* [remoteproc:rpmsg-next 4/4] drivers/rpmsg/qcom_glink_native.c:504 qcom_glink_send_open_req() error: strcpy() 'channel->name' too large for 'req->data' (1010102 vs 32)
@ 2024-09-15 14:17 kernel test robot
0 siblings, 0 replies; 3+ messages in thread
From: kernel test robot @ 2024-09-15 14:17 UTC (permalink / raw)
To: oe-kbuild; +Cc: lkp, Dan Carpenter
BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
TO: "Gustavo A. R. Silva" <gustavoars@kernel.org>
CC: Bjorn Andersson <andersson@kernel.org>
CC: Kees Cook <kees@kernel.org>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux.git rpmsg-next
head: c1ddb29709e675ea2a406e3114dbf5c8c705dd59
commit: c1ddb29709e675ea2a406e3114dbf5c8c705dd59 [4/4] rpmsg: glink: Avoid -Wflex-array-member-not-at-end warnings
:::::: branch date: 2 days ago
:::::: commit date: 2 days ago
config: x86_64-randconfig-r072-20240914 (https://download.01.org/0day-ci/archive/20240915/202409152202.xXbeT6sp-lkp@intel.com/config)
compiler: clang version 18.1.8 (https://github.com/llvm/llvm-project 3b5b5c1ec4a3095ab096dd780e84d7ab81f3d7ff)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202409152202.xXbeT6sp-lkp@intel.com/
smatch warnings:
drivers/rpmsg/qcom_glink_native.c:504 qcom_glink_send_open_req() error: strcpy() 'channel->name' too large for 'req->data' (1010102 vs 32)
vim +504 drivers/rpmsg/qcom_glink_native.c
fb23b97346f9aa Bjorn Andersson 2023-02-13 469
835764ddd9af0d Bjorn Andersson 2017-08-24 470 /**
4e816d0318fdfe Bjorn Andersson 2023-02-14 471 * qcom_glink_send_open_req() - send a GLINK_CMD_OPEN request to the remote
835764ddd9af0d Bjorn Andersson 2017-08-24 472 * @glink: Ptr to the glink edge
835764ddd9af0d Bjorn Andersson 2017-08-24 473 * @channel: Ptr to the channel that the open req is sent
835764ddd9af0d Bjorn Andersson 2017-08-24 474 *
4e816d0318fdfe Bjorn Andersson 2023-02-14 475 * Allocates a local channel id and sends a GLINK_CMD_OPEN message to the remote.
835764ddd9af0d Bjorn Andersson 2017-08-24 476 * Will return with refcount held, regardless of outcome.
835764ddd9af0d Bjorn Andersson 2017-08-24 477 *
631af6e0f41002 Arnaud Pouliquen 2021-11-08 478 * Return: 0 on success, negative errno otherwise.
835764ddd9af0d Bjorn Andersson 2017-08-24 479 */
835764ddd9af0d Bjorn Andersson 2017-08-24 480 static int qcom_glink_send_open_req(struct qcom_glink *glink,
835764ddd9af0d Bjorn Andersson 2017-08-24 481 struct glink_channel *channel)
835764ddd9af0d Bjorn Andersson 2017-08-24 482 {
c1ddb29709e675 Gustavo A. R. Silva 2024-08-07 483 DEFINE_RAW_FLEX(struct glink_msg, req, data, GLINK_NAME_SIZE);
835764ddd9af0d Bjorn Andersson 2017-08-24 484 int name_len = strlen(channel->name) + 1;
c1ddb29709e675 Gustavo A. R. Silva 2024-08-07 485 int req_len = ALIGN(sizeof(*req) + name_len, 8);
835764ddd9af0d Bjorn Andersson 2017-08-24 486 int ret;
44f6df922a260f Sricharan Ramabadhran 2017-08-24 487 unsigned long flags;
835764ddd9af0d Bjorn Andersson 2017-08-24 488
835764ddd9af0d Bjorn Andersson 2017-08-24 489 kref_get(&channel->refcount);
835764ddd9af0d Bjorn Andersson 2017-08-24 490
44f6df922a260f Sricharan Ramabadhran 2017-08-24 491 spin_lock_irqsave(&glink->idr_lock, flags);
835764ddd9af0d Bjorn Andersson 2017-08-24 492 ret = idr_alloc_cyclic(&glink->lcids, channel,
