From patchwork Tue May 21 12:44:11 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Romain Gantois <romain.gantois@bootlin.com>
X-Patchwork-Id: 13669398
Return-Path: 
 <linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from bombadil.infradead.org (bombadil.infradead.org
 [198.137.202.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id 82CEFC25B74
	for <linux-arm-kernel@archiver.kernel.org>;
 Tue, 21 May 2024 12:44:07 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20210309; h=Sender:
	Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:
	List-Archive:List-Unsubscribe:List-Id:Cc:To:Message-Id:MIME-Version:Subject:
	Date:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:
	Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:
	List-Owner; bh=i0a1cxZZJ37U5CYJjPiWX3nXKQEEI0Twyo0zgbJWcT0=; b=cSmDMpiSe3I4j4
	JA7DqGR+LNwjy4O4HCF74zR+JUs2SAV4G3A8Pc6z2z450rhwxxiLDtrSzBDHQ+R3DXHF38lh4B+a2
	4VGDVfGFHLQUzWi3uD4iHoc9asfa/1KtFhJk3cWC7gFbI8iEa9/vN66GQSyhmbl0n2B4chMn1XjJh
	yY676ny30JyySctTER59uUvUlt+eZOXfC1/+pVNpgkKNtcRQ4GRq0odfdSKyYZyk0Wmqa6F7I1zk2
	1qcsNz4irDXFt4o5M4qWnjIHRWXVq6lOYu3T7vOXIM3B++B3PMlLd2XVGbNbWg0xqV1Aq5rLxcmU3
	KP6BkSkl0T6meE2sbi3A==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.97.1 #2 (Red Hat Linux))
	id 1s9OqQ-0000000HTea-1DCv;
	Tue, 21 May 2024 12:43:54 +0000
Received: from relay7-d.mail.gandi.net ([2001:4b98:dc4:8::227])
	by bombadil.infradead.org with esmtps (Exim 4.97.1 #2 (Red Hat Linux))
	id 1s9OqM-0000000HTe0-0Rxt
	for linux-arm-kernel@lists.infradead.org;
	Tue, 21 May 2024 12:43:52 +0000
Received: by mail.gandi.net (Postfix) with ESMTPSA id C39972000D;
	Tue, 21 May 2024 12:43:41 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=gm1;
	t=1716295423;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=sBHQDVV1jw6tvsDFIyAbBrREYTF4ioSRIEty/E5nqPU=;
	b=T0TPkoOP0Oln6RdV1lZQCjpQhTbgt3GaQ2j94Yw+Z8ea1ETp/x9tnsAhm4sBjHTyc6FJgn
	ytWWeoxfxTEk9DRNo9H0PwHB7pR2Pneu3gAkZMBkMNmRjUKRSysG1FysIfeyhisO+FGl/C
	1M0B2q6KFUg4mUr/1La3Z1dM/N8QS2k8w0lqGNJNER9rQ48bQBD3G7P1A2yjXX43m5bIiF
	PPYfG4iD+8h8bvYfzF+aqwAynnJ4FrKOTo9mpAs0uERH4ylCAm5P8jy+o+JUEya2/dc16T
	04ABdjNOV7G8j+J1cf9hnRsL52YYj1FjUXuFLcv32oLzhnCOb8y2jKxLCeGxXA==
From: Romain Gantois <romain.gantois@bootlin.com>
Date: Tue, 21 May 2024 14:44:11 +0200
Subject: [PATCH net] net: ti: icssg_prueth: Fix NULL pointer dereference in
 prueth_probe()
MIME-Version: 1.0
Message-Id: <20240521-icssg-prueth-fix-v1-1-b4b17b1433e9@bootlin.com>
X-B4-Tracking: v=1; b=H4sIABqXTGYC/x2MQQ5AQAwAvyI9a1K7y8FXxIFV9LJki0jE3zWOM
 8nMA8pZWKEtHsh8icqWDKqygLgOaWGUyRgcuUC1q1Ci6oJ7PvlYcZYbyY/kqQmxjgyW7ZlN/8s
 OEh/Qv+8HZjSKXWcAAAA=
To: MD Danish Anwar <danishanwar@ti.com>, Roger Quadros <rogerq@kernel.org>,
 "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>,
 Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>,
 linux-arm-kernel@lists.infradead.org, netdev@vger.kernel.org,
 linux-kernel@vger.kernel.org, stable@vger.kernel.org,
 Romain Gantois <romain.gantois@bootlin.com>
X-Mailer: b4 0.13.0
X-GND-Sasl: romain.gantois@bootlin.com
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20240521_054350_615640_9DF9C78D 
X-CRM114-Status: GOOD (  15.68  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

