This is a note to let you know that I've just added the patch titled
scsi: ufs: bsg: Set bsg_queue to NULL after removal
to the 6.13-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
scsi-ufs-bsg-set-bsg_queue-to-null-after-removal.patch
and it can be found in the queue-6.13 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit f7ca1f7413b111b5c6f0c502a104d8595aa9f340
Author: Guixin Liu <kanie@xxxxxxxxxxxxxxxxx>
Date: Wed Dec 18 09:42:14 2024 +0800
scsi: ufs: bsg: Set bsg_queue to NULL after removal
[ Upstream commit 1e95c798d8a7f70965f0f88d4657b682ff0ec75f ]
Currently, this does not cause any issues, but I believe it is necessary to
set bsg_queue to NULL after removing it to prevent potential use-after-free
(UAF) access.
Signed-off-by: Guixin Liu <kanie@xxxxxxxxxxxxxxxxx>
Link: https://lore.kernel.org/r/20241218014214.64533-3-kanie@xxxxxxxxxxxxxxxxx
Reviewed-by: Avri Altman <avri.altman@xxxxxxx>
Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/drivers/ufs/core/ufs_bsg.c b/drivers/ufs/core/ufs_bsg.c
index 58023f735c195..8d4ad0a3f2cf0 100644
--- a/drivers/ufs/core/ufs_bsg.c
+++ b/drivers/ufs/core/ufs_bsg.c
@@ -216,6 +216,7 @@ void ufs_bsg_remove(struct ufs_hba *hba)
return;
bsg_remove_queue(hba->bsg_queue);
+ hba->bsg_queue = NULL;
device_del(bsg_dev);
put_device(bsg_dev);
