From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
To: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
Cc: Robin van der Gracht <robin@protonic.nl>,
Sven Van Asbroeck <thesven73@gmail.com>,
Tejun Heo <tj@kernel.org>, Lai Jiangshan <jiangshanlai@gmail.com>,
Sebastian Reichel <sre@kernel.org>,
Kees Cook <keescook@chromium.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] auxdisplay: ht16k33: fix potential user-after-free on module unload
Date: Sat, 9 Feb 2019 08:52:51 -0800
Message-ID: <20190209165251.GC197782@dtor-ws>
In-Reply-To: <20190209001522.GA11769@gmail.com>

On Sat, Feb 09, 2019 at 01:15:22AM +0100, Miguel Ojeda wrote:
> On module unload/remove, we need to ensure that work does not run
> after we have freed resources. Concretely, cancel_delayed_work()
> may return while the callback function is still running.
>
> From kernel/workqueue.c:
>
> The work callback function may still be running on return,
> unless it returns true and the work doesn't re-arm itself.
> Explicitly flush or use cancel_delayed_work_sync() to wait on it.
>
> Link: https://lore.kernel.org/lkml/20190204220952.30761-1-TheSven73@googlemail.com/
> Reported-by: Sven Van Asbroeck <thesven73@gmail.com>
> Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>

Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

> ---
> drivers/auxdisplay/ht16k33.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/auxdisplay/ht16k33.c b/drivers/auxdisplay/ht16k33.c
> index a43276c76fc6..21393ec3b9a4 100644
> --- a/drivers/auxdisplay/ht16k33.c
> +++ b/drivers/auxdisplay/ht16k33.c
> @@ -509,7 +509,7 @@ static int ht16k33_remove(struct i2c_client *client)
> struct ht16k33_priv *priv = i2c_get_clientdata(client);
> struct ht16k33_fbdev *fbdev = &priv->fbdev;
>
> - cancel_delayed_work(&fbdev->work);
> + cancel_delayed_work_sync(&fbdev->work);
> unregister_framebuffer(fbdev->info);
> framebuffer_release(fbdev->info);
> free_page((unsigned long) fbdev->buffer);
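Review bot: In ht16k33_remove(), cancel_delayed_work_sync(&fbdev->work) is called before unregister_framebuffer(fbdev->info), so the fix holds only if nothing can queue fbdev->work again once the cancel has returned. If any path through the still-registered framebuffer, or another interface of the driver, can re-queue it, the work could still run after free_page(). Please confirm no such path exists, or move the cancel after the teardown of whatever can queue the work and keep it before free_page(). Separately, the subject line says "user-after-free" where "use-after-free" is meant.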
> --
> 2.17.1
>
--
Dmitry
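The window described in the quoted commit message, as an added user-space example (not code from the patch, the driver or kernel/workqueue.c). It models the two cancel calls with pthreads; `struct work`, `cancel()`, `cancel_sync()` and `running_after_cancel()` are hypothetical names, and the semaphores exist only to hold the callback mid-flight deterministically.

```c
#include <pthread.h>
#include <semaphore.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed user-space model: one work item run by one worker thread. */
struct work {
    atomic_bool pending, running; /* queued / callback executing */
    sem_t started, release;       /* hold the callback mid-flight */
    unsigned char *buffer;        /* stands in for fbdev->buffer */
    pthread_t thread;
};

static void *callback(void *arg) {
    struct work *w = arg;
    atomic_store(&w->pending, false);
    atomic_store(&w->running, true);
    sem_post(&w->started);
    sem_wait(&w->release);
    w->buffer[0] = 0xff;          /* access that must not outlive free() */
    atomic_store(&w->running, false);
    return NULL;
}

/* Model of cancel_delayed_work(): dequeue only, never wait. */
static bool cancel(struct work *w) { return atomic_exchange(&w->pending, false); }
/* Model of cancel_delayed_work_sync(): also wait for a running callback. */
static bool cancel_sync(struct work *w) {
    bool was_pending = cancel(w);
    sem_post(&w->release);        /* scaffolding: unblock the held callback */
    pthread_join(w->thread, NULL);
    return was_pending;
}

/* True if the callback was still running when the cancel call returned. */
static bool running_after_cancel(bool sync) {
    struct work w = { .buffer = calloc(1, 4096) };
    sem_init(&w.started, 0, 0); sem_init(&w.release, 0, 0);
    atomic_store(&w.pending, true);
    pthread_create(&w.thread, NULL, callback, &w);
    sem_wait(&w.started);         /* callback is now mid-flight */
    if (sync) cancel_sync(&w); else cancel(&w);
    bool racing = atomic_load(&w.running); /* would a free here race? */
    if (!sync) { sem_post(&w.release); pthread_join(w.thread, NULL); }
    free(w.buffer);               /* safe only once the callback is done */
    return racing;
}

int main(void) { return running_after_cancel(true) || !running_after_cancel(false); }
```

In the non-sync case `cancel()` returns false because the work is no longer pending, which is exactly the situation the workqueue comment warns about: the callback is still executing when the caller proceeds to free the buffer.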