| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 22 Jan 2015 09:30:26 +0800
From: Yingjoe Chen <yingjoe.chen@...iatek.com>
To: Uwe Kleine-König
<u.kleine-koenig@...gutronix.de>, Wolfram Sang <wsa@...-dreams.de>
CC: Eddie Huang <eddie.huang@...iatek.com>,
Mark Rutland <mark.rutland@....com>,
Andrew Bresticker <abrestic@...omium.org>,
<linux-kernel@...r.kernel.org>, <linux-i2c@...r.kernel.org>,
Lee Jones <lee.jones@...aro.org>,
Jean Delvare <jdelvare@...e.de>,
Xudong Chen <xudong.chen@...iatek.com>,
Boris BREZILLON <boris.brezillon@...e-electrons.com>,
Arnd Bergmann <arnd@...db.de>, <yh.chen@...iatek.com>,
Wei Yan <sledge.yanwei@...wei.com>,
Bjorn Andersson <bjorn.andersson@...ymobile.com>,
Grant Likely <grant.likely@...aro.org>,
<devicetree@...r.kernel.org>, Pawel Moll <pawel.moll@....com>,
Ian Campbell <ijc+devicetree@...lion.org.uk>,
Beniamino Galvani <b.galvani@...il.com>,
Neelesh Gupta <neelegup@...ux.vnet.ibm.com>,
Rob Herring <robh+dt@...nel.org>,
Matthias Brugger <matthias.bgg@...il.com>,
<linux-arm-kernel@...ts.infradead.org>,
<srv_heupstream@...iatek.com>,
Anders Berg <anders.berg@...gotech.com>,
Jim Cromie <jim.cromie@...il.com>,
Simon Glass <sjg@...omium.org>,
Max Schwarz <max.schwarz@...ine.de>,
Doug Anderson <dianders@...omium.org>,
Sascha Hauer <kernel@...gutronix.de>,
Kumar Gala <galak@...eaurora.org>
Subject: Re: [PATCH v4 2/2] I2C: mediatek: Add driver for MediaTek I2C
controller
Hi,
On Wed, 2015-01-21 at 16:31 +0100, Uwe Kleine-König wrote:
> Hello,
>
> On Wed, Jan 21, 2015 at 08:49:40PM +0800, Yingjoe Chen wrote:
> > On Wed, 2015-01-21 at 09:15 +0100, Uwe Kleine-König wrote:
<...>
> > > > > > > +static int mtk_i2c_remove(struct platform_device *pdev)
> > > > > > > +{
> > > > > > > + struct mtk_i2c *i2c = platform_get_drvdata(pdev);
> > > > > > > +
> > > > > > > + i2c_del_adapter(&i2c->adap);
> > > > > > > + free_i2c_dma_bufs(i2c);
> > > > > > > + platform_set_drvdata(pdev, NULL);
> > > > > > > +
> > > > > > Here you need to make sure that no irq is running when i2c_del_adapter
> > > > > > is called.
> > > > > OK, add check here
> > > >
> > > > I thought after i2c_del_adapter() is complete, all i2c_transfer for this
> > > > adapter is completed. If this is true, then i2c clock is already off and
> > > > we won't have any on-going transfer/pending irq.
> > > Consider that there is an ongoing transaction and before it completes
> > > the adapter-device is unbound from the driver. Then i2c_del_adapter is
> > > called which frees the resources managed by the core, then the device's
> > > completion irq triggers and the freed adapter is used which probably
> > > results in an oops.
> >
> > Not sure if I missed anything. i2c_transfer() is a synchronize call. If
> > we fixed timeout issue you mentioned in mtk_i2c_transfer(), it will turn
> > off clock before it return, which disable any transaction and clear all
> > pending irq.
> There is no synchronization to prevent unbinding the i2c-bus device
> while there is a i2c transfer on the wire. i2c_del_adapter only takes
> i2c-core.c's &core_lock while i2c_transfer takes &adapter->bus_lock.
> If you want to test for it: do something like that:
>
> while true; do dd if=/sys/bus/i2c/.../eeprom of=/dev/null; done
>
> and while this is running do:
>
> cd /sys/bus/platform/drivers/mt-i2c
> while true; do
> echo 1100d000.i2c > unbind;
> sleep 1;
> echo 1100d000.i2c > bind;
> sleep 1;
> done
>
> > Your scenario can only happens when one thread is still running in
> > i2c_transfer/algo->master_xfer and the other thread is trying to remove
> > the device. If that happened, then every device data access in
> > mtk_i2c_transfer might cause oops. I looked at some i2c drivers and
> > can't find any checking for this case, I can't find anything prevent i2c
> > device removal before pending i2c_transfer complete either. Would you
> > give me an example?
> I just noticed that even "my" driver is affected. If the above recipe
> makes your driver barf there is something to fix, if not ... hmm, then
> maybe there is more synchronization than I'm aware of or my recipe is
> wrong.
>
> At least another driver author believed me:
> http://thread.gmane.org/gmane.linux.drivers.i2c/21531/focus=21662
If there is no synchronization mechanism then every driver is affected.
We should add the check in the core instead of fixing it in every
driver. We could take the bus_lock in i2c_del_adapter() and check if the
adapter is removed in __i2c_transfer(), this should fix the problem.
Wolfram, what do you think about this? Is there anything we are missing?
Joe.C
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists