CVE - CVE-2022-49607

CVE-ID
CVE-2022-49607	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() Yang Jihing reported a race between perf_event_set_output() and perf_mmap_close(): CPU1 CPU2 perf_mmap_close(e2) if (atomic_dec_and_test(&e2->rb->mmap_count)) // 1 - > 0 detach_rest = true ioctl(e1, IOC_SET_OUTPUT, e2) perf_event_set_output(e1, e2) ... list_for_each_entry_rcu(e, &e2->rb->event_list, rb_entry) ring_buffer_attach(e, NULL); // e1 isn't yet added and // therefore not detached ring_buffer_attach(e1, e2->rb) list_add_rcu(&e1->rb_entry, &e2->rb->event_list) After this; e1 is attached to an unmapped rb and a subsequent perf_mmap() will loop forever more: again: mutex_lock(&e->mmap_mutex); if (event->rb) { ... if (!atomic_inc_not_zero(&e->rb->mmap_count)) { ... mutex_unlock(&e->mmap_mutex); goto again; } } The loop in perf_mmap_close() holds e2->mmap_mutex, while the attach in perf_event_set_output() holds e1->mmap_mutex. As such there is no serialization to avoid this race. Change perf_event_set_output() to take both e1->mmap_mutex and e2->mmap_mutex to alleviate that problem. Additionally, have the loop in perf_mmap() detach the rb directly, this avoids having to wait for the concurrent perf_mmap_close() to get around to doing it to make progress.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://git.kernel.org/stable/c/17f5417194136517ee9bbd6511249e5310e5617c URL:https://git.kernel.org/stable/c/17f5417194136517ee9bbd6511249e5310e5617c MISC:https://git.kernel.org/stable/c/3bbd868099287ff9027db59029b502fcfa2202a0 URL:https://git.kernel.org/stable/c/3bbd868099287ff9027db59029b502fcfa2202a0 MISC:https://git.kernel.org/stable/c/43128b3eee337824158f34da6648163d2f2fb937 URL:https://git.kernel.org/stable/c/43128b3eee337824158f34da6648163d2f2fb937 MISC:https://git.kernel.org/stable/c/68e3c69803dada336893640110cb87221bb01dcf URL:https://git.kernel.org/stable/c/68e3c69803dada336893640110cb87221bb01dcf MISC:https://git.kernel.org/stable/c/98c3c8fd0d4c560e0f8335b79c407bbf7fc9462c URL:https://git.kernel.org/stable/c/98c3c8fd0d4c560e0f8335b79c407bbf7fc9462c MISC:https://git.kernel.org/stable/c/a9391ff7a7c5f113d6f2bf6621d49110950de49c URL:https://git.kernel.org/stable/c/a9391ff7a7c5f113d6f2bf6621d49110950de49c MISC:https://git.kernel.org/stable/c/da3c256e2d0ebc87c7db0c605c9692b6f1722074 URL:https://git.kernel.org/stable/c/da3c256e2d0ebc87c7db0c605c9692b6f1722074 MISC:https://git.kernel.org/stable/c/f836f9ac95df15f1e0af4beb0ec20021e8c91998 URL:https://git.kernel.org/stable/c/f836f9ac95df15f1e0af4beb0ec20021e8c91998
Assigning CNA
kernel.org
Date Record Created
20250226	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20250226)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)