{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-50491", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-10-04T15:39:19.463Z", "datePublished": "2025-10-04T15:43:44.470Z", "dateUpdated": "2026-05-11T19:20:30.117Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T19:20:30.117Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: cti: Fix hang in cti_disable_hw()\n\ncti_enable_hw() and cti_disable_hw() are called from an atomic context\nso shouldn't use runtime PM because it can result in a sleep when\ncommunicating with firmware.\n\nSince commit 3c6656337852 (\"Revert \"firmware: arm_scmi: Add clock\nmanagement to the SCMI power domain\"\"), this causes a hang on Juno when\nrunning the Perf Coresight tests or running this command:\n\n perf record -e cs_etm//u -- ls\n\nThis was also missed until the revert commit because pm_runtime_put()\nwas called with the wrong device until commit 692c9a499b28 (\"coresight:\ncti: Correct the parameter for pm_runtime_put\")\n\nWith lock and scheduler debugging enabled the following is output:\n\n coresight cti_sys0: cti_enable_hw -- dev:cti_sys0 parent: 20020000.cti\n BUG: sleeping function called from invalid context at drivers/base/power/runtime.c:1151\n in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 330, name: perf-exec\n preempt_count: 2, expected: 0\n RCU nest depth: 0, expected: 0\n INFO: lockdep is turned off.\n irq event stamp: 0\n hardirqs last enabled at (0): [<0000000000000000>] 0x0\n hardirqs last disabled at (0): [<ffff80000822b394>] copy_process+0xa0c/0x1948\n softirqs last enabled at (0): [<ffff80000822b394>] copy_process+0xa0c/0x1948\n softirqs last disabled at (0): [<0000000000000000>] 0x0\n CPU: 3 PID: 330 Comm: perf-exec Not tainted 6.0.0-00053-g042116d99298 #7\n Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Sep 13 2022\n Call trace:\n dump_backtrace+0x134/0x140\n show_stack+0x20/0x58\n dump_stack_lvl+0x8c/0xb8\n dump_stack+0x18/0x34\n __might_resched+0x180/0x228\n __might_sleep+0x50/0x88\n __pm_runtime_resume+0xac/0xb0\n cti_enable+0x44/0x120\n coresight_control_assoc_ectdev+0xc0/0x150\n coresight_enable_path+0xb4/0x288\n etm_event_start+0x138/0x170\n etm_event_add+0x48/0x70\n event_sched_in.isra.122+0xb4/0x280\n merge_sched_in+0x1fc/0x3d0\n visit_groups_merge.constprop.137+0x16c/0x4b0\n ctx_sched_in+0x114/0x1f0\n perf_event_sched_in+0x60/0x90\n ctx_resched+0x68/0xb0\n perf_event_exec+0x138/0x508\n begin_new_exec+0x52c/0xd40\n load_elf_binary+0x6b8/0x17d0\n bprm_execve+0x360/0x7f8\n do_execveat_common.isra.47+0x218/0x238\n __arm64_sys_execve+0x48/0x60\n invoke_syscall+0x4c/0x110\n el0_svc_common.constprop.4+0xfc/0x120\n do_el0_svc+0x34/0xc0\n el0_svc+0x40/0x98\n el0t_64_sync_handler+0x98/0xc0\n el0t_64_sync+0x170/0x174\n\nFix the issue by removing the runtime PM calls completely. They are not\nneeded here because it must have already been done when building the\npath for a trace.\n\n[ Fix build warnings ]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hwtracing/coresight/coresight-cti-core.c"], "versions": [{"version": "835d722ba10ac924adba1e8a46f2d80955222b4b", "lessThan": "e33ce54cef5d429430e3b1ae5c8ee4f4103c4fdc", "status": "affected", "versionType": "git"}, {"version": "835d722ba10ac924adba1e8a46f2d80955222b4b", "lessThan": "4c365a0c21aaf2b8fcc88de8dc298803288f61ac", "status": "affected", "versionType": "git"}, {"version": "835d722ba10ac924adba1e8a46f2d80955222b4b", "lessThan": "c51cfba50df8b9e16bfe0e6d4f2f252a4a10063d", "status": "affected", "versionType": "git"}, {"version": "835d722ba10ac924adba1e8a46f2d80955222b4b", "lessThan": "6746eae4bbaddcc16b40efb33dab79210828b3ce", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hwtracing/coresight/coresight-cti-core.c"], "versions": [{"version": "5.7", "status": "affected"}, {"version": "0", "lessThan": "5.7", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.154", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.77", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.7", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.10.154"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.15.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.0.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e33ce54cef5d429430e3b1ae5c8ee4f4103c4fdc"}, {"url": "https://git.kernel.org/stable/c/4c365a0c21aaf2b8fcc88de8dc298803288f61ac"}, {"url": "https://git.kernel.org/stable/c/c51cfba50df8b9e16bfe0e6d4f2f252a4a10063d"}, {"url": "https://git.kernel.org/stable/c/6746eae4bbaddcc16b40efb33dab79210828b3ce"}], "title": "coresight: cti: Fix hang in cti_disable_hw()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CABD39F1-EBF4-4697-9B6A-AA778FAC9FE5", "versionEndExcluding": "5.10.154", "versionStartIncluding": "5.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "756161DE-EFE3-4008-964A-DFE360B188B7", "versionEndExcluding": "5.15.77", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "65D387F0-209C-4EAD-98BA-C4B430A840C9", "versionEndExcluding": "6.0.7", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "E7E331DA-1FB0-4DEC-91AC-7DA69D461C11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "17F0B248-42CF-4AE6-A469-BB1BAE7F4705", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: cti: Fix hang in cti_disable_hw()\n\ncti_enable_hw() and cti_disable_hw() are called from an atomic context\nso shouldn't use runtime PM because it can result in a sleep when\ncommunicating with firmware.\n\nSince commit 3c6656337852 (\"Revert \"firmware: arm_scmi: Add clock\nmanagement to the SCMI power domain\"\"), this causes a hang on Juno when\nrunning the Perf Coresight tests or running this command:\n\n perf record -e cs_etm//u -- ls\n\nThis was also missed until the revert commit because pm_runtime_put()\nwas called with the wrong device until commit 692c9a499b28 (\"coresight:\ncti: Correct the parameter for pm_runtime_put\")\n\nWith lock and scheduler debugging enabled the following is output:\n\n coresight cti_sys0: cti_enable_hw -- dev:cti_sys0 parent: 20020000.cti\n BUG: sleeping function called from invalid context at drivers/base/power/runtime.c:1151\n in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 330, name: perf-exec\n preempt_count: 2, expected: 0\n RCU nest depth: 0, expected: 0\n INFO: lockdep is turned off.\n irq event stamp: 0\n hardirqs last enabled at (0): [<0000000000000000>] 0x0\n hardirqs last disabled at (0): [<ffff80000822b394>] copy_process+0xa0c/0x1948\n softirqs last enabled at (0): [<ffff80000822b394>] copy_process+0xa0c/0x1948\n softirqs last disabled at (0): [<0000000000000000>] 0x0\n CPU: 3 PID: 330 Comm: perf-exec Not tainted 6.0.0-00053-g042116d99298 #7\n Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Sep 13 2022\n Call trace:\n dump_backtrace+0x134/0x140\n show_stack+0x20/0x58\n dump_stack_lvl+0x8c/0xb8\n dump_stack+0x18/0x34\n __might_resched+0x180/0x228\n __might_sleep+0x50/0x88\n __pm_runtime_resume+0xac/0xb0\n cti_enable+0x44/0x120\n coresight_control_assoc_ectdev+0xc0/0x150\n coresight_enable_path+0xb4/0x288\n etm_event_start+0x138/0x170\n etm_event_add+0x48/0x70\n event_sched_in.isra.122+0xb4/0x280\n merge_sched_in+0x1fc/0x3d0\n visit_groups_merge.constprop.137+0x16c/0x4b0\n ctx_sched_in+0x114/0x1f0\n perf_event_sched_in+0x60/0x90\n ctx_resched+0x68/0xb0\n perf_event_exec+0x138/0x508\n begin_new_exec+0x52c/0xd40\n load_elf_binary+0x6b8/0x17d0\n bprm_execve+0x360/0x7f8\n do_execveat_common.isra.47+0x218/0x238\n __arm64_sys_execve+0x48/0x60\n invoke_syscall+0x4c/0x110\n el0_svc_common.constprop.4+0xfc/0x120\n do_el0_svc+0x34/0xc0\n el0_svc+0x40/0x98\n el0t_64_sync_handler+0x98/0xc0\n el0t_64_sync+0x170/0x174\n\nFix the issue by removing the runtime PM calls completely. They are not\nneeded here because it must have already been done when building the\npath for a trace.