In the Linux kernel, the following vulnerability has been resolved:
scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task
Currently a use-after-free may occur if a sas_task is aborted by the upper layer before we handle the I/O completion in mpi_ssp_completion() or mpi_sata_completion().
In this case, the following are the two steps in handling those I/O completions:
- Call complete() to inform the upper layer handler of completion of the I/O.
- Release driver resources associated with the sas_task in the pm8001_ccb_task_free() call.
When complete() is called, the upper layer may free the sas_task. As such, we should not touch the associated sas_task afterwards, but we do so in the pm8001_ccb_task_free() call.
Fix by swapping the ordering of the complete() and pm8001_ccb_task_free() calls.
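The ordering defect described above, modelled as an added example that is not the pm8001 driver's code: the struct names, the `released` flag and the `late_accesses` counter are hypothetical stand-ins for the kernel's sas_task, the driver's ccb and the upper layer freeing the task, so the pre-fix and post-fix call orders can be compared without triggering real undefined behaviour.

```c
/* Hypothetical, simplified stand-ins for the kernel's sas_task and the
 * driver's per-command ccb; not the pm8001 driver's own definitions. */
struct sas_task {
    int released;          /* set once the upper layer has released the task */
};

struct pm8001_ccb_info {
    struct sas_task *task; /* the command this ccb was issued for */
};

static int late_accesses; /* accesses to a task the upper layer already released */
/* Stand-in for complete(): the upper layer may free the sas_task here; we only
 * flag it as released so the demonstration stays defined behaviour. */
static void complete_task(struct sas_task *task)
{
    task->released = 1;
}

/* Stand-in for pm8001_ccb_task_free(): follows ccb->task into the sas_task. */
static void ccb_task_free(struct pm8001_ccb_info *ccb)
{
    struct sas_task *task = ccb->task;
    if (task->released)
        late_accesses++;   /* the use-after-free in the pre-fix driver */
    ccb->task = 0;
}

/* Pre-fix ordering: notify the upper layer first, then touch the task. */
int complete_then_free(void)
{
    struct sas_task task = { 0 };
    struct pm8001_ccb_info ccb = { &task };
    late_accesses = 0;
    complete_task(ccb.task);
    ccb_task_free(&ccb);
    return late_accesses;  /* 1 */
}

/* Post-fix ordering: release driver resources while the task is still valid,
 * then hand it to the upper layer and never touch it again. */
int free_then_complete(void)
{
    struct sas_task task = { 0 };
    struct pm8001_ccb_info ccb = { &task };
    struct sas_task *t = ccb.task; /* saved before ccb_task_free() clears it */
    late_accesses = 0;
    ccb_task_free(&ccb);
    complete_task(t);
    return late_accesses;  /* 0 */
}
```

The same pattern applies to any completion callback that may hand an object back to its owner: every driver-side access to that object has to happen before the callback, not after it.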