Re: [PATCH] net: fix uninitialised access in mii_nway_restart() and cleanup error handling

[Simon Horman <horms@kernel.org>]

On Tue, Mar 11, 2025 at 04:11:57PM +0000, Qasim Ijaz wrote:
> In mii_nway_restart() during the line:
> 
>         bmcr = mii->mdio_read(mii->dev, mii->phy_id, MII_BMCR);
> 
> The code attempts to call mii->mdio_read which is ch9200_mdio_read().
> 
> ch9200_mdio_read() utilises a local buffer, which is initialised
> with control_read():
> 
>         unsigned char buff[2];
> 
> However buff is conditionally initialised inside control_read():
> 
>         if (err == size) {
>                 memcpy(data, buf, size);
>         }
> 
> If the condition of "err == size" is not met, then buff remains
> uninitialised. Once this happens the uninitialised buff is accessed
> and returned during ch9200_mdio_read():
> 
>         return (buff[0] | buff[1] << 8);
> 
> The problem stems from the fact that ch9200_mdio_read() ignores the
> return value of control_read(), leading to uinit-access of buff.
> 
> To fix this we should check the return value of control_read()
> and return early on error.
> 
> Furthermore the get_mac_address() function has a similar problem where
> it does not directly check the return value of each control_read(),
> instead it sums up the return values and checks them all at the end
> which means if any call to control_read() fails the function just 
> continues on.
> 
> Handle this by validating the return value of each call and fail fast
> and early instead of continuing.
> 
> Lastly ch9200_bind() ignores the return values of multiple 
> control_write() calls.
> 
> Validate each control_write() call to ensure it succeeds before
> continuing with the next call.

Hi Qasim,

I see that these problems are related, but this is quite a lot
of fixes for one patch: the rule of thumb is one fix per patch.
Could you consider splitting it up along those lines?

> 
> Reported-by: syzbot <syzbot+3361c2d6f78a3e0892f9@syzkaller.appspotmail.com>
> Closes: https://syzkaller.appspot.com/bug?extid=3361c2d6f78a3e0892f9
> Tested-by: syzbot <syzbot+3361c2d6f78a3e0892f9@syzkaller.appspotmail.com>
> Fixes: 4a476bd6d1d9 ("usbnet: New driver for QinHeng CH9200 devices")
> Cc: stable@vger.kernel.org
> Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>

...

> diff --git a/drivers/net/usb/ch9200.c b/drivers/net/usb/ch9200.c
> index f69d9b902da0..e938501a1fc8 100644
> --- a/drivers/net/usb/ch9200.c
> +++ b/drivers/net/usb/ch9200.c
> @@ -178,6 +178,7 @@ static int ch9200_mdio_read(struct net_device *netdev, int phy_id, int loc)
>  {
>  	struct usbnet *dev = netdev_priv(netdev);
>  	unsigned char buff[2];
> +	int ret;
>  
>  	netdev_dbg(netdev, "%s phy_id:%02x loc:%02x\n",
>  		   __func__, phy_id, loc);
> @@ -185,8 +186,10 @@ static int ch9200_mdio_read(struct net_device *netdev, int phy_id, int loc)
>  	if (phy_id != 0)
>  		return -ENODEV;
>  
> -	control_read(dev, REQUEST_READ, 0, loc * 2, buff, 0x02,
> -		     CONTROL_TIMEOUT_MS);
> +	ret = control_read(dev, REQUEST_READ, 0, loc * 2, buff, 0x02,
> +			   CONTROL_TIMEOUT_MS);
> +	if (ret != 2)
> +		return ret;

If I understand things correctly, control_read() can (only) return:

* 2: success
* negative error value: a different failure mode

If so, I think it would be more idiomatic to write this as:

	if (ret < 0)
		return ret;

This makes it easier for those reading the code to see that
an error value is being returns on error.

Likewise elsewhere in this patch.

>  
>  	return (buff[0] | buff[1] << 8);
>  }

...