CVE-2025-22020

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/04/2025
Last modified:
16/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove

This fixes the following crash:

==================================================================
BUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
Read of size 8 at addr ffff888136335380 by task kworker/6:0/140241

CPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G E 6.14.0-rc6+ #1
Tainted: [E]=UNSIGNED_MODULE
Hardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024
Workqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms]
Call Trace:

dump_stack_lvl+0x51/0x70
print_address_description.constprop.0+0x27/0x320
? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
print_report+0x3e/0x70
kasan_report+0xab/0xe0
? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms]
? __pfx___schedule+0x10/0x10
? kick_pool+0x3b/0x270
process_one_work+0x357/0x660
worker_thread+0x390/0x4c0
? __pfx_worker_thread+0x10/0x10
kthread+0x190/0x1d0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2d/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30

Allocated by task 161446:
kasan_save_stack+0x20/0x40
kasan_save_track+0x10/0x30
__kasan_kmalloc+0x7b/0x90
__kmalloc_noprof+0x1a7/0x470
memstick_alloc_host+0x1f/0xe0 [memstick]
rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms]
platform_probe+0x60/0xe0
call_driver_probe+0x35/0x120
really_probe+0x123/0x410
__driver_probe_device+0xc7/0x1e0
driver_probe_device+0x49/0xf0
__device_attach_driver+0xc6/0x160
bus_for_each_drv+0xe4/0x160
__device_attach+0x13a/0x2b0
bus_probe_device+0xbd/0xd0
device_add+0x4a5/0x760
platform_device_add+0x189/0x370
mfd_add_device+0x587/0x5e0
mfd_add_devices+0xb1/0x130
rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb]
usb_probe_interface+0x15c/0x460
call_driver_probe+0x35/0x120
really_probe+0x123/0x410
__driver_probe_device+0xc7/0x1e0
driver_probe_device+0x49/0xf0
__device_attach_driver+0xc6/0x160
bus_for_each_drv+0xe4/0x160
__device_attach+0x13a/0x2b0
rebind_marked_interfaces.isra.0+0xcc/0x110
usb_reset_device+0x352/0x410
usbdev_do_ioctl+0xe5c/0x1860
usbdev_ioctl+0xa/0x20
__x64_sys_ioctl+0xc5/0xf0
do_syscall_64+0x59/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 161506:
kasan_save_stack+0x20/0x40
kasan_save_track+0x10/0x30
kasan_save_free_info+0x36/0x60
__kasan_slab_free+0x34/0x50
kfree+0x1fd/0x3b0
device_release+0x56/0xf0
kobject_cleanup+0x73/0x1c0
rtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms]
platform_remove+0x2f/0x50
device_release_driver_internal+0x24b/0x2e0
bus_remove_device+0x124/0x1d0
device_del+0x239/0x530
platform_device_del.part.0+0x19/0xe0
platform_device_unregister+0x1c/0x40
mfd_remove_devices_fn+0x167/0x170
device_for_each_child_reverse+0xc9/0x130
mfd_remove_devices+0x6e/0xa0
rtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb]
usb_unbind_interface+0xf3/0x3f0
device_release_driver_internal+0x24b/0x2e0
proc_disconnect_claim+0x13d/0x220
usbdev_do_ioctl+0xb5e/0x1860
usbdev_ioctl+0xa/0x20
__x64_sys_ioctl+0xc5/0xf0
do_syscall_64+0x59/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e

Last potentially related work creation:
kasan_save_stack+0x20/0x40
kasan_record_aux_stack+0x85/0x90
insert_work+0x29/0x100
__queue_work+0x34a/0x540
call_timer_fn+0x2a/0x160
expire_timers+0x5f/0x1f0
__run_timer_base.part.0+0x1b6/0x1e0
run_timer_softirq+0x8b/0xe0
handle_softirqs+0xf9/0x360
__irq_exit_rcu+0x114/0x130
sysvec_apic_timer_interrupt+0x72/0x90
asm_sysvec_apic_timer_interrupt+0x16/0x20

Second to last potentially related work creation:
kasan_save_stack+0x20/0x40
kasan_record_aux_stack+0x85/0x90
insert_work+0x29/0x100
__queue_work+0x34a/0x540
call_timer_fn+0x2a/0x160
expire_timers+0x5f/0x1f0
__run_timer_base.part.0+0x1b6/0x1e0
run_timer_softirq+0x8b/0xe0
handle_softirqs+0xf9/0x
---truncated---

Impact