[PATCH 3.18 29/92] sh_eth: Fix ethtool operation crash when net device is down

From: Greg Kroah-Hartman
Date: Wed Aug 09 2017 - 16:39:20 EST

Next message: Greg Kroah-Hartman: "[PATCH 3.18 28/92] net: sctp: fix race for one-to-many sockets in sendmsgs auto associate"
Previous message: Greg Kroah-Hartman: "[PATCH 3.18 27/92] ipv6: fix possible deadlock in ip6_fl_purge / ip6_fl_gc"
In reply to: Greg Kroah-Hartman: "[PATCH 3.18 27/92] ipv6: fix possible deadlock in ip6_fl_purge / ip6_fl_gc"
Next in thread: Greg Kroah-Hartman: "[PATCH 3.18 28/92] net: sctp: fix race for one-to-many sockets in sendmsgs auto associate"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben.hutchings@xxxxxxxxxxxxxxx>

commit 4f9dce230b32eec45cec8c28cae61efdfa2f7d57 upstream.

The driver connects and disconnects the PHY device whenever the
net device is brought up and down. The ethtool get_settings,
set_settings and nway_reset operations will dereference a null
or dangling pointer if called while it is down.

I think it would be preferable to keep the PHY connected, but there
may be good reasons not to.

As an immediate fix for this bug:
- Set the phydev pointer to NULL after disconnecting the PHY
- Change those three operations to return -ENODEV while the PHY is
not connected

Signed-off-by: Ben Hutchings <ben.hutchings@xxxxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Amit Pundir <amit.pundir@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/net/ethernet/renesas/sh_eth.c | 10 ++++++++++
1 file changed, 10 insertions(+)

--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -1832,6 +1832,9 @@ static int sh_eth_get_settings(struct ne
unsigned long flags;
int ret;

+ if (!mdp->phydev)
+ return -ENODEV;
+
spin_lock_irqsave(&mdp->lock, flags);
ret = phy_ethtool_gset(mdp->phydev, ecmd);
spin_unlock_irqrestore(&mdp->lock, flags);
@@ -1846,6 +1849,9 @@ static int sh_eth_set_settings(struct ne
unsigned long flags;
int ret;

+ if (!mdp->phydev)
+ return -ENODEV;
+
spin_lock_irqsave(&mdp->lock, flags);

/* disable tx and rx */
@@ -1880,6 +1886,9 @@ static int sh_eth_nway_reset(struct net_
unsigned long flags;
int ret;

+ if (!mdp->phydev)
+ return -ENODEV;
+
spin_lock_irqsave(&mdp->lock, flags);
ret = phy_start_aneg(mdp->phydev);
spin_unlock_irqrestore(&mdp->lock, flags);
@@ -2189,6 +2198,7 @@ static int sh_eth_close(struct net_devic
if (mdp->phydev) {
phy_stop(mdp->phydev);
phy_disconnect(mdp->phydev);
+ mdp->phydev = NULL;
}

free_irq(ndev->irq, ndev);

Next message: Greg Kroah-Hartman: "[PATCH 3.18 28/92] net: sctp: fix race for one-to-many sockets in sendmsgs auto associate"
Previous message: Greg Kroah-Hartman: "[PATCH 3.18 27/92] ipv6: fix possible deadlock in ip6_fl_purge / ip6_fl_gc"
In reply to: Greg Kroah-Hartman: "[PATCH 3.18 27/92] ipv6: fix possible deadlock in ip6_fl_purge / ip6_fl_gc"
Next in thread: Greg Kroah-Hartman: "[PATCH 3.18 28/92] net: sctp: fix race for one-to-many sockets in sendmsgs auto associate"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]