2025-10-01 11:46:03
Linux
PUBLISHED
In the Linux kernel, the following vulnerability has been resolved: virtio-mmio: dont break lifecycle of vm_dev vm_dev has a separate lifecycle because it has a struct device embedded. Thus, having a release callback for it is correct. Allocating the vm_dev struct with devres totally breaks this protection, though. Instead of waiting for the vm_dev release callback, the memory is freed when the platform_device is removed. Resulting in a use-after-free when finally the callback is to be called. To easily see the problem, compile the kernel with CONFIG_DEBUG_KOBJECT_RELEASE and unbind with sysfs. The fix is easy, dont use devres in this case. Found during my research about object lifetime problems.