Thread (6 messages) 6 messages, 5 authors, 2025-12-13

Re: [PATCH v2] net: fealnx: fix possible 'card_idx' integer overflow in

From: David Laight <hidden>
Date: 2025-12-12 19:36:30
Also in: lkml, oe-kbuild-all, stable

On Fri, 12 Dec 2025 14:46:03 +0000
Simon Horman [off-list ref] wrote:
On Fri, Dec 12, 2025 at 07:30:04PM +0800, kernel test robot wrote:
Hi Ilya,

kernel test robot noticed the following build warnings:

[auto build test WARNING on net-next/main]
[also build test WARNING on net/main linus/master v6.18 next-20251212]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Ilya-Krutskih/net-fealnx-fix-possible-card_idx-integer-overflow-in/20251212-013335
base:   net-next/main
patch link:    https://lore.kernel.org/r/20251211173035.852756-1-devsec%40tpz.ru
patch subject: [PATCH v2] net: fealnx: fix possible 'card_idx' integer overflow in
config: alpha-allyesconfig (https://download.01.org/0day-ci/archive/20251212/202512121907.n3Bzh2zF-lkp@intel.com/config)
compiler: alpha-linux-gcc (GCC) 15.1.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251212/202512121907.n3Bzh2zF-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot [off-list ref]
| Closes: https://lore.kernel.org/oe-kbuild-all/202512121907.n3Bzh2zF-lkp@intel.com/ (local)

All warnings (new ones prefixed by >>):

   drivers/net/ethernet/fealnx.c: In function 'fealnx_init_one':
>> drivers/net/ethernet/fealnx.c:496:35: warning: '%d' directive writing between 1 and 11 bytes into a region of size 6 [-Wformat-overflow=]
     496 |         sprintf(boardname, "fealnx%d", card_idx);
         |                                   ^~
   drivers/net/ethernet/fealnx.c:496:28: note: directive argument in the range [-2147483647, 2147483647]
     496 |         sprintf(boardname, "fealnx%d", card_idx);
         |                            ^~~~~~~~~~
   drivers/net/ethernet/fealnx.c:496:9: note: 'sprintf' output between 8 and 18 bytes into a destination of size 12
     496 |         sprintf(boardname, "fealnx%d", card_idx);
         |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Although I think these new warnings are not strictly for problems
introduced by this patch. They do make me wonder
if it would be best to cap card_index at MAX_UNITS and
return an error if that limit is exceeded.
The code seems to be written allowing for more than MAX_UNITS 'units'.

Actually it all looks pretty broken to me...
'card_idx' is incremented by every call to fealnx_init_one().
That is the pci_driver.probe() function.
So every card remove and rescan will increment it.
(Is the .probe() even serialised? I can't remember...)

Then there is the MODULE_PARAM_DESC() that states that bit 17 of 'options'
is the 'full duplex' flag, but the code checks 'options & 0x200'.

And I just don't understand the assignment: option = dev->mem_start;

The code was like this when Linux created git.

	David
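
Added example, not part of the thread and not the driver's code: a user-space C sketch of the sizing behind the quoted warning (12-byte destination, "fealnx%d") and of the cap-and-reject idea raised above. The value given to MAX_UNITS and the helper names boardname_needed() and format_boardname() are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>

#define BOARDNAME_LEN 12 /* destination size reported in the warning */
#define MAX_UNITS 8      /* assumed value; the thread does not state it */

/* Bytes "fealnx%d" needs for idx, including the terminating NUL. */
static int boardname_needed(int idx)
{
	return snprintf(NULL, 0, "fealnx%d", idx) + 1;
}

/*
 * Hypothetical helper: format the name only when idx is below the cap and
 * the result fits in buf. Returns 0 on success, -1 when rejected.
 */
static int format_boardname(char *buf, size_t len, int idx)
{
	int n;

	if (idx < 0 || idx >= MAX_UNITS)
		return -1;
	n = snprintf(buf, len, "fealnx%d", idx);
	if (n < 0 || (size_t)n >= len)
		return -1; /* output would have been truncated */
	return 0;
}

int main(void)
{
	/* Constructed sample indices, including the range ends from the warning. */
	int samples[] = { 0, 7, 8, 99999, 100000, -9999, -10000,
			  INT_MAX, -INT_MAX };
	char boardname[BOARDNAME_LEN];
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int need = boardname_needed(samples[i]);
		int rc = format_boardname(boardname, sizeof(boardname),
					  samples[i]);

		printf("%11d needs %2d bytes, %s %d-byte buffer, capped: %s\n",
		       samples[i], need,
		       need <= BOARDNAME_LEN ? "fits" : "overflows",
		       BOARDNAME_LEN, rc == 0 ? boardname : "rejected");
	}
	return 0;
}
```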