* [PATCH master] net: phy: mdio_bus: fix freeing of cdev name before devfs_remove
@ 2026-01-26 10:41 Ahmad Fatoum
2026-01-27 7:57 ` Sascha Hauer
0 siblings, 1 reply; 2+ messages in thread
From: Ahmad Fatoum @ 2026-01-26 10:41 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum
devfs_remove accesses struct cdev::name to do an unlink on the path in
/dev. This leads to a use-after-free inside mdio_bus_remove.
Reorder the free after devfs_remove to fix this. This is the way that
other drivers in tree that have /free.*cdev(\.|->)name/ do it.
Issue was detected by KASAN being active during kernel boot.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
drivers/net/phy/mdio_bus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
index a7eda3f84a11..1381f70f1cf8 100644
--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@@ -610,8 +610,8 @@ static void mdio_bus_remove(struct device *_dev)
if (drv->remove)
drv->remove(dev);
- free(dev->cdev.name);
devfs_remove(&dev->cdev);
+ free(dev->cdev.name);
bus->phy_map[dev->addr] = NULL;
}
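Review bot: the ordering requirement between devfs_remove(&dev->cdev) and the moved free(dev->cdev.name) is not recorded anywhere in mdio_bus_remove, so a later cleanup could swap the two lines back and reintroduce the use-after-free. A one-line comment above the free stating that devfs_remove still reads cdev.name would make the dependency explicit. After the free, dev->cdev.name is left holding a stale pointer while dev is still referenced in the next statement (bus->phy_map[dev->addr] = NULL); setting the field to NULL after freeing would turn any later access into a deterministic fault instead of a silent read of freed memory. The commit message also carries no Fixes: tag naming the commit that introduced the wrong order, which would help anyone backporting the fix.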
--
2.47.3
* Re: [PATCH master] net: phy: mdio_bus: fix freeing of cdev name before devfs_remove
From: Sascha Hauer @ 2026-01-27 7:57 UTC (permalink / raw)
To: barebox, Ahmad Fatoum
On Mon, 26 Jan 2026 11:41:37 +0100, Ahmad Fatoum wrote:
> devfs_remove accesses struct cdev::name to do an unlink on the path in
> /dev. This leads to a use-after-free inside mdio_bus_remove.
>
> Reorder the free after devfs_remove to fix this. This is the way that
> other drivers in tree that have /free.*cdev(\.|->)name/ do it.
>
> Issue was detected by KASAN being active during kernel boot.
>
> [...]
Applied, thanks!
[1/1] net: phy: mdio_bus: fix freeing of cdev name before devfs_remove
https://git.pengutronix.de/cgit/barebox/commit/?id=0a67f4f35d64 (link may not be stable)
Best regards,
--
Sascha Hauer <s.hauer@pengutronix.de>