Re: [PATCH] hwmon: asus_atk0110: NULL buf.pointer after free
From: Purva Yeshi
Date: Fri Apr 11 2025 - 02:59:28 EST
On 11/04/25 01:34, Guenter Roeck wrote:
On Fri, Apr 11, 2025 at 12:04:50AM +0530, Purva Yeshi wrote:
Fix Smatch-detected issue:
drivers/hwmon/asus_atk0110.c:987 atk_enumerate_old_hwmon() error:
double free of 'buf.pointer' (line 966)
drivers/hwmon/asus_atk0110.c:1008 atk_enumerate_old_hwmon() error:
double free of 'buf.pointer' (line 987)
Smatch warns about double free of 'buf.pointer'.
This happens because the same buffer struct is reused multiple times
without resetting the pointer after free. Set buf.pointer = NULL
after each ACPI_FREE to prevent possible use-after-free bugs.
Signed-off-by: Purva Yeshi <purvayeshi550@xxxxxxxxx>
---
drivers/hwmon/asus_atk0110.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/hwmon/asus_atk0110.c b/drivers/hwmon/asus_atk0110.c
index c80350e499e9..83ee7f25bb8e 100644
--- a/drivers/hwmon/asus_atk0110.c
+++ b/drivers/hwmon/asus_atk0110.c
@@ -964,6 +964,7 @@ static int atk_enumerate_old_hwmon(struct atk_data *data)
count++;
}
ACPI_FREE(buf.pointer);
+ buf.pointer = NULL;
/* Temperatures */
buf.length = ACPI_ALLOCATE_BUFFER;
@@ -985,6 +986,7 @@ static int atk_enumerate_old_hwmon(struct atk_data *data)
count++;
}
ACPI_FREE(buf.pointer);
+ buf.pointer = NULL;
/* Fans */
buf.length = ACPI_ALLOCATE_BUFFER;
buf.length is set to ACPI_ALLOCATE_BUFFER to trigger buffer
allocation in acpi_evaluate_object_typed(). The old content of
buf.pointer is irrelevant (and not initialized to start with
in the first call). The problem you describe does not exist.
Guenter
Thank you for the clarification, Guenter. I appreciate your review.
@@ -1006,6 +1008,7 @@ static int atk_enumerate_old_hwmon(struct atk_data *data)
count++;
}
ACPI_FREE(buf.pointer);
+ buf.pointer = NULL;
return count;
}
--
2.34.1
Best regards,
Purva