Re: [PATCH] mtd: docg3: fix use-after-free in docg3_release()

Next message: LB F: "Re: [BUG] wifi: rtw88: Hard system freeze on RTL8821CE when power_save is enabled (LPS/ASPM conflict)"
Previous message: Andrew Lunn: "Re: [PATCH net-next 02/11] ethtool: Add loopback netlink UAPI definitions"
In reply to: James Kim: "[PATCH] mtd: docg3: fix use-after-free in docg3_release()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Miquel Raynal

Date: Wed Mar 11 2026 - 11:27:22 EST

On Mon, 09 Mar 2026 15:05:12 +0900, James Kim wrote:
> In docg3_release(), the docg3 pointer is obtained from
> cascade->floors[0]->priv before the loop that calls
> doc_release_device() on each floor. doc_release_device() frees the
> docg3 struct via kfree(docg3) at line 1881. After the loop,
> docg3->cascade->bch dereferences the already-freed pointer.
>
> Fix this by accessing cascade->bch directly, which is equivalent
> since docg3->cascade points back to the same cascade struct, and
> is already available as a local variable. This also removes the
> now-unused docg3 local variable.
>
> [...]

Applied to mtd/next, thanks!

[1/1] mtd: docg3: fix use-after-free in docg3_release()
commit: ca19808bc6fac7e29420d8508df569b346b3e339

Patche(s) should be available on mtd/linux.git and will be
part of the next PR (provided that no robot complains by then).

Kind regards,
Miquèl