CVE-2022-49607

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49607
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49607.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49607
Published
2025-02-26T07:01:36Z
Modified
2025-03-13T22:49:46.220249Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

perf/core: Fix data race between perf_event_set_output() and perf_mmap_close()

Yang Jihing reported a race between perf_event_set_output() and perf_mmap_close():

CPU1                    CPU2

perf_mmap_close(e2)
  if (atomic_dec_and_test(&e2->rb->mmap_count)) // 1 -> 0
    detach_rest = true

                    ioctl(e1, IOC_SET_OUTPUT, e2)
                      perf_event_set_output(e1, e2)

  ...
  list_for_each_entry_rcu(e, &e2->rb->event_list, rb_entry)
    ring_buffer_attach(e, NULL);
    // e1 isn't yet added and
    // therefore not detached

                        ring_buffer_attach(e1, e2->rb)
                          list_add_rcu(&e1->rb_entry,
                               &e2->rb->event_list)

After this, e1 is attached to an unmapped rb and a subsequent perf_mmap() will loop forever more:

again:
    mutex_lock(&e->mmap_mutex);
    if (event->rb) {
        ...
        if (!atomic_inc_not_zero(&e->rb->mmap_count)) {
            ...
            mutex_unlock(&e->mmap_mutex);
            goto again;
        }
    }

The loop in perf_mmap_close() holds e2->mmap_mutex, while the attach in perf_event_set_output() holds e1->mmap_mutex. As such there is no serialization to avoid this race.

Change perf_event_set_output() to take both e1->mmap_mutex and e2->mmap_mutex to alleviate that problem. Additionally, have the loop in perf_mmap() detach the rb directly, this avoids having to wait for the concurrent perf_mmap_close() to get around to doing it to make progress.

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.136-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.18.16-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.18.16-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}