From 410cc636d7219d23621d3e1e6d24c69ead675ec6 Mon Sep 17 00:00:00 2001 From: Markus Stockhausen Date: Fri, 15 May 2026 21:42:19 +0200 Subject: [PATCH] realtek: pcs: fix use after free In rtpcs_probe_serdes_bus(), the code manages the device tree node reference incorrectly: - It acquires a node pointer np via of_find_compatible_node(), which increments the reference count. - It calls of_mdio_find_bus(np) to locate the bus. - It calls of_node_put(np), which decrements the reference count. If this was the last reference, the node is freed. - It then attempts to check if (!of_device_is_available(np)). The pointer np is used after its reference has been released. This can lead to a kernel oops or unpredictable behavior if the memory has been reclaimed. Fixes: fe27cce1e ("realtek: add SerDes PCS driver") Signed-off-by: Markus Stockhausen Link: https://github.com/openwrt/openwrt/pull/23391 Signed-off-by: Robert Marko --- .../realtek/files-6.18/drivers/net/pcs/pcs-rtl-otto.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/target/linux/realtek/files-6.18/drivers/net/pcs/pcs-rtl-otto.c b/target/linux/realtek/files-6.18/drivers/net/pcs/pcs-rtl-otto.c index 0e4c31ae493..e3f59211580 100644 --- a/target/linux/realtek/files-6.18/drivers/net/pcs/pcs-rtl-otto.c +++ b/target/linux/realtek/files-6.18/drivers/net/pcs/pcs-rtl-otto.c @@ -4143,6 +4143,12 @@ static struct mii_bus *rtpcs_probe_serdes_bus(struct rtpcs_ctrl *ctrl) return ERR_PTR(-ENODEV); } + if (!of_device_is_available(np)) { + dev_err(ctrl->dev, "SerDes mdio bus not usable"); + of_node_put(np); + return ERR_PTR(-ENODEV); + } + bus = of_mdio_find_bus(np); of_node_put(np); if (!bus) { @@ -4150,11 +4156,6 @@ static struct mii_bus *rtpcs_probe_serdes_bus(struct rtpcs_ctrl *ctrl) return ERR_PTR(-EPROBE_DEFER); } - if (!of_device_is_available(np)) { - dev_err(ctrl->dev, "SerDes mdio bus not usable"); - return ERR_PTR(-ENODEV); - } - return bus; }