Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()

Dan Carpenter · dtor · commit eb988e46da2e · 2023-10-29T02:54:52.000Z
The put_device() calls rmi_release_function() which frees "fn" so the dereference on the next line "fn->num_of_irqs" is a use after free. Move the put_device() to the end to fix this. Fixes: 24d28e4 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Link: https://lore.kernel.org/r/706efd36-7561-42f3-adfa-dd1d0bd4f5a1@moroto.mountain Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
diff --git a/drivers/input/rmi4/rmi_bus.c b/drivers/input/rmi4/rmi_bus.c
@@ -277,11 +277,11 @@ void rmi_unregister_function(struct rmi_function *fn)
 
 	device_del(&fn->dev);
 	of_node_put(fn->dev.of_node);
-	put_device(&fn->dev);
 
 	for (i = 0; i < fn->num_of_irqs; i++)
 		irq_dispose_mapping(fn->irq[i]);
 
+	put_device(&fn->dev);
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -277,11 +277,11 @@ void rmi_unregister_function(struct rmi_function *fn)`
`277`	`277`
`278`	`278`	`device_del(&fn->dev);`
`279`	`279`	`of_node_put(fn->dev.of_node);`
`280`		`- put_device(&fn->dev);`
`281`	`280`
`282`	`281`	`for (i = 0; i < fn->num_of_irqs; i++)`
`283`	`282`	`irq_dispose_mapping(fn->irq[i]);`
`284`	`283`
	`284`	`+ put_device(&fn->dev);`
`285`	`285`	`}`
`286`	`286`
`287`	`287`	`/**`