Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's QLogic Fibre Channel over Ethernet (FCoE) driver, specifically within the Qla2xxx SCSI driver. This vulnerability can cause a system crash by allowing the 'terminate_rport_io' function to exit prematurely, before all input/output operations have been completed. In FCP-2 devices, I/Os can become stuck in hardware because the driver does not properly terminate the session in firmware at the first indication of a cable disconnection. When the 'dev_loss_tmo' timer expires, 'terminate_rport_io' is invoked, and the upper layer prepares to release various resources. However, this final cleanup process may not be swift enough, leaving the driver still reliant on the same resources. The vulnerability arises because the current implementation does not ensure that all I/Os have been returned to the upper layer before freeing resources, creating a race condition that can lead to a system crash.
Exploitation of this vulnerability causes a system crash due to a use-after-free condition, where resources are freed before all input/output operations have been completed, particularly in FCP-2 devices.
To reproduce this vulnerability, connect a device using the Qla2xxx SCSI driver and initiate I/O operations. Then, simulate a cable pull, which will cause the driver to hang onto the I/O resources. Once the 'dev_loss_tmo' timer expires, the 'terminate_rport_io' function will be called. However, because the session was not properly terminated in firmware, the I/Os will remain stuck in hardware. The 'terminate_rport_io' function will attempt to clean up, but the process may not be fast enough, leading to a use-after-free condition and causing the system to crash.
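The ordering problem described above can be shown with a small deterministic user-space model. This is an added example, not qla2xxx code and not the upstream patch: apart from `terminate_rport_io`, every name here is hypothetical, and the tick clock, the three sample I/Os and the bounded wait are constructed assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: only terminate_rport_io is a name from the advisory. */
struct io { int done_tick; bool returned; };  /* tick when "hardware" returns it */
struct rport_model {
    struct io ios[3];
    int now, late;   /* model clock; completions that arrived after release */
    bool released;   /* upper layer has released its resources */
};

static int outstanding(const struct rport_model *rp)
{
    return !rp->ios[0].returned + !rp->ios[1].returned + !rp->ios[2].returned;
}

/* Advance the clock one tick and deliver every completion that is due. */
static void tick(struct rport_model *rp)
{
    rp->now++;
    for (int i = 0; i < 3; i++) {
        struct io *io = &rp->ios[i];
        if (io->returned || io->done_tick > rp->now)
            continue;
        io->returned = true;
        if (rp->released)
            rp->late++;  /* in the real driver: touching freed memory */
    }
}

/* wait=false returns at once; wait=true blocks for up to max_wait ticks. */
static bool terminate_rport_io(struct rport_model *rp, bool wait, int max_wait)
{
    for (int t = 0; wait && outstanding(rp) && t < max_wait; t++)
        tick(rp);
    return outstanding(rp) == 0;
}

/* Returns how many completions touched already-released resources. */
int simulate(bool wait, int max_wait)
{
    struct rport_model rp = { .ios = { {2, false}, {5, false}, {9, false} } };
    terminate_rport_io(&rp, wait, max_wait);  /* dev_loss_tmo has expired */
    rp.released = true;                       /* upper layer frees on return */
    while (rp.now < 20)
        tick(&rp);
    return rp.late;
}
int main(void) { printf("%d %d %d\n", simulate(false, 0), simulate(true, 20), simulate(true, 4)); return 0; }
```

Returning without waiting leaves all three I/Os to complete against released resources, waiting until the outstanding count reaches zero leaves none, and a wait that is too short still leaves the slower I/Os exposed.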
Users can update to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for updating the kernel can be found in the official Linux documentation.