CVE-2025-68818

EPSS 0.03%
Veröffentlicht 13.01.2026 15:29:22
Zuletzt bearbeitet 19.01.2026 13:16:15
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"

This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.

The commit being reverted added code to __qla2x00_abort_all_cmds() to
call sp->done() without holding a spinlock.  But unlike the older code
below it, this new code failed to check sp->cmd_type and just assumed
TYPE_SRB, which results in a jump to an invalid pointer in target-mode
with TYPE_TGT_CMD:

qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success
  0000000009f7a79b
qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h
  mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.
qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer
qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event
  0x8002 occurred
qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -
  ha=0000000058183fda.
BUG: kernel NULL pointer dereference, address: 0000000000000000
PF: supervisor instruction fetch in kernel mode
PF: error_code(0x0010) - not-present page
PGD 0 P4D 0
Oops: 0010 [#1] SMP
CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G           O       6.1.133 #1
Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206
RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000
RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0
RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045
R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40
R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400
FS:  0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ? __die+0x4d/0x8b
 ? page_fault_oops+0x91/0x180
 ? trace_buffer_unlock_commit_regs+0x38/0x1a0
 ? exc_page_fault+0x391/0x5e0
 ? asm_exc_page_fault+0x22/0x30
 __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]
 qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]
 qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]
 qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]
 qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]
 kthread+0xa8/0xd0
 </TASK>

Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within
lock") added the spinlock back, because not having the lock caused a
race and a crash.  But qla2x00_abort_srb() in the switch below already
checks for qla2x00_chip_is_down() and handles it the same way, so the
code above the switch is now redundant and still buggy in target-mode.
Remove it.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 10

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version < b04b3733fff7e94566386b962e4795550fbdfd3d

Version 231cfa78ec5badd84a1a2b09465bfad1a926aba1

Status affected

Version < 50b097d92c99f718831b8b349722bc79f718ba1b

Version d6f7377528d2abf338e504126e44439541be8f7d

Status affected

Version < c5c37a821bd1708f26a9522b4a6f47b9f7a20003

Version cd0a1804ac5bab2545ac700c8d0fe9ae9284c567

Status affected

Version < e9e601b7df58ba0c667baf30263331df2c02ffe1

Version 0367076b0817d5c75dfb83001ce7ce5c64d803a9

Status affected

Version < b10ebbfd59a535c8d22f4ede6e8389622ce98dc0

Version 0367076b0817d5c75dfb83001ce7ce5c64d803a9

Status affected

Version < 1c728951bc769b795d377852eae1abddad88635d

Version 0367076b0817d5c75dfb83001ce7ce5c64d803a9

Status affected

Version < b57fbc88715b6d18f379463f48a15b560b087ffe

Version 0367076b0817d5c75dfb83001ce7ce5c64d803a9

Status affected

Version 9189f20b4c5307c0998682bb522e481b4567a8b8

Status affected

Version 415d614344a4f1bbddf55d724fc7eb9ef4b39aad

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 6.3

Status affected

Version < 6.3

Version 0

Status unaffected

Version <= 5.10.*

Version 5.10.248

Status unaffected

Version <= 5.15.*

Version 5.15.198

Status unaffected

Version <= 6.1.*

Version 6.1.160

Status unaffected

Version <= 6.6.*

Version 6.6.120

Status unaffected

Version <= 6.12.*

Version 6.12.64

Status unaffected

Version <= 6.18.*

Version 6.18.3

Status unaffected

Version <= *

Version 6.19-rc1

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.088

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://git.kernel.org/stable/c/c5c37a821bd1708f26a9522b4a6f47b9f7a20003

https://git.kernel.org/stable/c/e9e601b7df58ba0c667baf30263331df2c02ffe1

https://git.kernel.org/stable/c/b10ebbfd59a535c8d22f4ede6e8389622ce98dc0

https://git.kernel.org/stable/c/1c728951bc769b795d377852eae1abddad88635d

https://git.kernel.org/stable/c/b57fbc88715b6d18f379463f48a15b560b087ffe

https://git.kernel.org/stable/c/50b097d92c99f718831b8b349722bc79f718ba1b

https://git.kernel.org/stable/c/b04b3733fff7e94566386b962e4795550fbdfd3d

https://nvd.nist.gov/vuln/detail/CVE-2025-68818

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-68818

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-68818

EUVD