leds: turn off the LED and wait for completion on unregistering LED class device
authorMilo Kim <milo.kim@ti.com>
Fri, 20 Nov 2015 08:03:00 +0000 (17:03 +0900)
committerJacek Anaszewski <j.anaszewski@samsung.com>
Mon, 4 Jan 2016 08:57:37 +0000 (09:57 +0100)
commitd1aa577f5e191d77d3ad62da93729b5af9532bb4
tree509709b642037828e9f24ba7d4287bd18a111990
parentabc196359bf91a53392d8fac272a4ea8a9ecc0c4
leds: turn off the LED and wait for completion on unregistering LED class device

Workqueue, 'set_brightness_work' is used for scheduling brightness control.
This workqueue is canceled when the LED class device is unregistered.
Currently, LED subsystem handles like below.

  cancel_work_sync(&led_cdev->set_brightness_work)
  led_set_brightness(led_cdev, LED_OFF)

However, this could be a problem.
Workqueue is going to be canceled but LED device needs to be off.
The worst case is null pointer access due to scheduling a workqueue.

LED module is loaded.
  LED driver private data is allocated by using devm_zalloc().

LED module is unloaded.
  led_classdev_unregister() is called.
    cancel_work_sync()
      led_set_brightness(led_cdev, LED_OFF)
        schedule_work() if LED driver uses brightness_set_blocking()
        In the meantime, driver private data will be freed.

        ..scheduling..

        brightness_set_blocking() callback is invoked.
          For the brightness control, LED driver tries to access private
          data but resource is removed!

To avoid this problem, LED subsystem should turn off the brightness first
and wait for completion.

  led_set_brightness(led_cdev, LED_OFF)
  flush_work(&led_cdev->set_brightness_work)

It guarantees that LED driver turns off the brightness prior to
resource management.

Cc: linux-leds@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Milo Kim <milo.kim@ti.com>
Signed-off-by: Jacek Anaszewski <j.anaszewski@samsung.com>
drivers/leds/led-class.c