[BUG] Null pointer dereference in esp_scsi leading to GPF(drivers/scsi/esp_scsi.c)
From: ziyang
Date: Mon Mar 02 2026 - 08:32:43 EST
Dear Linux kernel development team,
I would like to report a NULL pointer dereference in the ESP SCSI driver
(drivers/scsi/esp_scsi.c) in Linux kernel v6.18. The fault occurs in the interrupt
handler path (scsi_esp_intr -> __esp_interrupt -> esp_process_event -> esp_cur_dma_addr,
esp_scsi.c:414) while, in the interrupted task, esp_queuecommand (esp_scsi.c:978) is
releasing its spinlock on behalf of a BSG SG_IO request.
The bug can be triggered from userspace via BSG ioctls (SG_IO, 0x2285, on a /dev/bsg/*
node). The observed impact is a general protection fault in IRQ context, i.e. a kernel
crash (denial of service). I discovered this bug during fuzzing with Syzkaller.
In the disassembly below, the pointer loaded from offset 0x188 of the structure held at
0x20(%rsp) is NULL (RBX = 0), and the trapping instruction is the KASAN shadow check for
a read of its field at offset 0x10, which matches the reported null-ptr-deref range
0x10-0x17. The crash report (x86-64, KASAN, QEMU guest) is shown below:
```
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 0 UID: 0 PID: 7936 Comm: syz.7.1383 Not tainted 6.18.0 #2 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014
RIP: 0010:esp_cur_dma_addr drivers/scsi/esp_scsi.c:414 [inline]
RIP: 0010:esp_process_event drivers/scsi/esp_scsi.c:1741 [inline]
RIP: 0010:__esp_interrupt drivers/scsi/esp_scsi.c:2168 [inline]
RIP: 0010:scsi_esp_intr+0x181d/0x6e20 drivers/scsi/esp_scsi.c:2184
Code: 00 00 48 89 f8 48 c1 e8 03 80 3c 28 00 0f 85 d8 43 00 00 48 8b 44 24 20 48 8b 98 88 01 00 00 48 8d 7b 10 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 c1 43 00 00 48 8d 7b 18 48 8b 73 10 48 89 f8 48
RSP: 0018:ffff88806ce08db8 EFLAGS: 00010012
RAX: 0000000000000002 RBX: 0000000000000000 RCX: ffffffff834c13fc
RDX: ffff88800f4b4ec0 RSI: ffffffff834c1409 RDI: 0000000000000010
RBP: dffffc0000000000 R08: ffffffff834c13fc R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff88800b99e700
R13: ffff88800b99e734 R14: 0000000000000000 R15: ffff88800bdf0d78
FS: 00007fd08930f6c0(0000) GS:ffff8880e56eb000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000021337000 CR4: 00000000000006f0
Call Trace:
<IRQ>
__handle_irq_event_percpu+0x21c/0x7b0 kernel/irq/handle.c:203
handle_irq_event_percpu kernel/irq/handle.c:240 [inline]
handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:257
handle_level_irq+0x26c/0x660 kernel/irq/chip.c:694
generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
handle_irq arch/x86/kernel/irq.c:254 [inline]
call_irq_handler arch/x86/kernel/irq.c:310 [inline]
__common_interrupt+0xa8/0x210 arch/x86/kernel/irq.c:325
common_interrupt+0x7a/0x90 arch/x86/kernel/irq.c:318
</IRQ>
<TASK>
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:688
RIP: 0010:__preempt_count_dec_and_test arch/x86/include/asm/preempt.h:95 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x2a/0x50 kernel/locking/spinlock.c:194
Code: f3 0f 1e fa 55 48 89 f5 53 48 8b 74 24 10 48 89 fb 48 83 c7 18 e8 d6 98 bb fc 48 89 df e8 4e e2 bb fc f7 c5 00 02 00 00 75 10 <65> ff 0d 1f 06 ca 02 74 0f 5b 5d c3 cc cc cc cc e8 41 58 e5 fc fb
RSP: 0018:ffff888010bcf7e8 EFLAGS: 00000292
RAX: 0000000000000407 RBX: ffff88800bdf0030 RCX: ffffffff84a94a1f
RDX: ffff88800f4b4ec0 RSI: 0000000000000000 RDI: ffffffff84a94a1f
RBP: 0000000000000246 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000010000 R12: ffff88800bdf0000
R13: ffff88800bdf0000 R14: 0000000000000246 R15: ffff88800bdf0da8
spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
esp_queuecommand+0x2c3/0x4a0 drivers/scsi/esp_scsi.c:978
scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1626 [inline]
scsi_queue_rq+0x20b8/0x3010 drivers/scsi/scsi_lib.c:1868
blk_mq_dispatch_rq_list+0x3e3/0x1d90 block/blk-mq.c:2129
__blk_mq_sched_dispatch_requests+0x21b/0x1690 block/blk-mq-sched.c:299
blk_mq_sched_dispatch_requests+0xd5/0x1c0 block/blk-mq-sched.c:329
blk_mq_run_hw_queue+0x33e/0x670 block/blk-mq.c:2367
blk_execute_rq+0x3ab/0xaf0 block/blk-mq.c:1504
