[Why] In e1000_set_eeprom(), the eeprom_buff is allocated to hold a range of words. However, only the boundary words (the first and the last) are populated from the EEPROM if the write request is not word-aligned. The words in the middle of the buffer remain uninitialized because they are intended to be completely overwritten by the new data via memcpy(). The previous implementation had a loop that performed le16_to_cpus() on the entire buffer. This resulted in endianness conversion being performed on uninitialized memory for all interior words. Fix this by converting the endianness only for the boundary words immediately after they are successfully read from the EEPROM. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Co-developed-by: Iskhakov Daniil Signed-off-by: Iskhakov Daniil Signed-off-by: Agalakov Daniil --- drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c index 4dcbeabb3ad2..c15ad95c63c1 100644 --- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c @@ -499,6 +499,9 @@ static int e1000_set_eeprom(struct net_device *netdev, if (ret_val) goto out; + /* Device's eeprom is always little-endian, word addressable */ + le16_to_cpus(&eeprom_buff[0]); + ptr++; } if ((eeprom->offset + eeprom->len) & 1) { @@ -509,11 +512,10 @@ static int e1000_set_eeprom(struct net_device *netdev, &eeprom_buff[last_word - first_word]); if (ret_val) goto out; - } - /* Device's eeprom is always little-endian, word addressable */ - for (i = 0; i < last_word - first_word + 1; i++) - le16_to_cpus(&eeprom_buff[i]); + /* Device's eeprom is always little-endian, word addressable */ + le16_to_cpus(&eeprom_buff[last_word - first_word]); + } memcpy(ptr, bytes, eeprom->len); -- 2.51.0