From: Johan Hovold <johan@kernel.org>
To: Wolfram Sang <wsa+renesas@sang-engineering.com>
Cc: Andi Shyti <andi.shyti@kernel.org>,
	linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org,
	Johan Hovold <johan@kernel.org>,
	stable@vger.kernel.org, Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
Subject: [PATCH v3 03/10] i2c: core: fix NULL-deref on adapter registration failure
Date: Mon, 11 May 2026 16:37:08 +0200
Message-ID: <20260511143715.729714-4-johan@kernel.org>
In-Reply-To: <20260511143715.729714-1-johan@kernel.org>

If adapter registration ever fails the release callback would trigger a
NULL-pointer dereference as the completion struct has not been
initialised.

Note that before the offending commit this would instead have resulted
in a minor memory leak of the adapter name.

Fixes: 3f8c4f5e9a57 ("i2c: core: fix reference leak in i2c_register_adapter()")
Cc: stable@vger.kernel.org
Cc: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/i2c/i2c-core-base.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c
index e42851a10098..fa9db415e219 100644
--- a/drivers/i2c/i2c-core-base.c
+++ b/drivers/i2c/i2c-core-base.c
@@ -1574,8 +1574,7 @@ static int i2c_register_adapter(struct i2c_adapter *adap)
 	res = device_add(&adap->dev);
 	if (res) {
 		pr_err("adapter '%s': can't register device (%d)\n", adap->name, res);
-		put_device(&adap->dev);
-		goto err_remove_irq_domain;
+		goto err_put_adap;
 	}
 
 	adap->debugfs = debugfs_create_dir(dev_name(&adap->dev), i2c_debugfs_root);
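
Review bot: at the "goto err_put_adap" in the device_add() failure branch, the ordering constraint that motivates the change is not recorded in the code. Per the commit message, the release callback uses adap->dev_released, so the final put_device() must not run before init_completion(); the removed put_device() call here violated that. A short comment at this goto (or above the err_put_adap label) stating that the last reference may only be dropped after the completion is initialised would keep a later cleanup from reintroducing an early put_device() on this path.
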
@@ -1608,10 +1607,12 @@ static int i2c_register_adapter(struct i2c_adapter *adap)
 out_reg:
 	i2c_deregister_clients(adap);
 	debugfs_remove_recursive(adap->debugfs);
+	device_del(&adap->dev);
+err_put_adap:
 	init_completion(&adap->dev_released);
-	device_unregister(&adap->dev);
+	put_device(&adap->dev);
 	wait_for_completion(&adap->dev_released);
-err_remove_irq_domain:
+
 	i2c_host_notify_irq_teardown(adap);
 out_list:
 	mutex_lock(&core_lock);
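
Review bot: init_completion(&adap->dev_released) at err_put_adap still runs only inside the unwind sequence, directly before the put_device() that depends on it, so the fix holds only as long as every reference drop goes through this label. Consider initialising the completion once, before the device can be released on any path, so that a future early exit cannot hit an uninitialised completion again. Two smaller points: with the err_remove_irq_domain label deleted, please confirm no other goto to it remains in the function, and the blank line added in its place before i2c_host_notify_irq_teardown() looks unintentional. It would also help to say in the commit message that device_unregister() is split into device_del() plus put_device() so that the device_add() failure path can skip device_del().
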
-- 
2.53.0


Thread overview: 23+ messages
2026-05-11 14:37 [PATCH v3 00/10] i2c: core: adapter registration fixes Johan Hovold
2026-05-11 14:37 ` [PATCH v3 01/10] i2c: core: fix irq domain leak on adapter registration failure Johan Hovold
2026-06-03  9:16   ` Wolfram Sang
2026-05-11 14:37 ` [PATCH v3 02/10] i2c: core: fix hang " Johan Hovold
2026-06-03  9:19   ` Wolfram Sang
2026-05-11 14:37 ` Johan Hovold [this message]
2026-06-03  9:27   ` [PATCH v3 03/10] i2c: core: fix NULL-deref " Wolfram Sang
2026-05-11 14:37 ` [PATCH v3 04/10] i2c: core: fix adapter probe deferral loop Johan Hovold
2026-06-03  9:32   ` Wolfram Sang
2026-05-11 14:37 ` [PATCH v3 05/10] i2c: core: fix adapter debugfs creation Johan Hovold
2026-06-03 13:14   ` Wolfram Sang
2026-05-11 14:37 ` [PATCH v3 06/10] i2c: core: disable runtime PM on adapter registration failure Johan Hovold
2026-06-03 13:19   ` Wolfram Sang
2026-05-11 14:37 ` [PATCH v3 07/10] i2c: core: fix adapter registration race Johan Hovold
2026-06-04  8:50   ` Wolfram Sang
2026-05-11 14:37 ` [PATCH v3 08/10] i2c: core: fix adapter deregistration race Johan Hovold
2026-06-04  8:50   ` Wolfram Sang
2026-05-11 14:37 ` [PATCH v3 09/10] i2c: core: clean up bus id allocation Johan Hovold
2026-06-04  9:55   ` Wolfram Sang
2026-05-11 14:37 ` [PATCH v3 10/10] i2c: core: clean up adapter registration error label Johan Hovold
2026-06-04  9:55   ` Wolfram Sang
2026-05-11 16:35 ` [PATCH v3 00/10] i2c: core: adapter registration fixes Wolfram Sang
2026-05-11 17:49   ` Johan Hovold
