Mike Christie

**Name of the Vulnerable Software and Affected Versions** Linux Kernel (affected versions not specified) **Description** A use-after-free vulnerability was found in the `iscsi sw tcp session create` function in the `drivers/scsi/iscsi tcp.c` file of the SCSI sub-component. This flaw is due to incorrect error handling returned by `iscsi tcp r2tpool alloc()`, allowing an attacker to leak kernel internal information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a regression in the Linux kernel's scsi core, specifically with the sysfs interface. After iSCSI recovery, the iscsid daemon calls into the kernel to set the device's state to running. However, due to a patch, the kernel now calls scsi rescan device() with the state mutex held, leading to a deadlock. The SCSI error handler thread tries to grab the state mutex, but it is already held by scsi rescan device(), causing the system to hang. To prevent this deadlock, the rescan-related code is moved to after the state mutex is dropped. This fix also adds a check to prevent extra scans when the device is already in the running state. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability has been resolved in the Linux kernel, specifically in the scsi: iscsi component. The issue arises from a use-after-free error in the `iscsi task` due to changes in abort handling. The commit d39df158518c introduced `iscsi get conn()` and `iscsi put conn()` calls during abort handling but also altered the handling of already completed tasks, leading to the `iscsi task` use after free. This occurs because the common cleanup code performs a put on the `iscsi task`. The fix reverts the goto and moves the `iscsi get conn()` call to after the check for `iscsi task` validity. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.