CVE-2024-42289 in Linux
Summary
by MITRE • 08/17/2024
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: During vport delete send async logout explicitly
During vport delete, it is observed that during unload we hit a crash because of stale entries in outstanding command array. For all these stale I/O entries, eh_abort was issued and aborted (fast_fail_io = 2009h) but I/Os could not complete while vport delete is in process of deleting.
BUG: kernel NULL pointer dereference, address: 000000000000001c #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI
Workqueue: qla2xxx_wq qla_do_work [qla2xxx]
RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0 RSP: 0018:ffffa1e1e150fc68 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000001 RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8ce208a7a0d0 RBP: ffff8ce208a7a0d0 R08: 0000000000000000 R09: ffff8ce378aac9c8 R10: ffff8ce378aac8a0 R11: ffffa1e1e150f9d8 R12: 0000000000000000 R13: 0000000000000000 R14: ffff8ce378aac9c8 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8d217f000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000001c CR3: 0000002089acc000 CR4: 0000000000350ee0 Call Trace: qla2xxx_qpair_sp_free_dma+0x417/0x4e0 ? qla2xxx_qpair_sp_compl+0x10d/0x1a0 ? qla2x00_status_entry+0x768/0x2830 ? newidle_balance+0x2f0/0x430 ? dequeue_entity+0x100/0x3c0 ? qla24xx_process_response_queue+0x6a1/0x19e0 ? __schedule+0x2d5/0x1140 ? qla_do_work+0x47/0x60 ? process_one_work+0x267/0x440 ? process_one_work+0x440/0x440 ? worker_thread+0x2d/0x3d0 ? process_one_work+0x440/0x440 ? kthread+0x156/0x180 ? set_kthread_struct+0x50/0x50 ? ret_from_fork+0x22/0x30
Send out async logout explicitly for all the ports during vport delete.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/01/2026
The vulnerability described in CVE-2024-42289 affects the Linux kernel's qla2xxx driver, which is responsible for managing QLogic Fibre Channel host bus adapters. This issue manifests during the deletion of virtual ports (vports) within the SCSI subsystem, specifically when the driver attempts to clean up outstanding I/O operations. The root cause stems from improper handling of stale entries in the outstanding command array, leading to a kernel NULL pointer dereference and subsequent system crash. The crash occurs because the driver fails to properly terminate pending I/O operations before proceeding with vport deletion, resulting in dangling pointers and memory access violations.
The technical flaw involves the driver's failure to explicitly send asynchronous logout messages for all active ports during vport deletion. When the system attempts to unload or remove a virtual port, the existing code path issues eh_abort commands with fast_fail_io set to 2009h, but these abort operations do not guarantee completion of I/O requests before the deletion process continues. This creates a race condition where stale I/O entries remain in memory while the vport deletion process attempts to access them, triggering a NULL pointer dereference at address 0x1c during DMA unmap operations. The error occurs in the dma_direct_unmap_sg function, indicating that the driver tries to unmap scatter-gather lists associated with already-terminated but not fully cleaned up I/O operations.
The operational impact of this vulnerability is significant as it can lead to complete system crashes and potential data loss during normal operations involving virtual port management. The issue affects systems using QLogic Fibre Channel adapters where virtual ports are frequently created and destroyed, such as in enterprise storage environments or virtualized infrastructures. The crash occurs in the kernel's workqueue context (qla2xxx_wq), specifically within the qla_do_work function, making it particularly disruptive as it can affect the stability of the entire storage subsystem. This vulnerability directly relates to CWE-476, which describes NULL pointer dereference conditions, and aligns with ATT&CK technique T1490, which covers data destruction through system crashes or corruption.
The mitigation strategy involves explicitly sending asynchronous logout messages for all ports during vport deletion, ensuring that all pending I/O operations are properly terminated before proceeding with cleanup. This approach addresses the race condition by guaranteeing that no stale entries remain in the outstanding command array. The fix requires modifications to the vport deletion code path to ensure proper cleanup of I/O contexts before allowing the deletion process to complete. Organizations should update their kernel versions to include this patch, particularly those operating mission-critical storage environments where virtual port management is frequent. The solution follows established best practices for resource cleanup in kernel drivers and aligns with security standards that emphasize proper resource management and prevention of dangling pointer conditions in kernel space operations.