From: Richard Weinberger
To: Ben Hutchings
Cc: Martin Townsend, stable@vger.kernel.org, Greg Kroah-Hartman, LKML
Subject: Re: [PATCH 4.4 23/97] ubi: fastmap: Dont flush fastmap work on detach
Date: Wed, 16 May 2018 19:37:01 +0200
Message-ID: <2235171.AyZ2c50PG7@blindfold>

Ben,

On Wednesday, 16 May 2018, 18:53:49 CEST, Ben Hutchings wrote:
> I don't see how this change can fix a use-after-free. If this function
> can be called with *ubi already freed, then the rest of the function
> body is also not safe to run. But I don't think that is the case.

thanks a lot for digging into this!
It is not about ubi (struct ubi_device) being free()'d, it is about ubi->volumes[].

> ubi->fm_work doesn't depend on any other structure (except a global
> workqueue, which won't go away).
>
> It seems to me that the bug is really a race condition, and removing
> the flush_work() makes it harder to hit that condition. The proper fix
> would be to call flush_work() (or cancel_work_sync()) before the UBI
> volumes are freed.

That's a very valid point.
I think cancel_work_sync() is the right thing to do.

Thanks,
//richard
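
The ordering argument in this thread, as an added example that is not part of the original mail and not kernel code: a deterministic, single-threaded userspace model of a detach path whose queued work item reads a volume table. All names are hypothetical, and the model assumes the work item is still queued when detach starts.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model, not kernel code; every name below is hypothetical. */
#define NVOLS 4

enum detach_order {
    FREE_THEN_FLUSH,   /* flush_work() after the volumes are gone */
    FREE_NO_SYNC,      /* flush removed: queued work fires later */
    FLUSH_THEN_FREE,   /* flush_work() before freeing */
    CANCEL_THEN_FREE,  /* cancel_work_sync() before freeing */
};

struct model_dev {
    int *volumes[NVOLS];  /* stands in for ubi->volumes[] */
    bool work_pending;    /* stands in for a queued ubi->fm_work */
    bool touched_freed;   /* set where real code would use freed memory */
};

/* Work handler: walks the volume table, so the table must be alive. */
static void fm_work_fn(struct model_dev *d)
{
    for (int i = 0; i < NVOLS; i++) {
        if (d->volumes[i] == NULL) { d->touched_freed = true; return; }
        (*d->volumes[i])++;
    }
}

/* Runs the handler if still queued: models flush_work(), or the worker
 * thread getting to the item on its own. */
static void run_pending(struct model_dev *d)
{
    if (d->work_pending) { d->work_pending = false; fm_work_fn(d); }
}

static void free_volumes(struct model_dev *d)
{
    for (int i = 0; i < NVOLS; i++) d->volumes[i] = NULL; /* models the free */
}

/* Returns true if the handler ever ran against freed volumes. */
bool detach_hits_freed(enum detach_order order)
{
    int storage[NVOLS] = {0};
    struct model_dev d = { .work_pending = true };
    for (int i = 0; i < NVOLS; i++) d.volumes[i] = &storage[i];

    if (order == FLUSH_THEN_FREE) run_pending(&d);
    if (order == CANCEL_THEN_FREE) d.work_pending = false; /* dequeued, never runs */
    free_volumes(&d);
    if (order == FREE_THEN_FLUSH) run_pending(&d);
    run_pending(&d);  /* worker eventually runs anything still queued */
    return d.touched_freed;
}
```

In this model only the two orderings that synchronize with the work item before the volumes are released keep the handler away from freed state; dropping the flush leaves the item queued past the free.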