Increase the size of firmware_tag arrays in the following structs from GB_FIRMWARE_U_TAG_MAX_SIZE to GB_FIRMWARE_U_TAG_MAX_SIZE + 1 to accommodate null termination:
- fw_mgmt_ioc_intf_load_and_validate
- fw_mgmt_ioc_get_backend_version
- fw_mgmt_ioc_backend_fw_update
- fw_mgmt_ioc_get_intf_version
Replace strncpy() with strscpy() to ensure proper null termination as firmware_tag is interpreted as a null-terminated string and printed with %s.
Signed-off-by: Pranav Tyagi pranav.tyagi03@gmail.com --- .../greybus/Documentation/firmware/firmware.c | 12 ++++++------ drivers/staging/greybus/greybus_firmware.h | 8 ++++---- 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/drivers/staging/greybus/Documentation/firmware/firmware.c b/drivers/staging/greybus/Documentation/firmware/firmware.c
index 765d69faa9cc..3b4061f4b34a 100644
--- a/drivers/staging/greybus/Documentation/firmware/firmware.c
+++ b/drivers/staging/greybus/Documentation/firmware/firmware.c
@@ -63,8 +63,8 @@ static int update_intf_firmware(int fd)
 intf_load.major = 0;
 intf_load.minor = 0;
- strncpy((char *)&intf_load.firmware_tag, firmware_tag,
- GB_FIRMWARE_U_TAG_MAX_SIZE);
+ strscpy((char *)&intf_load.firmware_tag, firmware_tag,
+ GB_FIRMWARE_U_TAG_MAX_SIZE + 1);
 ret = ioctl(fd, FW_MGMT_IOC_INTF_LOAD_AND_VALIDATE, &intf_load);
 if (ret < 0) {
@@ -101,8 +101,8 @@ static int update_backend_firmware(int fd)
 /* Get Backend Firmware Version */
 printf("Getting Backend Firmware Version\n");
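Review bot: The result of the new copy into `intf_load.firmware_tag` is discarded, so a `firmware_tag` longer than the destination is silently cut short and the ioctl is then issued with a tag other than the one the caller supplied. For a firmware-update tool that can select a different image than intended, so the length should be rejected before the copy, e.g. `if (strlen(firmware_tag) >= sizeof(intf_load.firmware_tag)) return -1;` (adjust to the function's error convention; its body starts and ends outside the hunk). Using `sizeof(intf_load.firmware_tag)` as the bound instead of repeating `GB_FIRMWARE_U_TAG_MAX_SIZE + 1` would also keep the limit tied to the destination array. The same applies to the `backend_fw_info` and `backend_update` copies in the two later hunks of this file.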
- strncpy((char *)&backend_fw_info.firmware_tag, firmware_tag,
- GB_FIRMWARE_U_TAG_MAX_SIZE);
+ strscpy((char *)&backend_fw_info.firmware_tag, firmware_tag,
+ GB_FIRMWARE_U_TAG_MAX_SIZE + 1);
 retry_fw_version:
 ret = ioctl(fd, FW_MGMT_IOC_GET_BACKEND_FW, &backend_fw_info);
@@ -129,8 +129,8 @@ static int update_backend_firmware(int fd)
 /* Try Backend Firmware Update over Unipro */
 printf("Updating Backend Firmware\n");
- strncpy((char *)&backend_update.firmware_tag, firmware_tag,
- GB_FIRMWARE_U_TAG_MAX_SIZE);
+ strscpy((char *)&backend_update.firmware_tag, firmware_tag,
+ GB_FIRMWARE_U_TAG_MAX_SIZE + 1);
 retry_fw_update:
 backend_update.status = 0;
diff --git a/drivers/staging/greybus/greybus_firmware.h b/drivers/staging/greybus/greybus_firmware.h
index b6042a82ada4..ad5b2c8a6461 100644
--- a/drivers/staging/greybus/greybus_firmware.h
+++ b/drivers/staging/greybus/greybus_firmware.h
@@ -38,20 +38,20 @@
 /* IOCTL support */
 struct fw_mgmt_ioc_get_intf_version {
- __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
+ __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1];
 __u16 major;
 __u16 minor;
 } __packed;
 struct fw_mgmt_ioc_get_backend_version {
- __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
+ __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1];
 __u16 major;
 __u16 minor;
 __u8 status;
 } __packed;
 struct fw_mgmt_ioc_intf_load_and_validate {
- __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
+ __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1];
 __u8 load_method;
 __u8 status;
 __u16 major;
@@ -59,7 +59,7 @@ struct fw_mgmt_ioc_intf_load_and_validate {
 } __packed;
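Review bot: Enlarging `firmware_tag` does not by itself guarantee the tag is terminated when it reaches the driver, because any other ioctl caller can still fill all `GB_FIRMWARE_U_TAG_MAX_SIZE + 1` bytes. The kernel-side handlers that read these structs are not part of this diff, so whether they reject an unterminated tag before treating it as a string cannot be confirmed from here; that check belongs at the ioctl boundary rather than in the sample program. A comment on the field would document the contract, e.g. `/* NUL-terminated: up to GB_FIRMWARE_U_TAG_MAX_SIZE characters plus the terminator */`. This applies to all four structs, including `fw_mgmt_ioc_backend_fw_update` in the following hunk.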
 struct fw_mgmt_ioc_backend_fw_update {
- __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
+ __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1];
 __u8 status;
 } __packed;
On Tue, Jun 17, 2025 at 06:21:37PM +0530, Pranav Tyagi wrote:
Increase the size of firmware_tag arrays in the following structs from GB_FIRMWARE_U_TAG_MAX_SIZE to GB_FIRMWARE_U_TAG_MAX_SIZE + 1 to accommodate null termination:
- fw_mgmt_ioc_intf_load_and_validate
- fw_mgmt_ioc_get_backend_version
- fw_mgmt_ioc_backend_fw_update
- fw_mgmt_ioc_get_intf_version
Replace strncpy() with strscpy() to ensure proper null termination as firmware_tag is interpreted as a null-terminated string and printed with %s.
Signed-off-by: Pranav Tyagi pranav.tyagi03@gmail.com
.../greybus/Documentation/firmware/firmware.c | 12 ++++++------ drivers/staging/greybus/greybus_firmware.h | 8 ++++---- 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/drivers/staging/greybus/Documentation/firmware/firmware.c b/drivers/staging/greybus/Documentation/firmware/firmware.c index 765d69faa9cc..3b4061f4b34a 100644 --- a/drivers/staging/greybus/Documentation/firmware/firmware.c +++ b/drivers/staging/greybus/Documentation/firmware/firmware.c @@ -63,8 +63,8 @@ static int update_intf_firmware(int fd) intf_load.major = 0; intf_load.minor = 0;
- strncpy((char *)&intf_load.firmware_tag, firmware_tag,
GB_FIRMWARE_U_TAG_MAX_SIZE);
- strscpy((char *)&intf_load.firmware_tag, firmware_tag,
GB_FIRMWARE_U_TAG_MAX_SIZE + 1);
ret = ioctl(fd, FW_MGMT_IOC_INTF_LOAD_AND_VALIDATE, &intf_load); if (ret < 0) { @@ -101,8 +101,8 @@ static int update_backend_firmware(int fd) /* Get Backend Firmware Version */ printf("Getting Backend Firmware Version\n");
- strncpy((char *)&backend_fw_info.firmware_tag, firmware_tag,
GB_FIRMWARE_U_TAG_MAX_SIZE);
- strscpy((char *)&backend_fw_info.firmware_tag, firmware_tag,
GB_FIRMWARE_U_TAG_MAX_SIZE + 1);
retry_fw_version: ret = ioctl(fd, FW_MGMT_IOC_GET_BACKEND_FW, &backend_fw_info); @@ -129,8 +129,8 @@ static int update_backend_firmware(int fd) /* Try Backend Firmware Update over Unipro */ printf("Updating Backend Firmware\n");
- strncpy((char *)&backend_update.firmware_tag, firmware_tag,
GB_FIRMWARE_U_TAG_MAX_SIZE);
- strscpy((char *)&backend_update.firmware_tag, firmware_tag,
GB_FIRMWARE_U_TAG_MAX_SIZE + 1);
retry_fw_update: backend_update.status = 0; diff --git a/drivers/staging/greybus/greybus_firmware.h b/drivers/staging/greybus/greybus_firmware.h index b6042a82ada4..ad5b2c8a6461 100644 --- a/drivers/staging/greybus/greybus_firmware.h +++ b/drivers/staging/greybus/greybus_firmware.h @@ -38,20 +38,20 @@ /* IOCTL support */ struct fw_mgmt_ioc_get_intf_version {
- __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
- __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1]; __u16 major; __u16 minor;
} __packed; struct fw_mgmt_ioc_get_backend_version {
- __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
- __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1]; __u16 major; __u16 minor; __u8 status;
} __packed; struct fw_mgmt_ioc_intf_load_and_validate {
- __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
- __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1]; __u8 load_method; __u8 status; __u16 major;
@@ -59,7 +59,7 @@ struct fw_mgmt_ioc_intf_load_and_validate { } __packed; struct fw_mgmt_ioc_backend_fw_update {
- __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
- __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1]; __u8 status;
} __packed;
You are changing the size of a userspace structure here, are you SURE this is allowed?
How was this tested?
thanks,
greg k-h
On Tue, Jun 17, 2025 at 6:46 PM Greg KH gregkh@linuxfoundation.org wrote:
On Tue, Jun 17, 2025 at 06:21:37PM +0530, Pranav Tyagi wrote:
Increase the size of firmware_tag arrays in the following structs from GB_FIRMWARE_U_TAG_MAX_SIZE to GB_FIRMWARE_U_TAG_MAX_SIZE + 1 to accommodate null termination: - fw_mgmt_ioc_intf_load_and_validate - fw_mgmt_ioc_get_backend_version - fw_mgmt_ioc_backend_fw_update - fw_mgmt_ioc_get_intf_version
Replace strncpy() with strscpy() to ensure proper null termination as firmware_tag is interpreted as a null-terminated string and printed with %s.
Signed-off-by: Pranav Tyagi pranav.tyagi03@gmail.com
.../greybus/Documentation/firmware/firmware.c | 12 ++++++------ drivers/staging/greybus/greybus_firmware.h | 8 ++++---- 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/drivers/staging/greybus/Documentation/firmware/firmware.c b/drivers/staging/greybus/Documentation/firmware/firmware.c index 765d69faa9cc..3b4061f4b34a 100644 --- a/drivers/staging/greybus/Documentation/firmware/firmware.c +++ b/drivers/staging/greybus/Documentation/firmware/firmware.c @@ -63,8 +63,8 @@ static int update_intf_firmware(int fd) intf_load.major = 0; intf_load.minor = 0;
strncpy((char *)&intf_load.firmware_tag, firmware_tag,
GB_FIRMWARE_U_TAG_MAX_SIZE);
strscpy((char *)&intf_load.firmware_tag, firmware_tag,
GB_FIRMWARE_U_TAG_MAX_SIZE + 1); ret = ioctl(fd, FW_MGMT_IOC_INTF_LOAD_AND_VALIDATE, &intf_load); if (ret < 0) {
@@ -101,8 +101,8 @@ static int update_backend_firmware(int fd) /* Get Backend Firmware Version */ printf("Getting Backend Firmware Version\n");
strncpy((char *)&backend_fw_info.firmware_tag, firmware_tag,
GB_FIRMWARE_U_TAG_MAX_SIZE);
strscpy((char *)&backend_fw_info.firmware_tag, firmware_tag,
GB_FIRMWARE_U_TAG_MAX_SIZE + 1);
retry_fw_version: ret = ioctl(fd, FW_MGMT_IOC_GET_BACKEND_FW, &backend_fw_info); @@ -129,8 +129,8 @@ static int update_backend_firmware(int fd) /* Try Backend Firmware Update over Unipro */ printf("Updating Backend Firmware\n");
strncpy((char *)&backend_update.firmware_tag, firmware_tag,
GB_FIRMWARE_U_TAG_MAX_SIZE);
strscpy((char *)&backend_update.firmware_tag, firmware_tag,
GB_FIRMWARE_U_TAG_MAX_SIZE + 1);
retry_fw_update: backend_update.status = 0; diff --git a/drivers/staging/greybus/greybus_firmware.h b/drivers/staging/greybus/greybus_firmware.h index b6042a82ada4..ad5b2c8a6461 100644 --- a/drivers/staging/greybus/greybus_firmware.h +++ b/drivers/staging/greybus/greybus_firmware.h @@ -38,20 +38,20 @@
/* IOCTL support */ struct fw_mgmt_ioc_get_intf_version {
__u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
__u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1]; __u16 major; __u16 minor;
} __packed;
struct fw_mgmt_ioc_get_backend_version {
__u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
__u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1]; __u16 major; __u16 minor; __u8 status;
} __packed;
struct fw_mgmt_ioc_intf_load_and_validate {
__u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
__u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1]; __u8 load_method; __u8 status; __u16 major;
@@ -59,7 +59,7 @@ struct fw_mgmt_ioc_intf_load_and_validate { } __packed;
struct fw_mgmt_ioc_backend_fw_update {
__u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
__u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1]; __u8 status;
} __packed;
You are changing the size of a userspace structure here, are you SURE this is allowed?
How was this tested?
thanks,
greg k-h
Hi,
You're absolutely right — changing the size of a userspace-visible structure like this is not allowed and I apologize for the oversight.
I did compile and boot the kernel with the patch applied, but I now realize that I should have also tested it against the actual userspace tooling to validate ABI compatibility — which I didn’t do. That was a miss on my part.
Thanks for the review and the guidance. I’ll fix the patch to preserve structure sizes and ensure safe null termination without breaking the ABI — likely by using strscpy() with size - 1 and setting the last byte explicitly if needed.
Apologies for the oversight.
Regards Pranav Tyagi
On Tue, Jun 17, 2025 at 06:21:37PM +0530, Pranav Tyagi wrote:
Increase the size of firmware_tag arrays in the following structs from GB_FIRMWARE_U_TAG_MAX_SIZE to GB_FIRMWARE_U_TAG_MAX_SIZE + 1 to accommodate null termination:
- fw_mgmt_ioc_intf_load_and_validate
- fw_mgmt_ioc_get_backend_version
- fw_mgmt_ioc_backend_fw_update
- fw_mgmt_ioc_get_intf_version
Replace strncpy() with strscpy() to ensure proper null termination as firmware_tag is interpreted as a null-terminated string and printed with %s.
Signed-off-by: Pranav Tyagi pranav.tyagi03@gmail.com
.../greybus/Documentation/firmware/firmware.c | 12 ++++++------ drivers/staging/greybus/greybus_firmware.h | 8 ++++---- 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/drivers/staging/greybus/Documentation/firmware/firmware.c b/drivers/staging/greybus/Documentation/firmware/firmware.c index 765d69faa9cc..3b4061f4b34a 100644 --- a/drivers/staging/greybus/Documentation/firmware/firmware.c +++ b/drivers/staging/greybus/Documentation/firmware/firmware.c @@ -63,8 +63,8 @@ static int update_intf_firmware(int fd) intf_load.major = 0; intf_load.minor = 0;
- strncpy((char *)&intf_load.firmware_tag, firmware_tag,
GB_FIRMWARE_U_TAG_MAX_SIZE);
- strscpy((char *)&intf_load.firmware_tag, firmware_tag,
GB_FIRMWARE_U_TAG_MAX_SIZE + 1);
This is in the Documentation/ directory. It's sample userspace code. Userspace code doesn't have strscpy() so this won't compile.
regards, dan carpenter