{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T01:15:13.647","vulnerabilities":[{"cve":{"id":"CVE-2022-50116","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-06-18T11:15:41.257","lastModified":"2025-11-18T18:13:48.470","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: fix deadlock and link starvation in outgoing data path\n\nThe current implementation queues up new control and user packets as needed\nand processes this queue down to the ldisc in the same code path.\nThat means that the upper and the lower layer are hard coupled in the code.\nDue to this deadlocks can happen as seen below while transmitting data,\nespecially during ldisc congestion. Furthermore, the data channels starve\nthe control channel on high transmission load on the ldisc.\n\nIntroduce an additional control channel data queue to prevent timeouts and\nlink hangups during ldisc congestion. This is being processed before the\nuser channel data queue in gsm_data_kick(), i.e. with the highest priority.\nPut the queue to ldisc data path into a workqueue and trigger it whenever\nnew data has been put into the transmission queue. Change\ngsm_dlci_data_sweep() accordingly to fill up the transmission queue until\nTX_THRESH_HI. This solves the locking issue, keeps latency low and provides\ngood performance on high data load.\nNote that now all packets from a DLCI are removed from the internal queue\nif the associated DLCI was closed. This ensures that no data is sent by the\nintroduced write task to an already closed DLCI.\n\nBUG: spinlock recursion on CPU#0, test_v24_loop/124\n lock: serial8250_ports+0x3a8/0x7500, .magic: dead4ead, .owner: test_v24_loop/124, .owner_cpu: 0\nCPU: 0 PID: 124 Comm: test_v24_loop Tainted: G           O      5.18.0-rc2 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x34/0x44\n do_raw_spin_lock+0x76/0xa0\n _raw_spin_lock_irqsave+0x72/0x80\n uart_write_room+0x3b/0xc0\n gsm_data_kick+0x14b/0x240 [n_gsm]\n gsmld_write_wakeup+0x35/0x70 [n_gsm]\n tty_wakeup+0x53/0x60\n tty_port_default_wakeup+0x1b/0x30\n serial8250_tx_chars+0x12f/0x220\n serial8250_handle_irq.part.0+0xfe/0x150\n serial8250_default_handle_irq+0x48/0x80\n serial8250_interrupt+0x56/0xa0\n __handle_irq_event_percpu+0x78/0x1f0\n handle_irq_event+0x34/0x70\n handle_fasteoi_irq+0x90/0x1e0\n __common_interrupt+0x69/0x100\n common_interrupt+0x48/0xc0\n asm_common_interrupt+0x1e/0x40\nRIP: 0010:__do_softirq+0x83/0x34e\nCode: 2a 0a ff 0f b7 ed c7 44 24 10 0a 00 00 00 48 c7 c7 51 2a 64 82 e8 2d\ne2 d5 ff 65 66 c7 05 83 af 1e 7e 00 00 fb b8 ff ff ff ff <49> c7 c2 40 61\n80 82 0f bc c5 41 89 c4 41 83 c4 01 0f 84 e6 00 00\nRSP: 0018:ffffc90000003f98 EFLAGS: 00000286\nRAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff82642a51 RDI: ffffffff825bb5e7\nRBP: 0000000000000200 R08: 00000008de3271a8 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000030 R14: 0000000000000000 R15: 0000000000000000\n ? __do_softirq+0x73/0x34e\n irq_exit_rcu+0xb5/0x100\n common_interrupt+0xa4/0xc0\n </IRQ>\n <TASK>\n asm_common_interrupt+0x1e/0x40\nRIP: 0010:_raw_spin_unlock_irqrestore+0x2e/0x50\nCode: 00 55 48 89 fd 48 83 c7 18 53 48 89 f3 48 8b 74 24 10 e8 85 28 36 ff\n48 89 ef e8 cd 58 36 ff 80 e7 02 74 01 fb bf 01 00 00 00 <e8> 3d 97 33 ff\n65 8b 05 96 23 2b 7e 85 c0 74 03 5b 5d c3 0f 1f 44\nRSP: 0018:ffffc9000020fd08 EFLAGS: 00000202\nRAX: 0000000000000000 RBX: 0000000000000246 RCX: 0000000000000000\nRDX: 0000000000000004 RSI: ffffffff8257fd74 RDI: 0000000000000001\nRBP: ffff8880057de3a0 R08: 00000008de233000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000100 R14: 0000000000000202 R15: ffff8880057df0b8\n ? _raw_spin_unlock_irqrestore+0x23/0x50\n gsmtty_write+0x65/0x80 [n_gsm]\n n_tty_write+0x33f/0x530\n ? swake_up_all+0xe0/0xe0\n file_tty_write.constprop.0+0x1b1/0x320\n ? n_tty_flush_buffer+0xb0/0xb0\n new_sync_write+0x10c/0x190\n vfs_write+0x282/0x310\n ksys_write+0x68/0xe0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f3e5e35c15c\nCode: 8b 7c 24 08 89 c5 e8 c5 ff ff ff 89 ef 89 44 24\n---truncated---"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tty: n_gsm: corrige el bloqueo y la inanición del enlace en la ruta de datos de salida La implementación actual pone en cola nuevos paquetes de control y de usuario según sea necesario y procesa