Hi,

after writing drivers for some home-brew hardware which also has an
i2c bus, I suspect there is a bug in i2c-core causing
i2c-dev to access fields of the i2c_adapter struct when the
bus is already removed (but not the corresponding kernel module).

After looking at the sources, I found out that in i2c-dev.c
there seem to be no checks on whether the adapter still exists
in the functions accessing the device.
By using i2c_get_adapter(), the module is locked so it cannot be unloaded.
So if i2c_del_adapter() is called outside the module exit function,
in some circumstances i2cdev_ioctl then seems to play around
with zero addresses. I tortured the bus using
while true; do i2cdetect -y X ; done

Calling i2cdev_check_addr from i2cdev_ioctl seems to be the devil in that
case.

Another question is when the i2c bus driver can free the i2c_adapter struct.

Backtrace: 
[<c02d3eb0>] (klist_next+0x0/0xcc) from [<c01ca7dc>] (next_device+0x10/0x24)
 r7:c6e69f0c r6:c021922c r5:c6e69ee0 r4:00000000
[<c01ca7cc>] (next_device+0x0/0x24) from [<c01ca830>] (device_for_each_child+0x40/0x68)
[<c01ca7f0>] (device_for_each_child+0x0/0x68) from [<c0219220>] (i2cdev_check_addr+0x28/0x34)
 r7:00000036 r6:00000703 r5:0000001b r4:c79ddc00
[<c02191f8>] (i2cdev_check_addr+0x0/0x34) from [<c0219a10>] (i2cdev_ioctl+0xd8/0x198)
[<c0219938>] (i2cdev_ioctl+0x0/0x198) from [<c00ad654>] (vfs_ioctl+0x3c/0x9c)
 r5:0000001b r4:c6d79120
[<c00ad618>] (vfs_ioctl+0x0/0x9c) from [<c00add10>] (do_vfs_ioctl+0x184/0x1ac)
 r6:c6d79120 r5:0000001b r4:00000003
[<c00adb8c>] (do_vfs_ioctl+0x0/0x1ac) from [<c00add78>] (sys_ioctl+0x40/0x60)
 r6:00000703 r5:fffffff7 r4:c6d79120
[<c00add38>] (sys_ioctl+0x0/0x60) from [<c002a880>] (ret_fast_syscall+0x0/0x2c)
 r6:00000000 r5:0000001b r4:0000000b


Greetings
Andreas Kemnade

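The lifetime problem the report points at is that pinning a module does not pin the objects that module handed out. The following userspace toy is an added example, not kernel code and not anything from the author: slots[] stands in for kmalloc/kfree (freeing zeroes the slot, which is the kind of "zero addresses" the backtrace shows), registry[] stands in for the adapter lookup table, and the *_modonly functions model a get_adapter() that only takes a module reference, while the *_ref functions model the same path with an adapter refcount and a liveness check in the ioctl path. All names (toy_adapter, get_adapter_modonly, ioctl_ref, scenario_*) are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Added toy model, not kernel code. slots[] plays kmalloc/kfree (freeing
 * zeroes the slot), registry[] plays the adapter lookup table, bus_driver
 * plays the module whose refcount a module-only get_adapter() pins. */
#define NR_SLOTS   4
#define TOY_ENODEV 19

struct toy_module  { int refcount; };
struct toy_adapter {
    int in_use;        /* slot allocated */
    int nr;            /* bus number */
    int kref;          /* object refcount (used by the refcounted variant only) */
    int live;          /* cleared by del_adapter before the struct may go away */
    int nr_children;   /* stand-in for the child device list the ioctl walks */
    struct toy_module *owner;
};

static struct toy_adapter  slots[NR_SLOTS];
static struct toy_adapter *registry[NR_SLOTS];
static struct toy_module   bus_driver;

static void reset_world(void)
{
    memset(slots, 0, sizeof slots);
    memset(registry, 0, sizeof registry);
    bus_driver.refcount = 0;
}

static struct toy_adapter *register_adapter(int nr, int children)
{
    for (int i = 0; i < NR_SLOTS; i++) {
        if (slots[i].in_use)
            continue;
        slots[i] = (struct toy_adapter){ .in_use = 1, .nr = nr, .kref = 1,
                                         .live = 1, .nr_children = children,
                                         .owner = &bus_driver };
        registry[nr] = &slots[i];
        return &slots[i];
    }
    return NULL;
}

static void free_adapter(struct toy_adapter *a) { memset(a, 0, sizeof *a); }

/* Variant 1, the pattern the report describes: get pins only the module,
 * del frees the struct no matter who still holds a pointer to it. */
static struct toy_adapter *get_adapter_modonly(int nr)
{
    struct toy_adapter *a = registry[nr];
    if (a)
        a->owner->refcount++;   /* module stays loaded ... */
    return a;                   /* ... but nothing pins the object itself */
}

static void del_adapter_modonly(int nr)
{
    struct toy_adapter *a = registry[nr];
    registry[nr] = NULL;
    if (a)
        free_adapter(a);        /* bus driver frees its struct, module still loaded */
}

static int ioctl_modonly(struct toy_adapter *a)
{
    return a->nr_children;      /* no liveness check: reads whatever is there now */
}

/* Variant 2: the adapter carries its own refcount. del only unpublishes it
 * and drops the registration reference; memory lives until the last put,
 * and the ioctl path refuses an adapter that has been removed. */
static struct toy_adapter *get_adapter_ref(int nr)
{
    struct toy_adapter *a = registry[nr];
    if (a) { a->owner->refcount++; a->kref++; }
    return a;
}

static void put_adapter_ref(struct toy_adapter *a)
{
    a->owner->refcount--;
    if (--a->kref == 0)
        free_adapter(a);
}

static void del_adapter_ref(int nr)
{
    struct toy_adapter *a = registry[nr];
    registry[nr] = NULL;        /* no new lookups succeed from here on */
    if (a) {
        a->live = 0;
        if (--a->kref == 0)     /* drop the registration reference only */
            free_adapter(a);
    }
}

static int ioctl_ref(struct toy_adapter *a)
{
    return a->live ? a->nr_children : -TOY_ENODEV;
}

/* Scenario: a chardev user looks the adapter up, the bus is removed
 * underneath it, then the user issues an ioctl. */
int scenario_module_lock_only(void)
{
    reset_world();
    register_adapter(1, 3);
    struct toy_adapter *held = get_adapter_modonly(1);
    del_adapter_modonly(1);
    return ioctl_modonly(held);  /* walks the zeroed slot instead of 3 children */
}

struct outcome { int rc_before_del, rc_after_del, in_use_after_del, in_use_after_put, module_refs_after_put; };

struct outcome scenario_refcounted(void)
{
    struct outcome o;
    reset_world();
    struct toy_adapter *a = register_adapter(1, 3);
    struct toy_adapter *held = get_adapter_ref(1);
    o.rc_before_del = ioctl_ref(held);
    del_adapter_ref(1);
    o.in_use_after_del = a->in_use;      /* our reference keeps the slot alive */
    o.rc_after_del = ioctl_ref(held);    /* -TOY_ENODEV, no stale memory touched */
    put_adapter_ref(held);
    o.in_use_after_put = a->in_use;      /* freed on the last put */
    o.module_refs_after_put = bus_driver.refcount;
    return o;
}

int main(void)
{
    struct outcome o = scenario_refcounted();
    printf("module-lock-only: ioctl after removal saw %d children (adapter had 3)\n",
           scenario_module_lock_only());
    printf("refcounted: rc before=%d after=%d, slot in_use after del=%d after put=%d, module refs=%d\n",
           o.rc_before_del, o.rc_after_del, o.in_use_after_del, o.in_use_after_put,
           o.module_refs_after_put);
    return 0;
}
```

The point of the two variants is the second question in the mail: in variant 1 the bus driver may free the struct the moment del returns, so every i2c-dev path that still holds the pointer is racing it; in variant 2 the bus driver's del only drops its own reference, the struct is freed by whoever drops the last reference, and the ioctl path can tell a removed adapter from a live one without touching freed memory.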