[PATCH v3 1/1] mtd: spi-nor: core: Prevent oops during driver removal with active read or write operations

[PATCH v3 1/1] mtd: spi-nor: core: Prevent oops during driver removal with active read or write operations

[Khairul Anuar Romli]

From: kromli <khairul.anuar.romli@altera.com>

Ensure that the pointer passed to module_put() in spi_nor_put_device() is
not NULL before use. This change adds a guard clause to return early,
preventing the kernel crash below when the cadence-qspi driver is removed
during a dd operation:

[  200.448732] Unable to handle kernel NULL pointer deref
erence at virtual address 0000000000000010
[  200.457576] Mem abort info:
[  200.460370]   ESR = 0x0000000096000004
[  200.464136]   EC = 0x25: DABT (current EL), IL = 32 bits
[  200.469527]   SET = 0, FnV = 0
[  200.472609]   EA = 0, S1PTW = 0
[  200.475904]   FSC = 0x04: level 0 translation fault
[  200.480786] Data abort info:
[  200.483659]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[  200.489141]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[  200.494189]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[  200.499500] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000185df8000
[  200.505932] [0000000000000010] pgd=0000000000000000, p4d=0000000000000000
[  200.512720] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[  200.518968] Modules linked in: 8021q garp mrp stp llc bluetooth ecdh_generic
ecc rfkill crct10dif_ce rtc_ds1307 at24 stratix10_soc soc64_hwmon gpio_altera of
_fpga_region fpga_region fpga_bridge uio_pdrv_genirq uio fuse drm backlight ipv6
[  200.540016] CPU: 0 UID: 0 PID: 372 Comm: dd Not tainted 6.12.19-altera-gb6b26
c4179a6 #1
[  200.547996] Hardware name: SoCFPGA Stratix 10 SoCDK (DT)
[  200.553292] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[  200.560234] pc : spi_nor_put_device+0x30/0x60
[  200.564594] lr : __put_mtd_device+0x8c/0x120
[  200.568856] sp : ffff80008411bc20
[  200.572161] x29: ffff80008411bc20 x28: ffff000185e2c500 x27: 0000000000000000
[  200.579282] x26: 0000000000000000 x25: ffff000185e2cb00 x24: ffff000185e2cc88
[  200.586404] x23: ffff00018034c620 x22: 0000000000000001 x21: ffff00018873e080
[  200.593524] x20: 0000000000000000 x19: ffff00018873e080 x18: ffffffffffffffff
[  200.600645] x17: 0030393d524f4a41 x16: 4d0064746d3d4d45 x15: ffff000185757700
[  200.607767] x14: 0000000000000000 x13: ffff000180045010 x12: ffff0001857576c0
[  200.614888] x11: 000000000000003a x10: ffff000180045018 x9 : ffff000180045010
[  200.622009] x8 : ffff80008411bb70 x7 : 0000000000000000 x6 : ffff000181325048
[  200.629129] x5 : 00000000820001cf x4 : fffffdffc60095e0 x3 : 0000000000000000
[  200.636250] x2 : 0000000000000000 x1 : ffff00018873e080 x0 : 0000000000000000
[  200.643371] Call trace:
[  200.645811]  spi_nor_put_device+0x30/0x60
[  200.649816]  __put_mtd_device+0x8c/0x120
[  200.653731]  put_mtd_device+0x30/0x48
[  200.657387]  mtdchar_close+0x30/0x78
[  200.660958]  __fput+0xc8/0x2d0
[  200.664011]  ____fput+0x14/0x20
[  200.667146]  task_work_run+0x70/0xdc
[  200.670718]  do_exit+0x2b4/0x8e4
[  200.673944]  do_group_exit+0x34/0x90
[  200.677512]  pid_child_should_wake+0x0/0x60
[  200.681686]  invoke_syscall+0x48/0x104
[  200.685432]  el0_svc_common.constprop.0+0xc0/0xe0
[  200.690128]  do_el0_svc+0x1c/0x28
[  200.693439]  el0_svc+0x30/0xcc
[  200.696454] dw_mmc ff808000.mmc: Unexpected interrupt latency
[  200.696485]  el0t_64_sync_handler+0x120/0x12c
[  200.706552]  el0t_64_sync+0x190/0x194
[  200.710213] Code: f9400000 f9417c00 f9402000 f9403400 (f9400800)
[  200.716290] ---[ end trace 0000000000000000 ]---
[  200.720948] Fixing recursive fault but reboot is needed!

