Re: NPD in phy_led_set_brightness+0x3c

On 6/7/23 18:30, Andrew Lunn wrote:
>> (gdb) print /x (int)&((struct phy_driver *)0)->led_brightness_set
>> $1 = 0x1f0
>>
>> so this would indeed look like a use-after-free here. If you tested with a
>> PHYLINK enabled driver you might have not seen it due to
>> phylink_disconnect_phy() being called with RTNL held?
>
> Yes, I've been testing with mvneta, which is phylink.

Humm, this is really puzzling because we have the below call trace as to where we call schedule_work() which is in led_set_brightness_nopm() however we have led_classdev_unregister() call flush_work() to ensure the workqueue completed. Is there something else in that call stack that prevents the system workqueue from running?

[  280.663384] ------------[ cut here ]------------
[  280.668038] WARNING: CPU: 3 PID: 1497 at drivers/leds/led-core.c:333 led_set_brightness_nopm+0x68/0xf8
[  280.677378] Modules linked in: bdc udc_core
[  280.681585] CPU: 3 PID: 1497 Comm: reboot Not tainted 6.4.0-rc5-next-20230607-g27d73db94b91 #94
[  280.690304] Hardware name: BCM972180HB_V20 (DT)
[  280.694845] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[  280.701824] pc : led_set_brightness_nopm+0x68/0xf8
[  280.706628] lr : led_set_brightness_nosleep+0x2c/0x38
[  280.711691] sp : ffffffc082ddb7b0
[  280.715012] x29: ffffffc082ddb7b0 x28: ffffff8007a55780 x27: 0000000000000000
[  280.722168] x26: ffffff8002fdcc90 x25: 0000000000000001 x24: 0000000000000000
[  280.729323] x23: ffffff8002e6b000 x22: ffffffc082ddb898 x21: ffffffc080c4b676
[  280.736480] x20: ffffff800792b990 x19: ffffff800792b898 x18: 0000000000000000
[  280.743636] x17: 74656e2f74656e72 x16: 656874652e303030 x15: 303066382f626472
[  280.750791] x14: ffffff8004a6ccd8 x13: 6e69622f7273752f x12: 0000000000000000
[  280.757948] x11: ffffff8002d1c710 x10: ffffff8002e6b2a0 x9 : ffffffc0807ad6c0
[  280.765103] x8 : ffffffc080595964 x7 : ffffffc08059550c x6 : ffffff8002e6b2a0
[  280.772258] x5 : 0000000000000000 x4 : ffffff800792b8b0 x3 : ffffff800792b8b0
[  280.779414] x2 : ffffff800792b898 x1 : 0000000000000000 x0 : 0000000000000040
[  280.786570] Call trace:
[  280.789021]  led_set_brightness_nopm+0x68/0xf8
[  280.793476]  led_set_brightness_nosleep+0x2c/0x38
[  280.798192]  led_set_brightness+0x9c/0xa0
[  280.802210]  led_classdev_unregister+0x78/0xd0
[  280.806665]  devm_led_classdev_release+0x18/0x20
[  280.811294]  release_nodes+0x70/0x84
[  280.814884]  devres_release_all+0xa0/0xd4
[  280.818905]  device_unbind_cleanup+0x1c/0x60
[  280.823189]  device_release_driver_internal+0xa8/0x128
[  280.828341]  device_release_driver+0x1c/0x24
[  280.832622]  bus_remove_device+0x108/0x12c
[  280.836731]  device_del+0x194/0x2ec
[  280.840230]  phy_device_remove+0x1c/0x3c
[  280.844167]  phy_mdio_device_remove+0x14/0x1c
[  280.848537]  mdiobus_unregister+0x6c/0xa0
[  280.852560]  unimac_mdio_remove+0x20/0x4c
[  280.856582]  platform_remove+0x50/0x68
[  280.860342]  device_remove+0x50/0x74
[  280.863929]  device_release_driver_internal+0x80/0x128
[  280.869079]  device_release_driver+0x1c/0x24
[  280.873360]  bus_remove_device+0x108/0x12c
[  280.877471]  device_del+0x194/0x2ec
[  280.880969]  platform_device_del+0x2c/0x90
[  280.885077]  platform_device_unregister+0x1c/0x30
[  280.889793]  bcmgenet_mii_exit+0x40/0x4c
