Commit 7abf400b authored by Milo Kim's avatar Milo Kim Committed by Kleber Sacilotto de Souza

leds: turn off the LED and wait for completion on unregistering LED class device

BugLink: https://bugs.launchpad.net/bugs/1811077

commit d1aa577f upstream.

Workqueue, 'set_brightness_work' is used for scheduling brightness control.
This workqueue is canceled when the LED class device is unregistered.
Currently, LED subsystem handles like below.

  cancel_work_sync(&led_cdev->set_brightness_work)
  led_set_brightness(led_cdev, LED_OFF)

However, this could be a problem.
Workqueue is going to be canceled but LED device needs to be off.
The worst case is null pointer access due to scheduling a workqueue.

LED module is loaded.
  LED driver private data is allocated by using devm_zalloc().

LED module is unloaded.
  led_classdev_unregister() is called.
    cancel_work_sync()
      led_set_brightness(led_cdev, LED_OFF)
        schedule_work() if LED driver uses brightness_set_blocking()
        In the meantime, driver private data will be freed.

        ..scheduling..

        brightness_set_blocking() callback is invoked.
          For the brightness control, LED driver tries to access private
          data but resource is removed!

To avoid this problem, LED subsystem should turn off the brightness first
and wait for completion.

  led_set_brightness(led_cdev, LED_OFF)
  flush_work(&led_cdev->set_brightness_work)

It guarantees that LED driver turns off the brightness prior to
resource management.

Cc: linux-leds@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: default avatarMilo Kim <milo.kim@ti.com>
Signed-off-by: default avatarJacek Anaszewski <j.anaszewski@samsung.com>
Signed-off-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
parent 773a3e58
...@@ -247,12 +247,13 @@ void led_classdev_unregister(struct led_classdev *led_cdev) ...@@ -247,12 +247,13 @@ void led_classdev_unregister(struct led_classdev *led_cdev)
up_write(&led_cdev->trigger_lock); up_write(&led_cdev->trigger_lock);
#endif #endif
cancel_work_sync(&led_cdev->set_brightness_work);
/* Stop blinking */ /* Stop blinking */
led_stop_software_blink(led_cdev); led_stop_software_blink(led_cdev);
led_set_brightness(led_cdev, LED_OFF); led_set_brightness(led_cdev, LED_OFF);
flush_work(&led_cdev->set_brightness_work);
device_unregister(led_cdev->dev); device_unregister(led_cdev->dev);
down_write(&leds_list_lock); down_write(&leds_list_lock);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment