Bug 2334468 (CVE-2024-56621) - CVE-2024-56621 kernel: scsi: ufs: core: Cancel RTC work during ufshcd_remove()
Summary: CVE-2024-56621 kernel: scsi: ufs: core: Cancel RTC work during ufshcd_remove()
Keywords:
Status: NEW
Alias: CVE-2024-56621
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-12-27 15:04 UTC by OSIDB Bzimport
Modified: 2025-01-20 15:28 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2024-12-27 15:04:02 UTC 
In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Cancel RTC work during ufshcd_remove()

Currently, RTC work is only cancelled during __ufshcd_wl_suspend(). When
ufshcd is removed in ufshcd_remove(), RTC work is not cancelled. Due to
this, any further trigger of the RTC work after ufshcd_remove() would
result in a NULL pointer dereference as below:

Unable to handle kernel NULL pointer dereference at virtual address 00000000000002a4
Workqueue: events ufshcd_rtc_work
Call trace:
 _raw_spin_lock_irqsave+0x34/0x8c
 pm_runtime_get_if_active+0x24/0xb4
 ufshcd_rtc_work+0x124/0x19c
 process_scheduled_works+0x18c/0x2d8
 worker_thread+0x144/0x280
 kthread+0x11c/0x128
 ret_from_fork+0x10/0x20

Since RTC work accesses the ufshcd internal structures, it should be cancelled
when ufshcd is removed. So do that in ufshcd_remove(), as per the order in
ufshcd_init().
Comment 1 Avinash Hanwate 2024-12-28 07:02:26 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024122710-CVE-2024-56621-98bf@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.