CVE-2022-49607

MEDIUM EPSS 7.4%
Published Feb 26, 20251y ago · Modified Jun 17, 20261w ago
4.7 CVSS 3.1
Medium
Find Similar
Published Feb 26, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() Yang Jihing reported a race between perf_event_set_output() and perf_mmap_close(): CPU1 CPU2 perf_mmap_close(e2) if (atomic_dec_and_test(&e2->rb->mmap_count)) // 1 - > 0 detach_rest = true ioctl(e1, IOC_SET_OUTPUT, e2) perf_event_set_output(e1, e2) ... list_for_each_entry_rcu(e, &e2->rb->event_list, rb_entry) ring_buffer_attach(e, NULL); // e1 isn't yet added and // therefore not detached ring_buffer_attach(e1, e2->rb) list_add_rcu(&e1->rb_entry, &e2->rb->event_list) After this; e1 is attached to an unmapped rb and a subsequent perf_mmap() will loop forever more: again: mutex_lock(&e->mmap_mutex); if (event->rb) { ... if (!atomic_inc_not_zero(&e->rb->mmap_count)) { ... mutex_unlock(&e->mmap_mutex); goto again; } } The loop in perf_mmap_close() holds e2->mmap_mutex, while the attach in perf_event_set_output() holds e1->mmap_mutex. As such there is no serialization to avoid this race. Change perf_event_set_output() to take both e1->mmap_mutex and e2->mmap_mutex to alleviate that problem. Additionally, have the loop in perf_mmap() detach the rb directly, this avoids having to wait for the concurrent perf_mmap_close() to get around to doing it to make progress.

CVSS Details

Base Score
4.7
Exploitability
1.0
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
7.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-362

Affected Products 15

VendorProductVersionRange
linuxlinux_kernel*≥3.2.49  –  <3.3
linuxlinux_kernel*≥3.4.52  –  <3.5
linuxlinux_kernel*≥3.9.8  –  <4.9.325
linuxlinux_kernel*≥4.10  –  <4.14.290
linuxlinux_kernel*≥4.15  –  <4.19.254
linuxlinux_kernel*≥4.20  –  <5.4.208
linuxlinux_kernel*≥5.5  –  <5.10.134
linuxlinux_kernel*≥5.11  –  <5.15.58
linuxlinux_kernel*≥5.16  –  <5.18.15
linuxlinux_kernel5.19any
linuxlinux_kernel5.19any
linuxlinux_kernel5.19any
linuxlinux_kernel5.19any
linuxlinux_kernel5.19any
linuxlinux_kernel5.19any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/17f5417194136517ee9bbd6511249e5310e5617c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3bbd868099287ff9027db59029b502fcfa2202a0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/43128b3eee337824158f34da6648163d2f2fb937
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/68e3c69803dada336893640110cb87221bb01dcf
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/98c3c8fd0d4c560e0f8335b79c407bbf7fc9462c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a9391ff7a7c5f113d6f2bf6621d49110950de49c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/da3c256e2d0ebc87c7db0c605c9692b6f1722074
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f836f9ac95df15f1e0af4beb0ec20021e8c91998
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/17f5417194136517ee9bbd6511249e5310e5617c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3bbd868099287ff9027db59029b502fcfa2202a0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/43128b3eee337824158f34da6648163d2f2fb937
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/68e3c69803dada336893640110cb87221bb01dcf
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/98c3c8fd0d4c560e0f8335b79c407bbf7fc9462c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a9391ff7a7c5f113d6f2bf6621d49110950de49c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/da3c256e2d0ebc87c7db0c605c9692b6f1722074
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f836f9ac95df15f1e0af4beb0ec20021e8c91998
    Patch