[RESEND] net: phy: fix NULL pointer dereference in phy_polling_mode()

[RESEND] net: phy: fix NULL pointer dereference in phy_polling_mode()

[Xu Yang]

Not all phy devices have phy driver attached, so fix the NULL pointer
dereference issue in phy_polling_mode() which was observed on USB net
devices.

[   31.494735] Unable to handle kernel NULL pointer dereference at virtual address 00000000000001b8
[   31.503512] Mem abort info:
[   31.506298]   ESR = 0x0000000096000004
[   31.510054]   EC = 0x25: DABT (current EL), IL = 32 bits
[   31.515355]   SET = 0, FnV = 0
[   31.518408]   EA = 0, S1PTW = 0
[   31.521543]   FSC = 0x04: level 0 translation fault
[   31.526420] Data abort info:
[   31.529300]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[   31.534778]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[   31.539823]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[   31.545125] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000085a33000
[   31.551558] [00000000000001b8] pgd=0000000000000000, p4d=0000000000000000
[   31.558345] Internal error: Oops: 0000000096000004 [#1]  SMP
[   31.563987] Modules linked in:
[   31.567032] CPU: 1 UID: 0 PID: 38 Comm: kworker/u8:1 Not tainted 6.15.0-rc7-next-20250523-06662-gdb11f7daf2b1-dirty #300 PREEMPT
[   31.578659] Hardware name: NXP i.MX93 11X11 EVK board (DT)
[   31.584129] Workqueue: events_power_efficient phy_state_machine
[   31.590048] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   31.596998] pc : _phy_state_machine+0x120/0x310
[   31.601513] lr : _phy_state_machine+0xc8/0x310
[   31.605942] sp : ffff8000827ebd20
[   31.609244] x29: ffff8000827ebd30 x28: 0000000000000000 x27: 0000000000000000
[   31.616368] x26: ffff000004014028 x25: ffff000004c24b80 x24: ffff000004013a05
[   31.623492] x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000
[   31.630616] x20: ffff00000881fea0 x19: ffff000008515000 x18: 0000000000000006
[   31.637740] x17: 3a76726420303030 x16: 35313538303a7665 x15: 647968702030303a
[   31.644864] x14: ffff000004ea9200 x13: 3030303030303030 x12: ffff800082057068
[   31.651988] x11: 0000000000000058 x10: 000001067f7cd7af x9 : ffff000004ea9200
[   31.659112] x8 : 000000000004341b x7 : ffff000004ea9200 x6 : 00000000000002d6
[   31.666236] x5 : ffff00007fb99308 x4 : 0000000000000000 x3 : 0000000000000000
[   31.673360] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
[   31.680485] Call trace:
[   31.682920]  _phy_state_machine+0x120/0x310 (P)
[   31.687444]  phy_state_machine+0x2c/0x80
[   31.691360]  process_one_work+0x148/0x290
[   31.695364]  worker_thread+0x2c8/0x3e4
[   31.699108]  kthread+0x12c/0x204
[   31.702333]  ret_from_fork+0x10/0x20
[   31.705906] Code: f941be60 b9442261 71001c3f 54000d00 (f940dc02)

Fixes: f2bc1c265572 ("net: phy: introduce optional polling interface for PHY statistics")
Cc: stable@vger.kernel.org
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
---
 include/linux/phy.h | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/include/linux/phy.h b/include/linux/phy.h
index 4c2b8b6e7187..068071646a8b 100644
--- a/include/linux/phy.h
+++ b/include/linux/phy.h
@@ -1632,12 +1632,14 @@ static inline bool phy_interrupt_is_valid(struct phy_device *phydev)
  */
 static inline bool phy_polling_mode(struct phy_device *phydev)
 {
-	if (phydev->state == PHY_CABLETEST)
-		if (phydev->drv->flags & PHY_POLL_CABLE_TEST)
-			return true;
+	if (phydev->drv) {
+		if (phydev->state == PHY_CABLETEST)
+			if (phydev->drv->flags & PHY_POLL_CABLE_TEST)
+				return true;
 
-	if (phydev->drv->update_stats)
-		return true;
+		if (phydev->drv->update_stats)
+			return true;
+	}
 
 	return phydev->irq == PHY_POLL;
 }
-- 
2.34.1

Re: [RESEND] net: phy: fix NULL pointer dereference in phy_polling_mode()

[Russell King (Oracle)]

On Wed, Aug 06, 2025 at 04:29:31PM +0800, Xu Yang wrote:
> Not all phy devices have phy driver attached, so fix the NULL pointer
> dereference issue in phy_polling_mode() which was observed on USB net
> devices.

See my comments in response to your first posting.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!

Re: [RESEND] net: phy: fix NULL pointer dereference in phy_polling_mode()

[Xu Yang]

Hi Russell,

On Wed, Aug 06, 2025 at 09:45:01AM +0100, Russell King (Oracle) wrote:
> On Wed, Aug 06, 2025 at 04:29:31PM +0800, Xu Yang wrote:
> > Not all phy devices have phy driver attached, so fix the NULL pointer
> > dereference issue in phy_polling_mode() which was observed on USB net
> > devices.
> 
> See my comments in response to your first posting.

Thanks for the comments!

Reproduce step is simple:

1. connect an USB to Ethernet device to USB port, I'm using "D-Link Corp.
   DUB-E100 Fast Ethernet Adapter".
2. the asix driver (drivers/net/usb/asix_devices.c) will bind to this USB
   device.

root@imx95evk:~# lsusb -t
/:  Bus 001.Port 001: Dev 001, Class=root_hub, Driver=ci_hdrc/1p, 480M
    |__ Port 001: Dev 003, If 0, Class=Vendor Specific Class, Driver=asix, 480M

3. then the driver will create many mdio devices. 

root@imx95evk:/sys/bus/mdio_bus# ls -d devices/usb*
devices/usb-001:005:00  devices/usb-001:005:04  devices/usb-001:005:08  devices/usb-001:005:0c  devices/usb-001:005:10  devices/usb-001:005:14  devices/usb-001:005:18  devices/usb-001:005:1c
devices/usb-001:005:01  devices/usb-001:005:05  devices/usb-001:005:09  devices/usb-001:005:0d  devices/usb-001:005:11  devices/usb-001:005:15  devices/usb-001:005:19  devices/usb-001:005:1d
devices/usb-001:005:02  devices/usb-001:005:06  devices/usb-001:005:0a  devices/usb-001:005:0e  devices/usb-001:005:12  devices/usb-001:005:16  devices/usb-001:005:1a  devices/usb-001:005:1e
devices/usb-001:005:03  devices/usb-001:005:07  devices/usb-001:005:0b  devices/usb-001:005:0f  devices/usb-001:005:13  devices/usb-001:005:17  devices/usb-001:005:1b  devices/usb-001:005:1f

4. but only usb-001:005:03 is bind to genphy drivers.

root@imx95evk:/sys/bus/mdio_bus# ls drivers/'Generic PHY'/
bind  uevent  unbind  usb-001:005:03

5. just do system suspend and resume test, a lot of kernel dump happens.

Thanks,
Xu Yang

> 
> -- 
> RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
> FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!

Re: [RESEND] net: phy: fix NULL pointer dereference in phy_polling_mode()

[Russell King (Oracle)]

On Wed, Aug 06, 2025 at 04:56:58PM +0800, Xu Yang wrote:
> Hi Russell,
> 
> On Wed, Aug 06, 2025 at 09:45:01AM +0100, Russell King (Oracle) wrote:
> > On Wed, Aug 06, 2025 at 04:29:31PM +0800, Xu Yang wrote:
> > > Not all phy devices have phy driver attached, so fix the NULL pointer
> > > dereference issue in phy_polling_mode() which was observed on USB net
> > > devices.
> > 
> > See my comments in response to your first posting.
> 
> Thanks for the comments!
> 
> Reproduce step is simple:
> 
> 1. connect an USB to Ethernet device to USB port, I'm using "D-Link Corp.
>    DUB-E100 Fast Ethernet Adapter".
> 2. the asix driver (drivers/net/usb/asix_devices.c) will bind to this USB
>    device.
> 
> root@imx95evk:~# lsusb -t
> /:  Bus 001.Port 001: Dev 001, Class=root_hub, Driver=ci_hdrc/1p, 480M
>     |__ Port 001: Dev 003, If 0, Class=Vendor Specific Class, Driver=asix, 480M
> 
> 3. then the driver will create many mdio devices. 
> 
> root@imx95evk:/sys/bus/mdio_bus# ls -d devices/usb*
> devices/usb-001:005:00  devices/usb-001:005:04  devices/usb-001:005:08  devices/usb-001:005:0c  devices/usb-001:005:10  devices/usb-001:005:14  devices/usb-001:005:18  devices/usb-001:005:1c
> devices/usb-001:005:01  devices/usb-001:005:05  devices/usb-001:005:09  devices/usb-001:005:0d  devices/usb-001:005:11  devices/usb-001:005:15  devices/usb-001:005:19  devices/usb-001:005:1d
> devices/usb-001:005:02  devices/usb-001:005:06  devices/usb-001:005:0a  devices/usb-001:005:0e  devices/usb-001:005:12  devices/usb-001:005:16  devices/usb-001:005:1a  devices/usb-001:005:1e
> devices/usb-001:005:03  devices/usb-001:005:07  devices/usb-001:005:0b  devices/usb-001:005:0f  devices/usb-001:005:13  devices/usb-001:005:17  devices/usb-001:005:1b  devices/usb-001:005:1f

This looks broken - please check what
/sys/bus/mdio_bus/devices/usb*/phy_id contains.

However, this patch should stop the oops. Please test and let me know
whether it works. Thanks.

diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
index 7556aa3dd7ee..e6a673faabe6 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -288,7 +288,7 @@ static bool phy_uses_state_machine(struct phy_device *phydev)
 		return phydev->attached_dev && phydev->adjust_link;
 
 	/* phydev->phy_link_change is implicitly phylink_phy_change() */
-	return true;
+	return !!phydev->phy_link_change;
 }
 
 static bool mdio_bus_phy_may_suspend(struct phy_device *phydev)
-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!

