* [PATCH 1/8] lkdtm: change snprintf to scnprintf for possible overflow
@ 2019-01-12 15:28 Willy Tarreau
2019-01-12 15:28 ` [PATCH 2/8] libertas: " Willy Tarreau
` (8 more replies)
0 siblings, 9 replies; 36+ messages in thread
From: Willy Tarreau @ 2019-01-12 15:28 UTC (permalink / raw)
To: Silvio Cesare
Cc: linux-kernel, Dan Carpenter, Kees Cook, Will Deacon, Greg KH
From: Silvio Cesare <silvio.cesare@gmail.com>
Change snprintf to scnprintf. There are generally two cases where using
snprintf causes problems.
1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
In this case, if snprintf would have written more characters than what the
buffer size (SIZE) is, then size will end up larger than SIZE. In later
uses of snprintf, SIZE - size will result in a negative number, leading
to problems. Note that size might already be too large by using
size = snprintf before the code reaches a case of size += snprintf.
2) If size is ultimately used as a length parameter for a copy back to user
space, then it will potentially allow for a buffer overflow and information
disclosure when size is greater than SIZE. When the size is used to index
the buffer directly, we can have memory corruption. This also means when
size = snprintf... is used, it may also cause problems since size may become
large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
configuration.
The solution to these issues is to use scnprintf which returns the number of
characters actually written to the buffer, so the size variable will never
exceed SIZE.
Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
drivers/misc/lkdtm/core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c
index 2837dc77478e..610aa3bfe630 100644
--- a/drivers/misc/lkdtm/core.c
+++ b/drivers/misc/lkdtm/core.c
@@ -347,9 +347,9 @@ static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf,
if (buf == NULL)
return -ENOMEM;
- n = snprintf(buf, PAGE_SIZE, "Available crash types:\n");
+ n = scnprintf(buf, PAGE_SIZE, "Available crash types:\n");
for (i = 0; i < ARRAY_SIZE(crashtypes); i++) {
- n += snprintf(buf + n, PAGE_SIZE - n, "%s\n",
+ n += scnprintf(buf + n, PAGE_SIZE - n, "%s\n",
crashtypes[i].name);
}
buf[n] = '\0';
--
2.19.2
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH 2/8] libertas: change snprintf to scnprintf for possible overflow
2019-01-12 15:28 [PATCH 1/8] lkdtm: change snprintf to scnprintf for possible overflow Willy Tarreau
@ 2019-01-12 15:28 ` Willy Tarreau
2019-01-15 1:09 ` Kees Cook
2019-01-15 5:55 ` Kalle Valo
2019-01-12 15:28 ` [PATCH 3/8] ocfs2: " Willy Tarreau
` (7 subsequent siblings)
8 siblings, 2 replies; 36+ messages in thread
From: Willy Tarreau @ 2019-01-12 15:28 UTC (permalink / raw)
To: Silvio Cesare
Cc: linux-kernel, Kalle Valo, Dan Carpenter, Kees Cook, Will Deacon, Greg KH
From: Silvio Cesare <silvio.cesare@gmail.com>
Change snprintf to scnprintf. There are generally two cases where using
snprintf causes problems.
1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
In this case, if snprintf would have written more characters than what the
buffer size (SIZE) is, then size will end up larger than SIZE. In later
uses of snprintf, SIZE - size will result in a negative number, leading
to problems. Note that size might already be too large by using
size = snprintf before the code reaches a case of size += snprintf.
2) If size is ultimately used as a length parameter for a copy back to user
space, then it will potentially allow for a buffer overflow and information
disclosure when size is greater than SIZE. When the size is used to index
the buffer directly, we can have memory corruption. This also means when
size = snprintf... is used, it may also cause problems since size may become
large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
configuration.
The solution to these issues is to use scnprintf which returns the number of
characters actually written to the buffer, so the size variable will never
exceed SIZE.
Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
Cc: Kalle Valo <kvalo@codeaurora.org>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
drivers/net/wireless/marvell/libertas/debugfs.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/marvell/libertas/debugfs.c b/drivers/net/wireless/marvell/libertas/debugfs.c
index c83f44f9ddf1..ec73bd3a10db 100644
--- a/drivers/net/wireless/marvell/libertas/debugfs.c
+++ b/drivers/net/wireless/marvell/libertas/debugfs.c
@@ -41,9 +41,9 @@ static ssize_t lbs_dev_info(struct file *file, char __user *userbuf,
if (!buf)
return -ENOMEM;
- pos += snprintf(buf+pos, len-pos, "state = %s\n",
+ pos += scnprintf(buf+pos, len-pos, "state = %s\n",
szStates[priv->connect_status]);
- pos += snprintf(buf+pos, len-pos, "region_code = %02x\n",
+ pos += scnprintf(buf+pos, len-pos, "region_code = %02x\n",
(u32) priv->regioncode);
res = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
@@ -105,7 +105,7 @@ static ssize_t lbs_sleepparams_read(struct file *file, char __user *userbuf,
if (ret)
goto out_unlock;
- pos += snprintf(buf, len, "%d %d %d %d %d %d\n", sp.sp_error,
+ pos += scnprintf(buf, len, "%d %d %d %d %d %d\n", sp.sp_error,
sp.sp_offset, sp.sp_stabletime,
sp.sp_calcontrol, sp.sp_extsleepclk,
sp.sp_reserved);
@@ -170,7 +170,7 @@ static ssize_t lbs_host_sleep_read(struct file *file, char __user *userbuf,
if (!buf)
return -ENOMEM;
- pos += snprintf(buf, len, "%d\n", priv->is_host_sleep_activated);
+ pos += scnprintf(buf, len, "%d\n", priv->is_host_sleep_activated);
ret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
@@ -251,7 +251,7 @@ static ssize_t lbs_threshold_read(uint16_t tlv_type, uint16_t event_mask,
freq = got->freq;
events = le16_to_cpu(subscribed->events);
- pos += snprintf(buf, len, "%d %d %d\n", value, freq,
+ pos += scnprintf(buf, len, "%d %d %d\n", value, freq,
!!(events & event_mask));
}
@@ -446,7 +446,7 @@ static ssize_t lbs_rdmac_read(struct file *file, char __user *userbuf,
ret = lbs_get_reg(priv, CMD_MAC_REG_ACCESS, priv->mac_offset, &val);
mdelay(10);
if (!ret) {
- pos = snprintf(buf, len, "MAC[0x%x] = 0x%08x\n",
+ pos = scnprintf(buf, len, "MAC[0x%x] = 0x%08x\n",
priv->mac_offset, val);
ret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
}
@@ -516,7 +516,7 @@ static ssize_t lbs_rdbbp_read(struct file *file, char __user *userbuf,
ret = lbs_get_reg(priv, CMD_BBP_REG_ACCESS, priv->bbp_offset, &val);
mdelay(10);
if (!ret) {
- pos = snprintf(buf, len, "BBP[0x%x] = 0x%08x\n",
+ pos = scnprintf(buf, len, "BBP[0x%x] = 0x%08x\n",
priv->bbp_offset, val);
ret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
}
@@ -588,7 +588,7 @@ static ssize_t lbs_rdrf_read(struct file *file, char __user *userbuf,
ret = lbs_get_reg(priv, CMD_RF_REG_ACCESS, priv->rf_offset, &val);
mdelay(10);
if (!ret) {
- pos = snprintf(buf, len, "RF[0x%x] = 0x%08x\n",
+ pos = scnprintf(buf, len, "RF[0x%x] = 0x%08x\n",
priv->rf_offset, val);
ret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
}
--
2.19.2
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH 3/8] ocfs2: change snprintf to scnprintf for possible overflow
2019-01-12 15:28 [PATCH 1/8] lkdtm: change snprintf to scnprintf for possible overflow Willy Tarreau
2019-01-12 15:28 ` [PATCH 2/8] libertas: " Willy Tarreau
@ 2019-01-12 15:28 ` Willy Tarreau
2019-01-15 1:14 ` Kees Cook
2019-01-12 15:28 ` [PATCH 4/8] ASoC: " Willy Tarreau
` (6 subsequent siblings)
8 siblings, 1 reply; 36+ messages in thread
From: Willy Tarreau @ 2019-01-12 15:28 UTC (permalink / raw)
To: Silvio Cesare
Cc: linux-kernel, Mark Fasheh, Joel Becker, Dan Carpenter, Kees Cook,
Will Deacon, Greg KH
From: Silvio Cesare <silvio.cesare@gmail.com>
Change snprintf to scnprintf. There are generally two cases where using
snprintf causes problems.
1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
In this case, if snprintf would have written more characters than what the
buffer size (SIZE) is, then size will end up larger than SIZE. In later
uses of snprintf, SIZE - size will result in a negative number, leading
to problems. Note that size might already be too large by using
size = snprintf before the code reaches a case of size += snprintf.
2) If size is ultimately used as a length parameter for a copy back to user
space, then it will potentially allow for a buffer overflow and information
disclosure when size is greater than SIZE. When the size is used to index
the buffer directly, we can have memory corruption. This also means when
size = snprintf... is used, it may also cause problems since size may become
large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
configuration.
The solution to these issues is to use scnprintf which returns the number of
characters actually written to the buffer, so the size variable will never
exceed SIZE.
Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
fs/ocfs2/cluster/heartbeat.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/fs/ocfs2/cluster/heartbeat.c b/fs/ocfs2/cluster/heartbeat.c
index 9b2ed62dd638..2a0af0887ba0 100644
--- a/fs/ocfs2/cluster/heartbeat.c
+++ b/fs/ocfs2/cluster/heartbeat.c
@@ -1324,7 +1324,7 @@ static int o2hb_debug_open(struct inode *inode, struct file *file)
case O2HB_DB_TYPE_REGION_NUMBER:
reg = (struct o2hb_region *)db->db_data;
- out += snprintf(buf + out, PAGE_SIZE - out, "%d\n",
+ out += scnprintf(buf + out, PAGE_SIZE - out, "%d\n",
reg->hr_region_num);
goto done;
@@ -1334,12 +1334,12 @@ static int o2hb_debug_open(struct inode *inode, struct file *file)
/* If 0, it has never been set before */
if (lts)
lts = jiffies_to_msecs(jiffies - lts);
- out += snprintf(buf + out, PAGE_SIZE - out, "%lu\n", lts);
+ out += scnprintf(buf + out, PAGE_SIZE - out, "%lu\n", lts);
goto done;
case O2HB_DB_TYPE_REGION_PINNED:
reg = (struct o2hb_region *)db->db_data;
- out += snprintf(buf + out, PAGE_SIZE - out, "%u\n",
+ out += scnprintf(buf + out, PAGE_SIZE - out, "%u\n",
!!reg->hr_item_pinned);
goto done;
@@ -1348,8 +1348,8 @@ static int o2hb_debug_open(struct inode *inode, struct file *file)
}
while ((i = find_next_bit(map, db->db_len, i + 1)) < db->db_len)
- out += snprintf(buf + out, PAGE_SIZE - out, "%d ", i);
- out += snprintf(buf + out, PAGE_SIZE - out, "\n");
+ out += scnprintf(buf + out, PAGE_SIZE - out, "%d ", i);
+ out += scnprintf(buf + out, PAGE_SIZE - out, "\n");
done:
i_size_write(inode, out);
--
2.19.2
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH 4/8] ASoC: change snprintf to scnprintf for possible overflow
2019-01-12 15:28 [PATCH 1/8] lkdtm: change snprintf to scnprintf for possible overflow Willy Tarreau
2019-01-12 15:28 ` [PATCH 2/8] libertas: " Willy Tarreau
2019-01-12 15:28 ` [PATCH 3/8] ocfs2: " Willy Tarreau
@ 2019-01-12 15:28 ` Willy Tarreau
2019-01-15 1:13 ` Kees Cook
2019-01-15 1:25 ` Nicolin Chen
2019-01-12 15:28 ` [PATCH 5/8] scsi: lpfc: " Willy Tarreau
` (5 subsequent siblings)
8 siblings, 2 replies; 36+ messages in thread
From: Willy Tarreau @ 2019-01-12 15:28 UTC (permalink / raw)
To: Silvio Cesare
Cc: linux-kernel, Timur Tabi, Nicolin Chen, Xiubo Li, Fabio Estevam,
Dan Carpenter, Kees Cook, Will Deacon, Greg KH
From: Silvio Cesare <silvio.cesare@gmail.com>
Change snprintf to scnprintf. There are generally two cases where using
snprintf causes problems.
1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
In this case, if snprintf would have written more characters than what the
buffer size (SIZE) is, then size will end up larger than SIZE. In later
uses of snprintf, SIZE - size will result in a negative number, leading
to problems. Note that size might already be too large by using
size = snprintf before the code reaches a case of size += snprintf.
2) If size is ultimately used as a length parameter for a copy back to user
space, then it will potentially allow for a buffer overflow and information
disclosure when size is greater than SIZE. When the size is used to index
the buffer directly, we can have memory corruption. This also means when
size = snprintf... is used, it may also cause problems since size may become
large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
configuration.
The solution to these issues is to use scnprintf which returns the number of
characters actually written to the buffer, so the size variable will never
exceed SIZE.
Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
Cc: Timur Tabi <timur@kernel.org>
Cc: Nicolin Chen <nicoleotsuka@gmail.com>
Cc: Xiubo Li <Xiubo.Lee@gmail.com>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
sound/soc/fsl/imx-audmux.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/sound/soc/fsl/imx-audmux.c b/sound/soc/fsl/imx-audmux.c
index 392d5eef356d..99e07b01a2ce 100644
--- a/sound/soc/fsl/imx-audmux.c
+++ b/sound/soc/fsl/imx-audmux.c
@@ -86,49 +86,49 @@ static ssize_t audmux_read_file(struct file *file, char __user *user_buf,
if (!buf)
return -ENOMEM;
- ret = snprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n",
+ ret = scnprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n",
pdcr, ptcr);
if (ptcr & IMX_AUDMUX_V2_PTCR_TFSDIR)
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"TxFS output from %s, ",
audmux_port_string((ptcr >> 27) & 0x7));
else
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"TxFS input, ");
if (ptcr & IMX_AUDMUX_V2_PTCR_TCLKDIR)
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"TxClk output from %s",
audmux_port_string((ptcr >> 22) & 0x7));
else
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"TxClk input");
- ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n");
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n");
if (ptcr & IMX_AUDMUX_V2_PTCR_SYN) {
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"Port is symmetric");
} else {
if (ptcr & IMX_AUDMUX_V2_PTCR_RFSDIR)
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"RxFS output from %s, ",
audmux_port_string((ptcr >> 17) & 0x7));
else
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"RxFS input, ");
if (ptcr & IMX_AUDMUX_V2_PTCR_RCLKDIR)
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"RxClk output from %s",
audmux_port_string((ptcr >> 12) & 0x7));
else
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"RxClk input");
}
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"\nData received from %s\n",
audmux_port_string((pdcr >> 13) & 0x7));
--
2.19.2
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH 5/8] scsi: lpfc: change snprintf to scnprintf for possible overflow
2019-01-12 15:28 [PATCH 1/8] lkdtm: change snprintf to scnprintf for possible overflow Willy Tarreau
` (2 preceding siblings ...)
2019-01-12 15:28 ` [PATCH 4/8] ASoC: " Willy Tarreau
@ 2019-01-12 15:28 ` Willy Tarreau
2019-01-15 1:15 ` Kees Cook
2019-01-12 15:28 ` [PATCH 6/8] ASoC: intel: skylake: " Willy Tarreau
` (4 subsequent siblings)
8 siblings, 1 reply; 36+ messages in thread
From: Willy Tarreau @ 2019-01-12 15:28 UTC (permalink / raw)
To: Silvio Cesare
Cc: linux-kernel, James Smart, Dick Kennedy, Dan Carpenter,
Kees Cook, Will Deacon, Greg KH
From: Silvio Cesare <silvio.cesare@gmail.com>
Change snprintf to scnprintf. There are generally two cases where using
snprintf causes problems.
1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
In this case, if snprintf would have written more characters than what the
buffer size (SIZE) is, then size will end up larger than SIZE. In later
uses of snprintf, SIZE - size will result in a negative number, leading
to problems. Note that size might already be too large by using
size = snprintf before the code reaches a case of size += snprintf.
2) If size is ultimately used as a length parameter for a copy back to user
space, then it will potentially allow for a buffer overflow and information
disclosure when size is greater than SIZE. When the size is used to index
the buffer directly, we can have memory corruption. This also means when
size = snprintf... is used, it may also cause problems since size may become
large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
configuration.
The solution to these issues is to use scnprintf which returns the number of
characters actually written to the buffer, so the size variable will never
exceed SIZE.
Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
Cc: James Smart <james.smart@broadcom.com>
Cc: Dick Kennedy <dick.kennedy@broadcom.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
drivers/scsi/lpfc/lpfc_debugfs.c | 450 +++++++++++++++----------------
1 file changed, 225 insertions(+), 225 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
index 34d311a7dbef..218a74b9297a 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -170,7 +170,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_vport *vport, char *buf, int size)
snprintf(buffer,
LPFC_DEBUG_TRC_ENTRY_SIZE, "%010d:%010d ms:%s\n",
dtp->seq_cnt, ms, dtp->fmt);
- len += snprintf(buf+len, size-len, buffer,
+ len += scnprintf(buf+len, size-len, buffer,
dtp->data1, dtp->data2, dtp->data3);
}
for (i = 0; i < index; i++) {
@@ -181,7 +181,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_vport *vport, char *buf, int size)
snprintf(buffer,
LPFC_DEBUG_TRC_ENTRY_SIZE, "%010d:%010d ms:%s\n",
dtp->seq_cnt, ms, dtp->fmt);
- len += snprintf(buf+len, size-len, buffer,
+ len += scnprintf(buf+len, size-len, buffer,
dtp->data1, dtp->data2, dtp->data3);
}
@@ -236,7 +236,7 @@ lpfc_debugfs_slow_ring_trc_data(struct lpfc_hba *phba, char *buf, int size)
snprintf(buffer,
LPFC_DEBUG_TRC_ENTRY_SIZE, "%010d:%010d ms:%s\n",
dtp->seq_cnt, ms, dtp->fmt);
- len += snprintf(buf+len, size-len, buffer,
+ len += scnprintf(buf+len, size-len, buffer,
dtp->data1, dtp->data2, dtp->data3);
}
for (i = 0; i < index; i++) {
@@ -247,7 +247,7 @@ lpfc_debugfs_slow_ring_trc_data(struct lpfc_hba *phba, char *buf, int size)
snprintf(buffer,
LPFC_DEBUG_TRC_ENTRY_SIZE, "%010d:%010d ms:%s\n",
dtp->seq_cnt, ms, dtp->fmt);
- len += snprintf(buf+len, size-len, buffer,
+ len += scnprintf(buf+len, size-len, buffer,
dtp->data1, dtp->data2, dtp->data3);
}
@@ -307,7 +307,7 @@ lpfc_debugfs_hbqinfo_data(struct lpfc_hba *phba, char *buf, int size)
i = lpfc_debugfs_last_hbq;
- len += snprintf(buf+len, size-len, "HBQ %d Info\n", i);
+ len += scnprintf(buf+len, size-len, "HBQ %d Info\n", i);
hbqs = &phba->hbqs[i];
posted = 0;
@@ -315,21 +315,21 @@ lpfc_debugfs_hbqinfo_data(struct lpfc_hba *phba, char *buf, int size)
posted++;
hip = lpfc_hbq_defs[i];
- len += snprintf(buf+len, size-len,
+ len += scnprintf(buf+len, size-len,
"idx:%d prof:%d rn:%d bufcnt:%d icnt:%d acnt:%d posted %d\n",
hip->hbq_index, hip->profile, hip->rn,
hip->buffer_count, hip->init_count, hip->add_count, posted);
raw_index = phba->hbq_get[i];
getidx = le32_to_cpu(raw_index);
- len += snprintf(buf+len, size-len,
+ len += scnprintf(buf+len, size-len,
"entries:%d bufcnt:%d Put:%d nPut:%d localGet:%d hbaGet:%d\n",
hbqs->entry_count, hbqs->buffer_count, hbqs->hbqPutIdx,
hbqs->next_hbqPutIdx, hbqs->local_hbqGetIdx, getidx);
hbqe = (struct lpfc_hbq_entry *) phba->hbqs[i].hbq_virt;
for (j=0; j<hbqs->entry_count; j++) {
- len += snprintf(buf+len, size-len,
+ len += scnprintf(buf+len, size-len,
"%03d: %08x %04x %05x ", j,
le32_to_cpu(hbqe->bde.addrLow),
le32_to_cpu(hbqe->bde.tus.w),
@@ -341,14 +341,14 @@ lpfc_debugfs_hbqinfo_data(struct lpfc_hba *phba, char *buf, int size)
low = hbqs->hbqPutIdx - posted;
if (low >= 0) {
if ((j >= hbqs->hbqPutIdx) || (j < low)) {
- len += snprintf(buf+len, size-len, "Unused\n");
+ len += scnprintf(buf+len, size-len, "Unused\n");
goto skipit;
}
}
else {
if ((j >= hbqs->hbqPutIdx) &&
(j < (hbqs->entry_count+low))) {
- len += snprintf(buf+len, size-len, "Unused\n");
+ len += scnprintf(buf+len, size-len, "Unused\n");
goto skipit;
}
}
@@ -358,7 +358,7 @@ lpfc_debugfs_hbqinfo_data(struct lpfc_hba *phba, char *buf, int size)
hbq_buf = container_of(d_buf, struct hbq_dmabuf, dbuf);
phys = ((uint64_t)hbq_buf->dbuf.phys & 0xffffffff);
if (phys == le32_to_cpu(hbqe->bde.addrLow)) {
- len += snprintf(buf+len, size-len,
+ len += scnprintf(buf+len, size-len,
"Buf%d: %p %06x\n", i,
hbq_buf->dbuf.virt, hbq_buf->tag);
found = 1;
@@ -367,7 +367,7 @@ lpfc_debugfs_hbqinfo_data(struct lpfc_hba *phba, char *buf, int size)
i++;
}
if (!found) {
- len += snprintf(buf+len, size-len, "No DMAinfo?\n");
+ len += scnprintf(buf+len, size-len, "No DMAinfo?\n");
}
skipit:
hbqe++;
@@ -413,7 +413,7 @@ lpfc_debugfs_dumpHBASlim_data(struct lpfc_hba *phba, char *buf, int size)
off = 0;
spin_lock_irq(&phba->hbalock);
- len += snprintf(buf+len, size-len, "HBA SLIM\n");
+ len += scnprintf(buf+len, size-len, "HBA SLIM\n");
lpfc_memcpy_from_slim(buffer,
phba->MBslimaddr + lpfc_debugfs_last_hba_slim_off, 1024);
@@ -427,7 +427,7 @@ lpfc_debugfs_dumpHBASlim_data(struct lpfc_hba *phba, char *buf, int size)
i = 1024;
while (i > 0) {
- len += snprintf(buf+len, size-len,
+ len += scnprintf(buf+len, size-len,
"%08x: %08x %08x %08x %08x %08x %08x %08x %08x\n",
off, *ptr, *(ptr+1), *(ptr+2), *(ptr+3), *(ptr+4),
*(ptr+5), *(ptr+6), *(ptr+7));
@@ -471,11 +471,11 @@ lpfc_debugfs_dumpHostSlim_data(struct lpfc_hba *phba, char *buf, int size)
off = 0;
spin_lock_irq(&phba->hbalock);
- len += snprintf(buf+len, size-len, "SLIM Mailbox\n");
+ len += scnprintf(buf+len, size-len, "SLIM Mailbox\n");
ptr = (uint32_t *)phba->slim2p.virt;
i = sizeof(MAILBOX_t);
while (i > 0) {
- len += snprintf(buf+len, size-len,
+ len += scnprintf(buf+len, size-len,
"%08x: %08x %08x %08x %08x %08x %08x %08x %08x\n",
off, *ptr, *(ptr+1), *(ptr+2), *(ptr+3), *(ptr+4),
