From: Simon Horman <horms@kernel.org>
To: Yao Zi <ziyao@disroot.org>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	"Russell King (Oracle)" <rmk+kernel@armlinux.org.uk>,
	Jonas Karlman <jonas@kwiboo.se>,
	David Wu <david.wu@rock-chips.com>,
	Chaoyi Chen <chaoyi.chen@rock-chips.com>,
	netdev@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org, linux-rockchip@lists.infradead.org
Subject: Re: [PATCH net] net: stmmac: dwmac-rk: Ensure clk_phy doesn't contain invalid address
Date: Thu, 4 Sep 2025 11:34:43 +0100
Message-ID: <20250904103443.GH372207@horms.kernel.org>
In-Reply-To: <20250904031222.40953-3-ziyao@disroot.org>

On Thu, Sep 04, 2025 at 03:12:24AM +0000, Yao Zi wrote:
> We must set the clk_phy pointer to NULL to indicate it isn't available
> if the optional phy clock couldn't be obtained. Otherwise the error code
> returned by of_clk_get() could be wrongly taken as an address, causing
> invalid pointer dereference when later clk_phy is passed to
> clk_prepare_enable().
> 
> Fixes: da114122b831 ("net: ethernet: stmmac: dwmac-rk: Make the clk_phy could be used for external phy")
> Signed-off-by: Yao Zi <ziyao@disroot.org>
> ---
>  drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> On next-20250903, the fixed commit causes NULL pointer dereference on
> Radxa E20C during probe of dwmac-rk, a typical dmesg looks like
> 
> [    0.273324] rk_gmac-dwmac ffbe0000.ethernet: IRQ eth_lpi not found
> [    0.273888] rk_gmac-dwmac ffbe0000.ethernet: IRQ sfty not found
> [    0.274520] rk_gmac-dwmac ffbe0000.ethernet: PTP uses main clock
> [    0.275226] rk_gmac-dwmac ffbe0000.ethernet: clock input or output? (output).
> [    0.275867] rk_gmac-dwmac ffbe0000.ethernet: Can not read property: tx_delay.
> [    0.276491] rk_gmac-dwmac ffbe0000.ethernet: set tx_delay to 0x30
> [    0.277026] rk_gmac-dwmac ffbe0000.ethernet: Can not read property: rx_delay.
> [    0.278086] rk_gmac-dwmac ffbe0000.ethernet: set rx_delay to 0x10
> [    0.278658] rk_gmac-dwmac ffbe0000.ethernet: integrated PHY? (no).
> [    0.279249] Unable to handle kernel paging request at virtual address fffffffffffffffe
> [    0.279948] Mem abort info:
> [    0.280195]   ESR = 0x000000096000006
> [    0.280523]   EC = 0x25: DABT (current EL), IL = 32 bits
> [    0.280989]   SET = 0, FnV = 0
> [    0.281287]   EA = 0, S1PTW = 0
> [    0.281574]   FSC = 0x06: level 2 translation fault
> 
> where the invalid address is just -ENOENT (-2).
> 
> diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
> index cf619a428664..26ec8ae662a6 100644
> --- a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
> +++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
> @@ -1414,11 +1414,17 @@ static int rk_gmac_clk_init(struct plat_stmmacenet_data *plat)
>  	if (plat->phy_node) {
>  		bsp_priv->clk_phy = of_clk_get(plat->phy_node, 0);
>  		ret = PTR_ERR_OR_ZERO(bsp_priv->clk_phy);
> -		/* If it is not integrated_phy, clk_phy is optional */
> +		/*
> +		 * If it is not integrated_phy, clk_phy is optional. But we must
> +		 * set bsp_priv->clk_phy to NULL if clk_phy isn't proivded, or
> +		 * the error code could be wrongly taken as an invalid pointer.
> +		 */
>  		if (bsp_priv->integrated_phy) {
>  			if (ret)
>  				return dev_err_probe(dev, ret, "Cannot get PHY clock\n");
>  			clk_set_rate(bsp_priv->clk_phy, 50000000);
> +		} else if (ret) {
> +			bsp_priv->clk_phy = NULL;
>  		}
>  	}
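
Review bot: the added `else if (ret)` branch at the end of this hunk clears bsp_priv->clk_phy for every error of_clk_get() can return, not only the -ENOENT seen in the log, so for a non-integrated PHY a failure such as -EPROBE_DEFER is silently treated the same as "no clock described". Consider treating only -ENOENT as "absent" and passing any other error to dev_err_probe(). In the added comment, "proivded" should be "provided", and the risk is that the error code is taken for a valid pointer, not "an invalid pointer".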

Thanks, and sorry for my early confusion about applying this patch.

I agree that the bug you point out is addressed by this patch.
Although I wonder if it is cleaner not to set bsp_priv->clk_phy
unless there is no error, rather than setting it then resetting
it if there is an error.

More importantly, I wonder if there is another bug: does clk_set_rate need
to be called in the case where there is no error and bsp_priv->integrated_phy
is false?

So I am wondering if it makes sense to go with something like this.
(Compile tested only!)

diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
index 266c53379236..a25816af2c37 100644
--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
@@ -1411,12 +1411,16 @@ static int rk_gmac_clk_init(struct plat_stmmacenet_data *plat)
 	}
 
 	if (plat->phy_node) {
-		bsp_priv->clk_phy = of_clk_get(plat->phy_node, 0);
-		ret = PTR_ERR_OR_ZERO(bsp_priv->clk_phy);
-		/* If it is not integrated_phy, clk_phy is optional */
-		if (bsp_priv->integrated_phy) {
-			if (ret)
+		struct clk *clk_phy;
+
+		clk_phy = of_clk_get(plat->phy_node, 0);
+		ret = PTR_ERR_OR_ZERO(clk_phy);
+		if (ret) {
+			/* If it is not integrated_phy, clk_phy is optional */
+			if (bsp_priv->integrated_phy)
 				return dev_err_probe(dev, ret, "Cannot get PHY clock\n");
+		} else {
+			bsp_priv->clk_phy = clk_phy;
 			clk_set_rate(bsp_priv->clk_phy, 50000000);
 		}
 	}
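
Review bot: in the new `else` branch, clk_set_rate(bsp_priv->clk_phy, 50000000) now runs for any clock that was obtained, whereas the removed lines only reached it under `if (bsp_priv->integrated_phy)`, so an external PHY's clock would also be asked to run at 50 MHz; the return value of clk_set_rate() is not checked either. If that rate is meant only for the integrated PHY, keep the call behind the integrated_phy test. The error path no longer writes bsp_priv->clk_phy at all, which is only safe if the field starts out NULL; the allocation is not visible in this hunk, so that is worth confirming.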

Please note: if you send an updated patch (against net) please
make sure you wait 24h before the original post.

See: https://docs.kernel.org/process/maintainer-netdev.html
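
The failure described in the quoted commit message, as an added userspace example that is not code from this thread or from the driver: it shows why the fault address in the log is fffffffffffffffe and how storing the pointer only on success avoids it. The err.h helpers are simplified stand-ins for the kernel's, and `struct priv`, `fake_clk_get()`, `clk_init_unchecked()` and `clk_init_checked()` are hypothetical names.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel's <linux/err.h> helpers. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static inline int PTR_ERR_OR_ZERO(const void *p) { return IS_ERR(p) ? (int)PTR_ERR(p) : 0; }

struct clk { unsigned long rate; };          /* hypothetical minimal clock */
struct priv { struct clk *clk_phy; int integrated_phy; };

/* Hypothetical lookup: models of_clk_get() finding no clock on the PHY node. */
static struct clk *fake_clk_get(void) { return ERR_PTR(-ENOENT); }

/* Pre-fix shape: the lookup result is stored before it is checked. */
static int clk_init_unchecked(struct priv *p)
{
	p->clk_phy = fake_clk_get();
	int ret = PTR_ERR_OR_ZERO(p->clk_phy);
	if (p->integrated_phy && ret)
		return ret;
	return 0;   /* optional clock: error ignored, but the field still holds it */
}

/* Store-on-success shape: the field is written only with a valid clock. */
static int clk_init_checked(struct priv *p)
{
	struct clk *clk = fake_clk_get();
	int ret = PTR_ERR_OR_ZERO(clk);
	if (ret)
		return p->integrated_phy ? ret : 0;
	p->clk_phy = clk;
	return 0;
}

int main(void)
{
	struct priv a = {0}, b = {0};
	clk_init_unchecked(&a);
	clk_init_checked(&b);
	printf("unchecked: %p  checked: %p\n", (void *)a.clk_phy, (void *)b.clk_phy);
	return 0;
}
```

Any later consumer that only tests the field against NULL will dereference the value left by the unchecked variant.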

