
CVE-2022-49175: Vulnerability in Linux Linux

Medium
Published: Wed Feb 26 2025 (02/26/2025, 01:55:30 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

PM: core: keep irq flags in device_pm_check_callbacks()

The function device_pm_check_callbacks() can be called under the spin lock (in the reported case it happens from genpd_add_device() -> dev_pm_domain_set(), when the genpd uses spinlocks rather than mutexes). However, this function unconditionally uses spin_lock_irq() / spin_unlock_irq(), thus not preserving the CPU flags. Use the irqsave/irqrestore instead.

The backtrace for the reference:

[ 2.752010] ------------[ cut here ]------------
[ 2.756769] raw_local_irq_restore() called with IRQs enabled
[ 2.762596] WARNING: CPU: 4 PID: 1 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x34/0x50
[ 2.772338] Modules linked in:
[ 2.775487] CPU: 4 PID: 1 Comm: swapper/0 Tainted: G S 5.17.0-rc6-00384-ge330d0d82eff-dirty #684
[ 2.781384] Freeing initrd memory: 46024K
[ 2.785839] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 2.785841] pc : warn_bogus_irq_restore+0x34/0x50
[ 2.785844] lr : warn_bogus_irq_restore+0x34/0x50
[ 2.785846] sp : ffff80000805b7d0
[ 2.785847] x29: ffff80000805b7d0 x28: 0000000000000000 x27: 0000000000000002
[ 2.785850] x26: ffffd40e80930b18 x25: ffff7ee2329192b8 x24: ffff7edfc9f60800
[ 2.785853] x23: ffffd40e80930b18 x22: ffffd40e80930d30 x21: ffff7edfc0dffa00
[ 2.785856] x20: ffff7edfc09e3768 x19: 0000000000000000 x18: ffffffffffffffff
[ 2.845775] x17: 6572206f74206465 x16: 6c696166203a3030 x15: ffff80008805b4f7
[ 2.853108] x14: 0000000000000000 x13: ffffd40e809550b0 x12: 00000000000003d8
[ 2.860441] x11: 0000000000000148 x10: ffffd40e809550b0 x9 : ffffd40e809550b0
[ 2.867774] x8 : 00000000ffffefff x7 : ffffd40e809ad0b0 x6 : ffffd40e809ad0b0
[ 2.875107] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000
[ 2.882440] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff7edfc03a8000
[ 2.889774] Call trace:
[ 2.892290] warn_bogus_irq_restore+0x34/0x50
[ 2.896770] _raw_spin_unlock_irqrestore+0x94/0xa0
[ 2.901690] genpd_unlock_spin+0x20/0x30
[ 2.905724] genpd_add_device+0x100/0x2d0
[ 2.909850] __genpd_dev_pm_attach+0xa8/0x23c
[ 2.914329] genpd_dev_pm_attach_by_id+0xc4/0x190
[ 2.919167] genpd_dev_pm_attach_by_name+0x3c/0xd0
[ 2.924086] dev_pm_domain_attach_by_name+0x24/0x30
[ 2.929102] psci_dt_attach_cpu+0x24/0x90
[ 2.933230] psci_cpuidle_probe+0x2d4/0x46c
[ 2.937534] platform_probe+0x68/0xe0
[ 2.941304] really_probe.part.0+0x9c/0x2fc
[ 2.945605] __driver_probe_device+0x98/0x144
[ 2.950085] driver_probe_device+0x44/0x15c
[ 2.954385] __device_attach_driver+0xb8/0x120
[ 2.958950] bus_for_each_drv+0x78/0xd0
[ 2.962896] __device_attach+0xd8/0x180
[ 2.966843] device_initial_probe+0x14/0x20
[ 2.971144] bus_probe_device+0x9c/0xa4
[ 2.975092] device_add+0x380/0x88c
[ 2.978679] platform_device_add+0x114/0x234
[ 2.983067] platform_device_register_full+0x100/0x190
[ 2.988344] psci_idle_init+0x6c/0xb0
[ 2.992113] do_one_initcall+0x74/0x3a0
[ 2.996060] kernel_init_freeable+0x2fc/0x384
[ 3.000543] kernel_init+0x28/0x130
[ 3.004132] ret_from_fork+0x10/0x20
[ 3.007817] irq event stamp: 319826
[ 3.011404] hardirqs last enabled at (319825): [<ffffd40e7eda0268>] __up_console_sem+0x78/0x84
[ 3.020332] hardirqs last disabled at (319826): [<ffffd40e7fd6d9d8>] el1_dbg+0x24/0x8c
[ 3.028458] softirqs last enabled at (318312): [<ffffd40e7ec90410>] _stext+0x410/0x588
[ 3.036678] softirqs last disabled at (318299): [<ffffd40e7ed1bf68>] __irq_exit_rcu+0x158/0x174
[ 3.045607] ---[ end trace 0000000000000000 ]---

AI-Powered Analysis

Last updated: 06/30/2025, 03:43:40 UTC

Technical Analysis

CVE-2022-49175 is a vulnerability identified in the Linux kernel's power management (PM) core subsystem, specifically within the function device_pm_check_callbacks(). This function is involved in device power management callback checks and can be invoked while holding a spinlock, particularly when the generic power domain (genpd) uses spinlocks instead of mutexes. The vulnerability arises because device_pm_check_callbacks() uses spin_lock_irq() and spin_unlock_irq() unconditionally, which do not preserve the CPU interrupt flags correctly. The correct approach should be to use the irqsave/irqrestore variants to save and restore the CPU flags properly. Failure to preserve these flags can lead to improper interrupt handling, causing warnings such as "raw_local_irq_restore() called with IRQs enabled" and potentially leading to kernel instability or crashes. The backtrace provided shows the kernel warning triggered during early boot, indicating that the issue can manifest during device initialization and power domain attachment. This bug is rooted in incorrect locking and interrupt flag management in the kernel's device power management code, which can cause unpredictable behavior in interrupt handling and system stability. Although no known exploits are reported in the wild, the vulnerability affects Linux kernel versions identified by the commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and potentially others with similar code paths. The issue is technical and low-level, affecting the kernel's core locking mechanisms related to power management callbacks.
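
The locking pattern described above, modelled in userspace C as an added example (it is not kernel code and not part of the original advisory). The `model_*` names, the `attach_result` struct and the single boolean standing in for the CPU interrupt flag are assumptions made for illustration; the model shows why the nested spin_lock_irq()/spin_unlock_irq() pair leaves interrupts enabled inside the caller's critical section and trips the restore check seen in the backtrace.

```c
/* Added illustration: userspace model of the IRQ-flag handling, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

static bool irqs_enabled;   /* models the CPU interrupt-enable flag */
static int  warnings;       /* models "raw_local_irq_restore() called with IRQs enabled" */

/* Like spin_lock_irq()/spin_unlock_irq(): unlock enables IRQs unconditionally. */
static void model_lock_irq(void)   { irqs_enabled = false; }
static void model_unlock_irq(void) { irqs_enabled = true; }

/* Like spin_lock_irqsave()/spin_unlock_irqrestore(): the caller's state is kept. */
static bool model_lock_irqsave(void) {
    bool flags = irqs_enabled;
    irqs_enabled = false;
    return flags;
}
static void model_unlock_irqrestore(bool flags) {
    if (irqs_enabled) warnings++;   /* IRQs must still be off when restoring */
    irqs_enabled = flags;
}

/* Stand-in for device_pm_check_callbacks(); 'fixed' selects the irqsave form. */
static void model_check_callbacks(bool fixed) {
    if (fixed) {
        bool flags = model_lock_irqsave();
        model_unlock_irqrestore(flags);
    } else {
        model_lock_irq();
        model_unlock_irq();
    }
}

struct attach_result { bool irqs_on_under_lock; int warnings; };

/* Stand-in for genpd_add_device() when the genpd uses a spinlock. */
struct attach_result model_genpd_add_device(bool fixed) {
    irqs_enabled = true;
    warnings = 0;
    bool flags = model_lock_irqsave();       /* outer genpd spinlock */
    model_check_callbacks(fixed);            /* nested call under that lock */
    bool exposed = irqs_enabled;             /* IRQs on while the lock is held? */
    model_unlock_irqrestore(flags);
    return (struct attach_result){ exposed, warnings };
}

int main(void) {
    for (int fixed = 0; fixed <= 1; fixed++) {
        struct attach_result r = model_genpd_add_device(fixed);
        printf("fixed=%d irqs_on_under_lock=%d warnings=%d\n", fixed, r.irqs_on_under_lock, r.warnings);
    }
    return 0;
}
```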

Potential Impact

For European organizations relying on Linux-based systems, especially those using custom or embedded Linux kernels with power management features, this vulnerability can lead to system instability, unexpected kernel warnings, or crashes during device initialization or power management operations. This can affect servers, embedded devices, IoT infrastructure, and critical systems that depend on stable Linux kernel operation. While it does not directly lead to privilege escalation or remote code execution, the instability can cause denial of service conditions, impacting availability of critical services. Organizations in sectors such as telecommunications, manufacturing, automotive, and critical infrastructure that deploy Linux-based embedded systems or servers could experience operational disruptions. Additionally, data centers and cloud providers using affected Linux kernels might face service interruptions. The vulnerability's impact is primarily on system reliability and availability rather than confidentiality or integrity. Since the issue occurs at the kernel level, it could complicate debugging and maintenance, increasing operational costs and downtime risk.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Apply the latest Linux kernel patches that address CVE-2022-49175 as soon as they are available from their Linux distribution vendors or upstream kernel sources.
2) For custom or embedded Linux systems, review and update the kernel source to ensure that device_pm_check_callbacks() uses irqsave/irqrestore variants for spinlock management to preserve CPU interrupt flags correctly.
3) Conduct thorough testing of power management and device initialization routines after patching to confirm system stability and absence of kernel warnings related to interrupt flags.
4) Monitor kernel logs for warnings such as "raw_local_irq_restore() called with IRQs enabled" which indicate the presence of this issue.
5) Implement robust kernel update policies and automated patch management to reduce the window of exposure.
6) For critical systems where immediate patching is not feasible, consider isolating affected devices or limiting workloads that trigger power management callbacks until remediation is applied.
7) Engage with Linux vendor support channels to obtain backported fixes if using long-term support (LTS) kernels.

These steps go beyond generic advice by focusing on kernel-level patching, testing, and monitoring specific to this vulnerability's nature.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T01:49:39.280Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982dc4522896dcbe516e

Added to database: 5/21/2025, 9:09:01 AM

Last enriched: 6/30/2025, 3:43:40 AM

Last updated: 7/25/2025, 7:02:25 PM
