From: sashiko-bot@kernel.org
To: "Jonas Jelonek" <jelonek.jonas@gmail.com>
Cc: conor+dt@kernel.org, robh@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH net-next v3 2/2] net: pse-pd: add Realtek/Broadcom PSE MCU driver
Date: Mon, 29 Jun 2026 22:27:25 +0000 [thread overview]
Message-ID: <20260629222726.00C801F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260628222705.4052815-3-jelonek.jonas@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Incorrect module owner assignment in `rtpse_mcu_register` allows the transport module to be unloaded while active, leading to Use-After-Free.
--
commit 7bb530c7721986789a60e3b5029b0d7f2ddc58d4
Author: Jonas Jelonek <jelonek.jonas@gmail.com>
net: pse-pd: add Realtek/Broadcom PSE MCU driver
This commit adds a driver for the microcontroller that fronts Realtek and
Broadcom PSE chips. It splits the implementation into a shared core module
and separate I2C and UART transport modules.
> diff --git a/drivers/net/pse-pd/realtek-pse-mcu-core.c b/drivers/net/pse-pd/realtek-pse-mcu-core.c
> new file mode 100644
> index 0000000000000..718788d13d90e
> --- /dev/null
> +++ b/drivers/net/pse-pd/realtek-pse-mcu-core.c
[ ... ]
> +int rtpse_mcu_register(struct rtpse_mcu_ctrl *pse)
> +{
[ ... ]
> + /*
> + * Depending on the MCU firmware configuration (which might be different
> + * for every board), it isn't known whether the PoE subsystem is active or
> + * inactive by default. At this stage, the PSE chips might already deliver
> + * power to PDs without any explicit enable.
> + */
> +
> + pse->pcdev.owner = THIS_MODULE;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Severity: High]
Does this assign the core module as the owner instead of the calling transport
module? Since this executes in realtek-pse-mcu-core.c, THIS_MODULE resolves
to the core module, leaving the transport module (e.g., realtek-pse-mcu-i2c)
unpinned.
When a consumer gets a reference to the PSE controller, it pins the core
module, but an administrator can still unload the active transport module.
Unloading the transport module triggers device unbinding and devm resource
cleanup, which frees the pse structure while it is still active, leading to
a use-after-free on subsequent PSE operations.
> + pse->pcdev.ops = &rtpse_mcu_ops;
> + pse->pcdev.dev = pse->dev;
> + pse->pcdev.types = ETHTOOL_PSE_C33;
> + pse->pcdev.nr_lines = info.max_ports;
> + pse->pcdev.pis_prio_max = RTPSE_MCU_PORT_MAX_PRIORITY;
> + pse->pcdev.supp_budget_eval_strategies = PSE_BUDGET_EVAL_STRAT_DYNAMIC;
> +
> + return devm_pse_controller_register(pse->dev, &pse->pcdev);
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260628222705.4052815-1-jelonek.jonas@gmail.com?part=2
next prev parent reply other threads:[~2026-06-29 22:27 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-28 22:27 [PATCH net-next v3 0/2] net: pse-pd: add Realtek/Broadcom PSE MCU support Jonas Jelonek
2026-06-28 22:27 ` [PATCH net-next v3 1/2] dt-bindings: net: pse-pd: add bindings for Realtek/Broadcom PSE MCU Jonas Jelonek
2026-06-28 22:27 ` [PATCH net-next v3 2/2] net: pse-pd: add Realtek/Broadcom PSE MCU driver Jonas Jelonek
2026-06-29 22:27 ` sashiko-bot [this message]
2026-06-29 23:06 ` [PATCH net-next v3 0/2] net: pse-pd: add Realtek/Broadcom PSE MCU support Jakub Kicinski
2026-06-29 23:29 ` Jonas Jelonek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260629222726.00C801F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=jelonek.jonas@gmail.com \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox