public inbox for netdev@vger.kernel.org
From: Greg KH <gregkh@linuxfoundation.org>
To: Omer Zalman <omerzalman42@gmail.com>
Cc: oliver@neukum.org, andrew+netdev@lunn.ch, davem@davemloft.net,
	edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
	linux-usb@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH 2/2] net: usb: cdc_ncm: prevent silent u16 truncation in min_tx_pkt_store()
Date: Wed, 18 Mar 2026 07:37:12 +0100
Message-ID: <2026031801-skiing-decade-eccd@gregkh>
In-Reply-To: <20260318040632.69531-2-omerzalman42@gmail.com>

On Tue, Mar 17, 2026 at 11:06:32PM -0500, Omer Zalman wrote:
> min_tx_pkt is a u16 field but the sysfs store handler accepted any
> unsigned long and assigned it directly. Values that do not fit in 16
> bits silently truncate: writing 65537 wraps to 1, turning a
> "never pad" intent into "always pad".
> 
> ctx->tx_max can itself reach 65537 because cdc_ncm_update_rxtx_max()
> increments the negotiated NTB size by one pad byte when it is an exact
> multiple of the USB maxpacket size.
> 
> Clamp the stored value to min(tx_max, U16_MAX). Any value above tx_max
> is already semantically equivalent to tx_max since frame lengths never
> exceed it; the U16_MAX cap ensures the result is always representable
> in the u16 field without wrapping.
> 
> Fixes: 39eb7e0e8c88 ("net: cdc_ncm: allow tuning min_tx_pkt")
> Signed-off-by: Omer Zalman <omerzalman42@gmail.com>
> ---
>  drivers/net/usb/cdc_ncm.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
> index 6fcb4d711a64..edd69f4e1596 100644
> --- a/drivers/net/usb/cdc_ncm.c
> +++ b/drivers/net/usb/cdc_ncm.c
> @@ -242,11 +242,17 @@ static ssize_t min_tx_pkt_store(struct device *d,
>  	struct cdc_ncm_ctx *ctx = (struct cdc_ncm_ctx *)dev->data[0];
>  	unsigned long val;
>  
> -	/* no need to restrict values - anything from 0 to infinity is OK */
>  	if (kstrtoul(buf, 0, &val))
>  		return -EINVAL;
>  
> -	ctx->min_tx_pkt = val;
> +	/* Clamp to tx_max: the frame length can never exceed tx_max,
> +	 * so any threshold above it has the same effect (padding is
> +	 * never applied).  Also cap at U16_MAX since min_tx_pkt is
> +	 * a u16 - without this, values like 65537 silently wrap to 1
> +	 * and invert the intended behavior.
> +	 */
> +	ctx->min_tx_pkt = min_t(unsigned long, val,
> +				min_t(u32, ctx->tx_max, U16_MAX));
>  	return len;
>  }
>  
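
Review bot: the new assignment to ctx->min_tx_pkt adjusts the value silently, so a write of 65537 still returns len and the writer never learns that a different number was stored. Consider rejecting val > U16_MAX with -EINVAL (or -ERANGE) instead of clamping it, or say explicitly in the commit message that reading the attribute back can differ from what was written. The nested `min_t(unsigned long, val, min_t(u32, ctx->tx_max, U16_MAX))` also mixes two cast types in one expression; computing the limit into a local first, or using a single-type min3(), would make it easier to confirm that no narrowing happens before the final store into the u16 field.
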
> -- 
> 2.39.5 (Apple Git-154)
> 
> 

Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- You have marked a patch with a "Fixes:" tag for a commit that is in an
  older released kernel, yet you do not have a cc: stable line in the
  signed-off-by area at all, which means that the patch will not be
  applied to any older kernel releases.  To properly fix this, please
  follow the documented rules in the
  Documentation/process/stable-kernel-rules.rst file for how to resolve
  this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

Thread overview: 4+ messages
2026-03-18  4:06 [PATCH 1/2] net: usb: cdc_ncm: convert sysfs show() callbacks to sysfs_emit() Omer Zalman
2026-03-18  4:06 ` [PATCH 2/2] net: usb: cdc_ncm: prevent silent u16 truncation in min_tx_pkt_store() Omer Zalman
2026-03-18  6:37   ` Greg KH [this message]
2026-03-18  6:36 ` [PATCH 1/2] net: usb: cdc_ncm: convert sysfs show() callbacks to sysfs_emit() Greg KH
