CVE-2022-48835: Vulnerability in Linux

Severity: High
Published: Tue Jul 16 2024 (07/16/2024, 12:25:07 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: mpt3sas: Page fault in reply q processing

A page fault was encountered in mpt3sas on a LUN reset error path:

[ 145.763216] mpt3sas_cm1: Task abort tm failed: handle(0x0002),timeout(30) tr_method(0x0) smid(3) msix_index(0)
[ 145.778932] scsi 1:0:0:0: task abort: FAILED scmd(0x0000000024ba29a2)
[ 145.817307] scsi 1:0:0:0: attempting device reset! scmd(0x0000000024ba29a2)
[ 145.827253] scsi 1:0:0:0: [sg1] tag#2 CDB: Receive Diagnostic 1c 01 01 ff fc 00
[ 145.837617] scsi target1:0:0: handle(0x0002), sas_address(0x500605b0000272b9), phy(0)
[ 145.848598] scsi target1:0:0: enclosure logical id(0x500605b0000272b8), slot(0)
[ 149.858378] mpt3sas_cm1: Poll ReplyDescriptor queues for completion of smid(0), task_type(0x05), handle(0x0002)
[ 149.875202] BUG: unable to handle page fault for address: 00000007fffc445d
[ 149.885617] #PF: supervisor read access in kernel mode
[ 149.894346] #PF: error_code(0x0000) - not-present page
[ 149.903123] PGD 0 P4D 0
[ 149.909387] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 149.917417] CPU: 24 PID: 3512 Comm: scsi_eh_1 Kdump: loaded Tainted: G S O 5.10.89-altav-1 #1
[ 149.934327] Hardware name: DDN 200NVX2 /200NVX2-MB , BIOS ATHG2.2.02.01 09/10/2021
[ 149.951871] RIP: 0010:_base_process_reply_queue+0x4b/0x900 [mpt3sas]
[ 149.961889] Code: 0f 84 22 02 00 00 8d 48 01 49 89 fd 48 8d 57 38 f0 0f b1 4f 38 0f 85 d8 01 00 00 49 8b 45 10 45 31 e4 41 8b 55 0c 48 8d 1c d0 <0f> b6 03 83 e0 0f 3c 0f 0f 85 a2 00 00 00 e9 e6 01 00 00 0f b7 ee
[ 149.991952] RSP: 0018:ffffc9000f1ebcb8 EFLAGS: 00010246
[ 150.000937] RAX: 0000000000000055 RBX: 00000007fffc445d RCX: 000000002548f071
[ 150.011841] RDX: 00000000ffff8881 RSI: 0000000000000001 RDI: ffff888125ed50d8
[ 150.022670] RBP: 0000000000000000 R08: 0000000000000000 R09: c0000000ffff7fff
[ 150.033445] R10: ffffc9000f1ebb68 R11: ffffc9000f1ebb60 R12: 0000000000000000
[ 150.044204] R13: ffff888125ed50d8 R14: 0000000000000080 R15: 34cdc00034cdea80
[ 150.054963] FS: 0000000000000000(0000) GS:ffff88dfaf200000(0000) knlGS:0000000000000000
[ 150.066715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 150.076078] CR2: 00000007fffc445d CR3: 000000012448a006 CR4: 0000000000770ee0
[ 150.086887] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 150.097670] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 150.108323] PKRU: 55555554
[ 150.114690] Call Trace:
[ 150.120497] ? printk+0x48/0x4a
[ 150.127049] mpt3sas_scsih_issue_tm.cold.114+0x2e/0x2b3 [mpt3sas]
[ 150.136453] mpt3sas_scsih_issue_locked_tm+0x86/0xb0 [mpt3sas]
[ 150.145759] scsih_dev_reset+0xea/0x300 [mpt3sas]
[ 150.153891] scsi_eh_ready_devs+0x541/0x9e0 [scsi_mod]
[ 150.162206] ? __scsi_host_match+0x20/0x20 [scsi_mod]
[ 150.170406] ? scsi_try_target_reset+0x90/0x90 [scsi_mod]
[ 150.178925] ? blk_mq_tagset_busy_iter+0x45/0x60
[ 150.186638] ? scsi_try_target_reset+0x90/0x90 [scsi_mod]
[ 150.195087] scsi_error_handler+0x3a5/0x4a0 [scsi_mod]
[ 150.203206] ? __schedule+0x1e9/0x610
[ 150.209783] ? scsi_eh_get_sense+0x210/0x210 [scsi_mod]
[ 150.217924] kthread+0x12e/0x150
[ 150.224041] ? kthread_worker_fn+0x130/0x130
[ 150.231206] ret_from_fork+0x1f/0x30

This is caused by mpt3sas_base_sync_reply_irqs() using an invalid reply_q pointer outside of the list_for_each_entry() loop. At the end of the full list traversal the pointer is invalid. Move the _base_process_reply_queue() call inside of the loop.

AI-Powered Analysis

Last updated: 06/30/2025, 22:27:19 UTC

Technical Analysis

CVE-2022-48835 is a vulnerability in the Linux kernel's mpt3sas driver, which manages SAS (Serial Attached SCSI) storage devices. The flaw arises from improper handling of reply queue pointers during LUN (Logical Unit Number) reset error processing. In mpt3sas_base_sync_reply_irqs(), the reply_q iterator of a list_for_each_entry() loop was still used after the loop had completed, when it no longer points at a valid reply queue, and _base_process_reply_queue() was called on it. Dereferencing that pointer produces a kernel page fault (a supervisor read of a non-present page), a kernel oops and a potential system crash. The fault is triggered during error recovery, when the driver attempts to abort or reset tasks on SAS devices, and the outcome is a denial of service (DoS) through a system crash or hang. The vulnerability affects Linux kernel versions including 5.10.89-altav-1 and potentially others using the vulnerable mpt3sas driver code. No public exploits are currently known, and no CVSS score has been assigned. The fix moves the _base_process_reply_queue() call inside the list traversal loop, so the pointer is valid at the point where it is used.
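The pointer misuse described above, reproduced as an added userland model (example code, not the kernel's or the mpt3sas driver's own code): a minimal copy of the kernel's container_of/list_for_each_entry idioms shows that once a list_for_each_entry() loop has run to completion its iterator points at the list head's would-be container rather than a real entry, beside the fixed shape that processes each queue inside the loop. The names reply_q, process_reply_queue and sync_reply_irqs_* are illustrative stand-ins, and the two-entry list is constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal intrusive list, modelled on the kernel's include/linux/list.h. */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

#define list_for_each_entry(pos, head, member)                          \
    for (pos = container_of((head)->next, __typeof__(*pos), member);    \
         &pos->member != (head);                                        \
         pos = container_of(pos->member.next, __typeof__(*pos), member))

/* Illustrative stand-in for the driver's per-MSI-X reply queue. */
struct reply_q { int msix_index; int pending; struct list_head list; };

static void list_add_tail(struct list_head *n, struct list_head *head) {
    n->next = head; n->prev = head->prev;
    head->prev->next = n; head->prev = n;
}

/* Stand-in for _base_process_reply_queue(): drains one queue, returns count. */
static int process_reply_queue(struct reply_q *q) {
    int done = q->pending;
    q->pending = 0;
    return done;
}

/* Buggy shape: the iterator is consulted after the loop ends. At that point
 * q == container_of(head, ...), i.e. memory that is not a reply_q at all.
 * The driver dereferenced it; this model only reports whether q still
 * refers to a genuine entry (1 = pointer is invalid), without touching it. */
static int sync_reply_irqs_buggy(struct list_head *head) {
    struct reply_q *q;
    list_for_each_entry(q, head, list) { /* wait for each queue's IRQ */ }
    return (uintptr_t)q + offsetof(struct reply_q, list) == (uintptr_t)head;
}

/* Fixed shape (what the upstream fix does): process each queue inside the
 * loop, while the iterator still points at a live entry. Returns total drained. */
static int sync_reply_irqs_fixed(struct list_head *head) {
    struct reply_q *q;
    int total = 0;
    list_for_each_entry(q, head, list)
        total += process_reply_queue(q);
    return total;
}
```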

Potential Impact

For European organizations, the impact of CVE-2022-48835 primarily centers on availability and system stability. Organizations relying on Linux servers with SAS storage devices managed by the mpt3sas driver, common in enterprise storage arrays and data center environments, may experience unexpected kernel crashes or system hangs during storage error recovery. This can disrupt critical services, cause data unavailability, and require system reboots, impacting business continuity. Industries with high storage demands such as finance, telecommunications, healthcare, and cloud service providers are particularly at risk. While the vulnerability does not directly expose confidentiality or integrity risks, the resulting denial of service could indirectly affect data access and operational reliability. Given the Linux kernel's widespread use in European data centers and infrastructure, unpatched systems could face increased downtime and operational costs. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to prevent potential exploitation or accidental triggering during storage errors.

Mitigation Recommendations

European organizations should apply the official Linux kernel patches that correct the pointer handling in the mpt3sas driver as soon as they become available. Until patches are deployed, organizations can mitigate risk by:

1) Monitoring kernel logs for mpt3sas-related errors or page faults to detect early signs of the issue.
2) Avoiding or minimizing operations that trigger LUN resets or task aborts on SAS devices, such as heavy error recovery or device resets.
3) Implementing redundancy and failover mechanisms for critical storage systems to reduce the impact of potential crashes.
4) Testing kernel updates in controlled environments before production deployment to ensure stability.
5) Keeping firmware of SAS controllers and storage arrays up to date, as vendor firmware updates may also address related stability issues.
6) Employing proactive system monitoring and alerting to respond quickly to storage subsystem anomalies.

These steps go beyond generic patching advice by focusing on operational practices that reduce triggering conditions and improve resilience.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-07-16T11:38:08.906Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982ec4522896dcbe6311

Added to database: 5/21/2025, 9:09:02 AM

Last enriched: 6/30/2025, 10:27:19 PM

Last updated: 8/7/2025, 6:43:25 PM

