ethtool: eeprom: add more safeties to EEPROM Netlink fallback

The Netlink fallback path for reading module EEPROM
(fallback_set_params()) validates that offset < eeprom_len,
but does not check that offset + length stays within eeprom_len.
The ioctl equivalent (ethtool_get_any_eeprom() in ioctl.c) has
always enforced both bounds:

  if (eeprom.offset + eeprom.len > total_len)
      return -EINVAL;

This could lead to surprises in both drivers and device FW.
Add the missing offset + length validation to fallback_set_params(),
mirroring the ioctl.

Similarly - ethtool core in general, and ethtool_get_any_eeprom()
in particular tries to zero-init all buffers passed to the drivers
to avoid any extra work of zeroing things out. eeprom_fallback()
uses a plain kmalloc(), change it to zalloc.

Fixes: 96d971e307cc ("ethtool: Add fallback to get_module_eeprom from netlink command")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-11-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/ethtool/eeprom.c b/net/ethtool/eeprom.c
index 836316df3092c3efe5f84e2914685b3ed28193e6..0b8cfeddb014c6c975f1976f3ece077448fa39e2 100644 (file)
--- a/net/ethtool/eeprom.c
+++ b/net/ethtool/eeprom.c
@@ -44,6 +44,9 @@ static int fallback_set_params(struct eeprom_req_info *request,
        if (offset >= modinfo->eeprom_len)
                return -EINVAL;
 
+       if (length > modinfo->eeprom_len - offset)
+               return -EINVAL;
+
        eeprom->cmd = ETHTOOL_GMODULEEEPROM;
        eeprom->len = length;
        eeprom->offset = offset;
@@ -69,7 +72,7 @@ static int eeprom_fallback(struct eeprom_req_info *request,
        if (err < 0)
                return err;
 
-       data = kmalloc(eeprom.len, GFP_KERNEL);
+       data = kzalloc(eeprom.len, GFP_KERNEL);
        if (!data)
                return -ENOMEM;
        err = ethtool_get_module_eeprom_call(dev, &eeprom, data);