* [PATCH net-next v1 1/1] net: usb: lan78xx: fix possible NULL pointer dereference in lan78xx_phy_init()
@ 2025-06-26 10:37 Oleksij Rempel
2025-07-01 9:15 ` Paolo Abeni
2025-07-01 10:50 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 4+ messages in thread
From: Oleksij Rempel @ 2025-06-26 10:37 UTC (permalink / raw)
To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Woojung Huh, Andrew Lunn, Russell King, Thangaraj Samynathan,
Rengarajan Sundararajan
Cc: Oleksij Rempel, Dan Carpenter, kernel, linux-kernel, netdev,
UNGLinuxDriver, Phil Elwell, Maxime Chevallier, Simon Horman
If no PHY device is found (e.g., for LAN7801 in fixed-link mode),
lan78xx_phy_init() may proceed to dereference a NULL phydev pointer,
leading to a crash.
Update the logic to perform MAC configuration first, then check for the presence
of a PHY. For the fixed-link case, set up the fixed link and return early,
bypassing any code that assumes a valid phydev pointer.
It is safe to move lan78xx_mac_prepare_for_phy() earlier because this function
only uses information from dev->interface, which is configured by
lan78xx_get_phy() beforehand. The function does not access phydev or any data
set up by later steps.
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
---
drivers/net/usb/lan78xx.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
index ae37cd235526..6e9dc30b50f9 100644
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -2831,6 +2831,10 @@ static int lan78xx_phy_init(struct lan78xx_net *dev)
if (ret < 0)
return ret;
+ ret = lan78xx_mac_prepare_for_phy(dev);
+ if (ret < 0)
+ goto phylink_uninit;
+
/* If no PHY is found, set up a fixed link. It is very specific to
* the LAN7801 and is used in special cases like EVB-KSZ9897-1 where
* LAN7801 acts as a USB-to-Ethernet interface to a switch without
@@ -2840,11 +2844,12 @@ static int lan78xx_phy_init(struct lan78xx_net *dev)
ret = lan78xx_set_fixed_link(dev);
if (ret < 0)
goto phylink_uninit;
- }
- ret = lan78xx_mac_prepare_for_phy(dev);
- if (ret < 0)
- goto phylink_uninit;
+ /* No PHY found, so set up a fixed link and return early.
+ * No need to configure PHY IRQ or attach to phylink.
+ */
+ return 0;
+ }
/* if phyirq is not set, use polling mode in phylib */
if (dev->domain_data.phyirq > 0)
--
2.39.5
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH net-next v1 1/1] net: usb: lan78xx: fix possible NULL pointer dereference in lan78xx_phy_init()
2025-06-26 10:37 [PATCH net-next v1 1/1] net: usb: lan78xx: fix possible NULL pointer dereference in lan78xx_phy_init() Oleksij Rempel
@ 2025-07-01 9:15 ` Paolo Abeni
2025-07-01 9:28 ` Oleksij Rempel
2025-07-01 10:50 ` patchwork-bot+netdevbpf
1 sibling, 1 reply; 4+ messages in thread
From: Paolo Abeni @ 2025-07-01 9:15 UTC (permalink / raw)
To: Oleksij Rempel, David S. Miller, Eric Dumazet, Jakub Kicinski,
Woojung Huh, Andrew Lunn, Russell King, Thangaraj Samynathan,
Rengarajan Sundararajan
Cc: Dan Carpenter, kernel, linux-kernel, netdev, UNGLinuxDriver,
Phil Elwell, Maxime Chevallier, Simon Horman
On 6/26/25 12:37 PM, Oleksij Rempel wrote:
> If no PHY device is found (e.g., for LAN7801 in fixed-link mode),
> lan78xx_phy_init() may proceed to dereference a NULL phydev pointer,
> leading to a crash.
>
> Update the logic to perform MAC configuration first, then check for the presence
> of a PHY. For the fixed-link case, set up the fixed link and return early,
> bypassing any code that assumes a valid phydev pointer.
