diff options
| author | Johan Hovold <johan@kernel.org> | 2026-05-11 17:37:12 +0300 |
|---|---|---|
| committer | Wolfram Sang <wsa+renesas@sang-engineering.com> | 2026-05-31 00:57:19 +0300 |
| commit | ba14d7cf2fe7284610a29854bdff22b2537d3ce6 (patch) | |
| tree | 720c126bd42846350473cc74788e2795752a0db5 | |
| parent | 3e2041ea586ae37fcea918ecb505ab9972a1201d (diff) | |
| download | linux-ba14d7cf2fe7284610a29854bdff22b2537d3ce6.tar.xz | |
i2c: core: fix adapter registration race
Adapters can be looked up based on their id using i2c_get_adapter()
which takes a reference to the embedded struct device.
Make sure that the adapter (including its struct device) has been
initialised before adding it to the IDR to avoid accessing uninitialised
data which could, for example, lead to NULL-pointer dereferences or
use-after-free.
Note that the i2c-dev chardev, which is registered from a bus notifier,
currently uses i2c_get_adapter() so the adapter needs to be added to the
IDR before registration.
Fixes: 6e13e6418418 ("i2c: Add i2c_add_numbered_adapter()")
Cc: stable@vger.kernel.org # 2.6.22
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
| -rw-r--r-- | drivers/i2c/i2c-core-base.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c index fdf7d7d50f79..01a984d3ca0e 100644 --- a/drivers/i2c/i2c-core-base.c +++ b/drivers/i2c/i2c-core-base.c @@ -1580,6 +1580,10 @@ static int i2c_register_adapter(struct i2c_adapter *adap) adap->debugfs = debugfs_create_dir(dev_name(&adap->dev), i2c_debugfs_root); + mutex_lock(&core_lock); + idr_replace(&i2c_adapter_idr, adap, adap->nr); + mutex_unlock(&core_lock); + res = device_add(&adap->dev); if (res) { pr_err("adapter '%s': can't register device (%d)\n", adap->name, res); @@ -1638,7 +1642,7 @@ static int __i2c_add_numbered_adapter(struct i2c_adapter *adap) int id; mutex_lock(&core_lock); - id = idr_alloc(&i2c_adapter_idr, adap, adap->nr, adap->nr + 1, GFP_KERNEL); + id = idr_alloc(&i2c_adapter_idr, NULL, adap->nr, adap->nr + 1, GFP_KERNEL); mutex_unlock(&core_lock); if (WARN(id < 0, "couldn't get idr")) return id == -ENOSPC ? -EBUSY : id; @@ -1672,7 +1676,7 @@ int i2c_add_adapter(struct i2c_adapter *adapter) } mutex_lock(&core_lock); - id = idr_alloc(&i2c_adapter_idr, adapter, + id = idr_alloc(&i2c_adapter_idr, NULL, __i2c_first_dynamic_bus_num, 0, GFP_KERNEL); mutex_unlock(&core_lock); if (WARN(id < 0, "couldn't get idr")) |