Unrated severityNVD Advisory· Published May 27, 2026· Updated May 27, 2026
CVE-2026-45857
CVE-2026-45857
Description
In the Linux kernel, the following vulnerability has been resolved:
scsi: csiostor: Fix dereference of null pointer rn
The error exit path when rn is NULL ends up deferencing the null pointer rn via the use of the macro CSIO_INC_STATS. Fix this by adding a new error return path label after the use of the macro to avoid the deference.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Null pointer dereference in Linux kernel scsi: csiostor driver leads to crash. Fixed by adding proper error path before stats macro.
Vulnerability
The rn pointer in the scsi: csiostor driver of the Linux kernel could be dereferenced when NULL. The vulnerability exists in the error exit path where a NULL check on rn is performed, but if rn is NULL the subsequent code uses the macro CSIO_INC_STATS, which dereferences rn. Affected versions include the Linux kernel stable branches up to the fix commits [1], [2].
Exploitation
An attacker would need the ability to trigger an error condition in the csiostor driver that causes the rn pointer to be NULL. This could occur during certain error handling sequences, likely requiring local access to the system or the ability to provoke a specific driver failure. No special privileges beyond normal driver usage are required; the race window is not timing-dependent but rather condition-based.
Impact
Successful exploitation leads to a null pointer dereference, which causes a kernel crash (denial of service). The vulnerability may also be exploitable to cause a use-after-free or code execution depending on memory layout, but the primary documented impact is system instability and denial of service.
Mitigation
Fixed in Linux kernel commits [1] and [2]. The fix adds a new error return path label that is used after the CSIO_INC_STATS macro call, preventing the dereference. Users should update their kernel to a version containing these commits (e.g., 5.10.x, 5.15.x, 6.1.x, 6.8.x where applicable). No workaround is provided; installing the patched kernel is recommended.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
161982257570b8scsi: csiostor: Fix dereference of null pointer rn
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitColin Ian KingJan 29, 2026Fixed in 7.0via kernel-cna
2 files changed · +4 −4
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index c29bf2807e3104..05137784f369b1 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index c29bf2807e3104..05137784f369b1 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
44ef9f81392dscsi: csiostor: Fix dereference of null pointer rn
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitColin Ian KingJan 29, 2026Fixed in 5.15.202via kernel-cna
2 files changed · +4 −4
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 3b2eb6ce1fcff0..59d7dadfbfb714 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2070,7 +2070,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2215,6 +2215,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 3b2eb6ce1fcff0..59d7dadfbfb714 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2070,7 +2070,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2215,6 +2215,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
526ea3c0ccd4scsi: csiostor: Fix dereference of null pointer rn
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitColin Ian KingJan 29, 2026Fixed in 6.1.165via kernel-cna
2 files changed · +4 −4
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 05e1a63e00c3a1..ed40ae6b9800c0 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 05e1a63e00c3a1..ed40ae6b9800c0 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
25d623f0d77cscsi: csiostor: Fix dereference of null pointer rn
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitColin Ian KingJan 29, 2026Fixed in 6.6.128via kernel-cna
2 files changed · +4 −4
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 05e1a63e00c3a1..ed40ae6b9800c0 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 05e1a63e00c3a1..ed40ae6b9800c0 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
6037124dbf67scsi: csiostor: Fix dereference of null pointer rn
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitColin Ian KingJan 29, 2026Fixed in 6.12.75via kernel-cna
2 files changed · +4 −4
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 8329f0cab4e7db..b0467251cece00 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 8329f0cab4e7db..b0467251cece00 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
16ccbfddcb32scsi: csiostor: Fix dereference of null pointer rn
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitColin Ian KingJan 29, 2026Fixed in 5.10.252via kernel-cna
2 files changed · +4 −4
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 55e74da2f3cbe1..e320ca2911e0cb 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2070,7 +2070,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2215,6 +2215,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 55e74da2f3cbe1..e320ca2911e0cb 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2070,7 +2070,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2215,6 +2215,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
25ab5e97d3c5scsi: csiostor: Fix dereference of null pointer rn
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitColin Ian KingJan 29, 2026Fixed in 6.18.14via kernel-cna
2 files changed · +4 −4
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 34bde6650fae0f..356a7c577ec3ef 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 34bde6650fae0f..356a7c577ec3ef 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
3bbbab7b6949scsi: csiostor: Fix dereference of null pointer rn
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitColin Ian KingJan 29, 2026Fixed in 6.19.4via kernel-cna
2 files changed · +4 −4
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 34bde6650fae0f..356a7c577ec3ef 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 34bde6650fae0f..356a7c577ec3ef 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
1982257570b8scsi: csiostor: Fix dereference of null pointer rn
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitColin Ian KingJan 29, 2026via nvd-ref
