mail archive of the barebox mailing list
* [PATCH master] net: phy: mdio_bus: fix freeing of cdev name before devfs_remove
@ 2026-01-26 10:41 Ahmad Fatoum
  2026-01-27  7:57 ` Sascha Hauer
  0 siblings, 1 reply; 2+ messages in thread
From: Ahmad Fatoum @ 2026-01-26 10:41 UTC
  To: barebox; +Cc: Ahmad Fatoum

devfs_remove accesses struct cdev::name to do an unlink on the path in
/dev. This leads to a use-after-free inside mdio_bus_remove.

Reorder the free after devfs_remove to fix this. This is the way that
other drivers in tree that have /free.*cdev(\.|->)name/ do it.

Issue was detected by KASAN being active during kernel boot.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 drivers/net/phy/mdio_bus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
index a7eda3f84a11..1381f70f1cf8 100644
--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@@ -610,8 +610,8 @@ static void mdio_bus_remove(struct device *_dev)
 	if (drv->remove)
 		drv->remove(dev);
 
-	free(dev->cdev.name);
 	devfs_remove(&dev->cdev);
+	free(dev->cdev.name);
 	bus->phy_map[dev->addr] = NULL;
 }
 
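Review bot: after the relocated free(dev->cdev.name), the pointer is left in dev->cdev.name as a dangling value, and nothing in this hunk shows dev itself being released here (the function only goes on to clear bus->phy_map[dev->addr]). Consider adding dev->cdev.name = NULL; directly after the free, so that a later access to the cdev name or a second pass through this remove path cannot read or free stale memory. A one-line comment above the pair noting that devfs_remove reads cdev.name would also help keep the two calls from being swapped back.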
-- 
2.47.3



