lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <da4f0506-50c9-45a1-8c28-001b0672ef52@lunn.ch>
Date: Thu, 29 Jan 2026 14:06:52 +0100
From: Andrew Lunn <andrew@...n.ch>
To: Jacky Chou <jacky_chou@...eedtech.com>
Cc: Simon Horman <horms@...nel.org>,
	"davem@...emloft.net" <davem@...emloft.net>,
	"edumazet@...gle.com" <edumazet@...gle.com>,
	"andrew+netdev@...n.ch" <andrew+netdev@...n.ch>,
	"kuba@...nel.org" <kuba@...nel.org>,
	"pabeni@...hat.com" <pabeni@...hat.com>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: [net-next,v2,09/15] net: ftgmac100: Always register the MDIO bus
 when it exists

On Thu, Jan 29, 2026 at 06:07:20AM +0000, Jacky Chou wrote:
> > > > > > +	if (priv->mac_id == FTGMAC100_FARADAY ||
> > > > > > +	    priv->mac_id == FTGMAC100_AST2400 ||
> > > > > > +	    priv->mac_id == FTGMAC100_AST2500) {
> > > > > > +		err = ftgmac100_setup_mdio(netdev);
> > > > > > +		if (err)
> > > > > > +			goto err_phy_connect;
> > > > > > +	}
> > > > >
> > > > > If ftgmac100_setup_mdio() fails after of_mdiobus_register()
> > > > > returns an error, it calls mdiobus_free(priv->mii_bus) but does
> > > > > not set
> > > > > priv->mii_bus to NULL. The goto err_phy_connect then leads to
> > > > > ftgmac100_destroy_mdio() which checks if (!priv->mii_bus) but
> > > > > finds a dangling pointer, resulting in mdiobus_unregister() on
> > > > > freed memory
> > > > followed by a double free.
> > 
> > I took another look at this. The goto err_phy_connect is wrong.  At this point,
> > if there is an error nothing else needs cleaning up, so the goto should be
> > replaced with a return err;
> > 
> 
> Agreed.
> When ftgmac100_setup_mdio() fails, the MDIO bus is not registered and the
> probe function returns an error immediately.
> 
> > It is not however the full solution. If ftgmac100_probe_ncsi() fails, it jumps to
> > err_setup_mdio, which currently just does a return, leaking the mdiobus. The
> > ftgmac100_destroy_mdio() call needs moving after the err_setup_mdio: label.
> > 
> 
> In NC-SI mode, MDIO is not required.
> Therefore, always registering the MDIO bus is redundant when the interface
> operates in NC-SI mode.

But it physically exists, and in theory, you could make use of it,
hang an Ethernet switch off it, etc. Linux does not care what MDIO bus
a switch, or a PHY uses. It does not need to be the one directly
associated to the MAC. The 2700 has MDIO in its own address space, its
own driver, with its own life cycle, etc.

This series is all about making probe simpler, ready to make it more
complex again to sort out the problems with RGMII delays. Always
registering the bus just helps reduces the complexity.

	Andrew

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