mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-25 05:04:09 +08:00
51c96a561f
When get_module_eeprom_by_page() is not implemented by the driver, NULL
pointer dereference can occur [1].
Fix by testing if get_module_eeprom_by_page() is implemented instead of
get_module_info().
[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
CPU: 0 PID: 251 Comm: ethtool Not tainted 5.13.0-rc3-custom-00940-g3822d0670c9d #989
Call Trace:
eeprom_prepare_data+0x101/0x2d0
ethnl_default_doit+0xc2/0x290
genl_family_rcv_msg_doit+0xdc/0x140
genl_rcv_msg+0xd7/0x1d0
netlink_rcv_skb+0x49/0xf0
genl_rcv+0x1f/0x30
netlink_unicast+0x1f6/0x2c0
netlink_sendmsg+0x1f9/0x400
__sys_sendto+0xe1/0x130
__x64_sys_sendto+0x1b/0x20
do_syscall_64+0x3a/0x70
entry_SYSCALL_64_after_hwframe+0x44/0xae
Fixes: c97a31f66e
("ethtool: wire in generic SFP module access")
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Moshe Shemesh <moshe@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
247 lines
7.0 KiB
C
247 lines
7.0 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
#include <linux/ethtool.h>
|
|
#include <linux/sfp.h>
|
|
#include "netlink.h"
|
|
#include "common.h"
|
|
|
|
struct eeprom_req_info {
|
|
struct ethnl_req_info base;
|
|
u32 offset;
|
|
u32 length;
|
|
u8 page;
|
|
u8 bank;
|
|
u8 i2c_address;
|
|
};
|
|
|
|
struct eeprom_reply_data {
|
|
struct ethnl_reply_data base;
|
|
u32 length;
|
|
u8 *data;
|
|
};
|
|
|
|
#define MODULE_EEPROM_REQINFO(__req_base) \
|
|
container_of(__req_base, struct eeprom_req_info, base)
|
|
|
|
#define MODULE_EEPROM_REPDATA(__reply_base) \
|
|
container_of(__reply_base, struct eeprom_reply_data, base)
|
|
|
|
static int fallback_set_params(struct eeprom_req_info *request,
|
|
struct ethtool_modinfo *modinfo,
|
|
struct ethtool_eeprom *eeprom)
|
|
{
|
|
u32 offset = request->offset;
|
|
u32 length = request->length;
|
|
|
|
if (request->page)
|
|
offset = request->page * ETH_MODULE_EEPROM_PAGE_LEN + offset;
|
|
|
|
if (modinfo->type == ETH_MODULE_SFF_8079 &&
|
|
request->i2c_address == 0x51)
|
|
offset += ETH_MODULE_EEPROM_PAGE_LEN * 2;
|
|
|
|
if (offset >= modinfo->eeprom_len)
|
|
return -EINVAL;
|
|
|
|
eeprom->cmd = ETHTOOL_GMODULEEEPROM;
|
|
eeprom->len = length;
|
|
eeprom->offset = offset;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int eeprom_fallback(struct eeprom_req_info *request,
|
|
struct eeprom_reply_data *reply,
|
|
struct genl_info *info)
|
|
{
|
|
struct net_device *dev = reply->base.dev;
|
|
struct ethtool_modinfo modinfo = {0};
|
|
struct ethtool_eeprom eeprom = {0};
|
|
u8 *data;
|
|
int err;
|
|
|
|
modinfo.cmd = ETHTOOL_GMODULEINFO;
|
|
err = ethtool_get_module_info_call(dev, &modinfo);
|
|
if (err < 0)
|
|
return err;
|
|
|
|
err = fallback_set_params(request, &modinfo, &eeprom);
|
|
if (err < 0)
|
|
return err;
|
|
|
|
data = kmalloc(eeprom.len, GFP_KERNEL);
|
|
if (!data)
|
|
return -ENOMEM;
|
|
