public inbox for linux-gpio@vger.kernel.org
From: Romain Gantois <romain.gantois@bootlin.com>
To: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>,
	Kory Maincent <kory.maincent@bootlin.com>,
	linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org,
	devicetree@vger.kernel.org, linux-media@vger.kernel.org,
	linux-gpio@vger.kernel.org,
	Wolfram Sang <wsa+renesas@sang-engineering.com>,
	Luca Ceresoli <luca.ceresoli@bootlin.com>,
	Andi Shyti <andi.shyti@kernel.org>, Rob Herring <robh@kernel.org>,
	Krzysztof Kozlowski <krzk+dt@kernel.org>,
	Conor Dooley <conor+dt@kernel.org>,
	Derek Kiernan <derek.kiernan@amd.com>,
	Dragan Cvetic <dragan.cvetic@amd.com>,
	Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Mauro Carvalho Chehab <mchehab@kernel.org>,
	Linus Walleij <linus.walleij@linaro.org>,
	Bartosz Golaszewski <brgl@bgdev.pl>,
	Cosmin Tanislav <demonsingur@gmail.com>
Subject: Re: [PATCH v3 8/9] i2c: Support dynamic address translation
Date: Mon, 09 Dec 2024 13:42:29 +0100
Message-ID: <3255950.5fSG56mABF@fw-rgant>
In-Reply-To: <141bbac1-5289-4335-a566-387721439bef@ideasonboard.com>

Hi Tomi,

On Friday 29 November 2024 10:54:35 Central European Standard Time Tomi
Valkeinen wrote:
> Hi Romain,
> 
> On 25/11/2024 10:45, Romain Gantois wrote:
> > The i2c-atr module keeps a list of associations between I2C client aliases
...
> > i2c_atr_dynamic_attach/detach_addr from racing with the bus notifier
> > handler to modify alias_list.
> > 
> > Signed-off-by: Romain Gantois <romain.gantois@bootlin.com>
> > ---
> > 
> >   drivers/i2c/i2c-atr.c         | 244
> >   ++++++++++++++++++++++++++++++++----------
> >   drivers/media/i2c/ds90ub960.c |   2 +-
> >   include/linux/i2c-atr.h       |  13 ++-
> >   3 files changed, 202 insertions(+), 57 deletions(-)
> 
> This fails with:
> 
> WARNING: CPU: 1 PID: 360 at lib/list_debug.c:35
> __list_add_valid_or_report+0xe4/0x100
> 
> as the i2c_atr_create_c2a() calls list_add(), but i2c_atr_attach_addr(),
> which is changed to use i2c_atr_create_c2a(), also calls list_add().
> 
> Also, if you add i2c_atr_create_c2a() which hides the allocation and
> list_add, I think it makes sense to add a i2c_atr_destroy_c2a() to
> revert that.
> 
> There's also a memory error "BUG: KASAN: slab-use-after-free in
> __lock_acquire+0xc4/0x375c" (see below) when unloading the ub960 or
> ub953 driver. I haven't looked at that yet.

I think I've found what's causing this KASAN splat.  i2c_atr_del_adapter is
freeing its alias pool before setting atr->adapter[chan_id] to NULL. So
there's a time window during which bus notifications can trigger a call
to i2c_atr_attach_addr, leading to a UAF on the alias pool struct.

I'll fix this in v4.

Thanks,

-- 
Romain Gantois, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
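
Added example, not part of the original message and not code from i2c-atr.c: a single-threaded userspace C model of the teardown ordering described in the reply above, with a notification delivered inside the window between the two teardown steps. The struct layouts, `notifier_attach`, `del_adapter` and `run` are hypothetical names, and freeing is modelled with a flag so the stale access can be observed without undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model; names echo the thread, not drivers/i2c/i2c-atr.c. */
#define MAX_CHANS 4
struct alias_pool { bool freed; };            /* 'freed' models release of the pool */
struct chan { struct alias_pool *pool; };
struct atr { struct chan *adapter[MAX_CHANS]; };

/* Stand-in for the bus-notifier path that reaches i2c_atr_attach_addr().
 * Returns 0 if the channel is unpublished, 1 if the pool is live, -1 if released. */
static int notifier_attach(struct atr *atr, int chan_id)
{
    struct chan *c = atr->adapter[chan_id];
    if (!c)
        return 0;
    if (c->pool->freed)
        return -1;                            /* in the kernel: the KASAN report */
    return 1;
}

/* Tear down one channel; unpublish_first == false is the ordering in the message. */
static int del_adapter(struct atr *atr, int chan_id, bool unpublish_first)
{
    struct chan *c = atr->adapter[chan_id];
    int seen;
    if (unpublish_first)
        atr->adapter[chan_id] = NULL;         /* lookups fail before the pool goes away */
    else
        c->pool->freed = true;                /* pool released while still reachable */
    seen = notifier_attach(atr, chan_id);     /* notification lands in the window */
    atr->adapter[chan_id] = NULL;
    c->pool->freed = true;
    return seen;
}
static int run(bool unpublish_first)
{
    struct alias_pool pool = { false };
    struct chan ch = { &pool };
    struct atr atr = { { NULL } };
    atr.adapter[1] = &ch;
    return del_adapter(&atr, 1, unpublish_first);
}

int main(void)
{
    printf("free-then-clear: %d, clear-then-free: %d\n", run(false), run(true));
    return 0;
}
```

The model only shows the ordering; with real concurrency the lookup and the teardown also have to be serialized, since a reader may already hold the channel pointer when it is cleared.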




Thread overview: 23+ messages
2024-11-25  8:45 [PATCH v3 0/9] misc: Support TI FPC202 dual-port controller Romain Gantois
2024-11-25  8:45 ` [PATCH v3 1/9] dt-bindings: misc: Describe TI FPC202 dual port controller Romain Gantois
2024-11-25 18:26   ` Conor Dooley
2024-11-26  8:05     ` Romain Gantois
2024-11-26 18:09       ` Conor Dooley
2024-11-27  8:20         ` Romain Gantois
2024-11-25  8:45 ` [PATCH v3 2/9] media: i2c: ds90ub960: Replace aliased clients list with bitmap Romain Gantois
2024-11-29 13:46   ` Tomi Valkeinen
2024-12-03  8:48     ` Romain Gantois
2024-11-25  8:45 ` [PATCH v3 3/9] media: i2c: ds90ub960: Protect alias_use_mask with a mutex Romain Gantois
2024-11-25  8:45 ` [PATCH v3 4/9] i2c: use client addresses directly in ATR interface Romain Gantois
2024-11-25  8:45 ` [PATCH v3 5/9] i2c: move ATR alias pool to a separate struct Romain Gantois
2024-11-25  8:45 ` [PATCH v3 6/9] i2c: rename field 'alias_list' of struct i2c_atr_chan to 'alias_pairs' Romain Gantois
2024-11-25  8:45 ` [PATCH v3 7/9] i2c: support per-channel ATR alias pools Romain Gantois
2024-11-25  8:45 ` [PATCH v3 8/9] i2c: Support dynamic address translation Romain Gantois
2024-11-29  9:54   ` Tomi Valkeinen
2024-12-03  8:59     ` Romain Gantois
2024-12-09 12:42     ` Romain Gantois [this message]
2024-12-10 15:21       ` Romain Gantois
2024-11-25  8:45 ` [PATCH v3 9/9] misc: add FPC202 dual port controller driver Romain Gantois
2024-11-29 12:01 ` [PATCH v3 0/9] misc: Support TI FPC202 dual-port controller Tomi Valkeinen
2024-12-03  8:42   ` Romain Gantois
2024-12-03  9:36     ` Luca Ceresoli