Re: [RESEND] net: phy: fix NULL pointer dereference in phy_polling_mode()

[Xu Yang]

Hi Russell,

On Wed, Aug 06, 2025 at 02:01:01PM +0100, Russell King (Oracle) wrote:
> On Wed, Aug 06, 2025 at 04:56:58PM +0800, Xu Yang wrote:
> > Hi Russell,
> > 
> > On Wed, Aug 06, 2025 at 09:45:01AM +0100, Russell King (Oracle) wrote:
> > > On Wed, Aug 06, 2025 at 04:29:31PM +0800, Xu Yang wrote:
> > > > Not all phy devices have phy driver attached, so fix the NULL pointer
> > > > dereference issue in phy_polling_mode() which was observed on USB net
> > > > devices.
> > > 
> > > See my comments in response to your first posting.
> > 
> > Thanks for the comments!
> > 
> > Reproduce step is simple:
> > 
> > 1. connect an USB to Ethernet device to USB port, I'm using "D-Link Corp.
> >    DUB-E100 Fast Ethernet Adapter".
> > 2. the asix driver (drivers/net/usb/asix_devices.c) will bind to this USB
> >    device.
> > 
> > root@imx95evk:~# lsusb -t
> > /:  Bus 001.Port 001: Dev 001, Class=root_hub, Driver=ci_hdrc/1p, 480M
> >     |__ Port 001: Dev 003, If 0, Class=Vendor Specific Class, Driver=asix, 480M
> > 
> > 3. then the driver will create many mdio devices. 
> > 
> > root@imx95evk:/sys/bus/mdio_bus# ls -d devices/usb*
> > devices/usb-001:005:00  devices/usb-001:005:04  devices/usb-001:005:08  devices/usb-001:005:0c  devices/usb-001:005:10  devices/usb-001:005:14  devices/usb-001:005:18  devices/usb-001:005:1c
> > devices/usb-001:005:01  devices/usb-001:005:05  devices/usb-001:005:09  devices/usb-001:005:0d  devices/usb-001:005:11  devices/usb-001:005:15  devices/usb-001:005:19  devices/usb-001:005:1d
> > devices/usb-001:005:02  devices/usb-001:005:06  devices/usb-001:005:0a  devices/usb-001:005:0e  devices/usb-001:005:12  devices/usb-001:005:16  devices/usb-001:005:1a  devices/usb-001:005:1e
> > devices/usb-001:005:03  devices/usb-001:005:07  devices/usb-001:005:0b  devices/usb-001:005:0f  devices/usb-001:005:13  devices/usb-001:005:17  devices/usb-001:005:1b  devices/usb-001:005:1f
> 
> This looks broken - please check what
> /sys/bus/mdio_bus/devices/usb*/phy_id contains.

root@imx95evk:~# cat /sys/bus/mdio_bus/devices/usb*/phy_id
0x00000000
0x00000000
0x00000000
0x02430c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54
0x0c540c54

> 
> However, this patch should stop the oops. Please test and let me know
> whether it works. Thanks.
> 
> diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
> index 7556aa3dd7ee..e6a673faabe6 100644
> --- a/drivers/net/phy/phy_device.c
> +++ b/drivers/net/phy/phy_device.c
> @@ -288,7 +288,7 @@ static bool phy_uses_state_machine(struct phy_device *phydev)
>  		return phydev->attached_dev && phydev->adjust_link;
>  
>  	/* phydev->phy_link_change is implicitly phylink_phy_change() */
> -	return true;
> +	return !!phydev->phy_link_change;
>  }
>  
>  static bool mdio_bus_phy_may_suspend(struct phy_device *phydev)

It works for me.

Thanks,
Xu Yang

> -- 
> RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
> FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!

Re: [RESEND] net: phy: fix NULL pointer dereference in phy_polling_mode()

[Andrew Lunn]

> > > Reproduce step is simple:
> > > 
> > > 1. connect an USB to Ethernet device to USB port, I'm using "D-Link Corp.
> > >    DUB-E100 Fast Ethernet Adapter".

static const struct driver_info dlink_dub_e100_info = {
        .description = "DLink DUB-E100 USB Ethernet",
        .bind = ax88172_bind,
        .status = asix_status,
        .link_reset = ax88172_link_reset,
        .reset = ax88172_link_reset,
        .flags =  FLAG_ETHER | FLAG_LINK_INTR,
        .data = 0x009f9d9f,
};

{
        // DLink DUB-E100
        USB_DEVICE (0x2001, 0x1a00),
        .driver_info =  (unsigned long) &dlink_dub_e100_info,
}, {

Is this the device you have?

> > > 2. the asix driver (drivers/net/usb/asix_devices.c) will bind to this USB
> > >    device.
> > > 
> > > root@imx95evk:~# lsusb -t
> > > /:  Bus 001.Port 001: Dev 001, Class=root_hub, Driver=ci_hdrc/1p, 480M
> > >     |__ Port 001: Dev 003, If 0, Class=Vendor Specific Class, Driver=asix, 480M
> > > 
> > > 3. then the driver will create many mdio devices. 
> > > 
> > > root@imx95evk:/sys/bus/mdio_bus# ls -d devices/usb*
> > > devices/usb-001:005:00  devices/usb-001:005:04  devices/usb-001:005:08  devices/usb-001:005:0c  devices/usb-001:005:10  devices/usb-001:005:14  devices/usb-001:005:18  devices/usb-001:005:1c
> > > devices/usb-001:005:01  devices/usb-001:005:05  devices/usb-001:005:09  devices/usb-001:005:0d  devices/usb-001:005:11  devices/usb-001:005:15  devices/usb-001:005:19  devices/usb-001:005:1d
> > > devices/usb-001:005:02  devices/usb-001:005:06  devices/usb-001:005:0a  devices/usb-001:005:0e  devices/usb-001:005:12  devices/usb-001:005:16  devices/usb-001:005:1a  devices/usb-001:005:1e
> > > devices/usb-001:005:03  devices/usb-001:005:07  devices/usb-001:005:0b  devices/usb-001:005:0f  devices/usb-001:005:13  devices/usb-001:005:17  devices/usb-001:005:1b  devices/usb-001:005:1f
> > 
> > This looks broken - please check what
> > /sys/bus/mdio_bus/devices/usb*/phy_id contains.
> 
> root@imx95evk:~# cat /sys/bus/mdio_bus/devices/usb*/phy_id
> 0x00000000
> 0x00000000
> 0x00000000
> 0x02430c54
> 0x0c540c54
> 0x0c540c54
> 0x0c540c54
> 0x0c540c54

This suggests which version of the asix device has broken MDIO bus
access.

The first three 0x00000000 are odd. If there is no device at an
address you expect to read 0xffffffff. phylib will ignore 0xffffffff
and not create a device. 0x00000000 suggests something actually is on
the bus, and is responding to reads of registers 2 and 3, but
returning 0x0000 is not expected.

And then 0x02430c54 for all other addresses suggests the device is not
correctly handling the bus address, and is mapping the address
parameter to a single bus address.

What does asix_read_phy_addr() return?

This is completely untested, not even compiled:

diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
index 9b0318fb50b5..e136b25782d9 100644
--- a/drivers/net/usb/asix_devices.c
+++ b/drivers/net/usb/asix_devices.c
@@ -260,13 +260,20 @@ static int ax88172_bind(struct usbnet *dev, struct usb_interface *intf)
        dev->mii.dev = dev->net;
        dev->mii.mdio_read = asix_mdio_read;
        dev->mii.mdio_write = asix_mdio_write;
-       dev->mii.phy_id_mask = 0x3f;
        dev->mii.reg_num_mask = 0x1f;
 
        dev->mii.phy_id = asix_read_phy_addr(dev, true);
        if (dev->mii.phy_id < 0)
                return dev->mii.phy_id;
 
+       if (dev->mii.phy_id > 31) {
+               netdev_err(dev->net, "Invalid PHY address %d\n",
+                          dev->mii.phy_id);
+               return -EINVAL;
+       }
+
+       dev->mii.phy_id_mask = BIT(dev->mii.phy_id);
+
        dev->net->netdev_ops = &ax88172_netdev_ops;
        dev->net->ethtool_ops = &ax88172_ethtool_ops;
        dev->net->needed_headroom = 4; /* cf asix_tx_fixup() */

The idea is to limit the scanning of the bus to just the address where
we expect the PHY to be.  See if this gives you a single PHY, and that
PHY actually works.

	Andrew

Re: [RESEND] net: phy: fix NULL pointer dereference in phy_polling_mode()

[Russell King (Oracle)]

On Wed, Aug 06, 2025 at 05:01:22PM +0200, Andrew Lunn wrote:
> > > > Reproduce step is simple:
> > > > 
> > > > 1. connect an USB to Ethernet device to USB port, I'm using "D-Link Corp.
> > > >    DUB-E100 Fast Ethernet Adapter".
> 
> static const struct driver_info dlink_dub_e100_info = {
>         .description = "DLink DUB-E100 USB Ethernet",
>         .bind = ax88172_bind,
>         .status = asix_status,
>         .link_reset = ax88172_link_reset,
>         .reset = ax88172_link_reset,
>         .flags =  FLAG_ETHER | FLAG_LINK_INTR,
>         .data = 0x009f9d9f,
> };
> 
> {
>         // DLink DUB-E100
>         USB_DEVICE (0x2001, 0x1a00),
>         .driver_info =  (unsigned long) &dlink_dub_e100_info,
> }, {
> 
> Is this the device you have?
> 
> > > > 2. the asix driver (drivers/net/usb/asix_devices.c) will bind to this USB
> > > >    device.
> > > > 
> > > > root@imx95evk:~# lsusb -t
> > > > /:  Bus 001.Port 001: Dev 001, Class=root_hub, Driver=ci_hdrc/1p, 480M
> > > >     |__ Port 001: Dev 003, If 0, Class=Vendor Specific Class, Driver=asix, 480M
> > > > 
> > > > 3. then the driver will create many mdio devices. 
> > > > 
> > > > root@imx95evk:/sys/bus/mdio_bus# ls -d devices/usb*
> > > > devices/usb-001:005:00  devices/usb-001:005:04  devices/usb-001:005:08  devices/usb-001:005:0c  devices/usb-001:005:10  devices/usb-001:005:14  devices/usb-001:005:18  devices/usb-001:005:1c
> > > > devices/usb-001:005:01  devices/usb-001:005:05  devices/usb-001:005:09  devices/usb-001:005:0d  devices/usb-001:005:11  devices/usb-001:005:15  devices/usb-001:005:19  devices/usb-001:005:1d
> > > > devices/usb-001:005:02  devices/usb-001:005:06  devices/usb-001:005:0a  devices/usb-001:005:0e  devices/usb-001:005:12  devices/usb-001:005:16  devices/usb-001:005:1a  devices/usb-001:005:1e
> > > > devices/usb-001:005:03  devices/usb-001:005:07  devices/usb-001:005:0b  devices/usb-001:005:0f  devices/usb-001:005:13  devices/usb-001:005:17  devices/usb-001:005:1b  devices/usb-001:005:1f
> > > 
> > > This looks broken - please check what
> > > /sys/bus/mdio_bus/devices/usb*/phy_id contains.
> > 
> > root@imx95evk:~# cat /sys/bus/mdio_bus/devices/usb*/phy_id
> > 0x00000000
> > 0x00000000
> > 0x00000000
> > 0x02430c54
> > 0x0c540c54
> > 0x0c540c54
> > 0x0c540c54
> > 0x0c540c54
> 
> This suggests which version of the asix device has broken MDIO bus
> access.
> 
> The first three 0x00000000 are odd. If there is no device at an
> address you expect to read 0xffffffff. phylib will ignore 0xffffffff
> and not create a device. 0x00000000 suggests something actually is on
> the bus, and is responding to reads of registers 2 and 3, but
> returning 0x0000 is not expected.
> 
> And then 0x02430c54 for all other addresses suggests the device is not
> correctly handling the bus address, and is mapping the address
> parameter to a single bus address.

Notice that the following return the PHY 3 register 3 value, so
I suspect for anything that isn't PHY 3, it just returns whatever
data was last read from PHY 3. This makes it an incredibly buggy
USB device.

Looking at usbnet_read_cmd(), the above can be the only explanation,
as usbnet_read_cmd() memcpy()'s the data into &res, so the value
in the kmalloc()'d buf (which likely be poisoned on free, or if not
unlikely to reallocate the same memory - that needs to be verified)
must be coming from firmware on the device itself.

asix_read_cmd() will catch a short read, and usbnet_read_cmd() will
catch a zero-length read as invalid.

So, my conclusion is... broken firmware on this device.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!

