On Fri, Jun 1, 2018 at 7:03 PM, Srinivas Kandagatla <srinivas.kandagatla@xxxxxxxxxx> wrote:
> Immediately after the platform_device_unregister() the device will be cleaned up.
> Accessing the freed pointer immediately after that will crash the system.
>
> Found this bug when kernel is built with CONFIG_PAGE_POISONING and testing
> loading/unloading audio drivers in a loop on Qcom platforms.

Curious, does the unittest not catch this too?

>
> Fix this by removing accessing the dev pointer.
> Below is the carsh trace:

s/carsh/crash/

[...]

> diff --git a/drivers/of/platform.c b/drivers/of/platform.c
> index c00d81dfac0b..84c5c899187b 100644
> --- a/drivers/of/platform.c
> +++ b/drivers/of/platform.c
> @@ -529,10 +529,13 @@ arch_initcall_sync(of_platform_default_populate_init);
>
> int of_platform_device_destroy(struct device *dev, void *data)
> {
> + struct device_node *np;
> +
> /* Do not touch devices not populated from the device tree */
> if (!dev->of_node || !of_node_check_flag(dev->of_node, OF_POPULATED))
> return 0;
>
> + np = dev->of_node;
> /* Recurse for any nodes that were treated as busses */
> if (of_node_check_flag(dev->of_node, OF_POPULATED_BUS))
> device_for_each_child(dev, NULL, of_platform_device_destroy);
> @@ -544,8 +547,8 @@ int of_platform_device_destroy(struct device *dev, void *data)
> amba_device_unregister(to_amba_device(dev));
> #endif
>
> - of_node_clear_flag(dev->of_node, OF_POPULATED);
> - of_node_clear_flag(dev->of_node, OF_POPULATED_BUS);

Just move these 2 lines to before unregister calls.

> + of_node_clear_flag(np, OF_POPULATED);
> + of_node_clear_flag(np, OF_POPULATED_BUS);
> return 0;
> }
> EXPORT_SYMBOL_GPL(of_platform_device_destroy);
> --
> 2.16.2
>
--
To unsubscribe from this list: send the line "unsubscribe linux-arm-msm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
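Review bot: in the first hunk (@@ -529,10 +529,13 @@) `np = dev->of_node;` copies a raw pointer without taking a reference on the node, so whether `np` is still safe to touch after the device has been unregistered and released depends on the caller holding its own reference to that device_node; the hunk itself gives no such guarantee. A comment at the assignment stating that assumption, or holding a reference across the unregister calls, would make the lifetime explicit to the next reader.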
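Review bot: the second hunk (@@ -544,8 +547,8 @@) keeps the two flag-clearing calls after `amba_device_unregister(to_amba_device(dev));` and the `#endif`, which is the only reason the saved `np` is needed. Moving `of_node_clear_flag(dev->of_node, OF_POPULATED);` and `of_node_clear_flag(dev->of_node, OF_POPULATED_BUS);` above the unregister block, as the inline reply suggests, removes the extra local and clears the flags while `dev` is certainly still alive; the only ordering change is that the flags are cleared before teardown rather than after, which would only matter if something in the unregister path re-checked OF_POPULATED on that node.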