diff mbox series

[net-next,2/3] bnxt_en: check for irq name truncation

Message ID 20240705-bnxt-str-v1-2-bafc769ed89e@kernel.org (mailing list archive)
State Changes Requested
Delegated to: Netdev Maintainers
Headers show
Series bnxt_en: address string truncation | expand

Checks

Context Check Description
netdev/series_format success Posting correctly formatted
netdev/tree_selection success Clearly marked for net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 816 this patch: 816
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 5 of 5 maintainers
netdev/build_clang success Errors and warnings before: 821 this patch: 821
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 823 this patch: 821
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 68 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 2 this patch: 2
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-07-05--15-00 (tests: 694)

Commit Message

Simon Horman July 5, 2024, 11:26 a.m. UTC 
Given the sizes of the buffers involved, it is theoretically
possible for irq names to be truncated. Detect this and
propagate an error if this occurs.

Flagged by gcc-14:

  .../bnxt.c: In function 'bnxt_setup_int_mode':
  .../bnxt.c:10584:48: warning: '%s' directive output may be truncated writing 4 bytes into a region of size between 2 and 17 [-Wformat-truncation=]
  10584 |         snprintf(bp->irq_tbl[0].name, len, "%s-%s-%d", bp->dev->name, "TxRx",
        |                                                ^~                     ~~~~~~
  In function 'bnxt_setup_inta',
      inlined from 'bnxt_setup_int_mode' at .../bnxt.c:10604:3:
  .../bnxt.c:10584:9: note: 'snprintf' output between 8 and 23 bytes into a destination of size 18
  10584 |         snprintf(bp->irq_tbl[0].name, len, "%s-%s-%d", bp->dev->name, "TxRx",
        |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  10585 |                  0);
        |                  ~~
  .../bnxt.c: In function 'bnxt_setup_int_mode':
  .../bnxt.c:10569:62: warning: '%s' directive output may be truncated writing between 2 and 4 bytes into a region of size between 2 and 17 [-Wformat-truncation=]
  10569 |                 snprintf(bp->irq_tbl[map_idx].name, len, "%s-%s-%d", dev->name,
        |                                                              ^~
  In function 'bnxt_setup_msix',
      inlined from 'bnxt_setup_int_mode' at .../bnxt.c:10602:3:
  .../bnxt.c:10569:58: note: directive argument in the range [-2147483643, 2147483646]
  10569 |                 snprintf(bp->irq_tbl[map_idx].name, len, "%s-%s-%d", dev->name,
        |                                                          ^~~~~~~~~~
  .../bnxt.c:10569:17: note: 'snprintf' output between 6 and 33 bytes into a destination of size 18
  10569 |                 snprintf(bp->irq_tbl[map_idx].name, len, "%s-%s-%d", dev->name,
        |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  10570 |                          attr, i);
        |                          ~~~~~~~~

Compile tested only.

Signed-off-by: Simon Horman <horms@kernel.org>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

Comments

Michael Chan July 5, 2024, 6:27 p.m. UTC | #1 
On Fri, Jul 5, 2024 at 4:27 AM Simon Horman <horms@kernel.org> wrote:
> diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
> index 220d05e2f6fa..15e68c8e599d 100644
> --- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
> +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
> @@ -10538,7 +10538,7 @@ static int bnxt_trim_rings(struct bnxt *bp, int *rx, int *tx, int max,
>         return __bnxt_trim_rings(bp, rx, tx, max, sh);
>  }
>
> -static void bnxt_setup_msix(struct bnxt *bp)
> +static int bnxt_setup_msix(struct bnxt *bp)
>  {
>         const int len = sizeof(bp->irq_tbl[0].name);
>         struct net_device *dev = bp->dev;
> @@ -10558,6 +10558,7 @@ static void bnxt_setup_msix(struct bnxt *bp)
>         for (i = 0; i < bp->cp_nr_rings; i++) {
>                 int map_idx = bnxt_cp_num_to_irq_num(bp, i);
>                 char *attr;
> +               int rc;
>
>                 if (bp->flags & BNXT_FLAG_SHARED_RINGS)
>                         attr = "TxRx";
> @@ -10566,24 +10567,35 @@ static void bnxt_setup_msix(struct bnxt *bp)
>                 else
>                         attr = "tx";
>
> -               snprintf(bp->irq_tbl[map_idx].name, len, "%s-%s-%d", dev->name,
> -                        attr, i);
> +               rc = snprintf(bp->irq_tbl[map_idx].name, len, "%s-%s-%d",
> +                             dev->name, attr, i);
> +               if (rc >= len)
> +                       return -E2BIG;