Re: [RESEND] net: phy: fix NULL pointer dereference in phy_polling_mode()

[Xu Yang]

[-- Attachment #1: Type: text/plain, Size: 5977 bytes --]

Hi Andrew,

On Wed, Aug 06, 2025 at 05:01:22PM +0200, Andrew Lunn wrote:
> > > > Reproduce step is simple:
> > > > 
> > > > 1. connect an USB to Ethernet device to USB port, I'm using "D-Link Corp.
> > > >    DUB-E100 Fast Ethernet Adapter".
> 
> static const struct driver_info dlink_dub_e100_info = {
>         .description = "DLink DUB-E100 USB Ethernet",
>         .bind = ax88172_bind,
>         .status = asix_status,
>         .link_reset = ax88172_link_reset,
>         .reset = ax88172_link_reset,
>         .flags =  FLAG_ETHER | FLAG_LINK_INTR,
>         .data = 0x009f9d9f,
> };
> 
> {
>         // DLink DUB-E100
>         USB_DEVICE (0x2001, 0x1a00),
>         .driver_info =  (unsigned long) &dlink_dub_e100_info,
> }, {
> 
> Is this the device you have?

static const struct driver_info ax88772_info = {
	.description = "ASIX AX88772 USB 2.0 Ethernet",
	.bind = ax88772_bind,
	.unbind = ax88772_unbind,
	.reset = ax88772_reset,
	.stop = ax88772_stop,
	.flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_MULTI_PACKET,
	.rx_fixup = asix_rx_fixup_common,
	.tx_fixup = asix_tx_fixup,
};

}
	// DLink DUB-E100 H/W Ver B1
	USB_DEVICE (0x07d1, 0x3c05),
	.driver_info = (unsigned long) &ax88772_info,
}

This one.

> 
> > > > 2. the asix driver (drivers/net/usb/asix_devices.c) will bind to this USB
> > > >    device.
> > > > 
> > > > root@imx95evk:~# lsusb -t
> > > > /:  Bus 001.Port 001: Dev 001, Class=root_hub, Driver=ci_hdrc/1p, 480M
> > > >     |__ Port 001: Dev 003, If 0, Class=Vendor Specific Class, Driver=asix, 480M
> > > > 
> > > > 3. then the driver will create many mdio devices. 
> > > > 
> > > > root@imx95evk:/sys/bus/mdio_bus# ls -d devices/usb*
> > > > devices/usb-001:005:00  devices/usb-001:005:04  devices/usb-001:005:08  devices/usb-001:005:0c  devices/usb-001:005:10  devices/usb-001:005:14  devices/usb-001:005:18  devices/usb-001:005:1c
> > > > devices/usb-001:005:01  devices/usb-001:005:05  devices/usb-001:005:09  devices/usb-001:005:0d  devices/usb-001:005:11  devices/usb-001:005:15  devices/usb-001:005:19  devices/usb-001:005:1d
> > > > devices/usb-001:005:02  devices/usb-001:005:06  devices/usb-001:005:0a  devices/usb-001:005:0e  devices/usb-001:005:12  devices/usb-001:005:16  devices/usb-001:005:1a  devices/usb-001:005:1e
> > > > devices/usb-001:005:03  devices/usb-001:005:07  devices/usb-001:005:0b  devices/usb-001:005:0f  devices/usb-001:005:13  devices/usb-001:005:17  devices/usb-001:005:1b  devices/usb-001:005:1f
> > > 
> > > This looks broken - please check what
> > > /sys/bus/mdio_bus/devices/usb*/phy_id contains.
> > 
> > root@imx95evk:~# cat /sys/bus/mdio_bus/devices/usb*/phy_id
> > 0x00000000
> > 0x00000000
> > 0x00000000
> > 0x02430c54
> > 0x0c540c54
> > 0x0c540c54
> > 0x0c540c54
> > 0x0c540c54
> 
> This suggests which version of the asix device has broken MDIO bus
> access.
> 
> The first three 0x00000000 are odd. If there is no device at an
> address you expect to read 0xffffffff. phylib will ignore 0xffffffff
> and not create a device. 0x00000000 suggests something actually is on
> the bus, and is responding to reads of registers 2 and 3, but
> returning 0x0000 is not expected.
> 
> And then 0x02430c54 for all other addresses suggests the device is not
> correctly handling the bus address, and is mapping the address
> parameter to a single bus address.

I attach the usb bus data about this USB device for reference.

If you search "1:002:0 s c0 07", you will locate AX_CMD_READ_MII_REG (0x07)
transfer.

For address 0x00:

ffff00008598c780 71304432 S Ci:1:002:0 s c0 07 0000 0002 0002 2 <
ffff00008598c780 71304609 C Ci:1:002:0 0 2 = 0000

ffff00008598c780 71306137 S Ci:1:002:0 s c0 07 0000 0003 0002 2 <
ffff00008598c780 71306359 C Ci:1:002:0 0 2 = 0000

...

For address 0x03:

ffff00008598c780 71335993 S Ci:1:002:0 s c0 07 0003 0002 0002 2 <
ffff00008598c780 71336203 C Ci:1:002:0 0 2 = 4302

ffff00008598c780 71337758 S Ci:1:002:0 s c0 07 0003 0003 0002 2 <
ffff00008598c780 71337942 C Ci:1:002:0 0 2 = 540c

...

For address 0x04:


ffff00008598c780 71346488 S Ci:1:002:0 s c0 07 0004 0002 0002 2 <
ffff00008598c780 71346706 C Ci:1:002:0 0 2 = 540c

ffff00008598c780 71348311 S Ci:1:002:0 s c0 07 0004 0003 0002 2 <
ffff00008598c780 71348541 C Ci:1:002:0 0 2 = 540c

So it is indeed returned by this device.

> 
> What does asix_read_phy_addr() return?

If you search "1:002:0 s c0 19", you will locate AX_CMD_READ_PHY_ID (0x19) transfer.

ffff00008598c780 71134999 S Ci:1:002:0 s c0 19 0000 0000 0002 2 <
ffff00008598c780 71135082 C Ci:1:002:0 0 2 = e003

So it returns 'e0 03'.

> 
> This is completely untested, not even compiled:
> 
> diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
> index 9b0318fb50b5..e136b25782d9 100644
> --- a/drivers/net/usb/asix_devices.c
> +++ b/drivers/net/usb/asix_devices.c
> @@ -260,13 +260,20 @@ static int ax88172_bind(struct usbnet *dev, struct usb_interface *intf)
>         dev->mii.dev = dev->net;
>         dev->mii.mdio_read = asix_mdio_read;
>         dev->mii.mdio_write = asix_mdio_write;
> -       dev->mii.phy_id_mask = 0x3f;
>         dev->mii.reg_num_mask = 0x1f;
>  
>         dev->mii.phy_id = asix_read_phy_addr(dev, true);
>         if (dev->mii.phy_id < 0)
>                 return dev->mii.phy_id;
>  
> +       if (dev->mii.phy_id > 31) {
> +               netdev_err(dev->net, "Invalid PHY address %d\n",
> +                          dev->mii.phy_id);
> +               return -EINVAL;
> +       }
> +
> +       dev->mii.phy_id_mask = BIT(dev->mii.phy_id);
> +
>         dev->net->netdev_ops = &ax88172_netdev_ops;
>         dev->net->ethtool_ops = &ax88172_ethtool_ops;
>         dev->net->needed_headroom = 4; /* cf asix_tx_fixup() */
> 
> The idea is to limit the scanning of the bus to just the address where
> we expect the PHY to be.  See if this gives you a single PHY, and that
> PHY actually works.

Because it's ax88772_bind(), so I can't test this. Sorry for this.

Thanks,
Xu Yang

> 
> 	Andrew

[-- Attachment #2: usbnet.log --]
[-- Type: text/plain, Size: 49219 bytes --]

