HIGH Published 2026-03-04

scsi qla2xxx BSG Double-Free

CVE-2025-71238

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI7.8HIGH

01Description

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix bsg_done() causing double free Kernel panic observed on system, [5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000 [5353358.825194] #PF: supervisor write access in kernel mode [5353358.825195] #PF: error_code(0x0002) - not-present page [5353358.825196] PGD 100006067 P4D 0 [5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI [5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1 [5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025 [5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10 [5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246 [5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000 [5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000 [5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000 [5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090 [5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000 [5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000 [5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0 [5353358.825221] PKRU: 55555554 [5353358.825222] Call Trace: [5353358.825223] <TASK> [5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825232] ? sg_copy_buffer+0xc8/0x110 [5353358.825236] ? __die_body.cold+0x8/0xd [5353358.825238] ? page_fault_oops+0x134/0x170 [5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110 [5353358.825244] ? exc_page_fault+0xa8/0x150 [5353358.825247] ? asm_exc_page_fault+0x22/0x30 [5353358.825252] ? memcpy_erms+0x6/0x10 [5353358.825253] sg_copy_buffer+0xc8/0x110 [5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx] [5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx] Most routines in qla_bsg.c call bsg_done() only for success cases. However a few invoke it for failure case as well leading to a double free. Validate before calling bsg_done().

02KernelScan AI Analysis

Engine v0.2.0

Risk summary

A local attacker with access to QLogic Fibre Channel adapter management interfaces can trigger kernel memory corruption through double-free conditions, potentially leading to system crashes or privilege escalation. The vulnerability is triggered through BSG interface operations like firmware updates.

Affecteddrivers/scsi/qla2xxx/qla_bsg.c

Vulnerability analysis

Root Cause: The qla2xxx SCSI driver's BSG (Block Storage Gateway) interface has inconsistent error handling where some functions call bsg_done() in both success and failure paths, leading to double-free conditions. When an error occurs, the BSG framework may already have cleaned up resources, but the driver attempts to call bsg_done() again, causing memory corruption.

Attack Surface: This vulnerability affects systems with QLogic Fibre Channel HBAs where userspace applications interact with the BSG interface for firmware updates or management operations. The attack requires local access with sufficient privileges to interact with SCSI BSG devices, typically requiring root or membership in disk/storage groups.

Fix Mechanism: The patch adds conditional checks before calling bsg_job_done() to ensure it's only called when the operation succeeds (ret == 0 or rval == 0). This prevents the double-free by ensuring bsg_job_done() is called exactly once per BSG job, only on successful completion.

03Fix Versions

Branch	Fixed in	Patch commit
5.10	5.10.251	`057a5bdc481e`
5.15	5.15.201	`f2bbb4db0e4a`
6.1	6.1.164	`27ac9679c43a`
6.12	6.12.74	`871f6236da96`
6.18	6.18.13	`31f33b856d23`
6.19	6.19.3	`708003e1bc85`
6.6	6.6.127	`74e7458537cd`
mainline	7.0	`c2c68225b145`