From: "Ilia.Gavrilov" Ilia.Gavrilov@infotecs.ru

From: Guixin Liu kanie@linux.alibaba.com

commit 1e95c798d8a7f70965f0f88d4657b682ff0ec75f upstream.

Currently, this does not cause any issues, but I believe it is necessary to set bsg_queue to NULL after removing it to prevent potential use-after-free (UAF) access.

Signed-off-by: Guixin Liu kanie@linux.alibaba.com Link: https://lore.kernel.org/r/20241218014214.64533-3-kanie@linux.alibaba.com Reviewed-by: Avri Altman avri.altman@wdc.com Signed-off-by: Martin K. Petersen martin.petersen@oracle.com Signed-off-by: Ilia Gavrilov Ilia.Gavrilov@infotecs.ru --- Backport fix for CVE-2024-54458 drivers/scsi/ufs/ufs_bsg.c | 1 + 1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/ufs/ufs_bsg.c b/drivers/scsi/ufs/ufs_bsg.c index 05c7347eda18..a7e1b011202b 100644 --- a/drivers/scsi/ufs/ufs_bsg.c +++ b/drivers/scsi/ufs/ufs_bsg.c @@ -175,6 +175,7 @@ void ufs_bsg_remove(struct ufs_hba *hba) return;

bsg_remove_queue(hba->bsg_queue); + hba->bsg_queue = NULL;

device_del(bsg_dev); put_device(bsg_dev);