Re: [syzbot] [usb?] INFO: task hung in i2c_tiny_usb_disconnect

[weipeng]

On 2026-01-13 20:23, Oliver Neukum wrote:

> what prevents the following sequence:
> 
> i2c_tiny_usb_disconnect() -> module unload -> i2c_tiny_usb_release()
> 
> As far as I can tell, this can happen and you'd execute already
> freed memory.

Hi,

I got it. It can be solved by using wait_for_completion in the module exit
function to wait for all the i2c_tiny_usb_release() to be done.

But after think twice, I think it is not a good idea. Because that would be
too complicated for a driver. Almost all the usb drivers does not do like this.
They just call release functions in the disconnect() rather than put all the
release works to another task. So I think the key point is not the disconnect().

The key point is the i2c subsystem:

> void i2c_del_adapter(struct i2c_adapter *adap)
> {
> ...
> /* wait until all references to the device are gone
>  *
>  * FIXME: This is old code and should ideally be replaced by an
>  * alternative which results in decoupling the lifetime of the struct
>  * device from the i2c_adapter, like spi or netdev do. Any solution
>  * should be thoroughly tested with DEBUG_KOBJECT_RELEASE enabled!
>  */
> init_completion(&adap->dev_released);
> device_unregister(&adap->dev);
> wait_for_completion(&adap->dev_released);
> ...
> }

The i2c_del_adapter() will wait for all the users to put the reference of the adapter.
It is not a good idea. We can't control the users. So the i2c_del_adapter() can wait
for any time.

Best Regards

weipeng