From: Sven Van Asbroeck
Date: Tue, 5 Feb 2019 14:12:31 -0500
Subject: Re: [RFC v1 0/3] Address potential user-after-free on module unload
To: Greg KH
Cc: Kees Cook, Tejun Heo, Lai Jiangshan, LKML, Sebastian Reichel, Dmitry Torokhov
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Feb 5, 2019 at 1:43 PM Greg KH wrote:
>
> It really should happen when the device is removed (if it is a driver
> that binds to a device.)

Absolutely. That's why I'm advocating adding a devm_init_work(), which
will take care of this automatically. But it's of course not universally
applicable. Not all drivers use devm.

> If this is not a driver, then there should be
> some way to scan that cancel_work_sync() is never called or not, right?

Are you saying the same thing as Kees, that ideally there should be
infrastructure that WARN()s if work isn't cleaned up properly?

I guess for that to work, the code would need to 'know' what resources
the work function is touching. And warn if one of the resources is freed
without cancelling the work.

Also, cancel_work_sync() is only really needed when running the work on
a global or shared workqueue. If it's a private one, then
destroy_workqueue() is good enough to cancel the work.

Sounds like more of a job for static code analysis? Coccinelle?
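
Added example, not part of the original message and not existing kernel tooling: a rough, file-local Python heuristic for the scan discussed above. It flags work items initialised with INIT_WORK() that are never passed to cancel_work_sync(), unless the file only queues them on a private workqueue that it destroys. The driver fragments and all `foo_*` names are constructed for illustration.

```python
import re

# Heuristic, file-local check: a work item is set up with INIT_WORK() but the
# same file never waits for it before the owning object can be freed.
INIT = re.compile(r"\bINIT_(?:DELAYED_)?WORK\s*\(\s*&\s*([\w.>-]+)")
CANCEL = re.compile(r"\bcancel_(?:delayed_)?work_sync\s*\(\s*&\s*([\w.>-]+)")
SHARED = re.compile(r"\bschedule_(?:delayed_)?work\s*\(\s*&\s*([\w.>-]+)")

def _members(pattern, source):
    # Reduce "&priv->irq_work" to "irq_work" so probe/remove spellings match.
    return {re.split(r"->|\.", m.group(1))[-1] for m in pattern.finditer(source)}

def unsynced_work(source):
    """Return work members that are initialised but never visibly cancelled."""
    cancelled = _members(CANCEL, source)
    shared = _members(SHARED, source)
    private_teardown = "destroy_workqueue(" in source
    findings = []
    for member in sorted(_members(INIT, source)):
        if member in cancelled:
            continue
        # Work only ever queued on a private workqueue is covered by
        # destroy_workqueue(); work on the shared queue is not.
        if private_teardown and member not in shared:
            continue
        findings.append(member)
    return findings

# Constructed driver fragments (not from any real driver).
SHARED_NO_CANCEL = """
static int foo_probe(struct platform_device *pdev)
{ INIT_WORK(&priv->irq_work, foo_irq_work); return 0; }
static irqreturn_t foo_irq(int irq, void *p)
{ schedule_work(&priv->irq_work); return IRQ_HANDLED; }
static int foo_remove(struct platform_device *pdev)
{ kfree(priv); return 0; }
"""
SHARED_CANCELLED = SHARED_NO_CANCEL.replace(
    "kfree(priv);", "cancel_work_sync(&priv->irq_work); kfree(priv);")
PRIVATE_QUEUE = """
INIT_WORK(&priv->tx_work, foo_tx_work);
queue_work(priv->wq, &priv->tx_work);
destroy_workqueue(priv->wq);
"""

if __name__ == "__main__":
    for name in ("SHARED_NO_CANCEL", "SHARED_CANCELLED", "PRIVATE_QUEUE"):
        print(name, unsynced_work(globals()[name]))
```

The check is purely textual: it does not see work queued through queue_work() on a system workqueue, or teardown done in another file, so a hit is a prompt for review rather than proof of a use-after-free.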