Linux Kernel SCSI LPFC Loopback Handling Vulnerability Leading to System Oops

Vulnerability

A vulnerability in the Linux kernel's SCSI LPFC driver, caused by improper handling of external loopback tests, has been addressed. When an external loopback plug is used, the system recognizes the loopback and correctly processes the FLOGI request by aborting it. However, after the loopback is removed and the port is connected to a target device, the system faults in the 'lpfc_set_rrq_active()' routine. The cause is a reference counting error: the completion of a new FLOGI request releases a fabric node, which is then incorrectly referenced by the original ABTS command that has not been properly updated, causing the system to 'oops'. The fix adds a flag that tracks loopback mode and prevents the ABTS from being sent while it is active.

Impact

The vulnerability can lead to a system 'oops', causing a kernel panic or similar fault condition.

Reproduction

To reproduce this vulnerability, insert an external loopback plug and allow a short test to complete. After removing the loopback, connect a normal cable to a target device. The system will 'oops' in the 'lpfc_set_rrq_active()' routine due to a reference counting error caused by the loopback handling.

Remediation

The vulnerability has been addressed in the Linux kernel by modifying the SCSI LPFC driver's loopback handling to prevent the ABTS command from being sent when a loopback is active.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.