From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Yang Yingliang <yangyingliang@huawei.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 39/62] net: phy: fix null-ptr-deref while probe() failed
Date: Mon, 5 Dec 2022 20:09:36 +0100 [thread overview]
Message-ID: <20221205190759.569905994@linuxfoundation.org> (raw)
In-Reply-To: <20221205190758.073114639@linuxfoundation.org>
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 369eb2c9f1f72adbe91e0ea8efb130f0a2ba11a6 ]
I got a null-ptr-deref report as following when doing fault injection test:
BUG: kernel NULL pointer dereference, address: 0000000000000058
Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G B N 6.1.0-rc3+
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:klist_put+0x2d/0xd0
Call Trace:
<TASK>
klist_remove+0xf1/0x1c0
device_release_driver_internal+0x23e/0x2d0
bus_remove_device+0x1bd/0x240
device_del+0x357/0x770
phy_device_remove+0x11/0x30
mdiobus_unregister+0xa5/0x140
release_nodes+0x6a/0xa0
devres_release_all+0xf8/0x150
device_unbind_cleanup+0x19/0xd0
//probe path:
phy_device_register()
device_add()
phy_connect
phy_attach_direct() //set device driver
probe() //it's failed, driver is not bound
device_bind_driver() // probe failed, it's not called
//remove path:
phy_device_remove()
device_del()
device_release_driver_internal()
__device_release_driver() //dev->drv is not NULL
klist_remove() <- knode_driver is not added yet, cause null-ptr-deref
In phy_attach_direct(), after setting the 'dev->driver', probe() fails,
device_bind_driver() is not called, so the knode_driver->n_klist is not
set, then it causes null-ptr-deref in __device_release_driver() while
deleting device. Fix this by setting dev->driver to NULL in the error
path in phy_attach_direct().
Fixes: e13934563db0 ("[PATCH] PHY Layer fixup")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/phy_device.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
index a3ba95e96695..90dbf1b2a33a 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -948,6 +948,7 @@ int phy_attach_direct(struct net_device *dev, struct phy_device *phydev,
error_module_put:
module_put(d->driver->owner);
+ d->driver = NULL;
error_put_device:
put_device(d);
if (ndev_owner != bus->owner)
--
2.35.1
next prev parent reply other threads:[~2022-12-05 19:13 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-05 19:08 [PATCH 4.9 00/62] 4.9.335-rc1 review Greg Kroah-Hartman
2022-12-05 19:08 ` [PATCH 4.9 01/62] wifi: mac80211_hwsim: fix debugfs attribute ps with rc table support Greg Kroah-Hartman
2022-12-05 19:08 ` [PATCH 4.9 02/62] audit: fix undefined behavior in bit shift for AUDIT_BIT Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 03/62] wifi: mac80211: Fix ack frame idr leak when mesh has no route Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 04/62] MIPS: pic32: treat port as signed integer Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 05/62] af_key: Fix send_acquire race with pfkey_register Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 06/62] bus: sunxi-rsb: Support atomic transfers Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 07/62] ARM: dts: at91: sam9g20ek: enable udc vbus gpio pinctrl Greg Kroah-Hartman
2022-12-05 19:09 ` Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 08/62] nfc/nci: fix race with opening and closing Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 09/62] net: pch_gbe: fix potential memleak in pch_gbe_tx_queue() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 10/62] 9p/fd: fix issue of list_del corruption in p9_fd_cancel() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 11/62] ARM: mxs: fix memory leak in mxs_machine_init() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 12/62] net/mlx4: Check retval of mlx4_bitmap_init Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 13/62] net/qla3xxx: fix potential memleak in ql3xxx_send() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 14/62] xfrm: Fix ignored return value in xfrm6_init() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 15/62] NFC: nci: fix memory leak in nci_rx_data_packet() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 16/62] nfc: st-nci: fix incorrect validating logic in EVT_TRANSACTION Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 17/62] nfc: st-nci: fix memory leaks " Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 18/62] net: thunderx: Fix the ACPI memory leak Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 19/62] s390/crashdump: fix TOD programmable field size Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 20/62] iio: light: apds9960: fix wrong register for gesture gain Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 21/62] iio: core: Fix entry not deleted when iio_register_sw_trigger_type() fails Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 