CVE-2025-22020: memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove

Description

In the Linux kernel, the following vulnerability has been resolved:

memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove

This fixes the following crash:

==================================================================
BUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
Read of size 8 at addr ffff888136335380 by task kworker/6:0/140241

CPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G E 6.14.0-rc6+ #1
Tainted: [E]=UNSIGNED_MODULE
Hardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024
Workqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms]
Call Trace:

dump_stack_lvl+0x51/0x70
print_address_description.constprop.0+0x27/0x320
? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
print_report+0x3e/0x70
kasan_report+0xab/0xe0
? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms]
? __pfx___schedule+0x10/0x10
? kick_pool+0x3b/0x270
process_one_work+0x357/0x660
worker_thread+0x390/0x4c0
? __pfx_worker_thread+0x10/0x10
kthread+0x190/0x1d0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2d/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30

Allocated by task 161446:
kasan_save_stack+0x20/0x40
kasan_save_track+0x10/0x30
__kasan_kmalloc+0x7b/0x90
__kmalloc_noprof+0x1a7/0x470
memstick_alloc_host+0x1f/0xe0 [memstick]
rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms]
plat...

Classification

CVE ID: CVE-2025-22020

Affected Products

Vendor: Linux

Product: Linux, Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 8.02% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-20 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-22020
https://git.kernel.org/stable/c/914c5e5bfceb9878f3056eaf4d1c88f2cbe0a185
https://git.kernel.org/stable/c/9dfaf4d723c62bda8d9d1340e2e78acf0c190439
https://git.kernel.org/stable/c/31f0eaed6914333f42501fc7e0f6830879f5ef2d
https://git.kernel.org/stable/c/52d942a5302eefb3b7a3bfee310a5a33feeedc21
https://git.kernel.org/stable/c/6186fb2cd36317277a8423687982140a7f3f7841
https://git.kernel.org/stable/c/b094e8e3988e02e8cef7a756c8d2cea9c12509ab
https://git.kernel.org/stable/c/0067cb7d7e7c277e91a0887a3c24e71462379469
https://git.kernel.org/stable/c/75123adf204f997e11bbddee48408c284f51c050
https://git.kernel.org/stable/c/4676741a3464b300b486e70585c3c9b692be1632

Timeline