In the Linux kernel, the following vulnerability has been resolved:
scsi: hisi_sas: Fix NULL pointer exception during user_scan()
user_scan() invokes updated sas_user_scan() for channel 0, and if successful, iteratively scans remaining channels (1 to shost->max_channel) via scsi_scan_host_selected() in commit 37c4e72b0651 ("scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans"). However, hisi_sas supports only one channel, and the current value of max_channel is 1. sas_user_scan() for channel 1 will trigger the following NULL pointer exception:
[ 441.554662] Unable to handle kernel NULL pointer dereference at virtual address 00000000000008b0
[ 441.554699] Mem abort info:
[ 441.554710] ESR = 0x0000000096000004
[ 441.554718] EC = 0x25: DABT (current EL), IL = 32 bits
[ 441.554723] SET = 0, FnV = 0
[ 441.554726] EA = 0, S1PTW = 0
[ 441.554730] FSC = 0x04: level 0 translation fault
[ 441.554735] Data abort info:
[ 441.554737] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 441.554742] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 441.554747] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 441.554752] user pgtable: 4k pages, 48-bit VAs, pgdp=00000828377a6000
[ 441.554757] [00000000000008b0] pgd=0000000000000000, p4d=0000000000000000
[ 441.554769] Internal error: Oops: 0000000096000004 [#1] SMP
[ 441.629589] Modules linked in: arm_spe_pmu arm_smmuv3_pmu tpm_tis_spi hisi_uncore_sllc_pmu hisi_uncore_pa_pmu hisi_uncore_l3c_pmu hisi_uncore_hha_pmu hisi_uncore_ddrc_pmu hisi_uncore_cpa_pmu hns3_pmu hisi_ptt hisi_pcie_pmu tpm_tis_core spidev spi_hisi_sfc_v3xx hisi_uncore_pmu spi_dw_mmio fuse hclge hclge_common hisi_sec2 hisi_hpre hisi_zip hisi_qm hns3 hisi_sas_v3_hw sm3_ce sbsa_gwdt hnae3 hisi_sas_main uacce hisi_dma i2c_hisi dm_mirror dm_region_hash dm_log dm_mod
[ 441.670819] CPU: 46 UID: 0 PID: 6994 Comm: bash Kdump: loaded Not tainted 7.0.0-rc2+ #84 PREEMPT
[ 441.691327] pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 441.698277] pc : sas_find_dev_by_rphy+0x44/0x118
[ 441.702896] lr : sas_find_dev_by_rphy+0x3c/0x118
[ 441.707502] sp : ffff80009abbba40
[ 441.710805] x29: ffff80009abbba40 x28: ffff082819a40008 x27: ffff082810c37c08
[ 441.717930] x26: ffff082810c37c28 x25: ffff082819a40290 x24: ffff082810c37c00
[ 441.725054] x23: 0000000000000000 x22: 0000000000000001 x21: ffff082819a40000
[ 441.732179] x20: ffff082819a40290 x19: 0000000000000000 x18: 0000000000000020
[ 441.739304] x17: 0000000000000000 x16: ffffb5dad6bda690 x15: 00000000ffffffff
[ 441.746428] x14: ffff082814c3b26c x13: 00000000ffffffff x12: ffff082814c3b26a
[ 441.753553] x11: 00000000000000c0 x10: 000000000000003a x9 : ffffb5dad5ea94f4
[ 441.760678] x8 : 000000000000003a x7 : ffff80009abbbab0 x6 : 0000000000000030
[ 441.767802] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[ 441.774926] x2 : ffff08280f35a300 x1 : ffffb5dad7127180 x0 : 0000000000000000
[ 441.782053] Call trace:
[ 441.784488] sas_find_dev_by_rphy+0x44/0x118 (P)
[ 441.789095] sas_target_alloc+0x24/0xb0
[ 441.792920] scsi_alloc_target+0x290/0x330
[ 441.797010] __scsi_scan_target+0x88/0x258
[ 441.801096] scsi_scan_channel+0x74/0xb8
[ 441.805008] scsi_scan_host_selected+0x170/0x188
[ 441.809615] sas_user_scan+0xfc/0x148
[ 441.813267] store_scan+0x10c/0x180
[ 441.816743] dev_attr_store+0x20/0x40
[ 441.820398] sysfs_kf_write+0x84/0xa8
[ 441.824054] kernfs_fop_write_iter+0x130/0x1c8
[ 441.828487] vfs_write+0x2c0/0x370
[ 441.831880] ksys_write+0x74/0x118
[ 441.835271] __arm64_sys_write+0x24/0x38
[ 441.839182] invoke_syscall+0x50/0x120
[ 441.842919] el0_svc_common.constprop.0+0xc8/0xf0
[ 441.847611] do_el0_svc+0x24/0x38
[ 441.850913] el0_svc+0x38/0x158
[ 441.854043] el0t_64_sync_handler+0xa0/0xe8
[ 441.858214] el0t_64_sync+0x1ac/0x1b0
[ 441.861865] Code: aa1303e0 97ff70a8 34ffff80 d10a4273 (f9445a75)
[ 441.867946] ---[ end trace 0000000000000000 ]---
Therefore ---truncated---
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43413.json",
"cna_assigner": "Linux"
}