Date: Fri, 8 May 2026 23:01:11 +0300
From: Vladimir Oltean
To: David Carlier
Cc: sven@kernel.org, j@jannau.net, neal@gompa.dev, vkoul@kernel.org, neil.armstrong@linaro.org, marcan@marcan.st, p.zabel@pengutronix.de, asahi@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-phy@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] phy: apple: atc: Fix typec switch/mux leak on unbind
Message-ID: <20260508200111.kfl2a6u6gzacsvu4@skbuf>
References: <20260507163746.108086-1-devnexen@gmail.com>
In-Reply-To: <20260507163746.108086-1-devnexen@gmail.com>

On Thu, May 07, 2026 at 05:37:46PM +0100, David Carlier wrote:
> atcphy_probe_switch() and atcphy_probe_mux() discard the pointers
> returned by typec_switch_register() and typec_mux_register(). The
> platform driver has no .remove callback, so when the driver unbinds
> (e.g. via sysfs unbind) neither typec_switch_unregister() nor
> typec_mux_unregister() is called. The framework reference taken in
> typec_switch_register() (device_initialize() + device_add() in
> drivers/usb/typec/mux.c) is therefore never dropped and the
> typec_switch_dev / typec_mux_dev objects stay live forever, with
> their sysfs entries under the typec_mux class also left behind. A
> subsequent rebind cannot recreate them with the same fwnode-derived
> name.
>
> Save the registered handles and unregister them through
> devm_add_action_or_reset() so framework registration is torn down
> in step with the driver's other devm-managed state. While here,
> drop struct apple_atcphy::sw and ::mux: they were declared with the
> consumer-side types (typec_switch *, typec_mux *) instead of the
> provider-side types and were never assigned.
>
> Scope of the fix
> ----------------
> This patch fixes the registration leak only. It does not close the
> use-after-free window that arises when a consumer that obtained a
> reference via fwnode_typec_switch_get() / fwnode_typec_mux_get()
> outlives the provider unbind: such consumers keep the underlying
> typec_switch_dev / typec_mux_dev alive past device_unregister(),
> and a later typec_switch_set() / typec_mux_set() still invokes the
> registered atcphy_sw_set() / atcphy_mux_set(), which dereferences
> the freed apple_atcphy through typec_{switch,mux}_get_drvdata().
>
> On Apple Silicon the relevant consumers are the typec port and the
> cd321x controller registered by drivers/usb/typec/tipd/core.c.
> Cable plug / orientation events and alt-mode transitions trigger
> the .set callbacks via:
>
>   tps6598x_interrupt()                 drivers/usb/typec/tipd/core.c
>     tps6598x_handle_plug_event()
>       tps6598x_connect()/_disconnect()
>         typec_set_orientation()        drivers/usb/typec/class.c
>           typec_switch_set(port->sw)   drivers/usb/typec/mux.c
>             atcphy_sw_set()            drivers/phy/apple/atc.c
>
>   cd321x_update_work()                 drivers/usb/typec/tipd/core.c
>     cd321x_typec_update_mode()
>       typec_mux_set(cd321x->mux)       drivers/usb/typec/mux.c
>         atcphy_mux_set()               drivers/phy/apple/atc.c

Ok, so the claim from v1 that this patch fixes crashes from these code
paths is not correct, since there is nothing that would make the typec
port drop its references acquired via typec_switch_get() and
typec_mux_get().

> Closing that window requires framework support for invalidating
> consumer-held references on provider unbind. The same
> consumer-survives-provider pattern has been discussed for the PHY
> framework [1] and is out of scope here.
>
> [1] https://lore.kernel.org/linux-phy/aZejMSJ9qqRWb2pX@google.com/
>
> Fixes: 8e98ca1e74db ("phy: apple: Add Apple Type-C PHY")
> Signed-off-by: David Carlier
> ---

The commit message is much better. But there is a checkpatch issue which
appears to be valid, see:

commit 931d5c36c7369b65adb9e3d197a8d3a8a913db8c
Author: Joe Perches
Date:   Fri Jan 16 09:42:52 2026 -0800

    checkpatch: add an invalid patch separator test

    Some versions of tools that apply patches incorrectly allow lines that
    start with 3 dashes and have additional content on the same line.

    Checkpatch will now emit an ERROR on these lines and optionally convert
    those lines from dashes to equals with --fix.

    Link: https://lkml.kernel.org/r/6ec1ed08328340db42655287afd5fa4067316b11.camel@perches.com
    Signed-off-by: Joe Perches
    Suggested-by: Ian Rogers
    Cc: Andy Whitcroft
    Cc: Dwaipayan Ray
    Cc: Kuan-Wei Chiu
    Cc: Lukas Bulwahn
    Cc: Namhyung kim
    Cc: Stehen Rothwell
    Signed-off-by: Andrew Morton

I don't have such tooling (git am from version 2.43.0 applies the patch
without discarding the text beneath "Scope of the fix" just fine), but
the commit is from Jan 2026, so that tooling must still exist somewhere.

So please resend with different formatting somehow (either a space
before the title, or replace the ---- with ==== or ~~~~, whatever).

With that addressed, please add:

Reviewed-by: Vladimir Oltean
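
The separator problem raised in the message above, as an added example that is not part of the original e-mail and is not checkpatch's own code: it compares a tool that ends the commit message only at a bare `---` line with one that stops at any line starting with `---`, and applies the dashes-to-equals rewrite. The sample message, the function names and the lenient-tool model are assumptions constructed for illustration.

```python
import re

# Constructed sample: an abridged commit message laid out like the one quoted
# above, followed by the real "---" separator and a placeholder diffstat line.
SAMPLE = """\
phy: apple: atc: Fix typec switch/mux leak on unbind

Save the registered handles and unregister them.

Scope of the fix
----------------
This patch fixes the registration leak only.

Signed-off-by: Example Author <author@example.org>
---
 drivers/phy/apple/atc.c | (diffstat placeholder)
"""

# A line that starts with three dashes and carries anything else on the same line.
BAD_SEPARATOR = re.compile(r"^---.+$")

def split_strict(text):
    """Commit message as seen by a tool that accepts only a bare '---' line."""
    lines = text.splitlines()
    end = lines.index("---") if "---" in lines else len(lines)
    return lines[:end]

def split_lenient(text):
    """Commit message as seen by a tool that stops at any line starting with '---'."""
    lines = text.splitlines()
    end = next((i for i, l in enumerate(lines) if l.startswith("---")), len(lines))
    return lines[:end]

def find_bad_separators(text):
    """Return (line_number, line) for each risky line inside the commit message."""
    return [(n, l) for n, l in enumerate(split_strict(text), 1) if BAD_SEPARATOR.match(l)]

def fix_separators(text):
    """Turn the leading dashes of risky message lines into '=' and keep the rest."""
    risky = {n for n, _ in find_bad_separators(text)}
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        if n in risky:
            dashes = len(line) - len(line.lstrip("-"))
            line = "=" * dashes + line[dashes:]
        out.append(line)
    return "\n".join(out) + "\n"
```

On the sample, the lenient split ends at "Scope of the fix" and loses the Signed-off-by trailer; after `fix_separators()` both splits return the same message.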