{"id":"CVE-2023-54270","summary":"media: usb: siano: Fix use after free bugs caused by do_submit_urb","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usb: siano: Fix use after free bugs caused by do_submit_urb\n\nThere are UAF bugs caused by do_submit_urb(). One of the KASan reports\nis shown below:\n\n[   36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890\n[   36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49\n[   36.408316]\n[   36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237ad1d4-dir8\n[   36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584\n[   36.416157] Workqueue:  0x0 (events)\n[   36.417654] Call Trace:\n[   36.418546]  \u003cTASK\u003e\n[   36.419320]  dump_stack_lvl+0x96/0xd0\n[   36.420522]  print_address_description+0x75/0x350\n[   36.421992]  print_report+0x11b/0x250\n[   36.423174]  ? _raw_spin_lock_irqsave+0x87/0xd0\n[   36.424806]  ? __virt_addr_valid+0xcf/0x170\n[   36.426069]  ? worker_thread+0x4a2/0x890\n[   36.427355]  kasan_report+0x131/0x160\n[   36.428556]  ? worker_thread+0x4a2/0x890\n[   36.430053]  worker_thread+0x4a2/0x890\n[   36.431297]  ? worker_clr_flags+0x90/0x90\n[   36.432479]  kthread+0x166/0x190\n[   36.433493]  ? kthread_blkcg+0x50/0x50\n[   36.434669]  ret_from_fork+0x22/0x30\n[   36.435923]  \u003c/TASK\u003e\n[   36.436684]\n[   36.437215] Allocated by task 24:\n[   36.438289]  kasan_set_track+0x50/0x80\n[   36.439436]  __kasan_kmalloc+0x89/0xa0\n[   36.440566]  smsusb_probe+0x374/0xc90\n[   36.441920]  usb_probe_interface+0x2d1/0x4c0\n[   36.443253]  really_probe+0x1d5/0x580\n[   36.444539]  __driver_probe_device+0xe3/0x130\n[   36.446085]  driver_probe_device+0x49/0x220\n[   36.447423]  __device_attach_driver+0x19e/0x1b0\n[   36.448931]  bus_for_each_drv+0xcb/0x110\n[   36.450217]  __device_attach+0x132/0x1f0\n[   36.451470]  bus_probe_device+0x59/0xf0\n[   36.452563]  device_add+0x4ec/0x7b0\n[   36.453830]  usb_set_configuration+0xc63/0xe10\n[   36.455230]  usb_generic_driver_probe+0x3b/0x80\n[   36.456166] printk: console [ttyGS0] disabled\n[   36.456569]  usb_probe_device+0x90/0x110\n[   36.459523]  really_probe+0x1d5/0x580\n[   36.461027]  __driver_probe_device+0xe3/0x130\n[   36.462465]  driver_probe_device+0x49/0x220\n[   36.463847]  __device_attach_driver+0x19e/0x1b0\n[   36.465229]  bus_for_each_drv+0xcb/0x110\n[   36.466466]  __device_attach+0x132/0x1f0\n[   36.467799]  bus_probe_device+0x59/0xf0\n[   36.469010]  device_add+0x4ec/0x7b0\n[   36.470125]  usb_new_device+0x863/0xa00\n[   36.471374]  hub_event+0x18c7/0x2220\n[   36.472746]  process_one_work+0x34c/0x5b0\n[   36.474041]  worker_thread+0x4b7/0x890\n[   36.475216]  kthread+0x166/0x190\n[   36.476267]  ret_from_fork+0x22/0x30\n[   36.477447]\n[   36.478160] Freed by task 24:\n[   36.479239]  kasan_set_track+0x50/0x80\n[   36.480512]  kasan_save_free_info+0x2b/0x40\n[   36.481808]  ____kasan_slab_free+0x122/0x1a0\n[   36.483173]  __kmem_cache_free+0xc4/0x200\n[   36.484563]  smsusb_term_device+0xcd/0xf0\n[   36.485896]  smsusb_probe+0xc85/0xc90\n[   36.486976]  usb_probe_interface+0x2d1/0x4c0\n[   36.488303]  really_probe+0x1d5/0x580\n[   36.489498]  __driver_probe_device+0xe3/0x130\n[   36.491140]  driver_probe_device+0x49/0x220\n[   36.492475]  __device_attach_driver+0x19e/0x1b0\n[   36.493988]  bus_for_each_drv+0xcb/0x110\n[   36.495171]  __device_attach+0x132/0x1f0\n[   36.496617]  bus_probe_device+0x59/0xf0\n[   36.497875]  device_add+0x4ec/0x7b0\n[   36.498972]  usb_set_configuration+0xc63/0xe10\n[   36.500264]  usb_generic_driver_probe+0x3b/0x80\n[   36.501740]  usb_probe_device+0x90/0x110\n[   36.503084]  really_probe+0x1d5/0x580\n[   36.504241]  __driver_probe_device+0xe3/0x130\n[   36.505548]  driver_probe_device+0x49/0x220\n[   36.506766]  __device_attach_driver+0x19e/0x1b0\n[   36.508368]  bus_for_each_drv+0xcb/0x110\n[   36.509646]  __device_attach+0x132/0x1f0\n[   36.510911]  bus_probe_device+0x59/0xf0\n[   36.512103]  device_add+0x4ec/0x7b0\n[   36.513215]  usb_new_device+0x863/0xa00\n[   36.514736]  hub_event+0x18c7/0x2220\n[   36.516130]  process_one_work+\n---truncated---","modified":"2026-03-20T12:33:31.712666Z","published":"2025-12-30T12:16:00.990Z","related":["SUSE-SU-2026:0263-1","SUSE-SU-2026:0316-1","SUSE-SU-2026:0317-1","SUSE-SU-2026:0350-1","SUSE-SU-2026:0369-1","SUSE-SU-2026:0411-1","SUSE-SU-2026:0617-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54270.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/114f768e7314ca9e1fdbebe11267c4403e89e7f2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1477b00ff582970df110fc9e15a5e2021acb9222"},{"type":"WEB","url":"https://git.kernel.org/stable/c/19aadf0eb70edae7180285dbb9bfa237d1ddb34d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/42f8ba8355682f6c4125b75503cac0cef4ac91d3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/479796534a450fd44189080d51bebefa3b42c6fc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a41bb59eff7a58a6772f84a5b70ad7ec26dad074"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c379272ea9c2ee36f0a1327b0fb8889c975093f7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ebad8e731c1c06adf04621d6fd327b860c0861b5"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54270.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-54270"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"dd47fbd40e6ea6884e295e13a2e50b0894258fdf"},{"fixed":"c379272ea9c2ee36f0a1327b0fb8889c975093f7"},{"fixed":"1477b00ff582970df110fc9e15a5e2021acb9222"},{"fixed":"a41bb59eff7a58a6772f84a5b70ad7ec26dad074"},{"fixed":"42f8ba8355682f6c4125b75503cac0cef4ac91d3"},{"fixed":"114f768e7314ca9e1fdbebe11267c4403e89e7f2"},{"fixed":"479796534a450fd44189080d51bebefa3b42c6fc"},{"fixed":"19aadf0eb70edae7180285dbb9bfa237d1ddb34d"},{"fixed":"ebad8e731c1c06adf04621d6fd327b860c0861b5"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54270.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.6.0"},{"fixed":"4.14.308"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.15.0"},{"fixed":"4.19.276"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.20.0"},{"fixed":"5.4.235"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.173"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.99"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.16"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.2.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54270.json"}}],"schema_version":"1.7.5"}