PT-2025-8087 · Linux · Linux Kernel

Published: 2022-01-01 · Updated: 2025-09-23 · CVE-2022-49159

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)
Description: A race condition exists between the timeout handler and the done function in the Linux kernel's qla2xxx module. It can lead to a NULL pointer dereference when qla24xx_async_abort_cmd() accesses a freed sp->qpair pointer: qla24xx_async_gpsc_sp_done() releases the SRB unconditionally, so when the timeout handler is scheduled back it touches the already freed pointer. The issue is resolved by introducing a reference counter that serializes access to the SRB and removes the race.
Recommendations: To resolve this issue, introduce a reference counter for the SRB in the qla2xxx module. Take one reference for the normal code path and one for the timeout path, and use proper synchronization via locks to ensure exclusive access. When cancelling the timer, drop the timeout path's reference only if del_timer() returns 1, which indicates the timer was still pending and no error handling is in progress. If the timer cannot be cancelled, ensure sp->done() is called in the abort handlers before calling kref_put().
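The lifetime rule the Description and Recommendations describe, as an added userspace model (not the qla2xxx driver's code; every name below is invented for the illustration): the SRB carries one reference for the completion path and one for the timeout path, del_timer()'s return value decides who drops the timer's reference, and the release callback runs exactly once. The model also runs the pre-fix behaviour (unconditional release in the done function) through the same interleavings so the freed-pointer access the advisory describes shows up as a counter rather than a crash.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the advisory's refcount pattern. Stand-ins:
 * srb_get/srb_put -> kref_get/kref_put, srb_del_timer -> del_timer(),
 * srb_release -> the kref release callback, srb_done -> sp->done(). */

struct qpair { int id; };

struct srb {
    int refcount;        /* kref stand-in */
    bool timer_armed;    /* timer pending and not yet fired: del_timer() would return 1 */
    bool done_called;    /* sp->done() must run exactly once */
    bool freed;          /* set by srb_release(); memory is kept so misuse is detectable */
    struct qpair *qpair; /* the pointer the original bug read after free */
};

struct outcome {
    int frees;           /* times the release callback ran (must be 1) */
    int done_calls;      /* times sp->done() ran (must be 1) */
    int freed_derefs;    /* reads of sp->qpair after release (must be 0) */
};

static struct outcome out;

/* Every read of sp->qpair goes through here so a post-release read is counted. */
static struct qpair *srb_qpair(struct srb *sp)
{
    if (sp->freed) out.freed_derefs++;
    return sp->qpair;
}

static void srb_release(struct srb *sp)          /* kref release callback */
{
    sp->freed = true;
    sp->qpair = NULL;
    out.frees++;
}

static void srb_get(struct srb *sp) { sp->refcount++; }
static void srb_put(struct srb *sp) { if (--sp->refcount == 0) srb_release(sp); }

static int srb_del_timer(struct srb *sp)         /* del_timer(): 1 if it was still pending */
{
    int was_armed = sp->timer_armed;
    sp->timer_armed = false;
    return was_armed;
}

static void srb_done(struct srb *sp)             /* sp->done(), idempotent */
{
    if (!sp->done_called) { sp->done_called = true; out.done_calls++; }
}

/* Completion side. refcounted=false reproduces the pre-fix unconditional release. */
static void path_complete(struct srb *sp, bool refcounted)
{
    int cancelled = srb_del_timer(sp);
    if (!refcounted) {            /* old behaviour: free regardless of the timer state */
        srb_done(sp);
        srb_release(sp);
        return;
    }
    if (cancelled)                /* timer never fires, so drop the timeout path's reference */
        srb_put(sp);
    srb_done(sp);
    srb_put(sp);                  /* the completion path's own reference */
}

/* The timer core marks the timer as running: from here on del_timer() returns 0. */
static void timer_fire(struct srb *sp) { sp->timer_armed = false; }

/* Timeout/abort handler body, possibly running after completion already finished. */
static void timeout_body(struct srb *sp, bool refcounted)
{
    struct qpair *qp = srb_qpair(sp);   /* safe only while a reference is still held */
    (void)qp;
    srb_done(sp);                       /* advisory: done() before kref_put() in the abort path */
    if (refcounted) srb_put(sp);
}

enum interleaving { COMPLETE_FIRST, TIMEOUT_FIRST, TIMEOUT_RACING };

/* Run one interleaving and report what happened to the SRB. */
struct outcome run_scenario(bool refcounted, enum interleaving il)
{
    static struct qpair qp = { 7 };
    struct srb sp = { 1, true, false, false, &qp };  /* constructed SRB, one reference */
    out = (struct outcome){0, 0, 0};
    if (refcounted) srb_get(&sp);                    /* second reference for the timeout path */
    switch (il) {
    case COMPLETE_FIRST:  path_complete(&sp, refcounted); break;   /* timer cancelled */
    case TIMEOUT_FIRST:   timer_fire(&sp); timeout_body(&sp, refcounted);
                          path_complete(&sp, refcounted); break;
    case TIMEOUT_RACING:  timer_fire(&sp); path_complete(&sp, refcounted);
                          timeout_body(&sp, refcounted); break;   /* the CVE interleaving */
    }
    return out;
}

int main(void)
{
    const char *names[] = { "complete-first", "timeout-first", "timeout-racing" };
    for (int rc = 0; rc < 2; rc++)
        for (int il = 0; il < 3; il++) {
            struct outcome o = run_scenario(rc, (enum interleaving)il);
            printf("%-10s %-15s frees=%d done=%d freed_derefs=%d\n",
                   rc ? "refcount" : "pre-fix", names[il], o.frees, o.done_calls, o.freed_derefs);
        }
    return 0;
}
```

The TIMEOUT_RACING case is the one the advisory describes: the timer callback has started (so del_timer() returns 0), the done function runs to completion, and only then does the timeout body read sp->qpair. Without the second reference the read lands on a released SRB; with it, the completion path's kref_put() leaves the object alive until the timeout path drops the last reference.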

Exploit

Fix

NULL Pointer Dereference

Memory Leak


Weakness Enumeration

Related Identifiers

BDU:2026-01532
CVE-2022-49159
OPENSUSE-SU-2025_1263-1
SUSE-SU-2025:1027-1
SUSE-SU-2025:1176-1
SUSE-SU-2025:1183-1
SUSE-SU-2025:1194-1
SUSE-SU-2025:1241-1
SUSE-SU-2025:1263-1
SUSE-SU-2025:1293-1
SUSE-SU-2025_1027-1
SUSE-SU-2025_1241-1
SUSE-SU-2025_1263-1
SUSE-SU-2025_1293-1

Affected Products

Astra Linux
Debian
Linux Kernel
Suse