]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3e2041e)
i2c: core: fix adapter registration race
authorJohan Hovold <johan@kernel.org>
Mon, 11 May 2026 14:37:12 +0000 (16:37 +0200)
committerWolfram Sang <wsa+renesas@sang-engineering.com>
Sat, 30 May 2026 21:57:19 +0000 (23:57 +0200)
Adapters can be looked up based on their id using i2c_get_adapter()
which takes a reference to the embedded struct device.

Make sure that the adapter (including its struct device) has been
initialised before adding it to the IDR to avoid accessing uninitialised
data which could, for example, lead to NULL-pointer dereferences or
use-after-free.

Note that the i2c-dev chardev, which is registered from a bus notifier,
currently uses i2c_get_adapter() so the adapter needs to be added to the
IDR before registration.

Fixes: 6e13e6418418 ("i2c: Add i2c_add_numbered_adapter()")
Cc: stable@vger.kernel.org # 2.6.22
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
drivers/i2c/i2c-core-base.c patch | blob | blame | history

diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c
index fdf7d7d50f79b8bb22f01510656ed643510a275e..01a984d3ca0e2228121a3e830fcbf3bc3fe9ff95 100644 (file)
--- a/drivers/i2c/i2c-core-base.c
+++ b/drivers/i2c/i2c-core-base.c
@@ -1580,6 +1580,10 @@ static int i2c_register_adapter(struct i2c_adapter *adap)
 
        adap->debugfs = debugfs_create_dir(dev_name(&adap->dev), i2c_debugfs_root);
 
+       mutex_lock(&core_lock);
+       idr_replace(&i2c_adapter_idr, adap, adap->nr);
+       mutex_unlock(&core_lock);
+
        res = device_add(&adap->dev);
        if (res) {
                pr_err("adapter '%s': can't register device (%d)\n", adap->name, res);
@@ -1638,7 +1642,7 @@ static int __i2c_add_numbered_adapter(struct i2c_adapter *adap)
        int id;
 
        mutex_lock(&core_lock);
-       id = idr_alloc(&i2c_adapter_idr, adap, adap->nr, adap->nr + 1, GFP_KERNEL);
+       id = idr_alloc(&i2c_adapter_idr, NULL, adap->nr, adap->nr + 1, GFP_KERNEL);
        mutex_unlock(&core_lock);
        if (WARN(id < 0, "couldn't get idr"))
                return id == -ENOSPC ? -EBUSY : id;
@@ -1672,7 +1676,7 @@ int i2c_add_adapter(struct i2c_adapter *adapter)
        }
 
        mutex_lock(&core_lock);
-       id = idr_alloc(&i2c_adapter_idr, adapter,
+       id = idr_alloc(&i2c_adapter_idr, NULL,
                       __i2c_first_dynamic_bus_num, 0, GFP_KERNEL);
        mutex_unlock(&core_lock);
        if (WARN(id < 0, "couldn't get idr"))
A mirror of Linus' kernel repository