CVE-2026-23306

In the Linux kernel, the following vulnerability has been resolved:

scsi: pm8001: Fix use-after-free in pm8001 queue command()

Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001 task exec()") refactors pm8001 queue command(), however it introduces a potential cause of a double free scenario when it changes the function to return -ENODEV in case of phy down/device gone state.

In this path, pm8001 queue command() updates task status and calls task done to indicate to upper layer that the task has been handled. However, this also frees the underlying SAS task. A -ENODEV is then returned to the caller. When libsas sas ata qc issue() receives this error value, it assumes the task wasn't handled/queued by LLDD and proceeds to clean up and free the task again, resulting in a double free.

Since pm8001 queue command() handles the SAS task in this case, it should return 0 to the caller indicating that the task has been handled.