Fixes: be94215be1ab ("mtd: spi-nor: core: Fix an issue of releasing resources during read/write")
CC: stable@vger.kernel.org # 6.12+
Signed-off-by: Khairul Anuar Romli <khairul.anuar.romli@altera.com>
Reviewed-by: Matthew Gerlach <matthew.gerlach@altera.com>
---
Changes in v3:
    - exclude !dev && !dev->driver check in spi_nor_get_device to
      resolve kernel test robot smatchwarnings.
Changes in v2:
    - Move the null check prior to try_module_get().
---
 drivers/mtd/spi-nor/core.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-nor/core.c
index ac4b960101cc..eb21d660036b 100644
--- a/drivers/mtd/spi-nor/core.c
+++ b/drivers/mtd/spi-nor/core.c
@@ -3210,6 +3210,9 @@ static int spi_nor_get_device(struct mtd_info *mtd)
 	else
 		dev = nor->dev;
 
+	if (!dev->driver->owner)
+		return -EINVAL;
+
 	if (!try_module_get(dev->driver->owner))
 		return -ENODEV;
 
@@ -3227,7 +3230,8 @@ static void spi_nor_put_device(struct mtd_info *mtd)
 	else
 		dev = nor->dev;
 
-	module_put(dev->driver->owner);
+	if (dev && dev->driver && dev->driver->owner)
+		module_put(dev->driver->owner);
 }
 
 static void spi_nor_restore(struct spi_nor *nor)
-- 
2.35.3

Re: [PATCH v3 1/1] mtd: spi-nor: core: Prevent oops during driver removal with active read or write operations

[Michael Walle]

[-- Attachment #1: Type: text/plain, Size: 5141 bytes --]

Hi,

On Wed Jul 30, 2025 at 3:39 AM CEST, Khairul Anuar Romli wrote:
> From: kromli <khairul.anuar.romli@altera.com>
>
> Ensure that the pointer passed to module_put() in spi_nor_put_device() is
> not NULL before use. This change adds a guard clause to return early,
> preventing the kernel crash below when the cadence-qspi driver is removed
> during a dd operation:

As already asked in v2. This needs a (more detailed) description
what is going on and what is going wrong.

