1. Patchew
  2. linux
  3. View series

[PATCH] i2c: rust: fix I2cAdapter refcounts double increment

Nicolás Antinori posted 1 patch 2 weeks, 1 day ago
There is a newer version of this series
rust/kernel/i2c.rs | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
[PATCH] i2c: rust: fix I2cAdapter refcounts double increment
Posted by Nicolás Antinori 2 weeks, 1 day ago 
When `I2cAdapter::get` executes, it first calls
`bindings::i2c_get_adapter()` which increments the device and module
reference counts. It then takes a reference to the raw pointer and
converts it to an `ARef` via `.into()`.

The implementation of `From<&T> for ARef<T>` where `T: AlwaysRefCounted`
unconditionally calls `T::inc_ref()`. This leads to a second call to
`bindings::i2c_get_adapter()` inside `I2cAdapter::inc_ref()`.

Since the returned `ARef` will only release a single reference when
dropped via `dec_ref()`, this leaks one device and module reference count
on every call.

This fix was suggested by sashiko.dev.

Signed-off-by: Nicolás Antinori <nico.antinori.7@gmail.com>
---
 rust/kernel/i2c.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/rust/kernel/i2c.rs b/rust/kernel/i2c.rs
index 7b908f0c5a58..ca6476cf4399 100644
--- a/rust/kernel/i2c.rs
+++ b/rust/kernel/i2c.rs
@@ -405,7 +405,11 @@ pub fn get(index: i32) -> Result<ARef<Self>> {
 
         // SAFETY: `adapter` is non-null and points to a live `i2c_adapter`.
         // `I2cAdapter` is #[repr(transparent)], so this cast is valid.
-        Ok(unsafe { (&*adapter.as_ptr().cast::<I2cAdapter<device::Normal>>()).into() })
+        Ok(unsafe {
+            ARef::from_raw(NonNull::new_unchecked(
+                adapter.as_ptr().cast::<I2cAdapter<device::Normal>>(),
+            ))
+        })
     }
 }
 
-- 
2.53.0
Re: [PATCH] i2c: rust: fix I2cAdapter refcounts double increment
Posted by Onur Özkan 2 weeks ago 
Hi Nicolás

On Sun, 24 May 2026 15:11:50 -0300
Nicolás Antinori <nico.antinori.7@gmail.com> wrote:

> When `I2cAdapter::get` executes, it first calls
> `bindings::i2c_get_adapter()` which increments the device and module
> reference counts. It then takes a reference to the raw pointer and
> converts it to an `ARef` via `.into()`.
> 
> The implementation of `From<&T> for ARef<T>` where `T: AlwaysRefCounted`
> unconditionally calls `T::inc_ref()`. This leads to a second call to
> `bindings::i2c_get_adapter()` inside `I2cAdapter::inc_ref()`.
> 
> Since the returned `ARef` will only release a single reference when
> dropped via `dec_ref()`, this leaks one device and module reference count
> on every call.
> 
> This fix was suggested by sashiko.dev.

Including the link tag would be great.

> 
> Signed-off-by: Nicolás Antinori <nico.antinori.7@gmail.com>
> ---
>  rust/kernel/i2c.rs | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/rust/kernel/i2c.rs b/rust/kernel/i2c.rs
> index 7b908f0c5a58..ca6476cf4399 100644
> --- a/rust/kernel/i2c.rs
> +++ b/rust/kernel/i2c.rs
> @@ -405,7 +405,11 @@ pub fn get(index: i32) -> Result<ARef<Self>> {
>  
>          // SAFETY: `adapter` is non-null and points to a live `i2c_adapter`.
>          // `I2cAdapter` is #[repr(transparent)], so this cast is valid.
> -        Ok(unsafe { (&*adapter.as_ptr().cast::<I2cAdapter<device::Normal>>()).into() })
> +        Ok(unsafe {
> +            ARef::from_raw(NonNull::new_unchecked(
> +                adapter.as_ptr().cast::<I2cAdapter<device::Normal>>(),
> +            ))
> +        })
>      }
>  }
>  
> -- 
> 2.53.0
>
Re: [PATCH] i2c: rust: fix I2cAdapter refcounts double increment
Posted by Nicolás Antinori 1 week, 6 days ago 
Hello Onur

On Mon, 25 May 2026 05:56:12 +0300
Onur Özkan <work@onurozkan.dev> wrote:

> Hi Nicolás
> 
> On Sun, 24 May 2026 15:11:50 -0300
> Nicolás Antinori <nico.antinori.7@gmail.com> wrote:
> 
> > When `I2cAdapter::get` executes, it first calls
> > `bindings::i2c_get_adapter()` which increments the device and module
> > reference counts. It then takes a reference to the raw pointer and
> > converts it to an `ARef` via `.into()`.
> > 
> > The implementation of `From<&T> for ARef<T>` where `T:
> > AlwaysRefCounted` unconditionally calls `T::inc_ref()`. This leads
> > to a second call to `bindings::i2c_get_adapter()` inside
> > `I2cAdapter::inc_ref()`.
> > 
> > Since the returned `ARef` will only release a single reference when
> > dropped via `dec_ref()`, this leaks one device and module reference
> > count on every call.
> > 
> > This fix was suggested by sashiko.dev.
> 
> Including the link tag would be great.

I will include the missing Link tag in a v2. Apologies for the
oversight.

Separately, Sashiko reported a critical issue in reply to this patch:
https://sashiko.dev/#/patchset/20260524181151.24988-1-nico.antinori.7@gmail.com?part=1

Since the report indicates this is a pre-existing issue, I believe it 
is better to address it in a separate patch. I will send a v2 for this 
change shortly.

Thank you

> 
> > 
> > Signed-off-by: Nicolás Antinori <nico.antinori.7@gmail.com>
> > ---
> >  rust/kernel/i2c.rs | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> > 
> > diff --git a/rust/kernel/i2c.rs b/rust/kernel/i2c.rs
> > index 7b908f0c5a58..ca6476cf4399 100644
> > --- a/rust/kernel/i2c.rs
> > +++ b/rust/kernel/i2c.rs
> > @@ -405,7 +405,11 @@ pub fn get(index: i32) -> Result<ARef<Self>> {
> >  
> >          // SAFETY: `adapter` is non-null and points to a live
> > `i2c_adapter`. // `I2cAdapter` is #[repr(transparent)], so this
> > cast is valid.
> > -        Ok(unsafe {
> > (&*adapter.as_ptr().cast::<I2cAdapter<device::Normal>>()).into() })
> > +        Ok(unsafe {
> > +            ARef::from_raw(NonNull::new_unchecked(
> > +
> > adapter.as_ptr().cast::<I2cAdapter<device::Normal>>(),
> > +            ))
> > +        })
> >      }
> >  }
> >  
> > -- 
> > 2.53.0
> >

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.