Linux Kernel SCSI UFS QCOM Driver Null Pointer Dereference Vulnerability in ESI Configuration

A null pointer dereference vulnerability has been identified in the Linux kernel's SCSI UFS Qualcomm driver. This issue arises in the Enhanced System Interrupt (ESI) configuration, which is designed to optimize performance by providing dedicated interrupts for each hardware queue. The vulnerability occurs when the platform's Message Signaled Interrupts (MSI) allocation fails, leading to a null pointer dereference. The problem was introduced by a previous commit that removed the improper use of MSI descriptors, but inadvertently caused a regression by mishandling the ESI configuration. The issue can be reproduced on the SM8750 platform with Multi-Channel Queuing (MCQ) enabled, both with and without platform ESI support.

Impact

Exploitation of this vulnerability leads to a kernel panic due to a null pointer dereference, causing a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by enabling Multi-Channel Queuing (MCQ) on a device with the SM8750 platform, and then configuring Enhanced System Interrupt (ESI) support. When the platform's Message Signaled Interrupts (MSI) allocation fails, the driver will attempt to clean up by freeing MSI resources that were never successfully allocated, leading to a null pointer dereference.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.