CVE-2024-56631

Severity (CVSS v4.0): Pending analysis
Type: CWE-416 Use After Free
Publication date: 27/12/2024
Last modified: 11/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: sg: Fix slab-use-after-free read in sg_release()

Fix a use-after-free bug in sg_release(), detected by syzbot with KASAN:

BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5838
__mutex_unlock_slowpath+0xe2/0x750 kernel/locking/mutex.c:912
sg_release+0x1f4/0x2e0 drivers/scsi/sg.c:407

In sg_release(), the function kref_put(&sfp->f_ref, sg_remove_sfp) is called before releasing the open_rel_lock mutex. The kref_put() call may decrement the reference count of sfp to zero, triggering its cleanup through sg_remove_sfp(). This cleanup includes scheduling deferred work via sg_remove_sfp_usercontext(), which ultimately frees sfp.

After kref_put(), sg_release() continues to unlock open_rel_lock and may reference sfp or sdp. If sfp has already been freed, this results in a slab-use-after-free error.

Move the kref_put(&sfp->f_ref, sg_remove_sfp) call after unlocking the open_rel_lock mutex. This ensures:

- No references to sfp or sdp occur after the reference count is decremented.

- Cleanup functions such as sg_remove_sfp() and sg_remove_sfp_usercontext() can safely execute without impacting the mutex handling in sg_release().

The fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures proper sequencing of resource cleanup and mutex operations, eliminating the risk of use-after-free errors in sg_release().
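The ordering problem described above, as an added user-space model (not the kernel's code and not the patch): kref_put() and mutex_unlock() are replaced by stand-ins, all `*_model`, `sg_release_buggy`, `sg_release_fixed` and `run_close` names are constructed for this example, and the model assumes that dropping the last sfp reference also releases its sdp, so that a later unlock of sdp->open_rel_lock lands in freed memory. Objects are only flagged as freed, which lets the bad access be detected instead of being undefined behaviour.

```c
#include <stdbool.h>

/* Constructed model of the sg_release() ordering bug (added example, not the
 * kernel's code). The mutex belongs to the device (sdp), the refcount to the
 * per-open file object (sfp); "freed" is a flag, not a real free. */
struct sg_device_model { bool open_rel_lock_held; bool freed; };
struct sg_fd_model { struct sg_device_model *parentdp; int f_ref; bool freed; };

/* Stand-in for sg_remove_sfp()/sg_remove_sfp_usercontext(). Model assumption:
 * dropping the last sfp also drops its sdp, so a later unlock writes freed memory. */
static void sg_remove_sfp_model(struct sg_fd_model *sfp) {
    sfp->freed = true;
    sfp->parentdp->freed = true;
}

/* kref_put(): drop one reference, run the release callback at zero. */
static void kref_put_model(struct sg_fd_model *sfp) {
    if (--sfp->f_ref == 0) sg_remove_sfp_model(sfp);
}

/* mutex_unlock(): true when the mutex it writes to was already freed. */
static bool mutex_unlock_model(struct sg_device_model *sdp) {
    bool touched_freed = sdp->freed;
    sdp->open_rel_lock_held = false;
    return touched_freed;
}

/* Before the fix: kref_put() first, then unlock through a possibly freed sdp. */
bool sg_release_buggy(struct sg_fd_model *sfp) {
    struct sg_device_model *sdp = sfp->parentdp;
    sdp->open_rel_lock_held = true;      /* mutex_lock(&sdp->open_rel_lock) */
    kref_put_model(sfp);                 /* may free sfp and, in the model, sdp */
    return mutex_unlock_model(sdp);      /* slab-use-after-free when it did */
}

/* After the fix: unlock first, then drop the reference; no later sfp/sdp use. */
bool sg_release_fixed(struct sg_fd_model *sfp) {
    struct sg_device_model *sdp = sfp->parentdp;
    sdp->open_rel_lock_held = true;
    bool touched_freed = mutex_unlock_model(sdp);
    kref_put_model(sfp);
    return touched_freed;
}

/* One close() with `refs` references still on sfp (1 means the last close). */
bool run_close(int refs, bool fixed) {
    struct sg_device_model sdp = { false, false };
    struct sg_fd_model sfp = { &sdp, refs, false };
    return fixed ? sg_release_fixed(&sfp) : sg_release_buggy(&sfp);
}
```

Only the last close of a file (f_ref reaching zero) reaches the freed object, which is why the bug needs a specific sequence of closes to trigger and why KASAN, rather than a plain crash, was what caught it.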

Vulnerable products and versions

CPE                                                  From                  Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         3.16.85 (including)   6.6.66 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         6.7 (including)       6.12.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*    -                     -