tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

net: dsa: mv88e6xxx: propperly shutdown PPU re-enable timer on destroy

The mv88e6xxx has an internal PPU that polls PHY state. If we want to
access the internal PHYs, we need to disable the PPU first. Because
that is a slow operation, a 10ms timer is used to re-enable it,
canceled with every access, so bulk operations effectively only
disable it once and re-enable it some 10ms after the last access.

If a PHY is accessed and then the mv88e6xxx module is removed before
the 10ms are up, the PPU re-enable ends up accessing a dangling pointer.

This especially affects probing during bootup. The MDIO bus and PHY
registration may succeed, but registration with the DSA framework
may fail later on (e.g. because the CPU port depends on another,
very slow device that isn't done probing yet, returning -EPROBE_DEFER).
In this case, probe() fails, but the MDIO subsystem may already have
accessed the MIDO bus or PHYs, arming the timer.

This is fixed as follows:
- If probe fails after mv88e6xxx_phy_init(), make sure we also call
mv88e6xxx_phy_destroy() before returning
- In mv88e6xxx_remove(), make sure we do the teardown in the correct
order, calling mv88e6xxx_phy_destroy() after unregistering the
switch device.
- In mv88e6xxx_phy_destroy(), destroy both the timer and the work item
that the timer might schedule, synchronously waiting in case one of
the callbacks already fired and destroying the timer first, before
waiting for the work item.
- Access to the PPU is guarded by a mutex, the worker acquires it
with a mutex_trylock(), not proceeding with the expensive shutdown
if that fails. We grab the mutex in mv88e6xxx_phy_destroy() to make
sure the slow PPU shutdown is already done or won't even enter, when
we wait for the work item.

Fixes: 2e5f032095ff ("dsa: add support for the Marvell 88E6131 switch chip")
Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
Link: https://patch.msgid.link/20250401135705.92760-1-david.oberhollenzer@sigma-star.at
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

David Oberhollenzer and committed by
Jakub Kicinski a58d8828 40eb4a04

+10 -4
+7 -4
drivers/net/dsa/mv88e6xxx/chip.c
··· 7350 7350 err = mv88e6xxx_switch_reset(chip); 7351 7351 mv88e6xxx_reg_unlock(chip); 7352 7352 if (err) 7353 - goto out; 7353 + goto out_phy; 7354 7354 7355 7355 if (np) { 7356 7356 chip->irq = of_irq_get(np, 0); 7357 7357 if (chip->irq == -EPROBE_DEFER) { 7358 7358 err = chip->irq; 7359 - goto out; 7359 + goto out_phy; 7360 7360 } 7361 7361 } 7362 7362 ··· 7375 7375 mv88e6xxx_reg_unlock(chip); 7376 7376 7377 7377 if (err) 7378 - goto out; 7378 + goto out_phy; 7379 7379 7380 7380 if (chip->info->g2_irqs > 0) { 7381 7381 err = mv88e6xxx_g2_irq_setup(chip); ··· 7409 7409 mv88e6xxx_g1_irq_free(chip); 7410 7410 else 7411 7411 mv88e6xxx_irq_poll_free(chip); 7412 + out_phy: 7413 + mv88e6xxx_phy_destroy(chip); 7412 7414 out: 7413 7415 if (pdata) 7414 7416 dev_put(pdata->netdev); ··· 7433 7431 mv88e6xxx_ptp_free(chip); 7434 7432 } 7435 7433 7436 - mv88e6xxx_phy_destroy(chip); 7437 7434 mv88e6xxx_unregister_switch(chip); 7438 7435 7439 7436 mv88e6xxx_g1_vtu_prob_irq_free(chip); ··· 7445 7444 mv88e6xxx_g1_irq_free(chip); 7446 7445 else 7447 7446 mv88e6xxx_irq_poll_free(chip); 7447 + 7448 + mv88e6xxx_phy_destroy(chip); 7448 7449 } 7449 7450 7450 7451 static void mv88e6xxx_shutdown(struct mdio_device *mdiodev)
+3
drivers/net/dsa/mv88e6xxx/phy.c
··· 229 229 230 230 static void mv88e6xxx_phy_ppu_state_destroy(struct mv88e6xxx_chip *chip) 231 231 { 232 + mutex_lock(&chip->ppu_mutex); 232 233 del_timer_sync(&chip->ppu_timer); 234 + cancel_work_sync(&chip->ppu_work); 235 + mutex_unlock(&chip->ppu_mutex); 233 236 } 234 237 235 238 int mv88e6185_phy_ppu_read(struct mv88e6xxx_chip *chip, struct mii_bus *bus,