Re: [RFC v1 3/3] cap11xx: fix potential use-after-free on module unload

From: Dmitry Torokhov
Date: Tue Feb 05 2019 - 03:34:56 EST


On Tue, Feb 05, 2019 at 12:18:46AM -0800, Dmitry Torokhov wrote:
> Hi Sven,
>
> On Mon, Feb 04, 2019 at 05:09:52PM -0500, Sven Van Asbroeck wrote:
> > The work which is scheduled by led_classdev->brightness_set() is
> > potentially left pending or running until after the driver module
> > is unloaded.
> >
> > Fix by using a resource-controlled version of INIT_WORK().
>
> I believe this is wrong way of fixing this. The LED classdev objects are
> refcounted, and may live beyond the point where we unwind the devm stack,
> so we are still left with the same use-after-free that we currently
> have.

Hmm, I take it back, it looks like the lifetime of the outer structure
is limited to the time while the driver is bound. I still wonder if using
set_brightness_blocking() would be a better fix?

>
> This is a general issue with the LED subsystem as it provides no callback
> for properly tearing down device structures, but I think in this
> particular case we can simply switch from set_brightness() to
> set_brightness_blocking() which will use the work item internal to the
> LED classdev and that one is being shut down properly.
>
> Jacek, does the above sound right?
>

--
Dmitry
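The lifetime problem discussed in this thread, as an added userspace model (this is not the cap11xx driver, the kernel workqueue or the LED core; INIT_WORK, schedule_work, flush_work, led_classdev and friends below are small local re-implementations that only mimic the kernel API, and the LIVE/DEAD poisoning stands in for kfree() so the model stays well defined). Three teardown variants are simulated: the driver's own work item left pending across unload (the situation the patch addresses), the same work item cancelled from the devm unwind (the patch's resource-controlled INIT_WORK()), and the brightness write routed through the LED core's internal work item that the core flushes in led_classdev_unregister() before devm releases the driver state (the set_brightness_blocking() alternative). The return value counts callbacks that ran against torn-down state:

```c
/* Added example: userspace model of a work item outliving its driver.
 * Not kernel code; the kernel-looking names are local stand-ins (assumption). */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct work_struct;
typedef void (*work_func_t)(struct work_struct *);
struct work_struct { work_func_t func; struct work_struct *next; bool pending; };

/* One global pending list stands in for the kworker thread; queued items run
 * only when run_pending_work() is called, i.e. "some time later". */
static struct work_struct *pending_head;

static void INIT_WORK(struct work_struct *w, work_func_t f)
{ w->func = f; w->next = NULL; w->pending = false; }

static void schedule_work(struct work_struct *w)
{ if (!w->pending) { w->pending = true; w->next = pending_head; pending_head = w; } }

static bool dequeue(struct work_struct *w)
{
    for (struct work_struct **pp = &pending_head; *pp; pp = &(*pp)->next)
        if (*pp == w) { *pp = w->next; w->pending = false; return true; }
    return false;
}
static void cancel_work_sync(struct work_struct *w) { dequeue(w); }
static void flush_work(struct work_struct *w) { if (dequeue(w)) w->func(w); }

static void run_pending_work(void)
{
    while (pending_head) {
        struct work_struct *w = pending_head;
        pending_head = w->next; w->pending = false; w->func(w);
    }
}

/* Minimal LED core: its own work item calls the driver's blocking setter,
 * and unregister flushes that item before the driver state goes away. */
struct led_classdev {
    int (*brightness_set_blocking)(struct led_classdev *, int);
    int delayed_value;
    struct work_struct set_brightness_work;
};
static void core_work(struct work_struct *w)
{
    struct led_classdev *c = (void *)((char *)w - offsetof(struct led_classdev, set_brightness_work));
    c->brightness_set_blocking(c, c->delayed_value);
}
static void led_classdev_register(struct led_classdev *c) { INIT_WORK(&c->set_brightness_work, core_work); }
static void led_set_brightness(struct led_classdev *c, int v) { c->delayed_value = v; schedule_work(&c->set_brightness_work); }
static void led_classdev_unregister(struct led_classdev *c) { flush_work(&c->set_brightness_work); }

/* Driver state: a devm-allocated priv embedding the classdev and its own work item. */
#define LIVE 0x4c495645u
#define DEAD 0x44454144u
struct led_priv { unsigned magic; int hw_brightness; struct led_classdev cdev; struct work_struct work; };
static int touched_dead;   /* callbacks that ran after priv was torn down */

static int i2c_write(struct led_priv *p, int v)
{   /* The "device access": records the use-after-free instead of crashing. */
    if (p->magic != LIVE) { touched_dead++; return -1; }
    p->hw_brightness = v; return 0;
}
static void driver_work(struct work_struct *w)
{ i2c_write((void *)((char *)w - offsetof(struct led_priv, work)), 1); }

/* Original driver: non-blocking brightness_set() defers the write to driver-owned work. */
static void driver_brightness_set(struct led_priv *p) { schedule_work(&p->work); }
/* Alternative from the thread: brightness_set_blocking() writes directly. */
static int driver_brightness_set_blocking(struct led_classdev *c, int v)
{ return i2c_write((void *)((char *)c - offsetof(struct led_priv, cdev)), v); }

enum variant { DRIVER_WORK, DRIVER_WORK_AUTOCANCEL, CORE_WORK };

/* Returns how many callbacks touched torn-down state; 0 means no use-after-free. */
static int simulate_unload(enum variant v)
{
    static struct led_priv priv;       /* static so "freed" memory is poisoned, not UB */
    memset(&priv, 0, sizeof priv);
    priv.magic = LIVE; touched_dead = 0; pending_head = NULL;
    INIT_WORK(&priv.work, driver_work);
    priv.cdev.brightness_set_blocking = driver_brightness_set_blocking;
    led_classdev_register(&priv.cdev);

    /* A sysfs write to brightness lands just before the module is unloaded. */
    if (v == CORE_WORK) led_set_brightness(&priv.cdev, 1);
    else driver_brightness_set(&priv);

    /* Module unload: devm unwinds in reverse order of registration. */
    led_classdev_unregister(&priv.cdev);                          /* core flushes ITS work */
    if (v == DRIVER_WORK_AUTOCANCEL) cancel_work_sync(&priv.work); /* resource-managed cancel */
    priv.magic = DEAD;                                            /* kernel would kfree(); we poison */

    run_pending_work();                                           /* kworker runs what is still queued */
    return touched_dead;
}
```

Only the first variant reports a callback running against dead state: the driver's own work item has no owner left to cancel it once devm has released priv, whereas both a devm-hooked cancel and the LED core's flush-on-unregister drain the item while the driver state is still valid.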