Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix bsg_done() causing double free

Kernel panic observed on system:

[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
[5353358.825194] #PF: supervisor write access in kernel mode
[5353358.825195] #PF: error_code(0x0002) - not-present page
[5353358.825196] PGD 100006067 P4D 0
[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1
[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025
[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10
[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246
[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000
[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000
[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000
[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090
[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000
[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000
[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0
[5353358.825221] PKRU: 55555554
[5353358.825222] Call Trace:
[5353358.825223] <TASK>
[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df
[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df
[5353358.825232] ? sg_copy_buffer+0xc8/0x110
[5353358.825236] ? __die_body.cold+0x8/0xd
[5353358.825238] ? page_fault_oops+0x134/0x170
[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110
[5353358.825244] ? exc_page_fault+0xa8/0x150
[5353358.825247] ? asm_exc_page_fault+0x22/0x30
[5353358.825252] ? memcpy_erms+0x6/0x10
[5353358.825253] sg_copy_buffer+0xc8/0x110
[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]
[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]

Most routines in qla_bsg.c call bsg_done() only for success cases. However, a few invoke it for the failure case as well, leading to a double free. Validate before calling bsg_done().
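The ownership mistake behind this double free, as an added user-space model that is not the qla2xxx driver's code: the struct, function names and the assumed dispatcher contract (a failing handler returns an error and the dispatcher then completes the job once) are illustrative stand-ins chosen to mirror the commit message, and the "free" is only counted, never performed.

```c
/* Added model, not qla2xxx code: names and the dispatcher contract are assumed. */
#include <stdbool.h>
struct job_model {
    bool completed;  /* true once the completion has released the job */
    int done_calls;  /* completions issued; 2 is the double free */
};

/* Stands in for bsg_done(): completes the request and frees the job.
 * In the kernel a second call frees freed memory; here we only count. */
static void model_bsg_done(struct job_model *job)
{
    job->completed = true;
    job->done_calls++;
}

/* Vulnerable shape: completes the job whether the request succeeded or not. */
static int handler_vuln(struct job_model *job, bool fail)
{
    model_bsg_done(job);      /* wrong on failure: caller completes it again */
    return fail ? -1 : 0;
}

/* Fixed shape: complete only on success, and only while the job is live. */
static int handler_fixed(struct job_model *job, bool fail)
{
    if (fail)
        return -1;            /* caller owns completion on failure */
    if (!job->completed)      /* validate before calling bsg_done() */
        model_bsg_done(job);
    return 0;
}

/* Dispatcher contract (assumed): a handler that fails returns an error
 * without completing; the dispatcher then completes the job exactly once. */
static int run_request(struct job_model *job,
                       int (*handler)(struct job_model *, bool), bool fail)
{
    int rc = handler(job, fail);
    if (rc)
        model_bsg_done(job);
    return rc;
}

/* Runs one request and returns how many times the job was completed. */
static int completions(int (*handler)(struct job_model *, bool), bool fail)
{
    struct job_model job = { false, 0 };
    run_request(&job, handler, fail);
    return job.done_calls;
}
```

A completion count of 2 on the failure path is the condition that, in the real driver, becomes a use of freed memory and the page fault shown in the trace above.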
Product status
1b81e7f3019d632a707e07927e946ffbbc102910 (git) before 057a5bdc481e58ab853117254867ffb22caf9f6e
1b81e7f3019d632a707e07927e946ffbbc102910 (git) before f2bbb4db0e4a4fbd5e649c0b5d8733f61da24720
1b81e7f3019d632a707e07927e946ffbbc102910 (git) before 27ac9679c43a09e54e2d9aae9980ada045b428e0
1b81e7f3019d632a707e07927e946ffbbc102910 (git) before 74e7458537cd9349cf019862e51491f670871707
1b81e7f3019d632a707e07927e946ffbbc102910 (git) before 871f6236da96c4a9712b8a29d7f555f767a47e95
1b81e7f3019d632a707e07927e946ffbbc102910 (git) before 31f33b856d2324d86bcaef295f4d210477a1c018
1b81e7f3019d632a707e07927e946ffbbc102910 (git) before 708003e1bc857dd014d4c44278d7d77c26f91b1c
1b81e7f3019d632a707e07927e946ffbbc102910 (git) before c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0
5.7
Any version before 5.7
5.10.251 (semver)
5.15.201 (semver)
6.1.164 (semver)
6.6.127 (semver)
6.12.74 (semver)
6.18.13 (semver)
6.19.3 (semver)
7.0-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/057a5bdc481e58ab853117254867ffb22caf9f6e
git.kernel.org/...c/f2bbb4db0e4a4fbd5e649c0b5d8733f61da24720
git.kernel.org/...c/27ac9679c43a09e54e2d9aae9980ada045b428e0
git.kernel.org/...c/74e7458537cd9349cf019862e51491f670871707
git.kernel.org/...c/871f6236da96c4a9712b8a29d7f555f767a47e95
git.kernel.org/...c/31f33b856d2324d86bcaef295f4d210477a1c018
git.kernel.org/...c/708003e1bc857dd014d4c44278d7d77c26f91b1c
git.kernel.org/...c/c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0