* Re: [PATCH v3] net: caif: fix stack out-of-bounds write in cfctrl_link_setup()
[not found] <20260329190350.19065-1-xiaoguai0992@gmail.com>
@ 2026-03-30 14:24 ` kernel test robot
0 siblings, 0 replies; only message in thread
From: kernel test robot @ 2026-03-30 14:24 UTC (permalink / raw)
To: Kangzheng Gu, davem, edumazet, kuba, pabeni, horms, kees,
thorsten.blum, arnd, sjur.brandeland
Cc: llvm, oe-kbuild-all, netdev, linux-kernel, stable
Hi Kangzheng,
kernel test robot noticed the following build warnings:
[auto build test WARNING on net-next/main]
[also build test WARNING on net/main soc/for-next linus/master v7.0-rc6 next-20260327]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Kangzheng-Gu/net-caif-fix-stack-out-of-bounds-write-in-cfctrl_link_setup/20260330-163130
base: net-next/main
patch link: https://lore.kernel.org/r/20260329190350.19065-1-xiaoguai0992%40gmail.com
patch subject: [PATCH v3] net: caif: fix stack out-of-bounds write in cfctrl_link_setup()
config: hexagon-randconfig-001-20260330 (https://download.01.org/0day-ci/archive/20260330/202603302217.BEd0DrgM-lkp@intel.com/config)
compiler: clang version 23.0.0git (https://github.com/llvm/llvm-project 2cd67b8b69f78e3f95918204320c3075a74ba16c)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260330/202603302217.BEd0DrgM-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202603302217.BEd0DrgM-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> net/caif/cfctrl.c:423:6: warning: format specifies type 'unsigned long' but the argument has type '__size_t' (aka 'unsigned int') [-Wformat]
422 | pr_warn("Request reject, volume name length exceeds %lu\n",
| ~~~
| %zu
423 | sizeof(linkparam.u.rfm.volume));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/printk.h:564:37: note: expanded from macro 'pr_warn'
564 | printk(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
| ~~~ ^~~~~~~~~~~
include/linux/printk.h:511:60: note: expanded from macro 'printk'
511 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
| ~~~ ^~~~~~~~~~~
include/linux/printk.h:483:19: note: expanded from macro 'printk_index_wrap'
483 | _p_func(_fmt, ##__VA_ARGS__); \
| ~~~~ ^~~~~~~~~~~
1 warning generated.
vim +423 net/caif/cfctrl.c
351
352 static int cfctrl_link_setup(struct cfctrl *cfctrl, struct cfpkt *pkt, u8 cmdrsp)
353 {
354 u8 len;
355 u8 linkid = 0;
356 enum cfctrl_srv serv;
357 enum cfctrl_srv servtype;
358 u8 endpoint;
359 u8 physlinkid;
360 u8 prio;
361 u8 tmp;
362 u8 *cp;
363 int i;
364 struct cfctrl_link_param linkparam;
365 struct cfctrl_request_info rsp, *req;
366
367 memset(&linkparam, 0, sizeof(linkparam));
368
369 tmp = cfpkt_extr_head_u8(pkt);
370
371 serv = tmp & CFCTRL_SRV_MASK;
372 linkparam.linktype = serv;
373
374 servtype = tmp >> 4;
375 linkparam.chtype = servtype;
376
377 tmp = cfpkt_extr_head_u8(pkt);
378 physlinkid = tmp & 0x07;
379 prio = tmp >> 3;
380
381 linkparam.priority = prio;
382 linkparam.phyid = physlinkid;
383 endpoint = cfpkt_extr_head_u8(pkt);
384 linkparam.endpoint = endpoint & 0x03;
385
386 switch (serv) {
387 case CFCTRL_SRV_VEI:
388 case CFCTRL_SRV_DBG:
389 if (CFCTRL_ERR_BIT & cmdrsp)
390 break;
391 /* Link ID */
392 linkid = cfpkt_extr_head_u8(pkt);
393 break;
394 case CFCTRL_SRV_VIDEO:
395 tmp = cfpkt_extr_head_u8(pkt);
396 linkparam.u.video.connid = tmp;
397 if (CFCTRL_ERR_BIT & cmdrsp)
398 break;
399 /* Link ID */
400 linkid = cfpkt_extr_head_u8(pkt);
401 break;
402
403 case CFCTRL_SRV_DATAGRAM:
404 linkparam.u.datagram.connid = cfpkt_extr_head_u32(pkt);
405 if (CFCTRL_ERR_BIT & cmdrsp)
406 break;
407 /* Link ID */
408 linkid = cfpkt_extr_head_u8(pkt);
409 break;
410 case CFCTRL_SRV_RFM:
411 /* Construct a frame, convert
412 * DatagramConnectionID
413 * to network format long and copy it out...
