scsi: aic94xx: fix use-after-free in device removal path

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The asd_pci_remove() function fails to synchronize with pending tasklets
before freeing the asd_ha structure, leading to a potential
use-after-free vulnerability.

When a device removal is triggered (via hot-unplug or module unload),
race condition can occur.

The fix adds tasklet_kill() before freeing the asd_ha structure,
ensuring all scheduled tasklets complete before cleanup proceeds.

Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/ME2PR01MB3156AB7DCACA206C845FC7E8AFFDA@ME2PR01MB3156.ausprd01.prod.outlook.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

authored by

Junrui Luo and committed by

Martin K. Petersen 4 months ago f6ab5946 d204087a

1 changed file

expand all

drivers

scsi

aic94xx

aic94xx_init.c

drivers/scsi/aic94xx/aic94xx_init.c

··· 882 882 883 883 asd_disable_ints(asd_ha); 884 884 885 + /* Ensure all scheduled tasklets complete before freeing resources */ 886 + tasklet_kill(&asd_ha->seq.dl_tasklet); 887 + 885 888 asd_remove_dev_attrs(asd_ha); 886 889 887 890 /* XXX more here as needed */