i2c: Fix a potential use after free

thefossguy-ciq · thefossguy-ciq · commit d93daad95942 · 2025-07-28T19:40:55.000+05:30
jira VULN-1497 cve CVE-2019-25162 commit-author Xu Wang <vulab@iscas.ac.cn> commit e4c72c0 upstream-diff There was a merge conflict because the file drivers/i2c/i2c-core.c was renamed to drivers/i2c/i2c-core-base.c in 91ed534 ("i2c: rename core source file to allow refactorization"). Free the adap structure only after we are done using it. This patch just moves the put_device() down a bit to avoid the use after free. Fixes: 611e12e ("i2c: core: manage i2c bus device refcount in i2c_[get|put]_adapter") Signed-off-by: Xu Wang <vulab@iscas.ac.cn> [wsa: added comment to the code, added Fixes tag] Signed-off-by: Wolfram Sang <wsa@kernel.org> (cherry picked from commit e4c72c0) Signed-off-by: Pratham Patel <ppatel@ciq.com>
diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c
@@ -2775,8 +2775,9 @@ void i2c_put_adapter(struct i2c_adapter *adap)
 	if (!adap)
 		return;
 
-	put_device(&adap->dev);
 	module_put(adap->owner);
+	/* Should be last, otherwise we risk use-after-free with 'adap' */
+	put_device(&adap->dev);
 }
 EXPORT_SYMBOL(i2c_put_adapter);
 

Original file line number	Diff line number	Diff line change
`@@ -2775,8 +2775,9 @@ void i2c_put_adapter(struct i2c_adapter *adap)`
`2775`	`2775`	`if (!adap)`
`2776`	`2776`	`return;`
`2777`	`2777`
`2778`		`- put_device(&adap->dev);`
`2779`	`2778`	`module_put(adap->owner);`
	`2779`	`+ /* Should be last, otherwise we risk use-after-free with 'adap' */`
	`2780`	`+ put_device(&adap->dev);`
`2780`	`2781`	`}`
`2781`	`2782`	`EXPORT_SYMBOL(i2c_put_adapter);`
`2782`	`2783`