CVE-2022-49701 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
scsi: ibmvfc: Allocate/free queue resource only during probe/remove
Currently, the sub-queues and event pool resources are allocated/freed for every CRQ connection event such as reset and LPM. This exposes the driver to a couple of issues. First, the inefficiency of freeing and reallocating memory that can simply be reused after being sanitized. Further, a system under memory pressure runs the risk of allocation failures that could result in a crippled driver. Finally, there is a race window where command submission/completion can try to pull/return elements from/to an event pool that is being deleted or already has been deleted due to the lack of host state around freeing/allocating resources. The following is an example of list corruption following a live partition migration (LPM):
Oops: Exception in kernel mode, sig: 5 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: vfat fat isofs cdrom ext4 mbcache jbd2 nft_counter nft_compat nf_tables nfnetlink rpadlpar_io rpaphp xsk_diag nfsv3 nfs_acl nfs lockd grace fscache netfs rfkill bonding tls sunrpc pseries_rng drm drm_panel_orientation_quirks xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc scsi_transport_fc ibmveth vmx_crypto dm_multipath dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse
CPU: 0 PID: 2108 Comm: ibmvfc_0 Kdump: loaded Not tainted 5.14.0-70.9.1.el9_0.ppc64le #1
NIP: c0000000007c4bb0 LR: c0000000007c4bac CTR: 00000000005b9a10
REGS: c00000025c10b760 TRAP: 0700 Not tainted (5.14.0-70.9.1.el9_0.ppc64le)
MSR: 800000000282b033 CR: 2800028f XER: 0000000f
CFAR: c0000000001f55bc IRQMASK: 0
GPR00: c0000000007c4bac c00000025c10ba00 c000000002a47c00 000000000000004e
GPR04: c0000031e3006f88 c0000031e308bd00 c00000025c10b768 0000000000000027
GPR08: 0000000000000000 c0000031e3009dc0 00000031e0eb0000 0000000000000000
GPR12: c0000031e2ffffa8 c000000002dd0000 c000000000187108 c00000020fcee2c0
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR20: 0000000000000000 0000000000000000 0000000000000000 c008000002f81300
GPR24: 5deadbeef0000100 5deadbeef0000122 c000000263ba6910 c00000024cc88000
GPR28: 000000000000003c c0000002430a0000 c0000002430ac300 000000000000c300
NIP [c0000000007c4bb0] __list_del_entry_valid+0x90/0x100
LR [c0000000007c4bac] __list_del_entry_valid+0x8c/0x100
Call Trace: [c00000025c10ba00] [c0000000007c4bac] __list_del_entry_valid+0x8c/0x100 (unreliable)
[c00000025c10ba60] [c008000002f42284] ibmvfc_free_queue+0xec/0x210 [ibmvfc]
[c00000025c10bb10] [c008000002f4246c] ibmvfc_deregister_scsi_channel+0xc4/0x160 [ibmvfc]
[c00000025c10bba0] [c008000002f42580] ibmvfc_release_sub_crqs+0x78/0x130 [ibmvfc]
[c00000025c10bc20] [c008000002f4f6cc] ibmvfc_do_work+0x5c4/0xc70 [ibmvfc]
[c00000025c10bce0] [c008000002f4fdec] ibmvfc_work+0x74/0x1e8 [ibmvfc]
[c00000025c10bda0] [c0000000001872b8] kthread+0x1b8/0x1c0
[c00000025c10be10] [c00000000000cd64] ret_from_kernel_thread+0x5c/0x64
Instruction dump: 40820034 38600001 38210060 4e800020 7c0802a6 7c641b78 3c62fe7a 7d254b78 3863b590 f8010070 4ba309cd 60000000 7c0802a6 3c62fe7a 3863b640
---[ end trace 11a2b65a92f8b66c ]---
ibmvfc 30000003: Send warning. Receive queue closed, will retry.
Add registration/deregistration helpers that are called instead during connection resets to sanitize and reconfigure the queues.
Analysis
by VulDB Data Team • 10/24/2025
The vulnerability described in CVE-2022-49701 affects the Linux kernel's ibmvfc SCSI driver, which is responsible for managing IBM Virtual Fibre Channel adapters in virtualized environments. This issue stems from improper resource management during CRQ (Channel Request Queue) connection events such as reset and LPM (Live Partition Migration). The driver currently allocates and frees sub-queues and event pool resources for every connection event, creating significant operational and security concerns that align with CWE-401: Unspecified Error in Resource Management and CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization.
The core technical flaw involves a race condition and memory management inefficiency where resources are repeatedly allocated and freed during connection events instead of being reused after sanitization. This approach exposes the driver to multiple failure scenarios including allocation failures under memory pressure, which can cripple the driver's functionality, and list corruption as demonstrated in the kernel oops trace. The crash occurs in the __list_del_entry_valid function, indicating that commands attempt to manipulate list entries from an event pool that has been deleted or is in the process of being deleted, resulting in memory corruption and system instability.
The operational impact of this vulnerability is severe for systems relying on IBM Virtual Fibre Channel adapters, particularly in virtualized environments where LPM operations are common. The vulnerability can lead to complete driver failure, system crashes, and loss of storage connectivity, making it a critical issue for enterprise environments. The race window during command submission and completion operations allows concurrent access to freed resources, which can cause unpredictable behavior and system instability. This vulnerability specifically impacts PowerPC-based systems running the affected kernel versions and can be triggered during normal system operations such as connection resets or live partition migrations.
Mitigation strategies should focus on implementing proper resource lifecycle management by introducing registration and deregistration helpers that sanitize and reconfigure queues instead of performing full allocation and deallocation cycles. The fix ensures that resources are allocated once during probe and freed once during remove operations, with intermediate states properly managed through sanitization rather than complete resource destruction. This approach aligns with ATT&CK technique T1486: Data Encrypted for Ransom and addresses the underlying resource management issues that could lead to system compromise through denial of service. Organizations should apply the kernel patch immediately and monitor for any signs of driver instability or performance degradation during the transition period, particularly in high-availability environments where storage connectivity is critical for system operation.
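The lifecycle change described in the commit message above and in this analysis (allocate once at probe, free once at remove, sanitize in between) can be shown with a small model of an event pool. The code below is an added illustration, not code from the ibmvfc driver or the kernel patch: the pool layout, the names (struct event_pool, reset_by_realloc, reset_by_sanitize, simulate_oom, usable_events_after_reset) and the fault-injection switch are all constructed for this example. It contrasts the old reset path, which frees and reallocates the pool on every connection event, with the patched approach, which keeps the probe-time allocation and only re-initialises it. Under simulated memory pressure the old path leaves the driver with no events (the "crippled driver" case), while the sanitizing reset keeps the full pool. The GPR24/GPR25 values in the oops (5deadbeef0000100 and 5deadbeef0000122) are the kernel's LIST_POISON1/LIST_POISON2 patterns as laid out on ppc64, which is what __list_del_entry_valid reports when an entry is unlinked a second time; that double-teardown is exactly what the always-free-and-reallocate design made possible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of a per-queue event pool (not the ibmvfc driver's code).
 * All names here are assumptions made for this example. */

#define POOL_SIZE 4

struct event {
	int id;
	bool in_use;
	struct event *next;	/* free-list link */
};

struct event_pool {
	struct event *events;	/* backing storage, allocated once at probe */
	struct event *free_list;
	int size;
};

/* Fault-injection switch standing in for system memory pressure. */
static bool simulate_oom;

/* Reset every element and rebuild the free list without allocating. */
static void pool_sanitize(struct event_pool *p)
{
	p->free_list = NULL;
	for (int i = p->size - 1; i >= 0; i--) {
		p->events[i].id = i;
		p->events[i].in_use = false;
		p->events[i].next = p->free_list;
		p->free_list = &p->events[i];
	}
}

/* Probe-time allocation: 0 on success, -1 if memory could not be obtained. */
static int pool_alloc(struct event_pool *p, int n)
{
	p->events = simulate_oom ? NULL : calloc((size_t)n, sizeof(*p->events));
	p->size = p->events ? n : 0;
	p->free_list = NULL;
	if (!p->events)
		return -1;
	pool_sanitize(p);
	return 0;
}

/* Remove-time release. */
static void pool_free(struct event_pool *p)
{
	free(p->events);
	p->events = NULL;
	p->free_list = NULL;
	p->size = 0;
}

/* Take an event for a command submission; NULL when the pool is exhausted. */
static struct event *pool_get(struct event_pool *p)
{
	struct event *e = p->free_list;
	if (e) {
		p->free_list = e->next;
		e->in_use = true;
	}
	return e;
}

int pool_free_count(const struct event_pool *p)
{
	int n = 0;
	for (const struct event *e = p->free_list; e; e = e->next)
		n++;
	return n;
}

/* Old behaviour: every connection reset tears the pool down and rebuilds it.
 * If the rebuild fails, nothing is left for later command submissions. */
int reset_by_realloc(struct event_pool *p)
{
	int n = p->size;
	pool_free(p);
	return pool_alloc(p, n);
}

/* Patched behaviour: the probe-time pool is kept and merely sanitized. */
int reset_by_sanitize(struct event_pool *p)
{
	pool_sanitize(p);
	return 0;
}

/* Scenario: one command in flight, then a reset while memory is exhausted.
 * Returns the number of events usable after the reset (-1 if probe failed). */
int usable_events_after_reset(bool patched)
{
	struct event_pool p;
	int rc, usable;

	if (pool_alloc(&p, POOL_SIZE) != 0)
		return -1;
	(void)pool_get(&p);		/* a command is outstanding */

	simulate_oom = true;		/* the reset arrives under memory pressure */
	rc = patched ? reset_by_sanitize(&p) : reset_by_realloc(&p);
	simulate_oom = false;

	usable = (rc == 0) ? pool_free_count(&p) : 0;
	pool_free(&p);			/* remove-time teardown */
	return usable;
}
```

Calling usable_events_after_reset(false) models the pre-patch driver and returns 0: the reset freed the pool and the reallocation failed. usable_events_after_reset(true) models the patched driver and returns POOL_SIZE, because sanitizing in place never needs the allocator and the outstanding event is simply returned to a clean free list. The model deliberately keeps the outstanding command from touching the pool during the reset; in the real driver that ordering is what the registration/deregistration helpers and the host state around them provide.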