Hi,

after writing drivers for some home-brew hardware which also has an i2c bus, I suspect there is a bug in i2c-core causing i2c-dev to access fields of the i2c_adapter struct when the bus is already removed (but not the corresponding kernel module).

After looking at the sources I found out that in i2c-dev.c there seem to be no checks whether the adapter still exists in the functions accessing the device. By using i2c_get_adapter() the module is locked so it cannot be unloaded. So if i2c_del_adapter() is called outside the module exit function, in some circumstances i2cdev_ioctl then seems to play around with the zero addresses.

I tortured the bus using

    while true; do i2cdetect -y X ; done

Calling i2cdev_check_addr from i2cdev_ioctl seems to be the devil in that case.

Another question is when the i2c bus driver can free the i2c_adapter struct.

Backtrace:

[<c02d3eb0>] (klist_next+0x0/0xcc) from [<c01ca7dc>] (next_device+0x10/0x24)
 r7:c6e69f0c r6:c021922c r5:c6e69ee0 r4:00000000
[<c01ca7cc>] (next_device+0x0/0x24) from [<c01ca830>] (device_for_each_child+0x40/0x68)
[<c01ca7f0>] (device_for_each_child+0x0/0x68) from [<c0219220>] (i2cdev_check_addr+0x28/0x34)
 r7:00000036 r6:00000703 r5:0000001b r4:c79ddc00
[<c02191f8>] (i2cdev_check_addr+0x0/0x34) from [<c0219a10>] (i2cdev_ioctl+0xd8/0x198)
[<c0219938>] (i2cdev_ioctl+0x0/0x198) from [<c00ad654>] (vfs_ioctl+0x3c/0x9c)
 r5:0000001b r4:c6d79120
[<c00ad618>] (vfs_ioctl+0x0/0x9c) from [<c00add10>] (do_vfs_ioctl+0x184/0x1ac)
 r6:c6d79120 r5:0000001b r4:00000003
[<c00adb8c>] (do_vfs_ioctl+0x0/0x1ac) from [<c00add78>] (sys_ioctl+0x40/0x60)
 r6:00000703 r5:fffffff7 r4:c6d79120
[<c00add38>] (sys_ioctl+0x0/0x60) from [<c002a880>] (ret_fast_syscall+0x0/0x2c)
 r6:00000000 r5:0000001b r4:0000000b

Greetings
Andreas Kemnade
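The lifetime problem the mail describes (a handle obtained through i2c_get_adapter() pins the module, but nothing stops i2c_del_adapter() from tearing down the adapter and its child devices underneath an open i2c-dev file) can be modelled in user space. The following is an added example, not code from the mail or from the kernel's i2c-core; every name in it (adapter_register, adapter_get, adapter_put, adapter_del, check_addr, simulate_hotunplug, simulate_live_bus) is an assumption for this illustration. It shows the defensive pattern: the adapter carries its own reference count and a "registered" flag, removal clears the flag and drops only the registration's reference, and the ioctl-side address check refuses with -ENODEV instead of walking a child list that no longer exists.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space model of an adapter's lifetime. The names here are
   assumptions for this illustration, not the kernel's i2c-core API. */
struct adapter {
    int refcount;      /* registration holds one ref; every open handle holds one */
    bool registered;   /* cleared by adapter_del(); every bus access checks it */
    int nr;
    int *child_addrs;  /* stands in for the child device list i2cdev_check_addr walks */
    int nchildren;
};

struct adapter *adapter_register(int nr, const int *addrs, int n)
{
    struct adapter *a = calloc(1, sizeof *a);
    if (!a) return NULL;
    a->child_addrs = malloc(sizeof(int) * (size_t)n);
    if (!a->child_addrs) { free(a); return NULL; }
    memcpy(a->child_addrs, addrs, sizeof(int) * (size_t)n);
    a->nchildren = n;
    a->nr = nr;
    a->registered = true;
    a->refcount = 1;          /* the registration's own reference */
    return a;
}

/* Counterpart of i2c_get_adapter(): hand out a reference, but refuse once the bus is gone. */
struct adapter *adapter_get(struct adapter *a)
{
    if (!a || !a->registered) return NULL;
    a->refcount++;
    return a;
}

/* Drop a reference; the struct is freed only when the last holder lets go. */
void adapter_put(struct adapter *a)
{
    if (!a) return;
    if (--a->refcount == 0) {
        free(a->child_addrs);
        free(a);
    }
}

/* Bus removal: unregister and drop the registration's reference. Open handles
   keep the memory alive, but they can no longer reach the (freed) children. */
void adapter_del(struct adapter *a)
{
    a->registered = false;
    free(a->child_addrs);     /* children go away together with the bus */
    a->child_addrs = NULL;
    a->nchildren = 0;
    adapter_put(a);
}

/* Counterpart of i2cdev_check_addr(): reject the request if the bus is gone
   instead of walking a child list that no longer exists. */
int check_addr(struct adapter *a, int addr)
{
    if (!a->registered) return -ENODEV;
    for (int i = 0; i < a->nchildren; i++)
        if (a->child_addrs[i] == addr) return -EBUSY;   /* a driver owns this address */
    return 0;
}

/* Scenario from the report: a handle is open, the bus is removed, then the
   handle issues an ioctl. Returns the check result (-ENODEV, no stale walk). */
int simulate_hotunplug(void)
{
    const int addrs[] = { 0x1b, 0x50 };               /* constructed sample */
    struct adapter *bus = adapter_register(3, addrs, 2);
    struct adapter *handle = adapter_get(bus);        /* i2c-dev open() */
    adapter_del(bus);                                 /* bus driver removes the adapter */
    int rc = check_addr(handle, 0x36);                /* ioctl() after removal */
    adapter_put(handle);                              /* last reference: freed here */
    return rc;
}

/* Same handle while the bus is still live: a claimed address is busy, a free one is ok. */
int simulate_live_bus(int addr)
{
    const int addrs[] = { 0x1b, 0x50 };               /* constructed sample */
    struct adapter *bus = adapter_register(3, addrs, 2);
    struct adapter *handle = adapter_get(bus);
    int rc = check_addr(handle, addr);
    adapter_put(handle);
    adapter_del(bus);
    return rc;
}
```

The point of the model is the split between "module may not unload" and "adapter may not be used": pinning the module, as i2c_get_adapter() does, only guarantees the code is still mapped, so the object itself needs its own reference count plus an explicit check on every entry from user space.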