835764ddd9af0d Bjorn Andersson 2017-08-24 493 RPM_GLINK_CID_MIN, RPM_GLINK_CID_MAX,
44f6df922a260f Sricharan Ramabadhran 2017-08-24 494 GFP_ATOMIC);
44f6df922a260f Sricharan Ramabadhran 2017-08-24 495 spin_unlock_irqrestore(&glink->idr_lock, flags);
835764ddd9af0d Bjorn Andersson 2017-08-24 496 if (ret < 0)
835764ddd9af0d Bjorn Andersson 2017-08-24 497 return ret;
835764ddd9af0d Bjorn Andersson 2017-08-24 498
835764ddd9af0d Bjorn Andersson 2017-08-24 499 channel->lcid = ret;
835764ddd9af0d Bjorn Andersson 2017-08-24 500
c1ddb29709e675 Gustavo A. R. Silva 2024-08-07 501 req->cmd = cpu_to_le16(GLINK_CMD_OPEN);
c1ddb29709e675 Gustavo A. R. Silva 2024-08-07 502 req->param1 = cpu_to_le16(channel->lcid);
c1ddb29709e675 Gustavo A. R. Silva 2024-08-07 503 req->param2 = cpu_to_le32(name_len);
c1ddb29709e675 Gustavo A. R. Silva 2024-08-07 @504 strcpy(req->data, channel->name);
835764ddd9af0d Bjorn Andersson 2017-08-24 505
34f79c11fb2f31 Bjorn Andersson 2024-08-05 506 trace_qcom_glink_cmd_open_tx(glink->label, channel->name,
34f79c11fb2f31 Bjorn Andersson 2024-08-05 507 channel->lcid, channel->rcid);
34f79c11fb2f31 Bjorn Andersson 2024-08-05 508
c1ddb29709e675 Gustavo A. R. Silva 2024-08-07 509 ret = qcom_glink_tx(glink, req, req_len, NULL, 0, true);
835764ddd9af0d Bjorn Andersson 2017-08-24 510 if (ret)
835764ddd9af0d Bjorn Andersson 2017-08-24 511 goto remove_idr;
835764ddd9af0d Bjorn Andersson 2017-08-24 512
835764ddd9af0d Bjorn Andersson 2017-08-24 513 return 0;
835764ddd9af0d Bjorn Andersson 2017-08-24 514
835764ddd9af0d Bjorn Andersson 2017-08-24 515 remove_idr:
44f6df922a260f Sricharan Ramabadhran 2017-08-24 516 spin_lock_irqsave(&glink->idr_lock, flags);
835764ddd9af0d Bjorn Andersson 2017-08-24 517 idr_remove(&glink->lcids, channel->lcid);
835764ddd9af0d Bjorn Andersson 2017-08-24 518 channel->lcid = 0;
44f6df922a260f Sricharan Ramabadhran 2017-08-24 519 spin_unlock_irqrestore(&glink->idr_lock, flags);
835764ddd9af0d Bjorn Andersson 2017-08-24 520
835764ddd9af0d Bjorn Andersson 2017-08-24 521 return ret;
835764ddd9af0d Bjorn Andersson 2017-08-24 522 }
835764ddd9af0d Bjorn Andersson 2017-08-24 523
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 3+ messages in thread* [remoteproc:rpmsg-next 4/4] drivers/rpmsg/qcom_glink_native.c:504 qcom_glink_send_open_req() error: strcpy() 'channel->name' too large for 'req->data' (1010102 vs 32)
@ 2024-09-15 14:40 Dan Carpenter
2024-09-15 14:46 ` Dan Carpenter
0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2024-09-15 14:40 UTC (permalink / raw)
To: oe-kbuild, Gustavo A. R. Silva
Cc: lkp, oe-kbuild-all, Bjorn Andersson, Kees Cook
tree: https://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux.git rpmsg-next
head: c1ddb29709e675ea2a406e3114dbf5c8c705dd59
commit: c1ddb29709e675ea2a406e3114dbf5c8c705dd59 [4/4] rpmsg: glink: Avoid -Wflex-array-member-not-at-end warnings
config: x86_64-randconfig-r072-20240914 (https://download.01.org/0day-ci/archive/20240915/202409152202.xXbeT6sp-lkp@intel.com/config)
compiler: clang version 18.1.8 (https://github.com/llvm/llvm-project 3b5b5c1ec4a3095ab096dd780e84d7ab81f3d7ff)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
| Closes: https://lore.kernel.org/r/202409152202.xXbeT6sp-lkp@intel.com/
smatch warnings:
drivers/rpmsg/qcom_glink_native.c:504 qcom_glink_send_open_req() error: strcpy() 'channel->name' too large for 'req->data' (1010102 vs 32)
vim +504 drivers/rpmsg/qcom_glink_native.c
835764ddd9af0d Bjorn Andersson 2017-08-24 480 static int qcom_glink_send_open_req(struct qcom_glink *glink,
835764ddd9af0d Bjorn Andersson 2017-08-24 481 struct glink_channel *channel)
835764ddd9af0d Bjorn Andersson 2017-08-24 482 {
c1ddb29709e675 Gustavo A. R. Silva 2024-08-07 483 DEFINE_RAW_FLEX(struct glink_msg, req, data, GLINK_NAME_SIZE);
835764ddd9af0d Bjorn Andersson 2017-08-24 484 int name_len = strlen(channel->name) + 1;
How do we know that channel->name is NUL terminated? I believe it comes from
qcom_glink_rx_defer() where we call:
qcom_glink_rx_peek(glink, &dcmd->msg, 0, sizeof(dcmd->msg) + extra);
We add it to the &glink->rx_queue and then in qcom_glink_work() we call:
qcom_glink_rx_open(glink, param1, msg->data);
^^^^^^^^^
qcom_glink_rx_open() assumes msg->data is NUL terminated.
c1ddb29709e675 Gustavo A. R. Silva 2024-08-07 485 int req_len = ALIGN(sizeof(*req) + name_len, 8);
835764ddd9af0d Bjorn Andersson 2017-08-24 486 int ret;
44f6df922a260f Sricharan Ramabadhran 2017-08-24 487 unsigned long flags;
835764ddd9af0d Bjorn Andersson 2017-08-24 488
835764ddd9af0d Bjorn Andersson 2017-08-24 489 kref_get(&channel->refcount);
835764ddd9af0d Bjorn Andersson 2017-08-24 490
44f6df922a260f Sricharan Ramabadhran 2017-08-24 491 spin_lock_irqsave(&glink->idr_lock, flags);
835764ddd9af0d Bjorn Andersson 2017-08-24 492 ret = idr_alloc_cyclic(&glink->lcids, channel,
835764ddd9af0d Bjorn Andersson 2017-08-24 493 RPM_GLINK_CID_MIN, RPM_GLINK_CID_MAX,
44f6df922a260f Sricharan Ramabadhran 2017-08-24 494 GFP_ATOMIC);
44f6df922a260f Sricharan Ramabadhran 2017-08-24 495 spin_unlock_irqrestore(&glink->idr_lock, flags);
835764ddd9af0d Bjorn Andersson 2017-08-24 496 if (ret < 0)
835764ddd9af0d Bjorn Andersson 2017-08-24 497 return ret;
835764ddd9af0d Bjorn Andersson 2017-08-24 498
835764ddd9af0d Bjorn Andersson 2017-08-24 499 channel->lcid = ret;
835764ddd9af0d Bjorn Andersson 2017-08-24 500
c1ddb29709e675 Gustavo A. R. Silva 2024-08-07 501 req->cmd = cpu_to_le16(GLINK_CMD_OPEN);
c1ddb29709e675 Gustavo A. R. Silva 2024-08-07 502 req->param1 = cpu_to_le16(channel->lcid);
c1ddb29709e675 Gustavo A. R. Silva 2024-08-07 503 req->param2 = cpu_to_le32(name_len);
c1ddb29709e675 Gustavo A. R. Silva 2024-08-07 @504 strcpy(req->data, channel->name);
Use strscpy(req->data, channel->name, GLINK_NAME_SIZE);
835764ddd9af0d Bjorn Andersson 2017-08-24 505
34f79c11fb2f31 Bjorn Andersson 2024-08-05 506 trace_qcom_glink_cmd_open_tx(glink->label, channel->name,
34f79c11fb2f31 Bjorn Andersson 2024-08-05 507 channel->lcid, channel->rcid);
34f79c11fb2f31 Bjorn Andersson 2024-08-05 508
c1ddb29709e675 Gustavo A. R. Silva 2024-08-07 509 ret = qcom_glink_tx(glink, req, req_len, NULL, 0, true);
835764ddd9af0d Bjorn Andersson 2017-08-24 510 if (ret)
835764ddd9af0d Bjorn Andersson 2017-08-24 511 goto remove_idr;
835764ddd9af0d Bjorn Andersson 2017-08-24 512
835764ddd9af0d Bjorn Andersson 2017-08-24 513 return 0;
835764ddd9af0d Bjorn Andersson 2017-08-24 514
