diff mbox series

[net] phylib: fix potential use-after-free

Message ID 20220119162748.32418-1-kabel@kernel.org (mailing list archive)
State Accepted
Commit cbda1b16687580d5beee38273f6241ae3725960c
Delegated to: Netdev Maintainers
Headers show
Series [net] phylib: fix potential use-after-free | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers fail 2 blamed authors not CCed: robh@kernel.org geert+renesas@glider.be; 5 maintainers not CCed: kuba@kernel.org robh@kernel.org geert+renesas@glider.be linux@armlinux.org.uk hkallweit1@gmail.com
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 18 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Marek Behún Jan. 19, 2022, 4:27 p.m. UTC 
Commit bafbdd527d56 ("phylib: Add device reset GPIO support") added call
to phy_device_reset(phydev) after the put_device() call in phy_detach().

The comment before the put_device() call says that the phydev might go
away with put_device().

Fix potential use-after-free by calling phy_device_reset() before
put_device().

Fixes: bafbdd527d56 ("phylib: Add device reset GPIO support")
Signed-off-by: Marek Behún <kabel@kernel.org>
---
 drivers/net/phy/phy_device.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Comments

Andrew Lunn Jan. 20, 2022, 12:27 a.m. UTC | #1 
On Wed, Jan 19, 2022 at 05:27:48PM +0100, Marek Behún wrote:
> Commit bafbdd527d56 ("phylib: Add device reset GPIO support") added call
> to phy_device_reset(phydev) after the put_device() call in phy_detach().
> 
> The comment before the put_device() call says that the phydev might go
> away with put_device().
> 
> Fix potential use-after-free by calling phy_device_reset() before
> put_device().
> 
> Fixes: bafbdd527d56 ("phylib: Add device reset GPIO support")
> Signed-off-by: Marek Behún <kabel@kernel.org>

Reviewed-by: Andrew Lunn <andrew@lunn.ch>

    Andrew
patchwork-bot+netdevbpf@kernel.org Jan. 21, 2022, 6 a.m. UTC | #2 
Hello:

This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 19 Jan 2022 17:27:48 +0100 you wrote:
> Commit bafbdd527d56 ("phylib: Add device reset GPIO support") added call
> to phy_device_reset(phydev) after the put_device() call in phy_detach().
> 
> The comment before the put_device() call says that the phydev might go
> away with put_device().
> 
> Fix potential use-after-free by calling phy_device_reset() before
> put_device().
> 
> [...]

Here is the summary with links:
  - [net] phylib: fix potential use-after-free
    https://git.kernel.org/netdev/net/c/cbda1b166875

You are awesome, thank you!
diff mbox series

Patch

diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
index 74d8e1dc125f..ce0bb5951b81 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -1746,6 +1746,9 @@  void phy_detach(struct phy_device *phydev)
 	    phy_driver_is_genphy_10g(phydev))
 		device_release_driver(&phydev->mdio.dev);
 
+	/* Assert the reset signal */
+	phy_device_reset(phydev, 1);
+
 	/*
 	 * The phydev might go away on the put_device() below, so avoid
 	 * a use-after-free bug by reading the underlying bus first.
@@ -1757,9 +1760,6 @@  void phy_detach(struct phy_device *phydev)
 		ndev_owner = dev->dev.parent->driver->owner;
 	if (ndev_owner != bus->owner)
 		module_put(bus->owner);
-
-	/* Assert the reset signal */
-	phy_device_reset(phydev, 1);
 }
 EXPORT_SYMBOL(phy_detach);