[PATCH net] broadcom: b44: prevent uninitialized value usage

Alexey Simakov posted 1 patch 2 weeks, 1 day ago
There is a newer version of this series
drivers/net/ethernet/broadcom/b44.c | 3 +++
1 file changed, 3 insertions(+)
[PATCH net] broadcom: b44: prevent uninitialized value usage
Posted by Alexey Simakov 2 weeks, 1 day ago
On the execution path with B44_FLAG_EXTERNAL_PHY raised, b44_readphy()
leaves the bmcr value uninitialized, and it is used later in the code.

Add a check of this flag at the beginning of b44_nway_reset() and
exit the function early if an external PHY is used, which would
also correspond to other b44_readphy() call sites.

Found by Linux Verification Center (linuxtesting.org) with Svace.

Fixes: 753f492093da ("[B44]: port to native ssb support")
Signed-off-by: Alexey Simakov <bigalex934@gmail.com>
---
 drivers/net/ethernet/broadcom/b44.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/ethernet/broadcom/b44.c b/drivers/net/ethernet/broadcom/b44.c
index 0353359c3fe9..cbfd65881326 100644
--- a/drivers/net/ethernet/broadcom/b44.c
+++ b/drivers/net/ethernet/broadcom/b44.c
@@ -1789,6 +1789,9 @@ static int b44_nway_reset(struct net_device *dev)
 	u32 bmcr;
 	int r;
 
+	if (bp->flags & B44_FLAG_EXTERNAL_PHY)
+		return 0;
+
 	spin_lock_irq(&bp->lock);
 	b44_readphy(bp, MII_BMCR, &bmcr);
 	b44_readphy(bp, MII_BMCR, &bmcr);
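Review bot: the added `return 0;` under `if (bp->flags & B44_FLAG_EXTERNAL_PHY)` tells the caller the reset succeeded although nothing was restarted on the external PHY. Either forward the request to the PHY layer on this path, as the replies in this thread propose with phy_ethtool_nway_reset(dev->phydev), or return an error code so the caller can tell that auto-negotiation was not restarted. The commit message should also say which of the two behaviours is intended for external PHYs, since the uninitialized read is avoided either way.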
-- 
2.34.1
Re: [PATCH net] broadcom: b44: prevent uninitialized value usage
Posted by Jonas Gorski 2 weeks, 1 day ago
Hi,

On 12/4/25 06:22, Alexey Simakov wrote:
> On the execution path with B44_FLAG_EXTERNAL_PHY raised, b44_readphy()
> leaves the bmcr value uninitialized, and it is used later in the code.
> 
> Add a check of this flag at the beginning of b44_nway_reset() and
> exit the function early if an external PHY is used, which would
> also correspond to other b44_readphy() call sites.
> 
> Found by Linux Verification Center (linuxtesting.org) with Svace.
> 
> Fixes: 753f492093da ("[B44]: port to native ssb support")
> Signed-off-by: Alexey Simakov <bigalex934@gmail.com>
> ---
>  drivers/net/ethernet/broadcom/b44.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/net/ethernet/broadcom/b44.c b/drivers/net/ethernet/broadcom/b44.c
> index 0353359c3fe9..cbfd65881326 100644
> --- a/drivers/net/ethernet/broadcom/b44.c
> +++ b/drivers/net/ethernet/broadcom/b44.c
> @@ -1789,6 +1789,9 @@ static int b44_nway_reset(struct net_device *dev)
>  	u32 bmcr;
>  	int r;
>  
> +	if (bp->flags & B44_FLAG_EXTERNAL_PHY)
> +		return 0;

Wouldn't the right fix here be to call phy_ethtool_nway_reset(dev->phydev); instead
of just returning 0? That way it properly restarts auto-negotiation even in this
case.

> +
>  	spin_lock_irq(&bp->lock);
>  	b44_readphy(bp, MII_BMCR, &bmcr);
>  	b44_readphy(bp, MII_BMCR, &bmcr);
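Review bot: in the context lines after the new check, `b44_readphy(bp, MII_BMCR, &bmcr);` is called twice and its return value is dropped both times, so the guard is the only thing keeping `bmcr` from being consumed unwritten. Checking the return value before `bmcr` is used would keep this call site safe if b44_readphy() ever gains another path that returns without storing a value. If the back-to-back read of MII_BMCR is deliberate, a one-line comment saying why would help the next reader.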

Best regards,
Jonas
Re: [PATCH net] broadcom: b44: prevent uninitialized value usage
Posted by Andrew Lunn 2 weeks, 1 day ago
> > +++ b/drivers/net/ethernet/broadcom/b44.c
> > @@ -1789,6 +1789,9 @@ static int b44_nway_reset(struct net_device *dev)
> >  	u32 bmcr;
> >  	int r;
> >  
> > +	if (bp->flags & B44_FLAG_EXTERNAL_PHY)
> > +		return 0;
> 
> > Wouldn't the right fix here be to call phy_ethtool_nway_reset(dev->phydev); instead
> of just returning 0? That way it properly restarts auto-negotiation even in this
> case.

Actually, yes. ksettings_set() etc do exactly that. Let me change my
Reviewed by into a Change Request.

Thanks
    Andrew

---
pw-bot: cr
Re: [PATCH net] broadcom: b44: prevent uninitialized value usage
Posted by Andrew Lunn 2 weeks, 1 day ago
On Thu, Dec 04, 2025 at 08:22:43AM +0300, Alexey Simakov wrote:
> On the execution path with B44_FLAG_EXTERNAL_PHY raised, b44_readphy()
> leaves the bmcr value uninitialized, and it is used later in the code.
> 
> Add a check of this flag at the beginning of b44_nway_reset() and
> exit the function early if an external PHY is used, which would
> also correspond to other b44_readphy() call sites.
> 
> Found by Linux Verification Center (linuxtesting.org) with Svace.
> 
> Fixes: 753f492093da ("[B44]: port to native ssb support")
> Signed-off-by: Alexey Simakov <bigalex934@gmail.com>

Reviewed-by: Andrew Lunn <andrew@lunn.ch>

    Andrew