cve/published/2022/CVE-2022-49322.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49322: tracing: Fix sleeping function called from invalid context on RT kernel

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tracing: Fix sleeping function called from invalid context on RT kernel

 When setting bootparams="trace_event=initcall:initcall_start tp_printk=1" in the
 cmdline, the output_printk() was called, and the spin_lock_irqsave() was called in the
 atomic and irq disable interrupt context suitation. On the PREEMPT_RT kernel,
 these locks are replaced with sleepable rt-spinlock, so the stack calltrace will
 be triggered.
 Fix it by raw_spin_lock_irqsave when PREEMPT_RT and "trace_event=initcall:initcall_start
 tp_printk=1" enabled.

  BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46
  in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0
  preempt_count: 2, expected: 0
  RCU nest depth: 0, expected: 0
  Preemption disabled at:
  [<ffffffff8992303e>] try_to_wake_up+0x7e/0xba0
  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.17.1-rt17+ #19 34c5812404187a875f32bee7977f7367f9679ea7
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
  Call Trace:
   <TASK>
   dump_stack_lvl+0x60/0x8c
   dump_stack+0x10/0x12
   __might_resched.cold+0x11d/0x155
   rt_spin_lock+0x40/0x70
   trace_event_buffer_commit+0x2fa/0x4c0
   ? map_vsyscall+0x93/0x93
   trace_event_raw_event_initcall_start+0xbe/0x110
   ? perf_trace_initcall_finish+0x210/0x210
   ? probe_sched_wakeup+0x34/0x40
   ? ttwu_do_wakeup+0xda/0x310
   ? trace_hardirqs_on+0x35/0x170
   ? map_vsyscall+0x93/0x93
   do_one_initcall+0x217/0x3c0
   ? trace_event_raw_event_initcall_level+0x170/0x170
   ? push_cpu_stop+0x400/0x400
   ? cblist_init_generic+0x241/0x290
   kernel_init_freeable+0x1ac/0x347
   ? _raw_spin_unlock_irq+0x65/0x80
   ? rest_init+0xf0/0xf0
   kernel_init+0x1e/0x150
   ret_from_fork+0x22/0x30
   </TASK>

 The Linux kernel CVE team has assigned CVE-2022-49322 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.14.283 with commit be1f323fb9d9b14a505ca22d742d321769454de1
 	Fixed in 4.19.247 with commit 40f9fde06b25884baa0c4bd138b909a9b67218b4
 	Fixed in 5.4.198 with commit 48c6ee7d6c614f09b2c8553a95eefef6ecf196e0
 	Fixed in 5.10.122 with commit 1788e6dbb61286215442b1af99e51405a6206762
 	Fixed in 5.15.47 with commit 9b534640a2c6a8d88168febc82ec6d161184f2ec
 	Fixed in 5.17.15 with commit 43bfc4dccc416c964b53cbdc430e814f8b6f770b
 	Fixed in 5.18.4 with commit 9abf3db8bdb63ab545034148ef2118f4d088ca59
 	Fixed in 5.19 with commit 12025abdc8539ed9d5014e2d647a3fd1bd3de5cd

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49322
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/trace/trace.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/be1f323fb9d9b14a505ca22d742d321769454de1
 	https://git.kernel.org/stable/c/40f9fde06b25884baa0c4bd138b909a9b67218b4
 	https://git.kernel.org/stable/c/48c6ee7d6c614f09b2c8553a95eefef6ecf196e0
 	https://git.kernel.org/stable/c/1788e6dbb61286215442b1af99e51405a6206762
 	https://git.kernel.org/stable/c/9b534640a2c6a8d88168febc82ec6d161184f2ec
 	https://git.kernel.org/stable/c/43bfc4dccc416c964b53cbdc430e814f8b6f770b
 	https://git.kernel.org/stable/c/9abf3db8bdb63ab545034148ef2118f4d088ca59
 	https://git.kernel.org/stable/c/12025abdc8539ed9d5014e2d647a3fd1bd3de5cd
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49322: tracing: Fix sleeping function called from invalid context on RT kernel

