Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752556AbdLMJpu (ORCPT <rfc822;w@1wt.eu>);
        Wed, 13 Dec 2017 04:45:50 -0500
Received: from mail-io0-f196.google.com ([209.85.223.196]:45706 "EHLO
        mail-io0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752434AbdLMJpo (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 13 Dec 2017 04:45:44 -0500
X-Google-Smtp-Source: ACJfBou7oOv2xHl34RLR6FuMkgipy2K+U8uS2oCMBC5Kb3LQ4xUY5aE2IQlfg3/FotSTZh2UQu8ISQ==
From: Jia-Ju Bai <baijiaju1990@gmail.com>
To: perex@perex.cz, floeff@mathematik.uni-stuttgart.de,
        acme@conectiva.com.br
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        Jia-Ju Bai <baijiaju1990@gmail.com>
Subject: [PATCH 2/2] hp100: Fix a possible sleep-in-atomic bug in hp100_down_vg_link
Date: Wed, 13 Dec 2017 17:48:01 +0800
Message-Id: <1513158481-14420-1-git-send-email-baijiaju1990@gmail.com>
X-Mailer: git-send-email 1.7.9.5
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2270
Lines: 72

The driver may sleep under a spinlock.
The function call path is:
hp100_set_multicast_list (acquire the spinlock)
  hp100_login_to_vg_hub
    hp100_down_vg_link
      schedule_timeout_interruptible --> may sleep

To fix it, schedule_timeout_interruptible is replaced with udelay.

This bug is found by my static analysis tool(DSAC) and checked by my code review.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
 drivers/net/ethernet/hp/hp100.c |   15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/drivers/net/ethernet/hp/hp100.c b/drivers/net/ethernet/hp/hp100.c
index c8c7ad2..e0e6376 100644
--- a/drivers/net/ethernet/hp/hp100.c
+++ b/drivers/net/ethernet/hp/hp100.c
@@ -2504,8 +2504,7 @@ static int hp100_down_vg_link(struct net_device *dev)
 	do {
 		if (hp100_inb(VG_LAN_CFG_1) & HP100_LINK_CABLE_ST)
 			break;
-		if (!in_interrupt())
-			schedule_timeout_interruptible(1);
+		udelay(10);
 	} while (time_after(time, jiffies));
 
 	if (time_after_eq(jiffies, time))	/* no signal->no logout */
@@ -2521,8 +2520,7 @@ static int hp100_down_vg_link(struct net_device *dev)
 	do {
 		if (!(hp100_inb(VG_LAN_CFG_1) & HP100_LINK_UP_ST))
 			break;
-		if (!in_interrupt())
-			schedule_timeout_interruptible(1);
+		udelay(10);
 	} while (time_after(time, jiffies));
 
 #ifdef HP100_DEBUG
@@ -2560,8 +2558,7 @@ static int hp100_down_vg_link(struct net_device *dev)
 		do {
 			if (!(hp100_inb(MAC_CFG_4) & HP100_MAC_SEL_ST))
 				break;
-			if (!in_interrupt())
-				schedule_timeout_interruptible(1);
+			udelay(10);
 		} while (time_after(time, jiffies));
 
 		hp100_orb(HP100_AUTO_MODE, MAC_CFG_3);	/* Autosel back on */
@@ -2572,8 +2569,7 @@ static int hp100_down_vg_link(struct net_device *dev)
 	do {
 		if ((hp100_inb(VG_LAN_CFG_1) & HP100_LINK_CABLE_ST) == 0)
 			break;
-		if (!in_interrupt())
-			schedule_timeout_interruptible(1);
+		udelay(10);
 	} while (time_after(time, jiffies));
 
 	if (time_before_eq(time, jiffies)) {
@@ -2585,8 +2581,7 @@ static int hp100_down_vg_link(struct net_device *dev)
 
 	time = jiffies + (2 * HZ);	/* This seems to take a while.... */
 	do {
-		if (!in_interrupt())
-			schedule_timeout_interruptible(1);
+		udelay(10);
 	} while (time_after(time, jiffies));
 
 	return 0;
-- 
1.7.9.5