835764ddd9af0d Bjorn Andersson 2017-08-24 515 remove_idr:
44f6df922a260f Sricharan Ramabadhran 2017-08-24 516 spin_lock_irqsave(&glink->idr_lock, flags);
835764ddd9af0d Bjorn Andersson 2017-08-24 517 idr_remove(&glink->lcids, channel->lcid);
835764ddd9af0d Bjorn Andersson 2017-08-24 518 channel->lcid = 0;
44f6df922a260f Sricharan Ramabadhran 2017-08-24 519 spin_unlock_irqrestore(&glink->idr_lock, flags);
835764ddd9af0d Bjorn Andersson 2017-08-24 520
835764ddd9af0d Bjorn Andersson 2017-08-24 521 return ret;
835764ddd9af0d Bjorn Andersson 2017-08-24 522 }
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [remoteproc:rpmsg-next 4/4] drivers/rpmsg/qcom_glink_native.c:504 qcom_glink_send_open_req() error: strcpy() 'channel->name' too large for 'req->data' (1010102 vs 32)
2024-09-15 14:40 Dan Carpenter
@ 2024-09-15 14:46 ` Dan Carpenter
0 siblings, 0 replies; 3+ messages in thread
From: Dan Carpenter @ 2024-09-15 14:46 UTC (permalink / raw)
To: oe-kbuild, Gustavo A. R. Silva
Cc: lkp, oe-kbuild-all, Bjorn Andersson, Kees Cook
On Sun, Sep 15, 2024 at 05:40:51PM +0300, Dan Carpenter wrote:
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux.git rpmsg-next
> head: c1ddb29709e675ea2a406e3114dbf5c8c705dd59
> commit: c1ddb29709e675ea2a406e3114dbf5c8c705dd59 [4/4] rpmsg: glink: Avoid -Wflex-array-member-not-at-end warnings
> config: x86_64-randconfig-r072-20240914 (https://download.01.org/0day-ci/archive/20240915/202409152202.xXbeT6sp-lkp@intel.com/config)
> compiler: clang version 18.1.8 (https://github.com/llvm/llvm-project 3b5b5c1ec4a3095ab096dd780e84d7ab81f3d7ff)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@intel.com>
> | Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> | Closes: https://lore.kernel.org/r/202409152202.xXbeT6sp-lkp@intel.com/
>
> smatch warnings:
> drivers/rpmsg/qcom_glink_native.c:504 qcom_glink_send_open_req() error: strcpy() 'channel->name' too large for 'req->data' (1010102 vs 32)
>
> vim +504 drivers/rpmsg/qcom_glink_native.c
>
> 835764ddd9af0d Bjorn Andersson 2017-08-24 480 static int qcom_glink_send_open_req(struct qcom_glink *glink,
> 835764ddd9af0d Bjorn Andersson 2017-08-24 481 struct glink_channel *channel)
> 835764ddd9af0d Bjorn Andersson 2017-08-24 482 {
> c1ddb29709e675 Gustavo A. R. Silva 2024-08-07 483 DEFINE_RAW_FLEX(struct glink_msg, req, data, GLINK_NAME_SIZE);
> 835764ddd9af0d Bjorn Andersson 2017-08-24 484 int name_len = strlen(channel->name) + 1;
>
> How do we know that channel->name is NUL terminated? I believe it comes from
> qcom_glink_rx_defer() where we call:
>
> qcom_glink_rx_peek(glink, &dcmd->msg, 0, sizeof(dcmd->msg) + extra);
->peek is either glink_rpm_rx_peek() or glink_smem_rx_peek().
regards,
dan carpenter
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-09-15 14:46 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-09-15 14:17 [remoteproc:rpmsg-next 4/4] drivers/rpmsg/qcom_glink_native.c:504 qcom_glink_send_open_req() error: strcpy() 'channel->name' too large for 'req->data' (1010102 vs 32) kernel test robot
-- strict thread matches above, loose matches on Subject: below --
2024-09-15 14:40 Dan Carpenter
2024-09-15 14:46 ` Dan Carpenter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.