From nobody Sun Jun 14 19:03:03 2026 Received: from cstnet.cn (smtp21.cstnet.cn [159.226.251.21]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 912E55B21A; Sun, 5 Apr 2026 02:32:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.226.251.21 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775356334; cv=none; b=n0hySNo3DOqXUer3TjF2qTEPBkKlzGLA7lCfaOdPiaJ2SZNhzm1pNcG1La2UVbNx8VpzIWr2MoVSJ0ola61NKNW51FFyH6V5zsQH24JXgTmpJMWbSVBTcJetrNCRYhYHpOG5Nwgeqb2ittRJCB0IfdypkK3lmYjo+Cs651AMRFI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775356334; c=relaxed/simple; bh=v3B7nEQsjXMP6J+5qQ0xcdjje6RSyDrMaKEvBLvBuRM=; h=From:Date:Message-ID:To:Cc:In-Reply-To:References:Subject; b=CSfUNC9m/sy18yL9QAP+KvQhPjLrpS7QTmUkr71nqN6Ow7dxyDMYLnke9pbzR01gGROFMI6hzChPOqzrnu2yI2BOHZi32/n1ocbmjGAko3S9/jtQL2jCAmiAzO4LnnPmXIrVcMab1IvGmrMZlmYpjZOvmZ6GsUze6J6jE733RZo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn; spf=pass smtp.mailfrom=iscas.ac.cn; arc=none smtp.client-ip=159.226.251.21 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iscas.ac.cn Received: from 0001-MIPS-dec-bound-PROM-command-line-appends.eml (unknown [111.196.245.197]) by APP-01 (Coremail) with SMTP id qwCowAAXwWypydFpQFU5DA--.13509S2; Sun, 05 Apr 2026 10:32:10 +0800 (CST) From: Pengpeng Hou Date: Sat, 4 Apr 2026 22:06:16 +0800 Message-ID: <20260405102001.1-mips-cmdline-pengpeng@iscas.ac.cn> To: Thomas Bogendoerfer , "Maciej W. Rozycki" Cc: linux-mips@vger.kernel.org, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn In-Reply-To: <20260405102000.0-mips-cmdline-series-pengpeng@iscas.ac.cn> References: <20260405102000.0-mips-cmdline-series-pengpeng@iscas.ac.cn> Subject: [PATCH 1/8] MIPS: dec: bound PROM command-line appends X-CM-TRANSID: qwCowAAXwWypydFpQFU5DA--.13509S2 X-Coremail-Antispam: 1UD129KBjvJXoW7XryUAF47AF4DAw48Kw1DAwb_yoW8Jr4Upa yYkanxWF1rur47J3s8ZFW5Xay8Zas5WwsI9r1jq34xu3WrXFn5Wr4Fgrs8ur18JrWIvFyx ZF429ryUJFyxZaDanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvC14x267AKxVWUJVW8JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2jI8I6cxK6x804I0_Grv_XF1l8cAvFVAK0II2c7 xJM28CjxkF64kEwVA0rcxSw2x7M28EF7xvwVC0I7IYx2IY67AKxVW8JVW5JwA2z4x0Y4vE 2Ix0cI8IcVCY1x0267AKxVW8JVWxJwA2z4x0Y4vEx4A2jsIE14v26F4UJVW0owA2z4x0Y4 vEx4A2jsIEc7CjxVAFwI0_Cr1j6rxdM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVAC Y4xI64kE6c02F40Ex7xfMcIj6xIIjxv20xvE14v26r106r15McIj6I8E87Iv67AKxVWUJV W8JwAm72CE4IkC6x0Yz7v_Jr0_Gr1lF7xvr2IY64vIr41lF7I21c0EjII2zVCS5cI20VAG YxC7MxkF7I0En4kS14v26r126r1DMxAIw28IcxkI7VAKI48JMxC20s026xCaFVCjc4AY6r 1j6r4UMI8I3I0E5I8CrVAFwI0_Jr0_Jr4lx2IqxVCjr7xvwVAFwI0_JrI_JrWlx4CE17CE b7AF67AKxVWUAVWUtwCIc40Y0x0EwIxGrwCI42IY6xIIjxv20xvE14v26r1j6r1xMIIF0x vE2Ix0cI8IcVCY1x0267AKxVWUJVW8JwCI42IY6xAIw20EY4v20xvaj40_Jr0_JF4lIxAI cVC2z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aVCY1x0267AKxVW8JVW8JrUvcSsGvfC2Kf nxnUUI43ZEXa7VUbhvttUUUUU== X-CM-SenderInfo: pshqw1xhqjqxpvfd2hldfou0/ Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" prom_init_cmdline() appends raw firmware arguments into the fixed arcs_cmdline buffer with strcat() and adds spaces with another unchecked strcat(). A long enough argument list can therefore run past the end of the command-line buffer during early boot. Switch the appends to bounded concatenation so the PROM argument scan cannot overflow arcs_cmdline. Signed-off-by: Pengpeng Hou --- arch/mips/dec/prom/cmdline.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/arch/mips/dec/prom/cmdline.c b/arch/mips/dec/prom/cmdline.c index 3ed63280ae29..954b14c103d2 100644 --- a/arch/mips/dec/prom/cmdline.c +++ b/arch/mips/dec/prom/cmdline.c @@ -29,9 +29,13 @@ void __init prom_init_cmdline(s32 argc, s32 *argv, u32 m= agic) start_arg =3D 2; for (i =3D start_arg; i < argc; i++) { arg =3D (void *)(long)(argv[i]); - strcat(arcs_cmdline, arg); - if (i < (argc - 1)) - strcat(arcs_cmdline, " "); + if (strlcat(arcs_cmdline, arg, COMMAND_LINE_SIZE) >=3D + COMMAND_LINE_SIZE) + break; + if (i < (argc - 1) && + strlcat(arcs_cmdline, " ", COMMAND_LINE_SIZE) >=3D + COMMAND_LINE_SIZE) + break; } =20 #ifdef PROM_DEBUG --=20 2.50.1 (Apple Git-155) From nobody Sun Jun 14 19:03:03 2026 Received: from cstnet.cn (smtp21.cstnet.cn [159.226.251.21]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C0F9C1FF7C8; Sun, 5 Apr 