\n\n[ Fix build warnings ]"}], "id": "CVE-2022-50491", "lastModified": "2026-03-25T00:32:51.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-10-04T16:15:46.073", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4c365a0c21aaf2b8fcc88de8dc298803288f61ac"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6746eae4bbaddcc16b40efb33dab79210828b3ce"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c51cfba50df8b9e16bfe0e6d4f2f252a4a10063d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e33ce54cef5d429430e3b1ae5c8ee4f4103c4fdc"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: coresight: cti: Fix hang in cti_disable_hw()", "id": "2401482", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2401482"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\ncoresight: cti: Fix hang in cti_disable_hw()\ncti_enable_hw() and cti_disable_hw() are called from an atomic context\nso shouldn't use runtime PM because it can result in a sleep when\ncommunicating with firmware.\nSince commit 3c6656337852 (\"Revert \"firmware: arm_scmi: Add clock\nmanagement to the SCMI power domain\"\"), this causes a hang on Juno when\nrunning the Perf Coresight tests or running this command:\nperf record -e cs_etm//u -- ls\nThis was also missed until the revert commit because pm_runtime_put()\nwas called with the wrong device until commit 692c9a499b28 (\"coresight:\ncti: Correct the parameter for pm_runtime_put\")\nWith lock and scheduler debugging enabled the following is output:\ncoresight cti_sys0: cti_enable_hw -- dev:cti_sys0 parent: 20020000.cti\nBUG: sleeping function called from invalid context at drivers/base/power/runtime.c:1151\nin_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 330, name: perf-exec\npreempt_count: 2, expected: 0\nRCU nest depth: 0, expected: 0\nINFO: lockdep is turned off.\nirq event stamp: 0\nhardirqs last enabled at (0): [<0000000000000000>] 0x0\nhardirqs last disabled at (0): [<ffff80000822b394>] copy_process+0xa0c/0x1948\nsoftirqs last enabled at (0): [<ffff80000822b394>] copy_process+0xa0c/0x1948\nsoftirqs last disabled at (0): [<0000000000000000>] 0x0\nCPU: 3 PID: 330 Comm: perf-exec Not tainted 6.0.0-00053-g042116d99298 #7\nHardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Sep 13 2022\nCall trace:\ndump_backtrace+0x134/0x140\nshow_stack+0x20/0x58\ndump_stack_lvl+0x8c/0xb8\ndump_stack+0x18/0x34\n__might_resched+0x180/0x228\n__might_sleep+0x50/0x88\n__pm_runtime_resume+0xac/0xb0\ncti_enable+0x44/0x120\ncoresight_control_assoc_ectdev+0xc0/0x150\ncoresight_enable_path+0xb4/0x288\netm_event_start+0x138/0x170\netm_event_add+0x48/0x70\nevent_sched_in.isra.122+0xb4/0x280\nmerge_sched_in+0x1fc/0x3d0\nvisit_groups_merge.constprop.137+0x16c/0x4b0\nctx_sched_in+0x114/0x1f0\nperf_event_sched_in+0x60/0x90\nctx_resched+0x68/0xb0\nperf_event_exec+0x138/0x508\nbegin_new_exec+0x52c/0xd40\nload_elf_binary+0x6b8/0x17d0\nbprm_execve+0x360/0x7f8\ndo_execveat_common.isra.47+0x218/0x238\n__arm64_sys_execve+0x48/0x60\ninvoke_syscall+0x4c/0x110\nel0_svc_common.constprop.4+0xfc/0x120\ndo_el0_svc+0x34/0xc0\nel0_svc+0x40/0x98\nel0t_64_sync_handler+0x98/0xc0\nel0t_64_sync+0x170/0x174\nFix the issue by removing the runtime PM calls completely. They are not\nneeded here because it must have already been done when building the\npath for a trace.\n[ Fix build warnings ]"], "name": "CVE-2022-50491", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:rhivos:1", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat In-Vehicle Operating System 1"}], "public_date": "2025-10-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-50491\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50491\nhttps://lore.kernel.org/linux-cve-announce/2025100417-CVE-2022-50491-7a8b@gregkh/T"], "threat_severity": "Low"}

{"created": "2025-10-06T14:41:33.913935+00:00", "updated": "2025-10-06T14:41:33.913990+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}