In the Linux kernel, the following vulnerability has been resolved: memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove This fixes the following crash: ================================================================== BUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] Read of size 8 at addr ffff888136335380 by task kworker/6:0/140241 CPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G E 6.14.0-rc6+ #1 Tainted: [E]=UNSIGNED_MODULE Hardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024 Workqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms] Call Trace: <TASK> dump_stack_lvl+0x51/0x70 print_address_description.constprop.0+0x27/0x320 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] print_report+0x3e/0x70 kasan_report+0xab/0xe0 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] ? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms] ? __pfx___schedule+0x10/0x10 ? kick_pool+0x3b/0x270 process_one_work+0x357/0x660 worker_thread+0x390/0x4c0 ? __pfx_worker_thread+0x10/0x10 kthread+0x190/0x1d0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2d/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 161446: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0x7b/0x90 __kmalloc_noprof+0x1a7/0x470 memstick_alloc_host+0x1f/0xe0 [memstick] rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms] platform_probe+0x60/0xe0 call_driver_probe+0x35/0x120 really_probe+0x123/0x410 __driver_probe_device+0xc7/0x1e0 driver_probe_device+0x49/0xf0 __device_attach_driver+0xc6/0x160 bus_for_each_drv+0xe4/0x160 __device_attach+0x13a/0x2b0 bus_probe_device+0xbd/0xd0 device_add+0x4a5/0x760 platform_device_add+0x189/0x370 mfd_add_device+0x587/0x5e0 mfd_add_devices+0xb1/0x130 rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb] usb_probe_interface+0x15c/0x460 call_driver_probe+0x35/0x120...
4.10.0-14.16~16.04.14.10.0-19.21~16.04.14.10.0-20.22~16.04.14.10.0-21.23~16.04.14.10.0-22.24~16.04.14.10.0-24.28~16.04.14.10.0-26.30~16.04.14.11.0-13.19~16.04.14.11.0-14.20~16.04.14.13.0-16.19~16.04.3+13 more5.0.0-1021.24~18.04.15.0.0-1022.25~18.04.15.0.0-1023.26~18.04.15.0.0-1024.27~18.04.15.0.0-1025.285.0.0-1027.305.3.0-1016.17~18.04.15.3.0-1017.18~18.04.15.3.0-1019.21~18.04.15.3.0-1023.25~18.04.15.3.0-1028.30~18.04.15.3.0-1030.32~18.04.15.3.0-1032.34~18.04.25.3.0-1033.355.3.0-1034.365.3.0-1035.374.15.0-1002.24.15.0-1003.34.15.0-1004.44.15.0-1008.84.15.0-1009.94.15.0-1012.124.15.0-1013.134.15.0-1014.144.15.0-1018.184.15.0-1019.19+34 more5.3.0-1007.8~18.04.15.3.0-1008.9~18.04.15.3.0-1009.10~18.04.15.3.0-1010.11~18.04.15.3.0-1012.13~18.04.15.3.0-1013.14~18.04.15.3.0-1016.17~18.04.15.3.0-1018.19~18.04.15.3.0-1019.20~18.04.15.3.0-1020.21~18.04.1+6 more4.18.0-1006.6~18.04.14.18.0-1007.7~18.04.14.18.0-1008.8~18.04.15.0.0-1012.12~18.04.24.15.0-1001.14.15.0-1003.34.15.0-1005.54.15.0-1006.64.15.0-1008.84.15.0-1009.94.15.0-1010.104.15.0-1014.144.15.0-1015.154.15.0-1017.18+28 more5.3.0-1008.9~18.04.15.3.0-1009.10~18.04.15.3.0-1010.11~18.04.15.3.0-1012.13~18.04.15.3.0-1014.15~18.04.15.3.0-1016.17~18.04.15.3.0-1017.18~18.04.15.3.0-1018.19~18.04.15.3.0-1020.22~18.04.15.3.0-1026.28~18.04.1+3 more4.15.0-1030.324.15.0-1032.344.15.0-1033.354.15.0-1034.364.15.0-1036.384.15.0-1037.394.15.0-1040.424.15.0-1041.434.15.0-1042.444.15.0-1044.46+23 more5.4.0-1025.25~18.04.15.4.0-1027.28~18.04.15.4.0-1029.31~18.04.15.4.0-1030.32~18.04.15.4.0-1032.34~18.04.15.4.0-1033.35~18.04.15.4.0-1035.37~18.04.15.4.0-1036.38~18.04.15.4.0-1037.39~18.04.15.4.0-1039.41~18.04.1+27 moreExploitability
AV:LAC:LPR:LUI:NScope
S:UImpact
C:HI:HA:HCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H