*(ptr+5), *(ptr+6), *(ptr+7));
@@ -484,11 +484,11 @@ lpfc_debugfs_dumpHostSlim_data(struct lpfc_hba *phba, char *buf, int size)
off += (8 * sizeof(uint32_t));
}
- len += snprintf(buf+len, size-len, "SLIM PCB\n");
+ len += scnprintf(buf+len, size-len, "SLIM PCB\n");
ptr = (uint32_t *)phba->pcb;
i = sizeof(PCB_t);
while (i > 0) {
- len += snprintf(buf+len, size-len,
+ len += scnprintf(buf+len, size-len,
"%08x: %08x %08x %08x %08x %08x %08x %08x %08x\n",
off, *ptr, *(ptr+1), *(ptr+2), *(ptr+3), *(ptr+4),
*(ptr+5), *(ptr+6), *(ptr+7));
@@ -501,7 +501,7 @@ lpfc_debugfs_dumpHostSlim_data(struct lpfc_hba *phba, char *buf, int size)
for (i = 0; i < 4; i++) {
pgpp = &phba->port_gp[i];
pring = &psli->sli3_ring[i];
- len += snprintf(buf+len, size-len,
+ len += scnprintf(buf+len, size-len,
"Ring %d: CMD GetInx:%d "
"(Max:%d Next:%d "
"Local:%d flg:x%x) "
@@ -518,7 +518,7 @@ lpfc_debugfs_dumpHostSlim_data(struct lpfc_hba *phba, char *buf, int size)
word1 = readl(phba->CAregaddr);
word2 = readl(phba->HSregaddr);
word3 = readl(phba->HCregaddr);
- len += snprintf(buf+len, size-len, "HA:%08x CA:%08x HS:%08x "
+ len += scnprintf(buf+len, size-len, "HA:%08x CA:%08x HS:%08x "
"HC:%08x\n", word0, word1, word2, word3);
}
spin_unlock_irq(&phba->hbalock);
@@ -556,12 +556,12 @@ lpfc_debugfs_nodelist_data(struct lpfc_vport *vport, char *buf, int size)
cnt = (LPFC_NODELIST_SIZE / LPFC_NODELIST_ENTRY_SIZE);
outio = 0;
- len += snprintf(buf+len, size-len, "\nFCP Nodelist Entries ...\n");
+ len += scnprintf(buf+len, size-len, "\nFCP Nodelist Entries ...\n");
spin_lock_irq(shost->host_lock);
list_for_each_entry(ndlp, &vport->fc_nodes, nlp_listp) {
iocnt = 0;
if (!cnt) {
- len += snprintf(buf+len, size-len,
+ len += scnprintf(buf+len, size-len,
"Missing Nodelist Entries\n");
break;
}
@@ -599,61 +599,61 @@ lpfc_debugfs_nodelist_data(struct lpfc_vport *vport, char *buf, int size)
default:
statep = "UNKNOWN";
}
- len += snprintf(buf+len, size-len, "%s DID:x%06x ",
+ len += scnprintf(buf+len, size-len, "%s DID:x%06x ",
statep, ndlp->nlp_DID);
- len += snprintf(buf+len, size-len,
+ len += scnprintf(buf+len, size-len,
"WWPN x%llx ",
wwn_to_u64(ndlp->nlp_portname.u.wwn));
- len += snprintf(buf+len, size-len,
+ len += scnprintf(buf+len, size-len,
"WWNN x%llx ",
wwn_to_u64(ndlp->nlp_nodename.u.wwn));
if (ndlp->nlp_flag & NLP_RPI_REGISTERED)
- len += snprintf(buf+len, size-len, "RPI:%03d ",
+ len += scnprintf(buf+len, size-len, "RPI:%03d ",
ndlp->nlp_rpi);
else
- len += snprintf(buf+len, size-len, "RPI:none ");
- len += snprintf(buf+len, size-len, "flag:x%08x ",
+ len += scnprintf(buf+len, size-len, "RPI:none ");
+ len += scnprintf(buf+len, size-len, "flag:x%08x ",
ndlp->nlp_flag);
if (!ndlp->nlp_type)
- len += snprintf(buf+len, size-len, "UNKNOWN_TYPE ");
+ len += scnprintf(buf+len, size-len, "UNKNOWN_TYPE ");
if (ndlp->nlp_type & NLP_FC_NODE)
- len += snprintf(buf+len, size-len, "FC_NODE ");
+ len += scnprintf(buf+len, size-len, "FC_NODE ");
if (ndlp->nlp_type & NLP_FABRIC) {
- len += snprintf(buf+len, size-len, "FABRIC ");
+ len += scnprintf(buf+len, size-len, "FABRIC ");
iocnt = 0;
}
if (ndlp->nlp_type & NLP_FCP_TARGET)
- len += snprintf(buf+len, size-len, "FCP_TGT sid:%d ",
+ len += scnprintf(buf+len, size-len, "FCP_TGT sid:%d ",
ndlp->nlp_sid);
if (ndlp->nlp_type & NLP_FCP_INITIATOR)
- len += snprintf(buf+len, size-len, "FCP_INITIATOR ");
+ len += scnprintf(buf+len, size-len, "FCP_INITIATOR ");
if (ndlp->nlp_type & NLP_NVME_TARGET)
- len += snprintf(buf + len,
+ len += scnprintf(buf + len,
size - len, "NVME_TGT sid:%d ",
NLP_NO_SID);
if (ndlp->nlp_type & NLP_NVME_INITIATOR)
- len += snprintf(buf + len,
+ len += scnprintf(buf + len,
size - len, "NVME_INITIATOR ");
- len += snprintf(buf+len, size-len, "usgmap:%x ",
+ len += scnprintf(buf+len, size-len, "usgmap:%x ",
ndlp->nlp_usg_map);
- len += snprintf(buf+len, size-len, "refcnt:%x",
+ len += scnprintf(buf+len, size-len, "refcnt:%x",
kref_read(&ndlp->kref));
if (iocnt) {
i = atomic_read(&ndlp->cmd_pending);
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
" OutIO:x%x Qdepth x%x",
i, ndlp->cmd_qdepth);
outio += i;
}
- len += snprintf(buf+len, size-len, "\n");
+ len += scnprintf(buf+len, size-len, "\n");
}
spin_unlock_irq(shost->host_lock);
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"\nOutstanding IO x%x\n", outio);
if (phba->nvmet_support && phba->targetport && (vport == phba->pport)) {
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"\nNVME Targetport Entry ...\n");
/* Port state is only one of two values for now. */
@@ -661,18 +661,18 @@ lpfc_debugfs_nodelist_data(struct lpfc_vport *vport, char *buf, int size)
statep = "REGISTERED";
else
statep = "INIT";
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"TGT WWNN x%llx WWPN x%llx State %s\n",
wwn_to_u64(vport->fc_nodename.u.wwn),
wwn_to_u64(vport->fc_portname.u.wwn),
statep);
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
" Targetport DID x%06x\n",
phba->targetport->port_id);
goto out_exit;
}
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"\nNVME Lport/Rport Entries ...\n");
localport = vport->localport;
@@ -687,11 +687,11 @@ lpfc_debugfs_nodelist_data(struct lpfc_vport *vport, char *buf, int size)
else
statep = "UNKNOWN ";
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"Lport DID x%06x PortState %s\n",
localport->port_id, statep);
- len += snprintf(buf + len, size - len, "\tRport List:\n");
+ len += scnprintf(buf + len, size - len, "\tRport List:\n");
list_for_each_entry(ndlp, &vport->fc_nodes, nlp_listp) {
/* local short-hand pointer. */
spin_lock(&phba->hbalock);
@@ -718,32 +718,32 @@ lpfc_debugfs_nodelist_data(struct lpfc_vport *vport, char *buf, int size)
}
/* Tab in to show lport ownership. */
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"\t%s Port ID:x%06x ",
statep, nrport->port_id);
- len += snprintf(buf + len, size - len, "WWPN x%llx ",
+ len += scnprintf(buf + len, size - len, "WWPN x%llx ",
nrport->port_name);
- len += snprintf(buf + len, size - len, "WWNN x%llx ",
+ len += scnprintf(buf + len, size - len, "WWNN x%llx ",
nrport->node_name);
/* An NVME rport can have multiple roles. */
if (nrport->port_role & FC_PORT_ROLE_NVME_INITIATOR)
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"INITIATOR ");
if (nrport->port_role & FC_PORT_ROLE_NVME_TARGET)
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"TARGET ");
if (nrport->port_role & FC_PORT_ROLE_NVME_DISCOVERY)
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"DISCSRVC ");
if (nrport->port_role & ~(FC_PORT_ROLE_NVME_INITIATOR |
FC_PORT_ROLE_NVME_TARGET |
FC_PORT_ROLE_NVME_DISCOVERY))
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"UNKNOWN ROLE x%x",
nrport->port_role);
/* Terminate the string. */
- len += snprintf(buf + len, size - len, "\n");
+ len += scnprintf(buf + len, size - len, "\n");
}
spin_unlock_irq(shost->host_lock);
@@ -782,35 +782,35 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
if (!phba->targetport)
return len;
tgtp = (struct lpfc_nvmet_tgtport *)phba->targetport->private;
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"\nNVME Targetport Statistics\n");
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"LS: Rcv %08x Drop %08x Abort %08x\n",
atomic_read(&tgtp->rcv_ls_req_in),
atomic_read(&tgtp->rcv_ls_req_drop),
atomic_read(&tgtp->xmt_ls_abort));
if (atomic_read(&tgtp->rcv_ls_req_in) !=
atomic_read(&tgtp->rcv_ls_req_out)) {
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"Rcv LS: in %08x != out %08x\n",
atomic_read(&tgtp->rcv_ls_req_in),
atomic_read(&tgtp->rcv_ls_req_out));
}
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"LS: Xmt %08x Drop %08x Cmpl %08x\n",
atomic_read(&tgtp->xmt_ls_rsp),
atomic_read(&tgtp->xmt_ls_drop),
atomic_read(&tgtp->xmt_ls_rsp_cmpl));
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"LS: RSP Abort %08x xb %08x Err %08x\n",
atomic_read(&tgtp->xmt_ls_rsp_aborted),
atomic_read(&tgtp->xmt_ls_rsp_xb_set),
atomic_read(&tgtp->xmt_ls_rsp_error));
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"FCP: Rcv %08x Defer %08x Release %08x "
"Drop %08x\n",
atomic_read(&tgtp->rcv_fcp_cmd_in),
@@ -820,13 +820,13 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
if (atomic_read(&tgtp->rcv_fcp_cmd_in) !=
atomic_read(&tgtp->rcv_fcp_cmd_out)) {
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"Rcv FCP: in %08x != out %08x\n",
atomic_read(&tgtp->rcv_fcp_cmd_in),
atomic_read(&tgtp->rcv_fcp_cmd_out));
}
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"FCP Rsp: read %08x readrsp %08x "
"write %08x rsp %08x\n",
atomic_read(&tgtp->xmt_fcp_read),
@@ -834,31 +834,31 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
atomic_read(&tgtp->xmt_fcp_write),
atomic_read(&tgtp->xmt_fcp_rsp));
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"FCP Rsp Cmpl: %08x err %08x drop %08x\n",
atomic_read(&tgtp->xmt_fcp_rsp_cmpl),
atomic_read(&tgtp->xmt_fcp_rsp_error),
atomic_read(&tgtp->xmt_fcp_rsp_drop));
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"FCP Rsp Abort: %08x xb %08x xricqe %08x\n",
atomic_read(&tgtp->xmt_fcp_rsp_aborted),
atomic_read(&tgtp->xmt_fcp_rsp_xb_set),
atomic_read(&tgtp->xmt_fcp_xri_abort_cqe));
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"ABORT: Xmt %08x Cmpl %08x\n",
atomic_read(&tgtp->xmt_fcp_abort),
atomic_read(&tgtp->xmt_fcp_abort_cmpl));
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"ABORT: Sol %08x Usol %08x Err %08x Cmpl %08x",
atomic_read(&tgtp->xmt_abort_sol),
atomic_read(&tgtp->xmt_abort_unsol),
atomic_read(&tgtp->xmt_abort_rsp),
atomic_read(&tgtp->xmt_abort_rsp_error));
- len += snprintf(buf + len, size - len, "\n");
+ len += scnprintf(buf + len, size - len, "\n");
cnt = 0;
spin_lock(&phba->sli4_hba.abts_nvme_buf_list_lock);
@@ -869,7 +869,7 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
}
spin_unlock(&phba->sli4_hba.abts_nvme_buf_list_lock);
if (cnt) {
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"ABORT: %d ctx entries\n", cnt);
spin_lock(&phba->sli4_hba.abts_nvme_buf_list_lock);
list_for_each_entry_safe(ctxp, next_ctxp,
@@ -877,7 +877,7 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
list) {
if (len >= (size - LPFC_DEBUG_OUT_LINE_SZ))
break;
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"Entry: oxid %x state %x "
"flag %x\n",
ctxp->oxid, ctxp->state,
@@ -891,7 +891,7 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
tot += atomic_read(&tgtp->xmt_fcp_release);
tot = atomic_read(&tgtp->rcv_fcp_cmd_in) - tot;
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"IO_CTX: %08x WAIT: cur %08x tot %08x\n"
"CTX Outstanding %08llx\n",
phba->sli4_hba.nvmet_xri_cnt,
@@ -909,10 +909,10 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
if (!lport)
return len;
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"\nNVME Lport Statistics\n");
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"LS: Xmt %016x Cmpl %016x\n",
atomic_read(&lport->fc4NvmeLsRequests),
atomic_read(&lport->fc4NvmeLsCmpls));
@@ -936,20 +936,20 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
if (i >= 32)
continue;
- len += snprintf(buf + len, PAGE_SIZE - len,
+ len += scnprintf(buf + len, PAGE_SIZE - len,
"FCP (%d): Rd %016llx Wr %016llx "
"IO %016llx ",
i, data1, data2, data3);
- len += snprintf(buf + len, PAGE_SIZE - len,
+ len += scnprintf(buf + len, PAGE_SIZE - len,
"Cmpl %016llx OutIO %016llx\n",
tot, ((data1 + data2 + data3) - tot));
}
- len += snprintf(buf + len, PAGE_SIZE - len,
+ len += scnprintf(buf + len, PAGE_SIZE - len,
"Total FCP Cmpl %016llx Issue %016llx "
"OutIO %016llx\n",
totin, totout, totout - totin);
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"LS Xmt Err: Abrt %08x Err %08x "
"Cmpl Err: xb %08x Err %08x\n",
atomic_read(&lport->xmt_ls_abort),
@@ -957,7 +957,7 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
atomic_read(&lport->cmpl_ls_xb),
atomic_read(&lport->cmpl_ls_err));
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"FCP Xmt Err: noxri %06x nondlp %06x "
"qdepth %06x wqerr %06x err %06x Abrt %06x\n",
atomic_read(&lport->xmt_fcp_noxri),
@@ -967,7 +967,7 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
atomic_read(&lport->xmt_fcp_err),
atomic_read(&lport->xmt_fcp_abort));
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"FCP Cmpl Err: xb %08x Err %08x\n",
atomic_read(&lport->cmpl_fcp_xb),
atomic_read(&lport->cmpl_fcp_err));
@@ -999,58 +999,58 @@ lpfc_debugfs_nvmektime_data(struct lpfc_vport *vport, char *buf, int size)
if (phba->nvmet_support == 0) {
/* NVME Initiator */
- len += snprintf(buf + len, PAGE_SIZE - len,
+ len += scnprintf(buf + len, PAGE_SIZE - len,
"ktime %s: Total Samples: %lld\n",
(phba->ktime_on ? "Enabled" : "Disabled"),
phba->ktime_data_samples);
if (phba->ktime_data_samples == 0)
return len;
- len += snprintf(
+ len += scnprintf(
buf + len, PAGE_SIZE - len,
"Segment 1: Last NVME Cmd cmpl "
"done -to- Start of next NVME cnd (in driver)\n");
- len += snprintf(
+ len += scnprintf(
buf + len, PAGE_SIZE - len,
"avg:%08lld min:%08lld max %08lld\n",
div_u64(phba->ktime_seg1_total,
phba->ktime_data_samples),
phba->ktime_seg1_min,
phba->ktime_seg1_max);
- len += snprintf(
+ len += scnprintf(
buf + len, PAGE_SIZE - len,
"Segment 2: Driver start of NVME cmd "
"-to- Firmware WQ doorbell\n");
- len += snprintf(
+ len += scnprintf(
buf + len, PAGE_SIZE - len,
"avg:%08lld min:%08lld max %08lld\n",
div_u64(phba->ktime_seg2_total,
phba->ktime_data_samples),
phba->ktime_seg2_min,
phba->ktime_seg2_max);
- len += snprintf(
+ len += scnprintf(
buf + len, PAGE_SIZE - len,
"Segment 3: Firmware WQ doorbell -to- "
"MSI-X ISR cmpl\n");
- len += snprintf(
+ len += scnprintf(
buf + len, PAGE_SIZE - len,
"avg:%08lld min:%08lld max %08lld\n",
div_u64(phba->ktime_seg3_total,
phba->ktime_data_samples),
phba->ktime_seg3_min,
phba->ktime_seg3_max);
- len += snprintf(
+ len += scnprintf(
buf + len, PAGE_SIZE - len,
"Segment 4: MSI-X ISR cmpl -to- "
"NVME cmpl done\n");
- len += snprintf(
+ len += scnprintf(
buf + len, PAGE_SIZE - len,
"avg:%08lld min:%08lld max %08lld\n",
div_u64(phba->ktime_seg4_total,
phba->ktime_data_samples),
phba->ktime_seg4_min,
phba->ktime_seg4_max);
- len += snprintf(
+ len += scnprintf(
buf + len, PAGE_SIZE - len,
"Total IO avg time: %08lld\n",
div_u64(phba->ktime_seg1_total +
@@ -1062,7 +1062,7 @@ lpfc_debugfs_nvmektime_data(struct lpfc_vport *vport, char *buf, int size)
}
/* NVME Target */
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"ktime %s: Total Samples: %lld %lld\n",
(phba->ktime_on ? "Enabled" : "Disabled"),
phba->ktime_data_samples,
@@ -1070,46 +1070,46 @@ lpfc_debugfs_nvmektime_data(struct lpfc_vport *vport, char *buf, int size)
if (phba->ktime_data_samples == 0)
return len;
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"Segment 1: MSI-X ISR Rcv cmd -to- "
"cmd pass to NVME Layer\n");
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"avg:%08lld min:%08lld max %08lld\n",
div_u64(phba->ktime_seg1_total,
phba->ktime_data_samples),
phba->ktime_seg1_min,
phba->ktime_seg1_max);
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"Segment 2: cmd pass to NVME Layer- "
"-to- Driver rcv cmd OP (action)\n");
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"avg:%08lld min:%08lld max %08lld\n",
div_u64(phba->ktime_seg2_total,
phba->ktime_data_samples),
phba->ktime_seg2_min,
phba->ktime_seg2_max);
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"Segment 3: Driver rcv cmd OP -to- "
"Firmware WQ doorbell: cmd\n");
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"avg:%08lld min:%08lld max %08lld\n",
div_u64(phba->ktime_seg3_total,
phba->ktime_data_samples),
phba->ktime_seg3_min,
phba->ktime_seg3_max);
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"Segment 4: Firmware WQ doorbell: cmd "
"-to- MSI-X ISR for cmd cmpl\n");
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"avg:%08lld min:%08lld max %08lld\n",
div_u64(phba->ktime_seg4_total,
phba->ktime_data_samples),
phba->ktime_seg4_min,
phba->ktime_seg4_max);
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"Segment 5: MSI-X ISR for cmd cmpl "
"-to- NVME layer passed cmd done\n");
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"avg:%08lld min:%08lld max %08lld\n",
div_u64(phba->ktime_seg5_total,
phba->ktime_data_samples),
@@ -1117,10 +1117,10 @@ lpfc_debugfs_nvmektime_data(struct lpfc_vport *vport, char *buf, int size)
phba->ktime_seg5_max);
if (phba->ktime_status_samples == 0) {
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"Total: cmd received by MSI-X ISR "
"-to- cmd completed on wire\n");
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"avg:%08lld min:%08lld "
"max %08lld\n",
div_u64(phba->ktime_seg10_total,
@@ -1130,46 +1130,46 @@ lpfc_debugfs_nvmektime_data(struct lpfc_vport *vport, char *buf, int size)
return len;
}
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"Segment 6: NVME layer passed cmd done "
"-to- Driver rcv rsp status OP\n");
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"avg:%08lld min:%08lld max %08lld\n",
div_u64(phba->ktime_seg6_total,
phba->ktime_status_samples),
phba->ktime_seg6_min,
phba->ktime_seg6_max);
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"Segment 7: Driver rcv rsp status OP "
"-to- Firmware WQ doorbell: status\n");
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"avg:%08lld min:%08lld max %08lld\n",
div_u64(phba->ktime_seg7_total,
phba->ktime_status_samples),
phba->ktime_seg7_min,
phba->ktime_seg7_max);
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"Segment 8: Firmware WQ doorbell: status"
" -to- MSI-X ISR for status cmpl\n");
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"avg:%08lld min:%08lld max %08lld\n",
div_u64(phba->ktime_seg8_total,
phba->ktime_status_samples),
phba->ktime_seg8_min,
phba->ktime_seg8_max);
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"Segment 9: MSI-X ISR for status cmpl "
"-to- NVME layer passed status done\n");
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"avg:%08lld min:%08lld max %08lld\n",
div_u64(phba->ktime_seg9_total,
phba->ktime_status_samples),
phba->ktime_seg9_min,
phba->ktime_seg9_max);
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"Total: cmd received by MSI-X ISR -to- "
"cmd completed on wire\n");
- len += snprintf(buf + len, PAGE_SIZE-len,
+ len += scnprintf(buf + len, PAGE_SIZE-len,
"avg:%08lld min:%08lld max %08lld\n",
div_u64(phba->ktime_seg10_total,
phba->ktime_status_samples),
@@ -1204,7 +1204,7 @@ lpfc_debugfs_nvmeio_trc_data(struct lpfc_hba *phba, char *buf, int size)
(phba->nvmeio_trc_size - 1);
skip = phba->nvmeio_trc_output_idx;
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"%s IO Trace %s: next_idx %d skip %d size %d\n",
(phba->nvmet_support ? "NVME" : "NVMET"),
(state ? "Enabled" : "Disabled"),
@@ -1226,18 +1226,18 @@ lpfc_debugfs_nvmeio_trc_data(struct lpfc_hba *phba, char *buf, int size)
if (!dtp->fmt)
continue;
- len += snprintf(buf + len, size - len, dtp->fmt,
+ len += scnprintf(buf + len, size - len, dtp->fmt,
dtp->data1, dtp->data2, dtp->data3);
if (phba->nvmeio_trc_output_idx >= phba->nvmeio_trc_size) {
phba->nvmeio_trc_output_idx = 0;
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"Trace Complete\n");
goto out;
}
if (len >= (size - LPFC_DEBUG_OUT_LINE_SZ)) {
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"Trace Continue (%d of %d)\n",
phba->nvmeio_trc_output_idx,
phba->nvmeio_trc_size);
@@ -1255,18 +1255,18 @@ lpfc_debugfs_nvmeio_trc_data(struct lpfc_hba *phba, char *buf, int size)
if (!dtp->fmt)
continue;
- len += snprintf(buf + len, size - len, dtp->fmt,
+ len += scnprintf(buf + len, size - len, dtp->fmt,
dtp->data1, dtp->data2, dtp->data3);
if (phba->nvmeio_trc_output_idx >= phba->nvmeio_trc_size) {
phba->nvmeio_trc_output_idx = 0;
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"Trace Complete\n");
goto out;
}
if (len >= (size - LPFC_DEBUG_OUT_LINE_SZ)) {
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"Trace Continue (%d of %d)\n",
phba->nvmeio_trc_output_idx,
phba->nvmeio_trc_size);
@@ -1274,7 +1274,7 @@ lpfc_debugfs_nvmeio_trc_data(struct lpfc_hba *phba, char *buf, int size)
}
}
- len += snprintf(buf + len, size - len,
+ len += scnprintf(buf + len, size - len,
"Trace Done\n");
out:
return len;
@@ -1306,39 +1306,39 @@ lpfc_debugfs_cpucheck_data(struct lpfc_vport *vport, char *buf, int size)
if (phba->nvmet_support == 0) {
/* NVME Initiator */
- len += snprintf(buf + len, PAGE_SIZE - len,
+ len += scnprintf(buf + len, PAGE_SIZE - len,
"CPUcheck %s\n",
(phba->cpucheck_on & LPFC_CHECK_NVME_IO ?
"Enabled" : "Disabled"));
for (i = 0; i < phba->sli4_hba.num_present_cpu; i++) {
if (i >= LPFC_CHECK_CPU_CNT)
break;
- len += snprintf(buf + len, PAGE_SIZE - len,
+ len += scnprintf(buf + len, PAGE_SIZE - len,
"%02d: xmit x%08x cmpl x%08x\n",
i, phba->cpucheck_xmt_io[i],
phba->cpucheck_cmpl_io[i]);
tot_xmt += phba->cpucheck_xmt_io[i];
tot_cmpl += phba->cpucheck_cmpl_io[i];
}
- len += snprintf(buf + len, PAGE_SIZE - len,
+ len += scnprintf(buf + len, PAGE_SIZE - len,
"tot:xmit x%08x cmpl x%08x\n",
tot_xmt, tot_cmpl);
return len;
}
/* NVME Target */
- len += snprintf(buf + len, PAGE_SIZE - len,
+ len += scnprintf(buf + len, PAGE_SIZE - len,
"CPUcheck %s ",
(phba->cpucheck_on & LPFC_CHECK_NVMET_IO ?
"IO Enabled - " : "IO Disabled - "));
- len += snprintf(buf + len, PAGE_SIZE - len,
+ len += scnprintf(buf + len, PAGE_SIZE - len,
"%s\n",
(phba->cpucheck_on & LPFC_CHECK_NVMET_RCV ?
