[PATCH] mtd: docg3: fix use-after-free in docg3_release()

Miquel Raynal miquel.raynal at bootlin.com
Wed Mar 11 08:25:47 PDT 2026


On Mon, 09 Mar 2026 15:05:12 +0900, James Kim wrote:
> In docg3_release(), the docg3 pointer is obtained from
> cascade->floors[0]->priv before the loop that calls
> doc_release_device() on each floor. doc_release_device() frees the
> docg3 struct via kfree(docg3) at line 1881. After the loop,
> docg3->cascade->bch dereferences the already-freed pointer.
> 
> Fix this by accessing cascade->bch directly, which is equivalent
> since docg3->cascade points back to the same cascade struct, and
> is already available as a local variable. This also removes the
> now-unused docg3 local variable.
> 
> [...]

Applied to mtd/next, thanks!

[1/1] mtd: docg3: fix use-after-free in docg3_release()
      commit: ca19808bc6fac7e29420d8508df569b346b3e339

Patch(es) should be available on mtd/linux.git and will be
part of the next PR (provided that no robot complains by then).

Kind regards,
Miquèl
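The quoted commit message describes the classic shape of this bug: a pointer is saved before a loop, the loop frees the object it points to, and the saved pointer is dereferenced afterwards. The following is an added example written for this page, not code from the docg3 driver or from the patch; the struct layouts (`docg3`, `floor_dev`, `docg3_cascade`), `tracked_kfree()` and `build_cascade()` are constructed stand-ins. Instead of really freeing memory (which would make the dangling read undefined behaviour), `tracked_kfree()` quarantines freed pointers so the "before" and "after" release paths can each report whether their final read went through freed memory, much as KASAN would flag it in a real kernel.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins (hypothetical layout): only the fields the commit
 * message mentions, not the real docg3 structs. */
#define NFLOORS 2

struct docg3_cascade;

struct docg3 {
    struct docg3_cascade *cascade;  /* back-pointer to the owning cascade */
    int floor;
};

struct floor_dev {                  /* stand-in for the per-floor device */
    struct docg3 *priv;
};

struct docg3_cascade {
    struct floor_dev *floors[NFLOORS];
    void *bch;                      /* stand-in for the shared BCH state */
};

/* Quarantine playing the role of kfree() plus a sanitizer: freed pointers are
 * remembered and never reused, so a later access through one is detectable
 * deterministically instead of being undefined behaviour. */
#define MAX_FREED 16
static const void *freed_ptrs[MAX_FREED];
static int nfreed;

static void tracked_kfree(void *p)
{
    if (nfreed < MAX_FREED)
        freed_ptrs[nfreed++] = p;
}

static bool is_freed(const void *p)
{
    for (int i = 0; i < nfreed; i++)
        if (freed_ptrs[i] == p)
            return true;
    return false;
}

static void reset_tracker(void) { nfreed = 0; }

/* Mirrors the behaviour in the message: releasing a floor frees its docg3. */
static void doc_release_device(struct floor_dev *floor)
{
    tracked_kfree(floor->priv);
}

/* "Before": docg3 is taken from floor 0, every floor is released (freeing
 * floor 0's docg3 too), then the back-pointer is followed. Returns true when
 * that final read went through freed memory. */
static bool docg3_release_buggy(struct docg3_cascade *cascade, void **bch_out)
{
    struct docg3 *docg3 = cascade->floors[0]->priv;

    for (int i = 0; i < NFLOORS; i++)
        doc_release_device(cascade->floors[i]);

    bool dangling = is_freed(docg3);
    *bch_out = docg3->cascade->bch;  /* use-after-free in the real driver */
    return dangling;
}

/* "After": the cascade is a live local, so read bch from it directly and
 * drop the docg3 local. Same check as above, now false. */
static bool docg3_release_fixed(struct docg3_cascade *cascade, void **bch_out)
{
    for (int i = 0; i < NFLOORS; i++)
        doc_release_device(cascade->floors[i]);

    bool dangling = is_freed(cascade);
    *bch_out = cascade->bch;
    return dangling;
}

/* Builds a cascade whose floors each own a docg3 pointing back at it. */
static struct docg3_cascade *build_cascade(void)
{
    static int bch_state;  /* any non-NULL marker for the shared BCH state */
    struct docg3_cascade *cascade = calloc(1, sizeof(*cascade));

    cascade->bch = &bch_state;
    for (int i = 0; i < NFLOORS; i++) {
        struct floor_dev *fd = calloc(1, sizeof(*fd));
        struct docg3 *d = calloc(1, sizeof(*d));
        d->cascade = cascade;
        d->floor = i;
        fd->priv = d;
        cascade->floors[i] = fd;
    }
    return cascade;
}

int main(void)
{
    void *bch;

    reset_tracker();
    printf("buggy release reads freed memory: %s\n",
           docg3_release_buggy(build_cascade(), &bch) ? "yes" : "no");
    reset_tracker();
    printf("fixed release reads freed memory: %s\n",
           docg3_release_fixed(build_cascade(), &bch) ? "yes" : "no");
    return 0;
}
```

The value read is identical in both paths, which is why this kind of bug survives plain testing: the freed page is usually still intact when it is read, so only a quarantining allocator or KASAN makes the dangling read visible. The fix removes the dangling pointer rather than reordering the read, so it stays correct even if the per-floor release later changes what it frees.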