i2c: core: Fix possible memleak in i2c_register_adapter()

Message ID	20221123081643.713184-1-lizetao1@huawei.com
State	Superseded
Headers	show Return-Path: <linux-i2c-owner@vger.kernel.org> From: Li Zetao <lizetao1@huawei.com> To: <wsa@kernel.org>, <gregkh@suse.de>, <khali@linux-fr.org> CC: <lizetao1@huawei.com>, <linux-i2c@vger.kernel.org>, <linux-kernel@vger.kernel.org> Subject: [PATCH] i2c: core: Fix possible memleak in i2c_register_adapter() Date: Wed, 23 Nov 2022 16:16:43 +0800 Message-ID: <20221123081643.713184-1-lizetao1@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII Precedence: bulk
Series	i2c: core: Fix possible memleak in i2c_register_adapter() \| expand i2c: core: Fix possible memleak in i2c_register_adapter()

Message ID

20221123081643.713184-1-lizetao1@huawei.com

State

Superseded

Headers

From: Li Zetao <lizetao1@huawei.com>
To: <wsa@kernel.org>, <gregkh@suse.de>, <khali@linux-fr.org>
CC: <lizetao1@huawei.com>, <linux-i2c@vger.kernel.org>,
        <linux-kernel@vger.kernel.org>
Subject: [PATCH] i2c: core: Fix possible memleak in i2c_register_adapter()
Date: Wed, 23 Nov 2022 16:16:43 +0800
Message-ID: <20221123081643.713184-1-lizetao1@huawei.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type: text/plain; charset=US-ASCII
Precedence: bulk

Series

i2c: core: Fix possible memleak in i2c_register_adapter() | expand

Commit Message

Li Zetao Nov. 23, 2022, 8:16 a.m. UTC

I got memory leak as follows when doing fault injection test:

unreferenced object 0xffff88818be6dcb8 (size 8):
  comm "modprobe", pid 1022129, jiffies 4363911608 (age 43.838s)
    hex dump (first 8 bytes):
      69 32 63 2d 30 00 6b a5                          i2c-0.k.
    backtrace:
      [<ffffffff812f588f>] __kmem_cache_alloc_node+0x2cf/0x4b0
      [<ffffffff81283c43>] __kmalloc_node_track_caller+0x53/0x140
      [<ffffffff81604b0a>] kvasprintf+0x6a/0xd0
      [<ffffffff81604be7>] kvasprintf_const+0x77/0xa0
      [<ffffffff81a00173>] kobject_set_name_vargs+0x23/0x90
      [<ffffffff817bf743>] dev_set_name+0x53/0x70
      [<ffffffffa023ebb2>] i2c_register_adapter+0x112/0x6c0 [i2c_core]
      [<ffffffffa023f268>] i2c_add_adapter+0x78/0xc0 [i2c_core]
      [<ffffffffa0300182>] piix4_add_adapter+0x132/0x210 [i2c_piix4]
      [<ffffffffa0300535>] piix4_probe+0x2d5/0x5f4 [i2c_piix4]
      [<ffffffff816c5da2>] pci_device_probe+0xb2/0x180
      [<ffffffff817c769f>] really_probe+0xff/0x380
      [<ffffffff817c79aa>] __driver_probe_device+0x8a/0x190
      [<ffffffff817c7b33>] driver_probe_device+0x23/0xb0
      [<ffffffff817c80a3>] __driver_attach+0xd3/0x1b0
      [<ffffffff817c4ede>] bus_for_each_dev+0x7e/0xd0

The root cause was traced to an error handing path in
i2c_register_adapter() when device_register() fails. After
calling dev_set_name() which called by i2c_register_adapter(),
the put_device() should be used to give up the device reference
in error handling path in order to free "kobj->name" alloced
in dev_set_name().

Fix it by calling put_device() when device_register() fails in
i2c_register_adapter(). In addition, when i2c_adapter device
is released, i2c_adapter_dev_release() is called, in which
"dev_released" must be initialized, otherwise a kernel bug
will be triggered.

Fixes: b119c6c952a0 ("i2c: __must_check fixes (core drivers)")
Signed-off-by: Li Zetao <lizetao1@huawei.com>
---
 drivers/i2c/i2c-core-base.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c
index 5dcea9f1deab..ef85e58533e2 100644
--- a/drivers/i2c/i2c-core-base.c
+++ b/drivers/i2c/i2c-core-base.c
@@ -1472,6 +1472,9 @@  static int i2c_register_adapter(struct i2c_adapter *adap)
 	res = device_register(&adap->dev);
 	if (res) {
 		pr_err("adapter '%s': can't register device (%d)\n", adap->name, res);
+		init_completion(&adap->dev_released);
+		put_device(&adap->dev);
+		wait_for_completion(&adap->dev_released);
 		goto out_list;
 	}

i2c: core: Fix possible memleak in i2c_register_adapter()

Commit Message

Patch