Re: [PATCH v3] i2c: dev: don't allow user-space to deadlock the kernel

[Wolfram Sang <wsa@kernel.org>]

[-- Attachment #1: Type: text/plain, Size: 1793 bytes --]

Hi Bartosz,

> > https://lkml.iu.edu/hypermail/linux/kernel/1501.2/01700.html
> >
> > There are still drivers using i2c_del_adapter()+kfree(), so removing the
> > completion could cause use-after-free there, or?
> >
> 
> Ugh, what a mess... I was mostly focused on the character device side
> of it but now I realized the true extent of the problem.

Still, thanks for trying. Really!

> It's all because the adapter struct really should be allocated by
> i2c_add_adapter() and bus drivers should only really provide some
> structure containing the adapter description for the subsystem the
> lifetime of which would not affect the adapter itself. This way the
> adapter (embedding struct device) would be freed by device type's
> .release() like we do over in the GPIO subsystem. Instead the adapter
> struct is allocated by drivers at .probe() meaning it will get dropped
> at .remove().

Or, like SPI does, use controller_alloc() which initializes the parts
needed by the core, returns to the driver which needs to setup the
private data, and finally calls controller_register().

> I don't have a good solution. I've been thinking about it for an hour
> and every solution requires sweeping changes across the entire
> subsystem. Or else we'd introduce a parallel solution that would do
> the right thing and wait in perpetuity until all drivers convert -
> like with i2e probe_new() which is after all much simpler.

Thank you for spending time on another solution. "Perpetuity" is a good
word to put it :/

> Anyway, that's all I've got. We probably need to drop this change and
> live with what we have now.

I am curious to see if this finding will make it into your FOSDEM talk.
Looking already forward to it!

Happy hacking,

   Wolfram


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]