CVE-2022-49701

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to the version that includes the fix for the issue described

Description A vulnerability in the Linux kernel has been resolved, related to the ibmvfc driver. The issue arises from the allocation and freeing of sub-queue and event pool resources for every CRQ connection event, such as reset and LPM. This leads to inefficiency, potential allocation failures under memory pressure, and a race window where command submission/completion can try to access an event pool that is being deleted. An example of list corruption following a live partition migration (LPM) is provided, resulting in an Oops exception in kernel mode.

Recommendations For Linux kernel versions prior to the version that includes the fix, consider applying the patch that adds registration/deregistration helpers to sanitize and reconfigure the queues during connection resets, instead of allocating and freeing resources for every CRQ connection event. As a temporary workaround, consider disabling the ibmvfc driver until a patch is available. Restrict access to the vulnerable ibmvfc module to minimize the risk of exploitation. Avoid using the affected API endpoints related to the ibmvfc driver until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.