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tracing: Fix sleeping function called from invalid context on RT kernel

	When setting bootparams="trace_event=initcall:initcall_start tp_printk=1" in the
	cmdline, the output_printk() was called, and the spin_lock_irqsave() was called in the
	atomic and irq disable interrupt context suitation. On the PREEMPT_RT kernel,
	these locks are replaced with sleepable rt-spinlock, so the stack calltrace will
	be triggered.
	Fix it by raw_spin_lock_irqsave when PREEMPT_RT and "trace_event=initcall:initcall_start
	tp_printk=1" enabled.

	BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46
	in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0
	preempt_count: 2, expected: 0
	RCU nest depth: 0, expected: 0
	Preemption disabled at:
	[<ffffffff8992303e>] try_to_wake_up+0x7e/0xba0
	CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.17.1-rt17+ #19 34c5812404187a875f32bee7977f7367f9679ea7
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
	Call Trace:
	<TASK>
	dump_stack_lvl+0x60/0x8c
	dump_stack+0x10/0x12
	__might_resched.cold+0x11d/0x155
	rt_spin_lock+0x40/0x70
	trace_event_buffer_commit+0x2fa/0x4c0
	? map_vsyscall+0x93/0x93
	trace_event_raw_event_initcall_start+0xbe/0x110
	? perf_trace_initcall_finish+0x210/0x210
	? probe_sched_wakeup+0x34/0x40
	? ttwu_do_wakeup+0xda/0x310
	? trace_hardirqs_on+0x35/0x170
	? map_vsyscall+0x93/0x93
	do_one_initcall+0x217/0x3c0
	? trace_event_raw_event_initcall_level+0x170/0x170
	? push_cpu_stop+0x400/0x400
	? cblist_init_generic+0x241/0x290
	kernel_init_freeable+0x1ac/0x347
	? _raw_spin_unlock_irq+0x65/0x80
	? rest_init+0xf0/0xf0
	kernel_init+0x1e/0x150
	ret_from_fork+0x22/0x30
	</TASK>

	The Linux kernel CVE team has assigned CVE-2022-49322 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.14.283 with commit be1f323fb9d9b14a505ca22d742d321769454de1
	Fixed in 4.19.247 with commit 40f9fde06b25884baa0c4bd138b909a9b67218b4
	Fixed in 5.4.198 with commit 48c6ee7d6c614f09b2c8553a95eefef6ecf196e0
	Fixed in 5.10.122 with commit 1788e6dbb61286215442b1af99e51405a6206762
	Fixed in 5.15.47 with commit 9b534640a2c6a8d88168febc82ec6d161184f2ec
	Fixed in 5.17.15 with commit 43bfc4dccc416c964b53cbdc430e814f8b6f770b
	Fixed in 5.18.4 with commit 9abf3db8bdb63ab545034148ef2118f4d088ca59
	Fixed in 5.19 with commit 12025abdc8539ed9d5014e2d647a3fd1bd3de5cd

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49322
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/trace/trace.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/be1f323fb9d9b14a505ca22d742d321769454de1
	https://git.kernel.org/stable/c/40f9fde06b25884baa0c4bd138b909a9b67218b4
	https://git.kernel.org/stable/c/48c6ee7d6c614f09b2c8553a95eefef6ecf196e0
	https://git.kernel.org/stable/c/1788e6dbb61286215442b1af99e51405a6206762
	https://git.kernel.org/stable/c/9b534640a2c6a8d88168febc82ec6d161184f2ec
	https://git.kernel.org/stable/c/43bfc4dccc416c964b53cbdc430e814f8b6f770b
	https://git.kernel.org/stable/c/9abf3db8bdb63ab545034148ef2118f4d088ca59
	https://git.kernel.org/stable/c/12025abdc8539ed9d5014e2d647a3fd1bd3de5cd