esta cola hasta el ldisc en la misma ruta de código. Eso significa que las capas superior e inferior están acopladas rígidamente en el código. Debido a esto, pueden ocurrir bloqueos como se ve a continuación mientras se transmiten datos, especialmente durante la congestión del ldisc. Además, los canales de datos privan al canal de control en una carga de transmisión alta en el ldisc. Introduzca una cola de datos de canal de control adicional para evitar tiempos de espera y cuelgues de enlace durante la congestión del ldisc. Esto se procesa antes que la cola de datos del canal de usuario en gsm_data_kick(), es decir, con la máxima prioridad. Coloque la cola a la ruta de datos del ldisc en una cola de trabajo y actívela siempre que se hayan incluido nuevos datos en la cola de transmisión. Modifique gsm_dlci_data_sweep() según corresponda para llenar la cola de transmisión hasta TX_THRESH_HI. Esto soluciona el problema de bloqueo, mantiene baja la latencia y proporciona un buen rendimiento con una carga de datos alta. Tenga en cuenta que ahora todos los paquetes de un DLCI se eliminan de la cola interna si el DLCI asociado estaba cerrado. Esto garantiza que la tarea de escritura introducida no envíe datos a un DLCI ya cerrado. ERROR: recursión de spinlock en CPU#0, test_v24_loop/124 bloqueo: serial8250_ports+0x3a8/0x7500, .magic: dead4ead, .owner: test_v24_loop/124, .owner_cpu: 0 CPU: 0 PID: 124 Comm: test_v24_loop Contaminado: GO 5.18.0-rc2 #3 Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 01/04/2014 Rastreo de llamadas:   dump_stack_lvl+0x34/0x44 do_raw_spin_lock+0x76/0xa0 _raw_spin_lock_irqsave+0x72/0x80 uart_write_room+0x3b/0xc0 gsm_data_kick+0x14b/0x240 [n_gsm] gsmld_write_wakeup+0x35/0x70 [n_gsm] tty_wakeup+0x53/0x60 tty_port_default_wakeup+0x1b/0x30 serial8250_tx_chars+0x12f/0x220 serial8250_handle_irq.part.0+0xfe/0x150 serial8250_default_handle_irq+0x48/0x80 serial8250_interrupt+0x56/0xa0 __handle_irq_event_percpu+0x78/0x1f0 handle_irq_event+0x34/0x70 handle_fasteoi_irq+0x90/0x1e0 __common_interrupt+0x69/0x100 common_interrupt+0x48/0xc0 asm_common_interrupt+0x1e/0x40 RIP: 0010:__do_softirq+0x83/0x34e Code: 2a 0a ff 0f b7 ed c7 44 24 10 0a 00 00 00 48 c7 c7 51 2a 64 82 e8 2d e2 d5 ff 65 66 c7 05 83 af 1e 7e 00 00 fb b8 ff ff ff ff &lt;49&gt; c7 c2 40 61 80 82 0f bc c5 41 89 c4 41 83 c4 01 0f 84 e6 00 00 RSP: 0018:ffffc90000003f98 EFLAGS: 00000286 RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff82642a51 RDI: ffffffff825bb5e7 RBP: 0000000000000200 R08: 00000008de3271a8 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000030 R14: 0000000000000000 R15: 0000000000000000 ? __do_softirq+0x73/0x34e irq_exit_rcu+0xb5/0x100 common_interrupt+0xa4/0xc0   asm_common_interrupt+0x1e/0x40 RIP: 0010:_raw_spin_unlock_irqrestore+0x2e/0x50 Code: 00 55 48 89 fd 48 83 c7 18 53 48 89 f3 48 8b 74 24 10 e8 85 28 36 ff 48 89 ef e8 cd 58 36 ff 80 e7 02 74 01 fb bf 01 00 00 00  3d 97 33 ff 65 8b 05 96 23 2b 7e 85 c0 74 03 5b 5d c3 0f 1f 44 RSP: 0018:ffffc9000020fd08 EFLAGS: 00000202 RAX: 0000000000000000 RBX: 0000000000000246 RCX: 0000000000000000 RDX: 0000000000000004 RSI: ffffffff8257fd74 RDI: 0000000000000001 RBP: ffff8880057de3a0 R08: 00000008de233000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000100 R14: 0000000000000202 R15: ffff8880057df0b8 ? _raw_spin_unlock_irqrestore+0x23/0x50 gsmtty_write+0x65/0x80 [n_gsm] n_tty_write+0x33f/0x530 ? swake_up_all+0xe0/0xe0 file_tty_write.constprop.0+0x1b1/0x320 ? n_tty_flush_buffer+0xb0/0xb0 new_sync_write+0x10c/0x190 vfs_write+0x282/0x310 ksys_write+0x68/0xe0 do_syscall_64+0x3b/0x90 entry_SYSCALL ---truncado---"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-667"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35","versionEndExcluding":"5.18.18","matchCriteriaId":"D85A2140-5A58-48E8-BB38-4918B0EB5E8A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"5.19.2","matchCriteriaId":"A1A2A5A5-4598-4D7E-BA07-4660398D6C8F"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0af021678d5d30c31f5a6b631f404ead3575212a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7962a4b900099cf90e02859bb297f2c618d8d940","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c165698c9919b000bdbe73859d3bb7b33bdb9223","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}