From nobody Fri Dec 19 05:26:51 2025
Return-Path: <linux-kernel-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 184A2C4167D
	for <linux-kernel@archiver.kernel.org>; Wed, 13 Dec 2023 16:43:29 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1378964AbjLMQnU (ORCPT
        <rfc822;linux-kernel@archiver.kernel.org>);
        Wed, 13 Dec 2023 11:43:20 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56096 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1378717AbjLMQnH (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 13 Dec 2023 11:43:07 -0500
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 76EE1131
        for <linux-kernel@vger.kernel.org>;
 Wed, 13 Dec 2023 08:43:09 -0800 (PST)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id D86EBC433C7;
        Wed, 13 Dec 2023 16:43:07 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1702485789;
        bh=eLWrh4gbs4DcaBLf4i76cdivQmYRUAp1gaa0fV8JwXw=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=s5POMpwF4g/+L+e0t+RJluUkXzT6P0t/scdPvMetcvqrR2qcjlHQ0gsufUTYctXgB
         lSPqc+ax0QAqNO/Fvs4PQXgcAVESVwrZ/wMDpBOOEkXKqmspF3B6Fd+XHKxXxS2ldo
         V7qTP8J32YULRzP7Vz4AK6a9hZMIaibvgmJy4yWOKX6g+urv6C5SjGsITw7idg+K4W
         4ncw+Dgk73yvlwMWwwpV1BihVy3ETMwRrYcMviR200Y4FK21ZelHA1weJ+z0XhKZLL
         9p4d9avBRSQPWvLY5E969cIvXP0HWb7cXsoqQszDAU8Y49209iqqnxyxDwqW23/kmW
         oMUBpGyObWFVA==
From: Lee Jones <lee@kernel.org>
To: lee@kernel.org, gregkh@linuxfoundation.org
Cc: linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
        Pawel Laszczak <pawell@cadence.com>
Subject: [PATCH 06/12] usb: cdns2: Replace snprintf() with the safer
 scnprintf() variant
Date: Wed, 13 Dec 2023 16:42:35 +0000
Message-ID: <20231213164246.1021885-7-lee@kernel.org>
X-Mailer: git-send-email 2.43.0.472.g3155946c3a-goog
In-Reply-To: <20231213164246.1021885-1-lee@kernel.org>
References: <20231213164246.1021885-1-lee@kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

There is a general misunderstanding amongst engineers that {v}snprintf()
returns the length of the data *actually* encoded into the destination
array.  However, as per the C99 standard {v}snprintf() really returns
the length of the data that *would have been* written if there were
enough space for it.  This misunderstanding has led to buffer-overruns
in the past.  It's generally considered safer to use the {v}scnprintf()
variants in their place (or even sprintf() in simple cases).  So let's
do that.

Link: https://lwn.net/Articles/69419/
Link: https://github.com/KSPP/linux/issues/105
Cc: Pawel Laszczak <pawell@cadence.com>
Signed-off-by: Lee Jones <lee@kernel.org>
---
 drivers/usb/gadget/udc/cdns2/cdns2-debug.h | 138 ++++++++++-----------
 1 file changed, 69 insertions(+), 69 deletions(-)

diff --git a/drivers/usb/gadget/udc/cdns2/cdns2-debug.h b/drivers/usb/gadge=
t/udc/cdns2/cdns2-debug.h
index be9ae0d28a409..f5f330004190e 100644
--- a/drivers/usb/gadget/udc/cdns2/cdns2-debug.h
+++ b/drivers/usb/gadget/udc/cdns2/cdns2-debug.h
@@ -16,34 +16,34 @@ static inline const char *cdns2_decode_usb_irq(char *st=
r, size_t size,
 {
 	int ret;
=20
-	ret =3D snprintf(str, size, "usbirq: 0x%02x - ", usb_irq);
+	ret =3D scnprintf(str, size, "usbirq: 0x%02x - ", usb_irq);
=20
 	if (usb_irq & USBIRQ_SOF)
-		ret +=3D snprintf(str + ret, size - ret, "SOF ");
+		ret +=3D scnprintf(str + ret, size - ret, "SOF ");
 	if (usb_irq & USBIRQ_SUTOK)
-		ret +=3D snprintf(str + ret, size - ret, "SUTOK ");
+		ret +=3D scnprintf(str + ret, size - ret, "SUTOK ");
 	if (usb_irq & USBIRQ_SUDAV)
-		ret +=3D snprintf(str + ret, size - ret, "SETUP ");
+		ret +=3D scnprintf(str + ret, size - ret, "SETUP ");
 	if (usb_irq & USBIRQ_SUSPEND)
-		ret +=3D snprintf(str + ret, size - ret, "Suspend ");
+		ret +=3D scnprintf(str + ret, size - ret, "Suspend ");
 	if (usb_irq & USBIRQ_URESET)
-		ret +=3D snprintf(str + ret, size - ret, "Reset ");
+		ret +=3D scnprintf(str + ret, size - ret, "Reset ");
 	if (usb_irq & USBIRQ_HSPEED)
-		ret +=3D snprintf(str + ret, size - ret, "HS ");
+		ret +=3D scnprintf(str + ret, size - ret, "HS ");
 	if (usb_irq & USBIRQ_LPM)
-		ret +=3D snprintf(str + ret, size - ret, "LPM ");
+		ret +=3D scnprintf(str + ret, size - ret, "LPM ");
=20
-	ret +=3D snprintf(str + ret, size - ret, ", EXT: 0x%02x - ", ext_irq);
+	ret +=3D scnprintf(str + ret, size - ret, ", EXT: 0x%02x - ", ext_irq);
=20
 	if (ext_irq & EXTIRQ_WAKEUP)
-		ret +=3D snprintf(str + ret, size - ret, "Wakeup ");
+		ret +=3D scnprintf(str + ret, size - ret, "Wakeup ");
 	if (ext_irq & EXTIRQ_VBUSFAULT_FALL)
-		ret +=3D snprintf(str + ret, size - ret, "VBUS_FALL ");
+		ret +=3D scnprintf(str + ret, size - ret, "VBUS_FALL ");
 	if (ext_irq & EXTIRQ_VBUSFAULT_RISE)
-		ret +=3D snprintf(str + ret, size - ret, "VBUS_RISE ");
+		ret +=3D scnprintf(str + ret, size - ret, "VBUS_RISE ");
=20
-	if (ret >=3D size)
-		pr_info("CDNS2: buffer overflowed.\n");
+	if (ret =3D=3D size - 1)
+		pr_info("CDNS2: buffer may be truncated.\n");
=20
 	return str;
 }
@@ -54,28 +54,28 @@ static inline const char *cdns2_decode_dma_irq(char *st=
r, size_t size,
 {
 	int ret;
=20
-	ret =3D snprintf(str, size, "ISTS: %08x, %s: %08x ",
-		       ep_ists, ep_name, ep_sts);
+	ret =3D scnprintf(str, size, "ISTS: %08x, %s: %08x ",
+			ep_ists, ep_name, ep_sts);
=20
 	if (ep_sts & DMA_EP_STS_IOC)
-		ret +=3D snprintf(str + ret, size - ret, "IOC ");
+		ret +=3D scnprintf(str + ret, size - ret, "IOC ");
 	if (ep_sts & DMA_EP_STS_ISP)
-		ret +=3D snprintf(str + ret, size - ret, "ISP ");
+		ret +=3D scnprintf(str + ret, size - ret, "ISP ");
 	if (ep_sts & DMA_EP_STS_DESCMIS)
-		ret +=3D snprintf(str + ret, size - ret, "DESCMIS ");
+		ret +=3D scnprintf(str + ret, size - ret, "DESCMIS ");
 	if (ep_sts & DMA_EP_STS_TRBERR)
-		ret +=3D snprintf(str + ret, size - ret, "TRBERR ");
+		ret +=3D scnprintf(str + ret, size - ret, "TRBERR ");
 	if (ep_sts & DMA_EP_STS_OUTSMM)
-		ret +=3D snprintf(str + ret, size - ret, "OUTSMM ");
+		ret +=3D scnprintf(str + ret, size - ret, "OUTSMM ");
 	if (ep_sts & DMA_EP_STS_ISOERR)
-		ret +=3D snprintf(str + ret, size - ret, "ISOERR ");
+		ret +=3D scnprintf(str + ret, size - ret, "ISOERR ");
 	if (ep_sts & DMA_EP_STS_DBUSY)
-		ret +=3D snprintf(str + ret, size - ret, "DBUSY ");
+		ret +=3D scnprintf(str + ret, size - ret, "DBUSY ");
 	if (DMA_EP_STS_CCS(ep_sts))
-		ret +=3D snprintf(str + ret, size - ret, "CCS ");
+		ret +=3D scnprintf(str + ret, size - ret, "CCS ");
=20
-	if (ret >=3D size)
-		pr_info("CDNS2: buffer overflowed.\n");
+	if (ret =3D=3D size - 1)
+		pr_info("CDNS2: buffer may be truncated.\n");
=20
 	return str;
 }
@@ -105,43 +105,43 @@ static inline const char *cdns2_raw_ring(struct cdns2=
_endpoint *pep,
 	int ret;
 	int i;
=20
-	ret =3D snprintf(str, size, "\n\t\tTR for %s:", pep->name);
+	ret =3D scnprintf(str, size, "\n\t\tTR for %s:", pep->name);
=20
 	trb =3D &trbs[ring->dequeue];
 	dma =3D cdns2_trb_virt_to_dma(pep, trb);
-	ret +=3D snprintf(str + ret, size - ret,
-			"\n\t\tRing deq index: %d, trb: V=3D%p, P=3D0x%pad\n",
-			ring->dequeue, trb, &dma);
+	ret +=3D scnprintf(str + ret, size - ret,
+			 "\n\t\tRing deq index: %d, trb: V=3D%p, P=3D0x%pad\n",
+			 ring->dequeue, trb, &dma);
=20
 	trb =3D &trbs[ring->enqueue];
 	dma =3D cdns2_trb_virt_to_dma(pep, trb);
-	ret +=3D snprintf(str + ret, size - ret,
-			"\t\tRing enq index: %d, trb: V=3D%p, P=3D0x%pad\n",
-			ring->enqueue, trb, &dma);
+	ret +=3D scnprintf(str + ret, size - ret,
+			 "\t\tRing enq index: %d, trb: V=3D%p, P=3D0x%pad\n",
+			 ring->enqueue, trb, &dma);
=20
-	ret +=3D snprintf(str + ret, size - ret,
-			"\t\tfree trbs: %d, CCS=3D%d, PCS=3D%d\n",
-			ring->free_trbs, ring->ccs, ring->pcs);
+	ret +=3D scnprintf(str + ret, size - ret,
+			 "\t\tfree trbs: %d, CCS=3D%d, PCS=3D%d\n",
+			 ring->free_trbs, ring->ccs, ring->pcs);
=20
 	if (TRBS_PER_SEGMENT > 40) {
-		ret +=3D snprintf(str + ret, size - ret,
-				"\t\tTransfer ring %d too big\n", TRBS_PER_SEGMENT);
+		ret +=3D scnprintf(str + ret, size - ret,
+				 "\t\tTransfer ring %d too big\n", TRBS_PER_SEGMENT);
 		return str;
 	}
=20
