In the Linux kernel, the following vulnerability has been resolved:
net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown
A potential race condition exists in mana_hwc_destroy_channel() where hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt handler to dereference freed memory, leading to a use-after-free or NULL pointer dereference in mana_hwc_handle_resp().
mana_smc_teardown_hwc() signals the hardware to stop but does not synchronize against IRQ handlers already executing on other CPUs. The IRQ synchronization only happens in mana_hwc_destroy_cq() via mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler() can dereference freed caller_ctx (and rxq->msg_buf) in mana_hwc_handle_resp().
Fix this by reordering teardown to reverse-of-creation order: destroy the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This ensures all in-flight interrupt handlers complete before the memory they access is freed.
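The ordering argument above, as an added single-threaded model in C; it is not code from the mana driver or the fix commit. All names (`struct channel`, `destroy_eq`, `free_ctx`, `teardown`) are hypothetical, the "other CPU" is represented by a `handler_in_flight` flag, and `kfree()` is modelled by a `freed` marker so the stale access can be counted safely.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for the context the handler dereferences. */
struct caller_ctx { bool freed; };      /* 'freed' models kfree() having run */

struct channel {
    struct caller_ctx *caller_ctx;
    bool irq_registered;     /* EQ/CQ interrupt still wired up */
    bool handler_in_flight;  /* a handler already started on another CPU */
    int  stale_accesses;     /* times the handler touched freed/NULL ctx */
};

/* Remainder of the response handler: this is where caller_ctx is used. */
static void handler_finish(struct channel *ch)
{
    if (!ch->handler_in_flight)
        return;
    if (ch->caller_ctx == NULL || ch->caller_ctx->freed)
        ch->stale_accesses++;            /* would be a UAF or NULL deref */
    ch->handler_in_flight = false;
}

/* Models EQ destruction: deregister the IRQ, then wait for any handler
 * that is still running (the synchronization step the text describes). */
static void destroy_eq(struct channel *ch)
{
    ch->irq_registered = false;
    handler_finish(ch);
}

/* Models kfree(hwc->caller_ctx) without releasing real memory. */
static void free_ctx(struct channel *ch) { ch->caller_ctx->freed = true; }

/* Runs one teardown with a handler already in flight and returns how
 * many stale accesses that handler made. */
int teardown(bool free_ctx_first)
{
    struct caller_ctx ctx = { .freed = false };
    struct channel ch = { &ctx, true, true, 0 };

    if (free_ctx_first) {        /* order described as vulnerable */
        free_ctx(&ch);
        destroy_eq(&ch);
    } else {                     /* reverse-of-creation order (the fix) */
        destroy_eq(&ch);
        free_ctx(&ch);
    }
    return ch.stale_accesses;
}
```

`teardown(true)` reports one stale access and `teardown(false)` reports none, because in the second order the handler has already drained by the time the context is released.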
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23454.json",
"cna_assigner": "Linux"
}