From nobody Sun Feb 8 18:44:08 2026 Received: from unicom145.biz-email.net (unicom145.biz-email.net [210.51.26.145]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9E691136351 for ; Tue, 30 Dec 2025 12:48:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=210.51.26.145 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767098901; cv=none; b=mdCey8iIODHLDnP5BLwbFu7DWHQJ2K6v6iqzbJJMhDRhD9uhV4cjytl39fLjcxqbReJRBzgWEsgTedTg4MSA0kuprT+BC150yrwuX4NSyU49N663kaKStdg3fiGepcN/+DyKEODf3PZHOEwZR2WZzXyGdqLjrpXiWZiLVV9tQFY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767098901; c=relaxed/simple; bh=p1EnAAUx0r3Azj3piUJOBv2iasvWY5lT3gQK/2IX6bg=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=TrD6FlsTgv58biVFKOmfj9RCSsK3Nrlz68Bqm7QEpQpX98Wp+CnK2Ytm/XhyFTapHbMF5v0vl8KeW0bsZXTtjXmTO3WCZgXZfQ+XRjqz83U+YjBa6uJvqNmgDi05HngrdoMun5XT5gQSGyAOPdsF3vioy3jkknv/umdGGxXTrxU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=inspur.com; spf=pass smtp.mailfrom=inspur.com; arc=none smtp.client-ip=210.51.26.145 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=inspur.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=inspur.com Received: from inspur.com by unicom145.biz-email.net ((D)) with ESMTP id 202512302046590306 for ; Tue, 30 Dec 2025 20:46:59 +0800 Received: from anolis.. (unknown [10.94.7.65]) by app5 (Coremail) with SMTP id bQJkCsDwM0vCyVNpOZ4PAA--.3236S2; Tue, 30 Dec 2025 20:46:59 +0800 (CST) From: yangqixiao To: jdmason@kudzu.us, dave.jiang@intel.com Cc: allenbh@gmail.com, linux-kernel@vger.kernel.org, yangqixiao Subject: [PATCH v1] ntb/ntb_tool: correct sscanf format for u64 and size_t in tool_peer_mw_trans_write Date: Tue, 30 Dec 2025 20:46:56 +0800 Message-ID: <20251230124656.4709-1-yangqixiao@inspur.com> X-Mailer: git-send-email 2.47.3 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-CM-TRANSID: bQJkCsDwM0vCyVNpOZ4PAA--.3236S2 X-Coremail-Antispam: 1UD129KBjvJXoW7tF4fCF4Dtr4UCr1rZF43KFg_yoW8GryDpF 45C3y0k3y8XFnrJ3srtw4DZa4rJ3Z7Aay7CFWfGrya9F4UXF109Fy5GayFqFyIvr4kXF43 Aa98Jry5KwnrAaDanT9S1TB71UUUUUJqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvS14x267AKxVWUJVW8JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02 1l84ACjcxK6xIIjxv20xvE14v26w1j6s0DM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26rxl 6s0DM28EF7xvwVC2z280aVAFwI0_GcCE3s1l84ACjcxK6I8E87Iv6xkF7I0E14v26rxl6s 0DM2kKe7AKxVWUXVWUAwAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAq x4xG6I80ewAv7VC0I7IYx2IY67AKxVWUAVWUtwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6x CaFVCjc4AY6r1j6r4UM4x0Y48IcxkI7VAKI48JM4x0x7Aq67IIx4CEVc8vx2IErcIFxwCY 1x0262kKe7AKxVWUAVWUtwCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbVWUJVW8Jw C20s026c02F40E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF67kF1VAF wI0_JF0_Jw1lIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCwCI42IY6xIIjx v20xvEc7CjxVAFwI0_Jr0_Gr1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1xMIIF0xvEx4A2 jsIE14v26r1j6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Jr0_GrUvcSsGvfC2KfnxnUUI43 ZEXa7VUjhZ2DUUUUU== X-CM-SenderInfo: 51dqw15l0lt0o6lq211xuou0bp/ tUid: 202512302046593e957a74bf50c9a4a8e92f5a732564fd X-Abuse-Reports-To: service@corp-email.com Abuse-Reports-To: service@corp-email.com X-Complaints-To: service@corp-email.com X-Report-Abuse-To: service@corp-email.com Content-Type: text/plain; charset="utf-8" The sscanf() call in tool_peer_mw_trans_write() uses "%lli:%zi" to parse user input into 'u64 addr' and 'size_t wsize'. This is incorrect: - "%lli" expects a signed long long *, but 'addr' is u64 (unsigned). Input like "0x8000000000000000" is misinterpreted as negative, leading to corrupted address values. - "%zi" expects a signed ssize_t *, but 'wsize' is size_t (unsigned). Input of "-1" is successfully parsed and stored as SIZE_MAX (e.g., 0xFFFFFFFFFFFFFFFF), which may cause buffer overflows or infinite loops in subsequent memory operations. Fix by using format specifiers that match the actual variable types: - "%llu" for u64 (supports hex/decimal, standard for kernel u64 parsing) - "%zu" for size_t (standard and safe; rejects negative input) Signed-off-by: yangqixiao Reviewed-by: Dave Jiang --- drivers/ntb/test/ntb_tool.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c index 641cb7e05a47..06881047f5bc 100644 --- a/drivers/ntb/test/ntb_tool.c +++ b/drivers/ntb/test/ntb_tool.c @@ -936,7 +936,7 @@ static ssize_t tool_peer_mw_trans_write(struct file *fi= lep, =20 buf[buf_size] =3D '\0'; =20 - n =3D sscanf(buf, "%lli:%zi", &addr, &wsize); + n =3D sscanf(buf, "%llu:%zu", &addr, &wsize); if (n !=3D 2) return -EINVAL; =20 --=20 2.47.3