2348137 – (CVE-2022-49304) CVE-2022-49304 kernel: drivers: tty: serial: Fix deadlock in sa1100_set_termios()

Bug 2348137 (CVE-2022-49304) - CVE-2022-49304 kernel: drivers: tty: serial: Fix deadlock in sa1100_set_termios()

Summary: CVE-2022-49304 kernel: drivers: tty: serial: Fix deadlock in sa1100_set_termi...

Keywords:
Status:	NEW
Alias:	CVE-2022-49304
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-02-26 03:18 UTC by OSIDB Bzimport
Modified:	2025-02-27 07:47 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-02-26 03:18:54 UTC

In the Linux kernel, the following vulnerability has been resolved:

drivers: tty: serial: Fix deadlock in sa1100_set_termios()

There is a deadlock in sa1100_set_termios(), which is shown
below:

   (Thread 1)              |      (Thread 2)
                           | sa1100_enable_ms()
sa1100_set_termios()       |  mod_timer()
 spin_lock_irqsave() //(1) |  (wait a time)
 ...                       | sa1100_timeout()
 del_timer_sync()          |  spin_lock_irqsave() //(2)
 (wait timer to stop)      |  ...

We hold sport->port.lock in position (1) of thread 1 and
use del_timer_sync() to wait timer to stop, but timer handler
also need sport->port.lock in position (2) of thread 2. As a result,
sa1100_set_termios() will block forever.

This patch moves del_timer_sync() before spin_lock_irqsave()
in order to prevent the deadlock.

Comment 1 Avinash Hanwate 2025-02-26 20:43:25 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022634-CVE-2022-49304-db99@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.