"Rcv Enabled\n" : "Rcv Disabled\n"));
for (i = 0; i < phba->sli4_hba.num_present_cpu; i++) {
if (i >= LPFC_CHECK_CPU_CNT)
break;
- len += snprintf(buf + len, PAGE_SIZE - len,
+ len += scnprintf(buf + len, PAGE_SIZE - len,
"%02d: xmit x%08x ccmpl x%08x "
"cmpl x%08x rcv x%08x\n",
i, phba->cpucheck_xmt_io[i],
@@ -1350,7 +1350,7 @@ lpfc_debugfs_cpucheck_data(struct lpfc_vport *vport, char *buf, int size)
tot_cmpl += phba->cpucheck_cmpl_io[i];
tot_ccmpl += phba->cpucheck_ccmpl_io[i];
}
- len += snprintf(buf + len, PAGE_SIZE - len,
+ len += scnprintf(buf + len, PAGE_SIZE - len,
"tot:xmit x%08x ccmpl x%08x cmpl x%08x rcv x%08x\n",
tot_xmt, tot_ccmpl, tot_cmpl, tot_rcv);
return len;
@@ -1795,28 +1795,28 @@ lpfc_debugfs_dif_err_read(struct file *file, char __user *buf,
int cnt = 0;
if (dent == phba->debug_writeGuard)
- cnt = snprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wgrd_cnt);
+ cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wgrd_cnt);
else if (dent == phba->debug_writeApp)
- cnt = snprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wapp_cnt);
+ cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wapp_cnt);
else if (dent == phba->debug_writeRef)
- cnt = snprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wref_cnt);
+ cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wref_cnt);
else if (dent == phba->debug_readGuard)
- cnt = snprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rgrd_cnt);
+ cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rgrd_cnt);
else if (dent == phba->debug_readApp)
- cnt = snprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rapp_cnt);
+ cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rapp_cnt);
else if (dent == phba->debug_readRef)
- cnt = snprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rref_cnt);
+ cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rref_cnt);
else if (dent == phba->debug_InjErrNPortID)
- cnt = snprintf(cbuf, 32, "0x%06x\n", phba->lpfc_injerr_nportid);
+ cnt = scnprintf(cbuf, 32, "0x%06x\n", phba->lpfc_injerr_nportid);
else if (dent == phba->debug_InjErrWWPN) {
memcpy(&tmp, &phba->lpfc_injerr_wwpn, sizeof(struct lpfc_name));
tmp = cpu_to_be64(tmp);
- cnt = snprintf(cbuf, 32, "0x%016llx\n", tmp);
+ cnt = scnprintf(cbuf, 32, "0x%016llx\n", tmp);
} else if (dent == phba->debug_InjErrLBA) {
if (phba->lpfc_injerr_lba == (sector_t)(-1))
- cnt = snprintf(cbuf, 32, "off\n");
+ cnt = scnprintf(cbuf, 32, "off\n");
else
- cnt = snprintf(cbuf, 32, "0x%llx\n",
+ cnt = scnprintf(cbuf, 32, "0x%llx\n",
(uint64_t) phba->lpfc_injerr_lba);
} else
lpfc_printf_log(phba, KERN_ERR, LOG_INIT,
@@ -2622,17 +2622,17 @@ lpfc_idiag_pcicfg_read(struct file *file, char __user *buf, size_t nbytes,
switch (count) {
case SIZE_U8: /* byte (8 bits) */
pci_read_config_byte(pdev, where, &u8val);
- len += snprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
"%03x: %02x\n", where, u8val);
break;
case SIZE_U16: /* word (16 bits) */
pci_read_config_word(pdev, where, &u16val);
- len += snprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
"%03x: %04x\n", where, u16val);
break;
case SIZE_U32: /* double word (32 bits) */
pci_read_config_dword(pdev, where, &u32val);
- len += snprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
"%03x: %08x\n", where, u32val);
break;
case LPFC_PCI_CFG_BROWSE: /* browse all */
@@ -2652,25 +2652,25 @@ lpfc_idiag_pcicfg_read(struct file *file, char __user *buf, size_t nbytes,
offset = offset_label;
/* Read PCI config space */
- len += snprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
"%03x: ", offset_label);
while (index > 0) {
pci_read_config_dword(pdev, offset, &u32val);
- len += snprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
"%08x ", u32val);
offset += sizeof(uint32_t);
if (offset >= LPFC_PCI_CFG_SIZE) {
- len += snprintf(pbuffer+len,
+ len += scnprintf(pbuffer+len,
LPFC_PCI_CFG_SIZE-len, "\n");
break;
}
index -= sizeof(uint32_t);
if (!index)
- len += snprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
"\n");
else if (!(index % (8 * sizeof(uint32_t)))) {
offset_label += (8 * sizeof(uint32_t));
- len += snprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
"\n%03x: ", offset_label);
}
}
@@ -2941,7 +2941,7 @@ lpfc_idiag_baracc_read(struct file *file, char __user *buf, size_t nbytes,
if (acc_range == SINGLE_WORD) {
offset_run = offset;
u32val = readl(mem_mapped_bar + offset_run);
- len += snprintf(pbuffer+len, LPFC_PCI_BAR_RD_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_PCI_BAR_RD_BUF_SIZE-len,
"%05x: %08x\n", offset_run, u32val);
} else
goto baracc_browse;
@@ -2955,35 +2955,35 @@ lpfc_idiag_baracc_read(struct file *file, char __user *buf, size_t nbytes,
offset_run = offset_label;
/* Read PCI bar memory mapped space */
- len += snprintf(pbuffer+len, LPFC_PCI_BAR_RD_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_PCI_BAR_RD_BUF_SIZE-len,
"%05x: ", offset_label);
index = LPFC_PCI_BAR_RD_SIZE;
while (index > 0) {
u32val = readl(mem_mapped_bar + offset_run);
- len += snprintf(pbuffer+len, LPFC_PCI_BAR_RD_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_PCI_BAR_RD_BUF_SIZE-len,
"%08x ", u32val);
offset_run += sizeof(uint32_t);
if (acc_range == LPFC_PCI_BAR_BROWSE) {
if (offset_run >= bar_size) {
- len += snprintf(pbuffer+len,
+ len += scnprintf(pbuffer+len,
LPFC_PCI_BAR_RD_BUF_SIZE-len, "\n");
break;
}
} else {
if (offset_run >= offset +
(acc_range * sizeof(uint32_t))) {
- len += snprintf(pbuffer+len,
+ len += scnprintf(pbuffer+len,
LPFC_PCI_BAR_RD_BUF_SIZE-len, "\n");
break;
}
}
index -= sizeof(uint32_t);
if (!index)
- len += snprintf(pbuffer+len,
+ len += scnprintf(pbuffer+len,
LPFC_PCI_BAR_RD_BUF_SIZE-len, "\n");
else if (!(index % (8 * sizeof(uint32_t)))) {
offset_label += (8 * sizeof(uint32_t));
- len += snprintf(pbuffer+len,
+ len += scnprintf(pbuffer+len,
LPFC_PCI_BAR_RD_BUF_SIZE-len,
"\n%05x: ", offset_label);
}
@@ -3156,19 +3156,19 @@ __lpfc_idiag_print_wq(struct lpfc_queue *qp, char *wqtype,
if (!qp)
return len;
- len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
+ len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
"\t\t%s WQ info: ", wqtype);
- len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
+ len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
"AssocCQID[%04d]: WQ-STAT[oflow:x%x posted:x%llx]\n",
qp->assoc_qid, qp->q_cnt_1,
(unsigned long long)qp->q_cnt_4);
- len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
+ len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
"\t\tWQID[%02d], QE-CNT[%04d], QE-SZ[%04d], "
"HST-IDX[%04d], PRT-IDX[%04d], PST[%03d]",
qp->queue_id, qp->entry_count,
qp->entry_size, qp->host_index,
qp->hba_index, qp->entry_repost);
- len += snprintf(pbuffer + len,
+ len += scnprintf(pbuffer + len,
LPFC_QUE_INFO_GET_BUF_SIZE - len, "\n");
return len;
}
@@ -3206,21 +3206,21 @@ __lpfc_idiag_print_cq(struct lpfc_queue *qp, char *cqtype,
if (!qp)
return len;
- len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
+ len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
"\t%s CQ info: ", cqtype);
- len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
+ len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
"AssocEQID[%02d]: CQ STAT[max:x%x relw:x%x "
"xabt:x%x wq:x%llx]\n",
qp->assoc_qid, qp->q_cnt_1, qp->q_cnt_2,
qp->q_cnt_3, (unsigned long long)qp->q_cnt_4);
- len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
+ len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
"\tCQID[%02d], QE-CNT[%04d], QE-SZ[%04d], "
"HST-IDX[%04d], PRT-IDX[%04d], PST[%03d]",
qp->queue_id, qp->entry_count,
qp->entry_size, qp->host_index,
qp->hba_index, qp->entry_repost);
- len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len, "\n");
+ len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len, "\n");
return len;
}
@@ -3232,19 +3232,19 @@ __lpfc_idiag_print_rqpair(struct lpfc_queue *qp, struct lpfc_queue *datqp,
if (!qp || !datqp)
return len;
- len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
+ len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
"\t\t%s RQ info: ", rqtype);
- len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
+ len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
"AssocCQID[%02d]: RQ-STAT[nopost:x%x nobuf:x%x "
"posted:x%x rcv:x%llx]\n",
qp->assoc_qid, qp->q_cnt_1, qp->q_cnt_2,
qp->q_cnt_3, (unsigned long long)qp->q_cnt_4);
- len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
+ len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
"\t\tHQID[%02d], QE-CNT[%04d], QE-SZ[%04d], "
"HST-IDX[%04d], PRT-IDX[%04d], PST[%03d]\n",
qp->queue_id, qp->entry_count, qp->entry_size,
qp->host_index, qp->hba_index, qp->entry_repost);
- len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
+ len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
"\t\tDQID[%02d], QE-CNT[%04d], QE-SZ[%04d], "
"HST-IDX[%04d], PRT-IDX[%04d], PST[%03d]\n",
datqp->queue_id, datqp->entry_count,
@@ -3329,17 +3329,17 @@ __lpfc_idiag_print_eq(struct lpfc_queue *qp, char *eqtype,
if (!qp)
return len;
- len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
+ len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
"\n%s EQ info: EQ-STAT[max:x%x noE:x%x "
"cqe_proc:x%x eqe_proc:x%llx eqd %d]\n",
eqtype, qp->q_cnt_1, qp->q_cnt_2, qp->q_cnt_3,
(unsigned long long)qp->q_cnt_4, qp->q_mode);
- len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
+ len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
"EQID[%02d], QE-CNT[%04d], QE-SZ[%04d], "
"HST-IDX[%04d], PRT-IDX[%04d], PST[%03d]",
qp->queue_id, qp->entry_count, qp->entry_size,
qp->host_index, qp->hba_index, qp->entry_repost);
- len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len, "\n");
+ len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len, "\n");
return len;
}
@@ -3397,7 +3397,7 @@ lpfc_idiag_queinfo_read(struct file *file, char __user *buf, size_t nbytes,
if (phba->cfg_fof == 0)
phba->lpfc_idiag_last_eq = 0;
- len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
+ len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
"EQ %d out of %d HBA EQs\n",
x, phba->io_channel_irqs);
@@ -3510,7 +3510,7 @@ lpfc_idiag_queinfo_read(struct file *file, char __user *buf, size_t nbytes,
return simple_read_from_buffer(buf, nbytes, ppos, pbuffer, len);
too_big:
- len += snprintf(pbuffer + len,
+ len += scnprintf(pbuffer + len,
LPFC_QUE_INFO_GET_BUF_SIZE - len, "Truncated ...\n");
out:
spin_unlock_irq(&phba->hbalock);
@@ -3566,22 +3566,22 @@ lpfc_idiag_queacc_read_qe(char *pbuffer, int len, struct lpfc_queue *pque,
return 0;
esize = pque->entry_size;
- len += snprintf(pbuffer+len, LPFC_QUE_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_QUE_ACC_BUF_SIZE-len,
"QE-INDEX[%04d]:\n", index);
offset = 0;
pentry = pque->qe[index].address;
while (esize > 0) {
- len += snprintf(pbuffer+len, LPFC_QUE_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_QUE_ACC_BUF_SIZE-len,
"%08x ", *pentry);
pentry++;
offset += sizeof(uint32_t);
esize -= sizeof(uint32_t);
if (esize > 0 && !(offset % (4 * sizeof(uint32_t))))
- len += snprintf(pbuffer+len,
+ len += scnprintf(pbuffer+len,
LPFC_QUE_ACC_BUF_SIZE-len, "\n");
}
- len += snprintf(pbuffer+len, LPFC_QUE_ACC_BUF_SIZE-len, "\n");
+ len += scnprintf(pbuffer+len, LPFC_QUE_ACC_BUF_SIZE-len, "\n");
return len;
}
@@ -3987,27 +3987,27 @@ lpfc_idiag_drbacc_read_reg(struct lpfc_hba *phba, char *pbuffer,
switch (drbregid) {
case LPFC_DRB_EQ:
- len += snprintf(pbuffer + len, LPFC_DRB_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer + len, LPFC_DRB_ACC_BUF_SIZE-len,
"EQ-DRB-REG: 0x%08x\n",
readl(phba->sli4_hba.EQDBregaddr));
break;
case LPFC_DRB_CQ:
- len += snprintf(pbuffer + len, LPFC_DRB_ACC_BUF_SIZE - len,
+ len += scnprintf(pbuffer + len, LPFC_DRB_ACC_BUF_SIZE - len,
"CQ-DRB-REG: 0x%08x\n",
readl(phba->sli4_hba.CQDBregaddr));
break;
case LPFC_DRB_MQ:
- len += snprintf(pbuffer+len, LPFC_DRB_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_DRB_ACC_BUF_SIZE-len,
"MQ-DRB-REG: 0x%08x\n",
readl(phba->sli4_hba.MQDBregaddr));
break;
case LPFC_DRB_WQ:
- len += snprintf(pbuffer+len, LPFC_DRB_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_DRB_ACC_BUF_SIZE-len,
"WQ-DRB-REG: 0x%08x\n",
readl(phba->sli4_hba.WQDBregaddr));
break;
case LPFC_DRB_RQ:
- len += snprintf(pbuffer+len, LPFC_DRB_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_DRB_ACC_BUF_SIZE-len,
"RQ-DRB-REG: 0x%08x\n",
readl(phba->sli4_hba.RQDBregaddr));
break;
@@ -4197,37 +4197,37 @@ lpfc_idiag_ctlacc_read_reg(struct lpfc_hba *phba, char *pbuffer,
switch (ctlregid) {
case LPFC_CTL_PORT_SEM:
- len += snprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
"Port SemReg: 0x%08x\n",
readl(phba->sli4_hba.conf_regs_memmap_p +
LPFC_CTL_PORT_SEM_OFFSET));
break;
case LPFC_CTL_PORT_STA:
- len += snprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
"Port StaReg: 0x%08x\n",
readl(phba->sli4_hba.conf_regs_memmap_p +
LPFC_CTL_PORT_STA_OFFSET));
break;
case LPFC_CTL_PORT_CTL:
- len += snprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
"Port CtlReg: 0x%08x\n",
readl(phba->sli4_hba.conf_regs_memmap_p +
LPFC_CTL_PORT_CTL_OFFSET));
break;
case LPFC_CTL_PORT_ER1:
- len += snprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
"Port Er1Reg: 0x%08x\n",
readl(phba->sli4_hba.conf_regs_memmap_p +
LPFC_CTL_PORT_ER1_OFFSET));
break;
case LPFC_CTL_PORT_ER2:
- len += snprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
"Port Er2Reg: 0x%08x\n",
readl(phba->sli4_hba.conf_regs_memmap_p +
LPFC_CTL_PORT_ER2_OFFSET));
break;
case LPFC_CTL_PDEV_CTL:
- len += snprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
"PDev CtlReg: 0x%08x\n",
readl(phba->sli4_hba.conf_regs_memmap_p +
LPFC_CTL_PDEV_CTL_OFFSET));
@@ -4420,13 +4420,13 @@ lpfc_idiag_mbxacc_get_setup(struct lpfc_hba *phba, char *pbuffer)
mbx_dump_cnt = idiag.cmd.data[IDIAG_MBXACC_DPCNT_INDX];
mbx_word_cnt = idiag.cmd.data[IDIAG_MBXACC_WDCNT_INDX];
- len += snprintf(pbuffer+len, LPFC_MBX_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_MBX_ACC_BUF_SIZE-len,
"mbx_dump_map: 0x%08x\n", mbx_dump_map);
- len += snprintf(pbuffer+len, LPFC_MBX_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_MBX_ACC_BUF_SIZE-len,
"mbx_dump_cnt: %04d\n", mbx_dump_cnt);
- len += snprintf(pbuffer+len, LPFC_MBX_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_MBX_ACC_BUF_SIZE-len,
"mbx_word_cnt: %04d\n", mbx_word_cnt);
- len += snprintf(pbuffer+len, LPFC_MBX_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_MBX_ACC_BUF_SIZE-len,
"mbx_mbox_cmd: 0x%02x\n", mbx_mbox_cmd);
return len;
@@ -4575,35 +4575,35 @@ lpfc_idiag_extacc_avail_get(struct lpfc_hba *phba, char *pbuffer, int len)
{
uint16_t ext_cnt, ext_size;
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"\nAvailable Extents Information:\n");
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"\tPort Available VPI extents: ");
lpfc_sli4_get_avail_extnt_rsrc(phba, LPFC_RSC_TYPE_FCOE_VPI,
&ext_cnt, &ext_size);
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"Count %3d, Size %3d\n", ext_cnt, ext_size);
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"\tPort Available VFI extents: ");
lpfc_sli4_get_avail_extnt_rsrc(phba, LPFC_RSC_TYPE_FCOE_VFI,
&ext_cnt, &ext_size);
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"Count %3d, Size %3d\n", ext_cnt, ext_size);
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"\tPort Available RPI extents: ");
lpfc_sli4_get_avail_extnt_rsrc(phba, LPFC_RSC_TYPE_FCOE_RPI,
&ext_cnt, &ext_size);
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"Count %3d, Size %3d\n", ext_cnt, ext_size);
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"\tPort Available XRI extents: ");
lpfc_sli4_get_avail_extnt_rsrc(phba, LPFC_RSC_TYPE_FCOE_XRI,
&ext_cnt, &ext_size);
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"Count %3d, Size %3d\n", ext_cnt, ext_size);
return len;
@@ -4627,55 +4627,55 @@ lpfc_idiag_extacc_alloc_get(struct lpfc_hba *phba, char *pbuffer, int len)
uint16_t ext_cnt, ext_size;
int rc;
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"\nAllocated Extents Information:\n");
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"\tHost Allocated VPI extents: ");
rc = lpfc_sli4_get_allocated_extnts(phba, LPFC_RSC_TYPE_FCOE_VPI,
&ext_cnt, &ext_size);
if (!rc)
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"Port %d Extent %3d, Size %3d\n",
phba->brd_no, ext_cnt, ext_size);
else
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"N/A\n");
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"\tHost Allocated VFI extents: ");
rc = lpfc_sli4_get_allocated_extnts(phba, LPFC_RSC_TYPE_FCOE_VFI,
&ext_cnt, &ext_size);
if (!rc)
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"Port %d Extent %3d, Size %3d\n",
phba->brd_no, ext_cnt, ext_size);
else
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"N/A\n");
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"\tHost Allocated RPI extents: ");
rc = lpfc_sli4_get_allocated_extnts(phba, LPFC_RSC_TYPE_FCOE_RPI,
&ext_cnt, &ext_size);
if (!rc)
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"Port %d Extent %3d, Size %3d\n",
phba->brd_no, ext_cnt, ext_size);
else
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"N/A\n");
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"\tHost Allocated XRI extents: ");
rc = lpfc_sli4_get_allocated_extnts(phba, LPFC_RSC_TYPE_FCOE_XRI,
&ext_cnt, &ext_size);
if (!rc)
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"Port %d Extent %3d, Size %3d\n",
phba->brd_no, ext_cnt, ext_size);
else
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"N/A\n");
return len;
@@ -4699,49 +4699,49 @@ lpfc_idiag_extacc_drivr_get(struct lpfc_hba *phba, char *pbuffer, int len)
struct lpfc_rsrc_blks *rsrc_blks;
int index;
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"\nDriver Extents Information:\n");
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"\tVPI extents:\n");
index = 0;
list_for_each_entry(rsrc_blks, &phba->lpfc_vpi_blk_list, list) {
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"\t\tBlock %3d: Start %4d, Count %4d\n",
index, rsrc_blks->rsrc_start,
rsrc_blks->rsrc_size);
index++;
}
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"\tVFI extents:\n");
index = 0;
list_for_each_entry(rsrc_blks, &phba->sli4_hba.lpfc_vfi_blk_list,
list) {
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"\t\tBlock %3d: Start %4d, Count %4d\n",
index, rsrc_blks->rsrc_start,
rsrc_blks->rsrc_size);
index++;
}
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"\tRPI extents:\n");
index = 0;
list_for_each_entry(rsrc_blks, &phba->sli4_hba.lpfc_rpi_blk_list,
list) {
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"\t\tBlock %3d: Start %4d, Count %4d\n",
index, rsrc_blks->rsrc_start,
rsrc_blks->rsrc_size);
index++;
}
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"\tXRI extents:\n");
index = 0;
list_for_each_entry(rsrc_blks, &phba->sli4_hba.lpfc_xri_blk_list,
list) {
- len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
"\t\tBlock %3d: Start %4d, Count %4d\n",
index, rsrc_blks->rsrc_start,
rsrc_blks->rsrc_size);
@@ -5135,11 +5135,11 @@ lpfc_idiag_mbxacc_dump_bsg_mbox(struct lpfc_hba *phba, enum nemb_type nemb_tp,
if (i != 0)
pr_err("%s\n", line_buf);
len = 0;
- len += snprintf(line_buf+len,
+ len += scnprintf(line_buf+len,
LPFC_MBX_ACC_LBUF_SZ-len,
"%03d: ", i);
}
- len += snprintf(line_buf+len, LPFC_MBX_ACC_LBUF_SZ-len,
+ len += scnprintf(line_buf+len, LPFC_MBX_ACC_LBUF_SZ-len,
"%08x ", (uint32_t)*pword);
pword++;
}
@@ -5202,11 +5202,11 @@ lpfc_idiag_mbxacc_dump_issue_mbox(struct lpfc_hba *phba, MAILBOX_t *pmbox)
pr_err("%s\n", line_buf);
len = 0;
memset(line_buf, 0, LPFC_MBX_ACC_LBUF_SZ);
- len += snprintf(line_buf+len,
+ len += scnprintf(line_buf+len,
LPFC_MBX_ACC_LBUF_SZ-len,
"%03d: ", i);
}
- len += snprintf(line_buf+len, LPFC_MBX_ACC_LBUF_SZ-len,
+ len += scnprintf(line_buf+len, LPFC_MBX_ACC_LBUF_SZ-len,
"%08x ",
((uint32_t)*pword) & 0xffffffff);
pword++;
@@ -5225,18 +5225,18 @@ lpfc_idiag_mbxacc_dump_issue_mbox(struct lpfc_hba *phba, MAILBOX_t *pmbox)
pr_err("%s\n", line_buf);
len = 0;
memset(line_buf, 0, LPFC_MBX_ACC_LBUF_SZ);
- len += snprintf(line_buf+len,
+ len += scnprintf(line_buf+len,
LPFC_MBX_ACC_LBUF_SZ-len,
"%03d: ", i);
}
for (j = 0; j < 4; j++) {
- len += snprintf(line_buf+len,
+ len += scnprintf(line_buf+len,
LPFC_MBX_ACC_LBUF_SZ-len,
"%02x",
((uint8_t)*pbyte) & 0xff);
pbyte++;
}
- len += snprintf(line_buf+len,
+ len += scnprintf(line_buf+len,
LPFC_MBX_ACC_LBUF_SZ-len, " ");
}
if ((i - 1) % 8)
--
2.19.2
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH 6/8] ASoC: intel: skylake: change snprintf to scnprintf for possible overflow
2019-01-12 15:28 [PATCH 1/8] lkdtm: change snprintf to scnprintf for possible overflow Willy Tarreau
` (3 preceding siblings ...)
2019-01-12 15:28 ` [PATCH 5/8] scsi: lpfc: " Willy Tarreau
@ 2019-01-12 15:28 ` Willy Tarreau
2019-01-15 1:12 ` Kees Cook
2019-01-16 18:41 ` Kees Cook
2019-01-12 15:28 ` [PATCH 7/8] ASoC: dapm: " Willy Tarreau
` (3 subsequent siblings)
8 siblings, 2 replies; 36+ messages in thread
From: Willy Tarreau @ 2019-01-12 15:28 UTC (permalink / raw)
To: Silvio Cesare
Cc: linux-kernel, Pierre-Louis Bossart, Liam Girdwood, Jie Yang,
Dan Carpenter, Kees Cook, Will Deacon, Greg KH
From: Silvio Cesare <silvio.cesare@gmail.com>
Change snprintf to scnprintf. There are generally two cases where using
snprintf causes problems.
1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
In this case, if snprintf would have written more characters than what the
buffer size (SIZE) is, then size will end up larger than SIZE. In later
uses of snprintf, SIZE - size will result in a negative number, leading
to problems. Note that size might already be too large by using
size = snprintf before the code reaches a case of size += snprintf.
2) If size is ultimately used as a length parameter for a copy back to user
space, then it will potentially allow for a buffer overflow and information
disclosure when size is greater than SIZE. When the size is used to index
the buffer directly, we can have memory corruption. This also means when
size = snprintf... is used, it may also cause problems since size may become
large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
configuration.
The solution to these issues is to use scnprintf which returns the number of
characters actually written to the buffer, so the size variable will never
exceed SIZE.
Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
Cc: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Cc: Liam Girdwood <liam.r.girdwood@linux.intel.com>
Cc: Jie Yang <yang.jie@linux.intel.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
sound/soc/intel/skylake/skl-debug.c | 28 ++++++++++++++--------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/sound/soc/intel/skylake/skl-debug.c b/sound/soc/intel/skylake/skl-debug.c
index 5d7ac2ee7a3c..bb28db734fb7 100644
--- a/sound/soc/intel/skylake/skl-debug.c
+++ b/sound/soc/intel/skylake/skl-debug.c
@@ -43,7 +43,7 @@ static ssize_t skl_print_pins(struct skl_module_pin *m_pin, char *buf,
ssize_t ret = 0;
for (i = 0; i < max_pin; i++)
- ret += snprintf(buf + size, MOD_BUF - size,
+ ret += scnprintf(buf + size, MOD_BUF - size,
"%s %d\n\tModule %d\n\tInstance %d\n\t"
"In-used %s\n\tType %s\n"
"\tState %d\n\tIndex %d\n",
@@ -59,7 +59,7 @@ static ssize_t skl_print_pins(struct skl_module_pin *m_pin, char *buf,
static ssize_t skl_print_fmt(struct skl_module_fmt *fmt, char *buf,
ssize_t size, bool direction)
{
- return snprintf(buf + size, MOD_BUF - size,
+ return scnprintf(buf + size, MOD_BUF - size,
"%s\n\tCh %d\n\tFreq %d\n\tBit depth %d\n\t"
"Valid bit depth %d\n\tCh config %#x\n\tInterleaving %d\n\t"
"Sample Type %d\n\tCh Map %#x\n",
@@ -81,16 +81,16 @@ static ssize_t module_read(struct file *file, char __user *user_buf,
if (!buf)
return -ENOMEM;
- ret = snprintf(buf, MOD_BUF, "Module:\n\tUUID %pUL\n\tModule id %d\n"
+ ret = scnprintf(buf, MOD_BUF, "Module:\n\tUUID %pUL\n\tModule id %d\n"
"\tInstance id %d\n\tPvt_id %d\n", mconfig->guid,
mconfig->id.module_id, mconfig->id.instance_id,
mconfig->id.pvt_id);
- ret += snprintf(buf + ret, MOD_BUF - ret,
+ ret += scnprintf(buf + ret, MOD_BUF - ret,
"Resources:\n\tMCPS %#x\n\tIBS %#x\n\tOBS %#x\t\n",
mconfig->mcps, mconfig->ibs, mconfig->obs);
- ret += snprintf(buf + ret, MOD_BUF - ret,
+ ret += scnprintf(buf + ret, MOD_BUF - ret,
"Module data:\n\tCore %d\n\tIn queue %d\n\t"
"Out queue %d\n\tType %s\n",
mconfig->core_id, mconfig->max_in_queue,
@@ -100,38 +100,38 @@ static ssize_t module_read(struct file *file, char __user *user_buf,
ret += skl_print_fmt(mconfig->in_fmt, buf, ret, true);
ret += skl_print_fmt(mconfig->out_fmt, buf, ret, false);
- ret += snprintf(buf + ret, MOD_BUF - ret,
+ ret += scnprintf(buf + ret, MOD_BUF - ret,
"Fixup:\n\tParams %#x\n\tConverter %#x\n",
mconfig->params_fixup, mconfig->converter);
- ret += snprintf(buf + ret, MOD_BUF - ret,
+ ret += scnprintf(buf + ret, MOD_BUF - ret,
"Module Gateway:\n\tType %#x\n\tVbus %#x\n\tHW conn %#x\n\tSlot %#x\n",
mconfig->dev_type, mconfig->vbus_id,
mconfig->hw_conn_type, mconfig->time_slot);
- ret += snprintf(buf + ret, MOD_BUF - ret,
+ ret += scnprintf(buf + ret, MOD_BUF - ret,
"Pipeline:\n\tID %d\n\tPriority %d\n\tConn Type %d\n\t"
"Pages %#x\n", mconfig->pipe->ppl_id,
mconfig->pipe->pipe_priority, mconfig->pipe->conn_type,
mconfig->pipe->memory_pages);
- ret += snprintf(buf + ret, MOD_BUF - ret,
+ ret += scnprintf(buf + ret, MOD_BUF - ret,
"\tParams:\n\t\tHost DMA %d\n\t\tLink DMA %d\n",
mconfig->pipe->p_params->host_dma_id,
mconfig->pipe->p_params->link_dma_id);
- ret += snprintf(buf + ret, MOD_BUF - ret,
+ ret += scnprintf(buf + ret, MOD_BUF - ret,
"\tPCM params:\n\t\tCh %d\n\t\tFreq %d\n\t\tFormat %d\n",
mconfig->pipe->p_params->ch,
mconfig->pipe->p_params->s_freq,
mconfig->pipe->p_params->s_fmt);
- ret += snprintf(buf + ret, MOD_BUF - ret,
+ ret += scnprintf(buf + ret, MOD_BUF - ret,
"\tLink %#x\n\tStream %#x\n",
mconfig->pipe->p_params->linktype,
mconfig->pipe->p_params->stream);
- ret += snprintf(buf + ret, MOD_BUF - ret,
+ ret += scnprintf(buf + ret, MOD_BUF - ret,
"\tState %d\n\tPassthru %s\n",
mconfig->pipe->state,
mconfig->pipe->passthru ? "true" : "false");
@@ -141,7 +141,7 @@ static ssize_t module_read(struct file *file, char __user *user_buf,
ret += skl_print_pins(mconfig->m_out_pin, buf,
mconfig->max_out_queue, ret, false);
- ret += snprintf(buf + ret, MOD_BUF - ret,
+ ret += scnprintf(buf + ret, MOD_BUF - ret,
"Other:\n\tDomain %d\n\tHomogeneous Input %s\n\t"
"Homogeneous Output %s\n\tIn Queue Mask %d\n\t"
"Out Queue Mask %d\n\tDMA ID %d\n\tMem Pages %d\n\t"
@@ -199,7 +199,7 @@ static ssize_t fw_softreg_read(struct file *file, char __user *user_buf,
__iowrite32_copy(d->fw_read_buff, fw_reg_addr, w0_stat_sz >> 2);
for (offset = 0; offset < FW_REG_SIZE; offset += 16) {
- ret += snprintf(tmp + ret, FW_REG_BUF - ret, "%#.4x: ", offset);
+ ret += scnprintf(tmp + ret, FW_REG_BUF - ret, "%#.4x: ", offset);
hex_dump_to_buffer(d->fw_read_buff + offset, 16, 16, 4,
tmp + ret, FW_REG_BUF - ret, 0);
ret += strlen(tmp + ret);
--
2.19.2
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH 7/8] ASoC: dapm: change snprintf to scnprintf for possible overflow
2019-01-12 15:28 [PATCH 1/8] lkdtm: change snprintf to scnprintf for possible overflow Willy Tarreau
` (4 preceding siblings ...)
2019-01-12 15:28 ` [PATCH 6/8] ASoC: intel: skylake: " Willy Tarreau
@ 2019-01-12 15:28 ` Willy Tarreau
2019-01-14 14:56 ` Mark Brown
2019-01-12 15:28 ` [PATCH 8/8] spi: dw: " Willy Tarreau
` (2 subsequent siblings)
8 siblings, 1 reply; 36+ messages in thread
From: Willy Tarreau @ 2019-01-12 15:28 UTC (permalink / raw)
To: Silvio Cesare
Cc: linux-kernel, Liam Girdwood, Mark Brown, Dan Carpenter,
Kees Cook, Will Deacon, Greg KH
From: Silvio Cesare <silvio.cesare@gmail.com>
Change snprintf to scnprintf. There are generally two cases where using
snprintf causes problems.
1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
In this case, if snprintf would have written more characters than what the
buffer size (SIZE) is, then size will end up larger than SIZE. In later
uses of snprintf, SIZE - size will result in a negative number, leading
to problems. Note that size might already be too large by using
size = snprintf before the code reaches a case of size += snprintf.
2) If size is ultimately used as a length parameter for a copy back to user
space, then it will potentially allow for a buffer overflow and information
disclosure when size is greater than SIZE. When the size is used to index
the buffer directly, we can have memory corruption. This also means when
size = snprintf... is used, it may also cause problems since size may become
large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
configuration.
The solution to these issues is to use scnprintf which returns the number of
characters actually written to the buffer, so the size variable will never
exceed SIZE.
Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
Cc: Liam Girdwood <lgirdwood@gmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
sound/soc/soc-dapm.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
index a5178845065b..2c4c13419539 100644
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -2019,19 +2019,19 @@ static ssize_t dapm_widget_power_read_file(struct file *file,
out = is_connected_output_ep(w, NULL, NULL);
}
- ret = snprintf(buf, PAGE_SIZE, "%s: %s%s in %d out %d",
+ ret = scnprintf(buf, PAGE_SIZE, "%s: %s%s in %d out %d",
w->name, w->power ? "On" : "Off",
w->force ? " (forced)" : "", in, out);
if (w->reg >= 0)
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
" - R%d(0x%x) mask 0x%x",
w->reg, w->reg, w->mask << w->shift);
- ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n");
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n");
if (w->sname)
- ret += snprintf(buf + ret, PAGE_SIZE - ret, " stream %s %s\n",
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret, " stream %s %s\n",
w->sname,
w->active ? "active" : "inactive");
@@ -2044,7 +2044,7 @@ static ssize_t dapm_widget_power_read_file(struct file *file,
if (!p->connect)
continue;
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
" %s \"%s\" \"%s\"\n",
(rdir == SND_SOC_DAPM_DIR_IN) ? "in" : "out",
p->name ? p->name : "static",
--
2.19.2
^ permalink raw reply related [flat|nested] 36+ messages in thread
* [PATCH 8/8] spi: dw: change snprintf to scnprintf for possible overflow
2019-01-12 15:28 [PATCH 1/8] lkdtm: change snprintf to scnprintf for possible overflow Willy Tarreau
` (5 preceding siblings ...)
