Re: [PATCH] wmi/core Fix use-after-free in parse_wdg()

From: Armin Wolf

Date: Mon Jun 22 2026 - 10:49:46 EST


On 22.06.26 at 02:02, yahia wrote:

From: yahia ahmed <yahia.a.abdrabou@xxxxxxxxx>

Fix use-after-free in parse_wdg() function by
setting wblock to NULL to prevent referencing
freed memory if wblock is freed in the if
(retval) path, and address a minor typo.

Hi,

where exactly does this UAF happen? Keep in mind that kmalloc_obj()
only "dereferences" *wblock to use sizeof() on the type pointed to by
the pointer.

Thanks,
Armin Wolf

Signed-off-by: yahia ahmed <yahia.a.abdrabou@xxxxxxxxx>
---
drivers/platform/wmi/core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/platform/wmi/core.c b/drivers/platform/wmi/core.c
index 5a2ffcbab6af..9b5bd9ef5ba2 100644
--- a/drivers/platform/wmi/core.c
+++ b/drivers/platform/wmi/core.c
@@ -1328,6 +1328,7 @@ static int parse_wdg(struct device *wmi_bus_dev, struct platform_device *pdev)
retval = wmi_create_device(wmi_bus_dev, wblock, device);
if (retval) {
kfree(wblock);
+ wblock = NULL; /* Set wblock to NULL to prevent a use after free */
continue;
}
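Review bot: the added `wblock = NULL;` is a dead store as far as this hunk shows: `continue` follows immediately, and the only later reference the thread identifies is the `sizeof(*wblock)` in kmalloc_obj(), which evaluates the pointee type without reading freed memory. Either name the statement that actually reads `wblock` after `kfree(wblock);` in the commit message, or drop the assignment; the trailing comment only restates the statement and should go either way.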
@@ -1418,7 +1419,7 @@ static int wmi_notify_device(struct device *dev, void *data)
return 0;
/* The ACPI WMI specification says that _WED should be
- * evaluated every time an notification is received, even
+ * evaluated every time a notification is received, even
* if no consumers are present.
*
* Some firmware implementations actually depend on this
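Review bot: the "an notification" to "a notification" comment fix in wmi_notify_device() is unrelated to the parse_wdg() change the subject line describes; send it as a separate patch so the two changes can be reviewed and applied independently, and keep the subject line to one logical change.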