From: Dmitry Torokhov
Date: Thu, 7 Feb 2019 14:20:56 -0800
Subject: Re: [RFC v1 0/3] Address potential user-after-free on module unload
To: Sven Van Asbroeck
Cc: Kees Cook, Tejun Heo, Lai Jiangshan, LKML, Sebastian Reichel, Greg KH
List-ID: linux-kernel@vger.kernel.org

Hi Sven,

On Thu, Feb 7, 2019 at 1:49 PM Sven Van Asbroeck wrote:
>
> On Tue, Feb 5, 2019 at 9:57 AM Kees Cook wrote:
> >
> > Can a Coccinelle script get written to find module-use of the non-devm
> > work init?
>
> Ok so I hacked together a Coccinelle script to find these
> use-after-free issues,
> related to work left running when the device or module is removed.
>
> As far as I can see, these issues may crash/corrupt the kernel even on
> _device_ remove/unplug. Users don't need root for that...
>
> I got 71 hits. At least one is a false positive.
> 34 out of 71 could benefit from devm_init_work().

...

> ./drivers//input/serio/ps2-gpio.c:412:1-18: missing clean-up of
> INIT_WORK/INIT_DELAYED_WORK initialized here (maybe use devm_)

OK, this seems to be a real issue. We need to make sure we flush the TX
work inside ps2_gpio_close().

> ./drivers//input/keyboard/matrix_keypad.c:512:1-18: missing clean-up
> of INIT_WORK/INIT_DELAYED_WORK initialized here

This is not as simple. The work in question is scheduled from
matrix_keypad_start(), and matrix_keypad_stop() uses flush_work() to make
sure the currently running instance completes, after making sure that it
will not be rescheduled. And matrix_keypad_stop() is guaranteed to be
called by the input core when the input device is being unregistered, if
the input device was opened. So in effect we do not actually leak work
past driver remove().

Thanks.

-- 
Dmitry
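Sven's script is not included in the thread. The following is an added example of how a Coccinelle (SmPL) semantic patch for the class of issue discussed above can be written; it is not Sven's script and not part of the kernel tree. It reports an INIT_WORK/INIT_DELAYED_WORK on a struct member inside a function whose name ends in "probe" when no cancel or flush of that same member name appears anywhere in the file. The rule names, the "probe$" name constraint and the list of clean-up calls are assumptions chosen for the example.

```cocci
// Added example semantic patch (not the thread's script).
// Run with:  spatch -D report --sp-file work_cleanup.cocci --dir drivers/input
virtual report

// Step 1: find work items initialized on a struct member inside a *probe().
// The "probe$" regex on the function name is an assumption of this example.
@initwork@
identifier probe =~ "probe$";
expression E;
identifier f;
position p;
@@
probe(...) {
	... when any
(
	INIT_WORK@p(&E->f, ...);
|
	INIT_DELAYED_WORK@p(&E->f, ...);
)
	... when any
}

// Step 2: any of these calls on the same member name, anywhere in the file,
// counts as clean-up. Matching on the member name f rather than on the whole
// expression tolerates a differently named local pointer in remove()/close()
// (e.g. "priv" in probe vs. "drvdata" in remove). The list is an assumption.
@cleanup@
expression E;
identifier initwork.f;
@@
(
	cancel_work_sync(&E->f)
|
	cancel_delayed_work_sync(&E->f)
|
	flush_work(&E->f)
|
	flush_delayed_work(&E->f)
|
	flush_work(&E->f.work)
)

// Step 3: report each initialization for which no clean-up was found.
@script:python depends on report && initwork && !cleanup@
p << initwork.p;
@@
coccilib.report.print_report(p[0],
    "missing clean-up of INIT_WORK/INIT_DELAYED_WORK initialized here (maybe use devm_)")
```

Two caveats that follow directly from the discussion above: a file-wide match cannot tell whether the flush or cancel sits on a path the core guarantees to run before the device goes away (the matrix_keypad case, where the clean-up lives in the input device's stop callback rather than in remove()), so every hit still needs a manual reading of the teardown path; and a flush alone is only sufficient when the driver has first ensured the work cannot re-arm itself, otherwise flush_work() can return while a freshly rescheduled instance is still pending.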