DEBIAN-CVE-2022-49607

Source
https://security-tracker.debian.org/tracker/CVE-2022-49607
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2022-49607.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2022-49607
Upstream
Published
2025-02-26T07:01:36Z
Modified
2025-09-19T07:32:42.346057Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

perf/core: Fix data race between perf_event_set_output() and perf_mmap_close()

Yang Jihing reported a race between perf_event_set_output() and perf_mmap_close():

    CPU1                                            CPU2

    perf_mmap_close(e2)
      if (atomic_dec_and_test(&e2->rb->mmap_count)) // 1 - > 0
        detach_rest = true

                                                    ioctl(e1, IOC_SET_OUTPUT, e2)
                                                      perf_event_set_output(e1, e2)

      ...
      list_for_each_entry_rcu(e, &e2->rb->event_list, rb_entry)
        ring_buffer_attach(e, NULL);
        // e1 isn't yet added and
        // therefore not detached

                                                      ring_buffer_attach(e1, e2->rb)
                                                        list_add_rcu(&e1->rb_entry,
                                                                     &e2->rb->event_list)

After this; e1 is attached to an unmapped rb and a subsequent perf_mmap() will loop forever more:

    again:
        mutex_lock(&e->mmap_mutex);
        if (event->rb) {
            ...
            if (!atomic_inc_not_zero(&e->rb->mmap_count)) {
                ...
                mutex_unlock(&e->mmap_mutex);
                goto again;
            }
        }

The loop in perf_mmap_close() holds e2->mmap_mutex, while the attach in perf_event_set_output() holds e1->mmap_mutex. As such there is no serialization to avoid this race.

Change perf_event_set_output() to take both e1->mmap_mutex and e2->mmap_mutex to alleviate that problem. Additionally, have the loop in perf_mmap() detach the rb directly, this avoids having to wait for the concurrent perf_mmap_close() to get around to doing it to make progress.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.136-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.18.16-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.18.16-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.18.16-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}