realtek: pcs: fix use after free

In rtpcs_probe_serdes_bus(), the code manages the device
tree node reference incorrectly:

- It acquires a node pointer np via of_find_compatible_node(),
  which increments the reference count.

- It calls of_mdio_find_bus(np) to locate the bus.

- It calls of_node_put(np), which decrements the reference
  count. If this was the last reference, the node is freed.

- It then attempts to check if (!of_device_is_available(np)).

The pointer np is used after its reference has been released.
This can lead to a kernel oops or unpredictable behavior if
the memory has been reclaimed.

Fixes: fe27cce1e ("realtek: add SerDes PCS driver")
Signed-off-by: Markus Stockhausen <markus.stockhausen@gmx.de>
Link: https://github.com/openwrt/openwrt/pull/23391
Signed-off-by: Robert Marko <robimarko@gmail.com>

diff --git a/target/linux/realtek/files-6.18/drivers/net/pcs/pcs-rtl-otto.c b/target/linux/realtek/files-6.18/drivers/net/pcs/pcs-rtl-otto.c
index 0e4c31ae493b208c193172d4544f5c4f24f0e62a..e3f5921158017145c0b10ab5a9a1069ccd9207c1 100644 (file)
--- a/target/linux/realtek/files-6.18/drivers/net/pcs/pcs-rtl-otto.c
+++ b/target/linux/realtek/files-6.18/drivers/net/pcs/pcs-rtl-otto.c
@@ -4143,6 +4143,12 @@ static struct mii_bus *rtpcs_probe_serdes_bus(struct rtpcs_ctrl *ctrl)
                return ERR_PTR(-ENODEV);
        }
 
+       if (!of_device_is_available(np)) {
+               dev_err(ctrl->dev, "SerDes mdio bus not usable");
+               of_node_put(np);
+               return ERR_PTR(-ENODEV);
+       }
+
        bus = of_mdio_find_bus(np);
        of_node_put(np);
        if (!bus) {
@@ -4150,11 +4156,6 @@ static struct mii_bus *rtpcs_probe_serdes_bus(struct rtpcs_ctrl *ctrl)
                return ERR_PTR(-EPROBE_DEFER);
        }
 
-       if (!of_device_is_available(np)) {
-               dev_err(ctrl->dev, "SerDes mdio bus not usable");
-               return ERR_PTR(-ENODEV);
-       }
-
        return bus;
 }