CVE-2022-50818 in Linux

Summary

by MITRE • 12/30/2025

In the Linux kernel, the following vulnerability has been resolved:

scsi: pm8001: Fix running_req for internal abort commands

Disabling the remote phy for a SATA disk causes a hang:

root@(none)$ more /sys/class/sas_phy/phy-0:0:8/target_port_protocols
sata
root@(none)$ echo 0 > sys/class/sas_phy/phy-0:0:8/enable
root@(none)$ [ 67.855950] sas: ex 500e004aaaaaaa1f phy08 change count has changed
[ 67.920585] sd 0:0:2:0: [sdc] Synchronizing SCSI cache
[ 67.925780] sd 0:0:2:0: [sdc] Synchronize Cache(10) failed: Result: hostbyte=0x04 driverbyte=DRIVER_OK
[ 67.935094] sd 0:0:2:0: [sdc] Stopping disk
[ 67.939305] sd 0:0:2:0: [sdc] Start/Stop Unit failed: Result: hostbyte=0x04 driverbyte=DRIVER_OK
...
[ 123.998998] INFO: task kworker/u192:1:642 blocked for more than 30 seconds.
[ 124.005960] Not tainted 6.0.0-rc1-205202-gf26f8f761e83 #218
[ 124.012049] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 124.019872] task:kworker/u192:1 state:D stack:0 pid: 642 ppid: 2 flags:0x00000008
[ 124.028223] Workqueue: 0000:04:00.0_event_q sas_port_event_worker
[ 124.034319] Call trace:
[ 124.036758] __switch_to+0x128/0x278
[ 124.040333] __schedule+0x434/0xa58
[ 124.043820] schedule+0x94/0x138
[ 124.047045] schedule_timeout+0x2fc/0x368
[ 124.051052] wait_for_completion+0xdc/0x200
[ 124.055234] __flush_workqueue+0x1a8/0x708
[ 124.059328] sas_porte_broadcast_rcvd+0xa8/0xc0
[ 124.063858] sas_port_event_worker+0x60/0x98
[ 124.068126] process_one_work+0x3f8/0x660
[ 124.072134] worker_thread+0x70/0x700
[ 124.075793] kthread+0x1a4/0x1b8
[ 124.079014] ret_from_fork+0x10/0x20

The issue is that the per-device running_req read in pm8001_dev_gone_notify() never goes to zero and we never make progress. This is caused by missing accounting for running_req for when an internal abort command completes.

In commit 2cbbf489778e ("scsi: pm8001: Use libsas internal abort support") we started to send internal abort commands as a proper sas_task. In this when we deliver a sas_task to HW the per-device running_req is incremented in pm8001_queue_command(). However it is never decremented for internal abort commands, so decrement in pm8001_mpi_task_abort_resp().


Analysis

by VulDB Data Team • 01/06/2026

The vulnerability CVE-2022-50818 represents a critical deadlock condition within the Linux kernel's SCSI subsystem, specifically affecting the pm8001 driver used for SAS storage controllers. This issue manifests when a SATA disk's remote PHY is disabled, causing the system to hang indefinitely. The root cause lies in improper accounting of the running_req counter within the pm8001 driver's internal abort command handling mechanism. When a SATA disk's PHY is disabled through the sysfs interface, the driver initiates internal abort commands to manage the device state transition, but fails to properly decrement the running request counter upon completion of these abort operations.

The technical flaw occurs in the pm8001 driver's implementation where the running_req counter, which tracks active commands per device, is incremented when internal abort commands are queued through pm8001_queue_command() but never decremented when these commands complete through pm8001_mpi_task_abort_resp(). This counter management failure creates a perpetual state where the driver believes there are still active requests pending, preventing proper cleanup and system progression. The vulnerability is particularly dangerous because it occurs during normal device state transitions, specifically when disabling a SATA disk's PHY, making it exploitable in routine storage operations rather than specialized attack scenarios.

The operational impact of this vulnerability is severe as it results in complete system hangs that can only be resolved through forced rebooting, effectively causing denial of service conditions for storage-intensive workloads. The hanging task identified in the kernel logs shows a kworker thread blocked for over 30 seconds, indicating the system has become unresponsive to further SCSI operations. This issue affects systems using pm8001 SAS controllers, particularly those managing SATA devices through the SAS protocol layer, and represents a regression introduced in commit 2cbbf489778e which implemented libsas internal abort support. The vulnerability aligns with CWE-691, indicating insufficient cleanup or resource management, and can be mapped to ATT&CK technique T1490, as it creates a persistent denial of service condition that impacts system availability and storage functionality.

Mitigation strategies for this vulnerability include applying the kernel patch that corrects the running_req counter decrement logic for internal abort commands, ensuring proper accounting when these commands complete. System administrators should prioritize updating to kernel versions containing the fix, particularly those with the corrected pm8001 driver implementation. Additionally, monitoring for blocked worker threads and system hangs during SATA PHY disable operations can help detect potential exploitation of this vulnerability. The fix specifically addresses the missing accounting in pm8001_mpi_task_abort_resp() to properly decrement the running_req counter when internal abort commands complete, restoring proper request tracking and preventing the deadlock condition that leads to system hangs.
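The monitoring suggested above, sketched as an added example (not VulDB's or the kernel project's code): it scans kernel log text for hung-task reports and flags those whose call trace contains the libsas frames seen in this page's log. The sample log is abridged from the excerpt above; the function name and the two-frame signature are assumptions chosen for illustration.

```python
import re

# Kernel log lines abridged from the hang report quoted on this page.
SAMPLE_LOG = """\
[ 67.920585] sd 0:0:2:0: [sdc] Synchronizing SCSI cache
[ 123.998998] INFO: task kworker/u192:1:642 blocked for more than 30 seconds.
[ 124.005960] Not tainted 6.0.0-rc1-205202-gf26f8f761e83 #218
[ 124.028223] Workqueue: 0000:04:00.0_event_q sas_port_event_worker
[ 124.034319] Call trace:
[ 124.051052] wait_for_completion+0xdc/0x200
[ 124.055234] __flush_workqueue+0x1a8/0x708
[ 124.059328] sas_porte_broadcast_rcvd+0xa8/0xc0
[ 124.063858] sas_port_event_worker+0x60/0x98
"""

LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")
HUNG = re.compile(r"INFO: task (\S+):(\d+) blocked for more than (\d+) seconds")
WORKQUEUE = re.compile(r"^Workqueue: (\S+) (\S+)")
FRAME = re.compile(r"^([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Assumed signature: both frames appear in the trace shown on this page.
SIGNATURE = {"sas_porte_broadcast_rcvd", "__flush_workqueue"}

def find_hung_tasks(log_text):
    """Return one dict per hung-task report, with workqueue and trace frames."""
    reports, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        hung = HUNG.search(msg)
        if hung:
            cur = {"time": ts, "task": hung.group(1), "pid": int(hung.group(2)),
                   "blocked_secs": int(hung.group(3)),
                   "workqueue": None, "work_fn": None, "frames": []}
            reports.append(cur)
        elif cur is not None:
            wq, frame = WORKQUEUE.match(msg), FRAME.match(msg)
            if wq:
                cur["workqueue"], cur["work_fn"] = wq.groups()
            elif frame:
                cur["frames"].append(frame.group(1))
            elif cur["frames"]:
                cur = None  # trace ended; ignore unrelated lines that follow
    for r in reports:
        r["matches_page_trace"] = SIGNATURE.issubset(r["frames"])
    return reports
```

A match only says the hang has the same shape as the one reported here; confirming the cause still means checking that the controller uses pm8001 and that the running kernel lacks the fix.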

Responsible: Linux
Reservation: 12/30/2025
Disclosure: 12/30/2025
Moderation: accepted
CPE: ready
EPSS: 0.00203
KEV: no
Activities: very low
