From: Slawomir Stepien <sst@poczta.fm>
To: Wolfram Sang <wsa@the-dreams.de>
Cc: linux-i2c@vger.kernel.org, krzysztof.adamski@nokia.com,
jakub.lewalski@nokia.com, slawomir.stepien@nokia.com,
alexander.sverdlin@nokia.com
Subject: Re: [RFCv3] i2c: hold the core_lock for the whole execution of i2c_register_adapter()
Date: Fri, 27 Mar 2020 15:01:26 +0100 [thread overview]
Message-ID: <20200327140126.GA2112@t480s.localdomain> (raw)
In-Reply-To: <20200321191532.GF5632@ninjato>
On mar 21, 2020 20:15, Wolfram Sang wrote:
> Hi Slawomir,
Hello Wolfram,
> On Tue, Oct 08, 2019 at 06:39:56PM +0200, Slawomir Stepien wrote:
> > From: Sławomir Stępień <slawomir.stepien@nokia.com>
> >
> > There is a race condition between the i2c_get_adapter() and the
> > i2c_add_adapter() if this mutex isn't hold for the whole execution of
> > i2c_register_adapter().
> >
> > If the mutex isn't locked, it is possible to find idr that points to
> > adapter that hasn't been registered yet (i.e. it's
> > kobj.state_initialized is still false), which will end up with warning
> > message:
> >
> > "... is not initialized, yet kobject_get() is being called."
> >
> > This patch will change how the locking is arranged around
> > i2c_register_adapter() call and will prevent such situations. The part
> > of the i2c_register_adapter() that do not need to be under the lock has
> > been moved to a new function i2c_process_adapter.
> >
> > Signed-off-by: Sławomir Stępień <slawomir.stepien@nokia.com>
>
> Thank you for tackling this one and sorry for the late reply.
>
> Do you have a test case for me so I could reproduce the bad case here?
I don't have any test case ready on hand, but please take a look at this flow:
Note: The assumption is that i2c_add_adapter() and i2c_get_adapter() are called
from separate threads of execution.
time | i2c_add_adapter() | i2c_get_adapter()
------------------------------------------------
0001 | lock of core_lock |
0002 | new idr via idr_alloc |
0003 | unlock of core_lock |
0004 | | lock of core_lock
0005 | | idr_find
0006 | | get_device [1]
0007 | i2c_register_adapter |
At point [1], the i2c_get_adapter() assumes the device is ready only because it
was found in idr. It calls get_device() which causes kobject_get() to fail.
--
Slawomir Stepien
prev parent reply other threads:[~2020-03-27 14:09 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20191008163956.GB566933@t480s.localdomain>
2020-03-21 19:15 ` [RFCv3] i2c: hold the core_lock for the whole execution of i2c_register_adapter() Wolfram Sang
2020-03-27 14:01 ` Slawomir Stepien [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200327140126.GA2112@t480s.localdomain \
--to=sst@poczta.fm \
--cc=alexander.sverdlin@nokia.com \
--cc=jakub.lewalski@nokia.com \
--cc=krzysztof.adamski@nokia.com \
--cc=linux-i2c@vger.kernel.org \
--cc=slawomir.stepien@nokia.com \
--cc=wsa@the-dreams.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox