Re: [PATCH] i2c: drop ancient protection against sysfs refcounting issues

From: Lars-Peter Clausen
Date: Mon Jan 19 2015 - 15:00:19 EST


On 01/19/2015 07:55 PM, Wolfram Sang wrote:
[...]

Let's get rid of this code before really nobody knows/understands
anymore what this was for and if it has a subtle use.

Getting rid of this is the right thing, cause it's just not how it should be done, but unfortunately it is not as simple as this. The problem is that the adapter is typically embedded in the parent device's state struct. This state struct is typically freed directly after calling i2c_del_adapter(). If there is still something holding a reference to the adapter this will result in a use after free. To do this properly i2c_add_adapter() needs to be changed to i2c_alloc_adapter() that returns a pointer to a newly allocated adapter. i2c_free_adapter() will then only drop a reference to the adapter, but not free any memory. Once the last reference has been removed the memory can then be freed in the release callback.

The other issue is as long as something has a reference to the adapter they can run operations on the adapter. So freeing the adapter also has to make sure that any further operations that are performed on the adapter do no longer call into the device specific ops, but rather returns -ENODEV, or similar.

- Lars
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/