CVE-2024-36930

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: fix null pointer dereference within spi_sync<br /> <br /> If spi_sync() is called with the non-empty queue and the same spi_message<br /> is then reused, the complete callback for the message remains set while<br /> the context is cleared, leading to a null pointer dereference when the<br /> callback is invoked from spi_finalize_current_message().<br /> <br /> With function inlining disabled, the call stack might look like this:<br /> <br /> _raw_spin_lock_irqsave from complete_with_flags+0x18/0x58<br /> complete_with_flags from spi_complete+0x8/0xc<br /> spi_complete from spi_finalize_current_message+0xec/0x184<br /> spi_finalize_current_message from spi_transfer_one_message+0x2a8/0x474<br /> spi_transfer_one_message from __spi_pump_transfer_message+0x104/0x230<br /> __spi_pump_transfer_message from __spi_transfer_message_noqueue+0x30/0xc4<br /> __spi_transfer_message_noqueue from __spi_sync+0x204/0x248<br /> __spi_sync from spi_sync+0x24/0x3c<br /> spi_sync from mcp251xfd_regmap_crc_read+0x124/0x28c [mcp251xfd]<br /> mcp251xfd_regmap_crc_read [mcp251xfd] from _regmap_raw_read+0xf8/0x154<br /> _regmap_raw_read from _regmap_bus_read+0x44/0x70<br /> _regmap_bus_read from _regmap_read+0x60/0xd8<br /> _regmap_read from regmap_read+0x3c/0x5c<br /> regmap_read from mcp251xfd_alloc_can_err_skb+0x1c/0x54 [mcp251xfd]<br /> mcp251xfd_alloc_can_err_skb [mcp251xfd] from mcp251xfd_irq+0x194/0xe70 [mcp251xfd]<br /> mcp251xfd_irq [mcp251xfd] from irq_thread_fn+0x1c/0x78<br /> irq_thread_fn from irq_thread+0x118/0x1f4<br /> irq_thread from kthread+0xd8/0xf4<br /> kthread from ret_from_fork+0x14/0x28<br /> <br /> Fix this by also setting message-&gt;complete to NULL when the transfer is<br /> complete.