The driver may sleep under a spin lock, and the function call path is:
b43legacy_attr_interfmode_store (acquire the lock by spin_lock_irqsave)
b43legacy_radio_set_interference_mitigation
b43legacy_radio_interference_mitigation_disable
b43legacy_calc_nrssi_slope
b43legacy_synth_pu_workaround
might_sleep and msleep --> may sleep
Fixing it may be complex, and a possible way is to remove
spin_lock_irqsave and spin_lock_irqrestore in
b43legacy_attr_interfmode_store, and the code has been protected by
mutex_lock and mutex_unlock.
Signed-off-by: Jia-Ju Bai <[email protected]>
---
drivers/net/wireless/broadcom/b43legacy/sysfs.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/net/wireless/broadcom/b43legacy/sysfs.c b/drivers/net/wireless/broadcom/b43legacy/sysfs.c
index 2a1da15..9ede143 100644
--- a/drivers/net/wireless/broadcom/b43legacy/sysfs.c
+++ b/drivers/net/wireless/broadcom/b43legacy/sysfs.c
@@ -137,14 +137,12 @@ static ssize_t b43legacy_attr_interfmode_store(struct device *dev,
}
mutex_lock(&wldev->wl->mutex);
- spin_lock_irqsave(&wldev->wl->irq_lock, flags);
err = b43legacy_radio_set_interference_mitigation(wldev, mode);
if (err)
b43legacyerr(wldev->wl, "Interference Mitigation not "
"supported by device\n");
mmiowb();
- spin_unlock_irqrestore(&wldev->wl->irq_lock, flags);
mutex_unlock(&wldev->wl->mutex);
return err ? err : count;
--
1.7.9.5
On 05/31/2017 05:29 AM, Jia-Ju Bai wrote:
> The driver may sleep under a spin lock, and the function call path is:
> b43legacy_attr_interfmode_store (acquire the lock by spin_lock_irqsave)
> b43legacy_radio_set_interference_mitigation
> b43legacy_radio_interference_mitigation_disable
> b43legacy_calc_nrssi_slope
> b43legacy_synth_pu_workaround
> might_sleep and msleep --> may sleep
>
> Fixing it may be complex, and a possible way is to remove
> spin_lock_irqsave and spin_lock_irqrestore in
> b43legacy_attr_interfmode_store, and the code has been protected by
> mutex_lock and mutex_unlock.
>
> Signed-off-by: Jia-Ju Bai <[email protected]>
> ---
> drivers/net/wireless/broadcom/b43legacy/sysfs.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/drivers/net/wireless/broadcom/b43legacy/sysfs.c b/drivers/net/wireless/broadcom/b43legacy/sysfs.c
> index 2a1da15..9ede143 100644
> --- a/drivers/net/wireless/broadcom/b43legacy/sysfs.c
> +++ b/drivers/net/wireless/broadcom/b43legacy/sysfs.c
> @@ -137,14 +137,12 @@ static ssize_t b43legacy_attr_interfmode_store(struct device *dev,
> }
>
> mutex_lock(&wldev->wl->mutex);
> - spin_lock_irqsave(&wldev->wl->irq_lock, flags);
>
> err = b43legacy_radio_set_interference_mitigation(wldev, mode);
> if (err)
> b43legacyerr(wldev->wl, "Interference Mitigation not "
> "supported by device\n");
> mmiowb();
> - spin_unlock_irqrestore(&wldev->wl->irq_lock, flags);
> mutex_unlock(&wldev->wl->mutex);
>
> return err ? err : count;
>
Jia-Ju,
Did you actually observe the attempt to sleep under the spin lock, or did you
discover this using some tool? In other words, have either of your patches been
tested?
Larry
On Wed, 31 May 2017 18:29:07 +0800
Jia-Ju Bai <[email protected]> wrote:
> The driver may sleep under a spin lock, and the function call path is:
> b43legacy_attr_interfmode_store (acquire the lock by spin_lock_irqsave)
> b43legacy_radio_set_interference_mitigation
> b43legacy_radio_interference_mitigation_disable
> b43legacy_calc_nrssi_slope
> b43legacy_synth_pu_workaround
> might_sleep and msleep --> may sleep
>
> Fixing it may be complex, and a possible way is to remove
> spin_lock_irqsave and spin_lock_irqrestore in
> b43legacy_attr_interfmode_store, and the code has been protected by
> mutex_lock and mutex_unlock.
>
> Signed-off-by: Jia-Ju Bai <[email protected]>
> ---
> drivers/net/wireless/broadcom/b43legacy/sysfs.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/drivers/net/wireless/broadcom/b43legacy/sysfs.c b/drivers/net/wireless/broadcom/b43legacy/sysfs.c
> index 2a1da15..9ede143 100644
> --- a/drivers/net/wireless/broadcom/b43legacy/sysfs.c
> +++ b/drivers/net/wireless/broadcom/b43legacy/sysfs.c
> @@ -137,14 +137,12 @@ static ssize_t b43legacy_attr_interfmode_store(struct device *dev,
> }
>
> mutex_lock(&wldev->wl->mutex);
> - spin_lock_irqsave(&wldev->wl->irq_lock, flags);
>
> err = b43legacy_radio_set_interference_mitigation(wldev, mode);
> if (err)
> b43legacyerr(wldev->wl, "Interference Mitigation not "
> "supported by device\n");
> mmiowb();
> - spin_unlock_irqrestore(&wldev->wl->irq_lock, flags);
> mutex_unlock(&wldev->wl->mutex);
>
> return err ? err : count;
Interference mitigation has never been properly implemented and tested.