2026 02:32:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.226.251.21 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775356334; cv=none; b=oeAaU2rmAzGFqEumRXhExY9l7fMvheGgT4hoI+3NyQYkYTvNcnx0aglgdpQ08FZ6d88/Oaq06TD3DM8zfad6ZdARcfbK3eNyF33vcZguyr1vlbT7pkkak+RBHXS0bfZisY/tI4MLv9twdCVfqSc7b8EWjDflIKx1L4kLjGEbRQw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775356334; c=relaxed/simple; bh=Q84Y8fu+kq+dKV65V1nC7y2jkclD1Fyfp2VvcEVqDFQ=; h=From:Date:Message-ID:To:Cc:In-Reply-To:References:Subject; b=Zovxu0a4tJ9iMRqmwM//k5ZHHSOM9L9Npxki74AQ/DItnAIXh5anndx/6iPEiVfOVXecb1XopTelrV8T6JlYZGqOrq9mtoK0XQf7ZiikItEQ/hbgRCM1B+ulVN7USA7z5x/+HIIUAnTb2xrqujEBZ4IVCYUgOui4IT247F7l2mc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn; spf=pass smtp.mailfrom=iscas.ac.cn; arc=none smtp.client-ip=159.226.251.21 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iscas.ac.cn Received: from 0002-MIPS-sni-bound-PROM-command-line-appends.eml (unknown [111.196.245.197]) by APP-01 (Coremail) with SMTP id qwCowACnTGiqydFpTVU5DA--.4655S2; Sun, 05 Apr 2026 10:32:10 +0800 (CST) From: Pengpeng Hou Date: Sat, 4 Apr 2026 22:06:16 +0800 Message-ID: <20260405102002.2-mips-cmdline-pengpeng@iscas.ac.cn> To: Thomas Bogendoerfer , "Maciej W. Rozycki" Cc: linux-mips@vger.kernel.org, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn In-Reply-To: <20260405102000.0-mips-cmdline-series-pengpeng@iscas.ac.cn> References: <20260405102000.0-mips-cmdline-series-pengpeng@iscas.ac.cn> Subject: [PATCH 2/8] MIPS: sni: bound PROM command-line appends X-CM-TRANSID: qwCowACnTGiqydFpTVU5DA--.4655S2 X-Coremail-Antispam: 1UD129KBjvdXoW7JFWrXr45ZFW5urW3Ww1kGrg_yoWkZFcE9r 90g3WrZrWfWFnrXan3u34Fqryava98KF9xtrs8tryrAry3Aa1fGrWrGrWfZr4UGr97Cr15 tFn7Jr1ayr1akjkaLaAFLSUrUUUUjb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT 9fnUUIcSsGvfJTRUUUbVxFF20E14v26r1j6r4UM7CY07I20VC2zVCF04k26cxKx2IYs7xG 6rWj6s0DM7CIcVAFz4kK6r1j6r18M280x2IEY4vE77IFxVW8XVW5AwA2ocxC64kIII0Yj4 1l84x0c7CEw4AK67xGY2AK021l84ACjcxK6xIIjxv20xvE14v26r4j6ryUM28EF7xvwVC0 I7IYx2IY6xkF7I0E14v26r4j6F4UM28EF7xvwVC2z280aVAFwI0_Cr1j6rxdM28EF7xvwV C2z280aVCY1x0267AKxVWxJr0_GcWle2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xv F2IEw4CE5I8CrVC2j2WlYx0E2Ix0cI8IcVAFwI0_Jrv_JF1lYx0Ex4A2jsIE14v26r1j6r 4UMcvjeVCFs4IE7xkEbVWUJVW8JwACjcxG0xvEwIxGrwACjI8F5VA0II8E6IAqYI8I648v 4I1lc7CjxVAaw2AFwI0_JF0_Jw1l42xK82IYc2Ij64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr 0_Gr1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF1VAY 17CE14v26r126r1DMIIYrxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcV C0I7IYx2IY6xkF7I0E14v26r4j6F4UMIIF0xvE42xK8VAvwI8IcIk0rVWUJVWUCwCI42IY 6I8E87Iv67AKxVWUJVW8JwCI42IY6I8E87Iv6xkF7I0E14v26r4j6r4UJbIYCTnIWIevJa 73UjIFyTuYvjfU5oGQDUUUU X-CM-SenderInfo: pshqw1xhqjqxpvfd2hldfou0/ Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" prom_init() copies SNI PROM arguments into arcs_cmdline with unchecked strcat() calls for both the argument text and the separating spaces. A long enough PROM command line can therefore overflow the fixed kernel command-line buffer during boot. Use bounded concatenation for the copied arguments and separators. Signed-off-by: Pengpeng Hou --- arch/mips/fw/sni/sniprom.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/arch/mips/fw/sni/sniprom.c b/arch/mips/fw/sni/sniprom.c index 74975e115950..61f4b9f70d30 100644 --- a/arch/mips/fw/sni/sniprom.c +++ b/arch/mips/fw/sni/sniprom.c @@ -142,8 +142,12 @@ void __init prom_init(void) =20 /* copy prom cmdline parameters to kernel cmdline */ for (i =3D 1; i < argc; i++) { - strcat(arcs_cmdline, (char *)CKSEG0ADDR(argv[i])); - if (i < (argc - 1)) - strcat(arcs_cmdline, " "); + if (strlcat(arcs_cmdline, (char *)CKSEG0ADDR(argv[i]), + COMMAND_LINE_SIZE) >=3D COMMAND_LINE_SIZE) + break; + if (i < (argc - 1) && + strlcat(arcs_cmdline, " ", COMMAND_LINE_SIZE) >=3D + COMMAND_LINE_SIZE) + break; } } --=20 2.50.1 (Apple Git-155) From nobody Sun Jun 14 19:03:03 2026 Received: from cstnet.cn (smtp21.cstnet.cn [159.226.251.21]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DCAB82571DD; Sun, 5 Apr 2026 02:32:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.226.251.21 