414 */
415 linkparam.u.rfm.connid = cfpkt_extr_head_u32(pkt);
416 cp = (u8 *) linkparam.u.rfm.volume;
417 for (tmp = cfpkt_extr_head_u8(pkt);
418 cfpkt_more(pkt) && tmp != '\0';
419 tmp = cfpkt_extr_head_u8(pkt)) {
420 if (cp >= (u8 *)linkparam.u.rfm.volume +
421 sizeof(linkparam.u.rfm.volume) - 1) {
422 pr_warn("Request reject, volume name length exceeds %lu\n",
> 423 sizeof(linkparam.u.rfm.volume));
424 cmdrsp |= CFCTRL_ERR_BIT;
425 break;
426 }
427 *cp++ = tmp;
428 }
429 *cp = '\0';
430
431 if (CFCTRL_ERR_BIT & cmdrsp)
432 break;
433 /* Link ID */
434 linkid = cfpkt_extr_head_u8(pkt);
435
436 break;
437 case CFCTRL_SRV_UTIL:
438 /* Construct a frame, convert
439 * DatagramConnectionID
440 * to network format long and copy it out...
441 */
442 /* Fifosize KB */
443 linkparam.u.utility.fifosize_kb = cfpkt_extr_head_u16(pkt);
444 /* Fifosize bufs */
445 linkparam.u.utility.fifosize_bufs = cfpkt_extr_head_u16(pkt);
446 /* name */
447 cp = (u8 *) linkparam.u.utility.name;
448 caif_assert(sizeof(linkparam.u.utility.name)
449 >= UTILITY_NAME_LENGTH);
450 for (i = 0; i < UTILITY_NAME_LENGTH && cfpkt_more(pkt); i++) {
451 tmp = cfpkt_extr_head_u8(pkt);
452 *cp++ = tmp;
453 }
454 /* Length */
455 len = cfpkt_extr_head_u8(pkt);
456 linkparam.u.utility.paramlen = len;
457 /* Param Data */
458 cp = linkparam.u.utility.params;
459 while (cfpkt_more(pkt) && len--) {
460 tmp = cfpkt_extr_head_u8(pkt);
461 *cp++ = tmp;
462 }
463 if (CFCTRL_ERR_BIT & cmdrsp)
464 break;
465 /* Link ID */
466 linkid = cfpkt_extr_head_u8(pkt);
467 /* Length */
468 len = cfpkt_extr_head_u8(pkt);
469 /* Param Data */
470 cfpkt_extr_head(pkt, NULL, len);
471 break;
472 default:
473 pr_warn("Request setup, invalid type (%d)\n", serv);
474 return -1;
475 }
476
477 rsp.cmd = CFCTRL_CMD_LINK_SETUP;
478 rsp.param = linkparam;
479 spin_lock_bh(&cfctrl->info_list_lock);
480 req = cfctrl_remove_req(cfctrl, &rsp);
481
482 if (CFCTRL_ERR_BIT == (CFCTRL_ERR_BIT & cmdrsp) ||
483 cfpkt_erroneous(pkt)) {
484 pr_err("Invalid O/E bit or parse error "
485 "on CAIF control channel\n");
486 cfctrl->res.reject_rsp(cfctrl->serv.layer.up, 0,
487 req ? req->client_layer : NULL);
488 } else {
489 cfctrl->res.linksetup_rsp(cfctrl->serv.layer.up, linkid,
490 serv, physlinkid,
491 req ? req->client_layer : NULL);
492 }
493
494 kfree(req);
495
496 spin_unlock_bh(&cfctrl->info_list_lock);
497
498 return 0;
499 }
500
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2026-03-30 14:25 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20260329190350.19065-1-xiaoguai0992@gmail.com>
2026-03-30 14:24 ` [PATCH v3] net: caif: fix stack out-of-bounds write in cfctrl_link_setup() kernel test robot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox