Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A use-after-free vulnerability has been identified in the Linux kernel's SCSI PM8001 driver, in the `pm8001_queue_command()` function. The root cause is a double free introduced by an earlier commit that refactored the command handling logic. When `pm8001_queue_command()` finds that the target device is no longer available, it frees the associated SAS task and then also returns an error code. The caller treats the error as "task not consumed" and frees the task itself, so the same `sas_task` is freed twice.
The second free acts on a `sas_task` that has already been returned to the slab allocator, i.e. a use-after-free. A kernel double free is a memory-corruption primitive that can in general be turned into arbitrary code execution, but the practical outcome here is usually a crash: with slab freelist hardening the second free may be detected and the kernel panics, and without it the corrupted freelist typically oopses soon afterwards. Either way the result is a denial of service. Note that the trigger requires a SAS device behind a PM8001 HBA to become unavailable while I/O is in flight, so an attacker needs local I/O to such a device rather than remote access.
To reproduce, issue I/O to a device attached through a PM8001 HBA while that device is in the 'phy down' or 'device gone' state, so that `pm8001_queue_command()` takes its device-not-ready error path. The function frees the task and still returns an error, and the caller then frees the task a second time.
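The ownership bug described above (callee frees the task and also signals failure, caller frees it again on failure) is shown below as an added, user-space model; it is not the kernel's code or the code in the fix commit. The names `sas_task`, `task_free`, `queue_command_buggy`, `queue_command_fixed` and `submit` are assumptions for illustration, and a tracking release is used instead of a real `free()` so the double free is counted rather than corrupting the heap. The fixed variant shows one of the two consistent contracts (on error, the callee does not touch the task and the caller remains its owner); the upstream commit chooses its own resolution.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical model of the ownership contract between a submit path and
 * its caller. Not the kernel's code; names are assumptions for illustration.
 */
struct sas_task {
    int dev_gone;   /* 1 = "phy down" / "device gone" */
    int freed;      /* tracking flag; a real free() would leave this undefined */
};

static int g_frees;         /* releases seen during the current scenario */
static int g_double_frees;  /* releases of an already-released task */

/* Tracking release: records a double free instead of corrupting the heap. */
static void task_free(struct sas_task *task)
{
    if (task->freed) {
        g_double_frees++;
        return;
    }
    task->freed = 1;
    g_frees++;
}

/* Buggy pattern: the callee releases the task AND reports failure. */
static int queue_command_buggy(struct sas_task *task)
{
    if (task->dev_gone) {
        task_free(task);    /* ownership consumed here... */
        return -ENODEV;     /* ...but the error code says "not consumed" */
    }
    return 0;               /* queued; the completion path owns it now */
}

/*
 * Fixed pattern: on error the task is left untouched and stays owned by
 * the caller. Exactly one side releases the task, and the return value
 * tells the caller which side that is.
 */
static int queue_command_fixed(struct sas_task *task)
{
    if (task->dev_gone)
        return -ENODEV;     /* nothing released; caller still owns the task */
    return 0;
}

/* Generic caller role: non-zero return means "you still own the task". */
static int submit(struct sas_task *task, int (*queue)(struct sas_task *))
{
    int rc = queue(task);

    if (rc) {
        task_free(task);
        return rc;
    }
    return 0;
}

/* Run one scenario against a gone device; returns the double-free count. */
static int run_gone_device(int (*queue)(struct sas_task *))
{
    struct sas_task *task = calloc(1, sizeof(*task));
    int doubles;

    if (!task)
        return -1;
    task->dev_gone = 1;
    g_frees = 0;
    g_double_frees = 0;
    (void)submit(task, queue);
    doubles = g_double_frees;
    free(task);             /* release the tracking object itself */
    return doubles;
}

/* Number of single releases observed in the last scenario. */
static int last_free_count(void)
{
    return g_frees;
}

int main(void)
{
    int d;

    d = run_gone_device(queue_command_buggy);
    printf("buggy: double frees = %d\n", d);
    d = run_gone_device(queue_command_fixed);
    printf("fixed: double frees = %d, frees = %d\n", d, last_free_count());
    return 0;
}
```

The buggy scenario reports one double free; the fixed scenario reports none and exactly one release, performed by the caller. The same invariant is what a reviewer should check in any error path that touches a caller-supplied object: either the callee consumes it and returns success, or it leaves it alone and returns failure, never both.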
Users can apply the patch from upstream commit 38353c26db28efd984f51d426eac2396d299cca7, or update to a kernel release that includes it. On a kernel source tree, `git merge-base --is-ancestor 38353c26db28efd984f51d426eac2396d299cca7 HEAD` returns 0 when the fix is present.