In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Fix use-after free in init error and remove paths
devm_blk_crypto_profile_init() registers a cleanup handler to run when the associated (platform-) device is being released. For UFS, the crypto private data and pointers are stored as part of the ufs_hba's data structure 'struct ufs_hba::crypto_profile'. This structure is allocated as part of the underlying ufshcd and therefore Scsi_host allocation.
During driver release or during error handling in ufshcd_pltfrm_init(), this structure is released as part of ufshcd_dealloc_host() before the (platform-) device associated with the crypto call above is released. Once this device is released, the crypto cleanup code will run, using the just-released 'struct ufs_hba::crypto_profile'. This causes a use-after-free situation:
  Call trace:
   kfree+0x60/0x2d8 (P)
   kvfree+0x44/0x60
   blk_crypto_profile_destroy_callback+0x28/0x70
   devm_action_release+0x1c/0x30
   release_nodes+0x6c/0x108
   devres_release_all+0x98/0x100
   device_unbind_cleanup+0x20/0x70
   really_probe+0x218/0x2d0
In other words, the initialisation code flow is:
  platform-device probe
    ufshcd_pltfrm_init()
      ufshcd_alloc_host()
        scsi_host_alloc()
          allocation of struct ufs_hba
          creation of scsi-host devices
    devm_blk_crypto_profile_init()
      devm registration of cleanup handler using platform-device
and during error handling of ufshcd_pltfrm_init() or during driver removal:
  ufshcd_dealloc_host()
    scsi_host_put()
      put_device(scsi-host)
        release of struct ufs_hba
  put_device(platform-device)
    crypto cleanup handler
To fix this use-after free, change ufshcd_alloc_host() to register a devres action to automatically cleanup the underlying SCSI device on ufshcd destruction, without requiring explicit calls to ufshcd_dealloc_host(). This way:
* the crypto profile and all other ufs_hba-owned resources are destroyed before SCSI (as they've been registered after)
* a memleak is plugged in tc-dwc-g210-pci.c remove() as a side-effect
* EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as it's not needed anymore
* no future drivers using ufshcd_alloc_host() could ever forget adding the cleanup
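
The release ordering described above, as an added userspace model (not kernel code and not part of the original commit). The helpers are simplified stand-ins named after the functions in the advisory, and a flag replaces the real free so the stale access can be counted instead of corrupting memory.

```c
#include <stdio.h>

/* Userspace model only: names mirror the advisory, bodies are simplified. */
struct hba { int released; int stale_access; };

typedef void (*action_fn)(void *);
struct devres { action_fn fn; void *data; };

/* Managed-resource list of one (platform) device. */
struct device { struct devres res[8]; size_t n; };

static void devm_add_action(struct device *dev, action_fn fn, void *data)
{
    dev->res[dev->n].fn = fn;
    dev->res[dev->n].data = data;
    dev->n++;
}

/* devres releases in reverse order of registration (LIFO). */
static void devres_release_all(struct device *dev)
{
    while (dev->n > 0) {
        dev->n--;
        dev->res[dev->n].fn(dev->res[dev->n].data);
    }
}

/* Stands in for scsi_host_put(): the host, and the hba inside it, go away. */
static void host_put(void *data)
{
    ((struct hba *)data)->released = 1;
}

/* Stands in for the crypto profile cleanup handler, which reads hba state. */
static void crypto_cleanup(void *data)
{
    struct hba *hba = data;
    if (hba->released)
        hba->stale_access++;   /* in the kernel this is the use-after-free */
}

/* Pre-fix flow: explicit dealloc on the error/remove path, then devres. */
int run_unfixed(void)
{
    struct device pdev = { .n = 0 };
    struct hba hba = { 0, 0 };
    devm_add_action(&pdev, crypto_cleanup, &hba); /* crypto profile init */
    host_put(&hba);                               /* explicit dealloc call */
    devres_release_all(&pdev);                    /* platform device released */
    return hba.stale_access;
}

/* Fixed flow: host allocation registers its own devres action first. */
int run_fixed(void)
{
    struct device pdev = { .n = 0 };
    struct hba hba = { 0, 0 };
    devm_add_action(&pdev, host_put, &hba);       /* done inside alloc_host */
    devm_add_action(&pdev, crypto_cleanup, &hba); /* registered later */
    devres_release_all(&pdev);                    /* crypto first, host last */
    return hba.stale_access;
}

int main(void)
{
    printf("unfixed: %d stale, fixed: %d stale\n", run_unfixed(), run_fixed());
    return 0;
}
```

Because the host's release action is registered before the crypto handler, reverse-order release guarantees the handler runs while the hba is still alive.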