From: kernel test robot <lkp@intel.com>
To: Kangzheng Gu <xiaoguai0992@gmail.com>,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, horms@kernel.org, kees@kernel.org,
thorsten.blum@linux.dev, arnd@arndb.de,
sjur.brandeland@stericsson.com
Cc: llvm@lists.linux.dev, oe-kbuild-all@lists.linux.dev,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH v3] net: caif: fix stack out-of-bounds write in cfctrl_link_setup()
Date: Mon, 30 Mar 2026 22:24:41 +0800
Message-ID: <202603302217.BEd0DrgM-lkp@intel.com>
In-Reply-To: <20260329190350.19065-1-xiaoguai0992@gmail.com>

Hi Kangzheng,

kernel test robot noticed the following build warnings:

[auto build test WARNING on net-next/main]
[also build test WARNING on net/main soc/for-next linus/master v7.0-rc6 next-20260327]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Kangzheng-Gu/net-caif-fix-stack-out-of-bounds-write-in-cfctrl_link_setup/20260330-163130
base:   net-next/main
patch link:    https://lore.kernel.org/r/20260329190350.19065-1-xiaoguai0992%40gmail.com
patch subject: [PATCH v3] net: caif: fix stack out-of-bounds write in cfctrl_link_setup()
config: hexagon-randconfig-001-20260330 (https://download.01.org/0day-ci/archive/20260330/202603302217.BEd0DrgM-lkp@intel.com/config)
compiler: clang version 23.0.0git (https://github.com/llvm/llvm-project 2cd67b8b69f78e3f95918204320c3075a74ba16c)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260330/202603302217.BEd0DrgM-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202603302217.BEd0DrgM-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> net/caif/cfctrl.c:423:6: warning: format specifies type 'unsigned long' but the argument has type '__size_t' (aka 'unsigned int') [-Wformat]
     422 |                                 pr_warn("Request reject, volume name length exceeds %lu\n",
         |                                                                                     ~~~
         |                                                                                     %zu
     423 |                                         sizeof(linkparam.u.rfm.volume));
         |                                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/printk.h:564:37: note: expanded from macro 'pr_warn'
     564 |         printk(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
         |                                    ~~~     ^~~~~~~~~~~
   include/linux/printk.h:511:60: note: expanded from macro 'printk'
     511 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
         |                                                     ~~~    ^~~~~~~~~~~
   include/linux/printk.h:483:19: note: expanded from macro 'printk_index_wrap'
     483 |                 _p_func(_fmt, ##__VA_ARGS__);                           \
         |                         ~~~~    ^~~~~~~~~~~
   1 warning generated.


