Public bug reported:
[ Impact ]
genphy_config_eee_advert() was removed in "net: phy: remove
genphy_config_eee_advert"[1] before the phydev->eee_broken_modes was
converted from a u32 to bitmap (underlyingly an array of unsigned long)
in "net: phy: switch eee_broken_modes to linkmode bitmap and add
accessor"[2]. The later one was backported to the OEM 6.11 kernel, but
the former one wasn't.
In the remaining genphy_config_eee_advert() in the OEM kernel, it will
pass phy_device->eee_broken_modes to phy_modify_mmd_changed(), which
assumes that eee_broken_modes is still an integer, leading to a bug that
converts a pointer to an integer.
gcc 13.3 will emit warning, while clang 18.1.3 and gcc 14 catch this
error:
drivers/net/phy/phy_device.c:2196:15: warning: address of array
'phydev->eee_broken_modes' will always evaluate to 'true'
[-Wpointer-bool-conversion]
2196 | if (!phydev->eee_broken_modes)
| ~~~~~~~~~^~~~~~~~~~~~~~~~
drivers/net/phy/phy_device.c:2200:10: error: incompatible pointer to integer
conversion passing 'unsigned long[2]' to parameter of type 'u16' (aka 'unsigned
short') [-Wint-conversion]
2200 | phydev->eee_broken_modes, 0);
| ^~~~~~~~~~~~~~~~~~~~~~~~
./include/linux/phy.h:1438:11: note: passing argument to parameter 'mask' here
1438 | u16 mask, u16 set);
| ^
1 warning and 1 error generated.
This can be resolved by backporting [1] that fully replaces the
genphy_config_eee_advert() in the 6.11 oem kernel.
[ Test plan ]
Compile the relevant part by the said compilers. For example on Noble:
$ make LLVM=1 drivers/net/phy/
The above error/warning message shouldn’t appear.
This was introduced only in the 6.11 OEM kernel, which is intended for
PCs under Noble certification. According to records from the
certification team website, currently there’s no PC with Broadcom
ethernet devices under certification, so in theory there’s no actual
user for the relevant code.
[ Where the problems could occur ]
This access pattern to the phydev->eee_broken_modes happens only in
genphy_config_eee_advert() in drivers/net/phy/bcm-phy-lib.c, which is
also its only user. There’s only one place in the code where this
function is used, and from the record on the certification website there
hasn’t been any PC with Broadcom components undergoing Noble
certification. So the impact should be limited.
[1]
https://lore.kernel.org/all/69d22b31-57d1-4b01-bfde-0c6a1df1e...@gmail.com/#r
[2]
https://lore.kernel.org/all/405734c5-0ed4-40e4-9ac9-91084b953...@gmail.com/#r
** Affects: linux-oem-6.11 (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux-oem-6.11 (Ubuntu Noble)
Importance: Undecided
Assignee: Leo Lin (0xff07)
Status: In Progress
** Also affects: linux-oem-6.11 (Ubuntu Noble)
Importance: Undecided
Status: New
** Changed in: linux-oem-6.11 (Ubuntu Noble)
Assignee: (unassigned) => Leo Lin (0xff07)
** Changed in: linux-oem-6.11 (Ubuntu Noble)
Status: New => In Progress
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-oem-6.11 in Ubuntu.
https://bugs.launchpad.net/bugs/2098171
Title:
Remove genphy_config_eee_advert() that accesses eee_broken_modes in
buggy manners
Status in linux-oem-6.11 package in Ubuntu:
New
Status in linux-oem-6.11 source package in Noble:
In Progress
Bug description:
[ Impact ]
genphy_config_eee_advert() was removed in "net: phy: remove
genphy_config_eee_advert"[1] before the phydev->eee_broken_modes was
converted from a u32 to bitmap (underlyingly an array of unsigned
long) in "net: phy: switch eee_broken_modes to linkmode bitmap and add
accessor"[2]. The later one was backported to the OEM 6.11 kernel, but
the former one wasn't.
In the remaining genphy_config_eee_advert() in the OEM kernel, it will
pass phy_device->eee_broken_modes to phy_modify_mmd_changed(), which
assumes that eee_broken_modes is still an integer, leading to a bug
that converts a pointer to an integer.
gcc 13.3 will emit warning, while clang 18.1.3 and gcc 14 catch this
error:
drivers/net/phy/phy_device.c:2196:15: warning: address of array
'phydev->eee_broken_modes' will always evaluate to 'true'
[-Wpointer-bool-conversion]
2196 | if (!phydev->eee_broken_modes)
| ~~~~~~~~~^~~~~~~~~~~~~~~~
drivers/net/phy/phy_device.c:2200:10: error: incompatible pointer to integer
conversion passing 'unsigned long[2]' to parameter of type 'u16' (aka 'unsigned
short') [-Wint-conversion]
2200 | phydev->eee_broken_modes, 0);
| ^~~~~~~~~~~~~~~~~~~~~~~~
./include/linux/phy.h:1438:11: note: passing argument to parameter 'mask' here
1438 | u16 mask, u16 set);
| ^
1 warning and 1 error generated.
This can be resolved by backporting [1] that fully replaces the
genphy_config_eee_advert() in the 6.11 oem kernel.
[ Test plan ]
Compile the relevant part by the said compilers. For example on Noble:
$ make LLVM=1 drivers/net/phy/
The above error/warning message shouldn’t appear.
This was introduced only in the 6.11 OEM kernel, which is intended for
PCs under Noble certification. According to records from the
certification team website, currently there’s no PC with Broadcom
ethernet devices under certification, so in theory there’s no actual
user for the relevant code.
[ Where the problems could occur ]
This access pattern to the phydev->eee_broken_modes happens only in
genphy_config_eee_advert() in drivers/net/phy/bcm-phy-lib.c, which is
also its only user. There’s only one place in the code where this
function is used, and from the record on the certification website
there hasn’t been any PC with Broadcom components undergoing Noble
certification. So the impact should be limited.
[1]
https://lore.kernel.org/all/69d22b31-57d1-4b01-bfde-0c6a1df1e...@gmail.com/#r
[2]
https://lore.kernel.org/all/405734c5-0ed4-40e4-9ac9-91084b953...@gmail.com/#r
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-oem-6.11/+bug/2098171/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
