From: Sven Van Asbroeck
To: Tejun Heo
Cc: Lai Jiangshan, linux-kernel@vger.kernel.org, Sebastian Reichel, Dmitry Torokhov, Kees Cook
Subject: [RFC v1 0/3] Address potential use-after-free on module unload
Date: Mon, 4 Feb 2019 17:09:49 -0500
Message-Id: <20190204220952.30761-1-TheSven73@googlemail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

I think there _might_ be potential use-after-free issues on module unload. They are hard to trigger, but I think I've seen them bring the whole kernel down when they do occur.

Can be triggered by doing an insmod of a vulnerable module, rapidly followed by an rmmod.

Caused by drivers which schedule work / delayed_work, but do not clean it up properly on module unload. Which means the work function could run _after_ the module has unloaded.

A quick grep through the kernel sources brings up many instances.

I leave it to people more knowledgeable than me to determine if this problem is likely to happen, and/or if it can be exploited to become a security risk.
Perhaps developers can be 'nudged' into doing the right thing by using resource-managed versions of INIT_WORK() / INIT_DELAYED_WORK(), which may address the issue quite elegantly.

Attached is a proposal patch, followed by sample fixes for two vulnerable modules. As far as I can tell, many more modules are vulnerable.

Sven Van Asbroeck (3):
  workqueue: Add resource-managed version of INIT_[DELAYED_]WORK()
  max17042_battery: fix potential use-after-free on module unload
  cap11xx: fix potential use-after-free on module unload

 drivers/input/keyboard/cap11xx.c        |  6 ++-
 drivers/power/supply/max17042_battery.c |  5 ++-
 include/linux/workqueue.h               |  7 ++++
 kernel/workqueue.c                      | 54 +++++++++++++++++++++++++
 4 files changed, 70 insertions(+), 2 deletions(-)

-- 
2.17.1
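The failure mode and the proposed fix, as an added user-space model that is not code from this series or from the kernel: a driver queues work and is then unloaded, and a devres-style action (the `devm_init_work_m()` stand-in here, like the `*_m` helpers, `drv_priv` and `simulate_insmod_rmmod()`, is a constructed name that only mimics the kernel API) cancels the work at device release so it can no longer run after the module is gone.

```c
/* Added example, not code from this series or the kernel: a user-space model
 * of the bug (work still pending across rmmod) and of the proposed
 * resource-managed INIT_WORK(). The *_m helpers only mimic kernel APIs. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct work_struct { void (*func)(struct work_struct *); };
struct device { void (*release)(void *); void *release_data; };
static struct work_struct *wq_pending;	/* model workqueue: a single slot */
static bool module_loaded;
static int runs_after_unload;

static void schedule_work_m(struct work_struct *w) { wq_pending = w; }
static void cancel_work_sync_m(struct work_struct *w) { if (wq_pending == w) wq_pending = NULL; }
/* The worker thread wakes up later and runs whatever is still pending. */
static void run_workqueue_m(void) { struct work_struct *w = wq_pending; wq_pending = NULL; if (w) w->func(w); }
/* devres model: one release action, run when the device is torn down. */
static void devm_add_action_m(struct device *d, void (*f)(void *), void *arg) { d->release = f; d->release_data = arg; }
static void devm_work_release(void *w) { cancel_work_sync_m(w); }
/* The proposal's idea: INIT_WORK() plus a devres action that cancels the work on release. */
static void devm_init_work_m(struct device *d, struct work_struct *w, void (*fn)(struct work_struct *))
{ w->func = fn; devm_add_action_m(d, devm_work_release, w); }
struct drv_priv { struct work_struct work; int events; };	/* driver private data */
static void drv_work_fn(struct work_struct *w)
{
	struct drv_priv *p = container_of(w, struct drv_priv, work);
	p->events++;					/* kernel: driver memory, already freed */
	if (!module_loaded) runs_after_unload++;	/* kernel: handler code, already unmapped */
}

/* Returns how often the handler ran after rmmod: 1 unmanaged, 0 managed.
 * priv is freed only after observing, so the model itself stays well-defined. */
static int simulate_insmod_rmmod(bool managed)
{
	struct device dev = { 0 };
	struct drv_priv *priv = calloc(1, sizeof(*priv));	/* devm_kzalloc() in the kernel */
	wq_pending = NULL; runs_after_unload = 0; module_loaded = true;
	if (managed) devm_init_work_m(&dev, &priv->work, drv_work_fn);
	else priv->work.func = drv_work_fn;		/* plain INIT_WORK(), nothing in remove() */
	schedule_work_m(&priv->work);			/* probe() or an IRQ queues the work */
	if (dev.release) dev.release(dev.release_data);	/* rmmod: devres actions run ... */
	module_loaded = false;				/* ... then the module is gone ... */
	run_workqueue_m();				/* ... and the worker runs the stale item */
	int ran = runs_after_unload;
	free(priv);
	return ran;
}
```

The same cancellation has to happen for delayed work, where the window between rmmod and the timer firing is wider and the race correspondingly easier to hit.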