-michael

> [  200.448732] Unable to handle kernel NULL pointer deref
> erence at virtual address 0000000000000010
> [  200.457576] Mem abort info:
> [  200.460370]   ESR = 0x0000000096000004
> [  200.464136]   EC = 0x25: DABT (current EL), IL = 32 bits
> [  200.469527]   SET = 0, FnV = 0
> [  200.472609]   EA = 0, S1PTW = 0
> [  200.475904]   FSC = 0x04: level 0 translation fault
> [  200.480786] Data abort info:
> [  200.483659]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
> [  200.489141]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
> [  200.494189]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> [  200.499500] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000185df8000
> [  200.505932] [0000000000000010] pgd=0000000000000000, p4d=0000000000000000
> [  200.512720] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
> [  200.518968] Modules linked in: 8021q garp mrp stp llc bluetooth ecdh_generic
> ecc rfkill crct10dif_ce rtc_ds1307 at24 stratix10_soc soc64_hwmon gpio_altera of
> _fpga_region fpga_region fpga_bridge uio_pdrv_genirq uio fuse drm backlight ipv6
> [  200.540016] CPU: 0 UID: 0 PID: 372 Comm: dd Not tainted 6.12.19-altera-gb6b26
> c4179a6 #1
> [  200.547996] Hardware name: SoCFPGA Stratix 10 SoCDK (DT)
> [  200.553292] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> [  200.560234] pc : spi_nor_put_device+0x30/0x60
> [  200.564594] lr : __put_mtd_device+0x8c/0x120
> [  200.568856] sp : ffff80008411bc20
> [  200.572161] x29: ffff80008411bc20 x28: ffff000185e2c500 x27: 0000000000000000
> [  200.579282] x26: 0000000000000000 x25: ffff000185e2cb00 x24: ffff000185e2cc88
> [  200.586404] x23: ffff00018034c620 x22: 0000000000000001 x21: ffff00018873e080
> [  200.593524] x20: 0000000000000000 x19: ffff00018873e080 x18: ffffffffffffffff
> [  200.600645] x17: 0030393d524f4a41 x16: 4d0064746d3d4d45 x15: ffff000185757700
> [  200.607767] x14: 0000000000000000 x13: ffff000180045010 x12: ffff0001857576c0
> [  200.614888] x11: 000000000000003a x10: ffff000180045018 x9 : ffff000180045010
> [  200.622009] x8 : ffff80008411bb70 x7 : 0000000000000000 x6 : ffff000181325048
> [  200.629129] x5 : 00000000820001cf x4 : fffffdffc60095e0 x3 : 0000000000000000
> [  200.636250] x2 : 0000000000000000 x1 : ffff00018873e080 x0 : 0000000000000000
> [  200.643371] Call trace:
> [  200.645811]  spi_nor_put_device+0x30/0x60
> [  200.649816]  __put_mtd_device+0x8c/0x120
> [  200.653731]  put_mtd_device+0x30/0x48
> [  200.657387]  mtdchar_close+0x30/0x78
> [  200.660958]  __fput+0xc8/0x2d0
> [  200.664011]  ____fput+0x14/0x20
> [  200.667146]  task_work_run+0x70/0xdc
> [  200.670718]  do_exit+0x2b4/0x8e4
> [  200.673944]  do_group_exit+0x34/0x90
> [  200.677512]  pid_child_should_wake+0x0/0x60
> [  200.681686]  invoke_syscall+0x48/0x104
> [  200.685432]  el0_svc_common.constprop.0+0xc0/0xe0
> [  200.690128]  do_el0_svc+0x1c/0x28
> [  200.693439]  el0_svc+0x30/0xcc
> [  200.696454] dw_mmc ff808000.mmc: Unexpected interrupt latency
> [  200.696485]  el0t_64_sync_handler+0x120/0x12c
> [  200.706552]  el0t_64_sync+0x190/0x194
> [  200.710213] Code: f9400000 f9417c00 f9402000 f9403400 (f9400800)
> [  200.716290] ---[ end trace 0000000000000000 ]---
> [  200.720948] Fixing recursive fault but reboot is needed!
>
> Fixes: be94215be1ab ("mtd: spi-nor: core: Fix an issue of releasing resources during read/write")
> CC: stable@vger.kernel.org # 6.12+
> Signed-off-by: Khairul Anuar Romli <khairul.anuar.romli@altera.com>
> Reviewed-by: Matthew Gerlach <matthew.gerlach@altera.com>
> ---
> Changes in v3:
>     - exclude !dev && !dev->driver check in spi_nor_get_device to
>       resolve kernel test robot smatchwarnings.
> Changes in v2:
>     - Move the null check prior to try_module_get().
> ---
>  drivers/mtd/spi-nor/core.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-nor/core.c
> index ac4b960101cc..eb21d660036b 100644
> --- a/drivers/mtd/spi-nor/core.c
> +++ b/drivers/mtd/spi-nor/core.c
> @@ -3210,6 +3210,9 @@ static int spi_nor_get_device(struct mtd_info *mtd)
>  	else
>  		dev = nor->dev;
>  
> +	if (!dev->driver->owner)
> +		return -EINVAL;
> +
>  	if (!try_module_get(dev->driver->owner))
>  		return -ENODEV;
>  
> @@ -3227,7 +3230,8 @@ static void spi_nor_put_device(struct mtd_info *mtd)
>  	else
>  		dev = nor->dev;
>  
> -	module_put(dev->driver->owner);
> +	if (dev && dev->driver && dev->driver->owner)
> +		module_put(dev->driver->owner);
>  }
>  
>  static void spi_nor_restore(struct spi_nor *nor)