2019-01-12 15:28 ` [PATCH 7/8] ASoC: dapm: " Willy Tarreau
@ 2019-01-12 15:28 ` Willy Tarreau
2019-01-15 1:09 ` Kees Cook
2019-01-15 1:02 ` [PATCH 1/8] lkdtm: " Kees Cook
2019-01-15 20:47 ` Kees Cook
8 siblings, 1 reply; 36+ messages in thread
From: Willy Tarreau @ 2019-01-12 15:28 UTC (permalink / raw)
To: Silvio Cesare
Cc: linux-kernel, Mark Brown, Dan Carpenter, Kees Cook, Will Deacon, Greg KH
From: Silvio Cesare <silvio.cesare@gmail.com>
Change snprintf to scnprintf. There are generally two cases where using
snprintf causes problems.
1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
In this case, if snprintf would have written more characters than what the
buffer size (SIZE) is, then size will end up larger than SIZE. In later
uses of snprintf, SIZE - size will result in a negative number, leading
to problems. Note that size might already be too large by using
size = snprintf before the code reaches a case of size += snprintf.
2) If size is ultimately used as a length parameter for a copy back to user
space, then it will potentially allow for a buffer overflow and information
disclosure when size is greater than SIZE. When the size is used to index
the buffer directly, we can have memory corruption. This also means when
size = snprintf... is used, it may also cause problems since size may become
large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
configuration.
The solution to these issues is to use scnprintf which returns the number of
characters actually written to the buffer, so the size variable will never
exceed SIZE.
Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
drivers/spi/spi-dw.c | 36 ++++++++++++++++++------------------
1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c
index b705f2bdb8b9..008d52d37439 100644
--- a/drivers/spi/spi-dw.c
+++ b/drivers/spi/spi-dw.c
@@ -54,41 +54,41 @@ static ssize_t dw_spi_show_regs(struct file *file, char __user *user_buf,
if (!buf)
return 0;
- len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
"%s registers:\n", dev_name(&dws->master->dev));
- len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
"=================================\n");
- len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
"CTRL0: \t\t0x%08x\n", dw_readl(dws, DW_SPI_CTRL0));
- len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
"CTRL1: \t\t0x%08x\n", dw_readl(dws, DW_SPI_CTRL1));
- len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
"SSIENR: \t0x%08x\n", dw_readl(dws, DW_SPI_SSIENR));
- len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
"SER: \t\t0x%08x\n", dw_readl(dws, DW_SPI_SER));
- len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
"BAUDR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_BAUDR));
- len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
"TXFTLR: \t0x%08x\n", dw_readl(dws, DW_SPI_TXFLTR));
- len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
"RXFTLR: \t0x%08x\n", dw_readl(dws, DW_SPI_RXFLTR));
- len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
"TXFLR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_TXFLR));
- len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
"RXFLR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_RXFLR));
- len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
"SR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_SR));
- len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
"IMR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_IMR));
- len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
"ISR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_ISR));
- len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
"DMACR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_DMACR));
- len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
"DMATDLR: \t0x%08x\n", dw_readl(dws, DW_SPI_DMATDLR));
- len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
"DMARDLR: \t0x%08x\n", dw_readl(dws, DW_SPI_DMARDLR));
- len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
"=================================\n");
ret = simple_read_from_buffer(user_buf, count, ppos, buf, len);
--
2.19.2
^ permalink raw reply related [flat|nested] 36+ messages in thread
* Re: [PATCH 7/8] ASoC: dapm: change snprintf to scnprintf for possible overflow
2019-01-12 15:28 ` [PATCH 7/8] ASoC: dapm: " Willy Tarreau
@ 2019-01-14 14:56 ` Mark Brown
2019-01-15 3:16 ` Willy Tarreau
0 siblings, 1 reply; 36+ messages in thread
From: Mark Brown @ 2019-01-14 14:56 UTC (permalink / raw)
To: Willy Tarreau
Cc: Silvio Cesare, linux-kernel, Liam Girdwood, Dan Carpenter,
Kees Cook, Will Deacon, Greg KH
[-- Attachment #1: Type: text/plain, Size: 332 bytes --]
On Sat, Jan 12, 2019 at 04:28:43PM +0100, Willy Tarreau wrote:
> From: Silvio Cesare <silvio.cesare@gmail.com>
>
> Change snprintf to scnprintf. There are generally two cases where using
> snprintf causes problems.
I don't have a cover letter or anything before this in the series.
What's going on with dependencies here?
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 1/8] lkdtm: change snprintf to scnprintf for possible overflow
2019-01-12 15:28 [PATCH 1/8] lkdtm: change snprintf to scnprintf for possible overflow Willy Tarreau
` (6 preceding siblings ...)
2019-01-12 15:28 ` [PATCH 8/8] spi: dw: " Willy Tarreau
@ 2019-01-15 1:02 ` Kees Cook
2019-01-15 1:07 ` Kees Cook
2019-01-15 3:12 ` Willy Tarreau
2019-01-15 20:47 ` Kees Cook
8 siblings, 2 replies; 36+ messages in thread
From: Kees Cook @ 2019-01-15 1:02 UTC (permalink / raw)
To: Willy Tarreau; +Cc: Silvio Cesare, LKML, Dan Carpenter, Will Deacon, Greg KH
On Sat, Jan 12, 2019 at 7:28 AM Willy Tarreau <w@1wt.eu> wrote:
>
> From: Silvio Cesare <silvio.cesare@gmail.com>
>
> Change snprintf to scnprintf. There are generally two cases where using
> snprintf causes problems.
(I didn't find a 0/8 cover letter, so I'm replying here...)
Many of these fixes are just robustness updates (e.g. the lkdtm case
below is not current a problem: the size of the static array getting
displayed is less than PAGE_SIZE). It might be worth noting which are
actually problems (and include the appropriate Cc: and Fixes: lines).
>
> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
> In this case, if snprintf would have written more characters than what the
> buffer size (SIZE) is, then size will end up larger than SIZE. In later
> uses of snprintf, SIZE - size will result in a negative number, leading
> to problems. Note that size might already be too large by using
> size = snprintf before the code reaches a case of size += snprintf.
>
> 2) If size is ultimately used as a length parameter for a copy back to user
> space, then it will potentially allow for a buffer overflow and information
> disclosure when size is greater than SIZE. When the size is used to index
> the buffer directly, we can have memory corruption. This also means when
> size = snprintf... is used, it may also cause problems since size may become
> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
> configuration.
>
> The solution to these issues is to use scnprintf which returns the number of
> characters actually written to the buffer, so the size variable will never
> exceed SIZE.
>
> Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
> Cc: Dan Carpenter <dan.carpenter@oracle.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Greg KH <greg@kroah.com>
> Signed-off-by: Willy Tarreau <w@1wt.eu>
Are these changes going into someone's single tree, or are they
intended for individual maintainers to pick up?
Acked-by: Kees Cook <keescook@chromium.org>
-Kees
>
> ---
> drivers/misc/lkdtm/core.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c
> index 2837dc77478e..610aa3bfe630 100644
> --- a/drivers/misc/lkdtm/core.c
> +++ b/drivers/misc/lkdtm/core.c
> @@ -347,9 +347,9 @@ static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf,
> if (buf == NULL)
> return -ENOMEM;
>
> - n = snprintf(buf, PAGE_SIZE, "Available crash types:\n");
> + n = scnprintf(buf, PAGE_SIZE, "Available crash types:\n");
> for (i = 0; i < ARRAY_SIZE(crashtypes); i++) {
> - n += snprintf(buf + n, PAGE_SIZE - n, "%s\n",
> + n += scnprintf(buf + n, PAGE_SIZE - n, "%s\n",
> crashtypes[i].name);
> }
> buf[n] = '\0';
> --
> 2.19.2
>
--
Kees Cook
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 1/8] lkdtm: change snprintf to scnprintf for possible overflow
2019-01-15 1:02 ` [PATCH 1/8] lkdtm: " Kees Cook
@ 2019-01-15 1:07 ` Kees Cook
2019-01-15 3:12 ` Willy Tarreau
1 sibling, 0 replies; 36+ messages in thread
From: Kees Cook @ 2019-01-15 1:07 UTC (permalink / raw)
To: Willy Tarreau; +Cc: Silvio Cesare, LKML, Dan Carpenter, Will Deacon, Greg KH
On Mon, Jan 14, 2019 at 5:02 PM Kees Cook <keescook@chromium.org> wrote:
> On Sat, Jan 12, 2019 at 7:28 AM Willy Tarreau <w@1wt.eu> wrote:
> > From: Silvio Cesare <silvio.cesare@gmail.com>
> > Change snprintf to scnprintf. There are generally two cases where using
> > snprintf causes problems.
>
> (I didn't find a 0/8 cover letter, so I'm replying here...)
I forgot to mention: can we please get a Coccinelle rule added to
catch these cases in the future? (And make sure sfr is running it? :)
)
My attempt at it was:
@@
expression LEN, BUF, SIZE;
identifier FUNC;
@@
LEN += snprintf(BUF + LEN, SIZE - LEN, ...);
... when != LEN > SIZE
when != LEN >= SIZE
* FUNC(..., LEN, ...)
But this needs adjustment to deal with some false positives (like using min()).
--
Kees Cook
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 2/8] libertas: change snprintf to scnprintf for possible overflow
2019-01-12 15:28 ` [PATCH 2/8] libertas: " Willy Tarreau
@ 2019-01-15 1:09 ` Kees Cook
2019-01-15 5:55 ` Kalle Valo
1 sibling, 0 replies; 36+ messages in thread
From: Kees Cook @ 2019-01-15 1:09 UTC (permalink / raw)
To: Willy Tarreau
Cc: Silvio Cesare, LKML, Kalle Valo, Dan Carpenter, Will Deacon, Greg KH
On Sat, Jan 12, 2019 at 7:28 AM Willy Tarreau <w@1wt.eu> wrote:
>
> From: Silvio Cesare <silvio.cesare@gmail.com>
>
> Change snprintf to scnprintf. There are generally two cases where using
> snprintf causes problems.
>
> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
> In this case, if snprintf would have written more characters than what the
> buffer size (SIZE) is, then size will end up larger than SIZE. In later
> uses of snprintf, SIZE - size will result in a negative number, leading
> to problems. Note that size might already be too large by using
> size = snprintf before the code reaches a case of size += snprintf.
>
> 2) If size is ultimately used as a length parameter for a copy back to user
> space, then it will potentially allow for a buffer overflow and information
> disclosure when size is greater than SIZE. When the size is used to index
> the buffer directly, we can have memory corruption. This also means when
> size = snprintf... is used, it may also cause problems since size may become
> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
> configuration.
>
> The solution to these issues is to use scnprintf which returns the number of
> characters actually written to the buffer, so the size variable will never
> exceed SIZE.
>
> Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
> Cc: Kalle Valo <kvalo@codeaurora.org>
> Cc: Dan Carpenter <dan.carpenter@oracle.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Greg KH <greg@kroah.com>
> Signed-off-by: Willy Tarreau <w@1wt.eu>
Reviewed-by: Kees Cook <keescook@chromium.org>
-Kees
>
> ---
> drivers/net/wireless/marvell/libertas/debugfs.c | 16 ++++++++--------
> 1 file changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/net/wireless/marvell/libertas/debugfs.c b/drivers/net/wireless/marvell/libertas/debugfs.c
> index c83f44f9ddf1..ec73bd3a10db 100644
> --- a/drivers/net/wireless/marvell/libertas/debugfs.c
> +++ b/drivers/net/wireless/marvell/libertas/debugfs.c
> @@ -41,9 +41,9 @@ static ssize_t lbs_dev_info(struct file *file, char __user *userbuf,
> if (!buf)
> return -ENOMEM;
>
> - pos += snprintf(buf+pos, len-pos, "state = %s\n",
> + pos += scnprintf(buf+pos, len-pos, "state = %s\n",
> szStates[priv->connect_status]);
> - pos += snprintf(buf+pos, len-pos, "region_code = %02x\n",
> + pos += scnprintf(buf+pos, len-pos, "region_code = %02x\n",
> (u32) priv->regioncode);
>
> res = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
> @@ -105,7 +105,7 @@ static ssize_t lbs_sleepparams_read(struct file *file, char __user *userbuf,
> if (ret)
> goto out_unlock;
>
> - pos += snprintf(buf, len, "%d %d %d %d %d %d\n", sp.sp_error,
> + pos += scnprintf(buf, len, "%d %d %d %d %d %d\n", sp.sp_error,
> sp.sp_offset, sp.sp_stabletime,
> sp.sp_calcontrol, sp.sp_extsleepclk,
> sp.sp_reserved);
> @@ -170,7 +170,7 @@ static ssize_t lbs_host_sleep_read(struct file *file, char __user *userbuf,
> if (!buf)
> return -ENOMEM;
>
> - pos += snprintf(buf, len, "%d\n", priv->is_host_sleep_activated);
> + pos += scnprintf(buf, len, "%d\n", priv->is_host_sleep_activated);
>
> ret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
>
> @@ -251,7 +251,7 @@ static ssize_t lbs_threshold_read(uint16_t tlv_type, uint16_t event_mask,
> freq = got->freq;
> events = le16_to_cpu(subscribed->events);
>
> - pos += snprintf(buf, len, "%d %d %d\n", value, freq,
> + pos += scnprintf(buf, len, "%d %d %d\n", value, freq,
> !!(events & event_mask));
> }
>
> @@ -446,7 +446,7 @@ static ssize_t lbs_rdmac_read(struct file *file, char __user *userbuf,
> ret = lbs_get_reg(priv, CMD_MAC_REG_ACCESS, priv->mac_offset, &val);
> mdelay(10);
> if (!ret) {
> - pos = snprintf(buf, len, "MAC[0x%x] = 0x%08x\n",
> + pos = scnprintf(buf, len, "MAC[0x%x] = 0x%08x\n",
> priv->mac_offset, val);
> ret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
> }
> @@ -516,7 +516,7 @@ static ssize_t lbs_rdbbp_read(struct file *file, char __user *userbuf,
> ret = lbs_get_reg(priv, CMD_BBP_REG_ACCESS, priv->bbp_offset, &val);
> mdelay(10);
> if (!ret) {
> - pos = snprintf(buf, len, "BBP[0x%x] = 0x%08x\n",
> + pos = scnprintf(buf, len, "BBP[0x%x] = 0x%08x\n",
> priv->bbp_offset, val);
> ret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
> }
> @@ -588,7 +588,7 @@ static ssize_t lbs_rdrf_read(struct file *file, char __user *userbuf,
> ret = lbs_get_reg(priv, CMD_RF_REG_ACCESS, priv->rf_offset, &val);
> mdelay(10);
> if (!ret) {
> - pos = snprintf(buf, len, "RF[0x%x] = 0x%08x\n",
> + pos = scnprintf(buf, len, "RF[0x%x] = 0x%08x\n",
> priv->rf_offset, val);
> ret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
> }
> --
> 2.19.2
>
--
Kees Cook
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 8/8] spi: dw: change snprintf to scnprintf for possible overflow
2019-01-12 15:28 ` [PATCH 8/8] spi: dw: " Willy Tarreau
@ 2019-01-15 1:09 ` Kees Cook
0 siblings, 0 replies; 36+ messages in thread
From: Kees Cook @ 2019-01-15 1:09 UTC (permalink / raw)
To: Willy Tarreau
Cc: Silvio Cesare, LKML, Mark Brown, Dan Carpenter, Will Deacon, Greg KH
On Sat, Jan 12, 2019 at 7:28 AM Willy Tarreau <w@1wt.eu> wrote:
>
> From: Silvio Cesare <silvio.cesare@gmail.com>
>
> Change snprintf to scnprintf. There are generally two cases where using
> snprintf causes problems.
>
> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
> In this case, if snprintf would have written more characters than what the
> buffer size (SIZE) is, then size will end up larger than SIZE. In later
> uses of snprintf, SIZE - size will result in a negative number, leading
> to problems. Note that size might already be too large by using
> size = snprintf before the code reaches a case of size += snprintf.
>
> 2) If size is ultimately used as a length parameter for a copy back to user
> space, then it will potentially allow for a buffer overflow and information
> disclosure when size is greater than SIZE. When the size is used to index
> the buffer directly, we can have memory corruption. This also means when
> size = snprintf... is used, it may also cause problems since size may become
> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
> configuration.
>
> The solution to these issues is to use scnprintf which returns the number of
> characters actually written to the buffer, so the size variable will never
> exceed SIZE.
>
> Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
> Cc: Mark Brown <broonie@kernel.org>
> Cc: Dan Carpenter <dan.carpenter@oracle.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Greg KH <greg@kroah.com>
> Signed-off-by: Willy Tarreau <w@1wt.eu>
Reviewed-by: Kees Cook <keescook@chromium.org>
-Kees
>
> ---
> drivers/spi/spi-dw.c | 36 ++++++++++++++++++------------------
> 1 file changed, 18 insertions(+), 18 deletions(-)
>
> diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c
> index b705f2bdb8b9..008d52d37439 100644
> --- a/drivers/spi/spi-dw.c
> +++ b/drivers/spi/spi-dw.c
> @@ -54,41 +54,41 @@ static ssize_t dw_spi_show_regs(struct file *file, char __user *user_buf,
> if (!buf)
> return 0;
>
> - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
> + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
> "%s registers:\n", dev_name(&dws->master->dev));
> - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
> + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
> "=================================\n");
> - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
> + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
> "CTRL0: \t\t0x%08x\n", dw_readl(dws, DW_SPI_CTRL0));
> - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
> + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
> "CTRL1: \t\t0x%08x\n", dw_readl(dws, DW_SPI_CTRL1));
> - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
> + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
> "SSIENR: \t0x%08x\n", dw_readl(dws, DW_SPI_SSIENR));
> - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
> + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
> "SER: \t\t0x%08x\n", dw_readl(dws, DW_SPI_SER));
> - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
> + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
> "BAUDR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_BAUDR));
> - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
> + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
> "TXFTLR: \t0x%08x\n", dw_readl(dws, DW_SPI_TXFLTR));
> - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
> + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
> "RXFTLR: \t0x%08x\n", dw_readl(dws, DW_SPI_RXFLTR));
> - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
> + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
> "TXFLR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_TXFLR));
> - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
> + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
> "RXFLR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_RXFLR));
> - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
> + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
> "SR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_SR));
> - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
> + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
> "IMR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_IMR));
> - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
> + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
> "ISR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_ISR));
> - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
> + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
> "DMACR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_DMACR));
> - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
> + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
> "DMATDLR: \t0x%08x\n", dw_readl(dws, DW_SPI_DMATDLR));
> - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
> + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
> "DMARDLR: \t0x%08x\n", dw_readl(dws, DW_SPI_DMARDLR));
> - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len,
> + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len,
> "=================================\n");
>
> ret = simple_read_from_buffer(user_buf, count, ppos, buf, len);
> --
> 2.19.2
>
--
Kees Cook
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 6/8] ASoC: intel: skylake: change snprintf to scnprintf for possible overflow
2019-01-12 15:28 ` [PATCH 6/8] ASoC: intel: skylake: " Willy Tarreau
@ 2019-01-15 1:12 ` Kees Cook
2019-01-16 18:41 ` Kees Cook
1 sibling, 0 replies; 36+ messages in thread
From: Kees Cook @ 2019-01-15 1:12 UTC (permalink / raw)
To: Willy Tarreau
Cc: Silvio Cesare, LKML, Pierre-Louis Bossart, Liam Girdwood,
Jie Yang, Dan Carpenter, Will Deacon, Greg KH
On Sat, Jan 12, 2019 at 7:28 AM Willy Tarreau <w@1wt.eu> wrote:
>
> From: Silvio Cesare <silvio.cesare@gmail.com>
>
> Change snprintf to scnprintf. There are generally two cases where using
> snprintf causes problems.
>
> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
> In this case, if snprintf would have written more characters than what the
> buffer size (SIZE) is, then size will end up larger than SIZE. In later
> uses of snprintf, SIZE - size will result in a negative number, leading
> to problems. Note that size might already be too large by using
> size = snprintf before the code reaches a case of size += snprintf.
>
> 2) If size is ultimately used as a length parameter for a copy back to user
> space, then it will potentially allow for a buffer overflow and information
> disclosure when size is greater than SIZE. When the size is used to index
> the buffer directly, we can have memory corruption. This also means when
> size = snprintf... is used, it may also cause problems since size may become
> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
> configuration.
>
> The solution to these issues is to use scnprintf which returns the number of
> characters actually written to the buffer, so the size variable will never
> exceed SIZE.
>
> Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
> Cc: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
> Cc: Liam Girdwood <liam.r.girdwood@linux.intel.com>
> Cc: Jie Yang <yang.jie@linux.intel.com>
> Cc: Dan Carpenter <dan.carpenter@oracle.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Greg KH <greg@kroah.com>
> Signed-off-by: Willy Tarreau <w@1wt.eu>
This should get a Cc: stable, IMO.
Reviewed-by: Kees Cook <keescook@chromium.org>
-Kees
>
> ---
> sound/soc/intel/skylake/skl-debug.c | 28 ++++++++++++++--------------
> 1 file changed, 14 insertions(+), 14 deletions(-)
>
> diff --git a/sound/soc/intel/skylake/skl-debug.c b/sound/soc/intel/skylake/skl-debug.c
> index 5d7ac2ee7a3c..bb28db734fb7 100644
> --- a/sound/soc/intel/skylake/skl-debug.c
> +++ b/sound/soc/intel/skylake/skl-debug.c
> @@ -43,7 +43,7 @@ static ssize_t skl_print_pins(struct skl_module_pin *m_pin, char *buf,
> ssize_t ret = 0;
>
> for (i = 0; i < max_pin; i++)
> - ret += snprintf(buf + size, MOD_BUF - size,
> + ret += scnprintf(buf + size, MOD_BUF - size,
> "%s %d\n\tModule %d\n\tInstance %d\n\t"
> "In-used %s\n\tType %s\n"
> "\tState %d\n\tIndex %d\n",
> @@ -59,7 +59,7 @@ static ssize_t skl_print_pins(struct skl_module_pin *m_pin, char *buf,
> static ssize_t skl_print_fmt(struct skl_module_fmt *fmt, char *buf,
> ssize_t size, bool direction)
> {
> - return snprintf(buf + size, MOD_BUF - size,
> + return scnprintf(buf + size, MOD_BUF - size,
> "%s\n\tCh %d\n\tFreq %d\n\tBit depth %d\n\t"
> "Valid bit depth %d\n\tCh config %#x\n\tInterleaving %d\n\t"
> "Sample Type %d\n\tCh Map %#x\n",
> @@ -81,16 +81,16 @@ static ssize_t module_read(struct file *file, char __user *user_buf,
> if (!buf)
> return -ENOMEM;
>
> - ret = snprintf(buf, MOD_BUF, "Module:\n\tUUID %pUL\n\tModule id %d\n"
> + ret = scnprintf(buf, MOD_BUF, "Module:\n\tUUID %pUL\n\tModule id %d\n"
> "\tInstance id %d\n\tPvt_id %d\n", mconfig->guid,
> mconfig->id.module_id, mconfig->id.instance_id,
> mconfig->id.pvt_id);
>
> - ret += snprintf(buf + ret, MOD_BUF - ret,
> + ret += scnprintf(buf + ret, MOD_BUF - ret,
> "Resources:\n\tMCPS %#x\n\tIBS %#x\n\tOBS %#x\t\n",
> mconfig->mcps, mconfig->ibs, mconfig->obs);
>
> - ret += snprintf(buf + ret, MOD_BUF - ret,
> + ret += scnprintf(buf + ret, MOD_BUF - ret,
> "Module data:\n\tCore %d\n\tIn queue %d\n\t"
> "Out queue %d\n\tType %s\n",
> mconfig->core_id, mconfig->max_in_queue,
> @@ -100,38 +100,38 @@ static ssize_t module_read(struct file *file, char __user *user_buf,
> ret += skl_print_fmt(mconfig->in_fmt, buf, ret, true);
> ret += skl_print_fmt(mconfig->out_fmt, buf, ret, false);
>
> - ret += snprintf(buf + ret, MOD_BUF - ret,
> + ret += scnprintf(buf + ret, MOD_BUF - ret,
> "Fixup:\n\tParams %#x\n\tConverter %#x\n",
> mconfig->params_fixup, mconfig->converter);
>
> - ret += snprintf(buf + ret, MOD_BUF - ret,
> + ret += scnprintf(buf + ret, MOD_BUF - ret,
> "Module Gateway:\n\tType %#x\n\tVbus %#x\n\tHW conn %#x\n\tSlot %#x\n",
> mconfig->dev_type, mconfig->vbus_id,
> mconfig->hw_conn_type, mconfig->time_slot);
>
> - ret += snprintf(buf + ret, MOD_BUF - ret,
> + ret += scnprintf(buf + ret, MOD_BUF - ret,
> "Pipeline:\n\tID %d\n\tPriority %d\n\tConn Type %d\n\t"
> "Pages %#x\n", mconfig->pipe->ppl_id,
> mconfig->pipe->pipe_priority, mconfig->pipe->conn_type,
> mconfig->pipe->memory_pages);
>
> - ret += snprintf(buf + ret, MOD_BUF - ret,
> + ret += scnprintf(buf + ret, MOD_BUF - ret,
> "\tParams:\n\t\tHost DMA %d\n\t\tLink DMA %d\n",
> mconfig->pipe->p_params->host_dma_id,
> mconfig->pipe->p_params->link_dma_id);
>
> - ret += snprintf(buf + ret, MOD_BUF - ret,
> + ret += scnprintf(buf + ret, MOD_BUF - ret,
> "\tPCM params:\n\t\tCh %d\n\t\tFreq %d\n\t\tFormat %d\n",
> mconfig->pipe->p_params->ch,
> mconfig->pipe->p_params->s_freq,
> mconfig->pipe->p_params->s_fmt);
>
> - ret += snprintf(buf + ret, MOD_BUF - ret,
> + ret += scnprintf(buf + ret, MOD_BUF - ret,
> "\tLink %#x\n\tStream %#x\n",
> mconfig->pipe->p_params->linktype,
> mconfig->pipe->p_params->stream);
>
> - ret += snprintf(buf + ret, MOD_BUF - ret,
> + ret += scnprintf(buf + ret, MOD_BUF - ret,
> "\tState %d\n\tPassthru %s\n",
> mconfig->pipe->state,
> mconfig->pipe->passthru ? "true" : "false");
> @@ -141,7 +141,7 @@ static ssize_t module_read(struct file *file, char __user *user_buf,
> ret += skl_print_pins(mconfig->m_out_pin, buf,
> mconfig->max_out_queue, ret, false);
>
> - ret += snprintf(buf + ret, MOD_BUF - ret,
> + ret += scnprintf(buf + ret, MOD_BUF - ret,
> "Other:\n\tDomain %d\n\tHomogeneous Input %s\n\t"
> "Homogeneous Output %s\n\tIn Queue Mask %d\n\t"
> "Out Queue Mask %d\n\tDMA ID %d\n\tMem Pages %d\n\t"
> @@ -199,7 +199,7 @@ static ssize_t fw_softreg_read(struct file *file, char __user *user_buf,
> __iowrite32_copy(d->fw_read_buff, fw_reg_addr, w0_stat_sz >> 2);
>
> for (offset = 0; offset < FW_REG_SIZE; offset += 16) {
> - ret += snprintf(tmp + ret, FW_REG_BUF - ret, "%#.4x: ", offset);
> + ret += scnprintf(tmp + ret, FW_REG_BUF - ret, "%#.4x: ", offset);
> hex_dump_to_buffer(d->fw_read_buff + offset, 16, 16, 4,
> tmp + ret, FW_REG_BUF - ret, 0);
> ret += strlen(tmp + ret);
> --
> 2.19.2
>
--
Kees Cook
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 4/8] ASoC: change snprintf to scnprintf for possible overflow
2019-01-12 15:28 ` [PATCH 4/8] ASoC: " Willy Tarreau
@ 2019-01-15 1:13 ` Kees Cook
2019-01-15 1:25 ` Nicolin Chen
1 sibling, 0 replies; 36+ messages in thread
From: Kees Cook @ 2019-01-15 1:13 UTC (permalink / raw)
To: Willy Tarreau
Cc: Silvio Cesare, LKML, Timur Tabi, Nicolin Chen, Xiubo Li,
Fabio Estevam, Dan Carpenter, Will Deacon, Greg KH
On Sat, Jan 12, 2019 at 7:28 AM Willy Tarreau <w@1wt.eu> wrote:
>
> From: Silvio Cesare <silvio.cesare@gmail.com>
>
> Change snprintf to scnprintf. There are generally two cases where using
> snprintf causes problems.
