Linux Kernel SCSI UFS NULL Pointer Dereference Vulnerability in Command Trace Function

Vulnerability

A vulnerability in the Linux kernel's SCSI UFS subsystem can lead to a NULL pointer dereference in the 'ufshcd_add_command_trace' function. The issue occurs when the 'ufshcd_mcq_req_to_hwq' function returns NULL and the trace code then reads the hardware queue's ID through that pointer, crashing the kernel. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability causes a kernel crash due to a NULL pointer dereference.

Reproduction

The vulnerability can be reproduced by enabling the multi-queue (MCQ) feature in the UFS driver. When a command trace is added, the 'ufshcd_mcq_req_to_hwq' function may return NULL, leading to a crash when the code attempts to access the ID of the non-existent hardware queue. This can be observed in the kernel log, which will show a series of 'notify_die' messages indicating a fatal error caused by the NULL pointer dereference.
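
The failure mode described above, modelled in userspace C as an added example (not the kernel's code and not the upstream patch). Every model_* name is hypothetical, and the condition under which the lookup returns NULL (a request with no mapped queue) is an assumption made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model only: every model_* name is hypothetical, not kernel code. */
#define MODEL_NO_HWQ UINT32_MAX          /* sentinel recorded when no queue exists */

struct model_hwq   { uint32_t id; };
struct model_req   { int hctx_idx; };    /* assumed: -1 means "not mapped to a queue" */
struct model_hba   { struct model_hwq *queues; int nr_queues; int mcq_enabled; };
struct model_trace { uint32_t tag; uint32_t hwq_id; };

/* Stand-in for the request-to-hardware-queue lookup; may return NULL. */
static struct model_hwq *model_req_to_hwq(const struct model_hba *hba,
                                          const struct model_req *req)
{
    if (!req || req->hctx_idx < 0 || req->hctx_idx >= hba->nr_queues)
        return NULL;
    return &hba->queues[req->hctx_idx];
}

/* Guarded trace: the queue ID is read only after the lookup result is checked.
 * The crashing pattern is the same code with an unconditional hwq->id read. */
static struct model_trace model_add_command_trace(const struct model_hba *hba,
                                                  const struct model_req *req,
                                                  uint32_t tag)
{
    struct model_trace t = { tag, MODEL_NO_HWQ };

    if (hba->mcq_enabled) {
        struct model_hwq *hwq = model_req_to_hwq(hba, req);
        if (hwq)
            t.hwq_id = hwq->id;
    }
    return t;
}

int main(void)
{
    struct model_hwq queues[2] = { { 10 }, { 11 } };   /* constructed sample */
    struct model_hba hba = { queues, 2, 1 };
    struct model_req mapped = { 1 }, unmapped = { -1 };

    printf("mapped:   hwq_id=%u\n", (unsigned)model_add_command_trace(&hba, &mapped, 7).hwq_id);
    printf("unmapped: hwq_id=%u\n", (unsigned)model_add_command_trace(&hba, &unmapped, 8).hwq_id);
    return 0;
}
```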

Remediation

The vulnerability has been addressed in the Linux kernel. Users can upgrade to the latest version to apply the fix.

Added: May 8, 2026, 6:54 PM
Updated: May 8, 2026, 6:54 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.