CVE-2022-49789

EUVD-2025-12993

01.05.2025, 15:16

In the Linux kernel, the following vulnerability has been resolved:

scsi: zfcp: Fix double free of FSF request when qdio send fails

We used to use the wrong type of integer in 'zfcp_fsf_req_send()' to cache
the FSF request ID when sending a new FSF request. This is used in case the
sending fails and we need to remove the request from our internal hash
table again (so we don't keep an invalid reference and use it when we free
the request again).

In 'zfcp_fsf_req_send()' we used to cache the ID as 'int' (signed and 32
bit wide), but the rest of the zfcp code (and the firmware specification)
handles the ID as 'unsigned long'/'u64' (unsigned and 64 bit wide [s390x
ELF ABI]).  For one this has the obvious problem that when the ID grows
past 32 bit (this can happen reasonably fast) it is truncated to 32 bit
when storing it in the cache variable and so doesn't match the original ID
anymore.  The second less obvious problem is that even when the original ID
has not yet grown past 32 bit, as soon as the 32nd bit is set in the
original ID (0x80000000 = 2'147'483'648) we will have a mismatch when we
cast it back to 'unsigned long'. As the cached variable is of a signed
type, the compiler will choose a sign-extending instruction to load the 32
bit variable into a 64 bit register (e.g.: 'lgf %r11,188(%r15)'). So once
we pass the cached variable into 'zfcp_reqlist_find_rm()' to remove the
request again all the leading zeros will be flipped to ones to extend the
sign and won't match the original ID anymore (this has been observed in
practice).

If we can't successfully remove the request from the hash table again after
'zfcp_qdio_send()' fails (this happens regularly when zfcp cannot notify
the adapter about new work because the adapter is already gone during
e.g. a ChpID toggle) we will end up with a double free.  We unconditionally
free the request in the calling function when 'zfcp_fsf_req_send()' fails,
but because the request is still in the hash table we end up with a stale
memory reference, and once the zfcp adapter is either reset during recovery
or shutdown we end up freeing the same memory twice.

The resulting stack traces vary depending on the kernel and have no direct
correlation to the place where the bug occurs. Here are three examples that
have been seen in practice:

  list_del corruption. next->prev should be 00000001b9d13800, but was 00000000dead4ead. (next=00000001bd131a00)
  ------------[ cut here ]------------
  kernel BUG at lib/list_debug.c:62!
  monitor event: 0040 ilc:2 [#1] PREEMPT SMP
  Modules linked in: ...
  CPU: 9 PID: 1617 Comm: zfcperp0.0.1740 Kdump: loaded
  Hardware name: ...
  Krnl PSW : 0704d00180000000 00000003cbeea1f8 (__list_del_entry_valid+0x98/0x140)
             R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3
  Krnl GPRS: 00000000916d12f1 0000000080000000 000000000000006d 00000003cb665cd6
             0000000000000001 0000000000000000 0000000000000000 00000000d28d21e8
             00000000d3844000 00000380099efd28 00000001bd131a00 00000001b9d13800
             00000000d3290100 0000000000000000 00000003cbeea1f4 00000380099efc70
  Krnl Code: 00000003cbeea1e8: c020004f68a7        larl    %r2,00000003cc8d7336
             00000003cbeea1ee: c0e50027fd65        brasl   %r14,00000003cc3e9cb8
            #00000003cbeea1f4: af000000            mc      0,0
            >00000003cbeea1f8: c02000920440        larl    %r2,00000003cd12aa78
             00000003cbeea1fe: c0e500289c25        brasl   %r14,00000003cc3fda48
             00000003cbeea204: b9040043            lgr     %r4,%r3
             00000003cbeea208: b9040051            lgr     %r5,%r1
             00000003cbeea20c: b9040032            lgr     %r3,%r2
  Call Trace:
   [<00000003cbeea1f8>] __list_del_entry_valid+0x98/0x140
  ([<00000003cbeea1f4>] __list_del_entry_valid+0x94/0x140)
   [<000003ff7ff502fe>] zfcp_fsf_req_dismiss_all+0xde/0x150 [zfcp]
   [<000003ff7ff49cd0>] zfcp_erp_strategy_do_action+0x160/0x280 [zfcp]
---truncated---

