i2c: Fix a potential use after free

thefossguy-ciq · thefossguy-ciq · commit f85f16c42df6 · 2025-07-24T16:24:59.000+05:30
jira VULN-33 cve CVE-2019-25162 commit-author Xu Wang <vulab@iscas.ac.cn> commit e4c72c0 Free the adap structure only after we are done using it. This patch just moves the put_device() down a bit to avoid the use after free. Fixes: 611e12e ("i2c: core: manage i2c bus device refcount in i2c_[get|put]_adapter") Signed-off-by: Xu Wang <vulab@iscas.ac.cn> [wsa: added comment to the code, added Fixes tag] Signed-off-by: Wolfram Sang <wsa@kernel.org> (cherry picked from commit e4c72c0) Signed-off-by: Pratham Patel <ppatel@ciq.com>
diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c
@@ -2467,8 +2467,9 @@ void i2c_put_adapter(struct i2c_adapter *adap)
 	if (!adap)
 		return;
 
-	put_device(&adap->dev);
 	module_put(adap->owner);
+	/* Should be last, otherwise we risk use-after-free with 'adap' */
+	put_device(&adap->dev);
 }
 EXPORT_SYMBOL(i2c_put_adapter);
 

Original file line number	Diff line number	Diff line change
`@@ -2467,8 +2467,9 @@ void i2c_put_adapter(struct i2c_adapter *adap)`
`2467`	`2467`	`if (!adap)`
`2468`	`2468`	`return;`
`2469`	`2469`
`2470`		`- put_device(&adap->dev);`
`2471`	`2470`	`module_put(adap->owner);`
	`2471`	`+ /* Should be last, otherwise we risk use-after-free with 'adap' */`
	`2472`	`+ put_device(&adap->dev);`
`2472`	`2473`	`}`
`2473`	`2474`	`EXPORT_SYMBOL(i2c_put_adapter);`
`2474`	`2475`