[Kernel] Nuvoton NPCM7xx unbind FIU issue

George Hung (洪忠敬) George.Hung at quantatw.com
Wed Apr 28 11:15:04 AEST 2021


Hi Joel,

For kernel v5.x, we found that when we unbind the FIU module for the first time, it causes a kernel warning like this:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 2174 at lib/refcount.c:190 refcount_sub_and_test_checked+0x60/0xbc
refcount_t: underflow; use-after-free.
Modules linked in:
CPU: 0 PID: 2174 Comm: gbs-sysinit.sh Not tainted 5.4.80-ebad8cd-dirty-c46444d #1
Hardware name: NPCM7XX Chip family
Backtrace:
[<b0107c6c>] (dump_backtrace) from [<b0108278>] (show_stack+0x20/0x24)
 r7:000000be r6:60000013 r5:00000000 r4:b0b5c1d8
[<b0108258>] (show_stack) from [<b0796950>] (dump_stack+0x94/0xa8)
[<b07968bc>] (dump_stack) from [<b011755c>] (__warn+0xec/0x108)
 r7:000000be r6:b0429eac r5:00000009 r4:b092c604
[<b0117470>] (__warn) from [<b0117924>] (warn_slowpath_fmt+0xa8/0xcc)
 r7:b0429eac r6:000000be r5:b092c604 r4:b092c670
[<b0117880>] (warn_slowpath_fmt) from [<b0429eac>] (refcount_sub_and_test_checked+0x60/0xbc)
 r8:0000000a r7:eea44c10 r6:ebfc7e04 r5:eedcf800 r4:00000000
[<b0429e4c>] (refcount_sub_and_test_checked) from [<b0429f20>] (refcount_dec_and_test_checked+0x18/0x1c)
 r5:eedcf800 r4:eeddd800
[<b0429f08>] (refcount_dec_and_test_checked) from [<b079c134>] (kobject_put+0x50/0x68)
[<b079c0e4>] (kobject_put) from [<b04b56a8>] (put_device+0x20/0x24)
 r4:eedcf780
[<b04b5688>] (put_device) from [<b0519f3c>] (devm_spi_release_controller+0x24/0x28)
[<b0519f18>] (devm_spi_release_controller) from [<b04c08b0>] (release_nodes+0x84/0xc4)
[<b04c082c>] (release_nodes) from [<b04c17c4>] (devres_release_all+0x5c/0x60)
 r8:eea3b254 r7:b0b43fc0 r6:eea3b210 r5:b0b43fc0 r4:eea44c10
[<b04c1768>] (devres_release_all) from [<b04bb59c>] (__device_release_driver+0x15c/0x210)
 r5:b0b43fc0 r4:eea44c10
[<b04bb440>] (__device_release_driver) from [<b04bc8f4>] (device_driver_detach+0x84/0xa0)
 r9:00000000 r8:00000000 r7:b0b43fc0 r6:eea44c54 r5:eea3b210 r4:eea44c10
[<b04bc870>] (device_driver_detach) from [<b04ba480>] (unbind_store+0xe4/0xf8)
 r7:b0b43fc0 r6:0000000d r5:eea44c10 r4:b0b3e2b0
[<b04ba39c>] (unbind_store) from [<b04b9324>] (drv_attr_store+0x34/0x40)
 r7:ebfc7f68 r6:eba266c0 r5:ec0cfe80 r4:b04ba39c
[<b04b92f0>] (drv_attr_store) from [<b02da618>] (sysfs_kf_write+0x48/0x54)
 r5:ec0cfe80 r4:b04b92f0
[<b02da5d0>] (sysfs_kf_write) from [<b02d9704>] (kernfs_fop_write+0x158/0x234)
 r5:ec0cfe80 r4:0000000d
[<b02d95ac>] (kernfs_fop_write) from [<b02527b4>] (__vfs_write+0x28/0x48)
 r10:00000004 r9:ebfc6000 r8:00000000 r7:ebfc7f68 r6:0013d748 r5:ebf87480 r4:b02d95ac
[<b025278c>] (__vfs_write) from [<b0254d3c>] (vfs_write+0xc4/0x184)
 r5:ebf87480 r4:0000000d
[<b0254c78>] (vfs_write) from [<b0254fc8>] (ksys_write+0x74/0xe8)
 r8:b0101204 r7:00000000 r6:00000000 r5:ebf87480 r4:ebf87480
[<b0254f54>] (ksys_write) from [<b0255054>] (sys_write+0x18/0x1c)
 r7:00000004 r6:4f063018 r5:0013d748 r4:0000000d
[<b025503c>] (sys_write) from [<b0101000>] (ret_fast_syscall+0x0/0x54)
Exception stack(0xebfc7fa8 to 0xebfc7ff0)
7fa0:                   0000000d 0013d748 00000001 0013d748 0000000d 00000000
7fc0: 0000000d 0013d748 4f063018 00000004 a6faef80 4f06313c 00000000 00000000
7fe0: 0000000a aeabbb60 4ef8c990 4efe73a0
---[ end trace f9eca40acb37981d ]---


And there's a fix on the kernel GitHub for now: https://github.com/torvalds/linux/commit/794aaf01444d4e765e2b067cba01cc69c1c68ed9

Could you help pull this fix into the current OpenBMC kernel repo to fix this issue?

Thanks.

Best Regards 
George Hung


