scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
Summary
| CVE | CVE-2025-68818 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-01-13 16:16:04 UTC |
| Updated | 2026-07-14 13:18:01 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9. The commit being reverted added code to __qla2x00_abort_all_cmds() to call sp->done() without holding a spinlock. But unlike the older code below it, this new code failed to check sp->cmd_type and just assumed TYPE_SRB, which results in a jump to an invalid pointer in target-mode with TYPE_TGT_CMD: qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success 0000000009f7a79b qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h. qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event 0x8002 occurred qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery - ha=0000000058183fda. BUG: kernel NULL pointer dereference, address: 0000000000000000 PF: supervisor instruction fetch in kernel mode PF: error_code(0x0010) - not-present page PGD 0 P4D 0 Oops: 0010 [#1] SMP CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1 Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206 RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000 RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0 RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045 R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40 R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400 FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die+0x4d/0x8b ? page_fault_oops+0x91/0x180 ? trace_buffer_unlock_commit_regs+0x38/0x1a0 ? exc_page_fault+0x391/0x5e0 ? asm_exc_page_fault+0x22/0x30 __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst] qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst] qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst] qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst] qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst] kthread+0xa8/0xd0 </TASK> Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within lock") added the spinlock back, because not having the lock caused a race and a crash. But qla2x00_abort_srb() in the switch below already checks for qla2x00_chip_is_down() and handles it the same way, so the code above the switch is now redundant and still buggy in target-mode. Remove it. |
Risk And Classification
EPSS: 0.001730000 probability, percentile 0.068820000 (date 2026-07-14)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 231cfa78ec5badd84a1a2b09465bfad1a926aba1 b04b3733fff7e94566386b962e4795550fbdfd3d git | Not specified |
| CNA | Linux | Linux | affected d6f7377528d2abf338e504126e44439541be8f7d 50b097d92c99f718831b8b349722bc79f718ba1b git | Not specified |
| CNA | Linux | Linux | affected cd0a1804ac5bab2545ac700c8d0fe9ae9284c567 c5c37a821bd1708f26a9522b4a6f47b9f7a20003 git | Not specified |
| CNA | Linux | Linux | affected 0367076b0817d5c75dfb83001ce7ce5c64d803a9 e9e601b7df58ba0c667baf30263331df2c02ffe1 git | Not specified |
| CNA | Linux | Linux | affected 0367076b0817d5c75dfb83001ce7ce5c64d803a9 b10ebbfd59a535c8d22f4ede6e8389622ce98dc0 git | Not specified |
| CNA | Linux | Linux | affected 0367076b0817d5c75dfb83001ce7ce5c64d803a9 1c728951bc769b795d377852eae1abddad88635d git | Not specified |
| CNA | Linux | Linux | affected 0367076b0817d5c75dfb83001ce7ce5c64d803a9 b57fbc88715b6d18f379463f48a15b560b087ffe git | Not specified |
| CNA | Linux | Linux | affected 9189f20b4c5307c0998682bb522e481b4567a8b8 git | Not specified |
| CNA | Linux | Linux | affected 415d614344a4f1bbddf55d724fc7eb9ef4b39aad git | Not specified |
| CNA | Linux | Linux | affected 5.10.177 5.10.248 semver | Not specified |
| CNA | Linux | Linux | affected 5.15.105 5.15.198 semver | Not specified |
| CNA | Linux | Linux | affected 6.1.22 6.1.160 semver | Not specified |
| CNA | Linux | Linux | affected 5.4.240 5.5 semver | Not specified |
| CNA | Linux | Linux | affected 6.2.9 6.3 semver | Not specified |
| CNA | Linux | Linux | affected 6.3 | Not specified |
| CNA | Linux | Linux | unaffected 6.3 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.248 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.198 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.160 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.120 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.64 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.3 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.19 * original_commit_for_fix | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP | affected V3.1.6 * custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP | affected V3.1.6 * custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | affected V3.1.6 * custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | affected V3.1.6 * custom | Not specified |
| ADP | Siemens | SIPLUS S7-1500 CPU 1518-4 PN/DP MFP | affected V3.1.6 * custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/50b097d92c99f718831b8b349722bc79f718ba1b | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/c5c37a821bd1708f26a9522b4a6f47b9f7a20003 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| cert-portal.siemens.com/productcert/html/ssa-019113.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| git.kernel.org/stable/c/b04b3733fff7e94566386b962e4795550fbdfd3d | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/1c728951bc769b795d377852eae1abddad88635d | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/e9e601b7df58ba0c667baf30263331df2c02ffe1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/b10ebbfd59a535c8d22f4ede6e8389622ce98dc0 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/b57fbc88715b6d18f379463f48a15b560b087ffe | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.