From: bai
Subject: [BUG] net: xfrm: Two possible sleep-in-atomic-context bugs
To: steffen.klassert@secunet.com, herbert@gondor.apana.org.au, davem@davemloft.net
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Fri, 10 Aug 2018 10:02:42 +0800

The code may sleep in an interrupt handler.
xfrm_trans_reinject() is an interrupt handler set in tasklet_init().

The function call paths (from bottom to top) in Linux-4.16 are:

[FUNC] schedule_timeout
net/core/sock.c, 2044: schedule_timeout in sock_wait_for_wmem
net/core/sock.c, 2083: sock_wait_for_wmem in sock_alloc_send_pskb
net/core/sock.c, 2102: sock_alloc_send_pskb in sock_alloc_send_skb
net/ipv6/mcast.c, 1989: sock_alloc_send_skb in igmp6_send
net/ipv6/mcast.c, 2391: igmp6_send in igmp6_join_group
net/ipv6/mcast.c, 670: igmp6_join_group in igmp6_group_added
net/ipv6/mcast.c, 914: igmp6_group_added in ipv6_dev_mc_inc
net/ipv6/ndisc.c, 379: ipv6_dev_mc_inc in pndisc_constructor
net/core/neighbour.c, 640: [FUNC_PTR]pndisc_constructor in pneigh_lookup
net/ipv6/ip6_output.c, 483: pneigh_lookup in ip6_forward
./include/net/dst.h, 449: [FUNC_PTR]ip6_forward in dst_input
net/ipv6/ip6_input.c, 71: dst_input in ip6_rcv_finish
net/xfrm/xfrm_input.c, 511: [FUNC_PTR]ip6_rcv_finish in xfrm_trans_reinject

[FUNC] kmalloc(GFP_KERNEL)
net/core/neighbour.c, 630: kmalloc in pneigh_lookup
net/ipv6/ip6_output.c, 483: pneigh_lookup in ip6_forward
./include/net/dst.h, 449: [FUNC_PTR]ip6_forward in dst_input
net/ipv6/ip6_input.c, 71: dst_input in ip6_rcv_finish
net/xfrm/xfrm_input.c, 511: [FUNC_PTR]ip6_rcv_finish in xfrm_trans_reinject

Note that [FUNC_PTR] means a function pointer call is used.

I do not find a good way to fix them, so I only report.
These possible bugs are found by my static analysis tool (DSAC) and checked by my code review.

Best wishes,
Jia-Ju Bai
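
Added example (not part of the original message, and not the DSAC tool it mentions): a small C program that walks the caller-to-callee edges listed in the two call paths above, starting from xfrm_trans_reinject(), and reports every path that ends in one of the two calls the report flags as able to sleep. The helper names walk(), may_sleep() and count_sleep_paths() are hypothetical; the edge table is transcribed from the report.

```c
/* Added example, not DSAC. Edges (caller -> callee) transcribed from the report. */
#include <stdio.h>
#include <string.h>
#define MAXDEPTH 32 /* larger than the number of distinct functions in edges[] */

struct edge { const char *caller, *callee; };
static const struct edge edges[] = {
    {"xfrm_trans_reinject", "ip6_rcv_finish"}, {"ip6_rcv_finish", "dst_input"},
    {"dst_input", "ip6_forward"}, {"ip6_forward", "pneigh_lookup"},
    {"pneigh_lookup", "kmalloc(GFP_KERNEL)"}, {"pneigh_lookup", "pndisc_constructor"},
    {"pndisc_constructor", "ipv6_dev_mc_inc"}, {"ipv6_dev_mc_inc", "igmp6_group_added"},
    {"igmp6_group_added", "igmp6_join_group"}, {"igmp6_join_group", "igmp6_send"},
    {"igmp6_send", "sock_alloc_send_skb"}, {"sock_alloc_send_skb", "sock_alloc_send_pskb"},
    {"sock_alloc_send_pskb", "sock_wait_for_wmem"}, {"sock_wait_for_wmem", "schedule_timeout"},
};

/* The two calls the report flags as able to sleep. */
static int may_sleep(const char *fn)
{
    return !strcmp(fn, "schedule_timeout") || !strcmp(fn, "kmalloc(GFP_KERNEL)");
}

/* Depth-first walk; prints and counts each path ending in a sleeping call. */
static int walk(const char *fn, const char **stack, int depth)
{
    int found = 0;
    for (int i = 0; i < depth; i++)   /* do not follow recursive cycles */
        if (!strcmp(stack[i], fn))
            return 0;
    stack[depth++] = fn;
    if (may_sleep(fn)) {
        for (int i = 0; i < depth; i++)
            printf("%s%s", i ? " -> " : "", stack[i]);
        putchar('\n');
        return 1;
    }
    for (size_t i = 0; i < sizeof(edges) / sizeof(edges[0]); i++)
        if (!strcmp(edges[i].caller, fn))
            found += walk(edges[i].callee, stack, depth);
    return found;
}

/* Paths from a handler that runs in atomic context to a sleeping call. */
int count_sleep_paths(const char *entry)
{
    const char *stack[MAXDEPTH];
    return walk(entry, stack, 0);
}

int main(void) { printf("%d path(s)\n", count_sleep_paths("xfrm_trans_reinject")); return 0; }
```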