From: Wolfram Sang <wsa+renesas@sang-engineering.com>
To: Sameeksha Sankpal <sameekshasankpal@gmail.com>
Cc: linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org,
	syzbot+76501d32a94a432940a8@syzkaller.appspotmail.com
Subject: Re: [PATCH] i2c: core: prevent use-after-free in i2c_get_adapter by removing adapter from IDR earlier
Date: Tue, 19 May 2026 13:15:44 +0200
Message-ID: <agxGYNfGltZJxxjE@shikoro>
In-Reply-To: <20251117034150.6380-1-sameekshasankpal@gmail.com>

Hi,

thanks for tackling this syzkaller report!

On Mon, Nov 17, 2025 at 09:11:50AM +0530, Sameeksha Sankpal wrote:
> i2c_del_adapter() currently removes the adapter from i2c_adapter_idr
> after device_unregister(&adap->dev). This leaves a window where
> i2c_get_adapter() may still find the adapter and call get_device(),
> which WARNs because the kobject refcount is already zero.
> 
> Fix by removing the adapter from the IDR before unregistering the device.
> This prevents new lookups while the device is being torn down.
> 
> Reported-by: syzbot+76501d32a94a432940a8@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=76501d32a94a432940a8

Seems reasonable, but to get more confidence, could you tell me how you
debugged this? There is no reproducer in the syzkaller report, so how
did you ensure this patch fixes this issue?

Happy hacking,

   Wolfram

> Signed-off-by: Sameeksha Sankpal <sameekshasankpal@gmail.com>
> ---
>  drivers/i2c/i2c-core-base.c | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c
> index ae7e9c8b65a6..229158401d54 100644
> --- a/drivers/i2c/i2c-core-base.c
> +++ b/drivers/i2c/i2c-core-base.c
> @@ -1773,6 +1773,15 @@ void i2c_del_adapter(struct i2c_adapter *adap)
>  			       __process_removed_adapter);
>  	mutex_unlock(&core_lock);
>  
> +	/*
> +	 * Stop publishing the adapter before tearing down its device/kobject.
> +	 * Otherwise i2c_get_adapter() may still find it in the IDR and then
> +	 * get_device() will WARN because the kobject is already at 0.
> +	 */
> +	mutex_lock(&core_lock);
> +	idr_remove(&i2c_adapter_idr, adap->nr);
> +	mutex_unlock(&core_lock);
> +
>  	/* Remove devices instantiated from sysfs */
>  	mutex_lock_nested(&adap->userspace_clients_lock,
>  			  i2c_adapter_depth(adap));
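
Review bot: in the added block right after mutex_unlock(&core_lock), core_lock is released and immediately re-acquired only to call idr_remove(). Consider moving idr_remove(&i2c_adapter_idr, adap->nr) into the preceding critical section, before that mutex_unlock(), so the adapter is unpublished without an unlock/relock gap. The new comment also relies on a lookup taking its reference while holding core_lock; if i2c_get_adapter() does not, a lookup that already found the adapter can still reach get_device() during teardown, so the changelog should say which is the case.
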
> @@ -1813,10 +1822,7 @@ void i2c_del_adapter(struct i2c_adapter *adap)
>  	device_unregister(&adap->dev);
>  	wait_for_completion(&adap->dev_released);
>  
> -	/* free bus id */
> -	mutex_lock(&core_lock);
> -	idr_remove(&i2c_adapter_idr, adap->nr);
> -	mutex_unlock(&core_lock);
> +	/* IDR entry already removed above; no new lookups are possible now. */
>  
>  	/* Clear the device structure in case this adapter is ever going to be
>  	   added again */
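
Review bot: the removed comment "/* free bus id */" documented that idr_remove() also releases adap->nr, and with this change that release now happens before device_unregister() and wait_for_completion(&adap->dev_released). Please explain in the changelog why it is safe for the number to become available again while the old device is still registered. The replacement comment only narrates the patch ("already removed above") and has no code beneath it; I would drop it rather than leave a remark that will go stale.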
