CVE-2024-26929 in Linux
Summary
by MITRE • 05/01/2024
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix double free of fcport
The server was crashing after LOGO because fcport was getting freed twice.
-----------[ cut here ]-----------
kernel BUG at mm/slub.c:371! invalid opcode: 0000 1 SMP PTI CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1 Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021 RIP: 0010:set_freepointer.part.57+0x0/0x10 RSP: 0018:ffffb07107027d90 EFLAGS: 00010246 RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400 RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500 RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009 R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500 R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58 FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: kfree+0x238/0x250 qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx]
? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx]
qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]
? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]
? kernfs_fop_write+0x11e/0x1a0
Remove one of the free calls and add check for valid fcport. Also use function qla2x00_free_fcport() instead of kfree().
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/22/2026
The vulnerability identified in the Linux kernel's qla2xxx SCSI driver represents a critical double free error that can lead to system crashes and potential security implications. This issue specifically affects the Fibre Channel protocol implementation used by QLogic network adapters, where the fcport structure is being freed twice during the LOGO (Logout) process, resulting in memory corruption and kernel panics. The double free vulnerability occurs when the kernel attempts to release the same memory block twice, which violates fundamental memory management principles and can be exploited by malicious actors to gain unauthorized access or cause denial of service conditions.
The technical flaw manifests in the SCSI qla2xxx driver's handling of Fibre Channel port structures during the logout sequence. When a LOGO command is processed, the system executes a double free operation on the fcport structure, causing a kernel BUG trap at mm/slub.c:371 with an invalid opcode error. The stack trace reveals that kfree() is called twice on the same memory location during the qla2x00_els_dcmd_sp_free function execution, which is part of the ELS (Extended Link Services) command processing. This memory corruption occurs because the driver lacks proper validation checks to ensure that fcport structures are not freed multiple times, creating a classic use-after-free scenario that can be exploited to execute arbitrary code or cause system instability.
The operational impact of this vulnerability extends beyond simple system crashes to encompass potential security risks within enterprise storage environments that rely on QLogic SCSI drivers. The vulnerability affects systems running kernel versions including 4.18.0-425.3.1.el8.x86_64 and likely other variants of the Red Hat Enterprise Linux 8 kernel, making it a widespread concern for organizations using HPE ProLiant DL360 Gen10 servers or similar hardware configurations. The crash occurs specifically during the LOGO process when Fibre Channel ports are being terminated, which can happen during normal system operations or when network connectivity is disrupted, potentially causing unexpected service interruptions in mission-critical storage infrastructures. This vulnerability aligns with CWE-415: Double Free, which is categorized under the Common Weakness Enumeration framework as a fundamental memory management error that can lead to arbitrary code execution.
The recommended mitigations for this vulnerability involve implementing proper memory management practices within the driver code. The fix requires removing one of the redundant free calls and adding validation checks to ensure fcport structures are only freed once during the LOGO process. Additionally, the solution recommends using the dedicated function qla2x00_free_fcport() instead of the generic kfree() function, which provides proper cleanup handling specific to the qla2xxx driver's requirements. This approach follows ATT&CK technique T1068: Exploitation for Privilege Escalation by preventing memory corruption that could otherwise be leveraged for privilege escalation. Organizations should apply the kernel patches immediately to prevent exploitation and maintain system stability. The fix addresses the root cause by ensuring proper resource management and eliminating the double free condition that leads to kernel panics and potential security breaches in storage networking environments.