CVE-2022-49441

Source
https://cve.org/CVERecord?id=CVE-2022-49441
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49441.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49441
Published
2025-02-26T02:12:54.649Z
Modified
2026-03-12T03:25:11.829798Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
tty: fix deadlock caused by calling printk() under tty_port->lock
Details

In the Linux kernel, the following vulnerability has been resolved:

tty: fix deadlock caused by calling printk() under tty_port->lock

pty_write() invokes kmalloc() which may invoke a normal printk() to print failure message. This can cause a deadlock in the scenario reported by syz-bot below:

   CPU0              CPU1                    CPU2
   ----              ----                    ----
                     lock(console_owner);
                                             lock(&port_lock_key);
   lock(&port->lock);
                     lock(&port_lock_key);
                                             lock(&port->lock);
   lock(console_owner);

As commit dbdda842fe96 ("printk: Add console owner and waiter logic to load balance console writes") said, such deadlock can be prevented by using printk_deferred() in kmalloc() (which is invoked in the section guarded by the port->lock). But there are too many printk() on the kmalloc() path, and kmalloc() can be called from anywhere, so changing printk() to printk_deferred() is too complicated and inelegant.

Therefore, this patch chooses to specify __GFP_NOWARN to kmalloc(), so that printk() will not be called, and this deadlock problem can be avoided.

Syzbot reported the following lockdep error:

======================================================
WARNING: possible circular locking dependency detected

5.4.143-00237-g08ccc19a-dirty #10 Not tainted

syz-executor.4/29420 is trying to acquire lock:
ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: console_trylock_spinning kernel/printk/printk.c:1752 [inline]
ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: vprintk_emit+0x2ca/0x470 kernel/printk/printk.c:2023

but task is already holding lock:
ffff8880119c9158 (&port->lock){-.-.}-{2:2}, at: pty_write+0xf4/0x1f0 drivers/tty/pty.c:120

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&port->lock){-.-.}-{2:2}:
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159
       tty_port_tty_get drivers/tty/tty_port.c:288 [inline] <-- lock(&port->lock);
       tty_port_default_wakeup+0x1d/0xb0 drivers/tty/tty_port.c:47
       serial8250_tx_chars+0x530/0xa80 drivers/tty/serial/8250/8250_port.c:1767
       serial8250_handle_irq.part.0+0x31f/0x3d0 drivers/tty/serial/8250/8250_port.c:1854
       serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1827 [inline] <-- lock(&port_lock_key);
       serial8250_default_handle_irq+0xb2/0x220 drivers/tty/serial/8250/8250_port.c:1870
       serial8250_interrupt+0xfd/0x200 drivers/tty/serial/8250/8250_core.c:126
       __handle_irq_event_percpu+0x109/0xa50 kernel/irq/handle.c:156
       [...]

-> #1 (&port_lock_key){-.-.}-{2:2}:
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159
       serial8250_console_write+0x184/0xa40 drivers/tty/serial/8250/8250_port.c:3198 <-- lock(&port_lock_key);
       call_console_drivers kernel/printk/printk.c:1819 [inline]
       console_unlock+0x8cb/0xd00 kernel/printk/printk.c:2504
       vprintk_emit+0x1b5/0x470 kernel/printk/printk.c:2024 <-- lock(console_owner);
       vprintk_func+0x8d/0x250 kernel/printk/printk_safe.c:394
       printk+0xba/0xed kernel/printk/printk.c:2084
       register_console+0x8b3/0xc10 kernel/printk/printk.c:2829
       univ8250_console_init+0x3a/0x46 drivers/tty/serial/8250/8250_core.c:681
       console_init+0x49d/0x6d3 kernel/printk/printk.c:2915
       start_kernel+0x5e9/0x879 init/main.c:713
       secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head64.S:241

-> #0 (console_owner){....}-{0:0}:
       [...]
       lock_acquire+0x127/0x340 kernel/locking/lockdep.c:4734
       console_trylock_spinning kernel/printk/printk.c:1773
---truncated---
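The three chains in the lockdep report above form a lock-order graph with a cycle: port->lock is held while printk() takes console_owner (#0), console_owner is held while the 8250 console write takes port_lock_key (#1), and port_lock_key is held while the 8250 IRQ path takes port->lock (#2). The following is an added userspace model of that graph, written for this page; it is not kernel code and not part of the CVE record. It encodes each chain as a directed edge and runs the same kind of reachability check lockdep does. The fix is modeled, as the commit message describes it, as removing only the port->lock -> console_owner edge (kmalloc() with __GFP_NOWARN no longer calls printk()). The lock names and the struct lock_graph / build_tty_graph helpers are this example's own.

```c
/*
 * Added example (not kernel code): a userspace model of the lock-order
 * graph lockdep built for CVE-2022-49441. A directed edge A -> B means
 * "B was acquired while A was held". A cycle in that graph is what lockdep
 * reports as a "possible circular locking dependency".
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum lock_id { PORT_LOCK, CONSOLE_OWNER, PORT_LOCK_KEY, NLOCKS };

static const char *lock_name[NLOCKS] = {
	"&port->lock", "console_owner", "&port_lock_key",
};

/* adjacency matrix: dep[a][b] == true means b is taken while holding a */
struct lock_graph {
	bool dep[NLOCKS][NLOCKS];
};

/* Record that 'inner' is acquired while 'outer' is held. */
static void add_dependency(struct lock_graph *g, enum lock_id outer,
			   enum lock_id inner)
{
	g->dep[outer][inner] = true;
}

/* Depth-first walk from 'cur' looking for a path back to 'target'. */
static bool reaches(const struct lock_graph *g, enum lock_id cur,
		    enum lock_id target, bool visited[NLOCKS])
{
	if (visited[cur])
		return false;
	visited[cur] = true;
	for (int next = 0; next < NLOCKS; next++) {
		if (!g->dep[cur][next])
			continue;
		if (next == target || reaches(g, next, target, visited))
			return true;
	}
	return false;
}

/* True if some lock can be reached from itself, i.e. a lock-order cycle. */
static bool has_circular_dependency(const struct lock_graph *g)
{
	for (int l = 0; l < NLOCKS; l++) {
		bool visited[NLOCKS] = { false };
		if (reaches(g, l, l, visited))
			return true;
	}
	return false;
}

/*
 * Build the graph from the three chains in the lockdep report.
 * printk_under_port_lock == true models the pre-fix kernel, where kmalloc()
 * called under port->lock may printk() and so take console_owner.
 * false models the fix (__GFP_NOWARN), which removes that one edge only.
 */
static struct lock_graph build_tty_graph(bool printk_under_port_lock)
{
	struct lock_graph g;
	memset(&g, 0, sizeof(g));

	/* #1: console write: console_owner held, then port_lock_key */
	add_dependency(&g, CONSOLE_OWNER, PORT_LOCK_KEY);
	/* #2: 8250 IRQ path: port_lock_key held, then port->lock */
	add_dependency(&g, PORT_LOCK_KEY, PORT_LOCK);
	/* #0: pty_write(): port->lock held, then kmalloc() -> printk() */
	if (printk_under_port_lock)
		add_dependency(&g, PORT_LOCK, CONSOLE_OWNER);
	return g;
}

static bool deadlock_possible_before_fix(void)
{
	struct lock_graph g = build_tty_graph(true);
	return has_circular_dependency(&g);
}

static bool deadlock_possible_after_fix(void)
{
	struct lock_graph g = build_tty_graph(false);
	return has_circular_dependency(&g);
}

static void print_edges(const struct lock_graph *g)
{
	for (int a = 0; a < NLOCKS; a++)
		for (int b = 0; b < NLOCKS; b++)
			if (g->dep[a][b])
				printf("  %s -> %s\n", lock_name[a], lock_name[b]);
}

int main(void)
{
	struct lock_graph before = build_tty_graph(true);
	struct lock_graph after = build_tty_graph(false);

	printf("before fix (cycle=%d):\n", deadlock_possible_before_fix());
	print_edges(&before);
	printf("after fix (cycle=%d):\n", deadlock_possible_after_fix());
	print_edges(&after);
	return 0;
}
```

The point the model makes is that the fix does not change the lock order of the console or IRQ paths at all; it only guarantees the allocation under port->lock never reaches printk(), which is the single edge that closes the cycle. Any other allocation or logging introduced under tty_port->lock would reintroduce it.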

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49441.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d83904cb2eb2c4d937eaf15032214b0578f25099
Fixed
4af21b12a60ed2d3642284f4f85b42d7dc6ac246
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
deb1feaad03a78b545c949e54582ae57b3c56982
Fixed
4c253caf9264d2aa47ee806a87986dd8eb91a5d9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b6da31b2c07c46f2dcad1d86caa835227a16d9ff
Fixed
04ee31678c128a6cc7bb057ea189a8624ba5a314
Fixed
3219ac364ac3d8d30771612a6010f1e0b7fa0a28
Fixed
9834b13e8b962caa28fbcf1f422dd82413da4ede
Fixed
18ca0d55e8639b911df8aae1b47598b13f9acded
Fixed
b3c974501d0c32258ae0e04e5cc3fb92383b40f6
Fixed
0bcf44903ef4df742dcada86ccaedd25374ffb50
Fixed
6b9dbedbe3499fef862c4dff5217cf91f34e43b3
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
6d9cd12792270773fab9e5a129daff328d61ef9e
Last affected
6dbfa9b5ae65063cd61dc7fa11332e00bb794d8b
Last affected
60c4e8db32815474bfaeabe888ebb14e698caea1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49441.json"