CVE-2026-23306

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: pm8001: Fix use-after-free in pm8001_queue_command()<br /> <br /> Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors<br /> pm8001_queue_command(), however it introduces a potential cause of a double<br /> free scenario when it changes the function to return -ENODEV in case of phy<br /> down/device gone state.<br /> <br /> In this path, pm8001_queue_command() updates task status and calls<br /> task_done to indicate to upper layer that the task has been handled.<br /> However, this also frees the underlying SAS task. A -ENODEV is then<br /> returned to the caller. When libsas sas_ata_qc_issue() receives this error<br /> value, it assumes the task wasn&amp;#39;t handled/queued by LLDD and proceeds to<br /> clean up and free the task again, resulting in a double free.<br /> <br /> Since pm8001_queue_command() handles the SAS task in this case, it should<br /> return 0 to the caller indicating that the task has been handled.