Re: [RFC v1 0/3] Address potential use-after-free on module unload

From: Sven Van Asbroeck
Date: Tue Feb 05 2019 - 14:12:45 EST


On Tue, Feb 5, 2019 at 1:43 PM Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> It really should happen when the device is removed (if it is a driver
> that binds to a device.)

Absolutely. That's why I'm advocating adding a devm_init_work(),
which will take care of this automatically.

But it's of course not universally applicable. Not all drivers use devm.

> If this is not a driver, then there should be
> some way to scan that cancel_work_sync() is never called or not, right?

Are you saying the same thing as Kees, that ideally there should be
infrastructure that WARN()s if work isn't cleaned up properly?

I guess for that to work, the code would need to 'know' what resources
the work function is touching. And warn if one of the resources is freed
without cancelling the work.

Also, cancel_work_sync() is only really needed when running the work
on a global or shared workqueue. If it's a private one, then destroy_workqueue()
is good enough to cancel the work.

Sounds like more of a job for static code analysis? Coccinelle?
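As an illustration of the static-analysis idea raised at the end of this message, here is an added Coccinelle semantic patch; it is not part of the thread and not something the RFC or the kernel ships. It flags platform drivers whose probe callback calls INIT_WORK() but whose remove callback never calls cancel_work_sync() or destroy_workqueue(), which is exactly the shape of the module-unload use-after-free under discussion. The file name, the rule names, and the devm heuristic are assumptions made for this example; the proposed devm_init_work() does not exist, so the script instead treats a devm_add_action_or_reset() in probe as "cleanup is probably handled" and stays quiet in that case.

```coccinelle
// Added example, not from the thread: report platform drivers that
// INIT_WORK() in probe but never cancel that work on remove.
// Heuristic only: it looks at the driver's own probe/remove pair, accepts
// destroy_workqueue() as sufficient (private workqueue case), and assumes
// a devm_add_action_or_reset() in probe means the cleanup is devm-managed.
// Every hit still needs a human look.
virtual report

// Pair up the probe and remove callbacks of a platform driver.
// The designated initializer is matched with .probe listed before .remove,
// which is the usual kernel convention.
@drv@
identifier d, probefn, removefn;
@@
struct platform_driver d = {
	...,
	.probe = probefn,
	...,
	.remove = removefn,
	...
};

// Does probe set up a work item on some (possibly shared) workqueue?
@haswork depends on drv@
identifier drv.probefn;
expression w, fn;
@@
probefn(...) {
	<+...
	INIT_WORK(w, fn)
	...+>
}

// Assumed heuristic: a devm action registered in probe is taken to be the
// cleanup hook (the devm_init_work()-style approach), so do not report.
@devm depends on haswork@
identifier drv.probefn;
@@
probefn(...) {
	<+...
	devm_add_action_or_reset(...)
	...+>
}

// Remove neither cancels the work synchronously nor tears down a private
// workqueue: the work function can still run after the driver data is gone.
@nocancel depends on haswork && !devm@
identifier drv.removefn;
position p;
@@
removefn@p(...) {
	... when != cancel_work_sync(...)
	    when != destroy_workqueue(...)
}

@script:python depends on report@
p << nocancel.p;
@@
coccilib.report.print_report(p[0],
	"INIT_WORK() in probe but remove never cancels the work: possible use-after-free on unbind/unload")
```

Run it against a kernel tree with something like `spatch --sp-file missing_cancel_work.cocci --dir drivers/ -D report` (file name assumed). Two caveats a reviewer would want: delayed work (INIT_DELAYED_WORK()/cancel_delayed_work_sync()) and work set up outside probe are not covered and need their own rules, and the devm rule can both hide real bugs (the devm action may be cleaning up something else) and cannot see a cancel done in a shared helper called from remove, so treat the output as a worklist rather than a verdict.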