From nobody Tue Dec 30 12:49:30 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B2AE7C197A0 for ; Thu, 16 Nov 2023 11:10:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345119AbjKPLKB (ORCPT ); Thu, 16 Nov 2023 06:10:01 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44518 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345095AbjKPLJw (ORCPT ); Thu, 16 Nov 2023 06:09:52 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DFBB6D5E for ; Thu, 16 Nov 2023 03:09:46 -0800 (PST) Received: by smtp.kernel.org (Postfix) with ESMTPSA id AB33BC433C9; Thu, 16 Nov 2023 11:09:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1700132986; bh=raNlC7mrg2U1+Ov9wD9k3ulfQ5++HiMipSCqEUSd0ps=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=H7msaxSJtY7XzfGBAnzqpYomoYWyfJtUrleurQwz6tUaxdw8lTJE1j5Y9U8h/lifh 1idk7gqSwGmAMvolZlv/8LM2XIGgQEjcGVJno+zPdhkIuQiAv0++/u5B+fjm19SQDa z/XvVDW/viuMsKSmyq5qtzrSWoxLBbDvrRVogEAHCw0oMjyCGal64HTD14TEA4xPqJ /tS8lNO3p3TxWchxd60yiTs/qJhavMBk2V8qtcRMG+bjOFqko2cBNAFbe0M2OB8rhV kwy8+tGGcPHdGVPtkPGPcJlVMIT5XJGWQ7tnSdykn061bgUY+ZIqtbMDD+eAz9qGYu TJP01TTVz73RA== From: Roger Quadros To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com Cc: vladimir.oltean@nxp.com, s-vadapalli@ti.com, r-gunasekaran@ti.com, vigneshr@ti.com, srk@ti.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Roger Quadros Subject: [PATCH net 2/2] net: ti: am65-cpsw-nuss: Fix NULL pointer dereference at module removal Date: Thu, 16 Nov 2023 13:09:30 +0200 Message-Id: <20231116110930.36244-3-rogerq@kernel.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231116110930.36244-1-rogerq@kernel.org> References: <20231116110930.36244-1-rogerq@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" The NULL pointer derefernce error seems to come from the list_for_each_entry_safe() helper in free_netdev(). It looks like the napi pointers are stale contents but I coudn't figure out why. An easy fix is to not use the devm variant of alloc_etherdev_mqs() and call free_netdev() ourselves at .remove(). Gets rid of below NULL pointer dereference at module removal. [ 19.954962] Unable to handle kernel NULL pointer dereference at virtual = address 0000000000000000 [ 19.963798] Mem abort info: [ 19.966582] ESR =3D 0x0000000096000006 [ 19.970343] EC =3D 0x25: DABT (current EL), IL =3D 32 bits [ 19.975660] SET =3D 0, FnV =3D 0 [ 19.978709] EA =3D 0, S1PTW =3D 0 [ 19.981850] FSC =3D 0x06: level 2 translation fault [ 19.986726] Data abort info: [ 19.989606] ISV =3D 0, ISS =3D 0x00000006, ISS2 =3D 0x00000000 [ 19.995116] CM =3D 0, WnR =3D 0, TnD =3D 0, TagAccess =3D 0 [ 20.000174] GCS =3D 0, Overlay =3D 0, DirtyBit =3D 0, Xs =3D 0 [ 20.005486] user pgtable: 4k pages, 48-bit VAs, pgdp=3D0000000083f69000 [ 20.011925] [0000000000000000] pgd=3D08000000855b8003, p4d=3D08000000855= b8003, pud=3D08000000855b9003, pmd=3D0000000000000000 [ 20.022538] Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP [ 20.028792] Modules linked in: overlay xhci_plat_hcd cfg80211 rfkill dwc= 3 snd_soc_hdmi_codec snd_soc_simple_card crct10dif_ce snd_soc_simple_card_u= tils rtc_ti_k3 dwc3_am62 k3_j72xx_bandgap rti_wdt tidss ti_am65_cpsw_nuss(-= ) snd_soc_d6 [ 20.072087] CPU: 2 PID: 675 Comm: modprobe Not tainted 6.6.0-15864-g2888= b90a5073 #540 [ 20.079902] Hardware name: Texas Instruments AM625 SK (DT) [ 20.085375] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE= =3D--) [ 20.092323] pc : free_netdev+0xac/0x190 [ 20.096162] lr : free_netdev+0xa4/0x190 [ 20.099988] sp : ffff8000827c3bd0 [ 20.103291] x29: ffff8000827c3bd0 x28: ffff0000044263c0 x27: 00000000000= 00000 [ 20.110417] x26: 0000000000000000 x25: 0000000000000000 x24: ffff000000d= bdab8 [ 20.117542] x23: ffff000000dbdac0 x22: ffff000000dbd810 x21: ffff000003d= fb050 [ 20.124667] x20: ffff000003dfb000 x19: fffffffffffffe98 x18: 00000000000= 00000 [ 20.131791] x17: 0000000000000000 x16: 0000000000000000 x15: 00000000000= 00000 [ 20.138916] x14: 000000000000027d x13: 0000000000000000 x12: 00000000000= 00001 [ 20.146040] x11: 0000000000000000 x10: 00000000000009b0 x9 : ffff8000827= c3910 [ 20.153165] x8 : ffff000004426dd0 x7 : ffff000003c9c880 x6 : ffff000003c= 9c800 [ 20.160290] x5 : 00000000410fd030 x4 : 0000000000000000 x3 : 00000000000= 00001 [ 20.167415] x2 : 0000000000000000 x1 : 0000000000000000 x0 : fffffffffff= ffe98 [ 20.174540] Call trace: [ 20.176978] free_netdev+0xac/0x190 [ 20.180459] devm_free_netdev+0x14/0x20 [ 20.184291] release_nodes+0x3c/0x68 [ 20.187863] devres_release_all+0x8c/0xdc [ 20.191868] device_unbind_cleanup+0x18/0x68 [ 20.196128] device_release_driver_internal+0xf8/0x178 [ 20.201255] driver_detach+0x50/0x9c [ 20.204822] bus_remove_driver+0x6c/0xbc [ 20.208735] driver_unregister+0x30/0x60 [ 20.212650] platform_driver_unregister+0x14/0x20 [ 20.217344] am65_cpsw_nuss_driver_exit+0x18/0xcc4 [ti_am65_cpsw_nuss] [ 20.223887] __arm64_sys_delete_module+0x17c/0x25c [ 20.228673] invoke_syscall+0x44/0x104 [ 20.232419] el0_svc_common.constprop.0+0xc0/0xe0 [ 20.237114] do_el0_svc+0x1c/0x28 [ 20.240423] el0_svc+0x34/0xb8 [ 20.243474] el0t_64_sync_handler+0xc0/0xc4 [ 20.247649] el0t_64_sync+0x190/0x194 [ 20.251309] Code: 97fffdee 97fffaf9 9105a261 aa1303e0 (f940b673) [ 20.257390] ---[ end trace 0000000000000000 ]--- Signed-off-by: Roger Quadros --- drivers/net/ethernet/ti/am65-cpsw-nuss.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/etherne= t/ti/am65-cpsw-nuss.c index cbbede094b2c..830c0c1825d9 100644 --- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c +++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c @@ -2149,10 +2149,9 @@ am65_cpsw_nuss_init_port_ndev(struct am65_cpsw_commo= n *common, u32 port_idx) return 0; =20 /* alloc netdev */ - port->ndev =3D devm_alloc_etherdev_mqs(common->dev, - sizeof(struct am65_cpsw_ndev_priv), - AM65_CPSW_MAX_TX_QUEUES, - AM65_CPSW_MAX_RX_QUEUES); + port->ndev =3D alloc_etherdev_mqs(sizeof(struct am65_cpsw_ndev_priv), + AM65_CPSW_MAX_TX_QUEUES, + AM65_CPSW_MAX_RX_QUEUES); if (!port->ndev) { dev_err(dev, "error allocating slave net_device %u\n", port->port_id); @@ -2266,6 +2265,8 @@ static void am65_cpsw_nuss_cleanup_ndev(struct am65_c= psw_common *common) port =3D &common->ports[i]; if (port->ndev && port->ndev->reg_state =3D=3D NETREG_REGISTERED) unregister_netdev(port->ndev); + + free_netdev(port->ndev); } } =20 --=20 2.34.1