From: Breno Leitao <leitao@debian.org>
To: Simon Horman <horms@kernel.org>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
Keiichi Kii <k-keiichi@bx.jp.nec.com>,
Satyam Sharma <satyam@infradead.org>,
Andrew Morton <akpm@linux-foundation.org>,
Matthew Wood <thepacketgeek@gmail.com>,
asantostc@gmail.com, gustavold@gmail.com,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-team@meta.com
Subject: Re: [PATCH net 1/3] netconsole: return count instead of strnlen(buf, count) from store callbacks
Date: Mon, 27 Apr 2026 03:00:52 -0700 [thread overview]
Message-ID: <ae8zD24sBNtZnYtJ@gmail.com> (raw)
In-Reply-To: <20260426084640.GN900403@horms.kernel.org>
Hello Simon,
On Sun, Apr 26, 2026 at 09:46:40AM +0100, Simon Horman wrote:
> On Thu, Apr 23, 2026 at 02:41:15AM -0700, Breno Leitao wrote:
> > Several configfs store callbacks in netconsole end with:
> >
> > ret = strnlen(buf, count);
> >
> > This under-reports the number of bytes consumed when the input
> > contains an embedded NUL within count, telling the VFS that fewer
> > bytes were written than userspace actually handed in. A conformant
> > partial-write loop would then retry the trailing bytes against a
> > callback that has already accepted them.
> >
> > Every other configfs driver in the tree returns count directly from
> > its store callbacks once parsing has succeeded, including
> > drivers/nvme/target/configfs.c, drivers/gpio/gpio-sim.c,
> > drivers/most/configfs.c, drivers/block/null_blk/main.c,
> > drivers/pci/endpoint/pci-ep-cfs.c, and the rest of the configfs
> > users. netconsole was the outlier (along with
> > drivers/infiniband/core/cma_configfs.c, which has the same latent
> > issue).
> >
> > Align netconsole with the rest of the configfs ecosystem: return
> > count once the parser/validator has accepted the input. The numeric
> > and boolean parsers (kstrtobool, kstrtou16, mac_pton,
> > netpoll_parse_ip_addr) have already validated the meaningful prefix;
> > any trailing bytes are padding and should simply be reported as
> > consumed.
> >
> > Fixes: 0bcc1816188e ("[NET] netconsole: Support dynamic reconfiguration using configfs")
> > Signed-off-by: Breno Leitao <leitao@debian.org>
>
> Reviewed-by: Simon Horman <horms@kernel.org>
>
> FTR: Sashiko has provided an AI generated review of this patch.
> Like it's review of patch 3/3 - which I forwarded separately -
> it flags that trim_newline() may perform an OOB access
> if passed an empty string. But this is not correct because
> trim_newline() correctly handles this case.
You're absolutely right. This has been addressed in the patch that recently
landed in Linus' tree.
It appears Sashiko ran its analysis on a tree predating that fix.
https://github.com/torvalds/linux/commit/7079c8c13f2d33992bc846240517d88f4ab07781
Thanks for the review,
--breno
next prev parent reply other threads:[~2026-04-27 10:01 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-23 9:41 [PATCH net 0/3] netconsole: configfs store callback fixes Breno Leitao
2026-04-23 9:41 ` [PATCH net 1/3] netconsole: return count instead of strnlen(buf, count) from store callbacks Breno Leitao
2026-04-26 8:46 ` Simon Horman
2026-04-27 10:00 ` Breno Leitao [this message]
2026-04-23 9:41 ` [PATCH net 2/3] netconsole: avoid clobbering userdatum value on truncated write Breno Leitao
2026-04-26 8:35 ` Simon Horman
2026-04-27 10:51 ` Breno Leitao
2026-04-23 9:41 ` [PATCH net 3/3] netconsole: propagate device name truncation in dev_name_store() Breno Leitao
2026-04-26 8:39 ` Simon Horman
2026-04-27 10:26 ` Breno Leitao
2026-04-28 9:23 ` Simon Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ae8zD24sBNtZnYtJ@gmail.com \
--to=leitao@debian.org \
--cc=akpm@linux-foundation.org \
--cc=andrew+netdev@lunn.ch \
--cc=asantostc@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=gustavold@gmail.com \
--cc=horms@kernel.org \
--cc=k-keiichi@bx.jp.nec.com \
--cc=kernel-team@meta.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=satyam@infradead.org \
--cc=thepacketgeek@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.