PT-2025-8437 · Linux+3 · Linux Kernel+3

Published 2022-01-01 · Updated 2026-05-26 · CVE-2022-49504

CVSS v3.1: 5.5 Medium

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A vulnerability has been identified in the scsi: lpfc component of the Linux kernel. It occurs when an external loopback plug is inserted and then removed, and a normal cable directly connected to a target device is then inserted. This sequence of events can crash the system in the lpfc_set_rrq_active() routine. The cause is a mix-up in reference counting: the completion of a new FLOGI releases the fabric ndlp, and the subsequent completion of the original ABTS then references the released ndlp, which crashes the system. The issue is resolved by no-op'ing the ABTS when in loopback mode.

Recommendations

As a temporary workaround, consider disabling the lpfc_set_rrq_active() function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Infinite Loop

Weakness Enumeration

Related Identifiers

ALSA-2025_16880
AZL-68624
BDU:2026-02065
CVE-2022-49504
OPENSUSE-SU-2025_1263-1
RHSA-2022:8267
RHSA-2022_8267
SUSE-SU-2025:01600-1
SUSE-SU-2025:1027-1
SUSE-SU-2025:1176-1
SUSE-SU-2025:1183-1
SUSE-SU-2025:1194-1
SUSE-SU-2025:1241-1
SUSE-SU-2025:1263-1
SUSE-SU-2025_01600-1
SUSE-SU-2025_1027-1
SUSE-SU-2025_1241-1
SUSE-SU-2025_1263-1

Affected Products

Debian
Linux Kernel
Red Hat
Suse