| Message ID | a9dc272e4e06db661125b7b4c330821b532afc4d.1642209079.git.mirq-linux@rere.qmqm.pl |
|---|---|
| State | Superseded |
| Series | i2c: core: fix potential use-after-free on adapter removal |
Hi Michał,

I finally had a look at your patch...

> put_device(&adap->dev) might free the memory pointed to by `adap`,
> so we shouldn't read adap->owner after that.
>
> Fix by saving module pointer before calling put_device().

... and found a different approach for this problem from 2019:

http://patchwork.ozlabs.org/project/linux-i2c/patch/1577439272-10362-1-git-send-email-vulab@iscas.ac.cn/

I think this is also proper. I found other subsystems in the kernel first putting the module, then the device. Do you see problems with the above patch?

Thanks for looking into the issue!

Wolfram

> > Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl> > --- > drivers/i2c/i2c-core-base.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c > index 2c59dd748a49..5d694f8ce9ef 100644 > --- a/drivers/i2c/i2c-core-base.c > +++ b/drivers/i2c/i2c-core-base.c > @@ -2464,11 +2464,14 @@ EXPORT_SYMBOL(i2c_get_adapter); > > void i2c_put_adapter(struct i2c_adapter *adap) > { > + struct module *owner; > + > if (!adap) > return; > > + owner = adap->owner; > put_device(&adap->dev); > - module_put(adap->owner); > + module_put(owner); > } > EXPORT_SYMBOL(i2c_put_adapter); > > -- > 2.30.2 >
On Tue, Jun 14, 2022 at 09:45:42PM +0200, Wolfram Sang wrote:
> Hi Michał,
>
> I finally had a look at your patch...
>
> > put_device(&adap->dev) might free the memory pointed to by `adap`,
> > so we shouldn't read adap->owner after that.
> >
> > Fix by saving module pointer before calling put_device().
>
> ... and found a different approach for this problem from 2019:
>
> http://patchwork.ozlabs.org/project/linux-i2c/patch/1577439272-10362-1-git-send-email-vulab@iscas.ac.cn/
>
> I think this is also proper. I found other subsystems in the kernel
> first putting the module, then the device. Do you see problems with the
> above patch?
>
> Thanks for looking into the issue!

Hi!

I looked briefly at the kobject machinery and it seems to ignore module dependencies. So while both approaches might work, I'd usually reverse the order the init code is using: in this case module_get+device_get, so on release: device_put+module_put. I don't know what keeps the kernel from unloading the module after module_put() and before the function returns, but I assume that would blow up for both patches.

Best Regards
Michał Mirosław

> > > > Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl> > > --- > > drivers/i2c/i2c-core-base.c | 5 ++++- > > 1 file changed, 4 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c > > index 2c59dd748a49..5d694f8ce9ef 100644 > > --- a/drivers/i2c/i2c-core-base.c > > +++ b/drivers/i2c/i2c-core-base.c > > @@ -2464,11 +2464,14 @@ EXPORT_SYMBOL(i2c_get_adapter); > > > > void i2c_put_adapter(struct i2c_adapter *adap) > > { > > + struct module *owner; > > + > > if (!adap) > > return; > > > > + owner = adap->owner; > > put_device(&adap->dev); > > - module_put(adap->owner); > > + module_put(owner); > > } > > EXPORT_SYMBOL(i2c_put_adapter); > > > > -- > > 2.30.2 > >
Hi Michał,

> I looked briefly at the kobject machinery and it seems to ignore module
> dependencies. So while both approaches might work, I'd usually reverse

Thanks for checking!

> the order the init code is using: in this case module_get+device_get,
> so on release: device_put+module_put. I don't know what keeps the kernel

I agree this is good style. I'll add a comment on why we reverse the order. This will also be good to avoid regressions.

> from unloading the module after module_put() and before the function
> returns, but I assume that would blow up for both patches.

Yes. There are other users in the kernel doing it like this (RTC and regmap IIRC), so I think problems would have become visible by then.

Thank you for your help!

Wolfram
diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c index 2c59dd748a49..5d694f8ce9ef 100644 --- a/drivers/i2c/i2c-core-base.c +++ b/drivers/i2c/i2c-core-base.c @@ -2464,11 +2464,14 @@ EXPORT_SYMBOL(i2c_get_adapter); void i2c_put_adapter(struct i2c_adapter *adap) { + struct module *owner; + if (!adap) return; + owner = adap->owner; put_device(&adap->dev); - module_put(adap->owner); + module_put(owner); } EXPORT_SYMBOL(i2c_put_adapter);
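Review bot: The new local `owner` in i2c_put_adapter() needs a comment stating why it is read before put_device(); without one, a later cleanup could fold `module_put(owner)` back into `module_put(adap->owner)` and silently reintroduce the use-after-free the commit message describes. A one-liner above `owner = adap->owner;` such as `/* put_device() may free adap, so read owner first */` would pin that down. The thread also raises the alternative of calling module_put() before put_device(), which avoids the extra local entirely; whichever release order is kept, the chosen order and its reason should be recorded in the code rather than only in the mail thread.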
put_device(&adap->dev) might free the memory pointed to by `adap`, so we shouldn't read adap->owner after that.

Fix by saving module pointer before calling put_device().

Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
---
 drivers/i2c/i2c-core-base.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)