[PATCH v2 0/2] i2c: fortify the subsystem against user-space induced deadlocks

From: Bartosz Golaszewski
Date: Thu Dec 29 2022 - 11:00:55 EST


From: Bartosz Golaszewski <bartosz.golaszewski@xxxxxxxxxx>

Several subsystems in the kernel that export device files to user-space
suffer from a bug where keeping an open file descriptor associated with
this device file, unbinding the device from its driver and then calling
any of the supported system calls on that file descriptor will result in
either a crash or - as is the case with i2c - a deadlock.

This behavior has been blamed on extensive usage of device resource
management interfaces, but it seems that devres has nothing to do with it;
the problem would be the same whether using devres or freeing resources
in .remove() that should survive the driver detach.

Many subsystems already deal with this by implementing some kind of flags
in the character device data together with locking preventing the
user-space from dropping the subsystem data from under the open device.

In i2c the deadlock comes from the fact that the function unregistering
the adapter waits for a completion which will not be passed until all
references to the character device are dropped.

The first patch in this series is just a tweak of return values of the
notifier callback. The second addresses the deadlock problem in a way
similar to how we fixed this issue in the GPIO subsystem. Details are in
the commit message.

v1 -> v2:
- keep the device release callback and use it to free the IDR number
- rebase on top of v6.2-rc1

Bartosz Golaszewski (2):
i2c: dev: fix notifier return values
i2c: dev: don't allow user-space to deadlock the kernel

drivers/i2c/i2c-core-base.c | 26 ++-------
drivers/i2c/i2c-dev.c | 112 +++++++++++++++++++++++++++++-------
include/linux/i2c.h | 2 -
3 files changed, 96 insertions(+), 44 deletions(-)

--
2.37.2
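As an added illustration, not code from this series or from the kernel, here is a user-space C model of the mechanism the cover letter describes: the old unregister path waits for the last reference to the character device, which an open descriptor can withhold forever, while the flag-and-lock pattern detaches the adapter under a lock and makes later operations on the still-open descriptor fail with -ENODEV. All names, the pthread mutex standing in for a kernel lock, and the -EBUSY return standing in for the blocking wait are assumptions of the model.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

/* Stand-in for struct i2c_adapter: freed when the driver is unbound. */
struct adapter { int nr; };
/* Per-node data shared by every open file of a modelled /dev/i2c-N. */
struct i2c_dev {
    pthread_mutex_t lock;   /* stands in for a kernel mutex; protects adap */
    struct adapter *adap;   /* NULL once the adapter has been unregistered */
    int open_files;         /* references user-space still holds */
};

void i2c_dev_init(struct i2c_dev *dev, int nr) {
    pthread_mutex_init(&dev->lock, NULL);
    dev->adap = malloc(sizeof *dev->adap);
    dev->adap->nr = nr;
    dev->open_files = 0;
}
/* open(2) and close(2) on the node only adjust the reference count. */
void i2cdev_open(struct i2c_dev *dev) { dev->open_files++; }
void i2cdev_release(struct i2c_dev *dev) { dev->open_files--; }

/* Old behaviour: unregistration waits until every file is closed, modelled
 * here by returning -EBUSY; the real wait on a completion is the deadlock. */
int unregister_waiting(struct i2c_dev *dev) {
    if (dev->open_files > 0) return -EBUSY;
    free(dev->adap);
    dev->adap = NULL;
    return 0;
}

/* Flag-and-lock pattern: drop the adapter under the lock and return at once;
 * open descriptors stay valid, but every later operation on them fails. */
int unregister_flagged(struct i2c_dev *dev) {
    pthread_mutex_lock(&dev->lock);
    free(dev->adap);
    dev->adap = NULL;
    pthread_mutex_unlock(&dev->lock);
    return 0;
}

/* A syscall on an open descriptor checks the flag under the same lock so the
 * adapter cannot vanish between check and use; -ENODEV once it is gone. */
int i2cdev_query(struct i2c_dev *dev) {
    pthread_mutex_lock(&dev->lock);
    int ret = dev->adap ? dev->adap->nr : -ENODEV;
    pthread_mutex_unlock(&dev->lock);
    return ret;
}
```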