From: Lars-Peter Clausen <lars@metafoo.de>
To: Wolfram Sang <wsa@the-dreams.de>
Cc: linux-mips@linux-mips.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Pantelis Antoniou <pantelis.antoniou@konsulko.com>,
linux-kernel@vger.kernel.org, Julia Lawall <julia.lawall@lip6.fr>,
linux-arm-kernel@lists.infradead.org,
linuxppc-dev@lists.ozlabs.org, Jean Delvare <jdelvare@suse.de>
Subject: Re: [PATCH] i2c: drop ancient protection against sysfs refcounting issues
Date: Mon, 19 Jan 2015 21:01:57 +0100 [thread overview]
Message-ID: <54BD62B5.7050205@metafoo.de> (raw)
In-Reply-To: <1421693756-12917-1-git-send-email-wsa@the-dreams.de>
On 01/19/2015 07:55 PM, Wolfram Sang wrote:
[...]
>
> Let's get rid of this code before really nobody knows/understands
> anymore what this was for and if it has a subtle use.
Getting rid of this is the right thing, cause it's just not how it should be
done, but unfortunately it is not as simple as this. The problem is that the
adapter is typically embedded in the parent device's state struct. This state
struct is typically freed directly after calling i2c_del_adapter(). If there is
still something holding a reference to the adapter this will result in a use
after free. To do this properly i2c_add_adapter() needs to be changed to
i2c_alloc_adapter() that returns a pointer to a newly allocated adapter.
i2c_free_adapter() will then only drop a reference to the adapter, but not free
any memory. Once the last reference has been removed the memory can then be
freed in the release callback.
The other issue is as long as something has a reference to the adapter they can
run operations on the adapter. So freeing the adapter also has to make sure
that any further operations that are performed on the adapter do no longer call
into the device specific ops, but rather returns -ENODEV, or similar.
- Lars
prev parent reply other threads:[~2015-01-19 20:06 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-19 18:55 [PATCH] i2c: drop ancient protection against sysfs refcounting issues Wolfram Sang
2015-01-19 18:59 ` Pantelis Antoniou
2015-01-19 19:01 ` Greg Kroah-Hartman
2015-01-19 21:30 ` Wolfram Sang
2015-01-19 23:04 ` Russell King - ARM Linux
2015-01-20 1:41 ` Greg Kroah-Hartman
2015-01-20 7:05 ` Lars-Peter Clausen
2015-01-20 7:12 ` Greg Kroah-Hartman
2015-01-20 7:27 ` Lars-Peter Clausen
2015-01-20 10:17 ` Russell King - ARM Linux
2015-01-20 11:35 ` Wolfram Sang
2015-01-19 19:12 ` Russell King - ARM Linux
2015-01-19 19:39 ` Wolfram Sang
2015-01-19 20:01 ` Lars-Peter Clausen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54BD62B5.7050205@metafoo.de \
--to=lars@metafoo.de \
--cc=gregkh@linuxfoundation.org \
--cc=jdelvare@suse.de \
--cc=julia.lawall@lip6.fr \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@linux-mips.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=pantelis.antoniou@konsulko.com \
--cc=wsa@the-dreams.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).