net: usb: asix: validate PHY address before use

[ Upstream commit a1e077a3f76eea0dc671ed6792e7d543946227e8 ]

The ASIX driver reads the PHY address from the USB device via
asix_read_phy_addr(). A malicious or faulty device can return an
invalid address (>= PHY_MAX_ADDR), which causes a warning in
mdiobus_get_phy():

  addr 207 out of range
  WARNING: drivers/net/phy/mdio_bus.c:76

Validate the PHY address in asix_read_phy_addr() and remove the
now-redundant check in ax88172a.c.

Reported-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3d43c9066a5b54902232
Tested-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
Fixes: 7e88b11a862a ("net: usb: asix: refactor asix_read_phy_addr() and handle errors on return")
Link: https://lore.kernel.org/all/20251217085057.270704-1-kartikey406@gmail.com/T/
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20251218011156.276824-1-kartikey406@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
index 00c23f1d1c946789e627ed00e0102789d20ba739..8c613e3ea05ac27aa46eb185839c1179a2a5cc2b 100644 (file)
--- a/drivers/net/usb/asix_common.c
+++ b/drivers/net/usb/asix_common.c
@@ -333,6 +333,11 @@ int asix_read_phy_addr(struct usbnet *dev, bool internal)
        offset = (internal ? 1 : 0);
        ret = buf[offset];
 
+       if (ret >= PHY_MAX_ADDR) {
+               netdev_err(dev->net, "invalid PHY address: %d\n", ret);
+               return -ENODEV;
+       }
+
        netdev_dbg(dev->net, "%s PHY address 0x%x\n",
                   internal ? "internal" : "external", ret);