John Garry

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved. The issue occurs in the hisi sas driver when it fails to request the channel IRQ or fatal IRQ, causing the driver to free the IRQ vectors before freeing the IRQs. This results in a kernel BUG, as seen in the provided call trace. The problem is fixed by using devm add action() to control the order in which the vectors are freed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free vulnerability in the pm8001 component of the Linux kernel. This occurs when a TMF sas task is aborted before handling the IO completion in mpi ssp completion(), which happens due to a timeout. As a result, the SAS TASK STATE ABORTED flag is set, and the sas task is freed in pm8001 exec internal tmf task(). However, if the I/O completion occurs later, it still thinks the sas task is available. The fix involves clearing the ccb->task if the TMF times out, ensuring the I/O completion handler does nothing if this pointer is cleared. This vulnerability could allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free issue may occur in the Linux kernel when a sas task is aborted by the upper layer before handling the I/O completion in `mpi ssp completion()` or `mpi sata completion()`. This happens because the upper layer may free the `sas task` after calling `complete()`, but the kernel still tries to access it in `pm8001 ccb task free()`. The issue is resolved by swapping the order of the `complete()` and `pm8001 ccb task free()` calls. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.