PT-2026-30149 · Linux · Linux

Published 2026-04-03 · Updated 2026-04-03 · CVE-2026-23454

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown
A potential race condition exists in mana_hwc_destroy_channel() where hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt handler to dereference freed memory, leading to a use-after-free or NULL pointer dereference in mana_hwc_handle_resp().
mana_smc_teardown_hwc() signals the hardware to stop but does not synchronize against IRQ handlers already executing on other CPUs. The IRQ synchronization only happens in mana_hwc_destroy_cq() via mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler() can dereference freed caller_ctx (and rxq->msg_buf) in mana_hwc_handle_resp().
Fix this by reordering teardown to reverse-of-creation order: destroy the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This ensures all in-flight interrupt handlers complete before the memory they access is freed.
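
The ordering problem described above can be checked with a small single-threaded userspace model, added here as an illustration; it is not code from the mana driver or from the fix. All names (`model_hwc`, `irq_fire`, `run_teardown`, `old_order`, `new_order`) are hypothetical, and the position of the work-queue step in `old_order` is an assumption, since the description only states that the free preceded CQ/EQ destruction.

```c
/* Userspace model added for illustration; not the mana driver's code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

enum step { STOP_HW, DESTROY_WQS, DESTROY_CQ_EQ, FREE_CALLER_CTX };

struct model_hwc {
    int *caller_ctx;   /* stands in for hwc->caller_ctx */
    bool irq_live;     /* handler can run until the EQ's IRQ is deregistered */
    int stale_hits;    /* handler runs that found caller_ctx already freed */
};

/* Models a CQ interrupt being handled on another CPU. */
static void irq_fire(struct model_hwc *h)
{
    if (!h->irq_live)
        return;
    if (!h->caller_ctx)
        h->stale_hits++;       /* the kernel would touch freed memory here */
    else
        (*h->caller_ctx)++;    /* normal response handling uses the context */
}

/* Runs the steps in order with an interrupt landing after each one. */
static int run_teardown(const enum step *order, size_t n)
{
    struct model_hwc h = { calloc(1, sizeof(int)), true, 0 };
    if (!h.caller_ctx) return -1;
    for (size_t i = 0; i < n; i++) {
        switch (order[i]) {
        case STOP_HW:        /* signal only: no wait for running handlers */
        case DESTROY_WQS:
            break;
        case DESTROY_CQ_EQ:  /* IRQ deregistered, in-flight handlers drained */
            h.irq_live = false;
            break;
        case FREE_CALLER_CTX:
            free(h.caller_ctx);
            h.caller_ctx = NULL;
            break;
        }
        irq_fire(&h);
    }
    free(h.caller_ctx);      /* no-op unless the order omitted the free step */
    return h.stale_hits;     /* 0 means no handler ran after the free */
}
/* Constructed orders; the DESTROY_WQS slot in old_order is an assumption. */
static const enum step old_order[] = { STOP_HW, FREE_CALLER_CTX, DESTROY_WQS, DESTROY_CQ_EQ };
static const enum step new_order[] = { STOP_HW, DESTROY_WQS, DESTROY_CQ_EQ, FREE_CALLER_CTX };
```

`run_teardown()` returns the number of modeled handler runs that found the context already freed, so any non-zero result marks an ordering in which the free precedes IRQ synchronization.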

Related Identifiers

CVE-2026-23454

Affected Products

Linux