[PATCH] firmware: imx: Fix device context UAF in close

From: Harshit Mogalapalli

Date: Thu Jun 11 2026 - 07:06:31 EST


se_if_fops_close() frees dev_ctx while still inside a
scoped_cond_guard() that holds dev_ctx->fops_lock. During the cleanup
phase it would do a mutex_unlock(dev_ctx->fops_lock) leading to UAF.

Fix it by freeing dev_ctx only after leaving the guarded scope.

Fixes: 2768fdfd5585 ("firmware: drivers: imx: adds miscdev")
Reported-by: sashiko-bot@xxxxxxxxxx
Closes: https://lore.kernel.org/all/20260528094337.9C1D41F00A3A@xxxxxxxxxxxxxxx/
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@xxxxxxxxxx>
---
Only compile tested.

drivers/firmware/imx/se_ctrl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/firmware/imx/se_ctrl.c b/drivers/firmware/imx/se_ctrl.c
index 8fab3b7767b7..fc3bbd1788bd 100644
--- a/drivers/firmware/imx/se_ctrl.c
+++ b/drivers/firmware/imx/se_ctrl.c
@@ -887,9 +887,10 @@ static int se_if_fops_close(struct inode *nd, struct file *fp)
list_del(&dev_ctx->link);

kfree(dev_ctx->devname);
- kfree(dev_ctx);
}

+ kfree(dev_ctx);
+
return 0;
}
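Review bot: the relocated `kfree(dev_ctx)` is now unconditional after the closing brace, while the original free was inside the guarded block; the hunk does not show the `scoped_cond_guard()` statement itself, so please confirm that its failure branch (the action taken when the conditional lock is not acquired) leaves the function early. If it instead falls through, the new placement frees `dev_ctx` on a path where `list_del(&dev_ctx->link)` and `kfree(dev_ctx->devname)` were skipped, leaving a freed context on the list. Consider quoting the guard line in the commit message or a comment above the moved `kfree(dev_ctx);` noting that it must stay outside the scope so the guard's `mutex_unlock()` on `dev_ctx->fops_lock` never touches freed memory, which is the point of the fix. The extra blank line added between `kfree(dev_ctx);` and `return 0;` can be dropped.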

--
2.50.1