 	dma =3D ring->dma;
 	for (i =3D 0; i < TRBS_PER_SEGMENT; ++i) {
 		trb =3D &trbs[i];
-		ret +=3D snprintf(str + ret, size - ret,
-				"\t\t@%pad %08x %08x %08x\n", &dma,
-				le32_to_cpu(trb->buffer),
-				le32_to_cpu(trb->length),
-				le32_to_cpu(trb->control));
+		ret +=3D scnprintf(str + ret, size - ret,
+				 "\t\t@%pad %08x %08x %08x\n", &dma,
+				 le32_to_cpu(trb->buffer),
+				 le32_to_cpu(trb->length),
+				 le32_to_cpu(trb->control));
 		dma +=3D sizeof(*trb);
 	}
=20
-	if (ret >=3D size)
-		pr_info("CDNS2: buffer overflowed.\n");
+	if (ret =3D=3D size - 1)
+		pr_info("CDNS2: buffer may be truncated.\n");
=20
 	return str;
 }
@@ -166,36 +166,36 @@ static inline const char *cdns2_decode_trb(char *str,=
 size_t size, u32 flags,
=20
 	switch (type) {
 	case TRB_LINK:
-		ret =3D snprintf(str, size,
-			       "LINK %08x type '%s' flags %c:%c:%c%c:%c",
-			       buffer, cdns2_trb_type_string(type),
-			       flags & TRB_CYCLE ? 'C' : 'c',
-			       flags & TRB_TOGGLE ? 'T' : 't',
-			       flags & TRB_CHAIN ? 'C' : 'c',
-			       flags & TRB_CHAIN ? 'H' : 'h',
-			       flags & TRB_IOC ? 'I' : 'i');
+		ret =3D scnprintf(str, size,
+				"LINK %08x type '%s' flags %c:%c:%c%c:%c",
+				buffer, cdns2_trb_type_string(type),
+				flags & TRB_CYCLE ? 'C' : 'c',
+				flags & TRB_TOGGLE ? 'T' : 't',
+				flags & TRB_CHAIN ? 'C' : 'c',
+				flags & TRB_CHAIN ? 'H' : 'h',
+				flags & TRB_IOC ? 'I' : 'i');
 		break;
 	case TRB_NORMAL:
-		ret =3D snprintf(str, size,
-			       "type: '%s', Buffer: %08x, length: %ld, burst len: %ld, "
-			       "flags %c:%c:%c%c:%c",
-			       cdns2_trb_type_string(type),
-			       buffer, TRB_LEN(length),
-			       TRB_FIELD_TO_BURST(length),
-			       flags & TRB_CYCLE ? 'C' : 'c',
-			       flags & TRB_ISP ? 'I' : 'i',
-			       flags & TRB_CHAIN ? 'C' : 'c',
-			       flags & TRB_CHAIN ? 'H' : 'h',
-			       flags & TRB_IOC ? 'I' : 'i');
+		ret =3D scnprintf(str, size,
+				"type: '%s', Buffer: %08x, length: %ld, burst len: %ld, "
+				"flags %c:%c:%c%c:%c",
+				cdns2_trb_type_string(type),
+				buffer, TRB_LEN(length),
+				TRB_FIELD_TO_BURST(length),
+				flags & TRB_CYCLE ? 'C' : 'c',
+				flags & TRB_ISP ? 'I' : 'i',
+				flags & TRB_CHAIN ? 'C' : 'c',
+				flags & TRB_CHAIN ? 'H' : 'h',
+				flags & TRB_IOC ? 'I' : 'i');
 		break;
 	default:
-		ret =3D snprintf(str, size, "type '%s' -> raw %08x %08x %08x",
-			       cdns2_trb_type_string(type),
-			       buffer, length, flags);
+		ret =3D scnprintf(str, size, "type '%s' -> raw %08x %08x %08x",
+				cdns2_trb_type_string(type),
+				buffer, length, flags);
 	}
=20
-	if (ret >=3D size)
-		pr_info("CDNS2: buffer overflowed.\n");
+	if (ret =3D=3D size - 1)
+		pr_info("CDNS2: buffer may be truncated.\n");
=20
 	return str;
 }
--=20
2.43.0.472.g3155946c3a-goog