[PATCH] scsi: hpsa: use bounded formatting for controller and IRQ names

Pengpeng Hou posted 1 patch 4 days, 7 hours ago
drivers/scsi/hpsa.c | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
[PATCH] scsi: hpsa: use bounded formatting for controller and IRQ names
Posted by Pengpeng Hou 4 days, 7 hours ago
hpsa stores the controller name in h->devname[8] and derives fixed
16-byte interrupt names from it with sprintf(). Once host_no reaches
four digits, h->devname no longer fits and the derived IRQ names then
build on top of that already overlong string.

Switch these name builders to scnprintf() so they stay inside the fixed buffers.

Fixes: 2946e82bdd76 ("hpsa: use scsi host_no as hpsa controller number")
Fixes: 8b47004a5512 ("hpsa: add interrupt number to /proc/interrupts interrupt name")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 drivers/scsi/hpsa.c | 31 ++++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)

diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
index a1b116cd4723..479abb23c536 100644
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -8100,16 +8100,16 @@ static int hpsa_request_irqs(struct ctlr_info *h,
 	if (h->intr_mode == PERF_MODE_INT && h->msix_vectors > 0) {
 		/* If performant mode and MSI-X, use multiple reply queues */
 		for (i = 0; i < h->msix_vectors; i++) {
-			sprintf(h->intrname[i], "%s-msix%d", h->devname, i);
+			scnprintf(h->intrname[i], sizeof(h->intrname[i]),
+				  "%s-msix%d", h->devname, i);
 			rc = request_irq(pci_irq_vector(h->pdev, i), msixhandler,
-					0, h->intrname[i],
-					&h->q[i]);
+					 0, h->intrname[i], &h->q[i]);
 			if (rc) {
 				int j;
 
 				dev_err(&h->pdev->dev,
 					"failed to get irq %d for %s\n",
-				       pci_irq_vector(h->pdev, i), h->devname);
+					pci_irq_vector(h->pdev, i), h->devname);
 				for (j = 0; j < i; j++) {
 					free_irq(pci_irq_vector(h->pdev, j), &h->q[j]);
 					h->q[j] = 0;
@@ -8122,19 +8122,19 @@ static int hpsa_request_irqs(struct ctlr_info *h,
 	} else {
 		/* Use single reply pool */
 		if (h->msix_vectors > 0 || h->pdev->msi_enabled) {
-			sprintf(h->intrname[0], "%s-msi%s", h->devname,
-				h->msix_vectors ? "x" : "");
+			scnprintf(h->intrname[0], sizeof(h->intrname[0]),
+				  "%s-msi%s", h->devname,
+				  h->msix_vectors ? "x" : "");
 			rc = request_irq(pci_irq_vector(h->pdev, irq_vector),
-				msixhandler, 0,
-				h->intrname[0],
-				&h->q[h->intr_mode]);
+					 msixhandler, 0, h->intrname[0],
+					 &h->q[h->intr_mode]);
 		} else {
-			sprintf(h->intrname[h->intr_mode],
-				"%s-intx", h->devname);
+			scnprintf(h->intrname[h->intr_mode],
+				  sizeof(h->intrname[h->intr_mode]),
+				  "%s-intx", h->devname);
 			rc = request_irq(pci_irq_vector(h->pdev, irq_vector),
-				intxhandler, IRQF_SHARED,
-				h->intrname[0],
-				&h->q[h->intr_mode]);
+					 intxhandler, IRQF_SHARED,
+					 h->intrname[0], &h->q[h->intr_mode]);
 		}
 	}
 	if (rc) {
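Review bot: In the INTx branch the name is formatted into `h->intrname[h->intr_mode]`, but `request_irq()` is still handed `h->intrname[0]`, so whenever intr_mode is nonzero on this path the IRQ is registered under whatever slot 0 happens to contain. The mismatch predates this patch, but the patch rewrites both lines and leaves it in place. Using one slot for both, e.g. `scnprintf(h->intrname[0], sizeof(h->intrname[0]), "%s-intx", h->devname);`, would tie the name shown for the interrupt to the string just built. Whether intr_mode can be nonzero here is not visible in the hunk, and hpsa_request_irqs() starts and ends outside it.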
@@ -8715,7 +8715,8 @@ static int hpsa_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
 	if (rc)
 		goto clean2_5;	/* pci, lu, aer/h */
 
-	sprintf(h->devname, HPSA "%d", h->scsi_host->host_no);
+	scnprintf(h->devname, sizeof(h->devname), HPSA "%d",
+		  h->scsi_host->host_no);
 	h->ctlr = number_of_controllers;
 	number_of_controllers++;
 
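Review bot: With devname still 8 bytes, `scnprintf()` leaves room for only three digits after "hpsa", so host 1000 would be named "hpsa100", the same as host 100, and the return value is discarded so nothing reports the clipping. The same string feeds the dev_err() message and the IRQ names built in hpsa_request_irqs(), so log lines and interrupt entries from two controllers would become indistinguishable. Consider sizing the buffer for the full value, or calling `snprintf()` and warning when its result is `>= sizeof(h->devname)`. If host_no is an unsigned int, as I believe it is in struct Scsi_Host, `%u` would also match it better than `%d`. hpsa_init_one() continues outside this hunk.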
-- 
2.50.1 (Apple Git-155)
[PATCH v2] scsi: hpsa: enlarge controller and IRQ name buffers
Posted by Pengpeng Hou 22 hours ago
hpsa formats the controller name into h->devname[8] and derives
interrupt names from it in h->intrname[][16]. Once host_no reaches four
digits, "hpsa%d" no longer fits in devname, and the derived IRQ names
can then overrun the interrupt-name buffers as well.

The previous fix switched these builders to bounded formatting, but that
would truncate user-visible controller and IRQ names. Keep the existing
names intact instead by enlarging the fixed buffers to cover the current
formatted strings.

Fixes: 2946e82bdd76 ("hpsa: use scsi host_no as hpsa controller number")
Fixes: 8b47004a5512 ("hpsa: add interrupt number to /proc/interrupts interrupt name")
Acked-by: Don Brace <don.brace@microchip.com>
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
v2:
- enlarge the fixed buffers instead of truncating the formatted names
- drop the mixed formatting-only changes

 drivers/scsi/hpsa.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
index 99b0750850b2..bf33868a63d9 100644
--- a/drivers/scsi/hpsa.h
+++ b/drivers/scsi/hpsa.h
@@ -164,7 +164,7 @@ struct bmic_controller_parameters {
 struct ctlr_info {
 	unsigned int *reply_map;
 	int	ctlr;
-	char	devname[8];
+	char	devname[16];
 	char    *product_name;
 	struct pci_dev *pdev;
 	u32	board_id;
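Review bot: The new size 16 is a bare number with no stated link to the format that fills it; by the description that format is "hpsa%d", whose worst case for a 32-bit value is 4 + 11 characters plus the NUL, i.e. exactly 16 with no slack. The diffstat shows only hpsa.h changing, so the sprintf() calls in hpsa.c stay unbounded, and a later change to the prefix or format would overrun devname (and likewise intrname in the next hunk) silently. I would add a comment such as `/* "hpsa" + host_no via %d (max 11 chars) + NUL */` and pair the larger buffer with `snprintf(h->devname, sizeof(h->devname), ...)` at the call site as defence in depth. struct ctlr_info continues past this hunk.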
@@ -255,7 +255,7 @@ struct ctlr_info {
 	int remove_in_progress;
 	/* Address of h->q[x] is passed to intr handler to know which queue */
 	u8 q[MAX_REPLY_QUEUES];
-	char intrname[MAX_REPLY_QUEUES][16];	/* "hpsa0-msix00" names */
+	char intrname[MAX_REPLY_QUEUES][32];	/* controller and IRQ names */
 	u32 TMFSupportFlags; /* cache what task mgmt funcs are supported. */
 #define HPSATMF_BITS_SUPPORTED  (1 << 0)
 #define HPSATMF_PHYS_LUN_RESET  (1 << 1)
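Review bot: The replacement comment on intrname, `/* controller and IRQ names */`, is less accurate than the one it removes: going by the description this array holds only the derived interrupt names, and the old text at least showed their shape. Something like `/* IRQ names: devname + "-msix" + vector index, e.g. "hpsa0-msix00" */` would record what the 32 bytes have to cover.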
-- 
2.50.1 (Apple Git-155)