From patchwork Sat May 28 05:01:46 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dan Carpenter <dan.carpenter@oracle.com>
X-Patchwork-Id: 627388
Return-Path: <linux-i2c-owner@vger.kernel.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3rGrN571TPz9t3v
	for <incoming@patchwork.ozlabs.org>;
	Sat, 28 May 2016 15:02:13 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751509AbcE1FCL (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);
	Sat, 28 May 2016 01:02:11 -0400
Received: from userp1040.oracle.com ([156.151.31.81]:23804 "EHLO
	userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751468AbcE1FCK (ORCPT
	<rfc822; linux-i2c@vger.kernel.org>); Sat, 28 May 2016 01:02:10 -0400
Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234])
	by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2)
	with ESMTP id u4S51sHP027965
	(version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
	Sat, 28 May 2016 05:01:55 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72])
	by aserv0022.oracle.com (8.13.8/8.13.8) with ESMTP id u4S51rYp022176
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
	Sat, 28 May 2016 05:01:54 GMT
Received: from abhmp0002.oracle.com (abhmp0002.oracle.com [141.146.116.8])
	by userv0121.oracle.com (8.13.8/8.13.8) with ESMTP id u4S51q8q030033;
	Sat, 28 May 2016 05:01:52 GMT
Received: from mwanda (/154.0.139.178)
	by default (Oracle Beehive Gateway v4.0)
	with ESMTP ; Fri, 27 May 2016 22:01:52 -0700
Date: Sat, 28 May 2016 08:01:46 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Wolfram Sang <wsa@the-dreams.de>,
	Erico Nunes <erico.nunes@datacom.ind.br>
Cc: linux-i2c@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] i2c: dev: use after free in detach
Message-ID: <20160528050146.GC4107@mwanda>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.6.0 (2016-04-01)
X-Source-IP: aserv0022.oracle.com [141.146.126.234]
Sender: linux-i2c-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-i2c.vger.kernel.org>
X-Mailing-List: linux-i2c@vger.kernel.org

The call to return_i2c_dev() frees "i2c_dev" so there is a use after
free when we call cdev_del(&i2c_dev->cdev).

Fixes: d6760b14d4a1 ('i2c: dev: switch from register_chrdev to cdev API')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
To unsubscribe from this list: send the line "unsubscribe linux-i2c" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
index 2562a45..3bf4f0d 100644
--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -592,9 +592,9 @@ static int i2cdev_detach_adapter(struct device *dev, void *dummy)
 	if (!i2c_dev) /* attach_adapter must have failed */
 		return 0;
 
+	cdev_del(&i2c_dev->cdev);
 	return_i2c_dev(i2c_dev);
 	device_destroy(i2c_dev_class, MKDEV(I2C_MAJOR, adap->nr));
-	cdev_del(&i2c_dev->cdev);
 
 	pr_debug("i2c-dev: adapter [%s] unregistered\n", adap->name);
 	return 0;