As such nobody should use it and I would be surprised if anybody uses
this attribute.
So I would suggest to remove this sysfs attribute entirely instead of
having this incorrect fix.
--
Michael
On 06/02/2017 12:11 AM, Jonathan Corbet wrote:
> On Thu, 01 Jun 2017 09:05:07 +0800
> Jia-Ju Bai<[email protected]> wrote:
>
>> I admit my patches are not well tested, and they may not well fix the bugs.
>> I am looking forward to opinions and suggestions :)
> May I politely suggest that sending out untested locking changes is a
> dangerous thing to do? You really should not be changing the locking in a
> piece of kernel code without understanding very well what the lock is
> protecting and being able to say why your changes are safe. Without that,
> the risk of introducing subtle bugs is very high.
>
> It looks like you have written a useful tool that could help us to make
> the kernel more robust. If you are interested in my suggestion, I would
> recommend that you post the sleep-in-atomic scenarios that you are
> finding, but refrain from "fixing" them in any case where you cannot offer
> a strong explanation of why your fix is correct.
>
> Thanks for working to find bugs in the kernel!
>
> jon
Hi,
Thanks for your good and helpful advice. I am sorry for my improper patches.
I will only report bugs instead of sending improper patches when I have
no good solution of fixing the bugs.
Thanks,
Jia-Ju Bai
Jia-Ju Bai <[email protected]> writes:
>> Did you actually observe the attempt to sleep under the spin lock,
>> or did you discover this using some tool? In other words, have
>> either of your patches been tested?
>
> In fact, my reported bugs are found by a static analysis tool written
> by me, and they are checked by my review of the driver code.
It's valuable information to add to the commit log how you found the
bug. If you check other wireless commits you can see comments like
"Found by spatch", "Coverity reported" quite frequently. So I recommend
that you also mention your tool in the commit log, makes understanding
the background of the patch easier.
--
Kalle Valo
On 06/01/2017 01:33 AM, Larry Finger wrote:
> On 05/31/2017 05:29 AM, Jia-Ju Bai wrote:
>> The driver may sleep under a spin lock, and the function call path is:
>> b43legacy_attr_interfmode_store (acquire the lock by spin_lock_irqsave)
>> b43legacy_radio_set_interference_mitigation
>> b43legacy_radio_interference_mitigation_disable
>> b43legacy_calc_nrssi_slope
>> b43legacy_synth_pu_workaround
>> might_sleep and msleep --> may sleep
>>
>> Fixing it may be complex, and a possible way is to remove
>> spin_lock_irqsave and spin_lock_irqrestore in
>> b43legacy_attr_interfmode_store, and the code has been protected by
>> mutex_lock and mutex_unlock.
>>
>> Signed-off-by: Jia-Ju Bai <[email protected]>
>> ---
>> drivers/net/wireless/broadcom/b43legacy/sysfs.c | 2 --
>> 1 file changed, 2 deletions(-)
>>
>> diff --git a/drivers/net/wireless/broadcom/b43legacy/sysfs.c
>> b/drivers/net/wireless/broadcom/b43legacy/sysfs.c
>> index 2a1da15..9ede143 100644
>> --- a/drivers/net/wireless/broadcom/b43legacy/sysfs.c
>> +++ b/drivers/net/wireless/broadcom/b43legacy/sysfs.c
>> @@ -137,14 +137,12 @@ static ssize_t
>> b43legacy_attr_interfmode_store(struct device *dev,
>> }
>> mutex_lock(&wldev->wl->mutex);
>> - spin_lock_irqsave(&wldev->wl->irq_lock, flags);
>> err = b43legacy_radio_set_interference_mitigation(wldev, mode);
>> if (err)
>> b43legacyerr(wldev->wl, "Interference Mitigation not "
>> "supported by device\n");
>> mmiowb();
>> - spin_unlock_irqrestore(&wldev->wl->irq_lock, flags);
>> mutex_unlock(&wldev->wl->mutex);
>> return err ? err : count;
>>
>
> Jia-Ju,
>
> Did you actually observe the attempt to sleep under the spin lock, or
> did you discover this using some tool? In other words, have either of
> your patches been tested?
>
> Larry
>
Hi,
In fact, my reported bugs are found by a static analysis tool written by
me, and they are checked by my review of the driver code.
I admit my patches are not well tested, and they may not well fix the bugs.
I am looking forward to opinions and suggestions :)
Thanks,
Jia-Ju Bai
On Thu, 01 Jun 2017 09:05:07 +0800
Jia-Ju Bai <[email protected]> wrote:
> I admit my patches are not well tested, and they may not well fix the bugs.
