CVE-2022-49441

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tty: fix deadlock caused by calling printk() under tty_port-&gt;lock<br /> <br /> pty_write() invokes kmalloc() which may invoke a normal printk() to print<br /> failure message. This can cause a deadlock in the scenario reported by<br /> syz-bot below:<br /> <br /> CPU0 CPU1 CPU2<br /> ---- ---- ----<br /> lock(console_owner);<br /> lock(&amp;port_lock_key);<br /> lock(&amp;port-&gt;lock);<br /> lock(&amp;port_lock_key);<br /> lock(&amp;port-&gt;lock);<br /> lock(console_owner);<br /> <br /> As commit dbdda842fe96 ("printk: Add console owner and waiter logic to<br /> load balance console writes") said, such deadlock can be prevented by<br /> using printk_deferred() in kmalloc() (which is invoked in the section<br /> guarded by the port-&gt;lock). But there are too many printk() on the<br /> kmalloc() path, and kmalloc() can be called from anywhere, so changing<br /> printk() to printk_deferred() is too complicated and inelegant.<br /> <br /> Therefore, this patch chooses to specify __GFP_NOWARN to kmalloc(), so<br /> that printk() will not be called, and this deadlock problem can be<br /> avoided.<br /> <br /> Syzbot reported the following lockdep error:<br /> <br /> ======================================================<br /> WARNING: possible circular locking dependency detected<br /> 5.4.143-00237-g08ccc19a-dirty #10 Not tainted<br /> ------------------------------------------------------<br /> syz-executor.4/29420 is trying to acquire lock:<br /> ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: console_trylock_spinning kernel/printk/printk.c:1752 [inline]<br /> ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: vprintk_emit+0x2ca/0x470 kernel/printk/printk.c:2023<br /> <br /> but task is already holding lock:<br /> ffff8880119c9158 (&amp;port-&gt;lock){-.-.}-{2:2}, at: pty_write+0xf4/0x1f0 drivers/tty/pty.c:120<br /> <br /> which lock already depends on the new lock.<br /> <br /> the existing dependency chain (in reverse order) is:<br /> <br /> -&gt; #2 (&amp;port-&gt;lock){-.-.}-{2:2}:<br /> __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]<br /> _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159<br /> tty_port_tty_get drivers/tty/tty_port.c:288 [inline] lock);<br /> tty_port_default_wakeup+0x1d/0xb0 drivers/tty/tty_port.c:47<br /> serial8250_tx_chars+0x530/0xa80 drivers/tty/serial/8250/8250_port.c:1767<br /> serial8250_handle_irq.part.0+0x31f/0x3d0 drivers/tty/serial/8250/8250_port.c:1854<br /> serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1827 [inline] #1 (&amp;port_lock_key){-.-.}-{2:2}:<br /> __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]<br /> _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159<br /> serial8250_console_write+0x184/0xa40 drivers/tty/serial/8250/8250_port.c:3198<br />