sizeof(cs->info), + "%d 0x%lx %s %s %s %s 0x%x 0x%x %d %d %s\n", + cs->akt_state, + cs->divert_id, + divert_if.drv_to_name(cs->ics.driver), + (ic->command == ISDN_STAT_ICALLW) ? "1" : "0", + cs->ics.parm.setup.phone, + cs->ics.parm.setup.eazmsn, + cs->ics.parm.setup.si1, + cs->ics.parm.setup.si2, + cs->ics.parm.setup.screen, + dv->rule.waittime, + cs->deflect_dest); if ((dv->rule.action == DEFLECT_REPORT) || (dv->rule.action == DEFLECT_REJECT)) { put_info_buffer(cs->info); From patchwork Fri Jul 14 12:07:02 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [10/22] bnx2x: fix format overflow warning X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 107788 Message-Id: <20170714120720.906842-11-arnd@arndb.de> To: linux-kernel@vger.kernel.org, Yuval Mintz , Ariel Elior , everest-linux-l2@cavium.com Cc: Greg Kroah-Hartman , Linus Torvalds , Guenter Roeck , akpm@linux-foundation.org, netdev@vger.kernel.org, "David S . Miller" , "James E . J . Bottomley" , "Martin K . Petersen" , linux-scsi@vger.kernel.org, x86@kernel.org, Arnd Bergmann , Colin Ian King , Philippe Reynes Date: Fri, 14 Jul 2017 14:07:02 +0200 From: Arnd Bergmann List-Id: gcc notices that large queue numbers would overflow the queue name string: drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c: In function 'bnx2x_get_strings': drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c:3165:25: error: '%d' directive writing between 1 and 10 bytes into a region of size 5 [-Werror=format-overflow=] drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c:3165:25: note: directive argument in the range [0, 2147483647] drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c:3165:5: note: 'sprintf' output between 2 and 11 bytes into a destination of size 5 There is a hard limit in place that makes the number at most two digits, so the code is fine. This changes it to use snprintf() to truncate instead of overflowing, which shuts up that warning. Signed-off-by: Arnd Bergmann --- drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -- 2.9.0 diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c index 21bc4bed6b26..1e33abde4a3e 100644 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c @@ -3162,7 +3162,8 @@ static void bnx2x_get_strings(struct net_device *dev, u32 stringset, u8 *buf) if (is_multi(bp)) { for_each_eth_queue(bp, i) { memset(queue_name, 0, sizeof(queue_name)); - sprintf(queue_name, "%d", i); + snprintf(queue_name, sizeof(queue_name), + "%d", i); for (j = 0; j < BNX2X_NUM_Q_STATS; j++) snprintf(buf + (k + j)*ETH_GSTRING_LEN, ETH_GSTRING_LEN, From patchwork Fri Jul 14 12:07:03 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [11/22] net: thunder_bgx: avoid format string overflow warning X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 107790 Message-Id: <20170714120720.906842-12-arnd@arndb.de> To: linux-kernel@vger.kernel.org, Sunil Goutham , Robert Richter Cc: Greg Kroah-Hartman , Linus Torvalds , Guenter Roeck , akpm@linux-foundation.org, netdev@vger.kernel.org, "David S . Miller" , "James E . J . Bottomley" , "Martin K . Petersen" , linux-scsi@vger.kernel.org, x86@kernel.org, Arnd Bergmann , Thanneeru Srinivasulu , George Cherian , Vadim Lomovtsev , Radha Mohan Chintakuntla , linux-arm-kernel@lists.infradead.org Date: Fri, 14 Jul 2017 14:07:03 +0200 From: Arnd Bergmann List-Id: gcc warns that the temporary buffer might be too small here: drivers/net/ethernet/cavium/thunder/thunder_bgx.c: In function 'bgx_probe': drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1020:16: error: '%d' directive writing between 1 and 10 bytes into a region of size between 9 and 11 [-Werror=format-overflow=] sprintf(str, "BGX%d LMAC%d mode", bgx->bgx_id, lmacid); ^~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1020:16: note: directive argument in the range [0, 2147483647] drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1020:3: note: 'sprintf' output between 16 and 27 