> I am looking forward to opinions and suggestions :)
May I politely suggest that sending out untested locking changes is a
dangerous thing to do? You really should not be changing the locking in a
piece of kernel code without understanding very well what the lock is
protecting and being able to say why your changes are safe. Without that,
the risk of introducing subtle bugs is very high.
It looks like you have written a useful tool that could help us to make
the kernel more robust. If you are interested in my suggestion, I would
recommend that you post the sleep-in-atomic scenarios that you are
finding, but refrain from "fixing" them in any case where you cannot offer
a strong explanation of why your fix is correct.
Thanks for working to find bugs in the kernel!
jon
Hi Jia-Ju,
[auto build test WARNING on wireless-drivers-next/master]
[also build test WARNING on v4.12-rc3 next-20170601]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Jia-Ju-Bai/b43legacy-Fix-a-sleep-in-atomic-bug-in-b43legacy_attr_interfmode_store/20170531-192639
base: https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next.git master
config: x86_64-randconfig-a0-06020536 (attached as .config)
compiler: gcc-4.4 (Debian 4.4.7-8) 4.4.7
reproduce:
# save the attached .config to linux build tree
make ARCH=x86_64
All warnings (new ones prefixed by >>):
drivers/net/wireless/broadcom/b43legacy/sysfs.c: In function 'b43legacy_attr_interfmode_store':
>> drivers/net/wireless/broadcom/b43legacy/sysfs.c:114: warning: unused variable 'flags'
vim +/flags +114 drivers/net/wireless/broadcom/b43legacy/sysfs.c
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 98 " Mitigation)\n");
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 99 break;
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 100 default:
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 101 B43legacy_WARN_ON(1);
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 102 }
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 103
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 104 mutex_unlock(&wldev->wl->mutex);
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 105
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 106 return count;
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 107 }
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 108
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 109 static ssize_t b43legacy_attr_interfmode_store(struct device *dev,
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 110 struct device_attribute *attr,
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 111 const char *buf, size_t count)
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 112 {
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 113 struct b43legacy_wldev *wldev = dev_to_b43legacy_wldev(dev);
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 @114 unsigned long flags;
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 115 int err;
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 116 int mode;
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 117
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 118 if (!capable(CAP_NET_ADMIN))
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 119 return -EPERM;
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 120
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 121 mode = get_integer(buf, count);
75388acd drivers/net/wireless/b43legacy/sysfs.c Larry Finger 2007-09-25 122 switch (mode) {
:::::: The code at line 114 was first introduced by commit
:::::: 75388acd0cd827dc1498043daa7d1c760902cd67 [B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices
:::::: TO: Larry Finger <[email protected]>
:::::: CC: David S. Miller <[email protected]>
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
On 06/01/2017 11:11 AM, Jonathan Corbet wrote:
> On Thu, 01 Jun 2017 09:05:07 +0800
> Jia-Ju Bai <[email protected]> wrote:
>
>> I admit my patches are not well tested, and they may not well fix the bugs.
>> I am looking forward to opinions and suggestions :)
>
> May I politely suggest that sending out untested locking changes is a
> dangerous thing to do? You really should not be changing the locking in a
> piece of kernel code without understanding very well what the lock is
> protecting and being able to say why your changes are safe. Without that,
> the risk of introducing subtle bugs is very high.
>
> It looks like you have written a useful tool that could help us to make
> the kernel more robust. If you are interested in my suggestion, I would
> recommend that you post the sleep-in-atomic scenarios that you are
> finding, but refrain from "fixing" them in any case where you cannot offer
> a strong explanation of why your fix is correct.
>
> Thanks for working to find bugs in the kernel!
I agree with the suggestion above. Locking changes should only be done in
conjunction with testing by someone that actually has the hardware.
Larry
On Fri, 02 Jun 2017 09:18:14 +0800
Jia-Ju Bai <[email protected]> wrote:
> On 06/02/2017 12:11 AM, Jonathan Corbet wrote:
> > On Thu, 01 Jun 2017 09:05:07 +0800
> > Jia-Ju Bai<[email protected]> wrote:
> >
> >> I admit my patches are not well tested, and they may not well fix the bugs.
> >> I am looking forward to opinions and suggestions :)
> > May I politely suggest that sending out untested locking changes is a
> > dangerous thing to do? You really should not be changing the locking in a
> > piece of kernel code without understanding very well what the lock is
> > protecting and being able to say why your changes are safe. Without that,
> > the risk of introducing subtle bugs is very high.
> >
> > It looks like you have written a useful tool that could help us to make
> > the kernel more robust. If you are interested in my suggestion, I would
> > recommend that you post the sleep-in-atomic scenarios that you are
> > finding, but refrain from "fixing" them in any case where you cannot offer
> > a strong explanation of why your fix is correct.
> >
> > Thanks for working to find bugs in the kernel!
> >
> > jon
> Hi,
>
> Thanks for your good and helpful advice. I am sorry for my improper patches.
> I will only report bugs instead of sending improper patches when I have
> no good solution of fixing the bugs.
Is somebody still working on these fixes?
I think I found my old b43-legacy based 4306, so that I will
be able to get these patches into properly tested shape.
--
Michael