unset tran_abort(9E) in an HBA driver can lead to a user-controlled NULL deref
If an HBA driver does not provide a tran_abort function in its scsi_hba_tran_t instance, it appears that a user may be able to get the kernel to follow it as a NULL function pointer via scsi_abort(), which is called from the DKIOCABORT handling in sdioctl().
My suggestion would be to VERIFY or ASSERT that tran_abort is not NULL in scsi_hba_attach_setup(). However, I am unsure what impact this would have on existing HBA drivers.
A more conservative option may be to have scsi_abort() check that tran_abort is not NULL before calling it.
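The two options above, side by side, as an added example (this is not illumos source; the struct below is a stand-in for scsi_hba_tran_t that models only the tran_abort entry point, and the function names scsi_abort_unchecked, scsi_abort_checked, hba_tran_vector_ok, the tran_hba_name field and the demo HBAs are assumptions made for illustration):

```c
/* Added example, not illumos code: a simplified model of the tran_abort
 * entry point in scsi_hba_tran_t and of the two fixes proposed in the
 * report. Field layout and helper names are assumptions. */
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the real transport vector; only tran_abort is modelled.
 * tran_hba_name is an assumed field used for messages only. */
typedef struct scsi_hba_tran {
    const char *tran_hba_name;
    int (*tran_abort)(struct scsi_hba_tran *, void *pkt);
} scsi_hba_tran_t;

/* Return value convention: 1 = abort succeeded, 0 = abort failed. */

/* Before: follows tran_abort unconditionally. A driver that never filled
 * in tran_abort leaves a NULL function pointer here, reachable from
 * userland through DKIOCABORT -> sdioctl() -> scsi_abort(). */
static int scsi_abort_unchecked(scsi_hba_tran_t *tran, void *pkt)
{
    return (*tran->tran_abort)(tran, pkt);
}

/* After (the conservative option): report failure when the HBA provides
 * no tran_abort instead of dereferencing NULL. */
static int scsi_abort_checked(scsi_hba_tran_t *tran, void *pkt)
{
    if (tran == NULL || tran->tran_abort == NULL)
        return (0);
    return (*tran->tran_abort)(tran, pkt);
}

/* The other option: reject the vector at attach time, so a driver with
 * tran_abort unset never makes it as far as scsi_abort(). Returns 1 if
 * the vector is acceptable, 0 if attach should fail. */
static int hba_tran_vector_ok(const scsi_hba_tran_t *tran)
{
    return (tran != NULL && tran->tran_abort != NULL);
}

/* Constructed HBA that does implement tran_abort. */
static int demo_tran_abort(scsi_hba_tran_t *tran, void *pkt)
{
    (void)tran;
    (void)pkt;
    return (1);
}

/* Constructed transport vectors: one complete, one with tran_abort unset. */
static scsi_hba_tran_t hba_with_abort = { "demo_hba", demo_tran_abort };
static scsi_hba_tran_t hba_without_abort = { "lazy_hba", NULL };

int main(void)
{
    printf("unchecked, %s: %d\n", hba_with_abort.tran_hba_name,
        scsi_abort_unchecked(&hba_with_abort, NULL));
    printf("checked, %s: %d\n", hba_with_abort.tran_hba_name,
        scsi_abort_checked(&hba_with_abort, NULL));
    printf("checked, %s: %d\n", hba_without_abort.tran_hba_name,
        scsi_abort_checked(&hba_without_abort, NULL));
    printf("attach-time check accepts %s: %d, accepts %s: %d\n",
        hba_with_abort.tran_hba_name, hba_tran_vector_ok(&hba_with_abort),
        hba_without_abort.tran_hba_name, hba_tran_vector_ok(&hba_without_abort));
    /* scsi_abort_unchecked(&hba_without_abort, NULL) would fault here:
     * that is the path the report describes. */
    return (0);
}
```

The checked variant keeps scsi_abort()'s existing failure return (0) for the missing-method case, so DKIOCABORT callers see an ordinary failed abort rather than a panic; the attach-time variant is stricter but, as the report notes, would change behaviour for any existing driver that leaves tran_abort unset.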