CVE-2022-49537: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49537 affects the Linux kernel's SCSI lpfc driver when CMF (Capability Management Framework) is enabled. The vulnerability was discovered when a call trace was observed during I/O operations, specifically related to improper usage of smp_processor_id() in preemptible code contexts (Kernel Git).

The vulnerability stems from the improper use of this_cpu_ptr() which calls smp_processor_id() in a preemptible context within the lpfc driver. The issue manifests in the lpfc_update_cmf_cmd function, causing a bug when the system attempts to access per-CPU data structures. The call trace shows the error occurring in systemd-udevd process with PID 31711 on CPU 12, specifically in the lpfc_update_cmf_cmd+0x214/0x420 [lpfc] function call chain (Kernel Git).

When exploited, this vulnerability can cause system instability and potential crashes due to improper CPU data structure access in preemptible code contexts. The issue specifically affects systems running the Linux kernel with the lpfc driver and CMF enabled (Ubuntu Security).

The issue has been fixed by replacing this_cpu_ptr() with per_cpu_ptr() using raw_smp_processor_id() instead. This change ensures proper access to per-CPU data structures in preemptible contexts. The fix has been implemented in the kernel source code and is available through system updates (Kernel Git).