Linux Kernel Use-After-Free Vulnerability in SCSI MPT LAN Driver

A use-after-free vulnerability has been identified in the Linux kernel's SCSI message MPT LAN driver. This issue arises in the 'mptlan_remove()' function due to a race condition. When the driver is unloaded, the 'mptlan_remove()' function can free the network device while another CPU is still using it, leading to potential memory corruption. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability can lead to memory corruption, allowing for a use-after-free condition that could be exploited to execute arbitrary code or cause a denial-of-service.

Reproduction

The vulnerability can be reproduced by loading the MPT LAN driver, which initializes a workqueue task. If the driver is then unloaded while the workqueue task is still processing, the 'mptlan_remove()' function will free the network device before the task has completed, creating a race condition. This can be automated with a script that loads the driver, starts the workqueue task, and then unloads the driver before the task finishes.

Remediation

Users can apply the patch included in the upstream commit 'f486893288f3e9b171b836f43853a6426515d800' to address this vulnerability.