The kernel allocates a buffer of size ops->get_regs_len(), and pass it to the kernel driver via ops->get_regs() for filling.
There is no restriction about what the kernel drivers can or cannot do with the regs->len member. Drivers usually ignore it or set the same size again. However, ethtool_get_regs() must not use this value when copying the buffer back to the user, because userspace may have allocated a smaller buffer. For instance ethtool does that when dumping the raw registers directly into a fixed-size file. Software may still make use of the regs->len value updated by the kernel driver, but ethtool_get_regs() must use the original regs->len given by userspace, up to ops->get_regs_len(), when copying the buffer. Also no need to check regbuf twice. Signed-off-by: Vivien Didelot <vivien.dide...@gmail.com> --- net/core/ethtool.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/core/ethtool.c b/net/core/ethtool.c index 4a593853cbf2..8f95c7b7cafe 100644 --- a/net/core/ethtool.c +++ b/net/core/ethtool.c @@ -1338,38 +1338,40 @@ static noinline_for_stack int ethtool_set_rxfh(struct net_device *dev, static int ethtool_get_regs(struct net_device *dev, char __user *useraddr) { struct ethtool_regs regs; const struct ethtool_ops *ops = dev->ethtool_ops; void *regbuf; int reglen, ret; if (!ops->get_regs || !ops->get_regs_len) return -EOPNOTSUPP; if (copy_from_user(®s, useraddr, sizeof(regs))) return -EFAULT; reglen = ops->get_regs_len(dev); if (reglen <= 0) return reglen; if (regs.len > reglen) regs.len = reglen; + else + reglen = regs.len; regbuf = vzalloc(reglen); if (!regbuf) return -ENOMEM; ops->get_regs(dev, ®s, regbuf); ret = -EFAULT; if (copy_to_user(useraddr, ®s, sizeof(regs))) goto out; useraddr += offsetof(struct ethtool_regs, data); - if (regbuf && copy_to_user(useraddr, regbuf, regs.len)) + if (copy_to_user(useraddr, regbuf, reglen)) goto out; ret = 0; out: vfree(regbuf); return ret; } -- 2.21.0