[PATCH v3] wmi/core: fix use-after-free in wmi_add_device()

Next message: Samiullah Khawaja: "Re: [PATCH v3 07/18] iommu/vt-d: Implement device and iommu preserve/unpreserve ops"
Previous message: Stephen Smalley: "Re: [PATCH] selinux: fix NULL pointer dereference in selinux_sctp_bind_connect()"
In reply to: yahia: "[PATCH v2] wmi/core: fix use-after-free in wmi_add_device()"
Next in thread: Armin Wolf: "Re: [PATCH v3] wmi/core: fix use-after-free in wmi_add_device()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: yahia

Date: Mon Jun 22 2026 - 15:18:55 EST

From: yahia ahmed <yahia.a.abdrabou@xxxxxxxxx>

Fix a use-after-free error in wmi_add_device()
where if a device_add() fails, it will forward
the error code to the caller function parse_wdg(),
which then frees wblock, but doesn't remove it From
pdev's list, thus if pdev were to call it, it will
call freed memory and result in a use-after-free

Signed-off-by: yahia ahmed <yahia.a.abdrabou@xxxxxxxxx>
---
v3:
- Fix corruption in v2
v2:
- Fix use-after-free in wmi_add_device() by using device_link_del()
drivers/platform/wmi/core.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/platform/wmi/core.c b/drivers/platform/wmi/core.c
index 529825dcfbfe..1afc4d12bdfb 100644
--- a/drivers/platform/wmi/core.c
+++ b/drivers/platform/wmi/core.c
@@ -1268,6 +1268,7 @@ static int wmi_create_device(struct device *wmi_bus_dev,
static int wmi_add_device(struct platform_device *pdev, struct wmi_device *wdev)
{
struct device_link *link;
+ int ret;

/*
* Many aggregate WMI drivers do not use -EPROBE_DEFER when they
@@ -1282,7 +1283,11 @@ static int wmi_add_device(struct platform_device *pdev, struct wmi_device *wdev)
if (!link)
return -EINVAL;

- return device_add(&wdev->dev);
+ ret = device_add(&wdev->dev);
+
+ if (ret)
+ device_link_del(link);
+ return ret;
}

/*
--
2.54.0