CVE-2022-49159: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Implement ref count for SRB

The timeout handler and the done function are racing. When qla2x00_async_iocb_timeout() starts to run it can be preempted by the normal response path (via the firmware?). qla24xx_async_gpsc_sp_done() releases the SRB unconditionally. When scheduling back to qla2x00_async_iocb_timeout(), qla24xx_async_abort_cmd() will access a freed sp->qpair pointer:

qla2xxx [0000:83:00.0]-2871:0: Async-gpsc timeout - hdl=63d portid=234500 50:06:0e:80:08:77:b6:21.
qla2xxx [0000:83:00.0]-2853:0: Async done-gpsc res 0, WWPN 50:06:0e:80:08:77:b6:21
qla2xxx [0000:83:00.0]-2854:0: Async-gpsc OUT WWPN 20:45:00:27:f8:75:33:00 speeds=2c00 speed=0400.
qla2xxx [0000:83:00.0]-28d8:0: qla24xx_handle_gpsc_event 50:06:0e:80:08:77:b6:21 DS 7 LS 6 rc 0 login 1|1 rscn 1|0 lid 5
BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
IP: qla24xx_async_abort_cmd+0x1b/0x1c0 [qla2xxx]

The obvious solution to this is to introduce a reference counter. One reference is taken for the normal code path (the 'good' case) and one for the timeout path. As we always race between the normal good case and the timeout/abort handler we need to serialize it. Also we cannot assume any order between the handlers. Since this is slow path we can use proper synchronization via locks.

When we are able to cancel a timer (del_timer returns 1) we know there can't be any error handling in progress because the timeout handler hasn't expired yet, thus we can safely decrement the refcounter by one. If we are not able to cancel the timer, we know an abort handler is running. We have to make sure we call sp->done() in the abort handlers before calling kref_put().
AI Analysis
Technical Summary
CVE-2022-49159 is a vulnerability in the Linux kernel's qla2xxx SCSI driver, which handles QLogic Fibre Channel Host Bus Adapters (HBAs). The issue arises from a race condition between the timeout handler (qla2x00_async_iocb_timeout) and the normal completion function (qla24xx_async_gpsc_sp_done). Specifically, the timeout handler can be preempted by the normal response path, which unconditionally releases the SCSI Request Block (SRB). When the timeout handler resumes, it may access a freed pointer (sp->qpair), leading to a NULL pointer dereference and kernel crash (BUG). This race condition occurs because there is no proper reference counting or synchronization between these two code paths, which can run concurrently. The vulnerability can cause a denial of service (DoS) by crashing the kernel due to the NULL pointer dereference. The proposed fix involves implementing a reference counting mechanism for the SRB, ensuring that one reference is held by the normal completion path and another by the timeout path. Proper locking is introduced to serialize access and prevent concurrent use-after-free scenarios. Additionally, the fix ensures that timers are correctly canceled and references decremented safely, preventing the abort handler from accessing freed memory. This vulnerability affects Linux kernel versions containing the qla2xxx driver with the described code paths, impacting systems using QLogic HBAs for storage connectivity. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
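The reference-counting scheme the fix describes, modelled in userspace as an added example (not the qla2xxx driver's code): an SRB starts with two references, del_timer() decides which path drops the timeout reference, and the abort handler calls sp->done() before its own kref_put(). Both the plain completion and the interleaving from the report (timer fires, a late response arrives, the abort handler then runs) must free the SRB exactly once; the struct, the frees counter and the function names are constructed for the model.

```c
/* Userspace model of the SRB refcount scheme described above (added example, not
 * qla2xxx code): two references, and del_timer() decides which path drops which. */
#include <stdlib.h>
struct srb {
    int refcount;    /* stands in for the kernel kref */
    int timer_armed; /* 1 while the timeout timer is still pending */
    int *frees;      /* constructed bookkeeping: how often this SRB was freed */
};
static struct srb *srb_alloc(int *frees) {
    struct srb *sp = calloc(1, sizeof(*sp));
    sp->refcount = 2; /* one ref for the done path, one for the timeout path */
    sp->timer_armed = 1; sp->frees = frees;
    return sp;
}
/* Models del_timer(): 1 if the timer was still pending and is now cancelled. */
static int srb_del_timer(struct srb *sp) {
    int pending = sp->timer_armed;
    sp->timer_armed = 0;
    return pending;
}
/* Models kref_put(): the SRB is freed only when the last reference drops. */
static void srb_put(struct srb *sp) {
    if (--sp->refcount == 0) { (*sp->frees)++; free(sp); }
}
/* Normal response path. A cancelled timer means the timeout handler can never run,
 * so its reference is dropped here too. If cancelling fails, the abort handler is
 * already running and owns completion, so this path must not touch the SRB again. */
static void srb_response(struct srb *sp) {
    if (!srb_del_timer(sp)) return;
    srb_put(sp); /* timeout path's reference */
    srb_put(sp); /* sp->done(): done path's reference */
}
/* Timeout/abort handler: sp->done() first, then kref_put() for the timeout path. */
static void srb_timeout_handler(struct srb *sp) {
    srb_put(sp); /* sp->done() */
    srb_put(sp); /* kref_put() */
}
/* Replays the plain completion, or the reported interleaving (timer fires, a late
 * response arrives, then the handler runs). Returns the number of frees: exactly 1. */
static int run_scenario(int timer_fires_first) {
    int frees = 0;
    struct srb *sp = srb_alloc(&frees);
    if (timer_fires_first) sp->timer_armed = 0; /* timer expired, handler pending */
    srb_response(sp); /* with an expired timer this is the late response */
    if (timer_fires_first) srb_timeout_handler(sp);
    return frees;
}
```

Without the second reference, the late response in the timer-fires-first ordering would free the SRB while the abort handler still holds sp, which is the sp->qpair dereference in the report.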
Potential Impact
For European organizations, this vulnerability primarily poses a risk of denial of service on Linux servers utilizing QLogic Fibre Channel HBAs, commonly found in enterprise storage area networks (SANs). A successful exploitation could cause kernel crashes, leading to system downtime and potential disruption of critical business applications relying on SAN storage. This is particularly impactful for data centers, cloud providers, financial institutions, and manufacturing sectors that depend on high availability and data integrity. While the vulnerability does not directly lead to privilege escalation or data leakage, the resulting DoS could interrupt operations and cause financial and reputational damage. Recovery from kernel crashes may require system reboots and potential data recovery efforts, increasing operational costs. Given the widespread use of Linux in European enterprise environments and the reliance on SAN infrastructure, the vulnerability's impact is significant for organizations with such hardware configurations.
Mitigation Recommendations
1. Apply the official Linux kernel patches that implement the reference counting and synchronization fixes for the qla2xxx driver as soon as they are available from trusted Linux distributions or kernel maintainers.
2. For organizations unable to immediately patch, consider temporarily disabling or unloading the qla2xxx driver if feasible, or switching to alternative storage connectivity solutions to mitigate risk.
3. Monitor kernel logs for messages related to qla2xxx errors or kernel NULL pointer dereferences that may indicate exploitation attempts or instability.
4. Implement robust system monitoring and alerting to detect unexpected kernel crashes or storage subsystem failures.
5. Maintain up-to-date backups and disaster recovery plans to minimize downtime impact in case of DoS events.
6. Coordinate with hardware vendors and Linux distribution providers to ensure timely updates and support for affected systems.
7. Conduct thorough testing of patches in staging environments to ensure stability before deployment in production.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T01:49:39.276Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982dc4522896dcbe50cd
Added to database: 5/21/2025, 9:09:01 AM
Last enriched: 6/30/2025, 3:39:59 AM
Last updated: 8/6/2025, 6:38:12 PM