From: sashiko-bot@kernel.org
To: "Christian Marangi" <ansuelsmth@gmail.com>
Cc: conor+dt@kernel.org, devicetree@vger.kernel.org, robh@kernel.org
Subject: Re: [PATCH net-next v7 05/12] net: phylink: support late PCS provider attach
Date: Tue, 16 Jun 2026 14:32:18 +0000 [thread overview]
Message-ID: <20260616143219.96F321F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260615122950.22281-6-ansuelsmth@gmail.com>
Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:
- [High] Use-After-Free in PCS global notifier list due to missing unregister in `phylink_create()` error paths.
- [High] NULL pointer dereference due to uninitialized `pl->config` in the PCS notifier callback.
- [High] List corruption race between `phylink_create()` and `fwnode_pcs_add_provider()`.
- [High] Use-After-Free of `phylink_pcs` structure in `pcs_provider_notify()` due to missing reference counting.
- [Medium] TOCTOU race condition in `phylink_create()` causes missed PCS attachments.
--
commit e3c74d4cdf92d51d1f16bc8736f6fb1e1800f91d
Author: Christian Marangi <ansuelsmth@gmail.com>
net: phylink: support late PCS provider attach
This patch adds support for late PCS provider attachment by introducing a
global notifier. Phylink instances subscribe to this notifier and react to
FWNODE_PCS_PROVIDER_ADD events by linking the new PCS and refreshing
supported interfaces.
> diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c
> index ca4dad4b140a0..0734c98498a99 100644
> --- a/drivers/net/phy/phylink.c
> +++ b/drivers/net/phy/phylink.c
[ ... ]
> @@ -1997,6 +1999,51 @@ static int phylink_fill_available_pcs(struct phylink *pl,
> return ret;
> }
>
> +static int pcs_provider_notify(struct notifier_block *self,
> + unsigned long val, void *data)
> +{
> + struct phylink *pl = container_of(self, struct phylink, fwnode_pcs_nb);
> + struct fwnode_handle *pcs_fwnode = data;
> + struct phylink_pcs *pcs;
> +
> + /* Check if the just added PCS provider is
> + * in the phylink instance pcs-handle property.
> + */
> + pcs = fwnode_phylink_pcs_get_from_fwnode(dev_fwnode(pl->config->dev),
> + pcs_fwnode);
[Severity: High]
Could this cause a NULL pointer dereference?
The notifier is registered in phylink_create() before pl->config is
initialized. If a concurrent thread adds a PCS provider immediately after
registration, won't pcs_provider_notify() attempt to access pl->config->dev
while it is still NULL?
> + if (IS_ERR(pcs))
> + return NOTIFY_DONE;
> +
> + /* Add the PCS */
> + rtnl_lock();
[Severity: High]
Does this code risk a use-after-free?
The phylink_pcs pointer is retrieved without incrementing a reference count,
and then the thread can sleep while waiting for rtnl_lock().
If the module providing the PCS is concurrently unbound during this wait,
freeing the phylink_pcs structure, will this code dereference the freed
pointer once the lock is acquired?
> +
> + mutex_lock(&pl->state_mutex);
> +
> + /* Link PCS with phylink */
> + list_add(&pcs->list, &pl->pcs_list);
[Severity: High]
Is it possible for the list to become corrupted here?
If phylink_fill_available_pcs() finds the newly added PCS and links it to
pl->pcs_list during phylink_create(), and then the delayed
FWNODE_PCS_PROVIDER_ADD notification fires right after, won't
pcs_provider_notify() unconditionally add the exact same pcs structure
to the list again?
[ ... ]
> @@ -2068,6 +2115,12 @@ struct phylink *phylink_create(struct phylink_config *config,
> pl->supported_interfaces,
> pcs->supported_interfaces);
>
> + /* Register notifier for late PCS attach */
> + if (!phy_interface_empty(config->pcs_interfaces)) {
> + pl->fwnode_pcs_nb.notifier_call = pcs_provider_notify;
> + register_fwnode_pcs_notifier(&pl->fwnode_pcs_nb);
> + }
> +
[Severity: Medium]
Is there a race condition window here?
If a new PCS provider is added concurrently between the earlier call to
phylink_fill_available_pcs() and the registration of the notifier here,
will the FWNODE_PCS_PROVIDER_ADD event fire before the notifier is active,
causing the PCS to be permanently missed?
> pl->config = config;
> if (config->type == PHYLINK_NETDEV) {
> pl->netdev = to_net_dev(config->dev);
[Severity: High]
If phylink_create() encounters an error later in the function (like an
invalid config->type or phylink_parse_mode() failing), does this leave
a dangling pointer in the global notifier chain since
unregister_fwnode_pcs_notifier() isn't called before kfree(pl)?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260615122950.22281-1-ansuelsmth@gmail.com?part=5
next prev parent reply other threads:[~2026-06-16 14:32 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-15 12:29 [PATCH net-next v7 00/12] net: pcs: Introduce support for fwnode PCS Christian Marangi
2026-06-15 12:29 ` [PATCH net-next v7 01/12] net: phylink: keep and use MAC supported_interfaces in phylink struct Christian Marangi
2026-06-15 13:33 ` Maxime Chevallier
2026-06-15 14:18 ` Christian Marangi
2026-06-16 14:32 ` sashiko-bot
2026-06-15 12:29 ` [PATCH net-next v7 02/12] net: phylink: introduce internal phylink PCS handling Christian Marangi
2026-06-15 13:31 ` Maxime Chevallier
2026-06-15 14:17 ` Christian Marangi
2026-06-16 14:32 ` sashiko-bot
2026-06-15 12:29 ` [PATCH net-next v7 03/12] net: phylink: add phylink_release_pcs() to externally release a PCS Christian Marangi
2026-06-16 14:32 ` sashiko-bot
2026-06-15 12:29 ` [PATCH net-next v7 04/12] net: pcs: implement Firmware node support for PCS driver Christian Marangi
2026-06-16 14:32 ` sashiko-bot
2026-06-15 12:29 ` [PATCH net-next v7 05/12] net: phylink: support late PCS provider attach Christian Marangi
2026-06-15 14:07 ` Maxime Chevallier
2026-06-15 14:10 ` Christian Marangi
2026-06-15 14:29 ` Maxime Chevallier
2026-06-15 14:35 ` Christian Marangi
2026-06-15 14:44 ` Maxime Chevallier
2026-06-16 14:32 ` sashiko-bot [this message]
2026-06-15 12:29 ` [PATCH net-next v7 06/12] net: Document PCS subsystem Christian Marangi
2026-06-16 14:32 ` sashiko-bot
2026-06-15 12:29 ` [PATCH net-next v7 07/12] MAINTAINERS: add myself as PCS subsystem maintainer Christian Marangi
2026-06-15 12:29 ` [PATCH net-next v7 08/12] of: property: fw_devlink: Add support for "pcs-handle" Christian Marangi
2026-06-15 12:29 ` [PATCH net-next v7 09/12] net: phylink: add .pcs_link_down PCS OP Christian Marangi
2026-06-16 14:32 ` sashiko-bot
2026-06-15 12:29 ` [PATCH net-next v7 10/12] dt-bindings: net: pcs: Document support for Airoha Ethernet PCS Christian Marangi
2026-06-15 12:29 ` [PATCH net-next v7 11/12] net: pcs: airoha: add PCS driver for Airoha AN7581 SoC Christian Marangi
2026-06-15 16:31 ` Benjamin Larsson
2026-06-16 14:32 ` sashiko-bot
2026-06-15 12:29 ` [PATCH net-next v7 12/12] net: airoha: add phylink support Christian Marangi
2026-06-15 16:07 ` Benjamin Larsson
2026-06-16 14:32 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260616143219.96F321F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=ansuelsmth@gmail.com \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.