i2c: dev: use after free in detach
The call to put_i2c_dev() frees "i2c_dev" so there is a use after
free when we call cdev_del(&i2c_dev->cdev).
Fixes: d6760b14d4
('i2c: dev: switch from register_chrdev to cdev API')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
This commit is contained in:
parent
ed2608faa0
commit
e6be18f6d6
|
@ -592,9 +592,9 @@ static int i2cdev_detach_adapter(struct device *dev, void *dummy)
|
||||||
if (!i2c_dev) /* attach_adapter must have failed */
|
if (!i2c_dev) /* attach_adapter must have failed */
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
cdev_del(&i2c_dev->cdev);
|
||||||
put_i2c_dev(i2c_dev);
|
put_i2c_dev(i2c_dev);
|
||||||
device_destroy(i2c_dev_class, MKDEV(I2C_MAJOR, adap->nr));
|
device_destroy(i2c_dev_class, MKDEV(I2C_MAJOR, adap->nr));
|
||||||
cdev_del(&i2c_dev->cdev);
|
|
||||||
|
|
||||||
pr_debug("i2c-dev: adapter [%s] unregistered\n", adap->name);
|
pr_debug("i2c-dev: adapter [%s] unregistered\n", adap->name);
|
||||||
return 0;
|
return 0;
|
||||||
|
|
Loading…
Reference in New Issue