CVE-2022-50636
Description
In the Linux kernel, the following vulnerability has been resolved:
PCI: Fix pci_device_is_present() for VFs by checking PF
pci_device_is_present() previously didn't work for VFs because it reads the Vendor and Device ID, which are 0xffff for VFs, which looks like they aren't present. Check the PF instead.
Wei Gong reported that if virtio I/O is in progress when the driver is unbound or "0" is written to /sys/.../sriov_numvfs, the virtio I/O operation hangs, which may result in output like this:
task:bash state:D stack: 0 pid: 1773 ppid: 1241 flags:0x00004002
Call Trace:
  schedule+0x4f/0xc0
  blk_mq_freeze_queue_wait+0x69/0xa0
  blk_mq_freeze_queue+0x1b/0x20
  blk_cleanup_queue+0x3d/0xd0
  virtblk_remove+0x3c/0xb0 [virtio_blk]
  virtio_dev_remove+0x4b/0x80
  ...
  device_unregister+0x1b/0x60
  unregister_virtio_device+0x18/0x30
  virtio_pci_remove+0x41/0x80
  pci_device_remove+0x3e/0xb0
This happened because pci_device_is_present(VF) returned "false" in virtio_pci_remove(), so it called virtio_break_device(). The broken vq meant that vring_interrupt() skipped the vq.callback() that would have completed the virtio I/O operation via virtblk_done().
[bhelgaas: commit log, simplify to always use pci_physfn(), add stable tag]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
pci_device_is_present() incorrectly returns false for VFs, causing device removal hangs and I/O timeouts.
Root Cause
The pci_device_is_present() function in the Linux kernel failed to correctly detect Virtual Functions (VFs) because it reads the Vendor and Device ID registers, which return 0xffff for VFs (indicating 'not present'). This caused the function to always return false for VFs, even when the underlying Physical Function (PF) was present and operational [1].
Exploitation Scenario
An attacker with the ability to trigger device removal—for example, by unbinding a driver or writing "0" to /sys/.../sriov_numvfs—could exploit this bug. When pci_device_is_present(VF) returns false during removal, the kernel calls virtio_break_device(), which breaks the virtqueues. This prevents the interrupt handler from completing pending I/O operations, leading to a hang in the block layer (e.g., blk_mq_freeze_queue_wait) [1].
Impact
The bug results in a denial-of-service condition: the system becomes unresponsive as processes (such as bash) enter an uninterruptible sleep state (D state) waiting for I/O to complete. The call trace shows a hang in virtblk_remove() and blk_cleanup_queue(), effectively freezing storage I/O for affected virtio devices [1].
Mitigation
The fix modifies pci_device_is_present() to always check the PF when called on a VF, using pci_physfn(). This ensures correct presence detection and prevents the spurious device break. The patch has been merged into the Linux kernel stable tree and is available in commits such as 99ef6cc79158, 518573988a2f, and 67fd41bbb0f5 [1][2][3]. Users should apply the latest stable kernel updates.
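The presence check before and after the fix, as a user-space C model added here for illustration; it is not the kernel patch. The struct, the model_* helpers, the scenario function and the 0x1af4 sample vendor ID are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* User-space model; names are hypothetical stand-ins for the kernel's
 * struct pci_dev, pci_physfn() and the Vendor ID config read. */
struct model_pci_dev {
    bool is_virtfn;                /* true for an SR-IOV VF */
    struct model_pci_dev *physfn;  /* owning PF, set only for VFs */
    bool disconnected;             /* device really is gone */
    uint16_t hw_vendor_id;         /* ID the PF hardware implements */
};

/* Vendor ID read: VFs return 0xffff, as the description states; a
 * device that is really gone also reads as all ones. */
static uint16_t model_read_vendor_id(const struct model_pci_dev *d)
{
    if (d->disconnected || d->is_virtfn)
        return 0xffff;
    return d->hw_vendor_id;
}

/* Model of pci_physfn(): a VF maps to its PF, anything else to itself. */
static const struct model_pci_dev *model_physfn(const struct model_pci_dev *d)
{
    return (d->is_virtfn && d->physfn) ? d->physfn : d;
}

/* Pre-fix behaviour: probe the device itself, so every VF looks absent. */
bool present_before_fix(const struct model_pci_dev *d)
{
    return model_read_vendor_id(d) != 0xffff;
}

/* Post-fix behaviour: resolve to the PF first, then probe. */
bool present_after_fix(const struct model_pci_dev *d)
{
    return model_read_vendor_id(model_physfn(d)) != 0xffff;
}

/* Constructed scenario: one PF with one VF. Returns whether the removal
 * path would mark the VF's virtqueues broken (device reported absent). */
bool vf_remove_breaks_vq(bool pf_disconnected, bool fixed)
{
    struct model_pci_dev pf = { .disconnected = pf_disconnected, .hw_vendor_id = 0x1af4 };
    struct model_pci_dev vf = { .is_virtfn = true, .physfn = &pf };
    return !(fixed ? present_after_fix(&vf) : present_before_fix(&vf));
}
```

With a healthy PF, only the pre-fix check reports the VF as absent; when the PF is actually gone, both versions still report the VF as absent, so real removals continue to break the virtqueues.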
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches
f4b44c7766da, 643d77fda08d, 65bd0962992a, 99ef6cc79158, 67fd41bbb0f5, 81565e51ccaf, 518573988a2f, 98b04dd0b457
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/518573988a2f14f517403db2ece5ddaefba21e94 (nvd)
- git.kernel.org/stable/c/643d77fda08d06f863af35e80a7e517ea61d9629 (nvd)
- git.kernel.org/stable/c/65bd0962992abd42e77a05e68c7b40e7c73726d1 (nvd)
- git.kernel.org/stable/c/67fd41bbb0f51aa648a47f728b99e6f1fa2ccc34 (nvd)
- git.kernel.org/stable/c/81565e51ccaf6fff8910e997ee22e16b5e1dabc3 (nvd)
- git.kernel.org/stable/c/98b04dd0b4577894520493d96bc4623387767445 (nvd)
- git.kernel.org/stable/c/99ef6cc791584495987dd11b14769b450dfa5820 (nvd)
- git.kernel.org/stable/c/f4b44c7766dae2b8681f621941cabe9f14066d59 (nvd)