{"id":"CVE-2022-49441","summary":"tty: fix deadlock caused by calling printk() under tty_port-\u003elock","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ntty: fix deadlock caused by calling printk() under tty_port-\u003elock\n\npty_write() invokes kmalloc() which may invoke a normal printk() to print\nfailure message.  This can cause a deadlock in the scenario reported by\nsyz-bot below:\n\n       CPU0              CPU1                    CPU2\n       ----              ----                    ----\n                         lock(console_owner);\n                                                 lock(&port_lock_key);\n  lock(&port-\u003elock);\n                         lock(&port_lock_key);\n                                                 lock(&port-\u003elock);\n  lock(console_owner);\n\nAs commit dbdda842fe96 (\"printk: Add console owner and waiter logic to\nload balance console writes\") said, such deadlock can be prevented by\nusing printk_deferred() in kmalloc() (which is invoked in the section\nguarded by the port-\u003elock).  But there are too many printk() on the\nkmalloc() path, and kmalloc() can be called from anywhere, so changing\nprintk() to printk_deferred() is too complicated and inelegant.\n\nTherefore, this patch chooses to specify __GFP_NOWARN to kmalloc(), so\nthat printk() will not be called, and this deadlock problem can be\navoided.\n\nSyzbot reported the following lockdep error:\n\n======================================================\nWARNING: possible circular locking dependency detected\n5.4.143-00237-g08ccc19a-dirty #10 Not tainted\n------------------------------------------------------\nsyz-executor.4/29420 is trying to acquire lock:\nffffffff8aedb2a0 (console_owner){....}-{0:0}, at: console_trylock_spinning kernel/printk/printk.c:1752 [inline]\nffffffff8aedb2a0 (console_owner){....}-{0:0}, at: vprintk_emit+0x2ca/0x470 kernel/printk/printk.c:2023\n\nbut task is already holding lock:\nffff8880119c9158 (&port-\u003elock){-.-.}-{2:2}, at: pty_write+0xf4/0x1f0 drivers/tty/pty.c:120\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-\u003e #2 (&port-\u003elock){-.-.}-{2:2}:\n       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n       _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n       tty_port_tty_get drivers/tty/tty_port.c:288 [inline]          \t\t\u003c-- lock(&port-\u003elock);\n       tty_port_default_wakeup+0x1d/0xb0 drivers/tty/tty_port.c:47\n       serial8250_tx_chars+0x530/0xa80 drivers/tty/serial/8250/8250_port.c:1767\n       serial8250_handle_irq.part.0+0x31f/0x3d0 drivers/tty/serial/8250/8250_port.c:1854\n       serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1827 [inline] \t\u003c-- lock(&port_lock_key);\n       serial8250_default_handle_irq+0xb2/0x220 drivers/tty/serial/8250/8250_port.c:1870\n       serial8250_interrupt+0xfd/0x200 drivers/tty/serial/8250/8250_core.c:126\n       __handle_irq_event_percpu+0x109/0xa50 kernel/irq/handle.c:156\n       [...]\n\n-\u003e #1 (&port_lock_key){-.-.}-{2:2}:\n       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n       _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159\n       serial8250_console_write+0x184/0xa40 drivers/tty/serial/8250/8250_port.c:3198\n\t\t\t\t\t\t\t\t\t\t\u003c-- lock(&port_lock_key);\n       call_console_drivers kernel/printk/printk.c:1819 [inline]\n       console_unlock+0x8cb/0xd00 kernel/printk/printk.c:2504\n       vprintk_emit+0x1b5/0x470 kernel/printk/printk.c:2024\t\t\t\u003c-- lock(console_owner);\n       vprintk_func+0x8d/0x250 kernel/printk/printk_safe.c:394\n       printk+0xba/0xed kernel/printk/printk.c:2084\n       register_console+0x8b3/0xc10 kernel/printk/printk.c:2829\n       univ8250_console_init+0x3a/0x46 drivers/tty/serial/8250/8250_core.c:681\n       console_init+0x49d/0x6d3 kernel/printk/printk.c:2915\n       start_kernel+0x5e9/0x879 init/main.c:713\n       secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241\n\n-\u003e #0 (console_owner){....}-{0:0}:\n       [...]\n       lock_acquire+0x127/0x340 kernel/locking/lockdep.c:4734\n       console_trylock_spinning kernel/printk/printk.c:1773 \n---truncated---","modified":"2026-04-02T08:27:35.919200Z","published":"2025-02-26T02:12:54.649Z","related":["SUSE-SU-2025:01983-1","SUSE-SU-2025:1027-1","SUSE-SU-2025:1176-1","SUSE-SU-2025:1183-1","SUSE-SU-2025:1194-1","SUSE-SU-2025:1241-1","SUSE-SU-2025:1263-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49441.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/04ee31678c128a6cc7bb057ea189a8624ba5a314"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0bcf44903ef4df742dcada86ccaedd25374ffb50"},{"type":"WEB","url":"https://git.kernel.org/stable/c/18ca0d55e8639b911df8aae1b47598b13f9acded"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3219ac364ac3d8d30771612a6010f1e0b7fa0a28"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4af21b12a60ed2d3642284f4f85b42d7dc6ac246"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4c253caf9264d2aa47ee806a87986dd8eb91a5d9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6b9dbedbe3499fef862c4dff5217cf91f34e43b3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9834b13e8b962caa28fbcf1f422dd82413da4ede"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b3c974501d0c32258ae0e04e5cc3fb92383b40f6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49441.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49441"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d83904cb2eb2c4d937eaf15032214b0578f25099"},{"fixed":"4af21b12a60ed2d3642284f4f85b42d7dc6ac246"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"deb1feaad03a78b545c949e54582ae57b3c56982"},{"fixed":"4c253caf9264d2aa47ee806a87986dd8eb91a5d9"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b6da31b2c07c46f2dcad1d86caa835227a16d9ff"},{"fixed":"04ee31678c128a6cc7bb057ea189a8624ba5a314"},{"fixed":"3219ac364ac3d8d30771612a6010f1e0b7fa0a28"},{"fixed":"9834b13e8b962caa28fbcf1f422dd82413da4ede"},{"fixed":"18ca0d55e8639b911df8aae1b47598b13f9acded"},{"fixed":"b3c974501d0c32258ae0e04e5cc3fb92383b40f6"},{"fixed":"0bcf44903ef4df742dcada86ccaedd25374ffb50"},{"fixed":"6b9dbedbe3499fef862c4dff5217cf91f34e43b3"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"6d9cd12792270773fab9e5a129daff328d61ef9e"},{"last_affected":"6dbfa9b5ae65063cd61dc7fa11332e00bb794d8b"},{"last_affected":"60c4e8db32815474bfaeabe888ebb14e698caea1"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49441.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}