CVE-2025-21739

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
27/02/2025
Last modified:
24/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix use-after free in init error and remove paths

devm_blk_crypto_profile_init() registers a cleanup handler to run when
the associated (platform-) device is being released. For UFS, the
crypto private data and pointers are stored as part of the ufs_hba's
data structure 'struct ufs_hba::crypto_profile'. This structure is
allocated as part of the underlying ufshcd and therefore Scsi_host
allocation.

During driver release or during error handling in ufshcd_pltfrm_init(),
this structure is released as part of ufshcd_dealloc_host() before the
(platform-) device associated with the crypto call above is released.
Once this device is released, the crypto cleanup code will run, using
the just-released 'struct ufs_hba::crypto_profile'. This causes a
use-after-free situation:

Call trace:
 kfree+0x60/0x2d8 (P)
 kvfree+0x44/0x60
 blk_crypto_profile_destroy_callback+0x28/0x70
 devm_action_release+0x1c/0x30
 release_nodes+0x6c/0x108
 devres_release_all+0x98/0x100
 device_unbind_cleanup+0x20/0x70
 really_probe+0x218/0x2d0

In other words, the initialisation code flow is:

  platform-device probe
    ufshcd_pltfrm_init()
      ufshcd_alloc_host()
        scsi_host_alloc()
          allocation of struct ufs_hba
          creation of scsi-host devices
      devm_blk_crypto_profile_init()
        devm registration of cleanup handler using platform-device

and during error handling of ufshcd_pltfrm_init() or during driver
removal:

  ufshcd_dealloc_host()
    scsi_host_put()
      put_device(scsi-host)
        release of struct ufs_hba
  put_device(platform-device)
    crypto cleanup handler

To fix this use-after-free, change ufshcd_alloc_host() to register a
devres action to automatically cleanup the underlying SCSI device on
ufshcd destruction, without requiring explicit calls to
ufshcd_dealloc_host(). This way:

* the crypto profile and all other ufs_hba-owned resources are
  destroyed before SCSI (as they've been registered after)
* a memleak is plugged in tc-dwc-g210-pci.c remove() as a
  side-effect
* EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as
  it's not needed anymore
* no future drivers using ufshcd_alloc_host() could ever forget
  adding the cleanup
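The ordering problem in the commit message is easy to reproduce outside the kernel. The following is an added illustration written for this page, not code from the kernel or from the fix: a user-space C model in which a tiny devres list runs its release handlers in reverse registration order (LIFO), as devres_release_all() does. The names struct pdev, devm_add_action(), devres_release_all(), hba_release() and crypto_profile_destroy() are simplified stand-ins for the platform device, the real devm_add_action(), devres_release_all(), the final scsi_host_put() and blk_crypto_profile_destroy_callback(); the "released" flag stands in for the memory having been kfree()d so the model can record the use-after-free instead of actually dereferencing freed memory. vulnerable_flow() follows the pre-fix path (explicit ufshcd_dealloc_host() before the platform device goes away); fixed_flow() follows the fixed path, where the hba teardown is itself a devres action registered before the crypto profile.

```c
/* Constructed user-space model of devres release ordering; not kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ACTIONS 8
#define TRACE_LEN 128

/* Stand-in for struct ufs_hba with its embedded crypto profile. */
struct ufs_hba {
    bool crypto_profile_initialised;
    bool released;            /* models the object having been kfree()d */
};

struct devres_action {
    void (*fn)(void *);
    void *data;
};

/* Stand-in for a platform device's devres list. */
struct pdev {
    struct devres_action actions[MAX_ACTIONS];
    int n;
};

static char g_trace[TRACE_LEN];   /* comma-separated order of release events */
static bool g_uaf;                /* set when a handler touches released memory */

static void trace_event(const char *ev)
{
    size_t room = TRACE_LEN - strlen(g_trace) - 1;
    if (g_trace[0] != '\0')
        strncat(g_trace, ",", room--);
    strncat(g_trace, ev, room);
}

static int devm_add_action(struct pdev *dev, void (*fn)(void *), void *data)
{
    if (dev->n >= MAX_ACTIONS)
        return -1;
    dev->actions[dev->n].fn = fn;
    dev->actions[dev->n].data = data;
    dev->n++;
    return 0;
}

/* devres runs handlers in reverse order of registration (LIFO). */
static void devres_release_all(struct pdev *dev)
{
    while (dev->n > 0) {
        dev->n--;
        dev->actions[dev->n].fn(dev->actions[dev->n].data);
    }
}

/* Models blk_crypto_profile_destroy_callback(): frees crypto state that
 * lives inside struct ufs_hba. If the hba is already gone, this is the
 * use-after-free in the call trace above; here it is only recorded. */
static void crypto_profile_destroy(void *data)
{
    struct ufs_hba *hba = data;
    if (hba->released) {
        g_uaf = true;
        trace_event("crypto_destroy(UAF)");
        return;
    }
    hba->crypto_profile_initialised = false;
    trace_event("crypto_destroy");
}

/* Models the final scsi_host_put() releasing struct ufs_hba. */
static void hba_release(void *data)
{
    struct ufs_hba *hba = data;
    hba->released = true;
    trace_event("hba_release");
}

const char *last_trace(void) { return g_trace; }

/* Pre-fix flow: ufshcd_dealloc_host() frees the hba explicitly, then the
 * platform device is released and the crypto handler runs on freed memory. */
bool vulnerable_flow(void)
{
    struct pdev dev = { .n = 0 };
    struct ufs_hba hba = { .crypto_profile_initialised = true, .released = false };
    g_trace[0] = '\0';
    g_uaf = false;
    devm_add_action(&dev, crypto_profile_destroy, &hba); /* devm_blk_crypto_profile_init() */
    hba_release(&hba);                                   /* ufshcd_dealloc_host() */
    devres_release_all(&dev);                            /* put_device(platform-device) */
    return g_uaf;
}

/* Fixed flow: ufshcd_alloc_host() registers the hba teardown as a devres
 * action before the crypto profile is registered, so LIFO release destroys
 * the crypto profile first and the hba last. No explicit dealloc call. */
bool fixed_flow(void)
{
    struct pdev dev = { .n = 0 };
    struct ufs_hba hba = { .crypto_profile_initialised = true, .released = false };
    g_trace[0] = '\0';
    g_uaf = false;
    devm_add_action(&dev, hba_release, &hba);            /* in ufshcd_alloc_host() */
    devm_add_action(&dev, crypto_profile_destroy, &hba); /* devm_blk_crypto_profile_init() */
    devres_release_all(&dev);                            /* put_device(platform-device) */
    return g_uaf;
}

int main(void)
{
    printf("vulnerable: uaf=%d order=%s\n", vulnerable_flow(), last_trace());
    printf("fixed:      uaf=%d order=%s\n", fixed_flow(), last_trace());
    return 0;
}
```

The model shows why the fix works without any new locking or reference counting: devres already guarantees reverse-order release, so the only requirement is that every resource living inside struct ufs_hba is registered after the action that frees the hba. The same check applies when reviewing any driver that mixes devm_* allocations with explicit teardown calls in its error or remove path.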

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.12 (including) 6.12.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.3 (excluding)
cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*