1.4 KiB
CVE-2024-56621
Description
In the Linux kernel, the following vulnerability has been resolved:scsi: ufs: core: Cancel RTC work during ufshcd_remove()Currently, RTC work is only cancelled during __ufshcd_wl_suspend(). Whenufshcd is removed in ufshcd_remove(), RTC work is not cancelled. Due tothis, any further trigger of the RTC work after ufshcd_remove() wouldresult in a NULL pointer dereference as below:Unable to handle kernel NULL pointer dereference at virtual address 00000000000002a4Workqueue: events ufshcd_rtc_workCall trace: _raw_spin_lock_irqsave+0x34/0x8c pm_runtime_get_if_active+0x24/0xb4 ufshcd_rtc_work+0x124/0x19c process_scheduled_works+0x18c/0x2d8 worker_thread+0x144/0x280 kthread+0x11c/0x128 ret_from_fork+0x10/0x20Since RTC work accesses the ufshcd internal structures, it should be cancelledwhen ufshcd is removed. So do that in ufshcd_remove(), as per the order inufshcd_init().
POC
Reference
No PoCs from references.