releases/5.10.96/phylib-fix-potential-use-after-free.patch

   1 From 6de30fa9221fa5af7d03c1ab3fb477a747fbf4a6 Mon Sep 17 00:00:00 2001
   2 From: Sasha Levin <sashal@kernel.org>
   3 Date: Wed, 19 Jan 2022 17:27:48 +0100
   4 Subject: phylib: fix potential use-after-free
   5 MIME-Version: 1.0
   6 Content-Type: text/plain; charset=UTF-8
   7 Content-Transfer-Encoding: 8bit
   8
   9 From: Marek Behún <kabel@kernel.org>
  10
  11 [ Upstream commit cbda1b16687580d5beee38273f6241ae3725960c ]
  12
  13 Commit bafbdd527d56 ("phylib: Add device reset GPIO support") added call
  14 to phy_device_reset(phydev) after the put_device() call in phy_detach().
  15
  16 The comment before the put_device() call says that the phydev might go
  17 away with put_device().
  18
  19 Fix potential use-after-free by calling phy_device_reset() before
  20 put_device().
  21
  22 Fixes: bafbdd527d56 ("phylib: Add device reset GPIO support")
  23 Signed-off-by: Marek Behún <kabel@kernel.org>
  24 Reviewed-by: Andrew Lunn <andrew@lunn.ch>
  25 Link: https://lore.kernel.org/r/20220119162748.32418-1-kabel@kernel.org
  26 Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  27 Signed-off-by: Sasha Levin <sashal@kernel.org>
  28 ---
  29  drivers/net/phy/phy_device.c | 6 +++---
  30  1 file changed, 3 insertions(+), 3 deletions(-)
  31
  32 diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
  33 index 85f3cde5ffd09..d2f6d8107595a 100644
  34 --- a/drivers/net/phy/phy_device.c
  35 +++ b/drivers/net/phy/phy_device.c
  36 @@ -1682,6 +1682,9 @@ void phy_detach(struct phy_device *phydev)
  37             phy_driver_is_genphy_10g(phydev))
  38                 device_release_driver(&phydev->mdio.dev);
  39
  40 +       /* Assert the reset signal */
  41 +       phy_device_reset(phydev, 1);
  42 +
  43         /*
  44          * The phydev might go away on the put_device() below, so avoid
  45          * a use-after-free bug by reading the underlying bus first.
  46 @@ -1693,9 +1696,6 @@ void phy_detach(struct phy_device *phydev)
  47                 ndev_owner = dev->dev.parent->driver->owner;
  48         if (ndev_owner != bus->owner)
  49                 module_put(bus->owner);
  50 -
  51 -       /* Assert the reset signal */
  52 -       phy_device_reset(phydev, 1);
  53  }
  54  EXPORT_SYMBOL(phy_detach);
  55
  56 --
  57 2.34.1
  58