Bug 2400714 (CVE-2023-53510) - CVE-2023-53510 kernel: scsi: ufs: core: Fix handling of lrbp->cmd
Summary: CVE-2023-53510 kernel: scsi: ufs: core: Fix handling of lrbp->cmd
Keywords:
Status: NEW
Alias: CVE-2023-53510
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-10-01 12:03 UTC by OSIDB Bzimport
Modified: 2025-11-27 16:13 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-10-01 12:03:09 UTC 
In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix handling of lrbp->cmd

ufshcd_queuecommand() may be called two times in a row for a SCSI command
before it is completed. Hence make the following changes:

 - In the functions that submit a command, do not check the old value of
   lrbp->cmd nor clear lrbp->cmd in error paths.

 - In ufshcd_release_scsi_cmd(), do not clear lrbp->cmd.

See also scsi_send_eh_cmnd().

This commit prevents that the following appears if a command times out:

WARNING: at drivers/ufs/core/ufshcd.c:2965 ufshcd_queuecommand+0x6f8/0x9a8
Call trace:
 ufshcd_queuecommand+0x6f8/0x9a8
 scsi_send_eh_cmnd+0x2c0/0x960
 scsi_eh_test_devices+0x100/0x314
 scsi_eh_ready_devs+0xd90/0x114c
 scsi_error_handler+0x2b4/0xb70
 kthread+0x16c/0x1e0
Comment 1 Jon Moroney 2025-10-01 22:54:11 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025100130-CVE-2023-53510-9e6a@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.