Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp2281214imj;
        Sun, 10 Feb 2019 23:26:42 -0800 (PST)
X-Google-Smtp-Source: AHgI3IbAv4TxWV7xVqoPWN+v1d72RC/ldmlEFXaDcXiT0WRBRUbr7bHT2KUIVs8eiSicoHHle4U2
X-Received: by 2002:a17:902:8504:: with SMTP id bj4mr27218405plb.200.1549870002742;
        Sun, 10 Feb 2019 23:26:42 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1549870002; cv=none;
        d=google.com; s=arc-20160816;
        b=MfcITrit0t9ijYbb3NaFeuqiuyW3ED5DxVeiPvyso5iOejbBBzj2zI55u9z3DWvj6W
         ZA0ghvKCTfm98tgZ3xNL7t0KXMmR+kLEa9Osp+Mxu5Iy89RwdwvRpJViQQRD60zTVFJ0
         HC1mUBcSXkVTc5Yn4HeK36BmBJFr1nTtSm7siBhshvlIobPTKCmlj6zmgpnTJIwSg/2r
         yrPlpDGnXFVCgqrox2n8qno9T2+b5qdjHSB94LogeFWynrEW4SjT7bMybGV/LSlrwCAE
         FMiTJrl6ltw44C7OiHSTf5LJVZAJzrh/6VX5dae/k+pUkQe5L5VdFh1SsB71oQ61KhGi
         1UNQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :organization:references:in-reply-to:message-id:subject:cc:to:from
         :date;
        bh=NmgGYt7EPC+d2FwxvFdL1ibCW0f4Tc5eI7miiRWkvKc=;
        b=du6atA3SfVJk9/0/VYtDoalRr9jJ7p1WnKx9eHkenLYPyEw4fBPTBRqIjK8nMIYTBf
         ZRSdLzmXMCV19PhTYO2H7UTJwbT0ZS+3fD7Bp1wmjZiHFt+HFNVCzbgnHI2lhF7EYsYL
         MxlyDxQEiAMEEmITVWMa0HDh1nMmqPviRYqoaCLc82SJ626ijfk+V7CktRSZ2zy1ZpSl
         9vVvJoMFWIdSxAxjwqOv2Y/IUSM1lNo5R1uGKo16D1+MI3/GGUeEqJTCk4GRkwQ3OXZ5
         k7Ba/qe9bLdTx+/CFtm7GGQFfhwhReRQPcyc0Hug7M2WcMizLNKLp0K70ej4ReNtWQkA
         mYBA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l3si7896277pgp.285.2019.02.10.23.26.26;
        Sun, 10 Feb 2019 23:26:42 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726025AbfBKH0V (ORCPT <rfc822;jekfish0@gmail.com> + 99 others);
        Mon, 11 Feb 2019 02:26:21 -0500
Received: from protonic.xs4all.nl ([83.163.252.89]:38889 "EHLO protonic.nl"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1725939AbfBKH0V (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 11 Feb 2019 02:26:21 -0500
Received: from erd987 (erd987.prtnl [192.168.237.3])
        by sparta (Postfix) with ESMTP id 2CA3F44A00D2;
        Mon, 11 Feb 2019 08:27:36 +0100 (CET)
Date:   Mon, 11 Feb 2019 08:26:19 +0100
From:   Robin van der Gracht <robin@protonic.nl>
To:     Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
Cc:     Sven Van Asbroeck <thesven73@gmail.com>, Tejun Heo <tj@kernel.org>,
        Lai Jiangshan <jiangshanlai@gmail.com>,
        Sebastian Reichel <sre@kernel.org>,
        Dmitry Torokhov <dmitry.torokhov@gmail.com>,
        Kees Cook <keescook@chromium.org>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] auxdisplay: ht16k33: fix potential user-after-free on
 module unload
Message-ID: <20190211082619.14d3f6f1@erd987>
In-Reply-To: <20190209001522.GA11769@gmail.com>
References: <20190209001522.GA11769@gmail.com>
Organization: Protonic Holland
X-Mailer: Claws Mail 3.17.1 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, 9 Feb 2019 01:15:22 +0100
Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> wrote:

> On module unload/remove, we need to ensure that work does not run
> after we have freed resources. Concretely, cancel_delayed_work()
> may return while the callback function is still running.
> 
> From kernel/workqueue.c:
> 
>     The work callback function may still be running on return,
>     unless it returns true and the work doesn't re-arm itself.
>     Explicitly flush or use cancel_delayed_work_sync() to wait on it.
> 
> Link: https://lore.kernel.org/lkml/20190204220952.30761-1-TheSven73@googlemail.com/
> Reported-by: Sven Van Asbroeck <thesven73@gmail.com>
> Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
> ---
>  drivers/auxdisplay/ht16k33.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/auxdisplay/ht16k33.c b/drivers/auxdisplay/ht16k33.c
> index a43276c76fc6..21393ec3b9a4 100644
> --- a/drivers/auxdisplay/ht16k33.c
> +++ b/drivers/auxdisplay/ht16k33.c
> @@ -509,7 +509,7 @@ static int ht16k33_remove(struct i2c_client *client)
>  	struct ht16k33_priv *priv = i2c_get_clientdata(client);
>  	struct ht16k33_fbdev *fbdev = &priv->fbdev;
>  
> -	cancel_delayed_work(&fbdev->work);
> +	cancel_delayed_work_sync(&fbdev->work);
>  	unregister_framebuffer(fbdev->info);
>  	framebuffer_release(fbdev->info);
>  	free_page((unsigned long) fbdev->buffer);

Looks good

Acked-by: Robin van der Gracht <robin@protonic.nl>