scsi_bsg_sg_io_fn+0x3de/0xae0 drivers/scsi/scsi_bsg.c:61
bsg_sg_io+0x1b7/0x2b0 block/bsg.c:67
bsg_ioctl+0x392/0x5a0 block/bsg.c:151
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xbb/0x380 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd08a8dbf3d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd08930eff8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fd08ab65fa0 RCX: 00007fd08a8dbf3d
RDX: 0000200000000100 RSI: 0000000000002285 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd1f5db2d0 R14: 00007fd08930fce4 R15: 00007ffd1f5db3c7
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:esp_cur_dma_addr drivers/scsi/esp_scsi.c:414 [inline]
RIP: 0010:esp_process_event drivers/scsi/esp_scsi.c:1741 [inline]
RIP: 0010:__esp_interrupt drivers/scsi/esp_scsi.c:2168 [inline]
RIP: 0010:scsi_esp_intr+0x181d/0x6e20 drivers/scsi/esp_scsi.c:2184
Code: 00 00 48 89 f8 48 c1 e8 03 80 3c 28 00 0f 85 d8 43 00 00 48 8b 44 24 20 48 8b 98 88 01 00 00 48 8d 7b 10 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 c1 43 00 00 48 8d 7b 18 48 8b 73 10 48 89 f8 48
RSP: 0018:ffff88806ce08db8 EFLAGS: 00010012
RAX: 0000000000000002 RBX: 0000000000000000 RCX: ffffffff834c13fc
RDX: ffff88800f4b4ec0 RSI: ffffffff834c1409 RDI: 0000000000000010
RBP: dffffc0000000000 R08: ffffffff834c13fc R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff88800b99e700
R13: ffff88800b99e734 R14: 0000000000000000 R15: ffff88800bdf0d78
FS: 00007fd08930f6c0(0000) GS:ffff8880e56eb000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000021337000 CR4: 00000000000006f0
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 48 89 f8 mov %rdi,%rax
5: 48 c1 e8 03 shr $0x3,%rax
9: 80 3c 28 00 cmpb $0x0,(%rax,%rbp,1)
d: 0f 85 d8 43 00 00 jne 0x43eb
13: 48 8b 44 24 20 mov 0x20(%rsp),%rax
18: 48 8b 98 88 01 00 00 mov 0x188(%rax),%rbx
1f: 48 8d 7b 10 lea 0x10(%rbx),%rdi
23: 48 89 f8 mov %rdi,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 80 3c 28 00 cmpb $0x0,(%rax,%rbp,1) <-- trapping instruction
2e: 0f 85 c1 43 00 00 jne 0x43f5
34: 48 8d 7b 18 lea 0x18(%rbx),%rdi
38: 48 8b 73 10 mov 0x10(%rbx),%rsi
3c: 48 89 f8 mov %rdi,%rax
3f: 48 rex.W
<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>
```
According to the logs provided by Syzkaller, one of the programs being executed just
before the crash occurred is shown below. Note that this is the raw fuzzer program, not
a minimized reproducer: most of the calls are unrelated, and the two BSG_IO (SG_IO,
0x2285) ioctls on the /dev/bsg/1:0:0:0 and /dev/bsg/0:0:0:0 nodes near the end are most
likely the ones that matter.
```
r0 = openat$bsg(0xffffffffffffff9c,
&(0x7f00000000c0)='/dev/bsg/0:0:0:0\x00', 0x80800, 0x0)
r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0xc0000, 0x0)
r2 = openat$binfmt_format(0xffffffffffffff9c,
&(0x7f0000000040)='/proc/sys/fs/binfmt_misc/syz0\x00', 0x2, 0x0)
write$binfmt_format(r2, 0x0, 0x300)
ioctl$TIOCSPTLCK(r1, 0x40045431, &(0x7f00000000c0))
ioctl$TIOCGLCKTRMIOS(0xffffffffffffffff, 0x5456, 0x0)
r3 = ioctl$TIOCGPTPEER(r1, 0x5441, 0x100000004)
ioctl$TIOCVHANGUP(r3, 0x5437, 0x0)
ioctl$TCSETSF(r1, 0x5404, &(0x7f0000000040)={0x80000000, 0x1ff, 0x7,
0x100, 0x5, "1fe51fe8984ae49145f23aa940cfc7e06d078d"})
syz_open_dev$sg(0x0, 0x0, 0x121bc1)
r4 = openat$procfs(0xffffffffffffff9c,
&(0x7f0000000000)='/proc/vmstat\x00', 0x0, 0x0)
pread64(r4, &(0x7f0000000140)=""/93, 0xfffffd3d, 0x5)
r5 = openat$sndseq(0xffffffffffffff9c, &(0x7f0000000000), 0x169101)
r6 = openat$bsg(0xffffffffffffff9c,
&(0x7f0000000000)='/dev/bsg/1:0:0:0\x00', 0x60100, 0x0)
ioctl$BSG_IO(r6, 0x2285, &(0x7f00000002c0)={0x51, 0x0, 0x0, 0x1,
&(0x7f00000000c0)="82", 0x0, 0x0, 0xc, 0x101, 0x60,
&(0x7f00000001c0), 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffeffff9, 0x20,
0x0})
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r5, 0xc08c5332,
&(0x7f00000000c0)={0xffffff18, 0xf14c, 0x1, 'queue1\x00'})
write$sndseq(r5, &(0x7f0000000340), 0x3a)
ioctl$BSG_IO(r0, 0x2285, &(0x7f0000000100)={0x51, 0x0, 0x0, 0x1,
&(0x7f0000000000)='U', 0x6, 0x0, 0x3, 0x200007, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x2})
```
Best regards,
Yang Zi <2959243019@xxxxxx>