CVE-2022-48752 in Linux
Summary
by MITRE • 06/20/2024
In the Linux kernel, the following vulnerability has been resolved:
powerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending
Running selftest with CONFIG_PPC_IRQ_SOFT_MASK_DEBUG enabled in kernel triggered below warning:
[ 172.851380] ------------[ cut here ]------------
[ 172.851391] WARNING: CPU: 8 PID: 2901 at arch/powerpc/include/asm/hw_irq.h:246 power_pmu_disable+0x270/0x280
[ 172.851402] Modules linked in: dm_mod bonding nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables rfkill nfnetlink sunrpc xfs libcrc32c pseries_rng xts vmx_crypto uio_pdrv_genirq uio sch_fq_codel ip_tables ext4 mbcache jbd2 sd_mod t10_pi sg ibmvscsi ibmveth scsi_transport_srp fuse
[ 172.851442] CPU: 8 PID: 2901 Comm: lost_exception_ Not tainted 5.16.0-rc5-03218-g798527287598 #2
[ 172.851451] NIP: c00000000013d600 LR: c00000000013d5a4 CTR: c00000000013b180
[ 172.851458] REGS: c000000017687860 TRAP: 0700 Not tainted (5.16.0-rc5-03218-g798527287598)
[ 172.851465] MSR: 8000000000029033 CR: 48004884 XER: 20040000
[ 172.851482] CFAR: c00000000013d5b4 IRQMASK: 1
[ 172.851482] GPR00: c00000000013d5a4 c000000017687b00 c000000002a10600 0000000000000004
[ 172.851482] GPR04: 0000000082004000 c0000008ba08f0a8 0000000000000000 00000008b7ed0000
[ 172.851482] GPR08: 00000000446194f6 0000000000008000 c00000000013b118 c000000000d58e68
[ 172.851482] GPR12: c00000000013d390 c00000001ec54a80 0000000000000000 0000000000000000
[ 172.851482] GPR16: 0000000000000000 0000000000000000 c000000015d5c708 c0000000025396d0
[ 172.851482] GPR20: 0000000000000000 0000000000000000 c00000000a3bbf40 0000000000000003
[ 172.851482] GPR24: 0000000000000000 c0000008ba097400 c0000000161e0d00 c00000000a3bb600
[ 172.851482] GPR28: c000000015d5c700 0000000000000001 0000000082384090 c0000008ba0020d8
[ 172.851549] NIP [c00000000013d600] power_pmu_disable+0x270/0x280
[ 172.851557] LR [c00000000013d5a4] power_pmu_disable+0x214/0x280
[ 172.851565] Call Trace:
[ 172.851568] [c000000017687b00] [c00000000013d5a4] power_pmu_disable+0x214/0x280 (unreliable)
[ 172.851579] [c000000017687b40] [c0000000003403ac] perf_pmu_disable+0x4c/0x60
[ 172.851588] [c000000017687b60] [c0000000003445e4] __perf_event_task_sched_out+0x1d4/0x660
[ 172.851596] [c000000017687c50] [c000000000d1175c] __schedule+0xbcc/0x12a0
[ 172.851602] [c000000017687d60] [c000000000d11ea8] schedule+0x78/0x140
[ 172.851608] [c000000017687d90] [c0000000001a8080] sys_sched_yield+0x20/0x40
[ 172.851615] [c000000017687db0] [c0000000000334dc] system_call_exception+0x18c/0x380
[ 172.851622] [c000000017687e10] [c00000000000c74c] system_call_common+0xec/0x268
The warning indicates that MSR_EE being set(interrupt enabled) when there was an overflown PMC detected. This could happen in power_pmu_disable since it runs under interrupt soft disable condition ( local_irq_save ) and not with interrupts hard disabled. commit 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clear pending PMI before resetting an overflown PMC") intended to clear PMI pending bit in Paca when disabling the PMU. It could happen that PMC gets overflown while code is in power_pmu_disable callback function. Hence add a check to see if PMI pending bit is set in Paca before clearing it via clear_pmi_pending.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 09/29/2025
The vulnerability described in CVE-2022-48752 resides within the Linux kernel's powerpc architecture performance monitoring unit implementation, specifically in the power_pmu_disable function. This flaw manifests as a race condition or improper interrupt handling scenario that can lead to system instability. The issue becomes apparent when the kernel's selftest framework is executed with CONFIG_PPC_IRQ_SOFT_MASK_DEBUG enabled, which triggers a critical warning indicating that the MSR_EE (Machine State Register External Interrupt Enable) bit is set during an overflow condition of the Performance Monitoring Counters. The warning originates from the power_pmu_disable function at arch/powerpc/include/asm/hw_irq.h line 246, where the system attempts to clear pending PMI (Performance Monitoring Interrupt) while interrupts are in a soft-disabled state rather than hard-disabled state.
The root cause of this vulnerability stems from the improper sequence of operations within the power_pmu_disable callback function. According to the kernel commit 2c9ac51b850d, the original intention was to clear the PMI pending bit in the PACA (Per-Processor Area) structure before resetting an overflown PMC. However, the implementation fails to account for a critical timing window where the PMC can overflow while the power_pmu_disable function is executing under a soft interrupt disable condition established by local_irq_save(). This creates a scenario where the system attempts to clear a PMI pending bit that may not actually be set, or where the clearing operation occurs in an improper interrupt context, leading to potential system corruption or unexpected behavior. The call trace shows this issue propagates through perf_pmu_disable, __perf_event_task_sched_out, and scheduler functions, indicating the vulnerability affects the kernel's performance monitoring subsystem during task scheduling operations.
The operational impact of this vulnerability extends beyond simple system warnings, as it represents a fundamental flaw in interrupt handling within the powerpc architecture's performance monitoring subsystem. When the system encounters a scenario where a PMC overflows while power_pmu_disable is active, the improper handling of the PMI pending bit can lead to incorrect interrupt state management, potentially causing system instability, data corruption, or denial of service conditions. This vulnerability specifically affects systems running the Linux kernel with powerpc architecture and performance monitoring enabled, particularly those executing kernel selftests with debug configurations. The issue is classified under CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization, and aligns with ATT&CK technique T1490: Inhibit System Recovery, as the improper interrupt handling could prevent proper system recovery mechanisms from functioning correctly.
Mitigation strategies for this vulnerability involve ensuring that the power_pmu_disable function properly checks the PMI pending status before attempting to clear it, and that the function operates under appropriate interrupt disable conditions. The fix implemented in the kernel ensures that clear_pmi_irq_pending is only called when PMI is actually pending, preventing the erroneous clearing of interrupt status bits. System administrators should ensure their kernels are updated to versions containing the fix, and should avoid running kernel selftests with CONFIG_PPC_IRQ_SOFT_MASK_DEBUG enabled in production environments. Additionally, monitoring systems should be configured to detect and alert on similar interrupt state anomalies, as this vulnerability may indicate broader issues with interrupt handling in the system's performance monitoring infrastructure. The fix addresses the core issue by adding proper conditional checks before interrupt status bit manipulation, ensuring that system stability is maintained during performance monitoring operations.