From: sashiko-bot@kernel.org
To: "Vladimir Oltean" <vladimir.oltean@nxp.com>
Cc: vkoul@kernel.org, linux-phy@lists.infradead.org,
olteanv@gmail.com, neil.armstrong@linaro.org
Subject: Re: [PATCH v4 phy-next 01/16] phy: lynx-28g: avoid returning NULL in of_xlate() function
Date: Mon, 08 Jun 2026 22:26:46 +0000 [thread overview]
Message-ID: <20260608222646.F27191F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260608221710.1572971-2-vladimir.oltean@nxp.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] A concurrent unbind of the PHY provider can cause a Use-After-Free when accessing the `phy` pointer in `of_phy_get()`.
--
commit 33b5ab7917964ed203a6c538e1528b54f76fa1e5
Author: Vladimir Oltean <vladimir.oltean@nxp.com>
phy: lynx-28g: avoid returning NULL in of_xlate() function
Sashiko points out that _of_phy_get() does not support a NULL returned
output from phy_provider->of_xlate(), just a valid pointer or a
pointer-encoded error.
> diff --git a/drivers/phy/freescale/phy-fsl-lynx-28g.c b/drivers/phy/freescale/phy-fsl-lynx-28g.c
> --- a/drivers/phy/freescale/phy-fsl-lynx-28g.c
> +++ b/drivers/phy/freescale/phy-fsl-lynx-28g.c
> @@ -1435,7 +1435,7 @@ static struct phy *lynx_28g_xlate(struct device *dev,
> idx < priv->info->first_lane))
> return ERR_PTR(-EINVAL);
>
> - return priv->lane[idx].phy;
> + return priv->lane[idx].phy ?: ERR_PTR(-ENODEV);
> }
[Severity: High]
This is a pre-existing issue, but looking at how the xlate callbacks are
consumed in the PHY core, could there be a use-after-free race condition
during device unbind?
In drivers/phy/phy-core.c:of_phy_get(), the provider's xlate callback is
invoked via _of_phy_get():
phy = _of_phy_get(np, index);
if (IS_ERR(phy))
return phy;
if (!try_module_get(phy->ops->owner))
return ERR_PTR(-EPROBE_DEFER);
get_device(&phy->dev);
Since _of_phy_get() drops the phy_provider_mutex before returning the raw,
unreferenced phy pointer, what prevents a concurrent unbind of the PHY
provider from freeing the phy memory before the pointer is dereferenced via
phy->ops->owner?
If the provider is unregistered (e.g., via sysfs) and phy_destroy() drops
the PHY device's reference count to zero precisely after _of_phy_get()
returns, would this result in accessing freed memory?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260608221710.1572971-1-vladimir.oltean@nxp.com?part=1
--
linux-phy mailing list
linux-phy@lists.infradead.org
https://lists.infradead.org/mailman/listinfo/linux-phy
next prev parent reply other threads:[~2026-06-08 22:26 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-08 22:16 [PATCH v4 phy-next 00/16] New Generic PHY driver for Lynx 10G SerDes Vladimir Oltean
2026-06-08 22:16 ` Vladimir Oltean
2026-06-08 22:16 ` [PATCH v4 phy-next 01/16] phy: lynx-28g: avoid returning NULL in of_xlate() function Vladimir Oltean
2026-06-08 22:16 ` Vladimir Oltean
2026-06-08 22:26 ` sashiko-bot [this message]
2026-06-08 22:16 ` [PATCH v4 phy-next 02/16] phy: lynx-28g: reject probing on devices with unsupported OF nodes Vladimir Oltean
2026-06-08 22:16 ` Vladimir Oltean
2026-06-08 22:16 ` [PATCH v4 phy-next 03/16] phy: lynx-28g: move lane mode helpers to new core module Vladimir Oltean
2026-06-08 22:16 ` Vladimir Oltean
2026-06-08 22:24 ` sashiko-bot
2026-06-08 22:16 ` [PATCH v4 phy-next 04/16] phy: lynx-28g: move data structures to core Vladimir Oltean
2026-06-08 22:16 ` Vladimir Oltean
2026-06-08 22:16 ` [PATCH v4 phy-next 05/16] phy: lynx-28g: common lynx_pll_get() Vladimir Oltean
2026-06-08 22:16 ` Vladimir Oltean
2026-06-08 22:17 ` [PATCH v4 phy-next 06/16] phy: lynx-28g: generalize protocol converter accessors Vladimir Oltean
2026-06-08 22:17 ` Vladimir Oltean
2026-06-08 22:17 ` [PATCH v4 phy-next 07/16] phy: lynx-28g: provide default lynx_lane_supports_mode() implementation Vladimir Oltean
2026-06-08 22:17 ` Vladimir Oltean
2026-06-08 22:17 ` [PATCH v4 phy-next 08/16] phy: lynx-28g: move struct lynx_info definitions downwards Vladimir Oltean
2026-06-08 22:17 ` Vladimir Oltean
2026-06-08 22:17 ` [PATCH v4 phy-next 09/16] phy: lynx-28g: make lynx_28g_pll_read_configuration() callable per PLL Vladimir Oltean
2026-06-08 22:17 ` Vladimir Oltean
2026-06-08 22:17 ` [PATCH v4 phy-next 10/16] phy: lynx-28g: common probe() and remove() Vladimir Oltean
2026-06-08 22:17 ` Vladimir Oltean
2026-06-08 22:17 ` [PATCH v4 phy-next 11/16] phy: lynx-28g: add support for big endian register maps Vladimir Oltean
2026-06-08 22:17 ` Vladimir Oltean
2026-06-08 22:17 ` [PATCH v4 phy-next 12/16] phy: lynx-28g: optimize read-modify-write operation Vladimir Oltean
2026-06-08 22:17 ` Vladimir Oltean
2026-06-08 22:17 ` [PATCH v4 phy-next 13/16] phy: lynx-28g: improve phy_validate() procedure Vladimir Oltean
2026-06-08 22:17 ` Vladimir Oltean
2026-06-08 22:17 ` [PATCH v4 phy-next 14/16] dt-bindings: phy: lynx-10g: initial document Vladimir Oltean
2026-06-08 22:17 ` Vladimir Oltean
2026-06-08 22:27 ` sashiko-bot
2026-06-08 22:27 ` sashiko-bot
2026-06-09 16:26 ` Conor Dooley
2026-06-09 16:26 ` Conor Dooley
2026-06-08 22:17 ` [PATCH v4 phy-next 15/16] phy: lynx-10g: new driver Vladimir Oltean
2026-06-08 22:17 ` Vladimir Oltean
2026-06-08 22:33 ` sashiko-bot
2026-06-08 22:33 ` sashiko-bot
2026-06-08 22:17 ` [PATCH v4 phy-next 16/16] MAINTAINERS: expand Lynx 28G entry to cover Lynx 10G SerDes Vladimir Oltean
2026-06-08 22:17 ` Vladimir Oltean
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260608222646.F27191F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-phy@lists.infradead.org \
--cc=neil.armstrong@linaro.org \
--cc=olteanv@gmail.com \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vkoul@kernel.org \
--cc=vladimir.oltean@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.