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775356334; cv=none; b=LwJaPpd8PgPOWkvn17LwnqOoYy1G17LH7V+bh52uG+FtbG0A7o1P6+symYDaOJ6e1NWA032tcl3DL4g3CGSuz3Nj7daWq/B7x2Krn+RAHX0ewySQqTkQHFplr5vNY5y4tlZ09zt+mXptdZ6NwyuvY6oJRg9zb1YJeYbTALnuNGU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775356334; c=relaxed/simple; bh=+qDJvmWI/hbndZ5CqifX8okTd3ayl7svYuprOU7VwMA=; h=From:Date:Message-ID:To:Cc:In-Reply-To:References:Subject; b=hPbZ3OmnT8tt9cGxDnizZT1U8Vd3PWC6K4BLm30ZGIYfTwLr9G0EOPApnjtbjZ2Dn62VSSZFFos1TcQiY6UhLurZfTgAM5TPJUeec3gDwUCwm9q9alb0vNaXd/yWVy11xFWyMxSRYIothLKzXc77Nz5z+zuULR6MSHbEYV3T/KY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn; spf=pass smtp.mailfrom=iscas.ac.cn; arc=none smtp.client-ip=159.226.251.21 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iscas.ac.cn Received: from 0003-MIPS-lemote-2f-bound-machtype-command-line-append.eml (unknown [111.196.245.197]) by APP-01 (Coremail) with SMTP id qwCowACXPWmqydFpUFU5DA--.5750S2; Sun, 05 Apr 2026 10:32:10 +0800 (CST) From: Pengpeng Hou Date: Sat, 4 Apr 2026 22:06:16 +0800 Message-ID: <20260405102003.3-mips-cmdline-pengpeng@iscas.ac.cn> To: Thomas Bogendoerfer , "Maciej W. Rozycki" Cc: linux-mips@vger.kernel.org, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn In-Reply-To: <20260405102000.0-mips-cmdline-series-pengpeng@iscas.ac.cn> References: <20260405102000.0-mips-cmdline-series-pengpeng@iscas.ac.cn> Subject: [PATCH 3/8] MIPS: lemote-2f: bound machtype command-line append X-CM-TRANSID: qwCowACXPWmqydFpUFU5DA--.5750S2 X-Coremail-Antispam: 1UD129KBjvJXoW7Xr4kXFy3Gr4fArWkWr43Awb_yoW8Jr1UpF y3uanxWF45Zw47G347uFy5Xw1fu395XwnxZr1avw1Yg3WUWryUWr1rCryDXr48Jr47Za4r u3y0kF1UXa47u3JanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvC14x267AKxVWUJVW8JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2jI8I6cxK6x804I0_Grv_XF1l8cAvFVAK0II2c7 xJM28CjxkF64kEwVA0rcxSw2x7M28EF7xvwVC0I7IYx2IY67AKxVW8JVW5JwA2z4x0Y4vE 2Ix0cI8IcVCY1x0267AKxVW8JVWxJwA2z4x0Y4vEx4A2jsIE14v26F4UJVW0owA2z4x0Y4 vEx4A2jsIEc7CjxVAFwI0_Cr1j6rxdM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVAC Y4xI64kE6c02F40Ex7xfMcIj6xIIjxv20xvE14v26r1Y6r17McIj6I8E87Iv67AKxVWUJV W8JwAm72CE4IkC6x0Yz7v_Jr0_Gr1lF7xvr2IY64vIr41lF7I21c0EjII2zVCS5cI20VAG YxC7MxkF7I0En4kS14v26r126r1DMxAIw28IcxkI7VAKI48JMxC20s026xCaFVCjc4AY6r 1j6r4UMI8I3I0E5I8CrVAFwI0_Jr0_Jr4lx2IqxVCjr7xvwVAFwI0_JrI_JrWlx4CE17CE b7AF67AKxVWUAVWUtwCIc40Y0x0EwIxGrwCI42IY6xIIjxv20xvE14v26r1j6r1xMIIF0x vE2Ix0cI8IcVCY1x0267AKxVW8JVWxJwCI42IY6xAIw20EY4v20xvaj40_Jr0_JF4lIxAI cVC2z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aVCY1x0267AKxVW8JVW8JrUvcSsGvfC2Kf nxnUUI43ZEXa7VUbb_-PUUUUU== X-CM-SenderInfo: pshqw1xhqjqxpvfd2hldfou0/ Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" mach_prom_init_machtype() appends the synthesized machtype argument to the fixed arcs_cmdline buffer with a chain of unchecked strcat() calls. If the PROM command line is already near full, the extra machtype text can run past the end of the buffer. Switch the append steps to bounded concatenation. Signed-off-by: Pengpeng Hou --- arch/mips/loongson2ef/lemote-2f/machtype.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/arch/mips/loongson2ef/lemote-2f/machtype.c b/arch/mips/loongso= n2ef/lemote-2f/machtype.c index 9462a3ab57be..359fe7f826b8 100644 --- a/arch/mips/loongson2ef/lemote-2f/machtype.c +++ b/arch/mips/loongson2ef/lemote-2f/machtype.c @@ -34,8 +34,10 @@ void __init mach_prom_init_machtype(void) else mips_machtype =3D MACH_LEMOTE_NAS; =20 - strcat(arcs_cmdline, " machtype=3D"); - strcat(arcs_cmdline, get_system_type()); - strcat(arcs_cmdline, " "); - } + strlcat(arcs_cmdline, " machtype=3D", + COMMAND_LINE_SIZE); + strlcat(arcs_cmdline, get_system_type(), + COMMAND_LINE_SIZE); + strlcat(arcs_cmdline, " ", COMMAND_LINE_SIZE); + } } --=20 2.50.1 (Apple Git-155) From nobody Sun Jun 14 19:03:03 2026 Received: from cstnet.cn (smtp21.cstnet.cn [159.226.251.21]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1182A2641C6; Sun, 5 Apr 2026 02:32:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.226.251.21 