CVE-2022-49265: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

PM: domains: Fix sleep-in-atomic bug caused by genpd_debug_remove()

When a genpd with GENPD_FLAG_IRQ_SAFE gets removed, the following sleep-in-atomic bug will be seen, as genpd_debug_remove() will be called with a spinlock being held.

[ 0.029183] BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1460
[ 0.029204] in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 1, name: swapper/0
[ 0.029219] preempt_count: 1, expected: 0
[ 0.029230] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.17.0-rc4+ #489
[ 0.029245] Hardware name: Thundercomm TurboX CM2290 (DT)
[ 0.029256] Call trace:
[ 0.029265] dump_backtrace.part.0+0xbc/0xd0
[ 0.029285] show_stack+0x3c/0xa0
[ 0.029298] dump_stack_lvl+0x7c/0xa0
[ 0.029311] dump_stack+0x18/0x34
[ 0.029323] __might_resched+0x10c/0x13c
[ 0.029338] __might_sleep+0x4c/0x80
[ 0.029351] down_read+0x24/0xd0
[ 0.029363] lookup_one_len_unlocked+0x9c/0xcc
[ 0.029379] lookup_positive_unlocked+0x10/0x50
[ 0.029392] debugfs_lookup+0x68/0xac
[ 0.029406] genpd_remove.part.0+0x12c/0x1b4
[ 0.029419] of_genpd_remove_last+0xa8/0xd4
[ 0.029434] psci_cpuidle_domain_probe+0x174/0x53c
[ 0.029449] platform_probe+0x68/0xe0
[ 0.029462] really_probe+0x190/0x430
[ 0.029473] __driver_probe_device+0x90/0x18c
[ 0.029485] driver_probe_device+0x40/0xe0
[ 0.029497] __driver_attach+0xf4/0x1d0
[ 0.029508] bus_for_each_dev+0x70/0xd0
[ 0.029523] driver_attach+0x24/0x30
[ 0.029534] bus_add_driver+0x164/0x22c
[ 0.029545] driver_register+0x78/0x130
[ 0.029556] __platform_driver_register+0x28/0x34
[ 0.029569] psci_idle_init_domains+0x1c/0x28
[ 0.029583] do_one_initcall+0x50/0x1b0
[ 0.029595] kernel_init_freeable+0x214/0x280
[ 0.029609] kernel_init+0x2c/0x13c
[ 0.029622] ret_from_fork+0x10/0x20

It doesn't seem necessary to call genpd_debug_remove() with the lock, so move it out from locking to fix the problem.
AI Analysis
Technical Summary
CVE-2022-49265 is a vulnerability identified in the Linux kernel related to the power management (PM) subsystem, specifically involving the generic power domain (genpd) framework. The issue arises when a genpd object flagged with GENPD_FLAG_IRQ_SAFE is removed. During this removal process, the function genpd_debug_remove() is called while a spinlock is held, which leads to a 'sleep-in-atomic' bug. This bug manifests because genpd_debug_remove() invokes operations that may sleep, such as down_read(), which attempts to acquire a read lock on a semaphore. Sleeping while holding a spinlock or in atomic context is invalid in the Linux kernel and triggers kernel warnings or BUG messages, as demonstrated by the kernel logs included in the description.

The root cause is that genpd_debug_remove() is called within a locked context where sleeping is prohibited. The fix involves moving the call to genpd_debug_remove() outside the locking context to prevent sleeping while atomic. This vulnerability affects the Linux kernel versions containing the specified commit hashes prior to the fix.

Although it does not appear to be exploitable remotely or by unprivileged users, it can cause kernel instability, crashes, or denial of service (DoS) due to kernel BUGs or oops events. The vulnerability is technical and low-level, impacting kernel reliability rather than allowing privilege escalation or code execution. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
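The lock ordering described above, as an added userspace model (not kernel code and not the upstream patch). All names are hypothetical stand-ins; the mutex branch for domains without GENPD_FLAG_IRQ_SAFE reflects how genpd picks its lock type and is not stated on this page.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model only: these names imitate kernel concepts, they are not kernel APIs. */
static int preempt_depth; /* > 0 models atomic context (spinlock held) */
static int sleep_bugs;    /* sleeping calls made while atomic */
struct domain_model { bool irq_safe, listed; };
static struct domain_model IRQ_SAFE_DOMAIN = { true, true }, MUTEX_DOMAIN = { false, true };

/* Plays the role of __might_sleep(): flag a sleeping call made in atomic context. */
static void might_sleep_model(const char *caller)
{
    if (preempt_depth > 0) {
        sleep_bugs++;
        fprintf(stderr, "BUG: sleeping function called from invalid context (%s)\n", caller);
    }
}

/* IRQ-safe domains take a spinlock; other domains take a mutex, under which sleeping is allowed. */
static void domain_lock(const struct domain_model *d)   { if (d->irq_safe) preempt_depth++; }
static void domain_unlock(const struct domain_model *d) { if (d->irq_safe) preempt_depth--; }
/* The debugfs lookup reaches down_read() on an rwsem, so it may sleep. */
static void debug_remove_model(void) { might_sleep_model("debug_remove_model"); }

/* Ordering before the fix: debugfs cleanup runs inside the locked region. */
static int remove_before_fix(struct domain_model *d)
{
    sleep_bugs = 0;
    domain_lock(d);
    debug_remove_model();
    d->listed = false;
    domain_unlock(d);
    return sleep_bugs;
}

/* Ordering after the fix: debugfs cleanup moved out of the locked region. */
static int remove_after_fix(struct domain_model *d)
{
    sleep_bugs = 0;
    domain_lock(d);
    d->listed = false;
    domain_unlock(d);
    debug_remove_model();
    return sleep_bugs;
}

int main(void)
{
    printf("before fix: irq_safe=%d mutex=%d\n", remove_before_fix(&IRQ_SAFE_DOMAIN), remove_before_fix(&MUTEX_DOMAIN));
    printf("after fix:  irq_safe=%d\n", remove_after_fix(&IRQ_SAFE_DOMAIN));
    return 0;
}
```

The model reports a violation only for the IRQ-safe domain with the old ordering, which matches the condition named in the commit message.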
Potential Impact
For European organizations, the impact of CVE-2022-49265 primarily concerns system stability and availability. Linux is widely used across European enterprises, government agencies, and critical infrastructure, especially in servers, embedded devices, and IoT systems. Systems running affected kernel versions may experience unexpected kernel panics or crashes during power domain management operations, which could lead to service interruptions or downtime. This is particularly critical for environments requiring high availability such as telecommunications, industrial control systems, and cloud service providers. While the vulnerability does not directly enable remote code execution or data breaches, the resulting denial of service could disrupt business operations and impact service delivery. Organizations relying on Linux-based embedded devices or custom hardware platforms that utilize power domain management may be more susceptible. The absence of known exploits reduces immediate risk, but unpatched systems remain vulnerable to stability issues. European entities with strict uptime requirements or regulatory obligations around service continuity should prioritize addressing this vulnerability to avoid operational disruptions.
Mitigation Recommendations
To mitigate CVE-2022-49265, organizations should:
1) Apply the official Linux kernel patches that move genpd_debug_remove() calls outside of atomic contexts. This fix is included in kernel versions released after the vulnerability disclosure date.
2) Identify and inventory all Linux systems running affected kernel versions, including embedded devices and custom hardware platforms.
3) For systems where immediate patching is not feasible, consider kernel parameter tuning or disabling affected power domain features if possible, to reduce the likelihood of triggering the bug.
4) Monitor kernel logs for BUG or oops messages related to sleep-in-atomic warnings as indicators of attempted exploitation or system instability.
5) Test kernel updates in staging environments to ensure compatibility and stability before deployment.
6) Engage with hardware and Linux distribution vendors to obtain updated kernel packages and support for embedded platforms.
7) Implement robust system monitoring and automated reboot mechanisms to minimize downtime in case of kernel crashes.
These steps go beyond generic advice by focusing on inventorying embedded and specialized Linux deployments, proactive log monitoring for kernel warnings, and vendor coordination for patch availability.
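For the log-monitoring step, an added example (not from the kernel project or this page's author) that classifies a sleep-in-atomic splat by whether its call trace runs through debugfs_lookup and genpd_remove, as the trace in the description does. The function and enum names are hypothetical, the first sample is abridged from the page's log, and the second is constructed.

```c
#include <stdio.h>
#include <string.h>
enum verdict { NO_SPLAT, OTHER_SLEEP_IN_ATOMIC, GENPD_DEBUG_REMOVE };

/* Abridged from the trace quoted on this page. */
static const char SAMPLE_GENPD[] =
    "[ 0.029183] BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1460\n"
    "[ 0.029256] Call trace:\n"
    "[ 0.029351] down_read+0x24/0xd0\n"
    "[ 0.029392] debugfs_lookup+0x68/0xac\n"
    "[ 0.029406] genpd_remove.part.0+0x12c/0x1b4\n"
    "[ 0.029419] of_genpd_remove_last+0xa8/0xd4\n";
/* Constructed control: same warning class, made-up unrelated code path. */
static const char SAMPLE_OTHER[] =
    "[ 12.000001] BUG: sleeping function called from invalid context at example/file.c:1\n"
    "[ 12.000002] Call trace:\n"
    "[ 12.000003] example_driver_irq+0x10/0x40\n"
    "[ 12.000004] example: device ready\n";

/* Classify the first sleep-in-atomic splat in a dmesg buffer by the frames of its call trace. */
static enum verdict classify_dmesg(const char *log)
{
    int found = 0, in_trace = 0, genpd = 0, debugfs = 0;
    char line[256];
    while (*log) {
        size_t n = strcspn(log, "\n");                          /* length of this line */
        size_t c = n < sizeof(line) - 1 ? n : sizeof(line) - 1; /* truncate overlong lines */
        memcpy(line, log, c);
        line[c] = '\0';
        log += n + (log[n] == '\n');
        if (strstr(line, "BUG: sleeping function called from invalid context")) {
            found = 1;
        } else if (found && strstr(line, "Call trace:")) {
            in_trace = 1;
        } else if (in_trace) {
            if (!strstr(line, "+0x")) break; /* first non-frame line ends the trace */
            genpd |= strstr(line, "genpd_remove") != NULL;
            debugfs |= strstr(line, "debugfs_lookup") != NULL;
        }
    }
    if (!found) return NO_SPLAT;
    return (genpd && debugfs) ? GENPD_DEBUG_REMOVE : OTHER_SLEEP_IN_ATOMIC;
}

int main(void)
{
    printf("page trace: %d, control: %d\n", classify_dmesg(SAMPLE_GENPD), classify_dmesg(SAMPLE_OTHER));
    return 0;
}
```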
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T01:49:39.297Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982dc4522896dcbe54b9
Added to database: 5/21/2025, 9:09:01 AM
Last enriched: 6/30/2025, 4:57:45 AM
Last updated: 8/15/2025, 4:17:43 AM