Linux Kernel SCSI SmartPQI Race Condition Vulnerability Leading to Use-After-Free

Vulnerability

A race condition has been identified in the Linux kernel's SCSI SmartPQI driver that can lead to a use-after-free. The issue arises during the removal of a SCSI device: a work item scheduled to reset a Logical Unit Number (LUN) can still run after the device has been removed. The race occurs because the abort handler may schedule a LUN reset at the same time as the device is being removed, so the reset then accesses resources that have already been freed. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability can lead to use-after-free conditions, allowing for potential memory corruption or execution of arbitrary code.

Reproduction

To reproduce this vulnerability, remove a SCSI device while a LUN reset is scheduled to occur. This can be done by initiating a device removal process through the sysfs interface, while simultaneously triggering an abort operation that schedules a LUN reset. The race condition will result in the LUN reset being processed after the device has been removed, causing a use-after-free error.

Remediation

The vulnerability has been addressed in the Linux kernel by adding a check to the device reset handler that verifies the device is still present before executing a reset. Additionally, any pending Task Management Function (TMF) work that has not yet started is cancelled during the device removal process.
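The two-part fix described above, as an added userspace model that is not the smartpqi driver's own code: the reset handler re-resolves its target from the controller's device table and bails out if the device is gone, and device removal cancels queued TMF work before unlinking and freeing the device. All names (dev_model, tmf_work, ctrl_model, the id-based lookup) are hypothetical and the device ids are constructed.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model with hypothetical names (not smartpqi's real structures):
 * a controller owns a device table; a LUN-reset TMF is queued as a work item
 * that names its target by id and is run later by a worker. */
struct dev_model { int id; int resets_done; };
struct tmf_work { int target_id; bool cancelled; };
struct ctrl_model { struct dev_model *devs[4]; struct tmf_work queue[8]; int queued; };

struct dev_model *add_dev(struct ctrl_model *c, int slot, int id) {
    struct dev_model *d = calloc(1, sizeof *d);
    d->id = id;
    return c->devs[slot] = d;
}
/* Re-resolve the target from the table instead of trusting a captured pointer. */
static struct dev_model *find_dev(struct ctrl_model *c, int id) {
    for (int i = 0; i < 4; i++)
        if (c->devs[i] && c->devs[i]->id == id) return c->devs[i];
    return NULL;
}
/* Abort-handler path: queue a LUN reset for the device. */
void schedule_lun_reset(struct ctrl_model *c, int id) {
    if (c->queued < 8) c->queue[c->queued++] = (struct tmf_work){ .target_id = id };
}
/* Reset handler, hardened: act only if the device is still present. */
int lun_reset_handler(struct ctrl_model *c, const struct tmf_work *w) {
    struct dev_model *d = find_dev(c, w->target_id);
    if (!d) return -1;            /* device already removed: bail out */
    d->resets_done++;
    return 0;
}
/* Removal, hardened: cancel TMF work that has not started (stands in for
 * cancel_work_sync()), unlink so lookups fail, then free. */
void remove_dev(struct ctrl_model *c, int slot) {
    struct dev_model *d = c->devs[slot];
    if (!d) return;
    for (int i = 0; i < c->queued; i++)
        if (c->queue[i].target_id == d->id) c->queue[i].cancelled = true;
    c->devs[slot] = NULL;
    free(d);
}
/* Worker: drain the queue; return how many resets reached a device. */
int run_pending_work(struct ctrl_model *c) {
    int ran = 0;
    for (int i = 0; i < c->queued; i++)
        if (!c->queue[i].cancelled && lun_reset_handler(c, &c->queue[i]) == 0) ran++;
    c->queued = 0;
    return ran;
}
```

Replaying the advisory's ordering (reset queued, device removed, worker runs) shows the queued reset is dropped by the cancel, and a reset that slipped past the cancel is stopped by the presence check.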

Added: Dec 24, 2025, 12:05 PM
Updated: Dec 24, 2025, 12:05 PM

Vulnerability Rating

Custom Algorithm
spread:         9.0
impact:         0.6
exploitability: 5.3
remediation:    7.7
relevance:      1.7
threat:         4.8
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.