On Tue, May 26, 2020 at 10:35:46AM -0500, Jeremy Linton wrote:
> Hi,
> 
> On 5/26/20 9:31 AM, Russell King wrote:
> > Expand the device_ids[] array to allow all MMD IDs to be read rather
> > than just the first 8 MMDs, but only read the ID if the MDIO_STAT2
> > register reports that a device really is present here for these new
> > devices to maintain compatibility with our current behaviour.
> > 
> > 88X3310 PHY vendor MMDs are marked as present in the
> > devices_in_package, but do not contain IEEE 802.3 compatible register
> > sets in their lower space.  This avoids reading incorrect values as MMD
> > identifiers.
> > 
> > Signed-off-by: Russell King <rmk+ker...@armlinux.org.uk>
> > ---
> >   drivers/net/phy/phy_device.c | 14 ++++++++++++++
> >   include/linux/phy.h          |  2 +-
> >   2 files changed, 15 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
> > index 1c948bbf4fa0..92742c7be80f 100644
> > --- a/drivers/net/phy/phy_device.c
> > +++ b/drivers/net/phy/phy_device.c
> > @@ -773,6 +773,20 @@ static int get_phy_c45_ids(struct mii_bus *bus, int 
> > addr, u32 *phy_id,
> >             if (!(devs_in_pkg & (1 << i)))
> >                     continue;
> > +           if (i >= 8) {
> > +                   /* Only probe the MMD ID for MMDs >= 8 if they report
> > +                    * that they are present. We have at least one PHY that
> > +                    * reports MMD presence in devs_in_pkg, but does not
> > +                    * contain valid IEEE 802.3 ID registers in some MMDs.
> > +                    */
> > +                   ret = phy_c45_probe_present(bus, addr, i);
> > +                   if (ret < 0)
> > +                           return ret;
> > +
> > +                   if (!ret)
> > +                           continue;
> > +           }
> > +
> >             phy_reg = mdiobus_c45_read(bus, addr, i, MII_PHYSID1);
> >             if (phy_reg < 0)
> >                     return -EIO;
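
Review bot: The literal 8 in `if (i >= 8)` is the old length of device_ids[], but nothing in the code says so; the comment only explains why the presence probe is needed, not why it starts at MMD 8. Please use a named constant or extend the comment to state that MMDs 0 to 7 keep the previous unconditional ID read for compatibility, as the commit message describes. Also note that this block propagates the error from phy_c45_probe_present() as returned, while the MII_PHYSID1 read directly below maps any failure to -EIO; a word on whether that difference is intended would help.
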
> > diff --git a/include/linux/phy.h b/include/linux/phy.h
> > index 0d41c710339a..3325dd8fb9ac 100644
> > --- a/include/linux/phy.h
> > +++ b/include/linux/phy.h
> > @@ -361,7 +361,7 @@ enum phy_state {
> >   struct phy_c45_device_ids {
> >     u32 devices_in_package;
> >     u32 mmds_present;
> > -   u32 device_ids[8];
> > +   u32 device_ids[MDIO_MMD_NUM];
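
Review bot: The struct does not document how the length of device_ids[] relates to the two u32 bitmasks above it. With the bound now MDIO_MMD_NUM rather than 8, a short comment stating that device_ids[] is indexed by MMD number, with one bit per entry in devices_in_package and mmds_present, would make the constraint explicit, and a compile-time check that MDIO_MMD_NUM does not exceed 32 would enforce it. Since the array size changes here, the commit message should also say that existing loops over device_ids[] take their bound from the array size, which is the question raised in the reply below.
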
> 
> You have an array overflow/invalid access if you don't do this earlier in
> 4/7.

I'm very sorry, but you are mistaken - there is no overflow.

The overflow would happen if I'd changed the _second_ loop in
get_phy_c45_ids(), but that still relies upon the size of this
array.  In fact, everywhere that the device_ids array is indexed
with a for() loop, the maximum bound is defined by the element
size of the array.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTC for 0.8m (est. 1762m) line in suburbia: sync at 13.1Mbps down 424kbps up
