CVE-2025-68371
Description
In the Linux kernel, the following vulnerability has been resolved:
scsi: smartpqi: Fix device resources accessed after device removal
Correct possible race conditions during device removal.
Previously, a scheduled work item to reset a LUN could still execute after the device was removed, leading to use-after-free and other resource access issues.
This race condition occurs because the abort handler may schedule a LUN reset concurrently with device removal via sdev_destroy(), leading to use-after-free and improper access to freed resources.
- Check in the device reset handler if the device is still present in the controller's SCSI device list before running; if not, the reset is skipped.
- Cancel any pending TMF work that has not started in sdev_destroy().
- Ensure device freeing in sdev_destroy() is done while holding the LUN reset mutex to avoid races with ongoing resets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel vulnerability in the smartpqi driver allows use-after-free when a LUN reset work item executes after device removal.
Vulnerability
A race condition exists in the Linux kernel's smartpqi SCSI driver where a scheduled work item to reset a LUN can execute after the device has already been removed. This occurs because the root cause is that the abort handler may schedule a LUN reset concurrently with sdev_destroy(), leading to use-after-free and improper access to freed resources [1].
Exploitation
An attacker with local access and the ability to trigger device removal (e.g., via hot-unplug or driver unbind) while a LUN reset is pending could exploit this race. No special privileges beyond those needed to manage SCSI devices are required, but the attack window is narrow and depends on timing [1].
Impact
Successful exploitation results in use-after-free of device structures, which can lead to system memory corruption, denial of service (kernel panic), or potentially arbitrary code execution in kernel context [1].
Mitigation
The fix introduces three safeguards: checking device presence in the controller's SCSI device list before running a reset, canceling pending TMF work in sdev_destroy(), and holding the LUN reset mutex during device freeing to serialize with ongoing resets [1]. The patch has been applied to the stable kernel tree.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- git.kernel.org/stable/c/1a5c5a2f88e839af5320216a02ffb075b668596anvd
- git.kernel.org/stable/c/4e1acf1b6dd6dd0495bda139daafd7a403ae2dc1nvd
- git.kernel.org/stable/c/6d2390653d82cad0e1ba2676e536dd99678f6ef1nvd
- git.kernel.org/stable/c/7dfa5a5516ec3c6b9b6c22ee18f0eb2df3f38ef2nvd
- git.kernel.org/stable/c/b518e86d1a70a88f6592a7c396cf1b93493d1aabnvd
- git.kernel.org/stable/c/eccc02ba1747501d92bb2049e3ce378ba372f641nvd
News mentions
0No linked articles in our index yet.