DEBIAN-CVE-2022-50818

In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix runningreq for internal abort commands Disabling the remote phy for a SATA disk causes a hang: root@(none)$ more /sys/class/sasphy/phy-0:0:8/targetportprotocols sata root@(none)$ echo 0 > sys/class/sasphy/phy-0:0:8/enable root@(none)$ [ 67.855950] sas: ex 500e004aaaaaaa1f phy08 change count has changed [ 67.920585] sd 0:0:2:0: [sdc] Synchronizing SCSI cache [ 67.925780] sd 0:0:2:0: [sdc] Synchronize Cache(10) failed: Result: hostbyte=0x04 driverbyte=DRIVEROK [ 67.935094] sd 0:0:2:0: [sdc] Stopping disk [ 67.939305] sd 0:0:2:0: [sdc] Start/Stop Unit failed: Result: hostbyte=0x04 driverbyte=DRIVEROK ... [ 123.998998] INFO: task kworker/u192:1:642 blocked for more than 30 seconds. [ 124.005960] Not tainted 6.0.0-rc1-205202-gf26f8f761e83 #218 [ 124.012049] "echo 0 > /proc/sys/kernel/hungtasktimeoutsecs" disables this message. [ 124.019872] task:kworker/u192:1 state:D stack:0 pid: 642 ppid: 2 flags:0x00000008 [ 124.028223] Workqueue: 0000:04:00.0eventq sasporteventworker [ 124.034319] Call trace: [ 124.036758] _switchto+0x128/0x278 [ 124.040333] _schedule+0x434/0xa58 [ 124.043820] schedule+0x94/0x138 [ 124.047045] scheduletimeout+0x2fc/0x368 [ 124.051052] waitforcompletion+0xdc/0x200 [ 124.055234] _flushworkqueue+0x1a8/0x708 [ 124.059328] sasportebroadcastrcvd+0xa8/0xc0 [ 124.063858] sasporteventworker+0x60/0x98 [ 124.068126] processonework+0x3f8/0x660 [ 124.072134] workerthread+0x70/0x700 [ 124.075793] kthread+0x1a4/0x1b8 [ 124.079014] retfromfork+0x10/0x20 The issue is that the per-device runningreq read in pm8001devgonenotify() never goes to zero and we never make progress. This is caused by missing accounting for runningreq for when an internal abort command completes. In commit 2cbbf489778e ("scsi: pm8001: Use libsas internal abort support") we started to send internal abort commands as a proper sastask. In this when we deliver a sastask to HW the per-device runningreq is incremented in pm8001queuecommand(). However it is never decremented for internal abort commnds, so decrement in pm8001mpitaskabortresp().