CVE-2025-68818

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"<br /> <br /> This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.<br /> <br /> The commit being reverted added code to __qla2x00_abort_all_cmds() to<br /> call sp-&gt;done() without holding a spinlock. But unlike the older code<br /> below it, this new code failed to check sp-&gt;cmd_type and just assumed<br /> TYPE_SRB, which results in a jump to an invalid pointer in target-mode<br /> with TYPE_TGT_CMD:<br /> <br /> qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success<br /> 0000000009f7a79b<br /> qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h<br /> mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.<br /> qla2xxx [0000:65:00.0]-d01e:8: -&gt; fwdump no buffer<br /> qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event<br /> 0x8002 occurred<br /> qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -<br /> ha=0000000058183fda.<br /> BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> PF: supervisor instruction fetch in kernel mode<br /> PF: error_code(0x0010) - not-present page<br /> PGD 0 P4D 0<br /> Oops: 0010 [#1] SMP<br /> CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1<br /> Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023<br /> RIP: 0010:0x0<br /> Code: Unable to access opcode bytes at 0xffffffffffffffd6.<br /> RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206<br /> RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000<br /> RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0<br /> RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045<br /> R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40<br /> R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400<br /> FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> ? __die+0x4d/0x8b<br /> ? page_fault_oops+0x91/0x180<br /> ? trace_buffer_unlock_commit_regs+0x38/0x1a0<br /> ? exc_page_fault+0x391/0x5e0<br /> ? asm_exc_page_fault+0x22/0x30<br /> __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]<br /> qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]<br /> qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]<br /> qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]<br /> qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]<br /> kthread+0xa8/0xd0<br /> <br /> <br /> Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within<br /> lock") added the spinlock back, because not having the lock caused a<br /> race and a crash. But qla2x00_abort_srb() in the switch below already<br /> checks for qla2x00_chip_is_down() and handles it the same way, so the<br /> code above the switch is now redundant and still buggy in target-mode.<br /> Remove it.