CVE-2024-42287 in Linux
Summary
by MITRE • 08/17/2024
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Complete command early within lock
A crash was observed while performing NPIV and FW reset,
BUG: kernel NULL pointer dereference, address: 000000000000001c
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 1 PREEMPT_RT SMP NOPTI
RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0
RSP: 0018:ffffc90026f47b88 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000002
RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8881041130d0
RBP: ffff8881041130d0 R08: 0000000000000000 R09: 0000000000000034
R10: ffffc90026f47c48 R11: 0000000000000031 R12: 0000000000000000
R13: 0000000000000000 R14: ffff8881565e4a20 R15: 0000000000000000
FS: 00007f4c69ed3d00(0000) GS:ffff889faac80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000001c CR3: 0000000288a50002 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 ? __die_body+0x1a/0x60
 ? page_fault_oops+0x16f/0x4a0
 ? do_user_addr_fault+0x174/0x7f0
 ? exc_page_fault+0x69/0x1a0
 ? asm_exc_page_fault+0x22/0x30
 ? dma_direct_unmap_sg+0x51/0x1e0
 ? preempt_count_sub+0x96/0xe0
 qla2xxx_qpair_sp_free_dma+0x29f/0x3b0 [qla2xxx]
 qla2xxx_qpair_sp_compl+0x60/0x80 [qla2xxx]
 __qla2x00_abort_all_cmds+0xa2/0x450 [qla2xxx]
The command completion was done early while aborting the commands in the driver unload path, but outside the lock, to avoid the WARN_ON condition of performing dma_free_attr within the lock. However, this caused a race condition when command completion happened via multiple paths, causing a system crash.
Hence, complete the command early in the unload path, but within the lock, to avoid the race condition.
Analysis
by VulDB Data Team • 02/01/2026
The vulnerability CVE-2024-42287 affects the Linux kernel's qla2xxx SCSI driver, which manages QLogic Fibre Channel HBA devices. This issue manifests as a kernel NULL pointer dereference under specific operational conditions involving NPIV (N_Port ID Virtualization) and firmware reset. The crash occurs when the kernel attempts to unmap a scatter-gather list in dma_direct_unmap_sg and faults on address 0x000000000000001c, which the oops reports as a not-present page. The error originates from a race condition in command completion processing in the driver's unload path, where the ordering of operations leaves the command structure open to concurrent access.
The technical flaw stems from an improper implementation of command completion handling within the qla2xxx driver during device unload operations. The original code attempted to avoid triggering a WARN_ON condition by completing commands outside of a lock context, specifically to prevent issues with dma_free_attr operations within locked sections. However, this approach introduced a race condition where multiple code paths could simultaneously attempt to complete the same command, leading to inconsistent state management and ultimately a NULL pointer dereference. The call trace shows the execution flow passing through qla2xxx_qpair_sp_free_dma and qla2xxx_qpair_sp_compl functions before reaching the fatal dma_direct_unmap_sg function, demonstrating how the improper synchronization creates a path to kernel memory corruption.
The operational impact of this vulnerability is significant as it can cause complete system crashes during critical operations involving storage device management. When NPIV and firmware reset operations are performed concurrently with other storage I/O activities, the race condition becomes more likely to manifest, potentially leading to system instability and data loss. The vulnerability affects systems using QLogic Fibre Channel HBAs, particularly those running kernel versions where the problematic code path exists, and can be exploited through legitimate storage operations that trigger the driver's unload and command completion sequences. The issue is particularly concerning in high-availability environments where unexpected system crashes could lead to service disruption and data integrity concerns.
The fix implemented addresses the race condition by ensuring that command completion occurs within the appropriate lock context, thereby preventing concurrent access to shared command structures. This modification aligns with security best practices for kernel driver development, specifically addressing the CWE-362 weakness category related to race conditions in concurrent systems. The solution follows established mitigation patterns for preventing data races in kernel space, similar to techniques recommended in the ATT&CK framework for operating system kernel defenses. By completing commands within the lock, the driver maintains consistent state management and prevents the scenario where a command structure could be freed while another path attempts to access it, thus eliminating the NULL pointer dereference condition that led to system crashes. This approach ensures proper synchronization while maintaining the necessary functionality for clean driver unloading and command abort operations.
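To make the ordering concrete, the following is an added, constructed C model of the two orderings described above (pre-fix: complete after dropping the lock; fixed: complete while still holding it). It is not qla2xxx code: struct cmd, sp_free_dma, sp_compl, abort_all and run_scenario are invented stand-ins for the driver's command structure, its DMA teardown, the second completion path and __qla2x00_abort_all_cmds, and the lock is represented only by comments so the interleaving is deterministic.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model, not qla2xxx code: one command with a mapped DMA list. */
struct cmd {
    int *sg;    /* mapped scatter-gather list, NULL once unmapped */
    bool done;  /* set once the command has been completed */
};

/* Analogue of qla2xxx_qpair_sp_free_dma: 0 on success, -1 when the list is already
 * NULL (the real driver dereferences it inside dma_direct_unmap_sg and oopses). */
static int sp_free_dma(struct cmd *c)
{
    if (c->sg == NULL)
        return -1;
    free(c->sg);
    c->sg = NULL;
    return 0;
}

/* Completion by a second path (e.g. response processing after a FW reset); it
 * runs under the qpair lock and skips commands already marked done. */
static int sp_compl(struct cmd *c)
{
    int rc = c->done ? 0 : sp_free_dma(c);
    c->done = true;
    return rc;
}

/* Unload-path abort. complete_in_lock=true is the fixed ordering; false drops the
 * lock before completion, the pre-fix window the second path can slip into. */
static int abort_all(struct cmd *c, bool complete_in_lock, bool second_path)
{
    int rc;
    /* lock held from here: the command is removed from the outstanding list */
    if (!complete_in_lock && second_path)
        sp_compl(c);               /* lock dropped; racer completes c first */
    rc = sp_free_dma(c);           /* pre-fix + racer: second unmap -> -1 */
    c->done = true;
    /* fixed ordering: lock dropped only now, so the racer sees done and skips */
    if (complete_in_lock && second_path)
        sp_compl(c);
    return rc;
}

static int run_scenario(bool complete_in_lock, bool second_path)
{
    struct cmd c = { calloc(4, sizeof(int)), false };
    return abort_all(&c, complete_in_lock, second_path);
}
```

run_scenario(false, true) returns -1, the double unmap that the real driver turns into the NULL dereference at dma_direct_unmap_sg; every other interleaving returns 0.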