Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
From:   Jia-Ju Bai <baijiaju1990@gmail.com>
Subject: [BUG] xen: Two possible sleep-in-atomic-context bugs in
 bind_evtchn_to_irqhandler()
To:     Boris Ostrovsky <boris.ostrovsky@oracle.com>, jgross@suse.com
Cc:     xen-devel@lists.xenproject.org,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Message-ID: <80315b22-63c1-c8cc-1035-11fa36bee83a@gmail.com>
Date:   Wed, 20 Jun 2018 10:49:28 +0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
 Thunderbird/52.2.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

The driver may sleep with holding a spinlock.
The function call paths (from bottom to top) in Linux-4.16.7 are:

[FUNC] mutex_lock_nested --> can sleep
drivers/xen/events/events_base.c, 839: mutex_lock_nested in 
bind_evtchn_to_irq
drivers/xen/events/events_base.c, 1030: bind_evtchn_to_irq in 
bind_evtchn_to_irqhandler
drivers/xen/pvcalls-front.c, 371: bind_evtchn_to_irqhandler in create_active
drivers/xen/pvcalls-front.c, 417: create_active in pvcalls_front_connect
drivers/xen/pvcalls-front.c, 410: spin_lock in pvcalls_front_connect

[FUNC] request_irq --> can sleep
drivers/xen/events/events_base.c, 1003: request_irq in 
bind_evtchn_to_irqhandler
drivers/xen/pvcalls-front.c, 371: bind_evtchn_to_irqhandler in create_active
drivers/xen/pvcalls-front.c, 417: create_active in pvcalls_front_connect
drivers/xen/pvcalls-front.c, 410: spin_lock in pvcalls_front_connect

These bugs are found by my static analysis tool (DSAC-2) and checked by my
code review.

I do not know how to correctly fix these bugs, so I just report them.
Maybe create_active() should not be called with holding a spinlock.


Best wishes,
Jia-Ju Bai