CVE-2022-49765: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49765 affects the Linux kernel's net/9p subsystem and involves a vulnerability related to spinlock usage. The issue was discovered when syzbot reported inconsistent lock state in the p9_req_put() function. The vulnerability was identified in multiple Linux kernel versions, including Debian bullseye (5.10.223-1 and 5.10.234-1) (Debian Security).

The vulnerability stems from inconsistent lock protection mechanisms between client.c and trans_fd.c components. Specifically, p9_tag_remove() from p9_req_put() in IRQ context uses spin_lock_irqsave() on 'struct p9_client'->lock, while trans_fd (not from IRQ context) uses spin_lock(). The client.c's locks protect the idr for fid/tag allocations, while trans_fd.c's locks protect its own req list and request status field that acts as the transport's state machine (Wiz).

The vulnerability affects multiple versions of the Linux kernel, particularly impacting systems running Debian bullseye (5.10.223-1 and 5.10.234-1). However, newer versions such as Debian bookworm (6.1.129-1 and later) and trixie (6.12.22-1) have received fixes (Debian Security).

The issue has been resolved by implementing a dedicated spinlock for trans_fd, effectively separating the lock protection mechanisms between the client and transport components. The fix has been incorporated into newer kernel versions, including Debian bookworm and trixie releases (Debian Security).