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775356334; cv=none; b=Q7WQuQ2RLs+qZfcRJ9y0Yys9VAqVKfvFlYBr7W+DPc9wYCgyD6BckSw5QKG746OFXRzmNDjOBTWt89JTuf/VvBRpY6hlZZJAPmVIg+KVl0cclpLOnw5Xd07KQNBGki+QkfJ8GzGEPt5tn3+W4+fqioSNoOkAWOxk5wx5DBrE5Ow= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775356334; c=relaxed/simple; bh=dU7kRVF+PLNa+buREvTTzyrlAeJqIaW1tb+vVqy2+KU=; h=From:Date:Message-ID:To:Cc:In-Reply-To:References:Subject; b=fifjdr/nyh4/PBZYLDWM2yFmuhz8lsR2DY+4q3fpLh2tPVHT1bSdmUjsYvgUH0tQF4JMt3bGxFcEoOq2wTrPVVkGgNAW98NoAIgBLekEozN+22Z43/k59Cr4H8+Gkry3oWrk8cEe8TzLgI/7m6UTHEGrnV5Bmx3ncrcyRPS/01o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn; spf=pass smtp.mailfrom=iscas.ac.cn; arc=none smtp.client-ip=159.226.251.21 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iscas.ac.cn Received: from 0004-MIPS-txx9-bound-command-line-reconstruction.eml (unknown [111.196.245.197]) by APP-01 (Coremail) with SMTP id qwCowAB3IW2qydFpWVU5DA--.1593S2; Sun, 05 Apr 2026 10:32:10 +0800 (CST) From: Pengpeng Hou Date: Sat, 4 Apr 2026 22:06:17 +0800 Message-ID: <20260405102004.4-mips-cmdline-pengpeng@iscas.ac.cn> To: Thomas Bogendoerfer , "Maciej W. Rozycki" Cc: linux-mips@vger.kernel.org, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn In-Reply-To: <20260405102000.0-mips-cmdline-series-pengpeng@iscas.ac.cn> References: <20260405102000.0-mips-cmdline-series-pengpeng@iscas.ac.cn> Subject: [PATCH 4/8] MIPS: txx9: bound command-line reconstruction X-CM-TRANSID: qwCowAB3IW2qydFpWVU5DA--.1593S2 X-Coremail-Antispam: 1UD129KBjvJXoW7WFyUJFW8JFW8tF45WFykKrg_yoW8Ar13pF WUuanxWF1ruw4xJay8Za98Xw43Zwn3XwsIvw1Yqw4Dua1UAr1xCr4Fgw48Zrn7Jay8uF4r ZF43KF1jqF1xuaDanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvC14x267AKxVWUJVW8JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2jI8I6cxK6x804I0_Grv_XF1l8cAvFVAK0II2c7 xJM28CjxkF64kEwVA0rcxSw2x7M28EF7xvwVC0I7IYx2IY67AKxVW8JVW5JwA2z4x0Y4vE 2Ix0cI8IcVCY1x0267AKxVW8JVWxJwA2z4x0Y4vEx4A2jsIE14v26F4UJVW0owA2z4x0Y4 vEx4A2jsIEc7CjxVAFwI0_Cr1j6rxdM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVAC Y4xI64kE6c02F40Ex7xfMcIj6xIIjxv20xvE14v26r126r1DMcIj6I8E87Iv67AKxVW8JV WxJwAm72CE4IkC6x0Yz7v_Jr0_Gr1lF7xvr2IY64vIr41lF7I21c0EjII2zVCS5cI20VAG YxC7MxkF7I0En4kS14v26r126r1DMxAIw28IcxkI7VAKI48JMxC20s026xCaFVCjc4AY6r 1j6r4UMI8I3I0E5I8CrVAFwI0_Jr0_Jr4lx2IqxVCjr7xvwVAFwI0_JrI_JrWlx4CE17CE b7AF67AKxVWUAVWUtwCIc40Y0x0EwIxGrwCI42IY6xIIjxv20xvE14v26r1j6r1xMIIF0x vE2Ix0cI8IcVCY1x0267AKxVW8JVWxJwCI42IY6xAIw20EY4v20xvaj40_Jr0_JF4lIxAI cVC2z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aVCY1x0267AKxVW8JVW8JrUvcSsGvfC2Kf nxnUUI43ZEXa7VUj2YLDUUUUU== X-CM-SenderInfo: pshqw1xhqjqxpvfd2hldfou0/ Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" The early txx9 command-line builders rebuild arcs_cmdline with repeated strcat() calls when quoting PROM arguments and when reinserting filtered arguments after preprocessing. Those append chains do not track the remaining space in the fixed command-line buffer. Convert the rebuild steps to bounded concatenation so long firmware arguments cannot overflow arcs_cmdline. Signed-off-by: Pengpeng Hou --- arch/mips/txx9/generic/setup.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/arch/mips/txx9/generic/setup.c b/arch/mips/txx9/generic/setup.c index 6c5025806914..715059d5101e 100644 --- a/arch/mips/txx9/generic/setup.c +++ b/arch/mips/txx9/generic/setup.c @@ -128,13 +128,13 @@ static void __init prom_init_cmdline(void) for (i =3D 1; i < argc; i++) { char *str =3D (char *)(long)argv32[i]; if (i !=3D 1) - strcat(arcs_cmdline, " "); + strlcat(arcs_cmdline, " ", COMMAND_LINE_SIZE); if (strchr(str, ' ')) { - strcat(arcs_cmdline, "\""); - strcat(arcs_cmdline, str); - strcat(arcs_cmdline, "\""); + strlcat(arcs_cmdline, "\"", COMMAND_LINE_SIZE); + strlcat(arcs_cmdline, str, COMMAND_LINE_SIZE); + strlcat(arcs_cmdline, "\"", COMMAND_LINE_SIZE); } else - strcat(arcs_cmdline, str); + strlcat(arcs_cmdline, str, COMMAND_LINE_SIZE); } } =20 @@ -227,8 +227,8 @@ static void __init preprocess_cmdline(void) continue; } if (arcs_cmdline[0]) - strcat(arcs_cmdline, " "); - strcat(arcs_cmdline, str); + strlcat(arcs_cmdline, " ", COMMAND_LINE_SIZE); + strlcat(arcs_cmdline, str, COMMAND_LINE_SIZE); } =20 txx9_cache_fixup(); --=20 2.50.1 (Apple Git-155) From nobody Sun Jun 14 19:03:03 2026 Received: from cstnet.cn (smtp21.cstnet.cn [159.226.251.21]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2519A30FC12; Sun, 5 Apr 2026 02:32:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.226.251.21 