err = ethtool_get_module_eeprom_call(dev, &eeprom, data);
|
|
if (err < 0)
|
|
goto err_out;
|
|
|
|
reply->data = data;
|
|
reply->length = eeprom.len;
|
|
|
|
return 0;
|
|
|
|
err_out:
|
|
kfree(data);
|
|
return err;
|
|
}
|
|
|
|
static int get_module_eeprom_by_page(struct net_device *dev,
|
|
struct ethtool_module_eeprom *page_data,
|
|
struct netlink_ext_ack *extack)
|
|
{
|
|
const struct ethtool_ops *ops = dev->ethtool_ops;
|
|
|
|
if (dev->sfp_bus)
|
|
return sfp_get_module_eeprom_by_page(dev->sfp_bus, page_data, extack);
|
|
|
|
if (ops->get_module_eeprom_by_page)
|
|
return ops->get_module_eeprom_by_page(dev, page_data, extack);
|
|
|
|
return -EOPNOTSUPP;
|
|
}
|
|
|
|
static int eeprom_prepare_data(const struct ethnl_req_info *req_base,
|
|
struct ethnl_reply_data *reply_base,
|
|
struct genl_info *info)
|
|
{
|
|
struct eeprom_reply_data *reply = MODULE_EEPROM_REPDATA(reply_base);
|
|
struct eeprom_req_info *request = MODULE_EEPROM_REQINFO(req_base);
|
|
struct ethtool_module_eeprom page_data = {0};
|
|
struct net_device *dev = reply_base->dev;
|
|
int ret;
|
|
|
|
page_data.offset = request->offset;
|
|
page_data.length = request->length;
|
|
page_data.i2c_address = request->i2c_address;
|
|
page_data.page = request->page;
|
|
page_data.bank = request->bank;
|
|
page_data.data = kmalloc(page_data.length, GFP_KERNEL);
|
|
if (!page_data.data)
|
|
return -ENOMEM;
|
|
|
|
ret = ethnl_ops_begin(dev);
|
|
if (ret)
|
|
goto err_free;
|
|
|
|
ret = get_module_eeprom_by_page(dev, &page_data, info->extack);
|
|
if (ret < 0)
|
|
goto err_ops;
|
|
|
|
reply->length = ret;
|
|
reply->data = page_data.data;
|
|
|
|
ethnl_ops_complete(dev);
|
|
return 0;
|
|
|
|
err_ops:
|
|
ethnl_ops_complete(dev);
|
|
err_free:
|
|
kfree(page_data.data);
|
|
|
|
if (ret == -EOPNOTSUPP)
|
|
return eeprom_fallback(request, reply, info);
|
|
return ret;
|
|
}
|
|
|
|
static int eeprom_parse_request(struct ethnl_req_info *req_info, struct nlattr **tb,
|
|
struct netlink_ext_ack *extack)
|
|
{
|
|
struct eeprom_req_info *request = MODULE_EEPROM_REQINFO(req_info);
|
|
|
|
if (!tb[ETHTOOL_A_MODULE_EEPROM_OFFSET] ||
|
|
!tb[ETHTOOL_A_MODULE_EEPROM_LENGTH] ||
|
|
!tb[ETHTOOL_A_MODULE_EEPROM_PAGE] ||
|
|
!tb[ETHTOOL_A_MODULE_EEPROM_I2C_ADDRESS])
|
|
return -EINVAL;
|
|
|
|
request->i2c_address = nla_get_u8(tb[ETHTOOL_A_MODULE_EEPROM_I2C_ADDRESS]);
|
|
request->offset = nla_get_u32(tb[ETHTOOL_A_MODULE_EEPROM_OFFSET]);
|
|
request->length = nla_get_u32(tb[ETHTOOL_A_MODULE_EEPROM_LENGTH]);
|
|
|
|
if (!request->length)
|
|
return -EINVAL;
|
|
|
|
/* The following set of conditions limit the API to only dump 1/2
|
|
* EEPROM page without crossing low page boundary located at offset 128.
|
|
* This means user may only request dumps of length limited to 128 from
|
|
* either low 128 bytes or high 128 bytes.
|
|
* For pages higher than 0 only high 128 bytes are accessible.
