Linux Kernel SCSI mpt3sas Transport Port Removal Crash Vulnerability

Vulnerability

A vulnerability in the Linux kernel's SCSI mpt3sas driver can lead to a crash during the removal of a transport port. The removal process may attempt to access a SAS transport device that has already been partially unregistered or freed, resulting in a general protection fault. The root cause lies in the logging mechanism used during the port removal process, which can reference invalid memory. The vulnerability affects several versions of the Linux kernel, including 6.16.0-rc1 and prior releases. It can be triggered by manually removing a SCSI device while the kernel is running, particularly if the device is being managed by the mpt3sas driver.

Impact

The vulnerability causes a kernel crash due to a general protection fault, which occurs when the kernel tries to access an invalid memory address. This type of crash can lead to system instability, requiring a reboot to recover.
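For triage, the crash described above can be recognised in kernel logs as a general protection fault whose call trace contains frames from the mpt3sas module. The following is an added example, not code from this advisory or from the kernel project; the log excerpt, symbol names, offsets and addresses in it are constructed for illustration.

```python
import re

# Constructed dmesg excerpt for illustration (not captured from a real host);
# symbol names, offsets and addresses are assumptions.
SAMPLE_LOG = """\
[  812.350] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI
[  812.351] CPU: 3 PID: 4321 Comm: rmmod Not tainted 6.16.0-rc1 #1
[  812.352] Call Trace:
[  812.353]  <TASK>
[  812.354]  ? dev_printk_emit+0x4e/0x70
[  812.355]  mpt3sas_transport_port_remove+0x1a2/0x2d0 [mpt3sas]
[  812.356]  scsih_remove+0x2f1/0x410 [mpt3sas]
[  812.357]  </TASK>
[  812.358] ---[ end trace 0000000000000000 ]---
[  900.000] general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#2] SMP
[  900.001] CPU: 1 PID: 77 Comm: kworker/1:1 Tainted: G      D  6.16.0-rc1 #1
[  900.002] Call Trace:
[  900.003]  example_other_fn+0x10/0x20 [example_mod]
[  900.004] ---[ end trace 0000000000000000 ]---
"""

# A call-trace frame: symbol+0xoff/0xsize, optionally followed by [module].
FRAME = re.compile(r"(\w[\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?")
COMM = re.compile(r"\bComm: (\S+)")

def find_gpf_in_module(log_text, module="mpt3sas"):
    """Return one dict per general-protection-fault oops whose call trace
    has at least one frame inside `module`."""
    hits, cur = [], None
    def flush():
        if cur and cur["frames"]:
            hits.append(cur)
    for line in log_text.splitlines():
        if "general protection fault" in line:
            flush()                      # previous oops may lack an end marker
            cur = {"comm": None, "frames": []}
        elif cur is not None and "---[ end trace" in line:
            flush()
            cur = None
        elif cur is not None:
            comm = COMM.search(line)
            if comm and cur["comm"] is None:
                cur["comm"] = comm.group(1)
            frame = FRAME.search(line)
            if frame and frame.group(2) == module:
                cur["frames"].append(frame.group(1))
    flush()                              # log truncated mid-oops
    return hits
```

The matching is prefix-agnostic, so the same function can be fed saved `dmesg` output or kernel lines exported from a journal.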

Reproduction

To reproduce this vulnerability, load a SCSI device that uses the mpt3sas driver. Then, manually remove the device using the 'rmmod' command. The kernel will attempt to log the removal process, but if the device has already been unregistered or freed, it will cause a crash by accessing an invalid memory address.

Remediation

Users can upgrade to a patched version of the Linux kernel where this vulnerability has been addressed. The specific commit that fixes this issue is 1703fe4f8ae50d1fb6449854e1fcaed1053e3a14.

Added: Nov 12, 2025, 12:24 PM
Updated: Nov 12, 2025, 6:00 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.