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 19%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	2.6.34 ≤ 𝑥 < 5.4.225
linux	linux_kernel	5.5 ≤ 𝑥 < 5.10.156
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.80
linux	linux_kernel	5.16 ≤ 𝑥 < 6.0.10
linux	linux_kernel	6.1:rc1
linux	linux_kernel	6.1:rc2
linux	linux_kernel	6.1:rc3
linux	linux_kernel	6.1:rc4
linux	linux_kernel	6.1:rc5

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.129-1 fixed
bookworm (security)	6.1.135-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.234-1 fixed
sid	6.12.25-1 fixed
trixie	6.12.22-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-allwinner-5.19

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-aws

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-aws-5.0

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.19

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-aws-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.4

bionic	needs-triage
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-6.2

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-aws-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-aws-6.8

focal	dne
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-aws-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-aws-hwe

focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne
xenial	needs-triage

linux-azure

bionic	ignored
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-azure-4.15

bionic	needs-triage
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.19

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.4

bionic	needs-triage
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-6.11

focal	dne
jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-azure-6.2

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-6.8

focal	dne
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-azure-edge

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-fde

focal	ignored
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-azure-fde-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-fde-5.19

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-fde-6.2

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-azure-nvidia

focal	dne
jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-bluefield

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne
xenial	needs-triage

linux-gcp

bionic	ignored
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
xenial	needs-triage

linux-gcp-4.15

bionic	needs-triage
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.19

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.4

bionic	needs-triage
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-6.11

focal	dne
jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-gcp-6.2

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-gcp-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-gcp-6.8

focal	dne
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-gcp-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-gke

focal	ignored
jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-gke-4.15

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gke-5.15

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gke-5.4

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gkeop

focal	ignored
jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-gkeop-5.15

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gkeop-5.4

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne
xenial	needs-triage

linux-hwe-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.19

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.4

bionic	needs-triage
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-6.11

focal	dne
jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-hwe-6.2

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-hwe-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-hwe-6.8

focal	dne
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-hwe-edge

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne
xenial	ignored

linux-ibm

focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-ibm-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-ibm-5.4

bionic	needs-triage
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-intel-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-intel-iot-realtime

focal	dne
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-intel-iotg

focal	dne
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-intel-iotg-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-iot

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-kvm

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne
xenial	needs-triage

linux-lowlatency

focal	dne
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	dne

linux-lowlatency-hwe-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-lowlatency-hwe-5.19

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-lowlatency-hwe-6.11

focal	dne
jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-lowlatency-hwe-6.2

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-lowlatency-hwe-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-lowlatency-hwe-6.8

focal	dne
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-lts-xenial

focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne
trusty	needs-triage

linux-nvidia

focal	dne
jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-nvidia-6.2

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-nvidia-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-nvidia-6.8

focal	dne
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-nvidia-lowlatency

focal	dne
jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-nvidia-tegra

focal	dne
jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-nvidia-tegra-igx

focal	dne
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-oem

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-5.10

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-5.14

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-5.17

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oem-5.6

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-6.0

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oem-6.1

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oem-6.11

focal	dne
jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-oem-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oem-6.8

focal	dne
jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-oracle

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
xenial	needs-triage

linux-oracle-5.0

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.4

bionic	needs-triage
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oracle-6.8

focal	dne
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-raspi

focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage

linux-raspi-5.4

bionic	needs-triage
focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-raspi-realtime

focal	dne
jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-raspi2

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-realtime

focal	dne
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage

linux-riscv

focal	ignored
jammy	ignored
noble	needs-triage
oracular	needs-triage
plucky	needs-triage

linux-riscv-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-riscv-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-riscv-5.19

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-riscv-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-riscv-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-riscv-6.8

focal	dne
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-starfive-5.19

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-starfive-6.2

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-starfive-6.5

focal	dne
jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-xilinx-zynqmp

focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

Common Weakness Enumeration

CWE-415 - Double Free
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

References

https://git.kernel.org/stable/c/0954256e970ecf371b03a6c9af2cf91b9c4085ff

https://git.kernel.org/stable/c/11edbdee4399401f533adda9bffe94567aa08b96

https://git.kernel.org/stable/c/1bf8ed585501bb2dd0b5f67c824eab45adfbdccd

https://git.kernel.org/stable/c/90a49a6b015fa439cd62e45121390284c125a91f

https://git.kernel.org/stable/c/d2c7d8f58e9cde8ac8d1f75e9d66c2a813ffe0ab