Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp6243882imb;
        Fri, 8 Mar 2019 12:43:23 -0800 (PST)
X-Google-Smtp-Source: APXvYqxaDcnQJNBr+VdF/qPAkvhwrhcszwXS8sh0EYCiTcvsNGi0XzfgQy1PSmNhZDjNYlA/1kjL
X-Received: by 2002:a63:d64:: with SMTP id 36mr18051122pgn.360.1552077803561;
        Fri, 08 Mar 2019 12:43:23 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1552077803; cv=none;
        d=google.com; s=arc-20160816;
        b=ndAk6m/BNzhIT15ppmgyBhKvzFE9NdV/WD21174OEQwBXWrZa4GAZNNZMvruFizaTX
         yanZU7UfTfofhgqzY7WUV1HbtFrDRnQ7b8s0TExR7ZpBr8379pjsEf/poLM69nDTWDSi
         +BjddBgmlK24Uqvtuim30ddctxn4Bg5KfYSXP1O4mKRR4MFy/ocFbgNk1BPYE73gvtM7
         kyObsyXrE17lILOLFCpKcxe8p6EJZlmj50OHdDgM7tRQWaJiIe7hnYXOCCvS+xhho85d
         2J7ByxRBX1o7e2PLG1178uDPisoGdhT2P9lrgI6exy6EtI6DyHWXoVREYJeDKjLX9jiO
         z13g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=W8lGUjPbEQu9teMV5ANl/o9Y/y98QBUqlnzMraiGkKY=;
        b=JOS4Gzp/rMBL052ksadHokl2yOqfu1uQkaYeEBFnbn9yz7skTMb62FkHWOCNDs90uR
         9czNiiuVpZB+5GgWI0N9cHdcPq8H6ABIeMO69wa7k40uy40x52jXfvHjD/G8IsY6ebHF
         RN7+aLbCFl4ENY4dA9zApBEx+kMUWsSGxCFDYTSOeRhrHXDzjNMpeVEepD8QDT/UPtIa
         IFgLJZiIhGo4UsojdDcM3lZeAc60DuV8MfhyFNUE/emmZPjSN3XKcNqlRFyROWFo+/od
         fa39gJ7B7ssvYBFCzDKL/ItBah+pOqJJ8l5lZL2IWdNxKO78oELr5hhXAP+vLDsW9MCg
         5TVg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=jOblogg6;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n10si7123599pgm.181.2019.03.08.12.43.07;
        Fri, 08 Mar 2019 12:43:23 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=jOblogg6;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727123AbfCHUmR (ORCPT <rfc822;saikripd@gmail.com> + 99 others);
        Fri, 8 Mar 2019 15:42:17 -0500
Received: from mail-oi1-f196.google.com ([209.85.167.196]:39711 "EHLO
        mail-oi1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726960AbfCHUmR (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 8 Mar 2019 15:42:17 -0500
Received: by mail-oi1-f196.google.com with SMTP id b4so16898578oif.6;
        Fri, 08 Mar 2019 12:42:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=W8lGUjPbEQu9teMV5ANl/o9Y/y98QBUqlnzMraiGkKY=;
        b=jOblogg6CbTKYY5Nv0RFNqyTUXdiwZJoHog18g8fW6tvjt1+mTX4BoHWP+g9jL8qK8
         X2W5C2Pygzq7iF4Ot4OXxPwbcnMi5O74064pFpcRh+nw/hM11SFQ61zITr7rzdQmd9+I
         y1+Rf8Zg1008v9ZtvCs4JmKtehwj6857zWtHZrW1Eq+UT0gYH4f0X9qlBXaAoQwsAm6B
         /L002wT9h+/V6zVBrQIZ38CJTYYUZN5Y8VixBNCR5Pi8QKV1PZcAVVoepWSJR0j4GeDw
         /mnS6c/I0B1kT8gnA0+XOwq71pYsQ/x9gzfqHPm2+Mju4m9VgB13AySp+xs/yilSS+ZH
         xhNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=W8lGUjPbEQu9teMV5ANl/o9Y/y98QBUqlnzMraiGkKY=;
        b=gFWE8W29cAa3xdJvADAeGytiqMeEGkfrQBSCgOupudOJH5epIb6Dy3WBcx5ssUSAAT
         Dacfd8Wde75uDdTrzh88thdGyxU89iHD4Or9e0DCQQQ+MhLMCKjCT8fkItvhm4kn21vQ
         5At2T4Yjp4c7YSSM38TqFWIo2pcWdfHEYRHAygGLF6pxY1jtdaZQ3Qo66Zhm3nE9OVFe
         qgZmjpzySAsbst2IQGzsLid6QmghVRziVTriPg0k+0Gg9JxFLZcI8/jjqVBzRDAXJaGo
         20eAdUv+SuVNVVAUbJlqKJehB+tkpCl1Jv3xL29Pymzdnl0ra+gjcJpqvPfENMdygWyP
         Tv+Q==
X-Gm-Message-State: APjAAAU3vaGHgKZevGsl3B64GeHQYCh2jdoSDnXbqqG2GbOXwMtq2Edi
        8vjIKEBEpAqy/Bo+ILF8O4tkmNAHmwhQ2igkxRQ=
X-Received: by 2002:aca:5d0a:: with SMTP id r10mr9030356oib.92.1552077735703;
 Fri, 08 Mar 2019 12:42:15 -0800 (PST)
MIME-Version: 1.0
References: <20190308175935.21904-1-TheSven73@gmail.com> <20190308202936.GA32641@arch>
In-Reply-To: <20190308202936.GA32641@arch>
From:   Sven Van Asbroeck <thesven73@gmail.com>
Date:   Fri, 8 Mar 2019 15:42:04 -0500
Message-ID: <CAGngYiVgEDTQxynjPDMO_ZApAX6uyvUL+iqyK-QHnhDz=E4eCw@mail.gmail.com>
Subject: Re: [PATCH v2] iio: proximity: as3935: fix use-after-free on device remove
To:     Tomasz Duszynski <tduszyns@gmail.com>
Cc:     Jonathan Cameron <jic23@kernel.org>,
        Jonathan Cameron <jonathan.cameron@huawei.com>,
        Hartmut Knaack <knaack.h@gmx.de>,
        Lars-Peter Clausen <lars@metafoo.de>,
        Peter Meerwald-Stadler <pmeerw@pmeerw.net>,
        linux-iio@vger.kernel.org,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Matt Ranostay <matt.ranostay@konsulko.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Mar 8, 2019 at 3:30 PM Tomasz Duszynski <tduszyns@gmail.com> wrote:
>
> > @@ -368,7 +376,6 @@ static int as3935_probe(struct spi_device *spi)
> >
> >       spi_set_drvdata(spi, indio_dev);
> >       mutex_init(&st->lock);
> > -     INIT_DELAYED_WORK(&st->work, as3935_event_work);
>
> Any specific reason for moving this elsewhere?

