CVE-2022-49537: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Fix call trace observed during I/O with CMF enabled

The following was seen with CMF enabled:

    BUG: using smp_processor_id() in preemptible code: systemd-udevd/31711
    kernel: caller is lpfc_update_cmf_cmd+0x214/0x420 [lpfc]
    kernel: CPU: 12 PID: 31711 Comm: systemd-udevd
    kernel: Call Trace:
    kernel: <TASK>
    kernel: dump_stack_lvl+0x44/0x57
    kernel: check_preemption_disabled+0xbf/0xe0
    kernel: lpfc_update_cmf_cmd+0x214/0x420 [lpfc]
    kernel: lpfc_nvme_fcp_io_submit+0x23b4/0x4df0 [lpfc]

this_cpu_ptr() calls smp_processor_id() in a preemptible context.

Fix by using per_cpu_ptr() with raw_smp_processor_id() instead.
AI Analysis
Technical Summary
CVE-2022-49537 is a vulnerability identified in the Linux kernel, specifically within the lpfc (LightPulse Fibre Channel) driver component. The issue arises when the driver operates with CMF (Command Management Facility) enabled. The vulnerability is related to improper use of CPU identification functions in a preemptible context. Specifically, the function this_cpu_ptr() internally calls smp_processor_id(), which is not safe to use in preemptible code paths. This misuse leads to a kernel BUG triggered during I/O operations, as observed in the systemd-udevd process. The root cause is that smp_processor_id() assumes preemption is disabled, but in this case, it was called in a preemptible context, causing instability. The fix involves replacing this_cpu_ptr() with per_cpu_ptr() combined with raw_smp_processor_id(), which safely retrieves per-CPU data without relying on preemption-disabled assumptions. This correction prevents kernel call traces and potential crashes during I/O operations involving the lpfc driver with CMF enabled. Although no known exploits are reported in the wild, the vulnerability can cause system instability or denial of service due to kernel panics or crashes triggered by the improper CPU ID usage in the driver code.
Potential Impact
For European organizations relying on Linux servers that utilize Fibre Channel storage with the lpfc driver and have CMF enabled, this vulnerability could lead to unexpected kernel crashes or system instability. Such disruptions can affect critical infrastructure, data centers, and enterprise storage environments, potentially causing downtime and impacting availability of services. While the vulnerability does not directly allow remote code execution or privilege escalation, the resulting kernel panics could lead to denial of service conditions. Organizations with high availability requirements, such as financial institutions, healthcare providers, and cloud service operators in Europe, may face operational risks if their Linux kernel versions are affected and not patched. The impact is primarily on system reliability and availability rather than confidentiality or integrity.
Mitigation Recommendations
European organizations should promptly identify Linux systems running the affected lpfc driver with CMF enabled. They should apply the vendor-provided patches or kernel updates that replace the unsafe CPU ID calls with safe alternatives (per_cpu_ptr() and raw_smp_processor_id()). In environments where immediate patching is not feasible, temporarily disabling CMF functionality in the lpfc driver could mitigate the risk of kernel crashes. Additionally, organizations should monitor system logs for kernel call traces or BUG messages related to lpfc and systemd-udevd processes as indicators of this issue. Implementing robust kernel crash recovery and system monitoring will help minimize downtime. Testing patches in staging environments before deployment is recommended to ensure compatibility and stability.
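The log monitoring recommended above can be automated by pairing each preemption BUG header with the "caller is" line that follows it and keeping only reports whose caller lives in the lpfc module. The sketch below is an added example, not code from the advisory or the kernel project; the function name find_preempt_bugs, the lookahead window, and the example_fn/example_mod log lines are assumptions made for illustration.

```python
import re

# BUG header printed by the kernel's preemption debug check. The bracketed
# preempt-count field is optional here because the advisory's trace omits it.
BUG_RE = re.compile(
    r"BUG: using smp_processor_id\(\) in preemptible "
    r"(?:\[[0-9a-f]+\] )?code: (?P<comm>.+)/(?P<pid>\d+)\s*$"
)
# Follow-up line naming the caller: symbol+offset/size and an optional [module].
CALLER_RE = re.compile(
    r"caller is (?P<symbol>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<module>\w+)\])?"
)

def find_preempt_bugs(lines, module="lpfc", lookahead=3):
    """Return one dict per BUG report whose caller is in `module`."""
    hits = []
    for i, line in enumerate(lines):
        bug = BUG_RE.search(line)
        if not bug:
            continue
        # The caller line normally follows directly; tolerate interleaved lines.
        for follow in lines[i + 1 : i + 1 + lookahead]:
            caller = CALLER_RE.search(follow)
            if caller:
                if caller.group("module") == module:
                    hits.append({
                        "comm": bug.group("comm"),
                        "pid": int(bug.group("pid")),
                        "symbol": caller.group("symbol"),
                    })
                break
    return hits

# Sample input: the first six lines come from the trace in the advisory,
# the last three are constructed to show a non-lpfc report being ignored.
SAMPLE_LOG = """\
BUG: using smp_processor_id() in preemptible code: systemd-udevd/31711
kernel: caller is lpfc_update_cmf_cmd+0x214/0x420 [lpfc]
kernel: CPU: 12 PID: 31711 Comm: systemd-udevd
kernel: Call Trace:
kernel: check_preemption_disabled+0xbf/0xe0
kernel: lpfc_update_cmf_cmd+0x214/0x420 [lpfc]
kernel: BUG: using smp_processor_id() in preemptible code: kworker/u8:2/412
kernel: caller is example_fn+0x10/0x40 [example_mod]
kernel: lpfc 0000:3b:00.0: link up (constructed, unrelated line)
""".splitlines()

if __name__ == "__main__":
    for hit in find_preempt_bugs(SAMPLE_LOG):
        print(f"lpfc preemption BUG in {hit['symbol']}: {hit['comm']} (pid {hit['pid']})")
```

On a live host the same function can be fed the lines of the kernel log instead of the embedded sample.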
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:08:31.589Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe43b1
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 10:10:09 PM
Last updated: 8/16/2025, 10:49:23 AM