We init work_struct within tpacpi_leds, and we should free tpacpi_leds after
the workqueue is empty, in case of the work_struct is referenced after free.
This script could trigger the OOPS:
#!/bin/sh
while true
do
modprobe -r thinkpad_acpi
modprobe thinkpad_acpi
done
And the OOPS looks like this:
[ 73.863557] BUG: unable to handle kernel paging request at
45440000
[ 73.863925] IP: [<
c1051d65>] process_one_work+0x25/0x3b0
[ 73.864749] *pde =
00000000
[ 73.865571] Oops: 0000 [#1] PREEMPT SMP
[ 73.866443] Modules linked in: thinkpad_acpi(-) nvram netconsole configfs
aes_i586 cryptd aes_generic joydev btusb bluetooth arc4 snd_hda_codec_analog
iwl4965 uhci_hcd pcmcia microcode iwlegacy mac80211 cfg80211 firewire_ohci
firewire_core kvm_intel kvm snd_hda_intel acpi_cpufreq mperf ehci_hcd yenta_socket
pcmcia_rsrc crc_itu_t sr_mod snd_hda_codec processor pcmcia_core i2c_i801 usbcore
lpc_ich cdrom serio_raw psmouse coretemp rfkill e1000e snd_pcm snd_page_alloc
snd_hwdep snd_timer snd pcspkr evdev ac battery thermal soundcore usb_common
intel_agp intel_gtt tp_smapi(O) thinkpad_ec(O) ext4 crc16 jbd2 mbcache sd_mod
ata_piix ahci libahci libata scsi_mod nouveau button video mxm_wmi wmi
i2c_algo_bit drm_kms_helper ttm drm agpgart i2c_core [last unloaded: nvram]
[ 73.866676]
[ 73.866676] Pid: 62, comm: kworker/u:4 Tainted: G O 3.5.0-1-ARCH
#1 LENOVO 7662CTO/7662CTO
[ 73.866676] EIP: 0060:[<
c1051d65>] EFLAGS:
00010002 CPU: 1
[ 73.866676] EIP is at process_one_work+0x25/0x3b0
[ 73.866676] EAX:
45440065 EBX:
f5545090 ECX:
00000088 EDX:
45440000
[ 73.866676] ESI:
f568ff40 EDI:
c164dd40 EBP:
f5705f98 ESP:
f5705f68
[ 73.866676] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[ 73.866676] CR0:
8005003b CR2:
45440000 CR3:
357ed000 CR4:
000007d0
[ 73.866676] DR0:
00000000 DR1:
00000000 DR2:
00000000 DR3:
00000000
[ 73.866676] DR6:
ffff0ff0 DR7:
00000400
[ 73.866676] Process kworker/u:4 (pid: 62, ti=
f5704000 task=
f5700540 task.ti=
f5704000)
[ 73.866676] Stack:
[ 73.866676]
f56fbf24 00000001 f5705f78 c10683e0 c1294950 00000000 00000000 f568ff40
[ 73.866676]
00000000 f568ff40 f568ff50 c164dd40 f5705fb8 c1052589 c1060c7e c15b9300
[ 73.866676]
c164dd40 00000000 f568ff40 c1052490 f5705fe4 c10570b2 00000000 f568ff40
[ 73.866676] Call Trace:
[ 73.866676] [<
c10683e0>] ? default_wake_function+0x10/0x20
[ 73.866676] [<
c1294950>] ? dev_get_drvdata+0x20/0x20
[ 73.866676] [<
c1052589>] worker_thread+0xf9/0x280
[ 73.866676] [<
c1060c7e>] ? complete+0x4e/0x60
[ 73.866676] [<
c1052490>] ? manage_workers.isra.24+0x1c0/0x1c0
[ 73.866676] [<
c10570b2>] kthread+0x72/0x80
[ 73.866676] [<
c1057040>] ? kthread_freezable_should_stop+0x50/0x50
[ 73.866676] [<
c13c20fe>] kernel_thread_helper+0x6/0x10
[ 73.866676] Code: bc 27 00 00 00 00 55 89 e5 57 56 53 83 ec 24 3e 8d 74 26
00 89 c6 8b 02 89 d3 c7 45 f0 00 00 00 00 89 c2 30 d2 a8 04 0f 44 55 f0 <8b> 02 89 55 f0 89 da c1 ea
0a 89 45 ec 89 d8 8b 4d ec c1 e8 04
[ 73.866676] EIP: [<
c1051d65>] process_one_work+0x25/0x3b0 SS:ESP 0068:
f5705f68
[ 73.866676] CR2:
0000000045440000
[ 73.866676] ---[ end trace
4d8a1887edca08c5 ]---
[ 73.866676] note: kworker/u:4[62] exited with preempt_count 1
Signed-off-by: Li Dongyang <Jerry87905@gmail.com>
Signed-off-by: Matthew Garrett <mjg@redhat.com>