CVE-2025-71235
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/02/2026
Last modified:
23/02/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
scsi: qla2xxx: Delay module unload while fabric scan in progress<br />
<br />
System crash seen during load/unload test in a loop.<br />
<br />
[105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086<br />
[105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0<br />
[105954.384921] R13: ffff914605f86910 R14: 0000000000008010 R15: 00000000ddb7c000<br />
[105954.384923] FS: 0000000000000000(0000) GS:ffff9163fec40000(0000) knlGS:0000000000000000<br />
[105954.384925] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
[105954.384926] CR2: 000055d31ce1d6a0 CR3: 0000000119f5e001 CR4: 0000000000770ee0<br />
[105954.384928] PKRU: 55555554<br />
[105954.384929] Call Trace:<br />
[105954.384931] <br />
[105954.384934] qla24xx_sp_unmap+0x1f3/0x2a0 [qla2xxx]<br />
[105954.384962] ? qla_async_scan_sp_done+0x114/0x1f0 [qla2xxx]<br />
[105954.384980] ? qla24xx_els_ct_entry+0x4de/0x760 [qla2xxx]<br />
[105954.384999] ? __wake_up_common+0x80/0x190<br />
[105954.385004] ? qla24xx_process_response_queue+0xc2/0xaa0 [qla2xxx]<br />
[105954.385023] ? qla24xx_msix_rsp_q+0x44/0xb0 [qla2xxx]<br />
[105954.385040] ? __handle_irq_event_percpu+0x3d/0x190<br />
[105954.385044] ? handle_irq_event+0x58/0xb0<br />
[105954.385046] ? handle_edge_irq+0x93/0x240<br />
[105954.385050] ? __common_interrupt+0x41/0xa0<br />
[105954.385055] ? common_interrupt+0x3e/0xa0<br />
[105954.385060] ? asm_common_interrupt+0x22/0x40<br />
<br />
The root cause of this was that there was a free (dma_free_attrs) in the<br />
interrupt context. There was a device discovery/fabric scan in<br />
progress. A module unload was issued which set the UNLOADING flag. As<br />
part of the discovery, after receiving an interrupt a work queue was<br />
scheduled (which involved a work to be queued). Since the UNLOADING<br />
flag is set, the work item was not allocated and the mapped memory had<br />
to be freed. The free occurred in interrupt context leading to system<br />
crash. Delay the driver unload until the fabric scan is complete to<br />
avoid the crash.
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/528b2f1027edfb52af0171f0f4b227fb356dde05
- https://git.kernel.org/stable/c/7062eb0c488f35730334daad9495d9265c574853
- https://git.kernel.org/stable/c/8890bf450e0b6b283f48ac619fca5ac2f14ddd62
- https://git.kernel.org/stable/c/891f9969a29e9767a453cef4811c8d2472ccab49
- https://git.kernel.org/stable/c/984dc1a51bf6fc3ca4e726abe790ec38952935d8
- https://git.kernel.org/stable/c/c068ebbaf52820d6bdefb9b405a1e426663c635a
- https://git.kernel.org/stable/c/d70f71d4c92bcb8b6a21ac62d4ea3e87721f4f32
- https://git.kernel.org/stable/c/d8af012f92eee021c6ebb7093e65813c926c336b