Re: [PATCH net] net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect

[Heiner Kallweit <hkallweit1@gmail.com>]

On 7/31/2025 10:58 AM, Dawid Osuchowski wrote:
> On 2025-07-30 10:23 PM, Heiner Kallweit wrote:
>> After the call to phy_disconnect() netdev->phydev is reset to NULL.
> 
> phy_disconnect() in its flow does not set phydev to NULL, if anywhere it happens in of_phy_deregister_fixed_link(), which already calls fixed_phy_unregister() before setting phydev to NULL

I can't follow this argumentation. Look at phy_detach(), there we have:
if (phydev->attached_dev)
	phydev->attached_dev->phydev = NULL;
So netdev->phydev is NULL after the call to phy_disconnect, provided that the PHY was attached to the netdev before.
If use_ncsi is true, then fixed_phy_unregister() will be called with a NULL argument.

This is independent of whether of_phy_is_fixed_link() is true or not.
Very likely it's false in the NCSI case.

> 
> From my understanding (which very much could be wrong) of ftgmac100_probe(), these two cases are mutually exclusive. The device either uses NCSI or will use a phy based on the DT "fixed-link" property

>> So fixed_phy_unregister() would be called with a NULL pointer as argument.
> 
> Given my analysis above, I don't think this case is possible.
> 
> Best regards,
> Dawid
>> Therefore cache the phy_device before this call.
>>
>> Fixes: e24a6c874601 ("net: ftgmac100: Get link speed and duplex for NC-SI")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
>> ---
>>   drivers/net/ethernet/faraday/ftgmac100.c | 7 ++++---
>>   1 file changed, 4 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c
>> index 5d0c09068..a863f7841 100644
>> --- a/drivers/net/ethernet/faraday/ftgmac100.c
>> +++ b/drivers/net/ethernet/faraday/ftgmac100.c
>> @@ -1750,16 +1750,17 @@ static int ftgmac100_setup_mdio(struct net_device *netdev)
>>   static void ftgmac100_phy_disconnect(struct net_device *netdev)
>>   {
>>       struct ftgmac100 *priv = netdev_priv(netdev);
>> +    struct phy_device *phydev = netdev->phydev;
>>   -    if (!netdev->phydev)
>> +    if (!phydev)
>>           return;
>>   -    phy_disconnect(netdev->phydev);
>> +    phy_disconnect(phydev);
>>       if (of_phy_is_fixed_link(priv->dev->of_node))
>>           of_phy_deregister_fixed_link(priv->dev->of_node);
>>         if (priv->use_ncsi)
>> -        fixed_phy_unregister(netdev->phydev);
>> +        fixed_phy_unregister(phydev);
>>   }
>>     static void ftgmac100_destroy_mdio(struct net_device *netdev)
>