[PATCH v2] wmi/core: fix use-after-free in wmi_add_device()
From: yahia
Date: Mon Jun 22 2026 - 15:06:10 EST
From: yahia ahmed <yahia.a.abdrabou@xxxxxxxxx>
Hi Armin,
You are correct about kzalloc_obj overriding wblock and
I apologize. However, there is a different use-after-free,
specifically in the wmi_add_device() function, where if device_add()
fails, the function forwards the return code, then the caller
function parse_wdg() frees wblock from memory, but doesn't remove
wblock from pdev's list, thus if pdev calls wblock for any reason
like suspension or similar activities, it will call freed memory,
hence the use-after-free.
I propose to fix this by adding a device_link_del() call
if device_add() fails, to remove wblock from pdev's
list, thus avoiding a possible use-after-free.
Signed-off-by: yahia ahmed <yahia.a.abdrabou@xxxxxxxxx>
---
drivers/platform/wmi/core.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/platform/wmi/core.c b/drivers/platform/wmi/core.c
index 5a2ffcbab6af..8c9b7ac2e5d8 100644
--- a/drivers/platform/wmi/core.c
+++ b/drivers/platform/wmi/core.c
@@ -1261,6 +1261,7 @@ static int wmi_create_device(struct device *wmi_bus_dev,
static int wmi_add_device(struct platform_device *pdev, struct wmi_device *wdev)
{
struct device_link *link;
+ int ret;
/*
* Many aggregate WMI drivers do not use -EPROBE_DEFER when they
@@ -1275,7 +1276,11 @@ static int wmi_add_device(struct platform_device *pdev, struct wmi_device *wdev)
if (!link)
return -EINVAL;
- return device_add(&wdev->dev);
+ ret = device_add(&wdev->dev);
+
+ if (ret)
+ device_link_del(link);
+ return ret;
}
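Review bot: the blank line between `ret = device_add(&wdev->dev);` and `if (ret)` splits a call from its error check; the usual kernel layout keeps them together and puts the blank line before the final `return ret;`, i.e. `ret = device_add(&wdev->dev);` / `if (ret)` / `device_link_del(link);` / (blank) / `return ret;`. The flags passed to device_link_add() are outside this hunk, so it would help to state in the commit message that the link is not created with an auto-remove flag, which is what makes an explicit device_link_del() on the error path the right cleanup.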
@@ -1418,7 +1424,7 @@ static int wmi_notify_device(struct device *dev, void *data)
return 0;
/* The ACPI WMI specification says that _WED should be
- * evaluated every time an notification is received, even
+ * evaluated every time a notification is received, even
* if no consumers are present.
*
* Some firmware implementations actually depend on this
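Review bot: the `an notification` to `a notification` change in wmi_notify_device() is an unrelated comment typo fix bundled into a use-after-free fix; it should be split into its own patch so the functional change stays minimal and easy to backport.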
--
2.54.0