Re: [PATCH v3] net: caif: fix stack out-of-bounds write in cfctrl_link_setup()

[kernel test robot]

Hi Kangzheng,

kernel test robot noticed the following build warnings:

[auto build test WARNING on net-next/main]
[also build test WARNING on net/main soc/for-next linus/master v7.0-rc6 next-20260327]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Kangzheng-Gu/net-caif-fix-stack-out-of-bounds-write-in-cfctrl_link_setup/20260330-163130
base:   net-next/main
patch link:    https://lore.kernel.org/r/20260329190350.19065-1-xiaoguai0992%40gmail.com
patch subject: [PATCH v3] net: caif: fix stack out-of-bounds write in cfctrl_link_setup()
config: um-randconfig-r073-20260330 (https://download.01.org/0day-ci/archive/20260330/202603302327.ZnK21mik-lkp@xxxxxxxxx/config)
compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18)
smatch: v0.5.0-9004-gb810ac53
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260330/202603302327.ZnK21mik-lkp@xxxxxxxxx/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-kbuild-all/202603302327.ZnK21mik-lkp@xxxxxxxxx/

All warnings (new ones prefixed by >>):

>> net/caif/cfctrl.c:423:6: warning: format specifies type 'unsigned long' but the argument has type 'unsigned int' [-Wformat]
     422 |                                 pr_warn("Request reject, volume name length exceeds %lu\n",
         |                                                                                     ~~~
         |                                                                                     %u
     423 |                                         sizeof(linkparam.u.rfm.volume));
         |                                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/printk.h:564:37: note: expanded from macro 'pr_warn'
     564 |         printk(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
         |                                    ~~~     ^~~~~~~~~~~
   include/linux/printk.h:511:60: note: expanded from macro 'printk'
     511 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
         |                                                     ~~~    ^~~~~~~~~~~
   include/linux/printk.h:483:19: note: expanded from macro 'printk_index_wrap'
     483 |                 _p_func(_fmt, ##__VA_ARGS__);                           \
         |                         ~~~~    ^~~~~~~~~~~
   1 warning generated.


