CVE-2023-54310
Description
In the Linux kernel, the following vulnerability has been resolved:
scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition
mptlan_probe() calls mpt_register_lan_device() which initializes the &priv->post_buckets_task workqueue. A call to mpt_lan_wake_post_buckets_task() will subsequently start the work.
During driver unload in mptlan_remove() the following race may occur:
CPU0                  CPU1

                    |mpt_lan_post_receive_buckets_work()
mptlan_remove()     |
  free_netdev()     |
    kfree(dev);     |
                    |
                    | dev->mtu
                    |   //use
Fix this by finishing the work prior to cleaning up in mptlan_remove().
[mkp: we really should remove mptlan instead of attempting to fix it]
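The ordering problem described above, reduced to a single-threaded userspace model. This is an added example, not kernel code and not the fix commit; every type and function name in it is a hypothetical stand-in, and the "freed" state is a flag rather than a real free() so the late access can be counted safely.

```c
/* Constructed userspace model; every name is a hypothetical stand-in, not
 * kernel code. "Freed" is a flag, so the late access is detectable without
 * undefined behaviour. */
#include <stdbool.h>

struct model_dev  { int mtu; bool freed; };   /* freed: free_netdev() ran */
struct model_work {
    struct model_dev *dev;
    bool pending;         /* queued, not yet executed */
    int  last_mtu;        /* value read by the handler */
    int  stale_accesses;  /* handler runs that touched a freed device */
};

/* Stand-in for mpt_lan_post_receive_buckets_work(): it reads dev->mtu. */
static void work_handler(struct model_work *w)
{
    if (w->dev->freed)
        w->stale_accesses++;          /* the use-after-free */
    else
        w->last_mtu = w->dev->mtu;
}

/* CPU1: the workqueue eventually runs whatever is still queued. */
static void run_pending(struct model_work *w)
{
    if (!w->pending)
        return;
    w->pending = false;
    work_handler(w);
}

/* Stand-in for mptlan_remove(); finish_first selects the fixed ordering. */
static void model_remove(struct model_work *w, bool finish_first)
{
    if (finish_first)
        run_pending(w);               /* finish the work before cleanup */
    w->dev->freed = true;             /* free_netdev() / kfree(dev) */
}

/* One unload with work still queued; returns the stale access count. */
int simulate_unload(bool finish_first)
{
    struct model_dev dev = { .mtu = 1500, .freed = false };
    struct model_work w = { &dev, true, 0, 0 };

    model_remove(&w, finish_first);   /* CPU0: driver unload */
    run_pending(&w);                  /* CPU1: late work item fires */
    return w.stale_accesses;
}

int main(void)
{
    return !(simulate_unload(false) == 1 && simulate_unload(true) == 0);
}
```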
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free bug in the Linux kernel's mptlan driver due to a race condition between mptlan_remove() and a workqueue, fixed by ensuring work completion before netdev cleanup.
In the Linux kernel, the mptlan driver contains a use-after-free vulnerability in the mptlan_remove() function due to a race condition with the post_buckets_task workqueue. The mptlan_probe() function registers a workqueue that can be started by mpt_lan_wake_post_buckets_task(). During driver unload, mptlan_remove() calls free_netdev() without ensuring the workqueue has finished, allowing the work item to access freed memory (e.g., dev->mtu) [1][2][3].
To exploit this, an attacker requires local access and the ability to trigger module unloading while a work item is pending or executing. The race window occurs between the workqueue execution and the cleanup in mptlan_remove(), potentially leading to a use-after-free condition [1][2][3].
Successful exploitation could result in a denial of service (system crash) or, in some cases, privilege escalation if the freed memory is reallocated in a controlled manner. The official description does not detail exploitability but flags the risk [1][2][3].
The fix involves completing or canceling the workqueue before freeing the netdev, as implemented in the referenced stable kernel commits. Users should update to the latest stable kernel versions containing these patches [1][2][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (8)
92f869693d84, 60c8645ad6f5, 410e610a96c5, 697f92f8317e, e84282efc87f, 9c6da3b7f125, 48daa4a3015d, f486893288f3
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/410e610a96c52a7b41e2ab6c9ca60868d9acecce (nvd)
- git.kernel.org/stable/c/48daa4a3015d859ee424948844ce3c12f2fe44e6 (nvd)
- git.kernel.org/stable/c/60c8645ad6f5b722615383d595d63b62b07a13c3 (nvd)
- git.kernel.org/stable/c/697f92f8317e538d8409a0c95d6370eb40b34c05 (nvd)
- git.kernel.org/stable/c/92f869693d84e813895ff4d25363744575515423 (nvd)
- git.kernel.org/stable/c/9c6da3b7f12528cd52c458b33496a098b838fcfc (nvd)
- git.kernel.org/stable/c/e84282efc87f2414839f6e15c31b4daa34ebaac1 (nvd)
- git.kernel.org/stable/c/f486893288f3e9b171b836f43853a6426515d800 (nvd)