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775356336; cv=none; b=Ydzl5n4FcuNBvQJt8mEOjiaQ19SSBFuvu+At62QGVsYGufmhtKqMA4MGyNwtECEjs9b26Vu3gbHcWqgyLMa4vGq7d6C8Eva3hBizwIiFxKByOZAzF6dPbYjDWz58RAsQFioluvMnUw2540TeZ0OfM7aJUMyqQgZipsdvMc2SRfQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775356336; c=relaxed/simple; bh=sTXUOUClMvg0T7pH9rjB7D/Fh8Z746/uk+ulE+Rxn0w=; h=From:Date:Message-ID:To:Cc:In-Reply-To:References:Subject; b=MfPlLmxqiklwTFa/4wT5pJoqFpsz29qzJwBa9HSdGmGju2RcKTRGxijrgb5z2CezDldHV+GhpCbu/pT4wT40xmnsRu1S+tUlytiYJcovZ2egsx87oKh9+7WuyOeptXQ6GHbicQYAF7W8S7p3bAYlpFCt3dyJe3LAN5WjpPspzsE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn; spf=pass smtp.mailfrom=iscas.ac.cn; arc=none smtp.client-ip=159.226.251.21 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iscas.ac.cn Received: from 0005-MIPS-arc-bound-firmware-command-line-construction.eml (unknown [111.196.245.197]) by APP-01 (Coremail) with SMTP id qwCowABn026qydFpW1U5DA--.24319S2; Sun, 05 Apr 2026 10:32:11 +0800 (CST) From: Pengpeng Hou Date: Sat, 4 Apr 2026 22:06:17 +0800 Message-ID: <20260405102005.5-mips-cmdline-pengpeng@iscas.ac.cn> To: Thomas Bogendoerfer , "Maciej W. Rozycki" Cc: linux-mips@vger.kernel.org, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn In-Reply-To: <20260405102000.0-mips-cmdline-series-pengpeng@iscas.ac.cn> References: <20260405102000.0-mips-cmdline-series-pengpeng@iscas.ac.cn> Subject: [PATCH 5/8] MIPS: arc: bound firmware command-line construction X-CM-TRANSID: qwCowABn026qydFpW1U5DA--.24319S2 X-Coremail-Antispam: 1UD129KBjvJXoW7ur1rAFy5Zr43Kr18WFyUZFb_yoW8CrWUpF 12vwsxJF1rXw4jya4UCFW5Z39xuwn5Xw4a93Wjg3yfWF4UJF1rGr4rW39Y9r47Aa4ruFWx XF42g3WDJFsavrJanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvC14x267AKxVWUJVW8JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2jI8I6cxK6x804I0_Grv_XF1l8cAvFVAK0II2c7 xJM28CjxkF64kEwVA0rcxSw2x7M28EF7xvwVC0I7IYx2IY67AKxVW8JVW5JwA2z4x0Y4vE 2Ix0cI8IcVCY1x0267AKxVW8JVWxJwA2z4x0Y4vEx4A2jsIE14v26F4UJVW0owA2z4x0Y4 vEx4A2jsIEc7CjxVAFwI0_Cr1j6rxdM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVAC Y4xI64kE6c02F40Ex7xfMcIj6xIIjxv20xvE14v26r126r1DMcIj6I8E87Iv67AKxVW8JV WxJwAm72CE4IkC6x0Yz7v_Jr0_Gr1lF7xvr2IY64vIr41lF7I21c0EjII2zVCS5cI20VAG YxC7MxkF7I0En4kS14v26r126r1DMxAIw28IcxkI7VAKI48JMxC20s026xCaFVCjc4AY6r 1j6r4UMI8I3I0E5I8CrVAFwI0_Jr0_Jr4lx2IqxVCjr7xvwVAFwI0_JrI_JrWlx4CE17CE b7AF67AKxVWUAVWUtwCIc40Y0x0EwIxGrwCI42IY6xIIjxv20xvE14v26r1I6r4UMIIF0x vE2Ix0cI8IcVCY1x0267AKxVW8JVWxJwCI42IY6xAIw20EY4v20xvaj40_Jr0_JF4lIxAI cVC2z280aVAFwI0_Gr0_Cr1lIxAIcVC2z280aVCY1x0267AKxVW8JVW8JrUvcSsGvfC2Kf nxnUUI43ZEXa7VUj2YLDUUUUU== X-CM-SenderInfo: pshqw1xhqjqxpvfd2hldfou0/ Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" The ARC PROM command-line path appends translated firmware variables and raw arguments into arcs_cmdline with unchecked pointer arithmetic and memcpy(). A long enough firmware argument set can overrun the fixed kernel command-line buffer before boot completes. Use bounded concatenation for both the rewritten ARC variables and the remaining PROM arguments. Signed-off-by: Pengpeng Hou --- arch/mips/fw/arc/cmdline.c | 23 +++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/arch/mips/fw/arc/cmdline.c b/arch/mips/fw/arc/cmdline.c index 86b0e377b713..d66a6b8216f2 100644 --- a/arch/mips/fw/arc/cmdline.c +++ b/arch/mips/fw/arc/cmdline.c @@ -51,18 +51,20 @@ len =3D strlen(used_arc[i][0]); =20 if (!strncmp(prom_argv(actr), used_arc[i][0], len)) { - /* Ok, we want it. First append the replacement... */ - strcat(cp, used_arc[i][1]); - cp +=3D strlen(used_arc[i][1]); + /* Ok, we want it. First append the replacement... */ + strlcat(arcs_cmdline, used_arc[i][1], + COMMAND_LINE_SIZE); + cp =3D arcs_cmdline + strlen(arcs_cmdline); /* ... and now the argument */ s =3D strchr(prom_argv(actr), '=3D'); if (s) { s++; - len =3D strlen(s); - memcpy(cp, s, len + 1); - cp +=3D len; + strlcat(arcs_cmdline, s, + COMMAND_LINE_SIZE); + cp =3D arcs_cmdline + strlen(arcs_cmdline); } - *cp++ =3D ' '; + strlcat(arcs_cmdline, " ", COMMAND_LINE_SIZE); + cp =3D arcs_cmdline + strlen(arcs_cmdline); break; } } @@ -95,10 +97,9 @@ } =20 /* Ok, we want it. */ - len =3D strlen(prom_argv(actr)); - memcpy(cp, prom_argv(actr), len + 1); - cp +=3D len; - *cp++ =3D ' '; + strlcat(arcs_cmdline, prom_argv(actr), COMMAND_LINE_SIZE); + strlcat(arcs_cmdline, " ", COMMAND_LINE_SIZE); + cp =3D arcs_cmdline + strlen(arcs_cmdline); =20 pic_cont: actr++; --=20 2.50.1 (Apple Git-155) From nobody Sun Jun 14 19:03:03 2026 Received: from cstnet.cn (smtp21.cstnet.cn [159.226.251.21]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5AD7E2E54BD; Sun, 5 Apr 2026 02:32:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.226.251.21 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775356335; cv=none; b=u8Co+djHrnOJwPitULGgxfpWX6Lm9bxYcUGZ9Zs3r1qdYW0fIt3eWxE1vaFWunsso8rIU8VHZ4DKqDycmn2IIfTVvJBb47OwsQ7iChUo6cs/Gimck4+QgBp9kDTCUbi3hpUKBEuYvQaQa4M6VohWfkScFiUhWxq56xdNfmoXgaM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775356335; c=relaxed/simple; bh=o8tpt0xiu/9W7EHac9jvTdqQn69rVebqf9ZyZpFccG8=; h=From:Date:Message-ID:To:Cc:In-Reply-To:References:Subject; b=XSTAeWY4fG9BPwcDoKdXyI5ACyEuxaNItjXZ941UaxH4AMAr9gOfTE5Z09o8VE72ISTTZ9WKIuhv9CYT8z9lvbqkzQIJrPgWl0LANsRJBAi0bk0vM0TgjiBra90RT2V3vr9Pnq0+/4if7NNFM6wgK3qxAoG8ZNullLSP5AY1QPA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn; spf=pass smtp.mailfrom=iscas.ac.cn; arc=none smtp.client-ip=159.226.251.21 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iscas.ac.cn Received: from 0006-MIPS-cavium-octeon-bound-default-console-command-lin.eml (unknown [111.196.245.197]) by APP-01 (Coremail) with SMTP id qwCowADnkGyrydFpX1U5DA--.16555S2; Sun, 05 Apr 2026 10:32:11 +0800 (CST) From: Pengpeng Hou Date: Sat, 4 Apr 2026 22:06:17 +0800 Message-ID: <20260405102006.6-mips-cmdline-pengpeng@iscas.ac.cn> To: Thomas Bogendoerfer , "Maciej W. Rozycki" Cc: linux-mips@vger.kernel.org, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn In-Reply-To: <20260405102000.0-mips-cmdline-series-pengpeng@iscas.ac.cn> References: <20260405102000.0-mips-cmdline-series-pengpeng@iscas.ac.cn> Subject: [PATCH 6/8] MIPS: cavium-octeon: bound default console command-line append X-CM-TRANSID: qwCowADnkGyrydFpX1U5DA--.16555S2 X-Coremail-Antispam: 1UD129KBjvdXoWrZFWUKw18uw43Xr45ArW3Awb_yoWktFcEqr 9Ikay5AFW5Ja429F4xWryrt3yIk3yjq3Z3Jr1jyr4Fy3srJwsxCFZ5KFZ5Jr4jkFsrGr4f C3yDAr47AFsF9jkaLaAFLSUrUUUUjb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT 9fnUUIcSsGvfJTRUUUbVxFF20E14v26r1j6r4UM7CY07I20VC2zVCF04k26cxKx2IYs7xG 6rWj6s0DM7CIcVAFz4kK6r1j6r18M280x2IEY4vE77IFxVW8XVW5AwA2ocxC64kIII0Yj4 1l84x0c7CEw4AK67xGY2AK021l84ACjcxK6xIIjxv20xvE14v26ryj6F1UM28EF7xvwVC0 I7IYx2IY6xkF7I0E14v26r4j6F4UM28EF7xvwVC2z280aVAFwI0_Cr1j6rxdM28EF7xvwV C2z280aVCY1x0267AKxVWxJr0_GcWle2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xv F2IEw4CE5I8CrVC2j2WlYx0E2Ix0cI8IcVAFwI0_JF0_Jw1lYx0Ex4A2jsIE14v26r4j6F 4UMcvjeVCFs4IE7xkEbVWUJVW8JwACjcxG0xvEwIxGrwACjI8F5VA0II8E6IAqYI8I648v 4I1lc7CjxVAaw2AFwI0_JF0_Jw1l42xK82IYc2Ij64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr 0_Gr1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF1VAY 17CE14v26r126r1DMIIYrxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_JFI_Gr1lIxAIcV C0I7IYx2IY6xkF7I0E14v26r4j6F4UMIIF0xvE42xK8VAvwI8IcIk0rVWUJVWUCwCI42IY 6I8E87Iv67AKxVW8JVWxJwCI42IY6I8E87Iv6xkF7I0E14v26r4j6r4UJbIYCTnIWIevJa 73UjIFyTuYvjfU089NUUUUU X-CM-SenderInfo: pshqw1xhqjqxpvfd2hldfou0/ Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" setup_octeon_cmdline() already bounds most copied firmware arguments, but the fallback default console append still uses unchecked strcat(). If the command line is already near the end of the fixed buffer, the default console string can run past the buffer boundary. Use bounded concatenation for the default console fallback. Signed-off-by: Pengpeng Hou --- arch/mips/cavium-octeon/setup.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/mips/cavium-octeon/setup.c b/arch/mips/cavium-octeon/setu= p.c index 1ad2602a0383..87f34bc20896 100644 --- a/arch/mips/cavium-octeon/setup.c +++ b/arch/mips/cavium-octeon/setup.c @@ -898,9 +898,11 @@ void __init prom_init(void) =20 if (strstr(arcs_cmdline, "console=3D") =3D=3D NULL) { if (octeon_uart =3D=3D 1) - strcat(arcs_cmdline, " console=3DttyS1,115200"); + strlcat(arcs_cmdline, " console=3DttyS1,115200", + COMMAND_LINE_SIZE); else - strcat(arcs_cmdline, " console=3DttyS0,115200"); + strlcat(arcs_cmdline, " console=3DttyS0,115200", + COMMAND_LINE_SIZE); } =20 mips_hpt_frequency =3D octeon_get_clock_rate(); --=20 2.50.1 (Apple