CVE-2022-49371: 
Linux Kernel vulnerability analysis and mitigation

In the Linux kernel, a deadlock vulnerability was discovered in the device_attach function. The issue occurs when async probes are allowed but fail due to out of memory conditions or work limits, causing a deadlock because deviceattachasync_helper attempts to acquire a lock that is already held (Kernel Git).

The vulnerability exists in the lock holding logic of deviceattach function. When async probes are allowed, the function holds devicelock(dev) while calling asyncscheduledev(deviceattachasynchelper, dev). If the async scheduling fails due to memory allocation failure or exceeding work limits, it executes the function synchronously while still holding the lock. Since _deviceattachasync_helper also attempts to acquire the same lock, this leads to an A-A deadlock condition (Kernel Git).

The vulnerability can cause system deadlocks when device probing occurs under memory pressure or high workload conditions. This could potentially affect system stability and availability, particularly during device initialization or hot-plug events (NVD).

The issue has been fixed by moving the asyncscheduledev call outside the devicelock. This is safe because the systemunboundwq used in asyncschedulenodedomain can handle concurrent operations. The fix was implemented in the Linux kernel through a patch that modifies the lock handling sequence (Kernel Git).