* [REGRESSION] mt76: fortify panic on mt7921e during firmware load (bisected)
From: Mikhail Gavrilov @ 2025-12-05 11:06 UTC (permalink / raw)
To: superm1, Felix Fietkau, Linux List Kernel Mailing,
Linux List Kernel Mailing, Linux regressions mailing list
Hi,
After updating to a kernel containing commit
f804a5895eba ("wifi: mt76: Strip whitespace from build date")
the MediaTek MT7921e (PCIe) Wi-Fi card triggers a fortify buffer-overrun
warning followed by a kernel BUG/panic very early during boot while the
driver is loading firmware:
[ 22.955210] strnlen: detected buffer overflow: 17 byte read of buffer size 16
[ 22.955519] kernel BUG at lib/string_helpers.c:1043!
[ 22.955523] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
...
[ 22.955544] mt76_connac2_load_patch.cold+0x180/0x1ea [mt76_connac_lib]
[ 22.955560] mt792x_load_firmware+0x85/0x420 [mt792x_lib]
[ 22.955563] mt7921_run_firmware+0x67/0x180 [mt7921_common]
[ 22.955567] mt7921e_mcu_init+0xba/0x18d [mt7921e]
...
Full dmesg and .config are attached (dmesg-6.18.0-559e608c4655.txt,
.config). The system is an ASUS ROG STRIX B650E-I GAMING WIFI with a Ryzen 9
7950 (non-X3D); the Wi-Fi card is the onboard MediaTek MT7921e. Full probe:
https://linux-hardware.org/?probe=e7346d94e1
Bisection cleanly points to the offending commit:
Author: Mario Limonciello (AMD) <superm1@kernel.org>
Date: Thu Nov 20 09:58:27 2025 -0600
wifi: mt76: Strip whitespace from build ddate
On systems I have with mt7925 cards I've been noticing a blank line in my
kernel logs. IE:
```
[ 17.294105] mt7925e 0000:c3:00.0: HW/SW Version: 0x8a108a10,
Build Time: 20250721232852a
[ 17.314233] r8169 0000:c4:00.0 enp196s0f0: Link is Down
```
This is because the build_date from the header has a newline character
as does the dev_info() print. As the firmware isn't guaranteed to always
have a newline but the print is, copy the firmware build date to a
temporary variable and strip any whitespace from it before showing it in
the logs.
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Link: https://patch.msgid.link/20251120155829.3494747-1-superm1@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
Reverting f804a5895eba on top of 559e608c4655 makes the panic disappear
completely and the Wi-Fi card works normally again.
The problem is caused by the new code in mt76_connac_mcu.c that copies
the firmware build-date string into a stack buffer of size 16 and then
calls str_replace(build_date, " ", "") (and later dev_info() with the
modified buffer). The firmware on the MT7921e card apparently contains
a build-date string that is exactly 16 bytes long plus the trailing NUL,
so after the first space is replaced with a NUL the following strim()
(or any other string function) still walks past the end of the 16-byte
buffer when it looks for more whitespace, triggering the fortify check.
I do not have a proposed fix yet, but reverting the commit is a reliable
workaround for now.
#regzbot introduced: f804a5895eba
--
Best Regards,
Mike Gavrilov.
[-- Attachment #2: dmesg-6.18.0-559e608c4655.zip --]
[-- Type: application/zip, Size: 49239 bytes --]
[-- Attachment #3: .config.zip --]
[-- Type: application/zip, Size: 70746 bytes --]
* [PATCH] [PATCH] wifi: mt76: Fix strscpy buffer overflow in mt76_connac2_load_patch
From: Mikhail Gavrilov @ 2025-12-05 15:45 UTC (permalink / raw)
To: Mario Limonciello
Cc: Felix Fietkau, Lorenzo Bianconi, linux-wireless, linux-mediatek,
linux-kernel, Mikhail Gavrilov
Commit f804a5895eba ("wifi: mt76: Strip whitespace from build ddate") introduced
a kernel panic/WARN on systems using MediaTek MT7921e (and potentially others
using mt76_connac_lib) due to an incorrect buffer size calculation.
The error logged is:
"strnlen: detected buffer overflow: 17 byte read of buffer size 16"
This occurs because the field 'hdr->build_date' is a fixed-size array of 16 bytes.
The patch allocated a 17-byte local buffer 'build_date' but used 'sizeof(build_date)'
(17) as the read limit for strscpy, causing Fortify Source to correctly detect
an attempt to read 17 bytes from the 16-byte source field.
To fix this, replace strscpy with memcpy, which is appropriate for raw data
copying, and explicitly use the size of the source field (sizeof(hdr->build_date) = 16)
to limit the read, followed by manual null termination.
Fixes: f804a5895eba ("wifi: mt76: Strip whitespace from build ddate")
Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
---
drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
index ea99167765b0..d2c4c65ec464 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
@@ -3125,8 +3125,11 @@ int mt76_connac2_load_patch(struct mt76_dev *dev, const char *fw_name)
}
hdr = (const void *)fw->data;
- strscpy(build_date, hdr->build_date, sizeof(build_date));
- build_date[16] = '\0';
+ /* hdr->build_date is 16 bytes. Copy exactly 16 bytes to the 17-byte buffer,
+ * and then add the null terminator at index 16.
+ */
+ memcpy(build_date, hdr->build_date, sizeof(hdr->build_date));
+ build_date[sizeof(hdr->build_date)] = '\0';
strim(build_date);
dev_info(dev->dev, "HW/SW Version: 0x%x, Build Time: %.16s\n",
be32_to_cpu(hdr->hw_sw_ver), build_date);
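Review bot: the copy length and terminator index are now derived from sizeof(hdr->build_date), but the destination is still the hand-sized "17-byte buffer" the new comment refers to, so the three sizes can drift apart again on the next edit. Declaring it as `char build_date[sizeof(hdr->build_date) + 1];` (legal at the top of the function since sizeof does not evaluate hdr) ties all of them to the header field, and the comment can then drop the literal 16 and 17 and say what actually matters: the field is a fixed-size array that is not guaranteed to be NUL-terminated, which is why memcpy rather than strscpy is the right primitive here.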
--
2.52.0
* [PATCH v2] wifi: mt76: Fix strscpy buffer overflow in mt76_connac2_load_patch
From: Mikhail Gavrilov @ 2025-12-05 16:12 UTC (permalink / raw)
To: Mario Limonciello
Cc: Felix Fietkau, Lorenzo Bianconi, linux-wireless, linux-mediatek,
linux-kernel, Mikhail Gavrilov
Commit f804a5895eba ("wifi: mt76: Strip whitespace from build ddate") introduced
a kernel panic/WARN on systems using MediaTek MT7921e (and potentially others
using mt76_connac_lib) due to an incorrect buffer size calculation.
The error logged is:
"strnlen: detected buffer overflow: 17 byte read of buffer size 16"
This occurs because the field 'hdr->build_date' is a fixed-size array of 16 bytes.
The patch allocated a 17-byte local buffer 'build_date' but used 'sizeof(build_date)'
(17) as the read limit for strscpy, causing Fortify Source to correctly detect
an attempt to read 17 bytes from the 16-byte source field.
To fix this, replace strscpy with memcpy, which is appropriate for raw data
copying, and explicitly use the size of the source field (sizeof(hdr->build_date) = 16)
to limit the read, followed by manual null termination.
Fixes: f804a5895eba ("wifi: mt76: Strip whitespace from build ddate")
Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
---
drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
index ea99167765b0..d2c4c65ec464 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
@@ -3125,8 +3125,11 @@ int mt76_connac2_load_patch(struct mt76_dev *dev, const char *fw_name)
}
hdr = (const void *)fw->data;
- strscpy(build_date, hdr->build_date, sizeof(build_date));
- build_date[16] = '\0';
+ /* hdr->build_date is 16 bytes. Copy exactly 16 bytes to the 17-byte buffer,
+ * and then add the null terminator at index 16.
+ */
+ memcpy(build_date, hdr->build_date, sizeof(hdr->build_date));
+ build_date[sizeof(hdr->build_date)] = '\0';
strim(build_date);
dev_info(dev->dev, "HW/SW Version: 0x%x, Build Time: %.16s\n",
be32_to_cpu(hdr->hw_sw_ver), build_date);
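Review bot: with build_date now unconditionally NUL-terminated at index 16, the `%.16s` precision in the dev_info() format is redundant and obscures the invariant the hunk establishes; a plain `%s` reads more honestly. On the unchanged `strim(build_date);` line, strim() only trims trailing whitespace in place and returns the pointer past any leading whitespace, so discarding its return value means leading spaces in the firmware field would still be printed; passing `strim(build_date)` directly as the dev_info() argument covers both ends. Pre-existing, but cheap to fix while these lines are being touched.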
--
2.52.0
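To make the mechanism described in the commit message concrete, here is an added userspace example; it is not code from this thread or from the mt76 driver. `struct patch_hdr` is a constructed stand-in that reproduces only the 16-byte, non-NUL-terminated `build_date` field (the real header has more fields and a different layout). `fortified_strnlen()` models the bounds check that the kernel's fortified `strnlen()` performs when `strscpy()` measures its source, and `trim()` stands in for the kernel's `strim()`. The sample header bytes are constructed to match the "Build Time: 20250721232852a" log line quoted in the original commit.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the firmware patch header: only the field size
 * (16 bytes, not NUL-terminated) matters here; the real struct has more
 * fields and a different layout. */
struct patch_hdr {
	uint32_t hw_sw_ver;
	char build_date[16];
};

/* Userspace model of the kernel's fortified strnlen(): the scan is clamped
 * to the known object size, and an over-read is reported when the scan ran
 * off the end of the object while the caller asked for more bytes. Returns
 * 0 on a clean read, -1 where the kernel would call fortify_panic(). */
static int fortified_strnlen(const char *p, size_t p_size, size_t maxlen,
			     size_t *len)
{
	size_t bound = maxlen < p_size ? maxlen : p_size;

	*len = strnlen(p, bound);
	if (p_size <= *len && maxlen != *len)
		return -1;
	return 0;
}

/* strscpy(dst, src, n) starts by measuring src with strnlen(src, n).
 * Passing n = sizeof(dst) = 17 against a 16-byte source with no NUL is
 * the "17 byte read of buffer size 16" from the report. Returns 1 when
 * the fortify model would have panicked, 0 otherwise. */
static int strscpy_read_would_panic(const struct patch_hdr *hdr, size_t n)
{
	size_t len;

	return fortified_strnlen(hdr->build_date, sizeof(hdr->build_date),
				 n, &len) < 0;
}

/* Minimal equivalent of the kernel's strim(): drop trailing whitespace in
 * place, return a pointer past any leading whitespace. */
static char *trim(char *s)
{
	size_t n = strlen(s);

	while (n && isspace((unsigned char)s[n - 1]))
		s[--n] = '\0';
	while (isspace((unsigned char)*s))
		s++;
	return s;
}

/* The corrected pattern: copy exactly the field, NUL-terminate one past
 * it, then trim. out must hold sizeof(hdr->build_date) + 1 bytes; returns
 * the trimmed string, or NULL if the caller's buffer is too small. */
static char *build_date_string(const struct patch_hdr *hdr, char *out,
			       size_t out_size)
{
	if (out_size < sizeof(hdr->build_date) + 1)
		return NULL;
	memcpy(out, hdr->build_date, sizeof(hdr->build_date));
	out[sizeof(hdr->build_date)] = '\0';
	return trim(out);
}

/* Constructed header: 15 digits/letters plus a trailing newline fill all
 * 16 bytes, mirroring the log line in the original commit message. There
 * is no NUL anywhere in the field. */
static const struct patch_hdr sample_hdr = {
	.hw_sw_ver = 0x8a108a10,
	.build_date = { '2', '0', '2', '5', '0', '7', '2', '1',
			'2', '3', '2', '8', '5', '2', 'a', '\n' },
};

int main(void)
{
	char buf[sizeof(sample_hdr.build_date) + 1];
	const char *date = build_date_string(&sample_hdr, buf, sizeof(buf));

	printf("read limit 17 panics: %d\n",
	       strscpy_read_would_panic(&sample_hdr, 17));
	printf("read limit 16 panics: %d\n",
	       strscpy_read_would_panic(&sample_hdr, 16));
	printf("HW/SW Version: 0x%x, Build Time: %s\n",
	       (unsigned)sample_hdr.hw_sw_ver, date);
	return 0;
}
```

With a read limit of `sizeof(dst)` (17) the model reports the over-read that fortify turned into a kernel BUG; with the source field's own size (16) it passes. The memcpy path never measures the source at all, so it yields the trimmed date whether or not the field happens to contain a NUL.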
* Re: [PATCH v2] wifi: mt76: Fix strscpy buffer overflow in mt76_connac2_load_patch
From: Mario Limonciello @ 2025-12-05 18:14 UTC (permalink / raw)
To: Mikhail Gavrilov
Cc: Felix Fietkau, Lorenzo Bianconi, linux-wireless, linux-mediatek,
linux-kernel
On 12/5/25 10:12 AM, Mikhail Gavrilov wrote:
> Commit f804a5895eba ("wifi: mt76: Strip whitespace from build ddate") introduced
> a kernel panic/WARN on systems using MediaTek MT7921e (and potentially others
> using mt76_connac_lib) due to an incorrect buffer size calculation.
>
> The error logged is:
> "strnlen: detected buffer overflow: 17 byte read of buffer size 16"
>
> This occurs because the field 'hdr->build_date' is a fixed-size array of 16 bytes.
> The patch allocated a 17-byte local buffer 'build_date' but used 'sizeof(build_date)'
> (17) as the read limit for strscpy, causing Fortify Source to correctly detect
> an attempt to read 17 bytes from the 16-byte source field.
>
> To fix this, replace strscpy with memcpy, which is appropriate for raw data
> copying, and explicitly use the size of the source field (sizeof(hdr->build_date) = 16)
> to limit the read, followed by manual null termination.
>
> Fixes: f804a5895eba ("wifi: mt76: Strip whitespace from build ddate")
> Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
> ---
> drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
> index ea99167765b0..d2c4c65ec464 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
> @@ -3125,8 +3125,11 @@ int mt76_connac2_load_patch(struct mt76_dev *dev, const char *fw_name)
> }
>
> hdr = (const void *)fw->data;
> - strscpy(build_date, hdr->build_date, sizeof(build_date));
> - build_date[16] = '\0';
> + /* hdr->build_date is 16 bytes. Copy exactly 16 bytes to the 17-byte buffer,
> + * and then add the null terminator at index 16.
> + */
> + memcpy(build_date, hdr->build_date, sizeof(hdr->build_date));
> + build_date[sizeof(hdr->build_date)] = '\0';
> strim(build_date);
> dev_info(dev->dev, "HW/SW Version: 0x%x, Build Time: %.16s\n",
> be32_to_cpu(hdr->hw_sw_ver), build_date);
* Re: [PATCH v2] wifi: mt76: Fix strscpy buffer overflow in mt76_connac2_load_patch
From: Eric Biggers @ 2025-12-13 2:35 UTC (permalink / raw)
To: Mikhail Gavrilov
Cc: Mario Limonciello, Felix Fietkau, Lorenzo Bianconi,
linux-wireless, linux-mediatek, linux-kernel
On Fri, Dec 05, 2025 at 09:12:02PM +0500, Mikhail Gavrilov wrote:
> Commit f804a5895eba ("wifi: mt76: Strip whitespace from build ddate") introduced
> a kernel panic/WARN on systems using MediaTek MT7921e (and potentially others
> using mt76_connac_lib) due to an incorrect buffer size calculation.
>
> The error logged is:
> "strnlen: detected buffer overflow: 17 byte read of buffer size 16"
>
> This occurs because the field 'hdr->build_date' is a fixed-size array of 16 bytes.
> The patch allocated a 17-byte local buffer 'build_date' but used 'sizeof(build_date)'
> (17) as the read limit for strscpy, causing Fortify Source to correctly detect
> an attempt to read 17 bytes from the 16-byte source field.
>
> To fix this, replace strscpy with memcpy, which is appropriate for raw data
> copying, and explicitly use the size of the source field (sizeof(hdr->build_date) = 16)
> to limit the read, followed by manual null termination.
>
> Fixes: f804a5895eba ("wifi: mt76: Strip whitespace from build ddate")
> Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
> ---
> drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
> index ea99167765b0..d2c4c65ec464 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
> @@ -3125,8 +3125,11 @@ int mt76_connac2_load_patch(struct mt76_dev *dev, const char *fw_name)
> }
>
> hdr = (const void *)fw->data;
> - strscpy(build_date, hdr->build_date, sizeof(build_date));
> - build_date[16] = '\0';
> + /* hdr->build_date is 16 bytes. Copy exactly 16 bytes to the 17-byte buffer,
> + * and then add the null terminator at index 16.
> + */
> + memcpy(build_date, hdr->build_date, sizeof(hdr->build_date));
> + build_date[sizeof(hdr->build_date)] = '\0';
> strim(build_date);
> dev_info(dev->dev, "HW/SW Version: 0x%x, Build Time: %.16s\n",
> be32_to_cpu(hdr->hw_sw_ver), build_date);
Tested-by: Eric Biggers <ebiggers@kernel.org>
Can this be sent upstream soon?
- Eric
* Re: [PATCH v2] wifi: mt76: Fix strscpy buffer overflow in mt76_connac2_load_patch
From: Mario Limonciello (AMD) (kernel.org) @ 2025-12-13 2:50 UTC (permalink / raw)
To: Eric Biggers, Mikhail Gavrilov
Cc: Felix Fietkau, Lorenzo Bianconi, linux-wireless, linux-mediatek,
linux-kernel
On 12/12/2025 8:35 PM, Eric Biggers wrote:
> On Fri, Dec 05, 2025 at 09:12:02PM +0500, Mikhail Gavrilov wrote:
>> Commit f804a5895eba ("wifi: mt76: Strip whitespace from build ddate") introduced
>> a kernel panic/WARN on systems using MediaTek MT7921e (and potentially others
>> using mt76_connac_lib) due to an incorrect buffer size calculation.
>>
>> The error logged is:
>> "strnlen: detected buffer overflow: 17 byte read of buffer size 16"
>>
>> This occurs because the field 'hdr->build_date' is a fixed-size array of 16 bytes.
>> The patch allocated a 17-byte local buffer 'build_date' but used 'sizeof(build_date)'
>> (17) as the read limit for strscpy, causing Fortify Source to correctly detect
>> an attempt to read 17 bytes from the 16-byte source field.
>>
>> To fix this, replace strscpy with memcpy, which is appropriate for raw data
>> copying, and explicitly use the size of the source field (sizeof(hdr->build_date) = 16)
>> to limit the read, followed by manual null termination.
>>
>> Fixes: f804a5895eba ("wifi: mt76: Strip whitespace from build ddate")
>> Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
>> ---
>> drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 7 +++++--
>> 1 file changed, 5 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
>> index ea99167765b0..d2c4c65ec464 100644
>> --- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
>> +++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
>> @@ -3125,8 +3125,11 @@ int mt76_connac2_load_patch(struct mt76_dev *dev, const char *fw_name)
>> }
>>
>> hdr = (const void *)fw->data;
>> - strscpy(build_date, hdr->build_date, sizeof(build_date));
>> - build_date[16] = '\0';
>> + /* hdr->build_date is 16 bytes. Copy exactly 16 bytes to the 17-byte buffer,
>> + * and then add the null terminator at index 16.
>> + */
>> + memcpy(build_date, hdr->build_date, sizeof(hdr->build_date));
>> + build_date[sizeof(hdr->build_date)] = '\0';
>> strim(build_date);
>> dev_info(dev->dev, "HW/SW Version: 0x%x, Build Time: %.16s\n",
>> be32_to_cpu(hdr->hw_sw_ver), build_date);
>
> Tested-by: Eric Biggers <ebiggers@kernel.org>
>
> Can this be sent upstream soon?
>
> - Eric
Tested-by: Mario Limonciello (AMD) <superm1@kernel.org>
* Re: [PATCH v2] wifi: mt76: Fix strscpy buffer overflow in mt76_connac2_load_patch
From: Matthew Schwartz @ 2025-12-19 20:49 UTC (permalink / raw)
To: Mikhail Gavrilov
Cc: Mario Limonciello, Felix Fietkau, Lorenzo Bianconi,
linux-wireless, linux-mediatek, linux-kernel
> On Dec 5, 2025, at 8:12 AM, Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com> wrote:
>
> Commit f804a5895eba ("wifi: mt76: Strip whitespace from build ddate") introduced
> a kernel panic/WARN on systems using MediaTek MT7921e (and potentially others
> using mt76_connac_lib) due to an incorrect buffer size calculation.
>
> The error logged is:
> "strnlen: detected buffer overflow: 17 byte read of buffer size 16"
>
> This occurs because the field 'hdr->build_date' is a fixed-size array of 16 bytes.
> The patch allocated a 17-byte local buffer 'build_date' but used 'sizeof(build_date)'
> (17) as the read limit for strscpy, causing Fortify Source to correctly detect
> an attempt to read 17 bytes from the 16-byte source field.
>
> To fix this, replace strscpy with memcpy, which is appropriate for raw data
> copying, and explicitly use the size of the source field (sizeof(hdr->build_date) = 16)
> to limit the read, followed by manual null termination.
>
> Fixes: f804a5895eba ("wifi: mt76: Strip whitespace from build ddate")
> Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Ran into this kernel panic while booting into 6.19-rc1 on my handheld; this patch fixed it.
Tested-by: Matthew Schwartz <matthew.schwartz@linux.dev>
> ---
> drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
> index ea99167765b0..d2c4c65ec464 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
> @@ -3125,8 +3125,11 @@ int mt76_connac2_load_patch(struct mt76_dev *dev, const char *fw_name)
> }
>
> hdr = (const void *)fw->data;
> - strscpy(build_date, hdr->build_date, sizeof(build_date));
> - build_date[16] = '\0';
> + /* hdr->build_date is 16 bytes. Copy exactly 16 bytes to the 17-byte buffer,
> + * and then add the null terminator at index 16.
> + */
> + memcpy(build_date, hdr->build_date, sizeof(hdr->build_date));
> + build_date[sizeof(hdr->build_date)] = '\0';
> strim(build_date);
> dev_info(dev->dev, "HW/SW Version: 0x%x, Build Time: %.16s\n",
> be32_to_cpu(hdr->hw_sw_ver), build_date);
> --
> 2.52.0
>
>
* Re: [PATCH v2] wifi: mt76: Fix strscpy buffer overflow in mt76_connac2_load_patch
From: Filippo Rossoni @ 2025-12-22 10:48 UTC (permalink / raw)
To: matthew.schwartz
Cc: linux-kernel, linux-mediatek, linux-wireless, lorenzo,
mikhail.v.gavrilov, nbd, superm1
Hello,
What is the status of this patch?
I'm compiling the latest kernel with this patch to have Wi-Fi working.
The current status is not working; if there are problems with this patch,
I propose to revert the commit
[f804a5895ebad2b2d4fb8a3688d2115926e993d5] wifi: mt76: Strip
whitespace from build ddate
[-- Attachment #2: wifi.patch --]
[-- Type: text/x-patch, Size: 1383 bytes --]
diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
index ea99167765b0..0fbfa449d6fe 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
@@ -3101,7 +3101,7 @@ int mt76_connac2_load_patch(struct mt76_dev *dev, const char *fw_name)
int i, ret, sem, max_len = mt76_is_sdio(dev) ? 2048 : 4096;
const struct mt76_connac2_patch_hdr *hdr;
const struct firmware *fw = NULL;
- char build_date[17];
+
sem = mt76_connac_mcu_patch_sem_ctrl(dev, true);
switch (sem) {
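Review bot: the removed `char build_date[17];` is replaced by an empty `+` line instead of being deleted, which leaves a stray blank line in the declaration block that checkpatch will flag. Since hdr is declared two lines above, the buffer can simply stay here as `char build_date[sizeof(hdr->build_date) + 1];` (sizeof does not evaluate hdr), which ties the size to the header field without the block-scoped declaration the next hunk introduces.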
@@ -3125,12 +3125,14 @@ int mt76_connac2_load_patch(struct mt76_dev *dev, const char *fw_name)
}
hdr = (const void *)fw->data;
- strscpy(build_date, hdr->build_date, sizeof(build_date));
- build_date[16] = '\0';
- strim(build_date);
- dev_info(dev->dev, "HW/SW Version: 0x%x, Build Time: %.16s\n",
- be32_to_cpu(hdr->hw_sw_ver), build_date);
-
+ {
+ char build_date[sizeof(hdr->build_date)+1];
+ memcpy(build_date, hdr->build_date, sizeof(hdr->build_date));
+ build_date[sizeof(hdr->build_date)] = '\0';
+ strim(build_date);
+ dev_info(dev->dev, "HW/SW Version: 0x%x, Build Time: %.16s\n",
+ be32_to_cpu(hdr->hw_sw_ver), build_date);
+ }
for (i = 0; i < be32_to_cpu(hdr->desc.n_region); i++) {
struct mt76_connac2_patch_sec *sec;
u32 len, addr, mode;
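Review bot: the bare `{ ... }` block exists only to scope build_date and is not kernel style; keep the declaration at function scope and drop the extra braces and the re-indentation of the five lines inside them. `sizeof(hdr->build_date)+1` also needs spaces around the `+`. Functionally this is the same memcpy plus NUL-terminate as the [PATCH v2] already under review in this thread, but it arrived as an attachment with no commit message, no Fixes: tag and no Signed-off-by, so it cannot be applied as posted.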
* Re: [PATCH v2] wifi: mt76: Fix strscpy buffer overflow in mt76_connac2_load_patch
From: Nathan Chancellor @ 2025-12-23 21:54 UTC (permalink / raw)
To: Mikhail Gavrilov
Cc: Mario Limonciello, Felix Fietkau, Lorenzo Bianconi,
linux-wireless, linux-mediatek, linux-kernel, Johannes Berg,
Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, netdev
+ netdev and wireless/networking maintainers
On Fri, Dec 05, 2025 at 09:12:02PM +0500, Mikhail Gavrilov wrote:
> Commit f804a5895eba ("wifi: mt76: Strip whitespace from build ddate") introduced
> a kernel panic/WARN on systems using MediaTek MT7921e (and potentially others
> using mt76_connac_lib) due to an incorrect buffer size calculation.
>
> The error logged is:
> "strnlen: detected buffer overflow: 17 byte read of buffer size 16"
>
> This occurs because the field 'hdr->build_date' is a fixed-size array of 16 bytes.
> The patch allocated a 17-byte local buffer 'build_date' but used 'sizeof(build_date)'
> (17) as the read limit for strscpy, causing Fortify Source to correctly detect
> an attempt to read 17 bytes from the 16-byte source field.
>
> To fix this, replace strscpy with memcpy, which is appropriate for raw data
> copying, and explicitly use the size of the source field (sizeof(hdr->build_date) = 16)
> to limit the read, followed by manual null termination.
>
> Fixes: f804a5895eba ("wifi: mt76: Strip whitespace from build ddate")
> Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
I got bit by this regression when installing v6.19-rc2 on my new test
machine, which has an MT7925 (RZ717) chip in it. I don't see this in
either Felix's or the main wireless tree yet but I do understand it is
the end of the year with breaks and such (along with Johannes not
actually being on CC since he is not in the output of get_maintainers.pl
for drivers/net/wireless/mediatek/mt76). If there is not going to be a
wireless pull soon, can this be applied to net directly so that it gets
to Linus soon? It was rather annoying to do a bisect for a regression
that already has a pending fix.
Tested-by: Nathan Chancellor <nathan@kernel.org>
> ---
> drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
> index ea99167765b0..d2c4c65ec464 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
> @@ -3125,8 +3125,11 @@ int mt76_connac2_load_patch(struct mt76_dev *dev, const char *fw_name)
> }
>
> hdr = (const void *)fw->data;
> - strscpy(build_date, hdr->build_date, sizeof(build_date));
> - build_date[16] = '\0';
> + /* hdr->build_date is 16 bytes. Copy exactly 16 bytes to the 17-byte buffer,
> + * and then add the null terminator at index 16.
> + */
> + memcpy(build_date, hdr->build_date, sizeof(hdr->build_date));
> + build_date[sizeof(hdr->build_date)] = '\0';
> strim(build_date);
> dev_info(dev->dev, "HW/SW Version: 0x%x, Build Time: %.16s\n",
> be32_to_cpu(hdr->hw_sw_ver), build_date);
> --
> 2.52.0
>