[{"id":3687573,"web_url":"http://patchwork.ozlabs.org/comment/3687573/","msgid":"<20260507080004.AEE22C2BCC7@smtp.kernel.org>","list_archive_url":null,"date":"2026-05-07T08:00:04","subject":"Re: [PATCH v8 phy-next 16/31] usb: host: tegra: avoid direct\n dereference of phy->dev.of_node","submitter":{"id":93311,"url":"http://patchwork.ozlabs.org/api/people/93311/","name":null,"email":"sashiko-bot@kernel.org"},"content":"Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:\n- [High] This problem wasn't introduced by this patch, but a single `struct notifier_block` instance (`tegra->id_nb`) is registered to multiple USB PHY instances in a loop, causing linked list corruption.\n- [High] This problem wasn't introduced by this patch, but the devm-managed USB PHY notifier unregistration happens after driver remove, allowing `tegra->id_work` to be scheduled after it is canceled.\n--\n\ncommit dc45b6840f6afd2c371e491c07e3f59d5e2f3937\nAuthor: Vladimir Oltean <vladimir.oltean@nxp.com>\n\nusb: host: tegra: avoid direct dereference of phy->dev.of_node\n\nThis commit modifies the Tegra XHCI driver to use a parallel lookup path\nusing the 'phys' phandle to obtain the OF node, avoiding direct\ndereferencing of phy->dev.of_node as the generic PHY subsystem moves to\nopaque pointers.\n\n> diff --git a/drivers/usb/host/xhci-tegra.c b/drivers/usb/host/xhci-tegra.c\n> index d2214d309e965..6724a777ca2ac 100644\n> --- a/drivers/usb/host/xhci-tegra.c\n> +++ b/drivers/usb/host/xhci-tegra.c\n> 
@@ -1504,23 +1505,34 @@ static int tegra_xusb_init_usb_phy(struct tegra_xusb *tegra)\n>  \ttegra->otg_usb3_port = -EINVAL;\n>  \n>  \tfor (i = 0; i < tegra->num_usb_phys; i++) {\n\n[ ... ]\n\n> +\t\terr = of_parse_phandle_with_args(np, \"phys\", \"#phy-cells\",\n> +\t\t\t\t\t\t index, &args);\n> +\t\tif (err)\n> +\t\t\tcontinue;\n> +\n> +\t\tusbphy = devm_usb_get_phy_by_node(tegra->dev, args.np,\n> +\t\t\t\t\t\t  &tegra->id_nb);\n\nThis problem wasn't introduced by this patch, but does passing the same\n&tegra->id_nb instance to multiple USB PHYs in this loop cause a linked list\ncorruption?\n\nA struct notifier_block has a single next pointer used to maintain the linked\nlist. Registering the exact same block to multiple different PHY notifier\nchains simultaneously could overwrite its next pointer, cross-linking and\ncorrupting the notifier lists.\n\nAdditionally, is there a risk of a use-after-free during driver removal due\nto how this notifier is managed?\n\nBecause devm_usb_get_phy_by_node() uses devres to manage the PHY and its\nnotifier block, devres cleanup (which unregisters the notifier) runs after\nthe driver's remove() function returns.\n\nIf the notifier callback tegra_xhci_id_notify() schedules tegra->id_work,\ncould a hardware event fire after cancel_work_sync(&tegra->id_work) is\ncalled in remove(), but before devres unregisters the notifier?\n\nIf so, the still-registered callback might execute and re-queue\ntegra->id_work on freed memory.","headers":{"Return-Path":"\n <linux-pci+bounces-54055-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-pci@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=jdWJNOdu;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) 
smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=linux-pci+bounces-54055-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=\"jdWJNOdu\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4gB4Rq52l0z1yCg\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 07 May 2026 18:00:23 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 0FDB03030115\n\tfor <incoming@patchwork.ozlabs.org>; Thu,  7 May 2026 08:00:16 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 2DCD037B3E4;\n\tThu,  7 May 2026 08:00:07 +0000 (UTC)","from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org\n [10.30.226.201])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 2B6F037EFE9\n\tfor <linux-pci@vger.kernel.org>; Thu,  7 May 2026 08:00:05 +0000 (UTC)","by smtp.kernel.org (Postfix) with ESMTPSA id AEE22C2BCC7;\n\tThu,  7 May 2026 08:00:04 +0000 (UTC)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1778140805; cv=none;\n b=exQoNetq9HOryqH5xwACY34hWj/0kW/8iQUvvDUnUcCvxImeLa8daGxAzqkY4T3WFS2XbWdoEk06ji4QKRckEuZkaTrVsP97WnJx5x/GtBj/aD7k6xQnWvDQNBgiHFdjlUIFhuBjQDR1V2V9rJpx5DLrW5SxUFJG3ipJHL5DbPE=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1778140805; 
c=relaxed/simple;\n\tbh=2sdcOrpVOtgCmnA1ifJT86GNPYBGpN3WZxX/hEB7aZA=;\n\th=From:Subject:To:Cc:In-Reply-To:References:Content-Type:Date:\n\t Message-Id;\n b=X6WPkrFjq4qsPlXFELuPhaTfq3MQtZse/W1uXAy5prupbUh8GIjsjfOzAt7KOV20L/MpuxS4X2Y6YCiRgbmMsfghRc6h6wXP3A20cBMK3r8mlNK+fB7MG5hFZdRZDHfqg9kXv3L9/dRCqCzR9D6/nvzaXiaLYVSMfuBUOOioUJs=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=jdWJNOdu; arc=none smtp.client-ip=10.30.226.201","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;\n\ts=k20201202; t=1778140804;\n\tbh=2sdcOrpVOtgCmnA1ifJT86GNPYBGpN3WZxX/hEB7aZA=;\n\th=From:Subject:Reply-To:To:Cc:In-Reply-To:References:Date:From;\n\tb=jdWJNOduZSi8llRb+VyIBtZGJ4BYlhs1Qsb5U1OVLGZ5sQ4DGwwpMFRk4h9aiwXuE\n\t QZ5PH6BOmZmKQpUlZqa2Nwjqn9Xp57GK/cRtIfccWcCx9vyoIzKrztafi+5KywFViu\n\t 4RiuQJ/gStQcQGI9yG1Guy58EKR1aYaItlSBgJ28fW7nou6dnX/ynQAFCL6V/Ae/Kr\n\t e2TK50DwHfiP9iU5jdZOK0IEIPEIepSnasQTS/A3QByc5GymxuN8UAAaAXqS11MDJs\n\t rIpHjz3o9U7edROmrYXDe9dY+7DjenrqDAy80TWXhyKRTAIHiWev+tdhs1it8Utucz\n\t bR5zt05uBvseg==","From":"sashiko-bot@kernel.org","Subject":"Re: [PATCH v8 phy-next 16/31] usb: host: tegra: avoid direct\n dereference of phy->dev.of_node","Reply-To":"sashiko@lists.linux.dev","To":"\"Vladimir Oltean\" <vladimir.oltean@nxp.com>","Cc":"linux-pci@vger.kernel.org, wsa+renesas@sang-engineering.com","In-Reply-To":"<20260505100523.1922388-17-vladimir.oltean@nxp.com>","References":"<20260505100523.1922388-17-vladimir.oltean@nxp.com>","Content-Type":"text/plain; charset=utf-8","Content-Transfer-Encoding":"quoted-printable","Date":"Thu, 07 May 2026 08:00:04 +0000","Message-Id":"<20260507080004.AEE22C2BCC7@smtp.kernel.org>","Precedence":"bulk","X-Mailing-List":"linux-pci@vger.kernel.org","List-Id":"<linux-pci.vger.kernel.org>","List-Subscribe":"<mailto:linux-pci+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-pci+unsubscribe@vger.kernel.org>"}}]
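Review bot: in the tegra_xusb_init_usb_phy() loop, of_parse_phandle_with_args() returns args.np with a reference held, and the visible lines hand it to devm_usb_get_phy_by_node() with no matching of_node_put(args.np). If the elided part of the hunk does not already drop it, call of_node_put(args.np) once the lookup has returned, on both the success and the error path, so the node is not leaked on every iteration. Separately, `if (err) continue;` skips the port silently when its "phys" entry cannot be parsed; a dev_dbg() at that point would make a malformed device tree easier to diagnose.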