[PATCH 1/2] net: phy: fix NULL pointer dereference in phy_polling

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH 1/2] net: phy: fix NULL pointer dereference in phy_polling_mode()
@ 2025-08-06  8:25 Xu Yang
  2025-08-06  8:44 ` Russell King (Oracle)
  0 siblings, 1 reply; 2+ messages in thread
From: Xu Yang @ 2025-08-06  8:25 UTC (permalink / raw)
  To: andrew, hkallweit1, linux, o.rempel, pabeni; +Cc: netdev, imx, linux-kernel

Not all phy devices have phy driver attached, so fix the NULL pointer
dereference issue in phy_polling_mode() which was observed on USB net
devices.

[   31.494735] Unable to handle kernel NULL pointer dereference at virtual address 00000000000001b8
[   31.503512] Mem abort info:
[   31.506298]   ESR = 0x0000000096000004
[   31.510054]   EC = 0x25: DABT (current EL), IL = 32 bits
[   31.515355]   SET = 0, FnV = 0
[   31.518408]   EA = 0, S1PTW = 0
[   31.521543]   FSC = 0x04: level 0 translation fault
[   31.526420] Data abort info:
[   31.529300]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[   31.534778]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[   31.539823]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[   31.545125] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000085a33000
[   31.551558] [00000000000001b8] pgd=0000000000000000, p4d=0000000000000000
[   31.558345] Internal error: Oops: 0000000096000004 [#1]  SMP
[   31.563987] Modules linked in:
[   31.567032] CPU: 1 UID: 0 PID: 38 Comm: kworker/u8:1 Not tainted 6.15.0-rc7-next-20250523-06662-gdb11f7daf2b1-dirty #300 PREEMPT
[   31.578659] Hardware name: NXP i.MX93 11X11 EVK board (DT)
[   31.584129] Workqueue: events_power_efficient phy_state_machine
[   31.590048] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   31.596998] pc : _phy_state_machine+0x120/0x310
[   31.601513] lr : _phy_state_machine+0xc8/0x310
[   31.605942] sp : ffff8000827ebd20
[   31.609244] x29: ffff8000827ebd30 x28: 0000000000000000 x27: 0000000000000000
[   31.616368] x26: ffff000004014028 x25: ffff000004c24b80 x24: ffff000004013a05
[   31.623492] x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000
[   31.630616] x20: ffff00000881fea0 x19: ffff000008515000 x18: 0000000000000006
[   31.637740] x17: 3a76726420303030 x16: 35313538303a7665 x15: 647968702030303a
[   31.644864] x14: ffff000004ea9200 x13: 3030303030303030 x12: ffff800082057068
[   31.651988] x11: 0000000000000058 x10: 000001067f7cd7af x9 : ffff000004ea9200
[   31.659112] x8 : 000000000004341b x7 : ffff000004ea9200 x6 : 00000000000002d6
[   31.666236] x5 : ffff00007fb99308 x4 : 0000000000000000 x3 : 0000000000000000
[   31.673360] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
[   31.680485] Call trace:
[   31.682920]  _phy_state_machine+0x120/0x310 (P)
[   31.687444]  phy_state_machine+0x2c/0x80
[   31.691360]  process_one_work+0x148/0x290
[   31.695364]  worker_thread+0x2c8/0x3e4
[   31.699108]  kthread+0x12c/0x204
[   31.702333]  ret_from_fork+0x10/0x20
[   31.705906] Code: f941be60 b9442261 71001c3f 54000d00 (f940dc02)

Fixes: f2bc1c265572 ("net: phy: introduce optional polling interface for PHY statistics")
Cc: stable@vger.kernel.org
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
---
 include/linux/phy.h | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/include/linux/phy.h b/include/linux/phy.h
index 4c2b8b6e7187..068071646a8b 100644
--- a/include/linux/phy.h
+++ b/include/linux/phy.h
@@ -1632,12 +1632,14 @@ static inline bool phy_interrupt_is_valid(struct phy_device *phydev)
  */
 static inline bool phy_polling_mode(struct phy_device *phydev)
 {
-	if (phydev->state == PHY_CABLETEST)
-		if (phydev->drv->flags & PHY_POLL_CABLE_TEST)
-			return true;
+	if (phydev->drv) {
+		if (phydev->state == PHY_CABLETEST)
+			if (phydev->drv->flags & PHY_POLL_CABLE_TEST)
+				return true;
 
-	if (phydev->drv->update_stats)
-		return true;
+		if (phydev->drv->update_stats)
+			return true;
+	}
 
 	return phydev->irq == PHY_POLL;
 }
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH 1/2] net: phy: fix NULL pointer dereference in phy_polling_mode()
  2025-08-06  8:25 [PATCH 1/2] net: phy: fix NULL pointer dereference in phy_polling_mode() Xu Yang
@ 2025-08-06  8:44 ` Russell King (Oracle)
  0 siblings, 0 replies; 2+ messages in thread
From: Russell King (Oracle) @ 2025-08-06  8:44 UTC (permalink / raw)
  To: Xu Yang; +Cc: andrew, hkallweit1, o.rempel, pabeni, netdev, imx, linux-kernel

On Wed, Aug 06, 2025 at 04:25:12PM +0800, Xu Yang wrote:
> Not all phy devices have phy driver attached, so fix the NULL pointer
> dereference issue in phy_polling_mode() which was observed on USB net
> devices.

When the network device bound to the PHY, either it will be bound to its
PHY driver, or to one of the two genphy drivers. So, this shouldn't
happen. Please explain how to reproduce this.

Thanks.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2025-08-06  8:44 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-06  8:25 [PATCH 1/2] net: phy: fix NULL pointer dereference in phy_polling_mode() Xu Yang
2025-08-06  8:44 ` Russell King (Oracle)

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).