CVE-2024-26893

In the Linux kernel, the following vulnerability has been resolved:
firmware: arm_scmi: Fix double free in SMC transport cleanup path When the
generic SCMI code tears down a channel, it calls the chan_free callback
function, defined by each transport. Since multiple protocols might share
the same transport_info member, chan_free() might want to clean up the same
member multiple times within the given SCMI transport implementation. In
this case, it is SMC transport. This will lead to a NULL pointer
dereference at the second time: | scmi_protocol scmi_dev.1: Enabled polling
mode TX channel - prot_id:16 | arm-scmi firmware:scmi: SCMI Notifications -
Core Enabled. | arm-scmi firmware:scmi: unable to communicate with SCMI |
Unable to handle kernel NULL pointer dereference at virtual address
0000000000000000 | Mem abort info: | ESR = 0x0000000096000004 | EC = 0x25:
DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 |
FSC = 0x04: level 0 translation fault | Data abort info: | ISV = 0, ISS =
0x00000004, ISS2 = 0x00000000 | CM = 0, WnR = 0, TnD = 0, TagAccess = 0 |
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 48-bit
VAs, pgdp=0000000881ef8000 | [0000000000000000] pgd=0000000000000000,
p4d=0000000000000000 | Internal error: Oops: 0000000096000004 [#1] PREEMPT
SMP | Modules linked in: | CPU: 4 PID: 1 Comm: swapper/0 Not tainted
6.7.0-rc2-00124-g455ef3d016c9-dirty #793 | Hardware name: FVP Base RevC
(DT) | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=–) | pc
: smc_chan_free+0x3c/0x6c | lr : smc_chan_free+0x3c/0x6c | Call trace: |
smc_chan_free+0x3c/0x6c | idr_for_each+0x68/0xf8 |
scmi_cleanup_channels.isra.0+0x2c/0x58 | scmi_probe+0x434/0x734 |
platform_probe+0x68/0xd8 | really_probe+0x110/0x27c |
__driver_probe_device+0x78/0x12c | driver_probe_device+0x3c/0x118 |
__driver_attach+0x74/0x128 | bus_for_each_dev+0x78/0xe0 |
driver_attach+0x24/0x30 | bus_add_driver+0xe4/0x1e8 |
driver_register+0x60/0x128 | __platform_driver_register+0x28/0x34 |
scmi_driver_init+0x84/0xc0 | do_one_initcall+0x78/0x33c |
kernel_init_freeable+0x2b8/0x51c | kernel_init+0x24/0x130 |
ret_from_fork+0x10/0x20 | Code: f0004701 910a0021 aa1403e5 97b91c70
(b9400280) | —[ end trace 0000000000000000 ]— Simply check for the
struct pointer being NULL before trying to access its members, to avoid
this situation. This was found when a transport doesn’t really work (for
instance no SMC service), the probe routines then tries to clean up, and
triggers a crash.