In early 2022, Linux kernel maintainers patched a subtle but important vulnerability, CVE-2022-49322, involving the tracing subsystem and the PREEMPT_RT (real-time) patches. This issue could result in kernel hangs or panics by calling sleeping functions from contexts where sleeping is not permitted, notably when using certain boot parameters on a realtime-configured kernel.

This post will break down this vulnerability in simple terms, walk you through how it appears, show the problematic code, and explain the fix implemented by kernel developers. We’ll also provide original reference links and test/exploit details for researchers and sysadmins.

What is CVE-2022-49322?

CVE-2022-49322 is a bug in the Linux kernel’s tracing subsystem. It triggers when tracing event parameters are set on the kernel command line at boot (specifically, trace_event=initcall:initcall_start tp_printk=1) on a kernel with real-time (RT) preemption enabled via the PREEMPT_RT patches. On such systems, certain locking functions are "sleepable". Taking one of them in a context that must not sleep can trigger a "sleeping function called from invalid context" warning, and in some cases, an actual kernel crash.

What Causes the Issue?

Linux has different types of locks. Most are designed not to "sleep" (that is, not to block or pause in a context where the kernel can’t afford to be interrupted). But in RT kernels, common locks like spinlocks are replaced by rt-spinlocks, which MAY sleep.

When using the specific boot parameters above, the kernel tracing system calls output_printk(), which (via several function calls) tries to acquire what, under vanilla Linux, is a non-sleeping (atomic) spinlock. On PREEMPT_RT, however, this is a sleepable lock!

If the tracepoint fires from an atomic or interrupt-disabled context, and the code tries to take a sleeping lock, the kernel prints a scary bug:
BUG: sleeping function called from invalid context
...and the stack trace follows.

Original References

- Kernel Patch (commit) — Fix discussed and merged
- PREEMPT_RT Wiki — About PREEMPT_RT
- Linux Tracing Subsystem Docs

Typical Warning

BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46
in_atomic(): 1, irqs_disabled(): , non_block: , pid: 1, name: swapper/
preempt_count: 2, expected: 
...
Call Trace:
  dump_stack_lvl+0x60/0x8c
  ...
  trace_event_buffer_commit+0x2fa/0x4c
  ...
  kernel_init_freeable+0x1ac/0x347
  ...

When the boot command line enables tracing with trace_event and tp_printk=1, the kernel executes:

void output_printk(const char *fmt, ...)
{
    unsigned long flags;
    spin_lock_irqsave(&trace_buf_lock, flags);
    // ... output tracing information ...
    spin_unlock_irqrestore(&trace_buf_lock, flags);
}

On a PREEMPT_RT kernel, spin_lock_irqsave() becomes a sleepable lock:

#define spin_lock_irqsave(lock, flags) rt_spin_lock(lock)

If the call originates in atomic context (preemption or interrupts disabled), sleeping is strictly forbidden—hence the bug message.

The Fix

Developers fixed this by using raw_spin_lock_irqsave() in this context, which is guaranteed not to sleep, even with RT enabled:

#if defined(CONFIG_PREEMPT_RT)
    /* raw_ variant never sleeps; the lock must be declared raw_spinlock_t */
    raw_spin_lock_irqsave(&trace_buf_lock, flags);
#else
    spin_lock_irqsave(&trace_buf_lock, flags);
#endif

This ensures tracing output never tries to sleep, preserving consistency and reliability on all kernel variants.

View the actual patch:
See Git Commit fe8c86cbe6c

Exploit or Impact

CVE-2022-49322 is NOT a privilege escalation or code execution bug—it is a local denial of service problem. If exploited, it could hang the kernel during boot when specific tracer parameters are used. This is especially severe on specialized Linux systems using realtime kernels for critical deployments.

Attackers need console or boot parameter access, so for most cloud/VMs this is a low risk, but for embedded or field systems, it’s critical.

Add to GRUB_CMDLINE_LINUX:

trace_event=initcall:initcall_start tp_printk=1

Update grub and reboot.

Recommendations

- If you use a PREEMPT_RT kernel, make sure to update to a kernel version with this patch (5.17.2+ or ported backports).
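
To find hosts that combine a PREEMPT_RT kernel with the boot parameters described in this post, the following added audit script (not part of the kernel patch or the original write-up) classifies a `uname -v` string and a kernel command line. The function names are hypothetical, the sample inputs are constructed, and it assumes that any trace_event= value counts, not only initcall:initcall_start.

```shell
#!/bin/sh
# Added example: report whether a host combines a PREEMPT_RT kernel with the
# trace_event= and tp_printk boot parameters. Function names are hypothetical.

# has_param NAME CMDLINE: succeed if NAME or NAME=value is a cmdline word.
has_param() (
    set -f                      # no globbing on values such as sched:*
    for word in $2; do
        case "$word" in "$1"|"$1"=*) exit 0 ;; esac
    done
    exit 1
)

# tp_printk_on CMDLINE: succeed if tp_printk is present and not switched off.
# Assumption: tp_printk=0 and tp_printk=off leave it disabled.
tp_printk_on() (
    set -f
    for word in $1; do
        case "$word" in
            tp_printk=0|tp_printk=off) ;;
            tp_printk|tp_printk=*) exit 0 ;;
        esac
    done
    exit 1
)

# is_rt_kernel UNAME_V: succeed if the `uname -v` text reports PREEMPT_RT.
is_rt_kernel() {
    case "$1" in *PREEMPT_RT*|*"PREEMPT RT"*) return 0 ;; esac
    return 1
}

# assess UNAME_V CMDLINE: print not-rt, rt-no-trigger or trigger-config.
assess() {
    if ! is_rt_kernel "$1"; then echo "not-rt"; return 0; fi
    if has_param trace_event "$2" && tp_printk_on "$2"; then
        echo "trigger-config"
    else
        echo "rt-no-trigger"
    fi
}

# Constructed sample inputs, not captured from a real host.
SAMPLE_UNAME='#1 SMP PREEMPT_RT Sat Jan 1 00:00:00 UTC 2022'
SAMPLE_CMDLINE='root=/dev/sda1 ro trace_event=initcall:initcall_start tp_printk=1'

if [ "${1:-}" = "--live" ]; then
    assess "$(uname -v)" "$(cat /proc/cmdline)"
else
    assess "$SAMPLE_UNAME" "$SAMPLE_CMDLINE"
fi
```

Run it with `--live` on the host itself. A `trigger-config` result only means the kernel type and boot parameters match; compare the running kernel against the fixed release named in the recommendation above before treating the host as affected.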

Stay safe, and keep those kernel updates applied—especially on systems with unique real-time requirements!

Timeline

Published on: 02/26/2025 07:01:09 UTC
Last modified on: 04/14/2025 19:45:44 UTC