vim +423 net/caif/cfctrl.c

   351	
   352	static int cfctrl_link_setup(struct cfctrl *cfctrl, struct cfpkt *pkt, u8 cmdrsp)
   353	{
   354		u8 len;
   355		u8 linkid = 0;
   356		enum cfctrl_srv serv;
   357		enum cfctrl_srv servtype;
   358		u8 endpoint;
   359		u8 physlinkid;
   360		u8 prio;
   361		u8 tmp;
   362		u8 *cp;
   363		int i;
   364		struct cfctrl_link_param linkparam;
   365		struct cfctrl_request_info rsp, *req;
   366	
   367		memset(&linkparam, 0, sizeof(linkparam));
   368	
   369		tmp = cfpkt_extr_head_u8(pkt);
   370	
   371		serv = tmp & CFCTRL_SRV_MASK;
   372		linkparam.linktype = serv;
   373	
   374		servtype = tmp >> 4;
   375		linkparam.chtype = servtype;
   376	
   377		tmp = cfpkt_extr_head_u8(pkt);
   378		physlinkid = tmp & 0x07;
   379		prio = tmp >> 3;
   380	
   381		linkparam.priority = prio;
   382		linkparam.phyid = physlinkid;
   383		endpoint = cfpkt_extr_head_u8(pkt);
   384		linkparam.endpoint = endpoint & 0x03;
   385	
   386		switch (serv) {
   387		case CFCTRL_SRV_VEI:
   388		case CFCTRL_SRV_DBG:
   389			if (CFCTRL_ERR_BIT & cmdrsp)
   390				break;
   391			/* Link ID */
   392			linkid = cfpkt_extr_head_u8(pkt);
   393			break;
   394		case CFCTRL_SRV_VIDEO:
   395			tmp = cfpkt_extr_head_u8(pkt);
   396			linkparam.u.video.connid = tmp;
   397			if (CFCTRL_ERR_BIT & cmdrsp)
   398				break;
   399			/* Link ID */
   400			linkid = cfpkt_extr_head_u8(pkt);
   401			break;
   402	
   403		case CFCTRL_SRV_DATAGRAM:
   404			linkparam.u.datagram.connid = cfpkt_extr_head_u32(pkt);
   405			if (CFCTRL_ERR_BIT & cmdrsp)
   406				break;
   407			/* Link ID */
   408			linkid = cfpkt_extr_head_u8(pkt);
   409			break;
   410		case CFCTRL_SRV_RFM:
   411			/* Construct a frame, convert
   412			 * DatagramConnectionID
   413			 * to network format long and copy it out...
   414			 */
   415			linkparam.u.rfm.connid = cfpkt_extr_head_u32(pkt);
   416			cp = (u8 *) linkparam.u.rfm.volume;
   417			for (tmp = cfpkt_extr_head_u8(pkt);
   418			     cfpkt_more(pkt) && tmp != '\0';
   419			     tmp = cfpkt_extr_head_u8(pkt)) {
   420				if (cp >= (u8 *)linkparam.u.rfm.volume +
   421				    sizeof(linkparam.u.rfm.volume) - 1) {
   422					pr_warn("Request reject, volume name length exceeds %lu\n",
 > 423						sizeof(linkparam.u.rfm.volume));
   424					cmdrsp |= CFCTRL_ERR_BIT;
   425					break;
   426				}
   427				*cp++ = tmp;
   428			}
   429			*cp = '\0';
   430	
   431			if (CFCTRL_ERR_BIT & cmdrsp)
   432				break;
   433			/* Link ID */
   434			linkid = cfpkt_extr_head_u8(pkt);
   435	
   436			break;
   437		case CFCTRL_SRV_UTIL:
   438			/* Construct a frame, convert
   439			 * DatagramConnectionID
   440			 * to network format long and copy it out...
   441			 */
   442			/* Fifosize KB */
   443			linkparam.u.utility.fifosize_kb = cfpkt_extr_head_u16(pkt);
   444			/* Fifosize bufs */
   445			linkparam.u.utility.fifosize_bufs = cfpkt_extr_head_u16(pkt);
   446			/* name */
   447			cp = (u8 *) linkparam.u.utility.name;
   448			caif_assert(sizeof(linkparam.u.utility.name)
   449				     >= UTILITY_NAME_LENGTH);
   450			for (i = 0; i < UTILITY_NAME_LENGTH && cfpkt_more(pkt); i++) {
   451				tmp = cfpkt_extr_head_u8(pkt);
   452				*cp++ = tmp;
   453			}
   454			/* Length */
   455			len = cfpkt_extr_head_u8(pkt);
   456			linkparam.u.utility.paramlen = len;
   457			/* Param Data */
   458			cp = linkparam.u.utility.params;
   459			while (cfpkt_more(pkt) && len--) {
   460				tmp = cfpkt_extr_head_u8(pkt);
   461				*cp++ = tmp;
   462			}
   463			if (CFCTRL_ERR_BIT & cmdrsp)
   464				break;
   465			/* Link ID */
   466			linkid = cfpkt_extr_head_u8(pkt);
   467			/* Length */
   468			len = cfpkt_extr_head_u8(pkt);
   469			/* Param Data */
   470			cfpkt_extr_head(pkt, NULL, len);
   471			break;
   472		default:
   473			pr_warn("Request setup, invalid type (%d)\n", serv);
   474			return -1;
   475		}
   476	
   477		rsp.cmd = CFCTRL_CMD_LINK_SETUP;
   478		rsp.param = linkparam;
   479		spin_lock_bh(&cfctrl->info_list_lock);
   480		req = cfctrl_remove_req(cfctrl, &rsp);
   481	
   482		if (CFCTRL_ERR_BIT == (CFCTRL_ERR_BIT & cmdrsp) ||
   483			cfpkt_erroneous(pkt)) {
   484			pr_err("Invalid O/E bit or parse error "
   485					"on CAIF control channel\n");
   486			cfctrl->res.reject_rsp(cfctrl->serv.layer.up, 0,
   487					       req ? req->client_layer : NULL);
   488		} else {
   489			cfctrl->res.linksetup_rsp(cfctrl->serv.layer.up, linkid,
   490						  serv, physlinkid,
   491						  req ?  req->client_layer : NULL);
   492		}
   493	
   494		kfree(req);
   495	
   496		spin_unlock_bh(&cfctrl->info_list_lock);
   497	
   498		return 0;
   499	}
   500	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki