From nobody Sat Feb  7 11:38:21 2026
Received: from mail-ot1-f49.google.com (mail-ot1-f49.google.com
 [209.85.210.49])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id CC45433375D
	for <linux-kernel@vger.kernel.org>; Mon,  5 Jan 2026 12:00:43 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.210.49
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1767614445; cv=none;
 b=Xcdl3knwC3s26ECypkmU5UNcHSdaG79cIXrwZ1ltbiHApFaJZp3E5vyKimuG/irwiYqjow9Q5OXKYuWT5IAgwDjr3zXAaT9Pt17rdXIhSeGT2+EsCxcRNE0/FHz8vtj6oyiyU76o+KHLBjjgiKSjHb518R1wlA7Rs94vqqHiF9I=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1767614445; c=relaxed/simple;
	bh=ofkk3fDMXfaDqdL6mAbClhIKaLqJwPvhJFxDHVlpUhM=;
	h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:To:Cc;
 b=NLS9w9Jds7T8lwE+eBGKfNEWI5j9Bb50ih2Mjq7I3ESUjD3mKOZyOJmZIxu/Vc06pTWQZToT6vucdYqYV+7X9+UzpZhB0qyTSZ3rZFR5lmj93gawS2jkGVxUXhD9MKdp6zHUWq1dY9J2PqfBCQIEDycfDGAu8MP8fKBh9Bevp0c=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=debian.org;
 spf=pass smtp.mailfrom=gmail.com; arc=none smtp.client-ip=209.85.210.49
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=debian.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Received: by mail-ot1-f49.google.com with SMTP id
 46e09a7af769-7c7660192b0so9590673a34.0
        for <linux-kernel@vger.kernel.org>;
 Mon, 05 Jan 2026 04:00:43 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1767614442; x=1768219242;
        h=cc:to:message-id:content-transfer-encoding:mime-version:subject
         :date:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=+nGI90FgNg6Orxw3QE9KbiBZzXhpcXBalJ+YBtICfE0=;
        b=eZd9877QAjv9mcaXRxH1dq9oS3SH3jb/Ep1+t6KBneTieHson8yDWDuP06bnmxDJ4A
         YFSeIix1X+VqReg4H5KIsqfWJ94AukfLCXvErYn5S4jn6Pl1EQMXhvA/16OMIyIOUmAD
         YP7+lJe0E7tTvNnmp8emnOvvUfxIAXwJqtoy/3ASu142jvXNNMyUKjVRNG/+Zp8l+j06
         SfzvparWxG9dmFGR7/5CGQ1jUcBNvgdFCpn85ca3jDNWaZ+o2enyusAM5pRKVkciax6B
         WKpQPmSudT33yDbthLvkyedCxYxGPXnsSOyrE7U5aoOu/tU5qu4y5My1Oy5SRAfG/QZs
         POQg==
X-Forwarded-Encrypted: i=1;
 AJvYcCULuh7ykVW59n4wUFnxo+ljieVNEyzSJyTGdhiESWT0+fHgt2+YukKi+NqUXgMBAn9/iLgrcfkqjhP2cvU=@vger.kernel.org
X-Gm-Message-State: AOJu0Yzmil5rRVEbucdnADwjzALG8vqfp35H7qYH07shC2BKFzTuJYc4
	EY09WPG+qCTrjOYhk7vQFMiTHx++1jdHljteC4JAMdEz/6Ty3a+97XwZ
X-Gm-Gg: AY/fxX7PUp/f9igUs2Nr8lclLEJpqA8Y+iNZQAF6Xz4LrJOZNQRvHAjIntrkHm36nx3
	YihcpkiH+oi09B4w9IefXmz3WJJ2x0KVgEEhFGDX4EW4j66646DDVWvtbYy5FUOYqvF1IRvflBs
	/p2U2FxQ7utAypV5gb8+gnSnxC2HCM1xIcRvuB7EnJ3Y8UVyUQdpkPlYzTnw5Sa7Pr5TQfdJlcn
	iLQ5w7lsxW6xmPt3H0NEhACEqG6X9FEqy7kXbL33QuXGt8Tx3ixx+DB0KYh63S0RWuDMH/9lBx/
	gQFMmNiOlBLKGEsUUrV2vsGtGztauf0oZ7dCGjkqtkte1ZZ4nFz6fXwgV4TVjVPWLZowfZ4M4zp
	W50mVyUGitjrFKZ2TOGaSa39ZS9Va6rvilwD9Ceg4FPYqd89OO3OLmnvm3mWjwwlP0dLNot688l
	NzhYU6iYsV5fa4
X-Google-Smtp-Source: 
 AGHT+IH8deTVPke2vXyRK4ncJdp0pK2ey5NcMLE1Kk9Y3AUkKsrGoLMbt59kO3J3OMAbGgUYNScKQg==
X-Received: by 2002:a05:6830:4119:b0:7c6:a2da:ce4b with SMTP id
 46e09a7af769-7cc668a4bb0mr26188912a34.5.1767614440673;
        Mon, 05 Jan 2026 04:00:40 -0800 (PST)
Received: from localhost ([2a03:2880:10ff:5::])
        by smtp.gmail.com with ESMTPSA id
 46e09a7af769-7cc667fa674sm32887148a34.29.2026.01.05.04.00.40
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 05 Jan 2026 04:00:40 -0800 (PST)
From: Breno Leitao <leitao@debian.org>
Date: Mon, 05 Jan 2026 04:00:16 -0800
Subject: [PATCH net v2] bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable
 during error cleanup
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260105-bnxt-v2-1-9ac69edef726@debian.org>
X-B4-Tracking: v=1; b=H4sIANCnW2kC/1XNyw6CMBCF4VdpZk2NUy4WVr6HYUHbKYyLYtpKM
 IR3N+DK7cmf72yQKDIl6MQGkRZOPAfohCoE2GkII0l20AlQV1WjKlGasGZp68qVeHPaeIJCwCu
 S5/VkHhAoQ/8b09s8yeYDOLKJU57j5zxb8Iz/3QUlSu1b66hpWm2quyPDQ7jMcYR+3/cvpkq7k
 LAAAAA=
X-Change-ID: 20251231-bnxt-c54d317d8bfe
To: Michael Chan <michael.chan@broadcom.com>,
 Pavan Chebbi <pavan.chebbi@broadcom.com>,
 Andrew Lunn <andrew+netdev@lunn.ch>,
 "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>,
 Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
 Richard Cochran <richardcochran@gmail.com>,
 "Russell King (Oracle)" <rmk+kernel@armlinux.org.uk>,
 Vadim Fedorenko <vadim.fedorenko@linux.dev>,
 Vladimir Oltean <vladimir.oltean@nxp.com>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
 kernel-team@meta.com, Breno Leitao <leitao@debian.org>,
 stable@vger.kernel.org
X-Mailer: b4 0.15-dev-47773
X-Developer-Signature: v=1; a=openpgp-sha256; l=2959; i=leitao@debian.org;
 h=from:subject:message-id; bh=ofkk3fDMXfaDqdL6mAbClhIKaLqJwPvhJFxDHVlpUhM=;
 b=owEBbQKS/ZANAwAIATWjk5/8eHdtAcsmYgBpW6fnW7MzHTVeSjf5pSIQjcuOIopl/jVai0jMP
 G7iyXAaFYaJAjMEAAEIAB0WIQSshTmm6PRnAspKQ5s1o5Of/Hh3bQUCaVun5wAKCRA1o5Of/Hh3
 bWsWD/9JLfEicI2+EMVUr7Q2qY/ChMUsiCsxDBicYYI8wwK9tpyNuyFextX2bXbYY8obVfl3FD1
 a3Nah9zOpJ03BQhU7huiSbEMG58BVvbuuxFuZSq5jHuSbXwTdhje1+4KGuTMH9+uRekVWzVIUME
 mcX47ZVNQ5yLG4jks86VO9l35fXl9KNjRIq/6s04yhAXFqC9/qcBQD5VWsp0thLEfwv3ii95GrY
 7ew+PhHMsfJORRW8aVGkAkbMkYzXzoCBkpMa4aSCnmPLvASLWaURTAkOMQwYpKMjv29PcvVCM2p
 9a6Xpx0Hqj8zW3Rp1M05eJg/mHb7Teho44fGLOR3okE4SGx2JJA5w8Srz2Cr7/8I6l6D8b3S6MW
 HCzslV+zyzazoCFBO+V39CqrNrqx6mP/Jj2442rbHNoJVeh4pdmokF1HljLpeloJhJ+rK48nqJ7
 +9NmdtDxtot9HoBcDnAyjGyCGFOeXxOsibTMkHyTRljahrBXmkVBLzGSUFg2EvpIZIVdOfjegoA
 kKswRQQqv4LO1+5qy/OseXyXYNXAPdGIzDi4D23e/IntHd7sNjAVtGDeyNGL5rsNis4tw2yNatk
 1J0eyxXTDax4ZasCYGekoIW1kC4zsh2OgegB1VRTBWWqqLuGiZQQVKBo6+xKKwBd+CI7BaQoUEf
 xYHV0cjCWwncmRQ==
X-Developer-Key: i=leitao@debian.org; a=openpgp;
 fpr=AC8539A6E8F46702CA4A439B35A3939FFC78776D

When bnxt_init_one() fails during initialization (e.g.,
bnxt_init_int_mode returns -ENODEV), the error path calls
bnxt_free_hwrm_resources() which destroys the DMA pool and sets
bp->hwrm_dma_pool to NULL. Subsequently, bnxt_ptp_clear() is called,
which invokes ptp_clock_unregister().

Since commit a60fc3294a37 ("ptp: rework ptp_clock_unregister() to
disable events"), ptp_clock_unregister() now calls
ptp_disable_all_events(), which in turn invokes the driver's .enable()
callback (bnxt_ptp_enable()) to disable PTP events before completing the
unregistration.

bnxt_ptp_enable() attempts to send HWRM commands via bnxt_ptp_cfg_pin()
and bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This
function tries to allocate from bp->hwrm_dma_pool, causing a NULL
pointer dereference:

  bnxt_en 0000:01:00.0 (unnamed net_device) (uninitialized): bnxt_init_int_=
mode err: ffffffed
  KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
  Call Trace:
   __hwrm_req_init (drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c:72)
   bnxt_ptp_enable (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:323 drive=
rs/net/ethernet/broadcom/bnxt/bnxt_ptp.c:517)
   ptp_disable_all_events (drivers/ptp/ptp_chardev.c:66)
   ptp_clock_unregister (drivers/ptp/ptp_clock.c:518)
   bnxt_ptp_clear (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:1134)
   bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889)

Lines are against commit f8f9c1f4d0c7 ("Linux 6.19-rc3")

Fix this by clearing and unregistering ptp (bnxt_ptp_clear()) before
freeing HWRM resources.

Suggested-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Breno Leitao <leitao@debian.org>
Fixes: a60fc3294a37 ("ptp: rework ptp_clock_unregister() to disable events")
Cc: stable@vger.kernel.org
---
Changes in v2:
- Instead of checking for HWRM resources in bnxt_ptp_enable(), call it
  when HWRM resources are availble (Pavan Chebbi)
- Link to v1: https://patch.msgid.link/20251231-bnxt-v1-1-8f9cde6698b4@debi=
an.org
---
 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethern=
et/broadcom/bnxt/bnxt.c
index d160e54ac121..5a4af8abf848 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -16891,11 +16891,11 @@ static int bnxt_init_one(struct pci_dev *pdev, co=
nst struct pci_device_id *ent)
=20
 init_err_pci_clean:
 	bnxt_hwrm_func_drv_unrgtr(bp);
+	bnxt_ptp_clear(bp);
+	kfree(bp->ptp_cfg);
 	bnxt_free_hwrm_resources(bp);
 	bnxt_hwmon_uninit(bp);
 	bnxt_ethtool_free(bp);
-	bnxt_ptp_clear(bp);
-	kfree(bp->ptp_cfg);
 	bp->ptp_cfg =3D NULL;
 	kfree(bp->fw_health);
 	bp->fw_health =3D NULL;

---
base-commit: e146b276a817807b8f4a94b5781bf80c6c00601b
change-id: 20251231-bnxt-c54d317d8bfe

Best regards,
-- =20
Breno Leitao <leitao@debian.org>