ffff00008598c240 70725746 S Ci:1:001:0 s a3 00 0000 0001 0004 4 <
ffff00008598c240 70725823 C Ci:1:001:0 0 4 = 01010100
ffff00008598c240 70725852 S Co:1:001:0 s 23 01 0010 0001 0000 0
ffff00008598c240 70725871 C Co:1:001:0 0 0
ffff00008182d000 70832071 S Ii:1:001:1 -115:2048 4 <
ffff00008598c240 70832119 S Ci:1:001:0 s a3 00 0000 0001 0004 4 <
ffff00008598c240 70832157 C Ci:1:001:0 0 4 = 01010000
ffff00008598c240 70832216 S Co:1:001:0 s 23 03 0004 0001 0000 0
ffff00008598c240 70832238 C Co:1:001:0 0 0
ffff00008182d000 70887306 C Ii:1:001:1 0:2048 1 = 02
ffff00008182d000 70887351 S Ii:1:001:1 -115:2048 4 <
ffff00008598c240 70896181 S Ci:1:001:0 s a3 00 0000 0001 0004 4 <
ffff00008598c240 70896231 C Ci:1:001:0 0 4 = 03051000
ffff00008598c240 70896255 S Co:1:001:0 s 23 01 0014 0001 0000 0
ffff00008598c240 70896274 C Co:1:001:0 0 0
ffff00008598c240 70962628 S Ci:1:000:0 s 80 06 0100 0000 0040 64 <
ffff00008598c240 70964599 C Ci:1:000:0 0 18 = 12010002 ffff0040 0120053c 01000102 0301
ffff00008598c240 70964714 S Co:1:001:0 s 23 03 0004 0001 0000 0
ffff00008598c240 70964757 C Co:1:001:0 0 0
ffff00008182d000 71019703 C Ii:1:001:1 0:2048 1 = 02
ffff00008182d000 71019720 S Ii:1:001:1 -115:2048 4 <
ffff00008598c240 71032106 S Ci:1:001:0 s a3 00 0000 0001 0004 4 <
ffff00008598c240 71032158 C Ci:1:001:0 0 4 = 03051000
ffff00008598c240 71032187 S Co:1:001:0 s 23 01 0014 0001 0000 0
ffff00008598c240 71032208 C Co:1:001:0 0 0
ffff00008598c240 71092077 S Co:1:000:0 s 00 05 0002 0000 0000 0
ffff00008598c240 71092415 C Co:1:000:0 0 0
ffff00008598c780 71116241 S Ci:1:002:0 s 80 06 0100 0000 0012 18 <
ffff00008598c780 71118141 C Ci:1:002:0 0 18 = 12010002 ffff0040 0120053c 01000102 0301
ffff00008598c780 71118214 S Ci:1:002:0 s 80 06 0200 0000 0009 9 <
ffff00008598c780 71119372 C Ci:1:002:0 0 9 = 09022700 01010480 7d
ffff00008598c780 71119420 S Ci:1:002:0 s 80 06 0200 0000 0027 39 <
ffff00008598c780 71123363 C Ci:1:002:0 0 39 = 09022700 01010480 7d090400 0003ffff 00070705 81030800 0b070582 02000200
ffff00008598c780 71123425 S Ci:1:002:0 s 80 06 0300 0000 00ff 255 <
ffff00008598c780 71123612 C Ci:1:002:0 0 4 = 04030904
ffff00008598c780 71123650 S Ci:1:002:0 s 80 06 0302 0409 00ff 255 <
ffff00008598c780 71125581 C Ci:1:002:0 0 18 = 12034400 55004200 2d004500 31003000 3000
ffff00008598c780 71125678 S Ci:1:002:0 s 80 06 0301 0409 00ff 255 <
ffff00008598c780 71129355 C Ci:1:002:0 0 38 = 26034400 2d004c00 69006e00 6b002000 43006f00 72007000 6f007200 61007400
ffff00008598c780 71129410 S Ci:1:002:0 s 80 06 0303 0409 00ff 255 <
ffff00008598c780 71130851 C Ci:1:002:0 0 14 = 0e033000 30003000 30003000 3100
ffff00008598c780 71131678 S Co:1:002:0 s 00 09 0001 0000 0000 0
ffff00008598c780 71131854 C Co:1:002:0 0 0
ffff00008598c780 71132791 S Ci:1:002:0 s 80 06 0304 0409 00ff 255 <
ffff00008598c780 71133363 C Ci:1:002:0 0 4 = 04033000
ffff00008598c780 71133542 S Ci:1:002:0 s 80 06 0307 0409 00ff 255 <
ffff00008598c780 71134104 C Ci:1:002:0 0 4 = 04033000
ffff00008598c780 71134430 S Co:1:002:0 s 01 0b 0000 0000 0000 0
ffff00008598c780 71134595 C Co:1:002:0 0 0
ffff00008598c780 71134850 S Ci:1:002:0 s c0 13 0000 0000 0006 6 <
ffff00008598c780 71134961 C Ci:1:002:0 0 6 = fc7516cf 6bfe
ffff00008598c780 71134999 S Ci:1:002:0 s c0 19 0000 0000 0002 2 <
ffff00008598c780 71135082 C Ci:1:002:0 0 2 = e003
ffff00008598c780 71135112 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71135206 C Ci:1:002:0 0 1 = 00
ffff00008598c780 71135237 S Co:1:002:0 s 40 1f 00b0 0000 0000 0
ffff00008598c780 71135322 C Co:1:002:0 0 0
ffff00008598c780 71144057 S Co:1:002:0 s 40 22 0000 0000 0000 0
ffff00008598c780 71144209 C Co:1:002:0 0 0
ffff00008598c780 71144234 S Co:1:002:0 s 40 20 0048 0000 0000 0
ffff00008598c780 71144315 C Co:1:002:0 0 0
ffff00008598c780 71300226 S Co:1:002:0 s 40 10 0088 0000 0000 0
ffff00008598c780 71300532 C Co:1:002:0 0 0
ffff00008598c780 71300588 S Co:1:002:0 s 40 1b 0306 0000 0000 0
ffff00008598c780 71300756 C Co:1:002:0 0 0
ffff00008598c780 71300812 S Co:1:002:0 s 40 12 001d 0012 0000 0
ffff00008598c780 71300999 C Co:1:002:0 0 0
ffff00008598c780 71301053 S Co:1:002:0 s 40 14 0000 0000 0006 6 = fc7516cf 6bfe
ffff00008598c780 71301256 C Co:1:002:0 0 6 >
ffff00008598c780 71301308 S Co:1:002:0 s 40 10 0088 0000 0000 0
ffff00008598c780 71301494 C Co:1:002:0 0 0
ffff00008598c780 71301544 S Ci:1:002:0 s c0 0f 0000 0000 0002 2 <
ffff00008598c780 71301756 C Ci:1:002:0 0 2 = 8800
ffff00008598c780 71301807 S Ci:1:002:0 s c0 1a 0000 0000 0002 2 <
ffff00008598c780 71302005 C Ci:1:002:0 0 2 = 0603
ffff00008598c780 71302858 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71302996 C Co:1:002:0 0 0
ffff00008598c780 71304193 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71304382 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71304432 S Ci:1:002:0 s c0 07 0000 0002 0002 2 <
ffff00008598c780 71304609 C Ci:1:002:0 0 2 = 0000
ffff00008598c780 71304640 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71304727 C Co:1:002:0 0 0
ffff00008598c780 71304756 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71304851 C Co:1:002:0 0 0
ffff00008598c780 71305997 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71306110 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71306137 S Ci:1:002:0 s c0 07 0000 0003 0002 2 <
ffff00008598c780 71306359 C Ci:1:002:0 0 2 = 0000
ffff00008598c780 71306406 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71306477 C Co:1:002:0 0 0
ffff00008598c780 71313142 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71313363 C Co:1:002:0 0 0
ffff00008598c780 71316290 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71316488 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71316515 S Ci:1:002:0 s c0 07 0001 0002 0002 2 <
ffff00008598c780 71316718 C Ci:1:002:0 0 2 = 0000
ffff00008598c780 71316739 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71316834 C Co:1:002:0 0 0
ffff00008598c780 71316856 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71316956 C Co:1:002:0 0 0
ffff00008598c780 71318085 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71318210 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71318229 S Ci:1:002:0 s c0 07 0001 0003 0002 2 <
ffff00008598c780 71318458 C Ci:1:002:0 0 2 = 0000
ffff00008598c780 71318475 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71318577 C Co:1:002:0 0 0
ffff00008598c780 71324727 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71324856 C Co:1:002:0 0 0
ffff00008598c780 71326978 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71327111 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71327153 S Ci:1:002:0 s c0 07 0002 0002 0002 2 <
ffff00008598c780 71327339 C Ci:1:002:0 0 2 = 0000
ffff00008598c780 71327371 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71327451 C Co:1:002:0 0 0
ffff00008598c780 71327479 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71327573 C Co:1:002:0 0 0
ffff00008598c780 71328729 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71328849 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71328877 S Ci:1:002:0 s c0 07 0002 0003 0002 2 <
ffff00008598c780 71329093 C Ci:1:002:0 0 2 = 0000
ffff00008598c780 71329138 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71329314 C Co:1:002:0 0 0
ffff00008598c780 71334244 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71334336 C Co:1:002:0 0 0
ffff00008598c780 71335860 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71335962 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71335993 S Ci:1:002:0 s c0 07 0003 0002 0002 2 <
ffff00008598c780 71336203 C Ci:1:002:0 0 2 = 4302
ffff00008598c780 71336229 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71336309 C Co:1:002:0 0 0
ffff00008598c780 71336331 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71336432 C Co:1:002:0 0 0
ffff00008598c780 71337573 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71337714 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71337758 S Ci:1:002:0 s c0 07 0003 0003 0002 2 <
ffff00008598c780 71337942 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71337969 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71338058 C Co:1:002:0 0 0
ffff00008598c780 71344959 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71345079 C Co:1:002:0 0 0
ffff00008598c780 71346264 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71346450 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71346488 S Ci:1:002:0 s c0 07 0004 0002 0002 2 <
ffff00008598c780 71346706 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71346758 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71346918 C Co:1:002:0 0 0
ffff00008598c780 71346937 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71347040 C Co:1:002:0 0 0
ffff00008598c780 71348166 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71348295 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71348311 S Ci:1:002:0 s c0 07 0004 0003 0002 2 <
ffff00008598c780 71348541 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71348555 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71348660 C Co:1:002:0 0 0
ffff00008598c780 71352858 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71353054 C Co:1:002:0 0 0
ffff00008598c780 71354192 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71354301 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71354321 S Ci:1:002:0 s c0 07 0005 0002 0002 2 <
ffff00008598c780 71354539 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71354555 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71354655 C Co:1:002:0 0 0
ffff00008598c780 71354670 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71354801 C Co:1:002:0 0 0
ffff00008598c780 71355962 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71356047 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71356075 S Ci:1:002:0 s c0 07 0005 0003 0002 2 <
ffff00008598c780 71356293 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71356319 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71356408 C Co:1:002:0 0 0
ffff00008598c780 71363244 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71363420 C Co:1:002:0 0 0
ffff00008598c780 71364563 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71364669 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71364694 S Ci:1:002:0 s c0 07 0006 0002 0002 2 <
ffff00008598c780 71364913 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71364935 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71365022 C Co:1:002:0 0 0
ffff00008598c780 71365043 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71365144 C Co:1:002:0 0 0
ffff00008598c780 71366271 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71366397 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71366414 S Ci:1:002:0 s c0 07 0006 0003 0002 2 <
ffff00008598c780 71366647 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71366664 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71366764 C Co:1:002:0 0 0
ffff00008598c780 71371580 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71371783 C Co:1:002:0 0 0
ffff00008598c780 71372923 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71373033 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71373058 S Ci:1:002:0 s c0 07 0007 0002 0002 2 <
ffff00008598c780 71373276 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71373299 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71373385 C Co:1:002:0 0 0
ffff00008598c780 71373405 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71373508 C Co:1:002:0 0 0
ffff00008598c780 71374636 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71374762 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71374779 S Ci:1:002:0 s c0 07 0007 0003 0002 2 <
ffff00008598c780 71375010 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71375027 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71375128 C Co:1:002:0 0 0
ffff00008598c780 71380087 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71380272 C Co:1:002:0 0 0
ffff00008598c780 71381413 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71381522 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71381548 S Ci:1:002:0 s c0 07 0008 0002 0002 2 <
ffff00008598c780 71381764 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71381790 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71381874 C Co:1:002:0 0 0
ffff00008598c780 71381896 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71381996 C Co:1:002:0 0 0
ffff00008598c780 71383126 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71383250 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71383271 S Ci:1:002:0 s c0 07 0008 0003 0002 2 <
ffff00008598c780 71383500 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71383518 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71383618 C Co:1:002:0 0 0
ffff00008598c780 71388660 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71388764 C Co:1:002:0 0 0
ffff00008598c780 71389908 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71390011 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71390036 S Ci:1:002:0 s c0 07 0009 0002 0002 2 <
ffff00008598c780 71390251 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71390271 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71390360 C Co:1:002:0 0 0
ffff00008598c780 71390379 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71390484 C Co:1:002:0 0 0
ffff00008598c780 71391612 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71391739 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71391756 S Ci:1:002:0 s c0 07 0009 0003 0002 2 <
ffff00008598c780 71391987 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71392018 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71392106 C Co:1:002:0 0 0
ffff00008598c780 71397350 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71397505 C Co:1:002:0 0 0
ffff00008598c780 71398663 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71398871 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71398900 S Ci:1:002:0 s c0 07 000a 0002 0002 2 <
ffff00008598c780 71399114 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71399140 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71399229 C Co:1:002:0 0 0
ffff00008598c780 71399256 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71399353 C Co:1:002:0 0 0
ffff00008598c780 71400500 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71400612 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71400638 S Ci:1:002:0 s c0 07 000a 0003 0002 2 <
ffff00008598c780 71400860 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71400886 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71400976 C Co:1:002:0 0 0
ffff00008598c780 71407637 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71407747 C Co:1:002:0 0 0
ffff00008598c780 71408909 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71409113 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71409144 S Ci:1:002:0 s c0 07 000b 0002 0002 2 <
ffff00008598c780 71409351 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71409378 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71409465 C Co:1:002:0 0 0
ffff00008598c780 71409493 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71409590 C Co:1:002:0 0 0
ffff00008598c780 71410735 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71410847 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71410874 S Ci:1:002:0 s c0 07 000b 0003 0002 2 <
ffff00008598c780 71411096 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71411121 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71411212 C Co:1:002:0 0 0
ffff00008598c780 71418044 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71418230 C Co:1:002:0 0 0
ffff00008598c780 71419388 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71419595 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71419623 S Ci:1:002:0 s c0 07 000c 0002 0002 2 <
ffff00008598c780 71419836 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71419864 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71419951 C Co:1:002:0 0 0
ffff00008598c780 71419979 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71420077 C Co:1:002:0 0 0
ffff00008598c780 71421214 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71421325 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71421343 S Ci:1:002:0 s c0 07 000c 0003 0002 2 <
ffff00008598c780 71421574 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71421590 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71421693 C Co:1:002:0 0 0
ffff00008598c780 71426783 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71426963 C Co:1:002:0 0 0
ffff00008598c780 71428041 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71428205 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71428228 S Ci:1:002:0 s c0 07 000d 0002 0002 2 <
ffff00008598c780 71428446 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71428468 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71428560 C Co:1:002:0 0 0
ffff00008598c780 71428578 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71428684 C Co:1:002:0 0 0
ffff00008598c780 71429810 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71429939 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71429956 S Ci:1:002:0 s c0 07 000d 0003 0002 2 <
ffff00008598c780 71430188 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71430204 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71430306 C Co:1:002:0 0 0
ffff00008598c780 71435263 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71435452 C Co:1:002:0 0 0
ffff00008598c780 71436592 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71436694 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71436716 S Ci:1:002:0 s c0 07 000e 0002 0002 2 <
ffff00008598c780 71436932 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71436952 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71437048 C Co:1:002:0 0 0
ffff00008598c780 71437067 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71437173 C Co:1:002:0 0 0
ffff00008598c780 71438299 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71438426 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71438443 S Ci:1:002:0 s c0 07 000e 0003 0002 2 <
ffff00008598c780 71438676 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71438692 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71438795 C Co:1:002:0 0 0
ffff00008598c780 71443773 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71443944 C Co:1:002:0 0 0
ffff00008598c780 71445085 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71445180 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71445200 S Ci:1:002:0 s c0 07 000f 0002 0002 2 <
ffff00008598c780 71445421 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71445441 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71445538 C Co:1:002:0 0 0
ffff00008598c780 71445555 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71445662 C Co:1:002:0 0 0
ffff00008598c780 71446788 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71446915 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71446932 S Ci:1:002:0 s c0 07 000f 0003 0002 2 <
ffff00008598c780 71447166 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71447183 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71447284 C Co:1:002:0 0 0
ffff00008598c780 71452143 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71452305 C Co:1:002:0 0 0
ffff00008598c780 71453452 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71453544 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71453566 S Ci:1:002:0 s c0 07 0010 0002 0002 2 <
ffff00008598c780 71453786 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71453807 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71453901 C Co:1:002:0 0 0
ffff00008598c780 71453921 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71454026 C Co:1:002:0 0 0
ffff00008598c780 71455155 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71455280 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71455298 S Ci:1:002:0 s c0 07 0010 0003 0002 2 <
ffff00008598c780 71455530 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71455548 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71455648 C Co:1:002:0 0 0
ffff00008598c780 71460735 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71460917 C Co:1:002:0 0 0
ffff00008598c780 71462058 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71462156 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71462179 S Ci:1:002:0 s c0 07 0011 0002 0002 2 <
ffff00008598c780 71462398 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71462419 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71462515 C Co:1:002:0 0 0
ffff00008598c780 71462536 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71462639 C Co:1:002:0 0 0
ffff00008598c780 71463768 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71463894 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71463912 S Ci:1:002:0 s c0 07 0011 0003 0002 2 <
ffff00008598c780 71464143 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71464163 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71464262 C Co:1:002:0 0 0
ffff00008598c780 71469809 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71469916 C Co:1:002:0 0 0
ffff00008598c780 71471073 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71471278 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71471311 S Ci:1:002:0 s c0 07 0012 0002 0002 2 <
ffff00008598c780 71471518 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71471547 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71471635 C Co:1:002:0 0 0
ffff00008598c780 71471664 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71471759 C Co:1:002:0 0 0
ffff00008598c780 71472907 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71473016 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71473045 S Ci:1:002:0 s c0 07 0012 0003 0002 2 <
ffff00008598c780 71473264 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71473292 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71473382 C Co:1:002:0 0 0
ffff00008598c780 71480109 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71480277 C Co:1:002:0 0 0
ffff00008598c780 71481443 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71481639 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71481671 S Ci:1:002:0 s c0 07 0013 0002 0002 2 <
ffff00008598c780 71481881 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71481912 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71481996 C Co:1:002:0 0 0
ffff00008598c780 71482026 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71482120 C Co:1:002:0 0 0
ffff00008598c780 71483266 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71483378 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71483407 S Ci:1:002:0 s c0 07 0013 0003 0002 2 <
ffff00008598c780 71483627 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71483655 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71483743 C Co:1:002:0 0 0
ffff00008598c780 71490672 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71490887 C Co:1:002:0 0 0
ffff00008598c780 71492049 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71492253 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71492287 S Ci:1:002:0 s c0 07 0014 0002 0002 2 <
ffff00008598c780 71492508 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71492528 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71492601 C Co:1:002:0 0 0
ffff00008598c780 71492621 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71492725 C Co:1:002:0 0 0
ffff00008598c780 71493855 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71493980 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71493998 S Ci:1:002:0 s c0 07 0014 0003 0002 2 <
ffff00008598c780 71494229 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71494247 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71494348 C Co:1:002:0 0 0
ffff00008598c780 71499382 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71499494 C Co:1:002:0 0 0
ffff00008598c780 71500670 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71500861 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71500884 S Ci:1:002:0 s c0 07 0015 0002 0002 2 <
ffff00008598c780 71501101 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71501121 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71501215 C Co:1:002:0 0 0
ffff00008598c780 71501235 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71501339 C Co:1:002:0 0 0
ffff00008598c780 71502444 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71502593 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71502612 S Ci:1:002:0 s c0 07 0015 0003 0002 2 <
ffff00008598c780 71502843 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71502861 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71502961 C Co:1:002:0 0 0
ffff00008598c780 71507824 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71507980 C Co:1:002:0 0 0
ffff00008598c780 71509166 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71509349 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71509374 S Ci:1:002:0 s c0 07 0016 0002 0002 2 <
ffff00008598c780 71509590 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71509612 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71509704 C Co:1:002:0 0 0
ffff00008598c780 71509724 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71509828 C Co:1:002:0 0 0
ffff00008598c780 71510958 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71511083 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71511102 S Ci:1:002:0 s c0 07 0016 0003 0002 2 <
ffff00008598c780 71511332 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71511351 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71511451 C Co:1:002:0 0 0
ffff00008598c780 71516490 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71516599 C Co:1:002:0 0 0
ffff00008598c780 71517768 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71517961 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71517984 S Ci:1:002:0 s c0 07 0017 0002 0002 2 <
ffff00008598c780 71518201 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71518220 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71518317 C Co:1:002:0 0 0
ffff00008598c780 71518335 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71518441 C Co:1:002:0 0 0
ffff00008598c780 71519567 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71519696 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71519713 S Ci:1:002:0 s c0 07 0017 0003 0002 2 <
ffff00008598c780 71519945 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71519962 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71520064 C Co:1:002:0 0 0
ffff00008598c780 71525042 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71525211 C Co:1:002:0 0 0
ffff00008598c780 71526387 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71526577 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71526600 S Ci:1:002:0 s c0 07 0018 0002 0002 2 <
ffff00008598c780 71526814 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71526832 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71526930 C Co:1:002:0 0 0
ffff00008598c780 71526948 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71527055 C Co:1:002:0 0 0
ffff00008598c780 71528183 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71528311 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71528328 S Ci:1:002:0 s c0 07 0018 0003 0002 2 <
ffff00008598c780 71528559 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71528576 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71528678 C Co:1:002:0 0 0
ffff00008598c780 71533509 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71533698 C Co:1:002:0 0 0
ffff00008598c780 71534845 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71534939 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71534960 S Ci:1:002:0 s c0 07 0019 0002 0002 2 <
ffff00008598c780 71535179 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71535198 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71535294 C Co:1:002:0 0 0
ffff00008598c780 71535313 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71535419 C Co:1:002:0 0 0
ffff00008598c780 71536548 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71536675 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71536693 S Ci:1:002:0 s c0 07 0019 0003 0002 2 <
ffff00008598c780 71536924 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71536940 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71537042 C Co:1:002:0 0 0
ffff00008598c780 71542204 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71542309 C Co:1:002:0 0 0
ffff00008598c780 71543446 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71543552 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71543572 S Ci:1:002:0 s c0 07 001a 0002 0002 2 <
ffff00008598c780 71543795 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71543814 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71543909 C Co:1:002:0 0 0
ffff00008598c780 71543927 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71544033 C Co:1:002:0 0 0
ffff00008598c780 71545177 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71545291 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71545310 S Ci:1:002:0 s c0 07 001a 0003 0002 2 <
ffff00008598c780 71545539 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71545558 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71545657 C Co:1:002:0 0 0
ffff00008598c780 71550695 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71550807 C Co:1:002:0 0 0
ffff00008598c780 71552325 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71552430 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71552480 S Ci:1:002:0 s c0 07 001b 0002 0002 2 <
ffff00008598c780 71552667 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71552698 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71552779 C Co:1:002:0 0 0
ffff00008598c780 71552808 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71552904 C Co:1:002:0 0 0
ffff00008598c780 71554045 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71554161 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71554187 S Ci:1:002:0 s c0 07 001b 0003 0002 2 <
ffff00008598c780 71554410 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71554435 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71554525 C Co:1:002:0 0 0
ffff00008598c780 71561222 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71561409 C Co:1:002:0 0 0
ffff00008598c780 71563954 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71564165 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71564189 S Ci:1:002:0 s c0 07 001c 0002 0002 2 <
ffff00008598c780 71564391 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71564409 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71564507 C Co:1:002:0 0 0
ffff00008598c780 71564525 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71564631 C Co:1:002:0 0 0
ffff00008598c780 71565759 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71565887 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71565905 S Ci:1:002:0 s c0 07 001c 0003 0002 2 <
ffff00008598c780 71566135 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71566152 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71566254 C Co:1:002:0 0 0
ffff00008598c780 71572554 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71572653 C Co:1:002:0 0 0
ffff00008598c780 71574649 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71574785 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71574837 S Ci:1:002:0 s c0 07 001d 0002 0002 2 <
ffff00008598c780 71575013 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71575042 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71575124 C Co:1:002:0 0 0
ffff00008598c780 71575152 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71575248 C Co:1:002:0 0 0
ffff00008598c780 71576406 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71576503 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71576537 S Ci:1:002:0 s c0 07 001d 0003 0002 2 <
ffff00008598c780 71576748 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71576765 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71576866 C Co:1:002:0 0 0
ffff00008598c780 71581975 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71582143 C Co:1:002:0 0 0
ffff00008598c780 71583648 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71583762 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71583788 S Ci:1:002:0 s c0 07 001e 0002 0002 2 <
ffff00008598c780 71583988 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71584031 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71584108 C Co:1:002:0 0 0
ffff00008598c780 71584126 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71584231 C Co:1:002:0 0 0
ffff00008598c780 71585368 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71585487 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71585507 S Ci:1:002:0 s c0 07 001e 0003 0002 2 <
ffff00008598c780 71585736 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71585756 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71585855 C Co:1:002:0 0 0
ffff00008598c780 71590729 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71590878 C Co:1:002:0 0 0
ffff00008598c780 71592045 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71592246 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71592274 S Ci:1:002:0 s c0 07 001f 0002 0002 2 <
ffff00008598c780 71592481 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71592502 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71592595 C Co:1:002:0 0 0
ffff00008598c780 71592615 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71592720 C Co:1:002:0 0 0
ffff00008598c780 71593846 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71593974 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71593991 S Ci:1:002:0 s c0 07 001f 0003 0002 2 <
ffff00008598c780 71594223 C Ci:1:002:0 0 2 = 540c
ffff00008598c780 71594240 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71594342 C Co:1:002:0 0 0
ffff00008598c780 71599416 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71599612 C Co:1:002:0 0 0
ffff00008598c780 71600757 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71600853 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71600878 S Ci:1:002:0 s c0 07 0003 0001 0002 2 <
ffff00008598c780 71601093 C Ci:1:002:0 0 2 = 4978
ffff00008598c780 71601114 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71601209 C Co:1:002:0 0 0
ffff00008598c780 71601230 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71601333 C Co:1:002:0 0 0
ffff00008598c780 71602463 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71602588 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71602607 S Co:1:002:0 s 40 08 0003 000d 0002 2 = 0300
ffff00008598c780 71602836 C Co:1:002:0 0 2 >
ffff00008598c780 71602854 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71602956 C Co:1:002:0 0 0
ffff00008598c780 71602975 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71603082 C Co:1:002:0 0 0
ffff00008598c780 71604211 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71604336 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71604355 S Co:1:002:0 s 40 08 0003 000e 0002 2 = 1400
ffff00008598c780 71604584 C Co:1:002:0 0 2 >
ffff00008598c780 71604602 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71604704 C Co:1:002:0 0 0
ffff00008598c780 71604722 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71604829 C Co:1:002:0 0 0
ffff00008598c780 71605959 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71606083 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71606102 S Co:1:002:0 s 40 08 0003 000d 0002 2 = 0340
ffff00008598c780 71606332 C Co:1:002:0 0 2 >
ffff00008598c780 71606350 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71606452 C Co:1:002:0 0 0
ffff00008598c780 71606471 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71606577 C Co:1:002:0 0 0
ffff00008598c780 71607707 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71607831 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71607851 S Ci:1:002:0 s c0 07 0003 000e 0002 2 <
ffff00008598c780 71608081 C Ci:1:002:0 0 2 = 4978
ffff00008598c780 71608101 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71608200 C Co:1:002:0 0 0
ffff00008598c780 71608338 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71608453 C Co:1:002:0 0 0
ffff00008598c780 71609841 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71609983 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71610092 S Ci:1:002:0 s c0 07 0003 0000 0002 2 <
ffff00008598c780 71610343 C Ci:1:002:0 0 2 = 0031
ffff00008598c780 71610374 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71610453 C Co:1:002:0 0 0
ffff00008598c780 71620994 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71621069 C Co:1:002:0 0 0
ffff00008598c780 71622197 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71622310 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71622326 S Co:1:002:0 s 40 08 0003 000d 0002 2 = 0300
ffff00008598c780 71622557 C Co:1:002:0 0 2 >
ffff00008598c780 71622570 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71622678 C Co:1:002:0 0 0
ffff00008598c780 71622691 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71622803 C Co:1:002:0 0 0
ffff00008598c780 71623923 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71624058 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71624323 S Co:1:002:0 s 40 08 0003 000e 0002 2 = 0100
ffff00008598c780 71624560 C Co:1:002:0 0 2 >
ffff00008598c780 71624578 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71624677 C Co:1:002:0 0 0
ffff00008598c780 71624693 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71624801 C Co:1:002:0 0 0
ffff00008598c780 71625925 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71626055 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71626071 S Co:1:002:0 s 40 08 0003 000d 0002 2 = 0340
ffff00008598c780 71626303 C Co:1:002:0 0 2 >
ffff00008598c780 71626318 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71626424 C Co:1:002:0 0 0
ffff00008598c780 71626438 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71626548 C Co:1:002:0 0 0
ffff00008598c780 71627672 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71627802 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71627817 S Ci:1:002:0 s c0 07 0003 000e 0002 2 <
ffff00008598c780 71628051 C Ci:1:002:0 0 2 = 0031
ffff00008598c780 71628067 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71628172 C Co:1:002:0 0 0
ffff00008598c780 71628191 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71628296 C Co:1:002:0 0 0
ffff00008598c780 71629428 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71629580 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71629632 S Ci:1:002:0 s c0 07 0003 0000 0002 2 <
ffff00008598c780 71629826 C Ci:1:002:0 0 2 = 0031
ffff00008598c780 71629873 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71630066 C Co:1:002:0 0 0
ffff00008598c780 71630116 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598c780 71630197 C Co:1:002:0 0 0
ffff00008598c780 71631443 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598c780 71631576 C Ci:1:002:0 0 1 = 01
ffff00008598c780 71631626 S Co:1:002:0 s 40 08 0003 0000 0002 2 = 0039
ffff00008598c780 71631822 C Co:1:002:0 0 2 >
ffff00008598c780 71631865 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598c780 71631937 C Co:1:002:0 0 0
ffff0000858470c0 71643333 S Co:1:002:0 s 40 14 0000 0000 0006 6 = fc7516cf 6bfe
ffff0000858470c0 71652526 C Co:1:002:0 0 6 >
ffff0000858470c0 71652557 S Co:1:002:0 s 40 10 0088 0000 0000 0
ffff0000858470c0 71652689 C Co:1:002:0 0 0
ffff0000858470c0 71652709 S Co:1:002:0 s 40 1b 0306 0000 0000 0
ffff0000858470c0 71652771 C Co:1:002:0 0 0
ffff00008598cc00 71653305 S Ci:1:001:0 s a3 00 0000 0001 0004 4 <
ffff00008598cc00 71653344 C Ci:1:001:0 0 4 = 03050000
ffff0000858470c0 71658923 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff0000858470c0 71659032 C Co:1:002:0 0 0
ffff0000858470c0 71660170 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff0000858470c0 71660268 C Ci:1:002:0 0 1 = 01
ffff0000858470c0 71660287 S Ci:1:002:0 s c0 07 0003 0000 0002 2 <
ffff0000858470c0 71660512 C Ci:1:002:0 0 2 = 0039
ffff0000858470c0 71660529 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff0000858470c0 71660629 C Co:1:002:0 0 0
ffff0000858470c0 71660646 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff0000858470c0 71660753 C Co:1:002:0 0 0
ffff0000858470c0 71661882 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff0000858470c0 71662016 C Ci:1:002:0 0 1 = 01
ffff0000858470c0 71662036 S Co:1:002:0 s 40 08 0003 0000 0002 2 = 0031
ffff0000858470c0 71662257 C Co:1:002:0 0 2 >
ffff0000858470c0 71662272 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff0000858470c0 71662377 C Co:1:002:0 0 0
ffff0000858470c0 71662411 S Co:1:002:0 s 40 16 0000 0000 0008 8 = 00000000 00000040
ffff000084a45f00 71662420 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff000085847000 71662433 S Co:1:002:0 s 40 10 0098 0000 0000 0
ffff0000858470c0 71662512 C Co:1:002:0 0 8 >
ffff000085847000 71662520 C Co:1:002:0 0 0
ffff000084a45f00 71662524 C Co:1:002:0 0 0
ffff000085847300 71662631 S Co:1:002:0 s 40 16 0000 0000 0008 8 = 00000080 00000040
ffff000085847000 71662655 S Co:1:002:0 s 40 10 0098 0000 0000 0
ffff000085847300 71662773 C Co:1:002:0 0 8 >
ffff000085847000 71662782 C Co:1:002:0 0 0
ffff000085552d80 71663686 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff000085552d80 71663929 C Ci:1:002:0 0 1 = 01
ffff00008598cc00 71664546 S Ci:1:002:0 s c0 07 0003 0004 0002 2 <
ffff00008598cc00 71664792 C Ci:1:002:0 0 2 = e101
ffff00008598cc00 71664820 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598cc00 71664881 C Co:1:002:0 0 0
ffff00008598cc00 71664902 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598cc00 71665004 C Co:1:002:0 0 0
ffff00008598cc00 71666138 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598cc00 71666259 C Ci:1:002:0 0 1 = 01
ffff00008598cc00 71666277 S Co:1:002:0 s 40 08 0003 0004 0002 2 = e10d
ffff00008598cc00 71666503 C Co:1:002:0 0 2 >
ffff00008598cc00 71666519 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598cc00 71666623 C Co:1:002:0 0 0
ffff00008598cc00 71666640 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598cc00 71666748 C Co:1:002:0 0 0
ffff00008598cc00 71667873 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598cc00 71668022 C Ci:1:002:0 0 1 = 01
ffff00008598cc00 71668045 S Ci:1:002:0 s c0 07 0003 0001 0002 2 <
ffff00008598cc00 71668255 C Ci:1:002:0 0 2 = 4978
ffff00008598cc00 71668275 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598cc00 71668372 C Co:1:002:0 0 0
ffff00008598cc00 71668391 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598cc00 71668496 C Co:1:002:0 0 0
ffff00008598cc00 71669624 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598cc00 71669750 C Ci:1:002:0 0 1 = 01
ffff00008598cc00 71669767 S Ci:1:002:0 s c0 07 0003 0000 0002 2 <
ffff00008598cc00 71670000 C Ci:1:002:0 0 2 = 0031
ffff00008598cc00 71670017 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598cc00 71670119 C Co:1:002:0 0 0
ffff00008598cc00 71670136 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598cc00 71670244 C Co:1:002:0 0 0
ffff00008598cc00 71671370 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598cc00 71671498 C Ci:1:002:0 0 1 = 01
ffff00008598cc00 71671515 S Co:1:002:0 s 40 08 0003 0000 0002 2 = 0033
ffff00008598cc00 71671746 C Co:1:002:0 0 2 >
ffff00008598cc00 71671763 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598cc00 71671866 C Co:1:002:0 0 0
ffff00008598cc00 71671885 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598cc00 71671991 C Co:1:002:0 0 0
ffff00008598cc00 71673124 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598cc00 71673243 C Ci:1:002:0 0 1 = 01
ffff00008598cc00 71673258 S Ci:1:002:0 s c0 07 0003 0000 0002 2 <
ffff00008598cc00 71673492 C Ci:1:002:0 0 2 = 0031
ffff00008598cc00 71673506 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598cc00 71673612 C Co:1:002:0 0 0
ffff00008598cc00 71673626 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598cc00 71673737 C Co:1:002:0 0 0
ffff00008598cc00 71674857 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598cc00 71674991 C Ci:1:002:0 0 1 = 01
ffff00008598cc00 71675005 S Ci:1:002:0 s c0 07 0003 0001 0002 2 <
ffff00008598cc00 71675242 C Ci:1:002:0 0 2 = 4978
ffff00008598cc00 71675256 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598cc00 71675361 C Co:1:002:0 0 0
ffff00008598cc00 71675374 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff00008598cc00 71675484 C Co:1:002:0 0 0
ffff00008598cc00 71676610 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff00008598cc00 71676744 C Ci:1:002:0 0 1 = 01
ffff00008598cc00 71676759 S Ci:1:002:0 s c0 07 0003 0001 0002 2 <
ffff00008598cc00 71676989 C Ci:1:002:0 0 2 = 4978
ffff00008598cc00 71677004 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff00008598cc00 71677108 C Co:1:002:0 0 0
ffff000084a45f00 71723211 S Co:1:002:0 s 40 16 0000 0000 0008 8 = 00000080 00000040
ffff000084a459c0 71723278 S Co:1:002:0 s 40 10 0098 0000 0000 0
ffff000084a45f00 71723494 C Co:1:002:0 0 8 >
ffff000084a459c0 71723522 C Co:1:002:0 0 0
ffff000085552f00 72704172 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff000085552f00 72704538 C Co:1:002:0 0 0
ffff000085552f00 72705838 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff000085552f00 72706026 C Ci:1:002:0 0 1 = 01
ffff000085552f00 72706088 S Ci:1:002:0 s c0 07 0003 0000 0002 2 <
ffff000085552f00 72706269 C Ci:1:002:0 0 2 = 0031
ffff000085552f00 72706326 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff000085552f00 72706505 C Co:1:002:0 0 0
ffff000085552f00 72706562 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff000085552f00 72706753 C Co:1:002:0 0 0
ffff000085552f00 72707955 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff000085552f00 72708138 C Ci:1:002:0 0 1 = 01
ffff000085552f00 72708181 S Ci:1:002:0 s c0 07 0003 0001 0002 2 <
ffff000085552f00 72708388 C Ci:1:002:0 0 2 = 4978
ffff000085552f00 72708446 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff000085552f00 72708626 C Co:1:002:0 0 0
ffff000085552f00 72708681 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff000085552f00 72708875 C Co:1:002:0 0 0
ffff000085552f00 72710059 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff000085552f00 72710262 C Ci:1:002:0 0 1 = 01
ffff000085552f00 72710317 S Ci:1:002:0 s c0 07 0003 0001 0002 2 <
ffff000085552f00 72710523 C Ci:1:002:0 0 2 = 4978
ffff000085552f00 72710580 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff000085552f00 72710748 C Co:1:002:0 0 0
ffff000085552f00 73724193 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff000085552f00 73724515 C Co:1:002:0 0 0
ffff000085552f00 73725816 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff000085552f00 73726004 C Ci:1:002:0 0 1 = 01
ffff000085552f00 73726068 S Ci:1:002:0 s c0 07 0003 0000 0002 2 <
ffff000085552f00 73726370 C Ci:1:002:0 0 2 = 0031
ffff000085552f00 73726434 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff000085552f00 73726605 C Co:1:002:0 0 0
ffff000085552f00 73726667 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff000085552f00 73726855 C Co:1:002:0 0 0
ffff000085552f00 73728114 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff000085552f00 73728241 C Ci:1:002:0 0 1 = 01
ffff000085552f00 73728287 S Ci:1:002:0 s c0 07 0003 0001 0002 2 <
ffff000085552f00 73728500 C Ci:1:002:0 0 2 = 4978
ffff000084a45c00 73728549 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff000084a45c00 73728715 C Co:1:002:0 0 0
ffff000084a45c00 73728749 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff000084a45c00 73728838 C Co:1:002:0 0 0
ffff000084a45c00 73729984 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff000084a45c00 73730095 C Ci:1:002:0 0 1 = 01
ffff000084a45c00 73730128 S Ci:1:002:0 s c0 07 0003 0001 0002 2 <
ffff000084a45c00 73730344 C Ci:1:002:0 0 2 = 4978
ffff000084a45c00 73730375 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff000084a45c00 73730462 C Co:1:002:0 0 0
ffff000084a45c00 74748099 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff000084a45c00 74748445 C Co:1:002:0 0 0
ffff000084a45c00 74749636 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff000084a45c00 74749809 C Ci:1:002:0 0 1 = 01
ffff000084a45c00 74749867 S Ci:1:002:0 s c0 07 0003 0000 0002 2 <
ffff000084a45c00 74750050 C Ci:1:002:0 0 2 = 0031
ffff000084a45c00 74750107 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff000084a45c00 74750286 C Co:1:002:0 0 0
ffff000084a45c00 74750340 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff000084a45c00 74750534 C Co:1:002:0 0 0
ffff000084a45c00 74751711 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff000084a45c00 74751921 C Ci:1:002:0 0 1 = 01
ffff000084a45c00 74751977 S Ci:1:002:0 s c0 07 0003 0001 0002 2 <
ffff000084a45c00 74752295 C Ci:1:002:0 0 2 = 4978
ffff000084a45c00 74752350 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff000084a45c00 74752531 C Co:1:002:0 0 0
ffff000084a45c00 74752603 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff000084a45c00 74752782 C Co:1:002:0 0 0
ffff000084a45c00 74753952 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff000084a45c00 74754150 C Ci:1:002:0 0 1 = 01
ffff000084a45c00 74754182 S Ci:1:002:0 s c0 07 0003 0001 0002 2 <
ffff000084a45c00 74754399 C Ci:1:002:0 0 2 = 4978
ffff000084a45c00 74754430 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff000084a45c00 74754515 C Co:1:002:0 0 0
ffff000084a45c00 75772099 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff000084a45c00 75772446 C Co:1:002:0 0 0
ffff000084a45c00 75773623 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff000084a45c00 75773820 C Ci:1:002:0 0 1 = 01
ffff000084a45c00 75773880 S Ci:1:002:0 s c0 07 0003 0000 0002 2 <
ffff000084a45c00 75774179 C Ci:1:002:0 0 2 = 0031
ffff000084a45c00 75774236 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff000084a45c00 75774413 C Co:1:002:0 0 0
ffff000084a45c00 75774472 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff000084a45c00 75774661 C Co:1:002:0 0 0
ffff000084a45c00 75775841 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff000084a45c00 75776046 C Ci:1:002:0 0 1 = 01
ffff000084a45c00 75776109 S Ci:1:002:0 s c0 07 0003 0001 0002 2 <
ffff000084a45c00 75776296 C Ci:1:002:0 0 2 = 4978
ffff000084a45c00 75776336 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff000084a45c00 75776525 C Co:1:002:0 0 0
ffff000084a45c00 75776561 S Co:1:002:0 s 40 06 0000 0000 0000 0
ffff000084a45c00 75776648 C Co:1:002:0 0 0
ffff000084a45c00 75777808 S Ci:1:002:0 s c0 09 0000 0000 0001 1 <
ffff000084a45c00 75777910 C Ci:1:002:0 0 1 = 01
ffff000084a45c00 75777947 S Ci:1:002:0 s c0 07 0003 0001 0002 2 <
ffff000084a45c00 75778159 C Ci:1:002:0 0 2 = 4978
ffff000084a45c00 75778194 S Co:1:002:0 s 40 0a 0000 0000 0000 0
ffff000084a45c00 75778271 C Co:1:002:0 0 0

Re: [RESEND] net: phy: fix NULL pointer dereference in phy_polling_mode()

[Xu Yang]

On Wed, Aug 06, 2025 at 05:47:53PM +0100, Russell King (Oracle) wrote:
> On Wed, Aug 06, 2025 at 05:01:22PM +0200, Andrew Lunn wrote:
> > > > > Reproduce step is simple:
> > > > > 
> > > > > 1. connect an USB to Ethernet device to USB port, I'm using "D-Link Corp.
> > > > >    DUB-E100 Fast Ethernet Adapter".
> > 
> > static const struct driver_info dlink_dub_e100_info = {
> >         .description = "DLink DUB-E100 USB Ethernet",
> >         .bind = ax88172_bind,
> >         .status = asix_status,
> >         .link_reset = ax88172_link_reset,
> >         .reset = ax88172_link_reset,
> >         .flags =  FLAG_ETHER | FLAG_LINK_INTR,
> >         .data = 0x009f9d9f,
> > };
> > 

[...]

> 
> Notice that the following return the PHY 3 register 3 value, so
> I suspect for anything that isn't PHY 3, it just returns whatever
> data was last read from PHY 3. This makes it an incredibly buggy
> USB device.
> 
> Looking at usbnet_read_cmd(), the above can be the only explanation,
> as usbnet_read_cmd() memcpy()'s the data into &res, so the value
> in the kmalloc()'d buf (which likely be poisoned on free, or if not
> unlikely to reallocate the same memory - that needs to be verified)
> must be coming from firmware on the device itself.

I confirm it's returned by the device. I capture the USB transfer with
an USB analyzer too.

> 
> asix_read_cmd() will catch a short read, and usbnet_read_cmd() will
> catch a zero-length read as invalid.
> 
> So, my conclusion is... broken firmware on this device.

The data transfer function works fine on my side. And even if something
is wrong with this device, the linux system shouldn't be broken down
because of this.

Thanks,
Xu Yang

> 
> -- 
> RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
> FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!

Re: [RESEND] net: phy: fix NULL pointer dereference in phy_polling_mode()

[Xu Yang]

Hi Russell and Andrew,

On Thu, Aug 07, 2025 at 05:23:24PM +0800, Xu Yang wrote:
> On Wed, Aug 06, 2025 at 05:47:53PM +0100, Russell King (Oracle) wrote:
> > On Wed, Aug 06, 2025 at 05:01:22PM +0200, Andrew Lunn wrote:
> > > > > > Reproduce step is simple:
> > > > > > 
> > > > > > 1. connect an USB to Ethernet device to USB port, I'm using "D-Link Corp.
> > > > > >    DUB-E100 Fast Ethernet Adapter".
> > > 
> > > static const struct driver_info dlink_dub_e100_info = {
> > >         .description = "DLink DUB-E100 USB Ethernet",
> > >         .bind = ax88172_bind,
> > >         .status = asix_status,
> > >         .link_reset = ax88172_link_reset,
> > >         .reset = ax88172_link_reset,
> > >         .flags =  FLAG_ETHER | FLAG_LINK_INTR,
> > >         .data = 0x009f9d9f,
> > > };
> > > 
> 
> [...]
> 
> > 
> > Notice that the following return the PHY 3 register 3 value, so
> > I suspect for anything that isn't PHY 3, it just returns whatever
> > data was last read from PHY 3. This makes it an incredibly buggy
> > USB device.
> > 
> > Looking at usbnet_read_cmd(), the above can be the only explanation,
> > as usbnet_read_cmd() memcpy()'s the data into &res, so the value
> > in the kmalloc()'d buf (which likely be poisoned on free, or if not
> > unlikely to reallocate the same memory - that needs to be verified)
> > must be coming from firmware on the device itself.
> 
> I confirm it's returned by the device. I capture the USB transfer with
> an USB analyzer too.
> 
> > 
> > asix_read_cmd() will catch a short read, and usbnet_read_cmd() will
> > catch a zero-length read as invalid.
> > 
> > So, my conclusion is... broken firmware on this device.
> 
> The data transfer function works fine on my side. And even if something
> is wrong with this device, the linux system shouldn't be broken down
> because of this.

Thanks for your review!

With more debug on why asix_devices.c driver is creating so many mdio devices,
I found the mdio->phy_mask setting may be missing.

When I add mdio->phy_mask setting, only one mdio device is created and the NULL
pointer dereference issue is gone too.

root@imx95evk:~# ls /sys/bus/mdio_bus/devices/
usb-001:003:03

root@imx95evk:~# cat /sys/bus/mdio_bus/devices/usb-001:003:03/phy_id
0x02430c54

diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
index 9b0318fb50b5..9fba1cb17134 100644
--- a/drivers/net/usb/asix_devices.c
+++ b/drivers/net/usb/asix_devices.c
@@ -676,6 +676,7 @@ static int ax88772_init_mdio(struct usbnet *dev)
        priv->mdio->read = &asix_mdio_bus_read;
        priv->mdio->write = &asix_mdio_bus_write;
        priv->mdio->name = "Asix MDIO Bus";
+       priv->mdio->phy_mask = ~BIT(priv->phy_addr);
        /* mii bus name is usb-<usb bus number>-<usb device number> */
        snprintf(priv->mdio->id, MII_BUS_ID_SIZE, "usb-%03d:%03d",
                 dev->udev->bus->busnum, dev->udev->devnum);

Is this the right thing to do?

Thanks,
Xu Yang

> 
> Thanks,
> Xu Yang
> 
> > 
> > -- 
> > RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
> > FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!

Re: [RESEND] net: phy: fix NULL pointer dereference in phy_polling_mode()

[Russell King (Oracle)]

On Thu, Aug 07, 2025 at 07:21:46PM +0800, Xu Yang wrote:
> Hi Russell and Andrew,
> 
> With more debug on why asix_devices.c driver is creating so many mdio devices,
> I found the mdio->phy_mask setting may be missing.

mdio->phy_mask is really only a workaround/optimisation to prevent
the automatic scanning of the MDIO bus.

If we know for certain that we're only interested in a PHY at a
certain set of addresses, then it's appropriate to tell the MDIO/phylib
layer not to bother scanning the other addresses, but this will mean
if the driver uses e.g. phy_find_first(), it will find the first PHY
amongst those that phy_mask allows to be scanned, rather than the first
on the bus.

In other words... it's dependent on the driver.

> diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
> index 9b0318fb50b5..9fba1cb17134 100644
> --- a/drivers/net/usb/asix_devices.c
> +++ b/drivers/net/usb/asix_devices.c
> @@ -676,6 +676,7 @@ static int ax88772_init_mdio(struct usbnet *dev)
>         priv->mdio->read = &asix_mdio_bus_read;
>         priv->mdio->write = &asix_mdio_bus_write;
>         priv->mdio->name = "Asix MDIO Bus";
> +       priv->mdio->phy_mask = ~BIT(priv->phy_addr);
>         /* mii bus name is usb-<usb bus number>-<usb device number> */
>         snprintf(priv->mdio->id, MII_BUS_ID_SIZE, "usb-%03d:%03d",
>                  dev->udev->bus->busnum, dev->udev->devnum);
> 
> Is this the right thing to do?

If we're only expecting a MDIO device at priv->phy_addr, then I
guess it's fine. Looking at the driver, I don't understand the
mixture of dev->mii.* and priv->mdio->*, and sadly I don't have
time to look in depth at this driver to work that out.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!

