The Linux Kernel Mailing List
From: Carlo Szelinsky <github@szelinsky.de>
To: Paolo Abeni <pabeni@redhat.com>
Cc: Oleksij Rempel <o.rempel@pengutronix.de>,
	Kory Maincent <kory.maincent@bootlin.com>,
	Andrew Lunn <andrew+netdev@lunn.ch>,
	Heiner Kallweit <hkallweit1@gmail.com>,
	Russell King <linux@armlinux.org.uk>,
	"David S . Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Simon Horman <horms@kernel.org>,
	Corey Leavitt <corey@leavitt.info>,
	Jonas Jelonek <jelonek.jonas@gmail.com>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	Carlo Szelinsky <github@szelinsky.de>
Subject: Re: [PATCH net-next v4 3/3] net: phy: own phydev->psec via PSE notifier and remove fwnode_mdio hook
Date: Fri,  3 Jul 2026 23:06:51 +0200
Message-ID: <20260703210651.63197-1-github@szelinsky.de>
In-Reply-To: <20260703071025.100797-1-pabeni@redhat.com>

Hi Paolo,

Thanks, I traced this and I think the review is right.

A phy that has been device_del()'d but is still pinned (an attached
netdev holds a get_device() from phy_attach_direct()) is off the
mdio_bus_type klist, so the PSE_UNREGISTERED walk (bus_for_each_dev)
does not see it and phy_pse_detach_one() never clears its phydev->psec.
When it is finally released, after pse_release_pis() has already freed
pcdev->pi, __pse_control_release() reads pcdev->pi[] and pcdev->owner
-> use-after-free. So the commit message is wrong for the off-klist
case: bus_for_each_dev() only defers the release for phys it can still
reach.

A few questions so I fix it the right way:

1. The trigger I can see is unbinding the MDIO bus while a netdev still
   has the phy attached (mdiobus_unregister -> phy_device_remove ->
   device_del, and the phy stays alive on the netdev's reference), and
   then the PSE controller unbinds. Is that the path you have in mind,
   or is there an easier one I am missing?

2. On keeping pse_control_put() in phy_device_remove(): wouldn't that
   bring back the reason it was moved out? phy_device_remove() and the
   walk's phy_pse_detach_one() would both touch phydev->psec, and
   serializing them means taking rtnl in phy_device_remove() - which
   the sfp caller already holds, so it would deadlock. Did you mean a
   plain put there, or something narrower?

3. Simon raised the same psec-vs-pcdev lifetime on the net regulator
   patch [1] and suggested either draining the references on unregister
   or having pse_control hold a refcount on pcdev. This series does the
   drain, which (as you show) misses off-klist phys. Would having
   pse_control pin pcdev - so pcdev->pi and pcdev->owner cannot be
   freed while any pse_control is still out - be the direction you
   prefer? That makes the deferred put safe no matter what the klist
   walk sees.

I'll send a v5 once the direction is clear.

Thanks,
Carlo

[1] https://lore.kernel.org/netdev/20260624151251.1137250-1-horms@kernel.org/
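
Added example, not part of the message above and not kernel code: a userspace C model of the two options in question 3, draining references on unregister versus having each control hold a reference on the controller. All names (pcdev_model, phy_model, pse_attach, pse_put, late_release) are hypothetical stand-ins, and a pi_live flag models pcdev->pi being freed so the bad access is reported instead of performed.

```c
/* Userspace model of the psec-vs-pcdev lifetime; all names are hypothetical stand-ins. */
#include <stddef.h>

struct pcdev_model { int refs, pi_live, pin; };   /* pi_live: pcdev->pi not yet freed */
struct phy_model   { struct pcdev_model *psec; int on_klist; };

static void pcdev_put(struct pcdev_model *p)
{
	if (--p->refs == 0)
		p->pi_live = 0;         /* models pse_release_pis() freeing pcdev->pi */
}

static void pse_attach(struct phy_model *phy, struct pcdev_model *p)
{
	phy->psec = p;
	p->refs += p->pin;              /* pin variant: each control holds a pcdev ref */
}

static int pse_put(struct phy_model *phy)
{
	struct pcdev_model *p = phy->psec;
	phy->psec = NULL;
	if (!p->pi_live)
		return -1;              /* in the kernel this access is the use-after-free */
	if (p->pin)
		pcdev_put(p);
	return 0;
}

static void pcdev_unregister(struct pcdev_model *p, struct phy_model *phys, int n)
{
	for (int i = 0; i < n; i++)     /* the drain reaches on-klist phys only */
		if (phys[i].on_klist && phys[i].psec)
			pse_put(&phys[i]);
	pcdev_put(p);                   /* drop the registration's own reference */
}

/* Constructed scenario: returns the result of the late put on the off-klist phy. */
static int late_release(int pin)
{
	struct pcdev_model pc = { .refs = 1, .pi_live = 1, .pin = pin };
	struct phy_model phys[2] = { { NULL, 1 }, { NULL, 1 } };
	pse_attach(&phys[0], &pc);
	pse_attach(&phys[1], &pc);
	phys[1].on_klist = 0;           /* device_del()'d, but a netdev still pins it */
	pcdev_unregister(&pc, phys, 2);
	return pse_put(&phys[1]);       /* final release, after the controller unbound */
}

int main(void) { return !(late_release(0) == -1 && late_release(1) == 0); }
```

late_release(0) returns -1 because the drain skipped the off-klist phy and its put lands on freed state; late_release(1) returns 0 because the pinned state outlives the walk.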

Thread overview: 6+ messages
2026-06-30  9:11 [PATCH net-next v4 0/3] net: pse-pd: decouple controller lookup from MDIO probe Carlo Szelinsky
2026-06-30  9:11 ` [PATCH net-next v4 1/3] net: pse-pd: add notifier chain for controller lifecycle events Carlo Szelinsky
2026-06-30  9:11 ` [PATCH net-next v4 2/3] net: pse-pd: fire lifecycle events on controller register/unregister Carlo Szelinsky
2026-06-30  9:11 ` [PATCH net-next v4 3/3] net: phy: own phydev->psec via PSE notifier and remove fwnode_mdio hook Carlo Szelinsky
2026-07-03  7:10   ` Paolo Abeni
2026-07-03 21:06     ` Carlo Szelinsky [this message]
