Message ID | 20201001073221.239618-1-anant.thazhemadam@gmail.com |
---|---|
State | New |
Series | [Linux-kernel-mentees,v2] net: usb: rtl8150: prevent set_ethernet_addr from setting uninit address |
On Fri, Oct 02, 2020 at 05:04:13PM +0530, Anant Thazhemadam wrote:
>
> On 02/10/20 7:45 am, David Miller wrote:
> > From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
> > Date: Thu, 1 Oct 2020 13:02:20 +0530
> >
> >> When get_registers() fails (which happens when usb_control_msg() fails)
> >> in set_ethernet_addr(), the uninitialized value of node_id gets copied
> >> as the address.
> >>
> >> Checking for the return values appropriately, and handling the case
> >> wherein set_ethernet_addr() fails like this, helps in avoiding the
> >> mac address being incorrectly set in this manner.
> >>
> >> Reported-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com
> >> Tested-by: syzbot+abbc768b560c84d92fd3@syzkaller.appspotmail.com
> >> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
> >> Acked-by: Petko Manolov <petkan@nucleusys.com>
> > First, please remove "Linux-kernel-mentees" from the Subject line.
> >
> > All patch submitters should have their work judged equally, whoever
> > they are. So this Subject text gives no extra information, and it
> > simply makes scanning Subject lines in one's mailer more difficult.
> I will keep that in mind for all future submissions. Thank you.
>
> > Second, when a MAC address fails to probe a random MAC address should
> > be selected. We have helpers for this. This way an interface still
> > comes up and is usable, even in the event of a failed MAC address
> > probe.
>
> Okay... I see.
> But this patch is about ensuring that an uninitialized variable's
> value (whatever that may be) is not set as the ethernet address
> blindly (without any form of checking if get_registers() worked
> as expected, or not). And I didn't think uninitialized values being
> set as MAC address was considered a good outcome (after all, it
> seemed to have triggered a bug), especially when it could have
> been avoided by introducing a simple check that doesn't break
> anything.

If the read from the device for the MAC address fails, don't abort the
whole probe process and make the device not work at all, call the
networking core to assign a random MAC address.

> However, if I was mistaken, and if that is something that we can live
> with after all, then I don't really see the understand the purpose of
> similar checks being made (in all the many places that the return
> value of get_registers() (or a similar function gets checked) in the first
> place at all.

Different values and registers determine what should be done with an
error. It's all relative.

For this type of error, we should gracefully recover and keep on going.
For others, maybe we just ignore the issue, or log it, or something
else, it all depends.

hope this helps,

greg k-h
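The fallback asked for in the reply above, modelled in userspace C as an added example (it is not code from the thread or from the rtl8150 driver). `read_regs_fn`, `read_ok`, `read_fail`, `random_local_addr` and `set_addr_model` are hypothetical names, the device address is constructed, and `rand()` stands in for the kernel's random source.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define ETH_ALEN 6

/* Hypothetical stand-in for get_registers(): bytes read, or < 0 on error. */
typedef int (*read_regs_fn)(void *data, size_t size);

static int read_ok(void *data, size_t size)
{
    static const uint8_t mac[ETH_ALEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}; /* constructed */
    memcpy(data, mac, size);
    return (int)size;
}

static int read_fail(void *data, size_t size)
{
    (void)data; (void)size;      /* failed transfer: buffer left untouched */
    return -1;
}

/* Same first-octet fix-up the kernel's eth_random_addr() applies. */
static void random_local_addr(uint8_t *addr)
{
    for (int i = 0; i < ETH_ALEN; i++)
        addr[i] = (uint8_t)rand();       /* model only, not a kernel RNG */
    addr[0] = (addr[0] & 0xfe) | 0x02;   /* unicast, locally administered */
}

/* Returns true if dev_addr came from the device, false if it is random. */
static bool set_addr_model(read_regs_fn read_regs, uint8_t *dev_addr)
{
    uint8_t node_id[ETH_ALEN];           /* uninitialized, as in the driver */
    if (read_regs(node_id, sizeof(node_id)) == (int)sizeof(node_id)) {
        memcpy(dev_addr, node_id, ETH_ALEN);
        return true;
    }
    random_local_addr(dev_addr);         /* node_id is never read on this path */
    return false;
}

int main(void)
{
    uint8_t a[ETH_ALEN], b[ETH_ALEN];
    bool ok = set_addr_model(read_ok, a) && !set_addr_model(read_fail, b);
    printf("fallback first octet: 0x%02x\n", b[0]);
    return ok ? 0 : 1;
}
```

In the driver itself the equivalent step would be a call to `eth_hw_addr_random()` on the net device instead of the hand-rolled helper used here.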
On Thu, 2020-10-01 at 13:02 +0530, Anant Thazhemadam wrote: > When get_registers() fails (which happens when usb_control_msg() fails) > in set_ethernet_addr(), the uninitialized value of node_id gets copied > as the address. unrelated trivia: > diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c [] > @@ -274,12 +274,17 @@ static int write_mii_word(rtl8150_t * dev, u8 phy, __u8 indx, u16 reg) > return 1; > } > > -static inline void set_ethernet_addr(rtl8150_t * dev) > +static bool set_ethernet_addr(rtl8150_t *dev) > { > u8 node_id[6]; This might be better as: u8 node_id[ETH_ALEN]; > + int ret; > > - get_registers(dev, IDR, sizeof(node_id), node_id); > - memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id)); > + ret = get_registers(dev, IDR, sizeof(node_id), node_id); > + if (ret == sizeof(node_id)) { > + memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id)); and ether_addr_copy(dev->netdev->dev_addr, node_id);
On 04/10/20 1:08 am, Joe Perches wrote: > On Thu, 2020-10-01 at 13:02 +0530, Anant Thazhemadam wrote: >> When get_registers() fails (which happens when usb_control_msg() fails) >> in set_ethernet_addr(), the uninitialized value of node_id gets copied >> as the address. > unrelated trivia: > >> diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c > [] >> @@ -274,12 +274,17 @@ static int write_mii_word(rtl8150_t * dev, u8 phy, __u8 indx, u16 reg) >> return 1; >> } >> >> -static inline void set_ethernet_addr(rtl8150_t * dev) >> +static bool set_ethernet_addr(rtl8150_t *dev) >> { >> u8 node_id[6]; > This might be better as: > > u8 node_id[ETH_ALEN]; > >> + int ret; >> >> - get_registers(dev, IDR, sizeof(node_id), node_id); >> - memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id)); >> + ret = get_registers(dev, IDR, sizeof(node_id), node_id); >> + if (ret == sizeof(node_id)) { >> + memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id)); > and > ether_addr_copy(dev->netdev->dev_addr, node_id); > > I will include this change as well, in the v3. Thank you for pointing that out. Thanks, Anant
diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c index 733f120c852b..e542a9ab2ff8 100644 --- a/drivers/net/usb/rtl8150.c +++ b/drivers/net/usb/rtl8150.c @@ -150,7 +150,7 @@ static const char driver_name [] = "rtl8150"; ** device related part of the code ** */ -static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data) +static int get_registers(rtl8150_t *dev, u16 indx, u16 size, void *data) { void *buf; int ret; @@ -274,12 +274,17 @@ static int write_mii_word(rtl8150_t * dev, u8 phy, __u8 indx, u16 reg) return 1; } -static inline void set_ethernet_addr(rtl8150_t * dev) +static bool set_ethernet_addr(rtl8150_t *dev) { u8 node_id[6]; + int ret; - get_registers(dev, IDR, sizeof(node_id), node_id); - memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id)); + ret = get_registers(dev, IDR, sizeof(node_id), node_id); + if (ret == sizeof(node_id)) { + memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id)); + return true; + } + return false; } static int rtl8150_set_mac_address(struct net_device *netdev, void *p) @@ -909,21 +914,24 @@ static int rtl8150_probe(struct usb_interface *intf, goto out1; } fill_skb_pool(dev); - set_ethernet_addr(dev); - + if (!set_ethernet_addr(dev)) { + dev_err(&intf->dev, "couldn't set the ethernet address for the device\n"); + goto out2; + } usb_set_intfdata(intf, dev); SET_NETDEV_DEV(netdev, &intf->dev); if (register_netdev(netdev) != 0) { dev_err(&intf->dev, "couldn't register the device\n"); - goto out2; + goto out3; } dev_info(&intf->dev, "%s: rtl8150 is detected\n", netdev->name); return 0; -out2: +out3: usb_set_intfdata(intf, NULL); +out2: free_skb_pool(dev); out1: free_all_urbs(dev);
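Review bot: In the first hunk (@@ -150,7 +150,7 @@), the `rtl8150_t * dev` to `rtl8150_t *dev` spacing change in the get_registers() signature is a style cleanup unrelated to the uninitialized-address fix and belongs in a separate patch, which keeps the bug fix minimal and easier to backport. The cleanup is also partial: the next hunk header shows write_mii_word() still using `rtl8150_t * dev`.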
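Review bot: In the second hunk (set_ethernet_addr()), the `bool` return throws away the value held in `ret`, so the caller cannot log or propagate the reason the register read failed; returning `int` (0 on success, otherwise the value get_registers() reported) keeps that information. The test `ret == sizeof(node_id)` compares an `int` with a `size_t`; it gives the right answer because a negative `ret` converts to a large unsigned value, but checking `ret < 0` first or casting the size makes the intent explicit. `u8 node_id[6]` should use `ETH_ALEN`, and the copy can use `ether_addr_copy()`, as already raised in this thread.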
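Review bot: In the third hunk (rtl8150_probe()), `goto out2` on a failed set_ethernet_addr() aborts the whole probe, so one failed register read leaves the adapter unusable. As requested in this thread, fall back to a random MAC address through the networking core helper (`eth_hw_addr_random()`) and continue with registration; doing so also removes the need to renumber `out2` to `out3`. If the failure path is kept anyway, the value returned to the caller on this path is not visible in the hunk and should be confirmed to be a negative errno.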