CVE-2025-21739

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-21739

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21739.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-21739

Related

Published

2025-02-27T03:15:14Z

Modified

2025-03-24T18:47:22.771690Z

Downstream

SUSE-SU-2025:1178-1

SUSE-SU-2025:1177-1

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix use-after free in init error and remove paths

devmblkcryptoprofileinit() registers a cleanup handler to run when the associated (platform-) device is being released. For UFS, the crypto private data and pointers are stored as part of the ufshba's data structure 'struct ufshba::cryptoprofile'. This structure is allocated as part of the underlying ufshcd and therefore Scsihost allocation.

During driver release or during error handling in ufshcdpltfrminit(), this structure is released as part of ufshcddeallochost() before the (platform-) device associated with the crypto call above is released. Once this device is released, the crypto cleanup code will run, using the just-released 'struct ufshba::cryptoprofile'. This causes a use-after-free situation:

Call trace: kfree+0x60/0x2d8 (P) kvfree+0x44/0x60 blkcryptoprofiledestroycallback+0x28/0x70 devmactionrelease+0x1c/0x30 releasenodes+0x6c/0x108 devresreleaseall+0x98/0x100 deviceunbindcleanup+0x20/0x70 reallyprobe+0x218/0x2d0

In other words, the initialisation code flow is:

platform-device probe ufshcdpltfrminit() ufshcdallochost() scsihostalloc() allocation of struct ufshba creation of scsi-host devices devmblkcryptoprofile_init() devm registration of cleanup handler using platform-device

and during error handling of ufshcdpltfrminit() or during driver removal:

ufshcddeallochost() scsihostput() putdevice(scsi-host) release of struct ufshba put_device(platform-device) crypto cleanup handler

To fix this use-after free, change ufshcdallochost() to register a devres action to automatically cleanup the underlying SCSI device on ufshcd destruction, without requiring explicit calls to ufshcddeallochost(). This way:

* the crypto profile and all other ufs_hba-owned resources are
  destroyed before SCSI (as they've been registered after)
* a memleak is plugged in tc-dwc-g210-pci.c remove() as a
  side-effect
* EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as
  it's not needed anymore
* no future drivers using ufshcd_alloc_host() could ever forget
  adding the cleanup

References

Affected packages

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.1.27-1

6.1.37-1

6.1.38-1

6.1.38-2~bpo11+1

6.1.38-2

6.1.38-3

6.1.38-4~bpo11+1

6.1.38-4

6.1.52-1

6.1.55-1~bpo11+1

6.1.55-1

6.1.64-1

6.1.66-1

6.1.67-1

6.1.69-1~bpo11+1

6.1.69-1

6.1.76-1~bpo11+1

6.1.76-1

6.1.82-1

6.1.85-1

6.1.90-1~bpo11+1

6.1.90-1

6.1.94-1~bpo11+1

6.1.94-1

6.1.98-1

6.1.99-1

6.1.106-1

6.1.106-2

6.1.106-3

6.1.112-1

6.1.115-1

6.1.119-1

6.1.123-1

6.1.124-1

6.1.128-1

6.1.129-1

6.3.1-1~exp1

6.3.2-1~exp1

6.3.4-1~exp1

6.3.5-1~exp1

6.3.7-1~bpo12+1

6.3.7-1

6.3.11-1

6.4~rc6-1~exp1

6.4~rc7-1~exp1

6.4.1-1~exp1

6.4.4-1~bpo12+1

6.4.4-1

6.4.4-2

6.4.4-3~bpo12+1

6.4.4-3

6.4.11-1

6.4.13-1

6.5~rc4-1~exp1

6.5~rc6-1~exp1

6.5~rc7-1~exp1

6.5.1-1~exp1

6.5.3-1~bpo12+1

6.5.3-1

6.5.6-1

6.5.8-1

6.5.10-1~bpo12+1

6.5.10-1

6.5.13-1

6.6.3-1~exp1

6.6.4-1~exp1

6.6.7-1~exp1

6.6.8-1

6.6.9-1

6.6.11-1

6.6.13-1~bpo12+1

6.6.13-1

6.6.15-1

6.6.15-2

6.7-1~exp1

6.7.1-1~exp1

6.7.4-1~exp1

6.7.7-1

6.7.9-1

6.7.9-2

6.7.12-1~bpo12+1

6.7.12-1

6.8.9-1

6.8.11-1

6.8.12-1~bpo12+1

6.8.12-1

6.9.2-1~exp1

6.9.7-1~bpo12+1

6.9.7-1

6.9.8-1

6.9.9-1

6.9.10-1~bpo12+1

6.9.10-1

6.9.11-1

6.9.12-1

6.10-1~exp1

6.10.1-1~exp1

6.10.3-1

6.10.4-1

6.10.6-1~bpo12+1

6.10.6-1

6.10.7-1

6.10.9-1

6.10.11-1~bpo12+1

6.10.11-1

6.10.12-1

6.11~rc4-1~exp1

6.11~rc5-1~exp1

6.11-1~exp1

6.11.2-1

6.11.4-1

6.11.5-1~bpo12+1

6.11.5-1

6.11.6-1

6.11.7-1

6.11.9-1

6.11.10-1~bpo12+1

6.11.10-1

6.12~rc6-1~exp1

6.12.3-1

6.12.5-1

6.12.6-1

6.12.8-1

6.12.9-1~bpo12+1

6.12.9-1

6.12.9-1+alpha

6.12.10-1

6.12.11-1

6.12.11-1+alpha

6.12.11-1+alpha.1

6.12.12-1~bpo12+1

6.12.12-1

6.12.13-1

6.12.15-1

6.12.16-1

6.12.17-1

6.12.19-1

6.12.20-1

6.13~rc6-1~exp1

6.13~rc7-1~exp1

6.13.2-1~exp1

6.13.3-1~exp1

6.13.4-1~exp1

6.13.5-1~exp1

6.13.6-1~exp1

6.13.7-1~exp1

6.13.8-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux