CVE-2024-53068

In the Linux kernel, the following vulnerability has been resolved:

firmware: armscmi: Fix slab-use-after-free in scmibus_notifier()

The scmidev->name is released prematurely in _scmidevicedestroy(), which causes slab-use-after-free when accessing scmidev->name in scmibusnotifier(). So move the release of scmidev->name to scmidevicerelease() to avoid slab-use-after-free.

| BUG: KASAN: slab-use-after-free in strncmp+0xe4/0xec | Read of size 1 at addr ffffff80a482bcc0 by task swapper/0/1 | | CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.6.38-debug #1 | Hardware name: Qualcomm Technologies, Inc. SA8775P Ride (DT) | Call trace: | dumpbacktrace+0x94/0x114 | showstack+0x18/0x24 | dumpstacklvl+0x48/0x60 | printreport+0xf4/0x5b0 | kasanreport+0xa4/0xec | _asanreportload1noabort+0x20/0x2c | strncmp+0xe4/0xec | scmibusnotifier+0x5c/0x54c | notifiercallchain+0xb4/0x31c | blockingnotifiercallchain+0x68/0x9c | busnotify+0x54/0x78 | devicedel+0x1bc/0x840 | deviceunregister+0x20/0xb4 | _scmidevicedestroy+0xac/0x280 | scmidevicedestroy+0x94/0xd0 | scmichansetup+0x524/0x750 | scmiprobe+0x7fc/0x1508 | platformprobe+0xc4/0x19c | reallyprobe+0x32c/0x99c | _driverprobedevice+0x15c/0x3c4 | driverprobedevice+0x5c/0x170 | _driverattach+0x1c8/0x440 | busforeachdev+0xf4/0x178 | driverattach+0x3c/0x58 | busadddriver+0x234/0x4d4 | driverregister+0xf4/0x3c0 | _platformdriverregister+0x60/0x88 | scmidriverinit+0xb0/0x104 | dooneinitcall+0xb4/0x664 | kernelinitfreeable+0x3c8/0x894 | kernelinit+0x24/0x1e8 | retfromfork+0x10/0x20 | | Allocated by task 1: | kasansavestack+0x2c/0x54 | kasansettrack+0x2c/0x40 | kasansaveallocinfo+0x24/0x34 | _kasankmalloc+0xa0/0xb8 | _kmallocnodetrackcaller+0x6c/0x104 | kstrdup+0x48/0x84 | kstrdupconst+0x34/0x40 | _scmidevicecreate.part.0+0x8c/0x408 | scmidevicecreate+0x104/0x370 | scmichansetup+0x2a0/0x750 | scmiprobe+0x7fc/0x1508 | platformprobe+0xc4/0x19c | reallyprobe+0x32c/0x99c | _driverprobedevice+0x15c/0x3c4 | driverprobedevice+0x5c/0x170 | _driverattach+0x1c8/0x440 | busforeachdev+0xf4/0x178 | driverattach+0x3c/0x58 | busadddriver+0x234/0x4d4 | driverregister+0xf4/0x3c0 | _platformdriverregister+0x60/0x88 | scmidriverinit+0xb0/0x104 | dooneinitcall+0xb4/0x664 | kernelinitfreeable+0x3c8/0x894 | kernelinit+0x24/0x1e8 | retfromfork+0x10/0x20 | | Freed by task 1: | kasansavestack+0x2c/0x54 | kasansettrack+0x2c/0x40 | kasansavefreeinfo+0x38/0x5c | _kasanslabfree+0xe8/0x164 | _kmemcachefree+0x11c/0x230 | kfree+0x70/0x130 | kfreeconst+0x20/0x40 | _scmidevicedestroy+0x70/0x280 | scmidevicedestroy+0x94/0xd0 | scmichansetup+0x524/0x750 | scmiprobe+0x7fc/0x1508 | platformprobe+0xc4/0x19c | reallyprobe+0x32c/0x99c | _driverprobedevice+0x15c/0x3c4 | driverprobedevice+0x5c/0x170 | _driverattach+0x1c8/0x440 | busforeachdev+0xf4/0x178 | driverattach+0x3c/0x58 | busadddriver+0x234/0x4d4 | driverregister+0xf4/0x3c0 | _platformdriverregister+0x60/0x88 | scmidriverinit+0xb0/0x104 | dooneinitcall+0xb4/0x664 | kernelinitfreeable+0x3c8/0x894 | kernelinit+0x24/0x1e8 | retfromfork+0x10/0x20