[PATCH -next] firmware: imx: secure-enclave: fix list UAF in init_device_context()

Pankaj Gupta posted 1 patch 3 weeks, 1 day ago
drivers/firmware/imx/se_ctrl.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
Posted by Pankaj Gupta 3 weeks, 1 day ago
init_device_context() added a new device context to priv->dev_ctx_list
before calling init_se_shared_mem(). If initialization failed, the
device context was freed without being removed from the list, leaving
behind a dangling list entry.

Move the list insertion until after all fallible initialization has
completed successfully.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Closes: https://smatch.sourceforge.net/
Fixes: 4de71839142b ("firmware: drivers: imx: adds miscdev")
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
---
 drivers/firmware/imx/se_ctrl.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/firmware/imx/se_ctrl.c b/drivers/firmware/imx/se_ctrl.c
index 3a1e0c6a942b..814a1946d1c2 100644
--- a/drivers/firmware/imx/se_ctrl.c
+++ b/drivers/firmware/imx/se_ctrl.c
@@ -481,9 +481,6 @@ static int init_device_context(struct se_if_priv *priv, int ch_id,
 	dev_ctx->priv = priv;
 	*new_dev_ctx = dev_ctx;
 
-	list_add_tail(&dev_ctx->link, &priv->dev_ctx_list);
-	priv->active_devctx_count++;
-
 	ret = init_se_shared_mem(dev_ctx);
 	if (ret < 0) {
 		kfree(dev_ctx->devname);
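Review bot: `*new_dev_ctx = dev_ctx;` at the top of this hunk still hands the pointer to the caller before init_se_shared_mem() has succeeded, and the error path then has to reset it to NULL. Now that the list insertion is deferred until after the fallible step, consider moving this assignment to the same place, so the caller's pointer is only ever written with a fully initialized context and the failure path has one less piece of state to undo.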
@@ -491,6 +488,9 @@ static int init_device_context(struct se_if_priv *priv, int ch_id,
 		*new_dev_ctx = NULL;
 	}
 
+	list_add_tail(&dev_ctx->link, &priv->dev_ctx_list);
+	priv->active_devctx_count++;
+
 	return ret;
 }
 
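Review bot: the added `list_add_tail(&dev_ctx->link, &priv->dev_ctx_list);` sits after the closing brace of the `if (ret < 0)` block, and no `return` is visible in that block, so on failure control appears to fall through, link the context that the commit message says is freed, and increment `priv->active_devctx_count`. Unless the one line not shown between the two hunks returns, add `return ret;` at the end of the error block (or place the insertion in an else branch, or use a goto cleanup label) so that only successfully initialized contexts reach the list.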
-- 
2.43.0
Re: [PATCH -next] firmware: imx: secure-enclave: fix list UAF in init_device_context()
Posted by Frank Li 3 weeks ago
On Fri, 08 May 2026 11:29:45 +0530, Pankaj Gupta wrote:
> init_device_context() added a new device context to priv->dev_ctx_list
> before calling init_se_shared_mem(). If initialization failed, the
> device context was freed without being removed from the list, leaving
> behind a dangling list entry.
> 
> Move the list insertion until after all fallible initialization has
> completed successfully.
> 
> [...]

Applied, thanks!

[1/1] firmware: imx: secure-enclave: fix list UAF in init_device_context()
      commit: 66f3c3f91c48238dd13543cd428879b9184c80f4

Best regards,
-- 
Frank Li <Frank.Li@nxp.com>