From patchwork Fri Dec 15 12:56:40 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 13494426 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 4D10FC35274 for ; Fri, 15 Dec 2023 12:58:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-ID:Date:From:To: Subject:Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References: List-Owner; bh=WVCU+ner3FhP1fkbTxyvfsMIjL9DPZlNZtQORiiNDTo=; b=djvqPbiuStP9w7 qkf8oNZOf6RZgG4MCfvD2gHchXxpJk31UOLBfCk/dR41Ks4zlHiAVvH2G5nPKi+8a3F/fhnE+qdg1 q+/5zbSvaEGSOhhGubURUeawE2rA1AyAeo9e89JapXr2G23LoFic4yVpZfwcFvvwyAHyRdJKfs9DR JYSOEMxIyLNs45z9Nex6GWG/01bQsDpxvV2/fTMz0h1T+cmP9x7/vZM7Bw2+hKmXbz9vwikgYzJju bO5sNBQSH6gvk5He4V8q71yOeILcuqldtSxeyP6rS9HqFrIAx84sNwYk8rJwupSZJOcv1+g63rk62 DyVvw0Je0m3+YsjtJkRQ==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1rE7kx-003J4j-1V; Fri, 15 Dec 2023 12:57:31 +0000 Received: from ams.source.kernel.org ([145.40.68.75]) by bombadil.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1rE7kr-003J1D-2G for linux-arm-kernel@lists.infradead.org; Fri, 15 Dec 2023 12:57:27 +0000 Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by ams.source.kernel.org (Postfix) with ESMTP id 5830EB8286F; Fri, 15 Dec 2023 12:57:24 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5DD05C433C7; Fri, 15 Dec 2023 12:57:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1702645043; bh=ATdpL1Gp7MwZtYPXt/XCBLvRCiKw/tB8xp3z3UIw9nI=; h=Subject:To:From:Date:From; b=q0x1+lQY3PTbUErCsRhJbiuHrCpzWkumGBNyyZLoWSsnmcLNnrMSJq50UQTtDoClq z27PVSwVhrzQYb/n/rUAWxPabk5Pux9YlMVhD/WTGxgJN5E2UmKu6mssG7GBb6mwEt +w5mTtNjegedpRxogBB459WiiHa3qpIendPCDWIs= Subject: patch "usb: host: max3421-hcd: Replace snprintf() with the safer scnprintf()" added to usb-testing To: lee@kernel.org,alexandre.belloni@bootlin.com,claudiu.beznea@tuxon.dev,cristian.birsan@microchip.com,gregkh@linuxfoundation.org,linux-arm-kernel@lists.infradead.org,nicolas.ferre@microchip.com From: Date: Fri, 15 Dec 2023 13:56:40 +0100 Message-ID: <2023121539-coerce-federal-430f@gregkh> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20231215_045726_047390_B6C3DA2F X-CRM114-Status: GOOD ( 16.23 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org This is a note to let you know that I've just added the patch titled usb: host: max3421-hcd: Replace snprintf() with the safer scnprintf() to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the usb-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. From a6eef67cdb84e06112fc29176d6c6061d3ea8d79 Mon Sep 17 00:00:00 2001 From: Lee Jones Date: Wed, 13 Dec 2023 16:42:36 +0000 Subject: usb: host: max3421-hcd: Replace snprintf() with the safer scnprintf() variant There is a general misunderstanding amongst engineers that {v}snprintf() returns the length of the data *actually* encoded into the destination array. However, as per the C99 standard {v}snprintf() really returns the length of the data that *would have been* written if there were enough space for it. This misunderstanding has led to buffer-overruns in the past. It's generally considered safer to use the {v}scnprintf() variants in their place (or even sprintf() in simple cases). So let's do that. Link: https://lwn.net/Articles/69419/ Link: https://github.com/KSPP/linux/issues/105 Cc: Cristian Birsan Cc: Nicolas Ferre Cc: Alexandre Belloni Cc: Claudiu Beznea Cc: Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20231213164246.1021885-8-lee@kernel.org Signed-off-by: Greg Kroah-Hartman --- drivers/usb/host/max3421-hcd.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/drivers/usb/host/max3421-hcd.c b/drivers/usb/host/max3421-hcd.c index d152d72de126..9fe4f48b1898 100644 --- a/drivers/usb/host/max3421-hcd.c +++ b/drivers/usb/host/max3421-hcd.c @@ -1158,12 +1158,12 @@ dump_eps(struct usb_hcd *hcd) end = dp + sizeof(ubuf); *dp = '\0'; list_for_each_entry(urb, &ep->urb_list, urb_list) { - ret = snprintf(dp, end - dp, " %p(%d.%s %d/%d)", urb, - usb_pipetype(urb->pipe), - usb_urb_dir_in(urb) ? "IN" : "OUT", - urb->actual_length, - urb->transfer_buffer_length); - if (ret < 0 || ret >= end - dp) + ret = scnprintf(dp, end - dp, " %p(%d.%s %d/%d)", urb, + usb_pipetype(urb->pipe), + usb_urb_dir_in(urb) ? "IN" : "OUT", + urb->actual_length, + urb->transfer_buffer_length); + if (ret == end - dp - 1) break; /* error or buffer full */ dp += ret; } @@ -1255,9 +1255,9 @@ max3421_handle_irqs(struct usb_hcd *hcd) end = sbuf + sizeof(sbuf); *dp = '\0'; for (i = 0; i < 16; ++i) { - int ret = snprintf(dp, end - dp, " %lu", - max3421_hcd->err_stat[i]); - if (ret < 0 || ret >= end - dp) + int ret = scnprintf(dp, end - dp, " %lu", + max3421_hcd->err_stat[i]); + if (ret == end - dp - 1) break; /* error or buffer full */ dp += ret; }