Linux Kernel NULL Pointer Dereference Vulnerability in hisi_sas SCSI Driver

Vulnerability

A NULL pointer dereference vulnerability has been identified in the hisi_sas SCSI driver of the Linux kernel. The issue arises in user_scan(), which calls sas_user_scan() for channel 0 and, if that call succeeds, goes on to scan the remaining channels (1 to shost->max_channel) using scsi_scan_host_selected(). However, the hisi_sas driver supports only one channel, yet max_channel is incorrectly set to 1. Because of this discrepancy, sas_user_scan() for channel 1 triggers a NULL pointer exception, leading to a kernel crash.

Impact

Exploitation of this vulnerability causes a kernel crash due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by invoking the user_scan() function in the hisi_sas SCSI driver when the max_channel is set to 1. This can be done by triggering a scan that requires the second channel, which does not exist, causing a NULL pointer dereference.

Remediation

The vulnerability has been fixed by setting the max_channel value to 0 in the hisi_sas driver. Users should apply the latest patches available in the Linux kernel stable tree to address this issue.
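
The scan flow and the fix described above, as an added userspace model (not kernel or hisi_sas code): max_channel is an inclusive upper index, so a one-channel host set to 1 advertises a channel that has no backing state. The struct layout, the names model_host, chan_state, scan_channel, model_user_scan and unbacked_channels, and the sample values are assumptions made for illustration.

```c
#include <stdio.h>

#define MODEL_CHANNELS 2        /* size of this model's array, not a kernel constant */
#define SCAN_NULL_CHANNEL (-2)  /* marks where unguarded code would dereference NULL */

/* Hypothetical per-channel state a driver sets up for each channel it supports. */
struct chan_state { int devices; };
struct model_host {
    unsigned int max_channel;                /* highest valid index, inclusive */
    struct chan_state *chan[MODEL_CHANNELS]; /* NULL: channel does not exist */
};

/* Guarded stand-in for scanning one channel. */
static int scan_channel(const struct model_host *h, unsigned int c)
{
    if (c >= MODEL_CHANNELS || h->chan[c] == NULL)
        return SCAN_NULL_CHANNEL;
    return h->chan[c]->devices;
}

/* Flow from the advisory: channel 0 first, then 1..max_channel on success. */
static int model_user_scan(const struct model_host *h)
{
    int total = scan_channel(h, 0);
    for (unsigned int c = 1; total >= 0 && c <= h->max_channel; c++) {
        int n = scan_channel(h, c);
        total = (n < 0) ? n : total + n;
    }
    return total;
}

/* Audit helper: channels advertised via max_channel that have no backing state. */
static unsigned int unbacked_channels(const struct model_host *h)
{
    unsigned int missing = 0;
    for (unsigned int c = 0; c <= h->max_channel; c++)
        missing += (c >= MODEL_CHANNELS || h->chan[c] == NULL);
    return missing;
}

int main(void)
{
    struct chan_state ch0 = { .devices = 3 };  /* constructed sample data */
    struct model_host before = { .max_channel = 1, .chan = { &ch0, NULL } };
    struct model_host after  = { .max_channel = 0, .chan = { &ch0, NULL } };
    printf("max_channel=1: scan=%d unbacked=%u\n", model_user_scan(&before), unbacked_channels(&before));
    printf("max_channel=0: scan=%d unbacked=%u\n", model_user_scan(&after), unbacked_channels(&after));
    return 0;
}
```
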

Added: May 8, 2026, 8:47 PM
Updated: May 8, 2026, 8:47 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.