CVE-2022-50118

EUVD-2022-55384

18.06.2025, 11:15

In the Linux kernel, the following vulnerability has been resolved:

powerpc/perf: Optimize clearing the pending PMI and remove WARN_ON for PMI check in power_pmu_disable

commit 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clear
pending PMI before resetting an overflown PMC") added a new
function "pmi_irq_pending" in hw_irq.h. This function is to check
if there is a PMI marked as pending in Paca (PACA_IRQ_PMI).This is
used in power_pmu_disable in a WARN_ON. The intention here is to
provide a warning if there is PMI pending, but no counter is found
overflown.

During some of the perf runs, below warning is hit:

WARNING: CPU: 36 PID: 0 at arch/powerpc/perf/core-book3s.c:1332 power_pmu_disable+0x25c/0x2c0
 Modules linked in:
 -----

 NIP [c000000000141c3c] power_pmu_disable+0x25c/0x2c0
 LR [c000000000141c8c] power_pmu_disable+0x2ac/0x2c0
 Call Trace:
 [c000000baffcfb90] [c000000000141c8c] power_pmu_disable+0x2ac/0x2c0 (unreliable)
 [c000000baffcfc10] [c0000000003e2f8c] perf_pmu_disable+0x4c/0x60
 [c000000baffcfc30] [c0000000003e3344] group_sched_out.part.124+0x44/0x100
 [c000000baffcfc80] [c0000000003e353c] __perf_event_disable+0x13c/0x240
 [c000000baffcfcd0] [c0000000003dd334] event_function+0xc4/0x140
 [c000000baffcfd20] [c0000000003d855c] remote_function+0x7c/0xa0
 [c000000baffcfd50] [c00000000026c394] flush_smp_call_function_queue+0xd4/0x300
 [c000000baffcfde0] [c000000000065b24] smp_ipi_demux_relaxed+0xa4/0x100
 [c000000baffcfe20] [c0000000000cb2b0] xive_muxed_ipi_action+0x20/0x40
 [c000000baffcfe40] [c000000000207c3c] __handle_irq_event_percpu+0x8c/0x250
 [c000000baffcfee0] [c000000000207e2c] handle_irq_event_percpu+0x2c/0xa0
 [c000000baffcff10] [c000000000210a04] handle_percpu_irq+0x84/0xc0
 [c000000baffcff40] [c000000000205f14] generic_handle_irq+0x54/0x80
 [c000000baffcff60] [c000000000015740] __do_irq+0x90/0x1d0
 [c000000baffcff90] [c000000000016990] __do_IRQ+0xc0/0x140
 [c0000009732f3940] [c000000bafceaca8] 0xc000000bafceaca8
 [c0000009732f39d0] [c000000000016b78] do_IRQ+0x168/0x1c0
 [c0000009732f3a00] [c0000000000090c8] hardware_interrupt_common_virt+0x218/0x220

This means that there is no PMC overflown among the active events
in the PMU, but there is a PMU pending in Paca. The function
"any_pmc_overflown" checks the PMCs on active events in
cpuhw->n_events. Code snippet:

<<>>
if (any_pmc_overflown(cpuhw))
 	clear_pmi_irq_pending();
 else
 	WARN_ON(pmi_irq_pending());
<<>>

Here the PMC overflown is not from active event. Example: When we do
perf record, default cycles and instructions will be running on PMC6
and PMC5 respectively. It could happen that overflowed event is currently
not active and pending PMI is for the inactive event. Debug logs from
trace_printk:

<<>>
any_pmc_overflown: idx is 5: pmc value is 0xd9a
power_pmu_disable: PMC1: 0x0, PMC2: 0x0, PMC3: 0x0, PMC4: 0x0, PMC5: 0xd9a, PMC6: 0x80002011
<<>>

Here active PMC (from idx) is PMC5 , but overflown PMC is PMC6(0x80002011).
When we handle PMI interrupt for such cases, if the PMC overflown is
from inactive event, it will be ignored. Reference commit:
commit bc09c219b2e6 ("powerpc/perf: Fix finding overflowed PMC in interrupt")

Patch addresses two changes:
1) Fix 1 : Removal of warning ( WARN_ON(pmi_irq_pending()); )
   We were printing warning if no PMC is found overflown among active PMU
   events, but PMI pending in PACA. But this could happen in cases where
   PMC overflown is not in active PMC. An inactive event could have caused
   the overflow. Hence the warning is not needed. To know pending PMI is
   from an inactive event, we need to loop through all PMC's which will
   cause more SPR reads via mfspr and increase in context switch. Also in
   existing function: perf_event_interrupt, already we ignore PMI's
   overflown when it is from an inactive PMC.