>
> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
> In this case, if snprintf would have written more characters than what the
> buffer size (SIZE) is, then size will end up larger than SIZE. In later
> uses of snprintf, SIZE - size will result in a negative number, leading
> to problems. Note that size might already be too large by using
> size = snprintf before the code reaches a case of size += snprintf.
>
> 2) If size is ultimately used as a length parameter for a copy back to user
> space, then it will potentially allow for a buffer overflow and information
> disclosure when size is greater than SIZE. When the size is used to index
> the buffer directly, we can have memory corruption. This also means when
> size = snprintf... is used, it may also cause problems since size may become
> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
> configuration.
>
> The solution to these issues is to use scnprintf which returns the number of
> characters actually written to the buffer, so the size variable will never
> exceed SIZE.
>
> Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
> Cc: Timur Tabi <timur@kernel.org>
> Cc: Nicolin Chen <nicoleotsuka@gmail.com>
> Cc: Xiubo Li <Xiubo.Lee@gmail.com>
> Cc: Fabio Estevam <fabio.estevam@nxp.com>
> Cc: Dan Carpenter <dan.carpenter@oracle.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Greg KH <greg@kroah.com>
> Signed-off-by: Willy Tarreau <w@1wt.eu>
Reviewed-by: Kees Cook <keescook@chromium.org>
-Kees
>
> ---
> sound/soc/fsl/imx-audmux.c | 24 ++++++++++++------------
> 1 file changed, 12 insertions(+), 12 deletions(-)
>
> diff --git a/sound/soc/fsl/imx-audmux.c b/sound/soc/fsl/imx-audmux.c
> index 392d5eef356d..99e07b01a2ce 100644
> --- a/sound/soc/fsl/imx-audmux.c
> +++ b/sound/soc/fsl/imx-audmux.c
> @@ -86,49 +86,49 @@ static ssize_t audmux_read_file(struct file *file, char __user *user_buf,
> if (!buf)
> return -ENOMEM;
>
> - ret = snprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n",
> + ret = scnprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n",
> pdcr, ptcr);
>
> if (ptcr & IMX_AUDMUX_V2_PTCR_TFSDIR)
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "TxFS output from %s, ",
> audmux_port_string((ptcr >> 27) & 0x7));
> else
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "TxFS input, ");
>
> if (ptcr & IMX_AUDMUX_V2_PTCR_TCLKDIR)
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "TxClk output from %s",
> audmux_port_string((ptcr >> 22) & 0x7));
> else
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "TxClk input");
>
> - ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n");
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n");
>
> if (ptcr & IMX_AUDMUX_V2_PTCR_SYN) {
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "Port is symmetric");
> } else {
> if (ptcr & IMX_AUDMUX_V2_PTCR_RFSDIR)
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "RxFS output from %s, ",
> audmux_port_string((ptcr >> 17) & 0x7));
> else
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "RxFS input, ");
>
> if (ptcr & IMX_AUDMUX_V2_PTCR_RCLKDIR)
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "RxClk output from %s",
> audmux_port_string((ptcr >> 12) & 0x7));
> else
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "RxClk input");
> }
>
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "\nData received from %s\n",
> audmux_port_string((pdcr >> 13) & 0x7));
>
> --
> 2.19.2
>
--
Kees Cook
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 3/8] ocfs2: change snprintf to scnprintf for possible overflow
2019-01-12 15:28 ` [PATCH 3/8] ocfs2: " Willy Tarreau
@ 2019-01-15 1:14 ` Kees Cook
0 siblings, 0 replies; 36+ messages in thread
From: Kees Cook @ 2019-01-15 1:14 UTC (permalink / raw)
To: Willy Tarreau
Cc: Silvio Cesare, LKML, Mark Fasheh, Joel Becker, Dan Carpenter,
Will Deacon, Greg KH
On Sat, Jan 12, 2019 at 7:28 AM Willy Tarreau <w@1wt.eu> wrote:
>
> From: Silvio Cesare <silvio.cesare@gmail.com>
>
> Change snprintf to scnprintf. There are generally two cases where using
> snprintf causes problems.
>
> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
> In this case, if snprintf would have written more characters than what the
> buffer size (SIZE) is, then size will end up larger than SIZE. In later
> uses of snprintf, SIZE - size will result in a negative number, leading
> to problems. Note that size might already be too large by using
> size = snprintf before the code reaches a case of size += snprintf.
>
> 2) If size is ultimately used as a length parameter for a copy back to user
> space, then it will potentially allow for a buffer overflow and information
> disclosure when size is greater than SIZE. When the size is used to index
> the buffer directly, we can have memory corruption. This also means when
> size = snprintf... is used, it may also cause problems since size may become
> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
> configuration.
>
> The solution to these issues is to use scnprintf which returns the number of
> characters actually written to the buffer, so the size variable will never
> exceed SIZE.
>
> Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
> Cc: Mark Fasheh <mark@fasheh.com>
> Cc: Joel Becker <jlbec@evilplan.org>
> Cc: Dan Carpenter <dan.carpenter@oracle.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Greg KH <greg@kroah.com>
> Signed-off-by: Willy Tarreau <w@1wt.eu>
Reviewed-by: Kees Cook <keescook@chromium.org>
-Kees
>
> ---
> fs/ocfs2/cluster/heartbeat.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/fs/ocfs2/cluster/heartbeat.c b/fs/ocfs2/cluster/heartbeat.c
> index 9b2ed62dd638..2a0af0887ba0 100644
> --- a/fs/ocfs2/cluster/heartbeat.c
> +++ b/fs/ocfs2/cluster/heartbeat.c
> @@ -1324,7 +1324,7 @@ static int o2hb_debug_open(struct inode *inode, struct file *file)
>
> case O2HB_DB_TYPE_REGION_NUMBER:
> reg = (struct o2hb_region *)db->db_data;
> - out += snprintf(buf + out, PAGE_SIZE - out, "%d\n",
> + out += scnprintf(buf + out, PAGE_SIZE - out, "%d\n",
> reg->hr_region_num);
> goto done;
>
> @@ -1334,12 +1334,12 @@ static int o2hb_debug_open(struct inode *inode, struct file *file)
> /* If 0, it has never been set before */
> if (lts)
> lts = jiffies_to_msecs(jiffies - lts);
> - out += snprintf(buf + out, PAGE_SIZE - out, "%lu\n", lts);
> + out += scnprintf(buf + out, PAGE_SIZE - out, "%lu\n", lts);
> goto done;
>
> case O2HB_DB_TYPE_REGION_PINNED:
> reg = (struct o2hb_region *)db->db_data;
> - out += snprintf(buf + out, PAGE_SIZE - out, "%u\n",
> + out += scnprintf(buf + out, PAGE_SIZE - out, "%u\n",
> !!reg->hr_item_pinned);
> goto done;
>
> @@ -1348,8 +1348,8 @@ static int o2hb_debug_open(struct inode *inode, struct file *file)
> }
>
> while ((i = find_next_bit(map, db->db_len, i + 1)) < db->db_len)
> - out += snprintf(buf + out, PAGE_SIZE - out, "%d ", i);
> - out += snprintf(buf + out, PAGE_SIZE - out, "\n");
> + out += scnprintf(buf + out, PAGE_SIZE - out, "%d ", i);
> + out += scnprintf(buf + out, PAGE_SIZE - out, "\n");
>
> done:
> i_size_write(inode, out);
> --
> 2.19.2
>
--
Kees Cook
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 5/8] scsi: lpfc: change snprintf to scnprintf for possible overflow
2019-01-12 15:28 ` [PATCH 5/8] scsi: lpfc: " Willy Tarreau
@ 2019-01-15 1:15 ` Kees Cook
2019-01-15 22:41 ` James Smart
0 siblings, 1 reply; 36+ messages in thread
From: Kees Cook @ 2019-01-15 1:15 UTC (permalink / raw)
To: Willy Tarreau
Cc: Silvio Cesare, LKML, James Smart, Dick Kennedy, Dan Carpenter,
Will Deacon, Greg KH
On Sat, Jan 12, 2019 at 7:29 AM Willy Tarreau <w@1wt.eu> wrote:
>
> From: Silvio Cesare <silvio.cesare@gmail.com>
>
> Change snprintf to scnprintf. There are generally two cases where using
> snprintf causes problems.
>
> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
> In this case, if snprintf would have written more characters than what the
> buffer size (SIZE) is, then size will end up larger than SIZE. In later
> uses of snprintf, SIZE - size will result in a negative number, leading
> to problems. Note that size might already be too large by using
> size = snprintf before the code reaches a case of size += snprintf.
>
> 2) If size is ultimately used as a length parameter for a copy back to user
> space, then it will potentially allow for a buffer overflow and information
> disclosure when size is greater than SIZE. When the size is used to index
> the buffer directly, we can have memory corruption. This also means when
> size = snprintf... is used, it may also cause problems since size may become
> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
> configuration.
>
> The solution to these issues is to use scnprintf which returns the number of
> characters actually written to the buffer, so the size variable will never
> exceed SIZE.
>
> Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
> Cc: James Smart <james.smart@broadcom.com>
> Cc: Dick Kennedy <dick.kennedy@broadcom.com>
> Cc: Dan Carpenter <dan.carpenter@oracle.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Greg KH <greg@kroah.com>
> Signed-off-by: Willy Tarreau <w@1wt.eu>
I think this needs Cc: stable.
Reviewed-by: Kees Cook <keescook@chromium.org>
-Kees
>
> ---
> drivers/scsi/lpfc/lpfc_debugfs.c | 450 +++++++++++++++----------------
> 1 file changed, 225 insertions(+), 225 deletions(-)
>
> diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
> index 34d311a7dbef..218a74b9297a 100644
> --- a/drivers/scsi/lpfc/lpfc_debugfs.c
> +++ b/drivers/scsi/lpfc/lpfc_debugfs.c
> @@ -170,7 +170,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_vport *vport, char *buf, int size)
> snprintf(buffer,
> LPFC_DEBUG_TRC_ENTRY_SIZE, "%010d:%010d ms:%s\n",
> dtp->seq_cnt, ms, dtp->fmt);
> - len += snprintf(buf+len, size-len, buffer,
> + len += scnprintf(buf+len, size-len, buffer,
> dtp->data1, dtp->data2, dtp->data3);
> }
> for (i = 0; i < index; i++) {
> @@ -181,7 +181,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_vport *vport, char *buf, int size)
> snprintf(buffer,
> LPFC_DEBUG_TRC_ENTRY_SIZE, "%010d:%010d ms:%s\n",
> dtp->seq_cnt, ms, dtp->fmt);
> - len += snprintf(buf+len, size-len, buffer,
> + len += scnprintf(buf+len, size-len, buffer,
> dtp->data1, dtp->data2, dtp->data3);
> }
>
> @@ -236,7 +236,7 @@ lpfc_debugfs_slow_ring_trc_data(struct lpfc_hba *phba, char *buf, int size)
> snprintf(buffer,
> LPFC_DEBUG_TRC_ENTRY_SIZE, "%010d:%010d ms:%s\n",
> dtp->seq_cnt, ms, dtp->fmt);
> - len += snprintf(buf+len, size-len, buffer,
> + len += scnprintf(buf+len, size-len, buffer,
> dtp->data1, dtp->data2, dtp->data3);
> }
> for (i = 0; i < index; i++) {
> @@ -247,7 +247,7 @@ lpfc_debugfs_slow_ring_trc_data(struct lpfc_hba *phba, char *buf, int size)
> snprintf(buffer,
> LPFC_DEBUG_TRC_ENTRY_SIZE, "%010d:%010d ms:%s\n",
> dtp->seq_cnt, ms, dtp->fmt);
> - len += snprintf(buf+len, size-len, buffer,
> + len += scnprintf(buf+len, size-len, buffer,
> dtp->data1, dtp->data2, dtp->data3);
> }
>
> @@ -307,7 +307,7 @@ lpfc_debugfs_hbqinfo_data(struct lpfc_hba *phba, char *buf, int size)
>
> i = lpfc_debugfs_last_hbq;
>
> - len += snprintf(buf+len, size-len, "HBQ %d Info\n", i);
> + len += scnprintf(buf+len, size-len, "HBQ %d Info\n", i);
>
> hbqs = &phba->hbqs[i];
> posted = 0;
> @@ -315,21 +315,21 @@ lpfc_debugfs_hbqinfo_data(struct lpfc_hba *phba, char *buf, int size)
> posted++;
>
> hip = lpfc_hbq_defs[i];
> - len += snprintf(buf+len, size-len,
> + len += scnprintf(buf+len, size-len,
> "idx:%d prof:%d rn:%d bufcnt:%d icnt:%d acnt:%d posted %d\n",
> hip->hbq_index, hip->profile, hip->rn,
> hip->buffer_count, hip->init_count, hip->add_count, posted);
>
> raw_index = phba->hbq_get[i];
> getidx = le32_to_cpu(raw_index);
> - len += snprintf(buf+len, size-len,
> + len += scnprintf(buf+len, size-len,
> "entries:%d bufcnt:%d Put:%d nPut:%d localGet:%d hbaGet:%d\n",
> hbqs->entry_count, hbqs->buffer_count, hbqs->hbqPutIdx,
> hbqs->next_hbqPutIdx, hbqs->local_hbqGetIdx, getidx);
>
> hbqe = (struct lpfc_hbq_entry *) phba->hbqs[i].hbq_virt;
> for (j=0; j<hbqs->entry_count; j++) {
> - len += snprintf(buf+len, size-len,
> + len += scnprintf(buf+len, size-len,
> "%03d: %08x %04x %05x ", j,
> le32_to_cpu(hbqe->bde.addrLow),
> le32_to_cpu(hbqe->bde.tus.w),
> @@ -341,14 +341,14 @@ lpfc_debugfs_hbqinfo_data(struct lpfc_hba *phba, char *buf, int size)
> low = hbqs->hbqPutIdx - posted;
> if (low >= 0) {
> if ((j >= hbqs->hbqPutIdx) || (j < low)) {
> - len += snprintf(buf+len, size-len, "Unused\n");
> + len += scnprintf(buf+len, size-len, "Unused\n");
> goto skipit;
> }
> }
> else {
> if ((j >= hbqs->hbqPutIdx) &&
> (j < (hbqs->entry_count+low))) {
> - len += snprintf(buf+len, size-len, "Unused\n");
> + len += scnprintf(buf+len, size-len, "Unused\n");
> goto skipit;
> }
> }
> @@ -358,7 +358,7 @@ lpfc_debugfs_hbqinfo_data(struct lpfc_hba *phba, char *buf, int size)
> hbq_buf = container_of(d_buf, struct hbq_dmabuf, dbuf);
> phys = ((uint64_t)hbq_buf->dbuf.phys & 0xffffffff);
> if (phys == le32_to_cpu(hbqe->bde.addrLow)) {
> - len += snprintf(buf+len, size-len,
> + len += scnprintf(buf+len, size-len,
> "Buf%d: %p %06x\n", i,
> hbq_buf->dbuf.virt, hbq_buf->tag);
> found = 1;
> @@ -367,7 +367,7 @@ lpfc_debugfs_hbqinfo_data(struct lpfc_hba *phba, char *buf, int size)
> i++;
> }
> if (!found) {
> - len += snprintf(buf+len, size-len, "No DMAinfo?\n");
> + len += scnprintf(buf+len, size-len, "No DMAinfo?\n");
> }
> skipit:
> hbqe++;
> @@ -413,7 +413,7 @@ lpfc_debugfs_dumpHBASlim_data(struct lpfc_hba *phba, char *buf, int size)
> off = 0;
> spin_lock_irq(&phba->hbalock);
>
> - len += snprintf(buf+len, size-len, "HBA SLIM\n");
> + len += scnprintf(buf+len, size-len, "HBA SLIM\n");
> lpfc_memcpy_from_slim(buffer,
> phba->MBslimaddr + lpfc_debugfs_last_hba_slim_off, 1024);
>
> @@ -427,7 +427,7 @@ lpfc_debugfs_dumpHBASlim_data(struct lpfc_hba *phba, char *buf, int size)
>
> i = 1024;
> while (i > 0) {
> - len += snprintf(buf+len, size-len,
> + len += scnprintf(buf+len, size-len,
> "%08x: %08x %08x %08x %08x %08x %08x %08x %08x\n",
> off, *ptr, *(ptr+1), *(ptr+2), *(ptr+3), *(ptr+4),
> *(ptr+5), *(ptr+6), *(ptr+7));
> @@ -471,11 +471,11 @@ lpfc_debugfs_dumpHostSlim_data(struct lpfc_hba *phba, char *buf, int size)
> off = 0;
> spin_lock_irq(&phba->hbalock);
>
> - len += snprintf(buf+len, size-len, "SLIM Mailbox\n");
> + len += scnprintf(buf+len, size-len, "SLIM Mailbox\n");
> ptr = (uint32_t *)phba->slim2p.virt;
> i = sizeof(MAILBOX_t);
> while (i > 0) {
> - len += snprintf(buf+len, size-len,
> + len += scnprintf(buf+len, size-len,
> "%08x: %08x %08x %08x %08x %08x %08x %08x %08x\n",
> off, *ptr, *(ptr+1), *(ptr+2), *(ptr+3), *(ptr+4),
> *(ptr+5), *(ptr+6), *(ptr+7));
> @@ -484,11 +484,11 @@ lpfc_debugfs_dumpHostSlim_data(struct lpfc_hba *phba, char *buf, int size)
> off += (8 * sizeof(uint32_t));
> }
>
> - len += snprintf(buf+len, size-len, "SLIM PCB\n");
> + len += scnprintf(buf+len, size-len, "SLIM PCB\n");
> ptr = (uint32_t *)phba->pcb;
> i = sizeof(PCB_t);
> while (i > 0) {
> - len += snprintf(buf+len, size-len,
> + len += scnprintf(buf+len, size-len,
> "%08x: %08x %08x %08x %08x %08x %08x %08x %08x\n",
> off, *ptr, *(ptr+1), *(ptr+2), *(ptr+3), *(ptr+4),
> *(ptr+5), *(ptr+6), *(ptr+7));
> @@ -501,7 +501,7 @@ lpfc_debugfs_dumpHostSlim_data(struct lpfc_hba *phba, char *buf, int size)
> for (i = 0; i < 4; i++) {
> pgpp = &phba->port_gp[i];
> pring = &psli->sli3_ring[i];
> - len += snprintf(buf+len, size-len,
> + len += scnprintf(buf+len, size-len,
> "Ring %d: CMD GetInx:%d "
> "(Max:%d Next:%d "
> "Local:%d flg:x%x) "
> @@ -518,7 +518,7 @@ lpfc_debugfs_dumpHostSlim_data(struct lpfc_hba *phba, char *buf, int size)
> word1 = readl(phba->CAregaddr);
> word2 = readl(phba->HSregaddr);
> word3 = readl(phba->HCregaddr);
> - len += snprintf(buf+len, size-len, "HA:%08x CA:%08x HS:%08x "
> + len += scnprintf(buf+len, size-len, "HA:%08x CA:%08x HS:%08x "
> "HC:%08x\n", word0, word1, word2, word3);
> }
> spin_unlock_irq(&phba->hbalock);
> @@ -556,12 +556,12 @@ lpfc_debugfs_nodelist_data(struct lpfc_vport *vport, char *buf, int size)
> cnt = (LPFC_NODELIST_SIZE / LPFC_NODELIST_ENTRY_SIZE);
> outio = 0;
>
> - len += snprintf(buf+len, size-len, "\nFCP Nodelist Entries ...\n");
> + len += scnprintf(buf+len, size-len, "\nFCP Nodelist Entries ...\n");
> spin_lock_irq(shost->host_lock);
> list_for_each_entry(ndlp, &vport->fc_nodes, nlp_listp) {
> iocnt = 0;
> if (!cnt) {
> - len += snprintf(buf+len, size-len,
> + len += scnprintf(buf+len, size-len,
> "Missing Nodelist Entries\n");
> break;
> }
> @@ -599,61 +599,61 @@ lpfc_debugfs_nodelist_data(struct lpfc_vport *vport, char *buf, int size)
> default:
> statep = "UNKNOWN";
> }
> - len += snprintf(buf+len, size-len, "%s DID:x%06x ",
> + len += scnprintf(buf+len, size-len, "%s DID:x%06x ",
> statep, ndlp->nlp_DID);
> - len += snprintf(buf+len, size-len,
> + len += scnprintf(buf+len, size-len,
> "WWPN x%llx ",
> wwn_to_u64(ndlp->nlp_portname.u.wwn));
> - len += snprintf(buf+len, size-len,
> + len += scnprintf(buf+len, size-len,
> "WWNN x%llx ",
> wwn_to_u64(ndlp->nlp_nodename.u.wwn));
> if (ndlp->nlp_flag & NLP_RPI_REGISTERED)
> - len += snprintf(buf+len, size-len, "RPI:%03d ",
> + len += scnprintf(buf+len, size-len, "RPI:%03d ",
> ndlp->nlp_rpi);
> else
> - len += snprintf(buf+len, size-len, "RPI:none ");
> - len += snprintf(buf+len, size-len, "flag:x%08x ",
> + len += scnprintf(buf+len, size-len, "RPI:none ");
> + len += scnprintf(buf+len, size-len, "flag:x%08x ",
> ndlp->nlp_flag);
> if (!ndlp->nlp_type)
> - len += snprintf(buf+len, size-len, "UNKNOWN_TYPE ");
> + len += scnprintf(buf+len, size-len, "UNKNOWN_TYPE ");
> if (ndlp->nlp_type & NLP_FC_NODE)
> - len += snprintf(buf+len, size-len, "FC_NODE ");
> + len += scnprintf(buf+len, size-len, "FC_NODE ");
> if (ndlp->nlp_type & NLP_FABRIC) {
> - len += snprintf(buf+len, size-len, "FABRIC ");
> + len += scnprintf(buf+len, size-len, "FABRIC ");
> iocnt = 0;
> }
> if (ndlp->nlp_type & NLP_FCP_TARGET)
> - len += snprintf(buf+len, size-len, "FCP_TGT sid:%d ",
> + len += scnprintf(buf+len, size-len, "FCP_TGT sid:%d ",
> ndlp->nlp_sid);
> if (ndlp->nlp_type & NLP_FCP_INITIATOR)
> - len += snprintf(buf+len, size-len, "FCP_INITIATOR ");
> + len += scnprintf(buf+len, size-len, "FCP_INITIATOR ");
> if (ndlp->nlp_type & NLP_NVME_TARGET)
> - len += snprintf(buf + len,
> + len += scnprintf(buf + len,
> size - len, "NVME_TGT sid:%d ",
> NLP_NO_SID);
> if (ndlp->nlp_type & NLP_NVME_INITIATOR)
> - len += snprintf(buf + len,
> + len += scnprintf(buf + len,
> size - len, "NVME_INITIATOR ");
> - len += snprintf(buf+len, size-len, "usgmap:%x ",
> + len += scnprintf(buf+len, size-len, "usgmap:%x ",
> ndlp->nlp_usg_map);
> - len += snprintf(buf+len, size-len, "refcnt:%x",
> + len += scnprintf(buf+len, size-len, "refcnt:%x",
> kref_read(&ndlp->kref));
> if (iocnt) {
> i = atomic_read(&ndlp->cmd_pending);
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> " OutIO:x%x Qdepth x%x",
> i, ndlp->cmd_qdepth);
> outio += i;
> }
> - len += snprintf(buf+len, size-len, "\n");
> + len += scnprintf(buf+len, size-len, "\n");
> }
> spin_unlock_irq(shost->host_lock);
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "\nOutstanding IO x%x\n", outio);
>
> if (phba->nvmet_support && phba->targetport && (vport == phba->pport)) {
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "\nNVME Targetport Entry ...\n");
>
> /* Port state is only one of two values for now. */
> @@ -661,18 +661,18 @@ lpfc_debugfs_nodelist_data(struct lpfc_vport *vport, char *buf, int size)
> statep = "REGISTERED";
> else
> statep = "INIT";
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "TGT WWNN x%llx WWPN x%llx State %s\n",
> wwn_to_u64(vport->fc_nodename.u.wwn),
> wwn_to_u64(vport->fc_portname.u.wwn),
> statep);
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> " Targetport DID x%06x\n",
> phba->targetport->port_id);
> goto out_exit;
> }
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "\nNVME Lport/Rport Entries ...\n");
>
> localport = vport->localport;
> @@ -687,11 +687,11 @@ lpfc_debugfs_nodelist_data(struct lpfc_vport *vport, char *buf, int size)
> else
> statep = "UNKNOWN ";
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "Lport DID x%06x PortState %s\n",
> localport->port_id, statep);
>
> - len += snprintf(buf + len, size - len, "\tRport List:\n");
> + len += scnprintf(buf + len, size - len, "\tRport List:\n");
> list_for_each_entry(ndlp, &vport->fc_nodes, nlp_listp) {
> /* local short-hand pointer. */
> spin_lock(&phba->hbalock);
> @@ -718,32 +718,32 @@ lpfc_debugfs_nodelist_data(struct lpfc_vport *vport, char *buf, int size)
> }
>
> /* Tab in to show lport ownership. */
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "\t%s Port ID:x%06x ",
> statep, nrport->port_id);
> - len += snprintf(buf + len, size - len, "WWPN x%llx ",
> + len += scnprintf(buf + len, size - len, "WWPN x%llx ",
> nrport->port_name);
> - len += snprintf(buf + len, size - len, "WWNN x%llx ",
> + len += scnprintf(buf + len, size - len, "WWNN x%llx ",
> nrport->node_name);
>
> /* An NVME rport can have multiple roles. */
> if (nrport->port_role & FC_PORT_ROLE_NVME_INITIATOR)
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "INITIATOR ");
> if (nrport->port_role & FC_PORT_ROLE_NVME_TARGET)
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "TARGET ");
> if (nrport->port_role & FC_PORT_ROLE_NVME_DISCOVERY)
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "DISCSRVC ");
> if (nrport->port_role & ~(FC_PORT_ROLE_NVME_INITIATOR |
> FC_PORT_ROLE_NVME_TARGET |
> FC_PORT_ROLE_NVME_DISCOVERY))
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "UNKNOWN ROLE x%x",
> nrport->port_role);
> /* Terminate the string. */
> - len += snprintf(buf + len, size - len, "\n");
> + len += scnprintf(buf + len, size - len, "\n");
> }
>
> spin_unlock_irq(shost->host_lock);
> @@ -782,35 +782,35 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
> if (!phba->targetport)
> return len;
> tgtp = (struct lpfc_nvmet_tgtport *)phba->targetport->private;
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "\nNVME Targetport Statistics\n");
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "LS: Rcv %08x Drop %08x Abort %08x\n",
> atomic_read(&tgtp->rcv_ls_req_in),
> atomic_read(&tgtp->rcv_ls_req_drop),
> atomic_read(&tgtp->xmt_ls_abort));
> if (atomic_read(&tgtp->rcv_ls_req_in) !=
> atomic_read(&tgtp->rcv_ls_req_out)) {
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "Rcv LS: in %08x != out %08x\n",
> atomic_read(&tgtp->rcv_ls_req_in),
> atomic_read(&tgtp->rcv_ls_req_out));
> }
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "LS: Xmt %08x Drop %08x Cmpl %08x\n",
> atomic_read(&tgtp->xmt_ls_rsp),
> atomic_read(&tgtp->xmt_ls_drop),
> atomic_read(&tgtp->xmt_ls_rsp_cmpl));
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "LS: RSP Abort %08x xb %08x Err %08x\n",
> atomic_read(&tgtp->xmt_ls_rsp_aborted),
> atomic_read(&tgtp->xmt_ls_rsp_xb_set),
> atomic_read(&tgtp->xmt_ls_rsp_error));
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "FCP: Rcv %08x Defer %08x Release %08x "
> "Drop %08x\n",
> atomic_read(&tgtp->rcv_fcp_cmd_in),
> @@ -820,13 +820,13 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
>
> if (atomic_read(&tgtp->rcv_fcp_cmd_in) !=
> atomic_read(&tgtp->rcv_fcp_cmd_out)) {
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "Rcv FCP: in %08x != out %08x\n",
> atomic_read(&tgtp->rcv_fcp_cmd_in),
> atomic_read(&tgtp->rcv_fcp_cmd_out));
> }
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "FCP Rsp: read %08x readrsp %08x "
> "write %08x rsp %08x\n",
> atomic_read(&tgtp->xmt_fcp_read),
> @@ -834,31 +834,31 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
> atomic_read(&tgtp->xmt_fcp_write),
> atomic_read(&tgtp->xmt_fcp_rsp));
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "FCP Rsp Cmpl: %08x err %08x drop %08x\n",
> atomic_read(&tgtp->xmt_fcp_rsp_cmpl),
> atomic_read(&tgtp->xmt_fcp_rsp_error),
> atomic_read(&tgtp->xmt_fcp_rsp_drop));
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "FCP Rsp Abort: %08x xb %08x xricqe %08x\n",
> atomic_read(&tgtp->xmt_fcp_rsp_aborted),
> atomic_read(&tgtp->xmt_fcp_rsp_xb_set),
> atomic_read(&tgtp->xmt_fcp_xri_abort_cqe));
