Message ID | 20200917034310.2360488-2-f.fainelli@gmail.com |
---|---|
State | Accepted |
Delegated to: | David Miller |
Headers | show |
Series | net: phy: Unbind fixes | expand |
On Wed, Sep 16, 2020 at 08:43:09PM -0700, Florian Fainelli wrote: > If we have unbound the PHY driver prior to calling phy_detach() (often > via phy_disconnect()) then we can cause a NULL pointer de-reference > accessing the driver owner member. The steps to reproduce are: > > echo unimac-mdio-0:01 > /sys/class/net/eth0/phydev/driver/unbind > ip link set eth0 down Hi Florian How forceful is this unbind? Can we actually block it while the interface is up? Or returning -EBUSY would make sense. Andrew
On 9/17/2020 6:15 AM, Andrew Lunn wrote: > On Wed, Sep 16, 2020 at 08:43:09PM -0700, Florian Fainelli wrote: >> If we have unbound the PHY driver prior to calling phy_detach() (often >> via phy_disconnect()) then we can cause a NULL pointer de-reference >> accessing the driver owner member. The steps to reproduce are: >> >> echo unimac-mdio-0:01 > /sys/class/net/eth0/phydev/driver/unbind >> ip link set eth0 down > > Hi Florian > > How forceful is this unbind? Can we actually block it while the > interface is up? Or returning -EBUSY would make sense. It it not forceful, you can unbind the PHY driver from underneath the net_device and nothing bad happens, really. This is not a very realistic or practical use case, but several years ago, I went into making sure we would not create NPD if that happened.
On Wed, Sep 16, 2020 at 08:43:09PM -0700, Florian Fainelli wrote: > If we have unbound the PHY driver prior to calling phy_detach() (often > via phy_disconnect()) then we can cause a NULL pointer de-reference > accessing the driver owner member. The steps to reproduce are: > > echo unimac-mdio-0:01 > /sys/class/net/eth0/phydev/driver/unbind > ip link set eth0 down > > Fixes: cafe8df8b9bc ("net: phy: Fix lack of reference count on PHY driver") > Signed-off-by: Florian Fainelli <f.fainelli@gmail.com> Reviewed-by: Andrew Lunn <andrew@lunn.ch> Andrew
diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c index 8adfbad0a1e8..81eb76a8295b 100644 --- a/drivers/net/phy/phy_device.c +++ b/drivers/net/phy/phy_device.c @@ -1682,7 +1682,8 @@ void phy_detach(struct phy_device *phydev) phy_led_triggers_unregister(phydev); - module_put(phydev->mdio.dev.driver->owner); + if (phydev->mdio.dev.driver) + module_put(phydev->mdio.dev.driver->owner); /* If the device had no specific driver before (i.e. - it * was using the generic driver), we unbind the device
If we have unbound the PHY driver prior to calling phy_detach() (often via phy_disconnect()) then we can cause a NULL pointer de-reference accessing the driver owner member. The steps to reproduce are: echo unimac-mdio-0:01 > /sys/class/net/eth0/phydev/driver/unbind ip link set eth0 down Fixes: cafe8df8b9bc ("net: phy: Fix lack of reference count on PHY driver") Signed-off-by: Florian Fainelli <f.fainelli@gmail.com> --- drivers/net/phy/phy_device.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)