From mboxrd@z Thu Jan 1 00:00:00 1970
From: isdn@linux-pingi.de
Subject: Re: [PATCH] isdn: mISDN: tei: Fix a sleep-in-atomic-context bug in create_teimgr()
Date: Sun, 2 Sep 2018 18:31:07 +0200
Message-ID: <3ecd32b2-81e5-038e-edc9-fd06d6e21851@linux-pingi.de>
References: <20180901120019.31664-1-baijiaju1990@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org
To: Jia-Ju Bai
Return-path:
Received: from mout.kundenserver.de ([212.227.17.24]:40311 "EHLO mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726065AbeIBUrb (ORCPT ); Sun, 2 Sep 2018 16:47:31 -0400
In-Reply-To: <20180901120019.31664-1-baijiaju1990@gmail.com>
Content-Language: en-US
Sender: netdev-owner@vger.kernel.org
List-ID:

Hi,

I do not understand the analysis and do not see that the spinlock is a problem here.
I think your DSAC analyzer assumes that the FUNC_PTR mgr_ctrl call calls the mgr_ctrl in tei.c, but in reality it calls l2->ch.ctrl(), which is the function in layer2.c, not tei.c. And the function in layer2.c should not do any GFP_KERNEL allocation.
Same for your second reported issue.

On 01.09.2018 at 14:00, Jia-Ju Bai wrote:
> The kernel module may sleep while holding a spinlock.
>
> The function call paths (from bottom to top) in Linux-4.16 are:
>
> [FUNC] kzalloc(GFP_KERNEL)
> drivers/isdn/mISDN/tei.c, 1058: kzalloc in create_teimgr
> drivers/isdn/mISDN/tei.c, 1278: create_teimgr in mgr_ctrl
> drivers/isdn/mISDN/tei.c, 1048: [FUNC_PTR]mgr_ctrl in create_teimgr
> drivers/isdn/mISDN/tei.c, 1045: _raw_read_lock_irqsave in create_teimgr
>
> Note that [FUNC_PTR] means a function pointer call is used.
>
> To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC.
>
> This bug is found by my static analysis tool DSAC.
>
> Signed-off-by: Jia-Ju Bai
> ---
> drivers/isdn/mISDN/tei.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> > diff --git a/drivers/isdn/mISDN/tei.c b/drivers/isdn/mISDN/tei.c > index 12d9e5f4beb1..6d95ee639fdb 100644 > --- a/drivers/isdn/mISDN/tei.c > +++ b/drivers/isdn/mISDN/tei.c > @@ -1055,7 +1055,7 @@ create_teimgr(struct manager *mgr, struct channel_req *crq) > crq->adr.tei, crq->adr.sapi); > if (!l2) > return -ENOMEM; > - l2->tm = kzalloc(sizeof(struct teimgr), GFP_KERNEL); > + l2->tm = kzalloc(sizeof(struct teimgr), GFP_ATOMIC); > if (!l2->tm) { > kfree(l2); > printk(KERN_ERR "kmalloc teimgr failed\n"); >
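Review bot: the GFP_KERNEL to GFP_ATOMIC change in this hunk rests on a call chain that is circular and therefore suspect: the commit message has create_teimgr() reaching mgr_ctrl() through a function pointer at tei.c:1048, and mgr_ctrl() calling create_teimgr() at tei.c:1278, so create_teimgr() would be re-entering itself from inside its own read_lock_irqsave() region. A far more likely reading, and the one the maintainer gives above, is that the indirect call at line 1048 is l2->ch.ctrl(), which resolves to the ctrl function in layer2.c, in which case no spinlock is held when kzalloc() at line 1058 runs. Until the target of that indirect call is confirmed (reading which function is stored in l2->ch.ctrl, or running with CONFIG_DEBUG_ATOMIC_SLEEP and actually reaching this allocation), keep GFP_KERNEL: GFP_ATOMIC cannot reclaim and draws on the emergency reserves, so in a sleepable context it only makes this allocation fail more readily. The hunk's own context also contradicts its premise: create_l2() two lines above is checked for NULL and returns -ENOMEM, so it evidently allocates as well, and a genuine sleep-in-atomic path through here would require that allocation to change too, which the patch does not do.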