From: David Laight <david.laight.linux@gmail.com>
To: Simon Horman <horms@kernel.org>
Cc: kernel test robot <lkp@intel.com>, Ilya Krutskih <devsec@tpz.ru>,
	Andrew Lunn <andrew+netdev@lunn.ch>,
	oe-kbuild-all@lists.linux.dev, Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@kernel.org>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	lvc-project@linuxtesting.org, stable@vger.kernel.org
Subject: Re: [PATCH v2] net: fealnx: fix possible 'card_idx' integer overflow in
Date: Fri, 12 Dec 2025 17:36:03 +0000
Message-ID: <20251212173603.46f27e9b@pumpkin>
In-Reply-To: <aTwqqxPgMWG9CqJL@horms.kernel.org>

On Fri, 12 Dec 2025 14:46:03 +0000
Simon Horman <horms@kernel.org> wrote:

> On Fri, Dec 12, 2025 at 07:30:04PM +0800, kernel test robot wrote:
> > Hi Ilya,
> > 
> > kernel test robot noticed the following build warnings:
> > 
> > [auto build test WARNING on net-next/main]
> > [also build test WARNING on net/main linus/master v6.18 next-20251212]
> > [If your patch is applied to the wrong git tree, kindly drop us a note.
> > And when submitting patch, we suggest to use '--base' as documented in
> > https://git-scm.com/docs/git-format-patch#_base_tree_information]
> > 
> > url:    https://github.com/intel-lab-lkp/linux/commits/Ilya-Krutskih/net-fealnx-fix-possible-card_idx-integer-overflow-in/20251212-013335
> > base:   net-next/main
> > patch link:    https://lore.kernel.org/r/20251211173035.852756-1-devsec%40tpz.ru
> > patch subject: [PATCH v2] net: fealnx: fix possible 'card_idx' integer overflow in
> > config: alpha-allyesconfig (https://download.01.org/0day-ci/archive/20251212/202512121907.n3Bzh2zF-lkp@intel.com/config)
> > compiler: alpha-linux-gcc (GCC) 15.1.0
> > reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251212/202512121907.n3Bzh2zF-lkp@intel.com/reproduce)
> > 
> > If you fix the issue in a separate patch/commit (i.e. not just a new version of
> > the same patch/commit), kindly add following tags
> > | Reported-by: kernel test robot <lkp@intel.com>
> > | Closes: https://lore.kernel.org/oe-kbuild-all/202512121907.n3Bzh2zF-lkp@intel.com/
> > 
> > All warnings (new ones prefixed by >>):
> > 
> >    drivers/net/ethernet/fealnx.c: In function 'fealnx_init_one':  
> > >> drivers/net/ethernet/fealnx.c:496:35: warning: '%d' directive writing between 1 and 11 bytes into a region of size 6 [-Wformat-overflow=]  
> >      496 |         sprintf(boardname, "fealnx%d", card_idx);
> >          |                                   ^~
> >    drivers/net/ethernet/fealnx.c:496:28: note: directive argument in the range [-2147483647, 2147483647]
> >      496 |         sprintf(boardname, "fealnx%d", card_idx);
> >          |                            ^~~~~~~~~~
> >    drivers/net/ethernet/fealnx.c:496:9: note: 'sprintf' output between 8 and 18 bytes into a destination of size 12
> >      496 |         sprintf(boardname, "fealnx%d", card_idx);
> >          |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
> 
> Although I think these new warnings are not strictly for problems
> introduced by this patch, they do make me wonder
> if it would be best to cap card_index at MAX_UNITS and
> return an error if that limit is exceeded.

The code seems to be written allowing for more than MAX_UNITS 'units'.

Actually it all looks pretty broken to me...
'card_idx' is incremented by every call to fealnx_init_one().
That is the pci_driver.probe() function.
So every card remove and rescan will increment it.
(Is the .probe() even serialised? I can't remember...)

Then there is the MODULE_PARAM_DESC() that states that bit 17 of 'options'
is the 'full duplex' flag, but the code checks 'options & 0x200'.

And I just don't understand the assignment: option = dev->mem_start;

The code was like this when Linux created git.

	David
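
Added example, not part of the message above and not code from the driver: a userspace C sketch of the `-Wformat-overflow` finding quoted in the thread, measuring how many bytes `"fealnx%d"` needs and formatting into the 12-byte destination with a truncation check. The helper names `boardname_bytes_needed` and `format_boardname`, the `BOARDNAME_LEN` macro and the sample indices are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define BOARDNAME_LEN 12	/* destination size reported in the warning */

/* Bytes sprintf("fealnx%d") would write, including the trailing NUL. */
static int boardname_bytes_needed(int card_idx)
{
	return snprintf(NULL, 0, "fealnx%d", card_idx) + 1;
}

/*
 * Bounded formatting: returns 0 on success, -1 if the name does not fit.
 * On failure the buffer holds an empty string and is never overrun.
 */
static int format_boardname(char *buf, size_t len, int card_idx)
{
	int n = snprintf(buf, len, "fealnx%d", card_idx);

	if (n < 0 || (size_t)n >= len) {
		if (len)
			buf[0] = '\0';
		return -1;
	}
	return 0;
}

int main(void)
{
	/* Constructed sample values spanning the range named by the compiler. */
	static const int samples[] = { 0, 7, 99999, 100000, INT_MAX, -INT_MAX };
	char boardname[BOARDNAME_LEN];
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int rc = format_boardname(boardname, sizeof(boardname), samples[i]);

		printf("card_idx=%d needs %d bytes -> %s\n", samples[i],
		       boardname_bytes_needed(samples[i]),
		       rc ? "rejected" : boardname);
	}
	return 0;
}
```

With a 12-byte buffer the largest index that still fits is 99999; anything with six or more digits, or a negative value after the counter wraps, is rejected instead of written past the end.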

Thread overview: 6+ messages
2025-12-11 17:30 [PATCH v2] net: fealnx: fix possible 'card_idx' integer overflow in Ilya Krutskih
2025-12-12  9:45 ` Simon Horman
2025-12-12 11:30 ` kernel test robot
2025-12-12 14:46   ` Simon Horman
2025-12-12 17:36     ` David Laight [this message]
2025-12-13  0:21       ` Francois Romieu