bytes into a destination of size 20 This probably can't happen, but it can't hurt to make it long enough for the theoretical limit. Signed-off-by: Arnd Bergmann --- drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.9.0 diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c index a0ca68ce3fbb..79112563a25a 100644 --- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c @@ -1008,7 +1008,7 @@ static void bgx_print_qlm_mode(struct bgx *bgx, u8 lmacid) { struct device *dev = &bgx->pdev->dev; struct lmac *lmac; - char str[20]; + char str[27]; if (!bgx->is_dlm && lmacid) return; From patchwork Fri Jul 14 12:07:04 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [12/22] vmxnet3: avoid format strint overflow warning X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 107789 Message-Id: <20170714120720.906842-13-arnd@arndb.de> To: linux-kernel@vger.kernel.org, Shrikrishna Khare , "VMware, Inc." Cc: Greg Kroah-Hartman , Linus Torvalds , Guenter Roeck , akpm@linux-foundation.org, netdev@vger.kernel.org, "David S . Miller" , "James E . J . Bottomley" , "Martin K . Petersen" , linux-scsi@vger.kernel.org, x86@kernel.org, Arnd Bergmann Date: Fri, 14 Jul 2017 14:07:04 +0200 From: Arnd Bergmann List-Id: gcc-7 notices that "-event-%d" could be more than 11 characters long if we had larger 'vector' numbers: drivers/net/vmxnet3/vmxnet3_drv.c: In function 'vmxnet3_activate_dev': drivers/net/vmxnet3/vmxnet3_drv.c:2095:40: error: 'sprintf' may write a terminating nul past the end of the destination [-Werror=format-overflow=] sprintf(intr->event_msi_vector_name, "%s-event-%d", ^~~~~~~~~~~~~ drivers/net/vmxnet3/vmxnet3_drv.c:2095:3: note: 'sprintf' output between 9 and 33 bytes into a destination of size 32 The current code is safe, but making the string a little longer is harmless and lets gcc see that it's ok. Signed-off-by: Arnd Bergmann --- drivers/net/vmxnet3/vmxnet3_int.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.9.0 diff --git a/drivers/net/vmxnet3/vmxnet3_int.h b/drivers/net/vmxnet3/vmxnet3_int.h index ba1c9f93592b..9c51b8be0038 100644 --- a/drivers/net/vmxnet3/vmxnet3_int.h +++ b/drivers/net/vmxnet3/vmxnet3_int.h @@ -311,7 +311,7 @@ struct vmxnet3_intr { u8 num_intrs; /* # of intr vectors */ u8 event_intr_idx; /* idx of the intr vector for event */ u8 mod_levels[VMXNET3_LINUX_MAX_MSIX_VECT]; /* moderation level */ - char event_msi_vector_name[IFNAMSIZ+11]; + char event_msi_vector_name[IFNAMSIZ+17]; #ifdef CONFIG_PCI_MSI struct msix_entry msix_entries[VMXNET3_LINUX_MAX_MSIX_VECT]; #endif From patchwork Fri Jul 14 12:07:05 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [13/22] liquidio: fix possible eeprom format string overflow X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 107791 Message-Id: <20170714120720.906842-14-arnd@arndb.de> To: linux-kernel@vger.kernel.org, Derek Chickles , Satanand Burla , Felix Manlunas , Raghu Vatsavayi Cc: Greg Kroah-Hartman , Linus Torvalds , Guenter Roeck , akpm@linux-foundation.org, netdev@vger.kernel.org, "David S . Miller" , "James E . J . Bottomley" , "Martin K . Petersen" , linux-scsi@vger.kernel.org, x86@kernel.org, Arnd Bergmann , Weilin Chang , Prasad Kanneganti Date: Fri, 14 Jul 2017 14:07:05 +0200 From: Arnd Bergmann List-Id: gcc reports that the temporary buffer for computing the string length may be too small here: drivers/net/ethernet/cavium/liquidio/lio_ethtool.c: In function 'lio_get_eeprom_len': /drivers/net/ethernet/cavium/liquidio/lio_ethtool.c:345:21: error: 'sprintf' may write a terminating nul past the end of the destination [-Werror=format-overflow=] len = sprintf(buf, "boardname:%s serialnum:%s maj:%lld min:%lld\n", ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/cavium/liquidio/lio_ethtool.c:345:6: note: 'sprintf' output between 35 and 167 bytes into a destination of size 128 len = sprintf(buf, "boardname:%s serialnum:%s maj:%lld min:%lld\n", This extends it to 192 bytes, which is certainly enough. As far as I could tell, there are no other constraints that require a specific maximum size. Signed-off-by: Arnd Bergmann --- drivers/net/ethernet/cavium/liquidio/lio_ethtool.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.9.0 diff --git a/drivers/net/ethernet/cavium/liquidio/lio_ethtool.c b/drivers/net/ethernet/cavium/liquidio/lio_ethtool.c index 28ecda3d3404..ebd353bc78ff 100644 --- a/drivers/net/ethernet/cavium/liquidio/lio_ethtool.c +++ b/drivers/net/ethernet/cavium/liquidio/lio_ethtool.c @@ -335,7 +335,7 @@ lio_ethtool_get_channels(struct net_device *dev, static int lio_get_eeprom_len(struct net_device *netdev) { - u8 buf[128]; + u8 buf[192]; struct lio *lio = GET_LIO(netdev); struct octeon_device *oct_dev = lio->oct_dev; struct octeon_board_info *board_info; From patchwork Fri Jul 14 12:07:06 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [14/22,media] usbvision-i2c: fix format overflow warning X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 107793 Message-Id: <20170714120720.906842-15-arnd@arndb.de> To: linux-kernel@vger.kernel.org, Hans Verkuil , Mauro Carvalho Chehab Cc: Greg Kroah-Hartman , Linus Torvalds , Guenter Roeck , akpm@linux-foundation.org, netdev@vger.kernel.org, "David S . Miller" , "James E . J . Bottomley" , "Martin K . Petersen" , linux-scsi@vger.kernel.org, x86@kernel.org, Arnd Bergmann , Sakari Ailus , linux-media@vger.kernel.org Date: Fri, 14 Jul 2017 14:07:06 +0200 From: Arnd Bergmann List-Id: gcc-7 notices that we copy a fixed length string into another string of the same size, with additional characters: drivers/media/usb/usbvision/usbvision-i2c.c: In function 'usbvision_i2c_register': drivers/media/usb/usbvision/usbvision-i2c.c:190:36: error: '%d' directive writing between 1 and 11 bytes into a region of size between 0 and 47 [-Werror=format-overflow=] sprintf(usbvision->i2c_adap.name, "%s-%d-%s", i2c_adap_template.name, ^~~~~~~~~~ drivers/media/usb/usbvision/usbvision-i2c.c:190:2: note: 'sprintf' output between 4 and 76 bytes into a destination of size 48 We know this is fine as the template name is always "usbvision", so we can easily avoid the warning by using this as the format string directly. Signed-off-by: Arnd Bergmann --- drivers/media/usb/usbvision/usbvision-i2c.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- 2.9.0 diff --git a/drivers/media/usb/usbvision/usbvision-i2c.c b/drivers/media/usb/usbvision/usbvision-i2c.c index fdf6b6e285da..aae9f69884da 100644 --- a/drivers/media/usb/usbvision/usbvision-i2c.c +++ b/drivers/media/usb/usbvision/usbvision-i2c.c @@ -187,8 +187,8 @@ int usbvision_i2c_register(struct usb_usbvision *usbvision) usbvision->i2c_adap = i2c_adap_template; - sprintf(usbvision->i2c_adap.name, "%s-%d-%s", i2c_adap_template.name, - usbvision->dev->bus->busnum, usbvision->dev->devpath); + sprintf(usbvision->i2c_adap.name, "usbvision-%d-%s", + usbvision->dev->bus->busnum, usbvision->dev->devpath); PDEBUG(DBG_I2C, "Adaptername: %s", usbvision->i2c_adap.name); usbvision->i2c_adap.dev.parent = &usbvision->dev->dev; From patchwork Fri Jul 14 12:07:07 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [15/22] hwmon: applesmc: fix format string overflow X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 107792 Message-Id: <20170714120720.906842-16-arnd@arndb.de> To: linux-kernel@vger.kernel.org, Henrik Rydberg , Jean Delvare , Guenter Roeck Cc: Greg Kroah-Hartman , Linus Torvalds , akpm@linux-foundation.org, netdev@vger.kernel.org, "David S . Miller" , "James E . J . Bottomley" , "Martin K . Petersen" , linux-scsi@vger.kernel.org, x86@kernel.org, Arnd Bergmann , linux-hwmon@vger.kernel.org Date: Fri, 14 Jul 2017 14:07:07 +0200 From: Arnd Bergmann List-Id: gcc-7 warns that the key might exceed five bytes for lage index values: drivers/hwmon/applesmc.c: In function 'applesmc_show_fan_position': drivers/hwmon/applesmc.c:906:18: error: '%d' directive writing between 1 and 5 bytes into a region of size 4 [-Werror=format-overflow=] sprintf(newkey, FAN_ID_FMT, to_index(attr)); ^~~~~~~ drivers/hwmon/applesmc.c:906:18: note: directive argument in the range [0, 65535] drivers/hwmon/applesmc.c:906:2: note: 'sprintf' output between 5 and 9 bytes into a destination of size 5 As the key is required to be four characters plus trailing zero, we know that the index has to be small here. I'm using snprintf() to avoid the warning. This would truncate the string instead of overflowing. Signed-off-by: Arnd Bergmann --- drivers/hwmon/applesmc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.9.0 diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c index 0af7fd311979..515163b9a89f 100644 --- a/drivers/hwmon/applesmc.c +++ b/drivers/hwmon/applesmc.c @@ -903,7 +903,7 @@ static ssize_t applesmc_show_fan_position(struct device *dev, char newkey[5]; u8 buffer[17]; - sprintf(newkey, FAN_ID_FMT, to_index(attr)); + snprintf(newkey, sizeof(newkey), FAN_ID_FMT, to_index(attr)); ret = applesmc_read_key(newkey, buffer, 16); buffer[16] = 0; From patchwork Fri Jul 14 12:07:08 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [16/22] x86: intel-mid: fix a format string overflow warning X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 107797 Message-Id: <20170714120720.906842-17-arnd@arndb.de> To: linux-kernel@vger.kernel.org, Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , x86@kernel.org Cc: Greg Kroah-Hartman , Linus Torvalds , Guenter Roeck , akpm@linux-foundation.org, netdev@vger.kernel.org, "David S . Miller" , "James E . J . Bottomley" , "Martin K . Petersen" , linux-scsi@vger.kernel.org, Arnd Bergmann Date: Fri, 14 Jul 2017 14:07:08 +0200 From: Arnd Bergmann List-Id: We have space for exactly one character for the index in "max7315_%d_base", but as gcc points out having more would cause an string overflow: arch/x86/platform/intel-mid/device_libs/platform_max7315.c: In function 'max7315_platform_data': arch/x86/platform/intel-mid/device_libs/platform_max7315.c:41:26: error: '%d' directive writing between 1 and 11 bytes into a region of size 9 [-Werror=format-overflow=] sprintf(base_pin_name, "max7315_%d_base", nr); ^~~~~~~~~~~~~~~~~ arch/x86/platform/intel-mid/device_libs/platform_max7315.c:41:26: note: directive argument in the range [-2147483647, 2147483647] arm-soc/arch/x86/platform/intel-mid/device_libs/platform_max7315.c:41:3: note: 'sprintf' output between 15 and 25 bytes into a destination of size 17 sprintf(base_pin_name, "max7315_%d_base", nr); This makes it use an snprintf() to truncate the string if that happened rather than overflowing the stack. Signed-off-by: Arnd Bergmann --- arch/x86/platform/intel-mid/device_libs/platform_max7315.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) -- 2.9.0 diff --git a/arch/x86/platform/intel-mid/device_libs/platform_max7315.c b/arch/x86/platform/intel-mid/device_libs/platform_max7315.c index 6e075afa7877..58337b2bc682 100644 --- a/arch/x86/platform/intel-mid/device_libs/platform_max7315.c +++ b/arch/x86/platform/intel-mid/device_libs/platform_max7315.c @@ -38,8 +38,10 @@ static void __init *max7315_platform_data(void *info) */ strcpy(i2c_info->type, "max7315"); if (nr++) { - sprintf(base_pin_name, "max7315_%d_base", nr); - sprintf(intr_pin_name, "max7315_%d_int", nr); + snprintf(base_pin_name, sizeof(base_pin_name), + "max7315_%d_base", nr); + snprintf(intr_pin_name, sizeof(intr_pin_name), + "max7315_%d_int", nr); } else { strcpy(base_pin_name, "max7315_base"); strcpy(intr_pin_name, "max7315_int"); From patchwork Fri Jul 14 12:07:09 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [17/22] platform/x86: alienware-wmi: fix format string overflow warning X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 107795 Message-Id: <20170714120720.906842-18-arnd@arndb.de> To: linux-kernel@vger.kernel.org, Darren Hart , Andy Shevchenko Cc: Greg Kroah-Hartman , Linus Torvalds , Guenter