diff mbox series

[net] net: phy: Fix possible NULL pointer dereference issues caused by phy_attached_info_irq

Message ID 20240112095724.154197-1-chentao@kylinos.cn (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series [net] net: phy: Fix possible NULL pointer dereference issues caused by phy_attached_info_irq | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success SINGLE THREAD; Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1081 this patch: 1081
netdev/cc_maintainers success CCed 0 of 0 maintainers
netdev/build_clang success Errors and warnings before: 1096 this patch: 1096
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 1096 this patch: 1096
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 17 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Kunwu Jan. 12, 2024, 9:57 a.m. UTC 
kasprintf() returns a pointer to dynamically allocated memory
which can be NULL upon failure. Ensure the allocation was successful
by checking the pointer validity.

Fixes: e27f178793de ("net: phy: Added IRQ print to phylink_bringup_phy()")
Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
---
 drivers/net/phy/phy_device.c | 3 +++
 drivers/net/phy/phylink.c    | 2 ++
 2 files changed, 5 insertions(+)

Comments

Andrew Lunn Jan. 12, 2024, 3:32 p.m. UTC | #1 
On Fri, Jan 12, 2024 at 05:57:24PM +0800, Kunwu Chan wrote:
> kasprintf() returns a pointer to dynamically allocated memory
> which can be NULL upon failure. Ensure the allocation was successful
> by checking the pointer validity.
> 
> Fixes: e27f178793de ("net: phy: Added IRQ print to phylink_bringup_phy()")
> Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
> ---
>  drivers/net/phy/phy_device.c | 3 +++
>  drivers/net/phy/phylink.c    | 2 ++
>  2 files changed, 5 insertions(+)
> 
> diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
> index 3611ea64875e..10fa99d957c0 100644
> --- a/drivers/net/phy/phy_device.c
> +++ b/drivers/net/phy/phy_device.c
> @@ -1299,6 +1299,9 @@ void phy_attached_print(struct phy_device *phydev, const char *fmt, ...)
>  	const char *unbound = phydev->drv ? "" : "[unbound] ";
>  	char *irq_str = phy_attached_info_irq(phydev);
>  
> +	if (!irq_str)
> +		return;
> +
>  	if (!fmt) {
>  		phydev_info(phydev, ATTACHED_FMT "\n", unbound,
>  			    phydev_name(phydev), irq_str);

This part looks O.K.

> diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c
> index ed0b4ccaa6a6..db0a545c9468 100644
> --- a/drivers/net/phy/phylink.c
> +++ b/drivers/net/phy/phylink.c
> @@ -1884,6 +1884,8 @@ static int phylink_bringup_phy(struct phylink *pl, struct phy_device *phy,
>  	phy->phy_link_change = phylink_phy_change;
>  
>  	irq_str = phy_attached_info_irq(phy);
> +	if (!irq_str)
> +		return -ENOMEM;

Here, i would just skip the print and continue with the reset of the
function. The print is just useful information, its not a big problem
if its not printed. However, if this function does not complete, the
network interface is likely to be dead.

	Andrew
Kunwu Jan. 15, 2024, 3:02 a.m. UTC | #2 
Thanks for your reply.

On 2024/1/12 23:32, Andrew Lunn wrote:
> On Fri, Jan 12, 2024 at 05:57:24PM +0800, Kunwu Chan wrote:
>> kasprintf() returns a pointer to dynamically allocated memory
>> which can be NULL upon failure. Ensure the allocation was successful
>> by checking the pointer validity.
>>
>> Fixes: e27f178793de ("net: phy: Added IRQ print to phylink_bringup_phy()")
>> Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
>> ---
>>   drivers/net/phy/phy_device.c | 3 +++
>>   drivers/net/phy/phylink.c    | 2 ++
>>   2 files changed, 5 insertions(+)
>>
>> diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
>> index 3611ea64875e..10fa99d957c0 100644
>> --- a/drivers/net/phy/phy_device.c
>> +++ b/drivers/net/phy/phy_device.c
>> @@ -1299,6 +1299,9 @@ void phy_attached_print(struct phy_device *phydev, const char *fmt, ...)
>>   	const char *unbound = phydev->drv ? "" : "[unbound] ";
>>   	char *irq_str = phy_attached_info_irq(phydev);
>>   
>> +	if (!irq_str)
>> +		return;
>> +
>>   	if (!fmt) {
>>   		phydev_info(phydev, ATTACHED_FMT "\n", unbound,
>>   			    phydev_name(phydev), irq_str);
> 
> This part looks O.K.
> 
>> diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c
>> index ed0b4ccaa6a6..db0a545c9468 100644
>> --- a/drivers/net/phy/phylink.c
>> +++ b/drivers/net/phy/phylink.c
>> @@ -1884,6 +1884,8 @@ static int phylink_bringup_phy(struct phylink *pl, struct phy_device *phy,
>>   	phy->phy_link_change = phylink_phy_change;
>>   
>>   	irq_str = phy_attached_info_irq(phy);
>> +	if (!irq_str)
>> +		return -ENOMEM;
> 
> Here, i would just skip the print and continue with the reset of the
> function. The print is just useful information, its not a big problem
> if its not printed. However, if this function does not complete, the
> network interface is likely to be dead.
Thanks for the reminder.
The second part doesn't look so perfect, can we just print an empty 
string when the irq_str is empty?

