[lvc-project] [PATCH v2] net: fealnx: fix possible 'card_idx' integer overflow in

David Laight david.laight.linux at gmail.com
Fri Dec 12 20:36:03 MSK 2025 

On Fri, 12 Dec 2025 14:46:03 +0000
Simon Horman <horms at kernel.org> wrote:

> On Fri, Dec 12, 2025 at 07:30:04PM +0800, kernel test robot wrote:
> > Hi Ilya,
> > 
> > kernel test robot noticed the following build warnings:
> > 
> > [auto build test WARNING on net-next/main]
> > [also build test WARNING on net/main linus/master v6.18 next-20251212]
> > [If your patch is applied to the wrong git tree, kindly drop us a note.
> > And when submitting patch, we suggest to use '--base' as documented in
> > https://git-scm.com/docs/git-format-patch#_base_tree_information]
> > 
> > url:    https://github.com/intel-lab-lkp/linux/commits/Ilya-Krutskih/net-fealnx-fix-possible-card_idx-integer-overflow-in/20251212-013335
> > base:   net-next/main
> > patch link:    https://lore.kernel.org/r/20251211173035.852756-1-devsec%40tpz.ru
> > patch subject: [PATCH v2] net: fealnx: fix possible 'card_idx' integer overflow in
> > config: alpha-allyesconfig (https://download.01.org/0day-ci/archive/20251212/202512121907.n3Bzh2zF-lkp@intel.com/config)
> > compiler: alpha-linux-gcc (GCC) 15.1.0
> > reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251212/202512121907.n3Bzh2zF-lkp@intel.com/reproduce)
> > 
> > If you fix the issue in a separate patch/commit (i.e. not just a new version of
> > the same patch/commit), kindly add following tags
> > | Reported-by: kernel test robot <lkp at intel.com>
> > | Closes: https://lore.kernel.org/oe-kbuild-all/202512121907.n3Bzh2zF-lkp@intel.com/
> > 
> > All warnings (new ones prefixed by >>):
> > 
> >    drivers/net/ethernet/fealnx.c: In function 'fealnx_init_one':  
> > >> drivers/net/ethernet/fealnx.c:496:35: warning: '%d' directive writing between 1 and 11 bytes into a region of size 6 [-Wformat-overflow=]  
> >      496 |         sprintf(boardname, "fealnx%d", card_idx);
> >          |                                   ^~
> >    drivers/net/ethernet/fealnx.c:496:28: note: directive argument in the range [-2147483647, 2147483647]
> >      496 |         sprintf(boardname, "fealnx%d", card_idx);
> >          |                            ^~~~~~~~~~
> >    drivers/net/ethernet/fealnx.c:496:9: note: 'sprintf' output between 8 and 18 bytes into a destination of size 12
> >      496 |         sprintf(boardname, "fealnx%d", card_idx);
> >          |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
> 
> Although I think these new warnings are not strictly for problems
> introduced by this patch. They do make me wonder
> if it would be best to cap card_index MAX_UNITS and
> return an error if that limit is exceeded.

The code seems to be written allowing for more than MAX_UNITS 'units'.

Actually it all looks pretty broken to me...
'card_idx' is incremented by every call to fealnx_init_one().
That is the pci_driver.probe() function.
So every card remove and rescan will increment it.
(Is the .probe() even serialised? I can't remember...)

Then there is the MODULE_PARAM_DESC() that states that bit 17 of 'options'
is the 'full duplex' flag, but the code checks 'options & 0x200'.

And I just don't understand the assignment: option = dev->mem_start;

The code was like this when Linux created git.

	David

More information about the lvc-project mailing list