Re: [PATCH] iio:proximity:hx9031as: Add TYHX HX9031AS/HX9023S sensor driver

From: Dan Carpenter
Date: Thu May 23 2024 - 08:42:40 EST

Hi Yasin,

kernel test robot noticed the following build warnings:

https://git-scm.com/docs/git-format-patch#_base_tree_information]

url: https://github.com/intel-lab-lkp/linux/commits/Yasin-Lee/iio-proximity-hx9031as-Add-TYHX-HX9031AS-HX9023S-sensor-driver/20240515-083021
base: https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio.git togreg
patch link: https://lore.kernel.org/r/SN7PR12MB8101EDFA7F91A59761095A28A4E72%40SN7PR12MB8101.namprd12.prod.outlook.com
patch subject: [PATCH] iio:proximity:hx9031as: Add TYHX HX9031AS/HX9023S sensor driver
config: alpha-randconfig-r081-20240516 (https://download.01.org/0day-ci/archive/20240517/202405170824.uhEslLI0-lkp@xxxxxxxxx/config)
compiler: alpha-linux-gcc (GCC) 13.2.0

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@xxxxxxxxx>
| Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
| Closes: https://lore.kernel.org/r/202405170824.uhEslLI0-lkp@xxxxxxxxx/

smatch warnings:
drivers/iio/proximity/hx9031as.c:1118 hx9031as_raw_data_show() error: snprintf() is printing too much 8192 vs 512
drivers/iio/proximity/hx9031as.c:1240 hx9031as_channel_en_show() error: snprintf() is printing too much 8192 vs 512
drivers/iio/proximity/hx9031as.c:1466 hx9031as_threshold_show() error: snprintf() is printing too much 8192 vs 512
drivers/iio/proximity/hx9031as.c:1491 hx9031as_dump_show() error: snprintf() is printing too much 8192 vs 1024
drivers/iio/proximity/hx9031as.c:1513 hx9031as_offset_dac_show() error: snprintf() is printing too much 8192 vs 512

vim +1118 drivers/iio/proximity/hx9031as.c

5e5a419c9407f6 Yasin Lee 2024-05-10 1110 static ssize_t hx9031as_raw_data_show(struct file *file, char __user *user_buf, size_t count, loff_t *ppos)
5e5a419c9407f6 Yasin Lee 2024-05-10 1111 {
5e5a419c9407f6 Yasin Lee 2024-05-10 1112 char buf[BUF_SIZE] = {0};
5e5a419c9407f6 Yasin Lee 2024-05-10 1113 char *p = buf;
5e5a419c9407f6 Yasin Lee 2024-05-10 1114 int ii = 0;
5e5a419c9407f6 Yasin Lee 2024-05-10 1115
5e5a419c9407f6 Yasin Lee 2024-05-10 1116 hx9031as_sample();
5e5a419c9407f6 Yasin Lee 2024-05-10 1117 for (ii = 0; ii < HX9031AS_CH_NUM; ii++) {
5e5a419c9407f6 Yasin Lee 2024-05-10 @1118 p += snprintf(p, PAGE_SIZE, "ch[%d]: DIFF=%-8d, RAW=%-8d, OFFSET=%-8d, BL=%-8d, LP=%-8d\n",
^^^^^^^^^
This doesn't work at all. It should be BUF_SIZE instead of PAGE_SIZE
but also PAGE_SIZE is a fixed size where the number of bytes remaining
should get smaller as we write further into the buffer.

Also use scnprintf() instead of snprintf() unless you need to check the
results. The normal way to write this is:

int off = 0;

hx9031as_sample();
for (ii = 0; ii < HX9031AS_CH_NUM; ii++) {
off += scnprintf(buf + off, BUF_SIZE - off,
^^^^^^^^^ ^^^^^^^^^^^^^^

"ch[%d]: DIFF=%-8d, RAW=%-8d, OFFSET=%-8d, BL=%-8d, LP=%-8d\n",
ii, hx9031as_pdata.diff[ii], hx9031as_pdata.raw[ii], ...