Roeck , akpm@linux-foundation.org, netdev@vger.kernel.org, "David S . Miller" , "James E . J . Bottomley" , "Martin K . Petersen" , linux-scsi@vger.kernel.org, x86@kernel.org, Arnd Bergmann , Mario Limonciello , Arvind Yadav , platform-driver-x86@vger.kernel.org Date: Fri, 14 Jul 2017 14:07:09 +0200 From: Arnd Bergmann List-Id: gcc points out a possible format string overflow for a large value of 'zone': drivers/platform/x86/alienware-wmi.c: In function 'alienware_wmi_init': drivers/platform/x86/alienware-wmi.c:461:24: error: '%02X' directive writing between 2 and 8 bytes into a region of size 6 [-Werror=format-overflow=] sprintf(buffer, "zone%02X", i); ^~~~ drivers/platform/x86/alienware-wmi.c:461:19: note: directive argument in the range [0, 2147483646] sprintf(buffer, "zone%02X", i); ^~~~~~~~~~ drivers/platform/x86/alienware-wmi.c:461:3: note: 'sprintf' output between 7 and 13 bytes into a destination of size 10 While the zone should never be that large, it's easy to make the buffer a few bytes longer so gcc can prove this to be safe. Signed-off-by: Arnd Bergmann --- drivers/platform/x86/alienware-wmi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.9.0 Signed-off-by: Mario Limonciello diff --git a/drivers/platform/x86/alienware-wmi.c b/drivers/platform/x86/alienware-wmi.c index 0831b428c217..acc01242da82 100644 --- a/drivers/platform/x86/alienware-wmi.c +++ b/drivers/platform/x86/alienware-wmi.c @@ -421,7 +421,7 @@ static DEVICE_ATTR(lighting_control_state, 0644, show_control_state, static int alienware_zone_init(struct platform_device *dev) { int i; - char buffer[10]; + char buffer[13]; char *name; if (interface == WMAX) { From patchwork Fri Jul 14 12:07:12 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [20/22] sound: pci: avoid string overflow warnings X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 107799 Message-Id: <20170714120720.906842-21-arnd@arndb.de> To: linux-kernel@vger.kernel.org, Jaroslav Kysela , Takashi Iwai Cc: Greg Kroah-Hartman , Linus Torvalds , Guenter Roeck , akpm@linux-foundation.org, netdev@vger.kernel.org, "David S . Miller" , "James E . J . Bottomley" , "Martin K . Petersen" , linux-scsi@vger.kernel.org, x86@kernel.org, Arnd Bergmann , Geliang Tang , Takashi Sakamoto , alsa-devel@alsa-project.org Date: Fri, 14 Jul 2017 14:07:12 +0200 From: Arnd Bergmann List-Id: With gcc-7, we get various warnings about a possible string overflow: sound/pci/rme9652/hdspm.c: In function 'snd_hdspm_create_alsa_devices': sound/pci/rme9652/hdspm.c:2123:17: error: ' MIDIoverMADI' directive writing 13 bytes into a region of size between 1 and 32 [-Werror=format-overflow=] sound/pci/pcxhr/pcxhr.c: In function 'pcxhr_probe': sound/pci/pcxhr/pcxhr.c:1647:28: error: ' [PCM #' directive writing 7 bytes into a region of size between 1 and 32 [-Werror=format-overflow=] sound/pci/mixart/mixart.c: In function 'snd_mixart_probe': sound/pci/mixart/mixart.c:1353:28: error: ' [PCM #' directive writing 7 bytes into a region of size between 1 and 32 [-Werror=format-overflow=] sprintf(card->shortname, "%s [PCM #%d]", mgr->shortname, i); ^~~~~~~~~~~~~~ sound/pci/mixart/mixart.c:1353:28: note: using the range [-2147483648, 2147483647] for directive argument sound/pci/mixart/mixart.c:1353:3: note: 'sprintf' output between 10 and 51 bytes into a destination of size 32 sprintf(card->shortname, "%s [PCM #%d]", mgr->shortname, i); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ sound/pci/mixart/mixart.c:1354:27: error: ' [PCM #' directive writing 7 bytes into a region of size between 1 and 80 [-Werror=format-overflow=] sprintf(card->longname, "%s [PCM #%d]", mgr->longname, i); ^~~~~~~~~~~~~~ sound/pci/mixart/mixart.c:1354:27: note: using the range [-2147483648, 2147483647] for directive argument sound/pci/mixart/mixart.c:1354:3: note: 'sprintf' output between 10 and 99 bytes into a destination of size 80 I have checked these all and found that the