CVE-2023-54100
Description
In the Linux kernel, the following vulnerability has been resolved:
scsi: qedi: Fix use after free bug in qedi_remove()
In qedi_probe() we call __qedi_probe() which initializes &qedi->recovery_work with qedi_recovery_handler() and &qedi->board_disable_work with qedi_board_disable_work().
When qedi_schedule_recovery_handler() is called, schedule_delayed_work() will finally start the work.
In qedi_remove(), which is called to remove the driver, the following sequence may be observed:
Fix this by finishing the work before cleanup in qedi_remove().
CPU0                     CPU1
                         | qedi_recovery_handler
qedi_remove              |
  __qedi_remove          |
  iscsi_host_free        |
  scsi_host_put          |
  //free shost           |
                         | iscsi_host_for_each_session
                         | //use qedi->shost
Cancel recovery_work and board_disable_work in __qedi_remove().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Linux kernel's qedi driver due to delayed work items not being cancelled before driver removal.
Vulnerability
In the Linux kernel, a use-after-free bug was found in the qedi iSCSI driver. qedi_probe() calls __qedi_probe(), which initializes two delayed work items: recovery_work (handled by qedi_recovery_handler()) and board_disable_work (handled by qedi_board_disable_work()). qedi_schedule_recovery_handler() queues recovery_work with schedule_delayed_work(). When the driver is removed via qedi_remove(), the cleanup path in __qedi_remove() called iscsi_host_free() and scsi_host_put(), freeing the SCSI host (qedi->shost), without first cancelling the work items or waiting for a handler already in flight. A recovery handler still running on another CPU then walks the host in iscsi_host_for_each_session() and dereferences the freed qedi->shost. The race is between CPU0 executing qedi_remove() and CPU1 executing qedi_recovery_handler().
Exploitation
Triggering the bug requires a driver removal (module unload or a PCI unbind through sysfs, both root-only operations) to race with a pending or in-flight recovery_work or board_disable_work item. The recovery work is not scheduled from user space: qedi_schedule_recovery_handler() is a callback the qed core invokes when the adapter enters recovery, so whoever unloads the driver must also be able to provoke, or wait for, such an event and win the narrow timing window. Since the removal itself already needs root, this is best regarded as a kernel robustness defect during driver teardown rather than a privilege boundary crossing.
Impact
Hitting the race corrupts kernel memory: the handler dereferences a freed SCSI host, which can crash the kernel (denial of service) or, if the freed memory has already been reallocated to another object, corrupt that object with consequences that depend on what now occupies the slot. The bug affects systems that use the QLogic qedi iSCSI offload driver (the separate qedf driver is the FCoE counterpart), primarily in enterprise storage environments.
Mitigation
The fix cancels the delayed work items (recovery_work and board_disable_work) in __qedi_remove() and waits for any handler already running to return (the description's "finishing the work before cleanup") before the host structure is freed, so the handler can no longer observe a freed qedi->shost. The patch has been merged into the upstream Linux kernel and is available in stable releases [1][2][3]. Users should update to a kernel version containing the fix.
References
[1] https://git.kernel.org/stable/c/5e756a59cee6a8a79b9059c5bdf0ecbf5bb8d151
[2] https://git.kernel.org/stable/c/3738a230831e861503119ee2691c4a7dc56ed60a
[3] https://git.kernel.org/stable/c/124027cd1a624ce0347adcd59241a9966a726b22
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
- fa19c533ab19
- 5e756a59cee6
- 3738a230831e
- 89f6023fc321
- 124027cd1a62
- c5749639f2d0
Vulnerability mechanics
Root cause
"A race condition during driver removal allows asynchronous work handlers to access a SCSI host structure after it has been freed."
Attack vector
The use-after-free is reached when driver removal runs while a recovery or board disable work item is pending or concurrently executing [patch_id=4724]: `qedi_remove()` frees the SCSI host structure, and the work handler `qedi_recovery_handler()`, which still holds a pointer to it, accesses the host after it has been deallocated [patch_id=4724].
Affected code
The vulnerability exists in the `qedi_remove()` function and its helper `__qedi_remove()` within the `qedi` driver [patch_id=4724]. These functions fail to properly synchronize with asynchronous work items during driver removal.
What the fix does
The fix involves explicitly cancelling the `recovery_work` and `board_disable_work` items within `__qedi_remove()` before the SCSI host is freed [patch_id=4724]. By ensuring these work items are finished or cancelled before cleanup, the driver prevents the work handler from accessing deallocated memory. This synchronization eliminates the race condition that previously led to the use-after-free [patch_id=4724].
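The following user-space C program is an added illustration and is not code from this page or from the kernel; it models the CPU0/CPU1 interleaving above with a pthread standing in for the workqueue worker (the `shost_model`/`qedi_model` stand-ins, the `model_` functions and the timing parameters are all assumptions). It contrasts three versions of the removal path: the unfixed one, one that only drops a pending item (the non-waiting `cancel_delayed_work()` semantics), and the fix's discipline of cancelling and then waiting for an in-flight handler (`cancel_delayed_work_sync()` semantics) before the host is freed. A tombstone flag replaces the real free so that a late access is counted instead of corrupting memory.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

static void sleep_ms(int ms)
{
    struct timespec ts = { ms / 1000, (long)(ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* Assumed stand-in for struct Scsi_Host. `freed` is a tombstone: the object is
 * never really freed, so a late handler records the bug instead of corrupting
 * the heap. */
struct shost_model { atomic_bool freed; };

/* Assumed stand-in for the qedi_ctx fields that matter, plus one work item. */
struct qedi_model {
    struct shost_model *shost;
    pthread_t worker;
    bool scheduled;          /* work item exists (worker thread created)   */
    atomic_bool cancelled;   /* cancel ran before the handler body started */
    int delay_ms;            /* schedule_delayed_work() delay              */
    int handler_ms;          /* time the body spends using qedi->shost     */
    atomic_int handler_ran;  /* body executed at all                       */
    atomic_int uaf_accesses; /* body touched shost after it was freed      */
};

/* CPU1: models qedi_recovery_handler(). After the delay it walks the host's
 * sessions through qedi->shost, as iscsi_host_for_each_session() does. */
static void *recovery_handler(void *arg)
{
    struct qedi_model *q = arg;

    sleep_ms(q->delay_ms);
    if (atomic_load(&q->cancelled))      /* pending item was cancelled */
        return NULL;
    atomic_fetch_add(&q->handler_ran, 1);
    sleep_ms(q->handler_ms);             /* body in flight on CPU1 */
    if (atomic_load(&q->shost->freed))   /* the use of qedi->shost */
        atomic_fetch_add(&q->uaf_accesses, 1);
    return NULL;
}

/* Models schedule_delayed_work(&qedi->recovery_work, delay). */
static void model_schedule_delayed_work(struct qedi_model *q)
{
    q->scheduled = pthread_create(&q->worker, NULL, recovery_handler, q) == 0;
}

/* Models cancel_delayed_work(): drops a pending item, does NOT wait for a
 * body that is already running. */
static void model_cancel_delayed_work(struct qedi_model *q)
{
    atomic_store(&q->cancelled, true);
}

/* Models cancel_delayed_work_sync(): drops a pending item AND waits for a
 * running body to return. This is the discipline the fix applies. */
static void model_cancel_delayed_work_sync(struct qedi_model *q)
{
    model_cancel_delayed_work(q);
    if (q->scheduled) {
        pthread_join(q->worker, NULL);
        q->scheduled = false;
    }
}

enum remove_variant { REMOVE_UNFIXED, REMOVE_CANCEL_ONLY, REMOVE_CANCEL_SYNC };

/* CPU0: models __qedi_remove() in three variants; REMOVE_CANCEL_SYNC is the fix. */
static void model_qedi_remove(struct qedi_model *q, enum remove_variant v)
{
    if (v == REMOVE_CANCEL_ONLY)
        model_cancel_delayed_work(q);
    else if (v == REMOVE_CANCEL_SYNC)
        model_cancel_delayed_work_sync(q);
    atomic_store(&q->shost->freed, true); /* iscsi_host_free -> scsi_host_put */
}

/* One interleaving: schedule the work, remove the driver remove_after_ms later,
 * then reap the worker so the counters can be read. Returns the number of
 * post-free accesses; *ran (if non-NULL) reports whether the body executed. */
static int run_scenario(enum remove_variant v, int delay_ms, int handler_ms,
                        int remove_after_ms, int *ran)
{
    struct shost_model host;
    struct qedi_model q = { .shost = &host, .delay_ms = delay_ms,
                            .handler_ms = handler_ms };

    atomic_init(&host.freed, false);
    atomic_init(&q.cancelled, false);
    atomic_init(&q.handler_ran, 0);
    atomic_init(&q.uaf_accesses, 0);
    model_schedule_delayed_work(&q); /* qedi_schedule_recovery_handler() */
    sleep_ms(remove_after_ms);
    model_qedi_remove(&q, v);        /* rmmod / PCI unbind */
    if (q.scheduled)
        pthread_join(q.worker, NULL); /* observation only, not part of remove */
    if (ran)
        *ran = atomic_load(&q.handler_ran);
    return atomic_load(&q.uaf_accesses);
}

int main(void)
{
    printf("cancel only, body in flight: post-free accesses=%d\n",
           run_scenario(REMOVE_CANCEL_ONLY, 0, 200, 50, NULL));
    printf("cancel+wait, body in flight: post-free accesses=%d\n",
           run_scenario(REMOVE_CANCEL_SYNC, 0, 200, 50, NULL));
    return 0;
}
```

The cancel-only variant is included because it is the tempting but insufficient fix: it prevents a pending item from ever starting, yet a handler that is already walking the host keeps running while the host is freed underneath it. Only the cancel-and-wait form closes both windows, which is why the order (cancel first, free the host afterwards) matters as much as the call itself.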
Preconditions
- (config) The qedi driver must be in the process of being removed while a recovery or board disable work item is pending or executing.
Generated on May 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/124027cd1a624ce0347adcd59241a9966a726b22
- git.kernel.org/stable/c/3738a230831e861503119ee2691c4a7dc56ed60a
- git.kernel.org/stable/c/5e756a59cee6a8a79b9059c5bdf0ecbf5bb8d151
- git.kernel.org/stable/c/89f6023fc321c958a0fb11f143a6eb4544ae3940
- git.kernel.org/stable/c/c5749639f2d0a1f6cbe187d05f70c2e7c544d748
- git.kernel.org/stable/c/fa19c533ab19161298f0780bcc6523af88f6fd20