lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <e6f9ee03-91d8-4d3d-bf9b-c08ffa991c01@lunn.ch>
Date: Sat, 24 Jan 2026 20:31:45 +0100
From: Andrew Lunn <andrew@...n.ch>
To: Jacky Chou <jacky_chou@...eedtech.com>
Cc: Simon Horman <horms@...nel.org>,
	"davem@...emloft.net" <davem@...emloft.net>,
	"edumazet@...gle.com" <edumazet@...gle.com>,
	"andrew+netdev@...n.ch" <andrew+netdev@...n.ch>,
	"kuba@...nel.org" <kuba@...nel.org>,
	"pabeni@...hat.com" <pabeni@...hat.com>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: [net-next,v2,09/15] net: ftgmac100: Always register the MDIO bus
 when it exists

> > > > diff --git a/drivers/net/ethernet/faraday/ftgmac100.c
> > > > b/drivers/net/ethernet/faraday/ftgmac100.c
> > > > index f1cb5dc37919..931fdf3d07d1 100644
> > > > --- a/drivers/net/ethernet/faraday/ftgmac100.c
> > > > +++ b/drivers/net/ethernet/faraday/ftgmac100.c
> > > > @@ -1957,6 +1957,14 @@ static int ftgmac100_probe(struct
> > platform_device *pdev)
> > > >  		priv->txdes0_edotr_mask = BIT(15);
> > > >  	}
> > > >
> > > > +	if (priv->mac_id == FTGMAC100_FARADAY ||
> > > > +	    priv->mac_id == FTGMAC100_AST2400 ||
> > > > +	    priv->mac_id == FTGMAC100_AST2500) {
> > > > +		err = ftgmac100_setup_mdio(netdev);
> > > > +		if (err)
> > > > +			goto err_phy_connect;
> > > > +	}
> > >
> > > If ftgmac100_setup_mdio() fails after of_mdiobus_register() returns an
> > > error, it calls mdiobus_free(priv->mii_bus) but does not set
> > > priv->mii_bus to NULL. The goto err_phy_connect then leads to
> > > ftgmac100_destroy_mdio() which checks if (!priv->mii_bus) but finds a
> > > dangling pointer, resulting in mdiobus_unregister() on freed memory
> > followed by a double free.

I took another look at this. The goto err_phy_connect is wrong.  At
this point, if there is an error nothing else needs cleaning up, so
the goto should be replaced with a return err;

It is not however the full solution. If ftgmac100_probe_ncsi() fails,
it jumps to err_setup_mdio, which currently just does a return,
leaking the mdiobus. The ftgmac100_destroy_mdio() call needs moving
after the err_setup_mdio: label.

This is one of the problems with this driver. The labels are not
consistent. Some label names indicate what failed, others indicate
what needs cleaning up. The later patches solve this by using devm_ so
removing all these labels.

	 Andrew

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