On 6/7/23 14:32, Andrew Lunn wrote:
>> There is no trigger being configured for either LED therefore it is not
>> clear to me why the workqueue is being kicked in the first place?
>
> Since setting LEDs is a sleepable action, it gets offloaded to a
> workqueue.
>
> My guess is, something in led_classdev_unregister() is triggering it,
> maybe to put the LED into a known state before pulling the
> plug. However, I don't see what.
>
> I'm also wondering about ordering. The LED is registered with
> devm_led_classdev_register_ext(). So maybe led_classdev_unregister()
> is getting called too late? So maybe we need to replace devm_ with
> manual cleanup.
>
> However, I've done lots of reboots while developing this code, so it's
> interesting you can trigger this, and I've not seen it.

led_brightness_set is the member of phydev->drv which has become NULL:

(gdb) print /x (int)&((struct phy_driver *)0)->led_brightness_set
$1 = 0x1f0

so this would indeed look like a use-after-free here. If you tested
with a PHYLINK enabled driver you might not have seen it due to
phylink_disconnect_phy() being called with RTNL held?
--
Florian