--- a/drivers/net/phy/phylink.c
+++ b/drivers/net/phy/phylink.c
@@ -1886,7 +1886,7 @@ static int phylink_bringup_phy(struct phylink *pl, 
struct phy_device *phy,
         irq_str = phy_attached_info_irq(phy);
         phylink_info(pl,
                      "PHY [%s] driver [%s] (irq=%s)\n",
-                    dev_name(&phy->mdio.dev), phy->drv->name, irq_str);
+                    dev_name(&phy->mdio.dev), phy->drv->name, irq_str ? 
irq_str : "");
         kfree(irq_str);

> 
> 	Andrew
Andrew Lunn Jan. 15, 2024, 3:45 a.m. UTC | #3 
> > Here, i would just skip the print and continue with the reset of the
> > function. The print is just useful information, its not a big problem
> > if its not printed. However, if this function does not complete, the
> > network interface is likely to be dead.
> Thanks for the reminder.
> The second part doesn't look so perfect, can we just print an empty string
> when the irq_str is empty?
> 
> --- a/drivers/net/phy/phylink.c
> +++ b/drivers/net/phy/phylink.c
> @@ -1886,7 +1886,7 @@ static int phylink_bringup_phy(struct phylink *pl,
> struct phy_device *phy,
>         irq_str = phy_attached_info_irq(phy);
>         phylink_info(pl,
>                      "PHY [%s] driver [%s] (irq=%s)\n",
> -                    dev_name(&phy->mdio.dev), phy->drv->name, irq_str);
> +                    dev_name(&phy->mdio.dev), phy->drv->name, irq_str ?
> irq_str : "");
>         kfree(irq_str);

That is O.K, or skip the whole phylink_info().

     Andrew
Kunwu Jan. 15, 2024, 7:28 a.m. UTC | #4 
On 2024/1/15 11:45, Andrew Lunn wrote:
>>> Here, i would just skip the print and continue with the reset of the
>>> function. The print is just useful information, its not a big problem
>>> if its not printed. However, if this function does not complete, the
>>> network interface is likely to be dead.
>> Thanks for the reminder.
>> The second part doesn't look so perfect, can we just print an empty string
>> when the irq_str is empty?
>>
>> --- a/drivers/net/phy/phylink.c
>> +++ b/drivers/net/phy/phylink.c
>> @@ -1886,7 +1886,7 @@ static int phylink_bringup_phy(struct phylink *pl,
>> struct phy_device *phy,
>>          irq_str = phy_attached_info_irq(phy);
>>          phylink_info(pl,
>>                       "PHY [%s] driver [%s] (irq=%s)\n",
>> -                    dev_name(&phy->mdio.dev), phy->drv->name, irq_str);
>> +                    dev_name(&phy->mdio.dev), phy->drv->name, irq_str ?
>> irq_str : "");
>>          kfree(irq_str);
> 
> That is O.K, or skip the whole phylink_info().
> 
>       Andrew

Thanks, I will update it in v2 patch. Personal view, print a msg is good 
for debug.
diff mbox series

Patch

diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
index 3611ea64875e..10fa99d957c0 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -1299,6 +1299,9 @@  void phy_attached_print(struct phy_device *phydev, const char *fmt, ...)
 	const char *unbound = phydev->drv ? "" : "[unbound] ";
 	char *irq_str = phy_attached_info_irq(phydev);
 
+	if (!irq_str)
+		return;
+
 	if (!fmt) {
 		phydev_info(phydev, ATTACHED_FMT "\n", unbound,
 			    phydev_name(phydev), irq_str);
diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c
index ed0b4ccaa6a6..db0a545c9468 100644
--- a/drivers/net/phy/phylink.c
+++ b/drivers/net/phy/phylink.c
@@ -1884,6 +1884,8 @@  static int phylink_bringup_phy(struct phylink *pl, struct phy_device *phy,
 	phy->phy_link_change = phylink_phy_change;
 
 	irq_str = phy_attached_info_irq(phy);
+	if (!irq_str)
+		return -ENOMEM;
 	phylink_info(pl,
 		     "PHY [%s] driver [%s] (irq=%s)\n",
 		     dev_name(&phy->mdio.dev), phy->drv->name, irq_str);