I may be missing something obvious here.  snprintf() will truncate and
not overwrite the buffer, right?  Why is it necessary to abort if
there is truncation?  Thanks.
Simon Horman July 5, 2024, 7:09 p.m. UTC | #2 
On Fri, Jul 05, 2024 at 11:27:47AM -0700, Michael Chan wrote:
> On Fri, Jul 5, 2024 at 4:27 AM Simon Horman <horms@kernel.org> wrote:
> > diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
> > index 220d05e2f6fa..15e68c8e599d 100644
> > --- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
> > +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
> > @@ -10538,7 +10538,7 @@ static int bnxt_trim_rings(struct bnxt *bp, int *rx, int *tx, int max,
> >         return __bnxt_trim_rings(bp, rx, tx, max, sh);
> >  }
> >
> > -static void bnxt_setup_msix(struct bnxt *bp)
> > +static int bnxt_setup_msix(struct bnxt *bp)
> >  {
> >         const int len = sizeof(bp->irq_tbl[0].name);
> >         struct net_device *dev = bp->dev;
> > @@ -10558,6 +10558,7 @@ static void bnxt_setup_msix(struct bnxt *bp)
> >         for (i = 0; i < bp->cp_nr_rings; i++) {
> >                 int map_idx = bnxt_cp_num_to_irq_num(bp, i);
> >                 char *attr;
> > +               int rc;
> >
> >                 if (bp->flags & BNXT_FLAG_SHARED_RINGS)
> >                         attr = "TxRx";
> > @@ -10566,24 +10567,35 @@ static void bnxt_setup_msix(struct bnxt *bp)
> >                 else
> >                         attr = "tx";
> >
> > -               snprintf(bp->irq_tbl[map_idx].name, len, "%s-%s-%d", dev->name,
> > -                        attr, i);
> > +               rc = snprintf(bp->irq_tbl[map_idx].name, len, "%s-%s-%d",
> > +                             dev->name, attr, i);
> > +               if (rc >= len)
> > +                       return -E2BIG;
> 
> I may be missing something obvious here.  snprintf() will truncate and
> not overwrite the buffer, right?  Why is it necessary to abort if
> there is truncation?  Thanks.

The (incorrect) assumption on my side was that truncated names
are undesirable and should be treated as an error case.
Sorry for not making that clearer.
diff mbox series

Patch

diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 220d05e2f6fa..15e68c8e599d 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -10538,7 +10538,7 @@  static int bnxt_trim_rings(struct bnxt *bp, int *rx, int *tx, int max,
 	return __bnxt_trim_rings(bp, rx, tx, max, sh);
 }
 
-static void bnxt_setup_msix(struct bnxt *bp)
+static int bnxt_setup_msix(struct bnxt *bp)
 {
 	const int len = sizeof(bp->irq_tbl[0].name);
 	struct net_device *dev = bp->dev;
@@ -10558,6 +10558,7 @@  static void bnxt_setup_msix(struct bnxt *bp)
 	for (i = 0; i < bp->cp_nr_rings; i++) {
 		int map_idx = bnxt_cp_num_to_irq_num(bp, i);
 		char *attr;
+		int rc;
 
 		if (bp->flags & BNXT_FLAG_SHARED_RINGS)
 			attr = "TxRx";
@@ -10566,24 +10567,35 @@  static void bnxt_setup_msix(struct bnxt *bp)
 		else
 			attr = "tx";
 
-		snprintf(bp->irq_tbl[map_idx].name, len, "%s-%s-%d", dev->name,
-			 attr, i);
+		rc = snprintf(bp->irq_tbl[map_idx].name, len, "%s-%s-%d",
+			      dev->name, attr, i);
+		if (rc >= len)
+			return -E2BIG;
 		bp->irq_tbl[map_idx].handler = bnxt_msix;
 	}
+
+	return 0;
 }
 
-static void bnxt_setup_inta(struct bnxt *bp)
+static int bnxt_setup_inta(struct bnxt *bp)
 {
 	const int len = sizeof(bp->irq_tbl[0].name);
+	int rc;
+
 
 	if (bp->num_tc) {
 		netdev_reset_tc(bp->dev);
 		bp->num_tc = 0;
 	}
 
-	snprintf(bp->irq_tbl[0].name, len, "%s-%s-%d", bp->dev->name, "TxRx",
-		 0);
+	rc = snprintf(bp->irq_tbl[0].name, len, "%s-%s-%d", bp->dev->name,
+		      "TxRx", 0);
+	if (rc >= len)
+		return -E2BIG;
+
 	bp->irq_tbl[0].handler = bnxt_inta;
+
+	return 0;
 }
 
 static int bnxt_init_int_mode(struct bnxt *bp);
@@ -10599,9 +10611,11 @@  static int bnxt_setup_int_mode(struct bnxt *bp)
 	}
 
 	if (bp->flags & BNXT_FLAG_USING_MSIX)
-		bnxt_setup_msix(bp);
+		rc = bnxt_setup_msix(bp);
 	else
-		bnxt_setup_inta(bp);
+		rc = bnxt_setup_inta(bp);
+	if (rc)
+		return rc;
 
 	rc = bnxt_set_real_num_queues(bp);
 	return rc;