| Message ID | 20241011-string-thing-v1-3-acc506568033@kernel.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | net: String format safety updates | expand |
On 10/11/2024 3:57 AM, Simon Horman wrote: > Recently I noticed that both gcc-14 and clang-18 report that passing > a non-string literal as the format argument of alloc_workqueue() > is potentially insecure. > > E.g. clang-18 says: > > .../qaic_drv.c:61:23: warning: format string is not a string literal (potentially insecure) [-Wformat-security] > 61 | wq = alloc_workqueue(fmt, WQ_UNBOUND, 0); > | ^~~ > .../qaic_drv.c:61:23: note: treat the string as an argument to avoid this > 61 | wq = alloc_workqueue(fmt, WQ_UNBOUND, 0); > | ^ > | "%s", > > It is always the case where the contents of fmt is safe to pass as the > format argument. That is, in my understanding, it never contains any > format escape sequences. > > But, it seems better to be safe than sorry. And, as a bonus, compiler > output becomes less verbose by addressing this issue as suggested by > clang-18. > > Also, change the name of the parameter of qaicm_wq_init from > fmt to name to better reflect it's purpose. > > Compile tested only. I'm not sure why this looks like it is targeted for net-next. I'm not seeing any dependencies on net code, nor is this a net driver. My confusion makes me think I might be missing something. I'll plan on independently taking this through DRM, unless something is brought to my attention. Regarding the patch itself, looks sane to me. I'll give it run through on hardware soon. -Jeff
On Fri, Oct 11, 2024 at 08:27:43AM -0600, Jeffrey Hugo wrote: > On 10/11/2024 3:57 AM, Simon Horman wrote: > > Recently I noticed that both gcc-14 and clang-18 report that passing > > a non-string literal as the format argument of alloc_workqueue() > > is potentially insecure. > > > > E.g. clang-18 says: > > > > .../qaic_drv.c:61:23: warning: format string is not a string literal (potentially insecure) [-Wformat-security] > > 61 | wq = alloc_workqueue(fmt, WQ_UNBOUND, 0); > > | ^~~ > > .../qaic_drv.c:61:23: note: treat the string as an argument to avoid this > > 61 | wq = alloc_workqueue(fmt, WQ_UNBOUND, 0); > > | ^ > > | "%s", > > > > It is always the case where the contents of fmt is safe to pass as the > > format argument. That is, in my understanding, it never contains any > > format escape sequences. > > > > But, it seems better to be safe than sorry. And, as a bonus, compiler > > output becomes less verbose by addressing this issue as suggested by > > clang-18. > > > > Also, change the name of the parameter of qaicm_wq_init from > > fmt to name to better reflect it's purpose. > > > > Compile tested only. > > I'm not sure why this looks like it is targeted for net-next. I'm not > seeing any dependencies on net code, nor is this a net driver. My confusion > makes me think I might be missing something. > > I'll plan on independently taking this through DRM, unless something is > brought to my attention. > > Regarding the patch itself, looks sane to me. I'll give it run through on > hardware soon. Sorry, the error is on my side. I should not targeted this patch at net-next. Let me know if I should repost it. As the series isn't entirely for net-next, I'll mark it as changes requested in netdev patchwork. And plan on reposting the other two patches for net-next some time soon.
On 10/11/2024 3:57 AM, Simon Horman wrote: > Recently I noticed that both gcc-14 and clang-18 report that passing > a non-string literal as the format argument of alloc_workqueue() > is potentially insecure. > > E.g. clang-18 says: > > .../qaic_drv.c:61:23: warning: format string is not a string literal (potentially insecure) [-Wformat-security] > 61 | wq = alloc_workqueue(fmt, WQ_UNBOUND, 0); > | ^~~ > .../qaic_drv.c:61:23: note: treat the string as an argument to avoid this > 61 | wq = alloc_workqueue(fmt, WQ_UNBOUND, 0); > | ^ > | "%s", > > It is always the case where the contents of fmt is safe to pass as the > format argument. That is, in my understanding, it never contains any > format escape sequences. > > But, it seems better to be safe than sorry. And, as a bonus, compiler > output becomes less verbose by addressing this issue as suggested by > clang-18. > > Also, change the name of the parameter of qaicm_wq_init from > fmt to name to better reflect it's purpose. > > Compile tested only. > > Signed-off-by: Simon Horman <horms@kernel.org> Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com> Tested-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
On 10/11/2024 3:57 AM, Simon Horman wrote: > Recently I noticed that both gcc-14 and clang-18 report that passing > a non-string literal as the format argument of alloc_workqueue() > is potentially insecure. > > E.g. clang-18 says: > > .../qaic_drv.c:61:23: warning: format string is not a string literal (potentially insecure) [-Wformat-security] > 61 | wq = alloc_workqueue(fmt, WQ_UNBOUND, 0); > | ^~~ > .../qaic_drv.c:61:23: note: treat the string as an argument to avoid this > 61 | wq = alloc_workqueue(fmt, WQ_UNBOUND, 0); > | ^ > | "%s", > > It is always the case where the contents of fmt is safe to pass as the > format argument. That is, in my understanding, it never contains any > format escape sequences. > > But, it seems better to be safe than sorry. And, as a bonus, compiler > output becomes less verbose by addressing this issue as suggested by > clang-18. > > Also, change the name of the parameter of qaicm_wq_init from > fmt to name to better reflect it's purpose. > > Compile tested only. > > Signed-off-by: Simon Horman <horms@kernel.org> Applied to drm-misc-next
diff --git a/drivers/accel/qaic/qaic_drv.c b/drivers/accel/qaic/qaic_drv.c index bf10156c334e..30e6bf7897bd 100644 --- a/drivers/accel/qaic/qaic_drv.c +++ b/drivers/accel/qaic/qaic_drv.c @@ -53,12 +53,12 @@ static void qaicm_wq_release(struct drm_device *dev, void *res) destroy_workqueue(wq); } -static struct workqueue_struct *qaicm_wq_init(struct drm_device *dev, const char *fmt) +static struct workqueue_struct *qaicm_wq_init(struct drm_device *dev, const char *name) { struct workqueue_struct *wq; int ret; - wq = alloc_workqueue(fmt, WQ_UNBOUND, 0); + wq = alloc_workqueue("%s", WQ_UNBOUND, 0, name); if (!wq) return ERR_PTR(-ENOMEM); ret = drmm_add_action_or_reset(dev, qaicm_wq_release, wq);
Recently I noticed that both gcc-14 and clang-18 report that passing a non-string literal as the format argument of alloc_workqueue() is potentially insecure. E.g. clang-18 says: .../qaic_drv.c:61:23: warning: format string is not a string literal (potentially insecure) [-Wformat-security] 61 | wq = alloc_workqueue(fmt, WQ_UNBOUND, 0); | ^~~ .../qaic_drv.c:61:23: note: treat the string as an argument to avoid this 61 | wq = alloc_workqueue(fmt, WQ_UNBOUND, 0); | ^ | "%s", It is always the case where the contents of fmt is safe to pass as the format argument. That is, in my understanding, it never contains any format escape sequences. But, it seems better to be safe than sorry. And, as a bonus, compiler output becomes less verbose by addressing this issue as suggested by clang-18. Also, change the name of the parameter of qaicm_wq_init from fmt to name to better reflect it's purpose. Compile tested only. Signed-off-by: Simon Horman <horms@kernel.org> --- drivers/accel/qaic/qaic_drv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)