5e5a419c9407f6 Yasin Lee 2024-05-10 1119 ii, hx9031as_pdata.diff[ii], hx9031as_pdata.raw[ii], hx9031as_pdata.dac[ii],
5e5a419c9407f6 Yasin Lee 2024-05-10 1120 hx9031as_pdata.bl[ii], hx9031as_pdata.lp[ii]);
5e5a419c9407f6 Yasin Lee 2024-05-10 1121 }
5e5a419c9407f6 Yasin Lee 2024-05-10 1122
5e5a419c9407f6 Yasin Lee 2024-05-10 1123 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
5e5a419c9407f6 Yasin Lee 2024-05-10 1124 }
5e5a419c9407f6 Yasin Lee 2024-05-10 1125
5e5a419c9407f6 Yasin Lee 2024-05-10 1126 static const struct file_operations hx9031as_raw_data_fops = {
5e5a419c9407f6 Yasin Lee 2024-05-10 1127 .read = hx9031as_raw_data_show,
5e5a419c9407f6 Yasin Lee 2024-05-10 1128 };
5e5a419c9407f6 Yasin Lee 2024-05-10 1129
5e5a419c9407f6 Yasin Lee 2024-05-10 1130 static ssize_t hx9031as_reg_write_store(struct file *file, const char __user *user_buf, size_t count, loff_t *ppos)
5e5a419c9407f6 Yasin Lee 2024-05-10 1131 {
5e5a419c9407f6 Yasin Lee 2024-05-10 1132 int ret = -1;
5e5a419c9407f6 Yasin Lee 2024-05-10 1133 unsigned int reg_address = 0;
5e5a419c9407f6 Yasin Lee 2024-05-10 1134 unsigned int val = 0;
5e5a419c9407f6 Yasin Lee 2024-05-10 1135 uint8_t addr = 0;
5e5a419c9407f6 Yasin Lee 2024-05-10 1136 uint8_t tx_buf[1] = {0};
5e5a419c9407f6 Yasin Lee 2024-05-10 1137 char buf[BUF_SIZE];
5e5a419c9407f6 Yasin Lee 2024-05-10 1138
5e5a419c9407f6 Yasin Lee 2024-05-10 1139 ENTER;
5e5a419c9407f6 Yasin Lee 2024-05-10 1140 if (count > BUF_SIZE)
5e5a419c9407f6 Yasin Lee 2024-05-10 1141 return -EINVAL;
5e5a419c9407f6 Yasin Lee 2024-05-10 1142
5e5a419c9407f6 Yasin Lee 2024-05-10 1143 if (copy_from_user(buf, user_buf, count))

We don't know that this is NUL terminated. What about if count == 1
and the rest of the buffer is uninitialized. Same issues in other
functions as well.

5e5a419c9407f6 Yasin Lee 2024-05-10 1144 return -EFAULT;
5e5a419c9407f6 Yasin Lee 2024-05-10 1145
5e5a419c9407f6 Yasin Lee 2024-05-10 1146 if (sscanf(buf, "%x,%x", &reg_address, &val) != 2) {
5e5a419c9407f6 Yasin Lee 2024-05-10 1147 PRINT_ERR("please input two HEX numbers: aa,bb (aa: reg_address, bb: value_to_be_set)\n");
5e5a419c9407f6 Yasin Lee 2024-05-10 1148 return -EINVAL;
5e5a419c9407f6 Yasin Lee 2024-05-10 1149 }
5e5a419c9407f6 Yasin Lee 2024-05-10 1150
5e5a419c9407f6 Yasin Lee 2024-05-10 1151 addr = (uint8_t)reg_address;
5e5a419c9407f6 Yasin Lee 2024-05-10 1152 tx_buf[0] = (uint8_t)val;
5e5a419c9407f6 Yasin Lee 2024-05-10 1153
5e5a419c9407f6 Yasin Lee 2024-05-10 1154 ret = hx9031as_write(addr, tx_buf, 1);
5e5a419c9407f6 Yasin Lee 2024-05-10 1155 if (ret != 0)
5e5a419c9407f6 Yasin Lee 2024-05-10 1156 PRINT_ERR("hx9031as_write failed\n");
5e5a419c9407f6 Yasin Lee 2024-05-10 1157
5e5a419c9407f6 Yasin Lee 2024-05-10 1158 PRINT_INF("WRITE:Reg0x%02X=0x%02X\n", addr, tx_buf[0]);
5e5a419c9407f6 Yasin Lee 2024-05-10 1159 return count;
5e5a419c9407f6 Yasin Lee 2024-05-10 1160 }

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki