cve/published/2025/CVE-2025-21739.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21739: scsi: ufs: core: Fix use-after free in init error and remove paths

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 scsi: ufs: core: Fix use-after free in init error and remove paths

 devm_blk_crypto_profile_init() registers a cleanup handler to run when
 the associated (platform-) device is being released. For UFS, the
 crypto private data and pointers are stored as part of the ufs_hba's
 data structure 'struct ufs_hba::crypto_profile'. This structure is
 allocated as part of the underlying ufshcd and therefore Scsi_host
 allocation.

 During driver release or during error handling in ufshcd_pltfrm_init(),
 this structure is released as part of ufshcd_dealloc_host() before the
 (platform-) device associated with the crypto call above is released.
 Once this device is released, the crypto cleanup code will run, using
 the just-released 'struct ufs_hba::crypto_profile'. This causes a
 use-after-free situation:

   Call trace:
    kfree+0x60/0x2d8 (P)
    kvfree+0x44/0x60
    blk_crypto_profile_destroy_callback+0x28/0x70
    devm_action_release+0x1c/0x30
    release_nodes+0x6c/0x108
    devres_release_all+0x98/0x100
    device_unbind_cleanup+0x20/0x70
    really_probe+0x218/0x2d0

 In other words, the initialisation code flow is:

   platform-device probe
     ufshcd_pltfrm_init()
       ufshcd_alloc_host()
         scsi_host_alloc()
           allocation of struct ufs_hba
           creation of scsi-host devices
     devm_blk_crypto_profile_init()
       devm registration of cleanup handler using platform-device

 and during error handling of ufshcd_pltfrm_init() or during driver
 removal:

   ufshcd_dealloc_host()
     scsi_host_put()
       put_device(scsi-host)
         release of struct ufs_hba
   put_device(platform-device)
     crypto cleanup handler

 To fix this use-after free, change ufshcd_alloc_host() to register a
 devres action to automatically cleanup the underlying SCSI device on
 ufshcd destruction, without requiring explicit calls to
 ufshcd_dealloc_host(). This way:

     * the crypto profile and all other ufs_hba-owned resources are
       destroyed before SCSI (as they've been registered after)
     * a memleak is plugged in tc-dwc-g210-pci.c remove() as a
       side-effect
     * EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as
       it's not needed anymore
     * no future drivers using ufshcd_alloc_host() could ever forget
       adding the cleanup

 The Linux kernel CVE team has assigned CVE-2025-21739 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.12 with commit d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350 and fixed in 6.12.14 with commit 0c77c0d754fe83cb154715fcfec6c3faef94f207
 	Issue introduced in 5.12 with commit d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350 and fixed in 6.13.3 with commit 9c185beae09a3eb85f54777edafa227f7e03075d
 	Issue introduced in 5.12 with commit d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350 and fixed in 6.14 with commit f8fb2403ddebb5eea0033d90d9daae4c88749ada

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21739
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/ufs/core/ufshcd.c
 	drivers/ufs/host/ufshcd-pci.c
 	drivers/ufs/host/ufshcd-pltfrm.c
 	include/ufs/ufshcd.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0c77c0d754fe83cb154715fcfec6c3faef94f207
 	https://git.kernel.org/stable/c/9c185beae09a3eb85f54777edafa227f7e03075d
 	https://git.kernel.org/stable/c/f8fb2403ddebb5eea0033d90d9daae4c88749ada
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21739: scsi: ufs: core: Fix use-after free in init error and remove paths

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	scsi: ufs: core: Fix use-after free in init error and remove paths

	devm_blk_crypto_profile_init() registers a cleanup handler to run when
	the associated (platform-) device is being released. For UFS, the
	crypto private data and pointers are stored as part of the ufs_hba's
	data structure 'struct ufs_hba::crypto_profile'. This structure is
	allocated as part of the underlying ufshcd and therefore Scsi_host
	allocation.

	During driver release or during error handling in ufshcd_pltfrm_init(),
	this structure is released as part of ufshcd_dealloc_host() before the
	(platform-) device associated with the crypto call above is released.
	Once this device is released, the crypto cleanup code will run, using
	the just-released 'struct ufs_hba::crypto_profile'. This causes a
	use-after-free situation:

	Call trace:
	kfree+0x60/0x2d8 (P)
	kvfree+0x44/0x60
	blk_crypto_profile_destroy_callback+0x28/0x70
	devm_action_release+0x1c/0x30
	release_nodes+0x6c/0x108
	devres_release_all+0x98/0x100
	device_unbind_cleanup+0x20/0x70
	really_probe+0x218/0x2d0

	In other words, the initialisation code flow is:

	platform-device probe
	ufshcd_pltfrm_init()
	ufshcd_alloc_host()
	scsi_host_alloc()
	allocation of struct ufs_hba
	creation of scsi-host devices
	devm_blk_crypto_profile_init()
	devm registration of cleanup handler using platform-device

	and during error handling of ufshcd_pltfrm_init() or during driver
	removal:

	ufshcd_dealloc_host()
	scsi_host_put()
	put_device(scsi-host)
	release of struct ufs_hba
	put_device(platform-device)
	crypto cleanup handler

	To fix this use-after free, change ufshcd_alloc_host() to register a
	devres action to automatically cleanup the underlying SCSI device on
	ufshcd destruction, without requiring explicit calls to
	ufshcd_dealloc_host(). This way:

	* the crypto profile and all other ufs_hba-owned resources are
	destroyed before SCSI (as they've been registered after)
	* a memleak is plugged in tc-dwc-g210-pci.c remove() as a
	side-effect
	* EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as
	it's not needed anymore
	* no future drivers using ufshcd_alloc_host() could ever forget
	adding the cleanup

	The Linux kernel CVE team has assigned CVE-2025-21739 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.12 with commit d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350 and fixed in 6.12.14 with commit 0c77c0d754fe83cb154715fcfec6c3faef94f207
	Issue introduced in 5.12 with commit d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350 and fixed in 6.13.3 with commit 9c185beae09a3eb85f54777edafa227f7e03075d
	Issue introduced in 5.12 with commit d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350 and fixed in 6.14 with commit f8fb2403ddebb5eea0033d90d9daae4c88749ada

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21739
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/ufs/core/ufshcd.c
	drivers/ufs/host/ufshcd-pci.c
	drivers/ufs/host/ufshcd-pltfrm.c
	include/ufs/ufshcd.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0c77c0d754fe83cb154715fcfec6c3faef94f207
	https://git.kernel.org/stable/c/9c185beae09a3eb85f54777edafa227f7e03075d
	https://git.kernel.org/stable/c/f8fb2403ddebb5eea0033d90d9daae4c88749ada