CVE-2025-68818

In the Linux kernel, the following vulnerability has been resolved:

scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"

This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.

The commit being reverted added code to _qla2x00abortallcmds() to call sp->done() without holding a spinlock. But unlike the older code below it, this new code failed to check sp->cmdtype and just assumed TYPESRB, which results in a jump to an invalid pointer in target-mode with TYPETGTCMD:

qla2xxx [0000:65:00.0]-d034:8: qla24xxdonackwork create sess success 0000000009f7a79b qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h. qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer qla2xxx [0000:65:00.0]-f03a:8: qlatarget(0): System error async event 0x8002 occurred qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery - ha=0000000058183fda. BUG: kernel NULL pointer dereference, address: 0000000000000000 PF: supervisor instruction fetch in kernel mode PF: errorcode(0x0010) - not-present page PGD 0 P4D 0 Oops: 0010 [#1] SMP CPU: 2 PID: 9446 Comm: qla2xxx8_dpc Tainted: G O 6.1.133 #1 Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206 RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000 RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0 RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045 R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40 R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400 FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die+0x4d/0x8b ? pagefaultoops+0x91/0x180 ? tracebufferunlockcommitregs+0x38/0x1a0 ? excpagefault+0x391/0x5e0 ? asmexcpage_fault+0x22/0x30 __qla2x00abortallcmds+0xcb/0x3e0 [qla2xxxscst] qla2x00abortallcmds+0x50/0x70 [qla2xxxscst] qla2x00abortispcleanup+0x3b7/0x4b0 [qla2xxxscst] qla2x00abortisp+0xfd/0x860 [qla2xxxscst] qla2x00dodpc+0x581/0xa40 [qla2xxxscst] kthread+0xa8/0xd0 </TASK>

Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within lock") added the spinlock back, because not having the lock caused a race and a crash. But qla2x00abortsrb() in the switch below already checks for qla2x00chipis_down() and handles it the same way, so the code above the switch is now redundant and still buggy in target-mode. Remove it.