WSL2-Linux-Kernel/drivers/tty
Fedor Pchelkin 902e02ea93 tty: n_gsm: avoid call of sleeping functions from atomic context
Syzkaller reports the following problem:

BUG: sleeping function called from invalid context at kernel/printk/printk.c:2347
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1105, name: syz-executor423
3 locks held by syz-executor423/1105:
 #0: ffff8881468b9098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x22/0x90 drivers/tty/tty_ldisc.c:266
 #1: ffff8881468b9130 (&tty->atomic_write_lock){+.+.}-{3:3}, at: tty_write_lock drivers/tty/tty_io.c:952 [inline]
 #1: ffff8881468b9130 (&tty->atomic_write_lock){+.+.}-{3:3}, at: do_tty_write drivers/tty/tty_io.c:975 [inline]
 #1: ffff8881468b9130 (&tty->atomic_write_lock){+.+.}-{3:3}, at: file_tty_write.constprop.0+0x2a8/0x8e0 drivers/tty/tty_io.c:1118
 #2: ffff88801b06c398 (&gsm->tx_lock){....}-{2:2}, at: gsmld_write+0x5e/0x150 drivers/tty/n_gsm.c:2717
irq event stamp: 3482
hardirqs last  enabled at (3481): [<ffffffff81d13343>] __get_reqs_available+0x143/0x2f0 fs/aio.c:946
hardirqs last disabled at (3482): [<ffffffff87d39722>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (3482): [<ffffffff87d39722>] _raw_spin_lock_irqsave+0x52/0x60 kernel/locking/spinlock.c:159
softirqs last  enabled at (3408): [<ffffffff87e01002>] asm_call_irq_on_stack+0x12/0x20
softirqs last disabled at (3401): [<ffffffff87e01002>] asm_call_irq_on_stack+0x12/0x20
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 2 PID: 1105 Comm: syz-executor423 Not tainted 5.10.137-syzkaller #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x167 lib/dump_stack.c:118
 ___might_sleep.cold+0x1e8/0x22e kernel/sched/core.c:7304
 console_lock+0x19/0x80 kernel/printk/printk.c:2347
 do_con_write+0x113/0x1de0 drivers/tty/vt/vt.c:2909
 con_write+0x22/0xc0 drivers/tty/vt/vt.c:3296
 gsmld_write+0xd0/0x150 drivers/tty/n_gsm.c:2720
 do_tty_write drivers/tty/tty_io.c:1028 [inline]
 file_tty_write.constprop.0+0x502/0x8e0 drivers/tty/tty_io.c:1118
 call_write_iter include/linux/fs.h:1903 [inline]
 aio_write+0x355/0x7b0 fs/aio.c:1580
 __io_submit_one fs/aio.c:1952 [inline]
 io_submit_one+0xf45/0x1a90 fs/aio.c:1999
 __do_sys_io_submit fs/aio.c:2058 [inline]
 __se_sys_io_submit fs/aio.c:2028 [inline]
 __x64_sys_io_submit+0x18c/0x2f0 fs/aio.c:2028
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xc6

The problem happens in the following control flow:

gsmld_write(...)
spin_lock_irqsave(&gsm->tx_lock, flags) // taken a spinlock on TX data
 con_write(...)
  do_con_write(...)
   console_lock()
    might_sleep() // -> bug

As far as console_lock() might sleep it should not be called with
spinlock held.

The patch replaces tx_lock spinlock with mutex in order to avoid the
problem.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 32dd59f969 ("tty: n_gsm: fix race condition in gsmld_write()")
Cc: stable <stable@kernel.org>
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Link: https://lore.kernel.org/r/20220829131640.69254-3-pchelkin@ispras.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-08-30 14:40:17 +02:00
..
hvc xen: branch for v5.19-rc1b 2022-06-04 13:42:53 -07:00
ipwireless tty: drop put_tty_driver 2021-07-27 12:17:21 +02:00
serdev tty: Replace acpi_bus_get_device() 2022-01-31 14:30:06 +01:00
serial tty: serial: atmel: Preserve previous USART mode if RS485 disabled 2022-08-30 14:33:08 +02:00
vt vt: Clear selection before changing the font 2022-08-30 14:30:52 +02:00
Kconfig tty: add rpmsg driver 2021-10-21 12:35:35 +02:00
Makefile tty: add rpmsg driver 2021-10-21 12:35:35 +02:00
amiserial.c tty: amiserial: Fix comment typo 2022-07-28 16:33:29 +02:00
ehv_bytechan.c tty: drop put_tty_driver 2021-07-27 12:17:21 +02:00
goldfish.c tty: goldfish: Fix free_irq() on remove 2022-06-10 13:31:31 +02:00
mips_ejtag_fdc.c serial: Convert SERIAL_XMIT_SIZE to UART_XMIT_SIZE 2022-06-27 14:41:31 +02:00
moxa.c tty: drivers/tty/, stop using tty_schedule_flip() 2021-11-25 18:35:23 +01:00
mxser.c tty: remove BOTHER ifdefs 2022-05-19 18:26:17 +02:00
n_gsm.c tty: n_gsm: avoid call of sleeping functions from atomic context 2022-08-30 14:40:17 +02:00
n_hdlc.c Linux 5.16-rc6 2021-12-20 10:00:30 +01:00
n_null.c tty: make tty_ldisc_ops a param in tty_unregister_ldisc 2021-05-13 16:57:16 +02:00
n_tty.c tty: Use flow-control char function on closing path 2022-06-10 13:51:31 +02:00
nozomi.c tty: drop put_tty_driver 2021-07-27 12:17:21 +02:00
pty.c tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() 2022-07-08 15:16:28 +02:00
rpmsg_tty.c tty: rpmsg: Fix race condition releasing tty port 2022-01-26 14:50:26 +01:00
synclink_gt.c tty: synclink_gt: Fix null-pointer-dereference in slgt_clean() 2022-04-14 18:26:30 +02:00
sysrq.c Merge branch 'rework/kthreads' into for-linus 2022-06-23 19:11:28 +02:00
tty.h tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() 2022-07-08 15:16:28 +02:00
tty_audit.c tty: audit: move some local functions out of tty.h 2021-04-15 10:24:58 +02:00
tty_baudrate.c tty: remove IBSHIFT ifdefs 2022-05-19 18:26:17 +02:00
tty_buffer.c tty: Fix lookahead_buf crash with serdev 2022-08-30 14:31:53 +02:00
tty_io.c tty: fix typos in comments 2022-06-10 13:32:52 +02:00
tty_ioctl.c serial: Support for RS-485 multipoint addresses 2022-06-27 14:44:20 +02:00
tty_jobctrl.c signal: Replace __group_send_sig_info with send_signal_locked 2022-05-11 14:33:17 -05:00
tty_ldisc.c tty: reformat kernel-doc in tty_ldisc.c 2021-11-26 16:27:43 +01:00
tty_ldsem.c tty/ldsem: Fix syntax errors in comments 2021-12-21 09:15:49 +01:00
tty_mutex.c tty: move some internal tty lock enums and functions out of tty.h 2021-04-15 10:26:58 +02:00
tty_port.c tty: Implement lookahead to process XON/XOFF timely 2022-06-10 13:51:31 +02:00
ttynull.c tty: drop put_tty_driver 2021-07-27 12:17:21 +02:00
vcc.c tty: drop put_tty_driver 2021-07-27 12:17:21 +02:00