On Tue, 23 Jul 2024 22:04:34 +0800, Ma Ke wrote: > It could lead to error happen because the variable res is not updated if > the call to sr_share_read_word returns an error. In this particular case > error code was returned and res stayed uninitialized. > > This can be avoided by checking the return value of sr_share_read_word > and propagating the error if the read operation failed. > > Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support") > Signed-off-by: Ma Ke <make24@xxxxxxxxxxx> > --- > drivers/net/usb/sr9700.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c > index 0a662e42ed96..d5bc596f4521 100644 > --- a/drivers/net/usb/sr9700.c > +++ b/drivers/net/usb/sr9700.c > @@ -179,6 +179,7 @@ static int sr_mdio_read(struct net_device *netdev, int phy_id, int loc) > struct usbnet *dev = netdev_priv(netdev); > __le16 res; > int rc = 0; > + int err; > > if (phy_id) { > netdev_dbg(netdev, "Only internal phy supported\n"); > @@ -193,7 +194,10 @@ static int sr_mdio_read(struct net_device *netdev, int phy_id, int loc) > if (value & NSR_LINKST) > rc = 1; > } > - sr_share_read_word(dev, 1, loc, &res); > + err = sr_share_read_word(dev, 1, loc, &res); > + if (err < 0) > + return err; > + The patch looks good to me. But I think the following sr_read_reg() has the same uninit-value access issue. If sr_read_reg() returns an error, value may be uninitialized: static int sr_mdio_read(struct net_device *netdev, int phy_id, int loc) { [...] /* Access NSR_LINKST bit for link status instead of MII_BMSR */ if (loc == MII_BMSR) { u8 value; sr_read_reg(dev, SR_NSR, &value); if (value & NSR_LINKST) rc = 1; } Why don't we fix it together? Thanks, Shigeru > if (rc == 1) > res = le16_to_cpu(res) | BMSR_LSTATUS; > else > -- > 2.25.1 > >
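Review bot: In the second hunk of sr_mdio_read(), only sr_share_read_word() gets a return-value check; the sr_read_reg(dev, SR_NSR, &value) call in the MII_BMSR branch directly above it is still unchecked, so `if (value & NSR_LINKST)` can test an uninitialized `u8 value` when that read fails. The `err` variable declared in the first hunk can cover this call as well: assign `err = sr_read_reg(dev, SR_NSR, &value);` and return when `err < 0`, before `rc` is set. With both reads checked, every path that reaches `res = le16_to_cpu(res) | BMSR_LSTATUS;` works on data the device actually returned.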