CVE-2022-48758 in Linuxinfo

Summary

by MITRE • 06/20/2024

In the Linux kernel, the following vulnerability has been resolved:

scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put()

The bnx2fc_destroy() functions are removing the interface before calling destroy_work. This results multiple WARNings from sysfs_remove_group() as the controller rport device attributes are removed too early.

Replace the fcoe_port's destroy_work queue. It's not needed.

The problem is easily reproducible with the following steps.

Example:

$ dmesg -w & $ systemctl enable --now fcoe $ fipvlan -s -c ens2f1 $ fcoeadm -d ens2f1.802 [ 583.464488] host2: libfc: Link down on port (7500a1)
[ 583.472651] bnx2fc: 7500a1 - rport not created Yet!!
[ 583.490468] ------------[ cut here ]------------
[ 583.538725] sysfs group 'power' not found for kobject 'rport-2:0-0'
[ 583.568814] WARNING: CPU: 3 PID: 192 at fs/sysfs/group.c:279 sysfs_remove_group+0x6f/0x80
[ 583.607130] Modules linked in: dm_service_time 8021q garp mrp stp llc bnx2fc cnic uio rpcsec_gss_krb5 auth_rpcgss nfsv4 ...
[ 583.942994] CPU: 3 PID: 192 Comm: kworker/3:2 Kdump: loaded Not tainted 5.14.0-39.el9.x86_64 #1
[ 583.984105] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013
[ 584.016535] Workqueue: fc_wq_2 fc_rport_final_delete [scsi_transport_fc]
[ 584.050691] RIP: 0010:sysfs_remove_group+0x6f/0x80
[ 584.074725] Code: ff 5b 48 89 ef 5d 41 5c e9 ee c0 ff ff 48 89 ef e8 f6 b8 ff ff eb d1 49 8b 14 24 48 8b 33 48 c7 c7 ...
[ 584.162586] RSP: 0018:ffffb567c15afdc0 EFLAGS: 00010282
[ 584.188225] RAX: 0000000000000000 RBX: ffffffff8eec4220 RCX: 0000000000000000
[ 584.221053] RDX: ffff8c1586ce84c0 RSI: ffff8c1586cd7cc0 RDI: ffff8c1586cd7cc0
[ 584.255089] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb567c15afc00
[ 584.287954] R10: ffffb567c15afbf8 R11: ffffffff8fbe7f28 R12: ffff8c1486326400
[ 584.322356] R13: ffff8c1486326480 R14: ffff8c1483a4a000 R15: 0000000000000004
[ 584.355379] FS: 0000000000000000(0000) GS:ffff8c1586cc0000(0000) knlGS:0000000000000000
[ 584.394419] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 584.421123] CR2: 00007fe95a6f7840 CR3: 0000000107674002 CR4: 00000000000606e0
[ 584.454888] Call Trace:
[ 584.466108] device_del+0xb2/0x3e0
[ 584.481701] device_unregister+0x13/0x60
[ 584.501306] bsg_unregister_queue+0x5b/0x80
[ 584.522029] bsg_remove_queue+0x1c/0x40
[ 584.541884] fc_rport_final_delete+0xf3/0x1d0 [scsi_transport_fc]
[ 584.573823] process_one_work+0x1e3/0x3b0
[ 584.592396] worker_thread+0x50/0x3b0
[ 584.609256] ? rescuer_thread+0x370/0x370
[ 584.628877] kthread+0x149/0x170
[ 584.643673] ? set_kthread_struct+0x40/0x40
[ 584.662909] ret_from_fork+0x22/0x30
[ 584.680002] ---[ end trace 53575ecefa942ece ]---

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 09/29/2025

The vulnerability described in CVE-2022-48758 affects the Linux kernel's SCSI subsystem, specifically within the bnx2fc driver responsible for handling Fibre Channel over Ethernet (FCoE) communications. This issue stems from improper sequence in the destruction process of FCoE port interfaces, leading to system warnings and potential instability during FCoE interface lifecycle management. The problem manifests when the bnx2fc_destroy() function removes the interface before properly flushing the destroy_work queue, creating a race condition that results in multiple kernel warnings from sysfs_remove_group().

The technical flaw occurs due to the incorrect order of operations within the FCoE driver's cleanup mechanism. When the system attempts to destroy an FCoE port interface, the driver removes the controller rport device attributes too early in the process, before the associated work queue has completed its operations. This premature removal causes sysfs_remove_group() to fail because it attempts to remove attributes that have already been partially or completely destroyed, leading to kernel warnings and potential memory inconsistency issues. The issue is particularly evident in environments where FCoE interfaces are frequently created and destroyed, such as in data center networking scenarios.

The operational impact of this vulnerability extends beyond simple warning messages, as it can compromise the stability of storage subsystems in Linux environments that rely on FCoE connectivity. The repeated warnings indicate a deeper problem in the device management framework where kernel threads attempt to clean up resources that are already in the process of being destroyed. This can lead to system instability, especially under high I/O load conditions where multiple FCoE interfaces are actively managed. The vulnerability affects systems running kernel versions that include the bnx2fc driver, particularly those using Red Hat Enterprise Linux 9 with kernel version 5.14.0-39.el9.x86_64 as demonstrated in the affected system.

The mitigation strategy involves modifying the bnx2fc driver to remove the unnecessary fcoe_port's destroy_work queue and ensure proper ordering of interface destruction operations. This aligns with the principle of maintaining proper resource lifecycle management in kernel drivers, where cleanup operations should complete before resource removal. The fix addresses the root cause by ensuring that destroy_work is properly flushed before calling bnx2fc_interface_put(), preventing the premature removal of sysfs attributes that would otherwise cause kernel warnings. This vulnerability demonstrates the importance of proper synchronization in kernel drivers and the potential for seemingly minor ordering issues to cause significant stability problems in storage subsystems. The issue relates to CWE-691, which covers inadequate control flow management in software, and aligns with ATT&CK technique T1547.001 for privilege escalation through kernel module manipulation, though the immediate impact is more focused on system stability rather than security compromise.

The fix implementation requires careful attention to work queue management and device attribute cleanup sequences. The solution involves ensuring that all pending work items in the destroy_work queue are completed before proceeding with interface removal operations. This approach prevents the race condition that causes sysfs_remove_group() to fail and eliminates the associated kernel warnings. The recommended approach follows established kernel development practices for managing device lifecycle operations, ensuring that all cleanup operations are properly synchronized and that no resources are prematurely removed while still in use by kernel subsystems. This vulnerability highlights the complexity of managing concurrent access to shared kernel resources and the importance of proper synchronization primitives in device driver development.

Sources

Do you need the next level of professionalism?

Upgrade your account now!