Date: Tue, 11 Sep 2018 09:49:31 +0200
From: Sebastian Andrzej Siewior
To: Jia-Ju Bai
Cc: gregkh@linuxfoundation.org, johan@kernel.org, bjorn@mork.no, mingo@kernel.org, oneukum@suse.com, viro@zeniv.linux.org.uk, mark.rutland@arm.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()
Message-ID: <20180911074930.2g6ryk7qe46cijhi@linutronix.de>
In-Reply-To: <20180901081210.16655-1-baijiaju1990@gmail.com>

On 2018-09-01 16:12:10 [+0800], Jia-Ju Bai wrote:
> wdm_in_callback() is a completion handler function for the USB driver.
> So it should not sleep. But it calls service_outstanding_interrupt(),
> which calls usb_submit_urb() with GFP_KERNEL.

At which point does wdm_in_callback() invoke
service_outstanding_interrupt()? I don't see it. I see one invocation
from wdm_read() and another from service_interrupt_work().
Also, if that would be the case, then spin_unlock_irq() in a USB
completion handler (which might run in IRQ context with interrupts
disabled) would be wrong.

> To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC.
>
> This bug is found by my static analysis tool DSAC.
>
> Signed-off-by: Jia-Ju Bai
> ---
> v2:
> * Add more description.
> ---
> drivers/usb/class/cdc-wdm.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c > index a0d284ef3f40..632a2bfabc08 100644 > --- a/drivers/usb/class/cdc-wdm.c > +++ b/drivers/usb/class/cdc-wdm.c
> @@ -458,7 +458,7 @@ static int service_outstanding_interrupt(struct wdm_device *desc) > > set_bit(WDM_RESPONDING, &desc->flags); > spin_unlock_irq(&desc->iuspin); > - rv = usb_submit_urb(desc->response, GFP_KERNEL); > + rv = usb_submit_urb(desc->response, GFP_ATOMIC); > spin_lock_irq(&desc->iuspin); > if (rv) { > dev_err(&desc->intf->dev, Sebastian
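
Review bot: The changed usb_submit_urb() call in service_outstanding_interrupt() sits between spin_unlock_irq(&desc->iuspin) and spin_lock_irq(&desc->iuspin), which unconditionally enable and then disable interrupts, so swapping only the allocation flag to GFP_ATOMIC does not make this function safe to run from a URB completion handler. If the wdm_in_callback() call path claimed in the commit message exists, the unlock/lock pair around the submit would have to change too (for example to an irqsave/irqrestore scheme in the callers); if it does not exist, GFP_KERNEL should stay, since GFP_ATOMIC only makes the allocation more likely to fail in a context that is allowed to sleep. Please spell out the exact call chain from wdm_in_callback() to service_outstanding_interrupt() in the commit message so the static-analysis finding can be checked against the code.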