Re: [PATCH net-next v7 2/2] net: sfp: extend SMBus support

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Simon Horman <horms@kernel.org>
To: Jonas Jelonek <jelonek.jonas@gmail.com>
Cc: linux@armlinux.org.uk, andrew@lunn.ch, hkallweit1@gmail.com,
	davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
	pabeni@redhat.com, maxime.chevallier@bootlin.com,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	bjorn@mork.no
Subject: Re: [PATCH net-next v7 2/2] net: sfp: extend SMBus support
Date: Fri, 15 May 2026 17:40:22 +0100	[thread overview]
Message-ID: <20260515164022.GD227382@horms.kernel.org> (raw)
In-Reply-To: <d2a56757-8e57-4c06-91e0-dfd33855ad86@gmail.com>

On Fri, May 15, 2026 at 03:55:22PM +0200, Jonas Jelonek wrote:
> Hi,
> 
> On 10.05.26 18:47, Simon Horman wrote:
> > From: 'Simon Horman' <horms@kernel.org>
> >
> > [ ... ]
> >> @@ -756,50 +757,110 @@ static int sfp_i2c_write(struct sfp *sfp, bool a2, u8 dev_addr, void *buf,
> > [ ... ]
> >> +static int sfp_smbus_read(struct sfp *sfp, bool a2, u8 dev_addr, void *buf,
> >> +			  size_t len)
> >> +{
> >> +	union i2c_smbus_data smbus_data;
> >> +	u8 bus_addr = a2 ? 0x51 : 0x50;
> >> +	size_t this_len, transferred;
> >> +	u32 functionality;
> >> +	u8 *data = buf;
> >> +	int ret;
> >> +
> >> +	functionality = i2c_get_functionality(sfp->i2c);
> >> +
> >> +	while (len) {
> >> +		this_len = min(len, sfp->i2c_block_size);
> >> +
> >> +		if (functionality & I2C_FUNC_SMBUS_READ_I2C_BLOCK) {
> >> +			smbus_data.block[0] = this_len;
> >> +			ret = i2c_smbus_xfer(sfp->i2c, bus_addr, 0,
> >> +					     I2C_SMBUS_READ, dev_addr,
> >> +					     I2C_SMBUS_I2C_BLOCK_DATA, &smbus_data);
> >> +			if (ret < 0)
> >> +				return ret;
> >> +
> >> +			memcpy(data, &smbus_data.block[1], this_len);
> > Can this sequence leak uninitialized kernel stack memory to the output buffer?
> >
> > When performing an I2C_SMBUS_I2C_BLOCK_DATA transfer, i2c_smbus_xfer()
> > updates smbus_data.block[0] with the actual number of bytes read from the
> > bus upon success.
> >
> > If the adapter or device returns fewer bytes than requested (a short read),
> > smbus_data.block[0] will be less than this_len. Because memcpy()
> > unconditionally copies this_len bytes, it appears it would overrun the valid
> > data and copy uninitialized memory from the smbus_data stack variable.
> >
> > Since the SFP EEPROM data is accessible to userspace via ethtool, could this
> > expose uninitialized kernel stack memory to userspace?
> >
> > Should the code verify that smbus_data.block[0] == this_len, or use
> > smbus_data.block[0] as the actual transferred length?
> 
> Valid point, indeed uninitialized memory might be leaked here. I wouldn't
> use the proposed fix though. Maybe I missed it but It doesn't seem to be
> the contract that I2C/SMBus drivers need to update that field after read.
> So using that for a check seems wrong. As a fix I will just make sure no
> uninitialized memory is leaked.

Yes, that sounds good to me.

> 
> If there are other suggestions please raise your hand, otherwise I'll
> sned the follow-up soon.
> 
> Regards,
> Jonas Jelonek
>

next prev parent reply	other threads:[~2026-05-15 16:40 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-07  9:32 [PATCH net-next v7 0/2] net: sfp: extend SMBus support Jonas Jelonek
2026-05-07  9:33 ` [PATCH net-next v7 1/2] net: sfp: apply I2C adapter quirks to limit block size Jonas Jelonek
2026-05-10 16:47   ` Simon Horman
2026-05-14 14:33     ` Jonas Jelonek
2026-05-15 16:42       ` Simon Horman
2026-05-07  9:33 ` [PATCH net-next v7 2/2] net: sfp: extend SMBus support Jonas Jelonek
2026-05-07 20:45   ` Maxime Chevallier
2026-05-10 16:47   ` Simon Horman
2026-05-15 13:55     ` Jonas Jelonek
2026-05-15 16:40       ` Simon Horman [this message]
2026-05-15  7:33   ` Maxime Chevallier
2026-05-15  8:00     ` Jonas Jelonek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260515164022.GD227382@horms.kernel.org \
    --to=horms@kernel.org \
    --cc=andrew@lunn.ch \
    --cc=bjorn@mork.no \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=hkallweit1@gmail.com \
    --cc=jelonek.jonas@gmail.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux@armlinux.org.uk \
    --cc=maxime.chevallier@bootlin.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.