>
> It is safe to move lan78xx_mac_prepare_for_phy() earlier because this function
> only uses information from dev->interface, which is configured by
> lan78xx_get_phy() beforehand. The function does not access phydev or any data
> set up by later steps.
>
> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Looks good, but this IMHO deserves a Fixes tag - yep, even for net-next!
Could you please share it?
Thanks,
Paolo
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH net-next v1 1/1] net: usb: lan78xx: fix possible NULL pointer dereference in lan78xx_phy_init()
2025-07-01 9:15 ` Paolo Abeni
@ 2025-07-01 9:28 ` Oleksij Rempel
0 siblings, 0 replies; 4+ messages in thread
From: Oleksij Rempel @ 2025-07-01 9:28 UTC (permalink / raw)
To: Paolo Abeni
Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Woojung Huh,
Andrew Lunn, Russell King, Thangaraj Samynathan,
Rengarajan Sundararajan, Dan Carpenter, kernel, linux-kernel,
netdev, UNGLinuxDriver, Phil Elwell, Maxime Chevallier,
Simon Horman
On Tue, Jul 01, 2025 at 11:15:29AM +0200, Paolo Abeni wrote:
> On 6/26/25 12:37 PM, Oleksij Rempel wrote:
> > If no PHY device is found (e.g., for LAN7801 in fixed-link mode),
> > lan78xx_phy_init() may proceed to dereference a NULL phydev pointer,
> > leading to a crash.
> >
> > Update the logic to perform MAC configuration first, then check for the presence
> > of a PHY. For the fixed-link case, set up the fixed link and return early,
> > bypassing any code that assumes a valid phydev pointer.
> >
> > It is safe to move lan78xx_mac_prepare_for_phy() earlier because this function
> > only uses information from dev->interface, which is configured by
> > lan78xx_get_phy() beforehand. The function does not access phydev or any data
> > set up by later steps.
> >
> > Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> > Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
>
> Looks good, but this IMHO deserves a Fixes tag - yep, even for net-next!
>
> Could you please share it?
Fixes: e110bc825897 ("net: usb: lan78xx: Convert to PHYLINK for improved PHY and MAC management")
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH net-next v1 1/1] net: usb: lan78xx: fix possible NULL pointer dereference in lan78xx_phy_init()
2025-06-26 10:37 [PATCH net-next v1 1/1] net: usb: lan78xx: fix possible NULL pointer dereference in lan78xx_phy_init() Oleksij Rempel
2025-07-01 9:15 ` Paolo Abeni
@ 2025-07-01 10:50 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-07-01 10:50 UTC (permalink / raw)
To: Oleksij Rempel
Cc: davem, edumazet, kuba, pabeni, woojung.huh, andrew+netdev,
rmk+kernel, Thangaraj.S, Rengarajan.S, dan.carpenter, kernel,
linux-kernel, netdev, UNGLinuxDriver, phil, maxime.chevallier,
horms
Hello:
This patch was applied to netdev/net-next.git (main)
by Paolo Abeni <pabeni@redhat.com>:
On Thu, 26 Jun 2025 12:37:31 +0200 you wrote:
> If no PHY device is found (e.g., for LAN7801 in fixed-link mode),
> lan78xx_phy_init() may proceed to dereference a NULL phydev pointer,
> leading to a crash.
>
> Update the logic to perform MAC configuration first, then check for the presence
> of a PHY. For the fixed-link case, set up the fixed link and return early,
> bypassing any code that assumes a valid phydev pointer.
>
> [...]
Here is the summary with links:
- [net-next,v1,1/1] net: usb: lan78xx: fix possible NULL pointer dereference in lan78xx_phy_init()
https://git.kernel.org/netdev/net-next/c/c22f056e49d9
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2025-07-01 10:49 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-06-26 10:37 [PATCH net-next v1 1/1] net: usb: lan78xx: fix possible NULL pointer dereference in lan78xx_phy_init() Oleksij Rempel
2025-07-01 9:15 ` Paolo Abeni
2025-07-01 9:28 ` Oleksij Rempel
2025-07-01 10:50 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).