Re: [PATCH] i2c: core: move idr_remove() in i2c_del_adapter() before device_unregister()

[Wolfram Sang <wsa+renesas@sang-engineering.com>]

[-- Attachment #1: Type: text/plain, Size: 2162 bytes --]

On Fri, Jun 19, 2026 at 12:16:10AM +0530, Tejas Mutalikdesai wrote:
> There is a race between i2c_del_adapter() and i2c_get_adapter() that
> can trigger a "refcount_t: addition on 0; use-after-free" warning.
> 
> The sequence is:
> 
>   1. i2c_del_adapter() calls device_unregister(), which drops the
>      device refcount to zero (the adapter's release callback fires
>      and signals dev_released).
> 
>   2. The adapter is still in i2c_adapter_idr because idr_remove()
>      hasn't been called yet.
> 
>   3. A concurrent i2c_get_adapter() calls idr_find() under core_lock
>      and finds the adapter.  try_module_get() succeeds because the
>      owning module is still MODULE_STATE_LIVE (this is a hot-remove
>      path, not a module unload).
> 
>   4. get_device() is called on a kobject whose refcount is already
>      zero, triggering refcount_warn_saturate() with REFCOUNT_ADD_UAF.
> 
> Fixing this by moving the idr_remove() call to before device_unregister().
> Once the adapter is removed from the IDR, any concurrent
> i2c_get_adapter() will get NULL from idr_find() and return -ENODEV.
> Callers that already hold a device reference are unaffected:
> wait_for_completion() correctly waits for them to release it via
> i2c_put_adapter().
> 
> REPRODUCTION AND VALIDATION: Tested by inserting a msleep(500) after wait_for_completion() to widen
> the race window, and using a kernel module that spawns two kthreads: one
> calling i2c_del_adapter() and another calling i2c_get_adapter()
> concurrently while the module remains MODULE_STATE_LIVE.  Without the
> fix, the WARNING fires reliably.  With the fix, i2c_get_adapter()
> returns NULL and no WARNING is observed.
> 
> Reported-by: syzbot+c0291c8c9aaa473c7721@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=c0291c8c9aaa473c7721
> Fixes: 611e12ea0f12 ("i2c: core: manage i2c bus device refcount in i2c_[get|put]_adapter")
> Signed-off-by: Tejas Mutalikdesai <tejasmutalikdesai@gmail.com>

I'd think this is fixed with b1a58ed9eab1 ("i2c: core: fix adapter
deregistration race") which went upstream this merge window.


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]