Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

media: mc: fix potential use-after-free in media_request_alloc()

Commit 6f504cbf108a ("media: convert media_request_alloc() to
FD_PREPARE()") moved the call to fd_install() (now hidden in
fd_publish()) before the snprintf(), making the later write to
potentially already freed memory, as userland is free to call
close() concurrently right after the call to fd_install() which
may end up in the request_fops.release() handler freeing 'req'.

Fixes: 6f504cbf108a ("media: convert media_request_alloc() to FD_PREPARE()")
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Link: https://patch.msgid.link/20251209210903.603958-1-minipli@grsecurity.net
Signed-off-by: Christian Brauner <brauner@kernel.org>
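The hazard the commit message describes is an ordering problem: once a file descriptor is published, userspace can close() it, and the release handler may free the object the kernel is still initialising. The following constructed C model (added here; it is not the kernel's code, and the names fd_prepare, fd_publish, fd_close, write_debug_str, alloc_buggy and alloc_fixed are assumptions made for illustration) replaces the race with a deterministic "close lands right after publish" step and flags any write that happens after release, so the buggy and fixed orderings can be compared directly.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model (not kernel code): a request object becomes reachable
 * from userspace the moment its fd is published, so every access to the
 * object must precede the publish step. */

#define FD_TABLE_SIZE 8

struct request {
    char debug_str[32];
    int  released;   /* set by the release path; models the memory being freed */
};

struct fd_table {
    struct request *slots[FD_TABLE_SIZE];
};

/* Prepared descriptor: the number is reserved but not yet visible to userspace. */
struct fd_prepare {
    int fd;
    struct request *req;
};

static int fd_prepare_fd(const struct fd_prepare *fdf)
{
    return fdf->fd;
}

/* Publish: from here on another thread may close() the descriptor. */
static int fd_publish(struct fd_table *t, struct fd_prepare *fdf)
{
    t->slots[fdf->fd] = fdf->req;
    return fdf->fd;
}

/* Models the fops release handler: unlink the entry and "free" the object. */
static void fd_close(struct fd_table *t, int fd)
{
    struct request *req = t->slots[fd];
    t->slots[fd] = NULL;
    if (req)
        req->released = 1;
}

/* Writes the debug string; returns -1 if the object was already released,
 * which in real code would be a write into freed memory. */
static int write_debug_str(struct request *req, unsigned id, int fd)
{
    if (req->released)
        return -1;
    snprintf(req->debug_str, sizeof req->debug_str, "%u:%d", id, fd);
    return 0;
}

/* Buggy ordering: publish first, then touch req. racing_close models a
 * concurrent close() arriving immediately after the publish. */
static int alloc_buggy(struct fd_table *t, struct request *req, int racing_close)
{
    struct fd_prepare fdf = { .fd = 3, .req = req };
    int fd = fd_publish(t, &fdf);          /* userspace can see the fd now */
    if (racing_close)
        fd_close(t, fd);
    return write_debug_str(req, 1, fd);    /* -1 when the close raced us */
}

/* Fixed ordering: finish every access to req using the prepared fd number,
 * publish last, and never touch req afterwards. */
static int alloc_fixed(struct fd_table *t, struct request *req, int racing_close)
{
    struct fd_prepare fdf = { .fd = 3, .req = req };
    int rc = write_debug_str(req, 1, fd_prepare_fd(&fdf));
    int fd = fd_publish(t, &fdf);
    if (racing_close)
        fd_close(t, fd);
    return rc;                             /* 0: no access after publish */
}

/* Runs one allocation on a fresh table and request; returns the rc and,
 * when expected is non-NULL, only returns 0 if the debug string matches. */
static int run_alloc(int fixed, int racing_close, const char *expected)
{
    struct fd_table table;
    struct request req;
    int rc;

    memset(&table, 0, sizeof table);
    memset(&req, 0, sizeof req);
    rc = fixed ? alloc_fixed(&table, &req, racing_close)
               : alloc_buggy(&table, &req, racing_close);
    if (rc == 0 && expected && strcmp(req.debug_str, expected) != 0)
        return -2;
    return rc;
}

int main(void)
{
    printf("buggy, close races publish: rc=%d\n", run_alloc(0, 1, NULL));
    printf("fixed, close races publish: rc=%d\n", run_alloc(1, 1, "1:3"));
    return 0;
}
```

The fixed variant reads the descriptor number through fd_prepare_fd() before publishing, which is the same shape as the patch's use of fd_prepare_fd(fdf) in the snprintf(); a real kernel build would need KASAN or similar to observe the write into freed memory that the model reports as -1.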

Authored by Mathias Krause and committed by Christian Brauner (a260bd22 8f0b4cce)

+3 -3
drivers/media/mc/mc-request.c
··· 315 315 316 316 fd_prepare_file(fdf)->private_data = req; 317 317 318 - *alloc_fd = fd_publish(fdf); 319 - 320 318 snprintf(req->debug_str, sizeof(req->debug_str), "%u:%d", 321 - atomic_inc_return(&mdev->request_id), *alloc_fd); 319 + atomic_inc_return(&mdev->request_id), fd_prepare_fd(fdf)); 322 320 dev_dbg(mdev->dev, "request: allocated %s\n", req->debug_str); 321 + 322 + *alloc_fd = fd_publish(fdf); 323 323 324 324 return 0; 325 325
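Review bot: consider a one-line comment above `*alloc_fd = fd_publish(fdf);` stating that 'req' must not be dereferenced after this point, since the ordering is now the only thing standing between the snprintf()/dev_dbg() accesses and the request_fops.release() path the commit message describes, and a later edit could easily move work back below the publish. As it stands the reordering is correct: the snprintf() into req->debug_str and the dev_dbg() that reads it both sit before fd_publish(), and the function returns 0 right after it, so nothing touches 'req' once a concurrent close() can reach the release handler. One point to confirm is that the debug string now takes its number from fd_prepare_fd(fdf) instead of *alloc_fd, so it relies on the prepared descriptor number being the value fd_publish() later returns; that is consistent with the FD_PREPARE() conversion the message references but is not visible in this hunk.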