vim +423 net/caif/cfctrl.c

   351	
   352	static int cfctrl_link_setup(struct cfctrl *cfctrl, struct cfpkt *pkt, u8 cmdrsp)
   353	{
   354		u8 len;
   355		u8 linkid = 0;
   356		enum cfctrl_srv serv;
   357		enum cfctrl_srv servtype;
   358		u8 endpoint;
   359		u8 physlinkid;
   360		u8 prio;
   361		u8 tmp;
   362		u8 *cp;
   363		int i;
   364		struct cfctrl_link_param linkparam;
   365		struct cfctrl_request_info rsp, *req;
   366	
   367		memset(&linkparam, 0, sizeof(linkparam));
   368	
   369		tmp = cfpkt_extr_head_u8(pkt);
   370	
   371		serv = tmp & CFCTRL_SRV_MASK;
   372		linkparam.linktype = serv;
   373	
   374		servtype = tmp >> 4;
   375		linkparam.chtype = servtype;
   376	
   377		tmp = cfpkt_extr_head_u8(pkt);
   378		physlinkid = tmp & 0x07;
   379		prio = tmp >> 3;
   380	
   381		linkparam.priority = prio;
   382		linkparam.phyid = physlinkid;
   383		endpoint = cfpkt_extr_head_u8(pkt);
   384		linkparam.endpoint = endpoint & 0x03;
   385	
   386		switch (serv) {
   387		case CFCTRL_SRV_VEI:
   388		case CFCTRL_SRV_DBG:
   389			if (CFCTRL_ERR_BIT & cmdrsp)
   390				break;
   391			/* Link ID */
   392			linkid = cfpkt_extr_head_u8(pkt);
   393			break;
   394		case CFCTRL_SRV_VIDEO:
   395			tmp = cfpkt_extr_head_u8(pkt);
   396			linkparam.u.video.connid = tmp;
   397			if (CFCTRL_ERR_BIT & cmdrsp)
   398				break;
   399			/* Link ID */
   400			linkid = cfpkt_extr_head_u8(pkt);
   401			break;
   402	
   403		case CFCTRL_SRV_DATAGRAM:
   404			linkparam.u.datagram.connid = cfpkt_extr_head_u32(pkt);
   405			if (CFCTRL_ERR_BIT & cmdrsp)
   406				break;
   407			/* Link ID */
   408			linkid = cfpkt_extr_head_u8(pkt);
   409			break;
   410		case CFCTRL_SRV_RFM:
   411			/* Construct a frame, convert
   412			 * DatagramConnectionID
   413			 * to network format long and copy it out...
   414			 */
   415			linkparam.u.rfm.connid = cfpkt_extr_head_u32(pkt);
   416			cp = (u8 *) linkparam.u.rfm.volume;
   417			for (tmp = cfpkt_extr_head_u8(pkt);
   418			     cfpkt_more(pkt) && tmp != '\0';
   419			     tmp = cfpkt_extr_head_u8(pkt)) {
   420				if (cp >= (u8 *)linkparam.u.rfm.volume +
   421				    sizeof(linkparam.u.rfm.volume) - 1) {
   422					pr_warn("Request reject, volume name length exceeds %lu\n",
 > 423						sizeof(linkparam.u.rfm.volume));
   424					cmdrsp |= CFCTRL_ERR_BIT;
   425					break;
   426				}
   427				*cp++ = tmp;
   428			}
   429			*cp = '\0';
   430	
   431			if (CFCTRL_ERR_BIT & cmdrsp)
   432				break;
   433			/* Link ID */
   434			linkid = cfpkt_extr_head_u8(pkt);
   435	
   436			break;
   437		case CFCTRL_SRV_UTIL:
   438			/* Construct a frame, convert
   439			 * DatagramConnectionID
   440			 * to network format long and copy it out...
   441			 */
   442			/* Fifosize KB */
   443			linkparam.u.utility.fifosize_kb = cfpkt_extr_head_u16(pkt);
   444			/* Fifosize bufs */
   445			linkparam.u.utility.fifosize_bufs = cfpkt_extr_head_u16(pkt);
   446			/* name */
   447			cp = (u8 *) linkparam.u.utility.name;
   448			caif_assert(sizeof(linkparam.u.utility.name)
   449				     >= UTILITY_NAME_LENGTH);
   450			for (i = 0; i < UTILITY_NAME_LENGTH && cfpkt_more(pkt); i++) {
   451				tmp = cfpkt_extr_head_u8(pkt);
   452				*cp++ = tmp;
   453			}
   454			/* Length */
   455			len = cfpkt_extr_head_u8(pkt);
   456			linkparam.u.utility.paramlen = len;
   457			/* Param Data */
   458			cp = linkparam.u.utility.params;
   459			while (cfpkt_more(pkt) && len--) {
   460				tmp = cfpkt_extr_head_u8(pkt);
   461				*cp++ = tmp;
   462			}
   463			if (CFCTRL_ERR_BIT & cmdrsp)
   464				break;
   465			/* Link ID */
   466			linkid = cfpkt_extr_head_u8(pkt);
   467			/* Length */
   468			len = cfpkt_extr_head_u8(pkt);
   469			/* Param Data */
   470			cfpkt_extr_head(pkt, NULL, len);
   471			break;
   472		default:
   473			pr_warn("Request setup, invalid type (%d)\n", serv);
   474			return -1;
   475		}
   476	
   477		rsp.cmd = CFCTRL_CMD_LINK_SETUP;
   478		rsp.param = linkparam;
   479		spin_lock_bh(&cfctrl->info_list_lock);
   480		req = cfctrl_remove_req(cfctrl, &rsp);
   481	
   482		if (CFCTRL_ERR_BIT == (CFCTRL_ERR_BIT & cmdrsp) ||
   483			cfpkt_erroneous(pkt)) {
   484			pr_err("Invalid O/E bit or parse error "
   485					"on CAIF control channel\n");
   486			cfctrl->res.reject_rsp(cfctrl->serv.layer.up, 0,
   487					       req ? req->client_layer : NULL);
   488		} else {
   489			cfctrl->res.linksetup_rsp(cfctrl->serv.layer.up, linkid,
   490						  serv, physlinkid,
   491						  req ? req->client_layer : NULL);
   492		}
   493	
   494		kfree(req);
   495	
   496		spin_unlock_bh(&cfctrl->info_list_lock);
   497	
   498		return 0;
   499	}
   500	

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Thread overview: 12+ messages
[not found] <CAKvcANP6ihR9ZJpm73ep6aTPqzcpVhTHsVSgGBd28HwwfdBcxw@mail.gmail.com>
2026-03-29 19:03 ` [PATCH v3] net: caif: fix stack out-of-bounds write in cfctrl_link_setup() Kangzheng Gu
2026-03-30 6:53 ` [PATCH v4] " Kangzheng Gu
2026-04-02 9:05 ` Paolo Abeni
2026-04-08 12:53 ` [PATCH v5] " Kangzheng Gu
2026-04-12 13:57 ` Simon Horman
2026-04-13 9:30 ` Paolo Abeni
2026-04-14 11:29 ` Simon Horman
2026-04-20 8:09 ` Kangzheng Gu
2026-04-20 8:14 ` Arnd Bergmann
2026-04-20 13:38 ` Kangzheng Gu
2026-03-30 14:24 ` kernel test robot [this message]
2026-03-30 15:32 ` [PATCH v3] " kernel test robot