Re: BUG: KASAN: i2c dev use after free

From: Anders Roxell
Date: Wed Mar 06 2019 - 12:28:47 EST


On Mon, 4 Mar 2019 at 16:37, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
>
> I wasn't trying to fix anything so complicated as this, it was a
> more obvious use after free. It does feel intuitively that we should
> call device_destroy() before the cdev_del() so that it's in the reverse
> order from how it was allocated but I don't see any reason to think
> that will make a difference.

No, that didn't make any difference... =/

>
> ---
> drivers/i2c/i2c-dev.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
> index 3f7b9af11137..7e85e2cf26c1 100644
> --- a/drivers/i2c/i2c-dev.c
> +++ b/drivers/i2c/i2c-dev.c
> @@ -687,9 +687,9 @@ static int i2cdev_detach_adapter(struct device *dev, void *dummy)
> if (!i2c_dev) /* attach_adapter must have failed */
> return 0;
>
> + device_destroy(i2c_dev_class, MKDEV(I2C_MAJOR, adap->nr));
> cdev_del(&i2c_dev->cdev);
> put_i2c_dev(i2c_dev);
> - device_destroy(i2c_dev_class, MKDEV(I2C_MAJOR, adap->nr));
>
> pr_debug("i2c-dev: adapter [%s] unregistered\n", adap->name);
> return 0;
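
Review bot: put_i2c_dev(i2c_dev) still runs directly after cdev_del(&i2c_dev->cdev) in i2cdev_detach_adapter(), so this reorder does not change the lifetime of the cdev embedded in i2c_dev. cdev_del() only stops new opens; a file that is already open keeps using the cdev after it returns. If put_i2c_dev() drops the last reference and frees i2c_dev, that memory can still be reached through the open file wherever device_destroy() is called. Consider tying the free of i2c_dev to a release callback that runs only once the cdev's last reference is gone (for instance by making the device the parent of the cdev's kobject), and say in the changelog which ordering guarantee the new sequence is meant to provide.
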
> --
> 2.17.1
>