Bug 2401490 (CVE-2023-53609)

Summary: CVE-2023-53609 kernel: scsi: Revert "scsi: core: Do not increase scsi_device's iorequest_cnt if dispatch failed"
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A use-after-free flaw was found in the Linux kernel's SCSI subsystem in the command dispatch error handling. A local user can trigger this issue through specific SCSI device operations that cause dispatch failures, where the code attempts to increment a reference counter on a device structure that may have already been freed after returning from the dispatch function. This results in accessing freed memory, leading to kernel panic or potential memory corruption.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-10-04 16:03:35 UTC 
In the Linux kernel, the following vulnerability has been resolved:

scsi: Revert "scsi: core: Do not increase scsi_device's iorequest_cnt if dispatch failed"

The "atomic_inc(&cmd->device->iorequest_cnt)" in scsi_queue_rq() would
cause kernel panic because cmd->device may be freed after returning from
scsi_dispatch_cmd().

This reverts commit cfee29ffb45b1c9798011b19d454637d1b0fe87d.
Comment 1 Alexander B 2025-10-06 15:48:51 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025100433-CVE-2023-53609-1c39@gregkh/T