Message ID | 20240725022942.1720199-1-make24@iscas.ac.cn (mailing list archive) |
---|---|
State | Accepted |
Commit | 08f3a5c38087d1569e982a121aad1e6acbf145ce |
Series | [net,v4] net: usb: sr9700: fix uninitialized variable use in sr_mdio_read |
On Thu, 25 Jul 2024 10:29:42 +0800, Ma Ke wrote: > It could lead to error happen because the variable res is not updated if > the call to sr_share_read_word returns an error. In this particular case > error code was returned and res stayed uninitialized. Same issue also > applies to sr_read_reg. > > This can be avoided by checking the return value of sr_share_read_word > and sr_read_reg, and propagating the error if the read operation failed. > > Found by code review. > > Cc: stable@vger.kernel.org > Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support") > Signed-off-by: Ma Ke <make24@iscas.ac.cn> I did a quick check for sr9700.c and there seems to be other suspicious usage of sr_read_reg(). But, for sr_mdio_read(), I think the patch is sufficient. Reviewed-by: Shigeru Yoshida <syoshida@redhat.com> > --- > Changes in v4: > - added a check for sr_read_reg() as suggestions. > Changes in v3: > - added Cc stable line as suggestions. > Changes in v2: > - modified the subject as suggestions. > --- > drivers/net/usb/sr9700.c | 11 +++++++++-- > 1 file changed, 9 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c > index 0a662e42ed96..cb7d2f798fb4 100644 > --- a/drivers/net/usb/sr9700.c > +++ b/drivers/net/usb/sr9700.c > @@ -179,6 +179,7 @@ static int sr_mdio_read(struct net_device *netdev, int phy_id, int loc) > struct usbnet *dev = netdev_priv(netdev); > __le16 res; > int rc = 0; > + int err; > > if (phy_id) { > netdev_dbg(netdev, "Only internal phy supported\n"); 
> @@ -189,11 +190,17 @@ static int sr_mdio_read(struct net_device *netdev, int phy_id, int loc) > if (loc == MII_BMSR) { > u8 value; > > - sr_read_reg(dev, SR_NSR, &value); > + err = sr_read_reg(dev, SR_NSR, &value); > + if (err < 0) > + return err; > + > if (value & NSR_LINKST) > rc = 1; > } > - sr_share_read_word(dev, 1, loc, &res); > + err = sr_share_read_word(dev, 1, loc, &res); > + if (err < 0) > + return err; > + > if (rc == 1) > res = le16_to_cpu(res) | BMSR_LSTATUS; > else > -- > 2.25.1 >
On 2024-07-25 at 08:31:00, Shigeru Yoshida (syoshida@redhat.com) wrote:
> On Thu, 25 Jul 2024 10:29:42 +0800, Ma Ke wrote:
> > It could lead to error happen because the variable res is not updated if
> > the call to sr_share_read_word returns an error. In this particular case
> > error code was returned and res stayed uninitialized. Same issue also
> > applies to sr_read_reg.
> >
> > This can be avoided by checking the return value of sr_share_read_word
> > and sr_read_reg, and propagating the error if the read operation failed.
> >
> > Found by code review.
> >
> > Cc: stable@vger.kernel.org
> > Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support")
> > Signed-off-by: Ma Ke <make24@iscas.ac.cn>
>
> I did a quick check for sr9700.c and there seems to be other
> suspicious usage of sr_read_reg(). But, for sr_mdio_read(), I think
> the patch is sufficient.
>
> Reviewed-by: Shigeru Yoshida <syoshida@redhat.com>
>
> Agree with Shigeru, may be you can submit another patch addressing
> "suspicious usage of sr_read_reg" this patch looks good
Reviewed-by: Hariprasad Kelam <hkelam@marvell.com>
Hello:

This patch was applied to netdev/net.git (main)
by David S. Miller <davem@davemloft.net>:

On Thu, 25 Jul 2024 10:29:42 +0800 you wrote:
> It could lead to error happen because the variable res is not updated if
> the call to sr_share_read_word returns an error. In this particular case
> error code was returned and res stayed uninitialized. Same issue also
> applies to sr_read_reg.
>
> This can be avoided by checking the return value of sr_share_read_word
> and sr_read_reg, and propagating the error if the read operation failed.
>
> [...]

Here is the summary with links:
  - [net,v4] net: usb: sr9700: fix uninitialized variable use in sr_mdio_read
    https://git.kernel.org/netdev/net/c/08f3a5c38087

You are awesome, thank you!
diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c index 0a662e42ed96..cb7d2f798fb4 100644 --- a/drivers/net/usb/sr9700.c +++ b/drivers/net/usb/sr9700.c @@ -179,6 +179,7 @@ static int sr_mdio_read(struct net_device *netdev, int phy_id, int loc) struct usbnet *dev = netdev_priv(netdev); __le16 res; int rc = 0; + int err; if (phy_id) { netdev_dbg(netdev, "Only internal phy supported\n"); @@ -189,11 +190,17 @@ static int sr_mdio_read(struct net_device *netdev, int phy_id, int loc) if (loc == MII_BMSR) { u8 value; - sr_read_reg(dev, SR_NSR, &value); + err = sr_read_reg(dev, SR_NSR, &value); + if (err < 0) + return err; + if (value & NSR_LINKST) rc = 1; } - sr_share_read_word(dev, 1, loc, &res); + err = sr_share_read_word(dev, 1, loc, &res); + if (err < 0) + return err; + if (rc == 1) res = le16_to_cpu(res) | BMSR_LSTATUS; else
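Review bot: in the first hunk (declarations of sr_mdio_read()), the new `int err;` sits directly beside `int rc = 0;`, yet `rc` is not a return code in this function. The second hunk's context sets `rc = 1` when `value & NSR_LINKST` is true and later tests `if (rc == 1)`, so it is a link-status flag. Two status-looking integers in one function are easy to mix up; consider renaming `rc` to something like `link_up` (a bool) in a follow-up, so that `err` is the only variable that carries an error code.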
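Review bot: in the second hunk, the two added `return err;` paths hand a negative errno back from sr_mdio_read(), while the rest of the visible body builds a register value in `res`, and nothing in the patch documents the new return convention or shows a caller checking for it. Please confirm that callers test for a negative return before masking status bits out of it, or add a short comment above the function stating that it returns either the register value or a negative error code. Separately, the unchanged context line `res = le16_to_cpu(res) | BMSR_LSTATUS;` stores a CPU-order value back into the variable declared as `__le16 res`; a plain integer local for the converted value would keep the endianness annotation accurate.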
It could lead to error happen because the variable res is not updated if
the call to sr_share_read_word returns an error. In this particular case
error code was returned and res stayed uninitialized. Same issue also
applies to sr_read_reg.

This can be avoided by checking the return value of sr_share_read_word
and sr_read_reg, and propagating the error if the read operation failed.

Found by code review.

Cc: stable@vger.kernel.org
Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
---
Changes in v4:
- added a check for sr_read_reg() as suggestions.
Changes in v3:
- added Cc stable line as suggestions.
Changes in v2:
- modified the subject as suggestions.
---
 drivers/net/usb/sr9700.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)