From: Jakub Kicinski <kuba@kernel.org>
To: "Lucien.Jheng" <lucienzx159@gmail.com>
Cc: andrew@lunn.ch, hkallweit1@gmail.com, linux@armlinux.org.uk,
davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
bjorn@mork.no, ericwouds@gmail.com, frank-w@public-files.de,
daniel@makrotopia.org, lucien.jheng@airoha.com,
albert-al.lee@airoha.com
Subject: Re: [PATCH v5] net: phy: air_en8811h: add AN8811HB MCU assert/deassert support
Date: Wed, 20 May 2026 16:54:24 -0700 [thread overview]
Message-ID: <20260520165424.5e61d5d9@kernel.org> (raw)
In-Reply-To: <20260517065041.50155-1-lucienzx159@gmail.com>
On Sun, 17 May 2026 14:50:41 +0800 Lucien.Jheng wrote:
> +static int __air_pbus_reg_write(struct mdio_device *mdiodev,
> + u32 pbus_reg, u32 pbus_data)
> +{
> + int ret;
> +
> + ret = __mdiobus_write(mdiodev->bus, mdiodev->addr, AIR_EXT_PAGE_ACCESS,
> + upper_16_bits(pbus_reg));
> + if (ret < 0)
> + return ret;
> +
> + ret = __mdiobus_write(mdiodev->bus, mdiodev->addr, AIR_PBUS_ADDR_HIGH,
> + (pbus_reg & GENMASK(15, 6)) >> 6);
> + if (ret < 0)
> + return ret;
> +
> + ret = __mdiobus_write(mdiodev->bus, mdiodev->addr,
> + (pbus_reg & GENMASK(5, 2)) >> 2,
> + lower_16_bits(pbus_data));
Please add proper defines for these GENMASK'ed fields and use
FIELD_GET() to access the fields?
> + if (ret < 0)
> + return ret;
> +
> + return __mdiobus_write(mdiodev->bus, mdiodev->addr, AIR_PBUS_DATA_HIGH,
> + upper_16_bits(pbus_data));
> +}
> @@ -1175,10 +1281,21 @@ static int an8811hb_probe(struct phy_device *phydev)
> return -ENOMEM;
> phydev->priv = priv;
>
> + mdiodev = mdio_device_create(phydev->mdio.bus,
> + phydev->mdio.addr + EN8811H_PBUS_ADDR_OFFS);
AI says:
What happens when phydev->mdio.addr is in the range 24..31?
MDIO addresses 0..31 are all valid 5-bit hardware addresses, so a
strap-selected AN8811HB at address >= 24 makes
phydev->mdio.addr + EN8811H_PBUS_ADDR_OFFS land in 32..39. struct
mii_bus has mdio_map[PHY_MAX_ADDR] with PHY_MAX_ADDR == 32, and
mdiobus_register_device() does:
if (mdiodev->bus->mdio_map[mdiodev->addr])
return -EBUSY;
...
mdiodev->bus->mdio_map[mdiodev->addr] = mdiodev;
with no bounds check on mdiodev->addr. The OOB read from
mdio_map[32..39] may return garbage that happens to be non-NULL
(probe fails with -EBUSY) or NULL (the OOB store overwrites adjacent
fields of struct mii_bus such as phy_mask, phy_ignore_ta_mask, or
the irq[] array).
Even without corruption, every later __air_pbus_reg_write() goes
through __mdiobus_write(), which has:
if (addr >= PHY_MAX_ADDR)
return -ENXIO;
so each MCU assert/deassert silently fails with -ENXIO, which seems
to contradict the commit message:
so every firmware load or MCU restart on AN8811HB correctly
sequences the reset control registers.
Should an8811hb_probe() reject configurations where
phydev->mdio.addr + EN8811H_PBUS_ADDR_OFFS >= PHY_MAX_ADDR, or
otherwise enforce the assumed strap-pin constraint?
--
pw-bot: cr
prev parent reply other threads:[~2026-05-20 23:54 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-17 6:50 [PATCH v5] net: phy: air_en8811h: add AN8811HB MCU assert/deassert support Lucien.Jheng
2026-05-20 23:54 ` Jakub Kicinski [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260520165424.5e61d5d9@kernel.org \
--to=kuba@kernel.org \
--cc=albert-al.lee@airoha.com \
--cc=andrew@lunn.ch \
--cc=bjorn@mork.no \
--cc=daniel@makrotopia.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=ericwouds@gmail.com \
--cc=frank-w@public-files.de \
--cc=hkallweit1@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=lucien.jheng@airoha.com \
--cc=lucienzx159@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox