[PATCH -next] firmware: imx: secure-enclave: fix list UAF in init_device_context()

From: Pankaj Gupta

Date: Fri May 08 2026 - 02:04:37 EST


init_device_context() added a new device context to priv->dev_ctx_list
before calling init_se_shared_mem(). If initialization failed, the
device context was freed without being removed from the list, leaving
behind a dangling list entry.

Move the list insertion until after all fallible initialization has
completed successfully.

Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Closes: https://smatch.sourceforge.net/
Fixes: 4de71839142b ("firmware: drivers: imx: adds miscdev")
Signed-off-by: Pankaj Gupta <pankaj.gupta@xxxxxxx>
---
drivers/firmware/imx/se_ctrl.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/firmware/imx/se_ctrl.c b/drivers/firmware/imx/se_ctrl.c
index 3a1e0c6a942b..814a1946d1c2 100644
--- a/drivers/firmware/imx/se_ctrl.c
+++ b/drivers/firmware/imx/se_ctrl.c
@@ -481,9 +481,6 @@ static int init_device_context(struct se_if_priv *priv, int ch_id,
dev_ctx->priv = priv;
*new_dev_ctx = dev_ctx;

- list_add_tail(&dev_ctx->link, &priv->dev_ctx_list);
- priv->active_devctx_count++;
-
ret = init_se_shared_mem(dev_ctx);
if (ret < 0) {
kfree(dev_ctx->devname);
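Review bot: `*new_dev_ctx = dev_ctx;` at the top of this hunk still hands the pointer to the caller before init_se_shared_mem() has succeeded, and the error path then has to undo it with `*new_dev_ctx = NULL;`. Since the list insertion is being moved after the fallible call, consider moving this assignment down with it so the out-parameter is written only on success and the error path has one less thing to unwind.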
@@ -491,6 +488,9 @@ static int init_device_context(struct se_if_priv *priv, int ch_id,
*new_dev_ctx = NULL;
}

+ list_add_tail(&dev_ctx->link, &priv->dev_ctx_list);
+ priv->active_devctx_count++;
+
return ret;
}
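Review bot: the added `list_add_tail(&dev_ctx->link, &priv->dev_ctx_list);` and `priv->active_devctx_count++;` sit after the closing brace of the `if (ret < 0)` block, and no `return` or `goto` is visible in that block, which ends with `*new_dev_ctx = NULL;`. As shown, a failing init_se_shared_mem() would fall through, link the context the error path has just cleaned up, and increment the count, which is the dangling list entry the commit message sets out to remove. Add `return ret;` as the last statement of the error block (or do the insertion only on the success branch), and check this against the one line of the error block that falls between the two hunks and is not shown here.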

--
2.43.0