Re: [RESEND] net: phy: fix NULL pointer dereference in phy_polling_mode()

[Oleksij Rempel]

On Thu, Aug 07, 2025 at 12:47:02PM +0100, Russell King (Oracle) wrote:
> On Thu, Aug 07, 2025 at 07:21:46PM +0800, Xu Yang wrote:
> > Hi Russell and Andrew,
> > 
> > With more debug on why asix_devices.c driver is creating so many mdio devices,
> > I found the mdio->phy_mask setting may be missing.
> 
> mdio->phy_mask is really only a workaround/optimisation to prevent
> the automatic scanning of the MDIO bus.
> 
> If we know for certain that we're only interested in a PHY at a
> certain set of addresses, then it's appropriate to tell the MDIO/phylib
> layer not to bother scanning the other addresses, but this will mean
> if the driver uses e.g. phy_find_first(), it will find the first PHY
> amongst those that phy_mask allows to be scanned, rather than the first
> on the bus.
> 
> In other words... it's dependent on the driver.
> 
> > diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
> > index 9b0318fb50b5..9fba1cb17134 100644
> > --- a/drivers/net/usb/asix_devices.c
> > +++ b/drivers/net/usb/asix_devices.c
> > @@ -676,6 +676,7 @@ static int ax88772_init_mdio(struct usbnet *dev)
> >         priv->mdio->read = &asix_mdio_bus_read;
> >         priv->mdio->write = &asix_mdio_bus_write;
> >         priv->mdio->name = "Asix MDIO Bus";
> > +       priv->mdio->phy_mask = ~BIT(priv->phy_addr);
> >         /* mii bus name is usb-<usb bus number>-<usb device number> */
> >         snprintf(priv->mdio->id, MII_BUS_ID_SIZE, "usb-%03d:%03d",
> >                  dev->udev->bus->busnum, dev->udev->devnum);
> > 
> > Is this the right thing to do?
> 
> If we're only expecting a MDIO device at priv->phy_addr, then I
> guess it's fine. Looking at the driver, I don't understand the
> mixture of dev->mii.* and priv->mdio->*, and sadly I don't have
> time to look in depth at this driver to work that out.

Hm, I guess, with this change there will be a subtile regression.
In case of an external PHYs the ax88772_init_phy() is using PHYlib to
suspend the internal PHY.

May be:
  priv->mdio->phy_mask = ~(BIT(priv->phy_addr) | BIT(AX_EMBD_PHY_ADDR));

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

Re: [RESEND] net: phy: fix NULL pointer dereference in phy_polling_mode()

[Andrew Lunn]

> diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
> index 9b0318fb50b5..9fba1cb17134 100644
> --- a/drivers/net/usb/asix_devices.c
> +++ b/drivers/net/usb/asix_devices.c
> @@ -676,6 +676,7 @@ static int ax88772_init_mdio(struct usbnet *dev)
>         priv->mdio->read = &asix_mdio_bus_read;
>         priv->mdio->write = &asix_mdio_bus_write;
>         priv->mdio->name = "Asix MDIO Bus";
> +       priv->mdio->phy_mask = ~BIT(priv->phy_addr);
>         /* mii bus name is usb-<usb bus number>-<usb device number> */
>         snprintf(priv->mdio->id, MII_BUS_ID_SIZE, "usb-%03d:%03d",
>                  dev->udev->bus->busnum, dev->udev->devnum);
> 
> Is this the right thing to do?

This is what i was trying to do, i just put it in the wrong place
because i had the wrong device.

ax88772_init_phy() will only use the PHY at address priv->phy_addr, so
this appears to be safe.

The alternative is to have a custom asix_mdio_read() for this device,
which returns -ENODEV if the phy_id being read does not equal
priv->phy_addr. That will also prevent these extra PHYs from being
created.

	Andrew

Re: [RESEND] net: phy: fix NULL pointer dereference in phy_polling_mode()

[Andrew Lunn]

> Hm, I guess, with this change there will be a subtile regression.
> In case of an external PHYs the ax88772_init_phy() is using PHYlib to
> suspend the internal PHY.
> 
> May be:
>   priv->mdio->phy_mask = ~(BIT(priv->phy_addr) | BIT(AX_EMBD_PHY_ADDR));

I looked at that:

	ret = asix_read_phy_addr(dev, true);
	if (ret < 0)
		return ret;

	priv->phy_addr = ret;
	priv->embd_phy = ((priv->phy_addr & 0x1f) == AX_EMBD_PHY_ADDR);

So priv->phy_addr has to be the address of the internal PHY, so this
should just work without anything special for the embedded PHY.

	Andrew

Re: [RESEND] net: phy: fix NULL pointer dereference in phy_polling_mode()

[Oleksij Rempel]

On Thu, Aug 07, 2025 at 02:58:05PM +0200, Andrew Lunn wrote:
> > Hm, I guess, with this change there will be a subtile regression.
> > In case of an external PHYs the ax88772_init_phy() is using PHYlib to
> > suspend the internal PHY.
> > 
> > May be:
> >   priv->mdio->phy_mask = ~(BIT(priv->phy_addr) | BIT(AX_EMBD_PHY_ADDR));
> 
> I looked at that:

Here we read the primary PHY address from the EEPROM. This offset may
contain either the internal or external PHY address. See commit
d0ffff8fddd5 ("USB: asix: Detect internal PHY and enable/use
accordingly")

I need to admit, asix_read_phy_addr(..., bool internal) was originally
designed to distinguish between internal and external PHYs by setting
internal = false.  But in practice, most vendors seem to follow the
existing driver behavior as reference, and only modify the primary PHY
address in the EEPROM.

> 	ret = asix_read_phy_addr(dev, true);
> 	if (ret < 0)
> 		return ret;
> 

At this point, we store the address of the internal or external PHY:

> 	priv->phy_addr = ret;

If the PHY address matches the address of the internal PHY, then
embd_phy is set to true:

> 	priv->embd_phy = ((priv->phy_addr & 0x1f) == AX_EMBD_PHY_ADDR);
> 
> So priv->phy_addr has to be the address of the internal PHY, so this
> should just work without anything special for the embedded PHY.

For most AX88772-based devices, priv->phy_addr is indeed the internal
PHY. However, on devices with an external PHY - like the "Linux
Automation GmbH USB 10Base-T1L" - both internal and external PHYs are
accessible over the MDIO bus.

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

Re: [RESEND] net: phy: fix NULL pointer dereference in phy_polling_mode()

[Xu Yang]

On Thu, Aug 07, 2025 at 12:47:02PM +0100, Russell King (Oracle) wrote:
> On Thu, Aug 07, 2025 at 07:21:46PM +0800, Xu Yang wrote:
> > Hi Russell and Andrew,
> > 
> > With more debug on why asix_devices.c driver is creating so many mdio devices,
> > I found the mdio->phy_mask setting may be missing.
> 
> mdio->phy_mask is really only a workaround/optimisation to prevent
> the automatic scanning of the MDIO bus.
> 
> If we know for certain that we're only interested in a PHY at a
> certain set of addresses, then it's appropriate to tell the MDIO/phylib
> layer not to bother scanning the other addresses, but this will mean
> if the driver uses e.g. phy_find_first(), it will find the first PHY
> amongst those that phy_mask allows to be scanned, rather than the first
> on the bus.
> 
> In other words... it's dependent on the driver.

Understand.

> 
> > diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
> > index 9b0318fb50b5..9fba1cb17134 100644
> > --- a/drivers/net/usb/asix_devices.c
> > +++ b/drivers/net/usb/asix_devices.c
> > @@ -676,6 +676,7 @@ static int ax88772_init_mdio(struct usbnet *dev)
> >         priv->mdio->read = &asix_mdio_bus_read;
> >         priv->mdio->write = &asix_mdio_bus_write;
> >         priv->mdio->name = "Asix MDIO Bus";
> > +       priv->mdio->phy_mask = ~BIT(priv->phy_addr);
> >         /* mii bus name is usb-<usb bus number>-<usb device number> */
> >         snprintf(priv->mdio->id, MII_BUS_ID_SIZE, "usb-%03d:%03d",
> >                  dev->udev->bus->busnum, dev->udev->devnum);
> > 
> > Is this the right thing to do?
> 
> If we're only expecting a MDIO device at priv->phy_addr, then I
> guess it's fine. Looking at the driver, I don't understand the
> mixture of dev->mii.* and priv->mdio->*, and sadly I don't have
> time to look in depth at this driver to work that out.

Okay. Thanks a lot for your input and time!

Best Regards,
Xu Yang

> 
> -- 
> RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
> FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!

Re: [RESEND] net: phy: fix NULL pointer dereference in phy_polling_mode()

[Xu Yang]

Hi Oleksij,

On Thu, Aug 07, 2025 at 02:45:04PM +0200, Oleksij Rempel wrote:
> On Thu, Aug 07, 2025 at 12:47:02PM +0100, Russell King (Oracle) wrote:
> > On Thu, Aug 07, 2025 at 07:21:46PM +0800, Xu Yang wrote:
> > > Hi Russell and Andrew,
> > > 
> > > With more debug on why asix_devices.c driver is creating so many mdio devices,
> > > I found the mdio->phy_mask setting may be missing.
> > 
> > mdio->phy_mask is really only a workaround/optimisation to prevent
> > the automatic scanning of the MDIO bus.
> > 
> > If we know for certain that we're only interested in a PHY at a
> > certain set of addresses, then it's appropriate to tell the MDIO/phylib
> > layer not to bother scanning the other addresses, but this will mean
> > if the driver uses e.g. phy_find_first(), it will find the first PHY
> > amongst those that phy_mask allows to be scanned, rather than the first
> > on the bus.
> > 
> > In other words... it's dependent on the driver.
> > 
> > > diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
> > > index 9b0318fb50b5..9fba1cb17134 100644
> > > --- a/drivers/net/usb/asix_devices.c
> > > +++ b/drivers/net/usb/asix_devices.c
> > > @@ -676,6 +676,7 @@ static int ax88772_init_mdio(struct usbnet *dev)
> > >         priv->mdio->read = &asix_mdio_bus_read;
> > >         priv->mdio->write = &asix_mdio_bus_write;
> > >         priv->mdio->name = "Asix MDIO Bus";
> > > +       priv->mdio->phy_mask = ~BIT(priv->phy_addr);
> > >         /* mii bus name is usb-<usb bus number>-<usb device number> */
> > >         snprintf(priv->mdio->id, MII_BUS_ID_SIZE, "usb-%03d:%03d",
> > >                  dev->udev->bus->busnum, dev->udev->devnum);
> > > 
> > > Is this the right thing to do?
> > 
> > If we're only expecting a MDIO device at priv->phy_addr, then I
> > guess it's fine. Looking at the driver, I don't understand the
> > mixture of dev->mii.* and priv->mdio->*, and sadly I don't have
> > time to look in depth at this driver to work that out.
> 
> Hm, I guess, with this change there will be a subtile regression.
> In case of an external PHYs the ax88772_init_phy() is using PHYlib to
> suspend the internal PHY.
> 
> May be:
>   priv->mdio->phy_mask = ~(BIT(priv->phy_addr) | BIT(AX_EMBD_PHY_ADDR));

I test it and it works. I think this one could be the final solution.

If phy_addr is external phy addr, then the driver need create external and
internal phy device.

So mdio->phy_mask = ~(BIT(priv->phy_addr) | BIT(AX_EMBD_PHY_ADDR)) applies.

If phy_addr is internal phy addr, then the driver need only create internal
phy device.

So mdio->phy_mask = ~(BIT(priv->phy_addr) | BIT(AX_EMBD_PHY_ADDR)) is equal
to mdio->phy_mask = ~BIT(priv->phy_addr).

Thanks,
Xu Yang

> 
> -- 
> Pengutronix e.K.                           |                             |
> Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |