From: Dan Carpenter <error27@gmail.com>
To: sashiko-reviews@lists.linux.dev
Cc: Frank.Li@kernel.org, imx@lists.linux.dev
Subject: Re: [PATCH next] firmware: imx: fix use after free in init_device_context()
Date: Tue, 19 May 2026 10:09:00 +0300
Message-ID: <agwMjD3sjAaSMIuw@stanley.mountain>
In-Reply-To: <20260519064057.31E09C2BCB3@smtp.kernel.org>

On Tue, May 19, 2026 at 06:40:50AM +0000, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 6 potential issue(s) to consider:
> - [Critical] Unlocking `dev_ctx->fops_lock` after `dev_ctx` has been freed in `se_if_fops_close`.

That's true.  There is a use after free in se_if_fops_close().  Someone
else care to fix this?

> - [Critical] Invalid `kfree()` of an error pointer initialized from `memdup_user()` causes a kernel panic.

The way I remember it, I'm the person who said that __cleanup code
needs to handle error pointers and so far as I can see it still does.

> - [Critical] Direct dereference of a user-space pointer without `copy_from_user()` in `se_chk_tx_msg_hdr()`.

Heh.  Sashiko is smoking crack.

> - [High] Concurrent modifications to the global shared list `priv->dev_ctx_list` leading to memory corruption.
> - [High] Concurrent access to shared `cmd_receiver_clbk_hdl` state in `se_ioctl` causes a memory leak and state corruption.
> - [High] The `.release` file operation uses an interruptible mutex lock, permanently leaking resources if interrupted.
> --

regards,
dan carpenter
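The first finding above, an unlock of `dev_ctx->fops_lock` after `dev_ctx` has already been freed, modelled in user-space C as an added example. This is not the i.MX driver's code and not something posted in the thread: the names `dev_ctx` and `fops_lock` follow the review, while the slot pool, the poisoning `ctx_free()`, the `mutex_model` type and the two `close_*` functions are assumptions made for illustration. Freed slots stay addressable here, so the read of poisoned memory is observable instead of undefined behaviour; the corrected ordering is shown beside the flagged one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b            /* byte SLUB writes over freed objects */
#define LOCK_MAGIC  0x4c4f434bu     /* marker an intact mutex carries */
#define POOL_SLOTS  4

/* Stand-in for struct mutex: the magic word is what poisoning destroys. */
struct mutex_model {
	uint32_t magic;
	int locked;
};

/* Stand-in for the driver's per-open context (assumed shape, not the real one). */
struct dev_ctx {
	struct mutex_model fops_lock;
	char devname[16];
};

/* Fixed-size pool in place of the slab: freed slots remain addressable, so
 * touching them after free is detectable here rather than undefined. */
static struct dev_ctx pool[POOL_SLOTS];
static int slot_used[POOL_SLOTS];

static struct dev_ctx *ctx_alloc(const char *devname)
{
	for (int i = 0; i < POOL_SLOTS; i++) {
		if (slot_used[i])
			continue;
		slot_used[i] = 1;
		memset(&pool[i], 0, sizeof pool[i]);
		pool[i].fops_lock.magic = LOCK_MAGIC;
		snprintf(pool[i].devname, sizeof pool[i].devname, "%s", devname);
		return &pool[i];
	}
	return NULL;
}

/* kfree() stand-in: poison the whole object the way slub_debug=P would. */
static void ctx_free(struct dev_ctx *ctx)
{
	memset(ctx, POISON_FREE, sizeof *ctx);
	slot_used[ctx - pool] = 0;
}

static int mutex_lock_model(struct mutex_model *m)
{
	if (m->magic != LOCK_MAGIC || m->locked)
		return -1;
	m->locked = 1;
	return 0;
}

/* Returns -1 when the word it is asked to unlock is no longer a live mutex. */
static int mutex_unlock_model(struct mutex_model *m)
{
	if (m->magic != LOCK_MAGIC || !m->locked)
		return -1;
	m->locked = 0;
	return 0;
}

/* Ordering the review flagged: free the object while holding its lock,
 * then unlock through the freed object.  The unlock reads poison. */
int close_unlock_after_free(struct dev_ctx *ctx)
{
	if (mutex_lock_model(&ctx->fops_lock))
		return -1;
	ctx_free(ctx);
	return mutex_unlock_model(&ctx->fops_lock);   /* use after free */
}

/* Corrected ordering: release the lock first, then free the object. */
int close_unlock_then_free(struct dev_ctx *ctx)
{
	if (mutex_lock_model(&ctx->fops_lock))
		return -1;
	if (mutex_unlock_model(&ctx->fops_lock))
		return -1;
	ctx_free(ctx);
	return 0;
}

int main(void)
{
	struct dev_ctx *a = ctx_alloc("se0");
	struct dev_ctx *b = ctx_alloc("se1");

	printf("unlock after free: %d\n", close_unlock_after_free(a)); /* -1 */
	printf("unlock then free:  %d\n", close_unlock_then_free(b));  /* 0 */
	return 0;
}
```

In the real kernel the freed slab object can be handed to another allocation before `mutex_unlock()` runs, so the unlock writes into whatever now lives there; KASAN or `slub_debug=P` reports that access as a use-after-free. The fix is purely one of ordering: drop `fops_lock` before `kfree(dev_ctx)`, or move the free out from under the lock entirely.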


Thread overview: 3+ messages
2026-05-19  6:13 [PATCH next] firmware: imx: fix use after free in init_device_context() Dan Carpenter
2026-05-19  6:40 ` sashiko-bot
2026-05-19  7:09   ` Dan Carpenter [this message]