Re: [net-next,10/11] netdevsim: Add module EEPROM simulation via debugfs
From: Jakub Kicinski <kuba@kernel.org>
Date: 2026-03-12 02:52:20
Also in:
linux-kselftest, linux-rdma, lkml
This is an AI-generated review of your patch. The human sending this email has considered the AI review valid, or at least plausible. For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html --- netdevsim: Add module EEPROM simulation via debugfs This patch adds get/set_module_eeprom_by_page ethtool ops to netdevsim for testing kernel features that depend on module EEPROM access. The EEPROM is backed by a 256-page x 128-byte array exposed via debugfs.
quoted hunk ↗ jump to hunk
diff --git a/drivers/net/netdevsim/ethtool.c b/drivers/net/netdevsim/ethtool.c index 84bc025885f7..7ef96a747643 100644 --- a/drivers/net/netdevsim/ethtool.c +++ b/drivers/net/netdevsim/ethtool.c@@ -247,6 +247,68 @@ static int nsim_set_loopback(struct net_device *dev, return 1; } +static u8 *nsim_module_eeprom_ptr(struct netdevsim *ns, + const struct ethtool_module_eeprom *page_data, + u32 *len) +{ + u32 offset; + u8 page; + + if (page_data->offset < NSIM_MODULE_EEPROM_PAGE_LEN) { + page = 0; + offset = page_data->offset; + } else { + page = page_data->page;
^^^^
Does this need bounds checking? The page_data->page value comes from userspace
via ethtool and is used directly as an array index at the return statement
below. The module.pages array is defined as:
u8 pages[NSIM_MODULE_EEPROM_PAGES][NSIM_MODULE_EEPROM_PAGE_LEN]
where NSIM_MODULE_EEPROM_PAGES is 256. A userspace caller could provide a page
number >= 256, leading to an out-of-bounds access:
return ns->ethtool.module.pages[page] + offset;
This can result in reading or writing (via nsim_set_module_eeprom_by_page)
adjacent kernel memory.
+ offset = page_data->offset - NSIM_MODULE_EEPROM_PAGE_LEN; + } + + *len = min_t(u32, page_data->length, + NSIM_MODULE_EEPROM_PAGE_LEN - offset);
^^^^^^
Can offset exceed NSIM_MODULE_EEPROM_PAGE_LEN here? When page_data->offset >=
128, the code calculates:
offset = page_data->offset - NSIM_MODULE_EEPROM_PAGE_LEN
If page_data->offset is large (e.g., 300), the resulting offset would be 172.
At the min_t calculation:
NSIM_MODULE_EEPROM_PAGE_LEN - offset = 128 - 172 = -44
This underflows when cast to u32, becoming a large unsigned value. The return
statement then accesses:
ns->ethtool.module.pages[page] + offset
where offset can be > 128, reading past the page boundary. Each page is only
NSIM_MODULE_EEPROM_PAGE_LEN (128) bytes, but offset isn't validated to be
within this range.
+ return ns->ethtool.module.pages[page] + offset;
+}
+
+static int
+nsim_get_module_eeprom_by_page(struct net_device *dev,
+ const struct ethtool_module_eeprom *page_data,
+ struct netlink_ext_ack *extack)
+{
+ struct netdevsim *ns = netdev_priv(dev);
+ u32 len;
+ u8 *ptr;
+
+ if (ns->ethtool.module.get_err)
+ return -ns->ethtool.module.get_err;
+
+ ptr = nsim_module_eeprom_ptr(ns, page_data, &len);
+ if (!ptr)
+ return -EINVAL;
+
+ memcpy(page_data->data, ptr, len);
+
+ return len;
+}
+
+static int
+nsim_set_module_eeprom_by_page(struct net_device *dev,
+ const struct ethtool_module_eeprom *page_data,
+ struct netlink_ext_ack *extack)
+{
+ struct netdevsim *ns = netdev_priv(dev);
+ u32 len;
+ u8 *ptr;
+
+ if (ns->ethtool.module.set_err)
+ return -ns->ethtool.module.set_err;
+
+ ptr = nsim_module_eeprom_ptr(ns, page_data, &len);
+ if (!ptr)
+ return -EINVAL;
+
+ memcpy(ptr, page_data->data, len);
+
+ return 0;
+}[ ... ]
quoted hunk ↗ jump to hunk
diff --git a/drivers/net/netdevsim/netdevsim.h b/drivers/net/netdevsim/netdevsim.h index 2e322b9410d2..f6b2063d41c9 100644 --- a/drivers/net/netdevsim/netdevsim.h +++ b/drivers/net/netdevsim/netdevsim.h@@ -82,6 +82,16 @@ struct nsim_ethtool_pauseparam { bool report_stats_tx; }; +#define NSIM_MODULE_EEPROM_PAGES 256 +#define NSIM_MODULE_EEPROM_PAGE_LEN 128 + +struct nsim_ethtool_module { + u32 get_err; + u32 set_err; + u8 pages[NSIM_MODULE_EEPROM_PAGES][NSIM_MODULE_EEPROM_PAGE_LEN]; + struct debugfs_blob_wrapper page_blobs[NSIM_MODULE_EEPROM_PAGES]; +};
[ ... ]