{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-49441","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T02:08:31.570Z","datePublished":"2025-02-26T02:12:54.649Z","dateUpdated":"2025-10-01T19:46:49.473Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T12:44:42.797Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntty: fix deadlock caused by calling printk() under tty_port->lock\n\npty_write() invokes kmalloc() which may invoke a normal printk() to print\nfailure message.  This can cause a deadlock in the scenario reported by\nsyz-bot below:\n\n       CPU0              CPU1                    CPU2\n       ----              ----                    ----\n                         lock(console_owner);\n                                                 lock(&port_lock_key);\n  lock(&port->lock);\n                         lock(&port_lock_key);\n                                                 lock(&port->lock);\n  lock(console_owner);\n\nAs commit dbdda842fe96 (\"printk: Add console owner and waiter logic to\nload balance console writes\") said, such deadlock can be prevented by\nusing printk_deferred() in kmalloc() (which is invoked in the section\nguarded by the port->lock).  But there are too many printk() on the\nkmalloc() path, and kmalloc() can be called from anywhere, so changing\nprintk() to printk_deferred() is too complicated and inelegant.\n\nTherefore, this patch chooses to specify __GFP_NOWARN to kmalloc(), so\nthat printk() will not be called, and this deadlock problem can be\navoided.\n\nSyzbot reported the following lockdep error:\n\n======================================================\nWARNING: possible circular locking dependency detected\n5.4.143-00237-g08ccc19a-dirty #10 Not tainted\n------------------------------------------------------\nsyz-executor.4/29420 is trying to acquire lock:\nffffffff8aedb2a0 (console_owner){....}-{0:0}, at: console_trylock_spinning kernel/printk/printk.c:1752 [inline]\nffffffff8aedb2a0 (console_owner){....}-{0:0}, at: vprintk_emit+0x2ca/0x470 kernel/printk/printk.c:2023\n\nbut task is already holding lock:\nffff8880119c9158 (&port->lock){-.-.}-{2:2}, at: pty_write+0xf4/0x1f0 drivers/tty/pty.c:120\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #2 (&port->lock){-.-.}-{2:2}:\n       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n       _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n       tty_port_tty_get drivers/tty/tty_port.c:288 [inline]          \t\t<-- lock(&port->lock);\n       tty_port_default_wakeup+0x1d/0xb0 drivers/tty/tty_port.c:47\n       serial8250_tx_chars+0x530/0xa80 drivers/tty/serial/8250/8250_port.c:1767\n       serial8250_handle_irq.part.0+0x31f/0x3d0 drivers/tty/serial/8250/8250_port.c:1854\n       serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1827 [inline] \t<-- lock(&port_lock_key);\n       serial8250_default_handle_irq+0xb2/0x220 drivers/tty/serial/8250/8250_port.c:1870\n       serial8250_interrupt+0xfd/0x200 drivers/tty/serial/8250/8250_core.c:126\n       __handle_irq_event_percpu+0x109/0xa50 kernel/irq/handle.c:156\n       [...]\n\n-> #1 (&port_lock_key){-.-.}-{2:2}:\n       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n       _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n       serial8250_console_write+0x184/0xa40 drivers/tty/serial/8250/8250_port.c:3198\n\t\t\t\t\t\t\t\t\t\t<-- lock(&port_lock_key);\n       call_console_drivers kernel/printk/printk.c:1819 [inline]\n       console_unlock+0x8cb/0xd00 kernel/printk/printk.c:2504\n       vprintk_emit+0x1b5/0x470 kernel/printk/printk.c:2024\t\t\t<-- lock(console_owner);\n       vprintk_func+0x8d/0x250 kernel/printk/printk_safe.c:394\n       printk+0xba/0xed kernel/printk/printk.c:2084\n       register_console+0x8b3/0xc10 kernel/printk/printk.c:2829\n       univ8250_console_init+0x3a/0x46 drivers/tty/serial/8250/8250_core.c:681\n       console_init+0x49d/0x6d3 kernel/printk/printk.c:2915\n       start_kernel+0x5e9/0x879 init/main.c:713\n       secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241\n\n-> #0 (console_owner){....}-{0:0}:\n       [...]