[PATCH master] net: phy: mdio_bus: fix freeing of cdev name before devfs_remove

Mon Jan 26 02:41:37 PST 2026

devfs_remove acces struct cdev::name to do an unlink on the path in
/dev. This leads to a use-after-free inside mdio_bus_remove.

Reorder the free after devfs_remove to fix this. This is the way that
other drivers in tree that have /free.*cdev(\.|->)name/ do it.

Issue was detected by KASAN being active during kernel boot.

Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
 drivers/net/phy/mdio_bus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
index a7eda3f84a11..1381f70f1cf8 100644
--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@@ -610,8 +610,8 @@ static void mdio_bus_remove(struct device *_dev)
 	if (drv->remove)
 		drv->remove(dev);
 
-	free(dev->cdev.name);
 	devfs_remove(&dev->cdev);
+	free(dev->cdev.name);
 	bus->phy_map[dev->addr] = NULL;
 }
 
-- 
2.47.3


