CVE-2025-21739

HIGH

Linux Kernel 5.12-6.12.13, 6.13-6.13.2 - Use-After-Free in UFS Core Error and Remove Paths

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix use-after free in init error and remove paths devm_blk_crypto_profile_init() registers a cleanup handler to run when the associated (platform-) device is being released. For UFS, the crypto private data and pointers are stored as part of the ufs_hba's data structure 'struct ufs_hba::crypto_profile'. This structure is allocated as part of the underlying ufshcd and therefore Scsi_host allocation. During driver release or during error handling in ufshcd_pltfrm_init(), this structure is released as part of ufshcd_dealloc_host() before the (platform-) device associated with the crypto call above is released. Once this device is released, the crypto cleanup code will run, using the just-released 'struct ufs_hba::crypto_profile'. This causes a use-after-free situation: Call trace: kfree+0x60/0x2d8 (P) kvfree+0x44/0x60 blk_crypto_profile_destroy_callback+0x28/0x70 devm_action_release+0x1c/0x30 release_nodes+0x6c/0x108 devres_release_all+0x98/0x100 device_unbind_cleanup+0x20/0x70 really_probe+0x218/0x2d0 In other words, the initialisation code flow is: platform-device probe ufshcd_pltfrm_init() ufshcd_alloc_host() scsi_host_alloc() allocation of struct ufs_hba creation of scsi-host devices devm_blk_crypto_profile_init() devm registration of cleanup handler using platform-device and during error handling of ufshcd_pltfrm_init() or during driver removal: ufshcd_dealloc_host() scsi_host_put() put_device(scsi-host) release of struct ufs_hba put_device(platform-device) crypto cleanup handler To fix this use-after free, change ufshcd_alloc_host() to register a devres action to automatically cleanup the underlying SCSI device on ufshcd destruction, without requiring explicit calls to ufshcd_dealloc_host(). This way: * the crypto profile and all other ufs_hba-owned resources are destroyed before SCSI (as they've been registered after) * a memleak is plugged in tc-dwc-g210-pci.c remove() as a side-effect * EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as it's not needed anymore * no future drivers using ufshcd_alloc_host() could ever forget adding the cleanup

References (6)

Core 6

Core References

https://git.kernel.org/stable/c/0dc539b888fb5f56b6eeddd95433eab557d4b0c1

Patch

https://git.kernel.org/stable/c/0c77c0d754fe83cb154715fcfec6c3faef94f207

Patch

https://git.kernel.org/stable/c/9c185beae09a3eb85f54777edafa227f7e03075d

Patch

https://git.kernel.org/stable/c/f8fb2403ddebb5eea0033d90d9daae4c88749ada

https://git.kernel.org/stable/c/0a6895c03b1f439236e2d22b1a69ebfc1eb9d5ea

https://git.kernel.org/stable/c/d06eb2620d3bf16056b8b7ea3744dbb5e30512f4

Scores

CVSS v3 7.8

EPSS 0.0021

EPSS Percentile 10.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-416

Status published

Products (18)

linux/Kernel 5.12.0 - 6.12.14linux

linux/Kernel 6.13.0 - 6.13.3linux

Linux/Linux < 5.12

Linux/Linux 5.12

Linux/Linux 5.15.209 - 5.15.*

Linux/Linux 6.1.175 - 6.1.*

Linux/Linux 6.12.14 - 6.12.*

Linux/Linux 6.13.3 - 6.13.*

Linux/Linux 6.14

Linux/Linux 6.6.135 - 6.6.*

... and 8 more

Published Feb 27, 2025

Tracked Since Feb 18, 2026