lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <2026011314-CVE-2025-68818-08ea@gregkh>
Date: Tue, 13 Jan 2026 16:29:44 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-68818: scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"

This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.

The commit being reverted added code to __qla2x00_abort_all_cmds() to
call sp->done() without holding a spinlock.  But unlike the older code
below it, this new code failed to check sp->cmd_type and just assumed
TYPE_SRB, which results in a jump to an invalid pointer in target-mode
with TYPE_TGT_CMD:

qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success
  0000000009f7a79b
qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h
  mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.
qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer
qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event
  0x8002 occurred
qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -
  ha=0000000058183fda.
BUG: kernel NULL pointer dereference, address: 0000000000000000
PF: supervisor instruction fetch in kernel mode
PF: error_code(0x0010) - not-present page
PGD 0 P4D 0
Oops: 0010 [#1] SMP
CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G           O       6.1.133 #1
Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206
RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000
RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0
RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045
R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40
R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400
FS:  0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ? __die+0x4d/0x8b
 ? page_fault_oops+0x91/0x180
 ? trace_buffer_unlock_commit_regs+0x38/0x1a0
 ? exc_page_fault+0x391/0x5e0
 ? asm_exc_page_fault+0x22/0x30
 __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]
 qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]
 qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]
 qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]
 qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]
 kthread+0xa8/0xd0
 </TASK>

Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within
lock") added the spinlock back, because not having the lock caused a
race and a crash.  But qla2x00_abort_srb() in the switch below already
checks for qla2x00_chip_is_down() and handles it the same way, so the
code above the switch is now redundant and still buggy in target-mode.
Remove it.
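
The failure mode the commit message describes, as an added example that is not part of this advisory or of the qla2xxx driver: a hypothetical, heavily simplified model of one slot in the outstanding-command table. The names fake_srb, fake_tgt_cmd and union outstanding_cmd, the field layouts and the TYPE_* values are assumptions for illustration; the only property kept from the driver is that both object kinds begin with a cmd_type byte and only the initiator-mode srb carries a done() callback. buggy_done_ptr() mirrors the reverted code's assumption that every slot holds an srb, but returns the pointer it would have called instead of calling it; abort_all_checked() dispatches on cmd_type first, the check the older code below the reverted block performs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, heavily simplified model of one slot in the qla2xxx outstanding-
 * command table.  The real srb_t and struct qla_tgt_cmd are much larger; the only
 * property kept is that both begin with a cmd_type byte and that only the
 * initiator-mode srb carries a done() callback.  The TYPE_* values are assumed. */
enum { TYPE_SRB = 1, TYPE_TGT_CMD = 2 };

struct fake_srb {                        /* initiator-mode request */
    uint8_t  cmd_type;                   /* TYPE_SRB */
    uint8_t  pad[7];
    uint32_t handle;
    int      result;
    void (*done)(struct fake_srb *sp, int res);   /* completion callback */
};

struct fake_tgt_cmd {                    /* target-mode command */
    uint8_t  cmd_type;                   /* TYPE_TGT_CMD */
    uint8_t  state;
    uint16_t tag;
    uint32_t lun;
    /* no done(): the bytes where fake_srb.done sits are not part of this object */
};

union outstanding_cmd {
    uint8_t             cmd_type;        /* common first byte of both layouts */
    struct fake_srb     srb;
    struct fake_tgt_cmd tgt;
};

static void srb_done(struct fake_srb *sp, int res)
{
    sp->result = res;
}

/* What the reverted code did: assume TYPE_SRB and fetch done() from the slot.
 * Returning the pointer instead of calling it keeps this demonstration from
 * actually jumping through NULL the way the oops above did. */
static void (*buggy_done_ptr(union outstanding_cmd *c))(struct fake_srb *, int)
{
    return c->srb.done;                  /* for a target command: unrelated bytes */
}

/* Completion that dispatches on cmd_type first, the check the reverted code skipped. */
static int abort_cmd_checked(union outstanding_cmd *c, int res)
{
    switch (c->cmd_type) {
    case TYPE_SRB:
        c->srb.done(&c->srb, res);
        return 1;
    case TYPE_TGT_CMD:
        c->tgt.state = 0;                /* torn down by the target core, not via done() */
        return 0;
    default:
        return -1;
    }
}

/* Abort every entry; returns the number of srb done() callbacks made, -1 on an
 * unknown cmd_type. */
static int abort_all_checked(union outstanding_cmd *table, int n, int res)
{
    int calls = 0;
    for (int i = 0; i < n; i++) {
        int r = abort_cmd_checked(&table[i], res);
        if (r < 0)
            return -1;
        calls += r;
    }
    return calls;
}

/* Constructed table: slot 0 is an initiator srb, slot 1 a target-mode command. */
static void make_table(union outstanding_cmd table[2])
{
    memset(table, 0, 2 * sizeof(*table));
    table[0].srb.cmd_type = TYPE_SRB;
    table[0].srb.handle   = 1;
    table[0].srb.done     = srb_done;
    table[1].tgt.cmd_type = TYPE_TGT_CMD;
    table[1].tgt.tag      = 0x355;
    table[1].tgt.lun      = 0;
}

/* 1 if the unchecked path would read a NULL done() for the target-mode slot. */
int buggy_path_reads_null(void)
{
    union outstanding_cmd table[2];
    make_table(table);
    return buggy_done_ptr(&table[1]) == NULL;
}

/* Number of srb completions the checked path makes on the same table. */
int checked_path_completions(void)
{
    union outstanding_cmd table[2];
    make_table(table);
    return abort_all_checked(table, 2, -1);
}

int main(void)
{
    printf("unchecked path reads NULL done() for target cmd: %d\n", buggy_path_reads_null());
    printf("checked path completed %d srb(s)\n", checked_path_completions());
    return 0;
}
```

In this model the bytes overlapping the done slot are zero, so the unchecked path reads a NULL function pointer, which is the RIP: 0010:0x0 shape of the oops above; in the real driver whatever happens to occupy that offset in the target-mode object is what gets called. The general lesson is that any table holding objects of more than one layout has to dispatch on the discriminator before touching layout-specific fields, and a lock alone does not fix a missing type check.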

The Linux kernel CVE team has assigned CVE-2025-68818 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 6.1.22 with commit cd0a1804ac5bab2545ac700c8d0fe9ae9284c567 and fixed in 6.1.160 with commit c5c37a821bd1708f26a9522b4a6f47b9f7a20003
	Issue introduced in 6.3 with commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9 and fixed in 6.6.120 with commit e9e601b7df58ba0c667baf30263331df2c02ffe1
	Issue introduced in 6.3 with commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9 and fixed in 6.12.64 with commit b10ebbfd59a535c8d22f4ede6e8389622ce98dc0
	Issue introduced in 6.3 with commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9 and fixed in 6.18.3 with commit 1c728951bc769b795d377852eae1abddad88635d
	Issue introduced in 6.3 with commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9 and fixed in 6.19-rc1 with commit b57fbc88715b6d18f379463f48a15b560b087ffe
	Issue introduced in 5.4.240 with commit 9189f20b4c5307c0998682bb522e481b4567a8b8
	Issue introduced in 5.10.177 with commit 231cfa78ec5badd84a1a2b09465bfad1a926aba1
	Issue introduced in 5.15.105 with commit d6f7377528d2abf338e504126e44439541be8f7d
	Issue introduced in 6.2.9 with commit 415d614344a4f1bbddf55d724fc7eb9ef4b39aad
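
An added checker for the version list above; it is not the advisory's or the kernel's own tooling. The list is per stable branch (X.Y): an "introduced in X.Y.Z" entry says the bug was backported into that branch at patch level Z, a branch with only a "fixed in" entry inherits the bug from the 6.3 mainline introduction, and four branches (5.4, 5.10, 5.15, 6.2) have no fix listed on this page at all. The table below encodes exactly those ranges, and the branch_entry/kver names and the sample inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A kernel version is X.Y.Z; X.Y names the stable branch.  Each entry is one
 * branch from the advisory's list: first affected patch level in that branch
 * (0 when the whole branch descends from the affected 6.3 mainline) and the
 * first fixed patch level (-1 when this page lists no fix for the branch). */
struct kver { int major, minor, patch; };

struct branch_entry {
    int major, minor;
    int intro_patch;        /* first affected Z in this branch */
    int fixed_patch;        /* first fixed Z, or -1 if none listed */
};

static const struct branch_entry branches[] = {
    { 5,  4, 240,  -1 },
    { 5, 10, 177,  -1 },
    { 5, 15, 105,  -1 },
    { 6,  1,  22, 160 },
    { 6,  2,   9,  -1 },
    { 6,  6,   0, 120 },
    { 6, 12,   0,  64 },
    { 6, 18,   0,   3 },
};

/* Mainline window: introduced in 6.3, fixed in 6.19-rc1, so every 6.19 tree is fixed. */
static const struct kver mainline_intro = { 6,  3, 0 };
static const struct kver mainline_fixed = { 6, 19, 0 };

static int cmp_xy(int a_major, int a_minor, int b_major, int b_minor)
{
    if (a_major != b_major)
        return a_major < b_major ? -1 : 1;
    if (a_minor != b_minor)
        return a_minor < b_minor ? -1 : 1;
    return 0;
}

/* Parse "6.1.133", "6.3" or "6.19-rc1" (an -rc suffix is ignored because the
 * fix landed in rc1).  Returns 0 on success, -1 on malformed input. */
int parse_kver(const char *s, struct kver *v)
{
    int n = sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch);
    if (n < 2)
        return -1;
    if (n == 2)
        v->patch = 0;
    return 0;
}

/* 1 if the version falls inside an affected range of this advisory, 0 if not. */
int is_affected(const struct kver *v)
{
    for (size_t i = 0; i < sizeof(branches) / sizeof(branches[0]); i++) {
        const struct branch_entry *b = &branches[i];
        if (b->major != v->major || b->minor != v->minor)
            continue;
        if (v->patch < b->intro_patch)
            return 0;
        return b->fixed_patch < 0 || v->patch < b->fixed_patch;
    }
    /* No per-branch entry: affected iff the tree lies in the mainline window. */
    return cmp_xy(v->major, v->minor, mainline_intro.major, mainline_intro.minor) >= 0 &&
           cmp_xy(v->major, v->minor, mainline_fixed.major, mainline_fixed.minor) < 0;
}

/* Convenience wrapper: -1 on parse error, else is_affected(). */
int version_affected(const char *s)
{
    struct kver v;
    if (parse_kver(s, &v) < 0)
        return -1;
    return is_affected(&v);
}

int main(void)
{
    /* Constructed sample inputs; 6.1.133 is the kernel in the oops above. */
    const char *samples[] = { "6.1.133", "6.1.160", "6.8.5", "6.12.64",
                              "6.19-rc1", "6.2.8", "5.10.200", "6.0.19" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-9s affected=%d\n", samples[i], version_affected(samples[i]));
    return 0;
}
```

Two caveats when using this on real hosts: it is only meaningful for upstream stable version strings, since distribution kernels backport fixes without changing the upstream part of their version (check the vendor's own CVE tracker instead), and the ranges are a snapshot of this page, so a branch listed here without a fix should be rechecked against the cve.org record linked below. The crash path also requires the qla2xxx driver to be running in target mode, per the description above.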

Please see https://www.kernel.org for a full list of the kernel versions
currently supported by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-68818
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/scsi/qla2xxx/qla_os.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/c5c37a821bd1708f26a9522b4a6f47b9f7a20003
	https://git.kernel.org/stable/c/e9e601b7df58ba0c667baf30263331df2c02ffe1
	https://git.kernel.org/stable/c/b10ebbfd59a535c8d22f4ede6e8389622ce98dc0
	https://git.kernel.org/stable/c/1c728951bc769b795d377852eae1abddad88635d
	https://git.kernel.org/stable/c/b57fbc88715b6d18f379463f48a15b560b087ffe
