Bug 2347665 (CVE-2022-49118) - CVE-2022-49118 kernel: scsi: hisi_sas: Free irq vectors in order for v3 HW
Summary: CVE-2022-49118 kernel: scsi: hisi_sas: Free irq vectors in order for v3 HW
Keywords:
Status: NEW
Alias: CVE-2022-49118
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-02-26 03:02 UTC by OSIDB Bzimport
Modified: 2025-02-26 16:04 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-02-26 03:02:26 UTC 
In the Linux kernel, the following vulnerability has been resolved:

scsi: hisi_sas: Free irq vectors in order for v3 HW

If the driver probe fails to request the channel IRQ or fatal IRQ, the
driver will free the IRQ vectors before freeing the IRQs in free_irq(),
and this will cause a kernel BUG like this:

------------[ cut here ]------------
kernel BUG at drivers/pci/msi.c:369!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Call trace:
   free_msi_irqs+0x118/0x13c
   pci_disable_msi+0xfc/0x120
   pci_free_irq_vectors+0x24/0x3c
   hisi_sas_v3_probe+0x360/0x9d0 [hisi_sas_v3_hw]
   local_pci_probe+0x44/0xb0
   work_for_cpu_fn+0x20/0x34
   process_one_work+0x1d0/0x340
   worker_thread+0x2e0/0x460
   kthread+0x180/0x190
   ret_from_fork+0x10/0x20
---[ end trace b88990335b610c11 ]---

So we use devm_add_action() to control the order in which we free the
vectors.
Comment 2 Mauro Matteo Cascella 2025-02-26 15:43:38 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022603-CVE-2022-49118-e2fa@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.