Description
In the Linux kernel, the following vulnerability has been resolved: scsi: imm: Fix use-after-free bug caused by unfinished delayed work The delayed work item 'imm_tq' is initialized in imm_attach() and scheduled via imm_queuecommand() for processing SCSI commands. When the IMM parallel port SCSI host adapter is detached through imm_detach(), the imm_struct device instance is deallocated. However, the delayed work might still be pending or executing when imm_detach() is called, leading to use-after-free bugs when the work function imm_interrupt() accesses the already freed imm_struct memory. The race condition can occur as follows: CPU 0(detach thread) | CPU 1 | imm_queuecommand() | imm_queuecommand_lck() imm_detach() | schedule_delayed_work() kfree(dev) //FREE | imm_interrupt() | dev = container_of(...) //USE dev-> //USE Add disable_delayed_work_sync() in imm_detach() to guarantee proper cancellation of the delayed work item before imm_struct is deallocated.
Product status
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 31ab2aad7a7b7501e904a09bf361e44671f66092
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 48dd41fa2d6c6a0c50e714deeba06ffe7f91961b
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 9e434426cc23ad5e2aad649327b59aea00294b13
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c
2.6.12
Any version before 2.6.12
6.12.63 (semver)
6.17.13 (semver)
6.18.2 (semver)
6.19-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/31ab2aad7a7b7501e904a09bf361e44671f66092
git.kernel.org/...c/48dd41fa2d6c6a0c50e714deeba06ffe7f91961b
git.kernel.org/...c/9e434426cc23ad5e2aad649327b59aea00294b13
git.kernel.org/...c/ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c
Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.
