Linux Kernel Use-After-Free Vulnerability in SCSI aic94xx Driver

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's SCSI aic94xx driver. The issue is in the device removal path: asd_pci_remove() does not synchronize with pending tasklets before freeing the asd_ha structure. This creates a race condition in which a tasklet that is still pending can run against asd_ha after it has been freed. The vulnerability is present in several versions of the Linux kernel.
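The ordering problem described above, as an added userspace model in C (not the driver's code and not the upstream patch). All names are hypothetical, the "freed" flag stands in for kfree() so the model stays well defined, and the synchronizing step stands in for a primitive such as the kernel's tasklet_kill(); the page does not say which call the fix uses.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for a per-adapter structure that owns one tasklet. */
struct model_ha {
    bool freed;            /* models kfree(); memory is kept so reads stay defined */
    bool tasklet_pending;  /* set on interrupt, cleared when the tasklet runs */
    int  completions;      /* state the tasklet body updates */
};

/* Interrupt path: schedule deferred work that will touch ha later. */
static void model_irq(struct model_ha *ha) { ha->tasklet_pending = true; }

/* Softirq path: run the tasklet if pending; true means it touched a freed object. */
static bool model_run_softirq(struct model_ha *ha)
{
    if (!ha->tasklet_pending)
        return false;
    ha->tasklet_pending = false;
    if (ha->freed)
        return true;       /* in the kernel this access is the use-after-free */
    ha->completions++;
    return false;
}

/* Remove path: sync=false frees immediately, sync=true drains pending work first. */
static void model_remove(struct model_ha *ha, bool sync)
{
    if (sync)
        (void)model_run_softirq(ha);   /* assumed equivalent of tasklet_kill() */
    ha->freed = true;
}

/* Replays interrupt -> remove -> softirq and reports whether freed state was used. */
static bool replay_hits_freed(bool sync)
{
    struct model_ha ha = { false, false, 0 };
    model_irq(&ha);
    model_remove(&ha, sync);
    return model_run_softirq(&ha);
}

int main(void)
{
    printf("remove without sync: freed object touched = %d\n", replay_hits_freed(false));
    printf("remove with sync:    freed object touched = %d\n", replay_hits_freed(true));
    return 0;
}
```

In a real driver the device's interrupts also have to be quiesced before the drain, otherwise the tasklet can be rescheduled between the drain and the free.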

Impact

A tasklet that runs after asd_ha has been freed operates on freed memory. This use-after-free condition may be exploited to execute arbitrary code or to cause a denial of service by crashing the system.

Reproduction

To reproduce this vulnerability, remove a device using the SCSI aic94xx driver while tasklets are still pending. This can be done by hot-unplugging the device or unloading the module, which will trigger the asd_pci_remove() function. The lack of synchronization with the pending tasklets will create a race condition, leading to the use-after-free vulnerability.

Remediation

The vulnerability has been fixed in the Linux kernel stable tree. Users can apply the latest updates from the Linux kernel stable repository to address this issue.

Added: Jan 13, 2026, 5:01 PM
Updated: Jan 13, 2026, 5:01 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.