Re: Re [PATCH v3] wmi/core: fix use-after-free in wmi_add_device()

Next message: Farhan Ali: "Re: [PATCH v20 4/4] PCI/MSI: Enable memory decoding before restoring MSI-X messages"
Previous message: Brian Daniels: "[PATCH v4 8/8] media: virtio: Add MAINTAINERS entry"
In reply to: yahia: "Re [PATCH v3] wmi/core: fix use-after-free in wmi_add_device()"
Next in thread: yahia: "Re: Re [PATCH v3] wmi/core: fix use-after-free in wmi_add_device()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Armin Wolf

Date: Mon Jun 22 2026 - 16:50:40 EST

Am 22.06.26 um 22:25 schrieb yahia:

Hi Armin,

As per the documentation, The automatic cleanup is only
triggered if the supplier probes or unbinds

Similarly, when the device link is added from supplier's ``->probe`` callback,
``DL_FLAG_AUTOREMOVE_SUPPLIER`` causes the device link to be automatically
purged when the supplier fails to probe or later unbinds.

To my understanding, the cleanup won't activate
here because we don't unbind pdev nor does the
probe fail.

Best regards,
yahia

True, but the associated wdev will be kept alive by the device link reference.
The cleanup will then happen when the platform driver unbinds.

So IMHO no UAF is taking place here, but we could optimize this by dropping
the flag to let the driver core to delete the device link earlier.

Thanks,
Armin Wolf