On reworking and splitting the at803x driver, in splitting function of at803x PHYs it was added a NULL dereference bug where priv is referenced before it's actually allocated and then is tried to write to for the is_1000basex and is_fiber variables in the case of at8031, writing on the wrong address.
Fix this by correctly setting priv local variable only after at803x_probe is called and actually allocates priv in the phydev struct.
Reported-by: William Wortel wwortel@dorpstraat.com Cc: stable@vger.kernel.org Fixes: 25d2ba94005f ("net: phy: at803x: move specific at8031 probe mode check to dedicated probe") Signed-off-by: Christian Marangi ansuelsmth@gmail.com --- drivers/net/phy/qcom/at803x.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/phy/qcom/at803x.c b/drivers/net/phy/qcom/at803x.c index 4717c59d51d0..e79657f76bea 100644 --- a/drivers/net/phy/qcom/at803x.c +++ b/drivers/net/phy/qcom/at803x.c @@ -797,7 +797,7 @@ static int at8031_parse_dt(struct phy_device *phydev)
static int at8031_probe(struct phy_device *phydev) { - struct at803x_priv *priv = phydev->priv; + struct at803x_priv *priv; int mode_cfg; int ccr; int ret; @@ -806,6 +806,8 @@ static int at8031_probe(struct phy_device *phydev) if (ret) return ret;
+ priv = phydev->priv; + /* Only supported on AR8031/AR8033, the AR8030/AR8035 use strapping * options. */
On Mon, Mar 25, 2024 at 08:06:19PM +0100, Christian Marangi wrote:
On reworking and splitting the at803x driver, in splitting function of at803x PHYs it was added a NULL dereference bug where priv is referenced before it's actually allocated and then is tried to write to for the is_1000basex and is_fiber variables in the case of at8031, writing on the wrong address.
Fix this by correctly setting priv local variable only after at803x_probe is called and actually allocates priv in the phydev struct.
Reported-by: William Wortel wwortel@dorpstraat.com Cc: stable@vger.kernel.org Fixes: 25d2ba94005f ("net: phy: at803x: move specific at8031 probe mode check to dedicated probe") Signed-off-by: Christian Marangi ansuelsmth@gmail.com
Reviewed-by: Andrew Lunn andrew@lunn.ch
Andrew
Hello:
This patch was applied to netdev/net.git (main) by Paolo Abeni pabeni@redhat.com:
On Mon, 25 Mar 2024 20:06:19 +0100 you wrote:
On reworking and splitting the at803x driver, in splitting function of at803x PHYs it was added a NULL dereference bug where priv is referenced before it's actually allocated and then is tried to write to for the is_1000basex and is_fiber variables in the case of at8031, writing on the wrong address.
Fix this by correctly setting priv local variable only after at803x_probe is called and actually allocates priv in the phydev struct.
[...]
Here is the summary with links: - [net] net: phy: qcom: at803x: fix kernel panic with at8031_probe https://git.kernel.org/netdev/net/c/6a4aee277740
You are awesome, thank you!
linux-stable-mirror@lists.linaro.org
-
Andrew Lunn -
Christian Marangi -
patchwork-bot+netdevbpf@kernel.org