KernelScan.io

CRITICAL

scsi/qla2xxx fcport double free

CVE-2026-43414

CVSS 9.8 / 10.0 (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 5.0 (MEDIUM)

01

In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Completely fix fcport double free

In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference. qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea.

02

Engine v0.2.0

Risk summary

Systems equipped with QLogic Fibre Channel HBAs are vulnerable to kernel memory corruption and potential crashes when ELS DCMD operations fail. The double free of fcport structures in error handling paths can corrupt kernel heap metadata. Exploitation requires local privileged access to trigger the vulnerable driver state.

Affected: drivers/scsi/qla2xxx/qla_iocb.c (QLogic Fibre Channel driver)

Vulnerability analysis

The vulnerability exists in qla24xx_els_dcmd_iocb() where the fcport structure is freed twice during error handling. The function pointer sp->free is set to qla2x00_els_dcmd_sp_free(), which already invokes qla2x00_free_fcport() when the kref drops to zero. The erroneous code then calls qla2x00_free_fcport(fcport) again in the error paths after kref_put(), resulting in a double free. The fix removes the redundant qla2x00_free_fcport() calls so that the reference counting mechanism alone governs the object lifetime.

03

Branch     | Fixed in | Patch commit
-----------|----------|-------------
5.16       | 5.16     | d48ea85463f5
6.19       | 6.19.9   |
6.2        | 6.2      | c0b7da13a04b
6.7        | 6.7      |
6.8        | 6.8      |
6.9        | 6.9      |
mainline   | 7.0      |