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 297 bytes --]

RE: [PATCH v3 1/1] mtd: spi-nor: core: Prevent oops during driver removal with active read or write operations

[Romli, Khairul Anuar]

> -----Original Message-----
> From: Michael Walle <mwalle@kernel.org>
> Sent: Wednesday, 30 July, 2025 3:30 PM
> To: Romli, Khairul Anuar <khairul.anuar.romli@altera.com>; Tudor Ambarus
> <tudor.ambarus@linaro.org>; Pratyush Yadav <pratyush@kernel.org>; Miquel
> Raynal <miquel.raynal@bootlin.com>; Richard Weinberger <richard@nod.at>;
> Vignesh Raghavendra <vigneshr@ti.com>; open list:SPI NOR SUBSYSTEM
> <linux-mtd@lists.infradead.org>; open list <linux-kernel@vger.kernel.org>;
> Gerlach, Matthew <matthew.gerlach@altera.com>
> Subject: Re: [PATCH v3 1/1] mtd: spi-nor: core: Prevent oops during driver
> removal with active read or write operations
> 
> Hi,
> 
> On Wed Jul 30, 2025 at 3:39 AM CEST, Khairul Anuar Romli wrote:
> > From: kromli <khairul.anuar.romli@altera.com>
> >
> > Ensure that the pointer passed to module_put() in spi_nor_put_device()
> > is not NULL before use. This change adds a guard clause to return
> > early, preventing the kernel crash below when the cadence-qspi driver
> > is removed during a dd operation:
> 
> As already asked in v2. This needs a (more detailed) description what is going
> on and what is going wrong.
> 
> -michael

Hi,

We just run the following test we observe the crash. 

time dd if=/dev/mtd1 of=out.img bs=1MB count=1000 &
echo spi0.0 > /sys/bus/spi/drivers/spi-nor/unbind
echo spi0.0 > /sys/bus/spi/drivers/spi-nor/bind

From the observation, the dd is not entirely terminated when the unbind took place.
Maybe there is other changes require to ensure the dd operation gets terminated 
when driver unbind/remove.

