2426084 – (CVE-2023-54310) CVE-2023-54310 kernel: scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition

Bug 2426084 (CVE-2023-54310) - CVE-2023-54310 kernel: scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition

Summary: CVE-2023-54310 kernel: scsi: message: mptlan: Fix use after free bug in mptla...

Keywords:
Status:	NEW
Alias:	CVE-2023-54310
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-30 13:07 UTC by OSIDB Bzimport
Modified:	2025-12-31 10:30 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-30 13:07:46 UTC

In the Linux kernel, the following vulnerability has been resolved:

scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition

mptlan_probe() calls mpt_register_lan_device() which initializes the
&priv->post_buckets_task workqueue. A call to
mpt_lan_wake_post_buckets_task() will subsequently start the work.

During driver unload in mptlan_remove() the following race may occur:

CPU0                  CPU1

                    |mpt_lan_post_receive_buckets_work()
mptlan_remove()     |
  free_netdev()     |
    kfree(dev);     |
                    |
                    | dev->mtu
                    |   //use

Fix this by finishing the work prior to cleaning up in mptlan_remove().

[mkp: we really should remove mptlan instead of attempting to fix it]

Comment 1 Alexander B 2025-12-31 10:25:31 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025123035-CVE-2023-54310-cc98@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.