Linux Kernel SCSI lpfc Driver Null Pointer Dereference Vulnerability Leading to Use-After-Free

A vulnerability in the Linux kernel's SCSI lpfc driver can cause a null pointer dereference, resulting in a use-after-free error. This issue arises when the function lpfc_issue_els_flogi() fails and returns a non-zero status. The nodereference count is then decremented, prematurely releasing the nodelist structure. If there is pending work from a prior registration or a dev-loss-evt event, the released node is referenced again, causing the null pointer dereference. A similar issue occurs when processing non-zero ELS PLOGI completion statuses, where the node may be released too early, leading to the same use-after-free dereference when the dev-loss-evt work is completed.

Impact

Exploitation of this vulnerability causes a null pointer dereference, leading to a use-after-free condition. This can potentially be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the system.