2 files changed · +4 −4
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index c29bf2807e3104..05137784f369b1 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index c29bf2807e3104..05137784f369b1 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
526ea3c0ccd4scsi: csiostor: Fix dereference of null pointer rn
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitColin Ian KingJan 29, 2026via nvd-ref
2 files changed · +4 −4
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 05e1a63e00c3a1..ed40ae6b9800c0 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 05e1a63e00c3a1..ed40ae6b9800c0 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
6037124dbf67scsi: csiostor: Fix dereference of null pointer rn
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitColin Ian KingJan 29, 2026via nvd-ref
2 files changed · +4 −4
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 8329f0cab4e7db..b0467251cece00 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 8329f0cab4e7db..b0467251cece00 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
3bbbab7b6949scsi: csiostor: Fix dereference of null pointer rn
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitColin Ian KingJan 29, 2026via nvd-ref
2 files changed · +4 −4
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 34bde6650fae0f..356a7c577ec3ef 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 34bde6650fae0f..356a7c577ec3ef 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
44ef9f81392dscsi: csiostor: Fix dereference of null pointer rn
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitColin Ian KingJan 29, 2026via nvd-ref
2 files changed · +4 −4
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 3b2eb6ce1fcff0..59d7dadfbfb714 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2070,7 +2070,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2215,6 +2215,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 3b2eb6ce1fcff0..59d7dadfbfb714 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2070,7 +2070,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2215,6 +2215,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
16ccbfddcb32scsi: csiostor: Fix dereference of null pointer rn
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitColin Ian KingJan 29, 2026via nvd-ref
2 files changed · +4 −4
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 55e74da2f3cbe1..e320ca2911e0cb 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2070,7 +2070,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2215,6 +2215,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 55e74da2f3cbe1..e320ca2911e0cb 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2070,7 +2070,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2215,6 +2215,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
25ab5e97d3c5scsi: csiostor: Fix dereference of null pointer rn
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitColin Ian KingJan 29, 2026via nvd-ref
2 files changed · +4 −4
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 34bde6650fae0f..356a7c577ec3ef 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 34bde6650fae0f..356a7c577ec3ef 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
25d623f0d77cscsi: csiostor: Fix dereference of null pointer rn
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitColin Ian KingJan 29, 2026via nvd-ref
2 files changed · +4 −4
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 05e1a63e00c3a1..ed40ae6b9800c0 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
drivers/scsi/csiostor/csio_scsi.c+2 −2 modifieddiff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c index 05e1a63e00c3a1..ed40ae6b9800c0 100644 --- a/drivers/scsi/csiostor/csio_scsi.c +++ b/drivers/scsi/csiostor/csio_scsi.c @@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd) struct csio_scsi_level_data sld; if (!rn) - goto fail; + goto fail_ret; csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n", cmnd->device->lun, rn->flowid, rn->scsi_id); @@ -2220,6 +2220,7 @@ fail_ret_ioreq: csio_put_scsi_ioreq_lock(hw, scsim, ioreq); fail: CSIO_INC_STATS(rn, n_lun_rst_fail); +fail_ret: return FAILED; } -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing NULL-pointer guard before macro expansion allows dereference of null pointer rn in CSIO_INC_STATS."
Attack vector
An attacker who can trigger a SCSI LUN reset operation (via the SCSI error handler) that reaches `csio_eh_lun_reset_handler` with a NULL `rn` pointer will cause a null-pointer dereference. The `rn` pointer is checked for NULL at the top of the function, but the original code jumped to the `fail` label which unconditionally passed `rn` to the `CSIO_INC_STATS` macro, leading to a kernel crash or denial of service.
Affected code
The vulnerable code is in `drivers/scsi/csiostor/csio_scsi.c` in the function `csio_eh_lun_reset_handler`. The error exit path at the `fail` label unconditionally calls the macro `CSIO_INC_STATS(rn, n_lun_rst_fail)`, which dereferences the pointer `rn` even when `rn` is NULL [patch_id=2662038].
What the fix does
The patch changes the `if (!rn)` branch from `goto fail` to `goto fail_ret`, and adds a new label `fail_ret:` after the `CSIO_INC_STATS` call so that the function returns `FAILED` without ever dereferencing the NULL pointer `rn` [patch_id=2662038]. This ensures the statistics macro is only reached when `rn` is valid, closing the null-pointer dereference.
Preconditions
- inputThe SCSI error handler must invoke csio_eh_lun_reset_handler with a NULL rn pointer.
- configThe csiostor driver must be loaded and managing a Chelsio FCoE adapter.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- git.kernel.org/stable/c/16ccbfddcb32365138c806cf572e69b42a193c5cnvd
- git.kernel.org/stable/c/1982257570b84dc33753d536dd969fd357a014e9nvd
- git.kernel.org/stable/c/25ab5e97d3c5f3ed594b4a65d1cc99dc24756681nvd
- git.kernel.org/stable/c/25d623f0d77c11a256a54e860d00c239aa9a2583nvd
- git.kernel.org/stable/c/3bbbab7b6949c76df64210348adbefedaabbf549nvd
- git.kernel.org/stable/c/44ef9f81392de885883f73b9f5c43936a82ae9d7nvd
- git.kernel.org/stable/c/526ea3c0ccd495b0079db3e28fdddd51c1bf01f7nvd
- git.kernel.org/stable/c/6037124dbf675fbd0a6248aaf04cf07387b8c323nvd
News mentions
0No linked articles in our index yet.