From patchwork Wed Dec 17 02:29:46 2008
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Krzysztof Halasa <khc@pm.waw.pl>
X-Patchwork-Id: 14408
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
	by ozlabs.org (Postfix) with ESMTP id 11E33DDF4E
	for <patchwork-incoming@ozlabs.org>;
	Wed, 17 Dec 2008 13:29:55 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752881AbYLQC3t (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Tue, 16 Dec 2008 21:29:49 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751473AbYLQC3t
	(ORCPT <rfc822; netdev-outgoing>); Tue, 16 Dec 2008 21:29:49 -0500
Received: from khc.piap.pl ([195.187.100.11]:34004 "EHLO khc.piap.pl"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752534AbYLQC3s (ORCPT <rfc822;netdev@vger.kernel.org>);
	Tue, 16 Dec 2008 21:29:48 -0500
Received: by khc.piap.pl (Postfix, from userid 500)
	id 132536FF66; Wed, 17 Dec 2008 03:29:46 +0100 (CET)
To: Lennert Buytenhek <buytenh@wantstofly.org>
Cc: David Miller <davem@davemloft.net>, <netdev@vger.kernel.org>
Subject: kernel BUG at drivers/net/phy/mdio_bus.c:165!
From: Krzysztof Halasa <khc@pm.waw.pl>
Date: Wed, 17 Dec 2008 03:29:46 +0100
Message-ID: <m3ej07zg85.fsf@maximus.localdomain>
MIME-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

kernel BUG at drivers/net/phy/mdio_bus.c:165!
Unable to handle kernel NULL pointer dereference at virtual address 00000000

How?

mdiobus_alloc() sets bus->state = MDIOBUS_ALLOCATED.

mdiobus_register() sets bus->state = MDIOBUS_REGISTERED but then can
   fail (mdiobus_scan()) returning an error to the caller.

The caller aborts correctly with mdiobus_free() which does:
        if (bus->state == MDIOBUS_ALLOCATED) {
                kfree(bus);
                return;
        }

        BUG_ON(bus->state != MDIOBUS_UNREGISTERED);

Signed-off-by: Krzysztof Halasa <khc@pm.waw.pl>

--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@@ -105,8 +105,6 @@ int mdiobus_register(struct mii_bus *bus)
 		return -EINVAL;
 	}
 
-	bus->state = MDIOBUS_REGISTERED;
-
 	mutex_init(&bus->mdio_lock);
 
 	if (bus->reset)
@@ -123,6 +121,9 @@ int mdiobus_register(struct mii_bus *bus)
 		}
 	}
 
+	if (!err)
+		bus->state = MDIOBUS_REGISTERED;
+
 	pr_info("%s: probed\n", bus->name);
 
 	return err;