ghsa-8fw5-h4j9-4g35
Vulnerability from github
Published
2025-05-20 18:30
Modified
2025-05-20 18:30
Details

In the Linux kernel, the following vulnerability has been resolved:

firmware: arm_scmi: Balance device refcount when destroying devices

Using device_find_child() to lookup the proper SCMI device to destroy causes an unbalance in device refcount, since device_find_child() calls an implicit get_device(): this, in turns, inhibits the call of the provided release methods upon devices destruction.

As a consequence, one of the structures that is not freed properly upon destruction is the internal struct device_private dev->p populated by the drivers subsystem core.

KMemleak detects this situation since loading/unloding some SCMI driver causes related devices to be created/destroyed without calling any device_release method.

unreferenced object 0xffff00000f583800 (size 512): comm "insmod", pid 227, jiffies 4294912190 hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff 60 36 1d 8a 00 80 ff ff ........`6...... backtrace (crc 114e2eed): kmemleak_alloc+0xbc/0xd8 __kmalloc_cache_noprof+0x2dc/0x398 device_add+0x954/0x12d0 device_register+0x28/0x40 __scmi_device_create.part.0+0x1bc/0x380 scmi_device_create+0x2d0/0x390 scmi_create_protocol_devices+0x74/0xf8 scmi_device_request_notifier+0x1f8/0x2a8 notifier_call_chain+0x110/0x3b0 blocking_notifier_call_chain+0x70/0xb0 scmi_driver_register+0x350/0x7f0 0xffff80000a3b3038 do_one_initcall+0x12c/0x730 do_init_module+0x1dc/0x640 load_module+0x4b20/0x5b70 init_module_from_file+0xec/0x158

$ ./scripts/faddr2line ./vmlinux device_add+0x954/0x12d0 device_add+0x954/0x12d0: kmalloc_noprof at include/linux/slab.h:901 (inlined by) kzalloc_noprof at include/linux/slab.h:1037 (inlined by) device_private_init at drivers/base/core.c:3510 (inlined by) device_add at drivers/base/core.c:3561

Balance device refcount by issuing a put_device() on devices found via device_find_child().

Show details on source website


{
  "affected": [],
  "aliases": [
    "CVE-2025-37905"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-20T16:15:26Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Balance device refcount when destroying devices\n\nUsing device_find_child() to lookup the proper SCMI device to destroy\ncauses an unbalance in device refcount, since device_find_child() calls an\nimplicit get_device(): this, in turns, inhibits the call of the provided\nrelease methods upon devices destruction.\n\nAs a consequence, one of the structures that is not freed properly upon\ndestruction is the internal struct device_private dev-\u003ep populated by the\ndrivers subsystem core.\n\nKMemleak detects this situation since loading/unloding some SCMI driver\ncauses related devices to be created/destroyed without calling any\ndevice_release method.\n\nunreferenced object 0xffff00000f583800 (size 512):\n  comm \"insmod\", pid 227, jiffies 4294912190\n  hex dump (first 32 bytes):\n    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........\n    ff ff ff ff ff ff ff ff 60 36 1d 8a 00 80 ff ff  ........`6......\n  backtrace (crc 114e2eed):\n    kmemleak_alloc+0xbc/0xd8\n    __kmalloc_cache_noprof+0x2dc/0x398\n    device_add+0x954/0x12d0\n    device_register+0x28/0x40\n    __scmi_device_create.part.0+0x1bc/0x380\n    scmi_device_create+0x2d0/0x390\n    scmi_create_protocol_devices+0x74/0xf8\n    scmi_device_request_notifier+0x1f8/0x2a8\n    notifier_call_chain+0x110/0x3b0\n    blocking_notifier_call_chain+0x70/0xb0\n    scmi_driver_register+0x350/0x7f0\n    0xffff80000a3b3038\n    do_one_initcall+0x12c/0x730\n    do_init_module+0x1dc/0x640\n    load_module+0x4b20/0x5b70\n    init_module_from_file+0xec/0x158\n\n$ ./scripts/faddr2line ./vmlinux device_add+0x954/0x12d0\ndevice_add+0x954/0x12d0:\nkmalloc_noprof at include/linux/slab.h:901\n(inlined by) kzalloc_noprof at include/linux/slab.h:1037\n(inlined by) device_private_init at drivers/base/core.c:3510\n(inlined by) device_add at drivers/base/core.c:3561\n\nBalance device refcount by issuing a put_device() on devices found via\ndevice_find_child().",
  "id": "GHSA-8fw5-h4j9-4g35",
  "modified": "2025-05-20T18:30:54Z",
  "published": "2025-05-20T18:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37905"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2fbf6c9695ad9f05e7e5c166bf43fac7cb3276b3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8a8a3547d5c4960da053df49c75bf623827a25da"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/91ff1e9652fb9beb0174267d6bb38243dff211bb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/969d8beaa2e374387bf9aa5602ef84fc50bb48d8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9ca67840c0ddf3f39407339624cef824a4f27599"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ff4273d47da81b95ed9396110bcbd1b7b7470fe8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…

Loading…