In the prueth_probe() function, if one of the calls to emac_phy_connect()
fails due to of_phy_connect() returning NULL, then the subsequent call to
phy_attached_info() will dereference a NULL pointer.

Check the return code of emac_phy_connect and fail cleanly if there is an
error.

Fixes: 128d5874c082 ("net: ti: icssg-prueth: Add ICSSG ethernet driver")
Cc: stable@vger.kernel.org
Signed-off-by: Romain Gantois <romain.gantois@bootlin.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: MD Danish Anwar <danishanwar@ti.com>
---
Hello everyone,

There is a possible NULL pointer dereference in the prueth_probe() function of
the icssg_prueth driver. I discovered this while testing a platform with one
PRUETH MAC enabled out of the two available.

These are the requirements to reproduce the bug:

prueth_probe() is called
either eth0_node or eth1_node is not NULL
in emac_phy_connect: of_phy_connect() returns NULL

Then, the following leads to the NULL pointer dereference:

prueth->emac[PRUETH_MAC0]->ndev->phydev is set to NULL
prueth->emac[PRUETH_MAC0]->ndev->phydev is passed to phy_attached_info()
-> phy_attached_print() dereferences phydev which is NULL

This series provides a fix by checking the return code of emac_phy_connect().

Best Regards,

Romain
---
 drivers/net/ethernet/ti/icssg/icssg_prueth.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)


---
base-commit: e4a87abf588536d1cdfb128595e6e680af5cf3ed
change-id: 20240521-icssg-prueth-fix-03b03064c5ce

Best regards,

diff --git a/drivers/net/ethernet/ti/icssg/icssg_prueth.c b/drivers/net/ethernet/ti/icssg/icssg_prueth.c
index 7c9e9518f555a..1ea3fbd5e954e 100644
--- a/drivers/net/ethernet/ti/icssg/icssg_prueth.c
+++ b/drivers/net/ethernet/ti/icssg/icssg_prueth.c
@@ -1039,7 +1039,12 @@ static int prueth_probe(struct platform_device *pdev)
 
 		prueth->registered_netdevs[PRUETH_MAC0] = prueth->emac[PRUETH_MAC0]->ndev;
 
-		emac_phy_connect(prueth->emac[PRUETH_MAC0]);
+		ret = emac_phy_connect(prueth->emac[PRUETH_MAC0]);
+		if (ret) {
+			dev_err(dev,
+				"can't connect to MII0 PHY, error -%d", ret);
+			goto netdev_unregister;
+		}
 		phy_attached_info(prueth->emac[PRUETH_MAC0]->ndev->phydev);
 	}
 
@@ -1051,7 +1056,12 @@ static int prueth_probe(struct platform_device *pdev)
 		}
 
 		prueth->registered_netdevs[PRUETH_MAC1] = prueth->emac[PRUETH_MAC1]->ndev;
-		emac_phy_connect(prueth->emac[PRUETH_MAC1]);
+		ret = emac_phy_connect(prueth->emac[PRUETH_MAC1]);
+		if (ret) {
+			dev_err(dev,
+				"can't connect to MII1 PHY, error %d", ret);
+			goto netdev_unregister;
+		}
 		phy_attached_info(prueth->emac[PRUETH_MAC1]->ndev->phydev);
 	}