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "ABORT: Xmt %08x Cmpl %08x\n",
> atomic_read(&tgtp->xmt_fcp_abort),
> atomic_read(&tgtp->xmt_fcp_abort_cmpl));
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "ABORT: Sol %08x Usol %08x Err %08x Cmpl %08x",
> atomic_read(&tgtp->xmt_abort_sol),
> atomic_read(&tgtp->xmt_abort_unsol),
> atomic_read(&tgtp->xmt_abort_rsp),
> atomic_read(&tgtp->xmt_abort_rsp_error));
>
> - len += snprintf(buf + len, size - len, "\n");
> + len += scnprintf(buf + len, size - len, "\n");
>
> cnt = 0;
> spin_lock(&phba->sli4_hba.abts_nvme_buf_list_lock);
> @@ -869,7 +869,7 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
> }
> spin_unlock(&phba->sli4_hba.abts_nvme_buf_list_lock);
> if (cnt) {
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "ABORT: %d ctx entries\n", cnt);
> spin_lock(&phba->sli4_hba.abts_nvme_buf_list_lock);
> list_for_each_entry_safe(ctxp, next_ctxp,
> @@ -877,7 +877,7 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
> list) {
> if (len >= (size - LPFC_DEBUG_OUT_LINE_SZ))
> break;
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "Entry: oxid %x state %x "
> "flag %x\n",
> ctxp->oxid, ctxp->state,
> @@ -891,7 +891,7 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
> tot += atomic_read(&tgtp->xmt_fcp_release);
> tot = atomic_read(&tgtp->rcv_fcp_cmd_in) - tot;
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "IO_CTX: %08x WAIT: cur %08x tot %08x\n"
> "CTX Outstanding %08llx\n",
> phba->sli4_hba.nvmet_xri_cnt,
> @@ -909,10 +909,10 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
> if (!lport)
> return len;
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "\nNVME Lport Statistics\n");
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "LS: Xmt %016x Cmpl %016x\n",
> atomic_read(&lport->fc4NvmeLsRequests),
> atomic_read(&lport->fc4NvmeLsCmpls));
> @@ -936,20 +936,20 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
> if (i >= 32)
> continue;
>
> - len += snprintf(buf + len, PAGE_SIZE - len,
> + len += scnprintf(buf + len, PAGE_SIZE - len,
> "FCP (%d): Rd %016llx Wr %016llx "
> "IO %016llx ",
> i, data1, data2, data3);
> - len += snprintf(buf + len, PAGE_SIZE - len,
> + len += scnprintf(buf + len, PAGE_SIZE - len,
> "Cmpl %016llx OutIO %016llx\n",
> tot, ((data1 + data2 + data3) - tot));
> }
> - len += snprintf(buf + len, PAGE_SIZE - len,
> + len += scnprintf(buf + len, PAGE_SIZE - len,
> "Total FCP Cmpl %016llx Issue %016llx "
> "OutIO %016llx\n",
> totin, totout, totout - totin);
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "LS Xmt Err: Abrt %08x Err %08x "
> "Cmpl Err: xb %08x Err %08x\n",
> atomic_read(&lport->xmt_ls_abort),
> @@ -957,7 +957,7 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
> atomic_read(&lport->cmpl_ls_xb),
> atomic_read(&lport->cmpl_ls_err));
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "FCP Xmt Err: noxri %06x nondlp %06x "
> "qdepth %06x wqerr %06x err %06x Abrt %06x\n",
> atomic_read(&lport->xmt_fcp_noxri),
> @@ -967,7 +967,7 @@ lpfc_debugfs_nvmestat_data(struct lpfc_vport *vport, char *buf, int size)
> atomic_read(&lport->xmt_fcp_err),
> atomic_read(&lport->xmt_fcp_abort));
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "FCP Cmpl Err: xb %08x Err %08x\n",
> atomic_read(&lport->cmpl_fcp_xb),
> atomic_read(&lport->cmpl_fcp_err));
> @@ -999,58 +999,58 @@ lpfc_debugfs_nvmektime_data(struct lpfc_vport *vport, char *buf, int size)
>
> if (phba->nvmet_support == 0) {
> /* NVME Initiator */
> - len += snprintf(buf + len, PAGE_SIZE - len,
> + len += scnprintf(buf + len, PAGE_SIZE - len,
> "ktime %s: Total Samples: %lld\n",
> (phba->ktime_on ? "Enabled" : "Disabled"),
> phba->ktime_data_samples);
> if (phba->ktime_data_samples == 0)
> return len;
>
> - len += snprintf(
> + len += scnprintf(
> buf + len, PAGE_SIZE - len,
> "Segment 1: Last NVME Cmd cmpl "
> "done -to- Start of next NVME cnd (in driver)\n");
> - len += snprintf(
> + len += scnprintf(
> buf + len, PAGE_SIZE - len,
> "avg:%08lld min:%08lld max %08lld\n",
> div_u64(phba->ktime_seg1_total,
> phba->ktime_data_samples),
> phba->ktime_seg1_min,
> phba->ktime_seg1_max);
> - len += snprintf(
> + len += scnprintf(
> buf + len, PAGE_SIZE - len,
> "Segment 2: Driver start of NVME cmd "
> "-to- Firmware WQ doorbell\n");
> - len += snprintf(
> + len += scnprintf(
> buf + len, PAGE_SIZE - len,
> "avg:%08lld min:%08lld max %08lld\n",
> div_u64(phba->ktime_seg2_total,
> phba->ktime_data_samples),
> phba->ktime_seg2_min,
> phba->ktime_seg2_max);
> - len += snprintf(
> + len += scnprintf(
> buf + len, PAGE_SIZE - len,
> "Segment 3: Firmware WQ doorbell -to- "
> "MSI-X ISR cmpl\n");
> - len += snprintf(
> + len += scnprintf(
> buf + len, PAGE_SIZE - len,
> "avg:%08lld min:%08lld max %08lld\n",
> div_u64(phba->ktime_seg3_total,
> phba->ktime_data_samples),
> phba->ktime_seg3_min,
> phba->ktime_seg3_max);
> - len += snprintf(
> + len += scnprintf(
> buf + len, PAGE_SIZE - len,
> "Segment 4: MSI-X ISR cmpl -to- "
> "NVME cmpl done\n");
> - len += snprintf(
> + len += scnprintf(
> buf + len, PAGE_SIZE - len,
> "avg:%08lld min:%08lld max %08lld\n",
> div_u64(phba->ktime_seg4_total,
> phba->ktime_data_samples),
> phba->ktime_seg4_min,
> phba->ktime_seg4_max);
> - len += snprintf(
> + len += scnprintf(
> buf + len, PAGE_SIZE - len,
> "Total IO avg time: %08lld\n",
> div_u64(phba->ktime_seg1_total +
> @@ -1062,7 +1062,7 @@ lpfc_debugfs_nvmektime_data(struct lpfc_vport *vport, char *buf, int size)
> }
>
> /* NVME Target */
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "ktime %s: Total Samples: %lld %lld\n",
> (phba->ktime_on ? "Enabled" : "Disabled"),
> phba->ktime_data_samples,
> @@ -1070,46 +1070,46 @@ lpfc_debugfs_nvmektime_data(struct lpfc_vport *vport, char *buf, int size)
> if (phba->ktime_data_samples == 0)
> return len;
>
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "Segment 1: MSI-X ISR Rcv cmd -to- "
> "cmd pass to NVME Layer\n");
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "avg:%08lld min:%08lld max %08lld\n",
> div_u64(phba->ktime_seg1_total,
> phba->ktime_data_samples),
> phba->ktime_seg1_min,
> phba->ktime_seg1_max);
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "Segment 2: cmd pass to NVME Layer- "
> "-to- Driver rcv cmd OP (action)\n");
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "avg:%08lld min:%08lld max %08lld\n",
> div_u64(phba->ktime_seg2_total,
> phba->ktime_data_samples),
> phba->ktime_seg2_min,
> phba->ktime_seg2_max);
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "Segment 3: Driver rcv cmd OP -to- "
> "Firmware WQ doorbell: cmd\n");
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "avg:%08lld min:%08lld max %08lld\n",
> div_u64(phba->ktime_seg3_total,
> phba->ktime_data_samples),
> phba->ktime_seg3_min,
> phba->ktime_seg3_max);
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "Segment 4: Firmware WQ doorbell: cmd "
> "-to- MSI-X ISR for cmd cmpl\n");
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "avg:%08lld min:%08lld max %08lld\n",
> div_u64(phba->ktime_seg4_total,
> phba->ktime_data_samples),
> phba->ktime_seg4_min,
> phba->ktime_seg4_max);
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "Segment 5: MSI-X ISR for cmd cmpl "
> "-to- NVME layer passed cmd done\n");
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "avg:%08lld min:%08lld max %08lld\n",
> div_u64(phba->ktime_seg5_total,
> phba->ktime_data_samples),
> @@ -1117,10 +1117,10 @@ lpfc_debugfs_nvmektime_data(struct lpfc_vport *vport, char *buf, int size)
> phba->ktime_seg5_max);
>
> if (phba->ktime_status_samples == 0) {
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "Total: cmd received by MSI-X ISR "
> "-to- cmd completed on wire\n");
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "avg:%08lld min:%08lld "
> "max %08lld\n",
> div_u64(phba->ktime_seg10_total,
> @@ -1130,46 +1130,46 @@ lpfc_debugfs_nvmektime_data(struct lpfc_vport *vport, char *buf, int size)
> return len;
> }
>
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "Segment 6: NVME layer passed cmd done "
> "-to- Driver rcv rsp status OP\n");
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "avg:%08lld min:%08lld max %08lld\n",
> div_u64(phba->ktime_seg6_total,
> phba->ktime_status_samples),
> phba->ktime_seg6_min,
> phba->ktime_seg6_max);
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "Segment 7: Driver rcv rsp status OP "
> "-to- Firmware WQ doorbell: status\n");
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "avg:%08lld min:%08lld max %08lld\n",
> div_u64(phba->ktime_seg7_total,
> phba->ktime_status_samples),
> phba->ktime_seg7_min,
> phba->ktime_seg7_max);
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "Segment 8: Firmware WQ doorbell: status"
> " -to- MSI-X ISR for status cmpl\n");
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "avg:%08lld min:%08lld max %08lld\n",
> div_u64(phba->ktime_seg8_total,
> phba->ktime_status_samples),
> phba->ktime_seg8_min,
> phba->ktime_seg8_max);
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "Segment 9: MSI-X ISR for status cmpl "
> "-to- NVME layer passed status done\n");
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "avg:%08lld min:%08lld max %08lld\n",
> div_u64(phba->ktime_seg9_total,
> phba->ktime_status_samples),
> phba->ktime_seg9_min,
> phba->ktime_seg9_max);
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "Total: cmd received by MSI-X ISR -to- "
> "cmd completed on wire\n");
> - len += snprintf(buf + len, PAGE_SIZE-len,
> + len += scnprintf(buf + len, PAGE_SIZE-len,
> "avg:%08lld min:%08lld max %08lld\n",
> div_u64(phba->ktime_seg10_total,
> phba->ktime_status_samples),
> @@ -1204,7 +1204,7 @@ lpfc_debugfs_nvmeio_trc_data(struct lpfc_hba *phba, char *buf, int size)
> (phba->nvmeio_trc_size - 1);
> skip = phba->nvmeio_trc_output_idx;
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "%s IO Trace %s: next_idx %d skip %d size %d\n",
> (phba->nvmet_support ? "NVME" : "NVMET"),
> (state ? "Enabled" : "Disabled"),
> @@ -1226,18 +1226,18 @@ lpfc_debugfs_nvmeio_trc_data(struct lpfc_hba *phba, char *buf, int size)
> if (!dtp->fmt)
> continue;
>
> - len += snprintf(buf + len, size - len, dtp->fmt,
> + len += scnprintf(buf + len, size - len, dtp->fmt,
> dtp->data1, dtp->data2, dtp->data3);
>
> if (phba->nvmeio_trc_output_idx >= phba->nvmeio_trc_size) {
> phba->nvmeio_trc_output_idx = 0;
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "Trace Complete\n");
> goto out;
> }
>
> if (len >= (size - LPFC_DEBUG_OUT_LINE_SZ)) {
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "Trace Continue (%d of %d)\n",
> phba->nvmeio_trc_output_idx,
> phba->nvmeio_trc_size);
> @@ -1255,18 +1255,18 @@ lpfc_debugfs_nvmeio_trc_data(struct lpfc_hba *phba, char *buf, int size)
> if (!dtp->fmt)
> continue;
>
> - len += snprintf(buf + len, size - len, dtp->fmt,
> + len += scnprintf(buf + len, size - len, dtp->fmt,
> dtp->data1, dtp->data2, dtp->data3);
>
> if (phba->nvmeio_trc_output_idx >= phba->nvmeio_trc_size) {
> phba->nvmeio_trc_output_idx = 0;
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "Trace Complete\n");
> goto out;
> }
>
> if (len >= (size - LPFC_DEBUG_OUT_LINE_SZ)) {
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "Trace Continue (%d of %d)\n",
> phba->nvmeio_trc_output_idx,
> phba->nvmeio_trc_size);
> @@ -1274,7 +1274,7 @@ lpfc_debugfs_nvmeio_trc_data(struct lpfc_hba *phba, char *buf, int size)
> }
> }
>
> - len += snprintf(buf + len, size - len,
> + len += scnprintf(buf + len, size - len,
> "Trace Done\n");
> out:
> return len;
> @@ -1306,39 +1306,39 @@ lpfc_debugfs_cpucheck_data(struct lpfc_vport *vport, char *buf, int size)
>
> if (phba->nvmet_support == 0) {
> /* NVME Initiator */
> - len += snprintf(buf + len, PAGE_SIZE - len,
> + len += scnprintf(buf + len, PAGE_SIZE - len,
> "CPUcheck %s\n",
> (phba->cpucheck_on & LPFC_CHECK_NVME_IO ?
> "Enabled" : "Disabled"));
> for (i = 0; i < phba->sli4_hba.num_present_cpu; i++) {
> if (i >= LPFC_CHECK_CPU_CNT)
> break;
> - len += snprintf(buf + len, PAGE_SIZE - len,
> + len += scnprintf(buf + len, PAGE_SIZE - len,
> "%02d: xmit x%08x cmpl x%08x\n",
> i, phba->cpucheck_xmt_io[i],
> phba->cpucheck_cmpl_io[i]);
> tot_xmt += phba->cpucheck_xmt_io[i];
> tot_cmpl += phba->cpucheck_cmpl_io[i];
> }
> - len += snprintf(buf + len, PAGE_SIZE - len,
> + len += scnprintf(buf + len, PAGE_SIZE - len,
> "tot:xmit x%08x cmpl x%08x\n",
> tot_xmt, tot_cmpl);
> return len;
> }
>
> /* NVME Target */
> - len += snprintf(buf + len, PAGE_SIZE - len,
> + len += scnprintf(buf + len, PAGE_SIZE - len,
> "CPUcheck %s ",
> (phba->cpucheck_on & LPFC_CHECK_NVMET_IO ?
> "IO Enabled - " : "IO Disabled - "));
> - len += snprintf(buf + len, PAGE_SIZE - len,
> + len += scnprintf(buf + len, PAGE_SIZE - len,
> "%s\n",
> (phba->cpucheck_on & LPFC_CHECK_NVMET_RCV ?
> "Rcv Enabled\n" : "Rcv Disabled\n"));
> for (i = 0; i < phba->sli4_hba.num_present_cpu; i++) {
> if (i >= LPFC_CHECK_CPU_CNT)
> break;
> - len += snprintf(buf + len, PAGE_SIZE - len,
> + len += scnprintf(buf + len, PAGE_SIZE - len,
> "%02d: xmit x%08x ccmpl x%08x "
> "cmpl x%08x rcv x%08x\n",
> i, phba->cpucheck_xmt_io[i],
> @@ -1350,7 +1350,7 @@ lpfc_debugfs_cpucheck_data(struct lpfc_vport *vport, char *buf, int size)
> tot_cmpl += phba->cpucheck_cmpl_io[i];
> tot_ccmpl += phba->cpucheck_ccmpl_io[i];
> }
> - len += snprintf(buf + len, PAGE_SIZE - len,
> + len += scnprintf(buf + len, PAGE_SIZE - len,
> "tot:xmit x%08x ccmpl x%08x cmpl x%08x rcv x%08x\n",
> tot_xmt, tot_ccmpl, tot_cmpl, tot_rcv);
> return len;
> @@ -1795,28 +1795,28 @@ lpfc_debugfs_dif_err_read(struct file *file, char __user *buf,
> int cnt = 0;
>
> if (dent == phba->debug_writeGuard)
> - cnt = snprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wgrd_cnt);
> + cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wgrd_cnt);
> else if (dent == phba->debug_writeApp)
> - cnt = snprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wapp_cnt);
> + cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wapp_cnt);
> else if (dent == phba->debug_writeRef)
> - cnt = snprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wref_cnt);
> + cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_wref_cnt);
> else if (dent == phba->debug_readGuard)
> - cnt = snprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rgrd_cnt);
> + cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rgrd_cnt);
> else if (dent == phba->debug_readApp)
> - cnt = snprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rapp_cnt);
> + cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rapp_cnt);
> else if (dent == phba->debug_readRef)
> - cnt = snprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rref_cnt);
> + cnt = scnprintf(cbuf, 32, "%u\n", phba->lpfc_injerr_rref_cnt);
> else if (dent == phba->debug_InjErrNPortID)
> - cnt = snprintf(cbuf, 32, "0x%06x\n", phba->lpfc_injerr_nportid);
> + cnt = scnprintf(cbuf, 32, "0x%06x\n", phba->lpfc_injerr_nportid);
> else if (dent == phba->debug_InjErrWWPN) {
> memcpy(&tmp, &phba->lpfc_injerr_wwpn, sizeof(struct lpfc_name));
> tmp = cpu_to_be64(tmp);
> - cnt = snprintf(cbuf, 32, "0x%016llx\n", tmp);
> + cnt = scnprintf(cbuf, 32, "0x%016llx\n", tmp);
> } else if (dent == phba->debug_InjErrLBA) {
> if (phba->lpfc_injerr_lba == (sector_t)(-1))
> - cnt = snprintf(cbuf, 32, "off\n");
> + cnt = scnprintf(cbuf, 32, "off\n");
> else
> - cnt = snprintf(cbuf, 32, "0x%llx\n",
> + cnt = scnprintf(cbuf, 32, "0x%llx\n",
> (uint64_t) phba->lpfc_injerr_lba);
> } else
> lpfc_printf_log(phba, KERN_ERR, LOG_INIT,
> @@ -2622,17 +2622,17 @@ lpfc_idiag_pcicfg_read(struct file *file, char __user *buf, size_t nbytes,
> switch (count) {
> case SIZE_U8: /* byte (8 bits) */
> pci_read_config_byte(pdev, where, &u8val);
> - len += snprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
> "%03x: %02x\n", where, u8val);
> break;
> case SIZE_U16: /* word (16 bits) */
> pci_read_config_word(pdev, where, &u16val);
> - len += snprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
> "%03x: %04x\n", where, u16val);
> break;
> case SIZE_U32: /* double word (32 bits) */
> pci_read_config_dword(pdev, where, &u32val);
> - len += snprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
> "%03x: %08x\n", where, u32val);
> break;
> case LPFC_PCI_CFG_BROWSE: /* browse all */
> @@ -2652,25 +2652,25 @@ lpfc_idiag_pcicfg_read(struct file *file, char __user *buf, size_t nbytes,
> offset = offset_label;
>
> /* Read PCI config space */
> - len += snprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
> "%03x: ", offset_label);
> while (index > 0) {
> pci_read_config_dword(pdev, offset, &u32val);
> - len += snprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
> "%08x ", u32val);
> offset += sizeof(uint32_t);
> if (offset >= LPFC_PCI_CFG_SIZE) {
> - len += snprintf(pbuffer+len,
> + len += scnprintf(pbuffer+len,
> LPFC_PCI_CFG_SIZE-len, "\n");
> break;
> }
> index -= sizeof(uint32_t);
> if (!index)
> - len += snprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
> "\n");
> else if (!(index % (8 * sizeof(uint32_t)))) {
> offset_label += (8 * sizeof(uint32_t));
> - len += snprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_PCI_CFG_SIZE-len,
> "\n%03x: ", offset_label);
> }
> }
> @@ -2941,7 +2941,7 @@ lpfc_idiag_baracc_read(struct file *file, char __user *buf, size_t nbytes,
> if (acc_range == SINGLE_WORD) {
> offset_run = offset;
> u32val = readl(mem_mapped_bar + offset_run);
> - len += snprintf(pbuffer+len, LPFC_PCI_BAR_RD_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_PCI_BAR_RD_BUF_SIZE-len,
> "%05x: %08x\n", offset_run, u32val);
> } else
> goto baracc_browse;
> @@ -2955,35 +2955,35 @@ lpfc_idiag_baracc_read(struct file *file, char __user *buf, size_t nbytes,
> offset_run = offset_label;
>
> /* Read PCI bar memory mapped space */
> - len += snprintf(pbuffer+len, LPFC_PCI_BAR_RD_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_PCI_BAR_RD_BUF_SIZE-len,
> "%05x: ", offset_label);
> index = LPFC_PCI_BAR_RD_SIZE;
> while (index > 0) {
> u32val = readl(mem_mapped_bar + offset_run);
> - len += snprintf(pbuffer+len, LPFC_PCI_BAR_RD_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_PCI_BAR_RD_BUF_SIZE-len,
> "%08x ", u32val);
> offset_run += sizeof(uint32_t);
> if (acc_range == LPFC_PCI_BAR_BROWSE) {
> if (offset_run >= bar_size) {
> - len += snprintf(pbuffer+len,
> + len += scnprintf(pbuffer+len,
> LPFC_PCI_BAR_RD_BUF_SIZE-len, "\n");
> break;
> }
> } else {
> if (offset_run >= offset +
> (acc_range * sizeof(uint32_t))) {
> - len += snprintf(pbuffer+len,
> + len += scnprintf(pbuffer+len,
> LPFC_PCI_BAR_RD_BUF_SIZE-len, "\n");
> break;
> }
> }
> index -= sizeof(uint32_t);
> if (!index)
> - len += snprintf(pbuffer+len,
> + len += scnprintf(pbuffer+len,
> LPFC_PCI_BAR_RD_BUF_SIZE-len, "\n");
> else if (!(index % (8 * sizeof(uint32_t)))) {
> offset_label += (8 * sizeof(uint32_t));
> - len += snprintf(pbuffer+len,
> + len += scnprintf(pbuffer+len,
> LPFC_PCI_BAR_RD_BUF_SIZE-len,
> "\n%05x: ", offset_label);
> }
> @@ -3156,19 +3156,19 @@ __lpfc_idiag_print_wq(struct lpfc_queue *qp, char *wqtype,
> if (!qp)
> return len;
>
> - len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> + len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> "\t\t%s WQ info: ", wqtype);
> - len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> + len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> "AssocCQID[%04d]: WQ-STAT[oflow:x%x posted:x%llx]\n",
> qp->assoc_qid, qp->q_cnt_1,
> (unsigned long long)qp->q_cnt_4);
> - len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> + len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> "\t\tWQID[%02d], QE-CNT[%04d], QE-SZ[%04d], "
> "HST-IDX[%04d], PRT-IDX[%04d], PST[%03d]",
> qp->queue_id, qp->entry_count,
> qp->entry_size, qp->host_index,
> qp->hba_index, qp->entry_repost);
> - len += snprintf(pbuffer + len,
> + len += scnprintf(pbuffer + len,
> LPFC_QUE_INFO_GET_BUF_SIZE - len, "\n");
> return len;
> }
> @@ -3206,21 +3206,21 @@ __lpfc_idiag_print_cq(struct lpfc_queue *qp, char *cqtype,
> if (!qp)
> return len;
>
> - len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> + len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> "\t%s CQ info: ", cqtype);
> - len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> + len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> "AssocEQID[%02d]: CQ STAT[max:x%x relw:x%x "
> "xabt:x%x wq:x%llx]\n",
> qp->assoc_qid, qp->q_cnt_1, qp->q_cnt_2,
> qp->q_cnt_3, (unsigned long long)qp->q_cnt_4);
> - len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> + len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> "\tCQID[%02d], QE-CNT[%04d], QE-SZ[%04d], "
> "HST-IDX[%04d], PRT-IDX[%04d], PST[%03d]",
> qp->queue_id, qp->entry_count,
> qp->entry_size, qp->host_index,
> qp->hba_index, qp->entry_repost);
>
> - len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len, "\n");
> + len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len, "\n");
>
> return len;
> }
> @@ -3232,19 +3232,19 @@ __lpfc_idiag_print_rqpair(struct lpfc_queue *qp, struct lpfc_queue *datqp,
> if (!qp || !datqp)
> return len;
>
> - len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> + len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> "\t\t%s RQ info: ", rqtype);
> - len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> + len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> "AssocCQID[%02d]: RQ-STAT[nopost:x%x nobuf:x%x "
> "posted:x%x rcv:x%llx]\n",
> qp->assoc_qid, qp->q_cnt_1, qp->q_cnt_2,
> qp->q_cnt_3, (unsigned long long)qp->q_cnt_4);
> - len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> + len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> "\t\tHQID[%02d], QE-CNT[%04d], QE-SZ[%04d], "
> "HST-IDX[%04d], PRT-IDX[%04d], PST[%03d]\n",
> qp->queue_id, qp->entry_count, qp->entry_size,
> qp->host_index, qp->hba_index, qp->entry_repost);
> - len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> + len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> "\t\tDQID[%02d], QE-CNT[%04d], QE-SZ[%04d], "
> "HST-IDX[%04d], PRT-IDX[%04d], PST[%03d]\n",
> datqp->queue_id, datqp->entry_count,
> @@ -3329,17 +3329,17 @@ __lpfc_idiag_print_eq(struct lpfc_queue *qp, char *eqtype,
> if (!qp)
> return len;
>
> - len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> + len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> "\n%s EQ info: EQ-STAT[max:x%x noE:x%x "
> "cqe_proc:x%x eqe_proc:x%llx eqd %d]\n",
> eqtype, qp->q_cnt_1, qp->q_cnt_2, qp->q_cnt_3,
> (unsigned long long)qp->q_cnt_4, qp->q_mode);
> - len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> + len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> "EQID[%02d], QE-CNT[%04d], QE-SZ[%04d], "
> "HST-IDX[%04d], PRT-IDX[%04d], PST[%03d]",
> qp->queue_id, qp->entry_count, qp->entry_size,
> qp->host_index, qp->hba_index, qp->entry_repost);
> - len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len, "\n");
> + len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len, "\n");
>
> return len;
> }
> @@ -3397,7 +3397,7 @@ lpfc_idiag_queinfo_read(struct file *file, char __user *buf, size_t nbytes,
> if (phba->cfg_fof == 0)
> phba->lpfc_idiag_last_eq = 0;
>
> - len += snprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> + len += scnprintf(pbuffer + len, LPFC_QUE_INFO_GET_BUF_SIZE - len,
> "EQ %d out of %d HBA EQs\n",
> x, phba->io_channel_irqs);
>
> @@ -3510,7 +3510,7 @@ lpfc_idiag_queinfo_read(struct file *file, char __user *buf, size_t nbytes,
> return simple_read_from_buffer(buf, nbytes, ppos, pbuffer, len);
>
> too_big:
> - len += snprintf(pbuffer + len,
> + len += scnprintf(pbuffer + len,
> LPFC_QUE_INFO_GET_BUF_SIZE - len, "Truncated ...\n");
> out:
> spin_unlock_irq(&phba->hbalock);
> @@ -3566,22 +3566,22 @@ lpfc_idiag_queacc_read_qe(char *pbuffer, int len, struct lpfc_queue *pque,
> return 0;
>
> esize = pque->entry_size;
> - len += snprintf(pbuffer+len, LPFC_QUE_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_QUE_ACC_BUF_SIZE-len,
> "QE-INDEX[%04d]:\n", index);
>
> offset = 0;
> pentry = pque->qe[index].address;
> while (esize > 0) {
> - len += snprintf(pbuffer+len, LPFC_QUE_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_QUE_ACC_BUF_SIZE-len,
> "%08x ", *pentry);
> pentry++;
