James Smart

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A NULL pointer dereference issue has been identified in the Linux kernel, specifically in the scsi: lpfc component. The issue arises when calls to the `starget to rport()` function return NULL, and subsequently, the returned `rport` value is dereferenced without a proper NULL check. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A resource leak issue has been identified in the Linux kernel, specifically in the lpfc sli4 send seq to ulp() function. When no handler is found in lpfc complete unsol iocb() to match the rctl of a received frame, the frame is dropped, resulting in a resource leak. The issue is resolved by returning resources when discarding an unhandled frame type and updating the lpfc fc frame check() handling of NOP basic link service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free crash can occur in the Linux kernel after an ELS LOGO is aborted, specifically when the discovery state machine is mistakenly called a second time with the NLP EVT DEVICE RM argument. This happens because a nodelist structure is freed and then `ndlp->vport->cfg log verbose` is dereferenced in `lpfc nlp get()`. The issue is resolved by reworking `lpfc cmpl els logo()` to prevent duplicate calls to release a nodelist structure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A null pointer dereference issue has been identified in the Linux kernel, specifically in the lpfc driver. This issue occurs when the `lpfc issue els flogi()` function fails and returns a non-zero status, causing the node reference count to be decremented prematurely. If there are pending registrations or dev-loss-evt work, the node may be released too early, resulting in a use-after-free null pointer dereference. A similar issue arises when processing non-zero ELS PLOGI completion status in `lpfc cmpl els plogi()`, where the node may be released prematurely, leading to a use-after-free ndlp dereference. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A deadlock issue in the Linux kernel's SCSI I/O completion and abort handler has been identified. This issue occurs during stress I/O tests with 500+ vports, resulting in hard LOCKUP call traces. The problem arises from the incorrect ordering of lock acquisition in the `lpfc abort handler` routine, specifically with `lpfc cmd->buf lock` and `phba->hbalock`. This can lead to a deadlock situation between two CPUs. **Recommendations** To resolve this issue, the `lpfc abort handler` routine should be modified to take the `lpfc cmd->buf lock` before `phba->hbalock`. This reordering prevents the deadlock situation from occurring. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A hard lockup issue in the Linux kernel has been identified, specifically in the lpfc driver. The problem occurs when attempting to log a message with LOG TRACE EVENT, resulting in a system hang. The call trace indicates a deadlock situation where the same CPU tries to claim the phba->port list lock twice. The issue arises from the lpfc dmp dbg() function being called without proper checks. **Recommendations** To resolve this issue, move the cfg log verbose checks as part of the lpfc printf vlog() and lpfc printf log() macros before calling lpfc dmp dbg(). Additionally, remove the need to take the phba->port list lock within lpfc dmp dbg(). At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free error in the `lpfc unreg rpi()` routine. The `NLP REG LOGIN SEND` `nlp flag` is set in `lpfc reg fab ctrl node()`, but not cleared upon completion of the login, allowing a second call to `lpfc unreg rpi()` to proceed with `nlp rpi` set to `LPFC RPI ALLOW ERROR`. This results in a use-after-free access when used as an `rpi ids` array index. The error is detected with the report "KASAN: use-after-free in `lpfc unreg rpi+0x1b1b`". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a NULL pointer dereference in the Linux kernel's lpfc component. This occurs when an FC link down transition happens while PLOGIs are outstanding to fabric well-known addresses, resulting in outstanding ABTS requests. The Link down processing leads to ABTS requests for outstanding ELS requests, and the Abort WQEs are sent before the driver sets the link state to down. In some conditions, the driver may auto-complete the ELSs, and if the link comes up, the Abort completions may reference an invalid structure. The estimated number of potentially affected devices worldwide is not provided. There is no information about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a list corruption vulnerability in the Linux kernel's lpfc driver. When the driver attempts to pass requests to the adapter and fails, a local `fail msg` string is set, and a log message is output. The job is then added to a completions list for cancellation. However, since `fail msg` remains set, subsequent jobs are added to the completions list regardless of whether a wqe was passed to the adapter, resulting in list corruption. The fix involves clearing the `fail msg` string after adding a job to the completions list. This prevents subsequent jobs from being added to the completions list unless they had an appropriate failure. The vulnerability may allow an attacker to execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a null pointer dereference in the `lpfc prep els iocb()` function. This can occur when `lpfc issue els plogi()` is called with a `did` for which no matching `ndlp` is found, resulting in a null pointer to a `lpfc nodelist` structure. The fix involves returning an error status if no valid `ndlp` is found and updating comments regarding `ndlp` reference counting. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.