> > [  200.448732] Unable to handle kernel NULL pointer deref erence at
> > virtual address 0000000000000010 [  200.457576] Mem abort info:
> > [  200.460370]   ESR = 0x0000000096000004
> > [  200.464136]   EC = 0x25: DABT (current EL), IL = 32 bits
> > [  200.469527]   SET = 0, FnV = 0
> > [  200.472609]   EA = 0, S1PTW = 0
> > [  200.475904]   FSC = 0x04: level 0 translation fault
> > [  200.480786] Data abort info:
> > [  200.483659]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
> > [  200.489141]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
> > [  200.494189]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> > [  200.499500] user pgtable: 4k pages, 48-bit VAs,
> > pgdp=0000000185df8000 [  200.505932] [0000000000000010]
> > pgd=0000000000000000, p4d=0000000000000000 [  200.512720]
> Internal
> > error: Oops: 0000000096000004 [#1] PREEMPT SMP [  200.518968]
> Modules
> > linked in: 8021q garp mrp stp llc bluetooth ecdh_generic ecc rfkill
> > crct10dif_ce rtc_ds1307 at24 stratix10_soc soc64_hwmon gpio_altera of
> > _fpga_region fpga_region fpga_bridge uio_pdrv_genirq uio fuse drm
> > backlight ipv6 [  200.540016] CPU: 0 UID: 0 PID: 372 Comm: dd Not
> > tainted 6.12.19-altera-gb6b26
> > c4179a6 #1
> > [  200.547996] Hardware name: SoCFPGA Stratix 10 SoCDK (DT) [
> > 200.553292] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS
> > BTYPE=--) [  200.560234] pc : spi_nor_put_device+0x30/0x60 [
> > 200.564594] lr : __put_mtd_device+0x8c/0x120 [  200.568856] sp :
> > ffff80008411bc20 [  200.572161] x29: ffff80008411bc20 x28:
> > ffff000185e2c500 x27: 0000000000000000 [  200.579282] x26:
> > 0000000000000000 x25: ffff000185e2cb00 x24: ffff000185e2cc88 [
> > 200.586404] x23: ffff00018034c620 x22: 0000000000000001 x21:
> > ffff00018873e080 [  200.593524] x20: 0000000000000000 x19:
> > ffff00018873e080 x18: ffffffffffffffff [  200.600645] x17:
> > 0030393d524f4a41 x16: 4d0064746d3d4d45 x15: ffff000185757700 [
> > 200.607767] x14: 0000000000000000 x13: ffff000180045010 x12:
> > ffff0001857576c0 [  200.614888] x11: 000000000000003a x10:
> > ffff000180045018 x9 : ffff000180045010 [  200.622009] x8 :
> > ffff80008411bb70 x7 : 0000000000000000 x6 : ffff000181325048 [
> > 200.629129] x5 : 00000000820001cf x4 : fffffdffc60095e0 x3 :
> 0000000000000000 [  200.636250] x2 : 0000000000000000 x1 :
> ffff00018873e080 x0 : 0000000000000000 [  200.643371] Call trace:
> > [  200.645811]  spi_nor_put_device+0x30/0x60 [  200.649816]
> > __put_mtd_device+0x8c/0x120 [  200.653731]
> put_mtd_device+0x30/0x48 [
> > 200.657387]  mtdchar_close+0x30/0x78 [  200.660958]
> __fput+0xc8/0x2d0
> > [  200.664011]  ____fput+0x14/0x20 [  200.667146]
> > task_work_run+0x70/0xdc [  200.670718]  do_exit+0x2b4/0x8e4 [
> > 200.673944]  do_group_exit+0x34/0x90 [  200.677512]
> > pid_child_should_wake+0x0/0x60 [  200.681686]
> > invoke_syscall+0x48/0x104 [  200.685432]
> > el0_svc_common.constprop.0+0xc0/0xe0
> > [  200.690128]  do_el0_svc+0x1c/0x28
> > [  200.693439]  el0_svc+0x30/0xcc
> > [  200.696454] dw_mmc ff808000.mmc: Unexpected interrupt latency [
> > 200.696485]  el0t_64_sync_handler+0x120/0x12c [  200.706552]
> > el0t_64_sync+0x190/0x194 [  200.710213] Code: f9400000 f9417c00
> > f9402000 f9403400 (f9400800) [  200.716290] ---[ end trace
> > 0000000000000000 ]--- [  200.720948] Fixing recursive fault but reboot
> > is needed!
> >
> > Fixes: be94215be1ab ("mtd: spi-nor: core: Fix an issue of releasing
> > resources during read/write")
> > CC: stable@vger.kernel.org # 6.12+
> > Signed-off-by: Khairul Anuar Romli <khairul.anuar.romli@altera.com>
> > Reviewed-by: Matthew Gerlach <matthew.gerlach@altera.com>
> > ---
> > Changes in v3:
> >     - exclude !dev && !dev->driver check in spi_nor_get_device to
> >       resolve kernel test robot smatchwarnings.
> > Changes in v2:
> >     - Move the null check prior to try_module_get().
> > ---
> >  drivers/mtd/spi-nor/core.c | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-nor/core.c
> > index ac4b960101cc..eb21d660036b 100644
> > --- a/drivers/mtd/spi-nor/core.c
> > +++ b/drivers/mtd/spi-nor/core.c
> > @@ -3210,6 +3210,9 @@ static int spi_nor_get_device(struct mtd_info
> *mtd)
> >  	else
> >  		dev = nor->dev;
> >
> > +	if (!dev->driver->owner)
> > +		return -EINVAL;
> > +
> >  	if (!try_module_get(dev->driver->owner))
> >  		return -ENODEV;
> >
> > @@ -3227,7 +3230,8 @@ static void spi_nor_put_device(struct mtd_info
> *mtd)
> >  	else
> >  		dev = nor->dev;
> >
> > -	module_put(dev->driver->owner);
> > +	if (dev && dev->driver && dev->driver->owner)
> > +		module_put(dev->driver->owner);
> >  }
> >
> >  static void spi_nor_restore(struct spi_nor *nor)

