[PATCH] firmware: dmi-sysfs: fix use-after-free in dmi_system_event_log()
From: Junrui Luo
Date: Sat Feb 28 2026 - 11:23:48 EST
The error path in dmi_system_event_log() uses kfree(entry->child)
after kobject_init_and_add() has initialized the kobject. After
kobject_init_and_add(), even on failure, the kobject holds a reference
and must be cleaned up with kobject_put() rather than a direct kfree().
Furthermore, the caller dmi_sysfs_register_handle() unconditionally
calls kobject_put(entry->child) at its out_err label. When
dmi_system_event_log() has already freed the child, this results in a
use-after-free.
Fix by replacing kfree() with kobject_put() in dmi_system_event_log(),
and splitting the out_err label in dmi_sysfs_register_handle() so that
child cleanup is only performed when sysfs_create_bin_file() fails,
not when dmi_system_event_log() fails.
Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Fixes: 925a1da7477f ("firmware: Break out system_event_log in dmi-sysfs")
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
drivers/firmware/dmi-sysfs.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/firmware/dmi-sysfs.c b/drivers/firmware/dmi-sysfs.c
index cda53d037715..90890c50b5cd 100644
--- a/drivers/firmware/dmi-sysfs.c
+++ b/drivers/firmware/dmi-sysfs.c
@@ -470,7 +470,7 @@ static int dmi_system_event_log(struct dmi_sysfs_entry *entry)
out_del:
kobject_del(entry->child);
out_free:
- kfree(entry->child);
+ kobject_put(entry->child);
return ret;
}
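Review bot: the out_free label no longer frees anything directly, and entry->child is left pointing at an object whose last reference may just have been dropped by kobject_put(entry->child). Consider renaming the label to something like out_put and setting entry->child = NULL after the put, so that no later error path can reuse the stale pointer. The out_del path now runs kobject_del() followed by kobject_put(), which is the expected pairing.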
@@ -626,11 +626,12 @@ static void __init dmi_sysfs_register_handle(const struct dmi_header *dh,
/* Create the raw binary file to access the entry */
*ret = sysfs_create_bin_file(&entry->kobj, &bin_attr_raw);
if (*ret)
- goto out_err;
+ goto out_err_child;
return;
-out_err:
+out_err_child:
kobject_put(entry->child);
+out_err:
kobject_put(&entry->kobj);
return;
}
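Review bot: out_err is now reached without touching entry->child, which is only correct because dmi_system_event_log() drops the child itself on failure, and that contract is not visible at the label. A one-line comment above out_err saying so would keep a future edit from reintroducing the double put. Separately, out_err_child runs kobject_put(entry->child) on every sysfs_create_bin_file() failure, so it relies on entry->child being either NULL or a live kobject at that point; worth confirming for entry types that never set up a child.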
---
base-commit: 4d349ee5c7782f8b27f6cb550f112c5e26fff38d
change-id: 20260301-fixes-0f63da902363
Best regards,
--
Junrui Luo <moonafterrain@xxxxxxxxxxx>
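The ownership rule from the commit message, modelled in user space as an added example (not code from the patch or the kernel). All names are hypothetical, and a `freed` flag stands in for a real free so that each variant of the error path can be counted safely, including the case where only the callee is fixed.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model, all names hypothetical. "freed" stands in for a real
 * free() so the buggy paths can be counted without undefined behaviour. */
struct obj { int refs; bool freed; int uaf; };

/* Like kobject_init_and_add(): a reference is held even on failure. */
static int obj_init_and_add(struct obj *o, bool fail)
{
    o->refs = 1;
    return fail ? -1 : 0;
}

static void obj_put(struct obj *o)
{
    if (o->freed) { o->uaf++; return; }  /* put on freed memory */
    if (--o->refs == 0)
        o->freed = true;                 /* release callback frees it */
}

/* Callee error path: direct free (old) or put (fixed). */
static int child_setup(struct obj *child, bool callee_fixed)
{
    int ret = obj_init_and_add(child, true);  /* force the failure */
    if (ret) {
        if (callee_fixed)
            obj_put(child);
        else
            child->freed = true;              /* kfree(), refcount ignored */
    }
    return ret;
}

/* Caller: the old single label puts the child on every failure; the split
 * label skips that put when the callee failed. Returns the number of
 * accesses to already-freed memory. */
int register_handle(bool callee_fixed, bool caller_fixed)
{
    struct obj child = {0};
    if (child_setup(&child, callee_fixed) && !caller_fixed)
        obj_put(&child);
    return child.uaf;
}

int main(void)
{
    printf("old=%d callee-only=%d both=%d\n", register_handle(false, false),
           register_handle(true, false), register_handle(true, true));
    return 0;
}
```

Fixing only the callee still leaves one access to freed memory, which is why the model needs both changes to reach zero.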