CVE-2025-68818
Description
In the Linux kernel, the following vulnerability has been resolved:
scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.
The commit being reverted added code to __qla2x00_abort_all_cmds() to call sp->done() without holding a spinlock. But unlike the older code below it, this new code failed to check sp->cmd_type and just assumed TYPE_SRB, which results in a jump to an invalid pointer in target-mode with TYPE_TGT_CMD:
qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success 0000000009f7a79b qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h. qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event 0x8002 occurred qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery - ha=0000000058183fda. BUG: kernel NULL pointer dereference, address: 0000000000000000 PF: supervisor instruction fetch in kernel mode PF: error_code(0x0010) - not-present page PGD 0 P4D 0 Oops: 0010 [#1] SMP CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1 Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206 RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000 RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0 RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045 R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40 R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400 FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:
? __die+0x4d/0x8b ? page_fault_oops+0x91/0x180 ? trace_buffer_unlock_commit_regs+0x38/0x1a0 ? exc_page_fault+0x391/0x5e0 ? asm_exc_page_fault+0x22/0x30 __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst] qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst] qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst] qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst] qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst] kthread+0xa8/0xd0
Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within lock") added the spinlock back, because not having the lock caused a race and a crash. But qla2x00_abort_srb() in the switch below already checks for qla2x00_chip_is_down() and handles it the same way, so the code above the switch is now redundant and still buggy in target-mode. Remove it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reverted Linux kernel commit in qla2xxx SCSI driver caused a NULL pointer dereference by calling sp->done() without checking sp->cmd_type, leading to a kernel crash.
Vulnerability
Analysis
CVE-2025-68818 is a vulnerability in the Linux kernel's qla2xxx SCSI driver, resulting from a commit (0367076b0817) that was subsequently reverted. The commit introduced code in __qla2x00_abort_all_cmds() to call sp->done() without holding a spinlock. Unlike the existing code, this new code failed to check sp->cmd_type and assumed TYPE_SRB, which is incorrect for target-mode commands (TYPE_TGT_CMD). This leads to a jump to an invalid pointer, causing a kernel NULL pointer dereference [1][2][3].
Exploitation and
Impact
The vulnerability is triggered during ISP error recovery when the driver attempts to abort all commands. The attacker does not need local access; the issue can be triggered by a system error event (e.g., ISP System Error) that initiates the abort path. The crash occurs in the qla2xxx_8_dpc kernel thread, as shown in the oops report with a NULL pointer dereference at address 0x0 [1][2][3].
Impact
A successful exploitation results in a kernel panic (NULL pointer dereference), leading to a denial of service (DoS) on the affected system. The crash can disrupt storage operations and cause system instability. The vulnerability is rated with a CVSS score of 5.5 (Medium), indicating a moderate severity [1][2][3].
Mitigation
The fix is the revert of the problematic commit, which has been applied to the stable kernel trees. Users should update to a kernel version that includes the revert commit (e.g., commits b57fbc88715b, c5c37a821bd1, b04b3733fff7) to eliminate the vulnerability. No workaround is available; patching is required [1][2][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/1c728951bc769b795d377852eae1abddad88635dnvd
- git.kernel.org/stable/c/50b097d92c99f718831b8b349722bc79f718ba1bnvd
- git.kernel.org/stable/c/b04b3733fff7e94566386b962e4795550fbdfd3dnvd
- git.kernel.org/stable/c/b10ebbfd59a535c8d22f4ede6e8389622ce98dc0nvd
- git.kernel.org/stable/c/b57fbc88715b6d18f379463f48a15b560b087ffenvd
- git.kernel.org/stable/c/c5c37a821bd1708f26a9522b4a6f47b9f7a20003nvd
- git.kernel.org/stable/c/e9e601b7df58ba0c667baf30263331df2c02ffe1nvd
News mentions
0No linked articles in our index yet.