\n       lock_acquire+0x127/0x340 kernel/locking/lockdep.c:4734\n       console_trylock_spinning kernel/printk/printk.c:1773 \n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/tty/tty_buffer.c"],"versions":[{"version":"d83904cb2eb2c4d937eaf15032214b0578f25099","lessThan":"4af21b12a60ed2d3642284f4f85b42d7dc6ac246","status":"affected","versionType":"git"},{"version":"deb1feaad03a78b545c949e54582ae57b3c56982","lessThan":"4c253caf9264d2aa47ee806a87986dd8eb91a5d9","status":"affected","versionType":"git"},{"version":"b6da31b2c07c46f2dcad1d86caa835227a16d9ff","lessThan":"04ee31678c128a6cc7bb057ea189a8624ba5a314","status":"affected","versionType":"git"},{"version":"b6da31b2c07c46f2dcad1d86caa835227a16d9ff","lessThan":"3219ac364ac3d8d30771612a6010f1e0b7fa0a28","status":"affected","versionType":"git"},{"version":"b6da31b2c07c46f2dcad1d86caa835227a16d9ff","lessThan":"9834b13e8b962caa28fbcf1f422dd82413da4ede","status":"affected","versionType":"git"},{"version":"b6da31b2c07c46f2dcad1d86caa835227a16d9ff","lessThan":"18ca0d55e8639b911df8aae1b47598b13f9acded","status":"affected","versionType":"git"},{"version":"b6da31b2c07c46f2dcad1d86caa835227a16d9ff","lessThan":"b3c974501d0c32258ae0e04e5cc3fb92383b40f6","status":"affected","versionType":"git"},{"version":"b6da31b2c07c46f2dcad1d86caa835227a16d9ff","lessThan":"0bcf44903ef4df742dcada86ccaedd25374ffb50","status":"affected","versionType":"git"},{"version":"b6da31b2c07c46f2dcad1d86caa835227a16d9ff","lessThan":"6b9dbedbe3499fef862c4dff5217cf91f34e43b3","status":"affected","versionType":"git"},{"version":"6d9cd12792270773fab9e5a129daff328d61ef9e","status":"affected","versionType":"git"},{"version":"6dbfa9b5ae65063cd61dc7fa11332e00bb794d8b","status":"affected","versionType":"git"},{"version":"60c4e8db32815474bfaeabe888ebb14e698caea1","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/tty/tty_buffer.c"],"versions":[{"version":"4.18","status":"affected"},{"version":"0","lessThan":"4.18","status":"unaffected","versionType":"semver"},{"version":"4.9.318","lessThanOrEqual":"4.9.*","status":"unaffected","versionType":"semver"},{"version":"4.14.283","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.247","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.198","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.121","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.46","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.17.14","lessThanOrEqual":"5.17.*","status":"unaffected","versionType":"semver"},{"version":"5.18.3","lessThanOrEqual":"5.18.*","status":"unaffected","versionType":"semver"},{"version":"5.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9.117","versionEndExcluding":"4.9.318"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.60","versionEndExcluding":"4.14.283"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"4.19.247"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.4.198"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.10.121"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.15.46"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.17.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.18.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18.118"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4.146"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17.12"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4af21b12a60ed2d3642284f4f85b42d7dc6ac246"},{"url":"https://git.kernel.org/stable/c/4c253caf9264d2aa47ee806a87986dd8eb91a5d9"},{"url":"https://git.kernel.org/stable/c/04ee31678c128a6cc7bb057ea189a8624ba5a314"},{"url":"https://git.kernel.org/stable/c/3219ac364ac3d8d30771612a6010f1e0b7fa0a28"},{"url":"https://git.kernel.org/stable/c/9834b13e8b962caa28fbcf1f422dd82413da4ede"},{"url":"https://git.kernel.org/stable/c/18ca0d55e8639b911df8aae1b47598b13f9acded"},{"url":"https://git.kernel.org/stable/c/b3c974501d0c32258ae0e04e5cc3fb92383b40f6"},{"url":"https://git.kernel.org/stable/c/0bcf44903ef4df742dcada86ccaedd25374ffb50"},{"url":"https://git.kernel.org/stable/c/6b9dbedbe3499fef862c4dff5217cf91f34e43b3"}],"title":"tty: fix deadlock caused by calling printk() under tty_port->lock","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"id":"CVE-2022-49441","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2025-10-01T19:40:56.105263Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-667","description":"CWE-667 Improper Locking"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-01T19:46:49.473Z"}}]}}