Re: [PATCH v3 1/1] mtd: spi-nor: core: Prevent oops during driver removal with active read or write operations

[Michael Walle]

[-- Attachment #1: Type: text/plain, Size: 1104 bytes --]

Hi,

> > On Wed Jul 30, 2025 at 3:39 AM CEST, Khairul Anuar Romli wrote:
> > > From: kromli <khairul.anuar.romli@altera.com>
> > >
> > > Ensure that the pointer passed to module_put() in spi_nor_put_device()
> > > is not NULL before use. This change adds a guard clause to return
> > > early, preventing the kernel crash below when the cadence-qspi driver
> > > is removed during a dd operation:
> > 
> > As already asked in v2. This needs a (more detailed) description what is going
> > on and what is going wrong.
> > 
> > -michael
>
> Hi,
>
> We just run the following test we observe the crash. 
>
> time dd if=/dev/mtd1 of=out.img bs=1MB count=1000 &
> echo spi0.0 > /sys/bus/spi/drivers/spi-nor/unbind
> echo spi0.0 > /sys/bus/spi/drivers/spi-nor/bind
>
> From the observation, the dd is not entirely terminated when the unbind took place.
> Maybe there is other changes require to ensure the dd operation gets terminated 
> when driver unbind/remove.

I'd expect an analysis what's going wrong in the kernel to judge the
correctness of the patch.

Thanks,
-michael

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 297 bytes --]

RE: [PATCH v3 1/1] mtd: spi-nor: core: Prevent oops during driver removal with active read or write operations

[Romli, Khairul Anuar]

Hi Michael,

Sorry for taking very long time to reply. Could you advise me what kind of analysis do you want me to provide?

Thanks.

Regards,
Khairul

> -----Original Message-----
> From: Michael Walle <mwalle@kernel.org>
> Sent: Wednesday, 30 July, 2025 3:50 PM
> To: Romli, Khairul Anuar <khairul.anuar.romli@altera.com>; Tudor Ambarus
> <tudor.ambarus@linaro.org>; Pratyush Yadav <pratyush@kernel.org>; Miquel
> Raynal <miquel.raynal@bootlin.com>; Richard Weinberger <richard@nod.at>;
> Vignesh Raghavendra <vigneshr@ti.com>; open list:SPI NOR SUBSYSTEM
> <linux-mtd@lists.infradead.org>; open list <linux-kernel@vger.kernel.org>;
> Gerlach, Matthew <matthew.gerlach@altera.com>
> Subject: Re: [PATCH v3 1/1] mtd: spi-nor: core: Prevent oops during driver
> removal with active read or write operations
> 
> Hi,
> 
> > > On Wed Jul 30, 2025 at 3:39 AM CEST, Khairul Anuar Romli wrote:
> > > > From: kromli <khairul.anuar.romli@altera.com>
> > > >
> > > > Ensure that the pointer passed to module_put() in
> > > > spi_nor_put_device() is not NULL before use. This change adds a
> > > > guard clause to return early, preventing the kernel crash below
> > > > when the cadence-qspi driver is removed during a dd operation:
> > >
> > > As already asked in v2. This needs a (more detailed) description
> > > what is going on and what is going wrong.
> > >
> > > -michael
> >
> > Hi,
> >
> > We just run the following test we observe the crash.
> >
> > time dd if=/dev/mtd1 of=out.img bs=1MB count=1000 & echo spi0.0 >
> > /sys/bus/spi/drivers/spi-nor/unbind
> > echo spi0.0 > /sys/bus/spi/drivers/spi-nor/bind
> >
> > From the observation, the dd is not entirely terminated when the unbind
> took place.
> > Maybe there is other changes require to ensure the dd operation gets
> > terminated when driver unbind/remove.
> 
> I'd expect an analysis what's going wrong in the kernel to judge the correctness
> of the patch.
> 
> Thanks,
> -michael