driver-private shortname strings for mixart and pcxhr are longer than necessary, and making them shorter will be safe while also making it clear that no overflow can happen when they get passed as a substring into the card shortname. For hdspm, we have a local buffer of the same size as its substring. In this case, making the buffer a little longer is safe as the functions that take it as an argument all use length checking and the strings we pass into it are actually short enough. Signed-off-by: Arnd Bergmann --- sound/pci/mixart/mixart.h | 4 ++-- sound/pci/pcxhr/pcxhr.h | 4 ++-- sound/pci/rme9652/hdspm.c | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) -- 2.9.0 diff --git a/sound/pci/mixart/mixart.h b/sound/pci/mixart/mixart.h index 426743871540..c8309e327663 100644 --- a/sound/pci/mixart/mixart.h +++ b/sound/pci/mixart/mixart.h @@ -75,8 +75,8 @@ struct mixart_mgr { struct mem_area mem[2]; /* share the name */ - char shortname[32]; /* short name of this soundcard */ - char longname[80]; /* name of this soundcard */ + char shortname[16]; /* short name of this soundcard */ + char longname[40]; /* name of this soundcard */ /* one and only blocking message or notification may be pending */ u32 pending_event; diff --git a/sound/pci/pcxhr/pcxhr.h b/sound/pci/pcxhr/pcxhr.h index 9e39e509a3ef..4909a43ce3d9 100644 --- a/sound/pci/pcxhr/pcxhr.h +++ b/sound/pci/pcxhr/pcxhr.h @@ -75,8 +75,8 @@ struct pcxhr_mgr { unsigned long port[3]; /* share the name */ - char shortname[32]; /* short name of this soundcard */ - char longname[96]; /* name of this soundcard */ + char shortname[16]; /* short name of this soundcard */ + char longname[40]; /* name of this soundcard */ struct pcxhr_rmh *prmh; diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c index 254c3d040118..a1cbf5938a0e 100644 --- a/sound/pci/rme9652/hdspm.c +++ b/sound/pci/rme9652/hdspm.c @@ -2061,7 +2061,7 @@ static int snd_hdspm_create_midi(struct snd_card *card, struct hdspm *hdspm, int id) { int err; - char buf[32]; + char buf[64]; hdspm->midi[id].id = id; hdspm->midi[id].hdspm = hdspm; From patchwork Fri Jul 14 12:07:13 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [21/22] fscache: fix fscache_objlist_show format processing X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 107798 Message-Id: <20170714120720.906842-22-arnd@arndb.de> To: linux-kernel@vger.kernel.org, David Howells Cc: Greg Kroah-Hartman , Linus Torvalds , Guenter Roeck , akpm@linux-foundation.org, netdev@vger.kernel.org, "David S . Miller" , "James E . J . Bottomley" , "Martin K . Petersen" , linux-scsi@vger.kernel.org, x86@kernel.org, Arnd Bergmann , James Morris , linux-cachefs@redhat.com Date: Fri, 14 Jul 2017 14:07:13 +0200 From: Arnd Bergmann List-Id: gcc points out a minor bug in the handling of unknown cookie types, which could result in a string overflow when the integer is copied into a 3-byte string: fs/fscache/object-list.c: In function 'fscache_objlist_show': fs/fscache/object-list.c:265:19: error: 'sprintf' may write a terminating nul past the end of the destination [-Werror=format-overflow=] sprintf(_type, "%02u", cookie->def->type); ^~~~~~ fs/fscache/object-list.c:265:4: note: 'sprintf' output between 3 and 4 bytes into a destination of size 3 This is currently harmless as no code sets a type other than 0 or 1, but it makes sense to use snprintf() here to avoid overflowing the array if that changes. Signed-off-by: Arnd Bergmann --- fs/fscache/object-list.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -- 2.9.0 diff --git a/fs/fscache/object-list.c b/fs/fscache/object-list.c index 67f940892ef8..b5ab06fabc60 100644 --- a/fs/fscache/object-list.c +++ b/fs/fscache/object-list.c @@ -262,7 +262,8 @@ static int fscache_objlist_show(struct seq_file *m, void *v) type = "DT"; break; default: - sprintf(_type, "%02u", cookie->def->type); + snprintf(_type, sizeof(_type), "%02u", + cookie->def->type); type = _type; break; }