.../greybus/Documentation/firmware/firmware.c | 12 ++++++------ drivers/staging/greybus/greybus_firmware.h | 8 ++++---- 2 files changed, 10 insertions(+), 10 deletions(-)
Increase the size of firmware_tag arrays in the following structs from
GB_FIRMWARE_U_TAG_MAX_SIZE to GB_FIRMWARE_U_TAG_MAX_SIZE + 1 to
accommodate null termination:
- fw_mgmt_ioc_intf_load_and_validate
- fw_mgmt_ioc_get_backend_version
- fw_mgmt_ioc_backend_fw_update
- fw_mgmt_ioc_get_intf_version
Replace strncpy() with strscpy() to ensure proper null termination as
firmware_tag is interpreted as a null-terminated string
and printed with %s.
Signed-off-by: Pranav Tyagi <pranav.tyagi03@gmail.com>
---
.../greybus/Documentation/firmware/firmware.c | 12 ++++++------
drivers/staging/greybus/greybus_firmware.h | 8 ++++----
2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/drivers/staging/greybus/Documentation/firmware/firmware.c b/drivers/staging/greybus/Documentation/firmware/firmware.c
index 765d69faa9cc..3b4061f4b34a 100644
--- a/drivers/staging/greybus/Documentation/firmware/firmware.c
+++ b/drivers/staging/greybus/Documentation/firmware/firmware.c
@@ -63,8 +63,8 @@ static int update_intf_firmware(int fd)
intf_load.major = 0;
intf_load.minor = 0;
- strncpy((char *)&intf_load.firmware_tag, firmware_tag,
- GB_FIRMWARE_U_TAG_MAX_SIZE);
+ strscpy((char *)&intf_load.firmware_tag, firmware_tag,
+ GB_FIRMWARE_U_TAG_MAX_SIZE + 1);
ret = ioctl(fd, FW_MGMT_IOC_INTF_LOAD_AND_VALIDATE, &intf_load);
if (ret < 0) {
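Review bot: The copy bound for intf_load.firmware_tag is written out as `GB_FIRMWARE_U_TAG_MAX_SIZE + 1`, which is correct only while the array in greybus_firmware.h is declared with exactly that size; if the two ever disagree, the call can write one byte past the field. Deriving the bound from the destination, `sizeof(intf_load.firmware_tag)`, keeps it tied to the declaration, and the same applies to the backend_fw_info and backend_update copies in the two later hunks of this file. The result of the copy is also discarded, so a tag longer than the field would be truncated silently and the shortened tag passed to the ioctl; checking for a negative return and failing with a message would make that visible. update_intf_firmware() begins and ends outside the hunk, so where firmware_tag comes from is not visible here.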
@@ -101,8 +101,8 @@ static int update_backend_firmware(int fd)
/* Get Backend Firmware Version */
printf("Getting Backend Firmware Version\n");
- strncpy((char *)&backend_fw_info.firmware_tag, firmware_tag,
- GB_FIRMWARE_U_TAG_MAX_SIZE);
+ strscpy((char *)&backend_fw_info.firmware_tag, firmware_tag,
+ GB_FIRMWARE_U_TAG_MAX_SIZE + 1);
retry_fw_version:
ret = ioctl(fd, FW_MGMT_IOC_GET_BACKEND_FW, &backend_fw_info);
@@ -129,8 +129,8 @@ static int update_backend_firmware(int fd)
/* Try Backend Firmware Update over Unipro */
printf("Updating Backend Firmware\n");
- strncpy((char *)&backend_update.firmware_tag, firmware_tag,
- GB_FIRMWARE_U_TAG_MAX_SIZE);
+ strscpy((char *)&backend_update.firmware_tag, firmware_tag,
+ GB_FIRMWARE_U_TAG_MAX_SIZE + 1);
retry_fw_update:
backend_update.status = 0;
diff --git a/drivers/staging/greybus/greybus_firmware.h b/drivers/staging/greybus/greybus_firmware.h
index b6042a82ada4..ad5b2c8a6461 100644
--- a/drivers/staging/greybus/greybus_firmware.h
+++ b/drivers/staging/greybus/greybus_firmware.h
@@ -38,20 +38,20 @@
/* IOCTL support */
struct fw_mgmt_ioc_get_intf_version {
- __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
+ __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1];
__u16 major;
__u16 minor;
} __packed;
struct fw_mgmt_ioc_get_backend_version {
- __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
+ __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1];
__u16 major;
__u16 minor;
__u8 status;
} __packed;
struct fw_mgmt_ioc_intf_load_and_validate {
- __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
+ __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1];
__u8 load_method;
__u8 status;
__u16 major;
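Review bot: Enlarging firmware_tag in these structs does not by itself guarantee termination on the kernel side, because an ioctl caller fills the whole buffer and can leave every byte of firmware_tag non-zero. The code that receives these structs is not part of this diff; if it treats the field as a C string (the description says it is printed with %s), it should check for a terminator within the array after copying from userspace and reject the request otherwise. A comment on the field stating the contract would help, e.g. `/* NUL-terminated string, terminator included in the array size */`, for this hunk and for fw_mgmt_ioc_backend_fw_update in the next one.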
@@ -59,7 +59,7 @@ struct fw_mgmt_ioc_intf_load_and_validate {
} __packed;
struct fw_mgmt_ioc_backend_fw_update {
- __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
+ __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1];
__u8 status;
} __packed;
--
2.49.0
On Tue, Jun 17, 2025 at 06:21:37PM +0530, Pranav Tyagi wrote: > Increase the size of firmware_tag arrays in the following structs from > GB_FIRMWARE_U_TAG_MAX_SIZE to GB_FIRMWARE_U_TAG_MAX_SIZE + 1 to > accommodate null termination: > - fw_mgmt_ioc_intf_load_and_validate > - fw_mgmt_ioc_get_backend_version > - fw_mgmt_ioc_backend_fw_update > - fw_mgmt_ioc_get_intf_version > > Replace strncpy() with strscpy() to ensure proper null termination as > firmware_tag is interpreted as a null-terminated string > and printed with %s. > > Signed-off-by: Pranav Tyagi <pranav.tyagi03@gmail.com> > --- > .../greybus/Documentation/firmware/firmware.c | 12 ++++++------ > drivers/staging/greybus/greybus_firmware.h | 8 ++++---- > 2 files changed, 10 insertions(+), 10 deletions(-) > > diff --git a/drivers/staging/greybus/Documentation/firmware/firmware.c b/drivers/staging/greybus/Documentation/firmware/firmware.c > index 765d69faa9cc..3b4061f4b34a 100644 > --- a/drivers/staging/greybus/Documentation/firmware/firmware.c > +++ b/drivers/staging/greybus/Documentation/firmware/firmware.c > @@ -63,8 +63,8 @@ static int update_intf_firmware(int fd) > intf_load.major = 0; > intf_load.minor = 0; > > - strncpy((char *)&intf_load.firmware_tag, firmware_tag, > - GB_FIRMWARE_U_TAG_MAX_SIZE); > + strscpy((char *)&intf_load.firmware_tag, firmware_tag, > + GB_FIRMWARE_U_TAG_MAX_SIZE + 1); This is in the Documentation/ directory. It's sample userspace code. Userspace code doesn't have strscpy() so this won't compile. regards, dan carpenter
On Tue, Jun 17, 2025 at 06:21:37PM +0530, Pranav Tyagi wrote: > Increase the size of firmware_tag arrays in the following structs from > GB_FIRMWARE_U_TAG_MAX_SIZE to GB_FIRMWARE_U_TAG_MAX_SIZE + 1 to > accommodate null termination: > - fw_mgmt_ioc_intf_load_and_validate > - fw_mgmt_ioc_get_backend_version > - fw_mgmt_ioc_backend_fw_update > - fw_mgmt_ioc_get_intf_version > > Replace strncpy() with strscpy() to ensure proper null termination as > firmware_tag is interpreted as a null-terminated string > and printed with %s. > > Signed-off-by: Pranav Tyagi <pranav.tyagi03@gmail.com> > --- > .../greybus/Documentation/firmware/firmware.c | 12 ++++++------ > drivers/staging/greybus/greybus_firmware.h | 8 ++++---- > 2 files changed, 10 insertions(+), 10 deletions(-) > > diff --git a/drivers/staging/greybus/Documentation/firmware/firmware.c b/drivers/staging/greybus/Documentation/firmware/firmware.c > index 765d69faa9cc..3b4061f4b34a 100644 > --- a/drivers/staging/greybus/Documentation/firmware/firmware.c > +++ b/drivers/staging/greybus/Documentation/firmware/firmware.c > @@ -63,8 +63,8 @@ static int update_intf_firmware(int fd) > intf_load.major = 0; > intf_load.minor = 0; > > - strncpy((char *)&intf_load.firmware_tag, firmware_tag, > - GB_FIRMWARE_U_TAG_MAX_SIZE); > + strscpy((char *)&intf_load.firmware_tag, firmware_tag, > + GB_FIRMWARE_U_TAG_MAX_SIZE + 1); > > ret = ioctl(fd, FW_MGMT_IOC_INTF_LOAD_AND_VALIDATE, &intf_load); > if (ret < 0) { > @@ -101,8 +101,8 @@ static int update_backend_firmware(int fd) > /* Get Backend Firmware Version */ > printf("Getting Backend Firmware Version\n"); > > - strncpy((char *)&backend_fw_info.firmware_tag, firmware_tag, > - GB_FIRMWARE_U_TAG_MAX_SIZE); > + strscpy((char *)&backend_fw_info.firmware_tag, firmware_tag, > + GB_FIRMWARE_U_TAG_MAX_SIZE + 1); > > retry_fw_version: > ret = ioctl(fd, FW_MGMT_IOC_GET_BACKEND_FW, &backend_fw_info); 
> @@ -129,8 +129,8 @@ static int update_backend_firmware(int fd) > /* Try Backend Firmware Update over Unipro */ > printf("Updating Backend Firmware\n"); > > - strncpy((char *)&backend_update.firmware_tag, firmware_tag, > - GB_FIRMWARE_U_TAG_MAX_SIZE); > + strscpy((char *)&backend_update.firmware_tag, firmware_tag, > + GB_FIRMWARE_U_TAG_MAX_SIZE + 1); > > retry_fw_update: > backend_update.status = 0; > diff --git a/drivers/staging/greybus/greybus_firmware.h b/drivers/staging/greybus/greybus_firmware.h > index b6042a82ada4..ad5b2c8a6461 100644 > --- a/drivers/staging/greybus/greybus_firmware.h > +++ b/drivers/staging/greybus/greybus_firmware.h > @@ -38,20 +38,20 @@ > > /* IOCTL support */ > struct fw_mgmt_ioc_get_intf_version { > - __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE]; > + __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1]; > __u16 major; > __u16 minor; > } __packed; > > struct fw_mgmt_ioc_get_backend_version { > - __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE]; > + __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1]; > __u16 major; > __u16 minor; > __u8 status; > } __packed; > > struct fw_mgmt_ioc_intf_load_and_validate { > - __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE]; > + __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1]; > __u8 load_method; > __u8 status; > __u16 major; > @@ -59,7 +59,7 @@ struct fw_mgmt_ioc_intf_load_and_validate { > } __packed; > > struct fw_mgmt_ioc_backend_fw_update { > - __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE]; > + __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1]; > __u8 status; > } __packed; > You are changing the size of a userspace structure here, are you SURE this is allowed? How was this tested? thanks, greg k-h
On Tue, Jun 17, 2025 at 6:46 PM Greg KH <gregkh@linuxfoundation.org> wrote: > > On Tue, Jun 17, 2025 at 06:21:37PM +0530, Pranav Tyagi wrote: > > Increase the size of firmware_tag arrays in the following structs from > > GB_FIRMWARE_U_TAG_MAX_SIZE to GB_FIRMWARE_U_TAG_MAX_SIZE + 1 to > > accommodate null termination: > > - fw_mgmt_ioc_intf_load_and_validate > > - fw_mgmt_ioc_get_backend_version > > - fw_mgmt_ioc_backend_fw_update > > - fw_mgmt_ioc_get_intf_version > > > > Replace strncpy() with strscpy() to ensure proper null termination as > > firmware_tag is interpreted as a null-terminated string > > and printed with %s. > > > > Signed-off-by: Pranav Tyagi <pranav.tyagi03@gmail.com> > > --- > > .../greybus/Documentation/firmware/firmware.c | 12 ++++++------ > > drivers/staging/greybus/greybus_firmware.h | 8 ++++---- > > 2 files changed, 10 insertions(+), 10 deletions(-) > > > > diff --git a/drivers/staging/greybus/Documentation/firmware/firmware.c b/drivers/staging/greybus/Documentation/firmware/firmware.c > > index 765d69faa9cc..3b4061f4b34a 100644 > > --- a/drivers/staging/greybus/Documentation/firmware/firmware.c > > +++ b/drivers/staging/greybus/Documentation/firmware/firmware.c > > @@ -63,8 +63,8 @@ static int update_intf_firmware(int fd) > > intf_load.major = 0; > > intf_load.minor = 0; > > > > - strncpy((char *)&intf_load.firmware_tag, firmware_tag, > > - GB_FIRMWARE_U_TAG_MAX_SIZE); > > + strscpy((char *)&intf_load.firmware_tag, firmware_tag, > > + GB_FIRMWARE_U_TAG_MAX_SIZE + 1); > > > > ret = ioctl(fd, FW_MGMT_IOC_INTF_LOAD_AND_VALIDATE, &intf_load); > > if (ret < 0) { 
> > @@ -101,8 +101,8 @@ static int update_backend_firmware(int fd) > > /* Get Backend Firmware Version */ > > printf("Getting Backend Firmware Version\n"); > > > > - strncpy((char *)&backend_fw_info.firmware_tag, firmware_tag, > > - GB_FIRMWARE_U_TAG_MAX_SIZE); > > + strscpy((char *)&backend_fw_info.firmware_tag, firmware_tag, > > + GB_FIRMWARE_U_TAG_MAX_SIZE + 1); > > > > retry_fw_version: > > ret = ioctl(fd, FW_MGMT_IOC_GET_BACKEND_FW, &backend_fw_info); > > @@ -129,8 +129,8 @@ static int update_backend_firmware(int fd) > > /* Try Backend Firmware Update over Unipro */ > > printf("Updating Backend Firmware\n"); > > > > - strncpy((char *)&backend_update.firmware_tag, firmware_tag, > > - GB_FIRMWARE_U_TAG_MAX_SIZE); > > + strscpy((char *)&backend_update.firmware_tag, firmware_tag, > > + GB_FIRMWARE_U_TAG_MAX_SIZE + 1); > > > > retry_fw_update: > > backend_update.status = 0; > > diff --git a/drivers/staging/greybus/greybus_firmware.h b/drivers/staging/greybus/greybus_firmware.h > > index b6042a82ada4..ad5b2c8a6461 100644 > > --- a/drivers/staging/greybus/greybus_firmware.h > > +++ b/drivers/staging/greybus/greybus_firmware.h > > @@ -38,20 +38,20 @@ > > > > /* IOCTL support */ > > struct fw_mgmt_ioc_get_intf_version { > > - __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE]; > > + __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1]; > > __u16 major; > > __u16 minor; > > } __packed; > > > > struct fw_mgmt_ioc_get_backend_version { > > - __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE]; > > + __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1]; > > __u16 major; > > __u16 minor; > > __u8 status; > > } __packed; > > > > struct fw_mgmt_ioc_intf_load_and_validate { > > - __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE]; > > + __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1]; > > __u8 load_method; > > __u8 status; > > __u16 major; 
> > @@ -59,7 +59,7 @@ struct fw_mgmt_ioc_intf_load_and_validate { > > } __packed; > > > > struct fw_mgmt_ioc_backend_fw_update { > > - __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE]; > > + __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1]; > > __u8 status; > > } __packed; > > > > You are changing the size of a userspace structure here, are you SURE > this is allowed? > > How was this tested? > > thanks, > > greg k-h Hi, You're absolutely right — changing the size of a userspace-visible structure like this is not allowed and I apologize for the oversight. I did compile and boot the kernel with the patch applied, but I now realize that I should have also tested it against the actual userspace tooling to validate ABI compatibility — which I didn’t do. That was a miss on my part. Thanks for the review and the guidance. I’ll fix the patch to preserve structure sizes and ensure safe null termination without breaking the ABI — likely by using strscpy() with size - 1 and setting the last byte explicitly if needed. Apologies for the oversight. Regards Pranav Tyagi