Message-ID: <aLb6puGVzR29GpPx@shell.armlinux.org.uk>
Date: Tue, 2 Sep 2025 15:09:42 +0100
From: "Russell King (Oracle)" <linux@...linux.org.uk>
To: Vladimir Oltean <vladimir.oltean@....com>
Cc: netdev@...r.kernel.org, Andrew Lunn <andrew@...n.ch>,
	Heiner Kallweit <hkallweit1@...il.com>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH net] net: phy: transfer phy_config_inband() locking
 responsibility to phylink

On Tue, Sep 02, 2025 at 04:41:41PM +0300, Vladimir Oltean wrote:
> diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c
> index c7f867b361dd..350905928d46 100644
> --- a/drivers/net/phy/phylink.c
> +++ b/drivers/net/phy/phylink.c
> @@ -1580,10 +1585,13 @@ static void phylink_resolve(struct work_struct *w)
>  {
>  	struct phylink *pl = container_of(w, struct phylink, resolve);
>  	struct phylink_link_state link_state;
> +	struct phy_device *phy = pl->phydev;
>  	bool mac_config = false;
>  	bool retrigger = false;
>  	bool cur_link_state;
>  
> +	if (phy)
> +		mutex_lock(&phy->lock);
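
Review bot: the initializer `struct phy_device *phy = pl->phydev;` loads
the pointer before any lock is taken in the lines shown, and
`mutex_lock(&phy->lock)` then dereferences it, so nothing in this hunk
keeps the phy_device alive between the load and the lock. Either read
pl->phydev under a lock that serializes with PHY attach and detach, or
hold a reference across the resolver, and add a comment stating which
guarantee this path relies on. The matching unlock is not visible in
this hunk; it should test the local `phy` rather than re-reading
pl->phydev.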

I don't think this is safe.

The addition and removal of PHYs is protected by two locks:

1. RTNL, to prevent ethtool operations running concurrently with the
   addition or removal of PHYs.

2. The state_mutex which protects the resolver which doesn't take the
   RTNL.

Given that the RTNL is not held in this path, dereferencing pl->phydev
is unsafe as the PHY may go away (through e.g. SFP module removal)
which means this mutex_lock() may end up operating on freed memory.

I'm not sure we want to be taking the RTNL on this path.

At the moment, I'm not sure what the solution is here.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
