Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()

[ Upstream commit eb988e46da2e4eae89f5337e047ce372fe33d5b1 ] The put_device() calls rmi_release_function() which frees "fn" so the dereference on the next line "fn->num_of_irqs" is a use after free. Move the put_device() to the end to fix this. Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Link: https://lore.kernel.org/r/706efd36-7561-42f3-adfa-dd1d0bd4f5a1@moroto.mountain Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Dan Carpenter <dan.carpenter@linaro.org> 2023-10-29 02:53:36 +0000
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-11-20 10:30:15 +0100
commit: 50d12253666195a14c6cd2b81c376e2dbeedbdff (patch)
tree: 88081a7aaff2288bef355b840d14738f8872beb6
parent: e3677bfcbbcb368f0b4ea4306dbc8c035b86f8b8 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/input/rmi4/rmi_bus.c b/drivers/input/rmi4/rmi_bus.c
index af706a583656..1e3aaff310c9 100644
--- a/drivers/input/rmi4/rmi_bus.c
+++ b/drivers/input/rmi4/rmi_bus.c
@@ -276,11 +276,11 @@ void rmi_unregister_function(struct rmi_function *fn)
 
 	device_del(&fn->dev);
 	of_node_put(fn->dev.of_node);
-	put_device(&fn->dev);
 
 	for (i = 0; i < fn->num_of_irqs; i++)
 		irq_dispose_mapping(fn->irq[i]);
 
+	put_device(&fn->dev);
 }
 
 /**
author	Dan Carpenter <dan.carpenter@linaro.org>	2023-10-29 02:53:36 +0000
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2023-11-20 10:30:15 +0100
commit	50d12253666195a14c6cd2b81c376e2dbeedbdff (patch)
tree	88081a7aaff2288bef355b840d14738f8872beb6
parent	e3677bfcbbcb368f0b4ea4306dbc8c035b86f8b8 (diff)