Date: Wed, 20 Jun 2018 12:56:50 +0300
From: Dan Carpenter
To: Jia-Ju Bai, cocci@systeme.lip6.fr, Julia Lawall
Cc: gregkh@linuxfoundation.org, quytelda@tamalin.org, Larry.Finger@lwfinger.net, harshasharmaiitr@gmail.com, arushisinghal19971997@gmail.com, amitoj1606@gmail.com, jeremy.lefaure@lse.epita.fr, teo.dacquet@gmail.com, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] staging: rtl8723bs: Fix two possible sleep-in-atomic-context bugs in translate_scan()
Message-ID: <20180620095650.fga6xi7fyjgybs76@mwanda>
In-Reply-To: <20180620095016.8484-1-baijiaju1990@gmail.com>

On Wed, Jun 20, 2018 at 05:50:16PM +0800, Jia-Ju Bai wrote:
> The driver may sleep with holding a spinlock.
> The function call paths (from bottom to top) in Linux-4.16.7 are: > > [FUNC] kzalloc(GFP_KERNEL) > drivers/staging/rtl8723bs/os_dep/ioctl_linux.c, 323: > kzalloc in translate_scan > drivers/staging/rtl8723bs/os_dep/ioctl_linux.c, 1554: > translate_scan in rtw_wx_get_scan > drivers/staging/rtl8723bs/os_dep/ioctl_linux.c, 1533: > spin_lock_bh in rtw_wx_get_scan > > [FUNC] kzalloc(GFP_KERNEL) > drivers/staging/rtl8723bs/os_dep/ioctl_linux.c, 455: > kzalloc in translate_scan > drivers/staging/rtl8723bs/os_dep/ioctl_linux.c, 1554: > translate_scan in rtw_wx_get_scan > drivers/staging/rtl8723bs/os_dep/ioctl_linux.c, 1533: > spin_lock_bh in rtw_wx_get_scan > > To fix these bugs, GFP_KERNEL is replaced with GFP_ATOMIC. > > These bugs are found by my static analysis tool (DSAC-2) and checked by > my code review. > > Signed-off-by: Jia-Ju Bai > --- > drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c > index b26533983864..7632b8974563 100644 > --- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c > +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c > @@ -321,7 +321,7 @@ static char *translate_scan(struct adapter *padapter, > RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("rtw_wx_get_scan: ssid =%s\n", pnetwork->network.Ssid.Ssid)); > RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("rtw_wx_get_scan: wpa_len =%d rsn_len =%d\n", wpa_len, rsn_len)); > > - buf = kzalloc(MAX_WPA_IE_LEN*2, GFP_KERNEL); > + buf = kzalloc(MAX_WPA_IE_LEN*2, GFP_ATOMIC); > if (!buf) > return start; Thanks! It occurs to me that another way to detect this bug is that one of the allocations in this function already uses GFP_ATOMIC. It doesn't normally make sense to mix GFP_ATOMIC and GFP_KERNEL when there isn't any locking in the function. regards, dan carpenter
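Review bot: the changed `buf = kzalloc(MAX_WPA_IE_LEN*2, GFP_ATOMIC);` line makes the existing `if (!buf) return start;` path more likely to be taken, because an atomic allocation cannot sleep to reclaim memory. The commit message places the spin_lock_bh in the caller, rtw_wx_get_scan, so consider allocating this buffer there before the lock is taken and passing it into translate_scan; that keeps GFP_KERNEL and removes the allocation from under the lock. The diffstat lists 2 insertions and 2 deletions and the commit message names a second kzalloc at line 455, but only this first hunk is quoted, so the second site cannot be checked from here.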
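The heuristic from the reply above, sketched as an added example (not code from the thread or from any kernel tool): flag functions that use both GFP_ATOMIC and GFP_KERNEL yet take no lock themselves, which suggests the caller holds one. The regexes, the lock-call list and the sample C text are assumptions made for illustration.

```python
import re

# Kernel-style function: signature at column 0, braces alone at column 0.
FUNC_RE = re.compile(
    r'^[^\s#/][^\n;]*?\b(\w+)\s*\([^;{}]*\)\s*\n\{\n(.*?)^\}', re.M | re.S)
GFP_RE = re.compile(r'\b(GFP_ATOMIC|GFP_KERNEL)\b')
# Calls that enter atomic context inside the function itself (not exhaustive).
LOCK_RE = re.compile(r'\b(?:spin_lock\w*|rcu_read_lock\w*|local_bh_disable|'
                     r'local_irq_save|preempt_disable)\s*\(')
COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*', re.S)

def mixed_gfp_functions(source):
    """Functions mixing GFP_ATOMIC and GFP_KERNEL with no lock of their own."""
    findings = []
    for m in FUNC_RE.finditer(source):
        # Blank out comments, keeping offsets so line numbers stay right.
        body = COMMENT_RE.sub(
            lambda c: re.sub(r'[^\n]', ' ', c.group()), m.group(2))
        uses = [(g.group(1), g.start()) for g in GFP_RE.finditer(body)]
        if {flag for flag, _ in uses} != {'GFP_ATOMIC', 'GFP_KERNEL'}:
            continue
        if LOCK_RE.search(body):
            continue  # mixing can be legitimate around a local lock
        lines = [source.count('\n', 0, m.start(2) + off) + 1
                 for flag, off in uses if flag == 'GFP_KERNEL']
        findings.append((m.group(1), lines))
    return findings

# Constructed sample input, not the driver's code.
SAMPLE = """\
static char *scan_like(struct adapter *a, char *start)
{
    u8 *p = kzalloc(64, GFP_ATOMIC);
    /* old note: was GFP_KERNEL */
    u8 *buf = kzalloc(MAX_WPA_IE_LEN * 2, GFP_KERNEL);
    kfree(buf); kfree(p);
    return start;
}

static int locked_helper(struct foo *f)
{
    f->a = kmalloc(8, GFP_KERNEL);
    spin_lock_bh(&f->lock);
    f->b = kmalloc(8, GFP_ATOMIC);
    spin_unlock_bh(&f->lock);
    return 0;
}
"""
print(mixed_gfp_functions(SAMPLE))
```

Each reported line is a GFP_KERNEL call site to review against the function's callers; a hit is a lead for manual checking, not proof of a sleep-in-atomic bug.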