DEBIAN-CVE-2022-49446

Source
https://security-tracker.debian.org/tracker/CVE-2022-49446
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-49446.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2022-49446
Upstream
Published
2025-02-26T07:01:21Z
Modified
2025-09-30T05:15:53.603514Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

nvdimm: Fix firmware activation deadlock scenarios

Lockdep reports the following deadlock scenarios for CXL root device power-management, device_prepare(), operations, and device_shutdown() operations for 'nd_region' devices:

    Chain exists of:
      &nvdimm_region_key --> &nvdimm_bus->reconfig_mutex --> system_transition_mutex

    Possible unsafe locking scenario:

          CPU0                    CPU1
          ----                    ----
     lock(system_transition_mutex);
                                  lock(&nvdimm_bus->reconfig_mutex);
                                  lock(system_transition_mutex);
     lock(&nvdimm_region_key);

    Chain exists of:
      &cxl_nvdimm_bridge_key --> acpi_scan_lock --> &cxl_root_key

    Possible unsafe locking scenario:

          CPU0                    CPU1
          ----                    ----
     lock(&cxl_root_key);
                                  lock(acpi_scan_lock);
                                  lock(&cxl_root_key);
     lock(&cxl_nvdimm_bridge_key);

These stem from holding nvdimm_bus_lock() over hibernate_quiet_exec() which walks the entire system device topology taking device_lock() along the way. The nvdimm_bus_lock() is protecting against unregistration, multiple simultaneous ops callers, and preventing activate_show() from racing activate_store(). For the first 2, the lock is redundant. Unregistration already flushes all ops users, and sysfs already prevents multiple threads to be active in an ops handler at the same time. For the last userspace should already be waiting for its last activate_store() to complete, and does not need activate_show() to flush the write side, so this lock usage can be deleted in these attributes.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.127-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.18.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.18.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.18.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}