medium
5.5
CWE
667
Advisory Published
Updated

CVE-2022-49536: scsi: lpfc: Fix SCSI I/O completion and abort handler deadlock

First published: Wed Feb 26 2025(Updated: )

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix SCSI I/O completion and abort handler deadlock During stress I/O tests with 500+ vports, hard LOCKUP call traces are observed. CPU A: native_queued_spin_lock_slowpath+0x192 _raw_spin_lock_irqsave+0x32 lpfc_handle_fcp_err+0x4c6 lpfc_fcp_io_cmd_wqe_cmpl+0x964 lpfc_sli4_fp_handle_cqe+0x266 __lpfc_sli4_process_cq+0x105 __lpfc_sli4_hba_process_cq+0x3c lpfc_cq_poll_hdler+0x16 irq_poll_softirq+0x76 __softirqentry_text_start+0xe4 irq_exit+0xf7 do_IRQ+0x7f CPU B: native_queued_spin_lock_slowpath+0x5b _raw_spin_lock+0x1c lpfc_abort_handler+0x13e scmd_eh_abort_handler+0x85 process_one_work+0x1a7 worker_thread+0x30 kthread+0x112 ret_from_fork+0x1f Diagram of lockup: CPUA CPUB ---- ---- lpfc_cmd->buf_lock phba->hbalock lpfc_cmd->buf_lock phba->hbalock Fix by reordering the taking of the lpfc_cmd->buf_lock and phba->hbalock in lpfc_abort_handler routine so that it tries to take the lpfc_cmd->buf_lock first before phba->hbalock.

Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Affected SoftwareAffected VersionHow to fix
Linux Kernel
Linux Kernel<5.15.46
Linux Kernel>=5.16<5.17.14
Linux Kernel>=5.18<5.18.3

Remedy

https://git.kernel.org/stable/c/03cbbd7c2f5ee288f648f4aeedc765a181188553

Remedy

https://git.kernel.org/stable/c/0c4eed901285b9cae36a622f32bea3e92490da6c

Remedy

https://git.kernel.org/stable/c/21c0d469349957b5dc811c41200a2a998996ca8d

Remedy

https://git.kernel.org/stable/c/7625e81de2164a082810e1f27547d388406da610

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2022-49536?

    The severity of CVE-2022-49536 is considered high due to the potential for deadlock during SCSI I/O processing, leading to a system hard lockup.

  • How do I fix CVE-2022-49536?

    To fix CVE-2022-49536, users should upgrade their Linux Kernel to a version greater than 5.15.46 or ensure they are on an unaffected version.

  • What systems are affected by CVE-2022-49536?

    CVE-2022-49536 affects the Linux Kernel versions between 5.16 and 5.17.14, as well as versions between 5.18 and 5.18.3.

  • What causes the CVE-2022-49536 vulnerability?

    CVE-2022-49536 is caused by a deadlock in the SCSI I/O completion and abort handler that manifests under stressful I/O conditions.

  • Is there a temporary workaround for CVE-2022-49536?

    Currently, the best option is to upgrade the kernel as there are no reliable temporary workarounds available for CVE-2022-49536.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203