lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20260114081100.830758-1-coderlogicwei@gmail.com>
Date: Wed, 14 Jan 2026 16:11:00 +0800
From: weipeng <coderlogicwei@...il.com>
To: oneukum@...e.com
Cc: anna-maria@...utronix.de,
	coderlogicwei@...il.com,
	frederic@...nel.org,
	linux-kernel@...r.kernel.org,
	linux-usb@...r.kernel.org,
	syzkaller-bugs@...glegroups.com,
	tglx@...utronix.de
Subject: Re: [syzbot] [usb?] INFO: task hung in i2c_tiny_usb_disconnect

On 2026-01-13 20:23, Oliver Neukum wrote:

> what prevents the following sequence:
> 
> i2c_tiny_usb_disconnect() -> module unload -> i2c_tiny_usb_release()
> 
> As far as I can tell, this can happen and you'd execute already
> freed memory.

Hi,

I got it. It can be solved by using wait_for_completion in the module exit
function to wait for all the i2c_tiny_usb_release() to be done.

But after think twice, I think it is not a good idea. Because that would be
too complicated for a driver. Almost all the usb drivers does not do like this.
They just call release functions in the disconnect() rather than put all the
release works to another task. So I think the key point is not the disconnect().

The key point is the i2c subsystem:

> void i2c_del_adapter(struct i2c_adapter *adap)
> {
> ...
> /* wait until all references to the device are gone
>  *
>  * FIXME: This is old code and should ideally be replaced by an
>  * alternative which results in decoupling the lifetime of the struct
>  * device from the i2c_adapter, like spi or netdev do. Any solution
>  * should be thoroughly tested with DEBUG_KOBJECT_RELEASE enabled!
>  */
> init_completion(&adap->dev_released);
> device_unregister(&adap->dev);
> wait_for_completion(&adap->dev_released);
> ...
> }

The i2c_del_adapter() will wait for all the users to put the reference of the adapter.
It is not a good idea. We can't control the users. So the i2c_del_adapter() can wait
for any time.

Best Regards

weipeng

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