Linux IIO development
 help / color / mirror / Atom feed
* [bug report] iio: backend: make sure to NULL terminate stack buffer
@ 2026-05-08  9:16 Dan Carpenter
  0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2026-05-08  9:16 UTC (permalink / raw)
  To: Nuno Sá; +Cc: linux-iio

Hello Nuno Sá,

Commit 035b4989211d ("iio: backend: make sure to NULL terminate stack
buffer") from Feb 18, 2025 (linux-next), leads to the following
Smatch static checker warning:

	drivers/iio/industrialio-backend.c:162 iio_backend_debugfs_write_reg()
	warn: 'rc' not checked for partial writes

drivers/iio/industrialio-backend.c
    149 static ssize_t iio_backend_debugfs_write_reg(struct file *file,
    150                                              const char __user *userbuf,
    151                                              size_t count, loff_t *ppos)
    152 {
    153         struct iio_backend *back = file->private_data;
    154         unsigned int val;
    155         char buf[80];
    156         ssize_t rc;
    157         int ret;
    158 
    159         if (count >= sizeof(buf))
    160                 return -ENOSPC;
    161 
--> 162         rc = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count);
    163         if (rc < 0)
    164                 return rc;
    165 
    166         buf[rc] = '\0';

If *ppos is not zero, then the first bytes of buf[] are uninitialized.

The simple_write_to_buffer() function is badly named.  It should really
only be used in situations where it makes sense to split the a big write
into multiple writes.  This should instead just be:

	if (copy_from_user(buf, userbuf, count))
		return -EFAULT;

	buf[count] = '\0';

    167 
    168         ret = sscanf(buf, "%i %i", &back->cached_reg_addr, &val);
    169 
    170         switch (ret) {
    171         case 1:
    172                 return count;
    173         case 2:
    174                 ret = iio_backend_op_call(back, debugfs_reg_access,
    175                                           back->cached_reg_addr, val, NULL);
    176                 if (ret)
    177                         return ret;
    178                 return count;
    179         default:
    180                 return -EINVAL;
    181         }
    182 }

This email is a free service from the Smatch-CI project [smatch.sf.net].

regards,
dan carpenter

^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2026-05-08  9:17 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-08  9:16 [bug report] iio: backend: make sure to NULL terminate stack buffer Dan Carpenter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox