[PATCH] firmware: imx: Fix device context UAF in close
Harshit Mogalapalli
harshit.m.mogalapalli at oracle.com
Thu Jun 11 04:05:22 PDT 2026
se_if_fops_close() frees dev_ctx while still inside a
scoped_cond_guard() that holds dev_ctx->fops_lock. During the cleanup
phase it would do a mutex_unlock(dev_ctx->fops_lock) leading to UAF.
Fix it by freeing dev_ctx only after leaving the guarded scope.
Fixes: 2768fdfd5585 ("firmware: drivers: imx: adds miscdev")
Reported-by: sashiko-bot at kernel.org
Closes: https://lore.kernel.org/all/20260528094337.9C1D41F00A3A@smtp.kernel.org/
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli at oracle.com>
---
Only compile tested.
drivers/firmware/imx/se_ctrl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/firmware/imx/se_ctrl.c b/drivers/firmware/imx/se_ctrl.c
index 8fab3b7767b7..fc3bbd1788bd 100644
--- a/drivers/firmware/imx/se_ctrl.c
+++ b/drivers/firmware/imx/se_ctrl.c
@@ -887,9 +887,10 @@ static int se_if_fops_close(struct inode *nd, struct file *fp)
list_del(&dev_ctx->link);
kfree(dev_ctx->devname);
- kfree(dev_ctx);
}
+ kfree(dev_ctx);
+
return 0;
}
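Review bot: the relocated kfree(dev_ctx) is now unconditional, but the hunk context does not show whether the block closed by the `}` at the end of the removed line's scope is entered on every path of scoped_cond_guard(), so please confirm that dev_ctx is still freed exactly once on every exit of se_if_fops_close(), including whatever happens when the conditional guard cannot take fops_lock (if that path returns early, the free is skipped; if it falls through, dev_ctx must not be freed twice). The fix itself is sound as far as the visible lines go: the guard's cleanup unlocks dev_ctx->fops_lock at scope exit, and moving the free past that point removes the unlock-after-free. It would help reviewers if the commit message stated that ordering explicitly ("the guard releases the mutex at end of scope, so the free has to come after the closing brace"), and the extra `+` blank line after the free is fine stylistically but could be dropped to keep the diff minimal.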
--
2.50.1