| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3mkwdhodm4zl3t6zsavcrrkuawvd3qjxtdvhxwi6gwe42ic7rs@tevlpedpwlag>
Date: Thu, 7 Aug 2025 19:21:46 +0800
From: Xu Yang <xu.yang_2@....com>
To: "Russell King (Oracle)" <linux@...linux.org.uk>
Cc: Andrew Lunn <andrew@...n.ch>, hkallweit1@...il.com,
o.rempel@...gutronix.de, pabeni@...hat.com, netdev@...r.kernel.org, imx@...ts.linux.dev,
linux-kernel@...r.kernel.org
Subject: Re: [RESEND] net: phy: fix NULL pointer dereference in
phy_polling_mode()
Hi Russell and Andrew,
On Thu, Aug 07, 2025 at 05:23:24PM +0800, Xu Yang wrote:
> On Wed, Aug 06, 2025 at 05:47:53PM +0100, Russell King (Oracle) wrote:
> > On Wed, Aug 06, 2025 at 05:01:22PM +0200, Andrew Lunn wrote:
> > > > > > Reproduce step is simple:
> > > > > >
> > > > > > 1. connect an USB to Ethernet device to USB port, I'm using "D-Link Corp.
> > > > > > DUB-E100 Fast Ethernet Adapter".
> > >
> > > static const struct driver_info dlink_dub_e100_info = {
> > > .description = "DLink DUB-E100 USB Ethernet",
> > > .bind = ax88172_bind,
> > > .status = asix_status,
> > > .link_reset = ax88172_link_reset,
> > > .reset = ax88172_link_reset,
> > > .flags = FLAG_ETHER | FLAG_LINK_INTR,
> > > .data = 0x009f9d9f,
> > > };
> > >
>
> [...]
>
> >
> > Notice that the following return the PHY 3 register 3 value, so
> > I suspect for anything that isn't PHY 3, it just returns whatever
> > data was last read from PHY 3. This makes it an incredibly buggy
> > USB device.
> >
> > Looking at usbnet_read_cmd(), the above can be the only explanation,
> > as usbnet_read_cmd() memcpy()'s the data into &res, so the value
> > in the kmalloc()'d buf (which likely be poisoned on free, or if not
> > unlikely to reallocate the same memory - that needs to be verified)
> > must be coming from firmware on the device itself.
>
> I confirm it's returned by the device. I capture the USB transfer with
> an USB analyzer too.
>
> >
> > asix_read_cmd() will catch a short read, and usbnet_read_cmd() will
> > catch a zero-length read as invalid.
> >
> > So, my conclusion is... broken firmware on this device.
>
> The data transfer function works fine on my side. And even if something
> is wrong with this device, the linux system shouldn't be broken down
> because of this.
Thanks for your review!
With more debug on why asix_devices.c driver is creating so many mdio devices,
I found the mdio->phy_mask setting may be missing.
When I add mdio->phy_mask setting, only one mdio device is created and the NULL
pointer dereference issue is gone too.
root@...95evk:~# ls /sys/bus/mdio_bus/devices/
usb-001:003:03
root@...95evk:~# cat /sys/bus/mdio_bus/devices/usb-001:003:03/phy_id
0x02430c54
diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
index 9b0318fb50b5..9fba1cb17134 100644
--- a/drivers/net/usb/asix_devices.c
+++ b/drivers/net/usb/asix_devices.c
@@ -676,6 +676,7 @@ static int ax88772_init_mdio(struct usbnet *dev)
priv->mdio->read = &asix_mdio_bus_read;
priv->mdio->write = &asix_mdio_bus_write;
priv->mdio->name = "Asix MDIO Bus";
+ priv->mdio->phy_mask = ~BIT(priv->phy_addr);
/* mii bus name is usb-<usb bus number>-<usb device number> */
snprintf(priv->mdio->id, MII_BUS_ID_SIZE, "usb-%03d:%03d",
dev->udev->bus->busnum, dev->udev->devnum);
Is this the right thing to do?
Thanks,
Xu Yang
>
> Thanks,
> Xu Yang
>
> >
> > --
> > RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
> > FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
Powered by blists - more mailing lists