From: Romain Gantois <romain.gantois@bootlin.com>
To: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>,
	Kory Maincent <kory.maincent@bootlin.com>,
	linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org,
	devicetree@vger.kernel.org, linux-media@vger.kernel.org,
	linux-gpio@vger.kernel.org,
	Wolfram Sang <wsa+renesas@sang-engineering.com>,
	Luca Ceresoli <luca.ceresoli@bootlin.com>,
	Andi Shyti <andi.shyti@kernel.org>, Rob Herring <robh@kernel.org>,
	Krzysztof Kozlowski <krzk+dt@kernel.org>,
	Conor Dooley <conor+dt@kernel.org>,
	Derek Kiernan <derek.kiernan@amd.com>,
	Dragan Cvetic <dragan.cvetic@amd.com>,
	Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Mauro Carvalho Chehab <mchehab@kernel.org>,
	Linus Walleij <linus.walleij@linaro.org>,
	Bartosz Golaszewski <brgl@bgdev.pl>,
	Cosmin Tanislav <demonsingur@gmail.com>
Subject: Re: [PATCH v3 8/9] i2c: Support dynamic address translation
Date: Mon, 09 Dec 2024 13:42:29 +0100	[thread overview]
Message-ID: <3255950.5fSG56mABF@fw-rgant> (raw)
In-Reply-To: <141bbac1-5289-4335-a566-387721439bef@ideasonboard.com>

Hi Tomi,

On Friday, 29 November 2024 10:54:35 Central European Standard Time Tomi
Valkeinen wrote:
> Hi Romain,
> 
> On 25/11/2024 10:45, Romain Gantois wrote:
> > The i2c-atr module keeps a list of associations between I2C client aliases
...
> > i2c_atr_dynamic_attach/detach_addr from racing with the bus notifier
> > handler to modify alias_list.
> > 
> > Signed-off-by: Romain Gantois <romain.gantois@bootlin.com>
> > ---
> > 
> >   drivers/i2c/i2c-atr.c         | 244
> >   ++++++++++++++++++++++++++++++++----------
> >   drivers/media/i2c/ds90ub960.c |   2 +-
> >   include/linux/i2c-atr.h       |  13 ++-
> >   3 files changed, 202 insertions(+), 57 deletions(-)
> 
> This fails with:
> 
> WARNING: CPU: 1 PID: 360 at lib/list_debug.c:35
> __list_add_valid_or_report+0xe4/0x100
> 
> as the i2c_atr_create_c2a() calls list_add(), but i2c_atr_attach_addr(),
> which is changed to use i2c_atr_create_c2a(), also calls list_add().
> 
> Also, if you add i2c_atr_create_c2a() which hides the allocation and
> list_add, I think it makes sense to add a i2c_atr_destroy_c2a() to
> revert that.
> 
> There's also a memory error "BUG: KASAN: slab-use-after-free in
> __lock_acquire+0xc4/0x375c" (see below) when unloading the ub960 or
> ub953 driver. I haven't looked at that yet.

I think I've found what's causing this KASAN splat.  i2c_atr_del_adapter is
freeing its alias pool before setting atr->adapter[chan_id] to NULL. So
there's a time window during which bus notifications can trigger a call
to i2c_atr_attach_addr, leading to a UAF on the alias pool struct.

I'll fix this in v4.

Thanks,

-- 
Romain Gantois, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
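The teardown ordering Romain describes, as an added example written here in C; it is not the i2c-atr code or anything from the patch series. The structures and the alias_pool_alloc(), alias_pool_release(), attach_addr(), del_adapter() and teardown_hits_uaf() helpers are hypothetical stand-ins. The model is single-threaded: the "concurrent" bus notification is injected at a fixed point between the two teardown steps, so the mutex that would serialize the notifier against teardown in a real driver is left out, and kfree() is replaced by a marker on the object so the late access is reported the way KASAN reports it instead of being undefined behaviour.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CHANS 4

/* Hypothetical, simplified stand-ins for the driver's structures. */
struct alias_pool {
	int size;
	bool released;	/* set instead of freeing, so a late access is detectable */
};

struct atr_chan {
	struct alias_pool *alias_pool;
};

struct atr {
	struct atr_chan *adapter[MAX_CHANS];	/* NULL when the adapter is gone */
};

static struct alias_pool *alias_pool_alloc(int size)
{
	struct alias_pool *p = calloc(1, sizeof(*p));

	if (p)
		p->size = size;
	return p;
}

/* Stand-in for kfree(): keep the object but mark it released, the way
 * KASAN's quarantine keeps a freed slab object around so a later access
 * is reported rather than silently hitting reused memory. */
static void alias_pool_release(struct alias_pool *p)
{
	p->released = true;
}

/* Stand-in for the bus-notifier path into i2c_atr_attach_addr(): look the
 * channel up by id and use its alias pool. Flags a fault and returns -EFAULT
 * if the pool it reaches has already been released. */
static int attach_addr(struct atr *atr, int chan_id, bool *uaf_hit)
{
	struct atr_chan *chan = atr->adapter[chan_id];

	if (!chan)
		return -ENODEV;	/* adapter already unpublished: safe no-op */
	if (chan->alias_pool->released) {
		*uaf_hit = true;
		return -EFAULT;
	}
	return 0;	/* a real driver would pick an alias from the pool here */
}

/* Teardown with a "concurrent" notification injected between its two steps.
 * buggy_order: release the pool, then clear the adapter slot, so a
 * notification in the window finds a live slot pointing at a dead pool.
 * Fixed order: clear the slot first, so the notification sees either a
 * live adapter or no adapter at all. */
static int del_adapter(struct atr *atr, int chan_id, bool buggy_order,
		       bool *uaf_hit)
{
	struct atr_chan *chan = atr->adapter[chan_id];
	int ret;

	*uaf_hit = false;
	if (!chan)
		return -ENODEV;

	if (buggy_order) {
		alias_pool_release(chan->alias_pool);
		ret = attach_addr(atr, chan_id, uaf_hit);	/* lands in the window */
		atr->adapter[chan_id] = NULL;
	} else {
		atr->adapter[chan_id] = NULL;
		ret = attach_addr(atr, chan_id, uaf_hit);	/* sees no adapter */
		alias_pool_release(chan->alias_pool);
	}
	free(chan->alias_pool);
	free(chan);
	return ret;
}

/* Build a one-channel ATR, tear it down in the requested order and report
 * whether the injected notification touched a released alias pool. */
static bool teardown_hits_uaf(bool buggy_order)
{
	struct atr atr = { { 0 } };
	struct atr_chan *chan = calloc(1, sizeof(*chan));
	bool uaf_hit = false;

	chan->alias_pool = alias_pool_alloc(8);
	atr.adapter[0] = chan;
	del_adapter(&atr, 0, buggy_order, &uaf_hit);
	return uaf_hit;
}

int main(void)
{
	printf("release-then-clear hits UAF: %s\n",
	       teardown_hits_uaf(true) ? "yes" : "no");
	printf("clear-then-release hits UAF: %s\n",
	       teardown_hits_uaf(false) ? "yes" : "no");
	return 0;
}
```

The point the model makes is that the slot in atr->adapter[] is what publishes the alias pool to the notifier, so it has to be withdrawn before the pool is freed; in a real driver both the withdrawal and the notifier's lookup also have to run under the same lock, otherwise a lookup that started just before the slot was cleared can still hold the stale pool pointer after the free.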





Thread overview: 23+ messages
2024-11-25  8:45 [PATCH v3 0/9] misc: Support TI FPC202 dual-port controller Romain Gantois
2024-11-25  8:45 ` [PATCH v3 1/9] dt-bindings: misc: Describe TI FPC202 dual port controller Romain Gantois
2024-11-25 18:26   ` Conor Dooley
2024-11-26  8:05     ` Romain Gantois
2024-11-26 18:09       ` Conor Dooley
2024-11-27  8:20         ` Romain Gantois
2024-11-25  8:45 ` [PATCH v3 2/9] media: i2c: ds90ub960: Replace aliased clients list with bitmap Romain Gantois
2024-11-29 13:46   ` Tomi Valkeinen
2024-12-03  8:48     ` Romain Gantois
2024-11-25  8:45 ` [PATCH v3 3/9] media: i2c: ds90ub960: Protect alias_use_mask with a mutex Romain Gantois
2024-11-25  8:45 ` [PATCH v3 4/9] i2c: use client addresses directly in ATR interface Romain Gantois
2024-11-25  8:45 ` [PATCH v3 5/9] i2c: move ATR alias pool to a separate struct Romain Gantois
2024-11-25  8:45 ` [PATCH v3 6/9] i2c: rename field 'alias_list' of struct i2c_atr_chan to 'alias_pairs' Romain Gantois
2024-11-25  8:45 ` [PATCH v3 7/9] i2c: support per-channel ATR alias pools Romain Gantois
2024-11-25  8:45 ` [PATCH v3 8/9] i2c: Support dynamic address translation Romain Gantois
2024-11-29  9:54   ` Tomi Valkeinen
2024-12-03  8:59     ` Romain Gantois
2024-12-09 12:42     ` Romain Gantois [this message]
2024-12-10 15:21       ` Romain Gantois
2024-11-25  8:45 ` [PATCH v3 9/9] misc: add FPC202 dual port controller driver Romain Gantois
2024-11-29 12:01 ` [PATCH v3 0/9] misc: Support TI FPC202 dual-port controller Tomi Valkeinen
2024-12-03  8:42   ` Romain Gantois
2024-12-03  9:36     ` Luca Ceresoli
