Re: [net-next,10/11] netdevsim: Add module EEPROM simulation via debugfs

Wed, 11 Mar 2026 19:54:10 -0700 

This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.

For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
---
netdevsim: Add module EEPROM simulation via debugfs

This patch adds get/set_module_eeprom_by_page ethtool ops to netdevsim
for testing kernel features that depend on module EEPROM access. The
EEPROM is backed by a 256-page x 128-byte array exposed via debugfs.

> diff --git a/drivers/net/netdevsim/ethtool.c b/drivers/net/netdevsim/ethtool.c
> index 84bc025885f7..7ef96a747643 100644
> --- a/drivers/net/netdevsim/ethtool.c
> +++ b/drivers/net/netdevsim/ethtool.c
> @@ -247,6 +247,68 @@ static int nsim_set_loopback(struct net_device *dev,
>       return 1;
>  }
>
> +static u8 *nsim_module_eeprom_ptr(struct netdevsim *ns,
> +                               const struct ethtool_module_eeprom *page_data,
> +                               u32 *len)
> +{
> +     u32 offset;
> +     u8 page;
> +
> +     if (page_data->offset < NSIM_MODULE_EEPROM_PAGE_LEN) {
> +             page = 0;
> +             offset = page_data->offset;
> +     } else {
> +             page = page_data->page;
                     ^^^^

Does this need bounds checking? The page_data->page value comes from userspace
via ethtool and is used directly as an array index at the return statement
below. The module.pages array is defined as:

    u8 pages[NSIM_MODULE_EEPROM_PAGES][NSIM_MODULE_EEPROM_PAGE_LEN]

where NSIM_MODULE_EEPROM_PAGES is 256. A userspace caller could provide a page
number >= 256, leading to an out-of-bounds access:

    return ns->ethtool.module.pages[page] + offset;

This can result in reading or writing (via nsim_set_module_eeprom_by_page)
adjacent kernel memory.

> +             offset = page_data->offset - NSIM_MODULE_EEPROM_PAGE_LEN;
> +     }
> +
> +     *len = min_t(u32, page_data->length,
> +                  NSIM_MODULE_EEPROM_PAGE_LEN - offset);
                                                  ^^^^^^

Can offset exceed NSIM_MODULE_EEPROM_PAGE_LEN here? When page_data->offset >=
128, the code calculates:

    offset = page_data->offset - NSIM_MODULE_EEPROM_PAGE_LEN

If page_data->offset is large (e.g., 300), the resulting offset would be 172.
At the min_t calculation:

    NSIM_MODULE_EEPROM_PAGE_LEN - offset = 128 - 172 = -44

This underflows when cast to u32, becoming a large unsigned value. The return
statement then accesses:

    ns->ethtool.module.pages[page] + offset

where offset can be > 128, reading past the page boundary. Each page is only
NSIM_MODULE_EEPROM_PAGE_LEN (128) bytes, but offset isn't validated to be
within this range.

> +     return ns->ethtool.module.pages[page] + offset;
> +}
> +
> +static int
> +nsim_get_module_eeprom_by_page(struct net_device *dev,
> +                            const struct ethtool_module_eeprom *page_data,
> +                            struct netlink_ext_ack *extack)
> +{
> +     struct netdevsim *ns = netdev_priv(dev);
> +     u32 len;
> +     u8 *ptr;
> +
> +     if (ns->ethtool.module.get_err)
> +             return -ns->ethtool.module.get_err;
> +
> +     ptr = nsim_module_eeprom_ptr(ns, page_data, &len);
> +     if (!ptr)
> +             return -EINVAL;
> +
> +     memcpy(page_data->data, ptr, len);
> +
> +     return len;
> +}
> +
> +static int
> +nsim_set_module_eeprom_by_page(struct net_device *dev,
> +                            const struct ethtool_module_eeprom *page_data,
> +                            struct netlink_ext_ack *extack)
> +{
> +     struct netdevsim *ns = netdev_priv(dev);
> +     u32 len;
> +     u8 *ptr;
> +
> +     if (ns->ethtool.module.set_err)
> +             return -ns->ethtool.module.set_err;
> +
> +     ptr = nsim_module_eeprom_ptr(ns, page_data, &len);
> +     if (!ptr)
> +             return -EINVAL;
> +
> +     memcpy(ptr, page_data->data, len);
> +
> +     return 0;
> +}

[ ... ]

> diff --git a/drivers/net/netdevsim/netdevsim.h 
> b/drivers/net/netdevsim/netdevsim.h
> index 2e322b9410d2..f6b2063d41c9 100644
> --- a/drivers/net/netdevsim/netdevsim.h
> +++ b/drivers/net/netdevsim/netdevsim.h
> @@ -82,6 +82,16 @@ struct nsim_ethtool_pauseparam {
>       bool report_stats_tx;
>  };
>
> +#define NSIM_MODULE_EEPROM_PAGES     256
> +#define NSIM_MODULE_EEPROM_PAGE_LEN  128
> +
> +struct nsim_ethtool_module {
> +     u32 get_err;
> +     u32 set_err;
> +     u8 pages[NSIM_MODULE_EEPROM_PAGES][NSIM_MODULE_EEPROM_PAGE_LEN];
> +     struct debugfs_blob_wrapper page_blobs[NSIM_MODULE_EEPROM_PAGES];
> +};

[ ... ]

Reply via email to