> offset += sizeof(uint32_t);
> esize -= sizeof(uint32_t);
> if (esize > 0 && !(offset % (4 * sizeof(uint32_t))))
> - len += snprintf(pbuffer+len,
> + len += scnprintf(pbuffer+len,
> LPFC_QUE_ACC_BUF_SIZE-len, "\n");
> }
> - len += snprintf(pbuffer+len, LPFC_QUE_ACC_BUF_SIZE-len, "\n");
> + len += scnprintf(pbuffer+len, LPFC_QUE_ACC_BUF_SIZE-len, "\n");
>
> return len;
> }
> @@ -3987,27 +3987,27 @@ lpfc_idiag_drbacc_read_reg(struct lpfc_hba *phba, char *pbuffer,
>
> switch (drbregid) {
> case LPFC_DRB_EQ:
> - len += snprintf(pbuffer + len, LPFC_DRB_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer + len, LPFC_DRB_ACC_BUF_SIZE-len,
> "EQ-DRB-REG: 0x%08x\n",
> readl(phba->sli4_hba.EQDBregaddr));
> break;
> case LPFC_DRB_CQ:
> - len += snprintf(pbuffer + len, LPFC_DRB_ACC_BUF_SIZE - len,
> + len += scnprintf(pbuffer + len, LPFC_DRB_ACC_BUF_SIZE - len,
> "CQ-DRB-REG: 0x%08x\n",
> readl(phba->sli4_hba.CQDBregaddr));
> break;
> case LPFC_DRB_MQ:
> - len += snprintf(pbuffer+len, LPFC_DRB_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_DRB_ACC_BUF_SIZE-len,
> "MQ-DRB-REG: 0x%08x\n",
> readl(phba->sli4_hba.MQDBregaddr));
> break;
> case LPFC_DRB_WQ:
> - len += snprintf(pbuffer+len, LPFC_DRB_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_DRB_ACC_BUF_SIZE-len,
> "WQ-DRB-REG: 0x%08x\n",
> readl(phba->sli4_hba.WQDBregaddr));
> break;
> case LPFC_DRB_RQ:
> - len += snprintf(pbuffer+len, LPFC_DRB_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_DRB_ACC_BUF_SIZE-len,
> "RQ-DRB-REG: 0x%08x\n",
> readl(phba->sli4_hba.RQDBregaddr));
> break;
> @@ -4197,37 +4197,37 @@ lpfc_idiag_ctlacc_read_reg(struct lpfc_hba *phba, char *pbuffer,
>
> switch (ctlregid) {
> case LPFC_CTL_PORT_SEM:
> - len += snprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
> "Port SemReg: 0x%08x\n",
> readl(phba->sli4_hba.conf_regs_memmap_p +
> LPFC_CTL_PORT_SEM_OFFSET));
> break;
> case LPFC_CTL_PORT_STA:
> - len += snprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
> "Port StaReg: 0x%08x\n",
> readl(phba->sli4_hba.conf_regs_memmap_p +
> LPFC_CTL_PORT_STA_OFFSET));
> break;
> case LPFC_CTL_PORT_CTL:
> - len += snprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
> "Port CtlReg: 0x%08x\n",
> readl(phba->sli4_hba.conf_regs_memmap_p +
> LPFC_CTL_PORT_CTL_OFFSET));
> break;
> case LPFC_CTL_PORT_ER1:
> - len += snprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
> "Port Er1Reg: 0x%08x\n",
> readl(phba->sli4_hba.conf_regs_memmap_p +
> LPFC_CTL_PORT_ER1_OFFSET));
> break;
> case LPFC_CTL_PORT_ER2:
> - len += snprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
> "Port Er2Reg: 0x%08x\n",
> readl(phba->sli4_hba.conf_regs_memmap_p +
> LPFC_CTL_PORT_ER2_OFFSET));
> break;
> case LPFC_CTL_PDEV_CTL:
> - len += snprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_CTL_ACC_BUF_SIZE-len,
> "PDev CtlReg: 0x%08x\n",
> readl(phba->sli4_hba.conf_regs_memmap_p +
> LPFC_CTL_PDEV_CTL_OFFSET));
> @@ -4420,13 +4420,13 @@ lpfc_idiag_mbxacc_get_setup(struct lpfc_hba *phba, char *pbuffer)
> mbx_dump_cnt = idiag.cmd.data[IDIAG_MBXACC_DPCNT_INDX];
> mbx_word_cnt = idiag.cmd.data[IDIAG_MBXACC_WDCNT_INDX];
>
> - len += snprintf(pbuffer+len, LPFC_MBX_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_MBX_ACC_BUF_SIZE-len,
> "mbx_dump_map: 0x%08x\n", mbx_dump_map);
> - len += snprintf(pbuffer+len, LPFC_MBX_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_MBX_ACC_BUF_SIZE-len,
> "mbx_dump_cnt: %04d\n", mbx_dump_cnt);
> - len += snprintf(pbuffer+len, LPFC_MBX_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_MBX_ACC_BUF_SIZE-len,
> "mbx_word_cnt: %04d\n", mbx_word_cnt);
> - len += snprintf(pbuffer+len, LPFC_MBX_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_MBX_ACC_BUF_SIZE-len,
> "mbx_mbox_cmd: 0x%02x\n", mbx_mbox_cmd);
>
> return len;
> @@ -4575,35 +4575,35 @@ lpfc_idiag_extacc_avail_get(struct lpfc_hba *phba, char *pbuffer, int len)
> {
> uint16_t ext_cnt, ext_size;
>
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "\nAvailable Extents Information:\n");
>
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "\tPort Available VPI extents: ");
> lpfc_sli4_get_avail_extnt_rsrc(phba, LPFC_RSC_TYPE_FCOE_VPI,
> &ext_cnt, &ext_size);
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "Count %3d, Size %3d\n", ext_cnt, ext_size);
>
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "\tPort Available VFI extents: ");
> lpfc_sli4_get_avail_extnt_rsrc(phba, LPFC_RSC_TYPE_FCOE_VFI,
> &ext_cnt, &ext_size);
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "Count %3d, Size %3d\n", ext_cnt, ext_size);
>
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "\tPort Available RPI extents: ");
> lpfc_sli4_get_avail_extnt_rsrc(phba, LPFC_RSC_TYPE_FCOE_RPI,
> &ext_cnt, &ext_size);
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "Count %3d, Size %3d\n", ext_cnt, ext_size);
>
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "\tPort Available XRI extents: ");
> lpfc_sli4_get_avail_extnt_rsrc(phba, LPFC_RSC_TYPE_FCOE_XRI,
> &ext_cnt, &ext_size);
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "Count %3d, Size %3d\n", ext_cnt, ext_size);
>
> return len;
> @@ -4627,55 +4627,55 @@ lpfc_idiag_extacc_alloc_get(struct lpfc_hba *phba, char *pbuffer, int len)
> uint16_t ext_cnt, ext_size;
> int rc;
>
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "\nAllocated Extents Information:\n");
>
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "\tHost Allocated VPI extents: ");
> rc = lpfc_sli4_get_allocated_extnts(phba, LPFC_RSC_TYPE_FCOE_VPI,
> &ext_cnt, &ext_size);
> if (!rc)
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "Port %d Extent %3d, Size %3d\n",
> phba->brd_no, ext_cnt, ext_size);
> else
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "N/A\n");
>
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "\tHost Allocated VFI extents: ");
> rc = lpfc_sli4_get_allocated_extnts(phba, LPFC_RSC_TYPE_FCOE_VFI,
> &ext_cnt, &ext_size);
> if (!rc)
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "Port %d Extent %3d, Size %3d\n",
> phba->brd_no, ext_cnt, ext_size);
> else
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "N/A\n");
>
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "\tHost Allocated RPI extents: ");
> rc = lpfc_sli4_get_allocated_extnts(phba, LPFC_RSC_TYPE_FCOE_RPI,
> &ext_cnt, &ext_size);
> if (!rc)
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "Port %d Extent %3d, Size %3d\n",
> phba->brd_no, ext_cnt, ext_size);
> else
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "N/A\n");
>
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "\tHost Allocated XRI extents: ");
> rc = lpfc_sli4_get_allocated_extnts(phba, LPFC_RSC_TYPE_FCOE_XRI,
> &ext_cnt, &ext_size);
> if (!rc)
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "Port %d Extent %3d, Size %3d\n",
> phba->brd_no, ext_cnt, ext_size);
> else
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "N/A\n");
>
> return len;
> @@ -4699,49 +4699,49 @@ lpfc_idiag_extacc_drivr_get(struct lpfc_hba *phba, char *pbuffer, int len)
> struct lpfc_rsrc_blks *rsrc_blks;
> int index;
>
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "\nDriver Extents Information:\n");
>
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "\tVPI extents:\n");
> index = 0;
> list_for_each_entry(rsrc_blks, &phba->lpfc_vpi_blk_list, list) {
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "\t\tBlock %3d: Start %4d, Count %4d\n",
> index, rsrc_blks->rsrc_start,
> rsrc_blks->rsrc_size);
> index++;
> }
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "\tVFI extents:\n");
> index = 0;
> list_for_each_entry(rsrc_blks, &phba->sli4_hba.lpfc_vfi_blk_list,
> list) {
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "\t\tBlock %3d: Start %4d, Count %4d\n",
> index, rsrc_blks->rsrc_start,
> rsrc_blks->rsrc_size);
> index++;
> }
>
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "\tRPI extents:\n");
> index = 0;
> list_for_each_entry(rsrc_blks, &phba->sli4_hba.lpfc_rpi_blk_list,
> list) {
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "\t\tBlock %3d: Start %4d, Count %4d\n",
> index, rsrc_blks->rsrc_start,
> rsrc_blks->rsrc_size);
> index++;
> }
>
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "\tXRI extents:\n");
> index = 0;
> list_for_each_entry(rsrc_blks, &phba->sli4_hba.lpfc_xri_blk_list,
> list) {
> - len += snprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
> "\t\tBlock %3d: Start %4d, Count %4d\n",
> index, rsrc_blks->rsrc_start,
> rsrc_blks->rsrc_size);
> @@ -5135,11 +5135,11 @@ lpfc_idiag_mbxacc_dump_bsg_mbox(struct lpfc_hba *phba, enum nemb_type nemb_tp,
> if (i != 0)
> pr_err("%s\n", line_buf);
> len = 0;
> - len += snprintf(line_buf+len,
> + len += scnprintf(line_buf+len,
> LPFC_MBX_ACC_LBUF_SZ-len,
> "%03d: ", i);
> }
> - len += snprintf(line_buf+len, LPFC_MBX_ACC_LBUF_SZ-len,
> + len += scnprintf(line_buf+len, LPFC_MBX_ACC_LBUF_SZ-len,
> "%08x ", (uint32_t)*pword);
> pword++;
> }
> @@ -5202,11 +5202,11 @@ lpfc_idiag_mbxacc_dump_issue_mbox(struct lpfc_hba *phba, MAILBOX_t *pmbox)
> pr_err("%s\n", line_buf);
> len = 0;
> memset(line_buf, 0, LPFC_MBX_ACC_LBUF_SZ);
> - len += snprintf(line_buf+len,
> + len += scnprintf(line_buf+len,
> LPFC_MBX_ACC_LBUF_SZ-len,
> "%03d: ", i);
> }
> - len += snprintf(line_buf+len, LPFC_MBX_ACC_LBUF_SZ-len,
> + len += scnprintf(line_buf+len, LPFC_MBX_ACC_LBUF_SZ-len,
> "%08x ",
> ((uint32_t)*pword) & 0xffffffff);
> pword++;
> @@ -5225,18 +5225,18 @@ lpfc_idiag_mbxacc_dump_issue_mbox(struct lpfc_hba *phba, MAILBOX_t *pmbox)
> pr_err("%s\n", line_buf);
> len = 0;
> memset(line_buf, 0, LPFC_MBX_ACC_LBUF_SZ);
> - len += snprintf(line_buf+len,
> + len += scnprintf(line_buf+len,
> LPFC_MBX_ACC_LBUF_SZ-len,
> "%03d: ", i);
> }
> for (j = 0; j < 4; j++) {
> - len += snprintf(line_buf+len,
> + len += scnprintf(line_buf+len,
> LPFC_MBX_ACC_LBUF_SZ-len,
> "%02x",
> ((uint8_t)*pbyte) & 0xff);
> pbyte++;
> }
> - len += snprintf(line_buf+len,
> + len += scnprintf(line_buf+len,
> LPFC_MBX_ACC_LBUF_SZ-len, " ");
> }
> if ((i - 1) % 8)
> --
> 2.19.2
>
--
Kees Cook
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 4/8] ASoC: change snprintf to scnprintf for possible overflow
2019-01-12 15:28 ` [PATCH 4/8] ASoC: " Willy Tarreau
2019-01-15 1:13 ` Kees Cook
@ 2019-01-15 1:25 ` Nicolin Chen
2019-01-15 3:18 ` Willy Tarreau
1 sibling, 1 reply; 36+ messages in thread
From: Nicolin Chen @ 2019-01-15 1:25 UTC (permalink / raw)
To: Willy Tarreau
Cc: Silvio Cesare, linux-kernel, Timur Tabi, Xiubo Li, Fabio Estevam,
Dan Carpenter, Kees Cook, Will Deacon, Greg KH
On Sat, Jan 12, 2019 at 04:28:40PM +0100, Willy Tarreau wrote:
> From: Silvio Cesare <silvio.cesare@gmail.com>
>
> Change snprintf to scnprintf. There are generally two cases where using
> snprintf causes problems.
>
> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
> In this case, if snprintf would have written more characters than what the
> buffer size (SIZE) is, then size will end up larger than SIZE. In later
> uses of snprintf, SIZE - size will result in a negative number, leading
> to problems. Note that size might already be too large by using
> size = snprintf before the code reaches a case of size += snprintf.
>
> 2) If size is ultimately used as a length parameter for a copy back to user
> space, then it will potentially allow for a buffer overflow and information
> disclosure when size is greater than SIZE. When the size is used to index
> the buffer directly, we can have memory corruption. This also means when
> size = snprintf... is used, it may also cause problems since size may become
> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
> configuration.
>
> The solution to these issues is to use scnprintf which returns the number of
> characters actually written to the buffer, so the size variable will never
> exceed SIZE.
>
> Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
> Cc: Nicolin Chen <nicoleotsuka@gmail.com>
I think you probably need to run get_maintainer.pl for the patch
and should send to Mark Brown and CC alsa-devel. And for subject,
we usually use prefix "ASoC: imx-audmux:". Otherwise,
Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
Thanks
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 1/8] lkdtm: change snprintf to scnprintf for possible overflow
2019-01-15 1:02 ` [PATCH 1/8] lkdtm: " Kees Cook
2019-01-15 1:07 ` Kees Cook
@ 2019-01-15 3:12 ` Willy Tarreau
1 sibling, 0 replies; 36+ messages in thread
From: Willy Tarreau @ 2019-01-15 3:12 UTC (permalink / raw)
To: Kees Cook; +Cc: Silvio Cesare, LKML, Dan Carpenter, Will Deacon, Greg KH
Hi Kees,
On Mon, Jan 14, 2019 at 05:02:51PM -0800, Kees Cook wrote:
> On Sat, Jan 12, 2019 at 7:28 AM Willy Tarreau <w@1wt.eu> wrote:
> >
> > From: Silvio Cesare <silvio.cesare@gmail.com>
> >
> > Change snprintf to scnprintf. There are generally two cases where using
> > snprintf causes problems.
>
> (I didn't find a 0/8 cover letter, so I'm replying here...)
I didn't add one simply because I didn't have more context info than
the one already present in each of these commits (which were all the
same by the way). These ones were first reported by Silvio on the
security list on November 23rd and came to a stall by lack of proper
Cc and subject lines. So I've ran get_maintainers.pl + git log to
adjust all this and sent them with the available context.
> Many of these fixes are just robustness updates (e.g. the lkdtm case
> below is not current a problem: the size of the static array getting
> displayed is less than PAGE_SIZE). It might be worth noting which are
> actually problems (and include the appropriate Cc: and Fixes: lines).
From what I remember from the thread, these are small bugs causing some
memory disclosure when used with debugfs. I've just found the featured
article :
http://blog.infosectcbr.com.au/2018/11/memory-bugs-in-multiple-linux-kernel.html
> Are these changes going into someone's single tree, or are they
> intended for individual maintainers to pick up?
The goal was to let the maintainers decide based on the commit message.
That's why it's always better when the reporter sends the information
by himself rather than relying on some third party to polish things up
and forward :-/
Cheers,
Willy
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 7/8] ASoC: dapm: change snprintf to scnprintf for possible overflow
2019-01-14 14:56 ` Mark Brown
@ 2019-01-15 3:16 ` Willy Tarreau
2019-01-15 15:44 ` Mark Brown
0 siblings, 1 reply; 36+ messages in thread
From: Willy Tarreau @ 2019-01-15 3:16 UTC (permalink / raw)
To: Mark Brown
Cc: Silvio Cesare, linux-kernel, Liam Girdwood, Dan Carpenter,
Kees Cook, Will Deacon, Greg KH
Hi Mark,
On Mon, Jan 14, 2019 at 02:56:50PM +0000, Mark Brown wrote:
> On Sat, Jan 12, 2019 at 04:28:43PM +0100, Willy Tarreau wrote:
> > From: Silvio Cesare <silvio.cesare@gmail.com>
> >
> > Change snprintf to scnprintf. There are generally two cases where using
> > snprintf causes problems.
>
> I don't have a cover letter or anything before this in the series.
> What's going on with dependencies here?
Sorry for the lack of more context, I was just involved in putting a
subject line on each patch and passing them through get_maintainers.pl.
These ones were sent to the security list after this article was published:
http://blog.infosectcbr.com.au/2018/11/memory-bugs-in-multiple-linux-kernel.html
Thanks,
Willy
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 4/8] ASoC: change snprintf to scnprintf for possible overflow
2019-01-15 1:25 ` Nicolin Chen
@ 2019-01-15 3:18 ` Willy Tarreau
0 siblings, 0 replies; 36+ messages in thread
From: Willy Tarreau @ 2019-01-15 3:18 UTC (permalink / raw)
To: Nicolin Chen
Cc: Silvio Cesare, linux-kernel, Timur Tabi, Xiubo Li, Fabio Estevam,
Dan Carpenter, Kees Cook, Will Deacon, Greg KH
Hi Nicolin,
On Mon, Jan 14, 2019 at 05:25:37PM -0800, Nicolin Chen wrote:
> I think you probably need to run get_maintainer.pl for the patch
That's what I did :-)
> and should send to Mark Brown and CC alsa-devel.
OK, thanks. At first when adding the CC lines I didn't know if the
report was public or not, which is why I didn't add any list.
> And for subject,
> we usually use prefix "ASoC: imx-audmux:". Otherwise,
>
> Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
Thanks, I'll adjust this one accordingly and will resend it.
Willy
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 2/8] libertas: change snprintf to scnprintf for possible overflow
2019-01-12 15:28 ` [PATCH 2/8] libertas: " Willy Tarreau
2019-01-15 1:09 ` Kees Cook
@ 2019-01-15 5:55 ` Kalle Valo
2019-01-15 20:35 ` Willy Tarreau
1 sibling, 1 reply; 36+ messages in thread
From: Kalle Valo @ 2019-01-15 5:55 UTC (permalink / raw)
To: Willy Tarreau
Cc: Silvio Cesare, linux-kernel, Dan Carpenter, Kees Cook,
Will Deacon, Greg KH
Willy Tarreau <w@1wt.eu> writes:
> From: Silvio Cesare <silvio.cesare@gmail.com>
>
> Change snprintf to scnprintf. There are generally two cases where using
> snprintf causes problems.
>
> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
> In this case, if snprintf would have written more characters than what the
> buffer size (SIZE) is, then size will end up larger than SIZE. In later
> uses of snprintf, SIZE - size will result in a negative number, leading
> to problems. Note that size might already be too large by using
> size = snprintf before the code reaches a case of size += snprintf.
>
> 2) If size is ultimately used as a length parameter for a copy back to user
> space, then it will potentially allow for a buffer overflow and information
> disclosure when size is greater than SIZE. When the size is used to index
> the buffer directly, we can have memory corruption. This also means when
> size = snprintf... is used, it may also cause problems since size may become
> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
> configuration.
>
> The solution to these issues is to use scnprintf which returns the number of
> characters actually written to the buffer, so the size variable will never
> exceed SIZE.
>
> Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
> Cc: Kalle Valo <kvalo@codeaurora.org>
> Cc: Dan Carpenter <dan.carpenter@oracle.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Greg KH <greg@kroah.com>
> Signed-off-by: Willy Tarreau <w@1wt.eu>
I don't see any mention about which tree this should go to. Can I take
this to wireless-drivers-next?
--
Kalle Valo
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 7/8] ASoC: dapm: change snprintf to scnprintf for possible overflow
2019-01-15 3:16 ` Willy Tarreau
@ 2019-01-15 15:44 ` Mark Brown
2019-01-15 15:55 ` Willy Tarreau
0 siblings, 1 reply; 36+ messages in thread
From: Mark Brown @ 2019-01-15 15:44 UTC (permalink / raw)
To: Willy Tarreau
Cc: Silvio Cesare, linux-kernel, Liam Girdwood, Dan Carpenter,
Kees Cook, Will Deacon, Greg KH
[-- Attachment #1: Type: text/plain, Size: 709 bytes --]
On Tue, Jan 15, 2019 at 04:16:15AM +0100, Willy Tarreau wrote:
> On Mon, Jan 14, 2019 at 02:56:50PM +0000, Mark Brown wrote:
> > On Sat, Jan 12, 2019 at 04:28:43PM +0100, Willy Tarreau wrote:
> > I don't have a cover letter or anything before this in the series.
> > What's going on with dependencies here?
> Sorry for the lack of more context, I was just involved in putting a
> subject line on each patch and passing them through get_maintainers.pl.
> These ones were sent to the security list after this article was published:
> http://blog.infosectcbr.com.au/2018/11/memory-bugs-in-multiple-linux-kernel.html
So just to confirm it looks like these are just isolated projects with
no interdepencies?
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 7/8] ASoC: dapm: change snprintf to scnprintf for possible overflow
2019-01-15 15:44 ` Mark Brown
@ 2019-01-15 15:55 ` Willy Tarreau
0 siblings, 0 replies; 36+ messages in thread
From: Willy Tarreau @ 2019-01-15 15:55 UTC (permalink / raw)
To: Mark Brown
Cc: Silvio Cesare, linux-kernel, Liam Girdwood, Dan Carpenter,
Kees Cook, Will Deacon, Greg KH
On Tue, Jan 15, 2019 at 03:44:36PM +0000, Mark Brown wrote:
> On Tue, Jan 15, 2019 at 04:16:15AM +0100, Willy Tarreau wrote:
> > On Mon, Jan 14, 2019 at 02:56:50PM +0000, Mark Brown wrote:
> > > On Sat, Jan 12, 2019 at 04:28:43PM +0100, Willy Tarreau wrote:
>
> > > I don't have a cover letter or anything before this in the series.
> > > What's going on with dependencies here?
>
> > Sorry for the lack of more context, I was just involved in putting a
> > subject line on each patch and passing them through get_maintainers.pl.
> > These ones were sent to the security list after this article was published:
>
> > http://blog.infosectcbr.com.au/2018/11/memory-bugs-in-multiple-linux-kernel.html
>
> So just to confirm it looks like these are just isolated projects with
> no interdepencies?
That's it : just a series of patches for the same bug in multiple drivers.
Now with your question I understand the confusion, it's caused by me sending
all of them as a single series. I should have sent them individually. My bad.
Regards,
Willy
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 2/8] libertas: change snprintf to scnprintf for possible overflow
2019-01-15 5:55 ` Kalle Valo
@ 2019-01-15 20:35 ` Willy Tarreau
2019-01-16 16:40 ` Kalle Valo
0 siblings, 1 reply; 36+ messages in thread
From: Willy Tarreau @ 2019-01-15 20:35 UTC (permalink / raw)
To: Kalle Valo
Cc: Silvio Cesare, linux-kernel, Dan Carpenter, Kees Cook,
Will Deacon, Greg KH
On Tue, Jan 15, 2019 at 07:55:36AM +0200, Kalle Valo wrote:
> Willy Tarreau <w@1wt.eu> writes:
>
> > From: Silvio Cesare <silvio.cesare@gmail.com>
> >
> > Change snprintf to scnprintf. There are generally two cases where using
> > snprintf causes problems.
> >
> > 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
> > In this case, if snprintf would have written more characters than what the
> > buffer size (SIZE) is, then size will end up larger than SIZE. In later
> > uses of snprintf, SIZE - size will result in a negative number, leading
> > to problems. Note that size might already be too large by using
> > size = snprintf before the code reaches a case of size += snprintf.
> >
> > 2) If size is ultimately used as a length parameter for a copy back to user
> > space, then it will potentially allow for a buffer overflow and information
> > disclosure when size is greater than SIZE. When the size is used to index
> > the buffer directly, we can have memory corruption. This also means when
> > size = snprintf... is used, it may also cause problems since size may become
> > large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
> > configuration.
> >
> > The solution to these issues is to use scnprintf which returns the number of
> > characters actually written to the buffer, so the size variable will never
> > exceed SIZE.
> >
> > Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
> > Cc: Kalle Valo <kvalo@codeaurora.org>
> > Cc: Dan Carpenter <dan.carpenter@oracle.com>
> > Cc: Kees Cook <keescook@chromium.org>
> > Cc: Will Deacon <will.deacon@arm.com>
> > Cc: Greg KH <greg@kroah.com>
> > Signed-off-by: Willy Tarreau <w@1wt.eu>
>
> I don't see any mention about which tree this should go to. Can I take
> this to wireless-drivers-next?
Possibly. It addresses a small memory disclosure issue when using debugfs,
and as such it should probably also be submitted to stable branches, so
please use the most suitable tree that doesn't add too much extra delay.
Thanks,
Willy
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 1/8] lkdtm: change snprintf to scnprintf for possible overflow
2019-01-12 15:28 [PATCH 1/8] lkdtm: change snprintf to scnprintf for possible overflow Willy Tarreau
` (7 preceding siblings ...)
2019-01-15 1:02 ` [PATCH 1/8] lkdtm: " Kees Cook
@ 2019-01-15 20:47 ` Kees Cook
2019-01-18 13:06 ` Greg KH
8 siblings, 1 reply; 36+ messages in thread
From: Kees Cook @ 2019-01-15 20:47 UTC (permalink / raw)
To: Greg KH; +Cc: Silvio Cesare, LKML, Dan Carpenter, Will Deacon, Willy Tarreau
On Sat, Jan 12, 2019 at 7:28 AM Willy Tarreau <w@1wt.eu> wrote:
>
> From: Silvio Cesare <silvio.cesare@gmail.com>
>
> Change snprintf to scnprintf. There are generally two cases where using
> snprintf causes problems.
