On Thu, Jun 08, 2023 at 10:33:30AM -0700, Florian Fainelli wrote:
> On 6/7/23 18:30, Andrew Lunn wrote:
> > > (gdb) print /x (int)&((struct phy_driver *)0)->led_brightness_set
> > > $1 = 0x1f0
> > >
> > > so this would indeed look like a use-after-free here. If you tested with a
> > > PHYLINK enabled driver you might not have seen it due to
> > > phylink_disconnect_phy() being called with RTNL held?
> >
> > Yes, I've been testing with mvneta, which is phylink.
>
> Humm, this is really puzzling because we have the below call trace as to
> where we call schedule_work() which is in led_set_brightness_nopm() however
> we have led_classdev_unregister() call flush_work() to ensure the workqueue
> completed. Is there something else in that call stack that prevents the
> system workqueue from running?

Has phy_remove() already been called? Last thing it does is:

	phydev->drv = NULL;

This is one of the differences between my system and yours. With mvneta,
the mdio bus driver is an independent device. You have a combined MAC and
MDIO bus driver.

	Andrew