Re: [PATCH net 3/3] e1000e: fix endianness conversion of uninitialized words

[Tony Nguyen]

On 3/18/2026 5:05 AM, Agalakov Daniil wrote:
> [Why]
> In e1000_set_eeprom(), the eeprom_buff is allocated to hold a range of
> words. However, only the boundary words (the first and the last) are
> populated from the EEPROM if the write request is not word-aligned.
> The words in the middle of the buffer remain uninitialized because they
> are intended to be completely overwritten by the new data via memcpy().
>
> The previous implementation had a loop that performed le16_to_cpus()
> on the entire buffer. This resulted in endianness conversion being
> performed on uninitialized memory for all interior words.
>
> Fix this by converting the endianness only for the boundary words
> immediately after they are successfully read from the EEPROM.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")

AI Review reports:

The commit message cites the initial git repository commit 1da177e4c3f4
("Linux-2.6.12-rc2") from 2005 as the source of the bug. However, the
e1000e driver wasn't introduced until 2007 in commit bc7f75fa9788
("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices
only)"). While the e1000 driver did have this bug pattern in the initial
commit, this patch fixes the e1000e driver, which is a separate driver.

Should the Fixes: tag reference bc7f75fa9788 instead, since that's when
the buggy pattern was first introduced in e1000e?

Also, the same comment from the e1000 patch applies here. I think this 
patch should be split like the e1000 ones with the return value going to 
*-net and the endian to *-next.

Thanks,
Tony


> Co-developed-by: Iskhakov Daniil <dish@xxxxxxxxx>
> Signed-off-by: Iskhakov Daniil <dish@xxxxxxxxx>
> Signed-off-by: Agalakov Daniil <ade@xxxxxxxxx>
> ---
>   drivers/net/ethernet/intel/e1000e/ethtool.c | 19 ++++++++++++-------
>   1 file changed, 12 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/net/ethernet/intel/e1000e/ethtool.c b/drivers/net/ethernet/intel/e1000e/ethtool.c
> index dbed30943ef4..a8b35ae41141 100644
> --- a/drivers/net/ethernet/intel/e1000e/ethtool.c
> +++ b/drivers/net/ethernet/intel/e1000e/ethtool.c
> @@ -583,20 +583,25 @@ static int e1000_set_eeprom(struct net_device *netdev,
>   		/* need read/modify/write of first changed EEPROM word */
>   		/* only the second byte of the word is being modified */
>   		ret_val = e1000_read_nvm(hw, first_word, 1, &eeprom_buff[0]);
> +		if (ret_val)
> +			goto out;
> +
> +		/* Device's eeprom is always little-endian, word addressable */
> +		le16_to_cpus(&eeprom_buff[0]);
> +
>   		ptr++;
>   	}
> -	if (((eeprom->offset + eeprom->len) & 1) && (!ret_val))
> +	if ((eeprom->offset + eeprom->len) & 1) {
>   		/* need read/modify/write of last changed EEPROM word */
>   		/* only the first byte of the word is being modified */
>   		ret_val = e1000_read_nvm(hw, last_word, 1,
>   					 &eeprom_buff[last_word - first_word]);
> +		if (ret_val)
> +			goto out;
>   
> -	if (ret_val)
> -		goto out;
> -
> -	/* Device's eeprom is always little-endian, word addressable */
> -	for (i = 0; i < last_word - first_word + 1; i++)
> -		le16_to_cpus(&eeprom_buff[i]);
> +		/* Device's eeprom is always little-endian, word addressable */
> +		le16_to_cpus(&eeprom_buff[last_word - first_word]);
> +	}
>   
>   	memcpy(ptr, bytes, eeprom->len);
>