{"id":"CVE-2023-54026","summary":"opp: Fix use-after-free in lazy_opp_tables after probe deferral","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nopp: Fix use-after-free in lazy_opp_tables after probe deferral\n\nWhen dev_pm_opp_of_find_icc_paths() in _allocate_opp_table() returns\n-EPROBE_DEFER, the opp_table is freed again, to wait until all the\ninterconnect paths are available.\n\nHowever, if the OPP table is using required-opps then it may already\nhave been added to the global lazy_opp_tables list. The error path\ndoes not remove the opp_table from the list again.\n\nThis can cause crashes later when the provider of the required-opps\nis added, since we will iterate over OPP tables that have already been\nfreed. E.g.:\n\n  Unable to handle kernel NULL pointer dereference when read\n  CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.4.0-rc3\n  PC is at _of_add_opp_table_v2 (include/linux/of.h:949\n  drivers/opp/of.c:98 drivers/opp/of.c:344 drivers/opp/of.c:404\n  drivers/opp/of.c:1032) -\u003e lazy_link_required_opp_table()\n\nFix this by calling _of_clear_opp_table() to remove the opp_table from\nthe list and clear other allocated resources. While at it, also add the\nmissing mutex_destroy() calls in the error path.","modified":"2026-04-02T09:45:30.335626Z","published":"2025-12-24T10:55:55.182Z","related":["SUSE-SU-2026:0263-1","SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:0317-1","SUSE-SU-2026:0411-1","SUSE-SU-2026:0617-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54026.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/39a0e723d3502f6dc4c603f57ebe8dc7bcc4a4bc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/76ab057de777723ec924654502d1a260ba7d7d54"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b2a2ab039bd58f51355e33d7d3fc64605d7f870d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c05e76d6b249e5254c31994eedd06dd3cc90dee0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54026.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-54026"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7eba0c7641b0009818e469dbfcdd87a0155ab9d4"},{"fixed":"39a0e723d3502f6dc4c603f57ebe8dc7bcc4a4bc"},{"fixed":"76ab057de777723ec924654502d1a260ba7d7d54"},{"fixed":"c05e76d6b249e5254c31994eedd06dd3cc90dee0"},{"fixed":"b2a2ab039bd58f51355e33d7d3fc64605d7f870d"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54026.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.12.0"},{"fixed":"5.15.121"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.40"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.4.5"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54026.json"}}],"schema_version":"1.7.5"}