Description
In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsit: Free cmds before session free Commands from recovery entries are freed after session has been closed. That leads to use-after-free at command free or NPE with such call trace: Time2Retain timer expired for SID: 1, cleaning up iSCSI session. BUG: kernel NULL pointer dereference, address: 0000000000000140 RIP: 0010:sbitmap_queue_clear+0x3a/0xa0 Call Trace: target_release_cmd_kref+0xd1/0x1f0 [target_core_mod] transport_generic_free_cmd+0xd1/0x180 [target_core_mod] iscsit_free_cmd+0x53/0xd0 [iscsi_target_mod] iscsit_free_connection_recovery_entries+0x29d/0x320 [iscsi_target_mod] iscsit_close_session+0x13a/0x140 [iscsi_target_mod] iscsit_check_post_dataout+0x440/0x440 [iscsi_target_mod] call_timer_fn+0x24/0x140 Move cleanup of recovery enrties to before session freeing.
Product status
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 89f5055f9b0b57c7e7f02e32df95ef401f809b71
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 4621e24c9257c6379343bf0c11b473817cf7edcd
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 1911cca5916b6e106de7afa3ec0a38447158216c
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before a7a4def6c7046e090bb10c6d550fdeb487db98ba
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 4ce221d295f53e6c6b835ab33181e735482c9aac
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before d8990b5a4d065f38f35d69bcd627ec5a7f8330ca
5.4.244 (semver)
5.10.181 (semver)
5.15.113 (semver)
6.1.30 (semver)
6.3.4 (semver)
6.4 (original_commit_for_fix)
References
git.kernel.org/...c/89f5055f9b0b57c7e7f02e32df95ef401f809b71
git.kernel.org/...c/4621e24c9257c6379343bf0c11b473817cf7edcd
git.kernel.org/...c/1911cca5916b6e106de7afa3ec0a38447158216c
git.kernel.org/...c/a7a4def6c7046e090bb10c6d550fdeb487db98ba
git.kernel.org/...c/4ce221d295f53e6c6b835ab33181e735482c9aac
git.kernel.org/...c/d8990b5a4d065f38f35d69bcd627ec5a7f8330ca
Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.