2) Fix 2: optimization in clearing pending PMI.
   Currently we check for any active PMC overflown before clearing PMI
   pending in Paca. This is causing additional SP
---truncated---

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.10.94 ≤ 𝑥 < 5.10.137
linux	linux_kernel	5.15.17 ≤ 𝑥 < 5.15.61
linux	linux_kernel	5.16.3 ≤ 𝑥 < 5.18.18
linux	linux_kernel	5.19 ≤ 𝑥 < 5.19.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.137-1 fixed
bookworm (security)	6.1.140-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.237-1 fixed
sid	6.12.32-1 fixed
trixie	6.12.32-1 fixed
trixie (security)	6.12.31-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-allwinner-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-aws

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-aws-5.0

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-aws-5.3

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-aws-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-aws-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-aws-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-aws-hwe

jammy	dne
noble	dne
oracular	dne
plucky	dne
xenial	needs-triage

linux-azure

bionic	ignored
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-azure-4.15

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-5.3

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-6.11

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-azure-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-azure-edge

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-fde

focal	ignored
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-azure-fde-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-fde-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-fde-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-azure-nvidia

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-bluefield

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne
xenial	needs-triage

linux-gcp

bionic	ignored
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
xenial	needs-triage

linux-gcp-4.15

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.3

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-6.11

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-gcp-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-gcp-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-gcp-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-gcp-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-gke

focal	ignored
jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-gke-4.15

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gke-5.15

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gke-5.4

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gkeop

focal	ignored
jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-gkeop-5.15

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gkeop-5.4

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne
xenial	needs-triage

linux-hwe-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-6.11

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-hwe-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-hwe-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-hwe-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-hwe-edge

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne
xenial	ignored

linux-ibm

focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-ibm-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-ibm-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-intel-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-intel-iot-realtime

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-intel-iotg

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-intel-iotg-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-iot

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-kvm

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne
xenial	needs-triage

linux-lowlatency

jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	dne

linux-lowlatency-hwe-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-lowlatency-hwe-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-lowlatency-hwe-6.11

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-lowlatency-hwe-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-lowlatency-hwe-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-lowlatency-hwe-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-lts-xenial

jammy	dne
noble	dne
oracular	dne
plucky	dne
trusty	needs-triage

linux-nvidia

jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-nvidia-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-nvidia-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-nvidia-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-nvidia-lowlatency

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-nvidia-tegra

jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-nvidia-tegra-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-nvidia-tegra-igx

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-oem

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-5.10

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-5.14

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-5.17

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oem-5.6

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-6.0

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oem-6.1

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oem-6.11

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-oem-6.14

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-oem-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oem-6.8

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-oracle

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
xenial	needs-triage

linux-oracle-5.0

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.3

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oracle-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-raspi

focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage

linux-raspi-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-raspi-realtime

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-raspi2

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-realtime

jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage

linux-riscv

focal	ignored
jammy	ignored
noble	needs-triage
oracular	needs-triage
plucky	needs-triage

linux-riscv-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-riscv-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-riscv-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-riscv-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-riscv-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-riscv-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-starfive-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-starfive-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-starfive-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-xilinx-zynqmp

focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

Common Weakness Enumeration

CWE-674 - Uncontrolled Recursion
The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.

References

https://git.kernel.org/stable/c/0a24ea26c3278216642a43291df7976a73a0a7ee

https://git.kernel.org/stable/c/7e83af3dd4a3afca8f83ffde518cafd52f45b830

https://git.kernel.org/stable/c/875b2bf469d094754ac2ba9af91dcd529eb12bf6

https://git.kernel.org/stable/c/87b1a9175f08313f40fcb6d6dc536dbe451090eb

https://git.kernel.org/stable/c/890005a7d98f7452cfe86dcfb2aeeb7df01132ce