auxdisplay: ht16k33: fix potential user-after-free on module unload

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

On module unload/remove, we need to ensure that work does not run
after we have freed resources. Concretely, cancel_delayed_work()
may return while the callback function is still running.

From kernel/workqueue.c:

The work callback function may still be running on return,
unless it returns true and the work doesn't re-arm itself.
Explicitly flush or use cancel_delayed_work_sync() to wait on it.

Link: https://lore.kernel.org/lkml/20190204220952.30761-1-TheSven73@googlemail.com/
Reported-by: Sven Van Asbroeck <thesven73@gmail.com>
Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Reviewed-by: Sven Van Asbroeck <TheSven73@gmail.com>
Acked-by: Robin van der Gracht <robin@protonic.nl>
Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>

Miguel Ojeda 7 years ago 69ef9bc5 8834f560

+1 -1

1 changed file

expand all

drivers

auxdisplay

ht16k33.c

+1 -1

drivers/auxdisplay/ht16k33.c

··· 509 509 struct ht16k33_priv *priv = i2c_get_clientdata(client); 510 510 struct ht16k33_fbdev *fbdev = &priv->fbdev; 511 511 512 - cancel_delayed_work(&fbdev->work); 512 + cancel_delayed_work_sync(&fbdev->work); 513 513 unregister_framebuffer(fbdev->info); 514 514 framebuffer_release(fbdev->info); 515 515 free_page((unsigned long) fbdev->buffer);