CVE-2022-49764 (GCVE-0-2022-49764)

Vulnerability from cvelistv5 – Published: 2025-05-01 14:09 – Updated: 2025-12-23 13:25
VLAI?
Title
bpf: Prevent bpf program recursion for raw tracepoint probes
Summary
In the Linux kernel, the following vulnerability has been resolved: bpf: Prevent bpf program recursion for raw tracepoint probes We got report from sysbot [1] about warnings that were caused by bpf program attached to contention_begin raw tracepoint triggering the same tracepoint by using bpf_trace_printk helper that takes trace_printk_lock lock. Call Trace: <TASK> ? trace_event_raw_event_bpf_trace_printk+0x5f/0x90 bpf_trace_printk+0x2b/0xe0 bpf_prog_a9aec6167c091eef_prog+0x1f/0x24 bpf_trace_run2+0x26/0x90 native_queued_spin_lock_slowpath+0x1c6/0x2b0 _raw_spin_lock_irqsave+0x44/0x50 bpf_trace_printk+0x3f/0xe0 bpf_prog_a9aec6167c091eef_prog+0x1f/0x24 bpf_trace_run2+0x26/0x90 native_queued_spin_lock_slowpath+0x1c6/0x2b0 _raw_spin_lock_irqsave+0x44/0x50 bpf_trace_printk+0x3f/0xe0 bpf_prog_a9aec6167c091eef_prog+0x1f/0x24 bpf_trace_run2+0x26/0x90 native_queued_spin_lock_slowpath+0x1c6/0x2b0 _raw_spin_lock_irqsave+0x44/0x50 bpf_trace_printk+0x3f/0xe0 bpf_prog_a9aec6167c091eef_prog+0x1f/0x24 bpf_trace_run2+0x26/0x90 native_queued_spin_lock_slowpath+0x1c6/0x2b0 _raw_spin_lock_irqsave+0x44/0x50 __unfreeze_partials+0x5b/0x160 ... The can be reproduced by attaching bpf program as raw tracepoint on contention_begin tracepoint. The bpf prog calls bpf_trace_printk helper. Then by running perf bench the spin lock code is forced to take slow path and call contention_begin tracepoint. Fixing this by skipping execution of the bpf program if it's already running, Using bpf prog 'active' field, which is being currently used by trampoline programs for the same reason. Moving bpf_prog_inc_misses_counter to syscall.c because trampoline.c is compiled in just for CONFIG_BPF_JIT option. [1] https://lore.kernel.org/bpf/YxhFe3EwqchC%2FfYf@krava/T/#t
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: c4f6699dfcb8558d138fe838f741b2c10f416cf9 , < 2e5399879024fedd6cdc41f73fbf9bbe7208f899 (git)
Affected: c4f6699dfcb8558d138fe838f741b2c10f416cf9 , < 05b24ff9b2cfabfcfd951daaa915a036ab53c9e1 (git)
Create a notification for this product.
    Linux Linux Affected: 4.17
Unaffected: 0 , < 4.17 (semver)
Unaffected: 6.0.10 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/bpf.h",
            "kernel/bpf/syscall.c",
            "kernel/bpf/trampoline.c",
            "kernel/trace/bpf_trace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2e5399879024fedd6cdc41f73fbf9bbe7208f899",
              "status": "affected",
              "version": "c4f6699dfcb8558d138fe838f741b2c10f416cf9",
              "versionType": "git"
            },
            {
              "lessThan": "05b24ff9b2cfabfcfd951daaa915a036ab53c9e1",
              "status": "affected",
              "version": "c4f6699dfcb8558d138fe838f741b2c10f416cf9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/bpf.h",
            "kernel/bpf/syscall.c",
            "kernel/bpf/trampoline.c",
            "kernel/trace/bpf_trace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.10",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Prevent bpf program recursion for raw tracepoint probes\n\nWe got report from sysbot [1] about warnings that were caused by\nbpf program attached to contention_begin raw tracepoint triggering\nthe same tracepoint by using bpf_trace_printk helper that takes\ntrace_printk_lock lock.\n\n Call Trace:\n  \u003cTASK\u003e\n  ? trace_event_raw_event_bpf_trace_printk+0x5f/0x90\n  bpf_trace_printk+0x2b/0xe0\n  bpf_prog_a9aec6167c091eef_prog+0x1f/0x24\n  bpf_trace_run2+0x26/0x90\n  native_queued_spin_lock_slowpath+0x1c6/0x2b0\n  _raw_spin_lock_irqsave+0x44/0x50\n  bpf_trace_printk+0x3f/0xe0\n  bpf_prog_a9aec6167c091eef_prog+0x1f/0x24\n  bpf_trace_run2+0x26/0x90\n  native_queued_spin_lock_slowpath+0x1c6/0x2b0\n  _raw_spin_lock_irqsave+0x44/0x50\n  bpf_trace_printk+0x3f/0xe0\n  bpf_prog_a9aec6167c091eef_prog+0x1f/0x24\n  bpf_trace_run2+0x26/0x90\n  native_queued_spin_lock_slowpath+0x1c6/0x2b0\n  _raw_spin_lock_irqsave+0x44/0x50\n  bpf_trace_printk+0x3f/0xe0\n  bpf_prog_a9aec6167c091eef_prog+0x1f/0x24\n  bpf_trace_run2+0x26/0x90\n  native_queued_spin_lock_slowpath+0x1c6/0x2b0\n  _raw_spin_lock_irqsave+0x44/0x50\n  __unfreeze_partials+0x5b/0x160\n  ...\n\nThe can be reproduced by attaching bpf program as raw tracepoint on\ncontention_begin tracepoint. The bpf prog calls bpf_trace_printk\nhelper. Then by running perf bench the spin lock code is forced to\ntake slow path and call contention_begin tracepoint.\n\nFixing this by skipping execution of the bpf program if it\u0027s\nalready running, Using bpf prog \u0027active\u0027 field, which is being\ncurrently used by trampoline programs for the same reason.\n\nMoving bpf_prog_inc_misses_counter to syscall.c because\ntrampoline.c is compiled in just for CONFIG_BPF_JIT option.\n\n[1] https://lore.kernel.org/bpf/YxhFe3EwqchC%2FfYf@krava/T/#t"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:25:45.385Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2e5399879024fedd6cdc41f73fbf9bbe7208f899"
        },
        {
          "url": "https://git.kernel.org/stable/c/05b24ff9b2cfabfcfd951daaa915a036ab53c9e1"
        }
      ],
      "title": "bpf: Prevent bpf program recursion for raw tracepoint probes",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49764",
    "datePublished": "2025-05-01T14:09:04.252Z",
    "dateReserved": "2025-04-16T07:17:33.804Z",
    "dateUpdated": "2025-12-23T13:25:45.385Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.