On Tue, Feb 05, 2019 at 12:18:46AM -0800, Dmitry Torokhov wrote:
> Hi Sven,
>
> On Mon, Feb 04, 2019 at 05:09:52PM -0500, Sven Van Asbroeck wrote:
> > The work which is scheduled by led_classdev->brightness_set() is
> > potentially left pending or running until after the driver module
> > is unloaded.
> >
> > Fix by using resource-controlled version of INIT_WORK().
>
> I believe this is wrong way of fixing this. The LED classdev objects are
> refcounted, and may live beyond the point where we unwind devm stack,
> so we are still left with the same use-after-free that we currently
> have.

Hmm, I take it back, it looks like the lifetime of the outer structure is
limited to the time while driver is bound. I still wonder if using
set_brightness_blocking() would be better fix?

>
> This is a general issue with LED subsystem as it provides no callback
> for properly tearing down device structures, but I think in this
> particular case we can simply switch from set_brightness() to
> set_brightness_blocking() which will use the work item internal to the
> LED classdev and that one is being shut down properly.
>
> Jacek, does the above sound right?
>

-- 
Dmitry
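
The teardown ordering discussed in this thread, as an added user-space model that is not part of the original messages and is not kernel code: a work item scheduled by a brightness callback either survives a devm-style unwind or is cancelled by a managed cleanup action registered at init time. All names here (`simulate_unbind`, `devm_add`, `devm_unwind`, `struct led_drv`) are hypothetical, and the model is single-threaded, so it shows only the pending case, not work that is already running.

```c
/* Constructed user-space model: a devm-style cleanup stack and one work item. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct work { void (*fn)(struct work *); bool pending; };
struct led_drv {            /* hypothetical driver state */
    struct work work;
    bool bound;             /* false once the devm stack has released this struct */
    int stale_runs;         /* work runs after unbind: a use-after-free in a real driver */
};
static struct devres { void (*action)(void *); void *data; } stack[4];
static int depth;

static void devm_add(void (*action)(void *), void *data)
{
    stack[depth++] = (struct devres){ action, data };
}
static void devm_unwind(void)   /* reverse registration order, as on unbind */
{
    for (; depth > 0; depth--)
        stack[depth - 1].action(stack[depth - 1].data);
}
static void release_drv(void *p) { ((struct led_drv *)p)->bound = false; }
static void cancel_work(void *p) { ((struct work *)p)->pending = false; }
static void led_work_fn(struct work *w)
{
    struct led_drv *d = (struct led_drv *)((char *)w - offsetof(struct led_drv, work));
    if (!d->bound) d->stale_runs++;
}

/* Returns how many times the work ran after the driver was unbound. */
int simulate_unbind(bool managed_init_work)
{
    struct led_drv d = { .work = { .fn = led_work_fn }, .bound = true };
    depth = 0;
    devm_add(release_drv, &d);              /* models the devm allocation */
    if (managed_init_work)
        devm_add(cancel_work, &d.work);     /* models the managed INIT_WORK() */
    d.work.pending = true;                  /* brightness_set() schedules the work */
    devm_unwind();                          /* driver unbind */
    if (d.work.pending) d.work.fn(&d.work); /* workqueue reaches the item later */
    return d.stale_runs;
}

int main(void)
{
    printf("plain: %d stale, managed: %d stale\n", simulate_unbind(false), simulate_unbind(true));
    return 0;
}
```

Because the cancel action is registered after the allocation, the reverse-order unwind runs it first, which is what keeps the work from touching released state.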