Bug 2425099 (CVE-2023-54100) - CVE-2023-54100 kernel: scsi: qedi: Fix use after free bug in qedi_remove()
Keywords:
Status: NEW
Alias: CVE-2023-54100
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-12-24 14:02 UTC by OSIDB Bzimport
Modified: 2025-12-25 02:47 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-12-24 14:02:45 UTC
In the Linux kernel, the following vulnerability has been resolved:

scsi: qedi: Fix use after free bug in qedi_remove()

In qedi_probe() we call __qedi_probe() which initializes
&qedi->recovery_work with qedi_recovery_handler() and
&qedi->board_disable_work with qedi_board_disable_work().

When qedi_schedule_recovery_handler() is called, schedule_delayed_work()
will finally start the work.

In qedi_remove(), which is called to remove the driver, the following
sequence may be observed:

Fix this by finishing the work before cleanup in qedi_remove().

CPU0                  CPU1

                     |qedi_recovery_handler
qedi_remove          |
  __qedi_remove      |
iscsi_host_free      |
scsi_host_put        |
//free shost         |
                     |iscsi_host_for_each_session
                     |//use qedi->shost

Cancel recovery_work and board_disable_work in __qedi_remove().
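
The ordering problem described above, as an added user-space model in C; it is not the qedi driver code or the upstream patch. A pthread stands in for the delayed work item and a flag stands in for the freed shost; every model_* name is hypothetical.

```c
/* Added example: user-space model of the remove-vs-work ordering.
 * Assumptions: a pthread models recovery_work, host_freed models the
 * freed shost, proceed models the handler reaching its host walk. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

struct model_dev {
    atomic_int host_freed;    /* set where the diagram says "//free shost" */
    atomic_int proceed;       /* lets the in-flight handler reach the host */
    atomic_int stale_access;  /* handler touched the host after the free */
};

/* Models qedi_recovery_handler(): already running, then uses the host. */
static void *model_recovery_handler(void *arg)
{
    struct model_dev *d = arg;
    while (!atomic_load(&d->proceed))
        ;                                   /* started, not yet at the host */
    if (atomic_load(&d->host_freed))        /* models "//use qedi->shost" */
        atomic_store(&d->stale_access, 1);
    return NULL;
}

/* Models __qedi_remove(). sync_first = 1 is the fixed ordering: the work is
 * finished before cleanup. Returns 1 if the handler saw a freed host. */
static int model_remove(int sync_first)
{
    struct model_dev d;
    pthread_t work;
    atomic_init(&d.host_freed, 0);
    atomic_init(&d.proceed, 0);
    atomic_init(&d.stale_access, 0);
    if (pthread_create(&work, NULL, model_recovery_handler, &d) != 0)
        return -1;
    if (sync_first) {                       /* wait for the work, then free */
        atomic_store(&d.proceed, 1);
        pthread_join(work, NULL);
    }
    atomic_store(&d.host_freed, 1);         /* cleanup frees the host */
    if (!sync_first) {                      /* handler runs after the free */
        atomic_store(&d.proceed, 1);
        pthread_join(work, NULL);
    }
    return atomic_load(&d.stale_access);
}

int main(void)
{
    printf("cleanup first: stale access = %d\n", model_remove(0));
    printf("work finished first: stale access = %d\n", model_remove(1));
    return 0;
}
```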

