CVE-2022-50215

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/06/2025
Last modified: 19/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: sg: Allow waiting for commands to complete on removed device

When a SCSI device is removed while in active use, currently sg will immediately return -ENODEV on any attempt to wait for active commands that were sent before the removal. This is problematic for commands that use SG_FLAG_DIRECT_IO since the data buffer may still be in use by the kernel when userspace frees or reuses it after getting ENODEV, leading to corrupted userspace memory (in the case of READ-type commands) or corrupted data being sent to the device (in the case of WRITE-type commands). This has been seen in practice when logging out of an iscsi_tcp session, where the iSCSI driver may still be processing commands after the device has been marked for removal.

Change the policy to allow userspace to wait for active sg commands even when the device is being removed. Return -ENODEV only when there are no more responses to read.

Vulnerable products and versions

CPE                                            From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*                      4.9.326 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   4.10 (including)   4.14.291 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   4.15 (including)   4.19.256 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   4.20 (including)   5.4.211 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.5 (including)    5.10.137 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.11 (including)   5.15.61 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.16 (including)   5.18.18 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.19 (including)   5.19.2 (excluding)
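
A check of a kernel release string against the version ranges listed above, as an added example that is not part of the original advisory. The function names are hypothetical, the sample releases are constructed, and the comparison assumes upstream version numbers: a distribution kernel may carry the fix as a backport under an older version number.

```python
import re

# Affected upstream ranges copied from the table on this page:
# (from_inclusive or None, up_to_exclusive)
AFFECTED_RANGES = [
    (None, "4.9.326"),
    ("4.10", "4.14.291"),
    ("4.15", "4.19.256"),
    ("4.20", "5.4.211"),
    ("5.5", "5.10.137"),
    ("5.11", "5.15.61"),
    ("5.16", "5.18.18"),
    ("5.19", "5.19.2"),
]

def parse_version(text):
    """Return (major, minor, patch) from a release string such as
    '5.15.60' or '5.10.136-rt70'; a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"not a kernel version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def affected_range(release):
    """Return the matching (from, up_to) row, or None if outside all rows."""
    v = parse_version(release)
    for start, end in AFFECTED_RANGES:
        lower_ok = start is None or parse_version(start) <= v
        if lower_ok and v < parse_version(end):  # upper bound is exclusive
            return (start, end)
    return None

def first_unaffected(release):
    """Return the 'Up to (excluding)' bound of the matching row, i.e. the
    first upstream release outside that range, or None if not affected."""
    row = affected_range(release)
    return row[1] if row else None

if __name__ == "__main__":
    # Constructed sample releases, chosen to sit on the range boundaries.
    for sample in ["4.9.325", "5.15.60", "5.15.61", "5.10.136-rt70", "6.1.0"]:
        bound = first_unaffected(sample)
        print(sample, "affected, update to >= " + bound if bound else "not in a listed range")
```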