mirror of
https://github.com/torvalds/linux.git
synced 2026-01-12 00:42:35 +08:00
a260bd22a3
Commit6f504cbf10("media: convert media_request_alloc() to FD_PREPARE()") moved the call to fd_install() (now hidden in fd_publish()) before the snprintf(), making the later write to potentially already freed memory, as userland is free to call close() concurrently right after the call to fd_install() which may end up in the request_fops.release() handler freeing 'req'. Fixes:6f504cbf10("media: convert media_request_alloc() to FD_PREPARE()") Signed-off-by: Mathias Krause <minipli@grsecurity.net> Link: https://patch.msgid.link/20251209210903.603958-1-minipli@grsecurity.net Signed-off-by: Christian Brauner <brauner@kernel.org>