From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2026-43413: scsi: hisi_sas: Fix NULL pointer exception during user_scan()
Date: Fri, 8 May 2026 16:22:22 +0200
Message-ID: <2026050844-CVE-2026-43413-11ed@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

scsi: hisi_sas: Fix NULL pointer exception during user_scan()

user_scan() invokes updated sas_user_scan() for channel 0, and if
successful, iteratively scans remaining channels (1 to
shost->max_channel) via scsi_scan_host_selected() in commit
37c4e72b0651 ("scsi: Fix sas_user_scan() to handle wildcard and
multi-channel scans"). However, hisi_sas supports only one channel, and
the current value of max_channel is 1.
sas_user_scan() for channel 1 will trigger the following NULL pointer
exception:

[ 441.554662] Unable to handle kernel NULL pointer dereference at virtual address 00000000000008b0
[ 441.554699] Mem abort info:
[ 441.554710] ESR = 0x0000000096000004
[ 441.554718] EC = 0x25: DABT (current EL), IL = 32 bits
[ 441.554723] SET = 0, FnV = 0
[ 441.554726] EA = 0, S1PTW = 0
[ 441.554730] FSC = 0x04: level 0 translation fault
[ 441.554735] Data abort info:
[ 441.554737] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 441.554742] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 441.554747] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 441.554752] user pgtable: 4k pages, 48-bit VAs, pgdp=00000828377a6000
[ 441.554757] [00000000000008b0] pgd=0000000000000000, p4d=0000000000000000
[ 441.554769] Internal error: Oops: 0000000096000004 [#1] SMP
[ 441.629589] Modules linked in: arm_spe_pmu arm_smmuv3_pmu tpm_tis_spi hisi_uncore_sllc_pmu hisi_uncore_pa_pmu hisi_uncore_l3c_pmu hisi_uncore_hha_pmu hisi_uncore_ddrc_pmu hisi_uncore_cpa_pmu hns3_pmu hisi_ptt hisi_pcie_pmu tpm_tis_core spidev spi_hisi_sfc_v3xx hisi_uncore_pmu spi_dw_mmio fuse hclge hclge_common hisi_sec2 hisi_hpre hisi_zip hisi_qm hns3 hisi_sas_v3_hw sm3_ce sbsa_gwdt hnae3 hisi_sas_main uacce hisi_dma i2c_hisi dm_mirror dm_region_hash dm_log dm_mod
[ 441.670819] CPU: 46 UID: 0 PID: 6994 Comm: bash Kdump: loaded Not tainted 7.0.0-rc2+ #84 PREEMPT
[ 441.691327] pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 441.698277] pc : sas_find_dev_by_rphy+0x44/0x118
[ 441.702896] lr : sas_find_dev_by_rphy+0x3c/0x118
[ 441.707502] sp : ffff80009abbba40
[ 441.710805] x29: ffff80009abbba40 x28: ffff082819a40008 x27: ffff082810c37c08
[ 441.717930] x26: ffff082810c37c28 x25: ffff082819a40290 x24: ffff082810c37c00
[ 441.725054] x23: 0000000000000000 x22: 0000000000000001 x21: ffff082819a40000
[ 441.732179] x20: ffff082819a40290 x19: 0000000000000000 x18: 0000000000000020
[ 441.739304] x17: 0000000000000000 x16: ffffb5dad6bda690 x15: 00000000ffffffff
[ 441.746428] x14: ffff082814c3b26c x13: 00000000ffffffff x12: ffff082814c3b26a
[ 441.753553] x11: 00000000000000c0 x10: 000000000000003a x9 : ffffb5dad5ea94f4
[ 441.760678] x8 : 000000000000003a x7 : ffff80009abbbab0 x6 : 0000000000000030
[ 441.767802] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[ 441.774926] x2 : ffff08280f35a300 x1 : ffffb5dad7127180 x0 : 0000000000000000
[ 441.782053] Call trace:
[ 441.784488] sas_find_dev_by_rphy+0x44/0x118 (P)
[ 441.789095] sas_target_alloc+0x24/0xb0
[ 441.792920] scsi_alloc_target+0x290/0x330
[ 441.797010] __scsi_scan_target+0x88/0x258
[ 441.801096] scsi_scan_channel+0x74/0xb8
[ 441.805008] scsi_scan_host_selected+0x170/0x188
[ 441.809615] sas_user_scan+0xfc/0x148
[ 441.813267] store_scan+0x10c/0x180
[ 441.816743] dev_attr_store+0x20/0x40
[ 441.820398] sysfs_kf_write+0x84/0xa8
[ 441.824054] kernfs_fop_write_iter+0x130/0x1c8
[ 441.828487] vfs_write+0x2c0/0x370
[ 441.831880] ksys_write+0x74/0x118
[ 441.835271] __arm64_sys_write+0x24/0x38
[ 441.839182] invoke_syscall+0x50/0x120
[ 441.842919] el0_svc_common.constprop.0+0xc8/0xf0
[ 441.847611] do_el0_svc+0x24/0x38
[ 441.850913] el0_svc+0x38/0x158
[ 441.854043] el0t_64_sync_handler+0xa0/0xe8
[ 441.858214] el0t_64_sync+0x1ac/0x1b0
[ 441.861865] Code: aa1303e0 97ff70a8 34ffff80 d10a4273 (f9445a75)
[ 441.867946] ---[ end trace 0000000000000000 ]---

Therefore, set max_channel to 0.

The Linux kernel CVE team has assigned CVE-2026-43413 to this issue.

Affected and fixed versions
===========================

	Issue introduced in 4.13 with commit e21fe3a52692f554efd67957c772c702de627a3a and fixed in 6.6.130 with commit 70c78429ef383e35f9c58848994aeeac8083ae35
	Issue introduced in 4.13 with commit e21fe3a52692f554efd67957c772c702de627a3a and fixed in 6.12.78 with commit 40119a21d9769bf8fdab5c93c6c878296e628abf
	Issue introduced in 4.13 with commit e21fe3a52692f554efd67957c772c702de627a3a and fixed in 6.18.19 with commit 21a13db8d449b9c7eda4471da7f12417602dbbc7
	Issue introduced in 4.13 with commit e21fe3a52692f554efd67957c772c702de627a3a and fixed in 6.19.9 with commit beadac156610a4f3bb15cb7bb4b07b6ac06f6567
	Issue introduced in 4.13 with commit e21fe3a52692f554efd67957c772c702de627a3a and fixed in 7.0 with commit 8ddc0c26916574395447ebf4cff684314f6873a9

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43413
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	drivers/scsi/hisi_sas/hisi_sas_main.c
	drivers/scsi/hisi_sas/hisi_sas_v3_hw.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/70c78429ef383e35f9c58848994aeeac8083ae35
	https://git.kernel.org/stable/c/40119a21d9769bf8fdab5c93c6c878296e628abf
	https://git.kernel.org/stable/c/21a13db8d449b9c7eda4471da7f12417602dbbc7
	https://git.kernel.org/stable/c/beadac156610a4f3bb15cb7bb4b07b6ac06f6567
	https://git.kernel.org/stable/c/8ddc0c26916574395447ebf4cff684314f6873a9
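
Added example, not part of the announcement and not kernel code: a POSIX
shell triage helper that applies the data under "Affected and fixed
versions" to a kernel release string and checks whether hisi_sas_main is
loaded. The function names and the SYSFS_ROOT override are assumptions
made for this example.

```shell
#!/bin/sh
# Added example: classify a kernel.org release string against the version
# data listed for CVE-2026-43413. Function names and SYSFS_ROOT are hypothetical.

cve_2026_43413_status() {
    rel=$1
    # Keep the leading numeric part only: "6.12.78-rc1+" -> "6.12.78"
    ver=$(printf '%s\n' "$rel" | sed -n 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    # Introduced in 4.13: anything older never had the bug.
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 13 ]; }; then
        echo not-affected; return 0
    fi
    if [ "$major" -ge 7 ]; then
        # The oops in the announcement was captured on 7.0.0-rc2+, so a 7.0
        # release candidate cannot be judged from its version string alone.
        case "$major.$minor:$rel" in
            7.0:*-rc*) echo unknown ;;
            *)         echo fixed ;;
        esac
        return 0
    fi
    # Stable branches that have a fix listed in the announcement.
    case "$major.$minor" in
        6.6)  fixed_patch=130 ;;
        6.12) fixed_patch=78 ;;
        6.18) fixed_patch=19 ;;
        6.19) fixed_patch=9 ;;
        *)    echo affected; return 0 ;;   # no fix listed for this branch
    esac
    if [ "$patch" -ge "$fixed_patch" ]; then echo fixed; else echo affected; fi
}

# The faulting path needs the driver; hisi_sas_main is in the oops module list.
hisi_sas_loaded() {
    [ -d "${SYSFS_ROOT:-/sys}/module/hisi_sas_main" ]
}

# Combine both checks for a given release (defaults to the running kernel).
cve_2026_43413_report() {
    r=${1:-$(uname -r)}
    if hisi_sas_loaded; then drv=loaded; else drv=absent; fi
    echo "$r: $(cve_2026_43413_status "$r"), hisi_sas_main $drv"
}
```

Call cve_2026_43413_report with no argument on the host being triaged.
Distribution kernels carry backports under their own version numbers and
a built-in driver may not appear under /sys/module, so treat the output
as a first pass.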