Hi Sven,

On Sun, Feb 10, 2019 at 12:43:21PM -0500, Sven Van Asbroeck wrote:
> Hi Dmitry,
>
> On Thu, Feb 7, 2019 at 5:46 PM Dmitry Torokhov
> <dmitry.torokhov@xxxxxxxxx> wrote:
> >
> > We should be using flush_delayed_work() instead of flush_work() in
> > matrix_keypad_stop() to ensure that we are not missing work that is
> > scheduled but not yet put in the workqueue (i.e. its delay timer has not
> > expired yet).
> >
>
> Could the following scenario cause a use-after-free?
> (I am adding comments on lines starting with -->)
>
> a) user closes the device handle:
>
> static void matrix_keypad_stop(struct input_dev *dev)
> {
>         struct matrix_keypad *keypad = input_get_drvdata(dev);
>
>         spin_lock_irq(&keypad->lock);
>         keypad->stopped = true;
>         spin_unlock_irq(&keypad->lock);
>
>         flush_work(&keypad->work.work);
> -->
> --> new interrupt comes in, and schedules new delayed keypad->work (1)

It will not schedule new work because we check keypad->stopped flag in ISR.

Thanks.

-- 
Dmitry
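The two points in this exchange (flush_work() cannot see work whose delay timer has not fired yet, and the ISR refuses to schedule once the stopped flag is set) can be shown in a small single-threaded model. The block below is an added example written for this page; it is not the matrix_keypad driver's code nor the kernel's workqueue implementation, and every sim_* name and the scenario functions are constructed for illustration. The real driver reads keypad->stopped under keypad->lock; the model is single-threaded, so no lock is needed.

```c
/* Constructed model of "delayed work" vs. plain work, to show what a plain
 * flush_work() can miss and why the stopped-flag check in the ISR matters.
 * Added example; not the kernel's or the driver's code. */
#include <stdbool.h>
#include <stdio.h>

/* Loosely mirrors struct delayed_work: the work is either sitting on its
 * delay timer (not yet on the workqueue) or queued and ready to run. */
struct sim_delayed_work {
    bool timer_pending;   /* delay timer armed, work NOT yet on the workqueue */
    bool queued;          /* on the workqueue, visible to flush_work() */
    int  runs;            /* how many times the handler has executed */
};

struct sim_keypad {
    bool stopped;                   /* stands in for keypad->stopped */
    struct sim_delayed_work work;   /* stands in for keypad->work */
};

/* schedule_delayed_work(): arms the timer; nothing is queued yet. */
static void sim_schedule_delayed_work(struct sim_delayed_work *w)
{
    if (!w->queued)
        w->timer_pending = true;
}

/* Timer expiry: the work moves from the timer onto the workqueue. */
static void sim_timer_fire(struct sim_delayed_work *w)
{
    if (w->timer_pending) {
        w->timer_pending = false;
        w->queued = true;
    }
}

/* The workqueue runs one queued item. */
static void sim_run_queued(struct sim_delayed_work *w)
{
    if (w->queued) {
        w->queued = false;
        w->runs++;
    }
}

/* flush_work(): waits only for work already on the workqueue.
 * A still-armed delay timer is invisible to it. */
static void sim_flush_work(struct sim_delayed_work *w)
{
    sim_run_queued(w);
}

/* flush_delayed_work(): forces a pending timer to expire (queueing the
 * work) and then flushes, so nothing is left behind. */
static void sim_flush_delayed_work(struct sim_delayed_work *w)
{
    sim_timer_fire(w);
    sim_run_queued(w);
}

/* ISR path: once stopped is set, no new work is scheduled. */
static void sim_keypad_interrupt(struct sim_keypad *kp)
{
    if (kp->stopped)
        return;
    sim_schedule_delayed_work(&kp->work);
}

/* Two variants of the stop routine. Each returns 1 if any work is still
 * pending (armed timer or queued item) after the flush, 0 if fully drained. */
static int sim_stop_with_flush_work(struct sim_keypad *kp)
{
    kp->stopped = true;
    sim_flush_work(&kp->work);
    return (kp->work.timer_pending || kp->work.queued) ? 1 : 0;
}

static int sim_stop_with_flush_delayed_work(struct sim_keypad *kp)
{
    kp->stopped = true;
    sim_flush_delayed_work(&kp->work);
    return (kp->work.timer_pending || kp->work.queued) ? 1 : 0;
}

/* Scenario 1: an interrupt arms the timer just before stop; flush_work()
 * returns with the timer still armed. Returns 1 (work left pending). */
static int scenario_flush_work_misses_armed_timer(void)
{
    struct sim_keypad kp = { .stopped = false, .work = { false, false, 0 } };
    sim_keypad_interrupt(&kp);
    return sim_stop_with_flush_work(&kp);
}

/* Scenario 2: same race, but flush_delayed_work() drains it. Returns 0. */
static int scenario_flush_delayed_work_drains(void)
{
    struct sim_keypad kp = { .stopped = false, .work = { false, false, 0 } };
    sim_keypad_interrupt(&kp);
    return sim_stop_with_flush_delayed_work(&kp);
}

/* Scenario 3: an interrupt after stop schedules nothing. Returns 0. */
static int scenario_isr_after_stop_is_ignored(void)
{
    struct sim_keypad kp = { .stopped = false, .work = { false, false, 0 } };
    sim_stop_with_flush_delayed_work(&kp);
    sim_keypad_interrupt(&kp);
    return (kp.work.timer_pending || kp.work.queued) ? 1 : 0;
}

int main(void)
{
    printf("flush_work leaves pending work:     %d\n", scenario_flush_work_misses_armed_timer());
    printf("flush_delayed_work leaves pending: %d\n", scenario_flush_delayed_work_drains());
    printf("ISR after stop schedules work:     %d\n", scenario_isr_after_stop_is_ignored());
    return 0;
}
```

Scenario 1 is the case the original patch addresses: with flush_work() the armed timer survives the stop and fires later against a device that is being torn down; scenario 3 is the case Sven raised, where the stopped-flag check in the ISR is what prevents any fresh work from being scheduled after stop.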