When get_registers() fails, in set_ethernet_addr(), the uninitialized value of node_id gets copied as the address. This can be considered as set_ethernet_addr() itself failing.

The return type of set_ethernet_addr() is modified to indicate if it failed or not, and return values are appropriately checked by caller. When set_ethernet_addr() fails, a randomly generated MAC address is set as the MAC address instead.

On the other hand, for the case when get_registers() does succeed, set_ethernet_addr() has been updated to use ether_addr_copy() to copy the address, instead of memcpy().

Reported-by: syzbot+abbc768b560c84d92fd3@xxxxxxxxxxxxxxxxxxxxxxxxx
Tested-by: syzbot+abbc768b560c84d92fd3@xxxxxxxxxxxxxxxxxxxxxxxxx
Acked-by: Petko Manolov <petkan@xxxxxxxxxxxxx>
Signed-off-by: Anant Thazhemadam <anant.thazhemadam@xxxxxxxxx>
---
Changes in v3:
* Set a random MAC address to the device rather than making the device not work at all in the event set_ethernet_addr() fails. (Suggested by David Miller <davem@xxxxxxxxxxxxx>)
* Update set_ethernet_addr() to use ether_addr_copy() to copy the MAC Address (instead of using memcpy() for that same). (Suggested by Joe Perches <joe@xxxxxxxxxxx>)

Changes in v2:
* Modified condition checking get_registers()'s return value to ret == sizeof(node_id) for stricter checking in compliance with the new usb_control_msg_recv() API
* Added Acked-by: Petko Manolov

drivers/net/usb/rtl8150.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c index 733f120c852b..bbd49ebdf095 100644 --- a/drivers/net/usb/rtl8150.c +++ b/drivers/net/usb/rtl8150.c
@@ -274,12 +274,17 @@ static int write_mii_word(rtl8150_t * dev, u8 phy, __u8 indx, u16 reg) return 1; } -static inline void set_ethernet_addr(rtl8150_t * dev) +static bool set_ethernet_addr(rtl8150_t *dev) { - u8 node_id[6]; + u8 node_id[ETH_ALEN]; + int ret; - get_registers(dev, IDR, sizeof(node_id), node_id); - memcpy(dev->netdev->dev_addr, node_id, sizeof(node_id)); + ret = get_registers(dev, IDR, sizeof(node_id), node_id); + if (ret == sizeof(node_id)) { + ether_addr_copy(dev->netdev->dev_addr, node_id); + return true; + } + return false; } static int rtl8150_set_mac_address(struct net_device *netdev, void *p) @@ -909,7 +914,10 @@ static int rtl8150_probe(struct usb_interface *intf, goto out1; } fill_skb_pool(dev); - set_ethernet_addr(dev); + if (!set_ethernet_addr(dev)) { + dev_err(&intf->dev, "assigining a random MAC address\n"); + eth_hw_addr_random(dev->netdev); + } usb_set_intfdata(intf, dev); SET_NETDEV_DEV(netdev, &intf->dev); -- 2.25.1
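Review bot: in the set_ethernet_addr() hunk (@@ -274), the six bytes read from IDR are copied to dev->netdev->dev_addr as soon as ret == sizeof(node_id), with no check that they form a usable address. Consider testing is_valid_ether_addr(node_id) before ether_addr_copy() and returning false otherwise, so that an all-zero or multicast value from the device takes the same random-address fallback as a failed read. Also, ether_addr_copy() expects both arguments to be u16-aligned, which a u8 node_id[ETH_ALEN] on the stack does not guarantee; either give the buffer an explicit 2-byte alignment or keep memcpy() here.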
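Review bot: in the rtl8150_probe() hunk (@@ -909), the dev_err() string misspells "assigning" as "assigining", and it is emitted before eth_hw_addr_random() runs, so the log never shows which address was chosen. Since the probe continues after the fallback, a lower severity than dev_err() fits better; consider calling eth_hw_addr_random(dev->netdev) first and then logging the result with %pM at warning or notice level. The message could also state that reading the address from the device failed, so the reason for the fallback is visible in the log.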