enclosure_link_name() prefixes the component device name with
"enclosure_device:" in a fixed 64-byte stack buffer. The helper
currently uses strcpy() and strcat() with no remaining-space check.

enclosure_component_alloc() stores component names in a 64-byte buffer
and then uses dev_set_name() on that result, so dev_name(&cdev->cdev)
can already reach 63 characters. Prefixing that with the 17-byte
"enclosure_device:" string overflows the 64-byte link-name buffer.

Use snprintf() so link-name construction stays within
ENCLOSURE_NAME_SIZE without changing the existing callers.

Fixes: cb6b7f40630f ("[SCSI] ses: fix up functionality after class_device->device conversion")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
v2:
- wrap the changelog at 72 columns
- keep the fix to bounded link-name construction only
drivers/misc/enclosure.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/misc/enclosure.c b/drivers/misc/enclosure.c
index cf6382981777..de457378c501 100644
--- a/drivers/misc/enclosure.c
+++ b/drivers/misc/enclosure.c
@@ -184,8 +184,8 @@ EXPORT_SYMBOL_GPL(enclosure_unregister);
static void enclosure_link_name(struct enclosure_component *cdev, char *name)
{
- strcpy(name, "enclosure_device:");
- strcat(name, dev_name(&cdev->cdev));
+ snprintf(name, ENCLOSURE_NAME_SIZE, "enclosure_device:%s",
+ dev_name(&cdev->cdev));
}
static void enclosure_remove_links(struct enclosure_component *cdev)
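Review bot: the return value of snprintf() in enclosure_link_name() is discarded, so a device name that does not fit is silently cut short instead of being reported. By the changelog's own numbers (17-byte prefix, dev_name() of up to 63 characters, 64-byte buffer) the result can lose up to 17 trailing characters, and two long component names that differ only near the end would then produce the same link name. Consider comparing the return value against ENCLOSURE_NAME_SIZE and warning or failing on truncation, or sizing the destination for the prefix plus the longest device name so truncation cannot happen. Separately, the helper still takes a bare `char *name` and hardcodes ENCLOSURE_NAME_SIZE as the bound, which is only correct if every caller's buffer is at least that large; passing the buffer size as a parameter would make the bound explicit at each call site.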
--
2.50.1 (Apple Git-155)
On Sun, Mar 29, 2026 at 03:39:28PM +0800, Pengpeng Hou wrote:
> enclosure_link_name() prefixes the component device name with
> "enclosure_device:" in a fixed 64-byte stack buffer. The helper
> currently uses strcpy() and strcat() with no remaining-space check.
>
> enclosure_component_alloc() stores component names in a 64-byte buffer
> and then uses dev_set_name() on that result, so dev_name(&cdev->cdev)
> can already reach 63 characters. Prefixing that with the 17-byte
> "enclosure_device:" string overflows the 64-byte link-name buffer.
>
> Use snprintf() so link-name construction stays within
> ENCLOSURE_NAME_SIZE without changing the existing callers.
>
> Fixes: cb6b7f40630f ("[SCSI] ses: fix up functionality after class_device->device conversion")
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
> v2:
> - wrap the changelog at 72 columns
> - keep the fix to bounded link-name construction only

That is not what I suggested that you do at all, sorry. Please go and
re-read my last review.

thanks,

greg k-h