CVE-2025-37828 (GCVE-0-2025-37828)
Vulnerability from cvelistv5
Published: 2025-05-08 06:26
Modified: 2025-05-26 05:21
Summary
In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: mcq: Add NULL check in ufshcd_mcq_abort()

A race can occur between the MCQ completion path and the abort handler: once a request completes, __blk_mq_free_request() sets rq->mq_hctx to NULL, meaning the subsequent ufshcd_mcq_req_to_hwq() call in ufshcd_mcq_abort() can return a NULL pointer. If this NULL pointer is dereferenced, the kernel will crash.

Add a NULL check for the returned hwq pointer. If hwq is NULL, log an error and return FAILED, preventing a potential NULL-pointer dereference. As suggested by Bart, the ufshcd_cmd_inflight() check is removed.

This is similar to the fix in commit 74736103fb41 ("scsi: ufs: core: Fix ufshcd_abort_one racing issue").

This is found by our static analysis tool KNighter.
Impacted products
Vendor Product Version
Linux Linux Version: f1304d4420777f82a1d844c606db3d9eca841765
Version: f1304d4420777f82a1d844c606db3d9eca841765
Version: f1304d4420777f82a1d844c606db3d9eca841765
Version: f1304d4420777f82a1d844c606db3d9eca841765


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/core/ufs-mcq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d6979fabe812a168d5053e5a41d5a2e9b8afd7bf",
              "status": "affected",
              "version": "f1304d4420777f82a1d844c606db3d9eca841765",
              "versionType": "git"
            },
            {
              "lessThan": "7d002f591486f5ef4bc02eb02025a53f931f0eb5",
              "status": "affected",
              "version": "f1304d4420777f82a1d844c606db3d9eca841765",
              "versionType": "git"
            },
            {
              "lessThan": "47eec518aef3814f64a5da43df81bdd74d8c0041",
              "status": "affected",
              "version": "f1304d4420777f82a1d844c606db3d9eca841765",
              "versionType": "git"
            },
            {
              "lessThan": "4c324085062919d4e21c69e5e78456dcec0052fe",
              "status": "affected",
              "version": "f1304d4420777f82a1d844c606db3d9eca841765",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/core/ufs-mcq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: mcq: Add NULL check in ufshcd_mcq_abort()\n\nA race can occur between the MCQ completion path and the abort handler:\nonce a request completes, __blk_mq_free_request() sets rq-\u003emq_hctx to\nNULL, meaning the subsequent ufshcd_mcq_req_to_hwq() call in\nufshcd_mcq_abort() can return a NULL pointer. If this NULL pointer is\ndereferenced, the kernel will crash.\n\nAdd a NULL check for the returned hwq pointer. If hwq is NULL, log an\nerror and return FAILED, preventing a potential NULL-pointer\ndereference.  As suggested by Bart, the ufshcd_cmd_inflight() check is\nremoved.\n\nThis is similar to the fix in commit 74736103fb41 (\"scsi: ufs: core: Fix\nufshcd_abort_one racing issue\").\n\nThis is found by our static analysis tool KNighter."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:21:45.612Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d6979fabe812a168d5053e5a41d5a2e9b8afd7bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d002f591486f5ef4bc02eb02025a53f931f0eb5"
        },
        {
          "url": "https://git.kernel.org/stable/c/47eec518aef3814f64a5da43df81bdd74d8c0041"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c324085062919d4e21c69e5e78456dcec0052fe"
        }
      ],
      "title": "scsi: ufs: mcq: Add NULL check in ufshcd_mcq_abort()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37828",
    "datePublished": "2025-05-08T06:26:20.135Z",
    "dateReserved": "2025-04-16T04:51:23.950Z",
    "dateUpdated": "2025-05-26T05:21:45.612Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-37828\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-08T07:15:54.033\",\"lastModified\":\"2025-05-08T14:39:09.683\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: ufs: mcq: Add NULL check in ufshcd_mcq_abort()\\n\\nA race can occur between the MCQ completion path and the abort handler:\\nonce a request completes, __blk_mq_free_request() sets rq-\u003emq_hctx to\\nNULL, meaning the subsequent ufshcd_mcq_req_to_hwq() call in\\nufshcd_mcq_abort() can return a NULL pointer. If this NULL pointer is\\ndereferenced, the kernel will crash.\\n\\nAdd a NULL check for the returned hwq pointer. If hwq is NULL, log an\\nerror and return FAILED, preventing a potential NULL-pointer\\ndereference.  As suggested by Bart, the ufshcd_cmd_inflight() check is\\nremoved.\\n\\nThis is similar to the fix in commit 74736103fb41 (\\\"scsi: ufs: core: Fix\\nufshcd_abort_one racing issue\\\").\\n\\nThis is found by our static analysis tool KNighter.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: ufs: mcq: Agregar comprobaci\u00f3n NULL en ufshcd_mcq_abort() Puede ocurrir una ejecuci\u00f3n entre la ruta de finalizaci\u00f3n de MCQ y el controlador de aborto: una vez que se completa una solicitud, __blk_mq_free_request() establece rq-\u0026gt;mq_hctx en NULL, lo que significa que la llamada ufshcd_mcq_req_to_hwq() posterior en ufshcd_mcq_abort() puede devolver un puntero NULL. Si se desreferencia este puntero NULL, el kernel se bloquear\u00e1. Agregue una comprobaci\u00f3n NULL para el puntero hwq devuelto. Si hwq es NULL, registre un error y devuelva FAILED, lo que evita una posible desreferencia de puntero NULL. Como sugiri\u00f3 Bart, se elimina la comprobaci\u00f3n ufshcd_cmd_inflight(). 
Esto es similar a la correcci\u00f3n en el commit 74736103fb41 (\\\"scsi: ufs: core: Fix ufshcd_abort_one racing issue\\\"). Esta correcci\u00f3n la encontr\u00f3 nuestra herramienta de an\u00e1lisis est\u00e1tico Knighter.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/47eec518aef3814f64a5da43df81bdd74d8c0041\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4c324085062919d4e21c69e5e78456dcec0052fe\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7d002f591486f5ef4bc02eb02025a53f931f0eb5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d6979fabe812a168d5053e5a41d5a2e9b8afd7bf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

