Linux Kernel Virtual Fibre Channel Timeout Handling Vulnerability in Storvsc Driver Causes Kernel Panic

A vulnerability in the Linux kernel's storvsc driver for Hyper-V can lead to a kernel panic. This issue arises when the driver, which manages virtual Fibre Channel (vFC) devices presented as SCSI devices in guest VMs, improperly handles FC transport timeouts. The root of the problem is a partial integration with the Linux SCSI subsystem's FC transport, which allows FC attributes to be displayed in the system. However, this integration is flawed, as it can cause the FC transport timeout function to dereference a NULL pointer, leading to a panic. The issue occurs because the function cannot locate the required resource port (rport) during a timeout, which often results from transient conditions. The original patch that introduced this behavior is defective, as it fails to account for these nuances. The vulnerability affects several versions of the Linux kernel.

Impact

The vulnerability causes a kernel panic by dereferencing a NULL pointer, which can disrupt system operations and lead to a crash.

Reproduction

The vulnerability can be reproduced by connecting virtual Fibre Channel LUNs to a Hyper-V host and accessing them through a VM using the storvsc driver. When a timeout occurs, the FC transport's timeout handling will attempt to reference a resource that is not available, causing a kernel panic. This issue has been reported by users who experienced panics due to transient timeouts, which the original integration failed to manage properly.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability. The patch removes the faulty call from the storvsc driver's timeout handler to the FC transport's timeout handler, allowing the driver to properly manage transient timeouts without causing a panic.