net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-43232
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-05-06 12:16:43 UTC
Updated2026-05-06 13:07:51 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets When the FarSync T-series card is being detached, the fst_card_info is deallocated in fst_remove_one(). However, the fst_tx_task or fst_int_task may still be running or pending, leading to use-after-free bugs when the already freed fst_card_info is accessed in fst_process_tx_work_q() or fst_process_int_work_q(). A typical race condition is depicted below: CPU 0 (cleanup) | CPU 1 (tasklet) | fst_start_xmit() fst_remove_one() | tasklet_schedule() unregister_hdlc_device()| | fst_process_tx_work_q() //handler kfree(card) //free | do_bottom_half_tx() | card-> //use The following KASAN trace was captured: ================================================================== BUG: KASAN: slab-use-after-free in do_bottom_half_tx+0xb88/0xd00 Read of size 4 at addr ffff88800aad101c by task ksoftirqd/3/32 ... Call Trace: <IRQ> dump_stack_lvl+0x55/0x70 print_report+0xcb/0x5d0 ? do_bottom_half_tx+0xb88/0xd00 kasan_report+0xb8/0xf0 ? do_bottom_half_tx+0xb88/0xd00 do_bottom_half_tx+0xb88/0xd00 ? _raw_spin_lock_irqsave+0x85/0xe0 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? __pfx___hrtimer_run_queues+0x10/0x10 fst_process_tx_work_q+0x67/0x90 tasklet_action_common+0x1fa/0x720 ? hrtimer_interrupt+0x31f/0x780 handle_softirqs+0x176/0x530 __irq_exit_rcu+0xab/0xe0 sysvec_apic_timer_interrupt+0x70/0x80 ... Allocated by task 41 on cpu 3 at 72.330843s: kasan_save_stack+0x24/0x50 kasan_save_track+0x17/0x60 __kasan_kmalloc+0x7f/0x90 fst_add_one+0x1a5/0x1cd0 local_pci_probe+0xdd/0x190 pci_device_probe+0x341/0x480 really_probe+0x1c6/0x6a0 __driver_probe_device+0x248/0x310 driver_probe_device+0x48/0x210 __device_attach_driver+0x160/0x320 bus_for_each_drv+0x101/0x190 __device_attach+0x198/0x3a0 device_initial_probe+0x78/0xa0 pci_bus_add_device+0x81/0xc0 pci_bus_add_devices+0x7e/0x190 enable_slot+0x9b9/0x1130 acpiphp_check_bridge.part.0+0x2e1/0x460 acpiphp_hotplug_notify+0x36c/0x3c0 acpi_device_hotplug+0x203/0xb10 acpi_hotplug_work_fn+0x59/0x80 ... Freed by task 41 on cpu 1 at 75.138639s: kasan_save_stack+0x24/0x50 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kfree+0x135/0x410 fst_remove_one+0x2ca/0x540 pci_device_remove+0xa6/0x1d0 device_release_driver_internal+0x364/0x530 pci_stop_bus_device+0x105/0x150 pci_stop_and_remove_bus_device+0xd/0x20 disable_slot+0x116/0x260 acpiphp_disable_and_eject_slot+0x4b/0x190 acpiphp_hotplug_notify+0x230/0x3c0 acpi_device_hotplug+0x203/0xb10 acpi_hotplug_work_fn+0x59/0x80 ... The buggy address belongs to the object at ffff88800aad1000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 28 bytes inside of freed 1024-byte region The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaad0 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x100000000000040(head|node=0|zone=1) page_type: f5(slab) raw: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000 head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 0100000000000003 ffffea00002ab401 00000000ffffffff 00000000ffffffff head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800aad0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88800aad0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88800aad1000: fa fb ---truncated---

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 51e2d1b84acac39f79cacb60e6e154ce00a9d308 cac048ebfbb92d91d719f74b59177cb70a7633b8 git Not specified
CNA Linux Linux affected 998b4e54f517961d3d75144c088a24423e003005 086131807d119238cd464e5b0845e48d938dfd79 git Not specified
CNA Linux Linux affected bb1715a6bfb0c57a68524732a376498a2569f016 ae894e47e1cd5a6bf8a0423d888c45df8b2b02dc git Not specified
CNA Linux Linux affected 2f623aaf9f31de968dea6169849706a2f9be444c 337d7b4112a47984ee319171b75b73bab47e7924 git Not specified
CNA Linux Linux affected 2f623aaf9f31de968dea6169849706a2f9be444c 200bdb8d367ca9b478f9c56ebe56411604d55c81 git Not specified
CNA Linux Linux affected 2f623aaf9f31de968dea6169849706a2f9be444c 21d341fe514fd07e345ed264c9eee21cb2061ca2 git Not specified
CNA Linux Linux affected 2f623aaf9f31de968dea6169849706a2f9be444c 04edfdfdfcdefc02408ab670607261b0a0a9a02e git Not specified
CNA Linux Linux affected 2f623aaf9f31de968dea6169849706a2f9be444c bae8a5d2e759da2e0cba33ab2080deee96a09373 git Not specified
CNA Linux Linux affected 41798a063fd4721b609e11ad839b6820f5070ca7 git Not specified
CNA Linux Linux affected b1fe377b43c405b169cffd1b3aa39c1dde16f3ed git Not specified
CNA Linux Linux affected ce9dc768767bbe73d2dd330a9075e849cb8a84d4 git Not specified
CNA Linux Linux affected 0c5f2c7700cb18aeab1574588d3bb9c0454bf228 git Not specified
CNA Linux Linux affected 024d2a7c8ee5bfe14357f20cf1bbbbcc5d228cc9 git Not specified
CNA Linux Linux affected 6.2 Not specified
CNA Linux Linux unaffected 6.2 semver Not specified
CNA Linux Linux unaffected 5.10.252 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.202 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.165 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.128 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.75 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.16 6.18.* semver Not specified
CNA Linux Linux unaffected 6.19.6 6.19.* semver Not specified
CNA Linux Linux unaffected 7.0 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/21d341fe514fd07e345ed264c9eee21cb2061ca2 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/bae8a5d2e759da2e0cba33ab2080deee96a09373 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/04edfdfdfcdefc02408ab670607261b0a0a9a02e 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/cac048ebfbb92d91d719f74b59177cb70a7633b8 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/200bdb8d367ca9b478f9c56ebe56411604d55c81 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/ae894e47e1cd5a6bf8a0423d888c45df8b2b02dc 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/086131807d119238cd464e5b0845e48d938dfd79 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/337d7b4112a47984ee319171b75b73bab47e7924 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report