Git-155) From nobody Sun Jun 14 19:03:03 2026 Received: from cstnet.cn (smtp21.cstnet.cn [159.226.251.21]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7E5682F0C7E; Sun, 5 Apr 2026 02:32:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.226.251.21 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775356335; cv=none; b=L4MJxzBCMToj3xmXfWZRjcf89KIpKyzJwy/2q8whOIS6Ax5S5bwjnUIqMn4CIrxe1PxUgd1+NlCGGZKSvqFxAFsqiW1rN1Mvhpl29/BCAm1B9LjtiqRVTYHSysgTM7ffd1yEbrF4BcAA8ypDArlmR1Jg+5ktvseJUuiRYPQ3VYQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775356335; c=relaxed/simple; bh=d4etwWXMhDwgGLFSO6gPnnoGiL4LwaiZ9KNe8jnrALA=; h=From:Date:Message-ID:To:Cc:In-Reply-To:References:Subject; b=d6lFhkrYXmouWuXKNmPvy+c3FLihNHRhFtsVw5waVVtX1XYVtejxybBvk4CmrpgN3Nxbi+DNNOiWgWaF+82lHsVQYxhM8PAxoF41WvOytVj+/RtbxNovavDyKwL0gXQ7bNojwjfqm7lziKSQO+ZA6L9kCZJRFRxf32dCOhSX9Kc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn; spf=pass smtp.mailfrom=iscas.ac.cn; arc=none smtp.client-ip=159.226.251.21 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iscas.ac.cn Received: from 0007-MIPS-malta-init-bound-default-console-command-line-a.eml (unknown [111.196.245.197]) by APP-01 (Coremail) with SMTP id qwCowAD3oGyrydFpYVU5DA--.18667S2; Sun, 05 Apr 2026 10:32:11 +0800 (CST) From: Pengpeng Hou Date: Sat, 4 Apr 2026 22:06:17 +0800 Message-ID: <20260405102007.7-mips-cmdline-pengpeng@iscas.ac.cn> To: Thomas Bogendoerfer , "Maciej W. Rozycki" Cc: linux-mips@vger.kernel.org, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn In-Reply-To: <20260405102000.0-mips-cmdline-series-pengpeng@iscas.ac.cn> References: <20260405102000.0-mips-cmdline-series-pengpeng@iscas.ac.cn> Subject: [PATCH 7/8] MIPS: malta-init: bound default console command-line append X-CM-TRANSID: qwCowAD3oGyrydFpYVU5DA--.18667S2 X-Coremail-Antispam: 1UD129KBjvJXoW7Kw47ur48ZrWkJFykXFyUtrb_yoW8Gw4kpF 4qyFnxK34rXFyY9a43ZFy8Xr1rCasYy343tF1Yyw4xW3ZxAFW0van3Gw45Z3yUXr48G3W8 CFZ0qFy7Ca13Ar7anT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvK14x267AKxVWUJVW8JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2jI8I6cxK6x804I0_Grv_XF1l8cAvFVAK0II2c7 xJM28CjxkF64kEwVA0rcxSw2x7M28EF7xvwVC0I7IYx2IY67AKxVW5JVW7JwA2z4x0Y4vE 2Ix0cI8IcVCY1x0267AKxVWxJVW8Jr1l84ACjcxK6I8E87Iv67AKxVWxJr0_GcWl84ACjc xK6I8E87Iv6xkF7I0E14v26F4UJVW0owAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40E FcxC0VAKzVAqx4xG6I80ewAv7VC0I7IYx2IY67AKxVWUAVWUtwAv7VC2z280aVAFwI0_Gr 0_Cr1lOx8S6xCaFVCjc4AY6r1j6r4UM4x0Y48IcVAKI48JM4x0x7Aq67IIx4CEVc8vx2IE rcIFxwCY1x0262kKe7AKxVWUAVWUtwCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbV WUJVW8JwC20s026c02F40E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF 67kF1VAFwI0_JF0_Jw1lIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUCVW8JwCI42 IY6xIIjxv20xvEc7CjxVAFwI0_Gr0_Cr1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1xMIIF 0xvEx4A2jsIE14v26r4j6F4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxh VjvjDU0xZFpf9x0JUxcTPUUUUU= X-CM-SenderInfo: pshqw1xhqjqxpvfd2hldfou0/ Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" console_config() appends a synthesized console=3D option to fw_getcmdline() with unchecked strcat() when the firmware command line does not already provide one. If the existing command line is near full, that append can overflow the fixed command-line buffer. Switch the default console append to bounded concatenation. Signed-off-by: Pengpeng Hou --- arch/mips/mti-malta/malta-init.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/arch/mips/mti-malta/malta-init.c b/arch/mips/mti-malta/malta-i= nit.c index 82b0fd8576a2..fb782b1a3f6e 100644 --- a/arch/mips/mti-malta/malta-init.c +++ b/arch/mips/mti-malta/malta-init.c @@ -78,13 +78,14 @@ static void __init console_config(void) setup_earlycon(console_string); } =20 - if ((strstr(fw_getcmdline(), "console=3D")) =3D=3D NULL) { - sprintf(console_string, " console=3DttyS0,%d%c%c%c", baud, - parity, bits, flow); - strcat(fw_getcmdline(), console_string); - pr_info("Config serial console:%s\n", console_string); + if ((strstr(fw_getcmdline(), "console=3D")) =3D=3D NULL) { + sprintf(console_string, " console=3DttyS0,%d%c%c%c", baud, + parity, bits, flow); + strlcat(fw_getcmdline(), console_string, + COMMAND_LINE_SIZE); + pr_info("Config serial console:%s\n", console_string); + } } -} #endif =20 static void __init mips_nmi_setup(void) --=20 2.50.1 (Apple Git-155) From nobody Sun Jun 14 19:03:03 2026 Received: from cstnet.cn (smtp21.cstnet.cn [159.226.251.21]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B50EA2FFFB8; Sun, 5 Apr 2026 02:32:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.226.251.21 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775356335; cv=none; b=B81eKvYNgmfLUPKfrHREiycsgeV0q3QF3l/3YsnoNGt5rgMmetl6uCvb60Qs+VnkrespCRfd2WYSTeCOE5Zx2esHWw00QQe4EyU/QJ4ZEIHqGz6txZANX72a8QF0j9167C8Cb6jb9HSSdL5Yt6PpJI3zt6hEgBPUo73bxSNVJWY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775356335; c=relaxed/simple; bh=Mr+6b5g1Ee3oIEHsmF0nsppOaXNvVIK2S2qJQOH2jvU=; h=From:Date:Message-ID:To:Cc:In-Reply-To:References:Subject; b=Lb07XBXhaGa6AEiEBXd5Rg4/BDlDn9zjJnTwtUJGIO2dyclQ7iB8RHAWboqCIjMiNg+X0Me1fO3IAXOpSK4E3g/RGCJOv+SHqj8w/+Yrb3zXgeu3pgSiqAYqE1vKuOO/riJzCPPz6F5uzCy5CJB/CzAo5hsoZSzot1ohYGbU5Z0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn; spf=pass smtp.mailfrom=iscas.ac.cn; arc=none smtp.client-ip=159.226.251.21 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iscas.ac.cn Received: from 0008-MIPS-malta-setup-bound-pci_clock-command-line-append.eml (unknown [111.196.245.197]) by APP-01 (Coremail) with SMTP id qwCowAAXwWyrydFpYlU5DA--.13510S2; Sun, 05 Apr 2026 10:32:11 +0800 (CST) From: Pengpeng Hou Date: Sat, 4 Apr 2026 22:06:17 +0800 Message-ID: <20260405102008.8-mips-cmdline-pengpeng@iscas.ac.cn> To: Thomas Bogendoerfer , "Maciej W. Rozycki" Cc: linux-mips@vger.kernel.org, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn In-Reply-To: <20260405102000.0-mips-cmdline-series-pengpeng@iscas.ac.cn> References: <20260405102000.0-mips-cmdline-series-pengpeng@iscas.ac.cn> Subject: [PATCH 8/8] MIPS: malta-setup: bound pci_clock command-line append X-CM-TRANSID: qwCowAAXwWyrydFpYlU5DA--.13510S2 X-Coremail-Antispam: 1UD129KBjvJXoWruw4xXFyDXrWfAr1UCFWDCFg_yoW8Jryfpw 1Y93Wxtwsaq3Wq9a12v3y8XFn09wn5Cryaka4jyayDCa13XF10g3WrKF9FvryUXF4Ivw1U XFWqvFyrCF4YvF7anT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvK14x267AKxVWUJVW8JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2jI8I6cxK6x804I0_Grv_XF1l8cAvFVAK0II2c7 xJM28CjxkF64kEwVA0rcxSw2x7M28EF7xvwVC0I7IYx2IY67AKxVW5JVW7JwA2z4x0Y4vE 2Ix0cI8IcVCY1x0267AKxVWxJVW8Jr1l84ACjcxK6I8E87Iv67AKxVWxJr0_GcWl84ACjc xK6I8E87Iv6xkF7I0E14v26F4UJVW0owAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40E FcxC0VAKzVAqx4xG6I80ewAv7VC0I7IYx2IY67AKxVWUtVWrXwAv7VC2z280aVAFwI0_Gr 0_Cr1lOx8S6xCaFVCjc4AY6r1j6r4UM4x0Y48IcVAKI48JM4x0x7Aq67IIx4CEVc8vx2IE rcIFxwCY1x0262kKe7AKxVWUAVWUtwCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbV WUJVW8JwC20s026c02F40E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF 67kF1VAFwI0_JF0_Jw1lIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUCVW8JwCI42 IY6xIIjxv20xvEc7CjxVAFwI0_Gr0_Cr1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1xMIIF 0xvEx4A2jsIE14v26r4j6F4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxh VjvjDU0xZFpf9x0JU2Q6JUUUUU= X-CM-SenderInfo: pshqw1xhqjqxpvfd2hldfou0/ Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" pci_clock_check() appends a synthesized pci_clock=3D option by advancing to the end of fw_getcmdline() and calling sprintf() in place. If the command line is already near full, that write can run past the fixed boot command-line buffer. Format the option into a small temporary buffer and append it with bounded concatenation instead. Signed-off-by: Pengpeng Hou --- arch/mips/mti-malta/malta-setup.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/mips/mti-malta/malta-setup.c b/arch/mips/mti-malta/malta-= setup.c index 816570514c37..07c9f1b9bed7 100644 --- a/arch/mips/mti-malta/malta-setup.c +++ b/arch/mips/mti-malta/malta-setup.c @@ -148,10 +148,12 @@ static void __init pci_clock_check(void) return; =20 if (pciclock !=3D 33) { + char arg[24]; + pr_warn("WARNING: PCI clock is %dMHz, setting pci_clock\n", pciclock); - argptr +=3D strlen(argptr); - sprintf(argptr, " pci_clock=3D%d", pciclock); + snprintf(arg, sizeof(arg), " pci_clock=3D%d", pciclock); + strlcat(argptr, arg, COMMAND_LINE_SIZE); if (pciclock < 20 || pciclock > 66) pr_warn("WARNING: IDE timing calculations will be " "incorrect\n"); --=20 2.50.1 (Apple Git-155)