Yes. On the remove path, cancel_delayed_work_sync() should execute after
free_irq(), but before triggered_buffer_cleanup(). So the devm_add_action()
must run right before devm_request_irq(). I figured it would make sense to
group the devm_add_action() and INIT_WORK() together, as they are
related. This also makes it easier to understand the probe/remove order
when reading the code.

> >
> >       ret = of_property_read_u32(np,
> >                       "ams,tuning-capacitor-pf", &st->tune_cap);
> > @@ -414,22 +421,27 @@ static int as3935_probe(struct spi_device *spi)
> >       iio_trigger_set_drvdata(trig, indio_dev);
> >       trig->ops = &iio_interrupt_trigger_ops;
> >
> > -     ret = iio_trigger_register(trig);
> > +     ret = devm_iio_trigger_register(&spi->dev, trig);
> >       if (ret) {
> >               dev_err(&spi->dev, "failed to register trigger\n");
> >               return ret;
> >       }
> >
> > -     ret = iio_triggered_buffer_setup(indio_dev, iio_pollfunc_store_time,
> > -             &as3935_trigger_handler, NULL);
> > +     ret = devm_iio_triggered_buffer_setup(&spi->dev, indio_dev,
> > +             iio_pollfunc_store_time, as3935_trigger_handler, NULL);
>
> You can fix arguments alignment while you are at it.
>

What type of alignment would you prefer? This?

        ret = devm_iio_triggered_buffer_setup(&spi->dev, indio_dev,
                                              iio_pollfunc_store_time,
                                              as3935_trigger_handler, NULL);