Commit a1e077a3 authored Dec 18, 2025 by Deepanshu Kartikey Committed by Paolo Abeni Dec 28, 2025

net: usb: asix: validate PHY address before use



The ASIX driver reads the PHY address from the USB device via
asix_read_phy_addr(). A malicious or faulty device can return an
invalid address (>= PHY_MAX_ADDR), which causes a warning in
mdiobus_get_phy():

  addr 207 out of range
  WARNING: drivers/net/phy/mdio_bus.c:76

Validate the PHY address in asix_read_phy_addr() and remove the
now-redundant check in ax88172a.c.

Reported-by:  <syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=3d43c9066a5b54902232


Tested-by:  <syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com>
Fixes: 7e88b11a ("net: usb: asix: refactor asix_read_phy_addr() and handle errors on return")
Link: https://lore.kernel.org/all/20251217085057.270704-1-kartikey406@gmail.com/T/

 [v1]
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20251218011156.276824-1-kartikey406@gmail.com


Signed-off-by: Paolo Abeni <pabeni@redhat.com>

parent a4f800c4

drivers/net/usb/asix_common.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -335,6 +335,11 @@ int asix_read_phy_addr(struct usbnet *dev, bool internal)
		offset = (internal ? 1 : 0);
		ret = buf[offset];

		if (ret >= PHY_MAX_ADDR) {
		netdev_err(dev->net, "invalid PHY address: %d\n", ret);
		return -ENODEV;
		}

		netdev_dbg(dev->net, "%s PHY address 0x%x\n",
		internal ? "internal" : "external", ret);

drivers/net/usb/ax88172a.c

+1 −5

Original line number	Diff line number	Diff line
		@@ -210,11 +210,7 @@ static int ax88172a_bind(struct usbnet dev, struct usb_interface intf)
		ret = asix_read_phy_addr(dev, priv->use_embdphy);
		if (ret < 0)
		goto free;
		if (ret >= PHY_MAX_ADDR) {
		netdev_err(dev->net, "Invalid PHY address %#x\n", ret);
		ret = -ENODEV;
		goto free;
		}

		priv->phy_addr = ret;

		ax88172a_reset_phy(dev, priv->use_embdphy);