* [PATCH net] net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect @ 2025-07-30 20:23 Heiner Kallweit 2025-07-31 8:58 ` Dawid Osuchowski 2025-08-05 23:20 ` patchwork-bot+netdevbpf 0 siblings, 2 replies; 5+ messages in thread From: Heiner Kallweit @ 2025-07-30 20:23 UTC (permalink / raw) To: Andrew Lunn, Simon Horman, Jakub Kicinski, David Miller, Eric Dumazet, Paolo Abeni Cc: Jacky Chou, Jacob Keller, netdev@vger.kernel.org After the call to phy_disconnect() netdev->phydev is reset to NULL. So fixed_phy_unregister() would be called with a NULL pointer as argument. Therefore cache the phy_device before this call. Fixes: e24a6c874601 ("net: ftgmac100: Get link speed and duplex for NC-SI") Cc: stable@vger.kernel.org Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> --- drivers/net/ethernet/faraday/ftgmac100.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c index 5d0c09068..a863f7841 100644 --- a/drivers/net/ethernet/faraday/ftgmac100.c +++ b/drivers/net/ethernet/faraday/ftgmac100.c @@ -1750,16 +1750,17 @@ static int ftgmac100_setup_mdio(struct net_device *netdev) static void ftgmac100_phy_disconnect(struct net_device *netdev) { struct ftgmac100 *priv = netdev_priv(netdev); + struct phy_device *phydev = netdev->phydev; - if (!netdev->phydev) + if (!phydev) return; - phy_disconnect(netdev->phydev); + phy_disconnect(phydev); if (of_phy_is_fixed_link(priv->dev->of_node)) of_phy_deregister_fixed_link(priv->dev->of_node); if (priv->use_ncsi) - fixed_phy_unregister(netdev->phydev); + fixed_phy_unregister(phydev); } static void ftgmac100_destroy_mdio(struct net_device *netdev) -- 2.50.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
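Review bot: in ftgmac100_phy_disconnect(), the new local `struct phy_device *phydev = netdev->phydev;` deserves a one-line comment saying that phy_disconnect() clears netdev->phydev. That is the whole reason for the cache, nothing in the function body shows it, and the commit message states the reset without naming where it happens. Separately, the `of_phy_is_fixed_link()` and `priv->use_ncsi` branches remain two independent `if`s, so if both could ever be true the cached phydev would be handed to fixed_phy_unregister() after of_phy_deregister_fixed_link() has already run; if the two are meant to be mutually exclusive, an `else if` or a comment would make that explicit.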
* Re: [PATCH net] net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect 2025-07-30 20:23 [PATCH net] net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect Heiner Kallweit @ 2025-07-31 8:58 ` Dawid Osuchowski 2025-07-31 19:22 ` Heiner Kallweit 2025-08-05 23:20 ` patchwork-bot+netdevbpf 1 sibling, 1 reply; 5+ messages in thread From: Dawid Osuchowski @ 2025-07-31 8:58 UTC (permalink / raw) To: Heiner Kallweit, Andrew Lunn, Simon Horman, Jakub Kicinski, David Miller, Eric Dumazet, Paolo Abeni Cc: Jacky Chou, Jacob Keller, netdev@vger.kernel.org On 2025-07-30 10:23 PM, Heiner Kallweit wrote: > After the call to phy_disconnect() netdev->phydev is reset to NULL. phy_disconnect() in its flow does not set phydev to NULL, if anywhere it happens in of_phy_deregister_fixed_link(), which already calls fixed_phy_unregister() before setting phydev to NULL From my understanding (which very much could be wrong) of ftgmac100_probe(), these two cases are mutually exclusive. The device either uses NCSI or will use a phy based on the DT "fixed-link" property > So fixed_phy_unregister() would be called with a NULL pointer as argument. Given my analysis above, I don't think this case is possible. Best regards, Dawid > Therefore cache the phy_device before this call. > > Fixes: e24a6c874601 ("net: ftgmac100: Get link speed and duplex for NC-SI") > Cc: stable@vger.kernel.org > Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> > --- > drivers/net/ethernet/faraday/ftgmac100.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c > index 5d0c09068..a863f7841 100644 > --- a/drivers/net/ethernet/faraday/ftgmac100.c > +++ b/drivers/net/ethernet/faraday/ftgmac100.c 
> @@ -1750,16 +1750,17 @@ static int ftgmac100_setup_mdio(struct net_device *netdev) > static void ftgmac100_phy_disconnect(struct net_device *netdev) > { > struct ftgmac100 *priv = netdev_priv(netdev); > + struct phy_device *phydev = netdev->phydev; > > - if (!netdev->phydev) > + if (!phydev) > return; > > - phy_disconnect(netdev->phydev); > + phy_disconnect(phydev); > if (of_phy_is_fixed_link(priv->dev->of_node)) > of_phy_deregister_fixed_link(priv->dev->of_node); > > if (priv->use_ncsi) > - fixed_phy_unregister(netdev->phydev); > + fixed_phy_unregister(phydev); > } > > static void ftgmac100_destroy_mdio(struct net_device *netdev) ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH net] net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect 2025-07-31 8:58 ` Dawid Osuchowski @ 2025-07-31 19:22 ` Heiner Kallweit 2025-08-01 6:19 ` Dawid Osuchowski 0 siblings, 1 reply; 5+ messages in thread From: Heiner Kallweit @ 2025-07-31 19:22 UTC (permalink / raw) To: Dawid Osuchowski, Andrew Lunn, Simon Horman, Jakub Kicinski, David Miller, Eric Dumazet, Paolo Abeni Cc: Jacky Chou, Jacob Keller, netdev@vger.kernel.org On 7/31/2025 10:58 AM, Dawid Osuchowski wrote: > On 2025-07-30 10:23 PM, Heiner Kallweit wrote: >> After the call to phy_disconnect() netdev->phydev is reset to NULL. > > phy_disconnect() in its flow does not set phydev to NULL, if anywhere it happens in of_phy_deregister_fixed_link(), which already calls fixed_phy_unregister() before setting phydev to NULL I can't follow this argumentation. Look at phy_detach(), there we have: if (phydev->attached_dev) phydev->attached_dev->phydev = NULL; So netdev->phydev is NULL after the call to phy_disconnect, provided that the PHY was attached to the netdev before. If use_ncsi is true, then fixed_phy_unregister() will be called with a NULL argument. This is independent of whether of_phy_is_fixed_link() is true or not. Very likely it's false in the NCSI case. > > From my understanding (which very much could be wrong) of ftgmac100_probe(), these two cases are mutually exclusive. The device either uses NCSI or will use a phy based on the DT "fixed-link" property >> So fixed_phy_unregister() would be called with a NULL pointer as argument. > > Given my analysis above, I don't think this case is possible. > > Best regards, > Dawid >> Therefore cache the phy_device before this call. >> >> Fixes: e24a6c874601 ("net: ftgmac100: Get link speed and duplex for NC-SI") >> Cc: stable@vger.kernel.org >> Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> >> --- >> drivers/net/ethernet/faraday/ftgmac100.c | 7 ++++--- >> 1 file changed, 4 insertions(+), 3 deletions(-) 
>> >> diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c >> index 5d0c09068..a863f7841 100644 >> --- a/drivers/net/ethernet/faraday/ftgmac100.c >> +++ b/drivers/net/ethernet/faraday/ftgmac100.c >> @@ -1750,16 +1750,17 @@ static int ftgmac100_setup_mdio(struct net_device *netdev) >> static void ftgmac100_phy_disconnect(struct net_device *netdev) >> { >> struct ftgmac100 *priv = netdev_priv(netdev); >> + struct phy_device *phydev = netdev->phydev; >> - if (!netdev->phydev) >> + if (!phydev) >> return; >> - phy_disconnect(netdev->phydev); >> + phy_disconnect(phydev); >> if (of_phy_is_fixed_link(priv->dev->of_node)) >> of_phy_deregister_fixed_link(priv->dev->of_node); >> if (priv->use_ncsi) >> - fixed_phy_unregister(netdev->phydev); >> + fixed_phy_unregister(phydev); >> } >> static void ftgmac100_destroy_mdio(struct net_device *netdev) > ^ permalink raw reply [flat|nested] 5+ messages in thread
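The point made in the message above, as an added userspace model that is not part of the thread or the kernel source: it contrasts the teardown before and after the patch and records what the unregister step receives. The `model_*` functions, `teardown_before()`, `teardown_after()` and `unreg_arg()` are hypothetical stand-ins, and `model_phy_disconnect()` reproduces only the two `phy_detach()` lines quoted in the message.

```c
#include <stddef.h>
/* Constructed userspace model: only the fields the thread discusses. */
struct net_device;
struct phy_device { struct net_device *attached_dev; };
struct net_device { struct phy_device *phydev; int use_ncsi; };
static struct phy_device not_called, *last_arg = &not_called; /* stand-in's last argument */

static void model_fixed_phy_unregister(struct phy_device *phydev) { last_arg = phydev; }

/* Mirrors the phy_detach() lines quoted in the thread. */
static void model_phy_disconnect(struct phy_device *phydev)
{
    if (phydev->attached_dev)
        phydev->attached_dev->phydev = NULL;
}

/* Before the patch: netdev->phydev is read again after the disconnect. */
static void teardown_before(struct net_device *netdev)
{
    if (!netdev->phydev)
        return;
    model_phy_disconnect(netdev->phydev);
    if (netdev->use_ncsi)
        model_fixed_phy_unregister(netdev->phydev); /* NULL by now */
}

/* After the patch: the pointer is cached before the disconnect. */
static void teardown_after(struct net_device *netdev)
{
    struct phy_device *phydev = netdev->phydev;
    if (!phydev)
        return;
    model_phy_disconnect(phydev);
    if (netdev->use_ncsi)
        model_fixed_phy_unregister(phydev);
}

/* 1: stand-in got the attached phy_device, 0: got NULL, -1: never called. */
static int unreg_arg(void (*teardown)(struct net_device *), int use_ncsi)
{
    struct net_device nd = { NULL, use_ncsi };
    struct phy_device phy = { &nd };
    nd.phydev = &phy;
    last_arg = &not_called;
    teardown(&nd);
    return last_arg == &phy ? 1 : last_arg == NULL ? 0 : -1;
}

int main(void) { return unreg_arg(teardown_before, 1) != 0 || unreg_arg(teardown_after, 1) != 1; }
```

The program exits with status 0 when the pre-patch variant passes NULL and the patched variant passes the attached device, which is the behaviour the message describes for the `use_ncsi` case.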
* Re: [PATCH net] net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect 2025-07-31 19:22 ` Heiner Kallweit @ 2025-08-01 6:19 ` Dawid Osuchowski 0 siblings, 0 replies; 5+ messages in thread 
From: Dawid Osuchowski @ 2025-08-01 6:19 UTC (permalink / raw) To: Heiner Kallweit, Andrew Lunn, Simon Horman, Jakub Kicinski, David Miller, Eric Dumazet, Paolo Abeni Cc: Jacky Chou, Jacob Keller, netdev@vger.kernel.org On 2025-07-31 9:22 PM, Heiner Kallweit wrote: > On 7/31/2025 10:58 AM, Dawid Osuchowski wrote: >> On 2025-07-30 10:23 PM, Heiner Kallweit wrote: >>> After the call to phy_disconnect() netdev->phydev is reset to NULL. >> >> phy_disconnect() in its flow does not set phydev to NULL, if anywhere it happens in of_phy_deregister_fixed_link(), which already calls fixed_phy_unregister() before setting phydev to NULL > > I can't follow this argumentation. Look at phy_detach(), there we have: > if (phydev->attached_dev) > phydev->attached_dev->phydev = NULL; > So netdev->phydev is NULL after the call to phy_disconnect, provided that the PHY was attached to the netdev before. > If use_ncsi is true, then fixed_phy_unregister() will be called with a NULL argument. You are absolutely correct. Somehow I missed that and I apologize for the confusion on my side. With that cleared up: Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com> Thanks, Dawid > > This is independent of whether of_phy_is_fixed_link() is true or not. > Very likely it's false in the NCSI case. > >> >> From my understanding (which very much could be wrong) of ftgmac100_probe(), these two cases are mutually exclusive. The device either uses NCSI or will use a phy based on the DT "fixed-link" property > >>> So fixed_phy_unregister() would be called with a NULL pointer as argument. >> >> Given my analysis above, I don't think this case is possible. >> >> Best regards, >> Dawid >>> Therefore cache the phy_device before this call. >>> >>> Fixes: e24a6c874601 ("net: ftgmac100: Get link speed and duplex for NC-SI") >>> Cc: stable@vger.kernel.org 
>>> Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> >>> --- >>> drivers/net/ethernet/faraday/ftgmac100.c | 7 ++++--- >>> 1 file changed, 4 insertions(+), 3 deletions(-) >>> >>> diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c >>> index 5d0c09068..a863f7841 100644 >>> --- a/drivers/net/ethernet/faraday/ftgmac100.c >>> +++ b/drivers/net/ethernet/faraday/ftgmac100.c >>> @@ -1750,16 +1750,17 @@ static int ftgmac100_setup_mdio(struct net_device *netdev) >>> static void ftgmac100_phy_disconnect(struct net_device *netdev) >>> { >>> struct ftgmac100 *priv = netdev_priv(netdev); >>> + struct phy_device *phydev = netdev->phydev; >>> - if (!netdev->phydev) >>> + if (!phydev) >>> return; >>> - phy_disconnect(netdev->phydev); >>> + phy_disconnect(phydev); >>> if (of_phy_is_fixed_link(priv->dev->of_node)) >>> of_phy_deregister_fixed_link(priv->dev->of_node); >>> if (priv->use_ncsi) >>> - fixed_phy_unregister(netdev->phydev); >>> + fixed_phy_unregister(phydev); >>> } >>> static void ftgmac100_destroy_mdio(struct net_device *netdev) >> > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH net] net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect 2025-07-30 20:23 [PATCH net] net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect Heiner Kallweit 2025-07-31 8:58 ` Dawid Osuchowski @ 2025-08-05 23:20 ` patchwork-bot+netdevbpf 1 sibling, 0 replies; 5+ messages in thread From: patchwork-bot+netdevbpf @ 2025-08-05 23:20 UTC (permalink / raw) To: Heiner Kallweit Cc: andrew+netdev, horms, kuba, davem, edumazet, pabeni, jacky_chou, jacob.e.keller, netdev Hello: This patch was applied to netdev/net.git (main) by Jakub Kicinski <kuba@kernel.org>: On Wed, 30 Jul 2025 22:23:23 +0200 you wrote: > After the call to phy_disconnect() netdev->phydev is reset to NULL. > So fixed_phy_unregister() would be called with a NULL pointer as argument. > Therefore cache the phy_device before this call. > > Fixes: e24a6c874601 ("net: ftgmac100: Get link speed and duplex for NC-SI") > Cc: stable@vger.kernel.org > Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> > > [...] Here is the summary with links: - [net] net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect https://git.kernel.org/netdev/net/c/e88fbc30dda1 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html ^ permalink raw reply [flat|nested] 5+ messages in thread