Received: by 2002:ab2:6816:0:b0:1f9:5764:f03e with SMTP id t22csp3052597lqo; Tue, 21 May 2024 05:44:00 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCU/DHsG0N00GNsp77O71F7aXKxl3RWpLbDI6h6PtjPdhXZgSpHUsVMCEabCENDxMzhuyewhjgptBbL4LGbYo/8HOPI0QVNh7Rnrp61ZFQ== X-Google-Smtp-Source: AGHT+IFFAyDP2SGsnlyLVqdKJj5Raz/dWu2DJjLhOoWpksUsBnzpy5xY/dlQFA6mSJS39aYP48k0 X-Received: by 2002:a05:6512:3605:b0:51f:b781:729d with SMTP id 2adb3069b0e04-5220fd7acf5mr17080613e87.38.1716295439982; Tue, 21 May 2024 05:43:59 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1716295439; cv=pass; d=google.com; s=arc-20160816; b=P2M2GZ/b3zlOpzWG02Uqo7S84YEzOPYOTZk016wVF/H5t0ib08zfi7Cs+vyM1RMS18 HR5nMBKxdPUbMqAqr4cQqhB4NFFIlLcPU4zOLIOPvHgztUVQdkULSBEx3uKzw7Q+pu2H L6Xi/vRqAp2eN4jp7atfbOFhwHYb2lFA/X0AUpVfnDt0dLwVYBkJjOZ9HdQ2Ve5u/knI Qaw9F++nuijbeVma4PeG67CzI1Fl11o66cdDuSWVviRqnj25vyCKSbjFM9d+4D2rCR3X bkH4bTItteovQ1LkIPJ3iDYhm+pFZ8zHzgn8vZ7USTe7wA6zmycy/mJQCChUmP64tpDt k8NA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:message-id:content-transfer-encoding:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:subject:date :from:dkim-signature; bh=sBHQDVV1jw6tvsDFIyAbBrREYTF4ioSRIEty/E5nqPU=; fh=zVdTXtqjCPDwUhAubQQtLnL2ZEWljZSBYwb+o7chX+k=; b=myvrV6Dn/G9p6QhuSAbv0xjIO87JmWt8UQs16AU26WA2oEoeK7CVI13+0b7FgXsYu1 Aoui/lsVvYqBgnT+dm6rPxj5atp6PH7JeAlcnMIF1I4D8Xu2/GkkpxRwJvXIJkh7TnpX FUzwbPKa9Ec4zivbLc28FBSTh5fA+RIe9NUYXv7yHtU+pMvBJ9P22VOs5qguCLqs6Jj7 2LHnspczPwjRStmjYlAqx2Qjf9noCniDJJn5/e+26b8QonCLV7YUxCI3bLgN3tmLrzSE tr/BZ25wZPWENUmlhl66bQ5/v/YdGVIkPobAEi+0kNwrj2EVoz/sLZXi5TjTtn46FUqV EfiA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@bootlin.com header.s=gm1 header.b=T0TPkoOP; arc=pass (i=1 spf=pass spfdomain=bootlin.com dkim=pass dkdomain=bootlin.com dmarc=pass fromdomain=bootlin.com); spf=pass (google.com: domain of linux-kernel+bounces-184957-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-184957-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=bootlin.com Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id 4fb4d7f45d1cf-5733c2d5655si14082811a12.249.2024.05.21.05.43.59 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 21 May 2024 05:43:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-184957-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; dkim=pass header.i=@bootlin.com header.s=gm1 header.b=T0TPkoOP; arc=pass (i=1 spf=pass spfdomain=bootlin.com dkim=pass dkdomain=bootlin.com dmarc=pass fromdomain=bootlin.com); spf=pass (google.com: domain of linux-kernel+bounces-184957-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-184957-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=bootlin.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 9DB161F231CF for ; Tue, 21 May 2024 12:43:59 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 66CDB770F0; Tue, 21 May 2024 12:43:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=bootlin.com header.i=@bootlin.com header.b="T0TPkoOP" Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F36D428E7; Tue, 21 May 2024 12:43:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.200 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716295428; cv=none; b=Y3oOMtxWyvR2bDzxBzF10HjwRLnfHc2d3htezVCWPUu5cMMwkLm/knt60fzHIeI1vPyhcRNZPYka0qoTq3v4Rn8BxCrsO61/KIMDEJXrkkvPLtNuEr/sg8XejYwNnmiQxNlhlj7sNIj1i20pVGvkwUW72wvd2Ke527xEf7iEU8Y= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716295428; c=relaxed/simple; bh=De/fD9//lDT8ckW0UEfL/y/2vXEAMHB5t/X7InMzgMc=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:To:Cc; b=J+spu9DUGdMtd3CGqI/Me2G5OVeBLqW2C4jG63mVQygRrwiAQ4eQ/p+TGjvnppIEuwl38Ar8YXw2HdsEzU3K3xuBHts/AXiWJm2LOk92izSgE2u9ylzWYmxN6A2oPbv6DVpBkAgAKX7U3quf8vUgoeA0eUpvi0lFCGRQSu3DkB0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=bootlin.com; spf=pass smtp.mailfrom=bootlin.com; dkim=pass (2048-bit key) header.d=bootlin.com header.i=@bootlin.com header.b=T0TPkoOP; arc=none smtp.client-ip=217.70.183.200 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=bootlin.