Re: BUG: KASAN: i2c dev use after free

From: Dan Carpenter
Date: Mon Mar 04 2019 - 10:37:40 EST


I wasn't trying to fix anything so complicated as this; it was a
more obvious use after free. It does feel intuitively that we should
call device_destroy() before the cdev_del() so that it's in the reverse
order from how it was allocated, but I don't see any reason to think
that will make a difference.

---
drivers/i2c/i2c-dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
index 3f7b9af11137..7e85e2cf26c1 100644
--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -687,9 +687,9 @@ static int i2cdev_detach_adapter(struct device *dev, void *dummy)
if (!i2c_dev) /* attach_adapter must have failed */
return 0;

+ device_destroy(i2c_dev_class, MKDEV(I2C_MAJOR, adap->nr));
cdev_del(&i2c_dev->cdev);
put_i2c_dev(i2c_dev);
- device_destroy(i2c_dev_class, MKDEV(I2C_MAJOR, adap->nr));

pr_debug("i2c-dev: adapter [%s] unregistered\n", adap->name);
return 0;
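Review bot: The reorder in i2cdev_detach_adapter() has no changelog saying which object is freed and which access trips KASAN, and the message itself says the move is not expected to make a difference, so the patch cannot be judged as a fix as posted. Please add the relevant part of the KASAN report and a sentence on why `device_destroy(i2c_dev_class, MKDEV(I2C_MAJOR, adap->nr));` has to run before `cdev_del(&i2c_dev->cdev);`. Note also that `cdev_del()` still precedes `put_i2c_dev(i2c_dev)` and the cdev is embedded in i2c_dev, so if the report concerns the lifetime of that embedded cdev, this hunk leaves that ordering unchanged. If the only aim is teardown in reverse order of setup, say so and drop the implication that it addresses the report. The patch also needs a Signed-off-by line before it can be applied.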
--
2.17.1