{ "threat_severity" : "Low", "public_date" : "2025-10-04T00:00:00Z", "bugzilla" : { "description" : "kernel: coresight: cti: Fix hang in cti_disable_hw()", "id" : "2401482", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401482" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-1322", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ncoresight: cti: Fix hang in cti_disable_hw()\ncti_enable_hw() and cti_disable_hw() are called from an atomic context\nso shouldn't use runtime PM because it can result in a sleep when\ncommunicating with firmware.\nSince commit 3c6656337852 (\"Revert \"firmware: arm_scmi: Add clock\nmanagement to the SCMI power domain\"\"), this causes a hang on Juno when\nrunning the Perf Coresight tests or running this command:\nperf record -e cs_etm//u -- ls\nThis was also missed until the revert commit because pm_runtime_put()\nwas called with the wrong device until commit 692c9a499b28 (\"coresight:\ncti: Correct the parameter for pm_runtime_put\")\nWith lock and scheduler debugging enabled the following is output:\ncoresight cti_sys0: cti_enable_hw -- dev:cti_sys0 parent: 20020000.cti\nBUG: sleeping function called from invalid context at drivers/base/power/runtime.c:1151\nin_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 330, name: perf-exec\npreempt_count: 2, expected: 0\nRCU nest depth: 0, expected: 0\nINFO: lockdep is turned off.\nirq event stamp: 0\nhardirqs last enabled at (0): [<0000000000000000>] 0x0\nhardirqs last disabled at (0): [] copy_process+0xa0c/0x1948\nsoftirqs last enabled at (0): [] copy_process+0xa0c/0x1948\nsoftirqs last disabled at (0): [<0000000000000000>] 0x0\nCPU: 3 PID: 330 Comm: perf-exec Not tainted 6.0.0-00053-g042116d99298 #7\nHardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Sep 13 2022\nCall trace:\ndump_backtrace+0x134/0x140\nshow_stack+0x20/0x58\ndump_stack_lvl+0x8c/0xb8\ndump_stack+0x18/0x34\n__might_resched+0x180/0x228\n__might_sleep+0x50/0x88\n__pm_runtime_resume+0xac/0xb0\ncti_enable+0x44/0x120\ncoresight_control_assoc_ectdev+0xc0/0x150\ncoresight_enable_path+0xb4/0x288\netm_event_start+0x138/0x170\netm_event_add+0x48/0x70\nevent_sched_in.isra.122+0xb4/0x280\nmerge_sched_in+0x1fc/0x3d0\nvisit_groups_merge.constprop.137+0x16c/0x4b0\nctx_sched_in+0x114/0x1f0\nperf_event_sched_in+0x60/0x90\nctx_resched+0x68/0xb0\nperf_event_exec+0x138/0x508\nbegin_new_exec+0x52c/0xd40\nload_elf_binary+0x6b8/0x17d0\nbprm_execve+0x360/0x7f8\ndo_execveat_common.isra.47+0x218/0x238\n__arm64_sys_execve+0x48/0x60\ninvoke_syscall+0x4c/0x110\nel0_svc_common.constprop.4+0xfc/0x120\ndo_el0_svc+0x34/0xc0\nel0_svc+0x40/0x98\nel0t_64_sync_handler+0x98/0xc0\nel0t_64_sync+0x170/0x174\nFix the issue by removing the runtime PM calls completely. They are not\nneeded here because it must have already been done when building the\npath for a trace.\n[ Fix build warnings ]", "A context violation bug was found in the Linux kernel's CoreSight CTI (Cross Trigger Interface) driver in the hardware enable/disable functions. These functions are called from atomic context but attempt runtime PM operations that can sleep when communicating with firmware. This causes \"sleeping function called from invalid context\" errors and system hangs when enabling CoreSight tracing, particularly on ARM Juno platforms, resulting in denial of service." ], "statement" : "The CTI component coordinates debugging across multiple cores. When perf enables ETM (Embedded Trace Macrocell) tracing, it builds a trace path and enables each component along that path—including CTI devices. This happens under spinlocks in the perf event scheduling code, creating an atomic context where sleeping is forbidden. The cti_enable_hw and cti_disable_hw functions were calling pm_runtime_get and pm_runtime_put to manage power. These runtime PM calls can communicate with firmware (like ARM SCMI) to control clocks and power domains. Firmware communication typically involves waiting for responses, which means sleeping. Sleeping in atomic context triggers kernel warnings and can cause complete system hangs. The issue became more visible after a revert of SCMI power domain changes made the sleep more likely. The solution: remove the PM calls entirely from these functions. The runtime PM has already been handled at a higher level when building the trace path, so these redundant calls were both wrong and unnecessary.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50491\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50491\nhttps://lore.kernel.org/linux-cve-announce/2025100417-CVE-2022-50491-7a8b@gregkh/T" ], "name" : "CVE-2022-50491", "csaw" : false }