In mlx5_pps_event(), ptp_event is not zero-initialized. Since it contains a union, partial assignment can leave stale stack data in unused members. Also, clock->ptp may be NULL if ptp_clock_register() fails. Fix by zero-initializing ptp_event, using a local timestamp variable for event data assignment, and guarding ptp_clock_event() with a NULL check. Fixes: 7c39afb394c7 ("net/mlx5: PTP code migration to driver core section") Signed-off-by: Prathamesh Deshpande --- v5: - Drop MAX_PIN_NUM check per review. - Drop pin_config local guard to keep this revision narrowly scoped. v4: - Validate pin index against MAX_PIN_NUM instead of n_pins. v3: - Fix union corruption by using a local timestamp variable. - Validate pin index against n_pins with WARN_ON_ONCE. - Remove redundant pin < 0 check and cleanup TODO comment. v2: - Zero-initialize ptp_event to prevent stack information leak. - Add bounds check for hardware pin index to prevent OOB access. - Add NULL guard for pin_config to handle initialization failures. - Add NULL check for clock->ptp as originally intended. drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c index bd4e042077af..77d7b81a0a25 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c @@ -1164,7 +1164,7 @@ static int mlx5_pps_event(struct notifier_block *nb, pps_nb); struct mlx5_core_dev *mdev = clock_state->mdev; struct mlx5_clock *clock = mdev->clock; - struct ptp_clock_event ptp_event; + struct ptp_clock_event ptp_event = {}; struct mlx5_eqe *eqe = data; int pin = eqe->data.pps.pin; unsigned long flags; 
@@ -1173,7 +1173,7 @@ static int mlx5_pps_event(struct notifier_block *nb, switch (clock->ptp_info.pin_config[pin].func) { case PTP_PF_EXTTS: ptp_event.index = pin; - ptp_event.timestamp = mlx5_real_time_mode(mdev) ? + ns = mlx5_real_time_mode(mdev) ? mlx5_real_time_cyc2time(clock, be64_to_cpu(eqe->data.pps.time_stamp)) : mlx5_timecounter_cyc2time(clock, @@ -1181,12 +1181,13 @@ static int mlx5_pps_event(struct notifier_block *nb, if (clock->pps_info.enabled) { ptp_event.type = PTP_CLOCK_PPSUSR; ptp_event.pps_times.ts_real = - ns_to_timespec64(ptp_event.timestamp); + ns_to_timespec64(ns); } else { ptp_event.type = PTP_CLOCK_EXTTS; + ptp_event.timestamp = ns; } - /* TODOL clock->ptp can be NULL if ptp_clock_register fails */ - ptp_clock_event(clock->ptp, &ptp_event); + if (clock->ptp) + ptp_clock_event(clock->ptp, &ptp_event); break; case PTP_PF_PEROUT: if (clock->shared) { -- 2.43.0
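Review bot: in the first hunk (@@ -1164,7), `int pin = eqe->data.pps.pin;` is left unchanged, and the next hunk still uses it unchecked in `clock->ptp_info.pin_config[pin].func`. The changelog says the bounds check and the pin_config guard were dropped in v5 to keep the revision narrow, but the commit message itself says nothing about it. Suggest adding one sentence to the commit message stating that validation of the event-supplied pin index is deliberately not part of this fix, so a backport via the Fixes: tag is not read as covering it.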
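Review bot: in the second hunk (@@ -1173,7), `ns = mlx5_real_time_mode(mdev) ?` assigns to a variable whose declaration does not appear anywhere in the patch. The six insertions in the diffstat are all accounted for by the visible `+` lines, so `ns` has to be an existing local of mlx5_pps_event(). Please confirm it is a 64-bit type matching `ptp_event.timestamp`, so the cyc2time result is not truncated before `ns_to_timespec64(ns)`, and mention in the commit message that an existing local is reused.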
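Review bot: in the third hunk (@@ -1181,12), `if (clock->ptp)` only catches NULL, while ptp_clock_register() reports failure with an ERR_PTR() value rather than NULL. The guard is sufficient only if the registration path resets clock->ptp to NULL on error; either state that in the commit message or test with IS_ERR_OR_NULL() here. The check could also be moved ahead of the timestamp conversion, so no work is done for an event that is going to be dropped.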