From: "Russell King (Oracle)" <linux@armlinux.org.uk>
To: Lukas Funke <lukas.funke-oss@weidmueller.com>
Cc: Andrew Lunn <andrew@lunn.ch>,
Heiner Kallweit <hkallweit1@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Lukas Funke <lukas.funke@weidmueller.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net: phy: Fix potential null pointer access
Date: Mon, 20 Nov 2023 13:42:05 +0000 [thread overview]
Message-ID: <ZVtiLUpsOQhd2nm+@shell.armlinux.org.uk> (raw)
In-Reply-To: <2508da6b-a099-4271-a1d0-04cfe5d39daf@weidmueller.com>
On Mon, Nov 20, 2023 at 01:38:06PM +0100, Lukas Funke wrote:
> Hi Russel,
>
> On 20.11.2023 10:51, Russell King (Oracle) wrote:
> > On Mon, Nov 20, 2023 at 10:32:54AM +0100, Lukas Funke wrote:
> > > From: Lukas Funke <lukas.funke@weidmueller.com>
> > >
> > > When there is no driver associated with the phydev, there will be a
> > > nullptr access. The commit checks if the phydev driver is set before
> > > access.
> >
> > What's the call path that we encounter a NULL drv pointer?
>
>
> The patch is a bit older and the path is reconstructed from my memory:
>
> macb_phylink_connect -> phylink_of_phy_connect -> of_phy_connect ->
> phy_connect_direct -> phy_request_interrupt
>
> It happend when we used the Xilinx gmii2rgmii phy driver. We did a
> missconfiguration in the dt and bumped into the nullpointer exception. Since
> other functions like phy_aneg_done() also check for driver existence I
> thought it would be a good addition.
So how does this happen in the path you indicate?
phy_connect_direct() calls phy_attach_direct() before calling
phy_request_interrupt(). If phy_attach_direct() needs to succeed for
us to get to call phy_request_interrupt().
phy_attach_direct() checks to see whether the phydev is bound to a
driver. If it isn't, it binds it to the appropriate genphy driver.
As part of that binding, phydev->drv is guaranteed to be set
(by phy_probe(), which will be called via d->driver->probe() if
using one of the genphy drivers.
You mention using the gmii2rgmii driver, which does mess with
phydev->drv, but I can't see a way in that driver where we would
end up with a NULL pointer there.
I think a bit mroe information is needed to describe how this comes
about - and that needs to go in the commit message, so the reason
for this patch is properly documented.
Thanks.
--
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
prev parent reply other threads:[~2023-11-20 13:42 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-20 9:32 [PATCH] net: phy: Fix potential null pointer access Lukas Funke
2023-11-20 9:51 ` Russell King (Oracle)
2023-11-20 12:38 ` Lukas Funke
2023-11-20 13:42 ` Russell King (Oracle) [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZVtiLUpsOQhd2nm+@shell.armlinux.org.uk \
--to=linux@armlinux.org.uk \
--cc=andrew@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=hkallweit1@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lukas.funke-oss@weidmueller.com \
--cc=lukas.funke@weidmueller.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.