CVE-2022-49759
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 27/03/2025
Last modified: 01/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

VMCI: Use threaded irqs instead of tasklets

The vmci_dispatch_dgs() tasklet function calls vmci_read_data()
which uses wait_event() resulting in invalid sleep in an atomic
context (and therefore potentially in a deadlock).

Use threaded irqs to fix this issue and completely remove usage
of tasklets.

[ 20.264639] BUG: sleeping function called from invalid context at drivers/misc/vmw_vmci/vmci_guest.c:145
[ 20.264643] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 762, name: vmtoolsd
[ 20.264645] preempt_count: 101, expected: 0
[ 20.264646] RCU nest depth: 0, expected: 0
[ 20.264647] 1 lock held by vmtoolsd/762:
[ 20.264648] #0: ffff0000874ae440 (sk_lock-AF_VSOCK){+.+.}-{0:0}, at: vsock_connect+0x60/0x330 [vsock]
[ 20.264658] Preemption disabled at:
[ 20.264659] [] vmci_send_datagram+0x44/0xa0 [vmw_vmci]
[ 20.264665] CPU: 0 PID: 762 Comm: vmtoolsd Not tainted 5.19.0-0.rc8.20220727git39c3c396f813.60.fc37.aarch64 #1
[ 20.264667] Hardware name: VMware, Inc. VBSA/VBSA, BIOS VEFI 12/31/2020
[ 20.264668] Call trace:
[ 20.264669] dump_backtrace+0xc4/0x130
[ 20.264672] show_stack+0x24/0x80
[ 20.264673] dump_stack_lvl+0x88/0xb4
[ 20.264676] dump_stack+0x18/0x34
[ 20.264677] __might_resched+0x1a0/0x280
[ 20.264679] __might_sleep+0x58/0x90
[ 20.264681] vmci_read_data+0x74/0x120 [vmw_vmci]
[ 20.264683] vmci_dispatch_dgs+0x64/0x204 [vmw_vmci]
[ 20.264686] tasklet_action_common.constprop.0+0x13c/0x150
[ 20.264688] tasklet_action+0x40/0x50
[ 20.264689] __do_softirq+0x23c/0x6b4
[ 20.264690] __irq_exit_rcu+0x104/0x214
[ 20.264691] irq_exit_rcu+0x1c/0x50
[ 20.264693] el1_interrupt+0x38/0x6c
[ 20.264695] el1h_64_irq_handler+0x18/0x24
[ 20.264696] el1h_64_irq+0x68/0x6c
[ 20.264697] preempt_count_sub+0xa4/0xe0
[ 20.264698] _raw_spin_unlock_irqrestore+0x64/0xb0
[ 20.264701] vmci_send_datagram+0x7c/0xa0 [vmw_vmci]
[ 20.264703] vmci_datagram_dispatch+0x84/0x100 [vmw_vmci]
[ 20.264706] vmci_datagram_send+0x2c/0x40 [vmw_vmci]
[ 20.264709] vmci_transport_send_control_pkt+0xb8/0x120 [vmw_vsock_vmci_transport]
[ 20.264711] vmci_transport_connect+0x40/0x7c [vmw_vsock_vmci_transport]
[ 20.264713] vsock_connect+0x278/0x330 [vsock]
[ 20.264715] __sys_connect_file+0x8c/0xc0
[ 20.264718] __sys_connect+0x84/0xb4
[ 20.264720] __arm64_sys_connect+0x2c/0x3c
[ 20.264721] invoke_syscall+0x78/0x100
[ 20.264723] el0_svc_common.constprop.0+0x68/0x124
[ 20.264724] do_el0_svc+0x38/0x4c
[ 20.264725] el0_svc+0x60/0x180
[ 20.264726] el0t_64_sync_handler+0x11c/0x150
[ 20.264728] el0t_64_sync+0x190/0x194
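
The following triage script is an added example, not part of the advisory or the kernel commit. It scans a kernel log for this class of report, decodes `preempt_count`, and checks whether the sleeping call was reached from a tasklet. The sample lines are excerpted from the splat above, and the `preempt_count` bit layout is an assumption taken from recent kernels' `include/linux/preempt.h`.

```python
import re

# Constructed sample: lines excerpted from the splat in the description above.
SAMPLE = """\
[ 20.264639] BUG: sleeping function called from invalid context at drivers/misc/vmw_vmci/vmci_guest.c:145
[ 20.264643] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 762, name: vmtoolsd
[ 20.264645] preempt_count: 101, expected: 0
[ 20.264659] [] vmci_send_datagram+0x44/0xa0 [vmw_vmci]
[ 20.264668] Call trace:
[ 20.264676] dump_stack+0x18/0x34
[ 20.264679] __might_sleep+0x58/0x90
[ 20.264681] vmci_read_data+0x74/0x120 [vmw_vmci]
[ 20.264683] vmci_dispatch_dgs+0x64/0x204 [vmw_vmci]
[ 20.264686] tasklet_action_common.constprop.0+0x13c/0x150
[ 20.264689] __do_softirq+0x23c/0x6b4
"""

HEADER = re.compile(r"BUG: sleeping function called from invalid context at (\S+):(\d+)")
COUNT = re.compile(r"preempt_count: ([0-9a-f]+), expected")
FRAME = re.compile(r"\]\s+([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
REPORTING = re.compile(r"dump_|show_stack|__might_")  # frames of the debug check itself

def decode_preempt_count(value):
    # Assumed field layout (include/linux/preempt.h, recent kernels):
    # bits 0-7 preempt, 8-15 softirq, 16-19 hardirq, 20-23 NMI.
    return {"preempt": value & 0xFF, "softirq": (value >> 8) & 0xFF,
            "hardirq": (value >> 16) & 0xF, "nmi": (value >> 20) & 0xF}

def triage(log):
    """Return one dict per sleep-in-atomic report found in a kernel log."""
    reports, cur, in_trace = [], None, False
    for line in log.splitlines():
        if m := HEADER.search(line):
            cur = {"file": m[1], "line": int(m[2]), "count": None, "frames": []}
            reports.append(cur)
            in_trace = False
        elif cur is None:
            continue
        elif m := COUNT.search(line):
            cur["count"] = decode_preempt_count(int(m[1], 16))  # printed in hex
        elif "call trace:" in line.lower():
            in_trace = True
        elif in_trace and (m := FRAME.search(line)):
            cur["frames"].append(m[1])
    for r in reports:
        callers = [f for f in r["frames"] if not REPORTING.match(f)]
        r["sleeper"] = callers[0] if callers else None
        r["via_tasklet"] = any(f.startswith("tasklet_action") for f in callers)
    return reports
```

For the report above, a non-zero `softirq` field together with a `tasklet_action` frame confirms that `vmci_read_data()` was reached from softirq context, where `wait_event()` must not sleep.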
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.18 (including) | 6.1.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:* | | |