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=bootlin.com Received: by mail.gandi.net (Postfix) with ESMTPSA id C39972000D; Tue, 21 May 2024 12:43:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=gm1; t=1716295423; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=sBHQDVV1jw6tvsDFIyAbBrREYTF4ioSRIEty/E5nqPU=; b=T0TPkoOP0Oln6RdV1lZQCjpQhTbgt3GaQ2j94Yw+Z8ea1ETp/x9tnsAhm4sBjHTyc6FJgn ytWWeoxfxTEk9DRNo9H0PwHB7pR2Pneu3gAkZMBkMNmRjUKRSysG1FysIfeyhisO+FGl/C 1M0B2q6KFUg4mUr/1La3Z1dM/N8QS2k8w0lqGNJNER9rQ48bQBD3G7P1A2yjXX43m5bIiF PPYfG4iD+8h8bvYfzF+aqwAynnJ4FrKOTo9mpAs0uERH4ylCAm5P8jy+o+JUEya2/dc16T 04ABdjNOV7G8j+J1cf9hnRsL52YYj1FjUXuFLcv32oLzhnCOb8y2jKxLCeGxXA== From: Romain Gantois Date: Tue, 21 May 2024 14:44:11 +0200 Subject: [PATCH net] net: ti: icssg_prueth: Fix NULL pointer dereference in prueth_probe() Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: <20240521-icssg-prueth-fix-v1-1-b4b17b1433e9@bootlin.com> X-B4-Tracking: v=1; b=H4sIABqXTGYC/x2MQQ5AQAwAvyI9a1K7y8FXxIFV9LJki0jE3zWOM 8nMA8pZWKEtHsh8icqWDKqygLgOaWGUyRgcuUC1q1Ci6oJ7PvlYcZYbyY/kqQmxjgyW7ZlN/8s OEh/Qv+8HZjSKXWcAAAA= To: MD Danish Anwar , Roger Quadros , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni Cc: Thomas Petazzoni , linux-arm-kernel@lists.infradead.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Romain Gantois X-Mailer: b4 0.13.0 X-GND-Sasl: romain.gantois@bootlin.com In the prueth_probe() function, if one of the calls to emac_phy_connect() fails due to of_phy_connect() returning NULL, then the subsequent call to phy_attached_info() will dereference a NULL pointer. Check the return code of emac_phy_connect and fail cleanly if there is an error. Fixes: 128d5874c082 ("net: ti: icssg-prueth: Add ICSSG ethernet driver") Cc: stable@vger.kernel.org Signed-off-by: Romain Gantois --- Hello everyone, There is a possible NULL pointer dereference in the prueth_probe() function of the icssg_prueth driver. I discovered this while testing a platform with one PRUETH MAC enabled out of the two available. These are the requirements to reproduce the bug: prueth_probe() is called either eth0_node or eth1_node is not NULL in emac_phy_connect: of_phy_connect() returns NULL Then, the following leads to the NULL pointer dereference: prueth->emac[PRUETH_MAC0]->ndev->phydev is set to NULL prueth->emac[PRUETH_MAC0]->ndev->phydev is passed to phy_attached_info() -> phy_attached_print() dereferences phydev which is NULL This series provides a fix by checking the return code of emac_phy_connect(). Best Regards, Romain --- drivers/net/ethernet/ti/icssg/icssg_prueth.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/ti/icssg/icssg_prueth.c b/drivers/net/ethernet/ti/icssg/icssg_prueth.c index 7c9e9518f555a..1ea3fbd5e954e 100644 --- a/drivers/net/ethernet/ti/icssg/icssg_prueth.c +++ b/drivers/net/ethernet/ti/icssg/icssg_prueth.c @@ -1039,7 +1039,12 @@ static int prueth_probe(struct platform_device *pdev) prueth->registered_netdevs[PRUETH_MAC0] = prueth->emac[PRUETH_MAC0]->ndev; - emac_phy_connect(prueth->emac[PRUETH_MAC0]); + ret = emac_phy_connect(prueth->emac[PRUETH_MAC0]); + if (ret) { + dev_err(dev, + "can't connect to MII0 PHY, error -%d", ret); + goto netdev_unregister; + } phy_attached_info(prueth->emac[PRUETH_MAC0]->ndev->phydev); } @@ -1051,7 +1056,12 @@ static int prueth_probe(struct platform_device *pdev) } prueth->registered_netdevs[PRUETH_MAC1] = prueth->emac[PRUETH_MAC1]->ndev; - emac_phy_connect(prueth->emac[PRUETH_MAC1]); + ret = emac_phy_connect(prueth->emac[PRUETH_MAC1]); + if (ret) { + dev_err(dev, + "can't connect to MII1 PHY, error %d", ret); + goto netdev_unregister; + } phy_attached_info(prueth->emac[PRUETH_MAC1]->ndev->phydev); } --- base-commit: e4a87abf588536d1cdfb128595e6e680af5cf3ed change-id: 20240521-icssg-prueth-fix-03b03064c5ce Best regards, -- Romain Gantois