[  280.893728]  bcmgenet_remove+0x2c/0x44
[  280.897489]  bcmgenet_shutdown+0x14/0x1c
[  280.901422]  platform_shutdown+0x28/0x34
[  280.905355]  device_shutdown+0x158/0x1d8
[  280.909290]  kernel_restart_prepare+0x3c/0x44
[  280.913661]  kernel_restart+0x1c/0x7c
[  280.917332]  __do_sys_reboot+0x170/0x1f4
[  280.921265]  __arm64_sys_reboot+0x24/0x2c
[  280.925286]  invoke_syscall+0x80/0x114
[  280.929047]  el0_svc_common.constprop.1+0xb8/0xe4
[  280.933762]  do_el0_svc+0x90/0x9c
[  280.937086]  el0_svc+0x1c/0x44
[  280.940154]  el0t_64_sync_handler+0x100/0x150
[  280.944524]  el0t_64_sync+0x14c/0x150
[  280.948198] ---[ end trace 0000000000000000 ]---
[  280.952885] Unable to handle kernel NULL pointer dereference at virtual address 00000000000001f0
[  280.961697] Mem abort info:
[  280.964502]   ESR = 0x0000000096000005
[  280.968264]   EC = 0x25: DABT (current EL), IL = 32 bits
[  280.973594]   SET = 0, FnV = 0
[  280.976661]   EA = 0, S1PTW = 0
[  280.979815]   FSC = 0x05: level 1 translation fault
[  280.984708] Data abort info:
[  280.987600]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[  280.993101]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[  280.998170]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[  281.003500] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000045cde000
[  281.009960] [00000000000001f0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[  281.018691] Internal error: Oops: 0000000096000005 [#1] SMP
[  281.024280] Modules linked in: bdc udc_core
[  281.028480] CPU: 3 PID: 817 Comm: kworker/3:2 Tainted: G W 6.4.0-rc5-next-20230607-g27d73db94b91 #94
[  281.039024] Hardware name: BCM972180HB_V20 (DT)
[  281.043565] Workqueue: events set_brightness_delayed
[  281.048543] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[  281.055520] pc : phy_led_set_brightness+0x3c/0x68
[  281.060238] lr : phy_led_set_brightness+0x30/0x68
[  281.064955] sp : ffffffc0845bbd20
[  281.068276] x29: ffffffc0845bbd20 x28: 0000000000000000 x27: 0000000000000000
[  281.075432] x26: 0000000000000000 x25: 0000000000000000 x24: ffffff807dbcc40d
[  281.082587] x23: ffffff800792b960 x22: 0000000000000000 x21: ffffff800792b880
[  281.089743] x20: ffffff8002e6b520 x19: ffffff8002e6b000 x18: 0000000000000000
[  281.096899] x17: 74656e2f74656e72 x16: 656874652e303030 x15: 303066382f626472
[  281.104054] x14: ffffff8004a6ccd8 x13: 6e69622f7273752f x12: 0000000000000000
[  281.111209] x11: ffffff8002d1c710 x10: 0000000000000870 x9 : ffffffc080663bd0
[  281.118364] x8 : ffffff80065f1a80 x7 : fefefefefefefeff x6 : 000073746e657665
[  281.125519] x5 : ffffff80065f1a80 x4 : 0000000000000000 x3 : 0000000000000000
[  281.132676] x2 : 0000000000000000 x1 : 0000000000000001 x0 : 0000000000000000
[  281.139831] Call trace:
[  281.142283]  phy_led_set_brightness+0x3c/0x68
[  281.146652]  set_brightness_delayed_set_brightness+0x44/0x7c
[  281.152328]  set_brightness_delayed+0xc4/0x1a4
[  281.156783]  process_one_work+0x1c0/0x284
[  281.160806]  process_scheduled_works+0x44/0x48
[  281.165263]  worker_thread+0x1e8/0x264
[  281.169023]  kthread+0xcc/0xdc
[  281.172089]  ret_from_fork+0x10/0x20
[  281.175678] Code: 940edf9f f941a660 2a1603e2 3946c2a1 (f940f803)
[  281.181786] ---[ end trace 0000000000000000 ]---

--
Florian
