Mathias Krause a260bd22a3

media: mc: fix potential use-after-free in media_request_alloc() ...

Commit 6f504cbf108a ("media: convert media_request_alloc() to
FD_PREPARE()") moved the call to fd_install() (now hidden in
fd_publish()) before the snprintf(), making the later write to
potentially already freed memory, as userland is free to call
close() concurrently right after the call to fd_install() which
may end up in the request_fops.release() handler freeing 'req'.

Fixes: 6f504cbf108a ("media: convert media_request_alloc() to FD_PREPARE()")
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Link: https://patch.msgid.link/20251209210903.603958-1-minipli@grsecurity.net
Signed-off-by: Christian Brauner <brauner@kernel.org>

2025-12-15 15:12:28 +01:00

..

cec

…

common

Linux 6.18-rc5

2025-11-11 12:44:28 +01:00

dvb-core

media: dvb_ca_en50221: fix "writen"->"written"

2025-11-03 15:58:41 +01:00

dvb-frontends

…

firewire

…

i2c

media: i2c: add Sony IMX111 CMOS camera sensor driver

2025-11-13 11:33:39 +01:00

mc

media: mc: fix potential use-after-free in media_request_alloc()

2025-12-15 15:12:28 +01:00

mmc

…

pci

media: ipu6: isys: Add support for monochrome media bus formats

2025-11-13 10:57:52 +01:00

platform

hardening updates for v6.19-rc1

2025-12-05 09:11:02 -08:00

radio

media: radio: si470x: Fix DRIVER_AUTHOR macro definition

2025-11-05 14:08:56 +01:00

rc

media: rc: st_rc: Fix reset control resource leak

2025-11-11 10:17:33 +01:00

spi

…

test-drivers

[GIT PULL for v6.19] media updates

2025-12-04 08:15:19 -08:00

tuners

…

usb

Modules changes for v6.19-rc1

2025-12-06 08:27:07 -08:00

v4l2-core

media: v4l2-isp: Rename block_info to block_type_info

2025-11-14 15:48:49 +01:00

Kconfig

…

Makefile

…