Samsung Kernel /dev/vipx Pointer Leak

The function __vipx_ioctl_put_container() in the Samsung kernel calls copy_to_user() on a vs4l_container_list structure that contains a kernel pointer, exposing that kernel pointer to userspace just before it gets passed to kfree().
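The pattern described above, modelled in userspace C as an added illustration; this is not Samsung's driver code and not part of the advisory. The struct layout, the `demo_`/`put_container_*` names and the scrub-before-copy fix are assumptions, with `memcpy()` and `free()` standing in for `copy_to_user()` and `kfree()`.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for vs4l_container_list; the field layout is assumed. */
struct demo_container_list {
    uint32_t id;
    uint32_t count;
    void *containers; /* caller's value on entry, kernel allocation while in use */
};

/* Userspace stand-in for copy_to_user(); returns 0 on success. */
static int demo_copy_to_user(void *dst, const void *src, size_t n) { memcpy(dst, src, n); return 0; }

/* Leaky pattern: the struct is copied out with the kernel pointer still in it. */
static int put_container_leaky(struct demo_container_list *uarg,
                               struct demo_container_list *karg)
{
    int ret = demo_copy_to_user(uarg, karg, sizeof(*karg));
    free(karg->containers); /* stands in for kfree() */
    return ret;
}

/* Hardened pattern: copy out a scrubbed struct, then free the allocation. */
static int put_container_fixed(struct demo_container_list *uarg,
                               struct demo_container_list *karg, void *user_val)
{
    struct demo_container_list out = *karg;
    out.containers = user_val; /* never a kernel address */
    int ret = demo_copy_to_user(uarg, &out, sizeof(out));
    free(karg->containers);
    return ret;
}

/* Returns 1 if the allocation's address reached the caller-visible struct. */
int demo_leaks(int use_fixed)
{
    struct demo_container_list uarg = { 1, 2, NULL }, karg = uarg;
    uintptr_t kaddr, seen;
    karg.containers = malloc(64); /* stands in for the kernel allocation */
    if (!karg.containers) return -1;
    memcpy(&kaddr, &karg.containers, sizeof(kaddr));
    if (use_fixed) put_container_fixed(&uarg, &karg, NULL);
    else put_container_leaky(&uarg, &karg);
    memcpy(&seen, &uarg.containers, sizeof(seen));
    return seen == kaddr;
}

int main(void) { return demo_leaks(1); }
```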


MD5 | 4d763dd7a0edc38113e6a84e2a16619c

