From: Carlo Szelinsky <github@szelinsky.de>
To: Simon Horman <horms@kernel.org>
Cc: Oleksij Rempel <o.rempel@pengutronix.de>,
Kory Maincent <kory.maincent@bootlin.com>,
Andrew Lunn <andrew+netdev@lunn.ch>,
"David S . Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Carlo Szelinsky <github@szelinsky.de>
Subject: Re: [PATCH net 1/2] net: pse-pd: disable IRQ before freeing PI data in unregister
Date: Sat, 30 May 2026 12:50:31 +0200 [thread overview]
Message-ID: <20260530105031.3274303-1-github@szelinsky.de> (raw)
In-Reply-To: <20260527125551.2425511-3-horms@kernel.org>
Hi Simon,
Thanks for the review.
> pse_flush_pw_ds() runs before disable_irq(), so an interrupt could
> hit a freed regulator.
Correct, and it's the same bug. I moved disable_irq() above
pse_release_pis(), but pse_flush_pw_ds() still runs while the IRQ is
live, and it can free pw_d->supply. The ISR uses that supply via
pse_pi_deallocate_pw_budget(). So the race stays open.
Fix: disable the IRQ (and cancel the poll work) before
pse_flush_pw_ds() too. I'll fold that into patch 1 for v2.
> cancel_work_sync() after pse_release_pis() may use freed pcdev->pi.
I don't think so. The worker only touches the kfifo and the
pse_control list, not pcdev->pi. The patch 1 message says this.
Did I miss a path where the worker reaches pcdev->pi?
> Regulator ops still reachable after pcdev->pi is freed.
That is what patch 2 fixes for the disable path. Are you pointing at
a different path than the regulator_unregister() disable flush?
> device still in the list / external consumers / power domain tied to
> devm lifetime.
These look pre-existing and not part of this series. Do you agree, or
do you see one of them as caused by this series?
The pre-existing items above (list, consumers, devm lifetime) - would
you want them fixed inside this net series, or handled separately on
top? So I know what to do before sending v2.
Thanks,
Carlo
next prev parent reply other threads:[~2026-05-30 10:50 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-24 22:33 [PATCH net 0/2] net: pse-pd: fix use-after-free of PI array on controller teardown Carlo Szelinsky
2026-05-24 22:33 ` [PATCH net 1/2] net: pse-pd: disable IRQ before freeing PI data in unregister Carlo Szelinsky
2026-05-27 12:55 ` Simon Horman
2026-05-30 10:50 ` Carlo Szelinsky [this message]
2026-06-01 16:25 ` Simon Horman
2026-05-24 22:33 ` [PATCH net 2/2] net: pse-pd: guard against freed PI data on regulator disable Carlo Szelinsky
2026-05-27 12:24 ` Simon Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260530105031.3274303-1-github@szelinsky.de \
--to=github@szelinsky.de \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kory.maincent@bootlin.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=o.rempel@pengutronix.de \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.