>
> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
> In this case, if snprintf would have written more characters than what the
> buffer size (SIZE) is, then size will end up larger than SIZE. In later
> uses of snprintf, SIZE - size will result in a negative number, leading
> to problems. Note that size might already be too large by using
> size = snprintf before the code reaches a case of size += snprintf.
>
> 2) If size is ultimately used as a length parameter for a copy back to user
> space, then it will potentially allow for a buffer overflow and information
> disclosure when size is greater than SIZE. When the size is used to index
> the buffer directly, we can have memory corruption. This also means when
> size = snprintf... is used, it may also cause problems since size may become
> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
> configuration.
>
> The solution to these issues is to use scnprintf which returns the number of
> characters actually written to the buffer, so the size variable will never
> exceed SIZE.
>
> Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
> Cc: Dan Carpenter <dan.carpenter@oracle.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Greg KH <greg@kroah.com>
> Signed-off-by: Willy Tarreau <w@1wt.eu>
It looks like these are going via individual trees. Greg, can you
please take this into your drivers-misc tree for lkdtm?
Acked-by: Kees Cook <keescook@chromium.org>
Thanks!
-Kees
>
> ---
> drivers/misc/lkdtm/core.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c
> index 2837dc77478e..610aa3bfe630 100644
> --- a/drivers/misc/lkdtm/core.c
> +++ b/drivers/misc/lkdtm/core.c
> @@ -347,9 +347,9 @@ static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf,
> if (buf == NULL)
> return -ENOMEM;
>
> - n = snprintf(buf, PAGE_SIZE, "Available crash types:\n");
> + n = scnprintf(buf, PAGE_SIZE, "Available crash types:\n");
> for (i = 0; i < ARRAY_SIZE(crashtypes); i++) {
> - n += snprintf(buf + n, PAGE_SIZE - n, "%s\n",
> + n += scnprintf(buf + n, PAGE_SIZE - n, "%s\n",
> crashtypes[i].name);
> }
> buf[n] = '\0';
> --
> 2.19.2
>
--
Kees Cook
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 5/8] scsi: lpfc: change snprintf to scnprintf for possible overflow
2019-01-15 1:15 ` Kees Cook
@ 2019-01-15 22:41 ` James Smart
2019-03-20 17:39 ` Greg KH
0 siblings, 1 reply; 36+ messages in thread
From: James Smart @ 2019-01-15 22:41 UTC (permalink / raw)
To: Kees Cook, Willy Tarreau
Cc: Silvio Cesare, LKML, Dick Kennedy, Dan Carpenter, Will Deacon, Greg KH
On 1/14/2019 5:15 PM, Kees Cook wrote:
> On Sat, Jan 12, 2019 at 7:29 AM Willy Tarreau<w@1wt.eu> wrote:
>> From: Silvio Cesare<silvio.cesare@gmail.com>
>>
>> Change snprintf to scnprintf. There are generally two cases where using
>> snprintf causes problems.
>>
>> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
>> In this case, if snprintf would have written more characters than what the
>> buffer size (SIZE) is, then size will end up larger than SIZE. In later
>> uses of snprintf, SIZE - size will result in a negative number, leading
>> to problems. Note that size might already be too large by using
>> size = snprintf before the code reaches a case of size += snprintf.
>>
>> 2) If size is ultimately used as a length parameter for a copy back to user
>> space, then it will potentially allow for a buffer overflow and information
>> disclosure when size is greater than SIZE. When the size is used to index
>> the buffer directly, we can have memory corruption. This also means when
>> size = snprintf... is used, it may also cause problems since size may become
>> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
>> configuration.
>>
>> The solution to these issues is to use scnprintf which returns the number of
>> characters actually written to the buffer, so the size variable will never
>> exceed SIZE.
>>
>> Signed-off-by: Silvio Cesare<silvio.cesare@gmail.com>
>> Cc: James Smart<james.smart@broadcom.com>
>> Cc: Dick Kennedy<dick.kennedy@broadcom.com>
>> Cc: Dan Carpenter<dan.carpenter@oracle.com>
>> Cc: Kees Cook<keescook@chromium.org>
>> Cc: Will Deacon<will.deacon@arm.com>
>> Cc: Greg KH<greg@kroah.com>
>> Signed-off-by: Willy Tarreau<w@1wt.eu>
> I think this needs Cc: stable.
>
> Reviewed-by: Kees Cook<keescook@chromium.org>
>
> -Kees
>
Reviewed-by: James Smart <james.smart@broadcom.com>
-- james
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 2/8] libertas: change snprintf to scnprintf for possible overflow
2019-01-15 20:35 ` Willy Tarreau
@ 2019-01-16 16:40 ` Kalle Valo
2019-01-16 17:02 ` Willy Tarreau
0 siblings, 1 reply; 36+ messages in thread
From: Kalle Valo @ 2019-01-16 16:40 UTC (permalink / raw)
To: Willy Tarreau
Cc: Silvio Cesare, linux-kernel, Dan Carpenter, Kees Cook,
Will Deacon, Greg KH
Willy Tarreau <w@1wt.eu> writes:
> On Tue, Jan 15, 2019 at 07:55:36AM +0200, Kalle Valo wrote:
>> Willy Tarreau <w@1wt.eu> writes:
>>
>> > From: Silvio Cesare <silvio.cesare@gmail.com>
>> >
>> > Change snprintf to scnprintf. There are generally two cases where using
>> > snprintf causes problems.
>> >
>> > 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
>> > In this case, if snprintf would have written more characters than what the
>> > buffer size (SIZE) is, then size will end up larger than SIZE. In later
>> > uses of snprintf, SIZE - size will result in a negative number, leading
>> > to problems. Note that size might already be too large by using
>> > size = snprintf before the code reaches a case of size += snprintf.
>> >
>> > 2) If size is ultimately used as a length parameter for a copy back to user
>> > space, then it will potentially allow for a buffer overflow and information
>> > disclosure when size is greater than SIZE. When the size is used to index
>> > the buffer directly, we can have memory corruption. This also means when
>> > size = snprintf... is used, it may also cause problems since size may become
>> > large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
>> > configuration.
>> >
>> > The solution to these issues is to use scnprintf which returns the number of
>> > characters actually written to the buffer, so the size variable will never
>> > exceed SIZE.
>> >
>> > Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
>> > Cc: Kalle Valo <kvalo@codeaurora.org>
>> > Cc: Dan Carpenter <dan.carpenter@oracle.com>
>> > Cc: Kees Cook <keescook@chromium.org>
>> > Cc: Will Deacon <will.deacon@arm.com>
>> > Cc: Greg KH <greg@kroah.com>
>> > Signed-off-by: Willy Tarreau <w@1wt.eu>
>>
>> I don't see any mention about which tree this should go to. Can I take
>> this to wireless-drivers-next?
>
> Possibly. It addresses a small memory disclosure issue when using debugfs,
> and as such it should probably also be submitted to stable branches, so
> please use the most suitable tree that doesn't add too much extra delay.
Ok, I'll queue this for 5.0 and apply it to wireless-drivers instead.
--
Kalle Valo
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 2/8] libertas: change snprintf to scnprintf for possible overflow
2019-01-16 16:40 ` Kalle Valo
@ 2019-01-16 17:02 ` Willy Tarreau
0 siblings, 0 replies; 36+ messages in thread
From: Willy Tarreau @ 2019-01-16 17:02 UTC (permalink / raw)
To: Kalle Valo
Cc: Silvio Cesare, linux-kernel, Dan Carpenter, Kees Cook,
Will Deacon, Greg KH
On Wed, Jan 16, 2019 at 06:40:29PM +0200, Kalle Valo wrote:
> Ok, I'll queue this for 5.0 and apply it to wireless-drivers instead.
Thank you!
Willy
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 6/8] ASoC: intel: skylake: change snprintf to scnprintf for possible overflow
2019-01-12 15:28 ` [PATCH 6/8] ASoC: intel: skylake: " Willy Tarreau
2019-01-15 1:12 ` Kees Cook
@ 2019-01-16 18:41 ` Kees Cook
2019-01-16 19:35 ` Pierre-Louis Bossart
1 sibling, 1 reply; 36+ messages in thread
From: Kees Cook @ 2019-01-16 18:41 UTC (permalink / raw)
To: Willy Tarreau
Cc: Silvio Cesare, LKML, Pierre-Louis Bossart, Liam Girdwood,
Jie Yang, Dan Carpenter, Will Deacon, Greg KH
On Sat, Jan 12, 2019 at 7:28 AM Willy Tarreau <w@1wt.eu> wrote:
>
> From: Silvio Cesare <silvio.cesare@gmail.com>
>
> Change snprintf to scnprintf. There are generally two cases where using
> snprintf causes problems.
>
> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
> In this case, if snprintf would have written more characters than what the
> buffer size (SIZE) is, then size will end up larger than SIZE. In later
> uses of snprintf, SIZE - size will result in a negative number, leading
> to problems. Note that size might already be too large by using
> size = snprintf before the code reaches a case of size += snprintf.
>
> 2) If size is ultimately used as a length parameter for a copy back to user
> space, then it will potentially allow for a buffer overflow and information
> disclosure when size is greater than SIZE. When the size is used to index
> the buffer directly, we can have memory corruption. This also means when
> size = snprintf... is used, it may also cause problems since size may become
> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
> configuration.
>
> The solution to these issues is to use scnprintf which returns the number of
> characters actually written to the buffer, so the size variable will never
> exceed SIZE.
>
> Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
> Cc: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
> Cc: Liam Girdwood <liam.r.girdwood@linux.intel.com>
> Cc: Jie Yang <yang.jie@linux.intel.com>
> Cc: Dan Carpenter <dan.carpenter@oracle.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Greg KH <greg@kroah.com>
> Signed-off-by: Willy Tarreau <w@1wt.eu>
>
> ---
> sound/soc/intel/skylake/skl-debug.c | 28 ++++++++++++++--------------
> 1 file changed, 14 insertions(+), 14 deletions(-)
>
> diff --git a/sound/soc/intel/skylake/skl-debug.c b/sound/soc/intel/skylake/skl-debug.c
> index 5d7ac2ee7a3c..bb28db734fb7 100644
> --- a/sound/soc/intel/skylake/skl-debug.c
> +++ b/sound/soc/intel/skylake/skl-debug.c
> @@ -43,7 +43,7 @@ static ssize_t skl_print_pins(struct skl_module_pin *m_pin, char *buf,
> ssize_t ret = 0;
>
> for (i = 0; i < max_pin; i++)
> - ret += snprintf(buf + size, MOD_BUF - size,
> + ret += scnprintf(buf + size, MOD_BUF - size,
> "%s %d\n\tModule %d\n\tInstance %d\n\t"
> "In-used %s\n\tType %s\n"
> "\tState %d\n\tIndex %d\n",
>
While working on a Coccinelle script to find more cases of this, I
noticed that this code is buggy: it keeps overwriting the same
position in the buf string: "buf + size" and don't take "ret" into
account at all. This needs to be:
ret += scnprintf(buf + size + ret, MOD_BUF - size - ret,
--
Kees Cook
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 6/8] ASoC: intel: skylake: change snprintf to scnprintf for possible overflow
2019-01-16 18:41 ` Kees Cook
@ 2019-01-16 19:35 ` Pierre-Louis Bossart
2019-01-16 19:51 ` Kees Cook
0 siblings, 1 reply; 36+ messages in thread
From: Pierre-Louis Bossart @ 2019-01-16 19:35 UTC (permalink / raw)
To: Kees Cook, Willy Tarreau
Cc: Silvio Cesare, LKML, Liam Girdwood, Jie Yang, Dan Carpenter,
Will Deacon, Greg KH
>> diff --git a/sound/soc/intel/skylake/skl-debug.c b/sound/soc/intel/skylake/skl-debug.c
>> index 5d7ac2ee7a3c..bb28db734fb7 100644
>> --- a/sound/soc/intel/skylake/skl-debug.c
>> +++ b/sound/soc/intel/skylake/skl-debug.c
>> @@ -43,7 +43,7 @@ static ssize_t skl_print_pins(struct skl_module_pin *m_pin, char *buf,
>> ssize_t ret = 0;
>>
>> for (i = 0; i < max_pin; i++)
>> - ret += snprintf(buf + size, MOD_BUF - size,
>> + ret += scnprintf(buf + size, MOD_BUF - size,
>> "%s %d\n\tModule %d\n\tInstance %d\n\t"
>> "In-used %s\n\tType %s\n"
>> "\tState %d\n\tIndex %d\n",
>>
> While working on a Coccinelle script to find more cases of this, I
> noticed that this code is buggy: it keeps overwriting the same
> position in the buf string: "buf + size" and don't take "ret" into
> account at all. This needs to be:
>
> ret += scnprintf(buf + size + ret, MOD_BUF - size - ret,
Thanks for the sighting. Indeed this looks like a bug, all other calls
to snprintf use "ret" to modify the destination/length.
The only explanation I have for it not being noticed earlier is that
it's possibly not used - a 5mn test on 2 machines show the loop is
actually not run (max_pin == 0).
It'll take me a bit of time to figure out what exactly this routine is
supposed to do, maybe we should do the cross-tree change first?
-Pierre
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 6/8] ASoC: intel: skylake: change snprintf to scnprintf for possible overflow
2019-01-16 19:35 ` Pierre-Louis Bossart
@ 2019-01-16 19:51 ` Kees Cook
0 siblings, 0 replies; 36+ messages in thread
From: Kees Cook @ 2019-01-16 19:51 UTC (permalink / raw)
To: Pierre-Louis Bossart
Cc: Willy Tarreau, Silvio Cesare, LKML, Liam Girdwood, Jie Yang,
Dan Carpenter, Will Deacon, Greg KH
On Wed, Jan 16, 2019 at 11:35 AM Pierre-Louis Bossart
<pierre-louis.bossart@linux.intel.com> wrote:
>
>
> >> diff --git a/sound/soc/intel/skylake/skl-debug.c b/sound/soc/intel/skylake/skl-debug.c
> >> index 5d7ac2ee7a3c..bb28db734fb7 100644
> >> --- a/sound/soc/intel/skylake/skl-debug.c
> >> +++ b/sound/soc/intel/skylake/skl-debug.c
> >> @@ -43,7 +43,7 @@ static ssize_t skl_print_pins(struct skl_module_pin *m_pin, char *buf,
> >> ssize_t ret = 0;
> >>
> >> for (i = 0; i < max_pin; i++)
> >> - ret += snprintf(buf + size, MOD_BUF - size,
> >> + ret += scnprintf(buf + size, MOD_BUF - size,
> >> "%s %d\n\tModule %d\n\tInstance %d\n\t"
> >> "In-used %s\n\tType %s\n"
> >> "\tState %d\n\tIndex %d\n",
> >>
> > While working on a Coccinelle script to find more cases of this, I
> > noticed that this code is buggy: it keeps overwriting the same
> > position in the buf string: "buf + size" and don't take "ret" into
> > account at all. This needs to be:
> >
> > ret += scnprintf(buf + size + ret, MOD_BUF - size - ret,
>
> Thanks for the sighting. Indeed this looks like a bug, all other calls
> to snprintf use "ret" to modify the destination/length.
>
> The only explanation I have for it not being noticed earlier is that
> it's possibly not used - a 5mn test on 2 machines show the loop is
> actually not run (max_pin == 0).
>
> It'll take me a bit of time to figure out what exactly this routine is
> supposed to do, maybe we should do the cross-tree change first?
Sounds good to me. These patches are direct at maintainers, so please
apply at will. :)
Thanks!
--
Kees Cook
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 1/8] lkdtm: change snprintf to scnprintf for possible overflow
2019-01-15 20:47 ` Kees Cook
@ 2019-01-18 13:06 ` Greg KH
0 siblings, 0 replies; 36+ messages in thread
From: Greg KH @ 2019-01-18 13:06 UTC (permalink / raw)
To: Kees Cook; +Cc: Silvio Cesare, LKML, Dan Carpenter, Will Deacon, Willy Tarreau
On Tue, Jan 15, 2019 at 12:47:34PM -0800, Kees Cook wrote:
> On Sat, Jan 12, 2019 at 7:28 AM Willy Tarreau <w@1wt.eu> wrote:
> >
> > From: Silvio Cesare <silvio.cesare@gmail.com>
> >
> > Change snprintf to scnprintf. There are generally two cases where using
> > snprintf causes problems.
> >
> > 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
> > In this case, if snprintf would have written more characters than what the
> > buffer size (SIZE) is, then size will end up larger than SIZE. In later
> > uses of snprintf, SIZE - size will result in a negative number, leading
> > to problems. Note that size might already be too large by using
> > size = snprintf before the code reaches a case of size += snprintf.
> >
> > 2) If size is ultimately used as a length parameter for a copy back to user
> > space, then it will potentially allow for a buffer overflow and information
> > disclosure when size is greater than SIZE. When the size is used to index
> > the buffer directly, we can have memory corruption. This also means when
> > size = snprintf... is used, it may also cause problems since size may become
> > large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
> > configuration.
> >
> > The solution to these issues is to use scnprintf which returns the number of
> > characters actually written to the buffer, so the size variable will never
> > exceed SIZE.
> >
> > Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
> > Cc: Dan Carpenter <dan.carpenter@oracle.com>
> > Cc: Kees Cook <keescook@chromium.org>
> > Cc: Will Deacon <will.deacon@arm.com>
> > Cc: Greg KH <greg@kroah.com>
> > Signed-off-by: Willy Tarreau <w@1wt.eu>
>
> It looks like these are going via individual trees. Greg, can you
> please take this into your drivers-misc tree for lkdtm?
>
> Acked-by: Kees Cook <keescook@chromium.org>
Will do, thanks.
greg k-h
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 5/8] scsi: lpfc: change snprintf to scnprintf for possible overflow
2019-01-15 22:41 ` James Smart
@ 2019-03-20 17:39 ` Greg KH
2019-03-20 20:27 ` James Smart
2019-03-21 0:41 ` James Smart
0 siblings, 2 replies; 36+ messages in thread
From: Greg KH @ 2019-03-20 17:39 UTC (permalink / raw)
To: James Smart
Cc: Kees Cook, Willy Tarreau, Silvio Cesare, LKML, Dick Kennedy,
Dan Carpenter, Will Deacon
On Tue, Jan 15, 2019 at 02:41:17PM -0800, James Smart wrote:
>
> On 1/14/2019 5:15 PM, Kees Cook wrote:
> > On Sat, Jan 12, 2019 at 7:29 AM Willy Tarreau<w@1wt.eu> wrote:
> > > From: Silvio Cesare<silvio.cesare@gmail.com>
> > >
> > > Change snprintf to scnprintf. There are generally two cases where using
> > > snprintf causes problems.
> > >
> > > 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
> > > In this case, if snprintf would have written more characters than what the
> > > buffer size (SIZE) is, then size will end up larger than SIZE. In later
> > > uses of snprintf, SIZE - size will result in a negative number, leading
> > > to problems. Note that size might already be too large by using
> > > size = snprintf before the code reaches a case of size += snprintf.
> > >
> > > 2) If size is ultimately used as a length parameter for a copy back to user
> > > space, then it will potentially allow for a buffer overflow and information
> > > disclosure when size is greater than SIZE. When the size is used to index
> > > the buffer directly, we can have memory corruption. This also means when
> > > size = snprintf... is used, it may also cause problems since size may become
> > > large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
> > > configuration.
> > >
> > > The solution to these issues is to use scnprintf which returns the number of
> > > characters actually written to the buffer, so the size variable will never
> > > exceed SIZE.
> > >
> > > Signed-off-by: Silvio Cesare<silvio.cesare@gmail.com>
> > > Cc: James Smart<james.smart@broadcom.com>
> > > Cc: Dick Kennedy<dick.kennedy@broadcom.com>
> > > Cc: Dan Carpenter<dan.carpenter@oracle.com>
> > > Cc: Kees Cook<keescook@chromium.org>
> > > Cc: Will Deacon<will.deacon@arm.com>
> > > Cc: Greg KH<greg@kroah.com>
> > > Signed-off-by: Willy Tarreau<w@1wt.eu>
> > I think this needs Cc: stable.
> >
> > Reviewed-by: Kees Cook<keescook@chromium.org>
> >
> > -Kees
> >
>
>
> Reviewed-by: James Smart <james.smart@broadcom.com>
What ever happened to this patch? Did it get dropped somehow?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 5/8] scsi: lpfc: change snprintf to scnprintf for possible overflow
2019-03-20 17:39 ` Greg KH
@ 2019-03-20 20:27 ` James Smart
2019-03-21 0:41 ` James Smart
1 sibling, 0 replies; 36+ messages in thread
From: James Smart @ 2019-03-20 20:27 UTC (permalink / raw)
To: Greg KH
Cc: Kees Cook, Willy Tarreau, Silvio Cesare, LKML, Dick Kennedy,
Dan Carpenter, Will Deacon
On 3/20/2019 10:39 AM, Greg KH wrote:
> On Tue, Jan 15, 2019 at 02:41:17PM -0800, James Smart wrote:
>> On 1/14/2019 5:15 PM, Kees Cook wrote:
>>> On Sat, Jan 12, 2019 at 7:29 AM Willy Tarreau<w@1wt.eu> wrote:
>>>> From: Silvio Cesare<silvio.cesare@gmail.com>
>>>>
>>>> Change snprintf to scnprintf. There are generally two cases where using
>>>> snprintf causes problems.
>>>>
>>>> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
>>>> In this case, if snprintf would have written more characters than what the
>>>> buffer size (SIZE) is, then size will end up larger than SIZE. In later
>>>> uses of snprintf, SIZE - size will result in a negative number, leading
>>>> to problems. Note that size might already be too large by using
>>>> size = snprintf before the code reaches a case of size += snprintf.
>>>>
>>>> 2) If size is ultimately used as a length parameter for a copy back to user
>>>> space, then it will potentially allow for a buffer overflow and information
>>>> disclosure when size is greater than SIZE. When the size is used to index
>>>> the buffer directly, we can have memory corruption. This also means when
>>>> size = snprintf... is used, it may also cause problems since size may become
>>>> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
>>>> configuration.
>>>>
>>>> The solution to these issues is to use scnprintf which returns the number of
>>>> characters actually written to the buffer, so the size variable will never
>>>> exceed SIZE.
>>>>
>>>> Signed-off-by: Silvio Cesare<silvio.cesare@gmail.com>
>>>> Cc: James Smart<james.smart@broadcom.com>
>>>> Cc: Dick Kennedy<dick.kennedy@broadcom.com>
>>>> Cc: Dan Carpenter<dan.carpenter@oracle.com>
>>>> Cc: Kees Cook<keescook@chromium.org>
>>>> Cc: Will Deacon<will.deacon@arm.com>
>>>> Cc: Greg KH<greg@kroah.com>
>>>> Signed-off-by: Willy Tarreau<w@1wt.eu>
>>> I think this needs Cc: stable.
>>>
>>> Reviewed-by: Kees Cook<keescook@chromium.org>
>>>
>>> -Kees
>>>
>>
>> Reviewed-by: James Smart <james.smart@broadcom.com>
> What ever happened to this patch? Did it get dropped somehow?
>
> thanks,
>
> greg k-h
I assume it wasn't pulled in by the scsi maintainers. I'll go ping them.
-- james
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH 5/8] scsi: lpfc: change snprintf to scnprintf for possible overflow
2019-03-20 17:39 ` Greg KH
2019-03-20 20:27 ` James Smart
@ 2019-03-21 0:41 ` James Smart
1 sibling, 0 replies; 36+ messages in thread
From: James Smart @ 2019-03-21 0:41 UTC (permalink / raw)
To: Greg KH
Cc: Kees Cook, Willy Tarreau, Silvio Cesare, LKML, Dick Kennedy,
Dan Carpenter, Will Deacon
On 3/20/2019 10:39 AM, Greg KH wrote:
> On Tue, Jan 15, 2019 at 02:41:17PM -0800, James Smart wrote:
>> On 1/14/2019 5:15 PM, Kees Cook wrote:
>>> On Sat, Jan 12, 2019 at 7:29 AM Willy Tarreau<w@1wt.eu> wrote:
>>>> From: Silvio Cesare<silvio.cesare@gmail.com>
>>>>
>>>> Change snprintf to scnprintf. There are generally two cases where using
>>>> snprintf causes problems.
>>>>
>>>> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
>>>> In this case, if snprintf would have written more characters than what the
>>>> buffer size (SIZE) is, then size will end up larger than SIZE. In later
>>>> uses of snprintf, SIZE - size will result in a negative number, leading
>>>> to problems. Note that size might already be too large by using
>>>> size = snprintf before the code reaches a case of size += snprintf.
>>>>
>>>> 2) If size is ultimately used as a length parameter for a copy back to user
>>>> space, then it will potentially allow for a buffer overflow and information
>>>> disclosure when size is greater than SIZE. When the size is used to index
>>>> the buffer directly, we can have memory corruption. This also means when
>>>> size = snprintf... is used, it may also cause problems since size may become
>>>> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
>>>> configuration.
>>>>
>>>> The solution to these issues is to use scnprintf which returns the number of
>>>> characters actually written to the buffer, so the size variable will never
>>>> exceed SIZE.
>>>>
>>>> Signed-off-by: Silvio Cesare<silvio.cesare@gmail.com>
>>>> Cc: James Smart<james.smart@broadcom.com>
>>>> Cc: Dick Kennedy<dick.kennedy@broadcom.com>
>>>> Cc: Dan Carpenter<dan.carpenter@oracle.com>
>>>> Cc: Kees Cook<keescook@chromium.org>
>>>> Cc: Will Deacon<will.deacon@arm.com>
>>>> Cc: Greg KH<greg@kroah.com>
>>>> Signed-off-by: Willy Tarreau<w@1wt.eu>
>>> I think this needs Cc: stable.
>>>
>>> Reviewed-by: Kees Cook<keescook@chromium.org>
>>>
>>> -Kees
>>>
>>
>> Reviewed-by: James Smart <james.smart@broadcom.com>
> What ever happened to this patch? Did it get dropped somehow?
>
> thanks,
>
> greg k-h
I talked with them and will make sure it's pulled in shortly.
-- james
^ permalink raw reply [flat|nested] 36+ messages in thread
end of thread, other threads:[~2019-03-21 0:41 UTC | newest]
Thread overview: 36+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-12 15:28 [PATCH 1/8] lkdtm: change snprintf to scnprintf for possible overflow Willy Tarreau
2019-01-12 15:28 ` [PATCH 2/8] libertas: " Willy Tarreau
2019-01-15 1:09 ` Kees Cook
2019-01-15 5:55 ` Kalle Valo
2019-01-15 20:35 ` Willy Tarreau
2019-01-16 16:40 ` Kalle Valo
2019-01-16 17:02 ` Willy Tarreau
2019-01-12 15:28 ` [PATCH 3/8] ocfs2: " Willy Tarreau
2019-01-15 1:14 ` Kees Cook
2019-01-12 15:28 ` [PATCH 4/8] ASoC: " Willy Tarreau
2019-01-15 1:13 ` Kees Cook
2019-01-15 1:25 ` Nicolin Chen
2019-01-15 3:18 ` Willy Tarreau
2019-01-12 15:28 ` [PATCH 5/8] scsi: lpfc: " Willy Tarreau
2019-01-15 1:15 ` Kees Cook
2019-01-15 22:41 ` James Smart
2019-03-20 17:39 ` Greg KH
2019-03-20 20:27 ` James Smart
2019-03-21 0:41 ` James Smart
2019-01-12 15:28 ` [PATCH 6/8] ASoC: intel: skylake: " Willy Tarreau
2019-01-15 1:12 ` Kees Cook
2019-01-16 18:41 ` Kees Cook
2019-01-16 19:35 ` Pierre-Louis Bossart
2019-01-16 19:51 ` Kees Cook
2019-01-12 15:28 ` [PATCH 7/8] ASoC: dapm: " Willy Tarreau
2019-01-14 14:56 ` Mark Brown
2019-01-15 3:16 ` Willy Tarreau
2019-01-15 15:44 ` Mark Brown
2019-01-15 15:55 ` Willy Tarreau
2019-01-12 15:28 ` [PATCH 8/8] spi: dw: " Willy Tarreau
2019-01-15 1:09 ` Kees Cook
2019-01-15 1:02 ` [PATCH 1/8] lkdtm: " Kees Cook
2019-01-15 1:07 ` Kees Cook
2019-01-15 3:12 ` Willy Tarreau
2019-01-15 20:47 ` Kees Cook
2019-01-18 13:06 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).