Hi Sven, On Mon, Feb 04, 2019 at 05:09:52PM -0500, Sven Van Asbroeck wrote: > The work which is scheduled by led_classdev->brightness_set() is > potentially left pending or running until after the driver module > is unloaded. > > Fix by using resource-controlled version of INIT_WORK().
I believe this is wrong way of fixing this. The LED classdev objects are refcounted, and may live beyond the point where we unwibd devm stack, so we are still left with the same use-after-free that we currently have. This is a general issue with LED subsystem as it provides no callback for properly tearing down device structures, but I think in this particular case we can simply switch from set_brightness() to set_brightness_blocking() which will use the work item internal to the LED classdev and that one is being shut down properly. Jacek, does the above sound right? Thanks. -- Dmitry