22/62] kconfig: display recursive dependency resolution hint just once Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 23/62] nios2: add FORCE for vmlinuz.gz Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 24/62] nilfs2: fix nilfs_sufile_mark_dirty() not set segment usage as dirty Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 25/62] serial: 8250: 8250_omap: Avoid RS485 RTS glitch on ->set_termios() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 26/62] xen/platform-pci: add missing free_irq() in error path Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 27/62] platform/x86: asus-wmi: add missing pci_dev_put() in asus_wmi_set_xusb2pr() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 28/62] tcp: configurable source port perturb table size Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 29/62] net: usb: qmi_wwan: add Telit 0x103a composition Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 30/62] drm/amdgpu: always register an MMU notifier for userptr Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 31/62] iio: health: afe4403: Fix oob read in afe4403_read_raw Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 32/62] iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 33/62] hwmon: (i5500_temp) fix missing pci_disable_device() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 34/62] hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 35/62] net/mlx5: Fix uninitialized variable bug in outlen_write() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 36/62] can: sja1000_isa: sja1000_isa_probe(): add missing free_sja1000dev() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 37/62] can: cc770: cc770_isa_probe(): add missing free_cc770dev() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 38/62] qlcnic: fix sleep-in-atomic-context bugs caused by msleep Greg Kroah-Hartman
2022-12-06 12:51 ` Pavel Machek
2022-12-05 19:09 ` Greg Kroah-Hartman [this message]
2022-12-05 19:09 ` [PATCH 4.9 40/62] net: net_netdev: Fix error handling in ntb_netdev_init_module() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 41/62] net/9p: Fix a potential socket leak in p9_socket_open Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 42/62] net: hsr: Fix potential use-after-free Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 43/62] packet: do not set TP_STATUS_CSUM_VALID on CHECKSUM_COMPLETE Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 44/62] net: ethernet: renesas: ravb: Fix promiscuous mode after system resumed Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 45/62] hwmon: (coretemp) Check for null before removing sysfs attrs Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 46/62] hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 47/62] btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 48/62] tools/vm/slabinfo-gnuplot: use "grep -E" instead of "egrep" Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 49/62] nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 50/62] arm64: Fix panic() when Spectre-v2 causes Spectre-BHB to re-allocate KVM vectors Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 51/62] arm64: errata: Fix KVM Spectre-v2 mitigation selection for Cortex-A57/A72 Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 52/62] ASoC: ops: Fix bounds check for _sx controls Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 53/62] pinctrl: single: Fix potential division by zero Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 54/62] iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 55/62] tcp/udp: Fix memory leak in ipv6_renew_options() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 56/62] Revert "fbdev: fb_pm2fb: Avoid potential divide by zero error" Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 57/62] x86/tsx: Add a feature bit for TSX control MSR support Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 58/62] x86/pm: Add enumeration check before spec MSRs save/restore setup Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 59/62] Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 60/62] x86/ioremap: Fix page aligned size calculation in __ioremap_caller() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 61/62] mmc: sdhci: use FIELD_GET for preset value bit masks Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 62/62] mmc: sdhci: Fix voltage switch delay Greg Kroah-Hartman
2022-12-05 22:28 ` [PATCH 4.9 00/62] 4.9.335-rc1 review Jon Hunter
2022-12-05 22:48 ` Florian Fainelli
2022-12-06 0:11 ` Florian Fainelli
2022-12-06 9:23 ` Adrian Hunter
2022-12-06 11:37 ` Greg Kroah-Hartman
2022-12-06 2:51 ` Shuah Khan
2022-12-06 10:31 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221205190759.569905994@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=yangyingliang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.