{"id":"CVE-2022-48791","summary":"scsi: pm8001: Fix use-after-free for aborted TMF sas_task","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix use-after-free for aborted TMF sas_task\n\nCurrently a use-after-free may occur if a TMF sas_task is aborted before we\nhandle the IO completion in mpi_ssp_completion(). The abort occurs due to\ntimeout.\n\nWhen the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the\nsas_task is freed in pm8001_exec_internal_tmf_task().\n\nHowever, if the I/O completion occurs later, the I/O completion still\nthinks that the sas_task is available. Fix this by clearing the ccb-\u003etask\nif the TMF times out - the I/O completion handler does nothing if this\npointer is cleared.","modified":"2026-03-20T12:21:52.575581Z","published":"2024-07-16T11:43:47.211Z","related":["SUSE-SU-2024:2894-1","SUSE-SU-2024:2902-1","SUSE-SU-2024:2929-1","SUSE-SU-2024:2939-1","SUSE-SU-2024:2947-1","SUSE-SU-2024:3249-1","SUSE-SU-2024:3304-1","SUSE-SU-2024:3467-1","SUSE-SU-2024:3499-1","SUSE-SU-2024:3559-1","SUSE-SU-2024:3566-1","SUSE-SU-2024:3591-1","SUSE-SU-2025:1088-1","SUSE-SU-2025:1092-1","SUSE-SU-2025:1119-1","SUSE-SU-2025:1123-1","SUSE-SU-2025:1139-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48791.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3c334cdfd94945b8edb94022a0371a8665b17366"},{"type":"WEB","url":"https://git.kernel.org/stable/c/510b21442c3a2e3ecc071ba3e666b320e7acdd61"},{"type":"WEB","url":"https://git.kernel.org/stable/c/61f162aa4381845acbdc7f2be4dfb694d027c018"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d872e7b5fe38f325f5206b6872746fa02c2b4819"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48791.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48791"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"968ee9176a4489ce6d5ee54ff88dadfbff9b95f4"},{"fixed":"d872e7b5fe38f325f5206b6872746fa02c2b4819"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d712d3fb484b7fa8d1d57e9ca6f134bb9d8c18b1"},{"fixed":"3c334cdfd94945b8edb94022a0371a8665b17366"},{"fixed":"510b21442c3a2e3ecc071ba3e666b320e7acdd61"},{"fixed":"61f162aa4381845acbdc7f2be4dfb694d027c018"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"fa3c19ceaa8b4b7c29d710c2c407df57d256a6c5"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48791.json"}}],"schema_version":"1.7.5"}