CVE-2022-49406 is a vulnerability identified in the Linux kernel related to the block subsystem, specifically within the function blk_ia_range_sysfs_show(). This function is responsible for reading a sysfs attribute that represents a range attribute of a block device. The vulnerability arises from improper locking behavior: the function unnecessarily acquires the queue sysfs lock (mutex_lock) while reading the attribute, despite the sysfs attribute already being protected by the kobject node's active reference counter. This redundant locking can lead to a potential deadlock scenario when the disk device is being removed. The deadlock occurs because two CPUs can acquire locks in conflicting orders—one CPU locks the queue sysfs lock first and then the kobject active reference, while the other CPU does the reverse—resulting in a circular wait condition. The Linux kernel's lock dependency validator (lockdep) can detect this unsafe locking pattern and signal a deadlock (splat) during device removal. The fix for this vulnerability involves removing the unnecessary mutex_lock and mutex_unlock calls from blk_ia_range_sysfs_show(), thereby preventing the deadlock by relying solely on the existing kobject reference counting for protection. This vulnerability affects certain versions of the Linux kernel identified by the commit hash a2247f19ee1c5ad75ef095cdfb909a3244b88aa8. There are no known exploits in the wild at this time, and no CVSS score has been assigned yet.

For European organizations, this vulnerability primarily poses a risk of system instability and potential denial of service (DoS) conditions on Linux-based systems that utilize the affected kernel versions. The deadlock can cause processes interacting with block devices to hang indefinitely during disk removal or sysfs attribute reads, potentially impacting critical storage operations. This can degrade availability of services relying on these block devices, including databases, file servers, and virtualized environments. While it does not directly lead to confidentiality or integrity breaches, the resulting system hangs or crashes could disrupt business operations, especially in environments with high storage device churn or dynamic device management. Organizations running Linux servers, embedded systems, or cloud infrastructure with affected kernels should be aware of this risk. Given the widespread use of Linux in European data centers, cloud providers, and enterprise environments, the impact could be significant if unpatched systems encounter this deadlock scenario during routine device management.

To mitigate this vulnerability, European organizations should prioritize updating their Linux kernel to a version that includes the fix removing the unnecessary queue sysfs lock in blk_ia_range_sysfs_show(). Specifically, applying the patch corresponding to commit a2247f19ee1c5ad75ef095cdfb909a3244b88aa8 or later is essential. Organizations should audit their Linux kernel versions across all systems, including servers, embedded devices, and virtual machines, to identify those running vulnerable versions. For systems where immediate patching is not feasible, operational mitigations include minimizing dynamic removal or hot-plugging of block devices, especially during critical workloads, to reduce the likelihood of triggering the deadlock. Monitoring kernel logs for lockdep warnings or splats related to sysfs locking can help detect attempts to exploit or encounter the deadlock. Additionally, testing kernel updates in staging environments before deployment can ensure stability and compatibility. Finally, organizations should maintain robust backup and recovery procedures to mitigate potential availability impacts from system hangs.