CVE-2026-23454

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown<br /> <br /> A potential race condition exists in mana_hwc_destroy_channel() where<br /> hwc-&gt;caller_ctx is freed before the HWC&amp;#39;s Completion Queue (CQ) and<br /> Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt<br /> handler to dereference freed memory, leading to a use-after-free or<br /> NULL pointer dereference in mana_hwc_handle_resp().<br /> <br /> mana_smc_teardown_hwc() signals the hardware to stop but does not<br /> synchronize against IRQ handlers already executing on other CPUs. The<br /> IRQ synchronization only happens in mana_hwc_destroy_cq() via<br /> mana_gd_destroy_eq() -&gt; mana_gd_deregister_irq(). Since this runs<br /> after kfree(hwc-&gt;caller_ctx), a concurrent mana_hwc_rx_event_handler()<br /> can dereference freed caller_ctx (and rxq-&gt;msg_buf) in<br /> mana_hwc_handle_resp().<br /> <br /> Fix this by reordering teardown to reverse-of-creation order: destroy<br /> the TX/RX work queues and CQ/EQ before freeing hwc-&gt;caller_ctx. This<br /> ensures all in-flight interrupt handlers complete before the memory they<br /> access is freed.