i2c: Fix a potential use after free

thefossguy-ciq · thefossguy-ciq · commit 0e0e088681cc · 2025-07-28T19:36:54.000+05:30
jira VULN-28 cve CVE-2019-25162 commit-author Xu Wang <vulab@iscas.ac.cn> commit e4c72c0 Free the adap structure only after we are done using it. This patch just moves the put_device() down a bit to avoid the use after free. Fixes: 611e12e ("i2c: core: manage i2c bus device refcount in i2c_[get|put]_adapter") Signed-off-by: Xu Wang <vulab@iscas.ac.cn> [wsa: added comment to the code, added Fixes tag] Signed-off-by: Wolfram Sang <wsa@kernel.org> (cherry picked from commit e4c72c0) Signed-off-by: Pratham Patel <ppatel@ciq.com>
diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c
@@ -2328,8 +2328,9 @@ void i2c_put_adapter(struct i2c_adapter *adap)
 	if (!adap)
 		return;
 
-	put_device(&adap->dev);
 	module_put(adap->owner);
+	/* Should be last, otherwise we risk use-after-free with 'adap' */
+	put_device(&adap->dev);
 }
 EXPORT_SYMBOL(i2c_put_adapter);
 

Original file line number	Diff line number	Diff line change
`@@ -2328,8 +2328,9 @@ void i2c_put_adapter(struct i2c_adapter *adap)`
`2328`	`2328`	`if (!adap)`
`2329`	`2329`	`return;`
`2330`	`2330`
`2331`		`- put_device(&adap->dev);`
`2332`	`2331`	`module_put(adap->owner);`
	`2332`	`+ /* Should be last, otherwise we risk use-after-free with 'adap' */`
	`2333`	`+ put_device(&adap->dev);`
`2333`	`2334`	`}`
`2334`	`2335`	`EXPORT_SYMBOL(i2c_put_adapter);`
`2335`	`2336`