diff mbox series

[net,1/2] net: phy: Avoid NPD upon phy_detach() when driver is unbound

Message ID 20200917034310.2360488-2-f.fainelli@gmail.com
State Accepted
Delegated to: David Miller
Headers show
Series net: phy: Unbind fixes | expand

Commit Message

Florian Fainelli Sept. 17, 2020, 3:43 a.m. UTC 
If we have unbound the PHY driver prior to calling phy_detach() (often
via phy_disconnect()) then we can cause a NULL pointer de-reference
accessing the driver owner member. The steps to reproduce are:

echo unimac-mdio-0:01 > /sys/class/net/eth0/phydev/driver/unbind
ip link set eth0 down

Fixes: cafe8df8b9bc ("net: phy: Fix lack of reference count on PHY driver")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
---
 drivers/net/phy/phy_device.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Andrew Lunn Sept. 17, 2020, 1:15 p.m. UTC | #1 
On Wed, Sep 16, 2020 at 08:43:09PM -0700, Florian Fainelli wrote:
> If we have unbound the PHY driver prior to calling phy_detach() (often
> via phy_disconnect()) then we can cause a NULL pointer de-reference
> accessing the driver owner member. The steps to reproduce are:
> 
> echo unimac-mdio-0:01 > /sys/class/net/eth0/phydev/driver/unbind
> ip link set eth0 down

Hi Florian

How forceful is this unbind? Can we actually block it while the
interface is up? Or returning -EBUSY would make sense.

	  Andrew
Florian Fainelli Sept. 17, 2020, 4:32 p.m. UTC | #2 
On 9/17/2020 6:15 AM, Andrew Lunn wrote:
> On Wed, Sep 16, 2020 at 08:43:09PM -0700, Florian Fainelli wrote:
>> If we have unbound the PHY driver prior to calling phy_detach() (often
>> via phy_disconnect()) then we can cause a NULL pointer de-reference
>> accessing the driver owner member. The steps to reproduce are:
>>
>> echo unimac-mdio-0:01 > /sys/class/net/eth0/phydev/driver/unbind
>> ip link set eth0 down
> 
> Hi Florian
> 
> How forceful is this unbind? Can we actually block it while the
> interface is up? Or returning -EBUSY would make sense.

It it not forceful, you can unbind the PHY driver from underneath the 
net_device and nothing bad happens, really. This is not a very realistic 
or practical use case, but several years ago, I went into making sure we 
would not create NPD if that happened.
Andrew Lunn Sept. 17, 2020, 5:28 p.m. UTC | #3 
On Wed, Sep 16, 2020 at 08:43:09PM -0700, Florian Fainelli wrote:
> If we have unbound the PHY driver prior to calling phy_detach() (often
> via phy_disconnect()) then we can cause a NULL pointer de-reference
> accessing the driver owner member. The steps to reproduce are:
> 
> echo unimac-mdio-0:01 > /sys/class/net/eth0/phydev/driver/unbind
> ip link set eth0 down
> 
> Fixes: cafe8df8b9bc ("net: phy: Fix lack of reference count on PHY driver")
> Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>

Reviewed-by: Andrew Lunn <andrew@lunn.ch>

    Andrew
diff mbox series

Patch

diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
index 8adfbad0a1e8..81eb76a8295b 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -1682,7 +1682,8 @@  void phy_detach(struct phy_device *phydev)
 
 	phy_led_triggers_unregister(phydev);
 
-	module_put(phydev->mdio.dev.driver->owner);
+	if (phydev->mdio.dev.driver)
+		module_put(phydev->mdio.dev.driver->owner);
 
 	/* If the device had no specific driver before (i.e. - it
 	 * was using the generic driver), we unbind the device