CVE-2024-42289: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-42289 affects the Linux kernel's SCSI qla2xxx driver. The vulnerability was discovered in July 2024 and involves a NULL pointer dereference issue that occurs during vport deletion when there are stale entries in the outstanding command array (Kernel Patch). The vulnerability affects multiple versions of the Linux kernel up to versions 4.19.320, 5.4.282, 5.10.224, 5.15.165, and 6.1.103 (NVD).

The vulnerability manifests as a kernel NULL pointer dereference at address 0x1c during vport deletion. The issue occurs when stale I/O entries remain in the outstanding command array after ehabort is issued and aborted (fastfail_io = 2009h), but I/Os cannot complete while vport delete is in process. This results in a supervisor read access fault in kernel mode with error code 0x0000 for a not-present page (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a system crash (denial of service) when attempting to delete a virtual port in affected systems. This occurs due to a NULL pointer dereference in the kernel, which triggers a system panic (NVD).

The vulnerability has been patched by modifying the vport deletion process to send async logout explicitly for all ports during vport delete. The fix involves changing fcport->logoutondelete from 0 to 1 in the qla24xxdisablevp function (Kernel Patch). Users should update their Linux kernel to the latest patched version.