Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- 5.14.0-503.34.1.el9_5
A double free vulnerability in the Linux kernel's QLA2XXX SCSI driver has been fixed. The issue was observed to lead to a kernel panic, with the system unable to handle a page fault for a specific address. The fault was a supervisor write access in kernel mode, indicating that the kernel attempted to write to a memory page that was not present, causing a crash. The vulnerability arose because some routines in the QLA2XXX BSG (Block Storage Gateway) implementation called the 'bsg_done()' function to signal completion for failure cases, contrary to the standard practice of reserving this call for successful operations. This improper handling created a double free scenario, where the same memory was freed multiple times, leading to instability and the observed kernel panic.
Exploitation of this vulnerability caused a kernel panic, disrupting system operations and potentially leading to a denial of service.
The vulnerability can be reproduced by using the QLA2XXX SCSI driver in the Linux kernel version 5.14.0-503.34.1.el9_5.x86_64. When certain vendor-specific commands are processed, the driver incorrectly invokes 'bsg_done()' for failure cases, causing a double free of memory. This mismanagement leads to a kernel panic, as the system encounters a page fault for a memory address that is not valid, disrupting normal operations.
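The failure-path pattern described above, as an added user-space model in C (not the driver's code and not from the original page). The handler and dispatcher names are hypothetical, completion is counted rather than freeing memory, and the caller completing the job on a non-zero return is an assumption.

```c
#include <stdio.h>

/* Hypothetical stand-in for a BSG job; not the kernel's structure. */
struct job {
    int result;
    int done_calls;   /* completions seen; more than 1 models a double free */
};

/* Models bsg_done(): in the kernel, completion releases the job.
 * Here the calls are only counted so the model stays memory-safe. */
static void job_done(struct job *j, int result)
{
    j->result = result;
    j->done_calls++;
}

/* Buggy vendor-command handler: completes the job on failure too. */
static int vendor_cmd_buggy(struct job *j, int hw_ok)
{
    int rval = hw_ok ? 0 : -5;   /* -5 is a constructed error code */
    job_done(j, rval);           /* runs even when rval != 0 */
    return rval;
}

/* Corrected handler: completes only on success, caller owns failure. */
static int vendor_cmd_fixed(struct job *j, int hw_ok)
{
    int rval = hw_ok ? 0 : -5;
    if (!rval)
        job_done(j, 0);
    return rval;
}

/* Assumed caller contract: non-zero return means the caller completes. */
static int dispatch(int (*handler)(struct job *, int), int hw_ok)
{
    struct job j = { 0, 0 };
    int rval = handler(&j, hw_ok);
    if (rval)
        job_done(&j, rval);
    return j.done_calls;
}

int main(void)
{
    printf("buggy, failure: %d completions\n", dispatch(vendor_cmd_buggy, 0));
    printf("fixed, failure: %d completions\n", dispatch(vendor_cmd_fixed, 0));
    printf("fixed, success: %d completions\n", dispatch(vendor_cmd_fixed, 1));
    return 0;
}
```

When reviewing similar handlers, a completion count above one on any error path is the condition to flag.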
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that fixes this issue is available in the Linux stable repository.