CVE-2022-49703

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: ibmvfc: Store vhost pointer during subcrq allocation<br /> <br /> Currently the back pointer from a queue to the vhost adapter isn&amp;#39;t set<br /> until after subcrq interrupt registration. The value is available when a<br /> queue is first allocated and can/should be also set for primary and async<br /> queues as well as subcrqs.<br /> <br /> This fixes a crash observed during kexec/kdump on Power 9 with legacy XICS<br /> interrupt controller where a pending subcrq interrupt from the previous<br /> kernel can be replayed immediately upon IRQ registration resulting in<br /> dereference of a garbage backpointer in ibmvfc_interrupt_scsi().<br /> <br /> Kernel attempted to read user page (58) - exploit attempt? (uid: 0)<br /> BUG: Kernel NULL pointer dereference on read at 0x00000058<br /> Faulting instruction address: 0xc008000003216a08<br /> Oops: Kernel access of bad area, sig: 11 [#1]<br /> ...<br /> NIP [c008000003216a08] ibmvfc_interrupt_scsi+0x40/0xb0 [ibmvfc]<br /> LR [c0000000082079e8] __handle_irq_event_percpu+0x98/0x270<br /> Call Trace:<br /> [c000000047fa3d80] [c0000000123e6180] 0xc0000000123e6180 (unreliable)<br /> [c000000047fa3df0] [c0000000082079e8] __handle_irq_event_percpu+0x98/0x270<br /> [c000000047fa3ea0] [c000000008207d18] handle_irq_event+0x98/0x188<br /> [c000000047fa3ef0] [c00000000820f564] handle_fasteoi_irq+0xc4/0x310<br /> [c000000047fa3f40] [c000000008205c60] generic_handle_irq+0x50/0x80<br /> [c000000047fa3f60] [c000000008015c40] __do_irq+0x70/0x1a0<br /> [c000000047fa3f90] [c000000008016d7c] __do_IRQ+0x9c/0x130<br /> [c000000014622f60] [0000000020000000] 0x20000000<br /> [c000000014622ff0] [c000000008016e50] do_IRQ+0x40/0xa0<br /> [c000000014623020] [c000000008017044] replay_soft_interrupts+0x194/0x2f0<br /> [c000000014623210] [c0000000080172a8] arch_local_irq_restore+0x108/0x170<br /> [c000000014623240] [c000000008eb1008] _raw_spin_unlock_irqrestore+0x58/0xb0<br /> [c000000014623270] [c00000000820b12c] __setup_irq+0x49c/0x9f0<br /> [c000000014623310] [c00000000820b7c0] request_threaded_irq+0x140/0x230<br /> [c000000014623380] [c008000003212a50] ibmvfc_register_scsi_channel+0x1e8/0x2f0 [ibmvfc]<br /> [c000000014623450] [c008000003213d1c] ibmvfc_init_sub_crqs+0xc4/0x1f0 [ibmvfc]<br /> [c0000000146234d0] [c0080000032145a8] ibmvfc_reset_crq+0x150/0x210 [ibmvfc]<br /> [c000000014623550] [c0080000032147c8] ibmvfc_init_crq+0x160/0x280 [ibmvfc]<br /> [c0000000146235f0] [c00800000321a9cc] ibmvfc_probe+0x2a4/0x530 [ibmvfc]