Re: [PATCH v3 1/1] mtd: spi-nor: core: Prevent oops during driver removal with active read or write operations

[Michael Walle]

[-- Attachment #1: Type: text/plain, Size: 2433 bytes --]

Hi,

On Thu Aug 21, 2025 at 2:32 AM CEST, Khairul Anuar Romli wrote:
> Sorry for taking very long time to reply. Could you advise me what
> kind of analysis do you want me to provide?

Please don't top-post, see [1]. An explanation what is going wrong
and why (and no, a backtrace is not an explanation). Why is
dev->driver->owner NULL? Shouldn't it be guarded by a lock or
something? And esp. why is owner NULL in put_device().

-michael

>
> > -----Original Message-----
> > From: Michael Walle <mwalle@kernel.org>
> > Sent: Wednesday, 30 July, 2025 3:50 PM
> > To: Romli, Khairul Anuar <khairul.anuar.romli@altera.com>; Tudor Ambarus
> > <tudor.ambarus@linaro.org>; Pratyush Yadav <pratyush@kernel.org>; Miquel
> > Raynal <miquel.raynal@bootlin.com>; Richard Weinberger <richard@nod.at>;
> > Vignesh Raghavendra <vigneshr@ti.com>; open list:SPI NOR SUBSYSTEM
> > <linux-mtd@lists.infradead.org>; open list <linux-kernel@vger.kernel.org>;
> > Gerlach, Matthew <matthew.gerlach@altera.com>
> > Subject: Re: [PATCH v3 1/1] mtd: spi-nor: core: Prevent oops during driver
> > removal with active read or write operations
> > 
> > Hi,
> > 
> > > > On Wed Jul 30, 2025 at 3:39 AM CEST, Khairul Anuar Romli wrote:
> > > > > From: kromli <khairul.anuar.romli@altera.com>
> > > > >
> > > > > Ensure that the pointer passed to module_put() in
> > > > > spi_nor_put_device() is not NULL before use. This change adds a
> > > > > guard clause to return early, preventing the kernel crash below
> > > > > when the cadence-qspi driver is removed during a dd operation:
> > > >
> > > > As already asked in v2. This needs a (more detailed) description
> > > > what is going on and what is going wrong.
> > > >
> > > > -michael
> > >
> > > Hi,
> > >
> > > We just run the following test we observe the crash.
> > >
> > > time dd if=/dev/mtd1 of=out.img bs=1MB count=1000 & echo spi0.0 >
> > > /sys/bus/spi/drivers/spi-nor/unbind
> > > echo spi0.0 > /sys/bus/spi/drivers/spi-nor/bind
> > >
> > > From the observation, the dd is not entirely terminated when the unbind
> > took place.
> > > Maybe there is other changes require to ensure the dd operation gets
> > > terminated when driver unbind/remove.
> > 
> > I'd expect an analysis what's going wrong in the kernel to judge the correctness
> > of the patch.
> > 
> > Thanks,
> > -michael

[1] https://subspace.kernel.org/etiquette.html

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 297 bytes --]