|
|
*/
|
|
request->page = nla_get_u8(tb[ETHTOOL_A_MODULE_EEPROM_PAGE]);
|
|
if (request->page && request->offset < ETH_MODULE_EEPROM_PAGE_LEN) {
|
|
NL_SET_ERR_MSG_ATTR(extack, tb[ETHTOOL_A_MODULE_EEPROM_PAGE],
|
|
"reading from lower half page is allowed for page 0 only");
|
|
return -EINVAL;
|
|
}
|
|
|
|
if (request->offset < ETH_MODULE_EEPROM_PAGE_LEN &&
|
|
request->offset + request->length > ETH_MODULE_EEPROM_PAGE_LEN) {
|
|
NL_SET_ERR_MSG_ATTR(extack, tb[ETHTOOL_A_MODULE_EEPROM_LENGTH],
|
|
"reading cross half page boundary is illegal");
|
|
return -EINVAL;
|
|
} else if (request->offset >= ETH_MODULE_EEPROM_PAGE_LEN * 2) {
|
|
NL_SET_ERR_MSG_ATTR(extack, tb[ETHTOOL_A_MODULE_EEPROM_OFFSET],
|
|
"offset is out of bounds");
|
|
return -EINVAL;
|
|
} else if (request->offset + request->length > ETH_MODULE_EEPROM_PAGE_LEN * 2) {
|
|
NL_SET_ERR_MSG_ATTR(extack, tb[ETHTOOL_A_MODULE_EEPROM_LENGTH],
|
|
"reading cross page boundary is illegal");
|
|
return -EINVAL;
|
|
}
|
|
|
|
if (tb[ETHTOOL_A_MODULE_EEPROM_BANK])
|
|
request->bank = nla_get_u8(tb[ETHTOOL_A_MODULE_EEPROM_BANK]);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int eeprom_reply_size(const struct ethnl_req_info *req_base,
|
|
const struct ethnl_reply_data *reply_base)
|
|
{
|
|
const struct eeprom_req_info *request = MODULE_EEPROM_REQINFO(req_base);
|
|
|
|
return nla_total_size(sizeof(u8) * request->length); /* _EEPROM_DATA */
|
|
}
|
|
|
|
static int eeprom_fill_reply(struct sk_buff *skb,
|
|
const struct ethnl_req_info *req_base,
|
|
const struct ethnl_reply_data *reply_base)
|
|
{
|
|
struct eeprom_reply_data *reply = MODULE_EEPROM_REPDATA(reply_base);
|
|
|
|
return nla_put(skb, ETHTOOL_A_MODULE_EEPROM_DATA, reply->length, reply->data);
|
|
}
|
|
|
|
static void eeprom_cleanup_data(struct ethnl_reply_data *reply_base)
|
|
{
|
|
struct eeprom_reply_data *reply = MODULE_EEPROM_REPDATA(reply_base);
|
|
|
|
kfree(reply->data);
|
|
}
|
|
|
|
const struct ethnl_request_ops ethnl_module_eeprom_request_ops = {
|
|
.request_cmd = ETHTOOL_MSG_MODULE_EEPROM_GET,
|
|
.reply_cmd = ETHTOOL_MSG_MODULE_EEPROM_GET_REPLY,
|
|
.hdr_attr = ETHTOOL_A_MODULE_EEPROM_HEADER,
|
|
.req_info_size = sizeof(struct eeprom_req_info),
|
|
.reply_data_size = sizeof(struct eeprom_reply_data),
|
|
|
|
.parse_request = eeprom_parse_request,
|
|
.prepare_data = eeprom_prepare_data,
|
|
.reply_size = eeprom_reply_size,
|
|
.fill_reply = eeprom_fill_reply,
|
|
.cleanup_data = eeprom_cleanup_data,
|
|
};
|
|
|
|
const struct nla_policy ethnl_module_eeprom_get_policy[] = {
|
|
[ETHTOOL_A_MODULE_EEPROM_HEADER] = NLA_POLICY_NESTED(ethnl_header_policy),
|
|
[ETHTOOL_A_MODULE_EEPROM_OFFSET] = { .type = NLA_U32 },
|
|
[ETHTOOL_A_MODULE_EEPROM_LENGTH] = { .type = NLA_U32 },
|
|
[ETHTOOL_A_MODULE_EEPROM_PAGE] = { .type = NLA_U8 },
|
|
[ETHTOOL_A_MODULE_EEPROM_BANK] = { .type = NLA_U8 },
|
|
[ETHTOOL_A_MODULE_EEPROM_I2C_ADDRESS] =
|
|
NLA_POLICY_RANGE(NLA_U8, 0, ETH_MODULE_MAX_I2C_ADDRESS),
|
|
};
|
|
|