From: Jia-Ju Bai
To: peterz@infradead.org, mingo@redhat.com, will.deacon@arm.com
Cc: linux-kernel@vger.kernel.org, Jia-Ju Bai
Subject: [PATCH] kernel: locking: rtmutex: Fix a possible sleep-in-atomic-context bug in rt_mutex_handle_deadlock()
Date: Sat, 11 Aug 2018 10:35:24 +0800
Message-Id: <20180811023524.13845-1-baijiaju1990@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The driver may sleep while holding a spinlock.
The function call paths (from bottom to top) in Linux-4.16 are:

[FUNC] schedule
kernel/locking/rtmutex.c, 1223: schedule in rt_mutex_handle_deadlock
kernel/locking/rtmutex.c, 1273: rt_mutex_handle_deadlock in rt_mutex_slowlock
kernel/locking/rtmutex.c, 1249: _raw_spin_lock_irqsave in rt_mutex_slowlock

To fix the bug, the spinlock is released before schedule() and then acquired again.

This is found by my static analysis tool (DSAC).

Signed-off-by: Jia-Ju Bai
--- kernel/locking/rtmutex.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c index 2823d4163a37..af03e162f812 100644 --- a/kernel/locking/rtmutex.c +++ b/kernel/locking/rtmutex.c
@@ -1205,7 +1205,7 @@ __rt_mutex_slowlock(struct rt_mutex *lock, int state, } static void rt_mutex_handle_deadlock(int res, int detect_deadlock, - struct rt_mutex_waiter *w) + struct rt_mutex_waiter *w, struct rt_mutex *lock) { /* * If the result is not -EDEADLOCK or the caller requested @@ -1219,8 +1219,10 @@ static void rt_mutex_handle_deadlock(int res, int detect_deadlock, */ rt_mutex_print_deadlock(w); while (1) { + raw_spin_unlock_irq(&lock->wait_lock); set_current_state(TASK_INTERRUPTIBLE); schedule(); + raw_spin_lock_irq(&lock->wait_lock); } } @@ -1269,7 +1271,7 @@ rt_mutex_slowlock(struct rt_mutex *lock, int state, if (unlikely(ret)) { __set_current_state(TASK_RUNNING); remove_waiter(lock, &waiter); - rt_mutex_handle_deadlock(ret, chwalk, &waiter); + rt_mutex_handle_deadlock(ret, chwalk, &waiter, lock); } /* -- 2.17.0
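
Review bot: In the first hunk (@@ -1205,7 +1205,7 @@), the new struct rt_mutex *lock parameter is appended last, while the neighbouring functions visible in this diff take the lock first (__rt_mutex_slowlock(struct rt_mutex *lock, int state, and remove_waiter(lock, &waiter)); putting it first here would keep the file consistent. The block comment at the top of the function body is also left unchanged and should state that wait_lock must be held on entry and is now dropped around schedule().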
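
Review bot: In the second hunk (@@ -1219,8 +1219,10 @@), the added raw_spin_unlock_irq(&lock->wait_lock) / raw_spin_lock_irq(&lock->wait_lock) pair does not match the acquisition named in the commit message, _raw_spin_lock_irqsave in rt_mutex_slowlock: the _irq forms enable and disable interrupts unconditionally instead of restoring the caller's saved flags. Either pass the saved flags down and use the irqsave/irqrestore forms, or state in the commit message why interrupts are known to be enabled at this point. Since the while (1) loop has no exit, the lock is also dropped and retaken on every wakeup only to be released again at the top of the next iteration; a single unlock before the loop would express the same thing with less lock traffic.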