Re: [RFC v1 3/3] cap11xx: fix potential user-after-free on module unload

From: Dmitry Torokhov
Date: Tue Feb 05 2019 - 03:18:51 EST

Next message: John Hubbard: "Re: [PATCH 0/6] RFC v2: mm: gup/dma tracking"
Previous message: Ulf Hansson: "Re: [PATCH v2 0/9] driver core: Fix some device links issues and add "consumer autoprobe" flag"
In reply to: Sven Van Asbroeck: "[RFC v1 3/3] cap11xx: fix potential user-after-free on module unload"
Next in thread: Dmitry Torokhov: "Re: [RFC v1 3/3] cap11xx: fix potential user-after-free on module unload"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Sven,

On Mon, Feb 04, 2019 at 05:09:52PM -0500, Sven Van Asbroeck wrote:
> The work which is scheduled by led_classdev->brightness_set() is
> potentially left pending or running until after the driver module
> is unloaded.
>
> Fix by using resource-controlled version of INIT_WORK().

I believe this is wrong way of fixing this. The LED classdev objects are
refcounted, and may live beyond the point where we unwibd devm stack,
so we are still left with the same use-after-free that we currently
have.

This is a general issue with LED subsystem as it provides no callback
for properly tearing down device structures, but I think in this
particular case we can simply switch from set_brightness() to
set_brightness_blocking() which will use the work item internal to the
LED classdev and that one is being shut down properly.

Jacek, does the above sound right?

Thanks.

--
Dmitry

Next message: John Hubbard: "Re: [PATCH 0/6] RFC v2: mm: gup/dma tracking"
Previous message: Ulf Hansson: "Re: [PATCH v2 0/9] driver core: Fix some device links issues and add "consumer autoprobe" flag"
In reply to: Sven Van Asbroeck: "[RFC v1 3/3] cap11xx: fix potential user-after-free on module unload"
Next in thread: Dmitry Torokhov: "Re: [RFC v1 3/3] cap11xx: fix potential user-after-free on module unload"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]