i2c: dev: use after free in detach
author Dan Carpenter <dan.carpenter@oracle.com>
Sat, 28 May 2016 05:01:46 +0000 (08:01 +0300)
committer Wolfram Sang <wsa@the-dreams.de>
Sat, 28 May 2016 15:37:42 +0000 (17:37 +0200)
The call to put_i2c_dev() frees "i2c_dev" so there is a use after
free when we call cdev_del(&i2c_dev->cdev).

Fixes: d6760b14d4a1 ('i2c: dev: switch from register_chrdev to cdev API')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
drivers/i2c/i2c-dev.c

index 89593dcb79f0327f7ba3c2f3092ee51cefe1551d..6ecfd76270f2769fe5c9b0c21554977eeb563ccb 100644 (file)
@@ -592,9 +592,9 @@ static int i2cdev_detach_adapter(struct device *dev, void *dummy)
        if (!i2c_dev) /* attach_adapter must have failed */
                return 0;
 
+       cdev_del(&i2c_dev->cdev);
        put_i2c_dev(i2c_dev);
        device_destroy(i2c_dev_class, MKDEV(I2C_MAJOR, adap->nr));
-       cdev_del(&i2c_dev->cdev);
 
        pr_debug("i2c-dev: adapter [%s] unregistered\n", adap->name);
        return 0;
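
Review bot: nothing in i2cdev_detach_adapter() records that put_i2c_dev(i2c_dev) must stay the last use of i2c_dev, so a later reordering of these three teardown calls could reintroduce the same use after free. Per the commit message, put_i2c_dev() frees i2c_dev; a short comment directly above put_i2c_dev(i2c_dev) stating that i2c_dev must not be dereferenced after this point would make the constraint explicit. The device_destroy(i2c_dev_class, MKDEV(I2C_MAJOR, adap->nr)) call that follows only reads adap->nr, so it is safe where it is.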